Access Manager 4.5 Release Notes

April 2019

Access Manager 4.5 includes new features, enhancements, improves usability, and resolves several previous issues.

Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

For information about the previous release, see Access Manager 4.4.4 Release Notes.

For more information about this release and for the latest release notes, see the Documentation page. To download this product, see the Product page.

If you have suggestions for documentation improvements, click comment on this topic at the top or bottom of the specific page in the HTML version of the documentation posted at the Documentation page.

For information about Access Manager support lifecycle, see the Product Support Lifecycle page.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:

1.1 New Features and Enhancements

This release introduces the following new features and enhancements:

Access Gateway Appliance Installer Is Now Available in the OVF Format

This release introduces the Access Gateway Appliance installer in the OVF format. This installer creates a virtual machine with Access Gateway on a SLES 12 SP3 operating system.

To deploy the OVF installer, you require VMWare ESXi 5.5 or later. The installer includes Common Appliance Framework (CAF). CAF provides an Access Gateway configuration console to update the Access Gateway server configuration. After installation, you must log in to CAF and register Access Gateway Appliance with Administration Console. For information about registering Access Gateway Appliance with Administration Console, see ”Configuring Access Gateway Appliance” in the NetIQ Access Manager 4.5 Installation and Upgrade Guide.

For more information about installing Access Gateway Appliance, see “Installing Access Gateway Appliance” in the NetIQ Access Manager 4.5 Installation and Upgrade Guide.

Auto Scaling of Access Manager on Amazon Web Services

Access Manager now supports auto scaling of Identity Server and Access Gateway on Amazon Web Services (AWS). Access Manager uses the CloudFormation template to deploy the auto scaling configuration in an existing Access Manager setup on AWS. Auto scaling performs the following actions:

  • Automatic creation and deletion of Identity Server and Access Gateway instances to match users’ requirements. It ensures the cost-effective operation of Access Manager.

  • Automatic replacement of faulty instances with new instances. It ensures that Access Manager is always available.

To provision auto scaling of Access Manager in AWS, you must have working instances of Administration Console, Access Gateway cluster, and Identity Server cluster on AWS. For more information about deploying Access Manager on AWS, see “Deploying Access Manager on Amazon Web Services EC2” in NetIQ Access Manager 4.5 Installation and Upgrade Guide.

For more information about auto scaling of Access Manager on AWS, see “Auto Scaling Access Manager on AWS” in the NetIQ Access Manager 4.5 Installation and Upgrade Guide.

OAuth Enhancements

Access Manager provides the following enhancements to the OAuth support for better application interoperability, flexibility, and improved security. The enhancements include:

Support for Introspection of an Access Token or a Refresh Token

An authorized resource server can introspect an access token or a refresh token to check the status of the token.

When a client application sends a token to a resource server for authorization, the resource server must know whether the token is valid. To check the status of the token, the resource server can send an API request to the authorization server (Identity Server) introspection endpoint. This endpoint responds with a JSON document that includes the token status (active: true or false) and the meta information of the token. For more information about token introspection, see RFC 7662.

The Token Introspect Endpoint is listed in the Endpoint summary page of OAuth & OpenID Connect. For information about the request and response for introspecting a token, see “Token Introspect Endpoint” in Access Manager 4.5 OAuth Application Developer Guide.

HTTP Basic Authentication Support to Authenticate Client Applications

Access Manager now supports the requests containing client credentials within the basic authorization header. The client application can use any of the following ways to request for a token:

  • Use client_id and client_secret in the request body parameters.

  • Send the client credentials in the basic authorization header. For more information, see RFC 6749.

The request containing client credentials within the basic authorization header is supported for the following endpoints:

The ID Token Signing Algorithm for the Response Is Now Mandatory During the Client Registration

ID Token Signed Response Algorithm is now a mandatory field if you have selected Token Types: as ID Token during the client registration. For more information, see “Registering OAuth Client Applications”.

Support for Adding User Attributes to an ID Token and Adding Claims to both Access and ID Tokens

You can now add the required user attributes and user claims/ permissions to ID token. Also, you can add claims/permissions to access token. For more information about configuring the scope for ID and Access tokens and see “Configuring User Claims or Permission in Scope”.

Support for Multiple Response Type Encoding

You can specify the response mode as query, fragment, or form_post in the request to the authorization endpoint. Also, you can specify the none response type when sending the request to the authorization endpoint. For more information about the request parameters, see “Authorization Endpoint”.

For information about response types and response modes, see OAuth 2.0 Multiple Response Type Encoding Practices.

Enhanced Metadata Endpoint

In addition to the existing details, the metadata endpoint now provides the following details:

  • Revocation Endpoint

  • Introspection Endpoint

  • Supported response type

  • Supported response mode

  • Token endpoint authentication method

  • Supported revocation endpoint authentication methods

  • Supported introspection endpoint authentication methods

For more information about metadata endpoint, see “Metadata Endpoint”.

The TokenInfo Endpoint Is Deprecated

The TokenInfo Endpoint is deprecated. Therefore, it will not be enhanced any longer. You can use Token introspection to know the status of the token. For information about the endpoints, see “Viewing Endpoint Details”.

Support for Using Tokens in the Binary Format

The default format for tokens is JWT. To continue using tokens in the binary format, you can configure the OAUTH TOKENS IN BINARY FORMAT setting in the Identity Server global options. It is recommended to use the default JWT format. However, if the legacy client application cannot manage JWT tokens, then use this setting until you update the client application to use JWT tokens.

If this setting is selected, the new features, such as token encryption using resource server keys and token revocation, will not be available. For more information about this setting, see Configuring Identity Server Global Options in the Access Manager 4.5 Administration Guide.

Enhanced Application Connector Catalog

The Application Connector Cataloghas been updated with new SAML and SSO Assistant connectors. In addition, the catalog now provides the following tabs to categorize connectors based on the type and to improve the search:

Support for Provisioning User Accounts Using SaaS Account Management

SaaS Account Management (SAM) in Access Manager enables you to provision user accounts to your SaaS providers automatically. SAM performs the following actions based on changes made to the user store and user groups that are configured at the SAML Application Configuration page in Access Manager:

  • Automatically provision user accounts to supported SAML applications.

  • Synchronize any changes you make in your user store.

  • Automatically deprovision accounts for connected applications based on changes made in your user store.

The provisioning and deprovisioning can also happen if you make changes in the Account Management tab of the connector where it is imported.

To provision SAML accounts by using SAM, you must first purchase and deploy the SAM appliance and configure the appropriate SAM connector for the SAML application. For more information about deploying the SAM appliance and SAM connectors, see the NetIQ SaaS Account Management Installation Guide and SaaS Account Management Connectors Guide.

Access Manager provides a number of SAML connectors that support account provisioning when SAM is deployed. To see the list of all account management connectors that Access Manager provides, see Application Connector Catalog > Account Management.

Secure API Manager Integration

You can integrate Access Manager with Secure API Manager to extend Access Manager’s capability of securing micro-services, REST-based web services, IoT devices, and legacy API systems.

Secure API Manager uses the OAuth feature of Access Manager to allow token-based authorization for the API requests.

For information about Secure API Manager, see Secure API Manager Documentation.

Access Manager and Advanced Authentication Integration Guide

This release introduces Access Manager and Advanced Authentication Integration Guide in the documentation library. This guide provides the step-by-step information to integrate Advanced Authentication with Access Manager to use multi-factor authentication.

For more information, see Multi-Factor Authentication Using Advanced Authentication.

1.2 Operating System Upgrade

In addition to the existing supported platforms, this release supports installation of Access Manager components on SLES 12 SP4.

NOTE:For more information about system requirements, see “System Requirements” in the NetIQ Access Manager 4.5 Installation and Upgrade Guide.

1.3 Updates for Dependent Components

This release adds support for the following dependent components:

  • Apache 2.4.37

  • eDirectory

  • iManager 3.1.2

  • OpenSSL 1.0.2r

  • ZuluOpenJDK 1.8.0_192

1.4 OpenID Certification

Access Manager is now OpenID Connect certified for the following OpenID Provider conformance profiles:

  • Basic

  • Implicit

  • Hybrid

  • Config

For more information, see the OpenID Certification page.

1.5 Security Fix

(For Windows) Access Manager addresses a potential vulnerability that is caused by the DLL preloading attack.

1.6 Software Fixes

Access Manager 4.5 includes software fixes for the following components:

Identity Server

The following issues are fixed in Identity Server:

Enabling Session Assurance Causes Issues

Issue 1: When Session Assurance is enabled, customization of top.jsp is removed. This issue occurs because the parameters posted to the /nidp/app/login location are deleted. This issue occurs in Access Manager 4.3. (Bug 1074840)

Issue 2: When Session Assurance is enabled, the external authentication to Identity Server fails to redirect to Access Gateway. (Bug 1079654)

Fix: From this release, Session Assurance starts working when a request that requires user login is received from the user’s browser. The regular Session Assurance checks are enabled after the user authenticates successfully.

Customization of the TOTP Form Is Lost When Used After Kerberos Method

Issue: When a contract contains Kerberos as the first method and TOTP as the second method, customization of the top section of the page is lost during the TOTP authentication. This issue occurs only when the Kerberos method is executed successfully without a fallback to another method. This issue occurs only when the Kerberos method is executed successfully without a fallback to another method. (Bug 1111268)

Fix: A check is introduced to ensure that the TOTP form is not missing the customization. If the TOTP form is missing the customization, the TOTP form is reloaded with customization.

OAuth Endpoints Do Not Accept Unencrypted Tokens

TokenInfo, UserInfo, and Token Introspect fail to accept the signed token in the authorization header because the token is not encrypted. Also, the signed token is not introspected by the Token Introspect endpoint. (Bug 1102336)

Identity Server Is Not Updated When the LDAP Server Replica Is Not Reachable

Issue: When the user store replicas are not reachable, the Identity Server update moves to the pending state and takes a longer time to update. Also, the heartbeat URL takes a longer time to display the Identity Server health. If the heartbeat URL is configured at the load balancer, the load balancer will stop Identity Servers. (Bug 1121936)

Fix: From this release, the LDAP Operation timeout and the Idle Connection timeout configured in Administration Console are now considered by Identity Servers while making LDAP connection to the user stores.

Access Manager Does Not Support the Multi-Value antiClickjacking XSS Controls

Issue: In a multi-domain environment, Identity Server authentication fails while using the single value of the anticlickjacking X-FRAME-OPTIONS header. (Bug 1079346)

Fix: Access Manager allows configuring custom response headers for every Identity Servers. You can also create the Content Security Policy header that can be used for securing the communication between the client browser and Identity Server.

For more information, see “Configuring the Custom Response Header for an Identity Server Cluster” in the Access Manager 4.5 Administration Guide.

Access Manager Does Not Add A New OpenID Connect Application

Issue: When an OpenID Connect application is created, Administration Console stores the application attributes in eDirectory. eDirectory can store the string type attributes up to a limit. If you create a new application after the limit is reached, the Unexpected error message is displayed. (Bug 1104160)

Fix: From this release, the nidsOAuth2CFGXML attribute type is changed from string to stream to fix this issue.

Access Gateway

The following issues are fixed in Access Gateway:

The Favicon.ico Requests Cause Browser Connection Limitations

Issue: Access Gateway considers the client’s request for the favicon.ico as public and each request creates a new TCP connection or uses an existing one. When a limit is specified for the number of connections per user session, the favicon.ico requests can block new client requests. (Bug 1110753)

Fix: The following two options are introduced to block the favicon.ico requests. It prevents the favicon.ico requests to create new TCP connections.

NAGGlobalOptions DisableFavicon

NAGHostOptions DisableFavicon

For more information about these options, see “Configuring Global Advanced Options” and “Configuring Advanced Options for a Domain-Based and Path-Based Multi-Homing Proxy Service” in the Access Manager 4.5 Administration Guide.

Access Gateway Considers Valid URLs As XSS Attack

Issue: The reference header of every browser request is checked for possible XSS attacks. An administrator can not specify exceptions to skip this check. (Bug 1083726)

Fix: The following fixes are introduced to fix this issue:

2.0 Installing or Upgrading

After purchasing Access Manager 4.5, log in to the NetIQ Downloads page and follow the link that allows you to download the software.

The following files are available:

NOTE:After the 4.5 release, the .exe files have been replaced with the .zip files. Hence, you may find mismatch in the dates of publishing the files.

Table 1 Files Available for Access Manager 4.5




Contains Identity Server and Administration Console .tar file for Linux.

Contains Identity Server and Administration Console .exe file for Windows Server.


Contains Access Gateway Appliance OVF template.

Contains Access Gateway Service .exe file for Windows Server.


Contains Access Gateway Service .tar file for Linux.

NOTE:This release does not provide files for installing or upgrading Analytics Server. For a fresh installation of Analytics Server, use AM_442_AnalyticsServerAppliance.iso file, and then upgrade Analytics Server to 4.4 Service Pack 3 by using AM_443_AnalyticsServerAppliance.tar.gz file. If you are already using a previous version of Analytics Server, then upgrade to Analytics Server 4.4 Service Pack 3.

For information about the upgrade paths, see Supported Upgrade Paths. For more information about installing and upgrading, see the NetIQ Access Manager 4.5 Installation and Upgrade Guide.

3.0 Verifying Version Number After Upgrading to 4.5

After upgrading to Access Manager 4.5, verify that the version number of the component is indicated as To verify the version number, perform the following steps:

  1. In Administration Console Dashboard, click Troubleshooting > Version.

  2. Verify that the Version field lists

4.0 Supported Upgrade Paths

To upgrade to Access Manager 4.5, you must be on one of the following versions of Access Manager:

  • 4.4 Service Pack 4

  • 4.4 Service Pack 3

  • 4.4 Service Pack 2

For more information about upgrading Access Manager, see Upgrading Access Manager in the NetIQ Access Manager 4.5 Installation and Upgrade Guide.

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Creating the EC Certificate Displays the PKI -1217 Error Message

Issue: Fresh installation of Access Manager 4.5 does not create the ECDSA Root CA certificate and displays the PKI -1217 error message. (Bug 1126123)

Workaround: No workaround is available.

5.2 Issue in Using an EC Certificate as the OAuth Signing Certificate

Issue: The JSON Web Key Set endpoint stops working when you assign an EC certificate as the OAuth signing certificate. This issue occurs because the SAML metadata does not accept the EC certificate for signing and encryption. (Bug 1124189) and (Bug 1128131)

Workaround: Use the REST certificate as OAuth signing certificate.

5.3 iManager Displays Certificate Revocation List Endpionts

Issue: When Access Manager is upgraded to the 4.5 version, all new certificates created by iManager include a list of Certificate Revocation List (CRL) endpoints. The endpoints refer to the configuration store IP address. CRL endpoints are disabled for the fresh installation of Access Manager 4.5. (Bug 1126434)

Workaround: See TID 7023739.

5.4 Promoting a Secondary Administration Console to Primary Does Not Work Properly

Issue: When a secondary Administration Console is promoted to primary Administration Console then it does not allow installation of new Identity Servers. (Bug 1122742)

Workaround: See TID 7023786.

5.5 The iManager Certificate Server CRL List on the Certificate Authority Object Is Empty

Issue: The CRL tab of iManager Certificate Server Plugin does not display the CRL Endpoints. This issue occurs because the ndspkiCRLContainerDN attribute is missing from the Certificate Authority object. (Bug 1126281)

Workaround: No workaround is available.

5.6 Single Sign-On to Skype for Business Does Not Work

Issue: You cannot log in to Skype for Business 2016 using the Identity Server login page. This issue occurs because Access Manager uses the JQuery version that is higher than the version used in the earlier release of Access Manager. The higher version is used for preventing any security vulnerability and this version of jQuery is not compatible with the Skype for Business 2016 application. (Bug 1126708)

Workaround: To continue using an old version of jQuery, which is less secure, you can replace the new jQuery files with the old file. For more information about how to replace these files, see Single Sign-on Fails in Skype for Business 2016 in the Access Manager 4.5 Administration Guide.

5.7 Code Promotion Does Not Support Importing Identity Server Custom Files on Windows Server 2016

Issue:After performing Code Promotion, you must import Identify Server custom files manually on Windows. (Bug 1128822)

Workaround: Perform the following steps to import Identity Server custom files manually:

  1. Extract the exported Code Promotion file (NAMExportedConfig_***.namcfg). During the extraction process, if prompted, provide the same password given while exporting the configuration.

  2. After extracting the configuration file, go to the exportedconfig > exportedCustomConfig folder.

  3. Extract the respective custom configuration zip file for Identity Server (SCC*.tar.gz) and manually copy custom files to Identity Server devices.

    • You can see the list of custom files those are successfully imported in the filesSucceeded file available in the exportedCustomConfig > customfiles folder. All custom files, which are successfully imported, are available in the C#-# folder name representing the Windows C:\ partition.

    • Custom files located in C:\Program Files\Novell\Tomcat\webapps\nidp\jsp\main_custom.jsp are available in the C#-#\ Program Files\Novell\Tomcat\webapps\nidp\jsp\ folder.

    • The novlwww users have the file permissions, such as Full Control, Modify, and Read&Execute to perform file operations on custom files.

6.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

7.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see

Copyright © 2019 NetIQ Corporation. All Rights Reserved.