Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Upgrade to AM 5.x or 6.x fails when anonymous access is disabled in DS

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if your upgrade to AM fails with a "Connect Error: No operational connection factories available". This issue will only affect you if you are using DS for your configuration store and anonymous access is disabled for that DS instance.


1 reader recommends this article

Symptoms

The upgrade process fails and an Upgrade Failed message is shown if you are using the upgrade.jar tool (openam-upgrade-tool-14.1.1.5.jar for AM 6) to perform the upgrade. If you are using the Upgrade Wizard, the upgrade hangs on the Upgrade in progress window.

An error similar to the following is shown in the amUpgrade log when this happens:

amUpgrade:10/08/2020 09:32:11:664 AM GMT: Thread[http-bio-8080-exec-11,5,main]  ERROR: An error occurred while trying to get a connection  org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available     at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:210)     at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:172)     at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:142)  ...  Caused by: org.forgerock.opendj.ldap.ConnectionException: Server Connection Closed: Heartbeat failed     at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:210)  ...  Caused by: org.forgerock.opendj.ldap.ErrorResultException: Unwilling to Perform: Rejecting the requested operation because the connection has not been authenticated

Correspondingly, the DS access log shows a CONNECT and DISCONNECT without a SEARCH occurring:

{"eventName":"DJ-LDAP","client":{"ip":"203.0.113.0","port":52597},"server":{"ip":"203.0.113.0","port":1389},"request":{"protocol":"LDAP","operation":"CONNECT","connId":2},"transactionId":"0","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":0,"elapsedTimeUnits":"MILLISECONDS"},"timestamp":"2020-08-15T16:44:49.400Z","_id":"5009191b-a09a-4c7f-84cd-e240b2810a67-1"} {"eventName":"DJ-LDAP","client":{"ip":"203.0.113.0","port":52597},"server":{"ip":"203.0.113.0","port":1389},"request":{"protocol":"LDAP","operation":"UNBIND","connId":2,"msgId":3},"transactionId":"5009191b-a09a-4c7f-84cd-e240b2810a67-8","timestamp":"2020-08-15T16:44:49.729Z","_id":"5009191b-a09a-4c7f-84cd-e240b2810a67-10"} {"eventName":"DJ-LDAP","client":{"ip":"203.0.113.0","port":52597},"server":{"ip":"203.0.113.0","port":1389},"request":{"protocol":"LDAP","operation":"DISCONNECT","connId":2},"transactionId":"0","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":0,"elapsedTimeUnits":"MILLISECONDS","reason":"Client Unbind"},"timestamp":"2020-08-15T16:44:49.734Z","_id":"5009191b-a09a-4c7f-84cd-e240b2810a67-12"}

Recent Changes

Disabled anonymous access in DS using one of the following commands depending on version:

  • DS 6.5.x: $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-global-configuration-prop --set unauthenticated-requests-policy:reject --trustAll --no-prompt
  • Pre-DS 6.5: $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-global-configuration-prop --set reject-unauthenticated-requests:true --trustAll --no-prompt

Causes

Completely disabling anonymous access in DS prevents the SEARCH request from succeeding if AM uses the heartbeat mechanism (which it does by default) and causes connections from AM to fail. AM needs access to the configuration store during the upgrade process, so the upgrade process fails if AM cannot connect.

See How does AM 5.x and 6.x use anonymous access calls to DS? for further information.

Solution

This issue can be resolved by re-enabling anonymous access in DS using one of the following commands and then performing the upgrade again:

  • DS 6.5.x: $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-global-configuration-prop --set unauthenticated-requests-policy:allow --trustAll --no-prompt
  • Pre-DS 6.5: $ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-global-configuration-prop --set reject-unauthenticated-requests:false --trustAll --no-prompt

You can use Access Control Instruction (ACI) in DS to prevent anonymous access without affecting the heartbeat mechanism. See Administration Guide › ACI: Disable Anonymous Access for further information.

See Also

How does AM 5.x and 6.x use anonymous access calls to DS?

AM 5.x or 6.x fails to connect to the user data store when anonymous access is disabled in DS

Upgrading AM

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.