What's New in OpenSSO 8.0 Update 2
Security Token Service Enhancements
Hardware and Software Requirements For OpenSSO 8.0 Update 2
OpenSSO 8.0 Update 2 Issues and Workarounds
CR 6959610: OpenSSO 8.0 Update 2 samples should be removed in production environment
CRs 6944573, 6964648: New Java security permissions are required for WebLogic Server 10.3.3
CR 6960514: Cannot access authentication certificates
To Configure JDBC Authentication with Oracle Database
To Manually Configure NSS on OpenSSO
CR 6967026: Configurator cannot connect to LDAPS-enabled directory server
CR 6956461: SecurID authentication fails on IBM WebSphere Application Server
CR 6959373: Web container requires a restart after running updateschema script
CR 6961419: Running updateschema.bat script requires a password file
CR 6970859: Browser scroll feature does not work
Deploying OpenSSO 8.0 Update 2 on JBoss 5.0
To Deploy OpenSSO on JBoss 5.0
CR 6972593: Java Oracle OpenSSO Fedlet single sign-on (SSO) fails on JBoss AS 5.0.x
SR 72335286 and CR 6929674: LDAP Referrals Do Not Work as Expected
OpenSSO 8.0 Update 2 Documentation
CR 6958580: Console online Help documents unsupported Discovery Agents
CR 6967006: Console online Help does not document OAMAuth and WSSAuth authentication modules
CR 6953582: Fedlet Java API reference should be public
CR 6953579: OpenSSO Fedlet README file should document single logout feature
CR 6960630: Information for patching a specialized OpenSSO WAR should be revised
Additional Information and Resources
Deprecation Notifications and Announcements
How to Report Problems and Provide Feedback
Accessibility Features for People With Disabilities
2. OpenSSO 8.0 Update 2 Patch Releases
3. Installing OpenSSO 8.0 Update 2
4. Using the Security Token Service
5. Using the Oracle OpenSSO Fedlet
6. Integrating the OpenSSO 8.0 Update 2 with Oracle Access Manager
General security concerns exist regarding the use of an HTTP Basic Authentication module. See the “Disadvantages” section of http://en.wikipedia.org/wiki/Basic_access_authentication: the credentials travel with every request, protected only by whatever transport encryption is in place. Be sure that you can address these concerns before you consider using HTTP Basic Authentication in a production deployment.
To minimize random or unnecessary configuration changes caused by inadvertently running the sample programs, remove the samples before you deploy OpenSSO 8.0 Update 2 in a production environment.
If you are deploying OpenSSO 8.0 Update 2 on Oracle WebLogic Server 10.3.3 with the security manager enabled, an additional Java security permission is required.
Workaround. Add the following permission to the WebLogic Server 10.3.3 weblogic.policy file:
permission java.lang.RuntimePermission "getClassLoader";
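The line above is the permission the page calls for; the fragment below is an added example, not from the OpenSSO or WebLogic documentation, showing how to grant it only to the deployed OpenSSO code rather than to every class the JVM loads. The codeBase path (OPENSSO_DEPLOY_DIR) is an assumption: substitute the directory from which WebLogic Server serves the deployed opensso.war, and keep the trailing "/-" so the grant covers the WAR's subdirectories.

```text
// Added example, not from the OpenSSO documentation.
// Scope the grant to the OpenSSO deployment instead of adding the permission
// to a global grant block; OPENSSO_DEPLOY_DIR is an assumed placeholder.
grant codeBase "file:OPENSSO_DEPLOY_DIR/-" {
    permission java.lang.RuntimePermission "getClassLoader";
};
```

With the security manager enabled, a global grant of getClassLoader lets any application on the server reach other applications' class loaders; the scoped grant keeps the workaround limited to the component that needs it.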
Due to an issue in earlier versions of Oracle WebLogic Server such as 10.3.0 and 10.3.1, certificate authentication with either LDAP checking or OCSP checking enabled fails.
Workaround. This problem has been fixed in WebLogic Server 10.3.3. To use certificate authentication with either LDAP checking or OCSP checking, use OpenSSO 8.0 Update 2 with WebLogic Server 10.3.3.
In the Spanish version of OpenSSO 8.0 Update 2, you cannot access authentication certificates. When you go to Configuration > Authentication > Certificates, an error occurs. The following is displayed in the log "Caused by: java.lang.IllegalArgumentException."
Workaround. None.
Download the Oracle JDBC driver (ojdbc6.jar) from http://www.oracle.com/technetwork/database/enterprise-edition/jdbc-112010-090769.html, then add it to the WEB-INF/lib directory of opensso.war and repackage the WAR before you deploy it:

mkdir /tmp/staging
cd /tmp/staging
jar xf WAR_FILE_LOCATION/opensso.war
cp OJDBC6_DOWNLOAD_LOCATION/ojdbc6.jar WEB-INF/lib
jar cf /tmp/opensso.war *
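The following is an added example, not from the OpenSSO documentation: a standard-library Python equivalent of the jar xf / cp / jar cf sequence above, with two checks a practitioner wants before shipping a patched WAR: the downloaded driver jar matches a pinned SHA-256 (the digest published alongside the download), and the rewritten archive is intact and carries exactly one copy of the entry. The sample WAR and jar the code builds are constructed stand-ins, not the real archives; the function names are this example's own.

```python
"""Add a driver jar to opensso.war's WEB-INF/lib and verify the result.

Added example (not OpenSSO code). The sample WAR and jar are constructed data.
"""
import hashlib
import os
import tempfile
import zipfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def add_jar_to_war(war_path, jar_path, expected_sha256=None, dest_dir="WEB-INF/lib"):
    """Write <war_path>.patched containing jar_path under dest_dir; return its path.

    The archive is rewritten entry by entry instead of appended to, so an existing
    entry with the same name is replaced rather than duplicated (a WAR with two
    WEB-INF/lib/ojdbc6.jar entries is ambiguous to the container's class loader).
    """
    if expected_sha256 is not None:
        actual = sha256_of(jar_path)
        if actual != expected_sha256.lower():
            raise ValueError("%s: sha256 %s, expected %s" % (jar_path, actual, expected_sha256))
    dest_name = dest_dir.rstrip("/") + "/" + os.path.basename(jar_path)
    out_path = war_path + ".patched"
    with zipfile.ZipFile(war_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != dest_name:
                dst.writestr(info, src.read(info.filename))
        dst.write(jar_path, dest_name)
    return out_path


def war_libs(war_path):
    """Sorted jar entries under WEB-INF/lib, after checking the archive's CRCs."""
    with zipfile.ZipFile(war_path) as zf:
        if zf.testzip() is not None:
            raise ValueError("%s: corrupt entry" % war_path)
        return sorted(n for n in zf.namelist()
                      if n.startswith("WEB-INF/lib/") and n.endswith(".jar"))


def build_sample_war(directory):
    """Minimal stand-in for opensso.war (constructed, not the real archive)."""
    war = os.path.join(directory, "opensso.war")
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/opensso-core.jar", b"stub jar contents")
    return war


def demo():
    """Patch the sample WAR twice with a pinned hash; return the final lib list."""
    with tempfile.TemporaryDirectory() as tmp:
        war = build_sample_war(tmp)
        jar = os.path.join(tmp, "ojdbc6.jar")
        with open(jar, "wb") as fh:
            fh.write(b"stub driver contents")
        pinned = sha256_of(jar)  # in practice, the digest published with the download
        patched = add_jar_to_war(war, jar, expected_sha256=pinned)
        # A second run replaces the entry instead of adding a duplicate.
        patched = add_jar_to_war(patched, jar, expected_sha256=pinned)
        return war_libs(patched)


def demo_wrong_hash():
    """Return True if a jar whose digest does not match the pin is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        war = build_sample_war(tmp)
        jar = os.path.join(tmp, "ojdbc6.jar")
        with open(jar, "wb") as fh:
            fh.write(b"tampered driver")
        try:
            add_jar_to_war(war, jar, expected_sha256="00" * 32)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo(), demo_wrong_hash())
```

Rewriting the archive rather than running jar uf twice matters because a second update would leave two entries with the same path; pinning the digest turns "download a jar and bundle it" into a checked step of the build.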
By default, the OpenSSO configurator supports only the JCE/JSSE provider for SSL. However, you can use the OpenSSO administration console to manually enable JSS/NSS. If OpenSSO is deployed on Sun Web Server 7.0 or on GlassFish Enterprise Edition 2.1.0, then complete the following steps. For GlassFish Enterprise Edition 2.1.1 and later versions, see CR 6967026: Configurator cannot connect to LDAPS-enabled directory server.
Before You Begin
If you want OpenSSO to connect to an LDAPS-enabled directory server, then the CA certificate for the LDAPS-enabled directory server must already be imported into the JVM trust store (by default JAVA_HOME/jre/lib/security/cacerts).
Property Name: opensso.protocol.handler.pkgs
Property Value: com.iplanet.services.comm
Property Name: com.iplanet.am.admin.cli.certdb.dir
Property Value: path-to-NSS-database
If OpenSSO is deployed on GlassFish Enterprise Server 2.1.1 or later versions, then OpenSSO cannot connect to an LDAPS-enabled directory server instance with JSS/NSS. The problem occurs because OpenSSO and GlassFish Enterprise Server 2.1.1 and later versions do not use the same JSS version.
Workaround: Use the JSSE provider instead of the NSS provider for SSL.
If you deploy OpenSSO 8.0 Update 2 (opensso.war) in the WebLogic Server 10.3.3 administration console and click Start to allow OpenSSO 8.0 Update 2 to start receiving requests, exceptions are thrown in the console where the WebLogic Server domain was started.
Note: After you start OpenSSO 8.0 Update 2, it remains started and exceptions are not thrown again until OpenSSO 8.0 Update 2 is stopped and then restarted.
Workaround. Copy the saaj-impl.jar file from the OpenSSO 8.0 Update 2 opensso-client-jdk15.war file to the endorsed directory of the JDK that WebLogic Server 10.3.3 uses, as follows:
Stop the Oracle WebLogic Server 10.3.3 domain.
If necessary, unzip the OpenSSO 8.0 Update 2 opensso.zip file.
Create a temporary directory and unzip the zip-root/opensso/samples/opensso-client.zip file in that directory, where zip-root is where you unzipped the opensso.zip file. For example:
cd zip-root/opensso/samples
mkdir ziptmp
cd ziptmp
unzip ../opensso-client.zip
Create a temporary directory and extract the saaj-impl.jar file from opensso-client-jdk15.war. For example:
cd zip-root/opensso/samples/ziptmp/war
mkdir wartmp
cd wartmp
jar xvf ../opensso-client-jdk15.war WEB-INF/lib/saaj-impl.jar
Create a new directory named endorsed under the WEBLOGIC_JAVA_HOME/jre/lib directory (if endorsed does not already exist), where WEBLOGIC_JAVA_HOME is the JDK that WebLogic Server is configured to use. Jars in this directory override the JDK's own implementation of the same API for every JVM started from that JDK, not only for the OpenSSO domain.
Copy the saaj-impl.jar file to the WEBLOGIC_JAVA_HOME/jre/lib/endorsed directory.
Start the WebLogic Server domain.
When OpenSSO is configured on IBM WebSphere Application Server 6.1 or AIX 5.3, a user with a valid plain-text password cannot be authenticated through a SecurID authentication module instance.
Workaround. None. Do not use plain-text passwords on IBM WebSphere Application Server.
After you run the updateschema.sh or updateschema.bat script, you must restart the OpenSSO 8.0 Update 2 web container.
The updateschema.bat script executes several ssoadm commands. Therefore, before you run updateschema.bat on Windows systems, create a password file that contains the amadmin user's password in clear text. The updateschema.bat script prompts you for the path to the password file and removes the file before it terminates. Because the file holds the administrator password in clear text, create it with permissions that allow only the account running the script to read it, and confirm that it has been deleted if the script exits early.
When using OpenSSO Update 2 on the following browsers, the browser scroll does not work as designed: Microsoft Internet Explorer 7 and 8 on Windows 2003 or 2008.
Workaround. Maximize the browser window.
JBoss 5.x uses Tomcat 6.0.16 which does not support the special symbols in the OpenSSO iPlanetDirectoryPro cookie. This affects OpenSSO cookie-handling.
Workaround. See To Deploy OpenSSO on JBoss 5.0.
Before You Begin
The minimum heap size should be set to at least 512M (-Xms512m), and the maximum heap size should be set to 1024M (-Xmx1024m).
The MaxPermSize should be set to 256M (-XX:MaxPermSize=256m)
-Dcom.iplanet.am.cookie.encode=true -Dcom.iplanet.am.cookie.c66Encode=true
If you do not set these properties, after entering your credentials in the OpenSSO console, you are directed back to the login page. After you've deployed and configured OpenSSO you can remove this entry in the run.conf file (or run.conf.bat on Windows). OpenSSO configures the cookie encode property during deployment.
Create the following jboss-web.xml file; it belongs in the WEB-INF directory of the deployed (exploded) opensso.war:

<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
  <class-loading java2ClassLoadingCompliance='true'>
    <loader-repository>
      jbia.loader:loader=opensso
      <loader-repository-config>
        java2ParentDelegation=true
      </loader-repository-config>
    </loader-repository>
  </class-loading>
  <resource-ref>
    <res-ref-name>jdbc/openssousersdb</res-ref-name>
    <jndi-name>java:jdbc/openssousersdb</jndi-name>
  </resource-ref>
</jboss-web>
Create an exploded directory named opensso.war under the JBoss deploy directory, change into it, and extract the WAR there. For example:

mkdir JBOSS_INSTALL_DIR/server/$CONFIG/deploy/opensso.war
cd JBOSS_INSTALL_DIR/server/$CONFIG/deploy/opensso.war
jar -xvf WAR_FILE_LOCATION/opensso.war

where $CONFIG is the mode such as default, all, or production. Deployment of the exploded opensso.war then succeeds without errors.
Note - OpenSSO 8.0 U2 installation on JBoss 5.0.0 is supported in exploded war mode only.
If you deploy and configure the opensso.war file on JBoss Application Server 5.0.0.0 and then restart the JBoss Application Server web container, OpenSSO 8.0 Update 2 displays the configurator page again instead of the login page.
Workaround. Deploy the opensso.war file in the JBoss AS deploy directory, as follows:
Stop the JBoss Application Server web container.
Edit the JBoss Application Server run.conf file by adding the following options:
-Dcom.iplanet.am.cookie.encode=true -Dcom.iplanet.am.cookie.c66Encode=true
Uncomment the line "admin=admin" in the following files. This enables the JBoss JMX console and web console with the default admin/admin credentials; change that password, and restrict or disable the consoles, before the server is reachable from any network you do not control:
JBOSS_INSTALL_DIR/server/$CONFIG/conf/props/jmx-console-users.properties
JBOSS_INSTALL_DIR/server/$CONFIG/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-users.properties
Copy the opensso.war file to the following JBoss Application Server directory:
JBOSS_INSTALL_DIR/server/$CONFIG/deploy
where $CONFIG is the JBoss Application Server mode, such as default, all, or production.
Restart the JBoss Application Server web container.
Deploy the opensso.war file from the JBOSS_INSTALL_DIR/server/$CONFIG/deploy directory to which you copied it.
If you deploy the Java Oracle OpenSSO Fedlet on JBoss Application Server 5.0.x, index.jsp doesn't display and Fedlet SSO fails with an IllegalStateException.
Workaround. Follow these steps.
Stop the JBoss AS web container.
Add the following Java options to the JBoss AS 5.0 run.conf file:
-Djavax.xml.soap.MetaFactory=com.sun.xml.messaging.saaj.soap.SAAJMetaFactoryImpl
-Djavax.xml.soap.MessageFactory=com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl
-Djavax.xml.soap.SOAPConnectionFactory=com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnectionFactory
-Djavax.xml.soap.SOAPFactory=com.sun.xml.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl
Start the JBoss AS web container.
When LDAP referrals are enabled, authentication fails for the user in the referral directory server. Authentication fails regardless of how the option "LDAP Follows Referral" is set. Also, the Subjects tab in the OpenSSO administration console does not display referral users.
These issues are due in part to a known issue in the LDAP SDK (CR 6969674): when OpenSSO uses the LDAP SDK, LDAP referrals are not honored.
Workaround. There are no workarounds at this time.