Notes covering new features, fixes and known issues for the ForgeRock® Access Management command-line interface, Amster.


Amster is a lightweight command-line interface, ideal for use in DevOps processes, such as continuous integration and deployment.

Read these release notes before you install Amster. The information contained in these release notes cover prerequisites for installation, known issues and improvements to the software, changes and deprecated functionality, and other important information.

About ForgeRock Identity Platform™ Software

ForgeRock Identity Platform™ is the only offering for access management, identity management, user-managed access, directory services, and an identity gateway, designed and built as a single, unified platform.

The platform includes the following components that extend what is available in open source projects to provide fully featured, enterprise-ready software:

  • ForgeRock Access Management (AM)

  • ForgeRock Identity Management (IDM)

  • ForgeRock Directory Services (DS)

  • ForgeRock Identity Gateway (IG)

  • ForgeRock Identity Message Broker (IMB)

Chapter 1. What's New

This chapter covers new features and improvements in Amster.

Amster 5.5
  • Support for AM 5.5 or Newer Only

    Amster 5.5 supports exporting and importing configuration from AM 5.5 or newer.

    If you have a previous version of Amster:

    1. Perform a fresh installation of Amster 5.5. For more information, see Section 2.2, "Installing Amster" in the User Guide.

    2. Migrate any Amster Groovy scripts from the previous Amster installation. Take into account these Release Notes for possible changes in functionality.

    3. Migrate any JSON configuration files that were exported from the following versions of AM:

      • AM 5

      • AM 5.1.0

      • AM 5.1.1

      A configuration file upgrade tool is provided in the AM 5.5.0 ZIP file. For more information on converting configuration files for import into AM 5.5, see the file in the file.

    4. Test the new Amster installation

    5. Delete the previous amster installation. For example:

      $ rm -rf /path/to/amster_5.0
  • Support for Installing Access Management With an External Configuration and User Store

    Amster 5.5 supports installing AM with an external configuration store. When you install AM with an external configuration store, you must also use an external user store. By default, the external user store is the same directory server instance as the external configuration store. You can, however, specify a different user store.

    For more information about installing AM with an external configuration store, see Installing AM With an External Configuration Store in the User Guide.

    For more information about supported user stores, see the ForgeRock Access Management Release Notes.

    For more information about the configuration options supported by Amster, see Section 4.2, "Command-Line Reference" in the User Guide.

Chapter 2. Before You Install

This section covers software and hardware prerequisites for installing and running Amster.

ForgeRock supports customers using the versions specified here. Other versions and alternative environments might work as well. When opening a support ticket for an issue, however, make sure you can also reproduce the problem on a combination covered here.

2.1. Operating System Requirements

ForgeRock supports customers using ForgeRock Access Management server software on the following operating system versions:

Table 2.1. Supported Operating Systems
Operating SystemVersion
Red Hat Enterprise Linux, Centos, Amazon Linux6, 7
Amazon LinuxAmazon Linux AMI 2017.03
Ubuntu14.04 LTS, 16.04 LTS
Solaris x6410, 11
Solaris Sparc10, 11
Windows Server2012, 2012 R2, 2016

2.2. Java Requirements

Table 2.2. JDK Requirements
Oracle JDK8
IBM SDK, Java Technology Edition (Websphere only)8

2.3. Special Requests

If you have a special request regarding support for a combination not listed here, contact ForgeRock at

Chapter 3. Changes and Deprecated Functionality

This chapter covers both major changes to existing functionality, and also deprecated and removed functionality.

3.1. Removed Functionality

Functionality listed under this section has been removed from Amster.

Amster 5.5
  • PolicyAgentPwd Option Removed

    The PolicyAgentPwd option has been removed from the install-openam option, since it is no longer required by AM.

Chapter 4. Limitations and Known Issues

4.1. Key Fixes

The following issues are fixed in this release. For details, see the OpenAM issue tracker.

Amster 5.5

The following important issues were fixed in this release:

  • OPENAM-11307: Amster import should not set the property

  • OPENAM-10689: Installing AM using Amster failed when using an external data store

  • OPENAM-10664: Amster does not support configuration of an external user store

4.2. Limitations

The following important issues remained open at the time release 5.5 became available:

  • Private Key Connections to Access Management Can Fail

    Installing or upgrading AM appends the contents of the /path/to/openam/ file to the /path/to/openam/authorized_keys file. The contents of the authorized_keys file resemble the following:

    from=",::1" ssh-rsa AAAAB3NzaC1y...

    The from attribute restricts the communication between AM and Amster clients that communicate using the network. If your AM server is not configured in the loopback interface, Amster connections may fail with an error resembling the following:

    am> connect  --private-key /home/fr/openam/amster_rsa
    Unexpected response from OpenAM
    [code:401, reason:Unauthorized, message:Authentication Failed]

    To work around this problem, remove or update the from attribute to suit your environment as follows:

    • Remove the from attribute, leaving only the key. For example:

      ssh-rsa AAAAB3NzaC1y...

      In this example, the Amster client holding the appropriate private key can communicate with AM regardless of their IP address or DNS domain.

    • Update the loopback network specified in the from attribute with the DNS domain configured for AM. For example:

      $ cat /etc/hosts | grep -i openam
      $ vi /path/to/openam/authorized_keys
      from="*" ssh-rsa AAAAB3NzaC1y...

      In this example, the Amster client holding the appropriate private key can communicate with AM if they are part of the DNS domain.

      Refer to the Linux documentation for more information about patterns supported by the from attribute.

  • Amster Installs Single-server Instances of Access Management

    To create instances and add them to a multi-server site deployment, see the ForgeRock Access Management Install Guide.

  • Importing Resources Containing Slash Characters Can Fail

    Some Access Management resources have names that can contain slash characters (/), for example policy names, application names, and SAML v2.0 entities. These slash characters can cause unexpected behavior and failures in Amster when importing into Access Management instances running on Apache Tomcat.

    To workaround this issue, configure Apache Tomcat to allow encoded slash characters by updating the CATALINA_OPTS environment variable. For example:

    On Unix/Linux systems:

    $ export CATALINA_OPTS= \

    On Windows systems:

    C:\> set CATALINA_OPTS= ^
    C:\> startup.bat


    It is strongly recommended that you do not enable org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH when running AM in production as it introduces a security risk on Apache Tomcat.

    For more information, see How do I safely enable the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH setting in AM/OpenAM (All Versions)? in the ForgeRock Knowledge Base.

  • [INFO] Messages Showing On SuSE On Amster Start Up

    Running Amster on SuSE may produce [INFO] messages, for example:

    # ./amster
    [INFO] Unable to bind key for unsupported operation: up-history
    [INFO] Unable to bind key for unsupported operation: down-history
    [INFO] Unable to bind key for unsupported operation: up-history
    [INFO] Unable to bind key for unsupported operation: down-history
    OpenAM Shell (5.5 build c9ca9450a9, JVM: 1.8.0_65)
    Type ':help' or ':h' for help.

    These messages are caused by the keyboard mappings configured in the /etc/inputrc file and can safely be ignored, as they do not affect functionality.

4.3. Known Issues

Amster 5.5
  • No issues remained open when Amster 5.5 became available.

Chapter 5. Documentation Updates

The following table tracks changes to the documentation set following the release of Amster 5.5:

Table 5.1. Documentation Change Log

Added a warning admonition about enabling -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH in production. For more information, see Section 4.2, "Limitations".


Added a brief paragraph on how to pass variables into an Amster script. See Section 3.5, "Scripting" in the User Guide


Added a brief paragraph on how to invoke a script directly in Amster. See Section 3.5, "Scripting" in the User Guide


Initial release

Appendix A. Getting Support

For more information or resources about OpenAM and ForgeRock Support, see the following sections:

A.1. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

A.2. Using the Site

The site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.

If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.

A.3. Getting Support and Contacting ForgeRock

ForgeRock provides support services, professional services, classes through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see

ForgeRock has staff members around the globe who support our international customers and partners. For details, visit, or send an email to ForgeRock at

Read a different version of :