Oracle® OpenSSO 8.0 Update 2 Release Notes Release 8.0 Part Number E28339-03
This chapter describes errata for documentation in the Oracle OpenSSO Enterprise 8.0 library: http://docs.oracle.com/cd/E19681-01/

This chapter includes these sections:
Bug 12271951: OpenSSO server and agents must be restarted after patch installation
Bug 12654373: updateschema.sh script generates harmless errors
Bug 14310764: Camel case required for com.iplanet.am.session.agentSessionIdleTime parameter
Bug 14695234: Documentation needed for com.iplanet.am.jssproxy.resolveIPAddress property
Bug 12260633: OpenSSO support on Red Hat Enterprise Linux 4 and 5 is clarified
Bug 12273592: OpenSSO 8.0 online help servers and sites documentation is inconsistent
Bug 12335605: Documentation has incorrect references to opensso.dev.java.net site

Bug 12271951: OpenSSO server and agents must be restarted after patch installation
The OpenSSO documentation does not mention that after you upgrade (or downgrade) an OpenSSO installation by installing an OpenSSO patch, you must restart the OpenSSO server and all policy agents that you have deployed.

Bug 12654373: updateschema.sh script generates harmless errors
The Sun OpenSSO Enterprise 8.0 Administration Guide does not mention that if you upgrade from an OpenSSO 8.0 Update 1 patch to an OpenSSO 8.0 Update 2 patch and the user store and configuration store use the same LDAP directory server, errors can be generated when you run the updateschema.sh script. (These errors do not occur if the user store and configuration store use different LDAP directory servers.)
Check the updateschema.sh script logs to determine if the upgrade is successful and the schema is applied correctly. If there are no fatal errors in the log, you can ignore the updateschema.sh script errors.

Bug 14310764: Camel case required for com.iplanet.am.session.agentSessionIdleTime parameter
References in the OpenSSO 8.0 documentation (and the Access Manager 7.1 AMConfig.properties file) show this parameter with all lowercase letters, but that format does not set the idle timeout value for agent sessions.
Workaround
When you set the idle timeout value, specify the parameter as follows:
com.iplanet.am.session.agentSessionIdleTime
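A way to catch the all-lowercase spelling before it silently leaves the agent session idle timeout unset. This is an added example, not Oracle's code: it scans properties-style text for keys that match a property named on this page only when case is ignored. The function name, the simplified line parser and the sample values are assumptions.

```python
import re

# Property names exactly as this page spells them; keys are case-sensitive.
KNOWN_KEYS = (
    "com.iplanet.am.session.agentSessionIdleTime",
    "com.iplanet.am.jssproxy.resolveIPAddress",
)
_CANONICAL = {k.lower(): k for k in KNOWN_KEYS}

# Simplified .properties line: key, optional '=' or ':' separator, value.
# Line continuations and escaped characters are not handled.
_LINE = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:]?\s*(.*)$")


def audit_properties(text):
    """Return (effective, findings): values of correctly spelled known keys, and
    (line_no, key_as_written, canonical_key) for keys that differ only in case."""
    effective, findings = {}, []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped[0] in "#!":
            continue  # blank line or comment
        match = _LINE.match(raw)
        if not match:
            continue  # no usable key on this line
        key, value = match.group(1), match.group(2).strip()
        canonical = _CANONICAL.get(key.lower())
        if canonical is None:
            continue  # not a property this check knows about
        if key == canonical:
            effective[canonical] = value  # last correctly spelled entry wins
        else:
            findings.append((line_no, key, canonical))
    return effective, findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# agent session idle timeout
com.iplanet.am.session.agentsessionidletime=30
com.iplanet.am.jssproxy.resolveIPAddress=true
"""

if __name__ == "__main__":
    effective, findings = audit_properties(SAMPLE)
    for line_no, written, canonical in findings:
        print(f"line {line_no}: '{written}' has no effect; use '{canonical}'")
    print("effective:", effective)
```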

nsRoleDN attribute is not fetched by default
In OpenSSO, the nsRoleDN attribute is not fetched by default. (In previous releases such as Access Manager 7.1, nsRoleDN was fetched by default.)
Workaround
In the OpenSSO Administration Console, add the nsRoleDN attribute to the LDAP User Attributes list, as follows:
1. In the OpenSSO Administration Console, click Access Control, /(Top Level Realm), Data Stores, and then the Sun DS With OpenSSO Schema data store.
2. In the LDAP User Attributes section, add the nsrole and nsRoleDN attributes.
3. Click Save.
4. Restart the OpenSSO server.

Bug 14695234: Documentation needed for com.iplanet.am.jssproxy.resolveIPAddress property
The OpenSSO documentation does not fully describe the com.iplanet.am.jssproxy.resolveIPAddress property.
The com.iplanet.am.jssproxy.resolveIPAddress property is used for the Network Security Services for Java (JSS). When the property is enabled (set to true), OpenSSO checks if the IP address of the OpenSSO server resolves to the host name in the request.
If the IP address resolves to the host name, OpenSSO continues the request. If the IP address does not resolve to the host name, the request fails and is not completed.
The default value for com.iplanet.am.jssproxy.resolveIPAddress is false.
See Also:
"JSS Certificate Database Properties" in the OpenSSO Enterprise 8.0 Developer's Guide: http://docs.oracle.com/cd/E19575-01/820-3748/gfwrj/index.html

Bug 12260633: OpenSSO support on Red Hat Enterprise Linux 4 and 5 is clarified
The Sun OpenSSO Enterprise 8.0 Release Notes state that OpenSSO Enterprise 8.0 is supported on these platforms:
Red Hat Enterprise Linux 5 (Base and Advanced Platform, 64-bit on AMD servers)
Red Hat Enterprise Linux 4 server (Base and Advanced Platform, 64-bit on AMD servers)
However, for both versions, "on AMD servers" should be removed.
See Also:
Section 1.2, "Hardware and Software Requirements For OpenSSO 8.0 Update 2" for the current list of supported platforms.

Bug 12273592: OpenSSO 8.0 online help servers and sites documentation is inconsistent
The Oracle OpenSSO Admin Console online help has an incorrect definition for the Secondary URL under Configuration, Servers and Sites. This incorrect definition actually applies to an OpenSSO session failover configuration.
In OpenSSO 8.0, you cannot associate the same OpenSSO server instance with multiple sites, which you could do with Access Manager 7.x. In Access Manager 7.x, you could assign the server to multiple sites. For example:
server:port|site1|site2|site3
In OpenSSO 8.0, to associate the same server with multiple sites, follow these steps in the OpenSSO Admin Console:
1. Define the main load balancer host and port as the primary site. For example:
   https://lb1.example.com:443/opensso
2. Assign the relevant OpenSSO server instances to this site. To use a second load balancer:
   a. Select the site that you defined in the previous step.
   b. Under Secondary URL, add the URL for the second load balancer. For example:
      https://lb2.example.com:443/opensso
3. Under Access Control, realm-name, and then General, add the relevant hostname for both load balancers to the Realm/DNS Aliases, where realm-name is the realm under which you want action taken for the load balancers. Otherwise, you might get errors when you try to access OpenSSO via the load balancer.

Bug 12335605: Documentation has incorrect references to opensso.dev.java.net site
Several of the OpenSSO Policy Agent 3.0 guides include references to the opensso.dev.java.net site to download the openssowssproviders.zip file.
However, the openssowssproviders.zip file based on JAX-WS is not supported in OpenSSO Enterprise 8.0 releases. Therefore, it is recommended that you do not download and use this file in your deployment. If you need the comparable files, contact Oracle Support.