Sun ONE Identity Server Policy Agent Release Notes



Release Notes for Sun ONE Identity Server Policy Agents for Application Servers




Updated: January 2003

These release notes contain important information for Sun™ ONE Identity Server Policy Agents. Sun ONE Identity Server Policy Agents support Sun ONE Identity Server 5.1. These notes cover new features and enhancements, installation notes, known problems, and other late-breaking issues. Read this document before you begin using Sun ONE Identity Server Policy Agents.

These release notes contain the following sections:



What's New in This Release

  • Sun ONE Identity Server Policy Agent for PeopleSoft 8.3 running on Solaris 8 and HP-UX 11 platforms.



Supported Servers

  • WebLogic 6.1 SP2 on Solaris 8, Windows 2000 Server, and HP-UX 11

  • WebSphere 4.0.3 AE on Solaris 8

  • Sun ONE Application Server 7.0 on Solaris 8, Solaris 9, and Windows 2000 Server

  • PeopleSoft 8.3 on Solaris 8 and HP-UX 11



Installation Notes

There are no special Installation Notes for this release. For details on installing Sun ONE Identity Server Policy Agent, see the J2EE Agent Guide at:

http://docs.sun.com/db/prod/s1idsrv#hic



Known Problems and Limitations



This section lists and describes the known problems and limitations for this release of Sun ONE Identity Server Policy Agents.


WebLogic 6.1 SP2

  • Agent uninstall restores the WebLogic Server configuration to its previous state.

    When the Agent is installed on the WebLogic Server, it takes a backup of the WebLogic Server configuration file, config.xml. This backup is restored when you remove the Agent from the system by running the uninstallation program. Therefore, any changes that were made to the WebLogic Server configuration after the Agent is installed are likely to be lost due to the restoration of the backed up configuration. We recommend that you make the necessary changes to WebLogic Server configuration before installing the Agent.

  • Agent uninstall can corrupt the WebLogic Server configuration if the agent is uninstalled while the WebLogic Server is running.

    This limitation arises because, when the WebLogic Server is running, any changes that the Agent uninstallation program makes to the server configuration are lost, which causes the WebLogic Server to malfunction the next time it is started. To avoid this problem, we recommend that you install or uninstall the Agent only when the WebLogic Server is not running.

  • WebLogic Server does not start properly when LDAPS is configured.

    WebLogic Server does not start up correctly when the Agent uses LDAPS. (#4714511)


WebSphere 4.0.3 AE

  • Silent installation is not supported.

  • Expanding the installer panels does not resize the screen. (#4770281)

  • Command-line installation does not allow the user to go back to the previous step.

  • When a request is passed from Identity Server to the Web Agent, lowercase characters in the LDAP Attribute header name are changed to uppercase, the header is prefixed with the "HTTP" key, and each hyphen (-) is changed to an underscore (_). These changes are undone when the request is passed from the Web Server to WebSphere Application Server. (#4767485)

  • The uninstallation program does not remove the package SUNWamwas if WebSphere configuration is done manually. (#4776991)

  • Users may encounter a session synchronization problem if the Apache or iPlanet Web Server Policy Agent is used.

    The LTPA authentication framework in WebSphere sets the LtpaToken cookie in the browser session on successful authentication. This cookie identifies the authenticated user to the WebSphere Application Server for the requests in that session. When the Web Agent is installed, authentication is managed by Identity Server. When a user session ends in Identity Server, the LtpaToken cookie in the request no longer identifies the authenticated user. Because the LtpaToken is still present, WebSphere continues execution in the context of the authenticated user represented by the LtpaToken. This problem is fixed in the IBM HTTP Server Agent, using the Cookie Reset feature. (#4766715)

    Workaround

    1. Start the WebSphere Administrative Console using the following command:

      # WAS_root_dir/bin/adminclient.sh

    2. In the Administrative Console interface, choose Console > Security Center.

    3. Click the Authentication tab.

    4. Uncheck the field "Enable Single Sign-On" and click OK.

    5. Restart the WebSphere Server for changes to take effect.

  • Segmentation error

    The child process exits with a segmentation error when the Apache server is used. This has been identified as a bug in the Apache API ap_custom_response(..), which the Agent code uses for redirection to Identity Server. More details are available at:

    http://bugs.apache.org/index.cgi/full/6336

    http://bugs.apache.org/index.cgi/full/8334

  • The Identity Server Policy Agent for WebSphere Application Server 4.0.3 is designed to enforce authentication and authorization for clients that interact with the application through the application server's web container. Typically, such clients are thin clients like web browsers that communicate with the application server's web container using HTTP or HTTPS protocols. If the client does not access the application through the HTTP or HTTPS protocols, thereby bypassing the web container of the application server, the Agent Interceptor component will not intercept the request. This is a likely case when the application is being accessed by a rich client using other protocols such as RMI over IIOP. Since the Agent Interceptor component is bypassed, the authentication cannot be enforced.

    Clients that are not authenticated by the Agent Interceptor do not possess sufficient credentials for the Agent Realm component to evaluate the necessary J2EE security policies. Therefore, such clients will be denied access to all protected resources. Alternatively, security-aware applications that use the programmatic J2EE security APIs provided in the application server will be given negative results by such APIs.

  • The Agent functionality does not work properly (access to protected resources is always declined) when the resources are accessed directly using the web container's internal HTTP transports, thus bypassing the web server.

  • WebSphere Server does not start properly when LDAPS is configured.

    WebSphere Server does not start up properly when the Directory Server used by the Identity Server is configured for LDAPS. (#4714511)

  • The WebSphere Application Server does not invoke the Trust Association Interceptor when access is made to unprotected resources. If an unprotected resource accesses a secure resource, the access will always fail, even if the resource was accessed from an authenticated session that has the roles for accessing the secure resource.

    Workaround

    All unprotected resources that access protected resources must be secured with a dummy security constraint. Access to these resources should be limited to any authenticated user, by mapping the role associated with the dummy security constraint to the special subject "All Authenticated Users." This ensures that the trust association is not bypassed when these resources are accessed. However, with this workaround the unprotected resource no longer remains truly unprotected.
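
The dummy security constraint from the workaround above, written as a web.xml fragment. This is an added example, not part of the original release notes; the URL pattern and role name are hypothetical, and the mapping of the role to "All Authenticated Users" is done separately in the WebSphere role bindings.

```xml
<!-- Added example: fragment of WEB-INF/web.xml (standard servlet
     deployment descriptor elements). The URL pattern and the role name
     are hypothetical placeholders. -->

<!-- Dummy constraint on the formerly unprotected resource that accesses
     protected resources. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Page that accesses protected resources</web-resource-name>
    <url-pattern>/public/summary/*</url-pattern>
    <!-- No <http-method> elements are listed, so the constraint applies
         to every HTTP method and none is left unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Hypothetical role. At deployment, map it to the special subject
         "All Authenticated Users" in the WebSphere role bindings. -->
    <role-name>AnyAuthenticatedUser</role-name>
  </auth-constraint>
</security-constraint>

<!-- The role used above must also be declared for the web module. -->
<security-role>
  <description>Dummy role for the trust association workaround</description>
  <role-name>AnyAuthenticatedUser</role-name>
</security-role>
```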


Sun ONE Application Server 7.0

  • Silent installation hangs if agent is already installed

    If the agent is installed using the StateFile on a system where the agent is already installed, the installation hangs. If you press Enter, the installer does not exit. (#4785320)

  • Sun ONE Application Server does not start properly when LDAPS is configured.

    Sun ONE Application Server does not start up correctly when the Agent uses LDAPS. (#4714511)


PeopleSoft 8.3

  • Agent uninstall restores the PeopleSoft and WebLogic Server configuration to their previous state.

    When the Agent is installed on the PeopleSoft Server, it takes a backup of the PeopleSoft and WebLogic Server configuration files. These backups are restored when you remove the Agent from the system by running the uninstallation program. Therefore, any changes that were made to these configuration files after the Agent is installed are likely to be lost due to the restoration of the backed up configuration. We recommend that you make the necessary changes to the Server configuration before installing the Agent.

  • Agent uninstall can corrupt the WebLogic Server configuration if the agent is uninstalled while the WebLogic Server is running.

    This limitation arises because, when the WebLogic Server is running, any changes that the Agent uninstallation program makes to the server configuration are lost, which causes the WebLogic Server to malfunction the next time it is started. To avoid this problem, we recommend that you install or uninstall the Agent only when the WebLogic Server is not running.

  • Agent will not work properly when the Directory Server used by Identity Server is configured for LDAPS.

    Agent will not work properly when the Directory Server used by Identity Server is configured for LDAPS. (#4714511)



How to Report Problems

Your feedback is welcome and extremely helpful for improving the product. Before contacting us to request assistance, please check the latest documentation for this release at this site: wwws.sun.com/software/products/identity_srvr/home_identity.html.

If you need further assistance or information about Identity Server Policy Agent, contact Technical Support: www.sun.com/supportraining/

So that we can best assist you in resolving problems, please be sure to include the following information:

  • Description of the problem, including the situation where the problem occurs and its impact on your operation

  • Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem

  • Detailed steps on the methods you have used to reproduce the problem

  • Any error logs or core dumps

For problems involving the use of this product with other products, include the release number and platform information for those products as well.



For More Information



Useful product information can be found at the following Internet locations:




Last Updated January 17, 2003