eDirectory 8.8.8 Patch 7

January 2016

eDirectory 8.8.8 Patch 7 supersedes eDirectory 8.8.8 Patch 6.

For a full list of all issues resolved in eDirectory 8.8, including all patches, refer to TID 3426981, “History of Issues Resolved in eDirectory 8.8.x”.

For the list of software fixes and enhancements in the previous releases, see eDirectory 8.8.8 Patch 6 Release Notes.

To download this product, see the NetIQ Downloads Web site. For more information on eDirectory, see the eDirectory documentation Web site.

For information about security services that are bundled with eDirectory and other components used with eDirectory, see Section 7.0, Additional Documentation.

1.0 What’s New

This release includes the following platform updates and fixed issues:

1.1 Enhancements

Enhanced Certificate Server Plug-In for Signing Algorithm Feature of Certificate Authority

This release introduces the enhanced Certificate Server Plug-In for allowing the Certificate Authority to create default certificates with the CA’s signature algorithm during server health check when the CA is recreated with a new signature algorithm. To do this, enable the HealthCheck - Follow CA's Signing Algorithm under Server Self Provisioning in iManager.

To leverage this feature, upgrade your Certificate Server plug-in and eDirectory to version 8.8 SP8 Patch 7.

1.2 Updates for Dependent Components

In this release, the Java version has been updated to 1.8.0_66.

Upgrading the Java Version

  • Linux: There are no manual steps required to update the version of Java. After updating the patch, the Java version will be 1.8.0_66.

  • Windows: There are no manual steps required to update the version of Java. After updating the patch, the Java version will be 1.8.0_66.

1.3 Fixed Issues

eDirectory 8.8.8 Patch 7 includes the following software fixes that resolve several previous issues:

Resolved NTLS Vulnerability CVE-2015-3195

This patch updates eDirectory to resolve the NTLS vulnerability CVE-2015-3195.

NDSD Memory Leak Occurs After LDAP Configuration Code Path Is Executed

Issue: The memory leaks occur in the CreateListeners and the SetDefaultListenerURLs functions after the LDAP server configuration code path.

Fix: This patch updates the eDirectory code to avoid memory leak while executing the LDAP_server configuration code path.

Username Is Wrongly Placed in the TargetHostName Field When the Account Security Token Event is Modified

Issue: While changing the password for a user object, eDirectory sends a Modify Account Security Token event to the Syslog connector. The user name and the domain names were incorrectly placed in the TargetHostName and TargetHostDomain fields of the event.

Fix: This patch updates the XDAS audit library to correctly place the user name and the domain names in the corresponding fields of the event.

The Certificate Authority Signing Algorithm Feature Does not Work With the New Servers Added To An eDirectory Tree

Issue: The ‘Follow CA's Signature Algorithm’ feature was not working in all scenarios.

Fix: This patch updates eDirectory to enable the new servers added to the tree to work with the Follow CA’s Signing Algorithm feature.

Certificates Generated Using Certificate Signing Request Are Signed with SHA-1

Issue: After recreating the eDirectory tree’s CA to use the SHA-256, certificates generated through the Certificate Signing Request still use SHA-1 for certificate signing instead of SHA-256.

Fix: The iManager Certificate Server plug-in now provides a new option, Specify Certificate Parameters, to specify the signature algorithm while issuing certificates.

Resolved Issues with Server Self Provisioning And CRL Distribution Points

Issue: The Certificate Server fails to generate SSL CertificateDNS when CRL distribution points are changed.

Fix: This patch updates eDirectory to generate the SSL CertificateDNS when the CRL distribution points are changed.

2.0 System Requirements

For a detailed list of prerequisites for installing eDirectory, see the NetIQ eDirectory 8.8 SP8 Installation Guide.

3.0 Installing or Upgrading

To upgrade to eDirectory 8.8.8 Patch 7, go to the NetIQ Downloads page and follow the link that allows you to download the software.

NOTE:eDirectory 8.8.8 Patch 7 contains an older version of PA (Platform Agent) build that does not resolve the issue causing NDSD crash. Click here to download the latest version of PA that resolves this issue.

4.0 Supported Upgrade Paths

The installation program provides the ability to upgrade from eDirectory 8.8 SP8 onwards or perform a new installation.

Ensure that you are currently on any one of the following eDirectory versions, before upgrading to eDirectory 8.8.8 Patch 7:

  • 8.8.8

  • 8.8.8 Patch 1

  • 8.8.8 Patch 2

  • 8.8.8 Patch 3

  • 8.8.8 Patch 4

  • 8.8.8 Patch 5

  • 8.8.8 Patch 6

For more details, see Installing or Upgrading eDirectory in the NetIQ eDirectory 8.8 SP8 Installation Guide.

NOTE:If you have eDirectory 8.5.x or 8.6.x, you must first upgrade to eDirectory 8.7.x, then upgrade to eDirectory 8.8 SP8 and later.

5.0 Installing iManager Plug-Ins

  1. Download the iManager plug-in (eDir_88_iMan27_Plugins.npm) from the Downloads Web site.

  2. Install the NPM. For installation instructions, see NetIQ iManager 2.7.7 Installation Guide.

6.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

6.1 RHEL 7.2 Is Not Supported

This patch does not support eDirectory on Red Hat Enterprise Linux 7.2 platform.

7.0 Additional Documentation

7.1 iManager

For iManager information, refer to the iManager online documentation.

7.2 NMAS

For NMAS information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

7.3 Password Management

For Password Management information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

7.4 Certificate Server

For Certificate Server information, refer to the eDirectory online documentation page. This documentation is available as a zip file at the end of this page.

7.5 Novell International Cryptographic Infrastructure (NICI)

For NICI information, refer to the NICI online documentation.

7.6 eDirectory Issues on Open Enterprise Server

For more information on eDirectory issues on Open Enterprise Server (OES), refer to the OES Readme.