Application Server 8.1 server.policy file must be edited when using non-default URIs (6309759)
Platform server list and FQDN alias attribute are not updated (6309259, 6308649)
Data validation for required attributes in the services (6308653)
Document workaround for deployment on a secure WebLogic 8.1 instance (6295863)
The amconfig script does not update the realm/DNS aliases and platform server list entries (6284161)
Default Access Manager mode is realm in the configuration state file template (6280844)
URL signing failed in IBM WebSphere when using RSA key (6271087)
If you are deploying Access Manager 7 2005Q4 on Application Server 8.1 and you are using non-default URIs for the services, console, and password web applications, which have default URI values of amserver, amconsole, and ampassword, respectively, you must edit the application server domain's server.policy file before attempting to access Access Manager via a web browser.
Workaround: Edit the server.policy file as follows:
1. Stop the Application Server instance on which Access Manager is deployed.
2. Change to the /config directory. For example:
   cd /var/opt/SUNWappserver/domains/domain1/config
3. Make a backup copy of the server.policy file. For example:
   cp server.policy server.policy.orig
4. In the server.policy file, look for the following policies:
   grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" { ... };
   grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amconsole/-" { ... };
   grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/ampassword/-" { ... };
5. Replace amserver with the non-default URI used for the services web application in the following line:
   grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" {
6. For legacy mode installations, replace amconsole with the non-default URI used for the console web application in the following line:
   grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amconsole/-" {
7. Replace ampassword with the non-default URI used for the password web application in the following line:
   grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/ampassword/-" {
8. Start the Application Server instance on which Access Manager is deployed.
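The backup and edit steps above can be scripted as follows. This is an added example, not part of the original release notes or of Sun's tooling; the function names, the restriction of URIs to letters, digits, "_" and "-", and the sample file are assumptions made for the example. It changes only the codeBase line of one grant and confirms afterwards that no grant for the old URI remains.

```shell
# Added example: retarget one Access Manager grant in server.policy.
# Usage: retarget_grant POLICY_FILE CURRENT_URI NEW_URI

# Constructed sample with the three default grants (permission bodies left empty).
make_sample_policy() {
    cat > "$1" <<'EOF'
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" {
};
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amconsole/-" {
};
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/ampassword/-" {
};
EOF
}

retarget_grant() {
    policy=$1 old=$2 new=$3
    prefix=applications/j2ee-modules
    [ -f "$policy" ] || { echo "no such file: $policy" >&2; return 2; }

    # Only plain URI segments: keeps "/" and ".." out of the codeBase path
    # and regex metacharacters out of the sed expression.
    for v in "$old" "$new"; do
        case $v in
            ''|*[!A-Za-z0-9_-]*) echo "invalid URI segment: $v" >&2; return 2 ;;
        esac
    done

    # Exactly one grant for the current URI must exist before editing.
    n=$(grep -c "^grant codeBase \"file:.*/$prefix/$old/-\"" "$policy" || true)
    [ "$n" -eq 1 ] || { echo "expected 1 grant for $old, found $n" >&2; return 1; }

    # Back up as server.policy.orig, without clobbering an earlier backup.
    [ -e "$policy.orig" ] || cp -p "$policy" "$policy.orig" || return 1

    # Rewrite only the codeBase line; write in place to keep owner and mode.
    tmp=$policy.tmp.$$
    sed "/^grant codeBase /s|/$prefix/$old/-\"|/$prefix/$new/-\"|" "$policy" > "$tmp" &&
        cat "$tmp" > "$policy"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1

    # Post-check: new grant present, old grant gone.
    grep -q "/$prefix/$new/-\"" "$policy" && ! grep -q "/$prefix/$old/-\"" "$policy"
}
```

Run it once per web application whose URI differs from the default, with the Application Server instance stopped as in the procedure above.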
In a multiple server deployment, the platform server list and FQDN alias attribute are not updated if you install Access Manager on the second (and subsequent) servers.
Workaround: Add the Realm/DNS aliases and platform server list entries manually. For the steps, see the Adding Additional Instances to the Platform Server List and Realm/DNS Aliases in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.
Access Manager 7 2005Q4 requires that required attributes in service XML files have default values.
Workaround: If you have services with required attributes that do not have values, add values for the attributes and then reload the service.
If you deploy Access Manager 7 2005Q4 into a secure (SSL enabled) BEA WebLogic 8.1 SP4 instance, an exception occurs during the deployment of each Access Manager web application.
Workaround: Follow these steps:
1. Apply the WebLogic 8.1 SP4 patch JAR CR210310_81sp4.jar, which is available from BEA.
2. In the /opt/SUNWam/bin/amwl81config script (Solaris systems) or the /opt/sun/identity/bin/amwl81config script (Linux systems), update the doDeploy function and the undeploy_it function to prepend the path of the patch JAR to wl8_classpath, which is the variable that contains the classpath used to deploy and undeploy the Access Manager web applications. Find the following line containing wl8_classpath:
   wl8_classpath= ...
3. Immediately after the line you found in Step 2, add the following line:
   wl8_classpath=path-to-CR210310_81sp4.jar:$wl8_classpath
In a multiple server deployment, the amconfig script does not update the realm/DNS aliases and platform server list entries for additional Access Manager instances.
Workaround: Add the Realm/DNS aliases and platform server list entries manually. For the steps, see the Adding Additional Instances to the Platform Server List and Realm/DNS Aliases in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.
By default, the Access Manager mode (AM_REALM variable) is enabled in the configuration state file template.
Workaround: To install or configure Access Manager in Legacy mode, reset the variable in the state file:
AM_REALM = disabled
When an RSA key is used in IBM WebSphere, signing of the URL string fails with the following exception:
ERROR: FSSignatureUtil.signAndReturnQueryString: FSSignatureException occured while signing query string: no such provider: SunRsaSign
Workaround: The “SunRsaSign” provider is missing from the JDK bundled with WebSphere. To fix this problem, edit the websphere_jdk_root/jre/lib/security/java.security file and add the following line to enable “SunRsaSign” as one of the providers:
security.provider.6=com.sun.rsajca.Provider
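The line above assumes that index 6 is the next unused provider slot in java.security. The following added example, which is not part of the original release notes, checks that before appending; the function names and the placeholder provider classes in the sample file are assumptions made for the example. If it reports an index other than 6, slot 6 is already taken in that JDK and the line should use the reported index instead.

```shell
# Added example: check java.security before adding the SunRsaSign provider line.
# Constructed sample: five placeholder providers, standing in for a JDK
# whose provider list lacks com.sun.rsajca.Provider.
make_sample_java_security() {
    for i in 1 2 3 4 5; do
        echo "security.provider.$i=example.Provider$i"
    done > "$1"
}

# provider_status FILE CLASS
# Prints "present N" if CLASS is registered at index N, otherwise "add N",
# where N is the first unused index counting up from 1.
provider_status() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    awk -v cls="$2" '
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            eq = index($0, "=")
            idx = substr($0, 1, eq - 1); gsub(/[^0-9]/, "", idx)
            val = substr($0, eq + 1);    gsub(/[ \t\r]/, "", val)
            seen[idx + 0] = val
            if (val == cls) found = idx + 0
        }
        END {
            if (found) { print "present " found; exit }
            n = 1
            while (n in seen) n++
            print "add " n
        }' "$1"
}

# ensure_provider FILE CLASS: append the provider line only when CLASS is absent.
ensure_provider() {
    status=$(provider_status "$1" "$2") || return 1
    case $status in
        present*) return 0 ;;
    esac
    # Keep a copy of the original file; do not overwrite an earlier backup.
    [ -e "$1.orig" ] || cp -p "$1" "$1.orig" || return 1
    printf 'security.provider.%s=%s\n' "${status#add }" "$2" >> "$1"
}
```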