Directory Services 7.2.5

Before you upgrade

Fulfill these requirements before upgrading Directory Services software, especially before upgrading the software in a production environment. Also refer to the requirements listed in release notes.

Supported Java

  • Always use a JVM with the latest security fixes.

  • Make sure you have a required Java environment installed on the system.

    If your default Java environment is not appropriate, use one of the following solutions:

    • Edit the default.java-home setting in the opendj/config/java.properties file.

    • Set OPENDJ_JAVA_HOME to the path to the correct Java environment.

    • Set OPENDJ_JAVA_BIN to the absolute path of the java command.

  • When running the dskeymgr and setup commands, use the same Java environment everywhere in the deployment.

    Due to a change in Java APIs, the same DS deployment ID generates different CA key pairs with Java 11 and Java 17.

    Using different Java versions is a problem if you use deployment ID-based CA certificates. Replication breaks, for example, when you use the setup command for a new server with a more recent version of Java than was used to set up existing servers.

    For details on resolving the issue, refer to Incompatible Java versions.

DS software supports the following Java environments:

Supported Java Versions
Vendor Versions

OpenJDK, including OpenJDK-based distributions:

  • AdoptOpenJDK/Eclipse Temurin Java Development Kit (Adoptium)

  • Amazon Corretto

  • Azul Zulu

  • Red Hat OpenJDK

ForgeRock tests most extensively with AdoptOpenJDK/Eclipse Temurin.

ForgeRock recommends using the HotSpot JVM.

11(1), 17(2)

Oracle Java

11(1), 17(2)

(1) DS requires Java 11.0.6 or later. Earlier Java 11 updates lack required cryptography fixes. To use TLS 1.3 with PKCS#11, DS requires Java 11.0.8 or later. Use Java 11.0.12 or later for compatibility with third-party cryptographic tools.

(2) DS requires Java 17.0.3 or later. Earlier Java 17 updates lack required cryptography fixes.

Required credentials

Perform the upgrade procedure as the user who owns the server files.

Make sure you have the credentials to run commands as this user.

Back up first

Before upgrading, perform a full file system backup of the current server so that you can revert on failure. Make sure you stop the directory server and back up the file system directory where the current server is installed.

Backup archives are not guaranteed to be compatible across major and minor server releases. Restore backups only on directory servers of the same major or minor version.

Disable Windows service

If you are upgrading a server registered as a Windows service, disable the Windows service before upgrade:

C:\path\to\opendj\bat> windows-service.bat --disableService

After upgrade, enable the server as a Windows service again.