Book Installing and configuring AM/OpenAMThis book provides information on installing and configuring AM/OpenAM, including frequently asked questions and known issues. Printer friendly viewTable of Contents1 General1.1 What automation tools are available for installing, upgrading and configuring AM/OpenAM deployments (All versions)? 1.2 What versions of DS/OpenDJ are compatible with AM/OpenAM? 1.3 What versions of Policy Agents are compatible with AM/OpenAM? 1.4 What versions of IG/OpenIG are compatible with AM/OpenAM? 1.5 What versions of AM/OpenAM are compatible with IDM/OpenIDM? 1.6 How do I check if a particular AM/OpenAM (All versions) instance is running? 1.7 How do I check what version of AM/OpenAM (All versions) I have installed? 1.8 How do I upgrade Apache Tomcat for an existing AM/OpenAM (All versions) install? 2 Configuration2.1 Best practices for configuring sessions in AM (All versions) to reduce the impact on the CTS store 2.2 How do I export and import Service configurations for AM/OpenAM (All versions)? 2.3 How do I make a backup of configuration data in AM/OpenAM (All versions)? 2.4 How do I make AM/OpenAM (All versions) communicate with a secured LDAP server? 2.5 How do I enable SSL in AM/OpenAM (All versions) post-install? 2.6 How do I enable SSL in AM/OpenAM (All versions) for an existing installation? 2.7 How do I configure the heartbeat timeout in AM/OpenAM (All versions)? 2.8 How do I register or re-register a custom authentication module in AM 5.5.x and 6.x? 2.9 How do I delete an AM/OpenAM instance (All versions) from a site along with the replicated embedded DS/OpenDJ server? 2.10 How do I configure AM 6.0.0.x to work with older policy agents (Web 4.x and JEE 3.5.x)? 2.11 How do I remove console access in AM/OpenAM (All versions)? 2.12 Best practice for blocking the top level realm in a proxy for AM/OpenAM (All versions) 2.13 How do I safely enable the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH setting in AM/OpenAM (All versions)? 2.14 How do I update the certificate alias for the signing key in the AM/OpenAM (All versions) keystore? 2.15 How do I update the authentication signing secret in AM (All versions) and OpenAM 13.x? 2.16 How do I configure AM/OpenAM (All versions) to check the HTTP header for the user certificate? 2.17 How do I set up Realm DNS Aliases in AM/OpenAM (All versions)? 2.18 How do I set up Realm DNS Aliases in AM/OpenAM (All versions) when CDSSO is configured? 2.19 How do I configure which pages are displayed upon successful and failed logins in AM/OpenAM (All versions)? 2.20 How do I configure a list of valid goto URL resources in AM/OpenAM (All versions)? 2.21 How do I automate the creation of scripts in AM/OpenAM (All versions)? 2.22 How do I re-create a bootstrap file for OpenAM 12.x and 13.x if the bootstrap file has become corrupt? 3 Frequently Asked Questions3.1 FAQ: Installing AM/OpenAM 3.2 FAQ: Configuring AM/OpenAM 3.3 FAQ: Patches in AM/OpenAM 3.4 FAQ: General AM/OpenAM 3.5 FAQ: AM/OpenAM compatibility with third-party products 4 Known Issues4.1 An illegal reflective access operation has occurred when using Java 11 with ForgeRock products 4.2 Install4.2.1 AM/OpenAM (All versions) install fails with emb.creatingfamsuffix.failure error when installing on a Unix or Linux system 4.2.2 javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials] error when reinstalling an AM/OpenAM (All versions) instance 4.2.3 Installing OpenAM 12.x or 13.x with an external OpenDJ instance fails with a NPE 4.3 Startup and Shutdown4.3.1 Error during shutdown message when stopping an AM 6 instance running on Apache Tomcat 4.3.2 AM/OpenAM (All versions) fail to start due to SEVERE: ContainerBase.addChild: start: error on Apache Tomcat 4.3.3 Memory leak messages when shutting down Apache Tomcat web container running AM/OpenAM (All versions) 4.4 Login Page4.4.1 Default Configuration page shown instead of Login page in AM/OpenAM (All versions) 4.4.2 Attempting to access AM/OpenAM (All versions) fails with ConfigurationException: Configuration store is not available 4.4.3 Login page in AM/OpenAM (All versions) hangs on Loading when CORS is enabled 4.4.4 Multiple mappings found for organization identifier error when logging into AM/OpenAM (All versions) 4.4.5 Login page does not load when using authentication trees with custom or Marketplace nodes in AM 6.5.x 4.4.6 Login page does not load or ssoadm fails in AM (All versions) running on Apache Tomcat 8.5 or 9 4.4.7 XUI Login URL with goto parameter causes redirect loop or prevents OpenAM 12.x and 13.x login page loading 4.5 Configuration4.5.1 Cannot recover key error shown when renewing expired certificates or changing the password for the keystore or truststore in AM/OpenAM (All versions) 4.5.2 Unable to retrieve certificate with alias 'test' from keystore after making changes to the keystore in AM (All versions) 4.5.3 AM/OpenAM (All versions) Login flow fails with java.lang.IllegalArgumentException: Request header too large 4.5.4 The CertAndKeyGen security class cannot be found error when configuring OpenAM 13.x 4.5.5 Federation related pages do not display in the console with a java.lang.NoClassDefFoundError: sun/misc/CharacterEncoder error in AM 6.5.x 4.5.6 Unidentified properties or Invalid properties message when adding custom advanced server properties in AM (All versions) and OpenAM 13.5 4.5.7 OpenAM 13.5 redirects to server URL instead of site URL in load balanced environment 4.5.8 Authentication fails in OpenAM 13.0 with an AuthId JWT Signature not valid error 4.5.9 Error when flushing the writer message when AM (All versions) and OpenAM 13.x is under high load with audit logging enabled 4.5.10 SNMP monitoring fails in AM 5.5.1 with No Monitoring interfaces started exception 5 Patches5.1 How do I check what patches are installed for ForgeRock products? 5.2 How do I install an AM/OpenAM patch (All versions) supplied by ForgeRock support?