New signing key is not loaded successfully. There is an error "Uninitialized keystore"

This topic has 6 replies, 2 voices, and was last updated 1 day, 7 hours ago by Hanh.

    #28032
     Hanh
    Participant

    Hi all,
    Please help me with this issue: I followed the AM 6.5 Setup and Maintenance Guide to create a new key alias, then encrypted the store's and key's passwords to files, changed the Security config to the new keystore, storepass and keypass files, relaunched the web-based AM console and tried creating a Hosted Identity Provider -> the signing key is not loaded; there is the error "Uninitialized keystore". Please help me with how to create a custom signing key and use it.
    By the way, the password of the default keystore is not "changeit". I tried running the command `keytool -list -keystore keystore.jceks -storetype JCEKS` and entered the password changeit, but it said "password was incorrect".
    Thanks

    #28033
     Jatinder Singh
    Participant

    If you have a custom signing key that you want to use for signing SAML assertions, please ensure the key is successfully imported into the keystore.jceks keystore. The password is not changeit but is kept in a hidden file called .storepass in the same location where keystore.jceks resides.

    I suggest running the list subcommand to verify your private key entry was successfully added.

    Hope this helps!

    #28034
     Hanh
    Participant

    Thanks Jatinder for your response.
    I cannot import my key into keystore.jceks because the password of the keystore is incorrect. I tried using the password "F9KOR4zR4snxzFcq6YY7484Z2GHMsPeI" which is in .storepass, but it still failed. I tried using the list command, but it failed with the error "keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect".
    Please share the password of the keystore with me or guide me on how to change its password. Thanks

    #28038
     Jatinder Singh
    Participant

    Did you replace keystore.jceks with your own? Are you seeing any signing keys in the dropdown when you configure the Hosted Identity Provider? If yes, and assuming it's your lab environment, you can try the following.

    Before trying the dangerous bit – verify your passwords are indeed different:

    * Copy the value of your .storepass file;
    * Open the `https://youropenamhostname:443/openam/encode.jsp` page;
    * Enter the copied value to encrypt your clear text password;
    * Take the encrypted password and compare it with the value of secrets/encrypted/storepass;
    * If the values differ – then you know for sure the value inside .storepass is not the correct value, and then you should try to find out how this happened.

    P.S. The storepass file under the encrypted directory contains the encrypted password to your keystore.jceks and is used in the Secret Stores configuration.

    **CAUTION: IT IS RECOMMENDED NOT TO SHARE YOUR ENCRYPTION KEY OR ENCRYPTED PASSWORD WITH 3RD PARTY SOURCES LIKE BELOW. THE ALTERNATIVE APPROACH WOULD BE TO WRITE A JAVA UTILITY CLASS FOR SUCH PURPOSES.**

    * Visit http://idp.ssocircle.com/sso/toolbox/ossoPwDecrypt.jsp
    * Copy storepass value under secrets/encrypted/storepass in the Encrypted Password field of the above page;
    * Log in to your AM Console and visit Deployment > Servers > Your Server > Security Tab, copy the Password Encryption Key value and paste it into the Encryption Key field of the above form;
    * Click Decode and it will spit out Cleartext Password. This is the password of your keystore.jceks keystore.

    Edited.
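As an added example (not from this thread or from ForgeRock), the following script performs the "verify your passwords" check from the post above locally with keytool, so the encrypted store password never has to be handed to a third-party decryption page. It assumes AM's default layout, with keystore.jceks, .storepass and .keypass in one directory, and keytool on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: check locally whether the values kept in
# .storepass and .keypass really open keystore.jceks, so the encrypted secret
# never has to be pasted into a third-party decryption page.
# Assumptions: AM's default layout (keystore.jceks, .storepass and .keypass in
# one directory) and keytool on PATH.

# Read a secret file and drop CR/LF so a stray trailing newline, a common cause
# of "Keystore was tampered with, or password was incorrect", is not handed to
# keytool as part of the password.
read_secret_file() {
    tr -d '\r\n' < "$1"
}

# 0 if $1/.storepass opens $1/keystore.jceks, 1 if keytool rejects it,
# 2 if the file is missing.
verify_storepass() {
    dir=$1
    [ -f "$dir/.storepass" ] || return 2
    sp=$(read_secret_file "$dir/.storepass")
    keytool -list -keystore "$dir/keystore.jceks" -storetype JCEKS \
        -storepass "$sp" >/dev/null 2>&1
}

# 0 if $1/.keypass unlocks the private key entry $2. keytool -certreq must sign
# with that key, so a wrong key password fails, but nothing in the keystore is
# modified; the generated CSR is discarded.
verify_keypass() {
    dir=$1; alias=$2
    [ -f "$dir/.keypass" ] || return 2
    sp=$(read_secret_file "$dir/.storepass")
    kp=$(read_secret_file "$dir/.keypass")
    keytool -certreq -alias "$alias" -keystore "$dir/keystore.jceks" \
        -storetype JCEKS -storepass "$sp" -keypass "$kp" >/dev/null 2>&1
}

# Usage: sh check_keystore.sh /path/to/openam [signing-key-alias]
if [ -n "${1:-}" ]; then
    if verify_storepass "$1"; then
        echo "storepass OK: $1/.storepass opens keystore.jceks; private keys:"
        keytool -list -keystore "$1/keystore.jceks" -storetype JCEKS \
            -storepass "$(read_secret_file "$1/.storepass")" | grep PrivateKeyEntry
    else
        echo "storepass REJECTED or missing: fix .storepass before re-encrypting it"
    fi
    if [ -n "${2:-}" ]; then
        verify_keypass "$1" "$2" && echo "keypass OK for alias $2" \
            || echo "keypass REJECTED or missing for alias $2"
    fi
fi
```

If both checks pass but the console still reports "Uninitialized keystore", the mismatch is between these files and the encrypted values referenced in the Security / Secret Stores configuration, not in the keystore itself.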

    #28048
     Hanh
    Participant

    Thanks Jatinder,
    I followed your steps and found out the password of the keystore. Now I can add the new signing key on OpenAM successfully.
    Thank you very much


©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
