Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Unable to read secret/private key error in AM 6.5.x or 7.x

Last updated Jan 16, 2023

The purpose of this article is to provide assistance if you get an "Unable to read secret/private key" error in AM after generating a new key alias.


1 reader recommends this article

Symptoms

The following error is shown in the org.forgerock.secrets.keystore.KeyStoreSecretStore debug log when attempting to view keystore mappings in the AM admin UI (where 'secret.id' and [key alias] refer to the keys in your store):

Looking up active key for purpose Purpose{secretType=SigningKey, label='secret.id'} org.forgerock.secrets.keystore.KeyStoreSecretStore:04/03/2020 11:07:20:993 AM GMT: Thread[https-jsse-nio-8443-exec-7,5,main]: TransactionId[a51cde84-07e0-494b-93c3-a05cf6fb1ed8-468]  ERROR: Unable to read secret/private [key alias]

The following error is shown in the org.forgerock.secrets.keystore.KeyStoreSecretStore debug log when AM is trying to read the key alias (for example, when requesting an OIDC token):

org.forgerock.secrets.keystore.KeyStoreSecretStore:04/03/2020 11:07:20:993 AM GMT: Thread[https-jsse-nio-8443-exec-2,5,main]: TransactionId[a3bfc6a0-46ae-493b-bfc9-00012a31f700-25283] ERROR: Unable to read secret/private key alias java.security.UnrecoverableKeyException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.   at com.sun.crypto.provider.KeyProtector.recover(KeyProtector.java:189)    at com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:133)    at java.security.KeyStore.getKey(KeyStore.java:1023)    at org.forgerock.secrets.keystore.KeyStoreSecretStore.lambda$loadKey$18(KeyStoreSecretStore.java:313) ...

The following response is shown when requesting an OIDC token:

{  "error_description": "Unable to sign",   "error": "server_error" }

Recent Changes

Generated a new key alias.

Causes

When creating a new key alias, you must specify the correct keypass. The keypass is the password that AM uses to protect private/signing keys in the keystore. AM uses this keypass to access the private/signing keys.

If you have used the wrong keypass (for example, you have used the storepass instead) when creating the new key alias, AM will not be able to read the new key, which causes this error.

Solution

This issue can be resolved by re-creating the key with the correct keypass. You must not use special characters in the keypass and you should use the echo -n command to avoid inserting hidden trailing newline characters, for example:

$ echo -n newkeypassword > .am_keystore_keypass

See the steps outlined in Create key aliases for the recommended procedures for creating key aliases in new and existing keystores.

See Also

Secrets, certificates, and keys

Mapping and Rotating Secrets

Client registration

Related Training

N/A

Related Issue Tracker IDs

OPENAM-13575 (Unhelpful log message when OIDC public client wants to use HMAC id token signing)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.