Best Practice
ForgeRock Identity Platform
Does not apply to Identity Cloud

Best practice for upgrading to AM 7.x

Last updated Jan 12, 2023

The purpose of this article is to provide best practice advice on upgrading to AM 7.x as there are some known issues regarding the upgrade process and issues that may affect you post-upgrade.


Overview

Preparing for Upgrade

As with any software upgrade, we strongly recommend testing the procedure in your own development environment first and ensuring you have up-to-date backups and recovery plans in case you encounter any issues. You should also make sure you read the AM 7.2 Release notes, AM 7.1 Release Notes and AM 7 Release Notes so that you are fully aware of all changes as well as release notes and Best Practice upgrade articles relevant to any releases between the version you are upgrading from and AM 7.x.

Known issues - upgrade process

The following known issues may affect you during the upgrade process - workarounds are included where applicable:​

  • Configuring AM with an embedded DS fails with a Permission Denied error for the truststore

Configuring AM with an embedded DS fails when trying to create the truststore with a Permission Denied error. This is a known issue: OPENAM-16608 (AM with embedded DS setup fails with permission denied for truststore), which is fixed in AM 7.0.2. You can work around it by changing the file permissions on the origin cacerts file to have write permissions (for example, 666) before starting the configuration. This will ensure the resulting truststore file then has permissions 644 which allows setup to continue.

An embedded DS is not supported in production in AM 7, but you can still use one for testing or demo purposes.

  • Amster Configuration Upgrader tool is not included in AM 7

See How do I upgrade Amster configuration files when upgrading to AM 6.5.x or 7? for information on upgrading to AM 7 if you have Amster configuration files.

AM 7.1 does include a configuration file upgrade tool for converting configuration files exported with the Amster command. See Amster 7.1 What’s New for further information.

  • External CTS needs additional schemas after upgrade

When upgrading to AM 7.x from a previous version, you need to import the following schemas else you will not be able to log in:

  • cts-add-multivalue.ldif
  • cts-add-multivalue-indices.ldif
  • cts-add-ttlexpire.ldif

This step is detailed in the Upgrading AM Instances.

Known issues - post-upgrade

The following known issues may affect you post-upgrade - workarounds are included where applicable:

  • LDAP connection fails with No subject alternative DNS name matching error

Changes in AM and DS have made LDAP SSL hostname validation stricter. You must ensure the hostname you are connecting to the LDAP server with matches the hostnames specified in the server certificate via the SAN (Subject Alternative Name). See LDAP connection fails with No subject alternative DNS name matching error in AM and DS (All versions) for further details about this issue and solution.

  • Login page does not load when using authentication trees with custom or Marketplace nodes

The dependency on forgerock-guava has been removed in AM 6.5 and instead these libraries are retrieved directly from Google Guava. Any custom or Marketplace nodes that use an org.forgerock.guava class will fail as a result. See Login page does not load when using authentication trees with custom or Marketplace nodes in AM 6.5.x or 7.x for further information.

  • Login page does not load or ssoadm fails after upgrading to Tomcat 8.5 or 9

Tomcat 8.5 and later enforces stricter checking for valid cookie domain values; this change prevents the login page loading and causes ssoadm to fail. The necessary steps to resolve this are documented in the following Solution article: Login page does not load or ssoadm fails in AM (All versions) running on Apache Tomcat 8.5 or 9

  • Minimum password length is 8 error when updating identities via REST

There is a known issue with updating identities via REST where the Minimum password length is 8 error is shown even though the user's password is valid: OPENAM-11052 (Minimum password length is 8 error in AM 5.0 when updating identities using the REST API). The necessary steps to resolve this are documented in the following Solution article: Minimum password length is 8 error in AM (All versions) when updating identities using the REST API

  • User attributes in SAML responses are not correctly mapped

There is a known issue that can prevent user profile attributes being returned in SAML responses. This issue occurs if you use a custom IdP attribute mapper that extends DefaultLibraryIDPAttributeMapper: OPENAM-11474 (Custom IDP Attribute mappers may cause failures after upgrade). You should revisit your custom IdP mapper code and update any method names that have changed. Alternatively, you could extend DefaultIDPAttributeMapper or implement an IdP attribute mapper using a script (AM 7.2 and later). See How do I create a custom SAML2 IdP attribute mapper in AM (All versions)? for further information.

Other changes

See AM 7.2 Functional changes, AM 7.1 Changes to Existing Functionality and AM 7 Changes to Existing Functionality for information about all changes to existing functionality.

See Also

Upgrades

Backup and Restore

Upgrade Guides and Release Notes

Troubleshooting

Related Training

ForgeRock Access Management Deep Dive (AM-410)

Related Issue Tracker IDs

OPENAM-16608 (AM with embedded DS setup fails with permission denied for truststore)

OPENAM-11474 (Custom IDP Attribute mappers may cause failures after upgrade)

OPENAM-11052 (Minimum password length is 8 error in AM 5.0 when updating identities using the REST API)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.