OpenAM Snapshot 9 is the ForgeRock release of OpenSSO Build 9.
The OpenSSO Snapshot 9 Release Notes provide the following information, as well as links to articles about the new OpenAM Snapshot 9 features.
OpenAM Snapshot 9 supports most hardware and software requirements supported by OpenSSO Enterprise 8.0. For information, see the "Sun OpenSSO Enterprise 8 Release Notes."
This release of OpenAM requires Java 6 to run, because the product takes advantage of new features in Java 6.
If you have not previously installed OpenAM or OpenSSO, here are the basic steps to follow:
openam.war file to the web container, using the web container administration console or deployment command. Or, if supported by the web container, simply copy the WAR file to the container's autodeploy directory.
OpenAM Snapshot 9 includes an alternate Administration Console that allows you to access the new OpenAM Entitlements Service and to use new work flows (common tasks) for Federation and Web Service Security (WSS). For more information, see:
You can enable XML signing and decryption. For more information, see "New Functionality for the OpenAM Snapshot 9 Java Fedlet."
You can enable ASP.NET Fedlet Single Logout. For more information, see "Implementing ASP.NET Fedlet Single Logout with OpenAM Snapshot 9."
The OpenAM Entitlements Service provides fine-grained access control. OpenAM Snapshot 9 includes RESTful interfaces (in the form of URLs) which have been developed for the Entitlements Service. For more information, see:
OpenAM Snapshot 9 supports Microsoft Active Directory as the user data store. For more information, see
"Using Microsoft Active Directory 2008 as the OpenAM Snapshot 9 User Data Store"
The Early Access version of the OpenAM OAuth Token Service supports the following OAuth Core 1.0 Specifications: consumer site registration, Request Token requests, Request Token authorizations, and Access Token requests. These features allow OpenAM to be deployed as a service provider site. For more information, see "Introducing the OpenAM OAuth Token Service (Snapshot 9 Early Access)."
OpenAM Snapshot 9 supports both version 3.0 and version 2.2 policy agents.
For information about version 3.0 agents, see http://docs.sun.com/coll/1767.1.
Because the version 2.2 agent configuration data is local to the agent, OpenAM centralized agent configuration is not supported for version 2.2 agents. To configure a version 2.2 agent, you must continue to edit the agent's AMAgent.properties file.
For information about version 2.2 agents, see http://docs.sun.com/coll/1322.1.
The OpenAM Fedlet fails if deployed on IBM WebSphere Application Server 7.0.
openam-fr-extlib.zip) from [http://forgerock.org/openam.html|https://opensso.dev.java.net/public/use/index.html#source]
openam-fr-extlib.zip and add the following JAR files to the Fedlet
When running the Configurator using Safari on a Mac, the Next and Cancel buttons are not visible, which gives the impression that the configuration cannot continue.
Workaround: Maximize the Safari browser to the fullest extent and scroll down to see the buttons.
Attempting to deploy OpenAM Snapshot 9 on JBoss AS 5.0.0 or 5.1.0 returns class loader errors.
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
  <class-loading java2ClassLoadingCompliance='true'>
    <loader-repository>
      jbia.loader:loader=openam
      <loader-repository-config>
        java2ParentDelegaton=true
      </loader-repository-config>
    </loader-repository>
  </class-loading>
  <resource-ref>
    <res-ref-name>jdbc/openamusersdb</res-ref-name>
    <jndi-name>java:jdbc/openamusersdb</jndi-name>
  </resource-ref>
</jboss-web>
is the specific release such as
is the JBoss AS server instance name.
When attempting to deploy OpenAM on Apache Geronimo 2.1.4, deployment fails and the following message is displayed: "Unable to deploy: WSDL generation failed."
Workaround: Use Apache Geronimo 2.1.1.
The OpenAM Snapshot 9 openam.war with the new console doesn't deploy on Oracle Application Server.
jar -xvf openam.war WEB-INF/lib
cp <el-jar-location>/el-api-1.0.jar WEB-INF/lib
cp <el-jar-location>/el-ri-1.0.jar WEB-INF/lib
jar -uf openam.war WEB-INF/lib*
java2.policy file, add the following OpenAM permissions to the grant statement (in addition to the existing OpenAM permissions):
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "modifyThread";
permission javax.security.auth.PrivateCredentialPermission "com.sun.identity.authentication.internal.AuthSSOToken * \"*\"","read";
ssoadm commands throw exception errors on IBM WebSphere Application Server 7.0
When OpenAM is deployed on IBM WebSphere Application Server 7.0 on the IBM AIX 5.3 platform using JDK 1.6.0, exception messages are displayed on the command line when executing ssoadm commands. The ssoadm commands are successfully executed despite the messages being displayed. You can ignore the exception messages. The ssoadm logs are written to the OpenAM server log directory.
If you are using IBM Tivoli Directory Server as the OpenAM user data store, the configuration is successful, but an attempt to add a group fails.
memberOf), remove the value.
cn=user,dc=example,dc=com
Tivoli Directory Server requires at least one user in a group before you can create the group.
In this scenario, OpenAM Snapshot 9 is configured to use Sun Java System Directory Server as the remote user data store and referential integrity is enabled for the Directory Server entries. However, if a group is deleted in Directory Server, the group is not removed from the user's group list, even though referential integrity is enabled.
Workaround: For referential integrity to work properly, after you finish running the OpenAM Snapshot 9 Configurator, restart the remote Sun Directory Server.
If you are configuring OpenAM Snapshot 9 using the GUI Configurator with Mozilla 1.7, the Password field in the "Step 4: User Data Store Settings" screen is not rendered properly.
Workaround. To view the user data store settings correctly, reduce the font size in the browser.
Under View, reduce the text size to 75%, and the password field will display correctly.
When attempting to delete multiple identities using the do-batch sub command, as in this example:
/ssoadm do-batch -u amadmin -f /tmp/.OpenAM_pass -D /tmp/del
the request is not processed as expected.
Workaround. In the do-batch sub command, use -Z instead of -D as the short option name for --batchfile.
When OpenAM is deployed using JDK 1.6.0_18, some OpenAM command-line commands may fail.
Workaround. Use JDK 1.6_017 in this environment.
This can occur when you don't provide a password when setting Configuration Data Store settings. In "Step 3: Configuration Data Store Settings" of the Configurator, if you don't enter a password, the Next button should be disabled. Instead, the Next button is enabled and you are inadvertently allowed to proceed to the next step. The error message is displayed after you click Finish at the end of the program.
Workaround. Click "Return to Configurator," return to Step 3, and provide a password.
After deploying the OpenAM console.war on GlassFish v2.1.1, when you click the URL to access the OpenAM login page, an ERROR 500 exception is thrown.
This occurs because esapiport.jar is not present in the created console WAR.
openam.war, and bundle it into the
After bundling this JAR, the exception is no longer displayed, and you should be able to access the OpenAM console.
On the Manage Policies page of the Beta Administration Console, when you select multiple policies and then click Export, the following message is displayed:
XML Parsing Error: junk after document element...
There is no workaround for this issue at this time.
When you configure Session Failover after upgrading OpenAM from a previous version, you must manually unzip ssoSessionTools.zip and re-install its files. The new .zip file contains Message Queue 4.4. For detailed instructions, see "Installing and Configuring the OpenAM Enterprise Session Failover Components". Message Queue 4.4 is automatically installed on the OpenAM server when you unpack the openam.war file.
ForgeRock is working on providing up-to-date documentation for the current release of OpenAM. In the meantime, you can check the OpenSSO Enterprise 8.0 documentation, available at:
OpenSSO Enterprise 8.0 Documentation Center
ldapjdk.jar was not included in OpenAM, beginning with OpenSSO Express 7 (predecessor of OpenAM).
com.sun.identity.sm package) and SMS model will not be included in a future OpenAM release.
amunixd) will not be included in a future OpenAM release.
com.iplanet.am.sdk package, commonly known as the Access Manager SDK (AMSDK), and all related APIs and
If you have questions or issues with OpenAM Snapshot, report them in https://bugster.forgerock.org
If you are requesting help for a problem, please include the following information: