Sun OpenSSO Enterprise 8.0 Release Notes

Upgrade, Compatibility, and Coexistence Issues

5801: During upgrade, updateschema.sh fails while executing ssoadm in a site configuration

If you are upgrading from OpenSSO Enterprise 8.0 to an OpenSSO 8.0 Update 1 patch release and OpenSSO Enterprise 8.0 has been configured as a site with a load balancer, the updateschema.sh script fails while executing the ssoadm utility.

Workaround. Before you run the updateschema.sh or updateschema.bat script:

  1. Install the ssoadm utility from the OpenSSO Enterprise Update 1 patch release.

  2. After you install the ssoadm utility, edit the ssoadm or ssoadm.bat utility by adding the following property to the java command:

    -D"com.iplanet.am.naming.map.site.to.server=http://loadbalancer.example.com:8080/opensso=http://sso1.example.com:8080/opensso"

    where loadbalancer is the load balancer for the OpenSSO Enterprise site, and sso1 is the OpenSSO Enterprise server where ssoadm or ssoadm.bat is installed.

For more information, see Chapter 3, Installing the OpenSSO Enterprise 8.0 Update 1 Admin Tools, in Sun OpenSSO Enterprise 8.0 Update 1 Release Notes.

4108: Incorrect encryption key used after configuring OpenSSO Enterprise against existing schema (DIT)

After configuring OpenSSO Enterprise against an existing schema (DIT), you cannot log in to the console, because the encryption key entered during the configuration (the one from the old Access Manager or Federation Manager instance) is not used. Instead, a new, incorrect encryption key is generated, which creates an incorrect serverconfig.xml file.

Workaround.

  1. Change to the OpenSSO Enterprise config directory.

  2. Replace the encryption key in the AMConfig.properties file with the correct value.

  3. Copy the backup copy of serverconfig.xml from the previous Access Manager or Federation Manager instance.

  4. Restart the OpenSSO Enterprise server.

3962: Incorrect Console URL returned after authentication for non-admin user

If OpenSSO is configured with an Access Manager 7.1 Directory Server schema (DIT) in coexistence mode and a non-admin user logs in to the OpenSSO Console, the user is taken to an invalid URL. For example:

http://ssohost.example.com:8080/amserver/..amserver/base/AMAdminFrame.

Workaround. Edit the URL as follows:

protocol://host.domain:port/deploy_uri/idm/EndUser

For example:

http://ssohost.example.com:8080/amserver/idm/EndUser

3961: amadmin cannot log in to OpenSSO Console in coexistence mode

If OpenSSO is configured with an Access Manager 7.1 Directory Server schema (DIT) in coexistence mode, an attempt to log in as amadmin to the Console using LDAP authentication fails.

Workaround. To log in as amadmin to the OpenSSO Console in coexistence mode, add the module=DataStore query parameter to the login URL as follows:

protocol://host.domain:port/deploy_uri/UI/Login/?module=DataStore

For example:

http://ssohost.example.com:8080/amserver/UI/Login/?module=DataStore

2348: Document Distributed Authentication UI server support

The OpenSSO Enterprise Distributed Authentication UI server component works only with OpenSSO Enterprise. The following scenarios are not supported:

830: ID-FF schema metadata is not backward compatible

If you are upgrading from a previous release of Access Manager or Federation Manager to OpenSSO Enterprise 8.0, ID-FF profiles do not work unless you also upgrade the Access Manager or Federation Manager schema.

Workaround. Before you try the ID-FF profiles, upgrade the Access Manager or Federation Manager schema. For more information about upgrading the schema, see the Sun OpenSSO Enterprise 8.0 Upgrade Guide.