
What's New in Web Policy Agents 3.0.4

The Web Policy Agent 3.0.4 release is an incremental release that includes several enhancements and fixes a number of bugs.

Enhancement to notenforced.ip settings

This enhancement, OPENAM-630, allows you to use IPv4 netmasks and IP ranges instead of wildcards as values for notenforced.ip in the policy agent configuration.

Set the following custom parameter in the configuration file to enable use of netmasks and IP ranges:

com.forgerock.agents.config.notenforced.ip.handler=cidr

When this custom parameter is defined, wildcards in the settings for notenforced.ip are ignored. Instead, you can use settings such as those shown in the following examples.

Netmask Example

To disable policy agent enforcement for addresses in 192.168.1.0 to 192.168.1.255, use the following setting.

notenforced.ip = 192.168.1.0/24

Currently the policy agent stops evaluating properties after reaching an invalid netmask in the list.

IP Range Example

To disable policy agent enforcement for addresses from 192.168.1.10 to 192.168.1.127 inclusive, use the following setting.

notenforced.ip = 192.168.1.10-192.168.1.127

You must restart the policy agent after changing the values for the change to take effect.
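Because every address matched by notenforced.ip skips policy enforcement, it is worth linting the list before restarting the agent. The following is an added example, not code from the policy agent or the OpenAM project: it takes the notenforced.ip values in configuration order and reports which entries would be evaluated, how many addresses each exempts, and which are ignored or never reached. It assumes a plain single address is accepted as-is and that any unparsable entry stops evaluation the way the page describes for an invalid netmask; the sample list is constructed.

```python
import ipaddress

def lint_notenforced_ip(entries):
    """Lint an ordered list of notenforced.ip values for handler=cidr.

    Returns (effective, problems): effective holds (value, first, last, count)
    for entries the agent would evaluate; problems holds (index, value, reason).
    """
    effective, problems = [], []
    for pos, raw in enumerate(entries):
        value = raw.strip()
        if "*" in value:
            # Page: wildcards are ignored once the cidr handler is enabled.
            problems.append((pos, value, "wildcard ignored"))
            continue
        try:
            if "-" in value:
                first, last = (ipaddress.IPv4Address(p.strip())
                               for p in value.split("-", 1))
                if first > last:
                    raise ValueError("range start above range end")
            elif "/" in value:
                net = ipaddress.IPv4Network(value, strict=False)
                first, last = net.network_address, net.broadcast_address
            else:
                # Plain single address: assumed to be accepted as-is.
                first = last = ipaddress.IPv4Address(value)
        except ValueError:
            # Page: evaluation stops at an invalid netmask. Applying the same
            # rule to any unparsable entry is a conservative assumption.
            problems.append((pos, value, "invalid"))
            problems += [(i, e.strip(), "not evaluated")
                         for i, e in enumerate(entries[pos + 1:], pos + 1)]
            break
        effective.append((value, first, last, int(last) - int(first) + 1))
    return effective, problems

def is_exempt(client_ip, effective):
    """True if client_ip falls in an entry that skips policy enforcement."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(first <= ip <= last for _, first, last, _ in effective)

# Constructed sample list, in configuration order.
SAMPLE = ["192.168.1.0/24", "192.168.1.10-192.168.1.127", "10.0.*.*",
          "10.1.0.0/33", "172.16.0.0/12"]

if __name__ == "__main__":
    ok, bad = lint_notenforced_ip(SAMPLE)
    for value, first, last, count in ok:
        print(f"exempt  {value}: {first}-{last} ({count} addresses)")
    for pos, value, reason in bad:
        print(f"problem [{pos}] {value}: {reason}")
```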

Bugs Fixed in this Release

  • OPENAM-284: Web Agents fail if not enforced URL is malformed
  • OPENAM-289: Path Info handling in the Web Agents is mis-handled
  • OPENAM-426: IIS6 Agent Install Script fails when spaces in path
  • OPENAM-437: Session is not maintained in IIS7 agent
  • OPENAM-620: Apache httpd server dumps core if child is terminated
  • OPENAM-654: Apache 2.2 PA, does not forward composite advice to DAS Auth module (session refresh condition)
  • OPENAM-722: Apache 2.2 on Windows crashes after installing Agent 3.0.3
  • OPENAM-728: Apache webagent does not work on 64 bits with SSL
  • OPENAM-754: Option to send composite advice in the query instead of sending it through a POST request (To enable GET, set the custom agent parameter, com.sun.am.use_redirect_for_advice=true. Default is false.)
  • OPENAM-765: None of global shared memory features (notifications, post-data-preservation) are working on apache22 policy agent on Linux

Enhancements in this Release

  • OPENAM-630: Improve the not enforced IP configuration functionality in the C SDK
  • OPENAM-692: Improve and simplify the Web Policy Agent build on Windows

Known Issues in This Release

The Web Policy Agents 3.0.4 contain a number of outstanding issues that have been noted in the OpenAM bug tracker. Please check the bug tracker for open bugs.

As mentioned in OPENAM-724, policy agent configuration files must have valid values for properties ending in the following strings.

.cookie.name
.fqdn.default
.agenturi.prefix
.naming.url
.login.url
.instance.name
.username
.password
.connection_timeout
.policy_clock_skew

Policy agents assume these properties are correctly set in the agent configuration file, and can dump core when attempting to use a required but missing property value.

Policy agents do not check whether required values exist when reading configuration files. Instead, policy agents stop reading the properties at the first failure. Furthermore, if invalid values are included in the configuration file, then the policy agent loads the invalid value without checking, and later attempts to use the invalid value. This can result in invalid values being passed to policy agent methods, such that the issue manifests itself some time after the policy agent has read the configuration file and started.
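Since the agent does not validate these properties itself, a pre-start check of the configuration file can catch a missing or malformed value before it reaches the agent. The following is an added example, not part of the policy agent or the OpenAM project: it checks that every suffix listed above is present with a non-empty value. The integer and URL shape checks, the key=value parsing, and the `example.agent.` key prefix in the constructed sample are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Suffixes listed on the page (OPENAM-724).
REQUIRED_SUFFIXES = (
    ".cookie.name", ".fqdn.default", ".agenturi.prefix", ".naming.url",
    ".login.url", ".instance.name", ".username", ".password",
    ".connection_timeout", ".policy_clock_skew",
)
# Assumed value shapes, not taken from the page.
INTEGER_SUFFIXES = (".connection_timeout", ".policy_clock_skew")
URL_SUFFIXES = (".naming.url", ".login.url")

def parse_properties(text):
    """Parse key = value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def _is_http_url(token):
    parts = urlparse(token)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def check_required(text):
    """Return (suffix, key, reason) for each required property problem."""
    props, findings = parse_properties(text), []
    for suffix in REQUIRED_SUFFIXES:
        matches = [(k, v) for k, v in props.items() if k.endswith(suffix)]
        if not matches:
            findings.append((suffix, None, "missing"))
        for key, value in matches:
            if not value:
                findings.append((suffix, key, "empty"))
            elif suffix in INTEGER_SUFFIXES and not value.isdigit():
                findings.append((suffix, key, "not an integer"))
            elif suffix in URL_SUFFIXES and not all(map(_is_http_url, value.split())):
                findings.append((suffix, key, "not an http(s) URL"))
    return findings

# Constructed sample file; no .password key, three bad values.
SAMPLE = """# constructed sample
example.agent.cookie.name = SampleCookie
example.agent.fqdn.default = www.example.com
example.agent.agenturi.prefix = http://www.example.com:80/amagent
example.agent.naming.url = http://openam.example.com:8080/openam/namingservice
example.agent.login.url = openam.example.com/openam/UI/Login
example.agent.instance.name =
example.agent.username = agent1
example.agent.connection_timeout = two
example.agent.policy_clock_skew = 0
"""
```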

Apache Portable Runtime 1.3.x Required

The Apache 2.2 web policy agent requires at least Apache Portable Runtime 1.3.x. You can check the version used in your installation by running httpd -V.

OpenAM Documentation

A substantial quantity of documentation for OpenAM is available on this Wiki, and ForgeRock continues to work on providing up-to-date documentation for the current release of OpenAM. For additional documentation you can check the OpenSSO Enterprise 8.0 documentation, which is mostly applicable to OpenAM.

How to Report Problems and Provide Feedback

If you have questions regarding OpenAM which are not answered by the documentation, there is a lively mailing list which can be found at https://lists.forgerock.org/mailman/listinfo/openam where you are likely to find an answer.

If you have found issues or reproducible bugs within OpenAM or the policy agents, report them in https://bugster.forgerock.org.

If you are requesting help for a problem, please include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation
  • Machine type, operating system version, web container and version, JDK version, and OpenAM release version, including any patches or other software that might be affecting the problem
  • Steps to reproduce the problem
  • Any error logs or core dumps