AM features that use keys

Requires a key pair alias for encryption. For more information, refer toSet Persistent Cookie node.

Requires a JCEKS keystore with a key pair alias for encryption and a key alias for signing.

For more information, refer to Create a user self-service service instance.

Requires an sms.transport.key key alias to export and import encrypted passwords.

For more information, refer to the Amster documentation.

Requires copying signing and encryption keys from IDM into the AM keystore.

For more information, see Delegate user self-registration to IDM.

Require keys or secrets for signing and encrypting client-side sessions and authentication sessions.

For more information, refer to Client-side session security.

Requires a key alias to encrypt values stored in the authentication tree’s secure state.

For more information, refer to Store values in a tree’s node states.

Require a key alias for signing client-side tokens and OpenID Connect ID tokens. Also require a key alias for encryption of client-side OAuth 2.0 access and refresh tokens.

For more information, see Configure client-side OAuth 2.0 token encryption.

Web agents and Java agents communicate with AM using a built-in OAuth 2.0 provider, configured globally in AM. This communication requires a key alias for signing tokens.

For more information, refer to the ForgeRock Web Agents User Guide and the ForgeRock Java Agents User Guide.

Requires a key alias for signing consent responses, and another key alias for encrypting consent responses.

For more information, refer to Remote consent.

Requires key pairs for signing and encrypting messages, responses, and assertions; for example, a key to encrypt the JWT stored in the local storage of supported browsers.

You might also require a key to sign exported metadata.

For more information, refer to Sign and encrypt messages. For a list of the secret ID mappings, refer to Secret ID default mappings.

Requires a key pair alias for encryption.

For more information, refer to Persistent Cookie module.

Support configuring a different keystore to encrypt device profiles. Also support keystore types that are not available to other features.

For more information, refer to Multi-factor authentication.

Require a keystore containing a key pair to sign and verify XML assertions and to encrypt and decrypt SAML assertions. Keystore and key information are configurable in the FederationConfig.properties file. For more information, refer to Configure Java fedlet properties.

Requires a JKS keystore for encrypting SAML v2.0 and OpenID Connect tokens. Does not require files to store the keystore password or the key aliases' passwords.

For more information, refer to Configure STS instances.

Requires a keystore for tamper-proofing. Does not require a file to store the keystore password; the password is configured in the AM admin UI. For more information, refer to Configure CSV audit event handlers.