Sun OpenSSO Enterprise 8.0 Release Notes

Java EE Agents in the Policy Agent 3.0-01 Release

Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release

The following version 3.0-01 Java EE agents are available on http://sunsolve.sun.com/.

Table 1 Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release

| Version 3.0-01 Policy Agent For | Patch ID |
| --- | --- |
| Oracle WebLogic Server 11g Release 1 (10.3.3); Oracle WebLogic Server 10g Release 3 (10.3); Oracle WebLogic Server 9.2 and 10.0; Oracle WebLogic Portal 9.2, 10.0, and 10.2 | 145385-01 |
| Sun GlassFish 2.1, V2 UR1, V2 UR2, and v3; Sun Java System Application Server 8.1, 8.2, 9.0, and 9.1 | 145383-01 |
| Apache Tomcat 6.0.x | 145384-01 |
| JBoss Application Server 4.x and 5.x | 145382-01 |
| IBM WebSphere Application Server 6.1 and 7.0; IBM WebSphere Portal Server 6.1 | 145386-01 |

Enhancements and Changes for Java EE Agents in the Policy Agent 3.0-01 Release


Note: Version 3.0 and later Java EE agents require JDK 1.5 or later on the server where you plan to install the agent. Although some web containers such as JBoss Application Server 4.x and Application Server 8.x can run using JDK 1.4, JDK 1.5 or later is required for both the agent web container and the agentadmin program.


Support is added for GlassFish v3

The version 3.0-01 Java EE agent for Sun Java System Application Server and GlassFish v2 also supports GlassFish v3. See also Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release.

Issue 5633: New property is added to reset session idle time for not-enforced URLs

Version 3.0-01 Java EE agents include the following new property to specify whether the session idle timeout should be reset after a user with a valid session accesses a URL in the not-enforced list:

com.sun.identity.agents.config.notenforced.refresh.session.idletime

Values for this property can be:

Set this property depending on the location of the agent's configuration repository. If the repository is local to the agent's host server, add the property to the agent's OpenSSOAgentConfiguration.properties file and restart the OpenSSO server instance.

If the agent's configuration repository is centralized, use the OpenSSO Administration Console as follows:

  1. Log in to the OpenSSO Administration Console.

  2. Click Access Control, realm-name, Agents, J2EE, j2ee-agent-name, and then Advanced.

  3. Under Custom Properties, add the new property with its corresponding value.

  4. Click Save.

Issue 6107: JBoss Application Server agent supports custom principal feature

JBoss Application Server 4.x and 5.x login modules support the custom principal feature, which allows users to specify a custom principal in the JBoss AS configuration. The version 3.0-01 agent for JBoss AS 4.x and 5.x also supports the custom principal feature.

To use this feature, add the following line to the <login-module> element in the JBOSS_HOME/server/default/conf/am-login-config.xml file:

<module-option name = "principalClass">com.sample.CustomPrincipal</module-option>

For example, the <login-module> element should then be as follows:

<login-module code = "com.sun.identity.agents.jboss.v40.AmJBossLoginModule" 
                  flag = "required">
    <module-option name = "unauthenticatedIdentity">anonymous</module-option>
    <module-option name = "principalClass">com.sample.CustomPrincipal</module-option>
</login-module>

In this example, com.sample.CustomPrincipal is the custom principal implementation class name. This class must be in the JBoss AS classpath.
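
A sketch of what such a class can look like, as an added example that is not part of the release notes or the agent's own code. It assumes the agent's login module instantiates the class through a public constructor taking the principal name as a single String, as the stock JBoss AS login modules do, and it uses only APIs available in JDK 1.5.

```java
package com.sample;

import java.io.Serializable;
import java.security.Principal;

/**
 * Added example: a minimal custom principal for the "principalClass" option.
 * Assumption: the login module creates instances reflectively through the
 * public (String name) constructor, as the stock JBoss AS login modules do.
 */
public final class CustomPrincipal implements Principal, Serializable {

    private static final long serialVersionUID = 1L;

    // Immutable: the identity must not change once authentication has completed.
    private final String name;

    public CustomPrincipal(String name) {
        // Reject null or empty names so no nameless identity reaches the Subject.
        if (name == null || name.length() == 0) {
            throw new IllegalArgumentException("principal name must not be empty");
        }
        this.name = name;
    }

    // No @Override here: JDK 1.5 rejects it on interface method implementations.
    public String getName() {
        return name;
    }

    // Principals are kept in the Subject's principal Set and compared during
    // authorization, so equality depends on both the exact class and the name.
    @Override
    public boolean equals(Object other) {
        if (this == other) {
            return true;
        }
        if (other == null || getClass() != other.getClass()) {
            return false;
        }
        return name.equals(((CustomPrincipal) other).name);
    }

    @Override
    public int hashCode() {
        return name.hashCode();
    }

    @Override
    public String toString() {
        return "CustomPrincipal[" + name + "]";
    }
}
```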

Issue 6108: JBoss Application Server agent redirects to the client's requested URI

If the requested URI uses the J2EE_POLICY or ALL filter mode and a user accesses a resource that the version 3.0-01 JBoss AS 4.x and 5.x agent protects with J2EE policies, the user is redirected to the client's requested resource after authentication by the OpenSSO 8.0 server. Previously, the user was redirected to the client's home page.

Issues and Workarounds for Java EE Agents in the Policy Agent 3.0-01 Release

CR 6976312: Install fails for WebSphere Application Server agent using IBM JDK on all systems except AIX

If you run the agentadmin or agentadmin.bat script to install the version 3.0-01 policy agent for IBM WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 using the IBM JDK on systems other than IBM AIX, the installation fails because the script cannot find the IBM JCE provider.

Workaround: Add the following Java options to the agentadmin or agentadmin.bat script and then rerun the installation:

AGENT_OPTS="-DamKeyGenDescriptor.provider=IBMJCE
-DamCryptoDescriptor.provider=IBMJCE
-DamRandomGenProvider=IBMJCE"

CR 6976304: WebSphere Application Server administrative console cannot be accessed

After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1, you cannot access the WebSphere administrative console.

Workaround: In the WebSphere Application Server agent profile, add the WebSphere administrative console URL to the Agent Root URL for CDSSO list, as follows:

  1. Log in to the OpenSSO Administration Console.

  2. Click Access Control, realm-name, Agents, J2EE, and then the j2ee-agent-name.

  3. In Agent Root URL for CDSSO, add the WebSphere administrative console URL.

  4. Click Save.

CR 6976308: WebSphere Application Server administrative console redirects to an incorrect URL in CDSSO mode

After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 in cross-domain single sign-on (CDSSO) mode and try to access the administrative console, you are redirected to an incorrect agentapp URL. The URL port is pointing to the admin port instead of the agentapp instance port.

Workaround: In the URL in the browser address bar, manually specify the correct port number for the agentapp instance.

Problems Fixed for Java EE Agents in the Policy Agent 3.0-01 Release

Table 2 Problems Fixed for Java EE Agents in the Policy Agent 3.0-01 Release

| CR or Issue | Description |
| --- | --- |
| 6121 | 401 error is returned instead of a 302 error when the client presents an invalid SSO Token |
| 4461 | Security context exception occurred with JBoss AS agent |
| 6107 | Custom principal in JBoss AS 4.3 is not working with J2EE agent |
| 6108 | J2EE Agent 3.0 for JBoss AS does not redirect to client request |
| 4969 | Tomcat agent J2EE tests are denied when debug level set to error mode |
| 2779 | J2EE agents should have the agentadmin script executable permission set by default |
| 5008 | GlassFish v3 server fails to start with invalid format error |
| 5012 | Tomcat 6.0 version 3.0 agent returns error with not-enforced IP list |
| 5764 | agentadmin script does not set up classpath correctly on GlassFish V3 |
| 4677 | Tomcat 6.0 agent membership removal causes HTTP 403 access denied error |
| 5197 | Application logout does not clean up sessions |
| 5744 | Issue with URL pattern matching for port number in J2EE agents |
| 4959 | HTTPS session binding should be enabled by default in agent profile |
| 5024 | When not-enforced IP is used, accessing application of declarative security returns configuration error |
| 5071 | J2EE agent with CDSSO, cookie hijacking, and composite advice has second login issue |
| 5633 | J2EE agent does not reset session idle time for not-enforced URLs |
| 5627 | IP Resource condition fails if login URL in agent profile has resource=true included |
| 6933534 | Tomcat 6.0 version 3.0 agent classes are not added to classpath resulting in Tomcat startup failure |