[OPENAM-14371] Document suggestions for AM 6.5 Configuring Keystores Created: 05/Feb/19  Updated: 14/Feb/20  Resolved: 26/Feb/19

Status: Resolved
Project: OpenAM
Component/s: documentation
Affects Version/s: 6.5.0, 7.0.0
Fix Version/s:, 6.5.1, 7.0.0

Type: Improvement Priority: Major
Reporter: Mark Nienaber Assignee: Cristina Herraz
Resolution: Fixed Votes: 0
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is related to OPENAM-15937 Boot.json is modified when the defaul... Resolved
Rank: 1|hzxjw7:
Sprint: 2019.2 - AM Docs - Hmm, 2019.2 - AM Docs - Harry
Story Points: 2
Support Ticket IDs:


As requested in Ticket #37004 :



In the 6.2. Configuring Keystores section:


The keystore used for the AM's startup process must contain the configstorepwd and the dsameuserpwd password strings. Failure to do so will render AM unbootable. For more information about configuring keystores for AM's startup process, see "Starting Servers" in the Installation Guide.


In this section above we would recommend to mention that you need to import especially the dsameuserpwd from the default keystore to the new generated keystore, because it is not directly mentioned that you need to IMPORT this entry from the default keystore.jceks.

In the documentation there is no possibility mentioned to create an dsameuserpwd.

We know that the configstorepwd can be created, but it is fortunately also possible to import this entry.


Also for the following description on point 8.:


  • 8. Note that a configuration of %BASE_DIR%/%SERVER_URI%/keystore.jceks in the AM console corresponds to the path /path/to/openam/openam/keystore.jceks in the boot.json file.


We would recommend to make it clear that the new keystore has to be at first configured in the AM configuration UI on_Configure > Server Defaults > Security > Key Store_

AND also in the /path/to/openam/boot.json file

then after these 2 changes you can reboot the service so the new keystore is used.


These both recommendations we give you are in our view standard steps for setting up the AM for every customer of ForgeRock because it's recommended from ForgeRock to create a new keystore in production environments and there is no sufficient enough explanation on getting a new keystore working.

Comment by Cristina Herraz [ 05/Feb/19 ]

Hi Mark

ForgeRock's recommendation about creating a new keystore in production environments is to replace the one configured in Configure > Server Defaults > Security > Key Store, to avoid customers using the default keys for the features.

The boot keystore does not need to be the keystore that is configured to Configure > Server Defaults > Security > Key Store, and this is pointed out several times in the chapter about keystores. By default it is, but it does not need to be. This is so you can actually create a new keystore for your keys and yet leave the default keystore with the dsameuserpwd in place.

There is no comment on how to create dsameuserpwd again because you cannot recreate it. I guess you can export it and import it somewhere else, though, but you could perfectly use the keystore.jceks file to keep the 2 bootstrap passwords and then create a new keystore for all other keys. If you really want, you could also delete all other keys from the keystore.jceks file and rename it.

Although this is explained in the Keystore chapter, it seems it is not clear enough. We will not apply the changes requested by this Jira `as they are`, but we will think about how to make the information clearer.

Comment by Cristina Herraz [ 26/Feb/19 ]

Changed the format of the chapter and added more information about the bootstrap keystore.

Generated at Sat Feb 27 04:19:45 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.