Oracle® Access Manager Introduction
10g (10.1.4.3)
E12494-01

5 Overview of Behaviors

This chapter provides a brief summary of the latest Oracle Access Manager 10.1.4 behaviors. Some topics also mention earlier behaviors so that you can compare and contrast them with the new behaviors.


Note:

Unless explicitly stated, 10.1.4 refers to any Oracle Access Manager release in the 10.1.4 series. This includes base 10g (10.1.4.0.1) or 10g (10.1.4.3) installations and also those to which the 10g (10.1.4.2.0) or 10g (10.1.4.3) patch set is applied. For more information, including a list of bugs fixed in the latest patch set, see Oracle Access Manager Patch Set Notes Release 10.1.4 Patch Set 2 (10.1.4.3.0) For All Supported Operating Systems.

Topics include:

5.1 Platform and SDK .NET Support

This topic describes platform and SDK support and also how to get the latest certified support matrix.

10g (10.1.4.3) SDK with .NET 1 Support: The Oracle Access Manager software developer kit (SDK) for Windows continues to support .NET Framework 1.1 and Microsoft Visual Studio 2002. AccessGates created using the independently installed SDK continue to have this support.

10g (10.1.4.3) SDK with .NET 2 Support: A new and optional SDK is also provided which supports .NET version 2 and MSDE Visual Studio 2005. This SDK applies only to custom AccessGates. It can be independently installed in your deployment, whether it is a fresh installation or an upgraded environment that includes the 10g (10.1.4.3) patch.


Oracle continually certifies Oracle Access Manager support with various third-party platforms, Web server releases, directory server releases, and applications. Certain Web server-specific packages are not available with the initial release.


See Also:

"Web Server-Specific Installation Packages" in the Oracle Access Manager Installation Guide

There are no significant changes in platform support between Oracle Access Manager releases 10.1.4 and 7.0.4 (also available as part of Oracle Application Server 10g Release 2 (10.1.2)). However, there are significant differences in support prior to release 7.0.4. For the latest support details, see the certification matrix that provides System Requirements and Supported Platforms for Oracle Access Manager 10gR3 (xls) on the Oracle Technology Network:

http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access_manager_certification_10.1.4_r3_matrix.xls

For a quick reference table of components and third-party products that are no longer supported, see the Oracle Access Manager Upgrade Guide.

5.2 About Installers, Patch Sets, Bundle Patches, and Newly Certified Agents

This section includes the following sections:

5.2.1 Definitions

Installers: Oracle provides installers for a fresh installation. With a major release, installation packages can also be used to upgrade earlier instances.

Patch Sets: A patch set is a mechanism for delivering fully tested and integrated product fixes. Each patch set release updates specific software and configuration files in your installation. Patch sets can include new functionality.

Bundle Patches: A bundle patch is an official Oracle patch for Oracle Access Manager components on baseline platforms. Bundle patches are available following one release or patch set and before the next.

Newly Certified Agents: Oracle provides Oracle Access Manager full installers and patch packages for components on newly certified platforms. These packages are available under the Oracle Access Manager 3rd Party Integration link on the Oracle Technology Network (OTN).

For more information, see the "About Installation Packages, Patch Sets, Bundle Patches, and Newly Certified Agents" in the Oracle Access Manager Installation Guide.

5.2.2 Packages for Upgrading Earlier Oracle Access Manager Deployments

10g (10.1.4.3) installers cannot be used to upgrade or patch an earlier Oracle Access Manager release. When upgrading an earlier Oracle Access Manager release, from 6.x or 7.x to 10.1.4, you must use either:

  • In-Place Component Upgrade Method with 10g (10.1.4.0.1) installers available on OTN, then apply the 10g (10.1.4.2.0) patch followed by the 10g (10.1.4.3) patch.

  • Zero Downtime Upgrade Method using both 10g (10.1.4.0.1) installers available on OTN and 10g (10.1.4.2.0) patch set packages available on My Oracle Support (formerly MetaLink), and then apply the 10g (10.1.4.3) patch.

To obtain installers and patch sets, see "Obtaining the Latest Installers, Patch Set, Bundle Patches, and Newly Certified Agents" in the Oracle Access Manager Installation Guide. Upgrading methods and details are found in the Oracle Access Manager Upgrade Guide.

5.3 General Behavior Summary

Several earlier product behaviors have changed to support product globalization. In addition, new features have been added and changes have been made to improve product usability and performance.

If you have upgraded an earlier installation to Oracle Access Manager 10.1.4, some backward compatibility is enabled during the upgrade and some manual processing must occur. For more information about upgrading, see the Oracle Access Manager Upgrade Guide, which includes a list of components and third-party products that are no longer supported.

To ensure that you always have the most up to date information, support details are not presented in manuals. For the latest platform and support information, be sure to see Oracle Technology Network (OTN) at:

http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access_manager_certification_10.1.4_r3_matrix.xls

For more information, see "Platform and SDK .NET Support".

Whether you install the Identity System alone or include the Access System, Table 5-1 briefly summarizes overall Oracle Access Manager behaviors.

Table 5-1 General Oracle Access Manager Behavior Summary

The table has two columns, Function and Behavior. Below, each Function name appears as a heading followed by its Behavior description.

10g (10.1.4.3) Packages

Oracle Access Manager 10g (10.1.4.3) provides component packages that you can use for a fresh installation only. Do not use 10g (10.1.4.3) installers to upgrade or patch an earlier Oracle Access Manager installation.

Note: 10g (10.1.4.3) patch set packages can be applied to only 10g (10.1.4.2.0) instances. For more information, see "About Installers, Patch Sets, Bundle Patches, and Newly Certified Agents".

10g (10.1.4.3) WebGate installers for Oracle HTTP Server 11g are available on the Oracle Access Manager WebGate download page on Oracle Technology Network.

  • To use Oracle Access Manager WebGates as usual, see the chapter on installing WebGate in the Oracle Access Manager Installation Guide.

  • When integrating the Oracle Access Manager Authentication Provider with Oracle WebLogic Application Server 11g, see the Oracle Fusion Middleware Security Guide chapter on "Configuring Oracle Application Server Single Sign-On".

Acquiring and Using Multiple Languages

Early product releases provided messages for end users and administrators in only the English language. Starting with release 6.5, support for translatable messages was provided through Language Packs for certain Latin-1 languages (French and German).

Oracle Access Manager 10.1.4 provides support for nearly a dozen Administrator languages and over two dozen end-user languages, as described in Chapter 4, "About Globalization and Multibyte Support". When you install the product without a Language Pack, only English is available.

Administrative information can be displayed in the Administrators languages listed in Table 4-1 only. When installing components with Oracle-provided Language Packs, you can choose the language (locale) to be used as the default for administrative tasks. If administrative pages are requested in any other language (based on browser settings), the language that was selected as the default during product installation is used to display the pages. See the Oracle Access Manager Installation Guide for installation details.

Oracle Access Manager 10g (10.1.4.3) provides new Language Pack installers required in any 10g (10.1.4.3) deployment, whether it is a fresh installation or an upgraded and patched deployment. For more information, see the Oracle Access Manager Installation Guide.

Note: Messages added in minor releases (10g (10.1.4.2.0) and 10g (10.1.4.3)) as a result of new functionality might not be translated and can appear in English only.

After installing Oracle Access Manager with Oracle-provided Language Packs, you must enable all languages to be used, then configure Oracle Access Manager to use the installed languages by entering display names for attributes, tabs, and panels as described in the Oracle Access Manager Identity and Common Administration Guide.

Messages in Oracle Access Manager stylesheets depend upon a language. Beginning with release 6.5, messages have been brought out of the stylesheets and defined separately as variables in msgctlg.xsl (and msgctlg.js for JavaScript files). In addition, each stylesheet has a corresponding language-specific thin wrapper stored in IdentityServer_install_dir\identity\oblix\lang\langTag\style0 to segregate the main functionality of the stylesheet template from language-specific messages in the stylesheets. For more information, see the Oracle Access Manager Customization Guide.

Auditing and Access Reporting

To support all available languages, definitions of oblix_audit_events, oblix_rpt_as_reports, oblix_rpt_as_resources, and oblix_rpt_as_users tables have changed. For details, see the Oracle Access Manager Identity and Common Administration Guide.

The Crystal Reports package is no longer provided with the Oracle Access Manager package. You must obtain this product from the vendor.

You can now audit to an Oracle Database and also to Microsoft SQL Server. Support for MySQL is deprecated in this release.

When configuring Audit Policies in the Identity System Console, you can specify a list of profile attributes for every audit record. Profile attributes (Full Name, Employee Number, Department Number, and the like) are specific to the user performing the action/event being audited (Search or View Profile or Modify Profile, for example). The purpose of profile attributes is to help you identify the user performing the action/event.

Warning: To avoid exposing a challenge phrase or response attribute, Oracle recommends that you do not select these as profile attributes for auditing. If you add a challenge phrase or response as a profile attribute, it is audited in proprietary encoded format.

Before auditing in an environment you upgraded to 10.1.4, you must retain the original database and data, create a new database instance for use with 10.1.4, generate new tables, and import earlier data before you start auditing (this last item is a must only if you want to query/generate reports using both old and new data), as described in the Oracle Access Manager Upgrade Guide.

10g (10.1.4.2.0): Oracle Instant Client binaries are now shipped with the Identity Server and Access Server. This eliminates the requirement for a 10.1.0.5 ORACLE_HOME on the computer that hosts them when auditing to a database.

Automatic Login and the Password Redirect URL

With an enhancement in 10g (10.1.4.2.0), users can be logged in automatically after changing their password. To configure automatic login, the change password redirect URL must include STLogin=%applySTLogin% as a parameter. The following is an example of a change password redirect URL that logs the user in:

/http://computername:portnumber/identity/oblix/apps/lost_password_mgmt/bin/lost_password_mgmt.cgi?program=redirectforchangepwd&login=%login%%userid%&backURL=%HostTarget%%RESOURCE%&STLogin=%applySTLogin%&target=top

To implement this with a form-based authentication scheme, you must configure the challenge parameter creds by supplying the user name credential parameter as the first token, the password credential parameter as the second token, then any other credential parameters.

See the Oracle Access Manager Identity and Common Administration Guide for details.

Automatic Schema Update Support for ADAM

Automatic schema update support for ADAM was removed due to an ldifde.exe tool licensing issue. For ADAM, the schema must be updated manually, as described in the Oracle Access Manager Installation Guide.

C++ Programs

When upgrading from releases earlier than 7.0, you may need to recompile C++ programs created with the Software Developer Kit and APIs after the upgrade. See other topics in this chapter for an overview of the impact on Identity System event plug-ins; Access Manager SDK, Access Manager API, and custom AccessGates; and custom authentication and authorization plug-ins and interfaces. See also, the Oracle Access Manager Developer Guide.

Cache Flush

A 10.1.4 Identity Server cannot flush the cache of an earlier Access Server, which impacts environments that you upgrade. To eliminate problems, you must upgrade the Access Server to the same release as the Identity Server. If you install a new Access Server, ensure that it is backward compatible. See information on the Access Server in Table 5-3.

Certificate Store and Localized Certificates

You can request and add localized certificates containing non-ASCII text in all fields except Email and Country (per X.509 standards).

Starting with release 7.0 and continuing with 10.1.4, the default certificate store format and name has changed to cert8.db.

When you upgrade to 10.1.4, the old certificate store is used. 10.1.4 works with both the cert7.db (upgraded environments) and cert8.db (new installations) certificate store. Generating a new certificate store occurs transparently whenever you add, modify, or delete certificates using configureAAAServer, setup_ois, or setup_accessmanager utilities. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Compilers for Plug-ins

Starting with release 7.0, components on Solaris and Linux are compiled using the GCC v3.3.2 C++ compiler to address multi-threading issues encountered with earlier compiler releases.

After upgrading to 10.1.4, you must recompile custom plug-ins from release 5.x or 6.x using the GCC v3.3.2 C++ compiler available from your vendor. This includes Identity Event plug-ins and custom authentication and authorization plug-ins. For details, see the Oracle Access Manager Upgrade Guide.

Configuration Files

Earlier releases of Oracle Access Manager managed certain information (including but not limited to directory connection information and WebGate parameters) solely through XML and LST configuration files. Release 10.1.4 provides the ability to manage this information through the Identity System Console and Access System Console. See also "Directory Server Connection Details" (in this table) and "WebGates" (in Table 5-3, "Access System Behavior Summary").

Connection Pool Details

Starting with release 7.0, connection pooling was consolidated to support failover across the entire system. The directory connection pool does not depend on directory type. There is some impact when upgrading (depending on the configuration of your earlier installation to each directory server that is configured). See the topic on directory server failover in this table. For more information, see the Oracle Access Manager Upgrade Guide and Oracle Access Manager Deployment Guide.

Console-based Command-Line Interfaces

Oracle Access Manager command-line tools have been modified to automatically detect the server locale and use it for processing. To override the server locale, set either the COREID_NLS_LANG or the NLS_LANG environment variable; setting either one turns auto-detection off and takes precedence over the server locale. For details, see the Oracle Access Manager Installation Guide. When set, NLS_LANG takes precedence over LANG, and COREID_NLS_LANG takes precedence over NLS_LANG.

10g (10.1.4.2.0): Even if an environment variable is set to ORACLE_HOME or ORA_NLS10, or a third-party Web component refers to a different version of the NLS libraries and data files than the one used by Oracle Access Manager, Oracle Access Manager components choose NLS data files from the oracle_access_manager_component_install_dir. For details, see the Oracle Access Manager Installation Guide.

Customized Styles

Product functionality depends, in part, on stylesheet files in the latest \style0 and \shared directories. Starting with Oracle Access Manager release 6.5, to support multiple languages the location of JavaScript, stylesheets, and images changed. The directory structure introduced with release 6.5 continues with 10.1.4. For general information about stylesheets and customization, see the Oracle Access Manager Customization Guide.

Customized .XSL style files, images, and JavaScript files are not migrated during an upgrade. If files in your earlier Oracle Access Manager \style0 directory were customized, you must manually edit the newer version files in \style0 and \shared directories after the upgrade. For more information, see the discussion on incorporating custom items in the Oracle Access Manager Upgrade Guide.

Database Input and Output

Oracle Access Manager 10.1.4 supports the Unicode character set. In new installations, Oracle recommends that you choose a Unicode character set for your database. For more information, see Chapter 4, "About Globalization and Multibyte Support".

Earlier Oracle Access Manager releases used the Latin-1 character set. As a result the varchar type for the columns of audit and reporting related tables was sufficient. 10.1.4 supports an internationalized character set. As a result, the audit record may contain data with non Latin-1 characters (Chinese, Japanese, Arabic, and the like). For more information, see details about auditing and access reporting in this table.

Date and Time Formats

In the 10.1.4 Identity System, the date format remains the same as in the last release and is not internationalized (on the Diagnostics page and Ticket Information page for example). However, month names taken from Identity System message catalogs are displayed in the locale specified by the browser. As in earlier releases, date order formats (MM/DD/YYYY versus DD/MM/YYYY and the like) can be configured by modifying object class attributes in the Identity System Console as described in the Oracle Access Manager Identity and Common Administration Guide. On the Ticket Information page, the date is displayed in the format specified in the obDateType parameter in the globalparams.xml file. Weekday names do not appear anywhere within the Identity System.

In the Access System, month names, the date-order format (MM/DD/YYYY versus DD/MM/YYYY), and weekday names are displayed according to the locale specified for the browser. In the Access System, month and weekday names are not taken from message catalog files.

Default Product Page

As in earlier releases, there can be only one static HTML page at the address /identity/oblix/index.html and one static HTML page at the address /access/oblix/index.html. These static product pages always use the default Administrator language selected during Identity Server and Policy Manager installation at this location. Starting with release 6.5, the product supported multiple Latin-1 languages (French, German). The default product page behavior remains the same as in earlier releases. See also information about HTML pages later within this table.

Detecting Cross-site Scripting and SQL Injection

10g (10.1.4.2.0) provides enhancements for detecting and handling cross-site scripting and SQL injection. These enhancements guard against malicious data entry in the Oracle Access Manager user applications and administration consoles.

Diagnostic Tools for Identity and Access Servers

10g (10.1.4.2.0) includes new diagnostic tools for the Identity and Access Server to help you work with an Oracle Technical Support representative to troubleshoot problems.

The diagnostic tools enable you to do the following:

  • Obtain hard-to-locate information about component configuration and behavior.

  • Automatically capture events that immediately precede a core dump.

  • Manually capture a stack trace of any event in the Identity or Access System.

    For example, if Oracle Access Manager experiences a core dump, it can now write a stack trace to a log file. To enable this functionality, you turn on logging at any minimal level. You can send the log file that contains the stack trace information to Oracle, along with a report of the problem.

See the Oracle Access Manager Identity and Common Administration Guide for details.

Directory Profiles and Database Instance Profiles

In earlier releases, the Identity System included directory profiles and database instance profiles. A directory profile (also known as a directory server profile) contains the connection information for one or more directory servers that share the same namespace and operational requirements for Read, Write, Search, and so on. The connection information includes a name, a domain or namespace to which it applies, a directory type, and a set of operations.

Starting with release 6.5, the Access System began partially using directory profiles and database instance profiles for accessing user data. Also, these directory profiles replace the UserDB.lst, GroupDB.lst, UserDBFailover.lst, and GroupDBFailover.lst configuration files that were used in earlier Access System releases.

In 10.1.4, a directory profile is created automatically each time you install an Identity Server, Policy Manager, or Access Server and specify new directory server connection information. You can create additional directory server profiles for load balancing and failover after installation.

When you upgrade an earlier Policy Manager or Access Server, a message appears during the incremental upgrade to release 6.5. The message "DB Profiles created" refers to the directory server profile that is created. See also information on connection pools, earlier in this table.

Directory Server Connection Details vs. XML Files

Earlier releases managed directory connection information solely through XML configuration files. Recently, Oracle Access Manager provided the ability to manage this information through the interface using the Directory Profile page in the Identity System Console and the Access System Console. However, some configuration and policy data is still managed through XML files.

Directory Server Failover

Your earlier implementation may include failover between an Oracle Access Manager server and the directory server.

Following data upgrades, the Access Server handles multiple directory servers using directory profiles that are automatically created during the upgrade between release 6.1.0 and 6.5. After upgrading, it is a good idea to verify that the failover configuration you had in the earlier release operates as expected as described in the Oracle Access Manager Deployment Guide.

See also information on connection pool details mentioned earlier in this table, and information about message and parameter .lst files that are transformed into .xml files.

An enhancement in 10g (10.1.4.2.0) provides a new parameter in globalparams.xml named LDAPOperationTimeout. It sets the amount of time that the Identity Server, Access Server, or Policy Manager waits for a response from the directory server for a single entry of a search result before the component fails over to a secondary server, if one is configured.

A heartbeat_ldap_connection_timeout_in_millis parameter in globalparams.xml determines the time limit for establishing a connection with the directory server. If the time limit is reached, the Identity and Access Servers start establishing connections with another directory server. This parameter enables the Identity and Access Servers to proactively identify when a directory server is down, and it enables failover without requiring an incoming directory service request and a subsequent TCP timeout.

See the chapter on failover in the Oracle Access Manager Deployment Guide and the appendix on parameter files in the Oracle Access Manager Customization Guide for details.

Directory Server Searches

In previous releases, it could take a long time to create a large number of policy domains and URL prefixes in the Policy Manager. In 10g (10.1.4.2.0), searches to the directory server have been minimized for these operations, resulting in better performance.

Directory Server Interface

The 10.1.4 directory server interface reads, processes, and stores data using UTF-8 encoding.

Directory Structure

When you install 10g (10.1.4.0.1) or 10g (10.1.4.3) components, you can name the top-level directory as you like. With each installed component, Oracle Access Manager appends an identifier to the directory name you assign. For example:

IdentityServer_install_dir\identity

AccessServer_install_dir\access

In each case, a directory named \oblix\oracle\nlstrl is created after the automatic installation of the Oracle National Language Support Library (not available in earlier releases).

For more information, see the Oracle Access Manager Installation Guide.

Domain Names, URIs, and URLs

Oracle Access Manager 10.1.4 supports ASCII characters only for domain names, URIs, and URLs. This is the same as in earlier releases. There is no support for internationalized characters.

Encryption Schemes

Cookies are encrypted using a configurable encryption key known as a shared secret. In release 5.x, the RC4 encryption scheme was recommended for shared secret keys. In release 6.x, the RC6 encryption scheme was recommended. Starting with release 7.0, AES became the default Access System encryption scheme. For more information, see shared secret details later in Table 5-3 and the Oracle Access Manager Access Administration Guide.

The Identity System continues to use RC6 encryption for Lost Password Management responses.

Failover and Failback

Release 7 introduced a heartbeat polling mechanism to facilitate immediate failover to a secondary directory server when the number of connections in the connection pool falls below the specified threshold level. Additionally, a failback mechanism facilitates switching from the secondary directory server back to the primary server as soon as the preferred connection has been recovered.

The heartbeat feature polls the primary directory server connections periodically to verify the availability of the directory service (and by implication, the network). When the host cannot be reached, further attempts to connect to that host are blocked for the specified Sleep For interval, rather than for the TCP timeout used previously.

If the directory service is not available, the heartbeat mechanism immediately initiates failover to the secondary directory server. Thus, failover can take place without being triggered by an incoming directory service request and a subsequent TCP timeout. A new parameter in globalparams.xml determines the timeout interval for establishing a connection.

In situations where the enterprise network performance is poor, the heartbeat feature can trigger false alarms and tear down already-established connections. Therefore, the heartbeat_enabled parameter in the globalparams.xml enables you to activate or deactivate the heartbeat mechanism in response to current network conditions. By default the heartbeat feature is activated.

For more information, see the Oracle Access Manager Deployment Guide.
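The directory server failover and heartbeat entries above name three globalparams.xml parameters (heartbeat_enabled, heartbeat_ldap_connection_timeout_in_millis, LDAPOperationTimeout). The following added example, which is not Oracle's code, reads those parameters from a constructed globalparams.xml fragment and reports whether a dead directory server would be detected proactively; the ParamsCtlg/ValNameList/NameValPair layout of the file is an assumption.

```python
# Added example (not Oracle's code). Parameter names come from the page; the
# XML layout (ParamsCtlg > ValNameList > NameValPair ParamName/Value) is an
# assumption about globalparams.xml.
import xml.etree.ElementTree as ET

# Constructed sample fragment of a globalparams.xml with the failover settings.
SAMPLE_GLOBALPARAMS = """<ParamsCtlg xmlns="http://www.oblix.com" CtlgName="globalparams">
  <ValNameList ListName="">
    <NameValPair ParamName="heartbeat_enabled" Value="true"/>
    <NameValPair ParamName="heartbeat_ldap_connection_timeout_in_millis" Value="1000"/>
    <NameValPair ParamName="LDAPOperationTimeout" Value="120"/>
  </ValNameList>
</ParamsCtlg>
"""


def load_params(xml_text):
    """Return {ParamName: Value} for every NameValPair, with or without an xmlns."""
    root = ET.fromstring(xml_text)
    params = {}
    for elem in root.iter():
        # Drop the "{namespace}" prefix ElementTree adds when a default xmlns is set.
        if elem.tag.rsplit("}", 1)[-1] == "NameValPair":
            name = elem.get("ParamName")
            if name is not None:
                params[name] = elem.get("Value")
    return params


def review_failover_settings(params):
    """Summarize how the server detects a directory server outage.

    heartbeat: True when the proactive poll is on. The page says the feature
    is activated by default, so a missing heartbeat_enabled counts as true.
    warnings: settings that leave failover waiting on a request plus a TCP
    timeout, or with no explicit timeout configured.
    """
    warnings = []
    heartbeat = params.get("heartbeat_enabled", "true").strip().lower() == "true"
    if not heartbeat:
        warnings.append("heartbeat_enabled is false: failover waits for an "
                        "incoming directory request and a TCP timeout")
    conn_ms = params.get("heartbeat_ldap_connection_timeout_in_millis")
    if heartbeat and conn_ms is None:
        warnings.append("heartbeat_ldap_connection_timeout_in_millis not set: "
                        "no explicit connection time limit is configured")
    op_timeout = params.get("LDAPOperationTimeout")
    if op_timeout is None:
        warnings.append("LDAPOperationTimeout not set: no explicit per-entry "
                        "search timeout is configured")
    return {"heartbeat": heartbeat, "connection_timeout_ms": conn_ms,
            "operation_timeout": op_timeout, "warnings": warnings}


if __name__ == "__main__":
    result = review_failover_settings(load_params(SAMPLE_GLOBALPARAMS))
    print(result)
```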

File and Path Names

With Oracle Access Manager 10.1.4 only ASCII characters are supported in file and path names. This is the same as in earlier releases.

Graphical User Interface

Several changes have been made to improve and clarify the Web-based graphical user interface. The user interface is introduced in this guide and described throughout the suite of manuals.

HTML Pages

In Oracle Access Manager 10.1.4, all HTML pages generated by Oracle Access Manager use UTF-8 encoding. This encoding is communicated to Web browsers using the Content-Type HTTP header and META tags. See also information about default product pages mentioned earlier in this table.

LDAP Bind Password

10g (10.1.4.2.0) provides an enhancement in the form of ModifyLDAPBindPassword. This command enables you to periodically update the LDAP bind password for the directory servers that communicate with Oracle Access Manager components in Oracle Access Manager configuration files.

Using the ModifyLDAPBindPassword command, you can reset the LDAP bind password without restarting any servers or re-running setup.

See the chapter on reconfiguring the system in the Oracle Access Manager Deployment Guide for details.

Linux Native Posix Thread Library

See Native Posix Thread Library for Linux, in this table.

LogFile Enhancements

10g (10.1.4.2.0): Operating system error information is now included in the logs. For example, when an attempt to create a listener thread fails, the error code returned on GetLastError() is added to the log files.

You can now generate logs that show details about the time consumed by different types of calls to external components. Using this information, you can better assess whether requests to specific components are taking longer than expected. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Message and Parameter Catalogs

10g (10.1.4.2.0) includes .XML parameter and message catalog files. The exception to this rule includes files that are used during an upgrade. In 10.1.4, message files reside in specific directories for each installed language. For example: IdentityServer_install_dir/identity/oblix/lang/langTag/oblixbasemsg.xml. For more information, see the Oracle Access Manager Customization Guide.

Migrating User Data at First Login

10g (10.1.4.2.0) includes a new parameter in the globalparams.xml file, MigrateUserDataTo1014. This parameter comes into play only when you upgrade using the zero downtime upgrade method. For more information, see the Oracle Access Manager Upgrade Guide.

Minimum Number of Search Characters

In earlier releases, you needed to enter at least three characters when performing a search in Identity System applications. In Oracle Access Manager 10.1.4 there is no minimum number of characters required. As in earlier releases, you can control the minimum number of characters that users must enter in the search field as described in Oracle Access Manager Customization Guide.

Multiple Values in Challenge Phrase and Response Attributes

In earlier releases, the lost password management feature supported only a single value for the challenge phrase and response attribute in user entries. Oracle Access Manager 10.1.4 supports multiple values in challenge phrases and response attributes, and expects these in encoded format. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Names Assigned by Administrators and Product Names

Some product and component names have changed. Certain function names have been made consistent between the Access and Identity Systems as noun phrases. During an upgrade, earlier names are changed to the new name. For more information, see "Product and Component Name Changes".

However, any service names assigned by an administrator during installation or configuration are not changed during an upgrade. Therefore if you have a service named "COREid Server" or "NetPoint Server", these names remain intact after the upgrade. Also, earlier authentication scheme names and policy domain names assigned by an administrator remain unchanged after an upgrade.

Namespaces for Policy Data and User Data Stored Separately

Before release 6.5, the namespaces for policy data and user data stored in two separate directories had to be unique. During an upgrade to 10.1.4 you must confirm this uniqueness to ensure that multi-language capability can be enabled. For more information, see the Oracle Access Manager Upgrade Guide.

Native POSIX Thread Library for Linux

Oracle Access Manager 10g (10.1.4.3) uses either Native POSIX Thread Library (NPTL) or LinuxThreads. The default mode is LinuxThreads; the start_ois_server and start_access_server scripts start in LinuxThreads mode. To use NPTL mode, you must start the server with the start_ois_server_nptl (or restart_ois_server_nptl) or start_access_server_nptl (or restart_access_server_nptl) scripts.

Stop scripts remain the same for both LinuxThreads and NPTL. Some standard setup scripts operate successfully whether you use LinuxThreads or NPTL: start_setup_ois, start_setup_webpass, start_setup_access_manager, start_configureAAAServer. However, start_snmp_agent includes an entry for LD_ASSUME_KERNEL which you must remove or comment out when using NPTL.

Note: On Linux, Oracle Access Manager Web components for Oracle HTTP Server 11g use only NPTL; you cannot use the LinuxThreads library. In this case, do not set the environment variable LD_ASSUME_KERNEL to 2.4.19.

For more information, see details in the chapter on preparing for installation, and the topic "NPTL Requirements and Post-Installation Tasks" in the troubleshooting appendix of the Oracle Access Manager Installation Guide.

With NPTL, there is no impact on custom plug-ins and APIs that you have created for Oracle Access Manager. When upgrading, you must still recompile custom plug-ins from Oracle Access Manager 5.x or 6.x using the GCC v3.3.2 C++ compiler. See also the Oracle Access Manager Upgrade Guide.

For details about differences between NPTL and LinuxThreads, see http://www.kernel.org/doc/man-pages/online/pages/man7/pthreads.7.html.

Object Classes and Attributes

There have been several schema changes in 10g (10.1.4.0.1). For more information, see Oracle Access Manager Schema Description.

obVer Attribute Changes

Until release 10g (10.1.4.0.1), the obVer attribute was purely informational. However, starting with release 10g (10.1.4.0.1), the obVer attribute is used by the Identity and Access Servers to support encoding of multiple values in challenge phrase and response attributes for lost password management. In this case, Oracle Access Manager 10g (10.1.4.0.1) reads the obVer attribute in:

  • oblixConfig class: The structural class defines the container node for the Oracle Access Manager configuration data.

  • OblixOrgPerson class: The auxiliary class used for associating Oracle Access Manager person information with the class configured as the structural person object class.

When you upgrade from an earlier release to Oracle Access Manager 10g (10.1.4.0.1), configuration data stored in the oblix tree is migrated automatically and the value of the obVer attribute is changed to 10.1.4.0. However, user data is not migrated until the first login following the upgrade. This means that the obVer attribute value remains less than 10.1.4.0 in user data (in the OblixOrgPerson class). For more information, see the Oracle Access Manager Upgrade Guide and the Oracle Access Manager Schema Description.

Password Policies and Lost Password Management

This release contains password policy and password management enhancements. You can configure the minimum and maximum number of characters users can specify in a password. For lost password management, you can set multiple challenge-response pairs, create multiple style sheets, and configure other aspects of the user's lost password management experience. You can also redirect users back to the originally requested page after resetting a password. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Oracle Access Manager 10g (10.1.4.0.1) uses the value of the obVer attribute in the user entry (OblixOrgPerson) to indicate the encoding for challenge phrase and response attributes. This has implications when upgrading from an earlier release to Oracle Access Manager 10g (10.1.4.0.1). When upgrading, see the Oracle Access Manager Upgrade Guide.

Reconfiguring the Logging Framework without a Restart

In Oracle Access Manager 10.1.4, you may reconfigure the logging framework without restarting the servers. To do this, an administrator must manually update the logging configuration for each component:

  • Identity Server

  • WebPass

  • Policy Manager

  • Access Server

  • WebGate

  • Access Manager SDK (Custom AccessGate)

Changes to logging parameters take effect within one minute, rather than requiring you to restart the server where the changes were made. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Secure Logging

Oracle Access Manager handles sensitive information about users, which can include the user password, date of birth, a challenge response, security questions and answers for lost password requests, and more. At certain logging levels, sensitive information might be captured. Today, you can enable secure logging and filter sensitive information in log files.

For more information, see the chapter on logging in the Oracle Access Manager Identity and Common Administration Guide.
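As an added illustration of the check a practitioner would want here (example code, not Oracle's secure-logging implementation), a log filter that masks the kinds of values the text names before a verbose-level line reaches a log file, plus a helper that scans written lines for anything that slipped through. The field names and sample lines are constructed for the example.

```python
import io
import logging
import re

# Constructed field names for the kinds of sensitive values the text mentions
# (password, date of birth, challenge response). These are assumptions for the
# example, not Oracle Access Manager's actual log format.
SENSITIVE_KEYS = ("password", "dob", "dateofbirth", "challengeresponse")

# key=value pairs in a log line; the value runs to the next space, comma or semicolon
_PAIR_RE = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\s*=\s*([^\s,;]+)")


def redact(message: str) -> str:
    """Replace the value of every sensitive key=value pair with ***."""
    return _PAIR_RE.sub(lambda m: f"{m.group(1)}=***", message)


class SecureLoggingFilter(logging.Filter):
    """Rewrites each record's message before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


def leaks_sensitive_value(line: str) -> bool:
    """True if a written line still carries an unmasked sensitive value."""
    return any(m.group(2) != "***" for m in _PAIR_RE.finditer(line))


def capture_debug_log(lines, secure: bool) -> str:
    """Log constructed DEBUG-level lines and return what reached the handler."""
    logger = logging.getLogger(f"oam-example-{secure}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    buf = io.StringIO()
    logger.addHandler(logging.StreamHandler(buf))
    if secure:
        logger.addFilter(SecureLoggingFilter())
    for line in lines:
        logger.debug(line)
    return buf.getvalue()


# Constructed sample lines resembling verbose Identity Server output.
SAMPLE_LINES = [
    "login uid=jdoe password=s3cret! result=ok",
    "lostpwd uid=jdoe challengeResponse=Rover, dob=1980-02-29",
    "profile uid=jdoe mail=jdoe@example.com",
]

if __name__ == "__main__":
    print(capture_debug_log(SAMPLE_LINES, secure=False))
    print(capture_debug_log(SAMPLE_LINES, secure=True))
```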

Support Changes and Certification Matrix

There have been several changes in supported platforms and third-party versions. You can now locate complete platform support details on Oracle Technology Network at:

http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access_manager_certification_10.1.4_r3_matrix.xls

Transport Security for the Directory Server

When you configure SSL mode for the directory server, only server authentication is supported. Client certificates are not supported. Oracle Access Manager verifies the server certificate against the Root CA certificate that you imported during product setup. For more information, see the Oracle Access Manager Access Administration Guide.

Upgrade Enhancements

A new method is available that enables you to perform an upgrade to Oracle Access Manager 10g (10.1.4.0.1) while making a switch from a Solaris platform to a Linux platform.

10g (10.1.4.2.0): A new zero downtime upgrade method is available that enables you to perform an upgrade to 10.1.4.2.0 while nearly eliminating the downtime that is generally associated with a standard in-place component upgrade.

For more information, see the Oracle Access Manager Upgrade Guide.

Web Components and Backward Compatibility

Earlier WebPass instances are not compatible with 10.1.4 Identity Servers (or Policy Managers). After upgrading all earlier Identity Servers, you must upgrade all earlier WebPass instances. For more information, see the Oracle Access Manager Upgrade Guide. Following an upgrade, you may install compatible 10.1.4 WebPass instances in your upgraded environment. For more information, see the Oracle Access Manager Installation Guide.

If you add a 10.1.4 Access Server to the upgraded environment, you must set a flag to enable backward compatibility with earlier WebGates. For more information, see details about Access Server backward compatibility.

Release 6.1.1, 6.5, and 7.x WebGates may coexist with upgraded Access Servers. Following an upgrade, you may install 10.1.4 WebGates in your upgraded environment. However, 10.1.4 WebGates are not compatible with earlier Access Servers. For more information, see the Oracle Access Manager Upgrade Guide.

Note: Oracle continually certifies Oracle Access Manager support with various third-party platforms, Web server releases, directory server releases, and applications. Certain Web server-specific packages are not available with the initial release. For more information, see "Web Server-Specific Installation Packages" in the Oracle Access Manager Installation Guide.

Web Server Configuration Files

There have been no changes for globalization and UTF-8 support in any Web server configuration files. However, the importantnotes.txt file has been removed and the information that was in this file is now documented in an appendix in the Oracle Access Manager Installation Guide.

Writing a Stack Trace to a Log File

An enhancement in 10g (10.1.4.2.0) enables Oracle Access Manager to write a stack trace to a log file when there is a core dump. To enable this functionality, you turn on logging at any minimal level. You can send the log file that contains the stack trace information to Oracle, along with a report of the problem.

See the appendix on troubleshooting in the Oracle Access Manager Identity and Common Administration Guide for details.

XML Catalogs and XSL Stylesheet Encoding

For non-English languages, XML message files have encoding set as UTF-8, because ISO-8859-1 encoding cannot represent all characters in all languages. When no encoding is specified, UTF-8 is used as the default. Some English-only files still use ISO-8859-1 encoding.

For more information, see the Oracle Access Manager Customization Guide.
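An added example (not Oracle's code or catalog schema) of the encoding rules just stated: a file with no XML declaration is read as UTF-8, and ISO-8859-1 cannot hold text outside the Latin-1 range. The catalog element names and sample strings are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Picks the encoding named in an XML declaration, if one is present.
_DECL_RE = re.compile(rb'^<\?xml[^>]*encoding=["\']([^"\']+)["\']')


def declared_encoding(raw: bytes) -> str:
    """Encoding named in the XML declaration; UTF-8 when none is declared."""
    m = _DECL_RE.match(raw.lstrip())
    return m.group(1).decode("ascii").upper() if m else "UTF-8"


def representable_in(text: str, encoding: str) -> bool:
    """Can every character of text be stored in a file using this encoding?"""
    try:
        text.encode(encoding)
        return True
    except UnicodeEncodeError:
        return False


def message_text(raw: bytes, msg_id: str) -> str:
    """Look up one message in a constructed catalog (not Oracle's real schema)."""
    root = ET.fromstring(raw)  # expat honours the declaration, defaults to UTF-8
    for node in root.iter("Message"):
        if node.get("id") == msg_id:
            return node.text or ""
    raise KeyError(msg_id)


def make_catalog(text: str, encoding: Optional[str]) -> bytes:
    """Build a constructed catalog, with or without an encoding declaration."""
    decl = f'<?xml version="1.0" encoding="{encoding}"?>\n' if encoding else ""
    doc = f'{decl}<Catalog><Message id="greeting">{text}</Message></Catalog>'
    return doc.encode(encoding or "utf-8")


# Constructed sample strings: Japanese, and a French word Latin-1 can represent.
JA_TEXT = "ようこそ"
FR_TEXT = "résumé"

if __name__ == "__main__":
    print(message_text(make_catalog(JA_TEXT, None), "greeting"))
    print(representable_in(JA_TEXT, "ISO-8859-1"), representable_in(FR_TEXT, "ISO-8859-1"))
```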

XSL Enhancements

Enhancements have been made to certain xsl files to support a JavaScript-related fix and several large-group-related fixes. These xsl files are available when you install the 10.1.4.2.0 patch set.

For more information, see Oracle Access Manager Customization Guide.


5.4 Identity System Behavior Summary

Table 5-2 briefly summarizes the latest Identity System behaviors.

Table 5-2 Identity System Behavior Summary

Function Behavior

Challenge and Response Attributes

Starting with 10g (10.1.4.0.1), both the challenge phrase and response attributes must be on the same panel in Identity System applications. Challenge phrases and responses are displayed one after the other even though these are not configured one after the other in the panel. If a panel contains only the challenge attribute, it is displayed in the Profile page without a response. If the panel contains only the response (without the challenge attribute), the response is not displayed in the Profile Page at all.

For details about configuring these, see the Oracle Access Manager Identity and Common Administration Guide. For details about combining these on a single panel after the upgrade, see the Oracle Access Manager Upgrade Guide. For changes to IdentityXML, see the Oracle Access Manager Developer Guide.

Content-length Header in a WebPass Response

You can add the SetContentLengthHeader parameter to the WebPass globalparams.xml file. A value of true sets the "Content-length" header in the response coming from WebPass to its Web server. As a result, the Web server does not send the "Connection" header with the value "Close" in its response to the browser. For more information, see the chapter on parameters in the Oracle Access Manager Customization Guide.

Email Notifications

Oracle Access Manager 10g (10.1.4.3) provides the UseDefaultOptionsForAllMails parameter in the Identity Server globalparams.xml file. This parameter enables you to configure an email ID to be used to send all email notifications.

For more information about this parameter, see "Parameter Reference" in the Oracle Access Manager Customization Guide. For encoding formats, see "Mail Notification" in this table.

Identity Server Backward Compatibility

Starting with 10g (10.1.4.0.1), the Identity Server uses UTF-8 encoding and plug-in data contains UTF-8 data. Earlier custom plug-ins send and receive data in Latin-1 encoding.

Backward compatibility with earlier custom plug-ins is automatic. However, when you add a new 10.1.4 Identity Server to an upgraded environment, you need to manually set the encoding flag in the Identity Server oblixpppcatalog.lst to enable communication with earlier plug-ins and interfaces. For details, see the Oracle Access Manager Installation Guide.

Identity System Event Plug-ins

With release 10.1.4, the Identity Server uses UTF-8 encoding; plug-in data contains UTF-8 data. For more information, see the Oracle Access Manager Developer Guide.

Backward compatibility between an upgraded Identity Server and earlier Identity Event plug-ins is automatic. For details about adding a new Identity Server to an upgraded environment, see the Oracle Access Manager Installation Guide.

IdentityXML and SOAP Requests and Responses

Starting with release 6.5, certain syntax changes were made for IdentityXML requests. Oracle recommends that you use the latest syntax for your customizations. However, the earlier syntax should still operate without problem.

In 10.1.4, UTF-8 encoding is used for XML pages, for SOAP/IdentityXML requests, and for Identity Event Plug-in data sent to executables.

For more information and new syntax descriptions, see the Oracle Access Manager Developer Guide.

IdentityXML Enhancement

Starting with 10g (10.1.4.2.0), IdentityXML requests for gathering the attribute list pertaining to modifying a profile (modifyUser, modifyGroup, and modifyObject) no longer depend on a panel in the Identity System.

For more information, see the IdentityXML chapter of the Oracle Access Manager Developer Guide.

Java Applets

A user working in an English locale cannot view applets in multibyte languages. To work with applets in a multibyte language, the locale on the user's computer must be set to the same language. Setting browser encoding does not work.

There is a known limitation of Java applets in JDK 1.1.7. In Oracle Access Manager 10g (10.1.4.0.1), applets with non-ASCII data can only be displayed properly on computers running with a native encoded operating system.

For more information about acquiring and using languages, see Table 5-1, "General Oracle Access Manager Behavior Summary". See also the Oracle Access Manager Identity and Common Administration Guide.

Large Group Evaluations

Enhancements with 10g (10.1.4.3) enable you to set parameters in the groupdbparams.xml file to enhance performance during group evaluation by eliminating dynamic or nested group evaluations when these are not used.

For more information, see the Parameters chapter in the Oracle Access Manager Customization Guide.

Large Static Groups

With 10g (10.1.4.2.0), if a static group is too large (over 10,000 members, for example) you can modify the default evaluation method for the group using the LargeStaticGroups parameter in globalparams.xml. For more information on this parameter, see the Oracle Access Manager Customization Guide.

If you use this feature, you must make appropriate changes in your Identity System configuration to ensure that subgroups of the modified group are still searched and evaluated as intended. See the chapter on performance tuning in the Oracle Access Manager Deployment Guide for details.

Mail Notification

In 10.1.4, UTF-8 "B" (Base64) encoding is used. MIME headers for all non-MHTML mail messages are set as follows: MIME-Version: 1.0; Content-Type: text/plain; charset=UTF-8; Content-Transfer-Encoding: 8bit.
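An added example (not Oracle's mail code) that assembles a notification in the form just described: a Subject carried as an RFC 2047 UTF-8 "B" encoded-word so the header block stays 7-bit clean, the three MIME headers above, and a raw UTF-8 body sent 8bit. It then parses the message back to check both parts round-trip. The address, subject and body are constructed sample values.

```python
import base64
from email import message_from_bytes
from email.header import decode_header

# MIME headers the text gives for non-MHTML notification mail.
MAIL_HEADERS = {
    "MIME-Version": "1.0",
    "Content-Type": "text/plain; charset=UTF-8",
    "Content-Transfer-Encoding": "8bit",
}


def encode_header_b(text: str) -> str:
    """RFC 2047 encoded-word in the UTF-8 'B' (Base64) form for a header value."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return f"=?UTF-8?B?{b64}?="


def build_notification(to_addr: str, subject: str, body: str) -> bytes:
    """Assemble a notification: B-encoded Subject, raw UTF-8 body sent as 8bit."""
    header_lines = [f"To: {to_addr}", f"Subject: {encode_header_b(subject)}"]
    header_lines += [f"{name}: {value}" for name, value in MAIL_HEADERS.items()]
    head = "\r\n".join(header_lines).encode("ascii")  # headers must stay 7-bit clean
    return head + b"\r\n\r\n" + body.encode("utf-8")


def decode_subject(raw: bytes) -> str:
    """Decode the Subject of a raw message back to text."""
    msg = message_from_bytes(raw)
    parts = decode_header(msg["Subject"])
    return "".join(
        part.decode(charset or "ascii") if isinstance(part, bytes) else part
        for part, charset in parts
    )


def body_text(raw: bytes) -> str:
    """Return the body decoded with the charset the Content-Type declares."""
    msg = message_from_bytes(raw)
    # 8bit transfer encoding: get_payload(decode=True) hands back the raw bytes
    return msg.get_payload(decode=True).decode(msg.get_content_charset())


# Constructed sample notification with non-ASCII text in both subject and body.
SAMPLE_SUBJECT = "Passwort zurückgesetzt"
SAMPLE_BODY = "Ihr Passwort wurde zurückgesetzt.\r\n"

if __name__ == "__main__":
    raw = build_notification("user@example.com", SAMPLE_SUBJECT, SAMPLE_BODY)
    print(raw.decode("utf-8"))
    print(decode_subject(raw), "|", body_text(raw).strip())
```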

Minimum Number of Search Characters

In earlier releases, you needed to enter at least three characters when performing a search in Identity System applications (User Manager, Group Manager, and Organization Manager). In 10.1.4 there is no minimum number of characters required. By default, you can enter no characters. As in earlier releases, to help users narrow their search criteria you can control the minimum number of characters that users must enter in the search field by setting the searchStringMinimumLength parameter in oblixadminparams.xml. See the Oracle Access Manager Customization Guide for details.

Multi-Step Identity Workflow Engine

You can model your business processes in the Identity System using workflows. In earlier releases, you could use a workflow to issue, revoke, and renew certificates. However, this is no longer supported.

Oracle Identity Protocol (OIP)

The Oracle Identity Protocol (formerly known as the NetPoint Identity Protocol) facilitates communication between Identity Servers and associated WebPass instances. There are no changes in the protocol for globalization.

New Parameters in globalparams.xml

Several new parameters are available for globalparams.xml:

  • Identity Server: The UseDefaultOptionsForAllMails parameter enables you to configure an email ID to be used to send all email notifications.

  • WebPass: You can add the SetContentLengthHeader parameter to the WebPass globalparams.xml file. A value of true sets the "Content-length" header in the response coming from WebPass to its Web server. As a result, the Web server does not send the "Connection" header with the value "Close" in its response to the browser.

For more information, see the chapter on parameters in the Oracle Access Manager Customization Guide.

Password Policies and Password Management Run Time

In 10.1.4, internationalized characters are supported in password policies. In earlier releases, password policies worked only with Latin1 characters when enforcing policy constraints. There are no Password Management run-time changes.

Poll Tracking Refresh Parameter

10g (10.1.4.2.0): The webpass.xml file poll tracking refresh parameter is configurable. When setting up multiple Identity Servers or modifying WebPass, administrators can now configure the PollTrackingRefreshInterval in the webpass.xml file. This interval should be configured in seconds. There are implications when setting up multiple Identity Servers or modifying a WebPass instance.

See the Oracle Access Manager Identity and Common Administration Guide for details.

Portal Inserts and URI Query Strings

In 10.1.4, the encoding of data in the URI query string is UTF-8 encoding. However, earlier Portal Inserts in installations that have been upgraded to 10.1.4 require modification after upgrading. For more information, see the Oracle Access Manager Upgrade Guide.

PresentationXML Directories

Before release 6.5, the PresentationXML library was provided under two directories and distributed depending upon how the files were likely to be used. For example, stylesheets that define the default Oracle Access Manager Classic Style were maintained in flat files in \IdentityServer_install_dir\identity\oblix\apps\AppName. Starting with release 6.5 and continuing through 10.1.4, the PresentationXML library is now stored in different directories. For more information, see the Oracle Access Manager Customization Guide.

Sorting User Search Results

In the User Manager, Group Manager and Org. Manager, search results are sorted using a locale-based case insensitive method when you click the column heading (Full Name, for example) in the search results table.

Tuning Internal DBAgent Cache

Guidelines are provided to improve performance by tuning the internal DBAgent cache. After performing this task, specific attributes are not read or cached during view and modify profile operations from a browser. However, IdentityXML requests cache attributes even if they appear in a negative list.

In the Identity Server globalparams.xml file, you can use the negativeListForEntityAttributes parameter to identify specific attributes that are not read or cached during view and modify profile operations.

For more information, see the Performance chapter, "Tuning the Internal DBAgent Cache", in the Oracle Access Manager Deployment Guide, and the Parameters chapter, globalparams.xml table, in the Oracle Access Manager Customization Guide.

Web Services Code

Oracle Access Manager now provides sample code for implementing Web services using IdentityXML. For more information, see the Oracle Access Manager Developer Guide.

XSLProcessor Parameter

With 10g (10.1.4.2.0), when using IdentityXML, the XSLProcessor parameter in the globalparams.xml file indicates the processor to use when generating the page. The only officially supported value, default, indicates that the XDK processor should be used. The values XALAN or DGXT can be used for testing.

See the appendix on configuration parameters in the Oracle Access Manager Customization Guide for details.


5.5 Access System Behavior Summary

Table 5-3 briefly summarizes the latest Access System behaviors.

Table 5-3 Access System Behavior Summary

Function Behavior

Access Server Backward Compatibility

Earlier custom plug-ins sent and received data in Latin-1 encoding. In 10.1.4, Access Servers use UTF-8 encoding and 10.1.4 custom plug-in data is UTF-8 encoded. In 10.1.4, cookie encryption and decryption is accomplished by the Access Server.

When you upgrade an earlier Access Server to 10.1.4, a new parameter is set in the Access Server globalparams.xml file automatically. This provides backward compatibility with earlier custom plug-ins and interfaces, and also earlier WebGates and custom AccessGates. For more information, see the Oracle Access Manager Upgrade Guide.

When you add a new Access Server to an upgraded environment, you need to manually set the value in the Access Server globalparams.xml to enable backward compatibility. For more information, see the Oracle Access Manager Installation Guide.

Access Management Service

Several clarifications have been made with regard to the Access Management Service in WebGate and Access Server profiles. This setting is Off by default. When set to On, the Access Server starts servicing requests from AccessGates. The Access Management Service must be On for associated Access Servers and AccessGates. WebGates do not require the Access Management Service, unless an associated Access Server uses it.

For more information, see the chapter on configuring Access Servers and WebGates in the Oracle Access Manager Access Administration Guide.

Access Manager SDK, Access Manager API, and Custom AccessGates

10.1.4 Access Servers use UTF-8 encoding automatically. In addition, the Access Manager SDK (formerly the Access Server SDK) and Access Manager API (formerly known as the Access Server API) are used to create custom AccessGates. Custom AccessGates use UTF-8 encoding automatically.

For Java interfaces and the Java implementation of the Access Manager API, there have been no external changes for 10.1.4. JNI calls use UTF-16 encoded Java string objects. Earlier Oracle Access Manager releases converted this data to Latin-1. 10.1.4 Access Servers and AccessGates use UTF-8 encoding automatically.

The 10.1.4 Access Manager SDK and custom 10.1.4 AccessGates are not backward compatible with earlier Access Servers, nor with the earlier Access Manager SDK and AccessGates. However, you can use earlier AccessGates with 10.1.4 Access Servers that are enabled to be backward compatible.

Oracle Access Manager 10g (10.1.4.3) also includes a new SDK for Windows, which provides .NET 2 support for custom AccessGates. This new SDK uses Microsoft Development Environment (MSDE) 2005, including .NET Framework 2 and MSDE Visual Studio 2005. This new SDK can be added to a fresh installation or to an upgraded installation that includes the 10g (10.1.4.3) patch. If you have earlier AccessGates created with the .NET 1 SDK and you start building AccessGates with the .NET 2 SDK, you might want to recompile the earlier AccessGates for .NET 2 support.

Asynchronous Cache Flush

Previous releases of Oracle Access Manager used a synchronous mode for cache flush requests from Identity Servers to Access Servers. In synchronous mode, the Identity Server sends a cache flush request to the primary Access Server and does not proceed until it receives a response. As a result, any delay in the system causes a delay for the user.

Oracle Access Manager 10g (10.1.4.3) provides an asynchronous cache flush option to help streamline performance and avoid delays associated with synchronous cache flush operations on the Access System. The flow of information is the same whether you use the synchronous or asynchronous method. However, with the asynchronous method, the thread does not wait for a response from the Access Server before notifying the Identity Server. Instead, the request arrives at the Access Server and a response is sent immediately to the Identity Server.

For more information, see the chapter on caching in the Oracle Access Manager Deployment Guide. See "Mixed Mode Communication", and "Global Sequence Number Corruption Recovery" in this table.

Authentication Scheme Updates

In 10.1.4 it is no longer necessary to disable an authentication scheme before you modify it. Also, you can configure an authentication scheme that allows the user to log in for a time period rather than a single session.

Authorization Rules and Access Policies

Starting with release 6.5, Authorization rules are grouped under a tab named "Authorization Rules". Also, a new authorization inconclusive state was introduced in release 7.x (apart from authorization success and failure states).

During an upgrade the rules are renamed using a combination of the Policy Domain name to which the rule belongs, followed by the Authorization Rule name: PolicyDomain_AuthorizationRuleName. When your earlier installation included authorization failure redirects, you must complete a procedure after the upgrade to assure proper authorization failure redirects. For more information, see the Oracle Access Manager Upgrade Guide.

For details about the size of authorization expressions, see "Large Authorization Expressions", in this table.

Cache Flush Enhancements

See "Asynchronous Cache Flush", "Global Sequence Number Corruption Recovery", "Error Handling for Message Channel Initialization During Cache Flush", "Mixed Mode Communication", and "Synchronous Cache Flush Between Multiple Access Servers" in this table.

Custom Authentication and Authorization Plug-in Interfaces

Before 10g (10.1.4.0.1), the Authentication Plug-In API and Authorization Plug-In API for C used Latin-1 encoding for data exchanged between the Access Server and the custom plug-ins. In 10.1.4, the Authentication Plug-In API and Authorization Plug-In API for C use UTF-8 encoding for plug-in processing. There is no change for .NET (managed code) plug-ins.

Directory Profiles

Release 6.5 introduced support for directory server profiles for the Access Server and Policy Manager. During a Policy Manager upgrade from any release before 7.x, a new directory server profile is added automatically. However, the values for Initial Connections and Maximum Connections are not retained during the Policy Manager upgrade.

After upgrading, Oracle recommends that you verify and validate that new directory server profiles were properly created and that load-balancing and failover settings in Access System directory server profiles are configured as expected. For more information about directory profiles, see "Error Handling for Message Channel Initialization During Cache Flush", in the Oracle Access Manager Deployment Guide, Chapter 5.

Dynamic Filter Size

Oracle Access Manager 10g (10.1.4.3) provides the DynamicGroupFilterMaxSize parameter in the globalparams.xml file. This parameter enables a dynamic filter size greater than 4K. It is for use while migrating a group dynamic filter (4K of data only) during or after an Access Server upgrade. For more information, see "Parameter Reference" in the Oracle Access Manager Customization Guide.

Error Handling for Message Channel Initialization During Cache Flush

Oracle Access Manager 10g (10.1.4.3) enhances the network layer shared by WebGate and Access Server. As a result, errors that might occur as a result of message channel initialization failure due to a closed socket are avoided. Today, the message channel stops sending and receiving messages and a WARNING level log message is recorded.

For more information, see Table 5-1, "General Oracle Access Manager Behavior Summary".

Form-based Authentication

Oracle Access Manager 10g (10.1.4.3) includes a new, optional, and configurable challenge parameter (maxpostdatabytes) for form-based authentication schemes only. Use of the maxpostdatabytes challenge parameter is similar to other challenge parameters (form, creds, action, and passthrough). For more information, see the Oracle Access Manager Access Administration Guide.

10.1.4 WebGates accept input data only in UTF-8 encoding. To ensure that character set encoding for the login form is set to UTF-8, add the following META tag to the HEAD tag of the login form HTML page: <META http-equiv="Content-Type" content="text/html;charset=utf-8">.

Global Sequence Number Corruption Recovery

Before a cache flush, the Access Server checks the oblixGSN objectclass in the directory server, which is used in the cache flush mechanism. It contains a global sequence number (a value in the obSeqNo attribute) that represents the flush request number. This value is updated every time an entry is written to the directory server when the Update Cache feature is turned on.

When you have multiple Access Servers writing to multiple directory servers, however, changes could cause the global sequence number in the directory servers to get out of sync. As a result, corresponding entries in the directory servers might become corrupted, which can lead to inconsistent performance in Oracle Access Manager. Recovery requires removal of corrupted entries from the directory server. A manual process is possible; however, it is error prone and time consuming.

Oracle Access Manager 10g (10.1.4.3) provides functionality that enables you to detect corrupted global sequence numbers in the directory server. You can do this from the command-line tool (recovergsncorruption) in the following path: PolicyManager_install_dir\access\oblix\tools. You can also recover from the corruption after disabling cache flush operations between Identity Servers and Access Servers and block updates from the Policy Manager and applications using AMAPI. For more information, see the section on "Restoring Sync Records in Environments with Multiple Directory Servers" in the chapter on "Access System Management" in the Oracle Access Manager Access Administration Guide.

In the Access Server globalparams.xml file, the UserMgmtNodeEnabled parameter can be used. This parameter controls the enabling and disabling of a feature that manages WebGate memory growth. For more information, see the chapter on parameters in the Oracle Access Manager Customization Guide. See also the tip on "Cache Flush Issues with Active Directory" in the Oracle Access Manager Access Administration Guide.

idleSessionTimeoutLogic Change

In release 7.0.4 WebGates enforced their own idle session timeout only. In 10g (10.1.4.0.1), behavior changed and WebGates enforced the most restrictive timeout value among all WebGates the token had visited. With 10g (10.1.4.3), the 7.0.4 behavior has been reinstated as the default. This 7.0.4 behavior can be reconfigured by setting a User-Defined Parameter (idleSessionTimeoutLogic) in the AccessGate Configuration page of the Access System Console. Now WebGates enforce their own idle session timeout only, ignoring the MaxIdleSessionTimeout. For information on setting the idleSessionTimeoutLogic configuration parameter, see "Configuring User-Defined AccessGate Parameters" in the Oracle Access Manager Access Administration Guide.
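An added model (example code, not Oracle's WebGate implementation) of the two idle-timeout logics the paragraph contrasts: each WebGate enforcing only its own timeout (the 7.0.4 behavior, default again in 10.1.4.3) versus enforcing the most restrictive timeout among the WebGates a token has visited (the 10.1.4.0.1 behavior). The mode labels, WebGate names and timeout values are constructed for the example and are not the actual idleSessionTimeoutLogic parameter values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed labels for the two logics; not the real parameter values.
PER_WEBGATE = "per_webgate"            # 7.0.4 behavior, default again in 10.1.4.3
MOST_RESTRICTIVE = "most_restrictive"  # 10.1.4.0.1 behavior


@dataclass
class WebGate:
    name: str
    idle_timeout: int  # seconds of inactivity this WebGate allows


@dataclass
class SessionToken:
    last_access: int                        # time of the user's last accepted request
    max_idle_visited: Optional[int] = None  # tightest timeout among visited WebGates


def visit(token: SessionToken, gate: WebGate, now: int) -> None:
    """Record an accepted request: refresh activity, track the tightest limit seen."""
    token.last_access = now
    if token.max_idle_visited is None or gate.idle_timeout < token.max_idle_visited:
        token.max_idle_visited = gate.idle_timeout


def idle_expired(token: SessionToken, gate: WebGate, now: int, logic: str) -> bool:
    """Decide whether a request at this WebGate is rejected as idle under a logic."""
    idle = now - token.last_access
    if logic == PER_WEBGATE:
        limit = gate.idle_timeout
    elif logic == MOST_RESTRICTIVE:
        visited = token.max_idle_visited if token.max_idle_visited is not None else gate.idle_timeout
        limit = min(gate.idle_timeout, visited)
    else:
        raise ValueError(f"unknown logic: {logic}")
    return idle > limit


def walkthrough(logic: str) -> Tuple[bool, bool]:
    """Constructed scenario: a 600 s portal and a 300 s admin app share one session."""
    portal = WebGate("portal", idle_timeout=600)
    admin = WebGate("admin", idle_timeout=300)
    token = SessionToken(last_access=0)
    visit(token, portal, now=0)
    visit(token, admin, now=10)
    now = 410  # 400 s of inactivity, then the user comes back
    return idle_expired(token, portal, now, logic), idle_expired(token, admin, now, logic)


if __name__ == "__main__":
    for logic in (PER_WEBGATE, MOST_RESTRICTIVE):
        print(logic, "expired at (portal, admin):", walkthrough(logic))
```

Under the per-WebGate logic the 400 s idle session is still accepted at the portal although the admin WebGate it visited would have rejected it, so the stricter WebGate's timeout no longer bounds the shared session; that is the trade-off to weigh when choosing the setting.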

Impersonation for Windows

In addition to configuring impersonation for resources on a computer that is protected by a WebGate, you can extend impersonation to other resources on the network. This is known as assigning a Delegate impersonation level to the client and is available with 10g (10.1.4.2.0).

See the chapter on Windows Impersonation in the Oracle Access Manager Integration Guide for details.

Integration Support Enhanced

10g (10.1.4.2.0):

Integration support includes SharePoint Office Server 2007. See the chapter on integrating with SharePoint in the Oracle Access Manager Integration Guide for details.

Integration support with SAP NetWeaver is provided. See the chapter on integrating with SAP in the Oracle Access Manager Integration Guide for details.

Integration support with Siebel in a multi-domain Active Directory environment is provided. See the chapter on integrating with Siebel in the Oracle Access Manager Integration Guide for details.

Integration support with WebLogic 9.2 is provided. See the chapter on integrating with WebLogic in the Oracle Access Manager Integration Guide for details.

Integration support with WebSphere 6.1 is provided. See the chapter on integrating with WebSphere in the Oracle Access Manager Integration Guide for details.

Internet Protocol Version 6

Oracle Access Manager supports Internet Protocol Version 4 (IPv4). However, you can configure Oracle Access Manager to work with clients that support IPv6 by setting up a reverse proxy server.

For more information, see the Oracle Access Manager Access Administration Guide.

Large Authorization Expressions

Oracle Access Manager 10g (10.1.4.3) provides the policyDSMaxAttrValueLength parameter in the globalparams.xml file of Access Server and Policy Manager. This parameter enables you to add large authorization expressions (beyond the directory server limit for non-binary attribute values). You might also need to configure the directory server to accept large attribute values. For more information, see "Parameter Reference" in Oracle Access Manager Customization Guide.

Large Group Evaluations

The following Access System performance enhancements for large group evaluations are provided with Oracle Access Manager 10g (10.1.4.3):

  • The Access Server (and Policy Manager when using the Access Tester) evaluates the group for membership as a type, only if that type is enabled. To improve performance during group evaluations when you do not use dynamic groups, or when you have dynamic groups but do not want to evaluate them while processing ObMyGroups, you can turn off dynamic group evaluation using the TurnOffDynamicGroupEvaluation parameter in the Access Server (or Policy Manager) globalparams.xml file.

  • Today, whether attributes other than the desired one (uniquemember, groupfilter, and the like) are retrieved depends on the LDAP query. Also, caching the whole entry has been disabled; only the attributes in the LDAP query are cached.

  • Today, a new algorithm can be used during group evaluation involving ObMyGroups. It is controlled by the TurnOffNewAlgorithmForObmyGroups parameter in the Access Server globalparams.xml file and works equally well with static, dynamic, and nested groups.

  • Today, a new parameter in the Access Server globalparams.xml file, NestedQueryLDAPFilterSize, can be used when TurnOffNewAlgorithmForObmyGroups is false to improve the evaluation performance of ObMyGroups. With this parameter, the LDAP search query is divided into parts that are then executed.

  • The GroupCacheTimeout parameter enables you to specify the amount of time an element remains valid in the Access Server group cache. The parameter is provided in the Access Server globalparams.xml file (or the Policy Manager file if you are using the Access Tester).

  • The GroupCacheMaximumElement parameter specifies the maximum number of elements that can be stored in the Access Server group cache. The parameter is provided in the Access Server globalparams.xml file (or the Policy Manager file if you are using the Access Tester).

For more information, see the chapter on performance in the Oracle Access Manager Deployment Guide and the chapter on parameters in the Oracle Access Manager Customization Guide.

Maximum Elements in Session Token Cache

In earlier releases, the default value for this parameter was 100000. However, in Oracle Access Manager 10g (10.1.4.0.1), the default value has changed to 10000. You can find this parameter by navigating to the Access System Console, Access System Configuration tab, Access Server Configuration function. Look on the Details for Access Server page. For more information, see the Oracle Access Manager Access Administration Guide.

Mixed-Mode Communication

Oracle Access Manager 10g (10.1.4.2.0) provided a manual method that enabled you to use Open mode communication for cache flush requests between the Identity and Access Server while retaining Simple or Cert mode for all other requests. This type of configuration is known as mixed-security mode (or mixed-mode) communication. After configuring mixed security mode manually, you had to follow a specific method to modify an AccessGate or WebGate. Otherwise, WebGate could not contact the Access Server when running the configurewebgate or configureaccessgate tool. Specifically, when you attempted to modify an AccessGate or WebGate, all previous Preferred HTTP Host settings were removed.

Oracle Access Manager 10g (10.1.4.3) provides a streamlined and automated method to implement mixed-mode communication for cache flush requests. This method avoids the additional tasks associated with modifying an AccessGate or WebGate after manually setting up mixed-mode communication.

For more information, see the caching chapter in the Oracle Access Manager Deployment Guide.

Oracle Access Protocol

In 10.1.4, UTF-8 encoding is used for communication between Access System components to accommodate globalization. The Oracle Access Protocol (OAP) was formerly known as the NetPoint Access Protocol (NAP). For information about the Access Server and backward compatibility, see earlier discussions in this table.

OracleAS Web Cache

Oracle Access Manager 10g (10.1.4.3) provides support for integration with OracleAS Web Cache. OracleAS Web Cache is a reverse proxy cache and compression engine that is deployed between the browser and the Oracle Access Manager WebGate Web server. This configuration provides the following Oracle Access Manager functionality:

  • POST Data Restoration: WebGate uses Web Cache to provide POST data restoration after the POST request is interrupted for re-authentication due to timeout.

  • Cookieless Session Support: You can implement a cookie-less user session for Oracle Access Manager Single Sign-on and handle cookies with large data content on electronic devices.

For more information, see the Oracle Access Manager Integration Guide.

Policy Manager

The Oracle Access Manager Policy Manager was formerly known as the Access Manager component. After upgrading all Identity System components, you must upgrade all earlier Policy Managers as described in the Oracle Access Manager Upgrade Guide.

Policy Manager API

The Policy Manager API was formerly known as the Access Management API. In 10g (10.1.4.0.1):

  • In the C language API, the ObAMMasterAuditRule_getEscapeCharacter remains and you may continue using this. However, the audit escape character must be an ASCII character; otherwise the return value is incorrect. In this case, you must modify your C code to use the new API.

  • On Java clients, the ObAMMasterAuditRule_getEscapeCharacter works correctly and you can continue using this even when the audit escape character is not an ASCII character.

  • In the C language API, a new ObAMMasterAuditRule_getUTF8EscapeCharacter has been added, which returns a pointer to the UTF-8 encoded audit escape character.

For more information, see the Oracle Access Manager Developer Guide.

Preferred HTTP Host

This WebGate configuration parameter is now mandatory before WebGate installation and must be configured with an appropriate value whenever a WebGate is added. (From the Access System Console, select Access System Configuration, Add New AccessGate.) This parameter defines how the hostname appears in all HTTP requests as users attempt to access the protected Web server. The hostname within the HTTP request is translated into the value entered into this field (regardless of the way the hostname was defined in an HTTP request from a user). For more information, see the Oracle Access Manager Installation Guide.

10g (10.1.4.2.0): To support virtual hosts you set the Preferred HTTP Host value to HOST_HTTP_HEADER for most Web hosts or SERVER_NAME (Apache only). Additional configuration is required for IIS. See the chapter on configuring Access Servers and AccessGates in the Oracle Access Manager Access Administration Guide for details.

10g (10.1.4.3): In the Policy Manager globalparams.xml file, you can use the PreferredHostValidityCheckEnabled parameter to validate the value in the Preferred HTTP Host field of a WebGate profile. For more information, see the chapter on parameters in the Oracle Access Manager Customization Guide.

New parameters can be added to the Policy Manager globalparams.xml file that help monitor the Preferred HTTP Host field in a WebGate configuration in the Access System Console.

  • AllowEmptyPreferredHost: When the value is true, the Preferred HTTP Host field can be empty in a WebGate configuration profile in the Access System Console.

  • PreferredHostValidityCheckEnabled: When the value is true (or the parameter is not present, which is the default), the value in the Preferred HTTP Host field is validated to catch typographical errors.

For more information, see "Invalid or Missing Preferred HTTP Host Identifier in WebGate Profile" in the Oracle Access Manager Access Administration Guide. For details about each parameter, see the table on globalparams.xml in the chapter on parameters in the Oracle Access Manager Customization Guide.

Shared Secret

The location of the shared secret key remains unchanged from earlier releases. However, in 10g (10.1.4.0.1), cookie encryption/decryption is handled by the Access Server. During an upgrade to 10g (10.1.4.0.1), the earlier encryption scheme is retained. For more information about Access Servers and WebGates, see other items in this table.

If you change the shared secret during a user session, the user does not need to re-authenticate. If a cookie is being decrypted with the old shared secret and the cookie is refreshed, it is encrypted with the new shared secret. For more information, see the Oracle Access Manager Access Administration Guide.

Synchronous Cache Flush Between Multiple Access Servers

Oracle Access Manager 10g (10.1.4.3) provides a new parameter that enables you to specify a wait period for sockets during synchronous cache flush requests for the Access Server and Policy Manager. An indefinite period is the default.

You limit the waiting period by setting a positive integer value for the CacheFlushTimeOut parameter in the globalparams.xml file of the respective component (Access Server or Policy Manager). In this case, a socket waits only for the specified time for I/O completion. If the expected operation is not completed within that time, an error is reported and the request is sent to other Access Servers. With synchronous requests, WebPass and Policy Manager do not hang if one Access Server hangs.

For more information, see "Configuring Synchronous Cache Flush Requests between Multiple Access Servers" in the Oracle Access Manager Deployment Guide, Chapter 5.

Triggering Authentication Actions After the ObSSOCookie Is Set

You can cause authentication actions to be executed after the ObSSOCookie is set. Typically, authentication actions are triggered after authentication has been processed and before the ObSSOCookie is set. However, in a complex environment, the ObSSOCookie may be set before a user is redirected to a page containing a resource. In this case, you can configure an authentication scheme to trigger these events. See also Oracle Access Manager Access Administration Guide.

WebGates

In earlier releases, cookie encryption and decryption was accomplished by WebGates and AccessGates. Today, cookie encryption and decryption is accomplished by the Access Server. WebGates and AccessGates no longer need the shared secret key.

WebGates have been redesigned and the WebGatestatic.lst file has been replaced with options you can configure using the Access System Console, Access System Configuration tab. See the Oracle Access Manager Access Administration Guide for details.

Earlier WebGates can coexist with the latest Access Servers. However, each Access Server must be backward compatible with earlier WebGates. For more information, see details about Access Servers in this table, and the Oracle Access Manager Upgrade Guide.

The code for WebGates has been rewritten so that WebGates and AccessGates share the same code base. For more information, see the Oracle Access Manager Developer Guide.

A WebGate-to-Access Server timeout threshold specifies how long (in seconds) the WebGate waits for the Access Server to respond before it considers the server unreachable and attempts the request on a new connection. If the Access Server takes longer to service a request than the value of the timeout threshold, the WebGate abandons the request and retries it on a new connection. Note that the new connection returned from the connection pool can be to the same Access Server, depending on your connection pool settings. Additionally, other Access Servers may also take longer to process the request than the time allowed by the threshold. In these cases, the WebGate can continue to retry the request until the Access Servers are shut down.

You can now configure a limit on the number of retries that the WebGate performs for a non-responsive server using the client_request_retry_attempts parameter. This is a user-defined parameter in the Access System. The default value for this parameter is -1. Setting the parameter value to -1 (or not setting it at all) allows an infinite number of retries. See the Oracle Access Manager Access Administration Guide for details.
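The following added example (not Oracle's code) is a simplified model of the retry loop described above: a request is abandoned when a server's service time exceeds the timeout threshold, the next connection from the pool may land on the same slow server, and client_request_retry_attempts decides whether the loop is bounded. The round-robin pool, the per-request service-time schedule, and the function names are constructed assumptions, not WebGate internals.

```python
from itertools import cycle


class AccessServer:
    """Constructed server whose service time (seconds) follows a fixed schedule;
    after the schedule is exhausted the last value repeats."""
    def __init__(self, name, service_times):
        self.name = name
        self._times = list(service_times)
        self.requests_seen = 0

    def service_time(self):
        t = self._times[min(self.requests_seen, len(self._times) - 1)]
        self.requests_seen += 1
        return t


def make_pool():
    # Constructed scenario: as1 is slow for two requests and then recovers,
    # as2 stays slow. The pool hands out connections round-robin, so a
    # "new connection" can be to the same server, as the text warns.
    return [AccessServer("as1", [30, 30, 2]), AccessServer("as2", [30])]


def send_request(pool, timeout_threshold, retry_attempts=-1):
    """Return (server_name, attempts) for the first server that answers within
    timeout_threshold seconds, or (None, attempts) once the retry budget is spent.

    retry_attempts = -1 (the default, also used when unset) retries without
    limit; a non-negative value caps retries after the initial attempt.
    """
    connections = cycle(pool)
    attempts = 0
    while True:
        server = next(connections)
        attempts += 1
        if server.service_time() <= timeout_threshold:
            return server.name, attempts
        # Timed out: abandon the request. Retry only while budget remains.
        retries_done = attempts - 1
        if retry_attempts != -1 and retries_done >= retry_attempts:
            return None, attempts
```

With the constructed pool and a 5 s threshold, the unbounded default keeps retrying until as1 recovers on the fifth attempt, while a cap of 3 retries gives up after four attempts instead of waiting on slow servers indefinitely.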

Several new user-defined parameters have been added for use in 10g (10.1.4.3) WebGate configuration profiles.

  • ContentLengthFor401Response

  • idleSessionTimeoutLogic

  • ProxySSLHeaderVar

  • RetainDownstreamPostData

  • SUN61HttpProtocolVersion

For more information, see the chapter on configuring Access Servers and WebGates in the Oracle Access Manager Access Administration Guide.