Oracle® Access Manager Deployment Guide 10g (10.1.4.3) Part Number E12490-01
This section describes new features of the Oracle Access Manager release 10.1.4. This includes details for 10g (10.1.4), 10g (10.1.4.2.0), and 10g (10.1.4.3).
The following sections are included:
Note:
For a comprehensive list of all new features and functions in Oracle Access Manager 10.1.4, and a description of where each is documented, see the chapter on what's new in the Oracle Access Manager Introduction.
The original product name, Oblix NetPoint, has changed to Oracle Access Manager. Most component names remain the same. However, there are several important changes that you should know about, as shown in the following table:
All legacy references in the product or documentation should be understood to connote the new names.
Included in this release are new enhancements and bug fixes for 10g (10.1.4.3) in addition to all fixes and enhancements from 10g (10.1.4.2.0) bundle patches through BP07. The following topics describe 10g (10.1.4.3) enhancements described in this book:
Access System Performance Enhancements for Large Group Evaluations
Asynchronous Cache Flush Operations Between Identity and Access Servers
Error Handling for Message Channel Initialization During Cache Flush
Identity System Performance Enhancements for Large Group Evaluations
See Also:
Oracle Access Manager Introduction for a list of all new features and functions
The following Access System performance enhancements for large group evaluations are provided with Oracle Access Manager 10g (10.1.4.3):
The Access Server (and Policy Manager when using the Access Tester) evaluates the group for membership as a type, only if that type is enabled. To improve performance during group evaluations when you do not use dynamic groups, or when you have dynamic groups but do not want to evaluate them while processing ObMyGroups, you can turn off dynamic group evaluation using the TurnOffDynamicGroupEvaluation parameter in the Access Server (or Policy Manager) globalparams.xml file.
Access Server v7.0.2 provided the ability to disable nested group evaluation using the TurnOffNestedGroupEvaluation parameter in the Access Server globalparams.xml file.
In 10g (10.1.4.3), a new algorithm can be used during group evaluation involving ObMyGroups: TurnOffNewAlgorithmForObmyGroups. This algorithm in the Access Server globalparams.xml file works equally when you have static, dynamic, and nested groups.
The NestedQueryLDAPFilterSize parameter can be used in the Access Server globalparams.xml file if TurnOffNewAlgorithmForObmyGroups is false. This improves evaluation performance of ObMyGroups. With this parameter, the LDAP search query is divided and then executed. For more information, see the table on globalparams.xml in the chapter on parameters in the Oracle Access Manager Customization Guide.
The GroupCacheTimeout parameter enables you to specify the amount of time an element remains valid in the Access Server group cache. The parameter must be added to the Access Server globalparams.xml file (or the Policy Manager file if you are using the Access Tester).
The GroupCacheMaxElement parameter specifies the maximum number of elements that can be stored in the Access Server group cache. The parameter must be added to the Access Server globalparams.xml file (or the Policy Manager file if you are using the Access Tester).
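The following added example (not taken from the Oracle documentation) reviews the group-evaluation parameters named above in a globalparams.xml file and flags the one dependency this section states: NestedQueryLDAPFilterSize applies only if TurnOffNewAlgorithmForObmyGroups is false. The NameValPair/ParamName/Value layout, the sample file, and the value 20 are assumptions constructed for illustration; check them against your own file.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment file. The NameValPair layout
# (ParamName/Value attributes) is an assumption about globalparams.xml.
SAMPLE = """<?xml version="1.0"?>
<ValNameList xmlns="http://www.oblix.com" ListName="globalparams.xml">
  <SimpleList><NameValPair ParamName="TurnOffDynamicGroupEvaluation" Value="true"/></SimpleList>
  <SimpleList><NameValPair ParamName="TurnOffNewAlgorithmForObmyGroups" Value="true"/></SimpleList>
  <SimpleList><NameValPair ParamName="NestedQueryLDAPFilterSize" Value="20"/></SimpleList>
</ValNameList>"""

# Parameter names exactly as they appear in this section.
GROUP_PARAMS = (
    "TurnOffDynamicGroupEvaluation", "TurnOffNestedGroupEvaluation",
    "TurnOffNewAlgorithmForObmyGroups", "NestedQueryLDAPFilterSize",
    "GroupCacheTimeout", "GroupCacheMaxElement",
)

def read_params(xml_text):
    """Return {ParamName: Value} for every NameValPair, ignoring XML namespaces."""
    params = {}
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] == "NameValPair":
            params[elem.get("ParamName")] = elem.get("Value", "")
    return params

def is_true(params, name):
    """True only when the parameter is present and set to 'true'."""
    return params.get(name, "").strip().lower() == "true"

def review_group_settings(xml_text):
    """List which group-evaluation parameters are set and flag ineffective ones."""
    params = read_params(xml_text)
    findings = []
    for name in GROUP_PARAMS:
        if name in params:
            findings.append(f"set: {name}={params[name]}")
        else:
            findings.append(f"absent: {name}")
    # The filter-size parameter is documented as usable only when
    # TurnOffNewAlgorithmForObmyGroups is false.
    if "NestedQueryLDAPFilterSize" in params and is_true(
            params, "TurnOffNewAlgorithmForObmyGroups"):
        findings.append("conflict: NestedQueryLDAPFilterSize is set but "
                        "TurnOffNewAlgorithmForObmyGroups is true")
    return findings

if __name__ == "__main__":
    print("\n".join(review_group_settings(SAMPLE)))
```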
Oracle Access Manager 10g (10.1.4.3) provides an asynchronous cache flush option to help streamline performance and avoid delays associated with synchronous cache flush operations on the Access System. With the asynchronous method, the request arrives at the Access Server and a response is sent immediately to the Identity Server without a delay.
Oracle Access Manager 10g (10.1.4.3) enhances the network layer shared by WebGate and Access Server. As a result, errors that might occur as a result of message channel initialization failure (due to a socket with an unlimited time period) are avoided. Today, the message channel stops sending and receiving messages and a WARNING level log message is recorded.
In the groupdbparams.xml file, TurnOffDynamicGroupEvaluation and TurnOffNestedGroupEvaluation can be set to true to enhance performance during group evaluation by eliminating dynamic or nested groups when these are not used.
See Also:
Parameters chapter in the Oracle Access Manager Customization Guide and Chapter 3 in this guide
When installing and configuring Oracle Access Manager, specific transport security guidelines must be observed, as described in previous topics. After installation and setup, you can choose to use mixed-mode communication for cache flush operations.
Oracle Access Manager 10g (10.1.4.2.0) provided a method that enabled you to use Open mode communication for cache flush requests between the Identity and Access Server while retaining Simple or Cert mode for all other requests. This type of configuration is known as mixed security mode (or mixed transport security mode) communication. Oracle Access Manager 10g (10.1.4.3) provides a streamlined method to implement mixed-mode communication for cache flush requests.
Oracle Access Manager 10g (10.1.4.3) provides new Language Pack installers. 10g (10.1.4.3) Language Packs are required in any 10g (10.1.4.3) deployment, whether it is a fresh installation or an upgraded and patched deployment.
Functionality that is new with 10g (10.1.4.2.0) and 10g (10.1.4.3) can include new messages, which might not be translated and could appear in only English.
See Also:
Oracle Access Manager Installation Guide.
Earlier releases of Oracle Access Manager for Linux used the LinuxThreads library only. Using LinuxThreads required that you set the environment variable LD_ASSUME_KERNEL, which is used by the dynamic linker to decide what implementation of libraries is used. When you set LD_ASSUME_KERNEL to 2.4.19, the libraries in /lib/i686 are used dynamically.
RedHat Linux v5 and later releases support only Native POSIX Thread Library (NPTL), not LinuxThreads. To accommodate this change, Oracle Access Manager 10g (10.1.4.3) is compliant with NPTL specifications. However, LinuxThreads is used by default for all except Oracle Access Manager Web components for Oracle HTTP Server 11g.
Note:
On Linux, Oracle Access Manager Web components for Oracle HTTP Server 11g use only NPTL; you cannot use the LinuxThreads library. In this case, do not set the environment variable LD_ASSUME_KERNEL to 2.4.19.
See Also:
Oracle Access Manager Installation Guide.
Updates and additions have been made to this topic:
You can change basic components that you specified during Oracle Access Manager installation, such as the person object class or the directory server host.
See Also:
"Reconfiguring the System".
New examples of updating the LDAP bind password now include a missing required parameter -i install_dir and other clarifications.
See Also:
"Updating the LDAP Bind Password".
Oracle Access Manager 10g (10.1.4.3) provides a new function that enables you to specify a wait period for sockets during synchronous cache flush requests between multiple Access Servers. In this case, a socket waits for only a specified time for I/O completion. If the expected operation is not completed within the specified time, an error is reported and the request is sent to other Access Servers. With synchronous requests, WebPass and Policy Manager do not hang if one Access Server hangs.
In the Identity Server globalparams.xml file, you can use the negativeListForEntityAttributes parameter to identify specific attributes that are not read or cached during view and modify profile operations.
See Also:
"Tuning the Internal DBAgent Cache"
A new chapter has been added to discuss deployment types and tiers, deployment scenarios and environments, deployment categories, and deployment guidelines.
See Also:
Chapter 1
The following Access System performance enhancements for large group evaluations are provided with Oracle Access Manager 10g (10.1.4.3):
The Access Server (and Policy Manager when using the Access Tester) evaluates the group for membership as a type, only if that type is enabled. To improve performance during group evaluations when you do not use dynamic groups, or when you have dynamic groups but do not want to evaluate them while processing ObMyGroups, you can turn off dynamic group evaluation using the TurnOffDynamicGroupEvaluation parameter in the Access Server (or Policy Manager) globalparams.xml file.
Access Server v7.0.2 provided the ability to disable nested group evaluation using the TurnOffNestedGroupEvaluation parameter in the Access Server globalparams.xml file.
In 10g (10.1.4.3), a new algorithm can be used during group evaluation involving ObMyGroups: TurnOffNewAlgorithmForObmyGroups. This algorithm in the Access Server globalparams.xml file works equally when you have static, dynamic, and nested groups.
In the Access Server globalparams.xml file, you can use the NestedQueryLDAPFilterSize parameter if TurnOffNewAlgorithmForObmyGroups is false to improve evaluation performance of ObMyGroups. With this parameter, the LDAP search query is divided and then executed.
The GroupCacheTimeout parameter enables you to specify the amount of time an element remains valid in the Access Server group cache. The parameter is included in the Access Server globalparams.xml file (or the Policy Manager file if you are using the Access Tester).
The GroupCacheMaxElement parameter specifies the maximum number of elements that can be stored in the Access Server group cache. The parameter is provided in the Access Server globalparams.xml file (or the Policy Manager file if you are using the Access Tester).
Several cache flush enhancements are available with Oracle Access Manager 10g (10.1.4.3), and new information is provided on these as follows:
Asynchronous cache flush from the Identity System to the Access System
Enhancing performance using mixed mode communication for cache flush requests
Synchronous cache flush operations between multiple Access Servers using a specified time period for I/O completion
New handling of message channel initialization failures
Chapter 5 has been reorganized and updated to provide more background information and clarify caching and cache flush operations
In the Access Server globalparams.xml file, the UserMgmtNodeEnabled parameter can be used. This parameter controls the enabling and disabling of a feature that manages WebGate memory growth. For more information, see the chapter on parameters in the Oracle Access Manager Customization Guide. See also the tip on "Cache Flush Issues with Active Directory" in the Oracle Access Manager Access Administration Guide.
The chapter that describes capacity planning has been updated to provide even more helpful details.
See Also:
Chapter 2
Information has been added on load balancing of LDAP data.
See Also:
"About Load Balancing of LDAP Data".
A "heartbeat" polling mechanism facilitates immediate failover to a secondary directory server when the number of connections in the connection pool falls below the specified threshold level. Information has been added on setting the polling interval for failover.
Information on configuring failover for Policy Manager data has been added.
The Oracle Access Manager Configuration Manager has been deprecated and is no longer available. The overview has been removed from Chapter 8 of this guide.
You can change basic components that you specified during Oracle Access Manager installation, such as the person object class or the directory server host.
See Also:
"Reconfiguring the System".
Several enhancements have been made to directory tuning documentation.
To optimize performance, you should ensure that your directory performance is optimal. In this release, information on directory tuning has been enhanced.
New guidelines for configuring the directory connection pool size have been added.
This release provides a new parameter for clearing the LDAP connection cache.
See Also:
"Directory Connection Pool Size".
New parameters enable a component to fail over to a secondary directory server if the primary server takes too long to respond or too long to process a request.
Guidelines have been provided on configuring threads and queues, configuring group searches, and tuning Policy Manager LDAP searches.
Guidelines have been provided for optimizing directory searches that users perform with the Identity System applications.
See Also:
"Tuning Identity System Searches".
Guidelines are provided to improve performance during group evaluations when you do not use dynamic groups or nested groups.
Guidelines are provided to optimize performance of the Group Manager application in the Identity System.
See Also:
"Tuning the Group Manager Application"
There are best practices for optimizing workflow performance.
To minimize the impact that workflows have on server performance, you can tune various parameters in workflowdbparams.xml. You can also tune various workflow search parameters to enhance performance.
See Also:
"Tuning Workflows".
There are best practices for optimizing network and Oracle Access Manager performance.
See Also:
"Tuning Your Network".
If you do not use nested groups in your directory, you can improve group membership searches by turning off nested group evaluation.
See Also:
"Use Nested Groups with Caution".