Does not apply to Identity Cloud

Persistent cookie is no longer created in AM (All versions)

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if the persistent cookie is not created after installing or upgrading AM and you see the following error: "Signing key must be at least 256-bits base64 encoded". The persistent cookie is called session-jwt by default and is created by the Persistent Cookie authentication module.


Symptoms

The persistent cookie is not created; users who were logged in using a persistent cookie generated in an earlier version of AM must log in again.

The following error is shown in the Authentication log when the persistent cookie is not created:

amAuthO2PersistentCookie:08/10/2016 11:47:19:546 AM EST: Thread[ajp-bio-8010-exec-10,5,main]: TransactionId[ddda86b2-56b2-4fe7-8fb1-d8fb94c0455b-475] ERROR: Failed to initialise the underlying JASPI Server Auth Module.
org.forgerock.caf.authentication.api.AuthenticationException: Signing key must be at least 256-bits base64 encoded
    at org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule.initialize(AbstractJwtSessionModule.java:196)
    at org.forgerock.jaspi.modules.session.jwt.ServletJwtSessionModule.initialize(ServletJwtSessionModule.java:47)
    at org.forgerock.jaspi.modules.session.jwt.ServletJwtSessionModule.initialize(ServletJwtSessionModule.java:68)
    at org.forgerock.openam.authentication.modules.common.JaspiAuthModuleWrapper.init(JaspiAuthModuleWrapper.java:78)
    at org.forgerock.openam.authentication.modules.common.AbstractLoginModuleBinder.init(AbstractLoginModuleBinder.java:66)

Recent Changes

Installed AM or upgraded to a later version.

Implemented the Persistent Cookie module.

Causes

Persistent cookies are signed with an HMAC key that you specify in the Persistent Cookie module; a cookie whose signature does not verify under that key is rejected. The key must be a random value of at least 256 bits (32 bytes), base64 encoded. If the HMAC signing key is missing, is not valid base64, or decodes to fewer than 32 bytes, the underlying JASPI session module fails to initialize, the persistent cookie is not created, and the error above is logged. After an upgrade this can surface for a key that an earlier version accepted without validating it (see the issue tracker IDs below), which is why cookies issued by the earlier version stop working and users must log in again.

Solution

This issue can be resolved by setting or correcting the value of the HMAC signing key. Be aware that setting a new key invalidates any existing session-jwt cookies signed with the old key, so those users will need to log in once more.

  1. Generate a random value of at least 256 bits (32 bytes) and base64 encode it; this is your signing key. For example, you could use a cryptographically secure random number generator and then encode the output using the DS base64 tool, or you could use openssl, which does both in one step:
     $ openssl rand -base64 32
     This outputs 32 random bytes as a 44-character base64 string. Copy the value without the trailing newline.
  2. Update the value of the HMAC signing key for the Persistent Cookie module using either the console or ssoadm:
    • Console: navigate to: Realms > [Realm Name] > Authentication > Modules > [Module Name] > HMAC Signing Key and enter the string you generated in step 1.
    • ssoadm: enter the following command: $ ./ssoadm update-auth-instance -e [realmname] -m [modulename] -u [adminID] -f [passwordfile] -a openam-auth-persistent-cookie-hmac-key=[string] replacing [realmname], [modulename], [adminID], [passwordfile] and [string] with appropriate values, where [string] is the string you generated in step 1.
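Because the error only appears after the module tries to initialize, it is worth checking a candidate key before pasting it into the console or handing it to ssoadm. The following bash script is an added example for this article (it is not ForgeRock code and not part of AM): it generates a key as in step 1 and verifies that a key is well-formed base64 decoding to at least 32 bytes, which is the 256-bit requirement the module enforces. The function names, the SSOADM environment variable and the /dev/urandom fallback are this example's own assumptions; the ssoadm invocation is the one from step 2.

```shell
#!/bin/bash
# Added example: generate and validate a Persistent Cookie HMAC signing key.
# Requires a coreutils/busybox `base64`; uses openssl when present.

# Print a fresh 256-bit (32-byte) random key, base64 encoded, with no trailing newline.
generate_hmac_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32            # same command as step 1 of the article
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n'   # fallback (this example's assumption)
  fi
}

# Return 0 if $1 is valid base64 that decodes to at least 32 bytes (256 bits), else 1.
# This mirrors the check behind "Signing key must be at least 256-bits base64 encoded".
check_hmac_key() {
  local key="$1" nbytes
  [ -n "$key" ] || return 1
  # Reject anything that is not well-formed base64 (base64 -d exits non-zero on bad input).
  printf '%s' "$key" | base64 -d >/dev/null 2>&1 || return 1
  # Count decoded bytes; wc -c may pad with spaces on some platforms, so go through $(( )).
  nbytes=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)
  [ "$((nbytes))" -ge 32 ]
}

# Validate first, then set the key with the ssoadm command from step 2.
# SSOADM is this example's own variable; it defaults to ./ssoadm as in the article.
set_hmac_key() {
  local realm="$1" module="$2" admin="$3" pwfile="$4" key="$5"
  if ! check_hmac_key "$key"; then
    echo "refusing to set a key that is not base64 or is shorter than 256 bits" >&2
    return 1
  fi
  "${SSOADM:-./ssoadm}" update-auth-instance -e "$realm" -m "$module" \
    -u "$admin" -f "$pwfile" -a "openam-auth-persistent-cookie-hmac-key=$key"
}

# Stand-alone demonstration: a generated key passes, a 5-byte key does not.
demo_key=$(generate_hmac_key)
if check_hmac_key "$demo_key"; then
  echo "generated key is acceptable: $demo_key"
else
  echo "generated key failed validation" >&2
fi
if ! check_hmac_key "c2hvcnQ="; then      # base64 of "short" (40 bits)
  echo "short key correctly rejected"
fi
```

Run it as `bash check_key.sh` to print a usable key, or source it and call `set_hmac_key "/" "PersistentCookie" "amadmin" "/tmp/pwd.txt" "$(generate_hmac_key)"` with your own realm, module name and password file. A 31-byte key (248 bits) is rejected even though it looks the same length when base64 encoded, so do not trim or hand-edit the generated string.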
Note

The Persistent Cookie Encryption Certificate Alias is used to encrypt the persistent cookie, whereas the HMAC key is used to sign it. Both must be configured correctly for the persistent cookie to be created, but the two settings are independent: fixing the HMAC key does not change the encryption alias, and vice versa. See Persistent cookie is not created in AM (All versions) after changing default keystore for further information on changing the encryption alias.

See Also

Persistent cookie is not created in AM (All versions) after changing default keystore

How do I change the persistent cookie name (session-jwt) in AM (All versions)?

Authentication and Single Sign-On Guide › Persistent Cookie Module

Related Training

N/A

Related Issue Tracker IDs

OPENAM-9492 (XUI should validate the value of a Persistent Cookie HMAC Signing Key)

OPENAM-8264 (insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret')


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.