Access Manager 7 2005Q4 Patch 11

Access Manager 7 patch 11 (revision 11) fixes a number of problems, as listed in the README file included with the patch. Patch 11 also includes these issues and changes:

• CR# 6564877: Access Manager 7 patch installation overwrites SAML v2 files

• CR# 6872718: Persistent XSS attacks are prevented in Access Manager

• CR# 6843487: Access Manager session cookies can be marked as HTTPOnly

CR# 6564877: Access Manager 7 patch installation overwrites SAML v2 files

If the SAML v2 plug-in is installed and you install a new SAML v2 plug-in patch or Access Manager 7 patch, the patch installation overwrites the existing SAML v2 related files, and you must reconfigure your SAML v2 deployment.

Workaround: Run the saml2setup installer with the update option to update a previously configured staging directory with new files from a patch installation directory and to regenerate a modified WAR file for redeployment. The update option prevents the unconfigure and configure routine, which removes your existing SAML v2 files.

Note: The saml2setup installer with the update option is available in the SAML v2 Plug-in for Federation Services patch 1 or later. Therefore, you must add the SAML v2 plug-in patch 1 or later to use this option. Although the update option was first available in patch 1, Oracle recommends that you always install the latest patch. The patch IDs are:

• Solaris SPARC systems: 122983

• Solaris x86 systems: 122984

• Linux: 122985

To use the saml2setup installer with the update option, follow these steps:

1. Install the new Access Manager or SAML v2 patch.

2. If you installed an Access Manager patch in Step 1:

   1. Run amconfig to generate a new amserver.war.

   2. Update the SAML v2 staging directory with the new amserver.war.

   3. Reapply any necessary customizations for your deployment.

3. Run the saml2setup installer with the update option as follows:

   saml2setup update -s installation-configuration-properties-file

4. Redeploy the modified WAR file.

5. Restart the Access Manager or Federation Manager web container.

6. Do any postinstallation tasks required for the Access Manager or Federation Manager instance.

For information about the saml2setup installer, see Chapter 2, Installing the SAML v2 Plug-in for Federation Services, in Sun Java System SAML v2 Plug-in for Federation Services User’s Guide.

CR# 6872718: Persistent XSS attacks are prevented in Access Manager

Patch 11 prevents potential persistent cross-site scripting (XSS) attacks in Access Manager.

CR# 6843487: Access Manager session cookies can be marked as HTTPOnly

Patch 11 includes the new com.sun.identity.cookie.httponly property to allow Access Manager session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can avoid cross site scripting (XSS) attacks.

By default, the value for com.sun.identity.cookie.httponly is false. To set this new property, add it to the AMConfig.properties file with a value of true and then restart the Access Manager web container.