Secrets Reference

ForgeOps authentication relies on AM and IDM signing and encryption methods to protect network communication and to keep data confidential and unalterable. In turn, signing and encryption depend on keys or secrets generated using cryptographic algorithms.

This section describes various secrets and keys used in ForgeOps. Secrets, passwords, and keys used in ForgeOps are configured as environment variables or as files mounted on the Kubernetes pods.

AM configuration passwords

Kubernetes secret name: `am-env-secret`

Passwords stored as environment variables in am pod

Pod: am
Container: openam

Type: Environment variable

Description or role Location on container

Description or role	Location on container
AM_AUTHENTICATION_SHARED_SECRET
Core authentication secret for the root realm.	`cdk/config/services/realm/root/iplanetamauthservice/1.0/organizationconfig/defaultconfig.json` Value: `security.sharedSecret`
AM_ENCRYPTION_KEY
Key used for encrypting information stored in the secure state of authentication trees in AM.	`cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/http___am_80_am.json` `cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json`
AM_OIDC_CLIENT_SUBJECT_IDENTIFIER_HASH_SALT
Configuration parameter used to specify the Subject Identifier Hash Salt in the OAuth 2.0 and OIDC flows.	`base/config/services/realm/root/oauth2provider/1.0/organizationconfig/defaultconfig.json`
AM_PASSWORDS_AMADMIN_CLEAR
Password for the amadmin user. Updated to AM_PASSWORDS_AMADMIN_HASHED in `docker-entrypoint.sh`.	`base/config/services/realm/root/sunidentityrepositoryservice/1.0/globalconfig/default/users/amadmin.json`
AM_SELFSERVICE_LEGACY_CONFIRMATION_EMAIL_LINK_SIGNING_KEY
A 256-bit key (base64-encoded) used for HMAC signing of the legacy self-service confirmation email links.	`base/config/services/realm/root/restsecurity/1.0/organizationconfig/defaultconfig.json`
AM_SESSION_STATELESS_ENCRYPTION_KEY
Encryption key for encrypting stateless session tokens.	`base/config/services/realm/root/iplanetamsessionservice/1.0/globalconfig/default.json`
AM_SESSION_STATELESS_SIGNING_KEY
Signing key for validating the security of stateless session tokens.	`base/config/services/realm/root/iplanetamsessionservice/1.0/globalconfig/default.json`

AM_AUTHENTICATION_SHARED_SECRET

Core authentication secret for the root realm.

cdk/config/services/realm/root/iplanetamauthservice/1.0/organizationconfig/defaultconfig.json
Value: security.sharedSecret

AM_ENCRYPTION_KEY

Key used for encrypting information stored in the secure state of authentication trees in AM.

cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/http___am_80_am.json
cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json

AM_OIDC_CLIENT_SUBJECT_IDENTIFIER_HASH_SALT

Configuration parameter used to specify the Subject Identifier Hash Salt in the OAuth 2.0 and OIDC flows.

base/config/services/realm/root/oauth2provider/1.0/organizationconfig/defaultconfig.json

AM_PASSWORDS_AMADMIN_CLEAR

Password for the amadmin user. Updated to AM_PASSWORDS_AMADMIN_HASHED in docker-entrypoint.sh.

base/config/services/realm/root/sunidentityrepositoryservice/1.0/globalconfig/default/users/amadmin.json

AM_SELFSERVICE_LEGACY_CONFIRMATION_EMAIL_LINK_SIGNING_KEY

A 256-bit key (base64-encoded) used for HMAC signing of the legacy self-service confirmation email links.

base/config/services/realm/root/restsecurity/1.0/organizationconfig/defaultconfig.json

AM_SESSION_STATELESS_ENCRYPTION_KEY

Encryption key for encrypting stateless session tokens.

base/config/services/realm/root/iplanetamsessionservice/1.0/globalconfig/default.json

AM_SESSION_STATELESS_SIGNING_KEY

Signing key for validating the security of stateless session tokens.

base/config/services/realm/root/iplanetamsessionservice/1.0/globalconfig/default.json

Amster secrets, keys, and passwords

Kubernetes secret name: `amster`

Mounted files on amster pod

Description: The key-pair for SSH connectivity to PingAM
Pod: amster
Container: amster or pause
Mount path: /var/run/secrets/amster

Description or role Location on container

id_rsa

Private key for SSH connection to PingAM.

/var/run/secrets/amster/id_rsa

Mounted files on am pod

Description or role	Location on container
`id_rsa`
Private key for SSH connection to PingAM.	`/var/run/secrets/amster/id_rsa`

Pod: am
Container: openam
Mount path: /var/run/secrets/amster

Description or role Location on container

id_rsa.pub

Public key for SSH connections from Amster.

/var/run/secrets/amster/authorized_keys

Description or role	Location on container
`id_rsa.pub`
Public key for SSH connections from Amster.	`/var/run/secrets/amster/authorized_keys`

Kubernetes secret name: `amster-env-secrets`

Environment variables in amster pod

Description: The key pairs for SSH connectivity to PingAM
Pod: amster
Container: amster

Type: Environment variable

Description or role Location on container

Description or role	Location on container
IDM_PROVISIONING_CLIENT_SECRET
AM nodes in authentication journeys use this confidential client to authenticate through AM and provision identities through IDM.	Used for provisioning Oauth2Client in IDM.
IDM_RS_CLIENT_SECRET
IDM uses this confidential client to introspect access tokens through the `am/oauth2/introspect` endpoint to get information about users.	Used in the Oauth2Client of the IDM resource server.

IDM_PROVISIONING_CLIENT_SECRET

AM nodes in authentication journeys use this confidential client to authenticate through AM and provision identities through IDM.

Used for provisioning Oauth2Client in IDM.

IDM_RS_CLIENT_SECRET

IDM uses this confidential client to introspect access tokens through the am/oauth2/introspect endpoint to get information about users.

Used in the Oauth2Client of the IDM resource server.

Environment variables in idm pod

Pod: idm
Container: openidm

Type: Environment variable

Description or role Location on container

Description or role	Location on container
IDM_RS_CLIENT_SECRET
IDM uses this confidential client to introspect access tokens through the `am/oauth2/introspect` endpoint to get information about users.	Set in `boot.properties: “rs.client.secret”` to communicate with the Oauth2Client of the IDM resource server.

IDM_RS_CLIENT_SECRET

IDM uses this confidential client to introspect access tokens through the am/oauth2/introspect endpoint to get information about users.

Set in boot.properties: “rs.client.secret” to communicate with the Oauth2Client of the IDM resource server.

DS secrets, keys, and passwords

Kubernetes secret name: `ds-env-secrets`

Service account passwords for AM connecting to DS backends. ldif-importer is used to update the passwords on the DS backends.

Environment variables in am pod

Pod: am
Container: openam

Type: Environment variables

Description or role Location on container

Description or role	Location on container
AM_STORES_USER_PASSWORD
Password for AM to access the identities backend on `ds-idrepo`.	`cdk/config/services/realm/root/sunidentityrepositoryservice/1.0/organizationconfig/default/opendj.json` `base/config/services/realm/root/amdatastoreservice/1.0/globalconfig/default/datastorecontainer/application-store.json` `base/config/services/realm/root/iplanetamauthldapservice/1.0/organizationconfig/default.json` `base/config/services/realm/root/iplanetamauthldapservice/1.0/organizationconfig/defaultconfig.json` `base/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json` `base/config/services/realm/root-sunamhiddenrealmdelegationservicepermissions/iplanetamauthldapservice/1.0/organizationconfig/default.json` Variables are set in the `docker-entrypoint.sh`
AM_STORES_APPLICATION_PASSWORD
Password for AM to access the config backend on `ds-idrepo`.	`cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json` `base/config/services/realm/root/amdatastoreservice/1.0/globalconfig/default/datastorecontainer/application-store.json` `base/config/services/realm/root/amdatastoreservice/1.0/globalconfig/default/datastorecontainer/policy-store.json` `base/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json` `base/config/services/realm/root/iplanetampolicyconfigservice/1.0/organizationconfig/defaultconfig.json` `base/config/services/realm/root-sunamhiddenrealmdelegationservicepermissions/iplanetampolicyconfigservice/1.0/organizationconfig/default.json`
AM_STORES_CTS_PASSWORD
Password for AM to access the tokens backend on `ds-cts`.	`cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json` `base/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json`

AM_STORES_USER_PASSWORD

Password for AM to access the identities backend on ds-idrepo.

cdk/config/services/realm/root/sunidentityrepositoryservice/1.0/organizationconfig/default/opendj.json
base/config/services/realm/root/amdatastoreservice/1.0/globalconfig/default/datastorecontainer/application-store.json
base/config/services/realm/root/iplanetamauthldapservice/1.0/organizationconfig/default.json
base/config/services/realm/root/iplanetamauthldapservice/1.0/organizationconfig/defaultconfig.json
base/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json
base/config/services/realm/root-sunamhiddenrealmdelegationservicepermissions/iplanetamauthldapservice/1.0/organizationconfig/default.json
- Variables are set in the docker-entrypoint.sh

AM_STORES_APPLICATION_PASSWORD

Password for AM to access the config backend on ds-idrepo.

cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json
base/config/services/realm/root/amdatastoreservice/1.0/globalconfig/default/datastorecontainer/application-store.json
base/config/services/realm/root/amdatastoreservice/1.0/globalconfig/default/datastorecontainer/policy-store.json
base/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json
base/config/services/realm/root/iplanetampolicyconfigservice/1.0/organizationconfig/defaultconfig.json
base/config/services/realm/root-sunamhiddenrealmdelegationservicepermissions/iplanetampolicyconfigservice/1.0/organizationconfig/default.json

AM_STORES_CTS_PASSWORD

Password for AM to access the tokens backend on ds-cts.

cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json
base/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json

Environment variables in ldif-importer pod

Pod: ldif-importer
Container: openidm

Type: Environment variables

Description or role Location on container

Description or role	Location on container
AM_STORES_USER_PASSWORD
Password for AM to access the identity backend on the `ds-idrepo`.
AM_STORES_APPLICATION_PASSWORD
Password for AM to access the configuration backend on `ds-idrepo`.
AM_STORES_CTS_PASSWORD
Password for AM to access the tokens backend on `ds-cts`.

AM_STORES_USER_PASSWORD

Password for AM to access the identity backend on the ds-idrepo.

AM_STORES_APPLICATION_PASSWORD

Password for AM to access the configuration backend on ds-idrepo.

AM_STORES_CTS_PASSWORD

Password for AM to access the tokens backend on ds-cts.

Kubernetes secret name: `ds-password`

Passwords mounted in ds-idrepo or ds-cts pods

DS management passwords for administration and monitoring.

Pod: ds-idrepo or ds-cts
Container: ds

Mount path: /var/run/secrets/admin

Description or role Location on container

Description or role	Location on container
dirmanager.pw
Root password for the `uid=admin` user.	Set in `/opt/opendj/data/db/rootUser/rootUser.ldif` as `uid-admin`.
monitor.pw
Password for the monitor backend. The monitor backend allows clients to access information provided by the DS server monitor providers.	Set in `/opt/opendj/data/db/monitorUser/monitorUser.ldif` as `uid=monitor`.

dirmanager.pw

Root password for the uid=admin user.

Set in /opt/opendj/data/db/rootUser/rootUser.ldif as uid-admin.

monitor.pw

Password for the monitor backend. The monitor backend allows clients to access information provided by the DS server monitor providers.

Set in /opt/opendj/data/db/monitorUser/monitorUser.ldif as uid=monitor.

Passwords mounted in idm pods

Pod: idm
Container: idm
Type: Environment variables - OPENIDM_REPO_PASSWORD and USERSTORE_PASSWORD

Description or role Location on container

dirmanager.pw

Root password for communicating with DS. Configured in docker/idm/resolver/boot.properties.

Description or role	Location on container
`dirmanager.pw`
Root password for communicating with DS. Configured in `docker/idm/resolver/boot.properties`.

Kubernetes secret name: `ds-master-keypair`

Master SSL key pair for encrypting DS data

Pod: ds-idrepo or ds-cts
Container: init and ds

Mount path: /var/run/secrets/ds-master-keypair

Description or role Location on container

Description or role	Location on container
`ca.crt`, `tls.crt`, or `tls.key`
SSL key pair with ca self-signed cert used to encrypt DS data for backups.	`/var/run/secrets/keys/ds/master-key`. Used by `PEM Key Manager` provider configured in `ds-setup.sh`.

ca.crt, tls.crt, or tls.key

SSL key pair with ca self-signed cert used to encrypt DS data for backups.

/var/run/secrets/keys/ds/master-key. Used by PEM Key Manager provider configured in ds-setup.sh.

Kubernetes secret name: `ds-ssl-keypair`

The SSL key pair used for encrypting replication traffic. It also used by AM and IDM as a trust store for LDAPS connections to DS.

Pod: ds-idrepo or ds-cts
Container: init and ds

Mount path: /var/run/secrets/keys/ds/ds-ssl-keypair

Description or role Location on container

Description or role	Location on container
ca.crt/tls.crt/tls.key
SSL key pair with a self-signed certificate of the certificate authority. Used for encrypting data replicated between servers.	`/var/run/secrets/keys/ds/ds-ssl-keypair`. Used by the `PEM Key Manager` provider configured in `ds-setup.sh`.

ca.crt/tls.crt/tls.key

SSL key pair with a self-signed certificate of the certificate authority. Used for encrypting data replicated between servers.

/var/run/secrets/keys/ds/ds-ssl-keypair. Used by the PEM Key Manager provider configured in ds-setup.sh.

Pod: idm
Container: truststore-init

Mount path: /var/run/secrets/truststore/ca.crt

Description or role Location on container

Description or role	Location on container
ca.crt
SSL key pair with a certificate authority signed certificate. Used for encrypting data replicated between servers.	`IDM_PEM_TRUSTSTORE_DS=/var/run/secrets/truststore/cacerts`, copied to `/opt/openidm/idmtruststore`.

ca.crt

SSL key pair with a certificate authority signed certificate. Used for encrypting data replicated between servers.

IDM_PEM_TRUSTSTORE_DS=/var/run/secrets/truststore/cacerts, copied to /opt/openidm/idmtruststore.

Pod: am
Container: truststore-init

Mount path: /var/run/secrets/truststore/ca.crt

Description or role Location on container

Description or role	Location on container
ca.crt
SSL key pair with the self-signed certificate of the certificate authority. Used for encrypting data replicated between servers.	`IDM_PEM_TRUSTSTORE_DS=/var/run/secrets/truststore/ca.crt`, copied to `/opt/openidm/idmtruststore`.

ca.crt

SSL key pair with the self-signed certificate of the certificate authority. Used for encrypting data replicated between servers.

IDM_PEM_TRUSTSTORE_DS=/var/run/secrets/truststore/ca.crt, copied to /opt/openidm/idmtruststore.

IDM admin passwords

Kubernetes secret name: `idm-env-secrets`

IDM admininstration and key store passwords

Pod: idm
Container: openidm

Type: ENV VARS

Description or role Location on container

Description or role	Location on container
OPENIDM_ADMIN_PASSWORD
IDM admin password.	Configured in `repo.init.json`
OPENIDM_KEYSTORE_PASSWORD
IDM key store password.	Configured in `docker/idm/resolver/boot.properties`

OPENIDM_ADMIN_PASSWORD

IDM admin password.

Configured in repo.init.json

OPENIDM_KEYSTORE_PASSWORD

IDM key store password.

Configured in docker/idm/resolver/boot.properties

ForgeOps

Secrets Reference

AM configuration passwords

Kubernetes secret name: am-env-secret

Amster secrets, keys, and passwords

Kubernetes secret name: amster

Kubernetes secret name: amster-env-secrets

DS secrets, keys, and passwords

Kubernetes secret name: ds-env-secrets

Kubernetes secret name: ds-password

Kubernetes secret name: ds-master-keypair

Kubernetes secret name: ds-ssl-keypair

IDM admin passwords

Kubernetes secret name: idm-env-secrets

Kubernetes secret name: `am-env-secret`

Kubernetes secret name: `amster`

Kubernetes secret name: `amster-env-secrets`

Kubernetes secret name: `ds-env-secrets`

Kubernetes secret name: `ds-password`

Kubernetes secret name: `ds-master-keypair`

Kubernetes secret name: `ds-ssl-keypair`

Kubernetes secret name: `idm-env-secrets`