Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM (All versions) upgrade fails when com.iplanet.am.version is empty or corrupted

Last updated Jan 16, 2023

The purpose of this article is to provide assistance if your AM upgrade fails, that is, the Upgrade page is not shown after deploying the new war file and the com.iplanet.am.version property is empty or invalid. This property indicates the AM version and is needed for the upgrade process.


2 readers recommend this article

Symptoms

The Upgrade page is not shown when you access the server URL after deploying a new war file for a later AM version. You may see the AM admin UI as normal, a Loading... page or the following message instead:

HTTP 500 error in AMSetupFilter: type Exception report  message AMSetupFilter.doFilter  description The server encountered an internal error that prevented it from fulfilling this request.

You will see some errors in the web application container logs and also notice the com.iplanet.am.version property is empty or corrupted. See Checking the com.iplanet.am.version property section below for further information on checking this value.

You will see an error similar to the following in the web application container log (for example, catalina.out for Apache Tomcat™): org.forgerock.openam.upgrade.UpgradeException: Unable to parse product versions for comparison. Current: null war: ForgeRock Access Management 6.0.0 Build 3676519ec1 (2018-May-08 10:07)    org.forgerock.openam.upgrade.VersionUtils.isVersionNewer(VersionUtils.java:100)     org.forgerock.openam.upgrade.VersionUtils.isVersionNewer(VersionUtils.java:87)     com.sun.identity.setup.AMSetupManager.isVersionNewer(AMSetupManager.java:72)     com.sun.identity.setup.AMSetupFilter.isConfigStoreDown(AMSetupFilter.java:162)     com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)    org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)

Note

You may see the "Unable to parse product versions for comparison" error during upgrade even though the com.iplanet.am.version property is populated correctly. If this happens, you should also check your AM debug logs for a "No subject alternative DNS name matching" error and refer to LDAP connection fails with No subject alternative DNS name matching error in AM and DS (All versions) for further information.

You may also see an error similar to the following in the debug.out log:

amAudit:08/17/2017 10:21:35:895 AM EDT: Thread[localhost-startStop-1,5,main]: TransactionId[45e67abf-fcbc-42a8-a8ca-7081d9be1605-0] ERROR: Error accessing service AuditService Message:Service does not exist : AuditService     at com.sun.identity.sm.ServiceSchemaManagerImpl.isValid(ServiceSchemaManagerImpl.java:138)     at com.sun.identity.sm.ServiceSchemaManagerImpl.<init>(ServiceSchemaManagerImpl.java:116)     at com.sun.identity.sm.ServiceSchemaManagerImpl.getInstance(ServiceSchemaManagerImpl.java:640)     at com.sun.identity.sm.ServiceConfigManagerImpl.getGlobalConfig(ServiceConfigManagerImpl.java:194)     at com.sun.identity.sm.ServiceConfigManager.getGlobalConfig(ServiceConfigManager.java:253)     at org.forgerock.openam.audit.configuration.AuditServiceConfigurationProviderImpl.getAuditGlobalConfiguration(AuditServiceConfigurationProviderImpl.java:270)     at org.forgerock.openam.audit.configuration.AuditServiceConfigurationProviderImpl.getDefaultConfiguration(AuditServiceConfigurationProviderImpl.java:137)     at org.forgerock.openam.audit.AuditServiceProviderImpl.refreshDefaultAuditService(AuditServiceProviderImpl.java:132)     at org.forgerock.openam.audit.AuditServiceProviderImpl.access$000(AuditServiceProviderImpl.java:47)     at org.forgerock.openam.audit.AuditServiceProviderImpl$1.globalConfigurationChanged(AuditServiceProviderImpl.java:93)     at org.forgerock.openam.audit.configuration.AuditServiceConfigurationProviderImpl.addConfigurationListener(AuditServiceConfigurationProviderImpl.java:100)     at org.forgerock.openam.audit.AuditServiceProviderImpl.registerListeners(AuditServiceProviderImpl.java:90)     at org.forgerock.openam.audit.AuditServiceProviderImpl.<init>(AuditServiceProviderImpl.java:69)

Checking the com.iplanet.am.version property

You can check the com.iplanet.am.version property in the configuration store of the current AM version (that is, the one you are upgrading from) using one of the following methods. The value of this property should specify the product version and build details (per the table in the Solutions section):

  • Check a previous configuration export for this value assuming you have a recent backup.
  • Use the ldapsearch command to check the value, for example:
    • DS 7.1 and later: $ ./ldapsearch --hostname ds.example.com --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN "ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=am,dc=forgerock,dc=org" '(objectclass=*)' '+' '*' | grep am.version
    • DS 7: $ ./ldapsearch --hostname ds.example.com --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN "ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=am,dc=forgerock,dc=org" '(objectclass=*)' '+' '*' | grep am.version
    • Pre-DS 7: $ ./ldapsearch --hostname ds.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=am,dc=forgerock,dc=org" '(objectclass=*)' '+' '*' | grep am.version
  • Use ssoadm to check the value, for example:
    • AM 7 and later: $ ./ssoadm list-server-cfg -u uid=amAdmin,ou=People,dc=am,dc=forgerock,dc=org -f pwd.txt -s default | grep am.version
    • Pre-AM 7: $ ./ssoadm list-server-cfg -u amadmin -f pwd.txt -s default | grep am.version
  • Check the value of the com.iplanet.am.version property in the AM admin UI (if available) by navigating to: Configure > Server Defaults > Advanced.

Example corrupted or incomplete values that can cause this issue are:

com.iplanet.am.version=@VERSION@ (@DATESTAMP@) com.iplanet.am.version=OpenAM 14.0.0

If you are upgrading to a customized AM, that is, you have deployed a custom war file, you should also check the version is correct in the customized war file: Check the com.iplanet.am.version property value in the serverdefaults.properties file (located in the WEB-INF/classes directory in the war file) and ensure it corresponds to the version you are upgrading to per the table in the Solutions section.

Recent Changes

Deployed a later AM war file in order to upgrade.

Deployed a custom war file.

Used Amster to export and import service configurations.

Causes

The com.iplanet.am.version property indicates the AM version and is used to determine when the upgrade process should be started. The upgrade process is triggered if the version in the deployed AM war file is newer than the version defined in the configuration store. If the value in the configuration store is missing, incomplete or corrupted, the upgrade will not proceed correctly.

One of the reasons this can happen is if you have deployed a custom war file - this may be the currently deployed AM or the one you are upgrading to.

Solution

This issue can be resolved using one of the following approaches:

  • Modify the com.iplanet.am.version value directly in the configuration store.
  • Modify the com.iplanet.am.version value in AM.

Modify the com.iplanet.am.version value directly in the configuration store

  1. Create a ldif file to update the com.iplanet.am.version value, ensuring you specify the value that corresponds to the version you are upgrading from (find the required value in the table below). For example, if you are upgrading from AM 7: $ cat version.ldif dn: ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=am,dc=forgerock,dc=org changetype: modify replace: com.iplanet.am.version com.iplanet.am.version=ForgeRock Access Management 7.0.0 Build ab875ee2a13a9f1ccb7f7d8032a31ef4c9684147 (2020-August-07 08:09)
  2. Update the configuration store with this modified entry using the following command depending on your version:
    • DS 7.1 and later: $ ./ldapmodify --hostname ds.example.com --port 1636 --UseSSL --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password version.ldif
    • DS 7: $ ./ldapmodify --hostname ds.example.com --port 1636 --UseSSL --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password version.ldif
    • Pre-DS 7: $ ./ldapmodify --hostname ds.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password version.ldif
  3. Restart the web application container in which AM runs to pick up this updated configuration; this should initiate the upgrade process again.

Modify the com.iplanet.am.version value in AM

  1. Modify the com.iplanet.am.version to the AM version currently deployed (that is, the version you are upgrading from) using either the AM admin UI (if available) or ssoadm (find the required value in the table below):
    • AM admin UI: navigate to: Configure > Server Defaults > Advanced and add the com.iplanet.am.version property and appropriate value. Once you have entered the property and value, click + to add followed by Save Changes.
    • ssoadm: enter the following command: $ ./ssoadm update-server-cfg -u [adminID] -f [passwordfile] -s default -a com.iplanet.am.version="[version]"replacing [adminID], [passwordfile] and [version] with appropriate values, where the [version] must be in quotes.
  2. Restart the web application container in which AM runs to update the configuration; this should initiate the upgrade process again.

AM version and corresponding com.iplanet.am.version values

The following table shows the required value depending on your AM version:

Version com.iplanet.am.version
AM 7.2 ForgeRock Access Management 7.2.0 Build 64ef7ebc01ed3df1a1264d7b0400351bc101361f (2022-June-27 08:15)
AM 7.1.3 ForgeRock Access Management 7.1.3 Build 2c18147f7e042b9af7632119f2249d4697efdef0 (2022-October-12 13:39)
AM 7.1.2 ForgeRock Access Management 7.1.2 Build 1b8a956b868a6794e652f23a878e694c07b8ecc9 (2022-March-11 20:06)
AM 7.1.1 ForgeRock Access Management 7.1.1 Build 0d6b9f8864af1166f0eda0dbcc16bf3be1a30754 (2021-December-01 14:57)
AM 7.1 ForgeRock Access Management 7.1.0 Build 4e72fe392c000b0a15027eb41267d01bfd2d2220 (2021-May-10 11:40)
AM 7.0.1 ForgeRock Access Management 7.0.1 Build fb4286cca5ec8b02b2c3073da49d248fa487803f (2020-November-02 14:13)
AM 7 ForgeRock Access Management 7.0.0 Build ab875ee2a13a9f1ccb7f7d8032a31ef4c9684147 (2020-August-07 08:09)
AM 6.5.5 ForgeRock Access Management 6.5.5 Build 16e236be11 (2022-July-29 14:48)
AM 6.5.4 ForgeRock Access Management 6.5.4 Build cd021a197a (2021-October-08 13:45)
AM 6.5.3 ForgeRock Access Management 6.5.3 Build fd13bbcf96 (2020-September-16 10:09)
AM 6.5.2.3 ForgeRock Access Management 6.5.2.3 Build 4ed586d624 (2020-February-17 09:14)
AM 6.5.2.2 ForgeRock Access Management 6.5.2.2 Build 512c5a2f00 (2019-October-30 10:12)
AM 6.5.2.1 ForgeRock Access Management 6.5.2.1 Build 727bdc4c2a (2019-August-20 13:05)
AM 6.5.2 ForgeRock Access Management 6.5.2 Build 314d553429 (2019-June-17 15:07)
AM 6.5.1 ForgeRock Access Management 6.5.1 Build 24e379e3e1 (2019-April-05 09:02)
AM 6.5.0.2 ForgeRock Access Management 6.5.0.2 Build d784683348 (2019-April-17 08:06)
AM 6.5.0.1 ForgeRock Access Management 6.5.0.1 Build d239585362 (2019-January-15 06:37)
AM 6.5 ForgeRock Access Management 6.5.0 Build f8ac1261d9 (2018-November-28 15:19)
AM 6.0.0.7 ForgeRock Access Management 6.0.0.7 Build 08f0eba1d7 (2019-May-16 12:51)
AM 6.0.0.6 ForgeRock Access Management 6.0.0.6 Build 92d60f32d1 (2018-November-26 06:25)
AM 6.0.0.5 ForgeRock Access Management 6.0.0.5 Build 70748811ef (2018-October-12 05:22)
AM 6.0.0.4 ForgeRock Access Management 6.0.0.4 Build 36b7da0716 (2018-August-19 21:05)
AM 6.0.0.3 ForgeRock Access Management 6.0.0.3 Build 6b8d8d357c (2018-July-15 21:12)
AM 6.0.0.2 ForgeRock Access Management 6.0.0.2 Build 3a1761ce2e (2018-June-12 22:40)
AM 6.0.0.1 ForgeRock Access Management 6.0.0.1 Build e149ecbb9b (2018-May-23 20:06)
AM 6 ForgeRock Access Management 6.0.0 Build 3676519ec1 (2018-May-08 10:07)

See Also

LDAP connection fails with No subject alternative DNS name matching error in AM and DS (All versions)

Best practice for upgrading to AM 7.x

How do I upgrade AM (All versions) with minimal downtime when replication is used?

FAQ: Upgrading AM

Upgrading AM

Upgrade

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.