Oracle® OpenSSO Policy Agent 3.0 Release Notes Release 3.0 E23266-09
The Oracle OpenSSO Policy Agent 3.0 Release Notes contain the following information about both Java EE (formerly called J2EE) agents and web agents:
Section 1.8, "Policy Agent 3.0-02 Release for Java EE Agents"
Section 1.9, "Policy Agent 3.0-01 Release for Java EE and Web Agents"
Section 1.10, "Installation of Version 3.0-0x Policy Agents in Patch Releases"
Version 3.0 Policy Agents are closely integrated with Oracle OpenSSO 8.0 server. For more information, see the following guides:
Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for J2EE Agents
Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for Web Agents
Individual Policy Agent 3.0 guides
The documentation for version 3.0 Policy Agents and Oracle OpenSSO 8.0 server is available in the following library:
This section includes the following information:
Section 1.2.1, "Web Agents in the Policy Agent 3.0-07 Release"
Section 1.2.2, "Enhancements and Changes for Web Agents in the Policy Agent 3.0-07 Release"
The version 3.0-07 web agents shown in Table 1-1 are available on My Oracle Support.
To download a version 3.0.0.7 policy agent patch:
Sign in (or register if you are a new user) on the My Oracle Support site:
Click Patches & Updates.
Under Patch Search, click Product or Family (Advanced).
For the search criteria, select:
Product: Oracle OpenSSO
Release: Oracle OpenSSO Policy Agent 3.0
Description: contains 3.0.07
Check Exclude superseded patches.
Click Search.
On the Patch Advanced Search Results, scroll down until you find the patch you want by using criteria such as the agent name, platform, and the 32-bit or 64-bit version.
If your search results are on multiple pages, you might need to check the additional pages until you find the patch you want.
Under Patch Name, click the link to initiate the download.
Note: In the Policy Agent 3.0-07 release, patches are identified by name or number rather than a patch ID.
Table 1-1 Patch Numbers and Platforms for Web Agents in the Policy Agent 3.0-07 Release
Version 3.0-07 Policy Agent For | Platform | Patch Name or Number |
---|---|---|
Apache 2.2 Agent | Oracle Solaris 10 SPARC, 64-bit | 22665680 |
Web Server 7.0 | Oracle Solaris 10 SPARC 64 bit | 22665643 |
IIS 7.x | Windows 2008 64 bit | 22665590 |
Domino Server 8.5 | AIX 6.1 - 32 bit | 22665727 |
Domino Server 8.5 | Windows 2008 64 bit | 22665727 |
This section includes the following information:
Section 1.3.1, "Web Agents in the Policy Agent 3.0-06 Release"
Section 1.3.2, "Enhancements and Changes for Web Agents in the Policy Agent 3.0-06 Release"
Section 1.3.3, "Problems Fixed for Web Agents in the Policy Agent 3.0-06 Release"
The version 3.0-06 web agents shown in Table 1-2 are available on My Oracle Support.
To download a version 3.0.0.6 policy agent patch:
Sign in (or register if you are a new user) on the My Oracle Support site:
Click Patches & Updates.
Under Patch Search, click Product or Family (Advanced).
For the search criteria, select:
Product: Oracle OpenSSO
Release: Oracle OpenSSO Policy Agent 3.0
Description: contains 3.0.06
Check Exclude superseded patches.
Click Search.
On the Patch Advanced Search Results, scroll down until you find the patch you want by using criteria such as the agent name, platform, and the 32-bit or 64-bit version.
If your search results are on multiple pages, you might need to check the additional pages until you find the patch you want.
Under Patch Name, click the link to initiate the download.
Note: In the Policy Agent 3.0-06 release, patches are identified by name or number rather than a patch ID.
Table 1-2 Patch Numbers and Platforms for Web Agents in the Policy Agent 3.0-06 Release
Version 3.0-06 Policy Agent For | Platform | Patch Name or Number |
---|---|---|
Apache HTTP Server 2.2.x | Oracle Solaris 10 SPARC, 64-bit | 21073037 |
Microsoft Internet Information Services (IIS) 7.x | Microsoft Windows 2008, 64-bit | 21073097 |
Oracle iPlanet Web Server 7.x (formerly Sun Java System Web Server 7.x) | Oracle Solaris 10 SPARC, 64-bit | 21073067 |
IBM Domino Server 8.5.2 | Microsoft Windows 2008, 64-bit; IBM AIX 6.1, 32-bit | 21073122 |
This release includes the following enhancements and changes:
Table 1-3 describes the bugs fixed in this release.
Table 1-3 Problems Fixed for Web Agents in the Policy Agent 3.0-06 Release
Bug Number | Description |
---|---|
20597364 | NSS libraries are upgraded to version 3.17.4 |
19244710 | Version 3.0-03 Apache 2.2 agent doesn't refresh stale policies and returns error 403 |
16175478 | Domino Server crashes when profile, session fetch.mode=HTTP_COOKIE & response fetch.mode=HTTP_HEADER |
19361696 | Domino Server crashes when profile fetch.mode=HTTP_HEADER & session fetch.mode=HTTP_COOKIE |
20251403 | For version 3.0-05 Web Server 7.x agent, delay occurs before redirecting to second level of authentication when POST data preservation is used with composite advice |
18401874 | Version 3.0-04 agent for Domino 8.5.2 on Windows 2003 64-bit returns "Error while iterating over the header values: buffer too small" in |
19874737 | IIS agents should not require Host header as per HTTP/1.0 specification |
14096674 | For version 3.0-03 Web Proxy Server agent, delay occurs before redirecting to second level of authentication when POST data preservation is used with composite advice |
18600536 | Fix for bug 18600526 |
This section includes the following information:
Section 1.4.1, "Web Agents in the Policy Agent 3.0-05 Release"
Section 1.4.2, "Enhancements and Changes for Web Agents in the Policy Agent 3.0-05 Release"
Section 1.4.3, "Problems Fixed for Web Agents in the Policy Agent 3.0-05 Release"
Section 1.4.4, "Known Issues for Web Agents in the Policy Agent 3.0-05 Release"
The version 3.0-05 web agents shown in Table 1-4 are available on My Oracle Support.
To download a version 3.0.0.5 policy agent patch:
Sign in (or register if you are a new user) on the My Oracle Support site:
Click Patches & Updates.
Under Patch Search, click Product or Family (Advanced).
For the search criteria, select:
Product: Oracle OpenSSO
Release: Oracle OpenSSO Policy Agent 3.0
Description: contains 3.0.0.5
Check Exclude superseded patches.
Click Search.
On the Patch Advanced Search Results, scroll down until you find the patch you want by using criteria such as the agent name, platform, and the 32-bit or 64-bit version.
If your search results are on multiple pages, you might need to check the additional pages until you find the patch you want.
Under Patch Name, click the link to initiate the download.
Table 1-4 Patch IDs and Platforms for Web Agents in the Policy Agent 3.0-05 Release
Version 3.0-05 Policy Agent For | Platform | Patch ID |
---|---|---|
Apache HTTP Server 2.2.x | Red Hat Enterprise Linux (RHEL) 4, 32-bit and 64-bit; Microsoft Windows 2003, 32-bit; Oracle Solaris 10 SPARC, 64-bit | 144699-05 |
Microsoft Internet Information Services (IIS) 6.x | Microsoft Windows 2003, 32-bit and 64-bit | 144700-05 |
Microsoft Internet Information Services (IIS) 7.x | Microsoft Windows 2008, 32-bit and 64-bit | 144701-05 |
Oracle iPlanet Web Server 7.x (formerly Sun Java System Web Server 7.x) | Oracle Solaris 10 SPARC, 32-bit and 64-bit; Oracle Solaris 10 x86, 64-bit; Red Hat Enterprise Linux (RHEL) 4, 64-bit; Microsoft Windows 2003, 32 bit | 144703-05 |
IBM Domino Server 8.5.2 | Microsoft Windows 2003, 64-bit; Microsoft Windows 2008, 64-bit; IBM AIX 6.1 | 149027-03 |
This release includes the following enhancements and changes:
Section 1.4.2.1, "NSS libraries are upgraded to version 3.16"
Section 1.4.2.2, "New supported platforms are added for web agents"
The NSS libraries for web agents in the Policy Agent 3.0-05 release are upgraded to version 3.16.
Note: When running the version 3.0-05 Domino Server web agent in SSL mode with the version 3.16 NSS libraries, the following message is displayed on the Domino Server console:
SSLDisableExportCiphers> Server key (1024 bits) too strong for EXPORT ciphers. Disabling cipher RSA_EXPORT_WITH_RC4_40_MD5
This message is for information only, and no action is required. The explanation for this message is: This is to make SSL more standards compliant. Disabling weak ciphers is the right thing to do when the server key is strong. Using export-grade ciphers with an RSA server key stronger than 512-bits is explicitly prohibited in the SSL v3 and TLS specifications.
The following new supported platforms are added in the Policy Agent 3.0-05 release:
Apache HTTP Server 2.2.x agent:
Oracle Solaris 10 SPARC, 64-bit
Red Hat Enterprise Linux (RHEL) 4, 64-bit
Oracle iPlanet Web Server 7.x (formerly Sun Java System Web Server 7.x) agent:
Oracle Solaris 10 SPARC, 32-bit
For a list of all supported platforms, see Table 1-4, "Patch IDs and Platforms for Web Agents in the Policy Agent 3.0-05 Release".
Table 1-5 describes the bugs fixed in this release.
Table 1-5 Problems Fixed for Web Agents in the Policy Agent 3.0-05 Release
Bug Number | Description |
---|---|
18385564 | IIS 7.0 agent install for one website affects other websites in multi-site setup |
18508682 | IIS 7.0 agent uninstall in a multi-site environment uninstalls all other agents |
18276350 | NSS libraries are upgraded to version 3.16. See Section 1.4.2, "Enhancements and Changes for Web Agents in the Policy Agent 3.0-05 Release." |
Table 1-6 describes the known issues in this release.
Table 1-6 Known Issues for Web Agents in the Policy Agent 3.0-05 Release
Bug Number | Description |
---|---|
19243036 | The Apache 2.2 web agent version information shows twice in the |
19360542 | In a multi-site environment, the IIS 7.0 agent is not getting installed on some of the sites. |
19361209 | Access Denied (error 403) occurs for the Apache 2.2 agent when the cache object goes stale. |
19361696 | Domino Server crashes for the 64-bit Domino agent on 64-bit Windows 2008 systems when the agent profiles are set as follows: |
This section includes the following information:
Section 1.5.1, "Web Agents in the Policy Agent 3.0-04 Release"
Section 1.5.2, "Enhancements and Changes for Web Agents in the Policy Agent 3.0-04 Release"
Section 1.5.3, "Problems Fixed for Web Agents in the Policy Agent 3.0-04 Release"
The version 3.0-04 web agents shown in Table 1-7 are available on My Oracle Support:
To download a version 3.0.0.4 policy agent patch:
Sign in (or register if you are a new user) on the My Oracle Support site:
Click Patches & Updates.
Under Patch Search, click Product or Family (Advanced).
For the search criteria, select:
Product: Oracle OpenSSO
Release: Oracle OpenSSO Policy Agent 3.0
Description: contains 3.0.0.4
Check Exclude superseded patches.
Click Search.
On the Patch Advanced Search Results, scroll down until you find the patch you want by using criteria such as the agent name, platform, and the 32-bit or 64-bit version.
If your search results are on multiple pages, you might need to check the additional pages until you find the patch you want.
Under Patch Name, click the link to initiate the download.
Table 1-7 Patch IDs and Platforms for Web Agents in the Policy Agent 3.0-04 Release
Version 3.0-04 Policy Agent For | Platform | Patch ID |
---|---|---|
Apache HTTP Server 2.2.x | Red Hat Enterprise Linux (RHEL) 4, 32-bit; Microsoft Windows 2003, 32-bit | 144699-04 |
Microsoft Internet Information Services (IIS) 6.0 | Microsoft Windows 2003, 32-bit and 64-bit | 144700-04 |
Microsoft Internet Information Services (IIS) 7.x | Microsoft Windows 2008, 32-bit and 64-bit | 144701-04 |
Oracle iPlanet Web Proxy Server 4.0.x (formerly Sun Java System Web Proxy Server 4.0.x) | Red Hat Enterprise Linux (RHEL) 4 and 5, 32-bit | 144702-04 |
Oracle iPlanet Web Server 7.x (formerly Sun Java System Web Server 7.x) | Oracle Solaris 10 SPARC, 64-bit; Oracle Solaris 10 x86, 64-bit; Red Hat Enterprise Linux (RHEL) 4, 64-bit; Microsoft Windows 2003, 32 bit | 144703-04 |
IBM Domino Server 8.5.2 | Microsoft Windows 2003, 64-bit; Microsoft Windows 2008, 64-bit; IBM AIX 6.1 | 149027-02 |
This release includes the following enhancements and changes:
Section 1.5.2.1, "NSS libraries are upgraded to version 3.14.3"
Section 1.5.2.2, "MD5 hash algorithm is disabled by default"
The NSS libraries for web agents in the Policy Agent 3.0-04 release are upgraded to version 3.14.3.
In Network Security Services (NSS) 3.14.3, support for certificate signatures using the MD5 hash algorithm is disabled by default. Since web agents in the Policy Agent 3.0-04 release are upgraded with NSS 3.14.3 libraries, certificate signatures that use the MD5 hash algorithm will be rejected.
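Before moving an agent to the 3.0-04 release, it helps to know which certificates it will meet are signed with MD5. The following is an added example, not part of the release notes or of any Oracle tool: it reads the outer signatureAlgorithm field of a DER or PEM certificate and flags md5WithRSAEncryption. The function names and the sample inputs (constructed skeletons that carry only the fields the parser reads, not real certificates) are assumptions made for illustration.

```python
import base64

# MD5-based signature algorithm, rejected by default from NSS 3.14.3 on.
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
KNOWN_OIDS = {
    **MD5_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def read_tlv(buf, off):
    """Parse one DER element at off; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    pos = off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, pos, pos + length


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(arc) for arc in head + arcs[1:])


def to_der(data):
    """Accept DER or PEM bytes and return DER."""
    begin = b"-----BEGIN CERTIFICATE-----"
    if begin not in data:
        return data
    body = data.split(begin, 1)[1].split(b"-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode(b"".join(body.split()))


def _expect(der, off, want, what):
    tag, start, end = read_tlv(der, off)
    if tag != want:
        raise ValueError("expected %s, found tag 0x%02x" % (what, tag))
    return start, end


def signature_algorithm_oid(cert):
    """Return the dotted OID of Certificate.signatureAlgorithm."""
    der = to_der(cert)
    start, _ = _expect(der, 0, 0x30, "Certificate SEQUENCE")
    _, tbs_end = _expect(der, start, 0x30, "tbsCertificate")
    alg_start, _ = _expect(der, tbs_end, 0x30, "AlgorithmIdentifier")
    oid_start, oid_end = _expect(der, alg_start, 0x06, "algorithm OID")
    return decode_oid(der[oid_start:oid_end])


def audit(certs):
    """Map each name to (algorithm, rejected_by_nss_default)."""
    report = {}
    for name, data in certs.items():
        oid = signature_algorithm_oid(data)
        report[name] = (KNOWN_OIDS.get(oid, oid), oid in MD5_SIGNATURE_OIDS)
    return report


def _tlv(tag, body):
    """Encode one DER element (used only to build the constructed samples)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body


def _skeleton(oid_hex):
    """Constructed certificate skeleton, not a real certificate."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))      # placeholder tbsCertificate
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 128)  # dummy signature bits
    return _tlv(0x30, tbs + alg + sig)


SAMPLE_MD5 = _skeleton("2a864886f70d010104")
SAMPLE_SHA256 = _skeleton("2a864886f70d01010b")
SAMPLE_MD5_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                  + base64.encodebytes(SAMPLE_MD5)
                  + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    samples = {"legacy.pem": SAMPLE_MD5_PEM, "current.der": SAMPLE_SHA256}
    for name, (algorithm, rejected) in audit(samples).items():
        print(name, algorithm, "REJECTED by NSS default" if rejected else "ok")
```

Run it over every certificate in the chain the agent validates, not only the server's own certificate.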
Table 1-8 describes the bugs fixed in this release.
Table 1-8 Problems Fixed for Web Agents in the Policy Agent 3.0-04 Release
Bug Number | Description |
---|---|
14288146 | Web Proxy Server with agent 3.0-01 crashes in getAllPolicyDecisions after Solaris 10 upgrade from u9 to u10 |
14198837 | Child thread activation delay occurs in agent 3.0-02 for Apache HTTP Server 2.0.x |
13822510 | Agent 3.0-02 for IIS 7.5 causes AJAX page rendering issues |
14760459 | Agent 3.0-03 for Web Server 7.0 cannot failover if the primary OpenSSO virtual IP (VIP) is down |
15851499 | Looping occurs for agent 3.0-03 for Web Server 7.0 when a global virtual IP (VIP) is used for two OpenSSO sites |
14708567 | Agent 3.0-02 for Web Server 7.0 runs out of memory |
16341680 | Agent 3.0-03 for Domino Server crashes when installed on Domino Server 8.5.3 |
16785852 | Agent 3.0-03 for Domino Server 8.5.2 fails to load DSAPI module if Domino is configured for multiple instances |
16813888 | Web Policy agent 3.0-03 throws HTTP 500 error |
16889248 | Domino Server crashes after installing agent 3.0-03 for Domino Server and restarting OpenSSO server |
16212212 | Fixes bug 16212212 |
This section includes the following information:
Enhancements and Changes for Web Agents in the Policy Agent 3.0-03 Release
Problems Fixed for Web Agents in the Policy Agent 3.0-03 Release
For installation information, see Installation of Version 3.0-0x Policy Agents in Patch Releases.
The version 3.0-03 web agents shown in Table 1-9 are available on My Oracle Support:
Table 1-9 Patch IDs for Web Agents in the Policy Agent 3.0-03 Release
Version 3.0-03 Policy Agent For | Patch ID |
---|---|
Apache HTTP Server 2.0.x | 144698-03 |
Apache HTTP Server 2.2.x | 144699-03 |
Microsoft Internet Information Services (IIS) 6.0 | 144700-03 |
Microsoft Internet Information Services (IIS) 7.x | 144701-03 |
Sun Java System Web Proxy Server 4.0.x | 144702-03 |
Sun Java System Web Server 7.0 | 144703-03 |
IBM Domino Server 8.5.2 | 149027-01 |
This release includes the following enhancements and changes:
POST data preservation support added for Web Proxy Server agent
Support for Windows 2008 64-bit is added for the Apache 2.2.x agent
New property is added to support cache control in IIS 7.x Agent
The version 3.0-03 agent for Web Proxy Server 4.0.x now supports POST data preservation. Users can preserve POST data, which is submitted to Web Proxy Server through HTML forms before the users log in to Oracle OpenSSO server.
The Policy Agent 3.0-03 release includes a new web agent for Domino Server 8.5.2. This agent is supported on the following platforms:
Oracle Solaris 10 SPARC 32-bit platform
Microsoft Windows 2003 and Windows 2008, both 32-bit and 64-bit platforms
IBM AIX version 6.1
Red Hat Enterprise Linux (RHEL) 5.5, 32-bit agent on 32-bit Domino Server running on both 32-bit and 64-bit RHEL 5.5
The web agent for Web Proxy Server 4.0.x is now certified on SUSE Linux 10 SP3 64-bit and SUSE Linux 11.1 64-bit for the 32-bit agent on 32-bit Web Proxy Server.
The web agent for Web Server 7.0 is now certified on SUSE Linux 10 SP3 64-bit and SUSE Linux 11.1 64-bit platforms.
The web agent for Apache Server 2.2.x is now certified on the Windows 2008, 64-bit platform for the 32-bit agent on a 32-bit Apache server.
The Policy Agent 3.0-03 release includes the following new property to enable or disable the cache control in the IIS 7.x agent:
com.sun.identity.agents.config.iis7.cache.control.enabled
Values of this property can be:
true - Store and cache static files in the browser.
false (default) - Do not store and cache static files in the browser.
Set this property depending on the location of the agent's configuration repository.
If the repository is local to the agent's host server, add the property to the agent's OpenSSOAgentConfiguration.properties file.
If the agent's configuration repository is centralized, use the OpenSSO Administration Console as follows:
Log in to the OpenSSO Administration Console.
Select Access Control, Realm, Agents, and then Advanced.
Under Custom Properties, add the new property with its corresponding value. For example:
com.sun.identity.agents.config.iis7.cache.control.enabled=true
Click Save.
This new property is hot-swappable, so you do not need to restart the agent's deployment container for the new value to take effect.
Table 1-10 describes the bugs fixed in this release.
Table 1-10 Problems Fixed for Web Agents in the Policy Agent 3.0-03 Release
Bug Number | Description |
---|---|
13693563 | POST data preservation support required for Web Proxy Server 4.0.x |
13703330 | Policy agent for Web Proxy Server 4.0.x posts form submitted as get when session times out |
13577537 | Policy agent for Web Proxy Server 4.0.x support added for SUSE Linux 11 (32-bit) |
13577526 | Policy agent for Web Proxy Server 4.0.x support added for SUSE Linux 11 (64-bit) |
13449568 | Secure cookie for Apache 2.2.X agent is not working with CD SSO enabled |
13419852 | Certification on SUSE Linux 10.x added for Web Proxy Server 4.0.x agent |
13329057 | Certification on SUSE Linux 10.x added for Web Proxy Server 4.0.x and Web Server 7.0 agents |
13079971 | Cache control support added for IIS 7.x agent |
12545649 | Apache 2.0 agent on Windows, installation crypt error |
12305636 | Web Proxy Server 4.0.x does not render logout URL correctly |
The Policy Agent 3.0-02 release currently includes web agents only. This section describes:
Enhancements and Changes for Web Agents in the Policy Agent 3.0-02 Release
Problems Fixed for Web Agents in the Policy Agent 3.0-02 Release
The following version 3.0-02 web agents are available on https://support.oracle.com/.
Table 1-11 Patch IDs for Web Agents in the Policy Agent 3.0-02 Release
Version 3.0-02 Policy Agent For | Patch ID |
---|---|
Apache HTTP Server 2.0.x | 144698-02 |
Apache HTTP Server 2.2.x | 144699-02 |
Microsoft Internet Information Services (IIS) 6.0 | 144700-02 |
Microsoft Internet Information Services (IIS) 7.0 and 7.5 | 144701-02 |
Sun Java System Web Proxy Server 4.0.x | 144702-02 |
Sun Java System Web Server 7.0 | 144703-02 |
CR 6967818: Basic authentication support added for IIS 6.x and IIS 7.x agents
CR 6923788: POST data preservation support added for IIS 7.x agent
CR 6921240: Policy Clock Skew value required for "Stale resource is not removed" fix
In the Policy Agent 3.0-02 release, basic authentication support is implemented for both the IIS 6.x and IIS 7.x agents. With basic authentication, the agent populates the authorization header so that the browser doesn't prompt users for the username and password. This section describes:
Perform the steps in this section for both the IIS 6.x and IIS 7.x agents.
To configure OpenSSO server, follow these steps:
Configure the ReplayPasswd class as a post-authorization plug-in:
Log in to the OpenSSO Administration console.
Click Access Control, realm-name, and then Authentication.
Under General, click Advanced Properties.
Scroll down to the Authentication Post Processing Classes field.
In New Value, enter com.sun.identity.authentication.spi.ReplayPasswd and then click Add.
Click Save.
Generate and set the shared key:
Run the following command to generate a shared key:
java -classpath amserver.jar com.sun.identity.common.DESGenKey
An example of the output is: "Key ==> a+CYxFITqD4="
Note: The location of the amserver.jar file depends on the web container you are using for OpenSSO server.
Log in to the OpenSSO Administration console.
Click Configuration, Servers and Sites, and then the Server Name link.
Click Advanced and then add the com.sun.am.replaypasswd.key property with the key you generated in Step a.
Click Save and log out of the console.
Restart the OpenSSO server.
Before you begin, you must install the version 3.0-02 IIS 6.x agent and define the same user and password pairs on the Windows machine as in OpenSSO server.
To configure an IIS 6.x agent, follow these steps:
In the IIS 6.x manager, open the properties window of the website where the agent is installed.
In the Directory Security tab, edit the Authentication and Access Control.
Select Basic Authentication. All the other check boxes should be unchecked.
In the properties window of the web server, select the ISAPI Filters tab.
Add the Agent Auth Filter. The executable name is PolicyAgent-base\bin\amiis6auth.dll.
For example: C:\Agents\web_agents\iis6_agent\bin\amiis6auth.dll
Set the agent properties depending on the agent configuration.
If you are using centralized agent configuration, set the following properties in the OpenSSO Administration console:
Click Access Control, realm-name, Agents, Web, and then the name of the IIS 6.x agent.
Click Advanced and then under Microsoft IIS Server, enter the following values:
Authentication Type: Basic
Replay Password Key: Key you generated in Configuring OpenSSO Server for Basic Authentication.
Click Save.
If you are using local agent configuration, set the following properties in the OpenSSOAgentConfiguration.properties file:
com.sun.identity.agents.config.iis.auth.type = Basic
com.sun.identity.agents.config.replaypasswd.key = Key you generated in Configuring OpenSSO Server for Basic Authentication
Restart the IIS 6.x server.
Before you begin, you must install the version 3.0-02 IIS 7.x agent and define the same user and password pairs on the Windows machine as in OpenSSO server.
To configure an IIS 7.x agent, follow these steps:
In the IIS 7.x manager, select the website in the left panel and open the Authentication page.
Enable the Basic Authentication. All the other authentications should be disabled.
Set the agent properties depending on the agent configuration.
If you are using centralized agent configuration, set the following properties in the OpenSSO Administration console:
Click Access Control, realm-name, Agents, Web, and then the name of the IIS 7.x agent.
Click Advanced and then under Microsoft IIS Server, enter the following values:
Authentication Type: Basic
Replay Password Key: Key you generated in Configuring OpenSSO Server for Basic Authentication.
Click Save.
If you are using local agent configuration, set the following properties in the OpenSSOAgentConfiguration.properties file:
com.sun.identity.agents.config.iis.auth.type = Basic
com.sun.identity.agents.config.replaypasswd.key = Key you generated in Configuring OpenSSO Server for Basic Authentication
Restart the IIS 7.x server.
The version 3.0-02 agent for IIS 7.x now supports POST data preservation. Users can preserve POST data, which is submitted to IIS 7.x through HTML forms before the users log in to OpenSSO server.
The Policy Agent 3.0-02 release fixes CR 6921240 (stale resource is not removed). However, for all web agents, you must also set the Policy Clock Skew (com.sun.identity.agents.config.policy.clock.skew agent property) to a value greater than zero.
Set the Policy Clock Skew value depending on the agent configuration.
If you are using centralized agent configuration, set the property in the OpenSSO server Administration console:
Click Access Control, realm-name, Agents, Web, and then the name of the IIS agent.
Click OpenSSO Services and then enter a value greater than zero in the Policy Clock Skew field.
Click Save.
If you are using local agent configuration, set the property in the OpenSSOAgentConfiguration.properties file. For example:
com.sun.identity.agents.config.policy.clock.skew=2
Restart the agent's web container.
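With local agent configuration, the Basic authentication settings and the Policy Clock Skew requirement described above can be checked mechanically. The following is an added example, not part of the release notes or of the agent: a small lint for OpenSSOAgentConfiguration.properties that uses only property names from this page. The function names and sample files are constructed for illustration, the parser handles only simple key = value lines, and the 8-byte key length is an assumption drawn from the sample DESGenKey output shown earlier.

```python
import base64
import binascii

PREFIX = "com.sun.identity.agents.config."
AUTH_TYPE = PREFIX + "iis.auth.type"
REPLAY_KEY = PREFIX + "replaypasswd.key"
CLOCK_SKEW = PREFIX + "policy.clock.skew"
CACHE_CONTROL = PREFIX + "iis7.cache.control.enabled"

# Sample key printed in the release notes; it is public, so never deploy it.
DOC_SAMPLE_KEY = "a+CYxFITqD4="
# Assumption: DESGenKey output decodes to 8 bytes, as the sample key does.
EXPECTED_KEY_BYTES = 8


def parse_properties(text):
    """Parse simple 'key = value' lines; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_replay_key(value):
    """Return a problem description for the replay password key, or None."""
    if not value:
        return "Basic authentication is enabled but no replay password key is set"
    if value == DOC_SAMPLE_KEY:
        return "key is the sample value from the documentation; generate a new one"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "key is not valid Base64"
    if len(raw) != EXPECTED_KEY_BYTES:
        return "key decodes to %d bytes, expected %d" % (len(raw), EXPECTED_KEY_BYTES)
    return None


def lint(text):
    """Return a list of (property, problem) findings for a properties file."""
    props = parse_properties(text)
    findings = []
    if props.get(AUTH_TYPE, "").lower() == "basic":
        problem = check_replay_key(props.get(REPLAY_KEY, ""))
        if problem:
            findings.append((REPLAY_KEY, problem))
    # The CR 6921240 fix only takes effect with a skew greater than zero.
    skew = props.get(CLOCK_SKEW, "")
    if not (skew.isdecimal() and int(skew) > 0):
        findings.append((CLOCK_SKEW, "must be set to a value greater than zero"))
    cache = props.get(CACHE_CONTROL)
    if cache is not None and cache not in ("true", "false"):
        findings.append((CACHE_CONTROL, "must be true or false"))
    return findings


# Constructed sample: reuses the documentation key, skew of zero, bad boolean.
WEAK_CONFIG = """\
# constructed sample, local agent configuration
com.sun.identity.agents.config.iis.auth.type = Basic
com.sun.identity.agents.config.replaypasswd.key = a+CYxFITqD4=
com.sun.identity.agents.config.policy.clock.skew = 0
com.sun.identity.agents.config.iis7.cache.control.enabled = yes
"""

# Constructed sample: the key is a placeholder, generate your own with DESGenKey.
FIXED_CONFIG = """\
com.sun.identity.agents.config.iis.auth.type = Basic
com.sun.identity.agents.config.replaypasswd.key = AQIDBAUGBwg=
com.sun.identity.agents.config.policy.clock.skew = 2
com.sun.identity.agents.config.iis7.cache.control.enabled = false
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = lint(text)
        print(label, "OK" if not findings else "")
        for prop, problem in findings:
            print("  %s: %s" % (prop, problem))
```

The replay password key sits in this file in clear text, so the file's access permissions deserve the same review as its contents.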
Table 1-12 Problems Fixed for Web Agents in the Policy Agent 3.0-02 Release
CR Number | Description |
---|---|
6967818 | Basic authentication support added for IIS 6.x and IIS 7.x agents |
6932276 | Possible "Memory Access violation" in agent code, causing the IIS 6.0 agent to hang |
6923788 | Support is added for POST data preservation in IIS 7.x agent |
6967332 | POST data preservation is not working in CDSSO mode for IIS 7 agent |
6965534 | Policy decision is not getting enforced if time on the agent and server machines are not synchronized |
6921240 | Stale resource is not removed for web agents |
6978660 | Remote logging messages are empty in the remote log file on OpenSSO server |
6971977 | Agent redirection issues occur for policies with max session timeout condition |
6977659 | IIS agent gets SAML assertion and returns the protected resource but without a 302 redirect |
6977675 | Resetting cookie to avoid double assertion post is not present or handled |
6827797 | HTTP header corruption occurs when profile attribute map has long URL (title, dn, and uid) |
6972364 | "Invalid Home Directory for Apache Server" error occurs during migration from Apache 2.2 agent |
6804139 | Web agent causes web server to hang if agent's log rotation fails |
The Policy Agent 3.0-02 release now includes Java EE agents. This section describes:
Section 1.8.1, "Java EE Agents in the Policy Agent 3.0-02 Release"
Section 1.8.2, "Enhancements and Changes for Java EE Agents in the Policy Agent 3.0-02 Release"
Section 1.8.3, "Problems Fixed for Java EE Agents in the Policy Agent 3.0-02 Release"
The following version 3.0-02 Java EE agents are available on My Oracle Support:
Table 1-13 Patch IDs for Java EE Agents in the Policy Agent 3.0-02 Release
Version 3.0-02 Policy Agent For | Patch ID |
---|---|
Oracle WebLogic Server 11g Release 1 (10.3.3, 10.3.4, and 10.3.6); Oracle WebLogic Server 10g Release 3 (10.3); BEA WebLogic Server 9.2 and 10.0; BEA WebLogic Portal 9.2, 10.0, and 10.2 | 145385-02 |
Sun GlassFish 2.1, V2 UR1, V2 UR2, and v3; Sun Java System Application Server 8.1, 8.2, 9.0, and 9.1 | 145383-02 |
Apache Tomcat 6.0.x | 145384-02 |
JBoss Application Server 4.x and 5.x | 145382-02 |
IBM WebSphere Application Server 6.1 and 7.0; IBM WebSphere Portal Server 6.1 | 145386-02 |
This section describes the following enhancements and changes:
The version 3.0-02 IBM WebSphere Application Server agent (patch ID 145386-02) is supported on WebSphere Application Server Version 8.0.0.5, with these requirements:
64-bit JVM/JDK on either the Red Hat Enterprise Linux 5.8 or Oracle Enterprise Linux 5.8 platform
Oracle OpenSSO 8.0 Update 2 Patch 5 (patch ID 141655-09)
For more information, see the Oracle OpenSSO 8.0 Update 2 Release Notes.
The version 3.0-02 Java EE agents bundle the latest Oracle OpenSSO Client SDK (openssoclientsdk.jar), which is the same Client SDK version included with Oracle OpenSSO 8.0 Update 2 Patch 5.
Table 1-14 Problems Fixed for Java EE Agents in the Policy Agent 3.0-02 Release
Bug ID | Description |
---|---|
13396442 | Composite advice is not working on WebLogic Server 10.3.4 Policy Agent 3.0-01 in CDSSO mode |
12565502 | J2EE Policy Agent 3.x blocks web container startup if Oracle OpenSSO server is down |
13478808 | J2EE Policy Agent 3.0 getDateHeader method returns exceptions on WebLogic Server 9.2 |
14500703 | J2EE policy agents need to include the latest Oracle OpenSSO client SDK |
The Policy Agent 3.0-01 release includes both Java EE agents and web agents:
Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release
Enhancements and Changes for Java EE Agents in the Policy Agent 3.0-01 Release
Issues and Workarounds for Java EE Agents in the Policy Agent 3.0-01 Release
Problems Fixed for Java EE Agents in the Policy Agent 3.0-01 Release
The following version 3.0-01 Java EE agents are available on https://support.oracle.com/.
Table 1-15 Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release
Version 3.0-01 Policy Agent For | Patch ID |
---|---|
Oracle WebLogic Server 11g Release 1 (10.3.3); Oracle WebLogic Server 10g Release 3 (10.3); Oracle WebLogic Server 9.2 and 10.0; Oracle WebLogic Portal 9.2, 10.0, and 10.2 | 145385-01 |
Sun GlassFish 2.1, V2 UR1, V2 UR2, and v3; Sun Java System Application Server 8.1, 8.2, 9.0, and 9.1 | 145383-01 |
Apache Tomcat 6.0.x | 145384-01 |
JBoss Application Server 4.x and 5.x | 145382-01 |
IBM WebSphere Application Server 6.1 and 7.0; IBM WebSphere Portal Server 6.1 | 145386-01 |
Issue 5633: New property is added to reset session idle time for not-enforced URLs
Issue 6107: JBoss Application Server agent supports custom principal feature
Issue 6108: JBoss Application Server agent redirects to the client's requested URI
Note: Version 3.0 and later Java EE agents require JDK 1.5 or later on the server where you plan to install the agent. Although some web containers such as JBoss Application Server 4.x and Application Server 8.x can run using JDK 1.4, JDK 1.5 or later is required for both the agent web container and the agentadmin program.
The version 3.0-01 Java EE agent for Sun Java System Application Server and GlassFish v2 also supports GlassFish v3. See also Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release.
Version 3.0-01 Java EE agents include the following new property to specify whether the session idle timeout should be reset after a user with a valid session accesses a URL in the not-enforced list:
com.sun.identity.agents.config.notenforced.refresh.session.idletime
Values for this property can be:
true: The session idle time is reset after a user with a valid session accesses a URL in the not-enforced list.
false (default): The session idle time is not reset.
Set this property depending on the location of the agent's configuration repository. If the repository is local to the agent's host server, add the property to the agent's OpenSSOAgentConfiguration.properties file and restart the OpenSSO server instance.
If the agent's configuration repository is centralized, use the OpenSSO Administration Console as follows:
Log in to the OpenSSO Administration Console.
Click Access Control, realm-name, Agents, J2EE, j2ee-agent-name, and then Advanced.
Under Custom Properties, add the new property with its corresponding value.
Click Save.
JBoss Application Server 4.x and 5.x login modules support the custom principal feature, which allows users to specify a custom principal in the JBoss AS configuration. The version 3.0-01 agent for JBoss AS 4.x and 5.x also supports the custom principal feature.
To use this feature, add the following line to the <login-module> element in the JBOSS_HOME/server/default/conf/am-login-config.xml file:
<module-option name = "principalClass">com.sample.CustomPrincipal</module-option>
For example, the <login-module> element should then be as follows:
<login-module code = "com.sun.identity.agents.jboss.v40.AmJBossLoginModule" flag = "required">
  <module-option name = "unauthenticatedIdentity">anonymous</module-option>
  <module-option name = "principalClass">com.sample.CustomPrincipal</module-option>
</login-module>
In this example, com.sample.CustomPrincipal is the custom principal implementation class name. This class must be in the JBoss AS classpath.
If the requested URI is using J2EE_POLICY or ALL filter mode and a user accesses a resource protected with J2EE policies by the version 3.0-01 JBoss AS 4.x and 5.x agent, the user is redirected to the client's requested resource after authentication by OpenSSO 8.0 server. Previously, the user was redirected to the client's home page.
If you run the agentadmin or agentadmin.bat script to install the version 3.0-01 policy agent for IBM WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 using the IBM JDK on systems other than IBM AIX, the installation fails because the script cannot find the IBM JCE provider.
Workaround: Add the following Java options to the agentadmin or agentadmin.bat script and then rerun the installation:
AGENT_OPTS="-DamKeyGenDescriptor.provider=IBMJCE -DamCryptoDescriptor.provider=IBMJCE -DamRandomGenProvider=IBMJCE"
After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1, you cannot access the WebSphere administrative console.
Workaround. In the WebSphere Application Server agent profile, add the WebSphere administrative console URL in the Agent Root URL for CDSSO list, as follows:
Log in to the OpenSSO Administration Console.
Click Access Control, realm-name, Agents, J2EE, and then the j2ee-agent-name.
In Agent Root URL for CDSSO, add the WebSphere administrative console URL.
Click Save.
After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 in cross-domain single sign-on (CDSSO) mode and try to access the administrative console, you are redirected to an incorrect agentapp URL. The URL port is pointing to the admin port instead of the agentapp instance port.
Workaround. In the URL in the browser address bar, manually specify the correct port number for the agentapp instance.
Table 1-16 Problems Fixed for Java EE Agents in the Policy Agent 3.0-01 Release
CR or Issue | Description |
---|---|
6121 | 401 error is returned instead of a 302 error when the client presents an invalid SSO Token |
4461 | Security context exception occurred with JBoss AS agent |
6107 | Custom principal in JBoss AS 4.3 is not working with J2EE agent |
6108 | J2EE Agent 3.0 for JBoss AS does not redirect to client request |
4969 | Tomcat agent J2EE tests are denied when debug level set to error mode |
2779 | J2EE agents should have the |
5008 | GlassFish v3 server fails to start with invalid format error |
5012 | Tomcat 6.0 version 3.0 agent returns error with not-enforced IP list |
5764 | |
4677 | Tomcat 6.0 agent membership removal causes HTTP 403 access denied error |
5197 | Application logout does not clean up sessions |
5744 | Issue with URL pattern matching for port number in J2EE agents |
4959 | HTTPS session binding should be enabled by default in agent profile |
5024 | When not-enforced IP is used, accessing application of declarative security returns configuration error |
5071 | J2EE agent with CDSSO, cookie hijacking, and composite advice has second login issue |
5633 | J2EE agent does not reset session idle time for not-enforced URLs |
5627 | IP Resource condition fails if login URL in agent profile has |
6933534 | Tomcat 6.0 version 3.0 agent classes are not added to |
Enhancements and Changes for Web Agents in the Policy Agent 3.0-01 Release
Problems Fixed for Web Agents in the Policy Agent 3.0-01 Release
The following version 3.0-01 web agents are available on https://support.oracle.com/.
Table 1-17 Patch IDs for Web Agents in the Policy Agent 3.0-01 Release
Version 3.0-01 Policy Agent For | Patch ID |
---|---|
Apache HTTP Server 2.0.x | 144698-01 |
Apache HTTP Server 2.2.x | 144699-01 |
Microsoft Internet Information Services (IIS) 6.0 (supported on Microsoft Windows Server 2003, with separate agents for 32-bit and 64-bit systems) | 144700-01 |
Microsoft Internet Information Services (IIS) 7.0 and 7.5 (supported on Microsoft Windows Server 2008 R2, with separate agents for 32-bit and 64-bit systems) | 144701-01 |
Sun Java System Web Proxy Server 4.0.x | 144702-01 |
Sun Java System Web Server 7.0 | 144703-01 |
CR 6891373: New Properties Support POST Data Preservation With Sticky Sessions
CR 6903850: Wildcard (*) Support Added for Not-Enforced Client IP List
CR 6947499: NSS_STRICT_NOFORK Must be Disabled for Version 3.0-01 Apache Agents
For more information about web agent properties, see the Oracle OpenSSO Policy Agent 3.0 User's Guide for Web Agents.
In the 3.0-01 release, new properties support POST data preservation with sticky sessions configured. If you are using POST data preservation with a load balancer deployed in front of the agent, set the following properties for sticky sessions:
com.sun.am.policy.agents.config.postdata.preserve.stickysession.mode specifies the sticky session mode. The value can be COOKIE if the load balancer uses a cookie to get the sticky session, or URL if the load balancer uses a query parameter in the URL to get the sticky session. For example:
com.sun.am.policy.agents.config.postdata.preserve.stickysession.mode = URL
com.sun.am.policy.agents.config.postdata.preserve.stickysession.value specifies the name and value of the cookie or query parameter used for the sticky session. For example:
com.sun.am.policy.agents.config.postdata.preserve.stickysession.value = AgentID=01
Important: For a sticky session to be set, you must set both of these properties correctly (and not to null).
These new properties are in the OpenSSOAgentConfiguration.properties file. Set these properties depending on the location of your agent's configuration repository. If the repository is local to the agent's host server, edit the agent's OpenSSOAgentConfiguration.properties file.
If the agent's configuration repository is centralized, use the OpenSSO Console:
Log in to the OpenSSO Administration Console.
Click Access Control, realm-name, Agents, Web, web-agent-name, and then Advanced.
Under Custom Properties, add both new properties with their corresponding values.
Click Save.
The policy agent com.sun.identity.agents.config.notenforced.ip property in the OpenSSOAgentConfiguration.properties file now allows the wildcard character (*) to define an IP address. For example:
com.sun.identity.agents.config.notenforced.ip[2] = 192.168.11.*
com.sun.identity.agents.config.notenforced.ip[3] = *.10.10.*
Set this agent property depending on the location of your agent configuration repository. If the repository is centralized on the OpenSSO server, use the OpenSSO Console. If the repository is local to the agent's host server, edit the agent's OpenSSOAgentConfiguration.properties file.
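Because every address on the not-enforced client IP list bypasses policy enforcement, wildcard entries are worth reviewing for how much they exempt. The following audit sketch is an added example, not Oracle's code or the agent's own matching logic: it assumes each * stands for exactly one whole octet (the release notes do not define the semantics), and the sample file content, function names, and the 256-address threshold are constructed for illustration.

```python
import re

# Constructed sample of OpenSSOAgentConfiguration.properties content. Entries
# [2] and [3] are the patterns quoted in the release notes; the rest is made up.
SAMPLE_PROPERTIES = """\
com.sun.identity.agents.config.notenforced.ip[0] = 10.1.2.3
com.sun.identity.agents.config.notenforced.ip[1] =
com.sun.identity.agents.config.notenforced.ip[2] = 192.168.11.*
com.sun.identity.agents.config.notenforced.ip[3] = *.10.10.*
"""

PROP_RE = re.compile(
    r"^\s*com\.sun\.identity\.agents\.config\.notenforced\.ip\[(\d+)\]\s*=\s*(\S*)\s*$")


def parse_patterns(text):
    """Return {index: pattern} for every non-empty not-enforced IP entry."""
    found = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m and m.group(2):
            found[int(m.group(1))] = m.group(2)
    return found


def octets(value):
    """Split an address or pattern into four octets: '*' or an int 0-255."""
    parts = value.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {value!r}")
    out = []
    for part in parts:
        if part == "*":
            out.append("*")
        elif part.isascii() and part.isdigit() and int(part) <= 255:
            out.append(int(part))
        else:
            raise ValueError(f"bad octet {part!r} in {value!r}")
    return out


def matches(pattern, ip):
    """ASSUMPTION: each '*' stands for exactly one whole octet."""
    return all(p == "*" or p == a for p, a in zip(octets(pattern), octets(ip)))


def coverage(pattern):
    """Number of IPv4 addresses the pattern exempts from enforcement."""
    return 256 ** octets(pattern).count("*")


def audit(text, max_addresses=256):
    """Return (index, pattern, reasons) for entries that deserve review."""
    findings = []
    for idx, pattern in sorted(parse_patterns(text).items()):
        reasons = []
        if coverage(pattern) > max_addresses:
            reasons.append(f"covers {coverage(pattern)} addresses")
        if octets(pattern)[0] == "*":
            reasons.append("first octet is a wildcard, so any network can match")
        if reasons:
            findings.append((idx, pattern, reasons))
    return findings
```

Under that assumption, 192.168.11.* stays inside one private /24, while *.10.10.* also matches addresses outside any internal range, which is why the audit flags only the second entry.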
The NSS and NSPR libraries used in the policy agent 3.0-01 release have changed since the version 3.0 agents were released. Therefore, to use the version 3.0-01 Apache HTTP Server 2.0.x or Apache HTTP Server 2.2.x policy agent on any platform, the NSS_STRICT_NOFORK environment variable must be set to DISABLED.
Problems Fixed for the Apache HTTP Server 2.0.x and 2.2.x Agents
Problems Fixed for the Sun Java System Web Proxy Server 4.0.x Agent
Problems Fixed for the Microsoft Internet Information Services (IIS) 6.0 Agent
Problems Fixed for the Microsoft Internet Information Services (IIS) 7.0 Agent
Table 1-18 Problems Fixed For All Web Agents
CR or Issue | Description |
---|---|
1776 | Not-enforced list does not work in special circumstances |
3755 | Non-IP Based Token Restrictions not working with Access Manager 7 and version 3.0 agents |
4755 | Log message sent by Web Server 7.0 2.2 agent has an empty |
4836 | Policy agent should encode special characters in cookies by URL encoding |
4917 | Log a "no policy or action decision found" message at warning level |
5060 | 3.0 Apache agents have issue with agent logout feature |
5155 | Support for x-forwarded-for headers in web agents |
5229 | Expired |
5259 | Cannot use wildcard characters in the path info part of URL in not enforced list |
5266 | In CDSSO mode, corrupted headers are included in the response |
5323 | Web agents remove CDSSO parameters from URL incorrectly |
5413 | Application parameters getting corrupted when CDSSO parameters are removed from the query |
5425 | Composite advice getting duplicated whenever access manager is restarted |
5434 | Apache agent doesn't work properly with |
5453 | Requests with existing |
5538 | Agent crashes web server when setting long value for |
5552 | Policy evaluation fails when the request URL contains query parameters |
5637 | Agent doesn't work due to variable initialization issue |
5666 | Problems when path info is "/" |
6086 | Agent enforce URL case sensitivity during policy evaluation |
6903850 | Provide wildcard (*) support for Not Enforced Client IP List |
6953714 | Agent hangs while fetching policy decision if user session is validated from cache and policy has expired |
6954327 | In CDSSO, double POST issue problem during session upgrade |
6774751 | Access Manager 7.1 protected page is jumbled when session is upgraded |
6959619 | Host name is not set correctly when there is a load balancer in front of the agent |
Table 1-19 Problems Fixed for the Apache HTTP Server 2.0.x and 2.2.x Agents
CR or Issue | Description |
---|---|
4501 | Additional HTTP methods support for version 3.0 Apache agent |
4799 | Some extra information gets printed on protected pages intermittently |
5640 | Attributes headers issue with 3.0 agent on IBM AIX systems |
6947499 | Apache 2.2 agent does not work when SSL enabled |
Table 1-20 Problems Fixed for the Sun Java System Web Server 7.0 Agent
CR or Issue | Description |
---|---|
4688 | Web Server agent notifications not working with protocol and port rewriting |
4815 | Memory corruption with POST data preservation |
4911 | Cookie reset for CDSSO set on incorrect domain |
4934 | Problem with POST data preservation feature in Web Server 7.0 agent |
5207 | Need a sticky cookie for load balancing with POST data preservation |
5218 | POST preservation data feature doesn't work with virtual hosts |
5526 | POST data preservation is not used when PA redirects as a result of composite advice |
5532 | Agent crashes web server when root policy is not found |
5706 | Need sticky session for POST data preservation to use URL |
6937576 | IIS 6.0 and web server agents do not handle overridden URL properly |
6958056 | POST data preservation feature doesn't work with normal FQDN and virtual hosts |
Table 1-21 Problems Fixed for the Sun Java System Web Proxy Server 4.0.x Agent
CR or Issue | Description |
---|---|
4911 | Cookie reset for CDSSO set on incorrect domain |
5680 | Policy agent 2.2-02 on Web Proxy Server 4.0.4 has memory leak |
6937576 | IIS 6.0 and Web Server agents do not handle overridden URL properly |
6953702 | Cannot access CGIs through Web Proxy Server 3.0 agent in CDSSO mode |
Table 1-22 Problems Fixed for the Microsoft Internet Information Services (IIS) 6.0 Agent
CR or Issue | Description |
---|---|
4815 | Memory corruption with POST data preservation |
4816 | Random crashes with IIS 6.0 agent |
5207 | Need a sticky cookie for load balancing with POST data preservation |
5218 | POST preservation data feature doesn't work with virtual hosts |
5526 | POST data preservation is not used when PA redirects as a result of composite advice |
5532 | Agent crashes Web Server when root policy is not found |
5621 | IIS 6.0 agent is not responding with OK message to notifications from server |
5706 | Need sticky session for POST data preservation to use URL |
6929312 | IIS agent: Existing header as |
6937576 | IIS 6.0 and web server agents do not handle overridden URL properly |
6958056 | POST data preservation feature doesn't work with normal FQDN and virtual hosts |
Table 1-23 Problems Fixed for the Microsoft Internet Information Services (IIS) 7.0 Agent
CR or Issue | Description |
---|---|
5621 | IIS 6.0 Agent is not responding with OK message to notifications from server |
6929312 | For IIS 7.0 agent, existing header as |
6937576 | IIS 6.0 and Web Server agents do not handle overridden URL properly |
6956162 | "Object Moved error" with redirects in Policy Agent 3.0 for IIS 7.0 |
6956232 | Policy Agent 3.0 for IIS 7.0 changes ASP.NET session ID |
6955905 | Server problems when cookie reset is enabled in IIS 7.5 |
6934736 | IIS 7.0 agent is not responding with OK message to notifications from server |
A version 3.0-0x policy agent released in a patch requires a full installation. If you have an earlier version 3.0 policy agent already installed, you must uninstall that agent and then reinstall the new version 3.0 agent.
To install a version 3.0-0x policy agent, follow these steps:
If you have an earlier policy agent installed, uninstall the agent by following the instructions in the respective Policy Agent 3.0 guide in this documentation library:
http://docs.oracle.com/cd/E19681-01/index.html
Caution: Before you uninstall the agent, back up your existing agent deployment. For example, for the Apache HTTP Server 2.2.x agent, back up the files under AgentHome/web_agents/apache22_agent, where AgentHome is where you installed the agent.
Create a directory to download the version 3.0-0x patch file.
Download the agent you want to install from My Oracle Support:
In the download directory, unzip the version 3.0-0x patch file.
A patch for an agent contains a README file and separate ZIP files for each platform supported by the specific agent you downloaded.
Unzip the file for your specific platform.
The files and directories required by the specific agent are then available in the following directory:
zip-root/agent-type/agent-name
where:
zip-root is where you unzipped the file.
agent-type is either j2ee_agents or web_agents.
agent-name identifies the specific agent.
Check the README available with the agent for more information about the agent for your specific platform.
Install and configure the version 3.0-0x agent by following the instructions in the respective Policy Agent 3.0 guide.
Note: Version 3.0-0x policy agents require JDK 1.5 or later on the server where you plan to install the agent. Before you run the agentadmin program to install the agent, make sure you have the required JDK installed and then set your JAVA_HOME environment variable to point to the JDK installation directory.
This section describes the following Policy Agent 3.0 documentation errata:
Section 1.11.1, "Restarting OpenSSO server and agents after patch installation"
Section 1.11.2, "Using camel case for com.iplanet.am.session.agentSessionIdleTime parameter"
Section 1.11.4, "Installing the Policy Agent for Oracle WebLogic Server/Portal 10"
The OpenSSO documentation does not mention that after you upgrade (or downgrade) an OpenSSO installation by installing an OpenSSO patch, you must restart the OpenSSO server and all policy agents that you have deployed.
com.iplanet.am.session.agentSessionIdleTime parameter
References in the OpenSSO 8.0 documentation (and the Access Manager 7.1 AMConfig.properties file) show this parameter with all lowercase letters, but that format does not set the idle timeout value for agent sessions.
When you set the idle timeout value, specify the parameter as follows:
com.iplanet.am.session.agentSessionIdleTime
The "Configuring Web Agent Log Rotation" section in the Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for Web Agents (http://docs.oracle.com/cd/E19316-01/820-5816/adtai/index.html) describes local audit log files only. The following sections add new information about debug log files and correct some of the information about audit log files:
Debug log files store troubleshooting information. The debug log files are rotated automatically, because the com.sun.identity.agents.config.debug.file.rotate property is enabled by default.
When this property is not enabled, no log rotation occurs for the debug log files.
The following properties are also related to debug log file rotation:
The value of the following web agent property, which is available in the OpenSSOAgentBootstrap.properties file, indicates the location of the debug log file:
com.sun.identity.agents.config.debug.file
This property is not available in the Oracle OpenSSO Console. Since the agent debug log file is created during agent installation, the location of that file is assigned to the bootstrap file property at that time.
The value of the web agent property labeled Debug Log Rotation Size (Tab: Global, Name: com.sun.identity.agents.config.debug.file.size) indicates the maximum number of bytes the debug log file holds.
You can set this property in the Oracle OpenSSO Console. A new debug log file is created when the current debug log file reaches this size. The debug log file size should be a minimum of 3000 bytes. The default size is 10 megabytes.
The log rotation described in this section refers to logs that store audit-related information locally.
The local logs are not rotated automatically, since by default, the Rotate Local Audit Log property is disabled. When this property is enabled, log rotation occurs for the local log file. (This information is incorrect in the Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for Web Agents.)
The following properties are also related to audit log file rotation:
The value of the following web agent property, which is available in the OpenSSOAgentBootstrap.properties file, indicates the location of the local audit log file:
com.sun.identity.agents.config.local.logfile
This property is not available in the Oracle OpenSSO Console. Since a local audit file is created during agent installation, the location of that file is assigned to the bootstrap file property at that time.
The value of the web agent property labeled Local Audit Log Rotation Size (Tab: Global, Name: com.sun.identity.agents.config.local.log.size) indicates the maximum number of bytes the local audit log file holds. You can set this agent property in the Oracle OpenSSO Console. The default size is 50 megabytes.
The installation instructions in the Policy Agent 3.0 Guide for Oracle WebLogic Server/Portal 10 do not mention the following sequence of steps required to install the version 3.x Java EE agent in a standalone environment with managed servers before you add a PolicyAgentProvider:
Stop the WebLogic Server Administration Server and all managed servers in the standalone environment.
Install the agent.
Start the Administration Server.
Add the PolicyAgentProvider and activate the settings in the Administration Server Console.
Start the managed servers.
The postinstallation instructions in the Policy Agent 3.0 Guide for Oracle WebLogic Server/Portal 10 do not mention the following additional postinstallation steps required for the version 3.x Java EE agent on Oracle WebLogic Server 11g (10.3.6) on a SUSE Linux platform:
Open the WebLogic Server startup file startWebLogic.sh in an editor.
In the startWebLogic.sh file, modify the following line:
Change: securerandom.source=file:/dev/urandom
To: securerandom.source=file:/dev/./urandom
Save the file.