Unable to login to OpenAM 13.x console or access REST API after changing the Federation Signing Key

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you cannot log into the OpenAM console (XUI) or access the REST API after changing the Signing Key or certificate alias for SAML2 or OAuth, and you receive an HTTP 500 "Internal Server Error" response with the message "The server encountered an unexpected condition which prevented it from fulfilling the request".


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

When attempting to access the OpenAM console or the REST API, the following error is seen:

code: 500
reason: "Internal Server Error"
message: "The server encountered an unexpected condition which prevented it from fulfilling the request"

If you are attempting to log into the OpenAM console, you will see the following message after the Internal Server Error has flashed up:

Unable to login to OpenAM

This issue can also be seen in the HTTP container logs. For example, an error similar to the following is shown in the catalina.out log if you are using Apache Tomcat™:

WARNING: Exception or error caught in server resource
Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:517)
    at org.restlet.resource.ServerResource.post(ServerResource.java:1216)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:592)
    at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:649)
    at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
    at org.restlet.resource.ServerResource.handle(ServerResource.java:952)
    at org.restlet.resource.Finder.handle(Finder.java:246)
    at org.forgerock.openam.rest.service.VersionRouter.handle(VersionRouter.java:139)
    at org.forgerock.openam.rest.service.ServiceRouter$RestletWrapper.handle(ServiceRouter.java:162)
    ...
Caused by: java.lang.NullPointerException
    at org.forgerock.openam.forgerockrest.authn.AuthIdHelper.generateAuthId(AuthIdHelper.java:174)
    at org.forgerock.openam.forgerockrest.authn.AuthIdHelper.createAuthId(AuthIdHelper.java:103)
    at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.createJsonCallbackResponse(RestAuthenticationHandler.java:320)
    at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:246)
    at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:160)
    at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.initiateAuthentication(RestAuthenticationHandler.java:93)
    at org.forgerock.openam.forgerockrest.authn.restlet.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:133)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:503)
    ... 70 more

If you are attempting to access the REST API, you will also see the following error in the restAuthenticationFilter log file:

restAuthenticationFilter:09/10/2015 04:27:19:029 PM CEST: Thread[http-bio-8080-exec-30,5,main]
Access Denied
org.forgerock.jaspi.exceptions.JaspiAuthException: Access Denied
    at org.forgerock.jaspi.runtime.context.ContextHandler.handleCompletion(ContextHandler.java:131)
    at org.forgerock.jaspi.runtime.context.JaspiServerAuthContext.validateRequest(JaspiServerAuthContext.java:244)
    at org.forgerock.jaspi.runtime.JaspiRuntime.processMessage(JaspiRuntime.java:160)
    at org.forgerock.jaspi.JaspiRuntimeFilter.doFilter(JaspiRuntimeFilter.java:131)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    ...
Caused by: org.forgerock.json.resource.PermanentException: Access Denied
    at org.forgerock.json.resource.ResourceException.getException(ResourceException.java:251)
    at org.forgerock.json.resource.ResourceException.getException(ResourceException.java:181)
    at org.forgerock.jaspi.runtime.context.ContextHandler.handleCompletion(ContextHandler.java:129)
    ... 25 more

Recent Changes

Imported a new signing key into the keystore and changed the certificate alias for SAML2 or OAuth.

Causes

The default 'test' certificate alias used for SAML2 and OAuth signing keys is also used by the XUI and for REST authentication.

If you create a new keystore.jks and replace the default keystore.jks with the newly created one, but do not change the certificate alias used for authentication, the configured alias no longer resolves to a key in the keystore. As a result you will not be able to log into the OpenAM console with XUI enabled or make REST calls; this is the lookup that fails with the NullPointerException in AuthIdHelper.generateAuthId shown above.

Solution

This issue can be resolved by updating the certificate alias to match the alias of the new signing key using either the OpenAM console or ssoadm. You can either do this globally or per realm:

Globally:

  • OpenAM 13.5 console: navigate to: Configure > Authentication > Core Attributes > Security > Persistent Cookie Encryption Certificate Alias and enter the alias of the new signing key.
  • OpenAM 13 console: navigate to: Configuration > Authentication > Core > Security > Persistent Cookie Encryption Certificate Alias and enter the alias of the new signing key.
  • ssoadm: enter the following command: $ ./ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=[signingkeyalias] replacing [adminID], [passwordfile] and [signingkeyalias] with appropriate values.

Realm:

  • Console: navigate to: Realms > [Realm Name] > Authentication > Settings > Security > Persistent Cookie Encryption Certificate Alias and enter the alias of the new signing key.
  • ssoadm: enter the following command: $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthService -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=[signingkeyalias] replacing [realmname], [adminID], [passwordfile] and [signingkeyalias] with appropriate values.

Note

You must restart the web application container in which OpenAM runs to apply these configuration changes.
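Because OpenAM does not validate iplanet-am-auth-key-alias when it is saved (see OPENAM-6003 below), a typo in the alias leaves you locked out after the restart. The following pre-flight check is an added example, not ForgeRock tooling: it confirms that the alias you are about to configure exists as a private key in the keystore before you run ssoadm. The keystore path, password and the keytool listing used here are constructed sample values.

```sh
#!/bin/sh
# Pre-flight check before setting iplanet-am-auth-key-alias and restarting
# the container: the alias must name a PrivateKeyEntry in the keystore that
# OpenAM loads, otherwise XUI and REST authentication fail with the 500 error.

# Read `keytool -list` output on stdin; succeed (0) only if WANT is listed as
# a PrivateKeyEntry. Entry lines look like "<alias>, <date>, PrivateKeyEntry,"
# and the date itself may contain a comma, so only the first field is trusted.
alias_in_keystore_listing() {
    want="$1"
    awk -v a="$want" -F', *' '
        $1 == a && $0 ~ /PrivateKeyEntry/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run the check against a real keystore (path, store password, alias).
check_alias_in_keystore() {
    keytool -list -keystore "$1" -storepass "$2" | alias_in_keystore_listing "$3"
}

# Report whether the alias is safe to configure; returns 0 if so, 1 otherwise.
preflight() {
    listing="$1"; want="$2"
    if printf '%s\n' "$listing" | alias_in_keystore_listing "$want"; then
        echo "OK: '$want' is a private key; safe to set iplanet-am-auth-key-alias"
        return 0
    fi
    echo "REFUSING: '$want' is not a private key in the keystore" >&2
    return 1
}

# Constructed sample keytool output for a keystore.jks in which the default
# 'test' key was replaced by a new signing key 'saml2-2021' plus a partner cert.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

saml2-2021, Jan 5, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
idp-partner, Jan 5, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

preflight "$SAMPLE_LISTING" saml2-2021            # new signing key: OK
preflight "$SAMPLE_LISTING" test || true          # stale default alias: refused
preflight "$SAMPLE_LISTING" idp-partner || true   # certificate only, no private key: refused
```

For a live check replace the sample with `check_alias_in_keystore /path/to/keystore.jks "$STOREPASS" saml2-2021` and only run the ssoadm command when it returns 0.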

See Also

How do I change the Signing Key for Federation in OpenAM 13.x?

Login to AM console (All versions) fails for amAdmin user

FAQ: SAML certificate management in AM 5.x and 6.x

Related Training

N/A

Related Issue Tracker IDs

OPENAM-6003 (value for 'iplanet-am-auth-key-alias' should be checked when saving)

Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.