Issue
After configuring a local KMS using a PKCS12 (.p12 / .pkcs12) keystore, the Semarchy xDM platform fails to start.
Typical errors may include:
- "Error creating bean with name 'secretsFormResource'".
- "ComponentDefinitionException: Error when instantiating bean internalSecretsEncryptionService".
- "NullPointerException: While starting bundle com.semarchy.platform.secrets".
The platform initialization stops during the secrets service startup phase.
Cause
When using a keystore of type pkcs12, the key password is mandatory.
If the following environment variable is missing:
XDM_SECRETS_INTERNAL_KMS_LOCALKEYSTORE_KEYSTORE_KEYPASSWORD
the local KMS initialization fails and may trigger:
- Bean initialization failures.
- OSGi startup exceptions.
- NullPointerExceptions during platform startup.
For PKCS12 keystores:
- The key password is required.
- The key password is typically identical to the keystore password.
Unlike some other keystore types, PKCS12 requires explicit declaration of the key password.
Solution
Ensure that the key password parameter is explicitly declared in the Local KMS configuration.
For PKCS12 keystores, configure:
XDM_SECRETS_INTERNAL_KMS_LOCALKEYSTORE_KEYSTORE_KEYPASSWORD
using the same value as the keystore password.
Example Local KMS Configuration:
export XDM_SECRETS_INTERNAL_KMS_LOCALKEYSTORE_TYPE=LOCAL
export XDM_SECRETS_INTERNAL_KMS_LOCALKEYSTORE_KEYSTORE_FILE=/Users/username/semarechyKey
export XDM_SECRETS_INTERNAL_KMS_LOCALKEYSTORE_KEYSTORE_PASSWORD=testingkey
export XDM_SECRETS_INTERNAL_KMS_LOCALKEYSTORE_KEYSTORE_KEY=semarchy
export XDM_SECRETS_INTERNAL_KMS_LOCALKEYSTORE_KEYSTORE_KEYPASSWORD=testingkey
export XDM_SECRETS_INTERNAL_KMS_LOCALKEYSTORE_KEYSTORE_TYPE=pkcs12
In this example:
- KEYSTORE_FILE = path to the keystore file.
- KEYSTORE_PASSWORD = password protecting the keystore.
- KEYSTORE_KEY = alias of the encryption key.
- KEYSTORE_KEYPASSWORD = password protecting the key.
- KEYSTORE_TYPE = keystore type (pkcs12).
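A pre-start check for the variables above, as an added example that is not part of the original article or of Semarchy's tooling. The function names `kms_get` and `check_local_kms_env` are hypothetical, and treating a key password that differs from the keystore password as a warning rather than an error is an assumption based on the article's "typically identical" wording.

```shell
#!/bin/sh
# Added example (not Semarchy code): pre-start check of the Local KMS variables
# from the article's example configuration. Never prints secret values.
KMS_PREFIX=XDM_SECRETS_INTERNAL_KMS_LOCALKEYSTORE

# Print the value of ${KMS_PREFIX}_<suffix>, or nothing if it is unset.
kms_get() { eval "printf '%s' \"\${${KMS_PREFIX}_$1:-}\""; }

# Returns 0 if the configuration looks complete, 1 otherwise.
check_local_kms_env() {
    rc=0
    # Variables that the article's example sets for every Local KMS setup.
    for suffix in TYPE KEYSTORE_FILE KEYSTORE_PASSWORD KEYSTORE_KEY KEYSTORE_TYPE; do
        if [ -z "$(kms_get "$suffix")" ]; then
            echo "ERROR: ${KMS_PREFIX}_${suffix} is not set" >&2
            rc=1
        fi
    done

    # The keystore path must point at a file the server user can read.
    ks_file=$(kms_get KEYSTORE_FILE)
    if [ -n "$ks_file" ] && [ ! -r "$ks_file" ]; then
        echo "ERROR: keystore file is not readable: $ks_file" >&2
        rc=1
    fi

    # For pkcs12 the key password is mandatory (the failure this article covers).
    ks_type=$(kms_get KEYSTORE_TYPE | tr '[:upper:]' '[:lower:]')
    if [ "$ks_type" = "pkcs12" ]; then
        key_pw=$(kms_get KEYSTORE_KEYPASSWORD)
        if [ -z "$key_pw" ]; then
            echo "ERROR: ${KMS_PREFIX}_KEYSTORE_KEYPASSWORD is required for pkcs12" >&2
            rc=1
        elif [ "$key_pw" != "$(kms_get KEYSTORE_PASSWORD)" ]; then
            # Assumption: a mismatch is only flagged, not treated as fatal.
            echo "WARNING: key password differs from keystore password" >&2
        fi
    fi
    return "$rc"
}

# Usage, before starting the application server:
#   check_local_kms_env || exit 1
```

Run it in the same shell or startup script that exports the variables, so it sees the environment the platform will actually start with.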
Important Note
For PKCS12 keystores:
- The key password is mandatory.
- It is usually the same as the keystore password.
- Omitting it may prevent the entire xDM platform from starting.
After Updating the Configuration
Once the missing parameter has been added:
- Restart the application server.
- Verify that the platform starts correctly.
- Confirm the secrets bundle initializes successfully.
The Local KMS should now initialize normally.