Oracle® Access Manager Introduction
10g (10.1.4.0.1)

Part Number B25342-01

5 Overview of 10g (10.1.4.0.1) Behaviors

This chapter provides a brief summary of Oracle Access Manager 10g (10.1.4.0.1) behaviors and mentions earlier behaviors (if those were different).


Note:

10g (10.1.4.0.1) refers to any Oracle Access Manager release in the 10.1.4 series (for example, 10.1.4.0.1 and 10.1.4.0.2 when that becomes available).

Topics include:

5.1 General Behavior Summary

A number of earlier product behaviors have changed to support product globalization. In addition, new features have been added and changes have been made to improve product usability and performance.

If you have upgraded an earlier installation to Oracle Access Manager 10g (10.1.4.0.1), some backward compatibility is enabled during the upgrade and some manual processing must occur. For more information about upgrading, see the Oracle Access Manager Upgrade Guide, which includes details about components and third-party products that are no longer supported.

To ensure that you always have the most up-to-date information, support details are not presented in manuals. For the latest platform and support information, be sure to see the Certify tab at https://metalink.oracle.com.

To use Metalink

  1. Navigate to http://metalink.oracle.com.

  2. Log in to Metalink as directed.

  3. Click the Certify tab.

  4. Click View Certifications by Product.

  5. Select the Application Server option and click Submit.

  6. Choose Oracle Application Server and click Submit.

Whether you install the Identity System alone or include the Access System, Table 5-1 briefly summarizes overall Oracle Access Manager 10g (10.1.4.0.1) behaviors.

Table 5-1 General Oracle Access Manager Behavior Summary

Function Behavior

Acquiring and Using Multiple Languages

Early product releases provided messages for end users and administrators in only the English language. Starting with release 6.5, support for translatable messages was provided through Language Packs for certain Latin-1 languages (French and German). Oracle Access Manager 10g (10.1.4.0.1) provides support for nearly a dozen Administrator languages and over two dozen end-user languages, as described in Chapter 4, "About Globalization and Multibyte Support". When you install the product without a Language Pack, only English is available.

Administrative information can be displayed in the Administrator languages listed in Table 4-1 only. When installing components with Oracle-provided Language Packs, you can choose the language (locale) to be used as the default for administrative tasks. If administrative pages are requested in any other language (based on browser settings), the language that was selected as the default during product installation is used to display the pages. See the Oracle Access Manager Installation Guide for installation details.

After installing Oracle Access Manager with Oracle-provided Language Packs, you must enable all languages to be used, then configure Oracle Access Manager to use the installed languages by entering display names for attributes, tabs, and panels as described in the Oracle Access Manager Identity and Common Administration Guide.

Messages in Oracle Access Manager stylesheets depend upon a language. Beginning with release 6.5, messages have been brought out of the stylesheets and defined separately as variables in msgctlg.xsl (and msgctlg.js for JavaScript files). In addition, each stylesheet has a corresponding language-specific thin wrapper stored in IdentityServer_install_dir\identity\oblix\lang\langTag\style0 to segregate the main functionality of the stylesheet template from language-specific messages in the stylesheets. For more information, see the Oracle Access Manager Customization Guide.

Auditing and Access Reporting

To support all available languages, definitions of oblix_audit_events, oblix_rpt_as_reports, oblix_rpt_as_resources, and oblix_rpt_as_users tables have changed. For details, see the Oracle Access Manager Identity and Common Administration Guide.

The Crystal Reports package is no longer provided with the Oracle Access Manager package. You must obtain this product from the vendor.

You can now audit to an Oracle Database as well as to Microsoft SQL Server. Support for MySQL is deprecated in this release.

When configuring Audit Policies in the Identity System Console, you can specify a list of profile attributes for every audit record. Profile attributes (Full Name, Employee Number, Department Number, and the like) are specific to the user performing the action/event being audited (Search or View Profile or Modify Profile, for example). The purpose of profile attributes is to help you identify the user performing the action/event.

Warning: To avoid exposing a challenge phrase or response attribute, Oracle recommends that you do not select these as profile attributes for auditing. If you add a challenge phrase or response as a profile attribute, it is audited in proprietary encoded format.

Before auditing in an environment you upgraded to 10g (10.1.4.0.1), you must retain the original database and data, create a new database instance for use with 10g (10.1.4.0.1), generate new tables, and import earlier data before you start auditing (this last item is a must only if you want to query/generate reports using both old and new data), as described in the Oracle Access Manager Upgrade Guide.

Automatic Schema Update Support for ADAM

Removed due to an ldifde.exe tool licensing issue. For ADAM, the schema must be updated manually, as described in the Oracle Access Manager Installation Guide.

C++ Programs

When upgrading from releases earlier than 7.0, you may need to recompile C++ programs created with the Software Developer Kit and APIs after the upgrade. See other topics in this chapter for an overview of the impact on Identity System event plug-ins; Access Manager SDK, Access Manager API, and custom AccessGates; and custom authentication and authorization plug-ins and interfaces. See also, the Oracle Access Manager Developer Guide.

Cache Flush

A 10g (10.1.4.0.1) Identity Server cannot flush the cache of an earlier Access Server, which impacts environments that you upgrade. To eliminate problems, you must upgrade the Access Server to 10g (10.1.4.0.1). If you install a new Access Server, ensure that it is backward compatible. See information on the Access Server in Table 5-3.

Certificate Store and Localized Certificates

You can request and add localized certificates containing non-ASCII text in all fields except Email and Country (per X.509 standards).

Starting with release 7.0 and continuing with 10g (10.1.4.0.1), the default certificate store format and name have changed to cert8.db.

When you upgrade to 10g (10.1.4.0.1), the old certificate store is used. 10g (10.1.4.0.1) works with both the cert7.db (upgraded environments) and cert8.db (new installations) certificate stores. A new certificate store is generated transparently whenever you add, modify, or delete certificates using the configureAAAServer, setup_ois, or setup_accessmanager utilities. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Compilers for Plug-ins

Starting with release 7.0, components on Solaris and Linux are compiled using the GCC v3.3.2 C++ compiler to address multi-threading issues encountered with earlier compiler releases.

After upgrading to 10g (10.1.4.0.1), you must recompile custom plug-ins from release 5.x or 6.x using the GCC v3.3.2 C++ compiler available from your vendor. This includes Identity Event plug-ins and custom authentication and authorization plug-ins. For details, see the Oracle Access Manager Upgrade Guide.

Configuration Files

Earlier releases of Oracle Access Manager managed certain information (including but not limited to directory connection information and WebGate parameters) solely through XML and LST configuration files. Release 10g (10.1.4.0.1) provides the ability to manage this information through the Identity System Console and Access System Console. See also "Directory Server Connection Details" (in this table) and "WebGates" (in Table 5-3, "Access System Behavior Summary").

Connection Pool Details

Starting with release 7.0, connection pooling was consolidated to support failover across the entire system. The directory connection pool does not depend on directory type. There is some impact when upgrading (depending on the configuration of your earlier installation to each directory server that is configured). See the topic on directory server failover in this table. For more information, see the Oracle Access Manager Upgrade Guide and Oracle Access Manager Deployment Guide.

Console-based Command-Line Interfaces

Oracle Access Manager command-line tools have been modified to automatically detect the server locale and use it for processing. To override the server locale, set either the COREID_NLS_LANG or the NLS_LANG environment variable; doing so turns auto-detection off and takes precedence over the server locale. When set, NLS_LANG takes precedence over LANG, and COREID_NLS_LANG takes precedence over NLS_LANG. For details, see the Oracle Access Manager Installation Guide.

Customized Styles

Product functionality depends, in part, on stylesheet files in the latest \style0 and \shared directories. Starting with Oracle Access Manager release 6.5, to support multiple languages the location of JavaScript, stylesheets, and images changed. The directory structure introduced with release 6.5 continues with 10g (10.1.4.0.1). For general information about stylesheets and customization, see the Oracle Access Manager Customization Guide.

Customized .XSL style files, images, and JavaScript files are not migrated during an upgrade. If files in your earlier Oracle Access Manager \style0 directory were customized, you must manually edit the newer version files in \style0 and \shared directories after the upgrade. For more information, see the discussion on incorporating custom items in the Oracle Access Manager Upgrade Guide.

Database Input and Output

Oracle Access Manager 10g (10.1.4.0.1) supports the Unicode character set. In new installations, Oracle recommends that you choose a Unicode character set for your database. For more information, see Chapter 4, "About Globalization and Multibyte Support".

Earlier Oracle Access Manager releases used the Latin-1 character set. As a result, the varchar type for the columns of audit and reporting related tables was sufficient. 10g (10.1.4.0.1) supports an internationalized character set. As a result, the audit record may contain data with non-Latin-1 characters (Chinese, Japanese, Arabic, and the like). For more information, see details about auditing and access reporting in this table.

Date and Time Formats

In the 10g (10.1.4.0.1) Identity System, the date format remains the same as in the last release and is not internationalized (on the Diagnostics page and Ticket Information page for example). However, month names taken from Identity System message catalogs are displayed in the locale specified by the browser. As in earlier releases, date order formats (MM/DD/YYYY versus DD/MM/YYYY and the like) can be configured by modifying object class attributes in the Identity System Console as described in the Oracle Access Manager Identity and Common Administration Guide. On the Ticket Information page, the date is displayed in the format specified in the obDateType parameter in the globalparams.xml file. Weekday names do not appear anywhere within the Identity System.

In the Access System, month names, the date-order format (MM/DD/YYYY versus DD/MM/YYYY), and weekday names are displayed according to the locale specified for the browser. In the Access System, month and weekday names are not taken from message catalog files.

Default Product Page

As in earlier releases, there can be only one static HTML page at the address /identity/oblix/index.html and one static HTML page at the address /access/oblix/index.html. These static product pages always use the default Administrator language selected during Identity Server and Policy Manager installation at this location. Starting with release 6.5, the product supported multiple Latin-1 languages (French, German). The default product page behavior remains the same as in earlier releases. See also information about HTML pages later within this table.

Directory Profiles and Database Instance Profiles

In earlier releases, the Identity System included directory profiles and database instance profiles. A directory profile (also known as a directory server profile) contains the connection information for one or more directory servers that share the same namespace and operational requirements for Read, Write, Search, and so on. The connection information includes a name, a domain or namespace to which it applies, a directory type, and a set of operations.

Starting with release 6.5, the Access System began partially using directory profiles and database instance profiles for accessing user data. Also, these directory profiles replace the UserDB.lst, GroupDB.lst, UserDBFailover.lst, and GroupDBFailover.lst configuration files that were used in earlier Access System releases.

In 10g (10.1.4.0.1), a directory profile is created automatically each time you install an Identity Server, Policy Manager, or Access Server and specify new directory server connection information. You can create additional directory server profiles for load balancing and failover after installation.

When you upgrade an earlier Policy Manager or Access Server, a message appears during the incremental upgrade to release 6.5. The message "DB Profiles created" refers to the directory server profile that is created. See also information on connection pools, earlier in this table.

Directory Server Connection Details vs. XML Files

Earlier releases managed directory connection information solely through XML configuration files. Recently, Oracle Access Manager provided the ability to manage this information through the interface using the Directory Profile page in the Identity System Console and the Access System Console. However, some configuration and policy data is still managed through XML files.

Directory Server Failover

Your earlier implementation may include failover between an Oracle Access Manager server and the directory server.

Following data upgrades, the Access Server handles multiple directory servers using directory profiles that are automatically created during the upgrade between release 6.1.0 and 6.5. After upgrading, it is a good idea to verify that the failover configuration you had in the earlier release operates as expected as described in the Oracle Access Manager Deployment Guide.

See also information on connection pool details mentioned earlier in this table, and information about message and parameter .lst files that are transformed into .xml files.

Directory Server Interface

The 10g (10.1.4.0.1) directory server interface reads, processes, and stores data using UTF-8 encoding.

Directory Structure

When you install 10g (10.1.4.0.1) components, you can name the top-level directory as you like. With each installed component, Oracle Access Manager appends an identifier to the directory name you assign. For example:

IdentityServer_install_dir\identity

AccessServer_install_dir\access

In each case, a directory named \oblix\oracle\nlstrl is created after the automatic installation of the Oracle National Language Support Library (not available in earlier releases).

For more information, see the Oracle Access Manager Installation Guide.

Domain Names, URIs, and URLs

10g (10.1.4.0.1) supports ASCII characters only for domain names, URIs, and URLs. This is the same as in earlier releases. There is no support for internationalized characters.

Encryption Schemes

Cookies are encrypted using a configurable encryption key known as a shared secret. In release 5.x, the RC4 encryption scheme was recommended for shared secret keys. In release 6.x, the RC6 encryption scheme was recommended. Starting with release 7.0, AES became the default Access System encryption scheme. For more information, see shared secret details later in Table 5-3 and the Oracle Access Manager Access Administration Guide.

The Identity System continues to use RC6 encryption for Lost Password Management responses.

Failover and Failback

Release 7 introduced a heartbeat polling mechanism to facilitate immediate failover to a secondary directory server when the number of connections in the connection pool falls below the specified threshold level. Additionally, a failback mechanism facilitates switching from the secondary directory server back to the primary server as soon as the preferred connection has been recovered.

The heartbeat feature polls the primary directory server connections periodically to verify the availability of the directory service (and by implication, the network). When the host cannot be reached, further attempts to connect to that host are blocked for the specified Sleep For interval, rather than for the TCP timeout used previously.

If the directory service is not available, the heartbeat mechanism immediately initiates failover to the secondary directory server. Thus, failover can take place without being triggered by an incoming directory service request and a subsequent TCP timeout. A new parameter in globalparams.xml determines the timeout interval for establishing a connection.

In situations where the enterprise network performance is poor, the heartbeat feature can trigger false alarms and tear down already-established connections. Therefore, the heartbeat_enabled parameter in the globalparams.xml enables you to activate or deactivate the heartbeat mechanism in response to current network conditions. By default the heartbeat feature is activated.

For more information, see the Oracle Access Manager Deployment Guide.
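The timing described under Failover and Failback can be followed with a small model. This is an added illustration, not Oracle code: the class and function names, the one-second clock, and the sample timelines are assumptions, and only the Sleep For interval and the heartbeat_enabled switch come from the text above.

```python
from dataclasses import dataclass, field


@dataclass
class DirectoryFailoverModel:
    sleep_for: int                   # seconds a host that failed a probe is left alone
    heartbeat_enabled: bool = True   # models heartbeat_enabled in globalparams.xml
    active: str = "primary"
    blocked_until: int = 0           # primary is not contacted before this time
    events: list = field(default_factory=list)

    def _primary_usable(self, now: int, primary_up: bool) -> bool:
        if now < self.blocked_until:
            return False             # inside Sleep For: no connection attempt at all
        if not primary_up:
            self.blocked_until = now + self.sleep_for
            return False
        return True

    def _set_active(self, now: int, server: str, trigger: str) -> None:
        if server != self.active:
            self.events.append((now, f"{self.active}->{server}", trigger))
            self.active = server

    def heartbeat(self, now: int, primary_up: bool) -> None:
        """Periodic poll: can fail over or fail back with no client request pending."""
        if self.heartbeat_enabled:
            usable = self._primary_usable(now, primary_up)
            self._set_active(now, "primary" if usable else "secondary", "heartbeat")

    def request(self, now: int, primary_up: bool) -> str:
        """Incoming directory request: returns the server that handles it.
        Failback with the heartbeat off is not described on the page, so it is not modelled."""
        if self.active == "primary" and not self._primary_usable(now, primary_up):
            self._set_active(now, "secondary", "request")
        return self.active


def run(model, outage, poll_every, requests, end):
    """Replay a constructed timeline; the primary is down for outage[0] <= t < outage[1]."""
    for now in range(end + 1):
        up = not (outage[0] <= now < outage[1])
        if now % poll_every == 0:
            model.heartbeat(now, up)
        if now in requests:
            model.request(now, up)
    return model.events


if __name__ == "__main__":
    # Primary down from t=15 to t=50, heartbeat every 10 s, Sleep For 20 s.
    print(run(DirectoryFailoverModel(20), (15, 50), 10, {42, 70}, 100))
    # Same outage with the heartbeat off: noticed only at the first request.
    print(run(DirectoryFailoverModel(20, heartbeat_enabled=False), (15, 50), 10, {42, 70}, 100))
    # One-second blip that coincides with a poll: the false alarm costs a full Sleep For.
    print(run(DirectoryFailoverModel(20), (20, 21), 10, set(), 60))
```

In the first run the primary recovers at t=50 but is used again only at t=60, because the failed probe at t=40 started a new Sleep For window.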

File and Path Names

With 10g (10.1.4.0.1) only ASCII characters are supported in file and path names. This is the same as in earlier releases.

Graphical User Interface

A number of changes have been made to improve and clarify the Web-based graphical user interface. The user interface is introduced in this guide and described throughout the suite of manuals.

HTML Pages

In 10g (10.1.4.0.1), all HTML pages generated by Oracle Access Manager use UTF-8 encoding. This encoding is communicated to Web browsers using the Content-Type HTTP header and META tags. See also information about default product pages mentioned earlier in this table.

Message and Parameter Catalogs

Release 10g (10.1.4.0.1) includes .XML parameter and message catalog files. The exception to this rule includes files that are used during an upgrade. In 10g (10.1.4.0.1), message files reside in specific directories for each installed language. For example: IdentityServer_install_dir/identity/oblix/lang/langTag/oblixbasemsg.xml. For more information, see the Oracle Access Manager Customization Guide.

Minimum Number of Search Characters

In earlier releases, you needed to enter at least three characters when performing a search in Identity System applications. In 10g (10.1.4.0.1) there is no minimum number of characters required. As in earlier releases, you can control the minimum number of characters that users must enter in the search field as described in the Oracle Access Manager Customization Guide.

Names Assigned by Administrators and Product Names

Some product and component names have changed. Certain function names have been made consistent between the Access and Identity Systems as noun phrases. During an upgrade, earlier names are changed to the new name. For more information, see "Product and Component Name Changes".

However, any service names assigned by an administrator during installation or configuration are not changed during an upgrade. Therefore if you have a service named "COREid Server" or "NetPoint Server", these names remain intact after the upgrade. Also, earlier authentication scheme names and policy domain names assigned by an administrator remain unchanged after an upgrade.

Namespaces for Policy Data and User Data Stored Separately

Before release 6.5, the namespaces for policy data and user data stored in two separate directories had to be unique. During an upgrade to 10g (10.1.4.0.1) you need to confirm this uniqueness to ensure that multi-language capability can be enabled. For more information, see the Oracle Access Manager Upgrade Guide.

Object Classes and Attributes

There have been several schema changes in 10g (10.1.4.0.1). For more information, see the Oracle Access Manager Schema Description.

Password Policies and Lost Password Management

This release contains password policy and password management enhancements. You can configure the minimum and maximum number of characters users can specify in a password. For lost password management, you can set multiple challenge-response pairs, create multiple style sheets, and configure other aspects of the user's lost password management experience. You can also redirect users back to the originally requested page after resetting a password. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Reconfiguring the Logging Framework without a Restart

In 10g (10.1.4.0.1), you may reconfigure the logging framework without restarting the servers. To do this an administrator must manually update the logging configuration for each component:

  • Identity Server

  • WebPass

  • Policy Manager

  • Access Server

  • WebGate

Changes to logging parameters take effect within one minute, rather than requiring you to restart the server where the changes were made. For more information, see the Oracle Access Manager Identity and Common Administration Guide.

Support Changes

There have been a number of changes in supported platforms and third-party versions. You can now locate complete platform support details under the Certify tab at https://metalink.oracle.com. To use Metalink:

  • Log in to Metalink as directed.

  • Click the Certify tab.

  • Click View Certifications by Product.

  • Select the Application Server option and click Submit.

  • Choose Oracle Application Server and click Submit.

Transport Security for the Directory Server

When you configure SSL mode for the directory server, only server authentication is supported. Client certificates are not supported. Oracle Access Manager verifies the server certificate against the Root CA certificate that you imported during product setup. For more information, see the Oracle Access Manager Access Administration Guide.

XML Catalogs and XSL Stylesheet Encoding

For non-English languages, XML message files have encoding set as UTF-8, because ISO-8859-1 encoding cannot represent all characters in all languages. When no encoding is specified, UTF-8 is used as the default. Some English-only files still use ISO-8859-1 encoding. For more information, see the Oracle Access Manager Customization Guide.

Web Server Configuration Files

There have been no changes for globalization and UTF-8 support in any Web server configuration files. However, the importantnotes.txt file has been removed and the information that was in this file is now documented in an appendix in the Oracle Access Manager Installation Guide.


5.2 Identity System Behavior Summary

Table 5-2 briefly summarizes 10g (10.1.4.0.1) Identity System behaviors.

Table 5-2 Identity System Behavior Summary

Function Behavior

Challenge and Response Attributes

Starting with 10g (10.1.4.0.1), both the challenge phrase and response attributes must be on the same panel in Identity System applications. Challenge phrases and responses are displayed one after the other even though these are not configured one after the other in the panel. If a panel contains only the challenge attribute, it will be displayed in the Profile page without a response. If the panel contains only the response (without the challenge attribute), the response will not be displayed in the Profile Page at all.

For details about configuring these, see the Oracle Access Manager Identity and Common Administration Guide. For details about combining these on a single panel after the upgrade, see the Oracle Access Manager Upgrade Guide. For changes to IdentityXML, see the Oracle Access Manager Developer Guide.

Identity Server Backward Compatibility

Starting with 10g (10.1.4.0.1), the Identity Server uses UTF-8 encoding and plug-in data will contain UTF-8 data. Earlier custom plug-ins send and receive data in Latin-1 encoding.

Backward compatibility with earlier custom plug-ins is automatic. However, when you add a new 10g (10.1.4.0.1) Identity Server to an upgraded environment, you need to manually set the encoding flag in the Identity Server oblixpppcatalog.lst to enable communication with earlier plug-ins and interfaces. For details, see the Oracle Access Manager Installation Guide.

Identity System Event Plug-ins

With release 10g (10.1.4.0.1), the Identity Server uses UTF-8 encoding; plug-in data will contain UTF-8 data. For more information, see the Oracle Access Manager Developer Guide.

Backward compatibility between an upgraded Identity Server and earlier Identity Event plug-ins is automatic. For details about adding a new Identity Server to an upgraded environment, see the Oracle Access Manager Installation Guide.

IdentityXML and SOAP Requests

Starting with release 6.5, certain syntax changes were made for IdentityXML requests. Oracle recommends that you use the latest syntax for your customizations. However, the earlier syntax should still operate without problem.

In 10g (10.1.4.0.1), UTF-8 encoding is used for XML pages, for SOAP/IdentityXML requests, and for Identity Event Plug-in data sent to executables.

For more information and new syntax descriptions, see the Oracle Access Manager Developer Guide.

Java Applets

A user working in an English locale cannot view applets in multi-byte languages. To work with applets in a multi-byte language, the locale on the user's machine must be set to the same language. Setting browser encoding will not work.

There is a known limitation of Java applets in JDK1.1.7. In Oracle Access Manager 10g (10.1.4.0.1), applets with non-ASCII data can only be displayed properly on machines running with a native encoded operating system.

For more information about acquiring and using languages, see Table 5-1, "General Oracle Access Manager Behavior Summary". See also the Oracle Access Manager Identity and Common Administration Guide.

Mail Notification

In 10g (10.1.4.0.1), UTF-8 "B" (Base64 encoding) is used. MIME headers for all non-MHTML mail messages are set as follows: MIME-Version: 1.0; Content-Type: text/plain; charset=UTF-8; Content-Transfer-Encoding: 8bit.

Minimum Number of Search Characters

In earlier releases, you needed to enter at least three characters when performing a search in Identity System applications (User Manager, Group Manager, and Organization Manager). In 10g (10.1.4.0.1) there is no minimum number of characters required. By default, you can enter no characters. As in earlier releases, to help users narrow their search criteria you can control the minimum number of characters that users must enter in the search field by setting the searchStringMinimumLength parameter in oblixadminparams.xml. See the Oracle Access Manager Customization Guide for details.

Multi-Step Identity Workflow Engine

You can model your business processes in the Identity System using workflows. In earlier releases, you could use a workflow to issue, revoke, and renew certificates. However, this is no longer supported.

Oracle Identity Protocol (OIP)

The Oracle Identity Protocol (formerly known as the NetPoint Identity Protocol) facilitates communication between Identity Servers and associated WebPass instances. There are no changes in the protocol for globalization.

Password Policies and Password Management Runtime

In 10g (10.1.4.0.1), internationalized characters are supported in password policies. In earlier releases, password policies worked only with Latin-1 characters when enforcing policy constraints. There are no Password Management runtime changes.

Portal Inserts and URI Query Strings

In 10g (10.1.4.0.1), the encoding of data in the URI query string is UTF-8 encoding. However, earlier Portal Inserts in installations that have been upgraded to 10g (10.1.4.0.1) require modification after upgrading. For more information, see the Oracle Access Manager Upgrade Guide.

PresentationXML Directories

Before release 6.5, the PresentationXML library was provided under two directories and distributed depending upon how the files were likely to be used. For example, stylesheets that define the default Oracle Access Manager Classic Style were maintained in flat files in \IdentityServer_install_dir\identity\oblix\apps\AppName. Starting with release 6.5 and continuing through 10g (10.1.4.0.1), the PresentationXML library is now stored in different directories. For more information, see the Oracle Access Manager Customization Guide.

Sorting User Search Results

In the User Manager, Group Manager and Org. Manager, search results are sorted using a locale-based case insensitive method when you click the column heading (Full Name, for example) in the search results table.

Web Services Code

The Oracle Access Manager product now provides sample code for implementing Web services using IdentityXML. For more information, see the Oracle Access Manager Developer Guide.


5.3 Access System Behavior Summary

Table 5-3 briefly summarizes 10g (10.1.4.0.1) Access System behaviors.

Table 5-3 Access System Behavior Summary

Function Behavior

Access Server Backward Compatibility

Earlier custom plug-ins sent and received data in Latin-1 encoding. In 10g (10.1.4.0.1), Access Servers use UTF-8 encoding and 10g (10.1.4.0.1) custom plug-in data will be UTF-8 encoded. In 10g (10.1.4.0.1), cookie encryption and decryption is accomplished by the Access Server.

When you upgrade an earlier Access Server to 10g (10.1.4.0.1), a new parameter is set in the Access Server globalparams.xml file automatically. This provides backward compatibility with earlier custom plug-ins and interfaces, as well as earlier WebGates and custom AccessGates. For more information, see the Oracle Access Manager Upgrade Guide.

When you add a new Access Server to an upgraded environment, you need to manually set the value in the Access Server globalparams.xml to enable backward compatibility. For more information, see the Oracle Access Manager Installation Guide.

Access Manager SDK, Access Manager API, and Custom AccessGates

10g (10.1.4.0.1) Access Servers use UTF-8 encoding automatically. In addition, the Access Manager SDK (formerly the Access Server SDK) and Access Manager API (formerly known as the Access Server API) are used to create custom AccessGates. Custom AccessGates use UTF-8 encoding automatically.

For Java interfaces and the Java implementation of the Access Manager API, there have been no external changes for 10g (10.1.4.0.1). JNI calls use UTF-16 encoded Java string objects. Earlier Oracle Access Manager releases converted this data to Latin-1. 10g (10.1.4.0.1) Access Servers and AccessGates use UTF-8 encoding automatically.

The 10g (10.1.4.0.1) Access Manager SDK and custom 10g (10.1.4.0.1) AccessGates are not backward compatible with earlier Access Servers, nor with the earlier Access Manager SDK and AccessGates. However, you can use earlier AccessGates with 10g (10.1.4.0.1) Access Servers that are enabled to be backward compatible.

Authentication Scheme Updates

In 10g (10.1.4.0.1) it is no longer necessary to disable an authentication scheme before you modify it. Also, in 10g (10.1.4.0.1) you can configure an authentication scheme that allows the user to log in for a period of time rather than a single session.

Authorization Rules and Access Policies

Starting with release 6.5, Authorization rules are grouped under a tab named "Authorization Rules". Also, a new authorization inconclusive state was introduced in release 7.x (apart from authorization success and failure states).

During an upgrade, the rules are renamed using a combination of the Policy Domain name to which the rule belongs, followed by the Authorization Rule name: PolicyDomain_AuthorizationRuleName. When your earlier installation included authorization failure redirects, you need to complete a procedure after the upgrade to ensure proper authorization failure redirects. For more information, see the Oracle Access Manager Upgrade Guide.

Custom Authentication and Authorization Plug-in Interfaces

Before 10g (10.1.4.0.1), the Authentication Plug-In API and Authorization Plug-In API for C used Latin-1 encoding for data exchanged between the Access Server and the custom plug-ins. In 10g (10.1.4.0.1), the Authentication Plug-In API and Authorization Plug-In API for C use UTF-8 encoding for plug-in processing. There is no change for .NET (managed code) plug-ins.
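Because of the Latin-1 to UTF-8 change described above, bytes from a legacy plug-in that has not been converted are not valid UTF-8 whenever they contain a non-ASCII character. The following C code is an added example, not Oracle code and not part of the plug-in API; the names utf8_valid, latin1_to_utf8 and SAMPLE_LATIN1 are assumptions made for illustration.

```c
#include <stddef.h>

/* Constructed sample: "José" as a legacy Latin-1 plug-in would send it. */
const unsigned char SAMPLE_LATIN1[4] = { 'J', 'o', 's', 0xE9 };

/* Strict UTF-8 check: rejects stray continuation bytes, overlong forms,
   surrogates and code points above U+10FFFF. Returns 1 if valid. */
int utf8_valid(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = s[i];
        size_t len;
        unsigned long cp, min;
        if (c < 0x80) { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
        else return 0;                      /* 0x80-0xBF or 0xF8-0xFF lead */
        if (len > n - i) return 0;          /* truncated sequence */
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;
        i += len;
    }
    return 1;
}

/* Convert Latin-1 bytes to UTF-8. Each byte >= 0x80 becomes two bytes.
   Returns the number of bytes written, or (size_t)-1 if out is too small. */
size_t latin1_to_utf8(const unsigned char *in, size_t n,
                      unsigned char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] < 0x80) {
            if (o + 1 > cap) return (size_t)-1;
            out[o++] = in[i];
        } else {
            if (o + 2 > cap) return (size_t)-1;
            out[o++] = (unsigned char)(0xC0 | (in[i] >> 6));
            out[o++] = (unsigned char)(0x80 | (in[i] & 0x3F));
        }
    }
    return o;
}
```

Some byte sequences are well-formed in both encodings, so validation only confirms well-formedness; convert legacy plug-in output explicitly rather than guessing its encoding.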

Directory Profiles

Release 6.5 introduced support for directory server profiles for the Access Server and Policy Manager. During a Policy Manager upgrade from any release before 7.x, a new directory server profile is added automatically. However, the values for Initial Connections and Maximum Connections are not retained during the Policy Manager upgrade.

After upgrading, Oracle recommends that you verify and validate that new directory server profiles were properly created and that load-balancing and failover settings in Access System directory server profiles are configured as expected. For more information about directory profiles, see Table 5-1, "General Oracle Access Manager Behavior Summary".

Form-based Authentication

10g (10.1.4.0.1) WebGates accept input data only in UTF-8 encoding. To ensure that character set encoding for the login form is set to UTF-8, add the following META tag to the HEAD tag of the login form HTML page: <META http-equiv="Content-Type" content="text/html;charset=utf-8">. For more information, see the Oracle Access Manager Access Administration Guide.

Maximum Elements in Session Token Cache

In earlier releases, the default value for this parameter was 100000. However, in Oracle Access Manager 10g (10.1.4.0.1), the default value has changed to 10000. You can find this parameter by navigating to the Access System Console, Access System Configuration tab, Access Server Configuration function. Look on the Details for Access Server page. For more information, see the Oracle Access Manager Access Administration Guide.

Oracle Access Protocol

In 10g (10.1.4.0.1), UTF-8 encoding is used for communication between Access System components to accommodate globalization. The OAP was formerly known as the NetPoint Access Protocol (NAP). For information about the Access Server and backward compatibility, see earlier discussions in this table.

Policy Manager API

The Policy Manager API was formerly known as the Access Management API. In 10g (10.1.4.0.1):

  • In the C language API, the ObAMMasterAuditRule_getEscapeCharacter remains and you may continue using this. However, the audit escape character must be an ASCII character; otherwise the return value is incorrect. In this case, you must modify your C code to use the new API.

  • On Java clients, the ObAMMasterAuditRule_getEscapeCharacter works correctly and you can continue using this even when the audit escape character is not an ASCII character.

  • In the C language API, a new ObAMMasterAuditRule_getUTF8EscapeCharacter has been added, which returns a pointer to the UTF-8 encoded audit escape character.

For more information, see the Oracle Access Manager Developer Guide.

Preferred HTTP Host

This WebGate configuration parameter is now mandatory before WebGate installation and must be configured with an appropriate value whenever a WebGate is added. (From the Access System Console, select Access System Configuration, Add New AccessGate.) This parameter defines how the hostname appears in all HTTP requests as users attempt to access the protected Web server. The hostname within the HTTP request is translated into the value entered into this field (regardless of the way the hostname was defined in an HTTP request from a user). For more information, see the Oracle Access Manager Installation Guide.

Shared Secret

The location of the shared secret key remains unchanged from earlier releases. However, in 10g (10.1.4.0.1), cookie encryption/decryption is handled by the Access Server. During an upgrade to 10g (10.1.4.0.1), the earlier encryption scheme is retained. For more information about Access Servers and WebGates, see other items in this table.

If you change the shared secret during a user session, the user does not need to re-authenticate. If a cookie is being decrypted with the old shared secret and the cookie is refreshed, it is encrypted with the new shared secret. For more information, see the Oracle Access Manager Access Administration Guide.

Triggering Authentication Actions After the ObSSOCookie Is Set

You can cause authentication actions to be executed after the ObSSOCookie is set. Typically, authentication actions are triggered after authentication has been processed and before the ObSSOCookie is set. However, in a complex environment, the ObSSOCookie may be set before a user is redirected to a page containing a resource. In this case, you can configure an authentication scheme to trigger these events. See also the Oracle Access Manager Access Administration Guide.

WebGates

In earlier releases, cookie encryption and decryption was accomplished by WebGates and AccessGates. In 10g (10.1.4.0.1), cookie encryption and decryption is accomplished by the Access Server. WebGates and AccessGates no longer need the shared secret key.

10g (10.1.4.0.1) WebGates have been redesigned and the WebGatestatic.lst file has been replaced with options you can configure using the Access System Console, Access System Configuration tab. See the Oracle Access Manager Access Administration Guide for details.

Earlier WebGates may coexist with 10g (10.1.4.0.1) Access Servers. However, each Access Server must be backward compatible with earlier WebGates. For more information, see details about Access Servers in this table, and the Oracle Access Manager Upgrade Guide.

The code for WebGates has been rewritten so that 10g (10.1.4.0.1) WebGates and AccessGates share the same code base. For more information, see the Oracle Access Manager Developer Guide.