This chapter describes OpenSSO Enterprise 8.0 Update 1, including:
OpenSSO Enterprise 8.0 Update 1 also fixes a number of problems, as listed in the README file included with patch 141655-01.
You can configure an external OpenDS server as the OpenSSO Enterprise 8.0 Update 1 user data store.
You can also store a relatively small number of users in the embedded OpenSSO configuration data store (OpenDS), when scalability is not an important requirement. This option is useful when you want to install OpenSSO Enterprise 8.0 Update 1 quickly for demonstration or evaluation purposes. However, you should not use an embedded OpenDS server as a user data store in a production environment.
The ability to create a specialized WAR file was present in OpenSSO Enterprise 8.0. In OpenSSO Enterprise 8.0 Update 1, the process has been simplified using the createwar.sh or createwar.bat script.
OpenSSO Enterprise 8.0 Update 1 provides a single page where you can view all SAMLv2 error conditions. This page is useful when you are troubleshooting a SAMLv2 configuration.
OpenSSO Enterprise 8.0 Update 1 supports Secure Attributes Exchange (SAE) data encryption. (SAE is also known as Virtual Federation.)
OpenSSO Enterprise 8.0 Update 1 supports Federal Information Processing Standards (FIPS) mode.
OpenSSO Enterprise 8.0 Update 1 supports the web containers described in Web Containers Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes and the following new web containers:
IBM WebSphere Application Server 7.0. See Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.
Oracle WebLogic Server 10g Release 3 (10.3)
GlassFish Prelude 3
OpenSSO Enterprise 8.0 Update 1 supports OpenDS to store user profiles, authentication data, and policies.
OpenSSO Enterprise 8.0 Update 1 includes the Fedlet.dll, template metadata files, and a sample application for implementing the Fedlet with ASP.NET applications. See Chapter 10, Using the ASP.NET Fedlet with OpenSSO Enterprise 8.0 Update 1.
The new com.sun.identity.am.cookie.check property indicates whether OpenSSO server should check if cookie support is disabled or not available in the user's browser. A value of true causes OpenSSO server to display an error message if the browser does not support cookies or has not enabled cookies.
Previously, if cookie support was disabled or not available on the user's browser and OpenSSO server was not in cookieless mode, authentication for a user failed without any errors. (Actually, authentication was done successfully, but OpenSSO server could not redirect the user to the OpenSSO protected web site.)
To Set the Property
Log in to the OpenSSO Administation Console.
Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.
Click Add and then specify:
Property Name: com.sun.identity.am.cookie.check
Property Value: true or false
Restart the OpenSSO server instance.
Note - If OpenSSO server is expected to support cookieless mode for authentication, set this property to false (which is the default).
OpenSSO Enterprise 8.0 Update 1 can validate a goto URL after a user logs in to prevent a hacker from sending the user to an imposter site in order to steal the user's personal information.
To Set Valid goto URLs:
Install OpenSSO Enterprise 8.0 Update 1. If you are patching OpenSSO Enterprise 8.0, make sure you run the updateschmema.sh or updateschema.bat script and restart the OpenSSO Enterprise web container.
Log in to the Admin Console.
Click Configuration, Authentication, and then Core.
Under Valid goto URL domains, add each valid goto domain name, as follows:
A domain name starting with a dot (.) such as .example.com allows all hosts in the example.com domain to be used in a success redirect URL.
A domain name that does not start with a dot (.) such as example.com allows the host example.com to be used in a success redirect URL. For example, http://example.com would be valid, but http://host.example.com would not be valid.
If you don't add the entire domain to the list, you must add each individual agent host name being used.
You do not need to add domains for agents in CDSSO mode, because they are protected automatically.
Restart the OpenSSO Enterprise web container.
If you subsequently want to disable the goto URL validation, remove all entries from the Valid goto URL domains list.
Additional Information - If a goto URL is found to be invalid, the user will be redirected to the default success login URL (/opensso/console).
The new com.sun.am.event.notification.expire.time property allows you to configure or disable the event notification cache in order to improve performance.
To disable the cache, set this property to 0 (zero). The default is 30 minutes.
After you set this property, restart the OpenSSO Enterprise 8.0 web container for the new value to take effect.
The new com.sun.identity.appendSessionCookieInURL property determines whether OpenSSO Enterprise 8.0 Update 1 ppends the session cookie to the URL for zero page authentication.
Set this property to false to prevent OpenSSO Enterprise 8.0 Update 1 from appending the session cookie to the URL. For example, if an application is filtering incoming URLs for special characters for security reasons and a cookie contains a special character, then access is denied. The default value is true (cookie is appended).
To set the new com.sun.identity.appendSessionCookieInURL property:
Log in to the OpenSSO Enterprise 8.0 Update 1 Admin Console.
Click Configuration, Servers and Sites, Default Server Settings, and then Advanced.
Add the property with a value of true.
The com.sun.identity.appendSessionCookieInURL property is hotswappable, which means that you don't have to restart the OpenSSO Enterprise 8.0 web container for a new value to take effect.
The amNaming log sometimes indicates multiple Site Monitor threads running for checking the same site. To prevent this problem, OpenSSO Enterprise 8.0 Update 1 provides improved synchronization to prevent the creation of the multiple Site Monitor threads for the same site. OpenSSO Enterprise 8.0 also includes these new properties:
com.sun.identity.urlchecker.retry.interval specifies the time interval in milliseconds between retries for a URL connection. Default is 500 milliseconds (0.5 seconds).
com.sun.identity.urlchecker.retry.limit specifies the maximum number of retries for the URL connection if a connection failure occurs. Default is 3 retries.
After you set these properties, restart the OpenSSO Enterprise 8.0 web container for the new values to take effect.
The fix for this problem also uses the following property:
com.sun.identity.urlchecker.sleep.interval specifies the time interval in milliseconds that the site status check should sleep. Default is 30000 milliseconds (30 seconds).
The new com.sun.identity.policy.resultsCacheMaxSize property allows you to configure the policy decision cache for OpenSSO Enterprise 8.0 Update 1 server.
For example, a value of 1000 causes policy decisions to be cached for maximum of 1000 sessions, irrespective of the actual number of concurrent sessions on the server.
Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking now support the Network Security Services for Java (JSS) library, enabling FIPS mode when OpenSSO Enterprise 8.0 Update 1 is deployed on the Sun Java System Web Server 7.0 Update 3 or later web container.
Note - FIPS compliance mode depends on JSS, but using JSS does not necessitate FIPS compliance mode.
Redirect callback support (RedirectCallback), which is used to redirect users to an external website as part of the authentication process, now works when the login is through a Distributed Authentication Server UI.
Previously, in cookie hijacking mode, policy agents sent the IP address of the server where they were installed to the OpenSSO Enterprise server. Now, the policy agent first sends the application SSO token. If the agent cannot obtain the application SSO token, the agent then sends the IP address to the OpenSSO Enterprise server.
If strict DN checking is required for a deployment, OpenSSO Enterprise server includes the new
The default value is false. If this property is set to true, the OpenSSO Enterprise server performs strict DN checking. If the agent sends an IP address, the OpenSSO Enterprise server considers the IP address to be an error.
To set iplanet-am-session-dnrestrictiononly for strict DN checking:
Add the property with a value of true using either the OpenSSO Enterprise Admin Console or the ssoadm utility.
Restart the OpenSSO Enterprise server web container for the DN checking to take effect.
The new com.iplanet.am.session.agentsessionidletime property sets the maximum idle timeout in minutes for policy agent sessions. The minimum value is 30 minutes. A value greater than 0 and less than 30 will be reset to 30.
The default is 0, which means that the policy agent sessions never time out.
To set com.iplanet.am.session.agentsessionidletime:
Add the property with the maximum idle timeout value using either the OpenSSO Enterprise Admin Console or the ssoadm utility.
Restart the OpenSSO server web container for the idle timeout value to take effect.
Due to the fix for security issue 3924 in OpenSSO 8.0 Enterprise 8.0, the amadmin user was prevented from logging in to any authentication module other than the DataStore and Application authentication modules.
This new fix for CR 6811036 removes this restriction, but at the same time re-implements the original security fix to protect the authentication as the amadmin user, which is considered as the OpenSSO Enterprise internal or special user, in following manner:
amadmin can authenticate only to or or the Top-Level Realm.
amadmin and its password will first be authenticated against the configuration data store. That is, this user and its password should match the amadmin user and its password in the OpenSSO Enterprise configuration data store. Then, this user will be authenticated against the required authentication store (authentication module) with the same credentials. Finally, this user will be retrieved (searched) in the OpenSSO Enterprise user data store (based on the user profile option selected in the Authentication service configuration).
The actual authentication module store and/or user data store and configuration data store could be different, as long as the above is successful. If all three stores are the same, the above would be automatically successful.
After a Client SDK installation, the service management service (SMS) cache is disabled by default, which can cause performance issues.
Workaround: To enable the cache for SMS and the Identity Repository (IdRepo), set or add the following properties in the AMClient.properties file:
com.iplanet.am.sdk.caching.enabled=true com.sun.identity.idm.cache.enabled=true com.sun.identity.sm.cache.enabled=true
Note - The hardware and software requirements for OpenSSO Enterprise 8.0 Update 1 represent the only environments in which it can be deployed with full support from Oracle. No support is provided for environments that do not meet the stated requirements.
Oracle assumes no responsibility or liability for any environments that don't adhere to supported hardware and software requirements for OpenSSO Enterprise 8.0 Update 1 as documented. Oracle strongly recommends that you involve the Professional Services organization before you begin the installation and deployment process. This may require additional expense on your part.
Policy Agent Version
OpenSSO Enterprise 8.0 Update 1 Support
Version 3.0 Java EE (formerly called J2EE) and web policy agents are supported, including new version 3.0 features.
For more information, including the available version 3.0 agents, see http://docs.sun.com/coll/1767.1.
Version 2.2 Java EE and web policy agents are supported.
However, a version 2.2 policy agent must continue to use version 2.2 features. For example, the OpenSSO Enterprise centralized agent configuration is not supported, and the 2.2 agent must store its configuration data locally in its AMAgent.properties file.
For more information, including the available version 2.2 agents, see http://docs.sun.com/coll/1322.1.
Version 2.1 policy agents are not supported.
If you patch OpenSSO Enterprise 8.0 with Update 1, you must re-install the admin tools in Update 1 before you run the updateschema.sh or updateschema.bat script, because the script requires the Update 1 version of the ssoadm command-line utility.
Workaround. Before you run the updateschema.sh or updateschema.bat script, install the Update 1 admin tools, as described in Chapter 3, Installing the OpenSSO Enterprise 8.0 Update 1 Admin Tools.
If the admin tools (ssoAdminTools.zip) are configured to use the IBM JVM with a secure (SSL-enabled) WebSphere Application Server 7.0 instance, the ssoadm returns a fatal error.
Workaround. To configure ssoadm, see Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.
If OpenSSO Enterprise 8.0 Update 1 is deployed with IBM WebSphere Application Server 7.0 and Java 2 security is enabled, the configuration fails.
Workaround. Add the required permissions to the WebSphere Application Server 7.0 server.policy. For more information see Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.
OpenSSO Enterprise 8.0 Update 1 has added support for using KDCs hosted on Windows Server 2008. To use this new feature, however, you must install a Microsoft hotfix to KTpass on the Windows Server 2008 KDC before using the KDC for Windows Desktop SSO authentication.
For more information and to download this hotfix, see http://support.microsoft.com/kb/951191.
Workaround. If OpenSSO Enterprise 8.0 Update 1 is deployed on IBM WebSphere Application Server 7.0 on Windows:
Prefix the Keytab File Name property of the Windows Desktop SSO authentication module instance with file:///. For example:
Set the new com.sun.identity.authentication.module.WindowsDesktopSSO.Krb5LoginModule property to com.ibm.security.auth.module.Krb5LoginModule.
Set this new property using ssoadm or in the OpenSSO Enterprise Admin Console under Configuration, Sites and Server, opensso-instance-name, and Advanced. Then, restart the WebSphere Application Server 7.0 instance for the value to take effect.
When running the Configurator using Safari on a Mac, the Next and Cancel buttons are not visible, which gives the impression that the configuration cannot continue.
Workaround. Maximize the Safari browser to the fullest extent and scroll down to see the buttons.
In a session failover configuration, the Berkeley DB client does not failover to the secondary Message Queue broker. OpenSSO Enterprise server, however, does failover
to the secondary broker, which causes the queue on that broker to quickly fill up. Then, the broker blocks the producer from sending any more messages, which in turn blocks messages from OpenSSO Enterprise server.
If you are using IBM WebSphere Application Server 6.1 as the web container and the Java Security Manager is enabled, the securing permissions need to be updated.
Workaround. For the correct permissions, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
Workaround. Before you enable FIPS mode, backup the bootstap file. Then, after you enable FIPS mode, replace the bootstrap file with the backup copy.
For more information, see Chapter 8, Configuring OpenSSO Enterprise 8.0 Update 1 in FIPS Mode.
Using JDK 1.6.x, when a Service Provider (SP) tries to verify a signed SAML2 response/assertion, the Identity Provider (IDP)throws a Null Pointer Exception.
Workaround. This problem occurs because JDK 1.6.x includes an older version of the XML security library. To fix this problem:
Create an endorsed directory in JDK 1.6.x. For example:
Copy the xmlsec.jar file from the OpenSSO_WAR_extracted_dir/WEB-INF/lib directory to the endorsed directory.
Restart the OpenSSO Enterprise 8.0 web container.
When you configure OpenSSO Enterprise 8.0 Update 1 using the console, if you provide the site details such as the load balancer and server instances, the configuration finishes successfully and you can log in. However, the debug logs contain an exception.
Workaround. None. You can ignore the exception.
If you deploy OpenSSO Enterprise 8.0 Update 1 on WebLogic Server 10 for both the SP and IDP, configure the meta for SP and IDP for signing and encryption using the default keystore, and then terminate with SOAP binding, an error is returned.
Workaround. Remove last two lines from idpArtifactResolution.jsp, idpMNISOAP.jsp, and spMNISOAP.jsp. Also, remove any empty spaces between %> and <%.
In addition to this document, additional OpenSSO Enterprise 8.0 documentation is available in the following collection:
Oracle periodically releases patches for OpenSSO Enterprise 8.0 on http://sunsolve.sun.com/. The following table shows the patch IDs for OpenSSO Enterprise 8.0 Update 1 and subsequent patch releases.
OpenSSO Enterprise 8.0 Update 1 Patch 3
OpenSSO Enterprise 8.0 Update 1 Patch 2
OpenSSO Enterprise 8.0 Update 1 Patch 1
OpenSSO Enterprise 8.0 Update 1
To download the latest patch, click Download Latest Patch 141655.
To determine if you should install a patch, check this document and the README file available with the patch.
In Patch 3, Message Queue 4.3 has been upgraded to GlassFish Message Queue 4.4. This upgrade improves OpenSSO Enterprise performance and addresses several issues with session failover deployments.
For the Message Queue documentation, see http://docs.sun.com/coll/1307.7.
Patch 3 includes the new com.sun.identity.cookie.httponly property to allow OpenSSO Enterprise session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can help to prevent cross-site scripting (XSS) attacks.
By default, the value for com.sun.identity.cookie.httponly is false. To set this new property, use the OpenSSO Administration Console:
Log in to the OpenSSO Administration Console.
Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.
Add com.sun.identity.cookie.httponly with a value of true.
Click Save and log out of the Console.
Restart the OpenSSO Enterprise web container.
You also need to set this property on the client side. For example, for a Distributed Authentication UI server deployment, set it to true in the AMDistAuthConfig.properties file.
In Patch 3, the OpenSSO REST-based authentication web service now supports module-based, realm-based, or service-based authentication. You can pass module, realm, and service as query parameters. For example, here are some sample REST commands:
http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=changeit http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=changeitANDAMPuri=realm%3Dsun http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=changeitANDAMPuri=module%3DDataStore http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=changeitANDAMPuri=service%3DldapService http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=changeitANDAMPuri=realm%3D/sun%26module%3DDataStore http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=passwordANDAMPuri=realm%3D/iplanet%26module%3DdataStore
In Patch 3, the AMLoginModule class includes the new isSessionQuotaReached() method to determine a user?s current session quota level:
public boolean isSessionQuotaReached(String userName)
This new method checks if the sessionCount is greater than or equal to the sessionQuota and returns true or false, depending the result.
Thus, a custom authentication module can check a user?s current session quota level and then if the user is about to exceed the session quota, ask whether that user wants to continue the session. This feature is normally be more useful when session constraints are enabled.
If a new administrator user logs into OpenSSO Enterprise server and tries to access the OpenSSO client website (for example, as deployed from the opensso-client-jdk15.war file), the new administrator user is asked to perform the client reconfiguration even though the configuration has already been done by the previous administrator.
Patch 3 provides the new openssoclient.config.folder property as a JVM argument in the container's configuration file (server.xml or domain.xml) to specify the configuration folder. For example:
If this argument is not specified, the configuration folder is user.home by default.
In Patch 3, the OpenSSO Console checks for a minimum password length of 8 characters for new users and for existing users who are changing a password.
Patch 3 includes the OpenSSO Diagnostic Tool, which allows you to run a number of diagnostic tests to verify configuration settings and to identify potential installation or deployment problems. For information, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
In Patch 3, the ssoadm utility does not produce audit logs to record which sub-commands have been executed. For example, the ssoadm list-realms sub-command should produce four audit log records (AMCLI-1, AMCLI-2, AMCLI-3020, and AMCLI-3021), but the log records are not produced.
In Patch 3, when the Security Token Server (STS) client samples are deployed on WebLogic Server and Jetty, the samples do not obtain the token that the server is deployed on WebLogic Server, and an uninitialized keystore error is thrown.
After installing OpenSSO Enterprise 8.0 Patch 3, Distributed Authentication UI deployments are not receiving notifications from the server.
Workaround. The notification URL property com.iplanet.am.notification.url has been renamed to com.sun.identity.client.notification.url. Update the AMDistAuthConfig.properties configuration file for the Distributed Authentication UI server (and other clients) with the new com.sun.identity.client.notification.url property.
After you apply Patch 3, the default minimum password length is 8 characters. However, to specify a different length for a different realm, run the following command:
./ssoadm set-realm-svc-attrs -u amadmin -f password-file -s sunIdentityRepositoryService -e realm-name -a sunIdRepoAttributeValidator= class=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl sunIdRepoAttributeValidator=minimumPasswordLength=password-minimum-length
In Patch 3, the Fedlet SSO HTTP POST link randomly returns a blank page. This problem occurs when a user is logged in on the IDP side and a session is created with SSO. The problem also occurs with SAMLv2.
Always run the latest versions of the ssopatch or ssopatch.bat utility and the corresponding updateschema.sh or updateschema.bat script from the Patch 3 release.
If you are patching OpenSSO Enterprise 8.0 with Patch 3:
Run the ssopatch or ssopatch.bat utility from Patch 3.
Run the updateschema or updateschema.bat script from Patch 3.
For more information about patching OpenSSO Enterprise, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
If you are moving to Patch 3 from Access Manager 7.1 or Access Manager 7 2005Q4:
Execute the ssoupgrade or ssoupgrade.bat script from Patch 3.
Run updateschema or updateschema.bat script from Patch 3.
For more information about upgrading, see the Sun OpenSSO Enterprise 8.0 Upgrade Guide.
OpenSSO Enterprise 8.0 stores parameters used to access the directory server in the /opensso/bootstrap file. If required by your deployment, you can change some of these parameters using the OpenSSO Adminstration Console. For example, you can change the Directory Manager password.
To Change the Directory Server Parameters in the bootstrap File
Log in to the OpenSSO Administration Console.
Click Configuration, Servers and Sites, opensso-instance-name, and then Directory Configuration.
Change the following values, as required by your deployment:
Bind DN is the privileged directory server administrator.
The default is cn=Directory Manager.
Bind Password is the password used by the Bind DN user to access the directory server.
You can also change the values for the following parameters, if you wish:
Minimum Connection Pool
Maximum Connection Pool
When you have made your changes, click Save.
The OpenSSO Console updates the responding values in the directory server bootstrap file.
Patch 141655-03 includes support for:
IBM AIX 6.1 platform
GlassFish Enterprise Server v2.1 web container
The OpenSSO Enterprise AMURLStreamHandlerFactory cannot create the URLStreamHandler for WebLogic Server, because WebLogic Server has preset the value for the java.protocol.handler.pkgs system property to
weblogic.net|weblogic.utils|weblogic.utils|weblogic.utils. If you try to access a remote WebLogic Server instance from the Console Session UI, OpenSSO Enterprise dumps an error log in the CoreSystem file.
The fix for CR 6867442 adds the new opensso.protocol.handler.pkgs property.
Although this problem occurred on WebLogic Server, the fix affects all web containers. If you have java.protocol.handler.pkg in your setup or if you are planning to use java.protocol.handler.pkg, add this new property as follows:
In the OpenSSO Administration Console, click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.
Click Add and then enter:
Property Name: opensso.protocol.handler.pkgs
Property Value: com.sun.identity.protocol
If you deploy and configure the console.war file in patch 141655-03, when you access the login page, the goto URL page is malformed.
Workaround. Manually enter the goto URL as protocol://openssohost:port/console and re-request the login page. For example: https://openssohost.example.com:8080/console
Oracle periodically releases patches to OpenSSO Enterprise 8.0 Update 1 on http://sunsolve.sun.com/. To find the latest patch for Update 1, search for patch ID 141655. To determine if you should install a patch, check the README file available with the patch.
Each patch release includes an opensso.war file that you can deploy as follows:
Patch an existing OpenSSO Enterprise 8.0 deployment
Install a new OpenSSO Enterprise 8.0 deployment
Create or patch one of the following specialized WAR files:
OpenSSO Enterprise Administration console only
OpenSSO Enterprise server only without the Administration console
OpenSSO Enterprise Distributed Authentication UI server
OpenSSO Enterprise IDP Discovery Service
For more information see Chapter 2, Installing OpenSSO Enterprise 8.0 Update 1.
You can also find additional useful information and resources at the following locations:
Oracle Advanced Customer Services for Systems:
Software Products: http://www.sun.com/software/
Sun Developer Network (SDN): http://developers.sun.com/
Sun Developer Services:http://developers.sun.com/services/
The Service Management Service (SMS) APIs (com.sun.identity.sm package) and SMS model will not be included in a future OpenSSO Enterprise release.
The Unix authentication module and the Unix authentication helper (amunixd) will not be included in a future OpenSSO Enterprise release.
The Sun Java System Access Manager 7.1 Release Notes stated that the Access Manager com.iplanet.am.sdk package, commonly known as the Access Manager SDK (AMSDK), and all related APIs and XML templates will not be included in a future OpenSSO Enterprise release.
Consequently, when the AMSDK is removed, the Legacy Mode option and support will also be removed.
Migration options are not available now and are not expected to be available in the future. Oracle Identity Manager provides user provisioning solutions that you can use instead of the AMSDK. For more information about Identity Manager, see http://www.oracle.com/products/middleware/identity-management/identity-manager.html.
If you have questions or issues with OpenSSO Enterprise 8.0 Update 1 or a subsequent patch release, contact Support Resources at http://sunsolve.sun.com/.
This site has links to the Knowledge Base, Online Support Center, and Product Tracker, as well as to maintenance programs and support contact numbers. If you are requesting help for a problem, please include the following information:
Description of the problem, including when the problem occurs and its impact on your operation
Machine type, operating system version, web container and version, JDK version, and OpenSSO Enterprise version, including any patches or other software that might be affecting the problem
Steps to reproduce the problem
Any error logs or core dumps
To obtain accessibility features that have been released since the publishing of this media, consult Section 508 product assessments available upon request to determine which versions are best suited for deploying accessible solutions.
For information about Oracle's commitment to accessibility, see http://www.sun.com/accessibility/index.jsp.
Third-party URLs are referenced in this document and provide additional, related information.
Oracle is not responsible for the availability of third-party Web sites mentioned in this document. Oracle does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Oracle will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.
April 13, 2010
Initial release of converted document from the Wiki version.