Keys in OpenAM

The OpenAM system uses a two of different kinds of keys to encrypt data and to authorize transactions by clients with the server.

Each OpenAM server has a pair of these that are generated on initial configuration of a server. Following is guidance on how to find them.


The keys are the Authentication Shared Service Key and the Password Encryption Key.

These are displayed in the gui console under Configuration… Servers and Sites… [Server Name]… Security.

They can also be found by doing an LDAP search as Directory Manager on the configuration directory.

The entry containing this information is:

“dn: ou=[OpenAM server URL], ou=com-sun-identity-servers, ou=default, ou=GlobalConfig, ou=1.0, ou=iPlanetAMPlatformService, ou=services,dc=opensso, dc=java, dc=net”

Because the naming attribute value for this entry, “ou”, has an abbreviated value, “ou=[OpenAM server URL]”, it is probably easier to search using that. For example:

ldapsearch -h ldap.example.com -p 1389 -D "cn=directory manager" 
-w xxxxxx -b "dc=opensso,dc=java,dc=net" -s sub 
"(ou=http://testam.example.com:8181/openam)"

Here are the relevant parts of the entry returned in LDIF format:

dn: ou=http://testam.example.com:8181/openam,ou=com-sun-identity-servers,o
 u=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc
 =opensso,dc=java,dc=net
objectClass: sunServiceComponent
objectClass: top
ou: http://testam.example.com:8181/openam

* * *

sunKeyValue: serverconfig=com.iplanet.am.service.secret=AHICR40jCtUFuULt4TYK
 0SYei+NIFR/rv7Uh

* * *

sunKeyValue: serverconfig=am.encryption.pwd=GqA73HIVMvF7wM7PBcq78lazDEX+B4GMbE

The first value above is the Authentication Shared Service Key, the second is the Password Encryption Key.

Note that the “server name” in these examples is the server host name, not the site. In the above the site might be addressed like “https://newsite.example.com/openam” through an Apache HTTPS proxy.