How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I enable SSL in AM (All versions) for an existing installation?

Last updated Jan 16, 2023

The purpose of this article is to provide information on enabling SSL in AM for an existing installation. It assumes you have already enabled SSL on your web application container and the truststore used by the JVM running AM has the necessary certificates installed.

1 reader recommends this article

If this is an existing install, you can enable SSL as described in this article. If it is a new install, it is preferable to reinstall AM rather than making lots of configuration changes as described in How do I enable SSL in AM (All versions) post-install?

Enabling SSL for an existing installation

To enable SSL:

  1. Enable SSL on your web application container per your vendor's instructions. Ensure the truststore used by the JVM running AM has the necessary certificates installed. See How do I import a certificate into the truststore used by AM (All versions) for SSL? for further information.
  2. Take a backup of your configuration data to ensure you have it for reference or in case you want to restore your current configuration. See Back up configurations (AM 7 and later) or How do I make a backup of configuration data in AM 6.x?
  3. Log into the AM admin UI as the admin user (typically amAdmin).
  4. Clone the server configuration by navigating to: Deployment > Servers and selecting the vertical ellipsis > Clone on the AM instance you want to change to an SSL enabled installation.
  5. Enter the new server URL in the Server URL field using the https protocol instead of http and changing the port as appropriate. For example, if your existing server URL was:, you would change it to something similar to:
  6. Update the Realm DNS alias in the top level realm if the hostname has changed by navigating to: Realms > Top Level Realm / > Properties > Realm/DNS Aliases in the AM admin UI.
  7. Update the cookie domain if the hostname domain has changed by navigating to: Configure > Global Services > Platform > Cookie Domains.
  8. Logout of the AM admin UI.
  9. Edit the bootstrap file to point to the new server. This is the boot.json file, which is located in the /path/to/am/config directory (AM 7 and later) or the /path/to/am directory (AM 6.x).
  10. Restart the web application container in which AM runs.
  11. Navigate to the new server URL that you specified in step 5 to ensure it works as expected.
  12. If the new server is operational, remove the old server and Realm DNS alias associated with the old hostname (if different).

Once you have enabled SSL in AM, you should include details of the truststore that contains the required certificates in the setup or setup.bat script prior to installing ssoadm and in the ssoadm or ssoadm.bat script once it is installed. This is described in FAQ: Installing and using ssoadm in AM (Q. How do I install the ssoadm administration tool if I am using SSL?).

See Also

How do I enable SSL in AM (All versions) post-install?

FAQ: SSL/TLS secured connections in AM and Agents

How do I make AM 6.x communicate with a secured LDAP server?

Prepare the truststore

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.