OpenAM 10.2.0-SNAPSHOT Release Notes

Mark Craig

Vanessa Richie

Legal Notice

Publication date: May 22, 2013

Abstract

Notes covering OpenAM prerequisites, fixes, known issues. OpenAM provides open source Authentication, Authorization, Entitlement and Federation software.


Table of Contents
1. What's New in OpenAM 10.2.0-SNAPSHOT
2. Before You Install OpenAM 10.2.0-SNAPSHOT Software
3. OpenAM Changes & Deprecated Functionality
4. OpenAM Fixes, Limitations, & Known Issues
5. How to Report Problems & Provide Feedback
6. Support

Chapter 1. What's New in OpenAM 10.2.0-SNAPSHOT

OpenAM 10.2.0-SNAPSHOT fixes a number of issues, and provides the following additional features.

Major New Features
  • The zero page login has been modified so that administrators can disable the functionality. The zero page login process is the ability of the user to log in using only GET parameters, which presents a possible security issue. Zero page login is now disabled by default.

  • REST Authentication Service has been updated to handle Integrated Windows Authentication. IWA is now available through the REST interface by using the new endpoint, http://<OpenAM Host>:<Port>/<deploy_uri>/json/auth/1/authenticate. The legacy REST authentication interface is still available.

  • The policy tree index has been updated so that resources are first checked at the root level of a realm. The tree is created from this level, and any subsequent referrals create another tree specific to the realm where the referral was retrieved. This conserves memory and reduces the amount of time required to load the tree. An intelligent indexing model now assists with quickly identifying relevant policy rules for the resource being authorized.

  • Users and realms can be created, read, edited, and deleted using an HTTP POST of the JSON representation. See Identity Management and Realm Management for explanations, instructions, and examples.

  • OpenAM now provides further support for OAuth 2.0. In addition to playing the role of client and resource server, OpenAM can now also play the role of OAuth 2.0 authorization server. See Managing OAuth 2.0 Authorization for explanations, instructions, and examples.

  • Session failover has been modified to be simpler to deploy (OPENAM-625). OpenAM 10.0.1 and earlier required the use of Open Message Queue and Berkeley DB Java Edition, which increased the complexity and amount of time required to get session failover working. OpenAM now writes session data to the configuration data store instead. This implementation also can be used to make sessions persist across restart for single OpenAM servers. The current implementation requires that you use OpenDJ for the configuration data store.

    This new implementation is designed to operate on a local site network. Cross-site session failover and session failover across wide area networks (WANs) are not supported.

  • IBM® WebSphere® 8.0 is now a supported platform. See Preparing IBM WebSphere in the Installation Guide for details on how to set up WebSphere 8.0 and 8.5 before deploying OpenAM.

  • Legacy naming conventions have been changed to conform to the current product name, OpenAM. This includes the OpenAM bootstrap file (OPENAM-1555). $HOME/.openamcfg/ is the new name for $HOME/.openssocfg/. If you upgrade, OpenAM still supports use of $HOME/.openssocfg/, and does not rename the folder. For new OpenAM installs, OpenAM creates the directory with the new name, $HOME/.openamcfg/, at configuration time. Other files, such as the openam.war file, and paths have been modified to ensure consistency with the naming conventions.

  • OpenAM now supports Open Authentication (OPENAM-727). The module provides the user with a one-time password based either on an HMAC-based one-time password (HOTP) or a time-based one-time password (TOTP). OATH lets you determine which type of one-time password is best for your users when they need to log in with a password generating device. Devices can range from a smartphone to a dedicated device, such as YubiKey or any other OATH compliant device.

    With OATH, OpenAM now supports YubiKey® authentication. The YubiKey simplifies the process of logging in with a One Time Password token as it does not require the user to re-type long pass codes from a display device into the login field of the computer. The YubiKey is inserted in the USB-port of any computer and the OTP is generated and automatically entered with a simple touch of a button on the YubiKey, and without the need of any client software or drivers.
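The two OATH algorithms named above are defined in RFC 4226 (HOTP) and RFC 6238 (TOTP). The following Python is an added illustration of how a verifier computes and checks both kinds of code; it is not OpenAM's own implementation and makes no claim about how the OpenAM OATH module is written internally. The secret used is the 20-byte test secret from RFC 4226 so the results can be checked against the published test vectors; the look-ahead window and clock-skew allowance are assumed values chosen for the example.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 test secret (ASCII "12345678901234567890"), used only so the
# outputs below match the RFC test vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP per RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float = None, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """TOTP per RFC 6238: HOTP where the counter is the number of time steps since t0."""
    if for_time is None:
        for_time = time.time()
    counter = int((for_time - t0) // step)
    return hotp(secret, counter, digits, algorithm)


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check.

    Only counters strictly greater than the last accepted one are tried, so a
    previously used code is rejected (replay protection).  Returns the counter
    that matched, which the caller must persist as the new last_counter, or
    None when nothing in the look-ahead window matches.  The window size is an
    assumed example value.
    """
    for candidate in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def verify_totp(secret: bytes, submitted: str, for_time: float,
                step: int = 30, skew: int = 1, digits: int = 6) -> bool:
    """Server-side TOTP check allowing +/- `skew` time steps of clock drift."""
    for delta in range(-skew, skew + 1):
        candidate = totp(secret, for_time + delta * step, step=step, digits=digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # HOTP: first few RFC 4226 test vectors (755224, 287082, 359152, ...)
    for c in range(3):
        print("HOTP", c, hotp(RFC4226_SECRET, c))
    # TOTP: RFC 6238 vector for T=59 with SHA-1 and 8 digits is 94287082
    print("TOTP(59)", totp(RFC4226_SECRET, 59, digits=8))
    # A code that was already accepted at counter 0 is refused on resubmission
    print("replay ->", verify_hotp(RFC4226_SECRET, "755224", last_counter=0))
```

The verifier functions show the two properties a server must enforce regardless of device type: HOTP validation only moves the counter forward (never accepting a code at or below the last accepted counter), and TOTP validation tolerates a small amount of clock drift rather than an unbounded window. `hmac.compare_digest` is used for the comparison so that code matching does not leak timing information.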

Additional New Features
  • OpenAM now provides an account expiration post authentication plugin to set an account expiration date on successful login.

  • OpenAM now bundles OpenDJ 2.4.6 (OPENAM-1954).

  • The AMLoginModule now lets authentication modules retrieve the list of current session tokens for a user (OPENAM-1721).

  • OpenAM's IDPAdapter now provides additional hooks for customization. This improvement introduces changes to the API that affect custom IDPAdapters (OPENAM-1623).

  • When running as a Service Provider, OpenAM no longer requires that you enable module-based authentication (OPENAM-1470).

  • OpenAM now has better support for using a reverse proxy for federation when DAS is also deployed (OPENAM-1454).

  • OpenAM now allows use of a read-only data store with a non-transient NameID during SAML 2.0 federation (OPENAM-1427).

  • The ssoadm command now includes a get-sub-cfg subcommand (OPENAM-1348).

  • The REST authenticate command now has a parameter to specify the client IP address (OPENAM-1048).

  • OpenAM is now built with Maven. Maven artifacts continue to be uploaded to the ForgeRock Maven repository (OPENAM-739).

  • You can now prevent OpenAM from caching subject evaluations for policy decisions (part of the fix for OPENAM-24).

    In most cases you do not need to turn off caching, as OpenAM now clears cache when group membership changes. Before turning off caching in production, first test the setting to ensure that the performance impact is acceptable for your deployment.

    To turn off caching, set Access Control > Realm Name > Services > Policy Configuration > Subjects Result Time to Live to 0. The equivalent ssoadm property for the iPlanetAMPolicyConfigService is iplanet-am-policy-config-subjects-result-ttl.

Chapter 2. Before You Install OpenAM 10.2.0-SNAPSHOT Software

This chapter covers software and hardware prerequisites for installing and running OpenAM software.

2.1. Java Requirements

This release of OpenAM requires Java Development Kit 1.6, at least 1.6.0_10. ForgeRock recommends the most recent release of Java 6 to ensure you have the latest security fixes.

ForgeRock has tested this release of OpenAM primarily with Oracle Java SE JDK.

OpenAM Java SDK requires Java Development Kit 1.5 or 1.6.

2.2. Web Application Container Requirements

This release of OpenAM runs in the following web application containers.

  • Apache Tomcat 6.0.x, 7.0.x (ForgeRock's preferred web container for OpenAM)

  • GlassFish v2

  • IBM WebSphere 8.0, 8.5

  • JBoss Enterprise Application Platform 4.x, 5.x

    JBoss Application Server 7.x

  • Oracle WebLogic Server 11g (10.3.5)

    Oracle WebLogic Server 12c (12.1.1)

If running as a non-root user, the web application container must be able to write to its own home directory, where OpenAM stores configuration files.

2.3. Data Store Requirements

This release of OpenAM works with the following configuration data stores.

  • Embedded (using ForgeRock OpenDJ for the data store)

    When using the embedded configuration store, you must deploy OpenAM on a local file system and not on an NFS-mounted file system.

  • External ForgeRock OpenDJ data store

    ForgeRock recommends updating to the latest stable release.

  • External Sun OpenDS data store, version 2 or later

  • External Oracle Directory Server Enterprise Edition data store, version 6.3 or later

This release of OpenAM works with the following user profile data stores.

  • ForgeRock OpenDJ

  • Microsoft Active Directory (tested by ForgeRock on Windows Server 2008 R2)

  • IBM Tivoli Directory Server 6.3

  • OpenDS, version 2 or later

  • Oracle Directory Server Enterprise Edition, version 6.3 or later

OpenAM also works with other LDAPv3 compliant directory servers. Some features of OpenAM depend on features supported by your directory service, such as the following:

  • Extensible LDAP schema, required to extend the schema for OpenAM. First, install OpenAM to use a fresh instance of OpenDJ, such as the embedded OpenDJ server. After installation, study the custom schema definitions from the OpenDJ file, config/schema/99-user.ldif, to see what schema definitions you must add to your directory. You might need to adapt the schema definition format before adding the definitions to your directory.

  • The persistent search request control (OID: 2.16.840.1.113730.3.4.3).

  • The Behera Internet-Draft Password Policy for LDAP Directories (in the context of the LDAP authentication module only)

If you plan to deploy with OpenLDAP or other LDAPv3 directory for user data, make sure you test your solution before you deploy to ensure all OpenAM features that you use work as expected.

2.4. Browsers Tested

ForgeRock has tested many browsers with OpenAM console and end user pages, including the following browsers.

  • Chrome and Chromium 16 and later

  • Firefox 3.6 and later

  • Internet Explorer 7 and later

  • Safari 5 and later

2.5. Platform Requirements

ForgeRock has tested this release of OpenAM on the following platforms.

  • Linux 2.6, 3.0

  • Microsoft Windows Server 2003, 2008 R2

  • Oracle Solaris 10

2.6. Hardware Requirements

You can deploy OpenAM on any hardware supported for the combination of software required. Deploying OpenAM requires a minimum of 1 GB free RAM over and above the RAM used by all other software on the system.

Minimum requirements are enough to start and to evaluate OpenAM. Recommended hardware resources depend on your specific deployment requirements. For more information, see the Administration Guide chapter on Tuning OpenAM.

ForgeRock has tested this release of OpenAM primarily on x86 and x64 based systems.

2.7. Special Requests

If you have a special request regarding support for a component or combination not listed here, contact ForgeRock at info@forgerock.com.

Chapter 3. OpenAM Changes & Deprecated Functionality

This chapter covers both major changes to existing functionality, and also deprecated and removed functionality.

3.1. Major Changes to Existing Functionality

  • When you create a new OpenAM custom configuration that uses an external LDAP directory server for the configuration data store, you must use a root suffix DN with at least two domain components, such as dc=example,dc=com.

  • The advanced server property used to set the HTTP header name, com.sun.identity.authentication.client.ipAddressHeader, has replaced the legacy OpenSSO property com.sun.identity.session.httpClientIPHeader (OPENAM-1879).

  • Legacy naming conventions have been changed to conform to the current product name, OpenAM.

    $HOME/.openamcfg/ is the new name for $HOME/.openssocfg/. If you upgrade, OpenAM still supports use of $HOME/.openssocfg/, and does not rename the folder. For new OpenAM installs, OpenAM creates the directory with the new name, $HOME/.openamcfg/, at configuration time.

    Other files, such as the openam.war file, and paths have been modified to ensure consistency with the naming conventions.

  • OpenAM now ships with multiple .war files. You no longer have to build custom .war files for core server-only or distributed authentication UI installations for example.

  • In earlier versions the default root suffix DN for OpenAM configuration and profile data was dc=opensso,dc=java,dc=net. The default root suffix is now dc=openam,dc=forgerock,dc=org.

3.2. Deprecated Functionality

The following functionality is deprecated in OpenAM 10.2.0-SNAPSHOT, and is likely to be removed in a future release.

  • With the implementation of OAuth 2.0 in this release, OAuth 1.0 has been deprecated. OAuth 1.0 support was originally provided in OpenAM 9.

  • The Netscape LDAP API is to be removed from OpenAM, with OpenAM using the OpenDJ LDAP SDK instead. This affects all classes in com.sun.identity.shared.ldap.* packages.

  • OpenAM currently uses Sun Java System Application Framework (JATO). JATO is deprecated and is likely to be replaced in a future release.

3.3. Removed Functionality

  • For OpenAM 10.2.0-SNAPSHOT, the use of the previous session failover implementation has been removed.

  • With the updated session failover, SAML 2 and session persistence have changed. The methods used prior to OpenAM 10.1.0 are no longer available.

  • Support for Liberty Identity Web Services Framework (ID-WSF) has been removed.

  • The advanced server property, openam.session.destroy_all_sessions, has been replaced by the built-in Global Session Service setting, DESTROY_OLD_SESSIONS.

  • Resources for integrating OpenAM with third-party access and identity management software are not delivered with the distribution.

  • Javadoc for the client SDK is no longer delivered with the distribution, but instead is available online.

Chapter 4. OpenAM Fixes, Limitations, & Known Issues

OpenAM issues are tracked at https://bugster.forgerock.org/jira/browse/OPENAM. This chapter covers the status of key issues and limitations at release 10.2.0-SNAPSHOT.

4.1. Key Fixes

The following bugs were fixed in release 10.2.0-SNAPSHOT. For details, see the OpenAM issue tracker.

TODO

4.2. Limitations

When session failover is configured to use external OpenDJ directory servers, OpenAM must access those directory servers through an LDAP load balancer that can fail over connections from OpenAM whenever a directory server goes offline. Otherwise, sessions could continue to persist after users log out of OpenAM.

Do not run different versions of OpenAM together in the same OpenAM site.

Not all features of OpenAM work with IPv6.

The Database Repository type of data store is experimental and not supported for production use.

By default OpenAM does not enforce session quotas when running in Site mode without session failover. To work around this behavior, set the server configuration property openam.session.useLocalSessionsInMultiServerMode=true. You can set this property in OpenAM console under Configuration > Servers and Sites > Servers > Server Name > Advanced.

4.3. Known Issues

The following important known issues remained open at the time release 10.2.0-SNAPSHOT became available. For details and information on other issues, see the OpenAM issue tracker.

TODO

Chapter 5. How to Report Problems & Provide Feedback

If you have questions regarding OpenAM which are not answered by the documentation, there is a mailing list which can be found at https://lists.forgerock.org/mailman/listinfo/openam where you are likely to find an answer.

If you have found issues or reproducible bugs within OpenAM 10.2.0-SNAPSHOT, report them in https://bugster.forgerock.org.

When requesting help with a problem, include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation

  • Description of the environment, including the following information:

    • Machine type

    • Operating system and version

    • Web server or container and version

    • Java version

    • OpenAM version

    • Any patches or other software that might be affecting the problem

  • Steps to reproduce the problem

  • Any relevant access and error logs, stack traces, or core dumps

Chapter 6. Support

You can purchase OpenAM support subscriptions and training courses from ForgeRock and from consulting partners around the world and in your area. To contact ForgeRock, send mail to info@forgerock.com. To find a partner in your area, see http://forgerock.com/partners/find-a-partner/.