Access Manager 7 patch 6 (revision 06) fixes a number of problems, as listed in the README file included with the patch. Patch 6 also includes the following new features, issues, and documentation updates.
New Features in Patch 6
Access Manager supports the JDK 1.5 HttpURLConnection setReadTimeout method
Access Manager SDK falls back to the primary Directory Server after the primary comes back up
Multiple Access Manager instances on the same host can log to separate logging subdirectories
Access Manager supports multiple cookie domains
Microsoft IIS 6.0 post-authentication plug-in supports SharePoint Server
Access Manager supports Microsoft Windows Internet Explorer 7
Known Issues and Limitations in Patch 6
CR# 6379325: Accessing Console during session failover throws null pointer exception
CR# 6508103: On Windows, clicking Help in the Admin Console returns an application error
CR# 6564877: Access Manager 7 patch installation overwrites SAML v2 files
Before you install patch 6, upgrade or patch the following components:
If you are using Sun Java System Web Server 6.1 SP5 or earlier, upgrade to Web Server 6.1 SP7, which you can download from this site:
http://www.sun.com/download/products.xml?id=45c90ca9
Follow the upgrade process as described in Upgrade in Sun Java System Web Server 6.1 SP7 Release Notes.
Download and install the latest security patch for NSS, JSS, and NSPR from SunSolve Online: http://sunsolve.sun.com.
Solaris 8 SPARC platforms: 119209
Solaris 8 x86 platforms: 119210
Solaris 9 SPARC platforms: 119211
Solaris 9 x86 platforms: 119212
Solaris 10 SPARC platforms: 119213
Solaris 10 x86 and AMD64 platforms: 119214
Windows systems: 124392
HP-UX systems: 124379
To support the setReadTimeout method, the AMConfig.properties file has the following new property for you to set the read time-out value:
com.sun.identity.url.readTimeout
If the web container is using JDK 1.5, set this property so that reads on an HttpURLConnection time out. Without a read time-out, a slow or unresponsive peer leaves the connection open and its thread blocked indefinitely; enough of these stalled HttpURLConnections can exhaust the container and hang the server. The default is 30000 milliseconds (30 seconds).
The setReadTimeout method is not called if com.sun.identity.url.readTimeout is absent from the AMConfig.properties file or is set to an empty string.
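As an added illustration (not Access Manager source code), the following Java shows how the rule documented for com.sun.identity.url.readTimeout maps onto the JDK 1.5 HttpURLConnection API: an absent or empty property leaves the read time-out unset, and otherwise setReadTimeout bounds how long a calling thread can block waiting on the peer, which is what keeps stalled connections from accumulating. The ReadTimeoutExample class, the fetch helper, the sample configuration and the target URL are assumptions made for this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.SocketTimeoutException;
import java.net.URL;
import java.util.Properties;

// Added illustration, not Access Manager source. Written against JDK 1.5 APIs
// (no try-with-resources, no String.isEmpty, no IOException(String, Throwable)).
public class ReadTimeoutExample {

    /** Property name as documented in the patch 6 release notes. */
    static final String READ_TIMEOUT_PROP = "com.sun.identity.url.readTimeout";

    /**
     * Mirrors the documented rule: an absent or empty property means the
     * time-out is not applied (returns -1); otherwise the value in milliseconds.
     */
    static int configuredReadTimeout(Properties amConfig) {
        String value = amConfig.getProperty(READ_TIMEOUT_PROP);
        if (value == null || value.trim().length() == 0) {
            return -1;
        }
        try {
            int millis = Integer.parseInt(value.trim());
            return millis > 0 ? millis : -1;
        } catch (NumberFormatException e) {
            return -1;   // malformed value: treat as "not set" rather than fail the container
        }
    }

    /**
     * Fetch the URL body. With a positive time-out, a peer that stops sending
     * causes SocketTimeoutException instead of blocking this thread forever.
     */
    static byte[] fetch(URL url, int readTimeoutMillis) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        if (readTimeoutMillis > 0) {
            conn.setConnectTimeout(readTimeoutMillis);
            conn.setReadTimeout(readTimeoutMillis);  // JDK 1.5 API; skipped when the property is absent or empty
        }
        InputStream in = null;
        try {
            in = conn.getInputStream();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        } catch (SocketTimeoutException e) {
            throw new IOException("no data from " + url.getHost() + " within "
                    + readTimeoutMillis + " ms: " + e.getMessage());
        } finally {
            if (in != null) {
                try { in.close(); } catch (IOException ignored) { }
            }
            conn.disconnect();   // release the socket promptly whether or not the read succeeded
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed configuration; in a deployment these values come from AMConfig.properties.
        Properties amConfig = new Properties();
        amConfig.setProperty(READ_TIMEOUT_PROP, "30000");
        int timeout = configuredReadTimeout(amConfig);   // 30000

        // Hypothetical target URL for the example; pass a real one as the first argument.
        URL target = new URL(args.length > 0 ? args[0] : "http://am.example.com:8080/amserver/");
        byte[] body = fetch(target, timeout);
        System.out.println("read " + body.length + " bytes with read time-out " + timeout + " ms");
    }
}
```

Setting the connect time-out alongside the read time-out closes the other half of the same exposure (a peer that accepts the TCP handshake slowly); disconnecting in the finally block matters because a thread that has already timed out otherwise still holds the socket until garbage collection.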
If Sun Java System Directory Server is configured for multi-master replication (MMR), the Access Manager SDK now falls back to the primary Directory Server after the primary server goes down and then comes back up. Previously, the Access Manager SDK continued to access the secondary Directory Server even after the primary server came back up.
To support this new behavior, Access Manager has the following new property in the AMConfig.properties file:
com.sun.am.ldap.fallback.sleep.minutes
This property sets the time in minutes that the Access Manager SDK keeps using the secondary Directory Server instance after the primary server comes back up, before it falls back to the primary. The default is 15 minutes.
The com.sun.am.ldap.fallback.sleep.minutes property is hidden. To set it to a value other than the default (15 minutes), explicitly add it to the AMConfig.properties file. For example, to set the value to 7 minutes:
com.sun.am.ldap.fallback.sleep.minutes=7
For the new value to take effect, restart the Access Manager web container.
Multiple Access Manager instances running on the same host server can now log to separate log files in different logging subdirectories by setting the following new property in the AMConfig.properties file:
com.sun.identity.log.logSubdir
Unless you change the default logging directory in the Admin Console, the default logging directories are:
Solaris systems: /var/opt/SUNWam/logs
Linux and HP-UX systems: /var/opt/sun/identity/logs
Windows systems: C:\Sun\JavaES5\identity\logs
The first Access Manager instance always logs to the default logging directory. To specify different logging subdirectories for additional Access Manager instances, set the com.sun.identity.log.logSubdir property in the AMConfig.properties file for each additional Access Manager instance.
For example, if you have three instances, am-instance-1, am-instance-2, and am-instance-3, all running on the same Solaris host server, set the property as follows:
For am-instance-2: com.sun.identity.log.logSubdir=am-instance-2
For am-instance-3: com.sun.identity.log.logSubdir=am-instance-3
The com.sun.identity.log.logSubdir property is hidden. You must explicitly add this property to the AMConfig.properties file as needed and restart the Access Manager web container for subdirectory values to take effect.
The Access Manager instances then log to the following directories:
am-instance-1: /var/opt/SUNWam/logs/log-files-for-am-instance-1
am-instance-2: /var/opt/SUNWam/logs/am-instance-2/log-files-for-am-instance-2
am-instance-3: /var/opt/SUNWam/logs/am-instance-3/log-files-for-am-instance-3
To support multiple cookie domains, Access Manager has the following new property:
com.sun.identity.authentication.setCookieToAllDomains
The default is true. This new property is hidden. To set the value to false, explicitly add the property to the AMConfig.properties file, and restart the Access Manager web container.
The Microsoft Internet Information Services (IIS) 6.0 authentication plug-in now supports Microsoft Office SharePoint Server. A user can log in to Access Manager with either a user ID or a login name, but SharePoint Server accepts only a login name, so a login that used the user ID previously failed at SharePoint.
To allow a login to SharePoint Server, the post-authentication plug-in (ReplayPasswd.java) now uses the following new property:
com.sun.am.sharepoint_login_attr_name
This new property indicates the user attribute that SharePoint Server uses for authentication. For example, the following property specifies the common name (cn) for authentication:
com.sun.am.sharepoint_login_attr_name=cn
The post-authentication plug-in reads the com.sun.am.sharepoint_login_attr_name property and gets the corresponding attribute value for the user from Directory Server. The plug-in then sets the authorization headers to allow the user to access SharePoint Server.
This property is hidden. To set the property, explicitly add it to the AMConfig.properties file, and then restart the Access Manager web container for the value to take effect.
Access Manager 7 2005Q4 patch 6 now supports Microsoft Windows Internet Explorer 7.
In this scenario, multiple Access Manager servers are deployed in session failover mode behind a load balancer configured for cookie-based sticky request routing. The Access Manager administrator accesses the Access Manager Console through the load balancer. When the administrator logs into the Console, the session is created on one of the Access Manager servers. If that server goes down, the Console session fails over to another Access Manager server, as expected. The administrator, however, sometimes experiences intermittent null pointer exceptions on the browser and in the web-container error log.
The issue affects only the active Access Manager Console session at the time of the failover and not the functioning of the Access Manager servers.
Workaround: To prevent these intermittent null pointer exceptions:
For a temporary solution, refresh the browser, or log out and then back into the Console.
For a permanent solution, deploy the Access Manager Console on a separate Access Manager instance that does not participate in the session failover.
On Windows 2003 Enterprise Edition with Access Manager deployed on Sun Java System Application Server in locales other than English, clicking Help in the Admin Realm Mode Console returns an application error.
Workaround:
Copy the javaes-install-dir\share\lib\jhall.jar file to the %JAVA_HOME%\jre\lib\ext directory, where javaes-install-dir is the Windows installation directory.
Restart the Application Server instance.