The following topics are covered in this section:
Welcome to BEA AquaLogic Enterprise Security 2.2! As the world's leading application infrastructure company, BEA® supplies a complete platform for building, integrating, and extending J2EE applications to provide business solutions. Companies select the BEA WebLogic® Platform™ as their underlying software foundation to decrease the cost of information technology, leverage current and future assets, and improve productivity and responsiveness.
BEA AquaLogic Enterprise Security™ extends BEA's Application Security Infrastructure by offering a family of security solutions that provide enhanced application security. Key features of BEA AquaLogic Enterprise Security include: policy-based delegated administration, authentication with single sign-on, consolidated auditing, and dynamic-role and policy-based authorization with delegation.
BEA AquaLogic Enterprise Security products are designed with an open and flexible standards-based framework that enforces security through a set of security services. You can protect your applications and other resources by customizing these services to meet the specific requirements of your business.
This section covers the following topics:
This section describes new and changed features for this release of AquaLogic Enterprise Security.
The performance statistics feature enables the collection of data about authentication and authorization for purposes of troubleshooting and performance analysis. The performance statistics feature is controlled by an Auditing security provider, the PerfDBAuditor provider. Performance statistics are gathered for each Security Service Module (SSM) in your AquaLogic Enterprise Security installation. In order to collect performance statistics for an SSM, you must enable and configure a PerfDBAuditor provider for that SSM.
The performance statistics feature gathers the following information, for each SSM configuration ID and host name, aggregated for each time interval specified by the Performance Statistics Interval setting:
See Administration and Deployment Guide for additional information.
This release of AquaLogic Enterprise Security includes a client-side Authorization cache that allows an application using the Web Services SSM to take advantage of in-process caching to achieve performance improvements when making authorization calls.
The Web Services Authorization cache has been implemented as an Axis handler. The handler implementation allows you to add and remove the Authorization cache without affecting existing code. The Authorization cache can be configured through a Java API. If you do not use the configuration API to configure the cache, the default values for the cache will be used.
See Programming Security for Web Services for additional information.
This version of AquaLogic Enterprise Security allows external applications to ask authorization questions using the XACML protocol. This capability is supported only in the Web Services SSM.
The XACML service is implemented as an extension to the existing Authorization Service in the Web Service SSM, and uses the same configuration and administration scripts of the Web Service SSM. The XACML service is silently installed together with the Web Service SSM.
See Programming Security for Web Services for additional information.
This release of AquaLogic Enterprise Security includes a utility to help you upgrade from AquaLogic Enterprise Security 2.1. See Installing the Administration Server for additional information.
This release supports installation in silent mode, enabling installation on multiple hosts using scripts rather than requiring user interaction.
As of version 2.2 of ALES, the user who installs the Administration Server and SSMs does not require administrator privileges on a Windows platform, or root access on a Sun Solaris or Linux platform. The installation procedures set the file and directory permissions based on the user who runs the installer.
This release of AquaLogic Enterprise Security allows you to install the Administration Server and SSMs in non-US-English locales. If you install AquaLogic Enterprise Security on a non-US-English locale machine, the installation assumes that all other components with which AquaLogic Enterprise Security communicates will also be installed on the same non-US-English locale, including the policy RDBMS and the authentication source (LDAP or RDBMS).
The WebLogic Server 9.x Security Service Module integrates AquaLogic Enterprise Security with BEA WebLogic Server versions 9.1 and 9.2. It uses a different security framework from the one used in the WLS 8.1 SSM and the other AquaLogic Enterprise Security SSMs. When you install the WLS 9.x SSM, AquaLogic Enterprise Security uses the WLS 9.x security framework. As a consequence, when you use the WLS 9.x SSM, you configure security providers in the WebLogic Administration Console, rather than the AquaLogic Enterprise Security Administration Console. You still use the AquaLogic Enterprise Security Administration Console to create resources and to write security policies for all SSMs, and to configure providers in SSMs other than the WLS 9.x SSM. You must also use the AquaLogic Enterprise Security Administration Console to configure the deployment parent in the ASI Authorizer and ASI Role Mapper providers.
See Integrating ALES with Application Environments for additional information.
This release of AquaLogic Enterprise Security supports any of the WebLogic 9.x security providers. However, the Security Service Module for WebLogic Server 9.x is configured differently, as described in Integrating ALES with Application Environments.
You can also use the WebLogic Server 9.x WebLogicMBeanMaker to create any of the security provider types described in Developing WebLogic Security Providers.
The Web Services SSM includes a set of examples that illustrate Web Services client development in different environments. The examples are located in BEA_HOME\ales22-ssm\examples. For this release, the following new examples are included:
This release of AquaLogic Enterprise Security allows you to integrate with WebLogic Portal 9.2 server and portal applications, resulting in an enhanced set of security services for use in protecting WebLogic Portal. AquaLogic Enterprise Security participates in the authoring and management of policy for WebLogic Portal resources. Once AquaLogic Enterprise Security is integrated with WebLogic Portal, you use AquaLogic Enterprise Security Administration Server to manage resources related to portal desktops, books, pages, and portlets.
See Integrating ALES With Application Environments for additional information.
This release of AquaLogic Enterprise Security allows you to integrate AquaLogic Service Bus 2.5. AquaLogic Service Bus 2.5 (ALSB) is a configuration-based, policy-driven Enterprise Service Bus. It facilitates a loosely coupled architecture, facilitates enterprise-wide reuse of services, and centralizes management. You can use AquaLogic Enterprise Security to manage access control to ALSB's runtime resources, using the ALES WebLogic Server 9.x Security Service Module.
ALES secures only the runtime resources of ALSB, in general those resources that ALSB passes to isAccessAllowed(); it does not secure the resources used during ALSB configuration, such as the ALSB console.
See Integrating ALES With Application Environments for additional information.
This release of AquaLogic Enterprise Security supports the following additional platforms:
This release of AquaLogic Enterprise Security includes the following new examples. Each example has a readme file that describes its function.
BEA_HOME\ales22-ssm\webservice-ssm\examples\ArmeMonitor
BEA_HOME\ales22-ssm\webservice-ssm\examples\JavaWebServiceClient
BEA_HOME\ales22-ssm\webservice-ssm\examples\SsmNet
BEA_HOME\ales22-ssm\webservice-ssm\examples\SsmWorkshop
BEA_HOME\ales22-ssm\webservice-ssm\examples\tools
BEA_HOME\ales22-ssm\webservice-ssm\examples\XACMLClient
BEA_HOME\ales22-ssm\wls-ssm\ALESEnabledWLPDomain
BEA_HOME\ales22-ssm\wls-ssm\ALESEnabledWLSCluster
BEA_HOME\ales22-ssm\wls-ssm\ArmeMonitor
BEA_HOME\ales22-ssm\wls-ssm\ResourceConverter
BEA_HOME\ales22-ssm\wls-ssm\SAMLServletExample
BEA_HOME\ales22-ssm\wls-ssm\taglib
BEA_HOME\ales22-ssm\wls-ssm\tools
In this release of AquaLogic Enterprise Security, the BLM API has been enhanced to allow you to send an Application Context to the auditing service.
The following BLM API methods have been added to provide for the Application Context:
BLMManager.create(java.util.Hashtable credentials, java.util.Hashtable appCtx). This method creates an instance of the BLMContextManager and initializes it with an Application Context. The BLM then adds the Application Context data to all auditing messages associated with this BLM Context that are sent to the Audit provider.
BLMContextManager.setApplicationContext(Hashtable appCtx). This method replaces an existing Application Context with the new one provided. (You must have called BLMManager.create(java.util.Hashtable credentials, java.util.Hashtable appCtx) before calling setApplicationContext(Hashtable appCtx).) All subsequent audit messages associated with this BLM Context have the Application Context added to them when they are sent to the Audit provider.
BLMContextManager.clearApplicationContext(). This method clears the Application Context associated with this BLM Context so that it is no longer included with audit messages sent to the Audit provider.
Table 1 lists the platform on which each AquaLogic Enterprise Security core component is supported.
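The three BLM methods described above, used in sequence so that every audit message carries the attributes of the request that caused it and none carries stale ones. This is an added illustration, not code from the AquaLogic Enterprise Security documentation or product: only the three method names and signatures come from the text; the package import, the keys and values placed in the credentials and application-context tables, and the try/finally arrangement are assumptions made for the example.

```java
import java.util.Hashtable;
// The package that provides BLMManager and BLMContextManager is not named in
// the release notes; replace this placeholder import with the real one.
// import <ales.blm.package.placeholder>.*;

public class BlmAuditContextExample {

    public static void main(String[] args) {
        // Credentials for the BLM session. The key names are constructed for
        // this example; they are not ALES-defined names.
        Hashtable<String, String> credentials = new Hashtable<String, String>();
        credentials.put("username", "policy-admin");   // constructed sample value
        credentials.put("password", "<password>");     // placeholder, never hard-code a real one

        // Application Context: request attributes that the Audit provider will
        // see on every audit message tied to this BLM Context. Keys are
        // constructed for the example.
        Hashtable<String, String> appCtx = new Hashtable<String, String>();
        appCtx.put("client.ip", "10.0.0.12");
        appCtx.put("request.id", "req-0001");

        // From the release notes: create() returns a BLMContextManager already
        // initialized with the Application Context.
        BLMContextManager blm = BLMManager.create(credentials, appCtx);
        try {
            // ... policy administration calls made through blm here are
            // audited with client.ip / request.id attached ...

            // From the release notes: setApplicationContext() replaces the
            // existing context with the one provided, so build a complete
            // table for the next request rather than a partial one.
            Hashtable<String, String> nextCtx = new Hashtable<String, String>();
            nextCtx.put("client.ip", "10.0.0.12");
            nextCtx.put("request.id", "req-0002");
            blm.setApplicationContext(nextCtx);

            // ... subsequent calls are audited with request.id = req-0002 ...
        } finally {
            // From the release notes: clearApplicationContext() stops the
            // context being added to later audit messages. Doing it in
            // finally means an exception cannot leave req-0002's attributes
            // attached to audit records of unrelated later work.
            blm.clearApplicationContext();
        }
    }
}
```

The point of the try/finally is an auditing one: an Application Context that outlives the request it describes makes the audit trail attribute later actions to the wrong client or request, so the context is cleared on every exit path.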
Table 2 lists the AquaLogic Enterprise Security SSMs, the platforms on which they run, and operating systems under which they are supported.
Table 1 and Table 2 did not survive extraction; only the following entries and their notes are recoverable. Recoverable entries: Microsoft Active Directory (see note 3 to Table 1); Red Hat AS 2.1, 3.0, 4.0 (see note 2 to Table 2); Microsoft .NET 1.1 & 2.0 (see note 5 to Table 2).
Notes to Table 1: 1 Works with either Sun Java 2 SDK 1.4.2_08 or BEA JRockit 1.4.2_08 SDK; the JRockit JVM is supported on Intel hardware only. 2 Works with either Sun Java 2 JDK 5.0 (JDK 1.5) or BEA JRockit 5.0 (JDK 1.5); the JRockit JVM is supported on Intel hardware only. 3 AD/AM is not currently supported.
Notes to Table 2: 1 Windows 2000 SP4 and higher, Windows 2003 SP1 and higher. 2 Red Hat Advanced Server. 3 Apache Web Server SSM is supported on Solaris 8 & 9 only. 4 Apache Web Server SSM is supported on RHAS 3.0 only. 5 .NET Web Services client on Windows 2000 and 2003 only. 6 RHAS 2.1 is supported only for 8.1.x versions of WebLogic Server and WebLogic Portal. 7 WebLogic Server SSM for AIX 5.3 is supported on WLS 8.1.x, WLS 9.1, and WLP version 8.1.x only.
AquaLogic Enterprise Security 2.2 has not been certified on internationalized operating systems or databases.
Previous versions of ALES included the capability to use a metadirectory to import user identity information from external repositories and thereby achieve a unified view of all identity information.
See Configuring Metadirectories for a description of this feature in ALES 2.1.
The metadirectory capability is now deprecated and has been removed from ALES 2.2. The recommended approach is to use an Attribute Retriever, which can go directly to the data store, or multiple Attribute Retrievers if you need to access multiple data stores simultaneously for a unified view. You can also use AquaLogic Data Services Platform for data aggregation.
Table 4 lists the known issues fixed in this release of AquaLogic Enterprise Security 2.2.
This section describes known limitations in BEA AquaLogic Enterprise Security, Version 2.2 and may include a possible workaround or fix, where applicable. If an entry includes a CR (Change Request) number, a possible solution may be provided in a future BEA AquaLogic Enterprise Security release where BEA will provide vendor specific code to fix the problem. Refer to the CR number to conveniently track the solution as problems are resolved.
Please contact your BEA Technical Support for assistance in tracking any unresolved problems. For contact information, see the section Contacting BEA Customer Support.
Table 4 lists the known issues in this release of AquaLogic Enterprise Security 2.2.
The AquaLogic Enterprise Security Administration Console throws java.lang.StackOverflowError when loading the admin policy. The Administration Console can become inoperable or crash if using JRockit as the JVM. Otherwise, the error is non-fatal and non-critical.
CONFIGURATION: Administration Server running on the WebLogic Server 8.1 SP5 or 9.1 platforms on the Red Hat Advanced Server 2.1 and 3.0 operating systems.
WORKAROUND: Use Smart Update to get the patch (CR244418_81sp5_v1.jar) for WebLogic Server 8.1 SP5. For WebLogic Server 9.1 the workaround is to apply a private patch. Contact BEA Customer Support to get the Patch ID and Passcode for this patch. Once you have this information, see Installing Maintenance Updates and Service Packs for instructions on how to download and apply a private patch.
The value of "CertificateValidityDuration" is not preserved when upgrading from ALES 2.1 to ALES 2.2. This problem occurs because ALES 2.1 does not correctly preserve the value of CA validity, and the ALES 2.2 upgrade installation is unable to retrieve the currently configured value.
The Administration Server always starts the first time on a minimal bootstrap policy, and then proceeds to load its admin policy. Due to the addition of the <workcontext> resource in WebLogic Server 9.2, the first time the Admin server is run on WebLogic Server 9.2, the following error is displayed: (The error is truncated for formatting.)
<Error> <netuix> <BEA-423443> <Exception while initializing SingleFileServlet: [java.lang.AssertionError:
There is a configuration conflict between the WebLogic Platform Domain's use of Log4j and the AquaLogic Enterprise Security use of Log4j. Specifically, AquaLogic Enterprise Security sets the Log4j configuration via a command-line definition (log4j.configuration) pointing at a simple text-based file that defines a basic Log4j configuration, whereas the WebLogic Platform Domain expects the defined Log4j configuration to be an XML-based configuration.
After removing the log4j.configuration, it will look like this:
The build procedure for running the SAMLServletExample (BEA_HOME\ales22-ssm\wls-ssm\example\SAMLServletExample) requires modifications to run correctly.
A Managed Server in a WebLogic Server 8.1 domain can fail to start as a result of an EmbeddedLDAPException.
replica.num=1
A javax.servlet.ServletException is thrown when starting WLS 9.1 domain with AquaLogic Enterprise Security. The exception does not impact any function of AquaLogic Enterprise Security.
The readme for the EJBAppExample (BEA_HOME\ales22-admin\examples\EJBAppExample) requires an additional step. Without this additional step, after "ant load," the WebLogic Server Domain does not start properly and reports that user "system" is not permitted to boot the server.
Your feedback on the product documentation is important to us. Send us e-mail at docsupport@bea.com if you have questions or comments. Your comments will be reviewed directly by the BEA professionals who create and update the product documentation.
In your e-mail message, please indicate that you are using the documentation for the BEA AquaLogic Enterprise Security Version 2.2 release.
If you have any questions about this version of the BEA AquaLogic Enterprise Security product, or if you have problems installing and running the product, contact BEA Customer Support through BEA Web Support at http://support.bea.com. You can also contact Customer Support by using the contact information provided on the Customer Support Card, which is included in the product package.
When contacting Customer Support, be prepared to provide the following information: