test

Oracle OpenSSO 8.0 Update 2 Release Notes

OpenSSO 8.0 Update 2 Issues and Workarounds

General Security Advisory

General security concerns exist regarding using a HTTP Basic Authentication module. See http://en.wikipedia.org/wiki/Basic_access_authentication, the “Disadvantages” section. Be sure that you can address these security concerns before you consider using HTTP Basic Authentication in a production deployment.

CR 6959610: OpenSSO 8.0 Update 2 samples should be removed in production environment

To minimize random or unnecessary configuration changes through inadvertent sample program runs, remove the samples before you deploy OpenSSO 8.0 Update 2 in a production environment.

CRs 6944573, 6964648: New Java security permissions are required for WebLogic Server 10.3.3

If you are deploying OpenSSO 8.0 Update 2 on Oracle WebLogic Server 10.3.3 with the security manager enabled, an additional Java security permission is required.

Workaround. Add the following permission to the WebLogic Server 10.3.3 weblogic.policy file:

permission java.lang.RuntimePermission "getClassLoader";

CR 6939443: Certificate authentication with LDAP checking or OCSP checking fails on WebLogic Server 10.3.x

Due to an issue in earlier versions of Oracle WebLogic Server such as 10.3.0 and 10.3.1, certificate authentication with either LDAP checking or OSCP checking enabled fails.

Workaround. This problem has been fixed in WebLogic Server 10.3.3. To use certificate authentication with either LDAP checking or OSCP checking, use OpenSSO Update 2 with WebLogic Server 10.3.3.

CR 6960514: Cannot access authentication certificates

In the Spanish version of OpenSSO 8.0 Update 2, you cannot access authentication certificates. When you go to Configuration > Authentication > Certificates, an error occurs. The following is displayed in the log "Caused by: java.lang.IllegalArgumentException."

Workaround. None.

ProcedureTo Configure JDBC Authentication with Oracle Database

  1. Download the ojdbc6.jar file from the following URL:

    http://www.oracle.com/technetwork/database/enterprise-edition/jdbc-112010-090769.html.

  2. Create a staging area and change to that directory. For example:


    mkdir /tmp/staging
cd /tmp/staging

  3. Explode the opensso.war in the staging area.


    jar xf opensso.war

  4. Change to the WEB-INF/lib directory.

  5. Copy ojdbc6.jar into that directory. For example:


    cp OJDBC6_DOWNLOAD_LOCATION/ojdbc6.jar

  6. Create an updated opensso.war file from the staging area. For example:


    cd ../..
jar cf /tmp/opensso.war *

  7. Undeploy the current opensso.war.

  8. Deploy the opensso.war file you created in Step 6.

  9. Restart the OpenSSO web container instance.

ProcedureTo Manually Configure NSS on OpenSSO

By default, the OpenSSO configurator supports only the JCE/JSSE provider for SSL. However, you can use the OpenSSO administration console to manually enable JSS/NSS. If OpenSSO is deployed on Sun Web Server 7.0 or on GlassFish Enterprise Edition 2.1.0, then complete the following steps. For GlassFish Enterprise Edition 2.1.1 and later versions, see CR 6967026: Configurator cannot connect to LDAPS-enabled directory server.

Before You Begin

  1. Log in to the OpenSSO Administration Console as amadmin.

  2. Click Configuration > Servers and Sites > Server Name instance.

  3. Click Security.

  4. Click Inheritance Settings.

  5. Uncheck the Encryption class and Secure Random Factory Class properties.

  6. Click Save, and then click Back to Server Profile.

  7. Change Encryption class to com.iplanet.services.util.JSSEncryption.

  8. Change Secure Random Factory Class to com.iplanet.am.util.JSSSecureRandomFactoryImpl.

  9. Click Save, and then click the Advanced tab.

  10. Change the com.iplanet.security.SSLSocketFactoryImpl property to com.iplanet.services.ldap.JSSSocketFactory.

  11. Edit the following property and value:

    • Property Name: opensso.protocol.handler.pkgs

    • Property Value: com.iplanet.services.comm

  12. Click Add, and add following property and value:

    • Property Name: com.iplanet.am.admin.cli.certdb.dir

    • Property Value: path-to-NSS-database

  13. Click Save.

  14. Restart the OpenSSO Enterprise 8.0 server instance.

CR 6967026: Configurator cannot connect to LDAPS-enabled directory server

If OpenSSO is deployed on GlassFish Enterprise Server 2.1.1 or later versions, then OpenSSO cannot connect to an LDAPS-enabled directory server instance with JSS/NSS. The problem occurs because OpenSSO and GlassFish Enterprise Server 2.1.1 and later versions do not use the same JSS version.

Workaround: Use the JSSE provider instead of the NSS provider for SSL.

CR 6948937: Activating OpenSSO 8.0 Update 2 in WebLogic Server 10.3.3 admin console causes exceptions

If you deploy OpenSSO 8.0 Update 2 (opensso.war) in the WebLogic Server 10.3.3 administration console and click Start to allow OpenSSO 8.0 Update 2 to start receiving requests, exceptions are thrown in the console where the WebLogic Server domain was started.

Note: After you start OpenSSO 8.0 Update 2, it remains started and exceptions are not thrown again until OpenSSO 8.0 Update 2 is stopped and then restarted.

Workaround. Copy the saaj-impl.jar file from the OpenSSO 8 Update 2 opensso-client-jdk15.war file to the WebLogic Server 10.3.3 configuration endorsed directory, as follows:

  1. Stop the Oracle WebLogic Server 10.3.3 domain.

  2. If necessary, unzip the OpenSSO 8.0 Update 2 opensso.zip file.

  3. Create a temporary directory and unzip the zip-root/opensso/samples/opensso-client.zip file in that directory, where zip-root is where you unzipped the opensso.zip file. For example:

    cd zip-root/opensso/samples
mkdir ziptmp
cd ziptmp
unzip ../opensso-client.zip

  4. Create a temporary directory and extract the saaj-impl.jar file from opensso-client-jdk15.war. For example:

    cd zip-root/opensso/samples/ziptmp/war
mkdir wartmp
cd wartmp
jar xvf ../opensso-client-jdk15.war WEB-INF/lib/saaj-impl.jar

  5. Create a new directory named endorsed under the WEBLOGIC_JAVA_HOME/jre/lib directory (if endorsed does not already exist), where WEBLOGIC_JAVA_HOME is the JDK that WebLogic Server is configured to use.

  6. Copy the saaj-impl.jar file to the WEBLOGIC_JAVA_HOME/jre/lib/endorsed directory.

  7. Start the WebLogic Server domain.

CR 6956461:SecurID authentication fails on IBM WebSphere Application Server

When OpenSSO is configured on IBM WebSphere Application Server 6.1 or AIX 5.3, a valid plain text password user can not be authenticated via a SecurID authentication module instance.

Workaround. None. Do not use plain text passwords on IBM WebSphere Application Server.

CR 6959373: Web container requires a restart after running updateschema script

After you run the updateschema.sh or updateschema.bat script, you must restart the OpenSSO 8.0 Update 2 web container.

CR 6961419: Running updateschema.bat script requires a password file

The updateschema.bat script executes several ssoadm commands. Therefore, before you run updateschema.bat on Windows systems, create a password file that contains the password user in clear text for the amadmin user. The updateschema.bat script prompts you for the path to the password file. Before the script terminates, it removes the password file.

CR 6970859: Browser scroll feature does not work

When using OpenSSO Update 2 on the following browsers, the browser scroll does not work as designed: Microsoft Internet Explorer 7 and 8 on Windows 2003 or 2008.

Workaround. Maximize the browser window.

Deploying OpenSSO 8.0 Update 2 on JBoss 5.0

JBoss 5.x uses Tomcat 6.0.16 which does not support the special symbols in the OpenSSO iPlanetDirectoryPro cookie. This affects OpenSSO cookie-handling.

Workaround. See To Deploy OpenSSO on JBoss 5.0.

ProcedureTo Deploy OpenSSO on JBoss 5.0

Before You Begin

  1. In the JBoss run.conf file (run.conf.bat on Windows), which is used to start up the JBoss instance, add the following JVM options:

    -Dcom.iplanet.am.cookie.encode=true 
-Dcom.iplanet.am.cookie.c66Encode=true

    If you do not set these properties, after entering your credentials in the OpenSSO console, you are directed back to the login page. After you've deployed and configured OpenSSO you can remove this entry in the run.conf file (or run.conf.bat on Windows). OpenSSO configures the cookie encode property during deployment.

  2. Unjar the opensso.war.

    1. Create text-file opensso.war/WEB-INF/jboss-web.xml.

    2. Enter the following content in the file:

      <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" 
"http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd"> 
<jboss-web> 
<class-loading java2ClassLoadingCompliance='true'> 
        <loader-repository> 
            jbia.loader:loader=opensso 
            <loader-repository-config> 
                java2ParentDelegaton=true 
            </loader-repository-config> 
        </loader-repository> 
   </class-loading> 
   <resource-ref> 
        <res-ref-name>jdbc/openssousersdb</res-ref-name> 
        <jndi-name>java:jdbc/openssousersdb</jndi-name> 
    </resource-ref> 
</jboss-web>

  3. Create the WAR again.

  4. Stop the JBoss server.

  5. Create a directory under the mode that opensso will be deployed to.

    Example: JBOSS_INSTALL_DIR>/server/$CONFIG/deploy/opensso.war

    where $CONFIG is the mode such as default, all, or production.

  6. Go to the opensso.war directory.

    Example: JBOSS_INSTALL_DIR/server/$CONFIG/deploy/opensso.war

  7. Explode the war to this directory. 

    jar -xvf WAR_FILE_LOCATION/opensso.war

  8. Restart the JBoss container.

    Deployment of opensso.war will succeed without errors.

    Note –

    OpenSSO 8.0 U2 installation on JBoss 5.0.0 is supported in exploded war mode only.

CR 6971437 : OpenSSO 8.0 Update 2 loses configuration after restart of JBoss Application Server 5.0.0.0

If you deploy and configure the opensso.war file on JBoss Application Server 5.0.0.0 and then restart the JBoss Application Server web container, OpenSSO 8.0 Update 2 displays the configurator page again instead of the login page.

Workaround. Deploy the opensso.war file in the JBoss AS deploy directory, as follows:

  1. Stop the JBoss Application Server web container.

  2. Edit the JBoss Application Server run.conf file by adding the following options: 

    -Dcom.iplanet.am.cookie.encode=true 
-Dcom.iplanet.am.cookie.c66Encode=true

  3. Uncomment the line "admin=admin" in the following files:

    • JBOSS_INSTALL_DIR/server/$CONFIG/conf/props/jmx-console-users.properties

    • JBOSS_INSTALL_DIR/server/$CONFIG/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties

  4. Copy the opensso.war file to the following JBoss Application Server directory:

    JBOSS_INSTALL_DIR/server/$CONFIG/deploy

    where $CONFIG is the JBoss Application Server mode, such as default, all, or production.

  5. Restart the JBoss Application Server web container.

  6. Deploy the opensso.war file in the directory shown in Step 4.

CR 6972593: Java Oracle OpenSSO Fedlet single sign-on (SSO) fails on JBoss AS 5.0.x

If you deploy the Java Oracle OpenSSO Fedlet on JBoss Application Server 5.0.x, index.jsp doesn't display and Fedlet SSO fails with an IllegalStateException.

Workaround. Follow these steps.

  1. Stop the JBoss AS web container. JBoss AS web container.

  2. Add the following Java options in the JBoss AS 5.0 run.conf file: -

    Djavax.xml.soap.MetaFactory=
com.sun.xml.messaging.saaj.soap.SAAJMetaFactoryImpl 
-Djavax.xml.soap.MessageFactory=
com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl 
-Djavax.xml.soap.SOAPConnectionFactory=
com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnectionFactory 
-Djavax.xml.soap.SOAPFactory=
com.sun.xml.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl

  3. Start the JBoss AS web container.

SR 72335286 and CR 6929674: LDAP Referrals Do Not Work as Expected

When LDAP referrals are enabled, authentication fails for the user in the referral directory server. Authentication fails regardless of how the option "LDAP Follows Referral" is set. Also, the Subjects tab in the OpenSSO administration console does not display referral users.

These issues are due in part because of a known issue with the LDAP SDK (CR 6969674). Using LDAP SDK, LDAP referrals are not honored in OpenSSO.

Workaround. There are no workarounds at this time.