ForgeRock Identity Platform
Does not apply to Identity Cloud

Resource type lookups and policy evaluation fails in AM 6.5.0.x, 6.5.1, 6.5.2, and when the external Policy Store is restarted

Last updated Feb 24, 2021

The purpose of this article is to provide assistance if you encounter issues with resource type lookups and policy evaluations failing in AM after restarting the external Policy Store. You will see responses such as "Unable to retrieve application under realm /." or "Unable to retrieve resource types under realm /." when this happens.


Viewing policy or resource types in the console fails with an "Internal error".

The following response is received when trying to perform a policy evaluation on a policy that is stored in the external Policy Store:

{"code":404,"reason":"Not Found","message":"Unable to retrieve application under realm /."}

The following error is shown in the CoreSystem debug log when this happens:

frRest:11/12/2019 10:07:55:901 AM BST: Thread[http-bio-8080-exec-2,5,main]: TransactionId[a70ed1c1ec-764c-a703-43a3-ee52e90b3c-32073] resourcetypes :: QUERY attempted by id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org frRest:11/12/2019 10:07:55:903 PM BST: Thread[http-bio-8080-exec-2,5,main]: TransactionId[a70ed1c1ec-764c-a703-43a3-ee52e90b3c-32073] ERROR: ResourceTypesResource :: QUERY by id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org: Caused EntitlementException: com.sun.identity.entitlement.EntitlementException: Unable to retrieve resource types under realm /. at org.forgerock.openam.entitlement.configuration.ResourceTypeConfigurationImpl.getResourceTypesData( at org.forgerock.openam.entitlement.service.ResourceTypeServiceImpl.getResourceTypesData( at at org.forgerock.json.resource.InterfaceCollectionHandler.handleQuery( ... Caused by: Message:Configuration 'sunEntitlementService' in realm '/' could not be retrieved.

The following error is shown in the Policy debug log when this happens:

amEntitlements:11/12/2019 10:05:55:550 PM BST: Thread[pool-5-thread-1,5,main]: TransactionId[a70ed1c1ec-764c-a703-43a3-ee52e90b3c-32073] ERROR: Error attempting to initiate index change monitor. org.forgerock.openam.entitlement.indextree.ChangeMonitorException: Failed creating persistent search. at org.forgerock.openam.entitlement.indextree.IndexChangeMonitorImpl.start( at org.forgerock.openam.entitlement.indextree.IndexChangeManagerImpl$ at java.util.concurrent.Executors$ at ... Caused by: Connect Error: Connection refused ... Caused by: Connection refused

Recent Changes

Restarted the external Policy Store DS server.


When AM starts, service configurations are loaded from the configuration store, which includes all the necessary service schemas that allow the services to load correctly. This includes the sunEntitlementService, which is used for resource lookups and policy evaluation.

When the policy store is restarted, the cache for service configurations is cleared and the sunEntitlementService configuration is reloaded from the policy store instead. However, the service definition in this store does not include the sunServiceSchema, which leaves the service configuration in an invalid state and unable to respond to policy or resource type related calls.


This issue can be resolved by upgrading to AM or later; you can download this from BackStage.


You can workaround this issue by restarting the web application container in which AM runs.

See Also

Setup and Maintenance Guide › Setting Up External Data Stores

Setup and Maintenance Guide › Setting Up External Policy and Application Stores

Setup and Maintenance Guide › To Connect AM to an External Policy or Application Store

Related Training


Related Issue Tracker IDs

OPENAM-15490 (Policy evaluation and resource type lookups and creation fail and cannot recover from External Policy Store restart)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.