Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release
Enhancements and Changes for Java EE Agents in the Policy Agent 3.0-01 Release
Issues and Workarounds for Java EE Agents in the Policy Agent 3.0-01 Release
Problems Fixed for Java EE Agents in the Policy Agent 3.0-01 Release
The following version 3.0-01 Java EE agents are available on http://sunsolve.sun.com/.
Table 1 Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release
Version 3.0-01 Policy Agent For | Patch ID
---|---
Oracle WebLogic Server 11g Release 1 (10.3.3); Oracle WebLogic Server 10g Release 3 (10.3); Oracle WebLogic Server 9.2 and 10.0; Oracle WebLogic Portal 9.2, 10.0, and 10.2 | 145385-01
Sun GlassFish 2.1, V2 UR1, V2 UR2, and v3; Sun Java System Application Server 8.1, 8.2, 9.0, and 9.1 | 145383-01
Apache Tomcat 6.0.x | 145384-01
JBoss Application Server 4.x and 5.x | 145382-01
IBM WebSphere Application Server 6.1 and 7.0; IBM WebSphere Portal Server 6.1 | 145386-01
Issue 5633: New property is added to reset session idle time for not-enforced URLs
Issue 6107: JBoss Application Server agent supports custom principal feature
Issue 6108: JBoss Application Server agent redirects to the client's requested URI
Version 3.0 and later Java EE agents require JDK 1.5 or later on the server where you plan to install the agent. Although some web containers such as JBoss Application Server 4.x and Application Server 8.x can run using JDK 1.4, JDK 1.5 or later is required for both the agent web container and the agentadmin program.
The version 3.0-01 Java EE agent for Sun Java System Application Server and GlassFish v2 also supports GlassFish v3. See also Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release.
Version 3.0-01 Java EE agents include the following new property to specify whether the session idle timeout should be reset after a user with a valid session accesses a URL in the not-enforced list:
com.sun.identity.agents.config.notenforced.refresh.session.idletime
Values for this property can be:
true: The session idle time is reset after a user with a valid session accesses a URL in the not-enforced list.
false (default): The session idle time is not reset.
Set this property depending on the location of the agent's configuration repository. If the repository is local to the agent's host server, add the property to the agent's OpenSSOAgentConfiguration.properties file and restart the OpenSSO server instance.
If the agent's configuration repository is centralized, use the OpenSSO Administration Console as follows:
1. Log in to the OpenSSO Administration Console.
2. Click Access Control, realm-name, Agents, J2EE, j2ee-agent-name, and then Advanced.
3. Under Custom Properties, add the new property with its corresponding value.
4. Click Save.
JBoss Application Server 4.x and 5.x login modules support the custom principal feature, which allows users to specify a custom principal in the JBoss AS configuration. The version 3.0-01 agent for JBoss AS 4.x and 5.x also supports the custom principal feature.
To use this feature, add the following line to the <login-module> element in the JBOSS_HOME/server/default/conf/am-login-config.xml file:
<module-option name = "principalClass">com.sample.CustomPrincipal</module-option>
For example, the <login-module> element should then be as follows:
<login-module code = "com.sun.identity.agents.jboss.v40.AmJBossLoginModule" flag = "required">
    <module-option name = "unauthenticatedIdentity">anonymous</module-option>
    <module-option name = "principalClass">com.sample.CustomPrincipal</module-option>
</login-module>
In this example, com.sample.CustomPrincipal is the custom principal implementation class name. This class must be in the JBoss AS classpath.
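An added example (not from the release notes or the OpenSSO agent code) of what a com.sample.CustomPrincipal class referenced by the principalClass option could look like. It assumes the agent's login module follows the JBoss AbstractServerLoginModule convention of instantiating the principalClass reflectively through a public constructor that takes the authenticated user name as a single String; the package and class names are the ones used in the configuration above.

```java
package com.sample;

import java.io.Serializable;
import java.security.Principal;

// Custom principal for the JBoss "principalClass" module option.
// Assumption: the login module creates it reflectively via the
// single-String-argument constructor, as JBoss's own login modules do.
public class CustomPrincipal implements Principal, Serializable {

    private static final long serialVersionUID = 1L;

    private final String name;

    public CustomPrincipal(String name) {
        // Refuse empty identities so an authenticated subject can never
        // end up carrying a principal with no usable name.
        if (name == null || name.trim().isEmpty()) {
            throw new IllegalArgumentException("principal name must not be empty");
        }
        this.name = name;
    }

    @Override
    public String getName() {
        return name;
    }

    // Compare and hash by name only, matching the semantics of JBoss's
    // SimplePrincipal, so two instances for the same user are treated as
    // the same principal in the authenticated Subject.
    @Override
    public boolean equals(Object other) {
        if (this == other) {
            return true;
        }
        if (!(other instanceof CustomPrincipal)) {
            return false;
        }
        return name.equals(((CustomPrincipal) other).name);
    }

    @Override
    public int hashCode() {
        return name.hashCode();
    }

    @Override
    public String toString() {
        return "CustomPrincipal[" + name + "]";
    }
}
```

Serializable is implemented so the principal survives HTTP session replication or persistence; the compiled class must be placed where the JBoss AS classpath can load it, as noted above.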
If the filter mode for the requested URI is J2EE_POLICY or ALL and a user accesses a resource protected with J2EE policies by the version 3.0-01 JBoss AS 4.x and 5.x agent, the user is redirected to the client's requested resource after authentication by the OpenSSO 8.0 server. Previously, the user was redirected to the client's home page.
If you run the agentadmin or agentadmin.bat script to install the version 3.0-01 policy agent for IBM WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 using the IBM JDK on systems other than IBM AIX, the installation fails because the script cannot find the IBM JCE provider.
Workaround: Add the following Java options to the agentadmin or agentadmin.bat script and then rerun the installation:
AGENT_OPTS="-DamKeyGenDescriptor.provider=IBMJCE -DamCryptoDescriptor.provider=IBMJCE -DamRandomGenProvider=IBMJCE"
After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1, you cannot access the WebSphere administrative console.
Workaround: In the WebSphere Application Server agent profile, add the WebSphere administrative console URL to the Agent Root URL for CDSSO list, as follows:
1. Log in to the OpenSSO Administration Console.
2. Click Access Control, realm-name, Agents, J2EE, and then the j2ee-agent-name.
3. In Agent Root URL for CDSSO, add the WebSphere administrative console URL.
4. Click Save.
After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 in cross-domain single sign-on (CDSSO) mode and try to access the administrative console, you are redirected to an incorrect agentapp URL. The URL port is pointing to the admin port instead of the agentapp instance port.
Workaround: In the URL in the browser address bar, manually specify the correct port number for the agentapp instance.
CR or Issue | Description
---|---
6121 | 401 error is returned instead of a 302 error when the client presents an invalid SSO Token
4461 | Security context exception occurred with JBoss AS agent
6107 | Custom principal in JBoss AS 4.3 is not working with J2EE agent
6108 | J2EE Agent 3.0 for JBoss AS does not redirect to client request
4969 | Tomcat agent J2EE tests are denied when debug level set to error mode
2779 | J2EE agents should have the agentadmin script executable permission set by default
5008 | GlassFish v3 server fails to start with invalid format error
5012 | Tomcat 6.0 version 3.0 agent returns error with not-enforced IP list
5764 | agentadmin script does not set up classpath correctly on GlassFish V3
4677 | Tomcat 6.0 agent membership removal causes HTTP 403 access denied error
5197 | Application logout does not clean up sessions
5744 | Issue with URL pattern matching for port number in J2EE agents
4959 | HTTPS session binding should be enabled by default in agent profile
5024 | When not-enforced IP is used, accessing application of declarative security returns configuration error
5071 | J2EE agent with CDSSO, cookie hijacking, and composite advice has second login issue
5633 | J2EE agent does not reset session idle time for not-enforced URLs
5627 | IP Resource condition fails if login URL in agent profile has resource=true included
6933534 | Tomcat 6.0 version 3.0 agent classes are not added to classpath resulting in Tomcat startup failure