Unable to login to AEM instances due to missing cryptoservice acls


Unable to log into AEM instances due to missing cryptoservice ACLs. The error [1] below is observed in the error.log on startup.

07.12.2017 15:24:31.980 *ERROR* [FelixStartLevel] com.adobe.granite.crypto.internal.Activator setupCryptoSupport: Failed creating CryptoSupport Implementation: 
javax.jcr.AccessDeniedException: Root node is not accessible.
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$4.perform(SessionImpl.java:294)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$4.perform(SessionImpl.java:288)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:208)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.getRootNode(SessionImpl.java:288)
    at com.adobe.granite.crypto.internal.Activator.getOrCreateKeyNode(Activator.java:290)
    at com.adobe.granite.crypto.internal.Activator.writeKey(Activator.java:320)
    at com.adobe.granite.crypto.internal.Activator.loadOrCreateKey(Activator.java:258)
    at com.adobe.granite.crypto.internal.Activator.startCryptoSupport(Activator.java:162)
    at com.adobe.granite.crypto.internal.Activator$1.serviceChanged(Activator.java:127)
    at com.adobe.granite.crypto.internal.Activator.start(Activator.java:138)
    at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:697)
    at org.apache.felix.framework.Felix.activateBundle(Felix.java:2226)
    at org.apache.felix.framework.Felix.startBundle(Felix.java:2144)
    at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1371)
    at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
    at java.lang.Thread.run(Thread.java:745)


This problem is caused when custom permissions packages are installed to the instance which overwrite out of the box ACLs.


Option A: Create the missing ACL​ 

  1. Go to http://aemhost:port/crx/de/index.jsp and log in as admin.

  2. Browse to /etc/key.

  3. Select the Access Control tab.

  4. Grant cryptoservice user rep:all permission on the node.

Option B: Create a package to migrate the permissions from a clean AEM install 

  1. Set up a clean AEM instance of the same version you observed the error on. Apply the same service pack, hotfixes and/or cumulative fix pack to the instance.

  2. Go to http://aemhost:port/crx/packmgr/index.jsp and log in as admin.

  3. Create a new package.

  4. Click Edit.

  5. Select the Filters tab.

  6. Add a new rule for /etc/key.

  7. Click on the Advanced tab.

  8. Set AC Handling to Merge mode.

  9. Click Save.

  10. Click Build.

  11. Download the package.

  12. Upload and install the package to the package manager of the broken AEM instance.

If you need to install custom permissions packages again, use the MergePreserve AC Handling package option at the time of building the package on the source instance.




Adobe MAX 2024

Adobe MAX

10 月 14 日至 16 日迈阿密海滩及线上

Adobe MAX


10 月 14 日至 16 日迈阿密海滩及线上

Adobe MAX 2024

Adobe MAX

10 月 14 日至 16 日迈阿密海滩及线上

Adobe MAX


10 月 14 日至 16 日迈阿密海滩及线上