Privileged Account Manager 3.7 includes new features, improves usability and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Privileged Account Manager Community Support Forum, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Privileged Account Manager Documentation website. To download this product, see the Micro Focus Downloads website.
The following sections outline the key features and functions provided in this version, as well as the issues resolved in this release:
PAM now offers a new dashboard that serves as a single, quick access console, enabling PAM administrators to quickly identify any potential security issues and administrative tasks that need immediate attention.
For more information about the dashboard, see the Contextual Help in the administration console.
In addition to existing Advanced Authentication methods, PAM now supports RADIUS Client method.
PAM now supports Multi-Factor Authentication using a RADIUS server, enabling easy integration with any third-party RADIUS supported Multi-Factor Authentication products.
Database monitoring capabilities are now extended to the IBM Db2 database.
Credential checkout capabilities are now extended to the IBM Db2 database. PAM supports only the TCP protocol in this release.
PAM now enables credential checkout for Microsoft Azure in addition to other cloud services such as Red Hat OpenStack and Amazon Web Services (AWS). To get privileged access to these cloud services, you can now check out privileged account credentials from the user console.
Minimum access duration of emergency access request and credential checkout is reduced to 1 hour from 6 hours.
PAM now enables Submit User to connect to target systems. The administrators can now provide privilege access to multiple users with a single command control rule.
OpenSSH has been upgraded to version 7.9p1.
LDAP users (Microsoft Active Directory, NetIQ eDirectory, or OpenLDAP) can now get administration privileges for PAM framework through their LDAP group membership. This ability significantly simplifies the configuration process for providing framework roles to LDAP users.
PAM now provides short quick reference videos that serve as self-learning tutorials for PAM administrators.
To access these videos, in the administration console, click <user_name> at the top-right corner and select .
PAM now enables you to export keystrokes in a CSV format.
Privileged Account Manager 3.7 includes software fixes that resolve the following issues:
Audits are now captured successfully when Secure Boot is enabled. (Bug 1105024)
Changes made in either the Backup Manager or the Primary Manager using REST API are replicated in all the other managers.(Bug 1101042)
Issue: The approved emergency access sessions listed under Domain/Administrator, displays only Administrator. (Bug 1147175)tag does not display the domain name in the column. Instead, it displays only the user name. For example: Instead of
Fix:column now displays domain name/user name.
Issue: Users who are part of an account group are not authorized to access the pcksh session when the account group is added to the of the pcksh policy. (Bug 1131566)
Fix: Users in the account group are authorized to access the pcksh session.
The random agent crash issue observed on multiple Windows servers has been fixed. (Bug 1134687)
After registering the license, you now see the license information without a re-login. (Bug 1096076)
Issue: In the administration console, when you search for unregistered hosts by clicking Failed to list unregistered agents error is displayed. (Bug 832747,790444,1104360)> > , the
Fix: The unregistered hosts are displayed correctly.
SSH Relay adds a root login entry instead of PAM user login entry in the syslog of PAM server. To overcome this issue, the default log level of Syslog is set to QUIET. For more information, see the Knowledge Base Article 7023749.(Bug 1126023)
The NPAM service commands such as start, stop, restart, and status now work in SUSE Linux Enterprise Server 12 or later. (Bug 1041284)
SSH Relay to custom ports on target SSH hosts works successfully. (Bug 1155401)
When secondary authentication after login, is in progress, accessing PAM through another tab displays the login screen. (Bug 1146114)
Privileged Account Manager 3.7 fixes the issue of potentially unsafe CBC encryption (CVE-2019-0169).
For more information, see Disabling CBC Mode.
Support for old APIs (such as, SPF.Util, and Java APIs) will be discontinued from the next major release of PAM.
For the list of supported REST APIs, see https://<PAM_IP>/rest_api.
For information about hardware requirements, supported operating systems and browsers, see Privileged Account Manager 3.7 System Requirements and Sizing Guidelines.
For information about installing Privileged Account Manager 3.7, see the Privileged Account Manager Installation Guide.
You can upgrade to Privileged Account Manager 3.7 from Privileged Account Manager 3.6 or later. When you upgrade PAM to version 3.7, rollback of packages to PAM 3.6 or an earlier version is not supported.
WARNING:When you upgrade an Application SSO package from a previously installed version, the target server reboots automatically. Plan your downtime accordingly.
Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Workaround: Use any supported browser other than Microsoft Edge. (Bug 1155981)
Issue: In some rare scenarios, replication in Command Control module is inconsistent due to which the Backup Manager inconsistently processes the newly created Command Control rules, hence they are intermittently failing. (Bug 1039518)
Workaround: Promote the existing Primary Command Control module so the replication thread pushes the latest configuration to all the Backup Managers.
For more information, see the Knowledge Base Article 7022994.
Issue: SSH Java terminal displays random characters instead of the typed characters on Java SSH relay connection to certain network switches. (Bug 1086870)
Workaround: Use alternative SSH clients such as command line SSH or PuTTY, or MobaXterm, instead of Java SSH.
Issue: When you click (Bug 1095367)in the page, the updated data is not displayed.
Workaround: Clickin Internet Explorer browser instead of in the page.
Issue: For certain Linux and Unix sessions, the time zone for Start Time is different in the Reports and Keystrokes. (Bug 1041802)
Workaround: There is no workaround at this time.
Workaround: Install PAM License immediately after deploying PAM manager. If license is added later, re-register the agents after you add a new license. (Bug 1100050)
Issue: Selecting and moving multiple objects by using the Shift/ Ctrl key does not work. (Bug 915307)
Workaround: There is no workaround at this time.
Issue: RDP Relay fails with the error The remote computer requires Network Level Authentication, which your computer does not support. when Network Level Authentication (NLA) is enabled on the host. (Bug 774061)
Workaround: Perform the following to disable NLA on the remote desktop session host:
Click> > .
Deselectand click .
For more information about using PAM application SSO where NLA can be enabled, see the Knowledge Base Article 7020137
Issue: Audited Command Filter and Session End Filter are not available in the new administration console. (Bug 1130821)
Workaround: Continue using Audited Command Filter and Session End Filter in the old administration console. For Session End Filter, the alternate solution is to use Session Start Filter with the before and after match conditions in the new administration console.
Workaround: Use an SMTP server that does not have SSL and Authentication enabled. (Bug 1128134)
Workaround: Launch SSH relay session using any standard SSH clients.(Bug 1109771)
Issue: When SLES 12 SP4 is upgraded to the latest krb5 package, the Password Management and Windows Credential Checkout stops working. (Bug 1158344)
Workaround: Downgrade the krb5 package to the one supplied with Base SLES 12 SP4. This functionality is validated against the krb5-1.12.5-40.28.2.x86_64 package.
For more information, see the Knowledge Base Article 7024313.
For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.
Additional technical information or advice is available from several sources:
© Copyright 2019 Micro Focus or one of its affiliates.
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
For additional information, such as certification-related notices and trademarks, see http://www.microfocus.com/about/legal/.