AM 5, 5.1.x and OpenAM 13.5.1 cannot access external CTS after configuration is changed via the console
The purpose of this article is to provide assistance if AM/OpenAM cannot access the external Core Token Service (CTS) after the configuration has been changed via the console. You will also see a "CTS: Configuration was invalid" error in your logs when this happens.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
AM/OpenAM cannot access the external CTS store after configuration changes are made via the console (using either the CTS or Advanced option under Server Defaults). If AM/OpenAM is restarted after the configuration changes have been saved, you are also unable to access the console.
You will see the following error in the AM CoreSystem debug logs:
Caused by: java.lang.RuntimeException: org.forgerock.openam.sm.datalayer.api.DataLayerException: CTS: Configuration was invalid
	at org.forgerock.openam.core.guice.CoreGuiceModule.getCTSWorkerExecutorService(CoreGuiceModule.java:382)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at com.google.inject.internal.ProviderMethod.get(ProviderMethod.java:104)
	at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:40)
	at com.google.inject.internal.InjectorImpl$4$1.call(InjectorImpl.java:978)
	at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1031)
	at com.google.inject.internal.InjectorImpl$4.get(InjectorImpl.java:974)
	at com.google.inject.spi.ProviderLookup$1.get(ProviderLookup.java:89)
	at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:40)
	at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
	at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:84)
If you check the CTS configuration via the console, you will notice that the bind password field is empty; similarly, the bind password property (org.forgerock.services.cts.store.password) will be missing from the configuration store in DS/OpenDJ.
On the DS/OpenDJ side, you will see failures in the access log similar to the following:
[21/Oct/2017:15:21:29 +0100] BIND REQ conn=11 op=0 msgID=1 version=3 type=SIMPLE dn="cn=Directory Manager"
[21/Oct/2017:15:21:29 +0100] BIND RES conn=11 op=0 msgID=1 result=49 authFailureReason="The password provided by the user did not match any password(s) stored in the user's entry" authDN="cn=Directory Manager" etime=1
Run an ldapsearch against the AM/OpenAM configuration store to check whether "org.forgerock.services.cts.store.password" exists, for example:
$ ./ldapsearch --port 50389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN ou=services,dc=openam,dc=forgerock,dc=org "objectclass=*" | grep "serverconfig=org.forgerock.services.cts.store.password"
If the entry exists, you will see the following sunKeyValue returned with the encrypted password:
sunKeyValue: serverconfig=org.forgerock.services.cts.store.password=AQICJGRFB44klBpzNjYQZpUyFhh73lmwivHG
Recent Changes
Configured an external CTS via the console.
Made changes to the external CTS configuration using the console.
Causes
There is a known issue, OPENAM-11987 (SmsServerPropertiesResource removes password when unchanged.), where saving CTS configuration changes via the console inadvertently removes the saved bind password for the external CTS store. AM/OpenAM then binds to the CTS store with invalid credentials, which prevents access to the CTS.
Solution
This issue can be resolved by upgrading to AM 5.5.1 or later, or OpenAM 13.5.2; you can download this from BackStage.
Workaround
You can work around this issue by re-entering the bind password before saving CTS configuration changes in the console, or by using ssoadm to update the CTS configuration instead: How do I configure an external CTS token store in AM (All versions) using Amster or ssoadm?
If you have already saved your configuration changes, you can re-enter the password using either the console (provided you have not restarted AM/OpenAM), Amster (AM 5 and later) or ssoadm:
- Console: navigate to: Configure > Server Defaults > CTS > External Store Configuration > Password and enter the bind password.
- Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
  - Entity: CtsDataStoreProperties
  - Property: org.forgerock.services.cts.store.password
- ssoadm: enter the following command:
$ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -a org.forgerock.services.cts.store.password=[bindPassword]
replacing [adminID], [passwordfile] and [bindPassword] with appropriate values.
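The ldapsearch check from the Symptoms section and the ssoadm repair step above, combined into one script. This is an added example for this article and is not ForgeRock code: it classifies the ldapsearch output as present, empty or missing (the empty case is the separate symptom tracked in OPENAM-11834) and only runs ssoadm when the password really is gone, refusing to touch the configuration if the ldapsearch itself fails. The configuration store port, bind DN and base DN, the ssoadm admin ID and password file path, and the sample LDIF entries are assumed placeholders or constructed data, not values captured from a real server.

```shell
#!/bin/sh
# Added example for this article; it is not ForgeRock code. It automates the two
# steps described above: an ldapsearch of the configuration store for the
# org.forgerock.services.cts.store.password property, followed by the ssoadm
# update-server-cfg command when the bind password has been lost.
# The connection values, admin ID and file paths below are assumed placeholders.

CTS_PW_PROP="org.forgerock.services.cts.store.password"
CFG_PORT="${CFG_PORT:-50389}"
CFG_BIND_DN="${CFG_BIND_DN:-cn=Directory Manager}"
CFG_BASE_DN="${CFG_BASE_DN:-ou=services,dc=openam,dc=forgerock,dc=org}"
SSOADM_ADMIN="${SSOADM_ADMIN:-amadmin}"            # assumed admin ID
SSOADM_PWFILE="${SSOADM_PWFILE:-/path/to/pwfile}"  # assumed ssoadm password file

# Join LDIF continuation lines (a leading space marks a wrapped line) so a long
# sunKeyValue attribute is still matched if ldapsearch wrapped it.
ldif_unfold() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D'
}

# Reads ldapsearch LDIF on stdin and prints one word describing the property:
#   present (exit 0) - stored with a non-empty (encrypted) value
#   empty   (exit 2) - stored with a blank value (the OPENAM-11834 symptom)
#   missing (exit 1) - no sunKeyValue for the property at all (OPENAM-11987)
# The value itself is never printed: it is the encrypted CTS bind password.
cts_password_state() {
    line=$(ldif_unfold | grep "^sunKeyValue: serverconfig=${CTS_PW_PROP}=" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 1
    fi
    value=$(printf '%s' "$line" | sed "s/^sunKeyValue: serverconfig=${CTS_PW_PROP}=//" | tr -d '[:space:]')
    if [ -z "$value" ]; then
        echo empty
        return 2
    fi
    echo present
    return 0
}

# End-to-end check: query the configuration store, classify the result and, when
# the password is empty or missing, put it back with the ssoadm command from the
# article. $1 is a file holding the external CTS bind password; CFG_BIND_PW must
# hold the configuration store bind password. Run as:
#   CFG_BIND_PW=... sh cts_check.sh run /path/to/cts-bind-password-file
cts_check_and_restore() {
    : "${CFG_BIND_PW:?set CFG_BIND_PW to the configuration store bind password}"
    # A failed search must not be mistaken for a missing property.
    ldif=$(./ldapsearch --port "$CFG_PORT" --bindDN "$CFG_BIND_DN" \
               --bindPassword "$CFG_BIND_PW" --baseDN "$CFG_BASE_DN" "objectclass=*") || {
        echo "ldapsearch against the configuration store failed; nothing changed" >&2
        return 3
    }
    state=$(printf '%s\n' "$ldif" | cts_password_state) || true
    case "$state" in
        present)
            echo "CTS bind password is present in the configuration store; safe to restart AM/OpenAM."
            return 0 ;;
        *)
            echo "CTS bind password is $state; restoring it with ssoadm."
            ./ssoadm update-server-cfg -s default -u "$SSOADM_ADMIN" -f "$SSOADM_PWFILE" \
                -a "${CTS_PW_PROP}=$(cat "$1")" ;;
    esac
}

# Constructed sample LDIF (not captured from a real server) for trying the classifier.
SAMPLE_PRESENT='dn: ou=servers,ou=services,dc=openam,dc=forgerock,dc=org
sunKeyValue: serverconfig=org.forgerock.services.cts.store.loginid=cn=Directory Manager
sunKeyValue: serverconfig=org.forgerock.services.cts.store.password=AQICJGRFB44klBpzNjYQZpUyFhh73lmwivHG'
SAMPLE_FOLDED='dn: ou=servers,ou=services,dc=openam,dc=forgerock,dc=org
sunKeyValue: serverconfig=org.forgerock.services.cts.store.password=AQICJGRFB44klBp
 zNjYQZpUyFhh73lmwivHG'
SAMPLE_EMPTY='dn: ou=servers,ou=services,dc=openam,dc=forgerock,dc=org
sunKeyValue: serverconfig=org.forgerock.services.cts.store.password='
SAMPLE_MISSING='dn: ou=servers,ou=services,dc=openam,dc=forgerock,dc=org
sunKeyValue: serverconfig=org.forgerock.services.cts.store.loginid=cn=Directory Manager'

case "${1:-}" in
    run)  cts_check_and_restore "$2" ;;
    demo) for s in "$SAMPLE_PRESENT" "$SAMPLE_FOLDED" "$SAMPLE_EMPTY" "$SAMPLE_MISSING"; do
              printf '%s\n' "$s" | cts_password_state || true
          done ;;
esac
```

Run it with `demo` to see the classifier on the constructed samples (present, present, empty, missing) and with `run` on a real deployment before restarting AM/OpenAM after a console save. The ssoadm step places the bind password on the command line, exactly as the article's command does, so run it from an administrative host and clear the shell history afterwards.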
See Also
How do I configure an external CTS token store in AM (All versions) using Amster or ssoadm?
Related Training
N/A
Related Issue Tracker IDs
OPENAM-11987 (SmsServerPropertiesResource removes password when unchanged.)
OPENAM-11834 (Passwords being set to empty strings in tabbed forms in XUI)
OPENAM-11763 ("Saving" CTS configuration overwrites the bind password)