Sun OpenSSO Enterprise 8.0 Release Notes

Web Agents in the Policy Agent 3.0-01 Release

Patch IDs for Web Agents in the Policy Agent 3.0-01 Release

The following version 3.0-01 web agents are available on http://sunsolve.sun.com/.

Table 3 Patch IDs for Web Agents in the Policy Agent 3.0-01 Release

| Version 3.0-01 Policy Agent For | Patch ID |
| --- | --- |
| Apache HTTP Server 2.0.x | 144698-01 |
| Apache HTTP Server 2.2.x | 144699-01 |
| Microsoft Internet Information Services (IIS) 6.0. Supported on Microsoft Windows Server 2003, with separate agents for 32-bit and 64-bit systems. | 144700-01 |
| Microsoft Internet Information Services (IIS) 7.0 and 7.5. Supported on Microsoft Windows Server 2008 R2, with separate agents for 32-bit and 64-bit systems. | 144701-01 |
| Sun Java System Web Proxy Server 4.0.x | 144702-01 |
| Sun Java System Web Server 7.0 | 144703-01 |

Enhancements and Changes for Web Agents in the Policy Agent 3.0-01 Release

For more information about web agent properties, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents.

CR 6891373: New Properties Support POST Data Preservation With Sticky Sessions

In the 3.0-01 release, new properties support POST data preservation with sticky sessions configured. If you are using POST data preservation with a load balancer deployed in front of the agent, set the following properties for sticky sessions:

Important: For a sticky session to be set, you must set both of these properties correctly (and not to null).

These new properties are in the OpenSSOAgentConfiguration.properties file. Set these properties depending on the location of your agent's configuration repository. If the repository is local to the agent's host server, edit the agent's OpenSSOAgentConfiguration.properties file.

If the agent's configuration repository is centralized, use the OpenSSO Console:

  1. Log in to the OpenSSO Administration Console.

  2. Click Access Control, realm-name, Agents, Web, web-agent-name, and then Advanced.

  3. Under Custom Properties, add both new properties with their corresponding values.

  4. Click Save.

CR 6903850: Wildcard (*) Support Added for Not-Enforced Client IP List

The policy agent com.sun.identity.agents.config.notenforced.ip property in the OpenSSOAgentConfiguration.properties file now allows the wildcard character (*) to define an IP address. For example:

com.sun.identity.agents.config.notenforced.ip[2] = 192.168.11.*
com.sun.identity.agents.config.notenforced.ip[3] = *.10.10.*

Set this agent property depending on the location of your agent configuration repository. If the repository is centralized on the OpenSSO server, use the OpenSSO Console. If the repository is local to the agent's host server, edit the agent's OpenSSOAgentConfiguration.properties file.
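An added example (not from the release notes or the agent's own code) that audits not-enforced IP entries like the two shown above: it reports how many client addresses each wildcard pattern exempts from policy enforcement and whether the pattern stays inside private address space. It assumes `*` stands for exactly one dotted octet; the sample properties text and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of OpenSSOAgentConfiguration.properties entries.
SAMPLE = """\
com.sun.identity.agents.config.notenforced.ip[0] = 10.1.2.3
com.sun.identity.agents.config.notenforced.ip[2] = 192.168.11.*
com.sun.identity.agents.config.notenforced.ip[3] = *.10.10.*
"""
PROP = re.compile(
    r"^com\.sun\.identity\.agents\.config\.notenforced\.ip\[(\d+)\]\s*=\s*(\S+)$")
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_entries(text):
    """Return {index: pattern} for each not-enforced IP entry in the text."""
    found = (PROP.match(line.strip()) for line in text.splitlines())
    return {int(m.group(1)): m.group(2) for m in found if m}


def matches(pattern, addr):
    """Assumed semantics: '*' stands for any value of one dotted octet."""
    p, a = pattern.split("."), addr.split(".")
    return len(p) == len(a) == 4 and all(x in ("*", y) for x, y in zip(p, a))


def audit(pattern):
    """Return (addresses_exempted, stays_private) for one pattern."""
    octets = pattern.split(".")
    # Lowest and highest address the pattern can match.
    low = ipaddress.ip_address(".".join("0" if o == "*" else o for o in octets))
    high = ipaddress.ip_address(".".join("255" if o == "*" else o for o in octets))
    # A CIDR block is contiguous, so holding both ends means holding every match.
    stays_private = any(low in net and high in net for net in PRIVATE)
    return 256 ** octets.count("*"), stays_private


def report(text):
    """Return one finding line per entry, flagging patterns that reach public space."""
    lines = []
    for index, pattern in sorted(parse_entries(text).items()):
        count, private = audit(pattern)
        flag = "ok" if private else "REVIEW: matches public addresses"
        lines.append(f"ip[{index}] {pattern}: {count} addresses, {flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Under the assumed matching rule, `192.168.11.*` exempts 256 private addresses, while `*.10.10.*` exempts 65536 addresses, most of them publicly routable, so a leading wildcard deserves review before it is deployed.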

CR 6947499: NSS_STRICT_NOFORK Must be Disabled for Version 3.0-01 Apache Agents

The NSS and NSPR libraries used in the policy agent 3.0-01 release have changed since the version 3.0 agents were released. Therefore, to use the version 3.0-01 Apache HTTP Server 2.0.x or Apache HTTP Server 2.2.x policy agent on any platform, the NSS_STRICT_NOFORK environment variable must be set to DISABLED.

Problems Fixed for Web Agents in the Policy Agent 3.0-01 Release

Problems Fixed For All Web Agents

Table 4 Problems Fixed For All Web Agents

| CR or Issue | Description |
| --- | --- |
| 1776 | Not-enforced list does not work in special circumstances |
| 3755 | Non-IP Based Token Restrictions not working with Access Manager 7 and version 3.0 agents |
| 4755 | Log message sent by Web Server 7.0 2.2 agent has an empty recMsg |
| 4836 | Policy agent should encode special characters in cookies by URL encoding |
| 4917 | Log a "no policy or action decision found" message at warning level |
| 5060 | 3.0 Apache agents have issue with agent logout feature |
| 5155 | Support for x-forwarded-for headers in web agents |
| 5229 | Expired AppSSOToken during agent configuration fetch |
| 5259 | Cannot use wildcard characters in the path info part of URL in not enforced list |
| 5266 | In CDSSO mode, corrupted headers are included in the response |
| 5323 | Web agents remove CDSSO parameters from URL incorrectly |
| 5413 | Application parameters getting corrupted when CDSSO parameters are removed from the query |
| 5425 | Composite advice getting duplicated whenever access manager is restarted |
| 5434 | Apache agent doesn't work properly with mod_python handler |
| 5453 | Requests with existing iPlanetDirectoryPro cookies can cause Assertion to be ignored during session upgrade in CDSSO mode |
| 5538 | Agent crashes web server when setting long value for amlbcookie |
| 5552 | Policy evaluation fails when the request URL contains query parameters |
| 5637 | Agent doesn't work due to variable initialization issue |
| 5666 | Problems when path info is "/" |
| 6086 | Agent enforce URL case sensitivity during policy evaluation |
| 6903850 | Provide wildcard (*) support for Not Enforced Client IP List |
| 6953714 | Agent hangs while fetching policy decision if user session is validated from cache and policy has expired |
| 6954327 | In CDSSO, double POST issue problem during session upgrade |
| 6774751 | Access Manager 7.1 protected page is jumbled when session is upgraded |
| 6959619 | Host name is not set correctly when there is a load balancer in front of the agent |

Problems Fixed for the Apache HTTP Server 2.0.x and 2.2.x Agents

Table 5 Problems Fixed for the Apache HTTP Server 2.0.x and 2.2.x Agents

| CR or Issue | Description |
| --- | --- |
| 4501 | Additional HTTP methods support for version 3.0 Apache agent |
| 4799 | Some extra information gets printed on protected pages intermittently |
| 5640 | Attributes headers issue with 3.0 agent on IBM AIX systems |
| 6947499 | Apache 2.2 agent does not work when SSL enabled |

Problems Fixed for the Sun Java System Web Server 7.0 Agent

Table 6 Problems Fixed for the Sun Java System Web Server 7.0 Agent

| CR or Issue | Description |
| --- | --- |
| 4688 | Web Server agent notifications not working with protocol and port rewriting |
| 4815 | Memory corruption with POST data preservation |
| 4911 | Cookie reset for CDSSO set on incorrect domain |
| 4934 | Problem with POST data preservation feature in Web Server 7.0 agent |
| 5207 | Need a sticky cookie for load balancing with POST data preservation |
| 5218 | POST preservation data feature doesn't work with virtual hosts |
| 5526 | POST data preservation is not used when PA redirects as a result of composite advice |
| 5532 | Agent crashes web server when root policy is not found |
| 5706 | Need sticky session for POST data preservation to use URL |
| 6937576 | IIS 6.0 and web server agents do not handle overridden URL properly |
| 6958056 | POST data preservation feature doesn't work with normal FQDN and virtual hosts |

Problems Fixed for the Sun Java System Web Proxy Server 4.0.x Agent

Table 7 Problems Fixed for the Sun Java System Web Proxy Server 4.0.x Agent

| CR or Issue | Description |
| --- | --- |
| 4911 | Cookie reset for CDSSO set on incorrect domain |
| 5680 | Policy agent 2.2-02 on Web Proxy Server 4.0.4 has memory leak |
| 6937576 | IIS 6.0 and Web Server agents do not handle overridden URL properly |
| 6953702 | Cannot access CGIs through Web Proxy Server 3.0 agent in CDSSO mode |

Problems Fixed for the Microsoft Internet Information Services (IIS) 6.0 Agent

Table 8 Problems Fixed for the Microsoft Internet Information Services (IIS) 6.0 Agent

| CR or Issue | Description |
| --- | --- |
| 4815 | Memory corruption with POST data preservation |
| 4816 | Random crashes with IIS 6.0 agent |
| 5207 | Need a sticky cookie for load balancing with POST data preservation |
| 5218 | POST preservation data feature doesn't work with virtual hosts |
| 5526 | POST data preservation is not used when PA redirects as a result of composite advice |
| 5532 | Agent crashes Web Server when root policy is not found |
| 5621 | IIS 6.0 agent is not responding with OK message to notifications from server |
| 5706 | Need sticky session for POST data preservation to use URL |
| 6929312 | IIS agent: Existing header as reutersuuid will be replaced by a new header that contains its key |
| 6937576 | IIS 6.0 and web server agents do not handle overridden URL properly |
| 6958056 | POST data preservation feature doesn't work with normal FQDN and virtual hosts |

Problems Fixed for the Microsoft Internet Information Services (IIS) 7.0 Agent

Table 9 Problems Fixed for the Microsoft Internet Information Services (IIS) 7.0 Agent

| CR or Issue | Description |
| --- | --- |
| 5621 | IIS 6.0 Agent is not responding with OK message to notifications from server |
| 6929312 | For IIS 7.0 agent, existing header as reutersuuid will be replaced by a new header that contains its key |
| 6937576 | IIS 6.0 and Web Server agents do not handle overridden URL properly |
| 6956162 | "Object Moved error" with redirects in Policy Agent 3.0 for IIS 7.0 |
| 6956232 | Policy Agent 3.0 for IIS 7.0 changes ASP.NET session ID |
| 6955905 | Server problems when cookie reset is enabled in IIS 7.5 |
| 6934736 | IIS 7.0 agent is not responding with OK message to notifications from server |