OpenSSO Express 8 Release Notes


Sun OpenSSO Express 8 is an interim release of Sun OpenSSO Enterprise. This release allows you to try out new features without having to wait for the next full OpenSSO Enterprise release. Previously, Sun released OpenSSO Express 7 in April 2009.

The OpenSSO Express 8 Release Notes provide the following information, as well as links to detailed articles about the new OpenSSO Express 8 features.

Getting Started With OpenSSO Express 8

If you have not previously installed OpenSSO, here are the basic steps to follow:

  1. If necessary, install, configure, and start one of the supported web containers.
  2. Download and unzip the opensso_express_20090901.zip file from the following site:
    OpenSSO project: https://opensso.dev.java.net/public/use/index.html
  3. Deploy the opensso.war file to the web container, using the web container administration console or deployment command. Or, if supported by the web container, simply copy the WAR file to the container's autodeploy directory.
  4. Configure OpenSSO Express 8 using either the GUI Configurator or the command-line Configurator.
    To launch the GUI Configurator, enter the following URL in your browser: protocol://host.domain:port/deploy_uri.
    For example: https://openssohost.example.com:8080/opensso
  5. Perform any additional configuration using either the OpenSSO Administration Console or the ssoadm command-line utility.
  6. To download a version 3.0 policy agent, see https://opensso.dev.java.net/public/use/index.html.

What's New in OpenSSO Express 8

OpenSSO Express 8 includes the following new features, in addition to the new features described in the OpenSSO Express 7 Release Notes.

OpenSSO Express 8 Web Container Changes

OpenSSO Express 8 web containers require JDK 1.6 or later.

OpenSSO Express 8 supports the following web containers:

The following web containers are deprecated in OpenSSO Express 8:

  • WebLogic Server 9.2 MP2
  • WebSphere Application Server 6.1

See also the new web containers added in OpenSSO Express 7.

OpenSSO Express 8 Beta Administration Console

OpenSSO Express 8 includes an alternate Administration Console that allows you to access the new OpenSSO Entitlements Service and to use new work flows (common tasks) for Federation and Web Service Security (WSS). For more information, see Using the OpenSSO Express 8 Beta Administration Console.

OpenSSO Express 8 Fedlet Changes

The OpenSSO Express 8 Fedlet supports .NET applications, allowing any SAML 2.0 identity provider to federate with .NET service providers.

OpenSSO Express 8 Monitoring Service

The OpenSSO Express 8 Monitoring Service collects configuration data and statistics, maintains the information in MBeans, and makes the MBeans available to network management tools using adaptors or connectors. An administrator can display the monitoring data in the MBeans using third-party tools.

OpenSSO Express 8 Web Services Security (WSS) Changes

OpenSSO Express 8 includes new WSS features and the wssagentadmin program to install and manage a WSS agent on a GlassFish or Sun Java System Application Server 9.1 web container.

OpenSSO Express 8 User Data Store Changes

Configuring the user data store in OpenSSO Express 8 has been simplified for both the GUI Configurator and command-line Configurator. Using MySQL for the user data store is also available as an early access (EA) feature in OpenSSO Express 8.

OpenSSO Express 8 Entitlements Service

The OpenSSO Express 8 Entitlements Service is a new authorization and policy component with a user interface that provides an easy-to-follow process for defining the rules that control access to applications and web resources. You can create fine-grained policies, and referrals that delegate policy creation across an OpenSSO realm hierarchy. The Entitlements Service is available through the new Beta OpenSSO Administration Console.

OpenSSO Express 8 Authentication Service Changes

OpenSSO Express 8 adds the HMAC-based One-Time Password (HOTP) authentication module and resource-based authentication to the Authentication Service framework, so that resource authentication no longer requires calling the Gateway Servlet.
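The HOTP algorithm the new module implements is RFC 4226. The following added example is not OpenSSO code and does not show how the OpenSSO module is configured; it shows the algorithm itself (HMAC-SHA1 over the counter, dynamic truncation, reduction modulo 10^digits) together with the server-side behaviour that makes a counter-based OTP safe: a bounded look-ahead window for resynchronisation, a constant-time comparison, and advancing the stored counter past the match so an intercepted code cannot be replayed. The secret is the RFC 4226 Appendix D test secret, so the generated codes can be checked against the RFC's published vectors; the window size and `HotpVerifier` class are the example's own choices.

```python
"""HOTP (RFC 4226) generation and server-side verification (added example, not OpenSSO code)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 section 5.3: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


class HotpVerifier:
    """Server side: one shared secret and one moving counter per user.

    A code is accepted only if it matches a counter in [next_counter, next_counter + look_ahead);
    on success the counter is moved past the match, which both resynchronises with a token
    that was pressed a few times without logging in and burns every earlier code.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead          # assumed policy value, not an OpenSSO default
        self.digits = digits
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            # constant-time comparison: timing must not reveal how close a guess was
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.next_counter = c + 1     # replay of this or any earlier code now fails
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890")
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = HotpVerifier(RFC4226_SECRET)
    print(hotp(RFC4226_SECRET, 0))   # 755224, the RFC's first test vector
    print(v.verify("755224"))        # True: counter 0
    print(v.verify("755224"))        # False: replay of a burned counter
    print(v.verify("969429"))        # True: counter 3, inside the look-ahead window
    print(v.verify("287082"))        # False: counter 1 was skipped and is now burned
```

The look-ahead window is the trade-off to watch: every extra counter in the window is one more code an attacker can guess against, so keep it small and pair it with a failed-attempt limit.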

Other New Features in OpenSSO Express 8

OpenSSO Express 8 Hardware and Software Requirements

OpenSSO Express 8 supports most hardware and software requirements supported by OpenSSO Enterprise 8.0. For information, see the Sun OpenSSO Enterprise 8 Release Notes.

For updates to web container support, including new and deprecated web containers, see OpenSSO Express 8 Web Container Changes.

Using Policy Agents with OpenSSO Express 8

OpenSSO Express 8 supports both version 3.0 and version 2.2 policy agents.

For information about version 3.0 agents, see http://docs.sun.com/coll/1767.1.

Version 2.2 policy agents are compatible with OpenSSO Enterprise and OpenSSO Express releases. However, a version 2.2 agent continues to store its configuration data locally in its AMAgent.properties file; because that configuration data is local to the agent, OpenSSO centralized agent configuration is not supported for version 2.2 agents. To configure a version 2.2 agent, edit the agent's AMAgent.properties file.

For information about version 2.2 agents, see http://docs.sun.com/coll/1322.1.

Known Issues in This Release

OpenSSO Express 8 requires JDK 1.6 for web container

OpenSSO Express 8 requires JDK 1.6 for web containers; otherwise, the IdentityServicesHandler servlet will not be available.

4918: Cannot log in to OpenSSO Console when OpenSSO Express is deployed on JBoss 5.x

If OpenSSO Express 8 is deployed on JBoss 5.x, you cannot log in to the OpenSSO Console. After entering your credentials, you will be directed back to the login page.

JBoss 5.x bundles Tomcat 6.0.16, whose cookie handling does not accept the special characters that appear in the value of the OpenSSO iPlanetDirectoryPro session cookie, so the session cookie set at login is not returned intact.
Workaround. In the JBoss run.conf file (or run.conf.bat on Windows), which is used to start up the JBoss instance, add the following JVM option:

-Dcom.iplanet.am.cookie.encode=true

After you have deployed and configured OpenSSO Express 8, you can remove this entry from run.conf (or run.conf.bat on Windows), because by then OpenSSO Express 8 has set the cookie encode property in its own configuration.
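The following added example is not OpenSSO code; it models what the workaround above changes. The characters a strict servlet container objects to are the RFC 2616 separators (the RFC 2109 tspecials), and the com.iplanet.am.cookie.encode property is read here as making OpenSSO percent-encode the cookie value before it is sent, which is an assumption about the property, not something the release notes state. The sample token is constructed to have the shape of an iPlanetDirectoryPro value and is not a real session token; `set_cookie_header` and the function names are the example's own.

```python
"""Model of the cookie-encode workaround for strict servlet containers (added example, not OpenSSO code)."""
from urllib.parse import quote, unquote

# RFC 2616 "separators" (RFC 2109 tspecials). A container that enforces them will not
# pass a cookie value containing any of these through unchanged; SP and HT included.
SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')

# Constructed sample in the shape of an iPlanetDirectoryPro value (NOT a real token).
# The '/' and '=' are the kind of characters the strict container objects to.
SAMPLE_TOKEN = "AQIC5wM2LY4Sfc/5Xo2PbW0nG2xq8Tq3J9hK1c=*AAJTSQACMDEAAlNLABQtNzgyMDc2NDA1MDg3MDgw*"


def unsafe_chars(value: str) -> set:
    """Separator characters present in a cookie value (empty set means the value is safe)."""
    return {c for c in value if c in SEPARATORS}


def encode_cookie_value(value: str) -> str:
    """Percent-encode everything outside the unreserved set; this is the assumed effect of
    com.iplanet.am.cookie.encode=true on the session token."""
    return quote(value, safe="")


def decode_cookie_value(value: str) -> str:
    """Reverse of encode_cookie_value, what the server must do before validating the token."""
    return unquote(value)


def set_cookie_header(name: str, value: str, encode: bool) -> str:
    """Build the Set-Cookie header a server would emit. With encoding off, refuse a value
    that a strict container would mangle rather than silently emitting a broken session."""
    bad = unsafe_chars(value)
    if not encode and bad:
        raise ValueError(f"cookie {name} contains separators {sorted(bad)}; enable cookie encoding")
    sent = encode_cookie_value(value) if encode else value
    return f"Set-Cookie: {name}={sent}; Path=/; HttpOnly"


if __name__ == "__main__":
    print(sorted(unsafe_chars(SAMPLE_TOKEN)))                          # ['/', '=']
    header = set_cookie_header("iPlanetDirectoryPro", SAMPLE_TOKEN, encode=True)
    print(header)
    on_the_wire = header.split("=", 1)[1].split(";", 1)[0]
    print(decode_cookie_value(on_the_wire) == SAMPLE_TOKEN)            # True
```

The point of the check in `set_cookie_header` is that the failure mode on JBoss 5.x is silent: the login succeeds, the cookie is set, and the next request simply has no usable session. Failing loudly on an unencodable value at the server is cheaper than diagnosing a redirect loop.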

5168: OpenSSO Express 8 with new Console doesn't deploy on Oracle Application Server

The OpenSSO Express 8 opensso.war with the new console doesn't deploy on Oracle Application Server.
Workaround.

  1. Download the following JAR files from http://download.java.net/general/opensso/extlib/latest/opensso-sun-extlib.zip:
    • el-api-1.0.jar
    • el-ri-1.0.jar
  2. Rewar opensso.war to include the JAR files from Step 1. For example, from the directory containing opensso.war:
    jar -xvf opensso.war WEB-INF/lib
    cp <el-jar-location>/el-api-1.0.jar WEB-INF/lib
    cp <el-jar-location>/el-ri-1.0.jar WEB-INF/lib
    jar -uf opensso.war WEB-INF/lib
    
  3. Before deployment, in the deployment plan, remove oracle.toplink, oracle.xml, and oracle.xml.security under the classloader settings.
  4. In the Oracle Application Server OC4J's java2.policy file, add the following OpenSSO permissions to the grant statement (in addition to the existing OpenSSO permissions):
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "modifyThread";
    permission javax.security.auth.PrivateCredentialPermission
      "com.sun.identity.authentication.internal.AuthSSOToken * \"*\"","read";
    
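Before deploying the repackaged WAR, it is worth confirming that the two JARs actually landed under WEB-INF/lib, since a deployment that fails for a missing class on Oracle Application Server looks much like the original problem. The following added example is not part of the release notes or of OpenSSO; it repacks a WAR with the required JARs (the equivalent of the jar -uf step, rewriting the archive so a replaced entry is not kept twice) and reports which required entries are still missing. The `demo` function builds a constructed stand-in for opensso.war and placeholder JAR files in a temporary directory; the real artifacts are not included.

```python
"""Repack a WAR with extra JARs and verify they are present (added example, not OpenSSO code)."""
import io
import os
import tempfile
import zipfile

# Entries the Oracle Application Server workaround requires in the archive.
REQUIRED_JARS = ("WEB-INF/lib/el-api-1.0.jar", "WEB-INF/lib/el-ri-1.0.jar")


def add_jars(war_path: str, jar_paths, lib_dir: str = "WEB-INF/lib") -> None:
    """Rewrite war_path in place: copy every existing entry except those being replaced,
    then add each JAR under lib_dir. Rewriting (rather than appending) keeps one entry per name."""
    targets = {f"{lib_dir}/{os.path.basename(p)}": p for p in jar_paths}
    buf = io.BytesIO()
    with zipfile.ZipFile(war_path) as src, zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in targets:
                dst.writestr(info, src.read(info))
        for name, path in targets.items():
            dst.write(path, arcname=name)
    with open(war_path, "wb") as out:
        out.write(buf.getvalue())


def missing_jars(war_path: str, required=REQUIRED_JARS) -> list:
    """Required entry names absent from the archive; an empty list means it is safe to deploy."""
    with zipfile.ZipFile(war_path) as z:
        present = set(z.namelist())
    return sorted(set(required) - present)


def demo() -> dict:
    """Constructed opensso.war stand-in and placeholder JARs (not the real files),
    repacked twice to show the operation is idempotent."""
    with tempfile.TemporaryDirectory() as d:
        war = os.path.join(d, "opensso.war")
        with zipfile.ZipFile(war, "w") as z:
            z.writestr("WEB-INF/web.xml", "<web-app/>")
            z.writestr("WEB-INF/lib/opensso.jar", "placeholder")
        jars = []
        for name in ("el-api-1.0.jar", "el-ri-1.0.jar"):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"placeholder jar " + name.encode())
            jars.append(p)
        before = missing_jars(war)
        add_jars(war, jars)
        add_jars(war, jars)
        with zipfile.ZipFile(war) as z:
            names = z.namelist()
        return {"before": before, "after": missing_jars(war), "entries": len(names)}


if __name__ == "__main__":
    print(demo())
```

Run `missing_jars("opensso.war")` against the real repackaged archive; anything it lists is a JAR the cp step did not pick up.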

4859: Configurator buttons are not visible using Safari on a Mac

When running the Configurator using Safari on a Mac, the Next and Cancel buttons are not visible, which gives the impression that the configuration cannot continue.
Workaround. Maximize the Safari browser to the fullest extent and scroll down to see the buttons.

5372: Entitlement console is not accessible on GlassFish v3 Preview

If OpenSSO Express 8 is deployed on GlassFish v3 Preview, you cannot access the Entitlement console.

Workaround. Although you cannot access the Entitlement console on GlassFish v3 Preview, you can access the console by deploying OpenSSO Express 8 on GlassFish v3 Prelude. For information, see GlassFish Project - v3 Prelude.

5455: Configurator User Data Store settings password field is not rendered properly in Mozilla 1.7

If you are configuring OpenSSO Express 8 using the GUI Configurator with Mozilla 1.7, the Password field in the "Step 4: User Data Store Settings" screen is not rendered properly.

Workaround. To view the user data store settings correctly, reduce the text size in the browser: under View, set the text size to 75%, and the Password field displays correctly.

5324: Creating a group fails on IBM Tivoli Directory Server as user data store

If you are using IBM Tivoli Directory Server as the OpenSSO user data store, the configuration is successful, but an attempt to add a group fails.

Workaround.

  1. Log in to the OpenSSO Console as amadmin.
  2. Click Access Control, realm-name, Data Stores, and then the name of the data store for Tivoli Directory Server.
  3. On the Generic LDAPv3 page:
    • If the Attribute Name for Group Membership field has a value (such as memberOf), remove the value.
    • In Default Group Member's User DN, specify a user. For example: cn=user,dc=example,dc=com. Tivoli Directory Server requires at least one member in a group before the group can be created.
  4. Click Save.

4844: Fedlet single sign-on fails using IBM WebSphere Application Server 7.0

The OpenSSO Fedlet fails if deployed on IBM WebSphere Application Server 7.0.

Workaround.

  1. Download the OpenSSO External Library Bundle (opensso-sun-extlib.zip) from https://opensso.dev.java.net/public/use/index.html#source.
  2. Unzip opensso-sun-extlib.zip and add the following JAR files to the Fedlet WEB-INF/lib directory:
    • xalan.jar
    • xercesImpl.jar

5439: Realm attributes values are not inherited by new sub-realm

Realm attributes are not inherited by a new sub-realm if the parent realm contains an HTTP Basic authentication module instance whose "Backend Authentication Module" value contains a dash character (-), for example an instance named anon-1. Creating a sub-realm under such a parent realm fails with a data validation error.
Workaround. Before creating the sub-realm, either remove the HTTP Basic authentication module instance whose "Backend Authentication Module" value contains the dash, or change the "Backend Authentication Module" value to one that does not contain a dash.

5326: Deleted group is not removed from group list with referential integrity enabled

In this scenario, OpenSSO Express 8 is configured to use Sun Java System Directory Server as the remote user data store and referential integrity is enabled for the Directory Server entries. However, if a group is deleted in Directory Server, the group is not removed from the user's group list, even though referential integrity is enabled.
Workaround. For referential integrity to work properly, after you finish running the OpenSSO Express 8 Configurator, restart the remote Sun Directory Server.

5502: Policy creation is not possible in a subrealm in OpenSSO Express 8

You cannot create a policy in a subrealm using the console because of the integration of the Entitlement workspace.
Workaround. Create a policy using the ssoadm command-line utility. For more information, see "Creating Policies and Referrals" in the Sun OpenSSO Enterprise 8.0 Administration Guide.

5477: On Windows, ssoadm does not work when the configuration directory contains spaces

On Windows, ssoadm displays a NoClassDefFoundError if ssoadm is configured using an OpenSSO configuration directory that contains spaces (for example: C:\Documents and Settings\Administrator\opensso).
Workaround. Edit the ssoadm.bat file as follows:

  1. Remove the double quotes from the value of TOOLS_HOME. For example, if the configuration directory is C:/Program Files/ssoadm, then change
    set TOOLS_HOME="C:/Program Files/ssoadm"
    to
    set TOOLS_HOME=C:/Program Files/ssoadm
  2. Add double quotes around each entry in the classpath.

4727: With session failover, Message Queue queue gets full when two brokers are active

To implement session failover, OpenSSO uses Sun Java System Message Queue to publish session information to a destination (topic) and a Message Queue client to store this information in a persistent database (Berkeley DB). If two Message Queue brokers are active, the Message Queue queue grows constantly until it reaches its limit, which in turn causes performance problems for OpenSSO.

OpenSSO Enterprise 8.0 Documentation

OpenSSO Enterprise 8.0 documentation is available on the following site:

OpenSSO Enterprise 8.0 Documentation Center

Check this site periodically to view the most recent documentation.

Deprecation Notifications and Announcements

  • The LDAP JDK file ldapjdk.jar was not included in OpenSSO, beginning with OpenSSO Express 7.
  • The Service Management Service (SMS) APIs (com.sun.identity.sm package) and SMS model will not be included in a future OpenSSO Enterprise release.
  • The Unix authentication module and the Unix authentication helper (amunixd) will not be included in a future OpenSSO Enterprise release.
  • The Sun Java System Access Manager 7.1 Release Notes stated that the Access Manager com.iplanet.am.sdk package, commonly known as the Access Manager SDK (AMSDK), and all related APIs and XML templates will not be included in a future OpenSSO Enterprise release. Migration options are not available now and are not expected to be available in the future. Sun Identity Manager provides user provisioning solutions that you can use instead of the AMSDK. For more information about Identity Manager, see http://www.sun.com/software/products/identity_mgr/index.jsp.

How to Report Problems and Provide Feedback

If you have questions or issues with OpenSSO Express, contact Sun Support Resources (SunSolve) at http://sunsolve.sun.com/.

This site has links to the Knowledge Base, Online Support Center, and Product Tracker, as well as to maintenance programs and support contact numbers.

If you are requesting help for a problem, please include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation
  • Machine type, operating system version, web container and version, JDK version, and OpenSSO Express version, including any patches or other software that might be affecting the problem
  • Steps to reproduce the problem
  • Any error logs or core dumps

Additional Sun Resources

You can find additional useful information and resources at the following locations:


  1. Sep 03

    vimal_67 says:

    Before
    OpenSSO Express 8 Fedlet Changes
    The OpenSSO Express 8 Fedlet supports .NET applications, allowing any SAML 2.0 identity provider to federation-enable .NET service providers.

    Should be
    OpenSSO Express 8 Fedlet Changes
    The OpenSSO Express 8 Fedlet supports .NET applications, allowing any SAML 2.0 identity provider to federate with .NET service providers.

  2. Sep 03

    inthanga says:

    for the bug 5168: step3:
    should read "In Oracle Application Server OC4J's java2.policy" instead of "In the JBoss server.policy"

  3. Sep 04

    cmwesley says:

    We should add the following known issue.

    5477: ssoadm on Windows does not work when the configuration directory contains spaces

    ssoadm will display a NoClassDefFoundError when ssoadm is configured using an OpenSSO configuration directory which contains spaces (e.g. C:\Documents and Settings\Administrator\opensso).

    Workaround

    Edit the ssoadm.bat as follows

    1. Remove the double quotes from the value of TOOLS_HOME

    For example, if the configuration directory was C:/Program Files/ssoadm then change

    set TOOLS_HOME="C:/Program Files/ssoadm"

    to
    set TOOLS_HOME=C:/Program Files/ssoadm

    2. Add double quotes around each entry in the classpath.

  4. Sep 04

    cmwesley says:

    For issue 4918, we should change JBoss 5.0.1 to JBoss 5.x. This issue also affects JBoss Application Server 5.1.0. Should we mention that on Windows run.conf.bat is the file that should be edited?

  5. Sep 04

    cmwesley says:

    We should add the following known issue.

    5439: Realm attributes are not inherited by sub-realm if parent realm contains an HTTP Basic authentication module instance which has a "Backend Authentication Module" value which contains a '-' character.

    If the parent realm contains an HTTP Basic authentication module instance which is configured to use a "Backend Authentication Module" which contains an authentication module instance which has a dash character (e.g. "anon-1"). If a sub-realm is created using the aforementioned parent realm then a data validation error will occur.

    Workaround: Either remove the HTTP Basic authentication module instance which has a "Backend Authentication Module" which contains a '-' character before creating the sub-realm or use a "Backend Authentication Module" value which does not contain a '-'.

  6. Sep 08

    vishnu08 says:

    arunav-1
    Add this issue to the Known issues https://opensso.dev.java.net/issues/show_bug.cgi?id=5372
    arunav-2
    For the issue 5502 change the description as follows
    You cannot create a policy creation in a subrealm because of the integration of the Entitlement workspace--->
    Should be changed to

    You cannot create a policy in a subrealm using the console because of the integration of Entitlement workspace.

  7. Oct 02

    AlexDorandish says:

    Has anyone at Sun tested OpenSSO Express 8 with JBoss 5.1.0?
    I am getting a lot of errors and issues with libraries. I tried it under linux (Fedora), Windows vista 64, and Windows vista 32 with Java version "1.6.0_16". All same errors.

    1. Oct 02

      AlexDorandish says:

      I found this answer in the group:

      "Hi Matthew,

      We have successfully tested this on JBoss 5.0.0, not verified this on JBoss 5.1.0 yet, but should not be a problem. We can test this for you.
      Also question on the configurations - I see you are using default "wsc" and "wsp" configurations from OpenSSO, right ? Have you done any modifications to the default settings ?

      Thanks,
      Mrudul"

      http://markmail.org/search/?q=opensso+mrudul+WSS+sample+SOAPElement+expected+exception#query:opensso%20mrudul%20WSS%20sample%20SOAPElement%20expected%20exception+page:1+mid:6yi2n5az54j3pwng+state:results

      So I wonder why does Sun claim that JBoss 5.1 is supported when it has not even been tested and verified?


Copyright 1994-2009 Sun Microsystems, Inc.