This Readme describes the Novell Access Manager 3.1 SP4 release.
The following sources provide information about Novell Access Manager:
Access Manager Support. For TIDs and Cool Solutions articles, select for the and in the options.
After you have obtained Access Manager 3.1 SP4 or a previous release of Access Manager, log in to the Novell Customer Center, then follow the link that allows you to download the software.
The following files are available:
For upgrade and installation information:
For instructions on upgrading from 3.1 SP3, 3.1 SP3 IR2 to 3.1 SP4, see Upgrading Access Manager Components
in the Novell Access Manager 3.1 SP4 Installation Guide. To verify that your components are running 3.1 SP3, 3.1 SP3 IR2 see Verifying Version Numbers before Upgrading.
Any Access Manager version prior to 3.1 SP3 should be first upgraded to 3.1 SP3. For more information on upgrading to 3.1 SP3, see Novell Access Manager 3.1 SP3 Installation Guide
For installation instructions for the Access Manager Administration Console, the Identity Server, the Access Gateway Appliance, the Access Gateway Service, and the SSL VPN server, see the Novell Access Manager 3.1 SP4 Installation Guide.
If you are upgrading from Access Manager 3.0, all components must be first upgraded to Access Manager 3.1 SP3 before upgrading to Access Manager 3.1 SP4.
In the Administration Console, click
> >Examine the value in the
field. The following table indicates the versions that can be upgraded to 3.1 SP4.When you have finished upgrading your Access Manager components, verify that they have all been upgraded.
The key for the high-bandwidth SSL VPN server does not ship with the product because of export laws and restrictions. The high-bandwidth version does not have the connection and performance restrictions that are part of the version that ships with the product. Your regular Novell sales channel can determine if the export law allows you to order the high-bandwidth version at no extra cost.
After you have obtained authorization for the high-bandwidth version, log in to the Novell Customer Center and follow the link that allows you to download the high-bandwidth key.
The following bugs are fixed between 3.1 SP3 and 3.1 SP4 releases:
Fixed an issue where clicking the Share Settings TABs with no configuration changes causes an IDP update to get applied
Fixed an issue in Administration Console where Linux Access Gateway updates sometimes stay in the pending state indefinitely when configuration is applied through the Apply All operation.
Fixed an issue where the Access Gateway Service Management IP address could not be configured.
Fixed a PasswordMush exception issue while accessing the local identity provider in the user store.
Fixed an issue where the Enhanced Smart Card method did not work.
Fixed an issue where the value of a shared secret could not be changed with a custom authentication class.
Fixed an issue to include the Identity Provider Session Timeout attribute in the assertion.
Fixed an issue to provide the ability to map a federated user with transient name identifier to a local user using the matching attribute.
Fixed an issue associated with SP Brokering where a null pointer exception is generated when logging out from the target service provider.
Fixed an issue where the login page did not pre-populate the username in the user name field after an initial login request failed.
Fixed an issue with the SAML 1.1 post profile to include the assertion consumer URL within the “Recipient” tag.
Fixed an issue where 300101032 error generated processing a SAML assertion when the “Assertion Validity Window” parameter is configured.
Fixed an issue where intruder lockouts occur in a multiple replica environment when a user grace login count is less than the number of LDAP replicas configured.
Fixed an issue where “"There are no login connections available. Please try again later." message is returned to the user after entering incorrect credentials.
Fixed an “Array Index Out of Bounds” exception which occurred while accessing an Access Gateway appliance protected resource after removing an IDP server from a 2- node cluster and applying update.
Fixed an issue when a user is not redirected to the password management servlet after authenticating to the identity provider server in an active directory environment.
Fixed an issue where the users could not access SAML Intersite transfer URL target parameter after upgrading to 3.1 SP3.
Fixed an issue where the debug logs were being printed without enabling logging into the identity provider server.
Fixed an issue where the Tomcat version was displayed on the error pages.
Fixed a potential security vulnerability issue on the identity provider login page with the localized help file frames.
Fixed a 302 redirect issue in the “Relay State” which was URL encoded after consuming a SAML response.
Fixed an issue where the password fetch method does not get executed at our SAML2.0 Service Provider while consuming an assertion from the identity provider server through the inter-site transfer URL
Fixed an issue where the user could not set a value for SAML 2.0 RequestedAuthnContext comparison except “Exact.”
Fixed an issue where authentication failed for WSFederation with SharePoint 2010 after applying 3.1 SP3 when the times for the identity provider WSFed were not synchronized. For more information, see Assertion Validity Window.
Fixed an issue where the Kerberos authentication failed when the request was proxied by an identity provider to another identity provider.
Fixed an issue where the cluster cookies did not have any secure and HTTPOnly options. These options are not enabled by default, and the web.xml options are introduced to enable these options. For more information, see Enabling Secure or HTTPOnly Flags for Cluster Cookies.
Fixed an issue where the service provider generated two SAML SSO requests, resulting in two session indexes that caused incomplete single logout.
Fixed an issue when the identity server in a cluster received a SAML 2.0 logout request where the authentication was performed on a different node.
Fixed an issue where a SAML 2.0 attribute query response did not populate the inResponseTo attribute in SubjectConfirmation.
Fixed an issue where SAML 2.0 ignored the Front Channel Logout option in the logout initiated by the Access Gateway Appliance. For more information, see Defining Options for Liberty or SAML 2.0
Fixed an issue with Rewriter where HTML page includes apostroph characters.
Fixed an issue where the Access Gateway added a suffix containing the characters "%00" in the URL while using the Safari browser.
Fixed an issue where Access Gateway did not support RFC 5746.
Fixed an issue where Access Gateway was not forwarding the range request to the back-end server in some scenarios.
Fixed an issue where Linux Access Gateway did not complete uncompressing the gzip compressed JavaScript files (file.js.gz).
Fixed an issue where secondary IP addresses were disordered or missing after applying configuration updates.
Fixed an issue where users were getting blank pages while accessing resources through Linux Access Gateway.
Fixed an issue where Linux Access Gateway could not work with the Lotus Domino server over https. For more information, see Linux Access Gateway Does Not Work with the Lotus Domino Server Over HTTPS
in Novell Access Manager 3.1 SP4 Access Gateway Guide.
Fixed an issue where rewriting of a path based multi homing accelerator was not working after upgrading to SP3 resulting in a 404 Not Found error.
Fixed an Access Gateway appliance crash after applying the configuration changes immediately after a purge cache when the high availability feature is enabled.
Fixed an issue associated with the Access Gateway Appliance crashing in the rewriter by changing the configuration. The rewriter configuration now works as expected with vmc restarts that are related to the Purge Cache command.
Fixed a cross site scripting issue with the embedded service provider.
Fixed a potential ics_dyn gateway process restart issue, which occurred when the system configuration was applied.
Fixed an issue associated with the Access Gateway appliance that occurred when sending duplicate range requests to the back-end server.
Fixed an issue with the Access Gateway appliance prompting for re-authentication when the password management touch file was enabled, despite the user running a valid session.
Fixed an issue where the Access Gateway appliance did not do a complete TLS handshake during the health check to the back-end server.
Fixed a random Access Gateway appliance crash that caused while updating the configuration with a new protected resource when upgrading from 3.1.2 IR2 to 3.1.2 IR3.
Fixed an issue where the SAML authorization response did not include the authorization request when authentication to the identity server fails.
Fixed an issue with Range requests where the Access Gateway Appliance sends the same request twice to the Web server, resulting in random server crashes.
Fixed an issue where Access Gateway Appliance crashes when the Web server sent content-length response header value smaller than the actual content.
Fixed a login issue in the cluster environment with Access Gateway Appliance when the user name contained double byte characters in it.
Fixed an issue with the Access Gateway Appliance where the user got an error message “403 Forbidden Description: Detected URL tampering.”
Fixed a memory leak issue that caused a core dump with Access Gateway Appliance.
Fixed an issue with the OpenHRE login page. If the value for the form number was configured as 0 in the Form Fill policy, the login page was truncated.
Fixed an issue where random process restarts occurred in SP3.
Fixed an issue in the authorization policy with multiple LDAP OU evaluation failures after upgrading from 3.1SP2 to 3.1SP3.
Fixed an issue where the /var/novell/.disableWSHealth touch file was not working. This touch file helps avoid the device health being marked as bad because of some unreachable Web servers. For more information, see disableWSHealth
Fixed an issue where the user’s private information was getting logged to the soapmessages log file under specific configurations.
Fixed a 403 forbidden issue that resulted when the user posted large data (more than 56 KiloBytes in size) after a session timeout. The Administrator can change the post data parking size limit. For more information, see ParkingSizeInKiloBytes
Fixed an issue where the source port of the connection to the Web server was incorrect in the ics_dyn.log file.
Fixed an issue where the Access Gateway Appliance crashed while being redirected from http to https when the host name header exceeds 4k bytes.
Fixed a crash issue with Access Gateway in custom login sequence environment where /nesp/app/plogin request reaches proxy with POST data.
Fixed an issue where 400 bad requests was observed in the reliability tests for large file scripts.
Fixed an issue where Access Gateway Service was crashing on Windows.
Fixed an issue where Access Gateway Service did not support RFC 5746.
Fixed an issue where Access Gateway Service was crashing regularly with AJAX applications.
Fixed the 100% CPU utilization issue with Access Gateway Service under high load.
Fixed an issue that caused the parent process to crash whenever one of the child processes crashed in the Windows platform.
Fixed an issue where the Access Gateway Service rewriter removed “%2” incorrectly from the url being rewritten.
Fixed a delay issue with the Access Gateway Service when the audit server was not reachable or not responding.
Fixed a login issue with the Access Gateway Service if users wait for 3+ min at the IDP login page and then submits their credentials.
Fixed an issue where Access Gateway Service session cookie architecture was different from Access Gateway Appliance session cookie architecture.
Fixed an issue in SSL VPN where the stunnel client (kiosk mode) could not validate server certificate if the trust chain includes one or more Intermediate Root Certs.
Fixed an issue where users could not connect to the OpenVPN service when 60 static route entries were present on the SSL VPN server.
Fixed a DNS update issue with MAC Leopard, when the IP address configuration along with the DNS server entries are obtained from the DHCP server.
Fixed an issue with the MAC OS java process hitting 100% CPU utilisation immediately after connecting to the SSL VPN.
Fixed an issue where the MAC keychain info was lost after the SSLVPN connection.
Fixed Access Manager security vulnerability issues in the Java Runtime Environment.
Occasionally, when the naudit service is stopped by using /etc/init.d/novell-naudit stop command, other important services such as Tomcat and JCC also stop, which causes interruption of services.
To work around this issue, manually restart the Tomcat and JCC services. For information, seehttp://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7008991&sliceId=1&docTypeID=DT_TID_1_1&dialogID=120228708&stateId=0%200%20247101813 in the TID.
If you have two contracts, and the
option is enabled for one of them, the first user authentication does not overwrite the second user authentication. It displays the following error message:“Unable to authenticate. (409-esp-7271673232708786).”
This issue is not observed with the Linux Access Gateway. For more information, seehttp://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7008992&sliceId=1&docTypeID=DT_TID_1_1&dialogID=120228779&stateId=0%200%20247101935 in the TID.
The SSL VPN client works properly in Enterprise mode, but crashes Windows Explorer using ActiveX.
If you restore/downgrade the Windows XP client to Windows XP SP3, the SSL VPN client works properly in Kiosk mode.
This issue is not observed with Firefox using Java.
If the IP address and DNS servers are configured statically on MAC Leopard and a successful SSL VPN connection is established, the DNS resolution fails to use the DNS server IP address pushed from the SSL VPN server.
When you install the Administration Console and the Identity Server on a Windows 2008 machine, you cannot completely uninstall the components. The uninstall program hangs before it cleans all the files and the registry entries. To workaround this issue, see../../readme/accessmanager_readme_sp2_ir3.html#br1og3r in the Novell Access Manager 3.1 SP2 IR3a Readme.
You cannot upload large files to an IIS 7.x Web server where SSL is enabled between the Linux Access Gateway and IIS 7 server. The maximum upload size depends on the network setup. For information, seehttp://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7008505&sliceId=1&docTypeID=DT_TID_1_1&dialogID=120156265&stateId=0%200%20246847206 in the TID.
For more information, see http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7008862&sliceId=2&docTypeID=DT_TID_1_1&dialogID=269551712&stateId=0%200%20269553602
Using Brokering tab when you create rules for the role conditions first time, it will be displayed appropriately and the second time when you want to modify the existing role with OR conditions then the same is not updated and displayed.
To workaround this issue, delete the existing created role condition and recreate a new role condition.
If you try to access the Brokering URL after configuring an SP Brokering group with the Shibboleth Identity Provider, it fails to access the target application.
Because of an issue, the operating system returns the 27.0.0.2 entry when the hostname is resolved. This causes the 127.0.0.2 to be the default address of the listener when the device is added to the cluster.
To workaround this issue:
Go to the proxy service page. Change the listening IP address to the other cluster member, then select the correct IP address again.
Click
to save the changes.Verify the correct address and add the device to the cluster.
If the IP address and DNS servers are configured statically on MAC Leopard and a successful SSL VPN connection is established from it, then the DNS resolution fails to use the DNS server IP address pushed from the SSL VPN server.
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2011 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.