...
For replacing these keys see Bootstrap the sign and encrypt engine in Identity Manager Bootstrapping Productive Systems .
Note: Replacing the EncryptedFields descriptor's key requires re-encryption of existing secrets via the batch_secretfieldstore_change_encryption_key tool. Replacing the ObjectHistorySigner descriptor's key requires re-signing existing history entries via the batch_re-sign_history tool. Replacing the ConfigZipSigner descriptor's key means any previously exported encrypted config ZIP files can no longer be decrypted (versioning to enable decryption with historical keys is not yet supported here).
...
The key configured for the ObjectHistorySigner descriptor in the current version (2 in the example error message above) is wrong; perhaps the wrong P12 file was configured.
The object history has been corrupted (by accident or through deliberate manipulation; a forensic analysis may be advisable).
A quick workaround to get the application to start again is to switch idm-operator to a new chain name (history verification will still fail, though):

Tomcat deployment: set the chain name in system.properties

    ... etc. ...
    commonHistoryService.chainName=NEW_CHAIN_NAME_GOES_HERE
    ... etc. ...

Docker deployment: set the chain name in docker-compose.yml

    ... etc. ...
    environment:
      ... etc. ...
      - 'SYSTEM_PROPERTIES={ "commonHistoryService.chainName": "NEW_CHAIN_NAME_GOES_HERE", ... etc. ...
You can solve this properly by re-signing the history entries via the batch_re-sign_history tool.
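The following Python sketch is an added illustration of why a signer key replacement or a corrupted entry breaks history verification, and what a re-signing step does to repair it. It is not Identity Manager's code, not the batch_re-sign_history tool, and not the product's on-disk format: the entry layout, the HMAC-SHA256 hash chain, the keys and the sample entries are all constructed here for demonstration only.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample history entries; the field names are invented for this example.
SAMPLE_ENTRIES = [
    {"object": "user:alice", "change": "created"},
    {"object": "user:alice", "change": "role added: operator"},
    {"object": "user:bob", "change": "created"},
]


def _digest(chain_name, prev_sig, payload, key):
    """HMAC over the chain name, the previous signature and the entry payload.

    Binding the previous signature into each entry turns the history into a
    chain: altering or removing one entry invalidates it and everything after it.
    """
    msg = json.dumps(
        {"chain": chain_name, "prev": prev_sig, "payload": payload}, sort_keys=True
    ).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_history(entries, chain_name, key):
    """Sign a list of payloads as one chain under the given signer key."""
    signed, prev = [], ""
    for payload in entries:
        sig = _digest(chain_name, prev, payload, key)
        signed.append({"chain": chain_name, "payload": payload, "sig": sig})
        prev = sig
    return signed


def verify_history(signed, chain_name, key):
    """Return the index of the first entry that fails verification, or -1 if all pass."""
    prev = ""
    for i, entry in enumerate(signed):
        expected = _digest(chain_name, prev, entry["payload"], key)
        if not hmac.compare_digest(expected, entry["sig"]):
            return i
        prev = entry["sig"]
    return -1


def re_sign_history(signed, chain_name, old_key, new_key):
    """Re-sign the whole chain with a new key, but only after the old key still verifies it.

    Refusing to re-sign a chain that does not verify keeps a key rotation from
    silently laundering a corrupted history into a valid-looking one.
    """
    bad = verify_history(signed, chain_name, old_key)
    if bad != -1:
        raise ValueError(f"entry {bad} does not verify under the old key; refusing to re-sign")
    return sign_history([e["payload"] for e in signed], chain_name, new_key)


if __name__ == "__main__":
    old_key, new_key = b"constructed-old-signer-key", b"constructed-new-signer-key"
    chain = sign_history(SAMPLE_ENTRIES, "idm-operator", old_key)
    print("old key verifies:", verify_history(chain, "idm-operator", old_key) == -1)
    # Swapping the signer key alone breaks verification at the very first entry.
    print("new key, not re-signed, fails at entry:", verify_history(chain, "idm-operator", new_key))
    rotated = re_sign_history(chain, "idm-operator", old_key, new_key)
    print("new key after re-signing verifies:", verify_history(rotated, "idm-operator", new_key) == -1)
    # A modified entry is detected at its own position.
    tampered = copy.deepcopy(rotated)
    tampered[1]["payload"]["change"] = "role added: admin"
    print("tampered chain fails at entry:", verify_history(tampered, "idm-operator", new_key))
```

The index returned by verify_history tells an operator which case from the list above they are in: a failure at entry 0 right after a key change points to a wrong key or P12 file, while a failure in the middle of an otherwise valid chain points to a modified entry and is the case where forensic analysis rather than re-signing is the right response.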
...
In IDM versions before 24.R1 that folder contained all demo keys, which have since been removed. Furthermore, the engineSignEncryptConfig.xml shipped in the WAR files of 24.R1 and above references additional P12 files that were not used or bootstrapped previously (by default we use a dedicated P12 file per descriptor instead of sharing one between descriptors).
Refer to Bootstrap List of descriptors of the sign and encrypt engine in Identity Manager to bootstrap any missing keys/certificates.
...