Oracle® OpenSSO 8.0 Update 2 Release Notes
Release 8.0

Part Number E28339-03

2 OpenSSO 8.0 Update 2 Patch Releases

This chapter describes the patches that Oracle periodically releases for OpenSSO 8.0 Update 2.


For information about version 3.0 policy agents, see the Oracle OpenSSO Policy Agent 3.0 Release Notes.

2.1 About OpenSSO 8.0 Update 2 Patch Releases


2.2 OpenSSO 8.0 Update 2 Patch 5

OpenSSO 8.0 Update 2 patch 5 is available as patch ID 141655-09 on the My Oracle Support site:

https://support.oracle.com/


2.2.1 New Features in Patch 5

Patch 5 supports these new web containers:

  • IBM WebSphere Application Server version 7.0.0.31 is supported as a web container for the deployment of the opensso.war on IBM AIX 7.1.

  • IBM WebSphere Application Server Version 7.0.0.27 is supported as a web container for the deployment of the opensso.war on both Red Hat Enterprise Linux 5.8 and Oracle Enterprise Linux 5.8.

See Also:

Table 11, "Web Containers Supported For OpenSSO Enterprise 8.0," in the Sun OpenSSO Enterprise 8.0 Release Notes for other supported web containers:

http://docs.oracle.com/cd/E19316-01/820-3745/ggwxa/

Note:

For WebSphere Application Server to work with patch 5, the WebSphere Application Server installation requires Fix Pack 27 and the Java SDK 1.6 SR11 (or later) cumulative fix for WebSphere Application Server.

2.2.2 Bugs Fixed in Patch 5

Patch 5 fixes the following problems:

2.2.2.1 Bug 13845938: OpenSSO installation of second instance fails with JDK 1.6.0_21 and later

The installation of a second instance of OpenSSO server was failing because of a problem with OpenDS (OpenDS issue 4575 - jdk1.6.0_21 is more strict about the filter syntax). Patch 5 fixes this problem by including a new version of the OpenDS JAR file.

2.2.2.2 Bug 13073465: Original client IP via proxy is not getting logged in OpenSSO

Patch 5 fixes the problem where the client's IP address was not recorded in the authentication logs when requests arrive through a proxy. If you access the Oracle OpenSSO console via a proxy and want the original client's IP address recorded in the authentication logs, set the following advanced property to the name of the HTTP header in which the proxy passes the client's IP address. Enable this only when every request reaches OpenSSO through a proxy you control that sets or overwrites that header: the value is read from the request, so a client that can reach the server directly can put any address it likes in the header and have that address logged instead of its own.

com.sun.identity.session.httpClientIPHeader

To set this property, follow these steps:

  1. Log in to the Oracle OpenSSO Administration Console.

  2. Click Configuration and then Servers and Sites.

  3. Select the OpenSSO server link you want to configure.

  4. Click Advanced and then set the property com.sun.identity.session.httpClientIPHeader to the HTTP header name with the client's IP address.

  5. Click Save.

  6. Exit the Console and restart the Oracle OpenSSO server web container.
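The property above tells OpenSSO which header to read; it does not decide whether the header can be believed. The following Python example is added here and is not OpenSSO code. It shows the check a practitioner would put in front of any "client IP from a header" logic: honour the header only when the TCP peer is a trusted proxy, and take the right-most address that is not one of your own proxies, so that a value the client prepended cannot end up in the authentication log. The header name X-Forwarded-For, the trusted proxy ranges and the sample requests are assumptions constructed for the example.

```python
import ipaddress
from typing import Iterable, Mapping

# Assumed header name for the example; the property value is whatever header
# your proxy actually uses to forward the original client address.
CLIENT_IP_HEADER = "X-Forwarded-For"


def _is_trusted(addr: str, proxies) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in proxies)


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies: Iterable[str],
              header_name: str = CLIENT_IP_HEADER) -> str:
    """Address to record in the authentication log for this request.

    remote_addr      address of the TCP peer that connected to the server
    headers          request headers (names matched case-insensitively)
    trusted_proxies  CIDR blocks of the proxies allowed to set the header
    """
    proxies = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    # Only honour the header when the peer is one of our proxies. A client
    # that reaches the server directly could otherwise put any address in
    # the header and have that address logged instead of its own.
    if not _is_trusted(remote_addr, proxies):
        return remote_addr

    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(header_name.lower(), "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]

    # Each proxy appends the address it saw, so the list reads
    # "client, proxy1, proxy2, ...". Walk from the right, skipping our own
    # proxies; the first address that is not ours is the client as seen by
    # the outermost proxy we trust. Anything left of it was supplied by the
    # client and is not authenticated.
    for hop in reversed(hops):
        if not _is_trusted(hop, proxies):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed value in the header: fall back to the peer
    return remote_addr


if __name__ == "__main__":
    # Constructed sample requests using RFC 5737 documentation addresses.
    trusted = ["192.0.2.0/24"]
    samples = [
        # two trusted proxies in a row: outer one appended the real client
        ("192.0.2.11", {"X-Forwarded-For": "203.0.113.7, 192.0.2.10"}),
        # client prepended 198.51.100.9 itself; the proxy appended 203.0.113.7
        ("192.0.2.10", {"X-Forwarded-For": "198.51.100.9, 203.0.113.7"}),
        # direct connection: header is ignored entirely
        ("203.0.113.7", {"X-Forwarded-For": "198.51.100.9"}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", client_ip(peer, hdrs, trusted))
```

The same rule applies whichever header name you configure: a proxy that does not overwrite an incoming copy of the header, or a server that also accepts direct connections, turns the logged address into attacker-controlled data.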

2.3 OpenSSO 8.0 Update 2 Patch 4

OpenSSO 8.0 Update 2 patch 4 is available as patch ID 141655-08 on the My Oracle Support site.

2.3.1 Bug 12286933: Dist Auth cannot receive session notifications

In patch 4, the new com.sun.identity.client.notification.url property in the AMDistAuthConfig.properties file allows a Distributed Authentication UI (DAUI) deployment to receive session notifications. This property replaces the com.iplanet.am.notification.url property.

For a DAUI deployment, the com.sun.identity.client.notification.url property defines the URL where notifications will be received by the client application, in the following format:

protocol://host:port/distauth-uri/notificationservice

For a new DAUI deployment, no changes are required, because the new property is present by default in the AMDistAuthConfig.properties file. When you upgrade an existing DAUI deployment from an older version, the original AMDistAuthConfig.properties file does not contain this property, so after redeploying the upgraded Dist Auth WAR file you must either reconfigure the DAUI deployment, which regenerates the file with the property, or add the property manually to the AMDistAuthConfig.properties file of the upgraded instance. Redeploying the Dist Auth WAR file is required in both cases.

2.3.2 Bug 12427762: SAML attributes containing a | are not decoded in a SAML attribute

In patch 4, the new com.sun.identity.saml.escapespecialchars property determines if the special characters "|" and "&" should be escaped during attribute mapping in a generated session after SAML SSO by a Service Provider.

By default com.sun.identity.saml.escapespecialchars is set to true, which specifies that the characters should be escaped.

If you do not want the special characters to be escaped (that is, you want them passed through unchanged, as in earlier releases), set the property to false: in the Oracle OpenSSO Admin Console, click Configuration, then Servers and Sites, then the server that acts as the SP, then Advanced, and set the com.sun.identity.saml.escapespecialchars property to false.
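Why the escaping matters is easier to see with a worked example. The following Python is added here and is not OpenSSO code; it assumes, for illustration only, that multi-valued attributes are stored as a single "|"-separated string and that "&" and "|" are escaped as "&amp;" and "&#124;". That encoding is an assumption, not a description of OpenSSO's internal session format. The example shows the two things a practitioner needs to get right: a value that contains the separator is silently split into extra values when escaping is off, and the escape introducer "&" has to be escaped before "|" (and unescaped after it) or the round trip breaks.

```python
SEPARATOR = "|"

# Assumed encoding for this example: multi-valued attributes are joined with
# "|", "&" is escaped as "&amp;" and "|" as "&#124;". This illustrates why
# escaping is needed; it is not OpenSSO's internal representation.


def escape_value(value: str) -> str:
    # "&" first: it is the escape introducer. Escaping it afterwards would
    # also hit the "&" in "&#124;" and the value would not round-trip.
    return value.replace("&", "&amp;").replace("|", "&#124;")


def unescape_value(value: str) -> str:
    # Exact reverse order of escape_value.
    return value.replace("&#124;", "|").replace("&amp;", "&")


def encode_attribute(values, escape_special_chars=True) -> str:
    """Join attribute values into the single session-property string."""
    if escape_special_chars:
        values = [escape_value(v) for v in values]
    return SEPARATOR.join(values)


def decode_attribute(encoded: str, escape_special_chars=True):
    """Split the session-property string back into the original values."""
    parts = encoded.split(SEPARATOR) if encoded else []
    if escape_special_chars:
        parts = [unescape_value(p) for p in parts]
    return parts


def roundtrip(values, escape_special_chars=True):
    """Encode then decode, the way a value travels SAML assertion -> session."""
    return decode_attribute(encode_attribute(values, escape_special_chars),
                            escape_special_chars)


if __name__ == "__main__":
    # Constructed attribute values containing both special characters.
    groups = ["cn=Ops|Oncall,ou=groups", "R&D"]
    print(roundtrip(groups, True))    # values survive intact
    print(roundtrip(groups, False))   # the "|" inside the DN splits it in two
```

With escaping disabled the group DN above becomes two separate values, "cn=Ops" and "Oncall,ou=groups"; anything downstream that grants access on group membership now sees names that were never asserted. Leave the property at true unless you have confirmed that your attribute values cannot contain "|" or "&".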

2.3.3 Bug 13361224: SecurID authentication support for WebSphere Application Server 6.1 on AIX 6.1

For SecurID authentication to operate with IBM WebSphere Application Server 6.1 on the AIX 6.1 platform, the SecurID Java Authentication APIs must be updated. You must replace the existing SecurID Java Authentication API JAR files in the OpenSSO WAR file (opensso.war) with the latest RSA Authentication API for Java version 8.1.1.312.

Download the SecurID Java Authentication API JAR files from the RSA website:

http://www.rsa.com/

These JAR files must be replaced in the opensso.war file:

  • authapi.jar

  • cryptoj.jar

  • log4j-1.2.8.jar

To replace the JAR files in the opensso.war:

  1. Create a staging directory.

  2. Explode the opensso.war in the staging directory.

  3. Copy the new SecurID JAR files to the staging-directory/opensso/WEB-INF/lib directory.

  4. Recreate the opensso.war file from the staging directory.

  5. Deploy the opensso.war.

    Note: If the opensso.war is already deployed, first undeploy the existing opensso.war and then redeploy the updated opensso.war.

  6. Restart the OpenSSO web container.

  7. Configure the SecurID authentication module as described in the Oracle OpenSSO documentation in the following library:

    http://docs.oracle.com/cd/E19681-01/index.html

  8. Restart the OpenSSO web container.
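Steps 1 through 4 can be done without an exploded staging directory by rewriting the archive directly. The following Python example is added here and is not OpenSSO or RSA code; it uses only the standard library and a constructed stand-in for opensso.war, so it runs offline. It removes the three old JAR entries explicitly before adding the downloaded ones: if the vendor's file names differ from the ones already in WEB-INF/lib (a different log4j version, say), simply copying the new files into the exploded WAR leaves both versions on the classpath. The demo() function, the file contents and the directory layout are constructed for the example.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# JAR names from the release note.
SECURID_JARS = ("authapi.jar", "cryptoj.jar", "log4j-1.2.8.jar")
LIB_DIR = "WEB-INF/lib/"


def replace_jars(war_path, new_jar_paths, old_names=SECURID_JARS):
    """Rewrite war_path so that WEB-INF/lib no longer contains old_names and
    does contain every file in new_jar_paths. Returns the resulting sorted
    list of WEB-INF/lib entries.
    """
    war_path = Path(war_path)
    new_jars = [Path(p) for p in new_jar_paths]
    # Entries to drop: the old copies named in the note plus anything that
    # shares a name with a replacement, so a version never appears twice.
    drop = {LIB_DIR + n for n in old_names} | {LIB_DIR + j.name for j in new_jars}
    tmp = war_path.with_name(war_path.name + ".tmp")

    with zipfile.ZipFile(war_path) as src, \
         zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in drop:
                continue
            dst.writestr(info, src.read(info.filename))  # keeps entry metadata
        for jar in new_jars:
            dst.write(jar, LIB_DIR + jar.name)

    os.replace(tmp, war_path)  # atomic swap: never leave a half-written WAR
    with zipfile.ZipFile(war_path) as z:
        return sorted(n for n in z.namelist()
                      if n.startswith(LIB_DIR) and n != LIB_DIR)


def demo():
    """Build a constructed stand-in for opensso.war and patch it.

    Returns (lib entries after patching, contents of the three SecurID JARs).
    """
    work = Path(tempfile.mkdtemp())
    war = work / "opensso.war"
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr(LIB_DIR + "opensso-sdk.jar", "unrelated, must survive")
        for name in SECURID_JARS:
            z.writestr(LIB_DIR + name, "old vendor build")

    # Stand-ins for the JARs downloaded from the RSA site.
    downloaded = []
    for name in SECURID_JARS:
        p = work / "rsa" / name
        p.parent.mkdir(exist_ok=True)
        p.write_text("new vendor build")
        downloaded.append(p)

    libs = replace_jars(war, downloaded)
    with zipfile.ZipFile(war) as z:
        contents = {name: z.read(LIB_DIR + name).decode() for name in SECURID_JARS}
        assert z.read("WEB-INF/web.xml") == b"<web-app/>"  # rest of the WAR untouched
    return libs, contents


if __name__ == "__main__":
    print(demo())
```

Before running this against a real opensso.war, check the downloaded JARs against the checksums published with the RSA package, and keep the original WAR so the change can be reverted.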

2.4 OpenSSO 8.0 Update 2 Patch 3

OpenSSO 8.0 Update 2 patch 3 is available as patch ID 141655-07 on the My Oracle Support site.

2.4.1 Known Issues in OpenSSO 8.0 Update 2 Patch 3

2.4.1.1 Bug 12308272: OpenSSO list-agents command fails with GlassFish v2.1.1 patch 9

Other issues related to this bug include:

  • Bug 12361318: OpenSSO 8.0 Update 2 patch 1 ssoadm command returns null pointer exception with GlassFish v2.1.1 patch 10

  • Bug 12305906: Convergence SSO is not working when OpenSSO is deployed with GlassFish v2.1.1 patch 7 and later

These problems occur with GlassFish v2.1.1 patch 7 and later patches because of an incompatibility with the JAX-RPC JAR files.

Workaround. Downgrade to GlassFish v2.1.1 patch 6.

2.4.2 Documentation Updates in OpenSSO 8.0 Update 2 Patch 3

2.4.2.1 Bug 12307986: OpenSSO client SDK caches URL policy decision with correct methods

In patch 3, the OpenSSO client SDK caches the URL policy decision together with all actions (methods) defined for the matching policy. Previously, only the URL policy decision for the method being accessed was cached.

For the Policy Service to return the policy actions for a given policy, the following property must be set in the OpenSSO client SDK configuration:

com.sun.identity.policy.client.cache.combine.actionItems.enabled=true

By default, this value is set to false.

2.4.2.2 Bug 12309423: Inconsistent session timeout behavior is fixed

Patch 3 fixes an inconsistent session timeout behavior. In some cases, OpenSSO server displayed the Login page rather than the Session Timeout page.

However, for the Session Timeout page to be displayed, the Purge Delay value must be greater than 0 (zero).

2.5 OpenSSO 8.0 Update 2 Patch 2

OpenSSO 8.0 Update 2 patch 2 is available as patch ID 141655-06 on the My Oracle Support site.

2.5.1 What's New in OpenSSO 8.0 Update 2 Patch 2

2.5.1.1 CR 7016248: Validation of gotoOnFail URLs

OpenSSO 8.0 Update 2 Patch 2 can validate the gotoOnFail URL after a user fails authentication. Without this validation the gotoOnFail parameter is an open redirect: an attacker can craft a login link whose failure redirect sends the user to an imposter site.

To set valid gotoOnFail URLs, follow these steps after you install patch 2:

  1. If you patched an earlier version of OpenSSO 8.0, make sure you have run the updateschema.sh or updateschema.bat script and then restarted the OpenSSO web container, as described in Running the updateschema Script.

  2. In the OpenSSO Administration Console, click Access Control, realm-name, Authentication, and then Advanced Properties.

  3. Under Valid gotoOnFail URL domains, add each valid goto domain name, as follows:

    • A domain name starting with a dot (.) such as .example.com allows all hosts in the example.com domain to be used in a failure redirect URL.

    • A domain name that does not start with a dot (.) such as example.com allows the host example.com to be used in a failure redirect URL.

      For example, http://example.com would be valid, but http://host.example.com would not be valid.

    • If you don't add the entire domain to the list, you must add each individual agent host name being used.

    • You do not need to add domains for agents in CDSSO mode, because they are protected automatically.

  4. Click Save.

  5. Log out of the console and restart the OpenSSO web container.

Additional Information

  • If a gotoOnFail URL is found to be invalid, the user is redirected to the default login failure URL.

  • If you subsequently want to disable the gotoOnFail URL validation, remove all entries from the Valid gotoOnFail URL domains list.
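The two domain rules and the fallback behaviour above are enough to implement the check, and it is worth seeing which redirect tricks they do and do not stop. The following Python example is added here and is not OpenSSO code. It applies the documented rules (dot-prefixed entry matches every host in the domain, plain entry matches that one host, empty list disables validation, anything invalid falls back to the default failure URL) and adds three hardening checks the note does not mention: only absolute http or https URLs are accepted, credentials in the authority part are rejected, and backslashes are rejected because browsers treat "\" as "/" in http URLs while many parsers do not. Whether the apex name example.com itself matches the entry .example.com is an assumption; the default failure URL and the sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical default login-failure URL for the example.
DEFAULT_FAILURE_URL = "https://sso.example.com/opensso/UI/Login?error=failed"


def host_allowed(host: str, valid_domains) -> bool:
    """Apply the two matching rules from the Valid gotoOnFail URL domains list."""
    host = host.lower().rstrip(".")
    for entry in (d.strip().lower() for d in valid_domains):
        if not entry:
            continue
        if entry.startswith("."):
            # ".example.com": every host in the domain. The apex name is
            # accepted too (assumption; the note only says "all hosts").
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            # "example.com": that one host only, not host.example.com
            return True
    return False


def resolve_goto_on_fail(goto_on_fail, valid_domains,
                         default=DEFAULT_FAILURE_URL) -> str:
    """Return the URL the browser may be sent to after a failed login."""
    if not goto_on_fail:
        return default
    if not valid_domains:
        return goto_on_fail  # empty list: validation disabled, as documented

    url = goto_on_fail.strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        return default  # e.g. unbalanced IPv6 brackets

    # Added hardening beyond the note's two rules.
    if parts.scheme.lower() not in ("http", "https"):
        return default  # blocks javascript:, data:, and protocol-relative //host
    if "@" in parts.netloc or "\\" in url:
        return default  # http://sso.example.com@attacker.test, backslash confusion
    host = parts.hostname
    if not host or not host_allowed(host, valid_domains):
        return default
    return goto_on_fail


if __name__ == "__main__":
    # Constructed candidate gotoOnFail values against the entry ".example.com".
    for candidate in [
        "https://sso.example.com:8443/app",
        "https://example.com.attacker.test/",
        "https://attacker.test/?r=sso.example.com",
        "https://sso.example.com@attacker.test/",
        "//attacker.test/x",
        "javascript:alert(1)",
    ]:
        print(candidate, "->", resolve_goto_on_fail(candidate, [".example.com"]))
```

Note what the plain-host rule means in practice: with only example.com in the list, http://host.example.com is rejected, exactly as the note's example states, so each agent host must be listed individually unless the dot-prefixed form is used.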

2.5.1.2 CR 6993122: SAMLv2 implementation of NameIDPolicy interface without SPNameQualifier

OpenSSO 8.0 Update 2 Patch 2 provides an implementation of the NameIDPolicy interface without the SPNameQualifier attribute.

The SPNameQualifier attribute in the NameIDPolicy interface is optional in a SAMLv2 authentication request. In some instances, a service provider (SP) initiated SSO can fail because an identity provider (IDP) cannot recognize the SPNameQualifier attribute in NameIDPolicy of the authentication request.

This implementation is available in the following new class:

com.sun.identity.saml2.protocol.impl.NameIDPolicyImplWithoutSPNameQualifier

The default behavior (that is, to put the SPNameQualifier attribute in NameIDPolicy of the authentication request) does not change.

To use the new class, follow these steps:

  1. In the OpenSSO Administration Console, click Configuration, Servers and Sites, server-name, and then Advanced.

  2. Add the following new property and value:

    • Property: com.sun.identity.saml2.sdk.mapping.NameIDPolicy

    • Value: com.sun.identity.saml2.protocol.impl.NameIDPolicyImplWithoutSPNameQualifier

  3. Click Save.

  4. Log out of the console and restart the OpenSSO server web container.

2.5.1.3 HttpServletRequest and HttpServletResponse are available with Distributed Authentication User Interface (6677966)

OpenSSO 8.0 Update 2 Patch 2 allows you to access the HttpServletRequest object and modify the HttpServletResponse object through a custom authentication module for OpenSSO server deployments with the Distributed Authentication User Interface (DAUI), as well as for OpenSSO server deployments without the DAUI.

To use this new feature, you must modify your existing custom authentication modules using the authentication SPI framework. (If you don't want to use this feature, your existing custom authentication modules do not need to be modified. The current APIs for getHttpServletRequest and getHttpServletResponse will continue to be supported but only for OpenSSO server deployments without the DAUI.)

Changes to custom authentication modules include both Java class files and callback XML files. No UI changes are required. OpenSSO 8.0 Update 2 Patch 2 adds these new callbacks:

  • HttpRequestCallback: equivalent to the container HttpServletRequest object

  • HttpResponseCallback: equivalent to the container HttpServletResponse object

For more information, see the OpenSSO Enterprise 8.0 Developer's Guide.

2.5.2 Known Issues in OpenSSO 8.0 Update 2 Patch 2

2.5.2.1 CR 7017520: Missing property in Policy Service causes HTTP status code 500

For OpenSSO 8.0 Update 2 Patch 1 and later releases, the Policy Service sometimes returns HTTP status code 500. This problem is caused by a missing app_sso_token_invalid key in the amPolicy.properties file.

Workaround:

  1. In the OpenSSO-Deploy-base/WEB-INF/classes/amPolicy.properties file, add the following line:

    app_sso_token_invalid=Application sso token is invalid
    

    OpenSSO-Deploy-base represents the path where the web container deploys the opensso.war file.

  2. Restart the OpenSSO web container.

2.5.3 Documentation Updates in OpenSSO 8.0 Update 2 Patch 2

2.5.3.1 CR 7013849: Documentation update: WS-Trust certificate must be the same on client and server

The Oracle OpenSSO STS Administrator's Guide requires additional information about the Private Key Alias in Chapter 4, Managing the Security Token Service:

http://docs.oracle.com/cd/E17842_01/doc.1111/e17844/tokenservice.htm

Private Key Alias

Behind the Private Key Alias, a real certificate exists in the client's keystore. The value of this certificate depends on the OpenSSO server configuration. For authentication between a web services client (WSC) and a web services provider (WSP) such as OpenSSO server to function properly, the certificates on the client and OpenSSO server must match.

On the client side, you must import the certificate from OpenSSO server into the client's certificate store database. This imported certificate can be under a different name than OpenSSO server, but the client and OpenSSO server must use the same certificate to communicate properly.

For more information about web services security, see the OpenSSO Enterprise 8.0 Administration Reference:

http://docs.oracle.com/cd/E19681-01/820-3886/index.html

2.5.3.2 CR 7007193: Documentation update: REST Get method parameter passing is changed in OpenSSO 8.0 Update 2

OpenSSO 8.0 Update 2 and later releases do not allow sensitive information such as a password in URLs using the REST identity interface. This change (CR 6940612) prevents sensitive information from appearing in browser history files and web server or proxy log files.

If you are using the REST identity interface, a URL that contains sensitive information such as a password returns an unsupported operation exception. For example, the following URL contains the user's password and would return an exception:

https://opensso.example.com:80/opensso/identity/authenticate?username=user&password=user-password

In the OpenSSO Enterprise 8.0 Developer's Guide, Chapter 10, Using the REST Identity Interfaces, states that "the REST authenticate interface works with simple user name and password only." However, in OpenSSO 8.0 Update 2 and later releases, sensitive information such as the password is not allowed in the URL and returns an exception.

Therefore, if you are using the REST identity interface with OpenSSO 8.0 Update 2 and later releases, use a POST operation to send the authentication data to OpenSSO server. POST data is usually not logged or stored as part of the browser history.
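A client-side illustration of the rule above, added here as an example and not taken from OpenSSO or its SDK: the credentials go in a POST body, the client refuses to build a request whose query string carries a sensitive parameter (mirroring the server's rejection), and a redaction helper shows what may be written to a log. The set of sensitive parameter names is an assumption (the note only names the password), the base URL is the note's example host, and nothing is sent over the network.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Parameter names treated as sensitive. The note names the password; the
# set is an assumption you would extend for your own deployment.
SENSITIVE_PARAMS = {"password"}


def sensitive_in_query(url: str):
    """Names of sensitive parameters present in the URL's query string."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in query if k.lower() in SENSITIVE_PARAMS})


def redact_url(url: str) -> str:
    """Copy of the URL that is safe to log: sensitive values replaced."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_authenticate_request(base_url: str, username: str,
                               password: str) -> Request:
    """Build the REST authenticate call with the credentials in the body."""
    url = base_url.rstrip("/") + "/identity/authenticate"
    if sensitive_in_query(url):
        # Same rule the server applies: a password in the URL is an error.
        raise ValueError("sensitive data in URL: " + redact_url(url))
    body = urlencode({"username": username, "password": password}).encode("utf-8")
    req = Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


if __name__ == "__main__":
    # The GET form from the note: rejected, and shown redacted as it would be logged.
    bad = ("https://opensso.example.com/opensso/identity/authenticate"
           "?username=user&password=user-password")
    print("sensitive params in URL:", sensitive_in_query(bad))
    print("what a log may contain:", redact_url(bad))

    req = build_authenticate_request("https://opensso.example.com/opensso",
                                     "user", "user-password")
    print(req.get_method(), req.full_url)
    print("body:", req.data)
```

Moving the password into the body keeps it out of browser history and out of the request line that web servers and proxies log by default; it is still plaintext on the wire, so the endpoint must be reached over TLS.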

2.6 OpenSSO 8.0 Update 2 Patch 1

OpenSSO 8.0 Update 2 patch 1 is available as patch ID 141655-05 on the My Oracle Support site.

2.6.1 Known Issues in OpenSSO 8.0 Update 2 Patch 1

2.6.1.1 CR 6978018: Running OpenSSO 8.0 in GlassFish 2.1.x using LDAPS with JDK 1.6.x

To run OpenSSO 8.0 in a GlassFish 2.1.x web container with an external directory server using LDAPS with JDK 1.6.x, set the NSS_USE_DECODED_CKA_EC_POINT environment variable to 1 before you start the GlassFish 2.1.x domain. For example:

NSS_USE_DECODED_CKA_EC_POINT=1
export NSS_USE_DECODED_CKA_EC_POINT
glassfish-root/bin/asadmin start-domain glassfish-domain 

2.6.1.2 CR 7002787: OpenSSO 8.0 Update 2 is not working with Active Directory Data Store

This problem occurs for both OpenSSO 8.0 Update 2 and OpenSSO 8.0 Update 2 patch 1. If you create an Active Directory data store and then log in to the OpenSSO administration console using the Active Directory authentication module, OpenSSO returns the error message "User has no profile in this organization" to your browser.

Workaround. To use the Active Directory data store and authentication module with OpenSSO 8.0 Update 2 or OpenSSO 8.0 Update 2 patch 1, perform these steps:

  1. Log in to the OpenSSO Administration Console.

  2. Under the Active Directory data store configuration, make these changes:

    1. For the LDAPv3 Plug-in Supported Types and Operations, change:

      user=read,create,edit,delete

      to

      user=read,create,edit,delete,service

    2. In Attribute Name Mapping, add the following attribute mappings:

      • iplanet-am-user-alias-list=objectGUID

      • employeeNumber=distinguishedName

      • mail=userPrincipalName

      • portalAddress=sAMAccountName

      • telephonenumber=displayName

      • uid=sAMAccountName

    3. Click Save and log out of the console.

  3. Restart the OpenSSO web container.

2.6.1.3 CR 6897101: After a login to a non-default realm, user experiences multiple logins after a timeout

Previously, if a user entered valid credentials after an authentication module timeout occurred, the login screen for the second authentication module was presented and the user could enter an invalid password to get access to a protected resource.

Patch 1 fixes this CR; however, this fix works only with non-JAAS modules. If you write a custom authentication module, you must use non-JAAS modules.

2.6.1.4 CR 6983035: Remote console with OpenSSO server returns errors after a session timeout

If you log in to OpenSSO server from a remote console and a session timeout occurs, some console functions do not work properly. Also, errors are displayed if you click on various tabs in the console.

Workaround. After making changes from the remote console, log out from the remote console. To clear the errors, restart both OpenSSO server and the remote console.

2.6.1.5 CR 6983026: Remote console with OpenSSO server causes errors when modifying Federation or SAML v2 attributes requiring the certificate keystore

If you are using a remote console and try to save Federation or SAML properties that need access to the certificate keystore, errors are returned. This problem occurs because the certificate keystore resides on the OpenSSO server, and the remote console does not have access to the keystore.

Workaround. Use either of these solutions, depending on your deployment:

  • If the keystore is directly accessible from the remote console through a mount point, specify the complete absolute path to the keystore.

  • Copy the keystore files from the OpenSSO server to the remote console. This solution, however, requires that if you make changes to the keystore files on the OpenSSO server, you must also update the keystore files on the remote console.

2.6.1.6 CR 6995584: "Post-Authentication Plug-In for First Time Login" sample requires OpenSSO 8.0 Update 1 or later

If you are using the sample in "Example 1-1 Code Sample: Post-Authentication Plug-In for First-Time Login" in the Sun OpenSSO Enterprise 8.0 Integration Guide, you must be running OpenSSO 8.0 Update 1 or later. Otherwise, the sample does not compile because the Java compiler cannot find the POST_PROCESS_LOGIN_SUCCESS_URL property, which was first available with OpenSSO 8.0 Update 1.