Access Manager 4.1 Release Notes

March 2015

Access Manager 4.1 includes new features, enhancements, improves usability, and resolves several previous issues.

Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Manager forum on Qmunity, our community Web site that also includes product notifications, logs, and product user groups.

For information about the previous release, see Access Manager 4.0 SP1 Hotfix 3 Release Notes.

For more information about this release and for the latest release notes, see the Documentation page. To download this product, see the Product Upgrade page.

1.0 What’s New?

Access Manager 4.1 provides the following key features, enhancements, and fixes in this release:


The SSL VPN component is removed from Access Manager 4.1 onwards. After you upgrade to Access Manager 4.1, manually remove the referenced proxy services and protected resources. Access Manager indicates the Access Gateway cluster health in yellow if you do not remove the referenced proxy services and protected resources.

1.1 New Features

This release introduces the following new features:

Risk-Based Authentication

This release introduces an authentication technique called Risk-based authentication.Risk-based authentication provides context-aware access control that acts to balance the level of trust against risk. It enables organizations to address access-related risks while improving the user experience. Risk-based authentication allows runtime validation of an access request, and then take an appropriate actions such as asking for advanced authentication or denying access. For more information about configuring Risk-based authentication, see “Risk-Based Authentication”.

OAuth And OpenID Connect

This release introduces support for OAuth and OpenID Connect. OAuth 2.0 is an open protocol to allow secure authorization. It enables users to allow third-party clients to access users’ private resources. Users do not need to share their credentials. The third-party clients can be web applications, mobile phones, handheld devices, and desktop applications. OAuth provides a method to issue Access tokens to third-party clients with the user's approval. The third-party client can then use the Access token to access protected resources hosted by the resource server.OAuth allows users to control the access to web resources by scope, action, and time. Access Manager uses OpenID Connect along with OAuth. OpenID Connect implements a single sign-on protocol on top of the OAuth authorization process. It allows clients to verify the identity of a user based on the authentication performed by the Identity Server (authorization server). It also allows client applications to obtain a user’s basic profile information. For more information about configuring OAuth and OpenID Connect, see Configuring OAuth and OpenID Connect.

Code Promotion

Code Promotion helps you replicate the configuration data of Access Manager from one setup to another. You can export the configuration data as a password-protected encrypted file, then import this file into another Access Manager system and seamlessly replicate the configuration into the target system.The exported configuration data includes generic Identity Server cluster configuration, customization files, proxy services, protected resources, and policy configuration. This exported data is independent of the device specific data and network specific data. Therefore, you can use Code Promotion to replicate configuration between two Access Manager systems that are in different networks, with a different number of devices, and with different user stores. For more information about Code Promotion, see Code Promotion.


Access Manager uses Sentinel Solution Pack to generate reports. This solution pack consists of predefined report definitions. Access Manager requires NetIQ Sentinel or Sentinel Log Manager to use this feature. You can use these reports to analyze users’ accesses to applications protected by Access Manager, in auditing, and for compliance purposes. For more information about Reporting, see Reporting.

Support to Launch Login Pages on a Handheld Device

With this feature, the mobile login pages become more responsive. You can customize the logo and the header size for better readability on a hand-held device. For more information about how to customize the mobile login page, see Customizing the Identity Server Login Page.

Simplified Mobile Access Integration

With this feature, integration with the Mobile Access is simplified. You do not need to log in to the Administration Console to configure any settings. For more information about using Mobile Access with Access Manager, see Using NetIQ® CloudAccess as a Trusted Identity Provider for NetIQ® Access Manager.

1.2 Operating System Support

In addition to the platforms introduced in Access Manager 4.0 SP1 release, this release adds support for the following platforms:

  • RHEL 6.6 and RHEL 7.0

  • SLES 12

1.3 Updates for Dependent Components

This release adds support for the following dependent components:

NOTE:On Windows, the Administration Console and Identity Server use Tomcat version 7.0.56. The Tomcat version is not upgraded to version 8.0.18 due to dependency on iManager. On Linux, only the Administration Console is not upgraded to the latest Tomcat version.

Access Manager 4.1 by default supports Tomcat 8.0.18 and OpenSSL 1.0.1m. Due to this, the Identity Server and Access Gateway disable requests from clients that are on versions lower than TLS1. However, the Access Gateway can continue communication with web servers that are on versions lower than TLS1.

1.4 Browser Support

This release adds support for latest versions of the following browsers:

  • Internet Explorer 11 (Non Metro UI)

  • Chrome

1.5 Enhancements

This release introduces the following enhancements:

Capability to Bookmark a Protected Resource

In this release, you can bookmark a protected resource. The Identity Server login page now includes a target in the URL. When you try to log in to the resource that is bookmarked, Access Manager authenticates you and redirects you to the resource.If you have bookmarked a resource earlier, ensure that you update the existing bookmark with the new one.

NOTE:You cannot bookmark a login page that is used in a federation setup.

Office 365 Support for Multi-Domains

In this release, you can configure Office 365 to support multiple domains. This is achieved by using STS_OFFICE365_MULTI_DOMAIN_SUPPORT_AUTO parameter in the file. This ensures that if you have users included in different domains, these users can access Office 365 services using the Issuer URI specific their domain. For more information about configuring Office 365 service, see Configuring Federation with Office 365 Services for Multiple Domains.

Encryption of Access Gateway Session Cookie

The Access Gateway session cookie sent as a query parameter during cross-domain authentication is encrypted to prevent security issues. For additional security, you can change the default key used for this encryption by using the NAGSessionKey advanced option. For more information about this advanced option, see Advanced Access Gateway Options.

Updating Session ID After Authentication

The session fixation issue is fixed by updating the session ID after authentication. Post authentication, the session ID is regenerated each time. For more information about the Advanced Access Gateway option, see Advanced Access Gateway Options. For more information about the Identity Server Advanced option, see Enabling Secure Cookies.

Single Sign-On to Office 365 By Using the Latest Version of iOS Apps

This release introduces an enhancement that allows you to single sign-on from latest iOS apps version to Office 365. For more information see, Configuring Single Sign-On for Office 365 Services.

Facility to Encode the Attribute Value

This release provides different options to encode the values of attributes in an attribute set. The available encoding options are: Special Characters Encoded, Not Encoded and Entire Value Encoded.

HTML Rewriter Supports IPP Protocol For Print

The HTML Rewriter now supports Internet Printing Protocol (IPP) protocol. This enables printing through NetIQ Access Manager.

1.6 Fixed Issues

This release includes software fixes for the following components:

Administration Console

The following issues are fixed in the Administration Console component:

Existing Access Privileges of Delegated Administrators are Revoked If a New Node is Added to the Cluster

Issue: If you add a new node in a cluster, Access Manager revokes the existing access rights of delegated administrators. [Bug 891068]

Fix: This issue is resolved now and the existing privileges of delegated administrators are not revoked even if a new node is added to the cluster.

Curly Bracket in the URL Leads to Policy Evaluation Failure and User is Logged Out

Issue: If the protected resource URL contains an unescaped curly bracket ({}) it leads to a policy evaluation failure and the user is denied access. [Bug 885682]

Fix: This issue is fixed and now unescaped curly brackets are allowed in authorization policy URLs.

Identity Server

The following issue is fixed in the Identity Server component:

Certificate Validation is Unsuccessful During SAML Assertions

Issue: The validation of expired certificate is unsuccessful in SAML assertions. [Bug 899649]

Fix: This issue is now resolved as the SAML assertions with expired certificates are rejected.

Access Gateway

The following issues are fixed in the Access Gateway component:

Authentication Error in Office 2013 Files

Issue: Multiple authentication errors are seen while accessing Office 2013 files. [Bug 899905]

Fix: This issue is resolved now and the users can access Office 2013 files seamlessly in Access Manager.

Login Form Does Not Support the .doc Extension

Issue: The Form Fill policy is not processed when the Login Form has the .doc file extension. [Bug 889599]

Fix: This issue is now resolved and the Login Form supports the .doc extension.

Frequent Crashes Due to ActiveMQ API

Issue: The Apache HTTPd crashes frequently due to the ActiveMQ API. [Bug 865204]

Fix: This issue is resolved and the ActiveMQ API no longer crashes.

Form Fill Policy Fails Intermittently

Issue: The Form Fill policy fails intermittently due to heavy load. [Bug 916540]

Fix: This issue is now resolved by adding conditions to re-evaluate Form Fill policy during null response under load conditions.

HttpOnly Flag is Not Set On Non-ESP Proxy

Issue: The HttpOnly flag is not set on non-ESP proxy even after you enable it globally and on the proxy service. [Bug 899885]

Fix: This issue is resolved now as the HttpOnly flag is set correctly on non-ESP.

Form Fill Masking Fails to Re-Calculate Valid Content Length

Issue: When Form Fill masking is enabled, Access Gateway fails to re-calculate content length after the data is unmasked. This leads to SSO failure. [Bug 899135]

Fix: This issue is resolved now as the content length is getting re-calculated correctly.

Custom Policy Injects Incorrect Values

Issue: The Custom policy injects incorrect values even after the attribute is updated. [Bug 865775]

Fix: This issue is resolved now and the Custom policy injects updated attribute values.

Host HTTP Header Attack

Issue: In the Access Gateway, a Host HTTP Header attack exists. An additional HTTP header is added with the original header. This header redirects you to a malicious URL. [Bug 905262]

Fix: This issue is resolved now as the Access Gateway in no longer susceptible to host HTTP Header attack.

2.0 Installing or Upgrading

After purchasing Access Manager 4.1, log in to the NetIQ Downloads page and follow the link that allows you to download the software. The following files are available:

Table 1 Files Available for Access Manager 4.1.




Contains the Identity Server, the Administration Console for Linux.


Contains the Identity Server and the Administration Console for Windows Server.


Contains the Access Gateway Appliance iso.


Contains the Access Gateway Appliance tar file.


Contains the Access Gateway Service for Windows Server.


Contains the Access Gateway Service tar file.

3.0 Supported Upgrade Paths

To upgrade to Access Manager 4.1, you need to be either on Access Manager 3.2 Service Pack 2 or higher or on Access Manager 4.0 or higher

From 3.2.x:

  • 3.2 Service Pack 2

  • 3.2 Service Pack 2 IR1

  • 3.2 Service Pack 2 IR2

  • 3.2 Service Pack 2 IR3

  • 3.2 Service Pack 3

  • 3.2 Service Pack 3 HF1

From 4.0.x:

  • 4.0

  • 4.0 HF1

  • 4.0 HF2

  • 4.0 HF3

  • 4.0 Service Pack 1

  • 4.0 Service Pack 1 HF1

  • 4.0 Service Pack 1 HF2

  • 4.0 Service Pack 1 HF3

For more information on upgrading Access Manager 4.1, see UpgradingAccess Manager.

4.0 Verifying Version Numbers

To ensure that you have the correct version of files before you upgrading to Access Manager 4.1, verify the existing Access Manager version.

4.1 Verifying Version Number Before and After Upgrading to 4.1

Before upgrading, it is important to verify the version number of the existing Access Manager components. This ensures that you have the correct version of files on your system.

After upgrading to Access Manager 4.1, verify that the version number of the component is indicated as in the Version field.

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Risk-Based Cookie is not Created if the Primary Authentication Method is Same for Primary and Secondary Authentication Contract

Issue: If you have successfully authenticated using additional authentication, a cookie is not created if both the primary and secondary contracts have the same primary authentication method. [Bug 920988]

Workaround: While configuring the primary and secondary authentication contracts, ensure that the contracts do not use the same primary authentication method.

5.2 Rule Execution Fails if an IP Address Rule is Configured Using IP Subnet Condition

Issue: When you configure an IP Address Rule using IP Subnet Condition the rule execution fails even though the IP subnet is valid. [Bug 897927]

Workaround: It is not possible to configure a rule using the IP subnet condition. Instead, use the IP range condition if you want to configure an IP address rule with an IP subnet condition.

5.3 The HTTP Rewriter Rewrites the SRC URL Incorrectly

Issue: The HTTP Rewriter rewrites SRC URL incorrectly when the links are from different HTTP chunks. This is a random issue. [Bug 884593]

Workaround: None.

5.4 Memory Leak Leads to HTTPd Crash

Issue: The HTTPd crashes due to frequent graceful restarts. This is due to the increase in the size of the memory leaks that occurs during each graceful restart. [Bug 916011]

Workaround: Disable graceful restart by applying the following configuration change.

Locate /opt/novell/nam/mag/webapps/agm/WEB-INF/ and change the command to linux.apache.command.gracefulrestart command=restart. You have to reconnect to regain the existing connections while applying changes.

5.5 An Error Message Is Not Displayed When the Backend Server Is Unavailable

Issue: Access Manager does not display any error message when the backend server is unavailable. [Bug 869274]

Workaround: In the error document /opt/novell/apache2/share/apache2/error/HTTP_SERVICE_UNAVAILABLE.html.var, change the $REDIRECT_URL value to /\/$ instead of /\/$/.

5.6 The amdiagcfg Stylesheet Does Not Include Access Manager 4.1 Feature Configurations

Issue: The amdiagcfg stylesheet does not include configuration details of features introduced in Access Manager 4.1. [Bug 922011]

Workaround: None.

6.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.