An illegal reflective access operation has occurred when using Java 11 with ForgeRock products

Symptoms

You will see An illegal reflective access operation has occurred warning when installing and using AM (including Amster and ssoadm tools), Java Agents, DS, IDM and IG. The subsequent two lines following this warning vary depending on which product you are using and what you were doing at the time it occurred.

Here are some examples of the types of error you will see by product:

• AM: WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 (file:/path/to/tomcat/webapps/am/WEB-INF/lib/groovy-2.4.6.jar (about:blank)) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int) WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.vmplugin.v7.Java7$1 WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release
• Java Agent: WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/tmp/5.6.0/java/java_agents/tomcat_agent/lib/jee-agents-installtools-5.6.0.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain) WARNING: Please consider reporting this to the maintainers of org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1 WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release
• DS: WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by org.opends.server.util.Platform$PlatformIMPL (file:/path/to/ds/lib/opendj.jar) to constructor sun.security.tools.keytool.CertAndKeyGen(java.lang.String,java.lang.String) WARNING: Please consider reporting this to the maintainers of org.opends.server.util.Platform$PlatformIMPL WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release
• IDM: WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender (file:/path/to/idm/bin/felix.jar) to method java.net.URLClassLoader.addURL(java.net.URL) WARNING: Please consider reporting this to the maintainers of org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release

Recent Changes

Upgraded to Java 11.

Installed AM 6.5.x, DS 6.5.x, IDM 6.5.x or IG 6.5.x with Java 11.

Installed Java Agent 5.6.x with Java 11.

Causes

These warnings occur when using Groovy 2.x with Java 11 but are fixed in Groovy 3. 

For reference, these known issues are:

• GROOVY-8339 (Fix warning "An illegal reflective access operation has occurred")
• GROOVY-8843 (Fix illegal reflective access within o.c.g.vmplugin.v7.Java7)
• GROOVY-9103 (CLONE - CLONE - Fix warning "An illegal reflective access operation has occurred")

Whenever you use functionality that accesses Groovy scripting, you will see these warnings.  

Additionally, there is a similar compatibility issue with Felix: FELIX-5765 (An illegal reflective access operation has occurred).

Solution

These messages can be safely ignored because they do not impact the use or functionality of ForgeRock products. However, if you do not want to see them, you can do one of the following:

• Use Groovy 3.x.
• Allowlist these warnings.
• Downgrade Java to JDK 1.8

See Also

SSLHandshakeException or ClassCastException when using an HSM and Java 11 with ForgeRock products

Federation related pages do not display in the admin UI with a java.lang.NoClassDefFoundError: sun/misc/CharacterEncoder error in AM 6.5.x

How do I disable TLS 1.3 when running DS 6.5, 6.5.1 or 6.5.2 with Java 11.0.5 and earlier, or Java 1.8.0_272 and later?

Cannot install or use ssoadm in AM 6.0.x, 6.5.0 and 6.5.0.1 after restricting configuration store (DS) cipher suites or Java upgrade

AM 6.0.0.x, IDM 6.x and Rest2LDAP cannot connect to DS 6 after restricting DS cipher suites or Java upgrade

Related Training

N/A

Related Issue Tracker IDs

OPENAM-14478 (AM on JDK11 shows warning when Groovy access with "Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1")

OPENIDM-11765 (Warnings on startup when using embedded DS repo with Java 11)

OPENDJ-5664 (JDK 11: illegal reflective access warning during import-ldif)

OPENDJ-5663 (JDK 11: illegal reflective access warning on setup (without profile))

OPENDJ-5660 (JDK 11: illegal reflective access warning on setup (with profile))

AMAGENTS-2616 (Java agent installer makes warning messages when JDK 11 is used)