Does not apply to Identity Cloud

Persistent cookie is not created in AM (All versions) after changing default keystore

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if the persistent cookie (called session-jwt by default) is not created in AM after you have changed the default keystore and a NullPointerException is shown in the logs. This applies to the persistent cookie created via the Persistent Cookie module.



Symptoms

The persistent cookie is not created.

An error similar to the following is shown in the log (when debug level is set to Message):

postLoginProcess Class Name is : org.forgerock.openam.authentication.modules.persistentcookie.PersistentCookieAuthModule
amAuth:02/25/2014 04:21:39:487 PM GMT: Thread[http-bio-8443-exec-5,5,main]
Error java.lang.NullPointerException
    at org.forgerock.common.util.KeystoreManager.getPublicKey(KeystoreManager.java:128)
    at org.forgerock.jaspi.modules.session.jwt.JwtSessionModule.createSessionJwtCookie(JwtSessionModule.java:428)
    at org.forgerock.jaspi.modules.session.jwt.JwtSessionModule.secureResponse(JwtSessionModule.java:407)

Recent Changes

Changed the AM keystore.

Causes

The JSON Web Token (JWT) cookie is encrypted using the default test key in the default AM keystore. The default test key cannot be found if the keystore changes, which causes the Persistent Cookie module to fail.

Solution

This issue can be resolved by updating the key alias from its default value of test to the alias of the key in the new keystore. You can do this globally or in a specific realm; the realm level setting takes precedence over the global one.

Global

You can update this value globally using either the console or ssoadm:

  • Console: navigate to Configure > Authentication > Core Attributes > Security > Persistent Cookie Encryption Certificate Alias and change test to the name of your actual key.
  • ssoadm: enter the following command, replacing [adminID], [passwordfile] and [keyname] with appropriate values:
    $ ./ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=[keyname]

Realm level

You can update this value in a specific realm using either the console or ssoadm:

  • Console: navigate to Realms > [Realm Name] > Authentication > Settings > Security > Persistent Cookie Encryption Certificate Alias and change test to the name of your actual key.
  • ssoadm: enter the following command, replacing [realmname], [adminID], [passwordfile] and [keyname] with appropriate values:
    $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthService -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=[keyname]
Note

You must restart the web application container in which AM runs to apply these configuration changes.
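As an added pre-flight check before running the ssoadm commands above (example code, not ForgeRock's), the following Python parses the output of the JDK's keytool -list for the new keystore and confirms that the alias you intend to set as iplanet-am-auth-key-alias exists and is a key pair; a missing alias is what produces the NullPointerException in KeystoreManager.getPublicKey. The keytool listing embedded below is constructed for the example.

```python
import re

# Per-entry line of `keytool -list` output, e.g.
#   mykey, Apr 13, 2021, PrivateKeyEntry,
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s.+?,\s(?P<kind>\w+Entry),\s*$")


def keystore_aliases(listing: str) -> dict:
    """Return {alias: entry type} parsed from keytool -list output.
    keytool prints JKS aliases in lower case, so aliases are normalised."""
    aliases = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            aliases[m.group("alias").strip().lower()] = m.group("kind")
    return aliases


def check_cookie_alias(listing: str, alias: str) -> tuple:
    """Decide whether `alias` is usable as iplanet-am-auth-key-alias.
    AM encrypts the session JWT and must later decrypt it, so the alias
    has to be a key pair (PrivateKeyEntry). A missing alias is exactly
    what triggers the NullPointerException in KeystoreManager.getPublicKey."""
    kind = keystore_aliases(listing).get(alias.lower())
    if kind is None:
        return False, f"alias '{alias}' not found in keystore"
    if kind != "PrivateKeyEntry":
        return False, f"alias '{alias}' is a {kind}, not a key pair"
    return True, f"alias '{alias}' is a key pair"


# Constructed sample: a replacement keystore that no longer holds `test`.
# Real output comes from: keytool -list -keystore <path> -storepass <pw>
SAMPLE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

mykey, Apr 13, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77
rootca, Apr 13, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 88:99:AA:BB:CC:DD:EE:FF
"""

if __name__ == "__main__":
    for alias in ("test", "mykey", "rootca"):
        ok, why = check_cookie_alias(SAMPLE_LISTING, alias)
        print("OK  " if ok else "FAIL", why)
```

Run it against the real listing of your new keystore; only an alias reported as a key pair should be used for the Persistent Cookie Encryption Certificate Alias.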

See Also

Persistent cookie is no longer created in AM (All versions)

How do I change the persistent cookie name (session-jwt) in AM (All versions)?

Security Guide › Changing Default Key Aliases

Authentication and Single Sign-On Guide › Persistent Cookie Module

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.