NetIQ Access Manager 3.2 Service Pack 2 IR2

January, 2014

NetIQ Access Manager 3.2 Service Pack 2 IR2 resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Access Manager forum on Qmunity, our online community that also includes product information, blogs, and links to helpful resources.

For the list of software fixes and enhancements in the previous release, see Access Manager 3.2 SP2 Readme and Access Manager 3.2 Service Pack 2 IR1 Readme.

The documentation for this product is available on the NetIQ Web site in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click Add Comment at the bottom of any page in the HTML version of the documentation posted at the Access Manager NetIQ Documentation page. To download this product, see the NetIQ Access Manager Products Web site.

1.0 What’s New?

The following sections outline the issues resolved in this release:

1.1 Software Fixes for the Identity Server

NetIQ Access Manager 3.2 Service Pack 2 IR2 includes software fixes that resolve several previous issues.

Cannot Create Additional Replicas if Secret Store Is Enabled

Issue: You cannot select the Use secure LDAP connections option while creating a replica in eDirectory to store secrets, and communication with the newly added replica on the configured port fails. (Bug 811887)

Fix: Configuring an eDirectory user store to use SecretStore is now possible. You can select the Use secure LDAP connections option, and the default port is set to 636 on the new server replica user store screen.

Single Sign-on Does Not Work With Different Contracts on SAML Requests

Issue: The Identity Server prompts you to re-authenticate on SAML requests even though it has already authenticated you with a higher-level contract. (Bug 832443)

Fix: If the authentication request includes a context comparison parameter, the requested contract level is checked against the contracts already authenticated at the Identity Server. If the request asks for an exact level, or no context comparison is set, the check against already authenticated contracts is not performed.
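The decision described in this fix, as an added example that is not NetIQ code: it parses the RequestedAuthnContext of a SAML 2.0 AuthnRequest and decides whether a user who already holds authenticated contracts must be prompted again. The contract levels, the class-reference-to-level mapping and the sample request are constructed for the example; comparison semantics follow SAML 2.0 Core section 3.3.2.2.1, and "maximum" is left out because it depends on the full set of contracts an Identity Provider can offer.

```python
# Added example (not NetIQ code): models the SAML 2.0 RequestedAuthnContext
# comparison an Identity Provider applies when the user already holds an
# authenticated session. Contract levels are plain integers here (higher is
# stronger); the mapping and the sample request are constructed.
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed mapping from AuthnContext class references to contract levels.
CONTRACT_LEVELS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 3,
}

# Constructed AuthnRequest asking for at least the password level.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def parse_requested_context(authn_request_xml: str) -> Tuple[Optional[str], List[int]]:
    """Return (comparison, requested_levels) from an AuthnRequest.

    comparison is None when RequestedAuthnContext is absent or carries no
    Comparison attribute (SAML 2.0 Core treats an absent attribute as "exact").
    Class references not in the mapping are ignored rather than guessed.
    """
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = rac.findall(f"{{{SAML}}}AuthnContextClassRef")
    levels = [CONTRACT_LEVELS[r.text.strip()] for r in refs
              if r.text and r.text.strip() in CONTRACT_LEVELS]
    return rac.get("Comparison"), levels


def reauthentication_required(comparison: Optional[str],
                              requested_levels: Iterable[int],
                              held_levels: Iterable[int]) -> bool:
    """True when the IdP must prompt again, False when a contract the user has
    already authenticated satisfies the request.

      None / "exact": only an identical contract counts, no level comparison
      "minimum":      any held level at least as strong as a requested one
      "better":       any held level strictly stronger than a requested one
    """
    held = set(held_levels)
    if not held:
        return True  # no session at all: always authenticate
    requested = list(requested_levels)
    if not requested:
        return False  # no context constraint: the existing session suffices
    if comparison is None or comparison == "exact":
        return not any(level in held for level in requested)
    if comparison == "minimum":
        return max(held) < min(requested)
    if comparison == "better":
        return max(held) <= min(requested)
    raise ValueError(f"unsupported Comparison value: {comparison!r}")


def decide(authn_request_xml: str, held_levels: Iterable[int]) -> bool:
    """Parse the request and decide in one call."""
    comparison, requested = parse_requested_context(authn_request_xml)
    return reauthentication_required(comparison, requested, held_levels)
```

With the sample request (Comparison="minimum", password level) a user holding the X509 contract is not prompted again, while the same user would be prompted if the request carried Comparison="exact" or no Comparison attribute, which is the behaviour the fix text describes.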

NetIdentity Users are Prompted Twice for Credentials

Issue: When the NetIdentity client is enabled and Kerberos authentication is configured, users are prompted for credentials twice even though the correct credentials are entered the first time. (Bug 833978)

Fix: If the NetIdentity flag is enabled and the NetIdentity header is present in the request, Kerberos authentication is not executed. Hence, users are not asked for credentials a second time.

Unable to Modify Customization Profile After Authenticating to Remote Identity Server

Issue: You can modify an LDAP attribute defined under the customization profile when you have authenticated to the Identity Server locally, but when you are logged in from a remote Identity Server an error message states that the attribute cannot be modified. (Bug 836097)

Fix: The nidp.jar file has been updated, and you can now view and modify the customization profile.

Identity Server Session Failover Does Not Work With External Authentications

Issue: Identity Server session failover does not work because the Identity Server does not send the temporary user information to the failover server, which therefore cannot recreate the session. (Bug 838608)

Fix: Identity Server session failover now works.

RADIUS Authentication With Token Fails

Issue: On a RADIUS server, authentication fails when the login page is displayed the second time. (Bug 838625)

Fix: JSP changes have been made so that the submitted parameter now accepts the value entered by the user.

Federation Fails if SAML 2.0 Post Response Is Signed

Issue: Federation fails if the SAML 2.0 POST response contains a signature but the assertion does not. (Bug 842788)

Fix: Added the nidp config property SAML2_AVOID_SIGN_AND_VALIDATE_ASSERTION_TRUSTEDPROVIDERS to the service provider. If the response is signed and the assertion is not, federation succeeds. For more information, see Configuring SAML 2.0 to Sign Messages > Avoiding Assertion Signing Validation by Service Provider.

1.2 Software Fixes for the Access Gateway

NetIQ Access Manager 3.2 Service Pack 2 IR2 includes software fixes that resolve several previous issues.

GZip Compression Issues with Small Payloads Accelerating Sentinel or Liferay

Issue: When GZip is enabled and you access the Sentinel or Liferay portal through Access Manager, a blank page is displayed. (Bug 772808)

Fix: The Access Gateway now decompresses the GZip data even if the data is less than 10 bytes.

Access Gateway Does Not Work When the <form> Tag Includes an Empty Method Attribute

Issue: The Access Gateway does not work when the <form> tag includes an empty method attribute while processing a Form Fill policy. (Bug 823555)

Fix: A null check has been introduced, and the Access Gateway now processes such forms without error.
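The defect class behind this fix, as an added example that is not NetIQ code: a form-fill step that reads the <form> method attribute must tolerate an empty value, a value-less attribute and a missing attribute. The parser below (using Python's standard html.parser, with a constructed sample page) normalizes all three to GET, which HTML defines as the missing-value and invalid-value default, and keeps the naive lookup beside it to show where the null check is needed.

```python
# Added example (not NetIQ code): parsing <form> tags for a form-fill step so
# that an empty or value-less method attribute does not break processing.
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed page: the second form carries an empty method, the third a
# value-less one, and the fourth none at all.
SAMPLE_HTML = """<html><body>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<form action="/search" method=""><input name="q"></form>
<form action="/filter" method><input name="f"></form>
<form action="/page"><input name="p"></form>
</body></html>"""


def normalize_method(raw: Optional[str]) -> str:
    """HTML specifies GET as both the missing-value and the invalid-value
    default for the form method, so None, "" and unknown values map to GET."""
    if raw is None:
        return "GET"
    value = raw.strip().upper()
    return value if value in ("GET", "POST") else "GET"


def naive_method(attrs) -> str:
    """The shape of the original defect: assumes method is always present with
    a usable value. Raises AttributeError for <form method> (value None) and
    yields "" for method="", which cannot be submitted."""
    return dict(attrs)["method"].upper()


class FormCollector(HTMLParser):
    """Collects each <form> with its action, normalized method and field names."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)  # html.parser gives None for attributes without a value
        tag = tag.lower()
        if tag == "form":
            self._in_form = True
            self.forms.append({
                "action": attr.get("action") or "",
                "method": normalize_method(attr.get("method")),
                "fields": [],
            })
        elif tag == "input" and self._in_form and attr.get("name"):
            self.forms[-1]["fields"].append(attr["name"])

    def handle_endtag(self, tag):
        if tag.lower() == "form":
            self._in_form = False


def collect_forms(html: str) -> List[Dict]:
    """Parse a page and return its forms in document order."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    return parser.forms
```

Running collect_forms over the sample page yields POST for the login form and GET for the other three, whereas naive_method fails on the value-less attribute and returns an unusable empty string for method="".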

Cannot Log Cached Status Extended Log Field

Issue: The Cached Status field is not logged even though you have enabled extended HTTP logging for a proxy service. (Bug 829714)

Fix: The Cached Status field has been added to the logging configuration.

Looping Issues in the Access Gateway on Microsoft Windows

Issue: There are looping issues on the Access Gateway on Windows when you re-authenticate after the original session times out. (Bug 835053)

Fix: The Access Gateway now sends a proper response informing the other cluster members that the session has expired.

Username Is Logged as Public in Common/Extended Logging When Accessing a Protected Resource with Non-Redirected Login

Issue: When you access a protected resource with a valid basic authentication header (which does not redirect you to the NIDP server for login), you get access as expected, but the common/extended logging entry records you as a "public" user. (Bug 836066)

Fix: A valid user name is now logged instead of "public".

IP Mismatch Errors Display an Incorrect Message

Issue: When you access a protected resource through the Access Gateway and the client IP address changes, an Access Forbidden or NULL message is displayed. (Bug 838228)

Fix: A valid error message is now displayed.

Error While Uploading a File Containing NULL Bytes

Issue: When you upload a file that contains NULL bytes, the upload is truncated, and the Web server reports an error because the end of the HTTP transaction is missing. (Bug 838690)

Fix: You can now attach a file containing NULL bytes.

Multiple Authentication Requests While Opening Microsoft Excel Files

Issue: You are prompted to authenticate multiple times when you open Microsoft Excel files through the Access Gateway. (Bug 839878)

Fix: Changes have been made to the handling of WebDAV OPTIONS requests, and you can now open Microsoft Excel files without entering credentials multiple times.

Identity Injection Fails to Inject Basic Authentication Information

Issue: After accessing a protected resource, if you access a public resource of an Access Gateway with an Identity Injection policy enabled, the credentials with which you logged in the first time are not injected into the header. (Bug 841228)

Fix: The parameters configured in the Identity Injection policy are now injected while accessing a public resource.

A Rewriter Issue with /nesp/app/plogout URLs

Issue: An incorrect DNS name is rewritten in the Location header. (Bug 841237)

Fix: The rewriter now leaves the Location header unchanged if the back-end URL contains the published name and the URL is /nesp/app/plogout.

HTTP Logging Does Not Work on Windows Access Gateway Service

Issue: In Microsoft Windows, the Access Gateway does not create extended logs for reverse proxy requests configured for extended logging. (Bug 841794)

Fix: Updates have been made to handle both "/" and "\" in Microsoft Windows paths.

Rewriter Fails to Rewrite Meta HTML Headers

Issue: The Access Gateway does not rewrite the name from the back-end server to a published name if you configure the Web server address as a DNS name instead of an IP address. (Bug 848877)

Fix: If the Web server host name is configured as a DNS name, the Access Gateway now rewrites the URL when the back-end DNS name appears as part of the URL.

Proxy Service Requests Go to the Same Web Server Though Round Robin is Configured

Issue: Proxy service requests go to the same Web server even though Session Stickiness and Persistence Connection have been disabled and round robin is enabled. (Bug 851138)

Fix: If Persistence Connection to the Web server is disabled and Session Stickiness is enabled, the ZNPCQ003 cookie setting is no longer removed.
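The selection behaviour this fix is about, as an added example that is not NetIQ code: a proxy service that distributes requests round robin and honours a stickiness cookie only when Session Stickiness is enabled. The cookie name ZNPCQ003 is the one the release note names; the cookie's value format (an opaque backend id issued by the proxy, validated on every request) and the backend names are assumptions made for the example.

```python
# Added example (not NetIQ code): backend selection for a proxy service that
# uses round robin and honours a stickiness cookie only when session
# stickiness is enabled. The cookie name comes from the release note; the
# opaque-id value format and the backend names are assumptions.
import itertools
from typing import Dict, List, Optional, Tuple

STICKY_COOKIE = "ZNPCQ003"


class ProxyService:
    def __init__(self, backends: List[str], session_stickiness: bool) -> None:
        self.backends = list(backends)
        self.session_stickiness = session_stickiness
        # Opaque ids go into the cookie so it never carries a back-end host name,
        # and an unknown id can be rejected instead of trusted.
        self._id_to_backend: Dict[str, str] = {
            f"b{i}": b for i, b in enumerate(self.backends)
        }
        self._backend_to_id = {b: i for i, b in self._id_to_backend.items()}
        self._rr = itertools.cycle(self.backends)

    def select(self, cookies: Dict[str, str]) -> Tuple[str, Optional[str]]:
        """Return (backend, cookie_value_to_set).

        cookie_value_to_set is None when the response should carry no
        Set-Cookie for the stickiness cookie.
        """
        if not self.session_stickiness:
            # Pure round robin: never pin a client and never emit the cookie,
            # even if the client still presents a stale one.
            return next(self._rr), None
        sticky_id = cookies.get(STICKY_COOKIE)
        pinned = self._id_to_backend.get(sticky_id) if sticky_id else None
        if pinned is not None:
            # Valid, known cookie: stay on that backend, nothing to set.
            return pinned, None
        # Missing or unknown cookie (for example a backend removed from the
        # pool): take the next backend in rotation and issue a fresh cookie.
        chosen = next(self._rr)
        return chosen, self._backend_to_id[chosen]


def simulate(service: ProxyService, requests: List[Dict[str, str]]) -> List[str]:
    """Run a sequence of requests (each given as its cookie jar) and return
    the backend chosen for each, in order."""
    return [service.select(cookies)[0] for cookies in requests]
```

With stickiness disabled, three consecutive requests land on three different backends regardless of any cookie the client sends, which is the behaviour the issue text expected; with stickiness enabled, the first request is pinned by a freshly issued cookie and later requests carrying it stay on the same backend.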

2.0 Installing or Upgrading Access Manager

To upgrade to Access Manager 3.2 Service Pack 2 IR2, download AM_32_SP2_IR2.zip, which contains the Access Manager Patch Tool and the patch file, from Novell Downloads. To upgrade to this version, you must be running 3.2 Service Pack 2 or 3.2 Service Pack 2 IR1.

To install Access Manager 3.2 Service Pack 2, see the NetIQ Access Manager 3.2 SP2 Installation Guide.

You can upgrade from 3.2 Service Pack 2 or 3.2 Service Pack 2 IR1 to 3.2 Service Pack 2 IR2. For more information about upgrading to Access Manager 3.2 Service Pack 2 IR2, see Upgrading Access Manager Using the Patch Process for Linux and Upgrading Access Manager 3.2 SP2 Using the Patch Process for Windows.

2.1 Verifying Version Numbers

It is important to verify the version number of existing Access Manager components before you upgrade to 3.2 Service Pack 2 IR2. This ensures that you have the correct version of files on your system.

Verifying Version Numbers Before Upgrading to 3.2 SP2 IR2

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

  2. Examine the value of the Version field to see if it displays a version that is eligible for upgrading to 3.2 Service Pack 2 IR2. The Version field should list 3.2.2-77 for 3.2 SP2 or 3.2.2-77 + IR1-107 for 3.2 Service Pack 2 IR1.

Verifying Version Numbers After Upgrading to 3.2 SP2 IR2

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

  2. Verify that the Version field lists 3.2.2-77 + IR2-117 when you upgrade from 3.2 SP2 and 3.2.2-77 + IR1-107, IR2-117 when you upgrade from 3.2 SP2 IR1.

3.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

3.1 Issue During SSL Renegotiation When X.509 Authentication is Configured

Issue: An error occurs during SSL renegotiation after you select a client certificate while accessing a resource. (Bug 842019)

Workaround: Copy the CA certificates manually to the /etc/opt/novell/apache2/conf/cacerts/custom folder and restart Apache.

3.2 Web Server Load Balancing Does Not Work

Issue: Load balancing does not occur equally among the Web servers in a proxy service setup. (Bug 842496)

Workaround: Perform a full restart of the Access Gateway instead of a graceful restart when you update the server. Edit the agm.properties file, search for linux.apache.command.gracefulrestart, and replace it with linux.apache.command.restart. Restart the Access Gateway by using the /etc/init.d/novell-mag restart command. For more information and to fix this issue, see TID 7014203.

3.3 The Access Gateway Does Not Work When Syslog Level Logging to error_log Is Not Enabled

Issue: The Access Gateway has performance and stability issues when the proxy is enabled in the verbose mode and errors are reported regularly in the error_log file. (Bug 842805)

Workaround: Enable syslog level logging on the Access Gateway Proxy server if the Access Gateway service is running on SLES or RedHat. For more information, see TID 7011611.

3.4 Authentication Assertion Fails When Encrypt Assertions is Selected

Issue: If you initially imported metadata by using a URL or text and then edited it manually, no authentication assertions are returned in the response when the Encrypt assertions and Want assertion to be signed options are selected. (Bug 846558)

Workaround: Reimport the metadata through URL or text, follow the documentation steps available at https://www.netiq.com/documentation/netiqaccessmanager32/identityserverhelp/data/bjk7fd1.html#bpzkjib to enable message signing, and use nidpconfig.properties to configure it.

3.5 Certificate Verification Fails

Issue: An error occurs after importing the SAML2 metadata when Certificate Revocation List (CRL) check is enabled. (Bug 856049)

Workaround: None.

4.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
