Sun OpenSSO Enterprise 8.0 Update 1 Release Notes

OpenSSO Enterprise 8.0 Update 1 Issues and Workarounds

CR 6830298: OpenSSO Enterprise Admin Tools Must be Re-installed

If you patch OpenSSO Enterprise 8.0 with Update 1, you must re-install the admin tools in Update 1 before you run the updateschema.sh or updateschema.bat script, because the script requires the Update 1 version of the ssoadm command-line utility.

Workaround. Before you run the updateschema.sh or updateschema.bat script, install the Update 1 admin tools, as described in Chapter 3, Installing the OpenSSO Enterprise 8.0 Update 1 Admin Tools.

CR 6823779: ssoadm cannot be used with Secure WebSphere Application Server 7.0

If the admin tools (ssoAdminTools.zip) are configured to use the IBM JVM with a secure (SSL-enabled) WebSphere Application Server 7.0 instance, ssoadm returns a fatal error.

Workaround. To configure ssoadm, see Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.

CR 6824420: Configuration fails for WebSphere Application Server 7.0 with Java 2 security enabled

If OpenSSO Enterprise 8.0 Update 1 is deployed with IBM WebSphere Application Server 7.0 and Java 2 security is enabled, the configuration fails.

Workaround. Add the required permissions to the WebSphere Application Server 7.0 server.policy. For more information see Chapter 5, Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container.

CR 6836470: Hotfix Required to Use KDCs Hosted on Windows Server 2008

OpenSSO Enterprise 8.0 Update 1 adds support for using KDCs hosted on Windows Server 2008. To use this new feature, however, you must install a Microsoft hotfix for KTpass on the Windows Server 2008 KDC before using the KDC for Windows Desktop SSO authentication.

For more information and to download this hotfix, see http://support.microsoft.com/kb/951191.

CR 6825011: Windows Desktop SSO Authentication fails with Login Exception on WebSphere Application Server 7.0

Workaround. If OpenSSO Enterprise 8.0 Update 1 is deployed on IBM WebSphere Application Server 7.0 on Windows:

  1. Prefix the Keytab File Name property of the Windows Desktop SSO authentication module instance with file:///. For example:

    file:///C:/keytabs/ssohost-4100-04.HTTP.keytab

  2. Set the new com.sun.identity.authentication.module.WindowsDesktopSSO.Krb5LoginModule property to com.ibm.security.auth.module.Krb5LoginModule.

Set this new property using ssoadm or in the OpenSSO Enterprise Admin Console under Configuration, Sites and Server, opensso-instance-name, and Advanced. Then, restart the WebSphere Application Server 7.0 instance for the value to take effect.

CR 6831600: Configurator buttons are not visible using Safari on a Mac

When running the Configurator using Safari on a Mac, the Next and Cancel buttons are not visible, which gives the impression that the configuration cannot continue.

Workaround. Maximize the Safari browser to the fullest extent and scroll down to see the buttons.

CR 6819848: Berkeley DB client does not failover to secondary Message Queue broker

In a session failover configuration, the Berkeley DB client does not failover to the secondary Message Queue broker. OpenSSO Enterprise server, however, does failover to the secondary broker, which causes the queue on that broker to quickly fill up. Then, the broker blocks the producer from sending any more messages, which in turn blocks messages from OpenSSO Enterprise server.

CR 6834714: Permissions need updating for WebSphere Application Server 6.1

If you are using IBM WebSphere Application Server 6.1 as the web container and the Java Security Manager is enabled, the security permissions need to be updated.

Workaround. For the correct permissions, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

CR 6835816: After you enable FIPS mode, bootstrap file cannot be decrypted

Workaround. Before you enable FIPS mode, back up the bootstrap file. Then, after you enable FIPS mode, replace the bootstrap file with the backup copy.

For more information, see Chapter 8, Configuring OpenSSO Enterprise 8.0 Update 1 in FIPS Mode.

CR 6831687: SAML2 post profile fails on the Service Provider (SP)

Using JDK 1.6.x, when a Service Provider (SP) tries to verify a signed SAML2 response/assertion, the Identity Provider (IDP) throws a Null Pointer Exception.

Workaround. This problem occurs because JDK 1.6.x includes an older version of the XML security library. To fix this problem:

  1. Create an endorsed directory in JDK 1.6.x. For example:

    JDK_1.6_HOME_DIR/jre/lib/endorsed

  2. Copy the xmlsec.jar file from the OpenSSO_WAR_extracted_dir/WEB-INF/lib directory to the endorsed directory.

  3. Restart the OpenSSO Enterprise 8.0 web container.

CR 6828741: Configuring OpenSSO Enterprise 8.0 Update 1 as site throws exception in debug logs

When you configure OpenSSO Enterprise 8.0 Update 1 using the console, if you provide the site details such as the load balancer and server instances, the configuration finishes successfully and you can log in. However, the debug logs contain an exception.

Workaround. None. You can ignore the exception.

CR 6833362: SAMLv2 returns error on WebLogic Server 10 with SOAP binding

If you deploy OpenSSO Enterprise 8.0 Update 1 on WebLogic Server 10 for both the SP and IDP, configure the SP and IDP metadata for signing and encryption using the default keystore, and then terminate with SOAP binding, an error is returned.

Workaround. Remove the last two lines from idpArtifactResolution.jsp, idpMNISOAP.jsp, and spMNISOAP.jsp. Also, remove any empty spaces between %> and <%.
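The following script applies the CR 6833362 workaround to the three named JSPs in a repeatable way; it is an added example and is not part of the OpenSSO Enterprise release or its tooling. It assumes that "empty spaces" means spaces or tabs on the same line (line breaks are left alone), that the JSPs live in a single directory you pass in, and it keeps a .orig copy of each file before rewriting it. The sample JSP fragment is constructed for illustration, not taken from OpenSSO.

```python
import re
import shutil
from pathlib import Path

# Files the release note names for CR 6833362.
AFFECTED_JSPS = ("idpArtifactResolution.jsp", "idpMNISOAP.jsp", "spMNISOAP.jsp")

# Spaces or tabs sitting between a closing "%>" and the next "<%" on the same line.
# Assumption: the note's "empty spaces" means horizontal whitespace only, not line breaks.
_GAP_BETWEEN_SCRIPTLETS = re.compile(r"%>[ \t]+<%")


def apply_soap_jsp_workaround(text: str) -> str:
    """Return the JSP source with its last two lines dropped and scriptlet gaps closed."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("JSP has fewer than two lines; nothing to remove")
    body = "\n".join(lines[:-2])
    body = _GAP_BETWEEN_SCRIPTLETS.sub("%><%", body)
    return body + "\n"


def patch_jsp_files(deploy_dir: Path) -> list:
    """Patch each affected JSP found under deploy_dir, keeping a .orig copy of the original."""
    patched = []
    for name in AFFECTED_JSPS:
        jsp = deploy_dir / name
        if not jsp.is_file():
            continue  # file not present in this deployment; skip rather than fail
        shutil.copy2(jsp, jsp.with_name(jsp.name + ".orig"))
        jsp.write_text(apply_soap_jsp_workaround(jsp.read_text()))
        patched.append(jsp)
    return patched


# Constructed sample, not a real OpenSSO JSP: scriptlets separated by stray spaces and a tab,
# plus two trailing lines standing in for the ones the workaround removes.
SAMPLE_JSP = (
    '<%@ page contentType="text/xml" %>   <%@ page import="java.util.*" %>\n'
    '<% String id = request.getParameter("id"); %>\t<% out.print(id); %>\n'
    "<%-- trailing line 1 --%>\n"
    "<% out.flush(); %>\n"
)

if __name__ == "__main__":
    print(apply_soap_jsp_workaround(SAMPLE_JSP))
```

Run it as `python3 fix_soap_jsps.py` after editing the `__main__` block to call `patch_jsp_files(Path("/path/to/exploded/opensso/WAR"))`; the `.orig` copies let you revert if the server behaves differently after the change.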