...
Note: Before doing any repair procedures, a backup of the IDM Identity Manager applications, configuration files, and database is recommended.
Error Message(s) Logged On Startup: Compromised key detected ...
Upon startup of IDM Identity Manager you might see one or more error messages like the one below:
...
Note: Replacing the EncryptedFields descriptor's key requires re-encryption of existing secrets via the batch_secretfieldstore_change_encryption_key tool. Replacing the ObjectHistorySigner descriptor's key requires re-signing existing history entries via the batch_re-sign_history tool. Replacing the ConfigZipSigner descriptor's key means any previously exported encrypted config ZIP files cannot be decrypted anymore (versioning to enable decryption with historical keys is not yet supported here).
Startup Fails With Exception Message: Aborting deployment! Unable to verify the last Object History entry ...
Startup of IDM Identity Manager might fail with an exception message like this in the log:
...
Possible causes:
- The key configured for the ObjectHistorySigner descriptor in the current version (2 in the example error message above) is wrong; perhaps you configured the wrong P12 file.
- The object history got corrupted (by accident or by deliberate manipulation; in the latter case a forensic analysis may be advisable).
A quick workaround to get the application to start again would be switching to a new chain name for idm-operator (history verification will still fail, though):
Tomcat deployment: set the chain name in system.properties

```properties
... etc. ...
commonHistoryService.chainName=NEW_CHAIN_NAME_GOES_HERE
... etc. ...
```
Docker deployment: set the chain name in docker-compose.yml

```yaml
... etc. ...
environment:
  ... etc. ...
  - 'SYSTEM_PROPERTIES={
      "commonHistoryService.chainName": "NEW_CHAIN_NAME_GOES_HERE",
      ... etc. ...
```
You can solve this properly by re-signing the history entries via the batch_re-sign_history tool.
Startup Fails With Exception Message: Error accessing the sign and encrypt engine ( There's no keystore ...
Startup of IDM Identity Manager might fail with an exception message like this in the log:
...
All files referenced via a location with the classpath: prefix usually need to be inside the WEB-INF\classes\ folder of the web application.
In IDM Identity Manager versions before 24.R1 that folder did contain all demo keys, which have since been removed. Furthermore, the engineSignEncryptConfig.xml shipped in the WAR files of 24.R1 and above references additional P12 files that were not used or not bootstrapped previously (by default a dedicated P12 file is used per descriptor instead of sharing one between them).
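A pre-deployment check for the situation above, added here as an example and not part of the IDM Identity Manager product or its documentation: it scans an engineSignEncryptConfig.xml for every location carrying the classpath: prefix and reports which of the referenced files are missing under WEB-INF/classes. The XML structure in SAMPLE_CONFIG is constructed for illustration only; the scan matches the classpath: prefix wherever it appears, so it does not depend on the real file's element or attribute names.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Matches a "classpath:" location wherever it appears, in attribute values or element text.
CLASSPATH_REF = re.compile(r"classpath:([^\s\"'<>]+)")

# Constructed sample; the element and attribute names are NOT the product's real schema.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<engineSignEncryptConfig>
  <descriptor name="EncryptedFields" keystore="classpath:encryptedfields.p12"/>
  <descriptor name="ObjectHistorySigner" keystore="classpath:objecthistorysigner.p12"/>
  <descriptor name="ConfigZipSigner"><location>classpath:configzipsigner.p12</location></descriptor>
</engineSignEncryptConfig>
"""


def classpath_references(xml_text: str) -> list[str]:
    """Return every classpath:-relative path in the config, in document order, without duplicates."""
    root = ET.fromstring(xml_text)
    found: list[str] = []
    for elem in root.iter():
        values = list(elem.attrib.values())
        if elem.text:
            values.append(elem.text)
        for value in values:
            for match in CLASSPATH_REF.finditer(value):
                if match.group(1) not in found:
                    found.append(match.group(1))
    return found


def missing_keystores(xml_text: str, classes_dir: Path) -> list[str]:
    """Return the classpath references that do not resolve to a file below WEB-INF/classes."""
    return [ref for ref in classpath_references(xml_text) if not (classes_dir / ref).is_file()]


def demo() -> list[str]:
    """Stage a WEB-INF/classes folder holding only two of the three referenced keystores."""
    with tempfile.TemporaryDirectory() as tmp:
        classes = Path(tmp) / "WEB-INF" / "classes"
        classes.mkdir(parents=True)
        for name in ("encryptedfields.p12", "objecthistorysigner.p12"):
            (classes / name).write_bytes(b"placeholder, not a real keystore")
        return missing_keystores(SAMPLE_CONFIG, classes)


if __name__ == "__main__":
    print(demo())  # ['configzipsigner.p12']
```

Running the same check against the exploded WAR of a real deployment (pointing classes_dir at its WEB-INF\classes\ folder and reading the shipped engineSignEncryptConfig.xml) lists exactly the P12 files that still have to be provided before startup.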
...