Unable to log in to AEM instances due to missing cryptoservice ACLs

Issue

Unable to log in to AEM instances due to missing cryptoservice ACLs. The following error is observed in error.log on startup.

07.12.2017 15:24:31.980 *ERROR* [FelixStartLevel] com.adobe.granite.crypto.internal.Activator setupCryptoSupport: Failed creating CryptoSupport Implementation: 
javax.jcr.AccessDeniedException: Root node is not accessible.
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$4.perform(SessionImpl.java:294)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$4.perform(SessionImpl.java:288)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:208)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.getRootNode(SessionImpl.java:288)
    at com.adobe.granite.crypto.internal.Activator.getOrCreateKeyNode(Activator.java:290)
    at com.adobe.granite.crypto.internal.Activator.writeKey(Activator.java:320)
    at com.adobe.granite.crypto.internal.Activator.loadOrCreateKey(Activator.java:258)
    at com.adobe.granite.crypto.internal.Activator.startCryptoSupport(Activator.java:162)
    at com.adobe.granite.crypto.internal.Activator$1.serviceChanged(Activator.java:127)
    at com.adobe.granite.crypto.internal.Activator.start(Activator.java:138)
    at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:697)
    at org.apache.felix.framework.Felix.activateBundle(Felix.java:2226)
    at org.apache.felix.framework.Felix.startBundle(Felix.java:2144)
    at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1371)
    at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
    at java.lang.Thread.run(Thread.java:745)

Cause

This problem occurs when custom permissions packages that overwrite the out-of-the-box ACLs are installed on the instance.

Resolution

Option A: Create the missing ACL

  1. Go to http://aemhost:port/crx/de/index.jsp and log in as admin.

  2. Browse to /etc/key.

  3. Select the Access Control tab.

  4. Grant the cryptoservice user the rep:all permission on the node.

Option B: Create a package to migrate the permissions from a clean AEM install 

  1. Set up a clean AEM instance of the same version you observed the error on. Apply the same service pack, hotfixes and/or cumulative fix pack to the instance.

  2. Go to http://aemhost:port/crx/packmgr/index.jsp and log in as admin.

  3. Create a new package.

  4. Click Edit.

  5. Select the Filters tab.

  6. Add a new rule for /etc/key.

  7. Click on the Advanced tab.

  8. Set AC Handling to Merge mode.

  9. Click Save.

  10. Click Build.

  11. Download the package.

  12. Upload and install the package to the package manager of the broken AEM instance.

If you need to install custom permissions packages again, use the MergePreserve AC Handling package option at the time of building the package on the source instance.
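A pre-install check for the situation described above, as an added example that is not Adobe's code: it reads a content package's AC Handling mode and filter roots and flags packages that could replace the ACL on /etc/key. It assumes the standard FileVault package layout (META-INF/vault/properties.xml with an acHandling entry, and META-INF/vault/filter.xml); the function names are hypothetical and the sample packages are constructed in memory.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

PROTECTED = "/etc/key"           # node whose ACL this article restores
RISKY = {"overwrite", "clear"}   # AC Handling modes that discard existing ACEs

def covers(root, path=PROTECTED):
    """True if a filter root is the path, an ancestor of it, or a descendant."""
    root = root.rstrip("/") or "/"
    return (root == "/" or root == path
            or path.startswith(root + "/") or root.startswith(path + "/"))

def audit_package(data):
    """Return (acHandling, filter roots touching /etc/key, needs_review)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        props = ET.fromstring(z.read("META-INF/vault/properties.xml"))
        filt = ET.fromstring(z.read("META-INF/vault/filter.xml"))
    mode = "ignore"  # assumed FileVault default when acHandling is not set
    for entry in props.iter("entry"):
        if entry.get("key") == "acHandling":
            mode = (entry.text or "").strip().lower()
    roots = [f.get("root") for f in filt.iter("filter")
             if f.get("root") and covers(f.get("root"))]
    return mode, roots, bool(roots) and mode in RISKY

def build_sample(mode, root):
    """Constructed sample package (not a real AEM package) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/vault/properties.xml",
                   f'<properties><entry key="acHandling">{mode}</entry></properties>')
        z.writestr("META-INF/vault/filter.xml",
                   f'<workspaceFilter version="1.0"><filter root="{root}"/></workspaceFilter>')
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("overwrite", "/etc"), ("merge_preserve", "/etc/key"),
               ("overwrite", "/apps/site")]
    for mode, root in samples:
        print(mode, root, audit_package(build_sample(mode, root)))
```

A flagged package is a candidate for rebuilding with the MergePreserve option on the source instance before it is installed.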
