Access Manager 7 patch 7 (revision 07) fixes a number of problems, as listed in the README file included with the patch.
Patch 7 includes these changes:
CR# 6637806: After restart, Access Manager sent an invalid application SSO token to an agent
CR# 6612609: Session failover works if network cable is disconnected from Message Queue server
CR# 6570409: Interaction service behind load balancer works correctly as Identity Provider
CR# 6545176: Redirect URLs can be dynamically set in post authentication processing SPI plug-in
After an Access Manager server restart, the Access Manager client SDK now sends a meaningful exception to an agent, so the agent can re-authenticate itself to get a new application session. Previously, after applying Access Manager 7 2005Q4 patch 5, the Access Manager client SDK sent an invalid application SSO token to the agent after an Access Manager server restart.
This problem has been fixed by duplicate CR 6496155. Patch 7 also provides an option (the com.iplanet.dpro.session.dnRestrictionOnly property) to send the application SSO token in a restrictive context. By default, agents send the IP address of the server where they are installed, but if strict DN checking is required, set this property in the AMConfig.properties file as follows:
com.iplanet.dpro.session.dnRestrictionOnly=true
In a session failover deployment, if each Access Manager instance and Message Queue broker are installed on the same server, session failover now works if a network cable is disconnected from one of the servers. By default the Message Queue imqAddressListBehavior connection factory attribute is set to PRIORITY, which causes Message Queue to try addresses in the order in which they appear in the broker address list (for example: localhost:7777,server2:7777,server3:7777). If the attribute is set to RANDOM, the addresses are tried in random order.
To set this attribute to RANDOM, set the following parameter in the amsessiondb script:
-DimqAddressListBehavior=RANDOM
For information about the Message Queue PRIORITY and RANDOM attributes, see Broker Address List in Sun Java System Message Queue 3.7 UR1 Administration Guide.
In a deployment with two servers connected with a load balancer and functioning as a single Identity Provider, you must set the following properties in the AMConfig.properties file:
com.sun.identity.liberty.interaction.lbWspRedirectHandler
com.sun.identity.liberty.interaction.trustedWspRedirectHandlers
For the com.sun.identity.liberty.interaction.interactionConfigClass property, the interaction configuration class bundled with Federation Liberty is the only class currently supported. Thus, by default, that bundled class is used to access the interaction configuration parameters.
Redirect URLs can now be dynamically set in post authentication processing SPI plug-ins for login success, login failure, and logout. If a post processing plug-in is not executed, the redirect URL set through the post processing SPI is not used, and redirect URLs set by any other means are applied as before.
For information, see the com.iplanet.am.samples.authentication.spi.postprocess.ISAuthPostProcessSample.java sample.
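The following plug-in is an added example of the post authentication processing SPI usage described above; it is not the ISAuthPostProcessSample shipped with Access Manager and not code from this patch. It assumes the AMPostAuthProcessInterface interface, its onLoginSuccess, onLoginFailure and onLogout signatures, and the POST_PROCESS_LOGIN_SUCCESS_URL, POST_PROCESS_LOGIN_FAILURE_URL and POST_PROCESS_LOGOUT_URL request-attribute constants as found in the Access Manager SPI; verify these names against the sample cited above before deploying. The package name, destination URLs and the "goto" parameter are placeholders. Because the plug-in controls where the browser is sent after login, it also checks any caller-supplied target against an allowlist so it cannot be turned into an open redirector by a crafted login link; that check is this example's addition, not something the patch provides.

```java
// Added example (not the ISAuthPostProcessSample shipped with Access Manager).
// Interface, method signatures and POST_PROCESS_* constant names are assumed
// from the Access Manager post authentication processing SPI.
package com.example.auth;   // hypothetical package

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;

public class AllowlistRedirectPostProcess implements AMPostAuthProcessInterface {

    // Hypothetical destinations; replace with the deployment's own URLs.
    private static final String DEFAULT_SUCCESS_URL = "https://portal.example.com/home";
    private static final String FAILURE_URL = "https://portal.example.com/login-failed";
    private static final String LOGOUT_URL = "https://portal.example.com/logged-out";

    // Only URLs under these prefixes may be used as a post-login redirect.
    // Any other value supplied in the "goto" parameter is ignored, so a
    // crafted login link cannot send an authenticated user to a third party.
    private static final List ALLOWED_PREFIXES = Collections.unmodifiableList(
            Arrays.asList(new String[] {
                "https://portal.example.com/",
                "https://intranet.example.com/" }));

    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response, SSOToken ssoToken)
            throws AuthenticationException {
        String target = DEFAULT_SUCCESS_URL;
        String requested = request.getParameter("goto");   // hypothetical parameter
        if (isAllowed(requested)) {
            target = requested;
        }
        // The authentication framework reads this request attribute after the
        // plug-in returns and redirects the browser to it (assumed behaviour).
        request.setAttribute(
                AMPostAuthProcessInterface.POST_PROCESS_LOGIN_SUCCESS_URL, target);
    }

    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        request.setAttribute(
                AMPostAuthProcessInterface.POST_PROCESS_LOGIN_FAILURE_URL, FAILURE_URL);
    }

    public void onLogout(HttpServletRequest request, HttpServletResponse response,
            SSOToken ssoToken) throws AuthenticationException {
        request.setAttribute(
                AMPostAuthProcessInterface.POST_PROCESS_LOGOUT_URL, LOGOUT_URL);
    }

    // Accept only absolute URLs that start with an allowed "https://host/" prefix.
    // Scheme-relative values such as "//evil.example/" and other-host URLs fail
    // the prefix match, so they fall back to DEFAULT_SUCCESS_URL.
    static boolean isAllowed(String url) {
        if (url == null || url.length() == 0) {
            return false;
        }
        for (int i = 0; i < ALLOWED_PREFIXES.size(); i++) {
            if (url.startsWith((String) ALLOWED_PREFIXES.get(i))) {
                return true;
            }
        }
        return false;
    }
}
```

Register the class as the post authentication processing class for the realm or authentication module as described in the sample's accompanying instructions; if the plug-in is not executed for a given login, the framework falls back to whatever redirect URL was set by other means, as the text above states.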