Changing Default Key Aliases

For demo and test purposes, AM configures different demo key aliases for several features. You can keep the demo key aliases configured in those features you are not using, but you may decide to remove them completely from your production environment.

When possible, the following list includes the Global Services or Server Default paths where the demo key aliases are configured. If you already have configured any of the features in a realm, ensure that the key alias is replaced in the realm configuration as well.

To replace the default key aliases:

  1. Create the required key aliases following the tasks in "Managing Key Aliases and Passwords".

  2. Change default key aliases in AM:

    Web Agents and Java Agents

    Refer to the ForgeRock Web Agents User Guide and the ForgeRock Java Agents User Guide for more information.

    Persistent Cookie Module

    To change the default mapping for the Persistent Cookie module, go to Realms > Realm Name > Authentication > Settings > Security and replace the test key alias in the Persistent Cookie Encryption Certificate Alias field with the alias you created for persistent cookies in your secret stores.

    For more information about the secret ID mappings used by this feature, see Secret ID Mappings for Persistent Cookies.

    OAuth 2.0 and OpenID Connect Providers

    See the list of secret IDs and their defaults here and here.

    SAML v2.0 Hosted Providers

    See the list of secret IDs and their defaults here.

    Client-Based Sessions

    Go to Configure > Global Services > Session > Client-based Sessions and replace the test key alias in the Signing RSA/ECDSA Certificate Alias field and in the Encryption RSA Certificate Alias field.

    User Self-Service

    Go to Realms > Realm Name > Services > User Self-Service and populate the values of the Encryption Key Pair Alias and the Signing Secret Key Alias properties.

    Note that the name of the demo keys shows with a gray color; that does not mean the fields are filled in.

    Authentication Trees

    Authentication trees use the secret ID specified in Secret ID Mappings for Encrypting Authentication Trees' Secure State Data.


    Ensure that this secret ID is always mapped to an existing, resolvable secret or key alias, or authentication trees may not work as expected.


    The IoT Service uses the secret IDs specified in Secret ID Mappings for the IoT Trusted JWT Issuer.

Read a different version of :