How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I update the certificate alias for the signing key in the AM (All versions) keystore?

Last updated Apr 13, 2021

The purpose of this article is to provide information on updating the certificate alias for the signing key in the AM keystore. You need to do this if you change the signing key or the keystore. The signing key in the default keystore has the alias test; AM uses this key to encrypt JSON Web Tokens (JWTs) for OAuth2 and the JWT cookies created by the Persistent Cookie module.


Background information

AM uses a JCEKS keystore as its default keystore. The default location is /path/to/openam/security/keystores/keystore.jceks (AM 7 and later) or /path/to/openAM/keystore.jceks (pre-AM 7). You can change this location by navigating to: Configure > Server Defaults > Security > Key Store > Keystore File.

Updating the certificate alias for the signing key

You can update the alias for the signing key globally or in a specific realm; a realm-level setting takes precedence over the global one:

Global

You can update this value globally using either the console or ssoadm:

  • Console: navigate to: Configure > Authentication > Core Attributes > Security > Persistent Cookie Encryption Certificate Alias and enter the alias of the new signing key.
  • ssoadm: enter the following command:
    $ ./ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=[signingkeyalias]
    replacing [adminID], [passwordfile] and [signingkeyalias] with appropriate values.

Realm

You can update this value in a specific realm using either the console or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Authentication > Settings > Security > Persistent Cookie Encryption Certificate Alias and enter the alias of the new signing key.
  • ssoadm: enter the following command:
    $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthService -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=[signingkeyalias]
    replacing [realmname], [adminID], [passwordfile] and [signingkeyalias] with appropriate values.

Note

You must restart the web application container in which AM runs to apply these configuration changes.
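As an added example, not ForgeRock's own code: a POSIX shell helper that confirms the new alias is actually present in the JCEKS keystore (using keytool) before issuing the ssoadm command above, at either the global or the realm level. The keystore and password-file paths, the use of keytool's -storepass:file option, and running from the ssoadm bin directory are assumptions.

```shell
#!/bin/sh
# Added example, not ForgeRock's own tooling: confirm the new alias really exists in the
# JCEKS keystore before pointing AM at it, then run the ssoadm command from the article.
# Assumptions: keytool (from the JDK) is on PATH, the keystore password is in a file,
# and the functions are run from the ssoadm bin directory, as in the article.

# Return 0 if ALIAS is present in the JCEKS keystore, non-zero otherwise.
# Usage: alias_in_keystore /path/to/keystore.jceks /path/to/.storepass test
alias_in_keystore() {
  keystore="$1"; storepassfile="$2"; alias="$3"
  keytool -list -keystore "$keystore" -storetype JCEKS \
    -storepass:file "$storepassfile" -alias "$alias" >/dev/null 2>&1
}

# Print (do not run) the ssoadm command from the article.
# An empty REALM means global (set-attr-defs); otherwise realm level (set-realm-svc-attrs).
ssoadm_alias_cmd() {
  realm="$1"; adminid="$2"; passwordfile="$3"; alias="$4"
  if [ -z "$realm" ]; then
    printf './ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u %s -f %s -a iplanet-am-auth-key-alias=%s\n' \
      "$adminid" "$passwordfile" "$alias"
  else
    printf './ssoadm set-realm-svc-attrs -s iPlanetAMAuthService -e %s -u %s -f %s -a iplanet-am-auth-key-alias=%s\n' \
      "$realm" "$adminid" "$passwordfile" "$alias"
  fi
}

# Refuse to change the alias when it is not in the keystore: AM would accept the
# setting but then fail to create persistent cookies (the article's See Also case).
# Usage: update_signing_alias KEYSTORE STOREPASSFILE REALM ADMINID PASSWORDFILE ALIAS
update_signing_alias() {
  keystore="$1"; storepassfile="$2"; realm="$3"; adminid="$4"; passwordfile="$5"; alias="$6"
  if ! alias_in_keystore "$keystore" "$storepassfile" "$alias"; then
    echo "alias '$alias' not found in $keystore (or keytool failed); not updating AM" >&2
    return 1
  fi
  cmd=$(ssoadm_alias_cmd "$realm" "$adminid" "$passwordfile" "$alias")
  echo "Running: $cmd"
  eval "$cmd" || return 1
  echo "Alias updated. Restart the web application container running AM to apply it."
}
```

Pass an empty string as REALM for the global setting; the restart reminder at the end mirrors the Note above.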

See Also

Persistent cookie is not created in AM (All versions) after changing default keystore

Security Guide › Configuring Secrets, Certificates, and Keys

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.