This topic contains 1 reply, has 2 voices, and was last updated by Chris Lee 1 month, 2 weeks ago.

  • #26204
     ranjit 
    Participant

    Hello,

    We know that when we add a new AM server to the SITE, after finishing the AM-Configurator GUI wizard, one important requirement is to make the existing AM keystore infrastructure available to the new instance.

    The simplest way to achieve this is to copy the keystore.jceks file and its password files from any other server in the SITE to the same location in the new instance and make sure that the new AM’s /path/to/openam/boot.json points to it.

    However, to my surprise, I did not copy the JCEKS keystore and password files and still the second AM in the site came up properly.
    Just to dig more, when I opened both JCEKS keystores of the first and second AM of the site, I found that all the fingerprints of all the signing/encrypting keys as well as the encoded format of secret key (for symmetric keys) were exactly identical.

    Hence I am confused. The store-passwords were different but the contents of the two JCEKS keystores look similar (if we go by the fingerprints, serial number etc.).

    So my question is what exactly happened when AM was being configured.
    Does AM prepare every JCEKS keystore with the same content?
    If that is true then why should I copy the keystore from the first AM-instance in the SITE?

    Appreciate your help.

    Thanks

    #26262
     Chris Lee 
    Participant

    Hi,
    The default keys in the JCEKS keystores are identical in each instance, and are intended for demo purposes only.
    You MUST replace any keypairs you are making use of in production environments, and must ensure these new/custom keys are available to each instance in a site.
    Have a look at https://backstage.forgerock.com/docs/am/6.5/maintenance-guide/index.html#about-default-keystores for more information.
    Hope that helps.
    Regards,
    Chris
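A way to verify the point made in this answer, as an added example that is not part of the thread and not ForgeRock's own tooling: parse the verbose listing that `keytool -list -v -storetype JCEKS` prints for each instance's keystore and report the alias/SHA-256 fingerprint pairs two instances have in common. An alias used in production that still shares its fingerprint with a freshly configured instance's default keystore has not been replaced. The sample listings, alias names and fingerprints below are constructed for the example; `keytool` on PATH and the store password passed as an argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread or ForgeRock). Compares the key fingerprints of
# two AM JCEKS keystores using nothing but keytool's verbose listing, awk, sort and comm.
set -e

# Reduce a `keytool -list -v` listing (stdin) to sorted "alias<TAB>SHA256-fingerprint" lines.
# SecretKeyEntry items print no fingerprint, so only certificate-bearing aliases appear.
fingerprints_from_listing() {
    awk '
        /^Alias name:/ { alias = $3 }
        /SHA256:/      { print alias "\t" $NF }
    ' | sort
}

# Print alias/fingerprint pairs present in BOTH listings ($1 and $2 are listing strings).
shared_fingerprints() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | fingerprints_from_listing > "$a"
    printf '%s\n' "$2" | fingerprints_from_listing > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Real-world wrapper (assumption: keytool on PATH): dump one instance's keystore.jceks.
# Usage: list_keystore_fingerprints /path/to/openam/openam/keystore.jceks "$STOREPASS"
list_keystore_fingerprints() {
    keytool -list -v -storetype JCEKS -keystore "$1" -storepass "$2" 2>/dev/null \
        | fingerprints_from_listing
}

# Constructed sample listings (abbreviated keytool output, made-up fingerprints).
# Instance B replaced only the "custom-prod" key; the other two still match instance A.
SAMPLE_A='Alias name: es256test
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
Alias name: rsajwtsigningkey
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
Alias name: custom-prod
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: 33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33'

SAMPLE_B='Alias name: es256test
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
Alias name: rsajwtsigningkey
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
Alias name: custom-prod
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: 44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44'

# Aliases that are identical in both instances (expected here: es256test, rsajwtsigningkey).
shared_aliases_in_sample() {
    shared_fingerprints "$SAMPLE_A" "$SAMPLE_B" | cut -f1
}

shared_aliases_in_sample
```

To compare two live instances, run `list_keystore_fingerprints` against each server's keystore, save both outputs, and feed them to `comm -12`; any production alias that appears in the shared list across a newly configured instance still carries the default key.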

©2019 ForgeRock