If you patch OpenSSO Enterprise 8.0 with Update 1, you must re-install the admin tools in Update 1 before you run the updateschema.sh or updateschema.bat script, because the script requires the Update 1 version of the ssoadm command-line utility.
Workaround. Before you run the updateschema.sh or updateschema.bat script, install the Update 1 admin tools, as described in Chapter 3, Installing the OpenSSO Enterprise 8.0 Update 1 Admin Tools.
If the admin tools (ssoAdminTools.zip) are configured to use the IBM JVM with a secure (SSL-enabled) WebSphere Application Server 7.0 instance, ssoadm returns a fatal error.
Workaround. To configure ssoadm, see Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.
If OpenSSO Enterprise 8.0 Update 1 is deployed with IBM WebSphere Application Server 7.0 and Java 2 security is enabled, the configuration fails.
Workaround. Add the required permissions to the WebSphere Application Server 7.0 server.policy. For more information see Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.
OpenSSO Enterprise 8.0 Update 1 has added support for using KDCs hosted on Windows Server 2008. To use this new feature, however, you must install a Microsoft hotfix to KTpass on the Windows Server 2008 KDC before using the KDC for Windows Desktop SSO authentication.
For more information and to download this hotfix, see http://support.microsoft.com/kb/951191.
Workaround. If OpenSSO Enterprise 8.0 Update 1 is deployed on IBM WebSphere Application Server 7.0 on Windows:
Prefix the Keytab File Name property of the Windows Desktop SSO authentication module instance with file:///. For example:
Set the new com.sun.identity.authentication.module.WindowsDesktopSSO.Krb5LoginModule property to com.ibm.security.auth.module.Krb5LoginModule.
Set this new property using ssoadm or in the OpenSSO Enterprise Admin Console under Configuration, Sites and Server, opensso-instance-name, and Advanced. Then, restart the WebSphere Application Server 7.0 instance for the value to take effect.
When running the Configurator using Safari on a Mac, the Next and Cancel buttons are not visible, which gives the impression that the configuration cannot continue.
Workaround. Maximize the Safari browser to the fullest extent and scroll down to see the buttons.
In a session failover configuration, the Berkeley DB client does not fail over to the secondary Message Queue broker. OpenSSO Enterprise server, however, does fail over to the secondary broker, which causes the queue on that broker to fill up quickly. The broker then blocks the producer from sending any more messages, which in turn blocks messages from OpenSSO Enterprise server.
If you are using IBM WebSphere Application Server 6.1 as the web container and the Java Security Manager is enabled, the security permissions need to be updated.
Workaround. For the correct permissions, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
Workaround. Before you enable FIPS mode, back up the bootstrap file. Then, after you enable FIPS mode, replace the bootstrap file with the backup copy.
For more information, see Chapter 8, Configuring OpenSSO Enterprise 8.0 Update 1 in FIPS Mode.
Using JDK 1.6.x, when a Service Provider (SP) tries to verify a signed SAML2 response/assertion, the Identity Provider (IDP) throws a NullPointerException.
Workaround. This problem occurs because JDK 1.6.x includes an older version of the XML security library. To fix this problem:
Create an endorsed directory in JDK 1.6.x. For example:
Copy the xmlsec.jar file from the OpenSSO_WAR_extracted_dir/WEB-INF/lib directory to the endorsed directory.
Restart the OpenSSO Enterprise 8.0 web container.
When you configure OpenSSO Enterprise 8.0 Update 1 using the console, if you provide the site details such as the load balancer and server instances, the configuration finishes successfully and you can log in. However, the debug logs contain an exception.
Workaround. None. You can ignore the exception.
If you deploy OpenSSO Enterprise 8.0 Update 1 on WebLogic Server 10 for both the SP and IDP, configure the metadata for SP and IDP for signing and encryption using the default keystore, and then terminate with SOAP binding, an error is returned.
Workaround. Remove the last two lines from idpArtifactResolution.jsp, idpMNISOAP.jsp, and spMNISOAP.jsp. Also, remove any empty spaces between %> and <%.
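The point of this workaround is that any template text outside the scriptlet blocks of a JSP (including blank lines and the whitespace between one %> and the next <%) is written into the HTTP response, so a SOAP endpoint served from a JSP ends up with stray bytes ahead of the SOAP envelope. The following POSIX shell script is an added example, not part of these release notes or of the OpenSSO product: it applies the two steps above to a file and counts the characters that remain outside scriptlet blocks so you can confirm the result before restarting the container. The JSP contents it creates are a constructed stand-in, not the real idpMNISOAP.jsp or spMNISOAP.jsp, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the OpenSSO release notes): apply the SOAP JSP
# workaround and verify that no template text is left outside <% ... %>.
# The sample file written by make_sample is constructed for illustration.

# template_bytes FILE
# Prints the number of characters that lie outside <% ... %> blocks. A JSP
# container writes those characters straight into the response, so for a
# SOAP endpoint the count should be zero apart from a final newline.
template_bytes() {
    awk '{ s = s $0 "\n" }
         END {
             out = ""
             while ((i = index(s, "<%")) > 0) {
                 out = out substr(s, 1, i - 1)   # keep text before the block
                 s = substr(s, i + 2)
                 j = index(s, "%>")
                 if (j == 0) { s = ""; break }   # unterminated block: stop
                 s = substr(s, j + 2)            # drop the block body
             }
             print length(out s)
         }' "$1"
}

# fix_soap_jsp SRC DST
# Step 1: drop the last two lines (sed "$d" twice).
# Step 2: join the rest into one pattern space (:a/N/$!ba) so that the
#         substitution also removes newlines between "%>" and "<%".
fix_soap_jsp() {
    sed '$d' "$1" | sed '$d' |
        sed -e ':a' -e 'N' -e '$!ba' -e 's/%>[[:space:]]*<%/%><%/g' > "$2"
}

# make_sample FILE
# Writes a constructed stand-in for a SOAP-binding JSP that has the problem:
# blank template lines between and after its scriptlets.
make_sample() {
    cat > "$1" <<'EOF'
<%@ page contentType="text/xml" %>
<%
    // constructed stand-in for the SOAP handler code
    String envelope = "<soap:Envelope/>";
%>
<%
    out.print(envelope);
%>

<%-- trailing template text (constructed) --%>
EOF
}

work=$(mktemp -d)
make_sample "$work/spMNISOAP.jsp"
cp "$work/spMNISOAP.jsp" "$work/spMNISOAP.jsp.orig"      # keep a backup
fix_soap_jsp "$work/spMNISOAP.jsp.orig" "$work/spMNISOAP.jsp"
echo "stray template bytes before: $(template_bytes "$work/spMNISOAP.jsp.orig")"
echo "stray template bytes after:  $(template_bytes "$work/spMNISOAP.jsp")"
```

On the constructed sample the count drops from 5 to 1; the remaining character is the newline after the final %>, which follows the XML document and is harmless, whereas whitespace before the envelope breaks the SOAP response. Run the script against a copy of each listed JSP, inspect the diff against the backup, and only then replace the deployed file and restart the web container.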