IG 6.5 Release Notes

Release Notes
/ ForgeRock Identity Gateway 6.5
Latest update: 6.5.1
Mark Craig
Joanne Henry
ForgeRock AS
201 Mission St., Suite 2900
San Francisco, CA 94105, USA
+1 415-599-1100 (US)
www.forgerock.com
Copyright © 2012-2019 ForgeRock AS.
Abstract
Notes on prerequisites, fixes, and known issues for the ForgeRock® Identity Gateway.
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-nd/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
ForgeRock® and ForgeRock Identity Platform™ are trademarks of ForgeRock Inc. or its subsidiaries in the U.S. and in other countries. Trademarks are the property of their respective owners.
UNLESS OTHERWISE MUTUALLY AGREED BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS,
IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT
OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH
EXCLUSION MAY NOT APPLY TO YOU.
EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY
DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DejaVu Fonts
Bitstream Vera Fonts Copyright
Copyright (c) 2003 by Bitstream, Inc. All Rights Reserved. Bitstream Vera is a trademark of Bitstream, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of the fonts accompanying this license ("Fonts") and associated documentation files (the "Font Software"), to reproduce and distribute the Font
Software, including without limitation the rights to use, copy, merge, publish, distribute, and/or sell copies of the Font Software, and to permit persons to whom the Font Software is furnished to do so, subject to the following
conditions:
The above copyright and trademark notices and this permission notice shall be included in all copies of one or more of the Font Software typefaces.
The Font Software may be modified, altered, or added to, and in particular the designs of glyphs or characters in the Fonts may be modified and additional glyphs or characters may be added to the Fonts, only if the fonts are
renamed to names not containing either the words "Bitstream" or the word "Vera".
This License becomes null and void to the extent applicable to Fonts or Font Software that has been modified and is distributed under the "Bitstream Vera" names.
The Font Software may be sold as part of a larger software package but no copy of one or more of the Font Software typefaces may be sold by itself.
THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL BITSTREAM OR THE GNOME FOUNDATION BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF THE USE OR
INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER DEALINGS IN THE FONT SOFTWARE.
Except as contained in this notice, the names of Gnome, the Gnome Foundation, and Bitstream Inc., shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Font Software without prior
written authorization from the Gnome Foundation or Bitstream Inc., respectively. For further information, contact: fonts at gnome dot org.
Arev Fonts Copyright
Copyright (c) 2006 by Tavmjong Bah. All Rights Reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of the fonts accompanying this license ("Fonts") and associated documentation files (the "Font Software"), to reproduce and distribute the modifications
to the Bitstream Vera Font Software, including without limitation the rights to use, copy, merge, publish, distribute, and/or sell copies of the Font Software, and to permit persons to whom the Font Software is furnished to do so,
subject to the following conditions:
The above copyright and trademark notices and this permission notice shall be included in all copies of one or more of the Font Software typefaces.
The Font Software may be modified, altered, or added to, and in particular the designs of glyphs or characters in the Fonts may be modified and additional glyphs or characters may be added to the Fonts, only if the fonts are
renamed to names not containing either the words "Tavmjong Bah" or the word "Arev".
This License becomes null and void to the extent applicable to Fonts or Font Software that has been modified and is distributed under the "Tavmjong Bah Arev" names.
The Font Software may be sold as part of a larger software package but no copy of one or more of the Font Software typefaces may be sold by itself.
THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL TAVMJONG BAH BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, INCLUDING ANY
GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF THE USE OR INABILITY TO USE THE FONT
SOFTWARE OR FROM OTHER DEALINGS IN THE FONT SOFTWARE.
Except as contained in this notice, the name of Tavmjong Bah shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Font Software without prior written authorization from Tavmjong Bah.
For further information, contact: tavmjong @ free . fr.
FontAwesome Copyright
Copyright (c) 2017 by Dave Gandy, http://fontawesome.io.
This Font Software is licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL
Table of Contents
Preface ......................................................................................................................... iv
1. What's New ............................................................................................................... 1
1.1. Maintenance Releases .................................................................................... 1
1.2. New Features ................................................................................................. 1
1.3. Product Improvements ................................................................................... 7
1.4. Security Advisories ......................................................................................... 8
2. Before You Install ..................................................................................................... 9
2.1. Downloading IG Software ............................................................................... 9
2.2. Java Requirements ......................................................................................... 9
2.3. Web Application Containers ........................................................................... 9
2.4. AM Java Agents ............................................................................................ 10
2.5. Features Supported With ForgeRock Access Management ............................ 10
2.6. Third-Party Software Required for Encryption .............................................. 11
3. Compatibility With Other Releases .......................................................................... 12
3.1. Important Changes to Existing Functionality ................................................ 12
3.2. Deprecated Functionality .............................................................................. 13
3.3. Removed Functionality ................................................................................. 17
4. Fixes, Limitations, and Known Issues ...................................................................... 19
4.1. Key Fixes ...................................................................................................... 19
4.2. Limitations ................................................................................................... 20
4.3. Known Issues ............................................................................................... 21
5. Documentation Changes .......................................................................................... 23
A. Release Levels and Interface Stability ..................................................................... 24
A.1. ForgeRock Product Release Levels ............................................................... 24
A.2. ForgeRock Product Interface Stability .......................................................... 25
B. Getting Support ...................................................................................................... 27
B.1. Accessing Documentation Online .................................................................. 27
B.2. How to Report Problems or Provide Feedback .............................................. 27
B.3. Getting Support and Contacting ForgeRock ................................................. 28
Release Notes ForgeRock Identity Gateway 6.5 (2019-04-10T17:34:43.175)

Copyright © 2012-2019 ForgeRock AS. All rights reserved. iii
Preface
ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity
and Access Management solution. We help our customers deepen their relationships with their
customers, and improve the productivity and connectivity of their employees and partners. For more
information about ForgeRock and about the platform, see https://www.forgerock.com.

Copyright © 2012-2019 ForgeRock AS. All rights reserved. iv
What's New
Maintenance Releases
Chapter 1
What's New
1.1. Maintenance Releases
IG 6.5.1
• ForgeRock maintenance releases contain a collection of fixes and minor RFEs that have been
grouped together and released as part of our commitment to support our customers. IG 6.5.1 is
the latest release targeted for IG 6.5.0 deployments and can be downloaded from the ForgeRock
Backstage website. To view the list of fixes in this release, see Key Fixes in IG 6.5.1.
The release can be deployed as an initial deployment or updated from an existing 6.5.0 deployment.
IG 6.5.0 is available for download at the ForgeRock Backstage website.
For general information on ForgeRock's maintenance and patch releases, see Maintenance and
Patch Availability Policy.
1.2. New Features
What's New in IG 6.5.1
• OAuth 2.0 Mutual TLS
IG now supports that ability for clients to authenticate to AM through OAuth 2.0 mutual TLS
(mTLS) and X.509 certificates. You must use self-signed certificates or public key infrastructure
(PKI), as per version 12 of the draft OAuth 2.0 Mutual TLS Client Authentication and Certificate
Bound Access Tokens.
For information about IG's support of Mutual TLS, see Access Token Resolvers in the Configuration
Reference, and "Acting as an OAuth 2.0 Resource Server" in the Gateway Guide.
• StatelessAccessTokenResolver can now rely on a SecretsProvider
A new heap object, SecretsProvider, is available to provide a secrets service for the
StatelessAccessTokenResolver, that uses specified secret stores to resolve access_tokens.

Copyright © 2012-2019 ForgeRock AS. All rights reserved. 1
What's New
New Features
Before this improvement, the StatelessAccessTokenResolver used the global secrets service to
resolve access_tokens, which searches for keys across the whole configuration. If multiple keys
have the same label, there is a bigger risk that the wrong key is used.
For backward compatibility, if SecretsProvider is not configured, the StatelessAccessTokenResolver

uses the global secrets service.
For information, see SecretsProvider(5) in the Configuration Reference and

StatelessAccessTokenResolver(5) in the Configuration Reference.
• Policy Enforcement Advice
If an AM policy decision denies a request with supported advices, the PolicyEnforcementFilter can
now redirect the request to a URL specified in a SingleSignOnFilter, such as the URL of a custom
login page. Previously, the filter always redirected the request back to AM.
The URL is passed in a new property, loginEndpoint, in the ssoToken context. To use the redirect,
configure loginEndpoint in the SingleSignOnFilter.
For information, see SingleSignOnFilter(5) in the Configuration Reference.
• New toJSON Function to Parse Strings as JSON
IG 6.5.1 provides a toJSON function that can be used in expressions to parse strings as JSON. For
more information, see Functions(5) in the Configuration Reference.
• Preserve Query Strings In URLs
A new property in admin.json allows you to preserve query strings as they are presented in URLs.
Select this option when query strings must not change during processing, for example, in signature
verification.
By default, IG tolerates characters that are disallowed in query string URL components, by applying
a decode/encode process to the whole query string.
For information, see preserveOriginalQueryString in AdminHttpApplication(5) in the Configuration

Reference.
What's New in IG 6.5.0

• Commons Secret Service
IG now leverages the ForgeRock Commons Secrets Service for the management of passwords
and secrets in the following objects: AmService, ClientHandler, ClientRegistration, JwtSession,
KeyManager, JwtBuilderFilter, and CapturedUserPasswordFilter.
Managing secrets with the Commons Secrets Service provides the following benefits:
• Separation from other configuration so that configuration can be moved between environments

What's New
New Features
• Storage in different secure backends, including file-based keystores, Hardware Security Modules
(HSM), and Key Management Systems (KMS)
• Provision through environment variables or unencrypted JSON, for deployment simplicity or

where host/OS security is considered adequate.
• Ease of rotation or revocation, regardless of the storage backend.
In this release, routes generated in Studio do not use the Commons Secrets Service. Documentation
examples generated with Studio use deprecated properties.
For information about the SecretsService, see Secrets in the Configuration Reference. For
information about new and deprecated properties, see "Compatibility With Other Releases".
• Local Validation of Stateless Access-Tokens
The StatelessAccessTokenResolver is now available to validate stateless access_tokens

without referring to AM. Use StatelessAccessTokenResolver with the access_token resolver in
OAuth2ResourceServerFilter.
Because IG can validate stateless access_tokens locally, without referring AM, this feature provides
the following benefits:
• Improved performance, by reducing the number of network hops required for validation
• Improved robustness, by validating access_tokens even when AM is not available

Supported with OpenAM 13.5, and AM 5 and later versions.
For more information, see "Validating Stateless Access_Tokens With the

StatelessAccessTokenResolver" in the Gateway Guide and StatelessAccessTokenResolver(5) in the
Configuration Reference.
• Transactional Authorization
IG can now respond to the TransactionConditionAdvice from AM to require users to perform additional
actions when trying to access a resource protected by an AM policy.
Performing the additional actions successfully grants a one-time access to the protected resource.
Additional attempts to access the resource require the user to perform the additional actions again.
Supported with AM 5.5 and later versions.
For more information, see "Hardening Authorization With Advice From AM" in the Gateway Guide.
• Disconnection Strategy WebSocket Notification Service
IG can now configure what happens to the session cache and policy enforcement cache when the
WebSocket notification service is disconnected and then reconnected. By default, the caches are
cleared on disconnect.

What's New
New Features
For information, see onNotificationDisconnection in AmService(5) in the Configuration Reference and

PolicyEnforcementFilter(5) in the Configuration Reference.
• Dynamic Scope Evaluation for OAuth2ResourceServerFilter
The OAuth2ResourceServerFilter can now use a script to evaluate which scopes must be provided
in an OAuth 2.0 access_token to access a protected resource. The script evaluates each request
dynamically and returns the scopes that are required for the request to access the protected
resource.
Use this feature when protected resources can't be grouped within a set of static scopes, for
example, when one set of URLs require one scope, and another set of URLs require another scope.
For more information, see the scopes section and Examples section of
OAuth2ResourceServerFilter(5) in the Configuration Reference.
• JWT Encryption With JwtBuilderFilter
A new property, encryption, has been added to the JwtBuilderFilter to configure JWT encryption.
For more information, see JwtBuilderFilter(5) in the Configuration Reference.
• JwtBuilderFilter Template Declared as Expression
The template property of JwtBuilderFilter can now be configured as an expression that evaluates to a
map. The referenced map will be serialized as a JSON object.
For more information, see JwtBuilderFilter(5) in the Configuration Reference.
• Connection to TLS-Protected Endpoints With TlsOptions
A new object, TlsOptions, is available to configure connections to TLS-protected endpoints for the
ClientHandler, ReverseProxyHandler, and for WebSocket notifications in AmService.
For more information, see TlsOptions(5) in the Configuration Reference.
• Increased Flexibility for Retrieving and Caching User Profiles From AM
The UserProfileFilter provides new features to retrieve and cache user profile information.
For more information, see UserProfileFilter(5) in the Configuration Reference.
• User Authentication From OAuth 2.0 Access Tokens With UserProfileFilter
The UserProfileFilter can now retrieve AM profile attributes for users identified by their username,
and can be used in routes that rely on OAuth2ResourceServerFilter and the /oauth2/introspect
endpoint to resolve access tokens.
The filter can use the SsoTokenContext, SessionInfoContext, or OAuth2Context to retrieve profile
attributes.

What's New
New Features
• Cache for User Profile Attributes with UserProfileFilter
The UserProfileFilter can now cache user profile attributes and reuse them without repeatedly
querying AM.
In previous releases, the UserProfileFilter had to query AM for each request to retrieve the
required user profile attributes.
• Simplified Configuration of Objects by Using AmService Agent
A new property, agent, in AmService defines a Java agent to act on behalf of IG, and simplify
configuration of the following filters:
• SingleSignOnFilter, where agent defines the AM service to use for authentication. Users can
authenticate in the same realm as the agent, or in a different realm.
• PolicyEnforcementFilter, where agent defines the AM agent with the right to request policy
decisions from AM. The policy set can be located in the same realm as the agent, or in a different
realm.
• TokenTransformationFilter, where agent defines the AM agent with the right to authenticate IG as
an AM REST STS client.
The agent property is now mandatory in AmService and replaces properties in the above filters. For
more information, see "Removed Functionality".
For more information, see AmService(5) in the Configuration Reference.
• Configuration of WebSocket Notifications by Using AmService
A new property, notifications, has been added to AmService to disable WebSocket notifications,
configure the time between attempts to re-establish lost WebSocket connections, and to configure
WebSocket connections to TLS-protected endpoints.
For more information, see "WebSocket Notification Service" in the Configuration Reference.
• UserProfileFilter Configuration Moved to AmService
To simplify configuration, properties in UserProfileFilter have been deprecated and replaced with
properties in AmService.
For more information, see Deprecated Functionality in IG 6.5.0.
• StudioProtectionFilter to Restrict Access to Studio In Development Mode
A new filter, StudioProtectionFilter, is available to protect the Studio endpoint when IG is running
in development mode.

What's New
New Features
When IG is running in development mode, by default the Studio endpoint is open and accessible.
When StudioProtectionFilter is defined in admin.json, IG uses it to filter access to the Studio
endpoint.
For an example configuration, see "Restricting Access to Studio in Development Mode" in the
Gateway Guide. For more information about StudioProtectionFilter, see "Provided Objects" in the
• New Features in Studio
New features have been added to the technology preview of Studio to allow you to:
• Configure a SplunkAuditEventHandler.
• Upgrade HTTP connections to WebSocket protocol.
• Enable a session cache.
• Evaluate scopes dynamically for OAuth 2.0 authorization.
• New Features in Freeform Studio
New features have been added to the technology preview of Freeform Studio to allow you to:
• Create new routes that contain a SingleSignOnFilter, a PolicyEnforcementFilter, and an example

AmService. Select the objects to configure them.
• Drag and drop a SingleSignOnFilter, a PolicyEnforcementFilter, or any filter type onto the
canvas. Select the filter to configure it. For other filter types, select the type, name the filter, and
add the JSON configuration.
• Define multiple AmService objects that you can choose from for filters.
• Drag and drop a DispatchHandler onto the canvas, select its input node to connect it to the start
element or another object, and select its output node to connect to one or more handlers. Select
the connections to define the conditions for the dispatch.
• Drag any filter into or out of a chain, and drag any filter or handler around the canvas. Select it to
delete it.
• Ctrl-click to select multiple objects, and maneuver or delete them at the same time.
• View unconnected filters or handlers on the canvas as part of the JSON heap.
• View the object name on the canvas.
Routes created in previous version of Freeform Studio are automatically transitioned into JSON
editor routes.

What's New
Product Improvements
1.3. Product Improvements
Improvements in IG 6.5.1
• There are no product improvements other than those listed in Improvements in IG 6.5.0 and What's
New in IG 6.5.1.
Improvements in IG 6.5.0
• TimerDecorator Publishes Metrics to the MetricRegistry
When a TimerDecorator is set to true in a route, the metrics are now written to the Prometheus
Scrape Endpoint and the ForgeRock Common REST Monitoring Endpoint.
For information, see TimerDecorator(5) in the Configuration Reference.
• Audit Logging to Standard Output
Support has been added for an audit handler to send access log messages to standard output.
For information, see JsonStdoutAuditEventHandler(5) in the Configuration Reference and

"Recording Audit Events to Standard Output" in the Gateway Guide.
• Default Configurations for Objects In AdminHttpApplication
AdminHttpApplication now declares default configurations for the following objects: ClientHandler,
ReverseProxyHandler, ForgeRockClientHandler, ScheduledThreadPoolExecutor, and
TransactionIdOutboundFilter.
For more information, see AdminHttpApplication(5) in the Configuration Reference.
• Improved Security for Authentication Cookies in CrossDomainSingleSignOnFilter and JwtSession
By default, the JwtCookieSession cookie and CrossDomainSingleSignOnFilter authentication cookie

and are now flagged as HttpOnly.
CrossDomainSingleSignOnFilter has additional properties to set or unset cookie flags for HttpOnly
and secure. For more information, see CrossDomainSingleSignOnFilter(5) in the Configuration
Reference.
• WebSocket Traffic for TLS Connections
IG can now detect requests to upgrade from HTTPS to the WebSocket protocol, and create a
secure, dedicated tunnel to send and receive WebSocket traffic.
For information, see the websocket property of ClientHandler(5) in the Configuration Reference or
ReverseProxyHandler(5) in the Configuration Reference.

What's New
Security Advisories
1.4. Security Advisories
ForgeRock issues security advisories in collaboration with our customers and the open source
community to address any security vulnerabilities transparently and rapidly. ForgeRock's security
advisory policy governs the process on how security issues are submitted, received, and evaluated as
well as the timeline for the issuance of security advisories and patches.
For details of all the security advisories across ForgeRock products, see Security Advisories in the
Knowledge Base library.

Before You Install
Downloading IG Software
Chapter 2
Before You Install

This chapter describes the requirements for running IG.
Tip
If you have a request to support a component or combination not listed here, contact ForgeRock at
[email protected].
2.1. Downloading IG Software
Download the following product software from the ForgeRock BackStage download site:
• IG .war file, IG-6.5.1.war
• Web application for testing IG configurations, IG-sample-application-6.5.1.jar
2.2. Java Requirements
The following table lists supported Java versions:
JDK Requirements
Vendor Versions
Oracle JDK 8
OpenJDK 8, 11
If you are using IG on Tomcat with SSL enabled, to prevent mismatch between client-side ciphers and
server-side ciphers, use OpenJDK 1.8.0_121 or later versions.
For the latest security fixes, ForgeRock recommends that you use the most recent update.
2.3. Web Application Containers

IG runs in the following web application containers:

Before You Install
AM Java Agents
• Apache Tomcat 8.5.x or 9
• Jetty 9
• JBoss EAP 7.1
Deploy IG to the root context of the container. Deployment in other contexts causes unexpected
results, and is not supported.
For information about setting up a web application container see "Configuring Deployment
Containers" in the Gateway Guide.
2.4. AM Java Agents

IG supports several versions of Java Agents. For supported container versions and other platform
requirements related to agents, see the Java Agents Release Notes .
If you install Java Agents in the same container as IG, use a Java release that is also supported by the
agent.
If you install an AM policy agent in the same container as IG, use Java Agents 3.5 or later. Earlier
versions might not shut down properly with the web application container.
You cannot run Java Agents 5.5.0 and IG in the same Tomcat container.
2.5. Features Supported With ForgeRock Access Management

This section describes the IG features that are supported with AM:
Features Supported With AM

Feature Supported In AM Version
Support for OAuth 2.0 Mutual TLS AM 6.5.1 and later versions.
(mTLS). For more information, see
ConfirmationKeyVerifierAccessTokenResolver(5)
in the Configuration Reference, and "Validating
Access_Tokens Obtained Through mTLS" in the
Gateway Guide.
Eviction of entries from the AmService sessionCache, AM 5.5 when the user manually whitelists the AmCtxId
using WebSocket notifications from AM. For more session property, and with AM 6 and later versions
information, see AmService(5) in the Configuration (where the AmCtxId session property is whitelisted by
Reference. default).
AM password capture and replay, as described in Supported with AM 5 and later versions, and with AM
"Getting Login Credentials From AM" in the Gateway 6 and later versions when the AES keyType is used to
Guide. decrypt the password.

Before You Install
Third-Party Software Required for Encryption
Feature Supported In AM Version

AM policy enforcement, as described in "Enforcing AM 5 and later versions
Policy Decisions From AM" in the Gateway Guide.
OpenID Connect dynamic registration and discovery, OpenAM 13.5, and AM 5 and later versions
as described in "Using OpenID Connect Discovery and
Dynamic Client Registration" in the Gateway Guide.
Token transformation, as described in "Transforming OpenAM 13.5, and AM 5 and later versions
OpenID Connect ID Tokens Into SAML Assertions" in
the Gateway Guide.
User Managed Access 2.x, for IG 5.5, as described in AM 5.5 and later versions
"Supporting UMA Resource Servers" in the Gateway
Guide.
User Managed Access 1.x, for IG 5 and earlier AM 5.1 and earlier versions
versions.
Single sign-on, as described in "About SSO Using the AM 5 and later versions
SingleSignOnFilter" in the Gateway Guide.
Cross-domain single sign-on, as described in "About AM 5.5 and later versions
CDSSO Using the CrossDomainSingleSignOnFilter" in
the Gateway Guide.
Capture and storage of AM session information, as AM 5 and later versions
described in SessionInfoFilter(5) in the Configuration
Reference.
Capture and storage of AM user profile attributes, as AM 5 and later
described in UserProfileFilter(5) in the Configuration
Reference.
Support for transactional authorization, as described AM 5.5 and later versions
in "Hardening Authorization With Advice From AM" in
the Gateway Guide.
Validation of stateless access_tokens, as described OpenAM 13.5, and AM 5 and later versions
in "Validating Stateless Access_Tokens With the
StatelessAccessTokenResolver" in the Gateway Guide.
2.6. Third-Party Software Required for Encryption

To use RSASSA-PSS for signature encryption in the JwtBuilderFilter, install Bouncy Castle. For
information, see The Legion of the Bouncy Castle.

Compatibility With Other Releases
Important Changes to Existing Functionality
Chapter 3

This chapter describes major changes to existing functionality, deprecated functionality, and removed
functionality.
3.1. Important Changes to Existing Functionality

Important Changes in IG 6.5.1
• See What's New in IG 6.5.1 for a list of important changes to existing functionality.
Important Changes in IG 6.5.0
• Agent Credentials Mandatory in AmService
The agent property of AmService is now mandatory. The agent defines the credentials of an AM
Java agent that acts on behalf of IG to authenticate with AM, request policy decisions from AM, and
communicate WebSocket notifications from AM to IG.
This is a breaking change for all filters that use AmService, and for the following filters where agent
replaces properties that are removed in this release:
• SingleSignOnFilter, where agent replaces previously deprecated properties.
• PolicyEnforcementFilter, where agent replaces previously deprecated properties and the following
properties: pepUsername and pepPassword.
• TokenTransformationFilter, where agent replaces previously deprecated properties and the

following properties: username and password.
For more information, see Removed Functionality in IG 6.5.0.
• Agent Session Logged Out When AmService Stopped
When a route containing an AmService is reloaded, or when an AmService is stopped, the agent
session is logged out.
For more information, see org.forgerock.openig.tools.am.AmService.
• Disconnection Strategy for Session Cache and PolicyEnforcementFilter Cache

Deprecated Functionality
When the WebSocket notification service is disconnected, by default the session cache and policy
enforcement cache is cleared. In previous releases, the caches were not cleared.
For information, see onNotificationDisconnection in AmService(5) in the Configuration Reference and

PolicyEnforcementFilter(5) in the Configuration Reference.
• DS API Change for Secure LDAP Connection
DS 6.5 has updated its client API for establishing SSL connections. The SslContextBuilder class has
been removed and related usages have been integrated into SslOptions.
This has an impact on existing scripts that are using IG's LdapClient for connecting to a secure LDAP
server.
Previously working script:

import org.forgerock.opendj.security.SslContextBuilder;
//...
SslContextBuilder builder = new SslContextBuilder();
builder.trustManager(TrustManagers.trustAll());
SslOptions sslOptions = SslOptions.newSslOptions(builder.build())
.enabledProtocols("TLSv1.2");
Usage of the new API:
SslOptions sslOptions = SslOptions.newSslOptions(null, TrustManagers.trustAll())

.enabledProtocols("TLSv1.2");
3.2. Deprecated Functionality
Deprecated Functionality in IG 6.5.1
Deprecated Configuration Settings

Configuration Object Deprecated Settings Replacement Settings
StatelessAccessTokenResolver signatureSecretId Replaced by verificationSecretId.
encryptionSecretId Replaced by decryptionSecretId.
Deprecated Functionality in IG 6.5.0
Automatically Transfered Upgrade Routes
During IG upgrade, routes that were previously created in Studio are automatically transferred
to the new version of IG. Where possible, IG replaces deprecated settings with the newer evolved

setting. If IG needs additional information to upgrade the route, the route status becomes 
Compatibility update required. Select the route, and provide the requested information.
Routes Generated in Studio Do Not Use the Commons Secrets Service
In this release, routes generated in Studio do not use the Commons Secrets Service.
Documentation examples generated with Studio use deprecated properties.
IG Route Monitoring Endpoint
The IG Route Monitoring Endpoint is deprecated and will be removed in a later release. As a
replacement, IG provides Prometheus Scrape Endpoint and Common REST Monitoring Endpoint.
For more information, see "Prometheus Scrape Endpoint" in the Gateway Guide, and "Common
REST Monitoring Endpoint" in the Gateway Guide,
Support for .war File Delivery
The delivery of a .war file is deprecated in this release and may be removed in the next release.
Support AM Policy Agents
Support for the use of AM policy agents in password capture and replay is deprecated in this
release.
By using CapturedUserPasswordFilter, you can get login credentials from AM without setting
up an AM policy agent. For more information, see "Getting Login Credentials From AM" in the
Gateway Guide, and CapturedUserPasswordFilter(5) in the Configuration Reference.
Deprecated Configuration Settings

AmService password Replaced by passwordSecretId.
If the deprecated and replacement

properties are both provided,
the replacement property takes
precedence.
ClientHandler proxy subproperty password Replaced by passwordSecretId.

precedence.
• keyManager Replaced by the TlsOptions
object. For more information, see
• sslCipherSuites TlsOptions(5) in the Configuration
Reference.
• sslContextAlgorithm
• sslEnabledProtocols


• trustManager
websocket subproperties: Replaced by the TlsOptions
• keyManager TlsOptions(5) in the Configuration
Reference.
• sslCipherSuites
• trustManager
ReverseProxyHandler • keyManager Replaced by the TlsOptions
• sslCipherSuites TlsOptions(5) in the Configuration
Reference.
• trustManager
websocket subproperties: Replaced by the TlsOptions
• keyManager TlsOptions(5) in the Configuration
Reference.
• sslCipherSuites
• trustManager
JwtSession password Replaced by passwordSecretId

precedence.
Combination of password, alias, Replaced by encryptionSecretId
and keystore
Combination of passwordSecretId, properties are both provided,
alias, and keystore the replacement property takes
precedence.
sharedSecret Replaced by signatureSecretId

precedence.


KeyManager password Replaced by passwordSecretId.

precedence.
KeyStore password Replaced by passwordSecretId.

precedence.
CapturedUserPasswordFilter key Replaced by keySecretId.

precedence.
JwtBuilderFilter signature subproperties: Replaced by signature property
secretId.
• keystore
• alias properties are both provided,
• password precedence.
Route monitor Replaced by the Prometheus Scrape
Endpoint and Common REST
Monitoring Endpoint.
For information, see Monitoring

Endpoints(5) in the Configuration
Reference.
UserProfileFilter ssoToken Replaced by username in
UserProfileFilter.
amService and profileAttributes Replaced amService and
profileAttributes, as sub-
properties of userProfileService
ClientRegistration keyStore Replaced by keystore.
clientSecret Replaced by clientSecretId.

precedence.
The environment variable and OPENIG_BASE and openig.base Replaced by IG_INSTANCE_DIR and ig
system property that define the file .instance.dir.

Removed Functionality

system directory for configuration If neither the deprecated setting
files. nor the replacement setting are
provided, configuration files are in
the default directory $HOME/.openig
(on Windows, %appdata%\OpenIG).
If the deprecated setting and

the replacement setting are both
provided, the replacement setting is
used.
OpenAmAccessTokenResolver endpoint Replaced by the AmService

property url.
For information, see

OpenAmAccessTokenResolver in
OAuth2ResourceServerFilter(5) in
the Configuration Reference.
PolicyEnforcementFilter cache subproperty maxTimeout Replaced by cache property
maximumTimeToCache.
OAuth2ResourceServerFilter cacheExpiration Replaced by cache and its sub-

properties enabled, defaultTimeout,
and maxTimeout.
If cacheExpiration is configured
and cache is not configured, the
cache is enabled and the value
of cacheExpiration is used as
maxTimeout.
The following values for

cacheExpiration, supported
in previous releases, are not
supported in this release: zero,
unlimited.
For more information, see

OAuth2ResourceServerFilter(5) in
3.3. Removed Functionality
Removed Functionality in IG 6.5.1
• There is no removed functionality in IG 6.5.1, other than those listed in Removed Functionality in IG
6.5.0.

Removed Functionality
Removed Functionality in IG 6.5.0
This section lists removed functionality, as defined in "ForgeRock Product Interface Stability":
•
Removed Configuration Settings
Configuration Object Removed Settings Newer Evolving Settings
PolicyEnforcementFilter(5) in the Deprecated previously, removed in Replaced by AmService properties:
Configuration Reference this release:
• amHandler
• amHandler
• url
• openamUrl
• realm
• realm
• ssoTokenHeader
• ssoTokenHeader
Deprecated and removed in this Replaced by AmService property:
release:
• agent
• pepUsername
• pepPassword
SingleSignOnFilter(5) in the Deprecated previously, removed in Replaced by AmService properties:
Configuration Reference this release:
• amHandler
• amHandler
• url
• openamUrl
• realm
• realm
• ssoTokenHeader
• ssoTokenHeader
TokenTransformationFilter(5) in Deprecated previously, removed in Replaced by AmService properties:
the Configuration Reference this release:
• amHandler
• amHandler
• url
• openamUrl
• realm
• realm
• ssoTokenHeader
• ssoTokenHeader
Deprecated and removed in this Replaced by AmService property:
release:
• agent
• username
• password

Fixes, Limitations, and Known Issues
Key Fixes
Chapter 4

IG issues are tracked at https://bugster.forgerock.org/jira/browse/OPENIG. This chapter covers the
status of key issues and limitations at release 6.5.
4.1. Key Fixes
The following important bugs were fixed in this release:
Key Fixes in IG 6.5.1
• OPENIG-3328: CDSSOFilter : although using a valid token, user can't access the protected resource
• OPENIG-3403: ContentTypeHeader quoted directives should be maintained
• OPENIG-3443: Don't attempt to create the groovy script directories if they already exist
• OPENIG-3454: StatelessAccessTokenResolver: incorrect usage of COMMONS Secrets API to get

the keys
• OPENIG-3457: Provide a toJson function that can be used in expressions to parse strings as JSON
• OPENIG-3484: IdTokenValidationFilter reports problem with iat with valid token
• OPENIG-3491: Invalid token is returned when signature verification is enabled in

OAuth2ResourceServer filter
• OPENIG-3523: UI: Fix open studio in IE
Key Fixes in IG 6.5.0
• OPENIG-3231: OpenDJ SslContextBuilder has been removed
• OPENIG-3219: When using scan feature in logback.xml the ig.instance.dir property is lost on reload
• OPENIG-3113: Not possible to use token substitutions within a monitor decorator of a Route

Limitations
4.2. Limitations
Limitations in IG 6.5.1
• There are no known limitations in IG 6.5.1, other than those identified in Limitations in IG 6.5.0.
Limitations in IG 6.5.0
• SamlFederationHandler Doesn't Support Filtering (OPENIG-3275)
The SamlFederationHandler does not support filtering. Do not use a SamlFederationHandler as the
handler for a Chain.
More generally, do not use this handler when its use depends on something in the response.
The response can be handled independently of IG, and can be null when control returns to IG.
For example, do not use this handler in a SequenceHandler where the postcondition depends on the
response.
• IG Scripts Can Access Anything in Their Environment (OPENIG-3274)
IG scripts are not sandboxed, but instead have access to anything in their environment. You must
make sure that the scripts that IG loads are safe.
• Persists UMA Shares (OPENIG-3273)
Shared resources cannot be persisted when IG restarts. They must be shared each time that IG
restarts. For more information, see "Supporting UMA Resource Servers" in the Gateway Guide.
• Proxy WebSocket Traffic (OPENIG-3248)
When IG is running in the Jetty application container, it cannot proxy WebSocket traffic.
For more information, see "Proxying WebSocket Traffic" in the Gateway Guide, and the websocket
property of ClientHandler(5) in the Configuration Reference or ReverseProxyHandler(5) in the
• Blocked ClientHandler With Asynchronous HTTP Clients (OPENIG-2417)
IG processes responses from asynchronous HTTP clients by using two thread pools of the same
size:
• the first thread pool receive the response headers,
• the second thread pool completes the promise by to executing the callback and writing the
response content to the stream. Reading and writing to the stream are synchronous, blocking
operations
When there are a lot of clients, or when responses are big, the synchronous operation can cause
routes to declare a blocked ClientHandler.

Known Issues
To recover from blocking, restart the route, or, if the route is config.json, restart the server. To
prevent blocking, increase the number of worker threads.
• Cannot Use Custom config.json in Studio (OPENIG-1557)
When a customized config.json is configured in Studio, Studio cannot deploy routes.
• Log File of Audit Events Can be Overwritten (OPENIG-813)
The log file of audit events can be overwritten when the log file is rotated.
When CsvAuditEventHandler is used to log audit events, the log file is overwritten if it is rotated before
the file suffix, rotationFileSuffix, changes. By default, rotationFileSuffix is defined as a date in the
format _yyyy-MM-dd.
Log files are rotated when one of the following limits is reached: maxFileSize, rotationInterval, or
rotationTimes.
Set the log rotation parameters so that the log is not likely to rotate before rotationFileSuffix
changes.
• CookieFilter Is Not JwtSession Compatible (OPENIG-458)
The CookieFilter heap object stores a java.net.CookieManager reference in the session, so

that cookies are linked to the HTTP session. This behavior is not compatible with the use of a
JwtSession.
• Cannot Use SAML With AM Policy Agent (OPENIG-291)
When SAML is used with an AM policy agent, class cast exceptions occur.
• SAML Fails With Incorrect User-Defined Mapping (OPENIG-234)
When the user defined mapping is incorrectly set, missing SAML assertions produce an infinite loop
during authentication attempts.
• For Mutual Authentication in HTTPS Cannot Specify Which Certificate to Present (OPENIG-221)
IG can check server certificates for HTTPS. However, for mutual authentication, the client
certificate must be the first certificate in the KeyStore.
4.3. Known Issues
This release of IG includes the following known issues:
Known Issues in IG 6.5.1

• There are no known issues in IG 6.5.1, other than those identified in Known Issues in IG 6.5.0.

Known Issues
Known Issues in IG 6.5.0
• OPENIG-3235: Support UTF-8 encoded password values for agent's credentials
• OPENIG-3221: OpenIG is decoding special character ' while sending to the backend which is
causing issues
• OPENIG-659: CryptoHeaderFilter - error on handling header value with incorrect length

Documentation Changes
Chapter 5
Documentation Changes
Documentation Change Log
Date Description
2019-03-10 Release of IG 6.5.1 maintenance release.
2018-11-30 Release of IG 6.5.0 release.
The following changes were made to the documentation:
• The default configuration of IG, provided by when your configuration does not
include a custom config.json file, is now described in the Examples section of
GatewayHttpApplication(5) in the Configuration Reference.
• Information about session upgrade has moved from "Enforcing Policy Decisions
From AM" in the Gateway Guide to the new chapter "Hardening Authorization
With Advice From AM" in the Gateway Guide.
• A description of the readWithCharset function has been added to Functions(5) in

• The description of available access_token resolvers has moved from the

accessTokenResolvers property of OAuth2ResourceServerFilter(5) in the
Configuration Reference to the dedicated section Access Token Resolvers in the
• The examples in "Throttling the Rate of Requests to Protected Applications"

in the Gateway Guide have been changed to take the grouping policy and rate
policy from fields in the OAuth2Context.
• Documentation for the deprecated IG Route Monitoring Endpoint is removed in

this release.

Appendix A. Release Levels and Interface
Stability
This appendix includes ForgeRock definitions for product release levels and interface stability.
A.1. ForgeRock Product Release Levels

ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level
is reflected in the version number. The release level tells you what sort of compatibility changes to
expect.
Release Level Definitions

Release Label Version Numbers Characteristics
Major Version: x[.0.0] • Bring major new features, minor features, and bug fixes
(trailing 0s are
optional) • Can include changes even to Stable interfaces
• Can remove previously Deprecated functionality, and in rare

cases remove Evolving functionality that has not been explicitly
Deprecated
• Include changes present in previous Minor and Maintenance

releases
Minor Version: x.y[.0] • Bring minor features, and bug fixes
(trailing 0s are
optional)

Release Label Version Numbers Characteristics
• Can include backwards-compatible changes to Stable interfaces
in the same Major release, and incompatible changes to
Evolving interfaces
• Can remove previously Deprecated functionality
• Include changes present in previous Minor and Maintenance

releases
Maintenance, Patch Version: x.y.z[.p] • Bring bug fixes
The optional .p • Are intended to be fully compatible with previous versions from
reflects a Patch the same Minor release
version.
A.2. ForgeRock Product Interface Stability

ForgeRock products support many protocols, APIs, GUIs, and command-line interfaces. Some of these
interfaces are standard and very stable. Others offer new functionality that is continuing to evolve.
ForgeRock acknowledges that you invest in these interfaces, and therefore must know when and how
ForgeRock expects them to change. For that reason, ForgeRock defines interface stability labels and
uses these definitions in ForgeRock products.
Interface Stability Definitions

Stability Label Definition
Stable This documented interface is expected to undergo backwards-compatible changes
only for major releases. Changes may be announced at least one minor release
before they take effect.
Evolving This documented interface is continuing to evolve and so is expected to change,
potentially in backwards-incompatible ways even in a minor release. Changes are
documented at the time of product release.
While new protocols and APIs are still in the process of standardization, they are
Evolving. This applies for example to recent Internet-Draft implementations, and
also to newly developed functionality.
Deprecated This interface is deprecated and likely to be removed in a future release. For
previously stable interfaces, the change was likely announced in a previous
release. Deprecated interfaces will be removed from ForgeRock products.
Removed This interface was deprecated in a previous release and has now been removed
from the product.
Technology Preview Technology previews provide access to new features that are evolving new
technology that are not yet supported. Technology preview features may
be functionally incomplete and the function as implemented is subject to

Stability Label Definition
change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A
PRODUCTION ENVIRONMENT.
Customers are encouraged to test drive the technology preview features in a non-
production environment and are welcome to make comments and suggestions
about the features in the associated forums.
ForgeRock does not guarantee that a technology preview feature will be present
in future releases, the final complete version of the feature is liable to change
between preview and the final version. Once a technology preview moves into
the completed version, said feature will become part of the ForgeRock platform.
Technology previews are provided on an “AS-IS” basis for evaluation purposes
only and ForgeRock accepts no liability or obligations for the use thereof.
Internal/Undocumented Internal and undocumented interfaces can change without notice. If you
depend on one of these interfaces, contact ForgeRock support or email
[email protected] to discuss your needs.

Appendix B. Getting Support
This chapter includes information and resources for IG and ForgeRock support.
B.1. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:
• The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical
articles that help you deploy and manage ForgeRock software.
While many articles are visible to community members, ForgeRock customers have access to much
more, including advanced information for customers using ForgeRock software in a mission-critical
capacity.
• ForgeRock product documentation, such as this document, aims to be technically accurate and
complete with respect to the software documented. It is visible to everyone and covers all product
features and examples of how to use them.
B.2. How to Report Problems or Provide Feedback

If you find issues or reproducible bugs, report them in https://bugster.forgerock.org.
When requesting help with a problem, include the following information:
• Description of the problem, including when the problem occurs and its impact on your operation
• Description of the environment, including the following information:

• Machine type
• Operating system and version
• Web server or container and version
• Java version
• Patches or other software that might affect the problem
• Steps to reproduce the problem
• Relevant access and error logs, stack traces, and core dumps
B.3. Getting Support and Contacting ForgeRock

ForgeRock provides support services, professional services, training through ForgeRock University,
and partner services to assist you in setting up and maintaining your deployments. For a general
overview of these services, see https://www.forgerock.com.
ForgeRock has staff members around the globe who support our international customers
and partners. For details, visit https://www.forgerock.com, or send an email to ForgeRock at
[email protected].


IG 6.5 Release Notes

Uploaded by

Copyright:

Available Formats

IG 6.5 Release Notes

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IG 6.5 Release Notes

Uploaded by

Copyright:

Available Formats

Release Notes

/ ForgeRock Identity Gateway 6.5

Latest update: 6.5.1

Bitstream Vera Fonts Copyright

Arev Fonts Copyright

Copyright (c) 2006 by Tavmjong Bah. All Rights Reserved.

Copyright (c) 2017 by Dave Gandy, http://fontawesome.io.

Release Notes ForgeRock Identity Gateway 6.5 (2019-04-10T17:34:43.175)

Release Notes ForgeRock Identity Gateway 6.5 (2019-04-10T17:34:43.175)

IG 6.5.0 is available for download at the ForgeRock Backstage website.

• OAuth 2.0 Mutual TLS

• StatelessAccessTokenResolver can now rely on a SecretsProvider

Release Notes ForgeRock Identity Gateway 6.5 (2019-04-10T17:34:43.175)

For backward compatibility, if SecretsProvider is not configured, the StatelessAccessTokenResolver

For information, see SecretsProvider(5) in the Configuration Reference and

• Policy Enforcement Advice

For information, see SingleSignOnFilter(5) in the Configuration Reference.

• New toJSON Function to Parse Strings as JSON

• Preserve Query Strings In URLs

For information, see preserveOriginalQueryString in AdminHttpApplication(5) in the Configuration

What's New in IG 6.5.0

Release Notes ForgeRock Identity Gateway 6.5 (2019-04-10T17:34:43.175)

• Provision through environment variables or unencrypted JSON, for deployment simplicity or

• Ease of rotation or revocation, regardless of the storage backend.

• Local Validation of Stateless Access-Tokens

The StatelessAccessTokenResolver is now available to validate stateless access_tokens

• Improved robustness, by validating access_tokens even when AM is not available

For more information, see "Validating Stateless Access_Tokens With the

Supported with AM 5.5 and later versions.

• Disconnection Strategy WebSocket Notification Service

Release Notes ForgeRock Identity Gateway 6.5 (2019-04-10T17:34:43.175)

For information, see onNotificationDisconnection in AmService(5) in the Configuration Reference and

• Dynamic Scope Evaluation for OAuth2ResourceServerFilter

• JWT Encryption With JwtBuilderFilter

For more information, see JwtBuilderFilter(5) in the Configuration Reference.

• JwtBuilderFilter Template Declared as Expression

For more information, see JwtBuilderFilter(5) in the Configuration Reference.

• Connection to TLS-Protected Endpoints With TlsOptions

For more information, see TlsOptions(5) in the Configuration Reference.

• Increased Flexibility for Retrieving and Caching User Profiles From AM

For more information, see UserProfileFilter(5) in the Configuration Reference.

• User Authentication From OAuth 2.0 Access Tokens With UserProfileFilter

Release Notes ForgeRock Identity Gateway 6.5 (2019-04-10T17:34:43.175)

• Cache for User Profile Attributes with UserProfileFilter

• Simplified Configuration of Objects by Using AmService Agent

For more information, see AmService(5) in the Configuration Reference.

• Configuration of WebSocket Notifications by Using AmService

• UserProfileFilter Configuration Moved to AmService

For more information, see Deprecated Functionality in IG 6.5.0.

• StudioProtectionFilter to Restrict Access to Studio In Development Mode

Release Notes ForgeRock Identity Gateway 6.5 (2019-04-10T17:34:43.175)

• New Features in Studio

• Upgrade HTTP connections to WebSocket protocol.

• Enable a session cache.

• Evaluate scopes dynamically for OAuth 2.0 authorization.

• New Features in Freeform Studio

• Create new routes that contain a SingleSignOnFilter, a PolicyEnforcementFilter, and an example

• View the object name on the canvas.

Release Notes ForgeRock Identity Gateway 6.5 (2019-04-10T17:34:43.175)

• TimerDecorator Publishes Metrics to the MetricRegistry