Release Notes


BEA AquaLogic Enterprise Security Version 2.2 Release Notes

The following topics are covered in this section:

 


AquaLogic Enterprise Security 2.2 Features and Changes

Welcome to BEA AquaLogic Enterprise Security 2.2! As the world's leading application infrastructure company, BEA® supplies a complete platform for building, integrating, and extending J2EE applications to provide business solutions. Companies select the BEA WebLogic® Platform™ as their underlying software foundation to decrease the cost of information technology, leverage current and future assets, and improve productivity and responsiveness.

BEA AquaLogic Enterprise Security™ extends BEA's Application Security Infrastructure by offering a family of security solutions that provide enhanced application security. Key features of BEA AquaLogic Enterprise Security include: policy-based delegated administration, authentication with single sign-on, consolidated auditing, and dynamic-role and policy-based authorization with delegation.

BEA AquaLogic Enterprise Security products are designed with an open and flexible standards-based framework that enforces security through a set of security services. You can protect your applications and other resources by customizing these services to meet the specific requirements of your business.

This section covers the following topics:

What's New in BEA AquaLogic Enterprise Security 2.2

This section describes new and changed features for this release of AquaLogic Enterprise Security.

Performance Statistics

The performance statistics feature enables the collection of data about authentication and authorization for purposes of troubleshooting and performance analysis. The performance statistics feature is controlled by an Auditing security provider, the PerfDBAuditor provider. Performance statistics are gathered for each Security Service Module in your AquaLogic Enterprise Security installation. In order to collect performance statistics for an SSM, you must enable and configure a PerfDBAuditor provider for that SSM.

The performance statistics feature gathers the following information, for each SSM configuration ID and host name, aggregated for each time interval specified by the Performance Statistics Interval setting:

See Administration and Deployment Guide for additional information.

Web Services Client Authorization Cache

This release of AquaLogic Enterprise Security includes a client-side Authorization cache that allows an application using the Web Services SSM to take advantage of in-process caching to achieve performance improvements when making authorization calls.

The Web Services Authorization cache has been implemented as an Axis handler. The handler implementation allows you to add and remove the Authorization cache without affecting existing code. The Authorization cache can be configured through a Java API. If you do not use the configuration API to configure the cache, the default values for the cache will be used.

See Programming Security for Web Services for additional information.

Authorization Via XACML

This version of AquaLogic Enterprise Security allows external applications to ask authorization questions using the XACML protocol. This capability is supported only in the Web Services SSM.

The XACML service is implemented as an extension to the existing Authorization Service in the Web Service SSM, and uses the same configuration and administration scripts of the Web Service SSM. The XACML service is silently installed together with the Web Service SSM.

See Programming Security for Web Services for additional information.

New Installation Features

This release of AquaLogic Enterprise Security includes a utility to help you upgrade from AquaLogic Enterprise Security 2.1. See Installing the Administration Server for additional information.

This release supports installation in silent mode, enabling installation on multiple hosts using scripts rather than requiring user interaction.

As of version 2.2 of ALES, the user who installs the Administration Server and SSMs does not require administrator privileges on a Windows platform, or root access on a Sun Solaris or Linux platform. The installation procedures set the file and directory permissions based on the user who runs the installer.

Support for non US-English Locales

This release of AquaLogic Enterprise Security allows you to install the Administration Server and SSMs in non-US-English locales. If you install AquaLogic Enterprise Security on a non-US-English locale machine, the installation assumes that all other components with which AquaLogic Enterprise Security communicates will also be installed on the same non-US-English locale, including the policy RDBMS and the authentication source (LDAP or RDBMS).

WebLogic Server 9.x SSM Added

The WebLogic Server 9.x Security Service Module integrates AquaLogic Enterprise Security with BEA WebLogic Server versions 9.1 and 9.2. It uses a different security framework from the one used in the WLS 8.1 SSM and the other AquaLogic Enterprise Security SSMs. When you install the WLS 9.x SSM, AquaLogic Enterprise Security uses the WLS 9.x security framework. As a consequence, when you use the WLS 9.x SSM, you configure security providers in the WebLogic Administration Console, rather than the AquaLogic Enterprise Security Administration Console. You still use the AquaLogic Enterprise Security Administration Console to create resources and to write security policies for all SSMs, and to configure providers in SSMs other than the WLS 9.x SSM. You must also use the AquaLogic Enterprise Security Administration Console to configure the deployment parent in the ASI Authorizer and ASI Role Mapper providers.

See Integrating ALES with Application Environments for additional information.

WebLogic 9.x Security Providers Supported

This release of AquaLogic Enterprise Security supports any of the WebLogic 9.x security providers. However, the Security Service Module for WebLogic Server 9.x is configured differently, as described in Integrating ALES with Application Environments.

You can also use the WebLogic Server 9.x WebLogicMBeanMaker to create any of the security provider types described in Developing WebLogic Security Providers.

Web Services SSM Now Supports Microsoft .Net and WebLogic Workshop 9.0 Clients

The Web Services SSM includes a set of examples that illustrate Web Services client development in different environments. The examples are located in BEA_HOME\ales22-ssm\examples. For this release, the following new examples are included:

ssmWorkshop

Demonstrates how to access the ALES Web Services SSM through its published WSDL in a WebLogic Workshop 8.1 or 9.x environment.

ssmNET

Demonstrates how to access the ALES Web Services SSM through its published WSDL in the .NET 1.1 or 2.0 environment.

WebLogic Portal 9.2 Integration Supported

This release of AquaLogic Enterprise Security allows you to integrate with WebLogic Portal 9.2 server and portal applications, resulting in an enhanced set of security services for use in protecting WebLogic Portal. AquaLogic Enterprise Security participates in the authoring and management of policy for WebLogic Portal resources. Once AquaLogic Enterprise Security is integrated with WebLogic Portal, you use AquaLogic Enterprise Security Administration Server to manage resources related to portal desktops, books, pages, and portlets.

See Integrating ALES With Application Environments for additional information.

AquaLogic Service Bus Integration Supported

This release of AquaLogic Enterprise Security allows you to integrate AquaLogic Service Bus 2.5. AquaLogic Service Bus 2.5 (ALSB) is a configuration-based, policy-driven Enterprise Service Bus. It facilitates a loosely coupled architecture, facilitates enterprise-wide reuse of services, and centralizes management. You can use AquaLogic Enterprise Security to manage access control to ALSB's runtime resources, using the ALES WebLogic Server 9.x Security Service Module.

ALES secures only the runtime resources of ALSB, in general those resources that ALSB passes to isAccessAllowed(); it does not secure the resources used during ALSB configuration, such as the ALSB console.

See Integrating ALES With Application Environments for additional information.

Additional Platforms Supported

This release of AquaLogic Enterprise Security supports the following additional platforms:

New Examples

This release of AquaLogic Enterprise Security includes the following new examples. Each example has a readme file that describes its function.

Adding Application Context from the BLM API

In this release of AquaLogic Enterprise Security, the BLM API has been enhanced to allow you to send an Application Context to the auditing service.

The following BLM API methods have been added to provide for the Application Context:

Supported Configurations

Table 1 lists the platforms on which each AquaLogic Enterprise Security core component is supported.

Table 2 lists the AquaLogic Enterprise Security SSMs, the platforms on which they run, and operating systems under which they are supported.

Table 1 ALES Core Components

Component                      | Platforms                                                                                                                                                         | Operating System
-------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------
Administration Console Browser | Microsoft Internet Explorer, Version 6.0 or later. In addition, the Java Plug-in for Internet Explorer from the Java Runtime Environment (JRE) 1.4.1 or greater is required. | Microsoft Windows 2000 Sp4; Microsoft Windows 2003 Sp1
Administration Server          | WebLogic Server 8.1 SP4, SP5 [1]; WebLogic Server 9.1, 9.2 [2]; Tomcat 5.5.15                                                                                       | Sun Solaris 8, 9, 10 (32-bit); Windows 2000 SP4, 2003 SP1; Red Hat Adv. Server 2.1, 3.0, 4.0
Policy Store                   | Oracle 9.2.0.5, 10.1.2, 10.2.0.1; Sybase 12.5.2                                                                                                                    |
User Directory                 | Microsoft Windows NT Domain; Microsoft Active Directory [3]; SunONE Directory Server v5.2; Novell eDirectory v8.7.31; Open LDAP v2.2.24; Oracle 9.2.0.5, 10.1.2, 10.2.0.1; Sybase 12.5.2 |

[1] Works with either Sun Java 2 SDK 1.4.2_08 or BEA JRockit 1.4.2_08 SDK. JRockit JVM supported on Intel hardware only.

[2] Works with either Sun Java 2 JDK 5.0 (JDK 1.5) or BEA JRockit 5.0 (JDK 1.5). JRockit JVM supported on Intel hardware only.

[3] AD/AM is not currently supported.

Table 2 ALES Security Service Modules (SSMs)

SSM                   | Platform Version(s)                                          | Windows 2000, 2003 [1] | Solaris 8, 9, 10 | Red Hat AS [2] 2.1, 3.0, 4.0 | AIX 5.3
----------------------|--------------------------------------------------------------|------------------------|------------------|------------------------------|--------
IIS Web Server        | IIS 5.0                                                      | Yes                    | No               | No                           | No
Apache Web Server     | ASF Apache 2.0.54                                            | Yes                    | Yes [3]          | Yes [4]                      | Yes
Web Services          | Microsoft .NET 1.1 & 2.0 [5]; WebLogic Workshop 9.0          | Yes                    | Yes              | Yes                          | Yes
BEA WebLogic Platform | WLS 8.1 Sp4, Sp5; WLP 8.1 Sp4, Sp5; WLS 9.1, 9.2; WLP 9.2    | Yes                    | Yes              | Yes [6]                      | Yes [7]
Java                  | Sun JVM 1.4.2; Sun JVM 1.5.0                                 | Yes                    | Yes              | Yes                          | Yes

[1] Windows 2000 SP4 and higher, Windows 2003 SP1 and higher.

[2] Red Hat Advanced Server.

[3] Apache Web Server SSM is supported on Solaris 8 & 9 only.

[4] Apache Web Server SSM is supported on RHAS 3.0 only.

[5] .NET Web Services client on Windows 2000 and 2003 only.

[6] RHAS 2.1 is supported only for 8.1.x versions of WebLogic Server and WebLogic Portal.

[7] WebLogic Server SSM for AIX 5.3 supported on WLS 8.1.x, WLS 9.1, and WLP version 8.1.x only.

Internationalization

This release of AquaLogic Enterprise Security allows you to install the Administration Server and SSMs in non-US-English locales. If you install AquaLogic Enterprise Security on a non-US-English locale machine, the installation assumes that all other components with which AquaLogic Enterprise Security communicates will also be installed on the same non-US-English locale, including the policy RDBMS and the authentication source (LDAP or RDBMS).

AquaLogic Enterprise Security 2.2 has not been certified on internationalized operating systems or databases.

Metadirectory Support Deprecated and Removed

Previous versions of ALES included the capability to use a metadirectory to import user identity information from external repositories and thereby achieve a unified view of all identity information.

See Configuring Metadirectories for a description of this feature in ALES 2.1.

The metadirectory capability is now deprecated and has been removed from ALES 2.2. The recommended approach is to use an Attribute Retriever, which can go directly to the data store, or multiple Attribute Retrievers if you need to access multiple data stores simultaneously for a unified view. You can also use AquaLogic Data Services Platform for data aggregation.

 


Known Issues Fixed in this Release of BEA AquaLogic Enterprise Security 2.2

Table 3 lists the known issues fixed in this release of AquaLogic Enterprise Security 2.2.

Table 3 Known Issues Fixed in this Release
Change Request Numbers
Description
Release Fixed
CR253783
When uninstalling the SSM or the SCM associated with the SSM on UNIX operating systems (Red Hat 2.1 and Solaris 9), and you select the option to delete the SCM installation directory, the directory is not deleted.
CONFIGURATION: UNIX platforms.
WORKAROUND: Delete the directory manually.
Release Fixed: 2.2
CR240914
The Combo SSM installer hangs on the Active Directory Domain Controller page. When running the combo SSM installer on a Microsoft Windows 2000 Domain Controller (promoted because of using Active Directory), at the step where the installer prompts for ASI users and groups to be added, the installer hangs.
The Event Viewer System Log contains the following comment:
The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: magellan.corp.
CONFIGURATION: Microsoft Windows Domain Controller promoted for Active Directory (dcpromo).
WORKAROUND: None.
Release Fixed: 2.2
CR255269
Attempts to load a query name that ends with a space fail. Even though the procedure ends by displaying a success message, when you try to display the query, a message box pops up stating "the policy inquiry query is not found".
CONFIGURATION: Solaris 9 and WebLogic Server 8.1 Sp4
WORKAROUND: None
Release Fixed: 2.2
CR133819
You cannot secure web servers or any resource that contains an IP address as a resource attribute because resource attributes that start with a number are not accepted. This prevents you from completely securing web servers that can be accessed by IP addresses as well as by host name. For example, you can write a policy to protect www.foo.com, but if you can access that same server as 10.0.10.45, you cannot write a policy to fully protect it.
CONFIGURATION: All Microsoft Windows platforms.
WORKAROUND: None.
Release Fixed: 2.2
CR253787
In the Administration Console, if you use the Filter function for role mapping policies or authorization policies and no policy satisfies the filter that you enter, and you subsequently click the New button to enter a new role mapping or authorization policy, the policy appears in the right pane but it cannot be edited or cloned. Further, if you try to delete the policy, you get an "Object not found" error. On the other hand, if there is a policy that satisfies the defined filter, entering a new policy works properly.
CONFIGURATION: Administration Server on Microsoft Windows using Tomcat or WebLogic Server v8.1 Sp4.
WORKAROUND: None
Release Fixed: 2.2

 


Known Issues in BEA AquaLogic Enterprise Security 2.2

This section describes known limitations in BEA AquaLogic Enterprise Security, Version 2.2 and may include a possible workaround or fix, where applicable. If an entry includes a CR (Change Request) number, a possible solution may be provided in a future BEA AquaLogic Enterprise Security release where BEA will provide vendor specific code to fix the problem. Refer to the CR number to conveniently track the solution as problems are resolved.

Please contact your BEA Technical Support for assistance in tracking any unresolved problems. For contact information, see the section Contacting BEA Customer Support.

Table 4 lists the known issues in this release of AquaLogic Enterprise Security 2.2.

Table 4 Known Issues in this Release 
Change Request Numbers
Description
Release Fixed
CR282308
If both the WLS 8 SSM and WLS 9 SSM are installed into the same BEA_HOME, the enroll scripts of the WLS 8 SSM instances will incorrectly point to the 1.5 JRE/JDK instead of the required 1.4.2 JRE/JDK.
CONFIGURATION: All
WORKAROUND: Manually change the JAVA_HOME in the enroll script to point to JRE 1.4.x.
 
CR275316
The AquaLogic Enterprise Security Administration Console throws java.lang.StackOverflowError when loading the admin policy. The Administration Console can become inoperable or crash if using JRockit as the JVM. Otherwise, the error is non-fatal, non-critical.
CONFIGURATION: Administration Server running on the WebLogic Server 8.1 SP5 or 9.1 platforms on the Red Hat Adv. Server 2.1 & 3.0 operating system.
WORKAROUND: Use Smart Update to get the patch (CR244418_81sp5_v1.jar) for WebLogic Server 8.1 SP5.
For WebLogic Server 9.1 the workaround is to apply a private patch. Contact BEA Customer Support to get the Patch ID and Passcode for this patch. Once you have this information, see Installing Maintenance Updates and Service Packs for instructions on how to download and apply a private patch.

Note: Only customers with a valid support contract for BEA products can download private patches and Service Pack updates.

 
CR282669
The value of "CertificateValidityDuration" is not preserved when upgrading from ALES 2.1 to ALES 2.2. This problem occurs because ALES 2.1 does not correctly preserve the value of CA validity, and the ALES 2.2 upgrade installation is unable to retrieve the currently configured value.
The installation defaults to a value of 10 to prevent a Console startup failure. However, you can change this value before you install ALES 2.2.
Steps to modify the default value of 10:
  1. Edit BEA_HOME/ales21-admin/config/admin_install.properties
  2. Replace the string "@certificate.duration@" with the desired value.
  3. Run the ALES 2.2 installation.
 
CR282677
If you want to upgrade an AquaLogic Enterprise Security 2.1 SSM that is installed on the same machine as the Administration Console, you must upgrade the Administration Console first. This is because the SSM upgrade procedure also updates the SCM.
CONFIGURATION: ALL
WORKAROUND: Upgrade the Administration Console first.
 
CR275074
The Web Services SSM WSDL is not currently supported by WebLogic Workshop 9.2.
CONFIGURATION: ALL
WORKAROUND: None
 
CR283351
The Administration Server starts with an exception the first time it is started.
The Administration Server always starts the first time on a minimal bootstrap policy, and then proceeds to load its admin policy. Due to the addition of the <workcontext> resource in WebLogic Server 9.2, the first time the Admin server is run on WebLogic Server 9.2, the following error is displayed: (The error is truncated for formatting.)
<Error> <netuix> <BEA-423443> <Exception while initializing SingleFileServlet: [java.lang.AssertionError:
java.security.AccessControlException: No READ permission for key:
"weblogic.diagnostics.DiagnosticContext"].
INFO | jvm 1 | 2006/06/22 10:11:02 | java.lang.AssertionError:
java.security.AccessControlException: No READ permission for key:
"weblogic.diagnostics.DiagnosticContext"
INFO | jvm 1 | 2006/06/22 10:11:02 | at
weblogic.logging.MessageLogger.log(MessageLogger.java:117)
:
INFO | jvm 1 | 2006/06/22 10:11:04 | <Jun 22, 2006 10:11:04 AM CST>
<Warning> <WorkManager> <BEA-002919> <Unable to find a WorkManager with name weblogic.admin.HTTP. Dispatch policy weblogic.admin.HTTP will map to the default WorkManager for the application asiconsole>
CONFIGURATION: AquaLogic Enterprise Security Administration Server on WebLogic Server 9.2.
WORKAROUND: Although the error is not fatal to the Administration Server operation, the recommendation is to restart the Administration Server to ensure proper access to the WebLogic Server console for that WebLogic Server instance.
 
CR228213
There is a configuration conflict between the WebLogic Platform Domain's use of Log4j and the AquaLogic Enterprise Security use of Log4j. Specifically, AquaLogic Enterprise Security sets the Log4j configuration via a command line definition and by using a simple text-based file that defines a basic Log4j configuration. The WebLogic Platform Domain expects the defined Log4j configuration to be an XML-based configuration.
CONFIGURATIONS: ALL
WORKAROUND: To use AquaLogic Enterprise Security with a WebLogic Platform Domain, do the following:
  1. Remove the log4j.configuration definition in set-wls-env.bat/sh, around line 46. The line should look like this:

     set WLES_JAVA_OPTIONS=%WLES_JAVA_OPTIONS% -Dlog4j.configuration="file:%INSTANCE_HOME%/config/log4j.properties"

     After removing the log4j.configuration, it will look like this:

     set WLES_JAVA_OPTIONS=%WLES_JAVA_OPTIONS% -Dlog4j.ignoreTCL=true

  2. Add the AquaLogic Enterprise Security log configuration in workshopLogCfg.xml. An example follows:

     <appender name="ALES_LOGFILE" class="org.apache.log4j.RollingFileAppender">
       <param name="File" value="d:/bea/ales21-ssm/wls-ssm/instance/test/log/system_console.log" />
       <param name="Append" value="true" />
       <param name="MaxFileSize" value="5000KB" />
       <param name="Threshold" value="debug" />
       <layout class="org.apache.log4j.PatternLayout">
         <param name="ConversionPattern" value="%d [%t] %-5p %c:%L - %m%n" />
       </layout>
     </appender>

     <appender name="CONSOLE_LOG" class="org.apache.log4j.ConsoleAppender">
       <param name="Target" value="System.out"/>
       <param name="Threshold" value="debug"/>
       <layout class="org.apache.log4j.PatternLayout">
         <param name="ConversionPattern" value="%d [%t] %-5p %c - %m%n"/>
       </layout>
     </appender>

     <!-- sample ALES logging categories -->
     <!--
     <category name="com.bea.security.providers">
       <priority value="debug"/>
       <appender-ref ref="ALES_LOGFILE"/>
       <appender-ref ref="CONSOLE_LOG"/>
     </category>
     -->

 
CR280479
The build procedure for running the SAMLServletExample (BEA_HOME\ales22-ssm\wls-ssm\example\SAMLServletExample) requires modifications to run correctly.
  1. Add <fileset dir="${bea.home}/weblogic81/server/lib"/> to build.xml to make "ant dist" work:

     <path id="build.classpath">
       <fileset dir="${ales.admin.home}/lib"/>
       <fileset dir="${bea.home}/weblogic81/server/lib"/>
     </path>

  2. In the following three files under SAMLServletExample\src\web, change "localhost" to the appropriate <HOST_NAME>, to account for the possibility that the service is not on the localhost:
     • index.html
     • site1.jsp
     • site2.jsp

 
CR261376
A Managed Server in a WebLogic Server 8.1 domain can fail to start as a result of an EmbeddedLDAPException.
CONFIGURATION: WebLogic Server 8.1 with WLS 8.1 SSM
WORKAROUND: For each Managed Server in the domain, create the following folder:
<DomainHome>/<ManagedServerName>/ldap/ldapfiles
Create the file:
<DomainHome>/<AdminServerName>/ldap/conf/replicas.prop
with the following content:
replica.num=1
replica.0.name=<ManagedServerName>
replica.0.base=dc\=<DomainName>
replica.0.port=<ManagedServerListenPort>
replica.0.hostname=<ManagedServerHostName>
replica.0.masterurl=ldap\://<AdminServerHostName>\:<AdminServerListenPort >/
replica.0.masterid=<AdminServerName>
replica.0.binddn=cn\=Admin
replica.0.consumerid=<ManagedServerName>
If there is more than one Managed Server in the domain, set:
replica.num=<NumberOfManagedServers>
and include in the replicas.prop file a set of replica.<X> entries for each of the Managed Servers.
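The replicas.prop layout above generalizes to any number of Managed Servers. The following Python script is an added example, not part of ALES or WebLogic: it renders the file for a list of Managed Servers (the domain, server names, hosts and ports are constructed placeholders) and checks an existing file for the consistency the workaround requires. The backslash escapes it emits follow java.util.Properties, which is why the template shows "dc\=" and "ldap\://".

```python
"""Render and sanity-check a WebLogic 8.1 embedded-LDAP replicas.prop file.

Added example for the CR261376 workaround; not part of ALES or WebLogic.
Escaping follows java.util.Properties.store(): '=', ':', '#', '!' and '\\'
in a value get a backslash, so "dc=mydomain" is written as "dc\\=mydomain".
"""
from dataclasses import dataclass
from typing import Dict, List

REQUIRED_KEYS = ("name", "base", "port", "hostname", "masterurl",
                 "masterid", "binddn", "consumerid")


@dataclass
class ManagedServer:
    name: str   # <ManagedServerName>
    host: str   # <ManagedServerHostName>
    port: int   # <ManagedServerListenPort>


def escape_prop(value: str) -> str:
    """Backslash-escape the characters java.util.Properties treats specially."""
    return "".join("\\" + ch if ch in "\\=:#!" else ch for ch in value)


def render_replicas_prop(domain: str, admin_name: str, admin_host: str,
                         admin_port: int, managed: List[ManagedServer]) -> str:
    """One replica.<X> block per Managed Server; replica.num is the count."""
    lines = [f"replica.num={len(managed)}"]
    master_url = f"ldap://{admin_host}:{admin_port}/"
    for i, ms in enumerate(managed):
        lines += [
            f"replica.{i}.name={ms.name}",
            f"replica.{i}.base={escape_prop('dc=' + domain)}",
            f"replica.{i}.port={ms.port}",
            f"replica.{i}.hostname={ms.host}",
            f"replica.{i}.masterurl={escape_prop(master_url)}",
            f"replica.{i}.masterid={admin_name}",
            f"replica.{i}.binddn={escape_prop('cn=Admin')}",
            f"replica.{i}.consumerid={ms.name}",
        ]
    return "\n".join(lines) + "\n"


def parse_props(text: str) -> Dict[str, str]:
    """Minimal Properties reader: key=value lines, backslash escapes honoured."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, val, in_key, i = [], [], True, 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):   # escaped char: keep it literally
                (key if in_key else val).append(line[i + 1])
                i += 2
                continue
            if in_key and ch in "=:":               # first unescaped separator
                in_key = False
            else:
                (key if in_key else val).append(ch)
            i += 1
        props["".join(key)] = "".join(val).strip()
    return props


def validate_replicas_prop(text: str) -> List[str]:
    """List problems that would leave a Managed Server without a usable entry."""
    props = parse_props(text)
    num = props.get("replica.num", "")
    if not num.isdigit():
        return ["replica.num missing or not numeric"]
    problems = []
    for i in range(int(num)):
        problems += [f"replica.{i}.{k} missing" for k in REQUIRED_KEYS
                     if f"replica.{i}.{k}" not in props]
        if not props.get(f"replica.{i}.port", "").isdigit():
            problems.append(f"replica.{i}.port is not numeric")
        if not props.get(f"replica.{i}.masterurl", "").startswith("ldap://"):
            problems.append(f"replica.{i}.masterurl is not an ldap:// URL")
    indexes = {k.split(".")[1] for k in props if k.startswith("replica.") and k.count(".") >= 2}
    stale = sorted(j for j in indexes if not j.isdigit() or int(j) >= int(num))
    if stale:
        problems.append(f"replica.num={num} but entries exist for index(es) {stale}")
    return problems


# Constructed sample domain (hypothetical names) for a stand-alone run.
SAMPLE = render_replicas_prop("mydomain", "AdminServer", "admin.example", 7001,
                              [ManagedServer("ms1", "host1.example", 7011),
                               ManagedServer("ms2", "host2.example", 7012)])

if __name__ == "__main__":
    print(SAMPLE)
    print("problems:", validate_replicas_prop(SAMPLE))
```

Write the rendered text to <DomainHome>/<AdminServerName>/ldap/conf/replicas.prop and run the validator against it before starting the Managed Servers.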
 
CR283049
AquaLogic Enterprise Security 2.2 includes a utility to help you upgrade from AquaLogic Enterprise Security 2.1. If the Administration Server uses WebLogic Server as the servlet container, WebLogic Server must be located in the same BEA_HOME as AquaLogic Enterprise Security 2.1.
CONFIGURATION: All
WORKAROUND: None.
 
None
AquaLogic Enterprise Security 2.2 includes a utility to help you upgrade from AquaLogic Enterprise Security 2.1. The upgrade script runs only when GUI mode is available.
CONFIGURATION: All
WORKAROUND: None
 
CR282858
A javax.servlet.ServletException is thrown when starting WLS 9.1 domain with AquaLogic Enterprise Security. The exception does not impact any function of AquaLogic Enterprise Security.
CONFIGURATION: WLS9 SSM, WebLogic 9.1
WORKAROUND: There are two workarounds to this problem. The first is to add the following line to the log4j configuration file:
log4j.logger.org.apache.beehive.netui.core.urltemplates.URLTemplateDescriptor=FATAL
The second workaround is to omit the following entry from set-wls-env.sh:
WLES_JAVA_OPTIONS="${WLES_JAVA_OPTIONS} -Dlog4j.configuration=file:${INSTANCE_HOME}/config/log4j.properties"
 
None
During a non-Administrators-user install or upgrade to AquaLogic Enterprise Security 2.2 on a Windows platform, the related services cannot be created.
CONFIGURATION: AquaLogic Enterprise Security 2.2 on a Windows platform
WORKAROUND: The only way to start the Administration Console or SCM is to use the command line, such as "WLESadmin.bat console."
 
CR284054
The readme for the EJBAppExample (BEA_HOME\ales22-admin\examples\EJBAppExample) requires an additional step. Without this additional step, after "ant load," the WebLogic Server Domain does not start properly and prompts that user "system" is not permitted to boot the server.
After creating the WebLogic Server Domain, add that user inside the AquaLogic Enterprise Security 2.2 Administration Console and assign it the Admin role.
CONFIGURATION: All
WORKAROUND: None
 

 


Contacting BEA Customer Support

Your feedback on the product documentation is important to us. Send us e-mail at docsupport@bea.com if you have questions or comments. Your comments will be reviewed directly by the BEA professionals who create and update the product documentation.

In your e-mail message, please indicate that you are using the documentation for the BEA AquaLogic Enterprise Security Version 2.2 release.

If you have any questions about this version of the BEA AquaLogic Enterprise Security product, or if you have problems installing and running the product, contact BEA Customer Support through BEA Web Support at http://support.bea.com. You can also contact Customer Support by using the contact information provided on the Customer Support Card, which is included in the product package.

When contacting Customer Support, be prepared to provide the following information:

