Release Notes - Novell iChain 2.3 Support Pack 6

February 11, 2009

This Readme contains the new features, the fixes, and known issues for iChain 2.3 Support Pack 6. For the latest iChain 2.3 documentation, including updates to this Readme, see the Novell iChain Documentation Web page.

1.0 Documentation

The following sources provide information about Novell iChain:

2.0 Issues Fixed in iChain 2.3 SP6

iChain 2.3 SP6 adds no new features, but the following issues are fixed in SP6.

  • Fixed a Form Fill issue that caused upper case password characters to be changed to lower case characters when doing a masked post.

  • Fixed an issue that caused iChain to have high utilization after an apply.

  • Fixed the issue that caused iChain to return the error 502 Malformed reply from origin server with compressed data.

  • Fixed the issue that prevented EV certificates from getting initialized correctly.

  • Fixed the issue with GZIP compression that caused iChain to add the ISIZE footer as data when the ISIZE footer was chunked.

  • Updated the Audit platform agent.

  • Enabled aclcheck normalization for dynamic queries.

  • Fixed an abend in proxy.nlm.

  • Removed the simulated EOF in GZIP and IP address check fixes.

  • Updated LDAP SDK NLMs.

  • Fixed the set-cookie issue on rename cookie.

  • Fixed the Console stats (double 400 error).

  • Fixed Nessus scan crashes in the proxy.

  • Cleaned up chunking.

  • Added error messages to warn users that an accelerator cannot have two authentication profiles of the same type (LDAP, Radius, or Mutual).

  • Resolved an error that prevented single sign-on to a Citrix Metaframe server without an NFuse server.

  • Resolved issues with compressing and decompressing GZIP files.

  • Resolved issues with Flash and Plone applications.

  • Fixed an abend problem in the DNS code.

  • Fixed an issue that caused the system to crash when a user modified Twiki content using the preview feature.

  • Fixed a SAML issue.

  • Fixed a memory corruption problem that caused iChain to drop into the debugger.

  • Fixed a problem that allowed users with extended characters in their names to be granted access when they should have been denied access.

  • Fixed the error that caused iChain to rewrite the destination URL with an extra double quote at the end.

  • Fixed a %u escape code.

  • Fixed the ////// bug.

  • Fixed the limitation that prevented the use of different LDAP trees for authentication and authorization; you can now use separate trees.

  • Added a log message so that the common iChain log reports 0 bytes in the case of an HTTP status 304.

  • Fixed a problem with GZIP encoding that caused a 504 gateway timeout due to incorrect handling of chunked data.

  • Removed the following console error message: “ACL rules in NDS are invalid or of old version.”

  • Fixed a security issue concerning the POSTing of credential data to iChain.

  • Fixed problems with multi-byte range.

  • Removed csaudi.

  • Fixed a garbled Novell Audit message.

  • Fixed a bug in the plerror.c file.

  • Fixed a compile warning that displayed in production code.

  • Fixed the error that caused iChain 2.3.343 to break when the REPORT command was used.

  • Fixed an error that caused iChain not to check the source IP address for the session cookie (when the -ri switch has not been used).

  • Fixed a proxy log issue (sensitive trap in VerifyWriteDataBuffer).

  • Fixed an abend that occurred when 50 thousand or more users attempted to access resources on iChain at the same time.

  • Fixed the Health and LDAP pool screens, which were not updating accurately.

  • Fixed the problem where upgrading to iChain 2.3 SP5 caused the machine to come up as an evaluation copy, with users unable to authenticate to iChain.

  • Fixed “400 Bad Request” errors after upgrading to iChain 2.3 SP5.

  • Fixed SSO.NLM not loading after upgrading to iChain 2.3 SP5.

  • Fixed issues with time zones that do not have daylight saving settings.

  • Fixed an internal rewriter issue that caused certain HREFs not to be rewritten when the string was deeply embedded on the page.

  • The DSSTART and DSEND parameters in the .NAS file now work. The which parameter is no longer invalid.

  • Fixed iChain incorrectly reformatting a string in a GET request.

3.0 Deploying iChain 2.3 SP6

3.1 Prerequisites for Upgrading to iChain 2.3 SP6

  • Verify that you are running iChain 2.3 SP1 (2.3.257) or later before applying this OTWUG (Over-The-Wire-UpGrade). The OTWUG cannot upgrade an iChain 2.2 server to iChain 2.3.

  • Back up all configuration files and third-party certificates.

  • If the iChain server has a cloned drive (multiple drives), you need either to perform a clone update prior to the upgrade or to export the CURRENT.NAS, TUNE.NCF, APPSTART.NCF, MESSAGES.CFG (if customized), any third-party certificates, and any other customized login pages or files to floppy for backup purposes. Remove the floppy.

    For information about this process, see Using the Enhanced Configuration Export.

  • (Recommendation) Test the upgrade thoroughly in an environment that mirrors the production environment prior to deployment.

3.2 Notes about the Modifications Made during the Upgrade Process

NCPIP.NLM: For security reasons, C:/NWSERVER/NCPIP.NLM is renamed to NCPIP.OLD. If login to the iChain server is desired, copy NCPIP.OLD to NCPIP.NLM; future OTWUGs will not keep renaming the file. Alternatively, load C:/NWSERVER/NCPIP.OLD in the SYS:/SYSTEM/TUNE.NCF file.

OAC.PROPERTIES: When you install this support pack, any OLAC custom plug-ins are overwritten. To avoid this issue, back up your OAC.PROPERTIES file before installing this support pack, then copy the file back over once the support pack is successfully installed. If you have not modified the file previously, skip this step.

APPSTART.NCF: Make note of any customized load lines in APPSTART.NCF prior to applying the patch. Do not include load logevent and load lcache if they appear in your current file.

MESSAGES.CFG: This file is updated. If you have modified this file, you need to back it up so you can restore it when the upgrade is completed.

TELNET: This protocol is disabled by default for security reasons. If Telnet is used for administrative purposes, you need to re-enable it after applying this patch. Import the TELNETON configuration file from the Web application under the System > Import/Export tab.

3.3 Installing iChain 2.3 SP6

  1. Download the patch from Novell and extract it. The ic23sp6.zip file extracts into three files:

    • ichain23sp6.zip is the OTWUG (Over The Wire UpGrade) file.

    • ichain23sp6.txt is the installation file for the OTWUG.

    • ic23sp6.txt is the readme for the patch.

  2. Copy the ichain23sp6.zip and ichain23sp6.txt files to a directory on a Web server that can be accessed by the iChain appliance and a workstation that can run the iChain Web application.

  3. Temporarily disable all accelerators or block public traffic.

  4. (Conditional) If the Allow administration from specified clients option has been configured, add the IP address of the iChain server to the list.

  5. Modify the URL line in the ichain23sp6.txt file so that it contains the appropriate path/URL to the ichain23sp6.zip file. The file contains the following line:

    url=http://**location**/ichain23sp6.zip

    You need to modify this line to match the location of the ZIP file. For example, if you copied the ZIP file to the default root directory of a Web server with the IP address 10.10.10.1, change the line to the following:

    url=http://10.10.10.1/ichain23sp6.zip
    
  6. In the Web application, click System > Upgrade > Install from URL.

  7. Enter the URL to the .txt file. Using the example above, specify the following:

    http://10.10.10.1/ichain23sp6.txt
    

    This option needs to point to the .txt installation file, not the .zip file.

  8. Select the Enable download and the Enable install check boxes.

  9. Specify the time to begin the download and install.

  10. Click Apply.

    Allow 10 to 15 minutes (and several reboots) to complete the process.
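The procedure above depends on a single hand-edited url= line in ichain23sp6.txt, and a mistake there (placeholder left in place, URL pointing at the .txt instead of the .zip, a stray trailing period) only shows up when the scheduled download fails after the accelerators have already been disabled. The POSIX shell script below is an added example, not part of Novell's release notes or of the iChain product, that fills in the line and checks it before the file is copied to the Web server. The file name, the url= line format and the 10.10.10.1 host come from the notes; the function names and the temporary file path are assumptions of this example.

```shell
#!/bin/sh
# Added example: prepare and validate the OTWUG installation file for
# iChain 2.3 SP6 before uploading it to the Web server.  The file name and
# the "url=" line format come from the release notes; the function names
# are this example's own.

# set_otwug_url FILE HOST [PATH]
# Rewrite the url= line in FILE so that it points at ichain23sp6.zip on HOST.
# PATH is an optional directory below the Web server root, e.g. /patches.
set_otwug_url() {
    file=$1
    host=$2
    path=${3:-}
    # Replace the whole url= line rather than only the **location** token, so
    # the function also works on a file that has been edited once already.
    sed "s|^url=.*|url=http://${host}${path}/ichain23sp6.zip|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# check_otwug_url FILE
# Return 0 when FILE has exactly one url= line that points at ichain23sp6.zip
# over http, with the placeholder replaced and no trailing period.
check_otwug_url() {
    file=$1
    count=$(grep -c '^url=' "$file")
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one url= line, found $count" >&2
        return 1
    fi
    url=$(sed -n 's/^url=//p' "$file")
    case "$url" in
        *'**location**'*)
            echo "placeholder **location** has not been replaced" >&2
            return 1 ;;
        *.)
            echo "trailing period would break the URL: $url" >&2
            return 1 ;;
        http://*/ichain23sp6.zip)
            return 0 ;;
        *)
            echo "url= must point at ichain23sp6.zip over http: $url" >&2
            return 1 ;;
    esac
}

# Constructed sample of the shipped installation file: the placeholder line
# exactly as the release notes describe it.  Written to a temporary path.
SAMPLE=${TMPDIR:-/tmp}/ichain23sp6.txt
printf 'url=http://**location**/ichain23sp6.zip\n' > "$SAMPLE"

if check_otwug_url "$SAMPLE"; then
    echo "installation file already valid"
else
    echo "filling in the url= line"
    set_otwug_url "$SAMPLE" 10.10.10.1
    check_otwug_url "$SAMPLE" && cat "$SAMPLE"
fi
```

Run the script on the extracted ichain23sp6.txt (adjust SAMPLE or call the functions directly with the real path and host) before step 2 copies the file to the Web server; the check rejects the three mistakes the notes' wording invites, so the scheduled download is only attempted with a line that can actually resolve.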

4.0 iChain 2.3 SP6 Known Issues

This section describes issues that exist in the product. For a description of issues that have been found in previous releases and that cannot be resolved because of how iChain interacts with other components, products, and protocols, see Appendix A in the Novell iChain 2.3 Administration Guide.

iChain 2.3 SP6 has the following known issues:

4.1 Passwords which Contain a Double Quote Character

eDirectory allows users to use a double quote (") as a special character in passwords. iChain can authenticate users with such a password, but you cannot use Form Fill to inject such a password into a form. Form Fill fails when you do. Other special characters can be used in passwords with Form Fill.

If you are using Form Fill, you need to instruct your users not to use the double quote character in their passwords.

4.2 Disk I/O Remains at 100% When Using Single Large COS Partition

You might experience a gradual performance drop as drive space fills up when using a single large COS partition on a hardware-based RAID system. The disk I/O and dirty sectors can remain high in these circumstances. It is best to disable the RAID and let iChain treat the drives as separate physical drives, which will automatically create COS partitions for each drive. If this is not possible, one solution is to create multiple separate RAID 0 drives (one for each physical drive) so that iChain views these as separate drives.

4.3 Dynamic Bypass Does Not Function in iChain 2.3

This feature is not enabled in this release.

4.4 The Citrix Java Client Cannot Access Applications through iChain

Two problems prevent the Citrix Java client from accessing applications through iChain on a MetaFrame server:

Base 64 Encoding: Versions of the Citrix Java client previous to version 9.3.1865 incorrectly encoded the authentication string for HTTP basic authentication, and eight characters of authentication information were lost. You need to use Citrix Presentation Server Client for Java 9.4 or later.

Form Fill: iChain 2.3 SP4 has problems with the connect request extracted from the Citrix Java client because the IP address is surrounded with quotes. You need to use iChain 2.3 Service Pack 4 Interim Release IR1a or later.

4.5 NetIdentity Clients Cannot Use Certificates Larger than 2 KB

If you are using external certificates larger than 2 KB, you need to update your NetIdentity clients to use the latest version of the ZenAgent, which is available in ZEN7 SP1-HP2. The agent has been updated so that it has a 4 KB certificate limit.

5.0 What Was New in iChain 2.3 SP5

NOTE: Please review the list of feature changes. The appstart.ncf file has been modified. If you use the wrong upgrade procedures, you can create serious configuration problems.

5.1 Modified Features

The following features have been modified in SP5:

  • appstart.ncf File: If you select to upgrade to this version, be aware that you cannot use an old version of the appstart.ncf file. The load order of the NLMs has been modified, so an older version of the appstart.ncf file (older than iChain 2.3 SP4 IR3) is not compatible with the appstart.ncf file that ships with iChain 2.3 SP5.

    Save your old appstart.ncf file and copy your customized commands to the end of the appstart.ncf file installed by iChain 2.3 SP5.

  • Dynamic Groups: The default value for the dynamic group option (/g) for aclcheck has changed from enabled to off. If you are using dynamic groups and have enabled this option in previous releases, add the following line to the end of the appstart.ncf file:

    aclcheck /g1
    
  • LDAP Fail Over: iChain 2.3 SP5 has numerous changes for LDAP and LDAP fail over. See Using LDAP Server Load Balancing and Failover.

  • Daylight Savings: iChain 2.3 SP5 now conforms to the daylight savings time changes that have been implemented by the United States and Australia (Perth) governments. To effect these changes on your system, go to the iChain GUI > System > Timezone tab, select a different timezone, then select your proper timezone again. This adjusts the start and end dates for daylight savings to the new correct times. Once these changes are applied, the system will start using the new settings.

  • OLAC Communication Errors: If an error occurs when the accelerator is using the Java server channel, the request returns an error page. Previous to iChain 2.3 SP5, iChain would continue processing the request and send the request to the back-end Web server without any OLAC data.

  • OLAC SecretStore Plug-In: You configure the SecretStore plug-in with an oac.properties file. The Provider URL option is no longer used in this configuration file. The ACLCHECK profile is used to communicate with eDirectory for SecretStore information. In previous releases, you could configure OLAC to use different LDAP trees for single sign-on as documented in Novell Cool Solutions. This functionality is not currently supported and will be enabled again in a future release.

  • LDAP Timeout Commands: The LDAP timeout for obtaining a complete list of protected resources was set to a 10 second limit. This search timeout is now configurable as well as the LDAP bind timeout. See the “Setting Timeouts and Pool Limits for LDAP Profiles” section in Using Authentication Profiles.

  • Login URLs: Error 226 has been introduced. URLs used in login are validated against accelerators on the iChain appliance. If they are invalid, the following error is returned:

    "Illegal URL Destination. Possible Phishing Attempt!"
    

    This is to block hackers from abusing iChain to steal people's identities.

5.2 Fixed Issues

  • Form Fill not working after restart.

  • Receive 400 Bad Request because SessionBroker IP not being read.

  • Registered iChain box comes up as unregistered.

  • Receive 403 errors because ACLCHECK did not read configuration.

  • Abend in LDAPGetServerList.

  • Abend when request is aborted (multiple fixes).

  • Abend when no messages.cfg file exists (default) when alternate language is selected.

  • Abend in SetTokenOnSessionID when SSL handle is null - likely due to an abort.

  • Abend in client chunking when nextSegment is NULL.

  • ACLCheck abend - bad dynamicGroups pointer.

  • Unloading sb.nlm causes an abend.

  • Abend in NWUTIL.NLM FindSection$ConfigFile.

  • Abend: EIP in PROXY.NLM at code start +001C8FBAh.

  • Proxy server hangs on boot up if the LDAP server accepts an LDAP query but does not reply.

  • Debug trap hit when basic auth uses an extended character.

  • Debug trap hit when entering path based multi homed accelerator directly.

  • Fixed Form Fill ability to use <maskedPost/>.

  • ff_lower_upper = "upper" now works on ~ values.

  • When attempting to use the <injectStaticValue> tags in a Form Fill policy, static values aren't injected.

  • The GroupWise 7.1 WebAccess login form is not compatible with iChain Form Fill.

  • Form Fill doesn't trigger when URLs containing form has a DLL extension.

  • OLAC data not injected when using SSL LDAP.

  • iChain does not always pass configured OLAC data to the origin server as configured.

  • OLAC data is not being passed when OLAC is being refreshed.

  • Pulling OLAC data from SecretStore does not function properly in IR3.

  • When you click the Refresh OLAC button, the command appears to work, but any new settings are not used.

  • FTP LogPush now properly handles servers that send Welcome messages larger than 256 bytes in the initial response packet.

  • Unable to push logs to server with multi-line banner message.

  • FTP LogPush now times out on failed file transfer.

  • “502 Bad Gateway Malformed reply from origin” with chunking enabled.

  • Client chunking hits a debug break when a buffer contains only a CRLF.

  • Chunking issue when sizes equal.

  • Public resource 500 Error after Mutual Authentication.

  • 403 Forbidden error after period of inactivity.

  • Firefox 2.x and IE7 timeout when connecting to an SSL accelerated site or when doing SSL authentication for an HTTP site.

  • SAML server throwing exception on NW65 when client authentication is enabled.

  • LDAP authentication does not work if the user password contains special German “umlaut” characters.

  • XTrier Authentication fails with a 3rd Party Certificate bigger than 2048 bytes.

  • Cross Site Scripting issue: The URL is no longer returned in the body, only in the header. Browsers, which do not support 302, display “You are using an Old browser.”

  • When a user's password is expired with grace logins remaining, iChain is not redirecting the user to the configured Password Management Servlet URL.

  • Intruder Locked account is not displaying the appropriate error message; it is returning the user to the login page.

  • NetIdentity login breaks when iChain fails over to a secondary box.

  • Mini FTP server would not start if the section was missing from proxy.cfg.

  • Mini FTP Server doesn't allow access to /etc/custom.

  • Mini FTP Server allows PWD when not authenticated.

  • Mini FTP Server does not limit number of invalid logins.

  • Large file download support is now 4G-1byte = 2^32-1.

  • Alerts not sent when Web server status goes to down.

  • Changes to SNMP cause a server reboot every time you do an apply.

  • Removed RS232 support for the iChain console.

  • Using dots in the certificate subject name produces a “User Name Not Found” error.

  • Memory leak during shutdown of server.

  • OTWUG sometimes hangs on final reboot.

  • iChain 2.3 LAN drivers are causing communication problems and need to be updated with the corresponding drivers from NetWare 6.5 SP5.

  • OACINT module did not release 1 resource when running appstop.ncf.

  • The accelerator does not initialize with two web server entries without doing a second apply.

  • ACL substitution using %PATH% variable not matching directory path.

  • Updated the iChain GUI with the new Daylight Savings Time changes.

  • We now provide a standard way to load custom rewriter scripts at boot time which will persist through reboots and upgrades.

  • New LDAP load balancing and failover code was implemented. See Section 5.1, Modified Features.

  • Upgrade automatically creates \etc\custom and \rdb\outbox if they don't already exist.

  • Default dynamic group support now defaults to off. See Section 5.1, Modified Features.

  • LDAP SearchTimeOut value is not sufficient (10 seconds) and is not tunable. New commands were added. See Section 5.1, Modified Features.

6.0 What Was New in iChain 2.3 SP4

6.1 New Version of SecretStore

iChain SP4 includes the newest version of SecretStore modules, which are compatible with eDirectory 8.8. If you are using SecretStore and eDirectory 8.7.3.x, you need to upgrade your eDirectory servers with these new modules.

To download these new server modules, see the SecretStore Developer Kit for C or the SecretStore Developer Kit for Java.

6.2 Fixed Issues

The iChain 2.3 Support Pack 4 resolves defects that were discovered since the previous Support Pack. As new versions of component files have become available, these have been updated in SP4. This release contains the following:

  • Hit debug trap when entering path based multi homed accelerator directly

  • LDAP authentication does not work if user password contains extended characters

  • “400 bad request” when an email subject contains a double quote character.

  • Updated LAN drivers in the nw6sp5e.zip file

  • Updated to latest NetWare 6.0 TCP/IP stack

  • Updated SecretStore files

  • AddressIsValid hits debug break when calling ValidateAddressRange

  • The load rewriter /s parameter does not work, rwfilter command might cause an abend

  • iChain 2.3 server abend at Proxy.NLM|FastScheduleWorkToDo+1E

  • iChain abend in Proxy.NLM|iaSendRedirectToLoginBroker during login process

  • User cannot authenticate with iAgent if the original URL the user is accessing contains more than 1024 chars

  • Basic Auth username containing a dot '.' is escaped when it shouldn't be

  • Cannot set NIC speed to 1000 in iChain GUI

  • iChain FTP LogPush fails when Windows FTP server has multi-line MOTD.

  • 403 forbidden errors when iChain no longer unencodes URLs before doing an ACL substitution check

  • iChain GUI always shows Accelerator “Browser Host Name enable” is enabled - even when not enabled

  • iChain mutual authentication ASN.1 Error decoding CRL Distribution List

  • iChain mutual authentication fails when root certificates with same issuer name and different issuer IDs exist

  • Email alerting fails - socket is reset by iChain when an ACK is received with no data

  • Javascript Form Fill issues

  • Broken certificate chain using certain 3rd party server certificates on iChain

  • 400 Bad Request using Form Fill - missing leading slash

  • Cosmetic “bit length overflow” and other messages displayed on logger console

  • iChain 2.3 SP3 server abends in FastCopyRepeatQuoteReturnOffset()

  • Double slash in query string is causing the iChain server to enter the debugger

  • Expired certificate allows access to protected resource

  • Custom rewriter fails after upgrading to SP3

  • NICI returns error “-1423” while importing a certificate from a PKCS#12 (pfx) envelope.

  • Abend PROXY.NLM when TCP connection aborted to origin server (iaAuthenticateUser+286)

  • Abend in NILE.NLM during mutual authentication (tsw_ssl3_server_handshake_continue+54C)

  • iChain Basic Auth authentication fails if password contains + or & characters

  • iChain Cross Site Scripting security issue with initial 302 redirect responses from proxy server

  • Form fill corrupting PDF files so that length of PDF data does not match what Web server sent

  • Abend in ACLCHECK.NLM (ACLFreeDNList+4F)

  • Session broker (SB.NLM) throwing “NICI_E_DATA_LEN_RANGEDecrypt failed” error code:-1417

  • Random 403 errors generated using eDirectory Dynamic groups for ACL

  • Abend on shutdown when iAgent user details is on the screen.

  • Authentication events sent to Novell Audit have wrong URL if Basic or NetIdentity auth is enabled

  • iChain server Abend in SERVER.NLM (OutputToString+B19)

  • Domain based multi-homing name for child accelerator invalid when overwriting domain cookie

  • “The value for a parameter was not valid: noexport” error backing up or exporting certificate from CLI

  • Running factory setting restore does not overwrite the new settings available for the export trustedroot/certs functionality

7.0 What Was New in iChain 2.3 SP3

7.1 Upgraded to NetWare 6 SP5

The base operating system has been upgraded to NetWare 6 SP5.

7.2 RADIUS Load Balancing and Failover

Load balancing divides a computer’s workload between two or more computers so more work can be accomplished in the same amount of time. For authentication, load balancing commonly distributes credential search requests in a fixed sequential order to the different servers.

8.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.