Skip Headers
Oracle® OpenSSO Release Notes
Release 11gR1. Version

Part Number E17846-03
Go to Documentation Home
Go to Table of Contents
Go to Feedback page
Contact Us

Go to previous page
Go to next page
View PDF

1 Oracle OpenSSO Security Token Service

The Oracle OpenSSO Security Token Service (OpenSSO STS) provides a secure way to handle identity propagation that is controllable by policy. As a trusted authority service, OpenSSO STS issues and validates security tokens. As a web services security provider, OpenSSO STS secures communication among web service clients and web service providers

This chapter contains the following topics:

For detailed installation and administration instructions, see the Oracle OpenSSO Security Token Service Administrator's Guide in this documentation library.

1.1 Oracle OpenSSO Security Token Service Supported Standards and Applications

For information about the platforms and product versions supported by the Oracle OpenSSO Security Token Service, see the appropriate certification matrix:

1.2 Oracle OpenSSO Security Token Service Download Location

The Oracle OpenSSO Security Token Service is available to download from the Oracle Fusion Middleware 11gR1 Software Downloads page:

1.3 Oracle OpenSSO Security Token Service Issues and Workarounds

This section describes the following issues and workarounds for the Oracle OpenSSO Security Token Service:

1.3.1 Internet Explorer 7 and 8 Browser Options Should be Changed to Configure OpenSSO STS

Before you configure OpenSSO STS, set the Internet Options settings for Internet Explorer 7 or Internet Explorer 8 as follows:

  • Permit the execution of JavaScript (Enable Active scripting).

  • Add the OpenSSO STS site to be configured to the Trusted sites zone.

1.3.2 OpenSSO STS ssoadm do-batch Subcommand Throws a Null Pointer Exception

Included per bug 6940462.

The ssoadm do-batch subcommand throws a Null Pointer Exception (NPE) related to logging before the command completes.

1.3.3 Activating OpenSSO STS in the WebLogic Server 10.3.3 Administration Console Throws Exceptions

Included per bug 6964741.

After deploying OpenSSO STS (openssosts.war) in Oracle WebLogic Server 10.3.3 in production mode and starting the OpenSSO STS web application, exceptions are thrown in the console where the WebLogic Server domain was started.

After starting OpenSSO STS, it remains started and exceptions are not thrown again until OpenSSO STS is stopped and then restarted.

The workaround is to copy the saaj-impl.jar file from the OpenSSO STS opensso-client-jdk15.war file to the WebLogic Server 10.3.3 configuration endorsed directory, as follows:

  1. Stop the WebLogic Server 10.3.3 domain.

  2. If necessary, unzip the OpenSSO STS ZIP file.

  3. Create a temporary directory and unzip the openssosts-zip-path/opensso/samples/ file in that directory, where openssosts-zip-path is where you unzipped the OpenSSO STS ZIP file. For example:

    cd openssosts-zip-path/samples
    mkdir ziptmp
    cd ziptmp
    unzip ../
  4. Create a temporary directory and extract the saaj-impl.jar file from opensso-client-jdk15.war. For example:

    cd openssosts-zip-path/opensso/samples/ziptmp/war
    mkdir wartmp
    cd wartmp
    jar xvf ../opensso-client-jdk15.war WEB-INF/lib/saaj-impl.jar
  5. Create a new directory named endorsed under the WEBLOGIC_JAVA_HOME/jre/lib directory (if endorsed does not exist), where WEBLOGIC_JAVA_HOME is the JDK that WebLogic Server is configured to use.

  6. Copy the saaj-impl.jar file to the WEBLOGIC_JAVA_HOME/jre/lib/endorsed directory.

  7. Start the WebLogic Server domain.

1.3.4 OpenSSO STS File Contains an Unsupported WAR File

Included per bug 6964168.

The contains the, which has samples and corresponding WAR files. The opensso-client-jdk15.war file is not supported, because the minimum supported JDK for OpenSSO STS is JDK 1.6.0_18.

The workaround is to not deploy the openssoclient-jdk15.war file. This WAR file, however, contains the saaj-impl.jar file, which is used in the workaround for Section 1.3.3, "Activating OpenSSO STS in the WebLogic Server 10.3.3 Administration Console Throws Exceptions."

1.3.5 Custom Configurator Can Disable an Existing OpenSSO STS Configuration

After using stsconfig.jsp to create a successful OpenSSO STS configuration, to avoid an internal accidental configuration overwrite or change of the OpenSSO STS configuration, it is recommended that you perform one of the following procedures.

Without a Load Balancer. If you have not deployed OpenSSO STS behind a load balancer, perform the following steps before deploying the openssosts.war file:

  1. Create a temporary staging area:

    mkdir /tmp/staging
  2. Go to the staging area:

    cd /tmp/staging
  3. Expand the openssosts.war file:

    jar xvf WAR-FILE-HOME/openssosts.war
  4. Go to the config directory:

    cd config
  5. Remove the options.htm file:

    rm options.htm
  6. Go up one directory:

    cd ..
  7. Create openssosts.war from the staging area:

    jar cf /tmp/openssosts.war *
  8. Redeploy the /tmp/openssosts.warfile on the same web container instance on which OpenSSO STS was originally deployed and configured.

  9. Remove the staging area directory:

    rm -rf /tmp/staging

With a Load Balancer. If OpenSSO STS is fronted by a load balancer, protect DEPLOY_URI/config/options.htm from the load balancer.