As requested in Ticket #37004:
In the 6.2. Configuring Keystores section:
The keystore used for the AM's startup process must contain the configstorepwd and the dsameuserpwd password strings. Failure to do so will render AM unbootable. For more information about configuring keystores for AM's startup process, see "Starting Servers" in the Installation Guide.
In the section above, we would recommend mentioning that you need to import the dsameuserpwd entry in particular from the default keystore to the newly generated keystore, because it is not directly mentioned that you need to IMPORT this entry from the default keystore.jceks.
The documentation does not mention any way to create a dsameuserpwd entry.
We know that the configstorepwd can be created, but it is fortunately also possible to import this entry.
Also, regarding the following description in point 8:
- 8. Note that a configuration of %BASE_DIR%/%SERVER_URI%/keystore.jceks in the AM console corresponds to the path /path/to/openam/openam/keystore.jceks in the boot.json file.
We would recommend making it clear that the new keystore first has to be configured in the AM configuration UI under _Configure > Server Defaults > Security > Key Store_
AND also in the /path/to/openam/boot.json file.
After these 2 changes you can restart the service so that the new keystore is used.
Both of these recommendations are, in our view, standard steps for setting up AM for every ForgeRock customer, because ForgeRock recommends creating a new keystore in production environments and there is no sufficient explanation of how to get a new keystore working.
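
A pre-restart check for the two entries named in the quoted documentation text, as an added example that is not part of the ticket or of the ForgeRock documentation. It assumes the default `keytool -list` listing format (one `<alias>, <date>, <entry type>,` line per entry); the function name, the sample listing and the keystore path in the comment are constructed placeholders.

```shell
#!/bin/sh
# Aliases the quoted documentation says the startup keystore must contain.
REQUIRED_ALIASES="configstorepwd dsameuserpwd"

# missing_boot_aliases (hypothetical helper): reads `keytool -list` output on
# stdin, prints the required aliases that are absent, returns 0 if none are.
missing_boot_aliases() {
    # The alias is the text before the first comma on each entry line.
    present=$(sed -n 's/^\([^,]*\), .*Entry,.*$/\1/p')
    missing=""
    for a in $REQUIRED_ALIASES; do
        printf '%s\n' "$present" | grep -qxF "$a" || missing="$missing $a"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: listing of a freshly generated keystore into which only
# configstorepwd was placed, so the dsameuserpwd import is still outstanding.
SAMPLE_NEW_KEYSTORE='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

configstorepwd, Mar 5, 2019, SecretKeyEntry,
test, Mar 5, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33'

# Real use (placeholder path; keytool prompts for the store password):
#   keytool -list -keystore /path/to/new-keystore.jceks -storetype JCEKS \
#       | missing_boot_aliases
printf '%s\n' "$SAMPLE_NEW_KEYSTORE" | missing_boot_aliases \
    || echo "entries missing: do not restart AM with this keystore yet"
```
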