Policy Agent 2.2–03 Update Release

The Policy Agent 2.2–03 update release includes fixes and enhancements for web agents and Java EE agents (formerly called J2EE agents). Consider updating to a version 2.2-03 web agent if you have not updated an agent with any of the hot patches since the Policy Agent 2.2–02 update, or if you need any of the fixes or enhancements in the 2.2-03 update.

• Java EE Agents in the Policy Agent 2.2-03 Update Release

• Web Agents in the Policy Agent 2.2-03 Update Release

Java EE Agents in the Policy Agent 2.2–03 Update Release

The Java EE agents in the Policy Agent 2.2–03 update release are available as patches on My Oracle Support: https://support.oracle.com/. For a list of the problems fixed by each patch, check the README file included with the respective patch.

Patch IDs for Java EE Agents in the Policy Agent 2.2–03 Update Release

These patches are full installations. To install a version 2.2–03 agent, you must first uninstall your existing agent and then reinstall the new 2.2–03 agent.

Table 3 Patch IDs for Java EE Agents in the Policy Agent 2.2–03 Update Release

Web Agents in the Policy Agent 2.2–03 Update Release

• Patch IDs for Web Agents in the Policy Agent 2.2-03 Update Release

• Web Agents: Key Fixes and Enhancements in the Policy Agent 2.2-03 Update

• Web Agents: Known Issues in the Policy Agent 2.2-03 Update Release

Patch IDs for Web Agents in the Policy Agent 2.2–03 Update Release

The web agents in the Policy Agent 2.2–03 update release are available as patches on My Oracle Support: https://support.oracle.com/.

Table 4 Patch IDs for Web Agents in the Policy Agent 2.2–03 Update Release

To Download and Install a Version 2.2–03 Web Agent

1. Create a directory to download the patch. For example: v2.2-03_patch

2. In the directory from Step 1, download the patch for the agent you want to install from My Oracle Support: https://support.oracle.com/. For example, for the Apache HTTP Server 2.2.x agent, download 141244-01.zip.

3. In the download directory, unzip the patch.

   Each patch contains a README file and a separate ZIP file for each supported platform. The README file contains information about the patch, including a list of the bugs fixed in the patch (and bugs fixed in earlier releases).

   For example, files for the Apache HTTP Server 2.2.x agent are:

   • README.141244-01

   • Solaris SPARC 64-bit systems: apache_v22_solaris_sparc64_agent.zip

   • Solaris SPARC 32-bit systems: apache_v22_SunOS_agent.zip

   • Linux 32-bit systems: apache_v22_Linux_agent.zip

   • Linux 64-bit systems: apache_v22_linux64_agent.zip

   • Solaris x86 systems: apache_v22_SunOS_x86_agent.zip

   • Windows: apache_v22_WINNT_agent.zip

4. Unzip the file for your specific platform. For example, for Solaris SPARC 64-bit systems, unzip apache_v22_solaris_sparc64_agent.zip.

   Some files have the .tar.gz extension. For example, to unpack the IBM Domino Server agent for Linux:

   # gunzip -dc sun-one-policy-agent-2.2-domino6-linux.tar.gz | tar -xvof -

   The files and directories required by the specific agent are then available in the zip-root/web_agents/agent-name directory, where zip-root is where you unzipped the file and agent-name identifies the specific agent. For example, for the Apache HTTP Server 2.2.x agent:

   zip-root/web_agents/apache22_agent

5. Follow the installation and configuration procedures in the respective Policy Agent 2.2 guide in the following collection:

   Policy Agent 2.2 documentation: http://download.oracle.com/docs/cd/E19534-01/index.html

   Note: Each version 2.2–03 web agent requires a full installation. That is, you must uninstall your existing agent and then re-install the new version 2.2–03 agent.

Web Agents: Key Fixes and Enhancements in the Policy Agent 2.2-03 Update

• IIS 6.0 agent supports POST data preservation (6735280)

• Web Proxy Server 4.0 agent can send GET request without header (6787007)

• Web agents libxml2.so library is upgraded (6817868)

• Not-enforced POST requests can be accessed in CDSSO mode (6789020)

• Web agent can handle new Access Manager 7.1 policy advices (6785022)

• Log entry added if web agent causes Apache Web Server to hang when the agent's log rotation fails (6804139)

• IIS 6.0 agent supports agent URL override functionality (6829880)

• IIS 6.0 SharePoint agent redirects to access-denied page if user doesn't exist in Active Directory (6854317)

IIS 6.0 agent supports POST data preservation (6735280)

The version 2.2–03 agent for Microsoft IIS 6.0 now supports POST data preservation. Users can preserve POST data, which is submitted to IIS 6.0 through HTML forms before the users log in to Access Manager.

To Configure POST Data Preservation for the IIS 6.0 Agent

1. Add the HTML pages containing the forms to the not-enforced URL list, as described in Configuring the Not-Enforced URL List in Sun Java System Access Manager Policy Agent 2.2 Guide for Microsoft Internet Information Services 6.0.

2. In the AMAgent.properties file for the IIS 6.0 agent, set the following properties:

   • com.sun.am.policy.agents.config.postdata.preserve.enable = true

     Enables POST data preservation. The default is false.

   • com.sun.am.policy.agents.config.postcache.entry.lifetime = interval

     Specifies the interval in minutes that the POST data stays valid in the IIS 6.0 agent cache. POST data cache entries that have existed beyond the specified time interval are automatically removed from the cache. The default time is 10 minutes.

3. Restart the IIS 6.0 server instance.

Web Proxy Server 4.0 agent can send GET request without header (6787007)

The version 2.2–03 agent for Sun Java System Web Proxy Server 4.0 can send a GET request without a header. Previously, this type of request caused a dump core, which resulted in a denial of service (DOS) security vulnerability.

For more information, check the security alerts on https://support.oracle.com/.

Web agents libxml2.so library is upgraded (6817868)

The libxml2.so library for version 2.2–03 web agents is upgraded from version 2.6.23 to version 2.7.3, in order to prevent a denial of service (DOS) security vulnerability.

For more information, check the security alerts on https://support.oracle.com/.

Not-enforced POST requests can be accessed in CDSSO mode (6789020)

For version 2.2–03 web agents in cross-domain single sign-on (CDSSO) mode, if a POST request is added to the not-enforced URL list, the browser now displays the POST data without redirecting to the Access Manager login page.

Web agent can handle new Access Manager 7.1 policy advices (6785022)

Version 2.2–03 web agents can handle the new Access Manager 7.1 policy advices for the AuthenticateToServiceConditionAdvice condition on 64–bit web containers.

Log entry added if web agent causes Apache Web Server to hang when the agent's log rotation fails (6804139)

A web agent can cause the Apache Web Server to hang if the agent's log rotation fails. A log entry to report this condition has been added in the version 2.2–03 release.

Workaround: Make sure that the correct permissions are set for the web agent log directory and that the partition where the logs are stored has enough space. Additional considerations for this issue are:

• To prevent permissions failures for the web agent's log directory, make sure all web server child processes have write permissions to the log directory. For example, consider the agent for Apache HTTP Server. If the initial Apache HTTP Server web agent log file is opened by super user (root) and the log rotation will subsequently be attempted by a child process running as a different user (such as apache user), make sure that apache user has write permissions to the log directory.

• In case of log rotation failures due to write permissions, the logs will be written to the web server's error log file.

IIS 6.0 agent supports agent URL override functionality (6829880)

The version 2.2–03 IIS 6.0 agent now supports the agent URL override functionality, if the following properties are set in the agent's AMAgent.properties file:

com.sun.am.policy.agents.config.override_protocol = true
com.sun.am.policy.agents.config.override_host = true
com.sun.am.policy.agents.config.override_port = true
com.sun.am.policy.agents.config.agenturi.prefix =
   https://iis-host.example.com:443/amagent
com.sun.am.policy.agents.config.fqdn.map = agent-host|load-balancer-host

These properties are used if the agent-protected web server is behind a load balancer or SSL over-loader and the external URL is different and should be overridden.

IIS 6.0 SharePoint agent redirects to access-denied page if user doesn't exist in Active Directory (6854317)

If a user doesn't exist in Microsoft Active Directory but is authenticated by Access Manager, the version 2.2–03 IIS 6.0 SharePoint agent now redirects the request to the access-denied page. Previously, the agent returned Error 403 (Forbidden) to the user.

Web Agents: Known Issues in the Policy Agent 2.2–03 Update Release

• Agent for Apache HTTP Server 2.0.x on IBM AIX 5.3 requires bos.rte.libc fileset upgrade

• NSPR libraries need to be upgraded to version 4.7.0

• Version 2.2-02 agent for Apache HTTP Server 2.2.3 fails to start on Linux 5.0

Agent for Apache HTTP Server 2.0.x on IBM AIX 5.3 requires bos.rte.libc fileset upgrade

On IBM AIX 5.3, if you are running the web agent for IBM HTTP Server based on Apache HTTP Server 2.0.x, the server sometimes crashes at startup.

Workaround. Upgrade the AIX bos.rte.libc fileset from Service Pack 7 to Service Pack 9 (AIX 5.3.0.68 to 5.3.0.70). For information see:

http://www-01.ibm.com/support/docview.wss?uid=isg1fileset-870201775

NSPR libraries need to be upgraded to version 4.7.0

For the version 2.2–03 web agents, the NSPR libraries need to be upgraded to version 4.7.0. Make sure that the upgraded NSPR libraries are picked up by the web server.

Version 2.2-02 agent for Apache HTTP Server 2.2.3 fails to start on Linux 5.0

The version 2.2-02 web agent for Apache HTTP Server 2.2.3 fails to start on Red Hat Linux 5.0 because the compatibility libraries are not installed. The OS includes /usr/lib/libstdc++.so.6 but not libstdc++.so.5.

Workaround: Install libstdc++.so.5 using the compat-libstdc++-33 RPM.