Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

Appendix H Known Issues and Limitations

The information in this appendix will be updated as more information becomes available.

Table H–1 Known Issues and Limitations

Reference Number 

Description 

6490164 

Installing Access Manager with upper case results in “No Such Organization” error.

If you install Access Manager with the server host name and domain name in mixed-case letters, you may not be able to access the Access Manager console. A “No Such Organization” or “No Such Domain” message is displayed. 

Workaround: Log in to the Access Manager console using the fully-qualified DN of the amadmin user, such as uid=amAdmin,ou=People,o=example.com, then add your fully-qualified server name in all-lowercase letters to the Realm/DNS Alias list of the top-level realm. Click the top-level realm to see the realm properties, and you will see the list of Realm/DNS Aliases.

6477741 

Exception is thrown when you run the agentadmin utility.

The following exception is thrown when you run the agentadmin utility from the J2EE Policy Agent 2.2 server (Hotpatch 3 for BEA Appserver 9.1).


# ./agentadmin --getUuid amadmin user example.com 
Failed to create debug directory 
Failed to create debug directory 
Failed to create debug directory 
Failed to create debug directory 
Failed to create debug directory

6476271 

BEA servers do not start up when startup script is not configured properly.

The BEA administration server and managed server will not start up if the startup script is not configured properly. When using J2EE Policy Agent 2.2 (Hotpatch-3) on BEA Application Server 9.1, you must append the following to the end of the setDomainEnv.sh file:


. /usr/local/bea/user_projects/domains/mydomain/setAgentEnv_server1.sh

The setDomainEnv.sh file contains the call to commEnv.sh.

6472662 

When SSL terminates at the Access Manager load balancer, the console application changes protocol from HTTPS to HTTP.

When you try to access the Access Manager load balancer with a URL such as https://loadbalancerURL:port/amserver/console, you cannot access the login page because the console application changes the protocol from HTTPS to HTTP.

Workaround: When you access the Access Manager load balancer, manually modify the URL to the following: https://loadbalancerURL:port/amserver/UI/Login.

6482952 

J2EE policy agent redirects to the context root in the goto URL.

The problem occurs when testing the sample application for the J2EE Policy Agent 2.2 for BEA WebLogic 9.1 Application Server.

If you access a URL such as http://agentLoadBalancerURL:port/agentsample/protectedservlet, you are redirected to the Access Manager login page, but the goto part of the URL contains only this: =http%3A%2F%2FagentLoadBalancerURL%3Aport%2Fagentsample. The result is that after successful authentication, you are redirected to the index page of the application, and not the page that you had requested.

Workaround: There is no workaround at this time.

6363157 

Performance is impacted due to unnecessary persistent searches.

The problem can occur, for example, when Access Manager uses LDAP roles. Persistent search is not necessary in this case, and one should be able to disable persistent searches without introducing additional risks to the system. 

Workaround: There is no workaround at this time.

6489403 

Login to a sub-realm fails when using the Distributed Authentication UI.

The problem occurs when you attempt to access a sub-realm using a URL such as the following:  

http://AuthenticationUIserver:1080/distAuth/UI/Login?realm=users&goto=http://hostName.domainName.com:1080

Instead of a login page, the following message is displayed: “No such Organization found.”

Workaround: There is no workaround at this time.

6467562 

Filtered role name missing ou=service in the container JAAS Subject.

When trying to use declarative security with J2EE agents, for any user in a sub-realm the role membership is not populated properly within the container JAAS Subject. It is missing ou=services in the jaas_subject role names. There is a mismatch between the role name returned from the Access Manager server and what is seen in the JAAS Subject.

Workaround: In the AMAgent.properties file, remove the ou=services part in the mapping key com.sun.identity.agents.config.privileged.attribute.mapping. For example, change this:


com.sun.identity.agents.config.privileged.attribute.mapping
[id\=manager,ou\=role,o\=users,ou\=services,o\=example.com] = am_manager_role

to 


com.sun.identity.agents.config.privileged.attribute.mapping
[id\=manager,ou\=role,o\=users,o\=example.com] = am_manager_role
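
The workaround for 6467562 can be applied to every mapping entry at once. The following is an added example, not part of the original appendix or the product: it assumes each mapping entry sits on a single line of AMAgent.properties, and the names strip_services, split_rdns and SAMPLE (constructed input, including am_employee_role) are hypothetical.

```python
import re

# Key family named in the workaround for issue 6467562.
MAPPING_KEY = "com.sun.identity.agents.config.privileged.attribute.mapping"

# Assumed single-line entry form: <key>[<escaped role DN>] = <container role>
ENTRY = re.compile(
    r"^(?P<indent>\s*)" + re.escape(MAPPING_KEY)
    + r"\s*\[(?P<dn>[^\]]*)\](?P<rest>\s*=.*)$"
)

# The RDN to drop; '=' may or may not be backslash-escaped in the file.
SERVICES_RDN = re.compile(r"^ou\\?=services$", re.IGNORECASE)


def split_rdns(dn):
    """Split a DN on the commas that separate RDNs, skipping escaped commas."""
    return re.split(r"(?<!\\),", dn)


def strip_services(text):
    """Return (new_text, changes); changes lists (line_no, old_line, new_line)."""
    out, changes = [], []
    for no, line in enumerate(text.splitlines(), start=1):
        m = ENTRY.match(line)  # commented-out entries start with '#': no match
        if m:
            rdns = split_rdns(m.group("dn"))
            kept = [r for r in rdns if not SERVICES_RDN.match(r.strip())]
            if len(kept) != len(rdns):
                new = "{}{}[{}]{}".format(
                    m.group("indent"), MAPPING_KEY, ",".join(kept), m.group("rest"))
                changes.append((no, line, new))
                line = new
        out.append(line)
    return "\n".join(out) + "\n", changes


# Constructed sample: one entry needing the fix, one already correct,
# and one commented-out entry that must be left alone.
SAMPLE = r"""# constructed AMAgent.properties excerpt
com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager,ou\=role,o\=users,ou\=services,o\=example.com] = am_manager_role
com.sun.identity.agents.config.privileged.attribute.mapping[id\=employee,ou\=role,o\=users,o\=example.com] = am_employee_role
# com.sun.identity.agents.config.privileged.attribute.mapping[id\=old,ou\=services,o\=example.com] = unused
"""

if __name__ == "__main__":
    _, found = strip_services(SAMPLE)
    for line_no, old, new in found:
        print("line {}:\n  - {}\n  + {}".format(line_no, old, new))
```

Review the reported changes before writing the result back, since these mappings determine which container roles a user receives under declarative security.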