The error message "ERROR [ims.llsdk6.PasswordBlobImpl] (default task-1) Invalid JSON value in blobText" appears frequently in the Identity Manager server.log.
This can appear when users log in or, as in the following example, when a user attempts to reset their password:
When executing the “Forgotten Password” task, the task sometimes completes and sometimes fails.
The failure error is:
Send Email: Generated By Policy Xpress: Failed to execute SendEmailEvent. ERROR MESSAGE: PxEnvironmentException:Error sending email
Below are the errors from the server log:
2023-02-14 10:48:34,814 ERROR [ims.llsdk6.PasswordBlobImpl] (Thread-367 (ActiveMQ-client-global-threads)) Invalid JSON value in blobText
2023-02-14 10:48:34,814 ERROR [ims.llsdk6.PasswordBlobImpl] (Thread-367 (ActiveMQ-client-global-threads)) java.lang.NullPointerException
Invalid JSON value in blobText indicates that the password blob, that is, some or all of the data stored in the user's PASSWORD_DATA user attribute (imPasswordData in the user store; see KB 132835 for details on accessing the Userstore), is unreadable.
Anything that changes the encryption algorithm will cause the data in the PASSWORD_DATA blob to become invalid.
There are several possible causes of the data becoming unreadable, such as user data being imported from another system with different data encoding or encryption (which occurs if SiteMinder is integrated after users are created), or an external process that is unexpectedly modifying the password_data value.
Seeing this error indicates that a user's password history is invalid and cannot be fully used in Password Policies, which could allow someone to violate your password policies, at least temporarily.
The PASSWORD_DATA stores historical password information to be used by Password Policies, for example, to prevent users from reusing the same password repeatedly. It does not store the user's current password.
Once the algorithm is changed, there is no way to fix this, because new data is being written with the new algorithm. Reverting whatever change caused this would still result in the error, because the new data would then be the unreadable data.
The only option to clear the Invalid JSON value in blobText messages in the logs is to delete the PASSWORD_DATA for the impacted users.
Clear the value of the user's PASSWORD_DATA (imPasswordData) attribute at the UserStore Directory layer.
See KB 132835 for details on accessing the Userstore.
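One way to prepare that cleanup for several impacted users is to generate an LDIF change file, shown here as an added example that is not from this KB article or the vendor. It assumes the user store is an LDAP directory and that PASSWORD_DATA maps to imPasswordData there; the DNs are constructed samples and the function names are hypothetical.

```python
import base64

# Attribute name taken from this page; confirm which physical attribute
# PASSWORD_DATA maps to in your own directory before applying the output.
ATTRIBUTE = "imPasswordData"

# Constructed sample DNs (not real users); the third duplicates the first.
SAMPLE_DNS = [
    "uid=jdoe,ou=People,dc=example,dc=com",
    "cn=José Núñez,ou=People,dc=example,dc=com",
    "uid=jdoe,ou=people,dc=example,dc=com",
]


def is_safe_string(value):
    """RFC 2849 SAFE-STRING check: may the value be written without base64?"""
    if not value:
        return True
    if value[0] in " :<" or value[-1] == " ":
        return False
    return all(0 < ord(ch) < 128 and ch not in "\r\n" for ch in value)


def dn_line(dn):
    """Emit 'dn: ...' or, for non-ASCII/unsafe DNs, base64 'dn:: ...'."""
    if is_safe_string(dn):
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def build_clear_ldif(dns, attribute=ATTRIBUTE):
    """Return LDIF that removes `attribute` from each distinct DN."""
    seen, records = set(), []
    for dn in (d.strip() for d in dns):
        if not dn or dn.lower() in seen:  # skip blanks and repeated DNs
            continue
        seen.add(dn.lower())
        # 'replace' with no values deletes the attribute if present and is
        # ignored if absent (RFC 4511), so users already cleared do not fail.
        records.append("\n".join(
            [dn_line(dn), "changetype: modify", "replace: " + attribute, "-"]))
    return "version: 1\n\n" + "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(build_clear_ldif(SAMPLE_DNS), end="")
```

Review the generated file before applying it with your directory's own modify tool, since the change removes the password history for every listed user.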
If the issue happens to be widespread among users, you should investigate how and why the password_data is not readable by Identity Manager and then clear out the unreadable values as needed.
PASSWORD_DATA does not store the user's current password; that is held in the userPassword attribute. PASSWORD_DATA contains historical details about user passwords for use with your password policy. This consists largely of password history, intended to prevent users from reusing a password or to indicate to IDM if a user must change a password after a set period of time.
There can be both good and bad data in the PASSWORD_DATA in the database, as new passwords will be written with the new encryption. This means that your password policies may appear to be working, but there is still data in that table that cannot be read, resulting in the error in the log.