Access Manager 4.3 Service Pack 1 Release Notes

February 2017

Access Manager 4.3 Service Pack 1 (4.3.1) includes enhancements, improves usability, and resolves several previous issues.

Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Manager forum on our community website that also includes product notifications, blogs, and product user groups.

For information about the previous release, see Access Manager 4.3 Release Notes.

For more information about this release and for the latest release notes, see the Documentation page. To download this product, see the Product Upgrade page.

The general support for Access Manager 4.3 ends on 31st May 2018. For more information, see the Product Support Lifecycle page.

1.0 What’s New?

Access Manager 4.3.1 provides the following enhancement and fixes in this release:

1.1 Operating System Support

In addition to the existing supported platforms, this release supports installation of Access Manager components on the following platforms:

  • RHEL 7.3

  • SLES 12 SP2

1.2 Updates for Dependent Components

This release adds support for the following dependent components:

  • eDirectory

  • Java 1.8.0_121

  • OpenSSL 1.0.2k

  • Tomcat 8.0.39

  • iManager

NOTE:Access Manager 4.3.1 by default supports Tomcat 8.0.39 and OpenSSL 1.0.2k. However, Administration Console uses Tomcat version 7.0.68 due to dependency on iManager.

1.3 Browser Support

For accessing Access Gateway and Identity Server: This release adds support for the latest versions of the following browsers:

  • Internet Explorer

  • Chrome

  • Firefox

  • Safari

For accessing user portal and Administration Console: This release adds support for the following versions of the browsers:

  • Chrome 56.0.2924.87

  • Firefox 51.0.1

  • Internet Explorer 11.576.14393.0 Update Versions 11.0.38 (KB32033621)

  • Edge 38.14393.0.0/ EdgeHTML 14.14393 (only for user portal)

1.4 Enhanced Analytics Dashboard

This release introduces the following graphs in addition to the existing graphs:

  • Most Accessed Users

  • Client IP Addresses

  • Most Used Contracts

  • Failed Authentications

For information about enabling the required audit events, see Enabling Events for Each Graph.

1.5 Fixed Issues

This release includes software fixes for the following components:

Administration Console

The following issue is fixed in Administration Console:

The Administration Console Configuration Is Not Restored When You Change the Hostname

Issue: While restoring the Administration Console configuration by using amrestore, the restore fails if youspecify a different hostname. This happens because the hostname in the Certificate Authority (CA) also gets changed and does not match with the one that was originally specified. Hence, amrestore fails and you cannot restore Administration Console. [Bug 1009556]

Fix: This issue is fixed. The hostname in CA remains unchanged even when you change the hostname.

Identity Server

The following issues are fixed in Identity Server:

Issue with the Kerberos Fall Back Contract When Used with Name/ Password Authentication

Issue: When you configure the Kerberos fall back by using name and password authentication class, Access Manager allows authentication by using the default contract, but does not redirect the request to resource server.

Hence, users cannot access a resource server even when they are authenticated by using the default contract. [Bug 899646]

Fix: This issue is resolved. The users can access the resource server when Kerberos fall back contract is configured.

WS Federation Fails for .Net Applications

Issue: When a .NET WS-Federation service provider federates with an Access Manager STS/ WS-Federation identity provider, an error occurs and federation fails. This happens when you import the metadata to the .Net service provider. [Bug 918163]

Fix: This issue is resolved. The WS-Federation metadata can be obtained by using Samlv2Meta as described in the WS-Federation 1.1 and 1.2 specification. Also, to obtain the metadata, use the <base-url>/nidp/wsfed/metadata?type=Samlv2Meta URL format.

The Mobile device registration contract Field Allows Only the Username and Password Contract

Issue: In the Mobile device registration contract field, the only contract available is the username and password contract. [Bug 998693]

Fix: This issue is resolved. You can choose any required contract under Mobile device registration contract field.

The Kerberos Fall Back Login Page Does Not Display the New Portal with Customized Branding

Issue: When Kerberos fails, the fall back authentication login page does not show the custom branding.[Bug 1003919]

Fix: This issue is resolved. The fall back login page displays the custom branding.

The AuthnContextCLassRef Statement Does Not Match with that of the Service Provider

Issue: When Access Manager is a service provider, it cannot set custom authentication class references in AuthnRequest's AuthnContextClassRef element during spsend. This happens because the SAML 2.0 identity provider authentication card allows to configure only fixed set of authentication types when Requested By is set to Use Types.[Bug 1001488]

Fix: This issue is resolved with the introduction of the SAML 2 CUSTOM AUTHNCONTEXT CLASS REF LIST advance option. In Identity Server configuration, click SAML 2.0 > IDP name > Configuration > options > New, set SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST to specify one or more custom authentication class references. You can use the delimiter, &,to specify more than one references.

Risk-based Authentication Step Up Never Shows Executed Method within its Own Context

Issue: When you configure the step up authentication using the risk contract, the step up method is displayed inside the primary method’s context. [Bug 1005305]

Fix: This issue is resolved. The step up method is shown in its own context, not inside the primary method's context.

Access Gateway

The following issues are fixed in Access Gateway:

The Access Gateway Logout Page Does Not Display the Customized Branding

Issue: When the branding of the User Portal page is changed, the Access Gateway logout page does not display those changes. [Bug 1019019]

Fix: The /AGLogout and /nesp/app/logout pages now display the branding as it is configured on the User Portal. For this fix to work, ensure that you update the Access Gateway configuration after changing the branding.

To update Access Gateway configuration, you can perform any one of the following:

  • Click Troubleshooting > Current Access Gateway Configurations > Re-push Current Configuration

  • Make some negligible changes to Access Gateway cluster to activate the update status, then click Update

  • Restart Access Gateway

Adding an IP Address to Access Gateway Appliance Removes the loopback Interface Configuration File

Issue: When you reboot an Access Gateway Appliance and update its configuration after adding a secondary IP address, the loopback interface configuration file, etc/sysconfig/network/ifcfg-lo, is removed. [Bug 1019022]

Fix: This issue is resolved. When you you reboot and update the AG configuration after adding the IP address to Access manager Appliance, the loopback interface is not removed.

A Mangled Cookie Includes Multiple Values

Issue: When accessing protected resources in the same domain, multiple values get assigned to a mangled cookie. [Bug 1009962]

Fix: This issue is resolved. A mangled cookie includes only the latest cookie value.

Access to a Secure Web Server Fails with Unknown CA After Upgrading to Access Manager 4.3

Issue: When users access the secure web servers, the browser displays the 502 error instead of launching the application. This happens because there was an issue with calculating the certificate hash. [Bug 1010876]

Fix: This issue is resolved. After upgrading to Access manager 4.3.1, the certificate hash is calculated properly.

Cannot Disable the HTTP Strict Transport Security Protocol on Access Gateway After Upgrading to Access Manager 4.3

Issue: After upgrading Access Manager to 4.3, you cannot disable the HTTP Strict Transport Security (HSTS) on Access Gateway. [Bug 1011260]

Fix: The issue is resolved. A new global advanced option, SetStrictTransportSecurity, is introduced to disable and enable HSTS now as the Access Gateway injects the modified attributes.

Additional Characters Are Introduced When Adding the Post Data for Parking

Issue: Access Gateway adds extra bytes when parking the post data that results in invalid content-length to post the data. [Bug 1014817]

Fix: This issue is resolved. The extra bytes are not added when parking the post data and content-length is correct to post the data.

For more information about this issue and its resolution, see TID 7018493.

Cannot Inject LDAPCredentials to Back-End Servers When the PreAuthRiskBasedAuthenticationClass Contract is Executed

Issue: When a contract contains PreAuthRiskBasedAuthenticationClass, you cannot inject LDAPCredentials to the back-end web servers. [Bug 1022068]

Fix: The issue is resolved. LDAPCredentials are cached and can be injected into backend servers even for PreAuthRiskBasedAuthenticationClass contract.

2.0 Installing or Upgrading

After purchasing Access Manager 4.3.1, log in to the NetIQ Downloads page and follow the link that allows you to download the software. The following files are available:

Table 1 Files Available for Access Manager 4.3




Contains Identity Server and Administration Console .tar file for Linux.


Contains Identity Server and Administration Console .exe file for Windows Server.


Contains Access Gateway Appliance .iso file.


Contains Access Gateway Appliance .tar file.


Contains Access Gateway Service .exe file for Windows Server.


Contains Access Gateway Service .tar file for Linux.


Contains Analytics Server Appliance .iso file.

For information about the upgrade paths, see Section 3.0, Supported Upgrade Paths. For more information about installing and upgrading, see the NetIQ Access Manager 4.3 Installation and Upgrade Guide.

3.0 Supported Upgrade Paths

To upgrade to Access Manager 4.3.1, you need to be on one of the following versions of Access Manager:

  • 4.1.x

    • 4.1 Service Pack 2 Hotfix 1

  • 4.2.x

    • 4.2 Service Pack 2

    • 4.2 Service Pack 3

  • 4.3

For more information about upgrading Access Manager, see UpgradingAccess Manager in the NetIQ Access Manager 4.3 Installation and Upgrade Guide.

4.0 Verifying Version Number After Upgrading to 4.3.1

After upgrading to Access Manager 4.3.1, verify that the version number of the component is indicated as To verify the version number, perform the following steps:

  1. In Administration Console Dashboard, click Troubleshooting > Version.

  2. Verify that the Version field lists

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Backup and Restore Fails After Upgrading Operating System from SLES 12.1 to 12.2 Generates Error

Issue: After upgrading SLES 12.1 to 12.2, the and commands fail to execute in Administration Console. An error is logged in their respective log files. [Bug 1022984]

Workaround: Run the following commands in Administration Console in the following order:

  • ldconfig



5.2 ESP Global Option Configuration Does Not Work at the First Attempt

Issue: When you configure an ESP global option, it does not get applied to all Access Gateway ESPs at the first attempt. This is an intermittent issue. Also, if you disable a specific option by adding pound symbol (#), it may get deleted from the list. [Bug 1002542]

Workaround: Re-configure the ESP global options. If you require to add a pound symbol to any option for later use, copy and save the option from the list to a file and use it when required.

5.3 Invalid Value Error When Adding a New Rule for OAuth in an Identity Injection Policy

Issue: When you add a new rule for OAuth in the identity injection policy, the older values display the Invalid value message. This is an intermittent issue. [Bug 1003262]

Workaround: Cancel the modification and reopen the policy for editing.

5.4 The Modifications Done in the Legacy SAML2 Page Does Not Synchronize with the Value in the Applications Interface

Issue: After a SAML 2.0 application is created by using Applications under Administration Tasks, the applications task may not reflect the values of settings that are modified by using the legacy page, which is, under the SAML 2.0 tab of the identity provider cluster. [Bug 1022909]

Workaround: There is no workaround, but if the metadata is modified using the legacy SAML 2.0 page, avoid further changes to the Application Connector Setup section in the Applications task to avoid overwriting the metadata that was manually configured in the legacy page.

5.5 Identity Server Returns Insecure Additional HTTP Cookies

Issue: Identity Server returns insecure additional HTTP cookies. This happens because Tomcat sets additional cookies that are not enabled with secure flag. [Bug 999087]

Workaround: Add the following in the web.xml file of Identity Server at /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml:


6.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.