Upgrading Components and Services
When planning your upgrade, consider that certain changes in later AM versions may affect your environment. These changes are usually driven by specification updates, security policies, or performance.
When possible, the upgrade process makes the appropriate changes to the AM configuration. However, in some cases you must perform additional configuration to suit your environment.
In addition to the mandatory upgrade steps outlined in Upgrading AM Instances, if you are using any of the features described in the following table, you must perform these additional upgrade tasks:
| AM Version | Component or Feature | Change |
|---|---|---|
| 7.1 | Decompressed JWTs | By default, AM rejects any JWT that expands to more than 32 KiB (32768 bytes) when decompressed. For more information about changing this default value, see "Controlling the Maximum Size of Compressed JWTs". |
| | Request Body Size | By default, AM rejects incoming requests with a body larger than 1 MB (1048576 bytes) in size. For more information about changing this default value, see "Limiting the Size of the Request Body". |
| | Pre-Approval for Redirection URIs Enforced | This change affects AM when acting as an OAuth 2.0 and OpenID Connect client. If a redirection URI uses a scheme, host, or port that differs from that of AM, you must now add it to the global validation service to ensure that it is pre-approved. This is described in "Configuring Success and Failure Redirection URLs". Otherwise, AM rejects the URI, and redirection fails. |
| | Subject Claim in Access and ID Tokens | The subject claim of access tokens and ID tokens has changed formats to ensure that it is locally unique. The new format is not enforced after upgrading to AM 7.1, but new installations default to it. The Before enabling it, ensure that your clients can use the new |
| | The "Retry Limit Decision Node" | The new Save Retry Limit to User feature in this node is enabled by default after upgrade and requires upgrading the identity store schema. Ensure you update the schema following the instructions in Upgrading AM Instances, or disable the feature. ForgeRock recommends keeping it enabled for security reasons. Failure to take one of these actions will break the authentication journey for trees using this node. |
| | One-Time Passwords in Authentication Nodes | One-time passwords created by the "HOTP Generator Node" are now stored in the authentication tree's transient state. Modify any custom authentication nodes or scripts used by the "Scripted Decision Node" to retrieve the one-time passwords from the transient state after upgrading to AM 7.1. |
| 7 | User Profile Whitelist | The profile attribute whitelist controls the information returned to non-administrative users when accessing Common profile attributes are whitelisted by default, but you need to add any custom attribute you want your non-administrative users to see. For more information, see "Configuring the User Profile Whitelist". |
| | /json/authenticate Endpoint | When a client makes a call to the { "tokenId":"", "successUrl":"/openam/console", "realm":"/alpha" } |
| | Secure Authentication Tree State Secret ID | An AES 256-bit key called After upgrade, ensure that the |
| | The Embedded DS | The embedded DS can only be used for single AM instances, for test and demo purposes. Sites are not supported. Sites using embedded DS servers must be migrated to external DS servers before upgrading. |
| | SAML v2.0 Secrets | AM 7 migrated SAML v2.0 to use secret stores. The upgrade process only creates the secret store files on the AM instance where you ran the upgrade process. For more information, see "Configuring Secret Stores After Upgrade". |
| | goto and gotoOnFail Query Parameter Redirection | Redirection URLs for authentication services, agents, and SAML v2.0 must be configured in the Validation Service if they are not in the same scheme, FQDN, and port as AM, or are not relative to AM's URL. |
| | Web Agents of a Version Earlier than 5.6.3 | Several properties that used to be configured as custom properties ( To work around this issue, perform one of the following actions: |
| | Changes on the CTS Reaper Tuning Properties | AM 7 changes the way the CTS reaper searches for expired tokens. After upgrading, retune the CTS Reaper using the information in "Reaper Search Size". |
| | OpenID Connect Clients Authenticating with JWTs | OpenID Connect clients authenticating with JWTs must include in the JWT a |
| | Cookie Filter | AM flags cookies as secure if they come through a connection marked as secure, or if they come through HTTPS. See "Managing the Secure Cookie Filter". |
| 6.5.0.2 // 6.5.1 | OAuth 2.0 Refresh Tokens | AM only issues refresh tokens to clients that have the After an upgrade to 6.5 or later using the UI or the openam-upgrade-tool .jar file, existing OAuth 2.0 clients are configured to use all grant flows, including the Refresh Token Grant flow. To configure the |
| 6.5 | Recovery Codes | Recovery Codes are encrypted, and existing codes are no longer displayed to the user. For more information, see "Upgrading Device Recovery Codes". |
| | Secret Stores | AM 6.5 introduced secret stores for OAuth 2.0 and the persistent cookie module. The upgrade process only creates the secret store files on the AM instance where you ran the upgrade process. For more information, see "Configuring Secret Stores After Upgrade". |
| | External Configuration Store | DS 6.5 introduced setup profiles, which pre-configure instances for different usages, such as CTS or configuration data. The default base DN for a DS configuration store instance ( You should not attempt to run multiple instances of AM where the configuration store base DNs do not match. Use the same configuration store base DNs when configuring external DS 6.5+ instances that will be used simultaneously alongside existing DS 6 or earlier configuration store instances. For more information, see "Preparing Configuration Stores". |
| 6 | json/ Endpoints | AM's CSRF protection filter requires that either the |
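The two 7.1 size limits in the table (32 KiB for a decompressed JWT, 1 MB for a request body) both guard against the same failure mode: a small attacker-supplied input that becomes very large once the server processes it. The following is an added example, not AM code, showing how such caps are enforced while the data is being produced rather than after it has all been materialised. The raw-DEFLATE compression mirrors what JWE uses for `"zip":"DEF"`; the JSON payloads, the `classify_*` helpers and the sample bodies are constructed for the example.

```python
"""Bounded inflation of a compressed JWT payload and bounded reading of an
HTTP request body. Added example (not AM code); the two limits are the
AM 7.1 defaults quoted in the upgrade table, everything else is constructed."""
import io
import json
import zlib

MAX_INFLATED_JWT_BYTES = 32 * 1024      # 32768 bytes, AM 7.1 default
MAX_REQUEST_BODY_BYTES = 1024 * 1024    # 1048576 bytes, AM 7.1 default


class InputTooLarge(ValueError):
    """Raised when decompressed or buffered input exceeds its cap."""


def inflate_bounded(compressed: bytes, limit: int = MAX_INFLATED_JWT_BYTES) -> bytes:
    """Inflate a raw DEFLATE stream, refusing to emit more than `limit` bytes.

    The cap is enforced inside the loop, so a few hundred bytes that would
    expand to megabytes are rejected after at most limit+1 output bytes.
    """
    d = zlib.decompressobj(wbits=-15)   # -15: raw DEFLATE, no zlib/gzip header
    out = bytearray()
    pending = compressed
    while pending:
        # Ask for one byte more than we are willing to accept: if zlib can
        # deliver it, the payload is over the limit.
        out += d.decompress(pending, limit - len(out) + 1)
        if len(out) > limit:
            raise InputTooLarge(f"decompressed payload exceeds {limit} bytes")
        pending = d.unconsumed_tail       # non-empty only when the cap was hit
    if not d.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return bytes(out)


def read_body_bounded(stream, declared_length=None, limit=MAX_REQUEST_BODY_BYTES) -> bytes:
    """Read a request body without ever buffering more than `limit` bytes.

    Content-Length is checked first because it is cheap, but it is only a
    client claim: the read itself is still capped, so a chunked or
    mis-declared body cannot get past the limit either.
    """
    if declared_length is not None and declared_length > limit:
        raise InputTooLarge(f"Content-Length {declared_length} exceeds {limit} bytes")
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise InputTooLarge(f"request body exceeds {limit} bytes")
    return data


def deflate(data: bytes) -> bytes:
    """Raw DEFLATE, the inverse of inflate_bounded (used to build samples)."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


def make_samples():
    """Constructed inputs: an ordinary claims set and one padded so that it
    is tiny on the wire but inflates far past 32 KiB."""
    benign = json.dumps({"sub": "demo-user", "iss": "https://am.example.com/openam"}).encode()
    oversized = json.dumps({"sub": "demo-user", "pad": "A" * 200_000}).encode()
    return deflate(benign), deflate(oversized)


def classify_jwt_payload(compressed: bytes) -> str:
    """Outcome of applying the JWT cap to a compressed payload."""
    try:
        inflate_bounded(compressed)
        return "accepted"
    except InputTooLarge:
        return "rejected: too large"
    except (zlib.error, ValueError):
        return "rejected: malformed"


def classify_body(body: bytes, declared_length=None) -> str:
    """Outcome of applying the body cap to an in-memory sample body."""
    try:
        read_body_bounded(io.BytesIO(body), declared_length)
        return "accepted"
    except InputTooLarge:
        return "rejected: too large"


if __name__ == "__main__":
    benign, bomb = make_samples()
    print(f"benign payload: {len(benign)} bytes on the wire -> {classify_jwt_payload(benign)}")
    print(f"padded payload: {len(bomb)} bytes on the wire -> {classify_jwt_payload(bomb)}")
    print(f"1 KiB body -> {classify_body(b'x' * 1024)}")
    print(f"1 MB + 1 body -> {classify_body(b'x' * (MAX_REQUEST_BODY_BYTES + 1))}")
```

The point of `limit - len(out) + 1` is that the check happens on the way out of zlib: the oversized sample is rejected after about 32 KiB of output even though it would inflate to roughly 200 KiB, and a payload of exactly 32768 bytes is still accepted. The same pattern applies when the limit is raised via the configuration described in "Controlling the Maximum Size of Compressed JWTs": whatever the value, it should be enforced during inflation, not after.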
Tip
For information on the endpoints deprecated or removed in previous versions, and their current equivalents, see the following Knowledge Base article.
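Two rows of the table above ("Pre-Approval for Redirection URIs Enforced" for 7.1 and "goto and gotoOnFail Query Parameter Redirection" for 7) describe the same rule: a redirection URL is accepted without further configuration only if it is relative to AM's URL or shares AM's scheme, FQDN and port; anything else must be pre-approved in the Validation Service. The following added example, which is not AM code, shows the origin comparison that rule implies and the edge cases a validator has to get right (default ports, case, scheme-relative `//host` URLs, userinfo tricks and backslashes). The exact-origin allow-list standing in for the Validation Service is an assumption, as are the `am.example.com` and other sample URLs.

```python
"""Decide whether a redirection URL is local to AM (relative, or same
scheme/FQDN/port) or must be pre-approved. Added example, not AM code: the
allow-list matching is an assumed exact-origin rule, and all URLs are
constructed sample values."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """(scheme, host, port) with the default port filled in, so that
    https://host and https://host:443 compare equal. Raises ValueError for
    an unparsable host or an out-of-range port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""                 # already lowercased by urlsplit
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_relative(url: str) -> bool:
    """True only for a URL that can be resolved against AM's own URL.

    Anything with a scheme or an authority is absolute, including the
    scheme-relative form "//other.example/". A backslash is also treated as
    disqualifying: browsers normalise "\\" to "/" in http(s) URLs, so
    "/\\other.example" reaches the user agent as "//other.example".
    """
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False
    return "\\" not in url


def needs_pre_approval(am_url: str, redirect: str) -> bool:
    """Relative URLs and URLs on AM's own origin need no Validation Service
    entry; every other origin does."""
    if is_relative(redirect):
        return False
    return origin(redirect) != origin(am_url)


def is_redirect_permitted(am_url: str, redirect: str, approved: list) -> bool:
    """Accept a redirect if it is local to AM or its origin is on the
    approved list. Fails closed on anything that cannot be parsed."""
    try:
        if not needs_pre_approval(am_url, redirect):
            return True
        return origin(redirect) in {origin(u) for u in approved}
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample deployment: AM's own URL and one pre-approved origin.
    am = "https://am.example.com/openam"
    approved = ["https://app.example.com/callback"]
    for candidate in [
        "/openam/console",
        "https://am.example.com:443/openam/XUI/",
        "HTTPS://AM.EXAMPLE.COM/openam/",
        "http://am.example.com/openam/",
        "https://am.example.com:8443/openam/",
        "https://app.example.com/other",
        "//other.example/",
        "https://am.example.com@other.example/",
        "/\\other.example",
        "https://am.example.com:99999/",
    ]:
        print(f"{candidate:45} permitted={is_redirect_permitted(am, candidate, approved)}")
```

The default-port normalisation matters in both directions: without it, `https://am.example.com:443/openam/...` would wrongly look foreign and be rejected, while a naive string-prefix comparison against `https://am.example.com` would wrongly accept `https://am.example.com@other.example/`, whose host is `other.example`. When a redirect is rejected after upgrade, the fix is the one the table gives: add the external origin to the Validation Service rather than loosening the comparison.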