The IDM keystore
IDM generates a number of encryption keys in a JCEKS keystore the first time the server starts up. These keys map to the secrets defined in Mapping secretIDs to key aliases. The keystore and the keys are generated at startup and are not prepackaged. The keys are generated only if they do not already exist. You cannot specify custom aliases for these default keys.
To use a different keystore type, such as PKCS #12, create the keystore and generate the keys before you start IDM. This prevents IDM from generating the keys on startup. You can also convert the existing JCEKS keystore to a PKCS #12 keystore. If you use a different keystore type, you must edit the openidm.keystore.type property (in the conf/secrets.json file) to match the new type.
Use the keytool command to list the default encryption keys, as follows:
keytool \
  -list \
  -keystore /path/to/openidm/security/keystore.jceks \
  -storepass changeit \
  -storetype JCEKS
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 5 entries

openidm-sym-default, Nov 5, 2019, SecretKeyEntry,
openidm-jwtsessionhmac-key, Nov 5, 2019, SecretKeyEntry,
selfservice, Nov 5, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): E9:0B:BA:FB:58:73:02:FC...:7B
openidm-selfservice-key, Nov 5, 2019, SecretKeyEntry,
openidm-localhost, Nov 5, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 21:50:6C:90:C7:A7:F7:32...:1B
If you are using IDM in a cluster, you must share these keys among all nodes in the cluster. The easiest way to do this is to generate a keystore with the appropriate keys and share the keystore in some way; for example, by using a filesystem that is shared between the nodes.
Change the default keystore password
The default keystore password is changeit. You should change this password in a production environment.
Repeat this procedure on each node if you run multiple nodes in a cluster to ensure that the new password is present on all nodes.
- Shut down the server if it is running.
- Use the keytool command to change the keystore password. The following command changes the keystore password to newPassword:
keytool \
  -storepasswd \
  -keystore /path/to/openidm/security/keystore.jceks \
  -storetype jceks \
  -storepass changeit
New keystore password: newPassword
Re-enter new keystore password: newPassword
- Change the passwords of the default encryption keys.
IDM uses the encryption keys listed in Mapping secretIDs to key aliases, whose passwords are also changeit by default. The password of each of these keys must match the password of the keystore. To get the list of keys in the keystore, run the following command:
keytool \
  -list \
  -keystore /path/to/openidm/security/keystore.jceks \
  -storetype jceks \
  -storepass newPassword
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 5 entries

openidm-sym-default, May 4, 2021, SecretKeyEntry,
selfservice, May 4, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): fingerprint
openidm-jwtsessionhmac-key, May 4, 2021, SecretKeyEntry,
openidm-localhost, May 4, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): fingerprint
openidm-selfservice-key, May 4, 2021, SecretKeyEntry,
Change the passwords of each default encryption key as follows:
keytool \
  -keypasswd \
  -alias openidm-localhost \
  -keystore /path/to/openidm/security/keystore.jceks \
  -storetype jceks \
  -storepass newPassword
Enter key password for <openidm-localhost> changeit
New key password for <openidm-localhost>: newPassword
Re-enter new key password for <openidm-localhost>: newPassword

keytool \
  -keypasswd \
  -alias openidm-sym-default \
  -keystore /path/to/openidm/security/keystore.jceks \
  -storetype jceks \
  -storepass newPassword
Enter key password for <openidm-sym-default> changeit
New key password for <openidm-sym-default>: newPassword
Re-enter new key password for <openidm-sym-default>: newPassword

keytool \
  -keypasswd \
  -alias openidm-selfservice-key \
  -keystore /path/to/openidm/security/keystore.jceks \
  -storetype jceks \
  -storepass newPassword
Enter key password for <openidm-selfservice-key> changeit
New key password for <openidm-selfservice-key>: newPassword
Re-enter new key password for <openidm-selfservice-key>: newPassword

keytool \
  -keypasswd \
  -alias selfservice \
  -keystore /path/to/openidm/security/keystore.jceks \
  -storetype jceks \
  -storepass newPassword
Enter key password for <selfservice> changeit
New key password for <selfservice>: newPassword
Re-enter new key password for <selfservice>: newPassword

keytool \
  -keypasswd \
  -alias openidm-jwtsessionhmac-key \
  -keystore /path/to/openidm/security/keystore.jceks \
  -storetype jceks \
  -storepass newPassword
Enter key password for <openidm-jwtsessionhmac-key> changeit
New key password for <openidm-jwtsessionhmac-key>: newPassword
Re-enter new key password for <openidm-jwtsessionhmac-key>: newPassword
- Configure a new expression resolver file to store only the keystore password:
  - Create a new directory in /path/to/openidm/resolver/ that will contain only the properties file for keystore passwords. For example:
    mkdir /path/to/openidm/resolver/keystore
    Substituted properties are not encrypted by default. You must therefore secure access to this directory, using the appropriate permissions.
  - Set the IDM_ENVCONFIG_DIRS environment variable to include the new directory:
    export IDM_ENVCONFIG_DIRS=/path/to/openidm/resolver/,/path/to/openidm/resolver/keystore
  - Create a .json or .properties file in that secure directory, that contains the new keystore password as a resolvable IDM property. For example, add one of the following files to that directory: