Unable to read secret/private key error in AM 6.5.x or 7.x
The purpose of this article is to provide assistance if you get an "Unable to read secret/private key" error in AM after generating a new key alias.
Symptoms
The following error is shown in the org.forgerock.secrets.keystore.KeyStoreSecretStore debug log when attempting to view keystore mappings in the AM admin UI (where 'secret.id' and [key alias] refer to the keys in your store):
Looking up active key for purpose Purpose{secretType=SigningKey, label='secret.id'} org.forgerock.secrets.keystore.KeyStoreSecretStore:04/03/2020 11:07:20:993 AM GMT: Thread[https-jsse-nio-8443-exec-7,5,main]: TransactionId[a51cde84-07e0-494b-93c3-a05cf6fb1ed8-468] ERROR: Unable to read secret/private [key alias]
The following error is shown in the org.forgerock.secrets.keystore.KeyStoreSecretStore debug log when AM is trying to read the key alias (for example, when requesting an OIDC token):
org.forgerock.secrets.keystore.KeyStoreSecretStore:04/03/2020 11:07:20:993 AM GMT: Thread[https-jsse-nio-8443-exec-2,5,main]: TransactionId[a3bfc6a0-46ae-493b-bfc9-00012a31f700-25283] ERROR: Unable to read secret/private key alias
java.security.UnrecoverableKeyException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.KeyProtector.recover(KeyProtector.java:189)
    at com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:133)
    at java.security.KeyStore.getKey(KeyStore.java:1023)
    at org.forgerock.secrets.keystore.KeyStoreSecretStore.lambda$loadKey$18(KeyStoreSecretStore.java:313)
    ...
The following response is shown when requesting an OIDC token:
{ "error_description": "Unable to sign", "error": "server_error" }
Recent Changes
Generated a new key alias.
Causes
When creating a new key alias, you must specify the correct keypass. The keypass is the password that AM uses to protect private/signing keys in the keystore. AM uses this keypass to access the private/signing keys.
If you have used the wrong keypass (for example, you have used the storepass instead) when creating the new key alias, AM will not be able to read the new key, which causes this error.
Solution
This issue can be resolved by re-creating the key with the correct keypass. Do not use special characters in the keypass, and write the keypass file with the echo -n command so that no hidden trailing newline character is stored (a trailing newline becomes part of the password and AM will fail to unlock the key), for example:
$ echo -n newkeypassword > .am_keystore_keypass
See the steps outlined in Create key aliases for the recommended procedures for creating key aliases in new and existing keystores.
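As an added illustration (this is not ForgeRock's own script or procedure), the following POSIX shell snippet checks a keypass file for the two defects described above, a trailing newline and special characters, before the file is handed to keytool, and then shows the keytool call that reads both passwords from files so that the keypass rather than the storepass is used for the new alias. The keystore path, store type, alias name and password file names are assumptions for the example; substitute the values from your AM instance.

```sh
#!/bin/sh
# Added example, not part of the original article.
# check_keypass_file FILE
#   Returns 0 if FILE is usable as a keypass file: non-empty, not ending in a
#   newline (what 'echo' without -n appends) and containing no characters
#   outside a conservative set. Prints the reason on stderr and returns 1 otherwise.
check_keypass_file() {
  f=$1
  if [ ! -s "$f" ]; then
    echo "$f: missing or empty" >&2
    return 1
  fi
  # Command substitution strips trailing newlines, so the last byte is
  # reported as "" exactly when it is a newline (the file is non-empty here).
  if [ -z "$(tail -c 1 "$f")" ]; then
    echo "$f: ends with a newline; recreate it with 'echo -n'" >&2
    return 1
  fi
  # Assumption: the article only says "no special characters"; this check
  # allows letters, digits, '-' and '_' only.
  if grep -q '[^A-Za-z0-9_-]' "$f"; then
    echo "$f: contains a special character" >&2
    return 1
  fi
  return 0
}

# generate_key_alias ALIAS KEYSTORE STOREPASS_FILE KEYPASS_FILE
#   Creates a new RSA key pair in a JCEKS keystore, reading the store password
#   and the key password from separate files so the two cannot be mixed up on
#   the command line. Assumes keytool (JDK 8 or later) is on PATH.
generate_key_alias() {
  alias=$1; ks=$2; storepass_file=$3; keypass_file=$4
  check_keypass_file "$keypass_file" || return 1
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 \
    -keystore "$ks" -storetype JCEKS \
    -storepass:file "$storepass_file" \
    -keypass:file "$keypass_file" \
    -dname "CN=$alias"
}

# Example invocation (paths are placeholders for this illustration):
#   echo -n newkeypassword > .am_keystore_keypass
#   check_keypass_file .am_keystore_keypass
#   generate_key_alias newkey keystore.jceks .am_keystore_storepass .am_keystore_keypass
```

The readability failure in the debug log appears only when AM tries to unlock the private key, so catching a bad keypass file before the alias is generated is cheaper than diagnosing the UnrecoverableKeyException afterwards.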
See Also
Secrets, certificates, and keys
Related Training
N/A
Related Issue Tracker IDs
OPENAM-13575 (Unhelpful log message when OIDC public client wants to use HMAC id token signing)