Oracle® Access Manager Introduction 10g (10.1.4.2.0) Part Number B32410-01
This chapter lists the new features introduced with Oracle Access Manager 10g (10.1.4.0.1) and provides pointers to additional information in the suite of product manuals. It also describes the enhancements that become available when you apply Release 10.1.4 Patchset 1 (10.1.4.2.0) to your 10g (10.1.4.0.1) installation (or when you use the zero downtime upgrade method).
The following sections are included:
Triggering Authentication Actions After the ObSSOCookie Is Set
Enhancements Available with Release 10.1.4 Patch Set 1 (10.1.4.2.0)
The original product name, Oblix NetPoint (also known as Oracle COREid), has changed to Oracle Access Manager. Many component names remain the same. However, there are several important changes that you should know about, as shown in the following table:
All legacy references in the product or documentation should be understood to refer to the new names.
Identity System function names and user interface changes have been made to improve usability.
Access System function names and user interface changes have been made to improve usability.
See Also: This Oracle Access Manager Introduction provides an overview of 10g (10.1.4.0.1) and system behaviors.
Oracle Access Manager 10g (10.1.4.0.1) provides support for 29 languages through the use of Unicode and UTF-8 encoding.
See Also: This Oracle Access Manager Introduction provides an overview of globalization.
The Oracle National Language Support Library (NLSL) is installed automatically with each component. However, you may need to perform specific tasks before installation when you have a non-English (non-AMERICAN) operating system. You can install language packs together with components, or independently after component installation.
See Also: Oracle Access Manager Installation Guide
Automated language processing occurs during an upgrade to Oracle Access Manager 10g (10.1.4.0.1). In addition, you may need to take specific actions before and after the upgrade to ensure that older plug-ins operate properly, that workflows are incorporated, that auditing and access reporting work properly, and the like.
See Also: Oracle Access Manager Upgrade Guide
You must perform specific tasks to use multiple installed languages and display information in various supported languages.
As a result of globalization and translation of messages into 29 languages, some .lst files have been transformed into .xml files.
See Also: Specific file names in all manuals in this suite of books.
You must use form-based authentication for non-ASCII login credentials.
Multibyte support affects IdentityXML functions and parameters, compatibility with XML pages, SOAP/IdentityXML requests, and Identity Event Plug-in data sent to executables; it also affects compatibility with the Access Manager SDK, Access Manager APIs, and custom AccessGates.
See Also: Oracle Access Manager Developer Guide
Oracle Access Manager uses a locale-based, case-insensitive sorting method when you click a column heading (Full Name, for example) in the search results table.
Multibyte support and the behavior of custom C-language Authorization Plug-in Interfaces in 10g (10.1.4.0.1) (and earlier releases) are discussed, as well as backward compatibility with custom authorization plug-ins.
See Also: Oracle Access Manager Developer Guide
Globalization and multibyte support affect stylesheets and customizations.
The Access Manager API was formerly known as the Access Server API as described in "Product and Component Name Changes". The following updates have been made:
A new lazyload method has been added to the ObUserSession constructor in the Access Manager API as a result of the WebGate rewrite.
See Also: Oracle Access Manager Developer Guide
New diagnostics have been added as a result of the WebGate rewrite.
See Also: Oracle Access Manager Developer Guide
New status codes have been added as a result of the WebGate rewrite.
See Also: Oracle Access Manager Developer Guide
You can now audit to an Oracle Database as well as to Microsoft SQL Server. The Crystal Reports package is no longer provided with the Oracle Access Manager package. You must obtain this product from the vendor.
Disabling Authentication Schemes: It is no longer necessary to disable an authentication scheme before you modify it.
Persistent Cookies in Authentication Schemes: You can configure an authentication scheme that allows the user to log in for a period of time rather than a single session.
Overview: A brief overview of Oracle Access Manager 10g (10.1.4.0.1) product behaviors is outlined for quick reference.
See Also: This Oracle Access Manager Introduction
Summary of Earlier Behaviors and New Behaviors in Upgraded Environments: Numerous changes have been made to support globalization. In addition, a number of other changes have been made to improve usability and performance. A brief overview of Oracle Access Manager 10g (10.1.4.0.1) product behaviors is outlined for quick reference.
See Also: Oracle Access Manager Upgrade Guide
Information on configuring Oracle Access Manager for multiple directory searchbases, also called disjoint domains or realms, has been expanded.
You can dynamically assign a user to a target on a create user workflow. For example, you can define a create user workflow that enables user A to log in under ou=users, invoke the workflow, and create user B whose entry is automatically determined to be in the same ou as user A. This ability always existed in the Identity System, and is now explicitly documented in the chapter on workflows.
You can authorize users by querying external authentication systems.
When the Access System at a Service Provider site receives a request from a user in a federated environment, it may need to get additional information about the user from the user's Identity Provider. You can configure the Access System to query external Identity Providers for user authorization.
Oracle HTTP Server (OHS) support is provided with this release for WebPass, Access Manager, and WebGate components.
Oracle Internet Directory support is included in this release for general use.
Updates and additions to Apache v1 and v2 chapters.
A new chapter has been added that describes how to install the globalized product and how to prepare to install in a multi-language environment.
Following the acquisition of OctetString by Oracle, this chapter moved from the Oracle Access Manager Integration Guide and includes minor changes for clarification, product branding, and new information to describe graphics.
See Also: Oracle Access Manager Installation Guide.
All chapters in the Oracle Access Manager Integration Guide describe implementation details for a specific integration.
MIIS: The MIIS provisioning solution is deprecated in this release.
OracleAS Single Sign-On Server: You can configure single sign-on between the Access System and the . An older version of this chapter previously existed in the Oracle Access Manager Developer Guide. It provides updated information on configuring single sign-on between Oracle Access Manager and Oracle Application Server 10g (OracleAS 10g). When you configure single sign-on you also provide identity management functionality across the Web-based applications running on Oracle Application Servers, for example, Oracle eBusiness Suite, Oracle Forms, Portals, and other Access System-protected resources. Included in this new version is information about the OHS WebGate (Apache WebGate information has been removed).
SAP: The SAP Enterprise Portal 6.0 can now be protected by the Access System.
RSA Securid: Minor clarifications have been made to this chapter based on input from the field.
Security Connector for WebLogic SSPI: Several clarifications have been made to this chapter.
Oracle Virtual Directory: Integration with Oracle Virtual Directory (formerly known as OctetString Virtual Directory Engine) has been updated and moved to the Oracle Access Manager Installation Guide from the Oracle Access Manager Integration Guide.
WebSphere: The integration with WebSphere Application Server (WAS) 4 is deprecated in this release. The information in this chapter has been updated for WAS 5 and 6.
Plumtree: The previous integration with Plumtree Corporate Portal is supported in this release. However, note that the most recent version of Plumtree Corporate Portal is now known as BEA Aqualogic Interaction.
Oracle Enterprise Manager 10g Identity Management Pack: Out-of-box system modeling is provided for Oracle Access Manager and other products in the Oracle Identity and Access Management Suite. For more information, see the Oracle Enterprise Manager Concepts Guide and Oracle Enterprise Manager Advanced Configuration Guide. Online help is available through Oracle Enterprise Manager.
Changes to logging parameters take effect within one minute, rather than requiring you to restart the server where the changes were made.
There have been several schema changes in this release to support password policy enhancements and lost password management.
The following oblixPersonPwdPolicy attributes have been added: obAnsweredChallenges, obYetToBeAnsweredChallenges, obLastSuccessfulLoginTime, obLastFailedLoginTime.
A new object class named oblixLPMPolicy has been added.
This object class stores information about new lost password management policies, including the challenges and responses that have been configured and how challenge phrases are presented to users.
The following attributes have been added to oblixDBInstance: obDatabaseName, obDSNName.
The following attributes have been added to oblixAAAEngineConfig: obSessionTokenCache, obMaxSessionTokenCacheElements.
The definition of obCompoundData has been updated throughout the Oracle Access Manager Schema Description.
See Also: Oracle Access Manager Schema Description.
Until release 10g (10.1.4.0.1), the obVer attribute was purely informational. However, starting with release 10g (10.1.4.0.1), the obVer attribute in the oblixOrgPerson class is used by the Identity and Access Servers to support encoding of multiple challenge phrase and response attributes for lost password management.
If you use complex stylesheets, you may want to increase the value of the StringStack parameter in globalparams.xml.
See Also: Oracle Access Manager Customization Guide for stylesheet and parameter references.
You can configure the minimum and maximum number of characters users can specify in a password. For lost password management, you can set multiple challenge-response pairs, create multiple stylesheets, and configure other aspects of the user's lost password management experience. You can also redirect users back to the originally requested page after resetting a password.
Oracle Access Manager 10g (10.1.4.0.1) supports multiple challenge phrases and response attributes using the value of the obVer attribute in the user entry (OblixOrgPerson) to indicate the encoding for challenge phrase and response attributes. This has implications when upgrading from an earlier release to Oracle Access Manager 10g (10.1.4.0.1).
See Also: Oracle Access Manager Identity and Common Administration Guide and Oracle Access Manager Upgrade Guide.
Web Services code samples have been added to illustrate how to use IdentityXML Web Services to make calls to a WebPass. Two samples have been added, to show how to create a Web service call when a WebPass is protected by a WebGate and when a WebPass is not protected by a WebGate.
See Also: Oracle Access Manager Developer Guide.
You can cause authentication actions to be executed after the ObSSOCookie is set.
Typically, authentication actions are triggered after authentication has been processed and before the ObSSOCookie is set. However, in a complex environment, the ObSSOCookie may be set before a user is redirected to a page containing a resource. In this case, you can configure an authentication scheme to trigger these actions after the cookie is set.
Because Oracle Access Manager performance depends on directory performance, ensure that your directory server is tuned.
See Also: Oracle Access Manager Deployment Guide.
There are best practices for optimizing workflow performance.
To minimize the impact that workflows have on server performance, you can tune various parameters in workflowdbparams.xml. You can also tune various workflow search parameters to enhance performance.
See Also: Oracle Access Manager Deployment Guide.
There are best practices for optimizing network and Oracle Access Manager performance.
See Also: Oracle Access Manager Deployment Guide.
You can get a quick look at the upgrade paths from various starting releases, as well as the upgrade process.
There has been a change in the release numbering that you should be aware of.
Review the summary of 10g (10.1.4.0.1) behaviors as compared with behaviors in previous releases.
Find out what is preserved and what manual processes are needed after the upgrade.
See Also: Oracle Access Manager Upgrade Guide
WebGates have been updated to use the same code as the Access System, and WebGate configuration parameters that once existed in WebGateStatic.lst have been moved to the Access System Console. The WebGateStatic.lst file no longer exists.
After installing new WebGates or upgrading to 10g (10.1.4.0.1) WebGates, you can now configure such parameters as IPValidation and IPValidationExceptions from the Access System Console, Access System Configuration tab.
When you have older WebGates and new 10g (10.1.4.0.1) Access Servers, you must set the isBackwardCompatible flag to "true" in the new 10g (10.1.4.0.1) Access Server globalparams.xml file.
Check for new details about customizing to allow auto-login.
Look for new information about denying access to unprotected resources automatically.
Oracle Access Manager 10g (10.1.4.0.1) updates specific software and configuration files contained in your existing 10g (10.1.4.0.1) Oracle home. The result is improvements to the reliability and performance of the software.
In addition, Oracle Access Manager 10g (10.1.4.0.1) provides additional functionality to several key features. The following table provides a summary of the additional features that are available to you after you apply the patch set to a 10g (10.1.4.0.1) installation.
Feature | Description |
---|---|
Added deployment details and back up and recovery strategies | A new chapter has been added to describe various deployment strategies and scenarios for Oracle Access Manager. For details, see the chapter on deployment scenarios in the Oracle Access Manager Deployment Guide.
A new chapter has been added to outline various back up and recovery strategies for Oracle Access Manager installations. For details, see the chapter on back up and recovery strategies in the Oracle Access Manager Deployment Guide. |
Zero downtime upgrade method is provided as an alternative to the standard in-place component upgrade | You can now perform an upgrade without shutting down service to your Oracle Access Manager customers. The zero downtime upgrade method is provided as an alternative to the standard in-place component upgrade.
The Oracle Access Manager Upgrade Guide describes how you can perform a zero downtime upgrade. |
Added functions for updating the LDAP bind password | You may need to periodically update the LDAP bind password for the directory servers that communicate with Oracle Access Manager components. For example, you may want to update the LDAP bind password to comply with government regulations.
Functionality for updating the LDAP bind password has been added in this release. See the Oracle Access Manager Deployment Guide for details. Note that in previous releases, after updating the LDAP bind password, it was necessary to re-run setup. In this release, it is no longer necessary to rerun setup. |
Assigning a Delegate impersonation level to the client | In addition to configuring impersonation for resources on a computer that is protected by a WebGate, you can extend impersonation to other resources on the network. This is known as assigning a Delegate impersonation level to the client.
See the chapter on Windows Impersonation in the Oracle Access Manager Integration Guide for details. |
New configuration parameters for IdentityXML | When using IdentityXML, the XSLProcessor parameter in the file globalparams.xml indicates the processor to use when generating the page. The only officially supported value, default, indicates that the XDK processor should be used. The values XALAN or DGXT can be used for testing.
See the appendix on configuration parameters in the Oracle Access Manager Customization Guide for details. |
New parameter to halt automatic user data migration when performing a zero downtime upgrade | A new parameter in the globalparams.xml file, MigrateUserDataTo1014, is used by the Identity Server and Access Server during a zero downtime upgrade. The value of MigrateUserDataTo1014 halts automatic user data migration when a user first logs in after upgrading. Only the multiple challenge and response attributes for Lost Password Management are affected.
See the zero downtime upgrade details in the Oracle Access Manager Upgrade Guide. |
Enhancements to xsl files | Enhancements have been made to certain xsl files to support a JavaScript-related fix and a number of large-group-related fixes. These xsl files are available when you install the 10.1.4.2.0 patch set.
For more information, see Oracle Access Manager Customization Guide. |
Log the time consumed by different types of calls to external components | You can now generate logs that show details about the time consumed by different types of calls to external components. Using this information, you can better assess whether requests to specific components are taking longer than expected.
For more information, see the Oracle Access Manager Identity and Common Administration Guide. |
Group performance is improved | For large static groups, for example, groups with over 10,000 members, operations that involve the group can cause memory to spike.
Group performance has been improved in this release. However, if you find that a large static group still affects performance, you can modify the default evaluation method for the group using the There are a number of additional actions that you can take to improve the performance of large groups. See the chapter on performance tuning in the Oracle Access Manager Deployment Guide for details. |
When auditing to a database, Oracle Instant Client binaries are now shipped with the Identity Server and Access Server | This eliminates the requirement for a 10.1.0.5 ORACLE_HOME on the computer that hosts them. |
NLS libraries and data files | Even if an environment variable is set to ORACLE_HOME or ORA_NLS10, or a third-party Web component refers to a different version of the NLS libraries and data files than the one used by Oracle Access Manager, Oracle Access Manager components choose NLS data files from the oracle_access_manager_component_install_dir. For more information, see the Oracle Access Manager Installation Guide. |
Limit the number of retries that the WebGate performs for a non-responsive server | A WebGate-to-Access Server timeout threshold specifies how long (in seconds) the WebGate waits for the Access Server to respond before it considers it unreachable and attempts the request on a new connection. However, if the Access Server takes longer to service a request than the value of the timeout threshold, the WebGate abandons the request and retries the request on a new connection. Note that the new connection that is returned from the connection pool can be to the same Access Server, depending on your connection pool settings. Additionally, other Access Servers may also take longer to process the request than the time allowed by the threshold. In these cases, the WebGate can continue to retry the request until the Access Servers are shut down.
You can now configure a limit on the number of retries that the WebGate performs for a non-responsive server using the See the Oracle Access Manager Access Administration Guide for details. |
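The timeout-and-retry loop described in this row, as an added simulation that is not Oracle code: a pooled connection may hand the request back to the same slow Access Server, so without a retry cap the WebGate keeps retrying; with a cap it abandons the request after a bounded number of attempts. Server names, service times, the round-robin pool and the simulation guard are constructed assumptions for illustration.

```python
"""Simulation of WebGate-to-Access Server timeout/retry behaviour.
Added example, not part of Oracle Access Manager. All values are constructed."""
from dataclasses import dataclass, field
from itertools import cycle
from typing import List, Optional, Tuple


@dataclass
class AccessServer:
    name: str
    service_time: float  # seconds this server needs to service one request (constructed)


@dataclass
class Attempt:
    server: str
    outcome: str  # "ok" or "timeout"


@dataclass
class WebGateSim:
    pool: List[AccessServer]
    timeout_threshold: float    # seconds the WebGate waits before treating the server as unreachable
    max_retries: Optional[int]  # None models the unbounded pre-patch behaviour
    attempts: List[Attempt] = field(default_factory=list)

    def send(self, guard: int = 50) -> str:
        """Return "served" or "abandoned".

        `guard` exists only so the unbounded case terminates in this simulation;
        the behaviour the page describes has no such guard, which is exactly why
        the configurable retry limit was added."""
        # A round-robin pool: with a single server, every "new" connection goes
        # back to the same Access Server, as the page warns can happen.
        connections = cycle(self.pool)
        retries = 0
        while len(self.attempts) < guard:
            server = next(connections)
            if server.service_time <= self.timeout_threshold:
                self.attempts.append(Attempt(server.name, "ok"))
                return "served"
            # Server exceeded the threshold: WebGate abandons this attempt.
            self.attempts.append(Attempt(server.name, "timeout"))
            if self.max_retries is not None and retries >= self.max_retries:
                return "abandoned"   # retry limit reached
            retries += 1             # retry on a new (possibly identical) connection
        return "abandoned"           # simulation guard hit: unbounded retry loop


def run_scenario(pool: List[AccessServer], timeout_threshold: float,
                 max_retries: Optional[int]) -> Tuple[str, int]:
    """Run one request and return (outcome, number of attempts made)."""
    sim = WebGateSim(pool, timeout_threshold, max_retries)
    outcome = sim.send()
    return outcome, len(sim.attempts)


if __name__ == "__main__":
    slow = AccessServer("AS1", service_time=30.0)   # constructed: slower than threshold
    fast = AccessServer("AS2", service_time=2.0)    # constructed: within threshold
    print("single slow server, no limit:", run_scenario([slow], 10.0, None))
    print("single slow server, 3 retries:", run_scenario([slow], 10.0, 3))
    print("slow then healthy server:", run_scenario([slow, fast], 10.0, None))
```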
Preferred HTTP Host | With Oracle Access Manager 10.1.4.0.1, the Preferred HTTP Host field became required. This introduced issues for environments that support virtual hosting.
In this release, to support virtual hosts you set the Preferred HTTP Host value to HOST_HTTP_HEADER for most Web hosts or SERVER_NAME (Apache only). Additional configuration is required for IIS. See the chapter on configuring Access Servers and AccessGates in the Oracle Access Manager Access Administration Guide for details. |
New diagnostic tools | The Access Server and Identity Server have new diagnostic tools to help you work with an Oracle Technical Support representative to troubleshoot problems.
The diagnostic tools enable you to do the following:
See the Oracle Access Manager Identity and Common Administration Guide for details. |
Log file enhancements | Operating system error information is now included in the logs. For example, when an attempt to create a listener thread fails, the error code returned on GetLastError() is added to the log files. |
Switching from a Solaris platform to a Linux platform when upgrading to 10g (10.1.4.0.1) | The Oracle Access Manager Upgrade Guide includes a new chapter that explains how you can upgrade to 10g (10.1.4.0.1) while making a switch from a Solaris platform to a Linux platform. |
The webpass.xml file poll tracking refresh parameter is configurable | When setting up multiple Identity Servers or modifying WebPass, administrators can now configure the PollTrackingRefreshInterval in the webpass.xml file. This interval should be configured in seconds. There are implications when setting up multiple Identity Servers or modifying a WebPass instance.
See the Oracle Access Manager Identity and Common Administration Guide for details. |
Users can be logged in automatically after changing their password | To configure automatic login, the change password redirect URL must include STLogin=%applySTLogin% as a parameter.
The following is an example of a change password redirect URL that logs the user in: http://machinename:portnumber/identity/oblix/apps/lost_password_mgmt/bin/lost_password_mgmt.cgi?program=redirectforchangepwd&login=%login%%userid%&backURL=%HostTarget%%RESOURCE%&STLogin=%applySTLogin%&target=top
To implement this with a form-based authentication scheme, you must configure the challenge parameter See the Oracle Access Manager Identity and Common Administration Guide for details. |
Write a stack trace to a log file | If Oracle Access Manager experiences a core dump, it can now write a stack trace to a log file. To enable this functionality, you turn on logging at any minimal level.
You can send the log file that contains the stack trace information to Oracle, along with a report of the problem. See the appendix on troubleshooting in the Oracle Access Manager Identity and Common Administration Guide for details. |
New parameters for directory server failover | A new parameter in globalparams.xml named LDAPOperationTimeout sets an amount of time that the Identity Server, Access Server, or Policy Manager waits for a response from the directory server for a single entry of a search result before the component fails over to a secondary server, if one is configured.
A See the chapter on failover in the Oracle Access Manager Deployment Guide and the appendix on parameter files in the Oracle Access Manager Customization Guide for details. |
Resetting the LDAP bind password in configuration files | You may need to periodically update the LDAP bind password for the directory servers that communicate with Oracle Access Manager components. The ModifyLDAPBindPassword command enables you to reset the LDAP bind password in the Oracle Access Manager configuration files. You can reset the LDAP bind password without restarting any servers or re-running setup.
See the chapter on reconfiguring the system in the Oracle Access Manager Deployment Guide for details. |
Directory server searches are minimized for certain operations | In previous releases, it could take a long time to create a large number of policy domains and URL prefixes in the Policy Manager. In this release, searches to the directory server have been minimized for these operations, resulting in better performance for these operations. |
Assigning a Delegate impersonation level to the client | In addition to configuring impersonation for resources on the computer that is protected by a WebGate, you can extend impersonation to other resources on the network. This is known as assigning a Delegate impersonation level to the client.
Note that the information on impersonation has moved from the Oracle Access Manager Access Administration Guide to the Oracle Access Manager Integration Guide. See the chapter on configuring impersonation in the Oracle Access Manager Integration Guide for details. |
Integration Support Enhanced | Release 10.1.4 Patchset 1 (10.1.4.2.0):
Integration support includes SharePoint Office Server 2007. See the chapter on integrating with SharePoint in the Oracle Access Manager Integration Guide for details.
Integration support with SAP NetWeaver is provided. See the chapter on integrating with SAP in the Oracle Access Manager Integration Guide for details.
Integration support with Siebel in a multi-domain Active Directory environment is provided. See the chapter on integrating with Siebel in the Oracle Access Manager Integration Guide for details.
Integration support with WebLogic 9.2 is provided. See the chapter on integrating with WebLogic in the Oracle Access Manager Integration Guide for details.
Integration support with WebSphere 6.1 is provided. See the chapter on integrating with WebSphere in the Oracle Access Manager Integration Guide for details. |