The Policy Agent 3.0-01 release includes both Java EE (formerly called J2EE) agents and web agents:
Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release
Enhancements and Changes for Java EE Agents in the Policy Agent 3.0-01 Release
Issues and Workarounds for Java EE Agents in the Policy Agent 3.0-01 Release
Problems Fixed for Java EE Agents in the Policy Agent 3.0-01 Release
The following version 3.0-01 Java EE agents are available on http://sunsolve.sun.com/.

Table 1 Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release

| Version 3.0-01 Policy Agent For | Patch ID |
|---|---|
| Oracle WebLogic Server 11g Release 1 (10.3.3); Oracle WebLogic Server 10g Release 3 (10.3); Oracle WebLogic Server 9.2 and 10.0; Oracle WebLogic Portal 9.2, 10.0, and 10.2 | 145385-01 |
| Sun GlassFish 2.1, V2 UR1, V2 UR2, and v3; Sun Java System Application Server 8.1, 8.2, 9.0, and 9.1 | 145383-01 |
| Apache Tomcat 6.0.x | 145384-01 |
| JBoss Application Server 4.x and 5.x | 145382-01 |
| IBM WebSphere Application Server 6.1 and 7.0; IBM WebSphere Portal Server 6.1 | 145386-01 |
Issue 5633: New property is added to reset session idle time for not-enforced URLs
Issue 6107: JBoss Application Server agent supports custom principal feature
Issue 6108: JBoss Application Server agent redirects to the client's requested URI
Version 3.0 and later Java EE agents require JDK 1.5 or later on the server where you plan to install the agent. Although some web containers such as JBoss Application Server 4.x and Application Server 8.x can run using JDK 1.4, JDK 1.5 or later is required for both the agent web container and the agentadmin program.
The version 3.0-01 Java EE agent for Sun Java System Application Server and GlassFish v2 also supports GlassFish v3. See also Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release.
Version 3.0-01 Java EE agents include the following new property to specify whether the session idle timeout should be reset after a user with a valid session accesses a URL in the not-enforced list:

```
com.sun.identity.agents.config.notenforced.refresh.session.idletime
```

Values for this property can be:
true: The session idle time is reset after a user with a valid session accesses a URL in the not-enforced list.
false (default): The session idle time is not reset.
Keep the default unless an application needs the other behavior: with true, every request to a not-enforced URL, including one made automatically by a polling script or a page refresh, resets the idle time, so the idle timeout no longer bounds the life of a session the user has stopped using.
Set this property depending on the location of the agent's configuration repository. If the repository is local to the agent's host server, add the property to the agent's OpenSSOAgentConfiguration.properties file and restart the agent's web container so that the agent rereads the file.
If the agent's configuration repository is centralized, use the OpenSSO Administration Console as follows:
Log in to the OpenSSO Administration Console.
Click Access Control, realm-name, Agents, J2EE, j2ee-agent-name, and then Advanced.
Under Custom Properties, add the new property with its corresponding value.
Click Save.
JBoss Application Server 4.x and 5.x login modules support the custom principal feature, which allows users to specify a custom principal in the JBoss AS configuration. The version 3.0–01 agent for JBoss AS 4.x and 5.x also supports the custom principal feature.
To use this feature, add the following line to the <login-module> element in the JBOSS_HOME/server/default/conf/am-login-config.xml file:

```xml
<module-option name="principalClass">com.sample.CustomPrincipal</module-option>
```

For example, the <login-module> element should then be as follows:

```xml
<login-module code="com.sun.identity.agents.jboss.v40.AmJBossLoginModule" flag="required">
  <module-option name="unauthenticatedIdentity">anonymous</module-option>
  <module-option name="principalClass">com.sample.CustomPrincipal</module-option>
</login-module>
```

In this example, com.sample.CustomPrincipal is the custom principal implementation class name (an implementation of java.security.Principal). This class must be in the JBoss AS classpath.
When the version 3.0-01 JBoss AS 4.x or 5.x agent runs in J2EE_POLICY or ALL filter mode and a user accesses a resource protected with J2EE policies, the user is redirected to the originally requested resource after authentication by the OpenSSO 8.0 server. Previously, the user was redirected to the home page instead of the requested resource.
If you run the agentadmin or agentadmin.bat script to install the version 3.0-01 policy agent for IBM WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 using the IBM JDK on systems other than IBM AIX, the installation fails because the script cannot find the IBM JCE provider.
Workaround: Add the following Java options to the agentadmin or agentadmin.bat script and then rerun the installation:

```
AGENT_OPTS="-DamKeyGenDescriptor.provider=IBMJCE -DamCryptoDescriptor.provider=IBMJCE -DamRandomGenProvider=IBMJCE"
```
After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1, you cannot access the WebSphere administrative console.
Workaround: In the WebSphere Application Server agent profile, add the WebSphere administrative console URL to the Agent Root URL for CDSSO list, as follows:
Log in to the OpenSSO Administration Console.
Click Access Control, realm-name, Agents, J2EE, and then the j2ee-agent-name.
In Agent Root URL for CDSSO, add the WebSphere administrative console URL.
Click Save.
After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 in cross-domain single sign-on (CDSSO) mode and try to access the administrative console, you are redirected to an incorrect agentapp URL: the port in the URL is the admin port instead of the agentapp instance port.
Workaround: In the URL in the browser address bar, manually specify the correct port number for the agentapp instance.
| CR or Issue | Description |
|---|---|
| 6121 | 401 error is returned instead of a 302 error when the client presents an invalid SSO token |
| 4461 | Security context exception occurred with JBoss AS agent |
| 6107 | Custom principal in JBoss AS 4.3 is not working with J2EE agent |
| 6108 | J2EE Agent 3.0 for JBoss AS does not redirect to client request |
| 4969 | Tomcat agent J2EE tests are denied when debug level set to error mode |
| 2779 | J2EE agents should have the agentadmin script executable permission set by default |
| 5008 | GlassFish v3 server fails to start with invalid format error |
| 5012 | Tomcat 6.0 version 3.0 agent returns error with not-enforced IP list |
| 5764 | agentadmin script does not set up classpath correctly on GlassFish V3 |
| 4677 | Tomcat 6.0 agent membership removal causes HTTP 403 access denied error |
| 5197 | Application logout does not clean up sessions |
| 5744 | Issue with URL pattern matching for port number in J2EE agents |
| 4959 | HTTPS session binding should be enabled by default in agent profile |
| 5024 | When not-enforced IP is used, accessing application of declarative security returns configuration error |
| 5071 | J2EE agent with CDSSO, cookie hijacking, and composite advice has second login issue |
| 5633 | J2EE agent does not reset session idle time for not-enforced URLs |
| 5627 | IP Resource condition fails if login URL in agent profile has resource=true included |
| 6933534 | Tomcat 6.0 version 3.0 agent classes are not added to classpath, resulting in Tomcat startup failure |
Enhancements and Changes for Web Agents in the Policy Agent 3.0-01 Release
Problems Fixed for Web Agents in the Policy Agent 3.0-01 Release
The following version 3.0-01 web agents are available on http://sunsolve.sun.com/.

Table 3 Patch IDs for Web Agents in the Policy Agent 3.0-01 Release

| Version 3.0-01 Policy Agent For | Patch ID |
|---|---|
| Apache HTTP Server 2.0.x | 144698-01 |
| Apache HTTP Server 2.2.x | 144699-01 |
| Microsoft Internet Information Services (IIS) 6.0. Supported on Microsoft Windows Server 2003, with separate agents for 32-bit and 64-bit systems. | 144700-01 |
| Microsoft Internet Information Services (IIS) 7.0 and 7.5. Supported on Microsoft Windows Server 2008 R2, with separate agents for 32-bit and 64-bit systems. | 144701-01 |
| Sun Java System Web Proxy Server 4.0.x | 144702-01 |
| Sun Java System Web Server 7.0 | 144703-01 |
CR 6891373: New Properties Support POST Data Preservation With Sticky Sessions
CR 6903850: Wildcard (*) Support Added for Not-Enforced Client IP List
CR 6947499: NSS_STRICT_NOFORK Must be Disabled for Version 3.0–01 Apache Agents
For more information about web agent properties, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents.
In the 3.0-01 release, new properties support POST data preservation when sticky sessions are configured. If you are using POST data preservation with a load balancer deployed in front of the agent, set the following properties so that the load balancer routes the user back to the same agent instance:
com.sun.am.policy.agents.config.postdata.preserve.stickysession.mode specifies the sticky session mode. The value can be COOKIE if the load balancer uses a cookie to determine the sticky session, or URL if the load balancer uses a query parameter in the URL. For example:

```
com.sun.am.policy.agents.config.postdata.preserve.stickysession.mode = URL
```

com.sun.am.policy.agents.config.postdata.preserve.stickysession.value specifies the name and value of the cookie or query parameter used for the sticky session. For example:

```
com.sun.am.policy.agents.config.postdata.preserve.stickysession.value = AgentID=01
```

Important: For a sticky session to be set, you must set both of these properties correctly (and not to null).
These new properties are in the OpenSSOAgentConfiguration.properties file. Set these properties depending on the location of your agent's configuration repository. If the repository is local to the agent's host server, edit the agent's OpenSSOAgentConfiguration.properties file.
If the agent's configuration repository is centralized, use the OpenSSO Console:
Log in to the OpenSSO Administration Console.
Click Access Control, realm-name, Agents, Web, web-agent-name, and then Advanced.
Under Custom Properties, add both new properties with their corresponding values.
Click Save.
The policy agent com.sun.identity.agents.config.notenforced.ip property in the OpenSSOAgentConfiguration.properties file now allows the wildcard character (*) in an IP address. For example:

```
com.sun.identity.agents.config.notenforced.ip[2] = 192.168.11.*
com.sun.identity.agents.config.notenforced.ip[3] = *.10.10.*
```

Set this agent property depending on the location of your agent configuration repository. If the repository is centralized on the OpenSSO server, use the OpenSSO Console. If the repository is local to the agent's host server, edit the agent's OpenSSOAgentConfiguration.properties file.
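As an added example (this is not code from the OpenSSO agents), the following Python models the per-octet wildcard matching the not-enforced IP list now supports and runs the two checks worth making before trusting a wildcard entry: how many addresses a pattern actually admits, and which address is being matched when a load balancer or reverse proxy sits in front of the agent (CR 5155 in the fixed-problems table adds X-Forwarded-For support to the web agents). The properties parser, the IPv4-only scope, the trusted-proxy list and the sample addresses are assumptions made for the example.

```python
"""Wildcard matching for the web agent's not-enforced client IP list.

Added example; not code from the OpenSSO policy agents. It models the documented
per-octet wildcard (192.168.11.*, *.10.10.*). The properties parsing, the
IPv4-only scope and the trusted-proxy handling are assumptions for the example.
"""
import ipaddress

NOTENFORCED_IP_KEY = "com.sun.identity.agents.config.notenforced.ip"


def parse_not_enforced_ip_list(properties_text):
    """Collect the values of notenforced.ip[n] entries from a properties fragment."""
    patterns = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = name.strip()
        if name == NOTENFORCED_IP_KEY or (
            name.startswith(NOTENFORCED_IP_KEY + "[") and name.endswith("]")
        ):
            patterns.append(value.strip())
    return patterns


def pattern_octets(pattern):
    """Split a pattern into four octets, each 0-255 or '*'; reject anything else."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError("pattern must have four dotted parts: %r" % pattern)
    for octet in octets:
        if octet == "*":
            continue
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError("bad octet %r in pattern %r" % (octet, pattern))
    return octets


def ip_matches(ip, pattern):
    """True if IPv4 address ip matches pattern, '*' standing for one whole octet."""
    addr_octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    return all(p == "*" or p == a for p, a in zip(pattern_octets(pattern), addr_octets))


def is_not_enforced(ip, patterns):
    """True if any configured pattern matches: the agent would skip authentication."""
    return any(ip_matches(ip, p) for p in patterns)


def wildcard_width(pattern):
    """Number of addresses a pattern covers; each '*' multiplies the reach by 256."""
    return 256 ** sum(1 for o in pattern_octets(pattern) if o == "*")


def client_ip(remote_addr, xff_header=None, trusted_proxies=()):
    """Pick the address to match against the list.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy, and
    then the rightmost entry that is not itself a trusted proxy is used: that is
    the peer the trusted proxy actually saw. Anything further left was supplied
    by the client and can be forged to land on a not-enforced pattern.
    """
    if not xff_header or remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


# Constructed sample fragment; the addresses are illustrative only.
SAMPLE_PROPERTIES = """
com.sun.identity.agents.config.notenforced.ip[0] = 10.0.0.5
com.sun.identity.agents.config.notenforced.ip[1] = 192.168.11.*
com.sun.identity.agents.config.notenforced.ip[2] = *.10.10.*
"""

if __name__ == "__main__":
    patterns = parse_not_enforced_ip_list(SAMPLE_PROPERTIES)
    for p in patterns:
        print("%-14s covers %d address(es)" % (p, wildcard_width(p)))
    # A public address that happens to have 10.10 in the middle is not enforced.
    print(is_not_enforced("203.10.10.99", patterns))
    # A spoofed header from an untrusted peer is ignored; a header a trusted
    # proxy appended to is read from the right.
    print(client_ip("203.0.113.9", "192.168.11.7"))
    print(client_ip("10.1.1.1", "192.168.11.7, 203.0.113.9", trusted_proxies=("10.1.1.1",)))
```

Run as a script, the width check shows that *.10.10.* admits 65,536 addresses, including public ones such as 203.10.10.99; a wildcard only in the last octet is usually what is intended. The client_ip function is the check to apply whenever an agent is deployed behind a proxy: if the agent takes the client address from X-Forwarded-For without restricting which peers may supply it, any client can claim an address on the not-enforced list.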
The NSS and NSPR libraries bundled with the policy agent 3.0-01 release have changed since the version 3.0 agents were released. Therefore, to use the version 3.0-01 Apache HTTP Server 2.0.x or Apache HTTP Server 2.2.x policy agent on any platform, the NSS_STRICT_NOFORK environment variable must be set to DISABLED in the environment from which the Apache server process is started.
Problems Fixed for the Apache HTTP Server 2.0.x and 2.2.x Agents
Problems Fixed for the Sun Java System Web Proxy Server 4.0.x Agent
Problems Fixed for the Microsoft Internet Information Services (IIS) 6.0 Agent
Problems Fixed for the Microsoft Internet Information Services (IIS) 7.0 Agent
| CR or Issue | Description |
|---|---|
| 1776 | Not-enforced list does not work in special circumstances |
| 3755 | Non-IP based token restrictions not working with Access Manager 7 and version 3.0 agents |
| 4755 | Log message sent by Web Server 7.0 2.2 agent has an empty recMsg |
| 4836 | Policy agent should encode special characters in cookies by URL encoding |
| 4917 | Log a "no policy or action decision found" message at warning level |
| 5060 | 3.0 Apache agents have issue with agent logout feature |
| 5155 | Support for x-forwarded-for headers in web agents |
| 5229 | Expired AppSSOToken during agent configuration fetch |
| 5259 | Cannot use wildcard characters in the path info part of URL in not-enforced list |
| 5266 | In CDSSO mode, corrupted headers are included in the response |
| 5323 | Web agents remove CDSSO parameters from URL incorrectly |
| 5413 | Application parameters getting corrupted when CDSSO parameters are removed from the query |
| 5425 | Composite advice getting duplicated whenever Access Manager is restarted |
| 5434 | Apache agent doesn't work properly with mod_python handler |
| 5453 | Requests with existing iPlanetDirectoryPro cookies can cause assertion to be ignored during session upgrade in CDSSO mode |
| 5538 | Agent crashes web server when setting long value for amlbcookie |
| 5552 | Policy evaluation fails when the request URL contains query parameters |
| 5637 | Agent doesn't work due to variable initialization issue |
| 5666 | Problems when path info is "/" |
| 6086 | Agent enforces URL case sensitivity during policy evaluation |
| 6903850 | Provide wildcard (*) support for not-enforced client IP list |
| 6953714 | Agent hangs while fetching policy decision if user session is validated from cache and policy has expired |
| 6954327 | In CDSSO, double POST problem during session upgrade |
| 6774751 | Access Manager 7.1 protected page is jumbled when session is upgraded |
| 6959619 | Host name is not set correctly when there is a load balancer in front of the agent |
| CR or Issue | Description |
|---|---|
| 4501 | Additional HTTP methods support for version 3.0 Apache agent |
| 4799 | Some extra information gets printed on protected pages intermittently |
| 5640 | Attributes headers issue with 3.0 agent on IBM AIX systems |
| 6947499 | Apache 2.2 agent does not work when SSL enabled |
| CR or Issue | Description |
|---|---|
| 4688 | Web Server agent notifications not working with protocol and port rewriting |
| 4815 | Memory corruption with POST data preservation |
| 4911 | Cookie reset for CDSSO set on incorrect domain |
| 4934 | Problem with POST data preservation feature in Web Server 7.0 agent |
| 5207 | Need a sticky cookie for load balancing with POST data preservation |
| 5218 | POST data preservation feature doesn't work with virtual hosts |
| 5526 | POST data preservation is not used when PA redirects as a result of composite advice |
| 5532 | Agent crashes web server when root policy is not found |
| 5706 | Need sticky session for POST data preservation to use URL |
| 6937576 | IIS 6.0 and Web Server agents do not handle overridden URL properly |
| 6958056 | POST data preservation feature doesn't work with normal FQDN and virtual hosts |
| CR or Issue | Description |
|---|---|
| 4911 | Cookie reset for CDSSO set on incorrect domain |
| 5680 | Policy agent 2.2-02 on Web Proxy Server 4.0.4 has memory leak |
| 6937576 | IIS 6.0 and Web Server agents do not handle overridden URL properly |
| 6953702 | Cannot access CGIs through Web Proxy Server 3.0 agent in CDSSO mode |
| CR or Issue | Description |
|---|---|
| 4815 | Memory corruption with POST data preservation |
| 4816 | Random crashes with IIS 6.0 agent |
| 5207 | Need a sticky cookie for load balancing with POST data preservation |
| 5218 | POST data preservation feature doesn't work with virtual hosts |
| 5526 | POST data preservation is not used when PA redirects as a result of composite advice |
| 5532 | Agent crashes Web Server when root policy is not found |
| 5621 | IIS 6.0 agent is not responding with OK message to notifications from server |
| 5706 | Need sticky session for POST data preservation to use URL |
| 6929312 | IIS agent: existing header such as reutersuuid is replaced by a new header that contains its key |
| 6937576 | IIS 6.0 and Web Server agents do not handle overridden URL properly |
| 6958056 | POST data preservation feature doesn't work with normal FQDN and virtual hosts |
| CR or Issue | Description |
|---|---|
| 5621 | IIS 6.0 agent is not responding with OK message to notifications from server |
| 6929312 | For IIS 7.0 agent, existing header such as reutersuuid is replaced by a new header that contains its key |
| 6937576 | IIS 6.0 and Web Server agents do not handle overridden URL properly |
| 6956162 | "Object Moved" error with redirects in Policy Agent 3.0 for IIS 7.0 |
| 6956232 | Policy Agent 3.0 for IIS 7.0 changes ASP.NET session ID |
| 6955905 | Server problems when cookie reset is enabled in IIS 7.5 |
| 6934736 | IIS 7.0 agent is not responding with OK message to notifications from server |
A version 3.0-01 policy agent requires a full installation. If you have a version 3.0 agent already installed, you must uninstall the existing version 3.0 agent and then install the new version 3.0-01 agent. To install a version 3.0-01 agent, follow these steps:
If you have a version 3.0 agent installed, uninstall the agent by following the instructions in the respective Policy Agent 3.0 guide in the OpenSSO Enterprise 8.0 documentation collection: http://docs.sun.com/coll/1767.1.
Important: Before you uninstall the agent, back up your existing agent deployment. For example, for the Apache HTTP Server 2.2.x agent, back up the files under AgentHome/web_agents/apache22_agent, where AgentHome is where you installed the agent.
Create a directory to download the version 3.0–01 patch file.
Download the patch for the agent you want to install from http://sunsolve.sun.com/.
In the download directory, unzip the version 3.0-01 patch file. A patch for a web agent contains a README file and separate ZIP files for each platform supported by the specific agent you downloaded. A patch for a Java EE agent contains one ZIP file for all supported platforms.
Unzip the file for your specific platform.
The files and directories required by the specific agent are then available in the zip-root/web_agents/agent-name directory, where zip-root is where you unzipped the file and agent-name identifies the specific agent.
Check the README available with the agent for more information about the agent for your specific platform.
Install and configure the version 3.0–01 agent by following the instructions in the respective Policy Agent 3.0 guide in the OpenSSO Enterprise 8.0 documentation collection: http://docs.sun.com/coll/1767.1.
Note: Version 3.0 and later agents require JDK 1.5 or later on the server where you plan to install the agent. Before you run the agentadmin program to install the agent, set your JAVA_HOME environment variable to point to the JDK installation directory.