Sun OpenSSO Enterprise 8.0 Release Notes

Policy Agent 3.0-02 Release

The Policy Agent 3.0-02 release currently includes web agents only. This section describes:

  - Web Agents in the Policy Agent 3.0-02 Release
  - Enhancements and Changes for Web Agents in the Policy Agent 3.0-02 Release
  - Problems Fixed for Web Agents in the Policy Agent 3.0-02 Release
  - Installation of Version 3.0-02 Policy Agents

Web Agents in the Policy Agent 3.0-02 Release

The following version 3.0-02 web agents are available on My Oracle Support: https://support.oracle.com/.

Table 1 Patch IDs for Web Agents in the Policy Agent 3.0-02 Release

Version 3.0-02 Policy Agent For                            Patch ID
Apache HTTP Server 2.0.x                                   144698-02
Apache HTTP Server 2.2.x                                   144699-02
Microsoft Internet Information Services (IIS) 6.0          144700-02
Microsoft Internet Information Services (IIS) 7.0 and 7.5  144701-02
Sun Java System Web Proxy Server 4.0.x                     144702-02
Sun Java System Web Server 7.0                             144703-02

Enhancements and Changes for Web Agents in the Policy Agent 3.0-02 Release

CR 6967818: Basic authentication support added for IIS 6.x and IIS 7.x agents

In the Policy Agent 3.0-02 release, basic authentication support is implemented for both the IIS 6.x and IIS 7.x agents. With basic authentication, the agent populates the Authorization header so that the browser does not prompt users for the username and password. This section describes:

  - Configuring OpenSSO Server for Basic Authentication
  - Configuring an IIS 6.x Agent for Basic Authentication
  - Configuring an IIS 7.x Agent for Basic Authentication

Configuring OpenSSO Server for Basic Authentication

Perform the steps in this section for both the IIS 6.x and IIS 7.x agents.

To configure OpenSSO server, follow these steps:

  1. Configure the ReplayPasswd class as a post-authorization plug-in:

    a. Log in to the OpenSSO Administration console.

    b. Click Access Control, realm-name, and then Authentication.

    c. Under General, click Advanced Properties.

    d. Scroll down to the Authentication Post Processing Classes field.

    e. In New Value, enter com.sun.identity.authentication.spi.ReplayPasswd and then click Add.

    f. Click Save.

  2. Generate and set the shared key:

    a. Run the following command to generate a shared key:

      java -classpath amserver.jar com.sun.identity.common.DESGenKey

      An example of the output is: "Key ==> a+CYxFITqD4="

      Note: The location of the amserver.jar file depends on the web container you are using for OpenSSO server.

    b. Log in to the OpenSSO Administration console.

    c. Click Configuration, Servers and Sites, and then the Server Name link.

    d. Click Advanced and then add the com.sun.am.replaypasswd.key property with the key you generated in Step a.

    e. Click Save and log out of the console.

  3. Restart the OpenSSO server.
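The value that goes into com.sun.am.replaypasswd.key is copied by hand from the DESGenKey output, so a quick sanity check before saving it avoids a silent misconfiguration. The following Python script is an added example; it is not part of the release notes or of the OpenSSO code. It extracts the key from a "Key ==> ..." line (the sample string is the one shown above), verifies that it is valid base64 that decodes to exactly 8 bytes, which is the length of a single-DES key, and only then produces the property line. The function names are my own. Treat the generated key as a secret: it should not end up in shell history, tickets or version control.

```python
import base64
import binascii
import re

# The output format shown in the release notes for DESGenKey (sample from the page).
SAMPLE_DESGENKEY_OUTPUT = "Key ==> a+CYxFITqD4="

DES_KEY_BYTES = 8  # single DES uses a 64-bit (8-byte) key


def parse_desgenkey_output(output):
    """Extract the base64 key from DESGenKey's 'Key ==> ...' line.
    Returns None when no such line is present in the text."""
    match = re.search(r"Key\s*==>\s*(\S+)", output)
    return match.group(1) if match else None


def validate_des_key(b64_key):
    """Return (ok, reason). ok is True only when the value is strict base64
    that decodes to exactly DES_KEY_BYTES bytes."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError):
        return False, "not valid base64"
    if len(raw) != DES_KEY_BYTES:
        return False, "decodes to %d bytes, expected %d" % (len(raw), DES_KEY_BYTES)
    return True, "ok"


def replaypasswd_property_line(b64_key):
    """Build the property line to add under Configuration > Servers and Sites >
    Advanced, refusing a key that fails validation (hypothetical helper name)."""
    ok, reason = validate_des_key(b64_key)
    if not ok:
        raise ValueError("refusing to set com.sun.am.replaypasswd.key: " + reason)
    return "com.sun.am.replaypasswd.key=" + b64_key


if __name__ == "__main__":
    key = parse_desgenkey_output(SAMPLE_DESGENKEY_OUTPUT)
    print(validate_des_key(key))
    print(replaypasswd_property_line(key))
```

Run it with the real DESGenKey output piped in or pasted into SAMPLE_DESGENKEY_OUTPUT; a key that was truncated or mangled while copying is rejected before it reaches the server configuration.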

Configuring an IIS 6.x Agent for Basic Authentication

Before you begin, you must install the version 3.0-02 IIS 6.x agent and define the same user and password pairs on the Windows machine as in OpenSSO server.

To configure an IIS 6.x agent, follow these steps:

  1. In the IIS 6.x manager, open the properties window of the website where the agent is installed.

  2. In the Directory Security tab, edit the Authentication and Access Control.

  3. Select Basic Authentication. All the other check boxes should be unchecked.

  4. In the properties window of the web server, select the ISAPI Filters tab.

  5. Add the Agent Auth Filter. The executable name is PolicyAgent-base\bin\amiis6auth.dll.

    For example: C:\Agents\web_agents\iis6_agent\bin\amiis6auth.dll

  6. Set the agent properties depending on the agent configuration.

    If you are using centralized agent configuration, set the following properties in the OpenSSO Administration console:

    a. Click Access Control, realm-name, Agents, Web, and then the name of the IIS 6.x agent.

    b. Click Advanced and then under Microsoft IIS Server, enter the following values:

    c. Click Save.

    If you are using local agent configuration, set the following properties in the OpenSSOAgentConfiguration.properties file:

  7. Restart the IIS 6.x server.

Configuring an IIS 7.x Agent for Basic Authentication

Before you begin, you must install the version 3.0-02 IIS 7.x agent and define the same user and password pairs on the Windows machine as in OpenSSO server.

To configure an IIS 7.x agent, follow these steps:

  1. In the IIS 7.x manager, select the website in the left panel and open the Authentication page.

  2. Enable Basic Authentication. All other authentication methods should be disabled.

  3. Set the agent properties depending on the agent configuration.

    If you are using centralized agent configuration, set the following properties in the OpenSSO Administration console:

    a. Click Access Control, realm-name, Agents, Web, and then the name of the IIS 7.x agent.

    b. Click Advanced and then under Microsoft IIS Server, enter the following values:

    c. Click Save.

    If you are using local agent configuration, set the following properties in the OpenSSOAgentConfiguration.properties file:

  4. Restart the IIS 7.x server.
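The feature described above rests on the agent filling in the HTTP Basic Authorization header on the user's behalf. The following Python example is added here and is not code from the release notes or from the agent: it builds a Basic header value the way any client would (base64 of username, a colon and the password, per RFC 7617) and parses one back, returning None for a missing header, a different scheme, invalid base64 or credentials without the mandatory colon, and splitting at the first colon only so that a password which itself contains ':' survives the round trip. The user names and passwords are constructed. Base64 is an encoding, not encryption, so a header carrying these credentials reveals the password to anyone who can read the traffic; the hop that carries it should be a protected channel.

```python
import base64
import binascii


def build_basic_authorization(username, password):
    """Return the Authorization header value a client sends for HTTP Basic
    authentication: 'Basic ' + base64(username ':' password) (RFC 7617)."""
    if ":" in username:
        raise ValueError("a Basic user-id must not contain ':'")
    credentials = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def parse_basic_authorization(header_value):
    """Recover (username, password) from an Authorization header value.
    Returns None for a missing header, a non-Basic scheme, invalid base64,
    or decoded credentials without the mandatory ':' separator."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    if ":" not in decoded:
        return None
    # Split at the FIRST colon only: the password may itself contain ':'.
    username, _, password = decoded.partition(":")
    return username, password


if __name__ == "__main__":
    # Constructed credentials; not values from the release notes.
    header = build_basic_authorization("alice", "s3cret")
    print(header)                            # Basic YWxpY2U6czNjcmV0
    print(parse_basic_authorization(header))  # ('alice', 's3cret')
```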

CR 6923788: POST data preservation support added for IIS 7.x agent

The version 3.0-02 agent for IIS 7.x now supports POST data preservation: POST data that users submit to IIS 7.x through HTML forms before they log in to OpenSSO server is preserved.

CR 6921240: Policy Clock Skew value required for “Stale resource is not removed” fix

The Policy Agent 3.0-02 release fixes CR 6921240 (stale resource is not removed). However, for all web agents, you must also set the Policy Clock Skew (the com.sun.identity.agents.config.policy.clock.skew agent property) to a value greater than zero.

  1. Set the Policy Clock Skew value depending on the agent configuration.

    If you are using centralized agent configuration, set the property in the OpenSSO server Administration console:

    a. Click Access Control, realm-name, Agents, Web, and then the name of the IIS agent.

    b. Click OpenSSO Services and then enter a value greater than zero in the Policy Clock Skew field.

    c. Click Save.

    If you are using local agent configuration, set the property in the OpenSSOAgentConfiguration.properties file. For example:

    com.sun.identity.agents.config.policy.clock.skew=2

  2. Restart the agent's web container.
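For local agent configuration, the requirement above can be verified mechanically after the upgrade. The following Python checker is an added example, not part of the release notes or the agent distribution: it reads a small, constructed excerpt of OpenSSOAgentConfiguration.properties, handles the Java properties forms that appear in such files ('#' and '!' comments, key=value, key: value, key value), and reports whether com.sun.identity.agents.config.policy.clock.skew is present, an integer, and greater than zero. The values in the sample are constructed, and the function names are my own.

```python
import re

CLOCK_SKEW_KEY = "com.sun.identity.agents.config.policy.clock.skew"

# Constructed excerpt of a local OpenSSOAgentConfiguration.properties file.
SAMPLE_PROPERTIES = """\
# OpenSSOAgentConfiguration.properties (constructed excerpt)
com.sun.identity.agents.config.policy.clock.skew=2
com.sun.identity.agents.config.notification.enable = true
! exclamation marks also start comments in Java properties files
com.sun.identity.agents.config.debug.level: all
"""

# Java properties line: key, then an optional '=' or ':' (or just whitespace), then value.
_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal Java .properties reader for flat agent files: '#'/'!' comments,
    'key=value', 'key: value' and 'key value' forms, surrounding whitespace
    trimmed. Backslash escapes and line continuations are not handled."""
    props = {}
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_clock_skew(props):
    """Apply the 3.0-02 requirement: the Policy Clock Skew must be an integer
    greater than zero. Returns (ok, message)."""
    value = props.get(CLOCK_SKEW_KEY)
    if value is None:
        return False, CLOCK_SKEW_KEY + " is not set"
    try:
        skew = int(value)
    except ValueError:
        return False, "%s=%r is not an integer" % (CLOCK_SKEW_KEY, value)
    if skew <= 0:
        return False, "%s=%d must be greater than zero" % (CLOCK_SKEW_KEY, skew)
    return True, "%s=%d" % (CLOCK_SKEW_KEY, skew)


if __name__ == "__main__":
    ok, message = check_clock_skew(parse_properties(SAMPLE_PROPERTIES))
    print("OK" if ok else "FAIL", message)
```

Point parse_properties at the real file's contents (for example, `open(path).read()`) to check a deployed agent; a missing key, a zero, a negative number and a non-numeric value are all reported as failures, which are exactly the states that leave the stale-resource fix ineffective.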

Problems Fixed for Web Agents in the Policy Agent 3.0-02 Release

Table 2 Problems Fixed for Web Agents in the Policy Agent 3.0-02 Release

CR Number  Description
6967818    Basic authentication support added for IIS 6.x and IIS 7.x agents
6932276    Possible "Memory Access violation" in agent code, causing the IIS 6.0 agent to hang
6923788    Support is added for POST data preservation in IIS 7.x agent
6967332    POST data preservation is not working in CDSSO mode for IIS 7 agent
6965534    Policy decision is not getting enforced if time on the agent and server machines is not synchronized
6921240    Stale resource is not removed for web agents
6978660    Remote logging messages are empty in the remote log file on OpenSSO server
6971977    Agent redirection issues occur for policies with max session timeout condition
6977659    IIS agent gets SAML assertion and returns the protected resource but without a 302 redirect
6977675    Resetting cookie to avoid double assertion post is not present or handled
6827797    HTTP header corruption occurs when profile attribute map has long URL (title, dn, and uid)
6972364    "Invalid Home Directory for Apache Server" error occurs during migration from Apache 2.2 agent
6804139    Web agent causes web server to hang if agent's log rotation fails

Installation of Version 3.0-02 Policy Agents

A version 3.0-02 policy agent requires a full installation. If you have an earlier policy agent already installed, you must uninstall that agent and then install the new version 3.0-02 agent. To install a version 3.0-02 agent, follow these steps:

  1. If you have an earlier policy agent installed, uninstall the agent by following the instructions in the respective Policy Agent 3.0 guide in the OpenSSO Enterprise 8.0 documentation collection: http://docs.sun.com/coll/1767.1.

    Important: Before you uninstall the agent, back up your existing agent deployment. For example, for the Apache HTTP Server 2.2.x agent, back up the files under AgentHome/web_agents/apache22_agent, where AgentHome is where you installed the agent.

  2. Create a directory to download the version 3.0-02 patch file.

  3. Download the agent you want to install from My Oracle Support:

    https://support.oracle.com/

  4. In the download directory, unzip the version 3.0-02 patch file. A patch for a web agent contains a README file and a separate ZIP file for each platform supported by the specific agent you downloaded.

  5. Unzip the file for your specific platform.

    The files and directories required by the specific agent are then available in the zip-root/web_agents/agent-name directory, where zip-root is where you unzipped the file and agent-name identifies the specific agent.

    Check the README available with the agent for more information about the agent for your specific platform.

  6. Install and configure the version 3.0-02 agent by following the instructions in the respective Policy Agent 3.0 guide in the OpenSSO Enterprise 8.0 documentation collection: http://docs.sun.com/coll/1767.1.

    Note: Version 3.0 and later agents require JDK 1.5 or later on the server where you plan to install the agent. Before you run the agentadmin program to install the agent, set your JAVA_HOME environment variable to point to the JDK installation directory.
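The three checks that most often go wrong in the procedure above are the backup before uninstalling (step 1), locating the unzipped agent directory and its README (step 5), and the JDK 1.5-or-later requirement (step 6). The following Python script is an added example, not part of the release notes or the agent tooling: it archives AgentHome/web_agents/agent-name into a ZIP file, looks for zip-root/web_agents/agent-name with a README, and compares a `java -version` style string against the 1.5 minimum. The demo() function builds a constructed AgentHome and unzipped patch tree in a temporary directory so the script runs offline; the file names under the agent directory are constructed for the example, and all function names are my own.

```python
import os
import re
import shutil
import tempfile
import zipfile


def jdk_meets_minimum(version_text, minimum=(1, 5)):
    """True when a version string such as '1.5.0_22', '1.6.0', or the first
    line of `java -version` output ('java version "1.6.0_45"') is >= minimum."""
    match = re.search(r"(\d+)\.(\d+)", version_text)
    if not match:
        return False
    return (int(match.group(1)), int(match.group(2))) >= minimum


def backup_agent(agent_home, agent_dir_name, backup_dir):
    """Archive AgentHome/web_agents/<agent_dir_name> into backup_dir as a ZIP
    file and return the archive path. Run this before uninstalling the old agent."""
    source = os.path.join(agent_home, "web_agents", agent_dir_name)
    if not os.path.isdir(source):
        raise FileNotFoundError("agent directory not found: " + source)
    os.makedirs(backup_dir, exist_ok=True)
    base_name = os.path.join(backup_dir, agent_dir_name + "-backup")
    return shutil.make_archive(base_name, "zip", root_dir=source)


def find_agent_in_patch(zip_root, agent_dir_name):
    """Locate zip-root/web_agents/<agent_dir_name> in an unzipped patch and
    report whether it carries a README. Returns (path, readme_found)."""
    agent_path = os.path.join(zip_root, "web_agents", agent_dir_name)
    if not os.path.isdir(agent_path):
        return agent_path, False
    readme_found = any(name.upper().startswith("README") for name in os.listdir(agent_path))
    return agent_path, readme_found


def demo():
    """Build a constructed AgentHome and unzipped patch tree in a temporary
    directory, run the three checks, and return their results as a dict."""
    root = tempfile.mkdtemp(prefix="pa3002-")
    try:
        # Constructed existing deployment of the Apache 2.2.x agent.
        agent_home = os.path.join(root, "AgentHome")
        deployed = os.path.join(agent_home, "web_agents", "apache22_agent")
        os.makedirs(deployed)
        with open(os.path.join(deployed, "OpenSSOAgentConfiguration.properties"), "w") as fh:
            fh.write("# constructed sample file\n")
        archive = backup_agent(agent_home, "apache22_agent", os.path.join(root, "backup"))
        with zipfile.ZipFile(archive) as zf:
            archived = zf.namelist()

        # Constructed unzipped patch: zip-root/web_agents/apache22_agent with a README.
        zip_root = os.path.join(root, "patch")
        patch_agent = os.path.join(zip_root, "web_agents", "apache22_agent")
        os.makedirs(patch_agent)
        open(os.path.join(patch_agent, "README"), "w").close()
        _, readme_found = find_agent_in_patch(zip_root, "apache22_agent")

        return {
            "backup_contains_config": any(
                name.endswith("OpenSSOAgentConfiguration.properties") for name in archived),
            "patch_readme_found": readme_found,
            "jdk_ok": jdk_meets_minimum('java version "1.5.0_22"'),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real host, call backup_agent with your AgentHome and agent directory name, find_agent_in_patch with the directory you unzipped into, and jdk_meets_minimum with the output of the java binary under JAVA_HOME; refuse to proceed with the uninstall until all three report success.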