Thursday, December 12, 2013

OpenAM Web Policy Agents 3.3.0

Have you tried the latest OpenAM Web Policy Agents 3.3.0?

It would be good to do some homework before installing/upgrading. I find this a good starting point.

Some highlights below:

Important Changes to Web Policy Agent Functionality
  • IIS web policy agents no longer rely on the Windows registry to determine where to find configuration settings. 
  • The default policy evaluation mode for new policy agent profiles is now self rather than subtree, in order to better scale for large numbers of policy rules.
Deprecated Functionality
  • Support for Microsoft IIS 6 is deprecated, and likely to be removed in a future release.
Removed Functionality
  • Web policy agent support for Apache HTTP Server 2.0 is no longer provided in this release.
  • Web policy agent support for Oracle iPlanet Web Proxy Server (formerly Sun Java System Web Sun Proxy Server) is no longer provided in this release.

Setting the default policy evaluation mode to self is a good move. This allows the agent to scale better. No one will miss Apache HTTP Server 2.0 and Oracle iPlanet Web Proxy Server. However, there will still be some customers using Microsoft IIS 6.

Top new features I personally welcome:

  • All of the web policy agents have been updated to support Internet Protocol version 6 (IPv6), in addition to IPv4.
  • This release adds a new web policy agent for Varnish Cache.
  • Web policy agents now support IPv6 for notenforced IP addresses.
  • A web policy agent is now available for Apache HTTPD Server 2.4.
  • Web policy agents can now conditionally redirect users based on the incoming request URL.
  • The IIS 7 web policy agents now have support for HTTP Basic authentication and password replay, thereby better supporting Microsoft OWA and SharePoint.

IPv6 seems common these days. Agent support for IPv6 is very welcome.

I was at a customer site more than 6 months ago. This customer has OpenSSO deployed and I was asked about IPv6 support in OpenAM. I sent an email to ForgeRock and was informed IPv6 will be supported fairly soon. It has arrived!

I was told by the same customer that another product vendor had indicated IPv6 on their roadmap. Well, it's still on the roadmap as of today. Nothing has been updated since. Sales pitch. Yes, typical salesman.

SharePoint integration is also fairly common these days. Almost every customer of ours owns a Microsoft Active Directory and they usually require integration with their SharePoint server. (Side track a bit: Do not ever forget AD in code development and QA. :> These are real paying customers!)

Lastly, some limitations to take note of:

  • Web policy agents for IIS do not support Web gardens nor multi-process mode. 
  • If you are running an Apache Web agent on RHEL 6 (CentOS 6), and are also running SELinux in enforcing mode, Apache may fail to restart with a 'Permission denied' message, with a pointer to a file in the /path/to/web_agents/apache2x_agent/lib directory. SELinux expects most library files to be configured with a lib_t label; you can set that up with the chcon -t lib_t /path/to/web_agents/apache2x_agent/lib/*.so and semanage fcontext -a -t lib_t /path/to/web_agents/apache2x_agent/lib/*.so commands.
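
An added example (not from the release notes or from ForgeRock) for the SELinux limitation above: a shell check that reads `stat -c '%C %n'` output, lists the agent libraries whose SELinux type is not lib_t, and prints the chcon and semanage commands named above for each one. The library file names and contexts in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit SELinux labels on the agent's shared libraries.
# Input lines are "<context> <path>", the format printed by
#   stat -c '%C %n' /path/to/web_agents/apache2x_agent/lib/*

# Print the path of every .so file whose SELinux type is not lib_t.
mislabeled_libs() {
    while read -r context path; do
        # Only shared libraries matter for the 'Permission denied' failure.
        case "$path" in *.so) ;; *) continue ;; esac
        # Skip entries without a real context (stat prints "?" when
        # SELinux is disabled or the file system carries no labels).
        case "$context" in *:*:*) ;; *) continue ;; esac
        # A context is user:role:type[:level]; the level may itself
        # contain ':' (e.g. s0:c0.c1023), so take field 3 only.
        setype=$(printf '%s\n' "$context" | cut -d: -f3)
        [ "$setype" = "lib_t" ] || printf '%s\n' "$path"
    done
}

# Emit, per mislabeled file, the two commands from the release notes:
# chcon fixes the label now, semanage records it for later relabels.
fix_commands() {
    mislabeled_libs | while read -r path; do
        printf 'chcon -t lib_t "%s"\n' "$path"
        printf 'semanage fcontext -a -t lib_t "%s"\n' "$path"
    done
}

# Constructed sample input (hypothetical file names and contexts).
LIBDIR=/path/to/web_agents/apache2x_agent/lib
SAMPLE="unconfined_u:object_r:usr_t:s0 $LIBDIR/libagent_a.so
system_u:object_r:lib_t:s0 $LIBDIR/libagent_b.so
unconfined_u:object_r:user_home_t:s0:c0.c1023 $LIBDIR/libagent_c.so
? $LIBDIR/libagent_d.so
unconfined_u:object_r:usr_t:s0 $LIBDIR/README"

# Review the printed commands before running them as root.
printf '%s\n' "$SAMPLE" | fix_commands
```

On a real host, replace the sample with the live `stat` output piped into `fix_commands`.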

I'll be trying the new agent as soon as I wrap up testing OpenAM 11.0.

