Sun Java System Access Manager Policy Agent 2.2 Release Notes

Web Agents: Key Fixes and Enhancements in the Policy Agent 2.2-03 Update

IIS 6.0 agent supports POST data preservation (6735280)

The version 2.2–03 agent for Microsoft IIS 6.0 now supports POST data preservation. POST data that users submit to IIS 6.0 through HTML forms before they log in to Access Manager is preserved.

To Configure POST Data Preservation for the IIS 6.0 Agent

  1. Add the HTML pages containing the forms to the not-enforced URL list, as described in Configuring the Not-Enforced URL List in Sun Java System Access Manager Policy Agent 2.2 Guide for Microsoft Internet Information Services 6.0.

  2. In the AMAgent.properties file for the IIS 6.0 agent, set the following properties:

    • com.sun.am.policy.agents.config.postdata.preserve.enable = true

      Enables POST data preservation. The default is false.

    • com.sun.am.policy.agents.config.postcache.entry.lifetime = interval

      Specifies the interval in minutes that the POST data stays valid in the IIS 6.0 agent cache. POST data cache entries that have existed beyond the specified time interval are automatically removed from the cache. The default time is 10 minutes.

  3. Restart the IIS 6.0 server instance.

Web Proxy Server 4.0 agent can send GET request without header (6787007)

The version 2.2–03 agent for Sun Java System Web Proxy Server 4.0 can send a GET request without a header. Previously, this type of request caused a core dump, which resulted in a denial of service (DoS) security vulnerability.

For more information, check the Security Sun Alerts on http://sunsolve.sun.com/.

Web agents libxml2.so library is upgraded (6817868)

The libxml2.so library for version 2.2–03 web agents is upgraded from version 2.6.23 to version 2.7.3 to prevent a denial of service (DoS) security vulnerability.

For more information, check the Security Sun Alerts on http://sunsolve.sun.com/.

Not-enforced POST requests can be accessed in CDSSO mode (6789020)

For version 2.2–03 web agents in cross-domain single sign-on (CDSSO) mode, if a POST request is added to the not-enforced URL list, the browser now displays the POST data without redirecting to the Access Manager login page.

Web agent can handle new Access Manager 7.1 policy advices (6785022)

Version 2.2–03 web agents can handle the new Access Manager 7.1 policy advices for the AuthenticateToServiceConditionAdvice condition on 64–bit web containers.

Log entry added if web agent causes Apache Web Server to hang when the agent's log rotation fails (6804139)

A web agent can cause the Apache Web Server to hang if the agent's log rotation fails. A log entry to report this condition has been added in the version 2.2–03 release.

Workaround: Make sure that the correct permissions are set for the web agent log directory and that the partition where the logs are stored has enough space. Additional considerations for this issue are:

IIS 6.0 agent supports agent URL override functionality (6829880)

The version 2.2–03 IIS 6.0 agent now supports the agent URL override functionality, if the following properties are set in the agent's AMAgent.properties file:

com.sun.am.policy.agents.config.override_protocol = true
com.sun.am.policy.agents.config.override_host = true
com.sun.am.policy.agents.config.override_port = true
com.sun.am.policy.agents.config.agenturi.prefix = https://iis-host.example.com:443/amagent
com.sun.am.policy.agents.config.fqdn.map = agent-host|load-balancer-host

Use these properties when the agent-protected web server is behind a load balancer or SSL off-loader and the external URL is different, so that the agent URL must be overridden.
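
The following check is an added example, not part of the release notes or of the agent's own tooling. It audits the text of an AMAgent.properties file for the POST data preservation and agent URL override settings described above. The simple line parser, the max_lifetime threshold and the comma-separated form of fqdn.map are assumptions, and the sample input is constructed.

```python
from urllib.parse import urlsplit

PREFIX = "com.sun.am.policy.agents.config."

def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped.
    Assumption: no line-continuation support, so a wrapped value is lost."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text, max_lifetime=10):
    """Return a list of findings; max_lifetime (minutes) is a reviewer-chosen limit."""
    props = parse_properties(text)
    get = lambda name, default="": props.get(PREFIX + name, default)
    findings = []
    if get("postdata.preserve.enable", "false").lower() == "true":
        raw = get("postcache.entry.lifetime", "10")  # page default: 10 minutes
        if not raw.isdigit() or int(raw) == 0:
            findings.append("postcache.entry.lifetime is not a positive number of minutes")
        elif int(raw) > max_lifetime:
            findings.append("postcache.entry.lifetime exceeds %d minutes" % max_lifetime)
    overrides = ("override_protocol", "override_host", "override_port")
    if any(get(name).lower() == "true" for name in overrides):
        url = urlsplit(get("agenturi.prefix"))
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append("override enabled but agenturi.prefix is not a full http(s) URL")
        # Assumption: fqdn.map holds comma-separated 'host|host' pairs.
        for pair in filter(None, (p.strip() for p in get("fqdn.map").split(","))):
            parts = pair.split("|")
            if len(parts) != 2 or not all(s.strip() for s in parts):
                findings.append("fqdn.map entry %r is not of the form host|host" % pair)
    return findings

# Constructed sample: the prefix value is wrapped onto its own line, the cache
# lifetime is raised well above the default, and the fqdn.map pair is incomplete.
SAMPLE = """\
com.sun.am.policy.agents.config.postdata.preserve.enable = true
com.sun.am.policy.agents.config.postcache.entry.lifetime = 120
com.sun.am.policy.agents.config.override_host = true
com.sun.am.policy.agents.config.agenturi.prefix =
   https://iis-host.example.com:443/amagent
com.sun.am.policy.agents.config.fqdn.map = agent-host|
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```
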

IIS 6.0 SharePoint agent redirects to access-denied page if user doesn't exist in Active Directory (6854317)

If a user doesn't exist in Microsoft Active Directory but is authenticated by Access Manager, the version 2.2–03 IIS 6.0 SharePoint agent now redirects the request to the access-denied page. Previously, the agent returned Error 403 (Forbidden) to the user.