h5. CR 6770231: OpenSSO Enterprise 8.0 Update 1 Validates goto URLs
OpenSSO Enterprise 8.0 Update 1 can validate the goto URL after a user logs in, to prevent an attacker from using the post-login redirect to send the user to an imposter site that steals the user's personal information.
h6. To Set Valid goto URLs:
# Install OpenSSO Enterprise 8.0 Update 1. If you are patching OpenSSO Enterprise 8.0, make sure you run the {{updateschema.sh}} or {{updateschema.bat}} script and restart the OpenSSO Enterprise web container.
# Log in to the Admin Console.
# Click Configuration, Authentication, and then Core.
# Under Valid goto URL domains, add each valid goto domain name, as follows:
#* A domain name starting with a dot (.) such as {{.example.com}} allows all hosts in the {{example.com}} domain to be used in a success redirect URL.
#* A domain name that does not start with a dot (.) such as {{example.com}} allows only the host {{example.com}} to be used in a success redirect URL. For example, {{[http://example.com]}} would be valid, but {{[http://host.example.com]}} would not be valid.
#* If you don't add the entire domain to the list, you must add each individual agent host name being used.
#* You do not need to add domains for agents in CDSSO mode, because they are protected automatically.
# Click Save.
# Restart the OpenSSO Enterprise web container.
If you subsequently want to disable the goto URL validation, remove all entries from the Valid goto URL domains list.
*Additional Information* -- If a goto URL is found to be invalid, the user will be redirected to the default success login URL ({{/opensso/console}}).
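The two matching rules and the fallback to the default success URL, written out as an added Python example (not OpenSSO's own code). The domain list and the default URL are constructed sample values; the treatment of plain relative paths, scheme-relative URLs and non-HTTP schemes is an assumption of this example, not something the release notes specify:

```python
from urllib.parse import urlsplit

# Constructed sample of the "Valid goto URL domains" list (assumption: the
# real list is read from the Core authentication service configuration).
VALID_GOTO_DOMAINS = [".example.com", "portal.example.org"]
DEFAULT_SUCCESS_URL = "/opensso/console"


def host_allowed(host, valid_domains):
    """Apply the two matching rules from the release notes to one host."""
    host = host.lower().rstrip(".")
    for entry in valid_domains:
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("."):
            # Leading dot: every host in that domain qualifies. The apex
            # host itself is accepted here too (assumption of this example).
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            # No leading dot: only that exact host, never its subdomains.
            return True
    return False


def resolve_goto(goto, valid_domains=VALID_GOTO_DOMAINS,
                 default=DEFAULT_SUCCESS_URL):
    """Return the URL the user is actually sent to after a successful login."""
    if not valid_domains:
        # An empty list disables validation, as the notes describe.
        return goto
    parts = urlsplit(goto)
    if not parts.scheme and not parts.netloc:
        # Plain path on this server (e.g. /myapp): assumed acceptable, since it
        # cannot leave the OpenSSO host. Scheme-relative "//host/..." forms carry
        # a netloc and fall through to the host check instead.
        return goto if goto.startswith("/") else default
    if parts.scheme not in ("", "http", "https"):
        # javascript:, data:, mailto: and similar never redirect anywhere.
        return default
    # hostname is lower-cased and stripped of user-info and port, so
    # "http://example.com@evil.com/" is checked as evil.com, not example.com.
    host = parts.hostname
    if host and host_allowed(host, valid_domains):
        return goto
    return default
```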
{anchor:6696910}
h5. CR 6696910: New Property makes Event Notification Cache Configurable
The new {{com.sun.am.event.notification.expire.time}} property allows you to configure or disable the event notification cache in order to improve performance. To disable the cache, set this property to 0 (zero). The default is 30 minutes.
After you set this property, restart the OpenSSO Enterprise 8.0 web container for the new value to take effect.
{anchor:6740071}
h5. CR 6740071: New Property Controls Session Cookie for Zero Page Authentication
The new {{com.sun.identity.appendSessionCookieInURL}} property determines whether OpenSSO Enterprise 8.0 Update 1 appends the session cookie to the URL for zero page authentication. Set this property to false to prevent OpenSSO Enterprise 8.0 Update 1 from appending the session cookie to the URL. This matters, for example, when an application filters incoming URLs for special characters for security reasons: if the cookie value contains a special character, access is denied. The default value is true (the cookie is appended).
To set the new {{com.sun.identity.appendSessionCookieInURL}} property:
# Log in to the OpenSSO Enterprise 8.0 Update 1 Admin Console.
# Click Configuration, Servers and Sites, Default Server Settings, and then Advanced.
# Add the property with a value of {{true}}.
# Click Save.
The {{com.sun.identity.appendSessionCookieInURL}} property is hotswappable, which means that you don't have to restart the OpenSSO Enterprise 8.0 web container for a new value to take effect.
{anchor:6691106}
h5. CR 6691106: New Properties Prevent Multiple Site Monitor Threads
The {{amNaming}} log sometimes indicates multiple Site Monitor threads running to check the same site. To prevent this problem, OpenSSO Enterprise 8.0 Update 1 provides improved synchronization that prevents the creation of multiple Site Monitor threads for the same site. OpenSSO Enterprise 8.0 also includes these new properties:
* {{com.sun.identity.urlchecker.retry.interval}} specifies the time interval in milliseconds between retries for a URL connection. Default is 500 milliseconds (0.5 seconds).
* {{com.sun.identity.urlchecker.retry.limit}} specifies the maximum number of retries for the URL connection if a connection failure occurs. Default is 3 retries.
After you set these properties, restart the OpenSSO Enterprise 8.0 web container for the new values to take effect.
The fix for this problem also uses the following property:
* {{com.sun.identity.urlchecker.sleep.interval}} specifies the time interval in milliseconds that the site status check should sleep. Default is 30000 milliseconds (30 seconds).
{anchor:6797423}
h5. CR 6797423: New property configures OpenSSO Enterprise server policy decision cache
The new {{com.sun.identity.policy.resultsCacheMaxSize}} property allows you to configure the policy decision cache for OpenSSO Enterprise 8.0 Update 1 server.
For example, a value of 1000 causes policy decisions to be cached for a maximum of 1000 sessions, irrespective of the actual number of concurrent sessions on the server.
{anchor:6785321}
h5. CR 6785321: CRL and OCSP checking support JSS-based logic
Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking now support the Network Security Services for Java (JSS) library, enabling FIPS mode when OpenSSO Enterprise 8.0 Update 1 is deployed on the Sun Java Web Server 7.0 Update 3 or later web container.
*Note* -- FIPS compliance mode depends on JSS, but using JSS does not necessitate FIPS compliance mode.
{anchor:6657112}
h5. CR 6657112: Redirect callback support is added for Distributed Authentication Server UI
Redirect callback support ({{RedirectCallback}}), which is used to redirect users to an external website as part of the authentication process, now works when the login is through a Distributed Authentication Server UI.
{anchor:6657367}
h5. CR 6657367: CDCServlet removes the JavaScript enabled dependency for user's browser
If cross-domain single sign-on (CDSSO) is enabled for a policy agent, the {{CDCServlet}} can now redirect assertions ({{CDCRedirectServlet}}) for the agent, even if JavaScript is disabled for the user's browser.
{anchor:6496155}
h5. CR 6496155: Policy agents send token other than the IP address in cookie hijacking mode
Previously, in cookie hijacking mode, policy agents sent the IP address of the server where they were installed to the OpenSSO Enterprise server. Now, the policy agent first sends the application SSO token. If the agent cannot obtain the application SSO token, the agent then sends the IP address to the OpenSSO Enterprise server.
If strict DN checking is required for a deployment, OpenSSO Enterprise server includes the new {{iplanet-am-session-dnrestrictiononly}} property.
The default value is {{false}}. If this property is set to {{true}}, the OpenSSO Enterprise server performs strict DN checking. If the agent sends an IP address, the OpenSSO Enterprise server considers the IP address to be an error.
To set {{iplanet-am-session-dnrestrictiononly}} for strict DN checking:
# Add the property with a value of {{true}} using either the OpenSSO Enterprise Admin Console or the {{ssoadm}} utility.
# Restart the OpenSSO Enterprise server web container for the DN checking to take effect.
{anchor:6697260}
h5. CR 6697260: New property allows policy agent sessions to time out
The new {{com.iplanet.am.session.agentsessionidletime}} property sets the maximum idle timeout in minutes for policy agent sessions. The minimum value is 30 minutes. A value greater than 0 and less than 30 will be reset to 30. The default is 0, which means that the policy agent sessions never time out.
To set {{com.iplanet.am.session.agentsessionidletime}}:
# Add the property with the maximum idle timeout value using either the OpenSSO Enterprise Admin Console or the {{ssoadm}} utility.
# Restart the OpenSSO server web container for the idle timeout value to take effect.
{anchor:6811036}
h5. CR 6811036: After upgrading from JES4, in co-existence mode, amadmin authenticates to configuration data store
Due to the fix for security issue 3924 in OpenSSO Enterprise 8.0, the {{amadmin}} user was prevented from logging in to any authentication module other than the DataStore and Application authentication modules. This new fix for CR 6811036 removes this restriction, but at the same time re-implements the original security fix to protect authentication as the {{amadmin}} user, which is considered the OpenSSO Enterprise internal or special user, in the following manner:
* {{amadmin}} can authenticate only to the Top-Level Realm.
* {{amadmin}} and its password will first be authenticated against the configuration data store. That is, this user and its password must match the {{amadmin}} user and its password in the OpenSSO Enterprise configuration data store. Then, this user will be authenticated against the required authentication store (authentication module) with the same credentials. Finally, this user will be retrieved (searched) in the OpenSSO Enterprise user data store (based on the user profile option selected in the Authentication service configuration). The actual authentication module store, user data store and configuration data store can be different, as long as the above succeeds. If all three stores are the same, the above succeeds automatically.
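The ordering of the three checks above, as an added Python illustration that is not OpenSSO's own code. The three stores are constructed in-memory stand-ins (a real deployment backs them with its configuration directory, the selected authentication module and the user data store), and the use of {{/}} as the name of the Top-Level Realm is an assumption of the example:

```python
import hashlib
import hmac

TOP_LEVEL_REALM = "/"  # assumption: the Top-Level Realm is named "/"


def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-ins for the three stores the notes name.
CONFIG_STORE = {"amadmin": _digest("cfg-secret")}
AUTH_MODULE_STORE = {"amadmin": _digest("cfg-secret"),
                     "alice": _digest("alice-pw")}
USER_DATA_STORE = {"amadmin": {"dn": "uid=amadmin,ou=People,dc=example,dc=com"}}


def _credentials_match(store, user, password):
    expected = store.get(user)
    return expected is not None and hmac.compare_digest(expected, _digest(password))


def authenticate_amadmin(password, realm, config_store=CONFIG_STORE,
                         auth_store=AUTH_MODULE_STORE, user_store=USER_DATA_STORE):
    """Run the checks in the order the release notes describe.

    Returns (True, user_dn) on success, or (False, reason) naming the step
    that rejected the login. Every step must pass; the same credentials are
    presented to the configuration store and to the authentication module.
    """
    if realm != TOP_LEVEL_REALM:
        return False, "amadmin may authenticate only to the top-level realm"
    # 1. Credentials must match the amadmin entry in the configuration store.
    if not _credentials_match(config_store, "amadmin", password):
        return False, "rejected by configuration data store"
    # 2. The same credentials must then satisfy the authentication module.
    if not _credentials_match(auth_store, "amadmin", password):
        return False, "rejected by authentication module"
    # 3. Finally the user profile must be found in the user data store.
    profile = user_store.get("amadmin")
    if profile is None:
        return False, "profile not found in user data store"
    return True, profile["dn"]
```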
{anchor:6827616}
h5. CR 6827616: SMS cache is disabled by default for the Client SDK
After a Client SDK installation, the service management service (SMS) cache is disabled by default, which can cause performance issues.
*Workaround*: To enable the cache for SMS and the Identity Repository (IdRepo), set or add the following properties in the {{AMClient.properties}} file:
{noformat}
com.iplanet.am.sdk.caching.enabled=true
com.sun.identity.idm.cache.enabled=true
com.sun.identity.sm.cache.enabled=true
{noformat}
h1. Installing OpenSSO Enterprise 8.0 Update 1
First, download patch 141655-01 from [http://sunsolve.sun.com/]. Then, install OpenSSO Enterprise 8.0 Update 1, as described in [Installing OpenSSO Enterprise 8.0 Update 1|http://wikis.sun.com/x/RgQCBg].
h1. Hardware and Software Requirements For OpenSSO Enterprise 8.0 Update 1
* [OpenSSO Enterprise 8.0 Hardware and Software Requirements|http://docs.sun.com/doc/820-3745/adjai?a=view]
* [Support for New Web Containers|#WebContainers]
* [Policy Agent Support in OpenSSO Enterprise 8.0 Update 1|#PolicyAgents]
*Note* \- The hardware and software requirements for OpenSSO Enterprise 8.0 Update 1 represent the only environments in which it can be deployed with full support from Sun Microsystems. No support is provided for environments that do not meet the stated requirements. Sun Microsystems assumes no responsibility or liability for any environments that don't adhere to supported hardware and software requirements for OpenSSO Enterprise 8.0 Update 1 as documented. Sun strongly recommends that you involve the Sun Professional Services organization before you begin the installation and deployment process. This may require additional expense on your part.
{anchor:PolicyAgents}
h4. Policy Agent Support in OpenSSO Enterprise 8.0 Update 1
|| Policy Agent Version || OpenSSO Enterprise 8.0 Update 1 Support ||
| 3.0 | Version 3.0 Java EE (also called J2EE) and web policy agents are supported, including new version 3.0 features. \\ For more information, including the available version 3.0 agents, see [http://docs.sun.com/coll/1767.1]. |
| 2.2 | Version 2.2 Java EE and web policy agents are supported. \\ However, a version 2.2 policy agent must continue to use version 2.2 features. For example, the OpenSSO Enterprise centralized agent configuration is not supported, and the 2.2 agent must store its configuration data locally in its {{AMAgent.properties}} file. \\ For more information, including the available version 2.2 agents, see [http://docs.sun.com/coll/1322.1]. |
| 2.1 | Version 2.1 policy agents are *not* supported. |
h1. OpenSSO Enterprise 8.0 Update 1 Issues and Workarounds
* [CR 6830298: OpenSSO Enterprise Admin Tools Must be Re-installed|#6830298]
* [CR 6823779: ssoadm cannot be used with Secure WebSphere Application Server 7.0|#6823779]
* [CR 6824420: Configuration fails for WebSphere Application Server 7.0 with Java 2 security enabled|#6824420]
* [CR 6836470: Hotfix Required to Use KDCs Hosted on Windows Server 2008|#6836470]
* [CR 6825011: Windows Desktop SSO Authentication fails with Login Exception on WebSphere Application Server 7.0|#6825011]
* [CR 6831600: Configurator buttons are not visible using Safari on a Mac|#6831600]
* [CR 6819848: Berkeley DB client does not failover to secondary Message Queue broker|#6819848]
* [CR 6834714: Permissions need updating for WebSphere Application Server 6.1|#6834714]
* [CR 6835816: After you enable FIPS mode, bootstrap file cannot be decrypted|#6835816]
* [CR 6831687: SAML2 post profile fails on the Service Provider (SP)|#6831687]
* [CR 6828741: Configuring OpenSSO Enterprise 8.0 Update 1 as site throws exception in debug logs|#6828741]
* [CR 6833362: SAMLv2 returns error on WebLogic Server 10 with SOAP binding|#6833362]
{anchor:6830298}
h4. CR 6830298: OpenSSO Enterprise Admin Tools Must be Re-installed
If you patch OpenSSO Enterprise 8.0 with Update 1, you must re-install the admin tools in Update 1 before you run the {{updateschema.sh}} or {{updateschema.bat}} script, because the script requires the Update 1 version of the {{ssoadm}} command-line utility.
*Workaround*. Before you run the {{updateschema.sh}} or {{updateschema.bat}} script, install the Update 1 admin tools, as described in [Installing the OpenSSO Enterprise 8.0 Update 1 Admin Tools|http://wikis.sun.com/x/tYF1BQ].
{anchor:6823779}
h4. CR 6823779: {{ssoadm}} cannot be used with Secure WebSphere Application Server 7.0
If the admin tools ({{ssoAdminTools.zip}}) are configured to use the IBM JVM with a secure (SSL-enabled) WebSphere Application Server 7.0 instance, {{ssoadm}} returns a fatal error.
*Workaround*. To configure {{ssoadm}}, see [Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container|http://wikis.sun.com/x/MYYrBg].
{anchor:6824420}
h4. CR 6824420: Configuration fails for WebSphere Application Server 7.0 with Java 2 security enabled
If OpenSSO Enterprise 8.0 Update 1 is deployed with IBM WebSphere Application Server 7.0 and Java 2 security is enabled, the configuration fails.
*Workaround*. Add the required permissions to the WebSphere Application Server 7.0 {{server.policy}}, as described in [Deploying an IBM WebSphere Application Server 7.0 Web Container|http://wikis.sun.com/x/MgBHBQ].
{anchor:6836470}
h4. CR 6836470: Hotfix Required to Use KDCs Hosted on Windows Server 2008
OpenSSO Enterprise 8.0 Update 1 has added support for using KDCs hosted on Windows Server 2008. To use this new feature, however, you must install a Microsoft hotfix to KTpass on the Windows Server 2008 KDC before using the KDC for Windows Desktop SSO authentication. For more information and to download this hotfix, see [http://support.microsoft.com/kb/951191].
{anchor:6825011}
h4. CR 6825011: Windows Desktop SSO Authentication fails with Login Exception on WebSphere Application Server 7.0
*Workaround*. If OpenSSO Enterprise 8.0 Update 1 is deployed on IBM WebSphere Application Server 7.0 on Windows:
# Prefix the Keytab File Name property of the Windows Desktop SSO authentication module instance with {{[file:///]}}. For example: {{[file:///C:/keytabs/ssohost-4100-04.HTTP.keytab]}}
# Set the new {{com.sun.identity.authentication.module.WindowsDesktopSSO.Krb5LoginModule}} property to {{com.ibm.security.auth.module.Krb5LoginModule}}.
Set this new property using {{ssoadm}} or in the OpenSSO Enterprise Admin Console under Configuration > Sites and Servers > {{{_}opensso-instance-name{_}}} > Advanced. Then, restart the WebSphere Application Server 7.0 instance for the value to take effect.
{anchor:6831600}
h4. CR 6831600: Configurator buttons are not visible using Safari on a Mac
When running the Configurator using Safari on a Mac, the Next and Cancel buttons are not visible, which gives the impression that the configuration cannot continue.
*Workaround*. Maximize the Safari browser to the fullest extent and scroll down to see the buttons.
{anchor:6819848}
h4. CR 6819848: Berkeley DB client does not failover to secondary Message Queue broker
In a session failover configuration, the Berkeley DB client does not fail over to the secondary Message Queue broker. OpenSSO Enterprise server, however, does fail over to the secondary broker, which causes the queue on that broker to fill up quickly. The broker then blocks the producer from sending any more messages, which in turn blocks messages from OpenSSO Enterprise server.
{anchor:6834714}
h4. CR 6834714: Permissions need updating for WebSphere Application Server 6.1
If you are using IBM WebSphere Application Server 6.1 as the web container and the Java Security Manager is enabled, the security permissions need to be updated.
*Workaround*. For the correct permissions, see [http://docs.sun.com/doc/820-3320/gimjh].
{anchor:6835816}
h4. CR 6835816: After you enable FIPS mode, bootstrap file cannot be decrypted
*Workaround*. Before you enable FIPS mode, back up the bootstrap file. Then, after you enable FIPS mode, replace the bootstrap file with the backup copy.
For more information, see [Configuring OpenSSO Enterprise 8.0 Update 1 in FIPS Mode|http://wikis.sun.com/x/vAf7BQ].
{anchor:6831687}
h4. CR 6831687: SAML2 post profile fails on the Service Provider (SP)
Using JDK 1.6.x, when a Service Provider (SP) tries to verify a signed SAML2 response/assertion, the Identity Provider (IDP) throws a NullPointerException.
*Workaround*. This problem occurs because JDK 1.6.x includes an older version of the XML security library. To fix this problem:
# Create an endorsed directory in JDK 1.6.x. For example: {{{_}JDK_1.6_HOME_DIR_/jre/lib/endorsed}}
# Copy the {{xmlsec.jar}} file from the {{{_}OpenSSO_WAR_extracted_dir_/WEB-INF/lib}} directory to the {{endorsed}} directory.
# Restart the OpenSSO Enterprise 8.0 web container.
{anchor:6828741}
h4. CR 6828741: Configuring OpenSSO Enterprise 8.0 Update 1 as site throws exception in debug logs
When you configure OpenSSO Enterprise 8.0 Update 1 using the console, if you provide the site details such as the load balancer and server instances, the configuration finishes successfully and you can log in. However, the debug logs contain an exception.
*Workaround*. None. You can ignore the exception.
{anchor:6833362}
h4. CR 6833362: SAMLv2 returns error on WebLogic Server 10 with SOAP binding
If you deploy OpenSSO Enterprise 8.0 Update 1 on WebLogic Server 10 for both the SP and IDP, configure the SP and IDP metadata for signing and encryption using the default keystore, and then terminate with SOAP binding, an error is returned.
*Workaround*. Remove the last two lines from {{idpArtifactResolution.jsp}}, {{idpMNISOAP.jsp}}, and {{spMNISOAP.jsp}}. Also, remove any empty spaces between {{%>}} and {{<%}}.
h1. OpenSSO Enterprise 8.0 Update 1 Documentation
In addition to these Release Notes, additional OpenSSO Enterprise 8.0 documentation is available on the following site: [http://docs.sun.com/coll/1767.1]
h1. Additional Sun Information and Resources
You can find additional useful information and resources at the following locations:
* Sun Services: [http://www.sun.com/service/consulting/]
* Sun Software Products: [http://wwws.sun.com/software/]
* Sun Support Resources: [http://sunsolve.sun.com/]
* Sun Developer Network (SDN): [http://developers.sun.com/]
* Sun Developer Services: [http://www.sun.com/developers/support/]
h2. Deprecation Notifications and Announcements
* The Service Management Service (SMS) APIs ({{com.sun.identity.sm}} package) and SMS model will not be included in a future OpenSSO Enterprise release.
* The Unix authentication module and the Unix authentication helper ({{amunixd}}) will not be included in a future OpenSSO Enterprise release.
* The Sun Java System Access Manager 7.1 Release Notes stated that the Access Manager {{com.iplanet.am.sdk}} package, commonly known as the Access Manager SDK (AMSDK), and all related APIs and XML templates will not be included in a future OpenSSO Enterprise release. Consequently, when the AMSDK is removed, the Legacy Mode option and support will also be removed. Migration options are not available now and are not expected to be available in the future. Sun Identity Manager provides user provisioning solutions that you can use instead of the AMSDK. For more information about Identity Manager, see [http://www.sun.com/software/products/identity_mgr/index.jsp].
h2. How to Report Problems and Provide Feedback
If you have questions or issues with OpenSSO Enterprise 8.0 Update 1, contact Sun Support Resources (SunSolve) at [http://sunsolve.sun.com/].
This site has links to the Knowledge Base, Online Support Center, and Product Tracker, as well as to maintenance programs and support contact numbers.
If you are requesting help for a problem, please include the following information:
* Description of the problem, including when the problem occurs and its impact on your operation
* Machine type, operating system version, web container and version, JDK version, and OpenSSO Enterprise version, including any patches or other software that might be affecting the problem
* Steps to reproduce the problem
* Any error logs or core dumps
h2. Accessibility Features for People With Disabilities
To obtain accessibility features that have been released since the publishing of this media, consult Section 508 product assessments available from Sun upon request to determine which versions are best suited for deploying accessible solutions.
For information about Sun's commitment to accessibility, see [http://sun.com/access].
h2. Related Third-Party Web Sites
Third-party URLs are referenced in this document and provide additional, related information. *Note* \- Sun is not responsible for the availability of third-party Web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.
{column}
{column:width=25%}
{panel:title=Contents|titleBGColor=white|bgColor=white} {toc:maxLevel=1} {panel} {column} {section} |