ForgeRock repos and mirrors

ForgeRock LogoYou might already know that ForgeRock’s platform is built on open source software. We have been using Stash, now BitBucket, to host the git repos and to manage the review process.

If you want to read the code or the doc source code, you will find the canonical copies on that server. For example—there are more repos on the server, but here are some of the most popular links:

If you want to contribute a patch or a feature, sign up, login, and follow the development process. That process involves working on

You will also find read-only mirrors (and other goodies) at GitHub, under

Either server is fine if you just want to read the code or clone a repo.

docbkx-tools 2.0.17 is out

Congratulations to Cedric on the release of docbkx-tools 2.0.17 earlier this week.

For those of you working with DocBook and Maven, docbkx-tools provides a plugin to generate output formats (HTML, PDF, etc.) as part of the Maven build, by applying the DocBook XSL stylesheets.

The 2.0.17 release adds some improvements, including support for DocBook XSL 1.79.1.

At ForgeRock, we have been relying on docbkx-tools since 2011. The next release of our doc build plugin is using 2.0.17. Upgrade was straightforward. The only issue that still needs fixing is olink support in chunked HTML.

OpenAM Web Policy Agent Security Advisory #201603

A security vulnerability has been discovered in the OpenAM Web Policy Agent. This issue is present in version 4.0.0 of the OpenAM Web Policy Agent.

This advisory provides guidance on how to ensure your deployments can be secured. A workaround and a patch is available for the issue.

The maximum severity of the issue in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update at the earliest opportunity.

The recommendation is to deploy the following maintenance release of the Web Policy Agent (in accordance with ForgeRock’s Maintenance and Patch availability policy): 4.0.1

Customers can obtain this updated Web Agent version from BackStage.

Issue #201603-01: Business Logic Vulnerability

Product: OpenAM Web Policy Agent
Affected versions: 4.0.0
Fixed versions: 4.0.1
Component: Web Agent
Severity: Critical


When the Agent not enforced list contains a wildcard entry it may be possible to access any protected resource on the server without the need for authorization.


Set ‘’ to false and define explicit security rules for your website not-enforced resources.

Alternatively, set ‘com.forgerock.agents.notenforced.url.regex.enable’ to true and use regular expression based ‘not-enforced rules’ as per OpenAM Web Policy Agent User’s Guide › Configuring Web Policy Agents › Configuring Web Policy Agent Application Properties, instead of the older wildcard approach. Even so, explicit ‘not-enforced rules’ will need to be created.

However, it should be noted that neither of these workarounds will work well with dynamic URLs. In this instance, the only solution is to upgrade to the 4.0.1 Web Agent Release.


Use the workaround or deploy the relevant 4.0.1 Web Policy Agent Release.

We are holding a technical Unconference Summit in San Francisco on June 1

In years past we’ve held a variety of business-focused Summits. This year we’re shaking things up a bit, and hosting the inaugural San Francisco UnSummit. Similar to an unconference, the UnSummit agenda will be fluid and determined by the attendees.

We’re looking to have a shared experience, where we help impart our product knowledge and best practices, and you are able to share your feedback as users, as well as your tips, tricks and more. Our product management and engineering teams will be your hosts and you’ll be able to interact directly with our team.

Our technical Unsummit will be held on June 1 in San Francisco, CA. Register here.

While the agenda will be a collaborative effort and ultimately determined by the attendees, here are some of the sessions we’re proposing:

  • 2016 roadmap – The Road to Identityville!
  • Getting Started sessions
  • Provisioning Roles and Relationships
  • State of the Union: Understanding Stateless Identity
  • The ForgeRock APIs can do WHAT?
  • Preview of the ForgeRock Identity Gateway UI
  • ForgeRock and Angular2: Key Concepts and Getting Started
  • Plus lots more!

To learn more about the event, including more of our proposed topics (and to propose your own), or to register, visit our TicketLeap site.

For those looking to learn more about our other Summits, visit our summit site.

OpenIDM Security Advisory #201602

Security vulnerabilities have been discovered in OpenIDM components. These issues are present in versions of OpenIDM including 3.x and 4.0.x.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is High. Deployers should take steps as outlined in this advisory and deploy the recommended workarounds or resolutions as described within each issue below.

Issue #201602-01: Unencrypted Repo JDBC Password

Product: OpenIDM
Affected versions: 3.0.0, 3.1.0, 4.0.0
Fixed versions: n/a
Component: OpenIDM JDBC Repository Server
Severity: High

JDBC Repository passwords are no longer auto-encrypted by OpenIDM when the repository is activated. As a result, the password stored within the repository configuration as well as those written to the JSON configuration files (repo.jdbc.json or datasource.jdbc-default.json) and the OpenIDM log will appear in clear-text.

Manually encrypt the JDBC Repository password using the OpenIDM Command-Line Interface as detailed in the following Knowledge Article: Repository password is not encrypted in OpenIDM 3.x or 4.x log and configuration files.