What's New in Oracle Access Manager?

This section describes new features of the Oracle Access Manager release 10.1.4. This includes details for 10g (10.1.4.0.1), 10g (10.1.4.2.0), and 10g (10.1.4.3).

The following sections are included:

• Product and Component Name Changes

• Enhancements Available in 10g (10.1.4.3)

• Globalization

• Password Policies and Lost Password Management

• Configuring Multiple Searchbases

• Configuring Workflows

• Configuring Group Manager

• Configuring Org. Manager

• Auditing

• Logging

• Configuring the Directory Server

• Active Directory

• Linux Native POSIX Thread Library (NPTL)

• Troubleshooting

Note:

For a comprehensive list of all new features and functions in Oracle Access Manager 10.1.4, and a description of where each is documented, see the chapter on what's new in the Oracle Access Manager Introduction.

Product and Component Name Changes

The original product name, Oblix NetPoint, has changed to Oracle Access Manager. Most component names remain the same. However, there are several important changes that you should know about, as shown in the following table:

Item	Was	Is
Product Name	Oblix NetPoint Oracle COREid	Oracle Access Manager
Product Name	Oblix SHAREid NetPoint SAML Services	Oracle Identity Federation
Product Name	OctetString Virtual Directory Engine (VDE)	Oracle Virtual Directory
Product Name	BEA WebLogic Application Server BEA WebLogic Portal Server	Oracle WebLogic Server Oracle WebLogic Portal
Product Release	Oracle COREid 7.0.4	Also available as part of Oracle Application Server 10g Release 2 (10.1.2).
Directory Name	COREid Data Anywhere	Data Anywhere
Component Name	COREid Server	Identity Server
Component Name	Access Manager	Policy Manager
Console Name	COREid System Console	Identity System Console
Identity System Transport Security Protocol	NetPoint Identity Protocol	Oracle Identity Protocol
Access System Transport Protocol	NetPoint Access Protocol	Oracle Access Protocol
Administrator	NetPoint Administrator COREid Administrator	Master Administrator
Directory Tree	Oblix tree	Configuration tree
Data	Oblix data	Configuration data
Software Developer Kit	Access Server SDK ASDK	Access Manager SDK
API	Access Server API Access API	Access Manager API
API	Access Management API Access Manager API	Policy Manager API
Default Policy Domains	NetPoint Identity Domain COREid Identity Domain	Identity Domain
Default Policy Domains	NetPoint Access Manager COREid Access Manager	Access Domain
Default Authentication Schemes	NetPoint None Authentication COREid None Authentication	Anonymous Authentication
Default Authentication Schemes	NetPoint Basic Over LDAP COREid Basic Over LDAP	Oracle Access and Identity Basic Over LDAP
Default Authentication Schemes	NetPoint Basic Over LDAP for AD Forest COREid Basic Over LDAP for AD Forest	Oracle Access and Identity for AD Forest
Access System Service	AM Service State Policy Manager API Support Mode	Access Management Service Note: Policy Manager API Support Mode and Access Management Service are used interchangeably.

All legacy references in the product or documentation should be understood to connote the new names.

Enhancements Available in 10g (10.1.4.3)

Included in this release are new enhancements and bug fixes for 10g (10.1.4.3) in addition to all fixes and enhancements from 10g (10.1.4.2.0) bundle patches through BP07. The following topics describe 10g (10.1.4.3) enhancements described in this book:

• Asynchronous Cache Flush Operations Between Identity and Access Servers

• Multi-Language Deployments and English Only Messages

• Native POSIX Thread Library (NPTL) for Linux

• Securing Sensitive Information in Logs

See Also:

Oracle Access Manager Introduction for a list of all new features and functions

Asynchronous Cache Flush Operations Between Identity and Access Servers

Oracle Access Manager 10g (10.1.4.3) provides an asynchronous cache flush option to help streamline performance and avoid delays associated with synchronous cache flush operations on the Access System. With the asynchronous method, the request arrives at the Access Server and a response is sent immediately to the Identity Server without a delay.

See Also:

The chapter on caching and cloning in the Oracle Access Manager Deployment Guide

Multi-Language Deployments and English Only Messages

Messages for minor releases (10g (10.1.4.2.0) and 10g (10.1.4.3)) added for new functionality might not be translated and can appear in English only.

Native POSIX Thread Library (NPTL) for Linux

Earlier releases of Oracle Access Manager for Linux used the LinuxThreads library only. Using LinuxThreads required that you set the environment variable LD_ASSUME_KERNEL, which is used by the dynamic linker to decide what implementation of libraries is used. When you set LD_ASSUME_KERNEL to 2.4.19 the libraries in /lib/i686 are used dynamically.

RedHat Linux v5 and later releases support only Native POSIX Thread Library (NPTL), not LinuxThreads. To accommodate this change, Oracle Access Manager 10g (10.1.4.3) is compliant with NPTL specifications. However, LinuxThreads is used by default for all except Oracle Access Manager Web components for Oracle HTTP Server 11g.

Note:

On Linux, Oracle Access Manager Web components for Oracle HTTP Server 11g use only NPTL; you cannot use the LinuxThreads library. In this case, do not set the environment variable LD_ASSUME_KERNEL to 2.4.19.

Securing Sensitive Information in Logs

Oracle Access Manager handles sensitive information about users, which can include the user password, date of birth, a challenge response, security questions and answers for lost password requests, and more. At certain logging levels, sensitive information might be captured.

Today, you can enable secure logging and filter sensitive information in log files.

See Also:

• "About Logging, Log Levels, and Log Output"

• "The Simple List, Logging Threshold, and Identity System Console Synchronization"

• "The Filter List"

• "Settings in the Default Log Configuration File"

• "Filtering Sensitive Attributes"

Globalization

Oracle Access Manager 10.1.3 has undergone a globalization process to provide multibyte support that enables processing of internationalized data and messages in the user's native language.

• As part of the globalization support, some file formats have changed from the proprietary .lst format to .xml:

  password.xml; globalparams.xml; obscoreboard; AppDBfailover.xml and AppDB.xml; ConfigDBfailover.xml and ConfigDB.xml; WebResrcDBfailover.xml -- now WebResrcDB.xml; snmp_agent_config_info.xml; obscoreboard_params.xml

  See Also:

  References to these file names in this manual.

• Oracle Access Manager uses a locale-based case insensitive sorting method when you click the column heading (Full Name, for example) in the search results table.

  See Also:

  "Search Functionality".

• In the Identity System Console, some display names are displayed incorrectly if the locale of the browser is different from the locale of the characters used in the display name.

  See Also:

  "Attribute Display Types", "Multiple Languages on a Panel" .

• When generating a report for an Identity application, save the report file as .txt and re-import it for the characters to display correctly.

  See Also:

  "Viewing, Modifying, Localizing, and Deleting Reports".

Password Policies and Lost Password Management

Password policies and Lost Password Management have been enhanced.

• You can configure the minimum and maximum number of characters users can specify in a password.

  See Also:

  "Managing Password Policies".

• For lost password management, you can set multiple challenge-response pairs, create multiple stylesheets, and configure other aspects of the user's lost password management experience.

  See Also:

  "Lost Password Management".

• You can redirect users back to the originally requested page after resetting a password.

  See Also:

  "Configuring Redirection to a Password Reset Page After Password Expiry".

• You can enable users to access resources without re-authenticating after resetting a password.

  See Also:

  "Configuring Redirection to a Password Reset Page After Password Expiry".

Configuring Multiple Searchbases

• This book contains expanded information on configuring Oracle Access Manager for multiple directory searchbases, also called disjoint domains or realms.

  See Also:

  "Working With Multiple Directory Searchbases".

Configuring Groups to Accept Subscriptions

• Information has been added on enabling legacy groups to accepting user subscriptions.

  See Also:

  "Configuring a Group to Accept Subscriptions".

Configuring Workflows

• This book contains expanded information on configuring workflows for dynamic targets.

  You can dynamically assign a user to a target on a create user workflow. For example, you can define a create user workflow that enables user A to log in under ou=users, invoke the workflow, and create user B whose entry is automatically determined to be in the same ou as user A. This ability always existed in the Identity System, and is now explicitly documented in the chapter on workflows.

• The section on the QuickStart tool now mentions that only Master Administrators can use the QuickStart tool.

  See Also:

  "Starting a New Workflow Definition", "Defining an LDAP Target for Create Object Workflows" , and "Using the QuickStart Tool" .

Configuring Group Manager

• You might receive an error when viewing or managing a static nested group. Administrators can now disable processing of nested static groups for performance reasons.

  See Also:

  • "Managing Group Members in Group Manager"

  • "Searching for Group Members"

  • "Allowing Users to View and Change LDAP Data"

  • "Writing LDAP Filters Using Query Builder"

  • Oracle Access Manager Deployment Guide performance tuning chapter

Configuring Org. Manager

• The section on configuring panel now notes that you should configure at least one panel for Org. Manager. This is required to enable users to save profile data.

  See Also:

  "Adding, Modifying, Localizing, and Deleting a Panel".

Auditing

• You can now audit to an Oracle Database in addition to Microsoft SQL Server. Support for MySQL is deprecated in this release.

  The Crystal Reports package is no longer provided with the Oracle Access Manager package. You must obtain this product from the vendor.

  See Also:

  "Auditing".

Logging

• Changes to logging parameters take effect within one minute, rather than requiring you to restart the server where the changes were made.

  See Also:

  "Logging".

• If Oracle Access Manager experiences a core dump, a stack trace is automatically written to the log file if you have enabled logging.

  See Also:

  "Logging" and "Capturing Diagnostic Information".

• For keeping log output concise while diagnosing particular problems, you can configure different log level thresholds for different modules within a log configuraiton file. For example, to diagnose slow response times for an Identity Server's LDAP directory, you would only be interested in detailed logs for LDAP operations.

  See Also:

  "Configuring Different Threshold Levels for Different Types of Data".

• For capacity planning and performance tuning purposes, you can log the time it takes to process calls to external components. For example, when performing capacity planning, you might want to know what calls to the directory server are taking the most time.

  See Also:

  "Logging the Amount of Time to Process Requests".

Configuring the Directory Server

• When you configure SSL mode for the directory server, only server authentication is supported. Client certificates are not supported.

  See Also:

  "Transport Security Mode Between Components".

• The default value for the Maximum Session Time of 0 (no maximum) can cause LDAP caches to become too large. The recommended value is 600 (10 hours).

  See Also:

  "Creating an LDAP Directory Server Profile".

Active Directory

• The samAccountNameLength parameter enables you to increase the number of characters permitted as a SamAccountName attribute value. For Active Directory environments that are running in native mode, you might want to increase the default value for this parameter.

  See Also:

  "About the Length of the SAMAccountName".

Linux Native POSIX Thread Library (NPTL)

Earlier releases of Oracle Access Manager for Linux used the LinuxThreads library only. This required that you set the environment variable LD_ASSUME_KERNEL, which is used by the dynamic linker to decide what implementation of libraries is used. When you set LD_ASSUME_KERNEL to 2.4.19 the libraries in /lib/i686 are used dynamically.

RedHat Linux v5 and later releases support only Native POSIX Thread Library (NPTL), not LinuxThreads. To accommodate this change, Oracle Access Manager 10g (10.1.4.3) is compliant with NPTL specifications.

Oracle Access Manager 10g (10.1.4.3) uses either Native POSIX Thread Library (NPTL) or LinuxThreads. The default mode is LinuxThreads. To support the default, the start_xxxx_server scripts will start in LinuxThreads mode. However, if you use start_xxxx_server_nptl (or restart_xxxx_server_nptl) scripts, NPTL mode is used.

If you are using NPTL, there is no requirement to manually set the environment variable LD_ASSUME_KERNEL to 2.4.19 when installing Web components or third-party connectors for use with Oracle Access Manager. Setup scripts for WebGate and the Access Manager software developer kit (SDK) include an entry for LD_ASSUME_KERNEL, which you must remove or comment out.

See Also:

"NPTL Requirements and Post-Installation Tasks".

Troubleshooting

• Information on troubleshooting that was dispersed throughout this manual has been consolidated in a separate appendix.

  See Also:

  "Troubleshooting Oracle Access Manager".

• You can now write diagnostic information to a log file and collect stack traces.

  The Access Server and Identity Server provide diagnostic tools to help you work with an Oracle Technical Support representative to troubleshoot problems. These tools are not for day-to-day administration. Their purpose is to help you investigate problems that require assistance from Oracle Technical Support.

  See Also:

  "Capturing Diagnostic Information".

• New troubleshooting topics have been added.

  See Also:

  • "Access Server Won't Start When the Debug Log Reaches 2GB"

  • "Access Control and Searchbase Support for eDirectory 8.7.3"

  • "There is No Profile Configured for This Kind of Object" Error Is Issued"

  • "Unable to Save a Directory Server Profile"

  • "Error Message to Check if the Directory Server is Running or Responding"

  • "Active Directory: Adding Members Causes the Group Size to Shrink"

  • "ADSI Cannot Be Enabled for a Directory Profile"

  • "Stylesheet Validation Fails"

  • "Identity Server Crashes if It Cannot Find a Stylesheet"

  • "Identity System Deletes a User Entry When an RDN Is Modified"

  • "WebPass Is Unable to Connect to Its Associated Identity Server"

  • "Simple Transport Security Mode Expires After One Year", "JPEG Photo Images Are Not Updated"

  • "Enable Failed Error Is Issued When Using a Workflow"

  • "Cannot Find xenroll.cab Error Is Issued When Using a Workflow"

  • "Reports With Non-ASCII Characters Are Not Imported Correctly in Excel"

  • "Auditing for the Identity System Ceases to Work"