Notes covering prerequisites, fixes, known issues for OpenAM Java EE policy agents. OpenAM provides open source Authentication, Authorization, Entitlement and Federation software.

Chapter 1. Java EE Policy Agents 3.3

This chapter concerns OpenAM Java EE policy agents. Java EE policy agents run in web application containers and protect Java EE applications.

1.1. New in JavaEE Policy Agents 3.3

  • The Java EE agent goto URL can now be modified (OPENAM-1299).

  • The Apache Tomcat policy agent now supports Tomcat 7 as well (OPENAM-1273).

  • Java EE policy agents can now conditionally redirect users based on the incoming request URL (OPENAM-1265).

  • The auto-submitting form in FormLoginContent.txt now parses as valid XML (OPENAM-674).

1.2. Before You Install OpenAM Java EE Policy Agents

This section covers software and hardware prerequisites for installing and running OpenAM Java EE Policy Agents.

If you have a special request to support a combination not listed here, contact ForgeRock at

1.2.1. Java EE Agents Java Requirements

Java EE policy agents run in a Java EE Web container. All Java EE policy require Java Development Kit 6 or Java Development Kit 7. ForgeRock recommends the most recent update to ensure you have the latest security fixes.

ForgeRock has tested this release with Oracle Java SE JDK.

1.2.2. Java EE Agents Browsers Tested

ForgeRock has tested this policy agent release with the following web browsers.

  • Chrome release 16 and later

  • Firefox 3.6 and later

  • Internet Explorer 7 and later

1.2.3. Web Application Container Requirements

Java EE policy agents support the following Java EE application containers.

  • Apache Tomcat 6, 7

  • GlassFish v2, v3 (at least 3.1)

  • IBM WebSphere Application Server 7, 8, 8.5

  • JBoss Enterprise Application Platform 5 and 6, JBoss Application Server 7

  • Jetty 7 (at least 7.6.13), 8 (at least 8.1.13)

  • Oracle WebLogic Server 10g, 11g, 12c

1.2.4. Java EE Agents Platform Requirements

Apache Tomcat Java EE policy agents have been tested on Linux 2.6 or later, and on Microsoft Windows Server 2008 R2.

GlassFish Java EE policy agents have been tested on Oracle Solaris 10 or later.

Other Java EE policy agents have been tested on Linux 2.6 or later.

Testing has focused on 64-bit operating systems.

1.2.5. Java EE Agents Hardware Requirements

You can deploy OpenAM Java EE policy agents on any hardware supported for the combination of software required.

ForgeRock has tested this release on x86 and x64 based systems.

1.3. Java EE Policy Agent Compatibility

This section concerns OpenAM Java EE Policy Agents 3.3.

1.3.1. Major Changes to Java EE Policy Agent Functionality

No major changes affecting compatibility have been made to the OpenAM Java EE Policy Agents in this release.

1.3.2. Deprecated Functionality

Support for Oracle WebLogic 10g is deprecated and is likely to be removed in a future release.

1.3.3. Removed Functionality

No functionality has been removed in this release.

1.4. Java EE Policy Agents Fixes, Limitations, & Known Issues

OpenAM Java EE policy agent issues are tracked at

1.4.1. Key Fixes

The following bugs were fixed in release 3.3. For details, see the OpenAM issue tracker.

  • OPENAM-1775: Java EE agent should not encapsulate exceptions coming out of applications

  • OPENAM-1357: WebSphere Policy Agent authentication issue for syncNode script when OpenAM authentication chain updated to not use Datastore as first module.

  • OPENAM-1220: Invalid date header -1 with Java agents

  • OPENAM-665: Uninstallation of agent on Glassfish 3 does cleanly reset security-service element correctly.

  • OPENAM-390: Hot-deployment fails for J2EE Agents

  • OPENAM-276: Agent logout throws 403 after logout if cookie encoding is enabled

  • OPENAM-212: RemoteUser still setted after logout when accessing not enforced URL

1.4.2. Limitations

Not all features of OpenAM Java EE policy agents work with IPv6.

Apache Tomcat can fail to shut down properly when the Java EE policy agent for Tomcat is deployed. To work around this limitation, add the following to your Tomcat configuration in the <Server port="8005" shutdown="SHUTDOWN"> section.

 className="org.forgerock.agents.tomcat.v6.TomcatLifeCycleListener" />

When setting com.sun.identity.agents.config.notenforced.ip, know that loopback addresses are not considered valid IPs for the Not Enforced IP list. The policy agent ignores the loopback address if specified.

1.4.3. Known Issues

The following important known issues remained open at the time release 3.3 became available. For details and information on other issues, see the OpenAM issue tracker.

  • OPENAM-3209: Tomcat 6 agent custom-install does not modify global web.xml

  • OPENAM-3162: AgentRemoteConfigUtils failover logic is erroneous

  • OPENAM-2974: agentadmin should allow to configure multiple instances for the same agent on the same host

  • OPENAM-1991: Tomcat doesn't shutdown properly with J2EE agent for the tomcat.

  • OPENAM-1849: J2EE profile attribute mapper cannot handle identities with special chars in universal ID

  • OPENAM-1206: J2EE agent silent install isn't silent

  • OPENAM-1106: Null messages in the error log

  • OPENAM-868: J2EE Agent strips off servlet context when processing request for JSF application (Apache Trinidad)

  • OPENAM-605: Tomcat J2ee Agent initialization fails on Windows 2003

  • OPENAM-211: J2EE agents are unable to work, if the container was started prior to OpenAM

Chapter 2. How to Report Problems & Provide Feedback

If you have questions regarding OpenAM policy agents which are not answered by the documentation, there is a mailing list which can be found at where you are likely to find an answer.

If you have found issues or reproducible bugs within OpenAM 3.3 policy agents, report them in

When requesting help with a problem, include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation

  • Description of the environment, including the following information:

    • Machine type

    • Operating system and version

    • Web server or container and version

    • Java version

    • OpenAM policy agent and version

    • Any patches or other software that might be affecting the problem

  • Steps to reproduce the problem

  • Any relevant access and error logs, stack traces, or core dumps

Chapter 3. Support

You can purchase OpenAM support subscriptions and training courses from ForgeRock and from consulting partners around the world and in your area. To contact ForgeRock, send mail to To find a partner in your area, see

Read a different version of :