Sun OpenSSO Enterprise 8.0 Update 1 Release Notes

Chapter 1 About OpenSSO Enterprise 8.0 Update 1

This chapter describes OpenSSO Enterprise 8.0 Update 1, including:

What's New in OpenSSO Enterprise 8.0 Update 1

OpenSSO Enterprise 8.0 Update 1 also fixes a number of problems, as listed in the README file included with patch 141655-01.

OpenDS as a User Data Store

You can configure an external OpenDS server as the OpenSSO Enterprise 8.0 Update 1 user data store.

You can also store a relatively small number of users in the embedded OpenSSO configuration data store (OpenDS), when scalability is not an important requirement. This option is useful when you want to install OpenSSO Enterprise 8.0 Update 1 quickly for demonstration or evaluation purposes. However, you should not use an embedded OpenDS server as a user data store in a production environment.

See Chapter 9, Using OpenDS as a User Data Store for OpenSSO Enterprise 8.0 Update 1.

Simplified OpenSSO WAR File Creation

The ability to create a specialized WAR file was present in OpenSSO Enterprise 8.0. In OpenSSO Enterprise 8.0 Update 1, the process has been simplified using the createwar.sh or createwar.bat script.

See Chapter 4, Creating a Specialized OpenSSO Enterprise 8.0 Update 1 WAR File.

Centralized SAMLv2 Error Conditions Page

OpenSSO Enterprise 8.0 Update 1 provides a single page where you can view all SAMLv2 error conditions. This page is useful when you are troubleshooting a SAMLv2 configuration.

See Chapter 6, Centralizing SAML Error Display in OpenSSO Enterprise 8.0 Update 1.

Secure Attribute Exchange (SAE) Data Encryption

OpenSSO Enterprise 8.0 Update 1 supports Secure Attributes Exchange (SAE) data encryption. (SAE is also known as Virtual Federation.)

See Chapter 7, Encrypting Data in a Secure Attribute Exchange in OpenSSO Enterprise 8.0 Update 1.

FIPS Compliance Mode

OpenSSO Enterprise 8.0 Update 1 supports Federal Information Processing Standards (FIPS) mode.

See Chapter 8, Configuring OpenSSO Enterprise 8.0 Update 1 in FIPS Mode.

Support for New Web Containers

OpenSSO Enterprise 8.0 Update 1 supports the web containers described in Web Containers Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes and the following new web containers:

OpenDS as a User Data Store

OpenSSO Enterprise 8.0 Update 1 supports OpenDS to store user profiles, authentication data, and policies.

See Chapter 9, Using OpenDS as a User Data Store for OpenSSO Enterprise 8.0 Update 1.

ASP.NET Fedlet

OpenSSO Enterprise 8.0 Update 1 includes the Fedlet.dll, template metadata files, and a sample application for implementing the Fedlet with ASP.NET applications. See Chapter 10, Using the ASP.NET Fedlet with OpenSSO Enterprise 8.0 Update 1.

Other Enhancements in OpenSSO Enterprise 8.0 Update 1

CR 6244578: New Property Warns Users if Browser Cookie Support is Disabled or Not Available

The new com.sun.identity.am.cookie.check property indicates whether OpenSSO server should check if cookie support is disabled or not available in the user's browser. A value of true causes OpenSSO server to display an error message if the browser does not support cookies or has not enabled cookies.

Previously, if cookie support was disabled or not available on the user's browser and OpenSSO server was not in cookieless mode, authentication for a user failed without any errors. (Actually, authentication was done successfully, but OpenSSO server could not redirect the user to the OpenSSO protected web site.)

To Set the Property

  1. Log in to the OpenSSO Administration Console.

  2. Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.

  3. Click Add and then specify:

    • Property Name: com.sun.identity.am.cookie.check

    • Property Value: true or false

  4. Click Save.

  5. Restart the OpenSSO server instance.

Note - If OpenSSO server is expected to support cookieless mode for authentication, set this property to false (which is the default).

CR 6770231: OpenSSO Enterprise 8.0 Update 1 Validates goto URLs

OpenSSO Enterprise 8.0 Update 1 can validate a goto URL after a user logs in to prevent a hacker from sending the user to an imposter site in order to steal the user's personal information.

To Set Valid goto URLs:

  1. Install OpenSSO Enterprise 8.0 Update 1. If you are patching OpenSSO Enterprise 8.0, make sure you run the updateschema.sh or updateschema.bat script and restart the OpenSSO Enterprise web container.

  2. Log in to the Admin Console.

  3. Click Configuration, Authentication, and then Core.

  4. Under Valid goto URL domains, add each valid goto domain name, as follows:

    • A domain name starting with a dot (.) such as .example.com allows all hosts in the example.com domain to be used in a success redirect URL.

    • A domain name that does not start with a dot (.) such as example.com allows the host example.com to be used in a success redirect URL. For example, http://example.com would be valid, but http://host.example.com would not be valid.

    • If you don't add the entire domain to the list, you must add each individual agent host name being used.

    • You do not need to add domains for agents in CDSSO mode, because they are protected automatically.

  5. Click Save.

  6. Restart the OpenSSO Enterprise web container.

    If you subsequently want to disable the goto URL validation, remove all entries from the Valid goto URL domains list.

Additional Information - If a goto URL is found to be invalid, the user will be redirected to the default success login URL (/opensso/console).
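As an added illustration (example code, not OpenSSO's own implementation), the matching rules above in Python: a dotted entry is a domain suffix, an undotted entry is an exact host, an empty list disables validation, and an invalid goto falls back to /opensso/console. Treating the bare apex host (example.com) as belonging to a dotted entry (.example.com) is an assumption, as is rejecting non-http(s) and host-less goto values.

```python
from urllib.parse import urlsplit

# Fallback named in the release notes for an invalid goto URL.
DEFAULT_SUCCESS_URL = "/opensso/console"


def host_allowed(host, entry):
    """Apply one 'Valid goto URL domains' entry to a hostname."""
    host = host.lower()
    entry = entry.lower()
    if entry.startswith("."):
        # ".example.com" allows every host inside example.com. Counting the
        # bare apex "example.com" as inside its own domain is an assumption.
        return host == entry[1:] or host.endswith(entry)
    # "example.com" allows exactly that host; host.example.com does not match.
    return host == entry


def goto_is_valid(goto_url, valid_domains):
    """Return True if goto_url may be used as the success redirect target."""
    if not valid_domains:
        # An empty list disables goto validation altogether.
        return True
    try:
        parts = urlsplit(goto_url)
    except ValueError:
        # Malformed URLs (for example bad IPv6 brackets) are never valid.
        return False
    if parts.scheme not in ("http", "https"):
        # Assumption: only web URLs are redirect candidates (no javascript:, data: ...).
        return False
    # .hostname drops userinfo and port, so "http://example.com@evil.com/"
    # is judged on evil.com, not on the decoy prefix.
    host = parts.hostname
    if not host:
        return False
    return any(host_allowed(host, entry) for entry in valid_domains)


def resolve_redirect(goto_url, valid_domains):
    """URL the user is sent to after login: the goto if valid, else the default."""
    if goto_is_valid(goto_url, valid_domains):
        return goto_url
    return DEFAULT_SUCCESS_URL


if __name__ == "__main__":
    # Constructed sample configuration and goto values.
    allowed = [".example.com", "agent1.internal"]
    for url in ("http://host.example.com/app", "http://agent1.internal/",
                "http://host.agent1.internal/", "http://example.com@evil.com/"):
        print(url, "->", resolve_redirect(url, allowed))
```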

CR 6696910: New Property makes Event Notification Cache Configurable

The new com.sun.am.event.notification.expire.time property allows you to configure or disable the event notification cache in order to improve performance.

To disable the cache, set this property to 0 (zero). The default is 30 minutes.

After you set this property, restart the OpenSSO Enterprise 8.0 web container for the new value to take effect.

CR 6740071: New Property Controls Session Cookie for Zero Page Authentication

The new com.sun.identity.appendSessionCookieInURL property determines whether OpenSSO Enterprise 8.0 Update 1 appends the session cookie to the URL for zero page authentication.

Set this property to false to prevent OpenSSO Enterprise 8.0 Update 1 from appending the session cookie to the URL. For example, if an application is filtering incoming URLs for special characters for security reasons and a cookie contains a special character, then access is denied. The default value is true (cookie is appended).

To set the new com.sun.identity.appendSessionCookieInURL property:

  1. Log in to the OpenSSO Enterprise 8.0 Update 1 Admin Console.

  2. Click Configuration, Servers and Sites, Default Server Settings, and then Advanced.

  3. Add the property with a value of true.

  4. Click Save.

The com.sun.identity.appendSessionCookieInURL property is hotswappable, which means that you don't have to restart the OpenSSO Enterprise 8.0 web container for a new value to take effect.

CR 6691106: New Properties Prevent Multiple Site Monitor Threads

The amNaming log sometimes indicates multiple Site Monitor threads running for checking the same site. To prevent this problem, OpenSSO Enterprise 8.0 Update 1 provides improved synchronization to prevent the creation of the multiple Site Monitor threads for the same site. OpenSSO Enterprise 8.0 also includes these new properties:

After you set these properties, restart the OpenSSO Enterprise 8.0 web container for the new values to take effect.

The fix for this problem also uses the following property:

CR 6797423: New property configures OpenSSO Enterprise server policy decision cache

The new com.sun.identity.policy.resultsCacheMaxSize property allows you to configure the policy decision cache for OpenSSO Enterprise 8.0 Update 1 server.

For example, a value of 1000 causes policy decisions to be cached for maximum of 1000 sessions, irrespective of the actual number of concurrent sessions on the server.

CR 6785321: CRL and OCSP checking support JSS-based logic

Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking now support the Network Security Services for Java (JSS) library, enabling FIPS mode when OpenSSO Enterprise 8.0 Update 1 is deployed on the Sun Java System Web Server 7.0 Update 3 or later web container.

Note - FIPS compliance mode depends on JSS, but using JSS does not necessitate FIPS compliance mode.

CR 6657112: Redirect callback support is added for Distributed Authentication Server UI

Redirect callback support (RedirectCallback), which is used to redirect users to an external website as part of the authentication process, now works when the login is through a Distributed Authentication Server UI.

CR 6657367: CDCServlet removes the JavaScript enabled dependency for user's browser

If cross-domain single sign-on (CDSSO) is enabled for a policy agent, the CDCServlet can now redirect assertions (CDCRedirectServlet) for the agent, even if JavaScript is disabled for the user's browser.

CR 6496155: Policy agents send token other than the IP address in cookie hijacking mode

Previously, in cookie hijacking mode, policy agents sent the IP address of the server where they were installed to the OpenSSO Enterprise server. Now, the policy agent first sends the application SSO token. If the agent cannot obtain the application SSO token, the agent then sends the IP address to the OpenSSO Enterprise server.

If strict DN checking is required for a deployment, OpenSSO Enterprise server includes the new iplanet-am-session-dnrestrictiononly property.

The default value is false. If this property is set to true, the OpenSSO Enterprise server performs strict DN checking. If the agent sends an IP address, the OpenSSO Enterprise server considers the IP address to be an error.

To set iplanet-am-session-dnrestrictiononly for strict DN checking:

  1. Add the property with a value of true using either the OpenSSO Enterprise Admin Console or the ssoadm utility.

  2. Restart the OpenSSO Enterprise server web container for the DN checking to take effect.

CR 6697260: New property allows policy agent sessions to time out

The new com.iplanet.am.session.agentsessionidletime property sets the maximum idle timeout in minutes for policy agent sessions. The minimum value is 30 minutes. A value greater than 0 and less than 30 will be reset to 30.

The default is 0, which means that the policy agent sessions never time out.

To set com.iplanet.am.session.agentsessionidletime:

  1. Add the property with the maximum idle timeout value using either the OpenSSO Enterprise Admin Console or the ssoadm utility.

  2. Restart the OpenSSO server web container for the idle timeout value to take effect.

CR 6811036: After upgrading from JES4, in co-existence mode, amadmin authenticates to configuration data store

Due to the fix for security issue 3924 in OpenSSO Enterprise 8.0, the amadmin user was prevented from logging in to any authentication module other than the DataStore and Application authentication modules.

This new fix for CR 6811036 removes this restriction, but at the same time re-implements the original security fix to protect authentication as the amadmin user, which is considered the OpenSSO Enterprise internal or special user, in the following manner:

CR 6827616: SMS cache is disabled by default for the Client SDK

After a Client SDK installation, the service management service (SMS) cache is disabled by default, which can cause performance issues.

Workaround: To enable the cache for SMS and the Identity Repository (IdRepo), set or add the following properties in the AMClient.properties file:


com.iplanet.am.sdk.caching.enabled=true
com.sun.identity.idm.cache.enabled=true
com.sun.identity.sm.cache.enabled=true

Hardware and Software Requirements For OpenSSO Enterprise 8.0 Update 1

Note - The hardware and software requirements for OpenSSO Enterprise 8.0 Update 1 represent the only environments in which it can be deployed with full support from Oracle. No support is provided for environments that do not meet the stated requirements.

Oracle assumes no responsibility or liability for any environments that don't adhere to supported hardware and software requirements for OpenSSO Enterprise 8.0 Update 1 as documented. Oracle strongly recommends that you involve the Professional Services organization before you begin the installation and deployment process. This may require additional expense on your part.

Policy Agent Support in OpenSSO Enterprise 8.0 Update 1

Policy Agent Version | OpenSSO Enterprise 8.0 Update 1 Support

3.0 | Version 3.0 Java EE (formerly called J2EE) and web policy agents are supported, including new version 3.0 features. For more information, including the available version 3.0 agents, see http://docs.sun.com/coll/1767.1.

2.2 | Version 2.2 Java EE and web policy agents are supported. However, a version 2.2 policy agent must continue to use version 2.2 features. For example, the OpenSSO Enterprise centralized agent configuration is not supported, and the 2.2 agent must store its configuration data locally in its AMAgent.properties file. For more information, including the available version 2.2 agents, see http://docs.sun.com/coll/1322.1.

2.1 | Version 2.1 policy agents are not supported.

OpenSSO Enterprise 8.0 Update 1 Issues and Workarounds

CR 6830298: OpenSSO Enterprise Admin Tools Must be Re-installed

If you patch OpenSSO Enterprise 8.0 with Update 1, you must re-install the admin tools in Update 1 before you run the updateschema.sh or updateschema.bat script, because the script requires the Update 1 version of the ssoadm command-line utility.

Workaround. Before you run the updateschema.sh or updateschema.bat script, install the Update 1 admin tools, as described in Chapter 3, Installing the OpenSSO Enterprise 8.0 Update 1 Admin Tools.

CR 6823779: ssoadm cannot be used with Secure WebSphere Application Server 7.0

If the admin tools (ssoAdminTools.zip) are configured to use the IBM JVM with a secure (SSL-enabled) WebSphere Application Server 7.0 instance, the ssoadm returns a fatal error.

Workaround. To configure ssoadm, see Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.

CR 6824420: Configuration fails for WebSphere Application Server 7.0 with Java 2 security enabled

If OpenSSO Enterprise 8.0 Update 1 is deployed with IBM WebSphere Application Server 7.0 and Java 2 security is enabled, the configuration fails.

Workaround. Add the required permissions to the WebSphere Application Server 7.0 server.policy. For more information see Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.

CR 6836470: Hotfix Required to Use KDCs Hosted on Windows Server 2008

OpenSSO Enterprise 8.0 Update 1 has added support for using KDCs hosted on Windows Server 2008. To use this new feature, however, you must install a Microsoft hotfix to KTpass on the Windows Server 2008 KDC before using the KDC for Windows Desktop SSO authentication.

For more information and to download this hotfix, see http://support.microsoft.com/kb/951191.

CR 6825011: Windows Desktop SSO Authentication fails with Login Exception on WebSphere Application Server 7.0

Workaround. If OpenSSO Enterprise 8.0 Update 1 is deployed on IBM WebSphere Application Server 7.0 on Windows:

  1. Prefix the Keytab File Name property of the Windows Desktop SSO authentication module instance with file:///. For example:

    file:///C:/keytabs/ssohost-4100-04.HTTP.keytab

  2. Set the new com.sun.identity.authentication.module.WindowsDesktopSSO.Krb5LoginModule property to com.ibm.security.auth.module.Krb5LoginModule.

Set this new property using ssoadm or in the OpenSSO Enterprise Admin Console under Configuration, Sites and Server, opensso-instance-name, and Advanced. Then, restart the WebSphere Application Server 7.0 instance for the value to take effect.

CR 6831600: Configurator buttons are not visible using Safari on a Mac

When running the Configurator using Safari on a Mac, the Next and Cancel buttons are not visible, which gives the impression that the configuration cannot continue.

Workaround. Maximize the Safari browser to the fullest extent and scroll down to see the buttons.

CR 6819848: Berkeley DB client does not failover to secondary Message Queue broker

In a session failover configuration, the Berkeley DB client does not fail over to the secondary Message Queue broker. OpenSSO Enterprise server, however, does fail over to the secondary broker, which causes the queue on that broker to quickly fill up. Then, the broker blocks the producer from sending any more messages, which in turn blocks messages from OpenSSO Enterprise server.

CR 6834714: Permissions need updating for WebSphere Application Server 6.1

If you are using IBM WebSphere Application Server 6.1 as the web container and the Java Security Manager is enabled, the securing permissions need to be updated.

Workaround. For the correct permissions, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

CR 6835816: After you enable FIPS mode, bootstrap file cannot be decrypted

Workaround. Before you enable FIPS mode, back up the bootstrap file. Then, after you enable FIPS mode, replace the bootstrap file with the backup copy.

For more information, see Chapter 8, Configuring OpenSSO Enterprise 8.0 Update 1 in FIPS Mode.

CR 6831687: SAML2 post profile fails on the Service Provider (SP)

Using JDK 1.6.x, when a Service Provider (SP) tries to verify a signed SAML2 response/assertion, the Identity Provider (IDP) throws a Null Pointer Exception.

Workaround. This problem occurs because JDK 1.6.x includes an older version of the XML security library. To fix this problem:

  1. Create an endorsed directory in JDK 1.6.x. For example:

    JDK_1.6_HOME_DIR/jre/lib/endorsed

  2. Copy the xmlsec.jar file from the OpenSSO_WAR_extracted_dir/WEB-INF/lib directory to the endorsed directory.

  3. Restart the OpenSSO Enterprise 8.0 web container.

CR 6828741: Configuring OpenSSO Enterprise 8.0 Update 1 as site throws exception in debug logs

When you configure OpenSSO Enterprise 8.0 Update 1 using the console, if you provide the site details such as the load balancer and server instances, the configuration finishes successfully and you can log in. However, the debug logs contain an exception.

Workaround. None. You can ignore the exception.

CR 6833362: SAMLv2 returns error on WebLogic Server 10 with SOAP binding

If you deploy OpenSSO Enterprise 8.0 Update 1 on WebLogic Server 10 for both the SP and IDP, configure the meta for SP and IDP for signing and encryption using the default keystore, and then terminate with SOAP binding, an error is returned.

Workaround. Remove the last two lines from idpArtifactResolution.jsp, idpMNISOAP.jsp, and spMNISOAP.jsp. Also, remove any empty spaces between %> and <%.

OpenSSO Enterprise 8.0 Update 1 Documentation

In addition to this document, additional OpenSSO Enterprise 8.0 documentation is available in the following collection:

http://docs.sun.com/coll/1767.1

OpenSSO Enterprise 8.0 Update 1 Patch Releases

OpenSSO Enterprise 8.0 Update 1 Patch IDs

Oracle periodically releases patches for OpenSSO Enterprise 8.0 on http://sunsolve.sun.com/. The following table shows the patch IDs for OpenSSO Enterprise 8.0 Update 1 and subsequent patch releases.

Release                                    Patch ID
OpenSSO Enterprise 8.0 Update 1 Patch 3    141655-04
OpenSSO Enterprise 8.0 Update 1 Patch 2    141655-03
OpenSSO Enterprise 8.0 Update 1 Patch 1    141655-02
OpenSSO Enterprise 8.0 Update 1            141655-01

To download the latest patch, click Download Latest Patch 141655.

To determine if you should install a patch, check this document and the README file available with the patch.

OpenSSO Enterprise 8.0 Update 1 Patch 3 (Patch ID 141655-04)

New Features in OpenSSO Enterprise 8.0 Update 1 Patch 3

Message Queue is upgraded from 4.3 to 4.4 (CR 6900482)

In Patch 3, Message Queue 4.3 has been upgraded to GlassFish Message Queue 4.4. This upgrade improves OpenSSO Enterprise performance and addresses several issues with session failover deployments.

For the Message Queue documentation, see http://docs.sun.com/coll/1307.7.

OpenSSO Enterprise session cookies can be marked as HTTPOnly (CR 6843487)

Patch 3 includes the new com.sun.identity.cookie.httponly property to allow OpenSSO Enterprise session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can help to prevent cross-site scripting (XSS) attacks.

By default, the value for com.sun.identity.cookie.httponly is false. To set this new property, use the OpenSSO Administration Console:

  1. Log in to the OpenSSO Administration Console.

  2. Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.

  3. Add com.sun.identity.cookie.httponly with a value of true.

  4. Click Save and log out of the Console.

  5. Restart the OpenSSO Enterprise web container.

You also need to set this property on the client side. For example, for a Distributed Authentication UI server deployment, set it to true in the AMDistAuthConfig.properties file.

Support is added for module-based, realm-based, and service-based authentication (CR 6893507)

In Patch 3, the OpenSSO REST-based authentication web service now supports module-based, realm-based, or service-based authentication. You can pass module, realm, and service as query parameters. For example, here are some sample REST commands:

http://host.example.com/opensso/identity/authenticate?username=user1&password=changeit
http://host.example.com/opensso/identity/authenticate?username=user1&password=changeit&uri=realm%3Dsun
http://host.example.com/opensso/identity/authenticate?username=user1&password=changeit&uri=module%3DDataStore
http://host.example.com/opensso/identity/authenticate?username=user1&password=changeit&uri=service%3DldapService
http://host.example.com/opensso/identity/authenticate?username=user1&password=changeit&uri=realm%3D/sun%26module%3DDataStore
http://host.example.com/opensso/identity/authenticate?username=user1&password=password&uri=realm%3D/iplanet%26module%3DdataStore

AMLoginModule class includes new method to determine user's current session quota level (CR 6667760)

In Patch 3, the AMLoginModule class includes the new isSessionQuotaReached() method to determine a user's current session quota level:

public boolean isSessionQuotaReached(String userName)

This new method checks whether the sessionCount is greater than or equal to the sessionQuota and returns true or false, depending on the result.

Thus, a custom authentication module can check a user's current session quota level and then, if the user is about to exceed the session quota, ask whether that user wants to continue the session. This feature is normally more useful when session constraints are enabled.

OpenSSO provides new property to specify client configuration folder (CR 6903279)

If a new administrator user logs into OpenSSO Enterprise server and tries to access the OpenSSO client website (for example, as deployed from the opensso-client-jdk15.war file), the new administrator user is asked to perform the client reconfiguration even though the configuration has already been done by the previous administrator.

Patch 3 provides the new openssoclient.config.folder property as a JVM argument in the container's configuration file (server.xml or domain.xml) to specify the configuration folder. For example:


<jvm-options>-Dopenssoclient.config.folder=C:/Sun/opensso-client-config</jvm-options>

If this argument is not specified, the configuration folder is user.home by default.

OpenSSO Console checks for minimum password length of 8 characters (CR 6888785)

In Patch 3, the OpenSSO Console checks for a minimum password length of 8 characters for new users and for existing users who are changing a password.

OpenSSO Diagnostic Tool is available (CR 6900820)

Patch 3 includes the OpenSSO Diagnostic Tool, which allows you to run a number of diagnostic tests to verify configuration settings and to identify potential installation or deployment problems. For information, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

Known Issues and Limitations in OpenSSO Enterprise 8.0 Update 1 Patch 3

OpenSSO ssoadm utility is not producing audit logs (CR 6928588)

In Patch 3, the ssoadm utility does not produce audit logs to record which sub-commands have been executed. For example, the ssoadm list-realms sub-command should produce four audit log records (AMCLI-1, AMCLI-2, AMCLI-3020, and AMCLI-3021), but the log records are not produced.

STS client samples deployed on WebLogic Server and Jetty are not working for the valid keystore (CR 6928433)

In Patch 3, when the Security Token Server (STS) client samples are deployed on WebLogic Server and Jetty, the samples do not obtain the token when the server is deployed on WebLogic Server, and an uninitialized keystore error is thrown.

Distributed Authentication UI deployments are not receiving session notifications (CR 6919698)

After installing OpenSSO Enterprise 8.0 Patch 3, Distributed Authentication UI deployments are not receiving notifications from the server.

Workaround. The notification URL property com.iplanet.am.notification.url has been renamed to com.sun.identity.client.notification.url. Update the AMDistAuthConfig.properties configuration file for the Distributed Authentication UI server (and other clients) with the new com.sun.identity.client.notification.url property.

updateschema.sh script does not modify idRepoService to include minimum password length validation (CR 6919321)

Workaround. After you apply Patch 3, the default minimum password length is 8 characters. However, to specify a different length for a different realm, run the following command:

./ssoadm set-realm-svc-attrs -u amadmin -f password-file \
  -s sunIdentityRepositoryService -e realm-name \
  -a sunIdRepoAttributeValidator=class=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl \
     sunIdRepoAttributeValidator=minimumPasswordLength=password-minimum-length

Fedlet SSO HTTP POST link returns a blank page (CR 6927350)

In Patch 3, the Fedlet SSO HTTP POST link randomly returns a blank page. This problem occurs when a user is logged in on the IDP side and a session is created with SSO. The problem also occurs with SAMLv2.

Workaround. None

Documentation Updates for OpenSSO Enterprise 8.0 Update 1 Patch 3

Upgrading to OpenSSO Enterprise 8.0 Update 1 Patch 3 (CR 6887525)

Always run the latest versions of the ssopatch or ssopatch.bat utility and the corresponding updateschema.sh or updateschema.bat script from the Patch 3 release.

If you are patching OpenSSO Enterprise 8.0 with Patch 3:

  1. Run the ssopatch or ssopatch.bat utility from Patch 3.

  2. Run the updateschema.sh or updateschema.bat script from Patch 3.

For more information about patching OpenSSO Enterprise, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

If you are moving to Patch 3 from Access Manager 7.1 or Access Manager 7 2005Q4:

  1. Execute the ssoupgrade or ssoupgrade.bat script from Patch 3.

  2. Run the updateschema.sh or updateschema.bat script from Patch 3.

For more information about upgrading, see the Sun OpenSSO Enterprise 8.0 Upgrade Guide.

Changing Information in the Directory Server bootstrap File (CR 6849622)

OpenSSO Enterprise 8.0 stores parameters used to access the directory server in the /opensso/bootstrap file. If required by your deployment, you can change some of these parameters using the OpenSSO Administration Console. For example, you can change the Directory Manager password.

To Change the Directory Server Parameters in the bootstrap File

  1. Log in to the OpenSSO Administration Console.

  2. Click Configuration, Servers and Sites, opensso-instance-name, and then Directory Configuration.

  3. Change the following values, as required by your deployment:

    • Bind DN is the privileged directory server administrator.

      The default is cn=Directory Manager.

    • Bind Password is the password used by the Bind DN user to access the directory server.

  4. You can also change the values for the following parameters, if you wish:

    • Minimum Connection Pool

    • Maximum Connection Pool

  5. When you have made your changes, click Save.

    The OpenSSO Console updates the corresponding values in the directory server bootstrap file.

OpenSSO Enterprise 8.0 Update 1 Patch 2 (141655-03)

Additional Web Container and Platform Support in OpenSSO Enterprise 8.0 Update 1 Patch 2

Patch 141655-03 includes support for:

Known Issues and Limitations in OpenSSO Enterprise 8.0 Update 1 Patch 2

OpenSSO Enterprise cannot create URLStreamHandler for WebLogic Server (CR 6867442)

The OpenSSO Enterprise AMURLStreamHandlerFactory cannot create the URLStreamHandler for WebLogic Server, because WebLogic Server has preset the value for the java.protocol.handler.pkgs system property to weblogic.net|weblogic.utils|weblogic.utils|weblogic.utils. If you try to access a remote WebLogic Server instance from the Console Session UI, OpenSSO Enterprise dumps an error log in the CoreSystem file.

The fix for CR 6867442 adds the new opensso.protocol.handler.pkgs property.

Although this problem occurred on WebLogic Server, the fix affects all web containers. If you have java.protocol.handler.pkgs in your setup or if you are planning to use java.protocol.handler.pkgs, add this new property as follows:

  1. In the OpenSSO Administration Console, click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.

  2. Click Add and then enter:

    • Property Name: opensso.protocol.handler.pkgs

    • Property Value: com.sun.identity.protocol

  3. Click Save.

Deploying the console.war file in patch 141655-03 generates a malformed goto URL (CR 6881715)

If you deploy and configure the console.war file in patch 141655-03, when you access the login page, the goto URL page is malformed.

Workaround. Manually enter the goto URL as protocol://openssohost:port/console and re-request the login page. For example: https://openssohost.example.com:8080/console

Oracle periodically releases patches to OpenSSO Enterprise 8.0 Update 1 on http://sunsolve.sun.com/. To find the latest patch for Update 1, search for patch ID 141655. To determine if you should install a patch, check the README file available with the patch.

Each patch release includes an opensso.war file that you can deploy as follows:

For more information see Chapter 2, Installing OpenSSO Enterprise 8.0 Update 1.

Additional Information and Resources

You can also find additional useful information and resources at the following locations:

Deprecation Notifications and Announcements

How to Report Problems and Provide Feedback

If you have questions or issues with OpenSSO Enterprise 8.0 Update 1 or a subsequent patch release, contact Support Resources at http://sunsolve.sun.com/.

This site has links to the Knowledge Base, Online Support Center, and Product Tracker, as well as to maintenance programs and support contact numbers. If you are requesting help for a problem, please include the following information:

Accessibility Features for People With Disabilities

To obtain accessibility features that have been released since the publishing of this media, consult Section 508 product assessments available upon request to determine which versions are best suited for deploying accessible solutions.

For information about Oracle's commitment to accessibility, see http://www.sun.com/accessibility/index.jsp.

Related Third-Party Web Sites

Third-party URLs are referenced in this document and provide additional, related information.


Note - Oracle is not responsible for the availability of third-party Web sites mentioned in this document. Oracle does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Oracle will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.


Revision History

Table 1–1 Revision History

Part Number    Date              Description
821-1818-10    April 13, 2010    Initial release of converted document from the Wiki version.