OpenIdentityPlatform / OpenAM

OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
https://www.openidentityplatform.org/openam

Session quotas not working correctly #145

Closed rlogue closed 1 year ago

rlogue commented 5 years ago

Describe the bug When limiting users to 1 session the next time they request a session the authenticate call hangs indefinitely.

To Reproduce Steps to reproduce the behavior:

  1. Use legacy GUI. Navigate to Configuration->Global->Session. Set Enable Quota Constraints=On, Resulting behavior if session quota exhausted = DENY, Active User Sessions = 1
  2. Login with user. (using json/REALM/authenticate)
  3. With above login still active login with user again
  4. The second login just hangs and no error is returned to indicate max session quota has been hit.

Expected behavior Authenticate call should return an error to show that the user has reached the max session quota.

Desktop (please complete the following information):

Additional context Add any other context about the problem here.
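
A bounded version of the reproduction steps above, as an added example that is not part of the original report: it logs in twice without ending the first session and uses a client-side timeout so that a hang is reported as a result instead of blocking. The host, realm, account, password and timeout are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the issue): bounded reproduction of the quota hang.
# Assumed values, override via environment: BASE_URL, REALM, AM_USER, AM_PASS,
# TIMEOUT. Run it with a dedicated test account on a test deployment.
BASE_URL="${BASE_URL:-https://openam.example.com/openam}"  # placeholder host
REALM="${REALM:-REALM}"                                    # placeholder realm
AM_USER="${AM_USER:-quota-test-user}"                      # hypothetical account
AM_PASS="${AM_PASS:-changeit}"                             # placeholder password
TIMEOUT="${TIMEOUT:-15}"                                   # seconds before a call counts as a hang

# classify <curl_exit_code> <http_status> <body>
# curl exit code 28 means --max-time expired, i.e. the server never answered.
classify() (
  rc="$1"; status="$2"; body="$3"
  if [ "$rc" -eq 28 ]; then
    echo "HANG"
  elif [ "$rc" -ne 0 ]; then
    echo "TRANSPORT_ERROR"
  else
    case "$status" in
      200)
        case "$body" in
          *'"tokenId"'*) echo "SESSION_GRANTED" ;;
          *)             echo "CALLBACKS_PENDING" ;;
        esac ;;
      4??|5??) echo "REJECTED" ;;     # an error response, as the report expects
      *)       echo "UNEXPECTED" ;;
    esac
  fi
)

# One zero-page login against json/REALM/authenticate, bounded by TIMEOUT.
authenticate() (
  tmp=$(mktemp) || exit 1
  status=$(curl --silent --max-time "$TIMEOUT" --request POST \
    --header "Content-Type: application/json" \
    --header "Accept-API-Version: resource=2.0, protocol=1.0" \
    --header "X-OpenAM-Username: $AM_USER" \
    --header "X-OpenAM-Password: $AM_PASS" \
    --data '{}' --output "$tmp" --write-out '%{http_code}' \
    "$BASE_URL/json/$REALM/authenticate")
  rc=$?
  body=$(cat "$tmp"); rm -f "$tmp"
  classify "$rc" "$status" "$body"
)

# verdict <first_login_result> <second_login_result>
verdict() (
  first="$1"; second="$2"
  if [ "$first" != "SESSION_GRANTED" ]; then
    echo "INCONCLUSIVE"               # quota was never reached
  else
    case "$second" in
      REJECTED)        echo "QUOTA_ENFORCED" ;;
      HANG)            echo "BUG_REPRODUCED" ;;
      SESSION_GRANTED) echo "QUOTA_NOT_ENFORCED" ;;
      *)               echo "INCONCLUSIVE" ;;
    esac
  fi
)

main() {
  first=$(authenticate)    # step 2: first login, session left active
  second=$(authenticate)   # step 3: second login while the first is live
  echo "first=$first second=$second verdict=$(verdict "$first" "$second")"
}

# Network calls happen only when explicitly requested.
if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke the script with `--run` to perform the two logins; `BUG_REPRODUCED` corresponds to the behaviour described in step 4.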

rlogue commented 5 years ago

Wondering if you have any idea yet what the issue is? i.e. will it require a release or maybe I can alter my configuration? We want to start performance testing our solution soon but don't want to have to update OpenAM after this point. Thanks.

rlogue commented 5 years ago

Also noticed that the openam global services page is blank i.e. /openam/XUI/?realm=/#configure/global-services, see attached screenshot. From reading document i.e. https://backstage.forgerock.com/knowledge/kb/article/a94724800 in this screen I should see some configuration. Potentially this is causing the issue?

OpenAM-GlobalServices

rlogue commented 5 years ago

Seen in the CoreSystem log the following error when I try to access the Global Services page

    frRest:04/17/2019 02:54:01:034 PM BST: Thread[http-nio-8801-exec-5,5,main]: TransactionId[30057191-bb78-4bbe-ad71-b74480c08471-481]
    ERROR: A runtime exception occurred during the CREST request handling
    java.lang.IllegalStateException: Exception from invocation expected to be handled by promise
        at org.forgerock.json.resource.AnnotatedMethod.invoke(AnnotatedMethod.java:100)
        at org.forgerock.json.resource.AnnotatedMethod.invoke(AnnotatedMethod.java:64)
        at org.forgerock.json.resource.AnnotatedSingletonHandler.handleRead(AnnotatedSingletonHandler.java:63)
        at org.forgerock.json.resource.Router.handleRead(Router.java:328)
        at org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:113)
        at org.forgerock.authz.filter.crest.AuthorizationFilters$AuthorizationFilter$6.apply(AuthorizationFilters.java:378)
        at org.forgerock.authz.filter.crest.AuthorizationFilters$AuthorizationFilter$6.apply(AuthorizationFilters.java:374)
        at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
        at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
        at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:223)
        at org.forgerock.authz.filter.crest.AuthorizationFilters$AuthorizationFilter.filterRead(AuthorizationFilters.java:374)
        at org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:111)
        at org.forgerock.json.resource.FilterChain.handleRead(FilterChain.java:260)
        at org.forgerock.json.resource.Router.handleRead(Router.java:328)
        at org.forgerock.openam.core.rest.sms.tree.SmsRouteTree.handleRead(SmsRouteTree.java:400)
        at org.forgerock.openam.core.rest.sms.tree.SmsRouteTree.getSingletonInstance(SmsRouteTree.java:350)
        at org.forgerock.openam.core.rest.sms.tree.SmsRouteTree.readInstances(SmsRouteTree.java:340)
        at org.forgerock.openam.core.rest.sms.tree.SmsRouteTree.handleAction(SmsRouteTree.java:269)
        at org.forgerock.json.resource.Router.handleAction(Router.java:245)
        at org.forgerock.openam.core.rest.sms.tree.SmsRouteTree.handleAction(SmsRouteTree.java:300)
        at org.forgerock.openam.core.rest.sms.SmsRequestHandler.handleAction(SmsRequestHandler.java:647)
        at org.forgerock.json.resource.Router.handleAction(Router.java:245)
        at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:63)
        at org.forgerock.openam.rest.fluent.AuditFilter.filterAction(AuditFilter.java:89)
        at org.forgerock.openam.rest.fluent.AuditFilterWrapper.filterAction(AuditFilterWrapper.java:60)
        at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:61)
        at org.forgerock.openam.rest.fluent.CrestLoggingFilter.filterAction(CrestLoggingFilter.java:74)
        at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:61)
        at org.forgerock.openam.rest.ContextFilter.filterAction(ContextFilter.java:57)
        at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:61)
        at org.forgerock.openam.rest.AuthenticationEnforcer.filterAction(AuthenticationEnforcer.java:137)
        at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:61)
        at org.forgerock.json.resource.FilterChain.handleAction(FilterChain.java:230)
        at org.forgerock.json.resource.InternalConnection.actionAsync(InternalConnection.java:37)
        at org.forgerock.json.resource.http.RequestRunner.visitActionRequest(RequestRunner.java:147)
        at org.forgerock.json.resource.http.RequestRunner.visitActionRequest(RequestRunner.java:93)
        at org.forgerock.json.resource.Requests$ActionRequestImpl.accept(Requests.java:185)
        at org.forgerock.json.resource.http.RequestRunner.handleResult(RequestRunner.java:139)
        at org.forgerock.json.resource.http.HttpAdapter$1.apply(HttpAdapter.java:710)
        at org.forgerock.json.resource.http.HttpAdapter$1.apply(HttpAdapter.java:707)
        at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
        at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
        at org.forgerock.json.resource.http.HttpAdapter.doRequest(HttpAdapter.java:707)
        at org.forgerock.json.resource.http.HttpAdapter.doAction(HttpAdapter.java:612)
        at org.forgerock.json.resource.http.HttpAdapter.handle(HttpAdapter.java:276)
        at org.forgerock.http.handler.Handlers$HandlerDescribableAsDescribableHandler.handle(Handlers.java:154)
        at org.forgerock.http.filter.OptionsFilter.filter(OptionsFilter.java:77)
        at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
        at org.forgerock.http.routing.Router.handle(Router.java:100)
        at org.forgerock.http.routing.Router.handle(Router.java:100)
        at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:64)
        at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
        at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
        at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:170)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$100(AuthenticationFramework.java:65)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:155)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:152)
        at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:485)
        at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
        at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:555)
        at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:477)
        at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:468)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:147)
        at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:96)
        at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
        at org.forgerock.openam.http.GuiceHandler.handle(GuiceHandler.java:59)
        at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:214)
        at org.forgerock.http.routing.Router.handle(Router.java:100)
        at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:69)
        at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
        at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:122)
        at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
        at org.forgerock.openam.http.OpenAMHttpApplication$1.filter(OpenAMHttpApplication.java:70)
        at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
        at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
        at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
        at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:237)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.forgerock.json.resource.AnnotatedMethod.invoke(AnnotatedMethod.java:96)
        ... 115 more
    Caused by: org.forgerock.json.JsonException: Unable to validate attributes
        at org.forgerock.openam.core.rest.sms.SmsJsonConverter.toJson(SmsJsonConverter.java:198)
        at org.forgerock.openam.core.rest.sms.SmsJsonConverter.toJson(SmsJsonConverter.java:167)
        at org.forgerock.openam.core.rest.sms.SmsJsonConverter.toJson(SmsJsonConverter.java:141)
        at org.forgerock.openam.core.rest.sms.SmsGlobalSingletonProvider.addOrganisationAttributes(SmsGlobalSingletonProvider.java:148)
        at org.forgerock.openam.core.rest.sms.SmsResourceProvider.getJsonValue(SmsResourceProvider.java:452)
        at org.forgerock.openam.core.rest.sms.SmsResourceProvider.getJsonValue(SmsResourceProvider.java:440)
        at org.forgerock.openam.core.rest.sms.SmsSingletonProvider.handleRead(SmsSingletonProvider.java:154)
        ... 119 more
    Caused by: Message:Data validation failed for the attribute, selfServiceSigningSecretKeyAlias
        at com.sun.identity.sm.ServiceSchemaImpl.throwInvalidAttributeValuesException(ServiceSchemaImpl.java:741)
        at com.sun.identity.sm.ServiceSchemaImpl.validatePlugin(ServiceSchemaImpl.java:722)
        at com.sun.identity.sm.ServiceSchemaImpl.serverEndAttrValidation(ServiceSchemaImpl.java:692)
        at com.sun.identity.sm.ServiceSchemaImpl.validatePlugin(ServiceSchemaImpl.java:650)
        at com.sun.identity.sm.ServiceSchemaImpl.validateAttrValues(ServiceSchemaImpl.java:597)
        at com.sun.identity.sm.ServiceSchemaImpl.validateAttributes(ServiceSchemaImpl.java:345)
        at com.sun.identity.sm.ServiceSchemaImpl.validateAttributes(ServiceSchemaImpl.java:314)
        at com.sun.identity.sm.ServiceSchema.validateAttributes(ServiceSchema.java:749)
        at org.forgerock.openam.core.rest.sms.SmsJsonConverter.toJson(SmsJsonConverter.java:191)
        ... 125 more

rlogue commented 5 years ago

Seems like the attribute is added in the upgrade. I saw the following in the upgrade log

Services Upgrade Report

New Services

Modified Services

I also see in the embedded opendj the following

../opends/db/userRoot/00000008.jdb: </AttributeSchema><AttributeSchema cosQualifier="default" i18nKey="signing.secret.key.alias" isSearchable="no" listOrder="natural" name="selfServiceSigningSecretKeyAlias" order="10" resourceName="signingSecretKeyAlias" syntax="string" type="single" validator="KeyAliasValidator" >

Does any of this stand out as being incorrect?

rlogue commented 5 years ago

Is there any other information I can gather here to help out?

rlogue commented 5 years ago

If I do a fresh install of OpenAM 14.2.2 I can see that the Global Services tab is populated with configuration like you would expect. It would seem maybe this is an upgrade issue? If we can pinpoint the config that is causing the issue maybe there is a manual step that can be applied to allow this tab to work?

openam-fresh-globalservices

rlogue commented 5 years ago

Seems potentially related to this (Do you agree?)

https://backstage.forgerock.com/knowledge/kb/book/b37078014#a62372040

But every time I run ssoadm, using the following command

./ssoadm get-attr-defs -s selfService -t organization -u amadmin -f pwd.txt

I get an error saying

Logging configuration class "com.sun.identity.log.s1is.LogConfigReader" failed com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token. com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.

and in the authentication debug log I see

ERROR: Failed to obtain auth service url from server:

I have followed the advice here https://backstage.forgerock.com/knowledge/kb/article/a17894100 to trust all certs but still can't get ssoadm running to see if it can help my issue.

Do you think this is a path worth pursuing?

rlogue commented 5 years ago

Followed the advice here

https://bugster.forgerock.org/jira/browse/OPENAM-10280

which talks about what to do here

https://backstage.forgerock.com/docs/openam/13.5/upgrade-guide/#upgrade-user-services

I can now see the data under Global Services but still have the issue with session quotas. So a user can log in once but when they try the second time the call just hangs.

When I make the requests I do a grep on all the files in the debug log directory and see no messages.

Edit. Is there anywhere else I can look to get information why the call is hanging?

rlogue commented 5 years ago

Issue is present in a clean install of 14.2.2 also. Issue only happens when

Resulting behavior if session quota exhausted = org.forgerock.openam.session.service.DenyAccessAction

rlogue commented 5 years ago

Don't seem to be getting any response on Jira anymore on this. Is it possible to let me know if we can proceed to get a fix here?

kumar1801 commented 4 years ago

Hi @rlogue

For Also noticed that the openam global services page is blank i.e. /openam/XUI/?realm=/#configure/global-services, see attached screenshot

You can follow the steps below to make Global Services visible. Modify Keystore:

After upgrading we have to modify key store extension from JKS to JCEKS.

The following steps show how to set up the JCEKS Keystore for user self-service:

  1. In the OpenAM console, navigate to Configure > Server Defaults > Security > Key Store.
  2. Change the Keystore File property to %BASE_DIR%/%SERVER_URI%/keystore.jceks.
  3. Change the Keystore Type property to JCEKS.
  4. Restart the OpenAM server.

rlogue commented 4 years ago

Hello,

Yes, we did that; it was mentioned in the link I posted on 6th May, i.e.

https://bugster.forgerock.org/jira/browse/OPENAM-10280

Thanks, Robert

kumar1801 commented 4 years ago

@rlogue

Ok Thank you

dairoca90 commented 1 year ago

I'm having the same issue in the current version, OpenAM 14.6.6

sp193 commented 1 year ago

Seen in the CoreSystem log the following error when I try to access the Global Services page

I believe @rlogue encountered some issue while upgrading. But this error may also appear if you attempted to utilize the user self-service API to reset the password, while the realm did not have the selfServiceSigningSecretKeyAlias/selfServiceEncryptionSecretKeyAlias set. This is perhaps a generic error that indicates a lack of required configuration.

So, if you are trying out the user self-service feature, do ensure that the specified realm (in the API call) has the User Self-Service feature completely configured. I'm mentioning this because I encountered this issue today and the error led me back to this GitHub issue.

On the other hand, if you get this error while upgrading, I am sorry to say that I have no idea why this happens. It may be because the old version of AM didn't have this attribute, the upgrade process doesn't include it, and the UI/backend does not correctly cover this. Perhaps a workaround would be to follow this article, to set the attributes with ssoadm (or maybe opendj itself): https://backstage.forgerock.com/knowledge/kb/article/a62372040 (In fact, could this even be the right article to address this problem in this specific situation? This OpenAM had some commit related to a pre-release of AM 5)