Access Manager 4.4 Service Pack 3 (4.4.3) includes enhancements, improves usability, and resolves several previous issues.
Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Manager forum on our community website that also includes product notifications, blogs, and product user groups.
For information about the previous release, see Access Manager 4.4 Service Pack 2 Release Notes.
If you have suggestions for documentation improvements, use the feedback link at the bottom of the specific page in the HTML version of the documentation posted on the Documentation page.
For information about Access Manager support lifecycle, see the Product Support Lifecycle page.
This release provides the following enhancements and fixes:
This release includes the following OAuth enhancements:
This release supports the Form Post Response mode to return the response parameters, such as code, id_token, token, and state, as HTML form parameters to redirect_uri.
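Added example (not Access Manager code, and not part of the original release notes): what the Form Post Response mode looks like on the wire and how a client at redirect_uri should consume it. The authorization server returns a self-submitting HTML form so the browser POSTs code, id_token, token and state as form fields, keeping them out of the URL, browser history and Referer header. The client must still bind the POST to its own session through state, because a POST with a well-formed code can be driven to redirect_uri by anyone. The redirect URI, state and code values below are constructed; the function names are this example's own.

```python
"""Added example (not Access Manager code): OAuth 2.0 Form Post Response Mode.

Shows the HTML an authorization server returns when response_mode=form_post is
requested, and how the client at redirect_uri consumes the resulting POST.
All names and sample values are constructed for illustration.
"""
import hmac
import html
from urllib.parse import parse_qs


def build_form_post_response(redirect_uri: str, params: dict) -> str:
    """Return the self-submitting HTML page that carries the response parameters.

    The browser POSTs `params` (code, id_token, token, state, ...) to redirect_uri
    as application/x-www-form-urlencoded fields. Every value is HTML-escaped:
    `state` is client-supplied, so interpolating it raw would be a reflected XSS
    on the authorization server.
    """
    inputs = "\n".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
        for k, v in params.items()
    )
    return (
        "<html><head><title>Submit This Form</title></head>"
        '<body onload="javascript:document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(redirect_uri)}">\n{inputs}\n'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    )


def parse_form_post_body(body: str, expected_state: str) -> dict:
    """Parse the POST body received at redirect_uri and bind it to the session.

    Returns the response parameters as a flat dict. Raises ValueError for an
    error response, a missing credential, or a `state` that does not match the
    value this client generated (CSRF or a replayed response).
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if "error" in fields:
        raise ValueError(f"authorization error: {fields['error']}")
    # Constant-time comparison; state is the only thing tying this POST to us.
    if not hmac.compare_digest(fields.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or replayed response")
    if not any(k in fields for k in ("code", "id_token", "token")):
        raise ValueError("response carries no code, id_token or token")
    return fields


def accepts(body: str, expected_state: str) -> bool:
    """True if parse_form_post_body would accept the POST body."""
    try:
        parse_form_post_body(body, expected_state)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed round trip: the AS builds the page, the client parses the POST.
    state = "c3RhdGUtMTIz"  # assumed: the value the client stored in its session
    page = build_form_post_response(
        "https://client.example/cb", {"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state}
    )
    print(page)
    print(parse_form_post_body(f"code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state))
```

The client-side check is the same one you would apply to a query-string redirect: reject the POST unless state matches, and only then exchange the code.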
Along with the existing parameters, the JSON Web Key Set endpoint displays the optional parameters to comply with RFC 7517.
A new option is added to the OAuth configuration to manage the token revocation feature. By default, this option is enabled.
In addition to the existing deliverables, this release introduces the Access Manager OAuth Application Developer Guide in the developer documentation library.
The Access Manager OAuth Application Developer Guide is intended for client developers. This guide provides the information to help you build an OAuth-based client application when using Access Manager as the authorization server.
In addition to the existing supported platforms, this release adds support for RHEL 6.10.
NOTE: For more information about system requirements, see NetIQ Access Manager 4.4 Installation and Upgrade Guide.
This release adds support for the following dependent components:
This release includes software fixes for the following components:
The following issue is fixed in Administration Console:
This issue occurs because the size of the VirtualAttributeXML object in eDirectory exceeds the limit of the current data type. (Bug 1094251)
The following issues are fixed in Identity Server:
The OpenID Connect authorization code flow returns an error when the optional nonce parameter is not included in the request. (Bug 1102844)
Access Manager encodes the JWK values of the keys parameter, such as n and e, by using base64 encoding instead of base64url encoding. This makes the Access Manager JSON Web Key Set (JWKS) non-compliant with RFC 7517. (Bug 1094264)
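Added example (not Access Manager code) covering both the JWKS enhancement above and this fix: a check a relying-party developer can run against any JWKS document. RFC 7518 defines the RSA members n and e as Base64urlUInt values (minimal big-endian bytes, URL-safe alphabet, no padding), so a key published with standard base64 characters (+, /, =) is what the fix corrects; the check also reports the optional RFC 7517 members (kid, use, alg) that clients rely on to select a key. The sample JWKS is constructed with a deliberately tiny fake modulus; the function names are this example's own.

```python
"""Added example (not Access Manager code): checking a JWKS for RFC 7517 /
RFC 7518 compliance. The sample JWKS below is constructed; its modulus is a
five-byte placeholder, not a real key.
"""
import base64
import binascii
import json


def b64url_uint_encode(n: int) -> str:
    """Base64urlUInt encoding (RFC 7518 section 2) of a non-negative integer."""
    if n < 0:
        raise ValueError("Base64urlUInt is only defined for non-negative integers")
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_uint_decode(s: str) -> int:
    """Inverse of b64url_uint_encode; re-adds the padding the spec omits."""
    padded = s + "=" * (-len(s) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def check_rsa_jwk(jwk: dict) -> tuple:
    """Return (errors, warnings) for one RSA JWK.

    errors:   violations that break interoperability (wrong alphabet, padding,
              non-minimal encoding, missing required members).
    warnings: optional RFC 7517 members (kid, use, alg) a JWKS endpoint should
              publish so clients can pick and validate the right key.
    """
    errors, warnings = [], []
    if jwk.get("kty") != "RSA":
        errors.append(f"kty={jwk.get('kty')!r}, expected 'RSA'")
        return errors, warnings
    for member in ("n", "e"):
        value = jwk.get(member)
        if not isinstance(value, str):
            errors.append(f"required member '{member}' missing")
            continue
        if any(c in value for c in "+/="):
            # This is the pre-4.4.3 symptom: standard base64 instead of base64url.
            errors.append(f"'{member}' uses standard base64 (+ / =) instead of base64url without padding")
            continue
        try:
            if b64url_uint_encode(b64url_uint_decode(value)) != value:
                errors.append(f"'{member}' is not a minimal big-endian encoding")
        except (binascii.Error, ValueError):
            errors.append(f"'{member}' is not valid base64url")
    for member in ("kid", "use", "alg"):
        if member not in jwk:
            warnings.append(f"optional member '{member}' absent")
    return errors, warnings


def check_jwks(jwks_json: str) -> dict:
    """Check every key in a JWKS document, keyed by kid (or index when kid is absent)."""
    keys = json.loads(jwks_json).get("keys", [])
    return {jwk.get("kid", f"#{i}"): check_rsa_jwk(jwk) for i, jwk in enumerate(keys)}


# Constructed sample: one compliant key and one with a standard-base64 modulus.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "good", "use": "sig", "alg": "RS256", "n": "-_____8", "e": "AQAB"},
        {"kty": "RSA", "n": "+/////8=", "e": "AQAB"},
    ]
})

if __name__ == "__main__":
    for kid, (errors, warnings) in check_jwks(SAMPLE_JWKS).items():
        print(kid, "errors:", errors, "warnings:", warnings)
```

Run check_jwks on the text fetched from the server's JWKS endpoint; a key with an error will fail signature validation in conforming libraries even though the underlying modulus is correct.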
Access Manager does not recognize a valid access token and responds with the token invalid or token revoked message. This is an intermittent issue that occurs in an Identity Server cluster environment that includes multiple user store replicas. (Bug 1104336)
This issue occurs when an assertion is sent with a URL-encoded RelayState value. (Bug 1100379)
The SAML 2.0 redirect flow authentication request is signed with SHA-1 instead of SHA-256 when the SAML2_SIGN_METHODDIGEST_SHA256 parameter is set to true.
This issue occurs because the default certificate private key algorithm is treated as SHA-1 instead of SHA-256. (Bug 1098908)
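Added example (not Access Manager code) for verifying the fix above from the relying party's side. In the SAML 2.0 HTTP-Redirect binding the SigAlg query parameter names the signature algorithm, so whether an Identity Server is really signing with rsa-sha256 can be read off the redirect URL it produces. The example also rebuilds the exact string the Redirect-binding signature is computed over (SAMLRequest, then RelayState if present, then SigAlg, each value URL-encoded once and taken as sent), which is the part verifiers most often get wrong. The sample URL and its parameter values are constructed; the function names are this example's own.

```python
"""Added example (not Access Manager code): inspecting a SAML 2.0 HTTP-Redirect
binding URL for its signature algorithm and reconstructing the signed string.
The sample URL is constructed; the SAMLRequest and Signature values are dummies.
"""
from urllib.parse import parse_qs, quote, urlsplit

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def signed_query_string(saml_message: str, relay_state, sig_alg: str,
                        message_param: str = "SAMLRequest") -> str:
    """Build the octets a sender signs in the Redirect binding.

    saml_message is the deflated+base64 SAMLRequest (or SAMLResponse) value.
    RelayState is URL-encoded exactly once here; passing an already encoded
    RelayState double-encodes it and the receiver's signature check fails.
    """
    parts = [f"{message_param}={quote(saml_message, safe='')}"]
    if relay_state is not None:
        parts.append(f"RelayState={quote(relay_state, safe='')}")
    parts.append(f"SigAlg={quote(sig_alg, safe='')}")
    return "&".join(parts)


def signed_query_string_from_url(url: str) -> str:
    """Rebuild the signed string from a received URL using the raw encoded values.

    A verifier must not decode and re-encode the parameters: any difference in
    percent-encoding from what the sender signed invalidates the signature.
    """
    raw = dict(p.split("=", 1) for p in urlsplit(url).query.split("&") if "=" in p)
    message_param = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    if message_param not in raw:
        raise ValueError("no SAMLRequest or SAMLResponse parameter")
    order = (message_param, "RelayState", "SigAlg")
    return "&".join(f"{k}={raw[k]}" for k in order if k in raw)


def redirect_sig_alg(url: str):
    """Return the decoded SigAlg parameter of a Redirect-binding URL, or None if unsigned."""
    return parse_qs(urlsplit(url).query).get("SigAlg", [None])[0]


def uses_sha256(url: str) -> bool:
    """True when the redirect is signed with rsa-sha256 rather than rsa-sha1 (or unsigned)."""
    return redirect_sig_alg(url) == RSA_SHA256


if __name__ == "__main__":
    # Constructed: what a browser would be redirected to by a SHA-256-signing IdP.
    sample = ("https://idp.example/saml?" + signed_query_string("ZHVtbXk", "x y", RSA_SHA256)
              + "&Signature=c2ln")
    print(sample)
    print("SigAlg:", redirect_sig_alg(sample), "sha256:", uses_sha256(sample))
```

To check the fix, capture the Location header of the redirect the Identity Server issues and run uses_sha256 on it; the Signature value itself is then verified over signed_query_string_from_url(url) with the IdP's public key.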
Users are not able to register their devices if they cancel the process without specifying a TOTP in the first attempt. When they retry registration, the registration page is not shown. This issue also occurs if a user enters an incorrect TOTP.
This issue occurs because TOTP authentication stores the secret key in the LDAP attribute before device registration completes. (Bug 1096821)
In a cluster configuration, the JSESSIONID cookie of the proxy Identity Server is also sent with the intended cookie to the user's device. This prevents the correct session from being identified in subsequent requests. (Bug 1092936)
The following issues are fixed in Access Gateway:
This issue occurs because the TGS exchange between Access Gateway and the Kerberos Key Distribution Center fails. (Bug 982954)
A cookie created by Access Gateway using an Identity Injection policy does not overwrite a browser cookie with the same name. Both cookies are sent to the application. (Bug 1102883)
After purchasing Access Manager 4.4.3, log in to the NetIQ Downloads page and follow the link that allows you to download the software.
The following files are available:
Table 1 Files Available for Access Manager 4.4.3
Contains Identity Server and Administration Console .tar file for Linux.
Contains Identity Server and Administration Console .exe file for Windows Server.
Contains Access Gateway Appliance .iso file.
Contains Access Gateway Appliance .tar file.
Contains Access Gateway Service .exe file for Windows Server.
Contains Access Gateway Service .tar file for Linux.
Contains Analytics Server Appliance .tar file.
NOTE: This release does not support a fresh installation of Analytics Server, but you can upgrade an existing Analytics Server to the latest version. If you are installing Analytics Server for the first time, install Analytics Server 4.4 SP2 and then upgrade it to 4.4 SP3.
For information about the upgrade paths, see Section 4.0, Supported Upgrade Paths. For more information about installing and upgrading, see the NetIQ Access Manager 4.4 Installation and Upgrade Guide.
NOTE: Before upgrading Access Manager, check the Troubleshooting section in the NetIQ Access Manager 4.4 Installation and Upgrade Guide.
After upgrading to Access Manager 4.4.3, verify that the version number of each component is 4.4.3.0-93. To verify the version number, perform the following steps:
1. In Administration Console Dashboard, click Troubleshooting > Version.
2. Verify that the Version field lists 4.4.3.0-93.
To upgrade to Access Manager 4.4.3, you need to be on one of the following versions of Access Manager:
4.3 Service Pack 3
4.3 Service Pack 3 Hotfix 1
4.4 Service Pack 1
4.4 Service Pack 1 Hotfix 1
4.4 Service Pack 2
For more information about upgrading Access Manager, see NetIQ Access Manager 4.4 Installation and Upgrade Guide.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Issue: When a new client application is registered, a new object gets added to the eDirectory. When the number of registered client applications increases, the attribute storing the objects increases in size. This increase in size restricts further registration of the client application. This issue occurs when the number of client applications is approximately 650 or more. (Bug 1102902)
Issue: Users do not receive the voice OTP if they did not specify the OTP within the OTP validity period in the first attempt. However, if they specify an incorrect OTP in the first attempt, clicking the resend option sends a fresh voice OTP. (Bug 1097810)
Workaround: Execute the contract again.
Issue: When you create a method with the Advanced Authentication Generic class, the chains field does not display the list of all the configured chains. This issue occurs after upgrading Access Manager from 4.3.3 or an earlier supported version to 4.4 or later. (Bug 1111616)
Workaround: Recreate the endpoints.
Recreating the endpoints
1. Delete the existing endpoint from the Advanced Authentication server.
2. In Access Manager Administration Console, open the Advanced Authentication server settings of the Identity Server cluster.
3. Change the IP address of the Advanced Authentication server to a dummy IP address. For example, if the original IP address of the Advanced Authentication server is 10.10.10.10, change it to a dummy IP address such as 10.10.20.20.
4. Verify that the same dummy IP address is updated in the config.xml file on all nodes of the Identity Server cluster: log in to the terminal of each Identity Server in the cluster and check that /etc/aaplugin/config.xml now contains the dummy IP address.
5. Delete the /etc/aaplugin/config.xml file from all nodes of the Identity Server cluster.
6. In Access Manager Administration Console, open the same Advanced Authentication server settings again, specify the original IP address of the Advanced Authentication server, and apply the change. This updates the endpoints in the Advanced Authentication server.
7. Verify that the config.xml file is created successfully on all nodes of the Identity Server cluster.
Issue: After converting the Secondary Administration Console to Primary Administration Console, the converted Administration Console does not work because it fails to communicate with other servers. (Bug 1122742)
Issue: This issue occurs because there is an incorrect setting in the Tomcat Java options of JNDI. (Bug 1117444)
Workaround: Perform the steps mentioned in TID 7023648.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2018 NetIQ Corporation. All Rights Reserved.