4

In the documentation, it looks like I can set up a plain text password instead of an encrypted one.

com.iplanet.am.service.secret

When using a plain text password, set this to the password for the agent profile, and leave am.encryption.pwd blank.

So, I've set the following in my OpenSSOAgentBootstrap.properties:

com.iplanet.am.service.secret = myPlainTextPassword
am.encryption.pwd = 

Accessing the agent application now gives me:

java.lang.RuntimeException: Failed to load configuration: Invalid application password specified
    com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfiguration(AgentConfiguration.java:790)
    com.sun.identity.agents.arch.AgentConfiguration.initializeConfiguration(AgentConfiguration.java:1140)
    com.sun.identity.agents.arch.AgentConfiguration.<clinit>(AgentConfiguration.java:1579)
    com.sun.identity.agents.arch.Manager.<clinit>(Manager.java:675)
    com.sun.identity.agents.filter.AmAgentBaseFilter.initializeFilter(AmAgentBaseFilter.java:274)
    com.sun.identity.agents.filter.AmAgentBaseFilter.getAmFilterInstance(AmAgentBaseFilter.java:364)
    com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:73)

I also saw from here that I should be using com.iplanet.am.service.password instead. This did not work either.

Is there something that must be set on the OpenAM server? Am I missing something on the agent side of things?


Edit 1

OpenAM Server is v12.0.0, and the Tomcat agent is v3.3.0. Log entries before the exception:

2015-04-01 12:44:09,634 [localhost-startStop-1] INFO  org.springframework.web.servlet.DispatcherServlet  - FrameworkServlet 'myapp': initialization started
2015-04-01 12:44:09,634 [localhost-startStop-1] INFO  org.springframework.web.context.support.XmlWebApplicationContext  - Refreshing WebApplicationContext for namespace 'myapp': startup date [Wed Apr 01 12:44:09 PDT 2015]; parent: Root WebApplicationContext
2015-04-01 12:44:09,634 [localhost-startStop-1] INFO  org.springframework.beans.factory.xml.XmlBeanDefinitionReader  - Loading XML bean definitions from ServletContext resource [/WEB-INF/servlet-context.xml]
Apr 01, 2015 12:44:09 PM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring FrameworkServlet 'myapp'
2015-04-01 12:44:09,775 [localhost-startStop-1] INFO  org.springframework.beans.factory.support.DefaultListableBeanFactory  - Overriding bean definition for bean 'mvcContentNegotiationManager': replacing [Root bean: class [org.springframework.web.accept.ContentNegotiationManagerFactoryBean]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null] with [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.web.servlet.config.annotation.DelegatingWebMvcConfiguration; factoryMethodName=mvcContentNegotiationManager; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [org/springframework/web/servlet/config/annotation/DelegatingWebMvcConfiguration.class]]
2015-04-01 12:44:09,775 [localhost-startStop-1] INFO  org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader  - Skipping bean definition for [BeanMethod:name=mvcUriComponentsContributor,declaringClass=org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport]: a definition for bean 'mvcUriComponentsContributor' already exists. This top-level bean definition is considered as an override.
2015-04-01 12:44:09,994 [localhost-startStop-1] INFO  org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter  - Looking for @ControllerAdvice: WebApplicationContext for namespace 'myapp': startup date [Wed Apr 01 12:44:09 PDT 2015]; parent: Root WebApplicationContext
2015-04-01 12:44:10,135 [localhost-startStop-1] INFO  org.springframework.web.servlet.handler.SimpleUrlHandlerMapping  - Mapped URL path [/**] onto handler of type [class org.springframework.web.servlet.resource.DefaultServletHttpRequestHandler]
2015-04-01 12:44:10,182 [localhost-startStop-1] INFO  org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter  - Looking for @ControllerAdvice: WebApplicationContext for namespace 'myapp': startup date [Wed Apr 01 12:44:09 PDT 2015]; parent: Root WebApplicationContext
2015-04-01 12:44:10,213 [localhost-startStop-1] INFO  org.apache.tiles.access.TilesAccess  - Publishing TilesContext for context: org.springframework.web.servlet.view.tiles3.SpringWildcardServletTilesApplicationContext
2015-04-01 12:44:10,244 [localhost-startStop-1] INFO  org.springframework.web.servlet.DispatcherServlet  - FrameworkServlet 'myapp': initialization completed in 610 ms
Apr 01, 2015 12:44:10 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8081"]
Apr 01, 2015 12:44:10 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8081"]
java.lang.RuntimeException: Invalid application password specified
    at com.sun.identity.agents.arch.AgentConfiguration.setApplicationPassword(AgentConfiguration.java:1030)
    at com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfiguration(AgentConfiguration.java:720)
    at com.sun.identity.agents.arch.AgentConfiguration.initializeConfiguration(AgentConfiguration.java:1140)
    at com.sun.identity.agents.arch.AgentConfiguration.<clinit>(AgentConfiguration.java:1579)
    at com.sun.identity.agents.arch.Manager.<clinit>(Manager.java:675)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.initializeFilter(AmAgentBaseFilter.java:274)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.getAmFilterInstance(AmAgentBaseFilter.java:364)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:73)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

The agent's debug.out shows:

amAgentCore:04/01/2015 12:44:35:314 PM PDT: Thread[http-bio-8081-exec-1,5,main]
**********************************************
amAgentCore:04/01/2015 12:44:35:314 PM PDT: Thread[http-bio-8081-exec-1,5,main]
AgentConfiguration.setOrganizationName: organization name for realm is set to: /
amAgentCore:04/01/2015 12:44:35:314 PM PDT: Thread[http-bio-8081-exec-1,5,main]
AgentConfiguration: service resolver set to: com.sun.identity.agents.tomcat.v6.AmTomcatAgentServiceResolver
amAgentCore:04/01/2015 12:44:35:314 PM PDT: Thread[http-bio-8081-exec-1,5,main]
AgentConfiguration: service resolver reports EJBContext available: false
amAgentCore:04/01/2015 12:44:35:314 PM PDT: Thread[http-bio-8081-exec-1,5,main]
AgentConfiguration: Application User: myAgent
amSDK:04/01/2015 12:44:35:329 PM PDT: Thread[http-bio-8081-exec-1,5,main]
**********************************************
amSDK:04/01/2015 12:44:35:329 PM PDT: Thread[http-bio-8081-exec-1,5,main]
ERROR: JCEEncryption:: failed to decrypt data
java.lang.NullPointerException
    at com.iplanet.services.util.JCEEncryption.pbeDecrypt(JCEEncryption.java:246)
    at com.iplanet.services.util.JCEEncryption.decrypt(JCEEncryption.java:141)
    at com.iplanet.services.util.Crypt.decode(Crypt.java:343)
    at com.iplanet.services.util.Crypt.decryptLocal(Crypt.java:238)
    at com.sun.identity.agents.arch.AM70Crypt.decrypt(AM70Crypt.java:57)
    at com.sun.identity.agents.arch.AgentConfiguration.setApplicationPassword(AgentConfiguration.java:1020)
    at com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfiguration(AgentConfiguration.java:720)
    at com.sun.identity.agents.arch.AgentConfiguration.initializeConfiguration(AgentConfiguration.java:1140)
    at com.sun.identity.agents.arch.AgentConfiguration.<clinit>(AgentConfiguration.java:1579)
    at com.sun.identity.agents.arch.Manager.<clinit>(Manager.java:675)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.initializeFilter(AmAgentBaseFilter.java:274)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.getAmFilterInstance(AmAgentBaseFilter.java:364)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:73)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
3
  • what openAM version are you using?
    – devops
    Commented Apr 1, 2015 at 19:25
  • please show logs before exception
    – devops
    Commented Apr 1, 2015 at 19:35
  • Apparently can't add too much to a comment. So I've added the additional information as an edit to the original post. Commented Apr 1, 2015 at 21:47

2 Answers

2

Let us look at this source code taken from GitHub: OpenRock/OpenAM

private static synchronized void setApplicationPassword() {
    if (!isInitialized()) {
        try {
            _crypt = ServiceFactory.getCryptProvider();
            if(_crypt != null) {
                String encodedPass = getProperty(SDKPROP_APP_PASSWORD);
                _applicationPassword = _crypt.decrypt(encodedPass);
            }
        } catch (Exception ex) {
            logError("AgentConfiguration: Unable to create new instance of " + "Crypt class with exception ", ex);
        }
        if (_applicationPassword == null || _applicationPassword.trim().length() == 0) {
            throw new RuntimeException("Invalid application password specified");
        }
    }
}

The constant SDKPROP_APP_PASSWORD is defined as:

public static final String SDKPROP_APP_PASSWORD = "com.iplanet.am.service.secret";

As you can see, AgentConfiguration reads the password and stores it in encodedPass.

So I believe the method getCryptProvider returns a broken CryptProvider (_crypt). _crypt.decrypt(encodedPass) gets a NullPointerException, the variable _applicationPassword never gets initialized, and then the RuntimeException is thrown.

Make sure your configuration allows or defines a CryptProvider.


OK, I saw your edit.

NullPointerException occurs here. Try to interpret that.

final Cipher pbeCipher = cipherProvider.getCipher(); // NPE
1
  • 1
    Looking over the code today, it seems the password must always be encrypted. Came back here to report, and saw Peter's response to confirm. But thank you for pointing me in the right direction. Commented Apr 2, 2015 at 17:30
1

The documentation appears to be incorrect. From what I can tell based on the source code of AgentConfiguration, the password can only be provided in an encrypted format (which also means that am.encryption.pwd should be set up properly as well).

1
  • Had that suspicion after going over the code. Thank you for confirming. Can't seem to mark your answer as accepted though. Commented Apr 2, 2015 at 17:32
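
A pre-deployment check for the misconfiguration diagnosed in this thread, as an added example that is not part of the original posts or of OpenAM: it reads the text of an OpenSSOAgentBootstrap.properties file and flags a blank am.encryption.pwd or a secret that cannot be an encrypted value. The function names, the sample inputs and the Base64 heuristic (encrypted secrets are assumed to be Base64 text) are assumptions.

```python
import base64
import re

SECRET_KEY = "com.iplanet.am.service.secret"
ENC_KEY = "am.encryption.pwd"

# Constructed sample: the two settings exactly as posted in the question.
QUESTION_CONFIG = "com.iplanet.am.service.secret = myPlainTextPassword\nam.encryption.pwd = \n"
# Constructed sample: made-up Base64 secret and made-up key, not real values.
ENCRYPTED_CONFIG = "com.iplanet.am.service.secret = QUJDREVGR0hJSktMTU5PUA==\nam.encryption.pwd = constructedKey123\n"


def parse_properties(text):
    """Minimal .properties reader: no line continuations or escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def looks_encrypted(value):
    """Heuristic (assumption): an encrypted secret is Base64 of >= 8 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) >= 8
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def check_bootstrap(text):
    """Return a list of findings; an empty list means both checks passed."""
    props = parse_properties(text)
    secret, enc = props.get(SECRET_KEY, ""), props.get(ENC_KEY, "")
    findings = []
    if not enc:
        findings.append(f"{ENC_KEY} is blank, so {SECRET_KEY} cannot be decrypted")
    if not secret:
        findings.append(f"{SECRET_KEY} is missing or empty")
    elif not looks_encrypted(secret):
        findings.append(f"{SECRET_KEY} does not look like an encrypted value")
    return findings


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("encrypted", ENCRYPTED_CONFIG)):
        print(name, check_bootstrap(cfg) or "ok")
```

The Base64 test only catches obvious cases: a plaintext password that happens to be valid Base64 passes it, so the blank-key check is the reliable one.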
