NetIQ Access Manager 3.2 Service Pack 2 IR2 resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Access Manager forum on Qmunity, our online community that also includes product information, blogs, and links to helpful resources.
For the list of software fixes and enhancements in the previous release, see Access Manager 3.2 SP2 Readme and Access Manager 3.2 Service Pack 2 IR1 Readme.
The documentation for this product is available on the NetIQ Web site in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click Add Comment at the bottom of any page in the HTML version of the documentation posted at the Access Manager NetIQ Documentation page. To download this product, see the NetIQ Access Manager Products Web site.
The following sections outline the issues resolved in this release:
NetIQ Access Manager 3.2 Service Pack 2 IR2 includes software fixes that resolve several previous issues.
Issue: You cannot select the Use secure LDAP connections option while creating a replica in eDirectory to store secrets and the port communication with the newly added replica fails. (Bug 811887)
Fix: Configuring an eDirectory user store to use secretstore is now possible. You can select the Use secure LDAP connections option. The default port is set to 636 on the new server replica userstore screen.
Issue: The Identity Server prompts you to re-authenticate on SAML requests even though the Identity Server has already authenticated at a higher level contract. (Bug 832443)
Fix: If the authentication request has any context comparison parameter, a check is performed on contract levels against the contracts already authenticated at the Identity Server. If the request is to check the exact level or context comparison is not set, the already authenticated contract level check will not be performed.
Issue: When the NetIdentity client is enabled and Kerberos authentication is configured, users are prompted for credentials twice even though correct credentials are used the first time. (Bug 833978)
Fix: If the NetIdentity flag is enabled and the NetIdentity header exists in the request, Kerberos will not be executed. Hence, users will not be asked for credentials a second time.
Issue: You can modify an LDAP attribute defined under the customization profile when you have authenticated to the Identity Server locally, but you will get an error message that you cannot modify when you are logged in from a remote Identity Server. (Bug 836097)
Fix: The nidp.jar file has been updated, and you can now view and modify the customization profile.
Issue: Identity Server failover does not work as the Identity Server does not send the temporary user information to the failover server to recreate the session. (Bug 838608)
Fix: Identity Server session failover now works.
Issue: On a Radius server, authentication fails when the login page is displayed the second time. (Bug 838625)
Fix: JSP changes have been made so that the submitted parameter value now accepts the user-entered value.
Issue: Federation fails if the SAML 2.0 POST response contains a signature but the assertion does not. (Bug 842788)
Fix: The nidp config property SAML2_AVOID_SIGN_AND_VALIDATE_ASSERTION_TRUSTEDPROVIDERS has been added in the service provider. If the response is signed and the assertion is not, federation is successful. For more information, see Configuring SAML 2.0 to Sign Messages > Avoiding Assertion Signing Validation by Service Provider.
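With this property in use, the integrity of the assertion rests entirely on the Response-level signature, so it is worth confirming where a provider's signatures actually sit. The following Python check is an added example, not NetIQ code: it classifies the signature layout of a SAML 2.0 Response structurally (it does not verify signatures cryptographically), and the sample message, IDs and function names are constructed for illustration, assuming unencrypted assertions.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, trimmed sample: Response signed, Assertion not (the Bug 842788 layout).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1"><saml:Subject/></saml:Assertion>
</samlp:Response>"""


def own_signature(elem):
    """None if elem has no direct ds:Signature child; otherwise True only when
    the signature's single Reference points at elem's own ID."""
    sig = elem.find("ds:Signature", NS)  # direct child only, not descendants
    if sig is None:
        return None
    uris = [r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    return uris == ["#" + elem.get("ID", "")]


def classify(xml_text):
    """Structural check only: reports where signatures sit, not whether they verify."""
    # For untrusted input, parse with a hardened parser (e.g. defusedxml) instead.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    states = [own_signature(root)] + [own_signature(a) for a in assertions]
    if False in states:
        return "bad-reference"      # a signature does not cover its parent element
    resp, asserts = states[0], states[1:]
    if asserts and all(asserts):
        return "both" if resp else "assertion-signed"
    if resp:
        return "response-only"      # assertions rely on the Response signature
    return "unsigned"


if __name__ == "__main__":
    print(classify(SAMPLE))
```

A result of "bad-reference" or "unsigned" means the message should not be accepted regardless of how the property is set.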
NetIQ Access Manager 3.2 Service Pack 2 IR2 includes software fixes that resolve several previous issues.
Issue: When GZip is enabled and you access Sentinel/Liferay portal through Access Manager, a blank page is displayed. (Bug 772808)
Fix: The Access Gateway will decompress the GZip data even if the data is less than 10 bytes.
Issue: The Access Gateway does not work when the <form> tag includes an empty method element while processing a Form Fill policy. (Bug 823555)
Fix: A null check has been introduced and the Access Gateway works without any issue.
Issue: The Cached Status field is not logged even though you have enabled extended HTTP logging for a proxy service. (Bug 829714)
Fix: The Cached Status field has been added to the logging configuration.
Issue: There are looping issues on Windows Access Gateway when you re-authenticate after the original session times out. (Bug 835053)
Fix: The Access Gateway sends a proper response informing the other cluster members if the session has expired.
Issue: When you access a protected resource with a valid basic authentication header (which does not redirect you to the NIDP server for login), you get access as expected, but the common / extended logging entry stores you as a "public" user. (Bug 836066)
Fix: A valid user name will be logged instead of storing the user name as "public".
Issue: When you access a protected resource from the Access Gateway and change the IP address of the client, Access Forbidden or NULL message is displayed. (Bug 838228)
Fix: A valid error message is now displayed.
Issue: When you upload a file that contains NULL bytes, the upload is truncated. The Web server displays an error as the end of the HTTP transaction is missing. (Bug 838690)
Fix: You can now attach a file containing NULL bytes.
Issue: You are requested for multiple authentications when you open Microsoft Excel files through the Access Gateway. (Bug 839878)
Fix: Changes have been made for handling WebDAV options request, and you can now open the Microsoft Excel files without entering the credentials multiple times.
Issue: After accessing a protected resource, if you access a public resource of an Access Gateway with an Identity Injection policy enabled, the credentials with which you logged in the first time are not injected into the header. (Bug 841228)
Fix: The parameters configured in the Identity Injection policy are now injected while accessing a public resource.
Issue: An incorrect DNS name is rewritten in the Location header. (Bug 841237)
Fix: The rewriter no longer rewrites if the back end URL contains the published name and the URL is /nesp/app/plogout.
Issue: In Microsoft Windows, the Access Gateway does not create extended logs for reverse proxy requests configured for extended logging. (Bug 841794)
Fix: Updates have been made to handle "/" and "\" for Microsoft Windows paths.
Issue: The Access Gateway does not rewrite the name from the back end server to a published name if you configure the Web server address as a DNS name instead of an IP address. (Bug 848877)
Fix: If the Web server host name is configured as a DNS name, the Access Gateway rewrites the URL if the back end DNS name exists as part of the URL.
Issue: Proxy service requests go to the same Web server, though the Session Stickiness and Persistence Connection have been disabled and round robin is enabled. (Bug 851138)
Fix: If Persistence Connection to Web server is disabled and Session Stickiness is enabled, the ZNPCQ003 cookie setting is not removed now.
To upgrade to Access Manager 3.2 Service Pack 2 IR2, download AM_32_SP2_IR2.zip, which contains the Access Manager Patch Tool and the patch file, from Novell Downloads. To upgrade to this version, you must be using 3.2 Service Pack 2 or 3.2 Service Pack 2 IR1.
To install Access Manager 3.2 Service Pack 2, see the NetIQ Access Manager 3.2 SP2 Installation Guide.
You can upgrade from 3.2 Service Pack 2 or 3.2 Service Pack 2 IR1 to 3.2 Service Pack 2 IR2. For more information about upgrading to Access Manager 3.2 Service Pack 2 IR2, see Upgrading Access Manager Using the Patch Process for Linux and Upgrading Access Manager 3.2 SP2 Using the Patch Process for Windows.
It is important to verify the version number of existing Access Manager components before you upgrade to 3.2 Service Pack 2 IR2. This ensures that you have the correct version of files on your system.
In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version
Examine the value of the Version field to see if it displays a version that is eligible for upgrading to 3.2 Service Pack 2 IR2. The Version field should list 3.2.2-77 for 3.2 SP2 or 3.2.2-77 + IR1-107 for 3.2 Service Pack 2 IR1.
In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version
Verify that the Version field lists 3.2.2-77 + IR2-117 when you upgrade from 3.2 SP2 and 3.2.2-77 + IR1-107, IR2-117 when you upgrade from 3.2 SP2 IR1.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Issue: An error occurs during SSL renegotiation after you select a client certificate while accessing a resource. (Bug 842019)
Workaround: Copy the CA certificates manually to the /etc/opt/novell/apache2/conf/cacerts/custom folder and restart Apache.
Issue: Load balancing does not occur equally among the Web servers in a proxy service setup. (Bug 842496)
Workaround: Restart the Access Gateway when you update the server instead of a graceful restart. Edit the agm.properties file, search for linux.apache.command.gracefulrestart and replace it with linux.apache.command.restart. Restart the Access Gateway by using the /etc/init.d/novell-mag restart command. For more information and to fix this issue, see TID 7014203.
Issue: The Access Gateway has performance and stability issues when the proxy is enabled in the verbose mode and errors are reported regularly in the error_log file. (Bug 842805)
Workaround: Enable syslog level logging on the Access Gateway Proxy server if the Access Gateway service is running on SLES or RedHat. For more information, see TID 7011611.
Issue: If you have imported metadata initially by using a URL or text and edited manually, then no authentication assertions are returned in response when Encrypt assertions and Want assertion to be signed options are selected. (Bug 846558)
Workaround: Reimport the metadata through URL or text and follow the documentation steps available at https://www.netiq.com/documentation/netiqaccessmanager32/identityserverhelp/data/bjk7fd1.html#bpzkjib to enable message signing and use nidpconfig.properties for configuring it.
Issue: An error occurs after importing the SAML2 metadata when Certificate Revocation List (CRL) check is enabled. (Bug 856049)
Workaround: None.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information Web site.
For general corporate and product information, see the NetIQ Corporate Web site.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
For purposes of clarity, any module, adapter or other similar material (“Module”) is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
© 2014 NetIQ Corporation and its affiliates. All Rights Reserved.
For information about NetIQ trademarks, see http://www.netiq.com/company/legal/.