Tuesday Jul 08, 2008

Sun Alert 201538

A new Sun Alert, 201538, was released on June 26, 2008: "Access Manager Does not Securely Process XSLT Stylesheets contained in XML Signatures". It is actually bug 6519471 in the XML signing library (xmlsec.jar) bundled with AM. The fixed xmlsec.jar is now bundled in the AM patches 7.1p1, 7.0p6, 6.3p12, 6.2p15 and 6.1p22, in their various platform-specific forms. To read the alert, go to
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201538-1.
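
As an added illustration (not code from Access Manager, xmlsec.jar or the alert), the following Python check rejects a signed XML document whose ds:Transform list carries the XSLT transform, or any transform outside an allowlist, before a signature library ever processes the document. A relying party that consumes SAML or Liberty messages normally needs only the enveloped-signature and canonicalization transforms, so the allowlist below is an assumption you should adjust to your own deployment; the two sample documents are constructed for the example.

```python
"""Allowlist the transforms in an XML signature before validating it.

Added example, not part of Access Manager, xmlsec.jar or Sun Alert 201538.
xml.etree only parses; it never executes XSLT, so walking the ds:Transform
elements here is safe even when the document carries a hostile stylesheet.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Transform identifier defined by XML-Signature Syntax and Processing, 6.6.5
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Assumption for this example: a relying party only ever needs these.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}


def find_transforms(xml_text):
    """Return the Algorithm of every ds:Transform in the document, in order."""
    root = ET.fromstring(xml_text)
    return [t.get("Algorithm", "") for t in root.iter(f"{{{DS_NS}}}Transform")]


def disallowed_transforms(xml_text):
    """Transforms that are not on the allowlist (XSLT always lands here)."""
    return [a for a in find_transforms(xml_text) if a not in ALLOWED_TRANSFORMS]


def precheck_signature(xml_text):
    """Raise ValueError before the signature library sees a risky transform."""
    bad = disallowed_transforms(xml_text)
    if bad:
        raise ValueError("rejected transform(s): " + ", ".join(bad))
    return True


# Constructed sample documents (digest and signature values are placeholders).
def signed_doc(transforms_xml):
    return f"""<Assertion ID="a1" xmlns:ds="{DS_NS}">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#a1">
        <ds:Transforms>{transforms_xml}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</Assertion>"""


ENVELOPED = '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
XSLT = (
    f'<ds:Transform Algorithm="{XSLT_TRANSFORM}">'
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    '<xsl:template match="/"><xsl:copy-of select="."/></xsl:template>'
    "</xsl:stylesheet></ds:Transform>"
)

CLEAN_DOC = signed_doc(ENVELOPED)
XSLT_DOC = signed_doc(ENVELOPED + XSLT)

if __name__ == "__main__":
    print("clean document:", precheck_signature(CLEAN_DOC))
    try:
        precheck_signature(XSLT_DOC)
    except ValueError as exc:
        print("XSLT document:", exc)
```

Run the check on the raw message before handing it to the validating library; it is a defence-in-depth layer on top of the patched xmlsec.jar, not a replacement for it, and an allowlist is preferable to blocking XSLT alone because it also catches transforms you never intended to accept.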

Monday Jun 09, 2008

Virtual Federation?

A new term, Virtual Federation, was coined recently in the identity federation world. It is actually a new name for Secure Attribute Exchange (SAE), a key capability of the upcoming Sun Federated Access Manager 8.0. Virtual Federation is meant to help enterprises overcome the challenges of federation, such as scalability, legacy applications, transient and transactional data, and protocol support.

[Read More]

Friday Feb 08, 2008

Password With Multi-byte Characters

Though it is almost impossible to crack a sufficiently long password composed of randomly chosen ASCII characters, you might want to make it stronger still by using multi-byte characters, such as Cyrillic letters or East Asian characters (Chinese, Korean, Japanese).

[Read More]

Friday Jan 04, 2008

An NSS/JSS Bug Is Fixed

Someone reported that their J2EE agent 2.2 periodically hangs. The thread dump shows hundreds of threads waiting for a lock held by a thread that was writing a log message to the remote Access Manager (AM) server.


at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:129)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:723)

This stack trace is not new to me. I have seen this kind of thread stack trace many times, especially on AM servers. The difference is that on an AM server there could be many threads doing socketRead while all sending session/policy notifications, as this operation is asynchronous. The common factor is that this problem only happens when the AM server or client runs in secure mode, that is, with SSL enabled.

This is not an AM/agent problem, but is rooted in the NSS/JSS/NSPR packages. This morning, I checked the latest NSS/JSS/NSPR patch 119211-14 (Solaris 9). I am very happy to see this bug there: 6524809 - JSS SSLSocket.close() may be blocked and not interrupting the SSLSocket.read() thread. Actually it is fixed in rev #13. I strongly believe that this bug might be responsible for all AM/agent hang issues with SSL enabled.


Solaris 8 SPARC: 119209-13
Solaris 9 SPARC: 119211-13
Solaris 9 X86: 119212-13
Solaris 10 SPARC: 119213-13
Solaris 10 X86: 119214-13
Linux: 121656-13
HP-UX pa-risc: 124379-04
JES5 Windows: 125923-02
JES5 Solaris SPARC: 125358-02
JES5 Solaris x86: 125359-02
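
To confirm this pattern in a dump from your own agent or server, here is an added Python script (not from the post, the agent or Sun's patch) that parses jstack-style output, finds threads sitting in socketRead0 under an SSL stack, and lists the threads queued on the monitors those threads hold. The thread dump, the thread names and the com.example class names inside it are constructed for the example.

```python
"""Spot the SSL-read hang pattern in a Java thread dump.

Added example, not code from the blog post, the J2EE agent or Sun's patch.
It maps every thread blocked in socketRead0 under an SSL stack to the
threads waiting on the monitors that thread holds. SAMPLE_DUMP is a
constructed, jstack-style dump with one writer holding a logger monitor.
"""
import re
from collections import defaultdict

SAMPLE_DUMP = """\
"Log-Writer-1" prio=5 tid=0x00a1 nid=0x10 runnable [0x1000]
   java.lang.Thread.State: RUNNABLE
\tat java.net.SocketInputStream.socketRead0(Native Method)
\tat java.net.SocketInputStream.read(SocketInputStream.java:129)
\tat com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
\tat com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:723)
\tat com.example.agent.RemoteLogger.write(RemoteLogger.java:88)
\t- locked <0x2b3f0> (a com.example.agent.RemoteLogger)

"http-8080-1" prio=5 tid=0x00a2 nid=0x11 waiting for monitor entry [0x2000]
   java.lang.Thread.State: BLOCKED (on object monitor)
\tat com.example.agent.RemoteLogger.write(RemoteLogger.java:80)
\t- waiting to lock <0x2b3f0> (a com.example.agent.RemoteLogger)

"http-8080-2" prio=5 tid=0x00a3 nid=0x12 waiting for monitor entry [0x3000]
   java.lang.Thread.State: BLOCKED (on object monitor)
\tat com.example.agent.RemoteLogger.write(RemoteLogger.java:80)
\t- waiting to lock <0x2b3f0> (a com.example.agent.RemoteLogger)

"Idle-1" prio=5 tid=0x00a4 nid=0x13 waiting on condition [0x4000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
\tat java.lang.Thread.sleep(Native Method)
"""

THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')
LOCKED = re.compile(r"- locked <(?P<mon>0x[0-9a-f]+)>")
WAITING = re.compile(r"- waiting to lock <(?P<mon>0x[0-9a-f]+)>")


def parse_dump(text):
    """Return {thread_name: {"frames": [...], "locked": set(), "waiting": set()}}."""
    threads = {}
    current = None
    for line in text.splitlines():
        header = THREAD_HEADER.match(line)
        if header:
            current = {"frames": [], "locked": set(), "waiting": set()}
            threads[header.group("name")] = current
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("at "):
            current["frames"].append(s[3:])
        elif (m := LOCKED.search(s)):
            current["locked"].add(m.group("mon"))
        elif (m := WAITING.search(s)):
            current["waiting"].add(m.group("mon"))
    return threads


def find_ssl_read_hangs(text):
    """Map each thread stuck in socketRead0 under an SSL stack to its waiters."""
    threads = parse_dump(text)
    waiters = defaultdict(list)
    for name, t in threads.items():
        for mon in t["waiting"]:
            waiters[mon].append(name)
    report = {}
    for name, t in threads.items():
        in_read = any(f.startswith("java.net.SocketInputStream.socketRead0") for f in t["frames"])
        in_ssl = any(".ssl." in f for f in t["frames"])
        if in_read and in_ssl:
            report[name] = sorted(n for mon in t["locked"] for n in waiters.get(mon, []))
    return report


if __name__ == "__main__":
    for reader, blocked in find_ssl_read_hangs(SAMPLE_DUMP).items():
        print(f"{reader}: stuck in SSL read, {len(blocked)} thread(s) waiting: {blocked}")
```

A dump from the hang described above would show a single reader holding the logging monitor with hundreds of waiters behind it; when that shows up with SSL enabled, compare the installed NSS/JSS/NSPR patch revision against the list above before digging further into AM or the agent.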

Monday Nov 05, 2007

Configure Session Failover on Access Manager 6.3

When testing AM 6.3 patch 12, the session failover feature was reported as not working. There was an NPE when checking whether a server instance was up, and the amsessiondb process never received any READ requests. After some debugging, it appeared that the server ID of the load balancer (03, assuming two AM servers 01 and 02 in the cluster) had to be added to make it work.

However, the Deployment Planning Guide for AM 6.3 clearly states "Do not include the server ID of load balancer." for the "Session Cluster Server List".

The root cause was that the person who set up the environment had modified the value of "com.iplanet.am.localserver.host" in the configuration file AMConfig.properties while changing the other properties "com.iplanet.am.server.host", "com.iplanet.am.console.host", "com.iplanet.am.profile.host" and "com.iplanet.am.naming.url". The "com.iplanet.am.localserver.xxx" properties should never be changed unless the host name of the box itself changes.

With localserver.host changed to the host name of the LB, adding the LB's server ID to the "Session Cluster Server List" can make session failover work, but it may cause performance problems in the form of unnecessary internal session routing.
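
As an added check (not part of the post or of Access Manager), the Python script below encodes the rule the post describes: the com.iplanet.am.localserver.* properties must name the box itself, while the server.host, console.host, profile.host and naming.url properties may all point at the load balancer. The two property sets it inspects are constructed for the example, with hypothetical host names and port.

```python
"""Sanity-check the host properties in AMConfig.properties before enabling
session failover.

Added example, not code from Access Manager or the blog post. WRONG reproduces
the misconfiguration described above (localserver.host repointed at the load
balancer); CORRECT leaves localserver.host at the box's own name. Host names
and the port are assumptions for the example.
"""
from urllib.parse import urlsplit

WRONG = """\
com.iplanet.am.localserver.host=lb.example.com
com.iplanet.am.localserver.port=58080
com.iplanet.am.server.host=lb.example.com
com.iplanet.am.console.host=lb.example.com
com.iplanet.am.profile.host=lb.example.com
com.iplanet.am.naming.url=http://lb.example.com:80/amserver/namingservice
"""

CORRECT = WRONG.replace("localserver.host=lb.example.com",
                        "localserver.host=am01.example.com")

# Properties that are allowed (and expected) to carry the load balancer name.
LB_FACING = ("com.iplanet.am.server.host",
             "com.iplanet.am.console.host",
             "com.iplanet.am.profile.host")


def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#' and '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_failover_config(text, local_hostname):
    """Return a list of findings; an empty list means the hosts are consistent."""
    props = parse_properties(text)
    findings = []

    # Rule 1: localserver.host must be this box, never the LB.
    local = props.get("com.iplanet.am.localserver.host", "")
    if local != local_hostname:
        findings.append(
            f"com.iplanet.am.localserver.host={local!r} must be this box's "
            f"own host name {local_hostname!r}")

    # Rule 2: the LB-facing properties and naming.url should agree with each other.
    fronts = {k: props.get(k, "") for k in LB_FACING}
    naming_host = urlsplit(props.get("com.iplanet.am.naming.url", "")).hostname or ""
    if len(set(fronts.values()) | {naming_host}) != 1:
        findings.append(
            "server.host/console.host/profile.host and naming.url disagree: "
            + ", ".join(f"{k}={v}" for k, v in fronts.items())
            + f", naming.url host={naming_host}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("WRONG", WRONG), ("CORRECT", CORRECT)):
        print(label, check_failover_config(cfg, "am01.example.com") or "ok")
```

Run it on each cluster member with that member's real host name; a clean result on every node means the Session Cluster Server List can follow the Deployment Planning Guide and omit the load balancer's server ID.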

Tuesday Sep 04, 2007

ldapsearch to search DS with SSL enabled

Normally you have no problem running ldapsearch against a directory server without SSL enabled; ldapsearch of any version works, even the default one that ships with Solaris. However, if the directory server instance listens on a secure port, you may run into a lot of trouble.

[Read More]

Wednesday Jul 11, 2007

Access Manager 7.0 patch5 on Windows and HP-UX

Links to the new AM 7.0 patch 5 releases on Windows and HP-UX.

[Read More]
About

gc
