Unable to find key error after upgrading to IDM 6.5.x or 7.x
The purpose of this article is to provide assistance if you encounter "Unable to find key" or "Unable to find decryption key with alias" errors after upgrading IDM or creating custom aliases.
Symptoms
- SEVERE: Unable to find key:
  Dec 24, 2020 14:17:19.863 PM org.forgerock.openidm.secrets.impl.DefaultSecretsService getIdAndKey
  SEVERE: Unable to find key
  org.forgerock.secrets.NoSuchSecretException: No secret with id custom.alias for purpose idm.default
      at org.forgerock.secrets.keystore.KeyStoreSecretStore.getNamed(KeyStoreSecretStore.java:274)
      at org.forgerock.secrets.SecretsProvider.lambda$null$5(SecretsProvider.java:156)
      at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:262)
      at org.forgerock.util.promise.Promises$CompletedPromise.thenCatchAsync(Promises.java:232)
      at org.forgerock.secrets.SecretsProvider.lambda$getNamedSecret$6(SecretsProvider.java:156)
- WARNING: Resource exception: 500 Internal Server Error:
  Dec 24, 2020 14:17:19.867 PM org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3 lambda$handleRequestWithLogging$8
  WARNING: Resource exception: 500 Internal Server Error: "Wrapped org.forgerock.json.JsonValueException: /: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key with alias: custom.alias"
  org.forgerock.json.resource.InternalServerErrorException: Wrapped org.forgerock.json.JsonValueException: /: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key with alias: custom.alias
      at org.forgerock.json.resource.ResourceException.newResourceException(ResourceException.java:231)
      at org.forgerock.openidm.script.ScriptThrownException.toResourceException(ScriptThrownException.java:135)
      at org.forgerock.openidm.script.handler.ScriptedRequestHandler.convertScriptException(ScriptedRequestHandler.java:372)
      at org.forgerock.openidm.script.handler.ScriptedRequestHandler.lambda$handleAction$1(ScriptedRequestHandler.java:176)
      ...
  Caused by: org.forgerock.openidm.script.ScriptThrownException: Wrapped org.forgerock.json.JsonValueException: /: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key with alias: custom.alias
      ...
The secret named in the above logs (custom.alias) is a custom alias that you created; the error means IDM's idm.default secret has no mapping for it.
Recent Changes
Upgraded to IDM 6.5 or later.
Configured the Active Directory® password synchronization plugin in IDM 6.5 or later.
Causes
If this issue has occurred after configuring the Active Directory password synchronization plugin, you may have missed a step to add the alias to the secrets.json file. This step is missing in some versions of the documentation per: OPENIDM-15054 (secrets.json not documented for AD Password sync). This is resolved in the documentation for IDM 6.5.1, and IDM 7.0.1 and later.
Solution
This issue can be resolved by adding the missing alias to secrets.json for the idm.default secret:
- Add the alias to the list of aliases for the idm.default secret in secrets.json, for example:
  {
      "secretId" : "idm.default",
      "types": [ "ENCRYPT", "DECRYPT" ],
      "aliases": [ "&{openidm.config.crypto.alias|openidm-sym-default}", "custom.alias" ]
  }
- Restart IDM to reload the keystores.
See Release Notes › To Generate Keys and Certificates With Custom Aliases (Workaround for OPENIDM-12078) for further information.
If you have configured the Active Directory password synchronization plugin and it is still not working, review the steps in the current documentation and confirm that you have completed all of them successfully: Password Synchronization Plugin Guide › Installing the Active Directory Password Synchronization Plugin.
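The following script is an added example, not part of this article or of IDM itself. It ties the Symptoms to the Solution: it extracts the alias and purpose from either of the two error messages quoted above, checks whether the idm.default mapping in secrets.json already lists that alias, and, if not, produces a patched copy of the file with the alias appended (the change you would then apply before restarting IDM). The sample secrets.json and log excerpts are constructed for the example; only the "secretId" / "types" / "aliases" mapping shape comes from this article, and the surrounding "stores" / "config" layout is an assumption that may differ between IDM versions, which is why the code locates mappings by walking the whole document rather than by a fixed path.

```python
import copy
import json
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Constructed sample secrets.json. The mapping objects follow the article; the
# "stores"/"config" wrapper around them is an assumption about IDM's layout.
SAMPLE_SECRETS_JSON = """
{
  "stores": [
    {
      "name": "mainKeyStore",
      "config": {
        "file": "&{openidm.keystore.location|&{idm.install.dir}/security/keystore.jceks}",
        "mappings": [
          {
            "secretId": "idm.default",
            "types": ["ENCRYPT", "DECRYPT"],
            "aliases": ["&{openidm.config.crypto.alias|openidm-sym-default}"]
          }
        ]
      }
    }
  ]
}
"""

# Constructed log excerpts mirroring the two messages quoted in the article.
LOG_NO_SECRET = ("SEVERE: Unable to find key org.forgerock.secrets.NoSuchSecretException: "
                 "No secret with id custom.alias for purpose idm.default")
LOG_NO_DECRYPT_KEY = ('WARNING: Resource exception: 500 Internal Server Error: "Wrapped '
                      'org.forgerock.json.JsonValueException: /: org.forgerock.json.crypto.'
                      'JsonCryptoException: Unable to find decryption key with alias: custom.alias"')

_NO_SECRET_RE = re.compile(r'No secret with id (?P<alias>[^\s"]+) for purpose (?P<purpose>[^\s"]+)')
_NO_DECRYPT_RE = re.compile(r'Unable to find decryption key with alias: (?P<alias>[^\s"]+)')
DEFAULT_PURPOSE = "idm.default"  # the secret the article's fix adds the alias to


def parse_missing_key(line: str) -> Optional[Tuple[str, str]]:
    """Return (alias, purpose) from either error message, or None if unrelated.
    The JsonCryptoException message names no purpose, so idm.default is assumed."""
    m = _NO_SECRET_RE.search(line)
    if m:
        return m.group("alias"), m.group("purpose")
    m = _NO_DECRYPT_RE.search(line)
    if m:
        return m.group("alias"), DEFAULT_PURPOSE
    return None


def iter_mappings(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every object carrying a "secretId", wherever it sits in the tree."""
    if isinstance(node, dict):
        if "secretId" in node:
            yield node
        for value in node.values():
            yield from iter_mappings(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_mappings(item)


def aliases_for(secrets: Dict[str, Any], secret_id: str) -> List[str]:
    """All aliases mapped to secret_id across every store in the file."""
    found: List[str] = []
    for mapping in iter_mappings(secrets):
        if mapping.get("secretId") == secret_id:
            found.extend(mapping.get("aliases", []))
    return found


def add_alias(secrets: Dict[str, Any], secret_id: str, alias: str) -> Dict[str, Any]:
    """Return a copy of secrets with alias appended to the first secret_id mapping.
    Idempotent; raises KeyError if the mapping is absent (it would also need types)."""
    patched = copy.deepcopy(secrets)
    for mapping in iter_mappings(patched):
        if mapping.get("secretId") == secret_id:
            aliases = mapping.setdefault("aliases", [])
            if alias not in aliases:
                aliases.append(alias)
            return patched
    raise KeyError(f"no mapping for secretId {secret_id!r} in secrets.json")


def load_sample() -> Dict[str, Any]:
    return json.loads(SAMPLE_SECRETS_JSON)


def diagnose(log_line: str, secrets: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Which alias/purpose failed, and whether secrets.json already maps it.
    If it is already mapped, the keystore contents are the next thing to check."""
    parsed = parse_missing_key(log_line)
    if parsed is None:
        return None
    alias, purpose = parsed
    return {"alias": alias, "purpose": purpose, "mapped": alias in aliases_for(secrets, purpose)}


if __name__ == "__main__":
    current = load_sample()
    report = diagnose(LOG_NO_SECRET, current)
    print("diagnosis:", report)
    if report and not report["mapped"]:
        print(json.dumps(add_alias(current, report["purpose"], report["alias"]), indent=2))
```

Run it against your real file by replacing load_sample() with json.load() on secrets.json and feeding it the actual log line; a "mapped": true result means the alias is already in secrets.json and the missing piece is the key itself in the keystore, which this script does not inspect.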
See Also
Resource exception: 500 Internal Server Error keeps happening in IDM (All versions)
How do I troubleshoot Active Directory password synchronization issues in IDM (All versions)?
Security Guide › Managing Secret Stores, Certificates and Keys
Related Training
N/A