Key Fixes and Enhancements in the Policy Agent 2.2-02 Update

• J2EE_POLICY and ALL filter modes do not work on 2.2-02 J2EE Agent on Oracle Application Server 10g (6790321)

• J2EE policy agent fails to log when the log action is LOG_DENY (6729386)

• Performance issue resolved for policy agent (6768406)

• For web agents, sunwMethod parameter is removed from the URL in CDSSO mode (6725383)

• Domino 7.0 agent redirects client to URL instead of displaying a 500 error if Access Manager server is not responding (6715064)

• Composite advice can be included in the query instead of through a POST request (6676032)

• Apache 2.0 agent supports additional HTTP methods for a Subversion repository (6647805)

• For web agents, support is added to adjust the policy clock skew (6608463)

J2EE_POLICY and ALL filter modes do not work on 2.2-02 J2EE Agent on Oracle Application Server 10g (6790321)

If the filter mode (com.sun.identity.agents.config.filter.mode property) is set to J2EE_POLICY or ALL (which is the default value set during the agent installation), the version 2.2–02 Oracle Application Server 10g agent returns an error in the amFilter log when a protected resource is accessed.

Workaround. See the additional task in the Post-Installation Steps Specific to Agent for Oracle Application Server 10g in Sun Java System Access Manager Policy Agent 2.2 Guide for Oracle Application Server 10g.

J2EE policy agent fails to log when the log action is LOG_DENY (6729386)

For a J2EE agent, the Audit Log properties in AMAgent.properties are set as:

com.sun.identity.agents.config.audit.accesstype = LOG_DENY
com.sun.identity.agents.config.log.disposition = ALL

If a user for whom the access is denied to a J2EE protected resource tries to access a the resource in a deployed application, access to the protected resource is denied, but there is no entry in the logs for the deny action on either the Access Manager or J2EE agent side.

Workaround. None. This is a limitation of the product. For a J2EE policy to be evaluated, the control is given to the web container on which the agent is deployed, to determine the access policies. The web container doesn't send the access decision back to the agent for a resource that is protected with J2EE security policies. The web container just denies the access, and the agent cannot effectively log when the access is denied.

Performance issue resolved for policy agent (6768406)

Previously, a delay occurred for the Microsoft IIS 5.0 agent when a user accessed a protected resource. When the agents were deployed on multiple servers, serious performance degradation occurred.

Workaround. The Policy Agent 2.2–02 update includes the following new property:

com.sun.am.policy.agents.config.policy_number_of_tries

If this property is set to 0 (the default value), you can prevent the delay for all agents.

For web agents, sunwMethod parameter is removed from the URL in CDSSO mode (6725383)

For web agents, the sunwMethod parameter is removed from the URL in cross domain single sign-on (CDSSO) mode, because this parameter can cause problems with AJAX driven applications.

Web agents can use the following new property:

com.sun.am.policy.agents.config.use.sunwmethod

The default value is false, meaning that the sunwmethod parameter will not be used in CDSSO mode. For backward compatibility, if this property is set to true, CDSSO mode will function as it previously did.

Domino 7.0 agent redirects client to URL instead of displaying a 500 error if Access Manager server is not responding (6715064)

The IBM Lotus Domino 7.0 agent previously displayed an internal server error (HTTP 500) if the Access Manager server was not responding.

Workaround. Set the following new property to the URL where you want the version 2.2–02 Lotus Domino 7.0 agent to redirect the client if the Access Manager server does not respond:

com.sun.am.policy.agents.config.errorpage.url

This new property also applies to the version 2.2–02 Apache 2.x agent.

Composite advice can be included in the query instead of through a POST request (6676032)

When a web client accesses a resource and that request results in composite advice (sunamcompositeadvice) returned, the policy agent produces an auto-submitting HTML form, which can be difficult for a web client to interpret. Now, the following new property determines whether the composite advice is added in the query or through a POST request:

com.sun.am.use_redirect_for_advice

• true: Composite advice will be added to the redirect URL.

• false: Composite advice will be sent through a POST request.

The default is false.

Apache 2.0 agent supports additional HTTP methods for a Subversion repository (6647805)

The Apache 2.0 agent now recognizes these additional methods: VERSION_CONTROL, CHECKOUT, UNCHECKOUT, CHECKIN, UPDATE, LABEL, REPORT, MKWORKSPACE, MKACTIVITY, BASELINE_CONTROL, and MERGE. These methods are used for WebDAV versioning (RFC 3253) and specifically for a Subversion repository.

For web agents, support is added to adjust the policy clock skew (6608463)

If the time on the web agent host machine differs from the Access Manager time, you might occasionally see an incorrect policy decision or an infinite re-direction. The following new property in AMAgent.properties adjusts the clock skew between the web agent and Access Manager machines:

com.sun.am.policy.agents.config.policy_clock_skew

This properties specifies the time in seconds used to adjust the time difference between the policy agent machine and the Access Manager machine, as follows:

Clock skew in seconds = AgentTime - AccessManagerTime

The default is zero (0).

You should also run a time syncing service to keep the time on the agent machine and the Access Manager machine as close as possible.