This chapter provides information about OpenSSO 8.0 Update 2 Patch 1.
Oracle OpenSSO 8.0 Update 2 patch 1 is available as patch ID 141655-05 on SunSolve: http://sunsolve.sun.com.
For information about installation, see Chapter 3, Installing OpenSSO 8.0 Update 2.
For a list of the problems fixed in patch 1, see the README file distributed with the patch.
CR 6978018: Running OpenSSO 8.0 in GlassFish 2.1.x using LDAPS with JDK 1.6.x
CR 7002787: OpenSSO 8.0 Update 2 is not working with Active Directory Data Store
CR 6897101: After a login to a non-default realm, user experiences multiple logins after a timeout
CR 6983035: Remote console with OpenSSO server returns errors after a session timeout
To run OpenSSO 8.0 in a GlassFish 2.1.x web container with an external directory server using LDAPS with JDK 1.6.x, set the NSS_USE_DECODED_CKA_EC_POINT environment variable to 1 before you start the GlassFish 2.1.x domain. For example:
NSS_USE_DECODED_CKA_EC_POINT=1
export NSS_USE_DECODED_CKA_EC_POINT
glassfish-root/bin/asadmin start-domain glassfish-domain
This problem occurs for both OpenSSO 8.0 Update 2 and OpenSSO 8.0 Update 2 patch 1. If you create an Active Directory data store and then log in to the OpenSSO administration console using the Active Directory authentication module, OpenSSO returns the error message “User has no profile in this organization” to your browser.
Workaround. To use the Active Directory data store and authentication module with OpenSSO 8.0 Update 2 or OpenSSO 8.0 Update 2 patch 1, perform these steps:
Log in to the OpenSSO Administration Console.
Under the Active Directory data store configuration, make these changes:
For the LDAPv3 Plug-in Supported Types and Operations, change:
user=read,create,edit,delete
to
user=read,create,edit,delete,service
In Attribute Name Mapping, add the following attribute mappings:
iplanet-am-user-alias-list=objectGUID
employeeNumber=distinguishedName
mail=userPrincipalName
portalAddress=sAMAccountName
telephonenumber=displayName
uid=sAMAccountName
Click Save and log out of the console.
Restart the OpenSSO web container.
Previously, if a user entered valid credentials after an authentication module timeout occurred, the login screen for the second authentication module was presented and the user could enter an invalid password to get access to a protected resource.
Patch 1 fixes this CR; however, the fix applies only to non-JAAS authentication modules. If you write a custom authentication module, implement it as a non-JAAS module.
If you log in to OpenSSO server from a remote console and a session timeout occurs, some console functions do not work properly. Also, errors are displayed if you click on various tabs in the console.
Workaround. After making changes from the remote console, log out from the remote console. To clear the errors, restart both the OpenSSO server and the remote console.
If you are using a remote console and try to save Federation or SAML properties that need access to the certificate keystore, errors are returned. This problem occurs because the certificate keystore resides on the OpenSSO server, and the remote console does not have access to the keystore.
Workaround. Use either of these solutions, depending on your deployment:
If the keystore is directly accessible from the remote console through a mount point, specify the complete absolute path to the keystore.
Copy the keystore files from the OpenSSO server to the remote console. With this solution, however, whenever you change the keystore files on the OpenSSO server, you must also update the copies on the remote console.
If you are using the sample in “Example 1–1 Code Sample: Post-Authentication Plug-In for First-Time Login” in the Sun OpenSSO Enterprise 8.0 Integration Guide, you must be running OpenSSO 8.0 Update 1 or later. Otherwise, the sample does not compile because the Java compiler cannot find the POST_PROCESS_LOGIN_SUCCESS_URL property, which was first available with OpenSSO 8.0 Update 1.