ForgeRock Identity Platform
Does not apply to Identity Cloud

Persistent cookie is no longer created in AM (All versions)

Last updated May 10, 2022

The purpose of this article is to provide assistance if the persistent cookie is not created after installing AM and you see the following error: "Signing key must be at least 256-bits base64 encoded". The persistent cookie is called session-jwt by default and is created via the Persistent Cookie module.

Symptoms

The persistent cookie is not created; users who were logged in using a persistent cookie generated in an earlier version of AM must log in again.

The following error is shown in the Authentication log when the persistent cookie is not created:

amAuthO2PersistentCookie:08/10/2016 11:47:19:546 AM EST: Thread[ajp-bio-8010-exec-10,5,main]: TransactionId[ddda86b2-56b2-4fe7-8fb1-d8fb94c0455b-475] ERROR: Failed to initialise the underlying JASPI Server Auth Module.
org.forgerock.caf.authentication.api.AuthenticationException: Signing key must be at least 256-bits base64 encoded
    at org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule.initialize(
    at org.forgerock.jaspi.modules.session.jwt.ServletJwtSessionModule.initialize(
    at org.forgerock.jaspi.modules.session.jwt.ServletJwtSessionModule.initialize(
    at org.forgerock.openam.authentication.modules.common.JaspiAuthModuleWrapper.init(
    at org.forgerock.openam.authentication.modules.common.AbstractLoginModuleBinder.init(

Recent Changes

Installed AM or upgraded to a later version.

Implemented the Persistent Cookie module.

Causes

Persistent cookies must be signed by a user-specified HMAC signing key to be considered valid; additionally, the HMAC signing key must be a random string that is at least 256 bits and base64 encoded. If the HMAC signing key is either missing or invalid, the persistent cookie will not be created and you will see this error.

Solution

This issue can be resolved by setting or correcting the value of the HMAC signing key.

  1. Generate a random string that is at least 256 bits and base64 encoded for your signing key. For example, you could use a random number generator and then encode the result using the DS base64 tool, or you could use openssl:

     $ openssl rand -base64 32

  2. Update the value of the HMAC signing key for the Persistent Cookie module using either the console or ssoadm:
    • Console: navigate to: Realms > [Realm Name] > Authentication > Modules > [Module Name] > HMAC Signing Key and enter the string you generated in step 1.
    • ssoadm: enter the following command:

      $ ./ssoadm update-auth-instance -e [realmname] -m [modulename] -u [adminID] -f [passwordfile] -a openam-auth-persistent-cookie-hmac-key=[string]

      replacing [realmname], [modulename], [adminID], [passwordfile] and [string] with appropriate values, where [string] is the string you generated in step 1.
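
The following Python script is an added example, not part of this article or of AM itself. It generates a key equivalent to the openssl command in step 1 and applies the rule from the error message (random, at least 256 bits, base64 encoded) to a candidate value before it is entered in the console or passed to ssoadm; the check_signing_key function and its return values are this example's own and do not correspond to an AM API.

```python
"""Generate and pre-check an AM Persistent Cookie HMAC signing key.

Added example, not ForgeRock code. It mirrors the article's rule so a key
can be validated before configuration; the console does not validate it
for you (see OPENAM-9492 in the issue tracker list).
"""
import base64
import binascii
import secrets

MIN_KEY_BITS = 256  # minimum the JASPI JWT session module accepts


def generate_signing_key(num_bytes: int = 32) -> str:
    """Return a base64-encoded random key; 32 bytes = 256 bits,
    the same as `openssl rand -base64 32`."""
    if num_bytes * 8 < MIN_KEY_BITS:
        raise ValueError(f"need at least {MIN_KEY_BITS // 8} random bytes")
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def check_signing_key(key: str) -> tuple[bool, str]:
    """Apply the article's rule to a candidate key and return (ok, reason).

    Length is measured on the *decoded* bytes, so a 32-character passphrase
    does not qualify: it decodes to only 24 bytes (192 bits).
    """
    if not key or not key.strip():
        return False, "HMAC signing key is missing"
    try:
        raw = base64.b64decode(key.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False, "value is not valid base64"
    bits = len(raw) * 8
    if bits < MIN_KEY_BITS:
        return False, f"decoded key is {bits} bits, need at least {MIN_KEY_BITS}"
    return True, f"ok: {bits}-bit key"


if __name__ == "__main__":
    key = generate_signing_key()
    print(key, check_signing_key(key))
    # Constructed bad inputs: an empty value, a 32-character passphrase
    # (valid base64 but only 192 bits) and a value outside the base64 alphabet.
    for bad in ["", "a" * 32, "not a base64 key!"]:
        print(repr(bad), check_signing_key(bad))
```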

The Persistent Cookie Encryption Certificate Alias is used to encrypt the persistent cookie and the HMAC key is for signing. Both are necessary for the persistent cookie to be created, but the value of one does not depend on the other. See Persistent cookie is not created in AM (All versions) after changing default keystore for further information on changing this value.

See Also

Persistent cookie is not created in AM (All versions) after changing default keystore

How do I change the persistent cookie name (session-jwt) in AM (All versions)?

Persistent Cookie Module

Related Issue Tracker IDs

OPENAM-9492 (XUI should validate the value of a Persistent Cookie HMAC Signing Key)

OPENAM-8264 (insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret')

Copyright and Trademarks

Copyright © 2022 ForgeRock, all rights reserved.