Sun OpenSSO Enterprise 8.0 Update 1 Release Notes

Other Enhancements in OpenSSO Enterprise 8.0 Update 1

CR 6244578: New Property Warns Users if Browser Cookie Support is Disabled or Not Available

The new com.sun.identity.am.cookie.check property controls whether OpenSSO server checks that the user's browser accepts cookies. When the property is set to true, OpenSSO server displays an error message if the browser does not support cookies or has cookies disabled.

Previously, if cookies were disabled or unavailable in the user's browser and OpenSSO server was not in cookieless mode, the login appeared to fail without any error: authentication itself succeeded, but without a session cookie OpenSSO server could not redirect the user to the OpenSSO protected web site.

To Set the Property

  1. Log in to the OpenSSO Administration Console.

  2. Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.

  3. Click Add and then specify:

    • Property Name: com.sun.identity.am.cookie.check

    • Property Value: true or false

  4. Click Save.

  5. Restart the OpenSSO server instance.

Note - If OpenSSO server is expected to support cookieless mode for authentication, set this property to false (which is the default).

CR 6770231: OpenSSO Enterprise 8.0 Update 1 Validates goto URLs

OpenSSO Enterprise 8.0 Update 1 can validate the goto URL (the URL the user is redirected to after a successful login) so that an attacker cannot use the login page as an open redirect to send the user to an impostor site that harvests the user's personal information.

To Set Valid goto URLs:

  1. Install OpenSSO Enterprise 8.0 Update 1. If you are patching OpenSSO Enterprise 8.0, make sure you run the updateschema.sh or updateschema.bat script and restart the OpenSSO Enterprise web container.

  2. Log in to the Admin Console.

  3. Click Configuration, Authentication, and then Core.

  4. Under Valid goto URL domains, add each valid goto domain name, as follows:

    • A domain name starting with a dot (.) such as .example.com allows all hosts in the example.com domain to be used in a success redirect URL.

    • A domain name that does not start with a dot (.) such as example.com allows the host example.com to be used in a success redirect URL. For example, http://example.com would be valid, but http://host.example.com would not be valid.

    • If you do not add an entire domain (a dot-prefixed entry) to the list, you must add each individual agent host name that is in use.

    • You do not need to add domains for agents in CDSSO mode, because they are protected automatically.

  5. Click Save.

  6. Restart the OpenSSO Enterprise web container.

    If you subsequently want to disable goto URL validation, remove all entries from the Valid goto URL domains list. An empty list turns the check off entirely, so every goto URL is accepted again.

Additional Information - If a goto URL is found to be invalid, the user will be redirected to the default success login URL (/opensso/console).
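The following Python code is an added illustration of the matching rules above and is not OpenSSO code. It applies a Valid goto URL domains list to a candidate goto URL and returns either the goto URL or the default success login URL. The function names, the sample domain list, the treatment of relative goto URLs and the http/https-only rule are assumptions of this example, not documented OpenSSO behaviour.

```python
"""Goto URL validation in the style of the Valid goto URL domains rules.

Added example; not OpenSSO code. Function names, the treatment of relative
goto URLs and the http/https-only rule are assumptions of this example.
"""
from urllib.parse import urlsplit

# Default success login URL named in the release notes.
DEFAULT_SUCCESS_URL = "/opensso/console"

# Constructed sample of a Valid goto URL domains list: one dot-prefixed
# domain entry plus one exact host entry.
EXAMPLE_VALID_DOMAINS = [".example.com", "partner.net"]


def host_allowed(host, valid_domains):
    """Apply the domain list rules to one host name.

    An entry that starts with "." matches every host under that domain
    (".example.com" matches app.example.com but not example.com itself);
    any other entry matches exactly that one host.
    """
    host = host.lower()
    for entry in valid_domains:
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("."):
            if host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def resolve_goto(goto, valid_domains):
    """Return the URL a user is sent to after a successful login.

    An empty domain list disables validation, as the release notes state.
    Otherwise a goto URL whose host is not allowed is replaced by the
    default success login URL.
    """
    if not valid_domains:
        return goto
    parts = urlsplit(goto.strip())
    if not parts.scheme and not parts.netloc:
        # Assumption of this example: a relative goto (no scheme, no host)
        # stays on the OpenSSO server itself, so there is nothing to check.
        return goto
    # Hardening choice of this example, not a documented OpenSSO rule: only
    # http/https targets are honoured. This also rejects protocol-relative
    # gotos such as //evil.test/, whose scheme is empty but whose netloc is not.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return DEFAULT_SUCCESS_URL
    # urlsplit().hostname is the part after any user@ prefix and before the
    # port, so http://app.example.com@evil.test/ is judged on evil.test.
    if not host_allowed(parts.hostname, valid_domains):
        return DEFAULT_SUCCESS_URL
    return goto


if __name__ == "__main__":
    for candidate in (
        "http://app.example.com/home",
        "http://example.com/",
        "http://app.example.com@evil.test/",
        "//evil.test/x",
        "/opensso/idm/EndUser",
    ):
        print(candidate, "->", resolve_goto(candidate, EXAMPLE_VALID_DOMAINS))
```

Note that with only .example.com in the list, a goto of http://example.com/ is rejected, because the dot-prefixed entry matches hosts under the domain and not the domain's apex host; add example.com as a separate entry if that host is a legitimate redirect target.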

CR 6696910: New Property makes Event Notification Cache Configurable

The new com.sun.am.event.notification.expire.time property allows you to configure or disable the event notification cache in order to improve performance.

To disable the cache, set this property to 0 (zero). The default is 30 minutes.

After you set this property, restart the OpenSSO Enterprise 8.0 web container for the new value to take effect.

CR 6740071: New Property Controls Session Cookie for Zero Page Authentication

The new com.sun.identity.appendSessionCookieInURL property determines whether OpenSSO Enterprise 8.0 Update 1 appends the session cookie to the URL for zero page authentication.

Set this property to false to prevent OpenSSO Enterprise 8.0 Update 1 from appending the session cookie to the URL. For example, if an application filters incoming URLs for special characters for security reasons and the cookie value contains such a character, the request is denied. The default value is true (the cookie is appended).

To set the new com.sun.identity.appendSessionCookieInURL property:

  1. Log in to the OpenSSO Enterprise 8.0 Update 1 Admin Console.

  2. Click Configuration, Servers and Sites, Default Server Settings, and then Advanced.

  3. Add the property with the value you want: false to stop appending the session cookie, or true to keep the default behavior.

  4. Click Save.

The com.sun.identity.appendSessionCookieInURL property is hotswappable, which means that you don't have to restart the OpenSSO Enterprise 8.0 web container for a new value to take effect.

CR 6691106: New Properties Prevent Multiple Site Monitor Threads

The amNaming log sometimes shows multiple Site Monitor threads checking the same site. To prevent this, OpenSSO Enterprise 8.0 Update 1 adds synchronization so that only one Site Monitor thread is created per site. OpenSSO Enterprise 8.0 Update 1 also includes these new properties:

After you set these properties, restart the OpenSSO Enterprise 8.0 web container for the new values to take effect.

The fix for this problem also uses the following property:

CR 6797423: New property configures OpenSSO Enterprise server policy decision cache

The new com.sun.identity.policy.resultsCacheMaxSize property allows you to configure the policy decision cache for OpenSSO Enterprise 8.0 Update 1 server.

For example, a value of 1000 causes policy decisions to be cached for a maximum of 1000 sessions, irrespective of the actual number of concurrent sessions on the server.

CR 6785321: CRL and OCSP checking support JSS-based logic

Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking now support the Network Security Services for Java (JSS) library, enabling FIPS mode when OpenSSO Enterprise 8.0 Update 1 is deployed on the Sun Java System Web Server 7.0 Update 3 or later web container.

Note - FIPS compliance mode requires JSS, but using JSS does not by itself require or enable FIPS compliance mode.

CR 6657112: Redirect callback support is added for Distributed Authentication Server UI

Redirect callback support (RedirectCallback), which is used to redirect users to an external website as part of the authentication process, now works when the login is through a Distributed Authentication Server UI.

CR 6657367: CDCServlet removes the JavaScript enabled dependency for user's browser

If cross-domain single sign-on (CDSSO) is enabled for a policy agent, the CDCServlet can now redirect assertions (CDCRedirectServlet) for the agent, even if JavaScript is disabled for the user's browser.

CR 6496155: Policy agents send a token other than the IP address in cookie hijacking mode

Previously, in cookie hijacking mode, policy agents sent the IP address of the server on which they were installed to the OpenSSO Enterprise server. Now, the policy agent first sends the application SSO token. If the agent cannot obtain the application SSO token, the agent falls back to sending the IP address to the OpenSSO Enterprise server.

If strict DN checking is required for a deployment, OpenSSO Enterprise server includes the new iplanet-am-session-dnrestrictiononly property.

The default value is false. If this property is set to true, the OpenSSO Enterprise server performs strict DN checking and treats an IP address sent by an agent as an error instead of accepting it as a fallback.

To set iplanet-am-session-dnrestrictiononly for strict DN checking:

  1. Add the property with a value of true using either the OpenSSO Enterprise Admin Console or the ssoadm utility.

  2. Restart the OpenSSO Enterprise server web container for the DN checking to take effect.

CR 6697260: New property allows policy agent sessions to time out

The new com.iplanet.am.session.agentsessionidletime property sets the maximum idle timeout in minutes for policy agent sessions. The minimum value is 30 minutes; a value greater than 0 but less than 30 is reset to 30.

The default is 0, which means that the policy agent sessions never time out.

To set com.iplanet.am.session.agentsessionidletime:

  1. Add the property with the maximum idle timeout value using either the OpenSSO Enterprise Admin Console or the ssoadm utility.

  2. Restart the OpenSSO server web container for the idle timeout value to take effect.

CR 6811036: After upgrading from JES4, in co-existence mode, amadmin authenticates to configuration data store

Due to the fix for security issue 3924 in OpenSSO Enterprise 8.0, the amadmin user was prevented from logging in through any authentication module other than the DataStore and Application authentication modules.

The fix for CR 6811036 removes this restriction while re-implementing the original security fix, so that authentication as the amadmin user (which OpenSSO Enterprise treats as an internal or special user) remains protected in the following manner:

CR 6827616: SMS cache is disabled by default for the Client SDK

After a Client SDK installation, the service management service (SMS) cache is disabled by default, which can cause performance issues.

Workaround: To enable the cache for SMS and the Identity Repository (IdRepo), set or add the following properties in the AMClient.properties file:


com.iplanet.am.sdk.caching.enabled=true
com.sun.identity.idm.cache.enabled=true
com.sun.identity.sm.cache.enabled=true
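The following Python code is an added example, not part of the OpenSSO Client SDK, for checking whether an AMClient.properties file actually carries the three cache settings above. It includes a small reader for the Java .properties format (comments, both the = and : separators, and backslash line continuations), so a setting written in any of those forms is recognized. The sample file contents are constructed for the example, and the function names are the example's own.

```python
"""Check an AMClient.properties file for the three cache settings.

Added example; not part of the OpenSSO Client SDK. The sample file contents
below are constructed, and the function names are this example's own.
"""

REQUIRED_CACHE_PROPERTIES = (
    "com.iplanet.am.sdk.caching.enabled",
    "com.sun.identity.idm.cache.enabled",
    "com.sun.identity.sm.cache.enabled",
)

# Constructed sample: a fragment as it might look straight after a Client SDK
# installation, with the caches disabled.
SAMPLE_DEFAULT = """\
# AMClient.properties (constructed sample, not from a real installation)
com.iplanet.am.naming.url=http://sso.example.com:8080/opensso/namingservice
com.iplanet.am.sdk.caching.enabled=false
com.sun.identity.idm.cache.enabled : false
com.sun.identity.sm.cache.enabled=false
"""

# Constructed sample after applying the workaround, using the separators and
# the line continuation that the Java .properties format allows.
SAMPLE_FIXED = """\
com.iplanet.am.naming.url=http://sso.example.com:8080/opensso/namingservice
com.iplanet.am.sdk.caching.enabled=true
com.sun.identity.idm.cache.enabled : true
com.sun.identity.sm.cache.enabled = \\
    true
"""


def _continues(line):
    """True when the line ends with an odd number of backslashes."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def _split_key_value(line):
    """Split at the first unescaped '=', ':' or whitespace after the key."""
    j = 0
    while j < len(line):
        if line[j] == "\\":
            j += 2          # skip an escaped character inside the key
            continue
        if line[j] in "=: \t\f":
            break
        j += 1
    key = line[:j]
    rest = line[j:].lstrip(" \t\f")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t\f")
    return key, rest


def parse_properties(text):
    """Minimal Java .properties reader: comments, both separators and
    line continuations. Escape sequences are left as written."""
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue            # comment lines are never continued
        while _continues(line) and i < len(lines):
            line = line[:-1] + lines[i].lstrip()
            i += 1
        key, value = _split_key_value(line)
        props[key] = value
    return props


def missing_cache_settings(text):
    """Return the cache properties that are absent or not set to true."""
    props = parse_properties(text)
    return [name for name in REQUIRED_CACHE_PROPERTIES
            if props.get(name, "").strip().lower() != "true"]


def missing_cache_settings_in_file(path):
    """Run the check against a real AMClient.properties on disk."""
    with open(path, encoding="latin-1") as fh:   # .properties files are ISO-8859-1
        return missing_cache_settings(fh.read())


if __name__ == "__main__":
    print("default:", missing_cache_settings(SAMPLE_DEFAULT))
    print("fixed:  ", missing_cache_settings(SAMPLE_FIXED))
```

Run missing_cache_settings_in_file on the Client SDK's AMClient.properties after applying the workaround; an empty list means all three caches are enabled, and any name returned is a property still missing or still set to false.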