Oracle® Access Manager Introduction 10g (10.1.4.3) Part Number E12494-01 |
This section describes new features of the Oracle Access Manager release 10.1.4. This includes details for 10g (10.1.4.0.1), 10g (10.1.4.2.0), and 10g (10.1.4.3).
The following sections are included:
The original product name, Oblix NetPoint (also known as Oracle COREid), has changed to Oracle Access Manager. Many component names remain the same. However, there are several important changes that you should know about, as shown in the following table:
All legacy references in the product or documentation should be understood to connote the new names.
Included in this release are new enhancements and bug fixes for 10g (10.1.4.3), in addition to all fixes and enhancements from 10g (10.1.4.2.0) bundle patches through BP07. The following topics summarize the enhancements described in this book:
10g (10.1.4.3) Installers, Patches, Bundle Patches, and Newly Certified Agents
Access System Performance Enhancements for Large Group Evaluations
Access Tester Use with Custom Authentication and Authorization Plug-ins
Asynchronous Cache Flush Operations Between Identity and Access Servers
Eliminate Caching Unwanted Attributes With Identity Server LDAP Retrievals
Error Handling for Message Channel Initialization During Cache Flush
Identity System Performance Enhancements for Large Group Evaluations
A new topic has been added to clarify differences between Oracle Access Manager product packages and their use.
Installation Packages: Oracle Access Manager 10g (10.1.4.3) component installers are available for a fresh installation only.
See Also:
Oracle Access Manager Installation Guide, "Full Installers"
"Obtaining the Latest Installers"
Patch Set Packages: 10g (10.1.4.3) patch set packages available from My Oracle Support (formerly MetaLink) must be applied to 10g (10.1.4.2.0) components. Patch set notes and all Oracle Access Manager manuals, including the Oracle Access Manager Upgrade Guide, are provided with the patch set.
Bundle Patches: A new topic has been added to explain bundle patches and their use.
See Also:
Oracle Access Manager Installation Guide, "Bundle Patches"
"Obtaining the Latest 10g (10.1.4.3) Bundle Patch"
Newly Certified Agents: A new topic has been added to explain newly certified Oracle Access Manager agents and how to get these.
See Also:
Oracle Access Manager Installation Guide, "Newly Certified Agent Packages"
"Obtaining the Latest Certified Agent Packages"
Several clarifications have been made with regard to the Access Management Service in WebGate and Access Server profiles. This setting is Off by default. When set to On, the Access Server starts servicing requests from AccessGates. The Access Management Service must be On for associated Access Servers and AccessGates. WebGates do not require the Access Management Service, unless an associated Access Server uses it.
See Also:
Oracle Access Manager Access Administration Guide, Chapter 3
Oracle Access Manager 10g (10.1.4.3) software developer kit (SDK) for Windows continues to support .NET Framework 1.1 and Microsoft Visual Studio 2002. AccessGates created using the independently installed SDK continue this support.
A new and optional 10g (10.1.4.3) SDK is also provided for Windows which supports .NET version 2 and MSDE Visual Studio 2005. This is specific to only custom AccessGates. This SDK can be independently installed in your deployment whether it is a fresh installation or an upgraded environment that includes the 10g (10.1.4.3) patch.
See Also:
Appendix D, "Installing the Access Manager SDK" in the Oracle Access Manager Developer Guide
Oracle Access Manager Upgrade Guide for details about recompiling existing custom AccessGates for .NET 2
The following Access System performance enhancements for large group evaluations are provided with Oracle Access Manager 10g (10.1.4.3):
The Access Server (and Policy Manager when using the Access Tester) evaluates the group for membership as a type, only if that type is enabled. To improve performance during group evaluations when you do not use dynamic groups, or when you have dynamic groups but do not want to evaluate them while processing ObMyGroups, you can turn off dynamic group evaluation using the TurnOffDynamicGroupEvaluation parameter in the Access Server (or Policy Manager) globalparams.xml file.
Access Server v7.0.2 provided the ability to disable nested group evaluation using the TurnOffNestedGroupEvaluation parameter in the Access Server globalparams.xml file.
See Also:
"Improving Performance During Group Search When Dynamic Groups Are Not Used", in the chapter on performance in the Oracle Access Manager Deployment Guide
The chapter on parameters in the Oracle Access Manager Customization Guide
In the Access Server globalparams.xml file, a new algorithm can be used during group evaluation involving ObMyGroups; it is controlled by the TurnOffNewAlgorithmForObmyGroups parameter. This algorithm works equally when you have static, dynamic, and nested groups.
See Also:
The topic, "Improving Performance of ObMyGroups Evaluations", in the chapter on performance in the Oracle Access Manager Deployment Guide
The chapter on parameters in the Oracle Access Manager Customization Guide
The NestedQueryLDAPFilterSize parameter can be used in the Access Server globalparams.xml file if TurnOffNewAlgorithmForObmyGroups is false. This improves evaluation performance of ObMyGroups. With this parameter, the LDAP search query is divided and then executed.
See Also:
The table on globalparams.xml in the chapter on parameters in the Oracle Access Manager Customization Guide
The GroupCacheTimeout parameter enables you to specify the amount of time an element remains valid in the Access Server group cache. The parameter must be added to the Access Server globalparams.xml file (or the Policy Manager file if you are using the Access Tester).
See Also:
The topic, "Configuring the Access Server Group Cache Timeout and Maximum Elements", in the chapter on performance in the Oracle Access Manager Deployment Guide
The chapter on parameters in the Oracle Access Manager Customization Guide
The GroupCacheMaximumElement parameter specifies the maximum number of elements that can be stored in the Access Server group cache. The parameter must be added to the Access Server globalparams.xml file (or the Policy Manager file if you are using the Access Tester).
See Also:
The topic, "Configuring the Access Server Group Cache Timeout and Maximum Elements", in the chapter on performance in the Oracle Access Manager Deployment Guide
The chapter on parameters in the Oracle Access Manager Customization Guide
New information has been added to describe how to use Access Tester when you have custom authentication or authorization plug-ins.
Oracle Access Manager 10g (10.1.4.3) provides an asynchronous cache flush option to help streamline performance and avoid delays associated with synchronous cache flush operations on the Access System. With the asynchronous method, the request arrives at the Access Server and a response is sent immediately to the Identity Server without a delay.
See Also:
The chapter on caching and cloning in the Oracle Access Manager Deployment Guide
Guidelines are provided to improve performance by tuning the internal DBAgent cache to eliminate specific attributes that are not read or cached during view and modify profile operations.
See Also:
Performance chapter, "Tuning the Internal DBAgent Cache", in the Oracle Access Manager Deployment Guide
Parameters chapter, globalparams.xml table, in the Oracle Access Manager Customization Guide
Oracle Access Manager 10g (10.1.4.3) enhances the network layer shared by WebGate and Access Server. As a result, errors that might occur as a result of message channel initialization failure (due to a socket with an unlimited time period) are avoided. Today, the message channel stops sending and receiving messages and a WARNING level log message is recorded.
See Also:
"Error Handling for Message Channel Initialization During Cache Flush", in the Oracle Access Manager Deployment Guide, Chapter 5.
The oblixGSN objectclass in the directory server is used in the cache flush mechanism. It contains a global sequence number (a value in the obSeqNo attribute) that represents the flush request number. When you have multiple Access Servers writing to multiple directory servers, however, changes could cause the global sequence number in the directory servers to get out of sync. As a result, corresponding entries in the directory servers might become corrupted, which can lead to inconsistent performance in Oracle Access Manager.
Oracle Access Manager 10g (10.1.4.3) provides functionality that enables you to detect corrupted GSNs in the directory server from the command-line tool (recovergsncorruption) in the following path: PolicyManager_install_dir\access\oblix\tools. If corruption is discovered, you can initiate recovery processing after disabling the cache flush operation between Identity Servers and Access Servers.
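The following Python script is an added illustration of the check described above, not the recovergsncorruption tool itself: it reads the obSeqNo value from a dump of each directory server's oblixGSN entry and reports which replicas disagree. The LDIF dumps, host names and the entry DN are constructed placeholders; the real tool reads the entries over LDAP, and recovery (not modelled here) is run only after cache flush between Identity Servers and Access Servers has been disabled, as the text states.

```python
import re

# Constructed LDIF dumps of each replica's oblixGSN entry (not real data).
# The DN is a placeholder; the entry's real location is documented in the
# Oracle Access Manager Access Administration Guide.
SAMPLE_DUMPS = {
    "ds1.example.test": "dn: cn=GSN-ENTRY-DN-PLACEHOLDER\nobjectclass: oblixGSN\nobSeqNo: 10452\n",
    "ds2.example.test": "dn: cn=GSN-ENTRY-DN-PLACEHOLDER\nobjectclass: oblixGSN\nobSeqNo: 10452\n",
    "ds3.example.test": "dn: cn=GSN-ENTRY-DN-PLACEHOLDER\nobjectclass: oblixGSN\nobSeqNo: 10449\n",
}

# obSeqNo line in an LDIF dump; LDAP attribute names are case-insensitive
_OBSEQNO = re.compile(r"^obSeqNo:\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_obseqno(ldif_text: str) -> int:
    """Extract the global sequence number from an LDIF dump of the oblixGSN entry."""
    m = _OBSEQNO.search(ldif_text)
    if m is None:
        raise ValueError("no obSeqNo attribute in dump")
    return int(m.group(1))


def gsn_report(dumps: dict) -> dict:
    """Compare obSeqNo across directory servers and name the replicas that disagree.

    A replica whose value differs from the highest one observed is reported as
    lagging; any disagreement at all means the GSNs are out of sync.
    """
    readings = {host: parse_obseqno(text) for host, text in dumps.items()}
    highest = max(readings.values())
    lagging = sorted(host for host, value in readings.items() if value != highest)
    return {
        "readings": readings,
        "in_sync": not lagging,
        "highest": highest,
        "lagging": lagging,
    }


if __name__ == "__main__":
    report = gsn_report(SAMPLE_DUMPS)
    print("in sync:", report["in_sync"], "lagging:", report["lagging"])
```

Run the report before and after a recovery pass; a non-empty lagging list after recovery means the flush between Identity and Access Servers was not fully quiesced while the entries were being rewritten.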
See Also:
"Restoring Sync Records in Environments with Multiple Directory Servers" in the chapter on "Access System Management" in the Oracle Access Manager Access Administration Guide.
In the groupdbparams.xml file, TurnOffDynamicGroupEvaluation and TurnOffNestedGroupEvaluation can be set to true to enhance performance during group evaluation by eliminating dynamic or nested groups when these are not used.
See Also:
Parameters chapter in the Oracle Access Manager Customization Guide and Performance chapter of the Oracle Access Manager Deployment Guide
IdentityXML requests for gathering the attribute list pertaining to modifying a profile (modifyUser, modifyGroup, and modifyObject) no longer depend on a panel in the Identity System.
See Also:
IdentityXML chapter of the Oracle Access Manager Developer Guide
idleSessionTimeoutLogic Change in Behavior
In release 7.0.4 WebGates enforce their own idle session timeout only. In 10g (10.1.4.0.1), behavior changed and WebGates enforced the most restrictive timeout value among all WebGates the token had visited. With 10g (10.1.4.3), the 7.0.4 behavior has been reinstated as the default. This 7.0.4 behavior can be reconfigured by setting a User-Defined Parameter (idleSessionTimeoutLogic) in the AccessGate Configuration page of the Access System Console. Now WebGates enforce their own idle session timeout only, ignoring the MaxIdleSessionTimeout.
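To make the two behaviors concrete, here is an added Python model (not Oracle's code) of how a WebGate decides whether a session is idle under each rule. The WebGate names, timeout values and the idea of a token carrying a list of visited WebGates are assumptions for illustration; the real token format and the accepted values of idleSessionTimeoutLogic are documented in the Access Administration Guide.

```python
from dataclasses import dataclass, field


@dataclass
class WebGate:
    name: str
    idle_timeout: int  # this WebGate's own idle session timeout, in seconds


@dataclass
class SessionToken:
    last_activity: int  # epoch seconds of the user's last request
    visited: list = field(default_factory=list)  # WebGates this token has passed through (assumed)


def effective_idle_timeout(gate: WebGate, token: SessionToken, per_webgate_only: bool) -> int:
    """Timeout the given WebGate applies to this token.

    per_webgate_only=True  : the 7.0.4 rule, reinstated as the 10g (10.1.4.3) default;
                             only the current WebGate's own value counts.
    per_webgate_only=False : the 10g (10.1.4.0.1) rule; the most restrictive value
                             among the current WebGate and every WebGate already visited.
    """
    if per_webgate_only:
        return gate.idle_timeout
    return min([gate.idle_timeout] + [g.idle_timeout for g in token.visited])


def is_idle(gate: WebGate, token: SessionToken, now: int, per_webgate_only: bool) -> bool:
    """True when the session has been inactive for at least the effective timeout."""
    return now - token.last_activity >= effective_idle_timeout(gate, token, per_webgate_only)


def demo() -> dict:
    # Constructed scenario: a strict 5-minute gate visited first, then a lenient 1-hour gate.
    portal = WebGate("wg-portal", idle_timeout=300)
    intranet = WebGate("wg-intranet", idle_timeout=3600)
    token = SessionToken(last_activity=0, visited=[portal])
    now = 900  # 15 minutes after the last request, the user arrives at the lenient gate
    return {
        "per_webgate_only": is_idle(intranet, token, now, True),   # intranet's own 3600 s: still live
        "most_restrictive": is_idle(intranet, token, now, False),  # portal's 300 s wins: idle
    }


if __name__ == "__main__":
    print(demo())
```

The model shows the security trade-off behind the default: with per-WebGate enforcement, a lenient WebGate keeps a session alive that a stricter WebGate visited earlier would already have expired, so the strict value must be configured on every WebGate where it matters rather than relied on to propagate.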
See Also:
"Configuring User-Defined AccessGate Parameters" in the Oracle Access Manager Access Administration Guide
Oracle Access Manager supports Internet Protocol Version 4 (IPv4). However, you can configure Oracle Access Manager to work with clients that support IPv6 by setting up a reverse proxy server.
See Also:
Oracle Access Manager Access Administration Guide chapter on configuring Oracle Access Manager to operate with IPv6 clients
Oracle Access Manager 10g (10.1.4.3) provides the policyDSMaxAttrValueLength parameter in the globalparams.xml file of Access Server and Policy Manager. This parameter enables you to add large authorization expressions (beyond the directory server limit for non-binary attribute values). You might also need to configure the directory server to accept large attribute values.
See Also:
"Parameter Reference" in Oracle Access Manager Customization Guide
When installing and configuring Oracle Access Manager, specific transport security guidelines must be observed, as described in previous topics. After installation and setup, you can choose to use mixed-mode communication for cache flush operations.
Oracle Access Manager 10g (10.1.4.2.0) provided a method that enabled you to use Open mode communication for cache flush requests between the Identity and Access Server while retaining Simple or Cert mode for all other requests. This type of configuration is known as mixed security mode (or mixed transport security mode) communication. Oracle Access Manager 10g (10.1.4.3) provides a streamlined method to implement mixed-mode communication for cache flush requests.
See Also:
The chapter on caching and cloning in the Oracle Access Manager Deployment Guide
Oracle Access Manager 10g (10.1.4.3) provides new Language Pack installers. 10g (10.1.4.3) Language Packs are required in any 10g (10.1.4.3) deployment, whether it is a fresh installation or an upgraded and patched deployment.
See Also:
Oracle Access Manager Installation Guide, multi-language environments in Chapter 2
Chapter 3, "About Multi-Language Environments"
Chapter 12, "Installing Language Packs Independently"
Messages added for minor releases (10g (10.1.4.2.0) and 10g (10.1.4.3)) as a result of new functionality might not be translated and might appear only in English.
Earlier releases of Oracle Access Manager for Linux used the LinuxThreads library only. Using LinuxThreads required that you set the environment variable LD_ASSUME_KERNEL, which is used by the dynamic linker to decide what implementation of libraries is used. When you set LD_ASSUME_KERNEL to 2.4.19 the libraries in /lib/i686 are used dynamically.
RedHat Linux v5 and later releases support only Native POSIX Thread Library (NPTL), not LinuxThreads. To accommodate this change, Oracle Access Manager 10g (10.1.4.3) is compliant with NPTL specifications. However, LinuxThreads is used by default for all except Oracle Access Manager Web components for Oracle HTTP Server 11g.
Note:
On Linux, Oracle Access Manager Web components for Oracle HTTP Server 11g use only NPTL; you cannot use the LinuxThreads library. In this case, do not set the environment variable LD_ASSUME_KERNEL to 2.4.19. For more information on NPTL behaviors and requirements, see Chapter 5, "Overview of Behaviors".
See Also:
Oracle Access Manager Installation Guide, Linux details in Chapter 2, "Preparing for Installation"
"NPTL Requirements and Post-Installation Tasks" on page E-27
"Oracle Access Manager Components and Command-line Tools Might Fail with LinuxThreads" on page E-30
"Oracle HTTP Server Fails to Start with LinuxThreads" on page E-37
"Oracle HTTP Server WebGate Fails to Initialize On Linux Red Hat 4" on page E-38
Oracle Access Manager 10g (10.1.4.3) provides new parameters in the following globalparams.xml files:
In the Identity Server globalparams.xml file, you can use the negativeListForEntityAttributes parameter to identify specific attributes that are not read or cached during view and modify profile operations. You can view the profile page without the values of the attributes that appear in the negative list. The directory server log shows only the attributes that are not on the list. With IdentityXML, an attribute listed can only be read and cached. For more information, see the topic on tuning the internal DBAgent cache in the Oracle Access Manager Deployment Guide and the chapter on IdentityXML functions and parameters in the Oracle Access Manager Developer Guide.
In the Identity Server globalparams.xml file, you can use the UseDefaultOptionsForAllMails parameter to configure an email ID to be used to send all email notifications.
In the Identity Server globalparams.xml file, you can use the isLPMResponseCaseSensitive parameter to trigger case-sensitive comparisons of the LPM response.
In the WebPass globalparams.xml file, the SetContentLengthHeader parameter can be added to set the "Content-length" header in the response coming from WebPass to its Web server. For more information, see the table on globalparams.xml in the chapter on parameters in the Oracle Access Manager Customization Guide.
In the Policy Manager globalparams.xml file, you can use the PreferredHostValidityCheckEnabled parameter to validate the value in the Preferred HTTP Host field of a WebGate profile. For more information, see the table on globalparams.xml in the chapter on parameters in the Oracle Access Manager Customization Guide.
In the Policy Manager globalparams.xml file, AllowEmptyPreferredHost can be added, which allows you to leave the Preferred HTTP Host field empty in a WebGate configuration in the Access System Console. For more information, see the table on globalparams.xml in the chapter on parameters in the Oracle Access Manager Customization Guide.
In the Access Server globalparams.xml file, the UserMgmtNodeEnabled parameter can be used. This parameter enables or disables a feature that manages WebGate memory growth. For more information, see the chapter on parameters in the Oracle Access Manager Customization Guide. See also the tip on "Cache Flush Issues with Active Directory" in the Oracle Access Manager Access Administration Guide.
In the Access Server globalparams.xml file, the splTimeout parameter can be used to specify the time in seconds for Access Server cache flush operations in replicated environments. For more information, see the caching chapter of the Oracle Access Manager Deployment Guide.
In the Access Server or Policy Manager globalparams.xml file, the CacheFlushTimeOut parameter can be used to specify a wait period for sockets during synchronous cache flush requests. For details, see the caching chapter of the Oracle Access Manager Deployment Guide.
In the Access Server and Policy Manager globalparams.xml file, the setAccessFlushInOpenMode parameter enables you to set the mode for cache flush operations. For details, see the caching chapter of the Oracle Access Manager Deployment Guide.
In the Access Server globalparams.xml file, the DynamicGroupFilterMaxSize parameter enables a dynamic filter size greater than 4K. It is for use while migrating a group dynamic filter (4K of data only) during or after an Access Server upgrade.
In the Access Server and Policy Manager globalparams.xml file, the policyDSMaxAttrValueLength parameter enables you to add large authorization expressions (more than 4000 characters). You might also need to configure the directory server to accept large attribute values.
The Access Server (and Policy Manager when using the Access Tester) evaluates the group for membership as a type, only if that type is enabled. To improve performance during group evaluations when you do not use dynamic groups, or when you have dynamic groups but do not want to evaluate them while processing ObMyGroups, you can turn off dynamic group evaluation using the TurnOffDynamicGroupEvaluation parameter in the Access Server (or Policy Manager) globalparams.xml file. For details, see "Improving Performance During Group Search When Dynamic Groups Are Not Used", in the chapter on performance in the Oracle Access Manager Deployment Guide.
A new algorithm can now be used during group evaluation involving ObMyGroups; it is controlled by the TurnOffNewAlgorithmForObmyGroups parameter in the Access Server globalparams.xml file and works equally when you have static, dynamic, and nested groups. For details, see the topic, "Improving Performance of ObMyGroups Evaluations", in the chapter on performance in the Oracle Access Manager Deployment Guide.
The GroupCacheTimeout parameter enables you to specify the amount of time an element remains valid in the Access Server group cache. The parameter is provided in the Access Server globalparams.xml file (or the Policy Manager file if you are using the Access Tester). For details, see the topic, "Configuring the Access Server Group Cache Timeout and Maximum Elements", in the chapter on performance in the Oracle Access Manager Deployment Guide.
The GroupCacheMaxElement parameter specifies the maximum number of elements that can be stored in the Access Server group cache. The parameter is provided in the Access Server globalparams.xml file (or the Policy Manager file if you are using the Access Tester). For details, see the topic, "Configuring the Access Server Group Cache Timeout and Maximum Elements", in the chapter on performance in the Oracle Access Manager Deployment Guide.
See Also:
"Parameter Reference" in Oracle Access Manager Customization Guide
Chapter on Performance in the Oracle Access Manager Deployment Guide
The following topics in this chapter:
Access System Performance Enhancements for Large Group Evaluations
Identity System Performance Enhancements for Large Group Evaluations
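The group-evaluation parameters listed above (TurnOffDynamicGroupEvaluation, TurnOffNestedGroupEvaluation, TurnOffNewAlgorithmForObmyGroups, NestedQueryLDAPFilterSize, GroupCacheTimeout and GroupCacheMaximumElement) are easy to set in combinations that silently do nothing. The following Python script is an added example, not Oracle's code, that reads them from a globalparams.xml file and flags such combinations; it serves both the Access System performance section earlier on this page and the globalparams.xml parameter list above. It assumes globalparams.xml is an Oblix ValNameList document made of NameValPair elements with ParamName and Value attributes; confirm that layout against the parameter tables in the Oracle Access Manager Customization Guide before relying on it. The XML below is a constructed sample, not a file from a real deployment. The same loader applies to the Identity Server's groupdbparams.xml if it uses the same element layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample globalparams.xml fragment (layout assumed, see lead-in).
SAMPLE_GLOBALPARAMS = """<ValNameList xmlns="http://www.oblix.com/" ListName="globalparams.xml">
  <NameValPair ParamName="TurnOffDynamicGroupEvaluation" Value="true"/>
  <NameValPair ParamName="TurnOffNestedGroupEvaluation" Value="false"/>
  <NameValPair ParamName="TurnOffNewAlgorithmForObmyGroups" Value="true"/>
  <NameValPair ParamName="NestedQueryLDAPFilterSize" Value="2048"/>
  <NameValPair ParamName="GroupCacheTimeout" Value="3600"/>
</ValNameList>
"""

BOOLEAN_PARAMS = (
    "TurnOffDynamicGroupEvaluation",
    "TurnOffNestedGroupEvaluation",
    "TurnOffNewAlgorithmForObmyGroups",
)


def load_params(xml_text: str) -> dict:
    """Return {ParamName: Value} for every NameValPair element, whatever its namespace."""
    root = ET.fromstring(xml_text)
    params = {}
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]  # strip "{namespace}" prefix if present
        if local_name == "NameValPair" and elem.get("ParamName") is not None:
            params[elem.get("ParamName")] = elem.get("Value", "")
    return params


def is_true(value) -> bool:
    return str(value).strip().lower() == "true"


def check_group_params(params: dict) -> list:
    """Return human-readable findings about the group-evaluation settings."""
    findings = []
    for name in BOOLEAN_PARAMS:
        value = params.get(name)
        if value is not None and value.strip().lower() not in ("true", "false"):
            findings.append(f"{name} must be true or false, got {value!r}")
    # NestedQueryLDAPFilterSize only applies while the new ObMyGroups algorithm is
    # in use, i.e. while TurnOffNewAlgorithmForObmyGroups is false (page text above).
    if "NestedQueryLDAPFilterSize" in params and is_true(params.get("TurnOffNewAlgorithmForObmyGroups")):
        findings.append(
            "NestedQueryLDAPFilterSize is set but TurnOffNewAlgorithmForObmyGroups is true, "
            "so the filter size is never used"
        )
    # Local convention for this check (not a product requirement): the group cache is
    # bounded by a timeout and a maximum element count, so expect both or neither.
    has_timeout = "GroupCacheTimeout" in params
    has_max = "GroupCacheMaximumElement" in params
    if has_timeout != has_max:
        findings.append("GroupCacheTimeout and GroupCacheMaximumElement are expected together; only one is set")
    return findings


if __name__ == "__main__":
    for finding in check_group_params(load_params(SAMPLE_GLOBALPARAMS)):
        print("WARN:", finding)
```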
The Identity Server evaluates the group for membership as a type, only if that type is enabled. The following parameters are new with Oracle Access Manager 10g (10.1.4.3):
In the Identity Server file groupdbparams.xml, the TurnOffDynamicGroupEvaluation parameter enables or disables the evaluation of dynamic groups in the directory.
In the Identity Server file groupdbparams.xml, the TurnOffNestedGroupEvaluation parameter enables or disables the evaluation of nested groups in the directory.
See Also:
"Parameter Reference" in Oracle Access Manager Customization Guide
Chapter on performance in the Oracle Access Manager Deployment Guide
Oracle Access Manager 10g (10.1.4.3) provides support for integration with OracleAS Web Cache. OracleAS Web Cache is a reverse proxy cache and compression engine that is deployed between the browser and the Oracle Access Manager WebGate Web server. This configuration provides the following Oracle Access Manager functionality:
POST Data Restoration
Cookieless Session Support
See Also:
Oracle Access Manager Integration Guide
Tuning for Oracle Internet Directory has been expanded for various Oracle Internet Directory releases.
See Also:
"Tuning Oracle Internet Directory" in the Oracle Access Manager Installation Guide
Oracle Internet Directory schema for the orclrole objectclass does not follow RFC 2256. As a result, when Oracle Access Manager is configured with Oracle Internet Directory, this schema discrepancy in Oracle Internet Directory causes issues in the objectclass configuration of Oracle Access Manager.
Also, the LDAP tools have been modified to disable the options -w password and -P password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to TRUE or 1.
See Also:
"Oracle Internet Directory Schema" in the Oracle Access Manager Installation Guide
In an existing Oracle Access Manager deployment, the base release for 10g (10.1.4.3) is 10g (10.1.4.2.0). Oracle Access Manager 10g (10.1.4.3) installers cannot be used to upgrade an earlier Oracle Access Manager release.
See Also:
"Packages for Upgrades" in the Oracle Access Manager Installation Guide
Oracle continually certifies Oracle Access Manager support with various third-party platforms, Web server releases, directory server releases, and applications. For the latest support details, see the certification matrix that is available at:
http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access_manager_certification_10.1.4_r3_matrix.xls
See Also:
"Confirming Certification Requirements" in the Oracle Access Manager Installation Guide
Certain Oracle Access Manager Web server-specific packages are not available with the initial release of 10g (10.1.4.3).
See Also:
"Web Server-Specific Installation Packages" in the Oracle Access Manager Installation Guide
The Preferred HTTP Host for WebGate configuration parameter is now mandatory before WebGate installation and must be configured with an appropriate value whenever a WebGate profile is added. This parameter defines how the hostname appears in all HTTP requests as users attempt to access the protected Web server. The hostname within the HTTP request is translated into the value entered into this field (regardless of the way the hostname was defined in an HTTP request from a user).
To support virtual hosts you set the Preferred HTTP Host value to HOST_HTTP_HEADER for most Web hosts or SERVER_NAME (Apache only). Additional configuration is required for IIS.
A new parameter, AllowEmptyPreferredHost, can be added to Policy Manager globalparams.xml, which allows you to leave empty the Preferred HTTP Host field in a WebGate configuration in the Access System Console. In addition, the parameter PreferredHostValidityCheckEnabled in Policy Manager globalparams.xml can be used to validate the value in the Preferred HTTP Host field of a WebGate profile.
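The following Python model is an added example, not Oracle's code, of the host translation the Preferred HTTP Host setting performs and of the kind of profile check that AllowEmptyPreferredHost and PreferredHostValidityCheckEnabled gate. The three cases it covers (a literal hostname, HOST_HTTP_HEADER, and SERVER_NAME) are the ones named above; the validity rule for literal values and the sample host names are assumptions for illustration, and the product's own rules are in the Access Administration Guide.

```python
import re

# Keywords the page names for virtual-host support
HOST_HTTP_HEADER = "HOST_HTTP_HEADER"
SERVER_NAME = "SERVER_NAME"

# Assumed shape of a literal value: hostname with optional port (not the product's own rule)
_HOSTPORT = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?")


def resolve_host(preferred_host: str, request_host_header: str, server_name: str) -> str:
    """Hostname the request is evaluated under, given the WebGate's Preferred HTTP Host.

    A literal value pins every request to that host, whatever the client sent;
    HOST_HTTP_HEADER trusts the client-supplied Host header (needed for virtual hosts),
    SERVER_NAME uses the Web server's configured name (Apache).
    """
    if preferred_host == HOST_HTTP_HEADER:
        return request_host_header.strip().lower()
    if preferred_host == SERVER_NAME:
        return server_name.strip().lower()
    return preferred_host.strip().lower()


def validate_preferred_host(value: str, allow_empty: bool = False, validity_check: bool = True) -> list:
    """Problems with a WebGate profile's Preferred HTTP Host value (empty list means acceptable).

    allow_empty mirrors AllowEmptyPreferredHost; validity_check mirrors
    PreferredHostValidityCheckEnabled.
    """
    problems = []
    candidate = value.strip()
    if not candidate:
        if not allow_empty:
            problems.append("Preferred HTTP Host is empty and AllowEmptyPreferredHost is not set")
        return problems
    if not validity_check or candidate in (HOST_HTTP_HEADER, SERVER_NAME):
        return problems
    if not _HOSTPORT.fullmatch(candidate):
        problems.append(f"{candidate!r} is neither a hostname[:port] nor a supported keyword")
    return problems


if __name__ == "__main__":
    # Constructed requests: the client sends one Host header, the server knows another name.
    for setting in ("portal.example.test", HOST_HTTP_HEADER, SERVER_NAME):
        print(setting, "->", resolve_host(setting, "Shop.Example.Test", "www.example.test"))
```

With HOST_HTTP_HEADER the value used for policy matching comes from the client, so every virtual host served by that WebGate needs its own policy coverage; a literal value is the more conservative setting when the Web server really serves a single name.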
See Also:
Oracle Access Manager Installation Guide for details about adding a WebGate profile in the Access System Console before installation
Oracle Access Manager Access Administration Guide chapter on configuring Access Servers and AccessGates (and all parameters in a AccessGate profile)
Oracle Access Manager Customization Guide appendix on parameters
Updates and additions have been made to this topic in the Oracle Access Manager Deployment Guide:
You can change basic components that you specified during Oracle Access Manager installation, such as the person object class or the directory server host.
See Also:
"Reconfiguring the System" in the Oracle Access Manager Deployment Guide
New examples of updating the LDAP bind password now include the previously missing required parameter -i install_dir, and other clarifications.
See Also:
"Updating the LDAP Bind Password" in the Oracle Access Manager Deployment Guide
Oracle Access Manager handles sensitive information about users, which can include the user password, date of birth, a challenge response, security questions and answers for lost password requests, and more. At certain logging levels, sensitive information might be captured.
Today, you can enable secure logging and filter sensitive information in log files.
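As an added illustration (not Oracle's secure-logging implementation) of what filtering sensitive information out of a log means in practice, the Python filter below masks the values of a configured set of attribute names in key=value style log lines. The attribute names, the log line format and the sample lines are all constructed for this example; the real attribute list and filter configuration are described in the logging chapter of the Identity and Common Administration Guide.

```python
import re

# Attribute names treated as sensitive (constructed; take the real list from the
# secure-logging configuration, not from here). Compared case-insensitively.
SENSITIVE_KEYS = {"password", "dateofbirth", "challengeresponse", "securityanswer"}

# key=value or key="quoted value" tokens as they might appear in a log line
_KV = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>"[^"]*"|\S+)')

MASK = "***"


def redact(line: str) -> str:
    """Mask the value of every sensitive key and leave all other tokens untouched."""
    def _mask(match):
        if match.group("key").lower() in SENSITIVE_KEYS:
            return match.group("key") + "=" + MASK
        return match.group(0)
    return _KV.sub(_mask, line)


def redact_all(lines) -> list:
    return [redact(line) for line in lines]


# Constructed sample log lines (not real product output)
SAMPLE_LOG = [
    'INFO  modifyUser uid=jsmith password="W1nter!2009" dateOfBirth=1975-03-02',
    'DEBUG lostPassword uid=jsmith challengeResponse="first pet" status=verified',
    'INFO  viewProfile uid=jsmith cn="John Smith"',
]


if __name__ == "__main__":
    for line in redact_all(SAMPLE_LOG):
        print(line)
```

The filter runs on the line before it is written, which is the point of secure logging: once a password or challenge response has reached a log file, rotation and access control only limit the damage.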
See Also:
The chapter on logging in the Oracle Access Manager Identity and Common Administration Guide
SELinux is delivered with Oracle Enterprise Linux. SELinux modifications provide a variety of security policies through the use of Linux Security Modules (LSM) within the Linux kernel. SELinux requires performing additional steps after installing Oracle Access Manager Web components and before starting the associated Web server. This applies to all supported Linux versions that have SELinux.
See Also:
Topics on SELinux in the Oracle Access Manager Installation Guide Chapter 2 and Appendix E.
Oracle Access Manager 10g (10.1.4.3) provides a new function that enables you to specify a wait period for sockets during synchronous cache flush requests between multiple Access Servers. In this case, a socket waits for only a specified time for I/O completion. If the expected operation is not completed within the specified time, an error is reported and the request is sent to other Access Servers. With synchronous requests, WebPass and Policy Manager do not hang if one Access Server hangs.
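The following Python script is an added example, not Oracle's code, of the mechanism the paragraph above describes: a bounded socket wait per Access Server during a synchronous flush, so that one unresponsive server produces an error and the loop moves on instead of hanging the caller. The flush message, the acknowledgement and the two "Access Servers" (a connected socket pair whose peer answers, and one whose peer never does) are constructed for the example; the real wire protocol and the CacheFlushTimeOut parameter's exact semantics are documented in the caching chapter of the Deployment Guide.

```python
import socket

FLUSH_REQUEST = b"FLUSH"  # constructed placeholder, not the real cache flush message


def flush_with_timeout(connections, timeout: float) -> dict:
    """Send the flush request to each Access Server with a per-socket wait limit.

    connections: iterable of (name, connected socket).
    Returns {name: "ok" | "timeout" | "error"}. A server that never answers costs at
    most `timeout` seconds and does not stop the remaining servers from being flushed.
    """
    results = {}
    for name, sock in connections:
        sock.settimeout(timeout)  # bounded wait for I/O completion on this socket
        try:
            sock.sendall(FLUSH_REQUEST)
            ack = sock.recv(16)
            results[name] = "ok" if ack else "error"  # empty read: peer closed
        except socket.timeout:  # must precede OSError, of which it is a subclass
            results[name] = "timeout"
        except OSError:
            results[name] = "error"
    return results


def demo(timeout: float = 0.2) -> dict:
    """Constructed scenario: one healthy Access Server and one that hangs."""
    healthy, healthy_peer = socket.socketpair()
    hung, hung_peer = socket.socketpair()
    healthy_peer.sendall(b"ACK")  # the healthy peer's answer is already waiting
    # the hung peer deliberately sends nothing
    try:
        return flush_with_timeout([("as1", healthy), ("as2", hung)], timeout)
    finally:
        for s in (healthy, healthy_peer, hung, hung_peer):
            s.close()


if __name__ == "__main__":
    print(demo())
```

Without the timeout, the recv on the second socket would block indefinitely and the flush initiated by WebPass or Policy Manager would hang with it, which is exactly the failure the new function removes.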
See Also:
"Configuring Synchronous Cache Flush Requests between Multiple Access Servers", in the Oracle Access Manager Deployment Guide, Chapter 5.
Several new user-defined parameters have been added for use in WebGate configuration profiles.
ContentLengthFor401Response
idleSessionTimeoutLogic
ProxySSLHeaderVar
RetainDownstreamPostData
SUN61HttpProtocolVersion
See Also:
"Configuring User-Defined AccessGate Parameters" in the Oracle Access Manager Access Administration Guide
Oracle Access Manager 10g (10.1.4.2.0) updates specific software and configuration files contained in your existing 10g (10.1.4.0.1) Oracle home. The result is improvements to the reliability and performance of the software.
In addition, Oracle Access Manager 10g (10.1.4.2.0) provides additional functionality to several key features. The following table provides a summary of the additional features that are available to you with 10g (10.1.4.2.0).
Feature Description | More Information |
---|---|
Added deployment details and back up and recovery strategies | A new chapter has been added to describe various deployment strategies and scenarios for Oracle Access Manager. For details, see the chapter on deployment scenarios in the Oracle Access Manager Deployment Guide.
A new chapter has been added to outline various back up and recovery strategies for Oracle Access Manager installations. For details, see the chapter on back up and recovery strategies in the Oracle Access Manager Deployment Guide. |
Zero downtime upgrade method is provided as an alternative to the standard in-place component upgrade | You can now perform an upgrade without shutting down service to your Oracle Access Manager customers. The zero downtime upgrade method is provided as an alternative to the standard in-place component upgrade.
The Oracle Access Manager Upgrade Guide describes how you can perform a zero downtime upgrade. |
Added functions for updating the LDAP bind password | You might want to periodically update the LDAP bind password for the directory servers that communicate with Oracle Access Manager components. For example, you may want to update the LDAP bind password to comply with government regulations.
Functionality for updating the LDAP bind password has been added in this release. See the Oracle Access Manager Deployment Guide for details. Note that in previous releases, after updating the LDAP bind password, it was necessary to re-run setup. In this release, it is no longer necessary to rerun setup. |
Assigning a Delegate impersonation level to the client | In addition to configuring impersonation for resources on a computer that is protected by a WebGate, you can extend impersonation to other resources on the network. This is known as assigning a Delegate impersonation level to the client.
See the chapter on Windows Impersonation in the Oracle Access Manager Integration Guide for details. |
New configuration parameters for IdentityXML | When using IdentityXML, the XSLProcessor parameter in the file globalparams.xml indicates the processor to use when generating the page. The only officially supported value, default , indicates that the XDK processor should be used. The values XALAN or DGXT can be used for testing.
See the appendix on configuration parameters in the Oracle Access Manager Customization Guide for details. |
New parameter to halt automatic user data migration when performing a zero downtime upgrade | A new parameter in the globalparams.xml file, MigrateUserDataTo1014 , is used by the Identity Server and Access Server during a zero downtime upgrade. The value of MigrateUserDataTo1014 halts automatic user data migration when a user first logs in after upgrading. Only the multiple challenge and response attributes for Lost Password Management are affected.
See the zero downtime upgrade details in the Oracle Access Manager Upgrade Guide. |
Enhancements to xsl files | Enhancements have been made to certain xsl files to support a JavaScript-related fix and several large-group-related fixes. These xsl files are available when you install the 10.1.4.2.0 patch set.
For more information, see Oracle Access Manager Customization Guide. |
Log the time consumed by different types of calls to external components | You can now generate logs that show details about the time consumed by different types of calls to external components. Using this information, you can better assess whether requests to specific components are taking longer than expected.
For more information, see the Oracle Access Manager Identity and Common Administration Guide. |
Group performance is improved | For large static groups, for example, groups with over 10,000 members, operations that involve the group can cause memory to spike.
Group performance has been improved in this release. However, if you find that a large static group still affects performance, you can modify the default evaluation method for the group using the There are several additional actions that you can take to improve the performance of large groups. See the chapter on performance tuning in the Oracle Access Manager Deployment Guide for details. |
When auditing to a database, Oracle Instant Client binaries are now shipped with the Identity Server and Access Server | This eliminates the requirement for a 10.1.0.5 ORACLE_HOME on the computer that hosts them. |
NLS libraries and data files | Even if an environment variable is set to ORACLE_HOME or ORA_NLS10, or a third-party Web component refers to a different version of the NLS libraries and data files than the one used by Oracle Access Manager, Oracle Access Manager components choose NLS data files from the oracle_access_manager_component_install_dir. For more information, see the Oracle Access Manager Installation Guide. |
Limit the number of retries that the WebGate performs for a non-responsive server | A WebGate-to-Access Server timeout threshold specifies how long (in seconds) the WebGate waits for the Access Server to respond before it considers it unreachable and attempts the request on a new connection. However, if the Access Server takes longer to service a request than the value of the timeout threshold, the WebGate abandons the request and retries the request on a new connection. Note that the new connection that is returned from the connection pool can be to the same Access Server, depending on your connection pool settings. Additionally, other Access Servers may also take longer to process the request than the time allowed by the threshold. In these cases, the WebGate can continue to retry the request until the Access Servers are shut down.
You can now configure a limit on the number of retries that the WebGate performs for a non-responsive server using the See the Oracle Access Manager Access Administration Guide for details. |
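The retry loop described above is easier to reason about in code. The following simulation is an added example, not part of the Oracle documentation or the WebGate source; the class and function names, the round-robin connection pool and the sample service times are all constructed. It models a WebGate that abandons any attempt exceeding the timeout threshold and retries on the next pooled connection, and contrasts an unbounded retry loop (every Access Server slow, so the loop never terminates on its own) with a configured retry limit.

```python
"""Constructed model of WebGate retries against slow Access Servers (added example)."""
from dataclasses import dataclass, field
from itertools import cycle
from typing import List, Optional


@dataclass
class AccessServer:
    """Stand-in for one Access Server; service_time is the seconds it needs to answer."""
    name: str
    service_time: float


class ConnectionPool:
    """Round-robin pool. As in the real connection pool, the 'new' connection handed back
    after a failed attempt may point at the same Access Server again (single-server case)."""

    def __init__(self, servers: List[AccessServer]) -> None:
        self._next = cycle(servers)

    def next_connection(self) -> AccessServer:
        return next(self._next)


@dataclass
class RequestTrace:
    attempts: List[str] = field(default_factory=list)  # server tried on each attempt
    outcome: str = "pending"


def send_request(pool: ConnectionPool, timeout_threshold: float,
                 max_retries: Optional[int] = None, simulation_cap: int = 1000) -> RequestTrace:
    """Send one request through the pool.

    Each attempt whose service time exceeds timeout_threshold is abandoned and retried on
    a new connection. max_retries=None models the old behaviour (retry until a server
    answers); simulation_cap only exists so the unbounded case terminates in this model.
    """
    trace = RequestTrace()
    retries = 0
    while True:
        server = pool.next_connection()
        trace.attempts.append(server.name)
        if server.service_time <= timeout_threshold:
            trace.outcome = f"served by {server.name}"
            return trace
        # Attempt timed out: decide whether another retry is allowed.
        if max_retries is not None and retries >= max_retries:
            trace.outcome = "failed: retry limit reached"
            return trace
        if len(trace.attempts) >= simulation_cap:
            trace.outcome = "failed: simulation cap reached"
            return trace
        retries += 1


if __name__ == "__main__":
    slow_pool = ConnectionPool([AccessServer("as1", 60.0), AccessServer("as2", 45.0)])
    print(send_request(slow_pool, timeout_threshold=30.0, max_retries=2))
    print(send_request(ConnectionPool([AccessServer("as1", 60.0)]), 30.0, None, simulation_cap=20))
```

With a retry limit the request fails fast after the configured number of retries and the WebGate can surface an error; without one the loop keeps cycling through the pool for as long as the Access Servers stay slow, which is the behaviour the text describes.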
Preferred HTTP Host | With Oracle Access Manager 10.1.4.0.1, the Preferred HTTP Host field became required. This introduced issues for environments that support virtual hosting.
In this release, to support virtual hosts you set the Preferred HTTP Host value to HOST_HTTP_HEADER for most Web hosts or SERVER_NAME (Apache only). Additional configuration is required for IIS. See the chapter on configuring Access Servers and AccessGates in the Oracle Access Manager Access Administration Guide for details. |
New diagnostic tools | The Access Server and Identity Server have new diagnostic tools to help you work with an Oracle Technical Support representative to troubleshoot problems.
The diagnostic tools enable you to do the following:
See the Oracle Access Manager Identity and Common Administration Guide for details. |
Log file enhancements | Operating system error information is now included in the logs. For example, when an attempt to create a listener thread fails, the error code returned on GetLastError() is added to the log files. |
Switching from a Solaris platform to a Linux platform when upgrading to 10g (10.1.4.0.1) | The Oracle Access Manager Upgrade Guide includes a new chapter that explains how you can upgrade to 10g (10.1.4.0.1) while making a switch from a Solaris platform to a Linux platform. |
The webpass.xml file poll tracking refresh parameter is configurable | When setting up multiple Identity Servers or modifying WebPass, administrators can now configure the PollTrackingRefreshInterval in the webpass.xml file. This interval should be configured in seconds. There are implications when setting up multiple Identity Servers or modifying a WebPass instance.
See the Oracle Access Manager Identity and Common Administration Guide for details. |
Users can be logged in automatically after changing their password | To configure automatic login, the change password redirect URL must include STLogin=%applySTLogin% as a parameter.
The following is an example of a change password redirect URL that logs the user in:
/http://machinename:portnumber/identity/oblix/apps/lost_password_mgmt/bin/lost_password_mgmt.cgi?program=redirectforchangepwd&login=%login%%userid%&backURL=%HostTarget%%RESOURCE%&STLogin=%applySTLogin%&target=top
To implement this with a form-based authentication scheme, you must configure the challenge parameter See the Oracle Access Manager Identity and Common Administration Guide for details. |
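A redirect URL like the one above is usually pasted into a form and is easy to get subtly wrong. The following checker is an added example, not Oracle code: it reads a configured change password redirect URL without percent-decoding it (so the %macro% tokens survive), confirms that it targets the lost_password_mgmt.cgi program with STLogin=%applySTLogin%, and flags any %token% that is not one of the macros used in the documented example. The path, parameter values and macro list are taken from the example URL on this page; the function names are assumptions.

```python
"""Added example: lint a change password redirect URL for the auto-login setup above."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Values taken from the page's example URL.
CGI_PATH = "/identity/oblix/apps/lost_password_mgmt/bin/lost_password_mgmt.cgi"
REQUIRED_PARAMS = {"program": "redirectforchangepwd", "STLogin": "%applySTLogin%"}
# Macro tokens that appear in the page's example; anything else is flagged as a likely typo.
KNOWN_MACROS = {"%login%", "%userid%", "%HostTarget%", "%RESOURCE%", "%applySTLogin%"}
MACRO_RE = re.compile(r"%[A-Za-z]+%")


def split_query_raw(query: str) -> Dict[str, str]:
    """Split the query string without percent-decoding, so %macro% tokens stay intact
    (urllib.parse.parse_qs would try to decode the percent signs)."""
    params: Dict[str, str] = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def check_change_password_redirect(url: str) -> List[str]:
    """Return a list of problems found in the redirect URL; an empty list means it passes."""
    problems: List[str] = []
    # The documented example carries a leading "/" before the scheme; strip it before parsing.
    parts = urlsplit(url.lstrip("/"))
    if parts.path != CGI_PATH:
        problems.append(f"path {parts.path!r} is not the lost_password_mgmt.cgi program")
    params = split_query_raw(parts.query)
    for key, expected in REQUIRED_PARAMS.items():
        if params.get(key) != expected:
            problems.append(f"expected {key}={expected}, found {params.get(key)!r}")
    for key, value in params.items():
        for token in MACRO_RE.findall(value):
            if token not in KNOWN_MACROS:
                problems.append(f"unknown macro {token} in parameter {key}")
    return problems


if __name__ == "__main__":
    example = ("/http://machinename:portnumber" + CGI_PATH +
               "?program=redirectforchangepwd&login=%login%%userid%"
               "&backURL=%HostTarget%%RESOURCE%&STLogin=%applySTLogin%&target=top")
    print(check_change_password_redirect(example) or "redirect URL looks correct")
```

Run it against the value you intend to configure; a missing STLogin parameter or a mistyped macro name is reported before the scheme goes live rather than showing up as users who are not logged in after a password change.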
Write a stack trace to a log file | If Oracle Access Manager experiences a core dump, it can now write a stack trace to a log file. To enable this functionality, you turn on logging at any minimal level.
You can send the log file that contains the stack trace information to Oracle, along with a report of the problem. See the appendix on troubleshooting in the Oracle Access Manager Identity and Common Administration Guide for details. |
New parameters for directory server failover | A new parameter in globalparams.xml named LDAPOperationTimeout sets an amount of time that the Identity Server, Access Server, or Policy Manager waits for a response from the directory server for a single entry of a search result before the component fails over to a secondary server, if one is configured.
A See the chapter on failover in the Oracle Access Manager Deployment Guide and the appendix on parameter files in the Oracle Access Manager Customization Guide for details. |
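The subtle point in the LDAPOperationTimeout description is that the timeout applies to each entry of a search result, not to the search as a whole. The following model is an added example, not Oracle code: the directory servers are constructed stand-ins that deliver each entry after a stated simulated latency, and the timeout parameter is a hypothetical stand-in for LDAPOperationTimeout. It shows a long result set delivered steadily succeeding on the primary, a single stalled entry causing failover to the secondary (which restarts the search), and the error raised when every configured server stalls.

```python
"""Added example: per-entry search timeout with failover to a secondary directory server."""
from dataclasses import dataclass
from typing import List, Tuple


class LdapOperationTimeout(Exception):
    """Raised when every configured directory server exceeded the per-entry timeout."""


@dataclass
class SimDirectory:
    """Constructed stand-in for a directory server. Each (dn, latency) pair is one search
    result entry and the simulated seconds the server takes to deliver it."""
    name: str
    results: List[Tuple[str, float]]


def fetch_entries(servers: List[SimDirectory], timeout: float) -> Tuple[List[str], str, List[str]]:
    """Read a search result entry by entry from the primary, failing over on a stall.

    servers lists the primary first, then any secondaries. timeout is the maximum wait
    for a single entry (stand-in for LDAPOperationTimeout). Returns the entries, the name
    of the server that completed the search, and a list of events for the log.
    """
    events: List[str] = []
    for server in servers:
        entries: List[str] = []
        stalled = False
        for dn, latency in server.results:
            if latency > timeout:
                events.append(f"{server.name}: waited {latency}s for entry "
                              f"{len(entries) + 1}, limit is {timeout}s")
                stalled = True
                break
            entries.append(dn)
        if not stalled:
            return entries, server.name, events
        # Partial results from the stalled server are discarded; the next server starts over.
        events.append(f"failing over from {server.name}")
    raise LdapOperationTimeout("all configured directory servers exceeded the per-entry timeout")


if __name__ == "__main__":
    primary = SimDirectory("primary", [("cn=alice", 0.5), ("cn=bob", 3.0), ("cn=carol", 0.5)])
    secondary = SimDirectory("secondary", [("cn=alice", 0.4), ("cn=bob", 0.6), ("cn=carol", 0.4)])
    entries, used, events = fetch_entries([primary, secondary], timeout=2.0)
    print(used, entries)
    for line in events:
        print("  ", line)
```

Because the limit is per entry, a search returning a hundred entries at half a second each finishes on the primary even though it takes fifty seconds in total, while one entry that takes longer than the configured value is enough to trigger failover.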
Resetting the LDAP bind password in configuration files | You might want to periodically update the LDAP bind password for the directory servers that communicate with Oracle Access Manager components. The ModifyLDAPBindPassword command enables you to reset the LDAP bind password in the Oracle Access Manager configuration files. You can reset the LDAP bind password without restarting any servers or re-running setup.
See the chapter on reconfiguring the system in the Oracle Access Manager Deployment Guide for details. |
Directory server searches are minimized for certain operations | In previous releases, it could take a long time to create a large number of policy domains and URL prefixes in the Policy Manager. In this release, searches to the directory server have been minimized for these operations, resulting in better performance for these operations. |
Assigning a Delegate impersonation level to the client | In addition to configuring impersonation for resources on the computer that is protected by a WebGate, you can extend impersonation to other resources on the network. This is known as assigning a Delegate impersonation level to the client.
Note that the information on impersonation has moved from the Oracle Access Manager Access Administration Guide to the Oracle Access Manager Integration Guide. See the chapter on configuring impersonation in the Oracle Access Manager Integration Guide for details. |
Integration Support Enhanced | 10g (10.1.4.2.0):
Integration support includes SharePoint Office Server 2007. See the chapter on integrating with SharePoint in the Oracle Access Manager Integration Guide for details.
Integration support with SAP NetWeaver is provided. See the chapter on integrating with SAP in the Oracle Access Manager Integration Guide for details.
Integration support with Siebel in a multi-domain Active Directory environment is provided. See the chapter on integrating with Siebel in the Oracle Access Manager Integration Guide for details.
Integration support with WebLogic 9.2 is provided. See the chapter on integrating with WebLogic in the Oracle Access Manager Integration Guide for details.
Integration support with WebSphere 6.1 is provided. See the chapter on integrating with WebSphere in the Oracle Access Manager Integration Guide for details. |
Identity System function names and user interface changes have been made to improve usability
Access System function names and user interface changes have been made to improve usability
See Also:
Chapter 5, "Overview of Behaviors".
Oracle Access Manager 10g (10.1.4.0.1) provides support for 29 languages through the use of Unicode and UTF-8 encoding.
The Oracle National Language Support Library (NLSL) is installed automatically with each component. However, you may need to perform specific tasks before installation when you have a non-English (AMERICAN) Operating System. You can install language packs in concert with components, or independently after component installation.
See Also:
Oracle Access Manager Installation Guide
Automated language processing occurs during an upgrade to Oracle Access Manager 10g (10.1.4.0.1). In addition, you may need to take specific actions before and after the upgrade to ensure that older plug-ins operate properly, incorporate workflows, ensure that auditing and access reporting work properly, and the like.
See Also:
Oracle Access Manager Upgrade Guide
You must perform specific tasks to use multiple installed languages and display information in various supported languages.
As a result of globalization and translation of messages into 29 languages, some .lst files have been transformed into .xml files. Messages added for minor releases (10g (10.1.4.2.0) and 10g (10.1.4.3) as a result of new functionality might not be translated and can appear in only English.
See Also:
Specific file names in all manuals in this suite of books.
You must use form-based authentication for non-ASCII login credentials.
Multibyte support affects IdentityXML functions and parameters, compatibility with XML pages, SOAP/IdentityXML requests, and Identity Event Plug-in data sent to executables, as well as compatibility with the Access Manager SDK, Access Manager APIs, and custom AccessGates.
See Also:
Oracle Access Manager Developer Guide
Oracle Access Manager uses a locale-based case insensitive sorting method when you click the column heading (Full Name, for example) in the search results table.
The behavior of multibyte support with custom C programming language Authorization Plug-in Interfaces in 10g (10.1.4.0.1) and earlier releases is discussed, along with backward compatibility with custom authorization plug-ins.
See Also:
Oracle Access Manager Developer Guide
Globalization and multibyte support impacts stylesheets and customizations.
The Access Manager API was formerly known as the Access Server API as described in "Product and Component Name Changes". The following updates have been made:
A new lazyload method has been added to the ObUserSession constructor in the Access Manager API as a result of the WebGate rewrite.
See Also:
Oracle Access Manager Developer Guide
New diagnostics have been added as a result of the WebGate rewrite.
See Also:
Oracle Access Manager Developer Guide
New status codes have been added as a result of the WebGate rewrite.
See Also:
Oracle Access Manager Developer Guide
You can now audit to an Oracle Database and also to Microsoft SQL Server. The Crystal Reports package is no longer provided with the Oracle Access Manager package. You must obtain this product from the vendor.
See Also:
Oracle Access Manager Identity and Common Administration Guide chapter on logging and "Logging"
Disabling Authentication Schemes: It is no longer necessary to disable an authentication scheme before you modify it.
Persistent Cookies in Authentication Schemes: You can configure an authentication scheme that allows the user to log in for a time period rather than a single session.
Overview: A brief overview of Oracle Access Manager 10.1.4 product behaviors is outlined for quick reference.
See Also:
Chapter 5, "Overview of Behaviors"
Summary of Earlier Behaviors and New Behaviors in Upgraded Environments: Numerous changes have been made to support globalization. In addition, several other changes have been made to improve usability and performance. A brief overview of Oracle Access Manager 10.1.4 product behaviors is outlined for quick reference.
See Also:
Oracle Access Manager Upgrade Guide
Information on configuring Oracle Access Manager for multiple directory searchbases, also called disjoint domains or realms, has been expanded.
You can dynamically assign a user to a target on a create user workflow. For example, you can define a create user workflow that enables user A to log in under ou=users, invoke the workflow, and create user B whose entry is automatically determined to be in the same ou as user A. This ability always existed in the Identity System, and is now explicitly documented in the chapter on workflows.
You can authorize users by querying external authentication systems.
When the Access System at a Service Provider site receives a request from a user in a federated environment, it may need additional information about the user from the user's Identity Provider. You can configure the Access System to query external Identity Providers for user authorization.
Oracle HTTP Server support is provided with this release for WebPass, Access Manager, and WebGate components.
Oracle Internet Directory support is included in this release for general use.
Updates and additions to Apache v1 and v2 chapters.
A new chapter has been added that describes how to install the globalized product and also describes how to prepare to install in multi-language environment.
Following the acquisition of OctetString by Oracle, this chapter moved from the Oracle Access Manager Integration Guide and includes minor changes for clarification, product branding, and new information to describe graphics.
See Also:
Oracle Access Manager Installation Guide
All chapters in the Oracle Access Manager Integration Guide describe implementation details for a specific integration.
MIIS: The MIIS provisioning solution is deprecated in this release.
OracleAS Single Sign-On Server 10g OC4J: You can configure single sign-on between the Access System and the OracleAS Single Sign-On Server 10g: OC4J. An older version of this chapter previously existed in the Oracle Access Manager Developer Guide. It provides updated information on configuring single sign-on between Oracle Access Manager and Oracle Application Server 10g (OracleAS 10g). When you configure single sign-on, you also provide identity management functionality across the Web-based applications running on Oracle Application Servers, for example, Oracle E-Business Suite, Oracle Forms, Portals, and other Access System-protected resources. Included in this new version is information about the Oracle HTTP Server WebGate (Apache or Oracle HTTP Server WebGate information has been removed).
SAP: The SAP Enterprise Portal 6.0 can now be protected by the Access System.
RSA SecurID: Minor clarifications have been made to this chapter based on input from the field.
Security Connector for WebLogic SSPI: Several clarifications have been made to this chapter.
Oracle Virtual Directory: Integration with Oracle Virtual Directory (formerly known as OctetString Virtual Directory Engine) has been updated and moved to the Oracle Access Manager Installation Guide from the Oracle Access Manager Integration Guide.
WebSphere: The integration with WebSphere Application Server (WAS) 4 is deprecated in this release. The information in this chapter has been updated for WAS 5 and 6.
Plumtree: The previous integration with Plumtree Corporate Portal is supported in this release. However, note that the most recent version of Plumtree Corporate Portal is now known as BEA AquaLogic Interaction.
Oracle Enterprise Manager 10g Identity Management Pack: Out-of-box system modeling is provided for Oracle Access Manager and other products in the Oracle Identity and Access Management Suite. For more information, see the Oracle Enterprise Manager Concepts Guide and Oracle Enterprise Manager Advanced Configuration Guide. Online help is available through Oracle Enterprise Manager.
Changes to logging parameters take effect within one minute, rather than requiring you to restart the server where the changes were made.
There have been several schema changes in this release to support password policy enhancements and lost password management.
The following oblixPersonPwdPolicy attributes have been added: obAnsweredChallenges, obYetToBeAnsweredChallenges, obLastSuccessfulLoginTime, obLastFailedLoginTime.
A new object class named oblixLPMPolicy has been added.
This object class stores information about new lost password management policies, including the challenges and responses that have been configured and how challenge phrases are presented to users.
The following attributes have been added to oblixDBInstance: obDatabaseName, obDSNName
The following attributes have been added to oblixAAAEngineConfig: obSessionTokenCache, obMaxSessionTokenCacheElements
The definition of obCompoundData has been updated throughout the Oracle Access Manager Schema Description.
See Also:
Oracle Access Manager Schema Description.
Until release 10g (10.1.4.0.1), the obVer attribute was purely informational. However, starting with release 10g (10.1.4.0.1), the obVer attribute in the oblixOrgPerson class is used by the Identity and Access Servers to support encoding of multiple challenge phrase and response attributes for lost password management.
If you use complex stylesheets, you may want to increase the value of the StringStack parameter in globalparams.xml.
See Also:
Oracle Access Manager Customization Guide for stylesheet and parameter references.
You can configure the minimum and maximum number of characters users can specify in a password. For lost password management, you can set multiple challenge-response pairs, create multiple stylesheets, and configure other aspects of the user's lost password management experience. You can also redirect users back to the originally requested page after resetting a password.
Oracle Access Manager 10g (10.1.4.0.1) supports multiple challenge phrases and response attributes using the value of the obVer attribute in the user entry (OblixOrgPerson) to indicate the encoding for challenge phrase and response attributes. This has implications when upgrading from an earlier release to Oracle Access Manager 10g (10.1.4.0.1).
See Also:
Oracle Access Manager Identity and Common Administration Guide and Oracle Access Manager Upgrade Guide.
Web Services code samples have been added to illustrate how to use IdentityXML Web Services to make calls to a WebPass. Two samples have been added, to show how to create a Web service call when a WebPass is protected by a WebGate and when a WebPass is not protected by a WebGate.
See Also:
Oracle Access Manager Developer Guide.
You can cause authentication actions to be executed after the ObSSOCookie is set.
Typically, authentication actions are triggered after authentication has been processed and before the ObSSOCookie is set. However, in a complex environment, the ObSSOCookie may be set before a user is redirected to a page containing a resource. In this case, you can configure an authentication scheme to trigger these events.
To optimize performance, you should ensure that your directory performance is optimal.
See Also:
Oracle Access Manager Deployment Guide.
There are best practices for optimizing workflow performance.
To minimize the impact that workflows have on server performance, you can tune various parameters in workflowdbparams.xml. You can also tune various workflow search parameters to enhance performance.
See Also:
Oracle Access Manager Deployment Guide.
There are best practices for optimizing network and Oracle Access Manager performance.
See Also:
Oracle Access Manager Deployment Guide.
You can get a quick look at the upgrade paths from various starting releases, and also the upgrade process.
There has been a change in the release numbering, which you should be aware of.
Review the summary of 10g (10.1.4.0.1) behaviors as compared with behaviors in previous releases.
Find out what is preserved and what manual processes are needed after the upgrade.
See Also:
Oracle Access Manager Upgrade Guide
WebGates have been updated to use the same code as the Access System, and WebGate configuration parameters that once existed in WebGateStatic.lst have been moved to the Access System Console. The WebGateStatic.lst file no longer exists.
After installing new WebGates or upgrading to 10g (10.1.4.0.1) WebGates, you can now configure such parameters as IPValidation and IPValidationExceptions from the Access System Console, Access System Configuration tab.
When you have older WebGates and new 10g (10.1.4.0.1) Access Servers, you must set the isBackwardCompatible flag to "true" in the new 10g (10.1.4.0.1) Access Server globalparams.xml file.
Check for new details about customizing to allow auto-login.
Look for new information about denying access to unprotected resources automatically.