Sun Java System Access Manager Policy Agent 2.2 Release Notes
About Access Manager Policy Agent 2.2
What's New About Web Agents in This Release
Support for Fetching User Session Attributes
Policy-Based Response Attributes
Additional Method for Fetching the REMOTE_USER Server Variable
Malicious Header Attributes Automatically Cleared by Agents
Support for Heterogeneous Agent Types on the Same Machine
Support for Turning Off FQDN Mapping
Web Agents and Backward Compatibility With Access Manager 6.3
What's New About J2EE Agents in This Release
Removal of Dependencies on LDAP and on Administrative Accounts
Coexistence With Access Manager
Support for Client Identification Based on Custom HTTP Headers
Agent Specific Application for Housekeeping Tasks
Support for Flexible User Mapping Mechanisms
Support for Fetching User Session Attributes (J2EE Agents)
Support for Not-Enforced IP Lists
Support for Custom Response Headers
Support for Application Logout Integration
Support for Application Specific Agent Filter Operation Modes
Support for Affinity-Based Login URL Selection
Support for a Sample Application
J2EE Agents and Backward Compatibility With Access Manager 6.3
Policy Agent 2.2-05 Update Release
Web Agents in the Policy Agent 2.2-05 Update Release
Key Fixes and Enhancements in the Policy Agent 2.2-05 Update Release
Web agent behind load balancer now evaluates request against not-enforced client IP list (6915959)
Wildcard (*) support is added for not-enforced client IP list (6903850)
Web agents can map LDAP attributes to more than one HTTP header (6937504)
NSS libraries are upgraded to version 3.12.3 (6870161)
New properties for POST data preservation (6891373)
Policy Agent 2.2-04 Update Release
Web Agents in the Policy Agent 2.2-04 Update Release
Key Fixes and Enhancements in the Policy Agent 2.2-04 Update Release
Web agents have changes in the path info related properties (6854806)
NSS and NSPR libraries are bundled with web agents on Solaris and Linux systems (6794995)
Policy Agent 2.2-03 Update Release
Java EE Agents in the Policy Agent 2.2-03 Update Release
Patch IDs for Java EE Agents in the Policy Agent 2.2-03 Update Release
Web Agents in the Policy Agent 2.2-03 Update Release
Patch IDs for Web Agents in the Policy Agent 2.2-03 Update Release
Web Agents: Key Fixes and Enhancements in the Policy Agent 2.2-03 Update
IIS 6.0 agent supports POST data preservation (6735280)
Web Proxy Server 4.0 agent can send GET request without header (6787007)
Web agents libxml2.so library is upgraded (6817868)
Not-enforced POST requests can be accessed in CDSSO mode (6789020)
Web agent can handle new Access Manager 7.1 policy advices (6785022)
IIS 6.0 agent supports agent URL override functionality (6829880)
Web Agents: Known Issues in the Policy Agent 2.2-03 Update Release
Agent for Apache HTTP Server 2.0.x on IBM AIX 5.3 requires bos.rte.libc fileset upgrade
NSPR libraries need to be upgraded to version 4.7.0
Version 2.2-02 agent for Apache HTTP Server 2.2.3 fails to start on Linux 5.0
Policy Agent 2.2-02 Update Release
Policy Agent 2.2-02 Update For Web Agents
New Certifications and Support Added in 2.2-02 Web Agents
Large File Support For Apache 2.0 Agent
New Platform Support for 2.2-02 Web Agents
Policy Agent 2.2-02 Update For J2EE Agents
New Platform Support for 2.2-02 J2EE Agents
Key Fixes and Enhancements in the Policy Agent 2.2-02 Update
J2EE policy agent fails to log when the log action is LOG_DENY (6729386)
Performance issue resolved for policy agent (6768406)
For web agents, sunwMethod parameter is removed from the URL in CDSSO mode (6725383)
Composite advice can be included in the query instead of through a POST request (6676032)
Apache 2.0 agent supports additional HTTP methods for a Subversion repository (6647805)
For web agents, support is added to adjust the policy clock skew (6608463)
Policy Agent 2.2-01 Update Release
Policy Agent 2.2-01 Web Agents
Determining the Version of a Policy Agent 2.2 Web Agent
Key Fixes and Enhancements in Policy Agent 2.2-01 Web Agents
Request for specific session attributes to be populated in HTTP headers (6409146)
Web agents in the Policy Agent 2.2 release fail with Access Manager 6.3 (6490037)
Disabling Internet Explorer pop up when protocol changes from HTTP to HTTPS (6532260)
Program Database (.pdb) files should be part of agent binaries to help in debugging issues (6581272)
Other Additions to Policy Agent 2.2-01 Web Agents
The Key New Properties Added for Policy Agent 2.2-01 Web Agents
Property Added: com.sun.am.tcp_nodelay.enable
Property Added: com.sun.am.cookie.secure
Property Made Available: com.sun.am.replaypasswd.key
Property Added: com.sun.am.policy.agents.config.encode_url_special_chars.enable
Property Made Available: com.sun.am.policy.agents.config.no_child_thread_activation_delay
Properties Made Available for Microsoft Office SharePoint and Outlook Web Access
Access Manager and Policy Agent 2.2-01 Web Agents: Allowing Requests Using Non-Standard HTTP Methods
Supported HTTP Methods of Web Agents in Policy Agent 2.2-01
Policy Agent 2.2-01 Web Agents: Newly Supported HTTP Methods
Policy Agent 2.2-01 Web Agents: Support for INVALID Methods
Policy Agent 2.2-01 J2EE Agents
Determining the Version of a Policy Agent 2.2 J2EE Agent
Key Fixes and Enhancements in Policy Agent 2.2-01 J2EE Agents
The Key New Properties Added for Policy Agent 2.2-01 J2EE Agents
Property Made Available: com.sun.identity.enableUniqueSSOTokenCookie
Policy Agent 2.2: Problem Accessing Identities With IBM WebSphere Administration Console
Policy Agent 2.2-01: Overview of Fix for IBM WebSphere Administration Console Access Problem
Supported Servers in Policy Agent 2.2
Understanding Server and Operating System Support for Policy Agent 2.2
Web Agents and Minor Version Support of Servers and Operating Systems
J2EE Agents and Minor Version Support of Servers and Operating Systems
Supported Servers for Web Agents in Policy Agent 2.2
Supported Servers for J2EE Agents in Policy Agent 2.2
Compatibility With Access Manager and OpenSSO Enterprise
Installation Notes for Web Agents in Policy Agent 2.2
Uninstallation Script for Web Agents in Policy Agent 2.2
Installation Notes for J2EE Agents in Policy Agent 2.2
Using the agentadmin Program with J2EE Agents
Deploying the Agent Application
Combining a J2EE Agent With Access Manager (Conditional)
All Agents in Policy Agent 2.2
Individual Policy Agent 2.2 Guides Do Not Describe Precautions Against Cookie Hijacking
Web Agents in Policy Agent 2.2
All Web Agents in Policy Agent 2.2
On UNIX-based machines, all web agents require that the X11 DISPLAY variable be set properly.
A harmless error message appears in the web agent log files (6334519)
Web agent log entries are written to the wrong files (6301676)
Web Servers often cannot interpret hyphens used in header names
Error message issued during installation of Policy Agent 2.2 on Linux systems
Policy Agent 2.2 for Microsoft Internet Information Services 6.0 (Microsoft IIS 6.0)
When a specific environment variable is not properly set, the system might fail (6433790)
J2EE Agents in Policy Agent 2.2
All J2EE Agents in Policy Agent 2.2
A harmless error message appears in the J2EE agent log files (6301668)
Resources accessed with Internet Explorer 6.0 SP1 can result in 404 Not Found Error (6362249)
Harmless error messages related to JAX-RPC appear in the J2EE agent debug files (6325238)
Exceptions thrown when Access Manager uses polling with a J2EE agent (6452320)
J2EE agent installation prompts do not allow responses with leading or trailing spaces (6452708)
The first use of a resource protected by a declarative constraint results in a misdirect
Policy Agent 2.2 for Sun Java System Application Server 8.1
Policy Agent 2.2 for Apache Tomcat 5.5 Servlet/JSP Container
Policy Agent 2.2 for IBM WebSphere Application Server
The agentadmin --install command fails on Agent for IBM WebSphere Application Server (6385085)
Settings for CLASPATH variable are lost after agentadmin command is issued (6653936)
Policy Agent 2.2 for Oracle Application Server 10g
The sample application requires editing to work properly (6486895)
Policy Agent 2.2 documentation should reference OpenSSO (6857941)
Deprecation Notifications and Announcements
The Policy Agent 2.2-05 update release currently includes fixes and enhancements for web agents. This section describes the following:
Table 1 Web Agents in the Policy Agent 2.2-05 Update Release
|
To Download and Install a Version 2.2–05 Web Agent
Create a download directory to download the patch. For example: v2.2-05_agent
In the download directory from Step 1, download the patch for the agent you want to install from My Oracle Support: https://support.oracle.com/.
For example, for the Apache HTTP Server 2.2.x agent, download 141244-03.zip.
In the download directory, unzip the patch.
Each patch contains a README file and a separate ZIP file for each supported platform. The README file contains information about the patch, including a list of the bugs fixed in the patch.
For example, files for the Apache HTTP Server 2.2.x agent are:
README.141244-03
Solaris SPARC 64-bit systems: apache_v22_solaris_sparc64_agent.zip
Solaris SPARC 32-bit systems: apache_v22_SunOS_agent.zip
Linux 32-bit systems: apache_v22_Linux_agent.zip
Linux 64-bit systems: apache_v22_linux64_agent.zip
Solaris x86 systems: apache_v22_SunOS_x86_agent.zip
Windows: apache_v22_WINNT_agent.zip
Unzip the file for your specific platform. For example, for Solaris SPARC 64-bit systems, unzip apache_v22_solaris_sparc64_agent.zip.
The files and directories required by the specific agent are then available in the zip-root/web_agents/agent-name directory, where zip-root is where you unzipped the file and agent-name identifies the specific agent. For example, for the Apache HTTP Server 2.2.x agent:
zip-root/web_agents/apache22_agent
Follow the installation and configuration procedures in the respective Policy Agent 2.2 guide in the following collection:
Policy Agent 2.2 documentation: http://download.oracle.com/docs/cd/E19534-01/index.html
Note: Each version 2.2–05 web agent requires a full installation. That is, you must uninstall your existing agent and then re-install the new version 2.2–05 agent.
Web agent behind load balancer now evaluates request against not-enforced client IP list (6915959)
Wildcard (*) support is added for not-enforced client IP list (6903850)
Web agents can map LDAP attributes to more than one HTTP header (6937504)
The Policy Agent Update 2.2-05 release allows you to configure the web agent to evaluate the request against the not-enforced client IP list, when a load balancer is deployed in front of the agent.
The following properties in the AMAgent.properties file support this feature:
com.sun.agents.load_balancer.enable enables (true) or disables (false) the option to evaluate the request against the not-enforced client IP list, if a load balancer is deployed in front of the agent. The default is false.
The following two properties are not used unless this property has a value of true.
com.sun.am.policy.agents.config.client.ip.header is the name of the HTTP header that contains client IP, which depends on the type of load balancer you are using. If not used, leave this property blank.
com.sun.am.policy.agents.config.client.hostname.header is the name of the HTTP header that contains the hostname of the client. If not used, leave this property blank.
After you set these properties, restart the agent web container instance.
Note - The Policy Agent Update 2.2-04 release implemented this feature for the Microsoft IIS 6.0 agent. The Policy Agent Update 2.2-05 release extends this feature to the other web agents in this release. See also IIS 6.0 agent behind a load balancer now evaluates requests against not-enforced client IP list (6894700, 6864977).
The Policy Agent 2.2–05 release allows wildcard characters (*) in the not-enforced client IP list for web agents. This list can include both exact IP addresses and IP addresses that contain a asterisk (*) to represent one or more characters.
To specify the not-enforced client IP list, set the com.sun.identity.agents.config.notenforced.ip property in the AMAgent.properties file, with multiple IP addresses separated by a comma. For example:
com.sun.identity.agents.config.notenforced.ip = 192.168.*.*,*.10.10.*
After you set this property, restart the agent web container instance.
The Policy Agent 2.2–05 release allows web agents to map the same LDAP attribute to different HTTP headers or cookies. To specify this mapping, set the com.sun.am.policy.agents.config.profile.attribute.map property in the AMAgent.properties file, using a colon (:) to separate the names. For example:
com.sun.am.policy.agents.config.profile.attribute.map = cn|name1:name2:name3
After you set this property, restart the agent web container instance.
To prevent security issues, the NSS libraries for web agents in the Policy Agent 2.2–05 release are upgraded to version 3.12.3 for all platforms, including Oracle Solaris, Microsoft Windows, HP-UX, Linux, and IBM AIX systems.
For web agents that support POST data preservation and are deployed behind a load balancer, the Policy Agent 2.2-05 release allows you to send the sticky session information as a parameter in the URL rather than a cookie. Previously, this information was sent as part of a cookie and used the com.sun.am.policy.agents.config.postdata.preserve.lbcookie property.
Currently, the Microsoft IIS 6.0, Sun Java System Web Server 6.1, and Sun Java System Web Server 7.0 web agents support POST data preservation.
In the Policy Agent 2.2-05 release, these agents do not use the com.sun.am.policy.agents.config.postdata.preserve.lbcookie property for POST data preservation. Instead, these agents use the following new properties:
com.sun.am.policy.agents.config.postdata.preserve.stickysession.mode specifies the sticky session mode. Values can be URL or COOKIE. For example:
com.sun.am.policy.agents.config.postdata.preserve.stickysession.mode=URL
com.sun.am.policy.agents.config.postdata.preserve.stickysession.value specifies the name of the sticky cookie or query parameter and its value. For example:
com.sun.am.policy.agents.config.postdata.preserve.stickysession.value=agentID=01
After you set these properties, restart the agent web container.
In cookie hijacking mode, logout requests are not handled properly and session invalidation does not happen. This problem is fixed in OpenSSO 8.0 Update 2, Access Manager 7.1 patch 5, and Access Manager 7 2005Q4 patch 12. However, this problem still occurs when version 2.2-05 agents are used with OpenSSO 8.0 Update 1 patch 2 and the older patch releases.