Oracle® Access Manager Identity and Common Administration Guide
Part Number E12489-01
This section describes new features of the Oracle Access Manager release 10.1.4. This includes details for 10g (10.1.4.0.1), 10g (10.1.4.2.0), and 10g (10.1.4.3).
Note: For a comprehensive list of all new features and functions in Oracle Access Manager 10.1.4, and a description of where each is documented, see the chapter on what's new in the Oracle Access Manager Introduction.
The original product name, Oblix NetPoint, has changed to Oracle Access Manager. Most component names remain the same. However, there are several important changes that you should know about, as shown in the following table:
| Item | Legacy Name | New Name |
| --- | --- | --- |
| Product Name | Oblix NetPoint | Oracle Access Manager |
| Product Name | Oblix SHAREid, NetPoint SAML Services | Oracle Identity Federation |
| Product Name | OctetString Virtual Directory Engine (VDE) | Oracle Virtual Directory |
| Product Name | BEA WebLogic Application Server, BEA WebLogic Portal Server | Oracle WebLogic Server, Oracle WebLogic Portal |
| Product Release | Oracle COREid 7.0.4 | Also available as part of Oracle Application Server 10g Release 2 (10.1.2). |
| Directory Name | COREid Data Anywhere | Data Anywhere |
| Component Name | COREid Server | Identity Server |
| Component Name | Access Manager | Policy Manager |
| Console Name | COREid System Console | Identity System Console |
| Identity System Transport Security Protocol | NetPoint Identity Protocol | Oracle Identity Protocol |
| Access System Transport Protocol | NetPoint Access Protocol | Oracle Access Protocol |
| Directory Tree | Oblix tree | Configuration tree |
| Data | Oblix data | Configuration data |
| Software Developer Kit | Access Server SDK | Access Manager SDK |
| API | Access Server API | Access Manager API |
| API | Access Management API, Access Manager API | Policy Manager API |
| Default Policy Domains | NetPoint Identity Domain, COREid Identity Domain | |
| Default Policy Domains | NetPoint Access Manager, COREid Access Manager | |
| Default Authentication Schemes | NetPoint None Authentication, COREid None Authentication | |
| Default Authentication Schemes | NetPoint Basic Over LDAP, COREid Basic Over LDAP | Oracle Access and Identity Basic Over LDAP |
| Default Authentication Schemes | NetPoint Basic Over LDAP for AD Forest, COREid Basic Over LDAP for AD Forest | Oracle Access and Identity for AD Forest |
| Access System Service | AM Service State, Policy Manager API Support Mode | Access Management Service |
Note: Policy Manager API Support Mode and Access Management Service are used interchangeably.
All legacy references in the product or documentation should be understood to connote the new names.
Included in this release are new enhancements and bug fixes for 10g (10.1.4.3), in addition to all fixes and enhancements from 10g (10.1.4.2.0) bundle patches through BP07. The following topics describe the 10g (10.1.4.3) enhancements covered in this book:
See Also: Oracle Access Manager Introduction for a list of all new features and functions.
Oracle Access Manager 10g (10.1.4.3) provides an asynchronous cache flush option to help streamline performance and avoid delays associated with synchronous cache flush operations on the Access System. With the asynchronous method, the request arrives at the Access Server and a response is sent immediately to the Identity Server without a delay.
See Also: The chapter on caching and cloning in the Oracle Access Manager Deployment Guide.
Messages for minor releases (10g (10.1.4.2.0) and 10g (10.1.4.3)) added for new functionality might not be translated and can appear in English only.
Earlier releases of Oracle Access Manager for Linux used the LinuxThreads library only. Using LinuxThreads required that you set the environment variable LD_ASSUME_KERNEL, which is used by the dynamic linker to decide what implementation of libraries is used. When you set LD_ASSUME_KERNEL to 2.4.19 the libraries in /lib/i686 are used dynamically.
RedHat Linux v5 and later releases support only Native POSIX Thread Library (NPTL), not LinuxThreads. To accommodate this change, Oracle Access Manager 10g (10.1.4.3) is compliant with NPTL specifications. However, LinuxThreads is used by default for all except Oracle Access Manager Web components for Oracle HTTP Server 11g.
Note: On Linux, Oracle Access Manager Web components for Oracle HTTP Server 11g use only NPTL; you cannot use the LinuxThreads library. In this case, do not set the environment variable LD_ASSUME_KERNEL to 2.4.19.
Oracle Access Manager handles sensitive information about users, which can include the user password, date of birth, a challenge response, security questions and answers for lost password requests, and more. At certain logging levels, sensitive information might be captured.
You can now enable secure logging, which filters sensitive information out of log files.
Oracle Access Manager 10.1.3 has undergone a globalization process to provide multibyte support that enables processing of internationalized data and messages in the user's native language.
As part of the globalization support, some file formats have changed from the proprietary .lst format to .xml:
password.xml; globalparams.xml; obscoreboard; AppDBfailover.xml and AppDB.xml; ConfigDBfailover.xml and ConfigDB.xml; WebResrcDBfailover.xml -- now WebResrcDB.xml; snmp_agent_config_info.xml; obscoreboard_params.xml
See Also: References to these file names in this manual.
Oracle Access Manager uses a locale-based case insensitive sorting method when you click the column heading (Full Name, for example) in the search results table.
See Also: "Search Functionality".
In the Identity System Console, some display names are displayed incorrectly if the locale of the browser is different from the locale of the characters used in the display name.
When generating a report for an Identity application, save the report file as .txt and re-import it for the characters to display correctly.
Password policies and Lost Password Management have been enhanced.
You can configure the minimum and maximum number of characters users can specify in a password.
See Also: "Managing Password Policies".
For lost password management, you can set multiple challenge-response pairs, create multiple stylesheets, and configure other aspects of the user's lost password management experience.
See Also: "Lost Password Management".
You can redirect users back to the originally requested page after resetting a password.
You can enable users to access resources without re-authenticating after resetting a password.
This book contains expanded information on configuring Oracle Access Manager for multiple directory searchbases, also called disjoint domains or realms.
Information has been added on enabling legacy groups to accept user subscriptions.
This book contains expanded information on configuring workflows for dynamic targets.
You can dynamically assign a user to a target on a create user workflow. For example, you can define a create user workflow that enables user A to log in under ou=users, invoke the workflow, and create user B whose entry is automatically determined to be in the same ou as user A. This ability always existed in the Identity System, and is now explicitly documented in the chapter on workflows.
The section on the QuickStart tool now mentions that only Master Administrators can use the QuickStart tool.
You might receive an error when viewing or managing a static nested group. Administrators can now disable processing of nested static groups for performance reasons.
The section on configuring panels now notes that you should configure at least one panel for Org. Manager. This is required to enable users to save profile data.
You can now audit to an Oracle Database in addition to Microsoft SQL Server. Support for MySQL is deprecated in this release.
The Crystal Reports package is no longer provided with the Oracle Access Manager package. You must obtain this product from the vendor.
Changes to logging parameters take effect within one minute, rather than requiring you to restart the server where the changes were made.
If Oracle Access Manager experiences a core dump, a stack trace is automatically written to the log file if you have enabled logging.
To keep log output concise while diagnosing a particular problem, you can configure different log level thresholds for different modules within a log configuration file. For example, to diagnose slow response times for an Identity Server's LDAP directory, you would only be interested in detailed logs for LDAP operations.
For capacity planning and performance tuning purposes, you can log the time it takes to process calls to external components. For example, when performing capacity planning, you might want to know what calls to the directory server are taking the most time.
When you configure SSL mode for the directory server, only server authentication is supported. Client certificates are not supported.
See Also: "Transport Security Mode Between Components".
The default value for the Maximum Session Time of 0 (no maximum) can cause LDAP caches to become too large. The recommended value is 600 (10 hours).
See Also: "Creating an LDAP Directory Server Profile".
The samAccountNameLength parameter enables you to increase the number of characters permitted as a SamAccountName attribute value. For Active Directory environments that are running in native mode, you might want to increase the default value for this parameter.
See Also: "About the Length of the SAMAccountName".
Earlier releases of Oracle Access Manager for Linux used the LinuxThreads library only. This required that you set the environment variable LD_ASSUME_KERNEL, which is used by the dynamic linker to decide what implementation of libraries is used. When you set LD_ASSUME_KERNEL to 2.4.19 the libraries in /lib/i686 are used dynamically.
RedHat Linux v5 and later releases support only Native POSIX Thread Library (NPTL), not LinuxThreads. To accommodate this change, Oracle Access Manager 10g (10.1.4.3) is compliant with NPTL specifications.
Oracle Access Manager 10g (10.1.4.3) uses either Native POSIX Thread Library (NPTL) or LinuxThreads. The default mode is LinuxThreads. To support the default, the start_xxxx_server scripts will start in LinuxThreads mode. However, if you use start_xxxx_server_nptl (or restart_xxxx_server_nptl) scripts, NPTL mode is used.
If you are using NPTL, there is no requirement to manually set the environment variable LD_ASSUME_KERNEL to 2.4.19 when installing Web components or third-party connectors for use with Oracle Access Manager. Setup scripts for WebGate and the Access Manager software developer kit (SDK) include an entry for LD_ASSUME_KERNEL, which you must remove or comment out.
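As an added example for the LinuxThreads/NPTL passages above (this is not one of Oracle's own scripts): a POSIX shell helper that reports which pthread implementation glibc presents and comments out LD_ASSUME_KERNEL settings in a WebGate or SDK setup script, so an NPTL-mode start is not forced back onto the LinuxThreads libraries. The setup script it edits is a constructed sample, not an Oracle file.

```shell
#!/bin/sh
# Added example, not an Oracle Access Manager script: check which pthread
# implementation glibc exposes and comment out LD_ASSUME_KERNEL settings in
# a WebGate/SDK-style setup script so an NPTL-mode start is not forced back
# onto the LinuxThreads libraries under /lib/i686.

# Report the thread library glibc presents to processes, e.g. "NPTL 2.17".
thread_library() {
    getconf GNU_LIBPTHREAD_VERSION 2>/dev/null || echo "unknown"
}

# Lines that assign or export LD_ASSUME_KERNEL (with or without a value).
LDAK_PATTERN='^[[:space:]]*(export[[:space:]]+)?LD_ASSUME_KERNEL([[:space:]]*=|[[:space:]]*$)'

# Prefix every matching line in $1 with a comment marker, keep the original
# as $1.bak, and print the number of lines that were disabled.
disable_ld_assume_kernel() {
    file="$1"
    count=$(grep -c -E "$LDAK_PATTERN" "$file" || true)
    cp "$file" "$file.bak"
    tmp="$file.tmp.$$"
    sed -E "/$LDAK_PATTERN/s/^/# disabled for NPTL: /" "$file" > "$tmp" && mv "$tmp" "$file"
    echo "$count"
}

# Constructed sample of the kind of entry the setup scripts carry.
sample="${TMPDIR:-/tmp}/oam_setup_sample.$$"
cat > "$sample" <<'EOF'
#!/bin/sh
LD_ASSUME_KERNEL=2.4.19
export LD_ASSUME_KERNEL
./start_access_server
EOF

echo "thread library: $(thread_library)"
changed=$(disable_ld_assume_kernel "$sample")
echo "disabled $changed LD_ASSUME_KERNEL line(s) in $sample:"
cat "$sample"
rm -f "$sample" "$sample.bak"
```

Run it against a copy of the real setup script first and compare with the .bak file; a result of 0 means the script carried no LD_ASSUME_KERNEL entry in a form the pattern recognises.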
Information on troubleshooting that was dispersed throughout this manual has been consolidated in a separate appendix.
See Also: "Troubleshooting Oracle Access Manager".
You can now write diagnostic information to a log file and collect stack traces.
The Access Server and Identity Server provide diagnostic tools to help you work with an Oracle Technical Support representative to troubleshoot problems. These tools are not for day-to-day administration. Their purpose is to help you investigate problems that require assistance from Oracle Technical Support.
See Also: "Capturing Diagnostic Information".
New troubleshooting topics have been added.