CR 6935896: Undeploying OpenSSO Enterprise on Sun GlassFish 2.1 using the CLI is unsuccessful
4077: OpenSSO Enterprise configuration on WebLogic Server requires new ldapjdk.jar
WebLogic Server StuckThreadMaxTime value is exceeded during configuration
4055: Error occurred after adding an advanced property in console
3858: Out of memory exceptions occur under heavy load with JDK 1.5 and 1.6 SunPKCS11 provider
2222: Password reset and account lockout services report notification errors
Undeploying OpenSSO Enterprise 8.0 from Sun GlassFish 2.1 or Sun Java System Application Server 9.1 Update 2 with the asadmin CLI fails and returns an “Invalid user or password” error (reported by CR 6808492). Repeating the command fails with the same error message.
Workaround. This problem has been fixed in OpenSSO Enterprise 8.0 Update 1 Patch 3 (patch ID 141655-04). The following workaround applies to OpenSSO Enterprise 8.0 deployments before patch 3:
In the appSrvr_install_directory/domains/domain1/config/domain.xml file, add the following jvm-options entry inside the java-config element (java-config is an element, not an attribute):
<jvm-options>-Dorg.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES=false</jvm-options>
Restart the GlassFish or Application Server instance.
Undeploy OpenSSO Enterprise 8.0 using the GlassFish or Application Server asadmin undeploy command.
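The domain.xml edit above, as an added example that is not code from the release notes or from OpenSSO: a shell script that inserts the jvm-options element only if it is not already present, anchors it just before the closing java-config tag, and checks the result. The domain.xml excerpt is constructed for the demonstration and DOMAIN_XML is an assumed path.

```shell
#!/bin/sh
# Added example, not from the OpenSSO release notes: add the
# ENABLE_CLEAR_REFERENCES jvm-option to a GlassFish 2.x domain.xml once,
# and confirm it landed inside <java-config>. DOMAIN_XML is an assumed path.

OPT='-Dorg.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES=false'

# jvm_option_present FILE OPT: 0 if FILE already carries <jvm-options>OPT</jvm-options>
jvm_option_present() {
    grep -qF "<jvm-options>$2</jvm-options>" "$1"
}

# add_jvm_option FILE OPT: insert the option just before </java-config>, once.
# Fails (status 1) if FILE has no </java-config> to anchor on.
add_jvm_option() {
    file=$1; opt=$2
    jvm_option_present "$file" "$opt" && return 0
    grep -q '</java-config>' "$file" || return 1
    awk -v opt="$opt" '
        /<\/java-config>/ && !done { print "        <jvm-options>" opt "</jvm-options>"; done = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demonstration on a constructed domain.xml excerpt (only the parts that matter here).
demo_dir=$(mktemp -d)
DOMAIN_XML="$demo_dir/domain.xml"
cat > "$DOMAIN_XML" <<'EOF'
<domain>
  <configs>
    <config name="server-config">
      <java-config java-home="${com.sun.aas.javaRoot}">
        <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
      </java-config>
    </config>
  </configs>
</domain>
EOF
add_jvm_option "$DOMAIN_XML" "$OPT"
add_jvm_option "$DOMAIN_XML" "$OPT"    # second call is a no-op: the option is already there
jvm_option_present "$DOMAIN_XML" "$OPT" && echo "option set in $DOMAIN_XML"
```

Run it against the real file by exporting DOMAIN_XML and replacing the constructed excerpt; restart the instance afterwards, since domain.xml is only read at startup. GlassFish also accepts the same change through asadmin create-jvm-options with the option string as its argument.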
OpenSSO Enterprise configuration fails on WebLogic Server because weblogic.jar bundles an older version of the LDAP JDK classes (ldapjdk.jar), and the server loads that copy ahead of the one shipped in opensso.war.
Sun provides a newer ldapjdk.jar that includes security and performance fixes. Apply the following workaround on both WebLogic Server 9.2 and WebLogic Server 10.
Workaround. Put the Sun ldapjdk.jar ahead of weblogic.jar in the CLASSPATH, as follows:
Extract ldapjdk.jar from opensso.war in a temporary directory using the following command (the jar tool writes it to WEB-INF/lib/ldapjdk.jar under the current directory):
jar xvf opensso.war WEB-INF/lib/ldapjdk.jar
Copy the extracted WEB-INF/lib/ldapjdk.jar to the WebLogic server lib directory.
For example, for WebLogic Server 10 on Solaris or Linux systems: BEA_HOME/wlserver_10.0/server/lib
Or, for WebLogic Server 9.2 on Windows: BEA_HOME\weblogic92\server\lib
Prefix the path to this ldapjdk.jar to the existing classpath by editing the startup script used to start WebLogic Server. In the following examples, BEA_HOME is the directory where WebLogic Server is installed. The jar path must be followed by the classpath separator (; on Windows, ${CLASSPATHSEP} in the shell scripts), and a shell assignment cannot have a space after the equals sign.
For WebLogic 9.2 on Windows, edit:
BEA_HOME\weblogic92\samples\domains\wl_server\bin\startWebLogic.cmd
Change set CLASSPATH=%CLASSPATH%;%MEDREC_WEBLOGIC_CLASSPATH% to:
set CLASSPATH=BEA_HOME\weblogic92\server\lib\ldapjdk.jar;%CLASSPATH%;%MEDREC_WEBLOGIC_CLASSPATH%
For WebLogic 10 on Windows, edit:
BEA_HOME\wlserver_10.0\samples\domains\wl_server\bin\startWebLogic.cmd
Change set CLASSPATH=%CLASSPATH%;%MEDREC_WEBLOGIC_CLASSPATH% to:
set CLASSPATH=BEA_HOME\wlserver_10.0\server\lib\ldapjdk.jar;%CLASSPATH%;%MEDREC_WEBLOGIC_CLASSPATH%
For WebLogic 9.2 MP2 on Solaris or Linux, edit:
/bea/weblogic92/samples/domains/wl_server/bin/startWebLogic.sh
or
/usr/local/bea/user_projects/domains/base_domain/bin/startWebLogic.sh
Change CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}" to:
CLASSPATH="BEA_HOME/weblogic92/server/lib/ldapjdk.jar${CLASSPATHSEP}${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}"
For WebLogic 10 on Solaris or Linux, edit:
/bea/wlserver_10.0/samples/domains/wl_server/bin/startWebLogic.sh
or
/bea/user_projects/domains/wl10_domain/bin/startWebLogic.sh
Change CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}" to:
CLASSPATH="BEA_HOME/wlserver_10.0/server/lib/ldapjdk.jar${CLASSPATHSEP}${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}"
Restart the server.
Configure OpenSSO Enterprise.
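The ldapjdk.jar procedure above, as an added example that is not code from the release notes or from OpenSSO: a shell script that extracts the jar from opensso.war, builds the new CLASSPATH with the separator in the right place, and verifies that ldapjdk.jar precedes weblogic.jar before the server is started. LDAPJDK_JAR and the sample classpath are assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenSSO release notes: extract the Sun
# ldapjdk.jar from opensso.war, prepend it to the WebLogic CLASSPATH with the
# separator handled correctly, and check the ordering before starting the
# server. LDAPJDK_JAR and the classpath used in the demonstration are assumed.

CLASSPATHSEP="${CLASSPATHSEP:-:}"   # startWebLogic.sh sets this; use ';' for Windows
LDAPJDK_JAR="${LDAPJDK_JAR:-/bea/wlserver_10.0/server/lib/ldapjdk.jar}"

# extract_ldapjdk WAR DESTDIR: copy WEB-INF/lib/ldapjdk.jar out of WAR into DESTDIR.
# (jar xf writes the member under its archive path relative to the current directory.)
extract_ldapjdk() {
    war=$1; dest=$2
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && jar xf "$war" WEB-INF/lib/ldapjdk.jar ) &&
        cp "$tmp/WEB-INF/lib/ldapjdk.jar" "$dest/ldapjdk.jar"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# prefix_classpath JAR CLASSPATH: print CLASSPATH with JAR as the first entry.
# The separator goes in only when something follows it. Gluing the jar path
# straight onto ${CLASSPATH} (no separator) produces one nonexistent path, so
# ldapjdk.jar and whatever entry came first are both silently dropped.
prefix_classpath() {
    if [ -n "$2" ]; then
        printf '%s\n' "$1$CLASSPATHSEP$2"
    else
        printf '%s\n' "$1"
    fi
}

# ldapjdk_before_weblogic CLASSPATH: 0 when an entry ending in ldapjdk.jar
# precedes the first entry ending in weblogic.jar (or weblogic.jar is absent).
ldapjdk_before_weblogic() {
    printf '%s\n' "$1" | tr "$CLASSPATHSEP" '\n' | awk '
        /ldapjdk\.jar$/  { seen_ldap = 1 }
        /weblogic\.jar$/ && !seen_wl { seen_wl = 1; ok = seen_ldap }
        END { exit ((seen_wl && !ok) ? 1 : 0) }
    '
}

# Demonstration on a constructed WebLogic 10 classpath (no server needed):
old_cp="/bea/wlserver_10.0/server/lib/weblogic.jar${CLASSPATHSEP}/bea/wlserver_10.0/server/lib/webservices.jar"
new_cp=$(prefix_classpath "$LDAPJDK_JAR" "$old_cp")
if ldapjdk_before_weblogic "$new_cp"; then
    echo "CLASSPATH=$new_cp"
else
    echo "ldapjdk.jar is not ahead of weblogic.jar" >&2
fi
```

In a real startup script, call prefix_classpath with the jar path and the CLASSPATH value the script has already assembled, and run ldapjdk_before_weblogic on the result as a guard before the java command line; extract_ldapjdk is the scripted form of the jar xvf and copy steps above.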
If you are configuring OpenSSO Enterprise on WebLogic Server 9.2 MP2 or 10 using the Configurator and the configuration takes longer than 600 seconds, the following error is written to the terminal and to the WebLogic Server domain and server logs:
<Error> <WebLogicServer> <BEA-000337> <[STUCK] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "681" seconds working on the request "Http Request: /opensso/setup/setSetupProgress", which is more than the configured time (StuckThreadMaxTime) of "600" seconds. Stack trace: ...
This error occurs because the configuration request has run longer than the WebLogic Server “Stuck Thread Max Time” default of 600 seconds.
Workaround. If the Configurator does not respond, restart it. Also consider raising the WebLogic Server “Stuck Thread Max Time” value from the default 600 seconds to a larger value such as 1200 seconds. In the WebLogic Console, the setting is under base_domain > Environment > Servers > Admin Server > Configuration > Tuning.
On WebLogic Server 8.1, opensso-client-jdk14.war configured for ID-WSF returns an error when it looks up a service.
Workaround. Add the following JAR files under weblogic-home/jdk142_08/jre/lib/endorsed:
jax-qname.jar
namespace.jar
relaxngDatatype.jar
xalan.jar
To obtain these JAR files, contact your Sun representative.
This issue occurs only if all of the following conditions are met:
Your configuration data store is Sun Java System Directory Server.
You are trying to perform a multi-server installation.
Your amadmin password is different from the Directory Server bind dn password.
Workaround. There are two parts to this workaround:
Make sure the bind DN password of your configuration Directory Server is the same as the amadmin password. Note that this couples the two credentials: whoever holds one holds the other, so rotate them together.
Configure the second and additional OpenSSO Enterprise servers. To install the second server and point it at the first OpenSSO Enterprise server's configuration directory, access the Configurator page of the second OpenSSO Enterprise server and enter the amadmin password, cookie domain, and other details for Step 1 and Step 2.
For Step 3, do not select Add to Existing Deployment. Instead, select the first instance option and provide the same Directory Server name, port, DN, password, and encryption key that you used for the first server. Then proceed with the configuration as usual.
Adding an advanced property in the Console causes the OpenSSO Enterprise server to return an error. This can occur after adding any advanced configuration property.
Workaround. After changing the default server configuration in the Console, restart the web container that hosts the OpenSSO Enterprise server.
The java.security file of JDK 1.5 and 1.6 lists the installed security providers in order of preference. On Solaris the first, and therefore preferred, provider is sun.security.pkcs11.SunPKCS11 (see the provider list below). Under heavy load, this provider generates an Out of Memory Exception (OOME) in the web container and causes the container to crash. At minimum, the following scenarios are affected:
SSL on these web containers: GlassFish Application Server V2 UR2, WebLogic Server 9.2, and JBoss Application Server 4.2.2 (but not Sun Java System Web Server 7.0, which uses JSS, a different implementation, for SSL)
SAML2 signing on Sun Java System Web Server 7 U3
The issue is currently under investigation and might impact other web container platforms not listed above.
Workaround. Remove the SunPKCS11 provider from the provider list in the JVM's java.security file and renumber the remaining entries so that they stay consecutive: the JVM reads security.provider.1, .2, and so on and stops at the first missing number, so a gap silently disables every provider after it. For example, if the security provider section in your java.security file (found in JDK_Path/jre/lib/security/) looks like:
security.provider.1=sun.security.pkcs11.SunPKCS11 \
${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
Change it to:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
Note. This workaround can lower performance because the remaining pure-Java providers are not as optimized as the SunPKCS11 provider, which delegates to the native PKCS#11 library named in sunpkcs11-solaris.cfg. It also prevents you from using hardware security tokens that are reached through the SunPKCS11 provider.
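The java.security edit above, as an added example that is not code from the release notes or from OpenSSO: a shell script that removes one provider entry (including its backslash-continued configuration line), renumbers the survivors, refuses to report success when the class name did not match, and checks that the resulting numbering has no gaps. The java.security excerpt is constructed from the list in the text.

```shell
#!/bin/sh
# Added example, not from the OpenSSO release notes: drop one provider from a
# java.security provider list and renumber the rest so the numbering stays
# contiguous (the JVM stops reading at the first missing security.provider.N).
# The java.security excerpt below is constructed from the list in the text.

# remove_provider SRC DST CLASS: write SRC to DST without the entry whose class
# is CLASS. Its argument (such as the SunPKCS11 config path on a continued
# line) goes with it. Exit status 1 if no entry matched, so a typo in the
# class name does not pass unnoticed.
remove_provider() {
    awk -v class="$3" '
        /^security\.provider\.[0-9]+[ \t]*=/ {
            val = $0
            sub(/^security\.provider\.[0-9]+[ \t]*=[ \t]*/, "", val)
            split(val, tok, /[ \t\\]/)            # tok[1] is the class name
            cont = ($0 ~ /\\[ \t]*$/)             # trailing backslash: entry continues
            if (tok[1] == class) { removed++; skip = cont; next }
            n++
            print "security.provider." n "=" val
            next
        }
        skip { skip = ($0 ~ /\\[ \t]*$/); next }  # continuation of the removed entry
        { print }
        END { exit (removed ? 0 : 1) }
    ' "$1" > "$2"
}

# providers_contiguous FILE: 0 when the provider numbers run 1, 2, ..., n with no gaps.
providers_contiguous() {
    awk '
        /^security\.provider\.[0-9]+[ \t]*=/ {
            n++
            num = $0
            sub(/^security\.provider\./, "", num)
            sub(/[ \t]*=.*$/, "", num)
            if (num + 0 != n) bad = 1
        }
        END { exit ((bad || n == 0) ? 1 : 0) }
    ' "$1"
}

# Demonstration on a constructed excerpt of JDK_Path/jre/lib/security/java.security.
demo_dir=$(mktemp -d)
cat > "$demo_dir/java.security" <<'EOF'
# constructed excerpt (Solaris JDK 1.6 layout)
security.provider.1=sun.security.pkcs11.SunPKCS11 \
${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
securerandom.source=file:/dev/urandom
EOF
remove_provider "$demo_dir/java.security" "$demo_dir/java.security.new" sun.security.pkcs11.SunPKCS11 &&
    providers_contiguous "$demo_dir/java.security.new" &&
    cat "$demo_dir/java.security.new"
```

Keep a copy of the original java.security before replacing it; the change applies to every JVM started from that JDK, not only to the web container, and it must be repeated after a JDK upgrade overwrites the file.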
With Oracle Application Server 10g version 10.1.3.1 as the web container, OpenSSO configuration fails with an exception.
Workaround. Before configuring OpenSSO, add the following JVM option under “Server Properties” for the target Oracle Application Server 10g instance:
-Doc4j.jmx.security.proxy.off=true
OpenSSO Enterprise sends email notifications from the unqualified sender address Identity-Server (no domain part), which produces error entries in the logs.
Workaround. Change the sender address from Identity-Server to Identity-Server@hostname.domainname in the following files:
In amPasswordResetModuleMsgs.properties, change fromAddress.label.
In amAuth.properties, change lockOutEmailFrom.