Versions Compared

Version Old Version 12 New Version 13
Changes made by

David Banz

David Banz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Upon startup of IDM you might see one or more error messages like the one below:

...

Compromised

...

key

...

detected:

...

Descriptor

...

[SelfServiceJWTSigner

...

(version:

...

1)]

...

in

...

engineSignEncrypt

...

config

...

xml.

...

This

...

is

...

a

...

SECURITY

...

RISK

...

on

...

productive

...

systems.

...

It

...

is

...

ESSENTIAL

...

to

...

replace

...

it

...

with

...

a

...

new

...

secure

...

key.

...

This means that one or more demo keys (considered compromised and unfit for productive use) are still in use. Each message indicates the offending descriptor and version from the config XML.

...

Startup of IDM might fail with an exception message like this in the log:

...

Aborting

...

deployment!

...

Unable

...

to

...

verify

...

the

...

last

...

Object

...

History

...

entry

...

of

...

the

...

chain

...

[PRIME1].

...

There

...

appears

...

to

...

be

...

an

...

error

...

in

...

the

...

engineSignEncrypt

...

configuration

...

of

...

the

...

descriptor

...

[ObjectHistorySigner

...

(version:

...

2)].

...

The

...

referenced

...

key

...

is

...

probably

...

wrong.

...

Another

...

possible

...

explanation

...

for

...

this

...

error

...

is

...

that

...

the

...

ObjectHistory

...

entry

...

was

...

manipulated.

...

Offending

...

entry

...

id:

...

[4711].

...

Please

...

check

...

the

...

engineSignEncrypt

...

config

...

xml

...

and

...

the

...

referenced

...

keys!

...

If

...

the

...

configured

...

key

...

is

...

correct,

...

the

...

entry

...

might

...

be

...

corrupted.

...

This

...

can

...

be

...

worked

...

around

...

by

...

starting

...

a

...

new

...

chain.

Some potential causes:

  1. The key configured for the ObjectHistorySigner descriptor in the current version (2 in the example above) is wrong, maybe you configured the wrong P12 file.

  2. The object history got corrupted (by accident or deliberate manipulation - forensic analysis may be advisable).
    A quick workaround to get the application to start again would be switching to a new chain name for idm-operator (history verification will still fail, though):

    Tomcat deployment: set chain name in system.properties

    Code Block
    ... etc. ...
commonHistoryService.chainName=NEW_CHAIN_NAME_GOES_HERE
... etc. ...


    Docker-deployment: set chain name in docker-compose.yml

    Code Block
    languageyaml
    ... etc. ...
    environment:
... etc. ...
      - 'SYSTEM_PROPERTIES={
          "commonHistoryService.chainName": "NEW_CHAIN_NAME_GOES_HERE",
... etc. ...


    You can solve this properly by re-signing the history entries via the batch_re-sign_history tool.

...

Startup of IDM might fail with an exception message like this in the log:

...

Error

...

accessing

...

the

...

sign

...

and

...

encrypt

...

engine

...

(

...

There's

...

no

...

keystore

...

at

...

classpath:hybridEncKeypair.p12)

This means that the config XML for the sign and encrypt engine references a file that does not exist at the given location.

...