Access Manager Appliance

Version 3.2 SP1

Release Notes

Date Published: October 2012


This release of Access Manager Appliance 3.2 SP1 resolves several previous issues. The fixes included in this release supersede the fixes included in the 3.2 IR1 release. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

You can post feedback in the Access Manager forum. For TIDs and Cool Solutions articles, go to the Access Manager Support forum and select Access Manager for the Product and Articles / Tips in the Advanced Search options.

For more information about this release and for the latest release notes, see the Access Manager Documentation Web site. To download this product, see the Access Manager Product Web site.

Features in this Release

Compatibility with Office 365 services: You can use your existing LDAP credentials for single sign-on access to the Office 365 services. Single sign-on access is achieved by implementing federated authentication through SAML 2.0 where Access Manager acts as an identity provider and Office 365 acts as a service provider. For more information on configuring single sign-on with Office 365, see Additional Resources.

Fixes in this Release

The information in this section is classified based on the following categories: Installation Issues, Administration Console, Identity Server, and Access Gateway Service.

For the list of software fixes and enhancements in the previous release, see 3.2 IR1 Readme.

Installation Issues

Including Special Characters in the Password Leads to Failure in Adding Access Manager Appliances to the Same Cluster

Issue:

When you install the primary Access Manager appliance with a complex password (for example, Wwe&nadtd) and then install a secondary Access Manager appliance pointing to the primary Access Manager, the secondary Access Manager appliance installation fails. (Bug 763693)

Fix:

You can enter a password with special characters, except a colon (:) and double quotes ("), while installing the primary and secondary Access Manager appliances.

Administration Console

Simple Bind is Enabled by Default

Issue:

When you perform an LDAP search on a 3.2 server without username and password, it lists all the objects in the Access Manager container. This is not correct as anonymous simple bind should be disabled by default on the 3.2 server. (Bug 762310)

Fix:

Anonymous Simple Bind is disabled by default and an LDAP search without username and password does not display user objects.

The Administration Console Restore Script Does Not Restore a Renamed File

Issue:

When you back up an Administration Console's configuration by running the ./ambkup.sh script located at /opt/novell/devman/bin, a backup zip file is created. If you rename this file and then restore the backup file by running the ./amrestore.sh script, the script fails. (Bug 763615)

Fix:

The amrestore.sh script restores backup files that have been renamed.

Error Installing the Audit Server on a 64-bit Platform

Issue:

The install.sh script reports an error stating that the Audit server has to be installed on a separate 64-bit machine. (Bug 745025)

Fix:

The warning message from the install script is removed because Audit server installation on a 64-bit machine is supported.

The Administration Console Creates Many LDAP Connections to the eDirectory

Issue:

The Administration Console establishes a large number of connections to eDirectory, resulting in performance issues. (Bug 761356)

Fix:

The code that did not release connection resources correctly has been fixed.

Auto Import Trusted Root Link Is Missing

Issue:

The auto import trusted root link exists in traditional Access Manager but is missing from the Access Manager Appliance. (Bug 771523)

Fix:

This link is included in the Access Manager Appliance.

Identity Server

An LDAP Search With Special Characters in User Distinguished Name Fails

Issue:

When you perform an LDAP search with special characters in the user distinguished name, the search fails. This is because the PasswordFetch class does not support special characters in the user distinguished name. (Bug 755510)

Fix:

The PasswordFetch class supports special characters in the user distinguished name, and LDAP searches work without errors.

Cross-Site Scripting Issue Vulnerability in the Identity Server

Issue:

The Web application does not sanitize the input given by the user in the login.jsp file and makes the target URL vulnerable. (Bug 765801)

Fix:

The user inputs are encoded in the login.jsp file and the target URL is no longer vulnerable to cross-site scripting attacks.

ESP Considers Xms Value For Connection Throttle Calculations

Issue:

Instead of considering the Xmx value, the Identity Server and ESP consider the Xms value for the throttle calculation, so connection throttling happens too early. (Bug 766098)

Fix:

The Identity Server considers the Xmx value for connection throttling.

Kerberos Does Not Redirect to the Password Management Servlet

Issue:

When Kerberos identifies a user whose access has expired, it does not redirect to the password management servlet. This results in an HTTP status 500 error. (Bug 765042)

Fix:

The Kerberos authentication contract allows you to access a protected resource. The Access Gateway Service receives an assertion and gives access to the password change URL.

User Request to the Identity Servers During the Initialization Process Results in the HTTP Status 500 Error

Issue:

When the Identity Server is restarted or started for the first time, any request from the browser to the Identity Server during the initialization process returns an HTTP Status 500 error. (Bug 763899)

Fix:

A warning message has been added to inform users that the service is not initialized completely.

Access Gateway Service

Session Stickiness to the Back-end Web Server is Not Persistent

Issue:

The session persistence to the back-end Web server is lost intermittently between the parent proxy service and the path-based child proxy services. If the session remains persistent on the parent proxy service, the child proxy session may not be persistent and vice versa. This can lead to the service being unavailable and can also lead to form fill issues. (Bug 757444)

Fix:

The session persistence to the back-end Web server remains intact.

Unresponsive Listener on Local Port

Issue:

The local port listener does not respond because the Access Gateway ESP does not cache the policy definition. (Bug 767659)

Fix:

The Access Gateway (ESP) retrieves the policy definition with the first policy configure request and responds from the ESP cache for subsequent requests.

The Idle Timeout Setting Is Not Updated in the Access Gateway Appliance

Issue:

The value of Idle Timeout does not update the Keep Alive Interval value that the Access Gateway uses. (Bug 759120)

Fix:

When you change the value of the Idle Timeout, the Keep Alive Interval is updated to the same value.

Web Server Failover Not Available With the Access Gateway Service

Issue:

In the Access Gateway Service, there is no option to specify Web server failover in the TCP Connect Options for Web servers. (Bug 771386)

Fix:

The Web server failover option is available in the TCP Connect Options for Web servers in the Access Gateway Service and the Access Manager Appliance.

Auto Submit Displays a Blank Page When the Page Has Multiple Forms

Issue:

When a page that has multiple forms is auto-submitted, a blank page is displayed instead of a page with the values that were submitted. (Bug 774822)

Fix:

Auto submitting a page with multiple forms displays a page with the values that were submitted.

Apache Crashes While Sending Form Filled Policy Request

Issue:

When you have Form Fill enabled with the DumpSoapMessages advanced option set to on and then access a protected resource, Apache crashes. (Bug 773635)

Fix:

Accessing a protected resource that has a Form Fill policy, with the DumpSoapMessages advanced option set to on, works without causing Apache to crash. For more information about this option, see Advanced Gateway Service Options in the Access Gateway Guide.

TLS Handshake Error When the Access Gateway Service Performs a Heartbeat Check on a Web Server

Issue:

Some firewalls blacklist the IP address of a Web server when TCP connect is performed. (Bug 756756)

Fix:

This issue is fixed by setting the advanced option EnableWSHandshake to on so that the Access Gateway Service does a TCP connect and SSL handshake with the back-end SSL-enabled Web server. For more information about this option, see Advanced Gateway Service Options in the Access Gateway Guide.

The Access Gateway Appliance Passes Health Check After Reaching Low Memory Threshold

Issue:

The Access Gateway Appliance passes the health check even when the ESP reaches the low memory threshold. New authentication requests are rejected, but the L4 switch continues forwarding requests to the Access Gateway Appliance and users receive 503 errors. (Bug 759065)

Fix:

Device health is now calculated from free memory instead of total memory, and additional checks are performed to determine device health when a heartbeat is received.

The Audit Event Logs Display the IP Address of L4 Switch As the Source IP Address

Issue:

When the X-Forwarded-Header and Audit are enabled, the audit event logs show the source IP address of the L4 switch instead of the IP address of the Access Gateway Service. (Bug 766750)

Fix:

A new field is added to the event log to indicate the client IP address of the X-Forwarded-Header.

The Access Gateway Stops Responding to Client Requests During Log Rotation

Issue:

The Access Gateway Service crashes during the log rotate process. (Bug 768876)

Fix:

The logging process is changed by redirecting the error logs from the httpd child processes to syslog. For more information, see TID 7010977.

Page Redirection Error While Accessing a Resource

Issue:

When you access a resource through the Web browser, the error "The page isn't redirecting properly" is shown. This happens during the login process after the credentials are submitted to the Identity Server. (Bug 760768)

Fix:

Session information is updated in the Identity Server.

Empty Authentication Header Variable Causes Application to Crash (HTTP 500 error)

Issue:

If you try to access a protected or public resource that has an Identity Injection policy assigned before the authentication process is completed, users get an HTTP 500 error. (Bug 769430)

Fix:

Ensure that NAGGlobalOptions RemoveEmptyHeaderValue is set to on. For more information about this option, see Advanced Gateway Service Options in the Access Gateway Guide.

Unexpected Non-Redirected Login Behavior

Issue:

When non-browser based clients with form-based Non-Redirected Login enabled provide an invalid Authentication Header to the proxy service, the proxy redirects the request to the Identity Server. (Bug 764827)

Fix:

Incorrect credentials from clients now return a 401 status code instead of redirecting the request to the Identity Server.

Non-Redirected Login Is Not Working

Issue:

An Identity Injection policy configured for a protected resource with Non-Redirected Login works the first time, but fails during subsequent requests. (Bug 759509)

Fix:

This issue occurred because the session cache did not have complete information for Non-Redirected Login. The session cache is now updated with the Liberty ID, which is subsequently used in ESP policies.

Difference in the Content Exchanged Between the Access Gateway Appliance and the Web Server

Issue:

There is a difference in the data exchanged between the Access Gateway Appliance and the Web server. (Bug 739096)

Fix:

The difference in content exchanged between the Access Gateway Appliance and the Web server is resolved.

The Navigation Page of Vibe Not Appearing Intermittently

Issue:

The header page of Vibe does not load, which leads to issues in displaying the Vibe navigation page. (Bug 756636)

Fix:

The issue with memory pointers is resolved and the pages load without error.

Provide a Way to Cache More Than 1 MB

Issue:

Apache does not cache a file if the file size is more than 1 MB. (Bug 758173)

Fix:

Introduced the advanced option CacheMaxFileSize. The default value is increased to 5 MB. For more information about this option, see Advanced Gateway Service Options in the Access Gateway Guide.

302 Redirect Occurs After Updating the Configuration

Issue:

ESP clears the cached session and failover details after each configuration request due to change in the Access Gateway configuration. This results in 302 redirects for existing sessions. After the Identity Server configuration is updated, it results in a 302 error. (Bug 774728)

Fix:

ESP does not clear the existing session details after updating the configuration.

Error Connecting To the Data Store From the Administration Console

Issue:

When you go to the Access Gateway configuration page from the Administration Console and the response of Access Gateway is delayed, the following message is displayed:
Error connecting to data store. (Bug 775222)

Fix:

The tomcat7.conf file has the Java option JAVA_OPTS="${JAVA_OPTS} -Djsse.enableCBCProtection=false", which disables the JSSE CBC countermeasure (1/n-1 record splitting) that slowed the LDAP connection; this improves the LDAP connection speed and the Access Gateway connects to the data store without errors.

Secret Store Does Not Work When Form Fill Advanced Options Are Enabled

Issue:

Form credentials that are written successfully to the secret store during the initial Form Fill request are not written correctly to the secret store if the following advanced options are enabled: (Bug 775826)

NAGGlobalOptions InPlaceSilent=on

NAGGlobalOptions InPlaceSilentPolicyDoesSubmit=on

Fix:

The credentials are written correctly to the secret store when the Form Fill Advanced options are enabled.

Missing Access Gateway Appliance Statistical Details

Issue:

Clicking View in the Server Activity tab or in any other tabs does not display all statistical details for the Access Gateway Appliance. (Bug 741570)

Fix:

The issue is resolved by populating the correct value in the fields.

Form Fill with Auto Submit Enabled Fails on Pages That Have a Form Tag Inside a Script Element

Issue:

When a form that is filled with Auto Submit enabled is submitted to the Web server, it fails on pages that have a form tag inside a script element. (Bug 777640)

Fix:

A form that is filled and auto-submitted to the Web server no longer fails when the page has the form tag inside a script element.

The Access Gateway Does Not Cache the Identity Injection Policy Attribute Values

Issue:

The Access Gateway does not cache the Identity Injection policy attribute values after the first request. For subsequent requests the policy evaluation request is resent to the ESP. (Bug 775826)

Fix:

The policy evaluation request is serviced from the cache.

The Access Gateway Does Not Retain a Session After Idle Time Intervals

Issue:

When accessing protected resources through multiple domains at different idle time intervals, you have to re-authenticate because the details of the session you have accessed are not retained. (Bug 783946)

Fix:

The details of the session you have accessed are retained and you do not have to re-authenticate.

Error Installing Access Gateway Appliance in a Non-English Language

Issue:

While installing the Access Gateway Appliance, when you select a language other than English (default language) in the license screen, an error occurs. (Bug 771055)

Fix:

You can select other languages including the default English language in the license screen during the Access Gateway Appliance installation without any errors.


Installing or Upgrading the Purchased Products

After you have purchased Access Manager 3.2 SP1, log in to the Customer Centre and follow the link that allows you to download the software.

The AM_32_SP1_AccessManagerAppliance_Linux_SLES11_64.tar.gz file is available and contains the upgrade for the Access Manager Appliance.

If you have purchased a previous release of Access Manager (3.2 or 3.2 IR1) and need to move to 3.2 SP1, download the patch files from Novell Downloads.

Following are the supported upgrade paths for 3.2 SP1:

Source     Destination
3.2        3.2 SP1
3.2 IR1    3.2 SP1

To Upgrade from 3.2 Onwards

If you are already on Access Manager Appliance 3.2, you can directly upgrade to 3.2 SP1 using the instructions at Upgrading Access Manager Appliance in the NetIQ Access Manager Appliance 3.2 SP1 Installation Guide.


Verifying Version Numbers

It is important to verify the version number of existing Access Manager components before you upgrade or migrate to 3.2 SP1. This ensures that you have the correct version of files on your system.

Verifying Version Number Before Upgrading to 3.2 SP1

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.
  2. Examine the value of the Version field to see if it displays a version that is eligible for upgrading to 3.2 SP1.

Component                3.2          3.2 IR1
Administration Console   3.2.0.331    3.2.0.370
Identity Server          3.2.0.331    3.2.0.370
Access Gateway           3.2.0.331    3.2.0.370
SSL VPN                  3.2.0.331    3.2.0.370

Verifying Version Number After Upgrading to 3.2 SP1

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.
  2. Examine the value of the Version field to see if it displays the 3.2 SP1 version.

Component                Version
Administration Console   3.2.1.57
Identity Server          3.2.1.57
Access Gateway           3.2.1.57
SSL VPN                  3.2.1.57


Issues in this Release

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Issues With Extended Logging

Issue:

If you enable extended logging you will see the following issues: (Bug 750355, 783159, 783160, 783163, 783161)

  • Strings %t\ and %r\" appear twice in the LogFormat value.
  • Many Log Format options get logged without any information.
  • Value of Log Format does not change.
  • Hard disk space gets exhausted due to large number of log files. (Only observed on RHEL 6.3 platform)

Workaround:

No workaround for any of the above issues. If you enable extended logging on RHEL 6.3, ensure you limit the number of files to 2 and set the size for log rollover to 1 MB.

Issues With Sharepoint

Issue:

If you have configured Sharepoint as a path-based multi-homing service with the Remove path on fill option enabled, the following issues occur:

  • A few internal links fail to connect.
  • Help and Cancel buttons don't work. (Bug 778237, 700552)

Workaround:

No workaround.

Welcome Page Displays Garbled Characters

Issue:

The user name in the Welcome page displays garbled characters when you create a user name with extended double byte characters such as <name>01 from the Administration Console. (Bug 737998) 

Workaround:

No workaround.


Previous Releases


Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.


Legal Notice
