  1. OpenAM
  2. OPENAM-14027

Cannot access keys from default JCEKS keystore if AM upgraded from 13.0


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Expired
    • Affects Version/s: 6.5.0
    • Fix Version/s: None
    • Component/s: self-service
    • Labels:


      Bug description

      From OpenAM 13.5 onwards we default to using a JCEKS keystore rather than a JKS keystore.  Support for JCEKS is needed to allow symmetric keys to be stored.  If upgrading from a version of OpenAM earlier than 13.5, OpenAM/AM will continue to use the JKS keystore rather than switching to using the JCEKS keystore.

      This was a conscious decision as admins should have moved away from using the default JKS keystore in favour of one they create for themselves.

      How to reproduce the issue

      1. Install AM 13.0.x
      2. Upgrade to AM 6.5.0-M17
      3. Run the functional test com.forgerock.openam.functionaltest.ui.uss.pages.AnswerSecurityQuestionPageTest

      Expected behaviour

      All tests should pass.

      Current behaviour

      Tests fail as the User Self-Service cannot be created.  This is because the signing key alias required by User Self-Service is not found in the JKS keystore.

      Work around

      Configure AM to use the JCEKS keystore rather than the JKS keystore.

      1. Login to the admin console
      2. Select Configure > Server Defaults
      3. Select Security
      4. Select the "Key Store" tab
      5. Update "Keystore File" to %BASE_DIR%/%SERVER_URI%/keystore.jceks
      6. Update "Keystore Type" to JCEKS
      7. Restart AM
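
      To confirm that the file named in "Keystore File" really is of the type set in "Keystore Type", and to see which aliases it holds, the keystore header can be read directly. The following is an added example, not ForgeRock code or part of the original issue; the alias and key bytes in the sample are constructed. Secret-key entries in a JCEKS file are serialized Java objects that this sketch does not skip, so listing stops there and `complete` is returned as False.

```python
import struct

# Magic numbers at the start of each Java keystore format.
MAGIC = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}

def _utf(buf, pos):
    """Read a DataOutputStream.writeUTF string: 2-byte length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def _blob(buf, pos):
    """Skip a 4-byte length-prefixed byte array; return the new offset."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return pos + 4 + n

def _cert(buf, pos, version):
    if version == 2:               # version 2 stores the cert type, e.g. "X.509"
        _, pos = _utf(buf, pos)
    return _blob(buf, pos)

def inspect_keystore(buf):
    """Return (store_type, aliases, complete) for raw keystore bytes."""
    magic, version, count = struct.unpack_from(">III", buf, 0)
    if magic not in MAGIC:
        raise ValueError("not a JKS or JCEKS keystore")
    pos, aliases = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", buf, pos)
        alias, pos = _utf(buf, pos + 4)
        aliases.append(alias)
        pos += 8                   # creation timestamp (milliseconds)
        if tag == 1:               # private key followed by certificate chain
            pos = _blob(buf, pos)
            (chain,) = struct.unpack_from(">I", buf, pos)
            pos += 4
            for _ in range(chain):
                pos = _cert(buf, pos, version)
        elif tag == 2:             # trusted certificate
            pos = _cert(buf, pos, version)
        else:                      # JCEKS secret key: serialized object, stop here
            return MAGIC[magic], aliases, False
    return MAGIC[magic], aliases, True

def sample_jks():
    """Constructed sample: JKS with one private-key entry and dummy bytes."""
    a = b"example-alias"           # constructed alias, not an AM default
    cert = struct.pack(">H", 5) + b"X.509" + struct.pack(">I", 3) + b"\x00\x01\x02"
    entry = (struct.pack(">IH", 1, len(a)) + a + struct.pack(">Q", 0)
             + struct.pack(">I", 4) + b"\xde\xad\xbe\xef" + struct.pack(">I", 1) + cert)
    return struct.pack(">III", 0xFEEDFEED, 2, 1) + entry + bytes(20)
```

      On a real deployment, pass the bytes of the configured keystore file to `inspect_keystore` and compare the returned type with the "Keystore Type" setting.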



              • Assignee:
                Craig McDonnell (craig.mcdonnell)
              • Votes:
                0
              • Watchers:
                4


                • Created: