Document toolboxDocument toolbox

Troubleshooting the sign and encrypt engine

This article includes is new for Identity Manager 5.0.1.

This article provides guidance and troubleshooting tips for addressing common error scenarios related to the sign and encrypt engine and how to solve them.

Before doing any repair procedures, creating a backup of the Identity Manager applications, configuration files, and database is recommended.

Error messages on startup

Upon startup of Identity Manager you might see one or more error messages like the one below:

Compromised key detected: Descriptor [SelfServiceJWTSigner (version: 1)] in engineSignEncrypt config xml. This is a SECURITY RISK on productive systems. It is ESSENTIAL to replace it with a new secure key.

This means that one or more blacklisted keys (such as publicly known demo keys) are in use. Each message indicates the offending descriptor and version from the configuration XML.

For information about how to replace the keys, see https://nexusdoc.atlassian.net/wiki/spaces/PUB/pages/199196688.

Startup fails with exception message

Startup of Identity Manager might fail with an exception message in the log.

Example

Aborting deployment! Unable to verify the last Object History entry of the chain [PRIME1]. There appears to be an error in the engineSignEncrypt configuration of the descriptor [ObjectHistorySigner (version: 2)]. The referenced key is probably wrong. Another possible explanation for this error is that the ObjectHistory entry was manipulated. Offending entry id: [4711]. Please check the engineSignEncrypt config xml and the referenced keys! If the configured key is correct, the entry might be corrupted. This can be worked around by starting a new chain.

Potential causes:

  1. The key configured for the ObjectHistorySigner descriptor in the current version (version 2 in the example error message) is wrong, the wrong P12 file might been configured.

  2. The object history got corrupted by accident or deliberate manipulation, forensic analysis may be advisable.

A quick workaround to restart the application is to switch to a new chain name for idm-operator:

Tomcat deployment: Set chain name in system.properties

... etc. ... commonHistoryService.chainName=NEW_CHAIN_NAME_GOES_HERE ... etc. ...

Docker-deployment: Set chain name in docker-compose.yml

... etc. ...     environment: ... etc. ...       - 'SYSTEM_PROPERTIES={ "commonHistoryService.chainName": "NEW_CHAIN_NAME_GOES_HERE", ... etc. ...

You can solve this properly by re-signing the history entries via the batch_re-sign_history tool.

Error accessing the sign and encrypt engine

Startup of Identity Manager might fail with an exception message like this in the log:

Error accessing the sign and encrypt engine (There's no keystore at classpath:hybridEncKeypair.p12)

This means that the configuration XML for the sign and encrypt engine references a file that does not exist at the given location. All files referenced via the location classpath: usually need to be inside the WEB-INF\classes\ folder of the web application.

For docker deployment the files have to be placed into the docker/compose/certs folder, which is mounted into /certs inside the container. These files need to be referenced as shown below (replace example.p12 with the proper filename):

For more information, see https://nexusdoc.atlassian.net/wiki/spaces/PUB/pages/199196688 to bootstrap any missing keys/certificates.

 

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions