Release Notes
BEA AquaLogic Enterprise Security Version 2.1 Release Notes
The following topics are covered in this section:
AquaLogic Enterprise Security 2.1 Features and Changes
Welcome to BEA AquaLogic Enterprise Security 2.1! As the world's leading application infrastructure company, BEA® supplies a complete platform for building, integrating, and extending J2EE applications to provide business solutions. Companies select the BEA WebLogic® Platform™ as their underlying software foundation to decrease the cost of information technology, leverage current and future assets, and improve productivity and responsiveness.
Now, BEA is extending its Application Security Infrastructure by offering the BEA AquaLogic Enterprise Security™ product line, a family of security solutions that provides enhanced application security and includes policy-based delegated administration, authentication with single sign-on, consolidated auditing, and dynamic-role and policy-based authorization with delegation.
BEA AquaLogic Enterprise Security products are designed with an open and flexible standards-based framework that enforces security through a set of security services. You can protect your applications and other resources by customizing these services to meet the specific requirements of your business.
This section covers the following topics:
What's New in BEA AquaLogic Enterprise Security 2.1
The following topics describe what is new in this release:
Management Enhancements
The following sections describe management enhancements:
Enhancements to BLM Java API
The BLM API has been enhanced to include configuration management operations so that the BLM supports all of the functionality offered by the Administration Console.
The BLM API provides programmatic access to the AquaLogic Enterprise Security policy management infrastructure. It is a Java API that uses SOAP to communicate with the central management services. In addition to using this API to create and manage users, groups, roles, resources, and resource policies, you can now use it to define security configurations and to distribute those configurations to SSMs. These are all of the same functions supported by the Administration Console.
Public Web Service Interface for management operations
The Web Services API offers management interfaces to provide functionality similar to the Administration Console and BLM.
Administration Server Enhancements
- Administration Server Does Not Depend on WebLogic Server—The Administration Server is supported on Tomcat 5.0.28 (Servlet 2.3). The Administration Server is also supported on BEA WebLogic Server 8.1, Sp4 and Sp5.
- Administration Console Usability Enhancements—The Administration Console GUI has been updated for usability. The resulting GUI is more intuitive and easier to use.
- Policy Distributor service has been merged into the BLM service.
SAML 1.1 Compliance
The IIS and Apache SSMs implement a SAML POST profile that is fully conformant to the SAML 1.1 specifications. Applications can also invoke the SAML Credential Mapper and SAML Identity Assertion to generate and verify SAML 1.1 compliant assertions.
Support for Single Sign-on with WebLogic Server Security Framework
In this release, the ALES identity asserter supports single sign-on (SSO) between ALES and the WebLogic Server Security Framework, so that SSO can be achieved between Web Servers protected by ALES and regular WebLogic Server/WebLogic Portal. With this support, users authenticated on ALES do not have to be re-authenticated to log in to WebLogic Server or WebLogic Portal.
Additional Platform Support
In this release of AquaLogic Enterprise Security, the following additional support has been added:
- The Apache 2.0.54 Security Service Module (SSM) is supported on Microsoft Windows 2000 and 2003.
- Oracle 10.1.0.4 is supported as a policy store.
- The Administration Server is supported on Microsoft Windows 2003.
Support for Integration with the AquaLogic Data Services Platform
In this release, AquaLogic Enterprise Security can be used to protect AquaLogic Data Services Platform (ALDSP) data. You can use AquaLogic Enterprise Security to create and enforce a set of policies to control access to an entire data service or to individual fields returned by a data service. Integration with AquaLogic Data Services Platform v8.5 is supported.
Enhanced Policy Analysis Tool
The policy analysis tool has been enhanced to include role and group membership information.
WebLogic Server 8.1 Service Pack Compatibility
The BEA AquaLogic Enterprise Security Version 2.1 is certified as compatible with WebLogic Server 8.1, Service Pack 4 and Service Pack 5 (Service Packs 1, 2, and 3 are not supported).
Policy Data Export Tool Extended to Support XACML 2.0 Format
The Policy Export tool provided by the Administration Server now allows you to export policy data in XACML 2.0 format.
Support for Migration of WLES 4.2 Sp2 to ALES 2.1
Users of WebLogic Enterprise Security (WLES) 4.2 Sp2 can migrate to ALES 2.1 and export, modify, and import policy data written for WLES to ALES. For instructions, see Upgrading an Administration Server to AquaLogic Enterprise Security 2.1 in the Policy Managers Guide.
Supported Configurations
Table 2 lists the releases of BEA AquaLogic Enterprise Security for each platform BEA supports. The BEA AquaLogic Enterprise Security products can be used on the following platforms:
- Intel Pentium compatible Microsoft Windows 2000 Sp4 and later (for Professional, Server, and Advanced Server) and with Microsoft Windows 2003 Sp1 and later.
- Sun Microsystems Sparc with Solaris (version 8 or 9)
- Linux Red Hat Advanced Server 2.1 and 3.0 (Update 4)
Note: Windows XP is supported only as a platform to run the Administration Console. The Windows XP system display should be run in Classic Style to achieve compatibility with the Administration Console.
Table 1 lists the platform on which each AquaLogic Enterprise core component is supported.
Table 1 ALES Core Components

| Component | Platforms | Operating System |
|---|---|---|
| Administration Console Browser | Microsoft Internet Explorer 6.0 | Microsoft Windows 2000 Sp4; Microsoft Windows 2003 Sp1 |
| Administration Server | WebLogic Server 8.1 Sp4 and Sp5; Tomcat 5.0.28 | Sun Solaris 8, 9 (32-bit); Microsoft Windows 2000 Sp4; Microsoft Windows 2003 Sp1; Red Hat Advanced Server 2.1; Red Hat Advanced Server 3.0 Update 4 (32 bit) |
| Policy Store | Oracle 9.2.0.5 and 10.1.0.4; Sybase 12.5.2 | |
| User Directory | Microsoft Windows NT Domain; Microsoft Active Directory¹; SunONE Directory Server v5.2; Novell eDirectory v8.7.31; Open LDAP v2.2.24; Oracle 9.2.0.5 and 10.1.0.4; Sybase 12.5.2 | |

¹ AD/AM is not currently supported.
Table 2 ALES Security Service Modules (SSMs)

| SSM | Platform Version(s) | Windows 2000 Sp4 and later | Windows 2003 Sp1 and later | Solaris 8 and 9 | Red Hat AS 2.1 | Red Hat AS 3.0 (Update 4) |
|---|---|---|---|---|---|---|
| IIS Web Server | IIS 5.0 | Yes | No | No | No | No |
| Apache Web Server | ASF Apache 2.0.54 | Yes | Yes | Yes | No | Yes |
| Web Services | NA | Yes | Yes | Yes | Yes | Yes |
| BEA WebLogic Platform | WLS 8.1 Sp4, Sp5; WLP 8.1 Sp4, Sp5 | Yes | Yes | Yes | Yes | Yes |
| Java | JDK 1.4.2 | Yes | Yes | Yes | Yes | Yes |
Internationalization
AquaLogic Enterprise Security 2.1 does not provide support for localization, either to support specific GUI languages or character code-sets. AquaLogic Enterprise Security 2.1 has not been certified on internationalized operating systems or databases.
Known Issues Fixed in this Release of BEA AquaLogic Enterprise Security 2.1
Table 4 lists the known issues fixed in this release of AquaLogic Enterprise Security 2.1.
Table 3 Known Issues Fixed in this Release

| Change Request Numbers | Description | Release Fixed |
|---|---|---|
| CR236155 | On setup, the installer creates several users and groups (asiusers and asiadgrp). However, if the machine was in a domain or had a password policy, the installer would fail if you entered a password that did not adhere to the domain password policy. | 2.1 |
| CR210958 | The Authorization and Role Mapping Engine (ARME) did not report the name of the missing attribute in an exception. | 2.1 |
| CR2465105 | After 60 days, Microsoft Windows updated userid such that it prevented services from starting. | 2.1 |
| CR246245 | Policy data exported for the Administration Server using the Policy Export tool could not be imported without manual intervention. | 2.1 |
| CR253300 | The Base64 encoding/decoding attribute was required to be unchecked when configuring SAML Providers for use on SSMs. | 2.1 |
| CR191571 | Security Provider MBean console display did not show additional attributes in the order in which they were defined. | 2.1 |
| CR233504 | When using the Administration Console, you could not create or clone a DENY role mapping or authorization policy without first creating a GRANT policy and changing it to DENY. As the system user, when you tried to create a DENY policy, you received the following warning message: "user system is not authorized to perform the create operation on Policy/Rule/Deny within the //app/policy/WLES/admin", even though you were not trying to create a DENY policy for //app/policy/WLES/admin. | 2.1 |
| CR237686 | On Microsoft Windows, the export-oracle-policy did not work for paths that contained spaces. | 2.1 |
| CR239841 | The Database Authentication Provider failed to start when the Database Plugin was not available. | 2.1 |
Known Issues in BEA AquaLogic Enterprise Security 2.1
This section describes known limitations in BEA AquaLogic Enterprise Security, Version 2.1 and may include a possible workaround or fix, where applicable. If an entry includes a CR (Change Request) number, a possible solution may be provided in a future BEA AquaLogic Enterprise Security 2.1 release where BEA will provide vendor specific code to fix the problem. Refer to the CR number to conveniently track the solution as problems are resolved.
Please contact your BEA Technical Support for assistance in tracking any unresolved problems. For contact information, see the section Contacting BEA Customer Support.
Table 4 lists the known issues in this release of AquaLogic Enterprise Security 2.1.
Table 4 Known Issues in this Release

| Change Request Numbers | Description | Release Fixed |
|---|---|---|
| CR253783 | When you uninstall the SSM or the SCM associated with the SSM on UNIX operating systems (Red Hat 2.1 and Solaris 9) and select the option to delete the SCM installation directory, the directory is not deleted. CONFIGURATION: UNIX platforms. WORKAROUND: Delete the directory manually. | |
| CR240914 | The Combo SSM installer hangs on the Active Directory Domain Controller page. When running the combo SSM installer on a Microsoft Windows 2000 Domain Controller (promoted because of using Active Directory), at the step where the installer prompts for ASI users and groups to be added, the installer hangs. The Event Viewer System Log contains the following comment: "The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: magellan.corp." CONFIGURATION: Microsoft Windows Domain Controller promoted for Active Directory (dcpromo). WORKAROUND: None. | |
| CR255269 | Attempts to load a query name that ends with a space fail. Even though the procedure ends by displaying a success message, when you try to display the query, a message box pops up stating "the policy inquiry query is not found". CONFIGURATION: Solaris 9 and WebLogic Server 8.1 Sp4. WORKAROUND: None. | |
| CR254557 | The queryResources feature does not work properly and an exception is thrown. CONFIGURATION: All. WORKAROUND: None. | |
| CR133819 | You cannot secure web servers or any resource that contains an IP address as a resource attribute because resource attributes that start with a number are not accepted. This prevents you from completely securing web servers that can be accessed by IP addresses as well as by host name. For example, you can write a policy to protect www.foo.com, but if you can access that same server as 10.0.10.45, you cannot write a policy to fully protect it. CONFIGURATION: All Microsoft Windows platforms. WORKAROUND: None. | |
| CR253787 | In the Administration Console, if you use the Filter function for role mapping policies or authorization policies and there is no policy to satisfy the filter that you enter, and you subsequently click the New button to enter a new role mapping or authorization policy, the policy appears in the right pane but it cannot be edited or cloned. Further, if you try to delete the policy, you get an "Object not found" error. On the other hand, if there is a policy that satisfies the defined filter and you enter a new policy, everything works properly. CONFIGURATION: Administration Server on Microsoft Windows using Tomcat or WebLogic Server v8.1 Sp4. WORKAROUND: None. | |
Contacting BEA Customer Support
Your feedback on the product documentation is important to us. Send us e-mail at docsupport@bea.com if you have questions or comments. Your comments will be reviewed directly by the BEA professionals who create and update the product documentation.
In your e-mail message, please indicate that you are using the documentation for the BEA AquaLogic Enterprise Security Version 2.1 release.
If you have any questions about this version of the BEA AquaLogic Enterprise Security product, or if you have problems installing and running the product, contact BEA Customer Support through BEA Web Support at http://support.bea.com. You can also contact Customer Support by using the contact information provided on the Customer Support Card, which is included in the product package.
When contacting Customer Support, be prepared to provide the following information:
- Your name, e-mail address, phone number, and fax number
- Your company name and company address
- Your machine type and authorization codes
- The name and version of the product you are using
- A description of the problem and the content of pertinent error messages