Skip to end of metadata
Go to start of metadata

OpenAM 9.5.5 Release Notes provide the following information.

What's New in OpenAM 9.5.5

Compared to the OpenAM 9.5.4, OpenAM 9.5.5 is a maintenance release that resolves a number of issues.  If updating from a version earlier than 9.5.4, also see the release notes for the intermediate releases.


This release contains fixes that resolve security issues within OpenAM. Older versions of OpenAM contain these vulnerabilities. It is strongly recommended that you update to this release to make your deployment more secure. ForgeRock customers can contact support for help and further information.

OpenAM 9.5.5 Hardware and Software Requirements

Hardware and software requirements for OpenAM 9.5.5 are listed here: OpenAM Hardware and Software requirements.

Java 6 Required

This release of OpenAM requires Java 6 to run. This is due to the product taking advantage of specific features introduced in Java 6.

OpenAM Client SDK is supported on JDK 1.5 and later.

OpenAM requires a Java Heap size of 1024MB to run. Make sure you start your deployment container with the following JVM options:

-Xmx1024m -XX:MaxPermSize=256m

Getting Started with OpenAM 9.5.5

Please note that the latest version with all the latest features is OpenAM 10.0.

If you have not previously installed OpenAM, here are the basic steps to follow.

  1. If necessary, install, configure, and start one of the supported web containers.
  2. Download and unzip OpenAM 9.5.5.
    The download page is
  3. Deploy the openam.war file to your web container, using the web container administration console or deployment command. Or, if supported by the web container, simply copy the .war file to the container's autodeploy directory.
  4. Configure OpenAM 9.5.5 using either the GUI Configurator or the command-line configurator.jar.
    To launch the GUI Configurator, enter the following URL in your browser: protocol://host.domain:port/deploy_uri. For example,
  5. Perform additional configuration using either the OpenAM Administration Console or the ssoadm command-line utility.

To download a version 3.0 policy agent, refer the ForgeRock download page.

For a more detailed explanation of the OpenAM installation process, read the deployment howto.

Updating From an Earlier Release of OpenAM 9.5.x

If you have already installed OpenAM, here are the basic steps to follow.

  1. Download and unzip OpenAM 9.5.5.
    The download page is
  2. If you have made any customizations, re-apply these to the 9.5.5 .war file.
  3. Redeploy the .war file to your web container, using the web container administration console or deployment command.
  4. If you are using session failover, you must ensure that OpenMQ is cleared as part of the update to OpenAM 9.5.5 as OpenAM's internal representation of session objects has changed in this release.
    To clear OpenMQ, run amsfo stop and then run amsfo start.

Issues Resolved in This Release

Snapshot 9.5.5 is an incremental release with a number of improvements and features, as listed in the following sections.

Bugs Fixed

  • OPENAM-1819: "IDP Session is NULL" when logging in to two different OpenAM servers within an IDP site configuration
  • OPENAM-1779: REST interface should always set Cache-Control headers to prevent caching
  • OPENAM-1703: SP Single Logout Init returns HTTP 400 when no local session exists
  • OPENAM-1622: Remote Session validation can lead to heap accumulation
  • OPENAM-1546: Logout/Idle Timeout does not clear Restricted Token Session objects if multiple Policy Agents are in use
  • OPENAM-1545: Container shutdown might hang when using SFO
  • OPENAM-1544: Request headers are not proxied for GET requests
  • OPENAM-1515: Possibility that LB Cookie is not set
  • OPENAM-1438: Multiple failing null-callback sufficient modules can result in NPE
  • OPENAM-1347: Multiple tabs setting not listed in validserverconfig
  • OPENAM-1333: SAML2 does not set content type when using HTTP-POST binding
  • OPENAM-1329: EntitlementException locale files missing from ClientSDK
  • OPENAM-1326: Deadlock in PeriodicRunnable (side effect of OPENSSO-5377)
  • OPENAM-1307: Goto validation not carried out on Logout if there is no SSO session
  • OPENAM-1285: Incorrect JAVA EE API usage in FileUpload.jsp
  • OPENAM-1283: OpenAM does not return adequate SOAP faults during ArtifactResolution
  • OPENAM-1280: Persistent cookies only works when debug is at Message Level
  • OPENAM-1252: ssoadm loses exception causes
  • OPENAM-1246: More than 5 referral policies under a realm would hang PrivilegeEvaluator
  • OPENAM-1241: Upgrade fails due to ArrayOutOfBoundsException
  • OPENAM-1221: WSSAgent can not sign request if security mechanism 'X509Token' and Signing Reference Type 'KeyIdentifier Reference' is configured in Web Service Client profile
  • OPENAM-1215: DAS forgets original login URL with multi-step modules
  • OPENAM-1209: DNS lookups in DNOrIPAddressListTokenRestriction should be truely optional
  • OPENAM-1168: Rest/SOAP interface no longer returns the error message for cases where a HTTP 401 is generated
  • OPENAM-1135: The IdP does not sign the SAML2 Logout Response when using HTTP-POST binding when the SP has asked to sign them
  • OPENAM-1132: Extensive logging in IdentityServicesImpl
  • OPENAM-1125: Request serialization does not work in subrealm with DAS
  • OPENAM-1123: LDAPException with -1 resultCode can cause MissingResourceException
  • OPENAM-1121: Problem when a SAML2 Single Logout Request lands in the OpenAM that did not issue the original assertion
  • OPENAM-1104: CDCServlet doesn't work if custom authentication was used
  • OPENAM-1100: OAuth provider does not work with subrealms
  • OPENAM-1086: The SAML2 IdP Adapter does not get called when using IdP Initiated SSO
  • OPENAM-1083: Using Federation redirects with the valid goto URL whitelist causes problems
  • OPENAM-1069: createSSOToken(request) does not honor client IP header settings
  • OPENAM-1064: NPE when SDK cache is disabled
  • OPENAM-1061: Deadlock in LDAPv3Repo
  • OPENAM-1047: isSessionQuotaReached does not work correctly if users session quota > 1
  • OPENAM-1041: Destroy Oldest Session action should actually destroy the oldest session
  • OPENAM-1028: ArrayIndexOutOfBoundsException in debug log message in AMLoginContext
  • OPENAM-1007: Memory Leak in SMSNotificationManager when ldap error occurs
  • OPENAM-1006: Wildcards in referrals can be ignored due to invalid search filter
  • OPENAM-1002: persistent cookie doesn't work for subrealm with different datastore than default realm
  • OPENAM-987: special character used in membership search filter should be escaped (rfc2254)
  • OPENAM-985: LDAPv3Repo and associated classes can cause leak in the shutdown manager due to LDAP exceptions
  • OPENAM-975: RuntimeException in Sufficient module breaks the chain
  • OPENAM-952: OpenAM Role Subject type does not work in console-only deployment
  • OPENAM-917: When using Console only deployment, checking policies in a sub-realm throws a "java.lang.UnsupportedOperationException: Not supported" exception.
  • OPENAM-886: Memory leak in REST API (RegExResourceName)
  • OPENAM-746: CDCServlet should only compute TokenRestriction if cookie hijacking prevention is configured
  • OPENAM-732: encode issue in CDCServlet if url contains blank
  • OPENAM-670: Entitlement evaluation throws org.json.JSONException when evaluating entitlements with resource attributes
  • OPENAM-507: Adding to existing deployment fails for non-default Org. Auth. configuration
  • OPENAM-171: "Authentication by Module Chain" fails when used in a sub-realm
  • OPENAM-74: RuntimeException does not updates the failureModuleSet in LoginState
  • OPENAM-24: Identity Changes not propagating to policy decisions

New Features and Enhancements

  • OPENAM-1721: New method in AMLoginModule to allow customers to determine other user sessions
  • OPENAM-1470: Running OpenAM as an SP should not require enabling module based auth
  • OPENAM-1454: Improve RP support for federation when using DAS
  • OPENAM-1266: Configure option in OpenAM IDP to Proxy all the requests, regardless if the SP allows or not.
  • OPENAM-1048: Add client parameter to REST authenticate command
  • OPENAM-875: "Maximum number of concurrent sessions allowed for a user" when MULTI_SERVER_MODE
  • OPENAM-766: REST authentication should return amlbcookie
  • OPENAM-700: Set IdPAdapter Class with Console

Known Issues in This Release

OpenAM 9.5.5 contains a number of outstanding issues that have been noted in the OpenAM bug tracker. Check for the latest list of issues.

OpenAM Documentation

This wiki provides a substantial quantity of documentation available for OpenAM.

Although it applies mainly to the upcoming release of OpenAM, much of the in-progress OpenAM core documentation is also useful for this release.

How to Report Problems and Provide Feedback

If you have questions regarding OpenAM which are not answered by the documentation, there is a helpful mailing list which can be found at where you are likely to find an answer.

If you have found issues or reproducible bugs within OpenAM 9.5.5, report them in

If you are requesting help for a problem, please include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation
  • Machine type, operating system version, web container and version, JDK version, and OpenAM release version, including any patches or other software that might be affecting the problem
  • Steps to reproduce the problem
  • Any error logs or core dumps


  • No labels