---
title: Changes in AM 7.3.x
description: Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:
component: pingam
version: release-notes
page_id: pingam::changes-7.3
canonical_url: https://docs.pingidentity.com/pingam/release-notes/changes-7.3.html
section_ids:
  am_7_3_2: AM 7.3.2
  change_in_behavior_for_journeys_containing_a_certificate_collector_node: Change in behavior for journeys containing a Certificate Collector node
  am_7_3_1: AM 7.3.1
  change_to_oauth_2_0_refresh_token_introspection_response_types: Change to OAuth 2.0 refresh token introspection response types
  am_7_3: AM 7.3
  artifact-changes: Artifact updates
  change-amidentity: AMIdentity constructor
  deletion_of_site_data_on_logout: Deletion of site data on logout
  session_condition_advice_behavior: Session condition advice behavior
  password_change_messages_can_now_be_returned_in_sentence_case: Password change messages can now be returned in sentence case
  base_url_x_forwarded_headers: Base URL X-Forwarded-* headers
  org_forgerock_openam_services_email_mailserver_interface: org.forgerock.openam.services.email.MailServer interface
  removed-cts-worker-pool: Removal of CTS worker thread pool
---

# Changes in AM 7.3.x

## AM 7.3.2

### Change in behavior for journeys containing a [Certificate Collector node](https://docs.pingidentity.com/auth-node-ref/8.1/certificate-collector.html)

Previously, for journeys containing a [Certificate Collector node](https://docs.pingidentity.com/auth-node-ref/8.1/certificate-collector.html), AM would throw an exception in the following scenario:

* You set the node's Certificate Collection Method property to `Either` or `Header`

* You specified an HTTP header name

* The certificate was missing from the browser (and from the request if `Either` was selected)

Now, in this scenario, the journey continues down the `Not Collected` path.

## AM 7.3.1

### Change to OAuth 2.0 refresh token introspection response types

Previously, introspecting a stateful refresh token returned some claims as an array containing a single string.

For consistency, the following claims are now returned as strings:

* `realm`

* `userName`

* `authGrantId`

* `clientID`

## AM 7.3

### Artifact updates

If your custom code uses the following supported Java classes, you must update your build dependencies to include these modules:

| Class / interface                           | Module            |
| ------------------------------------------- | ----------------- |
| `com.sun.identity.idm.IdUtils`              | `customer-api`    |
| `com.sun.identity.idm.AMIdentity`           | `identity-api`    |
| `com.sun.identity.idm.IdEventListener`      | `identity-api`    |
| `com.sun.identity.idm.IdOperation`          | `identity-api`    |
| `com.sun.identity.idm.IdRepoException`      | `identity-api`    |
| `com.sun.identity.idm.IdSearchControl`      | `identity-api`    |
| `com.sun.identity.idm.IdSearchResults`      | `identity-api`    |
| `com.sun.identity.idm.IdSearchOpModifier`   | `identity-api`    |
| `com.sun.identity.idm.IdType`               | `identity-api`    |
| `com.sun.identity.idm.AMIdentityRepository` | `openam-identity` |
| `com.sun.identity.idm.IdRepoListener`       | `openam-identity` |

### `AMIdentity` constructor

The supported constructor, `public AMIdentity(SSOToken token, String universalId) throws IdRepoException`, no longer throws an `IllegalArgumentException` if the provided string is not a valid representation of a DN. Instead, these exceptions are now converted to instances of `IdRepoException`.

### Deletion of site data on logout

For security reasons, AM now instructs the browser to clear site data such as locally cached data and cookies when a user successfully logs out. This behavior can be disabled for compatibility purposes. Refer to the Add clear-site-data Header on Logout property in the [Core authentication attributes](https://docs.pingidentity.com/pingam/7.3/authentication-guide/authn-core-settings.html) for more information.

### Session condition advice behavior

Previously, a `Session` condition failure resulted in a `No configuration found` error. This behavior has been changed as follows:

* If `terminateSession` is `true` and policy evaluation is requested, AM sends the session advice to the Java, Web, or Identity Gateway agent when the `maxSessionTime` elapses and the user is required to reauthenticate.

* If `terminateSession` is `false` and policy evaluation is requested, AM does not send the session advice to the Java, Web, or Identity Gateway agent when the `maxSessionTime` elapses. Instead of being redirected to the login page, the user receives a 403 Forbidden response for the protected resource.

### Password change messages can now be returned in sentence case

Previously, all password change and password reset messages were transformed to upper case; for example, `YOU MUST RESET YOUR PASSWORD`. The [LDAP Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/ldap-decision.html) now provide an option to disable this transformation, letting messages be returned in the case in which they are configured; for example `You must reset your password`.

This option is disabled by default.

### Base URL `X-Forwarded-*` headers

* Previously, if you set the [Base URL source](https://docs.pingidentity.com/pingam/7.3/reference/global-services-configuration.html#base-url-source) to `X-Forwarded-* headers` and no `X-Forwarded-Proto` header was provided, the generated URL would have a protocol of `null`, for example `null://host`, which would result in a broken URL.

  From this release, if no `X-Forwarded-Proto` header is provided, a fallback scheme is used, based on the URI of the request.

* You can now specify a port in the Base URL, using the `X-Forwarded-Port` header.

* If multiple `X-Forwarded-Host` headers are specified, the outermost proxy host is used.

### `org.forgerock.openam.services.email.MailServer` interface

The supported interface, `org.forgerock.openam.services.email.MailServer` has moved from the `openam-core` module to `mail-api`.

You need to update the dependencies to recompile your implementation of this interface.

### Removal of CTS worker thread pool

To simplify AM behavior, CTS operations are now performed as part of the HTTP worker thread created by the HTTP container. This refactoring introduces the following changes:

* The `org.forgerock.services.cts.async.queue.size` and `org.forgerock.services.cts.async.queue.timeout` advanced configuration properties are no longer used.

* The following monitoring metrics have been replaced:

  * Old: `cts.task.queue` and `cts.task.queue.size`

  * New: `cts.connection.state.out` and `cts.connection.state.pending`

    For details, refer to [CTS metrics](https://docs.pingidentity.com/pingam/7.3/maintenance-guide/monitoring-metrics.html#ref-CTS-metrics).

* The primary way to tune the CTS connection pool is to use the `org.forgerock.services.cts.store.max.connections` property. The default value has been increased from `10` to `100`. Existing deployments will be upgraded to whichever is greater: `100` or the original value.

* In previous AM releases, calls to the `/json/health/ready` endpoint returned an `HTTP 200 OK` response if the CTS queue was below the configured threshold, even if the CTS data store was unavailable.

  The CTS queue has been removed in AM 7.3 as part of optimizing connections to the CTS store. If the CTS data store is unavailable, calls to the `/json/health/ready` endpoint now return an `HTTP 503 Service Unavailable` error.