Persistent cookie is not created in AM (All versions) after changing default keystore
The purpose of this article is to provide assistance if the persistent cookie (called session-jwt by default) is not created in AM after you have changed the default keystore and a NullPointerException is shown in the logs. This applies to the persistent cookie created via the Persistent Cookie module.
Symptoms
The persistent cookie is not created.
An error similar to the following is shown in the log (when debug level is set to Message):
postLoginProcess Class Name is : org.forgerock.openam.authentication.modules.persistentcookie.PersistentCookieAuthModule
amAuth:02/25/2014 04:21:39:487 PM GMT: Thread[http-bio-8443-exec-5,5,main]
Error java.lang.NullPointerException
at org.forgerock.common.util.KeystoreManager.getPublicKey(KeystoreManager.java:128)
at org.forgerock.jaspi.modules.session.jwt.JwtSessionModule.createSessionJwtCookie(JwtSessionModule.java:428)
at org.forgerock.jaspi.modules.session.jwt.JwtSessionModule.secureResponse(JwtSessionModule.java:407)
Recent Changes
Changed the AM keystore.
Causes
The JSON Web Token (JWT) cookie is encrypted using the default test key in the default AM keystore. The default test key cannot be found if the keystore changes, which causes the Persistent Cookie module to fail.
Solution
This issue can be resolved by updating the key alias from its default value of test to the alias of the key in the new keystore. You can do this globally or in a specific realm; a realm-level setting takes precedence over the global setting.
Global
You can update this value globally using either the AM admin UI or ssoadm:
- AM admin UI: navigate to: Configure > Authentication > Core Attributes > Security > Persistent Cookie Encryption Certificate Alias and change test to the name of your actual key.
- ssoadm: enter the following command, replacing [adminID], [passwordfile] and [keyname] with appropriate values:
$ ./ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=[keyname]
Realm level
You can update this value in a specific realm using either the AM admin UI or ssoadm:
- AM admin UI: navigate to: Realms > [Realm Name] > Authentication > Settings > Security > Persistent Cookie Encryption Certificate Alias and change test to the name of your actual key.
- ssoadm: enter the following command, replacing [realmname], [adminID], [passwordfile] and [keyname] with appropriate values:
$ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthService -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-auth-key-alias=[keyname]
Note
You must restart the web application container in which AM runs to apply these configuration changes.
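Before setting iplanet-am-auth-key-alias (globally or per realm), it is worth confirming that the alias you intend to use really exists in the new keystore, because an alias that cannot be found is precisely what produces the NullPointerException in KeystoreManager.getPublicKey. The following is an added example, not ForgeRock tooling or code from this article: it parses the output of keytool -list and reports whether a given alias is present. The keystore path, store type, password handling and the alias names in the constructed sample listing are assumptions.

```shell
#!/bin/sh
# Added example (not part of the article or of AM itself): check that a key alias
# exists in the AM keystore before pointing the Persistent Cookie module at it.

# Return 0 if ALIAS appears as an entry in the given `keytool -list` output text.
# keytool prints each entry on its own line as "<alias>, <date>, <entry type>, ...",
# and treats aliases case-insensitively, hence grep -i.
alias_in_listing() {
  listing="$1"
  alias="$2"
  printf '%s\n' "$listing" | grep -qi "^${alias}, "
}

# Run keytool against a real keystore and check for the alias.
# Returns 0 if found, 1 if not found, 2 if keytool could not open the keystore.
# Assumed defaults: the AM keystore at $AM_HOME/openam/keystore.jceks (type JCEKS),
# with the store password read from the .storepass file next to it.
keystore_has_alias() {
  keystore="$1"
  storetype="$2"
  storepass="$3"
  alias="$4"
  listing=$(keytool -list -keystore "$keystore" -storetype "$storetype" \
            -storepass "$storepass" 2>/dev/null) || return 2
  alias_in_listing "$listing" "$alias"
}

# Constructed sample of `keytool -list` output (not captured from a real system),
# used so the parsing logic can be exercised without a keystore present.
SAMPLE_LISTING='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

test, Feb 25, 2014, PrivateKeyEntry, 
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
newkey, Mar 1, 2014, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44'

# Example usage against a real keystore (paths are assumptions):
#   AM_HOME=/path/to/am
#   if keystore_has_alias "$AM_HOME/openam/keystore.jceks" JCEKS \
#        "$(cat "$AM_HOME/openam/.storepass")" newkey; then
#     echo "alias present: safe to set iplanet-am-auth-key-alias=newkey"
#   else
#     echo "alias missing: setting it would reproduce the NullPointerException" >&2
#   fi
```

Run the check with the same alias you will pass to ssoadm as iplanet-am-auth-key-alias; only proceed with the configuration change and the container restart once it reports the alias as present.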
See Also
Persistent cookie is no longer created in AM 6.0.x
How do I change the persistent cookie name (session-jwt) in AM (All versions)?
Related Training
N/A
Related Issue Tracker IDs
N/A