Access Manager Appliance 4.4 Service Pack 2 Release Notes

June 2018

Access Manager Appliance 4.4 Service Pack (4.4.2) includes enhancements, improves usability, and resolves several previous issues.

Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Manager forum on our community website that also includes product notifications, blogs, and product user groups.

For information about the previous release, see Access Manager Appliance 4.4 Service Pack 1 Hotfix 1 Release Notes.

For more information about this release and for the latest release notes, see the Documentation page. To download this product, see the Product page.

If you have suggestions for documentation improvements, click comment on this topic at the bottom of the specific page in the HTML version of the documentation posted at the Documentation page.

For information about Access Manager support lifecycle, see the Product Support Lifecycle page.

1.0 What’s New?

This release provides the following enhancements and fixes:

1.1 Enhancements

CORS Preflight Support in Access Gateway

This release supports the CORS (Cross-Origin Resource Sharing) preflight request. A CORS preflight request is sent before the actual request to check if it is safe to send the actual request. Access Manager includes an advanced option NAGPreflightUrls to use this functionality. For information about using this option, see NAGPreflightUrls under Configuring Advanced Options for a Domain-Based and Path-Based Multi-Homing Proxy Service in the NetIQ Access Manager Appliance 4.4 Administration Guide.

Access-Control-Allow-Credentials Header in the OAuth Response

Access Manager now supports the CORS requests with credentials, such as cookies, in the header. Access Manager includes an option to set the Access-Control-Allow-Credentials response header to true. For information about using this option, see the Access-Control-Allow-Credentials Header field under Defining Global Settings in the NetIQ Access Manager Appliance 4.4 Administration Guide.

Key ID Support for the Access Token and the ID Token

This release adds support for the key ID (kid) element in the JWKS endpoint. Access Manager now also supports the key ID (kid) value in the header of the access token and the ID tokens.

1.2 Updates for Dependent Components

This release adds support for the following dependent components:

  • eDirectory 9.0.4

  • Java 1.8.0_172

  • Apache 2.4.33

  • OpenSSL 1.0.2n

  • Tomcat 8.0.51

  • iManager 3.0.4

NOTE:Access Manager 4.4.2 by default supports Tomcat 8.0.51 and OpenSSL 1.0.2n. However, Administration Console uses Tomcat version 8.0.45 due to dependency on iManager.

1.3 Software Fixes

Access Manager 4.4.2 includes the following software fixes in Identity Server:

TOTP Authentication Fails If iPhone Is Used to Scan the QR Code

An error message is displayed when you use iPhone to scan the QR code after executing the TOTP method. This issue occurs when the common name contains a space character between the first name and the last name. (Bug 1072396)

Remote Identity Server Does Not Redirect to the Web Page When External Contracts (SAML or WS Federation) Are Used

This issue occurs when your setup has the following configuration:

  • Session assurance has been enabled on Identity Server and Access Gateway.

  • You have configured external contracts with SAML or WS Federation. (Bug 1073669)

The X509 Certificate Does Not Work If OCSP, CRL-OCSP, or OCSP-CRL Is Selected

This issue occurs when you configure CRL and OCSP endpoints with X509 certificates. (Bug 1072371)

A Disabled or Blocked User Can Log In to Protected Resources through Social Authentication

If a user’s account of a corresponding social profile is disabled or blocked in the user store, the user cannot log in to the intended web application. However, the user gets authenticated if the user logs in using social authentication. (Bug 972594)

The Advanced Authentication Second-Factor Method Does Not Execute If SAML Force Authentication Is Enabled

This issue occurs because the Advanced Authentication class maintains a state on the user session which does not get cleared at the first authentication attempt but it gets cleared at the second attempt. (Bug 1060487)

Unable to Execute the FIDO Advanced Authentication Method

The FIDO method does not get executed because the advanced authentication server appends the /account URI with an extra slash (/). This fix works with Advanced Authentication 6.0 and later versions. (Bug 1062262)

The CORS Filter Is Not Enabled for the /.well-known/OpenID-configuration Endpoint and Keys Endpoint

If you request /authz with Origin: xxx in the request, Identity Server sets the Allow-from: xxx in the response, but not for /.well-known/OpenID-configuration endpoint and keys endpoint. (Bug 1081525)

Redirect URI Sends OAuth Authorization Code after Removing the Query String Parameters

The query string parameters are not retained in both authorization code and implicit flow while sending the query string parameters in the redirect URI. (Bug 1085304)

OAuth Error 500 Is Displayed When Adding resourceServer=Identity Provider

This issue occurs if the resource server name contains a space character. (Bug 1086494)

WS-Trust ActAs Request Consisting of SAML Token with Attribute Statement Results in an Exception

This issue occurs if the ActAs request contains a previously obtained SAML token which consists of additional attribute statements. (Bug 1072580)

Security Token Service Responses Are Line Wrapped

With this release, the line wrap in the signature and certificate strings of the SAML tokens can be disabled. (Bug 999649)

Executing a Smart Card Contract in a Two-Connector Setup for X509 Authentication Gives an Error

When using a two-connector setup for X509 authentication, users cannot authenticate when they access the default user portal and execute the smart card contract. However, authentication works when users access the legacy user portal and execute the smart card contract. (Bug 1056590)

2.0 Installing or Upgrading

After purchasing Access Manager Appliance 4.4.2, log in to the NetIQ Downloads page and follow the link that allows you to download the software.

The following files are available:

Table 1 Files Available for Access Manager Appliance 4.4.2




Contains Access Manager Appliance .iso file.


Contains Access Manager Appliance .tar file.


Contains Analytics Server Appliance .iso file.


Contains Analytics Server Appliance .tar file.

For information about the upgrade paths, see Section 4.0, Supported Upgrade Paths. For more information about installing and upgrading, see the NetIQ Access Manager Appliance 4.4 Installation and Upgrade Guide.

3.0 Verifying Version Number after Upgrading to 4.4.2

After upgrading to Access Manager Appliance 4.4.2, verify that the version number of the component is indicated as To verify the version number, perform the following steps:

  1. In Administration Console Dashboard, click Troubleshooting > Version.

  2. Verify that the Version field lists

4.0 Supported Upgrade Paths

To upgrade to Access Manager Appliance 4.4.2, you need to be on one of the following versions of Access Manager:

  • 4.3 Service Pack 3

  • 4.4

  • 4.4 Hotfix 1

  • 4.4 Service Pack 1

  • 4.4 Service Pack 1 Hotfix 1

For more information about upgrading Access Manager Appliance, see Upgrading Access Manager Appliance in the NetIQ Access Manager Appliance 4.4 Installation and Upgrade Guide.

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 New Users Registration Using Social Authentication Fails on the B2C Portal

Issue: When new users register to B2C by using any social authentication provider, such as LinkedIn, the registration fails. This issue occurs when you upgrade to SSPR 4.3 version. (Bug 1096727)

Workaround: None.

5.2 Step-Up Authentication Post Risk-Based Authentication Fails

Issue: If executing a risk-based authentication contract leads to a step-up authentication and if both the authentication methods are executed using different user stores, then the authentication fails. (Bug 1088119)

Workaround: None.

5.3 (SLES 12 SP3) Zypper, SSH, OpenSSL, and Curl Do Not Work after a Fresh Installation of Access Manager

Issue: When you install Access Manager on SLES 12 SP3, then Zypper, SSH, OpenSSL, and Curl commands do not work. (Bug 1091902)

Workaround: Perform the following steps:

  1. Move /lib64/ and /lib64/ to a directory, such as /tmp.

  2. Move the following files that were renamed because of Access Manager installation:

    • /lib64/ to /lib64/

    • /lib64/ to /lib64/

  3. To ensure that and commands work, add the following:

    • source /opt/novell/eDirectory/bin/ndspath in the second line of /opt/novell/devman/bin/

    This includes /opt/novell/lib64 and /opt/novell/eDirectory/lib64 in LD_LIBRARY_PATH.

5.4 JCC Hangs after Adding or Deleting Appmarks through REST API

Issue: When you create or delete multiple appmarks rapidly using REST API, JCC hangs. This issue occurs because Access Manager fails to call the updateIDPCluster() API. (Bug 1073567)

Workaround: Ensure to call the updateIDPCluster() API after creating or deleting appmarks and add a delay of 1 second between the successive REST API calls to add or delete the appmarks.

5.5 Second-Factor Authentication Page Does Not Appear after Executing the First-Factor Authentication Method

Issue: If a user has not enrolled for any second-factor authentication method in the Advanced Authentication portal, then after executing the first-factor authentication the user is not redirected to the enrollment page and does not see any error message. (Bug 1094337)

Workaround: Enroll for the second-factor authentication method on the Advanced Authentication portal.

6.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

7.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see

Copyright © 2018 NetIQ Corporation. All Rights Reserved.