Privileged Account Manager 23.3.0 (v4.4.0) Release Notes

September 2023

Privileged Account Manager 4.4 includes new features, improves security, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Privileged Account Manager Community Support Forum, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Privileged Account Manager Documentation website.

1.0 What’s New?

The following sections outline the key features and enhancements:

1.1 Support for Double-Byte Characters

Privileged Account Manager supports double-byte characters. The double-byte encoding scheme makes it easy to represent the diverse characters of some languages. With this capability, Privileged Account Manager allows you to do the following:

  • Define and get privileged access to various features containing double-byte characters.

  • Define and procure SSH and RDP access with objects containing double-byte characters.

  • Set up authentication for various authentication types containing double-byte characters.

For more information, see Support for Double Byte Characters.

1.2 Backup and Restore Utility for Disaster Recovery

From this release, administrators can use the Backup and Recovery Utility to define how Privileged Account Manager configurations and audit data are backed up regularly, and to restore that data after a major catastrophe. This utility is version independent.

For more information, see Using Backup and Restore Utility.

1.3 Support for Direct Application SSO for Windows Applications Using Access Control

In the Access Control policy, you can enable single sign-on to Windows and Linux applications.

For more information, see Direct Access Mode Using Access Control.

1.4 Audit Control for Windows Agent

You can enable the Low-Level Session Audits option to access low-level audits, such as file system and registry audits. You can set this option as part of Access and Monitoring Options in the Access Control permissions settings. Enabling this option might slow system performance.

NOTE: This option is enabled by default if you are upgrading from a previous version of Privileged Account Manager. On a first-time installation of Privileged Account Manager, you must enable this option manually.

For more information, see Permissions.

1.5 Enhancement of Privileged Account Manager Service Certificate

The Privileged Account Manager and agent service certificate is upgraded to 2048 bits with SHA256 signing. Also, the Privileged Account Manager HTTPS certificate is upgraded to be signed using SHA256. This applies to both fresh installations and upgrades.

The certificate is updated from 1024 bits to 2048 bits. To verify this change, run the commands openssl s_client -connect <managerIP>:29120 -showcerts and openssl s_client -connect <managerIP>:443 -showcerts. Before the upgrade, 1024 bits is displayed; after the upgrade, the certificate reflects 2048 bits with SHA256.
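
The verification described above can be scripted. The following is an added example, not part of the original release notes or the product: it parses the certificate that openssl prints and reports whether it meets the 2048-bit, SHA256 baseline. The function names and the sample certificate subject are assumptions of this example.

```sh
#!/bin/sh
# Added example (not vendor code): verify the 2048-bit / SHA-256 certificate
# baseline from section 1.5. All function names are this example's own.

# Print "<key bits> <signature algorithm>" for the first PEM certificate on
# stdin (in s_client -showcerts output, that is the server's own certificate).
cert_strength() {
    text=$(openssl x509 -noout -text 2>/dev/null) || return 2
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ -n "$sig" ] || return 2
    printf '%s %s\n' "$bits" "$sig"
}

# Exit status: 0 = key of at least 2048 bits signed with SHA-256 or a longer
# SHA-2 digest, 1 = weaker than that, 2 = no certificate could be parsed.
# Assumes an RSA certificate, as the release notes describe.
cert_meets_baseline() {
    result=$(cert_strength) || return 2
    bits=${result%% *}
    sig=${result#* }
    case "$sig" in
        sha256*|sha384*|sha512*) ;;
        *) echo "WEAK: signature algorithm $sig" >&2; return 1 ;;
    esac
    if [ "$bits" -lt 2048 ]; then
        echo "WEAK: $bits-bit key, $sig" >&2
        return 1
    fi
    echo "OK: $bits-bit key, $sig"
}

# Check the certificate presented on a live port (29120 or 443 in the notes).
check_manager_port() {  # usage: check_manager_port <managerIP> <port>
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
        cert_meets_baseline
}

# Constructed sample input for an offline trial: a throwaway self-signed
# certificate with the requested RSA key size.
make_sample_cert() {  # usage: make_sample_cert <bits> <out.pem>
    openssl req -x509 -newkey "rsa:$1" -sha256 -nodes -days 1 \
        -subj "/CN=pam-sample.invalid" -keyout "$2.key" -out "$2" 2>/dev/null
    rm -f "$2.key"
}
```

Run check_manager_port once for port 29120 and once for port 443 on each manager after the upgrade. Only the first certificate in the output is examined, so intermediate certificates in a chain need a separate check.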

1.6 Ability to Select the Encryption Method in Credential Vault

This release supports different encryption methods for credentials stored in Credential Vault in addition to AES-256 in the CBC mode. Administrators can apply the required encryption method to strengthen data protection in Credential Vault. These encryption methods are FIPS compliant and work seamlessly even when switched to FIPS mode.

For more information, see Encryption Methods in Credential Vault.

1.7 Branding Update

NetIQ (Micro Focus) is now a part of OpenText. To adhere to the OpenText brand, the Cybersecurity portfolio products are being rebranded. The names of products and components, user interfaces, logos, company name references, and documentation are all updated as part of the rebranding process. The OpenText versioning mechanism uses the CY.Q (Calendar year.Quarter) sequence. To follow the versioning change, Privileged Account Manager 4.4 is now known as Privileged Account Manager 23.3.0 (v4.4.0).

2.0 Software Fixes

This release includes the following software fixes:

| Component | Bug ID | Issue |
|---|---|---|
| User Interface | 338002 | Unable to copy double-byte characters in clipboard settings in Privileged Account Manager. |
| Session Timeout | 362051 | Privileged Account Manager session timeout issue although user is active on the session. |
| Operating System | 360073 | RDP relay does not work on Windows 11 client. |
| RDP Web Relay | 375099 | Issue with the tab key behavior. |
| My Access | 178331 | Issue while switching between two screens in My Access page. |
| Access Control | 378012 | Resources not visible to users who are part of a user or resource pool. |
| Performance | 361055 | SQL server becomes unresponsive when an agent is installed or when a service is active. |
| User Role | 390063 | Issue while adding a user name containing a special character to a user role. |
| SSL Certificate | 171608 | Issue with SSL Certificate chain which contains RSA keys less than 2048 bits. |
| Password Management | 311002 | Change password fails for some Active Directory domain SSO users. |
| Access | 400003 | Issue with executing some commands from Application Command List for the second time. |
| My Access | 380026 | Issue with a delay to fetch resources displayed in the Access page. |
| Certificate | 390097 | Import of key and certificate for PKI fails with Invalid CA Certificate, CA Private Key pair in request error. |

3.0 Deprecation of Features

Command Control

Command Control has been replaced by Access Control from the Privileged Account Manager 4.0 release onwards. Because Command Control will be deprecated in future releases, we recommend that you migrate all policies to Access Control for seamless usage of the product.

4.0 System Requirements

For information about hardware requirements, supported operating systems, Privileged Account Manager features supported on different target systems, and browsers, see Privileged Account Manager 4.4 System Requirements and Sizing Guidelines.

5.0 Installing Privileged Account Manager 4.4

Download the software from the Software License and Download portal.

The following files are available with Privileged Account Manager 4.4:

Table 1 File Available for Privileged Account Manager 4.4

| File/Folder name | Description |
|---|---|
| netiq-npam-packages-pam-4.4.iso | Contains the Privileged Account Manager 4.4 .iso file. |
| netiq-npam-packages-4.4.0-0.tar.gz | Contains the Privileged Account Manager 4.4 .tar file. |

6.0 Upgrading Privileged Account Manager

You can upgrade to Privileged Account Manager 4.4 from Privileged Account Manager 4.1 or later. When you upgrade to Privileged Account Manager 4.4, a rollback of packages to version 4.1 or an earlier version is not supported.

For information about upgrading to Privileged Account Manager 4.4, see Upgrading Privileged Account Manager in the Privileged Account Manager Installation Guide.

Upgrade Considerations:

  • Refresh the browser after an SPF upgrade, because the certificate has to be re-approved for successful logging. This is because the HTTPS certificates are upgraded after the Framework patch package upgrade.

  • On PAM managers with the taskmanager module, the gssntlm library used by the password management module is no longer part of the Privileged Account Manager installer file. Ensure that you install the gssntlmssp package when upgrading. For more information, see Password Management.

  • Delete and re-import the Privileged Account Manager certificates on each of the Application SSO agents because the HTTPS certificate is upgraded.

  • The Low-Level Session Audits option is enabled by default if you are upgrading from a previous version of Privileged Account Manager. You can disable this option in the Windows agent permissions to improve system performance.

7.0 Known Issues

Open Text strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact https://www.microfocus.com/support-and-services/.

7.1 Service is Unavailable if Invalid Address is Configured in the HTTPS Connector Console

Issue: This issue occurs if the PAM manager is configured with an invalid IP address.

Workaround: Edit connector.xml with the correct IP address. The connector.xml file is located at c:\program files\netiq\npum\service\local\admin\connector.xml on Windows and at /opt/netiq/npum/service/local/admin/connector.xml on Linux.

7.2 Primary Server is Unavailable

Issue: This issue occurs when the Primary PAM server is unavailable. Error: Failed to fetch sessions (Bug ID: 242030)

Workaround: Click OK. The page gets loaded with all the available sessions.

7.3 Privileged Account Manager Time Restriction Policy Has an 8-Hour Delay

Issue: This is expected behavior, because Privileged Account Manager follows the UTC time zone. (Bug ID: 250018)

Workaround: Change the time format to UTC time:

  1. Click Access Control from the Privileged Account Manager console.

  2. Click Assignments > Permissions.

  3. Set UTC format in Time Restrictions.

8.0 Contacting Open Text

For specific product issues, contact Open Text Support at https://www.microfocus.com/support-and-services/

Additional technical information or advice is available from several sources: