---
title: Limitations
description: The following limitations are inherent to the design, not bugs to be fixed.
component: pingam
version: release-notes
page_id: pingam::limitations
canonical_url: https://docs.pingidentity.com/pingam/release-notes/limitations.html
section_ids:
  redundant_files: Redundant files
  evaluation_installations: Evaluation installations
  identity_and_data_store_scaling: Identity and data store scaling
  webauthn-limitations: Web Authentication (WebAuthn)
  am_admin_ui_access_requires_the_realm_admin_privilege: AM admin UI access requires the Realm Admin privilege
  specifying_keys_in_jwt_headers: Specifying keys in JWT headers
  different_am_versions_within_a_site: Different AM versions within a site
  special_characters_in_policy_application_or_referral_names: Special characters in policy, application, or referral names
  xacml_policy_import_and_export_from_different_vendors: XACML policy import and export from different vendors
  uma: UMA
  amster-limitations: Amster
---

# Limitations

The following limitations are inherent to the design, not bugs to be fixed.

## Redundant files

The installation and upgrade wizards depend on three libraries that aren't needed once installation or upgrade is complete. Remove them so that the deployed web application doesn't carry code it no longer uses.

When your installation or upgrade is complete, remove the following `.jar` files from the `WEB-INF/lib` directory:

* `click-extras-2.3.0.jar`

* `click-nodeps-2.3.0.jar`

* `velocity-1.7.jar`

These files are used *only* by the wizards. Removing them will have no effect on your installed instance.
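As a post-install check, the following Python script is an added example (not part of PingAM) that reports whether any of the three wizard jars is still deployed and, if asked, deletes them. The `WEB-INF/lib` path used at the bottom is an assumption; point it at your container's exploded AM web application.

```python
"""Post-install check for the wizard-only libraries listed above.

Added example, not PingAM code: looks for the three wizard .jar files in a
deployed AM web application's WEB-INF/lib directory and can delete them.
The default path is an assumption; adjust it to your deployment.
"""
from pathlib import Path

# The wizard-only libraries named in the release notes.
WIZARD_JARS = (
    "click-extras-2.3.0.jar",
    "click-nodeps-2.3.0.jar",
    "velocity-1.7.jar",
)


def wizard_jars_present(lib_dir):
    """Return the wizard jars still present in lib_dir, sorted by name."""
    lib = Path(lib_dir)
    return sorted(name for name in WIZARD_JARS if (lib / name).is_file())


def remove_wizard_jars(lib_dir):
    """Delete any wizard jars found in lib_dir; return the names removed."""
    lib = Path(lib_dir)
    removed = []
    for name in wizard_jars_present(lib):
        (lib / name).unlink()
        removed.append(name)
    return removed


if __name__ == "__main__":
    import sys

    # Assumed location of the exploded AM webapp; pass your own as argv[1].
    lib_dir = sys.argv[1] if len(sys.argv) > 1 else "/path/to/tomcat/webapps/am/WEB-INF/lib"
    leftover = wizard_jars_present(lib_dir)
    if leftover:
        print("wizard jars still deployed:", ", ".join(leftover))
        sys.exit(1)
    print("no wizard jars found in", lib_dir)
```

Run it with the `WEB-INF/lib` path as the only argument; a non-zero exit means at least one wizard jar is still deployed, which makes it usable as a gate in a deployment pipeline. Call `remove_wizard_jars()` from a script when you want the deletion done for you.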

## Evaluation installations

Installing AM for evaluation purposes can fail with a message similar to the following if the JDK's default truststore (`cacerts`) is read-only, that is, its permissions are `444`:

```
$JAVA_HOME/lib/security/cacerts (Permission denied), refer to install.log under /path/to/install.log for more information.
```

To work around this issue, locate the truststore that your container is using and change its permissions to `644` before installing AM:

```
$ sudo chmod 644 $JAVA_HOME/lib/security/cacerts
```

Restore the original permissions once AM is installed.

## Identity and data store scaling

The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change. To work around this, either:

* Manually add or remove the instances from the connection string and restart AM or the container where it runs.

* Configure a [DS proxy](https://docs.pingidentity.com/pingds/8.1/config-guide/proxy.html) in front of the DS instances to distribute data across many DS *shards*, and configure the proxy address in the connection string.

## Web Authentication (WebAuthn)

AM doesn't support the following functionality, as described in the [Web Authentication specification](https://www.w3.org/TR/webauthn/):

* Registration

  * AM doesn't support [Token Binding](https://datatracker.ietf.org/doc/html/draft-ietf-tokbind-protocol-19#token-binding).

  * [Web Authentication extensions](https://www.w3.org/TR/webauthn/#extensions) aren't supported.

  * [Credential ID](https://www.w3.org/TR/webauthn/#credential-id) values aren't verified against the credential IDs registered with all existing users, so a registration isn't rejected because the same credential ID already belongs to a different user.

  * The ECDAA signature of the [Packed attestation format](https://www.w3.org/TR/webauthn/#packed-attestation) isn't supported.

* Authentication

  * [Token Binding](https://datatracker.ietf.org/doc/html/draft-ietf-tokbind-protocol-19#token-binding) isn't supported.

  * [Web Authentication extensions](https://www.w3.org/TR/webauthn/#extensions) aren't supported.

  * [Signature counters](https://www.w3.org/TR/webauthn/#signature-counter) aren't supported, so a counter that fails to increase between assertions isn't used to flag a cloned authenticator.

Refer to [MFA: Web Authentication (WebAuthn)](https://docs.pingidentity.com/pingam/7.3/authentication-guide/authn-mfa-webauthn.html) for more information.
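Two of the items above (credential ID uniqueness at registration and the signature counter at authentication) are checks the Web Authentication specification asks a relying party to perform. The following Python is an added example, not AM code, showing what those checks look like over a minimal in-memory credential record; the authenticator data it parses is constructed for the example. If you rely on AM's WebAuthn nodes, neither check is performed for you.

```python
"""Two WebAuthn relying-party checks that AM does not perform (added example,
not AM code): credential ID uniqueness across users at registration, and the
signature counter comparison at authentication. The credential store and the
authenticatorData samples are constructed for this example."""
import struct


def parse_sign_count(authenticator_data):
    """authenticatorData starts rpIdHash[32] || flags[1] || signCount[4] (big-endian)."""
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    return struct.unpack(">I", authenticator_data[33:37])[0]


class CredentialStore:
    def __init__(self):
        # credential_id (bytes) -> {"user": str, "sign_count": int}
        self._by_id = {}

    def register(self, user, credential_id, initial_sign_count):
        """Registration: a credential ID must not already belong to a different user."""
        existing = self._by_id.get(credential_id)
        if existing is not None and existing["user"] != user:
            raise ValueError("credential ID already registered to another user")
        self._by_id[credential_id] = {"user": user, "sign_count": initial_sign_count}

    def check_and_update_counter(self, credential_id, authenticator_data):
        """Authentication: compare the asserted counter with the stored one.

        Per the spec, if either the stored or the new counter is non-zero, the
        new value must be strictly greater; otherwise the authenticator may
        have been cloned. A zero/zero pair means no counter is implemented.
        """
        record = self._by_id[credential_id]
        new = parse_sign_count(authenticator_data)
        stored = record["sign_count"]
        if new == 0 and stored == 0:
            return "no-counter"
        if new <= stored:
            # Keep the stored value; it is the last known-good counter.
            return "clone-suspected"
        record["sign_count"] = new
        return "ok"


def make_authenticator_data(sign_count, rp_id_hash=b"\x00" * 32, flags=0x01):
    """Build minimal authenticatorData for testing (constructed input)."""
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", b"cred-1", 0)
    print(store.check_and_update_counter(b"cred-1", make_authenticator_data(5)))  # ok
    print(store.check_and_update_counter(b"cred-1", make_authenticator_data(5)))  # clone-suspected
```

What a relying party does on `clone-suspected` is policy (alert, step-up, revoke the credential); the point is that without the counter check the regression is invisible.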

## AM admin UI access requires the `Realm Admin` privilege

In this version of AM, administrators can use the AM admin UI as follows:

* Delegated administrators with the `Realm Admin` privilege can access full AM admin UI functionality within the realms they administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM's global configuration.

* Administrators with fewer privileges, such as the `Policy Admin` privilege, can't access the AM admin UI.

* The top-level administrator, such as `amAdmin`, has access to full AM admin UI functionality in all realms and can access AM's global configuration.

## Specifying keys in JWT headers

AM ignores key material supplied in JWT headers, such as the `jku` (JWK Set URL) and `jwk` (embedded JSON Web Key) header parameters. Honouring them would let the sender of a token choose the key used to verify it. Configure the public keys or certificates in AM instead, as explained in the relevant sections of the documentation.
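To see why a verifier must not take its key from the token, here is an added Python illustration (not AM code; HS256 with the standard library only). A token signed with a key the sender chose, carried in the header's `jwk` member, is accepted by a verifier that trusts the header and rejected by one that resolves keys only from its own configuration by `kid`. The key values, the `kid`, and the payload are constructed for the example.

```python
"""Header-supplied keys versus configured keys (added example, not AM code).

The forged token is HS256-signed with a key the sender picked and carries that
key in the "jwk" header. A verifier that honours the header accepts it; one
that looks keys up only in its own configuration by "kid" rejects it.
Keys, kid values and payloads below are constructed for the example."""
import base64
import hashlib
import hmac
import json


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HMAC-SHA256."""
    signing_input = (_b64u(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64u(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


def _signature_ok(token: str, key: bytes) -> bool:
    h, p, s = token.split(".")
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64u_dec(s))


def verify_trusting_header(token: str) -> bool:
    """Unsafe: the HMAC key is taken from the token's own "jwk" header."""
    header = json.loads(_b64u_dec(token.split(".")[0]))
    jwk = header.get("jwk", {})
    if jwk.get("kty") != "oct":
        return False
    return _signature_ok(token, _b64u_dec(jwk["k"]))


def verify_with_configured_keys(token: str, configured: dict) -> bool:
    """Safe: "jku"/"jwk" are ignored; the key comes from configuration by "kid"."""
    header = json.loads(_b64u_dec(token.split(".")[0]))
    if header.get("alg") != "HS256":
        return False
    key = configured.get(header.get("kid"))
    if key is None:
        return False
    return _signature_ok(token, key)


# Constructed keys: the one the verifier is configured with, and the sender's own.
CONFIGURED_KEYS = {"am-client-1": b"configured-secret-for-client-1"}
ATTACKER_KEY = b"attacker-chosen-key"


def forged_token() -> str:
    """Signed with the attacker's key, which is also embedded in the header."""
    header = {"alg": "HS256", "kid": "am-client-1",
              "jwk": {"kty": "oct", "k": _b64u(ATTACKER_KEY)}}
    return sign_hs256(header, {"sub": "admin"}, ATTACKER_KEY)


def legitimate_token() -> str:
    """Signed with the key the verifier actually has configured."""
    return sign_hs256({"alg": "HS256", "kid": "am-client-1"}, {"sub": "alice"},
                      CONFIGURED_KEYS["am-client-1"])


if __name__ == "__main__":
    print("trusting header accepts forged token:",
          verify_trusting_header(forged_token()))
    print("configured keys accept forged token:",
          verify_with_configured_keys(forged_token(), CONFIGURED_KEYS))
```

The same argument applies to asymmetric algorithms: an embedded or URL-referenced public key is only as trustworthy as the party who wrote the header, which is why the verification key must come from the verifier's own configuration.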

## Different AM versions within a site

Different AM versions within a site aren't supported. Don't run different versions of AM together in the same AM site.

## Special characters in policy, application, or referral names

Don't use special characters in policy, application, or referral names (for example, `my+referral`). If a name contains any of the following characters, AM rejects the request with a 400 Bad Request error:

* double quotes (")

* plus sign (+)

* comma (,)

* less than (<)

* equals (=)

* greater than (>)

* backslash (\\)

* null (\u0000)

## XACML policy import and export from different vendors

AM can only import XACML 3.0 files that were created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

## UMA

UMA is not currently supported in the Platform End User UI.

## Amster

Amster has the following known limitations:

* **No support for load balanced deployments**

  Amster can't connect to a load balancer URL. You must connect Amster directly to a single AM instance. Using a load balancer could send sequential commands to different AM instances, and could result in concurrency issues when writing to the underlying configuration store.

* **Bulk import to external application stores with affinity**

  If affinity is enabled for an external application data store, bulk import intermittently fails with errors similar to the following:

  `Resource path 'http////////eea87a38e3ca476fa93a3669375ada3a' contains empty path elements`

  Before using Amster for a bulk import to an application store, disable data store affinity, or remove the load balancer from the application store deployment. You can re-enable affinity when the import has completed.

* **Importing resources containing slash characters can fail**

  Some PingAM resources have names that can contain slash characters (`/`), for example policy names, application names, and SAML v2.0 entities. These slash characters can cause unexpected behavior and failures in Amster when importing into PingAM instances running on Apache Tomcat.

  To work around this issue, configure Apache Tomcat 8.5 or 9 to allow encoded slash characters by setting the `CATALINA_OPTS` environment variable before starting Tomcat. For example:

  On Unix/Linux systems:

  ```
  $ export CATALINA_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
  $ startup.sh
  ```

  On Windows systems:

  ```
  C:\> set CATALINA_OPTS=-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
  C:\> startup.bat
  ```

  **Warning:** It's strongly recommended that you do *not* enable `org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH` when running AM in production as it introduces a security risk on Apache Tomcat. Additionally, this setting isn't supported on Apache Tomcat 10.

  Learn more in [How do I safely enable the org.apache.tomcat.util.buf.UDecoder.ALLOW\_ENCODED\_SLASH setting in PingAM?](https://support.pingidentity.com/s/article/How-do-I-safely-enable-the-org-apache-tomcat-util-buf-UDecoder-ALLOWENCODEDSLASH-setting-in-PingAM) in the *Knowledge Base*.

* **\[INFO] messages showing on SuSE on Amster start up**

  Running Amster on SuSE may produce `[INFO]` messages, for example:

  ```
  # ./amster
  [INFO] Unable to bind key for unsupported operation: up-history
  [INFO] Unable to bind key for unsupported operation: down-history
  [INFO] Unable to bind key for unsupported operation: up-history
  [INFO] Unable to bind key for unsupported operation: down-history
  OpenAM Shell (version build build, JVM: version)
  Type ':help' or ':h' for help.
  -----------------------------------------------------
  am>
  ```

  These messages are caused by the keyboard mappings configured in the `/etc/inputrc` file and can safely be ignored, as they don't affect functionality.
