Release Notes - Liberty Identity Provider for Novell eDirectory
April 14, 2003

Table of Contents

1.0 Known Liberty Identity Provider Issues
  1.1 Host Names Cannot Use Numbers
  1.2 Issue With Connecting to an LDAP Server that is Configured for LDAP 636 Over SSL
  1.3 iManager Class Not Found Exception for iPrint Plug-ins
  1.4 Do Not Use Spaces When Creating a Signing Certificate
  1.5 Delete Temp Files If You Are Doing Multiple Installations
  1.6 Use IP Address Instead of Tree Name for iManager Login
  1.7 Issue With Service Provider's Name Registration Using DSA Hash
  1.8 Service Provider Domain Must Match URLs Used by the Identity Provider
  1.9 Deleting an Identity Provider's Service Provider Configuration Might Cause Login Problems
  1.10 Restart Apache After Installing the Sample Service Provider
2.0 Converting Your Identity Provider to SSL Mode
  2.1 Information for Converting to SSL Mode
3.0 Troubleshooting Tips for the Liberty Identity Provider
  3.1 Install the Liberty Identity Provider on a Clean Machine
  3.2 Making Changes in iManager Requires Restart of Tomcat
  3.3 Time Synchronization is Mandatory Between the Identity Provider and the Service Provider
4.0 Liberty Documentation
  4.1 Accessing the Latest Liberty Documentation
5.0 Legal Information
  5.1 Disclaimer, Copyright, and Patents
  5.2 Trademarks

1.0 Known Liberty Identity Provider Issues

1.1 Host Names Cannot Use Numbers

When you are entering your HTTPS host name information, do not use names that begin with numbers (for example, names that begin with an IP address). Names that begin with numbers will return an error message, and you will not be able to create a federation between your identity provider and service provider.

1.2 Issue With Connecting to an LDAP Server that is Configured for LDAP 636 Over SSL

If your LDAP server is configured for LDAP 636 over SSL, your identity provider might not connect to your LDAP server. If this is the case, you will get the following Tomcat errors: "Unable to fill connection quota," and "Liberty configuration exception: unable to establish connections with the LDAP server."

To work around this issue, add the trusted root of the LDAP server to the JAVA_HOME\jre\lib\security\cacerts keystore by doing the following:

1) Export the trusted root (for example, CAcert.cer) from the LDAP server.
2) Copy the trusted root to the JAVA_HOME\jre\lib\security\ directory.
3) From the JAVA_HOME\jre\lib\security directory, execute the following command:

   keytool -import -file CAcert.cer -alias myldap -keystore cacerts -storepass changeit

1.3 iManager Class Not Found Exception for iPrint Plug-ins

Novell iManager has iPrint plug-ins that are only installed when iManager is installed on NetWare. Because you install the Liberty identity provider on Windows, you might see exceptions that indicate the iPrint Roles and Tasks are unavailable. If you click the details for these exceptions, you can view the Java exceptions, which indicate that the iPrint plug-ins are not available on Windows.

1.4 Do Not Use Spaces When Creating a Signing Certificate

The signing certificate will not be created if you use a space in the Alias or the Keystore Name. If you insist on using a space, you must use quotation marks around the entire Alias or Keystore Name.

1.5 Delete Temp Files If You Are Doing Multiple Installations

The Liberty identity provider installer does not automatically delete the files it places in the C:\Documents and Settings\\local settings\temp directory after installation. (Note: The variable will change depending on your Windows version. Also, the local settings directory is hidden by default. To display hidden files, go to MS Explorer > Tools > Folder Options, then click the View tab. Under the Hidden files and folders option, select Show All Files, then click Apply.)

If you are doing repeated installations, you should delete all of the files in your temp directory to save disk space.

1.6 Use IP Address Instead of Tree Name for iManager Login

iManager will return a 634 error during login if the iManager server cannot resolve the tree name to an IP address. To log in, use an IP address rather than the tree name to avoid this error.

1.7 Issue With Service Provider's Name Registration Using DSA Hash

Name registration will not work with the Liberty identity provider if you configure the service provider to use a signing certificate that uses a DSA hash. Other functions, including federation and login, will work, but Name registration will not. Name registration will work if you configure the service provider to use a signing certificate that uses an RSA hash.

1.8 Service Provider Domain Must Match URLs Used by the Identity Provider

When you access the service provider login page, make sure that the domain (or IP Address) of the URL matches those URLs found in the service provider metadata used by the identity provider. This ensures that a single Web server session will be created and used when you access the service provider.

1.9 Deleting an Identity Provider's Service Provider Configuration Might Cause Login Problems

Disabling or deleting a service provider configuration at the identity provider with iManager can prevent users from being able to log in at the service provider site. Do not disable or delete an SP from the IDP configuration unless the service provider also removes the IDP from its circle of trust.

1.10 Restart Apache After Installing the Sample Service Provider

After you install the sample service provider, you must restart Apache. Failure to do so will result in a "Page Not Found" error.

2.0 Converting Your Identity Provider to SSL Mode

2.1 Information for Converting to SSL Mode

After successfully installing your Liberty identity provider, you must configure it to run in secure (SSL) mode. By default, your Liberty identity provider runs in test mode (which is recommended during the installation process). You must change this mode (HTTP) to HTTPS before running in a production environment.

For details on how to configure Liberty to run in SSL mode, see "Configuring Your Liberty IDP to Run in SSL Mode" in the Liberty administration guide.

3.0 Troubleshooting Tips for the Liberty Identity Provider

3.1 Install the Liberty Identity Provider on a Clean Machine

We strongly recommend that you install the Liberty identity provider on a machine that does not have Novell iManager, Sun JVM, Apache, or Tomcat already installed. Having any of these components already installed on your machine could cause the Liberty installation to fail.

3.2 Making Changes in iManager Requires Restart of Tomcat

If you make any changes to your Liberty configuration in iManager, you must restart your identity provider by restarting Tomcat in order for the changes to take effect. Additionally, if you use iManager to defederate a user, you need to restart Tomcat.

3.3 Time Synchronization is Mandatory Between the Identity Provider and the Service Provider

Make sure the time synchronization between your identity provider and service provider is accurate. If there are time discrepancies between them, you might encounter certificate failures, as well as some assertion failures.

4.0 Liberty Documentation

4.1 Accessing the Latest Liberty Documentation

For the latest Liberty documentation, including information on Liberty IDP setup and administration, go to http://www.novell.com/documentation and locate the Liberty documentation in the alphabetical list.

5.0 Legal Information

5.1 Disclaimer, Copyright, and Patents

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside. This product may require export authorization from the U.S. Department of Commerce prior to exporting from the U.S. or Canada.

Copyright (C) 2003 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Patents Pending.

5.2 Trademarks

Novell and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. eDirectory is a trademark of Novell, Inc. All third-party trademarks are the property of their respective owners.
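Added example for the keytool workaround in Section 1.2 (this script is not part of Novell's release notes or product): a POSIX shell wrapper that imports the exported trusted root into the JVM's cacerts keystore only after checking that the file, JAVA_HOME and the keystore exist and that the alias is not already taken, then lists the entry so its fingerprint can be compared with the LDAP server's certificate. The alias "myldap" and the default store password "changeit" are the values from the release notes; the CACERTS_STOREPASS variable, the import_trusted_root function name, and the assumption that keytool is on PATH are this example's own. On Windows the same keytool arguments apply from a command prompt.

```shell
#!/bin/sh
# import_trusted_root <cert-file> [alias]
# Adds an LDAP server's trusted root to $JAVA_HOME/jre/lib/security/cacerts.
# Returns 0 when the alias is present afterwards (imported now or already there),
# non-zero when the certificate file, JAVA_HOME or keystore is missing, or keytool fails.
import_trusted_root() {
    cert="$1"
    alias="${2:-myldap}"                       # alias used in the release notes
    storepass="${CACERTS_STOREPASS:-changeit}" # JVM default; override via environment

    if [ ! -f "$cert" ]; then
        echo "trusted root file not found: $cert" >&2
        return 1
    fi
    if [ -z "$JAVA_HOME" ]; then
        echo "JAVA_HOME is not set; cannot locate the cacerts keystore" >&2
        return 1
    fi
    cacerts="$JAVA_HOME/jre/lib/security/cacerts"
    if [ ! -f "$cacerts" ]; then
        echo "keystore not found: $cacerts" >&2
        return 1
    fi

    # keytool refuses to import a second entry under an existing alias, so check first.
    if keytool -list -keystore "$cacerts" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' is already present in $cacerts"
        return 0
    fi

    # -noprompt skips the interactive "Trust this certificate?" question;
    # -trustcacerts lets keytool chain the file against roots already in the store.
    keytool -import -noprompt -trustcacerts -file "$cert" -alias "$alias" \
        -keystore "$cacerts" -storepass "$storepass" || return 1

    # Show the stored entry (with fingerprint) so it can be compared with the LDAP server.
    keytool -list -keystore "$cacerts" -storepass "$storepass" -alias "$alias"
}

# Typical use, after exporting CAcert.cer from the LDAP server:
#   JAVA_HOME=/opt/jdk import_trusted_root ./CAcert.cer myldap
```

Because the default cacerts password is public knowledge, anything with write access to the keystore can add a trusted root; keep the file's permissions tight and restart Tomcat after the import so the identity provider picks up the new trust anchor.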
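Added example for Section 3.3 (not part of Novell's release notes or product): a small Python check of a Liberty assertion's validity window, showing how a clock difference between identity provider and service provider produces the assertion failures the note warns about, and how a bounded skew allowance changes the outcome. Liberty assertions use the SAML 1.x Conditions element with NotBefore and NotOnOrAfter; the assertion below is a constructed fragment, and the function names, the receiver_clock helper and the skew parameter are this example's own.

```python
"""Validate a SAML 1.x (Liberty) assertion's time window against the receiver's clock."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion: the IDP says it is valid for five minutes from 12:00:00Z.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="example-assertion-1"
    IssueInstant="2003-04-14T12:00:00Z" Issuer="https://idp.example.test/">
  <saml:Conditions NotBefore="2003-04-14T12:00:00Z" NotOnOrAfter="2003-04-14T12:05:00Z"/>
</saml:Assertion>"""


def parse_utc(value):
    """Parse a SAML UTC timestamp (trailing 'Z') into a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_window(xml_text):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion carries no complete Conditions element")
    return parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))


def check_validity(xml_text, now, max_skew_seconds=0):
    """Classify the assertion as 'valid', 'not-yet-valid' or 'expired' for the receiver's clock.

    max_skew_seconds widens the window on both sides to tolerate a small, known clock
    difference; with 0 the check is strict, which is what an unsynchronized SP sees.
    NotOnOrAfter is exclusive, so now == NotOnOrAfter already counts as expired.
    """
    not_before, not_on_or_after = assertion_window(xml_text)
    skew = timedelta(seconds=max_skew_seconds)
    if now + skew < not_before:
        return "not-yet-valid"
    if now - skew >= not_on_or_after:
        return "expired"
    return "valid"


IDP_ISSUE_TIME = parse_utc("2003-04-14T12:00:00Z")


def receiver_clock(offset_seconds):
    """Receiver's clock expressed as an offset from the IDP's issue time (constructed)."""
    return IDP_ISSUE_TIME + timedelta(seconds=offset_seconds)


if __name__ == "__main__":
    # SP clock 30 s behind the IDP: the fresh assertion is rejected as not yet valid.
    print("SP 30s behind, strict:", check_validity(SAMPLE_ASSERTION, receiver_clock(-30)))
    # The same assertion passes once a 60 s skew allowance is configured.
    print("SP 30s behind, 60s skew:", check_validity(SAMPLE_ASSERTION, receiver_clock(-30), 60))
    # SP clock six minutes ahead: the assertion looks expired on arrival.
    print("SP 6min ahead, strict:", check_validity(SAMPLE_ASSERTION, receiver_clock(360)))
```

The strict path is the one to keep in production; a skew allowance only papers over a few seconds of drift and should be paired with NTP on both hosts, since the same drift also causes the certificate validity failures the note mentions.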