Oracle® OpenSSO Policy Agent 3.0 Release Notes
Release 3.0

E23266-09

1 Oracle OpenSSO Policy Agent 3.0 Release Notes

The Oracle OpenSSO Policy Agent 3.0 Release Notes contain the following information about both Java EE (formerly called J2EE) agents and web agents:

1.1 About Version 3.0 Policy Agents

Version 3.0 Policy Agents are closely integrated with Oracle OpenSSO 8.0 server. For more information, see the following guides:

  • Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for J2EE Agents

  • Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for Web Agents

  • Individual Policy Agent 3.0 guides

The documentation for version 3.0 Policy Agents and Oracle OpenSSO 8.0 server is available in the following library:

http://docs.oracle.com/cd/E19681-01/index.html

1.2 Policy Agent 3.0-07 Release for Web Agents

This section includes the following information:

1.2.1 Web Agents in the Policy Agent 3.0-07 Release

The version 3.0-07 web agents shown in Table 1-1 are available on My Oracle Support.

To download a version 3.0.0.7 policy agent patch:

  1. Sign in (or register if you are a new user) on the My Oracle Support site:

    https://support.oracle.com/

  2. Click Patches & Updates.

  3. Under Patch Search, click Product or Family (Advanced).

  4. For the search criteria, select:

    • Product: Oracle OpenSSO

    • Release: Oracle OpenSSO Policy Agent 3.0

    • Description: contains 3.0.07

  5. Check Exclude superseded patches.

  6. Click Search.

  7. On the Patch Advanced Search Results, scroll down until you find the patch you want by using criteria such as the agent name, platform, and the 32-bit or 64-bit version.

    If your search results are on multiple pages, you might need to check the additional pages until you find the patch you want.

  8. Under Patch Name, click the link to initiate the download.


Note:

In the Policy Agent 3.0-07 release, patches are identified by name or number rather than a patch ID.

Table 1-1 Patch Numbers and Platforms for Web Agents in the Policy Agent 3.0-07 Release

| Version 3.0-07 Policy Agent For | Platform | Patch Name or Number |
|---|---|---|
| Apache 2.2 Agent | Oracle Solaris 10 SPARC, 64-bit | 22665680 |
| Web Server 7.0 | Oracle Solaris 10 SPARC 64 bit | 22665643 |
| IIS 7.x | Windows 2008 64 bit | 22665590 |
| Domino Server 8.5 | AIX 6.1 - 32 bit | 22665727 |
| Domino Server 8.5 | Windows 2008 64 bit | 22665727 |


1.2.2 Enhancements and Changes for Web Agents in the Policy Agent 3.0-07 Release

This release includes the following enhancements and changes:

1.2.2.1 NSS libraries are upgraded to version 3.21

The NSS libraries for web agents in the Policy Agent 3.0-07 release are upgraded to version 3.21.

1.3 Policy Agent 3.0-06 Release for Web Agents

This section includes the following information:

1.3.1 Web Agents in the Policy Agent 3.0-06 Release

The version 3.0-06 web agents shown in Table 1-2 are available on My Oracle Support.

To download a version 3.0.0.6 policy agent patch:

  1. Sign in (or register if you are a new user) on the My Oracle Support site:

    https://support.oracle.com/

  2. Click Patches & Updates.

  3. Under Patch Search, click Product or Family (Advanced).

  4. For the search criteria, select:

    • Product: Oracle OpenSSO

    • Release: Oracle OpenSSO Policy Agent 3.0

    • Description: contains 3.0.06

  5. Check Exclude superseded patches.

  6. Click Search.

  7. On the Patch Advanced Search Results, scroll down until you find the patch you want by using criteria such as the agent name, platform, and the 32-bit or 64-bit version.

    If your search results are on multiple pages, you might need to check the additional pages until you find the patch you want.

  8. Under Patch Name, click the link to initiate the download.


Note:

In the Policy Agent 3.0-06 release, patches are identified by name or number rather than a patch ID.

Table 1-2 Patch Numbers and Platforms for Web Agents in the Policy Agent 3.0-06 Release

| Version 3.0-06 Policy Agent For | Platform | Patch Name or Number |
|---|---|---|
| Apache HTTP Server 2.2.x | Oracle Solaris 10 SPARC, 64-bit | 21073037 |
| Microsoft Internet Information Services (IIS) 7.x | Microsoft Windows 2008, 64-bit | 21073097 |
| Oracle iPlanet Web Server 7.x (formerly Sun Java System Web Server 7.x) | Oracle Solaris 10 SPARC, 64-bit | 21073067 |
| IBM Domino Server 8.5.2 | Microsoft Windows 2008, 64-bit; IBM AIX 6.1, 32-bit | 21073122 |


1.3.2 Enhancements and Changes for Web Agents in the Policy Agent 3.0-06 Release

This release includes the following enhancements and changes:

1.3.2.1 NSS libraries are upgraded to version 3.17.4

The NSS libraries for web agents in the Policy Agent 3.0-06 release are upgraded to version 3.17.4.

1.3.3 Problems Fixed for Web Agents in the Policy Agent 3.0-06 Release

Table 1-3 describes the bugs fixed in this release.

Table 1-3 Problems Fixed for Web Agents in the Policy Agent 3.0-06 Release

| Bug Number | Description |
|---|---|
| 20597364 | NSS libraries are upgraded to version 3.17.4 |
| 19244710 | Version 3.0-03 Apache 2.2 agent doesn't refresh stale policies and returns error 403 |
| 16175478 | Domino Server crashes when profile, session fetch.mode=HTTP_COOKIE & response fetch.mode=HTTP_HEADER |
| 19361696 | Domino Server crashes when profile fetch.mode=HTTP_HEADER & session fetch.mode=HTTP_COOKIE |
| 20251403 | For version 3.0-05 Web Server 7.x agent, delay occurs before redirecting to second level of authentication when POST data preservation is used with composite advice |
| 18401874 | Version 3.0-04 agent for Domino 8.5.2 on Windows 2003 64-bit returns "Error while iterating over the header values: buffer too small" in amAgent debug file |
| 19874737 | IIS agents should not require Host header as per HTTP/1.0 specification |
| 14096674 | For version 3.0-03 Web Proxy Server agent, delay occurs before redirecting to second level of authentication when POST data preservation is used with composite advice |
| 18600536 | Fix for bug 18600526 |


1.4 Policy Agent 3.0-05 Release for Web Agents

This section includes the following information:

1.4.1 Web Agents in the Policy Agent 3.0-05 Release

The version 3.0-05 web agents shown in Table 1-4 are available on My Oracle Support.

To download a version 3.0.0.5 policy agent patch:

  1. Sign in (or register if you are a new user) on the My Oracle Support site:

    https://support.oracle.com/

  2. Click Patches & Updates.

  3. Under Patch Search, click Product or Family (Advanced).

  4. For the search criteria, select:

    • Product: Oracle OpenSSO

    • Release: Oracle OpenSSO Policy Agent 3.0

    • Description: contains 3.0.0.5

  5. Check Exclude superseded patches.

  6. Click Search.

  7. On the Patch Advanced Search Results, scroll down until you find the patch you want by using criteria such as the agent name, platform, and the 32-bit or 64-bit version.

    If your search results are on multiple pages, you might need to check the additional pages until you find the patch you want.

  8. Under Patch Name, click the link to initiate the download.

Table 1-4 Patch IDs and Platforms for Web Agents in the Policy Agent 3.0-05 Release

| Version 3.0-05 Policy Agent For | Platform | Patch ID |
|---|---|---|
| Apache HTTP Server 2.2.x | Red Hat Enterprise Linux (RHEL) 4, 32-bit and 64-bit; Microsoft Windows 2003, 32-bit; Oracle Solaris 10 SPARC, 64-bit | 144699-05 |
| Microsoft Internet Information Services (IIS) 6.x | Microsoft Windows 2003, 32-bit and 64-bit | 144700-05 |
| Microsoft Internet Information Services (IIS) 7.x | Microsoft Windows 2008, 32-bit and 64-bit | 144701-05 |
| Oracle iPlanet Web Server 7.x (formerly Sun Java System Web Server 7.x) | Oracle Solaris 10 SPARC, 32-bit and 64-bit; Oracle Solaris 10 x86, 64-bit; Red Hat Enterprise Linux (RHEL) 4, 64-bit; Microsoft Windows 2003, 32 bit | 144703-05 |
| IBM Domino Server 8.5.2 | Microsoft Windows 2003, 64-bit; Microsoft Windows 2008, 64-bit; IBM AIX 6.1 | 149027-03 |


1.4.2 Enhancements and Changes for Web Agents in the Policy Agent 3.0-05 Release

This release includes the following enhancements and changes:

1.4.2.1 NSS libraries are upgraded to version 3.16

The NSS libraries for web agents in the Policy Agent 3.0-05 release are upgraded to version 3.16.


Note:

When running the version 3.0-05 Domino Server web agent in SSL mode with the version 3.16 NSS libraries, the following message is displayed on the Domino Server console:

    SSLDisableExportCiphers> Server key (1024 bits) too strong for
    EXPORT ciphers. Disabling cipher RSA_EXPORT_WITH_RC4_40_MD5

This message is for information only, and no action is required. The explanation for this message is:

This is to make SSL more standards compliant. Disabling weak ciphers is the right thing to do when the server key is strong. Using export-grade ciphers with an RSA server key stronger than 512-bits is explicitly prohibited in the SSL v3 and TLS specifications.


1.4.2.2 New supported platforms are added for web agents

The following new supported platforms are added in the Policy Agent 3.0-05 release:

  • Apache HTTP Server 2.2.x agent:

    • Oracle Solaris 10 SPARC, 64-bit

    • Red Hat Enterprise Linux (RHEL) 4, 64-bit

  • Oracle iPlanet Web Server 7.x (formerly Sun Java System Web Server 7.x) agent:

    • Oracle Solaris 10 SPARC, 32-bit

For a list of all supported platforms, see Table 1-4, "Patch IDs and Platforms for Web Agents in the Policy Agent 3.0-05 Release".

1.4.3 Problems Fixed for Web Agents in the Policy Agent 3.0-05 Release

Table 1-5 describes the bugs fixed in this release.

Table 1-5 Problems Fixed for Web Agents in the Policy Agent 3.0-05 Release

| Bug Number | Description |
|---|---|
| 18385564 | IIS 7.0 agent install for one website affects other websites in multi-site setup |
| 18508682 | IIS 7.0 agent uninstall in a multi-site environment uninstalls all other agents |
| 18276350 | NSS libraries are upgraded to version 3.16. See Section 1.4.2, "Enhancements and Changes for Web Agents in the Policy Agent 3.0-05 Release." |


1.4.4 Known Issues for Web Agents in the Policy Agent 3.0-05 Release

Table 1-6 describes the known issues in this release.

Table 1-6 Known Issues for Web Agents in the Policy Agent 3.0-05 Release

| Bug Number | Description |
|---|---|
| 19243036 | The Apache 2.2 web agent version information shows twice in the amAgent debug file. |
| 19360542 | In a multi-site environment, the IIS 7.0 agent is not getting installed on some of the sites. |
| 19361209 | Access Denied (error 403) occurs for the Apache 2.2 agent when the cache object goes stale. |
| 19361696 | Domino Server crashes for the 64-bit Domino agent on 64-bit Windows 2008 systems when the agent profiles are set as follows: profile fetch.mode=HTTP_HEADER & session fetch.mode=HTTP_COOKIE; or profile,session fetch.mode=HTTP_COOKIE & response fetch.mode=HTTP_HEADER; or profile,response fetch.mode=HTTP_COOKIE & session fetch.mode=HTTP_HEADER |


1.5 Policy Agent 3.0-04 Release for Web Agents

This section includes the following information:

1.5.1 Web Agents in the Policy Agent 3.0-04 Release

The version 3.0-04 web agents shown in Table 1-7 are available on My Oracle Support:

https://support.oracle.com/

To download a version 3.0.0.4 policy agent patch:

  1. Sign in (or register if you are a new user) on the My Oracle Support site:

    https://support.oracle.com/

  2. Click Patches & Updates.

  3. Under Patch Search, click Product or Family (Advanced).

  4. For the search criteria, select:

    • Product: Oracle OpenSSO

    • Release: Oracle OpenSSO Policy Agent 3.0

    • Description: contains 3.0.0.4

  5. Check Exclude superseded patches.

  6. Click Search.

  7. On the Patch Advanced Search Results, scroll down until you find the patch you want by using criteria such as the agent name, platform, and the 32-bit or 64-bit version.

    If your search results are on multiple pages, you might need to check the additional pages until you find the patch you want.

  8. Under Patch Name, click the link to initiate the download.

Table 1-7 Patch IDs and Platforms for Web Agents in the Policy Agent 3.0-04 Release

| Version 3.0-04 Policy Agent For | Platform | Patch ID |
|---|---|---|
| Apache HTTP Server 2.2.x | Red Hat Enterprise Linux (RHEL) 4, 32-bit; Microsoft Windows 2003, 32-bit | 144699-04 |
| Microsoft Internet Information Services (IIS) 6.0 | Microsoft Windows 2003, 32-bit and 64-bit | 144700-04 |
| Microsoft Internet Information Services (IIS) 7.x | Microsoft Windows 2008, 32-bit and 64-bit | 144701-04 |
| Oracle iPlanet Web Proxy Server 4.0.x (formerly Sun Java System Web Proxy Server 4.0.x) | Red Hat Enterprise Linux (RHEL) 4 and 5, 32-bit | 144702-04 |
| Oracle iPlanet Web Server 7.x (formerly Sun Java System Web Server 7.x) | Oracle Solaris 10 SPARC, 64-bit; Oracle Solaris 10 x86, 64-bit; Red Hat Enterprise Linux (RHEL) 4, 64-bit; Microsoft Windows 2003, 32 bit | 144703-04 |
| IBM Domino Server 8.5.2 | Microsoft Windows 2003, 64-bit; Microsoft Windows 2008, 64-bit; IBM AIX 6.1 | 149027-02 |


1.5.2 Enhancements and Changes for Web Agents in the Policy Agent 3.0-04 Release

This release includes the following enhancements and changes:

1.5.2.1 NSS libraries are upgraded to version 3.14.3

The NSS libraries for web agents in the Policy Agent 3.0-04 release are upgraded to version 3.14.3.

1.5.2.2 MD5 hash algorithm is disabled by default

In Network Security Services (NSS) 3.14.3, support for certificate signatures using the MD5 hash algorithm is disabled by default. Since web agents in the Policy Agent 3.0-04 release are upgraded with NSS 3.14.3 libraries, certificate signatures that use the MD5 hash algorithm will be rejected.
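
One way to check, before moving to the 3.0-04 agent, whether a certificate the agent must validate carries an MD5-based signature. This is an added example, not Oracle's tooling; it assumes the certificates are available as PEM files and that the `openssl` command is installed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not part of the release notes): flag certificates whose
# signature algorithm is MD5-based, which NSS 3.14.3 rejects by default.

# Print the first "Signature Algorithm:" value found in
# `openssl x509 -noout -text` output read from stdin.
sig_alg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Succeed (status 0) when the algorithm name is MD5-based. The match is
# case-insensitive so it covers the OpenSSL spelling (md5WithRSAEncryption)
# and the NSS certutil spelling (PKCS #1 MD5 With RSA Encryption).
is_md5_sig() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *md5*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Check every PEM file passed as an argument and print one line per file.
# Returns 1 if at least one MD5-signed certificate was found.
# Note: openssl x509 reads only the first certificate in a file, so split
# chain bundles into one file per certificate before scanning.
scan_certs() {
    found=0
    for pem in "$@"; do
        alg=$(openssl x509 -in "$pem" -noout -text 2>/dev/null | sig_alg_from_text)
        if [ -z "$alg" ]; then
            echo "SKIP  $pem (no readable certificate)"
        elif is_md5_sig "$alg"; then
            echo "MD5   $pem ($alg)"
            found=1
        else
            echo "OK    $pem ($alg)"
        fi
    done
    return "$found"
}

# Constructed sample: the relevant lines of `openssl x509 -text` output for
# a certificate signed with MD5 (not taken from a real certificate).
SAMPLE_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Example Test CA
'

# Usage: sh check_md5_certs.sh server.pem intermediate.pem ...
if [ "$#" -gt 0 ]; then
    scan_certs "$@"
fi
```

Run it against the server certificate and each intermediate certificate used by the OpenSSO server and any other SSL endpoint the agent connects to.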

1.5.3 Problems Fixed for Web Agents in the Policy Agent 3.0-04 Release

Table 1-8 describes the bugs fixed in this release.

Table 1-8 Problems Fixed for Web Agents in the Policy Agent 3.0-04 Release

| Bug Number | Description |
|---|---|
| 14288146 | Web Proxy Server with agent 3.0-01 crashes in getAllPolicyDecisions after Solaris 10 upgrade from u9 to u10 |
| 14198837 | Child thread activation delay occurs in agent 3.0-02 for Apache HTTP Server 2.0.x |
| 13822510 | Agent 3.0-02 for IIS 7.5 causes AJAX page rendering issues |
| 14760459 | Agent 3.0-03 for Web Server 7.0 cannot failover if the primary OpenSSO virtual IP (VIP) is down |
| 15851499 | Looping occurs for agent 3.0-03 for Web Server 7.0 when a global virtual IP (VIP) is used for two OpenSSO sites |
| 14708567 | Agent 3.0-02 for Web Server 7.0 runs out of memory |
| 16341680 | Agent 3.0-03 for Domino Server crashes when installed on Domino Server 8.5.3 |
| 16785852 | Agent 3.0-03 for Domino Server 8.5.2 fails to load DSAPI module if Domino is configured for multiple instances |
| 16813888 | Web Policy agent 3.0-03 throws HTTP 500 error |
| 16889248 | Domino Server crashes after installing agent 3.0-03 for Domino Server and restarting OpenSSO server |
| 16212212 | Fixes bug 16212212 |


1.6 Policy Agent 3.0-03 Release for Web Agents

This section includes the following information:

For installation information, see Installation of Version 3.0-0x Policy Agents in Patch Releases.

1.6.1 Web Agents in the Policy Agent 3.0-03 Release

The version 3.0-03 web agents shown in Table 1-9 are available on My Oracle Support:

https://support.oracle.com/

Table 1-9 Patch IDs for Web Agents in the Policy Agent 3.0-03 Release

| Version 3.0-03 Policy Agent For | Patch ID |
|---|---|
| Apache HTTP Server 2.0.x | 144698-03 |
| Apache HTTP Server 2.2.x | 144699-03 |
| Microsoft Internet Information Services (IIS) 6.0 | 144700-03 |
| Microsoft Internet Information Services (IIS) 7.x | 144701-03 |
| Sun Java System Web Proxy Server 4.0.x | 144702-03 |
| Sun Java System Web Server 7.0 | 144703-03 |
| IBM Domino Server 8.5.2 | 149027-01 |


1.6.2 Enhancements and Changes for Web Agents in the Policy Agent 3.0-03 Release

This release includes the following enhancements and changes:

1.6.2.1 POST data preservation support added for Web Proxy Server agent

The version 3.0-03 agent for Web Proxy Server 4.0.x now supports POST data preservation. Users can preserve POST data, which is submitted to Web Proxy Server through HTML forms before the users log in to Oracle OpenSSO server.

1.6.2.2 Web agent is now supported for Domino Server 8.5.2

The Policy Agent 3.0-03 release includes a new web agent for Domino Server 8.5.2. This agent is supported on the following platforms:

  • Oracle Solaris 10 SPARC 32-bit platform

  • Microsoft Windows 2003 and Windows 2008, both 32-bit and 64-bit platforms

  • IBM AIX version 6.1

  • Red Hat Enterprise Linux (RHEL) 5.5, 32-bit agent on 32-bit Domino Server running on both 32-bit and 64-bit RHEL 5.5

1.6.2.3 Support for SUSE Linux 10.3 and SUSE Linux 11.1 64-bit is added for Web Proxy Server and Web Server agents

The web agent for Web Proxy Server 4.0.x is now certified on SUSE Linux 10 SP3 64-bit and SUSE Linux 11.1 64-bit for the 32-bit agent on 32-bit Web Proxy Server.

The web agent for Web Server 7.0 is now certified on SUSE Linux 10 SP3 64-bit and SUSE Linux 11.1 64-bit platforms.

1.6.2.4 Support for Windows 2008 64-bit is added for the Apache 2.2.x agent

The web agent for Apache Server 2.2.x is now certified on the Windows 2008, 64-bit platform for the 32-bit agent on a 32-bit Apache server.

1.6.2.5 New property is added to support cache control in IIS 7.x Agent

The Policy Agent 3.0-03 release includes the following new property to enable or disable the cache control in the IIS 7.x agent:

com.sun.identity.agents.config.iis7.cache.control.enabled

Values of this property can be:

  • true - Store and cache static files in the browser.

  • false (default) - Do not store and cache static files in the browser.

Set this property depending on the location of the agent's configuration repository.

If the repository is local to the agent's host server, add the property to the agent's OpenSSOAgentConfiguration.properties file.

If the agent's configuration repository is centralized, use the OpenSSO Administration Console as follows:

  1. Log in to the OpenSSO Administration Console.

  2. Select Access Control, Realm, Agents, and then Advanced.

  3. Under Custom Properties, add the new property with its corresponding value. For example:

    com.sun.identity.agents.config.iis7.cache.control.enabled=true
    
  4. Click Save.

This new property is hot-swappable, so you do not need to restart the agent's deployment container for the new value to take effect.

1.6.3 Problems Fixed for Web Agents in the Policy Agent 3.0-03 Release

Table 1-10 describes the bugs fixed in this release.

Table 1-10 Problems Fixed for Web Agents in the Policy Agent 3.0-03 Release

| Bug Number | Description |
|---|---|
| 13693563 | POST data preservation support required for Web Proxy Server 4.0.x |
| 13703330 | Policy agent for Web Proxy Server 4.0.x posts form submitted as get when session times out |
| 13577537 | Policy agent for Web Proxy Server 4.0.x support added for SUSE Linux 11 (32-bit) |
| 13577526 | Policy agent for Web Proxy Server 4.0.x support added for SUSE Linux 11 (64-bit) |
| 13449568 | Secure cookie for Apache 2.2.X agent is not working with CD SSO enabled |
| 13419852 | Certification on SUSE Linux 10.x added for Web Proxy Server 4.0.x agent |
| 13329057 | Certification on SUSE Linux 10.x added for Web Proxy Server 4.0.x and Web Server 7.0 agents |
| 13079971 | Cache control support added for IIS 7.x agent |
| 12545649 | Apache 2.0 agent on Windows, installation crypt error |
| 12305636 | Web Proxy Server 4.0.x does not render logout URL correctly |


1.7 Policy Agent 3.0-02 Release for Web Agents

The Policy Agent 3.0-02 release currently includes web agents only. This section describes:

1.7.1 Web Agents in the Policy Agent 3.0-02 Release

The following version 3.0-02 web agents are available on https://support.oracle.com/.

Table 1-11 Patch IDs for Web Agents in the Policy Agent 3.0-02 Release

| Version 3.0-02 Policy Agent For | Patch ID |
|---|---|
| Apache HTTP Server 2.0.x | 144698-02 |
| Apache HTTP Server 2.2.x | 144699-02 |
| Microsoft Internet Information Services (IIS) 6.0 | 144700-02 |
| Microsoft Internet Information Services (IIS) 7.0 and 7.5 | 144701-02 |
| Sun Java System Web Proxy Server 4.0.x | 144702-02 |
| Sun Java System Web Server 7.0 | 144703-02 |


1.7.2 Enhancements and Changes for Web Agents in the Policy Agent 3.0-02 Release

1.7.2.1 CR 6967818: Basic authentication support added for IIS 6.x and IIS 7.x agents

In the Policy Agent 3.0-02 release, basic authentication support is implemented for both the IIS 6.x and IIS 7.x agents. With basic authentication, the agent populates the authorization header so that the browser doesn't prompt users for the username and password. This section describes:

1.7.2.1.1 Configuring OpenSSO Server for Basic Authentication

Perform the steps in this section for both the IIS 6.x and IIS 7.x agents.

To configure OpenSSO server, follow these steps:

  1. Configure the ReplayPasswd class as a post-authorization plug-in:

    1. Log in to the OpenSSO Administration console.

    2. Click Access Control, realm-name, and then Authentication.

    3. Under General, click Advanced Properties.

    4. Scroll down to the Authentication Post Processing Classes field.

    5. In New Value, enter com.sun.identity.authentication.spi.ReplayPasswd and then click Add.

    6. Click Save.

  2. Generate and set the shared key:

    1. Run the following command to generate a shared key:

      java -classpath amserver.jar com.sun.identity.common.DESGenKey

      An example of the output is: "Key ==> a+CYxFITqD4="

      Note: The location of the amserver.jar file depends on the web container you are using for OpenSSO server.

    2. Log in to the OpenSSO Administration console.

    3. Click Configuration, Servers and Sites, and then the Server Name link.

    4. Click Advanced and then add the com.sun.am.replaypasswd.key property with the key you generated in the first substep of this step (the DESGenKey command).

    5. Click Save and log out of the console.

  3. Restart the OpenSSO server.

1.7.2.1.2 Configuring an IIS 6.x Agent for Basic Authentication

Before you begin, you must install the version 3.0-02 IIS 6.x agent and define the same user and password pairs on the Windows machine as in OpenSSO server.

To configure an IIS 6.x agent, follow these steps:

  1. In the IIS 6.x manager, open the properties window of the website where the agent is installed.

  2. In the Directory Security tab, edit the Authentication and Access Control.

  3. Select Basic Authentication. All the other check boxes should be unchecked.

  4. In the properties window of the web server, select the ISAPI Filters tab.

  5. Add the Agent Auth Filter. The executable name is PolicyAgent-base\bin\amiis6auth.dll.

    For example: C:\Agents\web_agents\iis6_agent\bin\amiis6auth.dll

  6. Set the agent properties depending on the agent configuration.

    If you are using centralized agent configuration, set the following properties in the OpenSSO Administration console:

    1. Click Access Control, realm-name, Agents, Web, and then the name of the IIS 6.x agent.

    2. Click Advanced and then under Microsoft IIS Server, enter the following values:

    3. Click Save.

    If you are using local agent configuration, set the following properties in the OpenSSOAgentConfiguration.properties file:

  7. Restart the IIS 6.x server.

1.7.2.1.3 Configuring an IIS 7.x Agent for Basic Authentication

Before you begin, you must install the version 3.0-02 IIS 7.x agent and define the same user and password pairs on the Windows machine as in OpenSSO server.

To configure an IIS 7.x agent, follow these steps:

  1. In the IIS 7.x manager, select the website in the left panel and open the Authentication page.

  2. Enable the Basic Authentication. All the other authentications should be disabled.

  3. Set the agent properties depending on the agent configuration.

    If you are using centralized agent configuration, set the following properties in the OpenSSO Administration console:

    1. Click Access Control, realm-name, Agents, Web, and then the name of the IIS 7.x agent.

    2. Click Advanced and then under Microsoft IIS Server, enter the following values:

    3. Click Save.

    If you are using local agent configuration, set the following properties in the OpenSSOAgentConfiguration.properties file:

  4. Restart the IIS 7.x server.

1.7.2.2 CR 6923788: POST data preservation support added for IIS 7.x agent

The version 3.0-02 agent for IIS 7.x now supports POST data preservation. Users can preserve POST data, which is submitted to IIS 7.x through HTML forms before the users log in to OpenSSO server.

1.7.2.3 CR 6921240: Policy Clock Skew value required for "Stale resource is not removed" fix

The Policy Agent 3.0-02 release fixes CR 6921240 (stale resource is not removed). However, for all web agents, you must also set the Policy Clock Skew (com.sun.identity.agents.config.policy.clock.skew agent property) to a value greater than zero.

  1. Set the Policy Clock Skew value depending on the agent configuration.

    If you are using centralized agent configuration, set the property in the OpenSSO server Administration console:

    1. Click Access Control, realm-name, Agents, Web, and then the name of the IIS agent.

    2. Click OpenSSO Services and then enter a value greater than zero in the Policy Clock Skew field.

    3. Click Save.

    If you are using local agent configuration, set the property in the OpenSSOAgentConfiguration.properties file. For example:

    com.sun.identity.agents.config.policy.clock.skew=2

  2. Restart the agent's web container.
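
For agents that use local configuration, the Policy Clock Skew requirement above can be verified with a small check of the properties file. This is an added example, not Oracle's tooling; the function names and the choice to treat an unset property as a failure are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the release notes): verify that a local
# OpenSSOAgentConfiguration.properties file sets the Policy Clock Skew to a
# value greater than zero, as the CR 6921240 fix requires.

SKEW_KEY=com.sun.identity.agents.config.policy.clock.skew

# Print the value of property $2 from the Java-style properties file $1.
# Accepts "key=value", "key = value" and "key: value", skips lines that
# start with # or !, strips a trailing CR (files edited on Windows), and
# lets the last definition win. Exits with status 1 if the key is absent.
get_prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /[ \t]*[=:][ \t]*/) == 0) next
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# Return 0 only when the clock skew property is present and is an integer
# greater than zero. An unset property is reported as a failure
# (assumption of this example, following the "must also set" wording above).
check_clock_skew() {
    if [ ! -r "$1" ]; then
        echo "FAIL: cannot read $1"
        return 2
    fi
    skew=$(get_prop "$1" "$SKEW_KEY") || {
        echo "FAIL: $SKEW_KEY is not set in $1"
        return 1
    }
    case "$skew" in
        ''|*[!0-9]*)
            echo "FAIL: $SKEW_KEY=$skew is not a non-negative integer"
            return 1 ;;
    esac
    if [ "$skew" -gt 0 ]; then
        echo "OK: $SKEW_KEY=$skew"
        return 0
    fi
    echo "FAIL: $SKEW_KEY=$skew must be greater than zero"
    return 1
}

# Usage: sh check_clock_skew.sh /path/to/OpenSSOAgentConfiguration.properties
if [ "$#" -gt 0 ]; then
    check_clock_skew "$1"
fi
```

Agents that use centralized configuration keep this value on the OpenSSO server, so this file check does not apply to them.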

1.7.3 Problems Fixed for Web Agents in the Policy Agent 3.0-02 Release

Table 1-12 Problems Fixed for Web Agents in the Policy Agent 3.0-02 Release

| CR Number | Description |
|---|---|
| 6967818 | Basic authentication support added for IIS 6.x and IIS 7.x agents |
| 6932276 | Possible "Memory Access violation" in agent code, causing the IIS 6.0 agent to hang |
| 6923788 | Support is added for POST data preservation in IIS 7.x agent |
| 6967332 | POST data preservation is not working in CDSSO mode for IIS 7 agent |
| 6965534 | Policy decision is not getting enforced if time on the agent and server machines are not synchronized |
| 6921240 | Stale resource is not removed for web agents |
| 6978660 | Remote logging messages are empty in the remote log file on OpenSSO server |
| 6971977 | Agent redirection issues occur for policies with max session timeout condition |
| 6977659 | IIS agent gets SAML assertion and returns the protected resource but without a 302 redirect |
| 6977675 | Resetting cookie to avoid double assertion post is not present or handled |
| 6827797 | HTTP header corruption occurs when profile attribute map has long URL (title, dn, and uid) |
| 6972364 | "Invalid Home Directory for Apache Server" error occurs during migration from Apache 2.2 agent |
| 6804139 | Web agent causes web server to hang if agent's log rotation fails |


1.8 Policy Agent 3.0-02 Release for Java EE Agents

The Policy Agent 3.0-02 release now includes Java EE agents. This section describes:

1.8.1 Java EE Agents in the Policy Agent 3.0-02 Release

The following version 3.0-02 Java EE agents are available on My Oracle Support:

https://support.oracle.com/

Table 1-13 Patch IDs for Java EE Agents in the Policy Agent 3.0-02 Release

| Version 3.0-02 Policy Agent For | Patch ID |
|---|---|
| Oracle WebLogic Server 11g Release 1 (10.3.3, 10.3.4, and 10.3.6); Oracle WebLogic Server 10g Release 3 (10.3); BEA WebLogic Server 9.2 and 10.0; BEA WebLogic Portal 9.2, 10.0, and 10.2 | 145385-02 |
| Sun GlassFish 2.1, V2 UR1, V2 UR2, and v3; Sun Java System Application Server 8.1, 8.2, 9.0, and 9.1 | 145383-02 |
| Apache Tomcat 6.0.x | 145384-02 |
| JBoss Application Server 4.x and 5.x | 145382-02 |
| IBM WebSphere Application Server 6.1 and 7.0; IBM WebSphere Portal Server 6.1 | 145386-02 |


1.8.2 Enhancements and Changes for Java EE Agents in the Policy Agent 3.0-02 Release

This section describes the following enhancements and changes:

1.8.2.1 Support for IBM WebSphere Application Server Version 8.0.0.5

The version 3.0-02 IBM WebSphere Application Server agent (patch ID 145386-02) is supported on WebSphere Application Server Version 8.0.0.5, with these requirements:

  • 64-bit JVM/JDK on either the Red Hat Enterprise Linux 5.8 or Oracle Enterprise Linux 5.8 platform

  • Oracle OpenSSO 8.0 Update 2 Patch 5 (patch ID 141655-09)

    For more information, see the Oracle OpenSSO 8.0 Update 2 Release Notes.

1.8.2.2 Bundled Oracle OpenSSO Client SDK

The version 3.0-02 Java EE agents bundle the latest Oracle OpenSSO Client SDK (openssoclientsdk.jar), which is the same Client SDK version included with Oracle OpenSSO 8.0 Update 2 Patch 5.

1.8.3 Problems Fixed for Java EE Agents in the Policy Agent 3.0-02 Release

Table 1-14 Problems Fixed for Java EE Agents in the Policy Agent 3.0-02 Release

| Bug ID | Description |
|---|---|
| 13396442 | Composite advice is not working on WebLogic Server 10.3.4 Policy Agent 3.0-01 in CDSSO mode |
| 12565502 | J2EE Policy Agent 3.x blocks web container startup if Oracle OpenSSO server is down |
| 13478808 | J2EE Policy Agent 3.0 getDateHeader method returns exceptions on WebLogic Server 9.2 |
| 14500703 | J2EE policy agents need to include the latest Oracle OpenSSO client SDK |


1.9 Policy Agent 3.0-01 Release for Java EE and Web Agents

The Policy Agent 3.0-01 release includes both Java EE agents and web agents:

1.9.1 Java EE Agents in the Policy Agent 3.0-01 Release

1.9.1.1 Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release

The following version 3.0-01 Java EE agents are available on https://support.oracle.com/.

Table 1-15 Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release

| Version 3.0-01 Policy Agent For | Patch ID |
|---|---|
| Oracle WebLogic Server 11g Release 1 (10.3.3); Oracle WebLogic Server 10g Release 3 (10.3); Oracle WebLogic Server 9.2 and 10.0; Oracle WebLogic Portal 9.2, 10.0, and 10.2 | 145385-01 |
| Sun GlassFish 2.1, V2 UR1, V2 UR2, and v3; Sun Java System Application Server 8.1, 8.2, 9.0, and 9.1 | 145383-01 |
| Apache Tomcat 6.0.x | 145384-01 |
| JBoss Application Server 4.x and 5.x | 145382-01 |
| IBM WebSphere Application Server 6.1 and 7.0; IBM WebSphere Portal Server 6.1 | 145386-01 |


1.9.1.2 Enhancements and Changes for Java EE Agents in the Policy Agent 3.0-01 Release


Note:

Version 3.0 and later Java EE agents require JDK 1.5 or later on the server where you plan to install the agent. Although some web containers such as JBoss Application Server 4.x and Application Server 8.x can run using JDK 1.4, JDK 1.5 or later is required for both the agent web container and the agentadmin program.

1.9.1.2.1 Support is added for GlassFish v3

The version 3.0-01 Java EE agent for Sun Java System Application Server and GlassFish v2 also supports GlassFish v3. See also Patch IDs for Java EE Agents in the Policy Agent 3.0-01 Release.

1.9.1.2.2 Issue 5633: New property is added to reset session idle time for not-enforced URLs

Version 3.0-01 Java EE agents include the following new property to specify whether the session idle timeout should be reset after a user with a valid session accesses a URL in the not-enforced list:

com.sun.identity.agents.config.notenforced.refresh.session.idletime

Values for this property can be:

  • true: The session idle time is reset after a user with a valid session accesses a URL in the not-enforced list.

  • false (default): The session idle time is not reset.

Set this property depending on the location of the agent's configuration repository. If the repository is local to the agent's host server, add the property to the agent's OpenSSOAgentConfiguration.properties file and restart the OpenSSO server instance.

If the agent's configuration repository is centralized, use the OpenSSO Administration Console as follows:

  1. Log in to the OpenSSO Administration Console.

  2. Click Access Control, realm-name, Agents, J2EE, j2ee-agent-name, and then Advanced.

  3. Under Custom Properties, add the new property with its corresponding value.

  4. Click Save.

1.9.1.2.3 Issue 6107: JBoss Application Server agent supports custom principal feature

JBoss Application Server 4.x and 5.x login modules support the custom principal feature, which allows users to specify a custom principal in the JBoss AS configuration. The version 3.0-01 agent for JBoss AS 4.x and 5.x also supports the custom principal feature.

To use this feature, add the following line to the <login-module> element in the JBOSS_HOME/server/default/conf/am-login-config.xml file:

<module-option name = "principalClass">com.sample.CustomPrincipal</module-option>

For example, the <login-module> element should then be as follows:

<login-module code = "com.sun.identity.agents.jboss.v40.AmJBossLoginModule" 
                  flag = "required">
    <module-option name = "unauthenticatedIdentity">anonymous</module-option>
    <module-option name = "principalClass">com.sample.CustomPrincipal</module-option>
</login-module>

In this example, com.sample.CustomPrincipal is the custom principal implementation class name. This class must be in the JBoss AS classpath.

1.9.1.2.4 Issue 6108: JBoss Application Server agent redirects to the client's requested URI

If the requested URI is using J2EE_POLICY or ALL filter mode and a user accesses a resource protected with J2EE policies by the version 3.0-01 JBoss AS 4.x and 5.x agent, the user is redirected to the client's requested resource after authentication by OpenSSO 8.0 server. Previously, the user was redirected to the client's home page.

1.9.1.3 Issues and Workarounds for Java EE Agents in the Policy Agent 3.0-01 Release

1.9.1.3.1 CR 6976312: Install fails for WebSphere Application Server agent using IBM JDK on all systems except AIX

If you run the agentadmin or agentadmin.bat script to install the version 3.0-01 policy agent for IBM WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 using the IBM JDK on systems other than IBM AIX, the installation fails because the script cannot find the IBM JCE provider.

Workaround: Add the following Java options to the agentadmin or agentadmin.bat script and then rerun the installation:

AGENT_OPTS="-DamKeyGenDescriptor.provider=IBMJCE
-DamCryptoDescriptor.provider=IBMJCE
-DamRandomGenProvider=IBMJCE"

1.9.1.3.2 CR 6976304: WebSphere Application Server administrative console cannot be accessed

After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1, you cannot access the WebSphere administrative console.

Workaround. In the WebSphere Application Server agent profile, add the WebSphere administrative console URL in the Agent Root URL for CDSSO list, as follows:

  1. Log in to the OpenSSO Administration Console.

  2. Click Access Control, realm-name, Agents, J2EE, and then the j2ee-agent-name.

  3. In Agent Root URL for CDSSO, add the WebSphere administrative console URL.

  4. Click Save.

1.9.1.3.3 CR 6976308: WebSphere Application Server administrative console redirects to an incorrect URL in CDSSO mode

After you install the version 3.0-01 policy agent for WebSphere Application Server 6.1/7.0 or IBM WebSphere Portal Server 6.1 in cross-domain single sign-on (CDSSO) mode and try to access the administrative console, you are redirected to an incorrect agentapp URL. The URL port is pointing to the admin port instead of the agentapp instance port.

Workaround. In the URL in the browser address bar, manually specify the correct port number for the agentapp instance.

1.9.1.4 Problems Fixed for Java EE Agents in the Policy Agent 3.0-01 Release

Table 1-16 Problems Fixed for Java EE Agents in the Policy Agent 3.0-01 Release

CR or Issue  Description
6121         401 error is returned instead of a 302 error when the client presents an invalid SSO Token
4461         Security context exception occurred with JBoss AS agent
6107         Custom principal in JBoss AS 4.3 is not working with J2EE agent
6108         J2EE Agent 3.0 for JBoss AS does not redirect to client request
4969         Tomcat agent J2EE tests are denied when debug level set to error mode
2779         J2EE agents should have the agentadmin script executable permission set by default
5008         GlassFish v3 server fails to start with invalid format error
5012         Tomcat 6.0 version 3.0 agent returns error with not-enforced IP list
5764         agentadmin script does not set up classpath correctly on GlassFish V3
4677         Tomcat 6.0 agent membership removal causes HTTP 403 access denied error
5197         Application logout does not clean up sessions
5744         Issue with URL pattern matching for port number in J2EE agents
4959         HTTPS session binding should be enabled by default in agent profile
5024         When not-enforced IP is used, accessing application of declarative security returns configuration error
5071         J2EE agent with CDSSO, cookie hijacking, and composite advice has second login issue
5633         J2EE agent does not reset session idle time for not-enforced URLs
5627         IP Resource condition fails if login URL in agent profile has resource=true included
6933534      Tomcat 6.0 version 3.0 agent classes are not added to classpath resulting in Tomcat startup failure


1.9.2 Web Agents in the Policy Agent 3.0-01 Release

1.9.2.1 Patch IDs for Web Agents in the Policy Agent 3.0-01 Release

The following version 3.0-01 web agents are available on https://support.oracle.com/.

Table 1-17 Patch IDs for Web Agents in the Policy Agent 3.0-01 Release

Version 3.0-01 Policy Agent For                            Patch ID
Apache HTTP Server 2.0.x                                   144698-01
Apache HTTP Server 2.2.x                                   144699-01
Microsoft Internet Information Services (IIS) 6.0          144700-01
  Supported on Microsoft Windows Server 2003, with separate agents for 32-bit and 64-bit systems.
Microsoft Internet Information Services (IIS) 7.0 and 7.5  144701-01
  Supported on Microsoft Windows Server 2008 R2, with separate agents for 32-bit and 64-bit systems.
Sun Java System Web Proxy Server 4.0.x                     144702-01
Sun Java System Web Server 7.0                             144703-01


1.9.2.2 Enhancements and Changes for Web Agents in the Policy Agent 3.0-01 Release

For more information about web agent properties, see the Oracle OpenSSO Policy Agent 3.0 User's Guide for Web Agents.

1.9.2.2.1 CR 6891373: New Properties Support POST Data Preservation With Sticky Sessions

In the 3.0-01 release, new properties support POST data preservation with sticky sessions configured. If you are using POST data preservation with a load balancer deployed in front of the agent, set the following properties for sticky sessions:

  • com.sun.am.policy.agents.config.postdata.preserve.stickysession.mode specifies the sticky session mode. The values can be COOKIE if the load balancer uses a cookie to get the sticky session or URL if the load balancer uses a query parameter in the URL to get the sticky session. For example:

    com.sun.am.policy.agents.config.postdata.preserve.stickysession.mode = URL
    
  • com.sun.am.policy.agents.config.postdata.preserve.stickysession.value specifies the name and value of the cookie or query parameter used for the sticky session. For example:

    com.sun.am.policy.agents.config.postdata.preserve.stickysession.value = AgentID=01
    

Important: For a sticky session to be set, you must set both of these properties correctly (and not to null).

These new properties are in the OpenSSOAgentConfiguration.properties file. Set these properties depending on the location of your agent's configuration repository. If the repository is local to the agent's host server, edit the agent's OpenSSOAgentConfiguration.properties file.

If the agent's configuration repository is centralized, use the OpenSSO Console:

  1. Log in to the OpenSSO Administration Console.

  2. Click Access Control, realm-name, Agents, Web, web-agent-name, and then Advanced.

  3. Under Custom Properties, add both new properties with their corresponding values.

  4. Click Save.

1.9.2.2.2 CR 6903850: Wildcard (*) Support Added for Not-Enforced Client IP List

The policy agent com.sun.identity.agents.config.notenforced.ip property in the OpenSSOAgentConfiguration.properties file now allows the wildcard character (*) to define an IP address. For example:

com.sun.identity.agents.config.notenforced.ip[2] = 192.168.11.*
com.sun.identity.agents.config.notenforced.ip[3] = *.10.10.*

Set this agent property depending on the location of your agent configuration repository. If the repository is centralized on the OpenSSO server, use the OpenSSO Console. If the repository is local to the agent's host server, edit the agent's OpenSSOAgentConfiguration.properties file.
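
The following audit script is an added example, not part of the Oracle documentation or the agent's own code. It reads the not-enforced IP entries from a properties fragment, counts how many IPv4 addresses each wildcard pattern covers, and flags malformed or overly broad entries so that they can be reviewed before deployment. It assumes that * replaces one whole octet; the sample file contents, the function names, and the 256-address review threshold are constructed for illustration.

```python
import re

# Constructed sample of an OpenSSOAgentConfiguration.properties fragment.
# Entries [2] and [3] are the patterns shown in the release notes;
# the other entries are made up for this example.
SAMPLE_PROPERTIES = """\
com.sun.identity.agents.config.notenforced.ip[0] = 10.1.2.3
com.sun.identity.agents.config.notenforced.ip[2] = 192.168.11.*
com.sun.identity.agents.config.notenforced.ip[3] = *.10.10.*
com.sun.identity.agents.config.notenforced.ip[4] = *.*.*.*
com.sun.identity.agents.config.notenforced.ip[5] = 192.168.300.1
"""

KEY = "com.sun.identity.agents.config.notenforced.ip"
ENTRY_RE = re.compile(r"^\s*" + re.escape(KEY) + r"\[(\d+)\]\s*=\s*(\S+)\s*$")
OCTET_RE = re.compile(r"[0-9]{1,3}")
# Hypothetical review threshold: anything wider than 256 addresses is flagged.
MAX_ADDRESSES = 256


def parse_entries(text):
    """Return {index: pattern} for each not-enforced IP entry in the text."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)  # comment lines and other keys do not match
        if match:
            entries[int(match.group(1))] = match.group(2)
    return entries


def coverage(pattern):
    """Count the IPv4 addresses a pattern covers; None if it is malformed.

    Assumption: '*' stands for one whole octet (0-255). Partial-octet
    wildcards such as '19*' are reported as malformed for manual review.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        return None
    count = 1
    for octet in octets:
        if octet == "*":
            count *= 256
        elif not (OCTET_RE.fullmatch(octet) and int(octet) <= 255):
            return None
    return count


def audit(text, max_addresses=MAX_ADDRESSES):
    """Return (index, pattern, address_count, verdict) tuples sorted by index."""
    findings = []
    for index, pattern in sorted(parse_entries(text).items()):
        count = coverage(pattern)
        if count is None:
            verdict = "malformed"
        elif count > max_addresses:
            verdict = "too-broad"
        else:
            verdict = "ok"
        findings.append((index, pattern, count, verdict))
    return findings


if __name__ == "__main__":
    for index, pattern, count, verdict in audit(SAMPLE_PROPERTIES):
        print(f"ip[{index}] {pattern:<16} addresses={count} -> {verdict}")
```
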

1.9.2.2.3 CR 6947499: NSS_STRICT_NOFORK Must be Disabled for Version 3.0-01 Apache Agents

The NSS and NSPR libraries used in the policy agent 3.0-01 release have changed since the version 3.0 agents were released. Therefore, to use the version 3.0-01 Apache HTTP Server 2.0.x or Apache HTTP Server 2.2.x policy agent on any platform, the NSS_STRICT_NOFORK environment variable must be set to DISABLED.

1.9.2.3 Problems Fixed for Web Agents in the Policy Agent 3.0-01 Release

1.9.2.3.1 Problems Fixed For All Web Agents

Table 1-18 Problems Fixed For All Web Agents

CR or Issue  Description
1776         Not-enforced list does not work in special circumstances
3755         Non-IP Based Token Restrictions not working with Access Manager 7 and version 3.0 agents
4755         Log message sent by Web Server 7.0 2.2 agent has an empty recMsg
4836         Policy agent should encode special characters in cookies by URL encoding
4917         Log a "no policy or action decision found" message at warning level
5060         3.0 Apache agents have issue with agent logout feature
5155         Support for x-forwarded-for headers in web agents
5229         Expired AppSSOToken during agent configuration fetch
5259         Cannot use wildcard characters in the path info part of URL in not enforced list
5266         In CDSSO mode, corrupted headers are included in the response
5323         Web agents remove CDSSO parameters from URL incorrectly
5413         Application parameters getting corrupted when CDSSO parameters are removed from the query
5425         Composite advice getting duplicated whenever access manager is restarted
5434         Apache agent doesn't work properly with mod_python handler
5453         Requests with existing iPlanetDirectoryPro cookies can cause Assertion to be ignored during session upgrade in CDSSO mode
5538         Agent crashes web server when setting long value for amlbcookie
5552         Policy evaluation fails when the request URL contains query parameters
5637         Agent doesn't work due to variable initialization issue
5666         Problems when path info is "/"
6086         Agent enforce URL case sensitivity during policy evaluation
6903850      Provide wildcard (*) support for Not Enforced Client IP List
6953714      Agent hangs while fetching policy decision if user session is validated from cache and policy has expired
6954327      In CDSSO, double POST issue problem during session upgrade
6774751      Access Manager 7.1 protected page is jumbled when session is upgraded
6959619      Host name is not set correctly when there is a load balancer in front of the agent


1.9.2.3.2 Problems Fixed for the Apache HTTP Server 2.0.x and 2.2.x Agents

Table 1-19 Problems Fixed for the Apache HTTP Server 2.0.x and 2.2.x Agents

CR or Issue  Description
4501         Additional HTTP methods support for version 3.0 Apache agent
4799         Some extra information gets printed on protected pages intermittently
5640         Attributes headers issue with 3.0 agent on IBM AIX systems
6947499      Apache 2.2 agent does not work when SSL enabled


1.9.2.3.3 Problems Fixed for the Sun Java System Web Server 7.0 Agent

Table 1-20 Problems Fixed for the Sun Java System Web Server 7.0 Agent

CR or Issue  Description
4688         Web Server agent notifications not working with protocol and port rewriting
4815         Memory corruption with POST data preservation
4911         Cookie reset for CDSSO set on incorrect domain
4934         Problem with POST data preservation feature in Web Server 7.0 agent
5207         Need a sticky cookie for load balancing with POST data preservation
5218         POST preservation data feature doesn't work with virtual hosts
5526         POST data preservation is not used when PA redirects as a result of composite advice
5532         Agent crashes web server when root policy is not found
5706         Need sticky session for POST data preservation to use URL
6937576      IIS 6.0 and web server agents do not handle overridden URL properly
6958056      POST data preservation feature doesn't work with normal FQDN and virtual hosts


1.9.2.3.4 Problems Fixed for the Sun Java System Web Proxy Server 4.0.x Agent

Table 1-21 Problems Fixed for the Sun Java System Web Proxy Server 4.0.x Agent

CR or Issue  Description
4911         Cookie reset for CDSSO set on incorrect domain
5680         Policy agent 2.2-02 on Web Proxy Server 4.0.4 has memory leak
6937576      IIS 6.0 and Web Server agents do not handle overridden URL properly
6953702      Cannot access CGIs through Web Proxy Server 3.0 agent in CDSSO mode


1.9.2.3.5 Problems Fixed for the Microsoft Internet Information Services (IIS) 6.0 Agent

Table 1-22 Problems Fixed for the Microsoft Internet Information Services (IIS) 6.0 Agent

CR or Issue  Description
4815         Memory corruption with POST data preservation
4816         Random crashes with IIS 6.0 agent
5207         Need a sticky cookie for load balancing with POST data preservation
5218         POST preservation data feature doesn't work with virtual hosts
5526         POST data preservation is not used when PA redirects as a result of composite advice
5532         Agent crashes Web Server when root policy is not found
5621         IIS 6.0 agent is not responding with OK message to notifications from server
5706         Need sticky session for POST data preservation to use URL
6929312      IIS agent: Existing header as reutersuuid will be replaced by a new header that contains its key
6937576      IIS 6.0 and web server agents do not handle overridden URL properly
6958056      POST data preservation feature doesn't work with normal FQDN and virtual hosts


1.9.2.3.6 Problems Fixed for the Microsoft Internet Information Services (IIS) 7.0 Agent

Table 1-23 Problems Fixed for the Microsoft Internet Information Services (IIS) 7.0 Agent

CR or Issue  Description
5621         IIS 6.0 Agent is not responding with OK message to notifications from server
6929312      For IIS 7.0 agent, existing header as reutersuuid will be replaced by a new header that contains its key
6937576      IIS 6.0 and Web Server agents do not handle overridden URL properly
6956162      "Object Moved error" with redirects in Policy Agent 3.0 for IIS 7.0
6956232      Policy Agent 3.0 for IIS 7.0 changes ASP.NET session ID
6955905      Server problems when cookie reset is enabled in IIS 7.5
6934736      IIS 7.0 agent is not responding with OK message to notifications from server


1.10 Installation of Version 3.0-0x Policy Agents in Patch Releases

A version 3.0-0x policy agent released in a patch requires a full installation. If you have an earlier version 3.0 policy agent already installed, you must uninstall that agent and then reinstall the new version 3.0 agent.

To install a version 3.0-0x policy agent, follow these steps:

  1. If you have an earlier policy agent installed, uninstall the agent by following the instructions in the respective Policy Agent 3.0 guide in this documentation library:

    http://docs.oracle.com/cd/E19681-01/index.html


    Caution:

    Before you uninstall the agent, back up your existing agent deployment. For example, for the Apache HTTP Server 2.2.x agent, back up the files under AgentHome/web_agents/apache22_agent, where AgentHome is where you installed the agent.

  2. Create a directory to download the version 3.0-0x patch file.

  3. Download the agent you want to install from My Oracle Support:

    https://support.oracle.com/

  4. In the download directory, unzip the version 3.0-0x patch file.

    A patch for an agent contains a README file and separate ZIP files for each platform supported by the specific agent you downloaded.

  5. Unzip the file for your specific platform.

    The files and directories required by the specific agent are then available in the following directory:

    zip-root/agent-type/agent-name
    

    where:

    • zip-root is where you unzipped the file.

    • agent-type is either j2ee_agents or web_agents.

    • agent-name identifies the specific agent.

  6. Check the README available with the agent for more information about the agent for your specific platform.

  7. Install and configure the version 3.0-0x agent by following the instructions in the respective Policy Agent 3.0 guide.


Note:

Version 3.0-0x policy agents require JDK 1.5 or later on the server where you plan to install the agent. Before you run the agentadmin program to install the agent, make sure you have the required JDK installed and then set your JAVA_HOME environment variable to point to the JDK installation directory.

1.11 Documentation Errata

This section describes the following Policy Agent 3.0 documentation errata:

1.11.1 Restarting OpenSSO server and agents after patch installation

The OpenSSO documentation does not mention that after you upgrade (or downgrade) an OpenSSO installation by installing an OpenSSO patch, you must restart the OpenSSO server and all policy agents that you have deployed.

1.11.2 Using camel case for com.iplanet.am.session.agentSessionIdleTime parameter

References in the OpenSSO 8.0 documentation (and the Access Manager 7.1 AMConfig.properties file) show this parameter with all lowercase letters, but that format does not set the idle timeout value for agent sessions.

When you set the idle timeout value, specify the parameter as follows:

com.iplanet.am.session.agentSessionIdleTime

1.11.3 Configuring Web Agent Log Rotation

The "Configuring Web Agent Log Rotation" section in the Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for Web Agents (http://docs.oracle.com/cd/E19316-01/820-5816/adtai/index.html) describes local audit log files only. The following sections add new information about debug log files and correct some of the information about audit log files:

1.11.3.1 Debug Log Files

Debug log files store troubleshooting information. The debug log files are rotated automatically, because the com.sun.identity.agents.config.debug.file.rotate property is enabled by default.

When this property is not enabled, no log rotation occurs for the debug log files.

The following properties are also related to debug log file rotation:

  • The value of the following web agent property, which is available in the OpenSSOAgentBootstrap.properties file, indicates the location of the debug log file:

    com.sun.identity.agents.config.debug.file

    This property is not available in the Oracle OpenSSO Console. Since the agent debug log file is created during agent installation, the location of that file is assigned to the bootstrap file property at that time.

  • The value of the web agent property labeled Debug Log Rotation Size (Tab: Global, Name: com.sun.identity.agents.config.debug.file.size) indicates the maximum number of bytes the debug log file holds.

    You can set this property in the Oracle OpenSSO Console. When the current debug log file reaches this size, a new debug log file is created. The debug log file size should be a minimum of 3000 bytes. The default size is 10 megabytes.

1.11.3.2 Local Audit Log Files

The log rotation described in this section refers to logs that store audit-related information locally.

The local logs are not rotated automatically, because the Rotate Local Audit Log property is disabled by default. When this property is enabled, log rotation occurs for the local log file. (This information is incorrect in the Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for Web Agents.)

The following properties are also related to audit log file rotation:

  • The value of the following web agent property, which is available in the OpenSSOAgentBootstrap.properties file, indicates the location of the local audit log file:

    com.sun.identity.agents.config.local.logfile

    This property is not available in the Oracle OpenSSO Console. Since a local audit file is created during agent installation, the location of that file is assigned to the bootstrap file property at that time.

  • The value of the web agent property labeled Local Audit Log Rotation Size (Tab: Global, Name: com.sun.identity.agents.config.local.log.size) indicates the maximum number of bytes the local audit log file holds. You can set this agent property in the Oracle OpenSSO Console. The default size is 50 megabytes.

1.11.4 Installing the Policy Agent for Oracle WebLogic Server/Portal 10

The installation instructions in the Policy Agent 3.0 Guide for Oracle WebLogic Server/Portal 10 do not mention the following sequence of steps required to install the version 3.x Java EE agent in a standalone environment with managed servers before you add a PolicyAgentProvider:

  1. Stop the WebLogic Server Administration Server and all managed servers in the standalone environment.

  2. Install the agent.

  3. Start the Administration Server.

  4. Add the PolicyAgentProvider and activate the settings in the Administration Server Console.

  5. Start the managed servers.

1.11.5 Performing Postinstallation for the Agent on WebLogic Server 10.3.6 on a SUSE Linux Platform

The postinstallation instructions in the Policy Agent 3.0 Guide for Oracle WebLogic Server/Portal 10 do not mention the following additional postinstallation steps required for the version 3.x Java EE agent on Oracle WebLogic Server 11g (10.3.6) on a SUSE Linux platform:

  1. Open the WebLogic Server startup file startWebLogic.sh in an editor.

  2. In the startWebLogic.sh file, modify the following line:

    Change: securerandom.source=file:/dev/urandom

    To: securerandom.source=file:/dev/./urandom

  3. Save the file.