Sun Java System Access Manager 7.1 Release Notes Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A.
Copyright 2007 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more U.S. patents or pending patent applications in the U.S. and in other countries. U.S. Government Rights – Commercial software.
Contents
■ Sun Java System Access Manager 7.1 Release Notes
■ Revision History
■ About Sun Java System Access Manager 7.1
■ What’s New in This Release
■ AMSDK Issues
■ SSL Issue
■ Samples Issue
■ Linux OS Issues
Sun Java System Access Manager 7.1 Release Notes
March 2007
Part Number 819-4683-10

The Sun Java™ System Access Manager 7.1 Release Notes contain important information available for the Sun Java Enterprise System (Java ES) release, including new Access Manager features and known issues with workarounds, if available. Read this document before you install and use this release. To view the Java ES product documentation, including the Access Manager collection, see http://docs.sun.com/prod/entsys.05q4.
Revision History

The following table shows the Access Manager 7.1 Release Notes revision history.

TABLE 1 Revision History

Date          Description of Changes
July 2006     Beta release.
March 2007    Java Enterprise System 5 release

About Sun Java System Access Manager 7.
What’s New in This Release

devices, applications, and service-driven networks. Typical uses of the JMX technology include consulting and changing application configuration, accumulating statistics about application behavior, and notification of state changes and erroneous behaviors. Data is delivered to a centralized monitoring console. Access Manager 7.
■ Number of successful authentications
■ Number of failed authentications
■ Number of successful logout operations
■ Number of failed logout operations
■ Transaction time for each module if possible (running and waiting states)

2. Sessions
■ Size of the session table (hence maximum number of sessions)
■ Number of active sessions (incremental counter)

3. Profile Service
■ Maximum cache size
■ Transaction time for operations (running and waiting)

4.
■ A new policy condition, AuthenticateToRealmCondition, is added to enforce that the user is authenticated to a specific realm.
■ A new policy condition, LDAPFilterCondition, is added to enforce that the user matches the specified LDAP filter.
■ Support for one-level wildcard compare, to facilitate protecting the contents of a directory without protecting its subdirectories.
■ Support JCE Based SecureLogHelper - making it possible to use JCE (in addition to JSS) as a security provider for Secure Logging implementation

Deprecation Notification and Announcement

Sun Java™ System Access Manager 7.1 identity management APIs and XML templates enable system administrators to create, delete, and manage identity entries in Sun Java System Directory Server. Access Manager also provides APIs for identity management.
Hardware and Software Requirements

TABLE 2 Hardware and Software Requirements

Component: Operating system (OS)
Requirement:
■ Solaris™ 10 on SPARC, x86, and x64 based systems, including support for whole root local and sparse root zones.
■ Solaris 9 on SPARC and x86 based systems.
TABLE 2 Hardware and Software Requirements (Continued)

Component: Web containers
Requirement:
■ Sun Java System Web Server 7.0. On supported platform/OS combinations you may elect to run the Web Server instance in a 64 bit JVM. Supported platforms: Solaris 9/SPARC, Solaris 10/SPARC, Solaris 10/AMD64, Red Hat AS or ES 3.0/AMD64, Red Hat AS or ES 4.0/AMD64
■ Sun Java System Application Server Enterprise Edition 8.2
■ BEA WebLogic 8.1 SP4
■ IBM WebSphere Application Server 5.1.1.
TABLE 3 Supported Browsers (Continued)

Browser                          Platform
Mozilla™ 1.7.12                  Solaris OS, versions 9 and 10; Windows XP; Windows 2000; Red Hat Linux 3 and 4; Mac OS X
Netscape™ Communicator 8.0.4     Windows XP; Windows 2000
Netscape Communicator 7.
General Compatibility Information

Access Manager Legacy Mode

If you are installing Access Manager with any of the following products, you must select the Access Manager Legacy (6.x) mode:
■ Sun Java System Portal Server
■ Sun Java System Communications Services servers, including Messaging Server, Calendar Server, Instant Messaging, or Delegated Administrator

You select the Access Manager Legacy (6.
“Configure Later” Installation Option

If you ran the Java ES Installer with the “Configure Later” option, you must run the amconfig script to configure Access Manager after installation. To select Legacy (6.x) mode, set the following parameter in your configuration script input file (amsamplesilent):

    ...
    AM_REALM=disabled
    ...

For more information about configuring Access Manager by running the amconfig script, refer to the Sun Java System Access Manager 7.
Known Issues and Limitations

This section describes the following known issues and workarounds, if available, at the time of the Access Manager 7.1 release.
■ Incompatibilities exist in core authentication module for legacy mode (6305840)
■ Delegated Administrator commadmin utility does not create a user (6294603)
■ Delegated Administrator commadmin utility does not create an organization (6292104)

Access Manager Single Sign-On fails on Universal Web Client (6367058, 6429573)

The problem occurs after you install Access Manager, Messaging Server, and Calendar Server and configure them to wor
Incompatibilities exist in core authentication module for legacy mode (6305840)

Access Manager 7.1 legacy mode has the following incompatibilities in the core authentication module from Access Manager 6 2005Q1:
■ Organization Authentication Modules are removed in legacy mode.
■ The presentation of the “Administrator Authentication Configuration” and “Organization Authentication Configuration” has changed. In the Access Manager 7.
Configuration Issues

■ Notification URL needs to be updated for Access Manager SDK installation without web container (6491977)
■ Password Reset service reports notification errors when a password is changed (6455079)
■ Platform server list and FQDN alias attribute are not updated (6309259, 6308649)
■ Data validation for required attributes in the services (6308653)
■ Document workaround for deployment on a secure W
Platform server list and FQDN alias attribute are not updated (6309259, 6308649)

In a multiple server deployment, the platform server list and FQDN alias attribute are not updated if you install Access Manager on the second (and subsequent) servers.

Workaround: Add the Realm/DNS aliases and platform server list entries manually. For the steps, see the section “Adding Additional Instances to the Platform Server List and Realm/DNS Aliases” in Sun Java System Access Manager 7.
Default Access Manager mode is realm in the configuration state file template (6280844)

By default, the Access Manager mode (AM_REALM variable) is enabled in the configuration state file template.
Console does not return the results set from Directory Server after reaching the resource limit (6239724)

Install Directory Server and then Access Manager with the existing DIT option. Log in to the Access Manager Console and create a group. Edit the users in the group. For example, add users with the filter uid=*999*. The resulting list box is empty, and the console does not display any error, information, or warning messages.
5. Click Save.

SDK and Client Issues

■ Clients do not get notifications after the server restarts (6309161)
■ SDK clients need to restart after service schema change (6292616)

Clients do not get notifications after the server restarts (6309161)

Applications written using the client SDK (amclientsdk.jar) do not get notifications if the server restarts.

Workaround: None.
2. In Directory Server console, add the following ACI.

dn:ou=1.0,ou=SunAMClientData,ou=ClientData,
changetype:modify
add:aci
aci: (target="ldap:///ou=1.0,ou=SunAMClientData,ou=ClientData,")
 (targetattr = "*")(version 3.0; acl "SunAM client data anonymous access";
 allow (read, search, compare) userdn = "ldap:///";)

Notice that the userdn is set to "ldap:///".

3.
List. If you create two new organizations with the same name, the operation fails, but Access Manager displays the “organization already exists” message rather than the expected “attribute uniqueness violated” message.

Workaround: None. Ignore the incorrect message. Access Manager is functioning correctly.
if you are using a third-party web container (IBM WebSphere or BEA WebLogic Server) and the optional HttpSession, you might need to limit the web container's maximum HttpSession time limit to avoid performance problems.
AMSDK Issues

■ Error displayed when performing AMIdentity.modifyService (6506448)
■ Group members don't show up in selected list (6459598)
■ Access Manager Login URL Returns Message "No such Organization found" (6430874)
■ Sub-org creation not possible from Access Manager when using amadmin (5001850)

Error displayed when performing AMIdentity.modifyService (6506448)

When using AMIdentity.
Access Manager Login URL Returns Message "No such Organization found" (6430874)

The problem may be due to the use of mixed-case (both uppercase and lowercase) characters in the fully qualified domain name (FQDN). Example: HostName.PRC.Example.COM

Workaround: After installation, do not use the default Access Manager login URL. Instead, in the login URL, include the LDAP location of the default organization. For example: http://HostName.PRC.Example.
The amconfig script fails when SSL certificate is expired. (6488777)

If the Access Manager container is running in SSL mode, and the container SSL certificate is expired, amconfig fails and may cause classpath corruption.

Workaround: If you have already run amconfig with an expired certificate, and the classpath is corrupted, first obtain a valid SSL certificate. Revert to the original domain.xml file, or a copy of the domain.xml file, in which the classpath is not corrupted.
JVM problems occur when running Access Manager on Application Server (6223676)

If you are running Application Server 8.1 on Red Hat Linux, the stack size of the threads created by the Red Hat OS for Application Server is 10 Mbytes, which can cause JVM resource problems when the number of Access Manager user sessions reaches 200.
Federation fails when using Artifact profile (6324056)

If you set up an identity provider (IDP) and a service provider (SP), change the communication protocol to use the browser Artifact profile, and then try to federate users between the IDP and SP, the federation fails.

Workaround: None.
Policy condition date must be specified according to English custom (6390856)

Policy condition date format labels under the Chinese locale are not displayed according to Chinese customs. The labels propose a date format that follows the English date format, and the related fields also accept English date format values.

Workaround: For each field, follow the date format example given in the field label.
Documentation Issues

■ Document the roles and filtered roles support for LDAPv3 plug-in (6365196)
■ Document unused properties in the AMConfig.
Documentation Updates

5. If you are using a JDK version earlier than JDK 1.5, edit the jdk_root/jre/lib/security/java.security file and add Bouncy Castle as one of the providers. For example:

    security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider

6. Set the following property in the AMConfig.properties file to true:

    com.sun.identity.jss.donotInstallAtHighestPriority=true

7. Restart the Access Manager web container.
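One way to check the edits from steps 5 and 6 before the restart in step 7, as an added example that is not part of the release notes; the function names and the sample provider list are constructed for illustration. The JDK reads security.provider.N entries in numeric order and stops at the first missing number, so the check flags gaps and duplicate indexes as well as a missing Bouncy Castle entry.

```shell
#!/bin/sh
# Added example, not from the release notes: verify the edits from steps 5 and 6.
BC_CLASS='org.bouncycastle.jce.provider.BouncyCastleProvider'

# The JDK reads security.provider.1, .2, ... and stops at the first missing
# number, so an entry placed after a gap is silently never loaded.
check_providers() {
    awk -v bc="$BC_CLASS" '
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            line = $0; gsub(/[ \t\r]/, "", line)
            split(line, kv, "=")
            n = kv[1]; sub(/^security\.provider\./, "", n); n += 0
            if (n in seen) { print "duplicate index " n; bad = 1 }
            seen[n] = kv[2]
            if (n > max) max = n
            if (kv[2] == bc) found = n
        }
        END {
            for (i = 1; i <= max; i++)
                if (!(i in seen)) { print "gap at index " i; bad = 1 }
            if (!found) { print "Bouncy Castle provider not listed"; bad = 1 }
            if (!bad) print "ok: Bouncy Castle at position " found
            exit bad + 0
        }' "$1"
}

# Succeeds only if the last uncommented assignment of the property is "true".
check_jss_priority() {
    awk -F= '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "com.sun.identity.jss.donotInstallAtHighestPriority" {
            val = $2; gsub(/[ \t\r]/, "", val)
        }
        END { if (val == "true") exit 0; exit 1 }' "$1"
}

# Constructed sample: index 5 is missing, so the entry at 6 would be ignored.
sample_with_gap() {
    cat <<EOF
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.6=$BC_CLASS
EOF
}

tmp=$(mktemp) && sample_with_gap > "$tmp"
check_providers "$tmp" || echo "fix java.security before restarting the container"
rm -f "$tmp"
```

Point check_providers at the real jdk_root/jre/lib/security/java.security and check_jss_priority at the deployed AMConfig.properties; both return non-zero when the file needs another edit.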
Additional Sun Resources

How to Report Problems and Provide Feedback

If you have problems with Access Manager or Sun Java Enterprise System, contact Sun customer support using one of the following mechanisms:
■ Sun Support Resources (SunSolve) services at http://sunsolve.sun.com/. This site has links to the Knowledge Base, Online Support Center, and ProductTracker, as well as to maintenance programs and support contact numbers.
Related Third-Party Web Sites

Accessibility Features for People With Disabilities

To obtain accessibility features that have been released since the publishing of this media, consult Section 508 product assessments available from Sun upon request to determine which versions are best suited for deploying accessible solutions. Updated versions of applications can be found at http://sun.com/software/javaenterprisesystem/get.html. For information on Sun's commitment to accessibility, visit http://sun.