Copyright © 2011-2013 ForgeRock AS
Publication date: May 25, 2013
Notes covering prerequisites, fixes, known issues for OpenAM policy agents. OpenAM provides open source Authentication, Authorization, Entitlement and Federation software.
This chapter concerns OpenAM web policy agents. Web policy agents run in web servers and protect access to web pages.
A new web policy agent, Varnish, has been added. The Varnish agent differs from the other web policy agents: it does not require a Java environment, it has its own set of instructions for the agentadmin command, and it uses a directory called vmods. Installation and any Varnish updates are handled in this directory, and the user needs administrative rights on it for changes to take effect.
All of the web policy agents have been updated to support Internet Protocol version 6 (IPv6) in addition to IPv4.
IPv6 replaces IPv4 to address the exhaustion of the IPv4 address space. The new protocol version increases the number of available internet addresses by using 128-bit addresses instead of the 32-bit addresses of IPv4. IPv6 addresses are written as eight groups of hexadecimal digits.
Web policy agents can perform naming URL validation during the bootstrap phase, and can fail over from one OpenAM service to another (OPENAM-1258). Configure these capabilities by using the following bootstrap properties.
com.forgerock.agents.ext.url.validation.default.url.set: Indicates the order of service URLs for failover.
com.forgerock.agents.ext.url.validation.level: Controls the extent of naming URL validation.
com.forgerock.agents.ext.url.validation.ping.interval: Sets the number of seconds between validation requests against the naming URL.
com.forgerock.agents.ext.url.validation.ping.miss.count: Sets the threshold of validation failures after which to fail over.
com.forgerock.agents.ext.url.validation.ping.ok.count: Sets the threshold of validation successes after which to fail back to the first URL in the default.url.set list.
See Bootstrap Configuration Properties for details.
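To make the interplay of ping.miss.count and ping.ok.count concrete, here is an added model of the failover and fail-back behaviour described above. It is illustration code written for these notes, not the policy agent's own implementation; it assumes every URL in default.url.set is probed once per ping.interval, and the URLs and bootstrap values are constructed.

```python
"""Model of the naming URL validation failover settings (OPENAM-1258).
Added illustration, not the agent's code; assumes every URL in
default.url.set is probed each ping.interval. Values are constructed."""
from dataclasses import dataclass, field

PFX = "com.forgerock.agents.ext.url.validation."
BOOTSTRAP = {  # constructed bootstrap values in the agent's property style
    PFX + "default.url.set": "https://am1.example.com/openam,https://am2.example.com/openam",
    PFX + "ping.miss.count": "3",
    PFX + "ping.ok.count": "2",
}


@dataclass
class NamingUrlSelector:
    urls: list          # ordered failover set; urls[0] is the preferred server
    miss_count: int     # consecutive failures before failing over
    ok_count: int       # consecutive successes of urls[0] before failing back
    active: int = 0
    misses: int = 0
    oks: int = 0
    events: list = field(default_factory=list)

    @classmethod
    def from_bootstrap(cls, props):
        return cls([u.strip() for u in props[PFX + "default.url.set"].split(",")],
                   int(props[PFX + "ping.miss.count"]), int(props[PFX + "ping.ok.count"]))

    @property
    def current_url(self):
        return self.urls[self.active]

    def tick(self, probe):
        """Apply one interval's probe results ({url: reachable}); return the URL in use."""
        if probe[self.current_url]:
            self.misses = 0
        else:
            self.misses += 1
            if self.misses >= self.miss_count:
                # Fail over to the next URL in default.url.set (wrapping around).
                self.active = (self.active + 1) % len(self.urls)
                self.misses = self.oks = 0
                self.events.append("failover:" + self.current_url)
        if self.active != 0:
            # Fail back once the preferred URL has answered ok_count times in a row.
            self.oks = self.oks + 1 if probe[self.urls[0]] else 0
            if self.oks >= self.ok_count:
                self.active = self.misses = self.oks = 0
                self.events.append("failback:" + self.current_url)
        return self.current_url
```

Note that a single lost probe resets the miss counter, so only sustained unreachability of the active server triggers a switch.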
Web policy agents now allow you to configure the net-connect timeout used for naming URL validation (OPENAM-1257).
Web policy agents now support IPv6 for notenforced IP addresses (OPENAM-1256).
A web policy agent is now available for Apache HTTPD Server 2.4 (OPENAM-1195).
Web policy agents now let you enable and disable Cache-Control headers for unauthenticated sessions (OPENAM-1087).
Web policy agents now let you preserve POST data when working with URI-based load balancing (OPENAM-980).
Web policy agents now let you configure whether to do an HTTP 302 redirect after processing the LARES POST (OPENAM-936).
Web policy agents now let you configure whether to URL encode the session cookie sent with the LARES POST using the boolean property com.forgerock.agents.cdsso.cookie.urlencode (OPENAM-915).
Web policy agents can now conditionally redirect users based on the incoming request URL (OPENAM-849).
Web policy agents now support the Expires attribute on cookies (OPENAM-815).
Web policy agents can now mark persistent cookies as HTTPOnly, to prevent scripts and third-party programs from accessing the cookies (OPENAM-804).
The IIS 7 web policy agent now supports HTTP Basic authentication and password replay, thereby better supporting Microsoft OWA and SharePoint (OPENAM-773).
Web policy agents now allow use of regular expressions in Not Enforced URLs (OPENAM-772). In addition, regular expressions are supported for logout URLs and for rejecting access to invalid URLs.
This section covers software and hardware prerequisites for installing and running OpenAM web policy agents.
If you have a special request to support a combination not listed here, contact ForgeRock at info@forgerock.com.
All web policy agents except Microsoft IIS web agents require Java for installation. ForgeRock recommends the most recent release of Java 6 or later to ensure you have the latest security fixes.
ForgeRock has tested this release with Oracle Java SE JDK.
ForgeRock has tested this web policy agent release with the following web browsers.
Chrome release 16 and later
Firefox 3.6 and later
Internet Explorer 7 and later
Web policy agents support the following web servers.
Apache HTTP Server 2.0, 2.2, 2.4
Microsoft IIS 6, 7
Oracle iPlanet Web Server 7.0 (also known as Sun Web Server)
In this release, the web policy agent for Oracle iPlanet Web Server 7.0 is not at feature parity with the other web policy agents and is lacking some fixes. In particular, this policy agent has the following known issues.
OPENAM-2180: Missing bootstrap file in WPA for SJSWS 7 should indicate this in error message
OPENAM-2178: SJSWS 7 agent debug log size parameter does not behave correctly for values below 3000
OPENAM-2177: SJSWS does not handle PDP cache expiration correctly
OPENAM-1889: Wrong password in combination with naming service failover causes internal error on OpenAM
OPENAM-1701: Internal exception is thrown upon login to WPA when c66encode is set to false
OPENAM-1523: Policy Agent fails to locate OpenAM server cookie value
This web policy agent has been tested only on 64-bit versions of Solaris.
Sun Proxy Server 4.0 (deprecated)
Apache HTTP web policy agents have been tested on Linux 2.6 or later, and on Oracle Solaris 10 or later. Apache HTTP web policy agents require Apache Portable Runtime 1.3.x or later. You can check your installation by running httpd -v. On some systems, the packaged version of Apache HTTP Server uses earlier versions of APR that are not compatible with the current web policy agents.
The Microsoft IIS 6 web policy agent has been tested on Windows Server 2003.
The Microsoft IIS 7 web policy agent has been tested on Windows Server 2008 R2.
Before installing web policy agents on Solaris 10, make sure you have applied the latest shared library patch for C++, at least 119963-16 on SPARC, or 119964-12 on x86.
This section concerns OpenAM Web Policy Agents 3.2.0-SNAPSHOT.
IIS web policy agents no longer rely on the Windows registry to determine where to find configuration settings. Instead, IIS agents determine the relative location of their configuration properties files based on the location of the web policy agent DLL, and on the Site ID set by IIS at runtime.
The cleanest upgrade path is to uninstall the previous version of the IIS agent, and then install the new version of the IIS agent.
Naming URL validation was introduced after release 3.0.4. The initial implementation of naming URL validation for web policy agents enabled validation by default. Naming URL validation is now fully disabled by default. You can adjust this setting by using the bootstrap configuration property com.forgerock.agents.ext.url.validation.disable.
The following functionality is deprecated in OpenAM Web Policy Agents 3.2.0-SNAPSHOT, and is likely to be removed in a future release.
Web policy agent support for Sun Proxy Server is deprecated. Support for Sun Proxy Server is likely to be removed in a future release.
OpenAM web policy agent issues are tracked at https://bugster.forgerock.org/jira/browse/OPENAM.
The following bugs were fixed in release 3.2.0-SNAPSHOT. For details, see the OpenAM issue tracker.
TODO
The following important known issues remained open at the time release 3.2.0-SNAPSHOT became available. For details and information on other issues, see the OpenAM issue tracker.
TODO
This chapter concerns OpenAM Java EE policy agents. Java EE policy agents run in web application containers and protect Java EE applications.
OpenAM Java EE Policy Agents 3.2.0-SNAPSHOT Xpress is a milestone release from the main development branch of the product. The Xpress release contains selected key features and all issues fixed to date. An Xpress release undergoes important functional testing but not the complete testing cycle that is done for a full Enterprise release.
Xpress releases are supported through ForgeRock subscriptions and are upgradeable to the Enterprise version, which has long term support.
The goal of an Xpress release is to enable you to start build phases earlier, with the most recent features, instead of having to wait for the Enterprise release date. Fixes to issues that are discovered in an Xpress release are delivered as patches to ForgeRock customers, and are guaranteed to be delivered in the Enterprise release that follows. Xpress releases are supported for a grace period after the Enterprise version has been released.
With the exception of these Release Notes, the official documentation for this release is still in progress, and is accessible at http://openam.forgerock.org/docs.html. The complete, validated documentation set will be available with the Enterprise release.
The Java EE agent goto URL can now be modified (OPENAM-1299).
The Apache Tomcat policy agent now supports Tomcat 7 as well (OPENAM-1273).
Java EE policy agents can now conditionally redirect users based on the incoming request URL (OPENAM-1265).
The auto-submitting form in FormLoginContent.txt now parses as valid XML (OPENAM-674).
This section covers software and hardware prerequisites for installing and running OpenAM Java EE Policy Agents.
If you have a special request to support a combination not listed here, contact ForgeRock at info@forgerock.com.
Java EE policy agents run in a container using Java 6 or later. ForgeRock recommends the most recent release of Java 6 or later to ensure you have the latest security fixes.
ForgeRock has tested this release with Oracle Java SE JDK.
ForgeRock has tested this policy agent release with the following web browsers.
Chrome release 16 and later
Firefox 3.6 and later
Internet Explorer 7 and later
Java EE policy agents support the following Java EE application containers.
Apache Tomcat 6, 7
GlassFish v2, v3
IBM WebSphere Application Server 7, 8, 8.5
JBoss Enterprise Application Platform 5
Jetty 7
Oracle WebLogic Server 10g or later
Apache Tomcat Java EE policy agents have been tested on Linux 2.6 or later, and on Microsoft Windows Server 2008 R2.
GlassFish Java EE policy agents have been tested on Oracle Solaris 10 or later.
Other Java EE policy agents have been tested on Linux 2.6 or later.
Testing has focused on 64-bit operating systems.
This section concerns OpenAM Java EE Policy Agents 3.2.0-SNAPSHOT.
No major changes affecting compatibility have been made to the OpenAM Java EE Policy Agents in this release.
OpenAM Java EE policy agent issues are tracked at https://bugster.forgerock.org/jira/browse/OPENAM.
The following bugs were fixed in release 3.2.0-SNAPSHOT. For details, see the OpenAM issue tracker.
TODO
Not all features of OpenAM Java EE policy agents work with IPv6.
Apache Tomcat can fail to shut down properly when the Java EE policy agent for Tomcat is deployed. To work around this limitation, add the following to your Tomcat configuration in the <Server port="8005" shutdown="SHUTDOWN"> section.
<Listener className="org.forgerock.agents.tomcat.v6.TomcatLifeCycleListener" />
The following important known issues remained open at the time release 3.2.0-SNAPSHOT became available. For details and information on other issues, see the OpenAM issue tracker.
TODO
If you have questions regarding OpenAM policy agents that are not answered by the documentation, there is a mailing list at https://lists.forgerock.org/mailman/listinfo/openam where you are likely to find an answer.
If you have found issues or reproducible bugs within OpenAM 3.2.0-SNAPSHOT policy agents, report them in https://bugster.forgerock.org.
When requesting help with a problem, include the following information:
Description of the problem, including when the problem occurs and its impact on your operation
Description of the environment, including the following information:
Machine type
Operating system and version
Web server or container and version
Java version
OpenAM policy agent and version
Any patches or other software that might be affecting the problem
Steps to reproduce the problem
Any relevant access and error logs, stack traces, or core dumps
You can purchase OpenAM support subscriptions and training courses from ForgeRock and from consulting partners around the world and in your area. To contact ForgeRock, send mail to info@forgerock.com. To find a partner in your area, see http://forgerock.com/partners/find-a-partner/.