Sun OpenSSO Enterprise 8.0 Release Notes

Web Container and Server Issues

CR 6935896: Undeploying OpenSSO Enterprise on Sun GlassFish 2.1 using the CLI is unsuccessful

Trying to undeploy OpenSSO Enterprise 8.0 on Sun GlassFish 2.1 or Sun Java System Application Server 9.1 Update 2 is not successful and returns an “Invalid user or password” error (reported by CR 6808492). Subsequent attempts also fail with the same error message.

Workaround. This problem has been fixed in OpenSSO Enterprise 8.0 Update 1 Patch 3 (patch ID 141655-04). The following workaround applies to OpenSSO Enterprise 8.0 deployments before patch 3:

  1. In the appSrvr_install_directory/domains/domain1/config/domain.xml file, add the following entry under the java-config attribute:

    <jvm-options>
    -Dorg.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES=false
    </jvm-options>
  2. Restart the GlassFish or Application Server instance.

  3. Undeploy OpenSSO Enterprise 8.0 using the GlassFish or Application Server asadmin undeploy command.

4077: OpenSSO Enterprise configuration on WebLogic Server requires new ldapjdk.jar

OpenSSO Enterprise configuration fails on WebLogic Server because weblogic.jar bundles an older ldapjdk.jar file.

Sun provides a new ldapjdk.jar file that includes security and performance related fixes. You must provide the following workaround for both WebLogic Server 9.2 and WebLogic Server 10.

Workaround. Put the Sun ldapjdk.jar ahead of weblogic.jar in the CLASSPATH, as follows:

  1. Extract ldapjdk.jar from opensso.war in a temporary directory using the following command:

    jar xvf opensso.war WEB-INF/lib/ldapjdk.jar

  2. Copy the above extracted ldapjdk.jar to the WebLogic lib directory.

    For example, for WebLogic Server 10 on Solaris or Linux systems: BEA_HOME/weblogic_10.0/server/lib

    Or, for WebLogic Server 9.2 on Windows: BEA_HOME\weblogic92\server\lib

  3. Prefix the path to this ldapjdk.jar to the existing classpath by editing the startup script used to start WebLogic Server. In the following examples, BEA_HOME is where WebLogic Server is installed.

    For WebLogic 9.2 on Windows, edit:

    BEA_HOME\weblogic92\samples\domains\wl_server\bin\startWebLogic.cmd

    Change set CLASSPATH=%CLASSPATH%;%MEDREC_WEBLOGIC_CLASSPATH% to:

    set CLASSPATH=BEA_HOME\weblogic92\server\lib\ldapjdk.jar;%CLASSPATH%;%MEDREC_WEBLOGIC_CLASSPATH%
    

    For WebLogic 10 on Windows, edit:

    BEA_HOME\wlserver_10.0\samples\domains\wl_server\bin\startWebLogic.cmd

    Change set CLASSPATH=%CLASSPATH%;%MEDREC_WEBLOGIC_CLASSPATH% to:

    set CLASSPATH=BEA_HOME\wlserver_10.0\server\lib\ldapjdk.jar;%CLASSPATH%;%MEDREC_WEBLOGIC_CLASSPATH%

    For WebLogic 9.2 MP2 on Solaris or Linux, edit:

    /bea/weblogic92/samples/domains/wl_server/bin/startWebLogic.sh

    or

    /usr/local/bea/user_projects/domains/base_domain/bin/startWebLogic.sh

    Change CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}" to:

    CLASSPATH="BEA_HOME/weblogic92/server/lib/ldapjdk.jar${CLASSPATHSEP}${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}"

    For WebLogic 10 on Solaris or Linux, edit:

    /bea/wlserver_10.0/samples/domains/wl_server/bin/startWebLogic.sh

    or

    /bea/user_projects/domains/wl10_domain/bin/startWebLogic.sh

    Change CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}" to:

    CLASSPATH="BEA_HOME/wlserver_10.0/server/lib/ldapjdk.jar${CLASSPATHSEP}${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}"
  4. Restart the server.

  5. Configure OpenSSO Enterprise.

WebLogic Server StuckThreadMaxTime value is exceeded during configuration

If you are configuring WebLogic Server 9.2 MP2 or 10 using the Configurator and you take longer than 600 seconds to finish the configuration, the following error is returned to the terminal and WebLogic Server domain and server logs:

<Error> <WebLogicServer> <BEA-000337> <[STUCK] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "681" seconds working on the request "Http Request: /opensso/setup/setSetupProgress", which is more than the configured time (StuckThreadMaxTime) of "600" seconds. Stack trace: ...

This error occurs because the WebLogic Server has exceeded its “Stuck Thread Max Time” default value of 600 seconds.

Workaround. If the Configurator does not respond, restart it. Also, consider setting the WebLogic Server “Stuck Thread Max Time” value from its default 600 seconds to a larger value such as 1200 seconds. Use the WebLogic Console to change this value (base_domain > Environment > Servers > Admin Server > Configuration/Tuning).

4099: ID-WSF sample with JDK 1.4 WAR returned exception

On WebLogic Server 8.1, opensso-client-jdk14.war configured for ID-WSF returned an error when looking for service.

Workaround. Add the following JAR files under weblogic-home/jdk142_08/jre/lib/endorsed:

To obtain these JAR files, contact your Sun representative.

4094: Multi-server setup fails when amadmin password and directory manager password for configuration data store are not the same

This issue occurs only if the following conditions are met:

Workaround. There are two parts to this workaround:

  1. Make sure your configuration Directory Server bind DN password is the same as the amadmin password.

  2. Configure the second and additional OpenSSO Enterprise servers. To perform the second server installation and point to the first OpenSSO Enterprise server's configuration directory, simply access the Configurator page of the second OpenSSO Enterprise server and enter the amadmin password, cookie domain, and other details for Step 1 and Step 2.

    For Step 3, do not select the Add to Existing Deployment option. Instead, select the first instance option and provide the same Directory Server name, port, DN, password, and encryption key as your first server. Then, proceed with the configuration as usual.

4055: Error occurred after adding an advanced property in console

Adding an advanced property in the Console caused OpenSSO Enterprise server to return an error. This problem can occur after adding any advanced configuration property.

Workaround. If you change the default server configuration in the Console, you must restart the OpenSSO Enterprise server web container.

3858: Out of memory exceptions occur under heavy load with JDK 1.5 and 1.6 SunPKCS11 provider

JDK 1.5 and 1.6 contain a list of PKCS11 providers. The default is sun.security.pkcs11.SunPKCS11 (see the provider list below). Under a heavy load, this provider will generate an Out of Memory Exception (OOME) for the web container and cause the container to crash. At minimum, the following scenarios are impacted:

The issue is currently under investigation and might impact other web container platforms not listed above.

Workaround. Remove the SunPKCS11 provider from the provider list in the java.security file for the JVM. For example, if the security provider section in your java.security file (found in JDK_Path/jre/lib/security/) looks like:

security.provider.1=sun.security.pkcs11.SunPKCS11 \
   ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider

Change it to:

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider

Note. This workaround can lower your performance because the provider used now is not as optimized as the SunPKCS11 provider. It also prevents you from using hardware security tokens if the SunPKCS11 provider is required.
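The edit above is easy to get wrong by hand, because the SunPKCS11 entry spans two lines (a trailing backslash continues it onto the .cfg path) and the remaining providers must be renumbered contiguously from 1. The following script is an added example, not part of the release notes or of OpenSSO: it applies the workaround to java.security text, joining continuation lines, dropping the SunPKCS11 entry and renumbering what is left. The sample input is a constructed copy of the "before" listing plus one unrelated property to show that other settings are preserved.

```python
import re

# Constructed sample of the provider section of a JDK java.security file,
# matching the "before" listing in the release note (continuation line included).
SAMPLE_JAVA_SECURITY = """\
# Provider section (constructed sample)
security.provider.1=sun.security.pkcs11.SunPKCS11 \\
   ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
securerandom.source=file:/dev/urandom
"""

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(.*)$")


def _logical_lines(text):
    """Join java.security continuation lines (trailing backslash) into one entry."""
    out, buf = [], None
    for line in text.splitlines():
        buf = line if buf is None else buf + " " + line.strip()
        if buf.rstrip().endswith("\\"):
            buf = buf.rstrip()[:-1].rstrip()   # drop the backslash, keep collecting
            continue
        out.append(buf)
        buf = None
    if buf is not None:
        out.append(buf)
    return out


def providers(text):
    """Ordered list of provider class names declared in a java.security text."""
    found = []
    for line in _logical_lines(text):
        m = PROVIDER_RE.match(line)
        if m:
            found.append((m.group(2).split() or [""])[0])
    return found


def remove_provider(text, class_name="sun.security.pkcs11.SunPKCS11"):
    """Drop every security.provider.N entry whose class is class_name and
    renumber the remaining providers from 1; all other lines are kept verbatim."""
    result, n = [], 0
    for line in _logical_lines(text):
        m = PROVIDER_RE.match(line)
        if not m:
            result.append(line)
            continue
        value = m.group(2).strip()
        if value.split()[:1] == [class_name]:
            continue                     # this is the provider being removed
        n += 1
        result.append("security.provider.%d=%s" % (n, value))
    return "\n".join(result) + "\n"
```

Running remove_provider on the sample yields exactly the "after" listing from the note; running it a second time changes nothing, so it is safe to re-run on an already patched file.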

3837: Configuration fails on Oracle Application Server 10g

With Oracle Application Server 10g version 10.1.3.1 as the web container, OpenSSO configuration failed with an exception.

Workaround. Before you configure OpenSSO, add the following JVM option to the “Server Properties” for the target Oracle Application Server 10g server instance:

-Doc4j.jmx.security.proxy.off=true

2222: Password reset and account lockout services report notification errors

OpenSSO Enterprise submits email notifications using the unqualified sender name, Identity-Server, which returns error entries in the logs.

Workaround. Change the sender name from Identity-Server to Identity-Server@hostname.domainname in the following files: