Patch-ID# 120954-04

NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF
THE TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************

Keywords: access manager security

Synopsis: AM 7.0: Sun Java System Access Manager 2005Q4

Date: Nov/06/2006

Install Requirements: NA

Solaris Release: 8 9 10

SunOS Release: 5.8 5.9 5.10

Unbundled Product: Sun Java System Access Manager

Unbundled Release: 7.0

Xref: This patch is available for i386 as patch 120955-04 and for Linux as patch 120956-04

Topic: Sun Java System Access Manager

Relevant Architectures: sparc

BugId's fixed with this patch:
5088144 6202135 6204679 6215016 6236892 6244578 6246905 6269853 6269858 6273148
6281358 6282777 6283582 6289589 6291287 6292616 6293673 6293720 6294440 6294618
6295075 6295078 6295081 6295524 6295834 6296108 6298433 6298462 6299621 6303917
6303975 6305268 6306605 6306833 6307920 6308982 6309830 6309907 6310356 6311985
6313117 6314342 6318296 6319028 6320046 6320475 6321128 6321616 6323367 6323368
6323608 6324349 6325333 6325343 6326050 6326634 6327691 6327802 6327836 6328018
6328362 6328396 6330306 6330678 6330679 6330685 6330687 6330747 6331016 6333870
6334633 6335137 6336904 6337063 6337106 6337160 6337701 6338418 6338582 6339025
6340418 6340625 6340918 6341686 6341737 6342097 6342223 6342313 6342725 6343531
6345189 6345362 6346904 6346908 6346918 6347568 6348888 6349244 6349253 6349959
6349962 6350126 6350573 6351524 6351948 6352008 6352076 6354073 6356127 6356473
6356670 6356715 6356879 6357625 6359266 6360631 6361191 6362232 6362297 6362300
6363157 6363399 6366215 6366219 6367058 6368218 6369227 6369341 6369414 6369745
6370252 6370350 6370360 6370363 6371584 6371762 6373302 6373328 6373458 6373599
6374669 6374846 6376650 6379325 6380680 6381655 6382633 6384339 6384379 6384492
6385184 6385185 6385696 6385710 6385729 6386277 6387712 6388327 6388549 6389019
6389196 6389564 6390379 6395463 6396409 6396494 6396913 6397102 6400814 6402490
6406621 6406729 6408727 6409584 6410007 6410312 6411060 6413030 6413589 6413597
6416012 6418545 6419295 6419838 6421328 6422875 6422876 6422877 6422878 6422879
6422901 6423547 6423781 6425383 6426044 6426050 6426055 6426056 6426505 6426508
6426515 6426517 6426900 6428296 6429236 6429368 6429610 6429932 6430126 6431798
6432893 6432969 6433637 6434881 6435889 6435983 6436152 6436482 6436910 6436913
6437042 6437423 6440691 6440697 6443758 6444030 6445678 6449563 6450565 6463730
6463779 6463796

Changes incorporated in this version:
6463730 6435889 6463779 6463796

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:
/etc/opt/SUNWam/config/AMConfig.properties.template
/etc/opt/SUNWam/config/serverconfig.xml.template
/etc/opt/SUNWam/config/xml/template/amDisco.xml
/etc/opt/SUNWam/config/xml/template/amSOAPBinding.xml
/etc/opt/SUNWam/config/xml/template/idRepoService.xml
/opt/SUNWam/Makefile.distAuthUI
/opt/SUNWam/README.distAuthUI
/opt/SUNWam/amauthdistui.war
/opt/SUNWam/amclient.war
/opt/SUNWam/bin/amas70config
/opt/SUNWam/bin/amas81config
/opt/SUNWam/bin/amconfig
/opt/SUNWam/bin/amsdkconfig
/opt/SUNWam/bin/amsfo
/opt/SUNWam/bin/amsfoconfig
/opt/SUNWam/bin/amsvcconfig
/opt/SUNWam/bin/amtune/amtune-directory.template
/opt/SUNWam/bin/amtune/amtune-env
/opt/SUNWam/bin/amtune/amtune-identity
/opt/SUNWam/bin/amtune/amtune-os
/opt/SUNWam/bin/amtune/amtune-prepareDSTuner
/opt/SUNWam/bin/amtune/remacis.ldif
/opt/SUNWam/bin/amutils
/opt/SUNWam/bin/amwas51config
/opt/SUNWam/bin/amwl81config
/opt/SUNWam/bin/amws61config
/opt/SUNWam/console.war
/opt/SUNWam/docs/am_public_javadocs.jar
/opt/SUNWam/dtd/Auth_Module_Properties.dtd
/opt/SUNWam/dtd/remote-auth.dtd
/opt/SUNWam/include/am.h
/opt/SUNWam/include/am_log.h
/opt/SUNWam/include/am_map.h
/opt/SUNWam/include/am_policy.h
/opt/SUNWam/include/am_properties.h
/opt/SUNWam/include/am_string_set.h
/opt/SUNWam/include/am_types.h
/opt/SUNWam/include/am_web.h
/opt/SUNWam/lib/am_logging.jar
/opt/SUNWam/lib/am_sdk.jar
/opt/SUNWam/lib/am_services.jar
/opt/SUNWam/lib/am_sessiondb.jar
/opt/SUNWam/lib/amclientsdk.jar
/opt/SUNWam/lib/amsfo.conf
/opt/SUNWam/lib/libamsdk.so.2
/opt/SUNWam/locale/LC_MESSAGES/amsfoconfig.mo
/opt/SUNWam/locale/amAdminCLI.properties
/opt/SUNWam/locale/amAuth.properties
/opt/SUNWam/locale/amAuthUI.properties
/opt/SUNWam/locale/amConsole.properties
/opt/SUNWam/locale/amIdRepoService.properties
/opt/SUNWam/locale/amPolicy.properties
/opt/SUNWam/locale/amPolicyConfig.properties
/opt/SUNWam/locale/amSOAPBinding.properties
/opt/SUNWam/locale/amSessionDB.properties
/opt/SUNWam/migration/61to62/scripts/Upgrade61DitTo62
/opt/SUNWam/password.war
/opt/SUNWam/samples/csdk/README.TXT
/opt/SUNWam/samples/csdk/am_log_test.c
/opt/SUNWam/samples/csdk/am_sso_test.c
/opt/SUNWam/services.war
/usr/share/lib/identity/console-war/WEB-INF/lib/am_console.jar
/opt/SUNWam/share/bin/amtune/amtune-utils

Problem Description:

120954-04
=========
6463730 XSS vulnerability with the goto and gx-charset parameters
6435889 Method Session.getSession fails because RestrictedTokenContext is not set
6463779 DistAuth's amProfile_Client and AM Server's amProfile_Server get filled with harmless exceptions
6463796 Disabling iPlanetAMClientDetection service for genericHTML prevents access to any AM HTML page

120954-03
=========
6327802 Policy does not support Active Directory group as policy subject
6406729 Mixed-case static role from ldapv3 datastore causes duplicate JAAS Principals on agent container
6406621 amsfo script always starts the default instance instead of the JMQ instance in the amsfo.conf
6408727 amsfo should have an option to include amsessiondb arguments
6413030 LDAP Auth module creates new thread for each request if primary LDAP server is down
6416012 SAML2 auth module is wrongly treated as pure JAAS module
6351948 .version file not showing the correct product name
6400814 Erroneous caching of a condition evaluation
6419295 Connections to LDAP server not disconnected after bind(amldap) user auth failure
6381655 An enhanced upgrade script with error checking is requested
6384492 Upgrade script does not validate passwords
6215016 module parameter in url cannot be carried into new org login page
6331016 Logging out of a server using a remote session does not destroy the session
6323368 AMUser.addEventListener does not notify and throws Exception
6388327 AMEvent objects created without the sourceDN
6389196 LDAP connectionpool should be indexed with DS root suffix
6422901 Auth NPE when user/passwd is null
6339025 UserID & Password validation plugin is not fully functioning when defined at the organization level
6409584 Multiple AMObjectImpl are not registered in the AMEvent mechanism
6422875 Auth should always set the lbcookie value with the server ID
6422877 Policy clients are not sticky to the Server
6422878 Session Client does not replay the amlbcookie in the requests
6422879 Client sdk does not replay the amlbcookie
6389564 Repetitious successive queries on role memberships of user in an ldapv3 data store, during AM login
6418545 IdRepo cache is not getting updated after modifying the agent configuration
6379325 Accessing console during session-failover throws NullPointerException
6426044 Naming url fail-over issue with J2EE Agent
6426050 Delay in Detecting Site Failure - SiteMonitor URL Connection Issue
6426055 User getting 403 error in case of site failure instead of automatic redirection to Login page
6426056 Jaxrpc URL is not failing over to the other site, when primary site goes down
6422876 Dist auth does not set the amlbcookie from the server, it sets its own amlbcookie
6429368 Session constraint not enforced when top-level admins exempt in Session configuration in Console
6373599 (re-worked) Need to modify session code to migrate AM SDK apis to IDRepo interfaces
6321616 AuthnContext Not Correctly Handled in AuthnRequest and AuthnResponse
6389019 Authlevel/authentication context class ref is lost if no fedCookie present
6413597 Session Failover is not working when ignore user profile is turned on
5088144 amadmin can't remove an Entity Descriptor of a Provider
6362300 Need to make it easy to create dual hosted entity (both SP & IDP)
6411060 Profile attributes, dn and entrydn, are not returned to the Agent with amSDK repo plugin
6390379 Normal user console login emits warning message with exception in amIdm debug file
6430126 Logout displays "Auththentication Exception" if user session is recovered in SFO mode
6445678 Cannot set Liberty ID-FF version with amadmin when creating a provider
6349244 Misconfiguration in Realm Data store or authentication repository causes console to become inaccessible
6374669 Change of bind DN in the LDAPauth does not take effect until server restart
6382633 Policy Client does not create APPSSOToken when APPSSOToken is invalid
6386277 Dist-Auth not capable of destroying http-session on logout/timeout of session on AM server
6395463 SSOToken.getPrincipal().getName() does not return a user DN
6410007 Duplicate searches made by IDRepo
6410312 Excessive directory server calls made by idrepo during policy evaluation
6413589 7.0 patch2 - Authentication fails in session upgrade case with NPE
6419838 jaxrpc failover not working properly with multisite failover
6421328 Session Polling does not work as expected
6423547 Call to SSOToken.getPrincipal().getName() does not return valid DN
6423781 samlp:Responder code is not processed correctly in single logout service
6425383 amadmin input user shouldn't be case sensitive
6426505 User account unusable after two SP users federate with same IDP user
6426508 Need to detect case when federation information does not exist on SP side
6426515 Need to return correct error code to caller in case of account lockout
6426517 Need to return special status code in case account lockout in SP side
6426900 Setting up CDSSO configuration with Policy Agent 2.2 on Web Logic 8.1 SP4
6428296 SAML artifact profile doesn't pass all the parameters in TARGET url
6429236 Click on user level services throws ERROR Processing the request
6429610 Unable to create SSO token in ID-FF single sign-on use case
6429932 Problems with Password Reset Service for users under OU in 7.0 Legacy Mode
6431798 Permission to perform the service operation denied
6432893 Single Logout causes preLogin process if no session exists
6432969 Support for ID-WSF1.1
6433637 Site Monitor has to check all server down case
6434881 Get LDAP error when loading accountLockoutData.xml
6435889 Method Session.getSession fails because RestrictedTokenContext is not set
6435983 J2EE Policy Filter mode stops working with AM 7.0 Patch 3
6436152 (legacy mode) amconsole: error on next page select for agents
6436482 LDAP module failover hangs when primary server is down
6436910 Distributed authentication UI web application makes 2 calls to AM server when invoked as 0 page login
6436913 User profile set to "Ignored" causes problem to Distributed Auth and J2EE agents
6437042 Patch add replaces amsfo and amsfo.conf and overwrites the original file
6437423 ID-FF Name Registration failed using HTTP Redirect profile
6440691 DistAuth configuration required explicit JAXRPC url end point in case of multisite configuration
6443758 Persistence Cookie functionality broken after applying patch 120954-02 on AM 7 with 120954-01
6444030 DistAuth has to support CertAuth
6440697 Dist Auth running as non-amAdmin user - remote SM read exception
6385184 Re-direct from within a custom auth module when SSOToken is still in INVALID STATE
6385185 PostAuthModule must be able to override the "goto" URL and specify a different URL
6370363 IDFF : RelayState with > 1 query parameters fails SSO
6450565 Console does not display People Containers with non default naming attribute
6449563 LDAP authentication: Header Replacement does not work

120954-02
=========
6330306 Access Manager SDK HttpsURLConnection uses a plain socket when retrying a failed connection
6342097 When Cert CRL is enabled, too many LDAPConnections open and never get closed, this causes memory leak
6345189 Web agent has to get right naming table even when it is configured with multiple LBs
6351524 LDAP search time during policy evaluation is too long when there are thousands of users in a group
6244578 AM should warn user that the browser cookie support is disabled/not available
6360631 Session not terminated through session management
6319028 Clientsdk does not handle exceptions in the SOAP message
6282777 Implementing TTL on amsdk cache
6337063 Adding a sub-organisation using Access Manager 7.0 in JES4 breaks the gateway and Access Manager
6293673 Need to retain the original session information when sending out session timeout notification
6369414 Not able to get session property in token listener callback after timeout
6357625 ID-FF 1.1 AuthContext includes AuthContextComparison
6299621 Legacy mode: Get Invalid user's location when login as an admin user that was created from newconsole
6349253 PostProcessor and a custom policy condition classes set attributes to the SSOToken, they are lost
6352008 SOAP object does not set the SOAPAction header when transported over HTTP(s) in the SAML request
6269858 AM SDK Cache/ID Repo Cache - Cache size grew substantially between 6.3 and 7.0
6328018 Authentication instance still displayed after being deleted
6340918 Dynamic group/Membership Filter is not updated after saving the changes
6348888 SDK does not check if the IDRepo Plugin supports role memberships
6349962 After removing "AMSDK" plugin in root realm, "amadmin" cannot view the administration page
6356127 Remote Auth does not work if Access Manager instances are running behind a non-sticky load balancer
6359266 DistAuth Fails in the session upgrade scenario
6361191 Trouble to deploy the war of Distributed Authentication on BEA WebLogic
6362232 AM 7.0 patch 1: Client SDK installations cannot be patched
6362297 Wrong entity ID is sent in case of failed single logout
6366219 Policy Evaluation failure with cn as search attribute
6369341 Need to set Attributes passed down from IDP in Assertion as properties on SSO token on SP side
6370252 Distributed Auth after patch1: Click to relogin after logout gives 500 error
6370350 Dist Auth Not working after failed auth - unable to clear authContext /unable to invalidate session
6370360 Attribute based authZ - add LDAPFilterCondition support to AccessManager
6371584 Distributed Auth after patch 1 cannot loadbalance across dist-auth servers
6371762 AM7 console exception for user with multiple roles, user cannot use console
6373328 Provide correct notification URL in the Makefile.distAuthUI
6373458 Unable to modify "iplanet-am-session-quota-limit" for user in ldapv3 data store
6374846 AM 7.0 Group Members filter only works with *
6376650 New authentication services are displayed in the global (config) section
6373302 Unable to load /portal web application after AMSDK upgrade
6368218 Login fails since Auth throws Null Pointer Exception
6369745 Auth framework needs to append suffix to user principal in case of ignore profile
6350126 Add "User profile" core authn parameter to session
6380680 Destroy Session is not working in LB setup for AM7.0
6269853 User id is null when user id or password is null
6354073 Certificate Mapping authentication module is not flexible
6320046 User name is displaying as 'null' in the Lockout notification mail
6385729 NPE in 7.0 if Federated Identity where in IDP and SP act simultaneously
6340625 JVM option java.util.logging.manager=com.sun.identity.log.LogManager being set in Websphere's xml
6384339 Policy decision returning more than expected ldap attributes
6384379 LDAP attribute names returned from AM are in lower case
6385696 Existing and new IDP's and SP's are not visible
6367058 UWC SSO fails after applying 7.0patch1 (Note: This bugid is the same as 6343534, previously documented in earlier patch revision)
6388549 Server hangs forever when one of the LDAPv3 plugin config is incorrect
6369227 Cert auth module maps full cert subject DN to LDAP attribute value
6385710 Single Logout Request causes Server Error
6396409 LDAPv3 datastore against sun DS keeps looping the psearch connections
6396913 ldapv3 getAttributes call fails if naming attribute is multivalued, resulting in login failure
6397102 LDAP Connections abandoned by LDAPv3 plugin if wrong user password is specified for datastore
6396494 Removing users from static groups with amadmin fails
6387712 Notification requests can cause a build up of close_wait connections
6202135 Auth taglib target attribute incorrectly quoted
6236892 Image/Text place holder while CDCServlet is processing the AuthNResponse after Login
6283582 Num of login failures are not shared across AM instances
6363157 Need to disable unnecessary persistent searches which affect performance
6402490 DSTModify Operation throws exception
6373599 Need to modify session code to migrate AM SDK apis to IDRepo interfaces

120954-01
=========
6289589 Incorrect ldap server info is causing the UI not to display the LDAP related subjects in console
6295075 legacy: Reset button does not work for Client Detection/edit page
6204679 amadmin failed with no specific error message for a valid xml file but with uppercase suffix
6273148 Could not add/delete/modify discovery service resource offerings
6246905 Wrong error msg for Single Sign-On Failure Redirect URL
6291287 Policy UI for condition by auth level displays wrong values for auth level
6310356 amwas51config incorrectly using WL8_PROTOCOL when setting values for naming and notification URL's
6298462 amsfoconfig fails on linux 2.1 server
6298433 amsfoconfig has incorrect permissions on linux 2.1
6292616 AM sdk clients need restart after svc schema change
6305268 Problem with idrepo ldapv3 plugin and openldap
6308982 Need population of module specific customized error message and error template via Auth remote API
6309830 Adding more amadmin properties in the console is changing the amadmin user password
6296108 realm: Exception error when selecting a user from a new Realm contains the default v3 info
6313117 Client SDK (amclientsdk.jar) throws error messages that permission denied for reading config data
6294440 LDAP authentication module can prompt user to change their password prematurely
6320475 com.iplanet.am.session.client.polling.enable on server side must not be true
6306605 AM does not deploy on WebSphere with non-default URI's
6318296 Can't remove Session Service configuration for a subrealm
6311985 CDC: CDC Servlet redirecting to the invalid login page when Policy condition is specified
6325343 amclientsdk.jar doesn't handle localized content in utf-8 properly
6325333 Request to add InternalSession.getObject/InternalSession.setObject() methods
6309907 postprocess plugin defined for a Named config does not execute for role based auth
6328396 IDrepo Gives exception while storing new attribute with LDAPV3 plugin
6324349 JAXRPC classcast exceptions cause initialization failure for portal webapp
6295524 amwl81config: typo prevents wireless_rendering.jar and wireless_rendering_util.jar from being used
6306833 Modification notification mail is sent when other attribute is changed
6303975 Memory leak in distributed Auth
6330678 IdRepo doesn't cache sub entries of ou=users,ou=default,ou=globalconfig,ou=1.0,ou=sunidentityreposit
6330687 There are 4 directory searches for each authentication
6314342 Unnecessary object creation of Notification/NotificationSet in session service cause perf. problem
6281358 AM legacy mode: Deletion Notification does not work
6293720 legacy: Created groups are not placed under Groups container
6294618 After first click on Directory Management tab, sub-tabs do not appear
6295081 legacy: Should prevent Orgs, Containers, People Con, user, roles to be created under grp Container
6295834 Changing password via console with debug 'message' logs changed password in amProfile
6303917 Deprecating SiteAttributeMapper overwrites new PartnerSiteAttributeMapper in SAML
6321128 Special characters (&) in SAML statements should be encoded
6323367 AM70 does not allow customers to get the uuid through command line or console
6323608 AuthContext object instances/bytes linger/leak even after user logouts and session/idle timeouts
6326050 Session event should be sent when the pre-authentication session times out
6326634 SAML: Duplicate Trusted Partner console edit errors
6327691 UrlAccessAgent SSOToken is expiring as the Application module does not return the special user DN
6327836 Distributed Authentication service to be not required to stick to one server for LB deployments
6328362 Federation performance is slow compared to 6.3
6330679 Auth model cannot be created due to lack of page session data
6330685 Include AM Server healthcheck JSP within services.war
6330747 Unable to assign Named Config (created in sub-realm) to a role
6333870 Adding a DNS/Aliases name to an organization from the Access Management will give LDAP error
6335137 Session notification is unnecessarily being sent to AM server itself
6337106 Ability to disable DNS Lookup
6337701 Realm/Subjects/Role does not contain a General page
6338418 Universal ID disappeared when Save button is pressed
6338582 SSO fails for federation
6340418 Logout fails after federation termination
6341737 AMSDK call to AMUser.getAttributesByteArray() returns empty if called after AMUser.getAttributes()
6342313 Login as an org admin user when click on Directory Manager link will get user page
6349959 Adding "role=read,create,edit,delete" to LDAPv3 IdRepo plugin causes IdRepo to fail
6343531 Deleting service leaves amconsole unusable and service partially deleted
6352076 WL8.1 SP4: Access denied while accessing any resource first time in cdsso setup
6356879 amadmin gives access to AM even with invalid user/password
6350573 Distributed Authentication Does not work when deployed in Production mode in Bea WebLogic Server
6334633 Inconsistent AM-SDK Global Schema Cache behaviour
6346904 Session Polling could hang the server under high load
6346908 Session Destroy or logout on the client sdk does not work properly
6342223 Session cache has no way to cleanup client cache when notifications are missed
6341686 Adding all groups to a user get error " Error [Ljava.lang.Object;@1d8be60"
6336904 Authentication service should not be required to stick to one server for LB deployments
6295078 legacy: Cannot delete an organization that was created under a container
6307920 Special characters (&) in SAML statements should be encoded
6345362 Server failed to start if com.sun.am.event.connection.idle.timeout is set to a non zero value
6366215 IDRepo unable to search based on "cn" - LDAPv3Repo unable to search with respect to naming attribute
6363399 Policy evaluation fails for LDAPV3 filtered role
6342725 idrepo cache not updated
6356473 Gateway does not come up on a separate node after installation
6346918 cookie name property is missing in AMClient.properties since AMClientSDK is not working
6347568 amclientsdk webapp is not working; the amclientsdk.jar file is missing in the war file built
6356670 java.lang.NullPointerException in amSecurity debug logs
6356715 Auth Remote API gives error due to failure in retrieval of internal session from session ID on server
6337160 IdRepo calls SMS for every operation, leading to performance issues

Patch Installation Instructions:
--------------------------------
Backup following files:

For Solaris 8 and 9 releases, refer to the man pages for instructions on
using 'patchadd' and 'patchrm' scripts provided with Solaris. Any other
special or non-generic installation instructions should be described
below as special instructions.

The following example installs a patch to a standalone machine:

example# patchadd /var/spool/patch/120954-04

The following example removes a patch from a standalone system:

example# patchrm 120954-04

For additional examples please see the appropriate man pages.

After the patch is installed or removed, AM applications need to be
redeployed. Please refer to the release notes, rel_notes.html, for more
details.

Special Install Instructions:
-----------------------------
For Access Manager Server specific patch information and patch
installation instructions, refer to the included patch release notes
file, rel_notes.html, located inside the patchID directory once the file
has been unzipped. The patch release notes include must-read information
including installation information, redeployment instructions,
instructions on how to deal with customized auth jsp files, and
workarounds for known issues and limitations.

README -- Last modified date: Monday, November 6, 2006