We know that when we add a new AM server to the SITE, after finishing the AM-Configurator GUI wizard, one important requirement is to make the existing AM keystore infrastructure available to the new instance.
The simplest way to achieve this is to copy the keystore.jceks file and its password files from any other server in the SITE to the same location in the new instance and make sure that the new AM’s /path/to/openam/boot.json points to it.
However, to my surprise, I did not copy the JCEKS keystore and password files and still the second AM in the site came up properly.
Just to dig more, when I opened both JCEKS keystores of the first and second AM of the site, I found that all the fingerprints of all the signing/encrypting keys as well as the encoded format of the secret key (for symmetric keys) were exactly identical.
Hence I am confused. The store passwords were different but the contents of the two JCEKS keystores look similar (if we go by the fingerprints, serial number, etc.).
So my question is what exactly happened when AM was being configured. Does AM prepare every JCEKS keystore with the same content?
If that is true, then why should I copy the keystore from the first AM instance in the SITE?