Upgrade to OpenAM 13.x fails with Failed to modify privilege! message when migrating policies
The purpose of this article is to provide assistance if your upgrade to OpenAM 13.x fails with ERROR: "Failed to modify privilege!" when migrating policies. This issue will only occur if you are upgrading from an old release and the policies are being migrated to the OpenAM 13.x format for the first time.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The upgrade fails and you see the following message in the Upgrade wizard:
Failed to modify privilege!
An error similar to the following is shown in the amUpgrade log when the Upgrade fails:
amUpgrade:10/12/2015 04:07:22:665 PM PDT: Thread[catalina-exec-1,5,main]
ERROR: Failed to modify privilege!
com.sun.identity.entitlement.EntitlementException: Invalid Resource https://openam.example.com:8443/web/personal-details?*
    at com.sun.identity.entitlement.Entitlement.validateResourceNames(Entitlement.java:826)
    at com.sun.identity.entitlement.Privilege.validateResourceNames(Privilege.java:164)
    at com.sun.identity.entitlement.opensso.PolicyPrivilegeManager.modify(PolicyPrivilegeManager.java:265)
    at org.forgerock.openam.upgrade.steps.policy.conditions.OldPolicyConditionMigrationUpgradeStep.perform(OldPolicyConditionMigrationUpgradeStep.java:193)
    at org.forgerock.openam.upgrade.UpgradeServices.upgrade(UpgradeServices.java:186)
    at com.sun.identity.config.upgrade.Upgrade.doUpgrade(Upgrade.java:79)
...
amUpgrade:10/12/2015 04:07:22:666 PM PDT: Thread[catalina-exec-1,5,main]
ERROR: Error occured while upgrading OpenAM
org.forgerock.openam.upgrade.UpgradeException: Failed to modify privilege!
    at org.forgerock.openam.upgrade.steps.policy.conditions.OldPolicyConditionMigrationUpgradeStep.perform(OldPolicyConditionMigrationUpgradeStep.java:196)
    at org.forgerock.openam.upgrade.UpgradeServices.upgrade(UpgradeServices.java:186)
    at com.sun.identity.config.upgrade.Upgrade.doUpgrade(Upgrade.java:79)
Recent Changes
Upgrading to OpenAM 13.x from an old release.
Causes
You only have one referral rule from the top-level realm. As per changes that were introduced in OpenAM 11.0.0, you should have three referral rules, for example:
- root "/"
- pages "/*"
- pages with parameters "/*?*"
Solution
This issue can be resolved by adding the other two referral rules and re-running the upgrade.
For example, if your current referral rule is:
https://openam.example.com:8443/*
You would need to add the following referral rules:
https://openam.example.com:8443/
https://openam.example.com:8443/*?*
Note
Although referrals are not used in OpenAM 13, they still need to be correct prior to upgrading as they are processed during the upgrade process as detailed in OpenAM 13 Upgrade Guide › Upgrading OpenAM Servers.
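A pre-upgrade check for the condition described above, as an added example that is not part of the original article or of OpenAM: given the referral rule resources from the top-level realm as plain strings, it reports which of the three required rules are missing for each base URL. How the rules are exported is left to you; the function name, the sample list and the app.example.com host are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The three rule shapes the article requires for each referred base URL.
REQUIRED_SUFFIXES = ("/", "/*", "/*?*")
_RULE = re.compile(r"^(?P<base>[A-Za-z][A-Za-z0-9+.-]*://[^/?#]+)(?P<suffix>/.*)?$")


def missing_referral_rules(rules):
    """Return (missing, review).

    missing: base URL -> referral rules still to add before the upgrade.
    review:  rules that are not one of the three shapes; check them by hand.
    """
    seen = defaultdict(set)
    review = []
    for raw in rules:
        rule = raw.strip()
        if not rule:
            continue
        match = _RULE.match(rule)
        suffix = (match.group("suffix") or "") if match else None
        if suffix not in REQUIRED_SUFFIXES:
            review.append(rule)
            continue
        seen[match.group("base").lower()].add(suffix)
    missing = {}
    for base, suffixes in seen.items():
        gaps = [base + s for s in REQUIRED_SUFFIXES if s not in suffixes]
        if gaps:
            missing[base] = gaps
    return missing, review


# Constructed sample: the article's single rule plus a hypothetical second host.
SAMPLE_RULES = [
    "https://openam.example.com:8443/*",
    "https://app.example.com/",
    "https://app.example.com/*",
    "https://app.example.com/*?*",
    "https://app.example.com/private/*",
]

if __name__ == "__main__":
    missing, review = missing_referral_rules(SAMPLE_RULES)
    for base, gaps in missing.items():
        print(f"{base}: add {', '.join(gaps)}")
    for rule in review:
        print(f"review manually: {rule}")
```

An empty `missing` result means every base URL that has one of the three rules has all of them; anything in `review` falls outside the pattern the article describes and is not judged by this check.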
See Also
Best practice for migrating policies when upgrading to OpenAM 12.x or 13.x
Best practice for creating and testing policies in AM (All versions)
Related Training
N/A
Related Issue Tracker IDs
OPENAM-5441 (upgrade from 12.0.0 to 13.0.0 fails)
OPENAM-5333 (Upgrade failure when policy has more than one rule)