Sun Java System Access Manager Policy Agent 2.2 Release Notes

Policy Agent 2.2–03 Update Release

The Policy Agent 2.2–03 update release includes fixes and enhancements for web agents and Java EE agents (formerly called J2EE agents). Consider updating to a version 2.2-03 web agent if you have not updated an agent with any of the hot patches since the Policy Agent 2.2–02 update, or if you need any of the fixes or enhancements in the 2.2-03 update.

Java EE Agents in the Policy Agent 2.2–03 Update Release

The Java EE agents in the Policy Agent 2.2–03 update release are available as patches on SunSolve: http://sunsolve.sun.com/. For a list of the problems fixed by each patch, check the README file included with the respective patch.

Patch IDs for Java EE Agents in the Policy Agent 2.2–03 Update Release

These patches are full installations. To install a version 2.2–03 agent, you must first uninstall your existing agent and then reinstall the new 2.2–03 agent.

Table 2 Patch IDs for Java EE Agents in the Policy Agent 2.2–03 Update Release

Version 2.2–03 Java EE Agent For                          Patch ID
--------------------------------------------------------  ---------
JBoss Application Server 4.0                              143085-01
Oracle Application Server 10g                             143086-01
Sun Java System Application Server 8.1/8.2/9.0/9.1        143089-01
Apache Tomcat 5.5 Servlet/JSP Container                   143090-01
Apache Tomcat 6.0                                         143091-01
Oracle WebLogic Server/Portal 10                          143092-01
Oracle WebLogic Server/Portal 8.1 SP4                     143093-01
Oracle WebLogic Server 9.0/9.1                            143094-01
Oracle WebLogic Server/Portal 9.2                         143095-01
IBM WebSphere Application Server 5.1.1                    143096-01
IBM WebSphere Application Server 6.0/6.1                  143097-01
SAP Enterprise Portal 6.0 and Web Application Server 6.4  143098-01

Web Agents in the Policy Agent 2.2–03 Update Release

Patch IDs for Web Agents in the Policy Agent 2.2–03 Update Release

The web agents in the Policy Agent 2.2–03 update release are available as patches on SunSolve: http://sunsolve.sun.com/.

Table 3 Patch IDs for Web Agents in the Policy Agent 2.2–03 Update Release

Version 2.2–03 Web Agent For          Patch ID
------------------------------------  ---------
Apache HTTP Server 2.0.x              141243-01
Apache HTTP Server 2.2.x              141244-01
IBM Lotus Domino 6.x, 7.0, 8.0        141245-01
Microsoft IIS 5.0                     141246-01
Microsoft IIS 6.0                     141247-01
Sun Java System Web Proxy Server 4.0  141248-01
Sun Java System Web Server 6.1        141249-01
Sun Java System Web Server 7.0        141250-01

To Download and Install a Version 2.2–03 Web Agent

  1. Create a directory to download the patch. For example: v2.2-03_patch

  2. In the directory from Step 1, download the patch for the agent you want to install from http://sunsolve.sun.com/. For example, for the Apache HTTP Server 2.2.x agent, download 141244-01.zip.

  3. In the download directory, unzip the patch.

    Each patch contains a README file and a separate ZIP file for each supported platform. The README file contains information about the patch, including a list of the bugs fixed in the patch (and bugs fixed in earlier releases).

    For example, files for the Apache HTTP Server 2.2.x agent are:

    • README.141244-01

    • Solaris SPARC 64-bit systems: apache_v22_solaris_sparc64_agent.zip

    • Solaris SPARC 32-bit systems: apache_v22_SunOS_agent.zip

    • Linux 32-bit systems: apache_v22_Linux_agent.zip

    • Linux 64-bit systems: apache_v22_linux64_agent.zip

    • Solaris x86 systems: apache_v22_SunOS_x86_agent.zip

    • Windows: apache_v22_WINNT_agent.zip

  4. Unzip the file for your specific platform. For example, for Solaris SPARC 64-bit systems, unzip apache_v22_solaris_sparc64_agent.zip.

    Some files have the .tar.gz extension. For example, to unpack the IBM Domino Server agent for Linux:

    # gunzip -dc sun-one-policy-agent-2.2-domino6-linux.tar.gz | tar -xvof -

    The files and directories required by the specific agent are then available in the zip-root/web_agents/agent-name directory, where zip-root is where you unzipped the file and agent-name identifies the specific agent. For example, for the Apache HTTP Server 2.2.x agent:

    zip-root/web_agents/apache22_agent

  5. Follow the installation and configuration procedures in the respective Policy Agent 2.2 guide in the following collection:

    Policy Agent 2.2 documentation: http://docs.sun.com/coll/1322.1

    Note: Each version 2.2–03 web agent requires a full installation. That is, you must uninstall your existing agent and then re-install the new version 2.2–03 agent.

Web Agents: Key Fixes and Enhancements in the Policy Agent 2.2-03 Update

IIS 6.0 agent supports POST data preservation (6735280)

The version 2.2–03 agent for Microsoft IIS 6.0 now supports POST data preservation. The agent can preserve POST data that users submit to IIS 6.0 through HTML forms before they log in to Access Manager.

To Configure POST Data Preservation for the IIS 6.0 Agent

  1. Add the HTML pages containing the forms to the not-enforced URL list, as described in Configuring the Not-Enforced URL List in Sun Java System Access Manager Policy Agent 2.2 Guide for Microsoft Internet Information Services 6.0.

  2. In the AMAgent.properties file for the IIS 6.0 agent, set the following properties:

    • com.sun.am.policy.agents.config.postdata.preserve.enable = true

      Enables POST data preservation. The default is false.

    • com.sun.am.policy.agents.config.postcache.entry.lifetime = interval

      Specifies the interval in minutes that the POST data stays valid in the IIS 6.0 agent cache. POST data cache entries that have existed beyond the specified time interval are automatically removed from the cache. The default time is 10 minutes.

  3. Restart the IIS 6.0 server instance.

Web Proxy Server 4.0 agent can send GET request without header (6787007)

The version 2.2–03 agent for Sun Java System Web Proxy Server 4.0 can send a GET request without a header. Previously, this type of request caused a core dump, which resulted in a denial of service (DoS) security vulnerability.

For more information, check the Security Sun Alerts on http://sunsolve.sun.com/.

Web agents libxml2.so library is upgraded (6817868)

The libxml2.so library for version 2.2–03 web agents is upgraded from version 2.6.23 to version 2.7.3 to prevent a denial of service (DoS) security vulnerability.

For more information, check the Security Sun Alerts on http://sunsolve.sun.com/.

Not-enforced POST requests can be accessed in CDSSO mode (6789020)

For version 2.2–03 web agents in cross-domain single sign-on (CDSSO) mode, if a POST request is added to the not-enforced URL list, the browser now displays the POST data without redirecting to the Access Manager login page.

Web agent can handle new Access Manager 7.1 policy advices (6785022)

Version 2.2–03 web agents can handle the new Access Manager 7.1 policy advices for the AuthenticateToServiceConditionAdvice condition on 64–bit web containers.

Log entry added if web agent causes Apache Web Server to hang when the agent's log rotation fails (6804139)

A web agent can cause the Apache Web Server to hang if the agent's log rotation fails. A log entry to report this condition has been added in the version 2.2–03 release.

Workaround: Make sure that the correct permissions are set for the web agent log directory and that the partition where the logs are stored has enough space. Additional considerations for this issue are:

IIS 6.0 agent supports agent URL override functionality (6829880)

The version 2.2–03 IIS 6.0 agent now supports the agent URL override functionality, if the following properties are set in the agent's AMAgent.properties file:

com.sun.am.policy.agents.config.override_protocol = true
com.sun.am.policy.agents.config.override_host = true
com.sun.am.policy.agents.config.override_port = true
com.sun.am.policy.agents.config.agenturi.prefix = https://iis-host.example.com:443/amagent
com.sun.am.policy.agents.config.fqdn.map = agent-host|load-balancer-host

These properties are used when the agent-protected web server is behind a load balancer or SSL off-loader, so that the external URL differs from the server's own URL and must be overridden.
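The following added example (not part of the original release notes or of the agent's own code) checks an AMAgent.properties file for the POST data preservation and agent URL override settings described above. The sample file is constructed; the rule that the cache lifetime must be at least 1 minute and the comma-separated name|name form of fqdn.map entries are assumptions.

```python
from urllib.parse import urlsplit

PFX = "com.sun.am.policy.agents.config."

# Constructed sample with two deliberate mistakes (lifetime 0, prefix without scheme).
SAMPLE = """\
com.sun.am.policy.agents.config.postdata.preserve.enable = true
com.sun.am.policy.agents.config.postcache.entry.lifetime = 0
com.sun.am.policy.agents.config.override_protocol = true
com.sun.am.policy.agents.config.override_host = true
com.sun.am.policy.agents.config.override_port = true
com.sun.am.policy.agents.config.agenturi.prefix = iis-host.example.com/amagent
com.sun.am.policy.agents.config.fqdn.map = agent-host|load-balancer-host
"""

def parse_properties(text):
    """Parse 'key = value' lines; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return findings for the POST-preservation and URL-override settings."""
    def get(name, default=""):
        return props.get(PFX + name, default)

    findings = []
    if get("postdata.preserve.enable", "false").lower() == "true":
        lifetime = get("postcache.entry.lifetime", "10")  # default per the page: 10 minutes
        if not lifetime.isdecimal() or int(lifetime) < 1:  # assumption: at least 1 minute
            findings.append("postcache.entry.lifetime: expected whole minutes >= 1")
    flags = [f for f in ("override_protocol", "override_host", "override_port")
             if get(f, "false").lower() == "true"]
    if flags:
        url = urlsplit(get("agenturi.prefix"))
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append("agenturi.prefix: absolute http(s) URL required by " + ", ".join(flags))
        # Assumption: fqdn.map entries are comma-separated 'name|name' pairs, as on the page.
        for entry in filter(None, (e.strip() for e in get("fqdn.map").split(","))):
            left, sep, right = entry.partition("|")
            if not (left.strip() and sep and right.strip()):
                findings.append("fqdn.map: malformed entry " + repr(entry))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print("FINDING:", finding)
```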

IIS 6.0 SharePoint agent redirects to access-denied page if user doesn't exist in Active Directory (6854317)

If a user doesn't exist in Microsoft Active Directory but is authenticated by Access Manager, the version 2.2–03 IIS 6.0 SharePoint agent now redirects the request to the access-denied page. Previously, the agent returned Error 403 (Forbidden) to the user.

Web Agents: Known Issues in the Policy Agent 2.2–03 Update Release

Agent for Apache HTTP Server 2.0.x on IBM AIX 5.3 requires bos.rte.libc fileset upgrade

On IBM AIX 5.3, if you are running the web agent for IBM HTTP Server based on Apache HTTP Server 2.0.x, the server sometimes crashes at startup.

Workaround: Upgrade the AIX bos.rte.libc fileset from Service Pack 7 to Service Pack 9 (AIX 5.3.0.68 to 5.3.0.70). For information, see:

http://www-01.ibm.com/support/docview.wss?uid=isg1fileset-870201775

NSPR libraries need to be upgraded to version 4.7.0

For the version 2.2–03 web agents, the NSPR libraries need to be upgraded to version 4.7.0. Make sure that the upgraded NSPR libraries are picked up by the web server.

Version 2.2-02 agent for Apache HTTP Server 2.2.3 fails to start on Linux 5.0

The version 2.2-02 web agent for Apache HTTP Server 2.2.3 fails to start on Red Hat Linux 5.0 because the compatibility libraries are not installed. The OS includes /usr/lib/libstdc++.so.6 but not libstdc++.so.5.

Workaround: Install libstdc++.so.5 using the compat-libstdc++-33 RPM.