Access Manager 7 patch 11 (revision 11) fixes a number of problems, as listed in the README file included with the patch. Patch 11 also includes these issues and changes:
CR# 6564877: Access Manager 7 patch installation overwrites SAML v2 files
CR# 6872718: Persistent XSS attacks are prevented in Access Manager
CR# 6843487: Access Manager session cookies can be marked as HTTPOnly
If the SAML v2 plug-in is installed and you install a new SAML v2 plug-in patch or Access Manager 7 patch, the patch installation overwrites the existing SAML v2 related files, and you must reconfigure your SAML v2 deployment.
Workaround: Run the saml2setup installer with the update option to update a previously configured staging directory with new files from a patch installation directory and to regenerate a modified WAR file for redeployment. The update option prevents the unconfigure and configure routine, which removes your existing SAML v2 files.
Note: The saml2setup installer with the update option is available in the SAML v2 Plug-in for Federation Services patch 1 or later. Therefore, you must add the SAML v2 plug-in patch 1 or later to use this option. Although the update option was first available in patch 1, Oracle recommends that you always install the latest patch. The patch IDs are:
Solaris SPARC systems: 122983
Solaris x86 systems: 122984
Linux: 122985
To use the saml2setup installer with the update option, follow these steps:
1. Install the new Access Manager or SAML v2 patch.
2. If you installed an Access Manager patch in Step 1:
   a. Run amconfig to generate a new amserver.war.
   b. Update the SAML v2 staging directory with the new amserver.war.
   c. Reapply any necessary customizations for your deployment.
3. Run the saml2setup installer with the update option as follows:
   saml2setup update -s installation-configuration-properties-file
4. Redeploy the modified WAR file.
5. Restart the Access Manager or Federation Manager web container.
6. Do any postinstallation tasks required for the Access Manager or Federation Manager instance.
For information about the saml2setup installer, see Chapter 2, Installing the SAML v2 Plug-in for Federation Services, in Sun Java System SAML v2 Plug-in for Federation Services User’s Guide.
Patch 11 prevents potential persistent cross-site scripting (XSS) attacks in Access Manager.
Patch 11 includes the new com.sun.identity.cookie.httponly property, which allows Access Manager session cookies to be marked as HTTPOnly so that scripts and third-party programs cannot access the cookies. Specifically, a session cookie marked as HTTPOnly cannot be read by client-side script, which reduces its exposure to cross-site scripting (XSS) attacks.
By default, the value for com.sun.identity.cookie.httponly is false. To set this new property, add it to the AMConfig.properties file with a value of true and then restart the Access Manager web container.
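As an added check (example code written for this page, not part of the patch README or the product), the script below confirms both that AMConfig.properties enables the property and that the Set-Cookie headers the web container emits actually carry the HttpOnly flag after the restart. The cookie name AMSESSION, the properties excerpt and the headers are constructed samples.

```python
"""Verify the com.sun.identity.cookie.httponly setting end to end."""
import re

PROPERTY = "com.sun.identity.cookie.httponly"

def parse_properties(text):
    """Minimal Java .properties parser: skips comments and blank lines,
    accepts '=' or ':' as the key/value separator."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def httponly_enabled(properties_text):
    """True only when the property is present and set to true; an absent
    property means the patch default (false) applies."""
    return parse_properties(properties_text).get(PROPERTY, "false").lower() == "true"

def cookie_flags(set_cookie):
    """Return (cookie name, set of lowercase attribute names) for one
    Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def missing_httponly(set_cookie_headers, session_cookie_name):
    """Names of session cookies served without HttpOnly (empty when all are OK)."""
    bad = []
    for header in set_cookie_headers:
        name, attrs = cookie_flags(header)
        if name == session_cookie_name and "httponly" not in attrs:
            bad.append(name)
    return bad

# Constructed samples: a properties excerpt with the patch 11 property added,
# and two Set-Cookie headers; AMSESSION is a hypothetical cookie name.
SAMPLE_PROPS = "# AMConfig.properties excerpt\ncom.sun.identity.cookie.httponly=true\n"
SAMPLE_HEADERS = [
    "AMSESSION=abc123; Path=/; Secure; HttpOnly",  # flag present
    "AMSESSION=abc123; Path=/",                    # flag missing
]

if __name__ == "__main__":
    print("property enabled:", httponly_enabled(SAMPLE_PROPS))
    print("cookies missing HttpOnly:", missing_httponly(SAMPLE_HEADERS, "AMSESSION"))
```

Feed real Set-Cookie values captured from the restarted web container into missing_httponly to confirm the change took effect rather than relying on the properties file alone.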