Oracle OpenSSO 8.0 Update 2 Release Notes

Chapter 2 OpenSSO 8.0 Update 2 Patch Releases

This chapter provides information about OpenSSO 8.0 Update 2 Patch 1.

OpenSSO 8.0 Update 2 Patch 1

Oracle OpenSSO 8.0 Update 2 patch 1 is available as patch ID 141655-05 on SunSolve: http://sunsolve.sun.com.

For information about installation, see Chapter 3, Installing OpenSSO 8.0 Update 2.

For a list of the problems fixed in patch 1, see the README file distributed with the patch.

Known Issues in OpenSSO 8.0 Update 2 Patch 1

CR 6978018: Running OpenSSO 8.0 in GlassFish 2.1.x using LDAPS with JDK 1.6.x

To run OpenSSO 8.0 in a GlassFish 2.1.x web container with an external directory server using LDAPS with JDK 1.6.x, set the NSS_USE_DECODED_CKA_EC_POINT environment variable to 1 before you start the GlassFish 2.1.x domain. For example:

NSS_USE_DECODED_CKA_EC_POINT=1
export NSS_USE_DECODED_CKA_EC_POINT
glassfish-root/bin/asadmin start-domain glassfish-domain

CR 7002787: OpenSSO 8.0 Update 2 is not working with Active Directory Data Store

This problem occurs for both OpenSSO 8.0 Update 2 and OpenSSO 8.0 Update 2 patch 1. If you create an Active Directory data store and then log in to the OpenSSO administration console using the Active Directory authentication module, OpenSSO returns the error message “User has no profile in this organization” to your browser.

Workaround. To use the Active Directory data store and authentication module with OpenSSO 8.0 Update 2 or OpenSSO 8.0 Update 2 patch 1, perform these steps:

  1. Log in to the OpenSSO Administration Console.

  2. Under the Active Directory data store configuration, make these changes:

    1. For the LDAPv3 Plug-in Supported Types and Operations, change:

      user=read,create,edit,delete

      to

      user=read,create,edit,delete,service

    2. In Attribute Name Mapping, add the following attribute mappings:

      • iplanet-am-user-alias-list=objectGUID

      • employeeNumber=distinguishedName

      • mail=userPrincipalName

      • portalAddress=sAMAccountName

      • telephonenumber=displayName

      • uid=sAMAccountName

    3. Click Save and log out of the console.

  3. Restart the OpenSSO web container.
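The following check is an added example, not part of the original release notes or of OpenSSO itself. It audits a data store's settings against the workaround above. It assumes you have copied the "LDAPv3 Plug-in Supported Types and Operations" and "Attribute Name Mapping" values out of the console as lists of key=value strings; the function names and that input format are hypothetical.

```python
# Added example: audits an Active Directory data store's settings against the
# CR 7002787 workaround. The input format (lists of "key=value" strings copied
# from the two console fields) is an assumption of this example.

REQUIRED_MAPPINGS = {
    "iplanet-am-user-alias-list": "objectGUID",
    "employeeNumber": "distinguishedName",
    "mail": "userPrincipalName",
    "portalAddress": "sAMAccountName",
    "telephonenumber": "displayName",
    "uid": "sAMAccountName",
}


def _parse(lines):
    """Parse "key=value" entries; LDAP attribute names compare case-insensitively."""
    parsed = {}
    for line in lines:
        key, sep, value = line.strip().partition("=")
        if sep and key.strip():
            parsed[key.strip().lower()] = value.strip()
    return parsed


def check_ad_datastore(supported_types, attribute_mappings):
    """Return a list of findings; an empty list means the workaround is in place."""
    findings = []
    ops = _parse(supported_types).get("user")
    if ops is None:
        findings.append("no 'user' entry in supported types and operations")
    elif "service" not in {o.strip().lower() for o in ops.split(",")}:
        findings.append("user entry lacks the 'service' operation: user=" + ops)
    current = _parse(attribute_mappings)
    for name, target in REQUIRED_MAPPINGS.items():
        actual = current.get(name.lower())
        if actual is None:
            findings.append(f"missing mapping {name}={target}")
        elif actual.lower() != target.lower():
            findings.append(f"{name} maps to {actual}, expected {target}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a data store before the workaround, with one wrong mapping.
    before_ops = ["user=read,create,edit,delete", "group=read,create,edit,delete"]
    before_map = ["uid=cn", "mail=userPrincipalName"]
    for finding in check_ad_datastore(before_ops, before_map):
        print("FINDING:", finding)
```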

CR 6897101: After a login to a non-default realm, user experiences multiple logins after a timeout

Previously, if a user entered valid credentials after an authentication module timeout occurred, the login screen for the second authentication module was presented and the user could enter an invalid password to get access to a protected resource.

Patch 1 fixes this CR; however, the fix works only with non-JAAS modules. If you write a custom authentication module, it must be a non-JAAS module.

CR 6983035: Remote console with OpenSSO server returns errors after a session timeout

If you log in to OpenSSO server from a remote console and a session timeout occurs, some console functions do not work properly. Also, errors are displayed if you click on various tabs in the console.

Workaround. After making changes from the remote console, log out from the remote console. To get rid of the errors, restart both OpenSSO server and the remote console.

CR 6983026: Remote console with OpenSSO server causes errors when modifying Federation or SAML v2 attributes requiring the certificate keystore

If you are using a remote console and try to save Federation or SAML properties that need access to the certificate keystore, errors are returned. This problem occurs because the certificate keystore resides on the OpenSSO server, and the remote console does not have access to the keystore.

Workaround. Use either of these solutions, depending on your deployment:

CR 6995584: “Post-Authentication Plug-In for First Time Login” sample requires OpenSSO 8.0 Update 1 or later

If you are using the sample in “Example 1–1 Code Sample: Post-Authentication Plug-In for First-Time Login” in the Sun OpenSSO Enterprise 8.0 Integration Guide, you must be running OpenSSO 8.0 Update 1 or later. Otherwise, the sample does not compile because the Java compiler cannot find the POST_PROCESS_LOGIN_SUCCESS_URL property, which was first available with OpenSSO 8.0 Update 1.