Adobe

Unable to create Adobe IMS configuration for Target in AEMaaCS

Decryption errors and missing permissions prevent the creation of Adobe IMS Technical Account Configurations for Target integration in AEMaaCS. To fix this, verify and recreate the keystore, enable permissions on the configuration folder, check deployment keys, and validate the configuration creation.

Description

Environment

  • Product: Adobe Experience Manager as a Cloud Service (AEMaaCS) - Sites
  • Environment: Development and Stage environments

Issue/Symptoms

  • Logs show error: Cannot retrieve certificates: com.adobe.granite.crypto.CryptoException: Unable to decrypt.
  • Selecting Adobe Target from the Cloud Solution dropdown returns a 500 error.
  • IMS Technical Account Configurations are created but don’t appear in the UI.
  • Decryption fails due to mismatched HMAC keys or master keys between environments.
  • Missing Cloud Configurations permissions on the /conf/global folder prevent configurations from displaying.

Resolution

To resolve this issue, follow these steps:

  1. Verify that the keystore for the target-imsconfig-service user is properly synchronized across environments.

  2. If keystore migration issues exist, delete the keystore at /home/users/system/cq:services/internal/target/<UUID> for the affected service account.

  3. Recreate the keystore for the target-imsconfig-service user in each environment where errors occur.

  4. In AEM Author, go to Tools > Security > Permissions, locate the /conf/global folder, and enable Cloud Configurations. Add Browse, Modify, and Delete Configurations permissions.

  5. Retry creating the IMS Technical Account Configuration:

    1. Go to AEM Author > Tools > Security > Adobe IMS Configurations.
    2. Click Create and select Target from the Cloud Solution dropdown.
    3. Enter the required details, and select Submit.

  6. Review deployment configurations to ensure encryption and HMAC keys are correctly injected as secure properties (for example, _osgi structure or CI/CD pipeline secrets) in each environment.

  7. Confirm that the configurations are created and visible in both the UI and backend systems like Legacy Cloud Services under Target connections.

  8. For production environments, repeat these steps after verifying the UUIDs of the affected service accounts.
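
One way to support the confirmation in step 7 from the logs, as an added example that is not Adobe's code: it counts the decrypt error quoted under Issue/Symptoms per environment and reports whether it was still logged after the keystore was recreated. The sample log lines, logger name, and timestamps are constructed, and the `dd.MM.yyyy HH:mm:ss.SSS *LEVEL*` line prefix is an assumption about the log format.

```python
import re
from datetime import datetime

# Error text quoted under Issue/Symptoms on this page.
DECRYPT_ERROR = "com.adobe.granite.crypto.CryptoException: Unable to decrypt"

# Assumed line prefix: "dd.MM.yyyy HH:mm:ss.SSS *LEVEL* ...". Stack-trace
# continuation lines ("Caused by: ...") lack it, so they are not counted twice.
ENTRY_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \*(\w+)\* (.*)$")

def summarize_decrypt_errors(logs_by_env):
    """Map each environment to the count, first and last time of the error."""
    summary = {}
    for env, text in logs_by_env.items():
        times = []
        for line in text.splitlines():
            entry = ENTRY_RE.match(line.strip())
            if entry and DECRYPT_ERROR in entry.group(3):
                times.append(datetime.strptime(entry.group(1), "%d.%m.%Y %H:%M:%S.%f"))
        summary[env] = {
            "count": len(times),
            "first": min(times, default=None),
            "last": max(times, default=None),
        }
    return summary

def still_failing(summary, env, keystore_recreated_at):
    """True if the error was logged after the keystore was recreated."""
    last = summary.get(env, {}).get("last")
    return last is not None and last > keystore_recreated_at

# Constructed sample logs (logger name and timestamps are hypothetical).
SAMPLE_LOGS = {
    "dev": """\
12.03.2024 09:15:02.114 *ERROR* [sling-default-1] example.Logger Cannot retrieve certificates: com.adobe.granite.crypto.CryptoException: Unable to decrypt.
Caused by: com.adobe.granite.crypto.CryptoException: Unable to decrypt
12.03.2024 09:40:10.000 *INFO* [sling-default-2] example.Logger Keystore created
""",
    "stage": """\
12.03.2024 09:16:00.500 *ERROR* [sling-default-1] example.Logger Cannot retrieve certificates: com.adobe.granite.crypto.CryptoException: Unable to decrypt.
12.03.2024 10:05:30.250 *ERROR* [sling-default-3] example.Logger Cannot retrieve certificates: com.adobe.granite.crypto.CryptoException: Unable to decrypt.
""",
}
RECREATED_AT = datetime(2024, 3, 12, 9, 30)  # constructed time of step 3

if __name__ == "__main__":
    report = summarize_decrypt_errors(SAMPLE_LOGS)
    for env, info in report.items():
        print(env, info["count"], still_failing(report, env, RECREATED_AT))
```

An environment that still reports the error after the keystore was recreated points back to step 6, the keys injected for that environment.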
