Policy Agent 2.2–04 Update Release

The Policy Agent 2.2-04 update release currently includes fixes and enhancements for web agents:

• Web Agents in the Policy Agent 2.2-04 Update Release

• Key Fixes and Enhancements in the Policy Agent 2.2-04 Update Release

Web Agents in the Policy Agent 2.2-04 Update Release

Table 1 Web Agents in the Policy Agent 2.2-04 Update Release

Version 2.2-04 Policy Agent For	Patch ID
Apache HTTP Server 2.0.x	141243-02
Apache HTTP Server 2.2.x	141244-02
Microsoft IIS 5.0	141246-02
Microsoft IIS 6.0	141247-02
Sun Java System Web Proxy Server 4.0	141248-02
Sun Java System Web Server 6.1	141249-02
Sun Java System Web Server 7.0	141250-02
Note: A version 2.2–04 policy agent for IBM Lotus Domino 6.x, 7.0, and 8.0 is not currently available.

To Download and Install a Version 2.2–04 Web Agent

1. Create a download directory to download the patch. For example: v2.2-04_agent

2. In the download directory from Step 1, download the patch for the agent you want to install from http://sunsolve.sun.com/.

   For example, for the Apache HTTP Server 2.2.x agent, download 141244-02.zip.

3. In the download directory, unzip the patch.

   Each patch contains a README file and a separate ZIP file for each supported platform. The README file contains information about the patch, including a list of the bugs fixed in the patch (and bugs fixed in earlier releases).

   For example, files for the Apache HTTP Server 2.2.x agent are:

   • README.141244-02

   • Solaris SPARC 64-bit systems: apache_v22_solaris_sparc64_agent.zip

   • Solaris SPARC 32-bit systems: apache_v22_SunOS_agent.zip

   • Linux 32-bit systems: apache_v22_Linux_agent.zip

   • Linux 64-bit systems: apache_v22_linux64_agent.zip

   • Solaris x86 systems: apache_v22_SunOS_x86_agent.zip

   • Windows: apache_v22_WINNT_agent.zip

4. Unzip the file for your specific platform. For example, for Solaris SPARC 64-bit systems, unzip apache_v22_solaris_sparc64_agent.zip.

   The files and directories required by the specific agent are then available in the zip-root/web_agents/agent-name directory, where zip-root is where you unzipped the file and agent-name identifies the specific agent. For example, for the Apache HTTP Server 2.2.x agent:

   zip-root/web_agents/apache22_agent

5. Follow the installation and configuration procedures in the respective Policy Agent 2.2 guide in the following collection:

   Policy Agent 2.2 documentation: http://docs.sun.com/coll/1322.1

   Note: Each version 2.2–04 web agent requires a full installation. That is, you must uninstall your existing agent and then re-install the new version 2.2–04 agent.

Key Fixes and Enhancements in the Policy Agent 2.2-04 Update Release

• IIS 6.0 agent behind a load balancer now evaluates requests against not-enforced client IP list (6894700, 6864977)

• Sticky cookie support added for web agents behind a load balancer with POST data preservation (6836393)

• Apache HTTP Server 2.0.x and 2.2.x agents can encode special characters in cookies by URL encoding (6814694)

• Web agents have changes in the path info related properties (6854806)

• NSS and NSPR libraries are bundled with web agents on Solaris and Linux systems (6794995)

IIS 6.0 agent behind a load balancer now evaluates requests against not-enforced client IP list (6894700, 6864977)

Previously, if a load balancer or proxy was configured in front of the Microsoft IIS 6.0 agent and a user attempted to access a protected resource from a machine whose IP was in the not-enforced client IP list, the user would be redirected to the Access Manager or OpenSSO server, since the agent used the IP of the proxy instead of the client machine.

The Policy Agent Update 2.2-04 release includes the following new properties in AMAgent.properties that you can set if a load balancer is deployed in front of the IIS 6.0 agent and you want the agent to evaluate the request against the not-enforced client IP list:

• com.sun.agents.load_balancer.enable enables (true) or disables (false) the option to evaluate the request against the not-enforced client IP list, if a load balancer is deployed in front of the IIS 6.0 agent. The default is false. The following two properties are not used unless this property has a value of true.

• com.sun.am.policy.agents.config.client.ip.header is the name of the HTTP header that contains client IP, which depends on the type of load balancer you are using. If not used, leave this property blank.

• com.sun.am.policy.agents.config.client.hostname.header is the name of the HTTP header that contains the hostname of the client. If not used, leave this property blank.

After you set these properties, restart the IIS 6.0 instance.

Note. These new properties apply only to the IIS 6.0 agent. CR 6894700 fixes the 32-bit IIS 6.0 agent, and CR 6864977 fixes the 64-bit IIS 6.0 agent and OWA.

Sticky cookie support added for web agents behind a load balancer with POST data preservation (6836393)

For web agents that support POST data preservation and are deployed behind a load balancer, the Policy Agent 2.2-04 update release includes the new com.sun.am.policy.agents.config.postdata.preserve.lbcookie property in AMAgent.properties to ensure that the POST data are preserved when using the load balancer.

To use this feature, set the following properties in the AMAgent.properties file:

com.sun.am.policy.agents.config.postdata.preserve.enable = true
com.sun.am.policy.agents.config.postdata.preserve.lbcookie = palbcookie=01

After you set these properties, restart the web agent container.

Note. The new com.sun.am.policy.agents.config.postdata.preserve.lbcookie property applies only to the IIS 6.0, Web Server 6.1, and Web Server 7.0 agents, which are the only agents that support POST data preservation.

Apache HTTP Server 2.0.x and 2.2.x agents can encode special characters in cookies by URL encoding (6814694)

The version 2.2–04 Apache HTTP Server 2.0.x and Apache HTTP Server 2.2.x agents can use the new com.sun.am.policy.agents.config.encode_cookie_special_chars.enable property in AMAgent.properties to enable encoding for special characters in cookies. The default value for this property is false.

To enable the encoding, set the property to true and restart the Apache HTTP Server web container.

Web agents have changes in the path info related properties (6854806)

The Policy Agent 2.2-04 update release now has two properties related to the path info, allowing you to decouple the possibility to ignore the path info for the policy evaluation from the possibility to ignore the path info when evaluating the URL against the not-enforced list. These properties are:

• The com.sun.am.policy.agents.config.ignore_path_info property existed in the previous releases. In the Policy Agent 2.2-04 update release, this property indicates only whether the path information and query should be stripped from the request URL before the URL is evaluated by Access Manager. The default value is false.

• The new com.sun.am.policy.agents.config.ignore_path_info_for_not_enforced_list property indicates whether the path information and query should be stripped from the request URL before being compared with the URLs of the not-enforced list when those URLs contain a wild-card (*) character. For security reasons, the default value is true.

NSS and NSPR libraries are bundled with web agents on Solaris and Linux systems (6794995)

On Solaris and Linux systems, web agents in the Policy Agent 2.2-04 update release now include the following Sun NSS and NSPR libraries:

• NSS 3.11.9

• NSPR 4.7

These libraries are already included on other operating systems.