How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I update the authentication signing secret in AM (All versions)?

Last updated Jan 16, 2023

The purpose of this article is to provide information on updating the value of the authentication signing secret in AM. The signing secret is a random key that AM generates upon startup and uses to sign the authentication token (authID). You can replace the generated value with a static value if required.



Updating the value of the signing secret

You should generate a random string that is at least 128 bits long and base64 encoded for your signing secret. For example, you could use a random number generator and then encode the output using the DS base64 tool, or you could use openssl:

$ openssl rand -base64 32
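The issue tracker entry at the end of this article notes that AM's own validator for this property was insufficient, so it is worth checking a candidate secret locally before entering it. The following is an added example (not ForgeRock code) that generates a secret equivalent to `openssl rand -base64 32` and applies the checks the article implies: strict base64, at least 128 bits once decoded, no stray whitespace. The helper names and the all-identical-bytes check are assumptions of this example, not AM behaviour.

```python
import base64
import binascii
import secrets

# Minimum key length the article recommends for the signing secret.
MIN_SECRET_BITS = 128


def generate_signing_secret(num_bytes: int = 32) -> str:
    """Return num_bytes of CSPRNG output, base64 encoded.

    The default of 32 bytes (256 bits) matches `openssl rand -base64 32`.
    """
    if num_bytes * 8 < MIN_SECRET_BITS:
        raise ValueError(f"need at least {MIN_SECRET_BITS} bits, got {num_bytes * 8}")
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def check_signing_secret(secret: str) -> tuple[bool, str]:
    """Sanity-check a secret before pasting it into the admin UI or ssoadm.

    Returns (ok, reason). These are local checks only (hypothetical helper);
    they do not replace whatever validation AM performs.
    """
    if not secret or secret != secret.strip():
        return False, "secret is empty or has leading/trailing whitespace"
    try:
        # validate=True rejects non-alphabet characters and bad padding.
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return False, "not valid base64"
    if len(raw) * 8 < MIN_SECRET_BITS:
        return False, f"decoded secret is {len(raw) * 8} bits, need at least {MIN_SECRET_BITS}"
    if len(set(raw)) == 1:
        # A constant byte string decodes fine but is not a random key.
        return False, "decoded bytes are all identical; not a random key"
    return True, "ok"


if __name__ == "__main__":
    candidate = generate_signing_secret()
    print(candidate, check_signing_secret(candidate))
```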

You can then update the value of the signing secret globally or in a specific realm using this generated string, where realm level takes precedence over the global level:

Global

You can update this value globally using either the AM admin UI or ssoadm:

  • AM admin UI: navigate to: Configure > Authentication > Core Attributes > Security > Organization Authentication Signing Secret and enter the value of your shared secret.
  • ssoadm: enter the following command: $ ./ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-auth-hmac-signing-shared-secret=[sharedSecret], replacing [adminID], [passwordfile] and [sharedSecret] with appropriate values.

Realm level

You can update this value in a specific realm using either the AM admin UI or ssoadm:

  • AM admin UI: navigate to: Realms > [Realm Name] > Authentication > Settings > Security > Organization Authentication Signing Secret and enter the value of your shared secret.
  • ssoadm: enter the following command: $ ./ssoadm set-realm-svc-attrs -u [adminID] -f [passwordfile] -s iPlanetAMAuthService -e [realmname] -a iplanet-am-auth-hmac-signing-shared-secret=[sharedSecret], replacing [adminID], [passwordfile], [realmname] and [sharedSecret] with appropriate values.

Note

You must restart the web application container in which AM runs to apply these configuration changes.

See Also

Authentication configuration

base64

Related Training

N/A

Related Issue Tracker IDs

OPENAM-8264 (insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret')


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.