Patch-ID# 126357-06

6897044 Getting "An internal authentication error has occurred" msg when accessing btw login page with realm 
7012182 URI is considered as URL in the goto parameter when it is URL-encoded 
7025841 @ symbol in goto URL is not interpreted correctly.
7016248 A security risk on gotoOnFail URL parameter
6935201 OpenSSO U1P3: DAUI sends errors after 3 uses (user reload three times DAUI login url)
6897101 When login in non-default realm, user experience multiple logins after timeout.
6986916 AM 7.1 patch 4 DAUI, access granted to protected page on browser refresh under certain conditions    
6992299 AM 7.1 patch 4 and fix for bug: 6935201, distauth tries to login users to previously accessed realm  
7011583 CDSSO shows internal hostname in header when site is configured.
7018857 AM71 P5 loosing the realm context when using the return login link after session timeout.
6985634 IDFF - Composite Advice not handled correctly by SP
 
(from 126357-05)
6888778 SB: config/federation/default/Error.jsp - should escape output
6932793 Intermittent authentication session timeout in 7.1p4 multiserver setup
6894077 In Cookie hijacking mode, logout request hangs
6964062 Unnecessary session requests repeatedly send from one server to another
6920839 SAMLPostProfile Servlet XSS issues
6951498 Session memory leak due to orphaned sessions on Restricted Tokens in a CDSSO/CHM with logout
6954288 With AM restart, logout is broken for active CDSSO Restricted agents leading to sessions leak
6808492 GF 2.1 CLI undeploy attempt fails and causes all future CLI commands to fail
6902310 New sessionid should be generated upon successful authn
6871163 Need to bundle in latest C-SDK (from WebAgents 2.2-05 bits bundled with NSS 3.12.5) into AM
6926203 goto URL not validated on distauth
6937104 OpenSSO u1 patch3 - XSS security vulnerability
6925817 IdRepo prints user password attribute in clear text in debug log with debug level message
6960346 Concurrentmodification Exceptions glassfish container, AM 7.1P3
6960348 Null Pointer Exceptions in CachedDirectoryServicesImpl
6962024 AM 7.1P3 ClassCast Exception in logs
6918755 amconfig from AM 7.1 patch 03 console redeploy breaks on testing USE_MFWK
6927207 AM server web interface lost focus of selected page after return
6963531 Implementing retry mechanism in PLL server (to avoid network glitch)
6967601 Unbranded screen is shown in response to a URL with an invalid GOTO parameter
6957896 AM 7.1 Patch4, User passwords containing "+" are failing
6816501 DAS Auth UI fail-over support can result in user being blocked access to the DAS
6859742 LoginViewBean in the DAS does not support server side success URL changes during the request
6867326 DistAuthUI does not recognise DNS alias when determining the authentication context realm
6891374 If session constraints fail, then the debug data is lost
6888784 SB: WH-3153144: Policy servlet should validate/encode output
6422249 SAML assertions using excessive memory
6938162 SESS:FIX Session Token in URLs /opensso/federation /opensso/realm etc
6937999 INPT:XSS Cross Site Scripting on /opensso/base/AMAdminFrame
6970770 Sub-realm user with same user-id as in root realm can access root realm protected resources
6925475 Username and password fields missing in login screen for non-LDAP auth modules in Legacy mode
6938355 NPE while deleting Portal Desktop service for a user in Access Manager Console
6947904 NullPointerException while hitting "Save" button many times on admin console
6888783 SB : WH-3148162 : SMProfileViewBean.java should escape/validate SMProfile.server
6973683 Implement TTL in SMS cache
6677966 HttpServletRequest/HttpServletResponse not available in AMLoginModule when using DA
 
(from 126357-04)
6884271 CR/LF weakness of Access Manager 7.1
6870575 Change updateschema.sh user/run environment
6697260 Add option to allow agent application session to idle timeout
6879946 Cert auth does not work if iplanet-am-auth-cert-user-profile-mapper-ext not set  
6808821 ClientSDK : Cannot login and get profile as Portal user created in Active Direct 
6907618 Remote IdRepo calls does not work when special characters present
6850818 CLI ampassword needs new option to both hash and encrypt a password
6882250 Session attribute userId is not set correctly
6496155 Use a restriction token other than the IP address in cookie hijacking feature
6849170 Client sdk throws InvalidAppSSOTokenException following accessmanger restart
6846717 Dist auth zero page login does not escape special characters
6853935 Cookies should be decoded in the communication between 2 AM instances
6862240 BUG#6816973 causes anonymous login to fail - Msg: Session Upgrade fails since us 
6877027 Can not login with DataStore module if auth naming attribute is changed from the
6883136 AM7.1 - When is authContext.submitRequirements=true ?  - errMsg:"Too many Authen
6883091 Am7.1 Patch2 : can't configure url policy which contains character '?'
6802207 PA "gateway servlet" function yeilds "Your authentication module is denied"
6640377 AM7.1.1: temporary file with directory manager's password is world-readable
6843487 Set flag HttpOnly when creating AM session cookie
6696354 CDC servlet does not encode special characters in the destination URL
6896456 CDCClientServlet does not respect "com.iplanet.am.cookie.encode" property
6908649 Admin Console shows error message during logout
6765971 While using Unix Auth module AM logs wrong DN in amAuthentication.access file
6611872 Can not remove agentRootURL key value for agent profile from Admin console
6859022 Bootstrapping the Liberty ID-WSF with SAML v2 Doc has wrong information
6861920 XSS Vulnerability fix
6667760 AMLoginModule requires a method to determine users current session quota level
6800246 CDCservlet needs to be able to insert custom HTTP response header
6797573 Unable to get/set properties on restricted tokens
6712208 Locale cannot be changed during authentication using dist auth ui (resource bundle
6817798 Auth UI does not process locale parameter to meet RFC4646
6685368 Dist. Auth state lost at login page after com.iplanet.am.session.invalidate time
6703429 "Accept-Language" property not inherited when request are exchange between AM se
6721606 Return incorrect cookie domain for method getCookieDomainsForReq
6872718 Persistent XSS scripting issue in OpenSSO
6876880 LDAP Connection Pool Size settings being ignored
6888820 Request to add AMSDK and DAM support for Windows Desktop SSO authentication     
6897887 AM 7.1-in-memory account lockout doesn't work for the users in the second Auth module in Auth Chain
6714023 SECURID messages for SAFEWORD Authentication does not translate one particular message correctly
6637086 Session time out message should be shown even if the idle time exceeds invalidsessionmaxtime
6916584 Policy day condition is not evaluating the condition if the range is laying over into next year
 
(from 126357-03)
6791898 "No such Organization found" shown when primary LDAP is stopped
6791437 Sun Java SAM 7.1 Distributed Auth UI session timeout re-login URL incorrect
6748117 AM71 losing the realm context when using the return login link
6770120 AM 7.1sp1 console bug can lock out amadmin account permanently
6754419 AM server does not send password expired error to remote client
6387712 Notification requests can cause a build up of close_wait connections
6515502 LDAPv3 Repo plugin does not handle "Alias Search Attribute" correctly
6768678 Can not access user profile of users not in the default people container
6782529 updateschema.sh script is required to make schema changes after applying a patch
6637600 psearch connections to directory server not terminating resulting in resouce crunch and even crash
6521565 Agent fails if agentRootURL list has a non dns hostname
6607892 Access Manager will not follow goto URL from logout page when session has expired
6456504 Can not start server if an entry in server or site list does not have port number
6496155 Use a restriction token other than the IP address in cookie hijacking feature
6763401 Updating "primary ldap server" of policy configuration on amconsole causes two MOD operations in ldap
6797112 A user is not locked after password reset failure attempts
6773986 Warning message not displayed on login failure before the user lockout
6620746 Memory leak causing heap growth in Policy Evaluation tests
6677440 Probable XSS vulnerability in the cdcservlet
6471046 AuthLoginException message not meaningful when authenticating user is locked
6698247 Access Manager Radius Authentication Module lost uid between access_request and access challenge
6754852 AM7.1 DAUI does not work with basic auth
6700722 Don't kill old session during session upgrade
6771038 JESMF auth module integration does not recognise custom modules
6785877 Clear text passwords in debug files when using message level debugging
6653144 Exception handling around LdapSPValidator and DNOrIPAddressListTokenRestriction is poor
6486724 secure cookie flag should be set in CDSSO/cookie hijacking scenario
6702797 Problem with new line chars in authContext during authentication
6770231 goto URLnot validated
6722156 NullPointerException in post auth plugin
6756079 Randomly, some users cannot log in Access Manager despite their login and passwd being correct
6776613 As session timed-out, session time out page is not displayed
6746634 Policy is created but ineffective until AM restarted
6749656 Updating service schema for filtered role privileges
6754195 LDAP servers not correctly closing sockets can cause AM server to hang
6709771 federation session map is not cleaned up if sessions are timed out
6796939 Application based session time out is not working via Dist. Auth
6811036 After upgrade from JES4 cannot login as amadmin in coexistence mode - authentication module is denied
6350438 AM hang under peak load caused by LDAP access within synchronized block
6804294 AM7.1 console does not function correctly if the LB host name resolves to an unreachable IP address
6795308 CDCServlet can make advice available to the wrong client
6754863 amclientsdk bundled with agent 2.2hp5 and 7 has backward compatibility issues
6817037 AM 7.1 cert auth module is not able to use "X509v3 Subject Alternative Name"
6844490 Need to bundle in latest C-SDK into AM server
6816973 User matching is not checked in Session Upgrade case
6769316 Zero page login does not work with distributed authentication
6817344 DA could inadvertently make a connection to an untrusted host
6832763 updateschema.sh script does not take inputted DS host and port
6832765 amconfig after patch install (7.1patch2) gives cryptic error related to Cacao/JMF
6435889 Method Session.getSession fails because RestrictedTokenContext is not set
6837372 "No such Organization found" page shown when primary LDAP is stopped, in legacy mode
6818423 Severing LDAP connection causes sporadic login failure
6755801 AMSDK does not failover to secondary DS if primary DS is down in legacy mode 
 
(from 126357-02)
6619906 AM 7.1 REALM mode: authentication with Unix/SecurID does not pull user profile
6539090 User Based Authentication shows incorrect profile post authentication
6740852 Configuration Items in console can show information
6689601 SAML errors while parsing Assertions "verify AssertionAndGetGSSMap : missing or extra
6665155 AM 7.1 has issues if sub-realm has 2 Active Directory datastores
6712993 Information issue in access manager login
6740071 Zero Page authentication is putting the cookie in the URL
6644879 User can login with empty password in AD module in special case
6636341 AM 7.1 Password Reset Service not showing errors
6603228 Access Manager KeyProvider needs option to use types other than JKS format
6600331 Make composite advice available to underlying authentication modules
6600325 Persistent cookie support
6707604 AMSDK API search control issues with the creation of new instance of search in AM 7.1
6710058 AM 7.1 User can login to amconsole using uid with wildcards such as "amadmi*" or "amad*"
6713147 NPE appears in agent debug log when CDSSO is enabled in J2EE Agent 2.2-01
6713579 ClientTypeManager is not initiated if client detection is disabled
6726583 WebtopNaming.getPlatformServerList() returns empty Vector sometimes during saml2 perforance testing
6727687 Method getPrimaryConnection stops retry and returns a null
6729535 Remote logging fails if incoming request has empty recMsg
6737459 CDC servlet looses subrealm
6666244 Share persistence searches if host,orgdn and search filter are same
6667267 NPE if search attribute does not include amsdkdn
6667756 AMLoginModule should provide access to Account Lockout count
6671815 ProxyPolicyEvaluator doesn't work as expected in Sun Realms in AM 7.1
6674544 Thread lock in LDAPv3Repo
6674688 Need to support force auth
6694162 Sharing psearch can deadlock
6699166 AM 7.1 U1 - Session failover testing throws java.lang.ClassCastException error
6706821 Password reset policy in auth chain module(LDAP) causes authentication failure
6409600 ConcurrentModificationException in AMObjectImpl prevents AMEvents from being delivered
6651832 In Remote auth previous AuthContext is not set even if the request is a session upgrade
6657102 NameCallbacks defaultNames are not available in the dist auth UI
6657112 RedirectCallback not supported in the Remote Auth API
6657667 DistAuth UI cannot process more than 2 callbacks during one page only login
6485237 Need to be able to deploy CDCServlet on the Dist-Auth server
6663135 Remote auth API cannot handle special XML characters in callback values
6666187 CRL validation is not working in war deployment under appserver9.1
6647324 Login page localization does not work with DAUI for AM7.1
6621802 SecurID authentication support on Solaris/x86 platform
6627230 AM7.0 does not set session property UserId to the uid for Cert module
6629110 Under load testing, amconsole experiences memory leak
6745353 AM SDK does not failover to secondary DS properly
6746406 AD data store: Groups from sub branches of a DIT are not visible under Subjects
6761627 Subream admin can login as amadmin at root realm by creating user amadmin in sub-realm
6766363 Re-establishing ldap conn pool under load has problems/race conditions
6638652 amconsole breaks while managing custom attributes added to organizationAttributeSchema
6651757 MAP libraries missing from DAS application
6658586 AMStoreConnection.daysSinceModified() got incorrect days
6666912 DistAuth URI by default does not take you to Login page
6668046 SAMLv2 needs to support failover on Artifact SSO and SLO
6673538 Security permission is missing for CRL validation
6693152 amsdk jar files should include version number in the manifest file
6634276 ExceedRetryLimit message does not show correctly on AM7 with JA locale
6486843 Privileges cannot be defined for a filtered role
6409176 AM authentication issue when Account lockout is enabled in Directory Server
6538181 SMS layer does not update SMS cache when policy schema of a service is changed
6698447 Unnecessary debug error msg when safeword auth fails
6656744 Collection object is not synchronized
 
(from 126357-01)
6473199  Method onLoginFailure instead of onLogout of postprocess is not executed when user logs out
6488432  Policy response to include issueInstant
6494643  Compatibility issue among agent, sdk client and server
6494304  Authschemecondition should support application idle timeout and force authn
6442520  Session upgrade does not work in case
6498405  Some Chinese Characters are not allowed when creating AM managed groups
6513655  Profile attribute set to Ignore doesn't give access to console to TopLevelAdmin Roles
6460780  authN throughput improvements
6532311  Authentication validation rules should prompt user password and not deny user
6541695  Post-auth plug-in changes to support Sharepoint
6507568  LDAP AuthModule does not return correct error when password validation fails
6547061  Need to bundle in new xmlsec.jar due to incorporate fix for 6519471
6499264  Need AuthInstant for every authenticated module Instance
6499268  Support for ForcedAuth using Composite Advice and URL parameter
6498902  Policy client sdk should clear policy decision with advice on first use
6472774  Access manger console user/password does not match sdk installer
6474089  AMUserPasswordValidation class should not be invoked during initial authentication
6476852  Server runs out of PermGen space with several deploy/redeploys
6476899  Bundled AccessManager startup times are huge with JavaEE SDK B08
6485695  In realm mode creating a group creates an administrative role with set of ACIs which never get used
6487880  Authentication type field needs more explanation in online help
6490703  Missing document: Multi instance AM setup on top of DS in MMR without LB
6495293  Service not assigned to users properly using AD plugin
6500868  Exception thrown when debug mode is set to message on client side
6501178  Exception in thread AMTimer
6503706  ClassCastException when trying to get binary attribute
6504377  New user created with AD plugin is inactive
6506448  NPE when doing AMIdentity.modifyService
6515043  The AM and portal server auto configuration failed when installing on zh_TW and es locales.
6521389  Appclient projects require sun-acc.xml to include the AMClientProvider provider-config element.
6523565  Server sample fails to run
6523681  Using an empty username for UserNameToken profile exposes a security hole
6524678  Readme.txt in the SDK install/addons has to be updated.
6524713  Impossible to login to AS Adm. GUI after the execution of java -jar am-configurator.jar
6524796  Deletion of subconfiguration fails when the config name has special characters.
6524854  Document install procedure for application server multiple instances
6525783  AM security doesn't work when using custom keystore
6528549  Need a getBinaryServiceAttribtues api for AMIdentity
6532967  com.iplanet.am.sdk.caching.enabled default value is documented incorrectly
6541622  Auth should not make call to DS for user search when username contains NOT allowed pattern
6542686  Unable retrieve schema info from AD
6543620  Access Manager Policy Agent profiles should be able to apply a digital signature to the service req
6543623  AM Policy Agent profiles should be able to encrypt SOAP request body and SOAP response body
6543625  UserName token authentication should be able to authenticate against a configured LDAP module.
6543626  SOAPRequestHandler should return SSOToken set in the Subject, in addition to X509
6544092  Service schema file for AD
6544177  When using X509 token with an invalid certificate AM always accepts the cert even without root ca
6544585  Unable to login with agent
6545645  New AMIdentity constructor does not work when token has no uuid.
6547440  Verification of unsigned response is passed
6547958  AMSDK doesn't fallback to primary directory server once primary comes up
6549639  Typo in Postinstallation Guide for Single War Deployment
6550261  Additional jar file is required for war generated by config later option
6552218  Restricted token (anti-hijack prevention mode) doesn't work in federated environment
6554372  Dist Auth broken in Websphere and Weblogic
6559603  Need to add boolean configuration flag for request signing
6560931  The provider-id for the Anonymous security mechanism in the provider-config is incorrect
6562414  Incorrect dynamic attr value returned by AD plugin
6563104  AM security fails when running against jdk1.5 on Solaris, Linux and MacOS
6564121  AM 7.1 legacy mode with AS 9.0 J2EE Agent 2.2 doesn't return the requested roles.
6567469  AM can`t be configured properly using old installation contract
6568278  NPE in amclientsdk
6568911  Access Manager Username Token Profile OASIS standard mismatch
6569403  Request with no encryption is not validated
6569870  Addition Fields to Web Service Security Provider and Client Profile Page
6570021  Encryption support for SOAP messages with extra spaces or newline characters
6570022  Error in soapHandler.validateRequest during load testing
6570025  Need help with troubleshooting authorization based on X509 tokens.
6572525  Auto creation of WSS agents do not specify Agent type as WSC or WSP
6573080  System hangs under heavy load in the LdapConnectionPool
6575312  Auth configuration corruption in multi threaded scenario
6576339  Compiler error while deploying identity webservices samples
6576571  Issue with AM 7.1  timeout with(Distributed Auth module)
6577414  UserNameToken-Plain profile does not have a corresponding provider-config entry in domain.xml
6577929  Username Token Created element uses incompatible namespace
6581230  Console can not set response encrypt / decrypt flag value for WSC and WSP
6584794  Authentication Exception due to incorrect handler. 
6584960  Configurator.jsp fails to install on a DS suffix such as 'o=company'
6585444  Anoymous User in AM 7.1 when configured with Distributed Authentication throws server error
6587038  Datastore authentication does not enumerate through all datastore
6587553  DistAuth does not work with subrealms; displays 'Organization not found'.
6587627  FDQN is stripped to just the host name, needs to be preserved
6591245  Stalled Cookie Problem in Distributed Auth User Interface
6591330  Incorrect Lockout Handling
6592311  Auth makes three sms calls to config data store which is causing performance degradation
6571897  After PS installation was able to start AS, reach AS Admin GUI without passwords
6567200  AM7.1 cdcservlet is preserving the policy advice if the Web Server is reusing the same servlet
6592426  SessionServic.getSessionService call always enters the synchronized block even though not required.
6591791  amtune files for WS7 and utils are missing from the patch1 nightly ZIP file
6592884  Session stickyness not working with multisite configuration with WebAgents
6472574  Policy subject result cache is not cleaned up when receiving session notifications
6600057  AM does not report Session notification queue size in the stats.
6601819  Single war needs to support BEA WL 9.2 
6596078  Can not login to AM 7.1 with data store auth module if DS running on non-default port
6583877  IE7: The "continue" button doesn't work when registering a new user without inputting info. 
6603137  Can not create policy with time condition
6609886  AM hangs if Session notification queue is full
6495293  Service not assigned to users properly using AD plugin
6610519  When purge delay is set to 0 we still send two notifications timeout and destroy.
6609003  The usage is not displayed when using the syntax provided. amtune help
6612691  Missing functionalities in distAuth
6611909  realmqualified authscheme perapp timeout is not giving the access to the resource for valid auth
6618961  amadmin CLI sends 5 session validations req/sec for the same session handle
6626786  Server memory leak with repeated application SSOtoken creation and destroy
6621053  Client Certificate authentication broken on WebSphere
6621055  Client Certificate authentication failed on WebLogic
6628235  Single WAR web application cannot be configured with a root suffix with '&' char

--------------------------------
 
For Solaris 8, 9 and 10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.  The following example
installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/126357-06
 
The following example removes a patch from a standalone system:
 
       example# patchrm 126357-06
 
For additional examples please see the appropriate man pages.

-----------------------------
For Access Manager 7.1 patch 3 and higher, there is a dependency on the 
following LDAP JDK patch, which needs to be installed prior to installing 
AM patch
 
platform                patchid
----------             --------------------------
solaris sparc, x86      119725-06 or higher
Linux                   120834-04 or higher
windows                 138905-01 or higher
 
For Access Manager specific patch information and patch installation
instructions, refer to the AM 7.1 patch release notes that is available online.
http://docs.sun.com/doc/819-4683/gfotd?a=view
 
The patch release notes include important information including installation
information, redeployment instructions and workarounds for known issues and limitations.