Oracle® Access Manager Introduction
10g (10.1.4.2.0)

Part Number B32410-01

5 Overview of 10g (10.1.4.0.1) Behaviors

This chapter provides a brief summary of Oracle Access Manager 10g (10.1.4.0.1) behaviors and mentions earlier behaviors (if those were different).

Note:

10g (10.1.4.0.1) refers to any Oracle Access Manager release in the 10.1.4 series, including base 10g (10.1.4.0.1) installations as well as those which include the 10.1.4.2.0 Patchset. For more information, including a brief description of enhancements available in the latest patchset, see Oracle Access Manager List of Bugs Fixed Release 10.1.4 Patchset 1 (10.1.4.2.0).


5.1 Oracle Access Manager Configuration Manager

This new application automates the process of migrating (pushing a copy of) Oracle Access Manager configuration and access policy data from a designated source directory in one deployment to a designated target directory in a different deployment. For example, after installing and configuring Oracle Access Manager 10g (10.1.4.0.1) for a small test audience, you will most likely need to migrate to a larger deployment that is available to a wider audience. This process is sometimes known as horizontal data migration.

The Oracle Access Manager Configuration Manager Installation and Administration Guide provides considerations, prerequisites, and step-by-step instructions to help ensure your success.

5.2 Platform Support

There are no significant changes in platform support between release 7.0.4 (also available as part of Oracle Application Server 10g Release 2 (10.1.2)) and 10g (10.1.4.0.1). However, there may be significant differences in support between releases earlier than 7.0.4 and 10g (10.1.4.0.1).

For the latest support information, see details under the Certify tab on:

https://metalink.oracle.com

To use MetaLink

  1. Navigate to MetaLink at https://metalink.oracle.com.

  2. Log in to MetaLink as directed.

  3. Click the Certify tab.

  4. Click View Certifications by Product.

  5. Select the Application Server option and click Submit.

  6. Choose Oracle Identity Manager and click Submit.

  7. Click Oracle Identity Management Certification Information 10g (10.1.4.0.1) (html) to display the Oracle Identity Management page.

  8. Click the link for Section 6, "Oracle Access Manager Certification" to display the certification matrix.

For a quick reference table of components and third-party products that are no longer supported, see the Oracle Access Manager Upgrade Guide.

5.3 Obtaining the Latest Patchset

A Patchset is a mechanism for delivering fully tested and integrated product fixes. Patchsets may include new functionality. Each Patchset is cumulative and includes all of the fixes available in earlier Patchsets for the release and PSE Hotfixes if any.

After installing Oracle Access Manager 10g (10.1.4.0.1) on host computers, or after upgrading to Oracle Access Manager 10g (10.1.4.0.1), Oracle recommends that you apply the latest Patchset.

Note:

The Release 10.1.4 Patchset 1 (10.1.4.2.0) provides the latest tools required when using the zero downtime upgrade method. For more information, see the Oracle Access Manager Upgrade Guide.

The information in the following procedure explains how to obtain Release 10.1.4 Patchset 1 (10.1.4.2.0). There may be a later Patchset available. Oracle recommends that you always apply the latest Patchset.

To obtain Release 10.1.4 Patchset 1 (10.1.4.2.0)

  1. Go to Oracle MetaLink Web site and obtain Release 10.1.4 Patchset 1 (10.1.4.2.0), as follows:

    1. Navigate to MetaLink at https://metalink.oracle.com.

    2. Log in to MetaLink as directed.

    3. Click the Patches & Updates tab.

    4. Click Quick Links to the Latest Patchsets, Mini Packs, and Maintenance Packs.

    5. Double-click Oracle Oblix COREid, under the label "Latest Oracle Server/Tools Patchsets".

    6. Locate and select the latest patchset for 10g (10.1.4.0.1) from the table at the bottom of the page. For example, select 5957301 to obtain Release 10.1.4 Patchset 1 (10.1.4.2.0).

    7. From the Platform or Language list, select the appropriate platform for your deployment and then click Download.

  2. Use instructions in the Oracle Access Manager Patchset Notes Release 10.1.4 Patchset 1 (10.1.4.2.0) For All Supported Operating Systems to apply Release 10.1.4 Patchset 1 (10.1.4.2.0) to each 10g (10.1.4.0.1) component instance:

    • Identity Server instances

    • WebPass instances

    • Policy Manager instances

    • Access Server instances

    • WebGate instances

  3. Review the Oracle Access Manager List of Bugs Fixed Release 10.1.4 Patchset 1 (10.1.4.2.0) for details about the enhancements available with this Patchset as well as the bugs fixed with this Patchset release.

5.4 General Behavior Summary

A number of earlier product behaviors have changed to support product globalization. In addition, new features have been added and changes have been made to improve product usability and performance.

If you have upgraded an earlier installation to Oracle Access Manager 10g (10.1.4.0.1), some backward compatibility is enabled during the upgrade and some manual processing must occur. For more information about upgrading, see the Oracle Access Manager Upgrade Guide, which includes details about components and third-party products that are no longer supported.

To ensure that you always have the most up to date information, support details are not presented in manuals. For the latest platform and support information, be sure to see the Certify tab at https://metalink.oracle.com. For more information, see "Platform Support".

Whether you install the Identity System alone or include the Access System, Table 5-1 briefly summarizes overall Oracle Access Manager 10g (10.1.4.0.1) behaviors.

Table 5-1 General Oracle Access Manager Behavior Summary

Function | Behavior

Acquiring and Using Multiple Languages

Early product releases provided messages for end users and administrators in only the English language. Starting with release 6.5, support for translatable messages was provided through Language Packs for certain Latin-1 languages (French and German). Oracle Access Manager 10g (10.1.4.0.1) provides support for nearly a dozen Administrator languages and over two dozen end-user languages, as described in Chapter 4, "About Globalization and Multibyte Support". When you install the product without a Language Pack, only English is available.

Administrative information can be displayed in the Administrators languages listed in Table 4-1 only. When installing components with Oracle-provided Language Packs, you can choose the language (locale) to be used as the default for administrative tasks. If administrative pages are requested in any other language (based on browser settings), the language that was selected as the default during product installation is used to display the pages. See the Oracle Access Manager Installation Guide for installation details.

After installing Oracle Access Manager with Oracle-provided Language Packs, you must enable all languages to be used, then configure Oracle Access Manager to use the installed languages by entering display names for attributes, tabs, and panels as described in the Oracle Access Manager Identity and Common Administration Guide.

Messages in Oracle Access Manager stylesheets depend upon a language. Beginning with release 6.5, messages have been brought out of the stylesheets and defined separately as variables in msgctlg.xsl (and msgctlg.js for JavaScript files). In addition, each stylesheet has a corresponding language-specific thin wrapper stored in IdentityServer_install_dir\identity\oblix\lang\langTag\style0 to segregate the main functionality of the stylesheet template from language-specific messages in the stylesheets. For more information, see the Oracle Access Manager Customization Guide.

Auditing and Access Reporting

To support all available languages, definitions of oblix_audit_events, oblix_rpt_as_reports, oblix_rpt_as_resources, and oblix_rpt_as_users tables have changed. For details, see the Oracle Access Manager Identity and Common Administration Guide.

The Crystal Reports package is no longer provided with the Oracle Access Manager package. You must obtain this product from the vendor.

You can now audit to an Oracle Database as well as to Microsoft SQL Server. Support for MySQL is deprecated in this release.

When configuring Audit Policies in the Identity System Console, you can specify a list of profile attributes for every audit record. Profile attributes (Full Name, Employee Number, Department Number, and the like) are specific to the user performing the action/event being audited (Search or View Profile or Modify Profile, for example). The purpose of profile attributes is to help you identify the user performing the action/event.

Warning: To avoid exposing a challenge phrase or response attribute, Oracle recommends that you do not select these as profile attributes for auditing. If you add a challenge phrase or response as a profile attribute, it is audited in proprietary encoded format.

Before auditing in an environment you upgraded to 10g (10.1.4.0.1), you must retain the original database and data, create a new database instance for use with 10g (10.1.4.0.1), generate new tables, and import earlier data before you start auditing (this last item is a must only if you want to query/generate reports using both old and new data), as described in the Oracle Access Manager Upgrade Guide.

Release 10.1.4 Patchset 1 (10.1.4.2.0): Oracle Instant Client binaries are now shipped with the Identity Server and Access Server. This eliminates the requirement for a 10.1.0.5 ORACLE_HOME on the computer that hosts them when auditing to a database.

Automatic Login and the Password Redirect URL

Using an enhancement in Release 10.1.4 Patchset 1 (10.1.4.2.0), users can be logged in automatically after changing their password. To configure automatic login, the change password redirect URL must include STLogin=%applySTLogin% as a parameter. The following is an example of a change password redirect URL that logs the user in:

/http://computername:portnumber/identity/oblix/apps/lost_password_mgmt/bin/lost_password_mgmt.cgi?program=redirectforchangepwd&login=%login%%userid%&backURL=%HostTarget%%RESOURCE%&STLogin=%applySTLogin%&target=top

To implement this with a form-based authentication scheme, you must configure the challenge parameter creds by supplying the user name credential parameter as the first token, the password credential parameter as the second token, then any other credential parameters.

See the Oracle Access Manager Identity and Common Administration Guide for details.

Automatic Schema Update Support for ADAM

Removed due to an ldifde.exe tool licensing issue. For ADAM, the schema must be updated manually, as described in the Oracle Access Manager Installation Guide.

C++ Programs

When upgrading from releases earlier than 7.0, you may need to recompile C++ programs created with the Software Developer Kit and APIs after the upgrade. See other topics in this chapter for an overview of the impact on Identity System event plug-ins; Access Manager SDK, Access Manager API, and custom AccessGates; and custom authentication and authorization plug-ins and interfaces. See also, the Oracle Access Manager Developer Guide.

Cache Flush

A 10g (10.1.4.0.1) Identity Server cannot flush the cache of an earlier Access Server, which impacts environments that you upgrade. To eliminate problems, you must upgrade the Access Server to 10g (10.1.4.0.1). If you install a new Access Server, ensure that it is backward compatible. See information on the Access Server in Table 5-3.

Certificate Store and Localized Certificates

You can request and add localized certificates containing non-ASCII text in all fields except Email and Country (per the X.509 standard).

Starting with release 7.0 and continuing with 10g (10.1.4.0.1), the default certificate store format and name has changed to cert8.db.

When you upgrade to 10g (10.1.4.0.1), the old certificate store is used. 10g (10.1.4.0.1) works with both the cert7.db (upgraded environments) and cert8.db (new installations) certificate store. Generating a new certificate store occurs transparently whenever you add, modify, or delete certificates using configureAAAServer, setup_ois, or setup_accessmanager utilities. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Compilers for Plug-ins

Starting with release 7.0, components on Solaris and Linux are compiled using the GCC v3.3.2 C++ compiler to address multi-threading issues encountered with earlier compiler releases.

After upgrading to 10g (10.1.4.0.1), you must recompile custom plug-ins from release 5.x or 6.x using the GCC v3.3.2 C++ compiler available from your vendor. This includes Identity Event plug-ins and custom authentication and authorization plug-ins. For details, see the Oracle Access Manager Upgrade Guide.

Configuration Files

Earlier releases of Oracle Access Manager managed certain information (including but not limited to directory connection information and WebGate parameters) solely through XML and LST configuration files. Release 10g (10.1.4.0.1) provides the ability to manage this information through the Identity System Console and Access System Console. See also "Directory Server Connection Details" (in this table) and "WebGates" (in Table 5-3, "Access System Behavior Summary").

Connection Pool Details

Starting with release 7.0, connection pooling was consolidated to support failover across the entire system. The directory connection pool does not depend on directory type. There is some impact when upgrading (depending on the configuration of your earlier installation to each directory server that is configured). See the topic on directory server failover in this table. For more information, see the Oracle Access Manager Upgrade Guide and Oracle Access Manager Deployment Guide.

Console-based Command-Line Interfaces

Oracle Access Manager command-line tools have been modified to automatically detect the server locale and use it for processing. To override the server locale, set either the COREID_NLS_LANG or NLS_LANG environment variable; doing so turns auto-detection off, and the variable takes precedence over the server locale. For details, see the Oracle Access Manager Installation Guide. When set, NLS_LANG takes precedence over LANG, and COREID_NLS_LANG takes precedence over NLS_LANG.

Release 10.1.4 Patchset 1 (10.1.4.2.0): Even if an environment variable is set to ORACLE_HOME or ORA_NLS10, or a third-party Web component refers to a different version of the NLS libraries and data files than the one used by Oracle Access Manager, Oracle Access Manager components choose NLS data files from the oracle_access_manager_component_install_dir. For details, see the Oracle Access Manager Installation Guide.

Customized Styles

Product functionality depends, in part, on stylesheet files in the latest \style0 and \shared directories. Starting with Oracle Access Manager release 6.5, to support multiple languages the location of JavaScript, stylesheets, and images changed. The directory structure introduced with release 6.5 continues with 10g (10.1.4.0.1). For general information about stylesheets and customization, see the Oracle Access Manager Customization Guide.

Customized .XSL style files, images, and JavaScript files are not migrated during an upgrade. If files in your earlier Oracle Access Manager \style0 directory were customized, you must manually edit the newer version files in \style0 and \shared directories after the upgrade. For more information, see the discussion on incorporating custom items in the Oracle Access Manager Upgrade Guide.

Database Input and Output

Oracle Access Manager 10g (10.1.4.0.1) supports the Unicode character set. In new installations, Oracle recommends that you choose a Unicode character set for your database. For more information, see Chapter 4, "About Globalization and Multibyte Support".

Earlier Oracle Access Manager releases used the Latin-1 character set. As a result the varchar type for the columns of audit and reporting related tables was sufficient. 10g (10.1.4.0.1) supports an internationalized character set. As a result, the audit record may contain data with non Latin-1 characters (Chinese, Japanese, Arabic, and the like). For more information, see details about auditing and access reporting in this table.

Date and Time Formats

In the 10g (10.1.4.0.1) Identity System, the date format remains the same as in the last release and is not internationalized (on the Diagnostics page and Ticket Information page for example). However, month names taken from Identity System message catalogs are displayed in the locale specified by the browser. As in earlier releases, date order formats (MM/DD/YYYY versus DD/MM/YYYY and the like) can be configured by modifying object class attributes in the Identity System Console as described in the Oracle Access Manager Identity and Common Administration Guide. On the Ticket Information page, the date is displayed in the format specified in the obDateType parameter in the globalparams.xml file. Weekday names do not appear anywhere within the Identity System.

In the Access System, month names, the date-order format (MM/DD/YYYY versus DD/MM/YYYY), and weekday names are displayed according to the locale specified for the browser. In the Access System, month and weekday names are not taken from message catalog files.

Default Product Page

As in earlier releases, there can be only one static HTML page at the address /identity/oblix/index.html and one static HTML page at the address /access/oblix/index.html. These static product pages always use the default Administrator language selected during Identity Server and Policy Manager installation at this location. Starting with release 6.5, the product supported multiple Latin-1 languages (French, German). The default product page behavior remains the same as in earlier releases. See also information about HTML pages later within this table.

Detecting Cross-site Scripting and SQL Injection

Release 10.1.4 Patchset 1 (10.1.4.2.0) provides enhancements for detecting and handling cross-site scripting and SQL injection. These enhancements guard against malicious data entry in the Oracle Access Manager user applications and administration consoles.

Diagnostic Tools for Identity and Access Servers

Release 10.1.4 Patchset 1 (10.1.4.2.0) includes new diagnostic tools for the Identity and Access Server to help you work with an Oracle Technical Support representative to troubleshoot problems.

The diagnostic tools enable you to do the following:

  • Obtain hard-to-locate information about component configuration and behavior.

  • Automatically capture events that immediately precede a core dump.

  • Manually capture a stack trace of any event in the Identity or Access System.

    For example, if Oracle Access Manager experiences a core dump, it can now write a stack trace to a log file. To enable this functionality, you turn on logging at any minimal level. You can send the log file that contains the stack trace information to Oracle, along with a report of the problem.

See the Oracle Access Manager Identity and Common Administration Guide for details.

Directory Profiles and Database Instance Profiles

In earlier releases, the Identity System included directory profiles and database instance profiles. A directory profile (also known as a directory server profile) contains the connection information for one or more directory servers that share the same namespace and operational requirements for Read, Write, Search, and so on. The connection information includes a name, a domain or namespace to which it applies, a directory type, and a set of operations.

Starting with release 6.5, the Access System began partially using directory profiles and database instance profiles for accessing user data. Also, these directory profiles replace the UserDB.lst, GroupDB.lst, UserDBFailover.lst, and GroupDBFailover.lst configuration files that were used in earlier Access System releases.

In 10g (10.1.4.0.1), a directory profile is created automatically each time you install an Identity Server, Policy Manager, or Access Server and specify new directory server connection information. You can create additional directory server profiles for load balancing and failover after installation.

When you upgrade an earlier Policy Manager or Access Server, a message appears during the incremental upgrade to release 6.5. The message "DB Profiles created" refers to the directory server profile that is created. See also information on connection pools, earlier in this table.

Directory Server Connection Details vs. XML Files

Earlier releases managed directory connection information solely through XML configuration files. Recently, Oracle Access Manager provided the ability to manage this information through the interface using the Directory Profile page in the Identity System Console and the Access System Console. However, some configuration and policy data is still managed through XML files.

Directory Server Failover

Your earlier implementation may include failover between an Oracle Access Manager server and the directory server.

Following data upgrades, the Access Server handles multiple directory servers using directory profiles that are automatically created during the upgrade between release 6.1.0 and 6.5. After upgrading, it is a good idea to verify that the failover configuration you had in the earlier release operates as expected as described in the Oracle Access Manager Deployment Guide.

See also information on connection pool details mentioned earlier in this table, and information about message and parameter .lst files that are transformed into .xml files.

An enhancement in Release 10.1.4 Patchset 1 (10.1.4.2.0) provides a new parameter in globalparams.xml, named LDAPOperationTimeout, that sets the amount of time the Identity Server, Access Server, or Policy Manager waits for a response from the directory server for a single entry of a search result before the component fails over to a secondary server, if one is configured.

A heartbeat_ldap_connection_timeout_in_millis parameter in globalparams.xml determines the time limit for establishing a connection with the directory server. If the time limit is reached, the Identity and Access Servers start establishing connections with another directory server. This parameter enables the Identity and Access Servers to proactively identify when a directory server is down, and it enables failover without requiring an incoming directory service request and a subsequent TCP timeout.

See the chapter on failover in the Oracle Access Manager Deployment Guide and the appendix on parameter files in the Oracle Access Manager Identity Customization Guide for details.

Directory Server Searches

In previous releases, it could take a long time to create a large number of policy domains and URL prefixes in the Policy Manager. In Release 10.1.4 Patchset 1 (10.1.4.2.0), the number of directory server searches made for these operations has been minimized, which improves their performance.

Directory Server Interface

The 10g (10.1.4.0.1) directory server interface reads, processes, and stores data using UTF-8 encoding.

Directory Structure

When you install 10g (10.1.4.0.1) components, you can name the top-level directory as you like. With each installed component, Oracle Access Manager appends an identifier to the directory name you assign. For example:

IdentityServer_install_dir\identity

AccessServer_install_dir\access

In each case, a directory named \oblix\oracle\nlstrl is created after the automatic installation of the Oracle National Language Support Library (not available in earlier releases).

For more information, see the Oracle Access Manager Installation Guide.

Domain Names, URIs, and URLs

10g (10.1.4.0.1) supports ASCII characters only for domain names, URIs, and URLs. This is the same as in earlier releases. There is no support for internationalized characters.

Encryption Schemes

Cookies are encrypted using a configurable encryption key known as a shared secret. In release 5.x, the RC4 encryption scheme was recommended for shared secret keys. In release 6.x, the RC6 encryption scheme was recommended. Starting with release 7.0, AES became the default Access System encryption scheme. For more information, see shared secret details later in Table 5-3 and the Oracle Access Manager Access Administration Guide.

The Identity System continues to use RC6 encryption for Lost Password Management responses.

Failover and Failback

Release 7 introduced a heartbeat polling mechanism to facilitate immediate failover to a secondary directory server when the number of connections in the connection pool falls below the specified threshold level. Additionally, a failback mechanism facilitates switching from the secondary directory server back to the primary server as soon as the preferred connection has been recovered.

The heartbeat feature polls the primary directory server connections periodically to verify the availability of the directory service (and by implication, the network). When the host cannot be reached, further attempts to connect to that host are blocked for the specified Sleep For interval, rather than for the TCP timeout used previously.

If the directory service is not available, the heartbeat mechanism immediately initiates failover to the secondary directory server. Thus, failover can take place without being triggered by an incoming directory service request and a subsequent TCP timeout. A new parameter in globalparams.xml determines the timeout interval for establishing a connection.

In situations where the enterprise network performance is poor, the heartbeat feature can trigger false alarms and tear down already-established connections. Therefore, the heartbeat_enabled parameter in the globalparams.xml enables you to activate or deactivate the heartbeat mechanism in response to current network conditions. By default the heartbeat feature is activated.

For more information, see the Oracle Access Manager Deployment Guide.
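The heartbeat, Sleep For, failback and LDAPOperationTimeout behavior described in this entry and under "Directory Server Failover" earlier in this table, simulated as an added Python example (not Oracle Access Manager code). The parameter names come from this chapter; the DirectoryServer and FailoverPool classes, the simulated clock and the host names are assumptions made for illustration.

```python
"""Simulation of the directory-server failover behaviour this chapter describes:
a heartbeat polls the primary, a host that cannot be reached is blocked for the
Sleep For interval instead of a TCP timeout, failover goes to the secondary,
failback returns to the primary once it answers again, and a per-entry
LDAPOperationTimeout on a search also triggers failover.
Added example, not Oracle Access Manager code; classes and hosts are constructed."""
from dataclasses import dataclass


@dataclass
class DirectoryServer:
    """Constructed stand-in for an LDAP host."""
    name: str
    reachable: bool = True   # does a TCP connect succeed at all
    connect_ms: int = 10     # how long a connect takes
    entry_ms: int = 5        # how long each entry of a search result takes


class FakeClock:
    # Deterministic clock so the Sleep For interval can be tested without sleeping.
    def __init__(self):
        self.now_ms = 0

    def advance(self, ms):
        self.now_ms += ms


class FailoverPool:
    def __init__(self, primary, secondary, clock, heartbeat_enabled=True,
                 heartbeat_ldap_connection_timeout_in_millis=1000,
                 ldap_operation_timeout_ms=5000, sleep_for_ms=60_000):
        self.primary, self.secondary, self.clock = primary, secondary, clock
        self.heartbeat_enabled = heartbeat_enabled
        self.connect_timeout_ms = heartbeat_ldap_connection_timeout_in_millis
        self.op_timeout_ms = ldap_operation_timeout_ms   # LDAPOperationTimeout
        self.sleep_for_ms = sleep_for_ms
        self.active = primary
        self.primary_blocked_until = None   # set while the primary host is considered down
        self.events = []                    # what an administrator would see in the log

    def _connects(self, server):
        return server.reachable and server.connect_ms <= self.connect_timeout_ms

    def _block_primary(self):
        self.primary_blocked_until = self.clock.now_ms + self.sleep_for_ms

    def heartbeat(self):
        """Periodic poll of the primary: proactive failover, later failback."""
        if not self.heartbeat_enabled:
            return self.active.name
        blocked = (self.primary_blocked_until is not None
                   and self.clock.now_ms < self.primary_blocked_until)
        if blocked:
            return self.active.name   # inside Sleep For: no new attempts on that host
        if self._connects(self.primary):
            if self.active is not self.primary:
                self.events.append("failback to " + self.primary.name)
            self.primary_blocked_until, self.active = None, self.primary
        else:
            self._block_primary()
            if self.secondary is not None and self.active is not self.secondary:
                self.events.append("heartbeat failover to " + self.secondary.name)
                self.active = self.secondary
        return self.active.name

    def _answers(self, server):
        return server is not None and server.reachable and server.entry_ms <= self.op_timeout_ms

    def search(self, entries=1):
        """A search: a per-entry answer slower than LDAPOperationTimeout fails over."""
        server = self.active
        if not self._answers(server):
            other = self.secondary if server is self.primary else self.primary
            if server is self.primary:
                self._block_primary()
            if not self._answers(other):
                raise TimeoutError("no directory server answered within LDAPOperationTimeout")
            self.events.append("operation-timeout failover to " + other.name)
            self.active = server = other
        return {"server": server.name, "elapsed_ms": entries * server.entry_ms}


def run_scenario():
    """Walk one outage through the pool; returns the server used at each step."""
    clock = FakeClock()
    primary, secondary = DirectoryServer("ldap-primary"), DirectoryServer("ldap-secondary")
    pool = FailoverPool(primary, secondary, clock)
    steps = [pool.search()["server"]]      # ldap-primary
    primary.reachable = False              # primary host goes down
    steps.append(pool.heartbeat())         # ldap-secondary: failover before any request
    primary.reachable = True
    clock.advance(30_000)
    steps.append(pool.heartbeat())         # ldap-secondary: still inside Sleep For
    clock.advance(31_000)
    steps.append(pool.heartbeat())         # ldap-primary: failback
    primary.entry_ms = 9_000               # primary connects but answers too slowly
    steps.append(pool.search()["server"])  # ldap-secondary: LDAPOperationTimeout failover
    return steps
```

Setting heartbeat_enabled to False reproduces the older behavior, where failover happens only when a request actually times out.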

File and Path Names

With 10g (10.1.4.0.1) only ASCII characters are supported in file and path names. This is the same as in earlier releases.

Graphical User Interface

A number of changes have been made to improve and clarify the Web-based graphical user interface. The user interface is introduced in this guide and described throughout the suite of manuals.

HTML Pages

In 10g (10.1.4.0.1), all HTML pages generated by Oracle Access Manager use UTF-8 encoding. This encoding is communicated to Web browsers using the Content-Type HTTP header and META tags. See also information about default product pages mentioned earlier in this table.

LDAP Bind Password

Release 10.1.4 Patchset 1 (10.1.4.2.0) provides an enhancement in the form of ModifyLDAPBindPassword. This command enables you to periodically update the LDAP bind password for the directory servers that communicate with Oracle Access Manager components in Oracle Access Manager configuration files.

Using the ModifyLDAPBindPassword command, you can reset the LDAP bind password without restarting any servers or re-running setup.

See the chapter on reconfiguring the system in the Oracle Access Manager Deployment Guide for details.

LogFile Enhancements

Release 10.1.4 Patchset 1 (10.1.4.2.0): Operating system error information is now included in the logs. For example, when an attempt to create a listener thread fails, the error code returned on GetLastError() is added to the log files.

You can now generate logs that show details about the time consumed by different types of calls to external components. Using this information, you can better assess whether requests to specific components are taking longer than expected. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Message and Parameter Catalogs

Release 10.1.4 Patchset 1 (10.1.4.2.0) includes .XML parameter and message catalog files. The exception to this rule is the set of files that are used during an upgrade. In 10g (10.1.4.0.1), message files reside in specific directories for each installed language. For example: IdentityServer_install_dir/identity/oblix/lang/langTag/oblixbasemsg.xml. For more information, see the Oracle Access Manager Customization Guide.

Migrating User Data at First Login

Release 10.1.4 Patchset 1 (10.1.4.2.0) includes a new parameter in the globalparams.xml file, MigrateUserDataTo1014. This parameter comes into play only when you upgrade using the zero downtime upgrade method. For more information, see the Oracle Access Manager Upgrade Guide.

Minimum Number of Search Characters

In earlier releases, you needed to enter at least three characters when performing a search in Identity System applications. In 10g (10.1.4.0.1) there is no minimum number of characters required. As in earlier releases, you can control the minimum number of characters that users must enter in the search field as described in Oracle Access Manager Customization Guide.

Multiple Values in Challenge Phrase and Response Attributes

In earlier releases, the lost password management feature supported only a single value for the challenge phrase and response attribute in user entries. Oracle Access Manager 10g (10.1.4.0.1) supports multiple values in challenge phrases and response attributes, and expects these in encoded format. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Names Assigned by Administrators and Product Names

Some product and component names have changed. Certain function names have been made consistent between the Access and Identity Systems as noun phrases. During an upgrade, earlier names are changed to the new name. For more information, see "Product and Component Name Changes".

However, any service names assigned by an administrator during installation or configuration are not changed during an upgrade. Therefore if you have a service named "COREid Server" or "NetPoint Server", these names remain intact after the upgrade. Also, earlier authentication scheme names and policy domain names assigned by an administrator remain unchanged after an upgrade.

Namespaces for Policy Data and User Data Stored Separately

Before release 6.5, the namespaces for policy data and user data stored in two separate directories had to be unique. During an upgrade to 10g (10.1.4.0.1) you need to confirm this uniqueness to ensure that multi-language capability can be enabled. For more information, see the Oracle Access Manager Upgrade Guide.

Object Classes and Attributes

There have been several schema changes in 10g (10.1.4.0.1). For more information, see Oracle Access Manager Schema Description.

obVer Attribute Changes

Until release 10g (10.1.4.0.1), the obVer attribute was purely informational. However starting with release 10g (10.1.4.0.1), the obVer attribute is used by the Identity and Access Servers to support encoding of multiple values in challenge phrase and response attributes for lost password management. In this case, Oracle Access Manager 10g (10.1.4.0.1) reads the obVer attribute in:

  • oblixConfig class: The structural class defines the container node for the Oracle Access Manager configuration data.

  • OblixOrgPerson class: The auxiliary class used for associating Oracle Access Manager person information with the class configured as the structural person object class.

When you upgrade from an earlier release to Oracle Access Manager 10g (10.1.4.0.1), configuration data stored in the oblix tree is migrated automatically and the value of the obVer attribute is changed to 10.1.4.0. However, user data is not migrated until the first login following the upgrade. This means that the obVer attribute value remains less than 10.1.4.0 in user data (in the OblixOrgPerson class). For more information, see the Oracle Access Manager Upgrade Guide and the Oracle Access Manager Schema Description.

Password Policies and Lost Password Management

This release contains password policy and password management enhancements. You can configure the minimum and maximum number of characters users can specify in a password. For lost password management, you can set multiple challenge-response pairs, create multiple style sheets, and configure other aspects of the user's lost password management experience. You can also redirect users back to the originally requested page after resetting a password. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Oracle Access Manager 10g (10.1.4.0.1) uses the value of the obVer attribute in the user entry (OblixOrgPerson) to indicate the encoding for challenge phrase and response attributes. This has implications when upgrading from an earlier release to Oracle Access Manager 10g (10.1.4.0.1). When upgrading, see the Oracle Access Manager Upgrade Guide.

Reconfiguring the Logging Framework without a Restart

In 10g (10.1.4.0.1), you may reconfigure the logging framework without restarting the servers. To do this, an administrator must manually update the logging configuration for each component:

  • Identity Server

  • WebPass

  • Policy Manager

  • Access Server

  • WebGate

Changes to logging parameters take effect within one minute, rather than requiring you to restart the server where the changes were made. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Support Changes

There have been a number of changes in supported platforms and third-party versions. You can now locate complete platform support details under the Certify tab at https://metalink.oracle.com. To use Metalink:

  • Log in to Metalink as directed.

  • Click the Certify tab.

  • Click View Certifications by Product.

  • Select the Application Server option and click Submit.

  • Choose Oracle Application Server and click Submit.

Transport Security for the Directory Server

When you configure SSL mode for the directory server, only server authentication is supported. Client certificates are not supported. Oracle Access Manager verifies the server certificate against the Root CA certificate that you imported during product setup. For more information, see the Oracle Access Manager Access Administration Guide.

Upgrade Enhancements

A new method is available that enables you to perform an upgrade to Oracle Access Manager 10g (10.1.4.0.1) while making a switch from a Solaris platform to a Linux platform.

Release 10.1.4 Patchset 1 (10.1.4.2.0): A new method is available that enables you to perform an upgrade to 10.1.4.2.0 while nearly eliminating the downtime that is generally associated with a standard in-place component upgrade.

For more information, see the Oracle Access Manager Upgrade Guide.

Web Components and Backward Compatibility

Earlier WebPass instances are not compatible with 10g (10.1.4.0.1) Identity Servers (or Policy Managers). After upgrading all earlier Identity Servers, you must upgrade all earlier WebPass instances. For more information, see the Oracle Access Manager Upgrade Guide. Following an upgrade, you may install 10g (10.1.4.0.1) WebPass instances in your upgraded environment. For more information, see the Oracle Access Manager Installation Guide.

If you add a 10g (10.1.4.0.1) Access Server to the upgraded environment, you must set a flag to enable backward compatibility with earlier WebGates. For more information, see details about Access Server backward compatibility.

Release 6.1.1, 6.5, and 7.x WebGates may coexist with upgraded Access Servers. Following an upgrade, you may install 10g (10.1.4.0.1) WebGates in your upgraded environment. However, 10g (10.1.4.0.1) WebGates are not compatible with earlier Access Servers. For more information, see the Oracle Access Manager Upgrade Guide.

Web Server Configuration Files

There have been no changes for globalization and UTF-8 support in any Web server configuration files. However, the importantnotes.txt file has been removed and the information that was in this file is now documented in an appendix in the Oracle Access Manager Installation Guide.

Writing a Stack Trace to a Log File

An enhancement in Release 10.1.4 Patchset 1 (10.1.4.2.0) enables Oracle Access Manager to write a stack trace to a log file when there is a core dump. To enable this functionality, you turn on logging at any minimal level. You can send the log file that contains the stack trace information to Oracle, along with a report of the problem.

See the appendix on troubleshooting in the Oracle Access Manager Identity and Common Administration Guide for details.

XML Catalogs and XSL Stylesheet Encoding

For non-English languages, XML message files have encoding set as UTF-8, because ISO-8859-1 encoding cannot represent all characters in all languages. When no encoding is specified, UTF-8 is used as the default. Some English-only files still use ISO-8859-1 encoding.

For more information, see the Oracle Access Manager Customization Guide.

XSL Enhancements

Enhancements have been made to certain xsl files to support a JavaScript-related fix and a number of large-group-related fixes. These xsl files are available when you install the 10.1.4.2.0 patch set.

For more information, see Oracle Access Manager Customization Guide.


5.5 Identity System Behavior Summary

Table 5-2 briefly summarizes 10g (10.1.4.0.1) Identity System behaviors.

Table 5-2 Identity System Behavior Summary

Function Behavior

Challenge and Response Attributes

Starting with 10g (10.1.4.0.1), both the challenge phrase and response attributes must be on the same panel in Identity System applications. Challenge phrases and responses are displayed one after the other even though these are not configured one after the other in the panel. If a panel contains only the challenge attribute, it will be displayed in the Profile page without a response. If the panel contains only the response (without the challenge attribute), the response will not be displayed in the Profile Page at all.

For details about configuring these, see the Oracle Access Manager Identity and Common Administration Guide. For details about combining these on a single panel after the upgrade, see the Oracle Access Manager Upgrade Guide. For changes to IdentityXML, see the Oracle Access Manager Developer Guide.

Identity Server Backward Compatibility

Starting with 10g (10.1.4.0.1), the Identity Server uses UTF-8 encoding and plug-in data will contain UTF-8 data. Earlier custom plug-ins send and receive data in Latin-1 encoding.

Backward compatibility with earlier custom plug-ins is automatic. However, when you add a new 10g (10.1.4.0.1) Identity Server to an upgraded environment, you need to manually set the encoding flag in the Identity Server oblixpppcatalog.lst to enable communication with earlier plug-ins and interfaces. For details, see the Oracle Access Manager Installation Guide.

Identity System Event Plug-ins

With release 10g (10.1.4.0.1), the Identity Server uses UTF-8 encoding; plug-in data will contain UTF-8 data. For more information, see the Oracle Access Manager Developer Guide.

Backward compatibility between an upgraded Identity Server and earlier Identity Event plug-ins is automatic. For details about adding a new Identity Server to an upgraded environment, see the Oracle Access Manager Installation Guide.

IdentityXML and SOAP Requests and Responses

Starting with release 6.5, certain syntax changes were made for IdentityXML requests. Oracle recommends that you use the latest syntax for your customizations. However, the earlier syntax should still operate without problem.

In 10g (10.1.4.0.1), UTF-8 encoding is used for XML pages, for SOAP/IdentityXML requests, and for Identity Event Plug-in data sent to executables.

For more information and new syntax descriptions, see the Oracle Access Manager Developer Guide.

Java Applets

A user working in an English locale cannot view applets in multibyte languages. To work with applets in a multibyte language, the locale on the user's computer must be set to the same language. Setting browser encoding will not work.

There is a known limitation of Java applets in JDK1.1.7. In Oracle Access Manager 10g (10.1.4.0.1), applets with non-ASCII data can only be displayed properly on computers running with a native encoded operating system.

For more information about acquiring and using languages, see Table 5-1, "General Oracle Access Manager Behavior Summary". See also the Oracle Access Manager Identity and Common Administration Guide.

Large Static Groups

With Release 10.1.4 Patchset 1 (10.1.4.2.0), if a static group is too large (over 10,000 members, for example) you can modify the default evaluation method for the group using the LargeStaticGroups parameter in globalparams.xml. For more information on this parameter, see the Oracle Access Manager Customization Guide.

If you use this feature, you must make appropriate changes in your Identity System configuration to ensure that subgroups of the modified group are still searched and evaluated as intended. See the chapter on performance tuning in the Oracle Access Manager Deployment Guide for details.

Mail Notification

In 10g (10.1.4.0.1), UTF-8 "B" (Base64) encoding is used. The MIME headers for all non-MHTML mail messages are set as follows: MIME-Version: 1.0; Content-Type: text/plain; charset=UTF-8; Content-Transfer-Encoding: 8bit.

Minimum Number of Search Characters

In earlier releases, you needed to enter at least three characters when performing a search in Identity System applications (User Manager, Group Manager, and Organization Manager). In 10g (10.1.4.0.1) there is no minimum number of characters required. By default, you can enter no characters. As in earlier releases, to help users narrow their search criteria you can control the minimum number of characters that users must enter in the search field by setting the searchStringMinimumLength parameter in oblixadminparams.xml. See the Oracle Access Manager Customization Guide for details.

Multi-Step Identity Workflow Engine

You can model your business processes in the Identity System using workflows. In earlier releases, you could use a workflow to issue, revoke, and renew certificates. However, this is no longer supported.

Oracle Identity Protocol (OIP)

The Oracle Identity Protocol (formerly known as the NetPoint Identity Protocol) facilitates communication between Identity Servers and associated WebPass instances. There are no changes in the protocol for globalization.

Password Policies and Password Management Runtime

In 10g (10.1.4.0.1), internationalized characters are supported in password policies. In earlier releases, password policies worked only with Latin1 characters when enforcing policy constraints. There are no Password Management runtime changes.

Poll Tracking Refresh Parameter

Release 10.1.4 Patchset 1 (10.1.4.2.0): The webpass.xml file poll tracking refresh parameter is configurable. When setting up multiple Identity Servers or modifying WebPass, administrators can now configure the PollTrackingRefreshInterval in the webpass.xml file. This interval should be configured in seconds. There are implications when setting up multiple Identity Servers or modifying a WebPass instance.

See the Oracle Access Manager Identity and Common Administration Guide for details.

Portal Inserts and URI Query Strings

In 10g (10.1.4.0.1), the encoding of data in the URI query string is UTF-8 encoding. However, earlier Portal Inserts in installations that have been upgraded to 10g (10.1.4.0.1) require modification after upgrading. For more information, see the Oracle Access Manager Upgrade Guide.

PresentationXML Directories

Before release 6.5, the PresentationXML library was provided under two directories and distributed depending upon how the files were likely to be used. For example, stylesheets that define the default Oracle Access Manager Classic Style were maintained in flat files in \IdentityServer_install_dir\identity\oblix\apps\AppName. Starting with release 6.5 and continuing through 10g (10.1.4.0.1), the PresentationXML library is now stored in different directories. For more information, see the Oracle Access Manager Customization Guide.

Sorting User Search Results

In the User Manager, Group Manager and Org. Manager, search results are sorted using a locale-based case insensitive method when you click the column heading (Full Name, for example) in the search results table.

Web Services Code

Oracle Access Manager now provides sample code for implementing Web services using IdentityXML. For more information, see the Oracle Access Manager Developer Guide.

XSLProcessor Parameter

With Release 10.1.4 Patchset 1 (10.1.4.2.0), when using IdentityXML, the XSLProcessor parameter in the globalparams.xml file indicates the processor to use when generating the page. The only officially supported value, default, indicates that the XDK processor should be used. The values XALAN or DGXT can be used for testing.

See the appendix on configuration parameters in the Oracle Access Manager Customization Guide for details.


5.6 Access System Behavior Summary

Table 5-3 briefly summarizes 10g (10.1.4.0.1) Access System behaviors.

Table 5-3 Access System Behavior Summary

Function Behavior

Access Server Backward Compatibility

Earlier custom plug-ins sent and received data in Latin-1 encoding. In 10g (10.1.4.0.1), Access Servers use UTF-8 encoding and 10g (10.1.4.0.1) custom plug-in data will be UTF-8 encoded. In 10g (10.1.4.0.1), cookie encryption and decryption is accomplished by the Access Server.

When you upgrade an earlier Access Server to 10g (10.1.4.0.1), a new parameter is set in the Access Server globalparams.xml file automatically. This provides backward compatibility with earlier custom plug-ins and interfaces, as well as earlier WebGates and custom AccessGates. For more information, see the Oracle Access Manager Upgrade Guide.

When you add a new Access Server to an upgraded environment, you need to manually set the value in the Access Server globalparams.xml to enable backward compatibility. For more information, see the Oracle Access Manager Installation Guide.

Access Manager SDK, Access Manager API, and Custom AccessGates

10g (10.1.4.0.1) Access Servers use UTF-8 encoding automatically. In addition, the Access Manager SDK (formerly the Access Server SDK) and Access Manager API (formerly known as the Access Server API) are used to create custom AccessGates. Custom AccessGates use UTF-8 encoding automatically.

For Java interfaces and the Java implementation of the Access Manager API, there have been no external changes for 10g (10.1.4.0.1). JNI calls use UTF-16 encoded Java string objects. Earlier Oracle Access Manager releases converted this data to Latin-1. 10g (10.1.4.0.1) Access Servers and AccessGates use UTF-8 encoding automatically.

The 10g (10.1.4.0.1) Access Manager SDK and custom 10g (10.1.4.0.1) AccessGates are not backward compatible with earlier Access Servers, nor with the earlier Access Manager SDK and AccessGates. However, you can use earlier AccessGates with 10g (10.1.4.0.1) Access Servers that are enabled to be backward compatible.

Authentication Scheme Updates

In 10g (10.1.4.0.1) it is no longer necessary to disable an authentication scheme before you modify it. Also, in 10g (10.1.4.0.1) you can configure an authentication scheme that allows the user to log in for a period of time rather than a single session.

Authorization Rules and Access Policies

Starting with release 6.5, Authorization rules are grouped under a tab named "Authorization Rules". Also, a new authorization inconclusive state was introduced in release 7.x (apart from authorization success and failure states).

During an upgrade the rules are renamed using a combination of the Policy Domain name to which the rule belongs, followed by the Authorization Rule name: PolicyDomain_AuthorizationRuleName. When your earlier installation included authorization failure redirects, you need to complete a procedure after the upgrade to assure proper authorization failure redirects. For more information, see the Oracle Access Manager Upgrade Guide.

Custom Authentication and Authorization Plug-in Interfaces

Before 10g (10.1.4.0.1), the Authentication Plug-In API and Authorization Plug-In API for C used Latin-1 encoding for data exchanged between the Access Server and the custom plug-ins. In 10g (10.1.4.0.1), the Authentication Plug-In API and Authorization Plug-In API for C use UTF-8 encoding for plug-in processing. There is no change for .NET (managed code) plug-ins.

Directory Profiles

Release 6.5 introduced support for directory server profiles for the Access Server and Policy Manager. During a Policy Manager upgrade from any release before 7.x, a new directory server profile is added automatically. However, the values for Initial Connections and Maximum Connections are not retained during the Policy Manager upgrade.

After upgrading, Oracle recommends that you verify and validate that new directory server profiles were properly created and that load-balancing and failover settings in Access System directory server profiles are configured as expected. For more information about directory profiles, see Table 5-1, "General Oracle Access Manager Behavior Summary".

Form-based Authentication

10g (10.1.4.0.1) WebGates accept input data only in UTF-8 encoding. To ensure that character set encoding for the login form is set to UTF-8, add the following META tag to the HEAD tag of the login form HTML page: <META http-equiv="Content-Type" content="text/html;charset=utf-8">. For more information, see the Oracle Access Manager Access Administration Guide.
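Two checks a deployer can script around the requirement above, as an added example (not WebGate code): one scans a login page for the META tag described and confirms it declares utf-8, the other decodes a submitted field strictly as UTF-8 and rejects bytes that a Latin-1 form would have sent. The two HTML pages and the form action path are constructed samples.

```python
from html.parser import HTMLParser

# Constructed sample login pages: one with the required META tag, one declaring Latin-1.
LOGIN_FORM_UTF8 = """<html>
<head>
<META http-equiv="Content-Type" content="text/html;charset=utf-8">
<title>Login</title>
</head>
<body><form method="post" action="/login">
<input name="userid"><input type="password" name="password"></form></body></html>"""

LOGIN_FORM_LATIN1 = LOGIN_FORM_UTF8.replace("charset=utf-8", "charset=iso-8859-1")


class _MetaCharsetScanner(HTMLParser):
    """Collect the charset declared by <META http-equiv="Content-Type"> inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.charset = None

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}  # parser lowercases names
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head and self.charset is None:
            if attrs.get("http-equiv", "").lower() == "content-type":
                # content="text/html;charset=utf-8" -> pick out the charset parameter
                for part in attrs.get("content", "").split(";"):
                    key, _, value = part.strip().partition("=")
                    if key.strip().lower() == "charset":
                        self.charset = value.strip().strip('"').lower()

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def login_form_declares_utf8(html: str) -> bool:
    """True only if the page's HEAD carries a Content-Type META tag with charset=utf-8."""
    scanner = _MetaCharsetScanner()
    scanner.feed(html)
    return scanner.charset == "utf-8"


def decode_form_field(raw: bytes) -> str:
    """Strictly decode a submitted field as UTF-8; anything else is rejected rather
    than silently mis-decoded into a different user name or password."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("login field is not valid UTF-8 (was the form served as Latin-1?)") from exc
```

The strict decode matters for the failure mode: the Latin-1 byte for "ü" is 0xFC, which is not a valid UTF-8 lead byte, so a form served without the META tag fails loudly instead of logging a mangled user name.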

Impersonation

In addition to configuring impersonation for resources on a computer that is protected by a WebGate, you can extend impersonation to other resources on the network. This is known as assigning a Delegate impersonation level to the client and is available with Release 10.1.4 Patchset 1 (10.1.4.2.0).

See the chapter on Windows Impersonation in the Oracle Access Manager Integration Guide for details.

Integration Support Enhanced

Release 10.1.4 Patchset 1 (10.1.4.2.0):

Integration support includes SharePoint Office Server 2007. See the chapter on integrating with SharePoint in the Oracle Access Manager Integration Guide for details.

Integration support with SAP NetWeaver is provided. See the chapter on integrating with SAP in the Oracle Access Manager Integration Guide for details.

Integration support with Siebel in a multi-domain Active Directory environment is provided. See the chapter on integrating with Siebel in the Oracle Access Manager Integration Guide for details.

Integration support with Weblogic 9.2 is provided. See the chapter on integrating with WebLogic in the Oracle Access Manager Integration Guide for details.

Integration support with WebSphere 6.1 is provided. See the chapter on integrating with WebSphere in the Oracle Access Manager Integration Guide for details.

Maximum Elements in Session Token Cache

In earlier releases, the default value for this parameter was 100000. However, in Oracle Access Manager 10g (10.1.4.0.1), the default value has changed to 10000. You can find this parameter by navigating to the Access System Console, Access System Configuration tab, Access Server Configuration function. Look on the Details for Access Server page. For more information, see the Oracle Access Manager Access Administration Guide.

Oracle Access Protocol

In 10g (10.1.4.0.1), UTF-8 encoding is used for communication between Access System components to accommodate globalization. The Oracle Access Protocol (OAP) was formerly known as the NetPoint Access Protocol (NAP). For information about the Access Server and backward compatibility, see earlier discussions in this table.

Policy Manager

The Oracle Access Manager Policy Manager was formerly known as the Access Manager component. After upgrading all Identity System components, you must upgrade all earlier Policy Managers as described in the Oracle Access Manager Upgrade Guide.

Policy Manager API

The Policy Manager API was formerly known as the Access Management API. In 10g (10.1.4.0.1):

  • In the C language API, the ObAMMasterAuditRule_getEscapeCharacter remains and you may continue using this. However, the audit escape character must be an ASCII character; otherwise the return value is incorrect. In this case, you must modify your C code to use the new API.

  • On Java clients, the ObAMMasterAuditRule_getEscapeCharacter works correctly and you can continue using this even when the audit escape character is not an ASCII character.

  • In the C language API, a new ObAMMasterAuditRule_getUTF8EscapeCharacter has been added, which returns a pointer to the UTF-8 encoded audit escape character.

For more information, see the Oracle Access Manager Developer Guide.
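Why the audit escape character needs a UTF-8 accessor, as an added example (illustrative Python, not the C or Java Policy Manager API): a single-byte accessor can only represent an ASCII escape character, whereas a non-ASCII one such as "¥" occupies two UTF-8 bytes, so the accessor has to hand back a byte sequence. The escaping routine then shows what the character is for: keeping a field value that contains the record delimiter from forging extra audit fields. The function names and the ";" delimiter are this example's own.

```python
def escape_char_ascii(escape: str) -> int:
    """Single-byte accessor: usable only when the configured escape character is ASCII,
    the case the older C accessor handles correctly."""
    if len(escape) != 1:
        raise ValueError("escape character must be exactly one character")
    code = ord(escape)
    if code > 0x7F:
        raise ValueError("escape character is not ASCII; use escape_char_utf8")
    return code


def escape_char_utf8(escape: str) -> bytes:
    """UTF-8 accessor: the escape character as its one to four UTF-8 bytes."""
    if len(escape) != 1:
        raise ValueError("escape character must be exactly one character")
    return escape.encode("utf-8")


def escape_audit_field(field: str, delimiter: str, escape: str) -> bytes:
    """Escape delimiter and escape occurrences inside one audit field so a value
    containing the record delimiter cannot introduce extra fields into the record."""
    esc = escape_char_utf8(escape)
    out = bytearray()
    for ch in field:
        if ch in (delimiter, escape):
            out += esc
        out += ch.encode("utf-8")
    return bytes(out)


def unescape_audit_field(data: bytes, escape: str) -> str:
    """Reverse of escape_audit_field, for a consumer reading the audit record back."""
    text = data.decode("utf-8")
    out = []
    i = 0
    while i < len(text):
        if text[i] == escape and i + 1 < len(text):
            i += 1  # drop the escape, keep the character it protects
        out.append(text[i])
        i += 1
    return "".join(out)
```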

Preferred HTTP Host

This WebGate configuration parameter is now mandatory before WebGate installation and must be configured with an appropriate value whenever a WebGate is added. (From the Access System Console, select Access System Configuration, Add New AccessGate.) This parameter defines how the hostname appears in all HTTP requests as users attempt to access the protected Web server. The hostname within the HTTP request is translated into the value entered into this field (regardless of the way the hostname was defined in an HTTP request from a user). For more information, see the Oracle Access Manager Installation Guide.

Release 10.1.4 Patchset 1 (10.1.4.2.0):

To support virtual hosts you set the Preferred HTTP Host value to HOST_HTTP_HEADER for most Web hosts or SERVER_NAME (Apache only). Additional configuration is required for IIS.

See the chapter on configuring Access Servers and AccessGates in the Oracle Access Manager Access Administration Guide for details.

Shared Secret

The location of the shared secret key remains unchanged from earlier releases. However, in 10g (10.1.4.0.1), cookie encryption/decryption is handled by the Access Server. During an upgrade to 10g (10.1.4.0.1), the earlier encryption scheme is retained. For more information about Access Servers and WebGates, see other items in this table.

If you change the shared secret during a user session, the user does not need to re-authenticate. If a cookie is being decrypted with the old shared secret and the cookie is refreshed, it is encrypted with the new shared secret. For more information, see the Oracle Access Manager Access Administration Guide.
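The rotation behaviour described above, as an added example of the pattern rather than Oracle's implementation: a session token issued under the old secret is still accepted after the change, and the first refresh re-issues it under the new secret, so users are not forced to re-authenticate. HMAC signing stands in here for the Access Server's cookie encryption; the class, the claim names and the secrets are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

_TAG_LEN = hashlib.sha256().digest_size


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


class SessionTokenService:
    """Models a server that keeps the current shared secret plus the one it replaced."""

    def __init__(self, secret: bytes):
        self.current = secret
        self.previous = None

    def rotate(self, new_secret: bytes) -> None:
        """Change the shared secret; the old one stays valid only for verification."""
        self.previous, self.current = self.current, new_secret

    def issue(self, claims: dict) -> str:
        """Always issue under the current secret."""
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(payload + _sign(payload, self.current)).decode()

    def verify(self, token: str):
        """Return (claims, issued_under_old_secret); reject anything else."""
        raw = base64.urlsafe_b64decode(token)
        if len(raw) <= _TAG_LEN:
            raise ValueError("malformed session token")
        payload, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
        if hmac.compare_digest(tag, _sign(payload, self.current)):
            return json.loads(payload), False
        if self.previous is not None and hmac.compare_digest(tag, _sign(payload, self.previous)):
            return json.loads(payload), True  # still valid, but should be refreshed
        raise ValueError("invalid session token")

    def refresh(self, token: str) -> str:
        """A refreshed token is re-issued under the current secret, whichever secret
        the incoming token was verified with."""
        claims, _ = self.verify(token)
        return self.issue(claims)
```

Keeping exactly one previous secret bounds the window: after a second rotation, tokens from two secrets ago are rejected, which is the check a reviewer should look for in any rotation scheme.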

Triggering Authentication Actions After the ObSSOCookie Is Set

You can cause authentication actions to be executed after the ObSSOCookie is set. Typically, authentication actions are triggered after authentication has been processed and before the ObSSOCookie is set. However, in a complex environment, the ObSSOCookie may be set before a user is redirected to a page containing a resource. In this case, you can configure an authentication scheme to trigger these events. See also Oracle Access Manager Access Administration Guide.

WebGates

In earlier releases, cookie encryption and decryption was accomplished by WebGates and AccessGates. In 10g (10.1.4.0.1), cookie encryption and decryption is accomplished by the Access Server. WebGates and AccessGates no longer need the shared secret key.

10g (10.1.4.0.1) WebGates have been redesigned and the WebGatestatic.lst file has been replaced with options you can configure using the Access System Console, Access System Configuration tab. See the Oracle Access Manager Access Administration Guide for details.

Earlier WebGates may coexist with 10g (10.1.4.0.1) Access Servers. However, each Access Server must be backward compatible with earlier WebGates. For more information, see details about Access Servers in this table, and the Oracle Access Manager Upgrade Guide.

The code for WebGates has been rewritten so that 10g (10.1.4.0.1) WebGates and AccessGates share the same code base. For more information, see the Oracle Access Manager Developer Guide.

Release 10.1.4 Patchset 1 (10.1.4.2.0):

A WebGate-to-Access Server timeout threshold specifies how long (in seconds) the WebGate waits for the Access Server to respond before it considers it unreachable and attempts the request on a new connection. However, if the Access Server takes longer to service a request than the value of the timeout threshold, the WebGate abandons the request and retries the request on a new connection. Note that the new connection that is returned from the connection pool can be to the same Access Server, depending on your connection pool settings. Additionally, other Access Servers may also take longer to process the request than the time allowed by the threshold. In these cases, the WebGate can continue to retry the request until the Access Servers are shut down.

You can now configure a limit on the number of retries that the WebGate performs for a non-responsive server using the client_request_retry_attempts parameter. This is a user-defined parameter in the Access System. The default value for this parameter is -1. Setting the parameter value to -1 (or not setting it at all) allows an infinite number of retries. See the Oracle Access Manager Access Administration Guide for details.
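A simulation of the retry behaviour the two paragraphs above describe, added as an example (it models the text, it is not WebGate code): each attempt draws a connection from the pool, a service time above the threshold counts as a timeout, and the retry budget decides whether the request is eventually abandoned or, with -1, retried without bound. The per-attempt service times and the iteration guard are constructed for the example.

```python
INFINITE_RETRIES = -1  # the documented default of client_request_retry_attempts


def dispatch_with_retries(service_times, timeout_threshold, retry_attempts=INFINITE_RETRIES,
                          max_iterations=1000):
    """Simulate a WebGate request against a pool of Access Servers.

    service_times: seconds each successive connection takes to answer (constructed
      sample; attempt i uses service_times[i % len(service_times)], so a short list
      stands in for "the pool keeps handing back the same slow servers").
    timeout_threshold: WebGate-to-Access Server timeout in seconds.
    retry_attempts: retries allowed after the first attempt; -1 means unlimited.
    Returns (outcome, attempts) with outcome "served", "abandoned" or "unbounded".
    """
    if not service_times:
        raise ValueError("need at least one service time")
    attempts = 0
    while True:
        attempts += 1
        service = service_times[(attempts - 1) % len(service_times)]
        if service <= timeout_threshold:
            return "served", attempts
        # Timed out on this connection: the request is abandoned here and retried
        # on a new connection, unless the retry budget is exhausted.
        retries_used = attempts - 1
        if retry_attempts != INFINITE_RETRIES and retries_used >= retry_attempts:
            return "abandoned", attempts
        if attempts >= max_iterations:
            # Guard so the demonstration terminates; a real WebGate with -1 keeps going.
            return "unbounded", attempts
```

With every server slower than the threshold and the default of -1, the loop only stops because of the guard, which is the operational point of the new parameter: a bounded value turns a retry storm against an overloaded pool into a finite, diagnosable failure.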