Privileged Account Manager 3.6 Patch 2 Release Notes

November 2019

NetIQ Privileged Account Manager 3.6 P2 includes a new feature and resolves previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Privileged Account Manager Community Support Forum, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Privileged Account Manager Documentation website. To download this product, see the Micro Focus Downloads website.

1.0 What’s New?

The following sections outline a key feature and the issues resolved in this release:

1.1 Radius Client Method Support in Advanced Authentication

In addition to existing Advanced Authentication methods, PAM now supports the RADIUS Client method.

1.2 Software Fixes

Agent Crashes and Displays the Access Violation Error

The random agent crash issue observed on multiple Windows servers does not occur anymore. (Bug 1156733)

SSH Relay to a SSH Target Host Fails if You Use a Custom Port Other Than Port 22

SSH Relay to custom ports on target SSH hosts works successfully. (Bug 1146036)

When Secondary Authentication after Login, is in Progress, Accessing PAM Through Another Tab Displays Your Landing Page Without Data

When secondary authentication after login, is in progress, accessing PAM through another tab displays the login screen. (Bug 1148388)

1.3 Security Vulnerability Fix

Privileged Account Manager 3.6 P2 fixes the potentially unsafe Cipher Block Chaining (CBC) encryption issue (CVE-2019-0169).

In PAM, CBC mode is enabled by default. Therefore, you must disable the CBC mode.

  • When you disable CBC Mode:

    • Ensures that CBC mode is not used for communication by product components such as PAM Manager, PAM Agent, PAM Administration Console, PAM User Console, and target applications.

    • The primary registry manager is disabled first, followed by the other registry managers, and then the associated agents. Automatic re-registration of agents happens once in two days. Therefore, it may take up to two days for CBC mode to be disabled automatically on all the agents.

    • For agents in Offline state, CBC mode will be disabled only after the status changes to Online and the agents are re-registered with the manager.

To disable CBC mode:

  1. Ensure that all the packages are upgraded to the latest version on all PAM agents and managers.

  2. Log in to the PAM Administration Console.

  3. Click Hosts > Host Status, and then click the Disable button next to CBC Mode.

  4. (Conditional) To disable CBC mode immediately on agents, re-register agents manually. For more information about re-registering agents manually, see the Privileged Account Manager Administration Guide.

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see Privileged Account Manager 3.6 System Requirements.

3.0 Upgrading Privileged Account Manager

You can upgrade to Privileged Account Manager only from version 3.6. and later. For information about upgrading Privileged Account Manager, see Upgrading Privileged Account Manager.

NOTE:Privileged Account Manager does not monitor active Windows sessions during this patch. So, ensure that there are no active sessions when installing this patch.

4.0 Updated Modules

This version of Privileged Account Manager 3.6 P2 updates the following modules:

  • Access Control Console <access>

  • Command Control Agent <rexec>

  • Access Manager <auth>

  • Registry manager <registry>

  • Agent Console <servers>

  • Package Management Console <pkgman>

  • Privileged Credential Manager <prvcrdvlt>

  • Registry Agent <regclnt>

  • SSH Relay Agent <sshrelay>

  • Administration Manager <admin>

  • Framework Patch <spf>

5.0 Known Issues

Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Unable to Use NetIQ Advanced Authentication if Chain is not Configured with LDAP Password Method as the First Entry

Workaround: To use NetIQ Advanced authentication, configure Chain with LDAP Password method as the first entry. (Bug 1140608)

5.2 Privileged Single Sign-on to Microsoft Edge is not Supported

Workaround: Use any supported browser other than Microsoft Edge. (Bug 1079379)

5.3 Secure Shell Java Terminal Displays Random Characters Instead of the Typed Characters

Issue: SSH Java terminal displays random characters instead of the typed characters on Java SSH relay connection to certain network switches. (Bug 1086870)

Workaround: Use alternative SSH clients such as command line SSH or PuTTY, or MobaXterm, instead of Java SSH.

5.4 Unable to Refresh Data In Access page While Using Internet Explorer 11

Issue: When you click Refresh in the Access page, the updated data is not displayed.(Bug 1095367)

Workaround: Click Refresh in Internet Explorer browser instead of Refresh in the Access page.

5.5 Time Zones Are Different In Reports and Keystrokes

Issue: For certain Linux and Unix sessions, the time zone for Start Time is different in the Reports and Keystrokes. (Bug 1041802)

Workaround: There is no workaround at this time.

5.6 All Registered Agents become Unregistered after License is added to Privileged Account Manager

Workaround: Install PAM License immediately after deploying PAM manager. If license is added later, re-register the agents after you add a new license. (Bug 1100050)

5.7 Audit Videos do not Play in Microsoft Edge

Workaround: Use any of the other supported browsers to view Audit videos. (Bug 1037322)

5.8 PAM User Console cannot be Custom Branded

Workaround: There is no workaround at this time.(Bug 1094124)

5.9 Unable to Log into PAM Console by Using Firefox Quantum and Edge browser, When Secondary Authentication is Enabled for Biometric Devices

Issue: When you use Privileged Account Manager in Microsoft Edge or Firefox Quantum, after you install AAF 6.0, you are unable to enroll biometric devices. (Bug 1097960)

Workaround: There is no workaround for Firefox Quantum at this time. For the workaround while using Microsoft Edge, see the Privileged Account Manager 3.6 System Requirements.

5.10 Newly Created Reports are not Listed Under My Reports in Internet Explorer 11 Browser

Use browsers other than Internet Explorer 11. To view the list of supported browsers, see the Privileged Account Manager 3.6 System Requirements. (Bug 1100985)

5.11 New sessions are not Updated in Session Table in Internet Explorer 11 browser

Use browsers other than Internet Explorer 11. To view the list of supported browsers, see the Privileged Account Manager 3.6 System Requirements. (Bug 1100970)

5.12 Moving Multiple Objects Does Not Work

Issue: Selecting and moving multiple objects by using the Shift/ Ctrl key does not work. (Bug 915307)

Workaround: There is no workaround at this time.

5.13 The Run as privileged user Option Is Not Displayed on a Windows 2012 Server Start Menu

Issue: When you right-click Start menu on a Windows 2012 server, the Run as privileged user option does not get displayed. (Bug 901032)

Workaround: To workaround this issue, right-click the application in the folder where the application is installed to execute Run as privileged user.

5.14 The Command Control Objects Are Not Displayed When Large Number of Objects Are Added Simultaneously

Issue: When Command Control Objects are added simultaneously in large numbers, the objects do not appear in the console. This is an intermittent behavior. (Bug 908307)

Workaround: There is no workaround at this time.

5.15 The Unregistered Hosts List Is Not Working

Issue: In the administration console, when you search for unregistered hosts by clicking Hosts > List Unregistered Hosts > IP Range, the Failed to list unregistered agents error is displayed. (Bug 832747,790444, 1104360)

Workaround: Ensure that when you install Agents, you register it with the Manager for Privileged Account Manager. However, there is no workaround to register multiple unregistered hosts at the same time.

5.16 The Changes to the Syslog Settings Do Not Get Applied

Issue: In the Reporting console of Privileged Account Manager when you save the changes to syslog settings, such as select SSL, or Allow Persistent Connections, the changes are not applied. (Bug 895993)

Workaround: To workaround this issue, restart Privileged Account Manager.

5.17 RDP Relay Does Not Work When Network Level Authentication Is Enabled

Issue: RDP Relay fails with the error The remote computer requires Network Level Authentication, which your computer does not support. when Network Level Authentication (NLA) is enabled on the host. (Bug 774061)

Workaround: Perform the following to disable NLA on the remote desktop session host:

  1. Click Control Panel > System > Remote Settings.

  2. Deselect Allow connections only from computers running Remote Desktop with Network Level Authentication and click OK.

For more information about using PAM application SSO where NLA can be enabled, see the Knowledge Base Article 7020137

5.18 NPAM Service Commands Do Not Work In SUSE Linux Enterprise Server 12 or Later

Issue: The NPAM service commands such as start, stop, restart, and status do not work in SUSE Linux Enterprise Server 12 or later. (Bug 1041284)

Workaround: To workaround this issue, perform ONE of the following:

  • Kill and restart the NPAM process using the following command:

    pkill unifid

    /etc/init.d/npum start

  • Reboot the system using the following command:



    shutdown -r now

After performing one of the preceding steps, you can verify the NPAM process running status by executing the following command:

/etc/init.d/npum status

5.19 Cannot Launch SSH Relay Session from User Console in FIPS mode

Workaround: Launch SSH relay session using any other standard SSH clients.(Bug 1109771)

6.0 Contacting Micro Focus

For specific product issues, contact Micro Focus Support at

Additional technical information or advice is available from several sources: