AM examples often use Apache Tomcat (Tomcat) as the deployment container.
Tomcat is installed on
openam.example.com, and listens on the default ports without a Java Security Manager enabled.
AM core services require a minimum JVM heap size of 1 GB, and a metadata space size of up to 256 MB. If you are evaluating AM and using the embedded DS, you require at least a 2 GB heap, as 50% of that space is allocated to DS. See Prepare the Java environment for details.
CATALINA_OPTS environment variable with the appropriate tuning for your environment.
For example, add the following in the
export CATALINA_OPTS="$CATALINA_OPTS -server -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m"
Some versions of Internet Explorer and Microsoft Edge support the
Expires header attribute
instead of the
Max-Age header attribute, which may cause SAML v2.0 and agent logout sequences to fail.
If you have set the
org.apache.catalina.STRICT_SERVLET_COMPLIANCE Tomcat property to
$CATALINA_BASE/bin/setenv.sh file, to add the
Expires attribute to the headers:
export CATALINA_OPTS="$CATALINA_OPTS -server -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m \ -Dorg.apache.tomcat.util.http.ServerCookie.ALWAYS_ADD_EXPIRES=true"
Some AM resources have names that can contain slash characters (/), for example, in policy names, application names, and SAML v2.0 entities. These slash characters can cause unexpected behavior when running AM on Tomcat.
One possible workaround is to configure Tomcat to allow encoded slash characters by adding
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true property to the
however, this is not recommended for production deployments (see the warning below).
export CATALINA_OPTS="$CATALINA_OPTS -server -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m \ -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
It is strongly recommended that you do not enable
For more information, see How do I safely enable the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH setting in AM/OpenAM (All Versions)? in the ForgeRock Knowledge Base.
You can set the cookie domain name value to an empty string for host-only cookies or to any non-top level domain.
For example, if you install AM and use
openam.example.com as the host,
you can set the cookie domain name as
For information about configuring the cookie domain during installation,
see To Configure an Instance.
Tomcat provides components called valves that can be configured to track access to resources. The Access Log Valve outputs information about request activity to log files, for you to analyze or use when troubleshooting.
To record request times in the Access Log Valve log, configure the
pattern attribute to include the following values:
%D- Time taken to send an entire request, in millis. This is the total processing time and may be affected by network conditions.
%F- Time taken to commit the response, in millis (not available in Tomcat 7 or earlier).
Valve element in
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t "%r" %s %b %D %F" />
ForgeRock recommends that you edit the Tomcat
<Connector> configuration to set
UTF-8 URI encoding ensures that URL-encoded characters in the paths of URIs are correctly decoded by the container.
This is particularly useful if your applications use the AM REST APIs and some identifiers,
such as user names, contain special characters.
You should also ensure the
sslProtocol property is set to
which disables the potentially vulnerable SSL v3.0 protocol.
<Connector> configuration elements are found in the configuration file,
The following excerpt shows an example
<Connector> with the
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
When you have finished setting up Apache Tomcat, ForgeRock recommends that you enforce HTTPS connections to AM. For more information, see Secure connections to the AM container.