Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM (All versions) upgrade fails when com.iplanet.am.version is empty or corrupted

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if your AM upgrade fails, that is, the Upgrade page is not shown after deploying the new war file and the com.iplanet.am.version property is empty or invalid. This property indicates the AM version and is needed for the upgrade process.


1 reader recommends this article

Symptoms

The Upgrade page is not shown when you access the server URL after deploying a new war file for a later AM version. You may see the console as normal, a Loading... page or the following message instead:

HTTP 500 error in AMSetupFilter: type Exception report  message AMSetupFilter.doFilter  description The server encountered an internal error that prevented it from fulfilling this request.

You will see some errors in the web application container logs, but they will vary by version and you will also notice the com.iplanet.am.version property is empty or corrupted. See Checking the com.iplanet.am.version property section below for further information on checking this value.

You will see errors similar to the following in the web application container log (for example, catalina.out for Apache Tomcat™) depending on which version of AM you are upgrading to:

  • AM 6 and later: org.forgerock.openam.upgrade.UpgradeException: Unable to parse product versions for comparison. Current: null war: ForgeRock Access Management 6.0.0 Build 3676519ec1 (2018-May-08 10:07)    org.forgerock.openam.upgrade.VersionUtils.isVersionNewer(VersionUtils.java:100)     org.forgerock.openam.upgrade.VersionUtils.isVersionNewer(VersionUtils.java:87)     com.sun.identity.setup.AMSetupManager.isVersionNewer(AMSetupManager.java:72)     com.sun.identity.setup.AMSetupFilter.isConfigStoreDown(AMSetupFilter.java:162)     com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)    org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
  • AM 5.1.x: com.google.inject.ProvisionException: Guice provision errors: 1) Error injecting constructor, java.lang.IllegalStateException: Failed to load monitoring configuration     at com.sun.identity.monitoring.MonitoringConfig.<init>(Unknown Source)     at com.sun.identity.monitoring.MonitoringConfig.class(Unknown Source)     while locating com.sun.identity.monitoring.MonitoringConfig        for parameter 0 at com.sun.identity.monitoring.MonitoringManager.<init>(Unknown Source)     at com.sun.identity.monitoring.MonitoringManager.class(Unknown Source)     while locating com.sun.identity.monitoring.MonitoringManager  1 error     at com.google.inject.internal.InjectorImpl$4.get(InjectorImpl.java:987)     at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1013)     at org.forgerock.guice.core.InjectorHolder.getInstance(InjectorHolder.java:72)     at com.sun.identity.monitoring.MonitoringUtil.isRunning(MonitoringUtil.java:58)     at com.sun.identity.log.LogManager.updateMonitConfigForLogService(LogManager.java:679)     at com.sun.identity.log.LogManager.readConfiguration(LogManager.java:538)     at com.sun.identity.log.Logger.<clinit>(Logger.java:94)     at org.forgerock.openam.oauth2.OAuth2AuditLogger.init(OAuth2AuditLogger.java:52)     at org.forgerock.openam.oauth2.OAuth2AuditLogger.<init>(OAuth2AuditLogger.java:45)  ...  Caused by: java.lang.IllegalStateException: Failed to load monitoring configuration     at com.sun.identity.monitoring.MonitoringConfig.<init>(MonitoringConfig.java:63)     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)     at java.lang.reflect.Constructor.newInstance(Constructor.java:526)  ...  Caused by: java.lang.IllegalStateException: Failed to load monitoring configuration     at com.sun.identity.monitoring.MonitoringConfig$HotSwappableMonitoringConfig.<init>(MonitoringConfig.java:187)     at com.sun.identity.monitoring.MonitoringConfig.<init>(MonitoringConfig.java:48)  ... 104 more  Caused by: java.lang.NumberFormatException: null
  • AM 5: javax.servlet.ServletException: Servlet execution threw an exception    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:315)     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)     at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)     at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)  ...  Caused by: java.lang.NoClassDefFoundError: Could not initialize class com.sun.identity.authentication.service.AuthD
Note

You may see the "Unable to parse product versions for comparison" error during upgrade even though the com.iplanet.am.version property is populated correctly. If this happens, you should also check your AM debug logs for a "No subject alternative DNS name matching" error and refer to LDAP connection fails with No subject alternative DNS name matching error in AM 5.1.x, 5.5.2, 6.x, 7.x and DS 5.5.1, 5.5.2, 6.x, 7.x for further information.

You may also see an error similar to the following in the debug.out log:

amAudit:08/17/2017 10:21:35:895 AM EDT: Thread[localhost-startStop-1,5,main]: TransactionId[45e67abf-fcbc-42a8-a8ca-7081d9be1605-0] ERROR: Error accessing service AuditService Message:Service does not exist : AuditService     at com.sun.identity.sm.ServiceSchemaManagerImpl.isValid(ServiceSchemaManagerImpl.java:138)     at com.sun.identity.sm.ServiceSchemaManagerImpl.<init>(ServiceSchemaManagerImpl.java:116)     at com.sun.identity.sm.ServiceSchemaManagerImpl.getInstance(ServiceSchemaManagerImpl.java:640)     at com.sun.identity.sm.ServiceConfigManagerImpl.getGlobalConfig(ServiceConfigManagerImpl.java:194)     at com.sun.identity.sm.ServiceConfigManager.getGlobalConfig(ServiceConfigManager.java:253)     at org.forgerock.openam.audit.configuration.AuditServiceConfigurationProviderImpl.getAuditGlobalConfiguration(AuditServiceConfigurationProviderImpl.java:270)     at org.forgerock.openam.audit.configuration.AuditServiceConfigurationProviderImpl.getDefaultConfiguration(AuditServiceConfigurationProviderImpl.java:137)     at org.forgerock.openam.audit.AuditServiceProviderImpl.refreshDefaultAuditService(AuditServiceProviderImpl.java:132)     at org.forgerock.openam.audit.AuditServiceProviderImpl.access$000(AuditServiceProviderImpl.java:47)     at org.forgerock.openam.audit.AuditServiceProviderImpl$1.globalConfigurationChanged(AuditServiceProviderImpl.java:93)     at org.forgerock.openam.audit.configuration.AuditServiceConfigurationProviderImpl.addConfigurationListener(AuditServiceConfigurationProviderImpl.java:100)     at org.forgerock.openam.audit.AuditServiceProviderImpl.registerListeners(AuditServiceProviderImpl.java:90)     at org.forgerock.openam.audit.AuditServiceProviderImpl.<init>(AuditServiceProviderImpl.java:69)

Checking the com.iplanet.am.version property

You can check the com.iplanet.am.version property in the configuration store of the current AM version (that is, the one you are upgrading from) using one of the following methods. The value of this property should specify the product version and build details (per the table in the Solutions section):

  • Check a previous configuration export for this value assuming you have a recent backup.
  • Use the ldapsearch command to check the value, for example:
    • DS 7 and later: $ ./ldapsearch --hostname ds1.example.com --port 50389 --bindDN uid=admin --bindPassword password --baseDN "ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=openam,dc=forgerock,dc=org" '(objectclass=*)' '+' '*' | grep am.version
    • Pre-DS 7: $ ./ldapsearch --hostname ds1.example.com --port 50389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=openam,dc=forgerock,dc=org" '(objectclass=*)' '+' '*' | grep am.version
  • Use ssoadm to check the value, for example:
    • AM 7 and later: $ ./ssoadm list-server-cfg -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -s default | grep am.version
    • Pre-AM 7: $ ./ssoadm list-server-cfg -u amadmin -f pwd.txt -s default | grep am.version
  • Check the value of the com.iplanet.am.version property in the console (if the console is available) by navigating to: Configure > Server Defaults > Advanced.

Example corrupted or incomplete values that can cause this issue are:

com.iplanet.am.version=@VERSION@ (@DATESTAMP@) com.iplanet.am.version=OpenAM 14.0.0

If you are upgrading to a customized AM, that is, you have deployed a custom war file, you should also check the version is correct in the customized war file: Check the com.iplanet.am.version property value in the serverdefaults.properties file (located in the WEB-INF/classes directory in the war file) and ensure it corresponds to the version you are upgrading to per the table in the Solutions section.

Recent Changes

Deployed a later AM war file in order to upgrade.

Deployed a custom war file.

Used Amster to export and import service configurations.

Causes

The com.iplanet.am.version property indicates the AM version and is used to determine when the upgrade process should be started. The upgrade process is triggered if the version in the deployed AM war file is newer than the version defined in the configuration store. If the value in the configuration store is missing, incomplete or corrupted, the upgrade will not proceed correctly.

Possible reasons for an invalid com.iplanet.am.version property include:

Solution

This issue can be resolved using one of the following approaches:

  • Modify the com.iplanet.am.version value directly in the configuration store.
  • Modify the com.iplanet.am.version value in AM.

Modify the com.iplanet.am.version value directly in the configuration store 

  1. Create a ldif file to update the com.iplanet.am.version value, ensuring you specify the value that corresponds to the version you are upgrading from (find the required value in the table below). For example, if you are upgrading from AM 6: $ cat version.ldif dn: ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=openam,dc=forgerock,dc=org changetype: modify replace: com.iplanet.am.version com.iplanet.am.version=ForgeRock Access Management 6.5.0 Build f8ac1261d9 (2018-November-28 15:19)
  2. Update the configuration store with this modified entry using the following command depending on your version:
    • DS 7 and later: $ ./ldapmodify --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password version.ldif --UseSSL --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin
    • Pre-DS 7: $ ./ldapmodify --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password version.ldif --UseSSL --trustALL
  3. Restart the web application container in which AM runs to pick up this updated configuration; this should initiate the upgrade process again.

Modify the com.iplanet.am.version value in AM

  1. Modify the com.iplanet.am.version to the AM version currently deployed (that is, the version you are upgrading from) using either the console (if the console is available) or ssoadm (find the required value in the table below):
    • Console: navigate to: Configure > Server Defaults > Advanced and add the com.iplanet.am.version property and appropriate value. Once you have entered the property and value, click + to add followed by Save Changes.
    • ssoadm: enter the following command: $ ./ssoadm update-server-cfg -u [adminID] -f [passwordfile] -s default -a com.iplanet.am.version="[version]"replacing [adminID], [passwordfile] and [version] with appropriate values, where the [version] must be quotes.
  2. Restart the web application container in which AM runs to update the configuration; this should initiate the upgrade process again.

AM version and corresponding com.iplanet.am.version values

The following table shows the required value depending on your AM version:

Version com.iplanet.am.version
AM 7.0.1 ForgeRock Access Management 7.0.1 Build fb4286cca5ec8b02b2c3073da49d248fa487803f (2020-November-02 14:13)
AM 7 ForgeRock Access Management 7.0.0 Build ab875ee2a13a9f1ccb7f7d8032a31ef4c9684147 (2020-August-07 08:09)
AM 6.5.3 ForgeRock Access Management 6.5.3 Build fd13bbcf96 (2020-September-16 10:09)
AM 6.5.2.3 ForgeRock Access Management 6.5.2.3 Build 4ed586d624 (2020-February-17 09:14)
AM 6.5.2.2 ForgeRock Access Management 6.5.2.2 Build 512c5a2f00 (2019-October-30 10:12)
AM 6.5.2.1 ForgeRock Access Management 6.5.2.1 Build 727bdc4c2a (2019-August-20 13:05)
AM 6.5.2 ForgeRock Access Management 6.5.2 Build 314d553429 (2019-June-17 15:07)
AM 6.5.1 ForgeRock Access Management 6.5.1 Build 24e379e3e1 (2019-April-05 09:02)
AM 6.5.0.2 ForgeRock Access Management 6.5.0.2 Build d784683348 (2019-April-17 08:06)
AM 6.5.0.1 ForgeRock Access Management 6.5.0.1 Build d239585362 (2019-January-15 06:37)
AM 6.5 ForgeRock Access Management 6.5.0 Build f8ac1261d9 (2018-November-28 15:19)
AM 6.0.0.7 ForgeRock Access Management 6.0.0.7 Build 08f0eba1d7 (2019-May-16 12:51)
AM 6.0.0.6 ForgeRock Access Management 6.0.0.6 Build 92d60f32d1 (2018-November-26 06:25)
AM 6.0.0.5 ForgeRock Access Management 6.0.0.5 Build 70748811ef (2018-October-12 05:22)
AM 6.0.0.4 ForgeRock Access Management 6.0.0.4 Build 36b7da0716 (2018-August-19 21:05)
AM 6.0.0.3 ForgeRock Access Management 6.0.0.3 Build 6b8d8d357c (2018-July-15 21:12)
AM 6.0.0.2 ForgeRock Access Management 6.0.0.2 Build 3a1761ce2e (2018-June-12 22:40) 
AM 6.0.0.1 ForgeRock Access Management 6.0.0.1 Build e149ecbb9b (2018-May-23 20:06)
AM 6 ForgeRock Access Management 6.0.0 Build 3676519ec1 (2018-May-08 10:07)
AM 5.5.2 ForgeRock Access Management 5.5.2 Build b5d8681263 (2020-April-29 15:21)
AM 5.5.1 ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41)
AM 5.5 ForgeRock Access Management 5.5.0 Build 95de0e129b (2017-October-19 14:37)
AM 5.1.1 OpenAM 14.1.1 Build 2de1c7b98b (2017-August-09 12:33)
AM 5.1 OpenAM 14.1.0 Build 0d174ec57d (2017-June-06 09:33)
AM 5 OpenAM 14.0.0 Build 2db9af6287 (2017-March-29 05:21)

See Also

LDAP connection fails with No subject alternative DNS name matching error in AM 5.1.x, 5.5.2, 6.x, 7.x and DS 5.5.1, 5.5.2, 6.x, 7.x

Best practice for upgrading to AM 6.x

How do I upgrade AM (All versions) with minimal downtime when replication is used?

FAQ: Upgrading AM

Upgrading AM

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and TrademarksCopyright © 2021 ForgeRock, all rights reserved.
Loading...