Sun Java System Access Manager 7 2005Q4 Release Notes

Access Manager 7 2005Q4 Patch 12

Access Manager 7 patch 12 (revision 12) fixes a number of problems, as listed in the README file included with the patch. Patch 12 also includes these issues and changes:

CR# 6916733: updateschema script checks for LDAP JDK version 4.21 or later

Access Manager 7 patch 9 and later requires LDAP JDK (ldapjdk.jar) version 4.21 or later.

With patch 12, the updateschema.sh or updateschema.pl script checks the LDAP JDK version. If the version is older than 4.21 or not defined, the script displays a message that you should install the latest LDAP JDK patch.

For security reasons, it is highly recommended that you download and install the latest LDAP JDK patch from SunSolve Online (http://sunsolve.sun.com/), depending on your specific platform:

CR# 6770231: Access Manager 7 Patch 12 validates goto URLs

After you install patch 12, the Access Manager 7 2005Q4 server can validate a goto URL after a user logs in. This fix prevents a hacker from sending the user to an imposter site in order to steal the user's personal information.

To set valid goto URLs, follow these steps:

  1. After you install patch 12, make sure you run the updateschema.sh or updateschema.bat script and then restart the Access Manager web container.

  2. Log in to the Access Manager Administration Console.

  3. Click Configuration, Authentication, and then Core.

  4. Under Valid goto URL domains, add each valid goto domain name, as follows:

    • A domain name starting with a dot (.) such as .example.com allows all hosts in the example.com domain to be used in a success redirect URL.

    • A domain name that does not start with a dot (.) such as example.com allows the host example.com to be used in a success redirect URL. For example, http://example.com would be valid, but http://host.example.com would not be valid.

    • If you don't add the entire domain to the list, you must add each individual agent host name being used.

    • You do not need to add domains for agents in CDSSO mode, because they are protected automatically.

  5. Click Save.

  6. Restart the Access Manager web container.

If you subsequently want to disable the goto URL validation, remove all entries from the Valid goto URL domains list. If a goto URL is found to be invalid, the user will be redirected to the default success login URL.
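
The matching rules from step 4 and the fallback behavior described above, as an added Python sketch (not Access Manager's own code). The function names, the default URL, the rejection of backslashes and control characters, the http/https-only rule, and treating .example.com as not covering the bare host example.com are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the default success login URL.
DEFAULT_SUCCESS_URL = "http://am.example.com/default-success"


def host_allowed(host, valid_domains):
    """Match a host against entries of the Valid goto URL domains list."""
    host = host.lower().rstrip(".")
    for entry in valid_domains:
        entry = entry.strip().lower()
        if entry.startswith("."):
            # ".example.com": any host inside the domain. The leading dot is
            # part of the suffix, so "evilexample.com" does not match.
            # Assumption: the bare host "example.com" needs its own entry.
            if len(host) > len(entry) and host.endswith(entry):
                return True
        elif host == entry:
            # "example.com": that exact host only.
            return True
    return False


def resolve_goto(goto, valid_domains):
    """Return goto if it passes validation, else the default success URL."""
    if not valid_domains:
        return goto  # empty list: validation is disabled
    # Assumption: refuse backslashes, spaces and control characters, which
    # URL parsers and browsers can interpret differently.
    if "\\" in goto or any(ord(c) < 0x21 for c in goto):
        return DEFAULT_SUCCESS_URL
    try:
        parts = urlsplit(goto)
        host = parts.hostname  # excludes any "user@" prefix and the port
    except ValueError:
        return DEFAULT_SUCCESS_URL
    # Assumption: only absolute http/https URLs are accepted.
    if parts.scheme not in ("http", "https") or not host:
        return DEFAULT_SUCCESS_URL
    return goto if host_allowed(host, valid_domains) else DEFAULT_SUCCESS_URL
```

Comparing the parsed host, rather than searching the URL string for the domain, is what keeps a URL such as http://example.com@evil.test/ from passing an example.com entry.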

CR# 6926203: Distributed Authentication UI server deployment validates goto URLs

In a Distributed Authentication UI (DAUI) server deployment, Access Manager 7 patch 12 validates goto URLs on the DAUI server side. This fix is similar to the Access Manager server side fix described previously in CR 6770231. The DAUI server reads the valid domain list from the Access Manager server and does not maintain its own list. After you install patch 12, make sure you restart the DAUI server.