KMFInstanceKeyRegistry failed to unwrap key with sys_id

DmitryS · ‎07-10-2024

Hi All,

Started to get errors this morning for all attempts to use the OAuth client or even update its credentials in UI.

KMFInstanceKeyRegistry failed to unwrap key with sys_id: 4c534321830102100a92f629feaad3bf (error: com.glide.kmf.commons.CryptoOperationException: Unable to unwrap key): com.glide.kmf.AKMFKeyRegistry$KeyRegistryException: KMFInstanceKeyRegistry failed to unwrap key with sys_id: 4c534321830102100a92f629feaad3bf (error: com.glide.kmf.commons.CryptoOperationException: Unable to unwrap key): com.glide.kmf.AKMFKeyRegistry.getKeyByIdOrThrow(AKMFKeyRegistry.java:124)
com.glide.kmf.AKMFKeyRegistry.getKeyById(AKMFKeyRegistry.java:148)
com.glide.kmf.KMFInstanceKeyRegistry.getKeyById(KMFInstanceKeyRegistry.java:79)
com.glide.kmf.LocalRegistryHMACGenerator.computeHMACWithMetadata(LocalRegistryHMACGenerator.java:52)
com.glide.kmf.AKMFKeyRegistry.validateHmac(AKMFKeyRegistry.java:421)
com.glide.kmf.KMFModuleKeyRegistry.getKeyFromRecord(KMFModuleKeyRegistry.java:209)
com.glide.kmf.KMFModuleKeyRegistry.getKeyById(KMFModuleKeyRegistry.java:201)
com.glide.kmf.KMFModuleKeyRegistry.getKeyByType(KMFModuleKeyRegistry.java:118)
com.glide.kmf.AKMFKeyRegistry.getKeyByOperation(AKMFKeyRegistry.java:386)
com.glide.kmf.KMFOutputBaseBuilder.getKeyToUse(KMFOutputBaseBuilder.java:201)
com.glide.kmf.KMFOutputBaseBuilder.getKMFOutputObject(KMFOutputBaseBuilder.java:139)
com.glide.kmf.KMFOutputStringBuilder.apply(KMFOutputStringBuilder.java:21)
com.glide.kmf.KMFGlideEncrypter.encryptUsingParentModule(KMFGlideEncrypter.java:109)
com.glide.kmf.KMFGlideEncrypter.encryptWithFallbackLogic(KMFGlideEncrypter.java:99)
com.glide.kmf.KMFGlideEncrypter.encrypt(KMFGlideEncrypter.java:82)
com.glide.util.Encrypter.encrypt(Encrypter.java:106)
com.glide.script.glide_elements.GlideElementPassword2.encrypt(GlideElementPassword2.java:121)
com.glide.script.glide_elements.GlideElementPassword2.lambda$setDisplayValue$0(GlideElementPassword2.java:97)
com.glide.kmf.stats.KMFStatsRecorder.watch(KMFStatsRecorder.java:55)
com.glide.kmf.stats.KMFStatsRecorder.withTimingsWatcher(KMFStatsRecorder.java:110)
com.glide.script.glide_elements.GlideElementPassword2.setDisplayValue(GlideElementPassword2.java:97)
com.glide.script.ActionRecordList.populateActionRecord(ActionRecordList.java:60)
com.glide.script.ActionValueSetter.setValue(ActionValueSetter.java:424)
com.glide.script.ActionValueSetter.setAllowedValues(ActionValueSetter.java:299)
com.glide.script.ActionValueSetter.setValues(ActionValueSetter.java:218)
com.glide.script.ActionScriptProcessor.processScript(ActionScriptProcessor.java:172)
com.glide.script.Action.process(Action.java:117)
com.glide.ui.RedirectTransaction.invokeAction(RedirectTransaction.java:552)
com.glide.ui.RedirectTransaction.handleActions(RedirectTransaction.java:508)
com.glide.ui.RedirectTransaction.inboundActions(RedirectTransaction.java:344)
com.glide.ui.RedirectTransaction.process(RedirectTransaction.java:207)
com.glide.ui.GlideServletUITransaction.process(GlideServletUITransaction.java:122)
com.glide.processors.AProcessor.runProcessor(AProcessor.java:762)
com.glide.processors.AProcessor.processTransaction(AProcessor.java:313)
com.glide.processors.ProcessorRegistry.process0(ProcessorRegistry.java:187)
com.glide.processors.ProcessorRegistry.process(ProcessorRegistry.java:175)
com.glide.ui.GlideServletTransaction.process(GlideServletTransaction.java:58)
com.glide.sys.Transaction.run(Transaction.java:2734)
com.glide.ui.HTTPTransaction.run(HTTPTransaction.java:35)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
java.base/java.lang.Thread.run(Thread.java:840)

I have two apps that use OAuth and they aren't working today. I checked the logs and found this. I tried to update credentials in the "Application Registries" but received this error.

Does anyone have an idea what's causing it? Or how simply workaround it?

P.S. My dev instance uses the latest "Washington DC Patch 4 Hot Fix 1".

VishalGrove · ‎01-09-2025

Hi, We are having the same issue in our Dev instance, Pre-Prod working fine.
Did you manage to get any solution and got it working at the end?

We are having this issue on the Success Factors Spoke integration.

DmitryS · ‎01-09-2025

Nope, I gave up and recycled the instance.

snake plissken · ‎07-27-2025

This was my issue. Maybe this might help other diagnose their issues.

I was spinning up an instance (Yohohama) using a single bash script and kept getting the OP's same error message. What it ended up being was I was using the keytool command directly as stated in KB0951869. The issue was at the end of the keytool command it asks "Press RETURN to set key password same as keystore" (or similar). I didn't account for that in my script and it was taking output from the script and using that to set the key password (not keystore password)-- therefore I had a keystore password of "changeit" and a key password of something else. I fixed it by explicitly setting the key/alias password with the "-keypass changeit" flag in the keytool command thus making sure both were the same.

So the moral of my story is be sure that your keystore AND your key (alias) passwords are as you expect and defined correctly in the KMF properties file.