This section lists the key fixes and enhancements introduced in the Policy Agent 2.2 J2EE agent hot patches, which are now rolled into the 2.2-01 update release. Each issue is described with its associated change request (bug) number, followed by a short summary of the fix.
This problem was fixed in Access Manager 7.0 patch 7 (CR 6496155), but the problem still exists in Access Manager 7.1.
Workaround: Two workarounds exist:
Add the following new property to the J2EE agent AMAgent.properties configuration file:
com.sun.identity.enableUniqueSSOTokenCookie=false
For more about setting the value for the preceding property, see Property Made Available: com.sun.identity.enableUniqueSSOTokenCookie.
or
Always restart the agent after restarting Access Manager.
This problem stems from the custom registry that Policy Agent adds for IBM WebSphere Application Server and applies to the following agents:
Agent for IBM WebSphere Application Server 5.1.1
Agent for IBM WebSphere Application Server 6.0
For Agent for IBM WebSphere Application Server 6.1, the fix was integrated into the original version of the agent.
For Agent for IBM WebSphere Application Server 5.1.1 and Agent for IBM WebSphere Application Server 6.0, this fix enables you to use the WebSphere Administration Console to map the Access Manager roles, groups, and user identities to local J2EE roles that are specific to IBM WebSphere Application Server for authorization purposes. Using the WebSphere Administration Console in this manner eliminates the need to manually edit the admin-authz.xml file or to use the Policy Agent agentadmin --setGroup command.
For the fix to work, you must also implement specific tasks as described in these Release Notes. The instructions apply to Agent for IBM WebSphere Application Server 5.1.1 and Agent for IBM WebSphere Application Server 6.0. See Policy Agent 2.2–01: Enabling Access Manager Identities to Access the IBM WebSphere Administration Console.