Oracle Enterprise Single Sign-on Suite Plus 11.1.1.5.1 Bundle Patch Release Notes

This document describes the resolved issues and new features included in the Oracle Enterprise Single Sign-on Suite Plus Bundle Patch 11.1.1.5.1, as well as a list of known issues, if applicable. It also provides information about installing and uninstalling this bundle patch.

Oracle Enterprise Single Sign-on Logon Manager (ESSO-LM) is the only component of the Oracle Enterprise Single Sign-on Suite Plus 11.1.1.5.0 that is affected by this bundle patch. Other products in the suite remain unchanged.

The information in this document supplements and supersedes information in the original release notes for this product.

Contents

·     Resolved Issues

·     New Features

·     Change Introduced

·     Open Issues

·     Installation Instructions

·     Uninstalling this Bundle Patch

·     Related Documentation

Resolved Issues

This section contains the list of issues addressed in this bundle patch with their corresponding tracking numbers:

·     a17538: Microsoft Internet Explorer dropped keystrokes when the Agent was running.

·     a17577: The Agent auto-populated the username field with the word "OK" when credential sharing was enabled. The field was uneditable until it was excluded from the credential sharing group.

·     a17579: Synchronization was occurring after each successful credential submission.

·     a17584: The Agent was utilizing 100 percent of the CPU's power in certain configurations.

·     a17601, BugDB12398818: The ESSO-LM Administrative Console terminated unexpectedly during operation of the Configuration Test Manager.

·     a17631: Switching the password recovery method from “User passphrase” to “Passphrase suppression using user’s SID” failed if the Windows password was changed before authenticating to ESSO-LM.

·     a17687: Passphrase suppression was switched from on to off during an upgrade from ESSO-LM version 11.1.1.2.0 to 11.1.1.5.0.

·     a17688: After upgrading from ESSO-LM version 10.1.4.1.0 to 11.1.1.5.0, the Agent was unable to retrieve the user's previous passphrase answer, displaying a message that the verification process was not successful.

New Features

·     s8675, a17449: ESSO-LM has added support for dynamic assignment of short names of mainframe sessions for Attachmate InfoConnect extensions to a HLLAPI interface.

·     a17265, BugDB12548767: ESSO-LM has added support for Mozilla Firefox 4.0. 

·     a17375: You can now configure the following features for Smart Card authenticator:

         o  Lock Desktop on Smart Card Removal. After a user logs on to a workstation with smart card and PIN, removing the card locks the desktop and resets authentication status. To use this feature, you must set “Lock desktop on smart card removal” to “Yes” in the ESSO-LM Administrative Console, and users must be enrolled in Smart Card authenticator as their Primary Logon Method.

Note: In order for this feature to function properly, ESSO-LM must be fully loaded in the system tray. If it has not finished loading, removing the card will not lock the desktop.

         o  Smart Card PIN as Recovery Method. Smart Card PIN is now a secondary authentication method for recovery. This feature allows users to authenticate to ESSO-LM without a smart card using the PIN as a passphrase. This is useful in the case where a user loses a card and is waiting for a new one. Additionally, if a new certificate is added to the smart card or the smart card PIN changes, the secondary authentication method can be used to authenticate users. This process is transparent to users. To use this feature, you must set “Recovery method” to “Smart card PIN” in the ESSO-LM Administrative Console, and users must be enrolled in Smart Card authenticator as their Primary Logon Method. This feature works in conjunction with PIN Recovery Group.

         o  PIN Recovery Group. Administrators can temporarily assign users who have lost their smart cards to a PIN recovery group, allowing these users to authenticate using their PIN until the card is replaced. To use this feature, you must specify the name of an Active Directory Security Group as the value of “PIN recovery group,” and set “Recovery method” to “Smart card PIN” in the ESSO-LM Administrative Console. Additionally, users must be enrolled in Smart Card authenticator as their Primary Logon Method.

Note: You cannot use a PIN recovery group in conjunction with the Secure PIN Entry feature.

         o  Eliminate ESSO-LM Authentication Prompt After Windows Logon with Smart Card. If a user logs on to a workstation with smart card and PIN, ESSO-LM will use the PIN entered by the user at the Windows logon to authenticate, and not prompt the user again for a PIN. This will continue until the ESSO-LM re-authentication timer expires or the user performs an action for which ESSO-LM forces re-authentication. To use this feature, you must set “Allow forced verification” to “Yes” in the ESSO-LM Administrative Console, users must enroll in Smart Card authenticator as their Primary Logon Method, and you MUST install Network Provider with ESSO-LM.

See the ESSO-LM Administrative Console help and Global Agent Settings Reference Guide for information on using these new settings.

·     a17408: The inclusion of the third and fourth field columns in the Logon Chooser dialog box is now configurable in the Administrative Console. The new setting appears on the "Miscellaneous" tab of the selected application. See the ESSO-LM Administrative Console help for more information.

·     a17433: ESSO-LM has added support to Smart Card authenticator for PIV and Gemalto .NET v2 smart cards with Microsoft Base Smart Card CSP on the Microsoft Windows 7 32-bit operating system.

Note: While Oracle products are designed to support both the PKCS#11 and Microsoft CAPI standards for smart cards, Oracle does not test every combination of smart cards and middleware with its products. Due to variations in middleware vendors’ implementation of these standards, a specific smart card or middleware product may not be compatible. If you experience problems with a product that claims support for these standards, contact the product vendor and Oracle Support for assistance.

·     a17450: Two new features have been added to Smart Card and Read-Only Smart Card authenticators:

         o  Custom Certificate Check Extension. The CCCE allows the authenticators to load a third-party module, such as CCCE.dll, from a specified location and pass a certificate contained on a smart card to this module. This module can perform additional certificate checks, and if the additional checks fail, authentication to ESSO-LM will not succeed. Specify the path to the third-party module as the value of "Custom certificate check extension path" in the ESSO-LM Administrative Console. Users must be enrolled in Smart Card or Read-Only Smart Card as their Primary Logon Method.

         o  Secure PIN Entry. This feature allows users to enter a PIN on a smart card reader keypad that supports SPE. To use this feature, set “Allow secure PIN entry” to “Only allow SPE login” in the ESSO-LM Administrative Console. Users must be enrolled in Smart Card or Read-Only Smart Card as their Primary Logon Method.

Notes:

         o  You cannot use Secure PIN Entry in conjunction with the PIN Recovery Group feature.

         o  Due to firmware limitations with some readers, users might experience a significant delay (up to 25 seconds) if they attempt to cancel out of the Confirm Smart Card PIN dialog box.

Refer to the ESSO-LM Administrative Console help and Global Agent Settings Reference Guide for information about using these settings.

·     a17508: ESSO-LM Secure Data Storage now supports Oracle Internet Directory for Read-Only Smart Card authenticator. For the procedure to configure this functionality, see the Oracle Enterprise Single Sign-on Logon Manager Strong Authenticator Configuration Guide.
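
Because membership in the PIN recovery group (a17375) is meant to be temporary, the following check reports how long each account has been in that Active Directory group. It is an added example, not part of the Oracle documentation or product; the group name ESSO-PIN-Recovery and the 14-day threshold are assumptions, and the script relies on the Microsoft ActiveDirectory PowerShell module.

```powershell
# Added example: audit the age of memberships in the PIN recovery group.
# Assumptions: the group name and the 14-day threshold are placeholders;
# use the group configured as "PIN recovery group" in the Administrative Console.
param(
    [string]$GroupName  = 'ESSO-PIN-Recovery',   # hypothetical group name
    [int]   $MaxAgeDays = 14                     # assumed card replacement window
)

Import-Module ActiveDirectory -ErrorAction Stop

# Current membership (distinguished names) of the recovery group
$group = Get-ADGroup -Identity $GroupName -Properties member

# Query one domain controller so that all timestamps come from the same replica
$dc  = (Get-ADDomain).PDCEmulator
$now = Get-Date

# Linked-value replication metadata records when each "member" link last changed,
# which for a current member is the time it was most recently added to the group
$links = Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
             -Server $dc -ShowAllLinkedValues -Properties member

# Index the metadata by member DN (PowerShell hashtable keys are case-insensitive)
$addedAt = @{}
foreach ($link in $links) {
    $addedAt[$link.AttributeValue] = $link.LastOriginatingChangeTime
}

# Report current members only; links that were removed since are ignored
$report = foreach ($dn in $group.member) {
    $added = $addedAt[$dn]
    $days  = if ($added) { [math]::Floor(($now - $added).TotalDays) } else { $null }
    [pscustomobject]@{
        Member       = $dn
        AddedToGroup = $added
        DaysInGroup  = $days
        # Flag members past the threshold, and members with no metadata to judge by
        Overdue      = ($null -eq $days) -or ($days -gt $MaxAgeDays)
    }
}

$report | Sort-Object DaysInGroup -Descending | Format-Table -AutoSize
```

Accounts flagged as Overdue are candidates for removal from the group once their replacement cards have been issued.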

Change Introduced

·     a17624: To facilitate functionality of the Smart Card authenticator, the Oracle Enterprise Single Sign-on Logon Manager installer has been changed to permit installation of Network Provider independently of Windows Authenticator v2.

Open Issues

·     a17749: The Agent prompts for a PIN after unlocking a workstation on the Windows 7 operating system. This occurs if a user has logged on to a workstation with username and password, and accessed ESSO-LM with a smart card and PIN prior to locking.

Users with the Windows 7 operating system must enter a PIN when prompted to do so.

·     a17750: If Firefox 4 is running, selecting "Create template" for a Windows or host/mainframe application launches the Web Form Wizard.

To work around this issue, close all Firefox windows prior to using the "Create template" feature, or create the template using the traditional procedure.

Installation Instructions

To install future bundle patches, you must update the ESSO-LM component included in the 11.1.1.5.1 bundle patch.

To help ensure a satisfactory installation:

 1.     Review the hardware and software requirements listed in the Oracle Enterprise Single Sign-on Suite Plus 11.1.1.5.0 Release Notes, available on the Oracle online documentation center.

 2.     Read these bundle patch release notes entirely.

 3.     If this is an upgrade installation, back up all data. Oracle strongly recommends that you back up data prior to the installation of any software.

 4.     Close all Oracle software.

Installing this Bundle Patch

 1.     Open ofm_esso_win_11.1.1.5.1_disk1_1of1.zip.

 2.     Extract the ESSO-LM installer files. Keep in mind the following:

             ·  ESSO-LM is the only component that has changed in the 11.1.1.5.1 bundle patch.

             ·  The 64-bit component installers include "x64" at the end of the installer file name.

             ·  The MSI and EXE installers offer different options. Refer to the ESSO-LM Installation and Setup Guide to determine which installer is appropriate for you.

             ·  If you have already customized your Global Agent Settings, you must create a custom MSI that includes these settings in order to preserve them in the new installation. See the guide, Packaging ESSO-LM for Mass Deployment, for a full discussion.

 3.     Launch the desired installers and follow the onscreen instructions. Refer to the ESSO-LM Installation and Setup Guide for detailed instructions.

Uninstalling this Bundle Patch

To uninstall this bundle patch, you must uninstall the ESSO-LM component, following the standard procedure for uninstalling Windows software. For more information, refer to the ESSO-LM Installation and Setup Guide.

Related Documentation

Relevant documents have been updated to reflect the changes implemented in this bundle patch and are available on the 11g Release 1 Documentation Library on the Oracle Technology Network:

http://download.oracle.com/docs/cd/E21040_01/index.htm

The following ESSO-LM documents have been updated for this bundle patch:

·     Installation and Setup Guide

·     Strong Authenticator Configuration Guide

·     Global Agent Settings Reference Guide