Sun Java System Access Manager 7 2005Q4 Release Notes

Access Manager 7 2005Q4 Patch 2

Access Manager 7 2005Q4 patch 2 (revision 02) fixed a number of problems, as listed in the README file included with the patch. Patch 2 also includes the following new features and known issues:

New Features in Patch 2

Known Issues and Limitations in Patch 2

New Properties for the User Management, Identity Repository, and Service Management Caches

Patch 2 includes the following new properties for the User Management (Access Manager SDK), Identity Repository (IdRepo), and Service Management caches. These properties allow you to enable and disable the different caches independently, based on your deployment requirements, and to set the time to live (TTL) for the cache entries.

Table 3 New Properties for the User Management, Identity Repository, and Service Management Caches

Property 

Description 

New Properties to Enable and Disable Caches

com.iplanet.am.sdk.caching.enabled

Global property that enables (true) or disables (false) the Identity Repository (IdRepo), User Management, and Service Management caches. If true, or if the property is not present in the AMConfig.properties file, all three caches are enabled.

Note The following three properties to enable or disable the specific caches apply only if the previous global property is set to false.

com.sun.identity.amsdk.cache.enabled

Enables (true) or disables (false) only the User Management (Access Manager SDK) cache. 

com.sun.identity.idm.cache.enabled

Enables (true) or disables (false) only the Identity Repository (IdRepo) cache. 

com.sun.identity.sm.cache.enabled

Enables (true) or disables (false) only the Service Management cache. 

New User Management Cache Properties for TTL

com.iplanet.am.sdk.cache.entry.expire.enabled

Enables (true) or disables (false) the expiration time (as defined by the following two properties) for the User Management cache. 

com.iplanet.am.sdk.cache.entry.user.expire.time

Specifies the time in minutes that user entries for the User Management cache remain valid after their last modification. That is, after this specified time elapses (after the last modification or read from the directory), the data for the entry that is cached will expire. Then, new requests for data for these entries must be read from the directory. 

com.iplanet.am.sdk.cache.entry.default.expire.time

Specifies the time in minutes that non-user entries for the User Management cache remain valid after their last modification. That is, after this specified time elapses (after the last modification or read from the directory), the data for the entry that is cached will expire. Then, new requests for data for these entries must be read from the directory. New Identity Repository Cache Properties for TTL  

com.sun.identity.idm.cache.entry.expire.enabled

Enables (true) or disables (false) the expiration time (as defined by the following property) for the IdRepo cache.  

com.sun.identity.idm.cache.entry.default.expire.time

Specifies the time in minutes that non-user entries for the IdRepo cache remain valid after their last modification. That is, after this specified time elapses (after the last modification or read from the repository), the data for the entry that is cached will expire. Then, new requests for data for these entries must be read from the repository. 

Using the New Caching Properties

The Access Manager 7 2005Q4 patches do not automatically add the new caching properties to the AMConfig.properties file.

To use the new caching properties:

  1. With a text editor, add the properties and their values to the AMConfig.properties file in the following directory, depending on your platform:

    • Solaris systems: /etc/opt/SUNWam/config

    • Linux systems: /etc/opt/sun/identity/config

  2. Restart the Access Manager Web container for the values to take effect.

New Property for Federation Service Provider

The new com.sun.identity.federation.spadapter property defines the implementation class for com.sun.identity.federation.plugins.FederationSPAdapter, which is used to add application specific processing during Federation processing on the Service Provider side.

See also CR# 6385696: Existing and new IDPs and SPs are not visible.

LDAP Filter Condition Support

LDAP Filter Condition support is added in patch 2. A policy administrator can now specify an LDAP filter in the Condition while defining a policy. The Policy is applied to the user only if the LDAP entry of the user satisfies the LDAP filter specified in the Condition. The LDAP entry of the user is looked up from the directory specified in the Policy Configuration service.

To register and use the LDAP Filter Condition, run following commands after the Access Manager 7 patch 2 is installed shown with Access Manager installed in the default directory on Solaris systems:

# /opt/SUNWam/bin/amadmin -u amadmin 
-w amadmin_password 
-s /etc/opt/SUNWam/AddLDAPFilterCondition.xml
# /opt/SUNWam/bin/amadmin -u amadmin 
-w amadmin_password 
-t /etc/opt/SUNWam/amPolicyConfig_mod_ldfc.xml

Patch 5 Note If you added Access Manager 7 2005Q4 Patch 5 and ran the updateschema.sh script, you do not need to load these files using amadmin. For more information see New updateschema.sh script to load LDIF and XML files.

CR# 6283582: Num of login failures are not shared across Access Manager instances

After Access Manager 7 patch 2 is installed, run following commands, shown with Access Manager installed in the default directory in Solaris systems:

# cd DirectoryServer-base/shared/bin
# ./ldapmodify -h DirectoryServerHost -p DirectoryServerPort 
-D "cn=Directory Manager" -w DirectoryMangerPassword 
-a -f /etc/opt/SUNWam/accountLockout.ldif
# /opt/SUNWam/bin/amadmin -u amadmin 
-w amadmin_password 
-t /etc/opt/SUNWam/accountLockoutData.xml

The default value of DirectoryServer-base is /var/opt/mps/serverroot on Solaris systems and /var/opt/sun/directory-server on Linux systems.

Patch 5 Note If you added Access Manager 7 2005Q4 Patch 5 and ran the updateschema.sh script, you do not need to load these files using amadmin. For more information see New updateschema.sh script to load LDIF and XML files.

CR# 6293673: Need to retain the original session information when sending out session timeout notification

The new com.sun.identity.session.property.doNotTrimList property in the AMConfig.properties file can contain list of comma separated session property names. Once a session is timed out, the properties defined in this list will not be trimmed off, so that they can be accessed before the session is purged. For example:

com.sun.identity.session.property.doNotTrimList=UserId,HostName

CR# 6244578: Access Manager should warn user that the browser cookie support is disabled/not available

The new com.sun.identity.am.cookie.check property in the AMConfig.properties file indicates whether the server should check for the cookie support / cookie enabled in the browser. A value of true causes the server to check for the cookie support / cookie enabled in the browser and to throw an error page if the browser does not support or has not enabled cookies. This value should be set to false (which is the default) if the server is expected to support cookie-less mode for authentication functionality.

CR# 6236892: Image/Text place holder while CDCServlet is processing the AuthNResponse after login

The following new properties are added to AMConfig.properties file and are read by the CDCServlet:

CR# 6363157: New property disables persistent searches if absolutely required

The new com.sun.am.event.connection.disable.list property in the AMConfig.properties file specifies which event connection can be disabled. Values (case insensitive) can be:

aci - Changes to the aci attribute, with the search using the LDAP filter (aci=*)

sm - Changes in the Access Manager information tree (or service management node), which includes objects with the sunService or sunServiceComponent marker object class. For example, you might create a policy to define access privileges for a protected resource, or you might modify the rules, subjects, conditions, or response providers for an existing policy.

um - Changes in the user directory (or user management node). For example, you might change a user's name or address.

For example, to disable persistent searches for changes to the Access Manager information tree (or service management node):

com.sun.am.event.connection.disable.list=sm

To specify multiple values, separate each value with a comma.


Caution – Caution –

Persistent searches cause some performance overhead on Directory Server. If you determine that removing some of this performance overhead is absolutely critical in a production environment, you can disable one or more persistent searches using the com.sun.am.event.connection.disable.list property.

However, before disabling a persistent search, you should understand the limitations described above. It is strongly recommended that this property not be changed unless absolutely required. This property was introduced primarily to avoid overhead on Directory Server when multiple 2.1 J2EE agents are used, because each of these agents establishes these persistent searches. The 2.2 J2EE agents no longer establish these persistent searches, so you might not need to use this property.

For more information, see Document more information about disabling persistent searches (6486927).


CR# 6385696: Existing and new IDPs and SPs are not visible

The new com.sun.identity.federation.spadapter property in the AMConfig.properties file specifies the default implementation of the federation service provider adapter where the application can get assertions and response information. For example:

com.sun.identity.federation.spadapter=com.sun.identity.federation.plugins.FSDefaultSPAdapter