Release Notes


BEA AquaLogic Enterprise Security Version 2.5 Release Notes

The following topics are covered in this section:

 


AquaLogic Enterprise Security 2.5 Features and Changes

BEA AquaLogic Enterprise Security (ALES) is a fine-grained entitlements product that was designed to enable centralized management of access to both application resources and application objects. ALES uses a centrally administered, distributed security services architecture that supports hierarchical policies across heterogeneous application environments. It also provides a unified and adaptable security infrastructure that enables a service-oriented approach to securing distributed applications. It allows shared security infrastructure and services to be leveraged and re-used across the heterogeneous enterprise—improving security and increasing IT efficiency.

ALES includes the Administration Application and a set of Security Service Modules (SSMs).

The ALES Administration Application provides centralized management of application entitlements, letting you control all of your security policies and configuration data from a single web-based console. Configuration, security policy, and user metadata for ALES-distributed Security Services Modules are managed and provisioned by the Administration Application. All administrative functions, including delegation, are fully configurable through administrative policies.

BEA AquaLogic Enterprise Security supports a variety of Security Service Modules (SSMs) that reside in the application environments protected by ALES. They provide the runtime enforcement of entitlements and integrate with the underlying security framework to provide services for authentication, auditing, role mapping, and credential mapping. The security framework also provides a simple application programming interface (API) that can be used by security and application developers to define security policies and services. SSMs are provided for the WebLogic Platform, Java applications, and non-Java applications through a generic Web Services SSM.

This section covers the following topics:

What's New in BEA AquaLogic Enterprise Security 2.5

This section describes new and changed features for this release of AquaLogic Enterprise Security.

This release of AquaLogic Enterprise Security has several new and changed features:

ARME and BLM Ported to Java

In this release of AquaLogic Enterprise Security, the ASIAuthorizer, which is also known as the authorization and role mapping engine (ARME), and the BLM have been ported to Java and no longer require separate services or processes. The WLESarme command is no longer needed and has been removed.

The ASIAuthorizer provider supports the use of Java plug-ins for custom rule extensions for evaluation and credential functions. The functions available for use are described in Using Java Extensions Plug-Ins.

SCM is Now Optional

In this release of AquaLogic Enterprise Security it is possible to deploy an SSM without the SCM. You can use the PolicyIX tool, described in PolicyIX in the Administration Reference, to communicate directly with the BLM and retrieve configuration data. The PolicyIX tool allows you to export configuration data (configured either through the ALES Administration Console or directly via the BLM API) for a given SSM to an XML file, and use it with the configured SSMs when the SCM is not available.

The SCM is always installed on the ALES Administration server.

See Installing an SSM Without an Associated SCM for more information.

New L10N Support

The Java, Web Services and WLS (8.1x and 9.x) SSMs are L10N ready for ALES 2.5. This includes all SSM components including the security framework, all related providers, and the ASIAuthorizer. The SSMs support the following functionality:

Note: The ALES SSM for Apache Web Server and the ALES SSM for Microsoft IIS are not L10N enabled for this release.

In addition, the BLM, the BLM Java and Web Service APIs, the Policy Distributor (PD) and the Administration Console are L10N ready. These components support the following functionality:

Note: Resource names are not multi-byte enabled (ASCII only).

Enhanced Auditing Support

Audit Events are generated for all cascading actions. For example, when a user is deleted, the user is removed from any groups of which they are a member, and the user attributes are deleted. These subsequent actions are now audited.

In addition, AquaLogic Enterprise Security now audits the following events associated with policy distribution:

These new audit events include the SSM ID and identify the policy set to be distributed.

Transactional Support

Auditing and the BLM API can now be in the same transactional boundary. The BLM API methods allow you to specify that for a transaction to be successful, the events generated by the BLM API must be audited. If either the BLM API call fails or the auditing call fails, all changes are rolled back. Any calls made to the BLM API will produce an audited event.

In addition, it is now possible to define the transactional boundary for the BLM API such that multiple BLM API calls can be made within a single transaction. If any of the BLM calls fail, the entire transaction fails and all changes are rolled back. The BLMContextManager API has been updated to include transactional methods.

As of AquaLogic Enterprise Security version 2.5, the policyloader and PolicyIX are now transactional: all policies are loaded, or none.

Entitlements User Interface

This release of AquaLogic Enterprise Security includes a sample web-based Entitlements user interface. The functionality includes the following:

For information about setting up and using this user interface, see Using the Entitlements Management Tool in the Policy Managers Guide.

BEA Kodo is Now Used

BEA Kodo implements Sun's Enterprise JavaBeans Persistence 3.0 (JPA) and Java Data Objects (JDO) specifications for the transparent persistence of Java objects. AquaLogic Enterprise Security uses Kodo to provide database neutrality. This means that you no longer need to install the database client to use AquaLogic Enterprise Security.

See Installing the Administration Server for additional information.

Supported Configurations

Table 1 lists the platform on which each AquaLogic Enterprise Security core component is supported.

Table 1 Core Components

| Component | Platforms | Operating Systems |
|---|---|---|
| Admin Console Browser | MS IE 6.0 | Windows 2000 SP4, 2003 SP1 (x86, 32-bit) |
| Admin Server Platform | WebLogic Server 8.1 SP4, SP5; WebLogic Server 9.1, 9.2 [1]; Tomcat 5.5.15 | Sun Solaris 8 [2], 9, 10 (SPARC, 32-bit); Windows 2000 SP4, 2003 SP1 (x86, 32-bit); Red Hat Adv. Server 3.0 (x86, 32-bit) |
| Policy Store | Oracle 9.2.0.5, 10.1.2, 10.2.0.1; Sybase 12.5.2 [3]; MS-SQL 2000 & 2005 [4]; PointBase 5.1 | |
| User Directory | Microsoft Active Directory [5]; SunONE Directory Server v5.2; Novell eDirectory v8.7.31; Open LDAP v2.2.24; Oracle 9.2.0.5, 10.1.2, 10.2.0.1; Sybase 12.5.2 [6]; MS-SQL 2000 & 2005 [7]; PointBase 5.1 | |

[1] Works with WLS configured to use either the Sun JVM or the JRockit JVM that ships with the 9.x version of the server. JRockit JVM supported on Intel hardware only.

[2] Sun Solaris 8 will not be supported until ALES 2.5 CP1.

[3] Sybase 12.5.2 will not be supported until ALES 2.6.

[4] MS SQL 2005 will not be supported until ALES 2.6.

[5] AD/AM is not currently supported.

[6] Sybase 12.5.2 will not be supported until ALES 2.6.

[7] MS SQL 2005 will not be supported until ALES 2.6.

Table 2 lists the AquaLogic Enterprise Security SSMs, the platforms on which they run, and operating systems under which they are supported.

Note: ALES does not include the JDBC driver for MS SQL and PointBase. If you want to use MS SQL or PointBase for your database, you must download the appropriate JDBC driver. You must use the latest MS SQL 2005 JDBC driver with all versions of MS SQL.

Table 2 ALES Security Service Modules (SSMs) 

| SSM | Platform Version(s) | Windows 2000, 2003 [1] | Solaris [2] 8 [3], 9, 10 | Red Hat AS [4] 3.0 | AIX 5.3 [5] |
|---|---|---|---|---|---|
| IIS Web Server | IIS 5.0 | Yes | No | No | No |
| Apache Web Server | ASF Apache 2.0.54 | Yes | Yes [6] | Yes | Yes |
| Web Services | Microsoft .NET 1.1 & 2.0 [7]; WebLogic Workshop 9.0 | Yes | Yes | Yes | Yes |
| BEA WebLogic Platform | WLS 8.1 Sp4, Sp5; WLP 8.1 Sp4, Sp5; WLS 9.1, 9.2; WLP [8] 9.2 | Yes | Yes | Yes | Yes |
| Java | Sun JVM 1.4.2; Sun JVM 1.5.0; JRockit JVM 1.42 & 1.5.0 | Yes | Yes | Yes | Yes |

[1] Windows 2000 SP4 and higher, Windows 2003 SP1 and higher.

[2] SPARC, 32-bit.

[3] Solaris 8 will not be supported until ALES 2.5 CP1.

[4] RedHat Advanced Server.

[5] AIX 5.3 will not be supported until ALES 2.6.

[6] Apache Web Server SSM is supported on Solaris 8 & 9 only.

[7] .NET Web Services client on Windows 2000 and 2003 only.

[8] Works with WLS configured to use either the Sun JVM or the JRockit JVM that ship with the 9.x version of the server. JRockit JVM supported on Intel hardware only.

 


Known Issues Fixed in this Release of BEA AquaLogic Enterprise Security 2.5

Table 3 lists the known issues fixed in this release of AquaLogic Enterprise Security 2.5.

Table 3 Known Issues Fixed in this Release

| Change Request Number | Description |
|---|---|
| CR289188 | Audit Event implementation classes declare member data static |
| CR289193 | User authentication happening for a disabled user in ADS authentication provider |
| CR276673 | sys_subjectgroup attribute is not being populated from Authenticated subject. |
| CR288567 | Refresh schema does not init ALES system similar to Install schema scripts |
| CR288463 | ALES22 is missing demoProviderTrust.jks in the Admin kit |
| CR287505 | cacheclientconfig.wsdd file is missing in ALES 2.2 WS SSM installation |
| CR287486 | failover-client-config.wsdd file is missing in ALES 2.2 installation |
| CR267115 | Need to simplify the process of adding a custom Identity Asserter on edocs |
| CR287019 | ALES22 is missing BEA optimized axis 1.2.1 axis.jar |
| CR284853 | ALES21 providers do not appear on the Admin console in ALES22 |
| CR285683 | Wrong default adjudicator in Admin Console |
| CR285823 | ALES SSM and Admin components can incorrectly read wrong entries from license.bea |
| CR285570 | ASIAuthorizer provider has problems if "Pre Load Attributes" is set to "all" for WS SSM |

 


Known Issues in BEA AquaLogic Enterprise Security 2.5

This section describes known limitations in BEA AquaLogic Enterprise Security, Version 2.5 and may include a possible workaround or fix, where applicable. If an entry includes a CR (Change Request) number, a possible solution may be provided in a future BEA AquaLogic Enterprise Security release where BEA will provide vendor-specific code to fix the problem. Refer to the CR number to track the solution as problems are resolved.

Please contact your BEA Technical Support for assistance in tracking any unresolved problems. For contact information, see the section Contacting BEA Customer Support.

Table 4 lists the known issues in this release of AquaLogic Enterprise Security 2.5.

Table 4 Known Issues in This Release
CR
Description
CR299209
The help message of the ASISignal utility is incorrect. ASISignal supports the following actions only: ping, comtest, wait, waitready, and status. Actions restart, shutdown, and log are no longer supported.
CONFIGURATION: ALL
CR289692
If both the WLS 8 SSM and WLS 9 SSM are installed into the same BEA_HOME, the enroll scripts of the WLS 8 SSM instances will incorrectly point to the 1.5 JRE/JDK instead of the necessary 1.4.2 JRE/JDK.
CONFIGURATION: ALL
WORKAROUND: Manually change the JAVA_HOME in the enroll script to point to JRE 1.4.x. The enroll script is in BEA_HOME/ales25-ssm/wls-ssm/instance/instancename/adm where instancename is the name you assigned to the SSM instance when you created it.
CR300046
Do not create a user name that includes a wildcard character such as % or *.
CONFIGURATION: ALL
CR300346
The SCM directory name cannot be specified during an upgrade from 2.2 to 2.5. The directory ales25-scm will be created automatically.
CONFIGURATION: ALL
CR300568
SSM configuration names must not start with provider types or the configuration cannot be exported using PolicyIX.
CONFIGURATION: ALL
WORKAROUND: Modify the name of the SSM configuration so it does not start with any of the following strings: "Adjudication", "Auditing", "Authentication", "Authorization", "CredentialMapping", "RoleMapping".
CR300593
Policies that use LIKE and UNLIKE must use Java regular expressions. If you have existing policies that use LIKE and UNLIKE, review them to see that the regular expressions conform to Java regular expressions. See the Java documentation on regular expressions at http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
CONFIGURATION: ALL
CR300968
After installing a secondary admin server, the secondary admin server will fail to start.
CONFIGURATION: ALL
WORKAROUND: Run the script ales25-admin/bin/propogateInitialCache.[bat/sh] manually after the install process for the secondary admin server has been completed. The script will complete configuration of the secondary admin server.
CR302516
Policy constraints are not being validated when they are created.
CONFIGURATION: ALL
WORKAROUND: Double check policy constraints to make sure that they do not contain typographical errors or reference non-existent attributes.
CR302300
When running in delete mode, the policyIX utility will throw an exception when deleting resources that are bound to delegate and deny rules. The user must remove the entries manually before the utility is run.
WORKAROUND: Delete or remove the resource from all Delegate and Deny rules using the Admin Console.
CR303946
If an SSM that does not use an SCM fails to start with a ConfigurationException, change the wles.config.signer property to upper case. The wles.config.signer property contains the host name of the admin server.
For a Java SSM, the property is set in the BEA_HOME/ales25-ssm/java-ssm/instance/instancename/bin/set-env script.
For a WLS 8.1 SSM, the property is set in the BEA_HOME/ales25-ssm/wls-ssm/instance/instancename/bin/set-wls-env script.
For a Web Services SSM, the property is set in the BEA_HOME/ales25-ssm/webservice-ssm/instance/instancename/config/security.properties file.
In the file paths above, instancename is the name you assigned to the SSM instance when you created it.
CR304025
In order to use PointBase with ALES 2.5, the default cache size and paging sizes need to have the following settings:
Database.pagesize = 30720
Cache.size = 10000
WORKAROUND: Edit the pointbase.ini file for your database and set the values there.
Edit the ALES database.properties file found in <bea_home>\ales25-admin\config\database.properties.
Append to the end of the javax.jdo.option.ConnectionURL
?,database.pagesize=30720,cache.size=10000
For example, javax.jdo.option.ConnectionURL:
jdbc:pointbase:server://localhost/asipolicy,database.pagesize=30720,cache.size=10000
CR302610
If you have configured an ASI Authorization provider to use metadirectory, you must modify the configuration after upgrading to 2.5. First, you must replace database server names with JDBC URLs. In 2.5, the field labeled "JDBC URLs" will have one or more database server names from your previous configuration. For example, the field may contain the Oracle service name "XE". That must be changed to an Oracle JDBC URL such as jdbc:oracle:thin:@united:1521:XE. Second, you must add a JDBC driver name in the field labeled JDBC Driver. For example, oracle.jdbc.driver.OracleDriver.
CR286171
On a slow machine or with slow database response, the Wrapper process that starts and monitors the WLS Admin process will stop the WLS process before it completes starting. If the WLS process fails to start the first time after an install, the console and BLM/PD web application will be partly deployed and fail to work even after the WLS process is started.
CONFIGURATION: ALL
WORKAROUND: Modify the wrapper.startup.timeout parameter in WLESAdmin.conf to a number of seconds sufficient to start the WLS process. If the web applications do not work correctly, undeploy them through the WLS administration console and restart the server.
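
For CR300593, one way to review existing LIKE/UNLIKE operands against java.util.regex before relying on them. This is an added example, not BEA code: the class name, the sample operands (constructed) and the two REVIEW heuristics are assumptions, not ALES rules.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class LikePatternReview {

    /** Returns findings for one LIKE/UNLIKE operand; an empty list means nothing stood out. */
    static List<String> review(String p) {
        List<String> notes = new ArrayList<>();
        try {
            Pattern.compile(p); // hard failure: not a Java regular expression at all
        } catch (PatternSyntaxException e) {
            notes.add("INVALID at index " + e.getIndex() + ": " + e.getDescription());
            return notes;
        }
        // Heuristics (assumptions): constructs that compile but often do not mean
        // what an author thinking in file-style wildcards intended.
        boolean inClass = false;
        for (int i = 0; i < p.length(); i++) {
            char c = p.charAt(i);
            if (c == '\\') { i++; continue; }            // skip the escaped character
            if (c == '[') { inClass = true; continue; }
            if (c == ']') { inClass = false; continue; }
            if (inClass) continue;                        // '.' and '*' are literals in a class
            char prev = i > 0 ? p.charAt(i - 1) : '\0';
            char next = i + 1 < p.length() ? p.charAt(i + 1) : '\0';
            if (c == '.' && "*+?{".indexOf(next) < 0)
                notes.add("REVIEW index " + i + ": unescaped '.' matches any character");
            if (c == '*' && ".])".indexOf(prev) < 0)
                notes.add("REVIEW index " + i + ": '*' repeats only the preceding '" + prev + "'");
        }
        return notes;
    }

    public static void main(String[] args) {
        // Constructed sample operands, not taken from any real policy.
        String[] samples = {
            "/reports/.*\\.html",  // written as a Java regex
            "*.html",              // file-style wildcard
            "/app/*",              // compiles, but '*' applies to the final '/'
            "report.html",         // compiles, but '.' is not a literal dot
            "[0-9"                 // unclosed character class
        };
        for (String s : samples) {
            List<String> notes = review(s);
            System.out.println(s + " -> " + (notes.isEmpty() ? "ok" : notes));
        }
    }
}
```

A REVIEW finding is not an error; it marks an operand whose match set may be wider or narrower than the policy author expected.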

 


Contacting BEA Customer Support

Your feedback on the product documentation is important to us. Send us e-mail at docsupport@bea.com if you have questions or comments. Your comments will be reviewed directly by the BEA professionals who create and update the product documentation.

In your e-mail message, please indicate that you are using the documentation for the BEA AquaLogic Enterprise Security Version 2.5 release.

If you have any questions about this version of the BEA AquaLogic Enterprise Security product, or if you have problems installing and running the product, contact BEA Customer Support through BEA Web Support at http://support.bea.com. You can also contact Customer Support by using the contact information provided on the Customer Support Card, which is included in the product package.

When contacting Customer Support, be prepared to provide the following information:

