Configuration servers are not listed under Directory Configuration in OpenAM console 11.0.3, 12.0.1 or 12.0.2

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you cannot see any Directory servers used for the Configuration data store listed under the Directory Configuration tab in the OpenAM 11.0.3, 12.0.1 or 12.0.2 console. The following error is seen in the logs when trying to view the configuration: "WARNING:WhitelistObjectInputStream.resolveClass:com.sun.identity.common.configuration.ServerConfigXML$ServerObject was not in the whitelist of allowed classes". This issue only affects OpenAM 11.0.3 if you have installed the patch for OpenAM Security Advisory #201505.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

When you navigate to: Configuration > Servers and Sites > [Server Name] > Directory Configuration in the OpenAM console, the servers list is empty. However, the configuration itself is still intact: the servers are present if you export your service configuration or view the configuration data store by another method, such as an LDAP browser.

An error similar to the following is shown in the CoreSystem debug log:

amUtil:09/10/2015 03:42:59:485 PM CEST: Thread[http-bio-8080-exec-9,5,main] WhitelistObjectInputStream.isValidClass:java.util.ArrayList true
amUtil:09/10/2015 03:42:59:485 PM CEST: Thread[http-bio-8080-exec-9,5,main] WhitelistObjectInputStream.isValidClass:com.sun.identity.common.configuration.ServerConfigXML$ServerObject false
amUtil:09/10/2015 03:42:59:485 PM CEST: Thread[http-bio-8080-exec-9,5,main] WARNING: WhitelistObjectInputStream.resolveClass:com.sun.identity.common.configuration.ServerConfigXML$ServerObject was not in the whitelist of allowed classes
...

Recent Changes

Installed or upgraded to OpenAM 12.0.1.

Upgraded to OpenAM 12.0.2 (this issue does not affect fresh installs of OpenAM 12.0.2).

Installed the patch for OpenAM Security Advisory #201505 on OpenAM 11.0.3.

Causes

The fix for OpenAM Security Advisory #201505, which prevents exploitation of untrusted serialized objects, replaced unrestricted Java deserialization with a whitelist of allowed classes (the WhitelistObjectInputStream seen in the debug log). The console deserializes ServerConfigXML objects to render the Directory Configuration tab, and those classes were missing from the default whitelist, so the deserialization is refused and the tab shows no servers. This is a display-only issue: the Configuration data stores themselves are unchanged.

Solution

This issue can be resolved by upgrading to OpenAM 12.0.3 or later; you can download this from BackStage.

Note

Although this issue is fixed in OpenAM 12.0.2, the fix only reaches fresh installs, which ship with the corrected default whitelist. If you upgraded to OpenAM 12.0.2, the previously stored whitelist value is retained and the following update is still required.

This issue can be resolved by updating the Object Deserialisation Class Whitelist.

You can update this whitelist using either the OpenAM console or ssoadm:

  • OpenAM console: navigate to: Configuration > Servers and Sites > Default Server Settings > Security > Object Deserialisation Class Whitelist and add the following values:

      com.sun.identity.common.configuration.ServerConfigXML
      com.sun.identity.common.configuration.ServerConfigXML$DirUserObject
      com.sun.identity.common.configuration.ServerConfigXML$ServerGroup
      com.sun.identity.common.configuration.ServerConfigXML$ServerObject

  • ssoadm:
    1. Create a data file (called DATA_FILE to match the next command) with the following contents, as a single line:

       openam.deserialisation.classes.whitelist=com.iplanet.dpro.session.DNOrIPAddressListTokenRestriction,com.sun.identity.common.CaseInsensitiveHashMap,com.sun.identity.common.CaseInsensitiveHashSet,com.sun.identity.common.CaseInsensitiveKey,com.sun.identity.console.base.model.SMSubConfig,com.sun.identity.console.service.model.SMDescriptionData,com.sun.identity.console.service.model.SMDiscoEntryData,com.sun.identity.console.session.model.SMSessionData,com.sun.identity.shared.datastruct.OrderedSet,com.sun.xml.bind.util.ListImpl,com.sun.xml.bind.util.ProxyListImpl,java.lang.Boolean,java.lang.Integer,java.lang.Number,java.lang.StringBuffer,java.net.InetAddress,java.util.ArrayList,java.util.Collections$EmptyMap,java.util.HashMap,java.util.HashSet,java.util.Locale,org.forgerock.openam.authentication.service.protocol.RemoteCookie,org.forgerock.openam.authentication.service.protocol.RemoteHttpServletRequest,org.forgerock.openam.authentication.service.protocol.RemoteHttpServletResponse,org.forgerock.openam.authentication.service.protocol.RemoteServletRequest,org.forgerock.openam.authentication.service.protocol.RemoteServletResponse,org.forgerock.openam.authentication.service.protocol.RemoteSession,org.forgerock.openam.dpro.session.NoOpTokenRestriction,com.sun.identity.common.configuration.ServerConfigXML,com.sun.identity.common.configuration.ServerConfigXML$DirUserObject,com.sun.identity.common.configuration.ServerConfigXML$ServerGroup,com.sun.identity.common.configuration.ServerConfigXML$ServerObject

    2. Run the following command, replacing [adminID] and [passwordfile] with appropriate values:

       $ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -D DATA_FILE

Caution

The data file contents above assume you have not changed the openam.deserialisation.classes.whitelist property. If you have, include your own entries in this file as well, separating each whitelist value with a comma; update-server-cfg replaces the whole property value, so any entry missing from the file is lost.
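The following script is an added example for the ssoadm procedure and the caution above; it is not part of the original article and is not ForgeRock code. It builds DATA_FILE by merging the four ServerConfigXML classes into whatever whitelist value is already stored on the server (paste that value from the console field named above), so customised entries survive, and it also extracts the class names that WhitelistObjectInputStream rejected from a CoreSystem debug log, which lets you pick up the other missing-whitelist issues listed under Related Issue Tracker IDs in the same run. The file names, the sample whitelist and the sample log lines are constructed for the demo; the final ssoadm command is the one from the article.

```shell
#!/bin/sh
# Added example, not code from the original article or from ForgeRock.
# Merges the required classes (and any classes a debug log shows as rejected)
# into an existing openam.deserialisation.classes.whitelist value without
# dropping customisations, then writes the data file for ssoadm update-server-cfg.
# File names and sample inputs below are constructed for the demonstration.

# The four classes the article adds for the Directory Configuration tab.
REQUIRED_CLASSES='com.sun.identity.common.configuration.ServerConfigXML
com.sun.identity.common.configuration.ServerConfigXML$DirUserObject
com.sun.identity.common.configuration.ServerConfigXML$ServerGroup
com.sun.identity.common.configuration.ServerConfigXML$ServerObject'

# rejected_classes: read a CoreSystem debug log on stdin and print each class
# named in a "WhitelistObjectInputStream.resolveClass:<class> was not in the
# whitelist" line, deduplicated and sorted.
rejected_classes() {
    sed -n 's/.*WhitelistObjectInputStream\.resolveClass:\([^ ]*\) was not in the whitelist.*/\1/p' \
        | LC_ALL=C sort -u
}

# merge_whitelist CURRENT_VALUE [EXTRA_FILE]
# CURRENT_VALUE is the comma-separated value currently stored on the server.
# EXTRA_FILE holds further class names, one per line (e.g. rejected_classes output).
# Prints one comma-separated list: current entries first, in their original
# order, then the required classes, then the extras, with duplicates removed.
merge_whitelist() {
    current="$1"
    extra="${2:-/dev/null}"
    {
        printf '%s\n' "$current" | tr ',' '\n'
        printf '%s\n' "$REQUIRED_CLASSES"
        cat "$extra"
    } | awk 'NF && !seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 } END { print "" }'
}

# write_data_file CURRENT_VALUE EXTRA_FILE OUT_FILE
# Writes the properties file that "ssoadm update-server-cfg -D" expects.
write_data_file() {
    printf 'openam.deserialisation.classes.whitelist=%s\n' \
        "$(merge_whitelist "$1" "$2")" > "$3"
}

# --- constructed demo input (not real data) ---
# A whitelist customised before the upgrade; losing com.example.CustomToken
# would break whatever deserializes it.
CURRENT='java.util.ArrayList,java.util.HashMap,com.example.CustomToken'
# Two debug lines in the format quoted in the article; the second class is made up.
LOG='amUtil:09/10/2015 03:42:59:485 PM CEST: Thread[http-bio-8080-exec-9,5,main] WARNING: WhitelistObjectInputStream.resolveClass:com.sun.identity.common.configuration.ServerConfigXML$ServerObject was not in the whitelist of allowed classes
amUtil:09/10/2015 03:43:01:001 PM CEST: Thread[http-bio-8080-exec-2,5,main] WARNING: WhitelistObjectInputStream.resolveClass:com.example.OtherClass was not in the whitelist of allowed classes'

demo() {
    extra=$(mktemp)
    printf '%s\n' "$LOG" | rejected_classes > "$extra"
    write_data_file "$CURRENT" "$extra" DATA_FILE
    rm -f "$extra"
    cat DATA_FILE
    # Apply it exactly as the article does ([adminID] and [passwordfile] are placeholders):
    #   ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -D DATA_FILE
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh merge_whitelist.sh demo` (file name assumed) to write DATA_FILE in the current directory and print it; review the printed value before running update-server-cfg, since that command replaces the whole property. Merging is idempotent, so re-running against an already complete whitelist changes nothing.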

There are other known issues caused by missing whitelist values that you may want to review and resolve at the same time; see the Related Issue Tracker IDs below.

See Also

OpenAM Release Notes › What's New in OpenAM 12.0.1 › Security Advisories

OpenAM Release Notes › OpenAM Fixes, Limitations, and Known Issues

Related Training

N/A

Related Issue Tracker IDs

OPENAM-6468 (InvalidClassException with certauth after #201505-01 patch)

OPENAM-6499 (Configuration store servers are not listed in Directory Configuration)

OPENAM-6615 (12.0.1 Legacy Password reset options page does not display when clicking "Edit" on user profile page)

OPENAM-6741 (STS configuration not showing in admin console)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.