1.0 What’s New?

The following outlines the key features and functions provided by this version, as well as the issues resolved in this release:

1.1 Updates for Dependent Components

This version provides the following updated components:

  • Novell Audit Platform Agent for Linux 2.0.2.69

  • iManager 2.7.6

  • Java 1.7.0_04

  • Tomcat 7-7.0.32-1

1.2 Creating an Inject JavaScript Policy

The Inject JavaScript policy adds the configured JavaScript to a protected resource page, when used in interactive mode. You can create a standalone Inject JavaScript policy. You can also use this policy with the Form Fill policy. For more information on creating the JavaScript policy, see Creating an Inject JavaScript Policy in the NetIQ Access Manager 3.2 SP2 Policy Guide.

1.3 Shared Secret Type

While creating policies from the Administration Console, the Shared Secret Type option allows you to choose how the value you specified in the HTML form is stored in the shared secret store. For more information, see Shared Secret Type in the NetIQ Access Manager 3.2 SP2 Policy Guide.

1.4 Multiple Signing and Encryption Certificates

In the previous release, you were forced to use the same signing certificate for all configured service providers. The Identity Server is now enhanced to support multiple signing and encryption certificates.

In SLES, the Add and Remove options are available only for Encryption and Signing certificates. The Replace option allows you to replace only the default certificates.

For more information, see Configuring Communication Security for a SAML 2.0 Service Provider and Managing Certificates in a Keystore.

1.5 Protecting Kerberized Resources with Kerberos Constrained Delegation

This release adds support for protecting kerberized resources with Kerberos Constrained Delegation (KCD) on Windows. For more information, see Protecting Kerberized Resources with Kerberos Constrained Delegation in the NetIQ Access Manager 3.2 SP2 Access Gateway Guide.

Enhancements to the procedure for creating and configuring an Inject Kerberos Ticket policy are also provided. For more information, see Configuring an Inject Kerberos Ticket Policy in the NetIQ Access Manager 3.2 SP2 Policy Guide.

1.6 Inclusion of a Message after Authentication

The Access Gateway can now display a post-authentication message. After authentication, the Access Gateway displays the message "Authentication successful, please wait while your requested page loads" before the final redirect to the originally requested URL.

For more information, see Enabling the Access Gateway to Display Post-Authentication Message in the NetIQ Access Manager 3.2 SP2 Access Gateway Guide.

1.7 Programmatic Access to the Identity Server and the Access Gateway Appliance Statistics

Access Manager now supports programmatic access to the Identity Server statistics. To use this enhancement, enable the REST API. Access Manager is also enhanced to support a programmatic method to retrieve the statistics from an Access Gateway server. For more information, see Monitoring API for the Access Gateway Statistics in the NetIQ Access Manager 3.2 SP2 Access Gateway Guide and Monitoring API for the Identity Server Statistics in the NetIQ Access Manager 3.2 SP2 Identity Server Guide.

1.8 Verification Before Removing the Access Gateway from a Cluster

A confirmation prompt is now added for removing an Access Gateway from the cluster.

1.9 Tracking Average Local (LDAP) Authentication Time

A new Identity Server statistic tracks the average local (LDAP) authentication time. This enhancement also includes a graph of this statistic over time.

1.10 Encryption Method Selection From Metadata

From Access Manager 3.2 Service Pack 2 onwards, the assertion is encrypted using the method and algorithm specified in the metadata of the service provider. For more information on encrypting assertions, see Configuring Communication Security for a SAML 2.0 Service Provider in the NetIQ Access Manager 3.2 SP2 Identity Server Guide.

1.11 Increased Flexibility of URL Mask on Pin List

While configuring a pin list, you can do the following:

  • Provide file extensions with path. For example, /picture/*.gif

  • Include asterisks (*) in file names and extensions. For example, /documents/sd*sd.gif and /abc*ed

For more information, see URL Mask in the NetIQ Access Manager 3.2 SP2 Access Gateway Guide.

1.12 Change in Behavior of Protected Resource Path Matching

This release changes how Access Manager matches a request against the configured path of a protected resource. If a protected resource is configured with /path/portal/*, it no longer matches a request URL of /path/portal. This behavioral change may cause SSO to the backend Web server to fail.

For example, assume you have a protected resource (PR1) configured with /path/portal/* and an Identity Injection policy that initiates SSO to the backend Web server, and you send the following requests:

Prior to this release, both requests matched PR1. With this release, request 1 does not match PR1, so SSO may fail if it requires the Identity Injection policy. To resolve this, add /path/portal as an additional path in PR1, or change /path/portal/* to /path/portal*. For more information, see TID 7012584.
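The following added example (not Access Manager code) models the matching behavior described in sections 1.11 and 1.12 so that you can check a set of URL masks against request paths before changing a protected resource. It assumes the simplest reading of the masks on this page: an asterisk matches any run of characters and every other character matches literally; the request paths are constructed samples.

```python
import re

# Added illustration of the 3.2 SP2 path-matching change. This is NOT Access
# Manager's implementation: it models protected-resource and pin-list URL masks
# as simple globs in which '*' matches any run of characters and all other
# characters match literally (an assumption about the product's rules).

def mask_to_regex(mask: str) -> re.Pattern:
    """Turn a URL mask such as /path/portal/* or /documents/sd*sd.gif into an
    anchored regular expression; everything except '*' is escaped literally."""
    parts = (re.escape(p) for p in mask.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")

def matches(masks, request_path: str) -> bool:
    """True if the request path matches any of the resource's URL masks."""
    return any(mask_to_regex(m).match(request_path) for m in masks)

# Constructed request paths standing in for the two requests in section 1.12.
REQUESTS = ["/path/portal", "/path/portal/"]

# PR1 as originally configured: only /path/portal/*.
PR1_ORIGINAL = ["/path/portal/*"]
# The two remedies suggested in the release notes.
PR1_EXTRA_PATH = ["/path/portal/*", "/path/portal"]
PR1_WIDENED = ["/path/portal*"]

def coverage(masks):
    """Map each constructed request path to whether the masks cover it.
    Under these glob rules the widened mask /path/portal* also covers paths
    such as /path/portalother, so the extra-path remedy is the narrower one."""
    return {req: matches(masks, req) for req in REQUESTS}

if __name__ == "__main__":
    for name, masks in [("original", PR1_ORIGINAL),
                        ("extra path", PR1_EXTRA_PATH),
                        ("widened", PR1_WIDENED)]:
        print(name, coverage(masks))
```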

1.13 Upgrading Kernel to the Latest Security Patch

The Access Manager Appliance installs a customized version of SLES 11. If you want to install the latest patches as they become available, see Upgrading Kernel to the Latest Security Patch in the NetIQ Access Manager 3.2 SP2 Installation Guide.

1.14 Software Fixes for the Administration Console

Access Manager 3.2 Service Pack 2 includes software fixes that resolve several previous issues in the Administration Console.

Cannot Add or Configure a Port to the Web Server Host Name

Issue: You cannot add or configure a port number along with the Web Server Host Name. (Bug 787378)

Fix: You can now append the port number to the Web Server Host Name field. For example, <web server hostname>:<web server port number>.

Issue with Importing or Renewing Certificates

Issue: Access Manager is unable to import certificates with different certificate file formats. (Bug 815696)

Fix: Access Manager can now import certificates in DER, PEM, and PKCS7 format, and can import certificates of different formats together.

1.15 Software Fixes for the Identity Server

Access Manager 3.2 Service Pack 2 includes software fixes that resolve several previous issues in the Identity Server.

Kerberos Fall Back to Basic Authentication Class Triggered After Fall back to Form Fails

Issue: When you configure a Kerberos contract with FALLBACK_AUTHCLASS by editing the Identity Server Cluster, it displays the default form-based authentication before the basic authentication UI is displayed. (Bug 790909)

Fix: To configure basic authentication as the fallback authentication class, add the following property:

  Property Name: FALLBACK_AUTHCLASS

  Property Value: Basic or com.novell.nidp.authentication.local.BasicClass

LDAP Unbind Request and Authentication Fails

When you submit a token after 15 seconds of the initial LDAP bind, the Identity server issues an LDAP unbind request and authentication fails. For more information, see TID 7012564. (Bug 794290)

RADIUS Authentication Checks LDAP Password Before Token Validation

When you enable the RADIUS token-based authentication on the Identity Server, it verifies the LDAP password before verifying the token. (Bug 794495)

PasswordFetchClass User Lookup Fails

Issue: PasswordFetchClass user lookup into iplanet Directory fails. (Bug 799701)

Fix: Password fetch now works if the DN uses UID instead of CN for the user lookup in the LDAP directory.

SAML ECP Profile is not Working for Office365

Issue: The Identity Server is not setting the IDPEmail attribute, which is configured as an attribute to send, in the SAML 2.0 token. (Bug 807382)

Fix: The ECP URL for Office365 is https://IDP/nidp/saml2/soap.

The Identity Server Fails to Respond

There are issues authenticating to the Identity Server when accessing Liberty or SAML metadata. The Identity Server fails to report to the Administration Console because the SSL connection does not time out. For more information, see TID 7012562. (Bug 792738)

Vulnerability Issue for Cross-Site Scripting in the Identity Server

Issue: Access Manager does not validate a JSP file that you have customized, such as a customized login, logout, or error page. If you modify JSP files, you must sanitize them to prevent XSS attacks. For more information, see Preventing Cross-site Scripting Attacks and TID 7012486. (Bug 817557)

Fix: Sanitized the JSP file to prevent cross-site scripting attacks.

The Identity Server Inserts Only One Value in SAML 2.0 Assertion

Issue: The Identity Server inserts only one value in a SAML 2.0 assertion, when there are multiple attributes with the same name. (Bug 800580)

Fix: The Identity Server now includes a remote attribute in the string to be encoded so that you get a unique encoded value for each constant value that you add.

1.16 Software Fixes for the Access Gateway Service

Access Manager 3.2 Service Pack 2 includes software fixes that resolve several previous issues in the Access Gateway Service.

Increased Flexibility of Configuring Protected Resources Using Wild Characters

Issue: A 403 error occurs while accessing protected resources after upgrading to version 3.2 when URL paths are configured as /path/path_*. (Bug 774381)

Fix: URL path matching for protected resources now uses regular expressions, which allows protected resources to be configured more flexibly using wildcard characters.

TCP Tunnel Connections are Active Even After Idle Timeout

Issue: The TCP tunnel connections remain active even after the idle timeout for the proxy is reached. (Bug 810717)

Fix: TCP connections are now closed according to the configured timeout values.

Logout Page Does Not Execute With the Customizations You Made

Issue: When you have both Liberty and SAML 2.0 sessions running on the Identity Server and you log out of the Access Gateway, the logoutsuccess.jsp page does not execute with the customizations you have made to the logout page. You will be able to log out of the Access Gateway but the customizations you made are lost.

If the logoutSuccess.jsp file is not loaded in a frame, the banner is not displayed, and the Access Gateway comments out the content in the logoutSuccess.jsp file. For more information on customizing the Access Gateway logout page, see Customizing the Access Gateway Logout Page in the NetIQ Access Manager 3.2 SP2 Access Gateway Guide. (Bug 792560)

Fix: Add the following line after the <body> tag in the logoutSuccess.jsp file:

<!-- BANNER LOADS IF THIS PAGE IS NOT LOADED IN REGULAR FRAME --><%@include file="logoutHeader.jsp"%>

Form Fill Posts the Page When None of the Input Fields Match

Issue: The Form Fill Policy posts the page even if none of the input fields match. (Bug 804229)

Fix: The form is no longer submitted automatically and is presented to you in interactive mode.

Web Server Health Check Fails to Check Status

The Web server health check fails to check the status of the back-end Web servers and reports the message "Worker connectivity not checked". For more information, see TID 7012561. (Bug 794482)

Proxy Configuration Updates Are Not Occurring Until You Restart Apache

Issue: Changes you make to an existing policy are not reflected unless you restart Apache manually. For more information, refer to TID 7012560. (Bug 803525)

Fix: Proxy configuration updates are now applied without restarting Apache manually.

Changes in the Access Gateway Configuration Cause Service Interruption

Issue: When updates are applied to the proxy servers, the Apache service on that device is restarted. This stops the existing httpd processes on the Access Gateway and causes a service interruption. For more information, see TID 7012560. (Bug 778475)

Fix: Service is no longer interrupted, because the Access Gateway now supports graceful restart.

The Access Gateway Fails Abruptly While Processing 302 Redirect Responses

Issue: The Access Gateway fails abruptly while processing 302 redirect responses from a Web server that lack a trailing / after the hostname. For more information, see TID 7012558. (Bug 806978)

Fix: This release changes the handling of Web server redirects so that the trailing / character is included in the 302 redirect.

Cannot Inject a Photo into HTTP Headers

Issue: You can use the jpegPhoto LDAP attribute to store your photo in JPEG format. This LDAP attribute does not inject the image into a custom HTTP header and returns a 400 Bad Request error. (Bug 780739)

Fix: Edit the index.php file and add the following line:

<img src="data:image/jpeg;base64,/9j/4....Base64 value got from custom header......."/>

Issues With nproduct.log File Growing and Audit Events Are Not Sent to NSure Audit Server

Issue: The nproduct.log file keeps growing even though audit is not enabled. Another issue is that no audit events are sent to the NSure Audit server running on the Administration Console. (Bug 796294)

Fix: The issue with the log file has been resolved.

1.17 Software Fixes for the SSL VPN

Expired SSL VPN Signing Certificate

Issue: The SSL VPN signing certificate has expired, and the nidp.jar file contains an expired certificate. (Bug 816698)

Fix: No messages related to an expired certificate are now observed for the jar file.