Sun Java System Access Manager Policy Agent 2.2 Release Notes
About Access Manager Policy Agent 2.2
What's New About Web Agents in This Release
Support for Fetching User Session Attributes
Policy-Based Response Attributes
Additional Method for Fetching the REMOTE_USER Server Variable
Malicious Header Attributes Automatically Cleared by Agents
Support for Heterogeneous Agent Types on the Same Machine
Support for Turning Off FQDN Mapping
Web Agents and Backward Compatibility With Access Manager 6.3
What's New About J2EE Agents in This Release
Removal of Dependencies on LDAP and on Administrative Accounts
Coexistence With Access Manager
Support for Client Identification Based on Custom HTTP Headers
Agent Specific Application for Housekeeping Tasks
Support for Flexible User Mapping Mechanisms
Support for Fetching User Session Attributes (J2EE Agents)
Support for Not-Enforced IP Lists
Support for Custom Response Headers
Support for Application Logout Integration
Support for Application Specific Agent Filter Operation Modes
Support for Affinity-Based Login URL Selection
Support for a Sample Application
J2EE Agents and Backward Compatibility With Access Manager 6.3
Policy Agent 2.2-05 Update Release
Web Agents in the Policy Agent 2.2-05 Update Release
Key Fixes and Enhancements in the Policy Agent 2.2-05 Update Release
Web agent behind load balancer now evaluates request against not-enforced client IP list (6915959)
Wildcard (*) support is added for not-enforced client IP list (6903850)
Web agents can map LDAP attributes to more than one HTTP header (6937504)
NSS libraries are upgraded to version 3.12.3 (6870161)
New properties for POST data preservation (6891373)
Known Issues in the Policy Agent 2.2-05 Update Release
In cookie hijacking mode, logout request hangs (6894077)
Policy Agent 2.2-04 Update Release
Web Agents in the Policy Agent 2.2-04 Update Release
Key Fixes and Enhancements in the Policy Agent 2.2-04 Update Release
Web agents have changes in the path info related properties (6854806)
NSS and NSPR libraries are bundled with web agents on Solaris and Linux systems (6794995)
Policy Agent 2.2-03 Update Release
Java EE Agents in the Policy Agent 2.2-03 Update Release
Patch IDs for Java EE Agents in the Policy Agent 2.2-03 Update Release
Web Agents in the Policy Agent 2.2-03 Update Release
Patch IDs for Web Agents in the Policy Agent 2.2-03 Update Release
Web Agents: Key Fixes and Enhancements in the Policy Agent 2.2-03 Update
IIS 6.0 agent supports POST data preservation (6735280)
Web Proxy Server 4.0 agent can send GET request without header (6787007)
Web agents libxml2.so library is upgraded (6817868)
Not-enforced POST requests can be accessed in CDSSO mode (6789020)
Web agent can handle new Access Manager 7.1 policy advices (6785022)
IIS 6.0 agent supports agent URL override functionality (6829880)
Web Agents: Known Issues in the Policy Agent 2.2-03 Update Release
Agent for Apache HTTP Server 2.0.x on IBM AIX 5.3 requires bos.rte.libc fileset upgrade
NSPR libraries need to be upgraded to version 4.7.0
Version 2.2-02 agent for Apache HTTP Server 2.2.3 fails to start on Linux 5.0
Policy Agent 2.2-02 Update Release
Policy Agent 2.2-02 Update For Web Agents
New Certifications and Support Added in 2.2-02 Web Agents
Large File Support For Apache 2.0 Agent
New Platform Support for 2.2-02 Web Agents
Policy Agent 2.2-02 Update For J2EE Agents
New Platform Support for 2.2-02 J2EE Agents
Key Fixes and Enhancements in the Policy Agent 2.2-02 Update
J2EE policy agent fails to log when the log action is LOG_DENY (6729386)
Performance issue resolved for policy agent (6768406)
For web agents, sunwMethod parameter is removed from the URL in CDSSO mode (6725383)
Composite advice can be included in the query instead of through a POST request (6676032)
Apache 2.0 agent supports additional HTTP methods for a Subversion repository (6647805)
For web agents, support is added to adjust the policy clock skew (6608463)
Policy Agent 2.2-01 Update Release
Policy Agent 2.2-01 Web Agents
Determining the Version of a Policy Agent 2.2 Web Agent
Key Fixes and Enhancements in Policy Agent 2.2-01 Web Agents
Request for specific session attributes to be populated in HTTP headers (6409146)
Web agents in the Policy Agent 2.2 release fail with Access Manager 6.3 (6490037)
Disabling Internet Explorer pop up when protocol changes from HTTP to HTTPS (6532260)
Program Database (.pdb) files should be part of agent binaries to help in debugging issues (6581272)
Other Additions to Policy Agent 2.2-01 Web Agents
The Key New Properties Added for Policy Agent 2.2-01 Web Agents
Property Added: com.sun.am.tcp_nodelay.enable
Property Added: com.sun.am.cookie.secure
Property Made Available: com.sun.am.replaypasswd.key
Property Added: com.sun.am.policy.agents.config.encode_url_special_chars.enable
Property Made Available: com.sun.am.policy.agents.config.no_child_thread_activation_delay
Properties Made Available for Microsoft Office SharePoint and Outlook Web Access
Access Manager and Policy Agent 2.2-01 Web Agents: Allowing Requests Using Non-Standard HTTP Methods
Supported HTTP Methods of Web Agents in Policy Agent 2.2-01
Policy Agent 2.2-01 Web Agents: Newly Supported HTTP Methods
Policy Agent 2.2-01 Web Agents: Support for INVALID Methods
Policy Agent 2.2-01 J2EE Agents
Determining the Version of a Policy Agent 2.2 J2EE Agent
Key Fixes and Enhancements in Policy Agent 2.2-01 J2EE Agents
The Key New Properties Added for Policy Agent 2.2-01 J2EE Agents
Property Made Available: com.sun.identity.enableUniqueSSOTokenCookie
Policy Agent 2.2: Problem Accessing Identities With IBM WebSphere Administration Console
Policy Agent 2.2-01: Overview of Fix for IBM WebSphere Administration Console Access Problem
Supported Servers in Policy Agent 2.2
Understanding Server and Operating System Support for Policy Agent 2.2
Web Agents and Minor Version Support of Servers and Operating Systems
J2EE Agents and Minor Version Support of Servers and Operating Systems
Supported Servers for Web Agents in Policy Agent 2.2
Supported Servers for J2EE Agents in Policy Agent 2.2
Compatibility With Access Manager and OpenSSO Enterprise
Installation Notes for Web Agents in Policy Agent 2.2
Uninstallation Script for Web Agents in Policy Agent 2.2
Installation Notes for J2EE Agents in Policy Agent 2.2
Using the agentadmin Program with J2EE Agents
Deploying the Agent Application
Combining a J2EE Agent With Access Manager (Conditional)
All Agents in Policy Agent 2.2
Individual Policy Agent 2.2 Guides Do Not Describe Precautions Against Cookie Hijacking
Web Agents in Policy Agent 2.2
All Web Agents in Policy Agent 2.2
On UNIX-based machines, all web agents require that the X11 DISPLAY variable be set properly.
A harmless error message appears in the web agent log files (6334519)
Web agent log entries are written to the wrong files (6301676)
Web Servers often cannot interpret hyphens used in header names
Error message issued during installation of Policy Agent 2.2 on Linux systems
Policy Agent 2.2 for Microsoft Internet Information Services 6.0 (Microsoft IIS 6.0)
When a specific environment variable is not properly set, the system might fail (6433790)
J2EE Agents in Policy Agent 2.2
All J2EE Agents in Policy Agent 2.2
A harmless error message appears in the J2EE agent log files (6301668)
Resources accessed with Internet Explorer 6.0 SP1 can result in 404 Not Found Error (6362249)
Harmless error messages related to JAX-RPC appear in the J2EE agent debug files (6325238)
Exceptions thrown when Access Manager uses polling with a J2EE agent (6452320)
J2EE agent installation prompts do not allow responses with leading or trailing spaces (6452708)
The first use of a resource protected by a declarative constraint results in a misdirect
Policy Agent 2.2 for Sun Java System Application Server 8.1
Policy Agent 2.2 for Apache Tomcat 5.5 Servlet/JSP Container
Policy Agent 2.2 for IBM WebSphere Application Server
The agentadmin --install command fails on Agent for IBM WebSphere Application Server (6385085)
Settings for CLASPATH variable are lost after agentadmin command is issued (6653936)
Policy Agent 2.2 for Oracle Application Server 10g
The sample application requires editing to work properly (6486895)
Policy Agent 2.2 documentation should reference OpenSSO (6857941)
Deprecation Notifications and Announcements
Policy agent update 2.2–02 includes fixes and enhancements released in hot patches since the Policy Agent 2.2–01 update. Consider updating to a new 2.2-02 agent if you have not updated your agent with any of these recent hot patches, or if you need any of the fixes or enhancements in the update.
Note -
Version 2.2–02 web and J2EE policy agents supersede the respective version 2.2 and 2.2–01 agents.
Support for Policy Agent 2.1 is being dropped, as noted in Deprecation Notifications and Announcements.
See also Compatibility With Access Manager and OpenSSO Enterprise.
The following Access Manager Policy Agent 2.2-02 web agents are available on My Oracle Support: https://support.oracle.com/.
Policy Agent 2.2-02 for Apache Web Server 2.0.54
Policy Agent 2.2-02 for Apache 2.2.9
Policy Agent 2.2-02 for IBM Lotus Domino Server 6.5 / 7.0
Policy Agent 2.2-02 for Microsoft IIS 5.0
Policy Agent 2.2-02 for Microsoft IIS 6.0
Policy Agent 2.2-02 for Sun Java System Web Server 6.1
Policy Agent 2.2-02 for Sun Java System Web Server 7.0
Policy Agent 2.2-02 for Web Proxy Server 4.0
Large file support is added for the Apache 2.0 agent. Support for the large file option is specifically needed because the latest versions of the Solaris 10 OS, both SPARC and x86 platforms, include a pre-installed Apache server with large file support enabled.
With update 2.2-02, two shared objects are included with the Apache agent:
libamapc2.largefile.so - The Apache server was built with the large file option enabled.
libamapc2.so - The Apache server was built with the large file option not enabled.
Non-large file support is the default. For an Apache 2.0 server with the large file option enabled, you might need to backup libamacp2.so and then copy libamapc2.largefile.so to the location of libamapac2.so.
To check for the large file option, use apxs -q CFLAGS. If the large file option is enabled, the command shows -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64. The agent's large file supported library is built using these compiler flags.
Important: If third-party components such as php or mod_perl are deployed on an Apache server that is built with the large file option set, these components also need to be compiled with the large file options set. Generally, use the Apache server header files during the compilation of these third-party components. Header files that are generated by Apache after enabling the large file support need to be used in these compilations.
In addition to the platforms listed in Supported Servers for Web Agents in Policy Agent 2.2, the following new platforms are added for web agents in the 2.2–02 update.
Table 5 New Platform Support for 2.2-02 Web Agents
|
The following Access Manager Policy Agent 2.2-02 J2EE agents are available on My Oracle Support: https://support.oracle.com/.
Apache Tomcat 6.0
Apache Tomcat 5.5 Servlet/JSP container
JBoss Application Server 4.0
IBM WebSphere Application Server 5.1.1
IBM WebSphere Application Server 6.0
BEA WebLogic Server 8.1 Service Pack 4
BEA WebLogic Server 9.0/9.1
BEA WebLogic Server 9.2
BEA WebLogic Server 10
IBM Domino Server 6.5/7.0
Oracle Application Server 10g
Sun Java System Application Server 8.1/8.2
Sun Java System Application Server 9.0/9.1
In addition to the platforms listed in Supported Servers for J2EE Agents in Policy Agent 2.2, the following new platforms are added for J2EE agents in the 2.2–02 update.
All version 2.2–02 J2EE agents on Red Hat Enterprise Linux AS 5.0, 32–bit and 64–bit, if the previous version of the agent was supported on Red Hat Enterprise Linux AS 3.0 and 4.0
Version 2.2-02 Apache Tomcat 6.0 agent on HP-UX 11i
J2EE policy agent fails to log when the log action is LOG_DENY (6729386)
For web agents, sunwMethod parameter is removed from the URL in CDSSO mode (6725383)
Composite advice can be included in the query instead of through a POST request (6676032)
Apache 2.0 agent supports additional HTTP methods for a Subversion repository (6647805)
For web agents, support is added to adjust the policy clock skew (6608463)
If the filter mode (com.sun.identity.agents.config.filter.mode property) is set to J2EE_POLICY or ALL (which is the default value set during the agent installation), the version 2.2–02 Oracle Application Server 10g agent returns an error in the amFilter log when a protected resource is accessed.
Workaround. See the additional task in the Post-Installation Steps Specific to Agent for Oracle Application Server 10g in Sun Java System Access Manager Policy Agent 2.2 Guide for Oracle Application Server 10g.
For a J2EE agent, the Audit Log properties in AMAgent.properties are set as:
com.sun.identity.agents.config.audit.accesstype = LOG_DENY com.sun.identity.agents.config.log.disposition = ALL
If a user for whom the access is denied to a J2EE protected resource tries to access a the resource in a deployed application, access to the protected resource is denied, but there is no entry in the logs for the deny action on either the Access Manager or J2EE agent side.
Workaround. None. This is a limitation of the product. For a J2EE policy to be evaluated, the control is given to the web container on which the agent is deployed, to determine the access policies. The web container doesn't send the access decision back to the agent for a resource that is protected with J2EE security policies. The web container just denies the access, and the agent cannot effectively log when the access is denied.
Previously, a delay occurred for the Microsoft IIS 5.0 agent when a user accessed a protected resource. When the agents were deployed on multiple servers, serious performance degradation occurred.
Workaround. The Policy Agent 2.2–02 update includes the following new property:
com.sun.am.policy.agents.config.policy_number_of_tries
If this property is set to 0 (the default value), you can prevent the delay for all agents.
For web agents, the sunwMethod parameter is removed from the URL in cross domain single sign-on (CDSSO) mode, because this parameter can cause problems with AJAX driven applications.
Web agents can use the following new property:
com.sun.am.policy.agents.config.use.sunwmethod
The default value is false, meaning that the sunwmethod parameter will not be used in CDSSO mode. For backward compatibility, if this property is set to true, CDSSO mode will function as it previously did.
The IBM Lotus Domino 7.0 agent previously displayed an internal server error (HTTP 500) if the Access Manager server was not responding.
Workaround. Set the following new property to the URL where you want the version 2.2–02 Lotus Domino 7.0 agent to redirect the client if the Access Manager server does not respond:
com.sun.am.policy.agents.config.errorpage.url
This new property also applies to the version 2.2–02 Apache 2.x agent.
When a web client accesses a resource and that request results in composite advice (sunamcompositeadvice) returned, the policy agent produces an auto-submitting HTML form, which can be difficult for a web client to interpret. Now, the following new property determines whether the composite advice is added in the query or through a POST request:
com.sun.am.use_redirect_for_advice
true: Composite advice will be added to the redirect URL.
false: Composite advice will be sent through a POST request.
The default is false.
The Apache 2.0 agent now recognizes these additional methods: VERSION_CONTROL, CHECKOUT, UNCHECKOUT, CHECKIN, UPDATE, LABEL, REPORT, MKWORKSPACE, MKACTIVITY, BASELINE_CONTROL, and MERGE. These methods are used for WebDAV versioning (RFC 3253) and specifically for a Subversion repository.
If the time on the web agent host machine differs from the Access Manager time, you might occasionally see an incorrect policy decision or an infinite re-direction. The following new property in AMAgent.properties adjusts the clock skew between the web agent and Access Manager machines:
com.sun.am.policy.agents.config.policy_clock_skew
This properties specifies the time in seconds used to adjust the time difference between the policy agent machine and the Access Manager machine, as follows:
Clock skew in seconds = AgentTime - AccessManagerTime
The default is zero (0).
You should also run a time syncing service to keep the time on the agent machine and the Access Manager machine as close as possible.