Patch-ID# 120954-12

NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************
For further information on patching best practices and resources, please
see the Big Admin Patching Center:
http://www.oracle.com/technetwork/systems/patches
***********************************************************************

Keywords: access manager security
Synopsis: AM 7.0: Sun Java System Access Manager 2005Q4
Date: Nov/03/2010

Install Requirements: NA
Solaris Release: 8 9 10
SunOS Release: 5.8 5.9 5.10
Unbundled Product: Sun Java System Access Manager
Unbundled Release: 7.0
Xref: This patch available for i386 as patch 120955-12, for Linux as patch Patch-ID# 120956-12
Topic: Sun Java System Access Manager
Relevant Architectures: sparc

BugId's fixed with this patch: 5088144 6202135 6204679 6215016 6228648 6236892 6244578 6246905 6269853 6269858 6273148 6281358 6282777 6283582 6286388 6289589 6291287 6292616 6292838 6293673 6293720 6294440 6294618 6295075 6295078 6295081 6295524 6295834 6296108 6298433 6298462 6299621 6303917 6303975 6305268 6306605 6306833 6307920 6308488 6308982 6309830 6309907 6310356 6311985 6313117 6314342 6318296 6319028 6320046 6320475 6321128 6321616 6323367 6323368 6323608 6324349 6324841 6325333 6325343 6326050 6326634 6327691 6327802 6327836 6328018 6328362 6328396 6330306 6330678 6330679 6330685 6330687 6330747 6331016 6333870 6334633 6335137 6336904 6337063 6337106 6337160 6337701 6337806 6338418 6338582 6339025 6340418 6340625 6340918 6341686 6341737 6342097 6342223 6342313 6342725 6343531 6345189 6345362 6346904 6346908 6346918 6347568 6348888 6349244 6349253 6349959 6349962 6350126 6350438 6350573 6351524
6351948 6352008 6352076 6354073 6356127 6356473 6356670 6356715 6356879 6357625 6359266 6360631 6361191 6362232 6362297 6362300 6363157 6363399 6366215 6366219 6367058 6368218 6369227 6369341 6369414 6369745 6370252 6370350 6370360 6370363 6371584 6371762 6373302 6373328 6373458 6373599 6374669 6374846 6376650 6377915 6377962 6379325 6380680 6381655 6382633 6384339 6384379 6384492 6385019 6385184 6385185 6385696 6385710 6385729 6386277 6386378 6387712 6388327 6388549 6389019 6389196 6389564 6390379 6390472 6391943 6395463 6396409 6396494 6396913 6397102 6398604 6399168 6400814 6402490 6406621 6406729 6406919 6407995 6408727 6409176 6409584 6409600 6410007 6410312 6411060 6413030 6413108 6413589 6413597 6416012 6418545 6419295 6419838 6421328 6422875 6422876 6422877 6422878 6422879 6422901 6423547 6423781 6425383 6426044 6426050 6426055 6426056 6426505 6426508 6426515 6426517 6426900 6428296 6429236 6429368 6429610 6429932 6430126 6431798 6432893 6432969 6433637 6434881 6435889 6435983 6436152 6436482 6436910 6436913 6437042 6437423 6440691 6440697 6441961 6442520 6442818 6443758 6444030 6444541 6445678 6447532 6449079 6449563 6449573 6449611 6449618 6450565 6452630 6452758 6453795 6456504 6457138 6458041 6458905 6460002 6461079 6461481 6462310 6463730 6463779 6463796 6464271 6465657 6466835 6467562 6472574 6473199 6476470 6477938 6478175 6478255 6478361 6479248 6479540 6480019 6482886 6483150 6484947 6485240 6485597 6486724 6486843 6488432 6489514 6489518 6489519 6491021 6491371 6494304 6494643 6495781 6496155 6498405 6498902 6499264 6499268 6502285 6503710 6503831 6503891 6507303 6507510 6507568 6511876 6513642 6513653 6513655 6513697 6514355 6515502 6517760 6518521 6518919 6521565 6522179 6522720 6523866 6523888 6524926 6526440 6529205 6532311 6532315 6536635 6538606 6539090 6539195 6539894 6541695 6542522 6545176 6547061 6547376 6548341 6553229 6553505 6554621 6557778 6562232 6564604 6564877 6566948 6567746 6569557 6570409 6580630 6581324 6584816 6592884 6600618 
6603137 6605870 6607892 6612609 6615879 6620746 6624895 6625191 6626786 6627230 6629110 6634276 6637600 6647387 6648925 6653827 6657367 6657393 6659356 6676816 6677440 6685368 6691106 6693152 6696354 6696910 6697260 6697966 6698247 6703429 6709771 6709889 6711711 6712993 6714023 6714693 6721606 6725206 6728227 6730843 6738703 6740852 6745353 6746634 6749656 6753050 6754195 6755801 6756079 6766363 6770231 6777889 6785877 6786610 6795308 6798890 6804391 6808821 6813339 6818423 6822388 6834791 6842190 6843487 6844490 6867944 6871163 6872718 6888778 6888783 6888784 6888820 6894077 6902174 6902310 6907618 6907699 6916733 6920839 6925817 6926203 6937104 6937999 6938162 6959325 6960112 6964062 6970770 6971095

Changes incorporated in this version: 6964062 6971095 6770231 6926203 6920839 6937104 6902310 6970770 6871163 6894077 6808821 6916733 6907618 6888820 6959325 6907699 6822388 6960112 6888778 6888783 6888784 6938162 6937999 6925817

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/opt/SUNWam/config/AMConfig.properties.template
/etc/opt/SUNWam/config/amProfile.conf
/etc/opt/SUNWam/config/serverconfig.xml.template
/etc/opt/SUNWam/config/xml/template/amAuth.xml
/etc/opt/SUNWam/config/xml/template/amAuthCert.xml
/etc/opt/SUNWam/config/xml/template/amDelegation.xml
/etc/opt/SUNWam/config/xml/template/amDisco.xml
/etc/opt/SUNWam/config/xml/template/amPlatform.xml
/etc/opt/SUNWam/config/xml/template/amPolicyConfig.xml
/etc/opt/SUNWam/config/xml/template/amSOAPBinding.xml
/etc/opt/SUNWam/config/xml/template/amSession.xml
/etc/opt/SUNWam/config/xml/template/idRepoService.xml
/opt/SUNWam/Makefile.clientsdk
/opt/SUNWam/Makefile.distAuthUI
/opt/SUNWam/README.clientsdk
/opt/SUNWam/README.distAuthUI
/opt/SUNWam/am_server.war
/opt/SUNWam/amauthdistui.war
/opt/SUNWam/amclient.war
/opt/SUNWam/bin/am2bak.template
/opt/SUNWam/bin/amadmin.template
/opt/SUNWam/bin/amas70config
/opt/SUNWam/bin/amas81config
/opt/SUNWam/bin/amconfig
/opt/SUNWam/bin/amhasetup
/opt/SUNWam/bin/ampassword.template
/opt/SUNWam/bin/amsamplesilent
/opt/SUNWam/bin/amsdkconfig
/opt/SUNWam/bin/amserver.template
/opt/SUNWam/bin/amsessiondb
/opt/SUNWam/bin/amsfo
/opt/SUNWam/bin/amsfoconfig
/opt/SUNWam/bin/amsfopassword
/opt/SUNWam/bin/amsvcconfig
/opt/SUNWam/bin/amtune/amtune
/opt/SUNWam/bin/amtune/amtune-as7
/opt/SUNWam/bin/amtune/amtune-as8
/opt/SUNWam/bin/amtune/amtune-directory.template
/opt/SUNWam/bin/amtune/amtune-env
/opt/SUNWam/bin/amtune/amtune-identity
/opt/SUNWam/bin/amtune/amtune-os
/opt/SUNWam/bin/amtune/amtune-prepareDSTuner
/opt/SUNWam/bin/amtune/amtune-samplepasswordfile
/opt/SUNWam/bin/amtune/amtune-utils
/opt/SUNWam/bin/amtune/amtune-ws61
/opt/SUNWam/bin/amtune/remacis.ldif
/opt/SUNWam/bin/amutils
/opt/SUNWam/bin/amverifyarchive.template
/opt/SUNWam/bin/amwas51config
/opt/SUNWam/bin/amwl81config
/opt/SUNWam/bin/amws61config
/opt/SUNWam/bin/bak2am.template
/opt/SUNWam/console.war
/opt/SUNWam/docs/am_public_javadocs.jar
/opt/SUNWam/dtd/Auth_Module_Properties.dtd
/opt/SUNWam/dtd/remote-auth.dtd
/opt/SUNWam/include/am.h
/opt/SUNWam/include/am_log.h
/opt/SUNWam/include/am_map.h
/opt/SUNWam/include/am_policy.h
/opt/SUNWam/include/am_properties.h
/opt/SUNWam/include/am_sso.h
/opt/SUNWam/include/am_string_set.h
/opt/SUNWam/include/am_types.h
/opt/SUNWam/include/am_utils.h
/opt/SUNWam/include/am_web.h
/opt/SUNWam/introduction.war
/opt/SUNWam/lib/am_logging.jar
/opt/SUNWam/lib/am_sdk.jar
/opt/SUNWam/lib/am_services.jar
/opt/SUNWam/lib/am_sessiondb.jar
/opt/SUNWam/lib/am_sso_provider.jar
/opt/SUNWam/lib/amclientsdk.jar
/opt/SUNWam/lib/amsfo.conf
/opt/SUNWam/lib/libamsdk.so.2
/opt/SUNWam/lib/libamutils.so
/opt/SUNWam/lib/xmlsec.jar
/opt/SUNWam/locale/LC_MESSAGES/amsfoconfig.mo
/opt/SUNWam/locale/amAdminCLI.properties
/opt/SUNWam/locale/amAuth.properties
/opt/SUNWam/locale/amAuthCert.properties
/opt/SUNWam/locale/amAuthContext.properties
/opt/SUNWam/locale/amAuthLDAP.properties
/opt/SUNWam/locale/amAuthSecurID.properties
/opt/SUNWam/locale/amAuthUI.properties
/opt/SUNWam/locale/amConsole.properties
/opt/SUNWam/locale/amFederation.properties
/opt/SUNWam/locale/amIdRepoService.properties
/opt/SUNWam/locale/amInteraction.properties
/opt/SUNWam/locale/amPolicy.properties
/opt/SUNWam/locale/amPolicyConfig.properties
/opt/SUNWam/locale/amSAML.properties
/opt/SUNWam/locale/amSDK.properties
/opt/SUNWam/locale/amSOAPBinding.properties
/opt/SUNWam/locale/amSession.properties
/opt/SUNWam/locale/amSessionDB.properties
/opt/SUNWam/locale/getEncoding.class
/opt/SUNWam/migration/61to62/scripts/Upgrade61DitTo62
/opt/SUNWam/password.war
/opt/SUNWam/samples/authentication/api/Cert/Makefile
/opt/SUNWam/samples/authentication/api/LDAP/LDAPLogin.java
/opt/SUNWam/samples/authentication/api/LDAP/Makefile
/opt/SUNWam/samples/authentication/api/Readme_setup.html
/opt/SUNWam/samples/authentication/api/jcdi/Makefile
/opt/SUNWam/samples/authentication/spi/certmodule/CertModuleSample.java
/opt/SUNWam/samples/authentication/spi/certmodule/CertModuleSample.xml
/opt/SUNWam/samples/authentication/spi/certmodule/CertModuleSamplePrincipal.java
/opt/SUNWam/samples/authentication/spi/certmodule/Makefile
/opt/SUNWam/samples/authentication/spi/certmodule/Readme.html
/opt/SUNWam/samples/authentication/spi/certmodule/amAuthCertModuleSample.properties
/opt/SUNWam/samples/authentication/spi/certmodule/amAuthCertModuleSample.xml
/opt/SUNWam/samples/authentication/spi/genuid/Readme.html
/opt/SUNWam/samples/authentication/spi/jcdi/Readme.html
/opt/SUNWam/samples/authentication/spi/postprocess/ISAuthPostProcessSample.java
/opt/SUNWam/samples/authentication/spi/postprocess/Readme.html
/opt/SUNWam/samples/authentication/spi/providers/Readme.html
/opt/SUNWam/samples/authentication/spi/purejaas/Makefile
/opt/SUNWam/samples/authentication/spi/purejaas/Readme.html
/opt/SUNWam/samples/console/Readme.html
/opt/SUNWam/samples/console/Readme.txt
/opt/SUNWam/samples/csdk/README.TXT
/opt/SUNWam/samples/csdk/am_log_test.c
/opt/SUNWam/samples/csdk/am_sso_test.c
/opt/SUNWam/samples/logging/RunSample
/opt/SUNWam/samples/phase2/sis-ep/bin/load_ldif.sh
/opt/SUNWam/samples/phase2/wsc/index.jsp
/opt/SUNWam/samples/policy/Readme.html
/opt/SUNWam/samples/policy/Readme.txt
/opt/SUNWam/samples/saml/xmlsig/Readme.html
/opt/SUNWam/samples/saml/xmlsig/Readme.txt
/opt/SUNWam/samples/sso/TestHttpsClient.java
/opt/SUNWam/samples/sso/run
/opt/SUNWam/samples/um/Readme.html
/opt/SUNWam/samples/um/RunSamples
/opt/SUNWam/services.war
/opt/SUNWam/share/HARepo/amsessionconfig
/opt/SUNWam/share/bin/amsecuridd
/opt/SUNWam/share/bin/amunixd
/opt/SUNWam/share/bin/amwar
/opt/SUNWam/share/bin/checkport
/usr/share/lib/identity/console-war/WEB-INF/lib/am_console.jar
/opt/SUNWam/lib/libxml2.so.2

Problem Description:

6964062 Unnecessary session requests repeatedly sent from one server to another
6971095 Certificate based authentication does not work with Dist Auth
6770231 goto URL not validated
6926203 goto URL incorrect validation in distAuth
6920839 SAMLPostProfile Servlet issues
6937104 OpenSSO - Password Reset link issue
6902310 session-id issue upon successful authentication
6970770 Resource access issues across realms
6871163 Need to bundle in latest C-SDK (from WebAgents 2.2-05 bits bundled with NSS 3.12.5) into AM server
6894077 In Cookie hijacking mode, logout request hangs
6808821 ClientSDK : Cannot login and get profile as Portal user created in Active Directory through OpenSSO
6916733 updateschema.sh has issue with old version of ldapjdk.jar
6907618 Remote IdRepo calls does not work when special characters present
6888820 Need to add 7.0 AMSDK DistAuth support for 7.1 AM Server Windows Desktop SSO authentication
6959325 Access Manager Patch README needs to declare the required patch
6907699 LDAP+Radius Auth chain can't propagate Radius new pin or Next Token page
6822388 App session invalid message can not be handled by web agent
6960112 Null Pointer Exception during reauthentication of user
6888778 config/federation/default/Error.jsp problem
6888783 problem in SMProfileViewBean
6888784 Policy servlet output encoding
6938162 Session Token in URLs /opensso/federation /opensso/realm etc
6937999 Problem in /opensso/base/AMAdminFrame
6925817 IdRepo unwanted debug info

(from 120954-11)

6867944 Method encodeUrlPath does not handle simple path properly
6698247 Access Manager Radius Authn Module lost uid between access_request and access challenge
6902174 SAML Assertion has incorrect character in the Assertion ID, causing failure in interaction service
6843487 Add a property to set flag HttpOnly when creating AM session cookie
6753050 Cannot Access Admin Console After applying patch8 on Websphere 5.1.1
6872718 Persistent XSS scripting issue in OpenSSO

(from 120954-10)

6804391 amsecuridd process crash and hang issues in AM Servers 6.3 and 7.0
6834791 updateschema.pl is not prompting for DS hostname and port in AM on Windows
6777889 amSecurIDD process crashing in AM 6.3 and AM 7.x servers frequently
6795308 CDCServlet can make advice available to the wrong client
6813339 notification URL is not re-registered after restarting AM
6818423 severing LDAP connection cause sporadic login failure afterwards
6785877 Cleanup debug files
6844490 Need to bundle in latest C-SDK into AM server
6842190 updateschema.sh throws ": integer expression expected[: 21 " on linux
6749656 Updating service schema for filtered role privileges

(from 120954-09)

6754195 LDAP servers not correctly closing sockets can cause AM server to hang
6677440 Probable XSS vulnerability in the cdcservlet on AM7.0p5
6564604 WindowDesktop SSO is not working with IBM Websphere
6755801 AMSDK does not failover to secondary DS if primary DS is down in legacy mode
6798890 7.0patch8 double encodes query string in CDCServlet
6738703 Attributes in http header are never updated
6745353 AM SDK does not failover to secondary DS properly
6766363 Re-establishing ldap conn pool under load has problems/race conditions
6786610 Application based idle timeout feature broken when security hole was plugged
6714023 SECURID messages for SAFEWORD Authentication does not translate one particular message correctly
6756079 Randomly some users cannot log in Access Manager despite their login and password being correct
6746634 Policy is created but ineffective until AM restarted
6728227 Policy evaluation fails when the policy definition's subject include Chinese characters

(from 120954-08)

6377962 Additional SAML logging is required for authentication logging
6486843 Delegation Privileges cannot be defined for a filtered role
6712993 information issue in access manager login
6740852 Configuration Items in console can show information
6503710 AM login sporadically fails when LDAPv3 people container is set to empty
6538606 IDWSF need to enhance to work with SAML2
6600618 Appending a string matching a wildcard policy to a URL can result in unexpected authenticated access
6637600 psearch connections to directory server not terminating resulting in resource crunch and even crash
6647387 Logging Reducing the Logging overhead from internal users logged when communicating from PA to AM Server
6653827 SOAP client is entering an infinite loop after the AM server becomes unavailable
6657367 CDSSO: CDCServlet has JS dependency, enhancement to remove this dependency
6657393 %U in user id causes infinite loop
6659356 New bug with the interaction process in a balanced scenario
6676816 Passing http parameters ending in % causes thread to spin when running on IBM or BEA appserver
6685368 DistAuth state lost at login page after com.iplanet.am.session.invalidate timeout and goto param
6691106 Multiple SiteMonitor threads could be running for checking the same site
6693152 amsdk jar files should include version number in the manifest file
6696354 CDC servlet does not encode special characters in the destination URL
6696910 AM 7.0 patch 5 memory leak (hashmap/string objects)
6697260 Add option to allow agent application session to idle timeout
6697966 Upgrade JES2 to JES4 : Access Manager amupgrade script hangs
6703429 "Accept-Language" property not inherited when request are exchange between AM servers in a LB env
6709771 Federation session map is not cleaned up if sessions are timed out
6709889 User can login to amconsole using uid with wildcards such as "amadmi*" or "amadm*" or "amad*"
6711711 Profile attributes map not forwarded in HTTP_HEADER
6714693 In an AM LB environment, PA return inconsistent HTTP_HEADER values for entrydn
6721606 Return incorrect cookie domain for method getCookieDomainsForReq
6725206 Memory leak on ServiceConfigImpl object
6730843 "goto" is missed in the "Authentication failied" page, if LB is not sticky

(from 120954-07)

6286388 Not able to dynamically create user profile with LDAPv3 data store
6511876 SAML request fails if LB does SSL termination
6449079 ServiceConfigImpl synchronization block causes hang when client/server are on the same host
6620746 Memory leak causing heap growth in AM 6.3 Policy Evaluation tests
6409600 ConcurrentModificationException in AMObjectImpl prevents AMEvents from being delivered
6458041 Patches should add properties to the AMConfig.properties files for all instances
6566948 NT users fail to authenticate against AM if user's password contain an accent character
6567746 AM7 patch5 reports errorCode=null instead of 107 when passwordretrycount is exceeded
6570409 Interaction Service behind the load balancer does not work as expected.
6581324 Portal Server doesn't reconnect to Access Manager if access manager is started after the PS
6605870 StackOverflowError when evaluating the delegation
6607892 Access Manager will not follow goto URL from logout page when session has expired
6612609 Session failover does not work if network cable is pulled off from MQ box
6615879 AM patching script should notify what properties and config files get overwritten by the patch
6624895 Connection to ldaps hangs when used with access manager 7.0 p6
6625191 AM 7.0 Patch 6 amconfig script overwrites serverconfig.xml
6626786 Internal sessions created for application auth module do not get cleaned
6627230 AM7.0 does not set session property UserId to the uid for Cert module
6629110 Under load testing stress the amconsole experience memory leak
6634276 ExceedRetryLimit message does not show correctly on AM7 with JA locale
6648925 Incorrect title bar is shown when an invalid realm is provided at login
6653827 SOAP client is entering an infinite loop after the AM server becomes unavailable

(from 120954-06)

6292838 iplanet-am-role-display-options not processed correctly for Filtered Roles
6228648 Attribute iplanet-am-role-managed-container-dn of a filtered role not read
6324841 LDAPConnections not being reset periodically
6350438 AM hang under peak load caused by LDAP access within synchronized block
6413108 amsdk doesn't fallback to primary directory server once primary comes up
6522179 Policy evals for subjects with multiple groups time out because LDAP search time limit exceeded
6536635 AM needs to support the new setReadTimeout API introduced in JDK1.5
6539090 User Based Authentication shows incorrect profile post authentication
6466835 Synchronization issue in JAXRPCUtil.java for getValidURL method
6337806 Errors while redeploying to multiple instances on app server 8.1
6449611 amclientsdk: Changes in data store are not propagated to the clientsdk
6449618 amclientsdk: AMConfig.properties created by Makefile.clientsdk is unusable
6461481 AM7 instances should log to separate directories/log files for the /var/opt/SUNWam/logs
6472574 Policy subject result cache is not cleaned up when receiving session notifications
6486724 Secure cookie flag should be set in CDSSO/cookie hijacking scenario
6496155 Use a restriction token other than the IP address in cookie hijacking feature
6502285 AM 7.0, new line char in the Policy Description throws message that is misleading
6503891 Need to provide AM protected namespace for protected properties
6507303 Programmatic login cannot be localized
6507510 Patch add fails when Access Manager is installed with Configure Later option on Solaris
6507568 LDAP AuthModule does not return correct error when password validation fails
6514355 session quota constraints blocking user access when session db/jmq is down and session failover
6518521 bak2am.bat fails with "ERROR: Operation failed: Could not get running services."
6521565 Agent fails if agentRootURL list has a non dns hostname
6522720 On the AM Console, performing search in help does not work if keyword is enter as Japanese character
6523866 Alternate Boot Environment support required for AM 7.0
6523888 Config later support is required in 7.0 for Linux
6526440 XML Entity References cause problems in Remote Auth API Callbacks
6532311 Authentication validation rules should prompt user password and not deny user
6532315 Dead lock in SM while getting list of policies from policy manager
6539195 AM 7.0: Server memory leak
6539894 AM 7.0 Multiple cookies domain does not work after applying patch 5
6541695 Post-auth plug-in changes to support Sharepoint
6542522 "Select Action" drop down menu should not have certain options when results return via membership
6545176 SAML2 plugin corrupting the amserver.war file
6547061 Need to bundle in new xmlsec.jar due to incorporate fix for 6519471
6547376 Errors when connecting to the ldapv3 plugin
6548341 AM 7.0P5:Protected resource is not displayed if the hostname and domain name are in mixed case
6553229 AM7 Console on Linux does not correctly display Action items
6553505 RSA auth module logs pin & token in debug mode
6554621 Needs to support com.iplanet.am.jssproxy.SSLTrustHostList
6557778 AM7.0 timed out sessions didn't clean up due to session notification looping
6562232 Realm login via distAuth is not working in AM7.0Patch5
6564877 AM 7.0 Patch upgradation or installation overwrites the SAML V2 setup without warning
6569557 ServiceSchema.setAttributeDefaults() fails with amclientsdk
6580630 Addition of IE 7 browser support to Access Manager 7.0
6584816 Server error using AM7.0 patch 5 when user tried to assigned role
6592884 Session stickiness not working with multisite configuration with WebAgents
6603137 Cannot create policy with time condition

(from 120954-05)

6390472 AM API does not authenticate if the password contains a leading or a trailing space
6398604 Profile is not created with userCreationAttributes from external LDAP if password has to be changed
6385019 Double clicking login button can crash WS if login module calls HttpServletResponse.addHeader
6409176 AM authentication issue when Account lockout enabled in Directory Server
6377915 SAMLAwareServlet does not work in a Load Balanced environment
6391943 Can't find resource for bundle java.util.PropertyResourceBundle, key wrongSOAPEnvtag
6453795 Authentication Context section of hosted providers is not localized.
6461079 Service schema allows to have duplicated AttributesSchemas
6308488 Error message logged on web container for every remote auth request
6452630 AM SecurID helper hard coded 7500 ms timeout for connection
6444541 Post authentication processing of logouts can fail in multi server environment
6478175 amsfo scripts fail when a non-default installation directory is used
6478361 amsessiondb script hardcodes AM_HOME to /opt/SUNWam(solaris) and /opt/sun/identity(Linux)
6479248 maxSessions.jsp forwarded to users even though stats report active session below max limit
6479540 AccessManager sends incorrect PolicyResponse when ChineseCharacters are used in the URL as Query.
6480019 amconsole: Error is shown during remove member from group created on new console
6484947 Critical ACIs are removed from Directory Server by amtune scripts thereby opening up a security hole
6386378 Kerberos auth error using Windows Desktop SSO in Access Manager 2005Q1
6491021 Creating users starting with '#' creates two uids
6407995 Auth/Session : IP address checking in session does not work under certain conditions
6482886 perftune/amtune do not work in zones install
6406919 AM /amconsole: Password is visible in logs, in URL
6399168 LDAPRoles membership evaluation throws NullPointerException if the user does not have any role
6441961 Sub-realms not created with the proper set of services
6442520 Session upgrade does not work in case of remote Authentication
6447532 AM7 clientsdk javadoc missing doc for package com.sun.identity.idm
6449573 LDAPv3Repo: All attributes available are pulled from the datastore
6452758 When switching orgs with auth, Authentication Exception is thrown due to incorrect handler
6456504 Cannot start server if an entry in server or site list does not have port number or has trailing /
6457138 Setting ignoring profile no longer has effect
6458905 Authentication chains: JAAS state sharing were incorrect executed; Sharing works for up to two
6460002 SAML should support name identifier spi
6462310 Site Monitor assume -1 for default port number, if not specified
6464271 CCEditableList not working properly when trying to customize AM policy condition
6465657 Interaction Service request fails if the user does not allows one attribute
6467562 Filtered role name missing an "ou=service" in the container JASS Subject
6473199 Method onLoginFailure instead of onLogout of postprocess is not executed when user logs out
6476470 With 61 cookie domains, uwc fails with IE, with 121 cookie domains amserver/amconsole fails with IE
6477938 CDCServlet redirects to auth module base on auth URL cookie blindly if unique SSO token is enabled
6478255 Service Failover is working only for one direction
6483150 LDAPFilterCondition does not pick the policy config data defined at the realm where defined.
6485240 Need to specify realm when cdcservlet redirects to AM login
6485597 amadmin removeSubConfig fails if the subConfigName has /
6488432 Policy response to include issueInstant
6489514 CertAuth has problem in getting CRL if distPoint does not support post
6489518 CertAuth needs to use UPN value to map user profile
6489519 Thread based SiteMonitor impl needs to be ported as oob feature
6491371 Cert AuthModule sample missing
6494304 authschemecondition should support application idle timeout and force authn
6494643 7.0patch4 creates compatibility issue among agent, sdk client and server
6495781 wsc sample cannot write bootstrapping info therefore sample failure
6498405 Some Chinese Characters are not allowed when creating AM managed groups
6498902 policy client sdk should clear policy decision with advice on first use
6499264 Need AuthInstant for every authenticated module Instance
6499268 Support for "ForcedAuth" using Composite Advice and URL parameter
6503831 Distributed Authentication UI to support Composite Advices
6513642 amtune creates a /tmp/dspasswd file which is world readable
6513655 Profile attribute set to "Ignore" doesn't give access to console to TopLevelAdmin Roles
6513697 Enabling Basic Authentication in IIS6 agent
6517760 Installation/Configuration of multiple J2EE Agents in Web Logic Server
6518919 Client Authentication is broken and unknown "a109" attribute notices in CertAuth Module Config
6524926 ldapsearch command is failing while executing updateschema.pl
6410312 Excessive directory server calls made by idrepo during policy evaluation
6442818 Change in filtered roles does not affect policy cache - old decisions are used until cache expiry
6513653 Issue with value modified for com.iplanet.am.session.purgedelay
6515502 LDAPv3 Repo plugin does not handle "Alias Search Attribute" correctly
6529205 Endusers not able to access the profile thru console in legacy mode with a filter role

(from 120954-04)

6463730 XSS vulnerability with the goto and gx-charset parameters
6463779 DistAuth's amProfile_Client and AM Server's amProfile_Server get filled with harmless exceptions
6435889 Method Session.getSession fails because RestrictedTokenContext is not set
6463796 Disabling iPlanetAMClientDetection service for genericHTML prevents access to any AM HTML page

(from 120954-03)

6327802 Policy does not support Active Directory group as policy subject
6406729 Mixed-case static role from ldapv3 datastore causes duplicate JAAS Principals on agent container
6406621 amsfo script always starts the default instance instead of the JMQ instance in the amsfo.conf
6408727 amsfo should have an option to include amsessiondb arguments
6413030 LDAP Auth module creates new thread for each request if primary LDAP server is down
6416012 SAML2 auth module is wrongly treated as pure JASS module
6351948 .version file not showing the correct product name
6400814 Erroneous caching of a condition evaluation
6419295 Connections to LDAP server not disconnected after bind(amldap) user auth failure
6381655 An enhanced upgrade script with error checking is requested
6384492 Upgrade script does not validate passwords
6215016 module parameter in url cannot be carried into new org login page
6331016 Logging out of a server using a remote session does not destroy the session
6323368 AMUser.addEventListener does not notify and throws Exception
6388327 AMEvent objects created without the sourceDN
6389196 LDAP connectionpool should be indexed with DS root suffix
6422901 Auth NPE when user/passwd is null
6339025 UserID & Password validation plugin is not fully functioning when defined at the organization level
6409584 Multiple AMObjectImpl are not registered in the AMEvent mechanism
6422875 Auth should always set the lbcookie value with the server ID
6422877 Policy client are not sticky to the Server
6422878 Session Client does not replay the amlbcookie in the requests
6422879 Client sdk does not replay the amlbcookie
6389564 Repetitious successive queries on role memberships of user in an ldapv3 data store, during AM login
6418545 IdRepo cache is not getting updated after modifying the agent configuration
6379325 Accessing console during session-failover throws NullPointerException
6426044 Naming url fail-over issue with J2EE Agent
6426050 Delay in Detecting Site Failure - SiteMonitor URL Connection Issue
6426055 User getting 403 error in case of site failure instead of automatic redirection to Login page
6426056 Jaxrpc URL is not failing over to the other site, when primary site goes down
6422876 Dist auth does not set the amlbcookie from the server, it sets its own amlbcookie
6429368 Session constraint not enforced when top-level admins exempt in Session configuration in Console
6373599 Need to modify session code to migrate AM SDK apis to IDRepo interfaces
6321616 AuthnContext Not Correctly Handled in AuthnRequest and AuthnResponse
6389019 Authlevel/authentication context class ref is lost if no fedCookie present
6413597 Session Failover is not working when ignore user profile is turned on
5088144 amadmin can't remove an Entity Descriptor of a Provider
6362300 Need to make it easy to create dual hosted entity (both SP & IDP)
6411060 Profile attributes, dn and entrydn, are not returned to the Agent with amSDK repo plugin
6390379 Normal user console login emits warning message with exception in amIdm debug file
6430126 Logout displays "Auththentication Exception" if user session is recovered in SFO mode
6445678 Cannot set Liberty ID-FF version with amadmin when creating a provider
6349244 Misconfiguration in Realm Data store or authentication repository causes console to become inaccessible
6374669 Change of bind DN in the LDAPauth does not take effect until server restart
6382633 Policy Client does not create APPSSOToken when APPSSOToken is invalid
6386277 Dist-Auth not capable of destroying http-session on logout/timeout of session on AM server
6395463 SSOToken.getPrincipal().getName() does not return an user DN
6410007 Duplicate searches made by IDRepo
6413589 7.0 patch2 - Authentication fails in session upgrade case with NPE
6419838 jaxrpc failover not working properly with multisite failover
6421328 Session Polling does not work as expected
6423547 Call to SSOToken.getPrincipal().getName() does not return valid DN
6423781 samlp:Responder code is not processed correctly in single logout service
6425383 amadmin input user shouldn't be case sensitive
6426505 User account unusable after two SP users federate with same IDP user
6426508 Need to detect case when federation information does not exist on SP side
6426515 Need to return correct error code to caller in case of account lockout
6426517 Need to return special status code in case account lockout in SP side
6426900 Setting up CDSSO configuration with Policy Agent 2.2 on Web Logic 8.1 SP4
6428296 SAML artifact profile doesn't pass all the parameters in TARGET url
6429236 Click on user level services throws ERROR Processing the request
6429610 Unable to create SSO token in ID-FF single sign-on use case
6429932 Problems with Password Reset Service for users under OU in 7.0 Legacy Mode
6431798 Permission to perform the service operation denied
6432893 Single Logout causes preLogin process if no session exists
6432969 Support for ID-WSF1.1
6433637 Site Monitor has to check all server down case
6434881 Get LDAP error when loading accountLockoutData.xml
6435983 J2EE Policy Filter mode stops working with AM 7.0 Patch 3
6436152 (legacy mode) amconsole: error on next page select for agents
6436482 LDAP module failover hangs when primary server is down
6436910 Distributed authentication UI web application makes 2 calls to AM server when invoked as 0 page login
6436913 User profile set to "Ignored" causes problem to Distributed Auth and J2EE agents
6437042 Patch add replaces amsfo and amsfo.conf replaces the original file
6437423 ID-FF Name Registration failed using HTTP Redirect profile
6440691 DistAuth configuration required explicit JAXRPC url end point in case of multisite configuration
6443758 Persistence Cookie functionality broken after applying patch 120954-02 on AM 7 with 120954-01
6444030 DistAuth has to support CertAuth
6440697 Dist Auth running as non-amAdmin user - remote SM read exception
6385184 Re-direct from within a custom auth module when SSOToken is still in INVALID STATE
6385185 PostAuthModule must be able to override the "goto" URL and specify a different URL
6370363 IDFF : RelayState with > 1 query parameters fails SSO
6450565 Console does not display People Containers with non default naming attribute
6449563 LDAP authentication: Header Replacement does not work

(from 120954-02)

6330306 Access Manager SDK HttpsURLConnection uses a plain socket when retrying a failed connection
6342097 When Cert CRL is enabled, too many LDAPConnections open and never get closed, this causes memory leak
6345189 Web agent has to get right naming table even when it is configured with multiple LBs
6351524 LDAP search time during policy evaluation is too long when there are thousands users in a group
6244578 AM should warn user that the browser cookie support is disabled/not available
6360631 Session not terminated through session management
6319028 Clientsdk does not handle exceptions in the SOAP message
6282777 Implementing TTL on amsdk cache
6337063 Adding a sub-organisation using Access Manager 7.0 in JES4 breaks the gateway and Access Manager
6293673 Need to retain the original session information when sending out session timeout notification
6369414 Not able to get session property in token listener callback after timeout
6357625 ID-FF 1.1 AuthContext includes AuthContextComparison
6299621 Legacy mode:Get Invalid user's location when login as an admin user that created from newconsole
6349253 PostProcessor and a custom policy condition classes, set attributes to the SSOToken, they are lost
6352008 SOAP object does not set the SOAPAction header when transported over HTTP(s) in the SAML request
6269858 AM SDK Cache/ID Repo Cache - Cache size grew substantially b.w 6.3 and 7.0
6328018 Authentication instance still displayed after being deleted
6340918 Dynamic group/Membership Filter is not updated after saving the changes
6348888 SDK does not check if the IDRepo Plugin supports role memberships
6349962 After removing "AMSDK" plugin in root realm, "amadmin" cannot view the administration page
6356127 Remote Auth does not work if Access Manager instances are running behind a non-sticky load balancer
6359266 DistAuth Fails in the session upgrade scenario
6361191 Trouble to deploy the war of Distributed Authentication on BEA WebLogic
6362232 AM 7.0 patch 1: Client SDK installations cannot be patched
6362297 Wrong entity ID is sent in case of failed single logout
6366219 Policy Evaluation failure with cn as search attribute
6369341 Need to set Attributes passed down from IDP in Assertion as properties on SSO token on SP side
6370252 Distributed Auth after patch1: Click to relogin after logout gives 500 error
6370350 Dist Auth Not working after failed auth - unable to clear authContext /unable to invalidate session
6370360 Attribute based
authZ - add LDAPFilterCondition support to AccessManager 6371584 Distributed Auth after patch 1 cannot loadbalance across dist-auth servers 6371762 AM7 console exception for user with multiple roles, user cannot use console 6373328 Provide correct notification URL in the Makefile.distAuthUI 6373458 Unable to modify "iplanet-am-session-quota-limit" for user in ldapv3 data store 6374846 AM 7.0 Group Members filter only works with * 6376650 New authentication services are displayed in the the global (config) section 6373302 Unable to load /portal web application after AMSDK upgrade 6368218 Login fails since Auth throws Null Pointer Exception 6369745 Auth framework needs to append suffix to user principal in case of ignore profile 6350126 Add "User profile" core authn parameter to session 6380680 Destroy Session is not working in LB setup for AM7.0 6269853 User id is null when user id or password is null 6354073 Certificate Mapping authentication module is not flexible 6320046 User name is displaying as 'null' in the Lockout notification mail 6385729 NPE in 7.0 if Federated Identity where in IDP and SP act simultaneously 6340625 JVM option java.util.logging.manager=com.sun.identity.log.LogManager being set in Websphere's xml 6384339 Policy decision returning more than expected ldap attributes 6384379 LDAP atttribute names returned from AM are in lower case 6385696 Existing and new IDP's and SP's are not visible 6367058 UWC SSO fails after applying 7.0patch1 6388549 Server hangs forever when one of the LDAPv3 plugin config is incorrect 6369227 Cert auth module maps full cert subject DN to LDAP attribute value 6385710 Single Logout Request causes Server Error 6396409 LDAPv3 datastore against sun DS keeps looping the psearch connections 6396913 ldapv3 getAttributes call fails if naming attribute is multivalued, resulting in login failure 6397102 LDAP Connections abandoned by LDAPv3 plugin if wrong user password is specified for datastore 6396494 Removing users from static 
groups with amadmin fails 6387712 Notification requests can cause a build up of close_wait connections 6202135 Auth taglib target attribute incorrectly quoted 6236892 Image/Text place holder while CDCServlet is processing the AuthNResponse after Login 6283582 Num of login failures are not shared across AM instances 6363157 Need to disable unnecessary persistent searches which affect performance 6402490 DSTModify Operation throws exception (from 120954-01) 6289589 Incorrect ldap server info is causing the UI not to display the LDAP related subjects in console 6295075 legacy: Reset button does not work for Client Detection/edit page 6204679 amadmin failed with no specific error message for a valid xml file but with uppercase suffix 6273148 Could not add/delete/modify discovery service resource offerings 6246905 Wrong error msg for Single Sign-On Failure Redirect URL 6291287 Policy UI for condition by auth level displays wrong values for auth level 6310356 amwas51config incorrectly using WL8_PROTOCOL when setting values for naming and notification URL's 6298462 amsfoconfig fails on linux 2.1 server 6298433 amsfoconfig has incorrect permissions on linux 2.1 6292616 AM sdk clients need restart after svc schema change 6305268 Problem with idrepo ldapv3 plugin and openldap 6308982 Need population of module specific customized error message and error template via Auth remote API 6309830 Adding more amadmin properties in the console is changing the amadmin user password 6296108 realm: Exception error when selecting a user from a new Realm contains the default v3 info 6313117 Client SDK (amclientsdk.jar) throws error messages that permission denied for reading config data 6294440 LDAP authentication module can prompt user to change their password prematurely 6320475 com.iplanet.am.session.client.polling.enable on server side must not be true 6306605 AM does not deploy on WebSphere with non-default URI's 6318296 Can't remove Session Service configuration for a subrealm 
6311985 CDC: CDC Servlet redirecting to the invalid login page when Policy condition is specified
6325343 amclientsdk.jar doesn't handle localized content in utf-8 properly
6325333 Request to add InternalSession.getObject/InternalSession.setObject() methods
6309907 postprocess plugin defined for a Named config does not execute for role based auth
6328396 IDrepo Gives exception while storing new attribute with LDAPV3 plugin
6324349 JAXRPC classcast exceptions cause initialization failure for portal webapp
6295524 amwl81config: typo prevents wireless_rendering.jar and wireless_rendering_util.jar from being used
6306833 Modification notification mail is sent when other attribute is changed
6303975 Memory leak in distributed Auth
6330678 IdRepo doesn't cache sub entries of ou=users,ou=default,ou=globalconfig,ou=1.0,ou=sunidentityreposit
6330687 There are 4 directory searches for each authentication
6314342 Unnecessary object creation of Notification/NotificationSet in session service cause perf. problem
6281358 AM legacy mode: Deletion Notification does not work
6293720 legacy: Created groups is not placed under Groups container
6294618 After first click on Directory Management tab, sub-tabs do not appear
6295081 legacy: Should prevent Orgs, Containers, People Con, user,roles to be created under grp Container
6295834 Changing password via console with debug 'message' logs changed password in amProfile
6303917 Deprecating SiteAttributeMapper overwrites new PartnerSiteAttributeMapper in SAML
6321128 Special characters (&) in SAML statements should be encoded
6323367 AM70 does not allow customers to get the uuid through command line or console
6323608 AuthContext object instances/bytes linger/leak even after user logouts and session/idle timeouts
6326050 Session event should be sent when the pre-authentication session times out
6326634 SAML: Duplicate Trusted Partner console edit errors
6327691 UrlAccessAgent SSOToken is expiring as the Application module does not return the special user DN
6327836 Distributed Authentication service to be not required to stick to one server for LB deployments
6328362 Federation performance is slow compared to 6.3
6330679 Auth model cannot be created due to lack of page session data
6330685 Include AM Server healthcheck JSP within services.war
6330747 Unable to assign Named Config(created in sub-realm) to a role
6333870 Adding a DNS/Aliases name to an organization from the Access Management will give LDAP error
6335137 Session notification is unnecessarily being sent to AM server itself
6337106 Ability to disable DNS Lookup
6337701 Realm/Subjects/Role does not contain a General page
6338418 Universal ID disappeared when Save button is pressed
6338582 SSO fails for federation
6340418 Logout fails after federation termination
6341737 AMSDK call to AMUser.getAttributesByteArray() returns empty if called after AMUser.getAttributes()
6342313 Login as an org admin user when click on Directory Manager link will get user page
6349959 Adding "role=read,create,edit,delete" to LDAPv3 IdRepo plugin causes IdRepo to fail
6343531 Deleting service leaves amconsole unusable and service partially deleted
6352076 WL8.1 SP4: Access denied while accessing any resource first time in cdsso setup
6356879 amadmin gives access to AM even with invalid user/password
6350573 Distributed Authentication Does not work when deployed in Production mode in Bea WebLogic Server
6334633 Inconsistent AM-SDK Global Schema Cache behaviour
6346904 Session Polling could hang the server under high load
6346908 Session Destroy or logout on the client sdk does not work properly
6342223 Session cache has no way to cleanup client cache when notifications are missed
6341686 Adding all groups to a user get error " Error [Ljava.lang.Object;@1d8be60"
6336904 Authentication service should not be required to stick to one server for LB deployments
6295078 legacy:Cannot delete an organization that created under a container
6307920 Special characters (&) in SAML statements should be encoded
6345362 Server failed to start if com.sun.am.event.connection.idle.timeout is set to a non zero value
6366215 IDRepo unable to search based on "cn" - LDAPv3Repo unable to search with respect to naming attribute
6363399 Policy evaluation fails for LDAPV3 filtered role
6342725 idrepo cache not updated
6356473 Gateway does not come up on a separate node after installation
6346918 cookie name property is missing in AMClient.properties since AMClientSDK is not working
6347568 amclientsdk webapp is not working the amclientsdk.jar file is missing in the war file built.
6356670 java.lang.NullPointerException in amSecurity debug logs
6356715 Auth Remote API gives error due to failure in retrieval of internal session from session ID on server
6337160 IdRepo calls SMS for every operation, leading to performance issues

Patch Installation Instructions:
--------------------------------
Backup following files:

For Solaris 8 and 9 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions. The following example
installs a patch to a standalone machine:

       example# patchadd /var/spool/patch/120954-12

The following example removes a patch from a standalone system:

       example# patchrm 120954-12

For additional examples please see the appropriate man pages.

After the patch is installed or removed, AM applications need to be
redeployed. Please refer to release notes rel_notes.html for more details.

Special Install Instructions:
-----------------------------
For Access Manager 7.0 patch 9 and higher, there is a dependency on the
following LDAP JDK patch, which needs to be installed prior to installing
AM patch

platform              patchid
----------            --------------------------
solaris sparc, x86    119725-06 or higher
Linux                 120834-04 or higher
windows               138905-01 or higher

For Access Manager Server specific patch information and patch installation
instructions, refer to the included patch release notes file, rel_notes.html,
located inside the patchID directory once the file has been unzipped.

The patch release notes include must-read information, including installation
information, redeployment instructions, instructions on how to deal with
customized auth jsp files and workarounds for known issues and limitations.

README -- Last modified date: Tuesday, November 23, 2010