CR 6830298: OpenSSO Enterprise Admin Tools Must be Re-installed
CR 6823779: ssoadm cannot be used with Secure WebSphere Application Server 7.0
CR 6824420: Configuration fails for WebSphere Application Server 7.0 with Java 2 security enabled
CR 6836470: Hotfix Required to Use KDCs Hosted on Windows Server 2008
CR 6831600: Configurator buttons are not visible using Safari on a Mac
CR 6819848: Berkeley DB client does not failover to secondary Message Queue broker
CR 6834714: Permissions need updating for WebSphere Application Server 6.1
CR 6835816: After you enable FIPS mode, bootstrap file cannot be decrypted
CR 6831687: SAML2 post profile fails on the Service Provider (SP)
CR 6828741: Configuring OpenSSO Enterprise 8.0 Update 1 as site throws exception in debug logs
CR 6833362: SAMLv2 returns error on WebLogic Server 10 with SOAP binding
CR 6830298: OpenSSO Enterprise Admin Tools Must be Re-installed
If you patch OpenSSO Enterprise 8.0 with Update 1, you must re-install the admin tools from Update 1 before you run the updateschema.sh or updateschema.bat script, because the script requires the Update 1 version of the ssoadm command-line utility.
Workaround. Before you run the updateschema.sh or updateschema.bat script, install the Update 1 admin tools, as described in Chapter 3, Installing the OpenSSO Enterprise 8.0 Update 1 Admin Tools.
CR 6823779: ssoadm cannot be used with Secure WebSphere Application Server 7.0
If the admin tools (ssoAdminTools.zip) are configured to use the IBM JVM with a secure (SSL-enabled) WebSphere Application Server 7.0 instance, ssoadm returns a fatal error.
Workaround. To configure ssoadm for this case, see Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.
CR 6824420: Configuration fails for WebSphere Application Server 7.0 with Java 2 security enabled
If OpenSSO Enterprise 8.0 Update 1 is deployed on IBM WebSphere Application Server 7.0 and Java 2 security is enabled, the configuration fails.
Workaround. Add the required permissions to the WebSphere Application Server 7.0 server.policy file. For more information, see Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.
CR 6836470: Hotfix Required to Use KDCs Hosted on Windows Server 2008
OpenSSO Enterprise 8.0 Update 1 adds support for KDCs hosted on Windows Server 2008. To use this feature, however, you must install a Microsoft hotfix for KTpass on the Windows Server 2008 KDC before using that KDC for Windows Desktop SSO authentication.
For more information and to download the hotfix, see http://support.microsoft.com/kb/951191.
Workaround. If OpenSSO Enterprise 8.0 Update 1 is deployed on IBM WebSphere Application Server 7.0 on Windows:
1. Prefix the Keytab File Name property of the Windows Desktop SSO authentication module instance with file:///. For example:
file:///C:/keytabs/ssohost-4100-04.HTTP.keytab
2. Set the new com.sun.identity.authentication.module.WindowsDesktopSSO.Krb5LoginModule property to com.ibm.security.auth.module.Krb5LoginModule.
Set this new property using ssoadm or in the OpenSSO Enterprise Admin Console under Configuration, Sites and Server, opensso-instance-name, and Advanced. Then restart the WebSphere Application Server 7.0 instance for the value to take effect.
CR 6831600: Configurator buttons are not visible using Safari on a Mac
When running the Configurator using Safari on a Mac, the Next and Cancel buttons are not visible, which gives the impression that the configuration cannot continue.
Workaround. Maximize the Safari browser window and scroll down to see the buttons.
CR 6819848: Berkeley DB client does not failover to secondary Message Queue broker
In a session failover configuration, the Berkeley DB client does not fail over to the secondary Message Queue broker. OpenSSO Enterprise server, however, does fail over to the secondary broker, which causes the queue on that broker to fill up quickly. The broker then blocks the producer from sending any more messages, which in turn blocks messages from OpenSSO Enterprise server.
CR 6834714: Permissions need updating for WebSphere Application Server 6.1
If you are using IBM WebSphere Application Server 6.1 as the web container and the Java Security Manager is enabled, the security permissions need to be updated.
Workaround. For the correct permissions, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
CR 6835816: After you enable FIPS mode, bootstrap file cannot be decrypted
Workaround. Before you enable FIPS mode, back up the bootstrap file. Then, after you enable FIPS mode, replace the bootstrap file with the backup copy.
For more information, see Chapter 8, Configuring OpenSSO Enterprise 8.0 Update 1 in FIPS Mode.
CR 6831687: SAML2 post profile fails on the Service Provider (SP)
Using JDK 1.6.x, when a Service Provider (SP) tries to verify a signed SAML2 response/assertion, the Identity Provider (IDP) throws a Null Pointer Exception.
Workaround. This problem occurs because JDK 1.6.x includes an older version of the XML security library than the one OpenSSO Enterprise ships with. To fix this problem:
1. Create an endorsed directory in JDK 1.6.x. For example:
JDK_1.6_HOME_DIR/jre/lib/endorsed
2. Copy the xmlsec.jar file from the OpenSSO_WAR_extracted_dir/WEB-INF/lib directory to the endorsed directory.
3. Restart the OpenSSO Enterprise 8.0 web container.
CR 6828741: Configuring OpenSSO Enterprise 8.0 Update 1 as site throws exception in debug logs
When you configure OpenSSO Enterprise 8.0 Update 1 using the console and provide site details such as the load balancer and server instances, the configuration finishes successfully and you can log in. However, the debug logs contain an exception.
Workaround. None. You can ignore the exception.
CR 6833362: SAMLv2 returns error on WebLogic Server 10 with SOAP binding
If you deploy OpenSSO Enterprise 8.0 Update 1 on WebLogic Server 10 for both the SP and IDP, configure the SP and IDP metadata for signing and encryption using the default keystore, and then terminate with the SOAP binding, an error is returned.
Workaround. Remove the last two lines from idpArtifactResolution.jsp, idpMNISOAP.jsp, and spMNISOAP.jsp. Also, remove any whitespace between %> and <%.
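The workaround above amounts to making sure the SOAP endpoint JSPs emit nothing except what their scriptlets print: any template text outside <% ... %>, including newlines between directives and blank lines at the end of the file, is written into the HTTP response ahead of or after the SOAP envelope. The Python script below is an added example, not code from the release notes or from OpenSSO. It shows what a JSP page writes verbatim, applies the whitespace part of the workaround to a constructed JSP fragment (the release notes do not show the two lines to remove, so that part is left to the administrator), and illustrates one reason stray leading whitespace breaks a SOAP peer: an XML parser rejects a document whose XML declaration is not at the very start. Whether that is exactly the error behind this CR is not stated on the page; the envelope and JSP text here are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed JSP fragment shaped like a SOAP endpoint page: page directives,
# one scriptlet that writes the envelope, and stray template whitespace around them.
JSP_SAMPLE = (
    '<%@ page contentType="text/xml" %>\n'
    '<%@ page import="java.io.PrintWriter" %>  \n'
    '\n'
    '<%\n'
    '    // scriptlet: write the SOAP envelope (placeholder variable, constructed)\n'
    '    out.print(soapResponse);\n'
    '%>\n'
    '\n'
    '\n'
)

# Constructed SOAP envelope with an XML declaration, as the peer would parse it.
SOAP_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap-env:Body/></soap-env:Envelope>'
)

_JSP_TAG = re.compile(r"<%.*?%>", re.S)  # directives, scriptlets and expressions


def template_text(jsp: str) -> str:
    """Text a JSP writes verbatim to the response: everything outside <% ... %>."""
    return _JSP_TAG.sub("", jsp)


def tidy_soap_jsp(jsp: str) -> str:
    """Apply the whitespace part of the workaround: join %> and <% directly and
    drop trailing blank lines, so only scriptlet output reaches the response."""
    jsp = re.sub(r"%>\s+<%", "%><%", jsp)
    return jsp.rstrip()


def parses_as_xml(doc: str) -> bool:
    """True if an XML parser accepts the document as sent on the wire."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    print("template text before:", repr(template_text(JSP_SAMPLE)))
    print("template text after: ", repr(template_text(tidy_soap_jsp(JSP_SAMPLE))))
    print("envelope alone parses:", parses_as_xml(SOAP_RESPONSE))
    print("with leading whitespace:", parses_as_xml(template_text(JSP_SAMPLE) + SOAP_RESPONSE))
```

Run template_text over the real idpArtifactResolution.jsp, idpMNISOAP.jsp and spMNISOAP.jsp after editing them; anything it returns other than an empty string is bytes the page will add around the SOAP message.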