Solutions

AM/OpenAM (All versions) upgrade fails when com.iplanet.am.version is empty or corrupted

Last updated Jan 17, 2019

The purpose of this article is to provide assistance if your AM/OpenAM upgrade fails, that is, the Upgrade page is not shown after deploying the new war file and the com.iplanet.am.version property is empty or invalid. This property indicates the AM/OpenAM version and is needed for the upgrade process.


1 reader recommends this article

Symptoms

The Upgrade page is not shown when you access the server URL after deploying a new war file for a later AM/OpenAM version. You may see the console as normal, a Loading... page or the following message instead:

HTTP 500 error in AMSetupFilter: 
type Exception report

message AMSetupFilter.doFilter

description The server encountered an internal error that prevented it from fulfilling this request.

You will see some errors in the web application container logs, but they will vary by version and you will also notice the com.iplanet.am.version property is empty or corrupted. See Checking the com.iplanet.am.version property section below for further information on checking this value.

You will see errors similar to the following in the web application container log (for example, catalina.out for Apache Tomcat™) depending on which version of AM/OpenAM you are upgrading to:

  • AM 6 and later:
    org.forgerock.openam.upgrade.UpgradeException: Unable to parse product versions for comparison. Current: null war: ForgeRock Access Management 6.0.0 Build 3676519ec1 (2018-May-08 10:07)
       org.forgerock.openam.upgrade.VersionUtils.isVersionNewer(VersionUtils.java:100)
       org.forgerock.openam.upgrade.VersionUtils.isVersionNewer(VersionUtils.java:87)
       com.sun.identity.setup.AMSetupManager.isVersionNewer(AMSetupManager.java:72)
       com.sun.identity.setup.AMSetupFilter.isConfigStoreDown(AMSetupFilter.java:162)
       com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
       org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
    
  • AM 5.1.x:
    com.google.inject.ProvisionException: Guice provision errors:
    
    1) Error injecting constructor, java.lang.IllegalStateException: Failed to load monitoring configuration
       at com.sun.identity.monitoring.MonitoringConfig.<init>(Unknown Source)
       at com.sun.identity.monitoring.MonitoringConfig.class(Unknown Source)
       while locating com.sun.identity.monitoring.MonitoringConfig
         for parameter 0 at com.sun.identity.monitoring.MonitoringManager.<init>(Unknown Source)
       at com.sun.identity.monitoring.MonitoringManager.class(Unknown Source)
       while locating com.sun.identity.monitoring.MonitoringManager
    
    1 error
       at com.google.inject.internal.InjectorImpl$4.get(InjectorImpl.java:987)
       at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1013)
       at org.forgerock.guice.core.InjectorHolder.getInstance(InjectorHolder.java:72)
       at com.sun.identity.monitoring.MonitoringUtil.isRunning(MonitoringUtil.java:58)
       at com.sun.identity.log.LogManager.updateMonitConfigForLogService(LogManager.java:679)
       at com.sun.identity.log.LogManager.readConfiguration(LogManager.java:538)
       at com.sun.identity.log.Logger.<clinit>(Logger.java:94)
       at org.forgerock.openam.oauth2.OAuth2AuditLogger.init(OAuth2AuditLogger.java:52)
       at org.forgerock.openam.oauth2.OAuth2AuditLogger.<init>(OAuth2AuditLogger.java:45)
    ...
    Caused by: java.lang.IllegalStateException: Failed to load monitoring configuration
       at com.sun.identity.monitoring.MonitoringConfig.<init>(MonitoringConfig.java:63)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
       at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    ...
    Caused by: java.lang.IllegalStateException: Failed to load monitoring configuration
       at com.sun.identity.monitoring.MonitoringConfig$HotSwappableMonitoringConfig.<init>(MonitoringConfig.java:187)
       at com.sun.identity.monitoring.MonitoringConfig.<init>(MonitoringConfig.java:48)
     ... 104 more
    Caused by: java.lang.NumberFormatException: null
       at java.lang.Integer.parseInt(Integer.java:454)
       at java.lang.Integer.valueOf(Integer.java:582)
       at com.sun.identity.monitoring.MonitoringConfig$HotSwappableMonitoringConfig.loadSettings(MonitoringConfig.java:204)
       at com.sun.identity.monitoring.MonitoringConfig$HotSwappableMonitoringConfig.<init>(MonitoringConfig.java:183)
     ... 105 more
    
  • AM 5:
    javax.servlet.ServletException: Servlet execution threw an exception
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:315)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
       at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
       at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
       at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
    ...
    Caused by: java.lang.NoClassDefFoundError: Could not initialize class com.sun.identity.authentication.service.AuthD
     at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:199)
     at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:172)
     at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:412)
     at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
     at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
     at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
     ... 35 more
    
  • OpenAM 13.5.0:
    javax.servlet.ServletException: Servlet execution threw an exception
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:326)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
       at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
       at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
       at org.forgerock.openam.xui.XUIFilter.doFilter(XUIFilter.java:131)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
       at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
    ...
    Caused by: java.lang.ExceptionInInitializerError
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    ...
    Caused by: java.lang.IllegalStateException: Unable to initialize AuthD
       at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:262)
       at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:101)
       at com.sun.identity.authentication.service.AuthD$SingletonHolder.getInstance(AuthD.java:123)
       at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:532)
       at com.sun.identity.authentication.UI.AuthExceptionViewBean.<clinit>(AuthExceptionViewBean.java:298)
    	... 44 more
    Caused by: com.google.inject.ProvisionException: Guice provision errors:
    1) Error injecting constructor, java.lang.NullPointerException
       at org.forgerock.openam.audit.AuditServiceProviderImpl.<init>(Unknown Source)
       at org.forgerock.openam.audit.AuditServiceProviderImpl.class(Unknown Source)
       while locating org.forgerock.openam.audit.AuditServiceProviderImpl
       while locating org.forgerock.openam.audit.AuditServiceProvider
         for parameter 0 at org.forgerock.openam.audit.AuditEventPublisherImpl.<init>(Unknown Source)
       at org.forgerock.openam.audit.AuditEventPublisherImpl.class(Unknown Source)
       while locating org.forgerock.openam.audit.AuditEventPublisherImpl
       while locating org.forgerock.openam.audit.AuditEventPublisher
         for parameter 0 at com.iplanet.dpro.session.service.SessionAuditor.<init>(Unknown Source)
       at com.iplanet.dpro.session.service.SessionAuditor.class(Unknown Source)
       while locating com.iplanet.dpro.session.service.SessionAuditor
         for parameter 11 at com.iplanet.dpro.session.service.SessionService.<init>(Unknown Source)
       at com.iplanet.dpro.session.service.SessionService.class(Unknown Source)
       while locating com.iplanet.dpro.session.service.SessionService
    1 error
       at com.google.inject.internal.InjectorImpl$4.get(InjectorImpl.java:987)
       at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1013)
       at org.forgerock.guice.core.InjectorHolder.getInstance(InjectorHolder.java:80)
       at com.sun.identity.authentication.service.AuthD.getSessionService(AuthD.java:799)
       at com.sun.identity.authentication.service.AuthD.initAuthSession(AuthD.java:815)
       at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:243)
       ... 48 more
    Caused by: java.lang.NullPointerException
    
Note

You may see the "Unable to parse product versions for comparison" error during upgrade even though the com.iplanet.am.version property is populated correctly. If this happens, you should also check your AM debug logs for a "No subject alternative DNS name matching" error and refer to LDAP connection fails with No subject alternative DNS name matching error in AM 5.1.x, 6.x and DS 5.5.1, 5.5.2, 6.x for further information.

You may also see an error similar to the following in the debug.out log:

amAudit:08/17/2017 10:21:35:895 AM EDT: Thread[localhost-startStop-1,5,main]: TransactionId[45e67abf-fcbc-42a8-a8ca-7081d9be1605-0]
ERROR: Error accessing service AuditService
Message:Service does not exist : AuditService
   at com.sun.identity.sm.ServiceSchemaManagerImpl.isValid(ServiceSchemaManagerImpl.java:138)
   at com.sun.identity.sm.ServiceSchemaManagerImpl.<init>(ServiceSchemaManagerImpl.java:116)
   at com.sun.identity.sm.ServiceSchemaManagerImpl.getInstance(ServiceSchemaManagerImpl.java:640)
   at com.sun.identity.sm.ServiceConfigManagerImpl.getGlobalConfig(ServiceConfigManagerImpl.java:194)
   at com.sun.identity.sm.ServiceConfigManager.getGlobalConfig(ServiceConfigManager.java:253)
   at org.forgerock.openam.audit.configuration.AuditServiceConfigurationProviderImpl.getAuditGlobalConfiguration(AuditServiceConfigurationProviderImpl.java:270)
   at org.forgerock.openam.audit.configuration.AuditServiceConfigurationProviderImpl.getDefaultConfiguration(AuditServiceConfigurationProviderImpl.java:137)
   at org.forgerock.openam.audit.AuditServiceProviderImpl.refreshDefaultAuditService(AuditServiceProviderImpl.java:132)
   at org.forgerock.openam.audit.AuditServiceProviderImpl.access$000(AuditServiceProviderImpl.java:47)
   at org.forgerock.openam.audit.AuditServiceProviderImpl$1.globalConfigurationChanged(AuditServiceProviderImpl.java:93)
   at org.forgerock.openam.audit.configuration.AuditServiceConfigurationProviderImpl.addConfigurationListener(AuditServiceConfigurationProviderImpl.java:100)
   at org.forgerock.openam.audit.AuditServiceProviderImpl.registerListeners(AuditServiceProviderImpl.java:90)
   at org.forgerock.openam.audit.AuditServiceProviderImpl.<init>(AuditServiceProviderImpl.java:69)

Checking the com.iplanet.am.version property

You can check the com.iplanet.am.version property in the configuration store of the current AM/OpenAM version (that is, the one you are upgrading from) using one of the following methods. The value of this property should specify the product version and build details (per the table in the Solutions section):

  • Check a previous configuration export for this value assuming you have a recent backup.
  • Use the ldapsearch command to check the value, for example:
    $ ./ldapsearch --hostname ds1.example.com --port 50389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=openam,dc=forgerock,dc=org" '(objectclass=*)' '+' '*' | grep am.version
    
  • Use ssoadm to check the value, for example:
    $ ./ssoadm list-server-cfg -u amadmin -f pwd.txt -s default | grep am.version
  • Check the value of the com.iplanet.am.version property in the console (if the console is available). In AM / OpenAM 13.5, navigate to: Configure > Server Defaults > Advanced and in pre-OpenAM 13.5, navigate to: Configuration > Servers and Sites > Default Server Settings > Advanced.

Example corrupted or incomplete values that can cause this issue are:

com.iplanet.am.version=@VERSION@ (@DATESTAMP@)
com.iplanet.am.version=OpenAM 14.0.0

If you are upgrading to a customized AM/OpenAM, that is, you have deployed a custom war file, you should also check the version is correct in the customized war file: Check the com.iplanet.am.version property value in the serverdefaults.properties file (located in the WEB-INF/classes directory in the war file) and ensure it corresponds to the version you are upgrading to per the table in the Solutions section.

Recent Changes

Deployed a later AM/OpenAM war file in order to upgrade.

Deployed a custom war file.

Used Amster to export and import service configurations.

Causes

The com.iplanet.am.version property indicates the AM/OpenAM version and is used to determine when the upgrade process should be started. The upgrade process is triggered if the version in the deployed AM/OpenAM war file is newer than the version defined in the configuration store. If the value in the configuration store is missing, incomplete or corrupted, the upgrade will not proceed correctly.

Possible reasons for an invalid com.iplanet.am.version property include:

  • You have deployed a custom war file - this may be the currently deployed AM/OpenAM or the one you are upgrading to.
  • You exported and imported a service configuration using Amster in AM 5 or 5.1.x; there is a known issue, which removes the com.iplanet.am.version property value: OPENAM-11307 (Amster import should not set the com.iplanet.am.version property). This issue is resolved in AM 5.5.

Solution

This issue can be resolved using one of the following approaches:

  • Modify the com.iplanet.am.version value directly in the configuration store.
  • Modify the com.iplanet.am.version value in AM/OpenAM.

Modify the com.iplanet.am.version value directly in the configuration store

  1. Create an ldif file to update the com.iplanet.am.version value, ensuring you specify the value that corresponds to the version you are upgrading from (find the required value in the table below). For example, if you are upgrading from AM 6:
    $ cat version.ldif
    dn: ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=openam,dc=forgerock,dc=org
    changetype: modify
    replace: com.iplanet.am.version 
    com.iplanet.am.version=ForgeRock Access Management 6.0.0 Build 3676519ec1 (2018-May-08 10:07)
    
  2. Update the configuration store with this modified entry using the following command depending on your version:
    • DS 5 and later:
      $ ./ldapmodify --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password version.ldif --UseSSL --trustALL
    • Pre-DS 5:
      $ ./ldapmodify --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --filename version.ldif --UseSSL --trustALL
      
  3. Restart the web application container in which AM/OpenAM runs to pick up this updated configuration; this should initiate the upgrade process again.

Modify the com.iplanet.am.version value in AM/OpenAM

  1. Modify the com.iplanet.am.version to the AM/OpenAM version currently deployed (that is, the version you are upgrading from) using either the console (if the console is available) or ssoadm (find the required value in the table below):
    • AM / OpenAM 13.5 console: navigate to: Configure > Server Defaults > Advanced and add the com.iplanet.am.version property and appropriate value. Once you have entered the property and value, click + to add followed by Save Changes.
    • Pre-OpenAM 13.5 console: navigate to: Configuration > Servers and Sites > Default Server Settings > Advanced and add the com.iplanet.am.version property and appropriate value.
    • ssoadm: enter the following command:
      $ ./ssoadm update-server-cfg -u [adminID] -f [passwordfile] -s default -a com.iplanet.am.version="[version]"
      replacing [adminID], [passwordfile] and [version] with appropriate values, where the [version] must be quotes.
  2. Restart the web application container in which AM/OpenAM runs to update the configuration; this should initiate the upgrade process again.

AM/OpenAM version and corresponding com.iplanet.am.version values

The following table shows the required value depending on your AM/OpenAM version:

Version com.iplanet.am.version
AM 6.5.0.1 ForgeRock Access Management 6.5.0.1 Build d239585362 (2019-January-15 06:37)
AM 6.5 ForgeRock Access Management 6.5.0 Build f8ac1261d9 (2018-November-28 15:19)
AM 6.0.0.6 ForgeRock Access Management 6.0.0.6 Build 92d60f32d1 (2018-November-26 06:25)
AM 6.0.0.5 ForgeRock Access Management 6.0.0.5 Build 70748811ef (2018-October-12 05:22)
AM 6.0.0.4 ForgeRock Access Management 6.0.0.4 Build 36b7da0716 (2018-August-19 21:05)
AM 6.0.0.3 ForgeRock Access Management 6.0.0.3 Build 6b8d8d357c (2018-July-15 21:12)
AM 6.0.0.2 ForgeRock Access Management 6.0.0.2 Build 3a1761ce2e (2018-June-12 22:40) 
AM 6.0.0.1 ForgeRock Access Management 6.0.0.1 Build e149ecbb9b (2018-May-23 20:06)
AM 6 ForgeRock Access Management 6.0.0 Build 3676519ec1 (2018-May-08 10:07)
AM 5.5.1 ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41)
AM 5.5 ForgeRock Access Management 5.5.0 Build 95de0e129b (2017-October-19 14:37)
AM 5.1.1 OpenAM 14.1.1 Build 2de1c7b98b (2017-August-09 12:33)
AM 5.1 OpenAM 14.1.0 Build 0d174ec57d (2017-June-06 09:33)
AM 5 OpenAM 14.0.0 Build 2db9af6287 (2017-March-29 05:21)
OpenAM 13.5.2 OpenAM 13.5.2 Build 3242213173 (2018-June-05 14:43)
OpenAM 13.5.1 OpenAM 13.5.1 Build 15db0458c8 (2017-July-21 10:54)
OpenAM 13.5.0 OpenAM 13.5.0 Build 550cfe7d60 (2016-July-13 08:43)
OpenAM 13.0 OpenAM 13.0.0 Build 5d4589530d (2016-January-14 21:15)
OpenAM 12.0.4 OpenAM 12.0.4 Build 55a318123d (2016-October-12 08:25)
OpenAM 12.0.3 OpenAM 12.0.3 Build 29988e300d (2016-May-18 11:37)
OpenAM 12.0.2 OpenAM 12.0.2 Build 15797 (2015-September-21 17:41)
OpenAM 12.0.1 OpenAM 12.0.1 Build 14322 (2015-June-22 16:03)
OpenAM 12.0.0 OpenAM 12.0.0 Build 11961 (2014-December-17 21:16)

See Also

ssoadm command fails to run with null pointer exception in AM 5 and 5.1.x

Best practice for upgrading to AM 6.x

Best practice for upgrading to AM 5.x

Best practice for upgrading to OpenAM 13.x

How do I upgrade AM/OpenAM (All versions) with minimal downtime when replication is used?

How do I upgrade AM/OpenAM (All versions) if I am using a site configuration?

FAQ: Upgrading AM/OpenAM

Upgrading AM/OpenAM

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11547 (Missing entry or corrupted value in "com.iplanet.am.version" causes upgrade failure )

OPENAM-11307 (Amster import should not set the com.iplanet.am.version property)

OPENAM-9967 (OpenAM upgrade can hang if com.iplanet.am.version is not found)

OPENAM-2090 (OPENAM_HOME/.version file is not updated)



Copyright and TrademarksCopyright © 2019 ForgeRock, all rights reserved.
Loading...