What’s New in This Release

This release includes the following new features:

• Java ES Monitoring Framework Integration

• Web Service Security

• Single Access Manager WAR file deployment

• Enhancements to Core Services

• Deprecation Notification and Announcement

Java ES Monitoring Framework Integration

Access Manager 7.1 integrates with the Java Enterprise System monitoring framework through Java Management Extensions (JMX). JMX technology provides the tools for building distributed, Web-based, modular, and dynamic solutions for managing and monitoring devices, applications, and service-driven networks. Typical uses of the JMX technology include: consulting and changing application configuration, accumulating statistics about application behavior, notification of state changes and erroneous behaviors. Data is delivered to centralized monitoring console.

Access Manager 7.1 uses the Java ES Monitoring Framework to capture statistics and service-related data such as the following:

• Number of attempted, successful, and failed authentications

• Policy caching statistics

• Policy evaluation transaction times

Web Service Security

Access Manager 7.1 extends authentication capabilities to web services in the following ways:

• Inserts tokens to outgoing messages

• Evaluates incoming messages for security tokens

• Enables point-and-click selection of Authentication providers for new applications

Single Access Manager WAR file deployment

Access Manager includes a single WAR file you can use to deploy Access Manager services consistently to any supported container on any supported platform. The Access Manager WAR file can coexist with the Java Enterprise System installer, which deploys multiple JAR, XML, JSP, HTML, GIF, and various properties files.

For more information about staging, configuring, and deploying the Access Manager WAR file, see the Sun Java System Access Manager 7.1 Postinstallation Guide.

Enhancements to Core Services

Web Containers supported

• Sun Java System Web Server 7.0

• Sun Java System Application Server 8.2

• BEA WL 8.1 SP4

• IBM WebSphere 5.1.1.6

Monitoring Framework Integration

Access Manager can use the Java Enterprise System Monitoring Framework to monitor the following:

1. Authentication

   • Number of authentications attempted

   • Number of remote authentications attempted (optional)

   • Number of successful authentications

   • Number of failed authentications

   • Number of successful logout operations

   • Number of failed logout operations

   • Transaction time for each module if possible (running and waiting states)

2. Sessions

   • Size of the session table (hence maximum number of sessions)

   • Number of active sessions (incremental counter)

3. Profile Service

   • Maximum cache size

   • Transaction time for operations (running and waiting)

4. Policy

   • Policy evaluation in and out requests

   • Policy connection pool statistics for the subject's plug-in's LDAP server

Authentication module

• Distributed Authentication service not required to stick to one server for load-balanced deployments

• Authentication service and server not required to stick to one server for load-balanced deployments

• Composite advices support among Authentication service, Policy Agents, and Policy service. Includes AuthenticateToRealm condition, AuthenticateToService condition, and realm qualification to all conditions.

• Advising organization (realm qualified Authentication conditions)

• Authentication configurations / authentication chains (AuthServiceCondition)

• Module-based authentication can now be disallowed if Authentication chaining is enforced

• Distributed Authentication service supports Certificate authentication module

• Added CertAuth to Distributed Authentication UI to make it a full featured credential extractor presentation

• New Datastore authentication module as an out-of-box module which authenticates against the configured datastore for a given realm

• Account lockout configuration now persistent across multiple AM server instances

• Chaining of post-processing SPI classes

Policy module

• A new policy condition AuthenticateToServiceCondition added, to enforce the user is authenticated to specifc authentication service chain.

• A new policy condition AuthenticateToRealmCondition added, to enforce the user is authenticated to a specific realm.

• A new policy condition LDAPFilterCondition is added, to enforce the user matches the specified ldap filter.

• Support for one level wild card compare to facilitate protecting the contents of the directory without protecting sub-directory.

• Policies can be created in subrealms without explicit referral policies from parent realm if organization alias referral is enabled in global policy configuration.

• AuthLevelCondition can specify the realm name in addition to authentication level.

• AuthSchemeCondition can specify the realm name in addition to authentication module name .

Service Management module

• Support for storing Service Management/Policy configuration in Active Directory

Access Manager SDK

• Support APIs for authenticating users to a default Identity Repository framework database

Web Services support

• Liberty ID-WSF SOAP provider: Authentication provider that encapsulates the Liberty ID-WSF SOAP binding as implemented by Access Manager. This consists of a client and service provider.

• HTTP layer SSO provider: HttpServlet layer authentication provider that encapsulates server-side Access Manager-based SSO

Installation module

• Repackaging Access Manager as J2EE Application resulting in a single WAR file to become web deployable

• Support for 64-bit SJS Web Server 7.0 - to support the 64-bit JVM

Delegation module

• Support for grouping of delegation privileges

Upgrade

• Supports upgrade to Access Manager 7.1 from the following versions: Access Manager 7.0 2005Q4, Access Manager 6.3 2005Q1, and Identity Server 6.2 2004Q2.

Logging

• Support for delegation in logging module - controlling which Identities are authorized to write to or read from the log files.

• Support JCE Based SecureLogHelper - making it possible to use JCE (in addition to JSS) as a security provider for Secure Logging implementation

Deprecation Notification and Announcement

Sun Java(TM) System Access Manager 7.1 identity management APIs and XML templates enable system administrators to create, delete, and manage identity entries in Sun Java System Directory Server. Access Manager also provides APIs for identity management. Developers use the public interfaces and classes defined in the com.iplanet.am.sdk package to integrate management functions into external applications or services to be managed by Access Manager. Access Manager APIs provide the means to create or delete identity-related objects as well as to get, modify, add, or delete the objects' attributes from Directory Server.

The Access Manager com.iplanet.am.sdk package, commonly known as AMSDK, will not be included in a future Access Manager release. This includes all related APIs and XML templates. No migration options are available now, and no migration options are expected to be available in the future. The user provisioning solutions provided by Sun Java System Identity Manager are compatible replacements that you can start to use now. For more information about Sun Java System Identity Manager, see http://www.oracle.com/us/products/middleware/identity-management/oracle-identity-manager/index.html.