OpenSSO Enterprise 8.0 Update 1 also fixes a number of problems, as listed in the README file included with patch 141655-01.
You can configure an external OpenDS server as the OpenSSO Enterprise 8.0 Update 1 user data store.
You can also store a relatively small number of users in the embedded OpenSSO configuration data store (OpenDS), when scalability is not an important requirement. This option is useful when you want to install OpenSSO Enterprise 8.0 Update 1 quickly for demonstration or evaluation purposes. However, you should not use an embedded OpenDS server as a user data store in a production environment.
The ability to create a specialized WAR file was present in OpenSSO Enterprise 8.0. In OpenSSO Enterprise 8.0 Update 1, the process has been simplified using the createwar.sh or createwar.bat script.
OpenSSO Enterprise 8.0 Update 1 provides a single page where you can view all SAMLv2 error conditions. This page is useful when you are troubleshooting a SAMLv2 configuration.
OpenSSO Enterprise 8.0 Update 1 supports Secure Attributes Exchange (SAE) data encryption. (SAE is also known as Virtual Federation.)
OpenSSO Enterprise 8.0 Update 1 supports Federal Information Processing Standards (FIPS) mode.
OpenSSO Enterprise 8.0 Update 1 supports the web containers described in Web Containers Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes and the following new web containers:
IBM WebSphere Application Server 7.0. See Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.
Oracle WebLogic Server 10g Release 3 (10.3)
GlassFish Prelude 3
OpenSSO Enterprise 8.0 Update 1 supports OpenDS to store user profiles, authentication data, and policies.
OpenSSO Enterprise 8.0 Update 1 includes the Fedlet.dll, template metadata files, and a sample application for implementing the Fedlet with ASP.NET applications. See Chapter 10, Using the ASP.NET Fedlet with OpenSSO Enterprise 8.0 Update 1.
The new com.sun.identity.am.cookie.check property indicates whether OpenSSO server should check if cookie support is disabled or not available in the user's browser. A value of true causes OpenSSO server to display an error message if the browser does not support cookies or has not enabled cookies.
Previously, if cookie support was disabled or not available on the user's browser and OpenSSO server was not in cookieless mode, authentication for a user failed without any errors. (Actually, authentication was done successfully, but OpenSSO server could not redirect the user to the OpenSSO protected web site.)
To Set the Property
Log in to the OpenSSO Administration Console.
Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.
Click Add and then specify:
Property Name: com.sun.identity.am.cookie.check
Property Value: true or false
Restart the OpenSSO server instance.
Note - If OpenSSO server is expected to support cookieless mode for authentication, set this property to false (which is the default).
OpenSSO Enterprise 8.0 Update 1 can validate a goto URL after a user logs in to prevent a hacker from sending the user to an imposter site in order to steal the user's personal information.
To Set Valid goto URLs:
Install OpenSSO Enterprise 8.0 Update 1. If you are patching OpenSSO Enterprise 8.0, make sure you run the updateschema.sh or updateschema.bat script and restart the OpenSSO Enterprise web container.
Log in to the Admin Console.
Click Configuration, Authentication, and then Core.
Under Valid goto URL domains, add each valid goto domain name, as follows:
A domain name starting with a dot (.) such as .example.com allows all hosts in the example.com domain to be used in a success redirect URL.
A domain name that does not start with a dot (.) such as example.com allows the host example.com to be used in a success redirect URL. For example, http://example.com would be valid, but http://host.example.com would not be valid.
If you don't add the entire domain to the list, you must add each individual agent host name being used.
You do not need to add domains for agents in CDSSO mode, because they are protected automatically.
Restart the OpenSSO Enterprise web container.
If you subsequently want to disable the goto URL validation, remove all entries from the Valid goto URL domains list.
Additional Information - If a goto URL is found to be invalid, the user will be redirected to the default success login URL (/opensso/console).
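The following is an added illustration of the matching rules described above; it is not OpenSSO code and does not reproduce the product's own implementation. It applies the two entry forms (a leading dot matches every host in the domain, no leading dot matches only that exact host), treats an empty list as validation disabled, and falls back to /opensso/console when the goto URL is not valid. Two details are assumptions of this example rather than statements from the release notes: a dotted entry such as .example.com is taken to match the apex host example.com as well, and a relative goto (no host) is accepted because it cannot leave the server.

```python
from urllib.parse import urlsplit

# Default success login URL named in the release notes.
DEFAULT_SUCCESS_URL = "/opensso/console"


def host_allowed(host, valid_domains):
    """Return True if host is covered by the Valid goto URL domains list.

    ".example.com"  -> any host under example.com (apex included; assumption)
    "example.com"   -> exactly example.com, so host.example.com is rejected
    """
    host = host.lower().rstrip(".")
    for entry in valid_domains:
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def resolve_goto(goto, valid_domains, default=DEFAULT_SUCCESS_URL):
    """Return the URL the user should be sent to after login.

    An empty valid_domains list disables validation (as the notes state).
    Otherwise an absolute URL must be http(s) with an allowed host; anything
    else redirects to the default success URL.
    """
    if not valid_domains:
        return goto
    try:
        parts = urlsplit(goto)
    except ValueError:
        # Malformed URL (e.g. unbalanced IPv6 brackets); never redirect to it.
        return default
    host = parts.hostname
    if host is None:
        # Relative path: stays on this server (assumption of this example).
        return goto
    if parts.scheme not in ("http", "https"):
        # Covers scheme-relative "//evil.example/" and non-web schemes.
        return default
    # urlsplit().hostname takes the part after the last "@", so a goto like
    # http://example.com@evil.example/ is judged by its real host, evil.example.
    return goto if host_allowed(host, valid_domains) else default


if __name__ == "__main__":
    allowed = ["example.com", ".partner.example"]
    for candidate in (
        "http://example.com/app",
        "http://host.example.com/app",
        "https://sso.partner.example/cb",
        "http://example.com@evil.example/",
    ):
        print(candidate, "->", resolve_goto(candidate, allowed))
```

The userinfo case at the end is the one a practitioner should test against their own deployment: a validator that looks for the allowed domain anywhere in the string would pass it, while one that compares the parsed host rejects it.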
The new com.sun.am.event.notification.expire.time property allows you to configure or disable the event notification cache in order to improve performance.
To disable the cache, set this property to 0 (zero). The default is 30 minutes.
After you set this property, restart the OpenSSO Enterprise 8.0 web container for the new value to take effect.
The new com.sun.identity.appendSessionCookieInURL property determines whether OpenSSO Enterprise 8.0 Update 1 appends the session cookie to the URL for zero page authentication.
Set this property to false to prevent OpenSSO Enterprise 8.0 Update 1 from appending the session cookie to the URL. For example, if an application is filtering incoming URLs for special characters for security reasons and a cookie contains a special character, then access is denied. The default value is true (cookie is appended).
To set the new com.sun.identity.appendSessionCookieInURL property:
Log in to the OpenSSO Enterprise 8.0 Update 1 Admin Console.
Click Configuration, Servers and Sites, Default Server Settings, and then Advanced.
Add the property with a value of true.
The com.sun.identity.appendSessionCookieInURL property is hotswappable, which means that you don't have to restart the OpenSSO Enterprise 8.0 web container for a new value to take effect.
The amNaming log sometimes indicates multiple Site Monitor threads running to check the same site. OpenSSO Enterprise 8.0 Update 1 adds synchronization that prevents multiple Site Monitor threads from being created for the same site. OpenSSO Enterprise 8.0 also includes these new properties:
com.sun.identity.urlchecker.retry.interval specifies the time interval in milliseconds between retries for a URL connection. Default is 500 milliseconds (0.5 seconds).
com.sun.identity.urlchecker.retry.limit specifies the maximum number of retries for the URL connection if a connection failure occurs. Default is 3 retries.
After you set these properties, restart the OpenSSO Enterprise 8.0 web container for the new values to take effect.
The fix for this problem also uses the following property:
com.sun.identity.urlchecker.sleep.interval specifies the time interval in milliseconds that the site status check should sleep. Default is 30000 milliseconds (30 seconds).
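To make the interaction of the three urlchecker properties concrete, here is an added model of a site status check; it is not OpenSSO code, and the function and parameter names are this example's own. It performs one connection attempt plus up to retry.limit retries, waiting retry.interval between them, and a monitor loop that sleeps sleep.interval between status checks. The sleep function is injectable so the behaviour can be exercised without waiting, and the probe is a constructed stand-in for a real URL connection.

```python
import time

# Defaults quoted in the release notes (all in milliseconds).
RETRY_INTERVAL_MS = 500     # com.sun.identity.urlchecker.retry.interval
RETRY_LIMIT = 3             # com.sun.identity.urlchecker.retry.limit
SLEEP_INTERVAL_MS = 30000   # com.sun.identity.urlchecker.sleep.interval


def check_url(probe, retry_limit=RETRY_LIMIT,
              retry_interval_ms=RETRY_INTERVAL_MS, sleep=time.sleep):
    """Run probe() once and retry up to retry_limit times on failure.

    probe() returns True when the site answers; a connection failure is
    signalled by returning False or raising OSError. Returns (is_up, attempts),
    so with the default limit of 3 a dead site is reported after 4 attempts.
    """
    attempts = 0
    while True:
        attempts += 1
        try:
            if probe():
                return True, attempts
        except OSError:
            pass  # connection failure: fall through to the retry decision
        if attempts > retry_limit:
            return False, attempts
        sleep(retry_interval_ms / 1000.0)


def monitor(probe, cycles, sleep_interval_ms=SLEEP_INTERVAL_MS,
            sleep=time.sleep, **check_kwargs):
    """Run the status check `cycles` times, sleeping sleep.interval between
    checks, and return the list of (is_up, attempts) results."""
    history = []
    for i in range(cycles):
        history.append(check_url(probe, sleep=sleep, **check_kwargs))
        if i < cycles - 1:
            sleep(sleep_interval_ms / 1000.0)
    return history


def make_flaky_probe(failures_before_success):
    """Constructed probe: raise OSError for the first N calls, then succeed."""
    state = {"calls": 0}

    def probe():
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise OSError("connection refused")  # constructed failure
        return True
    return probe


if __name__ == "__main__":
    no_wait = lambda seconds: None
    # Recovers on the third attempt: within the default retry budget.
    print(check_url(make_flaky_probe(2), sleep=no_wait))
    # Never recovers: 1 attempt + 3 retries, then reported down.
    print(check_url(make_flaky_probe(10), sleep=no_wait))
    # Three monitor cycles against a site that answers on the first try.
    print(monitor(make_flaky_probe(0), cycles=3, sleep=no_wait))
```

Reading the results against the defaults: a site that drops two connections in a row is still reported up (it used 2 of the 3 retries), and a site that stays down costs one initial attempt plus three retries, about 1.5 seconds of retry.interval waits, before the monitor gives up and sleeps sleep.interval until the next check.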
The new com.sun.identity.policy.resultsCacheMaxSize property allows you to configure the policy decision cache for OpenSSO Enterprise 8.0 Update 1 server.
For example, a value of 1000 causes policy decisions to be cached for a maximum of 1000 sessions, irrespective of the actual number of concurrent sessions on the server.
Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking now support the Network Security Services for Java (JSS) library, enabling FIPS mode when OpenSSO Enterprise 8.0 Update 1 is deployed on the Sun Java System Web Server 7.0 Update 3 or later web container.
Note - FIPS compliance mode depends on JSS, but using JSS does not necessitate FIPS compliance mode.
Redirect callback support (RedirectCallback), which is used to redirect users to an external website as part of the authentication process, now works when the login is through a Distributed Authentication Server UI.
Previously, in cookie hijacking mode, policy agents sent the IP address of the server where they were installed to the OpenSSO Enterprise server. Now, the policy agent first sends the application SSO token. If the agent cannot obtain the application SSO token, the agent then sends the IP address to the OpenSSO Enterprise server.
If strict DN checking is required for a deployment, OpenSSO Enterprise server includes the new iplanet-am-session-dnrestrictiononly property.
The default value is false. If this property is set to true, the OpenSSO Enterprise server performs strict DN checking. If the agent sends an IP address, the OpenSSO Enterprise server considers the IP address to be an error.
To set iplanet-am-session-dnrestrictiononly for strict DN checking:
Add the property with a value of true using either the OpenSSO Enterprise Admin Console or the ssoadm utility.
Restart the OpenSSO Enterprise server web container for the DN checking to take effect.
The new com.iplanet.am.session.agentsessionidletime property sets the maximum idle timeout in minutes for policy agent sessions. The minimum value is 30 minutes. A value greater than 0 and less than 30 will be reset to 30.
The default is 0, which means that the policy agent sessions never time out.
To set com.iplanet.am.session.agentsessionidletime:
Add the property with the maximum idle timeout value using either the OpenSSO Enterprise Admin Console or the ssoadm utility.
Restart the OpenSSO server web container for the idle timeout value to take effect.
Due to the fix for security issue 3924 in OpenSSO Enterprise 8.0, the amadmin user was prevented from logging in to any authentication module other than the DataStore and Application authentication modules.
This new fix for CR 6811036 removes this restriction, but at the same time re-implements the original security fix to protect authentication as the amadmin user, which is considered an OpenSSO Enterprise internal or special user, in the following manner:
amadmin can authenticate only to the Top-Level Realm.
amadmin and its password will first be authenticated against the configuration data store. That is, this user and its password should match the amadmin user and its password in the OpenSSO Enterprise configuration data store. Then, this user will be authenticated against the required authentication store (authentication module) with the same credentials. Finally, this user will be retrieved (searched) in the OpenSSO Enterprise user data store (based on the user profile option selected in the Authentication service configuration).
The actual authentication module store and/or user data store and configuration data store could be different, as long as the above is successful. If all three stores are the same, the above would be automatically successful.
After a Client SDK installation, the service management service (SMS) cache is disabled by default, which can cause performance issues.
Workaround: To enable the cache for SMS and the Identity Repository (IdRepo), set or add the following properties in the AMClient.properties file:
com.iplanet.am.sdk.caching.enabled=true
com.sun.identity.idm.cache.enabled=true
com.sun.identity.sm.cache.enabled=true