Update user records (including password) is failing in FR IDM

We are getting the below error message in the IDM logs when we update any existing user record (including password) through the IDM Console.
However, all update operations work fine for newly created users (we are able to create new users and update their records through the IDM console).

Our FR IDM is deployed in OpenShift on Azure. Below are the IDM pod logs.

{"status":"FAILED","statusCode":"500","elapsedTime":5,"elapsedTimeUnits":"MILLISECONDS","detail":{"code":500,"reason":"Internal Server Error","message":"/password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed"}},"roles":["internal/role/openidm-admin","internal/role/openidm-authorized"],"source":"audit","topic":"access","level":"INFO"}
[86] Oct 20, 2023 6:02:16.730 AM org.forgerock.openidm.servlet.internal.ResourceFilters$3 lambda$handleRequestWithLogging$8
WARNING: Resource exception: 500 Internal Server Error: "/password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed"
org.forgerock.json.resource.InternalServerErrorException: /password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed
at org.forgerock.openidm.managed.ManagedObjectSet.decrypt(ManagedObjectSet.java:666)
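
As an added example (not from the original post and not ForgeRock code), a small Python triage script that scans IDM access-audit lines like the ones above for JsonCryptoException decryption failures and groups them by the encrypted property path; the sample log lines are constructed to mirror the quoted output, including one truncated fragment.

```python
import json
import re
from collections import Counter

# Constructed sample lines modelled on the IDM access-audit output quoted above.
# Not copied from any real deployment; the last entry is deliberately truncated
# the way a copied pod log often is.
SAMPLE_LINES = [
    '{"status":"FAILED","statusCode":"500","elapsedTime":5,"elapsedTimeUnits":"MILLISECONDS",'
    '"detail":{"code":500,"reason":"Internal Server Error",'
    '"message":"/password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed"},'
    '"source":"audit","topic":"access","level":"INFO"}',
    '{"status":"SUCCESSFUL","statusCode":"200","elapsedTime":3,"elapsedTimeUnits":"MILLISECONDS",'
    '"source":"audit","topic":"access","level":"INFO"}',
    'WARNING: Resource exception: 500 Internal Server Error: '
    '"/password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed"',
    '{"status":"FAILED","statusCode":"500","detail":{"code":500,"reason":"Internal Server Error",'
    '"message":"/securityAnswers: org.forgerock.json.crypto.JsonCryptoException: Decryption failed"},'
    '"source":"audit","topic":"access","level":"INFO"}',
    '"message":"/password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed"}},'
    '"roles":["internal/role/openidm-admin"],"source":"audit","topic":"access","level":"INFO"}',
]

# Matches "<property path>: org.forgerock.json.crypto.JsonCryptoException: <reason>"
CRYPTO_RE = re.compile(
    r'(?P<path>/[\w/]+): org\.forgerock\.json\.crypto\.JsonCryptoException: (?P<reason>[^"}]+)'
)


def extract_message(line):
    """Return the error text of a log line: detail.message for a JSON audit record,
    the raw text for a WARNING line or a truncated JSON fragment."""
    stripped = line.strip()
    if stripped.startswith('{'):
        try:
            record = json.loads(stripped)
        except json.JSONDecodeError:
            return stripped  # truncated record: fall back to searching the raw text
        return (record.get('detail') or {}).get('message', '')
    return stripped


def decryption_failures(lines):
    """Count 'Decryption failed' errors per encrypted property path (e.g. /password)."""
    counts = Counter()
    for line in lines:
        match = CRYPTO_RE.search(extract_message(line))
        if match and match.group('reason').strip() == 'Decryption failed':
            counts[match.group('path')] += 1
    return dict(counts)


def failures_are_all_decryption(lines):
    """True when every parseable FAILED audit record is a JsonCryptoException: that
    uniform pattern on existing records, with new records updating fine, is the
    signature of a keystore that no longer matches the stored ciphertext."""
    failed = [extract_message(l) for l in lines
              if l.strip().startswith('{') and '"status":"FAILED"' in l]
    return bool(failed) and all(CRYPTO_RE.search(m) for m in failed)
```

Run it over the pod log (one line per entry); a result where every failure is a decryption error on encrypted properties points at the key material rather than at the data.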

Hi,

It’s likely the encryption key has been reset. One common cause is that the keystore has been re-created by IDM with new keys on the next deployment; to avoid this, the keystore must be preserved and placed in the security folder on a new deployment.

Regards
Patrick
