client_secret in the IMS configuration is getting unset
This article provides a resolution to the issue where the IMS configuration fails after an AEM restart. The health check associated with IMS configurations consistently fails, indicating an inability to authenticate using the configured client_secret. Save the crypto keys in the Bundle’s file storage.
Description
Environment:
Experience Manager
Issue/Symptoms
client_secret in the IMS configuration is getting unset.
After upgrading AEM from older versions (e.g., 6.2 or below) to newer versions (6.3 or above), the method for storing crypto keys changes from JCR storage to filesystem storage. This change requires manual intervention to ensure that the hmac and master keys are correctly relocated for AEM to function properly after a restart. Failure to do so can result in authentication problems with services like IMS, as the keys used to encrypt and decrypt sensitive information are not found in the expected location.
The following error is seen:
{"error":"invalid_client","error_description":"invalid client_secret parameter"}
Resolution
To resolve this issue and ensure that IMS configurations remain stable across AEM restarts, follow these steps:
1. Go to CRXDE and navigate to /etc/key. Inside that node there should be a master property and an hmac property. Download those files.
2. Download each property by clicking on its value.
3. Go to <hostname>/system/console/bundles and search for "Crypto".
4. Note the bundle ID for the bundle labeled "Adobe Granite Crypto Bundle Key Provider com.adobe.granite.crypto.file".
5. Note the bundle ID for the bundle labeled "Adobe Granite Crypto Support com.adobe.granite.crypto".
6. Stop AEM.
7. On your AEM server, navigate to crx-quickstart/launchpad/felix/bundle<bundleID>/data, where <bundleID> is the value from step 5.
8. There is a file named storage in that data directory. Download this storage file and replace the one currently on the server. You must replace the file rather than just editing its value from JCR to Bundle, because the file must not end with a newline character, and most editors (vi, for example) add one.
9. Go to the directory crx-quickstart/launchpad/felix/bundle${FILE_BUNDLE_ID}/data, where ${FILE_BUNDLE_ID} is the "Bundle Id" value from step 4 (the com.adobe.granite.crypto.file bundle ID).
10. Copy the hmac and master files that you downloaded in step 2 to this location.
11. Verify that the hmac and master files are the same as the ones you downloaded.
12. The commands would be:
    md5sum hmac
    md5sum master
    Ensure that the output is the same for the downloaded files and the replaced files.
13. Start AEM.
14. Remove the hmac and master properties from /etc/key and make sure to save.
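As an added example (not code from the Adobe article), the following POSIX shell script bundles the md5sum comparison from step 12 with two checks on the storage file from step 8: that it does not end in a newline byte and that its content is exactly "Bundle", which is the condition the article says an editor can silently break. The directory layout, the bundle IDs 40 and 41 and the key contents inside make_fixture are constructed placeholders; real IDs come from /system/console/bundles (steps 4 and 5) and the data directories live under crx-quickstart/launchpad/felix.

```shell
#!/bin/sh
# Added example, not part of the Adobe article: sanity checks a practitioner
# can run after step 12 to confirm the relocated key files and the "storage"
# marker file are in the state the procedure requires.
# Bundle IDs 40/41 and the key bytes in make_fixture are constructed
# placeholders; real IDs come from /system/console/bundles (steps 4 and 5).

# Succeeds (exit 0) when the file is non-empty and its last byte is not 0x0a.
has_no_trailing_newline() {
    last_byte=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ -s "$1" ] && [ "$last_byte" != "0a" ]
}

# Succeeds when the two files carry the same md5sum (the comparison the
# article describes for hmac and master).
same_checksum() {
    sum_a=$(md5sum "$1" | cut -d' ' -f1)
    sum_b=$(md5sum "$2" | cut -d' ' -f1)
    [ "$sum_a" = "$sum_b" ]
}

# verify_keys DOWNLOADED_DIR FILE_BUNDLE_DATA CRYPTO_BUNDLE_DATA
#   DOWNLOADED_DIR     - where the hmac/master values from /etc/key were saved
#   FILE_BUNDLE_DATA   - felix/bundle<step-4 id>/data, must now hold hmac and master
#   CRYPTO_BUNDLE_DATA - felix/bundle<step-5 id>/data, must hold the storage file
verify_keys() {
    for name in hmac master; do
        same_checksum "$1/$name" "$2/$name" || {
            echo "checksum mismatch for $name" >&2
            return 1
        }
    done
    storage="$3/storage"
    has_no_trailing_newline "$storage" || {
        echo "storage ends with a newline; replace the file instead of editing it" >&2
        return 1
    }
    # $(cat ...) strips trailing newlines, so the content check alone would
    # not catch the editor-added newline; that is why the byte check runs first.
    [ "$(cat "$storage")" = "Bundle" ] || {
        echo "storage does not contain exactly 'Bundle'" >&2
        return 1
    }
    echo "hmac, master and storage verified"
}

# Builds a constructed directory layout under $1 mirroring the article's paths.
make_fixture() {
    mkdir -p "$1/downloaded" "$1/felix/bundle40/data" "$1/felix/bundle41/data"
    printf 'constructed-hmac-key' > "$1/downloaded/hmac"
    printf 'constructed-master-key' > "$1/downloaded/master"
    cp "$1/downloaded/hmac" "$1/downloaded/master" "$1/felix/bundle40/data/"
    printf 'Bundle' > "$1/felix/bundle41/data/storage"   # no trailing newline
}

# Usage: sh verify_keys.sh DOWNLOADED_DIR FILE_BUNDLE_DATA CRYPTO_BUNDLE_DATA
if [ "$#" -eq 3 ]; then
    verify_keys "$1" "$2" "$3"
fi
```

Run it with the three directories from steps 2, 9 and 7 before starting AEM again (step 13); a non-zero exit tells you which file to fix, and the storage check fails on exactly the newline problem the article warns about.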
By following these steps, you relocate the crypto keys from the JCR to the filesystem, aligning with the storage method expected in newer AEM versions. This ensures that AEM can consistently access the keys for encryption and decryption operations, thereby maintaining stable IMS configurations across restarts. It is recommended to test these changes in a lower environment before applying them to production systems.