Features in AM That Use Keys

Most features that require storing secrets for signing or encryption use the AM keystore, which is configured by going to Configure > Server Defaults > Security > Key Store. However, some features may require or support different configurations:

Features that only use the AM keystore
Features that use secret stores

For a list of the secret ID mappings, see "Secret ID Default Mappings".

Features that support different keystore configurations:
  • ForgeRock Authenticator (OATH), ForgeRock Authenticator (PUSH) modules, and the WebAuthn Profile Encryption Service

    Supports configuring a different keystore to encrypt device profiles. They also support different keystore types that are not available to other features. For more information, see "About Multi-Factor Authentication".

  • AM's startup (bootstrap) process

    Requires two password strings. ForgeRock recommends that you use the AM keystore as the bootstrap keystore, but you can configure a bootstrap keystore as long as:

    • You keep the password strings updated.

    • You overwrite the boot.json file before AM starts up.

    For more information, see "To Replace the AM Keystore".

Features that require different keystore configurations:
  • Java Fedlets

    Require a keystore containing a key pair to sign and verify XML assertions and to encrypt and decrypt SAML assertions. Keystore and key information are configurable in the FederationConfig.properties file. For more information, see "Configuring Java Fedlet Properties".

  • Security Token Service

    Requires configuring a JKS keystore for encrypting SAML v2.0 and OpenID Connect tokens. It does not require files to store the keystore password or the key aliases' passwords. For more information, see Configuring STS Instances.

  • CSV audit logging handler

    Requires configuring a keystore for tamper-proofing. It does not require a file to store the keystore password; the password is configured in the AM console. For more information, see "Configuring CSV Audit Event Handlers".


If you are creating your own custom components or plugins, you can implement the SecretIdProvider interface for exposing your own custom secrets.

For more information, see the AM 7.0.2 Public API Javadoc.

Read a different version of :