Does not apply to Identity Cloud

Unable to read secret/private key error in AM 6.5.x or 7.x

Last updated Feb 24, 2021

The purpose of this article is to provide assistance if you get an "Unable to read secret/private key" error in AM after generating a new key alias.


Symptoms

The following error is shown in the org.forgerock.secrets.keystore.KeyStoreSecretStore debug log when attempting to view keystore mappings in the console (where 'secret.id' and [key alias] refer to the keys in your store):

Looking up active key for purpose Purpose{secretType=SigningKey, label='secret.id'}
org.forgerock.secrets.keystore.KeyStoreSecretStore:04/03/2020 11:07:20:993 AM GMT: Thread[https-jsse-nio-8443-exec-7,5,main]: TransactionId[a51cde84-07e0-494b-93c3-a05cf6fb1ed8-468] ERROR: Unable to read secret/private [key alias]

The following error is shown in the org.forgerock.secrets.keystore.KeyStoreSecretStore debug log when AM is trying to read the key alias (for example, when requesting an OIDC token):

org.forgerock.secrets.keystore.KeyStoreSecretStore:04/03/2020 11:07:20:993 AM GMT: Thread[https-jsse-nio-8443-exec-2,5,main]: TransactionId[a3bfc6a0-46ae-493b-bfc9-00012a31f700-25283] ERROR: Unable to read secret/private key alias
java.security.UnrecoverableKeyException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.KeyProtector.recover(KeyProtector.java:189)
    at com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:133)
    at java.security.KeyStore.getKey(KeyStore.java:1023)
    at org.forgerock.secrets.keystore.KeyStoreSecretStore.lambda$loadKey$18(KeyStoreSecretStore.java:313)
    ...

The following response is shown when requesting an OIDC token:

{
  "error_description": "Unable to sign",
  "error": "server_error"
}

Recent Changes

Generated a new key alias.

Causes

When creating a new key alias, you must specify the correct keypass. The keypass is the password that AM uses to protect private/signing keys in the keystore. AM uses this keypass to access the private/signing keys.  

If you have used the wrong keypass (for example, you have used the storepass instead) when creating the new key alias, AM will not be able to read the new key, which causes this error.

Solution

This issue can be resolved by re-creating the key with the correct keypass. You must not use special characters in the keypass and you should use the echo -n command to avoid inserting hidden trailing newline characters, for example:

$ echo -n newkeypassword > .am_keystore_keypass

See the steps outlined in Security Guide › Creating Key Aliases for the recommended procedures for creating key aliases in new and existing keystores. 
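The following shell script is an added example and is not ForgeRock's own tooling. It writes the keypass file without a trailing newline (the effect of echo -n described above), checks the file for a hidden trailing newline and the keypass for special characters, and, assuming a JCEKS keystore (the JceKeyStore class in the stack trace above) and a JDK keytool on the PATH, confirms that a key alias can be recovered with that keypass by copying the entry into a throwaway keystore, so the source keystore is never modified. The function names, file names and the keytool-based check are assumptions of this example, not part of the article.

```shell
#!/bin/sh
# Added example (not ForgeRock tooling): prepare and sanity-check an AM keypass
# file before re-creating a key alias, then confirm the alias is readable.
# Assumptions: JCEKS keystore, JDK keytool on PATH, POSIX sh utilities.

# Write the keypass to a file with no trailing newline, as `echo -n` does.
# $1 = keypass, $2 = output file (for example .am_keystore_keypass)
write_keypass() {
    printf '%s' "$1" > "$2"
}

# Succeed (0) only if the file is non-empty and its last byte is not a newline.
# A trailing newline is exactly the hidden character the article warns about.
file_has_no_trailing_newline() {
    [ -s "$1" ] || return 1
    [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# Succeed (0) only if the keypass is non-empty and contains just letters and
# digits, matching the article's "no special characters" advice.
keypass_is_plain() {
    case "$1" in
        '')             return 1 ;;
        *[!A-Za-z0-9]*) return 1 ;;
        *)              return 0 ;;
    esac
}

# Non-destructive read test for one alias (assumed approach, not from the article):
# keytool -importkeystore into a throwaway destination fails unless the source
# keypass can recover the private key, which is the same check AM performs.
# $1 = keystore path, $2 = storepass file, $3 = keypass file, $4 = key alias
check_alias_readable() {
    tmpdir=$(mktemp -d) || return 1
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype JCEKS \
        -srcstorepass:file "$2" -srcalias "$4" -srckeypass:file "$3" \
        -destkeystore "$tmpdir/check.jceks" -deststoretype JCEKS \
        -deststorepass:file "$2" -destkeypass:file "$3" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# Combined pre-flight: write the keypass, then run both file checks.
# $1 = keypass, $2 = keypass file
prepare_keypass() {
    keypass_is_plain "$1" || { echo "keypass contains special characters" >&2; return 1; }
    write_keypass "$1" "$2"
    file_has_no_trailing_newline "$2" || { echo "keypass file has a trailing newline" >&2; return 1; }
    return 0
}

# Usage when run directly (hypothetical paths):
#   prepare_keypass newkeypassword .am_keystore_keypass
#   check_alias_readable keystore.jceks .am_keystore_storepass .am_keystore_keypass mykey \
#       && echo "alias readable" || echo "alias NOT readable with this keypass"
```

Run check_alias_readable after re-creating the alias and before restarting AM: if it fails with the keypass file AM will use, the key was protected with a different password (for example the storepass) and the symptoms above will recur.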

See Also

Secret store fails to start with Label must match regex exception in AM 6.5.0.x, 6.5.1 and 6.5.2.x

Shared secret cannot be null error when requesting OAuth2 access tokens in AM 5.x and 6.0.0.x

Security Guide › Configuring Secrets, Certificates, and Keys

Security Guide › Mapping and Rotating Secrets

OAuth 2.0 Guide › Client Registration

Related Training

N/A

Related Issue Tracker IDs

OPENAM-13575 (Unhelpful log message when OIDC public client wants to use HMAC id token signing)



Copyright © 2021 ForgeRock, all rights reserved.