Novell Access Manager 3.1 SP1 Readme

August 5, 2009

This Readme describes the Novell® Access Manager 3.1 SP1 release.

1.0 Documentation

The following sources provide information about Novell Access Manager:

2.0 Installing Access Manager 3.1 SP1

2.1 Installing or Upgrading the Purchased Product

After you have purchased Access Manager 3.1 SP1, log in to the Novell Customer Center and follow the link that allows you to download the software.

If you have purchased a previous release of Access Manager (3.0 SP4 or 3.1), download the patch files from Novell Downloads.

The following files are available:

AM_31_SP1_IdentityServer_Linux.tar.gz
AM_31_SP1_IdentityServer_Linux.iso

    Contains the Linux* Identity Server, the Linux Administration Console, the SSL VPN Server that is installed as a standalone version with an embedded service provider, and the SSL VPN Server that must be protected by an Access Gateway.

    Can be used for installation and upgrade from 3.0 SP4 to 3.1 SP1, from 3.1 to 3.1 SP1, and from the evaluation version to the product version.

AM_31_SP1_IdentityServer_Windows.exe

    Contains the Windows* Identity Server and Windows Administration Console.

    Can be used for installation and upgrade from 3.0 SP4 to 3.1 SP1, from 3.1 to 3.1 SP1, and from the evaluation version to the product version.

AM_31_SP1_LinuxAccessGateway.iso

    Contains the CD image for the Linux Access Gateway and the SSL VPN Server that must be configured as a protected resource of the Access Gateway.

    Can be used only for installation.

AM_31_SP1_lagrpms.tar.gz

    Contains the RPMs for the Linux Access Gateway and the SSL VPN Server that must be configured as a protected resource of the Access Gateway.

    Can be used for upgrading from 3.0 SP4 to 3.1 SP1, from 3.1 to 3.1 SP1, and from the evaluation version to the product version. This file is only available from Novell Downloads.

For instructions on upgrading from 3.0 SP4 to 3.1 SP1, see “Upgrading from Access Manager 3.0 SP4 to Access Manager 3.1 SP1” in the Novell Access Manager Installation Guide. To verify that your components have been upgraded to 3.0 SP4, see Verifying Version Numbers Before Upgrading.

For instructions on upgrading from 3.1 to 3.1 SP1, see “Upgrading Access Manager 3.1 to 3.1 SP1” in the Novell Access Manager Installation Guide. To verify that your Access Manager components are running 3.1, see Verifying Version Numbers Before Upgrading.

IMPORTANT: If you have installed a previous version of the Administration Console or the Identity Server on a machine that does not have at least 1 GB (Linux) or 1.2 GB (Windows) of memory, the upgrade to SP1 fails. The installation script now checks for available memory and aborts the upgrade if the machine does not have the required memory. Note that the threshold used by this upgrade check is below the recommended minimum of 2 GB.

For installation instructions for the Access Manager Administration Console, the Identity Server, and the Linux Access Gateway, see the Novell Access Manager Installation Guide.

For installation instructions for the SSL VPN server, see the Novell SSL VPN Server Guide.

2.1.1 Verifying Version Numbers Before Upgrading

If you are upgrading from Access Manager 3.0, all components must be upgraded to at least SP4 before upgrading to Access Manager 3.1 SP1. You can have installed any of the interim releases, but it isn’t required.

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

  2. Examine the value of the Version field to see if it displays an SP4 version that is eligible for upgrading to 3.1 SP1.

    Component                                   3.0 SP4    3.0 SP4 IR1   3.0 SP4 IR2   3.0 SP4 IR3
    Administration Console                      3.0.4.38   3.0.4.56      3.0.4.60      3.0.4.70
    Identity Server                             3.0.4.38   3.0.4.56      3.0.4.60      3.0.4.70
    Linux Access Gateway                        3.0.4.38   3.0.4.56      3.0.4.60      3.0.4.70
    NetWare Access Gateway                      3.0.505    3.0.505a      3.0.505b      3.0.505g
    J2EE Agents (all versions, all platforms)   3.0.4.38   3.0.4.56      3.0.4.60      3.0.4.70
    SSL VPN                                     3.0.4      3.0.4         3.0.4         3.0.4

If you are upgrading from Access Manager 3.1, you can have installed any of the interim releases, but it isn’t required.

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

  2. Examine the value of the Version field to see if it displays a 3.1 version that is eligible for upgrading to 3.1 SP1.

    Component                                   3.1         3.1 IR1     3.1 IR2
    Administration Console                      3.1.0.420   3.1.0.425   3.1.0.431
    Identity Server                             3.1.0.420   3.1.0.425   3.1.0.431
    Linux Access Gateway                        3.1.0.420   3.1.0.425   3.1.0.431
    J2EE Agents (all versions, all platforms)   3.1.0.420   3.1.0.425   3.1.0.431
    SSL VPN                                     3.1.0       3.1.0       3.1.0

2.1.2 Verifying Version Numbers After Upgrading

When you have finished upgrading your Access Manager components, verify that they have all been upgraded.

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

  2. Examine the value of the Version field to verify that the component has been upgraded to 3.1 SP1.

    Component                                   3.1 SP1
    Administration Console                      3.1.1.215
    Identity Server                             3.1.1.215
    Linux Access Gateway                        3.1.1.215
    J2EE Agents (all versions, all platforms)   3.1.1.215
    SSL VPN                                     3.1.1.215

2.2 Downloading the J2EE Agents

The J2EE* Agents are a free download and are available from Novell Downloads. The following files are available:

AM_31_SP1_ApplicationServerAgents_Windows.exe

    Contains the J2EE Agents for Windows (JBoss*, WebSphere*, and WebLogic*) and can only be used for installation.

AM_31_SP1_ApplicationServerAgents_AIX.bin

    Contains the J2EE Agents for AIX* (WebSphere) and can only be used for installation.

AM_31_SP1_ApplicationServerAgents_Linux.bin

    Contains the J2EE Agents for Linux (JBoss, WebSphere, and WebLogic) and can only be used for installation.

AM_31_SP1_ApplicationServerAgents_Solaris.bin

    Contains the J2EE Agents for Solaris* (WebLogic) and can only be used for installation.

For installation instructions, see Novell Access Manager J2EE Agent Guide.

2.3 Installing the Evaluation Version

To install an evaluation version of Access Manager 3.1 SP1, download the following files from Novell Downloads.

AM_31_SP1_IdentityServer_Linux_Eval-0630.iso

    Contains the Linux Identity Server, the Linux Administration Console, the SSL VPN Server that is installed as a standalone version with an embedded service provider, and the SSL VPN Server that must be protected by an Access Gateway.

AM_31_SP1_IdentityServer_Windows_Eval-0630.iso

    Contains the Windows Identity Server and Windows Administration Console.

AM_31_SP1_LinuxAccessGateway_Eval-0630.iso

    Contains the Linux Access Gateway and the SSL VPN Server that must be configured as a protected resource of the Access Gateway.

2.4 Installing the High Bandwidth SSL VPN Server

The key for the high bandwidth SSL VPN server does not ship with the product because of export laws and restrictions. The high bandwidth version does not have the connection and performance restrictions that are part of the version that ships with the product. Your regular Novell sales channel can determine if the export law allows you to order the high bandwidth version at no extra cost.

After you have obtained authorization for the high bandwidth version, log in to the Novell Customer Center and follow the link that allows you to download the high bandwidth key.

2.5 Upgrading from SLES 9 to SLES 10

Before upgrading from 3.0 SP4 to 3.1 SP1, you need to upgrade the operating system of your Administration Console and Identity Server machines from SUSE® Linux Enterprise Server (SLES) 9 to SLES 10 SP2. After completing the upgrade, you need to verify the UID of the D-BUS (messagebus) user on your secondary Administration Consoles. The SLES upgrade creates this user with the same ID as the novlwww user. You need to change this ID before continuing with the upgrade process.

  1. Access the control center, then click User Management.

  2. Set the filter to System Users.

  3. Select the messagebus (User for D-BUS) user.

  4. Click Edit.

  5. Click the Details tab.

  6. Change the UID to another ID that is unique.

  7. Click Accept.

  8. Click Finish.
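As an added example that is not part of this readme, the following POSIX shell functions check a passwd file for accounts sharing a UID, and specifically for the messagebus/novlwww collision described above, so you can confirm the accounts are distinct before continuing the upgrade. The sample passwd content and UID 103 are constructed, not values documented by Novell.

```shell
#!/bin/sh
# Added example (not from the Novell readme): detect the UID collision that the
# SLES 9 -> SLES 10 upgrade can create between messagebus and novlwww.

# Print "uid user1 user2 ..." for every UID that more than one account uses.
find_uid_collisions() {
    passwd_file="${1:-/etc/passwd}"
    awk -F: '
        $3 != "" { users[$3] = users[$3] " " $1; count[$3]++ }
        END {
            for (uid in count)
                if (count[uid] > 1)
                    print uid users[uid]
        }' "$passwd_file" | sort -n
}

# Return 0 (true) only if messagebus and novlwww both exist and share a UID.
messagebus_collides_with_novlwww() {
    passwd_file="${1:-/etc/passwd}"
    mb_uid=$(awk -F: '$1 == "messagebus" { print $3 }' "$passwd_file")
    nw_uid=$(awk -F: '$1 == "novlwww" { print $3 }' "$passwd_file")
    [ -n "$mb_uid" ] && [ -n "$nw_uid" ] && [ "$mb_uid" = "$nw_uid" ]
}

# Constructed sample passwd content (not from a real system) that reproduces
# the collision: both accounts were created with UID 103.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
novlwww:x:103:103:Novell Tomcat user:/var/opt/novell:/bin/false
messagebus:x:103:104:User for D-BUS:/var/run/dbus:/bin/false
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
EOF

find_uid_collisions "$SAMPLE_PASSWD"
if messagebus_collides_with_novlwww "$SAMPLE_PASSWD"; then
    echo "messagebus shares its UID with novlwww: change it before upgrading"
fi
```

Run find_uid_collisions with no argument to check the live /etc/passwd on each secondary Administration Console; a shared UID means the two service accounts are indistinguishable to the kernel for file ownership and process credentials.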

3.0 Bugs Fixed in Access Manager 3.1 SP1

3.1 Administration Console

  • Added an option to back up the current configuration to the upgrade utility.

  • Added instructions on how to migrate the primary Administration Console to new hardware when secondary consoles are installed.

  • Updated the PKI modules to version 3.3.2 to fix a problem with importing trusted root certificates.

  • Fixed an issue with Internet Explorer* that caused the links on the Dashboard page not to work.

  • Fixed the Administration Console log files to use GMT with a 24-hour clock for time stamps in log entries.

  • Fixed a security vulnerability that permitted access to the system files from the Administration Console.

  • Fixed an issue that caused the editing of policies to become slower and slower.

  • Fixed an issue that caused backups to fail on a primary console that was promoted from a secondary console.

  • Fixed an issue that caused an upgrade to fail when the install.sh script was run from a CD.

  • Fixed an issue that prevented the administrator from receiving a notice that the Identity Server needed to be updated when the cluster is assigned to an Access Gateway.

  • Fixed an issue that caused upgrading policies from 3.0 to 3.1 to fail.

  • Fixed an issue that prevented the LDAP Group condition from displaying in the policy configuration pages for Authorization policies.

  • Fixed an issue that prevented a Secondary Administration Console on Windows from being promoted to a Primary Administration Console.

  • Fixed an issue with auditing that prevented the Novell Audit plug-in from installing when you select to install both the Administration Console and the Identity Server at the same time.

  • Fixed an issue that caused audit log entries to be truncated after about 246 characters. The entries now include who made the change and the parameter that was changed.

  • Fixed an issue that prevented policy delegated administrators from creating policies or modifying existing policies.

3.2 Identity Server

  • Added information to the Identity Server Guide on how to force the Identity Server to use 128-bit encryption.

  • Added an option to the X.509 authentication class that forces a browser restart on logout.

  • Fixed a session limit issue that allowed a user to exceed the session limit when the Identity Servers were in a cluster.

  • Fixed issues with 3.1 custom login pages so that they work with 3.1 SP1. For more information about this process, see “Upgrading from Access Manager 3.1 to 3.1 SP1”.

  • Fixed a SAML 2 issue so that attribute statements now specify data types.

  • Fixed an issue that caused a HTTP Status 500 error when logging in to the User Portal.

  • Renamed the labels on the Identity Server Statistics page so that they more closely match the log entries in catalina.out and stdout.log.

  • Fixed the labeling of trust stores so that they are consistent.

  • Modified the documentation on how to create custom login pages to include more information on how to use properties with classes and methods.

  • Fixed a login issue that caused the request to lose its target if the user waited too long and the session timed out before the user entered the login credentials.

  • Fixed an issue with SAML 2 and OpenSSO so that the Identity Server more accurately reports integration issues.

  • Fixed an issue with customizing login pages.

  • Fixed an issue with the ctarget parameter.

  • Fixed an upgrade problem that caused extra files to be restored.

  • Fixed a SAML2 issue with the format parameter so that it is now an optional parameter.

  • Fixed an issue so that assertion messages appear in the log files for WS Federation and CardSpace.

  • Fixed an issue that caused LDAP Error 49 to occur when all of the attributes required for Novell SecretStore® were not created on the SAML affiliate object.

  • Fixed an issue that prevented the Identity Server from checking for both an expired password and a SecretStore lock.

  • Fixed an issue that allowed disabled Active Directory* accounts with X.509 authentication to authenticate. These accounts are now denied access.

3.3 Linux Access Gateway Appliance

  • Added a Force HTTP-Only Cookie option to the Reverse Proxies / Authentication page.

  • Fixed an issue that allowed the auditing platform agent to consume all available threads.

  • Fixed a 404 status error that occurred when persistence between the Access Gateway and the Web servers was disabled.

  • Fixed a Form Fill issue that caused only a portion of a Java* script specified in the Statements to Execute on Submit option to be saved.

  • You can now change the name of the Linux Access Gateway proxy session cookie sent to the back-end Web server to match the iChain® session cookie by creating the following touch file:

    /var/novell/.matchLagIchainCookieName

  • Fixed issues with remote desktop connections established through the Linux Access Gateway TCP tunnel.

  • Fixed the resource leak issue in novell-vmc.

  • Fixed issues in converting double-byte characters in Linux Access Gateway broker redirection.

  • Fixed a memory leak issue that occurred after updating the authorization library.

  • Fixed a few issues with machines that had 4 GB RAM. If the Linux Access Gateway was already imported, these issues sometimes caused the server to fail. In new installations, the Linux Access Gateway sometimes failed to import.

  • Fixed rewriting of JavaScript* boundary issues.

  • Fixed an issue with protected resources file extensions so that the file search (/*.<file extension>) now applies to or matches subdirectories.

  • Fixed an issue that caused the lcache process to go into a defunct state.

  • Fixed issues pertaining to memory build-up because of connections piling up.

  • Multiple post requests that need authentication from the same user are now handled.

  • The ics_dyn process no longer restarts or crashes when the log file’s size grows beyond 2 GB.

  • The Linux Access Gateway no longer crashes if the extended or common logging profile types are enabled, and a log file’s size exceeds 2 GB.

3.4 SSL VPN

  • Fixed some issues with reporting the correct version on the Auditing > Device Health page.

  • Fixed an issue in redirecting a browser to the SSL VPN URL when the Citrix* server is enabled for single sign-on.

  • Fixed an issue with the security level check when a service attribute is configured for the client integrity check.

  • Fixed an error that occurred when trying to configure a registry entry for a client integrity check.

  • The Client Integrity Check policy now has the capability to verify if a Windows service is running or not.

  • The number of active SSL VPN connections is now properly displayed in the Administration Console.

  • The SSL VPN connection is now terminated if the user deletes any of the CIC resources after the SSL VPN connection is established.

  • Fixed an OpenVPN connection error related to the TUN adapter, which caused the SSL VPN connection to fail on Windows Vista* 64-bit servers.

  • An alert message is now displayed during NAT/L4 configuration if the IP address, Port, and Proto fields of the Enterprise mode and the Kiosk mode have the same values.

  • SSL VPN now supports basic authentication for a forward proxy.

4.0 Known Issues in Access Manager 3.1 SP1

4.1 Setup Considerations

  • Ensure that you synchronize the correct date, time, and time zone settings between the Identity Servers and Access Gateways servers. You must synchronize your servers to within one minute of each other. Otherwise, you encounter federation and session time-out errors. It is recommended that you use NTP for time synchronization.

  • Ensure that DNS names can be resolved.

  • Enable (allow) browser pop-ups for the Administration Console (administration server).

  • Access Manager 3.1 SP1 does not support installation of the Administration Console, Identity Server, Linux Access Gateway, and SSL VPN on a single machine.

  • Access Manager should not be used with Novell Teaming + Conferencing. Support for this product is being evaluated.

  • WebDAV connections to NetStorage do not work. Browser connections to NetStorage can be used.

4.2 Administration Console Known Issues

4.2.1 You Cannot Select an Install Path on Windows

During installation, you are never prompted for an installation path. The Administration Console and the Identity Server are always installed on C:.

4.2.2 iManager Plug-Ins Fail to Install

There is a potential conflict during the installation of the iManager plug-ins when you have a version of the JRE* installed on the machine.

To work around this problem, you need to remove the JRE from the machine, install the Administration Console, then reinstall the version of the JRE you removed.

4.2.3 Administration Console Fails to Install on VMWare ESX

The VMI kernels have issues with Novell Access Manager that can be worked around by using the information in TID 700224: “Installing Admin Console on VMWare ESX guest using the SLES “VMI” kernel fails”.

4.2.4 A Delegated Administrator Temporarily Inherits All Rights If the Browser Is Not Closed After Creating the Delegated Administrator

If you create delegated administrators and allow them to use your machine and your browser session instead of closing the browser, the delegated administrator inherits all rights until the browser is closed.

After creating delegated administrators, make sure you close the browser if other users are going to be using your machine.

4.2.5 Slow Install

The Administration Console is slow to install on Linux with 64-bit hardware and on Windows. Please be patient. It can take up to an hour to install.

4.2.6 Liberty Attributes Are Not Visible

When you create a Form Fill or Identity Injection Policy and select Liberty attributes that are four levels deep, the attributes are sometimes not visible from an Internet Explorer browser. If this occurs on your machine, you need to use Firefox*.

4.2.7 Installation Issue with Ports 389 and 636

Ports 389 and 636 need to be free. If the installation software prompts you to enter different ports because 389 and 636 are in use, the installation does not lay down a system that you can use.

You need to free the ports, then install the Administration Console.

4.3 Identity Server Known Issues

The following issues apply to the Identity Server:

4.3.1 NMAS Client on Windows Displays a Blank Page When an Incorrect Password Is Entered

If you have the NMAS client installed on a Windows machine, the Identity Server is configured to use NMAS as the default contract, you use Internet Explorer to log in to the User Portal application of the Identity Server, and you enter an incorrect password, an error is returned and you are then redirected to a blank page.

To solve the problem, reload the current page.

4.3.2 On a Windows Machine, You Cannot Change the Port to 80 or 443

If you configure the base URL of the Identity Server to use port 80 or 443 rather than 8080 or 8443, the Identity Server cannot be accessed.

Besides specifying the port you want to use in the base URL, you also need to modify the server.xml file located in the \Program Files\Novell\Tomcat\conf directory. Change the ports from 8080 and 8443 to 80 and 443 and restart the Tomcat service.

4.3.3 The Root and Intermediate Revocation Checks Are Not Performed on an X.509 Contract

If you configure the X.509 contract to perform root certificate authority checks, the leaf certificate is verified, but the certificates between the leaf and the root are not verified. This will be fixed in the next interim release of Access Manager.

4.3.4 The User Store Is Unhealthy after Upgrading the Administration Console to 3.1 SP1

If you make modifications to the user store after upgrading the Administration Console but before upgrading the Identity Server, you break communication between the Identity Server and the user store.

To fix the communication problem, you need to upgrade the Identity Server to 3.1 SP1.

4.3.5 The SAML NMAS Method in Access Manager Is Incompatible with 64-bit eDirectory

You cannot use 64-bit eDirectory™ with SecretStore® as a remote SecretStore because remote SecretStore requires a 64-bit SAML NMAS™ method, which is currently not available. If you want to use eDirectory 8.8 SP5 as a user store and a remote SecretStore, you need to use the 32-bit version.

4.3.6 Problems with Session Timeout

Some Web applications have security restrictions so that a normal redirect to the Identity Server for session renewal fails. The browser might have the appearance of a hang, and JavaScript errors are often displayed. The frequency of this problem can be reduced by setting the Identity Server session timeout to a higher value.

4.3.7 Auto Provision X509

If there are already values in the LDAP attribute for X509 Subject Name mapping and you enable Auto Provision X509 for the X509 authentication class, the LDAP attribute values are overwritten with the client certificate subject name.

4.4 Linux Access Gateway Known Issues

This section discusses the known issues that apply to the current release of the Linux Access Gateway.

4.4.1 Unable to Open a Proxy Service Edit Page

The edit page for a proxy service (Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service]) hangs under the following conditions:

  • Reverse Proxy is configured for SSL.

  • At least one Domain-Based proxy service has been configured.

  • The names of the authentication proxy service and the domain-based proxy service have at least two dot segments in their names. For example, host.novell.com and support.host.novell.com.

If you need to access this page to change the name or the cookie domain of the authentication proxy service, disable SSL, access the page, make the changes, click OK, then enable SSL. The other configuration pages for this proxy service are available from the links in the Proxy Service List.

4.4.2 When Using OpenOffice Tools with a WebDAV Connection, Multiple Sessions Are Created

When using OpenOffice Writer and other tools over WebDAV connections, cookies that are set by the server are not included in requests from the OpenOffice client. As such, each WebDAV request from the client results in a new session being created. If you have limited user sessions, the limit can be quickly reached, which results in files left in a lock state or with IO errors.

To solve this problem, do not limit user sessions (Devices > Identity Servers > Edit) when users are using OpenOffice tools over a WebDAV connection.

4.4.3 Cookie and Session Issues Using Nautilus File Manager with WebDAV Connections

The Nautilus File Manager v2.12.2 in SUSE Linux Enterprise Desktop (SLED) 10 SP1 and SP2 does not include cookies when making WebDAV requests. As a result, when the WebDAV server is being accessed through a reverse proxy on the Linux Access Gateway, a new user session is created at the proxy for every WebDAV request sent from Nautilus. A simple file open can result in the creation of multiple sessions.

To solve this problem, do not limit user sessions (Devices > Identity Servers > Edit) when users are making WebDAV requests with the Nautilus File Manager.

4.4.4 On a New Install, the Secure Logging Server Is Not Configured Correctly

The logevent.conf file, which controls the configuration for the secure logging server, initializes the address of the logging server to 127.0.0.1 instead of the IP address specified in the Administration Console. By default, this address is the IP address of the Administration Console, but it can be configured for an external auditing server such as a Novell Sentinel server.

To fix the problem:

  1. Log in to the Access Gateway as root.

  2. Change to the /etc directory.

  3. Open the logevent.conf file and find the following line:

    LogHost=127.0.0.1

  4. Change the IP address to the address of your secure logging server.

  5. Reboot the Access Gateway.
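As an added example that is not part of this readme, the following POSIX shell functions detect a logevent.conf whose LogHost still points at the loopback address and rewrite it to the address of your Secure Logging Server; the sample file and the address 192.0.2.10 are constructed placeholders, not documented defaults.

```shell
#!/bin/sh
# Added example (not from the Novell readme): check and correct the LogHost
# setting in logevent.conf. While LogHost is 127.0.0.1 the Access Gateway's
# audit events never leave the machine, so nothing reaches the logging server.

# Print the current LogHost value from the given logevent.conf (first match).
current_loghost() {
    sed -n 's/^[[:space:]]*LogHost=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 (true) if LogHost is unset or refers to the local machine.
loghost_is_loopback() {
    host=$(current_loghost "$1")
    [ -z "$host" ] || [ "$host" = "127.0.0.1" ] || [ "$host" = "localhost" ]
}

# Replace (or add) the LogHost line so it names the logging server, keeping a
# .bak copy of the original. Only digits and dots are accepted, which keeps the
# value safe to substitute into sed and rejects anything that is not an IPv4
# address (a deliberately loose check).
set_loghost() {
    conf="$1"
    new_host="$2"
    case "$new_host" in
        *[!0-9.]*|"") echo "refusing non-IPv4 LogHost '$new_host'" >&2; return 1 ;;
    esac
    cp "$conf" "$conf.bak"
    if grep -q '^[[:space:]]*LogHost=' "$conf"; then
        sed "s/^[[:space:]]*LogHost=.*/LogHost=$new_host/" "$conf.bak" > "$conf"
    else
        { cat "$conf.bak"; echo "LogHost=$new_host"; } > "$conf"
    fi
    # Verify the rewrite took effect before reporting success.
    [ "$(current_loghost "$conf")" = "$new_host" ]
}

# Constructed sample reproducing the new-install state; other keys omitted.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample logevent.conf
LogHost=127.0.0.1
EOF

if loghost_is_loopback "$SAMPLE_CONF"; then
    echo "LogHost is loopback: audit events are not leaving this Access Gateway"
    set_loghost "$SAMPLE_CONF" "192.0.2.10"   # placeholder logging server address
fi
current_loghost "$SAMPLE_CONF"
```

On a real gateway, run set_loghost against /etc/logevent.conf with the address shown under Access Manager > Auditing in the Administration Console, then reboot as step 5 requires.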

4.4.5 After Reinstalling the Access Gateway, the Embedded Service Provider Won’t Start

Sometimes when you reinstall the Access Gateway, the current configuration is not pushed to the machine. When this happens, the Embedded Service Provider can’t start.

To solve the problem:

  1. In the Administration Console, click Auditing > Troubleshooting.

  2. Scroll to the Current Access Gateway Configurations section.

  3. Select the Access Gateway that has the problem, then click Re-push Current Configuration.

4.4.6 Communication Problems between the Novell Audit Client and the Audit Server Might Crash the Linux Access Gateway

If you have configured your Access Manager system to use a Novell Sentinel™ or Novell Audit server for auditing, the Novell Audit client sometimes disconnects from the auditing server. This usually happens when communication problems exist on the network. When this happens, the Linux Access Gateway might crash. This issue can also prevent the successful completion of any Linux Access Gateway configuration changes.

To solve this problem, make sure that no communication problems exist between the auditing client on the Linux Access Gateway and the auditing server. Novell is working on a fix for this issue.

4.4.7 Installation on VMWare ESX Works in Text Mode Only

You must use the text-mode installation for the VMWare* ESX platform. The GUI mode for the installation of Linux Access Gateway fails and falls back to the text mode on VMWare ESX.

4.4.8 Rewriter On and Off Flags Are Not Effective in Character Profile

The NOVELL_REWRITER_ON and NOVELL_REWRITER_OFF flags are not effective in the Linux Access Gateway character profile.

4.4.9 Linux Access Gateway Goes To an Unresponsive Mode When Applying Pin List Changes

The Linux Access Gateway might crash or become unresponsive when applying configuration changes, because of unresolved DNS names in the Pin List configuration or because the Pin List contains more than 50 entries. When this issue occurs, log in to the Linux Access Gateway machine, then run the following command to restart it:

/etc/init.d/novell-vmc restart

To ensure that this issue does not occur, make sure that the host names configured in the Pin List can be resolved by DNS and keep the number of Pin List entries to a minimum before applying changes.

4.4.10 Issues with the Audit Server While Importing a Linux Access Gateway Configuration

When importing a Linux Access Gateway configuration, it is possible that the imported configuration contains an Audit server IP address that is different from the Audit server IP address that has been configured in the Administration Console. Updating the Linux Access Gateway configuration does not correct this address problem. As long as the addresses differ, the Access Gateway can hang during subsequent updates or restarts because the Novell Audit Agent of the Access Gateway cannot connect to its configured Audit server.

You must force the Linux Access Gateway to change its Audit server settings.

  1. In the Administration Console, click Access Manager > Auditing.

  2. Specify a different IP address for the Secure Logging Server, then click OK.

  3. Click Auditing, specify the correct IP address for the Secure Logging Server, then click OK.

  4. Update the Linux Access Gateway.

  5. Reboot every Access Manager machine, starting with the Administration Console.

    If you have already configured the other Access Manager machines to use the correct IP address of the Secure Logging Server, rebooting the Linux Access Gateway should be sufficient.

4.4.11 Rewriter Does Not Handle the [oa] Option in Search and Replace

The character rewriter profile does not support the [oa] option to search and replace plain words and strings.

4.4.12 Exclude Alias DNS with Scheme Option Does Not Work

The Exclude Alias DNS name with Scheme option does not work. For example, if you add https://www.mygroup.com, it is not excluded from the list. You must provide only the DNS name, such as www.mygroup.com.

4.4.13 Form Fill Auto Submit Issue

A Form Fill auto-submit fails when an input field in an HTML page contains name="submit".

4.4.14 Form Fill Does Not Work if the Web Page Contains an Apostrophe

The Linux Access Gateway Form Fill does not work if the Web page contains the apostrophe character.

4.4.15 Form Fill Fails If the Web Server Does Not Send the Content Type

Form Fill does not process the page if the Web server does not send the content type. Form Fill processes the following content types:

"text/html" "text/xml" "text/css" "text/javascript" "application/javascript" "application/x-javascript"

4.4.16 Form Fill Policy and the Refresh Data Every Option Restrictions

In a Form Fill policy, you can only set the Refresh Data Every option to Request or Session. If you select a time to live, it is the same as selecting Request.

4.4.17 The Refresh Data Every Option Is Not Editable for a Form Fill Policy

If you use the Refresh Data Every option in your Form Fill policy, you cannot change the order of the Form Fill action and the Form Login Failure action. When you create the policy, you must configure the actions in the order you want them executed. If you modify the order, the Refresh Data Every option becomes uneditable.

4.4.18 Publishing a PowerPoint Slide Operation on Microsoft Office 2007 Fails When SharePoint Is Accelerated as a Path-Based Multi-Homing Service

When a SharePoint* server is accelerated by the Linux Access Gateway as a path-based multi-homing service, you cannot publish a PowerPoint* slide if your workstation has Internet Explorer 7.0 and Microsoft* Office 2007. You can use Internet Explorer 6.0 or Firefox browsers to publish a PowerPoint slide.

4.4.19 Manual Deletion of the laghttpheaders and lagsoapmessages Log Files Causes a Linux Access Gateway Crash

If you have enabled the debug level of logging for the laghttpheaders and lagsoapmessages log files, manual deletion of these log files causes the Linux Access Gateway to crash.

To work around this problem, restart the Linux Access Gateway after you manually delete the log files.

4.5 SSL VPN Known Issues

The following sections divide the known issues into general issues that apply to both the Enterprise mode and Kiosk mode and issues that apply only to the Enterprise mode and only to the Kiosk mode:

4.5.1 General SSL VPN Issues

4.5.1.1 Cluster Members Do Not Listen on a Changed Communication Port

If you change the communication port of a cluster after the cluster was set up successfully, only the master server listens on the changed port. The non-primary cluster members fail to listen on the changed port. To work around this issue, restart Tomcat as follows on all the non-primary cluster members:

/etc/init.d/novell-sslvpn stop

/etc/init.d/novell-sslvpn start

4.5.1.2 SSL VPN Service Randomly Goes Down When Tomcat is Restarted

The SSL VPN service randomly goes down when Tomcat is restarted. To work around this issue, manually restart the SSL VPN service to re-establish connections.

4.5.1.3 Full Tunneling Has Limitations with Mac OS

When full tunneling is enabled in Mac* OS, traffic to resources in a user’s local subnet goes outside the tunnel.

4.5.1.4 The SSL VPN Server Is in a Pending State

When the Administration Console, Identity Server, and SSL VPN Server are installed on the same machine, the SSL VPN server sometimes gets into a pending state even when all of its commands have been successful.

To work around this problem:

  1. In the Administration Console, click Devices > SSL VPNs.

  2. Click the Commands link.

  3. Select all the commands, then click Delete > Close.

  4. If the device is still in a pending state, click Auditing > Troubleshooting.

  5. In the Device Pending with No Commands section, select the SSL VPN server and remove the pending state.

4.5.1.5 After Upgrading, Configuration Changes Made in the web.xml and config.txt Files Are Lost

Novell SSL VPN 3.1 does not contain the config.txt and web.xml files. The following configuration changes are lost after you upgrade to SSL VPN 3.1:

  • Enabling SSL VPN to connect only in Kiosk mode

  • Downloading an applet when a user uses Internet Explorer

  • Enabling SSL VPN connections to Citrix servers

You must configure these settings again by using the Administration Console. For more information, see “Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode”, “Configuring SSL VPN to Download the Java Applet on Internet Explorer”, and “Configuring a Custom Login Policy for SSL VPN” in the Novell Access Manager SSL VPN Server Guide.

4.5.1.6 SSL VPN Statistics Displayed in the Administration Console Are Not in Order

The SSL VPN connection statistics that are displayed in the Administration Console are not in any order.

4.5.1.7 HTTP Applications Cannot Be Accessed When an SSL VPN Connection Is Made through the Forward Proxy

If a client uses an HTTP forward proxy to establish the SSL VPN session, no HTTP application can be accessed over this SSL VPN connection because the browser is configured to use the forward proxy server for HTTP requests.

4.5.1.8 Tomcat Restart Following SSL VPN Authentication Loses Configuration Changes

When the Administration Console and the SSL VPN server are on the same machine, if you configure the entire SSL VPN setup, then change the ESP (embedded service provider) details and restart Tomcat, all of the configuration changes are lost.

To work around this problem:

  1. Configure the authentication settings first.

  2. Save your changes.

  3. Configure the remaining SSL VPN configuration settings.

4.5.1.9 On Windows Vista (32-bit), in Internet Explorer 8.0, the User Session Is Not Disconnected after an Inactivity Time Out

On Windows Vista 32-bit in Internet Explorer 8.0, even though the session times out because of inactivity, it remains connected as long as it is idle. The exit page does not display the inactivity timeout error message. The ActiveX* pop-up window is displayed with the log filename and its location.

To work around this problem, click OK in the ActiveX pop-up window. The control goes to the exit page, then the inactivity timeout error is displayed.

4.5.1.10 On Windows Vista (32-bit and 64-bit) with Internet Explorer 8.0, the Wincic File Is Not Stored

If User Account Control (UAC) is enabled on the host machine, a client machine running Windows Vista (32-bit or 64-bit) with Internet Explorer 8.0 cannot store the Wincic file from the host machine by using the forcejre option.

4.5.2 Kiosk Mode Issues

4.5.2.1 Firefox Goes into a Non-Responsive Mode in Multiple Windows Kiosk Mode Clients

Firefox randomly goes into a non-responsive mode in multiple clients when running in Windows Kiosk mode.

4.5.2.2 Unable to Access Protected HTTP Applications on Intel Mac

Using Intel* Mac to access protected HTTP applications is not supported.

4.5.2.3 No Kiosk Mode Support for 64-Bit Clients

If you use 64-bit machines, you can access SSL VPN only in Enterprise mode. Accessing SSL VPN in Kiosk mode is not supported.

4.5.2.4 Domain Name Search Does Not Work in Macintosh

Domain name search does not work in Kiosk mode on Macintosh*.

4.5.2.5 Active Mode FTP Is Not Supported in Kiosk Mode

In SSL VPN Kiosk mode, the active mode of FTP is not supported.

4.5.3 Enterprise Mode Issues

4.5.3.1 Full Tunneling with Forward Proxy Enabled Is Not Supported for Web Client Applications

Full tunneling is not supported for Web client applications when the client network requires a forward proxy. In Enterprise mode, a route to the forward proxy is added so that the SSL VPN connection itself can reach the proxy. Any Web client on that workstation that is configured for the forward proxy reaches the proxy over this route rather than through the tunnel, so its traffic bypasses the SSL VPN server.
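The three tunnel-bypass issues above (local-subnet traffic on Mac OS in 4.5.1.3, HTTP applications behind a forward proxy in 4.5.1.7, and the forward-proxy route in this section) share one mechanism, which the following added example models. It is not part of the Novell readme or product: the addresses, prefixes, interface names and the route table are constructed, and modelling the Mac OS local-subnet case as a connected route is an assumption (the readme states only the observed behaviour). What it shows is ordinary IP routing: the kernel forwards on the most specific matching route, so a host route to the forward proxy, or the connected route for the local subnet, wins over the 0.0.0.0/0 route that full tunneling points at the tunnel interface; and a browser configured for a forward proxy connects to the proxy, not to the application host.

```python
"""Model of why traffic leaves the SSL VPN tunnel in full-tunnel mode.

Added example, not part of the Novell readme or product: the addresses,
prefixes, interface names and the route table below are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, interface)

TUNNEL_IFACE = "tun0"  # assumed tunnel interface name

# Constructed client route table in full-tunnel Enterprise mode.
ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), TUNNEL_IFACE),   # full tunnel: default via tunnel
    (ipaddress.ip_network("192.168.1.0/24"), "en0"),     # connected route for the local subnet
    (ipaddress.ip_network("192.168.1.10/32"), "en0"),    # host route added for the forward proxy
]

FORWARD_PROXY = "192.168.1.10"  # assumed forward proxy address
INTRANET_APP = "10.20.30.40"    # assumed protected HTTP application behind the VPN
LOCAL_PRINTER = "192.168.1.50"  # assumed host in the user's local subnet


def egress_interface(dst: str, routes: List[Route]) -> str:
    """Longest-prefix match over `routes`: the most specific route wins."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def http_egress(dst: str, routes: List[Route], proxy: Optional[str] = None) -> str:
    """Interface an HTTP request to `dst` leaves on.

    With a forward proxy configured in the browser, the TCP connection goes
    to the proxy address, so the proxy's route decides, not the destination's.
    """
    return egress_interface(proxy or dst, routes)


def leaves_tunnel(dst: str, routes: List[Route], proxy: Optional[str] = None) -> bool:
    """True when the request bypasses the SSL VPN server."""
    return http_egress(dst, routes, proxy) != TUNNEL_IFACE


def bypass_report(routes: List[Route], proxy: Optional[str]) -> Dict[str, bool]:
    """Which assumed destinations escape the tunnel, with or without a proxy."""
    return {dst: leaves_tunnel(dst, routes, proxy) for dst in (INTRANET_APP, LOCAL_PRINTER)}


if __name__ == "__main__":
    print("no proxy:  ", bypass_report(ROUTES, None))           # {'10.20.30.40': False, '192.168.1.50': True}
    print("with proxy:", bypass_report(ROUTES, FORWARD_PROXY))  # {'10.20.30.40': True, '192.168.1.50': True}
```

Without a proxy only the local-subnet host escapes the tunnel (the connected /24 beats the /0 default); with the browser pointed at the forward proxy, every HTTP request is carried to the proxy over its /32 host route, so even the intranet application is reached outside the tunnel. On a real client, the check is the same: list the route table and look for any route more specific than the tunnel's default whose interface is not the tunnel.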

4.5.3.2 Tunnel Logs Display Full Tunnel Information in Split Tunnel Mode

If client debug logs are enabled, tunnel logs displayed in the Enterprise mode might contain information for full tunneling, even though only split tunneling is enabled for the user.

4.5.3.3 No Support for 64-bit Internet Explorer

SSL VPN does not support 64-bit Internet Explorer, which uses an ActiveX connection to establish the initial login session.

4.5.3.4 SSL VPN Connection from a Vista 64-Bit Machine with the Firefox Browser Might Have Stability Issues

If you are using a Windows Vista 64-bit machine and the Firefox browser to connect to SSL VPN, the connection might fail after running for a few hours, because of a Firefox browser stability issue. To work around this problem, make sure you upgrade to Firefox 3.0.10 or later.

4.5.3.5 No Error Message Is Displayed for an Invalid Credential Entry on Windows 2000 Machines

On Windows 2000 machines, if a non-admin user tries to establish an SSL VPN connection in the Enterprise mode and specifies the wrong credentials for the admin user, no error messages are displayed. However, the user is denied access after trying to establish the connection.

4.5.3.6 Connection Fails in SSL VPN If the Root User Password Is Not Set in Macintosh

On Macintosh, the SSL VPN connection fails if you log in as the root user and no password is set for the root user. If no root password is set, log in with the admin user's credentials instead.

4.6 J2EE Agent Known Issues

The following sections discuss the known issues in the J2EE agents for JBoss, WebSphere, and WebLogic.

4.6.1 Base URL and SOAP URL Cannot be Configured with Port 65535

You cannot configure a base or SOAP URL for the Novell Access Manager J2EE Agent with port 65535.

4.6.2 Authentication Error Is Displayed when a User Tries to Access Resources

In the WebLogic J2EE agent, when a user who does not have sufficient rights tries to access a resource for which authorization has been denied, the following message is displayed:

There was a problem with your authentication

The requested Web page is displayed if you refresh the page once.

5.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

6.0 Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2008-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.

For Novell trademarks, see the Novell Trademark and Service Mark list.

All third-party trademarks are the property of their respective owners.