Patch IDs for Web Agents in the Policy Agent 2.2–03 Update Release
Web Agents: Key Fixes and Enhancements in the Policy Agent 2.2-03 Update
Web Agents: Known Issues in the Policy Agent 2.2–03 Update Release
The web agents in the Policy Agent 2.2–03 update release are available as patches on SunSolve: http://sunsolve.sun.com/.
Table 3 Patch IDs for Web Agents in the Policy Agent 2.2–03 Update Release
| Version 2.2–03 Web Agent For | Patch ID |
|---|---|
| Apache HTTP Server 2.0.x | 141243-01 |
| Apache HTTP Server 2.2.x | 141244-01 |
| IBM Lotus Domino 6.x, 7.0, 8.0 | 141245-01 |
| Microsoft IIS 5.0 | 141246-01 |
| Microsoft IIS 6.0 | 141247-01 |
| Sun Java System Web Proxy Server 4.0 | 141248-01 |
| Sun Java System Web Server 6.1 | 141249-01 |
| Sun Java System Web Server 7.0 | 141250-01 |
To Download and Install a Version 2.2–03 Web Agent
1. Create a directory to download the patch. For example: v2.2-03_patch
2. In the directory from Step 1, download the patch for the agent you want to install from http://sunsolve.sun.com/. For example, for the Apache HTTP Server 2.2.x agent, download 141244-01.zip.
3. In the download directory, unzip the patch.
   Each patch contains a README file and a separate ZIP file for each supported platform. The README file contains information about the patch, including a list of the bugs fixed in the patch (and bugs fixed in earlier releases).
   For example, files for the Apache HTTP Server 2.2.x agent are:
   - README.141244-01
   - Solaris SPARC 64-bit systems: apache_v22_solaris_sparc64_agent.zip
   - Solaris SPARC 32-bit systems: apache_v22_SunOS_agent.zip
   - Linux 32-bit systems: apache_v22_Linux_agent.zip
   - Linux 64-bit systems: apache_v22_linux64_agent.zip
   - Solaris x86 systems: apache_v22_SunOS_x86_agent.zip
   - Windows: apache_v22_WINNT_agent.zip
4. Unzip the file for your specific platform. For example, for Solaris SPARC 64-bit systems, unzip apache_v22_solaris_sparc64_agent.zip.
   Some files have the .tar.gz extension. For example, to unpack the IBM Domino Server agent for Linux:
       # gunzip -dc sun-one-policy-agent-2.2-domino6-linux.tar.gz | tar -xvof -
   The files and directories required by the specific agent are then available in the zip-root/web_agents/agent-name directory, where zip-root is where you unzipped the file and agent-name identifies the specific agent. For example, for the Apache HTTP Server 2.2.x agent:
       zip-root/web_agents/apache22_agent
5. Follow the installation and configuration procedures in the respective Policy Agent 2.2 guide in the following collection:
   Policy Agent 2.2 documentation: http://docs.sun.com/coll/1322.1
Note: Each version 2.2–03 web agent requires a full installation. That is, you must uninstall your existing agent and then re-install the new version 2.2–03 agent.
Web Proxy Server 4.0 agent can send GET request without header (6787007)
Not-enforced POST requests can be accessed in CDSSO mode (6789020)
Web agent can handle new Access Manager 7.1 policy advices (6785022)
IIS 6.0 agent supports agent URL override functionality (6829880)
The version 2.2–03 agent for Microsoft IIS 6.0 now supports POST data preservation. Users can preserve POST data, which is submitted to IIS 6.0 through HTML forms before the users log in to Access Manager.
To Configure POST Data Preservation for the IIS 6.0 Agent
1. Add the HTML pages containing the forms to the not-enforced URL list, as described in Configuring the Not-Enforced URL List in Sun Java System Access Manager Policy Agent 2.2 Guide for Microsoft Internet Information Services 6.0.
2. In the AMAgent.properties file for the IIS 6.0 agent, set the following properties:
   com.sun.am.policy.agents.config.postdata.preserve.enable = true
       Enables POST data preservation. The default is false.
   com.sun.am.policy.agents.config.postcache.entry.lifetime = interval
       Specifies the interval in minutes that the POST data stays valid in the IIS 6.0 agent cache. POST data cache entries that have existed beyond the specified time interval are automatically removed from the cache. The default time is 10 minutes.
3. Restart the IIS 6.0 server instance.
The version 2.2–03 agent for Sun Java System Web Proxy Server 4.0 can send a GET request without a header. Previously, this type of request caused a core dump, which resulted in a denial of service (DOS) security vulnerability.
For more information, check the Security Sun Alerts on http://sunsolve.sun.com/.
The libxml2.so library for version 2.2–03 web agents is upgraded from version 2.6.23 to version 2.7.3, in order to prevent a denial of service (DOS) security vulnerability.
For more information, check the Security Sun Alerts on http://sunsolve.sun.com/.
For version 2.2–03 web agents in cross-domain single sign-on (CDSSO) mode, if a POST request is added to the not-enforced URL list, the browser now displays the POST data without redirecting to the Access Manager login page.
Version 2.2–03 web agents can handle the new Access Manager 7.1 policy advices for the AuthenticateToServiceConditionAdvice condition on 64–bit web containers.
A web agent can cause the Apache Web Server to hang if the agent's log rotation fails. A log entry to report this condition has been added in the version 2.2–03 release.
Workaround: Make sure that the correct permissions are set for the web agent log directory and that the partition where the logs are stored has enough space. Additional considerations for this issue are:
To prevent permission failures for the web agent's log directory, make sure all web server child processes have write permissions to the log directory. For example, consider the agent for Apache HTTP Server: if the initial web agent log file is opened by the superuser (root) and log rotation is subsequently attempted by a child process running as a different user (such as the apache user), make sure that the apache user has write permissions to the log directory.
In case of log rotation failures due to write permissions, the logs will be written to the web server's error log file.
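The two conditions in this workaround (write access for the web server's child-process user, and free space on the log partition) can be checked ahead of time. The following Python script is an added example, not part of the Policy Agent distribution; the directory path, user name and free-space threshold are placeholders, and it evaluates only the owner/group/other mode bits, not ACLs.

```python
import os
import pwd
import shutil
import stat


def mode_allows_write(mode, owner_uid, owner_gid, uid, gids):
    """True if a process with uid/gids can create and rename files in a
    directory with this mode and ownership (ACLs are not evaluated)."""
    if uid == 0:
        return True  # root bypasses permission bits
    if uid == owner_uid:
        bits = mode >> 6  # owner class applies
    elif owner_gid in gids:
        bits = mode >> 3  # group class applies
    else:
        bits = mode       # other class applies
    # Log rotation creates and renames files: needs write (2) and search (1).
    return (bits & 0o3) == 0o3


def user_can_write_dir(path, username):
    """Resolve username to uid/groups and test it against the directory."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    user = pwd.getpwnam(username)
    gids = os.getgrouplist(username, user.pw_gid)
    return mode_allows_write(st.st_mode, st.st_uid, st.st_gid, user.pw_uid, gids)


def check_agent_log_dir(path, username, min_free_mb):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not user_can_write_dir(path, username):
        findings.append(f"{username} cannot write to {path}")
    free_mb = shutil.disk_usage(path).free // (1024 * 1024)
    if free_mb < min_free_mb:
        findings.append(f"{path}: {free_mb} MB free, below {min_free_mb} MB")
    return findings


if __name__ == "__main__":
    # Placeholder values: substitute the agent log directory, the user the
    # web server child processes run as, and a threshold that suits the site.
    for finding in check_agent_log_dir("/tmp", "root", 100):
        print("WARNING:", finding)
```

Run it with the user the child processes actually run as, not the user that starts the server, since rotation is attempted by the child process.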
The version 2.2–03 IIS 6.0 agent now supports the agent URL override functionality, if the following properties are set in the agent's AMAgent.properties file:
com.sun.am.policy.agents.config.override_protocol = true
com.sun.am.policy.agents.config.override_host = true
com.sun.am.policy.agents.config.override_port = true
com.sun.am.policy.agents.config.agenturi.prefix = https://iis-host.example.com:443/amagent
com.sun.am.policy.agents.config.fqdn.map = agent-host|load-balancer-host
These properties are used if the agent-protected web server is behind a load balancer or SSL off-loader, so that the external URL differs from the server's own URL and must be overridden.
If a user doesn't exist in Microsoft Active Directory but is authenticated by Access Manager, the version 2.2–03 IIS 6.0 SharePoint agent now redirects the request to the access-denied page. Previously, the agent returned Error 403 (Forbidden) to the user.
Agent for Apache HTTP Server 2.0.x on IBM AIX 5.3 requires bos.rte.libc fileset upgrade
Version 2.2-02 agent for Apache HTTP Server 2.2.3 fails to start on Linux 5.0
On IBM AIX 5.3, if you are running the web agent for IBM HTTP Server based on Apache HTTP Server 2.0.x, the server sometimes crashes at startup.
Workaround: Upgrade the AIX bos.rte.libc fileset from Service Pack 7 to Service Pack 9 (AIX 5.3.0.68 to 5.3.0.70). For information, see:
http://www-01.ibm.com/support/docview.wss?uid=isg1fileset-870201775
For the version 2.2–03 web agents, the NSPR libraries need to be upgraded to version 4.7.0. Make sure that the upgraded NSPR libraries are picked up by the web server.
The version 2.2-02 web agent for Apache HTTP Server 2.2.3 fails to start on Red Hat Linux 5.0 because the compatibility libraries are not installed. The OS includes /usr/lib/libstdc++.so.6 but not libstdc++.so.5.
Workaround: Install libstdc++.so.5 using the compat-libstdc++-33 RPM.