NetIQ Privileged Account Manager 3.5 Patch Update 3 Release Notes

July 2019

NetIQ Privileged Account Manager 3.5 P3 resolves some of the previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Privileged Account Manager Community Support Forum, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Privileged Account Manager Documentation website. To download this product, see the Micro Focus Downloads website.

1.0 Software Fixes

The following sections outline the issues resolved in this release:

1.1 Video Conversion Fails Intermittently with an Error

Issue: Privileged Account Manager terminates video processing after a 10 minute timeout period. The retry of the action also fails because the intermittent file still exists.

Fix: This patch update deletes the intermittent WebM file before the retry.(Bug 1135861)

1.2 Security Vulnerability Fix

This patch update resolves the authentication token vulnerability (CVE-2019-3491) with Privileged Account Manager endpoints.

1.3 Intermittent Windows Stop Error on the Windows Agent

This patch update provides a fix to address this error.(Bug 1132216)

1.4 Enhancement to Keystroke Auditing on Windows Server 2016 Standard Edition

(Bug 1139689)

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see the Privileged Account Manager System Requirements.

3.0 Installing the Patch Update

3.1 Prerequisites

Before installing this patch update, ensure the following:

  • Privileged Account Manager must be on version 3.5 or later. To upgrade from versions prior to 3.5, you must first upgrade to 3.5. For more information about upgrading to Privileged Account Manager 3.5, see Upgrading Privileged Account Manager in the Privileged Account Manager Installation Guide.

  • Privileged Account Manager does not monitor active Windows sessions during this patch update. So, ensure that there are no active sessions during this patch update.

3.2 Updated Modules

This version of Privileged Account Manager 3.5 P3 updates the following modules:

  • Framework package (spf)

  • Administrative interface (admin)

  • Command control agent (rexec)

  • Storage and reporting of system and application audit events (audit)

  • Agent management (servers)

  • Provides framework authentication (auth)

  • Package Management Console (pkgman)

3.3 Installing 3.5 P3

Installing the patch update includes publishing the packages on the Package Manager and installing the published packages to the Hosts.

Publishing the Packages on the Package Manager

You can publish the packages on the package manager in the following ways:

Using Package Manager with NCC

  1. Configure the Package Manager by using the Novell Update Server:

    1. Log in to the Administration console.

    2. Click Package Manager > Settings.

    3. From the drop-down, select Novell Update Server.

    4. To view the update server information, select Advanced Settings.

      • Select the Packages check box.

      • Ensure that https is selected in the drop-down list.

      • Specify the entire URL for download as follows:

        nu.novell.com/PUM/packages

      • Ensure that the port number is 443.

      • Leave the last text field blank since /PUM/Packages is already added in the previous text field.

      NOTE:Ensure that you retain the default settings for other fields in this screen.

    5. Click Finish.

      For more details and alternate options to download packages to Package Manager, see Configuring the Package Manager.

  2. To push the packages to your host machines, continue with Installing the Packages on Host Machines.

Using Package Manager with a Local Server

  1. Download the patch update manually:

    1. On the NetIQ Downloads site, select the Basic Search tab.

    2. On the right pane, select Search Patches.

    3. On the Patch Finder page, select Privileged User Manager from the list of products.

    4. Click Search, then click Privileged Account Manager 3.5.

      This displays the current patch update.

    5. Download all the Superseded Patches and Current Patches for Privileged Account Manager.

  2. Repeat the following steps in a sequential order:

    1. Copy the netiq-npam-packages-3.5.0.x.tar.gz file to any of the Privileged Account Manager machines.

    2. Extract netiq-npam-packages-3.5.0.x.tar.gz into a temporary location, for example, /tmp/framework/ directory. 

      tar -xvf netiq-npam-packages-3.5.0.x.tar.gz

    3. Use the following command to publish the packages to the Package Manager:

      Replace <admin> with the name of your admin user.

      For Linux and UNIX platforms:

      /opt/netiq/npum/sbin/unifi -u <admin> distrib publish -d /tmp/framework

      For Windows platforms:

      c:\Program Files\netiq\npum\bin\unifi -u <admin> distrib publish -d c:\tmp\framework

    4. When prompted, enter the name and password for the administrator.

  3. To push the packages to your host machines, continue with Installing the Packages on Host Machines.

Installing the Packages on Host Machines

Prerequisite

Before installing the patch update, disconnect all the Privileged Account Manager sessions to the host on which you are installing this patch.

You can install the updated packages on all the hosts or selected hosts in the following ways:

Installing the Packages Through Command Line

You can install the packages on a Windows, LINUX, or UNIX through command line. For more information about the commands for installing the updated packages, see Upgrade and Rollback Packages section in the Privileged Account Manager Administration Guide.

Installing the Packages Through Administration Console

When you are installing the packages through the Administration Console, you can create a backup of the existing packages that you are replacing. To create the backup, you need to leave the Create backup option enabled when installing the patch update. Then, if you want to remove the update, you can use the Rollback Packages option.

When you are installing the packages through the Administration Console, you must first install the Framework Patch (spf) and then install other updated packages. Thus, these updated packages are listed in the Host Console only after installing the Framework patch.

To install the packages, perform the following:

  1. Log in to the Framework Manager console.

  2. (Conditional) If you want to install the patch update on all the hosts, perform the following:

    1. On the Home page of the console, click Hosts.

    2. Select the root domain.

    3. In the left pane, click Update Domain Packages.

    4. Select the latest Framework Patch (spf), then click Next.

    5. In the left pane, click Update Domain Packages.

    6. Select all the listed packages, then click Next.

    7. Click Finish.

    8. Repeat Step e, f, and g till no more packages are listed.

  3. (Conditional) If you want to install the patch update on selected hosts, perform the following:

    1. On the Home page of the console, click Hosts.

    2. Select the host on which you want to install this patch.

    3. In the left pane, click Update Packages.

    4. Select the latest Framework Patch (spf), then click Next.

    5. In the left pane, click Update Packages.

    6. Select all the listed packages, then click Next.

    7. Click Finish.

    8. Repeat Step e, f, and g till no more packages are listed.

4.0 Known Issues

Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

4.1 Privileged Single Sign-on is not Supported in Microsoft Edge

Workaround: Use Microsoft Internet Explorer 11 to enable Privilege Single Sign-on in browsers with Local Group Policy configured. (Bug 1079379)

4.2 Secure Shel Java Terminal Displays Random Characters Instead of the Typed Characters

Issue: SSH Java terminal displays random characters instead of the typed characters on Java SSH relay connection to certain network switches. (Bug 1086870)

Workaround: Use alternative SSH clients such as command line SSH or PuTTY, or MobaXterm, instead of Java SSH.

4.3 Unable to Refresh Data In Access page While Using Internet Explorer 11

Issue: When you click Refresh in the Access page, the updated data is not displayed.(Bug 1095367)

Workaround: Click Refresh in Internet Explorer browser instead of Refresh in the Access page.

4.4 Time Zones Are Different In Reporting Console and Output

Issue: For certain Linux and Unix sessions, the time zone for Start Time is different in the Reporting Console and a playback of the session. (Bug 1041802)

Workaround: There is no workaround at this time.

4.5 All Registered Agents become Unregistered after License is added to Privileged Account Manager

Workaround: Install PAM License immediately after deploy PAM manager. If License is added later, re-register the agents after you add a new license. (Bug 1100050)

4.6 Audit videos do not Play in Microsoft Edge Browser

Workaround: Audit videos can be viewed in other supported browsers. (Bug 1037322)

4.7 PAM User Console cannot be Customized Branded

Workaround: There is no workaround at this time.(Bug 1094124)

4.8 Unable to login to PAM console by using Firefox Quantum and Edge browser, when Secondary Authentication is enable for biometrics devices

Issue: When you use Privileged Account Manager in Microsoft Edge of Firefox Quantum, after you install AAF 6.0, you are unable to enroll biometric devices. (Bug 1097960)

Workaround: There is no workaround for Firefox Quantum at this time. For the workaround while using Microsoft Edge, see Advanced Authentication System Requirements.

4.9 Newly Created Reports are not Listed Under My Views in Internet Explorer 11 Browser

Use browsers other than Internet Explorer 11. To view the list of supported browsers, see the Technical Information website. (Bug 1100985)

4.10 New sessions are not Updated in Session Table in Internet Explorer 11 browser

Use browsers other than Internet Explorer 11. To view the list of supported browsers, see the Technical Information website. (Bug 1100970)

4.11 Moving Multiple Objects Does Not Work

Issue: Selecting and moving multiple objects by using the Shift/ Ctrl key does not work. (Bug 915307)

Workaround: There is no workaround at this time.

4.12 The Run as privileged user Option Is Not Displayed on a Windows 2012 Server

Issue: When you right-click Start on a Windows 2012 server, the Run as privileged user option does not get displayed. (Bug 901032)

Workaround: To workaround this issue, right-click the application in the folder where the application is installed to execute Run as privileged user.

4.13 The Command Control Objects Are Not Displayed When Large Number of Objects Are Added Simultaneously

Issue: When Command Control Objects are added simultaneously in large numbers, the objects do not appear in the console. This is an intermittent behavior. (Bug 908307)

Workaround: There is no workaround at this time.

4.14 The Unregistered Hosts List Is Not Displayed

Issue: In the administration console, when you search for unregistered hosts by clicking Hosts > List Unregistered Hosts > IP Range, the Failed to list unregistered agents error is displayed. (Bug 832747)

Workaround: Ensure that when you install Agents, you register it with the Manager for Privileged Account Manager.

4.15 The Changes to the Syslog Settings Do Not Get Applied

Issue: In the Reporting console of Privileged Account Manager when you save the changes to syslog settings, such as select SSL, or Allow Persistent Connections, the changes are not applied. (Bug 895993)

Workaround: To workaround this issue, restart Privileged Account Manager.

4.16 Cannot Uninstall Privileged Account Manager 3.2 Through Windows Add/Remove Programs

Issue: Uninstalling Privileged Account Manager 3.2 through Windows Add/Remove Programs displays an error. This issue occurs only when the Privileged Account Manager is upgraded to 3.2 using Privileged Account Manager 3.2 installer. (Bug 1029461)

Workaround: Uninstall Privileged Account Manager through command line or Privileged Account Manager 3.2 installer.

5.0 Contact Information

For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.

Additional technical information or advice is available from several sources:

6.0 Legal Notice

© Copyright 2019 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

For additional information, such as certification-related notices and trademarks, see http://www.microfocus.com/about/legal/.