June 22, 2020 at 1:46 pm #28032
Please help me with this issue: I followed the AM6.5 Setup and Maintenance Guide document to create a new key alias, then encrypted the store’s and key’s passwords to files, changed the Security config to the new keystore, storepass and keypass files, relaunched the web-based AM console, and tried creating a Hosted Identity Provider -> the signing key is not loaded, there is an error “Uninitialized keystore”. Please help me with how to create a custom signing key and use it.
By the way, the password of the default keystore is not “changeit”. I tried running the command `keytool -list -keystore keystore.jceks -storetype JCEKS` and entered the password changeit, but it said that “password was incorrect”.
Thanks
June 25, 2020 at 4:53 am #28033 Jatinder Singh Participant
If you have a custom signing key that you want to use for signing SAML assertions, please ensure the key is successfully imported into the `keystore.jceks` keystore. The password is not changeit but kept in a hidden file called `.storepass` at the same location where
I suggest running the `list` subcommand to verify your private key entry was successfully added.
Hope this helps!
June 25, 2020 at 11:38 am #28034
Thanks Jatinder for your response
I cannot import my key to keystore.jceks because the password of the keystore is incorrect. I tried using the password “F9KOR4zR4snxzFcq6YY7484Z2GHMsPeI”, which is in the .storepass, but it still failed. I tried using the list command but it failed with the error “keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect”.
Please share with me the password of the keystore or guide me on how to change its password. Thanks
June 25, 2020 at 4:16 pm #28038 Jatinder Singh Participant
Did you replace `keystore.jceks` with your own? Are you seeing any signing keys in the dropdown when you configure `Hosted Identity Provider`? If yes and assuming it’s your lab environment, you can try the following.
Before trying the dangerous bit – verify your passwords are indeed different:
* Copy the value of your
* Open the `https://youropenamhostname:443/openam/encode.jsp` page;
* Enter the copied value to encrypt your clear text password;
* Take the encrypted password and compare it with the value of
* If values differ – then you surely know the value inside `.storepass` is not the correct value. And then you should try to find out – how this happened.
`encrypted` directory contains the encrypted password to your `keystore.jceks` and is used in the
**CAUTION: IT IS RECOMMENDED NOT TO SHARE YOUR ENCRYPTION KEY OR ENCRYPTED PASSWORD WITH 3RD PARTY SOURCES LIKE BELOW. THE ALTERNATIVE APPROACH WOULD BE TO WRITE A JAVA UTILITY CLASS FOR SUCH PURPOSES.**
`Encrypted Password` field of the above page;
* Login into your `AM Console` and visit `Deployment > Servers > Your Server > Security Tab > Copy Password Encryption Key` value and copy it to `Encryption Key` field of the above form;
`Decode` and it will spit out `Cleartext Password`. This is the password of your
Edited.
July 7, 2020 at 10:25 am #28048
I followed your steps and learned the password of the keystore. Now I can add a new signing key on OpenAM successfully.
Thank you very much
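
The `list` check suggested earlier in the thread, written out as an added example that is not part of any post above: it tests whether a password file actually opens a JCEKS keystore and whether an alias holds a private key. The file names, the `demo-signing` alias and both passwords are constructed placeholders, and a JDK `keytool` on the PATH is assumed.

```shell
#!/bin/sh
# Added example: check a JCEKS keystore password and a signing-key alias.
# All file names, aliases and passwords below are constructed placeholders.

# Return 0 if the password stored in file $2 opens keystore $1.
# -storepass:file makes keytool read the password from the file's first
# line, so the clear-text value never appears in the process list.
check_storepass() {
    keytool -list -keystore "$1" -storetype JCEKS \
        -storepass:file "$2" >/dev/null 2>&1
}

# Return 0 if alias $3 exists in keystore $1 and is a private key entry
# (a certificate-only entry cannot sign SAML assertions).
has_private_key() {
    keytool -list -keystore "$1" -storetype JCEKS \
        -storepass:file "$2" -alias "$3" 2>/dev/null |
        grep -q 'PrivateKeyEntry'
}

# Build a throwaway keystore in directory $1 to exercise the checks.
make_demo_keystore() {
    printf '%s\n' 'constructed-clear-pass' > "$1/storepass.clear"
    # Stand-in for a file holding an encrypted (not clear-text) value.
    printf '%s\n' 'constructed-encrypted-blob' > "$1/storepass.enc"
    keytool -genkeypair -alias demo-signing -keyalg RSA -keysize 2048 \
        -dname 'CN=constructed-demo' -validity 1 \
        -keystore "$1/keystore.jceks" -storetype JCEKS \
        -storepass:file "$1/storepass.clear" \
        -keypass:file "$1/storepass.clear" >/dev/null 2>&1
}
```

A file that holds anything other than the clear-text password makes `check_storepass` fail in the same way as the "Keystore was tampered with, or password was incorrect" error quoted in the thread.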