
iChain 2.3 Support Pack 2 Now Available

Novell Cool Solutions: Feature


Posted: 28 Jan 2005
 

This file contains updates for services contained in the iChain 2.3 product. The purpose of the patch is to provide a bundle of enhancements and fixes for issues that have surfaced since iChain 2.3 was released.

Enhancements:

  1. Certificate Management and Form Fill sections of the iChain Admin Guide have been updated substantially. See http://www.novell.com/documentation/ichain23/.


  2. By default, iChain removes the HTTP "Accept-Encoding" header for HTTP 1.0 browser requests. A SET command has been added to override this if needed. SYNTAX: set accelerator XXX sendacceptencodingheader = [NO | YES] where XXX is the name of the accelerator.


  3. Introduced a keep-alive on Session Broker connections to prevent firewalls/switches from tearing connections down.


  4. Multiple enhancements to Form Fill (SSO.NLM) including:
    1. Form Fill tags are not case sensitive any more.
    2. Allow for larger URLs in the Form Fill policy.
    3. Enhanced Protection is now set on Shared Secrets written by iChain to Secret Store by default.
    4. Enhanced logging.
    5. Intelligent and customizable return error handling.
    See TID 10095590: "Enhanced features for Form Fill (SSO.NLM) in iChain 2.3 patch ic23fp2.exe" for details.


  5. Added the following set command to change the way iChain handles CRL checking. SYNTAX:
    set authentication <mutual_profile_name> mutual revocationcheckmethod = [OCSP-CRL, OCSP, CRL]
    • OCSP-CRL. With this option enabled, iChain works the default way. A request that comes in will use OCSP, if enabled, and then CRL checking to see if the certificate is revoked.
    • OCSP. With this option enabled, iChain will only try OCSP to check for a revoked cert. If this fails, iChain will not fall back on a CRL check. This happens even if the client certificate has a CRL Distribution Point attribute pointing to a CRL server.
    • CRL. With this option enabled, iChain will only try the CRL server to check for a revoked cert. If this fails, iChain will not fall back on an OCSP check. This happens even if the client certificate has an AIA attribute pointing to an OCSP server.


  6. iChain will now trap to the debugger if Abend: EIP in PROXY.NLM at code start +000D15BBh is encountered. Previously, iChain would abend without adequate information to resolve this issue. Should this build of iChain trap to the debugger, please either get a coredump (preferred) or issue the following command at the debugger screen:
    ,sw (then hit Enter) and write down the information that is displayed. Call NTS with either the coredump or the information gathered. Once this abend is fixed, the debug trap will be removed. See TID 10095552 for more details.


  7. Enabled Linux FTP compatibility. Changed the response to an invalid FTP command from a "202 Command Not Implemented" to a "502 Command Not Implemented".


  8. Additional third-party certificate support has been added. iChain now supports DC, serialNumber and many other attributes.

Fixes since ic23sp1:

Security Related Issue(s):

  1. Changed OACINT to bind only to 127.0.0.1 by default. The address OACINT binds to can be changed by adding Server Address= to the [OAC] section of sys:/iChain/oac/oac.properties.

Defects Fixed:

  1. Fixed abend in PROXY.NLM workCB$Operation+19. Only happened on an abort coming from REWRITE.NLM.
  2. Server would abend if Session Broker was loaded with an undefined parameter.
  3. Fixed iChain23 SP1 abend at PROXY.NLM|alloc$Request+B. SendEndOfMessage was being called twice.
  4. Fixed abend that may occur importing NAS if the ISO object has a SAML auth server included in it.
  5. Fixed Abend in AuthLdapLoginWithTypeless. UNICODE issue.
  6. Fixed abend due to uninitialized local variable in ACLCHECK.NLM|URIstrstr.
  7. If SMTP alerting was enabled and there was a communication problem with the SMTP server, any subsequent shutdown operation of the iChain server would cause that server to hang.
  8. Cleaned up unneeded files in sys:\etc\proxy (WCCP.CFG & CLUSTER.CFG).
  9. Could not view subject name of cert in iChain Admin GUI.
  10. Could not view current 'strongclientenable' settings.
  11. Fixed LDAP failover issue where iChain would only open 10 initial handles even with multiple LDAP servers.
  12. Setting Error messages to Japanese off of the Mini-web server would result in a debug trap loop.
  13. Images for PXYERR.HTM (and custom login pages) were not being loaded.
  14. Fixed issue where the RefreshCredentials command at the CLI indicated that the ISO object was not licensed if the ISO had multiple licenses installed.
  15. Fixed issue with broken translated error pages introduced in build 2.3.249.
  16. ACLCHECK would report: "Get IP addr failed for hostname: host.novell.com." This message was left over from forward proxy code and is now suppressed by default. ACLCHECK can be loaded with /P to re-enable if desired.
  17. Protected Resources now handle URIs with multiple double slashes in them. The double slashes are now collapsed into a single / before the URI is processed, e.g. http://www.novell.com//ichain/2.3/index.html will be rewritten as http://www.novell.com/ichain/2.3/index.html.
  18. Cleaned up output to logger screen.
  19. Some Linux clients could not connect to iChain due to an OpenSSL issue.
  20. Formfill would not fill out a form completely if the <post/> tag was removed from the policy for troubleshooting purposes.
  21. Fixed the memory leak in SSO.NLM that occurred when there is a mismatch between the policy and the form. Formfill no longer mangles the form, and now shows the following message on the SSO screen: "*ERR*: Policy '%s': Form<->Policy Mismatch FieldName '%s': PolType '%s': FormType '%s'". The error will assist the administrator in troubleshooting formfill issues.
  22. NW6SP3 updates were not installed on iChain 2.3 SP1 server when upgraded directly from iChain 2.2.
  23. Added a .SCH file to repair issue where BorderManager Outgoing Rule attribute conflicts with iChain attribute (brdsrvsOutgoingAcl) and the attribute is not created, or, when installing the iChain Schema Extension a second time the brdsrvOutgoingAcl attribute is removed. The .sch file and details can be found by extracting ic23scma.exe found in the b2ic23sp2 directory created when this patch is extracted.
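
The slash-collapsing step from item 17 of the defect list, as an added example (not iChain code): the path is normalized before it is matched against protected-resource prefixes, so a rule gives the same answer with or without doubled slashes. The `PROTECTED` table, the longest-prefix matcher and all function names are hypothetical and say nothing about how iChain matches resources internally.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hypothetical protected-resource table: path prefix -> policy (constructed).
PROTECTED = {
    "/ichain/2.3/": "restricted",
    "/public/": "public",
}

_SLASH_RUN = re.compile(r"/{2,}")


def collapse_slashes(url: str) -> str:
    """Collapse runs of '/' in the path only; the '//' after the scheme
    and anything in the query string or fragment are left alone."""
    parts = urlsplit(url)
    path = _SLASH_RUN.sub("/", parts.path) or "/"
    return urlunsplit((parts.scheme, parts.netloc, path,
                       parts.query, parts.fragment))


def match_policy(path: str) -> str:
    """Longest-prefix match of a path against the PROTECTED table."""
    best = ""
    for prefix in PROTECTED:
        if path.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return PROTECTED.get(best, "unmatched")


def policy_for(url: str, normalize: bool = True) -> str:
    """Policy selected for a URL, with or without the collapsing step."""
    if normalize:
        url = collapse_slashes(url)
    return match_policy(urlsplit(url).path)


if __name__ == "__main__":
    # Constructed sample requests, including the URL from the release note.
    samples = (
        "http://www.novell.com//ichain/2.3/index.html",
        "http://www.novell.com/ichain//2.3/index.html",
        "http://www.novell.com/ichain/2.3/index.html?next=a//b",
    )
    for u in samples:
        print(u, "->", collapse_slashes(u),
              "| raw match:", policy_for(u, normalize=False),
              "| normalized match:", policy_for(u))
```

Matching on the raw path leaves the first two samples outside the `/ichain/2.3/` rule, while the normalized path selects it; the query string in the third sample is not rewritten.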

Updated Documentation:

For more information, check out the updated iChain 2.3 SP2 Documentation.

