Internal Error when using OpenID connect after allowing acces to account


This topic has 3 replies, 2 voices, and was last updated 4 years, 9 months ago by tomoko.

    #18436

    I am trying to do the basic OpenID Connect configuration from pages like

    After setting up the OAuthProvider and the agent, everything works OK in one of my environments.
    I can do the login, the page requesting consent to the Agent is shown, and the redirection occurs, OK.

    But in another environment, after the page requesting consent, I press Allow and it just shows “internal server error”.
    Checking the logs in the /debug folder on the server, I see that the IdRepo file shows:
    amSDK:08/11/2017 11:33:00:074 AM UTC: Thread[http-apr-8080-exec-6,5,main]: TransactionId[1e0b22f2-ccfc-4fca-af97-d51f8fda79b8-737]
    ERROR: JCEEncryption:: failed to decrypt data
    javax.crypto.BadPaddingException: Given final block not properly padded
    at com.sun.crypto.provider.CipherCore.doFinal(
    at com.sun.crypto.provider.CipherCore.doFinal(
    at com.sun.crypto.provider.PBES1Core.doFinal(
    at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(
    at javax.crypto.Cipher.doFinal(
    at Method)
    at org.forgerock.openam.utils.OpenAMSettingsImpl.decodePassword(
    at org.forgerock.openam.utils.OpenAMSettingsImpl.getServerKeyPair(
    at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettings.getServerKeyPair(
    at org.forgerock.openam.oauth2.OpenAMTokenStore.createOpenIDToken(
    at org.forgerock.openidconnect.IdTokenResponseTypeHandler.handle(
    at org.forgerock.oauth2.core.AuthorizationTokenIssuer.issueTokens(
    at org.forgerock.oauth2.core.AuthorizationServiceImpl.authorize(
    at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(

    The only difference I can think of is that one of my environments (where it works) is using a separate OpenDJ as DirectoryServer, and the one where it is failing is using the embedded internal OpenDJ of OpenAM.

    Any other ideas or checks, please?


    Hi, this sounds like a known issue that should have been fixed in recent versions. Can you describe what version you’re using, and what your configuration is in more detail?



    Failing environment:

    -OpenAM 13.0.0
    Checking a file, it says
    “grep version” 13.0.0 Build 5d4589530d (2016-January-14 21:15)

    -Apache Tomcat/7.0.75

    -Internal embedded LDAP in OpenAM.

    -Oracle JDK 1.8; it also fails with OpenJDK.

    -The OpenAM server has a UMA configuration done, using an import-svc-cfg operation with a config.xml.

    At start I thought it had something to do with the internal LDAP. But later, I discovered it is not the LDAP, because it works also with a fresh/empty openam with internal LDAP.

    Now I believe it has something to do with the previous UMA configuration I did (in another realm), and the later export/import in a docker environment I do.
    Is it possible to create a UMA realm (that creates an OAuthProvider) and a basic OpenID configuration (that also creates an OAuthProvider)? Any conflict?

    Any ideas are welcome, I am a little lost how to isolate the misconfiguration/conflict.


    Finally I found out what the problem was:
    I was using docker, and exporting the config of the server to an XML file (by the way, that tool is very buggy).
    Then I found out that inside the big XML with all the configuration there were some references to password and encryption things.

    So I found out I had to not only get the XML with the exported config but also the “.keypass” and “.storepass” files generated when OpenAM was instantiated, and add them to the docker image. So other machines/instances use the XML and its associated crypto files.
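The failure mode above (an exported config whose encrypted values can only be decrypted by the instance that generated the key material) is easy to catch before an image is built. The following pre-flight check is an added example, not the poster's script and not a ForgeRock tool; it assumes a directory layout in which the exported config.xml sits beside the .keypass and .storepass files, and treats a missing or empty file as a failure. The file names come from the thread; the directory layout is an assumption.

```shell
#!/bin/sh
# Pre-flight check before baking an exported OpenAM config into a container image.
# Assumed (not from the thread): $1 is a directory holding config.xml, .keypass
# and .storepass copied from the instance that produced the export.
# Returns 0 when all three files are present and non-empty, 1 otherwise.
check_openam_export() {
  dir="$1"
  missing=0
  for f in config.xml .keypass .storepass; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $dir/$f (export cannot be decrypted without it)" >&2
      missing=1
    fi
  done
  # The two secret files unlock the keystore; warn if they are world-readable.
  for f in .keypass .storepass; do
    if [ -f "$dir/$f" ] && [ -n "$(find "$dir/$f" -perm -o+r 2>/dev/null)" ]; then
      echo "warning: $dir/$f is world-readable; restrict it before copying into an image" >&2
    fi
  done
  return $missing
}

# Usage: check_openam_export /path/to/exported-config || exit 1
```

Run it as the last step of the export job; a non-zero exit stops the build, so an image is never produced from a config.xml that the target instance cannot decrypt.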
