Sun Java™ System Access Manager 6.3 Patch Release Notes
Pre-installation Considerations

For a list of Access Manager patches that are obsoleted by this patch, and any patches you must install prior to installing this patch, refer to the included patch README. This patch is not a standalone installation and does not include Access Manager 6.3. Access Manager 6.3 must be installed prior to patch installation. Please note that this document is applicable to all Access Manager 6.3 supported platforms with the following patch IDs:

  • Solaris OS, SPARC Platform Edition: 119465 and 119466
  • Solaris OS, x86 Platform Edition: 119465 and 119467
  • Red Hat, RHEL 2.1: 119502

It is important that this patch, as with any other patch, be tested thoroughly on a staging or pre-deployment system prior to being put into production. Additionally, special care should be taken with regard to some customized JSP files. Due to the nature and complexity of some modifications, the patch installer might fail to update some of those files properly, so manual changes might be required in order for the product to continue functioning normally.


    Patch Installation Instructions

    This section describes the patch installation instructions.

    For Solaris 8-10 releases, refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Solaris. Any other special or non-generic installation instructions should be described below as special instructions. The following example installs a patch to a standalone machine:

    # patchadd /var/spool/patch/119465-08

    The following example removes a patch from a standalone system:

    # patchrm 119465-08

    For additional examples please see the appropriate man pages.


    Known Problems and Limitations

    This section describes known problems while applying the patch and associated workarounds for Access Manager.

    Make sure you are applying the patch to an existing Access Manager 6 2005Q1 installation.

    Before applying the patch, obtain the information required to configure Access Manager after the patch installation. You must provide specific information, including administrator names and passwords.

    For example, you must know the Access Manager administrator and password and the Directory Manager name and password for the Directory Server that Access Manager is using.

    Back up any customized files.

    Apply the following Access Manager patches:

    Configure Access Manager for your specific web container by setting the Access Manager configuration variables and running the amconfig script.

    The patch installation process prepares a configuration script input file named /tmp/.amsilent. This file is based on the amsamplesilent template file.

    Run the amconfig command as shown below. Before you run amconfig, Directory Server and the Access Manager web container must be running.

    Create the amsilent file based on $BASEDIR/$PRODUCT_DIR/bin/amsamplesilent template file and also set the appropriate configuration variables, including:
       - DEPLOY_LEVEL=21
       - DIRECTORY_MODE=5
       - Passwords for DS_DIRMGRPASSWD, ADMINPASSWD, and AMLDAPUSERPASSWD
       - Access Manager Web container variables. For more details about the Web container variables, see the amsamplesilent file in the /opt/SUNWam/bin directory on Solaris systems or the /opt/sun/identity/bin directory on Linux systems.
    5. Run the amconfig script as shown below. Before you run amconfig, Directory Server and the Access Manager web container must be running. For example, to run amconfig on a Solaris system with Access Manager installed in the default base installation directory:
         # cd /opt/SUNWam/bin
         # ./amconfig -s amsilent
    For more information about running the amconfig script, see the Access Manager Administration Guide: http://docs.sun.com/doc/817-7647
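
Added example (not part of the release notes or of Sun's scripts): a pre-flight check to run on the amsilent file before `./amconfig -s amsilent`. It verifies the values listed above and, as an extra check assumed here because the file stores administrator passwords, that only the owner can access it; the function names and sample passwords are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check of an amsilent file before running
# "./amconfig -s amsilent". Assumes plain KEY=value lines, as in a shell file.

# Print the value assigned to KEY ($2) in file $1; the last assignment wins
# and one pair of surrounding double quotes is dropped.
silent_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Return 0 when the file is ready for amconfig, 1 otherwise (reasons on stderr).
check_amsilent() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    [ "$(silent_get "$f" DEPLOY_LEVEL)" = "21" ] ||
        { echo "DEPLOY_LEVEL must be 21" >&2; rc=1; }
    [ "$(silent_get "$f" DIRECTORY_MODE)" = "5" ] ||
        { echo "DIRECTORY_MODE must be 5" >&2; rc=1; }
    for key in DS_DIRMGRPASSWD ADMINPASSWD AMLDAPUSERPASSWD; do
        [ -n "$(silent_get "$f" "$key")" ] ||
            { echo "$key is missing or empty" >&2; rc=1; }
    done
    # The file holds administrator passwords: allow owner access only.
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] ||
        { echo "$f is accessible to group/other ($mode)" >&2; rc=1; }
    return $rc
}

# Write a constructed sample file (placeholder passwords) with mode 600.
make_sample() (
    umask 077
    cat > "$1" <<'EOF'
DEPLOY_LEVEL=21
DIRECTORY_MODE=5
DS_DIRMGRPASSWD=example-dirmgr-pw
ADMINPASSWD=example-admin-pw
AMLDAPUSERPASSWD=example-ldapuser-pw
EOF
)

demo=$(mktemp) && make_sample "$demo" && check_amsilent "$demo" &&
    echo "amsilent passes the pre-flight check"
rm -f "$demo"
```

Removing the amsilent file once amconfig has finished keeps the passwords from lingering on disk.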

    5029256: Typo in Argument to Referential Integrity Plugin Impacts Performance

    When Access Manager enables the referential integrity plugin for Directory Server, an argument to the plugin has a typo in an attribute name (iplanet-am-modifiable-by). A "search not indexed" warning is generated in the Directory Server error log, and Directory Server performance is impacted.

    Workaround

    1. Back up your existing index.ldif and plugin.ldif files.
    2. Copy the new index.ldif and plugin.ldif files from the patch installation to your specific installed directory. The default directory is /etc/opt/SUNWam/config/ldif.
    3. Import the indexes from the index.ldif and plugin.ldif into Directory Server using the ldapmodify command.
    4. Since new indexes are introduced, rebuild the indexes to generate a new set of indexes after updating the files on all databases. There are various ways to rebuild the indexes. For example, you can run the db2index.pl Perl script on all instances where the index.ldif was updated. If your Directory Server instance is on /var/Sun/mps, the db2index.pl script is in the /var/Sun/mps/slapd- directory.

    For more information about the db2index.pl Perl script, see Chapter 8, "Command-Line Scripts" in the Directory Server Configuration, Command, and File Reference: http://docs.sun.com/source/816-5608-10/scripts.htm#27451

    Bug ID 6269680: Fail to create user with clientsdk

    When trying to create a new user through clientsdk, a NullPointerException is thrown at runtime. The reason is that the service config of service DAI is not accessible from the client, though it exists. The root cause is that the default application user "UrlAccessAgent" does not have ACI permission to read the DAI service, so it fails to read the DAI service before creating the new user.

    Workaround

    1. Use a different user such as "amadmin" who has the permission. Change the property "com.sun.identity.agents.app.username" in AMConfig.properties from "UrlAccessAgent" (default) to "amadmin". You must also modify "com.iplanet.am.service.secret", which should be set to the result of the command /opt/SUNWam/bin/ampassword -e
    2. If the customer does not want to use "amadmin", it can be any user who has Org or Policy Admin privileges (i.e., admin roles).
    3. For AM 7.0, this was fixed such that we use Delegation rather than directory ACIs.

    Bug ID 6276972: Delay in AM6.3 failover to secondary ldap directory

    1. Add the following VM option to server.xml for the specific container.
         -Dnetworkaddress.cache.ttl=0 -Dsun.net.inetaddr.ttl=0
    2. Restart web container.

    Bug ID 6292838: iplanet-am-role-display-options not processed correctly for Filtered Roles

    Copy am_console.jar from "/usr/share/lib/identity/console-war/WEB-INF/lib" to "/opt/SUNWwbsvr/https-./is-web-apps/applications/WEB-INF/lib" directory.

    Bug ID 6343535: BEA's SOAP implementation is incompatible with Sun's AM 6.3 amclientsdk

    Add the following line to the IS_OPTIONS variable in server.xml of the web container where Access Manager 6.3 runs:

         -Djavax.xml.soap.MessageFactory=com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl

    Bug ID 6198000: Back button on invalid session breaks goto

    As part of the fix of 6198000, Login.jsp is modified by adding a line "> if you do not have this jsp file customized, running amconfig to redeploy AM applications on the web container would take care of this. Otherwise, you would need to add it manually before the line

    Bug ID 6368958: Operation failure of amadmin command after abnormal termination by Ctrl+C

    This problem only happens when importing the DAI service with ums.xml. First of all, never abort the amadmin command with Ctrl+C. If you run into this issue, you can delete all entries under ou=DAI,ou=services,, and then re-import the service schema file ums.xml. Due to the large number of entries in the DAI service and the restriction on deleting non-leaf entries, it is better to have a script do the deletion. Please contact Sun if you need help with the script.

    Bug ID 6222704: Pre/Post processing doesn't work for password changes

    The com.sun.identity.authentication.spi package now provides an interface to receive notifications of a user status change after a successful password reset or after account lockout (memory). The following files have been added for this:

       - com/sun/identity/authentication/spi/AMAuthCallBack.java
       - com/sun/identity/authentication/spi/AMAuthCallBackException.java

    To configure the Pluggable User Status Event Interface:

       - Add "com.sun.identity.authentication.spi.SampleAMAuthCallBack" to the "Pluggable User Status Event Classes" attribute in the Core Authentication service using the console.
       - Debug information will be available in the AuthCallBackSample debug file the next time someone is locked out or changes a password via the LDAP module password change feature (and the debug level is set to message).

    (For Linux patch) Bug ID 6301106: After amconfig, WebSphere Application server fails to start

       - In server.xml file, remove the leading extra characters "/:" in the value for the genericJvmArguments option in the jvmEntries before adding the patch.
       - In the startServer.sh add /opt/sun/private/lib to the LD_LIBRARY_PATH (for Linux)

    diff startServer.sh startServer.sh.orig 75c75 < LD_LIBRARY_PATH="$WAS_LIBPATH":$LD_LIBRARY_PATH:/opt/sun/private/lib --- < LD_LIBRARY_PATH="$WAS_LIBPATH":$LD_LIBRARY_PATH
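
Review bot: In the 75c75 hunk, the new value places $LD_LIBRARY_PATH between two colons, so when that variable is empty or unset the result contains an empty element ("::"), and the Linux dynamic loader treats a zero-length entry as the current working directory. Build the value conditionally, for example "$WAS_LIBPATH"${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}:/opt/sun/private/lib, so the search path lists only explicit directories. Both lines of the hunk are also marked "<"; the line after "---" is the startServer.sh.orig side, which diff output marks with ">".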

    (For Linux patch) Backout instructions

    1. Make sure to take the LDAP backup before adding the AM Linux patch. (Later we can automate this step)
         cd /var/opt/mps/serverroot/slapd-yourinstance
         db2ldif -s "root_suffix"
         ldiffile: /var/opt/mps/serverroot/slapd-yourinstance/ldif/YYYY_DD_MM_XXXX.ldif   <--- This is the backup file.
       Example for root_suffix: dc=red,dc=iplanet,dc=sun
    2. Add patch-XX. Please note that the patch scripts take a backup of /opt/sun/ into a file am63_backup.gzip. Copy am63_backup.gzip to a safe folder.
    3. Keep YYYY_DD_MM_XXXX.ldif and am63_backup.gzip in a safe folder (i.e., not in the installation directory).
    4. Uninstall AM63.
    5. Install AM63 with patch-1.
    6. Restore the Directory Server backup:
         cd /var/opt/mps/serverroot/slapd-yourinstance
         ./stop-slapd
         ldif2db -s "dc=red,dc=iplanet,dc=com" -i /var/opt/mps/serverroot/slapd-yourinstance/ldif/YYYY_DD_MM_XXXX.ldif
    7. To copy am63_backup.gzip into the installation area:
         mv /opt/sun/ /opt/sun.orig
    8. Extract the backup:
         cd /
         tar xfz am63_backup.gzip
    9. Restart the DS and AM instances.
