Changes in AM 7.4.x

AM 7.4.

Removal of `dsameuserpwd` from default keystore

The alias of the dsameuserpwd has been removed from the default keystore. The dsameUser is an internal account that AM uses to connect to the configuration store. AM now generates the password for this account on startup, and you can’t read or change it.

If you upgrade to AM 7.4 using the upgrade wizard and need to roll back the upgrade, you must restore the default keystore. The upgrade wizard removes the dsameuserpwd alias. If you don’t restore this alias, the rolled back instance of AM won’t start up.

If you try to use a previous version of ssoadm with AM 7.4, the command will show an error Can’t open boot keystore as it expects the dsameuserpwd to be there. To avoid this error, use the ssoadm version that is delivered with AM 7.4.

Preconfigure policy and application data stores

You can now disable policy and application data stores until you are ready to use them. This means that you can preconfigure a data store before the directory server is ready. When you want to use the data store configuration, you can enable it, at which point AM verifies that it can connect to the configured store.

All default policy and application data store configurations are enabled. A new custom external data store configuration is disabled by default. When you upgrade to AM 7.4, existing data store configurations are enabled by default.

The dataStoreEnabled property is mandatory if you’re creating new data stores over REST (using DataStoreService/config?_action=create). It’s also mandatory if you’re updating data stores over REST with a PUT request. For backward compatibility, if you don’t include this property in the JSON payload, the endpoint currently adds it to the configuration by default with a value of true.

In the next AM release, the endpoint version will be incremented and the latest version will require the property to be present.

Change in behavior when an authentication tree is deleted

From this release, when you delete an authentication tree, any nodes referenced by that tree are also deleted, provided they aren’t referenced by another tree.

This change eliminates orphaned nodes in the configuration and lets you delete the scripts referenced by those nodes.

Change in behavior of `subjectattributes` endpoint

The behavior of queries to the subjectattributes endpoint has changed in this release.

To override the new behavior and revert to the previous behavior, set the org.forgerock.security.entitlement.enforce.realm advanced server property to false, then restart AM for the change to take effect.

For security reasons you should set this property back to true when you have updated your scripts.

Rotatable secrets for `amAdmin` password

AM now caches the special secret used to store the password of amAdmin user. The expiry time of the cache is 900 seconds (15 minutes) by default. To change the expiry time, set the org.forgerock.openam.secrets.special.user.secret.refresh.seconds advanced server property.

For more information, refer to Store the amAdmin password in a secret store.

AM release notes