Child pages
  • Configuring IG for AM Tokens (and KeyStores)

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Code Block
titleSample heap config
    "heap": [
            "config": {
                "type": "PKCS12",
                "password": "keystore",
                "url": "file:///Users/wayne.morrison/dev/pyforge/results/20180723-114228/Filters/openig/ig_instance_dir/config/IG_keystore.p12"
            "name": "IgP12KeyStore",
            "type": "KeyStore"

Specific key comfiguration configuration would be added in the Filter or other component configuration. For example, for StatelessAccessTokenResolver:


  1. Key configured in AM not found:
    1. Confirm the correct configured keystore is the same as the one where the keys were added.
    2. Restart AM after keys are added.
  2. Issue creating a specific key type in a keystore:
    1. The keystore type does not support the type of key being created:
      1. For instance JKS does not support SecretKey
  3. Issue importing a specific key type into a new keystore:
    1. The new keystore type does not support the type of key being imported:
      1. For instance JKS does not support SecretKey
  4. keytool operation fails with error indicating incorrect format or that tampering has occurred:
    1. Invalid keystore format
    2. Use the -storetype setting to ensure you're performing the operation on an expected keystore type.
  5. Issue importing keys from one keystore to another:
    1. Ensure the -srcstoretype and -deststoretypedeststoretype settings are correct for the source and target keystores.
    2. Ensure that the destination keystore can accommodate the algorithm used in the source key.
      1. If it cannot then... ????‍??
      2. This is the issue that occurred while trying to import the AM test key "directenctest". It wasn't clear what algorithm was used.
  6. AM fails to encrypt a key, complaining of a "Invalid offset/length combination":
    1. The key specified has a keysize that cannot be used in combination with the key type. Try a larger key size
    2. I found that an AES key of 256b was fine.
  7. AM issue when creating an access token - complains of no signature even though encryption is being used:
    1. This actually relates to the id-token configuration
      1. Ensure that if ID Token Signing Algorithm is not being used then it is set to "none" (not left empty).