How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I update the certificate alias for the signing key in the AM (All versions) keystore?

Last updated Jan 16, 2023

The purpose of this article is to provide information on updating the certificate alias for the signing key in the AM keystore. You will need to do this if you change the signing key or the keystore. The signing key in the default keystore has the alias test; this key is used to encrypt JSON Web Tokens (JWTs) for OAuth2 and the JWT cookies used by the Persistent Cookie module.


Background information

AM uses a JCEKS keystore as its default keystore. The default location is: /path/to/am/security/keystores/keystore.jceks (AM 7 and later) or /path/to/am/keystore.jceks (AM 6.x). You can change this by navigating to: Configure > Server Defaults > Security > Key Store > Keystore File.

Updating the certificate alias for the signing key

You can update the alias for the signing key globally or in a specific realm, where realm level takes precedence over the global level:

Global

You can update this value globally using either the AM admin UI or ssoadm:

  • AM admin UI: navigate to: Configure > Authentication > Core Attributes > Security > Persistent Cookie Encryption Certificate Alias and enter the alias of the new signing key.
  • ssoadm: enter the following command:
    $ ./ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=[signingkeyalias]
    replacing [adminID], [passwordfile] and [signingkeyalias] with appropriate values.

Realm

You can update this value in a specific realm using either the AM admin UI or ssoadm:

  • AM admin UI: navigate to: Realms > [Realm Name] > Authentication > Settings > Security > Persistent Cookie Encryption Certificate Alias and enter the alias of the new signing key.
  • ssoadm: enter the following command:
    $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthService -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=[signingkeyalias]
    replacing [realmname], [adminID], [passwordfile] and [signingkeyalias] with appropriate values.

Note

You must restart the web application container in which AM runs to apply these configuration changes.
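Before pointing AM at a new alias it is worth confirming that the alias actually exists in the configured keystore and is a private-key entry, since a trusted-certificate entry cannot sign anything and AM will only fail later at runtime. The following is an added example, not part of this article: it checks an alias against the output of keytool -list and prints the matching ssoadm command. The keytool listing is constructed sample data and the alias rsajwtsigningkey is an assumed name.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -storetype JCEKS -keystore keystore.jceks`
# output. "test" is the default signing alias named in the article; the other
# entries and fingerprints are made up for this example.
SAMPLE_KEYTOOL_LIST='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 3 entries

test, Jan 16, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
rsajwtsigningkey, Jan 16, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
ca-root, Jan 16, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA'

# alias_is_signing_key <keytool output> <alias>
# Succeeds (exit 0) only when the alias is listed as a PrivateKeyEntry; a
# trustedCertEntry or an unknown alias fails, which is the case that breaks
# persistent cookies and JWT signing after a keystore change.
alias_is_signing_key() {
  printf '%s\n' "$1" | grep -q "^$2, .*, PrivateKeyEntry,"
}

# ssoadm_set_alias global|realm <alias> [realmname]
# Prints the ssoadm command from the article for the chosen scope; the
# [adminID] and [passwordfile] placeholders are left for the operator to fill.
ssoadm_set_alias() {
  case "$1" in
    global)
      printf './ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=%s\n' "$2" ;;
    realm)
      printf './ssoadm set-realm-svc-attrs -s iPlanetAMAuthService -e %s -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=%s\n' "$3" "$2" ;;
    *)
      echo "usage: ssoadm_set_alias global|realm <alias> [realmname]" >&2; return 2 ;;
  esac
}

# Typical use: refuse to emit the command unless the alias is a usable signing key.
if alias_is_signing_key "$SAMPLE_KEYTOOL_LIST" rsajwtsigningkey; then
  ssoadm_set_alias realm rsajwtsigningkey myrealm
fi
```

On a live system replace SAMPLE_KEYTOOL_LIST with the real listing, e.g. `keytool -list -storetype JCEKS -keystore /path/to/am/security/keystores/keystore.jceks`, and remember the container restart the note above requires.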

See Also

Persistent cookie is not created in AM (All versions) after changing default keystore

Secrets, certificates, and keys

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.