Known Issues and Limitations in OpenSSO Enterprise 8.0 Update 1 Patch 3
Documentation Updates for OpenSSO Enterprise 8.0 Update 1 Patch 3
OpenSSO Enterprise session cookies can be marked as HTTPOnly (CR 6843487)
Support is added for module-based, realm-based, and service-based authentication (CR 6893507)
AMLoginModule class includes new method to determine user?s current session quota level (CR 6667760)
OpenSSO provides new property to specify client configuration folder (CR 6903279)
OpenSSO Console checks for minimum password length of 8 characters (CR 6888785)
In Patch 3, Message Queue 4.3 has been upgraded to GlassFish Message Queue 4.4. This upgrade improves OpenSSO Enterprise performance and addresses several issues with session failover deployments.
For the Message Queue documentation, see http://docs.sun.com/coll/1307.7.
Patch 3 includes the new com.sun.identity.cookie.httponly property to allow OpenSSO Enterprise session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can help to prevent cross-site scripting (XSS) attacks.
By default, the value for com.sun.identity.cookie.httponly is false. To set this new property, use the OpenSSO Administration Console:
Log in to the OpenSSO Administration Console.
Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.
Add com.sun.identity.cookie.httponly with a value of true.
Click Save and log out of the Console.
Restart the OpenSSO Enterprise web container.
You also need to set this property on the client side. For example, for a Distributed Authentication UI server deployment, set it to true in the AMDistAuthConfig.properties file.
In Patch 3, the OpenSSO REST-based authentication web service now supports module-based, realm-based, or service-based authentication. You can pass module, realm, and service as query parameters. For example, here are some sample REST commands:
http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=changeit http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=changeitANDAMPuri=realm%3Dsun http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=changeitANDAMPuri=module%3DDataStore http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=changeitANDAMPuri=service%3DldapService http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=changeitANDAMPuri=realm%3D/sun%26module%3DDataStore http://host.example.com/opensso/identity/authenticate?username=user1 ANDAMPpassword=passwordANDAMPuri=realm%3D/iplanet%26module%3DdataStore |
In Patch 3, the AMLoginModule class includes the new isSessionQuotaReached() method to determine a user?s current session quota level:
public boolean isSessionQuotaReached(String userName)
This new method checks if the sessionCount is greater than or equal to the sessionQuota and returns true or false, depending the result.
Thus, a custom authentication module can check a user?s current session quota level and then if the user is about to exceed the session quota, ask whether that user wants to continue the session. This feature is normally be more useful when session constraints are enabled.
If a new administrator user logs into OpenSSO Enterprise server and tries to access the OpenSSO client website (for example, as deployed from the opensso-client-jdk15.war file), the new administrator user is asked to perform the client reconfiguration even though the configuration has already been done by the previous administrator.
Patch 3 provides the new openssoclient.config.folder property as a JVM argument in the container's configuration file (server.xml or domain.xml) to specify the configuration folder. For example:
<jvm-options>-Dopenssoclient.config.folder=C:/Sun/opensso-client-config</jvm-options> |
If this argument is not specified, the configuration folder is user.home by default.
In Patch 3, the OpenSSO Console checks for a minimum password length of 8 characters for new users and for existing users who are changing a password.
Patch 3 includes the OpenSSO Diagnostic Tool, which allows you to run a number of diagnostic tests to verify configuration settings and to identify potential installation or deployment problems. For information, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
OpenSSO ssoadm utility is not producing audit logs (CR 6928588)
Distributed Authentication UI deployments are not receiving session notifications (CR 6919698)
In Patch 3, the ssoadm utility does not produce audit logs to record which sub-commands have been executed. For example, the ssoadm list-realms sub-command should produce four audit log records (AMCLI-1, AMCLI-2, AMCLI-3020, and AMCLI-3021), but the log records are not produced.
In Patch 3, when the Security Token Server (STS) client samples are deployed on WebLogic Server and Jetty, the samples do not obtain the token that the server is deployed on WebLogic Server, and an uninitialized keystore error is thrown.
After installing OpenSSO Enterprise 8.0 Patch 3, Distributed Authentication UI deployments are not receiving notifications from the server.
Workaround. The notification URL property com.iplanet.am.notification.url has been renamed to com.sun.identity.client.notification.url. Update the AMDistAuthConfig.properties configuration file for the Distributed Authentication UI server (and other clients) with the new com.sun.identity.client.notification.url property.
Workaround.
After you apply Patch 3, the default minimum password length is 8 characters. However, to specify a different length for a different realm, run the following command:
./ssoadm set-realm-svc-attrs -u amadmin -f password-file -s sunIdentityRepositoryService -e realm-name -a sunIdRepoAttributeValidator= class=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl sunIdRepoAttributeValidator=minimumPasswordLength=password-minimum-length
In Patch 3, the Fedlet SSO HTTP POST link randomly returns a blank page. This problem occurs when a user is logged in on the IDP side and a session is created with SSO. The problem also occurs with SAMLv2.
Workaround. None
Upgrading to OpenSSO Enterprise 8.0 Update 1 Patch 3 (CR 6887525)
Changing Information in the Directory Server bootstrap File (CR 6849622)
Always run the latest versions of the ssopatch or ssopatch.bat utility and the corresponding updateschema.sh or updateschema.bat script from the Patch 3 release.
If you are patching OpenSSO Enterprise 8.0 with Patch 3:
Run the ssopatch or ssopatch.bat utility from Patch 3.
Run the updateschema or updateschema.bat script from Patch 3.
For more information about patching OpenSSO Enterprise, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
If you are moving to Patch 3 from Access Manager 7.1 or Access Manager 7 2005Q4:
Execute the ssoupgrade or ssoupgrade.bat script from Patch 3.
Run updateschema or updateschema.bat script from Patch 3.
For more information about upgrading, see the Sun OpenSSO Enterprise 8.0 Upgrade Guide.
OpenSSO Enterprise 8.0 stores parameters used to access the directory server in the /opensso/bootstrap file. If required by your deployment, you can change some of these parameters using the OpenSSO Adminstration Console. For example, you can change the Directory Manager password.
To Change the Directory Server Parameters in the bootstrap File
Log in to the OpenSSO Administration Console.
Click Configuration, Servers and Sites, opensso-instance-name, and then Directory Configuration.
Change the following values, as required by your deployment:
Bind DN is the privileged directory server administrator.
The default is cn=Directory Manager.
Bind Password is the password used by the Bind DN user to access the directory server.
You can also change the values for the following parameters, if you wish:
Minimum Connection Pool
Maximum Connection Pool
When you have made your changes, click Save.
The OpenSSO Console updates the responding values in the directory server bootstrap file.