Oracle Enterprise Single Sign-on Suite Plus 220.127.116.11.2 Bundle Patch Release Notes
This document describes the resolved issues included in the Oracle Enterprise Single Sign-on Suite Plus Bundle Patch 18.104.22.168.2, and a list of known issues, if applicable. It also provides information about installing and uninstalling this bundle patch.
This bundle patch affects the following components:
· Oracle Enterprise Single Sign-on Logon Manager (ESSO-LM)
· Oracle Enterprise Single Sign-on Password Reset (ESSO-PR)
· Oracle Enterprise Single Sign-on Provisioning Gateway (ESSO-PG)
Visit the Oracle Enterprise Single Sign-on Suite Plus 22.214.171.124.0 documentation Web page for a complete library of product guides and best practices for this release. The information in this document supplements and supersedes information in the original release notes for this product.
This section contains the list of issues addressed in this bundle patch with their corresponding tracking numbers:
· Bug 10376334: The Agent created separate accounts for the same user if the username was entered with varying case (for example, user1 and USER1). This occurred when using Oracle Database as the synchronization repository.
· Bug 11678402: The Agent failed to respond to the password change fields of a Windows application configured as a Service Logon.
· Bug 11683349: Users could not reveal ESSO-LM credentials using Windows Authentication v2 after logging on to Windows with a smart card.
· Bug 11705874: ESSO-LM ceased responding to a mainframe emulator after an upgrade to the emulator was applied.
· Bug 11789187: The Agent could not synchronize to Active Directory on an SSL port when no value was entered for the Global Agent Setting Synchronization > ADEXT > Advanced > Servers.
· Bug 11906440: The Agent responded erratically to the logon and password change forms of a Web application.
· Bug 12544452: ADAM synchronization failed when using SSL.
· Bug 12894501: Clicking the Reveal button in the Retry Logon dialog box and then canceling out of the first authenticator caused the Authentication Manager dropdown to appear behind the Retry Logon. This occurred when Authentication Manager was installed with multiple authenticators and set as the primary authenticator. It resulted in the user's inability to address the Authentication Manager dropdown and the Agent's appearing to be frozen.
· Bug 12894509: A Windows template using SendKeys did not inject credentials correctly when the window did not receive focus immediately, or lost focus during processing.
· Bug 12894525: Using SendKeys during a password change, the cursor did not appear in the New Password field of a dialog box when Lock focus to password change dialog was set in the ESSO-LM Administrative Console.
· Bug 11846854: Information was caching incorrectly when two Web servers addressed the same repository, resulting in users' receiving incorrect messages about their account lockout status.
To address a configuration with more than one Web server, add the following entry to the registry and set its value to zero:
· 0 (zero) disables the PR in-memory user cache
· 1 (one) enables the PR in-memory user cache
Set this value to zero when deploying more than one Web server.
· Bug 11864261: An index has been added to the USERQUESTIONS database table.
· Bug 12415778 : ESSO-PG failed to propagate a Web application's template form to ESSO-LM.
· This bundle patch introduces suite support for Microsoft Internet Explorer version 9.0.
· a17749: The Agent prompts for a PIN after unlocking a workstation on the Windows 7 operating system. This occurs if a user has logged on to a workstation with username and password, and accessed ESSO-LM with a smart card and PIN prior to locking.
Users with the Windows 7 operating system must enter a PIN when prompted to do so.
· a17750: If Firefox 4 is running, selecting "Create template" for a Windows or host/mainframe application launches the Web Form Wizard.
To work around this issue, close all Firefox windows prior to using the "Create template" feature, or create the template using the traditional procedure.
Resolved for ESSO-LM
· a17538: Microsoft Internet Explorer dropped keystrokes when the Agent was running.
· a17577: The Agent auto-populated the username field with the word "OK" when credential sharing was enabled. The field was uneditable until it was excluded from the credential sharing group.
· a17579: Synchronization was occurring after each successful credential submission.
· a17584: The Agent was utilizing 100 percent of the CPU's power in certain configurations.
· a17601, BugDB12398818: The ESSO-LM Administrative Console terminated unexpectedly during operation of the Configuration Test Manager.
· a17631: Switching the password recovery method from "User passphrase" to “Passphrase suppression using user’s SID” failed if the Windows password was changed before authenticating to ESSO-LM.
· a17687: Passphrase suppression was switched from on to off during an upgrade from ESSO-LM version 126.96.36.199.0 to 188.8.131.52.0.
· a17688: After upgrading from ESSO-LM version 10.1.4.1.0 to 184.108.40.206.0, the Agent was unable to retrieve the user's previous passphrase answer, displaying a message that the verification process was not successful.
New Features for ESSO-LM
· s8675, a17449: ESSO-LM has added support for dynamic assignment of short names of mainframe sessions for Attachmate InfoConnect extensions to a HLLAPI interface.
· a17265, BugDB12548767: ESSO-LM has added support for Mozilla Firefox 4.0.
· a17375: You can now configure the following features for Smart Card authenticator:
o Lock Desktop on Smart Card Removal. After a user logs on to a workstation with smart card and PIN, removing the card locks the desktop and resets authentication status. To use this feature, you must set “Lock desktop on smart card removal” to “Yes” in the ESSO-LM Administrative Console, and users must be enrolled in Smart Card authenticator as their Primary Logon Method.
Note: In order for this feature to function properly, ESSO-LM must be fully loaded in the system tray. If it has not finished loading, removing the card will not lock the desktop.
o Smart Card PIN as Recovery Method. Smart Card PIN is now a secondary authentication method for recovery. This feature allows users to authenticate to ESSO-LM without a smart card using the PIN as a passphrase. This is useful in the case where a user loses a card and is waiting for a new one. Additionally, if a new certificate is added to the smart card or the smart card PIN changes, the secondary authentication method can be used to authenticate users. This process is transparent to users. To use this feature, you must set “Recovery method” to “Smart card PIN” in the ESSO-LM Administrative Console, and users must be enrolled in Smart Card authenticator as their Primary Logon Method. This feature works in conjunction with PIN Recovery Group.
o PIN Recovery Group. Administrators can temporarily assign users who have lost their smart cards to a PIN recovery group, allowing these users to authenticate using their PIN until the card is replaced. To use this feature, you must specify the name of an Active Directory Security Group as the value of “PIN recovery group," and set “Recovery method” to “Smart card PIN” in the ESSO-LM Administrative Console. Additionally, users must be enrolled in Smart Card authenticator as their Primary Logon Method.
Note: You cannot use a PIN recovery group in conjunction with the Secure PIN Entry feature.
o Eliminate ESSO-LM Authentication Prompt After Windows Logon with Smart Card. If a user logs on to a workstation with smart card and PIN, ESSO-LM will use the PIN entered by the user at the Windows logon to authenticate, and not prompt the user again for a PIN. This will continue until the ESSO-LM re-authentication timer expires or the user performs an action for which ESSO-LM forces re-authentication. To use this feature, you must set “Allow forced verification” to “Yes” in the ESSO-LM Administrative Console, users must enroll in Smart Card authenticator as their Primary Logon Method, and you MUST install Network Provider with ESSO-LM.
See the ESSO-LM Administrative Console help and Global Agent Settings Reference Guide for information on using these new settings.
· a17408: The inclusion of the third and fourth field columns in the Logon Chooser dialog box is now configurable in the ESSO-LM Administrative Console. The new setting appears on the "Miscellaneous" tab of the selected application. See the ESSO-LM Administrative Console help for more information.
· a17433: ESSO-LM has added support to Smart Card authenticator for PIV and Gemalto .NET v2 smart cards with Microsoft Base Smart Card CSP on the Microsoft Windows 7 32-bit operating system.
Note: While Oracle products are designed to support both the PKCS#11 and Microsoft CAPI standards for smart cards, Oracle does not test every combination of smart cards and middleware with its products. Due to variations in middleware vendors’ implementation of these standards, a specific smart card or middleware product may not be compatible. If you experience problems with a product that claims support for these standards, contact the product vendor and Oracle Support for assistance.
· a17450: Two new features have been added to Smart Card and Read-Only Smart Card authenticators:
o Custom Certificate Check Extension. The CCCE allows the authenticators to load a third-party module, such as CCCE.dll, from a specified location and pass a certificate contained on a smart card to this module. This module can perform additional certificate checks, and if the additional checks fail, authentication to ESSO-LM will not succeed. Specify the path to the third-party module as the value of "Custom certificate check extension path" in the ESSO-LM Administrative Console. Users must be enrolled in Smart Card or Read-Only Smart Card as their Primary Logon Method.
o Secure PIN Entry. This feature allows users to enter a PIN on a smart card reader keypad that supports SPE. To use this feature, set “Allow secure PIN entry” to “Only allow SPE login” in the ESSO-LM Administrative Console. Users must be enrolled in Smart Card or Read-Only Smart Card as their Primary Logon Method.
o You cannot use Secure PIN Entry in conjunction with the PIN Recovery Group feature.
o Due to firmware limitations with some readers, users might experience a significant delay (up to 25 seconds) if they attempt to cancel out of the Confirm Smart Card PIN dialog box.
Refer to the ESSO-LM Administrative Console help and Global Agent Settings Reference Guide for information about using these settings.
· a17508: ESSO-LM Secure Data Storage now supports Oracle Internet Directory for Read-Only Smart Card authenticator. For the procedure to configure this functionality, see the Oracle Enterprise Single Sign-on Logon Manager Strong Authenticator Configuration Guide.
· a17624: To facilitate functionality of the Smart Card authenticator, the ESSO-LM installer has been changed to permit installation of Network Provider independently of Windows Authenticator v2.
Note: If you are applying the ESSO-LM component of this bundle patch, you must first apply the 220.127.116.11.1 bundle patch.
Before You Install
To help ensure a satisfactory installation:
1. Review the hardware and software requirements listed in the Oracle Enterprise Single Sign-on Suite Plus 18.104.22.168.0 Release Notes, available in the Oracle online documentation center.
2. Read these bundle patch release notes entirely.
3. If this is an upgrade installation, back up all data. Oracle strongly recommends that you back up data prior to the installation of any software.
4. Close all Oracle software.
1. Open ofm_esso_win_22.214.171.124.2_disk1_1of1.zip.
2. Extract the installer files for the products that you want to update.
o ESSO_LM Administrative Console.msp
o ESSO_PR Server.msi
o ESSO_PR Client.msi
o ESSO_PRx64 Client.msi
o ESSO_PG Server.msi
o ESSO_PG Client.msp
o ESSO_PG Client CLI.msi
3. Keep in mind the following:
· Oracle recommends that you install the patches for all product components whenever you install a patch for any product. For example, if you are updating the product ESSO-LM, install both the ESSO-LM Administrative Console and the ESSO-LM Agent components.
· The 64-bit component installers include "x64" at the end of the installer file name, while the 32-bit installers contain no special designation.
· ESSO-LM requires prior application of the 126.96.36.199.1 bundle patch.
· The ESSO-PG patch requires the following:
o You must apply the ESSO-LM patch first.
o The ESSO-LM Agent must not be connected to the repository when you install ESSO-PG. Do not launch the ESSO-LM Agent; if it launches automatically, shut it down. Then apply the ESSO-PG patch.
o After applying the ESSO-PG patch, launch the ESSO-LM Agent to perform a repository sync.
· The ESSO-PG Client CLI installer does not automatically uninstall the previous CLI. You must perform the uninstallation manually before applying the CLI patch.
4. Launch the desired installers and follow the onscreen instructions. Refer to the products' respective installation guides for detailed instructions.
Note: Oracle no longer supports installing bundle patches manually.
For ESSO-LM Agent (32- and 64-bit)
For ESSO-PG Client
To uninstall this bundle patch, you must uninstall the individual component(s), following the standard procedure for uninstalling Windows software. For more information, refer to the installation guide for the appropriate product.
The ESSO-PR Server Installation and Setup Guide has been updated to reflect a change implemented in this bundle patch and is available on the 11g Release 1 Documentation Library on the Oracle Technology Network: