Sun ONE Identity Server Release Notes



Release Notes
Sun™ ONE Identity Server 6.0



These release notes contain important information on the Identity Server 6.0 release.

Enhancements, installation notes, known problems, and late-breaking issues are addressed. Read this document before installing Identity Server. This document contains the following sections:



Key Features

This section lists the key features for the Sun ONE Identity Server 6.0 release.


Policy

  • Authorization Application Program Interface (API) for administration and evaluation.

  • Policy can support conditions such as IP, time, date, authentication level and authentication method. Custom condition plug-in can be supported through Service Provider Interface (SPI).

  • The deployment process is greatly simplified. There is no need to run scripts manually first, and Policy can be deployed without first deploying user management.

  • Policy can be defined for existing LDAP groups, roles, or users or through a custom plug-in SPI.

  • Policy evaluation can be delegated to sub-organization, peer organization or through a custom plug-in SPI.


Authentication

  • New Authentication Client API.

  • Support for organization-based, user-based, resource-based, role-based, authentication level-based and authentication method-based authentication.

  • Automatic session upgrade if higher level authentication is required.

  • New Authentication Module service provider interface.

  • Supports user, role, resource, and organization-based success/failure login URL redirection.

  • New post authentication process SPI for login success, login failure, and logout.

  • Java Authentication and Authorization Service (JAAS) based authentication framework.

  • Supports existing JAAS authentication modules.

  • New J2EE Assisted Take Off (JATO) based authentication user interface. Available for organization-based or service-based JSP customization.

  • Online Certificate Status Protocol (OCSP) certificate validation for certificate-based authentication.


Federation Management

  • Integrated Federation Management module installed with Identity Server and accessible through the Administration Console.

  • Support for all the Liberty protocols:

    • Single Sign-On and Federation Protocol

    • Federation Termination Notification Protocol

    • Name Registration Protocol

    • Single Logout Protocol

    • Identity Provider (IDP) Introduction Protocol

  • Sample applications demonstrating integration of applications with the module.


Security Assertion Markup Language (SAML)

  • New SDK.

  • Support for attribute, authentication and Authorization Decision query.

  • XML Digital Signature (XML DSIG) support for signing assertions, responses, and so forth.

  • Support for Simple Object Access Protocol (SOAP) binding.

  • Support for Web Artifact profile and Web Post profile.

  • SAML samples provided in the release.

  • SAML client API.


Logging

  • Support for setting logging level.

  • Extended Log Format (ELF) log files.


Console

  • Console-only installation option for remote console operation.

  • Support for disabling user management for policy-only customers.

  • Support for policy administrators (different from org admin).

  • New Current Sessions page that lists all active sessions and allows you to terminate user sessions.


Other New Features

  • Sun ONE Certificate Server User certificate issuance integration.

  • Identity Server supports the following standards:

    • SAML

    • JAAS

    • JDK Logging

    • SOAP

    • HTTP/HTTPS

    • XML DSIG

  • Improved Configuration backup and restore.



Documentation

This section provides information on the documentation sets for the Identity Server 6.0 release. The documentation listed in this section can be found at the following location:

http://docs.sun.com/db/prod/s1idsrv#hic


Identity Server 6.0 Documentation Set

The Identity Server documentation set contains the following guides in PDF and HTML format:

  • Product Brief provides an overview of the Identity Server application and its features and functions.

  • Installation and Configuration Guide describes Identity Server and provides details on how to plan and install Identity Server on Solaris and Windows 2000 Server systems.

  • Administration Guide documents how to manage user and service data through the Identity Server Administration Console.

  • Programmer's Guide documents how to customize an Identity Server system for your organization.

  • Policy Agent Guide provides installation and deployment information about the Sun ONE Identity Server URL policy agents. Policy agents protect content on your web servers and proxy servers from unauthorized intrusions. They control access to services and web resources based on the policies configured by an administrator.

  • Getting Started Guide documents how to use various features of the Identity Server product to set up a simple organization with identities, policies and roles.



Patches and Downloads

This section contains important information about patches and downloads that are required for Identity Server operation.


NT Authentication Module Requires Samba 2.2.2

To use the NT Authentication module, you must download and install Samba 2.2.2. Samba is a file and print server that lets Windows and UNIX machines work together without requiring a separate Windows NT/2000 Server. More information, and the download itself, can be accessed at http://wwws.sun.com/software/download/products/3e3af224.html.


Identity Server Security Service Requires Certificate Server 4.7SP1 Patch

In order to enable the Identity Server Security Service, you must:

  1. Install Sun ONE Certificate Server 4.7 SP1. For installation instructions, see the Certificate Server 4.7 SP1 release notes at http://docs.sun.com/source/816-6407-10/index.html.

  2. Configure the Certificate Server to enable the Identity Server Security Service. For configuration instructions, see the "Support for Identity Server Single Sign-on (SSO)" section in the Sun ONE Certificate Server 4.7 SP1 release notes.

  3. Configure the Identity Server Security Service attributes located in the Service Configuration module of the Identity Server console.


Identity Server Security Service Requires Patch For Internet Explorer 5.x And Higher

If you are using Microsoft Internet Explorer Version 5.x and above, and access the Identity Server Security Service's Get My Certificate attribute, you will receive an Internet Explorer error message displaying VBScript code.

To fix this, install the following two Microsoft Internet Explorer security patches:

Q323172 - MS02-048

Fixes a flaw in certificate enrollment control that may cause digital certificates to be deleted.

Q328145 - MS02-050

Fixes a certificate validation flaw that may permit identity spoofing.

Information and download instructions for these patches can be found at the following location:

http://www.microsoft.com/windows2000/downloads/critical/default.asp



Identity Server Known Problems and Limitations



This section lists and describes the known problems and limitations for this release of Identity Server.


General


Setting The Domain Name Before Identity Server Installation
Before you install Identity Server, you must set the domain name (DNS name) of the machine on which Identity Server will be installed. For more information, please refer to the "Setting the Domain Name" section in Chapter 3 of the Sun ONE Identity Server Installation and Configuration Guide. This document can be found at http://docs.sun.com/coll/S1_IdServ_60.


User Management on Existing Directory Server With Existing DIT
After installation, only Policy management is enabled on an existing Directory Server with an existing DIT. User management is not enabled by default. Before you can perform user management tasks in the console, you need to follow the instructions found in <Identity_Server_root>/SUNWam/migration/README, or <Identity_Server_root>\migration\README on Windows 2000. (#4790361)


Login Fails If Second Server Instance Is Created In SSL Mode
Login may fail to a second Identity Server instance if that instance was created in SSL mode. The corresponding certificate database needs to be created for the second instance for SSL to work. The certificate database should be created using the Web Server's certificate utility, not the utility in the C API directory. (#4786301, #4788320)


Debug Directories For Additional Identity Server Instances
If multiple server instances need to use different debug directories, make sure that the individual instance has both read and write permissions. (#4757643)


smtp server port Property Incorrect in AMConfig.properties
The smtp server port property in AMConfig.properties is not correct: sent mail incorrectly looks for the property com.iplanet.am.smtpport. (#4788486)


Installation/Uninstallation


Installation Fails With Directory Server With Password Policy Enabled
If you install Identity Server with an existing instance of Directory Server that has the Password Policy attribute enabled, the administrator password you enter for Identity Server must adhere to the Directory Server password policy. (#4781602)


Uninstall Program Removes Custom Directories
The uninstall program will delete all the files, including custom files or directories. It is recommended that you backup all of your own files in the console deployment directory and/or the service deployment directory. (#4743115)


Reinstall of Identity Server On Windows 2000 May Not Work If Identity Server Files Remain
If you run the uninstall utility on Windows 2000, it will report that all files have been successfully removed, when in fact they have not. Even if you manually remove the remaining files, you will not be able to successfully re-install Identity Server. If the Identity Server installation program fails on Windows 2000, it may cause conflicts with the operating system that could result in abnormal behavior. (#4745028, #4775027)

Workaround

When the installation program fails, remove the failed installation directory. In the productregistry file, under <System Drive>\winnt\system32, clean up the registry entries under services corresponding to Directory Server and Web Server, and then reboot the machine.


Authentication


Identity Server In Persistent Cookie Mode
In Identity Server, persistent cookie mode does not work as expected under certain configurations. If persistent cookie mode needs to be enabled in a real deployment, contact customer support for the fix. (#4786616)


Reloading the Session Timeout Page Will Authenticate User with Valid Username and Password
At the login page, if a user waits for the page to timeout and then enters a valid username and password, the user will see the session timeout page. The user will be authenticated to Identity Server if the user reloads the page without re-entering username and password. (#4697120)


User Login Fails If DN To Start User Search Is Not Set To The Object
If a user in a newly created organization has the same user ID as a user in the default organization, the authentication attempt for both users will fail, because the default value of the DN To Start User Search attribute is set to the root and not to the organization's object. To avoid this kind of failure, set the default value of DN To Start User Search for the registered authentication service to the organization's object rather than the root. (#4759858)


Failback Problem for LDAP and Membership Authentication Services
In the LDAP and Membership Authentication services, failback is not working correctly for primary and secondary servers. For example, if you have two servers LDAP1 (primary) and LDAP2 (secondary), and then you stop LDAP1 and reauthenticate, authentication to LDAP2 is successful. However, if you restart LDAP1 and then reauthenticate, Identity Server will continue to use LDAP2 for the authentication process. (#4783979)

Workaround

Stop the secondary server after restarting the primary server. Identity Server will failback to the primary server.


Different Directories Must Be Specified For Multiple SafeWord Servers
A configuration with multiple organizations, each using its own SafeWord server, must specify a separate .../serverVerification directory in each organization's SafeWord Authentication service template. If you leave the default value, so that all servers use the same directory, then only the first organization to authenticate with its SafeWord server will work. (#4756295)


Policy


Policy Evaluation When Status Is Inactive
When a policy is evaluated on a user, the policy evaluation only checks to see if the policy is applied to this user based on the subjects (Organization, LDAP User, LDAP Group, LDAP Role) in the policy. It does not check the user status by default.

If the user status needs to be checked during the policy evaluation, the user search filter can be changed in the policy configuration so that the user status can be taken into consideration. To do so:

Change the user search filter in iPlanetAmPolicyConfigService to (&(<current search filter>)(inetuserstatus=active)) if the user entries are managed by Identity Server,

or

(&(<current search filter>)(CustomUserStatusAttribute=ACTIVESTATUS)) if the user entries are not managed by Identity Server and CustomUserStatusAttribute is the LDAP attribute used to manage the status of the users.

If an organization is added as a policy subject and its status is Inactive, the users contained in that organization can still access the resources. If the organization status needs to be checked during policy evaluation, Identity Server can be configured so that users cannot authenticate to that organization. To do so, set the DN to Start User Search attribute in the LDAP Authentication service to the root organization. The users in the inactive organization will then not be able to authenticate. (#4752813, #4781990)
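The filter change above can be checked before it is put into the policy configuration. This added example (not Identity Server code) composes the status-checking filter and runs it over a constructed sample directory with a deliberately small LDAP filter evaluator; the default filter, entries and attribute values are assumptions, and the evaluator covers only &, |, !, presence and equality filters.

```python
# Compose a user search filter that also checks user status, and show its
# effect on constructed sample entries. Added example, not Identity Server
# code. The evaluator below is a small subset of RFC 2254 filters; in a real
# deployment the filter is evaluated by Directory Server itself.


def with_status_check(current_filter, status_attr="inetuserstatus", active_value="active"):
    """Wrap an existing search filter so that only active users match.

    Defaults cover entries managed by Identity Server (inetuserstatus=active).
    For externally managed entries pass the custom status attribute and value.
    """
    current_filter = current_filter.strip()
    if not (current_filter.startswith("(") and current_filter.endswith(")")):
        raise ValueError("search filter must be a parenthesised LDAP filter")
    _split_top_level(current_filter)  # raises if the parentheses are unbalanced
    return "(&%s(%s=%s))" % (current_filter, status_attr, active_value)


def _split_top_level(body):
    """Split a run of filters into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter: " + body)
            if depth == 0:
                parts.append(body[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced filter: " + body)
    return parts


def matches(entry, flt):
    """True if entry (dict: lower-case attribute -> list of values) satisfies flt.

    Values are compared case-insensitively, like LDAP caseIgnoreMatch.
    """
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("bad filter: " + flt)
    body = flt[1:-1]
    if body.startswith("&"):
        return all(matches(entry, sub) for sub in _split_top_level(body[1:]))
    if body.startswith("|"):
        return any(matches(entry, sub) for sub in _split_top_level(body[1:]))
    if body.startswith("!"):
        subs = _split_top_level(body[1:])
        if len(subs) != 1:
            raise ValueError("NOT takes exactly one filter: " + flt)
        return not matches(entry, subs[0])
    attr, sep, value = body.partition("=")
    if not sep or not attr:
        raise ValueError("bad filter: " + flt)
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


# Constructed sample directory: one active user, one inactive user and one
# entry with no status attribute at all (as an entry created outside Identity
# Server might look).
SAMPLE_USERS = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectclass": ["top", "person", "inetorgperson"],
        "uid": ["alice"], "inetuserstatus": ["Active"]},
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectclass": ["top", "person", "inetorgperson"],
        "uid": ["bob"], "inetuserstatus": ["Inactive"]},
    "uid=carol,ou=People,dc=example,dc=com": {
        "objectclass": ["top", "person", "inetorgperson"],
        "uid": ["carol"]},
}

# Constructed stand-in for "the current search filter" in the policy configuration.
DEFAULT_FILTER = "(objectclass=inetorgperson)"


def search(filter_string, users=SAMPLE_USERS):
    """Return the sorted DNs of the sample users matching filter_string."""
    return sorted(dn for dn, entry in users.items() if matches(entry, filter_string))


if __name__ == "__main__":
    print("without status check:", search(DEFAULT_FILTER))
    print("with status check:   ", search(with_status_check(DEFAULT_FILTER)))
```

Without the status clause bob (inactive) and carol (no status attribute) are still returned as policy subjects; with it only alice matches.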


Creating Policies With The amadmin Command Line Utility
If you use amadmin to create policies, keep the following items in mind:

  • The URL resource name must contain the port for iPlanetAMWebAgentService service in the corresponding policy creation XML document.

  • The policy authentication scheme is case sensitive. For example, if the user authenticates using LDAP, the policy authentication scheme must be LDAP, instead of ldap.

  • Ensure that the policy rules, subjects, and conditions are valid. The amadmin tool does not validate those policy elements.

  • The policy schema XML document only contains boolean and string data types. It does not support paragraph, password, encrypted_password, DN, email, url, numeric, percent, number, decimal_number, number_range, decimal_range, xml, or date. (#4738577, #4776010, #4787964, #4727580)


Wildcard Characters Not Accepted In The Hostname Defined In Policy Rules
When policies are defined for web agent services, the hostname in the policy rules cannot contain wildcard characters. The hostname must be the FQDN (Fully Qualified Domain Name). (#4786597)


Changes To The Policy Configuration Service Are Not Dynamically Applied To Existing Policies
Changes made to the Policy Configuration service attribute values (other than selected subjects, conditions and referrals) do not take effect in policy evaluation until the server is restarted or all of the policies in the organization are saved. You do not have to change the policies themselves: simply viewing and saving them in the console makes the new policy service attribute values effective in policy evaluation. (#4785477)


SAML


SAML Password In Cleartext
The password is stored in cleartext in Directory Server if basic authentication is used for the SAML trust relationship. Because of this, basic authentication is not recommended. Instead, use SSL with client authentication to set up the SAML trust relationship. (#4787204)


SDK


Using Identity Server SDK On A Remote Machine Running In SSL
If the Identity Server SDK is installed on a remote machine using pkgadd, a certificate database needs to be created for the Identity Server SDK to work correctly if the Identity Server is running in SSL mode. The certificate database is created using Web Server's certutil command, or through the Web Server console. Once the certificate database is created, copy it to the remote machine. (#4786617, #4787347)

The certutil command can be found under <Identity_Server_root>/SUNWam/servers/bin/https/admin/bin.

The AMConfig.properties on the remote machine also needs to be modified so that the following properties are set with the correct values:

com.iplanet.am.admin.cli.certdb.dir

com.iplanet.am.admin.cli.certdb.prefix

com.iplanet.am.admin.cli.certdb.passfile



Note: The certutil command under <Identity_Server_root>/SUNWam/capi/bin should not be used to create the above certificate database.




Migration


User Management Should Be Enabled After a Successful Migration
After successful login, the administrator should enable the Enable User Management option. (#4756009).


Identity Server Security Service


Identity Server Security Service Enrollment For A Suborganization Does Not Change When Pointing To A Different CA
The enrollment URL does not change for a user at the suborganization level when the Identity Server Security Service is configured to use a different CA for the suborganization. (#4747625)

Workaround

Installing the Sun ONE Directory Server 5.1 SP1 Hot Patch will rectify this problem.


Certificates Are Not Published To The Proper Attribute In Directory Server
The certificates issued by the Identity Server Security service are not published to the proper attribute, or in the proper format, in the Directory Server. Certificates should be published in binary format to usercertificate. Currently they are published into iplanet-am-dss-certificate. (#4789637)

Workaround

To publish certificates to the correct attribute in Directory Server, you must:

  1. Configure the Certificate Server for publishing. Instructions for this process are found in Chapter 19 "Setting up LDAP Publishing" in the Sun ONE Certificate Server Installation and Configuration Guide at http://docs.sun.com/source/816-5548-10/pub_ldap.htm#14533.

  2. In the Identity Server console, select Service Configuration.

  3. Click on the Certificate Authentication service Properties arrow.

  4. Modify the following attributes:

    Match Certificate In LDAP: Enable this attribute by selecting it.

    Attribute In Subject DN To use To Search LDAP: Enter 0.9.2342.19200300.100.1.1

    Field In Cert To Use To Access User Profile: Select subject UID.

  5. Save the modifications.


Command Line Utilities


Creating Identity Server Objects Through amadmin
If you create objects through the amadmin command line, ensure that the suffix specified in the XML file has exactly the same case as the root suffix specified during installation and stored in AMConfig.properties. If not, authentication and referral policy creation may fail. (#4786157)


Backup and Restore


Backup of Logging in JDBC Database is Not Supported
am2bak does not back up and restore logs in a JDBC database. Use the backup and restore tools provided by the corresponding database vendor to back up and restore Identity Server logs created in the database. (#4709994)


Backup Fails If Root Suffix Contains Embedded Spaces
The backup of configuration files will fail if the specified root suffix contains embedded spaces. (#4787394)

Workaround

Place amadmin's variables in double quotes ("...").


File/Directory Permissions Incorrectly Set After Backup
When performing a backup with am2bak, the backup permissions are set after the backup process. Because of this, the target backup directory created by the script is readable until the tar file is created, making it possible to read/copy the Identity Server files. (#4788158)

Workaround

Use the existing backup directory in the root and make sure that it has read/write permissions.


am2bak Does Not Backup Service Config Data When Directory Server Is In SSL Mode
The am2bak script, as part of configuration backup (-c option), performs the backup of the service configuration. This includes both the updated service schema xml files, and the service configuration data. When the Directory Server is configured to run in SSL mode, however, the service configuration backup is not done as part of configuration (-c) backup.

Workaround

You can specify a non-SSL port of Directory Server in the am2bak script. Alternatively, you can use the backup utility of the Directory Server for service configuration backup. The service configuration information for each organization is stored under ou=services, <org_DN>. You can perform the Directory Server backup through the Directory Server console, or by using the db2bak and bak2db utilities located in <Directory_Server_root>/<slapd_INSTANCENAME>. (#4786292)


Identity Server Unable To Create Log/Debug Files After Restore
By default, Identity Server is installed with the system user and group defined as nobody. If you change the system user and group to anything besides nobody, and run the bak2am script, Identity Server will not create the log and debug files after the restore. This is because the bak2am script always creates the debug and logs directories with permissions set to nobody. (#4786299)

Workaround

Whenever you run bak2am, go to the <Identity_Server_root>/opt/SUNWam directory and change the permissions of the debug and logs directories to your system user and group settings. For example:

cd /var/opt/SUNWam
chown -R <systemuser>:<systemgroup> debug
chown -R <systemuser>:<systemgroup> logs
chmod 700 debug
chmod 700 logs



Corrections and Additions to the Documentation

This section lists information that is either incorrect or was not included in the Identity Server documentation set at the time of publication.


iplanet-am-user-login-status Not Enforced For Top-level Admin
You can successfully log in to Identity Server as amadmin even if the iplanet-am-user-login-status element is set to inactive. This ensures that system administrators do not get locked out. It is expected behavior. (#4749818)


Account Expiration Does Not Work for amadmin
iplanet-am-user-account-life is enforced only for users who log in from a browser. An expired account can still be accessed and authenticated to using the amadmin command line utility. It is expected behavior. (#4709928)


Deny/Allow Rule Precedence For Policies
Deny rules always take precedence over allow rules in a policy. For example, if you have two policies for a given resource, one denying access and the other allowing access, the result is denied access (provided that the conditions for both policies are met). It is recommended that deny policies be used with extreme caution, as they may lead to conflicts between policies. Typically, policy definition should use only allow rules and rely on the default deny that applies when no policy matches to accomplish the deny case.

If explicit deny rules are used, policies that are assigned to a given user through different subjects (such as role and/or group membership) may result in denied access to a resource if at least one of the policies is a deny policy.

Such conflicts can be resolved by designing appropriate condition plug-ins that force the policy engine to use only those policies that satisfy the particular condition. For example, a "role condition" plug-in can be defined that checks the role to which the user is authenticated. (#4785973)
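The precedence rule above, and the conflict that arises when one user reaches two policies through different subjects, worked through as an added example (not Identity Server code). The policy records, DNs and the required_role field standing in for the "role condition" plug-in are constructed assumptions.

```python
# Combine policy decisions the way the text describes: any applicable deny
# wins, otherwise allow, and a default deny when no policy applies.
# Added example, not Identity Server code; all data below is constructed.

ALLOW, DENY = "allow", "deny"


def applicable(policy, user):
    """A policy applies if the user is in its subject and its condition holds.

    required_role stands in for a "role condition" plug-in: when present, the
    policy is used only if the user authenticated to that role.
    """
    if policy["subject"] not in user["memberships"]:
        return False
    required = policy.get("required_role")
    return required is None or required == user["auth_role"]


def decide(policies, user, resource):
    """Return (decision, names of the policies that determined it)."""
    hits = [p for p in policies if p["resource"] == resource and applicable(p, user)]
    denies = [p["name"] for p in hits if p["rule"] == DENY]
    if denies:                      # explicit deny overrides every allow
        return DENY, denies
    allows = [p["name"] for p in hits if p["rule"] == ALLOW]
    if allows:
        return ALLOW, allows
    return DENY, []                 # default deny: nothing applied


STAFF = "cn=Staff,ou=Roles,dc=example,dc=com"
CONTRACTORS = "cn=Contractors,ou=Groups,dc=example,dc=com"
RESOURCE = "http://www.example.com:80/payroll/*"

# Two policies for the same resource, one of them an explicit deny.
POLICIES_WITH_EXPLICIT_DENY = [
    {"name": "StaffPayroll", "resource": RESOURCE, "subject": STAFF, "rule": ALLOW},
    {"name": "ContractorsNoPayroll", "resource": RESOURCE, "subject": CONTRACTORS, "rule": DENY},
]

# The same intent with allow rules only: the deny case comes from the default
# deny, and the role condition keeps the allow from leaking through the group.
POLICIES_ALLOW_ONLY = [
    {"name": "StaffPayroll", "resource": RESOURCE, "subject": STAFF,
     "rule": ALLOW, "required_role": STAFF},
]

# Alice is both Staff (role) and a Contractor (group), so both policies reach her.
ALICE = {"memberships": {STAFF, CONTRACTORS}, "auth_role": STAFF}
DAVE = {"memberships": {CONTRACTORS}, "auth_role": CONTRACTORS}

if __name__ == "__main__":
    print("explicit deny, alice:", decide(POLICIES_WITH_EXPLICIT_DENY, ALICE, RESOURCE))
    print("allow only, alice:   ", decide(POLICIES_ALLOW_ONLY, ALICE, RESOURCE))
    print("allow only, dave:    ", decide(POLICIES_ALLOW_ONLY, DAVE, RESOURCE))
```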


Policy Condition Environment Map
com.sun.identity.policy.PolicyEvaluator accepts envMap in getPolicyDecision() and isAllowed() methods. The key/value pairs in envMap influence condition plug-in evaluations.

The keys understood in envMap, and the valid values for those keys, are governed by the condition plug-ins installed and enabled in the policy framework. Entries in envMap whose keys are not used by any enabled condition plug-in are simply ignored; it is not an error to have values for unused keys. However, values for keys that are used by a condition plug-in must conform to the rules of that plug-in. The following list gives the keys used by the out-of-the-box condition plug-ins shipped with Identity Server, and the rules that apply to the values of those keys.




  • requestTime
    Value: A Java Long object representing the GMT time for which to evaluate the PolicyDecision.
    Used by: SimpleTimeCondition. If the key/value pair is not passed in envMap, SimpleTimeCondition uses System.currentTimeMillis().

  • requestTimeZone
    Value: A java.util.TimeZone object representing the time zone to use while computing the PolicyDecision. This is overridden by the EnforcementTimeZone defined in SimpleTimeCondition.
    Used by: SimpleTimeCondition. If the key/value pair is not passed in envMap and EnforcementTimeZone is not defined in the condition plug-in, TimeZone.getDefault() is used.

  • requestDnsName
    Value: A Set of Strings in valid host name (with domain name) format.
    Used by: IPCondition.

  • requestIp
    Value: A String representation of a valid IP address of the form n.n.n.n.
    Used by: IPCondition. If the key/value pair is not defined, the condition plug-in takes the value from the SSOToken.

  • requestAuthSchemes
    Value: A Set of Strings.
    Used by: AuthSchemeCondition.

  • requestAuthLevel
    Value: A Java Integer object.
    Used by: AuthLevelCondition.

com.sun.identity.policy.client.PolicyEvaluator also accepts envMap in the getPolicyDecision() and isAllowed() methods. The keys understood are the same as those listed for com.sun.identity.policy.PolicyEvaluator. However, the values for the keys must be a Set of Strings that can be converted to the corresponding object types listed for com.sun.identity.policy.PolicyEvaluator. com.sun.identity.policy.client.PolicyEvaluator may be changed in the future so that the required format of the values is the same as that of com.sun.identity.policy.PolicyEvaluator. (#4785255)


Identity Server Uninstall Program Does Not Remove Directory Server Data
When using the uninstall program, Identity Server does not remove any of the data from an existing Directory Server. This must be done manually.

The Identity Server Uninstall utility will only remove the Directory Server schema installed by Identity Server with the Configure an Existing Directory option enabled. (#4759750)


Javadocs Incorrectly Refer to DebugConfig.properties File
The Javadocs for the com.iplanet.am.util.Debug class incorrectly refer to the DebugConfig.properties file. They should refer to the AMConfig.properties file, as there is no DebugConfig.properties file in Identity Server. (#4765012)


Email Notification Syntax Incorrectly Listed in Online Help
In the online help, the syntax for creating email lists is incorrectly described for the User Creation Notification List and User Deletion Notification List attributes. The correct syntax is documented in the Sun ONE Identity Server Administration Guide. (#4782740)


Incorrect LDAP Bind DN Attribute Description In Documentation
The online help and Identity Server Administration Guide description for the Policy Configuration service attribute LDAP Bind DN should read:

"This field specifies the bind DN in the LDAP server. By default, it is the Identity Server internal LDAP authentication user of the Identity Server installation." (#4784636)


Migrating Data from DSAME 5.1 to Identity Server 6.0
The following additions were made in "Appendix A: Migrating Data from DSAME 5.1 to Identity Server 6.0":

  • In the section "Introduction," the following caveat was added:

    "The migration scripts are case sensitive. The scripts will look for Identity Server attributes, object classes, and values that are in lower case. If you've customized your Identity Server 5.1 deployment with attribute names or object class names that contain upper case letters, then before running the scripts you must change those names to lower case letters." (#4906865)

  • Under "Uninstalling Identity Server 5.1 (Solaris)," step 6 was added:

    "If Directory Server and Identity Server exist on different computer systems, then after installation is complete, you must manually remove the DSAME 5.1 schema file 95ns-amschema.ldif from the Directory Server schema directory." (#4849890)



For More Information

Useful Sun ONE information can be found at the following Internet locations:



Sending Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. Email your comments to Sun at this address:

docfeedback@sun.com



Copyright 2002   Sun Microsystems, Inc. All rights reserved.

Last Updated September 26, 2003