Persistent cookie is no longer created in AM (All versions)
The purpose of this article is to provide assistance if the persistent cookie is not created after installing AM and you see the following error: "Signing key must be at least 256-bits base64 encoded". The persistent cookie is called session-jwt by default and is created via the Persistent Cookie module.
Symptoms
The persistent cookie is not created; users who were logged in using a persistent cookie generated in an earlier version of AM must log in again.
The following error is shown in the Authentication log when the persistent cookie is not created:
amAuthO2PersistentCookie:08/10/2016 11:47:19:546 AM EST: Thread[ajp-bio-8010-exec-10,5,main]: TransactionId[ddda86b2-56b2-4fe7-8fb1-d8fb94c0455b-475] ERROR: Failed to initialise the underlying JASPI Server Auth Module.
org.forgerock.caf.authentication.api.AuthenticationException: Signing key must be at least 256-bits base64 encoded
    at org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule.initialize(AbstractJwtSessionModule.java:196)
    at org.forgerock.jaspi.modules.session.jwt.ServletJwtSessionModule.initialize(ServletJwtSessionModule.java:47)
    at org.forgerock.jaspi.modules.session.jwt.ServletJwtSessionModule.initialize(ServletJwtSessionModule.java:68)
    at org.forgerock.openam.authentication.modules.common.JaspiAuthModuleWrapper.init(JaspiAuthModuleWrapper.java:78)
    at org.forgerock.openam.authentication.modules.common.AbstractLoginModuleBinder.init(AbstractLoginModuleBinder.java:66)
Recent Changes
Installed AM or upgraded to a later version.
Implemented the Persistent Cookie module.
Causes
Persistent cookies must be signed by a user-specified HMAC signing key to be considered valid. The HMAC signing key must be a random value of at least 256 bits (32 bytes) supplied in base64 encoding. If the HMAC signing key is missing, is not valid base64, or decodes to fewer than 256 bits, the Persistent Cookie module fails to initialise, the persistent cookie is not created and this error is logged.
Solution
This issue can be resolved by setting or correcting the value of the HMAC signing key.
1. Generate a random value of at least 256 bits (32 bytes) and base64 encode it for use as your signing key. For example, you could use a random number generator and then encode the output using the DS base64 tool, or you could use openssl, which generates and encodes in one step:
   $ openssl rand -base64 32
2. Update the value of the HMAC signing key for the Persistent Cookie module using either the AM admin UI or ssoadm:
   - AM admin UI: navigate to Realms > [Realm Name] > Authentication > Modules > [Module Name] > HMAC Signing Key and enter the string you generated in step 1.
   - ssoadm: enter the following command:
     $ ./ssoadm update-auth-instance -e [realmname] -m [modulename] -u [adminID] -f [passwordfile] -a openam-auth-persistent-cookie-hmac-key=[string]
     replacing [realmname], [modulename], [adminID], [passwordfile] and [string] with appropriate values, where [string] is the string you generated in step 1.
Note
The Persistent Cookie Encryption Certificate Alias is used to encrypt the persistent cookie, whereas the HMAC key is used to sign it. Both are necessary for the persistent cookie to be created, but the value of one does not depend on the other. See Persistent cookie is not created in AM (All versions) after changing default keystore for further information on changing the certificate alias.
See Also
Persistent cookie is not created in AM (All versions) after changing default keystore
How do I change the persistent cookie name (session-jwt) in AM (All versions)?
Related Training
N/A
Related Issue Tracker IDs
N/A