This topic has 6 replies, 3 voices, and was last updated 3 years, 2 months ago by ranjit.



    I have a quick question about our JCEKS keystore that we get when we install AM.
    This keystore comes with a store-password and a key-password stored in 2 different plain text files.

    What is the interpretation of the “.keypass” file?

    If I create a few new secrets or RSA key-pairs in this keystore through keytool, do I always have to give the SAME key-password for every such new key?

    Basically, is it necessary that all the keys have the same password and that this SINGLE password has to be in the .keypass file?



    Hi Ranjit,

    I don’t think you need to have the same keypass for all keys; you can have different keypasses for different keys and save them to the .keypass file.

    Even if you want to have the same keypass for all keys, it’s up to you.



    Yes, what you said is very logical.
    The only question is, if I have different key-passwords for different keys, what would be the format of the .keypass file?

    When AM wants to use any private-key OR any secret like config-store-password, it will look into this .keypass file to first get the password of that private-key or secret.

    Right now, the default .keypass file that we get by installing AM has only one word in it, i.e., changeit, which is the password of all the keys.


     Peter Major

    Some features in AM allow you to set different key passwords than what you have in the .keypass file. My understanding is that the PKCS12 keystore format works best when the key password is the same as the keystore password.


    Thanks Peter.
    I believe the keystore-password is in a totally separate file, and that part is very neat and clear.
    My concern is how to store multiple keys and their passwords in the .keypass file.
    Would the format be like

    alias1 password1
    alias2 password2

    For e.g., if I want to have a different password for the config-store-password key and the RSA key used for signing the OAuth tokens, how do I put these two keys’ passwords in the .keypass file?


     Peter Major

    The .keypass file can only contain one password.
    If a feature in AM supports a key-specific key password, then that feature would have an extra setting where that key password can be provided. If you don’t see such a field for the service you are configuring, then assume that it will use the default password from the .keypass file.
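    As an added illustration of the point above (this is constructed example code, not code from the thread or from AM itself; the file names, aliases and passwords are made up): a JCEKS keystore happily stores entries whose key passwords differ, but a consumer that reads the single password from a .keypass file, the way AM does, can only unlock the entries protected by that one password.

    ```java
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.nio.file.Files;
    import java.nio.file.Path;
    import java.security.KeyStore;
    import java.security.UnrecoverableKeyException;
    import javax.crypto.KeyGenerator;

    public class KeypassDemo {
        public static void main(String[] args) throws Exception {
            // Constructed file names and passwords; AM's real files live in its configuration directory.
            Path dir = Files.createTempDirectory("keypass-demo");
            Path ksFile = dir.resolve("keystore.jceks");
            Path storepassFile = dir.resolve(".storepass");
            Path keypassFile = dir.resolve(".keypass");
            char[] storePass = "store-changeit".toCharArray();
            char[] defaultKeyPass = "changeit".toCharArray();   // the single password .keypass holds
            char[] customKeyPass = "something-else".toCharArray();
            Files.writeString(storepassFile, new String(storePass));
            Files.writeString(keypassFile, new String(defaultKeyPass));
            KeyStore ks = KeyStore.getInstance("JCEKS");
            ks.load(null, null);                       // start with an empty keystore
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            // Each entry carries its own key password, so the two entries may legitimately differ.
            ks.setEntry("default-secret", new KeyStore.SecretKeyEntry(kg.generateKey()),
                    new KeyStore.PasswordProtection(defaultKeyPass));
            ks.setEntry("custom-secret", new KeyStore.SecretKeyEntry(kg.generateKey()),
                    new KeyStore.PasswordProtection(customKeyPass));
            try (FileOutputStream out = new FileOutputStream(ksFile.toFile())) {
                ks.store(out, storePass);
            }
            // A consumer that, like AM, reads one store password and one key password from the two files.
            char[] filePass = Files.readString(keypassFile).trim().toCharArray();
            KeyStore loaded = KeyStore.getInstance("JCEKS");
            try (FileInputStream in = new FileInputStream(ksFile.toFile())) {
                loaded.load(in, Files.readString(storepassFile).trim().toCharArray());
            }
            System.out.println("default-secret opened with .keypass: "
                    + (loaded.getKey("default-secret", filePass) != null));
            try {
                loaded.getKey("custom-secret", filePass);
                System.out.println("custom-secret opened with .keypass: true");
            } catch (UnrecoverableKeyException e) {
                // The .keypass password cannot unlock this entry; a per-key password setting would be needed.
                System.out.println("custom-secret opened with .keypass: false (" + e.getMessage() + ")");
            }
        }
    }
    ```

    The second lookup fails, which is exactly the situation where a feature must offer its own key-password field or fall back to the .keypass value.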


    Got it and fully clarified.
    Thanks Peter!!!
