This section describes the following known issues and workarounds, if available, at the time of the release.
Incompatibility between Java ES 2004Q2 servers and IM on Java ES 2005Q4 (6309082)
Incompatibilities exist in core authentication module for legacy mode (6305840)
Agent cannot login because “Profile not in the organization” (6295074)
Delegated Administrator commadmin utility does not create a user (6294603)
Delegated Administrator commadmin utility does not create an organization (6292104)
The following deployment scenario caused this problem:
server-1: Java ES 2004Q2: Directory Server
server-2: Java ES 2004Q2: Application Server, Access Manager, and Portal Server
server-3: Java ES 2004Q2: Calendar Server and Messaging Server
server-4: Java ES 2005Q4: Application Server, Instant Messaging, and Access Manager SDK
When running the imconfig utility to configure Instant Messaging on server-4, the configuration was not successful. The Access Manager 7 2005Q4 SDK, which is used by Instant Messaging (IM) on server-4, is not compatible with the Java ES 2004Q2 release.
Workaround: Ideally, the Access Manager server and Access Manager SDK should be the same release. For more information, see the Sun Java Enterprise System 2005Q4 Upgrade Guide.
Access Manager 7 2005Q4 legacy mode has the following incompatibilities in the core authentication module from Access Manager 6 2005Q1:
Organization Authentication Modules are removed in legacy mode.
The presentation of the “Administrator Authentication Configuration” and “Organization Authentication Configuration” has changed. In the Access Manager 7 2005Q4 Console, the drop-down list has ldapService selected by default. In the Access Manager 6 2005Q1 Console, the Edit button was provided, and the LDAP module was not selected by default.
Workaround: None.
In the Access Manager Console, create an agent in Realm Mode. If you log out and then login again using the agent name, Access Manager returns an error because the agent does not have the privileges to access the realm.
Workaround: Modify the permissions to allow read/write access for the agent.
The Delegated Administrator commadmin utility with the -S mail,cal option does not create a user in the default domain.
Workaround: This problem occurs if you upgrade Access Manager to version 7 2005Q4 but you do not upgrade Delegated Administrator. For information about upgrading Delegated Administrator, see the Sun Java Enterprise System 2005Q4 Upgrade Guide.
If you do not plan to upgrade Delegated Administrator, follow these steps:
In the UserCalendarService.xml file, mark the mail, icssubcribed, and icsfirstday attributes as optional instead of required. This file is located by default in the /opt/SUNWcomm/lib/services/ directory on Solaris systems.
In Access Manager, remove the existing XML file by running the amadmin command, as follows:
# ./amadmin -u amadmin -w password -r UserCalendarService
In Access Manager, add the updated XML file, as follows:
# ./amadmin -u amadmin -w password -s /opt/SUNWcomm/lib/services/UserCalendarService.xml
Restart the Access Manager web container.
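Steps 1 through 4 above, as an added shell example that is not part of the Sun release notes or of Delegated Administrator: it flips the named attributes from required to optional and keeps a backup so the change can be diffed before the service is reloaded. It assumes the Access Manager service schema layout in which each <AttributeSchema ...> opening tag sits on one line and the required flag is carried in that tag's any="..." attribute (for example any="required" or any="display|required"); both the layout and the sample file used for checking are assumptions, not the real UserCalendarService.xml.

```shell
#!/bin/sh
# Added example (not Sun's code): mark the named attributes optional in an
# Access Manager service schema file, keeping a .orig copy.
# Assumption: each <AttributeSchema ...> opening tag is on a single line and
# carries the required flag inside any="..." (e.g. any="required",
# any="display|required").
# Usage: make_optional /opt/SUNWcomm/lib/services/UserCalendarService.xml mail icssubcribed icsfirstday

make_optional() {
    xml=$1; shift
    [ -f "$xml" ] || { echo "no such file: $xml" >&2; return 2; }
    cp "$xml" "$xml.orig" || return 3
    script=$(mktemp) || return 3
    for attr in "$@"; do
        # One sed command per attribute: on the line that opens the
        # AttributeSchema for this name, turn "required" inside any="..."
        # into "optional" and leave the other flags in the list alone.
        printf '/<AttributeSchema[^>]*name="%s"/s/\\(any="[^"]*\\)required/\\1optional/\n' "$attr" >> "$script"
    done
    sed -f "$script" "$xml.orig" > "$xml"; rc=$?
    rm -f "$script"
    return $rc
}

# Print how many attributes in the file are still flagged required.
count_required() {
    grep -c 'any="[^"]*required' "$1"
}
```

Diff the result against the .orig copy, then remove and re-add the service with the amadmin commands shown above. Passing the amadmin password with -w exposes it in the process list for the duration of the command; run it from a shell whose history is not recorded, or use a password-file option if the amadmin version in use provides one.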
The Delegated Administrator commadmin utility with the -S mail,cal option does not create an organization.
Workaround: See the workaround for the previous problem.
After applying patch 1, /tmp/amsilent file allows read access for all users (6370691)
On SDK install with container configuration, notification URL is not correct (6327845)
Access Manager classpath refers to expired JCE 1.2.1 package (6297949)
Installing Access Manager on an existing DIT requires rebuilding Directory Server indexes (6268096)
Log and debug directories permissions incorrect for non-root users (6257161)
Installer doesn't add platform entry for existing directory install (6202902)
After you apply patch 1, the /tmp/amsilent file allows read access for all users. A silent configuration file of this kind holds the administrator and Directory Manager passwords supplied during configuration, so any local account can read those credentials while the permissions are wrong.
Workaround: After you apply the patch, reset the permissions for the file to allow read access only by the Access Manager administrator.
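The workaround above, as an added shell example that is not from the Sun release notes or from Access Manager: instead of a bare chmod, the function refuses to touch a file owned by an unexpected account, tightens the mode to 600, and then re-reads the permissions to confirm the change took effect. The file path and the expected owner are parameters; /tmp/amsilent is only the default, and which account should own it is an assumption (the notes name only "the Access Manager administrator").

```shell
#!/bin/sh
# Added example (not from the Sun release notes or from Access Manager):
# tighten a silent-install file so only its owner can read it, then verify.
# Assumptions: $1 is the file (default /tmp/amsilent); the optional $2 is the
# account that should own it, for example the Access Manager administrator.

# Return 0 if any group or other permission bit is set (the file is exposed).
is_exposed() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. -rw-r--r--
    case "$mode" in
        ????------) return 1 ;;           # nothing granted to group/other
    esac
    return 0
}

# Return 0 if the file is owned by the expected account.
owned_by() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]
}

lock_down_file() {
    f=${1:-/tmp/amsilent}
    owner=$2
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    if [ -n "$owner" ] && ! owned_by "$f" "$owner"; then
        # Do not silently "fix" a file planted by someone else in /tmp.
        echo "$f is not owned by $owner; refusing to change it" >&2
        return 3
    fi
    if is_exposed "$f"; then
        echo "$f is readable by group/other; setting mode 600" >&2
        chmod 600 "$f" || return 4
    fi
    # Re-check instead of trusting chmod's exit status, e.g. on a
    # filesystem that ignores mode changes.
    if is_exposed "$f"; then
        echo "$f is still exposed" >&2
        return 5
    fi
    return 0
}
```

The owner check matters because /tmp is shared: a file named amsilent that another user created there should be investigated, not chmod-ed and reused.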
If you perform an SDK installation with the container configuration (DEPLOY_LEVEL=4), the notification URL is not correct.
Workaround:
Set the following property in the AMConfig.properties file:
com.iplanet.am.notification.url=protocol://fqdn:port/amserver/servlet/com.iplanet.services.comm.client.PLLNotificationServlet
Restart Access Manager for the new value to take effect.
The Access Manager classpath refers to Java Cryptography Extension (JCE) 1.2.1 Package (Signing Certificate), which expired on July 27, 2005.
Workaround: None. Although the package reference is in the classpath, Access Manager does not use this package, so the expired signing certificate has no effect on Access Manager's cryptographic operations.
To improve the search performance, Directory Server has several new indexes.
Workaround: After you install Access Manager with an existing Directory Information Tree (DIT), rebuild the Directory Server indexes by running the db2index.pl script. For example:
# ./db2index.pl -D "cn=Directory Manager" -w password -n userRoot
The db2index.pl script is available in the DS-install-directory/slapd-hostname/ directory.
When a non-root user is specified in the silent install configuration file, permissions on the debug, logs, and starts directories are not set appropriately.
Workaround: Change the permissions on these directories to allow access for a non-root user.
Although the classpath and other Access Manager web container environment variables are updated during installation, the installation process does not restart the web container. If you try to login to Access Manager after installation before the web container is restarted, the following error is returned:
Authentication Service is not initialized. Contact your system administrator.
Workaround: Restart the web container before you login to Access Manager. Directory Server must also be running before you login.
The Java ES Installer does not add a platform entry for an existing directory server installation (DIRECTORY_MODE=2).
Workaround: Add the Realm/DNS aliases and platform server list entries manually. For the steps, see the Adding Additional Instances to the Platform Server List and Realm/DNS Aliases in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.
Access Manager ampre70upgrade script does not remove localized packages (6378444)
AMConfig.properties file has an old version for the web container (6316833)
Node agent server.policy file isn't updated as part of an Access Manager upgrade (6313416)
After upgrade, Session Property Condition is missing in the Condition list (6309785)
After upgrade, Identity Subject type is missing from the policy subject list (6304617)
Access Manager upgrade failed because the classpath is not migrated (6284595)
After upgrade, amadmin command returns wrong version shown (6283758)
Add ContainerDefaultTemplateRole attribute after data migration (4677779)
If you are upgrading Access Manager to Access Manager 7 2005Q4, the ampre70upgrade script does not remove any Access Manager localized packages that you have on your system.
Workaround: Before you upgrade to Access Manager 7 2005Q4, use the pkgrm command to manually remove any localized Access Manager packages that are installed on your system.
After Access Manager and Application Server are upgraded to Java ES 2005Q4 versions, the Access Manager AMConfig.properties file has an old version of Application Server.
Workaround: Before you run the Delegated Administrator configuration program (config-commda), change the following property in the AMConfig.properties file:
com.sun.identity.webcontainer=IAS8.1
After upgrading Access Manager, the node agent server.policy file isn't updated.
Workaround: Replace the server.policy file for the node agent with the following file:
/var/opt/SUNWappserver/domains/domain1/config/server.policy
After upgrading Access Manager from version 2005Q1 to version 2005Q4, the Session Property Condition is not displayed as a choice in the policy Condition list if you try to add a Condition to a policy.
Workaround: Select the Session Property Condition type in the policy configuration service template at the corresponding realm.
After upgrading Access Manager from version 2005Q1 to version 2005Q4, the Identity Subject, a newly added policy subject type, is not displayed as a choice in the policy subject list.
Workaround: Select the Identity Subject type as a default subject type in the policy configuration service template.
During the upgrade of Access Manager from Java ES 2004Q2 to Java ES 2005Q4, the upgrade from Java ES 2004Q2 to Java ES 2005Q1 failed. Access Manager was being deployed on Application Server, which was also being upgraded from Java ES 2004Q2 to Java ES 2005Q4. The classpath in the domain.xml file did not have Access Manager JAR file paths.
Workaround: Follow these steps:
Before running the amupgrade script, re-index Directory Server, because of a problem with the comm_dssetup.pl script.
Add entries for Access Manager to the server.policy file of the node agent. A copy of server.policy from the default server policy (/var/opt/SUNWappserver/domains/domain1/config/server.policy) is sufficient.
Update the classpath in the domain.xml file of the node agent as follows. Copy the classpath-suffix and relevant classpath from the server-classpath attributes of the java-config element from the server.xml file to the respective attributes in the java-config element of domain.xml. The java-config element can be found under the config element in domain.xml.
After Access Manager was upgraded from version 6 2005Q1 to version 7 2005Q4, the amadmin --version command returned the wrong version: Sun Java System Access Manager version 2005Q1.
Workaround: After you upgrade Access Manager, run the amconfig script to configure Access Manager. When you run amconfig, specify the full path to the configuration (amsamplesilent) file. For example, on a Solaris system:
# ./amconfig -s ./config-file
or
# ./amconfig -s /opt/SUNWam/bin/config-file
The user's role does not display under an organization that was not created in Access Manager. In debug mode, the following message is displayed:
ERROR: DesktopServlet.handleException() com.iplanet.portalserver.desktop.DesktopException: DesktopServlet.doGetPost(): no privilige to execute desktop
This error becomes evident after the Java ES installer migration scripts are run. The ContainerDefaultTemplateRole attribute is not automatically added to the organization when the organization is migrated from an existing directory information tree (DIT) or from another source.
Workaround: Use the Directory Server console to copy the ContainerDefaultTemplateRole attribute from another Access Manager organization and then add it to the affected organization.
Application Server 8.1 server.policy file must be edited when using non-default URIs (6309759)
Platform server list and FQDN alias attribute are not updated (6309259, 6308649)
Data validation for required attributes in the services (6308653)
Document workaround for deployment on a secure WebLogic 8.1 instance (6295863)
The amconfig script does not update the realm/DNS aliases and platform server list entries (6284161)
Default Access Manager mode is realm in the configuration state file template (6280844)
URL signing failed in IBM WebSphere when using RSA key (6271087)
If you are deploying Access Manager 7 2005Q4 on Application Server 8.1 and you are using non-default URIs for the services, console, and password web applications, which have default URI values of amserver, amconsole, and ampassword, respectively, you must edit the application server domain's server.policy file before attempting to access Access Manager via a web browser.
Workaround: Edit the server.policy file as follows:
Stop the Application Server instance on which Access Manager is deployed.
Change to the /config directory. For example:
cd /var/opt/SUNWappserver/domains/domain1/config
Make a backup copy of the server.policy file. For example:
cp server.policy server.policy.orig
In the server.policy file, look for the following policies:
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" { ... };
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amconsole/-" { ... };
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/ampassword/-" { ... };
Replace amserver with the non-default URI used for the services web application in the following line:
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" {
For legacy mode installations, replace amconsole with the non-default URI used for the console web application in the following line:
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amconsole/-" {
Replace ampassword with the non-default URI used for the password web application in the following line:
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/ampassword/-" {
Start the Application Server instance on which Access Manager is deployed.
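The server.policy edit above, as an added shell example that is neither Sun's amconfig script nor part of Application Server: it rewrites only the j2ee-modules path component of the grants for the applications you name, keeps server.policy.orig, and leaves any application you do not mention untouched (so amconsole can be skipped for a realm-mode installation, as the note above allows). It assumes the non-default URI contains neither "/" nor "#", and the server.policy used for checking is a constructed fragment, not the real file.

```shell
#!/bin/sh
# Added example (not Sun's amconfig): rewrite the codeBase grants in an
# Application Server 8.1 server.policy for non-default Access Manager URIs.
# Assumption: the new URI contains no "/" or "#" (it is used inside a sed
# s### command and as one path component).
# Usage: rewrite_policy_uris /var/opt/SUNWappserver/domains/domain1/config/server.policy amserver=sso ampassword=pwreset

rewrite_policy_uris() {
    policy=$1; shift
    [ -f "$policy" ] || { echo "no such file: $policy" >&2; return 2; }
    [ $# -gt 0 ] || { echo "nothing to rewrite" >&2; return 2; }
    script=""
    for pair in "$@"; do
        old=${pair%%=*}; new=${pair#*=}
        case "$old" in
            amserver|amconsole|ampassword) ;;
            *) echo "unknown web application: $old" >&2; return 4 ;;
        esac
        case "$new" in
            ''|*/*|*'#'*) echo "bad URI for $old: '$new'" >&2; return 4 ;;
        esac
        # Only the module directory inside the codeBase changes; the rest of
        # the grant (instanceRoot, permissions) is left exactly as it was.
        script="$script -e s#j2ee-modules/$old/-#j2ee-modules/$new/-#"
    done
    cp "$policy" "$policy.orig" || return 3
    sed $script "$policy.orig" > "$policy"
}

# Return 0 if the policy file contains a codeBase grant for the given module.
has_grant() {
    grep -q "j2ee-modules/$2/-\"" "$1"
}
```

Stop the Application Server instance before running it and start the instance afterwards, as in the steps above; the new grants only take effect when the server reloads server.policy.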
In a multiple server deployment, the platform server list and FQDN alias attribute are not updated if you install Access Manager on the second (and subsequent) servers.
Workaround: Add the Realm/DNS aliases and platform server list entries manually. For the steps, see the Adding Additional Instances to the Platform Server List and Realm/DNS Aliases in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.
Access Manager 7 2005Q4 enforces required attributes in service XML files to have default values.
Workaround: If you have services with required attributes that do not have values, add values for the attributes and then reload the service.
If you deploy Access Manager 7 2005Q4 into a secure (SSL enabled) BEA WebLogic 8.1 SP4 instance, an exception occurs during the deployment of each Access Manager web application.
Workaround: Follow these steps:
Apply the WebLogic 8.1 SP4 patch JAR CR210310_81sp4.jar, which is available from BEA.
In the /opt/SUNWam/bin/amwl81config script, (Solaris systems) or /opt/sun/identity/bin/amwl81config script (Linux systems), update the doDeploy function and the undeploy_it function to prepend the path of the patch JAR to the wl8_classpath, which is the variable that contains the classpath used to deploy and un-deploy the Access Manager web applications.
Find the following line containing the wl8_classpath:
wl8_classpath= ...
Immediately after the line you found in Step 2, add the following line:
wl8_classpath=path-to-CR210310_81sp4.jar:$wl8_classpath
In a multiple server deployment, the amconfig script does not update the realm/DNS aliases and platform server list entries for additional Access Manager instances.
Workaround: Add the Realm/DNS aliases and platform server list entries manually. For the steps, see the Adding Additional Instances to the Platform Server List and Realm/DNS Aliases in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.
By default, the Access Manager mode (AM_REALM variable) is enabled in the configuration state file template.
Workaround: To install or configure Access Manager in Legacy mode, reset the variable in the state file:
AM_REALM=disabled
When using an RSA key in IBM WebSphere, the signing of URL string failed with the following exception:
ERROR: FSSignatureUtil.signAndReturnQueryString: FSSignatureException occured while signing query string: no such provider: SunRsaSign
Workaround: The “SunRsaSign” provider is missing from the WebSphere bundled JDK. To fix this problem, edit the websphere_jdk_root/jre/lib/security/java.security file and add the following line to enable “SunRsaSign” as one of the providers (use the next unused security.provider.N index if 6 is already taken in your file):
security.provider.6=com.sun.rsajca.Provider
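The java.security edit above, as an added shell example that is not from Sun, IBM or BEA: rather than hard-coding index 6, it finds the highest security.provider.N line already in the file and appends the new provider at N+1, skipping the edit if the class is already registered. It assumes the existing provider list is contiguous (which the JDK requires anyway: a gap in the numbering stops the providers after it from loading) and the java.security fragment used for checking is constructed, not IBM's real file.

```shell
#!/bin/sh
# Added example (not from Sun, IBM or BEA): register a JCA provider class in a
# java.security file at the next free security.provider.N slot.
# Assumption: existing security.provider.N entries are numbered 1..N without
# gaps, as the JDK expects when it loads providers in index order.
# Usage: add_provider websphere_jdk_root/jre/lib/security/java.security com.sun.rsajca.Provider

# Print the highest N used by a security.provider.N= line, or 0 if none.
max_provider_index() {
    n=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -1)
    echo "${n:-0}"
}

# Return 0 if the class is already registered as a provider.
# (The dots in the class name are treated as regex wildcards; close enough
# for a duplicate check against a hand-maintained file.)
has_provider() {
    grep -q "^security\.provider\.[0-9][0-9]*=$2\$" "$1"
}

add_provider() {
    file=$1; class=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    [ -n "$class" ] || { echo "provider class required" >&2; return 2; }
    if has_provider "$file" "$class"; then
        echo "$class is already registered in $file" >&2
        return 0
    fi
    cp "$file" "$file.orig" || return 3
    n=$(( $(max_provider_index "$file") + 1 ))
    printf 'security.provider.%s=%s\n' "$n" "$class" >> "$file"
}
```

Because every JVM that uses this JDK picks up the change, restart the WebSphere instance afterwards and confirm that signing of the SAML query string no longer throws the "no such provider: SunRsaSign" exception.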
For SAML, duplicate Trusted Partner console edit errors (6326634)
Remote logging is not working for amConsole.access and amPasswordReset.access (6311786)
Adding more amadmin properties in the console is changing the amadmin user password (6309830)
New Access Manager Console cannot set the CoS template priorities (6309262)
Exception error occurs when adding a group to a user as a policy admin user (6299543)
In legacy mode, you cannot delete all users from a role (6293758)
Cannot add, delete, or modify Discovery Service resource offerings (6273148)
Wrong LDAP bind password should give error for the subject search (6241241)
Access Manager cannot create an organization under a container in legacy mode (6290720)
Old console appears when adding Portal Server related services (6293299)
In the Access Manager Console, create SAML Trusted Partner under the Federation > SAML tab. If you try to duplicate the Trusted Partner, errors occur.
Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.
When remote logging is configured, all logs are written to the remote Access Manager instance except amConsole.access and amPasswordReset.access (the password reset log). Those log records are not written anywhere, so console access and password reset activity go unrecorded while remote logging is enabled.
Workaround: None.
Adding or editing some of the properties for the amadmin user in the administration console causes the amadmin user password to change.
Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.
The new Access Manager 7 2005Q4 Console cannot set or modify a Class of Service (CoS) template priority.
Workaround: Login to the Access Manager 6 2005Q1 Console to set or modify a CoS template priority.
The Access Manager Console returns an exception error when you add a group to a user as a policy admin user.
Workaround: None.
In legacy mode, if you try to delete all users from a role, a user is left.
Workaround: Try again to delete the user from the role.
The Access Manager Administration Console does not allow you to add, delete, or modify the resource offerings for a user, role, or realm.
Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.
The Access Manager Administration Console is not returning an error when the wrong LDAP bind password is used.
Workaround: None.
If you create a container and then try to create an organization under the container, Access Manager returns a “uniqueness violation error”.
Workaround: None.
Portal Server and Access Manager are installed on the same server. With Access Manager installed in Legacy mode, login to the new Access Manager Console using /amserver. If you choose an existing user and try to add services (such as NetFile or Netlet), the old Access Manager Console (/amconsole) suddenly appears.
Workaround: None. The current version of Portal Server requires the Access Manager 6 2005Q1 Console.
Install Directory Server and then Access Manager with the existing DIT option. Login to the Access Manager Console and create a group. Edit the users in the group. For example, add users with the filter uid=*999*. The resulting list box is empty, and the console does not display any error, information, or warning messages.
Workaround: The group membership must not be greater than the Directory Server search size limit. If the group membership is greater, change the search size limit accordingly.
Can't remove Session Service configuration for a subrealm (6318296)
CDC servlet redirecting to the invalid login page when policy condition is specified (6311985)
Clients do not get notifications after the server restarts (6309161)
SDK clients need to restart after service schema change (6292616)
After creating a subrealm of the top-level realm and adding the Session Service to it, a subsequent attempt to remove the Session Service configuration caused an error message.
Workaround: Remove the default top-level ID repository, AMSDK1, and then add this repository back into the configuration.
This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.
With the Apache agent 2.2 in CDSSO mode, when accessing the agent protected resource, the CDC servlet redirects the user to the anonymous authentication page, instead of the default login page.
Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.
Applications written using the client SDK (amclientsdk.jar) do not get notifications if the server restarts.
Workaround: None.
If you modify any service schema, ServiceSchema.getGlobalSchema returns the old schema and not the new schema.
Workaround: Restart the client after a service schema change.
This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.
Null attribute LDAP search returns an error when Access Manager points to Directory Proxy (6357975)
New schema files are missing from amserveradmin script (6255110)
Cannot save XML documents with escape character in Internet Explorer 6.0 (4995100)
If you are using Sun Java System Directory Proxy Server, a null attribute LDAP search returns an error. For example:
# ldapsearch -b base-dn uid=user ""
If Access Manager points directly to Directory Server, the same search is successful.
Workaround: If you are using Directory Proxy Server, either enable null attribute searches or supply an attribute name for the search.
After installation, when you need to run amserveradmin script to load the services into Directory Server, the script is missing the defaultDelegationPolicies.xml and idRepoDefaults.xml schema files.
Workaround: Manually load the defaultDelegationPolicies.xml and idRepoDefaults.xml files using the amadmin CLI tool with the -t option.
If you add a special character (such as the string “amp;” next to an “&”) in an XML file, the file will save properly, however; if you later retrieve the XML profile using Internet Explorer 6.0, the file doesn't display properly. If you then try to save the profile again, an error is returned.
Workaround: None.
Unable to login to subrealm with LDAPV3 plugin/dynamic profile after correcting password (6309097)
Attribute uniqueness broken in the top-level organization for naming attributes (6204537)
The UrlAccessAgent SSO token expires because the application authentication module does not return the special-user DN. The special-user DN match therefore fails, and the token that should be non-expiring is issued as an ordinary expiring token.
Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.
In realm mode, if you create an ldapv3 datastore in a realm with a “wrong” password and you later change the password as amadmin, when you try to login again as the user with the changed password, the login fails, saying that no profile exists.
Workaround: None.
After installation with Access Manager in legacy mode, the default configuration for the Statistics Service has changed:
The service is turned on by default (com.iplanet.services.stats.state=file). Previously, it was off.
The default interval (com.iplanet.am.stats.interval) has changed from 3600 to 60.
The default stats directory (com.iplanet.services.stats.directory) has changed from /var/opt/SUNWam/debug to /var/opt/SUNWam/stats.
Workaround: None.
After you install Access Manager, login as amadmin and add the o, sunPreferredDomain, associatedDomain, sunOrganizationAlias, uid, and mail attributes to the Unique Attribute List. If you create two new organizations with the same name, the operation fails, but Access Manager displays the “organization already exists” message rather than the expected “attribute uniqueness violated” message.
Workaround: None. Ignore the incorrect message. Access Manager is functioning correctly.
Access Manager instances across time zones timeout other user sessions (6323639)
Session failover (amsfoconfig) script has incorrect permissions on Linux 2.1 system (6298433)
Session failover (amsfoconfig) script fails on Linux 2.1 system (6298462)
System creates invalid service host name when load balancer has SSL termination (6245660)
Using HttpSession with third-party web containers (No CR number)
Access Manager instances installed across different time zones and in the same circle of trust cause user sessions to timeout.
The session failover configuration script (/opt/sun/identity/bin/amsfoconfig) has incorrect permissions and is not executable on Linux 2.1 system.
Workaround: Change the permissions to make the amsfoconfig script executable (for example, 755).
This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.
The session failover configuration script (amsfoconfig) fails on Linux 2.1 server because the tab character (\t) is not being interpreted correctly.
Workaround: Configure session failover manually. For the steps, see Configuring Session Failover Manually in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.
This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.
If Access Manager is deployed with Web Server as the web container using a load balancer with SSL termination, clients are not directed to the correct Web Server page. Clicking the Sessions tab in the Access Manager Console returns an error because the host is invalid.
Workaround: In the following examples, Web Server listens on port 3030. The load balancer listens on port 80 and redirects requests to Web Server.
In the web-server-instance-name/config/server.xml file, edit the servername attribute to point to the load balancer, depending on the release of Web Server you are using.
For Web Server 6.1 Service Pack (SP) releases, edit the servername attribute as follows:
<LS id="ls1" port="3030" servername="loadbalancer.example.com:80" defaultvs="https-sample" security="false" ip="any" blocking="false" acceptorthreads="1"/>
Web Server 6.1 SP2 (or later) can switch the protocol from http to https or https to http. Therefore, edit servername as follows:
<LS id="ls1" port="3030" servername="https://loadbalancer.example.com:443" defaultvs="https-sample" security="false" ip="any" blocking="false" acceptorthreads="1"/>
The default method of maintaining sessions for authentications is “internal session” instead of HttpSession. The default invalid session maximum time value of three minutes is sufficient. The amtune script sets the value to one minute for Web Server or Application Server. However, if you are using a third-party web container (IBM WebSphere or BEA WebLogic Server) and the optional HttpSession, you might need to limit the web container's maximum HttpSession time limit to avoid performance problems.
The deletion of dynamic attributes in Policy Configuration Service causes issues in editing of policies for this scenario:
Create two dynamic attributes in the Policy Configuration Service.
Create a policy and select the dynamic attributes (from Step 1) in the response provider.
Remove the dynamic attributes in the Policy Configuration Service and create two more attributes.
Try to edit the policy created in Step 2.
Results are: “Error Invalid Dynamic property being set.” No policies were displayed in the list by default. After a search is done, the policies are displayed, but you cannot edit or delete the existing policies or create a new policy.
Workaround: Before removing the dynamic attributes from the Policy Configuration Service, remove the references to those attributes from the policies.
Access Manager 7 2005Q4 startup returns the debug errors in amDelegation and amProfile debug files:
amDelegation: Unable to get an instance of plugin for delegation
amProfile: Got Delegation Exception
Workaround: None. You can ignore these messages.
If you deploy Access Manager using BEA WebLogic Server as the web container, Access Manager might not be accessible.
Workaround: Restart WebLogic Server a second time for Access Manager to be accessible.
If you are running Application Server 8.1 on Red Hat Linux, the stack size of the threads created by the Red Hat OS for Application Server is 10 Mbytes, which can cause JVM resource problems when the number of Access Manager user sessions reaches 200.
Workaround: Set the Red Hat OS stack size to a smaller value such as 2048 or even 256 Kbytes by running the ulimit command before you start Application Server. Run the ulimit command in the same shell that you will use to start Application Server, because the limit applies only to that shell and the processes it starts. For example:
# ulimit -s 256
Running the web services sample returns “Resource offering not found” (6359900)
Special characters (&) in SAML statements should be encoded (6321128)
Exception occurs when trying to add Disco Service to a role (6313437)
EP Sample does not work if root suffix contains “&” character (6300163)
When Access Manager is configured to access the web services samples under the AccessManager-base/SUNWam/samples/phase2/wsc directory on Solaris systems or the AccessManager-base/identity/samples/phase2/wsc directory on Linux systems, querying the Discovery Service or modifying the Resource Offering returns the error message: “Resource offering not found”.
AccessManager-base is the base installation directory. The default base installation directory is /opt on Solaris systems and /opt/sun on Linux systems.
Workaround:
Go to the following samples directory: AccessManager-base/SUNWam/samples/phase2/wsc on Solaris systems or AccessManager-base/identity/samples/phase2/wsc on Linux systems.
In the index.jsp file, search for the following string:
com.sun.org.apache.xml.security.utils.XMLUtils.outputDOM
Immediately before the line that contains the string you found in the previous step, insert the following new line:
com.sun.org.apache.xml.security.Init.init();
Re-run the sample. (You do not need to restart Access Manager.)
If you setup an identity provider (IDP) and a service provider (SP), change the communication protocol to use the browser Artifact profile, and then try to federate users between the IDP and SP, the federation fails.
Workaround: None.
With Access Manager as the source site and destination site and SSO configured, an error occurs in the destination site, because the special character (&) in the SAML statements is not encoded and hence the parsing of assertion fails.
Workaround: None. This problem is fixed in patch 1. See Access Manager 7 2005Q4 Patch 1 for information about applying the patch for your specific platform.
In the Access Manager Console, if you try to add a resource offering to the Disco Service, an unknown exception occurs.
Workaround: None.
Auth Context attributes are not configurable until you have configured and saved other attributes.
Workaround: Configure and save a provider profile before you configure the Auth Context attributes.
If Directory Server has a root suffix that contain the “&” character and you try to add an Employee Profile Service Resource Offering, an exception is thrown.
Workaround: None.
In realm mode, if you federate user accounts on an identity provider (IDP) and service provider (SP), terminate Federation, and then logout, an error occurs: Error: No sub organization found.
Workaround: None.
User locale preferences are not applied to the whole administration console (6326734)
Version information is blank when Access Manager is deployed on IBM WebSphere (6319796)
Multibyte characters are displayed as question marks in log files (5014120)
Parts of the Access Manager administration console are not following the user locale preferences but instead using the browser locale settings. This problem affects the Version, Logout and online help buttons as well as the contents of the Version and online help.
Workaround: Change the browser settings to the same locale as user preferences.
In all European locales (Spanish, German, and French), the online help is not fully accessible when Access Manager is deployed on an IBM WebSphere Application Server instance. The online help displays “Application Error” for these frames:
Upper frame, where the Help and Close buttons should be.
Left frame, where the Contents, Index, and Search buttons should be.
Workaround: Set your browser language setting to English and refresh the page to access the left frame. The upper frame, however, will still display “Application Error.”
In any locale, when Access Manager is deployed on an IBM WebSphere Application Server instance, the product version is not visible when you click the Version button. A blank page is displayed instead.
Workaround: None.
The Client Detection function is not working properly. Changes made in the Access Manager 7 2005Q4 Console are not automatically propagated to the browser.
Workaround: There are two workarounds:
Restart the Access Manager web container after you make a change in the Client Detection section.
or
Follow these steps in the Access Manager Console:
Click Client Detection under the Configuration tab.
Click the Edit link for genericHTML.
Under the HTML tab, click the genericHTML link.
Enter the following entry in the character set list: UTF-8;q=0.5 (Make sure that the UTF-8 q factor is lower than the other character sets of your locale.)
Save, logout, and login again.
Multibyte messages in log files in the /var/opt/SUNWam/logs directory are displayed as question marks (?). Log files are written in the native encoding of the locale, which is not always UTF-8. When a web container instance starts in a certain locale, its log files are written in the native encoding for that locale. If you switch to another locale and restart the web container instance, new messages are written in the native encoding of the current locale, but messages written in the previous encoding are displayed as question marks.
Workaround: Make sure to start any web container instances always using the same native encoding.
Document that Access Manager cannot revert from Realm Mode to Legacy Mode (6508473)
Document more information about disabling persistent searches (6486927)
Document Access Manager supported and unsupported privileges (2143066)
Document Windows Desktop SSO configuration for Windows 2003 (6487361)
Document steps to set up Distributed Authentication UI server passwords (6510859)
Online Help for “To create a new site name” needs more information (2144543)
Release Notes have wrong workaround for known issue (6422907)
Document com.iplanet.am.session.protectedPropertiesList in AMConfig.properties (6351192)
Document the roles and filtered roles support for LDAPv3 plug-in (6365196)
Document unused properties in the AMConfig.properties file (6344530)
com.iplanet.am.session.client.polling.enable on server side must not be true (6320475)
Default Success URL is incorrect in the console online help (6296751)
If you install Access Manager 7 2005Q4 in Realm Mode, you cannot revert to Legacy Mode.
If you install Access Manager 7 2005Q4 in Legacy Mode, however, you can change to Realm Mode by using the amadmin command with the -M option. Because this change cannot be undone, back up Directory Server before you run the command. For example:
amadmin -u cn=amAdmin,ou=People,dc=example,dc=com -w amadmin-password -M dc=example,dc=com
Access Manager uses persistent searches to receive information about Sun Java System Directory Server entries that change. By default, Access Manager creates the following persistent search connections during server startup:
aci - Changes to the aci attribute, with the search using the LDAP filter (aci=*)
sm - Changes in the Access Manager information tree (or service management node), which includes objects with the sunService or sunServiceComponent marker object class. For example, you might create a policy to define access privileges for a protected resource, or you might modify the rules, subjects, conditions, or response providers for an existing policy.
um - Changes in the user directory (or user management node). For example, you might change a user's name or address.
Disabling persistent searches for any of these components is not recommended, because a component with a disabled persistent search does not receive change notifications from Directory Server. Changes made in Directory Server for that component are therefore never propagated to the component's cache, and the cache goes stale.
For example, if you disable persistent searches for changes in the user directory (um), the Access Manager server will not receive notifications from Directory Server. Therefore, an agent would not get notifications from Access Manager to update its local user cache with the new values for the user attribute. Then, if an application queries the agent for the user attributes, it might receive the old value for that attribute.
Use this property only in special circumstances when absolutely required. For example, if you know that service configuration changes (such as changes to the values of the Session Service or the Authentication services) will not happen in a production environment, the persistent search for the service management (sm) component can be disabled. However, if any service configuration change is then made, a server restart is required for it to take effect. The same condition applies to the other persistent searches, specified by the aci and um values.
For more information, see CR# 6363157: New property disables persistent searches if absolutely required.
Privileges define the access permissions of administrators who are members of roles or groups that exist within a realm. Access Manager allows you to configure permissions for the following administrator types:
Realm administrators can perform all realm-related tasks, including defining identity repositories (data stores), configuring authentication, and defining policies.
Policy administrators can configure policies in existing realms.
The following privileges are supported:
Read and write access to all realm and policy properties. Defines read and write access privileges for realm administrators.
Read and write access for only policy properties. Defines read and write access privileges for policy administrators.
Combination of supported privileges: Read and write access only for policy properties and read only access to data stores. Other combinations of privileges are not supported.
When Access Manager servers are deployed behind a load balancer, cookie-based sticky request routing prevents a client request from being misrouted to an incorrect Access Manager server (that is, to a server that is not hosting the session). This feature was implemented in Access Manager 7 2005Q4 patch 3.
Previously, without cookie-based sticky request routing, requests from non-browser clients (such as policy agents and clients using the remote Access Manager client SDK) were often routed to an Access Manager server that was not hosting the session. That server then had to validate the session over back-channel communication with the server hosting it, which usually degraded performance. Cookie-based sticky request routing removes the need for this back-channel communication and thus improves Access Manager performance.
To implement cookie-based sticky request routing, the Access Manager deployment must be configured as a site. For information, see Configuring an Access Manager Deployment as a Site in Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.
To configure cookie-based sticky request routing:
To specify a cookie name, set the com.iplanet.am.lbcookie.name property in the AMConfig.properties file. Access Manager then generates the load balancer cookie value using the two-byte server ID (such as 01, 02, and 03). If you do not specify a cookie name, Access Manager generates the load balancer cookie value using the default name amlbcookie plus the two-byte server ID.
If you set the cookie name on the Access Manager server, you must use the same name in the AMAgent.properties file for a Policy Agent. Also, if you are using the Access Manager client SDK, you must also use the same cookie name used by the Access Manager server.
Note: Do not set the com.iplanet.am.lbcookie.value property, because Access Manager sets the cookie value using the two-byte server ID.
Configure your load balancer with the cookie name from Step 1. You can use a hardware or software load balancer with your Access Manager deployment.
If session failover is implemented, enable the com.sun.identity.session.resetLBCookie property for both Policy Agents and the Access Manager server.
For a Policy Agent, add and enable the property in the AMAgent.properties file.
For the Access Manager server, add and enable the property in the AMConfig.properties file.
For example:
com.sun.identity.session.resetLBCookie=true
If a failover situation occurs, the session is routed to a secondary Access Manager server, and the load balancer cookie value is set using the server ID for the secondary Access Manager server. Any subsequent requests for the session are then routed to the secondary Access Manager server.
To configure Windows Desktop SSO on Windows 2003, as described in Configuring Windows Desktop SSO in the Sun Java System Access Manager 7 2005Q4 Administration Guide, use the following ktpass command. Note that /rndpass replaces the password of the account named by /mapuser with a random value, so run the command once and keep the keytab file it writes:
ktpass /out filename /mapuser username /princ HTTP/hostname.domainname /crypto encryptiontype /rndpass /ptype principaltype /target domainname
For example:
ktpass /out demo.HTTP.keytab /mapuser http /princ HTTP/demo.identity.sun.com@IDENTITY.SUN.COM /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL /target IDENTITY.SUN.COM
For the syntax definitions, see the following site:
http://technet.microsoft.com/en-us/library/cc779157(WS.10).aspx
The following procedure describes how to set up the encrypted passwords for a Distributed Authentication UI server that communicates with an Access Manager server.
To set up the passwords for a Distributed Authentication UI server:
On the Access Manager server:
Encrypt the amadmin password using the ampassword -e utility. For example, on Solaris systems:
# cd /opt/SUNWam/bin
# ./ampassword -e amadmin-password
AQIC0K3omEozd544XEJIg25GT2wi1D7UAQLX
Save this encrypted value.
Copy and save the am.encryption.pwd property value from the Access Manager server's AMConfig.properties file. For example:
am.encryption.pwd=ydV8JXhJF2J35vpxjZRiGt7SH/7mUr+Y
On the Distributed Authentication UI server, make these changes to the AMConfig.properties file:
Comment out the com.iplanet.am.service.password property.
Set the com.iplanet.am.service.secret property to the encrypted amadmin password from Step 1a.
Add the am.encryption.pwd and encrypted value that you copied from Step 1b. For example:
com.sun.identity.agents.app.username=username
#com.iplanet.am.service.password=password
com.iplanet.am.service.secret=AQIC0K3omEozd544XEJIg25GT2wi1D7UAQLX
am.encryption.pwd=ydV8JXhJF2J35vpxjZRiGt7SH/7mUr+Y
Restart the Distributed Authentication UI server.
The Access Manager Console online Help is missing the Save step for “To create new site name” under Configuration>System Properties>Platform. If you don't click Save after adding a new site name and you then try to add an instance name, the process fails. Therefore, always click Save after adding the site name, and then add the instance name.
On Solaris and Linux systems, the Access Manager administrator (amadmin) password configuration parameter in the amsamplesilent file is ADMINPASSWD. On Windows systems, however, the parameter in the AMConfigurator.properties file is ADMIN_PASSWD.
If you are running amconfig.bat on Windows systems, set the amadmin password in the AMConfigurator.properties file using the ADMIN_PASSWD parameter, not ADMINPASSWD.
Step 3 of the workaround for Running the web services sample returns “Resource offering not found” (6359900) has been corrected.
The com.iplanet.am.session.protectedPropertiesList parameter lets you protect certain core or internal session properties from remote updates through the SetProperty method of the Session Service. By setting this “hidden” security parameter, you can use custom session attributes safely in authorization decisions and other Access Manager features, because a remote client can no longer change a protected attribute's value. To use this parameter:
With a text editor, add the parameter to the AMConfig.properties file.
Set the parameter to the session properties that you want to protect. For example:
com.iplanet.am.session.protectedPropertiesList = PropertyName1,PropertyName2,PropertyName3
Restart the Access Manager Web container for the values to take effect.
After applying the respective patch, you can configure roles and filtered roles for the LDAPv3 plug-in, if the data is stored in Sun Java System Directory Server (fixes CR 6349959). In the Access Manager 7 2005Q4 Administrator Console, in LDAPv3 configuration for the “LDAPv3 Plugin Supported Types and Operations” field, enter the values as:
role: read,edit,create,delete
filteredrole: read,edit,create,delete
You can enter one or both of the above entries, depending on the roles and filtered roles you plan to use in your LDAPv3 configuration.
The following properties in the AMConfig.properties file are not used:
com.iplanet.am.directory.host
com.iplanet.am.directory.port
The com.iplanet.am.session.client.polling.enable property in the AMConfig.properties file must never be set to true on the server side.
Workaround: This property is set to false by default and should never be reset to true.
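The following script is an added example; it is not part of these release notes or of the Access Manager product. It parses an AMConfig.properties file and checks it against the settings discussed in the persistent search, cookie-based sticky request routing, Distributed Authentication UI password, protectedPropertiesList, and unused and polling property notes above. The sample configuration embedded in it is constructed for the example. The page refers to the persistent-search property only by its CR number; the name com.sun.am.event.connection.disable.list used here is an assumption, so adjust it to the property documented for your patch level.

```python
"""Audit an AMConfig.properties file against the Access Manager 7 2005Q4 notes above."""

# Constructed sample server-side AMConfig.properties for this example (not a real
# deployment); it deliberately contains several of the mistakes the notes warn about.
SAMPLE_SERVER_CONFIG = """\
com.iplanet.am.server.host=am1.example.com
com.iplanet.am.lbcookie.name=amlbcookie
com.iplanet.am.lbcookie.value=01
com.iplanet.am.session.client.polling.enable=true
com.iplanet.am.session.protectedPropertiesList = Organization, AuthLevel
com.iplanet.am.directory.host=ds.example.com
com.iplanet.am.directory.port=389
com.sun.am.event.connection.disable.list=sm,um
com.sun.identity.session.resetLBCookie=true
"""

# ASSUMED name of the property from CR 6363157 that disables persistent searches;
# the release notes refer to it only by CR number.
DISABLE_LIST_PROPERTY = "com.sun.am.event.connection.disable.list"

UNUSED_PROPERTIES = ("com.iplanet.am.directory.host", "com.iplanet.am.directory.port")


def parse_properties(text):
    """Parse key=value lines the way java.util.Properties reads this file:
    '#' and '!' start comments, whitespace around key and value is dropped,
    and quotes are NOT stripped (a value of 'true' is the 6-char string 'true')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def protected_properties(props):
    """Session property names listed in com.iplanet.am.session.protectedPropertiesList."""
    raw = props.get("com.iplanet.am.session.protectedPropertiesList", "")
    return [name.strip() for name in raw.split(",") if name.strip()]


def audit(props, role="server", session_failover=False):
    """Return (severity, message) findings. role is 'server' for an Access Manager
    server or 'dauth' for a Distributed Authentication UI server."""
    findings = []
    # Quoted values are a common mistake: java.util.Properties keeps the quotes literally.
    for key, value in props.items():
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            findings.append(("warning", f"{key} has a quoted value {value}; the quotes become part of the value"))
    if role == "server":
        if props.get("com.iplanet.am.session.client.polling.enable", "false").lower() == "true":
            findings.append(("error", "com.iplanet.am.session.client.polling.enable must not be true on the server side"))
        if "com.iplanet.am.lbcookie.value" in props:
            findings.append(("error", "com.iplanet.am.lbcookie.value is set; Access Manager derives the value from the two-byte server ID"))
        if session_failover and props.get("com.sun.identity.session.resetLBCookie", "").lower() != "true":
            findings.append(("error", "session failover is configured but com.sun.identity.session.resetLBCookie is not true"))
        for comp in [c.strip() for c in props.get(DISABLE_LIST_PROPERTY, "").split(",") if c.strip()]:
            findings.append(("warning", f"persistent search disabled for '{comp}'; its cache goes stale until the server is restarted"))
        for key in UNUSED_PROPERTIES:
            if key in props:
                findings.append(("info", f"{key} is not used by Access Manager 7 2005Q4"))
    elif role == "dauth":
        if "com.iplanet.am.service.password" in props and "com.iplanet.am.service.secret" in props:
            findings.append(("warning", "both com.iplanet.am.service.password and com.iplanet.am.service.secret are set; comment out the cleartext password"))
        if "com.iplanet.am.service.secret" in props and "am.encryption.pwd" not in props:
            findings.append(("error", "com.iplanet.am.service.secret is set but am.encryption.pwd is missing, so the secret cannot be decrypted"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_properties(SAMPLE_SERVER_CONFIG), session_failover=True):
        print(f"{severity:8} {message}")
```

Run it against a copy of the server's AMConfig.properties with role="server" (and session_failover=True if you have configured session failover), and against the Distributed Authentication UI server's file with role="dauth". The parser deliberately mirrors java.util.Properties in not stripping quotes, so a value such as 'true' is reported rather than silently accepted.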
The Default Success URL is incorrect in the service.scserviceprofile.iplanetamauthservice.html online help file. The Default Success URL field accepts a list of multiple values that specify the URL where users are redirected after successful authentication. The format of this attribute is clientType|URL, although you can specify only the value of the URL, which assumes a default type of HTML.
The “/amconsole” default value is incorrect.
Workaround: The correct default value is “/amserver/console”.
To enable XML encryption for either Access Manager or Federation Manager using the Bouncy Castle JAR file to generate a transport key, follow these steps:
If you are using a JDK version earlier than JDK 1.5, download the Bouncy Castle JCE provider from the Bouncy Castle site (http://www.bouncycastle.org/). For example, for JDK 1.4, download the bcprov-jdk14-131.jar file.
If you downloaded a JAR file in the previous step, copy the file to the jdk_root/jre/lib/ext directory.
For the domestic version of the JDK, download the JCE Unlimited Strength Jurisdiction Policy Files from the site (http://www.oracle.com/technetwork/java/index.html) for your version of the JDK. For IBM WebSphere, go to the corresponding IBM site to download the required files.
Copy the downloaded US_export_policy.jar and local_policy.jar files to the jdk_root/jre/lib/security directory.
If you are using a JDK version earlier than JDK 1.5, edit the jdk_root/jre/lib/security/java.security file and add Bouncy Castle as one of the providers. For example:
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
Set the following property in the AMConfig.properties file to true:
com.sun.identity.jss.donotInstallAtHighestPriority=true
Restart the Access Manager web container.
For more information, refer to problem ID 5110285 (XML encryption requires Bouncy Castle JAR file).
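The following shell helpers are an added example for the Bouncy Castle steps above; they are not part of these release notes or of the Access Manager product. The security.provider.6 line shown in the procedure is only correct when the JDK's java.security file already lists five providers, so add_bc_provider computes the next free index instead of hard-coding it, and set_property edits a single key in AMConfig.properties without leaving a duplicate line behind. The file paths in the usage comment are assumptions about a typical installation.

```sh
#!/bin/sh
# Added example helpers for the Bouncy Castle / XML-encryption procedure above.

BC_PROVIDER=org.bouncycastle.jce.provider.BouncyCastleProvider

# add_bc_provider JAVA_SECURITY_FILE
# Appends Bouncy Castle as security.provider.N, where N is one more than the
# highest provider index already present (commented-out lines are ignored), so
# the index is right whatever JDK the file came from.  Prints the index used,
# or "already present" if the provider is already registered.
add_bc_provider() {
    file=$1
    if grep -q "^security\.provider\.[0-9][0-9]*=$BC_PROVIDER" "$file"; then
        echo "already present"
        return 0
    fi
    last=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$file" | sort -n | tail -1)
    [ -n "$last" ] || last=0
    next=$((last + 1))
    printf 'security.provider.%s=%s\n' "$next" "$BC_PROVIDER" >> "$file"
    echo "$next"
}

# set_property PROPERTIES_FILE KEY VALUE
# Sets KEY=VALUE in a Java properties file, replacing an existing uncommented
# line for KEY or appending one.  VALUE must not contain '|' or '&' (sed syntax).
set_property() {
    file=$1 key=$2 value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^$esc=" "$file"; then
        tmp="$file.tmp.$$"
        sed "s|^$esc=.*|$key=$value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Usage on a real host (paths are assumptions; adjust jdk_root and the AM config dir):
#   add_bc_provider /usr/jdk/jre/lib/security/java.security
#   set_property /etc/opt/SUNWam/config/AMConfig.properties \
#       com.sun.identity.jss.donotInstallAtHighestPriority true
```

Both functions are idempotent, so they can be run again safely after a patch re-installs the JDK files; restart the Access Manager web container afterwards as the procedure states.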