This chapter covers major changes to existing functionality, as well as deprecated and removed functionality.
When you create a new OpenAM custom configuration that uses an external LDAP directory server for the configuration data store, you must use a root suffix DN with at least two domain components, such as
The advanced server property used to set the HTTP header name,
has replaced the legacy OpenSSO property
Legacy naming conventions have been changed to conform to the current product name, OpenAM.
$HOME/.openamcfg/ is the new name for $HOME/.openssocfg/. If you upgrade, OpenAM still supports use of $HOME/.openssocfg/, and does not rename the folder. For new OpenAM installs, OpenAM creates the directory with the new name, $HOME/.openamcfg/, at configuration
Other files, such as the openam.war file, and paths have been modified to ensure consistency with the naming
OpenAM now ships with multiple .war files. You no longer have to build custom .war files for cases such as core server-only or distributed authentication UI installations.
In versions before OpenAM 10.1.0, the default root suffix DN for OpenAM configuration and profile data was
The default root suffix is now
The fix for OPENAM-1630 changes SAML metadata signing in OpenAM to better conform with the SAML 2.0 standard.
Metadata for hosted entities is signed using the metadataSigningKey configured for the realm, or inherited from the global configuration for the server.
OpenAM now signs the
that contains child
When importing remote entity metadata with signatures, OpenAM does not modify the signatures, but instead returns them as they were when they were imported.
When OpenAM imports remote entity metadata that has no signature and signed metadata is requested on export, OpenAM signs the metadata with
The default policy evaluation mode for new policy agent profiles is now self rather than subtree, in order to better scale for large numbers of policy rules.
Upgrade does not change existing policy agent profile configurations, however. If you want to adopt the new default setting for existing policy agents, you must change the setting manually.
To do so for Java EE policy agents, set
For web policy agents, set
You now specify rules for referrals in the same way as rules for policies.
For example, with previous releases a referral rule for
http://example.com/ matched everything underneath.
Now you would need three rules,
When used at the end of a rule, * matches one or more characters, rather than zero or more characters.
When you upgrade OpenAM, the upgrade tool converts existing referral rules.
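The following is an added example, not OpenAM code, that models the two behaviours this section describes: the old referral rule that matched everything beneath a resource name, and the policy-style rule in which a trailing * now matches one or more characters instead of zero or more. The rule lists in the code are constructed for illustration; the page does not reproduce the exact replacement rules it refers to, and the treatment of a non-trailing * as zero-or-more in both modes is an assumption.

```python
import re
from typing import Iterable, Optional

# Added example, not OpenAM code: a small model of the two rule-matching
# behaviours this release note describes. The rule lists used below are
# constructed for illustration; the page does not reproduce the exact
# replacement rules it refers to.


def legacy_referral_matches(rule: str, url: str) -> bool:
    """Pre-12 referral rule: a plain resource name matched everything under it."""
    return url.startswith(rule)


def rule_to_regex(rule: str, trailing_star_one_or_more: bool) -> "re.Pattern[str]":
    """Compile a policy-style rule into a regular expression.

    A '*' at the end of the rule becomes '.+' (one or more characters) under the
    current semantics, or '.*' (zero or more) under the previous semantics.
    Assumption: a '*' elsewhere in the rule is zero-or-more in both modes; the
    note only describes the trailing case.
    """
    trailing = rule.endswith("*")
    body = rule[:-1] if trailing else rule
    pattern = ".*".join(re.escape(part) for part in body.split("*"))
    if trailing:
        pattern += ".+" if trailing_star_one_or_more else ".*"
    return re.compile(pattern)


def rule_matches(rule: str, url: str, legacy: bool = False) -> bool:
    """True if the rule covers the URL; legacy=True uses the old trailing-* meaning."""
    return rule_to_regex(rule, trailing_star_one_or_more=not legacy).fullmatch(url) is not None


def first_matching_rule(rules: Iterable[str], url: str, legacy: bool = False) -> Optional[str]:
    """Return the first rule that covers the URL, or None if no rule does."""
    for rule in rules:
        if rule_matches(rule, url, legacy=legacy):
            return rule
    return None


if __name__ == "__main__":
    base = "http://example.com/"
    for url in (base, base + "app/index.html"):
        print(url)
        print("  old referral rule", base, "->", legacy_referral_matches(base, url))
        print("  new rule", base, "->", rule_matches(base, url))
        print("  new rule", base + "*", "->", rule_matches(base + "*", url))
```

The point the example makes is that a single wildcard rule no longer covers the bare resource: under the new semantics http://example.com/* does not match http://example.com/ itself, so an exact rule for the resource has to sit beside the wildcard rule. The upgrade tool performs the equivalent conversion for existing referral rules; this model is only for reasoning about rules you write by hand.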
The following functionality is deprecated in OpenAM 12.0.0-SNAPSHOT, and is likely to be removed in a future release.
With the implementation of OAuth 2.0 in this release, OAuth 1.0 has been deprecated. OAuth 1.0 support was originally provided in OpenAM 9.
The Netscape LDAP API is to be removed from OpenAM, with OpenAM using the OpenDJ LDAP SDK instead. This affects all classes in
OpenAM currently uses Sun Java System Application Framework (JATO). JATO is deprecated and is likely to be replaced in a future release.
With the implementation of the Persistent Cookie authentication module, the Core Authentication module persistent cookie options are deprecated and are likely to be removed in a future release.
Older REST services relying on the following end points are deprecated.
The following table shows how legacy and newer end points correspond.
| Deprecated URIs | Newer Evolving URIs |
| --- | --- |
| /identity/create, /identity/delete, /identity/read, /identity/search, /identity/update | /json/agents, /json/groups, /json/realms, /json/users |
Find examples in the Developer Guide chapter on Using RESTful Web Services in OpenAM.
Support for the older REST services is likely to be removed in a future release in favor of the newer REST services. Older REST services will be removed only after replacement REST services are introduced.
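Before the older endpoints are removed, it is worth finding out which clients still call them. The following is an added example, not OpenAM code: it scans web-server access-log lines in Common Log Format for requests to the deprecated /identity/* endpoints listed in the table above and groups them by client address. The log lines and client addresses are constructed, and the /openam deployment URI is an assumption.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Added example, not OpenAM code: scans web-server access-log lines for calls to
# the deprecated /identity/* endpoints listed above, so that the clients still
# using them can be found before those endpoints are removed. The log lines and
# client addresses are constructed; the /openam deployment URI is an assumption.

DEPRECATED_ENDPOINTS: Set[str] = {
    "/identity/create",
    "/identity/delete",
    "/identity/read",
    "/identity/search",
    "/identity/update",
}

# Common Log Format: client identd user [time] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:01:02 +0000] "POST /openam/identity/create HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2014:10:01:05 +0000] "GET /openam/identity/read?name=demo HTTP/1.1" 200 1024
10.0.0.9 - - [12/Mar/2014:10:01:09 +0000] "GET /openam/json/users/demo HTTP/1.1" 200 980
10.0.0.7 - - [12/Mar/2014:10:02:11 +0000] "POST /openam/identity/update HTTP/1.1" 200 200
10.0.0.5 - - [12/Mar/2014:10:03:00 +0000] "GET /openam/json/agents/myagent HTTP/1.1" 200 700
garbage line that does not parse
"""


def deprecated_endpoint(path: str, context: str = "/openam") -> Optional[str]:
    """Return the deprecated endpoint a request path hits, or None."""
    path = path.split("?", 1)[0]          # drop the query string
    if not path.startswith(context + "/"):
        return None
    path = path[len(context):]            # strip the deployment URI
    return path if path in DEPRECATED_ENDPOINTS else None


def find_legacy_calls(lines: Iterable[str], context: str = "/openam") -> Counter:
    """Count (client, endpoint) pairs for requests to deprecated endpoints."""
    hits: Counter = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip malformed lines rather than fail
        endpoint = deprecated_endpoint(m.group("path"), context)
        if endpoint:
            hits[(m.group("client"), endpoint)] += 1
    return hits


def clients_to_migrate(hits: Counter) -> Dict[str, List[str]]:
    """Group the deprecated endpoints each client still uses, sorted for reporting."""
    by_client: Dict[str, Set[str]] = {}
    for (client, endpoint), _count in hits.items():
        by_client.setdefault(client, set()).add(endpoint)
    return {c: sorted(e) for c, e in sorted(by_client.items())}


if __name__ == "__main__":
    report = clients_to_migrate(find_legacy_calls(SAMPLE_LOG.splitlines()))
    for client, endpoints in report.items():
        print(client, "->", ", ".join(endpoints))
```

Run it against real access logs by replacing SAMPLE_LOG with the file contents; only the five endpoints named in the table are flagged, so traffic to the newer /json endpoints is ignored.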
OpenAM Java SDK no longer supports JDK 5.
The iplanet-am-auth-ldap-server-check property for the LDAP and Active Directory authentication modules has been removed and replaced with a heartbeat mechanism configurable through the LDAP Connection Heartbeat Interval (openam-auth-ldap-heartbeat-interval) and LDAP Connection Heartbeat Time Unit properties for the LDAP and Active Directory authentication modules.
Set these new properties as necessary when you have firewalls or load balancers that drop connections that remain idle for too long.
The advanced server property, openam.session.destroy_all_sessions, has been replaced by the built-in Global Session Service setting,
Javadoc for the client SDK is no longer delivered with the distribution, but instead is available online.