August 12, 2019 at 11:14 pm #26204 ranjit (Participant)
We know that when we add a new AM server to the SITE, after finishing the AM-Configurator GUI wizard, one important requirement is to make the existing AM keystore infrastructure available to the new instance.
The simplest way to achieve this is to copy the keystore.jceks file and its password files from any other server in the SITE to the same location in the new instance and make sure that the new AM’s /path/to/openam/boot.json points to it.
However, to my surprise, I did not copy the JCEKS keystore and password files and still the second AM in the site came up properly.
Just to dig more, when I opened both JCEKS keystores of the first and second AM of the site, I found that all the fingerprints of all the signing/encrypting keys as well as the encoded format of secret key (for symmetric keys) were exactly identical.
Hence I am confused. The store-passwords were different but the contents of the two JCEKS keystores look similar (if we go by the fingerprints, serial number etc.).
So my question is what exactly happened when AM was being configured.
Does AM prepare every JCEKS keystore with the same content?
If that is true then why should I copy the keystore from the first AM-instance in the SITE?
Appreciate your help.
Thanks

August 29, 2019 at 6:10 pm #26262 Chris Lee (Participant)
The default keys in the JCEKS keystores are identical in each instance, and are intended for demo purposes only.
You MUST replace any keypairs you are making use of in production environments, and must ensure these new/custom keys are available to each instance in a site.
Have a look at https://backstage.forgerock.com/docs/am/6.5/maintenance-guide/index.html#about-default-keystores for more information.
Hope that helps.
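The fingerprint comparison ranjit did by hand, and the site-wide consistency Chris Lee asks for, can both be checked with a small script. This is an added example, not code from the thread or from AM: it parses `keytool -list -v -storetype JCEKS` output, so aliases with identical certificate fingerprints across two site members are as expected after copying the keystore, while an alias that differs or is missing means a replacement key was not made available to every instance. Comparing an instance against a fresh default install flags demo keys that were never replaced. The two listings, their aliases and fingerprints are constructed placeholders.

```python
import re
import subprocess
from typing import Dict

# Constructed, trimmed `keytool -list -v` output for two AM instances in one site.
# Aliases and fingerprints are placeholders, not real AM default key material.
AM1_LISTING = """
Alias name: rsajwtsigningkey
     SHA256: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
Alias name: es256test
     SHA256: A1:A2:A3:A4:A5:A6:A7:A8:A9:AA:AB:AC:AD:AE:AF:B0
Alias name: secretkey
Entry type: SecretKeyEntry
"""
AM2_LISTING = """
Alias name: rsajwtsigningkey
     SHA256: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
Alias name: es256test
     SHA256: C1:C2:C3:C4:C5:C6:C7:C8:C9:CA:CB:CC:CD:CE:CF:D0
"""

def parse_keytool_listing(text: str) -> Dict[str, str]:
    """Map each alias to the SHA256 fingerprint of its first certificate.
    SecretKeyEntry aliases carry no certificate, so they are skipped."""
    fingerprints, alias = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Alias name:\s*(\S+)", line)
        if m:
            alias = m.group(1)
            continue
        m = re.match(r"\s*SHA256:\s*([0-9A-Fa-f:]+)\s*$", line)
        if m and alias and alias not in fingerprints:
            fingerprints[alias] = m.group(1).upper()
    return fingerprints

def compare_keystores(listing_a: str, listing_b: str) -> Dict[str, str]:
    """Per alias: 'identical' (expected between site members, or an unreplaced
    default if compared against a fresh install), 'differs' or 'missing in one'."""
    a, b = parse_keytool_listing(listing_a), parse_keytool_listing(listing_b)
    return {alias: ("missing in one" if alias not in a or alias not in b
                    else "identical" if a[alias] == b[alias] else "differs")
            for alias in sorted(set(a) | set(b))}

def keytool_listing(keystore: str, storepass: str) -> str:
    """Run keytool against a real keystore.jceks (needs a JDK on PATH); the
    store password is the content of AM's .storepass file."""
    cmd = ["keytool", "-list", "-v", "-storetype", "JCEKS", "-keystore", keystore,
           "-storepass", storepass]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
```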