| Skip Navigation Links | |
| Exit Print View | |
|
Sun Java System Access Manager Policy Agent 2.2 Release Notes |
Sun Java System Access Manager Policy Agent 2.2 Release Notes
About Access Manager Policy Agent 2.2
What's New About Web Agents in This Release
Support for Fetching User Session Attributes
Policy-Based Response Attributes
Additional Method for Fetching the REMOTE_USER Server Variable
Malicious Header Attributes Automatically Cleared by Agents
Support for Heterogeneous Agent Types on the Same Machine
Support for Turning Off FQDN Mapping
Web Agents and Backward Compatibility With Access Manager 6.3
What's New About J2EE Agents in This Release
Removal of Dependencies on LDAP and on Administrative Accounts
Coexistence With Access Manager
Support for Client Identification Based on Custom HTTP Headers
Agent Specific Application for Housekeeping Tasks
Support for Flexible User Mapping Mechanisms
Support for Fetching User Session Attributes (J2EE Agents)
Support for Not-Enforced IP Lists
Support for Custom Response Headers
Support for Application Logout Integration
Support for Application Specific Agent Filter Operation Modes
Support for Affinity-Based Login URL Selection
Support for a Sample Application
J2EE Agents and Backward Compatibility With Access Manager 6.3
Policy Agent 2.2-05 Update Release
Web Agents in the Policy Agent 2.2-05 Update Release
Key Fixes and Enhancements in the Policy Agent 2.2-05 Update Release
Web agent behind load balancer now evaluates request against not-enforced client IP list (6915959)
Wildcard (*) support is added for not-enforced client IP list (6903850)
Web agents can map LDAP attributes to more than one HTTP header (6937504)
NSS libraries are upgraded to version 3.12.3 (6870161)
New properties for POST data preservation (6891373)
Known Issues in the Policy Agent 2.2-05 Update Release
In cookie hijacking mode, logout request hangs (6894077)
Policy Agent 2.2-04 Update Release
Web Agents in the Policy Agent 2.2-04 Update Release
Key Fixes and Enhancements in the Policy Agent 2.2-04 Update Release
Web agents have changes in the path info related properties (6854806)
NSS and NSPR libraries are bundled with web agents on Solaris and Linux systems (6794995)
Policy Agent 2.2-03 Update Release
Java EE Agents in the Policy Agent 2.2-03 Update Release
Patch IDs for Java EE Agents in the Policy Agent 2.2-03 Update Release
Web Agents in the Policy Agent 2.2-03 Update Release
Patch IDs for Web Agents in the Policy Agent 2.2-03 Update Release
Web Agents: Key Fixes and Enhancements in the Policy Agent 2.2-03 Update
IIS 6.0 agent supports POST data preservation (6735280)
Web Proxy Server 4.0 agent can send GET request without header (6787007)
Web agents libxml2.so library is upgraded (6817868)
Not-enforced POST requests can be accessed in CDSSO mode (6789020)
Web agent can handle new Access Manager 7.1 policy advices (6785022)
IIS 6.0 agent supports agent URL override functionality (6829880)
Web Agents: Known Issues in the Policy Agent 2.2-03 Update Release
Agent for Apache HTTP Server 2.0.x on IBM AIX 5.3 requires bos.rte.libc fileset upgrade
NSPR libraries need to be upgraded to version 4.7.0
Version 2.2-02 agent for Apache HTTP Server 2.2.3 fails to start on Linux 5.0
Policy Agent 2.2-02 Update Release
Policy Agent 2.2-02 Update For Web Agents
New Certifications and Support Added in 2.2-02 Web Agents
Large File Support For Apache 2.0 Agent
New Platform Support for 2.2-02 Web Agents
Policy Agent 2.2-02 Update For J2EE Agents
New Platform Support for 2.2-02 J2EE Agents
Key Fixes and Enhancements in the Policy Agent 2.2-02 Update
J2EE policy agent fails to log when the log action is LOG_DENY (6729386)
Performance issue resolved for policy agent (6768406)
For web agents, sunwMethod parameter is removed from the URL in CDSSO mode (6725383)
Composite advice can be included in the query instead of through a POST request (6676032)
Apache 2.0 agent supports additional HTTP methods for a Subversion repository (6647805)
For web agents, support is added to adjust the policy clock skew (6608463)
Policy Agent 2.2-01 Update Release
Policy Agent 2.2-01 Web Agents
Determining the Version of a Policy Agent 2.2 Web Agent
Key Fixes and Enhancements in Policy Agent 2.2-01 Web Agents
Request for specific session attributes to be populated in HTTP headers (6409146)
Web agents in the Policy Agent 2.2 release fail with Access Manager 6.3 (6490037)
Disabling Internet Explorer pop up when protocol changes from HTTP to HTTPS (6532260)
Program Database (.pdb) files should be part of agent binaries to help in debugging issues (6581272)
Other Additions to Policy Agent 2.2-01 Web Agents
The Key New Properties Added for Policy Agent 2.2-01 Web Agents
Property Added: com.sun.am.tcp_nodelay.enable
Property Added: com.sun.am.cookie.secure
Property Made Available: com.sun.am.replaypasswd.key
Property Added: com.sun.am.policy.agents.config.encode_url_special_chars.enable
Property Made Available: com.sun.am.policy.agents.config.no_child_thread_activation_delay
Properties Made Available for Microsoft Office SharePoint and Outlook Web Access
Access Manager and Policy Agent 2.2-01 Web Agents: Allowing Requests Using Non-Standard HTTP Methods
Supported HTTP Methods of Web Agents in Policy Agent 2.2-01
Policy Agent 2.2-01 Web Agents: Newly Supported HTTP Methods
Policy Agent 2.2-01 Web Agents: Support for INVALID Methods
Policy Agent 2.2-01 J2EE Agents
Determining the Version of a Policy Agent 2.2 J2EE Agent
Key Fixes and Enhancements in Policy Agent 2.2-01 J2EE Agents
The Key New Properties Added for Policy Agent 2.2-01 J2EE Agents
Property Made Available: com.sun.identity.enableUniqueSSOTokenCookie
Policy Agent 2.2: Problem Accessing Identities With IBM WebSphere Administration Console
Policy Agent 2.2-01: Overview of Fix for IBM WebSphere Administration Console Access Problem
Supported Servers in Policy Agent 2.2
Understanding Server and Operating System Support for Policy Agent 2.2
Web Agents and Minor Version Support of Servers and Operating Systems
J2EE Agents and Minor Version Support of Servers and Operating Systems
Supported Servers for Web Agents in Policy Agent 2.2
Supported Servers for J2EE Agents in Policy Agent 2.2
Compatibility With Access Manager and OpenSSO Enterprise
Installation Notes for Web Agents in Policy Agent 2.2
Uninstallation Script for Web Agents in Policy Agent 2.2
Installation Notes for J2EE Agents in Policy Agent 2.2
Using the agentadmin Program with J2EE Agents
Deploying the Agent Application
Combining a J2EE Agent With Access Manager (Conditional)
All Agents in Policy Agent 2.2
Individual Policy Agent 2.2 Guides Do Not Describe Precautions Against Cookie Hijacking
Web Agents in Policy Agent 2.2
All Web Agents in Policy Agent 2.2
On UNIX-based machines, all web agents require that the X11 DISPLAY variable be set properly.
A harmless error message appears in the web agent log files (6334519)
Web agent log entries are written to the wrong files (6301676)
Web Servers often cannot interpret hyphens used in header names
Error message issued during installation of Policy Agent 2.2 on Linux systems
Policy Agent 2.2 for Microsoft Internet Information Services 6.0 (Microsoft IIS 6.0)
When a specific environment variable is not properly set, the system might fail (6433790)
J2EE Agents in Policy Agent 2.2
All J2EE Agents in Policy Agent 2.2
A harmless error message appears in the J2EE agent log files (6301668)
Resources accessed with Internet Explorer 6.0 SP1 can result in 404 Not Found Error (6362249)
Harmless error messages related to JAX-RPC appear in the J2EE agent debug files (6325238)
Exceptions thrown when Access Manager uses polling with a J2EE agent (6452320)
J2EE agent installation prompts do not allow responses with leading or trailing spaces (6452708)
The first use of a resource protected by a declarative constraint results in a misdirect
Policy Agent 2.2 for Sun Java System Application Server 8.1
Policy Agent 2.2 for Apache Tomcat 5.5 Servlet/JSP Container
Policy Agent 2.2 for IBM WebSphere Application Server
The agentadmin --install command fails on Agent for IBM WebSphere Application Server (6385085)
Settings for CLASPATH variable are lost after agentadmin command is issued (6653936)
Policy Agent 2.2 for Oracle Application Server 10g
The sample application requires editing to work properly (6486895)
Policy Agent 2.2 documentation should reference OpenSSO (6857941)
Deprecation Notifications and Announcements
The known issues concerning Policy Agent 2.2 are separated into subsections as follows:
The following known issue exists that affects all agents (both J2EE agents and web agents) in the Policy Agent 2.2 software set.
Precautions you can take against cookie hijacking in an Access Manager deployment are documented in a separate technical note. Though such a deployment includes the configuration of agents from the Policy Agent 2.2 software set, the information is not currently documented in individual agent guides. The following technical note covers this issue: Technical Note: Precautions Against Cookie Hijacking in an Access Manager Deployment.
Important known issues concerning web agents are separated in this document into the following categories:
The following known issues exist that affect all web agents in Policy Agent 2.2.
To set the X11 DISPLAY variable properly, set the variable to a valid X server before installing or uninstalling the web agent. This condition applies even when the install or uninstall command is performed from the command line using the -nodisplay argument.
An error message appears when many concurrent users access the web agent. The error message is as follows: LogService::process() logRecWrite SAXParseException. This exception occurs in the Access Manager log in the following directory: /var/opt/SUNWam/debug. This problem is due to a bug in the multi-threaded logging mechanism of the web agent. However, no known effect to the web agent or the respective Access Manager instance occurs with this error message.
Workaround: You can ignore this message.
When a large number of logging entries are recorded, log rotation fails and the log entries are redirected from the web agent log files to the error log files of the web container. These redirected log entries get written as stderr. The log files then accumulate on the web container without being automatically deleted.
Workaround: During production, do not use fine-grained logging levels, such as levels 4 or 5. These logging levels are only appropriate for short periods of time, such as for debugging.
For example, Agent for Sun Java System Web Server 6.1 does not support the 64-bit release of Sun Java System Web Server 6.1.
Workaround:Except when using Agent for Apache HTTP Server 2.0.54, do not use a web agent with a 64-bit version of the supported web container.
When you set the following property in the web agent AMAgent.properties configuration file, be aware of the web server behavior that typically applies:
com.sun.am.policy.agents.config.profile.attribute.map
Most web servers demonstrate the following behavior:
Prefix the header name by HTTP_.
Replace all lower case letters with upper case letters.
Replace all hyphens with underscores.
Therefore, use underscores “_” rather than hyphens “-” in the header name mapped to the LDAP attribute name to avoid problems. For example, the following property setting could be problematic:
com.sun.am.policy.agents.config.profile.attribute.map = cn|common-name
Web servers search for the header HTTP_COMMON_NAME, and would not find HTTP_COMMON-NAME.
Note - You can use the following property to customize the “HTTP_” prefix:
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix
The following example demonstrates how this property can be set:
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = EXAMPLE_
When the Linux operating system is installed, specific components can be selected. Occasionally the specific components of the operating system selected lack the libraries necessary for Policy Agent 2.2 to function. When the complete Linux operating system is installed, all the required libraries are available. The libraries that are required for the agent to function are as follows: NSPR, NSS, and libxml2.
Workaround: If the Linux operating system you are using is not complete, install the latest versions of these libraries as described in the steps that follow:
At the time this note was added, the latest version of the NSPR library packages was NSPR 4.6.x , while the latest version of the NSS library package was NSS 3.11.x.
To Install Missing Libraries for Policy Agent 2.2 on Linux Systems
Install the NSS, and libxml2 libraries. These libraries are usually available as part of Linux installation media. NSPR and NSS are available as part of Mozilla binaries/development packages. You can also check the following sites:
Since the com.sun.am.ignore.naming_service property is not documented in the individual web agent guides, it is explained in this release note.
Starting with Access Manager 7.0, if a load balancer is deployed in front of an Access Manager host, by default the naming response (for all services) uses the protocol, host, and port number of the load balancer.
However, for Access Manager 6.3, the naming response by default uses the protocol, host and port number of the individual Access Manager Server instances. The web agents must then replace the protocol, host, and port number of the individual Access Manager Server instances with the protocol, host, and port number of the of the load balancer. In this scenario, for Policy Agent 2.2, configure the web agent to use the correct server information by setting the com.sun.am.ignore.naming_service property as shown in the workaround that follows.
Workaround: Add the following property to the web agent AMAgent.properties configuration file and set the value to true as indicated:
com.sun.am.ignore.naming_service = true
While the com.sun.am.ignore.naming_service property is not visible in the web agent AMAgent.properties configuration file, it exists in the web agent and is by default set to false. Therefore, you must add both the property and the value.
The value for this property is the number of milliseconds the agent waits to receive responses from Access Manager. Once the amount of time that has passed matches the value set for this property, any incomplete transactions are dropped and an error is issued indicating that one of the connections has failed.
The default value is 0. When set to 0, the socket remains open indefinitely. In most cases, the value should remain at 0.
Workaround: Not applicable.
The following known problem exists that affects Agent for Microsoft IIS 6.0.
This problem involves the following global environment variable:
NSPR_NATIVE_THREADS_ONLY
Workaround: Before you install this agent, set this environment variable as shown:
NSPR_NATIVE_THREADS_ONLY = 1
Important known issues concerning J2EE agents are separated in this document into the following categories:
The following known issues exist that affect all J2EE agents in Policy Agent 2.2.
This error message, which appears in certain situations, is as follows: ERROR: RemoteHandler.getLogHostURL(): 'null' is malformed. null.
Workaround: You can ignore this message.
The error message displayed in this situation is as follows:
*** ERROR: Another instance of agentadmin is already running. Please stop that instance and try again.
This message appears when the first installation operation is aborted with the CTRL-z keystroke combination. This keystroke combination suspends the process, but does not actually stop the process. If other methods are used to abort the operation, such as the CTRL-c keystroke combination, this problem does not occur.
Workaround: When this problem is encountered, close the terminal window and open a new terminal window.
This problem occurs when the following conditions apply:
The J2EE Agent and Access Manager are on the same machine.
The agent is running in J2EE_POLICY mode.
The application being accessed is protected by form-based declarative security.
This specific configuration results in an error message primarily because of a bug in Internet Explorer 6.0 SP1, which cannot properly handle redirection when the HTTP request contains a port number. More specifically, this browser does not update the host header to reflect the new port number when you redirect HTTP requests that contain a port number.
Workaround: If the browser used to access content protected by a J2EE agent is Internet Explorer, at a minimum, the version must be Internet Explorer 6.0 SP2.
In the J2EE agent debug files, you might see exceptions related to Java API for XML-based remote procedure calls (JAX-RPC). Such messages are not an indication of any known problem.
Workaround: You can safely ignore these error messages.
Errors can occur when you perform both of the following:
Deploy amclientsdk.jar file on a client machine, such as when deploying a J2EE agent.
Enable polling in Access Manager.
The errors that appear are similar to the following:
ERROR: Send Polling Error: com.iplanet.am.util.ThreadPoolException: amSessionPoller thread pool's task queue is full.
Workaround: This workaround is specific to J2EE agents. If you deployed Access Manager Client SDK in another manner, such as by deploying the Distributed Authentication UI, the two properties mentioned subsequently would be added to the Access Manager AMConfig.properties configuration file instead of to the J2EE agent AMAgents.properties configuration file.
If you have only a few hundred concurrent sessions, you can create the following properties in the J2EE agent AMAgents.properties configuration file by adding the two following lines to the bottom of the file:
com.sun.identity.session.polling.threadpool.size=10 com.sun.identity.session.polling.threadpool.threshold=10000
For thousands or tens of thousands of sessions, the values should be set the same as those for notification in the Access Manager AMConfig.properties file after running amtune-identity.
For example, for a machine with 4GB of RAM, the Access Manager amtune-identity will set the following:
com.sun.identity.session.notification.threadpool.size=28 com.sun.identity.session.notification.threadpool.threshold=76288
You can set similar values in the J2EE agent AMAgents.properties configuration file when the machine for the J2EE agent has 4GB of RAM:
com.sun.identity.session.polling.threadpool.size=28 com.sun.identity.session.polling.threadpool.threshold=76288
Currently, no information is provided in Policy Agent 2.2 documentation for J2EE agents regarding this issue. Therefore, the required task for this scenario is presented at this time in this document.
If you install a J2EE agent instance on the same deployment container (such as an application server) as an Access Manager SDK instance, you must edit a property in the AMConfig.properties file of the Access Manager SDK instance.
This task is necessary to ensure proper evaluation of policies. The configuration task described in this section applies to J2EE agents, not web agents, in the Policy Agent 2.2 software set. Therefore, no additional configuration steps are required when an Access Manager SDK instance and a web agent instance are installed on the same deployment container (such as a web server).
Note - The configuration task described in this section applies to situations where Access Manager SDK was installed as a separate component using the Sun Java Enterprise System installer. The configuration task described in this section is not required for the following versions of the SDK:
The client SDK
Access Manager SDK bundled with Access Manager
This task is performed on the deployment container on which the Access Manager SDK is installed. This same deployment container is protected by the J2EE agent.
com.sun.identity.agents.config.location = PolicyAgent-base/AgentInstance-Dir/config/AMAgent.properties
The installer for J2EE agents does not ignore leading and trailing spaces when you provide answers to prompts. This situation can cause a variety of problems. For example, if you include a leading or trailing space when pointing to a resource, the resource would not be recognized and an error message such as the following would be issued:
ERROR: Invalid Server Instance directory.
The preceding error message is one example. Any one of several messages could be issued depending upon the specific scenario.
Workaround: None. However, be aware of the situation and be sure not to include leading or trailing spaces when providing responses to installation prompts.
An agent instance directory, for example agent_001, is created early in a J2EE agent installation. If that installation is unsuccessful, then the actual agent “agent_001” is not created, but the directory agent_001 might have been created. If the agent instance directory was created, the installer does not remove it in cases where the installation fails. In such a scenario, a subsequent installation attempt of a J2EE agent would fail unless the directory agent_001 is manually removed first.
In this scenario, the installer does not detect the previously unsuccessful installation of agent_001. and, therefore, attempts to create it. At first, the installer only searches for the agent instance, not the agent instance directory. As the installation begins, the installer attempts to create the agent_001 directory, but at that point the installer finds that this directory already exists. The installer then aborts the installation. In such a scenario, an error message such as the following is issued:
ERROR: Installation failed due to the following error - (Failed to create directory /export/j2ee_agents/am_websphere_agent/agent_001.)
Workaround: Manually remove the agent instance directory of the unsuccessful agent installation before attempting to install the agent again.
At this time, this behavior affects all J2EE agents except for the various agents for BEA WebLogic and Apache Tomcat.
This situation occurs prior to the user being authenticated by Access Manager and only when web-tier declarative security is set for the specific resource the user is attempting to access. Under these circumstances, when the user attempts to access the resource, she (after authentication) is directed to the welcome page of the application instead of to the exact location requested.
While the user might not expect to be directed to the welcome page, the result does not constitute an access problem. From the welcome page, the user can still access the desired resource based on the policies defined.
Workaround: This behavior is expected. No workaround exists.
When you issue the agentadmin --getUuid command to retrieve the universal ID of the amadmin user, you might see an error message such as the following:
agentadmin --getUuid amadmin user example Failed to create debug directory Failed to create debug directory Failed to create debug directory Failed to create debug directory Failed to create debug directory 10/25/2006 02:22:39:834 PM PDT: Thread[main,5,main] DataLayer: number of retry = 3
The problem occurs under these conditions:
Install one of the following agents:
Agent for IBM WebSphere Application Server 5.1.1
Agent for IBM WebSphere Application Server 6.0
Agent for BEA WebLogic Server/Portal 8.1 SP4
Agent for BEA WebLogic Server 9.0/9.1
Agent for BEA WebLogic Server/Portal 10
Agent for Sun Java System Application Server 8.1
Agent for Sun Java System Application Server 9.0/9.1
Configure the agent with Access Manager 7 in realm mode.
Workaround: None at this time.
The following known problems exist that affect Agent for Sun Java System Application Server 8.1.
The exception message displayed in this situation is as follows: javax.cryptoBadPaddingException.
Workaround: None at this time.
The following known problems exist that affect Agent for Apache Tomcat 5.5 Servlet/JSP Container. This agent also supports Agent for Apache Tomcat 5.0.28 Servlet/JSP Container.
The Apache Tomcat Servlet/JSP Container bits with the .exe extension do not contain the Catalina scripts required to plug in the agent realm and filter. Therefore, Apache Tomcat Servlet/JSP Container bits with the .exe extension are not supported by the agent.
Workaround: When installing Apache Tomcat Servlet/JSP Container bits use the .zip extension. For example, for version 5.5.9, the correct compressed file supported by the agent is as follows:
jakarta-tomcat-5.5.9.zip
Compressed files for Apache Tomcat Servlet/JSP Container are available at the Apache web site. For example, you can attempt to retrieve the compressed file specifically for version 5.5.9 using the following link: http://archive.apache.org/dist/tomcat/tomcat-5/archive/v5.5.9/bin/jakarta-tomcat-5.5.9.zip.
This is a classpath issue. After installing Agent for Apache Tomcat 5.5 Servlet/JSP Container on Apache Tomcat 5.5.23, the Apache server does not start. The server log might show an error that includes the following line:
java.lang.NoClassDefFoundError: org/apache/commons/modeler/BaseModelMBean
This error occurs because a jar file that was named commons-modeler.jar prior to Apache Tomcat 5.5.23 Servlet/JSP Container changed names to commons-modeler-2.0.jar in Apache Tomcat 5.5.23 Servlet/JSP Container.
Workaround: After installing Agent for Apache Tomcat 5.5 Servlet/JSP Container on Apache Tomcat 5.5.23, follow these steps:
Open the following platform specific file:
Tomcat-base/bin/setAgentclasspath.sh
Tomcat-base\bin\setAgentclasspath.bat
Change the name of commons-modeler.jar file to commons-modeler-2.0.jar.
Save the file.
Restart Apache Tomcat 5.5 Servlet/JSP Container.
The following known problems exist that can affect the following agents: Agent for IBM WebSphere Application Server 5.1.1, Agent for IBM WebSphere Application Server 6.0, Agent for IBM WebSphere Application Server 6.1.
This issue applies to both Agent for IBM WebSphere Application Server 5.1.1 and Agent for IBM WebSphere Application Server 6.0.
The --install option of the agentadmin command can fail because of an issue with the IBM Java Development Kit (JDK). The IBM JDK comes with IBM WebSphere Application Server.
To run the --install option, the agentadmin script searches for a JDK with a Sun Microsystems JCE provider. However, the IBM JDK does not come with this JCE provider.
Therefore, to allow the agent installer to work with the IBM JDK, implement the steps described in the following workaround.
Workaround: The following task involving the editing of the agentadmin file makes available a JCE implementation that allows the agent installer to function properly.
PolicyAgent-base/bin
This file is either the agentadmin script or, for Windows systems, the agentadmin.bat file.
This line starts with the following string: $JAVA_VM -classpath ...
-DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE
For example, after editing the final line of the script, it appears as follows:
$JAVA_VM -DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE -classpath $AGENT_CLASSPATH com.sun.identity.agents.tools.launch.AgentAdminLauncher $*
This issue applies to both Agent for IBM WebSphere Application Server 5.1.1 and Agent for IBM WebSphere Application Server 6.0.
An exception message appears in the debug logs for the message mode. The exception message states that the DirectoryManager class cannot be found. The message is issued by the software development kit (SDK) as it searches for an indication of the mode in which it is running: remote or server.
Workaround: You can safely ignore this message.
The problem occurs when spaces are used in the common name (cn) in specific scenarios. The following conditions can cause the problem:
When either of the following agents are used:
Agent for IBM WebSphere Application Server 5.1.1
Agent for IBM WebSphere Application Server 6.0
When either of the following agentadmin options are used:
agentadmin --setGroup
agentadmin --removeGroup
When Access Manager 6.3 is used, since the problem occurs when the group name includes cn, which is specific to Access Manager 6.3.
The following agentadmin command illustrates the problem. Notice that the cn contains spaces: was admin role. The spaces before and after the string admin are not allowed:
/agentadmin --setGroup administrator "cn=was admin role,dc=example,dc=com" /opt/WebSphere/AppServer/config/cells/
Workaround: Use a text editor of your choice to directly map the groups in the admin-authz.xml file.
This issue applies to both Agent for IBM WebSphere Application Server 5.1.1 and Agent for IBM WebSphere Application Server 6.0.
The sample application issues a message that erroneously states that you must be logged in with the role “employee” in order to be granted access.
The following specific conditions apply:
Install and configure Agent for IBM WebSphere Application Server
Deploy the sample application.
Invoke the declarative J2EE security test sample.
At this point, a message appears saying that access to this servlet requires you to belong to the “employee” role.
Log in with the role “employee.”
Access is denied.
Log in with the role “manager.”
Access is allowed.
Workaround: None. However, be aware of the situation and be sure to log in as a user who belongs to the “manager” role.
This issue applies to both Agent for IBM WebSphere Application Server 5.1.1 and Agent for IBM WebSphere Application Server 6.0.
If two instances of Agent for IBM WebSphere Application Server are required on the same host, you cannot use the same agent bits to install each instance.
Workaround: Download a second set of bits to install the second instance of Agent for IBM WebSphere Application Server.
This issue applies to both Agent for IBM WebSphere Application Server 5.1.1 and Agent for IBM WebSphere Application Server 6.0.
Be aware that this issue only occurs on Windows systems. During the installation of the agent, you are prompted for the encryption key, as such:
Enter a valid Encryption Key. [ ? : Help, < : Back, ! : Exit ] Enter the Encryption Key []:
Usually, a default encryption key is provided in the prompt. However, depending upon the configuration of the IBM WebSphere Application Server instance, the IBM Java Virtual Machine (JVM) might return an empty encryption key. In such a case, the agent installer presents the prompt without a default encryption key included, as illustrated by the preceding example prompt.
Workaround: Manually enter a random value in response to this prompt.
This behavior has been observed with Agent for IBM WebSphere Application Server 6.0. Though rare, CLASPATH variable settings can be cleared after the agentadmin command is executed.
Workaround: Manually add the following entries to the CLASPATH variable of the IBM WebSphere Application Server 6.0 instance (where agent_001 is an example of the agent instance. It might be another instance, such as a agent_002or agent_003):
PolicyAgent-base/agent_00x/config
PolicyAgent-base/locale
The following known problem exists that affects Agent for Oracle Application Server 10g.
The sample application of Agent for Oracle Application Server 10g requires minor editing of XML files to work properly. The following task explains the editing required.
<pathelement location="${appserv.lib.dir}/ebj.jar"/>
<pathelement location="${appserv.lib.dir}/ejb.jar"/>
<pathelement location="${appserv.lib.dir}/servlet.jar"/>
<pathelement location="${appserv.lib.dir}/ejb.jar"/>"location="./jazn-data.xml"
The following shows how the element appears before and after you have added the required attribute:
<jazn provider="XML">
<jazn provider="XML" "location="./jazn-data.xml">
<?xml version="1.0" encoding="UTF-8" standalone='yes'?>
<!DOCTYPE jazn-data PUBLIC "JAZN-XML Data"
"http://xmlns.oracle.com/ias/dtds/jazn-data.dtd">
<jazn-data>
<!-- JAZN Realm Data -->
<jazn-realm>
<realm>
<name>jazn.com</name>
<users>
</users>
<roles>
</roles>
</realm>
</jazn-realm>
<!-- JAZN Policy Data -->
<jazn-policy>
</jazn-policy>
<!-- Permission Class Data -->
<jazn-permission-classes>
</jazn-permission-classes>
<!-- Principal Class Data -->
<jazn-principal-classes>
</jazn-principal-classes>
<!-- Login Module Data -->
<jazn-loginconfig>
</jazn-loginconfig>
</jazn-data>After you have performed the preceding steps, rebuild the sample application as described in the sample application readme.txt file, which is in the following location:
PolicyAgent-base/sampleapp/readme.txt
|