ForgeRock Identity Platform
Does not apply to Identity Cloud

Attempting to access AM (All versions) fails with ConfigurationException: Configuration store is not available

Last updated May 17, 2021

The purpose of this article is to provide assistance if accessing AM results in an HTTP Status 500 - "ConfigurationException: Configuration store is not available".



The following message is shown in the browser when you try to access the console:

    HTTP Status 500 - AMSetupFilter.doFilter

    type Exception report
    message AMSetupFilter.doFilter
    description The server encountered an internal error that prevented it from fulfilling this request.
    exception
    javax.servlet.ServletException: AMSetupFilter.doFilter
        com.sun.identity.setup.AMSetupFilter.doFilter(
    root cause
    com.sun.identity.common.configuration.ConfigurationException: Configuration store is not available.
        com.sun.identity.setup.AMSetupFilter.doFilter(
    note The full stack trace of the root cause is available in the Apache Tomcat/7.0.35 logs.

The following error is shown in the web application container log (for example, catalina.out for Apache Tomcat™):

    com.sun.identity.common.configuration.ConfigurationException: Configuration store is not available.
        at com.sun.identity.setup.AMSetupFilter.doFilter(
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(
        at org.apache.catalina.core.StandardWrapperValve.invoke(
        at org.apache.catalina.core.StandardContextValve.invoke(
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(
        at org.apache.catalina.core.StandardHostValve.invoke(
        at org.apache.catalina.valves.ErrorReportValve.invoke(
        at org.apache.catalina.valves.AccessLogValve.invoke(
        at org.apache.catalina.core.StandardEngineValve.invoke(
        at org.apache.catalina.connector.CoyoteAdapter.service(
        at org.apache.coyote.http11.AbstractHttp11Processor.process(
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
        at$
        at java.util.concurrent.ThreadPoolExecutor.runWorker(
        at java.util.concurrent.ThreadPoolExecutor$
        at

Recent Changes

  • Restarted AM.
  • Made configuration changes.
  • Installed AM or upgraded to a later version.
  • Changed the directory superuser (uid=admin or cn=Directory Manager) password on the directory server but not in AM.
  • Made environmental changes, such as networking, firewall or operating system changes.
  • Deleted a previously configured server and then re-added it to a site.


This error indicates that AM is unable to communicate with its configuration store. This can occur for a number of reasons, including:

  • The configuration store is not running or AM cannot access the configuration store due to a network failure, or a network issue such as a firewall preventing access.
  • The $HOME/.openamcfg/ directory is missing for the current user; the file used to bootstrap (the bootstrap locator file) is located in this directory for the process owner. If you're not the process owner, this directory will not exist.
  • The directory superuser (uid=admin or cn=Directory Manager) password has been changed on the directory server but not in AM. AM uses this password to connect to the configuration store.
  • The server that was deleted and re-added to a site has lost all its configuration and has been given the default server settings again.


The solution depends on the cause; you should check the following to establish the cause and then rectify accordingly:

Configuration store

  • Check that the configuration store is up and running, and that AM can successfully communicate with it:
    • You can check this by running the DS status command (located in /path/to/ds/bin, or in the /path/to/openam/opends/bin directory if you are using the embedded configuration store). The server status returned to you should be: Server Run Status: Started.
    • You can also send a request to the /json/health/ready endpoint (AM 7.1 and later) or the isAlive.jsp endpoint (pre-AM 7.1). If AM is running and the directory server used for the configuration store is not reachable, the endpoint will return a 503 response (AM 7.1 and later) or a Server is DOWN response (pre-AM 7.1) as described in How do I check if AM (All versions) is up and running?

$HOME/.openamcfg/ directory

  • Check the $HOME/.openamcfg/ directory exists for the process owner and contains the bootstrap locator file (AMConfig). This is a file called AMConfig_[path_to_openam], for example, AMConfig_opt_tomcat_webapps_openam if /opt/tomcat/webapps/openam is the deployment path of AM.

Process owner

  • Check the process owner; if AM is installed on a Linux® or Unix® system and is deployed on an Apache Tomcat™ web container, you can check the process owner using the following command:

        ps -ef | grep tomcat

    The process owner must be the same as the user who restarted AM.

Configuration directory

  • Check that the AMConfig file contains the path to a valid configuration directory, which is /path/to/openam by default.
  • Check the configuration directory referenced in the AMConfig file contains a file called boot.json (located in the /config sub-directory in AM 7 and later); check the contents of the boot.json file to ensure the configuration store details it contains are correct. Example configuration store details look like this:

        "configStoreList" : [ {
          "baseDN" : "dc=openam,dc=forgerock,dc=org",
          "dirManagerDN" : "cn=Directory Manager",
          "ldapHost" : "localhost",
          "ldapPort" : 50389,
          "ldapProtocol" : "ldap"
        } ]
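The checks above form a chain: bootstrap locator file, configuration directory, boot.json, then the store's host and port. The following Python sketch is an added example, not ForgeRock code, that walks that chain for a given home directory and reports the first broken link for each locator. It assumes the locator file contains only the configuration directory path and that boot.json is a JSON object with configStoreList at its top level; check_bootstrap and its connect parameter are names made up for this example.

```python
import json
import socket
from pathlib import Path


def check_bootstrap(home, timeout=3.0, connect=socket.create_connection):
    """Walk locator -> config directory -> boot.json -> store port; return problems."""
    cfg = Path(home) / ".openamcfg"
    if not cfg.is_dir():
        return [f"{cfg} is missing (run as the web container's process owner)"]
    locators = sorted(cfg.glob("AMConfig_*"))
    if not locators:
        return [f"no AMConfig_* bootstrap locator file in {cfg}"]
    problems = []
    for locator in locators:
        # Assumption: the locator file holds only the configuration directory path.
        target = locator.read_text().strip()
        conf_dir = Path(target)
        if not target or not conf_dir.is_dir():
            problems.append(f"{locator.name}: '{target}' is not a directory")
            continue
        # AM 7 and later keep boot.json under config/; also try the top level.
        candidates = (conf_dir / "config" / "boot.json", conf_dir / "boot.json")
        boot = next((p for p in candidates if p.is_file()), None)
        if boot is None:
            problems.append(f"{conf_dir}: boot.json not found")
            continue
        try:
            stores = json.loads(boot.read_text()).get("configStoreList") or []
        except (OSError, ValueError, AttributeError) as exc:
            problems.append(f"{boot}: unreadable as a JSON object ({exc})")
            continue
        if not stores:
            problems.append(f"{boot}: configStoreList is empty or absent")
        for store in stores:
            host, port = store.get("ldapHost"), store.get("ldapPort")
            try:
                # TCP connect only: shows reachability, not a valid bind password.
                connect((str(host), int(port)), timeout=timeout).close()
            except (OSError, TypeError, ValueError) as exc:
                problems.append(f"{boot}: cannot reach {host}:{port} ({exc})")
    return problems


if __name__ == "__main__":
    print("\n".join(check_bootstrap(Path.home())) or "bootstrap chain resolves")
```

Run it as the user that owns the web container process, since $HOME/.openamcfg/ is resolved per user. An empty result does not rule out a changed directory superuser password, which only a bind against the store would show.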

Directory superuser (uid=admin or cn=Directory Manager) password

Revert the directory superuser (uid=admin or cn=Directory Manager) password to its old value on the directory server to allow access to AM again.

You can then update it as detailed in How do I change the password for the configuration store in AM (All versions)? 

Server configuration


When you reconfigure the server, you might need to change the inheritance settings to prevent default server settings from being applied again. You can change these settings within the server configuration; a closed lock means the property is inherited from the defaults. To change an inherited value, click the lock to unlock it; you can now enter a server-specific value.

You should re-add the server to the site by following the steps in the Installation Guide › Configuring Sites. If replication is enabled, you must disable it first and then re-enable it: Configuration Guide › Disable Replication.

See Also

Default Configuration page shown instead of Login page in AM (All versions)

How do I change the password for the configuration store in AM (All versions)?

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.