Access Manager 4.4 Service Pack 3 Release Notes

November 2018

Access Manager 4.4 Service Pack 3 (4.4.3) includes enhancements, improves usability, and resolves several previous issues.

Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Manager forum on our community website that also includes product notifications, blogs, and product user groups.

For information about the previous release, see Access Manager 4.4 Service Pack 2 Release Notes.

For more information about this release and for the latest release notes, see the Documentation page. To download this product, see the Product page.

If you have suggestions for documentation improvements, click comment on this topic at the bottom of the specific page in the HTML version of the documentation posted at the Documentation page.

For information about Access Manager support lifecycle, see the Product Support Lifecycle page.

1.0 What’s New?

This release provides the following enhancements and fixes:

1.1 Enhancements

This release includes the following OAuth enhancements:

Support for the Form Post Response For Authorization Endpoint

This release supports the Form Post Response mode to return the response parameters, such as code, id_token, token, and state, as HTML form parameters to redirect_uri.

The JSON Web Key Set Endpoint Includes Optional Parameters

Along with the existing parameters, the JSON Web Key Set endpoint displays the optional parameters to comply with RFC 7517.

Support for Managing Token Revocation

A new option, Token Revocation is added to the OAuth Global Settings to manage the token revocation feature. By default, this option is enabled.

For more information about this option, see Token Revocation under Defining Global Settings in the NetIQ Access Manager 4.4 Administration Guide.

Access Manager OAuth Application Developer Guide

In addition to the existing deliverables, this release introduces the Access Manager OAuth Application Developer Guide in the developer documentation library.

The Access Manager OAuth Application Developer Guide is intended for client developers. This guide provides the information to help you build an OAuth-based client application when using Access Manager as the authorization server.

1.2 Operating System Upgrade

In addition to the existing supported platforms, this release adds support for RHEL 6.10.

NOTE:For more information about system requirements, see System Requirements in the NetIQ Access Manager 4.4 Installation and Upgrade Guide.

1.3 Updates for Dependent Components

This release adds support for the following dependent components:

  • eDirectory 9.1.1

  • Java 1.8.0-181

  • Apache 2.4.34

  • OpenSSL 1.0.2n

  • Tomcat 8.5.32

  • iManager 3.1.1.1

1.4 Software Fixes

This release includes software fixes for the following components:

Administration Console

The following issue is fixed in Administration Console:

Creating a New Virtual Attribute Throws an Error

This issue occurs because the size of the VirtualAttributeXML object in eDirectory exceeds the limit of the current data type. (Bug 1094251)

Identity Server

The following issues are fixed in Identity Server:

  • Zip Slip Vulnerability

  • Vulnerability in Identity Server (CVE-2018-12480). For more information, see TID 7023513.

  • Vulnerability while adding target query to SSO service in Identity Server (CVE-2018-17948). For more information, see TID 7023530.

OpenID Connect Authorization Code Flow Fails After Upgrading to Access Manager 4.4 SP2

OpenID connect authorization code flow gives an error because the nonce parameter is missing. (Bug 1102844)

The Access Manager JSON Web Key Uses Incorrect Base64 Encoding

Access Manager encodes the JWK values of the Keys parameter, such as n and e, by using the base64 encoding instead of base64URL encoding. This makes the Access Manager JSON Web key Set (JWKS) format non-compliant with RFC 7517. (Bug 1094264)

The UserInfo Request Fails Even When the Token Is Valid

The Access Manager UserInfo EndPoint and TokenInfo EndPoint do not recognize a valid access token and responds with the token invalid or token revoked message.

This is a random issue and occurs in an Identity Server cluster environment that includes multiple user store replica. (Bug 1104336)

Identity Server Does Not Redirect the User to the SAML 2.0 Service Provider

This issue occurs when an assertion is sent with a URL encoded RelayState value. (Bug 1100379)

The SAML 2.0 Authentication Request Does Not Get Signed with SHA256 When Using SAML 2.0 Redirect Flow

The SAML 2.0 redirect flow authentication request gets signed with SHA1 instead of SHA 256 when SAML2 SIGN METHODDIGEST SHA256 parameter is set to true.

This issue occurs because the default certificate private key algorithm is considered as SHA1 instead of SHA256. (Bug 1098908)

Users Cannot Register their Devices If They Did Not Complete the Registration Process in the First Attempt

Users are not able to register their devices if they cancel the process without specifying TOTP in the first attempt. When they retry to register, the registration page is not shown. This issue also occurs if a user enters an incorrect TOTP.

This issue occurs because TOTP authentication stores the secret key in the LDAP attribute without device registration. (Bug 1096821)

The X509 Dual Connector Contract Fails to Authenticate a User

In a cluster configuration, the JSESSIONID cookie of the proxy Identity Server is also sent with the intended cookie to the user's device. This prevents from identifying the correct session in the subsequent requests. (Bug 1092936)

Access Gateway

The following issues are fixed in Access Gateway:

Kerberos Constrained Delegation Fails in Windows Server 2012 R2 and 2016

This issue occurs because TGS exchange between Access Gateway and Kerberos Distribution Center fails. (Bug 982954)

Cookies Created by Access Gateway Do Not Overwrite the Browser Cookies

A cookie created by Access Gateway using an Identify Injection policy does not overwrite a browser cookie with the same name. Both cookies are sent to the application. (Bug 1102883)

2.0 Installing or Upgrading

After purchasing Access Manager 4.4.3, log in to the NetIQ Downloads page and follow the link that allows you to download the software.

The following files are available:

Table 1 Files Available for Access Manager 4.4.3

Filename

Description

AM_44_SP3_AccessManagerService_Linux64.tar.gz

Contains Identity Server and Administration Console .tar file for Linux.

AM_44_SP3_AccessManagerService_Win64.exe

Contains Identity Server and Administration Console .exe file for Windows Server.

AM_44_SP3_AccessGatewayAppliance.iso

Contains Access Gateway Appliance .iso file.

AM_44_SP3_AccessGatewayAppliance.tar.gz

Contains Access Gateway Appliance .tar file.

AM_44_SP3_AccessGatewayService_Win64.exe

Contains Access Gateway Service .exe file for Windows Server.

AM_44_SP3_AccessGatewayService_Linux64.tar.gz

Contains Access Gateway Service .tar file for Linux.

AM_44_SP3_AnalyticsServerAppliance.tar.gz

Contains Analytics Server Appliance .tar file.

NOTE:This release does not support a fresh installation of Analytics Server, but you can upgrade an existing Analytics Server to the latest version. So, if you are installing Analytics Server for the first time, then install Analytics Server 4.4 SP2 and upgrade to 4.4 SP3.

For information about the upgrade paths, see Section 4.0, Supported Upgrade Paths. For more information about installing and upgrading, see the NetIQ Access Manager 4.4 Installation and Upgrade Guide.

3.0 Verifying Version Number after Upgrading to 4.4.3

After upgrading to Access Manager 4.4.3, verify that the version number of the component is indicated as 4.4.3.0-93. To verify the version number, perform the following steps:

  1. In Administration Console Dashboard, click Troubleshooting > Version.

  2. Verify that the Version field lists 4.4.3.0-93.

4.0 Supported Upgrade Paths

To upgrade to Access Manager 4.4.3, you need to be on one of the following versions of Access Manager:

  • 4.3 Service Pack 3

  • 4.3 Service Pack 3 Hotfix 1

  • 4.4 Service Pack 1

  • 4.4 Service Pack 1 Hotfix 1

  • 4.4 Service Pack 2

For more information about upgrading Access Manager, see Upgrading Access Manager in the NetIQ Access Manager 4.4 Installation and Upgrade Guide.

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Cannot Register a New Client Application

Issue: When a new client application is registered, a new object gets added to the eDirectory. When the number of registered client applications increases, the attribute storing the objects increases in size. This increase in size restricts further registration of the client application. This issue occurs when the number of client applications is approximately 650 or more. (Bug 1102902)

Workaround: None.

5.2 Users Do Not Receive Voice OTP If They Did Not Specify the OTP in the First Attempt

Issue: Users do not receive the voice OTP if they did not specify the OTP within the OTP period, in the first attempt. However, if they specify an incorrect OTP in the first attempt, then clicking Resend OTP sends a fresh voice OTP. (Bug 1097810)

Workaround: Execute the contract again.

5.3 The Advanced Authentication Chains Are Not Displayed When Creating a Method with Advanced Authentication Generic Class

Issue: When you create a method with the Advanced Authentication Generic class, the Advanced Authentication Chains field displays No Chains Configured and does not display the list of all the configured chains. This issue occurs after upgrading Access Manager from 4.3.3 or earlier supported versions to 4.4 or later. (Bug 1111616)

Workaround: Recreate the endpoints.

Recreating the endpoints

  1. Delete the existing endpoint from the Advanced Authentication server.

  2. On the Access Manager Administration Console, click Devices > Identity Servers > Shared Settings > Advanced Authentication

  3. In the Server Domain field, change the IP address of the Advanced Authentication server to a dummy IP address.

    For example, if the original IP address of Advanced Authentication server is 10.10.10.10, then change it to a dummy IP address such as, 10.10.20.20.

  4. Verify if the same dummy IP address is updated in the config.xml file on all the nodes of the same Identity Server cluster.

    Log in to the Identity Server terminals of the same cluster and check if the /etc/aaplugin/config.xml file has changed the IP address to the dummy IP address.

  5. Delete the /etc/aaplugin/config.xml files from all the nodes of Identity Server cluster.

  6. On the Access Manager Administration Console, click Devices > Identity Servers > Shared Settings > Advanced Authentication

  7. Specify the original IP address of the Advanced Authentication Server in the Server Domain field and apply the change.

    This updates the endpoints in the Advanced Authentication server.

    Verify that the config.xml file is created successfully on all the nodes of the Identity Server cluster.

6.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

7.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2018 NetIQ Corporation. All Rights Reserved.