Notes covering prerequisites, fixes, known issues for OpenAM Java EE policy agents. OpenAM provides open source Authentication, Authorization, Entitlement and Federation software.
Chapter 1. Java EE Policy Agents 3.3
This chapter concerns OpenAM Java EE policy agents. Java EE policy agents run in web application containers and protect Java EE applications.
1.1. New in JavaEE Policy Agents 3.3
The Java EE agent goto URL can now be modified (OPENAM-1299).
The Apache Tomcat policy agent now supports Tomcat 7 as well (OPENAM-1273).
Java EE policy agents can now conditionally redirect users based on the incoming request URL (OPENAM-1265).
The auto-submitting form in
FormLoginContent.txtnow parses as valid XML (OPENAM-674).
1.2. Before You Install OpenAM Java EE Policy Agents
This section covers software and hardware prerequisites for installing and running OpenAM Java EE Policy Agents.
If you have a special request to support a combination not listed here, contact ForgeRock at info@forgerock.com.
1.2.1. Java EE Agents Java Requirements
Java EE policy agents run in a Java EE Web container. All Java EE policy require Java Development Kit 6 or Java Development Kit 7. ForgeRock recommends the most recent update to ensure you have the latest security fixes.
ForgeRock has tested this release with Oracle Java SE JDK.
1.2.2. Java EE Agents Browsers Tested
ForgeRock has tested this policy agent release with the following web browsers.
Chrome release 16 and later
Firefox 3.6 and later
Internet Explorer 7 and later
1.2.3. Web Application Container Requirements
Java EE policy agents support the following Java EE application containers.
Apache Tomcat 6, 7
GlassFish v2, v3 (at least 3.1)
IBM WebSphere Application Server 7, 8, 8.5
JBoss Enterprise Application Platform 5 and 6, JBoss Application Server 7
Jetty 7 (at least 7.6.13), 8 (at least 8.1.13)
Oracle WebLogic Server 10g, 11g, 12c
1.2.4. Java EE Agents Platform Requirements
Apache Tomcat Java EE policy agents have been tested on Linux 2.6 or later, and on Microsoft Windows Server 2008 R2.
GlassFish Java EE policy agents have been tested on Oracle Solaris 10 or later.
Other Java EE policy agents have been tested on Linux 2.6 or later.
Testing has focused on 64-bit operating systems.
1.2.5. Java EE Agents Hardware Requirements
You can deploy OpenAM Java EE policy agents on any hardware supported for the combination of software required.
ForgeRock has tested this release on x86 and x64 based systems.
1.3. Java EE Policy Agent Compatibility
This section concerns OpenAM Java EE Policy Agents 3.3.
1.3.1. Major Changes to Java EE Policy Agent Functionality
No major changes affecting compatibility have been made to the OpenAM Java EE Policy Agents in this release.
1.3.2. Deprecated Functionality
Support for Oracle WebLogic 10g is deprecated and is likely to be removed in a future release.
1.3.3. Removed Functionality
No functionality has been removed in this release.
1.4. Java EE Policy Agents Fixes, Limitations, & Known Issues
OpenAM Java EE policy agent issues are tracked at https://bugster.forgerock.org/jira/browse/OPENAM.
1.4.1. Key Fixes
The following bugs were fixed in release 3.3. For details, see the OpenAM issue tracker.
OPENAM-1775: Java EE agent should not encapsulate exceptions coming out of applications
OPENAM-1357: WebSphere Policy Agent authentication issue for syncNode script when OpenAM authentication chain updated to not use Datastore as first module.
OPENAM-1220: Invalid date header -1 with Java agents
OPENAM-665: Uninstallation of agent on Glassfish 3 does cleanly reset security-service element correctly.
OPENAM-390: Hot-deployment fails for J2EE Agents
OPENAM-276: Agent logout throws 403 after logout if cookie encoding is enabled
OPENAM-212: RemoteUser still setted after logout when accessing not enforced URL
1.4.2. Limitations
Not all features of OpenAM Java EE policy agents work with IPv6.
Apache Tomcat can fail to shut down properly when the Java EE policy
agent for Tomcat is deployed. To work around this limitation, add the
following to your Tomcat configuration in the <Server port="8005"
shutdown="SHUTDOWN"> section.
<Listener className="org.forgerock.agents.tomcat.v6.TomcatLifeCycleListener" />
When setting com.sun.identity.agents.config.notenforced.ip,
know that loopback addresses are not considered valid IPs
for the Not Enforced IP list.
The policy agent ignores the loopback address if specified.
1.4.3. Known Issues
The following important known issues remained open at the time release 3.3 became available. For details and information on other issues, see the OpenAM issue tracker.
OPENAM-3209: Tomcat 6 agent custom-install does not modify global web.xml
OPENAM-3162: AgentRemoteConfigUtils failover logic is erroneous
OPENAM-2974: agentadmin should allow to configure multiple instances for the same agent on the same host
OPENAM-1991: Tomcat doesn't shutdown properly with J2EE agent for the tomcat.
OPENAM-1849: J2EE profile attribute mapper cannot handle identities with special chars in universal ID
OPENAM-1206: J2EE agent silent install isn't silent
OPENAM-1106: Null messages in the error log
OPENAM-868: J2EE Agent strips off servlet context when processing request for JSF application (Apache Trinidad)
OPENAM-605: Tomcat J2ee Agent initialization fails on Windows 2003
OPENAM-211: J2EE agents are unable to work, if the container was started prior to OpenAM
Chapter 2. How to Report Problems & Provide Feedback
If you have questions regarding OpenAM policy agents which are not answered by the documentation, there is a mailing list which can be found at https://lists.forgerock.org/mailman/listinfo/openam where you are likely to find an answer.
If you have found issues or reproducible bugs within OpenAM 3.3 policy agents, report them in https://bugster.forgerock.org.
When requesting help with a problem, include the following information:
Description of the problem, including when the problem occurs and its impact on your operation
Description of the environment, including the following information:
Machine type
Operating system and version
Web server or container and version
Java version
OpenAM policy agent and version
Any patches or other software that might be affecting the problem
Steps to reproduce the problem
Any relevant access and error logs, stack traces, or core dumps
Chapter 3. Support
You can purchase OpenAM support subscriptions and training courses from ForgeRock and from consulting partners around the world and in your area. To contact ForgeRock, send mail to info@forgerock.com. To find a partner in your area, see http://forgerock.com/partners/find-a-partner/.