OpenAM security is a serious matter, especially when the product plays a critical role in your architecture, which is often the case. Here is some advice to help you avoid security holes in an OpenAM deployment.
1 – OpenAM lower layers security
To avoid security flaws in your OpenAM-based architecture, you first have to check the security of its lower layers. By OpenAM lower layers I mean mainly the operating system, the Java virtual machine and the web container. Always keep these components up to date with the latest security patches: a vulnerability in any of them exposes OpenAM no matter how carefully OpenAM itself is configured. You will find security news and updates on each component's website.
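Before you can compare those lower layers against vendor advisories you need to know exactly what is installed. The script below is an added example, not code from the original post or from ForgeRock: it inventories the OS, the JVM and the web container on a host and flags a JVM older than a minimum major version. It assumes Tomcat is the web container, installed under CATALINA_HOME (defaulting to the hypothetical path /opt/tomcat), and the minimum Java major version of 8 is an assumed policy threshold, not a recommendation from the page; the version strings in the demo are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): inventory the OpenAM "lower layers"
# (OS, JVM, web container) so they can be checked against vendor security advisories.
# Assumes Tomcat is the web container, under $CATALINA_HOME (hypothetical default /opt/tomcat).

# Extract the major Java version from the first line of `java -version` output.
# Handles the pre-9 form  java version "1.8.0_362"   -> 8
# and the newer form      openjdk version "11.0.19"  -> 11
java_major_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# Extract "8.5.93" from Tomcat's version.sh line 'Server number:  8.5.93.0'
tomcat_version() {
    printf '%s\n' "$1" | sed -n 's/^Server number:[[:space:]]*\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'
}

# Succeed (exit 0) only when the JVM major version is at least $2; any unparsable
# version string is treated as unsupported rather than silently passing.
jvm_is_supported() {
    major=$(java_major_version "$1")
    [ -n "$major" ] && [ "$major" -ge "$2" ]
}

# Live inventory of the host this runs on; each layer is reported only if its tool is present.
report_lower_layers() {
    min_java=${MIN_JAVA_MAJOR:-8}   # assumed policy threshold, adjust to your own baseline
    if [ -r /etc/os-release ]; then
        printf 'OS:      %s\n' "$(sed -n 's/^PRETTY_NAME="\(.*\)"$/\1/p' /etc/os-release)"
    fi
    if command -v java >/dev/null 2>&1; then
        line=$(java -version 2>&1 | head -n 1)
        printf 'JVM:     %s\n' "$line"
        if jvm_is_supported "$line" "$min_java"; then
            echo "JVM:     major version OK (>= $min_java)"
        else
            echo "JVM:     WARNING: older than $min_java or unknown, check vendor advisories"
        fi
    fi
    tc_home=${CATALINA_HOME:-/opt/tomcat}
    if [ -x "$tc_home/bin/version.sh" ]; then
        line=$("$tc_home/bin/version.sh" | grep '^Server number')
        printf 'Tomcat:  %s\n' "$(tomcat_version "$line")"
    fi
}

# Demo on constructed sample strings (not captured from any real host).
demo() {
    for sample in 'java version "1.7.0_80"' 'java version "1.8.0_362"' 'openjdk version "11.0.19" 2023-04-18'; do
        if jvm_is_supported "$sample" 8; then
            printf '%-45s -> major %s, supported\n' "$sample" "$(java_major_version "$sample")"
        else
            printf '%-45s -> major %s, NOT supported\n' "$sample" "$(java_major_version "$sample")"
        fi
    done
    printf 'Tomcat sample -> %s\n' "$(tomcat_version 'Server number:  8.5.93.0')"
}

demo
report_lower_layers
```

Run it on each OpenAM host and keep the output with your patch records; the live report is only as good as the tools it finds, so a missing "JVM:" or "Tomcat:" line means the check could not run, not that the layer is absent.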
2 – OpenAM security
ForgeRock keeps its OpenAM users aware of potential security flaws in the product through this page. You can also be notified of the latest security advisories by subscribing to their mailing lists, following the RSS feed or, if you are a customer, making sure your contact details are correct in ForgeRock BackStage.
Here are some external resources about old OpenAM flaws and the way an attacker could exploit them:
Andrew Petukhov YouTube channel:
ZeroNights 2012 presentation:
3 – Securing OpenAM in production
The last (but not least) piece of advice is to secure OpenAM in production deployments. To do so, follow the OpenAM best practices guide, which shows, among other things, how to protect network access and how to secure administration and communication.