Sun OpenSSO Enterprise 8.0 Release Notes

Policy Agent 3.0-01 Release

The Policy Agent 3.0-01 release includes both Java EE (formerly called J2EE) agents and web agents:

Java EE Agents in the Policy Agent 3.0-01 Release

Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release

The following version 3.0–01 Java EE agents are available on http://sunsolve.sun.com/.

Table 1 Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release

Patch ID    Version 3.0-01 Policy Agent For
145385-01   Oracle WebLogic Server 11g Release 1 (10.3.3)
            Oracle WebLogic Server 10g Release 3 (10.3)
            Oracle WebLogic Server 9.2 and 10.0
            Oracle WebLogic Portal 9.2, 10.0, and 10.2
145383-01   Sun GlassFish 2.1, V2 UR1, V2 UR2, and v3
            Sun Java System Application Server 8.1, 8.2, 9.0, and 9.1
145384-01   Apache Tomcat 6.0.x
145382-01   JBoss Application Server 4.x and 5.x
145386-01   IBM WebSphere Application Server 6.1 and 7.0
            IBM WebSphere Portal Server 6.1

Enhancements and Changes for Java EE Agents in the Policy Agent 3.0-01 Release


Note –

Version 3.0 and later Java EE agents require JDK 1.5 or later on the server where you plan to install the agent. Although some web containers such as JBoss Application Server 4.x and Application Server 8.x can run using JDK 1.4, JDK 1.5 or later is required for both the agent web container and the agentadmin program.


Support is added for GlassFish v3

The version 3.0–01 Java EE agent for Sun Java System Application Server and GlassFish v2 also supports GlassFish v3. See also Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release.

Issue 5633: New property is added to reset session idle time for not-enforced URLs

Version 3.0–01 Java EE agents include the following new property to specify whether the session idle timeout should be reset after a user with a valid session accesses a URL in the not-enforced list:

com.sun.identity.agents.config.notenforced.refresh.session.idletime

Values for this property can be:

Set this property depending on the location of the agent's configuration repository. If the repository is local to the agent's host server, add the property to the agent's OpenSSOAgentConfiguration.properties file and restart the agent's web container so that the agent reads the new value.

If the agent's configuration repository is centralized, use the OpenSSO Administration Console as follows:

  1. Log in to the OpenSSO Administration Console.

  2. Click Access Control, realm-name, Agents, J2EE, j2ee-agent-name, and then Advanced.

  3. Under Custom Properties, add the new property with its corresponding value.

  4. Click Save.

Issue 6107: JBoss Application Server agent supports custom principal feature

JBoss Application Server 4.x and 5.x login modules support the custom principal feature, which allows users to specify a custom principal in the JBoss AS configuration. The version 3.0–01 agent for JBoss AS 4.x and 5.x also supports the custom principal feature.

To use this feature, add the following line to the <login-module> element in the JBOSS_HOME/server/default/conf/am-login-config.xml file:

<module-option name = "principalClass">com.sample.CustomPrincipal</module-option>

For example, the <login-module> element should then be as follows:

<login-module code = "com.sun.identity.agents.jboss.v40.AmJBossLoginModule" 
                  flag = "required">
    <module-option name = "unauthenticatedIdentity">anonymous</module-option>
    <module-option name = "principalClass">com.sample.CustomPrincipal</module-option>
</login-module>

In this example, com.sample.CustomPrincipal is the custom principal implementation class name. This class must be in the JBoss AS classpath.

Issue 6108: JBoss Application Server agent redirects to the client's requested URI

If the agent filter mode is J2EE_POLICY or ALL and a user accesses a resource protected with J2EE policies by the version 3.0-01 JBoss AS 4.x or 5.x agent, the user is redirected to the originally requested resource after authenticating to OpenSSO 8.0 server. Previously, the user was redirected to the home page instead of the requested resource.

Issues and Workarounds for Java EE Agents in the Policy Agent 3.0-01 Release

CR 6976312: Install fails for WebSphere Application Server agent using IBM JDK on all systems except AIX

If you run the agentadmin or agentadmin.bat script to install the version 3.0-01 policy agent for IBM WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 using the IBM JDK on systems other than IBM AIX, the installation fails because the script cannot find the IBM JCE provider.

Workaround: Add the following Java options to the agentadmin or agentadmin.bat script and then rerun the installation:

AGENT_OPTS="-DamKeyGenDescriptor.provider=IBMJCE
-DamCryptoDescriptor.provider=IBMJCE
-DamRandomGenProvider=IBMJCE"

CR 6976304: WebSphere Application Server administrative console cannot be accessed

After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1, you cannot access the WebSphere administrative console.

Workaround: In the WebSphere Application Server agent profile, add the WebSphere administrative console URL to the Agent Root URL for CDSSO list, as follows:

  1. Log in to the OpenSSO Administration Console.

  2. Click Access Control, realm-name, Agents, J2EE, and then the j2ee-agent-name.

  3. In Agent Root URL for CDSSO, add the WebSphere administrative console URL.

  4. Click Save.

CR 6976308: WebSphere Application Server administrative console redirects to an incorrect URL in CDSSO mode

After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 in cross-domain single sign-on (CDSSO) mode and try to access the administrative console, you are redirected to an incorrect agentapp URL. The URL port is pointing to the admin port instead of the agentapp instance port.

Workaround: In the URL in the browser address bar, manually specify the correct port number for the agentapp instance.

Problems Fixed for Java EE Agents in the Policy Agent 3.0-01 Release

Table 2 Problems Fixed for Java EE Agents in the Policy Agent 3.0-01 Release

CR or Issue   Description
6121          401 error is returned instead of a 302 error when the client presents an invalid SSO Token
4461          Security context exception occurred with JBoss AS agent
6107          Custom principal in JBoss AS 4.3 is not working with J2EE agent
6108          J2EE Agent 3.0 for JBoss AS does not redirect to client request
4969          Tomcat agent J2EE tests are denied when debug level set to error mode
2779          J2EE agents should have the agentadmin script executable permission set by default
5008          GlassFish v3 server fails to start with invalid format error
5012          Tomcat 6.0 version 3.0 agent returns error with not-enforced IP list
5764          agentadmin script does not set up classpath correctly on GlassFish V3
4677          Tomcat 6.0 agent membership removal causes HTTP 403 access denied error
5197          Application logout does not clean up sessions
5744          Issue with URL pattern matching for port number in J2EE agents
4959          HTTPS session binding should be enabled by default in agent profile
5024          When not-enforced IP is used, accessing application of declarative security returns configuration error
5071          J2EE agent with CDSSO, cookie hijacking, and composite advice has second login issue
5633          J2EE agent does not reset session idle time for not-enforced URLs
5627          IP Resource condition fails if login URL in agent profile has resource=true included
6933534       Tomcat 6.0 version 3.0 agent classes are not added to classpath resulting in Tomcat startup failure

Web Agents in the Policy Agent 3.0-01 Release

Patch IDs for Web Agents in the Policy Agent 3.0-01 Release

The following version 3.0–01 web agents are available on http://sunsolve.sun.com/.

Table 3 Patch IDs for Web Agents in the Policy Agent 3.0-01 Release

Patch ID    Version 3.0-01 Policy Agent For
144698-01   Apache HTTP Server 2.0.x
144699-01   Apache HTTP Server 2.2.x
144700-01   Microsoft Internet Information Services (IIS) 6.0
            (supported on Microsoft Windows Server 2003, with separate agents for 32-bit and 64-bit systems)
144701-01   Microsoft Internet Information Services (IIS) 7.0 and 7.5
            (supported on Microsoft Windows Server 2008 R2, with separate agents for 32-bit and 64-bit systems)
144702-01   Sun Java System Web Proxy Server 4.0.x
144703-01   Sun Java System Web Server 7.0

Enhancements and Changes for Web Agents in the Policy Agent 3.0-01 Release

For more information about web agent properties, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents.

CR 6891373: New Properties Support POST Data Preservation With Sticky Sessions

In the 3.0–01 release, new properties support POST data preservation with sticky sessions configured. If you are using POST data preservation with a load balancer deployed in front of the agent, set the following properties for sticky sessions:

Important: For a sticky session to be set, you must set both of these properties correctly (and not to null).

These new properties are in the OpenSSOAgentConfiguration.properties file. Set these properties depending on the location of your agent's configuration repository. If the repository is local to the agent's host server, edit the agent's OpenSSOAgentConfiguration.properties file.

If the agent's configuration repository is centralized, use the OpenSSO Console:

  1. Log in to the OpenSSO Administration Console.

  2. Click Access Control, realm-name, Agents, Web, web-agent-name, and then Advanced.

  3. Under Custom Properties, add both new properties with their corresponding values.

  4. Click Save.

CR 6903850: Wildcard (*) Support Added for Not-Enforced Client IP List

The policy agent com.sun.identity.agents.config.notenforced.ip property in the OpenSSOAgentConfiguration.properties file now allows the wildcard character (*) to define an IP address. For example:

com.sun.identity.agents.config.notenforced.ip[2] = 192.168.11.*
com.sun.identity.agents.config.notenforced.ip[3] = *.10.10.*

Set this agent property depending on the location of your agent configuration repository. If the repository is centralized on the OpenSSO server, use the OpenSSO Console. If the repository is local to the agent's host server, edit the agent's OpenSSOAgentConfiguration.properties file.
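Worked example, added here and not part of the OpenSSO agent code: a matcher for the wildcard form shown above, with the two checks a practitioner usually wants before relying on a not-enforced IP list. The matching rule is an assumption (the note shows 192.168.11.* and *.10.10.* but does not define the semantics; the code treats each `*` as one whole octet), the property lines are a constructed sample, and the `effective_client_ip` helper illustrates the caveat that follows from the X-Forwarded-For support listed under fixed issue 5155: an agent that takes the client address from that header must only trust it from a known proxy, or any client can place itself in a not-enforced range by setting the header.

```python
"""Wildcard matching for com.sun.identity.agents.config.notenforced.ip.

Added example; not code from the OpenSSO policy agent. Assumes `*` matches
exactly one octet of a dotted-quad IPv4 address (the release note does not
define the rule) and that an agent honouring X-Forwarded-For takes the client
address from that header.
"""
import ipaddress
import re

# Constructed sample in the indexed form used by OpenSSOAgentConfiguration.properties.
SAMPLE_PROPERTIES = """
com.sun.identity.agents.config.notenforced.ip[0] = 10.1.2.3
com.sun.identity.agents.config.notenforced.ip[1] = 10.1.2.4
com.sun.identity.agents.config.notenforced.ip[2] = 192.168.11.*
com.sun.identity.agents.config.notenforced.ip[3] = *.10.10.*
"""

_PROP_RE = re.compile(
    r"^com\.sun\.identity\.agents\.config\.notenforced\.ip\[\d+\]\s*=\s*(\S+)$")


def parse_notenforced_ips(properties_text):
    """Return the not-enforced IP patterns, in file order."""
    patterns = []
    for line in properties_text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            patterns.append(m.group(1))
    return patterns


def _valid_pattern(pattern):
    """Four dot-separated fields, each an octet 0-255 or a single `*`."""
    parts = pattern.split(".")
    if len(parts) != 4:
        return False
    return all(p == "*" or (p.isdigit() and 0 <= int(p) <= 255) for p in parts)


def ip_matches(ip, pattern):
    """True if IPv4 `ip` matches `pattern`; `*` stands for one whole octet (assumption)."""
    if not _valid_pattern(pattern):
        raise ValueError("bad not-enforced IP pattern: %r" % pattern)
    try:
        octets = str(ipaddress.IPv4Address(ip)).split(".")
    except ValueError:
        return False  # unparseable or non-IPv4 addresses are never not-enforced
    return all(p == "*" or p == o for p, o in zip(pattern.split("."), octets))


def is_not_enforced(ip, patterns):
    return any(ip_matches(ip, p) for p in patterns)


def wildcard_octets(pattern):
    """Number of wildcard octets; use as a lint for entries broader than intended."""
    return pattern.split(".").count("*")


def effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Address to evaluate against the not-enforced list.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise the header is client-controlled and would let anyone claim an
    address inside a not-enforced range.
    """
    if x_forwarded_for and remote_addr in trusted_proxies:
        return x_forwarded_for.split(",")[0].strip()  # leftmost entry is the original client
    return remote_addr
```

The matcher rejects anything that is not four dot-separated fields, so an entry such as `192.168.1*` (which a glob-style matcher could read as 192.168.100.0 through 192.168.199.255) fails loudly instead of silently widening the list; treat an entry with more than one wildcard octet, like `*.10.10.*`, as something to justify explicitly in review.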

CR 6947499: NSS_STRICT_NOFORK Must be Disabled for Version 3.0–01 Apache Agents

The NSS and NSPR libraries used in the policy agent 3.0–01 release have changed since the version 3.0 agents were released. Therefore, to use the version 3.0–01 Apache HTTP Server 2.0.x or Apache HTTP Server 2.2.x policy agent on any platform, the NSS_STRICT_NOFORK environment variable must be set to DISABLED.

Problems Fixed for Web Agents in the Policy Agent 3.0-01 Release

Problems Fixed For All Web Agents

Table 4 Problems Fixed For All Web Agents

CR or Issue   Description
1776          Not-enforced list does not work in special circumstances
3755          Non-IP Based Token Restrictions not working with Access Manager 7 and version 3.0 agents
4755          Log message sent by Web Server 7.0 2.2 agent has an empty recMsg
4836          Policy agent should encode special characters in cookies by URL encoding
4917          Log a "no policy or action decision found" message at warning level
5060          3.0 Apache agents have issue with agent logout feature
5155          Support for x-forwarded-for headers in web agents
5229          Expired AppSSOToken during agent configuration fetch
5259          Cannot use wildcard characters in the path info part of URL in not enforced list
5266          In CDSSO mode, corrupted headers are included in the response
5323          Web agents remove CDSSO parameters from URL incorrectly
5413          Application parameters getting corrupted when CDSSO parameters are removed from the query
5425          Composite advice getting duplicated whenever access manager is restarted
5434          Apache agent doesn't work properly with mod_python handler
5453          Requests with existing iPlanetDirectoryPro cookies can cause Assertion to be ignored during session upgrade in CDSSO mode
5538          Agent crashes web server when setting long value for amlbcookie
5552          Policy evaluation fails when the request URL contains query parameters
5637          Agent doesn't work due to variable initialization issue
5666          Problems when path info is "/"
6086          Agent enforces URL case sensitivity during policy evaluation
6903850       Provide wildcard (*) support for Not Enforced Client IP List
6953714       Agent hangs while fetching policy decision if user session is validated from cache and policy has expired
6954327       In CDSSO, double POST problem during session upgrade
6774751       Access Manager 7.1 protected page is jumbled when session is upgraded
6959619       Host name is not set correctly when there is a load balancer in front of the agent

Problems Fixed for the Apache HTTP Server 2.0.x and 2.2.x Agents

Table 5 Problems Fixed for the Apache HTTP Server 2.0.x and 2.2.x Agents

CR or Issue   Description
4501          Additional HTTP methods support for version 3.0 Apache agent
4799          Some extra information gets printed on protected pages intermittently
5640          Attributes headers issue with 3.0 agent on IBM AIX systems
6947499       Apache 2.2 agent does not work when SSL enabled

Problems Fixed for the Sun Java System Web Server 7.0 Agent

Table 6 Problems Fixed for the Sun Java System Web Server 7.0 Agent

CR or Issue   Description
4688          Web Server agent notifications not working with protocol and port rewriting
4815          Memory corruption with POST data preservation
4911          Cookie reset for CDSSO set on incorrect domain
4934          Problem with POST data preservation feature in Web Server 7.0 agent
5207          Need a sticky cookie for load balancing with POST data preservation
5218          POST preservation data feature doesn't work with virtual hosts
5526          POST data preservation is not used when PA redirects as a result of composite advice
5532          Agent crashes web server when root policy is not found
5706          Need sticky session for POST data preservation to use URL
6937576       IIS 6.0 and web server agents do not handle overridden URL properly
6958056       POST data preservation feature doesn't work with normal FQDN and virtual hosts

Problems Fixed for the Sun Java System Web Proxy Server 4.0.x Agent

Table 7 Problems Fixed for the Sun Java System Web Proxy Server 4.0.x Agent

CR or Issue   Description
4911          Cookie reset for CDSSO set on incorrect domain
5680          Policy agent 2.2-02 on Web Proxy Server 4.0.4 has memory leak
6937576       IIS 6.0 and Web Server agents do not handle overridden URL properly
6953702       Cannot access CGIs through Web Proxy Server 3.0 agent in CDSSO mode

Problems Fixed for the Microsoft Internet Information Services (IIS) 6.0 Agent

Table 8 Problems Fixed for the Microsoft Internet Information Services (IIS) 6.0 Agent

CR or Issue   Description
4815          Memory corruption with POST data preservation
4816          Random crashes with IIS 6.0 agent
5207          Need a sticky cookie for load balancing with POST data preservation
5218          POST preservation data feature doesn't work with virtual hosts
5526          POST data preservation is not used when PA redirects as a result of composite advice
5532          Agent crashes Web Server when root policy is not found
5621          IIS 6.0 agent is not responding with OK message to notifications from server
5706          Need sticky session for POST data preservation to use URL
6929312       IIS agent: an existing header such as reutersuuid is replaced by a new header that contains its key
6937576       IIS 6.0 and web server agents do not handle overridden URL properly
6958056       POST data preservation feature doesn't work with normal FQDN and virtual hosts

Problems Fixed for the Microsoft Internet Information Services (IIS) 7.0 Agent

Table 9 Problems Fixed for the Microsoft Internet Information Services (IIS) 7.0 Agent

CR or Issue   Description
5621          IIS 6.0 Agent is not responding with OK message to notifications from server
6929312       For IIS 7.0 agent, an existing header such as reutersuuid is replaced by a new header that contains its key
6937576       IIS 6.0 and Web Server agents do not handle overridden URL properly
6956162       "Object Moved error" with redirects in Policy Agent 3.0 for IIS 7.0
6956232       Policy Agent 3.0 for IIS 7.0 changes ASP.NET session ID
6955905       Server problems when cookie reset is enabled in IIS 7.5
6934736       IIS 7.0 agent is not responding with OK message to notifications from server

Installation of Version 3.0-01 Policy Agents

A version 3.0-01 policy agent requires a full installation. If you have a version 3.0 agent already installed, you must uninstall the existing version 3.0 agent and then install the new version 3.0-01 agent. To install a version 3.0-01 agent, follow these steps:

  1. If you have a version 3.0 agent installed, uninstall the agent by following the instructions in the respective Policy Agent 3.0 guide in the OpenSSO Enterprise 8.0 documentation collection: http://docs.sun.com/coll/1767.1.

    Important: Before you uninstall the agent, back up your existing agent deployment. For example, for the Apache HTTP Server 2.2.x agent, back up the files under AgentHome/web_agents/apache22_agent, where AgentHome is where you installed the agent.

  2. Create a directory to download the version 3.0–01 patch file.

  3. Download the patch for the agent you want to install from http://sunsolve.sun.com/.

  4. In the download directory, unzip the version 3.0–01 patch file. A patch for a web agent contains a README file and separate ZIP files for each platform supported by the specific agent you downloaded. A patch for a Java EE agent contains one ZIP file for all supported platforms.

  5. Unzip the file for your specific platform.

    The files and directories required by the specific agent are then available in the zip-root/web_agents/agent-name directory, where zip-root is where you unzipped the file and agent-name identifies the specific agent.

    Check the README available with the agent for more information about the agent for your specific platform.

  6. Install and configure the version 3.0–01 agent by following the instructions in the respective Policy Agent 3.0 guide in the OpenSSO Enterprise 8.0 documentation collection: http://docs.sun.com/coll/1767.1.

    Note: Version 3.0 and later agents require JDK 1.5 or later on the server where you plan to install the agent. Before you run the agentadmin program to install the agent, set your JAVA_HOME environment variable to point to the JDK installation directory.
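The following helpers, added here as an example and not part of the agentadmin program or any Sun/Oracle code, cover the three mechanical parts of the procedure above: backing up the installed agent tree before uninstalling (step 1), unpacking the patch and the per-platform ZIP inside it (steps 4 and 5), and confirming that JAVA_HOME points at a JDK 1.5 or later before agentadmin is run (step 6). They assume the AgentHome/web_agents/apache22_agent layout from the backup note, a web-agent patch that wraps one ZIP per platform, and the usual 'java version "..."' banner on stderr; `demo()` runs them against a constructed agent tree and patch ZIP so the whole sequence can be exercised without a real download.

```python
"""Install-sequence helpers for a version 3.0-01 policy agent.

Added example; not the agentadmin program or any Sun/Oracle code. Assumes the
AgentHome/web_agents/apache22_agent layout, a patch ZIP containing one ZIP per
platform, and a `java -version` banner of the form 'java version "1.x.y"'.
"""
import io
import os
import re
import shutil
import subprocess
import tempfile
import time
import zipfile

_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?')


def parse_java_version(version_output):
    """(major, minor) from `java -version` text: (1, 6) for 1.6.0_20, (11, 0) for 11.0.2."""
    m = _VERSION_RE.search(version_output)
    if not m:
        raise ValueError("no 'java version' line in: %r" % version_output)
    return int(m.group(1)), int(m.group(2) or 0)


def jdk_is_supported(version_output, minimum=(1, 5)):
    """JDK 1.5 or later; tuple comparison also accepts the 9+ numbering of newer JDKs."""
    return parse_java_version(version_output) >= minimum


def check_java_home(java_home=None, runner=subprocess.run):
    """Run $JAVA_HOME/bin/java -version; raise if JAVA_HOME is unset or the JDK is older than 1.5.
    `runner` is injectable so the check can be exercised without a JDK on the box."""
    java_home = java_home or os.environ.get("JAVA_HOME")
    if not java_home:
        raise RuntimeError("JAVA_HOME is not set; agentadmin needs it to locate the JDK")
    proc = runner([os.path.join(java_home, "bin", "java"), "-version"],
                  capture_output=True, text=True)
    output = (proc.stderr or "") + (proc.stdout or "")  # java prints the banner to stderr
    if not jdk_is_supported(output):
        raise RuntimeError("JDK 1.5 or later is required, found: " + output.strip())
    return parse_java_version(output)


def backup_agent(agent_home, agent_dir=os.path.join("web_agents", "apache22_agent")):
    """Copy the installed agent tree to a timestamped sibling before uninstalling; returns the copy."""
    src = os.path.join(agent_home, agent_dir)
    dst = "%s.bak-%s" % (src, time.strftime("%Y%m%d%H%M%S"))
    shutil.copytree(src, dst)
    return dst


def unpack_patch(patch_zip, download_dir, platform_tag=None):
    """Unzip the patch, select the single platform ZIP it contains (filtered by
    `platform_tag`, e.g. 'linux'), unzip that too, and return the zip-root directory."""
    with zipfile.ZipFile(patch_zip) as outer:
        outer.extractall(download_dir)
        inner = [n for n in outer.namelist() if n.lower().endswith(".zip")]
    if platform_tag:
        inner = [n for n in inner if platform_tag.lower() in n.lower()]
    if len(inner) != 1:
        raise RuntimeError("expected exactly one platform ZIP, found %r" % inner)
    with zipfile.ZipFile(os.path.join(download_dir, inner[0])) as plat:
        plat.extractall(download_dir)
    return download_dir


def demo():
    """Run the helpers on a constructed agent tree and patch ZIP; returns values a test can check."""
    work = tempfile.mkdtemp(prefix="pa301-")
    agent_cfg = os.path.join(work, "AgentHome", "web_agents", "apache22_agent", "config")
    os.makedirs(agent_cfg)
    with open(os.path.join(agent_cfg, "OpenSSOAgentBootstrap.properties"), "w") as f:
        f.write("# constructed sample bootstrap file\n")
    backup = backup_agent(os.path.join(work, "AgentHome"))

    # Constructed patch: outer ZIP with a README and one platform ZIP inside it.
    plat = io.BytesIO()
    with zipfile.ZipFile(plat, "w") as z:
        z.writestr("web_agents/apache22_agent/bin/agentadmin", "#!/bin/sh\n")
    patch = os.path.join(work, "sample-patch.zip")
    with zipfile.ZipFile(patch, "w") as z:
        z.writestr("README", "constructed sample patch\n")
        z.writestr("apache22_agent_Linux.zip", plat.getvalue())
    download = os.path.join(work, "download")
    os.makedirs(download)
    zip_root = unpack_patch(patch, download, platform_tag="linux")

    def fake_java(args, **kwargs):  # stands in for a JDK 1.6 `java -version`
        return subprocess.CompletedProcess(args, 0, stdout="", stderr='java version "1.6.0_20"\n')
    version = check_java_home(java_home="/opt/jdk1.6", runner=fake_java)
    return {
        "backup_has_bootstrap": os.path.exists(os.path.join(backup, "config", "OpenSSOAgentBootstrap.properties")),
        "agentadmin_unpacked": os.path.exists(os.path.join(zip_root, "web_agents", "apache22_agent", "bin", "agentadmin")),
        "jdk_version": version,
    }
```

The JDK check runs the java binary under JAVA_HOME rather than whatever `java` is first on PATH, because agentadmin resolves the JDK from JAVA_HOME; a container that happens to run on JDK 1.4 (see the note on JBoss AS 4.x and Application Server 8.x) is exactly the case where the two can differ.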