How do I change the Signing Key for Federation in OpenAM 13.x?

Changing the signing key

The default 'test' certificate alias used for SAML2 and OAuth signing keys is also used by the XUI and for REST authentication in OpenAM.

The JKS keystore is used in OpenAM 13; a new JCEKS keystore type was introduced in OpenAM 13.5, which is used by default for new OpenAM 13.5 installations. If you have upgraded to OpenAM 13.5, the JKS keystore is still used by default. See OpenAM 13.5 Release Notes › Smarter Security Features for further information about the JCEKS keystore.

The keystore type affects the process used to change the signing key as follows:

• JCEKS keystore (OpenAM 13.5 only) - see the OpenAM Administration Guide › To Change OpenAM Default test Signing Key.
• JKS keystore - see the OpenAM Administration Guide › To Change the Default Signing Key. The Organization Authentication Certificate Alias property referred to here has been renamed Persistent Cookie Encryption Certificate Alias; the ssoadm property name has not changed.

See Also

Unable to login to OpenAM 13.x console or access REST API after changing the Federation Signing Key 

How do I update the certificate alias for the signing key in the AM (All versions) keystore?

FAQ: SAML certificate management in AM 6.x

idmdude - How to Configure OpenAM Signing Keys

Related Training

N/A

Related Issue Tracker IDs

OPENAM-6824 (Procedure To Change the Signing Key for Federation results in being locked out of XUI)

OPENAM-6003 (value for 'iplanet-am-auth-key-alias' should be checked when saving)