ForgeRock AM installation failure - Could not write Amster keys

Hi,

Unable to install ForgeRock AM on Windows; getting the error below:
AMSetupServlet.processRequest: error java.lang.IllegalStateException: Could not write Amster keys
at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.createLocalAmsterKey(AuthorizedKeyConfiguratorPlugin.java:77)
at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.doPostConfiguration(AuthorizedKeyConfiguratorPlugin.java:57)
at com.sun.identity.setup.AMSetupServlet.handlePostPlugins(AMSetupServlet.java:1083)
at com.sun.identity.setup.AMSetupServlet.configure(AMSetupServlet.java:959)
at com.sun.identity.setup.AMSetupServlet.processRequest(AMSetupServlet.java:552)
at com.sun.identity.config.DefaultSummary.createDefaultConfig(DefaultSummary.java:124)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.click.util.ClickUtils.invokeMethod(ClickUtils.java:3317)
at org.apache.click.util.ClickUtils.invokeListener(ClickUtils.java:2088)
at org.apache.click.control.AbstractControl$1.onAction(AbstractControl.java:228)
at org.apache.click.ActionEventDispatcher.fireActionEvent(ActionEventDispatcher.java:259)
at org.apache.click.ActionEventDispatcher.fireActionEvents(ActionEventDispatcher.java:236)
at org.apache.click.ActionEventDispatcher.fireActionEvents(ActionEventDispatcher.java:180)
at org.apache.click.ClickServlet.performOnProcess(ClickServlet.java:746)
at org.apache.click.ClickServlet.processAjaxPageEvents(ClickServlet.java:1860)
at org.apache.click.ClickServlet.processPage(ClickServlet.java:559)
at org.apache.click.ClickServlet.handleRequest(ClickServlet.java:383)
at org.apache.click.ClickServlet.doGet(ClickServlet.java:276)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:656)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:765)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.forgerock.openam.headers.SecureCookieFilter.doFilter(SecureCookieFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.forgerock.openam.headers.DisableSameSiteCookiesFilter.doFilter(DisableSameSiteCookiesFilter.java:105)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:93)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:93)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:127)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.forgerock.openam.validation.RequestEntitySizeVerificationFilter.doFilter(RequestEntitySizeVerificationFilter.java:64)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:47)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:177)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:698)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:367)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:639)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:885)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1688)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.io.IOException: GROUP@: The trust relationship between the primary domain and the trusted domain failed.

at java.base/sun.nio.fs.WindowsUserPrincipals.lookup(WindowsUserPrincipals.java:148)
at java.base/sun.nio.fs.WindowsFileSystem$LookupService$1.lookupPrincipalByName(WindowsFileSystem.java:244)
at org.forgerock.openam.utils.file.FileUtils.getWindowsPath(FileUtils.java:149)
at org.forgerock.openam.utils.file.FileUtils.create(FileUtils.java:112)
at org.forgerock.openam.utils.file.FileUtils.createFileWithPermissions(FileUtils.java:91)
at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.writePrivateKey(AuthorizedKeyConfiguratorPlugin.java:82)
at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.createLocalAmsterKey(AuthorizedKeyConfiguratorPlugin.java:72)
... 68 more

Any idea how to solve this?

Java details for the installation

JAVA --version
openjdk 11 2018-09-25
OpenJDK Runtime Environment 18.9 (build 11+28)
OpenJDK 64-Bit Server VM 18.9 (build 11+28, mixed mode)

Hi sthaval

Did you find any solution to your problem?

I am also facing the same issue when trying to install on Windows.

Regards

AJ

Hi sthaval,

After reviewing the exception, I found that it is actually a Windows error message and not an error specific to AM. The error message java.io.IOException: GROUP@: The trust relationship between the primary domain and the trusted domain failed. is indicating a failure in the trust relationship between two domains in a Windows environment.

Based on investigation and consultation with our internal teams, it appears that the reported issue has only been raised a few times and is not related to AM. However, the following instructions were provided on the Microsoft Q&A forum to address the problem with multiple domains.

Can you test the instructions given in "Issue with Windows Authentication in IIS on site (Multiple Domains)" on Microsoft Q&A?

Maybe you can get the trusted domains using PowerShell

Import-Module ActiveDirectory
Get-ADForest | select domains

and the user domain

$env:UserDomain

and see if there is trust as suggested.

I hope you find this helpful.

Thank you
Sheila
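
The check suggested in the reply above, expanded into one script as an added example (not part of the thread and not ForgeRock code). It assumes Windows PowerShell with the RSAT ActiveDirectory module on a domain-joined host; `Test-NameResolution` is a helper defined here, and using .NET's `NTAccount` translation as a stand-in for the Java principal lookup in the stack trace is an assumption.

```powershell
# Added diagnostic example. Run on the AM host, ideally as the account that
# runs the web container, so the lookups happen in the same security context.
Import-Module ActiveDirectory

# Helper defined for this example: translate an account name to a SID and
# report the Windows error text if the translation fails.
function Test-NameResolution {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Name = $Name; Resolved = $true; Detail = $sid.Value }
    } catch {
        # A trust failure reads differently from an ordinary unknown-name error,
        # so keep the message rather than just returning $false.
        [pscustomobject]@{ Name = $Name; Resolved = $false; Detail = $_.Exception.Message }
    }
}

# 1. Domain of the logged-on user versus the domain the computer is joined to.
$userDomain     = $env:USERDOMAIN
$computerDomain = (Get-CimInstance Win32_ComputerSystem).Domain
"User domain:     $userDomain"
"Computer domain: $computerDomain"

# 2. Domains in the current forest, as in the reply above.
$forestDomains = (Get-ADForest).Domains
"Forest domains:  $($forestDomains -join ', ')"

# 3. Trusts defined on the computer's domain.
Get-ADTrust -Filter * -Server $computerDomain |
    Select-Object Name, Direction, TrustType, ForestTransitive |
    Format-Table -AutoSize

# 4. Is the machine's own secure channel to its domain intact?
"Secure channel OK: $(Test-ComputerSecureChannel)"

# 5. Name-to-SID lookups: the current user, a well-known group, and the
#    literal name that appears in the IOException ("GROUP@").
"$userDomain\$env:USERNAME", 'Everyone', 'GROUP@' |
    ForEach-Object { Test-NameResolution -Name $_ } |
    Format-Table -AutoSize -Wrap
```

If a lookup in step 5 returns the same "trust relationship" text as the `IOException`, the failure reproduces outside AM and the trust or secure channel reported in steps 3 and 4 is where to look.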

Hi,

I did not follow it up, as another team suggested installing it on Linux OS, as they too experienced the same and it was solved. However, I did try to install AM on another system running Windows OS, and the ForgeRock installation was successful.

The link below was given in another response; check whether it works for you

Hi Sheila,

I do not have the same system now; as we were in a hurry to start working, we had to move to Linux OS. Anyway, thanks for the response; I will check it out if anyone faces the same issue.

Regards,
Sajid

Hi Sajid,

Thanks so much for your time and for providing us with a status update.

Cheers!
Sheila