Release Notes

BEA AquaLogic Enterprise Security Version 2.1 Release Notes

This document includes release notes for BEA AquaLogic Enterprise Security 2.1 and 2.1 Service Pack 1:

Release Notes for AquaLogic Enterprise Security 2.1 Service Pack 1

This section describes features and changes in Service Pack 1 for BEA AquaLogic Enterprise Security 2.1. Be sure to see Release Notes for AquaLogic Enterprise Security 2.1 for information about features and changes, issues fixed, and known issues in that release.

This section covers the following topics:

What's New in BEA AquaLogic Enterprise Security 2.1 Service Pack 1

AquaLogic Enterprise Security 2.1 Service Pack 1 includes the following new features:

Support for installing the WebLogic Server SSM on the AIX 5.3 platform. For AIX installation procedures, see Installing the WebLogic Server v8.1 Security Service Module.
An Authorization cache feature for Web Services client applications. For information about this feature, see

Supported Configurations in BEA AquaLogic Enterprise Security 2.1 Service Pack 1

All platforms supported by AquaLogic Enterprise Security 2.1 are supported by this Service Pack. In addition:

Service Pack 1 adds support for running the WebLogic Server SSM on IBM AIX 5.3.
Cumulative Patch 4 adds support for Solaris 10 and Oracle 10g R2 (Oracle 10.2.0.1.0).

Installation Information

This section provides information about installing AquaLogic Enterprise Security 2.1 Service Pack 1. Service Pack 1 requires uninstalling your previous version of ALES and making a fresh installation.

Preparing to Install

If you have any previous versions of ALES installed and you want to keep your current ALES policy, export it using the ALES Policy Export tool.

Uninstall any previous versions of ALES you have installed.

Installation Procedure

To install ALES 2.1 SP1, run the appropriate installation program for your platform and the ALES product component. For installation instructions, see the following documentation:

ALES 2.1 SP1 includes files for use with each ALES 2.1 product and each supported operating system.

Administration Application:

ales211admin_rhas21_IA32.bin
ales211admin_rhas3_IA32.bin
ales211admin_solaris32.bin
ales211admin_win32.exe

Security Service Module:

ales211ssm_rhas21_IA32.bin
ales211ssm_rhas3_IA32.bin
ales211ssm_solaris32.bin
ales211ssm_aix32.jar
ales211ssm_win32.exe

Post-Installation Tasks

If you exported a previous ALES policy using the ALES Policy Export tool, after you complete the installation you can import it into ALES 2.1 sp1 using the ALES Policy Import tool.

Binding SCM to a Configurable IP Address

The following instructions are needed only if the SCM needs to bind to a configurable IP address.

Install ALES 2.1 sp1 for the Administration Application and Security Service Module.

Open for edit the BEA_HOME/ales21-scm/apps/scm-asi/SAR-INF/config.xml file.

Change the port on the public-soap-server to 7015 so that it looks as follows:

<public-soap-server>

    <listener host="<MachineIP>" port="7015" protocol="https">

...

Also change the IP address of the local-soap-server from 127.0.0.1 to your <MachineIP> so that it looks as follows:

<local-soap-server>

    <listener host="<MachineIP>" port="7013" protocol="https">

...

Edit the BEA_HOME/ales21-admin/config/WLESarme.conf file and add the following property to it:

scmHostname <MachineIP >

For any SSM instances already created the following file will also need this property. BEA_HOMEales21-ssm/<ssm-type>/instance/<instance-name>/conf/WLESarme.conf

Edit the ales21-admin/config/WLESWebLogic.conf and add the following Java System property to the correct place as follows:

wrapper.java.additional.26=-Dwles.scm.hostname=<MachineIP>

If you are using Tomcat as the web server to host the admin console app then you need to make the same edit to the WLESTomcat.conf file.

Edit BEA_HOME/ales21-admin/bin/WLESadmin.sh/bat and replace port 7013 with 7015 in the start() and init() functions.

If there are any SSMs installed on the same machine then the following changes need to be also made:

For a Web Services SSM instance, do the following:

Edit the BEA_HOME/ales21-ssm/webservice-ssm/instance/<instance-name>/config/security.properties to add the following Java property at the end as follows:

wles.scm.hostname=<MachineIP>

Edit the BEA_HOME/ales21-ssm/webservice-ssm/instance/<instance-name>/bin/set-env.sh/bat to add the following Java property at the correct place as follows:

set WLES_JAVA_OPTIONS=%WLES_JAVA_OPTIONS% -Dwles.scm.hostname=<MachineIP>

For a WLS SSM instance, edit the ales21-ssm/wls-ssm/instance/<instance-name>/bin/set-wls-env.sh/bat to add the following Java property at the correct place as follows:

set WLES_JAVA_OPTIONS=%WLES_JAVA_OPTIONS% -Dwles.scm.hostname=<MachineIP>

For a Java SSM instance, edit the ales21-ssm/java-ssm/instance/<instance-name>/bin/set-env.sh/bat to add the following Java property at the correct place as follows:

set WLES_JAVA_OPTIONS=%WLES_JAVA_OPTIONS% -Dwles.scm.hostname=<MachineIP>

The Service Pack changes have been made and the system can now be initialized. Now run the Oracle or Sybase schema installers from the ales21-admin/bin directory. Run either BEA_HOME/ales21-admin/bin/install_schema_oracle.sh/bat or BEA_HOME/ales21-admin/bin/install_schema_sybase.sh/bat depending on your database.

Note: The default domain name during install was asi and hence if you have not changed it then enter asi when the install schema scripts ask for domain instead of the default, which is the database user ID.

Known Issues Fixed in Service Pack 1 for BEA AquaLogic Enterprise Security 2.1

Table 1 lists the known issues fixed in this Service Pack 1 for AquaLogic Enterprise Security 2.1.

Table 1 Known Issues Fixed in this Release

Change Request Numbers	Description	Release Fixed
CR254557	Fixed an exception problem when using queryResources.	2.1sp1
CR257394	SCM should be able to bind to a configurable IP address or Hostname.	2.1sp1
CR210788	SCM or startup script deletes SCM cache on startup. See Binding SCM to a Configurable IP Address.	2.1sp1
CR267278	EJB could not be deployed to ALES-enabled WLS domain.	2.1sp1

Release Notes for AquaLogic Enterprise Security 2.1

The following topics are covered is this section:

For information about Service Pack 1 for AquaLogic Enterprise Security 2.1, see Release Notes for AquaLogic Enterprise Security 2.1 Service Pack 1.

AquaLogic Enterprise Security 2.1 Features and Changes

Welcome to BEA AquaLogic Enterprise Security 2.1! As the world's leading application infrastructure company, BEA® supplies a complete platform for building, integrating, and extending J2EE applications to provide business solutions. Companies select the BEA WebLogic® Platform^TM as their underlying software foundation to decrease the cost of information technology, leverage current and future assets, and improve productivity and responsiveness.

Now, BEA is extending its Application Security Infrastructure by offering the BEA AquaLogic Enterprise Security^TM product line—a family of security solutions that provide enhanced application security and includes: policy-based delegated administration, authentication with single sign-on, consolidated auditing, and dynamic-role and policy-based authorization with delegation.

BEA AquaLogic Enterprise Security products are designed with an open and flexible standards-based framework that enforces security through a set of security services. You can protect you applications and other resources by customizing these services to meet the specific requirements of your business.

This section covers the following topics:

What's New in BEA AquaLogic Enterprise Security 2.1

The following topics describe what is new in this release:

Management Enhancements

The following sections describe management enhancements:

Enhancements to BLM Java API

The BLM API has been enhanced to included configuration management operations so that the BLM supports all of the functionality offered by the Administration Console.

This BLM API provides programmatic access to the AquaLogic Enterprise Security policy management infrastructure. This is a Java API that uses SOAP to communicate with the central management services. In addition to using this API to create and manage of users, groups, roles, resources, and resource policies, you can now use it to define security configurations and to distribute those configurations to SSMs—all of the same functions supported by the Administration Console.

Public Web Service Interface for management operations

The Web Services API offers management interfaces to provide functionality similar to the Administration Console and BLM.

Administration Server Enhancements

Administration Server Does Not Depend on WebLogic Server—The Administration Server is supported on Tomcat 5.0.28 (Servlet 2.3). The Administration Server is also supported on BEA WebLogic Server 8.1, Sp4 and Sp5.
Administration Console Usability Enhancements—The Administration Console GUI has been updated for usability. The resulting GUI is more intuitive and easier to use.
Policy Distributor service has been merged into the BLM service.

SAML 1.1 Compliance

IIS and Apache SSMs implement SAML POST profile that is fully conformant to SAML 1.1 specifications. Also applications can invoke SAML Credential Mapper and SAML Identity Assertion to generate and verify SAML 1.1 compliant assertions.

Support for Single Sign-on with WebLogic Server Security Framework

In this release, the ALES identity asserter supports for single sign-on (SSO) between ALES and the WebLogic Server Security Framework such that SSO can be achieved between Web Servers protected by ALES and regular WebLogic Server/WebLogic Portal. With this support, user authenticated on ALES do not have to be re-authenticated to log into on WebLogic Server or WebLogic Portal.

Additional Platform Support

In this release of AquaLogic Enterprise Security, the following additional support has been added:

The Apache 2.0.54 Security Service Module (SSM) is supported on Microsoft Windows 2000 and 2003.
Oracle 10.1.0.4 is supported as a policy store.
The Administration Server is supported on Microsoft Windows 2003.

Support for Integration with the AquaLogic Data Services Platform

In this release, AquaLogic Enterprise Security can be used to protect AquaLogic Data Services Platform (ALDSP) data. You can use AquaLogic Enterprise Security to create and enforce a set of policies to control access to an entire data service or to individual fields returned by a data service. Integration with AquaLogic Data Services Platform v8.5 is supported.

Enhanced Policy Analysis Tool

The policy analysis tool has been enhanced to include role and group membership information.

WebLogic Server 8.1 Service Pack Compatibility

The BEA AquaLogic Enterprise Security Version 2.1 is certified as compatible with WebLogic Server 8.1, Service Pack 4 and Service Pack 5 (Service Packs 1, 2, and 3 are not supported).

Policy Data Export Tool Extended to Support XACML 2.0 Format

The Policy Export tool provided by the Administration Server now allows you to export policy data in XACML 2.0 format.

Support for Migration of WLES 4.2 Sp2 to ALES 2.1

Users of WebLogic Enterprise Security (WLES) 4.2 Sp2 can migrate to ALES 2.1 and export, modify, and import policy data written for WLES to ALES. For instructions, see Upgrading an Administration Server to AquaLogic Enterprise Security 2.1 in the Policy Managers Guide.

Supported Configurations

Table 3 lists the releases of BEA AquaLogic Enterprise Security for each platform BEA supports. The BEA AquaLogic Enterprise Security products can used on the following platforms:

Intel Pentium compatible Microsoft Windows 2000 Sp4 and later (for Professional, Server, and Advanced Server) and with Microsoft Windows 2003 Sp1 and later.
Sun Microsystems Sparc with Solaris (version 8 or 9)
Linux Red Hat Advanced Server 2.1 and 3.0 (Update 4)

Note: Windows XP is supported only as a platform to run the Administration Console. The Windows XP system display should be run in Classic Style to achieve compatibility with the Administration Console.

Table 2 lists the platform on which each AquaLogic Enterprise core component is supported.

Table 2 ALES Core Components

Component	Platforms	Operating System
Administration Console Browser	Microsoft Internet Explorer 6.0	Microsoft Windows 2000 Sp4 Microsoft Windows 2003 Sp1
Administration Server	WebLogic Server 8.1 Sp4 and Sp5 Tomcat 5.0.28	Sun Solaris 8, 9, 10(32-bit) Microsoft Windows 2000 Sp4 Microsoft Windows 2003 Sp1 Red Hat Advanced Server 2.1 Red Hat Advanced Server 3.0 Update 4 (32 bit)
Policy Store	Oracle 9.2.0.5, 10.1.0.4, and 10.2.0.1.0 Sybase 12.5.2
User Directory	Microsoft Windows NT Domain Microsoft Active Directory¹ SunONE Directory Server v5.2 Novell eDirectory v8.7.31 Open LDAP v2.2.24 Oracle 9.2.0.5, 10.1.0.4, and 10.2.0.1.0 Sybase 12.5.2

1. AD/AM is not currently supported.

Table 3 ALES Security Service Modules (SSMs)

SSM	Platform Version(s)	Windows 2000 Sp4 and later	Windows 2003 Sp1 and later	Solaris 8 and 9	Red Hat AS 2.1	Red Hat AS 3.0 (Update 4)
IIS Web Server	IIS 5.0	Yes	No	No	No	No
Apache Web Server	ASF Apache 2.0.54	Yes	Yes	Yes	No	Yes
Web Services	NA	Yes	Yes	Yes	Yes	Yes
BEA WebLogic Platform	WLS 8.1 Sp4, Sp5 WLP 8.1 Sp4, Sp5	Yes	Yes	Yes	Yes	Yes
Java	JDK 1.4.2	Yes	Yes	Yes	Yes	Yes

Internationalization

AquaLogic Enterprise Security 2.1 does not provide support for localization, either to support specific GUI languages or character code-sets. AquaLogic Enterprise Security 2.1 has not been certified on internationalized operating systems or databases.

Known Issues Fixed in this Release of BEA AquaLogic Enterprise Security 2.1

Table 4 lists the known issues fixed in this release of AquaLogic Enterprise Security 2.1.

Table 4 Known Issues Fixed in this Release

Change Request Numbers	Description	Release Fixed
CR236155	On setup, the installer creates several users and groups (`asiusers` and `asiadgrp`). However, if the machine was in a domain or had a password policy, the installer would fail if the you enter a password that does not adhere to the domain password policy.	2.1
CR210958	The Authorization and Role Mapping Engine (ARME) did not report the name of the missing attribute in an exception.	2.1
CR2465105	After 60 days, Microsoft Windows updated `userid` such that it prevented services from starting.	2.1
CR246245	Policy data exported for the Administration Server using the Policy Export tool could not be imported without manual intervention.	2.1
CR253300	The Base64 encoding/decoding attribute was required to be unchecked when configuring SAML Providers for use on SSMs.	2.1
CR191571	Security Provider MBean console display did not show additional attributes in the order in which they were defined.	2.1
CR233504	When using the Administration Console, You could not create or clone a `DENY` role mapping or authorization policy without first creating a `GRANT` policy and changing it to `DENY`. As the system user, when you tried to create a `DENY` policy, you received the following warning message: `user system is not authorized to perform the create operation on Policy/Rule/Deny within the //app/policy/WLES/admin` even though you were not trying to create a DENY policy for `//app/policy/WLES/admin`.	2.1
CR237686	On Microsoft Windows, the export-oracle-policy did not work for paths that contained spaces.	2.1
CR239841	The Database Authentication Provider failed to start when the Database Plugin was not available.	2.1

Known Issues in BEA AquaLogic Enterprise Security 2.1

This section describes known limitations in BEA AquaLogic Enterprise Security, Version 2.1 and may include a possible workaround or fix, where applicable. If an entry includes a CR (Change Request) number, a possible solution may be provided in a future BEA AquaLogic Enterprise Security 2.1 release where BEA will provide vendor specific code to fix the problem. Refer to the CR number to conveniently track the solution as problems are resolved.

Please contact your BEA Technical Support for assistance in tracking any unresolved problems. For contact information, see the section Contacting BEA Customer Support.

Table 5 lists the known issues in this release of AquaLogic Enterprise Security 2.1.

Table 5 Known Issues in this Release

Change Request Numbers	Description	Release Fixed
CR253783	When uninstalling the SSM or the SCM associated with the SSM on UNIX operating systems (Red Hat 2.1 and Solaris 9), and you select the option to delete the SCM installation directory, the directory is not deleted. CONFIGURATION: UNIX platforms. WORKAROUND: Delete the directory manually.
CR240914	The Combo SSM installer Hangs on the Active Directory Domain Controller page. When running the combo SSM installer on a Microsoft Windows 2000 Domain Controller (promoted because of using Active Directory), at the step where the installer prompts for ASI users and groups to be added, the installer hangs. The Event Viewer System Log contains the following comment: The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: `magellan.corp`. CONFIGURATION: Microsoft Windows Domain Controller promoted for Active Directory (dcpromo). WORKAROUND: None.
CR255269	Attempts to load a query name that ends with a space fail. Even though the procedure ends by displaying a success message, when you try to display the query, a message box pops up stating "the policy inquiry query is not found". CONFIGURATION: Solaris 9 and WebLogic Server 8.1 Sp4 WORKAROUND: None
CR254557	The queryResources feature does not work properly and an exception is thrown. CONFIGURATION: All. WORKAROUND: None	2.1sp1
CR133819	You cannot secure web servers or any resource that contains an IP address as a resource attribute because resource attributes that start with a number are not accepted. This prevents you from completely securing web servers that can be accessed by IP addresses as well as by host name. For example, you can write a policy to protect www.foo.com, but if you can access that same server as 10.0.10.45, you cannot write a policy to fully protect it. CONFIGURATION: All Microsoft Windows platforms. WORKAROUND: None.
CR253787	In the Administration Console, if you use the Filter function or role mapping policies or authorization policies and there is no policy to satisfy the filter that you enter, if you subsequently click the New button to enter a new role mapping or authorization policy, the policy appears in the right pane but it cannot be edited or cloned. Further, if you try to delete the policy, you get an "Object not found" error. on the other hand, if there is a policy that satisfies the defined filter, if you enter a new policy, everything works properly. CONFIGURATION: Administration Server on Microsoft Windows using Tomcat or WebLogic Server v8.1 Sp4. WORKAROUND: None

Contacting BEA Customer Support

Your feedback on the product documentation is important to us. Send us e-mail at docsupport@bea.com if you have questions or comments. Your comments will be reviewed directly by the BEA professionals who create and update the product documentation.

In your e-mail message, please indicate that you are using the documentation for the BEA AquaLogic Enterprise Security Version 2.1 release.

If you have any questions about this version of the BEA AquaLogic Enterprise Security product, or if you have problems installing and running the product, contact BEA Customer Support through BEA Web Support at http://support.bea.com. You can also contact Customer Support by using the contact information provided on the Customer Support Card, which is included in the product package.

When contacting Customer Support, be prepared to provide the following information:

Your name, e-mail address, phone number, and fax number
Your company name and company address
Your machine type and authorization codes
The name and version of the product you are using
A description of the problem and the content of pertinent error messages