Access Manager 7 2005Q4 Patch 4

Access Manager 7 2005Q4 patch 4 (revision 04) fixes the following problems:

• CR# 6463796: Disabling iPlanetAMClientDetection service for genericHTML prevents access to any Access Manager HTML page

• CR# 6463779: Distributed Authentication amProfile_Client and Access Manager Server amProfile_Server get filled with harmless exceptions

• CR# 6463730: Cross-site scripting (XSS) vulnerability exists with the goto and gx-charset parameters

• CR# 6435889: Method Session.getSession fails because RestrictedTokenContext is not set

Known Issues and Limitations in Patch 4

• CR# 6470055: Distributed Authentication UI server performance improvement

• CR# 6455079: Password reset service reports notification errors when a password is changed

CR# 6470055: Distributed Authentication UI server performance improvement

To improve performance in reading, searching, and comparing user attributes for a Distributed Authentication UI server user, follow these steps:

1. In the Makefile.distAuthUI file, change the application user name from anonymous to another user. For example:

   APPLICATION_USERNAME=user1

2. In Directory Server, add the new user (user1 in the example) and ACI to allow reading, searching, and comparing user attributes. The following example adds the new ACI:

   dn:ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com 
   changetype:modify add:aci 
   aci: (target="ldap:///ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com")
   (targetattr = *")(version 3.0; 
   acl "SunAM client data access to a Distributed Auth App User"; 
   allow (read, search, compare) 
   userdn =  "ldap:///uid=user1,ou=people,dc=example,dc=com";)

CR# 6455079: Password reset service reports notification errors when a password is changed

When a password is changed, Access Manager submits the email notification using the unqualified sender name Identity-Server, which results in error entries in the amPasswordReset logs. For example:

07/19/2006 10:26:04:010 AM PDT: Thread[service-j2ee,5,main]
ERROR: Could not send email to user [Ljava.lang.String;@999262
com.sun.mail.smtp.SMTPSendFailedException: 553 5.5.4 <Identity-Server>...
Domain name required for sender address Identity-Server

Workaround: Change the from address to include the fully qualified domain name of the host server in the amPasswordResetModuleMsgs.properties file:

1. Change the from address label. For example:

   fromAddress.label=<Identity-Server@amhost.example.com>

2. Change the lockOutEmailFrom property to insure that lockout notifications use the correct from address. For example:

   lockOutEmailFrom=<Identity-Server@amhost.example.com>

   The amPasswordResetModuleMsgs.properties file is in the AccessManager-base/SUNWam/locale directory on Solaris systems and the AccessManager-base/identity/locale directory on Linux systems.

   AccessManager-base is the base installation directory. The default base installation directory is /opt on Solaris systems and /opt/sun on Linux systems.