NetIQ Access Manager Appliance 3.2 IR1 Readme

July 2012

This Readme describes the NetIQ Access Manager 3.2 IR1 release.

For more information about the new features and enhancements added for Access Manager Appliance in this release, see the NetIQ Access Manager Appliance 3.2 Installation Guide.

1.0 Upgrading to Access Manager Appliance 3.2 IR1

To upgrade to Access Manager Appliance version 3.2 IR1, ensure that you are on version 3.2.

The following file is available for 3.2 IR1:

Filename                                                   Description
AM_32_IR1_AccessManagerAppliance_Linux_SLES11_64.tar.gz    Contains the upgrade for the Access Manager Appliance.

For upgrade and installation information:

1.1 Upgrade Instructions

For instructions on upgrading Access Manager Appliance from 3.2 to 3.2 IR1, see Upgrading Access Manager Appliance.

1.2 Installation Instructions

For instructions on installing Access Manager Appliance, see the NetIQ Access Manager Appliance 3.2 Installation Guide.

1.3 Verifying Version Numbers Before Upgrading

Before upgrading to Access Manager 3.2 IR1, ensure that you are on version 3.2.

To determine the existing version:

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

  2. Examine the value in the Version field.

    Component                   Version
    Administration Console      3.2.0.327
    Identity Server             3.2.0.327
    Access Gateway Appliance    3.2.0.327
    SSL VPN                     3.2.0.327

1.4 Verifying Version Numbers After Upgrading

After upgrading all the Access Manager components, verify their version as follows:

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

  2. Examine the value in the Version field to verify that the component has been upgraded to 3.2 IR1.

    Component                   Version
    Administration Console      3.2.0.370
    Identity Server             3.2.0.370
    Access Gateway Appliance    3.2.0.370
    SSL VPN                     3.2.0.370

2.0 Issues Fixed

The Access Manager 3.2 IR1 release provides fixes for issues in the following components:

2.1 Administration Console

  • Fixed an issue with the Administration Console performance, which was due to the large number of LDAP connections. Now, the required LDAP connections are optimized. (Bug ID: 761356)

  • Fixed an issue where the Administration Console did not accept a password with special characters. It now accepts special characters in the admin password except colon (:) and double quotes ("). (Bug ID: 759355)

  • Fixed an issue where certificate related errors occurred when protected resources were accessed. (Bug ID: 758307)

  • Fixed an issue where the Auto import trusted root option was not displayed in the Specify server replica information screen. (Bug ID: 747924)

2.2 Identity Server

  • Fixed an issue where the Identity Server installation did not allow installation to proceed if the password for the Administration Console contains colon (:) and double quotes ("). (Bug ID: 754233)

  • Fixed an issue where the user’s unique identifier (GUID) could not be retrieved from the LDAP user store for sending in the attribute set to the service providers. Now, the GUID can be retrieved and sent. (Bug ID: 740232)

  • Fixed an issue where the SAML 2.0 response was generated without RelayState. (Bug ID: 761181)

  • Fixed an issue where the Identity Server XML log file got created in /opt/novell/nam/idp/webapps/nidp/WEB-INF/logs/, resulting in less space in the /opt partition than the /var partition. (Bug ID: 757552)

2.3 Access Gateway Appliance/Service

  • Fixed an intermittent issue where rewriter did not display the correct page. (Bug ID: 756636)

  • Fixed an issue where a request for a protected page was not redirected to the correct page. (Bug ID: 766771)

  • Fixed an issue where logging out did not happen completely in certain cluster scenarios and Access Manager granted access to secure sites without asking for credentials. (Bug ID: 758755)

  • Fixed an issue where redirecting from HTTP to HTTPS resulted in browser redirection loop. This error occurred when the Force Secure Cookie option was enabled. (Bug ID: 758041)

  • Fixed an issue with the Via HTTP header, which is now sent to the backend server. (Bug ID: 757841)

  • Fixed an issue where the policy configuration requests from the Access Gateway Appliance to the ESP were not cached, thus overloading the ESP. (Bug ID: 762583)

  • Fixed an issue where a protected resource link accessed from a Microsoft Excel sheet resulted in the Unable to authenticate 404-esp error. (Bug ID: 768978)

  • Fixed an issue where Apache did not cache a file if the file size exceeded 1 MB. (Bug ID: 758173)

  • Fixed an issue where different values in the /opt/novell/nam/mag/conf/server.xml and /etc/opt/novell/apache2/conf/httpd.conf files resulted in the "XML document structures must start and end within the same entity" error. (Bug ID: 758767)

  • Fixed an issue with the Identity Injection policies when the resources were protected by the Non-Redirected Login contract in the Access Gateway. (Bug ID: 759509)

  • Fixed an issue where the incorrect logging format caused log analyzers like Webtrend to fail analyzing the extended logs. (Bug ID: 758313)

  • Fixed an issue where the Tomcat version was displayed as part of error pages. (Bug ID: 761589)

2.4 Installation

Fixed an issue where the installation fails to display a warning message if the memory is 3.7 GB or more but less than 4 GB. (Bug ID: 738200)

3.0 Known Issues

The following known issues and workarounds apply to Access Manager 3.2 IR1:

Issue: If the data posted to the Access Gateway before authentication exceeds 50 KB, the data will be lost. (Bug ID: 677375)
Workaround: None.

Issue: The Alert feature with Access Gateway Appliance works only for configuration changes and when the service provider is restarted. (Bug ID: 752557)
Workaround: None.

Issue: Changing the IP address of the Access Gateway Management interface fails. (Bug ID: 752788)
Workaround:

  1. Remove the Access Gateway Appliance from the cluster.

  2. Change the IP address of the Access Gateway Appliance from YaST.

  3. Import the Access Gateway Appliance with the current configuration.

Issue: If the IP address and DNS servers are configured statically on MAC Leopard and the SSL VPN connection is established, the DNS resolution fails to use the DNS server's IP address pushed from the SSL VPN server.
Workaround: None.

Issue: When the DNS server is not reachable and ESP debug logging is enabled, each authentication request will be delayed by 20 to 30 seconds.
Workaround: Add an /etc/hosts entry for the authentication domain in the Access Gateway Appliance.

Issue: When the Remove Path on Fill option is enabled in the Path-Based Multi-Homing page, you may have some issues. For example, issues with the help links and Cancel button. (Bug ID: 700552)
Workaround: None.

Issue: The Administration Console password does not accept the special characters colon (:) and double quotes ("). (Bug ID: 763688)
Workaround: None.

Issue: When Kerberos identifies an expired user, it does not redirect to the password management servlet, resulting in an HTTP Status 500 error. (Bug ID: 765042)
Workaround: None.

Issue: An error occurs when connecting to the data store and the response of Access Gateway pages is delayed. (Bug ID: 765648)
Workaround: Copy the jdk1.6.0_26/jre/lib/jsse.jar to jdk1.6.0_30/jre/lib.

Issue: Rewrite does not work if the URLs are encoded. For example, if the page contains http%3a%2f%2fYourInternalDnsName%3aYourInternalListeningPort, rewrite does not work. This occurs while accessing the PeopleSoft and the SharePoint servers. (Bug ID: 767585)
Workaround: None.

Issue: If a request to the Access Gateway Appliance from a browser has a query string that matches the data injected by the Identity Injection policy, it corrupts the existing query parameter values. (Bug ID: 764475)
Workaround: None.

Issue: During upgrade, an HTTP 404 Page Not Found error occurs when you click the help link. (Bug ID: 770047)
Workaround: Use the following link to access the correct page: http://www.netiq.com/documentation/novellaccessmanager32/sb_installation/data/b10jmps7.html.
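Because the rewriter skips percent-encoded URLs (Bug ID: 767585) and no workaround exists, internal DNS names and ports in such URLs reach the browser unchanged. The following check is an added example, not NetIQ code: it scans a captured response body for percent-encoded references to an internal host and port, including double-encoded ones. The host name app01.corp.example, port 8080 and the sample page are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Scheme followed by a percent-encoded "://" (optionally double-encoded as
# %253a%252f%252f), then the run of characters that can continue the URL.
ENCODED_URL = re.compile(
    r"https?%(?:25)*3a%(?:25)*2f%(?:25)*2f[A-Za-z0-9%._~-]+", re.IGNORECASE
)


def find_encoded_internal_urls(body, internal_host, internal_port, max_depth=3):
    """Return (offset, raw, decoded) for encoded URLs naming the internal origin."""
    target = f"{internal_host}:{internal_port}".lower()
    hits = []
    for match in ENCODED_URL.finditer(body):
        decoded = match.group(0)
        for _ in range(max_depth):  # peel nested percent-encoding layers
            peeled = unquote(decoded)
            if peeled == decoded:
                break
            decoded = peeled
        if target in decoded.lower():
            hits.append((match.start(), match.group(0), decoded))
    return hits


# Constructed sample of a page as served through the gateway (hypothetical names).
SAMPLE_PAGE = (
    '<a href="http://app01.corp.example:8080/home">Home</a>\n'  # plain URL, rewritable
    '<a href="/login?return=http%3a%2f%2fapp01.corp.example%3a8080%2fportal">Login</a>\n'
    '<a href="/sso?next=http%253A%252F%252Fapp01.corp.example%253A8080%252F">SSO</a>\n'
    '<a href="/out?u=https%3A%2F%2Fwww.example.org%2F">External</a>\n'
)

if __name__ == "__main__":
    for offset, raw, decoded in find_encoded_internal_urls(
        SAMPLE_PAGE, "app01.corp.example", 8080
    ):
        print(f"offset {offset}: {raw} -> {decoded}")
```
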

4.0 Documentation

The following sources provide information about Access Manager:

5.0 Legal Notices

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

© 2012 NetIQ Corporation and its affiliates. All Rights Reserved.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd.

Access Manager, ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Cloud Manager, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PlateSpin, PlateSpin Recon, Privileged User Manager, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its affiliates in the USA. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.