Access Manager 7 patch 8 (revision 08) fixes a number of problems, as listed in the README file included with the patch. Patch 8 also includes these changes:
CR# 6691106: Multiple SiteMonitor threads could be running for checking the same site
CR# 6697260: New property to set policy agent application session idle timeout
CR# 2151598: Delegation privileges cannot be defined for a filtered role
If Access Manager is installed with a domain name that contains both upper and lowercase characters, you cannot log in to the Console. For example, if the domain name is amhost.realm-name.Example.COM, you cannot log in using amhost.realm-name.example.com.
Workaround. There are two workarounds:
First, try logging in using the following URL:
http://amhost.realm-name.example.com:port/amserver/UI/Login?realm=realm-name
Or, add the realm-name to the Realm/DNS aliases:
1. In the Admin Console, go to Realms, Edit Realm - realm-name.
2. Add amhost.realm-name.example.com to the Realm/DNS aliases.
3. Restart the Access Manager server.
4. Log in using the following URL:
http://amhost.realm-name.example.com:port/amserver/UI/Login
The amNaming log sometimes indicates multiple SiteMonitor threads running for checking the same site.
To address this problem, patch 8 improves synchronization so that multiple SiteMonitor threads are not created for the same site. Patch 8 also includes these new configuration properties:
com.sun.identity.urlchecker.retry.interval specifies the time interval in milliseconds between retries for a URL connection. Default is 500 milliseconds (0.5 seconds).
com.sun.identity.urlchecker.retry.limit specifies the maximum number of retries for the URL connection if a connection failure occurs. Default is 3 retries.
The fix for this problem also uses the following property, which was added for patch 5:
com.sun.identity.urlchecker.sleep.interval specifies the time interval in milliseconds that the site status check should sleep. Default is 30000 milliseconds (30 seconds).
The patch does not add these new properties to the AMConfig.properties file. To use these properties with values other than the default values:
1. For each property that you want to set, add the property and its value to the AMConfig.properties file.
2. Restart the Access Manager web container for the values to take effect.
Patch 8 includes this new property:
com.iplanet.am.session.agentsessionidletime sets the maximum idle timeout in minutes for policy agent sessions. The minimum value is 30 minutes.
By default, policy agent sessions never expire unless you set this property. To use this new property, add it with the maximum idle timeout value to the AMConfig.properties file and restart the Access Manager web container.
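The defaults and the 30-minute minimum described above can be checked against the contents of an AMConfig.properties file with a short script. This is an added example, not part of the patch or of the original notes; the function names, the simplified properties parser (no line continuations) and the sample input are assumptions constructed for illustration.

```python
import re

# Defaults as stated in the patch 8 notes for the URL checker properties.
URLCHECKER_DEFAULTS = {
    "com.sun.identity.urlchecker.retry.interval": 500,    # milliseconds
    "com.sun.identity.urlchecker.retry.limit": 3,         # retries
    "com.sun.identity.urlchecker.sleep.interval": 30000,  # milliseconds
}
AGENT_IDLE = "com.iplanet.am.session.agentsessionidletime"  # minutes
AGENT_IDLE_MIN = 30  # documented minimum value

def parse_properties(text):
    """Parse key=value or key:value lines; line continuations are not handled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":  # skip blank lines and comments
            parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
            props[parts[0]] = parts[1] if len(parts) > 1 else ""
    return props

def to_non_negative_int(raw):
    return int(raw) if re.fullmatch(r"[0-9]+", raw) else None

def audit(text):
    """Return (effective values, findings) for the patch 8 properties."""
    props = parse_properties(text)
    effective, findings = {}, []
    for key in list(URLCHECKER_DEFAULTS) + [AGENT_IDLE]:
        if key in props:
            effective[key] = to_non_negative_int(props[key])
            if effective[key] is None:
                findings.append(f"{key}: '{props[key]}' is not a non-negative integer")
        else:
            effective[key] = URLCHECKER_DEFAULTS.get(key)  # documented default, or None
    idle = effective[AGENT_IDLE]
    if AGENT_IDLE not in props:
        findings.append(f"{AGENT_IDLE}: not set, policy agent sessions never expire")
    elif idle is not None and idle < AGENT_IDLE_MIN:
        findings.append(f"{AGENT_IDLE}: below the documented minimum of {AGENT_IDLE_MIN} minutes")
    return effective, findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# AMConfig.properties fragment (constructed)
com.sun.identity.urlchecker.retry.limit=5
com.sun.identity.urlchecker.sleep.interval = 30s
com.iplanet.am.session.agentsessionidletime=15
"""
```

Calling audit() on the text of AMConfig.properties returns the value in effect for each property and a list of findings, including the case where the agent idle timeout is absent and agent sessions therefore never expire.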
If you create a new filtered role, it does not appear under the Privileges tab in the Admin Console.
Workaround. After you apply patch 8, follow these steps to update the Delegation Service (sunAMDelegationService) in the Directory Server schema:
1. Create an XML file with the FILTEREDROLE subject type. For example:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Requests
    PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
    "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
<Requests>
  <SchemaRequests serviceName="sunAMDelegationService" SchemaType="Global" i18nKey="">
    <AddDefaultValues>
      <AttributeValuePair>
        <Attribute name="SubjectIdTypes"/>
        <Value>FILTEREDROLE</Value>
      </AttributeValuePair>
    </AddDefaultValues>
  </SchemaRequests>
</Requests>

Note: The XML encoding used in this example is ISO-8859-1. You might need to use a different encoding depending on your environment.
2. Use the amadmin command to load the XML file you created in Step 1 into Directory Server. For example:

# cd /opt/SUNWam/bin
# ./amadmin -u amadmin -w pwfile -t new-filteredrole.xml

where:
pwfile contains the amadmin password.
new-filteredrole.xml is the new XML file you created in Step 1.
3. Restart the Access Manager server web container.
Now, when you log in to the Admin Console, the filtered role will appear under the Privileges tab.