Does not apply to Identity Cloud

Unable to find key error after upgrading to IDM 6.5.x or 7.x

Last updated Mar 19, 2021

The purpose of this article is to provide assistance if you encounter "Unable to find key" or "Unable to find decryption key with alias" errors after upgrading IDM or creating custom aliases.


Symptoms

The following errors are shown one after another in the logs when this happens:

  • SEVERE: Unable to find key:

    Dec 24, 2020 14:17:19.863 PM org.forgerock.openidm.secrets.impl.DefaultSecretsService getIdAndKey
    SEVERE: Unable to find key
    org.forgerock.secrets.NoSuchSecretException: No secret with id custom.alias for purpose idm.default
        at org.forgerock.secrets.keystore.KeyStoreSecretStore.getNamed(KeyStoreSecretStore.java:274)
        at org.forgerock.secrets.SecretsProvider.lambda$null$5(SecretsProvider.java:156)
        at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:262)
        at org.forgerock.util.promise.Promises$CompletedPromise.thenCatchAsync(Promises.java:232)
        at org.forgerock.secrets.SecretsProvider.lambda$getNamedSecret$6(SecretsProvider.java:156)

  • WARNING: Resource exception: 500 Internal Server Error:

    Dec 24, 2020 14:17:19.867 PM org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3 lambda$handleRequestWithLogging$8
    WARNING: Resource exception: 500 Internal Server Error: "Wrapped org.forgerock.json.JsonValueException: /: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key with alias: custom.alias"
    org.forgerock.json.resource.InternalServerErrorException: Wrapped org.forgerock.json.JsonValueException: /: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key with alias: custom.alias
        at org.forgerock.json.resource.ResourceException.newResourceException(ResourceException.java:231)
        at org.forgerock.openidm.script.ScriptThrownException.toResourceException(ScriptThrownException.java:135)
        at org.forgerock.openidm.script.handler.ScriptedRequestHandler.convertScriptException(ScriptedRequestHandler.java:372)
        at org.forgerock.openidm.script.handler.ScriptedRequestHandler.lambda$handleAction$1(ScriptedRequestHandler.java:176)
        ...
    Caused by: org.forgerock.openidm.script.ScriptThrownException: Wrapped org.forgerock.json.JsonValueException: /: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key with alias: custom.alias
        ...

The secret (shown as custom.alias in the above logs) is a custom alias you have created. 

Recent Changes

Upgraded to IDM 6.5 or later.

Configured the Active Directory® password synchronization plugin in IDM 6.5 or later.

Causes

This issue can occur if you've created a custom alias for a default key and the alias mapping is missing or incorrectly configured.

If this issue occurred after configuring the Active Directory password synchronization plugin, you may have missed the step that adds the alias to the secrets.json file. This step is absent from some versions of the documentation, as tracked in OPENIDM-15054 (secrets.json not documented for AD Password sync). The documentation has been corrected for IDM 6.5.1 and for IDM 7.0.1 and later.

Solution

This issue can be resolved by adding the missing alias to secrets.json for the idm.default secret:

  1. Add the alias to the list of aliases for the idm.default secret in secrets.json, for example:

     {
         "secretId" : "idm.default",
         "types": [ "ENCRYPT", "DECRYPT" ],
         "aliases": [ "&{openidm.config.crypto.alias|openidm-sym-default}", "custom.alias" ]
     }
  2. Restart IDM to reload the keystores.
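Before restarting, you can confirm that every alias named in the errors is actually mapped to idm.default. The following Python script is an added example, not part of this article or of IDM: it extracts the missing alias from both log messages shown above, resolves &{property|default} expressions the way the aliases list uses them, reports any alias the mapping lacks, and applies the fix from step 1. The stores/mappings wrapper around the mapping, the sample log and the sample secrets.json are constructed for the example; only the mapping object itself mirrors the article.

```python
import json
import re

# Both messages in the article's log excerpt name the alias IDM could not find.
MISSING_ALIAS_RE = re.compile(r'Unable to find decryption key with alias: ([^\s"]+)'
                              r"|No secret with id (\S+) for purpose")
PROP_EXPR_RE = re.compile(r"^&\{([^|}]+)(?:\|([^}]*))?\}$")  # &{property|default}

# Constructed sample log, abridged from the shape shown in the article.
SAMPLE_LOG = ('org.forgerock.secrets.NoSuchSecretException: No secret with id custom.alias for purpose idm.default\n'
              'WARNING: Resource exception: 500 Internal Server Error: "Wrapped ... '
              'JsonCryptoException: Unable to find decryption key with alias: custom.alias"\n')
# Constructed secrets.json: the stores/mappings wrapper is assumed; the mapping mirrors the article.
SAMPLE_SECRETS = json.loads('{"stores": [{"name": "mainKeyStore", "mappings": ['
                            '{"secretId": "idm.default", "types": ["ENCRYPT", "DECRYPT"],'
                            ' "aliases": ["&{openidm.config.crypto.alias|openidm-sym-default}"]}]}]}')

def aliases_from_log(log_text):
    """Aliases IDM reported as missing, from either error message."""
    return {a or b for a, b in MISSING_ALIAS_RE.findall(log_text)}

def resolve_alias(alias, properties=None):
    """Resolve an &{prop|default} expression against IDM properties; plain aliases pass through."""
    m = PROP_EXPR_RE.match(alias)
    return alias if not m else (properties or {}).get(m.group(1), m.group(2))

def mapped_aliases(secrets, secret_id="idm.default", properties=None):
    """Resolved aliases mapped to secret_id across every store in secrets.json."""
    return {resolve_alias(a, properties)
            for store in secrets.get("stores", [])
            for mapping in store.get("mappings", [])
            if mapping.get("secretId") == secret_id
            for a in mapping.get("aliases", [])}

def missing_mappings(log_text, secrets, secret_id="idm.default"):
    """Aliases named in the errors that secret_id does not map to: the article's cause."""
    return sorted(aliases_from_log(log_text) - mapped_aliases(secrets, secret_id))

def add_alias(secrets, alias, secret_id="idm.default"):
    """The article's fix: append alias to the first secret_id mapping (idempotent); restart IDM after."""
    for store in secrets.get("stores", []):
        for mapping in store.get("mappings", []):
            if mapping.get("secretId") == secret_id:
                if alias not in mapping.setdefault("aliases", []):
                    mapping["aliases"].append(alias)
                return True
    return False  # no mapping for secret_id exists at all

if __name__ == "__main__":
    print(missing_mappings(SAMPLE_LOG, SAMPLE_SECRETS))  # ['custom.alias']
```

Point the script at your real secrets.json and log file with json.load and a read of the log; after add_alias writes the change back, IDM still has to be restarted for the keystore mapping to take effect.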

See Release Notes › To Generate Keys and Certificates With Custom Aliases (Workaround for OPENIDM-12078) for further information.

If you have configured the Active Directory password synchronization plugin and it is still not working, review the steps in the current documentation and confirm that you have completed every one of them: Password Synchronization Plugin Guide › Installing the Active Directory Password Synchronization Plugin.

See Also

Resource exception: 500 Internal Server Error keeps happening in IDM (All versions)

How do I troubleshoot Active Directory password synchronization issues in IDM (All versions)?

Security Guide › Managing Secret Stores, Certificates and Keys

Security Guide › Configuring Secret Stores

Related Training

N/A

Related Issue Tracker IDs

OPENIDM-12078 (You cannot customize the aliases of the default keys added to the IDM keystore and truststore)



Copyright © 2021 ForgeRock, all rights reserved.