---
title: Secrets Reference
description: To protect network communication and keep data confidential and unalterable, ForgeOps authentication relies on:
component: forgeops
version: 2026.1
page_id: forgeops:reference:secrets-reference
canonical_url: https://docs.pingidentity.com/forgeops/2026.1/reference/secrets-reference.html
section_ids:
  am_configuration_passwords: AM configuration passwords
  kubernetes_secret_name_am_env_secret: "Kubernetes secret name: am-env-secret"
  am_secrets: AM secrets
  kubernetes_secret_name_am_keystore: "Kubernetes secret name: am-keystore"
  amster_secrets_keys_and_passwords: Amster secrets, keys, and passwords
  kubernetes_secret_name_amster: "Kubernetes secret name: amster"
  kubernetes_secret_name_amster_env_secrets: "Kubernetes secret name: amster-env-secrets"
  ds_secrets_keys_and_passwords: DS secrets, keys, and passwords
  kubernetes_secret_name_ds_env_secrets: "Kubernetes secret name: ds-env-secrets"
  kubernetes_secret_name_ds_passwords: "Kubernetes secret name: ds-passwords"
  kubernetes_secret_name_ds_master_keypair: "Kubernetes secret name: ds-master-keypair"
  kubernetes_secret_name_ds_ssl_keypair: "Kubernetes secret name: ds-ssl-keypair"
  idm_admin_passwords: IDM admin passwords
  kubernetes_secret_name_idm_env_secrets: "Kubernetes secret name: idm-env-secrets"
---

# Secrets Reference

To protect network communication and keep data confidential and unalterable, ForgeOps authentication relies on:

* AM and IDM signing

* Encryption methods

AM and IDM signing and encryption depend on keys or secrets generated using cryptographic algorithms.

This section describes various secrets and keys used in ForgeOps. Secrets, passwords, and keys used in ForgeOps are configured as environment variables or as files mounted on the Kubernetes pods.

## AM configuration passwords

### Kubernetes secret name: `am-env-secret`

* Passwords stored as environment variables in the `am` pod

  * Pod: `am`

  * Container: `openam`

  * Type: Environment variable

    | Name | Description or role | Location on container |
    | ---- | ------------------- | --------------------- |
    | **AM\_AUTHENTICATION\_SHARED\_SECRET** | Core authentication secret for the root realm. | `cdk/config/services/realm/root/iplanetamauthservice/1.0/organizationconfig/defaultconfig.json` (value: `security.sharedSecret`) |
    | **AM\_ENCRYPTION\_KEY** | Key used for encrypting information stored in the secure state of authentication trees in AM. | `cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/http___am_80_am.json`<br>`cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json` |
    | **AM\_OIDC\_CLIENT\_SUBJECT\_IDENTIFIER\_HASH\_SALT** | Configuration parameter used to specify the Subject Identifier Hash Salt in the OAuth 2.0 and OIDC flows. | `base/config/services/realm/root/oauth2provider/1.0/organizationconfig/defaultconfig.json` |
    | **AM\_PASSWORDS\_AMADMIN\_CLEAR** | Password for the `amadmin` user. Updated to `AM_PASSWORDS_AMADMIN_HASHED` in `docker-entrypoint.sh`. | `base/config/services/realm/root/sunidentityrepositoryservice/1.0/globalconfig/default/users/amadmin.json` |
    | **AM\_SELFSERVICE\_LEGACY\_CONFIRMATION\_EMAIL\_LINK\_SIGNING\_KEY** | A 256-bit key (base64-encoded) used for HMAC signing of the legacy self-service confirmation email links. | `base/config/services/realm/root/restsecurity/1.0/organizationconfig/defaultconfig.json` |
    | **AM\_SESSION\_STATELESS\_ENCRYPTION\_KEY** | Encryption key for encrypting stateless session tokens. | `base/config/services/realm/root/iplanetamsessionservice/1.0/globalconfig/default.json` |
    | **AM\_SESSION\_STATELESS\_SIGNING\_KEY** | Signing key for validating the integrity of stateless session tokens. | `base/config/services/realm/root/iplanetamsessionservice/1.0/globalconfig/default.json` |

## AM secrets

### Kubernetes secret name: `am-keystore`

* Keystore mounted in the `am` pod

  * Description: The default AM keystore with test aliases

  * Container: `openam`

  * Mount path: `/var/run/secrets`

  Note: For use with the secret agent only. Not applicable for the secret generator.

  | Name | Description or role | Location on container |
  | ---- | ------------------- | --------------------- |
  | **`.keystore.jceks`** | Default AM keystore with test aliases. | Copied in `docker-entrypoint.sh` to `/home/forgerock/security/keystores`. |
  | **`.keystore`** | Default password for all the key aliases in the default AM keystore. | Copied in `docker-entrypoint.sh` to `/home/forgerock/security/keystore`. |
  | **`.storepass`** | Default AM keystore password. | Copied in `docker-entrypoint.sh` to `/home/forgerock/security/keystore`. |

## Amster secrets, keys, and passwords

### Kubernetes secret name: `amster`

* Files mounted in the `amster` pod

  * Description: The key pair for SSH connectivity to PingAM

  * Pod: `amster`

  * Container: `amster` or `pause`

  * Mount path: `/var/run/secrets/amster`

    | Name | Description or role | Location on container |
    | ---- | ------------------- | --------------------- |
    | **`id_rsa`** | Private key for the SSH connection to PingAM. | `/var/run/secrets/amster/id_rsa` |

* Files mounted in the `am` pod

  * Pod: `am`

  * Container: `openam`

  * Mount path: `/var/run/secrets/amster`

    | Name | Description or role | Location on container |
    | ---- | ------------------- | --------------------- |
    | **`id_rsa.pub`** | Public key for SSH connections from Amster. | `/var/run/secrets/amster/authorized_keys` |

### Kubernetes secret name: `amster-env-secrets`

* Environment variables in the `amster` pod

  * Description: The key pairs for SSH connectivity to PingAM

  * Pod: `amster`

  * Container: `amster`

  * Type: Environment variable

    | Name | Description or role | Location on container |
    | ---- | ------------------- | --------------------- |
    | **IDM\_PROVISIONING\_CLIENT\_SECRET** | AM nodes in authentication journeys use this confidential client to authenticate through AM and provision identities through IDM. | Used for provisioning the Oauth2Client in IDM. |
    | **IDM\_RS\_CLIENT\_SECRET** | IDM uses this confidential client to introspect access tokens through the `am/oauth2/introspect` endpoint to get information about users. | Used in the Oauth2Client of the IDM resource server. |

* Environment variables in the `idm` pod

  * Pod: `idm`

  * Container: `openidm`

  * Type: Environment variable

    | Name | Description or role | Location on container |
    | ---- | ------------------- | --------------------- |
    | **IDM\_RS\_CLIENT\_SECRET** | IDM uses this confidential client to introspect access tokens through the `am/oauth2/introspect` endpoint to get information about users. | Set in `boot.properties` as `"rs.client.secret"` to communicate with the Oauth2Client of the IDM resource server. |

## DS secrets, keys, and passwords

### Kubernetes secret name: `ds-env-secrets`

Service account passwords for AM connecting to DS backends. `ds-set-passwords` is used to update the passwords on the DS backends.

* Environment variables in the `am` pod

  * Pod: `am`

  * Container: `openam`

  * Type: Environment variables

    | Name | Description or role | Location on container |
    | ---- | ------------------- | --------------------- |
    | **AM\_STORES\_USER\_PASSWORD** | Password for AM to access the identities backend on `ds-idrepo`. | 1. `cdk/config/services/realm/root/sunidentityrepositoryservice/1.0/organizationconfig/default/opendj.json`<br>2. `base/config/services/realm/root/amdatastoreservice/1.0/globalconfig/default/datastorecontainer/application-store.json`<br>3. `base/config/services/realm/root/iplanetamauthldapservice/1.0/organizationconfig/default.json`<br>4. `base/config/services/realm/root/iplanetamauthldapservice/1.0/organizationconfig/defaultconfig.json`<br>5. `base/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json`<br>6. `base/config/services/realm/root-sunamhiddenrealmdelegationservicepermissions/iplanetamauthldapservice/1.0/organizationconfig/default.json`<br>**Variables are set in `docker-entrypoint.sh`.** |
    | **AM\_STORES\_APPLICATION\_PASSWORD** | Password for AM to access the config backend on `ds-idrepo`. | 1. `cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json`<br>2. `base/config/services/realm/root/amdatastoreservice/1.0/globalconfig/default/datastorecontainer/application-store.json`<br>3. `base/config/services/realm/root/amdatastoreservice/1.0/globalconfig/default/datastorecontainer/policy-store.json`<br>4. `base/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json`<br>5. `base/config/services/realm/root/iplanetampolicyconfigservice/1.0/organizationconfig/defaultconfig.json`<br>6. `base/config/services/realm/root-sunamhiddenrealmdelegationservicepermissions/iplanetampolicyconfigservice/1.0/organizationconfig/default.json` |
    | **AM\_STORES\_CTS\_PASSWORD** | Password for AM to access the tokens backend on `ds-cts`. | 1. `cdk/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json`<br>2. `base/config/services/realm/root/iplanetamplatformservice/1.0/globalconfig/default/com-sun-identity-servers/server-default.json` |

* Environment variables in the `ds-set-passwords` pod

  * Pod: `ds-set-passwords`

  * Container: `openidm`

  * Type: Environment variables

    | Name                                  | Description                                                         |
    | ------------------------------------- | ------------------------------------------------------------------- |
    | **AM\_STORES\_USER\_PASSWORD**        | Password for AM to access the identity backend on the `ds-idrepo`.  |
    | **AM\_STORES\_APPLICATION\_PASSWORD** | Password for AM to access the configuration backend on `ds-idrepo`. |
    | **AM\_STORES\_CTS\_PASSWORD**         | Password for AM to access the tokens backend on `ds-cts`.           |

### Kubernetes secret name: `ds-passwords`

* Passwords mounted in the `ds-idrepo` or `ds-cts` pods

  DS management passwords for administration and monitoring.

  * Pod: `ds-idrepo` or `ds-cts`

  * Container: `ds`

  * Mount path: `/var/run/secrets/admin`

    | Name | Description or role | Location on container |
    | ---- | ------------------- | --------------------- |
    | **`dirmanager.pw`** | Root password for the `uid=admin` user. | Set in `/opt/opendj/data/db/rootUser/rootUser.ldif` as `uid=admin`. |
    | **`monitor.pw`** | Password for the monitor backend. The monitor backend allows clients to access information provided by the DS server monitor providers. | Set in `/opt/opendj/data/db/monitorUser/monitorUser.ldif` as `uid=monitor`. |

* Passwords mounted in the `idm` pod

  * Pod: `idm`

  * Container: `idm`

  * Type: Environment variables `OPENIDM_REPO_PASSWORD` and `USERSTORE_PASSWORD`

    | Name | Description or role | Location on container |
    | ---- | ------------------- | --------------------- |
    | **`dirmanager.pw`** | Root password for communicating with DS. | Configured in `docker/idm/resolver/boot.properties`. |

### Kubernetes secret name: `ds-master-keypair`

Master SSL key pair for encrypting DS data.

* Pod: `ds-idrepo` or `ds-cts`

* Container: `init` and `ds`

* Mount path: `/var/run/secrets/ds-master-keypair`

  | Name | Description or role | Location on container |
  | ---- | ------------------- | --------------------- |
  | **`ca.crt`, `tls.crt`, `tls.key`** | SSL key pair with a self-signed CA certificate, used to encrypt DS data for backups. | `/var/run/secrets/keys/ds/master-key`. Used by the `PEM Key Manager` provider configured in `ds-setup.sh`. |

### Kubernetes secret name: `ds-ssl-keypair`

The SSL key pair used for encrypting replication traffic. It is also used by AM and IDM as a trust store for LDAPS connections to DS.

* Pod: `ds-idrepo` or `ds-cts`

* Container: `init` and `ds`

* Mount path: `/var/run/secrets/keys/ds/ds-ssl-keypair`

  | Name | Description or role | Location on container |
  | ---- | ------------------- | --------------------- |
  | **`ca.crt`, `tls.crt`, `tls.key`** | SSL key pair with the self-signed certificate of the certificate authority. Used for encrypting data replicated between servers. | `/var/run/secrets/keys/ds/ds-ssl-keypair`. Used by the `PEM Key Manager` provider configured in `ds-setup.sh`. |

* Pod: `idm`

* Container: `truststore-init`

* Mount path: `/var/run/secrets/truststore/ca.crt`

  | Name | Description or role | Location on container |
  | ---- | ------------------- | --------------------- |
  | **`ca.crt`** | SSL key pair with a certificate signed by the certificate authority. Used for encrypting data replicated between servers. | `IDM_PEM_TRUSTSTORE_DS=/var/run/secrets/truststore/cacerts`, copied to `/opt/openidm/idmtruststore`. |

* Pod: `am`

* Container: `truststore-init`

* Mount path: `/var/run/secrets/truststore/ca.crt`

  | Name | Description or role | Location on container |
  | ---- | ------------------- | --------------------- |
  | **`ca.crt`** | SSL key pair with the self-signed certificate of the certificate authority. Used for encrypting data replicated between servers. | `IDM_PEM_TRUSTSTORE_DS=/var/run/secrets/truststore/ca.crt`, copied to `/opt/openidm/idmtruststore`. |

## IDM admin passwords

### Kubernetes secret name: `idm-env-secrets`

IDM administration and keystore passwords.

* Pod: `idm`

* Container: `openidm`

* Type: Environment variables

  | Name | Description or role | Location on container |
  | ---- | ------------------- | --------------------- |
  | **OPENIDM\_ADMIN\_PASSWORD** | IDM admin password. | Configured in `repo.init.json`. |
  | **OPENIDM\_KEYSTORE\_PASSWORD** | IDM keystore password. | Configured in `docker/idm/resolver/boot.properties`. |
