Upgrade to OpenAM 13.x fails with Failed to modify privilege! message when migrating policies
The purpose of this article is to provide assistance if your upgrade to OpenAM 13.x fails with ERROR: "Failed to modify privilege!" when migrating policies. This issue will only occur if you are upgrading from an old release and the policies are being migrated to the OpenAM 13.x format for the first time.
This article has been archived and is no longer maintained by ForgeRock.
The upgrade fails and you see the following message in the Upgrade wizard:
    Failed to modify privilege!
An error similar to the following is shown in the amUpgrade log when the Upgrade fails:
    amUpgrade:10/12/2015 04:07:22:665 PM PDT: Thread[catalina-exec-1,5,main]
    ERROR: Failed to modify privilege!
    com.sun.identity.entitlement.EntitlementException: Invalid Resource https://openam.example.com:8443/web/personal-details?*
        at com.sun.identity.entitlement.Entitlement.validateResourceNames(Entitlement.java:826)
        at com.sun.identity.entitlement.Privilege.validateResourceNames(Privilege.java:164)
        at com.sun.identity.entitlement.opensso.PolicyPrivilegeManager.modify(PolicyPrivilegeManager.java:265)
        at org.forgerock.openam.upgrade.steps.policy.conditions.OldPolicyConditionMigrationUpgradeStep.perform(OldPolicyConditionMigrationUpgradeStep.java:193)
        at org.forgerock.openam.upgrade.UpgradeServices.upgrade(UpgradeServices.java:186)
        at com.sun.identity.config.upgrade.Upgrade.doUpgrade(Upgrade.java:79)
    ...
    amUpgrade:10/12/2015 04:07:22:666 PM PDT: Thread[catalina-exec-1,5,main]
    ERROR: Error occured while upgrading OpenAM
    org.forgerock.openam.upgrade.UpgradeException: Failed to modify privilege!
        at org.forgerock.openam.upgrade.steps.policy.conditions.OldPolicyConditionMigrationUpgradeStep.perform(OldPolicyConditionMigrationUpgradeStep.java:196)
        at org.forgerock.openam.upgrade.UpgradeServices.upgrade(UpgradeServices.java:186)
        at com.sun.identity.config.upgrade.Upgrade.doUpgrade(Upgrade.java:79)
Upgrading to OpenAM 13.x from an old release.
You only have one referral rule from the top-level realm. As per changes that were introduced in OpenAM 11.0.0, you should have three referral rules, for example:
- root "/"
- pages "/*"
- pages with parameters "/*?*"
This issue can be resolved by adding the other two referral rules and re-running the upgrade.
For example, if your current referral rule is:
    https://openam.example.com:8443/*
You would need to add the following referral rules:
    https://openam.example.com:8443/
    https://openam.example.com:8443/*?*
Although referrals are not used in OpenAM 13, they still need to be correct prior to upgrading because the upgrade processes them, as detailed in OpenAM 13 Upgrade Guide › Upgrading OpenAM Servers.
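The pre-upgrade check described above can be scripted. The following is an added example, not ForgeRock code: it pulls the rejected resource out of amUpgrade log text and lists which of the three referral rules are absent for that base URL. It assumes the existing referral rules have been copied into a list by hand, that the base URL is scheme://host:port, and it compares rule strings exactly rather than reproducing OpenAM's wildcard matching.

```python
import re
from urllib.parse import urlsplit

# The three referral patterns the article lists as required since
# OpenAM 11.0.0: root, pages, pages with parameters.
REQUIRED_SUFFIXES = ("/", "/*", "/*?*")

# Matches the resource named in the EntitlementException log entry.
INVALID_RE = re.compile(r"EntitlementException: Invalid Resource (\S+)")


def base_of(resource):
    """Return scheme://host[:port] for a resource or referral pattern."""
    parts = urlsplit(resource)
    return f"{parts.scheme}://{parts.netloc}"


def invalid_resources(log_text):
    """Extract resources rejected during policy migration from amUpgrade log text."""
    return INVALID_RE.findall(log_text)


def missing_referral_rules(existing_rules, resources):
    """List required referral rules not present for each base URL in resources."""
    existing = set(existing_rules)
    missing = []
    for base in sorted({base_of(r) for r in resources}):
        for suffix in REQUIRED_SUFFIXES:
            rule = base + suffix
            if rule not in existing and rule not in missing:
                missing.append(rule)
    return missing


# Constructed sample input, modelled on the log excerpt and rule in this article.
SAMPLE_LOG = (
    "amUpgrade:10/12/2015 04:07:22:665 PM PDT: Thread[catalina-exec-1,5,main] "
    "ERROR: Failed to modify privilege! "
    "com.sun.identity.entitlement.EntitlementException: Invalid Resource "
    "https://openam.example.com:8443/web/personal-details?* at ..."
)
SAMPLE_RULES = ["https://openam.example.com:8443/*"]  # hand-copied referral rules

if __name__ == "__main__":
    for rule in missing_referral_rules(SAMPLE_RULES, invalid_resources(SAMPLE_LOG)):
        print("add referral rule:", rule)
```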
Best practice for migrating policies when upgrading to OpenAM 12.x or 13.x
Best practice for creating and testing policies in AM (All versions)
OpenAM 11.0.0 Release Notes › OpenAM Changes & Deprecated Functionality › Important Changes to Existing Functionality
OpenAM 12.0.0 Release Notes › OpenAM Changes and Deprecated Functionality › Important Changes to Existing Functionality
Related Issue Tracker IDs
OPENAM-5441 (upgrade from 12.0.0 to 13.0.0 fails)
OPENAM-5333 (Upgrade failure when policy has more than one rule)
OPENAM-3509 (PolicyEvaluation strips off trailing '/' from resource resulting in wrong enforcement on agent side)