
How do I change the default keystore password in OpenIDM 4.x?

Last updated Jan 5, 2021

The purpose of this article is to provide information on changing the default keystore password in OpenIDM for improved security. The keystore password is changeit by default and should be changed in production environments. You can also use this procedure to change the truststore password.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Overview

The keystore password is changeit by default and should be changed in production environments to improve security.

Changing the default keystore password (OpenIDM 4.x)

You can change the default keystore password as follows:

  1. Change the keystore password in the keystore using the following command:
       $ keytool -storepasswd -keystore /path/to/security/keystore.jceks -storetype JCEKS -storepass 'changeit' -new 'newPassword'
  2. List the keys in your keystore to show all the key aliases using the following command:
       $ keytool -list -keystore /path/to/security/keystore.jceks -storetype JCEKS -storepass 'newPassword'
  3. Update the password for all key aliases in your keystore (to match your new keystore password) using the following command:
       $ keytool -keypasswd -alias 'keyAlias' -keystore /path/to/security/keystore.jceks -storetype JCEKS -storepass 'newPassword' -keypass 'changeit' -new 'newPassword'
     You should substitute 'keyAlias' with the aliases you want to update. By default, there are two key aliases ("openidm-localhost" and "openidm-sym-default"); however, you must ensure you change the password for all aliases that were listed in step 2.
Note

If you have added any other keys to your keystore, you must ensure they have also been updated to match the new keystore password.

  4. Update the keystore password (openidm.keystore.password) stored in boot.properties (located in /path/to/idm/conf/boot). You can either update the plain text value or optionally use the crypto bundle to obfuscate the password (recommended):
    • Plain text password example:
        # Keystore password, adjust to match your keystore and protect this file
        openidm.keystore.password=newPassword
    • Obfuscated password example:
        # Keystore password, adjust to match your keystore and protect this file
        #openidm.keystore.password=changeit
        openidm.truststore.password=changeit
        # Optionally use the crypto bundle to obfuscate the password and set one of these:
        openidm.keystore.password=OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
        #openidm.keystore.password=CRYPT:
      This is described in further detail in Integrator's Guide › Change the Default Keystore Password.
  5. Repeat steps 1 to 4 on each node if you run multiple nodes in a cluster to ensure the new password is present on all nodes.
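The steps above, written as a single POSIX shell script so that steps 2 and 3 cannot drift apart (every key alias that keytool lists is rotated, not just the two defaults), followed by the boot.properties update of step 4. This is an added example and not part of the ForgeRock article or the OpenIDM product; it assumes keytool is on the PATH, and the function names (key_entry_aliases, rotate_keystore_password, set_boot_keystore_password), the file paths and the passwords are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the ForgeRock article): rotate an OpenIDM 4.x JCEKS
# keystore password plus the password of every key entry, then record the new
# value in boot.properties. Requires keytool on PATH.

# Print the alias of every entry that carries its own key password.
# `keytool -list` prints entries as "alias, <date>, PrivateKeyEntry," or
# "alias, <date>, SecretKeyEntry,"; fingerprint and banner lines are dropped.
# trustedCertEntry entries have no key password, so they are excluded:
# `keytool -keypasswd` would fail on them.
key_entry_aliases() {
  grep -E ', *(PrivateKeyEntry|SecretKeyEntry),' | cut -d, -f1
}

# rotate_keystore_password <keystore> <old password> <new password>
# Steps 1 to 3 of the article: change the store password, list the aliases,
# then set each key password to match the new store password.
rotate_keystore_password() {
  ks="$1"; old="$2"; new="$3"
  keytool -storepasswd -keystore "$ks" -storetype JCEKS \
    -storepass "$old" -new "$new" || return 1
  aliases=$(keytool -list -keystore "$ks" -storetype JCEKS -storepass "$new" \
    | key_entry_aliases) || return 1
  # here-document instead of a pipe so a failure inside the loop is returned
  while IFS= read -r alias; do
    [ -n "$alias" ] || continue
    keytool -keypasswd -alias "$alias" -keystore "$ks" -storetype JCEKS \
      -storepass "$new" -keypass "$old" -new "$new" || return 1
  done <<EOF
$aliases
EOF
}

# set_boot_keystore_password <boot.properties> <value>
# Step 4: replace the active openidm.keystore.password line (commented-out
# lines are left alone); append one if none is active. The value may be plain
# text or an OBF:/CRYPT: value produced by the crypto bundle. The value is
# passed through the environment so awk does not interpret backslashes in it.
set_boot_keystore_password() {
  file="$1"; value="$2"; tmp="$file.tmp"
  KS_PW="$value" awk '
    BEGIN { v = ENVIRON["KS_PW"] }
    /^openidm\.keystore\.password=/ {
      if (!seen) { print "openidm.keystore.password=" v; seen = 1 }
      next
    }
    { print }
    END { if (!seen) print "openidm.keystore.password=" v }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  # write back through the existing file so its permissions are kept
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# Stand-alone use:
#   sh rotate.sh /path/to/security/keystore.jceks changeit newPassword /path/to/idm/conf/boot/boot.properties
if [ "$#" -eq 4 ]; then
  rotate_keystore_password "$1" "$2" "$3" && set_boot_keystore_password "$4" "$3"
fi
```

Passwords given as command-line arguments are visible in the shell history and to other local users via the process list; keytool also accepts its password options in the forms -storepass:env VAR and -storepass:file FILE, which avoid that. Run the script once per node in a cluster (step 5), and for a truststore skip the key-password loop if it holds only trustedCertEntry entries.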

See Also

Integrator's Guide › Using the keytool Subcommand

Integrator's Guide › Replace Default Security Settings

Integrator's Guide › Securing & Hardening OpenIDM

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.