15.13 Managing the Preferred Host in 10g WebGates

In previous 10g releases, the preferred host was a mandatory parameter which could be made optional through configuration. In the current implementation of Access Manager, the value of the preferred host parameter in the agent profile is a mandatory field populated when the profile is created. Thus when migrating agent profiles from Access Manager 10g, this parameter might have no value. Because of the empty preferred host value in a migrated agent profile, the Access Manager 11g console does not allow the administrator to modify the agent profile.

Since the current migration process does not support migration when this parameter is empty, the following actions have been incorporated into the migration process.

  • During the migration of agent profiles with no preferred host value, the host identifier defined as the value of AUTO_UPDATE_HOSTID will be set as the preferred host. This will work for 11g WebGates as well as 10g WebGates.


    In the getClientConfigResponse() method, the AUTO_UPDATE_HOSTID host identifier will be replaced with an empty string so that the preferred host will not be set in ObAccessClient.xml. In these cases, the WebGate will read the host from the HTTP header. Because the user can modify the HTTP header, this vulnerability is indicated as follows.

    • The 11g Access Manager console displays the agent profile with a red mark indicating that the value of the preferred host is blank.

    • The agent's GetClientConfig() method indicates that the empty preferred host is null.

  • The ALLOWBLANKPREFERREDHOST flag will be added and action taken based on its value. In cases where it is set to true, the empty string will be sent to the agent as the preferred host. In cases where it is set to false, the server will send a fatal error to the agent.

Use the setAllowEmptyHostIdentifier WLST command, described in the following section, to manage this feature.