Sun Java System Access Manager 7.1 Release Notes for Microsoft Windows

Other Known Issues and Limitations

This section describes the following known issues and workarounds, if available, at the time of the 7.0 release.

Installation Issues

Installing Access Manager on an Existing DIT Requires Rebuilding Directory Server Indexes (6268096)

To improve the search performance, Directory Server has several new indexes.

Workaround: After you install Access Manager with an existing directory information tree (DIT), rebuild the Directory Server indexes by running the db2index.pl script. For example:

# ./db2index.pl -D "cn=Directory Manager" -w password -n userRoot

The db2index.pl script is available in the DS-install-directory/slapd-hostname directory.

Authentication Service Is Not Initialized When Access Manager and Directory Server Are Installed on Separate Machines (6229897)

Although the classpath and other Access Manager web container environment variables are updated during installation, the installation process does not restart the web container. If you try to login to Access Manager after installation before the web container is restarted, the following error is returned:

Authentication Service is not initialized. 
Contact your system administrator.

Workaround: Restart the web container before you login to Access Manager. Directory Server must also be running before you login.

Upgrade Issues

Portal Server and Web Console Do Not Work After Upgrading Java ES 4 Access Manager to Java ES 5 Access Manager (6515054)

After upgrading Java ES 4 Access Manager to Java ES 5 Access Manager, the deployed applications, Portal Server, and web console do not work.

Workaround: Copy the config.properties file from the Java ES 5 installation location to the Java ES 4 installation location:

copy install-Dir\share\MobileAccess\config\config.properties JavaES4-install-dir\PortalServer\https-host-name\portal\web-apps\WEB-INF\classes\

Configuration Issues

Active Perl 5.8 or Later Is Required to Configure Some Access Manager Modules

Active Perl 5.8 or later needs to be installed to configure the following components with Access Manager:

You can download Active Perl from http://www.activestate.com/Products/ActivePerl/.

Installer Unable to Configure Distributed Authentication and Client SDK Components

In Configure Automatically During Installation, the distributed authentication and client SDK components are not configured. No error message is displayed.

Workaround: Use the Configure Manually After Installation option during installation and manually configure the distributed authentication and client SDK components after installation.

am2bak.bat and bak2am.bat Files Not Generated Correctly (6491091)

Access Manager 7.1 does not support the backup (am2bak.bat) and restore (bak2am.bat) utilities.

Workaround: None.

User Account Is Not Deactivated After Many Successive Unsuccessful Logins (6469200)

User account is not deactivated after multiple unsuccessful logins to the Access Manager.

Workaround: Use the realm administration console (\amserver\console) to enable or disable the lockout utility. To set the Login Failure Lockout Mode attribute, follow these steps:

  1. Open the Access Manager GUI.

  2. Select the realm for which to enable lockout.

  3. Select the Authentication tab.

  4. Click the Advanced Properties button.

  5. Select the Login Failure Lockout Mode attribute.

  6. Save the properties by clicking the Save button.

Access Manager Console Issues

New Access Manager Console Cannot Set the CoS Template Priorities (6309262)

The new Access Manager 7.1 Console cannot set or modify a Class of Service (CoS) template priority.

Workaround: Login to the Access Manager 6 2005Q1 Console to set or modify a CoS template priority.

Old Console Appears When Adding Portal Server Related Services (6293299)

Portal Server and Access Manager are installed on the same server. With Access Manager installed in Legacy mode, log in to the new Access Manager Console using /amserver. If you choose an existing user and try to add services such as NetFile or Netlet, the old Access Manager Console (/amconsole) suddenly appears.

Workaround: None. The current version of Portal Server requires the Access Manager 6 2005Q1 Console.

Console Does Not Return the Results Set From Directory Server After Reaching the Resource Limit (6239724)

In the following situation, the Console does not display accurate information: Install Directory Server and then Access Manager with the existing DIT option. Log in to the Access Manager Console and create a group. Edit the users in the group, for example, add users with the filter uid=*999*. The resulting list box is empty, and the console does not display any error, information, or warning messages.

Workaround: The group membership must not be greater than the Directory Server search size limit. If the group membership is greater, change the search size limit accordingly.

SDK and Client Issues

Unable to Create The Same Deleted User Through the Portal (6479611)

You cannot create the same deleted user profile through the portal. The following error message is displayed:

An error occurred while storing the user profile.

Workaround: None.

Clients Do Not Get Notifications After the Server Restarts (6309161)

Applications written using the client SDK (amclientsdk.jar) do not get notifications if the server restarts.

Workaround: None.

SDK Clients Need to Restart After Service Schema Change (6292616)

If you modify any service schema, ServiceSchema.getGlobalSchema returns the old schema and not the new schema.

Workaround: Restart the client after a service schema change.

Session and SSO Issues

Using HttpSession With Third-Party Web Containers

The default method of maintaining sessions for authentications is “internal session” instead of HttpSession. The default invalid session maximum time value of three minutes is sufficient. The amtune script sets the value to one minute for Web Server or Application Server. However, if you are using a third-party web container such as IBM WebSphere or BEA WebLogic Server and the optional HttpSession, you might need to limit the web container's maximum HttpSession time limit to avoid performance problems.

Policy Issues

Deletion of Dynamic Attributes in Policy Configuration Service Causing Issues in Editing of Policies (6299074)

The deletion of dynamic attributes in Policy Configuration Service causes issues in the editing of policies in this scenario:

  1. Create two dynamic attributes in the Policy Configuration Service.

  2. Create a policy and select the newly created dynamic attributes in the response provider.

  3. Remove the dynamic attributes in the Policy Configuration Service and create two more attributes.

  4. Try to edit the policy created in Step 2.

The following error message is displayed: “Error Invalid Dynamic property being set.” No policies are displayed in the list by default. After a search is done, the policies are displayed, but you cannot edit or delete the existing policies or create a new policy.

Workaround: Before removing the dynamic attributes from the Policy Configuration Service, remove the references to those attributes from the policies.

Server Startup Issues

Debug Error Occurs on Access Manager Startup (6309274, 6308646)

Access Manager 7.1 startup returns the following debug errors in the amDelegation and amProfile debug files:

Workaround: None. You can ignore these messages.

Federation and SAML Issues

Federation Fails When Using Artifact Profile (6324056)

If you setup an identity provider (IDP) and a service provider (SP), change the communication protocol to use the browser Artifact profile, and then try to federate users between the IDP and SP, the federation fails.

Workaround: None.

Logout Error Occurs in Federation (6291744)

In realm mode, if you federate user accounts on an identity provider (IDP) and service provider (SP), terminate Federation, and then logout, the following error message is displayed: Error: No sub organization found.

Workaround: None.

Globalization (g11n) Issues

Application Error Displayed in Left Panel of Online Help in Realm Console (6508103)

When Access Manager is deployed to the Application Server, the left panel in the online help in the realm console displays an application error.

Workaround: Follow these steps:

  1. Copy the jhall.jar file.

    copy install-dir\share\lib\jhall.jar %JAVA_HOME%\jre\lib\ext

  2. Restart the Application Server.

Removing UTF-8 Does Not Work in Client Detection (5028779)

The Client Detection function is not working properly. Changes made in the Access Manager 7.1 Console are not automatically propagated to the browser.

Workaround: Try the following workarounds:

  1. Restart the Access Manager web container after you make a change in the Client Detection section.

  2. Perform the following steps in the Access Manager Console:

    1. Click Client Detection under the Configuration tab.

    2. Click the Edit link for genericHTML.

    3. Under the HTML tab, click the genericHTML link.

    4. Type the following entry in the character set list: UTF-8;q=0.5 (Make sure that the UTF-8 q factor is lower than the other character sets of your locale.)

    5. Click Save.

    6. Logout and then log in again.
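The entry in step 4 uses the syntax of an HTTP Accept-Charset list: comma-separated character sets, each with an optional ";q=" weight between 0 and 1 that defaults to 1.0 when omitted. The following Python script is an added example, not code from the release notes or from Access Manager; it parses such a list, ranks the character sets by q factor, and implements the check the workaround asks for (UTF-8 weighted strictly below every other character set of the locale). That Access Manager's client detection applies exactly these HTTP semantics is an assumption; the sample lists are constructed.

```python
"""Added example: rank a client-detection character-set list by q factor.

Assumption: the list uses HTTP Accept-Charset syntax, as the entry
"UTF-8;q=0.5" from the workaround suggests. Sample values are constructed.
"""
from typing import List, Tuple


def parse_charset_list(value: str) -> List[Tuple[str, float]]:
    """Parse 'ISO-8859-1, UTF-8;q=0.5' into [(charset, q), ...] in input order."""
    entries: List[Tuple[str, float]] = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        charset = parts[0]
        q = 1.0  # HTTP default weight when no q parameter is given
        for param in parts[1:]:
            key, _, val = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    raise ValueError(f"bad q factor in {item!r}")
                if not 0.0 <= q <= 1.0:
                    raise ValueError(f"q factor out of range in {item!r}")
        entries.append((charset, q))
    return entries


def rank_charsets(value: str) -> List[str]:
    """Charsets ordered by preference: highest q first; input order breaks ties."""
    entries = parse_charset_list(value)
    # sorted() is stable, so entries with equal q keep their input order
    return [cs for cs, _ in sorted(entries, key=lambda e: -e[1])]


def utf8_ranks_below_others(value: str) -> bool:
    """The workaround's condition: UTF-8's q is strictly lower than every other charset's."""
    entries = parse_charset_list(value)
    utf8 = [q for cs, q in entries if cs.upper() == "UTF-8"]
    others = [q for cs, q in entries if cs.upper() != "UTF-8"]
    return bool(utf8) and all(utf8[0] < q for q in others)


# Constructed sample lists for a Japanese locale (not taken from the page)
SAMPLE_OK = "Shift_JIS, EUC-JP;q=0.9, UTF-8;q=0.5"
SAMPLE_BAD = "Shift_JIS;q=0.4, UTF-8;q=0.5"

if __name__ == "__main__":
    print(rank_charsets(SAMPLE_OK))             # ['Shift_JIS', 'EUC-JP', 'UTF-8']
    print(utf8_ranks_below_others(SAMPLE_OK))   # True
    print(utf8_ranks_below_others(SAMPLE_BAD))  # False
```

With the constructed SAMPLE_OK list the locale charsets keep their default weight of 1.0 (or 0.9) and UTF-8 drops to last place; SAMPLE_BAD shows the mistake the workaround warns about, where a locale charset has been given a weight below UTF-8's 0.5.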

Multi-byte Characters Are Displayed as Question Marks in Log Files (5014120)

Multi-byte messages in log files in the install_dir\identity\logs directory are displayed as question marks (?). Log files are in native encoding and are not always UTF-8. When a web container instance starts in a certain locale, log files will be in native encoding for that locale. If you switch to another locale and restart the web container instance, the ongoing messages will be in the native encoding for the current locale, but messages from previous encoding will be displayed as question marks.

Workaround: When starting any web container instances, always use the same native encoding.

Documentation Issues

Document the Roles and Filtered Roles Support for LDAPv3 Plug-in (6365196)

After applying the respective patch, you can configure roles and filtered roles for the LDAPv3 plug-in, if the data is stored in Sun Java System Directory Server. In , in for

  1. Go to the Access Manager 7.1 Administrator Console.

  2. Select LDAPv3 configuration.

  3. In the “LDAPv3 Plugin Supported Types and Operations” field, type the following values depending on the roles and filtered roles you plan to use in your LDAPv3 configuration:

    role: read,edit,create,delete
    filteredrole: read,edit,create,delete

Document Unused Properties in the AMConfig.properties File (6344530)

The following properties in the AMConfig.properties file are not used:

com.iplanet.am.directory.host
com.iplanet.am.directory.port

Document How to Enable XML Encryption (6275563)

To enable XML encryption, perform the following steps:

  1. (Optional) If you are using a JDK version earlier than JDK 1.5:

    1. Download the Bouncy Castle JCE provider from the Bouncy Castle site (http://www.bouncycastle.org/).

      For example, for JDK version 1.4, download the bcprov-jdk14-131.jar file.

    2. Copy the file to the jdk_root\jre\lib\ext directory.

  2. Download the JCE Unlimited Strength Jurisdiction Policy Files for your version of the JDK.

    • For Sun Systems, download the files from the Sun site (http://java.sun.com) for your version of the JDK.

    • For IBM WebSphere, go to the corresponding IBM site to download the required files.

  3. Copy the downloaded US_export_policy.jar and local_policy.jar files to the jdk_root\jre\lib\security directory.

  4. If you are using a JDK version earlier than JDK 1.5, edit the jdk_root\jre\lib\security\java.security file and add Bouncy Castle as one of the providers. For example:

    security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider

  5. Set the following property in the AMConfig.properties file to true:

    com.sun.identity.jss.donotInstallAtHighestPriority=true

  6. Restart the Access Manager web container.

For more information, refer to problem ID 5110285 (XML encryption requires Bouncy Castle JAR file).
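Steps 4 and 5 above are easy to get subtly wrong: the JDK builds its provider list by reading security.provider.1, security.provider.2, and so on, and stops at the first number that is missing, so a Bouncy Castle entry numbered past a gap is silently never loaded. The following Python script is an added example, not code from the release notes or from Access Manager; it parses the text of a java.security file and an AMConfig.properties file and reports a numbering gap, a missing Bouncy Castle provider, and a com.sun.identity.jss.donotInstallAtHighestPriority value other than true. The sample file contents are constructed for illustration and the helper names are hypothetical.

```python
"""Added example: sanity-check the java.security and AMConfig.properties edits
made when enabling XML encryption. Sample file contents are constructed.
"""
import re
from typing import Dict, List

BC_PROVIDER = "org.bouncycastle.jce.provider.BouncyCastleProvider"
AM_JSS_PROPERTY = "com.sun.identity.jss.donotInstallAtHighestPriority"
_PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser; ignores blank lines and '#' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def provider_list(java_security_text: str) -> Dict[int, str]:
    """Map provider index -> class name for every security.provider.N line."""
    providers: Dict[int, str] = {}
    for line in java_security_text.splitlines():
        m = _PROVIDER_RE.match(line)
        if m:
            providers[int(m.group(1))] = m.group(2)
    return providers


def loaded_providers(providers: Dict[int, str]) -> List[str]:
    """Providers the JDK actually loads: indexes 1..N up to the first gap."""
    loaded: List[str] = []
    i = 1
    while i in providers:
        loaded.append(providers[i])
        i += 1
    return loaded


def check_xml_encryption_config(java_security_text: str, amconfig_text: str,
                                require_bouncy_castle: bool) -> List[str]:
    """Return a list of findings; an empty list means the edits look right."""
    findings: List[str] = []
    providers = provider_list(java_security_text)
    loaded = loaded_providers(providers)
    skipped = sorted(idx for idx in providers if idx > len(loaded))
    if skipped:
        findings.append(f"provider numbering has a gap after {len(loaded)}; "
                        f"entries {skipped} will never be loaded")
    if require_bouncy_castle and BC_PROVIDER not in loaded:
        findings.append("Bouncy Castle provider is not in the loaded provider list")
    am = parse_properties(amconfig_text)
    if am.get(AM_JSS_PROPERTY, "").lower() != "true":
        findings.append(f"{AM_JSS_PROPERTY} is not set to true")
    return findings


# Constructed sample files (not taken from any real installation)
GOOD_JAVA_SECURITY = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
"""
# Same list, but Bouncy Castle was added as .7 with no .6, so loading stops at 5
GAPPED_JAVA_SECURITY = GOOD_JAVA_SECURITY.replace("security.provider.6=", "security.provider.7=")
GOOD_AMCONFIG = "# constructed sample\ncom.sun.identity.jss.donotInstallAtHighestPriority=true\n"
BAD_AMCONFIG = "com.sun.identity.jss.donotInstallAtHighestPriority=false\n"

if __name__ == "__main__":
    for label, js, am in [("good", GOOD_JAVA_SECURITY, GOOD_AMCONFIG),
                          ("gapped", GAPPED_JAVA_SECURITY, BAD_AMCONFIG)]:
        print(label, check_xml_encryption_config(js, am, require_bouncy_castle=True) or "OK")
```

Pass require_bouncy_castle=False on JDK 1.5 or later, where step 1 and step 4 do not apply; the provider-numbering and AMConfig checks still run.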