Important known issues concerning web agents are separated in this document into the following categories:
The following known issues exist that affect all web agents in Policy Agent 2.2.
Set the X11 DISPLAY variable to a valid X server before installing or uninstalling the web agent. This condition applies even when the install or uninstall command is performed from the command line using the -nodisplay argument.
An error message appears when many concurrent users access the web agent. The error message is as follows: LogService::process() logRecWrite SAXParseException. This exception occurs in the Access Manager log in the following directory: /var/opt/SUNWam/debug. This problem is due to a bug in the multi-threaded logging mechanism of the web agent. However, this error message has no known effect on the web agent or the respective Access Manager instance.
Workaround: You can ignore this message.
When a large number of logging entries are recorded, log rotation fails and the log entries are redirected from the web agent log files to the error log files of the web container. These redirected log entries get written as stderr. The log files then accumulate on the web container without being automatically deleted.
Workaround: During production, do not use fine-grained logging levels, such as levels 4 or 5. These logging levels are only appropriate for short periods of time, such as for debugging.
For example, Agent for Sun Java System Web Server 6.1 does not support the 64-bit release of Sun Java System Web Server 6.1.
Workaround: Except when using Agent for Apache HTTP Server 2.0.54, do not use a web agent with a 64-bit version of the supported web container.
When you set the following property in the web agent AMAgent.properties configuration file, be aware of the web server behavior that typically applies:
Most web servers demonstrate the following behavior:
Prefix the header name by HTTP_.
Replace all lower case letters with upper case letters.
Replace all hyphens with underscores.
Therefore, use underscores “_” rather than hyphens “-” in the header name mapped to the LDAP attribute name to avoid problems. For example, the following property setting could be problematic:
com.sun.am.policy.agents.config.profile.attribute.map = cn|common-name
Web servers search for the header HTTP_COMMON_NAME, and would not find HTTP_COMMON-NAME.
You can use the following property to customize the “HTTP_” prefix:
The following example demonstrates how this property can be set:
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = EXAMPLE_
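The check below is an added example, not part of the original release note or the agent's own code: it applies the three header-name rules listed above to the attribute map and reports header names that contain hyphens or that collapse to the same server variable as another entry. The comma-separated list of attribute|header pairs, the function names, and the sample file content are assumptions made for illustration.

```python
MAP_KEY = "com.sun.am.policy.agents.config.profile.attribute.map"

def server_variable(header, prefix="HTTP_"):
    """Apply the three rules: add prefix, upper-case, hyphens to underscores."""
    return prefix + header.upper().replace("-", "_")

def read_property(text, key):
    """Return the value of one key from properties-style text ('' if absent)."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() == key:
            return value.strip()
    return ""

def lint_attribute_map(text, prefix="HTTP_"):
    """Return (ldap_attr, header, server_variable, problem) for risky entries."""
    findings = []
    owners = {}  # server variable -> first header name that produced it
    # Assumption: the map is a comma-separated list of attr|header pairs.
    for pair in read_property(text, MAP_KEY).split(","):
        attr, sep, header = (s.strip() for s in pair.partition("|"))
        if not sep or not attr or not header:
            continue  # skip empty or malformed pairs
        var = server_variable(header, prefix)
        if "-" in header:
            # The server exposes `var`; the hyphenated form is never found.
            findings.append((attr, header, var, "hyphen"))
        if var in owners and owners[var] != header:
            # Two distinct header names end up as one server variable.
            findings.append((attr, header, var, "collides with " + owners[var]))
        owners.setdefault(var, header)
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
# AMAgent.properties (excerpt)
com.sun.am.policy.agents.config.profile.attribute.map = cn|common-name,mail|user_mail,sn|COMMON_NAME
"""

if __name__ == "__main__":
    for attr, header, var, problem in lint_attribute_map(SAMPLE):
        print(f"{attr}|{header} -> {var}: {problem}")
```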
When the Linux operating system is installed, specific components can be selected. Occasionally the specific components of the operating system selected lack the libraries necessary for Policy Agent 2.2 to function. When the complete Linux operating system is installed, all the required libraries are available. The libraries that are required for the agent to function are as follows: NSPR, NSS, and libxml2.
Workaround: If the Linux operating system you are using is not complete, install the latest versions of these libraries as described in the steps that follow:
At the time this note was added, the latest version of the NSPR library packages was NSPR 4.6.x, while the latest version of the NSS library package was NSS 3.11.x.
To Install Missing Libraries for Policy Agent 2.2 on Linux Systems
Install the NSS and libxml2 libraries. These libraries are usually available as part of Linux installation media. NSPR and NSS are available as part of Mozilla binaries/development packages. You can also check the following sites:
Since the com.sun.am.ignore.naming_service property is not documented in the individual web agent guides, it is explained in this release note.
Starting with Access Manager 7.0, if a load balancer is deployed in front of an Access Manager host, by default the naming response (for all services) uses the protocol, host, and port number of the load balancer.
However, for Access Manager 6.3, the naming response by default uses the protocol, host, and port number of the individual Access Manager Server instances. The web agents must then replace the protocol, host, and port number of the individual Access Manager Server instances with the protocol, host, and port number of the load balancer. In this scenario, for Policy Agent 2.2, configure the web agent to use the correct server information by setting the com.sun.am.ignore.naming_service property as shown in the workaround that follows.
Workaround: Add the following property to the web agent AMAgent.properties configuration file and set the value to true as indicated:
com.sun.am.ignore.naming_service = true
While the com.sun.am.ignore.naming_service property is not visible in the web agent AMAgent.properties configuration file, it exists in the web agent and is by default set to false. Therefore, you must add both the property and the value.
The value for this property is the number of milliseconds the agent waits to receive responses from Access Manager. Once the amount of time that has passed matches the value set for this property, any incomplete transactions are dropped and an error is issued indicating that one of the connections has failed.
The default value is 0. When set to 0, the socket remains open indefinitely. In most cases, the value should remain at 0.
Workaround: Not applicable.
The following known problem exists that affects Agent for Microsoft IIS 6.0.
This problem involves the following global environment variable:
Workaround: Before you install this agent, set this environment variable as shown:
NSPR_NATIVE_THREADS_ONLY = 1