FAQ: Patches in AM
The purpose of this FAQ is to provide answers to commonly asked questions regarding patches in AM, including Security Advisory patches.
Frequently asked questions
- Q. How do I install a patch?
- Q. How does the patch work?
- Q. How can I check that I have applied the patch successfully?
- Q. How do I check for conflicting patches that have already been installed?
- Q. What happens to my patches when I upgrade to a later version?
- Q. What happens to my patches when I install a security advisory?
- Q. Do I have to install each security advisory patch individually for my version of AM?
Q. How do I install a patch?
A. You can install a patch as detailed in How do I install an AM patch (All versions) supplied by ForgeRock support?
For security advisory patches, you should refer to the README.X file contained in the WEB-INF directory of the unzipped security advisory patch file for instructions on installing the patch.
Q. How does the patch work?
A. The patched classes contain updated code to resolve your issue(s). When you extract the patch to the /path/to/tomcat/webapps/am directory, AM loads the patched class from that directory first before loading the other class from the jar file, meaning the patched class will always take precedence.
Q. How can I check that I have applied the patch successfully?
A. You can compare the contents of the filesystem layout in the zip file and the /WEB-INF/classes directory to ensure the new class files (and corresponding directory structure) have been created. If you want further reassurance, you can check that the changed classes are being loaded from the /WEB-INF/classes directory rather than a jar file. The following example uses the Apache Tomcat™ web container:
- Add the following line to the setenv.sh file (typically located in the /tomcat/bin/ directory). If this file doesn't exist, you should create it in the same directory as the catalina.sh file (also located in the /tomcat/bin/ directory): export CATALINA_OPTS="$CATALINA_OPTS -verbose:class"
- Restart the web application container in which AM runs.
- Check the catalina.out file to verify that the changed classes are now loaded from the individually unzipped class files. For example, you will see something similar to the following at the end of the catalina.out file if they are: [Loaded com.sun.identity.setup.AMSetupServlet from file: /path/to/tomcat/webapps/am/WEB-INF/classes/com/sun/identity/setup/AMSetupServlet.class]
You won't necessarily see all classes loaded straight away as some of them might not be needed until certain functionality is used, but if you check that one or two of them are being loaded and the others were unzipped to the same directory, then this is a fairly reliable check.
Q. How do I check for conflicting patches that have already been installed?
A. You can check the /path/to/tomcat/webapps/am/WEB-INF/classes directory where AM is deployed to ensure that the classes contained in the patch don't already exist in the WEB-INF/classes directory. If one or more classes do already exist, it may mean you have a conflicting patch installed. If this is the case, you should seek advice from ForgeRock support prior to applying the patch.
See How do I use the patchinfo utility to check what patches are installed for AM or IG (All versions)? and How do I check what patches are installed for ForgeRock products? for further information.
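The checks described in the two answers above (comparing the patch zip against WEB-INF/classes before and after installation, and confirming the load source from -verbose:class output) can be scripted. The following is an added example, not ForgeRock tooling: it assumes the patch zip stores classes under WEB-INF/classes/ relative to the webapp root and that log lines use the format shown in this FAQ; audit_patch, demo and the com.example classes are hypothetical names with constructed sample data.

```python
import re
import tempfile
import zipfile
from pathlib import Path

CLASSES = "WEB-INF/classes/"  # assumed zip layout, relative to the webapp root
# -verbose:class line format as shown in this FAQ
LOADED = re.compile(r"\[Loaded (\S+) from (\S.*?)\]")

def audit_patch(patch_zip, webapp_dir, log_text=""):
    """Map each class in the patch to (disk_state, load_state)."""
    loaded = {m.group(1): m.group(2) for m in LOADED.finditer(log_text)}
    report = {}
    with zipfile.ZipFile(patch_zip) as zf:
        for name in zf.namelist():
            if not (name.startswith(CLASSES) and name.endswith(".class")):
                continue
            cls = name[len(CLASSES):-len(".class")].replace("/", ".")
            deployed = Path(webapp_dir) / name
            if not deployed.is_file():
                disk = "missing"        # no conflict, or patch not installed
            elif deployed.read_bytes() == zf.read(name):
                disk = "matches-patch"  # this patch's class is in place
            else:
                disk = "differs"        # class from another patch: possible conflict
            src = loaded.get(cls)
            load = ("not-loaded-yet" if src is None else
                    "classes-dir" if "/WEB-INF/classes/" in src else "elsewhere")
            report[cls] = (disk, load)
    return report

def demo():
    """Constructed sample: two-class patch; class A already left by an earlier patch."""
    root = Path(tempfile.mkdtemp())
    patch, am = root / "patch.zip", root / "am"
    cls_a = CLASSES + "com/example/A.class"
    cls_b = CLASSES + "com/example/B.class"
    with zipfile.ZipFile(patch, "w") as zf:
        zf.writestr(cls_a, b"new-A")
        zf.writestr(cls_b, b"new-B")
    (am / cls_a).parent.mkdir(parents=True)
    (am / cls_a).write_bytes(b"old-A")
    before = audit_patch(patch, am)  # pre-install conflict check
    with zipfile.ZipFile(patch) as zf:
        zf.extractall(am)            # install = extract over the webapp
    log = f"[Loaded com.example.A from file: {am}/{cls_a}]\n"  # constructed line
    return before, audit_patch(patch, am, log)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Before installation, a "differs" result is the case in which this FAQ advises contacting ForgeRock support; after installation and a restart, every class should report "matches-patch", with "not-loaded-yet" expected for classes whose functionality has not been exercised.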
Q. What happens to my patches when I upgrade to a later version?
A. When you upgrade AM, all previously installed patches are overridden by the new release. If the issue you received the patch for has not been resolved in the new release, you will need to request a new patch by raising a ticket with ForgeRock support.
You can check if an issue has been resolved by checking the Fixed Versions field for your issue ID on the Issue Tracking page on Backstage.
Q. What happens to my patches when I install a security advisory?
A. Existing patches are unaffected when you install a security advisory, although the security advisory may cause conflicts with your previous patches. If you have patches installed, you should seek advice from ForgeRock support prior to installing the security advisory.
Q. Do I have to install each security advisory patch individually for my version of AM?
A. No, you should install the latest security advisory patch for your version of AM and that will include all patches from previous security advisories that apply to your version. Alternatively, you can upgrade to a recommended version that contains the fixes and again that will include previous security advisory patches.
It is recommended that you apply the latest security patches to ensure your systems remain protected.