Release Notes - Novell iChain Version 2.1
May 10, 2002

Table of Contents

1.0 Known Authorization Server Issues
1.1 Resource Tab on ACL is Blank
1.2 Removing Protected Resources
1.3 Security Hole in FTP
1.4 Invalid Characters in iChain NDS Objects
1.5 Schema Attribute Problem
2.0 Known Authentication Issues
2.1 Certificate Authentication Problems When the CRL Is Invalid
2.3 Enabling RADIUS Authentication for RADIUS Servers that Do Not Return a Fully Qualified NDS Name
2.4 RADIUS Token Authentication
2.5 Logging in to iChain as an Alias User
2.6 Secure Exchange Mutual Authentication Issue
2.7 Entering the LDAP Authentication Profile User Context
2.8 User Name Mismatch Error when Using RADIUS Authentication
2.9 Logout URL
2.10 Running eDirectory 8.6 on Multiple LDAP Servers
3.0 Known Browser Issues
3.1 Netscape 6.0 Incompatibilities
3.2 Use Internet Explorer for Browser-Based Configuration
3.3 Issue with Netscape Browsers and Certificate Database Passwords
3.4 HTML Pages Displayed in Incorrectly Sized Frames
3.5 Accessing OnDemand Files Using an IE Browser
3.6 IE Still Displaying Local Cache After Logout
3.7 Browser Tool Access Requires Appliance Recycling after Initialization
3.8 Marking Pages As Non-Cacheable
4.0 Known Proxy Server Issues
4.1 Login Delimiters in Distinguished Names
4.2 Configuring Secure Exchange on Multiple Accelerators
4.3 Valid Names When Configuring an Accelerator
4.4 Setting the LDAP Context Field After Importing a Configuration
4.5 Importing Proxy Services Configurations Containing Third-Party Certificates
4.6 Relative Path Links Required for Sites Accessed from Accelerators
4.7 Web Server Port Redirection Inconsistencies
4.8 New Certificates Do Not Show in Accelerator Key ID List Until the Server Is Downed
4.9 Page Not Found Error in Port 443 or Port 80 Logout
4.10 NAT Stops Working After Reboot
4.11 iChain Does Not Fully Support HTTP 1.1
4.12 The Appliance Hangs on Restart
4.13 Command Line Parser Does Not Handle the Question Mark (?) or Equal Sign (=) in URLs
4.14 Re-imaging the Appliance Requires Powering It Off and On to Finish the Process
4.15 DNS Names Can't Contain Underscores
4.16 DNS Names and Double-Byte Character Set Displays
4.17 Use the Update Clones Option Both Before and After Upgrading
4.18 Command Line and GUI Sluggishness During Startup
4.19 Issue Importing .NAS File with Multiple IP Addresses Bound to a Single Network Interface
4.20 Mapping Network Drives to the iChain Proxy Server
4.21 Tunneling Requires DNS Field
4.22 Making Configuration Changes With High Activity
4.23 Problems Signing CSR with Novell Certificate Server
4.24 Missing GIF Image
4.25 Importing an .NAS File that has Child-Parent Ordering Will Cause Abends When Accessing Accelerators
4.26 Exporting/Importing .NAS File with Child from 2.0 Will Cause Error Message
4.27 Proxy Server Reboot Issue with CD and Floppy
4.28 Authentication Issue with PDF File Display
4.29 Changing URL for Password Management Servlet Requires Rebooting
4.30 First Certificate Created Does Not Get Additional Trusted Roots
4.31 Issue With Daylight Savings Time Adjustment
4.32 Problem With Storing Certificate Contents in Certain Formats
4.33 Deleting LDAP Proxy User May Cause Abend in iChain Proxy Server
4.34 Unable to Get Past "Download Complete" State of an Upgrade
5.0 Known Multi-Homing and Path-Based Issues
5.1 Changing Existing Accelerators to be a Multi-homing Child Causes Errors
5.2 Secure Fill Doesn't Function with Child Accelerator When Using Path-based or Domain-based Multi-Homing
5.3 Page Not Found Error When Accessing the Child of a Path-Based Multi-Homed Accelerator
5.4 Issue With Making an Accelerator a Path-Based Master
5.5 Issue With Content Attribute Using Path-Based Multi-Homing
5.6 Issue With Disabling a Multi-Homing Master Accelerator
5.7 Issue With Adding Second IP Address to Path-Based Multi-Homing Accelerator
5.8 Issue With Path-Based Multi-Homed Accelerator of a Domain Broker
6.0 Known Session Broker Issues
6.1 Failure Creating Session Broker Key
6.2 Configuration via ConsoleOne Wizard
6.3 Errors When Using "Non-Redirectable" POST Requests
6.4 Session Data Cannot be Transferred Unless All Servers are Running the Same Release
7.0 Known Domain Broker Issues
7.1 Logout Issue When Cross-Domain Authentication is Used With Session Broker
7.2 Disabling the Domain Broker Using the Command Line Interface
8.0 Known Form Fill Issues
8.1 Form Fill Does Not Use Modified LDAP Options Without Being Restarted
9.0 Known Custom Login/Logout Page Issues
9.1 Login Failure when Using Custom Login Page
9.2 Peripheral Files in a Custom Page on Path-Based Multi-Homing Child
10.0 Using the Mini FTP Server
10.1 The Appliance Uses Passive FTP
10.2 Directory and File Names Cannot Contain Spaces
11.0 Known ConsoleOne Issues
11.1 Latest Version of ConsoleOne Required for iChain 2.1
12.0 iChain Documentation
12.1 Accessing the Latest iChain Documentation
13.0 Legal Information
13.1 Disclaimer, Copyright, and Patents
13.2 Trademarks

1.0 Known Authorization Server Issues

1.1 Resource Tab on ACL is Blank

There is an incompatibility between attributes from either a BorderManager install or an early version of iChain. BorderManager contains the following attribute: BRDSRVS:outgoing acl. The resource attribute on the ACL object (shown in the Access Control tab) is named brdsrvsOutgoingAcl. For some reason, the LDIF operation that creates the iChain attribute does not distinguish between the two names, and the iChain attribute is never created. See Technical Information Document #10063495 at www.support.novell.com for details and workaround information.

1.2 Removing Protected Resources

When you delete a protected resource, all access control objects that referenced the deleted protected resource become invalid.
For example, if you have an access control rule with multiple rules for several different protected resources and you delete one of the protected resources from the ISO object, you will receive the error "ACLCHECK-3.55-6 ACL rules in NDS are invalid or old version" at the proxy services console. If you delete a protected resource from an ISO, use ConsoleOne to remove all references to the protected resource in all ACL rules associated with the ISO.

1.3 Security Hole in FTP

There is an issue with using FTP between ConsoleOne and the iChain proxy server. The FTP connection between the console and the iChain server is not secure, and a packet trace of it can reveal the config user's password. You can avoid this problem by using FTP only on the private network or by using a direct cable from the workstation to the iChain Proxy Server.

1.4 Invalid Characters in iChain NDS Objects

When creating iChain Service and/or iChain Access Control Rule objects in iChain, using commas (,) or semicolons (;) in the names can cause problems on the iChain Proxy Server. To avoid possible problems, do not use commas or semicolons when naming these objects. If existing iChain objects have either of these characters in their names, it is best to delete and then re-create the objects.

1.5 Schema Attribute Problem

Some users may see a problem after upgrading their iChain schema from iChain 2.0 to iChain 2.1. The symptom is that when a user tries to create a new ichainService object or modify an existing ichainService object, the following error message appears in ConsoleOne:

"(Error -608) An attempt was made to add a property that is illegal to an object. The NetWare Directory Services schema determines what properties can be inherited by an object class."
The internal schema problem is that the following attributes are exactly 32 characters long:

- ichainPasswordExpirationInterval
- ichainPasswordUniqueRequiredFlag
- ichainSetPasswordDictionaryCheck

When upgrading from iChain 2.0 to 2.1, these attributes already exist. Somehow the LDAP modify operation replaces the last character with a 1. The ichainService object then has references to the three attribute names "ichainPasswordExpirationInterva1", "ichainPasswordUniqueRequiredFla1", and "ichainSetPasswordDictionaryChec1". The snap-in code for ConsoleOne detects the problem and gives the above error message. The problem seems to occur when the iChain schema is loaded more than once within a short period of time on a NetWare version of eDirectory 8.6.

The solution is to go into Schema Manager and add the correct names of the three attributes to the ichainService object (without the trailing "1", as listed above).

2.0 Known Authentication Issues

2.1 Certificate Authentication Problems When the CRL Is Invalid

An invalid Certificate Revocation List (CRL) will prevent mutual or certificate authentication from working properly. The CRL includes a time stamp indicating when the CRL becomes invalid. The Certificate Authority (CA) needs to update the CRL periodically with a new expiration date and time. If the CA does not update the CRL, perhaps because the CA is down or for any other reason, the CRL becomes invalid. During certificate or mutual authentication, the iChain Proxy Server compares the time stamp of the CRL with its own time, and if the CRL time stamp has expired, the authentication fails.
2.3 Enabling RADIUS Authentication for RADIUS Servers that Do Not Return a Fully Qualified NDS Name

To enable RADIUS authentication for RADIUS servers that do not return a fully qualified NDS name, two parameters in the aclcheck authentication profile need to be set from the iChain command line:

    set authentication aclcheck ldap bindanonymous=no
    add authentication aclcheck ldap searchbase=o=novell   (or the appropriate container in your tree)
    apply

If the bindanonymous features are not set correctly, you will receive the following error:

"Information Alert Status: 500 Internal Server Error Description: Insufficient resources to complete the request. Please try your request again."

2.4 RADIUS Token Authentication

RADIUS token authentication will work if the token is retrieved from the card using a PIN. However, if token authentication is set up to have the token retrieved from the card using a challenge sent from the RADIUS server, the user gets a login failed message rather than being presented with the challenge.

2.5 Logging in to iChain as an Alias User

Currently iChain does not support user aliases for authentication. Users cannot use aliases when logging in to an iChain server.

2.6 Secure Exchange Mutual Authentication Issue

Secure Exchange mutual authentication doesn't carry from one accelerator to another. When you configure two separate accelerators with two different certificates and both accelerators have LDAP and Secure Exchange mutual authentication profiles together, the LDAP authentication carries from one accelerator to the other, but the Secure Exchange mutual authentication will prompt you to choose a user certificate. Any certificate can be chosen (including certificates that do not correspond to the LDAP-authenticated user), and no LDAP authentication is necessary for the new certificate's user name.
2.7 Entering the LDAP Authentication Profile User Context

When modifying the LDAP authentication profile user context for the distinguished name from the iChain Web GUI, the field is free-form. This does not mean that iChain will correctly read any format of distinguished name. The format is: ou=,o= (that is, deeper containers precede the containers that contain them). If this format is not used, the LDAP query to the authentication server will fail.

2.8 User Name Mismatch Error when Using RADIUS Authentication

When using RADIUS token authentication with an NMAS RADIUS server, the RADIUS Dial Access System (DAS) object needs to be added as a trustee with read rights to the top container of the tree where the RADIUS users are located. Otherwise the CN of the user, rather than the FDN of the user, is sent on to the iChain Proxy Server. When this happens, users get the error "Status : 403 Forbidden. Description : User Name Mismatch." when trying to authenticate.

2.9 Logout URL

When defining a link to log out, the HREF should be HREF="http:///cmd/ICSLogout".

2.10 Running eDirectory 8.6 on Multiple LDAP Servers

Users should not install NetWare 5.1 servers into a tree whose master is either NetWare 6 or NetWare 5.1 running eDirectory 8.6. There is a backward compatibility issue in NICI, and any NetWare 5.1 server that is installed into such a tree will not function properly as an LDAP server. The workaround for this issue is to run NetWare 6 on all of your LDAP servers, or to run NetWare 5.x with eDirectory 8.5 as the master before adding any additional LDAP servers into your tree. An overlay NetWare 5.1 installation CD that addresses this issue will be available at a future date.
3.0 Known Browser Issues

3.1 Netscape 6.0 Incompatibilities

Because of several issues in Netscape 6.0 that deal with the proxy server administrative GUI, authentication problems, and incompatibilities with Windows 2000, Novell does not currently support the use of Netscape 6 with iChain 2.1. Novell has successfully tested iChain 2.1 with the following browsers: Internet Explorer 6.0 and 5.5, and Netscape 4.7 and 6.2.

3.2 Use Internet Explorer for Browser-Based Configuration

Problems with Java running on Netscape browsers can cause difficulties when running the proxy services browser-based administration utility. To avoid this issue, use Internet Explorer to run the proxy services browser-based administration utility.

3.3 Issue with Netscape Browsers and Certificate Database Passwords

An issue occurs for users who set up their Netscape browsers to prompt for the certificate database password each time they want to select a certificate. After entering the password, the browser will appear to hang and, in some cases, will eventually time out. This is because of a defect in Netscape. If the user enters the URL again without closing the browser, he or she will be prompted to select a certificate again and re-enter the password. After the second time, the user will be given access.

3.4 HTML Pages Displayed in Incorrectly Sized Frames

Occasionally, iChain users may receive a login page that is displayed in an HTML frame that is too small to show all the fields. If input is required, such as authentication information, the user may need to access a previous page to get the frame sizes adjusted appropriately.

3.5 Accessing OnDemand Files Using an IE Browser

Users attempting to access OnDemand files from an IE browser may experience difficulty and receive the error message: "Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later."
To avoid this issue, complete the following steps:

1) Access the URL of the proxy server on which you installed the iChain Proxy Server software to launch the proxy services browser-based administration tool: http://10.1.1.1:1959/appliance/config.html
2) Click Configure > Web Server Accelerator > Modify > Secure Exchange Options.
3) Uncheck or verify that the Mark Pages Non-cacheable on the Browser parameter is not checked.

3.6 IE Still Displaying Local Cache After Logout

After logging out of a non-secure page in IE and clicking the Back arrow, the last page will still display because of the local cache. If the user tries to click a link or go to any other page, he or she will be prompted to authenticate. To solve this problem, you can do any of the following:

- Use Secure Exchange for your entire Web site
- Mark the pages on the server with a non-cacheable header
- Inform the user that he or she needs to close the browser after logging out

3.7 Browser Tool Access Requires Appliance Recycling after Initialization

Whenever you initialize an appliance with network IP address information, access through the browser-based management tool is suspended until the appliance has been shut down and recycled (its power switch has been toggled off and on). This applies to the initialization of both new appliances and appliances you have reimaged.

3.8 Marking Pages As Non-Cacheable

The first time you set up an accelerator with Secure Exchange and save it without marking the pages non-cacheable on the browser, if you exit (close the browser) and then reopen it, the field will be marked.

4.0 Known Proxy Server Issues

4.1 Login Delimiters in Distinguished Names

Currently, the comma (,) is the default iChain login name delimiter. This means that user objects whose names contain a comma will be unable to log in to iChain. Future releases will support the dot (.) delimiter. When accessing the administration tool, however, dotted names are required.
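For the distinguished-name handling in 2.7 (deeper containers listed first) and 4.1 (the comma is the login-name delimiter), the following is an added Python example, not iChain code: it splits a DN on unescaped commas only, shows how a plain comma-delimited split breaks a name that contains an escaped comma, and checks the container order. The container ranking, the RFC 2253 backslash escaping and the sample names are assumptions made for the example.

```python
# Added example (not iChain code): LDAP distinguished-name handling for the
# iChain LDAP context rule (2.7) and the comma login delimiter (4.1).
# Assumptions: RFC 2253 string form, a backslash escapes the next character,
# and the expected container order is leaf-first (cn, then ou, then o, then c).

from typing import List, Tuple

CONTAINER_ORDER = {"cn": 0, "ou": 1, "o": 2, "c": 3}  # assumed ranking, leaf first


def naive_split(dn: str) -> List[str]:
    """The delimiter behaviour 4.1 describes: every comma ends a component."""
    return dn.split(",")


def split_rdns(dn: str) -> List[str]:
    """Split on unescaped commas only, honouring backslash escapes."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute, value), ...] with escaped commas turned back into commas."""
    pairs = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.replace("\\,", ",").strip()))
    return pairs


def context_order_ok(context: str) -> bool:
    """The 2.7 rule: deeper containers must precede the containers that contain them."""
    ranks = [CONTAINER_ORDER.get(attr, 99) for attr, _ in parse_dn(context)]
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


def login_name_safe(user_dn: str) -> bool:
    """Per 4.1, a user whose name contains a comma cannot log in with the comma delimiter."""
    return all("," not in value for _, value in parse_dn(user_dn))


if __name__ == "__main__":
    sample = "cn=Smith\\, John,ou=sales,o=novell"     # constructed sample user
    print("naive split:", naive_split(sample))          # four pieces, name broken
    print("rdn split:  ", split_rdns(sample))           # three RDNs
    print("context ok: ", context_order_ok("ou=sales,ou=corp,o=novell"))
    print("context ok: ", context_order_ok("o=novell,ou=sales"))
    print("can log in: ", login_name_safe(sample))
```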
4.2 Configuring Secure Exchange on Multiple Accelerators

iChain allows you to set up multiple accelerators to support multi-homing configurations. Although you can set up multiple Web server accelerators to use the same IP address and port combination to create a multi-homing configuration, SSL is not supported for this configuration. To support SSL, each accelerator should have a unique IP address and port combination.

If you enable Secure Exchange on multiple accelerators, only the first accelerator can be set to the default SSL port of 443. All additional accelerators must be set to a different and unique SSL port value (for example, 444, 445, etc.). Although the administration interface appears to allow you to set multiple accelerators with the default value of 443, the configuration is not valid. The SSL port number will be valid only for the first accelerator. Subsequent accelerators will be non-operational until a valid port other than 443 is configured.

To ensure proper operation of your Secure Exchange-enabled accelerators, you must also perform the following procedure for each accelerator to verify the correct parameter settings:

1) Access the URL of the proxy server on which you installed the iChain Proxy Server software to launch the proxy server browser-based administration tool: http://10.1.1.1:1959/appliance/config.html
2) Click Configure > Web Server Accelerator > Modify.
3) Check or verify that the Alternate Host Name check box is checked.
4) Specify or verify the name in the Web Server Host Name field.
5) Check or verify that the Return Error If Host Name Sent by Browser Does Not Match Accelerator DNS Host Name check box is checked.

4.3 Valid Names When Configuring an Accelerator

Valid names to use when configuring an accelerator must be eight characters or less and cannot contain a dash (-) or underscore (_) character. In addition, the string "SSLPort" is a reserved string within iChain and cannot be used as a name for an accelerator.
If you name an accelerator SSLPort, the accelerator configuration will not be saved. To avoid this issue, use a name other than SSLPort.

4.4 Setting the LDAP Context Field After Importing a Configuration

When you import an appliance configuration from a floppy by using the Import/Export tab, your LDAP context field setting may be lost. To set the context field, click Configure > Authentication > LDAP Options > LDAP Contexts and verify or define the LDAP context for your configuration.

4.5 Importing Proxy Services Configurations Containing Third-Party Certificates

When you are importing a previous proxy services configuration from a floppy and that configuration contains references to third-party accelerator certificates (that is, "Auto" is NOT used), you must perform the following to ensure proper operation:

1) Set the DATE/TIME and TIMEZONE before assigning the eth0 address.
2) Edit the .NAS file so that all accelerators have "sslkeyid=AUTO".
3) Verify that the import of the floppy configuration was successful (that is, all of the parameters imported properly, including your LDAP contexts).
4) Enter the command CLEAR ADMINACL SERVERADDRESS to initialize the GUI.
5) Re-install the appropriate third-party certificates and then reconfigure the accelerators to use them.

4.6 Relative Path Links Required for Sites Accessed from Accelerators

Users in iChain access a site using the accelerator-configured URL for the Web site. If a user accesses an absolute path link on the site, the Web server portion of the URL should be rewritten to access the accelerator-configured URL. Because this rewriting is not always effective, relative path links should be used for all Web sites that will be accessed via an accelerator connection.

4.7 Web Server Port Redirection Inconsistencies

When an iChain accelerated and SSLized Web server sends a port redirect to the browser, the port redirect is not rewritten correctly in the Location header.
This incorrect redirection can make sites inaccessible. To avoid this issue, do one of the following:

- Create a second accelerator to listen on the port to which the Web server sends redirects. Set this accelerator to redirect to another Secure Exchange service. NOTE: The redirect must be set to another Secure Exchange service because the same port redirection cannot be used twice.
or
- Change the Web server so it does not send the redirect with the port override.
or
- Have users supply the required port and access the accelerator directly.

4.8 New Certificates Do Not Show in Accelerator Key ID List Until the Server Is Downed

When you create a new certificate with ConsoleOne, the new certificate will not appear in the Key ID list when configuring an accelerator until you down the iChain Proxy Server and bring it back up.

4.9 Page Not Found Error in Port 443 or Port 80 Logout

A Page Not Found error may occur when logging out without using the default 1959 port.

4.10 NAT Stops Working After Reboot

If an iChain proxy server is configured with two NICs (one public and one private), dynamic NAT is enabled on the public NIC, and the machine is configured to act as a router, problems occur with the NAT. If more than one IP address is assigned to the public NIC, NAT will stop functioning when you reboot or click Apply. It will start functioning again if you disable and then re-enable NAT on the public NIC.

4.11 iChain Does Not Fully Support HTTP 1.1

The iChain Proxy Server supports only HTTP 1.0, not HTTP 1.1. If a page uses HTTP 1.1, communication between the Web browser and the iChain server may stop and the page may not be displayed. The Web server will need to serve Web pages according to HTTP 1.0.
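The Location-header rewrite that a Web server accelerator has to perform when the origin server answers with a redirect to its own host and port, the case 4.7 describes, written as an added Python example (not iChain's own code). The host names, ports and the mapping of a second accelerator to the redirect port are constructed values that mirror the first workaround above.

```python
# Added example (not iChain code): rewrite the Location header of an origin
# redirect so that it points back at the accelerator instead of at the Web
# server's own host/port (the failure described in 4.7). All names below are
# constructed: ACCELERATORS maps (origin host, origin port) to the public URL
# of the accelerator that fronts it, including the second accelerator that
# listens on the port the origin redirects to (the first workaround in 4.7).

from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed mapping: one accelerator per origin host/port combination.
ACCELERATORS: Dict[Tuple[str, int], str] = {
    ("webserver.internal", 80): "https://www.example.com",
    ("webserver.internal", 8080): "https://www.example.com:444",
}


def rewrite_location(location: str, accelerators: Dict[Tuple[str, int], str]) -> str:
    """Return the Location value the browser should receive.

    Absolute URLs that name a known origin host/port are rewritten to that
    accelerator's public scheme and authority; path, query and fragment are
    kept. Relative URLs and unrelated hosts are returned unchanged, since the
    browser resolves a relative redirect against the accelerator URL anyway.
    """
    target = urlsplit(location)
    if not target.scheme or not target.hostname:
        return location                      # relative redirect: nothing to rewrite
    port = target.port or DEFAULT_PORTS.get(target.scheme)
    public_base = accelerators.get((target.hostname.lower(), port))
    if public_base is None:
        return location                      # unrelated host or unmapped port
    public = urlsplit(public_base)
    return urlunsplit((public.scheme, public.netloc, target.path, target.query, target.fragment))


if __name__ == "__main__":
    # Constructed origin responses: a plain redirect and one with a port override.
    for loc in ("http://webserver.internal/app/",
                "http://webserver.internal:8080/login?next=%2Fapp%2F",
                "/relative/path",
                "http://other.example.net/"):
        print(f"{loc:55} -> {rewrite_location(loc, ACCELERATORS)}")
```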
4.12 The Appliance Hangs on Restart

The appliance will not restart completely when all of the following conditions exist together:

- The eth0 network adapter is connected to the network
- The eth0 network adapter is configured with a valid IP address or has been reconfigured to use a 10-net address
- No other network adapters have IP addresses set, and they are not connected to the network
- Factory settings have been restored from the browser-based management tool or the command line

To get around this problem, do the following:

1) Disconnect eth0 from the network.
2) Manually restart the appliance.
3) After the appliance restarts and you hear the startup beep sequence, reconnect eth0 to the network.

4.13 Command Line Parser Does Not Handle the Question Mark (?) or Equal Sign (=) in URLs

When presented with a URL that contains a single question mark (?), a single equal sign (=), or a question mark immediately followed by an equal sign (?=), the command line parser attempts to access a help file or assign a variable value. If you need to configure the appliance with URLs that contain these characters, use the browser-based tool rather than the command line.

NOTE: The command line parser correctly handles URLs containing an equal sign immediately followed by a question mark (=?).

4.14 Re-imaging the Appliance Requires Powering It Off and On to Finish the Process

The re-imaging instructions found in the Administration Guide > Using Other Appliance Services > Re-imaging Your System are incorrect. Step 4 under Re-imaging Your System should read as follows: Remove the system CD, shut down the appliance, and then recycle it (toggle the power switch off and on).

4.15 DNS Names Can't Contain Underscores

The use of an underscore (_) in a DNS name is highly discouraged. (See IETF RFC 2396, August 1998.) To function properly, the use of the underscore character in DNS names of Accelerated Services requires a forward slash (/) at the end of the browser's URL address.
4.16 DNS Names and Double-Byte Character Set Displays

Currently iChain supports double-byte character set (DBCS) URL display; however, it does not support DBCS in DNS names, because most Windows systems do not currently offer this type of support. Another known issue related to DBCS URL display is that the DBCS URL is displayed in URI format after the URL page is displayed in the browser.

4.17 Use the Update Clones Option Both Before and After Upgrading

The online documentation recommends updating the clone image after performing an upgrade. For more information, see Upgrading the Appliance > Making Sure You Upgrade the Clone Image After Upgrading in the online documentation.

We strongly recommend that you also update the clone image BEFORE performing the upgrade, and then wait to update the clone image again until you are sure the appliance is behaving as expected after the upgrade. To update the clone image, click System > Actions > Update Clones in the browser-based management tool.

After the upgrade, if you are unhappy with the results for any reason, you can revert to the previous system image while leaving the appliance's object cache intact. To restore a clone image, click System > Actions > Restore from Clones in the browser-based management tool. After you have verified that the upgrade is performing as expected, update the clone image to the upgraded version.

4.18 Command Line and GUI Sluggishness During Startup

Appliances with more than one disk drive execute mirroring and cloning processes when the system starts for the first time. These one-time processes are required for system fault tolerance and must run to completion. While the processes are running, the console and the browser-based management tool might seem sluggish for a couple of minutes. Cache performance is also somewhat affected by the processes.

IMPORTANT: Do not restart the appliance.
Restarting only causes the mirroring and cloning processes to start over and delays the return of normal system response times.

4.19 Issue Importing .NAS File with Multiple IP Addresses Bound to a Single Network Interface

Before importing a .NAS file that contains multiple IP addresses bound to a single network interface, you will need to do one of the following:

1) Set the proxy server's IP addresses before importing the .NAS file
or
2) Edit the .NAS file and list the primary address first.

4.20 Mapping Network Drives to the iChain Proxy Server

To map a drive to the proxy server, an administrator will need to know the following:

1) Change tune.ncf (sys:system\tune.ncf) to allow NCP access. Comments within this file explain the needed changes.
2) The default administrator name and password for the iChain Proxy Server are "ichainadmin" and "novell".

Warning: For security purposes, it is recommended that you change the default password after you enable NCP access.

4.21 Tunneling Requires DNS Field

In order for tunneling to be enabled, the DNS Name field must be filled in for the accelerator. The DNS field is not used by the tunnel, so the requirement is superficial and will be removed in later releases.

4.22 Making Configuration Changes With High Activity

It is recommended that configuration changes be made during times of minimal activity on the iChain Proxy Server.

4.23 Problems Signing CSR with Novell Certificate Server

If you experience problems signing a CSR with Novell Certificate Server, verify that you have the latest available version of the PKI snap-in and use it.

4.24 Missing GIF Image

Symptom: When an HTML page has an embedded image that points to a secure accelerated site/object, this image is displayed by IE as a red X. Netscape will display a broken image.
If you browse to another object from the same Secure Exchange, accept the site certificate, and then click Back in the browser (to go back to the first non-secure, non-accelerated page), the secured object will now display correctly.

This problem can occur when the page references an object that is being accelerated by Secure Exchange and Secure Exchange is using a security certificate that is not signed by a Certificate Signing Authority that the browser trusts. If Secure Exchange is using a certificate from VeriSign or Thawte, for example, and the browser has already imported the trusted root for VeriSign or Thawte, then the image will display properly. Apparently, the browser is unable to prompt the user to accept the untrusted certificate for embedded objects or images.

The best solution is to have the Secure Exchange accelerator use a certificate from a commonly trusted Certificate Signing Authority such as VeriSign or Thawte. You may be able to resolve this issue either by using a real certificate on the Secure Exchange accelerator, or by exporting the certificate from the accelerator and importing it as a trusted root in the browser.

4.25 Importing an .NAS File that has Child-Parent Ordering Will Cause Abends When Accessing Accelerators

When exporting a configuration with multi-homing accelerators to an .NAS file, the accelerator ordering may be incorrect. The ordering needs to be parent-child (parent accelerator followed by child accelerator). Importing an .NAS file with child-parent ordering yields a corrupt configuration, and accessing these corrupt accelerators will cause abends. To avoid this problem, edit the .NAS file to reorder the accelerators to parent-child before importing. If this does not correct the problem, the accelerators will have to be deleted and recreated.
4.26 Exporting/Importing .NAS File with Child from 2.0 Will Cause Error Message

If you create a path-based multi-homed child in iChain 2.0 and then upgrade to 2.1, exporting an .NAS file and then later importing it will result in a "Write to Directory failed, http accelerator webserver or proxy IP can't be null" error message. In the .NAS file, the following line was left off of the child that had been created in 2.0:

    add accelerator XXXXX address=xxx.xxx.xxx.xxx

If the child was created in 2.1, this line is automatically added to the .NAS file during export.

4.27 Proxy Server Reboot Issue with CD and Floppy

After installing the iChain Proxy Server, it won't reboot from the CD or floppy drives. If you want to reinstall this server, you have to reset the server CMOS settings to the factory defaults, or it will not boot from the CD or floppy drives.

4.28 Authentication Issue with PDF File Display

If a PDF file that has been set up as a protected resource is accessed through a link that then requires the user to authenticate, the user will get an error message that says the PDF file is damaged and can't be opened. To resolve this issue, the user should either refresh the browser page or log in before accessing the link that leads to the PDF file.

4.29 Changing URL for Password Management Servlet Requires Rebooting

After you have changed the URL for the password management servlet, you must reboot the iChain Proxy Server in order for the change to take effect.

4.30 First Certificate Created Does Not Get Additional Trusted Roots

The first certificate created after modifying the trusted root will not get the additional trusted roots. To work around this problem, after the trusted root container is modified, the iChain Proxy Server(s) must be rebooted or an Apply must be done before creating a new certificate.
4.31 Issue With Daylight Savings Time Adjustment

The default settings for "Adjust clock for daylight savings changes" in the iChain Proxy Server browser-based administration tool and on the actual iChain Proxy Server do not match. To make the iChain Proxy Server match the browser-based administration tool, do the following:

1) In the Proxy Server browser-based administration tool, go to System > Timezone and uncheck "Adjust clock for daylight saving changes".
2) Apply the changes.
3) Re-check the "Adjust clock for daylight saving changes" box.
4) Apply the changes.

4.32 Problem With Storing Certificate Contents in Certain Formats

When creating a certificate using the admin GUI, there is a problem storing the CA certificate contents and the server certificate contents in some formats. The certificate files need to be saved in Base64 in order for you to be able to cut and paste them into the admin GUI. Some applications (like ConsoleOne) use only a line feed to create a new line when saving the certificate files in Base64 format. Other applications (like Internet Explorer) use a carriage return and a line feed to create a new line when saving the certificate files in Base64 format.

When only a line feed is used to create a new line in the Base64 certificate file, Notepad cannot be used to cut and paste the certificate file into the admin GUI, because the certificate will never be saved. In that case, using WordPad to cut and paste the certificate into the admin GUI will allow you to finish creating the certificate.

4.33 Deleting LDAP Proxy User May Cause Abend in iChain Proxy Server

When configuring the proxy through the GUI interface, be careful not to delete the LDAP Proxy User (on the Access Control tab) and then apply the changes, as this will cause the iChain Proxy Server to abend.
If you need to modify the LDAP Proxy User, remove the old user and add the new user before applying the changes.

4.34 Unable to Get Past "Download Complete" State of an Upgrade

If "Allow administration from specified clients" is configured in the iChain Proxy Server admin utility under the System > Admin ACL tab, then an Over the Wire Upgrade (OTWUG) will not get past the "download complete" state. If this problem occurs, the upgrade can be completed by one of two options:

1) The System > Admin ACL tab can be configured to allow all addresses, or the loopback address (127.0.0.1) can be added to the specified clients address list. After the System > Admin ACL is reconfigured, restart the upgrade.

OR

2) Enter the following two commands on the iChain proxy console:
2a) Install
2b) Restart

5.0 Known Multi-Homing and Path-Based Issues

5.1 Changing Existing Accelerators to be a Multi-homing Child Causes Errors

If you change a pre-existing accelerator to be the child for path-based multi-homing or domain-based multi-homing, an error occurs when you click Apply. If you go back and change the child to a standalone accelerator again, its IP address will appear twice. It is best to delete the existing accelerator and create a new child accelerator.

5.2 Secure Fill Doesn't Function with Child Accelerator When Using Path-based or Domain-based Multi-Homing

When using path-based or domain-based multi-homing with the master configured to use Secure Fill, if the trusted root on the Web server for the master accelerator is the same as the trusted root on the Web server for the child accelerator, the master accelerator will work, but going through the child accelerator will produce an error that says, "Unable to connect to Origin Web Server." Turning off Secure Fill will solve the problem.
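Section 4.32 above explains that a Base64 certificate file saved with bare line feeds (as ConsoleOne writes it) cannot be pasted into the admin GUI through Notepad, whereas a file with carriage return plus line feed (as Internet Explorer writes it) can. The following script is an added example for these notes, not Novell code: it reports which newline convention a PEM-style file uses, rewrites it with CRLF line endings so that any editor shows and copies it correctly, and checks that what sits between the BEGIN and END lines is still valid Base64 after the rewrite. The sample block is constructed around arbitrary bytes and is not a real certificate.

```python
import base64
import binascii
from typing import Optional


def make_constructed_pem(payload: bytes, newline: str) -> str:
    """Wrap arbitrary bytes in a PEM-shaped block (constructed test input,
    NOT a real certificate) using the given newline sequence."""
    body = base64.b64encode(payload).decode("ascii")
    lines = ["-----BEGIN CERTIFICATE-----"]
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append("-----END CERTIFICATE-----")
    return newline.join(lines) + newline


def detect_newline(text: str) -> str:
    """Report 'CRLF', 'LF', 'mixed' or 'none' for the newline style in use."""
    crlf = text.count("\r\n")
    lf = text.count("\n") - crlf
    if crlf and lf:
        return "mixed"
    if crlf:
        return "CRLF"
    if lf:
        return "LF"
    return "none"


def normalize_pem(text: str, newline: str = "\r\n") -> str:
    """Re-emit every non-empty line with the requested newline (CRLF by default),
    dropping surrounding whitespace so a LF-only file becomes a CRLF file."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    return newline.join(lines) + newline


def pem_payload(text: str) -> Optional[bytes]:
    """Return the decoded bytes between the BEGIN/END lines, or None if the
    block is malformed or its body is not strictly valid Base64."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) < 3:
        return None
    if not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        return None
    try:
        return base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return None


def pem_base64_ok(text: str) -> bool:
    return pem_payload(text) is not None


if __name__ == "__main__":
    lf_file = make_constructed_pem(b"constructed payload, not a certificate", "\n")
    print("input uses", detect_newline(lf_file))
    fixed = normalize_pem(lf_file)
    print("output uses", detect_newline(fixed), "- base64 intact:", pem_base64_ok(fixed))
```

The same normalization applies to the CA certificate and the server certificate files mentioned in 4.32; run it on the file before opening it for copy and paste, and treat a "mixed" result as a sign the file was edited by more than one tool.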
5.3 Page Not Found Error When Accessing the Child of a Path-Based Multi-Homed Accelerator

Users attempting to access the child of a path-based, multi-homed accelerator may experience difficulty and receive a 404 error message that says the page cannot be found. To avoid this issue, after disabling Secure Exchange on a path-based multi-homed accelerator, the cache on the iChain Proxy Server needs to be purged.

5.4 Issue With Making an Accelerator a Path-Based Master

The iChain Proxy Server GUI will allow you to make an un-enabled accelerator a path-based master to another, but when applied, this can cause damage to the proxy server, which will subsequently cause the server to abend on the next startup. Therefore, do not make an accelerator that is not enabled a path-based master.

5.5 Issue With Content Attribute Using Path-Based Multi-Homing

If you are using a meta tag with an HTTP-EQUIV attribute name set to "refresh" and the content URL set to a relative path, this will not be rewritten for path-based multi-homing. If you are not using path-based multi-homing, this content attribute will be rewritten correctly.

5.6 Issue With Disabling a Multi-Homing Master Accelerator

Disabling a multi-homing master accelerator will also disable all of its children. The iChain Proxy GUI, however, doesn't reflect that the children are disabled.

5.7 Issue With Adding Second IP Address to Path-Based Multi-Homing Accelerator

If you have an accelerator that is already configured with path-based multi-homing and you add the second IP address to the master, path-based multi-homing will not work.

5.8 Issue With Path-Based Multi-Homed Accelerator of a Domain Broker

A path-based multi-homed accelerator of a domain broker master cannot be disabled.

6.0 Known Session Broker Issues

6.1 Failure Creating Session Broker Key

The error, "Either no diskette is present, or the key to install was not found.
Please insert the correct diskette and try again" may be returned when running the createsessionbrokerkey command. This error will occur if the floppy has non-deleteable files such as hidden, system, or read-only files, or an existing directory.

6.2 Configuration via ConsoleOne Wizard

When configuring the session broker IP address on the first page of the iChain Web Server Accelerator, the change will only be recognized by the proxy server if one (or both) of two requirements are met:

1. A subsequent page of the wizard is accessed before clicking Finish, or
2. Apply is either clicked from the iChain Web GUI or entered from the iChain console.

Until at least one of these requirements is met, the iChain Proxy Server will not communicate with the session broker.

6.3 Errors When Using "Non-Redirectable" POST Requests

iChain does not handle redirected POST requests. POST requests across cookie domains will error out, as will timed-out users redirecting a POST request.

6.4 Session Data Cannot be Transferred Unless All Servers are Running the Same Release

The format of the session data changed between the 2.0 release and 2.1 release of iChain. Therefore, user sessions/authentications cannot be shared through the Session Broker between iChain servers running the different releases. The 2.1 release of Session Broker is backward-compatible and the 2.0 release of Session Broker is forward-compatible if the authentication profiles are the same on all accelerators. For session data to be transferred, all servers must be running the same release.

7.0 Known Domain Broker Issues

7.1 Logout Issue When Cross-Domain Authentication is Used With Session Broker

For security reasons, users must close their browsers after logging out when Cross-Domain Authentication is used with Session Broker.
7.2 Disabling the Domain Broker Using the Command Line Interface

If you want to disable the Domain Broker, use the following commands on the iChain Proxy Server Command Line Interface (you cannot disable the Domain Broker from the GUI):

accelerator beith authentication authovercd = No
accelerator beith authentication authcddbenabled = No

8.0 Known Form Fill Issues

8.1 Form Fill Does Not Use Modified LDAP Options Without Being Restarted

After changing the LDAP options on the Access Control tab (for example, port, server IP address, LDAP user), Form Fill will not communicate to the LDAP server using the new settings. To work around this problem:

1) Disable Form Fill and click Apply.
2) Enable Form Fill and click Apply.

9.0 Known Custom Login/Logout Page Issues

9.1 Login Failure when Using Custom Login Page

Failure to log in and indefinite reprompting for login can occur when using a custom login page. This problem will occur if any of the necessary fields on the login page (url, username, password, proxypath, or context) are the last value of the query string when sent to the iChain Proxy Server. This problem can be resolved by placing the login button value as the last value on the HTML page.

9.2 Peripheral Files in a Custom Page on Path-Based Multi-Homing Child

For path-based multi-homing child accelerators (all other accelerators, including host-based multi-homing children, are fine), if a custom login/logout page directory has been specified, then all style sheets (Java scripts), images, and other peripheral files that are referenced in the login files should be placed in the directory of the parent. If the parent accelerator has a custom login page directory defined, the style sheets, JPGs, GIFs, etc. should be placed in that directory. If the parent has no custom login page directory defined, the peripheral files should be placed in the default directory SYS:ETC\PROXY\DATA.
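Section 9.1 above says a custom login page fails, with endless reprompting, when one of the fields url, username, password, proxypath or context is the last value in the query string the browser sends, and that the fix is to put the login button last. Browsers build the submitted data in document order from the named controls, so the order of the named fields in the HTML is what decides the order in the query string. The following is an added example written for these notes (not Novell code): it lists the named controls of a custom login page in document order and flags a page whose last named control is one of the five fields, and it applies the same rule to a captured query string. The two sample pages and the sample query strings are constructed; which of the fields are hidden inputs is my assumption for the sample and does not affect the check.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl

# Fields that 9.1 says must not be the last value in the submitted query string.
REQUIRED_FIELDS = {"url", "username", "password", "proxypath", "context"}

# Constructed custom login pages. In BAD_FORM the submit button has no name, so it
# is not part of the submission and "url" ends up last. GOOD_FORM names the button.
BAD_FORM = """
<form method="get" action="/ICSLogin/">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="context" value="o=acme">
  <input type="hidden" name="proxypath" value="reverse">
  <input type="hidden" name="url" value="/index.html">
  <input type="submit" value="Login">
</form>
"""

GOOD_FORM = """
<form method="get" action="/ICSLogin/">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="context" value="o=acme">
  <input type="hidden" name="proxypath" value="reverse">
  <input type="hidden" name="url" value="/index.html">
  <input type="submit" name="login" value="Login">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect (name, type) of every named form control in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: List[Tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag not in ("input", "select", "textarea", "button"):
            return
        a = dict(attrs)
        name = a.get("name")
        if not name:
            return  # unnamed controls are never submitted
        default = "submit" if tag == "button" else "text"
        self.fields.append((name, (a.get("type") or default).lower()))


def field_order(html: str) -> List[Tuple[str, str]]:
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def last_field_problem(html: str) -> Optional[str]:
    """Name of the required field that would be submitted last, or None if the
    page already ends with something else (for example a named login button)."""
    fields = field_order(html)
    if not fields:
        return None
    name, _ = fields[-1]
    return name if name.lower() in REQUIRED_FIELDS else None


def query_string_problem(qs: str) -> Optional[str]:
    """Same rule applied to a query string as captured on the wire."""
    pairs = parse_qsl(qs, keep_blank_values=True)
    if not pairs:
        return None
    last = pairs[-1][0]
    return last if last.lower() in REQUIRED_FIELDS else None


if __name__ == "__main__":
    for label, page in (("BAD_FORM", BAD_FORM), ("GOOD_FORM", GOOD_FORM)):
        problem = last_field_problem(page)
        print(f"{label}: {'ends with required field ' + problem if problem else 'ok'}")
```

The page check is the one to run when the custom login page is authored; the query-string check is useful when the only evidence of the loop is a proxy log or a packet capture of the login request.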
10.0 Using the Mini FTP Server

10.1 The Appliance Uses Passive FTP

The system uses passive FTP, and passive FTP fails if the FTP host is within a firewall. The iChain 2.1 Setup Wizard also uses FTP. If FTP is not enabled, you will not be able to use the wizard for configuration. This has certain implications for using FTP with the appliance.

10.1.1 Access From a DOS Window is Limited

You cannot access an appliance inside a firewall from a DOS window on a client that is outside the firewall.

10.1.2 Internet Explorer 5 Must Be Properly Configured

To access an appliance inside a firewall using Internet Explorer 5 outside the firewall, you must configure the browser to use passive FTP. Complete the following steps:

1) In the browser, click Tools > Internet Options > Advanced.
2) Under Browsing, check Use Web-Based FTP.
3) Click OK.

10.2 Directory and File Names Cannot Contain Spaces

The Mini FTP Server will not work with directory or file names that contain spaces.

11.0 Known ConsoleOne Issues

11.1 Latest Version of ConsoleOne Required for iChain 2.1

ConsoleOne 1.2d will not work with iChain 2.1. ConsoleOne 1.3.2 or later is required. If you are experiencing problems with running the iChain Wizard, reinstall the iChain snap-ins.

12.0 iChain Documentation

12.1 Accessing the Latest iChain Documentation

For the latest iChain documentation, including information on iChain setup and administration, go to http://www.novell.com/documentation and locate the iChain documentation in the alphabetical list.

13.0 Legal Information

The iChain 2.1 licenses also include an equal quantity of eDirectory licenses for use solely with the iChain 2.1 product.

13.1 Disclaimer, Copyright, and Patents

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.
reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside. This product may require export authorization from the U.S. Department of Commerce prior to exporting from the U.S. or Canada.

Copyright (C) 2002 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

U.S. Patent Nos. 5,349,642; 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,818,936; 5,828,882; 5,832,275; 5,832,483; 5,832,487; 5,870,561; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,933,503; 5,933,826; 5,946,467; 5,956,718; 6,047,289; 6,065,017; 6,081,900; 6,105,132; 6,167,393. Patents Pending.

13.2 Trademarks

Novell, iChain, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. BorderManager, ConsoleOne, eDirectory, NMAS, SecretStore and Novell Certificate Server are trademarks of Novell, Inc. Novell Technical Services is a service mark of Novell, Inc. All third-party trademarks are the property of their respective owners.