This Readme describes the Novell® Access Manager 3.1 SP1 release.
The following sources provide information about Novell Access Manager:
Access Manager Support. For TIDs and Cool Solutions articles, select for the and in the options.
After you have purchased Access Manager 3.1 SP1, log in to the Novell Customer Center and follow the link that allows you to download the software.
If you have purchased a previous release of Access Manager (3.0 SP4 or 3.1), download the patch files from Novell Downloads.
The following files are available:
Filename | Description |
---|---|
AM_31_SP1_IdentityServer_Linux.tar.gz, AM_31_SP1_IdentityServer_Linux.iso | Contains the Linux* Identity Server, the Linux Administration Console, the SSL VPN Server that is installed as a standalone version with an embedded service provider, and the SSL VPN Server that must be protected by an Access Gateway. Can be used for installation and upgrade from 3.0 SP4 to 3.1 SP1, from 3.1 to 3.1 SP1, and from the evaluation version to the product version. |
AM_31_SP1_IdentityServer_Windows.exe | Contains the Windows* Identity Server and Windows Administration Console. Can be used for installation and upgrade from 3.0 SP4 to 3.1 SP1, from 3.1 to 3.1 SP1, and from the evaluation version to the product version. |
AM_31_SP1_LinuxAccessGateway.iso | Contains the CD image for the Linux Access Gateway and the SSL VPN Server that must be configured as a protected resource of the Access Gateway. Can be used only for installation. |
AM_31_SP1_lagrpms.tar.gz | Contains the RPMs for the Linux Access Gateway and the SSL VPN Server that must be configured as a protected resource of the Access Gateway. Can be used for upgrading from 3.0 SP4 to 3.1 SP1, from 3.1 to 3.1 SP1, and from the evaluation version to the product version. This file is only available from Novell Downloads. |
For instructions on upgrading from 3.0 SP4 to 3.1 SP1, see “Upgrading from Access Manager 3.0 SP4 to Access Manager 3.1 SP1” in the Novell Access Manager Installation Guide. To verify that your components have been upgraded to 3.0 SP4, see Verifying Version Numbers Before Upgrading.
For instructions on upgrading from 3.1 to 3.1 SP1, see “Upgrading Access Manager 3.1 to 3.1 SP1” in the Novell Access Manager Installation Guide. To verify that your Access Manager components are running 3.1, see Verifying Version Numbers Before Upgrading.
IMPORTANT: If you have installed a previous version of the Administration Console or the Identity Server on a machine that does not have at least 1 GB (Linux) or 1.2 GB (Windows) of memory, the upgrade to SP1 fails. The installation script now checks for available memory and aborts the upgrade if the machine does not have the required memory. This upgrade check is below the recommended minimum of 2 GB.
For installation instructions for the Access Manager Administration Console, the Identity Server, and the Linux Access Gateway, see the Novell Access Manager Installation Guide.
For installation instructions for the SSL VPN server, see the Novell SSL VPN Server Guide.
If you are upgrading from Access Manager 3.0, all components must be upgraded to at least SP4 before upgrading to Access Manager 3.1 SP1. Installing any of the interim releases beforehand is optional.
In the Administration Console, click > >
Examine the value of the field to see if it displays an SP4 version that is eligible for upgrading to 3.1 SP1.
If you are upgrading from Access Manager 3.1, installing any of the interim releases beforehand is optional.
In the Administration Console, click > >
Examine the value of the field to see if it displays a 3.1 version that is eligible for upgrading to 3.1 SP1.
When you have finished upgrading your Access Manager components, verify that they have all been upgraded.
In the Administration Console, click > >
Examine the value of the field to verify that the component has been upgraded to 3.1 SP1.
The J2EE* Agents are a free download and are available from Novell Downloads. The following files are available:
For installation instructions, see Novell Access Manager J2EE Agent Guide.
To install an evaluation version of Access Manager 3.1 SP1, download the following files from Novell Downloads.
The key for the high bandwidth SSL VPN server does not ship with the product because of export laws and restrictions. The high bandwidth version does not have the connection and performance restrictions that are part of the version that ships with the product. Your regular Novell sales channel can determine if the export law allows you to order the high bandwidth version at no extra cost.
After you have obtained authorization for the high bandwidth version, log in to the Novell Customer Center and follow the link that allows you to download the high bandwidth key.
Before upgrading from 3.0 SP4 to 3.1 SP1, you need to upgrade the operating system of your Administration Console and Identity Server machines from SUSE® Linux Enterprise Server (SLES) 9 to SLES 10 SP2. After completing the upgrade, you need to verify the UID of the D-BUS (messagebus) user on your secondary Administration Consoles. The SLES upgrade creates this user with the same ID as the novlwww user. You need to change this ID before continuing with the upgrade process.
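A quick way to confirm the clash before opening the control center, as an added example that is not part of the Novell documentation: it reads a passwd-format file, reports whether messagebus and novlwww share a UID (two accounts with one UID are the same identity for file ownership and permission checks), and suggests an unused UID. The sample entries are constructed, and the 100-499 search range is an assumed default that you should match to your system's UID policy.

```shell
#!/bin/sh
# Added example, not Novell code. The account names messagebus and novlwww come
# from the text above; the passwd path is an argument so the check can run
# against a copy of the file.

# Constructed sample entries that reproduce the clash (UID 101 used twice).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ntp:x:100:103:constructed entry:/nonexistent:/bin/false
novlwww:x:101:101:constructed entry:/nonexistent:/bin/false
messagebus:x:101:102:User for D-BUS:/nonexistent:/bin/false
EOF
}

# Print the numeric UID of user $1 in passwd-format file $2 (empty if absent).
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }' "$2"
}

# Exit status: 0 = UIDs differ, 1 = clash, 2 = one of the users is missing.
check_dbus_uid() (
    passwd="${1:-/etc/passwd}"
    bus=$(uid_of messagebus "$passwd")
    www=$(uid_of novlwww "$passwd")
    if [ -z "$bus" ] || [ -z "$www" ]; then
        echo "messagebus or novlwww not found in $passwd" >&2
        exit 2
    fi
    if [ "$bus" = "$www" ]; then
        echo "CLASH: messagebus and novlwww both use UID $bus"
        exit 1
    fi
    echo "OK: messagebus=$bus novlwww=$www"
)

# Print the lowest UID in [$2, $3] that no account in file $1 uses.
# The default range 100-499 is an assumption; adjust it to your UID policy.
first_free_uid() (
    min="${2:-100}"
    max="${3:-499}"
    awk -F: -v min="$min" -v max="$max" '
        { used[$3] = 1 }
        END { for (i = min; i <= max; i++) if (!(i in used)) { print i; exit } }
    ' "$1"
)

# List every UID that more than one account shares, as "uid: name,name".
duplicate_uids() {
    awk -F: '
        { n[$3]++; who[$3] = (who[$3] == "" ? $1 : who[$3] "," $1) }
        END { for (u in n) if (n[u] > 1) print u ": " who[u] }
    ' "$1" | sort -n
}

# Demo on the constructed sample. On a secondary Administration Console, run
# check_dbus_uid /etc/passwd instead.
pw=$(mktemp) && sample_passwd > "$pw"
check_dbus_uid "$pw" || echo "unused UID to assign: $(first_free_uid "$pw")"
duplicate_uids "$pw"
rm -f "$pw"
```

Run the check again after changing the UID to confirm that the clash is gone.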
Access the control center, then click .
Set the filter to .
Select the messagebus (User for D-BUS) user.
Click .
Click the tab.
Change the UID to another ID that is unique.
Click .
Click .
Added an option to back up the current configuration to the upgrade utility.
Added instructions on how to migrate the primary Administration Console to new hardware when secondary consoles are installed.
Updated the PKI modules to version 3.3.2 to fix a problem with importing trusted root certificates.
Fixed an issue with Internet Explorer* that caused the links on the Dashboard page not to work.
Fixed the Administration Console log files to use GMT with a 24-hour clock for time stamps in log entries.
Fixed a security vulnerability that permitted access to the system files from the Administration Console.
Fixed an issue that caused the editing of policies to become slower and slower.
Fixed an issue that caused backups to fail on a primary console that was promoted from a secondary console.
Fixed an issue that caused an upgrade to fail when the install.sh script was run from a CD.
Fixed an issue that prevented the administrator from receiving a notice that the Identity Server needed to be updated when the cluster is assigned to an Access Gateway.
Fixed an issue that caused upgrading policies from 3.0 to 3.1 to fail.
Fixed an issue that prevented the LDAP Group condition from displaying in the policy configuration pages for Authorization policies.
Fixed an issue that prevented a Secondary Administration Console on Windows from being promoted to a Primary Administration Console.
Fixed an issue with auditing that prevented the Novell Audit plug-in from installing when you select to install both the Administration Console and the Identity Server at the same time.
Fixed an issue that caused audit log entries to truncate after about 246 characters. The entries now include who made the change and the parameter that was changed.
Fixed an issue that prevented policy delegated administrators from creating policies or modifying existing policies.
Added information to the Identity Server Guide on how to force the Identity Server to use 128-bit encryption.
Added an option to the X.509 authentication class that forces a browser restart on logout.
Fixed a session limit issue that allowed a user to exceed the session limit when the Identity Servers were in a cluster.
Fixed issues with 3.1 custom login pages so that they work with 3.1 SP1. For more information about this process, see “Upgrading from Access Manager 3.1 to 3.1 SP1”.
Fixed a SAML 2 issue so that attribute statements now specify data types.
Fixed an issue that caused an HTTP Status 500 error when logging in to the User Portal.
Renamed the labels on the Identity Server Statistics page so that they more closely match the log entries in catalina.out and stdout.log.
Fixed the labeling of trust stores so that they are consistent.
Modified the documentation on how to create custom login pages to include more information on how to use properties with classes and methods.
Fixed a login issue that caused the request to lose its target if the user waited too long and the session timed out before the user entered the login credentials.
Fixed an issue with SAML 2 and OpenSSO so that the Identity Server more accurately reports integration issues.
Fixed an issue with customizing login pages.
Fixed an issue with the ctarget parameter.
Fixed an upgrade problem that caused extra files to be restored.
Fixed a SAML2 issue with the format parameter so that it is now an optional parameter.
Fixed an issue so that assertion messages appear in the log files for WS Federation and CardSpace.
Fixed an issue that caused LDAP Error 49 to occur when all of the attributes required for Novell SecretStore® were not created on the SAML affiliate object.
Fixed an issue that prevented the Identity Server from checking for both an expired password and a SecretStore lock.
Fixed an issue that allowed disabled Active Directory* accounts with X.509 authentication to authenticate. These accounts are now denied access.
Added a Force HTTP-Only Cookie option to the Reverse Proxies / Authentication page.
Fixed an issue that allowed the auditing platform agent to consume all available threads.
Fixed a 404 status error that occurred when persistence between the Access Gateway and the Web servers was disabled.
Fixed a Form Fill issue that caused only a portion of a Java* script specified in the option to be saved.
You can now change the name of the Linux Access Gateway proxy session cookie sent to the back-end Web server to match the iChain® session cookie by using the following touch file:
/var/novell/.matchLagIchainCookieName
Fixed issues with remote desktop connections established through the Linux Access Gateway TCP tunnel.
Fixed the resource leak issue in novell-vmc.
Fixed issues in converting double-byte characters in Linux Access Gateway broker redirection.
Fixed a memory leak issue that occurred after updating the authorization library.
Fixed a few issues with machines that had 4 GB RAM. If the Linux Access Gateway was already imported, these issues sometimes caused the server to fail. In new installations, the Linux Access Gateway sometimes failed to import.
Fixed rewriting of JavaScript* boundary issues.
Fixed an issue with protected resources file extensions so that the file search (/*.<file extension>) now applies to or matches subdirectories.
Fixed an issue that caused the lcache process to go into a defunct state.
Fixed issues pertaining to memory build-up because of connections piling up.
Multiple post requests that need authentication from the same user are now handled.
The ics_dyn process no longer restarts or crashes when the log file’s size grows beyond 2 GB.
The Linux Access Gateway no longer crashes if the or logging profile types are enabled, and a log file’s size exceeds 2 GB.
Fixed some issues with reporting the correct version on the > page.
Fixed an issue in redirecting a browser to the SSL VPN URL when the Citrix* server is enabled for single sign-on.
Fixed an issue with the security level check when a service attribute is configured for the client integrity check.
Fixed an error that occurred when trying to configure a registry entry for a client integrity check.
The Client Integrity Check policy now has the capability to verify if a Windows service is running or not.
The number of active SSL VPN connections is now properly displayed in the Administration Console.
The SSL VPN connection is now terminated if the user deletes any of the CIC resources after the SSL VPN connection is established.
Fixed an OpenVPN connection error related to the TUN adapter, which caused the SSL VPN connection to fail on Windows Vista* 64-bit servers.
An alert message is now displayed during NAT/L4 configuration if the IP address, Port, and Proto fields of the Enterprise mode and the Kiosk mode have the same values.
SSL VPN supports basic authentication for forward proxy.
Ensure that you synchronize the correct date, time, and time zone settings between the Identity Servers and Access Gateway servers. You must synchronize your servers to within one minute of each other. Otherwise, you encounter federation and session time-out errors. It is recommended that you use NTP for time synchronization.
Ensure that DNS names can be resolved.
Enable (allow) browser pop-ups for the Administration Console (administration server).
Access Manager 3.1 SP1 does not support installation of the Administration Console, Identity Server, Linux Access Gateway, and SSL VPN on a single machine.
Access Manager should not be used with Novell Teaming + Conferencing. Support for this product is being evaluated.
WebDAV connections to NetStorage do not work. Browser connections to NetStorage can be used.
During installation, you are never prompted for an installation path. The Administration Console and the Identity Server are always installed on C:.
There is a potential conflict during the installation of the iManager plug-ins when you have a version of the JRE* installed on the machine.
To work around this problem, you need to remove the JRE from the machine, install the Administration Console, then reinstall the version of the JRE you removed.
The VMI kernels have issues with Novell Access Manager that can be worked around by using the information in TID 700224: “Installing Admin Console on VMWare ESX guest using the SLES “VMI” kernel fails”.
If you create delegated administrators and allow them to use your machine and your browser session instead of closing the browser, the delegated administrator inherits all rights until the browser is closed.
After creating delegated administrators, make sure you close the browser if other users are going to be using your machine.
The Administration Console is slow to install on Linux with 64-bit hardware and on Windows. Please be patient. It can take up to an hour to install.
When you create a Form Fill or Identity Injection Policy and select Liberty attributes that are four levels deep, the attributes are sometimes not visible from an Internet Explorer browser. If this occurs on your machine, you need to use Firefox*.
Ports 389 and 636 need to be free. If the installation software prompts you to enter different ports because 389 and 636 are in use, the installation does not lay down a system that you can use.
You need to free the ports, then install the Administration Console.
The following issues apply to the Identity Server:
NMAS Client on Windows Displays a Blank Page When an Incorrect Password Is Entered
On a Windows Machine, You Cannot Change the Port to 80 or 443
The Root and Intermediate Revocation Checks Are Not Performed on an X.509 Contract
The User Store Is Unhealthy after Upgrading the Administration Console to 3.1 SP1
The SAML NMAS Method in Access Manager Is Incompatible with 64-bit eDirectory
If you have the NMAS client installed on a Windows machine, the Identity Server is configured to use NMAS as the default contract, you use Internet Explorer to log in to the User Portal application of the Identity Server, and you enter an incorrect password, an error is returned and you are then redirected to a blank page.
To solve the problem, reload the current page.
If you configure the base URL of the Identity Server to use port 80 or 443 rather than 8080 or 8443, the Identity Server cannot be accessed.
Besides specifying the port you want to use in the base URL, you also need to modify the server.xml file located in the \Program Files\Novell\Tomcat\conf directory. Change the ports from 8080 and 8443 to 80 and 443 and restart the Tomcat service.
If you configure the X.509 contract to perform root certificate authority checks, the leaf certificate is verified, but the certificates between the leaf and the root are not verified. This will be fixed in the next interim release of Access Manager.
If you make modifications to the user store after upgrading the Administration Console but before upgrading the Identity Server, you break communication between the Identity Server and the user store.
To fix the communication problem, you need to upgrade the Identity Server to 3.1 SP1.
You cannot use 64-bit eDirectory™ with SecretStore® as a remote SecretStore because remote SecretStore requires a 64-bit SAML NMAS™ method, which is currently not available. If you want to use eDirectory 8.8 SP5 as a user store and a remote SecretStore, you need to use the 32-bit version.
Some Web applications have security restrictions so that a normal redirect to the Identity Server for session renewal fails. The browser might have the appearance of a hang, and JavaScript errors are often displayed. The frequency of this problem can be reduced by setting the Identity Server session timeout to a higher value.
If there are already values in the LDAP attribute for X509 Subject Name mapping and you enable for the X509 authentication class, the LDAP attribute values are overwritten with the client certificate subject name.
This section discusses the known issues that apply to the current release of the Linux Access Gateway.
When Using OpenOffice Tools with a WebDAV Connection, Multiple Sessions Are Created
Cookie and Session Issues Using Nautilus File Manager with WebDAV Connections
On a New Install, the Secure Logging Server Is Not Configured Correctly
After Reinstalling the Access Gateway, the Embedded Service Provider Won’t Start
Rewriter On and Off Flags Are Not Effective in Character Profile
Linux Access Gateway Goes To an Unresponsive Mode When Applying Pin List Changes
Issues with the Audit Server While Importing a Linux Access Gateway Configuration
Rewriter Does Not Handle the [oa] Option in Search and Replace
Form Fill Does Not Work if the Web Page Contains an Apostrophe
Form Fill Fails If the Web Server Does Not Send the Content Type
Form Fill Policy and the Refresh Data Every Option Restrictions
The Refresh Data Every Option Is Not Editable for a Form Fill Policy
The edit page for a proxy service ( > > > > ) hangs under the following conditions:
Reverse Proxy is configured for SSL.
At least one Domain-Based proxy service has been configured.
The names of the authentication proxy service and the domain-based proxy service have at least two dot segments in their names. For example, host.novell.com and support.host.novell.com.
If you need to access this page to change the name or the cookie domain of the authentication proxy service, disable SSL, access the page, make the changes, click , then enable SSL. The other configuration pages for this proxy service are available from the links in the .
When using OpenOffice Writer and other tools over WebDAV connections, cookies that are set by the server are not included in requests from the OpenOffice client. As such, each WebDAV request from the client results in a new session being created. If you have limited user sessions, the limit can be quickly reached, which results in files left in a lock state or with IO errors.
To solve this problem, do not limit user sessions ( > > ) when users are using OpenOffice tools over a WebDAV connection.
The Nautilus File Manager v2.12.2 in SUSE Linux Enterprise Desktop (SLED) 10 SP1 and SP2 does not include cookies when making WebDAV requests. As a result, when the WebDAV server is being accessed through a reverse proxy on the Linux Access Gateway, a new user session is created at the proxy for every WebDAV request sent from Nautilus. A simple file open can result in the creation of multiple sessions.
To solve this problem, do not limit user sessions ( > > ) when users are making WebDAV requests with the Nautilus File Manager.
The logevent.conf file, which controls the configuration for the secure logging server, initializes the address of the logging server to 127.0.0.1 instead of the IP address specified in the Administration Console. By default, this address is the IP address of the Administration Console, but it can be configured for an external auditing server such as a Novell Sentinel server.
To fix the problem:
Log in to the Access Gateway as root.
Change to the /etc directory.
Open the logevent.conf file and find the following line:
LogHost=127.0.0.1
Change the IP address to the address of your secure logging server.
Reboot the Access Gateway.
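The same check and edit as a script, added here as an example and not taken from Novell: it reads LogHost from a logevent.conf file, flags a loopback value, and rewrites the line after saving a .bak copy. The function names, the sample file contents and the address 192.0.2.10 are constructed for illustration, and IPv4-only addresses are an assumption; only the LogHost=127.0.0.1 line comes from the text above.

```shell
#!/bin/sh
# Added example, not Novell code. Only "LogHost=127.0.0.1" comes from the page;
# the other sample line and the address 192.0.2.10 are constructed.

# Constructed stand-in for /etc/logevent.conf.
sample_logevent_conf() {
    cat <<'EOF'
ExampleOtherSetting=unchanged
LogHost=127.0.0.1
EOF
}

# Return 0 if $1 is a dotted-quad IPv4 address (IPv4-only is an assumption).
is_ipv4() (
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Print the value of the last LogHost line in file $1 (empty if there is none).
loghost_of() {
    sed -n 's/^[[:space:]]*LogHost[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" |
        tail -n 1
}

# Exit status: 0 = matches $2, 1 = loopback, 2 = other mismatch, 3 = no LogHost.
check_loghost() (
    current=$(loghost_of "$1")
    [ -n "$current" ] || { echo "no LogHost line in $1"; exit 3; }
    case "$current" in
        127.*|localhost)
            echo "LogHost=$current points at loopback, not the secure logging server"
            exit 1 ;;
    esac
    [ "$current" = "$2" ] || { echo "LogHost=$current, expected $2"; exit 2; }
    echo "LogHost=$current matches the secure logging server"
)

# Point LogHost in file $1 at IPv4 address $2, keeping the original as $1.bak.
set_loghost() (
    is_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; exit 1; }
    case "$2" in
        127.*) echo "refusing loopback address $2" >&2; exit 1 ;;
    esac
    cp -p "$1" "$1.bak" || exit 1
    # Only the LogHost line changes; every other line is copied through as is.
    sed "s/^\([[:space:]]*LogHost[[:space:]]*=\).*/\1$2/" "$1.bak" > "$1"
)

# Demo on the constructed sample file.
conf=$(mktemp) && sample_logevent_conf > "$conf"
check_loghost "$conf" 192.0.2.10 || set_loghost "$conf" 192.0.2.10
check_loghost "$conf" 192.0.2.10
rm -f "$conf" "$conf.bak"
```

On a gateway, run the functions as root against /etc/logevent.conf with the address of your secure logging server, then reboot the Access Gateway as described above.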
Sometimes when you reinstall the Access Gateway, the current configuration is not pushed to the machine. When this happens, the Embedded Service Provider can’t start.
To solve the problem:
In the Administration Console, click > .
Scroll to the section.
Select the Access Gateway that has the problem, then click .
If you have configured your Access Manager system to use a Novell Sentinel™ or Novell Audit server for auditing, the Novell Audit client sometimes disconnects from the auditing server. This usually happens when communication problems exist on the network. When this happens, the Linux Access Gateway might crash. This issue can also prevent the successful completion of any Linux Access Gateway configuration changes.
To solve this problem, make sure that no communication problems exist between the auditing client on the Linux Access Gateway and the auditing server. Novell is working on a fix for this issue.
You must use the text-mode installation for the VMWare* ESX platform. The GUI mode for the installation of Linux Access Gateway fails and falls back to the text mode on VMWare ESX.
The NOVELL_REWRITER_ON and NOVELL_REWRITER_OFF flags are not effective in the Linux Access Gateway character profile.
Linux Access Gateway might crash or go into an unresponsive state when applying changes to configuration, because of unresolved DNS names in the Pin List configuration or because the Pin List contained over 50 entries. When this issue occurs, log in to the Linux Access Gateway machine, then specify the following command to restart:
/etc/init.d/novell-vmc restart
To ensure that this issue does not occur, make sure that the host names configured in the Pin List are resolvable by DNS and maintain a minimal list of Pin List entries, before applying changes.
When importing a Linux Access Gateway configuration, it is possible that the imported configuration contains an Audit server IP address that is different from the Audit server IP address that has been configured in the Administration Console. Updating the Linux Access Gateway configuration does not correct this address problem. As long as the addresses differ, the Access Gateway can hang during subsequent updates or restarts because the Novell Audit Agent of the Access Gateway cannot connect to its configured Audit server.
You must force the Linux Access Gateway to change its Audit server settings.
In the Administration Console, click > .
Specify a different IP address for the Secure Logging Server, then click .
Click , specify the correct IP address for the Secure Logging Server, then click .
Update the Linux Access Gateway.
Reboot every Access Manager machine, starting with the Administration Console.
If you have already configured the other Access Manager machines to use the correct IP address of the Secure Logging Server, rebooting the Linux Access Gateway should be sufficient.
The character rewriter profile does not support the [oa] option to search and replace plain words and strings.
The option does not work. For example, if you add https://www.mygroup.com, it is not excluded from the list. You must provide only the DNS name, such as www.mygroup.com.
A Form Fill auto-submit fails when an input field in an HTML page contains name="submit".
The Linux Access Gateway Form Fill does not work if the Web page contains the apostrophe character.
Form Fill does not process the page if the Web server does not send the content type. Form Fill processes the following content types:
"text/html" "text/xml" "text/css" "text/javascript" "application/javascript" "application/x-javascript"
In a Form Fill policy, you can only set the option to Request or Session. If you select a time to live, it is the same as selecting Request.
If you use the option in your Form Fill policy, you cannot change the order of the Form Fill action and the Form Login Failure action. When you create the policy, you must configure the actions in the order you want them executed. If you modify the order, the option becomes uneditable.
When a SharePoint* server is accelerated by the Linux Access Gateway as a path-based multi-homing service, you cannot publish a PowerPoint* slide if your workstation has Internet Explorer 7.0 and Microsoft* Office 2007. You can use Internet Explorer 6.0 or Firefox browsers to publish a PowerPoint slide.
If you have enabled the debug level of logging for the laghttpheaders and lagsoapmessages log files, manual deletion of these log files causes the Linux Access Gateway to crash.
To work around this problem, restart the Linux Access Gateway after you manually delete the log files.
The following sections divide the known issues into general issues that apply to both the Enterprise mode and Kiosk mode and issues that apply only to the Enterprise mode and only to the Kiosk mode:
Cluster Members Do Not Listen on a Changed Communication Port
After Upgrading, Configuration Changes Made in the web.xml and config.txt Files Are Lost
SSL VPN Statistics Displayed in the Administration Console Are Not in Order
HTTP Applications Cannot Be Accessed When an SSL VPN Connection Is Made through the Forward Proxy
Tomcat Restart Following SSL VPN Authentication Loses Configuration Changes
On Windows Vista (32-bit and 64-bit) with Internet Explorer 8.0, the Wincic File Is Not Stored.
If you change the communication port of a cluster after the cluster was set up successfully, only the master server listens on the changed port. The non-primary cluster members fail to listen on the changed port. To work around this issue, restart Tomcat as follows in all the non-primary cluster members:
/etc/init.d/novell-sslvpn stop
/etc/init.d/novell-sslvpn start
The SSL VPN service randomly goes down when Tomcat is restarted. To work around this issue, the SSL VPN service must be manually restarted to establish connection.
When full tunneling is enabled in Mac* OS, traffic to resources in a user’s local subnet goes outside the tunnel.
When the Administration Console, Identity Server, and SSL VPN Server are installed on the same machine, the SSL VPN server sometimes gets into a pending state even when all of its commands have been successful.
To work around this problem:
In the Administration Console, click > .
Click the link.
Select all the commands, then click > .
If the device is still in a pending state, click > .
In the section, select the SSL VPN server and remove the pending state.
Novell SSL VPN 3.1 does not contain config.txt and web.xml files. The following configuration changes are lost after you upgrade to SSL VPN 3.1 version:
Enabling SSL VPN to connect only in Kiosk mode
Downloading an applet when a user uses Internet Explorer
Enabling SSL VPN connections to Citrix servers
You must configure these settings again by using the Administration Console. For more information, see “Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode”, “Configuring SSL VPN to Download the Java Applet on Internet Explorer”, and “Configuring a Custom Login Policy for SSL VPN” in the Novell Access Manager SSL VPN Server Guide.
The SSL VPN connection statistics that are displayed in the Administration Console are not in any order.
If a client uses an HTTP forward proxy to establish the SSL VPN session, no HTTP application can be accessed over this SSL VPN connection because the browser is configured to use the forward proxy server for HTTP requests.
When Administration Console and SSL VPN server are on the same machine, if you configure the entire SSL VPN setup, change the ESP details, and restart Tomcat, then you lose all the configuration changes.
To work around this problem:
Configure the authentication configuration.
Save your changes.
Configure the remaining SSL VPN configuration settings.
On Windows Vista 32-bit in Internet Explorer 8.0, even though the session times out because of inactivity, it remains connected as long as it is idle. The exit page does not display the inactivity timeout error message. The ActiveX* pop-up window is displayed with the log filename and its location.
To work around this problem, click in the ActiveX pop-up window. The control goes to the exit page, then the inactivity timeout error is displayed.
If the User Access Control option is enabled on the host machine, the client machine with Windows Vista (32-bit and 64-bit) and Internet Explorer 8.0 cannot store the Wincic file from the host machine by using the forcejre option.
Firefox randomly goes into a non-responsive mode in multiple clients when running in Windows Kiosk mode.
Using Intel* Mac to access protected HTTP applications is not supported.
If you use 64-bit machines, you can access SSL VPN only in Enterprise mode. Accessing SSL VPN in Kiosk mode is not supported.
Domain name search does not work in the Kiosk mode in Macintosh*.
In SSL VPN Kiosk mode, the active mode of FTP is not supported.
Full Tunneling with Forward Proxy Enabled Is Not Supported for Web Client Applications
Tunnel Logs Display Full Tunnel Information in Split Tunnel Mode
SSL VPN Connection from a Vista 64-Bit Machine with the Firefox Browser Might Have Stability Issues
No Error Message Is Displayed for an Invalid Credential Entry on Windows 2000 Machines
Connection Fails in SSL VPN If the Root User Password Is Not Set in Macintosh
Full tunneling with a forward proxy enabled client network is not supported for Web client applications. This is because, in Enterprise Mode, a route is added in order to enable forward proxy. Using this route, any Web clients from that workstation can bypass the SSL VPN server by using the forward proxy.
If client debug logs are enabled, tunnel logs displayed in the Enterprise mode might contain information for full tunneling, even though only split tunneling is enabled for the user.
SSL VPN does not support 64-Bit Internet Explorer that uses an ActiveX connection to establish the initial login session.
If you are using a Windows Vista 64-bit machine and the Firefox browser to connect to SSL VPN, the connection might fail after running for a few hours, because of a Firefox browser stability issue. To work around this problem, make sure you upgrade to Firefox 3.0.10 or later.
On Windows 2000 machines, if a non-admin user tries to establish an SSL VPN connection in the Enterprise mode and specifies the wrong credentials for the admin user, no error messages are displayed. However, the user is denied access after trying to establish the connection.
In Macintosh, the SSL VPN connection fails if you log in as a root user and there is no password set for the root user. When there is no password set for the root user, the user can log in by using the credentials of the admin user.
The following sections discuss the known issues in J2EE agents for JBoss, WebSphere, and WebLogic.
You cannot configure a base or SOAP URL for the Novell Access Manager J2EE Agent with port 65535.
In WebLogic J2EE agents, when users who do not have sufficient rights try to access resources for which they have been denied authorization, the following message is displayed:
There was a problem with your authentication
The required Web page is displayed if you refresh the page once.
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.