Access Manager 7 2005Q4 patch 4 (revision 04) fixes the following problems:
CR# 6463796: Disabling iPlanetAMClientDetection service for genericHTML prevents access to any Access Manager HTML page
CR# 6463779: Distributed Authentication amProfile_Client and Access Manager Server amProfile_Server get filled with harmless exceptions
CR# 6463730: Cross-site scripting (XSS) vulnerability exists with the goto and gx-charset parameters
CR# 6435889: Method Session.getSession fails because RestrictedTokenContext is not set
Known Issues and Limitations in Patch 4
CR# 6470055: Distributed Authentication UI server performance improvement
CR# 6455079: Password reset service reports notification errors when a password is changed
To improve performance in reading, searching, and comparing user attributes for a Distributed Authentication UI server user, follow these steps:
In the Makefile.distAuthUI file, change the application user name from anonymous to another user. For example:
APPLICATION_USERNAME=user1
In Directory Server, add the new user (user1 in the example) and ACI to allow reading, searching, and comparing user attributes. The following example adds the new ACI:
dn: ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com") (targetattr = "*")(version 3.0; acl "SunAM client data access to a Distributed Auth App User"; allow (read, search, compare) userdn = "ldap:///uid=user1,ou=people,dc=example,dc=com";)
When a password is changed, Access Manager submits the email notification using the unqualified sender name Identity-Server, which results in error entries in the amPasswordReset logs. For example:
07/19/2006 10:26:04:010 AM PDT: Thread[service-j2ee,5,main] ERROR: Could not send email to user [Ljava.lang.String;@999262
com.sun.mail.smtp.SMTPSendFailedException: 553 5.5.4 <Identity-Server>... Domain name required for sender address Identity-Server
Workaround: Change the from address to include the fully qualified domain name of the host server in the amPasswordResetModuleMsgs.properties file:
Change the from address label. For example:
fromAddress.label=<Identity-Server@amhost.example.com>
Change the lockOutEmailFrom property to ensure that lockout notifications use the correct from address. For example:
lockOutEmailFrom=<Identity-Server@amhost.example.com>
The amPasswordResetModuleMsgs.properties file is in the AccessManager-base/SUNWam/locale directory on Solaris systems and the AccessManager-base/identity/locale directory on Linux systems.
AccessManager-base is the base installation directory. The default base installation directory is /opt on Solaris systems and /opt/sun on Linux systems.
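A check for the workaround above, as an added example that is not part of the original release notes: it reads the two properties named in the workaround and flags any sender address that lacks a domain. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit amPasswordResetModuleMsgs.properties for unqualified
# sender addresses. Function names are hypothetical, not Access Manager tools.

# check_sender FILE KEY: prints the address found for KEY.
# Returns 0 if it looks like local@host.domain, 1 if unqualified, 2 if unset.
check_sender() {
    file=$1 key=$2
    # Escape dots so "fromAddress.label" is matched literally.
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    # Comment lines never match; the last assignment wins, as in Java properties.
    value=$(sed -n "s/^[[:space:]]*${key_re}[[:space:]]*[=:][[:space:]]*//p" "$file" | tail -n 1)
    [ -n "$value" ] || return 2
    # Drop the optional angle brackets, carriage returns and trailing blanks.
    addr=$(printf '%s' "$value" | tr -d '<>\r' | sed 's/[[:space:]]*$//')
    printf '%s\n' "$addr"
    case $addr in
        ?*@?*.?*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_senders FILE: checks both properties; exit status = number to fix.
audit_senders() {
    file=$1 bad=0
    for key in fromAddress.label lockOutEmailFrom; do
        if addr=$(check_sender "$file" "$key"); then
            echo "OK   $key=$addr"
        else
            echo "FIX  $key=${addr:-<not set>}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Pass the path to the properties file; with no argument, a constructed
# sample (one corrected property, one still unqualified) is audited instead.
if [ $# -gt 0 ]; then
    audit_senders "$1"
else
    sample=$(mktemp)
    printf '%s\n' 'fromAddress.label=<Identity-Server@amhost.example.com>' \
                  'lockOutEmailFrom=<Identity-Server>' > "$sample"
    audit_senders "$sample" || echo "$? property value(s) need a qualified sender"
    rm -f "$sample"
fi
```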