| Skip Navigation Links | |
| Exit Print View | |
|
Sun Java System Access Manager 7.1 Release Notes |
Sun Java System Access Manager 7.1 Release Notes
About Sun Java System Access Manager 7.1
Access Manager 7.1 Patch Releases
Sun Java System LDAP JDK Patches
Access Manager 7.1 Patch 6 WAR File Issue on GlassFish 2.2.x (13730542)
Time to Live (TTL) is implemented for the Service Management (SMS) cache (6973683)
Retry mechanism is implemented in the PLL server (6963531)
Access Manager 7.1 patch Readme lists the required LDAP JDK patches (6959325)
New Features and Changes in Access Manager 7.1 Patch 4
New property prevents "Too many authentication attempts" error (6883136)
New property sets idle time out for policy agent sessions (6697260)
Access Manager session cookies can be marked as HTTPOnly (6843487)
ampassword utility has new options to hash and encrypt a password (6850818)
CDC Servlet inserts custom HTTP response header (6800246)
Changes to the updateschema.sh script (6870576)
Known Issues in Access Manager 7.1 Patch 4
updateschema.pl script fails with older version of ldapjdk.jar (6934848)
New Features and Changes in Access Manager 7.1 Patch 3
Sun Java System LDAP JDK Patches are Available
Running the updateschema Script is Required
Limitation is Removed for Creation of Data Store Authentication Module Instance in Legacy Mode
Backward Compatibility Issue Between Access Manager 7.1 and amclientsdk.jar is Fixed
Sun Java Web Console 3.1 Patches Are Required
New Property Prevents Sessions From Being Destroyed After Session Upgrade
New Property Allows SSO Token Restriction Other Than an IP Address
Distributed Authentication UI Server Works With Basic Authentication
SecurID Authentication Support is Added for Linux Systems
Known Issues in Access Manager 7.1 Patch 3
Single WAR Access Manager Deployment Cannot Use https Protocol Handler (6810092)
If config Directory Path on Windows Contains a Space, Patch 3 updateschema.pl Fails (6852463)
Hard-coded Path Should be Removed from Patch 3 updateschema.pl Script on Windows (6852467)
Access Manager 7.1 on WebLogic Server requires new ldapjdk.jar File (6774634)
Creation of Data Store authentication module instance fails in Legacy mode (6764919)
Sub-realm administrator can log in as amadmin in root realm (6761627)
New com.sun.identity.appendSessionCookieInURL property (6740071)
Backward compatibility issue between Access Manager 7.1 and amclientsdk.jar File (6754863)
Access Manager JAR files should include version number in MANIFEST.MF file (6693152)
Security permission is missing for CRL validation (6673538)
SecurID authentication is supported on Solaris x86 systems (6621802)
Access Manager Key Provider needs option to use types other than JKS format (6603228)
Delegation privileges cannot be defined for a filtered role (6486843)
Persistent cookie support is added (6600325)
Support for specific application idle session timeout values
Web Proxy Agent 2.2-01 in CDSSO mode does not work with Access Manager 7.1 Patch 1 (CR 6611841)
Distributed Auth UI does not work with a WebSphere Application Server 5.1.1.12 server (CR 6625928)
Password file exposed in a temporary directory after Patch 1 re-deployment (CR 6640377)
LDAP Failover not working properly (CR 6611627)
amconfig does not tag-swap and re-register the monitoring framework descriptor (CR 6636710)
amtune does not work if installed in a non-default directory (CR6640673)
amtune does not delete the world readable password file (CR 6640672)
amsfo.pl does not work for Windows (CR 6629189)
Not able to deploy WAR file generated by patch.bat if -l option is used for Windows (CR 6636474)
amserveradmin.bat throwing errors for Access Manager 7.1 Patch for Windows (CR 6631526)
Access Manager classpath not pointing to xml.sec.jar in Patch 1 for Windows (CR 6644461)
Post authentication plug-in supports Microsoft SharePoint (CR 6541695)
Retrieving schema from Active Directory data store fails (CR 6542686)
Access Manager supports the JDK 1.5 HttpURLConnection setReadTimeout method (CR 6536635)
G11n: CLI commands amhasetup and amserver are not localized (CR 6567135)
G11n: The User sub-tab incorrectly translated in French language (CR 6633529)
Web Security Service Issues Fixed
6543625 -- UserName token authentication can authenticate against a configured LDAP module
6543626 -- SOAPRequestHandler returns the SSOToken set in the Subject
6559603 -- Boolean configuration flag for "request" signing
6570021 Encryption supports SOAP messages with extra spaces.
Removed ACIs that cause unnecessary performance degradation (CR 6484947)
6.3-based console online help not displayed win Application Server 8.2 (CR 6587213)
Multiple passwords not required for amtune script
amtune-os will not run in local zone
Pre-Installation Considerations
Installing and Configuring Access Manager
Patch Installation Instructions
Patch Installation Instructions For Solaris Systems
Patch Installation Instructions For Linux Systems
Patch Installation Instructions For Windows Systems
Access Manager 7.1 Patch 1 Single WAR Deployment
New Container Versions Supported
Considerations for Single WAR Deployment with WebSphere 6.1
Considerations for Single WAR Deployment with Weblogic 9.2
Applying Patch 1 for Single WAR Deployment
Known Issues with Patch 1 WAR Deployment
Modifying SAML source ID in WAR deployment for Access Manager 7.1 Patch 1 (CR 6582972)
amAdmin from amAdminTools.zip Single WAR does not work with IBM JDK WebSphere 6.1 (CR 6618861)
Hardware and Software Requirements
General Compatibility Information
AMSDK intersystem incompatibility with Access Manager server
Upgrade not supported for Access Manager HPUX version
Java ES Silent Installation Using a State File
"Configure Now" Installation Option in Graphical Mode
"Configure Now" Installation Option in Text-Based Mode
"Configure Later" Installation Option
Determining the Access Manager Mode
Single WAR Configurator fails against DS (6562076)
Multi-server configuration of AM Single WAR on same host throws exception (6490150)
Required Services not supported in Access Manager 7.1 Console in Realm Mode (6615838)
Access Manager Single Sign-On fails on Universal Web Client (6367058, 6429573)
StackOverflowError occurs on Web Server 7.0 running in 64-bit mode (6449977)
Incompatibilities exist in core authentication module for legacy mode (6305840)
Delegated Administrator commadmin utility does not create a user (6294603)
Delegated Administrator commadmin utility does not create an organization (6292104)
Incorrect console redirection behind a load balancer (6480354)
Password Reset service reports notification errors when a password is changed (6455079)
Account Locking feature fails to send email notification when the user's account is locked (6760137)
Platform server list and FQDN alias attribute are not updated (6309259, 6308649)
Data validation for required attributes in the services (6308653)
Document workaround for deployment on a secure WebLogic 8.1 instance (6295863)
The amconfig script does not update the realm/DNS aliases and platform server list entries (6284161)
Default Access Manager mode is realm in the configuration state file template (6280844)
In Realm mode, creation of a new group generates Group Admin with ACIs that never get used (6485695)
New Access Manager Console cannot set the CoS template priorities (6309262)
Old console appears when adding Portal Server related services (6293299)
Add ContainerDefaultTemplateRole attribute after data migration (4677779)
Clients do not get notifications after the server restarts (6309161)
SDK clients need to restart after service schema change (6292616)
Attribute uniqueness broken in the top-level organization for naming attributes (6204537)
System creates invalid service host name when load balancer has SSL termination (6245660)
Using HttpSession with third-party web containers
Debug error occurs on Access Manager startup (6309274, 6308646)
Error displayed when performing AMIdentity.modifyService (6506448)
Group members don't show up in selected list (6459598)
Access Manager Login URL Returns Message "No such Organization found" (6430874)
Sub-org creation not possible from Access Manager when using amadmin (5001850)
The amconfig script fails when SSL certificate is expired. (6488777)
Clientsdk samples directory contains unwanted makefile (6490071)
JVM problems occur when running Access Manager on Application Server (6223676)
Access Manager auto configuration failed when installing on zh_TW and es locales (6515043)
HP-UX needs gettext binary with AM while installing Java Enterprise System full stack (6497926)
Logout error occurs in Federation (6291744)
Administration console components displayed in English in the zh locale (6470543)
Current Value and New value are incorrectly displayed in the console (6476672)
Policy condition date must be specified according to English custom (6390856)
Removing UTF-8 is not working in Client Detection (5028779)
Multi-byte characters are displayed as question marks in log files (5014120)
Missing information when configuring Access Manager in SSL mode (6660610)
Document the roles and filtered roles support for LDAPv3 plug-in (6365196)
Document unused properties in the AMConfig.properties file (6344530)
Document how to enable XML encryption (6275563)
Access Manager 7.1 Documentation Collection
Support for the Java SecurID Authentication Module
Access Manager in an Application Server Cluster
This release includes the following new features:
Access Manager 7.1 integrates with the Java Enterprise System monitoring framework through Java Management Extensions (JMX). JMX technology provides the tools for building distributed, Web-based, modular, and dynamic solutions for managing and monitoring devices, applications, and service-driven networks. Typical uses of the JMX technology include: consulting and changing application configuration, accumulating statistics about application behavior, notification of state changes and erroneous behaviors. Data is delivered to centralized monitoring console.
Access Manager 7.1 uses the Java ES Monitoring Framework to capture statistics and service-related data such as the following:
Number of attempted, successful, and failed authentications
Policy caching statistics
Policy evaluation transaction times
Access Manager 7.1 extends authentication capabilities to web services in the following ways:
Inserts tokens to outgoing messages
Evaluates incoming messages for security tokens
Enables point-and-click selection of Authentication providers for new applications
Access Manager includes a single WAR file you can use to deploy Access Manager services consistently to any supported container on any supported platform. The Access Manager WAR file can coexist with the Java Enterprise System installer, which deploys multiple JAR, XML, JSP, HTML, GIF, and various properties files.
For more information about staging, configuring, and deploying the Access Manager WAR file, see the Sun Java System Access Manager 7.1 Postinstallation Guide.
Web Containers supported
Sun Java System Web Server 7.0
Sun Java System Application Server 8.2
BEA WL 8.1 SP4
IBM WebSphere 5.1.1.6
Monitoring Framework Integration
Access Manager can use the Java Enterprise System Monitoring Framework to monitor the following:
Authentication
Number of authentications attempted
Number of remote authentications attempted (optional)
Number of successful authentications
Number of failed authentications
Number of successful logout operations
Number of failed logout operations
Transaction time for each module if possible (running and waiting states)
Sessions
Size of the session table (hence maximum number of sessions)
Number of active sessions (incremental counter)
Profile Service
Maximum cache size
Transaction time for operations (running and waiting)
Policy
Policy evaluation in and out requests
Policy connection pool statistics for the subject's plug-in's LDAP server
Authentication module
Distributed Authentication service not required to stick to one server for load-balanced deployments
Authentication service and server not required to stick to one server for load-balanced deployments
Composite advices support among Authentication service, Policy Agents, and Policy service. Includes AuthenticateToRealm condition, AuthenticateToService condition, and realm qualification to all conditions.
Advising organization (realm qualified Authentication conditions)
Authentication configurations / authentication chains (AuthServiceCondition)
Module-based authentication can now be disallowed if Authentication chaining is enforced
Distributed Authentication service supports Certificate authentication module
Added CertAuth to Distributed Authentication UI to make it a full featured credential extractor presentation
New Datastore authentication module as an out-of-box module which authenticates against the configured datastore for a given realm
Account lockout configuration now persistent across multiple AM server instances
Chaining of post-processing SPI classes
Policy module
A new policy condition AuthenticateToServiceCondition added, to enforce the user is authenticated to specifc authentication service chain.
A new policy condition AuthenticateToRealmCondition added, to enforce the user is authenticated to a specific realm.
A new policy condition LDAPFilterCondition is added, to enforce the user matches the specified ldap filter.
Support for one level wild card compare to facilitate protecting the contents of the directory without protecting sub-directory.
Policies can be created in subrealms without explicit referral policies from parent realm if organization alias referral is enabled in global policy configuration.
AuthLevelCondition can specify the realm name in addition to authentication level.
AuthSchemeCondition can specify the realm name in addition to authentication module name .
Service Management module
Support for storing Service Management/Policy configuration in Active Directory
Access Manager SDK
Support APIs for authenticating users to a default Identity Repository framework database
Web Services support
Liberty ID-WSF SOAP provider: Authentication provider that encapsulates the Liberty ID-WSF SOAP binding as implemented by Access Manager. This consists of a client and service provider.
HTTP layer SSO provider: HttpServlet layer authentication provider that encapsulates server-side Access Manager-based SSO
Installation module
Repackaging Access Manager as J2EE Application resulting in a single WAR file to become web deployable
Support for 64-bit SJS Web Server 7.0 - to support the 64-bit JVM
Delegation module
Support for grouping of delegation privileges
Upgrade
Supports upgrade to Access Manager 7.1 from the following versions: Access Manager 7.0 2005Q4, Access Manager 6.3 2005Q1, and Identity Server 6.2 2004Q2.
Logging
Support for delegation in logging module - controlling which Identities are authorized to write to or read from the log files.
Support JCE Based SecureLogHelper - making it possible to use JCE (in addition to JSS) as a security provider for Secure Logging implementation
Sun Java(TM) System Access Manager 7.1 identity management APIs and XML templates enable system administrators to create, delete, and manage identity entries in Sun Java System Directory Server. Access Manager also provides APIs for identity management. Developers use the public interfaces and classes defined in the com.iplanet.am.sdk package to integrate management functions into external applications or services to be managed by Access Manager. Access Manager APIs provide the means to create or delete identity-related objects as well as to get, modify, add, or delete the objects' attributes from Directory Server.
The Access Manager com.iplanet.am.sdk package, commonly known as AMSDK, will not be included in a future Access Manager release. This includes all related APIs and XML templates. No migration options are available now, and no migration options are expected to be available in the future. The user provisioning solutions provided by Sun Java System Identity Manager are compatible replacements that you can start to use now. For more information about Sun Java System Identity Manager, see http://www.oracle.com/us/products/middleware/identity-management/oracle-identity-manager/index.html.
|