This chapter contains the following topics:
OpenSSO 8.0 Update 2 includes enhancements to the Security Token Service and the OpenSSO Fedlet. This update also includes new web container support for WebLogic 10.3.3 and fixes to many bugs.
The Security Token Service now includes the following new features:
Supports TokenType for generating a specific web service provider security token.
Supports both Asymmetric and Transport binding for X509 and username security tokens as requestor.
Enforces SSL/Transport binding with a username security token when OpenSSO STS is configured with a username over SSL.
Issues SAML holder-of-key security token for Asymmetric KeyType with useKey as the web service client public key and web service client X509 security token.
WSDL is dynamically updated based on security token configuration.
Supports encryption by the web service provider public key.
Encrypts the static username password before storing it in the configuration store.
Supports UserName token as On Behalf Of security token through a WS-Trust request.
Supports issuance of SAML Bearer Tokens.
New Web Service Security authentication module WSSAuth supports digest password validation.
New OAMAuth authentication module enables single sign-on using Oracle Access Manager with OpenSSO.
For more information, see Chapter 4, Using the Security Token Service.
The Fedlet now includes the following new features:
Supports encryption in the .NET Fedlet
Supports signing in the .NET Fedlet
.NET Fedlet now supports single logout
.NET Fedlet provides Service Provider initiated single sign-on and artifact support
Supports multiple Identity Providers and Identity Provider Discovery in .NET Fedlet
Supplies version information within property and configuration files for the Fedlet
New password SPI implementation
Supports attribute query
Supports single logout
For more information, see Chapter 5, Using the Oracle OpenSSO Fedlet.
The table lists issues that have been resolved in OpenSSO 8.0 Update 2.
Table 1–1 Bugs Fixed in This Release
Change Request Identifier |
Description |
---|---|
6422249 |
SAML assertions using excessive memory. |
6659356 |
New bug with the interaction process in a load-balanced scenario. |
6802207 |
Policy agent "gateway servelet" function yields "Your authentication module is denied." |
6894077 |
In Cookie hijacking mode, logout request hangs. |
6931544 |
Javadoc comments missing for public API AMLoginModule:isSessionQuotaReached. |
6918266 |
/opensso/realm/IDRepoEdit delete Session service configuration in realm. |
6923660 |
Inheritance setting in agent profile does not work as expected. |
6924534 |
ssoadm --version did not return the right value after patching 141655-03. |
6926203 |
goto URL not validated on distributed authentication. |
6928480, 6934888 |
Distributed authentication UI: In log files IP recorded is DAUI IP, not client IP. |
6931012 |
Access Manager console becomes unresponsive after adding a new config property. |
6931476 |
Incorrect exceptions thrown in the logs for misconfigured SAML/IDP's service URLs on the Service Provider side. |
6933168 |
Password reset page is not localized when locale parameter is given in the URL. |
6933268 |
"Auth module instance" condition with "application timeout properties" set drops session after login. |
6937698 |
OpenSSO8.0: Console Invalid Characters check is not performed |
6937700 |
OpenSSO allows to create username with special characters, but complains during login. |
6939038 |
Security Token Service client samples are failing for IBM Websphere Application Server 6.1. |
6940455 |
Security Token Service "ssoadm set-site-sec-urls" throws an NPE on the console. |
6942485, 6942813 |
OpenSSO does not escape "\" in uid correctly, and 2 different uid values are stored in Directory Server entry. |
6945286 |
Distributed Authentication login: uid with special characters results in error. |
6947033 |
“URL not found” exception errors in SAML. |
6949778 |
iplanet-am-auth-locale value of realm is not taken in consideration in the evaluation process. |
6947068 |
goto is missing after session timeout. |
6958448 |
LDAPv3Repo.setAttributes method fetches the schema multiple times even for a single modification. |
See the System Requirements and Supported Platforms for Oracle OpenSSO 8.0u2 document listed under Oracle Branded Releases of Sun Products Supported Configuration at the following URL:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
CR 6959610: OpenSSO 8.0 Update 2 samples should be removed in production environment
CRs 6944573, 6964648: New Java security permissions are required for WebLogic Server 10.3.3
CR 6967026: Configurator cannot connect to LDAPS-enabled directory server
CR 6956461:SecurID authentication fails on IBM WebSphere Application Server
CR 6959373: Web container requires a restart after running updateschema script
CR 6961419: Running updateschema.bat script requires a password file
CR 6972593: Java Oracle OpenSSO Fedlet single sign-on (SSO) fails on JBoss AS 5.0.x
SR 72335286 and CR 6929674: LDAP Referrals Do Not Work as Expected
General security concerns exist regarding using a HTTP Basic Authentication module. See http://en.wikipedia.org/wiki/Basic_access_authentication, the “Disadvantages” section. Be sure that you can address these security concerns before you consider using HTTP Basic Authentication in a production deployment.
To minimize random or unnecessary configuration changes through inadvertent sample program runs, remove the samples before you deploy OpenSSO 8.0 Update 2 in a production environment.
If you are deploying OpenSSO 8.0 Update 2 on Oracle WebLogic Server 10.3.3 with the security manager enabled, an additional Java security permission is required.
Workaround. Add the following permission to the WebLogic Server 10.3.3 weblogic.policy file:
permission java.lang.RuntimePermission "getClassLoader";
Due to an issue in earlier versions of Oracle WebLogic Server such as 10.3.0 and 10.3.1, certificate authentication with either LDAP checking or OSCP checking enabled fails.
Workaround. This problem has been fixed in WebLogic Server 10.3.3. To use certificate authentication with either LDAP checking or OSCP checking, use OpenSSO Update 2 with WebLogic Server 10.3.3.
In the Spanish version of OpenSSO 8.0 Update 2, you cannot access authentication certificates. When you go to Configuration > Authentication > Certificates, an error occurs. The following is displayed in the log "Caused by: java.lang.IllegalArgumentException."
Workaround. None.
Download the ojdbc6.jar file from the following URL:
http://www.oracle.com/technetwork/database/enterprise-edition/jdbc-112010-090769.html.
Create a staging area and change to that directory. For example:
mkdir /tmp/staging cd /tmp/staging |
Explode the opensso.war in the staging area.
jar xf opensso.war |
Change to the WEB-INF/lib directory.
Copy ojdbc6.jar into that directory. For example:
cp OJDBC6_DOWNLOAD_LOCATION/ojdbc6.jar |
Create an updated opensso.war file from the staging area. For example:
cd ../.. jar cf /tmp/opensso.war * |
Undeploy the current opensso.war.
Deploy the opensso.war file you created in Step 6.
Restart the OpenSSO web container instance.
By default, the OpenSSO configurator supports only the JCE/JSSE provider for SSL. However, you can use the OpenSSO administration console to manually enable JSS/NSS. If OpenSSO is deployed on Sun Web Server 7.0 or on GlassFish Enterprise Edition 2.1.0, then complete the following steps. For GlassFish Enterprise Edition 2.1.1 and later versions, see CR 6967026: Configurator cannot connect to LDAPS-enabled directory server.
If you want OpenSSO to connect to an LDAPS-enabled directory server, then the CA certificate for the LDAPS-enabled directory server must be already imported into the JVM trust store (by default JAVA_HOME/jre/lib/security/cacert).
Log in to the OpenSSO Administration Console as amadmin.
Click Configuration > Servers and Sites > Server Name instance.
Click Security.
Click Inheritance Settings.
Uncheck the Encryption class and Secure Random Factory Class properties.
Click Save, and then click Back to Server Profile.
Change Encryption class to com.iplanet.services.util.JSSEncryption.
Change Secure Random Factory Class to com.iplanet.am.util.JSSSecureRandomFactoryImpl.
Click Save, and then click the Advanced tab.
Change the com.iplanet.security.SSLSocketFactoryImpl property to com.iplanet.services.ldap.JSSSocketFactory.
Edit the following property and value:
Property Name: opensso.protocol.handler.pkgs
Property Value: com.iplanet.services.comm
Click Add, and add following property and value:
Property Name: com.iplanet.am.admin.cli.certdb.dir
Property Value: path-to-NSS-database
Click Save.
Restart the OpenSSO Enterprise 8.0 server instance.
If OpenSSO is deployed on GlassFish Enterprise Server 2.1.1 or later versions, then OpenSSO cannot connect to an LDAPS-enabled directory server instance with JSS/NSS. The problem occurs because OpenSSO and GlassFish Enterprise Server 2.1.1 and later versions do not use the same JSS version.
Workaround: Use the JSSE provider instead of the NSS provider for SSL.
If you deploy OpenSSO 8.0 Update 2 (opensso.war) in the WebLogic Server 10.3.3 administration console and click Start to allow OpenSSO 8.0 Update 2 to start receiving requests, exceptions are thrown in the console where the WebLogic Server domain was started.
Note: After you start OpenSSO 8.0 Update 2, it remains started and exceptions are not thrown again until OpenSSO 8.0 Update 2 is stopped and then restarted.
Workaround. Copy the saaj-impl.jar file from the OpenSSO 8 Update 2 opensso-client-jdk15.war file to the WebLogic Server 10.3.3 configuration endorsed directory, as follows:
Stop the Oracle WebLogic Server 10.3.3 domain.
If necessary, unzip the OpenSSO 8.0 Update 2 opensso.zip file.
Create a temporary directory and unzip the zip-root/opensso/samples/opensso-client.zip file in that directory, where zip-root is where you unzipped the opensso.zip file. For example:
cd zip-root/opensso/samples mkdir ziptmp cd ziptmp unzip ../opensso-client.zip
Create a temporary directory and extract the saaj-impl.jar file from opensso-client-jdk15.war. For example:
cd zip-root/opensso/samples/ziptmp/war mkdir wartmp cd wartmp jar xvf ../opensso-client-jdk15.war WEB-INF/lib/saaj-impl.jar
Create a new directory named endorsed under the WEBLOGIC_JAVA_HOME/jre/lib directory (if endorsed does not already exist), where WEBLOGIC_JAVA_HOME is the JDK that WebLogic Server is configured to use.
Copy the saaj-impl.jar file to the WEBLOGIC_JAVA_HOME/jre/lib/endorsed directory.
Start the WebLogic Server domain.
When OpenSSO is configured on IBM WebSphere Application Server 6.1 or AIX 5.3, a valid plain text password user can not be authenticated via a SecurID authentication module instance.
Workaround. None. Do not use plain text passwords on IBM WebSphere Application Server.
After you run the updateschema.sh or updateschema.bat script, you must restart the OpenSSO 8.0 Update 2 web container.
The updateschema.bat script executes several ssoadm commands. Therefore, before you run updateschema.bat on Windows systems, create a password file that contains the password user in clear text for the amadmin user. The updateschema.bat script prompts you for the path to the password file. Before the script terminates, it removes the password file.
When using OpenSSO Update 2 on the following browsers, the browser scroll does not work as designed: Microsoft Internet Explorer 7 and 8 on Windows 2003 or 2008.
Workaround. Maximize the browser window.
JBoss 5.x uses Tomcat 6.0.16 which does not support the special symbols in the OpenSSO iPlanetDirectoryPro cookie. This affects OpenSSO cookie-handling.
Workaround. See To Deploy OpenSSO on JBoss 5.0.
The minimum heap size should be set to at least 512M (-Xms256m), and maximum heap size should be set to 1024M (-Xmx1024m).
The MaxPermSize should be set to 256M (-XX:MaxPermSize=256m)
In the JBoss run.conf file (run.conf.bat on Windows), which is used to start up the JBoss instance, add the following JVM options:
-Dcom.iplanet.am.cookie.encode=true -Dcom.iplanet.am.cookie.c66Encode=true
If you do not set these properties, after entering your credentials in the OpenSSO console, you are directed back to the login page. After you've deployed and configured OpenSSO you can remove this entry in the run.conf file (or run.conf.bat on Windows). OpenSSO configures the cookie encode property during deployment.
Unjar the opensso.war.
Create text-file opensso.war/WEB-INF/jboss-web.xml.
Enter the following content in the file:
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd"> <jboss-web> <class-loading java2ClassLoadingCompliance='true'> <loader-repository> jbia.loader:loader=opensso <loader-repository-config> java2ParentDelegaton=true </loader-repository-config> </loader-repository> </class-loading> <resource-ref> <res-ref-name>jdbc/openssousersdb</res-ref-name> <jndi-name>java:jdbc/openssousersdb</jndi-name> </resource-ref> </jboss-web>
Create the WAR again.
Stop the JBoss server.
Create a directory under the mode that opensso will be deployed to.
Example: JBOSS_INSTALL_DIR>/server/$CONFIG/deploy/opensso.war
where $CONFIG is the mode such as default, all, or production.
Go to the opensso.war directory.
Example: JBOSS_INSTALL_DIR/server/$CONFIG/deploy/opensso.war
Explode the war to this directory.
jar -xvf WAR_FILE_LOCATION/opensso.war
Restart the JBoss container.
Deployment of opensso.war will succeed without errors.
OpenSSO 8.0 U2 installation on JBoss 5.0.0 is supported in exploded war mode only.
If you deploy and configure the opensso.war file on JBoss Application Server 5.0.0.0 and then restart the JBoss Application Server web container, OpenSSO 8.0 Update 2 displays the configurator page again instead of the login page.
Workaround. Deploy the opensso.war file in the JBoss AS deploy directory, as follows:
Stop the JBoss Application Server web container.
Edit the JBoss Application Server run.conf file by adding the following options:
-Dcom.iplanet.am.cookie.encode=true -Dcom.iplanet.am.cookie.c66Encode=true
Uncomment the line "admin=admin" in the following files:
JBOSS_INSTALL_DIR/server/$CONFIG/conf/props/jmx-console-users.properties
JBOSS_INSTALL_DIR/server/$CONFIG/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties
Copy the opensso.war file to the following JBoss Application Server directory:
JBOSS_INSTALL_DIR/server/$CONFIG/deploy
where $CONFIG is the JBoss Application Server mode, such as default, all, or production.
Restart the JBoss Application Server web container.
Deploy the opensso.war file in the directory shown in Step 4.
If you deploy the Java Oracle OpenSSO Fedlet on JBoss Application Server 5.0.x, index.jsp doesn't display and Fedlet SSO fails with an IllegalStateException.
Workaround. Follow these steps.
Stop the JBoss AS web container. JBoss AS web container.
Add the following Java options in the JBoss AS 5.0 run.conf file: -
Djavax.xml.soap.MetaFactory= com.sun.xml.messaging.saaj.soap.SAAJMetaFactoryImpl -Djavax.xml.soap.MessageFactory= com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl -Djavax.xml.soap.SOAPConnectionFactory= com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnectionFactory -Djavax.xml.soap.SOAPFactory= com.sun.xml.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl
Start the JBoss AS web container.
When LDAP referrals are enabled, authentication fails for the user in the referral directory server. Authentication fails regardless of how the option "LDAP Follows Referral" is set. Also, the Subjects tab in the OpenSSO administration console does not display referral users.
These issues are due in part because of a known issue with the LDAP SDK (CR 6969674). Using LDAP SDK, LDAP referrals are not honored in OpenSSO.
Workaround. There are no workarounds at this time.
In addition to this document, additional OpenSSO 8.0 documentation is available in the following collection:
http://docs.sun.com/coll/1767.1
OpenSSO 8.0 Update 2 includes the following documentation issues:
CR 6958580: Console online Help documents unsupported Discovery Agents
CR 6967006 Console online Help does not document OAMAuth and WSSAuth authentication modules
CR 6953579: OpenSSO Fedlet README file should document single logout feature
CR 6960630: Information for patching a specialized OpenSSO WAR should be revised
The OpenSSO 8.0 Update 2 administration console online Help documents Discovery Agents, even though these agents are not supported.
Workaround. None. Ignore the information about Discovery Agents in the online Help.
The OpenSSO 8.0 Update 2 administration console online Help does not document the Oracle Access Manager (OAM) and Web Services Security (WSS) authentication modules.
Workaround. For information about these authentication modules, see Chapter 4, Using the Security Token Service.
The Fedlet Java API public reference is available as part of the Oracle OpenSSO 8.0 Update 2 Java API Reference, which is available in the following documentation collection: http://docs.sun.com/coll/1767.1.
Note: OpenSSO 8.0 Update 2 does not support the getPolicyDecisionForFedlet method, even though this method is in the Java API reference.
The Fedlet README files do not document the single logout feature.
Workaround. For Oracle OpenSSO 8.0 Update 2, the Fedlet single logout feature is documented in Chapter 5, Using the Oracle OpenSSO Fedlet.
The information has been revised. See Patching a Specialized OpenSSO WAR.
You can also find additional useful information and resources at the following locations:
Oracle Advanced Customer Services for Systems:
http://www.oracle.com/us/support/systems/advanced-customer-services/index.html
Software Products: http://www.oracle.com/us/sun/sun-products-map-075562.html
SunSolve: http://sunsolve.sun.com/
Oracle Technology Network: http://www.oracle.com/technetwork/index.html
Sun Developer Services:http://developers.sun.com/services/
The Service Management Service (SMS) APIs (com.sun.identity.sm package) and SMS model are no longer included in OpenSSO.
The Unix authentication module and the Unix authentication helper (amunixd) will not be included in a future OpenSSO release.
The Sun Java System Access Manager 7.1 Release Notes stated that the Access Manager com.iplanet.am.sdk package, commonly known as the Access Manager SDK (AMSDK), and all related APIs and XML templates will not be included in a future OpenSSO release.
Consequently, when the AMSDK is removed, the Legacy Mode option and support will also be removed.
Migration options are not available now and are not expected to be available in the future. Oracle Identity Manager provides user provisioning solutions that you can use instead of the AMSDK. For more information about Identity Manager, see http://www.oracle.com/us/products/middleware/identity-management/index.html.
If you have questions or issues with OpenSSO 8.0 Update 2 or a subsequent patch release, contact Support Resources at http://sunsolve.sun.com/.
This site has links to the Knowledge Base, Online Support Center, and Product Tracker, as well as to maintenance programs and support contact numbers. If you are requesting help for a problem, please include the following information:
Description of the problem, including when the problem occurs and its impact on your operation
Machine type, operating system version, web container and version, JDK version, and OpenSSO version, including any patches or other software that might be affecting the problem
Steps to reproduce the problem
Any error logs or core dumps
To obtain accessibility features that have been released since the publishing of this media, consult Section 508 product assessments available upon request to determine which versions are best suited for deploying accessible solutions.
For information about Oracle's commitment to accessibility, see http://www.oracle.com/index.html.
Third-party URLs are referenced in this document and provide additional, related information.
Oracle is not responsible for the availability of third-party Web sites mentioned in this document. Oracle does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Oracle will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.