<chapter xml:id='chap-whats-new'
xmlns='' version='5.0' xml:lang='en'>
<title>What's New in OpenAM <?eval ${serverDocTargetVersion}?></title>
<para>OpenAM <?eval ${serverDocTargetVersion}?> fixes a number of issues, and
provides the following additional features.</para>
<para>OpenAM <?eval ${serverDocTargetVersion}?> is a milestone release
from the main development branch of the product. The Xpress release contains
selected key features and all current fixed issues. An Xpress release
undergoes important functional testing but not the complete testing cycle
that is done for a full Enterprise release.</para>
<para>Xpress releases are supported through ForgeRock subscriptions and are
upgradeable to the Enterprise version, which has long-term support.</para>
<para>The goal of an Xpress release is to enable you to start build phases
earlier, with the most recent features, instead of having to wait for the
Enterprise release date. Fixes to issues that are discovered in an Xpress
release are delivered as patches to ForgeRock customers, and are guaranteed
to be delivered in the Enterprise release that follows. Xpress releases are
supported for a grace period after the Enterprise version has been
<para>With the exception of these Release Notes, the official documentation
for this release is still in progress, and is accessible at
<link xlink:href="" xlink:show="new"
></link>. The complete, validated
documentation set will be available with the Enterprise release.</para>
<title>Major New Features</title>
<para>OpenAM now provides further support for OAuth 2.0. In addition
to playing the role of client and resource server, OpenAM can now also
play the role of OAuth 2.0 authorization server. See <link
xlink:role=""><citetitle>Managing OAuth
2.0 Authorization</citetitle></link> for explanations, instructions,
and examples.</para>
<para>Session failover has been modified to be simpler to deploy (<link
xlink:show="new">OPENAM-625</link>). OpenAM 10.0.1 and earlier required the
use of Open Message Queue and Berkeley DB Java Edition, which increased the
complexity and amount of time required to get session failover working.
OpenAM now writes session data to the configuration data store instead.
This implementation can also be used to make sessions persist across restarts
of a single OpenAM server. The current implementation requires that you use
OpenDJ for the configuration data store.</para>
<para>This new implementation is designed to operate on a local site network.
Cross-site session failover and session failover across wide area networks
(WANs) are not supported.</para>
<para>IBM<superscript>®</superscript> WebSphere<superscript>®</superscript>
8.0 is now a supported platform. See <link
xlink:role=""><citetitle>Preparing IBM
WebSphere</citetitle></link> in the <citetitle>Installation Guide</citetitle>
for details on how to set up WebSphere 8.0 and 8.5 before deploying
<para>Legacy naming conventions have been changed to conform to the
current product name, OpenAM. This includes the OpenAM bootstrap file
(<link xlink:href=""
xlink:show="new">OPENAM-1555</link>). <filename>$HOME/.openamcfg/</filename>
is the new name for <filename>$HOME/.openssocfg/</filename>. If you upgrade,
OpenAM still supports use of <filename>$HOME/.openssocfg/</filename>, and
does not rename the folder. For new OpenAM installs, OpenAM creates the
directory with the new name, <filename>$HOME/.openamcfg/</filename>, at
configuration time. Other files, such as the <filename>openam.war</filename>
file, and paths have been modified to ensure consistency with the naming
<para>OpenAM now supports <link xlink:show="new"
xlink:href="">Open Authentication</link>
(<link xlink:href=""
xlink:show="new">OPENAM-727</link>). The module supports one-time passwords
that are either HMAC-based (HOTP) or time-based (TOTP). OATH lets you
determine which type of one-time password is best for your users when they
need to log in with a password-generating device. Devices can range from a
smartphone to a dedicated device, such as a YubiKey or any other
OATH-compliant device.</para>
<para>With OATH, OpenAM now supports YubiKey<superscript>®</superscript>
authentication. The YubiKey simplifies the process of logging in with a
one-time password token, as it does not require the user to re-type long pass
codes from a display device into the login field of the computer. The
YubiKey is inserted into the USB port of any computer, and the OTP is
generated and entered automatically with a simple touch of a button on the
YubiKey, without the need for any client software or drivers.</para>
<title>Additional New Features</title>
<!-- AME-219 and CR-889 -->
<para>OpenAM now provides an account expiration post authentication plugin to
set an account expiration date on successful login.</para>
<para>OpenAM now bundles OpenDJ 2.4.6 (<link
<para>The AMLoginModule now lets authentication modules retrieve the list of
current session tokens for a user (<link
<para>OpenAM's IDPAdapter now provides additional hooks for customization.
This improvement introduces changes to the API that affect custom IDPAdapters
(<link xlink:href=""
<para>When running as a Service Provider, OpenAM no longer requires
that you enable module-based authentication (<link
<!-- Unresolved for Xpress
<para>The OATH authentication module now implements resynchronization
for TOTP (<link
<para>OpenAM now has better support for using a reverse proxy for federation
when DAS is also deployed (<link
<para>OpenAM now allows use of a read-only data store with a non-transient
NameID during SAML 2.0 federation (<link
<para>The ssoadm command now includes a get-sub-cfg subcommand (<link
<para>The REST authenticate command now has a parameter to specify the
client IP address (<link
<para>OpenAM is now built with Maven. Maven artifacts continue to be uploaded
to the ForgeRock Maven repository (<link
<para>You can now prevent OpenAM from caching subject evaluations for
policy decisions (part of the fix for <link xlink:show="new"
<para>In most cases you do not need to turn off caching, as OpenAM now
clears cache when group membership changes. Before turning off caching in
production, first test the setting to ensure that the performance impact is
acceptable for your deployment.</para>
<para>To turn off caching, set Access Control &gt; <replaceable
>Realm Name</replaceable> &gt; Services &gt; Policy Configuration &gt;
Subjects Result Time to Live to 0. The equivalent
<command>ssoadm</command> property for the
<literal>iPlanetAMPolicyConfigService</literal> is