

Policy Server Fails to Initialize Java Virtual Machine on Red Hat AS 3.0 (44649) (44971)

On Red Hat Linux Enterprise AS 3.0 with Update 5, the Policy Server may fail to initialize the Java Virtual Machine when running on a multi-processor machine. As a result, the following SiteMinder functionality does not work:

This problem is caused by an incompatibility between the Sun JDK on Linux and Red Hat's ExecShield, a kernel-based security feature. A work-around is to disable the ExecShield in the Linux SMP kernel only.

To decide if you want to disable the ExecShield, see Red Hat's "New Security Enhancements in Red Hat Enterprise Linux v.3, update 3" at http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf.

To disable ExecShield in the Linux SMP kernel only

  1. In the /etc/grub.conf file, set the noexec=off kernel parameter on the kernel line of the SMP kernel entry only, as shown in the following example:

    title Red Hat Enterprise Linux AS (2.4.21-32.ELsmp)
    root (hd0,0)
    kernel /vmlinuz-2.4.21-32.ELsmp ro root=LABEL=/ noexec=off
    initrd /initrd-2.4.21-32.ELsmp.img

  2. Reboot the machine.
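
The following check is an added example, not part of the original documentation: it audits a grub.conf and confirms that noexec=off is applied to SMP kernel entries only, so ExecShield stays enabled for every other kernel. It assumes that SMP kernel images have a file name ending in "smp" and that the workaround is intended on the host; audit_noexec and sample_grub_conf are hypothetical names, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the SiteMinder documentation).
# audit_noexec [FILE]  - reads FILE, or stdin when FILE is omitted.
# Prints "STATUS<TAB>kernel-image" for every kernel line:
#   OK        SMP kernel with noexec=off, or non-SMP kernel without it
#   MISSING   SMP kernel without noexec=off (workaround not applied)
#   UNSCOPED  non-SMP kernel with noexec=off (ExecShield off too broadly)
#   FUSED     noexec=off glued to another argument, so it is not parsed
# Returns 0 only when every entry is OK.
# Assumption: an SMP kernel image is one whose file name ends in "smp".
audit_noexec() {
    awk '
        $1 == "kernel" {
            image = $2; exact = 0; fused = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "noexec=off") exact = 1
                else if (index($i, "noexec=off") > 0) fused = 1
            }
            smp = (image ~ /smp$/)
            if (fused)              status = "FUSED"
            else if (smp && !exact) status = "MISSING"
            else if (!smp && exact) status = "UNSCOPED"
            else                    status = "OK"
            if (status != "OK") bad = 1
            printf "%s\t%s\n", status, image
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample: workaround on the SMP entry, none on the uniprocessor entry.
sample_grub_conf() {
    cat <<'EOF'
default=0
title Red Hat Enterprise Linux AS (2.4.21-32.ELsmp)
    root (hd0,0)
    kernel /vmlinuz-2.4.21-32.ELsmp ro root=LABEL=/ noexec=off
    initrd /initrd-2.4.21-32.ELsmp.img
title Red Hat Enterprise Linux AS-up (2.4.21-32.EL)
    root (hd0,0)
    kernel /vmlinuz-2.4.21-32.EL ro root=LABEL=/
    initrd /initrd-2.4.21-32.EL.img
EOF
}

sample_grub_conf | audit_noexec    # on a host: audit_noexec /etc/grub.conf
```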

Option to Create Copies of Existing Policy Server Objects

When creating Policy Server objects in the Administrative UI, you have the option of creating a copy of an existing object of the same type. The copy option is not available for the following objects:

User Directory Limitations

The following user directory limitation exists:

ODBC User Store Failover

Given

A Policy Server is configured on Solaris to use two Oracle-based user stores: one is the primary user store and the other is the secondary user store.

Result

If a network failure occurs, the Policy Server may take as long as 8 minutes to fail over from the primary user store to the secondary.

Solution

This time can be reduced by setting the TCP/IP parameter tcp_ip_abort_interval to the desired time.

Perl Scripting Interface Limitations

The following Perl scripting interface limitations exist:

Perl use Statement for PolicyMgtAPI Must Come Before Use Statement for AgentAPI (24755)

On Solaris, a core dump results if you call use for AgentAPI before you call use for PolicyMgtAPI. If you are calling use for both modules, do so in the following order:

Methods that Return Arrays May Return undef in a One-Element Array (28499)

With methods that return an array, undef should be returned if an error occurs or there is nothing to return. However, these methods may incorrectly return a one-element array with the first element set to undef.

Perl Scripting Interface and Multi-valued Agent Configuration Parameters (37850)

The Perl Scripting Interface does not support setting multi-valued Agent configuration parameters.

Japanese Policy Server Limitations

The following Japanese Policy Server limitation exists:

Agent Shared Secrets are Limited to 175 Characters (30967, 28882)

A Shared Secret for a SiteMinder Agent in a Japanese operating system environment may have no more than 175 characters.