NetIQ Privileged Account Manager 3.6 P2 includes a new feature and resolves previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Privileged Account Manager Community Support Forum, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Privileged Account Manager Documentation website. To download this product, see the Micro Focus Downloads website.
The following sections outline a key feature and the issues resolved in this release:
In addition to existing Advanced Authentication methods, PAM now supports the RADIUS Client method.
The random agent crash issue observed on multiple Windows servers does not occur anymore. (Bug 1156733)
SSH Relay to custom ports on target SSH hosts works successfully. (Bug 1146036)
When secondary authentication after login is in progress, accessing PAM through another tab displays the login screen. (Bug 1148388)
Privileged Account Manager 3.6 P2 fixes the potentially unsafe Cipher Block Chaining (CBC) encryption issue (CVE-2019-0169).
In PAM, CBC mode is enabled by default. Therefore, you must disable the CBC mode.
When you disable CBC mode:
The product ensures that CBC mode is not used for communication by product components such as PAM Manager, PAM Agent, PAM Administration Console, PAM User Console, and target applications.
The primary registry manager is disabled first, followed by the other registry managers, and then the associated agents. Automatic re-registration of agents happens once every two days. Therefore, it may take up to two days for CBC mode to be disabled automatically on all the agents.
For agents in Offline state, CBC mode will be disabled only after the status changes to Online and the agents are re-registered with the manager.
To disable CBC mode:
Ensure that all the packages are upgraded to the latest version on all PAM agents and managers.
Log in to the PAM Administration Console.
Click Hosts > Host Status, and then click the Disable button next to CBC Mode.
(Conditional) To disable CBC mode immediately on agents, re-register agents manually. For more information about re-registering agents manually, see the Privileged Account Manager Administration Guide.
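Because agents pick up the change only at re-registration, it helps to confirm which endpoints still negotiate CBC after the procedure above. The following is an added example, not part of the product documentation: it assumes the endpoint being checked speaks TLS (for example, the HTTPS console), and the host name and port in it are placeholders.

```python
import socket
import ssl

def cbc_suite_names(ciphers):
    """Return the names of suites whose bulk cipher runs in CBC mode."""
    return sorted(c["name"] for c in ciphers
                  if c.get("symmetric", "").endswith("-cbc"))

def cbc_only_context():
    """Client context that offers nothing but CBC suites (TLS 1.2 and below)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Probe only: the negotiation result is inspected and no application
    # data is sent, so the server certificate is not validated here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no CBC suites
    ctx.set_ciphers("ALL")
    ctx.set_ciphers(":".join(cbc_suite_names(ctx.get_ciphers())))
    return ctx

def probe(host, port, timeout=5.0):
    """Return 'accepts-cbc', 'refuses-cbc' or 'unreachable' for one endpoint."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # an offline host keeps its old setting
    with raw:
        try:
            with cbc_only_context().wrap_socket(raw, server_hostname=host):
                return "accepts-cbc"  # handshake completed with a CBC suite
        except (ssl.SSLError, ConnectionResetError):
            return "refuses-cbc"      # server rejected every CBC offer
        except OSError:
            return "unreachable"      # for example, a handshake timeout

def still_using_cbc(endpoints):
    """Map each (host, port) to its probe result, keeping only non-refusals."""
    results = {ep: probe(*ep) for ep in endpoints}
    return {ep: r for ep, r in results.items() if r != "refuses-cbc"}

if __name__ == "__main__":
    # Placeholder endpoint (assumption): replace with your own hosts and ports.
    for ep, state in still_using_cbc([("pam-manager.example.com", 443)]).items():
        print(ep, state)
```

Hosts reported as unreachable should be probed again once they are back online and re-registered.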
For information about hardware requirements, supported operating systems, and browsers, see Privileged Account Manager 3.6 System Requirements.
You can upgrade to Privileged Account Manager 3.6.0.2 only from version 3.6 and later. For information about upgrading Privileged Account Manager, see Upgrading Privileged Account Manager.
NOTE: Privileged Account Manager does not monitor active Windows sessions during this patch. So, ensure that there are no active sessions when installing this patch.
This version of Privileged Account Manager 3.6 P2 updates the following modules:
Access Control Console <access>
Command Control Agent <rexec>
Access Manager <auth>
Registry manager <registry>
Agent Console <servers>
Package Management Console <pkgman>
Privileged Credential Manager <prvcrdvlt>
Registry Agent <regclnt>
SSH Relay Agent <sshrelay>
Administration Manager <admin>
Framework Patch <spf>
Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Section 5.2, Privileged Single Sign-on to Microsoft Edge is not Supported
Section 5.3, Secure Shell Java Terminal Displays Random Characters Instead of the Typed Characters
Section 5.4, Unable to Refresh Data In Access page While Using Internet Explorer 11
Section 5.5, Time Zones Are Different In Reports and Keystrokes
Section 5.10, Newly Created Reports are not Listed Under My Reports in Internet Explorer 11 Browser
Section 5.11, New sessions are not Updated in Session Table in Internet Explorer 11 browser
Section 5.13, The Run as privileged user Option Is Not Displayed on a Windows 2012 Server Start Menu
Section 5.16, The Changes to the Syslog Settings Do Not Get Applied
Section 5.17, RDP Relay Does Not Work When Network Level Authentication Is Enabled
Section 5.18, NPAM Service Commands Do Not Work In SUSE Linux Enterprise Server 12 or Later
Section 5.19, Cannot Launch SSH Relay Session from User Console in FIPS mode
Workaround: To use NetIQ Advanced authentication, configure Chain with LDAP Password method as the first entry. (Bug 1140608)
Workaround: Use any supported browser other than Microsoft Edge. (Bug 1079379)
Issue: SSH Java terminal displays random characters instead of the typed characters on Java SSH relay connection to certain network switches. (Bug 1086870)
Workaround: Use alternative SSH clients such as command-line SSH, PuTTY, or MobaXterm, instead of Java SSH.
Issue: When you click Refresh in the Access page, the updated data is not displayed. (Bug 1095367)
Workaround: Click Refresh in Internet Explorer browser instead of Refresh in the Access page.
Issue: For certain Linux and Unix sessions, the time zone for Start Time is different in the Reports and Keystrokes. (Bug 1041802)
Workaround: There is no workaround at this time.
Workaround: Install the PAM license immediately after deploying PAM manager. If the license is added later, re-register the agents after you add a new license. (Bug 1100050)
Workaround: Use any of the other supported browsers to view Audit videos. (Bug 1037322)
Workaround: There is no workaround at this time. (Bug 1094124)
Issue: When you use Privileged Account Manager in Microsoft Edge or Firefox Quantum, after you install AAF 6.0, you are unable to enroll biometric devices. (Bug 1097960)
Workaround: There is no workaround for Firefox Quantum at this time. For the workaround while using Microsoft Edge, see the Privileged Account Manager 3.6 System Requirements.
Workaround: Use browsers other than Internet Explorer 11. To view the list of supported browsers, see the Privileged Account Manager 3.6 System Requirements. (Bug 1100985)
Workaround: Use browsers other than Internet Explorer 11. To view the list of supported browsers, see the Privileged Account Manager 3.6 System Requirements. (Bug 1100970)
Issue: Selecting and moving multiple objects by using the Shift/Ctrl key does not work. (Bug 915307)
Workaround: There is no workaround at this time.
Issue: When you right-click the Start menu on a Windows 2012 server, the Run as privileged user option is not displayed. (Bug 901032)
Workaround: To work around this issue, right-click the application in the folder where the application is installed to execute Run as privileged user.
Issue: When Command Control Objects are added simultaneously in large numbers, the objects do not appear in the console. This is an intermittent behavior. (Bug 908307)
Workaround: There is no workaround at this time.
Issue: In the administration console, when you search for unregistered hosts by clicking Hosts > List Unregistered Hosts > IP Range, the "Failed to list unregistered agents" error is displayed. (Bug 832747, 790444, 1104360)
Workaround: Ensure that when you install Agents, you register them with the Manager for Privileged Account Manager. However, there is no workaround to register multiple unregistered hosts at the same time.
Issue: In the Reporting console of Privileged Account Manager, when you save changes to syslog settings, such as selecting SSL or Allow Persistent Connections, the changes are not applied. (Bug 895993)
Workaround: To work around this issue, restart Privileged Account Manager.
Issue: RDP Relay fails with the error "The remote computer requires Network Level Authentication, which your computer does not support." when Network Level Authentication (NLA) is enabled on the host. (Bug 774061)
Workaround: Perform the following to disable NLA on the remote desktop session host:
Click Control Panel > System > Remote Settings.
Deselect Allow connections only from computers running Remote Desktop with Network Level Authentication and click OK.
For more information about using PAM application SSO where NLA can be enabled, see the Knowledge Base Article 7020137.
Issue: The NPAM service commands such as start, stop, restart, and status do not work in SUSE Linux Enterprise Server 12 or later. (Bug 1041284)
Workaround: To work around this issue, perform ONE of the following:
Kill and restart the NPAM process using the following command:
pkill unifid
/etc/init.d/npum start
Reboot the system using the following command:
reboot
(or)
shutdown -r now
After performing one of the preceding steps, you can verify the NPAM process running status by executing the following command:
/etc/init.d/npum status
Workaround: Launch the SSH relay session using any other standard SSH client. (Bug 1109771)
For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.
Additional technical information or advice is available from several sources:
Product documentation, Knowledge Base articles, and videos: https://www.microfocus.com/support-and-services/
The Micro Focus Community pages: https://www.microfocus.com/communities/
© Copyright 2019 Micro Focus or one of its affiliates.