Sun Java System Access Manager 7 2005Q4 Release Notes
Book Information
Contents
Revision History
About Sun Java System Access Manager 7 2005Q4
Access Manager 7 2005Q4 Patch Releases
Access Manager 7 2005Q4 Patch 12
CR# 6916733: updateschema script checks for LDAP JDK version 4.21 or later
CR# 6770231: Access Manager 7 Patch 12 validates goto URLs
CR# 6926203: Distributed Authentication UI server deployment validates goto URLs
Pre-Installation Considerations
Backing Up Files
Installing and Configuring Access Manager
Patch Installation Instructions
Patch Installation Instructions For Solaris Systems
Solaris 10 Zones
Patch Installation Instructions For Linux Systems
Patch Installation Instructions For Windows Systems
Installing the Windows Patch
Backing Out the Windows Patch
Patch Installation Instructions For HP-UX Systems
Post-Installation Considerations
CR# 6254355: Access Manager patches do not deploy Access Manager applications in postpatch scripts
CR# 6436409: Redeploying the Distributed Authentication and Client SDK WAR Files
Access Manager 7 2005Q4 Patch 11
CR# 6564877: Access Manager 7 patch installation overwrites SAML v2 files
CR# 6872718: Persistent XSS attacks are prevented in Access Manager
CR# 6843487: Access Manager session cookies can be marked as HTTPOnly
Access Manager 7 2005Q4 Patch 10
CR# 6813339: Access Manager reregisters Notification URL after a restart
CR# 6804391 and CR# 6777889: Access Manager SecurID authentication process no longer crashes
Access Manager 7 2005Q4 Patch 9
Access Manager 7 2005Q4 Patch 8
CR# 6668882: Cannot access Console that was installed with upper and lower case characters in domain name
CR# 6691106: Multiple SiteMonitor threads could be running for checking the same site
CR# 6697260: New property to set policy agent application session idle timeout
CR# 2151598: Delegation privileges cannot be defined for a filtered role
Access Manager 7 2005Q4 Patch 7
CR# 6637806: After restart, Access Manager sent an invalid application SSO token to an agent
CR# 6612609: Session failover works if network cable is disconnected from Message Queue server
CR# 6570409: Interaction service behind load balancer works correctly as Identity Provider
CR# 6545176: Redirect URLs can be dynamically set in post authentication processing SPI plug-in
Access Manager 7 2005Q4 Patch 6
Access Manager supports the JDK 1.5 HttpURLConnection setReadTimeout method
Access Manager SDK falls back to primary Directory Server after primary comes back up
Multiple Access Manager instances log to separate log files
Access Manager 7 allows multiple cookie domains
Microsoft IIS 6.0 post-authentication plug-in supports SharePoint Server
Access Manager supports Internet Explorer 7
CR# 6379325: Accessing Console during session failover throws null pointer exception
CR# 6508103: On Windows, clicking Help in the Admin Console returns an application error
Access Manager 7 2005Q4 Patch 5
Support for HP-UX Systems
Support for Microsoft Windows Systems
New updateschema.sh script to load LDIF and XML files
Support for specific application idle session timeout values
CDC Servlet can be deployed on a Distributed Authentication UI server
Realm can be specified when CDC servlet redirects to the Access Manager login URL
Certificate Authentication can use UPN value to map user profile
Post authentication processing of logout occurs in a multiple-server environment
SAML supports a new name identifier SPI
New Configuration Properties for Site Monitoring
User no longer must authenticate twice in authentication chain
Changes to Performance Tuning Scripts
Tuning scripts support a password file
Tuning script removes unnecessary ACIs from Directory Server
Tuning scripts can tune the Distributed Authentication UI server web container
Single amtune-os script tunes both Solaris OS and Linux OS
Tuning scripts run to completion in a Solaris 10 local zone
Tuning scripts are available for Windows systems
Tuning Considerations for Sun Fire T1000 and T2000 Servers
Basic Authentication in the IIS 6.0 Policy Agent
CR# 6567746: On HP-UX systems, Access Manager patch 5 reports incorrect errorCode value if password retry count is exceeded
CR# 6527663: Default value for com.sun.identity.log.resolveHostName property should be false instead of true
CR# 6527528: Patch removal leaves XML files with amldapuser password in clear text
CR# 6527516: Full server on WebLogic requires JAX-RPC 1.0 JAR files to communicate with client SDK
CR# 6523499: Patch 5 amsilent file is readable by all users on Linux systems
CR# 6520326: Applying patch 5 to a second Access Manager instance on a server overwrites serverconfig.xml for first instance
CR# 6520016: Patch 5 SDK-only install overwrites the samples makefiles
CR# 6515502: LDAPv3 repository plug-in does not always handle Alias Search Attribute correctly
CR# 6515383: Distributed Authentication and J2EE agent do not work in same web container
CR# 6508103: Online help returns application error with Application Server on Windows systems
CR# 6507383 and CR# 6507377: Distributed Authentication requires explicit goto URL parameter
CR# 6402167: LDAP JDK 4.18 causes LDAP client/Directory Server problems
CR# 6352135: Distributed Authentication UI server files are installed in incorrect location
CR# 6522720: Search in console online help does not work for multibyte characters on Windows and HP-UX systems
CR# 6524251: Multibyte characters in output messages are garbled during Access Manager configuration on Windows systems
CR# 6526940: Property keys appear instead of message text during patch 5 installation in non-English locales on Windows systems
CR# 6513653: Issue with com.iplanet.am.session.purgedelay property setting
Access Manager 7 2005Q4 Patch 4
CR# 6470055: Distributed Authentication UI server performance improvement
CR# 6455079: Password reset service reports notification errors when a password is changed
Access Manager 7 2005Q4 Patch 3
New Configuration Properties for Site Monitoring
Liberty Identity Web Services Framework (ID-WSF) 1.1 Support
CR# 6463779: Distributed Authentication amProfile_Client log and Access Manager server amProfile_Server log are filled with harmless exceptions
CR# 6460974: Default Distributed Authentication Application User should not be amadmin
CR# 6460576: No link for the User Service under Filtered Role in console online Help
CR# 6460085: Server on WebSphere is not accessible after running reinstallRTM and redeploying Web applications
CR# 6455757: sunISManagerOrganization marker class must be added to an organization before an upgrade
CR# 6454489: Access Manager 7 2005Q4 Patch 2 upgrade causes an error in the Console Current Sessions tab
CR# 6452320: Exceptions are thrown when using polling with client SDK
CR# 6442905: SSOToken of authenticated user can be unintentionally revealed to rogue sites
CR# 6441918: Site monitor interval and time-out properties
CR# 6440697: Distributed Authentication should run as non-amadmin user
CR# 6440695: Distributed Authentication UI servers with a load balancer
CR# 6440651: Cookie replay requires com.sun.identity.session.resetLBCookie property
CR# 6440648: com.iplanet.am.lbcookie.name property assumes default value of amlbcookie
CR# 6440641: com.iplanet.am.lbcookie.value property is deprecated
CR# 6429610: Unable to create SSO token in ID-FF SSO use case
CR# 6389564: Repetitious successive queries on role memberships of user in an LDAP v3 data store during Access Manager login
CR# 6385185: Authentication module must be able to override the “goto” URL and specify a different URL
CR# 6385184: Re-direct from within a custom authentication module when SSO Token is still in invalid state
CR# 6324056: Federation fails when using artifact profile
Access Manager 7 2005Q4 Patch 2
New Properties for the User Management, Identity Repository, and Service Management Caches
New Property for Federation Service Provider
LDAP Filter Condition Support
CR# 6283582: Num of login failures are not shared across Access Manager instances
CR# 6293673: Need to retain the original session information when sending out session timeout notification
CR# 6244578: Access Manager should warn user that the browser cookie support is disabled/not available
CR# 6236892: Image/Text place holder while CDCServlet is processing the AuthNResponse after login
CR# 6363157: New property disables persistent searches if absolutely required
CR# 6385696: Existing and new IDPs and SPs are not visible
Access Manager 7 2005Q4 Patch 1
Creation of Debug Files
Support for Roles and Filtered Roles in the LDAPv3 Plug-in
CR# 6320475: com.iplanet.am.session.client.polling.enable on server side must not be true
CR# 6358751: Access Manager 7 patch 1 apply fails if there are embedded spaces in the encryption key
What’s New in This Release
Access Manager Modes
New Access Manager Console
Identity Repository
Access Manager Information Tree
Access Manager Realms
Session Failover Changes
Session Property Change Notification
Session Quota Constraints
Distributed Authentication
Multiple Authentication Module Instances Support
Authentication “Named Configuration” or “Chaining” Name Space
Policy Module Enhancements
Site Configuration
Bulk Federation
Logging Enhancements
Hardware and Software Requirements
Supported Browsers
System Virtualization Support
Compatibility Issues
Access Manager Legacy Mode
Java ES Silent Installation Using a State File
“Configure Now” Installation Option in Graphical Mode
“Configure Now” Installation Option in Text-Based Mode
“Configure Later” Installation Option
Determining the Access Manager Mode
Access Manager Policy Agents
Installation Notes
Known Issues and Limitations
Compatibility Issues
Incompatibility between Java ES 2004Q2 servers and IM on Java ES 2005Q4 (6309082)
Incompatibilities exist in core authentication module for legacy mode (6305840)
Agent cannot login because “Profile not in the organization” (6295074)
Delegated Administrator commadmin utility does not create a user (6294603)
Delegated Administrator commadmin utility does not create an organization (6292104)
Installation Issues
After applying patch 1, /tmp/amsilent file allows read access for all users (6370691)
On SDK install with container configuration, notification URL is not correct (6327845)
Access Manager classpath refers to expired JCE 1.2.1 package (6297949)
Installing Access Manager on an existing DIT requires rebuilding Directory Server indexes (6268096)
Log and debug directories permissions incorrect for non-root users (6257161)
Authentication service is not initialized when Access Manager and Directory Server are installed on separate machines (6229897)
Installer doesn't add platform entry for existing directory install (6202902)
Upgrade Issues
Access Manager ampre70upgrade script does not remove localized packages (6378444)
AMConfig.properties file has an old version for the web container (6316833)
Node agent server.policy file isn't updated as part of an Access Manager upgrade (6313416)
After upgrade, Session Property Condition is missing in the Condition list (6309785)
After upgrade, Identity Subject type is missing from the policy subject list (6304617)
Access Manager upgrade failed because the classpath is not migrated (6284595)
After upgrade, amadmin command returns wrong version shown (6283758)
Add ContainerDefaultTemplateRole attribute after data migration (4677779)
Configuration Issues
Application Server 8.1 server.policy file must be edited when using non-default URIs (6309759)
Platform server list and FQDN alias attribute are not updated (6309259, 6308649)
Data validation for required attributes in the services (6308653)
Document workaround for deployment on a secure WebLogic 8.1 instance (6295863)
The amconfig script does not update the realm/DNS aliases and platform server list entries (6284161)
Default Access Manager mode is realm in the configuration state file template (6280844)
URL signing failed in IBM WebSphere when using RSA key (6271087)
Access Manager Console Issues
For SAML, duplicate Trusted Partner console edit errors (6326634)
Remote logging is not working for amConsole.access and amPasswordReset.access (6311786)
Adding more amadmin properties in the console is changing the amadmin user password (6309830)
New Access Manager Console cannot set the CoS template priorities (6309262)
Exception error occurs when adding a group to a user as a policy admin user (6299543)
In legacy mode, you cannot delete all users from a role (6293758)
Cannot add, delete, or modify Discovery Service resource offerings (6273148)
Wrong LDAP bind password should give error for the subject search (6241241)
Access Manager cannot create an organization under a container in legacy mode (6290720)
Old console appears when adding Portal Server related services (6293299)
Console does not return the results set from Directory Server after reaching the resource limit (6239724)
SDK and Client Issues
Can't remove Session Service configuration for a subrealm (6318296)
CDC servlet redirecting to the invalid login page when policy condition is specified (6311985)
Clients do not get notifications after the server restarts (6309161)
SDK clients need to restart after service schema change (6292616)
Command-Line Utilities Issues
Null attribute LDAP search returns an error when Access Manager points to Directory Proxy (6357975)
New schema files are missing from amserveradmin script (6255110)
Cannot save XML documents with escape character in Internet Explorer 6.0 (4995100)
Authentication Issues
UrlAccessAgent SSO Token is expiring (6327691)
Unable to login to subrealm with LDAPV3 plugin/dynamic profile after correcting password (6309097)
Incompatibility for Access Manager default configuration of Statistics Service for legacy (compatible) mode (6286628)
Attribute uniqueness broken in the top-level organization for naming attributes (6204537)
Session and SSO Issues
Access Manager instances across time zones timeout other user sessions (6323639)
Session failover (amsfoconfig) script has incorrect permissions on Linux 2.1 system (6298433)
Session failover (amsfoconfig) script fails on Linux 2.1 system (6298462)
System creates invalid service host name when load balancer has SSL termination (6245660)
Using HttpSession with third-party web containers (No CR number)
Policy Issues
Deletion of dynamic attributes in Policy Configuration Service causing issues in editing of policies (6299074)
Server Startup Issues
Debug error occurs on Access Manager startup (6309274, 6308646)
Using BEA WebLogic Server as a web container
Linux OS Issues
JVM problems occur when running Access Manager on Application Server (6223676)
Federation and SAML Issues
Running the web services sample returns “Resource offering not found” (6359900)
Federation fails when using Artifact profile (6324056)
Special characters (&) in SAML statements should be encoded (6321128)
Exception occurs when trying to add Disco Service to a role (6313437)
Auth Context attributes are not configurable until you have configured and saved other attributes (6301338)
EP Sample does not work if root suffix contains “&” character (6300163)
Logout error occurs in Federation (6291744)
Globalization (g11n) Issues
User locale preferences are not applied to the whole administration console (6326734)
Online help is not fully available for European languages if Access Manager is deployed on IBM WebSphere (6325024)
Version information is blank when Access Manager is deployed on IBM WebSphere (6319796)
Removing UTF-8 is not working in Client Detection (5028779)
Multibyte characters are displayed as question marks in log files (5014120)
Documentation Issues
Document that Access Manager cannot revert from Realm Mode to Legacy Mode (6508473)
Document more information about disabling persistent searches (6486927)
Document Access Manager supported and unsupported privileges (2143066)
Document cookie-based sticky request routing (6476922)
Document Windows Desktop SSO configuration for Windows 2003 (6487361)
Document steps to set up Distributed Authentication UI server passwords (6510859)
Online Help for “To create a new site name” needs more information (2144543)
Document that administrator password configuration parameter is ADMIN_PASSWD on Windows systems (6470793)
Release Notes have wrong workaround for known issue (6422907)
Document com.iplanet.am.session.protectedPropertiesList in AMConfig.properties (6351192)
Document the roles and filtered roles support for LDAPv3 plug-in (6365196)
Document unused properties in the AMConfig.properties file (6344530)
com.iplanet.am.session.client.polling.enable on server side must not be true (6320475)
Default Success URL is incorrect in the console online help (6296751)
Document how to enable XML encryption (6275563)
Documentation Updates
Sun Java System Access Manager 7 2005Q4 Collection
Sun Java System Federation Manager 7.0 2005Q4 Collection
Sun Java System Access Manager Policy Agent 2.2 Collection
Redistributable Files
How to Report Problems and Provide Feedback
Oracle Welcomes Your Comments
Additional Resources
Oracle's Accessibility Program
Related Third-Party Web Sites
© 2010, Oracle Corporation and/or its affiliates