Sun Java System Access Manager 7 2005Q4 Release Notes

Access Manager 7 2005Q4 Patch 6

Access Manager 7 patch 6 (revision 06) fixes a number of problems, as listed in the README file included with the patch. Patch 6 also includes the following new features, issues, and documentation updates.

New Features in Patch 6

Known Issues and Limitations in Patch 6

Note –

Before you install patch 6, it is recommended that you upgrade or patch the following components:

Access Manager supports the JDK 1.5 HttpURLConnection setReadTimeout method

To support the setReadTimeout method, the file has the following new property for you to set the read time-out value:


If the web container is using JDK 1.5, set this property to an appropriate value to cause connections to time out, in order to avoid having too many open HttpURLConnections that might cause the server to hang. The default is 30000 milliseconds (30 seconds).

The setReadTimeout method is ignored if com.sun.identity.url.readTimeout is not present in the file or is set to an empty string.

Access Manager SDK falls back to primary Directory Server after primary comes back up

If Sun Java System Directory Server is configured for multi-master replication (MMR), the Access Manager SDK now falls back to the primary Directory Server after the primary server goes down and then comes back up. Previously, the Access Manager SDK continued to access the secondary Directory Server even after the primary server came back up.

To support this new behavior, Access Manager has the following new property in the file:

This property sets the time in minutes that a secondary Directory Server instance sleeps before it falls back to the primary server after the primary server comes back up. The default is 15 minutes.

The property is hidden. To set this property to a value other than the default (15 minutes), explicitly add it to the file. For example, to set the value to 7 minutes:

For the new value to take effect, restart the Access Manager web container.

Multiple Access Manager instances log to separate log files

Multiple Access Manager instances running on the same host server can now log to separate log files in different logging subdirectories by setting the following new property in the file:


Unless you change the default logging directory in the Admin Console, the default logging directories are:

The first Access Manager instance always logs to the default logging directory. To specify different logging subdirectories for additional Access Manager instances, set the com.sun.identity.log.logSubdir property in the file for each additional Access Manager instance.

For example, if you have three instances, am-instance-1, am-instance-2, and am-instance-3, all running on the same Solaris host server, set the property as follows:


The com.sun.identity.log.logSubdir property is hidden. You must explicitly add this property to the file as needed and restart the Access Manager web container for subdirectory values to take effect.

The Access Manager instances then log to the following directories:


Access Manager 7 allows multiple cookie domains

To support multiple cookie domains, Access Manager has the following new property:


The default is true. This new property is hidden. To set the value to false, explicitly add the property to the file, and restart the Access Manager web container.

Microsoft IIS 6.0 post-authentication plug-in supports SharePoint Server

The Microsoft Internet Information Services (IIS) 6.0 authentication plug-in now supports the Microsoft Office SharePoint Server. A user can login to Access Manager with either a user ID or login name. SharePoint Server, however, accepts a login name, which causes problems when the user specifies a user ID.

To allow a login to SharePoint Server, the post-authentication plug-in ( now uses the following new property:

This new property indicates the user attribute that SharePoint Server uses for authentication. For example, the following property species the common name (cn) for authentication:

The post-authentication plug-in reads the property and gets the corresponding attribute value for the user from Directory Server. The plug-in then sets the authorization headers to allow the user to access SharePoint Server.

This property is hidden. To set the property, explicitly add it to the file, and then restart the Access Manager web container for the value to take effect.

Access Manager supports Internet Explorer 7

Access Manager 7 2005Q4 patch 6 now supports Microsoft Windows Internet Explorer 7.

CR# 6379325: Accessing Console during session failover throws null pointer exception

In this scenario, multiple Access Manager servers are deployed in session failover mode behind a load balancer configured for cookie-based sticky request routing. The Access Manager administrator accesses the Access Manager Console through the load balancer. When the administrator logs into the Console, the session is created on one of the Access Manager servers. If that server goes down, the Console session fails over to another Access Manager server, as expected. The administrator, however, sometimes experiences intermittent null pointer exceptions on the browser and in the web-container error log.

The issue affects only the active Access Manager Console session at the time of the failover and not the functioning of the Access Manager servers.

Workaround: To prevent these intermittent null pointer exceptions:

CR# 6508103: On Windows, clicking Help in the Admin Console returns an application error

On Windows 2003 Enterprise Edition with Access Manager deployed on Sun Java System Application Server in locales other than English, clicking Help in the Admin Realm Mode Console returns an application error.


  1. Copy the javaes-install-dir\share\lib\jhall.jar file to the %JAVA_HOME%\jre\lib\ext directory.

    where javaes-install-dir is the Windows installation directory

  2. Restart the Application Server instance.