Access Manager Appliance 4.4 Service Pack (4.4.1) includes enhancements, improves usability, and resolves several previous issues.
Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Manager forum on our community website that also includes product notifications, blogs, and product user groups.
For information about the previous release, see Access Manager Appliance 4.4 Hotfix 1 Release Notes.
For more information about this release and for the latest release notes, see the Documentation page. To download this product, see the Product page.
For information about Access Manager support lifecycle, see the Product Support Lifecycle page.
The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:
This release introduces the following enhancements:
This release introduces a demo interface that simplifies the Access Manager configuration process for the Business-to-Consumer (B2C) capabilities.
This demo provides a single page to configure Access Manager-side options that are required for enabling B2C. You do not need to configure various settings on multiple pages, as was required in Access Manager 4.4. Using the demo wizard, you can configure the following items for B2C in Access Manager:
Reverse proxy
Certificate
Virtual attribute
Advanced Authentication server configuration
Self Service Password Reset server configuration
Identity Injection policies for Advanced Authentication and Self Service Password Reset
Risk-based policy
For more information, see Business To Consumer Wizard: Sample Configuration in the NetIQ Access Manager Appliance 4.4 Administration Guide.
You can now use the hybrid flow for OpenID Connect authentication. For more information about this flow, see Authentication by Using Hybrid Flow in the NetIQ Access Manager Appliance 4.4 Administration Guide.
For information about using the hybrid flow for requesting and getting responses, see the API documentation.
This release supports invisible reCAPTCHA. For information about invisible reCAPTCHA, see Google developer guide for reCAPTCHA.
This release adds support for the following dependent components:
eDirectory 9.0.4
Java 1.8.0_162
NOTE: Java 1.8.0_162 supports the TLS Session Hash and Extended Master Secret extension (RFC 7627). This provides an additional security layer for TLS/SSL communications. This additional security may slow the loading of the user portal login page. For an environment that does not require the additional security, perform the steps in Section 5.4, The User Portal Login Page Takes Longer Time to Load.
Apache 2.4.29
OpenSSL 1.0.2n
Tomcat 8.0.48
iManager 3.0.4
NOTE: Access Manager 4.4.1 supports Tomcat 8.0.48 and OpenSSL 1.0.2n by default, but Administration Console uses Tomcat 8.0.45 because of a dependency on iManager.
Access Manager 4.4.1 includes software fixes for the following components:
The following issues are fixed in Identity Server:
Cross-Site Request Forgery (CSRF) on User Portal Login Page (CVE-2018-7677). For more information, see TID 7022725.
Access Manager Shows Digesting and Signing SAML Assertions with SHA1 Algorithms
Office 365 Applications Cannot Render Default Login Page with Access Manager
Hibernation Code Gives an Exception When Accessing or Adding Device Fingerprint
Identity Server Does Not Accept Passwords Containing Accents over Letters (åäö) Correctly
The Login Page Does Not Render Properly After a Kerberos Authentication Method Failure
SAML 2 Token Does Not Include the Format Attribute When Using WS-Trust for Authentication
Identity Server Throws a Null Pointer Exception on WS-Federation Logout Request
BasicSSO Connector Fails with MobileAccess but Works with Browser Based Portal
If you set the SAML advanced option SAML2 SIGN METHODDIGEST SHA256 to false, the signature method and the digest method in the assertion sent to the service provider use the SHA1 algorithm. (Bug 1071072)
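To verify on the service-provider side which algorithms an Identity Server actually used after changing this option, the following added example (not NetIQ code) parses a SAML 2.0 document, lists the SignatureMethod and DigestMethod algorithms of every XML signature it contains, and flags the SHA1-based ones. The assertion embedded in it is a constructed minimal fragment with placeholder signature and digest values, so it is suitable for algorithm inspection only, not for signature verification.

```python
"""Audit the signature and digest algorithms used in SAML 2.0 messages.

Added example, not NetIQ code. SAMPLE_SHA1 is a constructed fragment with
placeholder signature/digest values; only the Algorithm attributes matter here.
"""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"          # Clark notation for the xmldsig namespace
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
WEAK = {RSA_SHA1, SHA1}                                # algorithms to report

# Constructed assertion signed the way the SHA256 option set to false would produce.
SAMPLE_SHA1 = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-1">
  <saml:Issuer>https://idp.example.test/nidp/saml2/metadata</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_constructed-1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""

# The same assertion as it should look with the option left at true (SHA256).
SAMPLE_SHA256 = (SAMPLE_SHA1
                 .replace('Algorithm="' + RSA_SHA1 + '"', 'Algorithm="' + RSA_SHA256 + '"')
                 .replace('Algorithm="' + SHA1 + '"', 'Algorithm="' + SHA256 + '"'))


def signature_algorithms(xml_text):
    """Return one dict per ds:Signature found anywhere in the document
    (a Response may carry its own signature besides the Assertion's)."""
    root = ET.fromstring(xml_text)
    found = []
    for sig in root.iter(DS + "Signature"):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        digests = [d.get("Algorithm") for d in
                   sig.findall(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")]
        found.append({"signature": method.get("Algorithm") if method is not None else None,
                      "digests": digests})
    return found


def weak_algorithms(xml_text):
    """List the SHA1-based algorithm URIs in use; an empty list means none.
    An unsigned document is reported explicitly so it is never silently passed."""
    signatures = signature_algorithms(xml_text)
    if not signatures:
        return ["unsigned"]
    weak = []
    for sig in signatures:
        for alg in [sig["signature"], *sig["digests"]]:
            if alg in WEAK:
                weak.append(alg)
    return weak


if __name__ == "__main__":
    for label, doc in (("SHA1 sample", SAMPLE_SHA1), ("SHA256 sample", SAMPLE_SHA256)):
        print(label, "->", weak_algorithms(doc) or "no weak algorithms")
```

Run the script against a captured assertion (for example one decoded from a SAMLResponse parameter) to confirm the signing and digest algorithms before and after changing the option.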
Assigning a new encryption certificate to a service provider does not change the encryption algorithm in the metadata for IDPSSODescriptor. (Bug 1065934)
Javascript errors on login page prevent the proper display of Access Manager default login page. (Bug 1044092)
Identity Server throws errors when loading roles for users during Risk-Based Authentication because the roles are unavailable. (Bug 1068726)
A filter is added to the web.xml file to allow the Identity Server to accept the passwords that contain accents over letters. (Bug 1042866)
In the web.xml file, uncomment or add the following content to enable this filter. This filter is disabled by default.
<filter>
    <filter-name>EncodingFilter</filter-name>
    <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>EncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
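The following added example (not NetIQ code) checks that a web.xml declares and maps the EncodingFilter with UTF-8 as shown above, and shows why the filter is needed: without it, Tomcat 8 decodes POST parameters as ISO-8859-1, so the UTF-8 bytes of a password such as "påss" are turned into a different string and the login fails. The WEB_XML text is a constructed fragment; the real file has more content, and the helpers ignore the XML namespace so they work on it as well.

```python
"""Verify the UTF-8 EncodingFilter in a web.xml and demonstrate the encoding issue.

Added example, not NetIQ code. WEB_XML is a constructed fragment.
"""
import xml.etree.ElementTree as ET
from urllib.parse import unquote_to_bytes

FILTER_CLASS = "org.apache.catalina.filters.SetCharacterEncodingFilter"

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>EncodingFilter</filter-name>
    <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
    <init-param>
      <param-name>encoding</param-name>
      <param-value>UTF-8</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>EncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""
# Same file with the filter commented out, which is the shipped default.
WEB_XML_DISABLED = (WEB_XML.replace("<filter>", "<!-- <filter>")
                           .replace("</filter-mapping>", "</filter-mapping> -->"))


def _local(tag):
    """Strip the namespace from a tag, e.g. '{ns}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def encoding_filter_status(web_xml_text):
    """Return (declared_with_right_class, encoding, url_patterns) for EncodingFilter."""
    root = ET.fromstring(web_xml_text)
    declared, encoding, patterns = False, None, []
    for elem in root.iter():
        if _local(elem.tag) == "filter" and _child_text(elem, "filter-name") == "EncodingFilter":
            declared = _child_text(elem, "filter-class") == FILTER_CLASS
            for param in elem:
                if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "encoding":
                    encoding = _child_text(param, "param-value")
        elif _local(elem.tag) == "filter-mapping" and _child_text(elem, "filter-name") == "EncodingFilter":
            patterns.append(_child_text(elem, "url-pattern"))
    return declared, encoding, patterns


def filter_enabled(web_xml_text):
    """True only if the filter is declared, uses UTF-8 and is mapped to every URL."""
    declared, encoding, patterns = encoding_filter_status(web_xml_text)
    return declared and (encoding or "").upper() == "UTF-8" and "/*" in patterns


def decode_form_value(raw, charset):
    """Decode a percent-encoded form field with the given request charset,
    as the servlet container does (ISO-8859-1 unless the filter sets UTF-8)."""
    return unquote_to_bytes(raw).decode(charset)


if __name__ == "__main__":
    print("filter enabled:", filter_enabled(WEB_XML), "/ disabled copy:", filter_enabled(WEB_XML_DISABLED))
    # A browser sends "påss" as p%C3%A5ss; only the UTF-8 decode recovers it.
    print("utf-8:", decode_form_value("p%C3%A5ss", "utf-8"), "iso-8859-1:", decode_form_value("p%C3%A5ss", "iso-8859-1"))
```

Point encoding_filter_status at the contents of the Identity Server's web.xml after the upgrade to confirm the uncommented filter is complete; a filter declared without the matching filter-mapping is reported as not enabled.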
Issue: The fallback login page is not rendered properly after a Kerberos method authentication failure. (Bug 1003919)
Fix: The fallback login page now renders properly and retains customization as well. You no longer need to follow the configuration steps mentioned in TID 7015049.
When an STS client requests a SAML 2 token with WS-Trust, Identity Server does not include the Format attribute on the SAML 2 NameID element. Therefore, the service provider cannot consume the assertion. (Bug 1059129)
Identity Server does not validate the SAML 2 authentication request when a service provider sends signed SAML 2 AuthnRequest without embedding the X509 certificate. (Bug 1062578)
With this release, even if the SAML 2 AuthnRequest does not include the X509 certificate, Identity Server validates the request signature by using the service provider’s metadata.
The absence of the wtrealm parameter in the WS-Federation logout request causes Identity Server to throw a NullPointerException. (Bug 1016148)
With this release, the BasicSSO connectors are updated and work with MobileAccess. (Bug 1065025)
The following issues are fixed in Access Gateway:
The connection pool now gets initialized and multiple tunnel connections are allowed. (Bug 1062208)
The health process crashes when the health thread tries to unlock a mutex without checking whether it was locked. (Bug 1067954)
With this release, if the response contains multiple Strict-Transport-Security headers, one is passed on and the remaining headers are removed. (Bug 1033597)
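Browsers process only the first Strict-Transport-Security header in a response (RFC 6797, section 8.1), so a duplicated header from a back-end server can silently weaken the policy if the weaker one comes first. The following added example (not Access Gateway code) shows the same collapse-to-one behaviour in a proxy-style header pass and then reviews the surviving policy for a short max-age or missing includeSubDomains. ORIGIN_HEADERS is a constructed back-end response.

```python
"""Collapse duplicate HSTS headers as a reverse proxy would and review the survivor.

Added example, not Access Gateway code. ORIGIN_HEADERS is constructed.
"""

HSTS = "strict-transport-security"

# Constructed back-end response: a second, weaker HSTS header follows the first.
ORIGIN_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Strict-Transport-Security", "max-age=0"),
    ("Set-Cookie", "session=constructed; Secure; HttpOnly"),
]


def parse_hsts(value):
    """Parse an HSTS value into a dict of directives (names lower-cased,
    valueless directives mapped to True), following the RFC 6797 grammar."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def dedupe_hsts(headers):
    """Keep the first Strict-Transport-Security header, drop the rest.
    Returns (forwarded headers, list of removed HSTS values)."""
    kept, removed, seen = [], [], False
    for name, value in headers:
        if name.lower() == HSTS:
            if seen:
                removed.append(value)
                continue
            seen = True
        kept.append((name, value))
    return kept, removed


def hsts_findings(value, min_max_age=31536000):
    """Return a list of policy weaknesses in one HSTS value (empty if fine)."""
    directives = parse_hsts(value)
    findings = []
    if "max-age" not in directives:
        findings.append("missing max-age")
    else:
        try:
            age = int(directives["max-age"])
        except ValueError:
            findings.append("max-age not an integer")
            age = None
        if age is not None and age < min_max_age:
            findings.append(f"max-age {age} below {min_max_age}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings


def forward_headers(headers):
    """Dedupe HSTS and return (kept headers, removed values, findings on the kept HSTS)."""
    kept, removed = dedupe_hsts(headers)
    hsts_value = next((v for n, v in kept if n.lower() == HSTS), None)
    findings = hsts_findings(hsts_value) if hsts_value is not None else ["no HSTS header"]
    return kept, removed, findings


if __name__ == "__main__":
    kept, removed, findings = forward_headers(ORIGIN_HEADERS)
    print("forwarded:", kept)
    print("removed:", removed)
    print("findings:", findings or "none")
```

Logging the removed values is worthwhile in production: a back end that emits max-age=0 is trying to switch HSTS off, and the proxy dropping that header should be visible to whoever runs the back end.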
After purchasing Access Manager Appliance 4.4.1, log in to the NetIQ Downloads page and follow the link that allows you to download the software.
The following files are available:
Table 1 Files Available for Access Manager Appliance 4.4.1

Filename | Description
---|---
AM_44_SP1_AccessManagerAppliance.iso | Contains the Access Manager Appliance .iso file.
AM_44_SP1_AccessManagerAppliance.tar.gz | Contains the Access Manager Appliance .tar file.
AM_44_SP1_AnalyticsServerAppliance.iso | Contains the Analytics Server Appliance .iso file.
AM_44_SP1_AnalyticsServerAppliance.tar.gz | Contains the Analytics Server Appliance .tar file.
For information about the upgrade paths, see Section 4.0, Supported Upgrade Paths. For more information about installing and upgrading, see the NetIQ Access Manager Appliance 4.4 Installation and Upgrade Guide.
After upgrading to Access Manager Appliance 4.4.1, verify that the version number of the component is indicated as 4.4.1.0-148. To verify the version number, perform the following steps:
In Administration Console Dashboard, click Troubleshooting > Version.
Verify that the Version field lists 4.4.1.0-148.
To upgrade to Access Manager Appliance 4.4.1, you need to be on one of the following versions of Access Manager:
4.2 Service Pack 5
4.3 Service Pack 2
4.3 Service Pack 3
4.4
4.4 Hotfix 1
For more information about upgrading Access Manager Appliance, see Upgrading Access Manager Appliance in the NetIQ Access Manager Appliance 4.4 Installation and Upgrade Guide.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Section 5.1, Identity Server Cannot Retrieve Shared Secret Value from the eDirectory User Store
Section 5.2, JCC Hangs After Adding or Deleting Appmarks through REST API
Section 5.3, Cannot Launch the Analytics Server Control Center
Section 5.4, The User Portal Login Page Takes Longer Time to Load
Section 5.5, The Installation Fails When Private IP Is Set for Administration Console
Section 5.6, reCAPTCHA Does Not Work After Upgrading Access Manager to 4.4.1
Issue: Identity Server cannot retrieve the shared secret value from the eDirectory user store after upgrading Access Manager. (Bug 1077000)
Workaround: Perform the following steps:
In the Identity Server global options, set the SAML2 SIGN METHODDIGEST SHA256 property to false.
Click Devices > Identity Servers > Servers > Edit > SAML 2.0.
Under Service Providers, change the SAML2 SIGN METHODDIGEST SHA256 property of each service provider to true.
Update the Identity Server.
Issue: When you create or delete multiple appmarks rapidly using REST API, JCC hangs. (Bug 1073567)
Workaround: Add a delay of 1 second between the successive REST API calls to add or delete the appmarks.
Issue: The Analytics Server control center does not open if it is accessed from a client machine that uses Java 9. (Bug 1081905)
Workaround: Launch the control center from a client machine that uses Java 8.
Issue: This release includes Java 1.8.0_162, which supports TLS Session Hash and Extended Master Secret Extension for additional security (RFC 7627). When a user logs in to the user portal page from a browser that does not support RFC 7627, the user may encounter a delay in loading the user portal login page. (Bug 1078960)
Workaround: Upgrade the client browsers to the latest version that supports TLS Session Hash and Extended Master Secret Extension.
If you do not require the additional security, you can disable the extensions on Identity Server by using the following steps:
Edit /opt/novell/nam/idp/conf/tomcat.conf.
Add JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.useExtendedMasterSecret=false" at the end of the file.
Restart the Identity Server by using the following command:
/etc/init.d/novell-idp restart
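Because disabling the extension removes the RFC 7627 protection, it is worth being able to tell afterwards which Identity Servers carry the flag. The following added example (not NetIQ tooling) reads the JAVA_OPTS lines of a tomcat.conf-style file, reports whether -Djdk.tls.useExtendedMasterSecret=false is set, and adds or removes the line idempotently so that running it twice does not duplicate the setting. The file content in it is constructed; on a real server you would read /opt/novell/nam/idp/conf/tomcat.conf and still restart the Identity Server as described above.

```python
"""Audit and idempotently edit the useExtendedMasterSecret flag in JAVA_OPTS.

Added example, not NetIQ tooling. SAMPLE_CONF is constructed.
"""
import re
import shlex

FLAG = "-Djdk.tls.useExtendedMasterSecret=false"
_ASSIGN = re.compile(r"^\s*JAVA_OPTS=(?P<val>.*)$")
_SELF_ONLY = re.compile(r'\s*JAVA_OPTS="?\$\{?JAVA_OPTS\}?"?\s*')   # line left with only ${JAVA_OPTS}

# Constructed tomcat.conf content before the workaround is applied.
SAMPLE_CONF = 'CATALINA_HOME=/opt/novell/nam/idp\nJAVA_OPTS="-Xms512m -Xmx2048m"\n'


def java_opts_tokens(conf_text):
    """Collect the individual option tokens from every JAVA_OPTS=... line,
    dropping shell quotes and the ${JAVA_OPTS} self-reference."""
    tokens = []
    for line in conf_text.splitlines():
        match = _ASSIGN.match(line)
        if not match:
            continue
        for chunk in shlex.split(match.group("val").strip()):
            tokens.extend(t for t in chunk.split() if t not in ("${JAVA_OPTS}", "$JAVA_OPTS"))
    return tokens


def extended_master_secret_disabled(conf_text):
    """True if the configuration turns the RFC 7627 extension off."""
    return FLAG in java_opts_tokens(conf_text)


def ensure_flag(conf_text, disable=True):
    """Return the configuration with the flag present (disable=True) or absent
    (disable=False). Unchanged input is returned as-is, so the edit is idempotent."""
    present = extended_master_secret_disabled(conf_text)
    if disable and not present:
        if conf_text and not conf_text.endswith("\n"):
            conf_text += "\n"
        return conf_text + f'JAVA_OPTS="${{JAVA_OPTS}} {FLAG}"\n'
    if not disable and present:
        lines = []
        for line in conf_text.splitlines(keepends=True):
            if _ASSIGN.match(line) and FLAG in line:
                stripped = line.replace(" " + FLAG, "").replace(FLAG, "")
                if _SELF_ONLY.fullmatch(stripped):
                    continue          # nothing but the self-reference left: drop the line
                line = stripped
            lines.append(line)
        return "".join(lines)
    return conf_text


if __name__ == "__main__":
    patched = ensure_flag(SAMPLE_CONF)
    print("before:", extended_master_secret_disabled(SAMPLE_CONF))
    print("after :", extended_master_secret_disabled(patched))
    print(patched, end="")
```

Used as an audit across a fleet, extended_master_secret_disabled gives the list of servers still running with the extension off, which is the set to revisit once the client browsers have been upgraded.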
Issue: The Access Manager installation fails when you configure a second NIC by specifying Private IP (Optional) for Administration Console. (Bug 1064721)
Issue: After upgrading Access Manager to 4.4.1, the following message is displayed if you had enabled reCAPTCHA before the upgrade:
This site key is not enabled for the invisible captcha.
This issue occurs because, from Access Manager 4.4.1 onwards, only invisible reCAPTCHA is supported, which breaks the existing reCAPTCHA v2 configuration.
Workaround: To work around this issue, configure reCAPTCHA again after the upgrade to use invisible reCAPTCHA. For more information, see TID 7022809.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2018 NetIQ Corporation. All Rights Reserved.