Chapter 1 About OpenSSO 8.0 Update 2

This chapter contains the following topics:

• What's New in OpenSSO 8.0 Update 2

• Hardware and Software Requirements For OpenSSO 8.0 Update 2

• OpenSSO 8.0 Update 2 Issues and Workarounds

• OpenSSO 8.0 Update 2 Documentation

• Additional Information and Resources

What's New in OpenSSO 8.0 Update 2

OpenSSO 8.0 Update 2 includes enhancements to the Security Token Service and the OpenSSO Fedlet. This update also includes new web container support for WebLogic 10.3.3 and fixes to many bugs.

Security Token Service Enhancements

The Security Token Service now includes the following new features:

• Supports TokenType for generating a specific web service provider security token.

• Supports both Asymmetric and Transport binding for X509 and username security tokens as requestor.

• Enforces SSL/Transport binding with a username security token when OpenSSO STS is configured with a username over SSL.

• Issues SAML holder-of-key security token for Asymmetric KeyType with useKey as the web service client public key and web service client X509 security token.

• WSDL is dynamically updated based on security token configuration.

• Supports encryption by the web service provider public key.

• Encrypts the static username password before storing it in the configuration store.

• Supports UserName token as On Behalf Of security token through a WS-Trust request.

• Supports issuance of SAML Bearer Tokens.

• New Web Service Security authentication module WSSAuth supports digest password validation.

• New OAMAuth authentication module enables single sign-on using Oracle Access Manager with OpenSSO.

For more information, see Chapter 4, Using the Security Token Service.

Fedlet Enhancements

The Fedlet now includes the following new features:

• Supports encryption in the .NET Fedlet

• Supports signing in the .NET Fedlet

• .NET Fedlet now supports single logout

• .NET Fedlet provides Service Provider initiated single sign-on and artifact support

• Supports multiple Identity Providers and Identity Provider Discovery in .NET Fedlet

• Supplies version information within property and configuration files for the Fedlet

• New password SPI implementation

• Supports attribute query

• Supports single logout

For more information, see Chapter 5, Using the Oracle OpenSSO Fedlet.

Bugs Fixed in This Release

The table lists issues that have been resolved in OpenSSO 8.0 Update 2.

Table 1–1 Bugs Fixed in This Release

Change Request Identifier	Description
6422249	SAML assertions using excessive memory.
6659356	New bug with the interaction process in a load-balanced scenario.
6802207	Policy agent "gateway servelet" function yields "Your authentication module is denied."
6894077	In Cookie hijacking mode, logout request hangs.
6931544	Javadoc comments missing for public API AMLoginModule:isSessionQuotaReached.
6918266	/opensso/realm/IDRepoEdit delete Session service configuration in realm.
6923660	Inheritance setting in agent profile does not work as expected.
6924534	ssoadm --version did not return the right value after patching 141655-03.
6926203	goto URL not validated on distributed authentication.
6928480, 6934888	Distributed authentication UI: In log files IP recorded is DAUI IP, not client IP.
6931012	Access Manager console becomes unresponsive after adding a new config property.
6931476	Incorrect exceptions thrown in the logs for misconfigured SAML/IDP's service URLs on the Service Provider side.
6933168	Password reset page is not localized when locale parameter is given in the URL.
6933268	"Auth module instance" condition with "application timeout properties" set drops session after login.
6937698	OpenSSO8.0: Console Invalid Characters check is not performed
6937700	OpenSSO allows to create username with special characters, but complains during login.
6939038	Security Token Service client samples are failing for IBM Websphere Application Server 6.1.
6940455	Security Token Service "ssoadm set-site-sec-urls" throws an NPE on the console.
6942485, 6942813	OpenSSO does not escape "\" in uid correctly, and 2 different uid values are stored in Directory Server entry.
6945286	Distributed Authentication login: uid with special characters results in error.
6947033	“URL not found” exception errors in SAML.
6949778	iplanet-am-auth-locale value of realm is not taken in consideration in the evaluation process.
6947068	goto is missing after session timeout.
6958448	LDAPv3Repo.setAttributes method fetches the schema multiple times even for a single modification.

Hardware and Software Requirements For OpenSSO 8.0 Update 2

See the System Requirements and Supported Platforms for Oracle OpenSSO 8.0u2 document listed under Oracle Branded Releases of Sun Products Supported Configuration at the following URL:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

OpenSSO 8.0 Update 2 Issues and Workarounds

• General Security Advisory

• CR 6959610: OpenSSO 8.0 Update 2 samples should be removed in production environment

• CRs 6944573, 6964648: New Java security permissions are required for WebLogic Server 10.3.3

• CR 6939443: Certificate authentication with LDAP checking or OCSP checking fails on WebLogic Server 10.3.x

• CR 6960514: Cannot access authentication certificates

• To Configure JDBC Authentication with Oracle Database

• To Manually Configure NSS on OpenSSO

• CR 6967026: Configurator cannot connect to LDAPS-enabled directory server

• CR 6948937: Activating OpenSSO 8.0 Update 2 in WebLogic Server 10.3.3 admin console causes exceptions

• CR 6956461:SecurID authentication fails on IBM WebSphere Application Server

• CR 6959373: Web container requires a restart after running updateschema script

• CR 6961419: Running updateschema.bat script requires a password file

• CR 6970859: Browser scroll feature does not work

• Deploying OpenSSO 8.0 Update 2 on JBoss 5.0

• CR 6971437 : OpenSSO 8.0 Update 2 loses configuration after restart of JBoss Application Server 5.0.0.0

• CR 6972593: Java Oracle OpenSSO Fedlet single sign-on (SSO) fails on JBoss AS 5.0.x

• SR 72335286 and CR 6929674: LDAP Referrals Do Not Work as Expected

General Security Advisory

General security concerns exist regarding using a HTTP Basic Authentication module. See http://en.wikipedia.org/wiki/Basic_access_authentication, the “Disadvantages” section. Be sure that you can address these security concerns before you consider using HTTP Basic Authentication in a production deployment.

CR 6959610: OpenSSO 8.0 Update 2 samples should be removed in production environment

To minimize random or unnecessary configuration changes through inadvertent sample program runs, remove the samples before you deploy OpenSSO 8.0 Update 2 in a production environment.

CRs 6944573, 6964648: New Java security permissions are required for WebLogic Server 10.3.3

If you are deploying OpenSSO 8.0 Update 2 on Oracle WebLogic Server 10.3.3 with the security manager enabled, an additional Java security permission is required.

Workaround. Add the following permission to the WebLogic Server 10.3.3 weblogic.policy file:

permission java.lang.RuntimePermission "getClassLoader";

CR 6939443: Certificate authentication with LDAP checking or OCSP checking fails on WebLogic Server 10.3.x

Due to an issue in earlier versions of Oracle WebLogic Server such as 10.3.0 and 10.3.1, certificate authentication with either LDAP checking or OSCP checking enabled fails.

Workaround. This problem has been fixed in WebLogic Server 10.3.3. To use certificate authentication with either LDAP checking or OSCP checking, use OpenSSO Update 2 with WebLogic Server 10.3.3.

CR 6960514: Cannot access authentication certificates

In the Spanish version of OpenSSO 8.0 Update 2, you cannot access authentication certificates. When you go to Configuration > Authentication > Certificates, an error occurs. The following is displayed in the log "Caused by: java.lang.IllegalArgumentException."

Workaround. None.

To Configure JDBC Authentication with Oracle Database

1. Download the ojdbc6.jar file from the following URL:

   http://www.oracle.com/technetwork/database/enterprise-edition/jdbc-112010-090769.html.

2. Create a staging area and change to that directory. For example:

   mkdir /tmp/staging cd /tmp/staging

3. Explode the opensso.war in the staging area.

   jar xf opensso.war

4. Change to the WEB-INF/lib directory.

5. Copy ojdbc6.jar into that directory. For example:

   cp OJDBC6_DOWNLOAD_LOCATION/ojdbc6.jar

6. Create an updated opensso.war file from the staging area. For example:

   cd ../.. jar cf /tmp/opensso.war *

7. Undeploy the current opensso.war.

8. Deploy the opensso.war file you created in Step 6.

9. Restart the OpenSSO web container instance.

To Manually Configure NSS on OpenSSO

By default, the OpenSSO configurator supports only the JCE/JSSE provider for SSL. However, you can use the OpenSSO administration console to manually enable JSS/NSS. If OpenSSO is deployed on Sun Web Server 7.0 or on GlassFish Enterprise Edition 2.1.0, then complete the following steps. For GlassFish Enterprise Edition 2.1.1 and later versions, see CR 6967026: Configurator cannot connect to LDAPS-enabled directory server.

Before You Begin

• If you want OpenSSO to connect to an LDAPS-enabled directory server, then the CA certificate for the LDAPS-enabled directory server must be already imported into the JVM trust store (by default JAVA_HOME/jre/lib/security/cacert).

1. Log in to the OpenSSO Administration Console as amadmin.

2. Click Configuration > Servers and Sites > Server Name instance.

3. Click Security.

4. Click Inheritance Settings.

5. Uncheck the Encryption class and Secure Random Factory Class properties.

6. Click Save, and then click Back to Server Profile.

7. Change Encryption class to com.iplanet.services.util.JSSEncryption.

8. Change Secure Random Factory Class to com.iplanet.am.util.JSSSecureRandomFactoryImpl.

9. Click Save, and then click the Advanced tab.

10. Change the com.iplanet.security.SSLSocketFactoryImpl property to com.iplanet.services.ldap.JSSSocketFactory.

11. Edit the following property and value:

    • Property Name: opensso.protocol.handler.pkgs

    • Property Value: com.iplanet.services.comm

12. Click Add, and add following property and value:

    • Property Name: com.iplanet.am.admin.cli.certdb.dir

    • Property Value: path-to-NSS-database

13. Click Save.

14. Restart the OpenSSO Enterprise 8.0 server instance.

CR 6967026: Configurator cannot connect to LDAPS-enabled directory server

If OpenSSO is deployed on GlassFish Enterprise Server 2.1.1 or later versions, then OpenSSO cannot connect to an LDAPS-enabled directory server instance with JSS/NSS. The problem occurs because OpenSSO and GlassFish Enterprise Server 2.1.1 and later versions do not use the same JSS version.

Workaround: Use the JSSE provider instead of the NSS provider for SSL.

CR 6948937: Activating OpenSSO 8.0 Update 2 in WebLogic Server 10.3.3 admin console causes exceptions

If you deploy OpenSSO 8.0 Update 2 (opensso.war) in the WebLogic Server 10.3.3 administration console and click Start to allow OpenSSO 8.0 Update 2 to start receiving requests, exceptions are thrown in the console where the WebLogic Server domain was started.

Note: After you start OpenSSO 8.0 Update 2, it remains started and exceptions are not thrown again until OpenSSO 8.0 Update 2 is stopped and then restarted.

Workaround. Copy the saaj-impl.jar file from the OpenSSO 8 Update 2 opensso-client-jdk15.war file to the WebLogic Server 10.3.3 configuration endorsed directory, as follows:

1. Stop the Oracle WebLogic Server 10.3.3 domain.

2. If necessary, unzip the OpenSSO 8.0 Update 2 opensso.zip file.

3. Create a temporary directory and unzip the zip-root/opensso/samples/opensso-client.zip file in that directory, where zip-root is where you unzipped the opensso.zip file. For example:

   cd zip-root/opensso/samples
   mkdir ziptmp
   cd ziptmp
   unzip ../opensso-client.zip

4. Create a temporary directory and extract the saaj-impl.jar file from opensso-client-jdk15.war. For example:

   cd zip-root/opensso/samples/ziptmp/war
   mkdir wartmp
   cd wartmp
   jar xvf ../opensso-client-jdk15.war WEB-INF/lib/saaj-impl.jar

5. Create a new directory named endorsed under the WEBLOGIC_JAVA_HOME/jre/lib directory (if endorsed does not already exist), where WEBLOGIC_JAVA_HOME is the JDK that WebLogic Server is configured to use.

6. Copy the saaj-impl.jar file to the WEBLOGIC_JAVA_HOME/jre/lib/endorsed directory.

7. Start the WebLogic Server domain.

CR 6956461:SecurID authentication fails on IBM WebSphere Application Server

When OpenSSO is configured on IBM WebSphere Application Server 6.1 or AIX 5.3, a valid plain text password user can not be authenticated via a SecurID authentication module instance.

Workaround. None. Do not use plain text passwords on IBM WebSphere Application Server.

CR 6959373: Web container requires a restart after running updateschema script

After you run the updateschema.sh or updateschema.bat script, you must restart the OpenSSO 8.0 Update 2 web container.

CR 6961419: Running updateschema.bat script requires a password file

The updateschema.bat script executes several ssoadm commands. Therefore, before you run updateschema.bat on Windows systems, create a password file that contains the password user in clear text for the amadmin user. The updateschema.bat script prompts you for the path to the password file. Before the script terminates, it removes the password file.

CR 6970859: Browser scroll feature does not work

When using OpenSSO Update 2 on the following browsers, the browser scroll does not work as designed: Microsoft Internet Explorer 7 and 8 on Windows 2003 or 2008.

Workaround. Maximize the browser window.

Deploying OpenSSO 8.0 Update 2 on JBoss 5.0

JBoss 5.x uses Tomcat 6.0.16 which does not support the special symbols in the OpenSSO iPlanetDirectoryPro cookie. This affects OpenSSO cookie-handling.

Workaround. See To Deploy OpenSSO on JBoss 5.0.

To Deploy OpenSSO on JBoss 5.0

Before You Begin

• The minimum heap size should be set to at least 512M (-Xms256m), and maximum heap size should be set to 1024M (-Xmx1024m).

• The MaxPermSize should be set to 256M (-XX:MaxPermSize=256m)

1. In the JBoss run.conf file (run.conf.bat on Windows), which is used to start up the JBoss instance, add the following JVM options:

   -Dcom.iplanet.am.cookie.encode=true 
   -Dcom.iplanet.am.cookie.c66Encode=true

   If you do not set these properties, after entering your credentials in the OpenSSO console, you are directed back to the login page. After you've deployed and configured OpenSSO you can remove this entry in the run.conf file (or run.conf.bat on Windows). OpenSSO configures the cookie encode property during deployment.

2. Unjar the opensso.war.

   1. Create text-file opensso.war/WEB-INF/jboss-web.xml.

   2. Enter the following content in the file:

      <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" 
      "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd"> 
      <jboss-web> 
      <class-loading java2ClassLoadingCompliance='true'> 
              <loader-repository> 
                  jbia.loader:loader=opensso 
                  <loader-repository-config> 
                      java2ParentDelegaton=true 
                  </loader-repository-config> 
              </loader-repository> 
         </class-loading> 
         <resource-ref> 
              <res-ref-name>jdbc/openssousersdb</res-ref-name> 
              <jndi-name>java:jdbc/openssousersdb</jndi-name> 
          </resource-ref> 
      </jboss-web> 

3. Create the WAR again.

4. Stop the JBoss server.

5. Create a directory under the mode that opensso will be deployed to.

   Example: JBOSS_INSTALL_DIR>/server/$CONFIG/deploy/opensso.war

   where $CONFIG is the mode such as default, all, or production.

6. Go to the opensso.war directory.

   Example: JBOSS_INSTALL_DIR/server/$CONFIG/deploy/opensso.war

7. Explode the war to this directory.

   jar -xvf WAR_FILE_LOCATION/opensso.war 

8. Restart the JBoss container.

   Deployment of opensso.war will succeed without errors.

   ---

   Note –

   OpenSSO 8.0 U2 installation on JBoss 5.0.0 is supported in exploded war mode only.

   ---

CR 6971437 : OpenSSO 8.0 Update 2 loses configuration after restart of JBoss Application Server 5.0.0.0

If you deploy and configure the opensso.war file on JBoss Application Server 5.0.0.0 and then restart the JBoss Application Server web container, OpenSSO 8.0 Update 2 displays the configurator page again instead of the login page.

Workaround. Deploy the opensso.war file in the JBoss AS deploy directory, as follows:

1. Stop the JBoss Application Server web container.

2. Edit the JBoss Application Server run.conf file by adding the following options:

   -Dcom.iplanet.am.cookie.encode=true 
   -Dcom.iplanet.am.cookie.c66Encode=true 

3. Uncomment the line "admin=admin" in the following files:

   • JBOSS_INSTALL_DIR/server/$CONFIG/conf/props/jmx-console-users.properties

   • JBOSS_INSTALL_DIR/server/$CONFIG/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties

4. Copy the opensso.war file to the following JBoss Application Server directory:

   JBOSS_INSTALL_DIR/server/$CONFIG/deploy

   where $CONFIG is the JBoss Application Server mode, such as default, all, or production.

5. Restart the JBoss Application Server web container.

6. Deploy the opensso.war file in the directory shown in Step 4.

CR 6972593: Java Oracle OpenSSO Fedlet single sign-on (SSO) fails on JBoss AS 5.0.x

If you deploy the Java Oracle OpenSSO Fedlet on JBoss Application Server 5.0.x, index.jsp doesn't display and Fedlet SSO fails with an IllegalStateException.

Workaround. Follow these steps.

1. Stop the JBoss AS web container. JBoss AS web container.

2. Add the following Java options in the JBoss AS 5.0 run.conf file: -

   Djavax.xml.soap.MetaFactory=
   com.sun.xml.messaging.saaj.soap.SAAJMetaFactoryImpl 
   -Djavax.xml.soap.MessageFactory=
   com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl 
   -Djavax.xml.soap.SOAPConnectionFactory=
   com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnectionFactory 
   -Djavax.xml.soap.SOAPFactory=
   com.sun.xml.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl 

3. Start the JBoss AS web container.

SR 72335286 and CR 6929674: LDAP Referrals Do Not Work as Expected

When LDAP referrals are enabled, authentication fails for the user in the referral directory server. Authentication fails regardless of how the option "LDAP Follows Referral" is set. Also, the Subjects tab in the OpenSSO administration console does not display referral users.

These issues are due in part because of a known issue with the LDAP SDK (CR 6969674). Using LDAP SDK, LDAP referrals are not honored in OpenSSO.

Workaround. There are no workarounds at this time.

OpenSSO 8.0 Update 2 Documentation

In addition to this document, additional OpenSSO 8.0 documentation is available in the following collection:

http://docs.sun.com/coll/1767.1

Documentation Issues

OpenSSO 8.0 Update 2 includes the following documentation issues:

• CR 6958580: Console online Help documents unsupported Discovery Agents

• CR 6967006 Console online Help does not document OAMAuth and WSSAuth authentication modules

• CR 6953582: Fedlet Java API reference should be public

• CR 6953579: OpenSSO Fedlet README file should document single logout feature

• CR 6960630: Information for patching a specialized OpenSSO WAR should be revised

CR 6958580: Console online Help documents unsupported Discovery Agents

The OpenSSO 8.0 Update 2 administration console online Help documents Discovery Agents, even though these agents are not supported.

Workaround. None. Ignore the information about Discovery Agents in the online Help.

CR 6967006 Console online Help does not document OAMAuth and WSSAuth authentication modules

The OpenSSO 8.0 Update 2 administration console online Help does not document the Oracle Access Manager (OAM) and Web Services Security (WSS) authentication modules.

Workaround. For information about these authentication modules, see Chapter 4, Using the Security Token Service.

CR 6953582: Fedlet Java API reference should be public

The Fedlet Java API public reference is available as part of the Oracle OpenSSO 8.0 Update 2 Java API Reference, which is available in the following documentation collection: http://docs.sun.com/coll/1767.1.

Note: OpenSSO 8.0 Update 2 does not support the getPolicyDecisionForFedlet method, even though this method is in the Java API reference.

CR 6953579: OpenSSO Fedlet README file should document single logout feature

The Fedlet README files do not document the single logout feature.

Workaround. For Oracle OpenSSO 8.0 Update 2, the Fedlet single logout feature is documented in Chapter 5, Using the Oracle OpenSSO Fedlet.

CR 6960630: Information for patching a specialized OpenSSO WAR should be revised

The information has been revised. See Patching a Specialized OpenSSO WAR.

Additional Information and Resources

You can also find additional useful information and resources at the following locations:

• Deprecation Notifications and Announcements

• How to Report Problems and Provide Feedback

• Accessibility Features for People With Disabilities

• Related Third-Party Web Sites

• Oracle Advanced Customer Services for Systems:

  http://www.oracle.com/us/support/systems/advanced-customer-services/index.html

• Software Products: http://www.oracle.com/us/sun/sun-products-map-075562.html

• SunSolve: http://sunsolve.sun.com/

• Oracle Technology Network: http://www.oracle.com/technetwork/index.html

• Sun Developer Services:http://developers.sun.com/services/

Deprecation Notifications and Announcements

• The Service Management Service (SMS) APIs (com.sun.identity.sm package) and SMS model are no longer included in OpenSSO.

• The Unix authentication module and the Unix authentication helper (amunixd) will not be included in a future OpenSSO release.

• The Sun Java System Access Manager 7.1 Release Notes stated that the Access Manager com.iplanet.am.sdk package, commonly known as the Access Manager SDK (AMSDK), and all related APIs and XML templates will not be included in a future OpenSSO release.

  Consequently, when the AMSDK is removed, the Legacy Mode option and support will also be removed.

  Migration options are not available now and are not expected to be available in the future. Oracle Identity Manager provides user provisioning solutions that you can use instead of the AMSDK. For more information about Identity Manager, see http://www.oracle.com/us/products/middleware/identity-management/index.html.

How to Report Problems and Provide Feedback

If you have questions or issues with OpenSSO 8.0 Update 2 or a subsequent patch release, contact Support Resources at http://sunsolve.sun.com/.

This site has links to the Knowledge Base, Online Support Center, and Product Tracker, as well as to maintenance programs and support contact numbers. If you are requesting help for a problem, please include the following information:

• Description of the problem, including when the problem occurs and its impact on your operation

• Machine type, operating system version, web container and version, JDK version, and OpenSSO version, including any patches or other software that might be affecting the problem

• Steps to reproduce the problem

• Any error logs or core dumps

Accessibility Features for People With Disabilities

To obtain accessibility features that have been released since the publishing of this media, consult Section 508 product assessments available upon request to determine which versions are best suited for deploying accessible solutions.

For information about Oracle's commitment to accessibility, see http://www.oracle.com/index.html.

Related Third-Party Web Sites

Third-party URLs are referenced in this document and provide additional, related information.

---

Note –

Oracle is not responsible for the availability of third-party Web sites mentioned in this document. Oracle does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Oracle will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.

---