Access Manager 4.4 Service Pack 1 Release Notes

March 2018

Access Manager 4.4 Service Pack 1 (4.4.1) includes enhancements, improves usability, and resolves several previous issues.

Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Manager forum on our community website that also includes product notifications, blogs, and product user groups.

For information about the previous release, see Access Manager 4.4 Hotfix 1 Release Notes.

For more information about this release and for the latest release notes, see the Documentation page. To download this product, see the Product page.

For information about Access Manager support lifecycle, see the Product Support Lifecycle page.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:

1.1 Enhancements

This release introduces the following enhancements:

Public Cloud Support

This release adds support for deploying the following Access Manager components as services on Amazon Web Services (AWS) EC2 and Microsoft Azure:

  • Administration Console

  • Identity Server

  • Access Gateway

NOTE: Deployment of Access Gateway Appliance and Analytics Server is not supported on AWS EC2 and Microsoft Azure.

You can deploy Access Manager in AWS EC2 and Microsoft Azure on any of the following operating systems:

  • SUSE Linux Enterprise Server (SLES) 12 SP3

  • Red Hat Enterprise Linux (RHEL) 7.4

For more information about deploying Access Manager on AWS EC2, see Deploying Access Manager on Amazon Web Services EC2 in the NetIQ Access Manager 4.4 Installation and Upgrade Guide.

For more information about deploying Access Manager on Microsoft Azure, see Deploying Access Manager on Microsoft Azure in the NetIQ Access Manager 4.4 Installation and Upgrade Guide.

Microsoft Azure Active Directory Support

This release adds support for Microsoft Azure Active Directory as the user store when Access Manager is deployed on Microsoft Azure.

Simplified Access Manager Connector for Cloud

Access Manager provides a connector that simplifies the procedure for creating a SAML 2.0 federated connection between an on-premises Access Manager setup and a cloud-based Access Manager setup.

This connector helps you to configure single sign-on (SSO) for the on-premises applications and cloud-based applications of an organization and provides a seamless login experience to users.

For more information, see Configuring the Application for Access Manager on the Public Cloud in the Access Manager Applications Configuration Guide 4.4.

Business-to-Consumer Capabilities

This release introduces a demo interface that simplifies the Access Manager configuration process for the Business-to-Consumer (B2C) capabilities. 

This demo provides a single page to configure Access Manager-side options that are required for enabling B2C. You do not need to configure various settings on multiple pages, as was required in Access Manager 4.4. Using the demo wizard, you can configure the following items for B2C in Access Manager:

  • Reverse proxy

  • Certificate

  • Virtual attribute

  • Advanced Authentication server configuration

  • Self Service Password Reset server configuration

  • Identity Injection policies for Advanced Authentication and Self Service Password Reset

  • Risk-based policy

For more information, see Business To Consumer Wizard: Sample Configuration in the NetIQ Access Manager 4.4 Administration Guide.

Support for OpenID Connect Hybrid Flow

You can now use the hybrid flow for the OpenID authentication. For more information about this flow, see Authentication by Using Hybrid Flow in the NetIQ Access Manager 4.4 Administration Guide.

For information about using the hybrid flow for requesting and getting responses, see the API documentation.

Support for Invisible reCAPTCHA

This release supports invisible reCAPTCHA. For information about invisible reCAPTCHA, see Google developer guide for reCAPTCHA.

1.2 Operating System Upgrade

In addition to the existing supported platforms, this release supports installation of Access Manager components on Windows Server 2016.

NOTE: For more information about system requirements, see System Requirements in the NetIQ Access Manager 4.4 Installation and Upgrade Guide.

1.3 Updates for Dependent Components

This release adds support for the following dependent components:

  • eDirectory 9.0.4

  • Java 1.8.0_162

    NOTE: Java 1.8.0_162 supports TLS Session Hash and Extended Master Secret Extension. This provides an additional security layer for TLS/SSL communications. This additional security may impact the performance of loading the user portal login page. For an environment that does not require additional security, you can perform the steps mentioned in Section 5.4, The User Portal Login Page Takes Longer Time to Load.

  • Apache 2.4.29

  • OpenSSL 1.0.2n

  • Tomcat 8.0.48

  • iManager 3.0.4

NOTE: Access Manager 4.4.1 by default supports Tomcat 8.0.48 and OpenSSL 1.0.2n, but Administration Console uses Tomcat version 8.0.45 due to a dependency on iManager.

1.4 Software Fixes

Access Manager 4.4.1 includes software fixes for the following components:

Administration Console

The following issues are fixed in Administration Console:

  • XSS Vulnerability in Administration Console (CVE-2018-7678). For more information, see TID 7022724.

Cannot Create Certificate After Installing Access Manager on Windows 2012 R2

After completing the installation, when you try to create a certificate from the Administration Console Dashboard by using Security > Certificates > New, the Error creating certificate:class.java.lang.NullPointerExecption error message is displayed. For more information about this issue, see TID 7022705. (Bug 1077562)

With this release, you can create a certificate after Installing Access Manager on Windows 2012 R2 platform.

Identity Server

The following issues are fixed in Identity Server:

  • Cross-Site Request Forgery (CSRF) on User Portal Login Page (CVE-2018-7677). For more information, see TID 7022725.

Access Manager Shows Digesting and Signing SAML Assertions with SHA1 Algorithms

If you set the SAML advanced option SAML2 SIGN METHODDIGEST SHA256 to false, the signature method and the digest method in the assertion sent to the service provider use the SHA1 algorithm. (Bug 1071072)

Changing Encryption Certificate for SAML Service Provider Does Not Change the Encryption Algorithm in the Metadata

Assigning a new encryption certificate to a service provider does not change the encryption algorithm in the metadata for IDPSSODescriptor. (Bug 1065934)

Office 365 Applications Cannot Render Default Login Page with Access Manager

Javascript errors on login page prevent the proper display of Access Manager default login page. (Bug 1044092)

Hibernation Code Gives an Exception When Accessing or Adding Device Fingerprint

Identity Server throws errors when loading roles for users while executing Risk Based Authentication because the roles are unavailable. (Bug 1068726)

Identity Server Does Not Accept Passwords Containing Accents over Letters (åäö) Correctly

A filter is added to the web.xml file to allow the Identity Server to accept the passwords that contain accents over letters. (Bug 1042866)

In the web.xml file, uncomment or add the following content to enable this filter. This filter is disabled by default.

  <filter>
      <filter-name>EncodingFilter</filter-name>
      <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
      <init-param>
          <param-name>encoding</param-name>
          <param-value>UTF-8</param-value>
      </init-param>
  </filter>
  <filter-mapping>
      <filter-name>EncodingFilter</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>

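
As an added illustration (not part of these release notes or of the product code), the following Python model shows why a password with accented letters fails to match when the servlet container decodes the POST body as ISO-8859-1, its default when no character encoding is set, and why forcing UTF-8, as SetCharacterEncodingFilter does, restores the match. The sample password is constructed.

```python
from urllib.parse import quote, unquote_to_bytes

# Constructed sample password containing accented letters (å, ö).
STORED_PASSWORD = "påsswörd"


def browser_form_encode(password: str) -> str:
    """Percent-encode the field the way a browser submits a UTF-8 login form."""
    return "password=" + quote(password, safe="")


def container_decode(body: str, encoding: str) -> str:
    """Model the servlet container reading the 'password' request parameter.

    Without SetCharacterEncodingFilter the container decodes the body as
    ISO-8859-1; the filter calls setCharacterEncoding("UTF-8") before the
    parameters are parsed, so the same bytes are decoded as UTF-8.
    """
    field, _, value = body.partition("=")
    if field != "password":
        raise ValueError("unexpected form field: " + field)
    return unquote_to_bytes(value).decode(encoding)


def password_matches(body: str, encoding: str) -> bool:
    """Compare the decoded submission with the stored password."""
    return container_decode(body, encoding) == STORED_PASSWORD


def without_filter(body: str) -> bool:
    """Behaviour before the fix: body decoded as ISO-8859-1."""
    return password_matches(body, "iso-8859-1")


def with_filter(body: str) -> bool:
    """Behaviour with EncodingFilter enabled: body decoded as UTF-8."""
    return password_matches(body, "utf-8")


if __name__ == "__main__":
    body = browser_form_encode(STORED_PASSWORD)
    print(body)                                     # password=p%C3%A5ssw%C3%B6rd
    print(container_decode(body, "iso-8859-1"))     # pÃ¥sswÃ¶rd (mojibake)
    print("without filter:", without_filter(body))  # False
    print("with filter:   ", with_filter(body))     # True
```

ASCII-only passwords decode identically under both charsets, which is why the defect only shows up for users whose passwords contain characters outside ASCII.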
The Login Page Does Not Render Properly After a Kerberos Authentication Method Failure

Issue: The fallback login page is not rendered properly after a Kerberos method authentication failure. (Bug 1003919)

Fix: The fallback login page now renders properly and retains customization as well. You no longer need to follow the configuration steps mentioned in TID 7015049.

SAML 2 Token Does Not Include the Format Attribute When Using WS-Trust for Authentication

When an STS client requests a SAML 2 token with WS-Trust, Identity Server does not include the Format attribute in the SAML 2 NameID element. Therefore, the service provider cannot consume the assertion. (Bug 1059129)

Identity Server Fails to Validate the SAML 2 Authentication Request that Does Not Include the X509 Certificate

Identity Server does not validate the SAML 2 authentication request when a service provider sends signed SAML 2 AuthnRequest without embedding the X509 certificate. (Bug 1062578)

With this release, even if the SAML 2 AuthnRequest does not include the X509 certificate, Identity Server validates the request signature by using the certificate from the service provider’s metadata.

Identity Server Throws a Null Pointer Exception on WS-Federation Logout Request

The absence of wtrealm parameter in the WS-Federation logout request causes the Identity Server to throw a NullPointerException error. (Bug 1016148)

BasicSSO Connector Fails with MobileAccess but Works with Browser Based Portal

With this release, the BasicSSO connectors are updated and work with MobileAccess. (Bug 1065025)

Access Gateway

The following issues are fixed in Access Gateway:

After Upgrading to Access Manager 4.4 and After the First Successful Tunnel Connection, All Subsequent Tunnel Connections Fail

The connection pool now gets initialized and multiple tunnel connections are allowed. (Bug 1062208)

Access Gateway Health Process Crashes While Unlocking the Mutex Lock

The health process crashes when the health thread tries to unlock the mutex without checking whether it was locked properly. (Bug 1067954)

Duplicate Strict-Transport-Security Headers Are Present in the Requests to ESP and Identity Server

With this release, if the request contains multiple Strict-Transport-Security headers, one is passed on and the remaining headers are removed. (Bug 1033597)

2.0 Installing or Upgrading

After purchasing Access Manager 4.4.1, log in to the NetIQ Downloads page and follow the link that allows you to download the software.

The following files are available:

Table 1 Files Available for Access Manager 4.4.1

  Filename                                        Description
  ----------------------------------------------  ----------------------------------------------------------------------
  AM_44_SP1_AccessManagerService_Linux64.tar.gz   Contains Identity Server and Administration Console .tar file for Linux.
  AM_44_SP1_AccessManagerService_Win64.exe        Contains Identity Server and Administration Console .exe file for Windows Server.
  AM_44_SP1_AccessGatewayAppliance.iso            Contains Access Gateway Appliance .iso file.
  AM_44_SP1_AccessGatewayAppliance.tar.gz         Contains Access Gateway Appliance .tar file.
  AM_44_SP1_AccessGatewayService_Win64.exe        Contains Access Gateway Service .exe file for Windows Server.
  AM_44_SP1_AccessGatewayService_Linux64.tar.gz   Contains Access Gateway Service .tar file for Linux.
  AM_44_SP1_AnalyticsServerAppliance.iso          Contains Analytics Server Appliance .iso file.
  AM_44_SP1_AnalyticsServerAppliance.tar.gz       Contains Analytics Server Appliance .tar file.

For information about the upgrade paths, see Section 4.0, Supported Upgrade Paths. For more information about installing and upgrading, see the NetIQ Access Manager 4.4 Installation and Upgrade Guide.

IMPORTANT: Ensure that you do not use the BTRFS filesystem for installing Administration Console. For more information, see Section 5.6, The Administration Console Installation Fails on a SLES 12 Platform.

If you are upgrading from the Access Manager version that uses BTRFS, perform the steps mentioned in TID 7022755.

3.0 Verifying Version Number After Upgrading to 4.4.1

After upgrading to Access Manager 4.4.1, verify that the version number of the component is indicated as 4.4.1.0-148. To verify the version number, perform the following steps:

  1. In Administration Console Dashboard, click Troubleshooting > Version.

  2. Verify that the Version field lists 4.4.1.0-148.

4.0 Supported Upgrade Paths

To upgrade to Access Manager 4.4.1, you need to be on one of the following versions of Access Manager:

  • 4.2 Service Pack 5

  • 4.3 Service Pack 2

  • 4.3 Service Pack 3

  • 4.4

  • 4.4 Hotfix 1

For more information about upgrading Access Manager, see Upgrading Access Manager in the NetIQ Access Manager 4.4 Installation and Upgrade Guide.

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Identity Server Cannot Retrieve Shared Secret Value from the eDirectory User Store

Issue: Identity Server cannot retrieve the shared secret value from the eDirectory user store after upgrading Access Manager. (Bug 1077000)

Workaround: Perform the following steps:

  1. In the Identity Server global options, set the SAML2 SIGN METHODDIGEST SHA256 property to false.

  2. Click Devices > Identity Servers > Servers > Edit > SAML 2.0.

  3. Under Service Providers, change the SAML2 SIGN METHODDIGEST SHA256 property of each service provider to true.

  4. Update the Identity Server.

5.2 JCC Hangs After Adding or Deleting Appmarks through REST API

Issue: When you create or delete multiple appmarks rapidly using REST API, JCC hangs. (Bug 1073567)

Workaround: Add a delay of 1 second between the successive REST API calls to add or delete the appmarks.

5.3 Cannot Launch the Analytics Server Control Center

Issue: The Analytics Server control center does not open if it is accessed from a client machine that uses Java 9. (Bug 1081905)

Workaround: Launch the control center from a client machine that uses Java 8.

5.4 The User Portal Login Page Takes Longer Time to Load

Issue: This release includes Java 1.8.0_162, which supports TLS Session Hash and Extended Master Secret Extension for additional security (RFC 7627). When a user logs in to the user portal page from a browser that does not support RFC 7627, the user may encounter a delay in loading the user portal login page. (Bug 1078960)

Workaround: Upgrade the client browsers to the latest version that supports TLS Session Hash and Extended Master Secret Extension.

If you do not require the additional security, you can disable the extensions on Identity Server by using the following steps:

For Linux:

  1. Edit /opt/novell/nam/idp/conf/tomcat.conf.

  2. Add JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.useExtendedMasterSecret=false" at the end of the file.

  3. Restart the Identity Server by using the following command:

    /etc/init.d/novell-idp restart

For Windows:

  1. Go to C:\Program Files\Novell\Tomcat\bin, then click Tomcat8w.

  2. On the Apache Tomcat properties dialog box, click Java.

  3. In the Java Options field add the following:

    -Djdk.tls.useExtendedMasterSecret=false

  4. Click OK, then restart the Apache Tomcat 8.0 Tomcat8 service from the Services window.

5.5 The Secondary Administration Console Prompts for Authentication Even After Providing the Correct Credentials

Issue: When you log in to a secondary Administration Console, Administration Console keeps prompting for authentication. This issue occurs when you install the secondary Administration Console on Windows 2016 Server. (Bug 1002718)

Workaround: To work around this issue, perform the following steps:

  1. Generate an LDIF file by using the following command:

    C:\Novell\NDS\ice.exe -v -C -n -S LDAP -v -L C:\Novell\NDS\DIBFiles\CertServ\SSCert.der -s <Secondary AC IP> -p 636 -d <FQDN> -w <password> -F "(objectclass=ldapGroup)" -a "ldapAllowClearTextPassword" -D LDIF -v -f "<path_to_ldif>"

    Here, <FQDN> is specified in the cn=admin,o=novell format.

  2. Edit the generated LDIF file with the following changes:

    • Search for the ldapAllowClearTextPassword entry, then set it to TRUE.

    • Remove the remaining entries.

      The LDIF file will look similar to the following:

      changetype: modify
      replace: ldapAllowClearTextPassword
      ldapAllowClearTextPassword: TRUE

  3. Reset the parameter by using the following command:

    C:\Novell\NDS\ice.exe -v -C -n -S LDIF -v -f "<path_to_edited_ldif>" -D LDAP -v -L C:\Novell\NDS\DIBFiles\CertServ\SSCert.der -s <Secondary AC IP> -p 636 -d <FQDN> -w <password>

    Here, <FQDN> is specified in the cn=admin,o=novell format.

  4. Restart the eDirectory and Tomcat services.

5.6 The Administration Console Installation Fails on a SLES 12 Platform

Issue: The Administration Console installation fails when you install it on a SLES 12 platform with the BTRFS filesystem, which is the default filesystem. This issue occurs because the supported version of eDirectory does not allow creating database files on a BTRFS filesystem. (Bug 1077278)

Workaround: To work around this issue, change the filesystem from BTRFS to any other available filesystem before installing Administration Console.

5.7 Saving Some Modified Settings of Administration Console Takes Longer

Issue: When saving changes to some of the settings of Administration Console configuration such as SAML 2.0, the browser may display the Waiting for <public ip_address of virtual machine> message for 2 minutes before proceeding to implement the changes. For more information about this issue, see TID 7022723. (Bug 1084363)

Workaround: When accessing the Administration Console from a browser, use a DNS name in the URL instead of an IP address. Also, ensure that the Administration Console virtual machine resolves this DNS name to its internal IP address, not to a public IP address that is assigned to the virtual machine.

5.8 The B2C Wizard Does Not Work on a Windows Platform

Issue: When you configure the Business to Consumer setup for Access Manager by using the B2C demo wizard, the configuration does not work. This issue occurs when Access Manager is installed on a Windows platform. (Bug 1084120)

Workaround: To use the B2C setup, you must configure the settings manually. For more information about configuring the B2C setup manually, see Business to Consumer Access Management in the NetIQ Access Manager 4.4 Administration Guide.

5.9 Some Operating System Commands and Access Manager Utilities May Fail After Upgrading Administration Console on the SLES 12 Platform

After upgrading Administration Console on a SLES 12 platform, the curl and zypper commands fail with the DEFAULT_SUSE error. For more information about this issue and how to resolve it, see TID 7021958 and TID 7022106.

5.10 reCAPTCHA Does Not Work After Upgrading Access Manager to 4.4.1

Issue: After upgrading Access Manager to 4.4.1, the following message is displayed if you had enabled reCAPTCHA before the upgrade:

This site key is not enabled for the invisible captcha.

This issue occurs because, from Access Manager 4.4.1 onwards, only the invisible reCAPTCHA is supported, which breaks the existing reCAPTCHA v2 configuration.

Workaround: To work around this issue, you must configure reCAPTCHA again to use invisible reCAPTCHA after the upgrade. For more information, see TID 7022809.

6.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

7.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2018 NetIQ Corporation. All Rights Reserved.