---
title: AuthenticatorOath
description: Resource path:
component: pingam
version: 8.1
page_id: pingam:entity-reference:sec-amster-entity-authenticatoroath
canonical_url: https://docs.pingidentity.com/pingam/8.1/entity-reference/sec-amster-entity-authenticatoroath.html
section_ids:
  sec-amster-entity-authenticatoroath-realm-ops: Realm Operations
  sec-amster-entity-authenticatoroath-realm-ops-create: create
  sec-amster-entity-authenticatoroath-realm-ops-delete: delete
  sec-amster-entity-authenticatoroath-realm-ops-getalltypes: getAllTypes
  sec-amster-entity-authenticatoroath-realm-ops-getcreatabletypes: getCreatableTypes
  sec-amster-entity-authenticatoroath-realm-ops-nextdescendents: nextdescendents
  sec-amster-entity-authenticatoroath-realm-ops-read: read
  sec-amster-entity-authenticatoroath-realm-ops-update: update
  sec-amster-entity-authenticatoroath-global-ops: Global Operations
  sec-amster-entity-authenticatoroath-global-ops-getalltypes: getAllTypes
  sec-amster-entity-authenticatoroath-global-ops-getcreatabletypes: getCreatableTypes
  sec-amster-entity-authenticatoroath-global-ops-nextdescendents: nextdescendents
  sec-amster-entity-authenticatoroath-global-ops-read: read
  sec-amster-entity-authenticatoroath-global-ops-update: update
---

# AuthenticatorOath

## Realm Operations

Resource path:

```
/realm-config/services/authenticatorOathService
```

Resource version: `0.0`

### create

**Usage**

```
am> create AuthenticatorOath --realm Realm --body body
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "authenticatorOATHSkippableName" : {
        "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
        "description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
        "propertyOrder" : 800,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "oathAttrName" : {
        "title" : "Profile Storage Attribute",
        "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
        "propertyOrder" : 100,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionScheme" : {
        "title" : "Device Profile Encryption Scheme",
        "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
        "propertyOrder" : 200,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
        "title" : "Key Store Password",
        "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
        "propertyOrder" : 500,
        "required" : true,
        "type" : "string",
        "format" : "password",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionKeystore" : {
        "title" : "Encryption Key Store",
        "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
        "propertyOrder" : 300,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
        "title" : "Key Store Type",
        "description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 keys tores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
        "propertyOrder" : 400,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
        "title" : "Private Key Password",
        "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
        "propertyOrder" : 700,
        "required" : true,
        "type" : "string",
        "format" : "password",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
        "title" : "Key-Pair Alias",
        "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
        "propertyOrder" : 600,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      }
    }
  }
  ```

### delete

**Usage**

```
am> delete AuthenticatorOath --realm Realm
```

### getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

**Usage**

```
am> action AuthenticatorOath --realm Realm --actionName getAllTypes
```

### getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

**Usage**

```
am> action AuthenticatorOath --realm Realm --actionName getCreatableTypes
```

### nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

**Usage**

```
am> action AuthenticatorOath --realm Realm --actionName nextdescendents
```

### read

**Usage**

```
am> read AuthenticatorOath --realm Realm
```

### update

**Usage**

```
am> update AuthenticatorOath --realm Realm --body body
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "authenticatorOATHSkippableName" : {
        "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
        "description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
        "propertyOrder" : 800,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "oathAttrName" : {
        "title" : "Profile Storage Attribute",
        "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
        "propertyOrder" : 100,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionScheme" : {
        "title" : "Device Profile Encryption Scheme",
        "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
        "propertyOrder" : 200,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
        "title" : "Key Store Password",
        "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
        "propertyOrder" : 500,
        "required" : true,
        "type" : "string",
        "format" : "password",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionKeystore" : {
        "title" : "Encryption Key Store",
        "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
        "propertyOrder" : 300,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
        "title" : "Key Store Type",
        "description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 keys tores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
        "propertyOrder" : 400,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
        "title" : "Private Key Password",
        "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
        "propertyOrder" : 700,
        "required" : true,
        "type" : "string",
        "format" : "password",
        "exampleValue" : ""
      },
      "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
        "title" : "Key-Pair Alias",
        "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
        "propertyOrder" : 600,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      }
    }
  }
  ```

## Global Operations

Resource path:

```
/global-config/services/authenticatorOathService
```

Resource version: `1.0`

### getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

**Usage**

```
am> action AuthenticatorOath --global --actionName getAllTypes
```

### getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

**Usage**

```
am> action AuthenticatorOath --global --actionName getCreatableTypes
```

### nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

**Usage**

```
am> action AuthenticatorOath --global --actionName nextdescendents
```

### read

**Usage**

```
am> read AuthenticatorOath --global
```

### update

**Usage**

```
am> update AuthenticatorOath --global --body body
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "defaults" : {
        "properties" : {
          "authenticatorOATHSkippableName" : {
            "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
            "description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
            "propertyOrder" : 800,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
            "title" : "Key Store Type",
            "description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 keys tores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
            "propertyOrder" : 400,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
            "title" : "Private Key Password",
            "description" : "Password to unlock the private key.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
            "propertyOrder" : 700,
            "required" : true,
            "type" : "string",
            "format" : "password",
            "exampleValue" : ""
          },
          "authenticatorOATHDeviceSettingsEncryptionScheme" : {
            "title" : "Device Profile Encryption Scheme",
            "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
            "propertyOrder" : 200,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
            "title" : "Key Store Password",
            "description" : "Password to unlock the key store. AM encrypts this password when you save it in the configuration.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
            "propertyOrder" : 500,
            "required" : true,
            "type" : "string",
            "format" : "password",
            "exampleValue" : ""
          },
          "oathAttrName" : {
            "title" : "Profile Storage Attribute",
            "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
            "propertyOrder" : 100,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "authenticatorOATHDeviceSettingsEncryptionKeystore" : {
            "title" : "Encryption Key Store",
            "description" : "Path to the key store from which to load encryption keys.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
            "propertyOrder" : 300,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
            "title" : "Key-Pair Alias",
            "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.<br/> <strong>Note:</strong> AM ignores this value if you map <code>am.services.authenticatoroath.encryption</code> to a secret in a secret store.",
            "propertyOrder" : 600,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          }
        },
        "type" : "object",
        "title" : "Realm Defaults"
      }
    }
  }
  ```