What's New in Oracle Access Manager?

This section describes new features of the Oracle Access Manager release 10.1.4. This includes details for 10g (10.1.4.0.1), 10g (10.1.4.2.0), and 10g (10.1.4.3).

The following sections are included:

• Product and Component Name Changes

• Enhancements Available in 10g (10.1.4.3)

• WebGate Updates

• URL Prefixes and Patterns

• Triggering Authentication Actions After the ObSSOCookie Is Set

• Form-based Authentication

• Disabling Authentication Schemes

• Persistent Cookies in Authentication Schemes

• HTTP Header Variables and Cookies

• Configuring Logout

• Associating WebGates with Specific Virtual Hosts, Directories, and Files

• Configuring the validate_password Plug-In

• Overriding Windows-Enabled Impersonation

• Configuring Lotus Domino and Windows Impersonation Single Sign-On

• Troubleshooting

Note:

For a comprehensive list of all new features and functions in Oracle Access Manager 10.1.4, and a description of where each is documented, see the chapter on what's new in the Oracle Access Manager Introduction.

Product and Component Name Changes

The original product name, Oblix NetPoint, has changed to Oracle Access Manager. Most component names remain the same. However, there are several important changes that you should know about, as shown in the following table:

Item	Was	Is
Product Name	Oblix NetPoint Oracle COREid	Oracle Access Manager
Product Name	Oblix SHAREid NetPoint SAML Services	Oracle Identity Federation
Product Name	OctetString Virtual Directory Engine (VDE)	Oracle Virtual Directory
Product Name	BEA WebLogic Application Server BEA WebLogic Portal Server	Oracle WebLogic Server Oracle WebLogic Portal
Product Release	Oracle COREid 7.0.4	Also available as part of Oracle Application Server 10g Release 2 (10.1.2).
Directory Name	COREid Data Anywhere	Data Anywhere
Component Name	COREid Server	Identity Server
Component Name	Access Manager	Policy Manager
Console Name	COREid System Console	Identity System Console
Identity System Transport Security Protocol	NetPoint Identity Protocol	Oracle Identity Protocol
Access System Transport Protocol	NetPoint Access Protocol	Oracle Access Protocol
Administrator	NetPoint Administrator COREid Administrator	Master Administrator
Directory Tree	Oblix tree	Configuration tree
Data	Oblix data	Configuration data
Software Developer Kit	Access Server SDK ASDK	Access Manager SDK
API	Access Server API Access API	Access Manager API
API	Access Management API Access Manager API	Policy Manager API
Default Policy Domains	NetPoint Identity Domain COREid Identity Domain	Identity Domain
Default Policy Domains	NetPoint Access Manager COREid Access Manager	Access Domain
Default Authentication Schemes	NetPoint None Authentication COREid None Authentication	Anonymous Authentication
Default Authentication Schemes	NetPoint Basic Over LDAP COREid Basic Over LDAP	Oracle Access and Identity Basic Over LDAP
Default Authentication Schemes	NetPoint Basic Over LDAP for AD Forest COREid Basic Over LDAP for AD Forest	Oracle Access and Identity for AD Forest
Access System Service	AM Service State Policy Manager API Support Mode	Access Management Service Note: Policy Manager API Support Mode and Access Management Service are used interchangeably.

All legacy references in the product or documentation should be understood to connote the new names.

Enhancements Available in 10g (10.1.4.3)

Included in this release are new enhancements and bug fixes for 10g (10.1.4.3) in addition to all fixes and enhancements from 10g (10.1.4.2.0) bundle patches through BP07. The following topics describe 10g (10.1.4.3) enhancements described in this book:

• Access Management Service Clarifications

• Access Tester Use with Custom Authentication and Authorization Plug-ins

• Form-based Authentication Parameters

• Global Sequence Number Corruption Recovery

• Internet Protocol Version 6

• Multi-Language Deployments and English Only Messages

• Native POSIX Thread Library (NPTL) for Linux

• Troubleshooting Tips

• WebGate User-Defined Configuration Parameters

See Also:

Oracle Access Manager Introduction for a list of all new features and functions

Access Management Service Clarifications

Several clarifications have been made with regard to the Access Management Service in WebGate and Access Server profiles. This setting is Off by default. When set to On, the Access Server starts servicing requests from AccessGates. The Access Management Service must be On for associated Access Servers and AccessGates. The Access Management Service must be On for associated Access Servers and AccessGates. WebGates do not require the Access Management Service, unless an associated Access Server uses it.

See Also:

Chapter 3, "Configuring WebGates and Access Servers"

Access Tester Use with Custom Authentication and Authorization Plug-ins

New information has been added to describe how to use Access Tester when you have custom authentication or authorization plug-ins.

See Also:

"Using Access Tester"

Form-based Authentication Parameters

Oracle has added a new, optional, and configurable challenge parameter (maxpostdatabytes) for form-based authentication schemes only. Use of the maxpostdatabytes challenge parameter is similar to other challenge parameters (form, creds, action, and passthrough).

See Also:

Appendix A, "Form-Based Authentication"

Global Sequence Number Corruption Recovery

The oblixGSN objectclass in the directory server is used in the cache flush mechanism. It contains a global sequence number (a value in the obSeqNo attribute) that represents the flush request number. When you have multiple Access Servers writing to multiple directory servers, however, changes could cause the global sequence number in the directory servers to get out of sync. Thus, corresponding entries in the directory servers might become corrupted, which can lead to inconsistent performance in Oracle Access Manager.

Oracle Access Manager provides functionality that enables you to detect corrupted GSNs in the directory server from the command-line tool (recovergsncorruption) in the following path: PolicyManager_install_dir\access\oblix\tools. If corruption is discovered, you can initiate recovery processing after disabling the cache flush operation between Identity Servers and Access Servers.

See Also:

• "Detecting and Restoring Corrupted Sync Records in Environments with Multiple Directory Servers"

• "Cache Flush Issues with Active Directory"

Internet Protocol Version 6

Oracle Access Manager supports Internet Protocol Version 4 (IPv4). However, you can configure Oracle Access Manager to work with clients that support IPv6 by setting up a reverse proxy server.

See Also:

Appendix D, "Using Oracle Access Manager with IPv6 Clients"

Multi-Language Deployments and English Only Messages

Messages for minor releases (10g (10.1.4.2.0) and 10g (10.1.4.3)) added for new functionality might not be translated and can appear in English only.

Native POSIX Thread Library (NPTL) for Linux

Earlier releases of Oracle Access Manager for Linux used the LinuxThreads library only. Using LinuxThreads required that you set the environment variable LD_ASSUME_KERNEL, which is used by the dynamic linker to decide what implementation of libraries is used. When you set LD_ASSUME_KERNEL to 2.4.19 the libraries in /lib/i686 are used dynamically.

RedHat Linux v5 and later releases support only Native POSIX Thread Library (NPTL), not LinuxThreads. To accommodate this change, Oracle Access Manager 10g (10.1.4.3) is compliant with NPTL specifications. However, LinuxThreads is used by default for all except Oracle Access Manager Web components for Oracle HTTP Server 11g.

Note:

On Linux, Oracle Access Manager Web components for Oracle HTTP Server 11g use only NPTL; you cannot use the LinuxThreads library. In this case, do not set the environment variable LD_ASSUME_KERNEL to 2.4.19.

Troubleshooting Tips

Several new tips have been added to the troubleshooting details in this guide:

See Also:

Appendix E, "Troubleshooting Oracle Access Manager"

• "Problem with Large Authorization Expressions"

• "Cache Flush Issues with Active Directory"

• "File Ownership and Command Line Tools"

• "Policy Manager Hangs During Cache Flush from Policy Manager to Access Server"

• "Mismatch Between Content and Content Length in a Web Server 401 Response"

WebGate User-Defined Configuration Parameters

Several new user-defined parameters have been added for use in WebGate configuration profiles.

• ContentLengthFor401Response

• idleSessionTimeoutLogic

• ProxySSLHeaderVar

• RetainDownstreamPostData

• SUN61HttpProtocolVersion

See Also:

"Configuring User-Defined AccessGate Parameters"

WebGate Updates

• WebGates have been updated to use the same code as the Access System, and WebGate configuration parameters that once existed in WebGateStatic.lst have been moved to the Access System user interface.

  After installing the new WebGates, you can now configure such parameters as IPValidation and IPValidationExceptions from the Access System GUI. The WebGateStatic.lst file no longer exists.

  See Also:

  "Configuring AccessGates and WebGates", "Configuring User-Defined AccessGate Parameters".

• WebGates can work behind a reverse proxy.

  Information on setting up a WebGate behind a reverse proxy has been added to this book.

  See Also:

  "Placing a WebGate Behind a Reverse Proxy".

• Preferred HTTP Hosts are now required, and special configuration is needed to support virtual Web hosting.

  In this release, you must supply a Preferred HTTP Host when configuring a WebGate. If you use virtual Web hosting, there are new parameters for specifying a preferred HTTP host when your environment supports virtual hosting.

  See Also:

  "Configuring Preferred HTTP Hosts, Host Identifiers, and Virtual Web Hosts" and "Configuring Virtual Web Hosting".

URL Prefixes and Patterns

• The documentation on URL prefixes and patterns has been updated for clarity.

  See Also:

  "About URL Prefixes", "About URL Patterns".

• WebGates can work behind a reverse proxy.

  Information on setting up a WebGate behind a reverse proxy has been added to this book.

  See Also:

  "Placing a WebGate Behind a Reverse Proxy".

Triggering Authentication Actions After the ObSSOCookie Is Set

• You can cause authentication actions to be executed after the ObSSOCookie is set.

  Typically, authentication actions are triggered after authentication has been processed and before the ObSSOCookie is set. However, in a complex environment, the ObSSOCookie may be set before a user is redirected to a page containing a resource. In this case, you can configure an authentication scheme to trigger these events.

  See Also:

  "Triggering Authentication Actions After the ObSSOCookie is Set".

Form-based Authentication

• Globalization support impacts basic authentication and form-based authentication methods.

  See Also:

  "About Basic and X.509Cert (Client Cert)", "Sample Login Form".

• Information has been added about the differences between configuring a form on the server where the WebGate resides and configuring it on a server other than the one hosting the WebGate.

  See Also:

  "Configuring a Form-Based Authentication Scheme" and "Forms that Reside on Servers Other Than a WebGate".

• Information has been added about configuring single logout from applications that use form-based authentication.

  See Also:

  "Configuring Logout".

Disabling Authentication Schemes

• It is no longer necessary to disable an authentication scheme before you modify it.

  See Also:

  Configuring User Authentication.

Persistent Cookies in Authentication Schemes

• You can configure an authentication scheme that allows the user to log in for a time period rather than a single session.

  See Also:

  "Retaining the ObSSOCookie Over Multiple Sessions".

HTTP Header Variables and Cookies

• Non-ASCII characters are not permitted in HTTP headers or cookies. Thus, non-ASCII characters are not supported in the header variable Name and Return Attribute fields when you define authentication rule actions.

  See Also:

  "About the Use of HTTP Header Variables and Cookies".

Configuring Logout

• You can configure the Oracle Access Manager single sign-on logout URL to point to a logout.html file in the language of the user's browser.

  See Also:

  "Configuring a Single Sign-On Logout URL".

• A section has been added on creating custom single sign-on logout URLs and logout pages.

  See Also:

  "Configuring Logout".

Associating WebGates with Specific Virtual Hosts, Directories, and Files

• You can configure the WebGate to only work with specific virtual hosts, directories, and files.

  See Also:

  "Associating a WebGate with Particular Virtual Hosts, Directories, or Files".

Configuring the validate_password Plug-In

• An additional parameter has been added to this plug-in, to be used for Lost Password Management, when a WebPass is on a different server from the WebGate that protects the requested resource.

  See Also:

  "Validate Password Plug-In"

Overriding Windows-Enabled Impersonation

• The appendix on using the Access System to override Windows-enabled Impersonation has been moved.

  See Also:

  Oracle Access Manager Integration Guide.

Configuring Lotus Domino and Windows Impersonation Single Sign-On

• The information on configuring single sign-on with Lotus Domino and Windows Impersonation has been moved to another book in this suite.

  See Also:

  Oracle Access Manager Integration Guide.

Troubleshooting

• Information on troubleshooting that was dispersed throughout this manual has been consolidated in a separate appendix.

  See Also:

  "Troubleshooting Oracle Access Manager".

• You can now write diagnostic information to a log file.

  See Also:

  "Capturing Diagnostic Information".

• New troubleshooting topics have been added.

  See also:

  • "WebGate Diagnostics URL Incorrectly Report that the Access Server Is Down"

  • "WebGate Cannot Connect to its Associated Access Server"

  • "Error Message to Check if the Directory Server is Running or Responding"