Access Manager 7.1 Patch 4
Access Manager 7.1 patch 4 fixes a number of problems, as listed in the README file included with the patch. Patch 4 also includes the following changes and known issues:
New Features and Changes in Access Manager 7.1 Patch 4
-
New property prevents “Too many authentication attempts” error (6883136)
-
New property sets idle time out for policy agent sessions (6697260)
-
Access Manager session cookies can be marked as HTTPOnly (6843487)
-
ampassword utility has new options to hash and encrypt a password (6850818)
New property prevents “Too many authentication attempts” error (6883136)
If you open multiple browser tabs in the same browser instance to access the Access Manager login page, the new com.sun.identity.authentication.mutiple.tabs.used property prevents the “Too many authentication attempts” error.
To use this new property, add it with a value of true to the AMConfig.properties file and restart the Access Manager web container.
New property sets idle time out for policy agent sessions (6697260)
The new com.iplanet.am.session.agentsessionidletime property sets the maximum idle timeout in minutes for policy agent sessions. The default value is 0, which causes policy agent sessions to never time out. The minimum value is 30 minutes. A value between 0 and 30 minutes will be reset to 30.
To use this new property, add it with a value appropriate for your deployment to the AMConfig.properties file and restart the Access Manager web container.
Access Manager session cookies can be marked as HTTPOnly (6843487)
The new com.sun.identity.cookie.httponly property allows Access Manager session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can help to prevent cross-site scripting (XSS) attacks.
By default, the value for com.sun.identity.cookie.httponly is false. To use this new property, add it with a value of true to the AMConfig.properties file and restart the Access Manager web container
You must also set this property on the client side. For example, for a Distributed Authentication UI server deployment, set it to true in the AMDistAuthConfig.properties file.
ampassword utility has new options to hash and encrypt a password (6850818)
In patch 4, the ampassword utility has the following new options:
ampassword -s | --hash [ password ] ampassword -c | --hashencrypt [ password ]
where:
-s or --hash hashes the password.
-c or --hashencrypt both hashes and encrypts the password.
Windows Desktop SSO authentication is added for Distributed Authentication UI Server deployment (6888820)
Support for Windows Desktop SSO authentication is added for a Distributed Authentication UI server deployment and the Access Manager 7.0 and later Client SDK. This CR was verified for the following Access Manager 7.1 deployment scenarios:
-
Access Manager 7.1 server with a version 7.1 Distributed Authentication UI server deployment from a browser (both Internet Explorer and Firefox)
-
Access Manager 7.1 server with a version 7.1 Distributed Authentication UI server deployment with the Access Manager 7.0 and later Client SDK on Windows XP and Windows 2003
CDC Servlet inserts custom HTTP response header (6800246)
In patch 4, if you integrate Cross-Domain Single Sign-On (CDSSO) with programmatic clients, the CDC Servlet inserts an extra HTTP response header (which is not configurable). For example, with a web agent installed in CDSSO mode, viewing a response on “Live HTTP Headers”, you will see the Cdcservlet_auto_post: true header. This change allows custom applications to easily distinguish the auto submitting form and to process the information accordingly.
Changes to the updateschema.sh script (6870576)
Patch 4 includes the following changes to the updateschema.sh script:
-
Removes the restriction of requiring the user to be superuser (root) to execute the script.
-
Allows the user to specify whether Directory Server has SSL enabled.
-
Validates the path of the ldapsearch and ldapmodify commands and prompts the user to specify the path if they are incorrect.
-
Corrects the path to the amadmin utility in an Access Manger 7.1 single WAR file deployment.
Known Issues in Access Manager 7.1 Patch 4
updateschema.pl script fails with older version of ldapjdk.jar (6934848)
On Windows, the updateschema.pl script in Access Manager 7.1 patch 3 and later requires the version 4.21 or later ldapjdk.jar file. In some old ldapjdk.jar files, the version is not even defined in the META-INF/MANIFEST.MF file. If the LDAP JDK version is older than 4.21 or not defined, the updateschema.pl script exits with an error.
Workaround. Download and install the latest LDAP JDK patch, as described in Sun Java System LDAP JDK Patches.
updateschema script cannot run successfully under certain circumstances in WAR file deployment (6934844)
If Access Manager 7.1 patch 4 is deployed from a WAR file, the updateschema script cannot run successfully for the following reasons:
-
On Solaris systems, the -B option is not available for the version of the ldapsearch utility that is called by the updateschema.sh script.
-
On Linux systems, the -Z option is not available for the version of the ldapsearch utility that is called by the updateschema.sh script.
-
On Windows, if you are running the updateschema.pl script, you cannot specify that the Directory Server is SSL enabled.
Workarounds
-
On Solaris or Linux systems, edit the updateschema.sh script and change the path for the ldapsearch utility to point to a version that supports the -B and -Z options. You might need to download a version of ldapsearch that supports these options. Then, rerun the updateschema.sh script.
-
On Windows, enable non-SSL access to Directory Server and rerun the updateschema.pl script.
- © 2010, Oracle Corporation and/or its affiliates