Sun Java System Access Manager 7 2005Q4 Release Notes

Known Issues and Limitations

This section describes the following known issues and workarounds, if available, at the time of the release.

Compatibility Issues

Incompatibility between Java ES 2004Q2 servers and IM on Java ES 2005Q4 (6309082)

The following deployment scenario caused this problem:

When running the imconfig utility to configure Instant Messaging on server-4, the configuration was not successful. The Access Manager 7 2005Q4 SDK, which is used by Instant Messaging (IM) on server-4, is not compatible with the Java ES 2004Q2 release.

Workaround: Ideally, the Access Manager server and Access Manager SDK should be the same release. For more information, see the Sun Java Enterprise System 2005Q4 Upgrade Guide.

Incompatibilities exist in core authentication module for legacy mode (6305840)

Access Manager 7 2005Q4 legacy mode has the following incompatibilities in the core authentication module from Access Manager 6 2005Q1:

Workaround: None.

Agent cannot login because “Profile not in the organization” (6295074)

In the Access Manager Console, create an agent in Realm Mode. If you log out and then login again using the agent name, Access Manager returns an error because the agent does not have the privileges to access the realm.

Workaround: Modify the permissions to allow read/write access for the agent.

Delegated Administrator commadmin utility does not create a user (6294603)

The Delegated Administrator commadmin utility with the -S mail,cal option does not create a user in the default domain.

Workaround: This problem occurs if you upgrade Access Manager to version 7 2005Q4 but you do not upgrade Delegated Administrator. For information about upgrading Delegated Administrator, see the Sun Java Enterprise System 2005Q4 Upgrade Guide.

If you do not plan to upgrade Delegated Administrator, follow these steps:

  1. In the UserCalendarService.xml file, mark the mail, icssubscribed, and icsfirstday attributes as optional instead of required. This file is located by default in the /opt/SUNWcomm/lib/services/ directory on Solaris systems.

  2. In Access Manager, remove the existing XML file by running the amadmin command, as follows:

    # ./amadmin -u amadmin -w password -r UserCalendarService

  3. In Access Manager, add the updated XML file, as follows:

    # ./amadmin -u amadmin -w password \
    -s /opt/SUNWcomm/lib/services/UserCalendarService.xml

  4. Restart the Access Manager web container.

Delegated Administrator commadmin utility does not create an organization (6292104)

The Delegated Administrator commadmin utility with the -S mail,cal option does not create an organization.

Workaround: See the workaround for the previous problem.

Installation Issues

After applying patch 1, /tmp/amsilent file allows read access for all users (6370691)

After you apply patch 1, the /tmp/amsilent file allows read access for all users.

Workaround: After you apply the patch, reset the permissions for the file to allow read access only by the Access Manager administrator.
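The following script is an added example and is not part of the release notes or of the Access Manager patch. It applies the workaround above in a checkable way: it restricts a silent-install state file to its owner (mode 0600) and then re-reads the mode to confirm that no group or world bits remain. The file it operates on in the demo is a constructed temporary file standing in for /tmp/amsilent; the assumption is that you run it as the Access Manager administrator (or as root) so that the owner of the real file is the account that should keep read access.

```shell
#!/bin/sh
# Added example (not from the release notes): lock a silent-install state
# file such as /tmp/amsilent down to owner-only access and verify the result.
# Assumption: run as the file's owner (the Access Manager administrator) or root.

# Print the 10-character symbolic mode of a path, e.g. "-rw-r--r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when any "group" or "other" permission bit is set on the path.
# Characters 5-10 of the mode string are the group and other bits.
is_world_or_group_readable() {
    case "$(mode_of "$1")" in
        ????------) return 1 ;;   # group and other bits all clear
        *)          return 0 ;;
    esac
}

# Restrict a regular file to owner read/write (0600), then confirm it.
restrict_to_owner() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    chmod 600 "$f" || return 1
    if is_world_or_group_readable "$f"; then
        echo "still readable by group/others: $f" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed file that reproduces the post-patch 0644 state.
demo_amsilent() {
    tmp=$(mktemp) || return 1
    # Constructed content: stands in for the install settings the real
    # state file carries; no real setting names or values are used here.
    printf 'SOME_INSTALL_SETTING=placeholder\n' > "$tmp"
    chmod 644 "$tmp"
    before=$(mode_of "$tmp")
    restrict_to_owner "$tmp"; rc=$?
    after=$(mode_of "$tmp")
    echo "before=$before after=$after rc=$rc"
    rm -f "$tmp"
    return $rc
}

demo_amsilent
```

Run it once against the real path after applying the patch (replace the temporary file in demo_amsilent with /tmp/amsilent, or call restrict_to_owner /tmp/amsilent directly); a non-zero exit means the mode could not be tightened and the file should be moved or removed rather than left in /tmp.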

On SDK install with container configuration, notification URL is not correct (6327845)

If you perform an SDK installation with the container configuration (DEPLOY_LEVEL=4), the notification URL is not correct.

Workaround:

  1. Set the following property in the AMConfig.properties file:

    com.iplanet.am.notification.url=protocol://fqdn:port/amserver/servlet/com.iplanet.services.comm.client.PLLNotificationServlet

  2. Restart Access Manager for the new value to take effect.

Access Manager classpath refers to expired JCE 1.2.1 package (6297949)

The Access Manager classpath refers to Java Cryptography Extension (JCE) 1.2.1 Package (Signing Certificate), which expired on July 27, 2005.

Workaround: None. Although the package reference is in the classpath, Access Manager does not use this package.

Installing Access Manager on an existing DIT requires rebuilding Directory Server indexes (6268096)

To improve the search performance, Directory Server has several new indexes.

Workaround: After you install Access Manager with an existing Directory Information Tree (DIT), rebuild the Directory Server indexes by running the db2index.pl script. For example:

# ./db2index.pl -D "cn=Directory Manager" -w password -n userRoot

The db2index.pl script is available in the DS-install-directory/slapd-hostname/ directory.

Log and debug directories permissions incorrect for non-root users (6257161)

When a non-root user is specified in the silent install configuration file, permissions on the debug, logs, and starts directories are not set appropriately.

Workaround: Change the permissions on these directories to allow access for a non-root user.

Authentication service is not initialized when Access Manager and Directory Server are installed on separate machines (6229897)

Although the classpath and other Access Manager web container environment variables are updated during installation, the installation process does not restart the web container. If you try to login to Access Manager after installation before the web container is restarted, the following error is returned:

Authentication Service is not initialized. 
Contact your system administrator.

Workaround: Restart the web container before you login to Access Manager. Directory Server must also be running before you login.

Installer doesn't add platform entry for existing directory install (6202902)

The Java ES Installer does not add a platform entry for an existing directory server installation (DIRECTORY_MODE=2).

Workaround: Add the Realm/DNS aliases and platform server list entries manually. For the steps, see the Adding Additional Instances to the Platform Server List and Realm/DNS Aliases in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.

Upgrade Issues

Access Manager ampre70upgrade script does not remove localized packages (6378444)

If you are upgrading Access Manager to Access Manager 7 2005Q4, the ampre70upgrade script does not remove any Access Manager localized packages that you have on your system.

Workaround: Before you upgrade to Access Manager 7 2005Q4, use the pkgrm command to manually remove any localized Access Manager packages that are installed on your system.

AMConfig.properties file has an old version for the web container (6316833)

After Access Manager and Application Server are upgraded to Java ES 2005Q4 versions, the Access Manager AMConfig.properties file has an old version of Application Server.

Workaround: Before you run the Delegated Administrator configuration program (config-commda), change the following property in the AMConfig.properties file:

com.sun.identity.webcontainer=IAS8.1

Node agent server.policy file isn't updated as part of an Access Manager upgrade (6313416)

After upgrading Access Manager, the node agent server.policy file isn't updated.

Workaround: Replace the server.policy file for the node agent with the following file:

/var/opt/SUNWappserver/domains/domain1/config/server.policy

After upgrade, Session Property Condition is missing in the Condition list (6309785)

After upgrading Access Manager from version 2005Q1 to version 2005Q4, the Session Property Condition is not displayed as a choice in the policy Condition list if you try to add a Condition to a policy.

Workaround: Select the Session Property Condition type in the policy configuration service template at the corresponding realm.

After upgrade, Identity Subject type is missing from the policy subject list (6304617)

After upgrading Access Manager from version 2005Q1 to version 2005Q4, the Identity Subject, a newly added policy subject type, is not displayed as a choice in the policy subject list.

Workaround: Select the Identity Subject type as a default subject type in the policy configuration service template.

Access Manager upgrade failed because the classpath is not migrated (6284595)

During the upgrade of Access Manager from Java ES 2004Q2 to Java ES 2005Q4, the upgrade from Java ES 2004Q2 to Java ES 2005Q1 failed. Access Manager was being deployed on Application Server, which was also being upgraded from Java ES 2004Q2 to Java ES 2005Q4. The classpath in the domain.xml file did not have Access Manager JAR file paths.

Workaround: Follow these steps:

  1. Before running the amupgrade script, re-index Directory Server, because of a problem with the comm_dssetup.pl script.

  2. Add entries for Access Manager to the server.policy file of the node agent. A copy of server.policy from the default server policy (/var/opt/SUNWappserver/domains/domain1/config/server.policy) is sufficient.

  3. Update the classpath in the domain.xml file of the node agent as follows. Copy the classpath-suffix and relevant classpath from the server-classpath attributes of the java-config element from the server.xml file to the respective attributes in the java-config element of domain.xml. The java-config element can be found under the config element in domain.xml.

After upgrade, amadmin command shows the wrong version (6283758)

After Access Manager was upgraded from version 6 2005Q1 to version 7 2005Q4, the amadmin --version command returned the wrong version: Sun Java System Access Manager version 2005Q1.

Workaround: After you upgrade Access Manager, run the amconfig script to configure Access Manager. When you run amconfig, specify the full path to the configuration (amsamplesilent) file. For example, on a Solaris system:

# ./amconfig -s ./config-file

or

# ./amconfig -s /opt/SUNWam/bin/config-file

Add ContainerDefaultTemplateRole attribute after data migration (4677779)

The user's role does not display under an organization that was not created in Access Manager. In debug mode, the following message is displayed:

ERROR: DesktopServlet.handleException()
com.iplanet.portalserver.desktop.DesktopException:
DesktopServlet.doGetPost(): no privilige to execute desktop

This error becomes evident after the Java ES installer migration scripts are run. The ContainerDefaultTemplateRole attribute is not automatically added to the organization when the organization is migrated from an existing directory information tree (DIT) or from another source.

Workaround: Use the Directory Server console to copy the ContainerDefaultTemplateRole attribute from another Access Manager organization and then add it to the affected organization.

Configuration Issues

Application Server 8.1 server.policy file must be edited when using non-default URIs (6309759)

If you are deploying Access Manager 7 2005Q4 on Application Server 8.1 and you are using non-default URIs for the services, console, and password web applications, which have default URI values of amserver, amconsole, and ampassword, respectively, you must edit the application server domain's server.policy file before attempting to access Access Manager via a web browser.

Workaround: Edit the server.policy file as follows:

  1. Stop the Application Server instance on which Access Manager is deployed.

  2. Change to the /config directory. For example:

    cd /var/opt/SUNWappserver/domains/domain1/config

  3. Make a backup copy of the server.policy file. For example:

    cp server.policy server.policy.orig

  4. In the server.policy file, look for the following policies:

    grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" { ...
    };
    grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amconsole/-" { ...
    };
    grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/ampassword/-" { ...
    };

  5. Replace amserver with the non-default URI used for the services web application in the following line:

    grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" {

  6. For legacy mode installations, replace amconsole with the non-default URI used for the console web application in the following line:

    grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amconsole/-" {

  7. Replace ampassword with the non-default URI used for the password web application in the following line:

    grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/ampassword/-" {

  8. Start the Application Server instance on which Access Manager is deployed.
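The script below is an added example, not a Sun-supplied tool, that performs steps 3 through 7 of the procedure above in one pass: it backs up server.policy, rewrites the codeBase path of each of the three grants to the non-default URI, and counts the matching grant lines before and after so that a missing or duplicated grant is reported instead of silently skipped. The URIs idsvc, idconsole and idpass are placeholders chosen for the demo, and the server.policy fragment it builds is constructed; on a real deployment point update_server_policy at the domain's config/server.policy with the instance stopped (steps 1 and 8).

```shell
#!/bin/sh
# Added example (not part of Access Manager or Application Server): rewrite
# the three Access Manager codeBase grants in an Application Server 8.1
# server.policy for non-default web application URIs, with backup and checks.
# Assumptions: URIs passed in are the deployed web application context names;
# the sample policy file created by make_sample_policy is constructed.

# Count grant lines whose codeBase path ends in j2ee-modules/<uri>/-
count_codebase() {          # $1=file  $2=uri
    grep -c "j2ee-modules/$2/-" "$1"
}

# Replace one URI inside the codeBase path. Writes through a temp file so it
# behaves the same with GNU and BSD sed (no -i flag).
rewrite_codebase() {        # $1=file  $2=old-uri  $3=new-uri
    f=$1; old=$2; new=$3
    [ "$(count_codebase "$f" "$old")" -eq 1 ] || {
        echo "expected exactly one codeBase grant for $old in $f" >&2
        return 1
    }
    sed "s#j2ee-modules/$old/-#j2ee-modules/$new/-#" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Apply the workaround for the services, console and password applications.
# The console grant is only renamed in legacy mode, so pass "" to skip it.
update_server_policy() {    # $1=file $2=services-uri $3=console-uri-or-"" $4=password-uri
    f=$1
    cp "$f" "$f.orig" || return 1                         # backup (step 3)
    rewrite_codebase "$f" amserver "$2" || return 1       # step 5
    [ -z "$3" ] || rewrite_codebase "$f" amconsole "$3" || return 1   # step 6
    rewrite_codebase "$f" ampassword "$4" || return 1     # step 7
}

# Build a constructed server.policy fragment with the three default grants.
# The permission bodies are omitted; only the codeBase lines matter here.
make_sample_policy() {      # $1=file
    for app in amserver amconsole ampassword; do
        printf 'grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/%s/-" {\n  // permissions omitted in this constructed sample\n};\n' "$app"
    done > "$1"
}

demo() {
    f=$(mktemp) || return 1
    make_sample_policy "$f"
    update_server_policy "$f" idsvc idconsole idpass || return 1
    echo "--- rewritten policy ---"
    cat "$f"
    rm -f "$f" "$f.orig"
}

demo
```

Keeping the grant count check is the useful part: a grant that is renamed twice or not at all leaves the web application either without its permissions or with a stale codeBase, and the symptom at runtime is the same access failure the issue describes.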

Platform server list and FQDN alias attribute are not updated (6309259, 6308649)

In a multiple server deployment, the platform server list and FQDN alias attribute are not updated if you install Access Manager on the second (and subsequent) servers.

Workaround: Add the Realm/DNS aliases and platform server list entries manually. For the steps, see the Adding Additional Instances to the Platform Server List and Realm/DNS Aliases in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.

Data validation for required attributes in the services (6308653)

Access Manager 7 2005Q4 requires that attributes marked as required in service XML files have default values.

Workaround: If you have services with required attributes that do not have values, add values for the attributes and then reload the service.

Document workaround for deployment on a secure WebLogic 8.1 instance (6295863)

If you deploy Access Manager 7 2005Q4 into a secure (SSL enabled) BEA WebLogic 8.1 SP4 instance, an exception occurs during the deployment of each Access Manager web application.

Workaround: Follow these steps:

  1. Apply the WebLogic 8.1 SP4 patch JAR CR210310_81sp4.jar, which is available from BEA.

  2. In the /opt/SUNWam/bin/amwl81config script, (Solaris systems) or /opt/sun/identity/bin/amwl81config script (Linux systems), update the doDeploy function and the undeploy_it function to prepend the path of the patch JAR to the wl8_classpath, which is the variable that contains the classpath used to deploy and un-deploy the Access Manager web applications.

    Find the following line containing the wl8_classpath:

    wl8_classpath= ...
  3. Immediately after the line you found in Step 2, add the following line:

    wl8_classpath=path-to-CR210310_81sp4.jar:$wl8_classpath

The amconfig script does not update the realm/DNS aliases and platform server list entries (6284161)

In a multiple server deployment, the amconfig script does not update the realm/DNS aliases and platform server list entries for additional Access Manager instances.

Workaround: Add the Realm/DNS aliases and platform server list entries manually. For the steps, see the Adding Additional Instances to the Platform Server List and Realm/DNS Aliases in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.

Default Access Manager mode is realm in the configuration state file template (6280844)

By default, Realm mode (the AM_REALM variable) is enabled in the configuration state file template.

Workaround: To install or configure Access Manager in Legacy mode, reset the variable in the state file:

AM_REALM = disabled

URL signing failed in IBM WebSphere when using RSA key (6271087)

When using an RSA key in IBM WebSphere, signing of the URL string fails with the following exception:

ERROR: FSSignatureUtil.signAndReturnQueryString: FSSignatureException 
occured while signing query string: no such provider: SunRsaSign

Workaround: The “SunRsaSign” provider is missing from the WebSphere bundled JDK. To fix this problem, edit the websphere_jdk_root/jre/lib/security/java.security file and add the following line to enable “SunRsaSign” as one of the providers:

security.provider.6=com.sun.rsajca.Provider

Access Manager Console Issues

For SAML, duplicate Trusted Partner console edit errors (6326634)

In the Access Manager Console, create a SAML Trusted Partner under the Federation > SAML tab. If you try to duplicate the Trusted Partner, errors occur.

Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

Remote logging is not working for amConsole.access and amPasswordReset.access (6311786)

When remote logging is configured, all logs are written to the remote Access Manager instance except amConsole.access and amPasswordReset.access for the password reset information. The log record is not written anywhere.

Workaround: None.

Adding more amadmin properties in the console is changing the amadmin user password (6309830)

Adding or editing some of the properties for the amadmin user in the administration console causes the amadmin user password to change.

Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

New Access Manager Console cannot set the CoS template priorities (6309262)

The new Access Manager 7 2005Q4 Console cannot set or modify a Class of Service (CoS) template priority.

Workaround: Login to the Access Manager 6 2005Q1 Console to set or modify a CoS template priority.

Exception error occurs when adding a group to a user as a policy admin user (6299543)

The Access Manager Console returns an exception error when you add a group to a user as a policy admin user.

Workaround: None.

In legacy mode, you cannot delete all users from a role (6293758)

In legacy mode, if you try to delete all users from a role, a user is left.

Workaround: Try again to delete the user from the role.

Cannot add, delete, or modify Discovery Service resource offerings (6273148)

The Access Manager Administration Console does not allow you to add, delete, or modify the resource offerings for a user, role, or realm.

Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

Wrong LDAP bind password should give error for the subject search (6241241)

The Access Manager Administration Console is not returning an error when the wrong LDAP bind password is used.

Workaround: None.

Access Manager cannot create an organization under a container in legacy mode (6290720)

If you create a container and then try to create an organization under the container, Access Manager returns a “uniqueness violation error”.

Workaround: None.

Old console appears when adding Portal Server related services (6293299)

Portal Server and Access Manager are installed on the same server. With Access Manager installed in Legacy mode, login to the new Access Manager Console using /amserver. If you choose an existing user and try to add services (such as NetFile or Netlet), the old Access Manager Console (/amconsole) suddenly appears.

Workaround: None. The current version of Portal Server requires the Access Manager 6 2005Q1 Console.

Console does not return the results set from Directory Server after reaching the resource limit (6239724)

Install Directory Server and then Access Manager with the existing DIT option. Login to the Access Manager Console and create a group. Edit the users in the group. For example, add users with the filter uid=*999*. The resulting list box is empty, and the console does not display any error, information, or warning messages.

Workaround: The group membership must not be greater than the Directory Server search size limit. If the group membership is greater, change the search size limit accordingly.

SDK and Client Issues

Can't remove Session Service configuration for a subrealm (6318296)

After creating a subrealm of the top-level realm and adding the Session Service to it, a subsequent attempt to remove the Session Service configuration caused an error message.

Workaround: Remove the default top-level ID repository, AMSDK1, and then add this repository back into the configuration.

This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

CDC servlet redirecting to the invalid login page when policy condition is specified (6311985)

With the Apache agent 2.2 in CDSSO mode, when accessing the agent protected resource, the CDC servlet redirects the user to the anonymous authentication page, instead of the default login page.

Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

Clients do not get notifications after the server restarts (6309161)

Applications written using the client SDK (amclientsdk.jar) do not get notifications if the server restarts.

Workaround: None.

SDK clients need to restart after service schema change (6292616)

If you modify any service schema, ServiceSchema.getGlobalSchema returns the old schema and not the new schema.

Workaround: Restart the client after a service schema change.

This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

Command-Line Utilities Issues

Null attribute LDAP search returns an error when Access Manager points to Directory Proxy (6357975)

If you are using Sun Java System Directory Proxy Server, a null attribute LDAP search returns an error. For example:

# ldapsearch -b base-dn uid=user ""

If Access Manager points directly to the LDAP directory server, the same search is successful.

Workaround: If you are using Directory Proxy Server, either enable null attribute searches or supply an attribute name for the search.

New schema files are missing from amserveradmin script (6255110)

After installation, when you need to run amserveradmin script to load the services into Directory Server, the script is missing the defaultDelegationPolicies.xml and idRepoDefaults.xml schema files.

Workaround: Manually load the defaultDelegationPolicies.xml and idRepoDefaults.xml files using the amadmin CLI tool with the -t option.

Cannot save XML documents with escape character in Internet Explorer 6.0 (4995100)

If you add a special character (such as the string “amp;” next to an “&”) in an XML file, the file saves properly; however, if you later retrieve the XML profile using Internet Explorer 6.0, the file doesn't display properly. If you then try to save the profile again, an error is returned.

Workaround: None.

Authentication Issues

UrlAccessAgent SSO Token is expiring (6327691)

The UrlAccessAgent SSO Token is expiring because the application module does not return the special user DN. The special-user DN match therefore fails, and the token is not made non-expiring.

Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

Unable to login to subrealm with LDAPV3 plugin/dynamic profile after correcting password (6309097)

In realm mode, if you create an ldapv3 datastore in a realm with a “wrong” password and you later change the password as amadmin, when you try to login again as the user with the changed password, the logon fails, saying that no profile exists.

Workaround: None.

Incompatibility for Access Manager default configuration of Statistics Service for legacy (compatible) mode (6286628)

After installation with Access Manager in legacy mode, the default configuration for the Statistics Service has changed:

Workaround: None.

Attribute uniqueness broken in the top-level organization for naming attributes (6204537)

After you install Access Manager, login as amadmin and add the o, sunPreferredDomain, associatedDomain, sunOrganizationAlias, uid, and mail attributes to the Unique Attribute List. If you create two new organizations with the same name, the operation fails, but Access Manager displays the “organization already exists” message rather than the expected “attribute uniqueness violated” message.

Workaround: None. Ignore the incorrect message. Access Manager is functioning correctly.

Session and SSO Issues

Access Manager instances across time zones timeout other user sessions (6323639)

Access Manager instances installed across different time zones and in the same circle of trust cause user sessions to timeout.

Session failover (amsfoconfig) script has incorrect permissions on Linux 2.1 system (6298433)

The session failover configuration script (/opt/sun/identity/bin/amsfoconfig) has incorrect permissions and is not executable on Linux 2.1 system.

Workaround: Change the permissions to make the amsfoconfig script executable (for example, 755).

This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

Session failover (amsfoconfig) script fails on Linux 2.1 system (6298462)

The session failover configuration script (amsfoconfig) fails on Linux 2.1 server because the tab character (\t) is not being interpreted correctly.

Workaround: Configure session failover manually. For the steps, see Configuring Session Failover Manually in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.

This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

System creates invalid service host name when load balancer has SSL termination (6245660)

If Access Manager is deployed with Web Server as the web container using a load balancer with SSL termination, clients are not directed to the correct Web Server page. Clicking the Sessions tab in the Access Manager Console returns an error because the host is invalid.

Workaround: In the following examples, Web Server listens on port 3030. The load balancer listens on port 80 and redirects requests to Web Server.

In the web-server-instance-name/config/server.xml file, edit the servername attribute to point to the load balancer, depending on the release of Web Server you are using.

For Web Server 6.1 Service Pack (SP) releases, edit the servername attribute as follows:

<LS id="ls1" port="3030" servername="loadbalancer.example.com:80" 
defaultvs="https-sample" security="false" ip="any" blocking="false" 
acceptorthreads="1"/>

Web Server 6.1 SP2 (or later) can switch the protocol from http to https or https to http. Therefore, edit servername as follows:

<LS id="ls1" port="3030" 
servername="https://loadbalancer.example.com:443" defaultvs="https-sample" 
security="false" ip="any" blocking="false" acceptorthreads="1"/>

Using HttpSession with third-party web containers (No CR number)

The default method of maintaining sessions for authentications is “internal session” instead of HttpSession. The default invalid session maximum time value of three minutes is sufficient. The amtune script sets the value to one minute for Web Server or Application Server. However, if you are using a third-party web container (IBM WebSphere or BEA WebLogic Server) and the optional HttpSession, you might need to limit the web container's maximum HttpSession time limit to avoid performance problems.

Policy Issues

Deletion of dynamic attributes in Policy Configuration Service causing issues in editing of policies (6299074)

The deletion of dynamic attributes in Policy Configuration Service causes issues in editing of policies for this scenario:

  1. Create two dynamic attributes in the Policy Configuration Service.

  2. Create a policy and select the dynamic attributes (from Step 1) in the response provider.

  3. Remove the dynamic attributes in the Policy Configuration Service and create two more attributes.

  4. Try to edit the policy created in Step 2.

Results are: “Error Invalid Dynamic property being set.” No policies were displayed in the list by default. After a search is done, the policies are displayed, but you cannot edit or delete the existing policies or create a new policy.

Workaround: Before removing the dynamic attributes from the Policy Configuration Service, remove the references to those attributes from the policies.

Server Startup Issues

Debug error occurs on Access Manager startup (6309274, 6308646)

Access Manager 7 2005Q4 startup returns the debug errors in amDelegation and amProfile debug files:

Workaround: None. You can ignore these messages.

Using BEA WebLogic Server as a web container

If you deploy Access Manager using BEA WebLogic Server as the web container, Access Manager might not be accessible.

Workaround: Restart WebLogic Server a second time for Access Manager to be accessible.

Linux OS Issues

JVM problems occur when running Access Manager on Application Server (6223676)

If you are running Application Server 8.1 on Red Hat Linux, the stack size of the threads created by the Red Hat OS for Application Server is 10 Mbytes, which can cause JVM resource problems when the number of Access Manager user sessions reaches 200.

Workaround: Set the Red Hat OS thread stack size to a lesser value such as 2048 or even 256 Kbytes, by executing the ulimit command before you start Application Server. Execute the ulimit command on the same console that you will use to start Application Server. For example:

# ulimit -s 256;

Federation and SAML Issues

Running the web services sample returns “Resource offering not found” (6359900)

When Access Manager is configured to access the web services samples under the AccessManager-base/SUNWam/samples/phase2/wsc directory on Solaris systems or the AccessManager-base/identity/samples/phase2/wsc directory on Linux systems, querying the Discovery Service or modifying the Resource Offering returns the error message: “Resource offering not found”.

AccessManager-base is the base installation directory. The default base installation directory is /opt on Solaris systems and /opt/sun on Linux systems.

Workaround:

  1. Go to the samples directory: AccessManager-base/SUNWam/samples/phase2/wsc on Solaris systems or AccessManager-base/identity/samples/phase2/wsc on Linux systems.

  2. In the index.jsp file, search for the following string:

    com.sun.org.apache.xml.security.utils.XMLUtils.outputDOM

  3. Immediately before the line that contains the string you found in the previous step, insert the following new line:

    com.sun.org.apache.xml.security.Init.init();

  4. Re-run the sample. (You do not need to restart Access Manager.)

Federation fails when using Artifact profile (6324056)

If you set up an identity provider (IDP) and a service provider (SP), change the communication protocol to use the browser Artifact profile, and then try to federate users between the IDP and SP, the federation fails.

Workaround: None.

Special characters (&) in SAML statements should be encoded (6321128)

With Access Manager as the source site and destination site and SSO configured, an error occurs in the destination site, because the special character (&) in the SAML statements is not encoded and hence the parsing of assertion fails.

Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

Exception occurs when trying to add Disco Service to a role (6313437)

In the Access Manager Console, if you try to add a resource offering to the Disco Service, an unknown exception occurs.

Workaround: None.

Auth Context attributes are not configurable until you have configured and saved other attributes (6301338)

Auth Context attributes are not configurable until you have configured and saved other attributes.

Workaround: Configure and save a provider profile before you configure the Auth Context attributes.

EP Sample does not work if root suffix contains “&” character (6300163)

If Directory Server has a root suffix that contains the “&” character and you try to add an Employee Profile Service Resource Offering, an exception is thrown.

Workaround: None.

Logout error occurs in Federation (6291744)

In realm mode, if you federate user accounts on an identity provider (IDP) and service provider (SP), terminate Federation, and then logout, an error occurs: Error: No sub organization found.

Workaround: None.

Globalization (g11n) Issues

User locale preferences are not applied to the whole administration console (6326734)

Parts of the Access Manager administration console do not follow the user locale preferences but instead use the browser locale settings. This problem affects the Version, Logout, and online help buttons, as well as the contents of the Version page and the online help.

Workaround: Change the browser settings to the same locale as user preferences.

Online help is not fully available for European languages if Access Manager is deployed on IBM WebSphere (6325024)

In all European locales (Spanish, German, and French), the online help is not fully accessible when Access Manager is deployed on an IBM WebSphere Application Server instance. The online help displays “Application Error” for these frames:

Workaround: Set your browser language setting to English and refresh the page to access the left frame. The upper frame, however, will still display “Application Error.”

Version information is blank when Access Manager is deployed on IBM WebSphere (6319796)

In any locale, when Access Manager is deployed on an IBM WebSphere Application Server instance, the product version is not visible when you click the Version button. A blank page is displayed instead.

Workaround: None.

Removing UTF-8 is not working in Client Detection (5028779)

The Client Detection function is not working properly. Changes made in the Access Manager 7 2005Q4 Console are not automatically propagated to the browser.

Workaround: There are two workarounds:

Multibyte characters are displayed as question marks in log files (5014120)

Multibyte messages in log files in the /var/opt/SUNWam/logs directory are displayed as question marks (?). Log files are in native encoding and not always UTF-8. When a web container instance starts in a certain locale, log files will be in native encoding for that locale. If you switch to another locale and restart the web container instance, the ongoing messages will be in the native encoding for the current locale, but messages from previous encoding will be displayed as question marks.

Workaround: Make sure to start any web container instances always using the same native encoding.

Documentation Issues

Document that Access Manager cannot revert from Realm Mode to Legacy Mode (6508473)

If you install Access Manager 7 2005Q4 in Realm Mode, you cannot revert to Legacy Mode.

If you install Access Manager 7 2005Q4 in Legacy Mode, however, you can change to Realm Mode by using the amadmin command with the -M option. For example:

amadmin -u cn=amAdmin,ou=People,dc=example,dc=com -w amadmin-password -M dc=example,dc=com

Document more information about disabling persistent searches (6486927)

Access Manager uses persistent searches to receive information about Sun Java System Directory Server entries that change. By default, Access Manager creates the following persistent search connections during server startup:

aci - Changes to the aci attribute, with the search using the LDAP filter (aci=*)

sm - Changes in the Access Manager information tree (or service management node), which includes objects with the sunService or sunServiceComponent marker object class. For example, you might create a policy to define access privileges for a protected resource, or you might modify the rules, subjects, conditions, or response providers for an existing policy.

um - Changes in the user directory (or user management node). For example, you might change a user's name or address.


Caution –

Disabling persistent searches for any of these components is not recommended, because a component with a disabled persistent search does not receive notifications from Directory Server. Consequently, changes made in Directory Server for that particular component will not be notified to the component cache, and the component cache will go stale.

For example, if you disable persistent searches for changes in the user directory (um), the Access Manager server will not receive notifications from Directory Server. Therefore, an agent would not get notifications from Access Manager to update its local user cache with the new values for the user attribute. Then, if an application queries the agent for the user attributes, it might receive the old value for that attribute.

Use this property only in special circumstances when absolutely required. For example, if you know that service configuration changes (changes to the values of any of the services, such as the Session Service and the Authentication Services) will not happen in a production environment, the persistent search for the Service Management (sm) component can be disabled. However, if any changes do occur for any of the services, a server restart is then required. The same condition also applies to the other persistent searches, specified by the aci and um values.


For more information, see CR# 6363157: New property disables persistent searches if absolutely required.

Document Access Manager supported and unsupported privileges (2143066)

Privileges define the access permissions to administrators who are members of roles or groups that exist within a realm. Access Manager allows you to configure permissions for the following administrator types:

The following privileges are supported:

Document cookie-based sticky request routing (6476922)

When Access Manager servers are deployed behind a load balancer, cookie-based sticky request routing prevents a client request from being misrouted to an incorrect Access Manager server (that is, to a server that is not hosting the session). This feature was implemented in Access Manager 7 2005Q4 patch 3.

In the previous behavior, without cookie-based sticky request routing, requests from non-browser clients (such as policy agents and clients using the remote Access Manager client SDK) were often misrouted to an Access Manager server that was not hosting the session. In order to send the request to the correct server, the Access Manager server then had to validate the session using back-channel communication, which usually caused some performance degradation. Cookie-based sticky request routing removes the need for this back-channel communication and thus improves Access Manager performance.

To implement cookie-based sticky request routing, the Access Manager deployment must be configured as a site. For information, see Configuring an Access Manager Deployment as a Site in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.

To configure cookie-based sticky request routing:

  1. To specify a cookie name, set the com.iplanet.am.lbcookie.name property in the AMConfig.properties file. Access Manager then generates the load balancer cookie value using the two-byte server ID (such as 01, 02, and 03). If you do not specify a cookie name, Access Manager generates the load balancer cookie value using the default name amlbcookie plus the two-byte server ID.

    If you set the cookie name on the Access Manager server, you must use the same name in the AMAgent.properties file for a Policy Agent. Also, if you are using the Access Manager client SDK, you must also use the same cookie name used by the Access Manager server.

    Note: Do not set the com.iplanet.am.lbcookie.value property, because Access Manager sets the cookie value using the two-byte server ID.

  2. Configure your load balancer with the cookie name from Step 1. You can use a hardware or software load balancer with your Access Manager deployment.

  3. If session failover is implemented, enable the com.sun.identity.session.resetLBCookie property for both Policy Agents and the Access Manager server.

    • For a Policy Agent, add and enable the property in the AMAgent.properties file.

    • For the Access Manager server, add and enable the property in the AMConfig.properties file.

    For example:

    com.sun.identity.session.resetLBCookie='true'

    If a failover situation occurs, the session is routed to a secondary Access Manager server, and the load balancer cookie value is set using the server ID for the secondary Access Manager server. Any subsequent requests for the session are then routed to the secondary Access Manager server.
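As an added illustration (not code from these release notes or from Access Manager itself), the following Python model shows what the load balancer does with the cookie described in the steps above: it routes on the two-byte server ID, falls back when the ID is missing or unknown, and rewrites the cookie on failover as resetLBCookie describes. The server names, the fallback policy and the cookie headers are constructed.

```python
from http.cookies import SimpleCookie

# Default cookie name when com.iplanet.am.lbcookie.name is not set (from the notes).
DEFAULT_COOKIE_NAME = "amlbcookie"

# Constructed: two-byte server IDs mapped to the Access Manager instances behind the LB.
SERVERS = {"01": "am1.example.com:8080", "02": "am2.example.com:8080"}


def lb_cookie_value(cookie_header, cookie_name=DEFAULT_COOKIE_NAME):
    """Return the sticky cookie's value from a raw Cookie: header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(cookie_name)
    return morsel.value if morsel else None


def choose_backend(cookie_header, servers=SERVERS, cookie_name=DEFAULT_COOKIE_NAME):
    """Sticky routing: send the request to the server whose ID is in the cookie.

    The value is only a routing hint (a server ID, not a credential), so a
    missing, stale or unknown ID must not be an error: the request simply
    falls back to the first configured server, which validates the session
    itself as before.
    """
    server_id = lb_cookie_value(cookie_header, cookie_name)
    if server_id not in servers:
        server_id = next(iter(servers))  # constructed fallback policy
    return server_id, servers[server_id]


def failover(current_id, servers=SERVERS, cookie_name=DEFAULT_COOKIE_NAME):
    """Model com.sun.identity.session.resetLBCookie=true.

    When the primary server is unavailable the session is served by a
    secondary, and the cookie is rewritten with the secondary's ID so that
    subsequent requests for the session stick to that server.
    """
    secondaries = [sid for sid in servers if sid != current_id]
    if not secondaries:
        raise RuntimeError("no secondary Access Manager server available")
    new_id = secondaries[0]
    return new_id, f"{cookie_name}={new_id}; Path=/"


if __name__ == "__main__":
    # Constructed request: a policy agent whose session lives on server 02.
    print(choose_backend("JSESSIONID=abc123; amlbcookie=02"))
    # Server 02 becomes unavailable: the session fails over and the cookie is reset.
    print(failover("02"))
```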

Document Windows Desktop SSO configuration for Windows 2003 (6487361)

To configure Windows Desktop SSO on Windows 2003, as described in the Configuring Windows Desktop SSO in Sun Java System Access Manager 7 2005Q4 Administration Guide, use the following ktpass command:

ktpass /out filename /mapuser username 
/princ HTTP/hostname.domainname /crypto encryptiontype /rndpass 
/ptype principaltype /target domainname

For example:

ktpass /out demo.HTTP.keytab 
/mapuser http /princ HTTP/demo.identity.sun.com@IDENTITY.SUN.COM 
/crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL /target IDENTITY.SUN.COM

For the syntax definitions, see the following site:

http://technet.microsoft.com/en-us/library/cc779157(WS.10).aspx

Document steps to set up Distributed Authentication UI server passwords (6510859)

The following procedure describes how to set up the encrypted passwords for a Distributed Authentication UI server that communicates with an Access Manager server.

To set up the passwords for a Distributed Authentication UI server:

  1. On the Access Manager server:

    a. Encrypt the amadmin password using the ampassword -e utility. For example, on Solaris systems:

      # cd /opt/SUNWam/bin
      # ./ampassword -e amadmin-password
      AQIC0K3omEozd544XEJIg25GT2wi1D7UAQLX

      Save this encrypted value.

    b. Copy and save the am.encryption.pwd property value from the Access Manager server's AMConfig.properties file. For example:

      am.encryption.pwd=ydV8JXhJF2J35vpxjZRiGt7SH/7mUr+Y

  2. On the Distributed Authentication UI server, make these changes to the AMConfig.properties file:

    a. Comment out the com.iplanet.am.service.password property.

    b. Set the com.iplanet.am.service.secret property to the encrypted amadmin password from Step 1a.

    c. Add the am.encryption.pwd property with the encrypted value that you copied from Step 1b. For example:

      com.sun.identity.agents.app.username=username
      #com.iplanet.am.service.password=password
      com.iplanet.am.service.secret=AQIC0K3omEozd544XEJIg25GT2wi1D7UAQLX
      am.encryption.pwd=ydV8JXhJF2J35vpxjZRiGt7SH/7mUr+Y

  3. Restart the Distributed Authentication UI server.
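To verify the result of the procedure above, here is an added Python check (not part of Access Manager or of these notes) that parses both AMConfig.properties files and reports when the clear-text password is still active, the secret is missing, or am.encryption.pwd differs from the server's value. The file contents below are constructed, reusing the example values quoted in the steps.

```python
# Constructed file contents; the encrypted values are the ones shown in the steps above.
SERVER_AMCONFIG = """\
am.encryption.pwd=ydV8JXhJF2J35vpxjZRiGt7SH/7mUr+Y
"""

DAUI_AMCONFIG_OK = """\
com.sun.identity.agents.app.username=username
#com.iplanet.am.service.password=password
com.iplanet.am.service.secret=AQIC0K3omEozd544XEJIg25GT2wi1D7UAQLX
am.encryption.pwd=ydV8JXhJF2J35vpxjZRiGt7SH/7mUr+Y
"""

# Constructed: password left active, no secret, and a key that is not the server's.
DAUI_AMCONFIG_BAD = """\
com.sun.identity.agents.app.username=username
com.iplanet.am.service.password=password
am.encryption.pwd=PLACEHOLDER-not-the-server-key
"""

PASSWORD_KEY = "com.iplanet.am.service.password"
SECRET_KEY = "com.iplanet.am.service.secret"
ENCRYPTION_KEY = "am.encryption.pwd"


def parse_properties(text):
    """Parse '=' separated java .properties text into a dict of active keys.

    Lines starting with '#' or '!' are comments and are skipped, so a
    commented-out password does not appear as an active property.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_daui_config(server_text, daui_text):
    """Return the list of deviations from the procedure (empty when correct)."""
    server = parse_properties(server_text)
    daui = parse_properties(daui_text)
    problems = []
    if PASSWORD_KEY in daui:
        problems.append(f"{PASSWORD_KEY} is still active; comment it out (step 2)")
    if not daui.get(SECRET_KEY):
        problems.append(f"{SECRET_KEY} is not set to the encrypted password (step 2)")
    if daui.get(ENCRYPTION_KEY) != server.get(ENCRYPTION_KEY):
        problems.append(f"{ENCRYPTION_KEY} does not match the Access Manager server (step 2)")
    return problems


if __name__ == "__main__":
    print(check_daui_config(SERVER_AMCONFIG, DAUI_AMCONFIG_OK))   # []
    print(check_daui_config(SERVER_AMCONFIG, DAUI_AMCONFIG_BAD))  # three findings
```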

Online Help for “To create a new site name” needs more information (2144543)

The Access Manager Console online Help is missing the Save step for “To create new site name” under Configuration>System Properties>Platform. If you don't click Save after adding a new site name and you then try to add an instance name, the process fails. Therefore, always click Save after adding the site name, and then add the instance name.

Document that administrator password configuration parameter is ADMIN_PASSWD on Windows systems (6470793)

On Solaris and Linux systems, the Access Manager administrator (amadmin) password configuration parameter in the amsamplesilent file is ADMINPASSWD. On Windows systems, however, the parameter in the AMConfigurator.properties file is ADMIN_PASSWD.

If you are running amconfig.bat on Windows systems, set the amadmin password in the AMConfigurator.properties file using the ADMIN_PASSWD parameter and not ADMINPASSWD.

Release Notes have wrong workaround for known issue (6422907)

Step 3 of the workaround for Running the web services sample returns “Resource offering not found” (6359900) has been corrected.

Document com.iplanet.am.session.protectedPropertiesList in AMConfig.properties (6351192)

The com.iplanet.am.session.protectedPropertiesList parameter allows you to protect certain core or internal session properties from remote updates through the SetProperty method of the Session Service. By setting this “hidden” security parameter, you can customize session attributes so that they participate in authorization as well as in other Access Manager features. To use this parameter:

  1. With a text editor, add the parameter to the AMConfig.properties file.

  2. Set the parameter to the session properties that you want to protect. For example:

    com.iplanet.am.session.protectedPropertiesList=PropertyName1,PropertyName2,PropertyName3

  3. Restart the Access Manager Web container for the values to take effect.

Document the roles and filtered roles support for LDAPv3 plug-in (6365196)

After applying the respective patch, you can configure roles and filtered roles for the LDAPv3 plug-in, if the data is stored in Sun Java System Directory Server (fixes CR 6349959). In the Access Manager 7 2005Q4 Administrator Console, in LDAPv3 configuration for the “LDAPv3 Plugin Supported Types and Operations” field, enter the values as:

role: read,edit,create,delete
filteredrole: read,edit,create,delete

You can enter one or both of the above entries, depending on the roles and filtered roles you plan to use in your LDAPv3 configuration.

Document unused properties in the AMConfig.properties file (6344530)

The following properties in the AMConfig.properties file are not used:

com.iplanet.am.directory.host
com.iplanet.am.directory.port

com.iplanet.am.session.client.polling.enable on server side must not be true (6320475)

The com.iplanet.am.session.client.polling.enable property in the AMConfig.properties file must never be set to true on the server side.

Workaround: This property is set to false by default and should never be reset to true.

Default Success URL is incorrect in the console online help (6296751)

The Default Success URL is incorrect in the service.scserviceprofile.iplanetamauthservice.html online help file. The Default Success URL field accepts a list of multiple values that specify the URL where users are redirected after successful authentication. The format of this attribute is clientType|URL, although you can specify only the value of the URL, which assumes a default type of HTML.

The “/amconsole” default value is incorrect.

Workaround: The correct default value is “/amserver/console”.

Document how to enable XML encryption (6275563)

To enable XML encryption for either Access Manager or Federation Manager using the Bouncy Castle JAR file to generate a transport key, follow these steps:

  1. If you are using a JDK version earlier than JDK 1.5, download the Bouncy Castle JCE provider from the Bouncy Castle site (http://www.bouncycastle.org/). For example, for JDK 1.4, download the bcprov-jdk14-131.jar file.

  2. If you downloaded a JAR file in the previous step, copy the file to the jdk_root/jre/lib/ext directory.

  3. For the domestic version of the JDK, download the JCE Unlimited Strength Jurisdiction Policy Files from the site (http://www.oracle.com/technetwork/java/index.html) for your version of the JDK. For IBM WebSphere, go to the corresponding IBM site to download the required files.

  4. Copy the downloaded US_export_policy.jar and local_policy.jar files to the jdk_root/jre/lib/security directory.

  5. If you are using a JDK version earlier than JDK 1.5, edit the jdk_root/jre/lib/security/java.security file and add Bouncy Castle as one of the providers. For example:

    security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider

  6. Set the following property in the AMConfig.properties file to true:

    com.sun.identity.jss.donotInstallAtHighestPriority=true

  7. Restart the Access Manager web container.

For more information, refer to problem ID 5110285 (XML encryption requires Bouncy Castle JAR file).