Unable to find key error after upgrading to IDM 6.5.x or 7.x

Last updated Jan 12, 2023

The purpose of this article is to provide assistance if you encounter "Unable to find key" or "Unable to find decryption key with alias" errors after upgrading IDM or creating custom aliases.

Symptoms

The following errors are shown one after another in the logs when this happens:

SEVERE: Unable to find key: Dec 24, 2020 14:17:19.863 PM org.forgerock.openidm.secrets.impl.DefaultSecretsService getIdAndKey SEVERE: Unable to find key org.forgerock.secrets.NoSuchSecretException: No secret with id custom.alias for purpose idm.default at org.forgerock.secrets.keystore.KeyStoreSecretStore.getNamed(KeyStoreSecretStore.java:274) at org.forgerock.secrets.SecretsProvider.lambda$null$5(SecretsProvider.java:156) at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:262) at org.forgerock.util.promise.Promises$CompletedPromise.thenCatchAsync(Promises.java:232) at org.forgerock.secrets.SecretsProvider.lambda$getNamedSecret$6(SecretsProvider.java:156)
WARNING: Resource exception: 500 Internal Server Error:Dec 24, 2020 14:17:19.867 PM org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3 lambda$handleRequestWithLogging$8 WARNING: Resource exception: 500 Internal Server Error: "Wrapped org.forgerock.json.JsonValueException: /: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key with alias: custom.alias" org.forgerock.json.resource.InternalServerErrorException: Wrapped org.forgerock.json.JsonValueException: /: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key with alias: custom.alias at org.forgerock.json.resource.ResourceException.newResourceException(ResourceException.java:231) at org.forgerock.openidm.script.ScriptThrownException.toResourceException(ScriptThrownException.java:135) at org.forgerock.openidm.script.handler.ScriptedRequestHandler.convertScriptException(ScriptedRequestHandler.java:372) at org.forgerock.openidm.script.handler.ScriptedRequestHandler.lambda$handleAction$1(ScriptedRequestHandler.java:176) ... Caused by: org.forgerock.openidm.script.ScriptThrownException: Wrapped org.forgerock.json.JsonValueException: /: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key with alias: custom.alias ...

The secret (shown as custom.alias in the above logs) is a custom alias you have created.

Recent Changes

Upgraded to IDM 6.5 or later.

Configured the Active Directory® password synchronization plugin in IDM 6.5 or later.

Causes

This issue can occur if you've created a custom alias for a default key and the alias mapping is missing or incorrectly configured.

If this issue has occurred after configuring the Active Directory password synchronization plugin, you may have missed a step to add the alias to the secrets.json file. This step is missing in some versions of the documentation per: OPENIDM-15054 (secrets.json not documented for AD Password sync). This is resolved in the documentation for IDM 6.5.1, and IDM 7.0.1 and later.

Solution

This issue can be resolved by adding the missing alias to secrets.json for the idm.default secret:

Add the alias to the list of aliases for the idm.default secret in secrets.json, for example:{ "secretId" : "idm.default", "types": [ "ENCRYPT", "DECRYPT" ], "aliases": [ "&{openidm.config.crypto.alias|openidm-sym-default}","custom.alias" ] }
Restart IDM to reload the keystores.

See To Generate Keys and Certificates With Custom Aliases (Workaround for OPENIDM-12078) for further information.

If you have configured the Active Directory password synchronization plugin and it is still not working, ensure you review the steps in the current documentation to ensure you have completed them all successfully: Install the Active Directory password synchronization plugin.

Related Training

N/A

Related Issue Tracker IDs

N/A