Patch-ID# 120091-12

NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE.  BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT.  IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************

Keywords: access manager security

Synopsis: AM 6.2_x86: Sun Java System Access Manager

Date: May/03/2006

Install Requirements: See Special Install Instructions

Solaris Release: 9_x86

SunOS Release: 5.9_x86

Unbundled Product: Sun ONE Access Manager

Unbundled Release: 6.2

Xref: This patch is available for sparc as patch 115766-12 and for Linux as patch 119409-12

Topic: Sun Java System Access Manager

Relevant Architectures: i386

BugId's fixed with this patch:
4847369 4872249 4987109 5013718 5013729 5015054 5031902 5040055 5046174 5048378
5051401 5052696 5055145 5056660 5060050 5060560 5063149 5064043 5072454 5076037
5079696 5083368 5083387 5083405 5085363 5086581 5087540 5090018 5093089 5094149
5095724 5097235 5097909 5099037 5102536 5102680 5105263 5107381 5107637 5109607
6178909 6185149 6185928 6197111 6198000 6201986 6202838 6202840 6204178 6206629
6214677 6215016 6217200 6218242 6221330 6222704 6226769 6228648 6232251 6235384
6236892 6237056 6237190 6241717 6243214 6245634 6251148 6254890 6254917 6260601
6260941 6265175 6267130 6269826 6274185 6276972 6277864 6285085 6292616 6292838
6293833 6294440 6297065 6297076 6308771 6308982 6320475 6330306 6331016 6350438
6351524 6354057 6381655 6384492 6385019 6387712 6398604

Changes incorporated in this version: 6354057 6398604 6385019

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/opt/SUNWam/config/AMConfig.properties.template
/etc/opt/SUNWam/config/ldif/install.ldif
/etc/opt/SUNWam/config/xml/amAuth.xml
/etc/opt/SUNWam/config/xml/amAuthSafeWord.xml
/etc/opt/SUNWam/config/xml/amProviderConfig.xml
/etc/opt/SUNWam/config/xml/amSession.xml
/opt/SUNWam/bin/amas70config
/opt/SUNWam/bin/amwl61config
/opt/SUNWam/bin/amwl81config
/opt/SUNWam/console.war
/opt/SUNWam/docs/am_public_javadocs.jar
/opt/SUNWam/dtd/amAdmin.dtd
/opt/SUNWam/dtd/policy.dtd
/opt/SUNWam/dtd/sms.dtd
/opt/SUNWam/introduction.war
/opt/SUNWam/lib/am_logging.jar
/opt/SUNWam/lib/am_sdk.jar
/opt/SUNWam/lib/am_services.jar
/opt/SUNWam/lib/am_sso_provider.jar
/opt/SUNWam/lib/iaik_jce_full.jar
/opt/SUNWam/lib/xalan.jar
/opt/SUNWam/lib/xercesImpl.jar
/opt/SUNWam/lib/xml-apis.jar
/opt/SUNWam/locale/LC_MESSAGES/am_auth_unix_keys.mo
/opt/SUNWam/locale/LC_MESSAGES/backup_restore.mo
/opt/SUNWam/locale/LC_MESSAGES/dpscripts.mo
/opt/SUNWam/locale/LC_MESSAGES/multiserverscripts.mo
/opt/SUNWam/locale/amAdminCLI.properties
/opt/SUNWam/locale/amAdminModuleMsgs.properties
/opt/SUNWam/locale/amAuth.properties
/opt/SUNWam/locale/amAuthSafeWord.properties
/opt/SUNWam/locale/amAuthUI.properties
/opt/SUNWam/locale/amProviderConfig.properties
/opt/SUNWam/locale/amSession.properties
/opt/SUNWam/locale/getEncoding.class
/opt/SUNWam/migration/61to62/scripts/Upgrade61DitTo62
/opt/SUNWam/migration/61to62/scripts/locale/LC_MESSAGES/upgradescripts.mo
/opt/SUNWam/password.war
/opt/SUNWam/samples/appserver/amsamples.war
/opt/SUNWam/services.war
/usr/share/lib/identity/console-war/WEB-INF/lib/am_console.jar
/opt/SUNWam/bin/amws61config

Problem Description:

From 120091-12
==============
6354057 : ErrorCodes_ja.props in patch 115766-08 is broken
6398604 : Profile is not created with userCreationAttributes from external LDAP if password has to be changed
6385019 : Double clicking login button can crash WS if login module calls HttpServletResponse.addHeader

From 120091-11
==============
6381655 : An enhanced pre61to62upgrade script with error checking is requested
6384492 : script Upgrade61DitTo62 does not validate passwords
6387712 : notification requests can cause a build up of CLOSE_WAIT connections

From 120091-10
==============
6308982 : Need population of module specific customized error message and error template via Auth remote API
5094149 : auth does not set error message/template in the xml message
6330306 : Access Manager SDK HttpsURLConnection uses a plain socket when retrying a failed connection
6351524 : LDAP search time during policy evaluation is too long when there are thousands of users in a group
6350438 : AM hang under peak load caused by LDAP access within synchronized block
6201986 : AM SDK can not handle user credentials with '&' and '<' characters

From 120091-09
==============
6308771 : "Pluggable User Status Event Classes" does not exist in the GUI, under core authentication
6269826 : login password in debug mode shown in plain text in amAuth debug file
6245634 : Too many invalid session requests could cause a server hang
6292616 : AM sdk clients need restart after svc schema change
6237190 : Need to escape the special characters in session xml messages
5064043 : Identity Server running on two networks cannot distinguish between addresses
6320475 : com.iplanet.am.session.client.polling.enable on server side must not be true
6276972 : Delay in AM6.3 failover to secondary ldap directory
6331016 : logging out of a server using a remote session does not destroy the session

From 120091-08
==============
6297065 : Improve AM6.2 patch building mechanism to keep patchID only in one place
6297076 : Cleanup AM6.2 patch README file to eliminate manual steps
6228648 : Attribute iplanet-am-role-managed-container-dn of a filtered role not read with fix for Bug 6217200
6265175 : It is not possible to apply AM hotpatches on systems which have not installed a complete Access Manager
6292838 : iplanet-am-role-display-options not processed correctly for Filtered Roles
6293833 : Exception thrown when removing members from static group
6294440 : LDAP authentication module can prompt user to change their password prematurely

From 120091-07
==============
6221330 : API getFilteredRoleDNs and getAllRoleDNs of AMUser/AMUserImpl do not check whether the roleDNs of a user have objectclass "iplanet-am-managed-role" and "iplanet-am-managed-filtered-role"
6251148 : Authenticator ID is being stransmission of Radius client request.
6260601 : AM6.2 patch does not run on x86 platforms
5083387 : amadmin cli cannot add subconfiguration if subConfigName contains "/"
6254917 : Minor Version in the SAML Response and Assertion part are mismatched
6232251 : Auth UI does not always honor gotoOnFail parameter
6267130 : AM6.2 patches failed to apply on a system with only AM SDK installed
6260941 : AM does not work correctly from behind a proxy server
6274185 : AM6.2 patch6 breaks soft link of AMConfig.properties
5056660 : Changing an ldap user's password does not work when the password is about to expire
6277864 : AM6.2 patch6 included wrong xercesImpl.jar and xml-apis.jar

From 120091-06
==============
6226769 : Makefiles need to be changed to pick up fix of 6221011 on ldapjdk.jar 4.16.1
5079696 : Searching for another ldap subject after selecting one subject throws error
5048378 : Inconsistent usage of com.iplanet.am.smtpport property
6236892 : Image/Text placeholder while CDCServlet is processing the AuthNResponse after Login
6185928 : AM6.2HP2 - Default "LoginURL" does not work when SSL is terminated externally
6218242 : Access Manager does not handle List types in group selection
6237056 : AM6.2 patch 4 should redeploy services.war to update Login.jsp for a bug fix
6241717 : 6.2patch4 fails to update classpath for xml jars
6243214 : Issues when installing AM6.2 patches
6254890 : ApprovalCallback has to have a property which makes AM server trust only servers listed in AMConfig.properties

From 120091-05
==============
6214677 : Policy API not extracting policy correctly in certain circumstances.
6235384 : AM6.2 backout issue

From 120091-04
===============
5076037 : locale parameter not set correctly in non JAAS Thread model
6198000 : Back button on invalid session breaks goto
6202838 : Back button breaks goto URL
6202840 : Session history keeping Goto URLs around
5107637 : Already logged in - an incorrect wording
6206629 : WebLogic J2EE Agents have persistent LDAP connections closed by load balancer due to idle
6204178 : there is no way to terminate a session created by application auth module
6222704 : Pre/Post processing doesn't work for password changes
6217200 : users in filtered admin roles are not redirected to the admin console.

From 120091-03
===============
5046174 : Non-JAAS thread implementation to 6.2 in auth framework in order to prevent DOS attack
5086581 : Non JAAS Thread Mode - Cert Auth Module Sample not working
6185149 : AddDefaultValues doesn't add default value for an existing service
5087540 : Error "modification of profile fail" when adding a user to a group.
6197111 : AM6.2 HP2 does not seem to be patching the WAR staging area, instead it is patching the exploded areas
4847369 : Logs getting inconsistent values for IP address
6215016 : Module parameter in url cannot be carried into new org login page

From 120091-02
===============
5107381 : Recursive user-profile look-up in Certificate Authentication
5102680 : CRLValidation does not work on AM6.2 due to GeneralNamesException class being dropped in JDK 1.4.2 and above.
5085363 : Identity Server running on two networks cannot distinguish between addresses
5093089 : TCP sessions build up to a point where the machine runs out of file descriptors.
5083405 : Authentication failed page leads to "AuthnRequest is not Valid"
6178909 : Can not install AM6.2HP1 when SSL is enabled on DS
5105263 : AM6.2 - Reauth with invalid credential should show error
5099037 : Need to make AuthenticationLocality configurable
5083368 : Threading and performance problem in federation and de-federation scenario
5102536 : Unable to modify trusted provider list after a provider had been deleted
4987109 : possible bug in preserving referential integrity of objects [ subs & policies ]

From 120091-01
===============
4872249 : Subject eval should be outside of the policy
5052696 : Session and Auth Objects don't get cleaned up completely after a login/timeout
5031902 : Policy Cache not cleaned up correctly
5040055 : readACL - search ACL in the search engine does not work with filtered roles
5060050 : iPlanet Portal Server 6.3 Service definitions do not pop up
5015054 : There should be a way to configure the redirect url on identity server
6285085 : revision number changes for SMS.dtd
5072454 : pre61to62upgrade script hangs, using wrong Directory Server instance path
5097909 : Web Server crashes in liberty when accessed by multiple clients
5055145 : Identity Server preupgrade script removes the locale directory but not the localization package.
5060560 : not refreshing cache
5013729 : Policy state is made inconsistent after the Policy Service is deleted
5013718 : Safeword connections are not closed by Identity server
5090018 : LDAP Auth fails when authenticating against OpenLDAP
5109607 : Xalan2.6 upgrade
5095724 : Logout action leads to 'ServerError'
5097235 : XML configuration for authentication modules does not work as expected
5051401 : login error message rendered with "null\n"
5063149 : SSO tokens created by internal auth api fail on policy evaluation.
Patch Installation Instructions:
--------------------------------
Back up the following files before applying the patch:

  amAdminConsole.xml
  amAuth.xml
  amAuthSafeWord.xml
  amProviderConfig.xml
  amAdminCLI.properties
  amAdminModuleMsgs.properties
  amAuth.properties
  amAuthSafeWord.properties
  amAuthUI.properties
  amProviderConfig.properties
  AMConfig.properties
  Login.jsp
  membership.jsp
  new_org.jsp

For Solaris 8 and 9 releases, refer to the man pages for instructions on
using the 'patchadd' and 'patchrm' scripts provided with Solaris. Any other
special or non-generic installation instructions are described below under
Special Install Instructions.

The following example installs a patch on a standalone machine:

  example# patchadd /var/spool/patch/120091-12

When the postpatch script is executed, it asks one to three questions about
the server instance path.

If Identity Server is running on Web Server, you will be asked this question:

  What is the path of the WS 6.1 instance [/opt/SUNWwbsvr/https-hostname.domainname] ?

If Identity Server is running on Application Server, the following question
will be asked:

  What is the path of Application Server instance [/var/opt/SUNWappserver7/domains/domain1/server1]

When Identity Server is running on Application Server and the Identity Server
applications have been redeployed multiple times, the application root path
can vary. In this case you will be asked to input the correct path to the
deployment directory of the /amserver and /amconsole applications:

  What is the path of the deployment directory of /amserver [/var/opt/SUNWappserver7/domains/domain1/server1/applications/j2ee-modules/amserver_1] ?

  What is the path of the deployment directory of /amconsole [/var/opt/SUNWappserver7/domains/domain1/server1/applications/j2ee-modules/amconsole_1] ?

Besides the above, two more questions are asked:

  What is the dn of the Directory Manager [cn=Directory Manager]

  What is the password for the Directory Manager []

Restart Sun ONE Identity Server once the patch has been installed successfully.

The following example removes a patch from a standalone system:

  example# patchrm 120091-12

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------
For Access Manager Server specific patch information and patch installation
instructions, refer to the included patch release notes file, rel_notes.html,
located inside the patchID directory once the file has been unzipped. The
patch release notes include must-read information, including installation
information, redeployment instructions, instructions on how to deal with
customized auth jsp files, and workarounds for known issues and limitations.

README -- Last modified date: Wednesday, May 3, 2006
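The installation instructions above ask for a backup of the listed configuration, locale and jsp files before running patchadd, but give no procedure for it. The following POSIX sh script is an added example, not part of Sun's README or of the patch itself: it copies those files into a backup directory, preserving their relative paths, and writes a cksum manifest so the copies can be verified before a patchrm or a manual restore. It assumes the default Solaris locations from the "Files included" list for the files under /etc/opt/SUNWam and /opt/SUNWam; the jsp files live in a container-specific deployment directory, so JSP_DIR is a placeholder that must be set for the actual server.

```shell
#!/bin/sh
# Added example (not from the Sun README): snapshot the files the README says
# to back up before 'patchadd 120091-12', with a checksum manifest.
# Assumption: JSP_DIR is a placeholder for the directory of the deployed
# amserver web application that holds Login.jsp, membership.jsp, new_org.jsp.
JSP_DIR="${JSP_DIR:-PLACEHOLDER_AMSERVER_DEPLOY_DIR/config/auth/default}"

# Paths relative to the root handed to backup_am_config (use "/" on a server).
# The xml/properties locations are the defaults from the README's file list.
am_backup_list() {
    cat <<EOF
etc/opt/SUNWam/config/AMConfig.properties
etc/opt/SUNWam/config/xml/amAdminConsole.xml
etc/opt/SUNWam/config/xml/amAuth.xml
etc/opt/SUNWam/config/xml/amAuthSafeWord.xml
etc/opt/SUNWam/config/xml/amProviderConfig.xml
opt/SUNWam/locale/amAdminCLI.properties
opt/SUNWam/locale/amAdminModuleMsgs.properties
opt/SUNWam/locale/amAuth.properties
opt/SUNWam/locale/amAuthSafeWord.properties
opt/SUNWam/locale/amAuthUI.properties
opt/SUNWam/locale/amProviderConfig.properties
$JSP_DIR/Login.jsp
$JSP_DIR/membership.jsp
$JSP_DIR/new_org.jsp
EOF
}

# backup_am_config ROOT DEST: copy every listed file that exists under ROOT
# into DEST (keeping the relative path, mode and mtime) and append
# "<crc> <relative path>" to DEST/MANIFEST. Prints the number of files copied.
backup_am_config() {
    root="$1"
    dest="$2"
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST"
    n=0
    for rel in $(am_backup_list); do
        src="$root/$rel"
        if [ ! -f "$src" ]; then
            echo "absent, skipped: $src" >&2
            continue
        fi
        mkdir -p "$dest/$(dirname "$rel")" || return 1
        cp -p "$src" "$dest/$rel" || return 1
        # cksum on stdin prints "<crc> <size>"; keep only the crc.
        set -- $(cksum < "$src")
        echo "$1 $rel" >> "$dest/MANIFEST"
        n=$((n + 1))
    done
    echo "$n"
}

# verify_am_backup DEST: recompute the crc of every copy named in the manifest
# and fail (non-zero status) if any copy is missing or altered.
verify_am_backup() {
    dest="$1"
    bad=0
    while read -r crc rel; do
        if [ -f "$dest/$rel" ]; then
            set -- $(cksum < "$dest/$rel")
        else
            set -- 0 0
        fi
        if [ "$1" != "$crc" ]; then
            echo "checksum mismatch or missing copy: $rel" >&2
            bad=$((bad + 1))
        fi
    done < "$dest/MANIFEST"
    [ "$bad" -eq 0 ]
}

# Usage on a server, before patchadd (the backup directory is an assumption):
#   backup_am_config / /var/tmp/am62-pre-120091-12 \
#     && verify_am_backup /var/tmp/am62-pre-120091-12
```

Files that are not present are reported on stderr and skipped rather than aborting the backup, because the jsp files are only present once the web application has been deployed; the manifest is what lets an administrator confirm, before running patchrm, that the copies to be restored are the ones taken before the patch.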