Sun Java System Access Manager 7 2005Q4 Release Notes

Access Manager 7 2005Q4 Patch 6

Access Manager 7 patch 6 (revision 06) fixes a number of problems, as listed in the README file included with the patch. Patch 6 also includes the following new features, issues, and documentation updates.

New Features in Patch 6

Known Issues and Limitations in Patch 6


Note –

Before you install patch 6, it is recommended that you upgrade or patch the following components:


Access Manager supports the JDK 1.5 HttpURLConnection setReadTimeout method

To support the setReadTimeout method, the AMConfig.properties file has the following new property for you to set the read time-out value:

com.sun.identity.url.readTimeout

If the web container is using JDK 1.5, set this property to an appropriate value to cause connections to time out, in order to avoid having too many open HttpURLConnections that might cause the server to hang. The default is 30000 milliseconds (30 seconds).

The setReadTimeout method is ignored if com.sun.identity.url.readTimeout is not present in the AMConfig.properties file or is set to an empty string.
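The following added example (not Access Manager code) shows the effect of a read time-out on an HttpURLConnection whose peer accepts the connection but never responds, using the present-and-non-empty rule described above. The class name ReadTimeoutDemo, the helper applyReadTimeout, the local stalled listener, and the 2000 ms value are assumptions made for the demonstration; it assumes a current JDK.

```java
import java.io.StringReader;
import java.net.HttpURLConnection;
import java.net.Proxy;
import java.net.ServerSocket;
import java.net.SocketTimeoutException;
import java.net.URL;
import java.util.Properties;

public class ReadTimeoutDemo {
    static final String KEY = "com.sun.identity.url.readTimeout";

    // Hypothetical helper: call setReadTimeout only when the property is
    // present and non-empty; otherwise leave the connection untouched.
    static boolean applyReadTimeout(HttpURLConnection conn, Properties cfg) {
        String raw = cfg.getProperty(KEY);
        if (raw == null || raw.trim().isEmpty()) {
            return false;                       // setReadTimeout is not called
        }
        conn.setReadTimeout(Integer.parseInt(raw.trim()));  // milliseconds
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration (2 s so the demo finishes quickly).
        Properties cfg = new Properties();
        cfg.load(new StringReader(KEY + "=2000\n"));

        // Local listener that completes the TCP handshake (via the OS backlog)
        // but never reads the request or writes a response.
        try (ServerSocket stalled = new ServerSocket(0)) {
            URL url = new URL("http://127.0.0.1:" + stalled.getLocalPort() + "/");
            HttpURLConnection conn =
                    (HttpURLConnection) url.openConnection(Proxy.NO_PROXY);
            conn.setConnectTimeout(2000);
            System.out.println("read time-out applied: " + applyReadTimeout(conn, cfg));
            long start = System.currentTimeMillis();
            try {
                conn.getResponseCode();         // blocks waiting for a response
            } catch (SocketTimeoutException e) {
                System.out.println("read timed out after "
                        + (System.currentTimeMillis() - start) + " ms");
            } finally {
                conn.disconnect();              // release the socket
            }
        }
    }
}
```

With the property removed or set to an empty string in the sample configuration, the helper returns false and getResponseCode() blocks indefinitely against the stalled listener, which is how open connections accumulate.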

Access Manager SDK falls back to primary Directory Server after primary comes back up

If Sun Java System Directory Server is configured for multi-master replication (MMR), the Access Manager SDK now falls back to the primary Directory Server after the primary server goes down and then comes back up. Previously, the Access Manager SDK continued to access the secondary Directory Server even after the primary server came back up.

To support this new behavior, Access Manager has the following new property in the AMConfig.properties file:

com.sun.am.ldap.fallback.sleep.minutes

This property sets the time in minutes that a secondary Directory Server instance sleeps before it falls back to the primary server after the primary server comes back up. The default is 15 minutes.

The com.sun.am.ldap.fallback.sleep.minutes property is hidden. To set this property to a value other than the default (15 minutes), explicitly add it to the AMConfig.properties file. For example, to set the value to 7 minutes:

com.sun.am.ldap.fallback.sleep.minutes=7

For the new value to take effect, restart the Access Manager web container.

Multiple Access Manager instances log to separate log files

Multiple Access Manager instances running on the same host server can now log to separate log files in different logging subdirectories by setting the following new property in the AMConfig.properties file:

com.sun.identity.log.logSubdir

Unless you change the default logging directory in the Admin Console, the default logging directories are:

The first Access Manager instance always logs to the default logging directory. To specify different logging subdirectories for additional Access Manager instances, set the com.sun.identity.log.logSubdir property in the AMConfig.properties file for each additional Access Manager instance.

For example, if you have three instances, am-instance-1, am-instance-2, and am-instance-3, all running on the same Solaris host server, set the property in the AMConfig.properties file for am-instance-2 and am-instance-3, respectively, as follows:

com.sun.identity.log.logSubdir=am-instance-2
com.sun.identity.log.logSubdir=am-instance-3

The com.sun.identity.log.logSubdir property is hidden. You must explicitly add this property to the AMConfig.properties file as needed and restart the Access Manager web container for subdirectory values to take effect.

The Access Manager instances then log to the following directories:

/var/opt/SUNWam/logs/log-files-for-am-instance-1
/var/opt/SUNWam/logs/am-instance-2/log-files-for-am-instance-2
/var/opt/SUNWam/logs/am-instance-3/log-files-for-am-instance-3

Access Manager 7 allows multiple cookie domains

To support multiple cookie domains, Access Manager has the following new property:

com.sun.identity.authentication.setCookieToAllDomains

The default is true. This new property is hidden. To set the value to false, explicitly add the property to the AMConfig.properties file, and restart the Access Manager web container.

Microsoft IIS 6.0 post-authentication plug-in supports SharePoint Server

The Microsoft Internet Information Services (IIS) 6.0 authentication plug-in now supports the Microsoft Office SharePoint Server. A user can log in to Access Manager with either a user ID or login name. SharePoint Server, however, accepts a login name, which causes problems when the user specifies a user ID.

To allow a login to SharePoint Server, the post-authentication plug-in (ReplayPasswd.java) now uses the following new property:

com.sun.am.sharepoint_login_attr_name

This new property indicates the user attribute that SharePoint Server uses for authentication. For example, the following property specifies the common name (cn) for authentication:

com.sun.am.sharepoint_login_attr_name=cn

The post-authentication plug-in reads the com.sun.am.sharepoint_login_attr_name property and gets the corresponding attribute value for the user from Directory Server. The plug-in then sets the authorization headers to allow the user to access SharePoint Server.

This property is hidden. To set the property, explicitly add it to the AMConfig.properties file, and then restart the Access Manager web container for the value to take effect.

Access Manager supports Internet Explorer 7

Access Manager 7 2005Q4 patch 6 now supports Microsoft Windows Internet Explorer 7.

CR# 6379325: Accessing Console during session failover throws null pointer exception

In this scenario, multiple Access Manager servers are deployed in session failover mode behind a load balancer configured for cookie-based sticky request routing. The Access Manager administrator accesses the Access Manager Console through the load balancer. When the administrator logs into the Console, the session is created on one of the Access Manager servers. If that server goes down, the Console session fails over to another Access Manager server, as expected. The administrator, however, sometimes experiences intermittent null pointer exceptions on the browser and in the web-container error log.

The issue affects only the active Access Manager Console session at the time of the failover and not the functioning of the Access Manager servers.

Workaround: To prevent these intermittent null pointer exceptions:

CR# 6508103: On Windows, clicking Help in the Admin Console returns an application error

On Windows 2003 Enterprise Edition with Access Manager deployed on Sun Java System Application Server in locales other than English, clicking Help in the Admin Realm Mode Console returns an application error.

Workaround:

  1. Copy the javaes-install-dir\share\lib\jhall.jar file to the %JAVA_HOME%\jre\lib\ext directory.

    where javaes-install-dir is the Windows installation directory

  2. Restart the Application Server instance.