This section provides additional information about the new features provided in Oracle Waveset 8.1.1. This information is organized into the following sections:
Blind copies (BCC) are now supported for email notifications. (ID-12699)
The SAP connector now handles schema-added Date values and null return values. (ID-22260)
The SAP connector populates multi-valued attribute tables correctly. (ID-22417)
Delegation to multiple users is no longer supported. For existing multi-user delegations, only the first user in the delegation will be used for delegation purposes. (ID-16644)
Logging of message details during encryption and decryption has been turned off in the Oracle Waveset Gateway. To turn this logging back on, you must add the registry setting traceEncryptedInfo to the gateway registry key. See the Oracle Waveset 8.1.1 System Administrator’s Guide for more information. (ID-20491)
The gateway can now store date attributes in either UTC or local time. To use the UTC setting, set the Windows registry key storeDateInUTC to a value of 1. The default value of 0 configures the gateway to store date attributes using local time. (ID-22335)
Oracle Waveset now provides several JMX MBeans that are appropriate for diagnosing performance problems on test or production servers. These MBeans are now located in the Performance group of JConsole.
If you are running Oracle Waveset on the WebLogic application server, the Metro web services libraries need to be installed so that the Waveset / Oracle Identity Analytics integration will work properly. For details, see Step 5: Install the Metro Libraries (optional) in Oracle Waveset Installation. (ID-22628)
Do not use the sample Oracle Identity Analytics (Sun Role Manager) integration workflows included with Oracle Waveset 8.1.1. These workflows, located in the sample/wfrolemanager.xml file, are no longer current. Instead, use the sample workflows available from the Oracle Identity Analytics 11gR1 Documentation Wiki, located here: http://wikis.sun.com/x/L4NbD (ID-22627)
See Workflows regarding an update to the Create User workflow that impacts customers who have integrated Oracle Waveset with Oracle Identity Analytics (Sun Role Manager). (ID-22104)
Password Sync no longer uses the “WOW64” reflected registry entries when it is installed on 64-bit versions of Microsoft Windows. The minimum version of the .NET framework has also changed to .NET 2.0 to make this possible. (ID-19550)
Updated the Synchronize User Password workflow to execute on behalf of a user whose password is updated so that PasswordExpiration and PasswordHistory properties are properly updated. (ID-22280)
The Oracle Waveset PasswordSync feature is now supported on Windows 2008 R2. (ID-22648)
The admin cache initializes faster when the server is started and you have hundreds of thousands of users. See Tuning Admin Cache Initialization in Oracle Waveset 8.1.1 System Administrator’s Guide for more information. (ID-22523)
Processing and performance are now considerably improved when you assign a controlled organization rule to an AdminRole or an AdminGroup, or an End User controlled organization rule is defined and the rule only requires a single waveset.accountId argument. Oracle Waveset no longer has to load the user view prior to evaluating the rule. (ID-22566)
Many operations will perform better under a large concurrent load. Response time improvements of 30% are common under heavy concurrent loads.
Reconciliation performance has been improved by as much as 50%.
Corrected a problem that caused the Update User capabilities to be lost when an administrator is assigned control of an organization dynamically. (ID-21202)
Added a default password policy for the default system accounts. Prior to this change, configurator (and several other system accounts, such as reset and startup, but not administrator) were exempt from having their account locked. This is no longer true. Customers should either ensure their policy does NOT allow configurator to be locked, or have alternative administrative accounts, preferably other than the default administrator, for such circumstances. (ID-22479)
The Oracle Waveset reconciler can now generate account identities calculated through a form. (ID-12456)
When a full reconciliation is canceled, the error message now states “Canceled the full reconciliation of [resource] running on [server]”. (ID-14554)
You can now configure how the Organizational Scope is displayed in an AuditLog report by using a new Configuration:ReportsConfig attribute named orgListFormat. (ID-22224)
where:
fullOrgList (default value) uses the original orgList format.
noOrgList completely suppresses the orgList in the report header.
shortOrgList uses the orgList format introduced in a previous release.
For example:
<Configuration authType='reportsConfig' id='#ID#Configuration:ReportsConfig' name='Reports Configuration' ...>
  <Extension>
    <Object>
      ...
      <Attribute name='orgListFormat' value='noOrgList'/>
      <Attribute name='orgListFormat' value='shortOrgList'/>
      <Attribute name='orgListFormat' value='fullOrgList'/>
    </Object>
  </Extension>
  ...
</Configuration>
The orgListFormat attribute was also added to the Task Definition for AuditReportTask to override the value specified in the configuration. You can specify any of the preceding attribute values or, if no value is specified, the report uses the value from the configuration.
Added the preferPreparedStatements attribute to the RepositoryConfiguration Configuration object. When set to true, Oracle Waveset uses PreparedStatements wherever possible. By default this attribute is false. (ID-10968)
This attribute can improve repository performance under certain conditions:
The repository must use pooled connections.
The connections must support implicit statement caching.
Otherwise, this attribute may degrade performance. Oracle Waveset does not explicitly cache prepared statements from the client side of the JDBC call. It depends on the JDBC drivers to do that. Since statements are cached on the actual JDBC connection, if connection pooling is not used, there is no opportunity for the cached statements to be re-used. Normally this means Oracle Waveset must be configured to use an application server DataSource, and the DataSource must use JDBC drivers that support implicit connection pooling.
The following attributes are now supported when 5.3 SP9 is set for the version resource attribute for a SAP Access Control 5.3 resource. (ID-21863)
functionalArea
managerTelephone
requestorTelephone
sNCName
unsecureLogon
validFrom
validTo
Oracle Waveset has long had AttributeDefinitions associated with AccountAttributes on a resource. However, these were not always enforced. The ResourceViewer now enforces that if an AttributeDefinition exists with the same name as an AccountAttribute, then the properties of the AccountAttribute (such as its type) must match those of the AttributeDefinition. (ID-21267)
Added the Use ASUSPEND resource parameter to the Top Secret resource adapter. When selected, only the ASUSPEND command will be used to disable users. (ID-21290)
Added the resource parameter Account Iterator Privileges for the ACF2 resource adapter to provide filtering for account iteration. This resource attribute is multi-valued and the entries will be formatted into one IF(...) statement to be issued as part of the ACF LIST command. (ID-22307)
If you are running Oracle Waveset on the WebLogic application server and you are using the SAP Web Services resource adapter, the Metro web services libraries need to be installed. For details, see Step 5: Install the Metro Libraries (optional) in Oracle Waveset Installation. (ID-22628)
See Workflows regarding an update to the Create User workflow that impacts customers with SAP GRC integrations. (ID-22104)
Various directories at the web application context root that are not part of the web interface are accessible using HTTP GET. In particular, the file /config/Waveset.properties is accessible, and might contain sensitive data. The fix for this bug adds a security-constraint to the web application deployment descriptor (web.xml) to block HTTP access. (ID-20070)
New installations of Oracle Waveset version 8.1.1 will include this fix. However, any existing deployments, including those upgraded to version 8.1.1, need the following added to the deployment descriptor:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unpublished Files</web-resource-name>
    <url-pattern>/bin/*</url-pattern>
    <url-pattern>/config/*</url-pattern>
    <url-pattern>/doc/*</url-pattern>
    <url-pattern>/exporter/*</url-pattern>
    <url-pattern>/patches/*</url-pattern>
    <url-pattern>/sample/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
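Because upgraded deployments do not receive the constraint automatically, the descriptor is worth checking after each upgrade. The following is an added example, not Oracle code: it reports which of the six url-patterns above are not covered by a deny-all constraint (an auth-constraint with no role names and no HTTP method restriction). The function names and the sample() helper are hypothetical, and the web.xml documents it builds are constructed.

```python
import xml.etree.ElementTree as ET

# url-patterns the release note says must be blocked (taken from the page)
REQUIRED = ["/bin/*", "/config/*", "/doc/*", "/exporter/*", "/patches/*", "/sample/*"]

def _kids(elem, name):
    """Child elements called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def denied_patterns(web_xml_text):
    """url-patterns covered by a deny-all security-constraint."""
    denied = set()
    for sc in ET.fromstring(web_xml_text).iter():
        if sc.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        auth = _kids(sc, "auth-constraint")
        # No auth-constraint means unrestricted; role-names mean those roles get in.
        if not auth or any(_kids(a, "role-name") for a in auth):
            continue
        for wrc in _kids(sc, "web-resource-collection"):
            # An http-method list limits the block to those methods only.
            if _kids(wrc, "http-method") or _kids(wrc, "http-method-omission"):
                continue
            denied.update((p.text or "").strip() for p in _kids(wrc, "url-pattern"))
    return denied

def missing_patterns(web_xml_text):
    """Required patterns that no deny-all constraint covers, in page order."""
    denied = denied_patterns(web_xml_text)
    return [p for p in REQUIRED if p not in denied]

def sample(patterns, auth="<auth-constraint/>", method=""):
    """Build a constructed web.xml (hypothetical helper, not a real deployment file)."""
    urls = "".join(f"<url-pattern>{p}</url-pattern>" for p in patterns)
    return ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>'
            "<web-resource-collection><web-resource-name>Unpublished Files"
            f"</web-resource-name>{urls}{method}</web-resource-collection>"
            f"{auth}</security-constraint></web-app>")

if __name__ == "__main__":
    cases = {
        "patched": sample(REQUIRED),
        "partial": sample(REQUIRED[:2]),
        "no auth-constraint": sample(REQUIRED, auth=""),
        "GET only": sample(REQUIRED, method="<http-method>GET</http-method>"),
    }
    for name, doc in cases.items():
        print(f"{name}: missing {missing_patterns(doc) or 'nothing'}")
```

To audit a real deployment, pass the text of its web.xml to missing_patterns; an empty list means all six directories are covered.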
When accessing a WorkItem or TaskInstance instance through the anonymous end-user interface (for example, user/anonWorkItemEdit.jsp), the URL is based on the repository ID of the instance. Authorization now requires the anonymousUser value set in the anonLogin.jsp page to match the owner field of the repository object. (ID-21434)
Oracle Waveset can be displayed in a frameset, leaving it vulnerable to a “clickjacking” attack. This is fixed by adding frame-detection logic in the HTML rendered for every page. (ID-22406)
Added a property to the Waveset.properties file that prevents stack trace information from being displayed. (ID-22409)
By default, Oracle Waveset returns stack trace information as HTML comments when some errors occur. The stack trace is not normally visible to the end-user, but can be revealed by showing the source of the page. This stack information is very useful when diagnosing a problem, but exposes information about the execution of the web application that could be considered a security risk. It is therefore suggested that production deployments turn off the rendering of stack information with the following setting in Waveset.properties.
ui.web.disableStackTraceComments=true
This change must be done manually on each Oracle Waveset server.
By default, Oracle Waveset gives specific error messages when a login attempt fails, allowing an attacker to determine whether an account name is valid. To provide only a generic 'login failed' message, change the settings under Security -> Login -> Login Application. (ID-22574)
The openspml2-toolkit.jar was updated to version 192-20100413 from openspml.dev.java.net, and includes several bug fixes. (ID-21987)
UserViewer can now build attributes from the accounts[Resource|AccountType] namespace. (ID-19082)
Previously, in the Create User workflow, when a policy violation check was executed, a temporary user object was created in the Top organization so that a Deferred Task could be associated with it. This behavior has changed: the transient user object is now created in the same organization as the user. This change has been made to wfexternalpolicy.xml. Customers who use a custom workflow for external policy checks may need to merge this change with their workflow. (ID-22104)