This section of the Oracle Waveset 8.1.1 Release Notes provides information about
Oracle Waveset 8.1.1 provides the following major new features:
Optimistic checkout. This feature allows more than one workflow to operate on a User object. See Oracle Waveset 8.1.1 Deployment Guide for more information.
Performance and scaling enhancements
Security enhancements
The Connector Framework provides a way to connect Oracle Waveset to target applications through the use of a connector. Identity Connectors and the Framework are part of an open source initiative that offers a generic and consistent way to provision resources with Oracle Waveset. Connectors have been decoupled from the core Oracle Waveset server, enabling them to be released independently of Oracle Waveset builds. Additional connectors will be available for download from the open source project website. Oracle Waveset supports the following connectors:
Active Directory
Database Table
DB2
Domino
Exchange
LDAP
MySQL
Oracle
Oracle ERP
RSA Authentication
SAP
SPML v2
See the open-source project website, https://identityconnectors.dev.java.net/ for more information.
Additional connectors will be added in the near future.
This section provides additional information about the new features provided in Oracle Waveset 8.1.1. This information is organized into the following sections:
Blind copies (BCC) are now supported for email notifications. (ID-12699)
The SAP connector now handles schema-added Date values and null return values. (ID-22260)
The SAP connector populates multi-valued attribute tables correctly. (ID-22417)
Delegation to multiple users is no longer supported. For existing multi-user delegations, only the first user in the delegation will be used for delegation purposes. (ID-16644)
Logging of message details during encryption and decryption has been turned off in the Oracle Waveset Gateway. If you want this to be turned on, you must add the registry setting traceEncryptedInfo to the gateway registry key. See the Oracle Waveset 8.1.1 System Administrator’s Guide for more information. (ID-20491)
The gateway can now store date attributes in either UTC or local time. To use the UTC setting, set the Windows registry key storeDateInUTC to a value of 1. The default value of 0 configures the gateway to store date attributes using local time. (ID-22335)
Oracle Waveset now provides several JMX MBeans that are appropriate for diagnosing performance problems on test or production servers. These MBeans are now located in the Performance group of JConsole.
If you are running Oracle Waveset on the WebLogic application server, the Metro web services libraries need to be installed so that the Waveset / Oracle Identity Analytics integration will work properly. For details, see Step 5: Install the Metro Libraries (optional) in Oracle Waveset Installation. (ID-22628)
Do not use the sample Oracle Identity Analytics (Sun Role Manager) integration workflows included with Oracle Waveset 8.1.1. These workflows, located in the sample/wfrolemanager.xml file, are no longer current. Instead, use the sample workflows available from the Oracle Identity Analytics 11gR1 Documentation Wiki, located here: http://wikis.sun.com/x/L4NbD (ID-22627)
See Workflows regarding an update to the Create User workflow that impacts customers who have integrated Oracle Waveset with Oracle Identity Analytics (Sun Role Manager). (ID-22104)
Password Sync no longer uses the reflected registry entries under “WOW64” when it is installed on 64-bit versions of Microsoft Windows. The minimum version of the .NET framework has also changed to .NET 2.0 to make this possible. (ID-19550)
Updated the Synchronize User Password workflow to execute on behalf of a user whose password is updated so that PasswordExpiration and PasswordHistory properties are properly updated. (ID-22280)
The Oracle Waveset PasswordSync feature is now supported on Windows 2008 R2. (ID-22648)
The admin cache initializes faster when the server is started and you have hundreds of thousands of users. See Tuning Admin Cache Initialization in Oracle Waveset 8.1.1 System Administrator’s Guide for more information. (ID-22523)
Processing and performance are now considerably improved when you assign a controlled organization rule to an AdminRole or an AdminGroup, or an End User controlled organization rule is defined and the rule only requires a single waveset.accountId argument. Oracle Waveset no longer has to load the user view prior to evaluating the rule. (ID-22566)
Many operations will perform better under a large concurrent load. Response time improvements of 30% are common under heavy concurrent loads.
Reconciliation performance has been improved by as much as 50%.
Corrected a problem that caused the Update User capabilities to be lost when an administrator is assigned control of an organization dynamically. (ID-21202)
Added a default password policy for the default system accounts. Prior to this change, configurator (and several other system accounts, such as reset and startup, but not administrator) were exempt from having their account locked. This is no longer true. Customers should either ensure their policy does NOT allow configurator to be locked, or have alternative administrative accounts, preferably other than the default administrator, for such circumstances. (ID-22479)
The Oracle Waveset reconciler can now generate account identities calculated through a form. (ID-12456)
When a full reconciliation is canceled, the error message now states “Canceled the full reconciliation of [resource] running on [server]”. (ID-14554)
You can now configure how the Organizational Scope is displayed in an AuditLog report by using a new Configuration:ReportsConfig attribute named orgListFormat. (ID-22224)
where:
fullOrgList (default value) uses the original orgList format.
noOrgList completely suppresses the orgList in the report header.
shortOrgList uses the orgList format introduced in a previous release.
For example:
<Configuration authType='reportsConfig' id='#ID#Configuration:ReportsConfig' name='Reports Configuration' ...>
  <Extension>
    <Object>
      ...
      <Attribute name='orgListFormat' value='noOrgList'/>
      <Attribute name='orgListFormat' value='shortOrgList'/>
      <Attribute name='orgListFormat' value='fullOrgList'/>
    </Object>
  </Extension>
  ...
</Configuration>
The orgListFormat attribute was also added to the Task Definition for AuditReportTask to override the value specified in the configuration. You can specify any of the preceding attribute values or, if no value is specified, the report uses the value from the configuration.
Added the preferPreparedStatements attribute to the RepositoryConfiguration Configuration object. When set to true, Oracle Waveset uses PreparedStatements wherever possible. By default this attribute is false. (ID-10968)
This attribute can improve repository performance under certain conditions.
The repository must use pooled connections.
The connections must support implicit statement caching.
Otherwise, this attribute may degrade performance. Oracle Waveset does not explicitly cache prepared statements from the client side of the JDBC call. It depends on the JDBC drivers to do that. Since statements are cached on the actual JDBC connection, if connection pooling is not used, there is no opportunity for the cached statements to be re-used. Normally this means Oracle Waveset must be configured to use an application server DataSource, and the DataSource must use JDBC drivers that support implicit connection pooling.
The following attributes are now supported when 5.3 SP9 is set for the version resource attribute for an SAP Access Control 5.3 resource. (ID-21863)
functionalArea
managerTelephone
requestorTelephone
sNCName
unsecureLogon
validFrom
validTo
Oracle Waveset has long had AttributeDefinitions associated with AccountAttributes on a resource. However, these were not always enforced. The ResourceViewer now enforces that if an AttributeDefinition exists with the same name as an AccountAttribute, then the properties of the AccountAttribute (such as its type) must match those of the AttributeDefinition. (ID-21267)
Added the Use ASUSPEND resource parameter to the Top Secret resource adapter. When selected, only the ASUSPEND command will be used to disable users. (ID-21290).
Added the resource parameter Account Iterator Privileges for the ACF2 resource adapter to provide filtering for account iteration. This resource attribute is multi-valued and the entries will be formatted into one IF(...) statement to be issued as part of the ACF LIST command. (ID-22307)
If you are running Oracle Waveset on the WebLogic application server and you are using the SAP Web Services resource adapter, the Metro web services libraries need to be installed. For details, see Step 5: Install the Metro Libraries (optional) in Oracle Waveset Installation. (ID-22628)
See Workflows regarding an update to the Create User workflow that impacts customers with SAP GRC integrations. (ID-22104)
Various directories at the web application context root that are not part of the web interface are accessible using HTTP GET. In particular, the file /config/Waveset.properties is accessible, and might contain sensitive data. The fix for this bug adds a security-constraint to the web application deployment descriptor (web.xml) to block HTTP access. (ID-20070)
New installations of Oracle Waveset version 8.1.1 will include this fix. However, any existing deployments, including those upgraded to version 8.1.1 need the following added to the deployment descriptor:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unpublished Files</web-resource-name>
    <url-pattern>/bin/*</url-pattern>
    <url-pattern>/config/*</url-pattern>
    <url-pattern>/doc/*</url-pattern>
    <url-pattern>/exporter/*</url-pattern>
    <url-pattern>/patches/*</url-pattern>
    <url-pattern>/sample/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
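One way to check an existing or upgraded deployment's web.xml for the constraint above (an added example, not Oracle's code; the function names and the UPGRADED sample descriptor are constructed for illustration). It also catches constraints that look protective but are not: ones limited to specific HTTP methods, or ones that name a role instead of leaving auth-constraint empty.

```python
import xml.etree.ElementTree as ET

# URL patterns from the release note's security-constraint (ID-20070).
REQUIRED_PATTERNS = ["/bin/*", "/config/*", "/doc/*",
                     "/exporter/*", "/patches/*", "/sample/*"]

def _children(elem, name):
    # Compare local names so DTD-based and namespaced descriptors both work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def blocked_patterns(web_xml_text):
    """Return url-patterns denied to every caller for every HTTP method."""
    blocked = set()
    for sc in _children(ET.fromstring(web_xml_text), "security-constraint"):
        auth = _children(sc, "auth-constraint")
        # Only an auth-constraint with no role-name denies all callers.
        if not auth or any(_children(a, "role-name") for a in auth):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            # Listing http-method elements leaves the unlisted methods open.
            if _children(wrc, "http-method"):
                continue
            blocked.update((p.text or "").strip()
                           for p in _children(wrc, "url-pattern"))
    return blocked

def missing_patterns(web_xml_text):
    """Release-note patterns the descriptor does not block (exact match only)."""
    have = blocked_patterns(web_xml_text)
    return [p for p in REQUIRED_PATTERNS if p not in have]

# Constructed sample: an upgraded deployment with partial, ineffective rules.
UPGRADED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Config, GET only</web-resource-name>
      <url-pattern>/config/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Docs for one role</web-resource-name>
      <url-pattern>/doc/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Samples</web-resource-name>
      <url-pattern>/sample/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

print("not blocked:", missing_patterns(UPGRADED))
```

Run it against each server's deployed web.xml; an empty result means all six directories from the release note are denied.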
When accessing a WorkItem or TaskInstance instance through the anonymous end-user interface (for example, user/anonWorkItemEdit.jsp), the URL is based on the repository ID of the instance. Authorization now requires the anonymousUser value set in the anonLogin.jsp page to match the owner field of the repository object. (ID-21434)
Oracle Waveset can be displayed in a frameset, leaving it vulnerable to a “clickjacking” attack. This is fixed by adding frame-detection logic in the HTML rendered for every page. (ID-22406)
Added a property to the Waveset.properties file that prevents stack trace information from being displayed. (ID-22409)
By default, Oracle Waveset returns stack trace information as HTML comments when some errors occur. The stack trace is not normally visible to the end-user, but can be revealed by showing the source of the page. This stack information is very useful when diagnosing a problem, but exposes information about the execution of the web application that could be considered a security risk. It is therefore suggested that production deployments turn off the rendering of stack information with the following setting in Waveset.properties.
ui.web.disableStackTraceComments=true
This change must be done manually on each Oracle Waveset server.
By default, Oracle Waveset gives specific error messages when a login attempt fails, allowing an attacker to determine whether an account name is valid. To provide only a generic 'login failed' message, change the settings under Security -> Login -> Login Application. (ID-22574)
The openspml2-toolkit.jar was updated to version 192-20100413 from openspml.dev.java.net, and includes several bug fixes. (ID-21987)
UserViewer can now build attributes from the accounts[Resource|AccountType] namespace. (ID-19082)
Previously, in the Create User workflow, when a policy violation check was executed, a temporary user object was created in the Top organization so that a Deferred Task could be associated with it. This behavior has changed. Going forward, the transient user object is now created in the same organization as the user. This change has been made to wfexternalpolicy.xml. Customers who use a custom workflow for external policy checks may need to merge this change with their workflow. (ID-22104)
This section describes the bugs fixed in Oracle Waveset 8.1.1, and the information is organized as follows:
When you are viewing a task results page and you change the sort column, the system now stays on the same page. (ID-19312)
Fixed an issue in which clicking Work Items and then attempting to edit a user from Find User results would result in the wrong form being displayed. (ID-20485)
The ActivityStatusPoller component no longer hangs when displaying the status of resource reconciliation tasks on the Reconciliation Status page. (ID-21800)
The Add button on the Audited Attribute Report page now works correctly. (ID-22040)
Previously, an approval would not be successful if the user data contained non-ASCII characters and the approval was signed with an XML digital signature. This condition has been fixed. (ID-22276)
The Transaction Signer applet now contains an Alt attribute. (ID-22308)
The Applet component now properly implements the Alt attribute. (ID-22318)
Corrected the UI_IDMX_TXNCONFIG_FORM_FIELD_ENABLE_ASYNC message key in the WPMessages.properties file. (ID-22320)
Dashboard graph images are now properly loaded when Waveset is deployed on Websphere 6.x or 7.x. (ID-22385)
Some pages allow you to use optional attributes such as email or fullname instead of accountId to display a user name. The Approvals page now displays these optional attributes correctly. This bug corrects a regression introduced by bug 15935. (ID-22372)
Corrected a condition in the AsynchronousPublisher method that caused the application server to hang at shutdown. (ID-22330)
Oracle Waveset will now automatically reset the value of maxFileSizeKB to a smaller value if the configured value exceeds 2,147,483,647 bytes. Previously, if maxFileSizeKB was set too high, it prevented the application server from starting, and the problem could only be fixed by manually editing the value in the repository. (ID-22341).
Failure notification emails sent by Password Sync no longer contain the placeholder text if no substitution information is available. The placeholders $(accountId), $(errorMessage) and $(sourceEndpoint) will be replaced with default text if no values are available. (ID-21809)
Failure notification emails sent by Password Sync no longer contain the placeholder text “\n”. Each occurrence of the “\n” combination in the body text will be replaced with a proper new line character before sending the email. (ID-21810)
Previously, Password Sync in direct mode could throw a null pointer exception on the Oracle Waveset server side if no sync action was performed. This in turn could lead to sending an incorrect failure email by the DLL. This exception is no longer thrown, and an informational message is logged in the trace log on the server. (ID-22221)
Password Sync no longer throws an exception due to invalid certificates when the “Allow invalid certificates” option is set. (ID-22532)
Oracle Waveset now updates the account index correctly when a user is moved across organizations on a resource using native tools. This functionality works correctly whether you use bulk operations or edit the user in Oracle Waveset, assuming the identity template uses a variable to specify the organization. (ID-21211)
When running an Access Review Detail Report that includes results with Entitlement Status of “Pending”, Oracle Waveset no longer allows specifying a specific attestor. This is because pending attestations are not associated with an attestor until the attestations are approved, rejected, remediated or canceled. (ID-21782)
The Task Report template no longer throws a NoSuchElementException when enabling the “Report only tasks pending approval by” check box and selecting one user. (ID-22315)
Usage reports now display charts correctly when the ui.web.relativeURL=true property is set in the Waveset.properties file. (ID-22324)
User Summary Reports now display the Title and Description fields correctly. (ID-22376)
User Question Report now displays the correct Minimum Number of Questions Not Answered values. (ID-22434)
The RACF adapter now tests each connection only once when you select the Test Connection button. (ID-19245)
The Shell Script resource adapter now correctly performs the Change Password resource action. (ID-19579)
When tracing is enabled at level 4 for the LDAP resource adapter (class com.waveset.adapter.LDAPResourceAdapter), and a user account is added or the password is modified, the user's password is no longer revealed in the trace log. (ID-20509)
Oracle Waveset now allows non-conflicting further updates on accounts with pending changes on external resources. (ID-20846)
The search subdomains feature of the Active Directory resource adapter now works properly. (ID-21028)
The SAP connector correctly parses role names and profile names that contain a : (colon) or a | (vertical bar). (ID-21803)
Oracle Waveset now displays and creates resource objects when an LDAP resource adapter has multiple base contexts defined. (ID-21944)
The RACF LDAP resource adapter no longer automatically retries user searches that return zero results. (ID-22269)
Domino attributes that are mapped to Oracle Waveset data type INT can now be updated. Previously, removing attribute values of type INT in the resource attribute schema had no effect. (ID-22338)
During Active Sync, the LDAP resource adapter no longer throws a ClassCastException when the modifiersname value contains a non-ASCII character or is Binary (Base64 encoded). (ID-22354)
Provisioning requests will no longer timeout if the list of provisioners has been exhausted while waiting for the request to be completed. If the list of provisioners is exhausted, the last provisioner will be used and timeouts will be set to 0, indicating no timeout. This change of behavior will only apply to external resource requests configured with web services based resources. (ID-22410)
The Oracle ERP adapter now creates accounts that have a future start date correctly. (ID-22520)
The waveset.roleInfos attribute in the User view has been modified so that the assignmentType, assignedBy, and assignedByAuthoritativeSource attributes are removed from the view if the role is directly assigned. Before this change, roleInfos was constantly updated, and this could cause a resource account to be improperly provisioned or deprovisioned. (ID-22188)
Previously, when searching for a user in a dynamic organization with at least two directly assigned roles, Oracle Waveset would display only one role in the result table. This condition has been fixed. (ID-22458)
Corrected an error that prevented sessions from being properly updated with a last use time. As a result, sessions could time out, although they were continuously used. (ID-21617)
Previously, when a WavesetResult was requested with req.setAttribute("returnWavesetResult", "true"); the WavesetResult was not converted to XML, which meant it was not properly serialized. This condition has been corrected. (ID-22433)
Previously, you might see an increase in repository lock contention when concurrently executing the out-of-the-box “Rename Task” workflow in environments using multiple clustered Oracle Waveset servers. This contention caused some tasks to fail, but they continued to display their status as executing. These tasks no longer fail. (ID-14902)