This topic contains 1 voice and has 0 replies.

  • Author
  • #26204


    We know that when we add a new AM server to the SITE, after finishing the AM-Configurator GUI wizard, one important requirement is to make the existing AM keystore infrastructure available to the new instance.

    The simplest way to achieve this is to copy the keystore.jceks file and its password files from any other server in the SITE to the same location in the new instance and make sure that the new AM’s /path/to/openam/boot.json points to it.

    However, to my surprise, I did not copy the JCEKS keystore and password files, and the second AM in the site still came up properly.
    Just to dig more, when I opened both JCEKS keystores of the first and second AM of the site, I found that all the fingerprints of all the signing/encrypting keys, as well as the encoded format of the secret key (for symmetric keys), were exactly identical.

    Hence I am confused. The store passwords were different, but the contents of the two JCEKS keystores look similar (if we go by the fingerprints, serial numbers, etc.).

    So my question is what exactly happened when AM was being configured.
    Does AM prepare every JCEKS keystore with the same content?
    If that is true, then why should I copy the keystore from the first AM instance in the SITE?

    Appreciate your help.
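A check for the comparison the post describes, added here as an example and not taken from the post or from ForgeRock: it compares the certificate fingerprints of two keystores from saved `keytool -list -v` output captured on each AM instance. The alias names and fingerprints in the embedded listings are constructed sample data, not real AM keystore contents.

```shell
# Added example (not from the post or ForgeRock): compare certificate
# fingerprints of two keystores from saved `keytool -list -v` output taken on
# each AM instance. Aliases and fingerprints below are constructed.
# Print "alias sha256" per entry, using the first SHA256 line after each alias.
# A SecretKeyEntry has no certificate, so it yields no line and is not compared.
extract_fingerprints() {
    awk '/^Alias name:/ { alias = $3; seen = 0 }
         /SHA256:/ && !seen { seen = 1; print alias, $2 }' "$1"
}
# Print "<alias> identical|differs|only-in-1|only-in-2", one line per alias.
compare_keystores() {
    extract_fingerprints "$1" | LC_ALL=C sort > "$1.fp"
    extract_fingerprints "$2" | LC_ALL=C sort > "$2.fp"
    LC_ALL=C join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$1.fp" "$2.fp" |
    awk '{ if ($2 == "MISSING")      print $1, "only-in-2"
           else if ($3 == "MISSING") print $1, "only-in-1"
           else if ($2 == $3)        print $1, "identical"
           else                      print $1, "differs" }'
    rm -f "$1.fp" "$2.fp"
}
# Constructed listings standing in for two AM instances of one SITE.
write_samples() {
    cat > "$1" <<'EOF'
Alias name: sample-signing
Certificate fingerprints:
     SHA256: 11:22:33:44
Alias name: sample-secret
Entry type: SecretKeyEntry
Alias name: sample-encrypt
Certificate fingerprints:
     SHA256: AA:BB:CC:DD
EOF
    cat > "$2" <<'EOF'
Alias name: sample-signing
Certificate fingerprints:
     SHA256: 11:22:33:44
Alias name: sample-encrypt
Certificate fingerprints:
     SHA256: AA:BB:CC:EE
Alias name: sample-extra
Certificate fingerprints:
     SHA256: 99:99:99:99
EOF
}
demo() {
    dir=$(mktemp -d); write_samples "$dir/am1.txt" "$dir/am2.txt"
    compare_keystores "$dir/am1.txt" "$dir/am2.txt"; rm -rf "$dir"
}
demo
```

Run on real output, it reports an alias as identical only when both instances hold a certificate with the same SHA256 fingerprint; symmetric secret keys never appear in this comparison because keytool prints no fingerprint for them.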



©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
