Access Manager Appliance 4.4 Service Pack 1 Release Notes

March 2018

Access Manager Appliance 4.4 Service Pack (4.4.1) includes enhancements, improves usability, and resolves several previous issues.

Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Manager forum on our community website that also includes product notifications, blogs, and product user groups.

For information about the previous release, see Access Manager Appliance 4.4 Hotfix 1 Release Notes.

For more information about this release and for the latest release notes, see the Documentation page. To download this product, see the Product page.

For information about Access Manager support lifecycle, see the Product Support Lifecycle page.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:

1.1 Enhancements

This release introduces the following enhancements:

Business-to-Consumer Capabilities

This release introduces a demo interface that simplifies the Access Manager configuration process for the Business-to-Consumer (B2C) capabilities. 

This demo provides a single page to configure Access Manager-side options that are required for enabling B2C. You do not need to configure various settings on multiple pages, as was required in Access Manager 4.4. Using the demo wizard, you can configure the following items for B2C in Access Manager:

  • Reverse proxy

  • Certificate

  • Virtual attribute

  • Advanced Authentication server configuration

  • Self Service Password Reset server configuration

  • Identity Injection policies for Advanced Authentication and Self Service Password Reset

  • Risk-based policy

For more information, see Business To Consumer Wizard: Sample Configuration in the NetIQ Access Manager Appliance 4.4 Administration Guide.

Support for OpenID Connect Hybrid Flow

You can now use the hybrid flow for the OpenID authentication. For more information about this flow, see Authentication by Using Hybrid Flow in the NetIQ Access Manager Appliance 4.4 Administration Guide.

For information about using the hybrid flow for requesting and getting responses, see the API documentation.

Support for Invisible reCAPTCHA

This release supports invisible reCAPTCHA. For information about invisible reCAPTCHA, see Google developer guide for reCAPTCHA.

1.2 Updates for Dependent Components

This release adds support for the following dependent components:

  • eDirectory 9.0.4

  • Java 1.8.0_162

    NOTE: Java 1.8.0_162 supports TLS Session Hash and Extended Master Secret Extension. This provides an additional security layer for TLS/SSL communications. This additional security may impact the performance of loading the user portal login page. For an environment that does not require additional security, you can perform the steps mentioned in Section 5.4, The User Portal Login Page Takes Longer Time to Load.

  • Apache 2.4.29

  • OpenSSL 1.0.2n

  • Tomcat 8.0.48

  • iManager 3.0.4

NOTE: Access Manager 4.4.1 by default supports Tomcat 8.0.48 and OpenSSL 1.0.2n, but Administration Console uses Tomcat version 8.0.45 due to dependency on iManager.

1.3 Software Fixes

Access Manager 4.4.1 includes software fixes for the following components:

Identity Server

The following issues are fixed in Identity Server:

  • Cross-Site Request Forgery (CSRF) on User Portal Login Page (CVE-2018-7677). For more information, see TID 7022725.

Access Manager Shows Digesting and Signing SAML Assertions with SHA1 Algorithms

If you set the SAML advanced option SAML2 SIGN METHODDIGEST SHA256 to false, the signature method and the digest method in the assertion sent to the service provider use the SHA1 algorithm. (Bug 1071072)

Changing Encryption Certificate for SAML Service Provider Does Not Change the Encryption Algorithm in the Metadata

Assigning a new encryption certificate to a service provider does not change the encryption algorithm in the metadata for IDPSSODescriptor. (Bug 1065934)

Office 365 Applications Cannot Render Default Login Page with Access Manager

JavaScript errors on the login page prevent the Access Manager default login page from displaying properly. (Bug 1044092)

Hibernation Code Gives an Exception When Accessing or Adding Device Fingerprint

Identity Server throws errors when loading roles for users during Risk-Based Authentication because the roles are unavailable. (Bug 1068726)

Identity Server Does Not Accept Passwords Containing Accents over Letters (åäö) Correctly

A filter is added to the web.xml file to allow Identity Server to accept passwords that contain accented letters. (Bug 1042866)

In the web.xml file, uncomment or add the following content to enable this filter. This filter is disabled by default.

<filter>
    <filter-name>EncodingFilter</filter-name>
    <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>EncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

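
Why this filter matters, as an added illustration that is not part of the release notes: a constructed login POST carrying the letters from the fix description is decoded both ways a servlet container might decode it. Without SetCharacterEncodingFilter, Tomcat falls back to ISO-8859-1 for request parameters when the request names no charset, so the UTF-8 bytes sent by the browser become different characters and the password comparison fails. The field names and the sample password are constructed for this example.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample: a browser POSTs a login form whose password contains
# the letters from the fix description. Browsers percent-encode form fields
# as UTF-8, so "å", "ä" and "ö" arrive as %C3%A5, %C3%A4 and %C3%B6.
# The field names are made up for this example.
STORED_PASSWORD = "åäö-secret"
LOGIN_BODY = b"username=alice&password=%C3%A5%C3%A4%C3%B6-secret"


def parse_form(body: bytes, charset: str) -> dict:
    """Decode an application/x-www-form-urlencoded body the way a servlet
    container does: percent-decode to raw bytes, then turn those bytes into
    text using `charset`. Without SetCharacterEncodingFilter, Tomcat uses
    ISO-8859-1 for request parameters when the request names no charset."""
    params = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        key, _, value = pair.partition(b"=")
        raw_key = unquote_to_bytes(key.replace(b"+", b" "))
        raw_value = unquote_to_bytes(value.replace(b"+", b" "))
        # errors="replace" mirrors a container that substitutes undecodable bytes
        params[raw_key.decode(charset, errors="replace")] = raw_value.decode(charset, errors="replace")
    return params


def password_matches(body: bytes, stored: str, charset: str) -> bool:
    """Compare the submitted password with the stored one after decoding the
    body with the container's effective parameter encoding."""
    return parse_form(body, charset).get("password") == stored


if __name__ == "__main__":
    for charset in ("ISO-8859-1", "UTF-8"):
        seen = parse_form(LOGIN_BODY, charset)["password"]
        ok = password_matches(LOGIN_BODY, STORED_PASSWORD, charset)
        print(f"{charset:10} -> {seen!r} match={ok}")
```

With the filter active the container decodes as UTF-8 and the comparison succeeds; with the ISO-8859-1 fallback the same bytes decode to six characters instead of three and the login is rejected.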
The Login Page Does Not Render Properly After a Kerberos Authentication Method Failure

Issue: The fallback login page is not rendered properly after a Kerberos method authentication failure. (Bug 1003919)

Fix: The fallback login page now renders properly and retains customization as well. You no longer need to follow the configuration steps mentioned in TID 7015049.

SAML 2 Token Does Not Include the Format Attribute When Using WS-Trust for Authentication

When an STS client requests a SAML 2 token with WS-Trust, Identity Server does not include the format attribute with the SAML2 NameID element. Therefore, the service provider cannot consume the assertion. (Bug 1059129)

Identity Server Fails to Validate the SAML 2 Authentication Request that Does Not Include the X509 Certificate

Identity Server does not validate the SAML 2 authentication request when a service provider sends signed SAML 2 AuthnRequest without embedding the X509 certificate. (Bug 1062578)

With this release, even if the SAML 2 AuthnRequest does not include the X509 certificate, Identity Server validates the request by using the certificate from the service provider’s metadata.

Identity Server Throws a Null Pointer Exception on WS-Federation Logout Request

The absence of the wtrealm parameter in the WS-Federation logout request causes Identity Server to throw a NullPointerException error. (Bug 1016148)

BasicSSO Connector Fails with MobileAccess but Works with Browser Based Portal

With this release, the BasicSSO connectors are updated and work with MobileAccess. (Bug 1065025)

Access Gateway

The following issues are fixed in Access Gateway:

After Upgrading to Access Manager 4.4 and After the First Successful Tunnel Connection, All Subsequent Tunnel Connections Fail

The connection pool now gets initialized and multiple tunnel connections are allowed. (Bug 1062208)

Access Gateway Health Process Crashes While Unlocking the Mutex Lock

The health process crashes when the health thread tries to unlock the mutex without checking whether it was locked properly. (Bug 1067954)

Duplicate Strict-Transport-Security Headers Are Present in the Requests to ESP and Identity Server

With this release, if the request contains multiple Strict-Transport-Security headers, one is passed on and the remaining headers are removed. (Bug 1033597)

2.0 Installing or Upgrading

After purchasing Access Manager Appliance 4.4.1, log in to the NetIQ Downloads page and follow the link that allows you to download the software.

The following files are available:

Table 1 Files Available for Access Manager Appliance 4.4.1

  Filename                                   Description
  -----------------------------------------  ----------------------------------------------
  AM_44_SP1_AccessManagerAppliance.iso       Contains Access Manager Appliance .iso file.
  AM_44_SP1_AccessManagerAppliance.tar.gz    Contains Access Manager Appliance .tar file.
  AM_44_SP1_AnalyticsServerAppliance.iso     Contains Analytics Server Appliance .iso file.
  AM_44_SP1_AnalyticsServerAppliance.tar.gz  Contains Analytics Server Appliance .tar file.

For information about the upgrade paths, see Section 4.0, Supported Upgrade Paths. For more information about installing and upgrading, see the NetIQ Access Manager Appliance 4.4 Installation and Upgrade Guide.

3.0 Verifying Version Number After Upgrading to 4.4.1

After upgrading to Access Manager Appliance 4.4.1, verify that the version number of the component is indicated as 4.4.1.0-148. To verify the version number, perform the following steps:

  1. In Administration Console Dashboard, click Troubleshooting > Version.

  2. Verify that the Version field lists 4.4.1.0-148.

4.0 Supported Upgrade Paths

To upgrade to Access Manager Appliance 4.4.1, you need to be on one of the following versions of Access Manager:

  • 4.2 Service Pack 5

  • 4.3 Service Pack 2

  • 4.3 Service Pack 3

  • 4.4

  • 4.4 Hotfix 1

For more information about upgrading Access Manager Appliance, see Upgrading Access Manager Appliance in the NetIQ Access Manager Appliance 4.4 Installation and Upgrade Guide.

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Identity Server Cannot Retrieve Shared Secret Value from the eDirectory User Store

Issue: Identity Server cannot retrieve the shared secret value from the eDirectory user store after upgrading Access Manager. (Bug 1077000)

Workaround: Perform the following steps:

  1. In the Identity Server global options, set the SAML2 SIGN METHODDIGEST SHA256 property to false.

  2. Click Devices > Identity Servers > Servers > Edit > SAML 2.0.

  3. Under Service Providers, change the SAML2 SIGN METHODDIGEST SHA256 property of each service provider to true.

  4. Update the Identity Server.

5.2 JCC Hangs After Adding or Deleting Appmarks through REST API

Issue: When you create or delete multiple appmarks rapidly using REST API, JCC hangs. (Bug 1073567)

Workaround: Add a delay of 1 second between the successive REST API calls to add or delete the appmarks.

5.3 Cannot Launch the Analytics Server Control Center

Issue: The Analytics Server control center does not open if it is accessed from a client machine that uses Java 9. (Bug 1081905)

Workaround: To use the control center, launch it from a client machine that uses Java 8.

5.4 The User Portal Login Page Takes Longer Time to Load

Issue: This release includes Java 1.8.0_162, which supports TLS Session Hash and Extended Master Secret Extension for additional security (RFC 7627). When a user logs in to the user portal page from a browser that does not support RFC 7627, the user may encounter a delay in loading the user portal login page. (Bug 1078960)

Workaround: It is recommended to upgrade the client browsers to the latest version that supports TLS Session Hash and Extended Master Secret Extension.

If you do not require the additional security, you can disable the extensions on Identity Server by using the following steps:

  1. Edit /opt/novell/nam/idp/conf/tomcat.conf.

  2. Add JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.useExtendedMasterSecret=false" at the end of the file.

  3. Restart the Identity Server by using the following command:

    /etc/init.d/novell-idp restart
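
The workaround above as an added, scriptable check and edit (example code, not part of the release notes or the product). It assumes tomcat.conf is sourced as shell, so a later JAVA_OPTS assignment that does not carry ${JAVA_OPTS} forward would silently drop the flag; the check therefore replays the assignments to compute the effective value instead of grepping for the line. The sample file content in the test is constructed.

```python
import re

# Flag and line exactly as given in the workaround for Section 5.4.
EMS_FLAG = "-Djdk.tls.useExtendedMasterSecret=false"
JAVA_OPTS_LINE = f'JAVA_OPTS="${{JAVA_OPTS}} {EMS_FLAG}"'
CONF_PATH = "/opt/novell/nam/idp/conf/tomcat.conf"

# Matches one JAVA_OPTS assignment. tomcat.conf is assumed to be sourced as
# shell, so each assignment replaces the previous value unless it expands
# ${JAVA_OPTS} itself.
_ASSIGN = re.compile(r'^\s*(?:export\s+)?JAVA_OPTS="(.*)"\s*$')
_EXPAND = re.compile(r"\$\{?JAVA_OPTS\}?")


def effective_java_opts(conf_text: str) -> str:
    """Replay the JAVA_OPTS assignments in file order and return the value
    the init script would end up passing to the JVM."""
    value = ""
    for line in conf_text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            value = _EXPAND.sub(lambda _: value, m.group(1)).strip()
    return value


def ems_disabled(conf_text: str) -> bool:
    """True only when the flag survives into the effective JAVA_OPTS."""
    return EMS_FLAG in effective_java_opts(conf_text).split()


def disable_extended_master_secret(conf_text: str) -> str:
    """Append the workaround line once at the end of the file (step 2)."""
    if ems_disabled(conf_text):
        return conf_text
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + JAVA_OPTS_LINE + "\n"


def enable_extended_master_secret(conf_text: str) -> str:
    """Revert: drop the workaround line so the extension is negotiated again."""
    kept = [ln for ln in conf_text.splitlines() if ln.strip() != JAVA_OPTS_LINE]
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    with open(CONF_PATH) as f:
        original = f.read()
    patched = disable_extended_master_secret(original)
    if patched != original:
        with open(CONF_PATH, "w") as f:
            f.write(patched)
    print("extended master secret disabled:", ems_disabled(patched))
```

The script only edits the file; restart Identity Server afterwards as in step 3 for the JVM option to take effect.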

5.5 The Installation Fails When Private IP Is Set for Administration Console

The Access Manager installation fails when you configure a second NIC by specifying Private IP (Optional) for Administration Console. (Bug 1064721)

5.6 reCAPTCHA Does Not Work After Upgrading Access Manager to 4.4.1

Issue: After upgrading Access Manager to 4.4.1, the following message is displayed if you had enabled reCAPTCHA before the upgrade:

This site key is not enabled for the invisible captcha.

This issue occurs because, from Access Manager 4.4.1 onwards, only the invisible reCAPTCHA is supported, which breaks the existing reCAPTCHA v2 configuration.

Workaround: To work around this issue, configure reCAPTCHA again after the upgrade so that it uses invisible reCAPTCHA. For more information, see TID 7022809.

6.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

7.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2018 NetIQ Corporation. All Rights Reserved.