Sun OpenSSO Enterprise 8.0 Update 1 Release Notes

OpenSSO Enterprise 8.0 Update 1 Patch Releases

OpenSSO Enterprise 8.0 Update 1 Patch IDs

Oracle periodically releases patches for OpenSSO Enterprise 8.0 on http://sunsolve.sun.com/. The following table shows the patch IDs for OpenSSO Enterprise 8.0 Update 1 and subsequent patch releases.

Release                                      Patch ID
OpenSSO Enterprise 8.0 Update 1 Patch 3      141655-04
OpenSSO Enterprise 8.0 Update 1 Patch 2      141655-03
OpenSSO Enterprise 8.0 Update 1 Patch 1      141655-02
OpenSSO Enterprise 8.0 Update 1              141655-01

To download the latest patch, click Download Latest Patch 141655.

To determine if you should install a patch, check this document and the README file available with the patch.

OpenSSO Enterprise 8.0 Update 1 Patch 3 (Patch ID 141655-04)

New Features in OpenSSO Enterprise 8.0 Update 1 Patch 3

Message Queue is upgraded from 4.3 to 4.4 (CR 6900482)

In Patch 3, Message Queue 4.3 has been upgraded to GlassFish Message Queue 4.4. This upgrade improves OpenSSO Enterprise performance and addresses several issues with session failover deployments.

For the Message Queue documentation, see http://docs.sun.com/coll/1307.7.

OpenSSO Enterprise session cookies can be marked as HTTPOnly (CR 6843487)

Patch 3 includes the new com.sun.identity.cookie.httponly property to allow OpenSSO Enterprise session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can help to prevent cross-site scripting (XSS) attacks.

By default, the value for com.sun.identity.cookie.httponly is false. To set this new property, use the OpenSSO Administration Console:

  1. Log in to the OpenSSO Administration Console.

  2. Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.

  3. Add com.sun.identity.cookie.httponly with a value of true.

  4. Click Save and log out of the Console.

  5. Restart the OpenSSO Enterprise web container.

You also need to set this property on the client side. For example, for a Distributed Authentication UI server deployment, set it to true in the AMDistAuthConfig.properties file.
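A quick way to confirm that the property took effect is to inspect the Set-Cookie headers the server returns after the restart. The following audit is an added example, not code from the release notes or from OpenSSO; the cookie names (ssoSession, lbcookie) and token values are constructed placeholders, and it also reports the Secure attribute, which the release note does not cover but which belongs next to HttpOnly on a session cookie sent over HTTPS.

```python
"""Check captured Set-Cookie headers for the HttpOnly and Secure attributes."""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure carry no value and map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(headers, watched):
    """Return {cookie name: [missing attributes]} for every watched cookie seen.

    `headers` is an iterable of raw Set-Cookie values as sent by the server;
    `watched` is the set of cookie names whose protection matters (the SSO
    session cookie above all). An empty list means both attributes are present.
    """
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name in watched:
            findings[name] = [a for a in ("httponly", "secure") if a not in attrs]
    return findings


# Constructed sample headers: "ssoSession" and "lbcookie" stand in for the
# real cookie names, and the token value is made up.
BEFORE_PATCH = [
    "ssoSession=constructed-token-value; Domain=.example.com; Path=/",
    "lbcookie=01; Domain=.example.com; Path=/",
]
AFTER_PATCH = [
    "ssoSession=constructed-token-value; Domain=.example.com; Path=/; Secure; HttpOnly",
    "lbcookie=01; Domain=.example.com; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE_PATCH), ("after", AFTER_PATCH)):
        for name, missing in audit_cookies(headers, {"ssoSession", "lbcookie"}).items():
            status = "ok" if not missing else "missing " + ", ".join(missing)
            print(f"{label}: {name}: {status}")
```

Feed it the Set-Cookie lines from a browser's network panel or a curl -i capture of the login response; a session cookie that still reports "missing httponly" after the restart means the property was not picked up by that instance (or, for a Distributed Authentication UI, that AMDistAuthConfig.properties was not updated).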

Support is added for module-based, realm-based, and service-based authentication (CR 6893507)

In Patch 3, the OpenSSO REST-based authentication web service supports module-based, realm-based, and service-based authentication. You pass the realm, module, or service selector inside the URL-encoded uri query parameter. For example, here are some sample REST commands:


http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=changeit
http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=changeitANDAMPuri=realm%3Dsun
http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=changeitANDAMPuri=module%3DDataStore
http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=changeitANDAMPuri=service%3DldapService
http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=changeitANDAMPuri=realm%3D/sun%26module%3DDataStore
http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=passwordANDAMPuri=realm%3D/iplanet%26module%3DdataStore
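The sample URLs rely on a double encoding that is easy to get wrong by hand: realm, module and service are not separate query parameters but are joined with & into one string that becomes the value of uri, so the inner = and & must be percent-encoded once more (%3D and %26). The following helper is an added example, not code from the release notes or from OpenSSO; the host name and credentials in its usage are constructed, and it covers any combination of the three selectors rather than only the ones shown above.

```python
"""Build and decode OpenSSO REST authenticate URLs with a nested `uri` parameter."""
from urllib.parse import parse_qs, urlencode, urlsplit


def build_authenticate_url(base, username, password,
                           realm=None, module=None, service=None):
    """Return the /identity/authenticate URL selecting the given realm/module/service."""
    params = [("username", username), ("password", password)]
    selectors = [f"{key}={val}"
                 for key, val in (("realm", realm), ("module", module), ("service", service))
                 if val is not None]
    if selectors:
        # One outer parameter whose value is itself a key=value&key=value string;
        # urlencode percent-encodes the inner '=' and '&' as %3D and %26.
        params.append(("uri", "&".join(selectors)))
    # safe='/' keeps realm paths such as /sun readable, as in the sample URLs.
    return f"{base}/identity/authenticate?{urlencode(params, safe='/')}"


def parse_selectors(url):
    """Inverse operation: recover the realm/module/service selectors from a URL."""
    outer = parse_qs(urlsplit(url).query)
    inner = outer.get("uri", [""])[0]  # parse_qs has already decoded one level
    return dict(pair.split("=", 1) for pair in inner.split("&") if pair)


if __name__ == "__main__":
    # Constructed base URL and credentials; mirrors the combinations listed above.
    base = "http://host.example.com/opensso"
    for kwargs in ({}, {"realm": "sun"}, {"module": "DataStore"},
                   {"service": "ldapService"}, {"realm": "/sun", "module": "DataStore"}):
        url = build_authenticate_url(base, "user1", "changeit", **kwargs)
        print(url, "->", parse_selectors(url))
```

Because these requests are plain GETs, the password travels in the query string and is recorded by web-server access logs, proxies and browser history along the way; keep the endpoint behind TLS and treat those logs as sensitive.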

AMLoginModule class includes new method to determine user's current session quota level (CR 6667760)

In Patch 3, the AMLoginModule class includes the new isSessionQuotaReached() method to determine a user's current session quota level:

public boolean isSessionQuotaReached(String userName)

This method checks whether the user's sessionCount is greater than or equal to the sessionQuota and returns true or false accordingly.

Thus, a custom authentication module can check a user's current session quota level and, if the user is about to exceed the session quota, ask whether that user wants to continue the session. This feature is normally more useful when session constraints are enabled.

OpenSSO provides new property to specify client configuration folder (CR 6903279)

If a new administrator user logs into OpenSSO Enterprise server and tries to access the OpenSSO client website (for example, as deployed from the opensso-client-jdk15.war file), the new administrator user is asked to perform the client reconfiguration even though the configuration has already been done by the previous administrator.

Patch 3 provides the new openssoclient.config.folder property as a JVM argument in the container's configuration file (server.xml or domain.xml) to specify the configuration folder. For example:


<jvm-options>-Dopenssoclient.config.folder=C:/Sun/opensso-client-config</jvm-options>

If this argument is not specified, the configuration folder is user.home by default.

OpenSSO Console checks for minimum password length of 8 characters (CR 6888785)

In Patch 3, the OpenSSO Console checks for a minimum password length of 8 characters for new users and for existing users who are changing a password.

OpenSSO Diagnostic Tool is available (CR 6900820)

Patch 3 includes the OpenSSO Diagnostic Tool, which allows you to run a number of diagnostic tests to verify configuration settings and to identify potential installation or deployment problems. For information, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

Known Issues and Limitations in OpenSSO Enterprise 8.0 Update 1 Patch 3

OpenSSO ssoadm utility is not producing audit logs (CR 6928588)

In Patch 3, the ssoadm utility does not produce audit logs to record which sub-commands have been executed. For example, the ssoadm list-realms sub-command should produce four audit log records (AMCLI-1, AMCLI-2, AMCLI-3020, and AMCLI-3021), but the log records are not produced.

STS client samples deployed on WebLogic Server and Jetty are not working for the valid keystore (CR 6928433)

In Patch 3, when the Security Token Server (STS) client samples are deployed on WebLogic Server and Jetty, the samples do not obtain the token from the STS deployed on WebLogic Server, and an uninitialized keystore error is thrown.

Distributed Authentication UI deployments are not receiving session notifications (CR 6919698)

After installing OpenSSO Enterprise 8.0 Patch 3, Distributed Authentication UI deployments are not receiving notifications from the server.

Workaround. The notification URL property com.iplanet.am.notification.url has been renamed to com.sun.identity.client.notification.url. Update the AMDistAuthConfig.properties configuration file for the Distributed Authentication UI server (and other clients) with the new com.sun.identity.client.notification.url property.

updateschema.sh script does not modify idRepoService to include minimum password length validation (CR 6919321)

Workaround. After you apply Patch 3, the default minimum password length is 8 characters. However, to specify a different length for a different realm, run the following command:

./ssoadm set-realm-svc-attrs -u amadmin -f password-file
    -s sunIdentityRepositoryService -e realm-name
    -a sunIdRepoAttributeValidator=class=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl
       sunIdRepoAttributeValidator=minimumPasswordLength=password-minimum-length

Fedlet SSO HTTP POST link returns a blank page (CR 6927350)

In Patch 3, the Fedlet SSO HTTP POST link randomly returns a blank page. This problem occurs when a user is logged in on the IDP side and a session is created with SSO. The problem also occurs with SAMLv2.

Workaround. None.

Documentation Updates for OpenSSO Enterprise 8.0 Update 1 Patch 3

Upgrading to OpenSSO Enterprise 8.0 Update 1 Patch 3 (CR 6887525)

Always run the latest versions of the ssopatch or ssopatch.bat utility and the corresponding updateschema.sh or updateschema.bat script from the Patch 3 release.

If you are patching OpenSSO Enterprise 8.0 with Patch 3:

  1. Run the ssopatch or ssopatch.bat utility from Patch 3.

  2. Run the updateschema or updateschema.bat script from Patch 3.

For more information about patching OpenSSO Enterprise, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

If you are moving to Patch 3 from Access Manager 7.1 or Access Manager 7 2005Q4:

  1. Execute the ssoupgrade or ssoupgrade.bat script from Patch 3.

  2. Run updateschema or updateschema.bat script from Patch 3.

For more information about upgrading, see the Sun OpenSSO Enterprise 8.0 Upgrade Guide.

Changing Information in the Directory Server bootstrap File (CR 6849622)

OpenSSO Enterprise 8.0 stores parameters used to access the directory server in the /opensso/bootstrap file. If required by your deployment, you can change some of these parameters using the OpenSSO Administration Console. For example, you can change the Directory Manager password.

To Change the Directory Server Parameters in the bootstrap File

  1. Log in to the OpenSSO Administration Console.

  2. Click Configuration, Servers and Sites, opensso-instance-name, and then Directory Configuration.

  3. Change the following values, as required by your deployment:

    • Bind DN is the privileged directory server administrator.

      The default is cn=Directory Manager.

    • Bind Password is the password used by the Bind DN user to access the directory server.

  4. You can also change the values for the following parameters, if you wish:

    • Minimum Connection Pool

    • Maximum Connection Pool

  5. When you have made your changes, click Save.

    The OpenSSO Console updates the corresponding values in the directory server bootstrap file.

OpenSSO Enterprise 8.0 Update 1 Patch 2 (141655-03)

Additional Web Container and Platform Support in OpenSSO Enterprise 8.0 Update 1 Patch 2

Patch 141655-03 includes support for:

Known Issues and Limitations in OpenSSO Enterprise 8.0 Update 1 Patch 2

OpenSSO Enterprise cannot create URLStreamHandler for WebLogic Server (CR 6867442)

The OpenSSO Enterprise AMURLStreamHandlerFactory cannot create the URLStreamHandler for WebLogic Server, because WebLogic Server has preset the value for the java.protocol.handler.pkgs system property to weblogic.net|weblogic.utils|weblogic.utils|weblogic.utils. If you try to access a remote WebLogic Server instance from the Console Session UI, OpenSSO Enterprise dumps an error log in the CoreSystem file.

The fix for CR 6867442 adds the new opensso.protocol.handler.pkgs property.

Although this problem occurred on WebLogic Server, the fix affects all web containers. If java.protocol.handler.pkgs is already set in your setup, or if you are planning to set it, add this new property as follows:

  1. In the OpenSSO Administration Console, click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.

  2. Click Add and then enter:

    • Property Name: opensso.protocol.handler.pkgs

    • Property Value: com.sun.identity.protocol

  3. Click Save.

Deploying the console.war file in patch 141655-03 generates a malformed goto URL (CR 6881715)

If you deploy and configure the console.war file in patch 141655-03, when you access the login page, the goto URL page is malformed.

Workaround. Manually enter the goto URL as protocol://openssohost:port/console and re-request the login page. For example: https://openssohost.example.com:8080/console

Oracle periodically releases patches to OpenSSO Enterprise 8.0 Update 1 on http://sunsolve.sun.com/. To find the latest patch for Update 1, search for patch ID 141655. To determine if you should install a patch, check the README file available with the patch.

Each patch release includes an opensso.war file that you can deploy as follows:

For more information see Chapter 2, Installing OpenSSO Enterprise 8.0 Update 1.