Oracle® Access Manager Access Administration Guide 10g (10.1.4.3) Part Number E12488-01 |
This section describes new features of the Oracle Access Manager release 10.1.4. This includes details for 10g (10.1.4.0.1), 10g (10.1.4.2.0), and 10g (10.1.4.3).
The following sections are included:
Triggering Authentication Actions After the ObSSOCookie Is Set
Associating WebGates with Specific Virtual Hosts, Directories, and Files
Configuring Lotus Domino and Windows Impersonation Single Sign-On
Note:
For a comprehensive list of all new features and functions in Oracle Access Manager 10.1.4, and a description of where each is documented, see the chapter on what's new in the Oracle Access Manager Introduction.
The original product name, Oblix NetPoint, has changed to Oracle Access Manager. Most component names remain the same. However, there are several important changes that you should know about, as shown in the following table:
All legacy references in the product or documentation should be understood to refer to the new names.
Included in this release are new enhancements and bug fixes for 10g (10.1.4.3), in addition to all fixes and enhancements from 10g (10.1.4.2.0) bundle patches through BP07. The following topics describe the 10g (10.1.4.3) enhancements covered in this book:
See Also:
Oracle Access Manager Introduction for a list of all new features and functions
Several clarifications have been made regarding the Access Management Service setting in WebGate and Access Server profiles. This setting is Off by default. When it is set to On, the Access Server starts servicing requests from AccessGates. The Access Management Service must be On for associated Access Servers and AccessGates. WebGates do not require the Access Management Service unless an associated Access Server uses it.
New information has been added to describe how to use Access Tester when you have custom authentication or authorization plug-ins.
See Also:
"Using Access Tester"
Oracle has added a new, optional, and configurable challenge parameter (maxpostdatabytes) for form-based authentication schemes only. The maxpostdatabytes challenge parameter is used in the same way as the other challenge parameters (form, creds, action, and passthrough).
See Also:
Appendix A, "Form-Based Authentication"
The oblixGSN objectclass in the directory server is used by the cache flush mechanism. It contains a global sequence number (the value of the obSeqNo attribute) that represents the flush request number. When multiple Access Servers write to multiple directory servers, however, changes can cause the global sequence number in the directory servers to get out of sync. The corresponding entries in the directory servers might then become corrupted, which can lead to inconsistent performance in Oracle Access Manager.
Oracle Access Manager provides a command-line tool (recovergsncorruption), located in PolicyManager_install_dir\access\oblix\tools, that detects corrupted GSNs in the directory server. If corruption is discovered, you can initiate recovery processing after disabling the cache flush operation between Identity Servers and Access Servers.
See Also:
Oracle Access Manager supports Internet Protocol Version 4 (IPv4). However, you can configure Oracle Access Manager to work with clients that support IPv6 by setting up a reverse proxy server.
Messages for minor releases (10g (10.1.4.2.0) and 10g (10.1.4.3)) added for new functionality might not be translated and can appear in English only.
Earlier releases of Oracle Access Manager for Linux used only the LinuxThreads library. Using LinuxThreads required that you set the environment variable LD_ASSUME_KERNEL, which the dynamic linker uses to decide which implementation of the libraries is loaded. When you set LD_ASSUME_KERNEL to 2.4.19, the libraries in /lib/i686 are loaded dynamically.
RedHat Linux v5 and later releases support only the Native POSIX Thread Library (NPTL), not LinuxThreads. To accommodate this change, Oracle Access Manager 10g (10.1.4.3) is compliant with the NPTL specification. However, LinuxThreads is used by default for all components except the Oracle Access Manager Web components for Oracle HTTP Server 11g.
Note:
On Linux, Oracle Access Manager Web components for Oracle HTTP Server 11g use only NPTL; you cannot use the LinuxThreads library. In this case, do not set the environment variable LD_ASSUME_KERNEL to 2.4.19.
Several new tips have been added to the troubleshooting details in this guide.
Several new user-defined parameters have been added for use in WebGate configuration profiles:
ContentLengthFor401Response
idleSessionTimeoutLogic
ProxySSLHeaderVar
RetainDownstreamPostData
SUN61HttpProtocolVersion
WebGates have been updated to use the same code as the Access System, and WebGate configuration parameters that once existed in WebGateStatic.lst have been moved to the Access System user interface.
After installing the new WebGates, you can now configure such parameters as IPValidation and IPValidationExceptions from the Access System GUI. The WebGateStatic.lst file no longer exists.
WebGates can work behind a reverse proxy.
Information on setting up a WebGate behind a reverse proxy has been added to this book.
See Also:
"Placing a WebGate Behind a Reverse Proxy"
Preferred HTTP Hosts are now required, and special configuration is needed to support virtual Web hosting.
In this release, you must supply a Preferred HTTP Host when configuring a WebGate. If your environment uses virtual Web hosting, new parameters let you specify a preferred HTTP host for that case.
The documentation on URL prefixes and patterns has been updated for clarity.
WebGates can work behind a reverse proxy.
Information on setting up a WebGate behind a reverse proxy has been added to this book.
See Also:
"Placing a WebGate Behind a Reverse Proxy"
You can cause authentication actions to be executed after the ObSSOCookie is set.
Typically, authentication actions are triggered after authentication has been processed and before the ObSSOCookie is set. In a complex environment, however, the ObSSOCookie might be set before the user is redirected to a page containing a resource. In this case, you can configure an authentication scheme to trigger these actions after the cookie is set.
Information has been added about the differences between configuring a form on the server where the WebGate resides and configuring it on a server other than the one hosting the WebGate.
Information has been added about configuring single logout from applications that use form-based authentication.
See Also:
"Configuring Logout"
It is no longer necessary to disable an authentication scheme before you modify it.
See Also:
"Configuring User Authentication"
You can configure an authentication scheme that allows the user to remain logged in for a period of time rather than for a single session.
Non-ASCII characters are not permitted in HTTP headers or cookies. Thus, non-ASCII characters are not supported in the header variable Name and Return Attribute fields when you define authentication rule actions.
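The restriction above is easy to check before an authentication rule is saved. The following is an added example, not code from the Oracle documentation or the product: a pre-flight validator for (header variable Name, Return Attribute) pairs that flags any field containing non-ASCII characters, and additionally requires the header name to be a legal HTTP token. The sample action list and the function names are constructed for this illustration.

```python
# Added example (not from the Oracle Access Manager documentation or product).
# Pre-flight check for authentication-action header variables: Oracle Access
# Manager does not support non-ASCII characters in the header variable Name
# or Return Attribute fields, because HTTP headers and cookies are ASCII-only.

# Characters allowed in an HTTP header field name besides letters and digits
# (the "tchar" set from RFC 7230).
_TCHAR = set("!#$%&'*+-.^_`|~")


def is_ascii_header_token(name: str) -> bool:
    """True if `name` is a non-empty, ASCII-only HTTP header field name."""
    if not name:
        return False
    for ch in name:
        if ord(ch) > 0x7F:          # non-ASCII: rejected by the server
            return False
        if not (ch.isalnum() or ch in _TCHAR):
            return False            # space, colon, control chars, etc.
    return True


def is_ascii_printable(value: str) -> bool:
    """True if `value` is non-empty printable ASCII (no controls, no CR/LF)."""
    return bool(value) and all(0x20 <= ord(ch) < 0x7F for ch in value)


def validate_actions(actions):
    """Return a list of (field, reason) problems for the given
    (header_name, return_attribute) pairs; an empty list means all are OK."""
    problems = []
    for header_name, return_attribute in actions:
        if not is_ascii_header_token(header_name):
            problems.append((header_name, "header variable Name is not an ASCII HTTP token"))
        if not is_ascii_printable(return_attribute):
            problems.append((return_attribute, "Return Attribute contains non-ASCII or control characters"))
    return problems


# Constructed sample: one valid action, one with a non-ASCII header name,
# one with a non-ASCII return attribute.
SAMPLE_ACTIONS = [
    ("OAM_REMOTE_USER", "uid"),
    ("X-Benutzer-\u00fc", "mail"),      # "X-Benutzer-ü"
    ("X-Prenom", "pr\u00e9nom"),        # "prénom"
]

if __name__ == "__main__":
    for field, reason in validate_actions(SAMPLE_ACTIONS):
        print(f"{field!r}: {reason}")
```

Run the check on the action definitions you intend to enter in the Access System; anything it reports would be rejected or mishandled once it reaches the HTTP layer.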
You can configure the Oracle Access Manager single sign-on logout URL to point to a logout.html file in the language of the user's browser.
See Also:
"Configuring a Single Sign-On Logout URL"
A section has been added on creating custom single sign-on logout URLs and logout pages.
See Also:
"Configuring Logout"
You can configure the WebGate to work only with specific virtual hosts, directories, and files.
An additional parameter has been added to this plug-in for use with Lost Password Management when a WebPass is on a different server from the WebGate that protects the requested resource.
See Also:
"Validate Password Plug-In"
The appendix on using the Access System to override Windows-enabled Impersonation has been moved.
See Also:
Oracle Access Manager Integration Guide
The information on configuring single sign-on with Lotus Domino and Windows Impersonation has been moved to another book in this suite.
See Also:
Oracle Access Manager Integration Guide
Information on troubleshooting that was dispersed throughout this manual has been consolidated in a separate appendix.
See Also:
"Troubleshooting Oracle Access Manager"
You can now write diagnostic information to a log file.
See Also:
"Capturing Diagnostic Information"
New troubleshooting topics have been added.