Sun OpenSSO Enterprise 8.0 Update 1 Release Notes

What's New in OpenSSO Enterprise 8.0 Update 1

In addition to the new features described below, OpenSSO Enterprise 8.0 Update 1 fixes a number of problems, as listed in the README file included with patch 141655-01.

OpenDS as a User Data Store

You can configure an external OpenDS server as the OpenSSO Enterprise 8.0 Update 1 user data store, holding user profiles, authentication data, and policies.

You can also store a relatively small number of users in the embedded OpenSSO configuration data store (OpenDS), when scalability is not an important requirement. This option is useful when you want to install OpenSSO Enterprise 8.0 Update 1 quickly for demonstration or evaluation purposes. However, you should not use an embedded OpenDS server as a user data store in a production environment.

See Chapter 9, Using OpenDS as a User Data Store for OpenSSO Enterprise 8.0 Update 1.

Simplified OpenSSO WAR File Creation

The ability to create a specialized WAR file was present in OpenSSO Enterprise 8.0. In OpenSSO Enterprise 8.0 Update 1, the process has been simplified using the createwar.sh or createwar.bat script.

See Chapter 4, Creating a Specialized OpenSSO Enterprise 8.0 Update 1 WAR File.

Centralized SAMLv2 Error Conditions Page

OpenSSO Enterprise 8.0 Update 1 provides a single page where you can view all SAMLv2 error conditions. This page is useful when you are troubleshooting a SAMLv2 configuration.

See Chapter 6, Centralizing SAML Error Display in OpenSSO Enterprise 8.0 Update 1.

Secure Attribute Exchange (SAE) Data Encryption

OpenSSO Enterprise 8.0 Update 1 supports Secure Attribute Exchange (SAE) data encryption. (SAE is also known as Virtual Federation.)

See Chapter 7, Encrypting Data in a Secure Attribute Exchange in OpenSSO Enterprise 8.0 Update 1.

FIPS Compliance Mode

OpenSSO Enterprise 8.0 Update 1 supports Federal Information Processing Standards (FIPS) mode.

See Chapter 8, Configuring OpenSSO Enterprise 8.0 Update 1 in FIPS Mode.

Support for New Web Containers

OpenSSO Enterprise 8.0 Update 1 supports the web containers described in Web Containers Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes and the following new web containers:

ASP.NET Fedlet

OpenSSO Enterprise 8.0 Update 1 includes the Fedlet.dll, template metadata files, and a sample application for implementing the Fedlet with ASP.NET applications. See Chapter 10, Using the ASP.NET Fedlet with OpenSSO Enterprise 8.0 Update 1.

Other Enhancements in OpenSSO Enterprise 8.0 Update 1

CR 6244578: New Property Warns Users if Browser Cookie Support is Disabled or Not Available

The new com.sun.identity.am.cookie.check property indicates whether OpenSSO server should check if cookie support is disabled or not available in the user's browser. A value of true causes OpenSSO server to display an error message if the browser does not support cookies or has not enabled cookies.

Previously, if cookie support was disabled or not available in the user's browser and OpenSSO server was not in cookieless mode, the login appeared to fail with no error shown. Authentication itself actually succeeded, but OpenSSO server could not redirect the user to the OpenSSO protected web site.

To Set the Property

  1. Log in to the OpenSSO Administration Console.

  2. Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.

  3. Click Add and then specify:

    • Property Name: com.sun.identity.am.cookie.check

    • Property Value: true or false

  4. Click Save.

  5. Restart the OpenSSO server instance.

Note - If OpenSSO server is expected to support cookieless mode for authentication, set this property to false (which is the default).

CR 6770231: OpenSSO Enterprise 8.0 Update 1 Validates goto URLs

OpenSSO Enterprise 8.0 Update 1 can validate the goto URL after a user logs in. Without this check the login page acts as an open redirect: an attacker can craft a login link whose goto parameter sends the authenticated user to an impostor site in order to steal the user's personal information.

To Set Valid goto URLs:

  1. Install OpenSSO Enterprise 8.0 Update 1. If you are patching OpenSSO Enterprise 8.0, make sure you run the updateschema.sh or updateschema.bat script and restart the OpenSSO Enterprise web container.

  2. Log in to the Admin Console.

  3. Click Configuration, Authentication, and then Core.

  4. Under Valid goto URL domains, add each valid goto domain name, as follows:

    • A domain name starting with a dot (.) such as .example.com allows all hosts in the example.com domain to be used in a success redirect URL.

    • A domain name that does not start with a dot (.) such as example.com allows the host example.com to be used in a success redirect URL. For example, http://example.com would be valid, but http://host.example.com would not be valid.

    • If you don't add the entire domain to the list, you must add each individual agent host name being used.

    • You do not need to add domains for agents in CDSSO mode, because they are protected automatically.

  5. Click Save.

  6. Restart the OpenSSO Enterprise web container.

    If you subsequently want to disable the goto URL validation, remove all entries from the Valid goto URL domains list.

Additional Information - If a goto URL is found to be invalid, the user will be redirected to the default success login URL (/opensso/console).
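The following Python function is an added example, not OpenSSO code, that models the goto URL rules above: a leading-dot entry allows every host in the domain, an entry without a leading dot allows exactly that host, an empty list disables validation, and an invalid goto URL falls back to the default success URL. It assumes (the page does not say) that a leading-dot entry is a suffix match on the host, so the bare domain example.com needs its own entry, that path-relative goto values are accepted because they stay on the OpenSSO server, and that only http and https absolute URLs are considered. The sample goto values in the demo are constructed to show common open-redirect tricks (userinfo, look-alike subdomains, scheme-relative URLs).

```python
"""Goto URL validation modelled on the OpenSSO Enterprise 8.0 Update 1 rules.

Added example, not OpenSSO code.  Assumptions not stated in the release
notes: a leading-dot entry is a suffix match on the host, relative paths are
accepted, and only absolute http(s) URLs are considered.
"""
from urllib.parse import urlsplit

DEFAULT_SUCCESS_URL = "/opensso/console"   # default success login URL from the page


def goto_host(url):
    """Return the lower-cased host of an absolute http(s) goto URL, "" for a
    path-relative URL, or None when the URL is not a safe redirect target.

    urlsplit() resolves userinfo tricks such as http://example.com@evil.com
    to the real host (evil.com) and strips any port."""
    parts = urlsplit(url.strip())
    if not parts.scheme and not parts.netloc:
        return ""                  # /app/home: relative path on this server (assumption)
    if parts.scheme.lower() not in ("http", "https"):
        return None                # javascript:, data:, or scheme-relative //evil.com
    return parts.hostname or None  # None when the authority carries no host


def host_allowed(host, valid_domains):
    """Apply the Valid goto URL domains list to one lower-cased host name."""
    for entry in valid_domains:
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("."):
            if host.endswith(entry):       # any host in the domain
                return True
        elif host == entry:                # exactly this host
            return True
    return False


def resolve_goto(goto, valid_domains, default_url=DEFAULT_SUCCESS_URL):
    """Return the URL the user is redirected to after a successful login."""
    domains = [d for d in valid_domains if d.strip()]
    if not domains:
        return goto                # empty list: validation disabled, as on the page
    host = goto_host(goto)
    if host is None:
        return default_url         # unparseable or non-http(s) target
    if host == "":
        return goto                # relative path
    return goto if host_allowed(host, domains) else default_url


if __name__ == "__main__":
    # Constructed sample goto values, including typical open-redirect tricks.
    allowed = [".example.com"]
    for candidate in ("http://app1.example.com/home",
                      "http://example.com@evil.com/",
                      "http://www.example.com.evil.com/",
                      "//evil.com/",
                      "/app/home"):
        print("%-40s -> %s" % (candidate, resolve_goto(candidate, allowed)))
```

Note that the host comparison is done on the parsed host, not on the raw string: a substring check such as "example.com" in goto would accept http://example.com.evil.com/ and http://example.com@evil.com/, both of which this version sends to the default success URL.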

CR 6696910: New Property makes Event Notification Cache Configurable

The new com.sun.am.event.notification.expire.time property allows you to configure or disable the event notification cache in order to improve performance.

To disable the cache, set this property to 0 (zero). The default is 30 minutes.

After you set this property, restart the OpenSSO Enterprise 8.0 web container for the new value to take effect.

CR 6740071: New Property Controls Session Cookie for Zero Page Authentication

The new com.sun.identity.appendSessionCookieInURL property determines whether OpenSSO Enterprise 8.0 Update 1 appends the session cookie to the URL for zero page authentication.

Set this property to false to stop OpenSSO Enterprise 8.0 Update 1 from appending the session cookie to the URL. This is needed, for example, when an application filters incoming URLs for special characters for security reasons: if the cookie value contains such a character, the application denies access. The default value is true (the cookie is appended). Because a session token carried in a URL can also end up in browser history, proxy logs, and Referer headers, set the property to false unless zero page authentication actually requires it.

To set the new com.sun.identity.appendSessionCookieInURL property:

  1. Log in to the OpenSSO Enterprise 8.0 Update 1 Admin Console.

  2. Click Configuration, Servers and Sites, Default Server Settings, and then Advanced.

  3. Add the com.sun.identity.appendSessionCookieInURL property with a value of false (to stop appending the cookie) or true (the default).

  4. Click Save.

The com.sun.identity.appendSessionCookieInURL property is hotswappable, which means that you don't have to restart the OpenSSO Enterprise 8.0 web container for a new value to take effect.

CR 6691106: New Properties Prevent Multiple Site Monitor Threads

The amNaming log sometimes shows multiple Site Monitor threads running to check the same site. To prevent this problem, OpenSSO Enterprise 8.0 Update 1 improves the synchronization so that only one Site Monitor thread is created per site. OpenSSO Enterprise 8.0 Update 1 also includes these new properties:

After you set these properties, restart the OpenSSO Enterprise 8.0 web container for the new values to take effect.

The fix for this problem also uses the following property:

CR 6797423: New property configures OpenSSO Enterprise server policy decision cache

The new com.sun.identity.policy.resultsCacheMaxSize property allows you to configure the policy decision cache for OpenSSO Enterprise 8.0 Update 1 server.

For example, a value of 1000 causes policy decisions to be cached for a maximum of 1000 sessions, irrespective of the actual number of concurrent sessions on the server.

CR 6785321: CRL and OCSP checking support JSS-based logic

Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking now support the Network Security Services for Java (JSS) library, enabling FIPS mode when OpenSSO Enterprise 8.0 Update 1 is deployed on the Sun Java System Web Server 7.0 Update 3 or later web container.

Note - FIPS compliance mode depends on JSS, but using JSS does not necessitate FIPS compliance mode.

CR 6657112: Redirect callback support is added for Distributed Authentication Server UI

Redirect callback support (RedirectCallback), which is used to redirect users to an external website as part of the authentication process, now works when the login is through a Distributed Authentication Server UI.

CR 6657367: CDCServlet removes the JavaScript enabled dependency for user's browser

If cross-domain single sign-on (CDSSO) is enabled for a policy agent, the CDCServlet can now redirect assertions (CDCRedirectServlet) for the agent, even if JavaScript is disabled for the user's browser.

CR 6496155: Policy agents send token other than the IP address in cookie hijacking mode

Previously, in cookie hijacking mode, policy agents sent the IP address of the server where they were installed to the OpenSSO Enterprise server. Now, the policy agent first sends the application SSO token. If the agent cannot obtain the application SSO token, the agent then sends the IP address to the OpenSSO Enterprise server.

If strict DN checking is required for a deployment, OpenSSO Enterprise server includes the new iplanet-am-session-dnrestrictiononly property.

The default value is false. If this property is set to true, the OpenSSO Enterprise server performs strict DN checking. If the agent sends an IP address, the OpenSSO Enterprise server considers the IP address to be an error.

To set iplanet-am-session-dnrestrictiononly for strict DN checking:

  1. Add the property with a value of true using either the OpenSSO Enterprise Admin Console or the ssoadm utility.

  2. Restart the OpenSSO Enterprise server web container for the DN checking to take effect.
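As an added example (not OpenSSO code), the following Python check models the server-side rule described above: the agent's restriction is accepted whether it is a DN or an IP address when iplanet-am-session-dnrestrictiononly is false (the default), and an IP address is rejected as an error when it is true. It assumes that the server has already resolved a valid application SSO token to the agent's DN, so the check only ever sees a DN string or an IP address; the DN syntax test is a deliberately simple RDN regex rather than a full RFC 4514 parser, and the agent DN and address in the demo are constructed sample values.

```python
"""Session-restriction check for policy agents in cookie hijacking mode.

Added example, not OpenSSO code.  Assumption: a valid application SSO token
has already been resolved to the agent's DN before this check runs.
"""
import ipaddress
import re

# One or more attr=value RDNs separated by commas (simplified, not full RFC 4514),
# e.g. uid=agent1,ou=agents,dc=example,dc=com
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(?:,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


class RestrictionError(ValueError):
    """Raised when the restriction sent by the agent is rejected."""


def classify_restriction(value):
    """Return "ip" or "dn" for the value the agent sent, or None if it is neither."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)    # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    return "dn" if DN_RE.match(value) else None


def accept_restriction(value, dn_restriction_only=False):
    """Apply the iplanet-am-session-dnrestrictiononly rule (default false).

    Returns the accepted restriction kind or raises RestrictionError."""
    kind = classify_restriction(value)
    if kind is None:
        raise RestrictionError("unrecognised session restriction: %r" % value)
    if kind == "ip" and dn_restriction_only:
        raise RestrictionError("IP address restriction rejected: strict DN checking is enabled")
    return kind


def restriction_ok(value, dn_restriction_only=False):
    """Boolean form of accept_restriction() for callers that only need a verdict."""
    try:
        accept_restriction(value, dn_restriction_only)
        return True
    except RestrictionError:
        return False


if __name__ == "__main__":
    # Constructed sample values: an agent DN and an agent host address.
    for value, strict in (("uid=agent1,ou=agents,dc=example,dc=com", True),
                          ("192.0.2.10", False),
                          ("192.0.2.10", True)):
        try:
            print("%-42s strict=%-5s -> %s" % (value, strict, accept_restriction(value, strict)))
        except RestrictionError as err:
            print("%-42s strict=%-5s -> error: %s" % (value, strict, err))
```

Before turning on strict DN checking in a deployment, confirm from the agent side that every agent can actually obtain its application SSO token; otherwise the agents that fall back to their IP address will have their sessions rejected.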

CR 6697260: New property allows policy agent sessions to time out

The new com.iplanet.am.session.agentsessionidletime property sets the maximum idle timeout in minutes for policy agent sessions. The minimum value is 30 minutes. A value greater than 0 and less than 30 will be reset to 30.

The default is 0, which means that the policy agent sessions never time out.

To set com.iplanet.am.session.agentsessionidletime:

  1. Add the property with the maximum idle timeout value using either the OpenSSO Enterprise Admin Console or the ssoadm utility.

  2. Restart the OpenSSO server web container for the idle timeout value to take effect.

CR 6811036: After upgrading from JES4, in co-existence mode, amadmin authenticates to configuration data store

Due to the fix for security issue 3924 in OpenSSO Enterprise 8.0, the amadmin user was prevented from logging in through any authentication module other than the DataStore and Application authentication modules.

This new fix for CR 6811036 removes this restriction, but at the same time re-implements the original security fix to protect authentication as the amadmin user, which is considered the OpenSSO Enterprise internal or special user, in the following manner:

CR 6827616: SMS cache is disabled by default for the Client SDK

After a Client SDK installation, the service management service (SMS) cache is disabled by default, which can cause performance issues.

Workaround: To enable the cache for SMS and the Identity Repository (IdRepo), set or add the following properties in the AMClient.properties file:

com.iplanet.am.sdk.caching.enabled=true
com.sun.identity.idm.cache.enabled=true
com.sun.identity.sm.cache.enabled=true