Skip Headers
Oracle® OpenSSO 8.0 Update 2 Release Notes
Release 8.0

Part Number E28339-03
Go to Documentation Home
Go to Table of Contents
Go to Feedback page
Contact Us

Go to previous page
Go to next page
View PDF

1 About OpenSSO 8.0 Update 2

This chapter describes Oracle OpenSSO 8.0 Update 2.

This chapter includes the following sections:

1.1 What's New in OpenSSO 8.0 Update 2

OpenSSO 8.0 Update 2 includes enhancements to the Security Token Service and the OpenSSO Fedlet. This update also includes new web container support for WebLogic 10.3.3 and fixes to many bugs.

1.1.1 Security Token Service Enhancements

The Security Token Service now includes the following new features:

  • Supports TokenType for generating a specific web service provider security token.

  • Supports both Asymmetric and Transport binding for X509 and username security tokens as requestor.

  • Enforces SSL/Transport binding with a username security token when OpenSSO STS is configured with a username over SSL.

  • Issues SAML holder-of-key security token for Asymmetric KeyType with useKey as the web service client public key and web service client X509 security token.

  • WSDL is dynamically updated based on security token configuration.

  • Supports encryption by the web service provider public key.

  • Encrypts the static username password before storing it in the configuration store.

  • Supports UserName token as On Behalf Of security token through a WS-Trust request.

  • Supports issuance of SAML Bearer Tokens.

  • New Web Service Security authentication module WSSAuth supports digest password validation.

  • New OAMAuth authentication module enables single sign-on using Oracle Access Manager with OpenSSO.

For more information, see Chapter 4, "Using the Security Token Service".

1.1.2 Fedlet Enhancements

The Fedlet now includes the following new features:

  • Supports encryption in the .NET Fedlet

  • Supports signing in the .NET Fedlet

  • .NET Fedlet now supports single logout

  • .NET Fedlet provides Service Provider initiated single sign-on and artifact support

  • Supports multiple Identity Providers and Identity Provider Discovery in .NET Fedlet

  • Supplies version information within property and configuration files for the Fedlet

  • New password SPI implementation

  • Supports attribute query

  • Supports single logout

For more information, see Chapter 5, "Using the Oracle OpenSSO Fedlet".

1.1.3 Bugs Fixed in This Release

The following table lists the bugs and issues that have been resolved in OpenSSO 8.0 Update 2.

Table 1-1 Bugs Fixed in This Release

Change Request Identifier Description


SAML assertions using excessive memory.


New bug with the interaction process in a load-balanced scenario.


Policy agent "gateway servelet" function yields "Your authentication module is denied."


In Cookie hijacking mode, logout request hangs.


Javadoc comments missing for public API AMLoginModule:isSessionQuotaReached.


/opensso/realm/IDRepoEdit delete Session service configuration in realm.


Inheritance setting in agent profile does not work as expected.


ssoadm --version did not return the right value after patching 141655-03.


goto URL not validated on distributed authentication.

6928480, 6934888

Distributed authentication UI: In log files IP recorded is DAUI IP, not client IP.


Access Manager console becomes unresponsive after adding a new config property.


Incorrect exceptions thrown in the logs for misconfigured SAML/IDP's service URLs on the Service Provider side.


Password reset page is not localized when locale parameter is given in the URL.


"Auth module instance" condition with "application timeout properties" set drops session after login.


OpenSSO8.0: Console Invalid Characters check is not performed


OpenSSO allows to create username with special characters, but complains during login.


Security Token Service client samples are failing for IBM Websphere Application Server 6.1.


Security Token Service "ssoadm set-site-sec-urls" throws an NPE on the console.

6942485, 6942813

OpenSSO does not escape "\" in uid correctly, and 2 different uid values are stored in Directory Server entry.


Distributed Authentication login: uid with special characters results in error.


"URL not found" exception errors in SAML.


iplanet-am-auth-locale value of realm is not taken in consideration in the evaluation process.


goto is missing after session timeout.


LDAPv3Repo.setAttributes method fetches the schema multiple times even for a single modification.

1.2 Hardware and Software Requirements For OpenSSO 8.0 Update 2

See the System Requirements and Supported Platforms for Oracle OpenSSO 8.0u2 document listed under Oracle Branded Releases of Sun Products Supported Configuration at the following URL:

1.3 OpenSSO 8.0 Update 2 Issues and Workarounds

1.3.1 General Security Advisory

General security concerns exist regarding using a HTTP Basic Authentication module. See, the "Disadvantages" section. Be sure that you can address these security concerns before you consider using HTTP Basic Authentication in a production deployment.

1.3.2 CR 6959610: OpenSSO 8.0 Update 2 samples should be removed in production environment

To minimize random or unnecessary configuration changes through inadvertent sample program runs, remove the samples before you deploy OpenSSO 8.0 Update 2 in a production environment.

1.3.3 CRs 6944573, 6964648: New Java security permissions are required for WebLogic Server 10.3.3

If you are deploying OpenSSO 8.0 Update 2 on Oracle WebLogic Server 10.3.3 with the security manager enabled, an additional Java security permission is required.

Workaround. Add the following permission to the WebLogic Server 10.3.3 weblogic.policy file:

permission java.lang.RuntimePermission "getClassLoader";

1.3.4 CR 6939443: Certificate authentication with LDAP checking or OCSP checking fails on WebLogic Server 10.3.x

Due to an issue in earlier versions of Oracle WebLogic Server such as 10.3.0 and 10.3.1, certificate authentication with either LDAP checking or OSCP checking enabled fails.

Workaround. This problem has been fixed in WebLogic Server 10.3.3. To use certificate authentication with either LDAP checking or OSCP checking, use OpenSSO Update 2 with WebLogic Server 10.3.3.

1.3.5 CR 6960514: Cannot access authentication certificates

In the Spanish version of OpenSSO 8.0 Update 2, you cannot access authentication certificates. When you go to Configuration> Authentication> Certificates, an error occurs. The following is displayed in the log "Caused by: java.lang.IllegalArgumentException."

Workaround. None.

1.3.6 To Configure JDBC Authentication with Oracle Database

  1. Download the ojdbc6.jar file from the following URL:

  2. Create a staging area and change to that directory. For example:

    mkdir /tmp/staging
    cd /tmp/staging
  3. Explode the opensso.war in the staging area.

    jar xf opensso.war
  4. Change to the WEB-INF/lib directory.

  5. Copy ojdbc6.jar into that directory. For example:

    cp OJDBC6_DOWNLOAD_LOCATION/ojdbc6.jar 
  6. Create an updated opensso.war file from the staging area. For example:

    cd ../..
    jar cf /tmp/opensso.war *
  7. Undeploy the current opensso.war.

  8. Deploy the opensso.war file you created in Step 6.

  9. Restart the OpenSSO web container instance.

1.3.7 To Manually Configure NSS on OpenSSO

By default, the OpenSSO configurator supports only the JCE/JSSE provider for SSL. However, you can use the OpenSSO administration console to manually enable JSS/NSS. If OpenSSO is deployed on Sun Web Server 7.0 or on GlassFish Enterprise Edition 2.1.0, then complete the following steps. For GlassFish Enterprise Edition 2.1.1 and later versions, see CR 6967026: Configurator cannot connect to LDAPS-enabled directory server.

Before You Begin

  • If you want OpenSSO to connect to an LDAPS-enabled directory server, then the CA certificate for the LDAPS-enabled directory server must be already imported into the JVM trust store (by default JAVA_HOME/jre/lib/security/cacert).

  1. Log in to the OpenSSO Administration Console as amadmin.

  2. Click Configuration> Servers and Sites> Server Name instance.

  3. Click Security.

  4. Click Inheritance Settings.

  5. Uncheck the Encryption class and Secure Random Factory Class properties.

  6. Click Save, and then click Back to Server Profile.

  7. Change Encryption class to

  8. Change Secure Random Factory Class to

  9. Click Save, and then click the Advanced tab.

  10. Change the property to

  11. Edit the following property and value:

    • Property Name: opensso.protocol.handler.pkgs

    • Property Value:

  12. Click Add, and add following property and value:

    • Property Name:

    • Property Value: path-to-NSS-database

  13. Click Save.

  14. Restart the OpenSSO Enterprise 8.0 server instance.

1.3.8 CR 6967026: Configurator cannot connect to LDAPS-enabled directory server

If OpenSSO is deployed on GlassFish Enterprise Server 2.1.1 or later versions, then OpenSSO cannot connect to an LDAPS-enabled directory server instance with JSS/NSS. The problem occurs because OpenSSO and GlassFish Enterprise Server 2.1.1 and later versions do not use the same JSS version.

Workaround: Use the JSSE provider instead of the NSS provider for SSL.

1.3.9 CR 6948937: Activating OpenSSO 8.0 Update 2 in WebLogic Server 10.3.3 admin console causes exceptions

If you deploy OpenSSO 8.0 Update 2 (opensso.war) in the WebLogic Server 10.3.3 administration console and click Start to allow OpenSSO 8.0 Update 2 to start receiving requests, exceptions are thrown in the console where the WebLogic Server domain was started.

Note: After you start OpenSSO 8.0 Update 2, it remains started and exceptions are not thrown again until OpenSSO 8.0 Update 2 is stopped and then restarted.

Workaround. Copy the saaj-impl.jar file from the OpenSSO 8 Update 2 opensso-client-jdk15.war file to the WebLogic Server 10.3.3 configuration endorsed directory, as follows:

  1. Stop the Oracle WebLogic Server 10.3.3 domain.

  2. If necessary, unzip the OpenSSO 8.0 Update 2 file.

  3. Create a temporary directory and unzip the zip-root/opensso/samples/ file in that directory, where zip-root is where you unzipped the file. For example:

    cd zip-root/opensso/samples
    mkdir ziptmp
    cd ziptmp
    unzip ../
  4. Create a temporary directory and extract the saaj-impl.jar file from opensso-client-jdk15.war. For example:

    cd zip-root/opensso/samples/ziptmp/war
    mkdir wartmp
    cd wartmp
    jar xvf ../opensso-client-jdk15.war WEB-INF/lib/saaj-impl.jar
  5. Create a new directory named endorsed under the WEBLOGIC_JAVA_HOME/jre/lib directory (if endorsed does not already exist), where WEBLOGIC_JAVA_HOME is the JDK that WebLogic Server is configured to use.

  6. Copy the saaj-impl.jar file to the WEBLOGIC_JAVA_HOME/jre/lib/endorsed directory.

  7. Start the WebLogic Server domain.

1.3.10 CR 6956461:SecurID authentication fails on IBM WebSphere Application Server

When OpenSSO is configured on IBM WebSphere Application Server 6.1 or AIX 5.3, a valid plain text password user can not be authenticated via a SecurID authentication module instance.

Workaround. None. Do not use plain text passwords on IBM WebSphere Application Server.

1.3.11 CR 6959373: Web container requires a restart after running updateschema script

After you run the or updateschema.bat script, you must restart the OpenSSO 8.0 Update 2 web container.

1.3.12 CR 6961419: Running updateschema.bat script requires a password file

The updateschema.bat script executes several ssoadm commands. Therefore, before you run updateschema.bat on Windows systems, create a password file that contains the password user in clear text for the amadmin user. The updateschema.bat script prompts you for the path to the password file. Before the script terminates, it removes the password file.

1.3.13 CR 6970859: Browser scroll feature does not work

When using OpenSSO Update 2 on the following browsers, the browser scroll does not work as designed: Microsoft Internet Explorer 7 and 8 on Windows 2003 or 2008.

Workaround. Maximize the browser window.

1.3.14 Deploying OpenSSO 8.0 Update 2 on JBoss 5.0

JBoss 5.x uses Tomcat 6.0.16 which does not support the special symbols in the OpenSSO iPlanetDirectoryPro cookie. This affects OpenSSO cookie-handling.

Workaround. See To Deploy OpenSSO on JBoss 5.0. To Deploy OpenSSO on JBoss 5.0

Before You Begin

  • The minimum heap size should be set to at least 512M (-Xms256m), and maximum heap size should be set to 1024M (-Xmx1024m).

  • The MaxPermSize should be set to 256M (-XX:MaxPermSize=256m)

  1. In the JBoss run.conf file (run.conf.bat on Windows), which is used to start up the JBoss instance, add the following JVM options:

    If you do not set these properties, after entering your credentials in the OpenSSO console, you are directed back to the login page. After you've deployed and configured OpenSSO you can remove this entry in the run.conf file (or run.conf.bat on Windows). OpenSSO configures the cookie encode property during deployment.

  2. Unjar the opensso.war.

    1. Create text-file opensso.war/WEB-INF/jboss-web.xml.

    2. Enter the following content in the file:

      <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" 
      <class-loading java2ClassLoadingCompliance='true'> 
  3. Create the WAR again.

  4. Stop the JBoss server.

  5. Create a directory under the mode that opensso will be deployed to.

    Example: JBOSS_INSTALL_DIR>/server/$CONFIG/deploy/opensso.war

    where $CONFIG is the mode such as default, all, or production.

  6. Go to the opensso.war directory.

    Example: JBOSS_INSTALL_DIR/server/$CONFIG/deploy/opensso.war

  7. Explode the war to this directory.

    jar -xvf WAR_FILE_LOCATION/opensso.war 
  8. Restart the JBoss container.

    Deployment of opensso.war will succeed without errors.


    OpenSSO 8.0 U2 installation on JBoss 5.0.0 is supported in exploded war mode only.

1.3.15 CR 6971437 : OpenSSO 8.0 Update 2 loses configuration after restart of JBoss Application Server

If you deploy and configure the opensso.war file on JBoss Application Server and then restart the JBoss Application Server web container, OpenSSO 8.0 Update 2 displays the configurator page again instead of the login page.

Workaround. Deploy the opensso.war file in the JBoss AS deploy directory, as follows:

  1. Stop the JBoss Application Server web container.

  2. Edit the JBoss Application Server run.conf file by adding the following options: 
  3. Uncomment the line "admin=admin" in the following files:

    • JBOSS_INSTALL_DIR/server/$CONFIG/conf/props/

    • JBOSS_INSTALL_DIR/server/$CONFIG/deploy/management/console-mgr.sar/linebreakweb-console.war/WEB-INF/classes/

  4. Copy the opensso.war file to the following JBoss Application Server directory:


    where $CONFIG is the JBoss Application Server mode, such as default, all, or production.

  5. Restart the JBoss Application Server web container.

  6. Deploy the opensso.war file in the directory shown in Step 4.

1.3.16 CR 6972593: Java Oracle OpenSSO Fedlet single sign-on (SSO) fails on JBoss AS 5.0.x

If you deploy the Java Oracle OpenSSO Fedlet on JBoss Application Server 5.0.x, index.jsp doesn't display and Fedlet SSO fails with an IllegalStateException.

Workaround. Follow these steps.

  1. Stop the JBoss AS web container. JBoss AS web container.

  2. Add the following Java options in the JBoss AS 5.0 run.conf file: -

  3. Start the JBoss AS web container.

1.3.17 SR 72335286 and CR 6929674: LDAP Referrals Do Not Work as Expected

When LDAP referrals are enabled, authentication fails for the user in the referral directory server. Authentication fails regardless of how the option "LDAP Follows Referral" is set. Also, the Subjects tab in the OpenSSO administration console does not display referral users.

These issues are due in part because of a known issue with the LDAP SDK (CR 6969674). Using LDAP SDK, LDAP referrals are not honored in OpenSSO.

Workaround. There are no workarounds at this time.

1.4 OpenSSO 8.0 Update 2 Documentation

In addition to this document, additional OpenSSO 8.0 documentation is available in the following collection:

1.4.1 Documentation Issues

OpenSSO 8.0 Update 2 includes the following documentation issues: CR 6958580: Console online Help documents unsupported Discovery Agents

The OpenSSO 8.0 Update 2 administration console online Help documents Discovery Agents, even though these agents are not supported.

Workaround. None. Ignore the information about Discovery Agents in the online Help. CR 6967006 Console online Help does not document OAMAuth and WSSAuth authentication modules

The OpenSSO 8.0 Update 2 administration console online Help does not document the Oracle Access Manager (OAM) and Web Services Security (WSS) authentication modules.

Workaround. For information about these authentication modules, see Chapter 4, "Using the Security Token Service". CR 6953582: Fedlet Java API reference should be public

The Fedlet Java API public reference is available as part of the Oracle OpenSSO 8.0 Update 2 Java API Reference, which is available in the following documentation collection:

Note: OpenSSO 8.0 Update 2 does not support the getPolicyDecisionForFedlet method, even though this method is in the Java API reference. CR 6953579: OpenSSO Fedlet README file should document single logout feature

The Fedlet README files do not document the single logout feature.

Workaround. For Oracle OpenSSO 8.0 Update 2, the Fedlet single logout feature is documented in Chapter 5, "Using the Oracle OpenSSO Fedlet". CR 6960630: Information for patching a specialized OpenSSO WAR should be revised

The information has been revised. See Patching a Specialized OpenSSO WAR.

1.5 Additional Information and Resources

This section includes the following topics:

1.5.1 Deprecation Notifications and Announcements

  • The Service Management Service (SMS) APIs ( package) and SMS model are no longer included in OpenSSO.

  • The Unix authentication module and the Unix authentication helper (amunixd) will not be included in a future OpenSSO release.

  • The Sun Java System Access Manager 7.1 Release Notes stated that the Access Manager package, commonly known as the Access Manager SDK (AMSDK), and all related APIs and XML templates will not be included in a future OpenSSO release.

    Consequently, when the AMSDK is removed, the Legacy Mode option and support will also be removed.

    Migration options are not available now and are not expected to be available in the future. Oracle Identity Manager provides user provisioning solutions that you can use instead of the AMSDK. For more information about Identity Manager, see

1.5.2 How to Report Problems and Provide Feedback

If you have questions or issues with OpenSSO 8.0 Update 2 or a subsequent patch release, contact support resources at

This site has links to the Knowledge Base, Online Support Center, and Product Tracker, as well as to maintenance programs and support contact numbers. If you are requesting help for a problem, please include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation

  • Machine type, operating system version, web container and version, JDK version, and OpenSSO version, including any patches or other software that might be affecting the problem

  • Steps to reproduce the problem

  • Any error logs or core dumps