Configuration servers are not listed under Directory Configuration in OpenAM console 11.0.3, 12.0.1 or 12.0.2
The purpose of this article is to provide assistance if you cannot see any Directory servers used for the Configuration data store listed under the Directory Configuration tab in the OpenAM 11.0.3, 12.0.1 or 12.0.2 console. The following error is seen in the logs when trying to view the configuration: "WARNING:WhitelistObjectInputStream.resolveClass:com.sun.identity.common.configuration.ServerConfigXML$ServerObject was not in the whitelist of allowed classes". This issue only affects OpenAM 11.0.3 if you have installed the patch for OpenAM Security Advisory #201505.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
When you navigate to: Configuration > Servers and Sites > [Server Name] > Directory Configuration in the OpenAM console, the servers list is empty. However, the configuration is still intact if you export your service configuration or view the configuration data store using another method, such as an LDAP browser.
An error similar to the following is shown in the CoreSystem debug log:
amUtil:09/10/2015 03:42:59:485 PM CEST: Thread[http-bio-8080-exec-9,5,main] WhitelistObjectInputStream.isValidClass:java.util.ArrayList true
amUtil:09/10/2015 03:42:59:485 PM CEST: Thread[http-bio-8080-exec-9,5,main] WhitelistObjectInputStream.isValidClass:com.sun.identity.common.configuration.ServerConfigXML$ServerObject false
amUtil:09/10/2015 03:42:59:485 PM CEST: Thread[http-bio-8080-exec-9,5,main] WARNING: WhitelistObjectInputStream.resolveClass:com.sun.identity.common.configuration.ServerConfigXML$ServerObject was not in the whitelist of allowed classes
...
Recent Changes
Installed or upgraded to OpenAM 12.0.1.
Upgraded to OpenAM 12.0.2 (this issue does not affect fresh installs of OpenAM 12.0.2).
Installed the patch for OpenAM Security Advisory #201505 on OpenAM 11.0.3.
Causes
A recent security fix to prevent potential exploitation of serialized objects caused this view-only issue, whereby Configuration data stores no longer show on the Directory Configuration tab. The deserialisation whitelist introduced by that fix did not include the ServerConfigXML classes that the Directory Configuration view reads back, so the view's own legitimate objects are rejected in the same way as untrusted ones.
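To show why a whitelisting deserialiser produces exactly this kind of view-only breakage, the following is an added Python illustration, not OpenAM code: pickle's find_class() hook plays the role that resolveClass() plays in WhitelistObjectInputStream, and the ServerObject class, the serialised stream and the whitelist contents are all constructed for the example.

```python
import io
import pickle


def qualified_name(cls):
    """Module-qualified class name, the form a class whitelist lists."""
    return f"{cls.__module__}.{cls.__qualname__}"


class ServerObject:
    """Constructed stand-in for a legitimately serialised configuration object
    (similar in role to ServerConfigXML$ServerObject; not an OpenAM class)."""

    def __init__(self, host, port):
        self.host = host
        self.port = port

    def __repr__(self):
        return f"ServerObject({self.host!r}, {self.port})"


class WhitelistUnpickler(pickle.Unpickler):
    """Resolves only classes present in an explicit allow-list.

    find_class() is consulted for every class referenced by the stream, just
    as resolveClass() is in Java, so a class left off the list is refused
    whether it is hostile or merely forgotten.
    """

    def __init__(self, stream, allowed):
        super().__init__(stream)
        # Map of qualified name -> class. Returning from this map instead of
        # importing by name means the resolver never loads arbitrary modules.
        self.allowed = {qualified_name(c): c for c in allowed}

    def find_class(self, module, name):
        qualified = f"{module}.{name}"
        if qualified not in self.allowed:
            raise pickle.UnpicklingError(
                f"{qualified} was not in the whitelist of allowed classes")
        return self.allowed[qualified]


def serialise(obj):
    # Protocol 2+ encodes object construction as opcodes, so the only class
    # the stream references by name is the object's own class.
    return pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)


def try_load(data, allowed):
    """(True, object) on success, or (False, message) when a class is rejected."""
    try:
        return True, WhitelistUnpickler(io.BytesIO(data), allowed).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    blob = serialise([ServerObject("ds1.example.com", 389)])
    print(try_load(blob, []))              # rejected: class not on the list
    print(try_load(blob, [ServerObject]))  # accepted once the class is listed
```

The same stream is refused with an empty whitelist and accepted once the class is listed. The fix in this article is the same operation: the legitimately serialised configuration classes are added to the allow-list, and the check itself stays in place.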
Solution
This issue can be resolved by upgrading to OpenAM 12.0.3 or later; you can download this from BackStage.
Note
Although this issue is resolved in OpenAM 12.0.2, the following update is still required if you have upgraded to OpenAM 12.0.2 (rather than performed a fresh install).
This issue can be resolved by updating the Object Deserialisation Class Whitelist.
You can update this whitelist using either the OpenAM console or ssoadm:
- OpenAM console: navigate to: Configuration > Servers and Sites > Default Server Settings > Security > Object Deserialisation Class Whitelist and add the following values:
  com.sun.identity.common.configuration.ServerConfigXML
  com.sun.identity.common.configuration.ServerConfigXML$DirUserObject
  com.sun.identity.common.configuration.ServerConfigXML$ServerGroup
  com.sun.identity.common.configuration.ServerConfigXML$ServerObject
- ssoadm:
  - Create a data file (called DATA_FILE to match the next command) with the following contents:
    openam.deserialisation.classes.whitelist=com.iplanet.dpro.session.DNOrIPAddressListTokenRestriction,com.sun.identity.common.CaseInsensitiveHashMap,com.sun.identity.common.CaseInsensitiveHashSet,com.sun.identity.common.CaseInsensitiveKey,com.sun.identity.console.base.model.SMSubConfig,com.sun.identity.console.service.model.SMDescriptionData,com.sun.identity.console.service.model.SMDiscoEntryData,com.sun.identity.console.session.model.SMSessionData,com.sun.identity.shared.datastruct.OrderedSet,com.sun.xml.bind.util.ListImpl,com.sun.xml.bind.util.ProxyListImpl,java.lang.Boolean,java.lang.Integer,java.lang.Number,java.lang.StringBuffer,java.net.InetAddress,java.util.ArrayList,java.util.Collections$EmptyMap,java.util.HashMap,java.util.HashSet,java.util.Locale,org.forgerock.openam.authentication.service.protocol.RemoteCookie,org.forgerock.openam.authentication.service.protocol.RemoteHttpServletRequest,org.forgerock.openam.authentication.service.protocol.RemoteHttpServletResponse,org.forgerock.openam.authentication.service.protocol.RemoteServletRequest,org.forgerock.openam.authentication.service.protocol.RemoteServletResponse,org.forgerock.openam.authentication.service.protocol.RemoteSession,org.forgerock.openam.dpro.session.NoOpTokenRestriction,com.sun.identity.common.configuration.ServerConfigXML,com.sun.identity.common.configuration.ServerConfigXML$DirUserObject,com.sun.identity.common.configuration.ServerConfigXML$ServerGroup,com.sun.identity.common.configuration.ServerConfigXML$ServerObject
  - Run the following command, replacing [adminID] and [passwordfile] with appropriate values:
    $ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -D DATA_FILE
Caution
The contents of the data file specified above assume you have not made any changes to the openam.deserialisation.classes.whitelist property. If you have, ensure you include your changes in this file as well, separating each whitelist value with a comma; otherwise they will be lost, because update-server-cfg replaces the whole property value rather than appending to it.
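As an added helper, not part of this article or of ssoadm: the following Python script extracts the class names rejected in the CoreSystem debug log, merges them together with the four ServerConfigXML classes listed above into an existing openam.deserialisation.classes.whitelist value without dropping entries already present, and produces the line to put in DATA_FILE. The first three sample log lines follow the excerpt in Symptoms; the fourth (java.security.cert.Certificate, see OPENAM-6468 below) and the current property value are constructed for the example.

```python
import re

PROPERTY = "openam.deserialisation.classes.whitelist"

# The four classes this article says to add for the Directory Configuration issue.
REQUIRED_FOR_OPENAM_6499 = (
    "com.sun.identity.common.configuration.ServerConfigXML",
    "com.sun.identity.common.configuration.ServerConfigXML$DirUserObject",
    "com.sun.identity.common.configuration.ServerConfigXML$ServerGroup",
    "com.sun.identity.common.configuration.ServerConfigXML$ServerObject",
)

# Matches the rejection warning in the CoreSystem debug log; the class name
# follows "resolveClass:" and runs up to the next space.
REJECTED = re.compile(
    r"WhitelistObjectInputStream\.resolveClass:(\S+) was not in the whitelist")

# Constructed sample log: lines 1-3 follow the article's excerpt, line 4 is
# invented to show a second rejected class.
SAMPLE_LOG = """\
amUtil:09/10/2015 03:42:59:485 PM CEST: Thread[http-bio-8080-exec-9,5,main] WhitelistObjectInputStream.isValidClass:java.util.ArrayList true
amUtil:09/10/2015 03:42:59:485 PM CEST: Thread[http-bio-8080-exec-9,5,main] WhitelistObjectInputStream.isValidClass:com.sun.identity.common.configuration.ServerConfigXML$ServerObject false
amUtil:09/10/2015 03:42:59:485 PM CEST: Thread[http-bio-8080-exec-9,5,main] WARNING: WhitelistObjectInputStream.resolveClass:com.sun.identity.common.configuration.ServerConfigXML$ServerObject was not in the whitelist of allowed classes
amUtil:09/10/2015 03:43:10:002 PM CEST: Thread[http-bio-8080-exec-3,5,main] WARNING: WhitelistObjectInputStream.resolveClass:java.security.cert.Certificate was not in the whitelist of allowed classes
"""


def rejected_classes(log_text):
    """Class names rejected by the whitelist, unique and in first-seen order.

    Deserialisation stops at the first rejected class, so one failed stream
    reports at most one class here even when several are missing.
    """
    seen = []
    for match in REJECTED.finditer(log_text):
        name = match.group(1)
        if name not in seen:
            seen.append(name)
    return seen


def parse_whitelist(property_line):
    """Split 'openam.deserialisation.classes.whitelist=a,b,c' into ['a', 'b', 'c']."""
    key, sep, value = property_line.strip().partition("=")
    if not sep or key.strip() != PROPERTY:
        raise ValueError(f"expected a {PROPERTY}=... line")
    return [v.strip() for v in value.split(",") if v.strip()]


def merge_whitelist(existing, additions):
    """Keep every existing entry (the Caution above) and append only new ones."""
    merged = list(existing)
    for name in additions:
        if name not in merged:
            merged.append(name)
    return merged


def build_data_file_line(current_property_line, log_text):
    """The single line to write into DATA_FILE for ssoadm update-server-cfg."""
    existing = parse_whitelist(current_property_line)
    additions = list(REQUIRED_FOR_OPENAM_6499) + rejected_classes(log_text)
    return f"{PROPERTY}=" + ",".join(merge_whitelist(existing, additions))


if __name__ == "__main__":
    # Constructed current value, as read back from the server configuration.
    current = PROPERTY + "=java.lang.Boolean,java.util.ArrayList,com.example.CustomRestriction"
    print(build_data_file_line(current, SAMPLE_LOG))
```

Because a rejected stream is abandoned at the first class that fails the check, the log only ever names one class per failure; that is why the script always merges the article's full list of four classes rather than relying on the log alone.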
There are other known issues regarding missing whitelist values that you may want to review and resolve at the same time:
- OPENAM-6468 (InvalidClassException with certauth after #201505-01 patch) - add the following whitelist values:
  java.security.cert.Certificate
  java.security.cert.Certificate$CertificateRep
- OPENAM-6615 (12.0.1 Legacy Password reset options page does not display when clicking "Edit" on user profile page) - add the following whitelist value: com.sun.identity.console.user.model.UMUserPasswordResetOptionsData
- OPENAM-6741 (STS configuration not showing in admin console) - add the following whitelist value: java.util.LinkedHashSet
See Also
OpenAM Release Notes › What's New in OpenAM 12.0.1 › Security Advisories
OpenAM Release Notes › OpenAM Fixes, Limitations, and Known Issues
Related Training
N/A
Related Issue Tracker IDs
OPENAM-6468 (InvalidClassException with certauth after #201505-01 patch)
OPENAM-6499 (Configuration store servers are not listed in Directory Configuration)
OPENAM-6741 (STS configuration not showing in admin console)