Enhancements to Core Services

Web Containers supported

• Sun Java System Web Server 7.0

• Sun Java System Application Server 8.2

• BEA WL 8.1 SP4

• IBM WebSphere 5.1.1.6

Monitoring Framework Integration

Access Manager can use the JES Monitoring Framework to monitor the following:

• Authentication

  • Number of authentications attempted

  • Number of remote authentications attempted (optional)

  • Number of successful authentications

  • Number of failed authentications

  • Number of successful logout operations

  • Number of failed logout operations (optional)

  • Transaction time for each module if possible, both running and waiting states

  • Connectivity failures for backend servers

• Sessions

  • Size of the session table, which indicates the maximum number of sessions

  • Number of active sessions using an incremental counter

  • Session failover, including the number of “stored” sessions, or the session count using an incremental counter, and the number of operations performed on the failover DB, including read, write, delete, and number of operations

• User Management / Identity Repository/ Session Management Service

  • Maximum cache size

  • Cache related statistics such as number of hits, ratio, peak, current size, and so forth

  • Transaction time for operations, both running and waiting

• Policy

  • Number of policies in cache

  • Number of policyManagers in cache

  • Number of service names in policyListeners cache

  • Number of services in resultsCache

  • Number of tokenIDs in sessionListernerRgistry

  • Number of service names in policyListenerRegistry

  • Number of tokenIDs in role cache

  • Number of service names in resourceNames cache

  • Number of entries for SubjectEvaluationCache

  • Number of PolicyEvaluators in cache

  • Number of policy change listeners in cache

  • Transaction time for policy evaluation processing

• Federation

  • Number of artifacts in table for a given provider

  • Number of assertions in table for a given provider

  • Number of session entries in a given table for a given provider ID

• SAML

  • Size of artifact map

  • Size of assertion map

Authentication module

• Distributed Authentication service is not required to use only one server for load-balanced deployments.

• Authentication service and server is not required to use only one server for load-balanced deployments.

• Composite advices support among Authentication service, Policy Agents, and Policy service. This support includes the AuthenticateToRealm condition, AuthenticateToService condition, and realm qualification to all conditions.

• Advising organization using realm qualified Authentication conditions.

• Authentication configurations/authentication chains (AuthServiceCondition).

• Module-based authentication can now be disallowed if Authentication chaining is enforced.

• Distributed Authentication service supports Certificate authentication module.

• Added CertAuth to Distributed Authentication UI to make the UI a full featured credential extractor presentation.

• New Datastore authentication module is an out-of-box module that authenticates against the configured datastore for a given realm.

• Account lockout configuration now persistent across multiple AM server instances.

• Chaining of post-processing SPI classes.

Policy module

• Support for policy definition based on service-based authentication.

• A new policy condition added: AuthenticateToRealmCondition.

• Support for one-level wild card compare to facilitate the ability to protect the contents of a directory without protecting its sub-directory.

• Support for LDAP filter condition. The policy admin can specify an LDAP filter in the Condition while defining a policy.

• Policies can be created in subrealms without explicit referral policies from the parent realm if an organization alias referral is enabled in the global policy configuration.

• AuthLevelCondition can specify the realm name in addition to the authentication level.

• AuthSchemeCondition can specify the realm name in addition to the authentication module name.

Service Management module

• Support for storing the Service Management/Policy configuration in Active Directory

Access Manager SDK

• Support APIs for authenticating users to a default Identity Repository framework database

Web Services support

• Liberty ID-WSF SOAP provider: Authentication provider that encapsulates the Liberty ID-WSF SOAP binding as implemented by Access Manager. This provider consists of a client and server provider.

• HTTP layer SSO provider: HttpServlet layer authentication provider that encapsulates server-side Access Manager-based SSO.

Installation module

• Repackaging Access Manager as a J2EE Application resulting in a single WAR file to become web deployable

Delegation module

• Support for grouping of delegation privileges

Logging

• Support for delegation in logging module - Delegation controls which identities are authorized to write to or read from the log files.

• Support JCE Based SecureLogHelper - This addition enables the use of JCE in addition to JSS as a security provider for Secure Logging implementation.