Sun Java System Access Manager 7 2005Q4 Release Notes

Session and SSO Issues

Access Manager instances across time zones time out other user sessions (6323639)

Access Manager instances that are installed in different time zones and belong to the same circle of trust cause user sessions to time out.

Session failover (amsfoconfig) script has incorrect permissions on Linux 2.1 system (6298433)

The session failover configuration script (/opt/sun/identity/bin/amsfoconfig) has incorrect permissions and is not executable on a Linux 2.1 system.

Workaround: Change the permissions to make the amsfoconfig script executable (for example, 755).

This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

Session failover (amsfoconfig) script fails on Linux 2.1 system (6298462)

The session failover configuration script (amsfoconfig) fails on a Linux 2.1 server because the tab character (\t) is not interpreted correctly.

Workaround: Configure session failover manually. For the steps, see Configuring Session Failover Manually in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.

This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.

System creates invalid service host name when load balancer has SSL termination (6245660)

If Access Manager is deployed with Web Server as the web container using a load balancer with SSL termination, clients are not directed to the correct Web Server page. Clicking the Sessions tab in the Access Manager Console returns an error because the host is invalid.

Workaround: In the following examples, Web Server listens on port 3030. The load balancer listens on port 80 and redirects requests to Web Server.

In the web-server-instance-name/config/server.xml file, edit the servername attribute to point to the load balancer, depending on the release of Web Server you are using.

For Web Server 6.1 Service Pack (SP) releases, edit the servername attribute as follows:

<LS id="ls1" port="3030" servername="loadbalancer.example.com:80" 
defaultvs="https-sample" security="false" ip="any" blocking="false" 
acceptorthreads="1"/>

Web Server 6.1 SP2 (or later) can switch the protocol from http to https or https to http. Therefore, edit servername as follows:

<LS id="ls1" port="3030" 
servername="https://loadbalancer.example.com:443" defaultvs="https-sample" 
security="false" ip="any" blocking="false" acceptorthreads="1"/>
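
A configuration check for the workaround above, added here as an example (it is not part of the release notes or of Access Manager): it reads the LS elements of a server.xml file and reports listeners whose servername does not name the load balancer. The sample XML, the ls2 listener, the host webserver1.example.com, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample (not from a real deployment): ls1 follows the SP2 form
# shown above; ls2 still advertises the Web Server host itself.
SAMPLE_SERVER_XML = """<SERVER>
  <LS id="ls1" port="3030" servername="https://loadbalancer.example.com:443"
      defaultvs="https-sample" security="false" ip="any" blocking="false"
      acceptorthreads="1"/>
  <LS id="ls2" port="3031" servername="webserver1.example.com:3031"
      defaultvs="https-sample" security="false" ip="any" blocking="false"
      acceptorthreads="1"/>
</SERVER>"""


def parse_servername(value):
    """Split "host:port" or "scheme://host:port" into (scheme, host, port)."""
    if "://" not in value:
        value = "//" + value  # let urlsplit treat it as a network location
    parts = urlsplit(value)
    scheme = parts.scheme or None
    # No explicit port: fall back to the scheme's default (80 when no scheme).
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, parts.hostname, port


def check_listeners(xml_text, lb_host, lb_port):
    """Return (listener id, problem) pairs for LS elements whose servername
    does not name the load balancer's host and port."""
    findings = []
    for ls in ET.fromstring(xml_text).iter("LS"):
        ls_id, name = ls.get("id", "?"), ls.get("servername")
        if not name:
            findings.append((ls_id, "servername attribute missing"))
            continue
        try:
            _scheme, host, port = parse_servername(name)
        except ValueError:  # non-numeric or out-of-range port
            findings.append((ls_id, "unparseable servername: " + name))
            continue
        if host != lb_host.lower():
            findings.append((ls_id, "host is %s, expected %s" % (host, lb_host)))
        elif port != lb_port:
            findings.append((ls_id, "port is %d, expected %d" % (port, lb_port)))
    return findings


if __name__ == "__main__":
    for ls_id, problem in check_listeners(SAMPLE_SERVER_XML, "loadbalancer.example.com", 443):
        print(ls_id + ": " + problem)
```
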

Using HttpSession with third-party web containers (No CR number)

The default method of maintaining sessions for authentications is “internal session” instead of HttpSession. The default invalid session maximum time value of three minutes is sufficient. The amtune script sets the value to one minute for Web Server or Application Server. However, if you are using a third-party web container (IBM WebSphere or BEA WebLogic Server) and the optional HttpSession, you might need to limit the web container's maximum HttpSession time limit to avoid performance problems.