OpenSSO Enterprise 8.0 Update 1 Release Notes

The Sun OpenSSO Enterprise 8.0 Update 1 Release Notes contain information about Update 1, including new features, hardware and software requirements, and known issues with workarounds, if available.

OpenSSO Enterprise 8.0 Update 1 is available as patch 141655-01 on http://sunsolve.sun.com/. This patch includes a WAR file (opensso.war) that you can deploy on Solaris (SPARCĀ® and x86 platforms), Linux, and Windows systems.

OpenSSO Enterprise 8.0 Update 1 Patches

Sun periodically releases patches for OpenSSO Enterprise 8.0 Update 1 on SunSolve. The following table shows the patch IDs for Update 1 and subsequent patch releases:

Release
Patch ID
OpenSSO Enterprise 8.0 Update 1 141655-01
OpenSSO Enterprise 8.0 Update 1 Patch 1 141655-02
OpenSSO Enterprise 8.0 Update 1 Patch 2 141655-03

To download the latest patch for Update 1, click Download Latest Patch 141655.

To determine if you should install a patch, check the README file available with the patch.

Changes in OpenSSO Enterprise 8.0 Update 1 Patch 2 (141655-03)

Additional OpenSSO Enterprise Web Container and Platform Support

Patch 141655-03 includes support for:

  • IBM AIX 6.1 platform
  • Sun GlassFish Enterprise Server v2.1 web container

Known Issues and Limitations

OpenSSO Enterprise cannot create URLStreamHandler for WebLogic Server (CR 6867442)

The OpenSSO Enterprise AMURLStreamHandlerFactory cannot create the URLStreamHandler for WebLogic Server, because WebLogic Server has preset the value for the java.protocol.handler.pkgs system property to
weblogic.net|weblogic.utils|weblogic.utils|weblogic.utils. If you try to access a remote WebLogic Server instance from the Console Session UI, OpenSSO Enterprise dumps an error log in the CoreSystem file.

The fix for CR 6867442 adds the new opensso.protocol.handler.pkgs property.

Although this problem occurred on WebLogic Server, the fix affects all web containers. If you have java.protocol.handler.pkg in your setup or if you are planning to use java.protocol.handler.pkg, add this new property as follows:

  1. In the OpenSSO Administration Console, click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.
  2. Click Add and then enter:
    • Property Name: opensso.protocol.handler.pkgs
    • Property Value: com.sun.identity.protocol
  3. Click Save.

Deploying the console.war file in patch 141655-03 generates a malformed goto URL (CR 6881715)

If you deploy and configure the console.war file in patch 141655-03, when you access the login page, the goto URL page is malformed.
Workaround. Manually enter the goto URL as protocol://openssohost:port/console and re-request the login page. For example: https://openssohost.example.com:8080/console

Sun periodically releases patches to OpenSSO Enterprise 8.0 Update 1 on http://sunsolve.sun.com/. To find the latest patch for Update 1, search for patch ID 141655. To determine if you should install a patch, check the README file available with the patch.

Each patch release includes an opensso.war file that you can deploy as follows:

  • Patch an existing OpenSSO Enterprise 8.0 deployment
  • Install a new OpenSSO Enterprise 8.0 deployment
  • Create or patch one of the following specialized WAR files:
    • OpenSSO Enterprise Administration console only
    • OpenSSO Enterprise server only without the Administration console
    • OpenSSO Enterprise Distributed Authentication UI server
    • OpenSSO Enterprise IDP Discovery Service

For more information see Installing OpenSSO Enterprise 8.0 Update 1.

What's New in OpenSSO Enterprise 8.0 Update 1

OpenSSO Enterprise 8.0 Update 1 also fixes a number of problems, as listed in the README file included with patch 141655-01.

OpenDS as a User Data Store

You can configure an external OpenDS server as the OpenSSO Enterprise 8.0 Update 1 user data store. See Using OpenDS as a User Data Store.
You can also store a relatively small number of users in the embedded OpenSSO configuration data store (OpenDS), when scalability is not an important requirement. This option is useful when you want to install OpenSSO Enterprise 8.0 Update 1 quickly for demonstration or evaluation purposes. However, you should not use an embedded OpenDS server as a user data store in a production environment.

Simplified OpenSSO WAR File Creation

The ability to create a specialized WAR file was present in OpenSSO Enterprise 8.0. In OpenSSO Enterprise 8.0 Update 1, the process has been simplified using the createwar.sh or createwar.bat script. See Creating a Specialized OpenSSO WAR File.

Centralized SAMLv2 Error Conditions Page

OpenSSO Enterprise 8.0 Update 1 provides a single page where you can view all SAMLv2 error conditions. This page is useful when you are troubleshooting a SAMLv2 configuration. See Centralized SAMLv2 Error Processing.

Secure Attribute Exchange (SAE) Data Encryption

OpenSSO Enterprise 8.0 Update 1 supports Secure Attributes Exchange (SAE) data encryption. (SAE is also known as Virtual Federation.) See Encrypting Data in a Secure Attribute Exchange.

FIPS Compliance Mode

OpenSSO Enterprise 8.0 Update 1 supports Federal Information Processing Standards (FIPS) mode. See Configuring OpenSSO Enterprise 8.0 Update 1 in FIPS Mode.

Support for New Web Containers

OpenSSO Enterprise 8.0 Update 1 supports the web containers described in the OpenSSO Enterprise 8.0 Release Notes and the following new web containers:

.NET Fedlet

OpenSSO Enterprise 8.0 Update 1 includes the Fedlet.dll, template metadata files, and a sample application for implementing the Fedlet with .NET applications. See Using the .NET Fedlet with OpenSSO Enterprise 8.0 Update 1.

Other Enhancements in OpenSSO Enterprise 8.0 Update 1

CR 6244578: New Property Warns Users if Browser Cookie Support is Disabled or Not Available

The new com.sun.identity.am.cookie.check property indicates whether OpenSSO server should check if cookie support is disabled or not available in the user's browser. A value of true causes OpenSSO server to display an error message if the browser does not support cookies or has not enabled cookies.

Previously, if cookie support was disabled or not available on the user's browser and OpenSSO server was not in cookieless mode, authentication for a user failed without any errors. (Actually, authentication was done successfully, but OpenSSO server could not redirect the user to the OpenSSO protected web site.)

To Set the com.sun.identity.am.cookie.check Property
  1. Log in to the OpenSSO Administation Console.
  2. Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.
  3. Click Add and then specify:
    • Property Name: com.sun.identity.am.cookie.check
    • Property Value: true or false
  4. Click Save.
  5. Restart the OpenSSO server instance.

Note – If OpenSSO server is expected to support cookieless mode for authentication, set this property to false (which is the default).

CR 6770231: OpenSSO Enterprise 8.0 Update 1 Validates goto URLs

OpenSSO Enterprise 8.0 Update 1 can validate a goto URL after a user logs in to prevent a hacker from sending the user to an imposter site in order to steal the user's personal information.

To Set Valid goto URLs:
  1. Install OpenSSO Enterprise 8.0 Update 1. If you are patching OpenSSO Enterprise 8.0, make sure you run the updateschmema.sh or updateschema.bat script and restart the OpenSSO Enterprise web container.
  2. Log in to the Admin Console.
  3. Click Configuration, Authentication, and then Core.
  4. Under Valid goto URL domains, add each valid goto domain name, as follows:
    • A domain name starting with a dot (.) such as .example.com allows all hosts in the example.com domain to be used in a success redirect URL.
    • A domain name that does not start with a dot (.) such as example.com allows the host example.com to be used in a success redirect URL. For example, http://example.com would be valid, but http://host.example.com would not be valid.
    • If you don't add the entire domain to the list, you must add each individual agent host name being used.
    • You do not need to add domains for agents in CDSSO mode, because they are protected automatically.
  5. Click Save.
  6. Restart the OpenSSO Enterprise web container.
    If you subsequently want to disable the goto URL validation, remove all entries from the Valid goto URL domains list.

Additional Information – If a goto URL is found to be invalid, the user will be redirected to the default success login URL (/opensso/console).

CR 6696910: New Property makes Event Notification Cache Configurable

The new com.sun.am.event.notification.expire.time property allows you to configure or disable the event notification cache in order to improve performance.
To disable the cache, set this property to 0 (zero). The default is 30 minutes.

After you set this property, restart the OpenSSO Enterprise 8.0 web container for the new value to take effect.

CR 6740071: New Property Controls Session Cookie for Zero Page Authentication

The new com.sun.identity.appendSessionCookieInURL property determines whether OpenSSO Enterprise 8.0 Update 1 appends the session cookie to the URL for zero page authentication.
Set this property to false to prevent OpenSSO Enterprise 8.0 Update 1 from appending the session cookie to the URL. For example, if an application is filtering incoming URLs for special characters for security reasons and a cookie contains a special character, then access is denied. The default value is true (cookie is appended).

To set the new com.sun.identity.appendSessionCookieInURL property:

  1. Log in to the OpenSSO Enterprise 8.0 Update 1 Admin Console.
  2. Click Configuration, Servers and Sites, Default Server Settings, and then Advanced.
  3. Add the property with a value of true.
  4. Click Save.

The com.sun.identity.appendSessionCookieInURL property is hotswappable, which means that you don't have to restart the OpenSSO Enterprise 8.0 web container for a new value to take effect.

CR 6691106: New Properties Prevent Multiple Site Monitor Threads

The amNaming log sometimes indicates multiple Site Monitor threads running for checking the same site. To prevent this problem, OpenSSO Enterprise 8.0 Update 1 provides improved synchronization to prevent the creation of the multiple Site Monitor threads for the same site. OpenSSO Enterprise 8.0 also includes these new properties:

  • com.sun.identity.urlchecker.retry.interval specifies the time interval in milliseconds between retries for a URL connection. Default is 500 milliseconds (0.5 seconds).
  • com.sun.identity.urlchecker.retry.limit specifies the maximum number of retries for the URL connection if a connection failure occurs. Default is 3 retries.

After you set these properties, restart the OpenSSO Enterprise 8.0 web container for the new values to take effect.

The fix for this problem also uses the following property:

  • com.sun.identity.urlchecker.sleep.interval specifies the time interval in milliseconds that the site status check should sleep. Default is 30000 milliseconds (30 seconds).

CR 6797423: New property configures OpenSSO Enterprise server policy decision cache

The new com.sun.identity.policy.resultsCacheMaxSize property allows you to configure the policy decision cache for OpenSSO Enterprise 8.0 Update 1 server.

For example, a value of 1000 causes policy decisions to be cached for maximum of 1000 sessions, irrespective of the actual number of concurrent sessions on the server.

CR 6785321: CRL and OSCP checking support JSS-based logic

Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking now support the Network Security Services for Java (JSS) library, enabling FIPS mode when OpenSSO Enterprise 8.0 Update 1 is deployed on the Sun Java Web Server 7.0 Update 3 or later web container.
Note – FIPS compliance mode depends on JSS, but using JSS does not necessitate FIPS compliance mode.

CR 6657112: Redirect callback support is added for Distributed Authentication Server UI

Redirect callback support (RedirectCallback), which is used to redirect users to an external website as part of the authentication process, now works when the login is through a Distributed Authentication Server UI.

CR 6657367: CDCServlet removes the JavaScript enabled dependency for user's browser

If cross-domain single sign-on (CDSSO) is enabled for a policy agent, the CDCServlet can now redirect assertions (CDCRedirectServlet) for the agent, even if JavaScript is disabled for the user's browser.

CR 6496155: Policy agents send token other than the IP address in cookie hijacking mode

Previously, in cookie hijacking mode, policy agents sent the IP address of the server where they were installed to the OpenSSO Enterprise server. Now, the policy agent first sends the application SSO token. If the agent cannot obtain the application SSO token, the agent then sends the IP address to the OpenSSO Enterprise server.

If strict DN checking is required for a deployment, OpenSSO Enterprise server includes the new
iplanet-am-session-dnrestrictiononly property.

The default value is false. If this property is set to true, the OpenSSO Enterprise server performs strict DN checking. If the agent sends an IP address, the OpenSSO Enterprise server considers the IP address to be an error.

To set iplanet-am-session-dnrestrictiononly for strict DN checking:

  1. Add the property with a value of true using either the OpenSSO Enterprise Admin Console or the ssoadm utility.
  2. Restart the OpenSSO Enterprise server web container for the DN checking to take effect.

CR 6697260: New property allows policy agent sessions to time out

The new com.iplanet.am.session.agentsessionidletime property sets the maximum idle timeout in minutes for policy agent sessions. The minimum value is 30 minutes. A value greater than 0 and less than 30 will be reset to 30.
The default is 0, which means that the policy agent sessions never time out.

To set com.iplanet.am.session.agentsessionidletime:

  1. Add the property with the maximum idle timeout value using either the OpenSSO Enterprise Admin Console or the ssoadm utility.
  2. Restart the OpenSSO server web container for the idle timeout value to take effect.

CR 6811036: After upgrading from JES4, in co-existence mode, amadmin authenticates to configuration data store

Due to the fix for security issue 3924 in OpenSSO 8.0 Enterprise 8.0, the amadmin user was prevented from logging in to any authentication module other than the DataStore and Application authentication modules.
This new fix for CR 6811036 removes this restriction, but at the same time re-implements the original security fix to protect the authentication as the amadmin user, which is considered as the OpenSSO Enterprise internal or special user, in following manner:

  • amadmin can authenticate only to or or the Top-Level Realm.
  • amadmin and its password will first be authenticated against the configuration data store. That is, this user and its password should match the amadmin user and its password in the OpenSSO Enterprise configuration data store. Then, this user will be authenticated against the required authentication store (authentication module) with the same credentials. Finally, this user will be retrieved (searched) in the OpenSSO Enterprise user data store (based on the user profile option selected in the Authentication service configuration).
    The actual authentication module store and/or user data store and configuration data store could be different, as long as the above is successful. If all three stores are the same, the above would be automatically successful.

CR 6827616: SMS cache is disabled by default for the Client SDK

After a Client SDK installation, the service management service (SMS) cache is disabled by default, which can cause performance issues.
Workaround: To enable the cache for SMS and the Identity Repository (IdRepo), set or add the following properties in the AMClient.properties file:

com.iplanet.am.sdk.caching.enabled=true
com.sun.identity.idm.cache.enabled=true
com.sun.identity.sm.cache.enabled=true

Installing OpenSSO Enterprise 8.0 Update 1

First, download patch 141655-01 from http://sunsolve.sun.com/. Then, install OpenSSO Enterprise 8.0 Update 1, as described in Installing OpenSSO Enterprise 8.0 Update 1.

Hardware and Software Requirements For OpenSSO Enterprise 8.0 Update 1

Note - The hardware and software requirements for OpenSSO Enterprise 8.0 Update 1 represent the only environments in which it can be deployed with full support from Sun Microsystems. No support is provided for environments that do not meet the stated requirements.
Sun Microsystems assumes no responsibility or liability for any environments that don't adhere to supported hardware and software requirements for OpenSSO Enterprise 8.0 Update 1 as documented. Sun strongly recommends that you involve the Sun Professional Services organization before you begin the installation and deployment process. This may require additional expense on your part.

Policy Agent Support in OpenSSO Enterprise 8.0 Update 1

Policy Agent Version OpenSSO Enterprise 8.0 Update 1 Support
3.0 Version 3.0 Java EE (also called J2EE) and web policy agents are supported, including new version 3.0 features.
For more information, including the available version 3.0 agents, see http://docs.sun.com/coll/1767.1.
2.2 Version 2.2 Java EE and web policy agents are supported.
However, a version 2.2 policy agent must continue to use version 2.2 features. For example, the OpenSSO Enterprise centralized agent configuration is not supported, and the 2.2 agent must store its configuration data locally in its AMAgent.properties file.
For more information, including the available version 2.2 agents, see http://docs.sun.com/coll/1322.1.
2.1 Version 2.1 policy agents are not supported.

OpenSSO Enterprise 8.0 Update 1 Issues and Workarounds

CR 6830298: OpenSSO Enterprise Admin Tools Must be Re-installed

If you patch OpenSSO Enterprise 8.0 with Update 1, you must re-install the admin tools in Update 1 before you run the updateschema.sh or updateschema.bat script, because the script requires the Update 1 version of the ssoadm command-line utility.

Workaround. Before you run the updateschema.sh or updateschema.bat script, install the Update 1 admin tools, as described in see Installing the OpenSSO Enterprise 8.0 Update 1 Admin Tools.

CR 6823779: ssoadm cannot be used with Secure WebSphere Application Server 7.0

If the admin tools (ssoAdminTools.zip) are configured to use the IBM JVM with a secure (SSL-enabled) WebSphere Application Server 7.0 instance, the ssoadm returns a fatal error.

Workaround. To configure ssoadm, see Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.

CR 6824420: Configuration fails for WebSphere Application Server 7.0 with Java 2 security enabled

If OpenSSO Enterprise 8.0 Update 1 is deployed with IBM WebSphere Application Server 7.0 and Java 2 security is enabled, the configuration fails.

Workaround. Add the required permissions to the WebSphere Application Server 7.0 server.policy, as described in Deploying an IBM WebSphere Application Server 7.0 Web Container.

CR 6836470: Hotfix Required to Use KDCs Hosted on Windows Server 2008

OpenSSO Enterprise 8.0 Update 1 has added support for using KDCs hosted on Windows Server 2008. To use this new feature, however, you must install a Microsoft hotfix to KTpass on the Windows Server 2008 KDC before using the KDC for Windows Desktop SSO authentication.
For more information and to download this hotfix, see http://support.microsoft.com/kb/951191.

CR 6825011: Windows Desktop SSO Authentication fails with Login Exception on WebSphere Application Server 7.0

Workaround. If OpenSSO Enterprise 8.0 Update 1 is deployed on IBM WebSphere Application Server 7.0 on Windows:

  1. Prefix the Keytab File Name property of the Windows Desktop SSO authentication module instance with file:///. For example:
    file:///C:/keytabs/ssohost-4100-04.HTTP.keytab
  2. Set the new com.sun.identity.authentication.module.WindowsDesktopSSO.Krb5LoginModule property to com.ibm.security.auth.module.Krb5LoginModule.

Set this new property using ssoadm or in the OpenSSO Enterprise Admin Console under Configuration > Sites and Servers > opensso-instance-name > Advanced. Then, restart the WebSphere Application Server 7.0 instance for the value to take effect.

CR 6831600: Configurator buttons are not visible using Safari on a Mac

When running the Configurator using Safari on a Mac, the Next and Cancel buttons are not visible, which gives the impression that the configuration cannot continue.
Workaround. Maximize the Safari browser to the fullest extent and scroll down to see the buttons.

CR 6819848: Berkeley DB client does not failover to secondary Message Queue broker

In a session failover configuration, the Berkeley DB client does not failover to the secondary Message Queue broker. OpenSSO Enterprise server, however, does failover
to the secondary broker, which causes the queue on that broker to quickly fill up. Then, the broker blocks the producer from sending any more messages, which in turn blocks messages from OpenSSO Enterprise server.

CR 6834714: Permissions need updating for WebSphere Application Server 6.1

If you are using IBM WebSphere Application Server 6.1 as the web container and the Java Security Manager is enabled, the securing permissions need to be updated.
Workaround. For the correct permissions, see http://docs.sun.com/doc/820-3320/gimjh.

CR 6835816: After you enable FIPS mode, bootstrap file cannot be decrypted

Workaround. Before you enable FIPS mode, backup the bootstap file. Then, after you enable FIPS mode, replace the bootstrap file with the backup copy.

For more information, see Configuring OpenSSO Enterprise 8.0 Update 1 in FIPS Mode

CR 6831687: SAML2 post profile fails on the Service Provider (SP)

Using JDK 1.6.x, when a Service Provider (SP) tries to verify a signed SAML2 response/assertion, the Identity Provider (IDP)throws a Null Pointer Exception.
Workaround. This problem occurs because JDK 1.6.x includes an older version of the XML security library. To fix this problem:

  1. Create an endorsed directory in JDK 1.6.x. For example:
    JDK_1.6_HOME_DIR/jre/lib/endorsed
  2. Copy the xmlsec.jar file from the OpenSSO_WAR_extracted_dir/WEB-INF/lib directory to the endorsed directory.
  3. Restart the OpenSSO Enterprise 8.0 web container.

CR 6828741: Configuring OpenSSO Enterprise 8.0 Update 1 as site throws exception in debug logs

When you configure OpenSSO Enterprise 8.0 Update 1 using the console, if you provide the site details such as the load balancer and server instances, the configuration finishes successfully and you can log in. However, the debug logs contain an exception.

Workaround. None. You can ignore the exception.

CR 6833362: SAMLv2 returns error on WebLogic Server 10 with SOAP binding

If you deploy OpenSSO Enterprise 8.0 Update 1 on WebLogic Server 10 for both the SP and IDP, configure the meta for SP and IDP for signing and encryption using the default keystore, and then terminate with SOAP binding, an error is returned.

Workaround. Remove last two lines from idpArtifactResolution.jsp, idpMNISOAP.jsp, and spMNISOAP.jsp. Also, remove any empty spaces between %> and <%.

OpenSSO Enterprise 8.0 Update 1 Documentation

In addition to these Release Notes, additional OpenSSO Enterprise 8.0 documentation is available on the following site: http://docs.sun.com/coll/1767.1

Additional Sun Information and Resources

You can find additional useful information and resources at the following locations:

Deprecation Notifications and Announcements

  • The Service Management Service (SMS) APIs (com.sun.identity.sm package) and SMS model will not be included in a future OpenSSO Enterprise release.
  • The Unix authentication module and the Unix authentication helper (amunixd) will not be included in a future OpenSSO Enterprise release.
  • The Sun Java System Access Manager 7.1 Release Notes stated that the Access Manager com.iplanet.am.sdk package, commonly known as the Access Manager SDK (AMSDK), and all related APIs and XML templates will not be included in a future OpenSSO Enterprise release.
    Consequently, when the AMSDK is removed, the Legacy Mode option and support will also be removed.
    Migration options are not available now and are not expected to be available in the future. Sun Identity Manager provides user provisioning solutions that you can use instead of the AMSDK. For more information about Identity Manager, see http://www.sun.com/software/products/identity_mgr/index.jsp.

How to Report Problems and Provide Feedback

If you have questions or issues with OpenSSO Enterprise 8.0 Update 1, contact Sun Support Resources (SunSolve) at http://sunsolve.sun.com/.

This site has links to the Knowledge Base, Online Support Center, and Product Tracker, as well as to maintenance programs and support contact numbers.

If you are requesting help for a problem, please include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation
  • Machine type, operating system version, web container and version, JDK version, and OpenSSO Enterprise version, including any patches or other software that might be affecting the problem
  • Steps to reproduce the problem
  • Any error logs or core dumps

Accessibility Features for People With Disabilities

To obtain accessibility features that have been released since the publishing of this media, consult Section 508 product assessments available from Sun upon request to determine which versions are best suited for deploying accessible solutions.

For information about Sun's commitment to accessibility, see http://sun.com/access.

Related Third-Party Web Sites

Third-party URLs are referenced in this document and provide additional, related information.
Note - Sun is not responsible for the availability of third-party Web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.

Top of Page
Contents
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Sign up or Log in to add a comment or watch this page.


The individuals who post here are part of the extended Sun Microsystems community and they might not be employed or in any way formally affiliated with Sun Microsystems. The opinions expressed here are their own, are not necessarily reviewed in advance by anyone but the individual authors, and neither Sun nor any other party necessarily agrees with them.

Copyright 1994-2009 Sun Microsystems, Inc.
Powered by Atlassian Confluence Sun Guidelines on Public Discourse Privacy Policy Terms of Use Trademarks Site Map Employment Investor Relations Contact