Oracle® OpenSSO Release Notes Release 11gR1. Version 11.1.1.3.0 Part Number E17846-03
The Oracle OpenSSO Security Token Service (OpenSSO STS) provides a secure way to handle identity propagation that is controllable by policy. As a trusted authority service, OpenSSO STS issues and validates security tokens. As a web services security provider, OpenSSO STS secures communication among web service clients and web service providers.
This chapter contains the following topics:
Section 1.1, "Oracle OpenSSO Security Token Service Supported Standards and Applications"
Section 1.2, "Oracle OpenSSO Security Token Service Download Location"
Section 1.3, "Oracle OpenSSO Security Token Service Issues and Workarounds"
For detailed installation and administration instructions, see the Oracle OpenSSO Security Token Service Administrator's Guide in this documentation library.
For information about the platforms and product versions supported by the Oracle OpenSSO Security Token Service, see the appropriate certification matrix:
http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html
The Oracle OpenSSO Security Token Service is available to download from the Oracle Fusion Middleware 11gR1 Software Downloads page:
http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html
This section describes the following issues and workarounds for the Oracle OpenSSO Security Token Service:
Section 1.3.2, "OpenSSO STS ssoadm do-batch Subcommand Throws a Null Pointer Exception"
Section 1.3.4, "OpenSSO STS opensso-client.zip File Contains an Unsupported WAR File"
Section 1.3.5, "Custom Configurator Can Disable an Existing OpenSSO STS Configuration"
Before you configure OpenSSO STS, set the Internet Options settings for Internet Explorer 7 or Internet Explorer 8 as follows:
Permit the execution of JavaScript (Enable Active scripting).
Add the OpenSSO STS site to be configured to the Trusted sites zone.
Included per bug 6940462.
The ssoadm do-batch subcommand throws a Null Pointer Exception (NPE) related to logging before the command completes.
Included per bug 6964741.
After deploying OpenSSO STS (openssosts.war) in Oracle WebLogic Server 10.3.3 in production mode and starting the OpenSSO STS web application, exceptions are thrown in the console where the WebLogic Server domain was started.
After starting OpenSSO STS, it remains started and exceptions are not thrown again until OpenSSO STS is stopped and then restarted.
The workaround is to copy the saaj-impl.jar file from the OpenSSO STS opensso-client-jdk15.war file to the WebLogic Server 10.3.3 configuration endorsed directory, as follows:
Stop the WebLogic Server 10.3.3 domain.
If necessary, unzip the OpenSSO STS ZIP file.
Create a temporary directory and unzip the openssosts-zip-path/opensso/samples/opensso-client.zip file in that directory, where openssosts-zip-path is where you unzipped the OpenSSO STS ZIP file. For example:
cd openssosts-zip-path/opensso/samples
mkdir ziptmp
cd ziptmp
unzip ../opensso-client.zip
Create a temporary directory and extract the saaj-impl.jar file from opensso-client-jdk15.war. For example:
cd openssosts-zip-path/opensso/samples/ziptmp/war
mkdir wartmp
cd wartmp
jar xvf ../opensso-client-jdk15.war WEB-INF/lib/saaj-impl.jar
Create a new directory named endorsed under the WEBLOGIC_JAVA_HOME/jre/lib directory (if endorsed does not exist), where WEBLOGIC_JAVA_HOME is the JDK that WebLogic Server is configured to use.
Copy the saaj-impl.jar file to the WEBLOGIC_JAVA_HOME/jre/lib/endorsed directory.
Start the WebLogic Server domain.
Included per bug 6964168.
The openssosts.zip contains the opensso-client.zip, which has samples and corresponding WAR files. The opensso-client-jdk15.war file is not supported, because the minimum supported JDK for OpenSSO STS is JDK 1.6.0_18.
The workaround is to not deploy the opensso-client-jdk15.war file. This WAR file, however, contains the saaj-impl.jar file, which is used in the workaround for Section 1.3.3, "Activating OpenSSO STS in the WebLogic Server 10.3.3 Administration Console Throws Exceptions."
After using stsconfig.jsp to create a successful OpenSSO STS configuration, it is recommended that you perform one of the following procedures to avoid an accidental internal overwrite or change of the OpenSSO STS configuration.
Without a Load Balancer. If you have not deployed OpenSSO STS behind a load balancer, perform the following steps before deploying the openssosts.war file:
Create a temporary staging area:
mkdir /tmp/staging
Go to the staging area:
cd /tmp/staging
Expand the openssosts.war file:
jar xvf WAR-FILE-HOME/openssosts.war
Go to the config directory:
cd config
Remove the options.htm file:
rm options.htm
Go up one directory:
cd ..
Create openssosts.war from the staging area:
jar cf /tmp/openssosts.war *
Redeploy the /tmp/openssosts.war file on the same web container instance on which OpenSSO STS was originally deployed and configured.
Remove the staging area directory:
rm -rf /tmp/staging
With a Load Balancer. If OpenSSO STS is fronted by a load balancer, protect DEPLOY_URI/config/options.htm from the load balancer.
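The following Python script is an added example, not part of Oracle's release notes or the product. It performs the same removal as the Without a Load Balancer procedure above and then verifies the result: it copies a WAR without config/options.htm and confirms that the rebuilt archive is intact and no longer contains the page. The function names and the contents of the sample WAR are assumptions made for illustration.

```python
import zipfile

# Path inside the WAR that the procedure above removes before redeploying.
CONFIGURATOR = "config/options.htm"


def has_configurator(war_path, entry=CONFIGURATOR):
    """Return True if the WAR still ships the configurator options page."""
    with zipfile.ZipFile(war_path) as war:
        return entry in war.namelist()


def strip_configurator(src_war, dst_war, entry=CONFIGURATOR):
    """Copy src_war to dst_war without `entry`; return the names dropped.

    All other entries keep their content, timestamps and attributes. The
    rebuilt archive is re-read and CRC-checked before the function returns.
    """
    dropped = []
    with zipfile.ZipFile(src_war) as src, \
         zipfile.ZipFile(dst_war, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == entry:
                dropped.append(info.filename)
                continue
            dst.writestr(info, src.read(info))
    with zipfile.ZipFile(dst_war) as check:
        bad = check.testzip()  # name of the first entry with a bad CRC, or None
        if bad is not None:
            raise ValueError(f"corrupt entry in rebuilt WAR: {bad}")
        if entry in check.namelist():
            raise ValueError(f"{entry} is still present in {dst_war}")
    return dropped


def build_sample_war(path):
    """Constructed stand-in for openssosts.war; the contents are made up."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("index.html", "<html/>")
        war.writestr(CONFIGURATOR, "<html>configurator</html>")
```

Running has_configurator against the WAR that is actually deployed is a quick audit that the page was removed. Unlike jar cf, this copy keeps the original manifest instead of generating a new one.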