Access Manager 7.1 patch 4 fixes a number of problems, as listed in the README file included with the patch. Patch 4 also includes the following changes and known issues:
If you open multiple browser tabs in the same browser instance to access the Access Manager login page, the new com.sun.identity.authentication.mutiple.tabs.used property prevents the “Too many authentication attempts” error.
To use this new property, add it with a value of true to the AMConfig.properties file and restart the Access Manager web container.
The new com.iplanet.am.session.agentsessionidletime property sets the maximum idle time in minutes for policy agent sessions. The default value is 0, which means policy agent sessions never time out. Any non-zero value below 30 is reset to 30, so the effective minimum idle timeout is 30 minutes.
To use this new property, add it with a value appropriate for your deployment to the AMConfig.properties file and restart the Access Manager web container.
The new com.sun.identity.cookie.httponly property allows Access Manager session cookies to be marked HttpOnly, so that browsers refuse to expose them to client-side scripts (for example, through document.cookie). The flag does not stop a cross-site scripting (XSS) flaw from being exploited, but it keeps an injected script from reading and exfiltrating the session cookie, which limits the damage such an attack can do.
By default, the value for com.sun.identity.cookie.httponly is false. To use this new property, add it with a value of true to the AMConfig.properties file and restart the Access Manager web container.
You must also set this property on the client side. For example, for a Distributed Authentication UI server deployment, set it to true in the AMDistAuthConfig.properties file.
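As an added example (not from the patch or its documentation), the following Python script audits the Set-Cookie headers of a captured Access Manager response for the HttpOnly flag, which is the check an engineer would run after enabling this property and restarting the container. It also reports a missing Secure flag, which this property does not control, because the two flags are normally reviewed together. The two responses are constructed for the example; the cookie names iPlanetDirectoryPro and AMAuthCookie are Access Manager's default names, but the values and the other headers are illustrative.

```python
"""Audit Set-Cookie headers for HttpOnly (and Secure).

Added example, not part of Access Manager or patch 4. Both responses below
are constructed; only the cookie names match Access Manager defaults.
"""

# Constructed response captured before com.sun.identity.cookie.httponly=true.
RESPONSE_BEFORE = """HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcxEXAMPLEtoken; Domain=.example.com; Path=/
Set-Cookie: AMAuthCookie=LOGOUT; Domain=.example.com; Path=/; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Location: https://portal.example.com/
"""

# Constructed response captured after the property was enabled; the SSO
# cookie also carries Secure, the auth cookie does not.
RESPONSE_AFTER = """HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcxEXAMPLEtoken; Domain=.example.com; Path=/; Secure; HttpOnly
Set-Cookie: AMAuthCookie=LOGOUT; Domain=.example.com; Path=/; HttpOnly
Location: https://portal.example.com/
"""

# Flags every session cookie is expected to carry, compared case-insensitively.
REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(value):
    """Return (cookie_name, {attribute: value}) for one Set-Cookie header value.

    Attribute names are lowercased; flag attributes such as HttpOnly map to None.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), attrs


def audit(raw_response, required=REQUIRED_FLAGS):
    """Return {cookie_name: [missing flags]} for every Set-Cookie header.

    An empty dict means every cookie in the response carries all required flags.
    """
    findings = {}
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line.split(":", 1)[1])
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for label, response in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label, audit(response) or "all cookies carry HttpOnly and Secure")
```

Paste a real response captured from your own deployment (for example from a browser's network inspector) in place of the constructed strings; the audit flags every cookie that still lacks HttpOnly, which usually means the property was set on the server but not on a Distributed Authentication UI host.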
In patch 4, the ampassword utility has the following new options:
ampassword -s | --hash [ password ]
ampassword -c | --hashencrypt [ password ]
-s or --hash hashes the password.
-c or --hashencrypt both hashes and encrypts the password.
Support for Windows Desktop SSO authentication is added for a Distributed Authentication UI server deployment and for the Access Manager 7.0 and later Client SDK. This change was verified for the following Access Manager 7.1 deployment scenarios:
Access Manager 7.1 server with a version 7.1 Distributed Authentication UI server deployment from a browser (both Internet Explorer and Firefox)
Access Manager 7.1 server with a version 7.1 Distributed Authentication UI server deployment with the Access Manager 7.0 and later Client SDK on Windows XP and Windows 2003
In patch 4, when Cross-Domain Single Sign-On (CDSSO) is used with programmatic clients, the CDC Servlet adds an extra, non-configurable HTTP response header. For example, with a web agent installed in CDSSO mode, viewing the response in the “Live HTTP Headers” browser extension shows the header Cdcservlet_auto_post: true. This header lets a custom application recognize the auto-submitting form and process its contents directly, instead of relying on a browser to submit it.
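The added example below (not Access Manager code) shows how a programmatic client can use that header: it parses a captured CDC Servlet response, acts only when Cdcservlet_auto_post is true, extracts the hidden fields of the auto-submitting form, and refuses to post them anywhere but the expected host. The response, the form markup and the field names LARES and RelayState are constructed for illustration; the real form fields are whatever your CDC Servlet emits.

```python
"""Handle a CDC Servlet auto-post response without a browser.

Added example, not part of Access Manager. The response below is constructed;
the header name is the one the release note describes, the form fields are
assumed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed CDC Servlet response: header plus an auto-submitting form.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cdcservlet_auto_post: true

<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://app.example.com/protected/index.html">
<input type="hidden" name="LARES" value="PHNhbWw6QXNzZXJ0aW9uPg">
<input type="hidden" name="RelayState" value="/protected/index.html">
<noscript><input type="submit" value="Continue"></noscript>
</form></body></html>
"""

# Constructed ordinary response (a login page) without the header.
PLAIN_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html

<html><body><form action="/amserver/UI/Login">Login page</form></body></html>
"""


class AutoPostForm(HTMLParser):
    """Collect the first form's action and method and its hidden inputs."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.method = "GET"
        self.fields = {}
        self._in_form = False
        self._done = False

    def handle_starttag(self, tag, attrs):
        if self._done:
            return
        a = dict(attrs)
        if tag == "form" and not self._in_form:
            self._in_form = True
            self.action = a.get("action")
            self.method = (a.get("method") or "GET").upper()
        elif tag == "input" and self._in_form and (a.get("type") or "text").lower() == "hidden":
            self.fields[a.get("name")] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form = False
            self._done = True


def parse_response(raw):
    """Split a raw HTTP response into (status_line, {lowercased header: value}, body)."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def handle_cdc_response(raw, expected_host):
    """Return None when the response is not an auto-post form.

    Otherwise return the request the client should issue itself:
    {"method", "url", "data"}. Raises ValueError if the form is malformed or
    targets a host other than expected_host, so the assertion is never posted
    to an attacker-chosen location.
    """
    _, headers, body = parse_response(raw)
    if headers.get("cdcservlet_auto_post", "").lower() != "true":
        return None
    form = AutoPostForm()
    form.feed(body)
    if not form.action or not form.fields:
        raise ValueError("auto-post header present but no form fields found")
    if urlparse(form.action).netloc != expected_host:
        raise ValueError("auto-post form targets unexpected host %r" % urlparse(form.action).netloc)
    return {"method": form.method, "url": form.action, "data": dict(form.fields)}


if __name__ == "__main__":
    print(handle_cdc_response(SAMPLE_RESPONSE, "app.example.com"))
    print(handle_cdc_response(PLAIN_RESPONSE, "app.example.com"))
```

The host check matters because the client is about to forward an authentication artifact: without it, any page that happens to carry the header and a form could redirect that artifact elsewhere.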
Patch 4 includes the following changes to the updateschema.sh script:
Removes the restriction of requiring the user to be superuser (root) to execute the script.
Allows the user to specify whether Directory Server has SSL enabled.
Validates the paths of the ldapsearch and ldapmodify commands and prompts the user to supply them if they are incorrect.
Corrects the path to the amadmin utility in an Access Manager 7.1 single WAR file deployment.
On Windows, the updateschema.pl script in Access Manager 7.1 patch 3 and later requires the version 4.21 or later ldapjdk.jar file. In some old ldapjdk.jar files, the version is not even defined in the META-INF/MANIFEST.MF file. If the LDAP JDK version is older than 4.21 or not defined, the updateschema.pl script exits with an error.
Workaround. Download and install the latest LDAP JDK patch, as described in Sun Java System LDAP JDK Patches.
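The added example below (not part of the updateschema.pl script) reproduces this version check so that a candidate ldapjdk.jar can be tested before the script is run: it reads META-INF/MANIFEST.MF from the jar, compares the version numerically against 4.21 (a plain string comparison would rank 4.9 above 4.21), and reports the undefined-version case separately. Which manifest attribute ldapjdk.jar uses for its version is an assumption here, so several common attribute names are tried; the jars in the example are built in memory as fixtures and are not real LDAP JDK builds.

```python
"""Check an ldapjdk.jar manifest for version 4.21 or later.

Added example, not part of updateschema.pl. The manifest attribute names and
the sample jars are assumptions and constructed fixtures respectively.
"""
import io
import re
import zipfile

MIN_VERSION = (4, 21)

# Assumed: the attribute that carries the LDAP JDK version. All are tried in order.
VERSION_KEYS = ("Implementation-Version", "Specification-Version", "Version")


def parse_manifest(text):
    """Parse the main section of a MANIFEST.MF into a dict.

    Honours the format's continuation lines: a line starting with one space
    continues the previous attribute's value. Stops at the first blank line.
    """
    attrs = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            break
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def parse_version(text):
    """'4.21' -> (4, 21); tolerates trailing text such as '4.21 (build 3)'."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def ldapjdk_version(jar_bytes):
    """Return the version tuple from the jar manifest, or None if not defined."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            return None
    attrs = parse_manifest(manifest)
    for key in VERSION_KEYS:
        if key in attrs:
            return parse_version(attrs[key])
    return None


def check_ldapjdk(jar_bytes, minimum=MIN_VERSION):
    """Return (ok, reason), mirroring the decision the release note describes."""
    version = ldapjdk_version(jar_bytes)
    if version is None:
        return False, "LDAP JDK version not defined in META-INF/MANIFEST.MF"
    shown = ".".join(map(str, version))
    if version < minimum:
        return False, "LDAP JDK %s is older than %s" % (shown, ".".join(map(str, minimum)))
    return True, "LDAP JDK %s" % shown


def make_jar(manifest_text):
    """Build a minimal in-memory jar holding only a manifest (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


# Constructed fixtures: a current jar, an old one, and one without a version.
SAMPLE_JARS = {
    "current": make_jar("Manifest-Version: 1.0\nImplementation-Version: 4.21\n\n"),
    "old": make_jar("Manifest-Version: 1.0\nImplementation-Version: 4.1\n\n"),
    "undefined": make_jar("Manifest-Version: 1.0\nCreated-By: 1.4.2 (Sun Microsystems Inc.)\n\n"),
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_ldapjdk.py C:\path\to\ldapjdk.jar
        with open(sys.argv[1], "rb") as handle:
            print(check_ldapjdk(handle.read()))
    else:
        for label, jar_bytes in SAMPLE_JARS.items():
            print(label, check_ldapjdk(jar_bytes))
```

Run it against the ldapjdk.jar the script will actually load; a jar that passes here but still fails in updateschema.pl points at a different attribute name, which is the assumption to adjust in VERSION_KEYS.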
If Access Manager 7.1 patch 4 is deployed from a WAR file, the updateschema script cannot run successfully for the following reasons:
On Solaris systems, the -B option is not available for the version of the ldapsearch utility that is called by the updateschema.sh script.
On Linux systems, the -Z option is not available for the version of the ldapsearch utility that is called by the updateschema.sh script.
On Windows, if you are running the updateschema.pl script, you cannot specify that the Directory Server is SSL enabled.
Workaround. On Solaris or Linux systems, edit the updateschema.sh script and change the path for the ldapsearch utility to point to a version that supports the -B and -Z options. You might need to download a version of ldapsearch that supports these options. Then rerun the updateschema.sh script.
On Windows, enable non-SSL access to Directory Server and rerun the updateschema.pl script. Enable it only for the duration of the schema update and disable it afterwards, since the bind credentials and the schema changes then cross the network unencrypted.