Unable to login to /openam in clustered environment

This topic has 2 replies, 1 voice, and was last updated 3 years, 4 months ago by smmellac.

  • Author
  • #25377

    We are trying to setup a clustered openam env. At this point, both openam instances are pointing to the same DS. When we login to http://server1:8080/openam using amadmin creds it works. However, when we login to http://server2:8080/openam using amadmin creds, we get username/password not valid error.

    Upon looking further into the server config, we found that openam is using default 4444 as admin port instead of 1444 which we used when setting up DS. Could that be the issue? If so, how can we switch the admin port to 1444 instead of 4444?

    Another thought is if we could set up a DS with default 4444 port as admin and try connecting to it by changing the config in Directory servers.

    Any input on this is appreciated. Thanks in advance,


    Followed the below steps from doc to setup a clustered instance
    To Add a Server to a Site
    High availability requires redundant servers in case of failure. With AM, you configure an AM site with multiple servers in a pool behind a load balancing service that exposes a single URL as an entry point to the site.

    Follow these steps to configure a server to an existing site:

    If the site is already using keystore keys in the configuration, such as for signing client-based session cookies, SAML v2.0 assertions, and others, copy the keystore from any of the servers of the site to the configuration directory of the new instance:

    Create the configuration directory of the new instance, for example, /path/to/openam/openam. This directory must be the same as the configuration directory used by other AM servers in the site.

    Log in to the AM console and navigate to Deployment > Servers > Server Name > Security > Key Store and find the following properties:

    Keystore File

    Keystore Password File

    Private Key Password File

    These properties configure the name and path of the keystore files you need to copy to the new instance. By default, they are located in the /path/to/openam/openam directory.

    Copy the keystore files from one of the instances of the site to the /path/to/openam/openam directory created for the new instance.

    Navigate to the deployment URL of the new instance. You should see the AM configurator page.

    We are unable to get to the amconfigurator page. Below is the error in catalina.out file. Note that we copied openam.war to webapps folder and restarted tomcat. It is not a null war.
    ERROR: Unable to parse product versions for comparison; Current: null war: ForgeRock Access Management Build d239585362 (2019-January-15 06:37)
    org.forgerock.openam.upgrade.UpgradeException: Unable to parse product versions for comparison. Current: null war: ForgeRock Access Management Build d239585362 (2019-January-15 06:37)
    at org.forgerock.openam.upgrade.VersionUtils.isVersionNewer(VersionUtils.java:103)
    at org.forgerock.openam.upgrade.VersionUtils.isVersionNewer(VersionUtils.java:90)
    at com.sun.identity.setup.AMSetupManager.isVersionNewer(AMSetupManager.java:72)
    at com.sun.identity.setup.AMSetupFilter.isConfigStoreDown(AMSetupFilter.java:170)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:118)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)


    Incorrect cookie domain value was provided that caused this issue. It is now resolved

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?