February 11, 2009
This Readme contains the new features, the fixes, and known issues for iChain 2.3 Support Pack 6. For the latest iChain 2.3 documentation, including updates to this Readme, see the Novell iChain Documentation Web page.
The following sources provide information about Novell iChain:
Installation: Installing the iChain Proxy Server
Online product documentation: Novell iChain 2.3
iChain 2.3 SP6 adds no new features, but the following issues are fixed in SP6.
Fixed a Form Fill issue that caused upper case password characters to be changed to lower case characters when doing a masked post.
Fixed an issue that cause iChain to have high utilization after an apply.
Fixed the issue that caused iChain to return the error 502 Mal-formed reply from origin server with compressed data.
Fixed the issued that prevented EV certificates from getting initialized correctly.
Fixed the issued with GZIP compression that caused iChain to add the ISIZE footer as data when the ISIZE footer was chunked.
Updated the Audit platform agent.
Enabled aclcheck normalization for dynamic queries.
Fixed an abend in proxy.nlm.
Removed the simulated EOF in GZIP and IP address check fixes.
Updated LDAP SDK NLMs.
Fixed the set-cookie issue on rename cookie.
Fixed the Console stats (double 400 error).
Fixed Nessus scan crashes in the proxy.
Cleaned up chunking.
Added error messages to warn users that an accelerator cannot have two authentication profiles of the same type (LDAP, Radius, or Mutual).
Resolved an error that prevented single sign-on to a Citrix Metaframe server without an NFuse server.
Resolved issues with compressing and decompressing GZIP files.
Resolved issues with Flash and Plone applications.
Fixed an abend problem in the DNS code.
Fixed an issue that caused the system to crash when a user modified Twiki content using the preview feature.
Fixed a SAML issue.
Fixed a memory corruption problem that caused iChain to drop into the debugger.
Fixed a problem that allowed users with extended characters in their names to be granted access when they should have been denied access.
Fixed the error that caused iChain to rewrite the destination URL with an extra double quote at the end.
Fixed a %u escape code.
Fixed the ////// bug.
Fixed it so you now can use different LDAP trees for authentication and authorization.
Added a log message so that the common iChain log reports 0 bytes in the case of an HTTP status 304.
Fixed a problem with GZIP encoding that caused a 504 gateway timeout due to incorrect handling of chunked data.
Removed the following console error message: “ACL rules in NDS are invalid or of old version.”
Fixed a security issue concerning the POSTing of credential data to iChain
Fixed problems with multi-byte range.
Removed csaudi.
Fixed a garbled Novell Audit message.
Fixed a bug in the plerror.c file.
Fixed a compile warning that displayed in production code.
Fixed the error that caused iChain 2.3.343 to break when the REPORT command was used.
Fixed an error that caused iChain not to check the source IP address for the session cookie (-ri switch has not been used)
Fixed a proxy log issue (sensitive trap in VerifyWriteDataBuffer).
An abend that occurs when 50 thousand or more users attempt to access resources on iChain at the same time.
The Health and LDAP pool screens that were not updating accurately.
Upgrading to iChain 2.3 SP5, which caused the machine to come up as an evaluation copy with users unable to authenticate to iChain.
“400 Bad Request” errors after upgrading to iChain 2.3 SP5.
SSO.NLM not loading after upgrading to iChain 2.3 SP5.
Issues with time zones that do not have daylight saving settings.
Internal rewriter issue that caused certain HREFs not to be rewritten when the string is deeply embedded on the page.
The DSSTART and DSEND parameters in the .NAS file now work. The which parameter is no longer invalid.
iChain incorrectly reformatting string in GET request.
Verify that you are running iChain 2.3 SP1 (2.3.257) or later before applying this OTWUG (Over-The-Wire-UpGrade). The OTWUG cannot upgrade an iChain 2.2 server to iChain 2.3
Back-up all configuration files and third-party certificates.
If the iChain server has a cloned drive (multiple drives), you need either to perform a clone update prior to the upgrade or to export the CURRENT.NAS, TUNE.NCF, APPSTART.NCF, MESSAGES.CFG (if customized), any third-party certificates, and any other customized login pages or files to floppy for backup purposes. Remove the floppy.
For information about this process, see Using the Enhanced Configuration Export.
(Recommendation) Test the upgrade thoroughly in an environment that mirrors the production environment prior to deployment.
NCPIP.NLM: For security reasons, C:/NWSERVER/NCPIP.NLM is renamed to NCPIP.OLD. If login to the iChain server is desired, copy NCPIP.OLD to NCPIP.NLM and future OTWUGS will not keep re-naming the file. Or, load C:/NWSERVER/NCPIP.OLD in the SYS:/SYSTEM/TUNE.NCF file.
OAC.PROPERTIES: When you install this support pack, any OLAC custom plug-ins are overwritten. To avoid this issue, back up your OAC.PROPERTIES file before installing this support pack, then copy the file back over once the support pack is successfully installed. If you have not modified the file previously, skip this step.
APPSTART.NCF: Make note of any customized load lines in APPSTART.NCF prior to applying the patch. Do not include load logevent and load lcache if they appear in your current file.
MESSAGES.CFG: This file is updated. If you have modified this file, you need to back it up so you can restore it when the upgrade is completed.
TELNET: This protocol is disabled by default for security reasons. If Telnet is used for administrative purposes you will need to re-enable it after applying this patch. Import the TELNETON configuration file from the Web application under the System >Import/Export tab.
Download the patch from Novell and extract it. The ic23sp6.zip file extracts into three files:
ichain23sp6.zip is the OTWUG (Over The Wire UpGrade) file.
ichain23sp6.txt is the installation file for the OTWUG.
ic23sp6.txt is the readme for the patch.
Copy the ichain23sp6.zip and ichain23sp6.txt files to a directory on a Web server that can be accessed by the iChain appliance and a workstation that can run the iChain Web application.
Temporarily disable all accelerators or block public traffic.
(Conditional) If the Allow administration from specified clients option has been configured, add the IP address of the iChain server to the list.
Modify the URL line in the ichain23sp6.txt file so that it contains the appropriate path/URL to the ichain23sp6.zip file.The file contains the following line:
url=http://**location**/ichain23sp6.zip
You need to modify this line to match the location of the ZIP file. For example if you copied the ZIP file to the default root directory of a Web server with the IP address 10.10.10.1, change the line to the following:
url=http://10.10.10.1/ichain23sp6.zip.
In the Web application, click System > Upgrade >Install from URL.
Enter the URL to the .txt file. Using the example above, specify the following:
http://10.10.10.1/ichain23sp6.txt.
This option needs to point to the .txt installation file, not the .zip file.
Select the Enable download and the Enable install check boxes.
Specify the time to begin the download and install.
Click Apply.
Allow 10 to 15 minutes (and several re-boots) to complete the process.
This section describes issues which exist in the product. For a description of issues which have been found in previous releases and which cannot be resolved because of how iChain interacts with other components, products, and protocols, see Appendix A in the Novell iChain 2.3 Administration Guide.
iChain 2.3 SP6 has the following known issues:
eDirectory allows users to use a double quote (") as a special character in passwords. iChain can authenticate users with such a password, but you cannot use Form Fill to inject such a password into a form. Form Fill fails when you do. Other special characters can be used in passwords with Form Fill.
If you are using Form Fill, you need to instruct your users not to use the double quote character in their passwords.
You might experience a gradual performance drop as drive space fills up when using a single large COS partition on a hardware-based RAID system. The disk I/O and dirty sectors can remain high in these circumstances. It is best to disable the RAID and let iChain treat the drives as separate physical drives, which will automatically create COS partitions for each drive. If this is not possible, one solution is to create multiple separate RAID 0 drives (one for each physical drive) so that iChain views these as separate drives.
This feature is not enabled in this release.
Two problems prevent the Citrix Java client from accessing applications through iChain on a MetaFrame server:
Base 64 Encoding: Versions of the Citrix Java client previous to version 9.3.1865 incorrectly encoded the authentication string for HTTP basic authentication, and eight characters of authentication information were lost. You need to use Citrix Presentation Server Client for Java 9.4 or later.
Form Fill: iChain 2.3 SP4 has problems with the connect request extracted from the Citrix Java client because the IP address is surrounded with quotes. You need to use iChain 2.3 Service Pack 4 Interim Release IR1a or later.
If you are using external certificates larger than 2 KB, you need to update your NetIdentity clients to use the latest version of the ZenAgent, which is available in ZEN7 SP1-HP2. The agents been updated so that it has a 4 KB certificate limit.
NOTE:Please review the list of feature changes. The appstart.ncf file has been modified. If you use the wrong upgrade procedures, you can create serious configuration problems.
The following features have been modified in SP5:
appstart.ncf File: If you select to upgrade to this version, be aware that you cannot use an old version of the appstart.ncf file. The load order of the NLMs has been modified, so an older version of the appstart.ncf file (older than iChain 2.3 SP4 IR3) is not compatible with the appstart.ncf file that ships with iChain 2.3 SP5.
Save your old appstart.ncf file and copy your customized commands to the end of the appstart.ncf file installed by iChain 2.3 SP5.
Dynamic Groups. The default value for dynamic group option (/g) for aclcheck has changed from enabled to off. If you are using dynamic groups and have enabled this option in previous releases, add the following line to the end of the appstart.ncf file.
aclcheck /g1
LDAP Fail Over: iChain 2.3 SP5 has numerous changes for LDAP and LDAP fail over. See Using LDAP Server Load Balancing and Failover.
Daylight Savings: iChain 2.3 SP5 now conforms to the daylight savings time changes that have been implemented by the United States and Australia (Perth) governments. To effect these changes on your system, go to the iChain GUI > System > Timezone tab, select a different timezone, then select your proper timezone again. This adjusts the start and end dates for daylight savings to the new correct times. Once these changes are applied, the system will start using the new settings.
OLAC Communication Errors: If an error occurs when the accelerator is using the Java server channel, the request returns an error page. Previous to iChain 2.3 SP5, iChain would continue processing the request and send the request to the back-end Web server without any OLAC data.
OLAC SecretStore Plug-In: You configure the SecretStore plug-in with an oac.properties file. The Provider URL option is no longer used in this configuration file. The ACLCHECK profile is used to communicate with eDirectory for SecretStore information. In previous releases, you could configure OLAC to use different LDAP trees for single sign-on as documented in Novell Cool Solutions. This functionality is not currently supported and will be enabled again in a future release.
LDAP Timeout Commands: The LDAP timeout for obtaining a complete list of protected resources was set to a 10 second limit. This search timeout is now configurable as well as the LDAP bind timeout. See the “Setting Timeouts and Pool Limits for LDAP Profiles” section in Using Authentication Profiles.
Login URLs: Error 226 has been introduced. URLs used in login are validated against accelerators on the iChain appliance. If they are invalid, the following error is returned:
"Illegal URL Destination. Possible Phishing Attempt!"
This is to block hackers from abusing iChain to steal people's identities.
Form Fill not working after restart.
Receive 400 Bad Request because SessionBroker IP not being read.
Registered iChain box comes up as unregistered.
Receive 403 errors because ACLCHECK did not read configuration.
Abend in LDAPGetServerList.
Abend when request is aborted (multiple fixes).
Abend when no messages.cfg file exists (default) when alternate language is selected.
Abend in SetTokenOnSessionID when SSL handle is null - likely due to an abort.
Abend in client chunking when nextSegment is NULL.
ACLCheck abend - bad dynamicGroups pointer
Unloading sb.nlm causes an abend.
Abend in NWUTIL.NLM FindSection$ConfigFile.
Abend: EIP in PROXY.NLM at code start +001C8FBAh.
Proxy server hangs on boot up if the LDAP server accepts an LDAP query but does not reply.
Debug trap hit when basic auth uses an extended character.
Debug trap hit when entering path based multi homed accelerator directly.
Fixed Form Fill ability to use <maskedPost/>.
ff_lower_upper = "upper" now works on ~ values.
When attempting to use the <injectStaticValue> tags in a Form Fill policy, static values aren't injected.
The GroupWise 7.1 WebAccess login form is not compatible with iChain Form Fill.
Form Fill doesn't trigger when URLs containing form has a DLL extension.
OLAC data not injected when using SSL LDAP.
iChain does not always pass configured OLAC data to the origin server as configured.
OLAC data is not being passed when OLAC is being refreshed.
Pulling OLAC data from SecretStore does not function properly in IR3.
When you click on the Refresh OLAC button, the command appears to work, but the any new settings are not used.
FTP LogPush now properly handles servers that send Welcome messages larger than 256 bytes in the initial response packet.
Unable to push logs to server with multi-line banner message.
FTP LogPush now times out on failed file transfer.
“502 Bad Gateway Malformed reply from origin” with chunking enabled.
Client chunking hits a debug break when a buffer contains only a CRLF.
Chunking issue when sizes equal.
Public resource 500 Error after Mutual Authentication.
403 Forbidden error after period of inactivity.
Firefox 2.x and IE7 timeout when connecting to an SSL accelerated site or when doing SSL authentication for an HTTP site.
SAML server throwing exception on NW65 when client authentication is enabled.
LDAP authentication does not work if user password contains special German “umlaut' characters.
XTrier Authentication fails with 3rd Party Certificate bigger than 2048 byes.
Cross Site Scripting issue: The URL is no longer returned in the body, only in the header. Browsers, which do not support 302, display “You are using an Old browser.”
When a user's password is expired with grace logins remaining, iChain is not redirecting the user to the configured Password Management Servlet URL.
Intruder Locked account is not displaying the appropriate error message; it is returning the user to the login page.
NetIdentitiy login breaks when iChain fails over to a secondary box.
Mini FTP server would not start if the section was missing from proxy.cfg.
Mini FTP Server doesn't allow access to /etc/custom.
Mini FTP Server allows PWD when not authenticated
Mini FTP Server does not limit number of invalid logins.
Large file download support is now 4G-1byte = 2^32-1.
Alerts not sent when Web server status goes to down.
Changes to SNMP cause a server reboot every time you do an apply.
Removed RS232 support for the iChain console.
Using dots in the certificate subject name produces a “User Name Not Found” error.
Memory leak during shutdown of server.
OTWUG sometimes hangs on final reboot.
iChain 2.3 LAN drivers are causing communication problems and need to be updated with the corresponding drivers from NetWare 6.5 SP5.
OACINT module did not release 1 resource running appstop.ncf
The accelerator does not initialize with two web server entries without doing a second apply.
ACL substitution using %PATH% variable not matching directory path.
Updated the iChain GUI with the new Daylight Savings Time changes.
We now provide a standard way to load custom rewriter scripts at boot time which will persist through reboots and upgrades.
New LDAP load balancing and failover code was implemented. See Section 5.1, Modified Features.
Upgrade automatically creates \etc\custom and \rdb\outbox if they don't already exist.
Default dynamic group support now defaults to off. See Section 5.1, Modified Features.
LDAP SearchTimeOut value is not sufficient (10 seconds) and is not tunable. New commands were added. See Section 5.1, Modified Features.
iChain SP4 includes the newest version of SecretStore modules, which are compatible with eDirectory 8.8. If you are using SecretStore and eDirectory 8.7.3.x, you need to upgrade your eDirectory servers with these new modules.
To download these new server modules, see the SecretStore Developer Kit for C or the SecretStore Developer Kit for Java.
The iChain 2.3 Support Pack 4 resolves defects that were discovered since the previous Support Pack. As new versions of component files have become available, these have been updated in SP4. This release contains the following:
Hit debug trap when entering path based multi homed accelerator directly
LDAP authentication does not work if user password contains extended characters
“400 bad request” when an email subject contains a double quote characters.
Updated LAN drivers in the nw6sp5e.zip file
Updated to latest NetWare 6.0 TCP/IP stack
Updated SecretStore files
AddressIsValid hits debug break when calling ValidateAddressRange
The load rewriter /s parameter does not work, rwfilter command might cause an abend
iChain 2.3 server abend at Proxy.NLM|FastScheduleWorkToDo+1E
iChain abend in Proxy.NLM|iaSendRedirectToLoginBroker during login process
User cannot authenticate with iAgent if the requested original URL user accessing contains more than 1024 chars
Basic Auth username containing a dot '.' is escaped when it shouldn't be
Cannot set NIC speed to 1000 in iChain GUI
iChain FTP LogPush fails when Windows FTP server has multi-line MOTD.
403 forbidden errors when iChain no longer unencodes URLs before doing an ACL substitution check
iChain GUI always shows Accelerator “Browser Host Name enable” is enabled - even when not enabled
iChain mutual authentication ASN.1 Error decoding CRL Distribution List
iChain mutual authentication fails when root certificates with same issuer name and different issuer IDs exist
Email alerting fails - socket is reset by iChain when an ACK is received with no data
Javascript Form Fill issues
Broken certificate chain using certain 3rd party server certificates on iChain
400 Bad Request using Form Fill - missing leading slash
Cosmetic “bit length overflow” and other messages displayed on logger console
iChain 2.3 SP3 server abends in FastCopyRepeatQuoteReturnOffset()
Double slash in query string is causing the iChain server to enter the debugger
Expired certificate allows access to protected resource
Custom rewriter fails after upgrading to SP3
NICI returns error “-1423” while importing a certificate from a PKCS#12 (pfx) envelope.
Abend PROXY.NLM when TCP connection aborted to origin server (iaAuthenticateUser+286)
Abend in NILE.NLM during mutual authentication (tsw_ssl3_server_handshake_continue+54C)
iChain Basic Auth authentication fails if password contains + or & characters
iChain Cross Site Scripting security issue with initial 302 redirect responses from proxy server
Form fill corrupting PDF files so that length of PDF data does not match what Web server sent
Abend in ACLCHECK.NLM (ACLFreeDNList+4F)
Session broker (SB.NLM) throwing “NICI_E_DATA_LEN_RANGEDecrypt failed” error code:-1417
Random 403 errors generated using eDirectory Dynamic groups for ACL
Abend on shutdown when iAgent user details is on the screen.
Authentication events sent to Novell Audit have wrong URL if Basic or NetIdentity auth is enabled
iChain server Abend in SERVER.NLM (OutputToString+B19)
Domain based multi-homing name for child accelerator invalid when overwriting domain cookie
“The value for a parameter was not valid: noexport” error backing up or exporting certificate from CLI
Running factory setting restore does not overwrite the new settings available for the export trustedroot/certs functionality
The base operating system has been upgraded to NetWare 6 SP5.
Load balancing divides a computer’s workload between two or more computers so more work can be accomplished in the same amount of time. For authentication, load balancing commonly distributes credential search requests in a fixed sequential order to the different servers.
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.