WARNING: WhitelistObjectInputStream.resolveClass message in logs for OpenAM 11.0.3, 12.0.1 and 12.0.2

Symptoms

Variations on the "WARNING: WhitelistObjectInputStream.resolveClass... was not in the whitelist of allowed classes" message can be seen in the CoreSystem debug log including:

Recent Changes

Installed or upgraded to OpenAM 12.0.1 or 12.0.2.

Installed the patch for OpenAM Security Advisory #201505 or later on OpenAM 11.0.3.

Causes

A recent security fix to prevent potential exploitation of serialized objects resulted in a new openam.deserialisation.classes.whitelist property that lists valid classes when OpenAM performs object deserialization. Several classes were initially missed from the default settings.

Solution

These issues can be resolved by upgrading to OpenAM 12.0.3 or later; you can download this from BackStage.

Alternatively, these issues can be resolved by updating the Object Deserialisation Class Whitelist. The whitelist values you need to add depend on which issue(s) you are encountering: 

•  OPENAM-6468 (InvalidClassException with certauth after #201505-01 patch) - identified by the following error message: WARNING: WhitelistObjectInputStream.resolveClass:java.security.cert.Certificate$CertificateRep was not in the whitelist of allowed classes resolved by adding the following whitelist values: java.security.cert.Certificate java.security.cert.Certificate$CertificateRep
• OPENAM-6499 (Configuration store servers are not listed in Directory Configuration) - identified by the following error message: WARNING: WhitelistObjectInputStream.resolveClass:com.sun.identity.common.configuration.ServerConfigXML$ServerObject was not in the whitelist of allowed classes resolved by adding the following whitelist values: com.sun.identity.common.configuration.ServerConfigXML com.sun.identity.common.configuration.ServerConfigXML$DirUserObject com.sun.identity.common.configuration.ServerConfigXML$ServerGroup com.sun.identity.common.configuration.ServerConfigXML$ServerObject
• OPENAM-6615 (12.0.1 Legacy Password reset options page does not display when clicking "Edit" on user profile page) - identified by the following error message: WARNING: WhitelistObjectInputStream.resolveClass:com.sun.identity.console.user.model.UMUserPasswordResetOptionsData was not in the whitelist of allowed classes resolved by adding the following whitelist value: com.sun.identity.console.user.model.UMUserPasswordResetOptionsData
•  OPENAM-6741 (STS configuration not showing in admin console) - identified by the following error message: WARNING: WhitelistObjectInputStream.resolveClass:java.util.LinkedHashSet was not in the whitelist of allowed classes resolved by adding the following whitelist value: java.util.LinkedHashSet

You can update this whitelist using either the OpenAM console or ssoadm:

• OpenAM console: navigate to: Configuration > Servers and Sites > Default Server Settings > Security > Object Deserialisation Class Whitelist and add the necessary values.
• ssoadm:
  1. Run the following command to create a data file. This command creates the data file (called DATA_FILE to match the next command) and populates it with the current openam.deserialisation.classes.whitelist property value to ensure you don't lose any existing changes. $ ./ssoadm list-server-cfg -s default -u [adminID] -f [passwordfile] | grep openam.deserialisation.classes.whitelist > DATA_FILE replacing [adminID] and [passwordfile] with appropriate values.
  2. Update the data file you just created by appending the required whitelist values (from above), separating each one with a comma. For example, your data file would look like this if you started with the default value and added the values required for OPENAM-6468: openam.deserialisation.classes.whitelist=com.iplanet.dpro.session.DNOrIPAddressListTokenRestriction,com.sun.identity.common.CaseInsensitiveHashMap,com.sun.identity.common.CaseInsensitiveHashSet,com.sun.identity.common.CaseInsensitiveKey,com.sun.identity.console.base.model.SMSubConfig,com.sun.identity.console.service.model.SMDescriptionData,com.sun.identity.console.service.model.SMDiscoEntryData,com.sun.identity.console.session.model.SMSessionData,com.sun.identity.shared.datastruct.OrderedSet,com.sun.xml.bind.util.ListImpl,com.sun.xml.bind.util.ProxyListImpl,java.lang.Boolean,java.lang.Integer,java.lang.Number,java.lang.StringBuffer,java.net.InetAddress,java.util.ArrayList,java.util.Collections$EmptyMap,java.util.HashMap,java.util.HashSet,java.util.Locale,org.forgerock.openam.authentication.service.protocol.RemoteCookie,org.forgerock.openam.authentication.service.protocol.RemoteHttpServletRequest,org.forgerock.openam.authentication.service.protocol.RemoteHttpServletResponse,org.forgerock.openam.authentication.service.protocol.RemoteServletRequest,org.forgerock.openam.authentication.service.protocol.RemoteServletResponse,org.forgerock.openam.authentication.service.protocol.RemoteSession,org.forgerock.openam.dpro.session.NoOpTokenRestriction,java.security.cert.Certificate,java.security.cert.Certificate$CertificateRep
  3. Run the following command to update the openam.deserialisation.classes.whitelist property: $ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -D DATA_FILE replacing [adminID] and [passwordfile] with appropriate values.

See Also

Configuration servers are not listed under Directory Configuration in OpenAM console 11.0.3, 12.0.1 or 12.0.2

OpenAM 12.0.1 Release Notes › What's New in OpenAM 12.0.1 › Security Advisories

OpenAM 12.0.2 Release Notes › OpenAM Fixes, Limitations, and Known Issues

Related Training

N/A

Related Issue Tracker IDs

OPENAM-6468 (InvalidClassException with certauth after #201505-01 patch)

OPENAM-6499 (Configuration store servers are not listed in Directory Configuration)

OPENAM-6615 (12.0.1 Legacy Password reset options page does not display when clicking "Edit" on user profile page)

OPENAM-6741 (STS configuration not showing in admin console)