Access Manager Appliance 4.4 Service Pack 2 Release Notes

June 2018

Access Manager Appliance 4.4 Service Pack 2 (4.4.2) includes enhancements, improves usability, and resolves several previous issues.

Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Manager forum on our community website that also includes product notifications, blogs, and product user groups.

For information about the previous release, see Access Manager Appliance 4.4 Service Pack 1 Hotfix 1 Release Notes.

For more information about this release and for the latest release notes, see the Documentation page. To download this product, see the Product page.

If you have suggestions for documentation improvements, click comment on this topic at the bottom of the specific page in the HTML version of the documentation posted at the Documentation page.

For information about Access Manager support lifecycle, see the Product Support Lifecycle page.

1.0 What’s New?

This release provides the following enhancements and fixes:

1.1 Enhancements

CORS Preflight Support in Access Gateway

This release supports the CORS (Cross-Origin Resource Sharing) preflight request. A CORS preflight request is sent before the actual request to check if it is safe to send the actual request. Access Manager includes an advanced option NAGPreflightUrls to use this functionality. For information about using this option, see NAGPreflightUrls under Configuring Advanced Options for a Domain-Based and Path-Based Multi-Homing Proxy Service in the NetIQ Access Manager Appliance 4.4 Administration Guide.

Access-Control-Allow-Credentials Header in the OAuth Response

Access Manager now supports CORS requests that carry credentials, such as cookies. Access Manager includes an option to set the Access-Control-Allow-Credentials response header to true. For information about using this option, see the Access-Control-Allow-Credentials Header field under Defining Global Settings in the NetIQ Access Manager Appliance 4.4 Administration Guide.
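The two CORS enhancements above fit together: a preflight is answered only for configured URLs, and a credentialed response must name one specific origin rather than a wildcard. The following is an added illustration of that exchange written for these release notes; it is not Access Manager code, and the names PREFLIGHT_URLS, ALLOWED_ORIGINS, ALLOWED_METHODS, ALLOWED_HEADERS and ALLOW_CREDENTIALS are constructed stand-ins for the NAGPreflightUrls and Access-Control-Allow-Credentials settings, not their real format.

```python
# Added example: how a reverse proxy answers a CORS preflight with credentials.
# All configuration values below are constructed assumptions for illustration.
PREFLIGHT_URLS = ("/api/", "/oauth/")          # path prefixes that get preflight handling
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://portal.example.com"})
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")
ALLOWED_HEADERS = frozenset({"authorization", "content-type", "x-requested-with"})
ALLOW_CREDENTIALS = True                       # the Allow-Credentials option switched on


def is_preflight(method: str, headers: dict) -> bool:
    """A CORS preflight is an OPTIONS request sent by the browser itself, carrying
    both Origin and Access-Control-Request-Method, before the actual request."""
    return (method.upper() == "OPTIONS"
            and "Origin" in headers
            and "Access-Control-Request-Method" in headers)


def preflight_response(method: str, path: str, headers: dict):
    """Return (status, response_headers) when the request is a preflight on a
    configured URL, or None so that the request flows to the normal handler
    without any CORS headers (the browser then blocks the cross-origin call)."""
    if not is_preflight(method, headers):
        return None
    if not any(path.startswith(prefix) for prefix in PREFLIGHT_URLS):
        return None
    origin = headers["Origin"]
    # Exact match against the allowlist: no wildcard and no substring matching,
    # because the origin is echoed back together with Allow-Credentials.
    if origin not in ALLOWED_ORIGINS:
        return 403, {}
    if headers["Access-Control-Request-Method"].upper() not in ALLOWED_METHODS:
        return 403, {}
    requested = [h.strip().lower()
                 for h in headers.get("Access-Control-Request-Headers", "").split(",")
                 if h.strip()]
    # Any requested header outside the allowlist fails the whole preflight;
    # the browser would refuse the actual request anyway.
    if any(h not in ALLOWED_HEADERS for h in requested):
        return 403, {}
    response = {
        "Access-Control-Allow-Origin": origin,            # the specific origin, never "*"
        "Vary": "Origin",                                 # shared caches must key on Origin
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Max-Age": "600",
    }
    if requested:
        response["Access-Control-Allow-Headers"] = ", ".join(requested)
    if ALLOW_CREDENTIALS:
        # Browsers reject Allow-Credentials: true combined with a wildcard origin,
        # which is why the exact origin is echoed above.
        response["Access-Control-Allow-Credentials"] = "true"
    return 204, response


if __name__ == "__main__":
    # Constructed browser preflight for a credentialed POST to /api/users.
    sample = {"Origin": "https://app.example.com",
              "Access-Control-Request-Method": "POST",
              "Access-Control-Request-Headers": "Authorization, Content-Type"}
    print(preflight_response("OPTIONS", "/api/users", sample))
```

A request to a path that is not in the configured list gets no CORS answer at all, which is the safe default; only the configured URLs and allowlisted origins receive the Allow-Origin and Allow-Credentials pair.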

Key ID Support for the Access Token and the ID Token

This release adds support for the key ID (kid) element in the JWKS endpoint. Access Manager now also supports the key ID (kid) value in the header of the access token and the ID token.
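The kid in the token header is what lets a relying party pick the right entry from the JWKS document during key rollover. The following added example, written for these notes and not taken from Access Manager, shows that lookup and the two failure cases that matter (an unknown kid, and a signature that does not verify under the key the kid names). The JWKS document and keys are constructed; symmetric "oct" keys are used so the example runs with the standard library alone, whereas a real JWKS endpoint publishes public RSA or EC keys, but the kid selection logic is the same.

```python
# Added example: selecting a JWKS key by kid and verifying a JWT with it.
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS (sample data, not from any real endpoint). Two keys model a
# rollover: tokens issued under either kid must verify, anything else must not.
OLD_KEY = b"constructed-old-signing-key"
NEW_KEY = b"constructed-new-signing-key"
JWKS = {
    "keys": [
        {"kty": "oct", "kid": "key-2018-05", "alg": "HS256", "use": "sig", "k": b64url_encode(OLD_KEY)},
        {"kty": "oct", "kid": "key-2018-06", "alg": "HS256", "use": "sig", "k": b64url_encode(NEW_KEY)},
    ]
}


def mint_token(claims: dict, kid: str, key: bytes) -> str:
    """Issue a compact JWT whose header names the signing key by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    head_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{head_b64}.{body_b64}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def select_key(jwks: dict, kid: str) -> dict:
    """Return the single signing JWK with this kid; an unknown kid is an error,
    never a fallback to 'try every key'."""
    matches = [k for k in jwks["keys"] if k.get("kid") == kid and k.get("use", "sig") == "sig"]
    if len(matches) != 1:
        raise KeyError(f"no unique signing key with kid={kid!r}")
    return matches[0]


def verify_token(token: str, jwks: dict) -> dict:
    """Verify the signature under the key named by kid and return the claims."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if "kid" not in header:
        raise ValueError("token header carries no kid")
    jwk = select_key(jwks, header["kid"])
    # The algorithm is taken from the published key; the header must agree with
    # it, so an attacker-controlled header cannot downgrade the algorithm.
    if jwk["alg"] != "HS256" or header.get("alg") != jwk["alg"]:
        raise ValueError("algorithm mismatch between token header and JWKS entry")
    expected = hmac.new(b64url_decode(jwk["k"]),
                        f"{head_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify under the key named by kid")
    return json.loads(b64url_decode(body_b64))


def token_is_valid(token: str, jwks: dict) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_token(token, jwks)
        return True
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    token = mint_token({"sub": "alice", "aud": "resource-server"}, "key-2018-06", NEW_KEY)
    print(verify_token(token, JWKS))
</test>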

1.2 Updates for Dependent Components

This release adds support for the following dependent components:

  • eDirectory 9.0.4

  • Java 1.8.0_172

  • Apache 2.4.33

  • OpenSSL 1.0.2n

  • Tomcat 8.0.51

  • iManager 3.0.4

NOTE: Access Manager 4.4.2 by default supports Tomcat 8.0.51 and OpenSSL 1.0.2n. However, Administration Console uses Tomcat version 8.0.45 due to dependency on iManager.

1.3 Software Fixes

Access Manager 4.4.2 includes the following software fixes in Identity Server:

TOTP Authentication Fails If iPhone Is Used to Scan the QR Code

An error message is displayed when you use an iPhone to scan the QR code after executing the TOTP method. This issue occurs when the common name contains a space character between the first name and the last name. (Bug 1072396)

Remote Identity Server Does Not Redirect to the Web Page When External Contracts (SAML or WS Federation) Are Used

This issue occurs when your setup has the following configuration:

  • Session assurance has been enabled on Identity Server and Access Gateway.

  • You have configured external contracts with SAML or WS Federation. (Bug 1073669)

The X509 Certificate Does Not Work If OCSP, CRL-OCSP, or OCSP-CRL Is Selected

This issue occurs when you configure CRL and OCSP endpoints with X509 certificates. (Bug 1072371)

A Disabled or Blocked User Can Log In to Protected Resources through Social Authentication

If the user store account corresponding to a user's social profile is disabled or blocked, the user cannot log in to the intended web application. However, the user still gets authenticated when logging in through social authentication. (Bug 972594)

The Advanced Authentication Second-Factor Method Does Not Execute If SAML Force Authentication Is Enabled

This issue occurs because the Advanced Authentication class maintains state on the user session that is not cleared after the first authentication attempt; it is cleared only at the second attempt. (Bug 1060487)

Unable to Execute the FIDO Advanced Authentication Method

The FIDO method does not get executed because the advanced authentication server appends the /account URI with an extra slash (/). This fix works with Advanced Authentication 6.0 and later versions. (Bug 1062262)

The CORS Filter Is Not Enabled for the /.well-known/OpenID-configuration Endpoint and Keys Endpoint

If you request /authz with an Origin: xxx header, Identity Server sets Allow-from: xxx in the response, but it does not do so for the /.well-known/OpenID-configuration endpoint and the keys endpoint. (Bug 1081525)

Redirect URI Sends OAuth Authorization Code after Removing the Query String Parameters

Query string parameters included in the redirect URI are not retained in either the authorization code flow or the implicit flow. (Bug 1085304)

OAuth Error 500 Is Displayed When Adding resourceServer=Identity Provider

This issue occurs if the resource server name contains a space character. (Bug 1086494)

WS-Trust ActAs Request Consisting of SAML Token with Attribute Statement Results in an Exception

This issue occurs if the ActAs request contains a previously obtained SAML token which consists of additional attribute statements. (Bug 1072580)

Security Token Service Responses Are Line Wrapped

With this release, the line wrap in the signature and certificate strings of the SAML tokens can be disabled. (Bug 999649)

Executing a Smart Card Contract in a Two-Connector Setup for X509 Authentication Gives an Error

When using a two-connector setup for X509 authentication, users cannot authenticate when they access the default user portal and execute the smart card contract. However, authentication works when users access the legacy user portal and execute the smart card contract. (Bug 1056590)

2.0 Installing or Upgrading

After purchasing Access Manager Appliance 4.4.2, log in to the NetIQ Downloads page and follow the link that allows you to download the software.

The following files are available:

Table 1 Files Available for Access Manager Appliance 4.4.2

  Filename                                   Description
  AM_44_SP2_AccessManagerAppliance.iso       Contains Access Manager Appliance .iso file.
  AM_44_SP2_AccessManagerAppliance.tar.gz    Contains Access Manager Appliance .tar file.
  AM_44_SP2_AnalyticsServerAppliance.iso     Contains Analytics Server Appliance .iso file.
  AM_44_SP2_AnalyticsServerAppliance.tar.gz  Contains Analytics Server Appliance .tar file.

For information about the upgrade paths, see Section 4.0, Supported Upgrade Paths. For more information about installing and upgrading, see the NetIQ Access Manager Appliance 4.4 Installation and Upgrade Guide.

3.0 Verifying Version Number after Upgrading to 4.4.2

After upgrading to Access Manager Appliance 4.4.2, verify that the version number of the component is indicated as 4.4.2.0-78. To verify the version number, perform the following steps:

  1. In Administration Console Dashboard, click Troubleshooting > Version.

  2. Verify that the Version field lists 4.4.2.0-78.

4.0 Supported Upgrade Paths

To upgrade to Access Manager Appliance 4.4.2, you need to be on one of the following versions of Access Manager:

  • 4.3 Service Pack 3

  • 4.4

  • 4.4 Hotfix 1

  • 4.4 Service Pack 1

  • 4.4 Service Pack 1 Hotfix 1

For more information about upgrading Access Manager Appliance, see Upgrading Access Manager Appliance in the NetIQ Access Manager Appliance 4.4 Installation and Upgrade Guide.

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 New Users Registration Using Social Authentication Fails on the B2C Portal

Issue: When new users register to B2C by using any social authentication provider, such as LinkedIn, the registration fails. This issue occurs when you upgrade to SSPR 4.3 version. (Bug 1096727)

Workaround: None.

5.2 Step-Up Authentication Post Risk-Based Authentication Fails

Issue: If executing a risk-based authentication contract leads to a step-up authentication and if both the authentication methods are executed using different user stores, then the authentication fails. (Bug 1088119)

Workaround: None.

5.3 (SLES 12 SP3) Zypper, SSH, OpenSSL, and Curl Do Not Work after a Fresh Installation of Access Manager

Issue: When you install Access Manager on SLES 12 SP3, the Zypper, SSH, OpenSSL, and Curl commands do not work. (Bug 1091902)

Workaround: Perform the following steps:

  1. Move /lib64/libssl.so.1.0.0 and /lib64/libcrypto.so.1.0.0 to a directory, such as /tmp.

  2. Move the following files that were renamed because of Access Manager installation:

    • /lib64/libssl.so.1.0.0_backup to /lib64/libssl.so.1.0.0

    • /lib64/libcrypto.so.1.0.0_backup to /lib64/libcrypto.so.1.0.0

  3. To ensure that ambkup.sh and amdiagcfg.sh commands work, add the following:

    • source /opt/novell/eDirectory/bin/ndspath in the second line of /opt/novell/devman/bin/getparams.sh

    This adds /opt/novell/lib64 and /opt/novell/eDirectory/lib64 to LD_LIBRARY_PATH.

5.4 JCC Hangs after Adding or Deleting Appmarks through REST API

Issue: When you create or delete multiple appmarks rapidly using REST API, JCC hangs. This issue occurs because Access Manager fails to call the updateIDPCluster() API. (Bug 1073567)

Workaround: Ensure that you call the updateIDPCluster() API after creating or deleting appmarks, and add a delay of 1 second between successive REST API calls that add or delete appmarks.

5.5 Second-Factor Authentication Page Does Not Appear after Executing the First-Factor Authentication Method

Issue: If a user has not enrolled for any second-factor authentication method in the Advanced Authentication portal, then after executing the first-factor authentication the user is not redirected to the enrollment page and does not see any error message. (Bug 1094337)

Workaround: Enroll for the second-factor authentication method on the Advanced Authentication portal.

6.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

7.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2018 NetIQ Corporation. All Rights Reserved.