Release Notes - Novell iChain Version 2.2 Support Pack 3
July 22, 2004

This Readme contains known issues for the iChain 2.2 Support Pack 3 release. For the latest iChain 2.2 documentation, including updates to this Readme, see the Novell iChain Documentation Web page at http://www.novell.com/documentation/ichain22/index.html.

Table of Contents

1.0 Installing This Support Pack
1.1 Back Up the OAC.PROPERTIES File Before Installing This Support Pack
1.2 Information on Installing This Support Pack
2.0 Known Authorization Server Issues
2.1 The Resource Tab on the ACL Is Blank
2.2 Removing Protected Resources
2.3 Security Hole in FTP
2.4 Invalid Characters in iChain eDirectory Objects
2.5 Schema Attribute Problem
2.6 Having Multiple ISO Objects in the Same Tree Will Affect Access Control
2.7 Dynamic ACL Rules Are Not Viewable in ConsoleOne
3.0 Known Authentication Issues
3.1 Certificate Authentication Problems When the CRL Is Invalid
3.2 Enabling RADIUS Authentication for RADIUS Servers that Do Not Return a Fully Qualified eDirectory Name
3.3 RADIUS Token Authentication
3.4 Logging In to iChain as an Alias User
3.5 Secure Exchange Mutual Authentication Issue
3.6 Entering the LDAP Authentication Profile User Context
3.7 User Name Mismatch Error When Using RADIUS Authentication
3.8 Logout URL
3.9 Issue with Cross-Domain Authentication (CDA) on Accelerators
3.10 Trusted Root Container Is Not Used For Mutual Authentication When Secure Exchange Is Disabled
3.11 NMAS Radius Update Required for iChain RADIUS Token Authentication
3.12 Internal Server Error When Mutual Authentication Profile Is "OR"ed With LDAP Authentication Profile
3.13 Trying to "AND" LDAP and Radius Does Not Give Error in Admin Utility
3.14 Step-Up Cryptography Support
3.15 Risk For Possible DoS Attack When Using Mutual Authentication
4.0 Known Browser Issues
4.1 Netscape 6.0 Incompatibilities
4.2 Use Internet Explorer for Browser-Based Configuration
4.3 Issue with Netscape Browsers and Certificate Database Passwords
4.4 HTML Pages Displayed in Incorrectly Sized Frames
4.5 Accessing OnDemand Files Using an IE Browser
4.6 IE Still Displaying Local Cache After Logout
5.0 Known Proxy Server Issues
5.1 Valid Names When Configuring an Accelerator
5.2 Setting the LDAP Context Field After Importing a Configuration
5.3 Importing Proxy Service Configurations Containing Third-Party Certificates
5.4 Relative Path Links Required for Sites Accessed from Accelerators
5.5 Web Server Port Redirection Inconsistencies
5.6 New Certificates Do Not Show in the Accelerator Key ID List Until the Server Is Downed
5.7 Page Not Found Error in Port 443 or Port 80 Logout
5.8 NAT Stops Working After Reboot
5.9 iChain Support For HTTP 1.1
5.10 The Command Line Parser Does Not Handle the Question Mark (?) or Equal Sign (=) in URLs
5.11 DNS Names Can't Contain Underscores
5.12 DNS Names in Double-Byte Character Set Displays
5.13 Command Line and GUI Sluggishness During Startup
5.14 iChain Issue Importing a .NAS File with Multiple IP Addresses Bound to a Single Network Interface
5.15 Mapping Network Drives to the iChain Proxy Server
5.16 Tunneling Requires the DNS Field
5.17 Make Configuration Changes During Minimal Activity
5.18 Problems Signing CSR with Novell Certificate Server
5.19 Missing GIF Image
5.20 Importing a .NAS File that Has Child-Parent Ordering Will Cause Abends When Accessing Accelerators
5.21 Exporting or Importing a .NAS File with a Child from iChain 2.0 Will Cause an Error Message
5.22 Authentication Issue with PDF File Display
5.23 PowerPoint File Display Issue When Accessing Files With an Internet Explorer 6.0 SP Browser
5.24 Changing the URL for Password Management Servlet Requires Server Reboot
5.25 First Certificate Created Does Not Get Additional Trusted Roots
5.26 Issue With Daylight Saving Time Adjustment
5.27 Deleting the LDAP Proxy User May Cause an Abend in the iChain Proxy Server
5.28 Issue with Multiple Addresses Bound to a Single NIC
5.29 Issue With Configuring the Web Server Address of an Accelerator With a DNS Name
5.30 Server Error Occurs When Accessing an Accelerator Configured With Authentication Profiles
5.31 Certificate Names Saved in eDirectory are Limited to 50 Characters
5.32 The Concurrent Login Feature Requires Reboot for Setting Changes to Take Effect
5.33 Color Palette Issues with the Java Runtime Environment
5.34 The iChain Proxy GUI Might Not Be Accessible Through a VPN
5.35 Communication Issues Between iChain and L4 Switches
5.36 Changes Won't Be Saved to the Subnet of a Network Interface if IP Addresses Are Assigned to an Accelerator
5.37 Updating iChain n100.lan Drivers
5.38 LDAP_Communication_Error Being Reported at iChain Console After Server Is Rebooted
5.39 Manually Disable Secure Exchange at Accelerator's Authentication Options Page
6.0 Known Multi-homing and Path-Based Issues
6.1 Changing an Existing Accelerator to Be A Multi-homing Child Causes Errors
6.2 Secure Fill Doesn't Function with a Child Accelerator When Using Path-Based or Domain-Based Multi-homing
6.3 Page Not Found Error When Accessing the Child of a Path-Based Multi-homing Accelerator
6.4 Issue With Making an Accelerator a Path-Based Master
6.5 Issue With the Content Attribute Using Path-Based Multi-homing
6.6 Issue With Disabling a Multi-homing Master Accelerator
6.7 Issue With Adding a Second IP Address to a Path-Based Multi-homing Accelerator
6.8 Issue With the Path-Based Multi-homing Accelerator of a Domain Broker
6.9 Issue With Changing an Accelerator That Was a Child of a Path-Based Multi-homing Master
6.10 Issue With Changing a Child Accelerator's Master to a Master With a Different Cookie Domain
6.11 Parent Logging Must Be Enabled Before Obtaining Logs for a Path-Based Multi-homing Child Accelerator
7.0 Known Session Broker Issues
7.1 Upgrade Session Broker to iChain 2.2
7.2 Failure Creating a Session Broker Key
7.3 Configuration Via the ConsoleOne Wizard
7.4 Errors When Using "Non-Redirectable" POST Requests
7.5 Session Data Cannot be Transferred Unless All Servers are Running the Same Release
8.0 Known Domain Broker Issues
8.1 Logout Issue When Cross-Domain Authentication is Used with Session Broker in iChain 2.1
8.2 Disabling the Domain Broker Using the Command Line Interface
8.3 Use Unique Cookie Domain Names in CDA Configurations
9.0 Known Form Fill Issues
9.1 Form Fill Does Not Use Modified LDAP Options Without Being Restarted
9.2 Form Fill Does Not Auto Load After Importing a .NAS Configuration File that Has Form Fill Authentication Enabled
9.3 Do Not Use Comments to Disable a Form Fill Policy
10.0 Known Custom Login/Logout Page Issues
10.1 Login Failure When Using Custom Login Page
10.2 Peripheral Files in a Custom Page on a Path-Based Multi-homing Child
11.0 Using the Mini FTP Server
11.1 Possible FTP System Usage Issues
11.2 Directory and File Names Cannot Contain Spaces
12.0 Known ConsoleOne Issues
12.1 Latest Version of ConsoleOne Required for iChain 2.2
12.2 iChain Setup Wizard Does Not Function in ConsoleOne
13.0 Known Interoperability Issues
13.1 Accessing the Interoperability Readme
13.2 Accessing the Interoperability Technical Information Document
14.0 Changes to the Rewriter
14.1 Default Mime Type Changes
14.2 Internal Rewriter Has Been Removed
15.0 Changes to OLAC
15.1 Changes to OLAC in iChain 2.2 and iChain 2.2 SP1
16.0 iChain Documentation
16.1 Accessing the Latest iChain Documentation
16.2 Information on Issues Corrected Since the Previous Release
17.0 Legal Information
17.1 Disclaimer, Copyright, and Patents
17.2 Trademarks

1.0 Installing This Support Pack

1.1 Back Up the OAC.PROPERTIES File Before Installing This Support Pack

When you install this support pack, all OLAC custom plug-ins might be overwritten. To avoid this, back up your oac.properties file before installing the support pack, then copy the file back once the support pack is successfully installed.
It is also recommended that you back up your tune.ncf and appstart.ncf files before beginning the installation.

1.2 Information on Installing This Support Pack

For instructions on how to install this support pack, including recommendations for your production environment, see the Novell Technical Information Document at http://support.novell.com/cgi-bin/search/searchtid.cgi?/2967439.htm.

2.0 Known Authorization Server Issues

2.1 The Resource Tab on the ACL Is Blank

There is an incompatibility between attributes from either a BorderManager install or an early version of iChain. BorderManager contains the attribute BRDSRVS:outgoing acl. The resource attribute on the ACL object (shown in the Access Control tab) is named brdsrvsOutgoingAcl. The LDIF operation that creates the iChain attribute does not distinguish between the two names, so the iChain attribute is never created. See Technical Information Document #10063495 at www.support.novell.com for details and workaround information.

2.2 Removing Protected Resources

When you delete a protected resource, all access control objects that referenced it become invalid. For example, if you have an access control object with multiple rules for several different protected resources and you delete one of those protected resources from the ISO object, the proxy services console reports the error "ACLCHECK-3.55-6 ACL rules in NDS are invalid or old version". If you delete a protected resource from an ISO, use ConsoleOne to remove all references to it from every ACL rule associated with that ISO.

2.3 Security Hole in FTP

There is an issue with using FTP between ConsoleOne and the iChain proxy server. The FTP connection between the console and the iChain server is not encrypted: FTP sends the USER and PASS commands in cleartext, so anyone able to capture the traffic can read the config user's password.
You can avoid this problem by using FTP only on the private network, or by using a direct cable from the workstation to the iChain Proxy Server, so that the cleartext session never crosses a network an attacker can observe.

2.4 Invalid Characters in iChain eDirectory Objects

When creating iChain Service or iChain Access Control Rule objects, using commas (,) or semicolons (;) in the names can cause problems on the iChain Proxy Server. To avoid these problems, do not use commas or semicolons when naming these objects. If existing iChain objects have either of these characters in their names, it is best to delete and then re-create the objects.

2.5 Schema Attribute Problem

Some users may see a problem after upgrading their iChain schema from iChain 2.0 to iChain 2.1 or 2.2. The symptom is that when a user tries to create a new ichainService object or modify an existing one, the following error message appears in ConsoleOne:

"(Error -608) An attempt was made to add a property that is illegal to an object. The NetWare Directory Services schema determines what properties can be inherited by an object class."

The underlying schema problem is that the following attribute names are exactly 32 characters long:

ichainPasswordExpirationInterval
ichainPasswordUniqueRequiredFlag
ichainSetPasswordDictionaryCheck

When upgrading from iChain 2.0 to 2.1 or 2.2, these attributes already exist, and the LDAP modify operation replaces the last character of each name with a 1. The ichainService object then references the three attribute names "ichainPasswordExpirationInterva1", "ichainPasswordUniqueRequiredFla1", and "ichainSetPasswordDictionaryChec1". The ConsoleOne snap-in code detects the mismatch and gives the error message above. The problem seems to occur when the iChain schema is loaded more than once within a short period of time on a NetWare version of eDirectory 8.6. The solution is to open Schema Manager and add the three attributes to the ichainService object under their correct names (as listed above, without the trailing 1).
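To see concretely what 2.3 exposes, the following Python script, added here as an illustration and not part of iChain or ConsoleOne, reassembles USER/PASS pairs from a constructed capture of the FTP control channel and flags logins that did not stay on the management network. The management subnet, the record layout and the sample session are assumptions made for the example; a real run would feed it flows from a packet capture.

```python
"""Passive detector for cleartext FTP logins (added example, not iChain code).

Records are a simplified view of TCP segments from a capture. The management
subnet below and the sample session are assumptions constructed for this
example."""
import ipaddress
import re
from dataclasses import dataclass

FTP_PORT = 21
# Assumed: the private network between the admin workstation and the proxy.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CRED_RE = re.compile(rb"^(USER|PASS)[ \t]+(\S*)[ \t]*$", re.IGNORECASE)


@dataclass
class Record:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Finding:
    src: str
    dst: str
    user: str
    password: str
    on_management_net: bool


# Constructed sample: one login that crossed a routed network, one that stayed
# on the management subnet. The TEST-NET addresses stand in for real hosts.
SAMPLE_CAPTURE = [
    Record("192.0.2.10", "203.0.113.5", 21, b"USER config\r\n"),
    Record("203.0.113.5", "192.0.2.10", 1034, b"331 Password required for config.\r\n"),
    Record("192.0.2.10", "203.0.113.5", 21, b"PASS s3cret\r\n"),
    Record("203.0.113.5", "192.0.2.10", 1034, b"230 User config logged in.\r\n"),
    Record("10.0.0.7", "10.0.0.1", 21, b"USER ichainadmin\r\n"),
    Record("10.0.0.7", "10.0.0.1", 21, b"PASS novell\r\n"),
]


def on_management_net(a: str, b: str) -> bool:
    """True when both endpoints sit inside one of the management subnets."""
    aa, bb = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return any(aa in net and bb in net for net in MANAGEMENT_NETS)


def extract_ftp_logins(capture):
    """Pair USER with the following PASS on the same client->server flow."""
    pending = {}  # (src, dst) -> username awaiting its PASS
    findings = []
    for rec in capture:
        if rec.dport != FTP_PORT:
            continue  # server replies never carry credentials
        for line in rec.payload.splitlines():
            m = CRED_RE.match(line)
            if not m:
                continue
            verb = m.group(1).upper()
            arg = m.group(2).decode("ascii", "replace")
            key = (rec.src, rec.dst)
            if verb == b"USER":
                pending[key] = arg
            elif verb == b"PASS" and key in pending:
                findings.append(Finding(rec.src, rec.dst, pending.pop(key), arg,
                                        on_management_net(rec.src, rec.dst)))
    return findings


def exposed_logins(capture):
    """Findings that left the management network: the 2.3 exposure in practice."""
    return [f for f in extract_ftp_logins(capture) if not f.on_management_net]
```

The same pairing logic, run over live traffic, is exactly what an attacker on the path between ConsoleOne and the proxy would do; the point of running it yourself is to confirm that no FTP session to the proxy leaves the private network or direct cable this section recommends.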
2.6 Having Multiple ISO Objects in the Same Tree Will Affect Access Control

If multiple ISO objects exist in the same tree, the protected resources configured on those objects should always use unique resource names. If duplicate names are used, users may be granted access they should not have, or denied access they should have.

2.7 Dynamic ACL Rules Are Not Viewable in ConsoleOne

When you configure a dynamic ACL rule in ConsoleOne, the rule object does not display the dynamic ACL rule attributes after being saved. This is a cosmetic issue; the Rule object's attributes do contain the correct dynamic ACL rule information.

3.0 Known Authentication Issues

3.1 Certificate Authentication Problems When the CRL Is Invalid

An invalid Certificate Revocation List (CRL) will prevent mutual or certificate authentication from working. The CRL carries a time stamp (its next-update time) after which it is no longer valid, and the Certificate Authority (CA) must periodically publish a new CRL with a new expiration date and time. If the CA does not do so, perhaps because the CA is down or for any other reason, the CRL becomes invalid. During certificate or mutual authentication, the iChain Proxy Server compares the CRL's time stamp with its own clock, and if the CRL has expired, authentication fails rather than proceeding with a certificate whose revocation status cannot be confirmed. Because the comparison uses the proxy's own clock, a proxy whose time is set wrong shows the same symptom.

3.2 Enabling RADIUS Authentication for RADIUS Servers that Do Not Return a Fully Qualified eDirectory Name

To enable RADIUS authentication for RADIUS servers that do not return a fully qualified NDS name, two parameters in the aclcheck authentication profile need to be set from the iChain command line:

set authentication aclcheck ldap bindanonymous=no
add authentication aclcheck ldap searchbase=o=novell
apply

(Use the appropriate container in your tree in place of o=novell.) If the bindanonymous setting is not configured correctly, you will receive the following error: "Information Alert Status: 500 Internal Server Error Description: Insufficient resources to complete the request. Please try your request again."
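The comparison described in 3.1, worked through in Python as an added example (this is not iChain's implementation). It decodes the ASN.1 time strings found in a CRL's thisUpdate and nextUpdate fields (UTCTime with the RFC 5280 two-digit-year pivot, and GeneralizedTime), compares nextUpdate with the checking server's clock, and fails closed when the CRL has lapsed. It also separates out a case the section does not: a thisUpdate that lies in the checker's future, which points at a wrong proxy clock rather than a lapsed CA (compare the advice in 5.3 to verify the time before restoring certificates). The five-minute skew allowance and all sample time stamps are assumptions made for the example.

```python
"""CRL freshness check as 3.1 describes it (added example, not iChain code).

Decodes the ASN.1 time strings of a CRL's thisUpdate / nextUpdate fields,
compares nextUpdate with the checker's clock and fails closed when the CRL
has lapsed. The skew allowance and all sample times are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# UTCTime: YYMMDDHHMM[SS]Z ; GeneralizedTime: YYYYMMDDHHMMSSZ (RFC 5280 4.1.2.5)
_UTC = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?Z$")
_GEN = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_asn1_time(s: str) -> datetime:
    """Return an aware UTC datetime for a UTCTime or GeneralizedTime string."""
    m = _GEN.match(s)
    if m:
        y, mo, d, h, mi, sec = (int(x) for x in m.groups())
    else:
        m = _UTC.match(s)
        if not m:
            raise ValueError(f"unrecognised ASN.1 time: {s!r}")
        yy, mo, d, h, mi, sec = m.groups()
        yy = int(yy)
        y = 1900 + yy if yy >= 50 else 2000 + yy   # two-digit year pivot, RFC 5280
        mo, d, h, mi = int(mo), int(d), int(h), int(mi)
        sec = int(sec) if sec else 0
    return datetime(y, mo, d, h, mi, sec, tzinfo=timezone.utc)


def crl_status(this_update: str, next_update: str, now,
               skew: timedelta = timedelta(minutes=5)) -> str:
    """Classify a CRL against the checker's clock.

    'fresh'       nextUpdate has not passed (within the skew allowance)
    'expired'     nextUpdate has passed: the CA stopped publishing, or the
                  proxy clock runs fast; 3.1 fails authentication here
    'clock-ahead' thisUpdate is in the checker's future, so the proxy clock
                  is wrong rather than the CRL stale
    `now` may be an aware datetime or an ASN.1 time string."""
    if isinstance(now, str):
        now = parse_asn1_time(now)
    this_dt = parse_asn1_time(this_update)
    next_dt = parse_asn1_time(next_update)
    if this_dt - now > skew:
        return "clock-ahead"
    if now - next_dt > skew:
        return "expired"
    return "fresh"


def accept_certificate_auth(this_update: str, next_update: str, now,
                            serial_revoked: bool) -> bool:
    """Fail closed: accept only with a fresh CRL that does not list the cert."""
    return crl_status(this_update, next_update, now) == "fresh" and not serial_revoked
```

When diagnosing the 3.1 symptom, check both outcomes: "expired" means the CA has not published a new CRL (or the proxy clock is fast), while "clock-ahead" means the proxy clock is behind and no amount of re-publishing by the CA will help until the time is corrected.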
3.3 RADIUS Token Authentication

RADIUS token authentication works if the token is retrieved from the card using a PIN. However, if token authentication is set up to have the token retrieved from the card using a challenge sent from the RADIUS server, the user gets a login failed message rather than being presented with the challenge.

3.4 Logging In to iChain as an Alias User

iChain does not currently support user aliases for authentication. Users cannot use aliases when logging in to an iChain server.

3.5 Secure Exchange Mutual Authentication Issue

Secure Exchange mutual authentication does not carry from one accelerator to another. When you configure two separate accelerators with two different certificates, and both accelerators have LDAP and Secure Exchange mutual authentication profiles together, the LDAP authentication carries from one accelerator to the other, but the Secure Exchange mutual authentication prompts you to choose a user certificate again. Any certificate can be chosen, including certificates that do not correspond to the LDAP-authenticated user, and no LDAP authentication is required for the new certificate's user name. In other words, the certificate presented at the second accelerator is not bound to the identity that was already authenticated, so the two factors can belong to different users.

3.6 Entering the LDAP Authentication Profile User Context

When modifying the LDAP authentication profile user context for the distinguished name from the iChain Web GUI, the field is free-form. This does not mean that iChain will correctly read any format of distinguished name. The format is ou=...,o=... (that is, deeper containers precede the containers that contain them, as in ou=users,o=novell). If this format is not used, the LDAP query to the authentication server will fail.

3.7 User Name Mismatch Error When Using RADIUS Authentication

When using RADIUS token authentication with an NMAS RADIUS server, the RADIUS Dial Access System (DAS) object needs to be added as a trustee with read rights to the top container of the tree where the RADIUS users are located.
Otherwise the CN of the user, rather than the FDN, is sent on to the iChain Proxy Server, and users get the error "Status : 403 Forbidden. Description : User Name Mismatch." when trying to authenticate.

3.8 Logout URL

When defining a link to log out, the HREF should be HREF="http:///cmd/ICSLogout".

3.9 Issue with Cross-Domain Authentication (CDA) on Accelerators

For cross-domain authentication (CDA), all accelerators should set the same value for maximum idle time before requiring a new login.

3.10 Trusted Root Container Is Not Used For Mutual Authentication When Secure Exchange Is Disabled

SSL mutual authentication will not work with an accelerator that does not have Secure Exchange enabled simply by putting the issuer (Certificate Authority) of the client's certificate into the trusted root container configured in the ISO object. If Secure Exchange is enabled on the accelerator, however, putting the issuer of the client's certificate into that trusted root container will always allow SSL mutual authentication to work. To resolve the problem when Secure Exchange is not enabled, try one of the following:

1) The iChain server certificate used for the accelerator (the one configured in the iChain Admin utility under Configure > Web Server Accelerator > Modify > Certificate) needs to be signed by the same Certificate Authority as the client certificate.

or

2) The iChain server certificate used for the accelerator (the one configured in the iChain Admin utility under Configure > Web Server Accelerator > Modify > Certificate) needs to be created after the issuer (Certificate Authority) of the client's certificate is put into the trusted root container configured in the ISO object.
or

3) The iChain server certificate used for the accelerator (the one configured in the iChain Admin utility under Configure > Web Server Accelerator > Modify > Certificate) needs to be backed up, deleted, and restored after the issuer (Certificate Authority) of the client's certificate is put into the trusted root container configured in the ISO object.

A SAML SOAP responder URL of "https:///cmd/mutExt/samlext/saml/resp" uses mutual authentication and might run into the same issue. The same workaround might be necessary.

3.11 NMAS Radius Update Required for iChain Radius Token Authentication

If you are using NetWare 5 with Support Pack 6 or higher, or NetWare 6 with Support Pack 3 or higher, you need to update these versions in order for the NMAS Radius Server to do iChain Radius Token authentication. See the Novell Technical Information Document "NMAS 2.0 and 2.1 Radius Authentication Fix" at http://support.novell.com/cgi-bin/search/searchtid.cgi?/2965335.htm for the download and details.

3.12 Internal Server Error When Mutual Authentication Profile Is "OR"ed With LDAP Authentication Profile

If an LDAP and a Mutual SSL authentication profile are logically "OR"ed together, the browser might not be able to connect to the back-end Web application. Instead, an iChain error page like the following might display: "Information Alert. Status: 500 Internal Server Error. Description: Insufficient resources to complete the request."

3.13 Trying to "AND" LDAP and Radius Does Not Give Error in Admin Utility

You cannot use LDAP and Radius authentication profiles together in the same accelerator configuration. If you attempt it, the Admin utility does not give you an error message; only the first of the two authentication profiles is saved on Apply. (Previous versions gave an error if this was attempted.) Check the saved configuration after Apply rather than assuming both profiles are in effect.

3.14 Step-Up Cryptography Support

iChain supports Netscape's Step-Up Cryptography, but does not support Microsoft's Server Gated Cryptography.
See the Novell iChain 2.2 Administration Guide for details on using Step-Up Cryptography.

3.15 Risk For Possible DoS Attack When Using Mutual Authentication

If you are using mutual authentication, there is a risk of a denial-of-service attack in which an attacker bombards the server with bad or malformed mutual authentication certificates.

4.0 Known Browser Issues

4.1 Netscape 6.0 Incompatibilities

Because of several issues in Netscape 6.0 involving the proxy server administrative GUI, authentication problems, and incompatibilities with Windows 2000, Novell does not currently support the use of Netscape 6.0 with iChain 2.2. Novell has successfully tested iChain 2.2 with the following browsers: Internet Explorer 6.0 and 5.5, and Netscape 4.7 and 6.2.

4.2 Use Internet Explorer for Browser-Based Configuration

Problems with Java running on Netscape browsers can cause difficulties when running the proxy services browser-based administration utility. To avoid this issue, use Internet Explorer to run the proxy services browser-based administration utility.

4.3 Issue with Netscape Browsers and Certificate Database Passwords

An issue occurs when users set up their Netscape browsers to prompt for the certificate database password each time they want to select a certificate. After the password is entered, the browser appears to hang and in some cases eventually times out. This is because of a defect in Netscape. If the user enters the URL again without closing the browser, he or she is prompted to select the certificate again and re-enter the password. After the second time, the user is given access.

4.4 HTML Pages Displayed in Incorrectly Sized Frames

Occasionally, iChain users may receive a login page that is displayed in an HTML frame too small to show all the fields. If input is required, such as authentication information, the user may need to go back to a previous page to get the frame sizes adjusted appropriately.
4.5 Accessing OnDemand Files Using an IE Browser

Users attempting to access OnDemand files from an IE browser may experience difficulty and receive the error message: "Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later." To avoid this issue, complete the following steps:

1) Access the URL of the proxy server on which you installed the iChain Proxy Server software to launch the proxy services browser-based administration tool, for example http://10.1.1.1:1959/appliance/config.html.
2) Click Configure > Web Server Accelerator > Modify > Secure Exchange Options.
3) Uncheck the "Mark Pages Non-cacheable on the browser" parameter, or verify that it is not checked.

4.6 IE Still Displaying Local Cache After Logout

After logging out of a non-secure page in IE and clicking the Back arrow, the last page is still displayed because of the local cache. If the user tries to click a link or go to any other page, he or she is prompted to authenticate. To solve this problem, you can do any of the following:

- Use Secure Exchange for your entire Web site
- Mark the pages on the server with a non-cacheable header (for example, Cache-Control: no-store, with Pragma: no-cache for older browsers)
- Inform the user that he or she needs to close the browser after logging out

Note that the cached page remains readable by anyone who reaches the browser after the user walks away, so the first two options are preferable to relying on users closing the browser.

5.0 Known Proxy Server Issues

5.1 Valid Names When Configuring an Accelerator

Valid names to use when configuring an accelerator must be eight characters or less and cannot contain a dash (-) or underscore (_) character. In addition, the string "SSLPort" is a reserved string within iChain and cannot be used as a name for an accelerator. If you name an accelerator SSLPort, the accelerator configuration will not be saved. To avoid this issue, use a name other than SSLPort.

5.2 Setting the LDAP Context Field After Importing a Configuration

When you import an appliance configuration from a floppy by using the Import/Export tab, your LDAP context field setting may be lost.
To set the context field, click Configure > Authentication > LDAP Options > LDAP Contexts and verify or define the LDAP context for your configuration.

5.3 Importing Proxy Services Configurations Containing Third-Party Certificates

When you import a previous iChain Proxy Server configuration from a floppy and that configuration contains references to third-party accelerator certificates (that is, "Auto" is NOT used), you can do one of the following.

Import the certificates first:

1) Assign an IP address and gateway to the appliance.
2) Verify that the time is correct (including the time zone).
3) Restore the certificates.
4) Import the .nas file.

OR, for a safer method:

1) Import the .nas file.
1a) At the console, enter the "import floppy" command followed by the name of the .nas file without the .nas extension.
2) Restore the certificates.
2a) In the browser-based administration utility, go to the Home tab and select Certificate Maintenance.
2b) Set the IP address and gateway.
2c) Restore the certificates from the floppy.
3) Reimport the .nas file so that the certificates can be linked up.

5.4 Relative Path Links Required for Sites Accessed from Accelerators

Users in iChain access a site using the accelerator-configured URL for the Web site. If a user follows an absolute path link on the site, the Web server portion of the URL should be rewritten to the accelerator-configured URL. Because this rewriting is not always effective, relative path links should be used for all Web sites that will be accessed via an accelerator connection.

5.5 Web Server Port Redirection Inconsistencies

When an iChain accelerated and SSLized Web server sends a port redirect to the browser, the port redirect is not rewritten correctly in the Location header. This incorrect redirection can make sites inaccessible.
To avoid this issue, do one of the following:

- Create a second accelerator to listen on the port to which the Web server sends redirects, and set this accelerator to redirect to another Secure Exchange service. NOTE: The redirect must be set to a different Secure Exchange service because the same port redirection cannot be used twice.
- Change the Web server so it does not send the redirect with the port override.
- Have users supply the required port and access the accelerator directly.

5.6 New Certificates Do Not Show in the Accelerator Key ID List Until the Server Is Downed

When you create a new certificate with ConsoleOne, it will not appear in the Key ID list when configuring an accelerator until you down the iChain Proxy Server and bring it back up.

5.7 Page Not Found Error in Port 443 or Port 80 Logout

A Page Not Found error may occur when logging out without using the default 1959 port.

5.8 NAT Stops Working After Reboot

If an iChain Proxy Server is configured with two NICs (one public and one private), dynamic NAT is enabled on the public NIC, and the machine is configured to act as a router, problems occur with NAT. If more than one IP address is assigned to the public NIC, NAT stops functioning when you reboot or click Apply. It starts functioning again if you disable and then re-enable NAT on the public NIC.

5.9 iChain Support For HTTP 1.1

iChain is now capable of communicating with origin Web servers using the HTTP 1.1 protocol. The major features of HTTP 1.1 are implemented, although some obscure features might not be fully implemented because of the difficulty of locating Web servers that use them. One of the main reasons for supporting HTTP 1.1 is to support the transfer encoding options of chunking, deflate, and gzip. Many of the large Web server products use these transfer encoding options by default.
Another key HTTP 1.1 feature iChain now supports is handling content returned from the origin Web server with a Vary response header. Responses with a Vary header are not cached within iChain, so that data returned to one client is never data that was intended for another client.

5.10 The Command Line Parser Does Not Handle the Question Mark (?) or Equal Sign (=) in URLs

When presented with a URL that contains a single question mark (?), a single equal sign (=), or a question mark immediately followed by an equal sign (?=), the command line parser attempts to access a help file or assign a variable value. If you need to configure the appliance with URLs that contain these characters, use the browser-based tool rather than the command line. NOTE: The command line parser correctly handles URLs containing an equal sign immediately followed by a question mark (=?).

5.11 DNS Names Can't Contain Underscores

The use of an underscore (_) in a DNS name is highly discouraged (see RFC 2396, August 1998). For an Accelerated Service whose DNS name contains an underscore to function properly, the URL entered in the browser must end with a forward slash (/).

5.12 DNS Names in Double-Byte Character Set Displays

iChain currently supports double-byte character set (DBCS) URL display; however, it does not support DBCS in DNS names, because most Windows systems do not currently offer this type of support. Another known issue related to DBCS URL display is that the DBCS URL is displayed in URI format after the page is displayed in the browser.

5.13 Command Line and GUI Sluggishness During Startup

Appliances with more than one disk drive execute mirroring and cloning processes when the system starts for the first time. These one-time processes are required for system fault tolerance and must run to completion. While the processes are running, the console and the browser-based management tool might seem sluggish for a couple of minutes.
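A toy shared cache, added here as an example and not iChain's cache implementation, showing why the Vary rule in 5.9 matters and what the non-cacheable headers in 4.6 buy. The origin, its personalised response and the header sets are constructed for the example. With honour_vary=False the cache hands user A's personalised body to user B on a URL-keyed hit; with the rule iChain applies (responses carrying Vary are not cached at all) each user reaches the origin.

```python
"""Toy shared cache (added example, not iChain's implementation).

Shows the leak 5.9's Vary rule prevents and what 4.6's non-cacheable headers
do. The origin, its personalised response and the header sets are constructed
for this example."""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict   # header names lower-cased
    body: bytes


def _directives(headers: dict) -> set:
    """Cache-Control directives as a lower-cased set."""
    return {d.strip().lower()
            for d in headers.get("cache-control", "").split(",") if d.strip()}


def shared_cache_may_store(resp: Response, honour_vary: bool = True) -> bool:
    """Decide whether a shared (proxy) cache may keep this response.

    no-cache is treated as "do not store" here, a conservative reading; with
    honour_vary the 5.9 behaviour applies and any Vary response is skipped."""
    if _directives(resp.headers) & {"no-store", "private", "no-cache"}:
        return False
    if "set-cookie" in resp.headers:        # session material, never shared
        return False
    if honour_vary and "vary" in resp.headers:
        return False
    return resp.status == 200


class ProxyCache:
    def __init__(self, honour_vary: bool = True):
        self.honour_vary = honour_vary
        self.store = {}   # url -> Response; deliberately keyed on URL only

    def fetch(self, url: str, request_headers: dict, origin):
        """Serve from cache when present, else call origin(url, headers)."""
        if url in self.store:
            return self.store[url], True
        resp = origin(url, request_headers)
        if shared_cache_may_store(resp, self.honour_vary):
            self.store[url] = resp
        return resp, False


def personalised_origin(url: str, request_headers: dict) -> Response:
    """Constructed origin whose body depends on Cookie, declared via Vary."""
    user = request_headers.get("cookie", "anon")
    return Response(200, {"vary": "Cookie", "content-type": "text/html"},
                    b"Welcome, " + user.encode())


# Headers that mark a page non-cacheable for both browser and proxy (4.6).
NO_STORE_HEADERS = {
    "cache-control": "no-store, no-cache, must-revalidate, private",
    "pragma": "no-cache",
    "expires": "0",
}


def leak_demo(honour_vary: bool):
    """Warm the cache as user A, then fetch as user B; return B's body and hit flag."""
    cache = ProxyCache(honour_vary)
    cache.fetch("/home", {"cookie": "alice"}, personalised_origin)
    resp, hit = cache.fetch("/home", {"cookie": "bob"}, personalised_origin)
    return resp.body, hit
```

A fuller cache would key on the request headers that Vary names rather than refusing to store; iChain's simpler rule is safe at the cost of cache hits on such responses. The 4.6 header set makes a page non-cacheable at both the browser and any intermediate cache, which is why it also stops the Back-button replay after logout.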
Cache performance is also somewhat affected by the processes. IMPORTANT: Do not restart the appliance. This only causes the mirroring and cloning processes to restart and delays the return of normal system response times.

5.14 iChain Issue Importing a .NAS File with Multiple IP Addresses Bound to a Single Network Interface

In iChain 2.0, before importing a .NAS file that contains multiple IP addresses bound to a single network interface, you need to do one of the following:

1) Set the proxy server's IP addresses before importing the .NAS file, or
2) Edit the .NAS file and list the primary address first.

A .NAS file exported from iChain 2.1 does not have this ordering problem.

5.15 Mapping Network Drives to the iChain Proxy Server

To map a drive to the proxy server, an administrator needs the following:

1) Rename c:\nwserver\ncpip.old to c:\nwserver\ncpip.nlm.
2) Change tune.ncf (sys:system\tune.ncf) to allow NCP access. Comments within this file explain the needed changes.
3) The default administrator name and password for the iChain Proxy Server are "ichainadmin" and "novell".

WARNING: For security purposes, change the default password as soon as you enable NCP access. The default credentials are published in this Readme, so leaving them in place lets anyone who can reach the server over NCP log in as the administrator.

5.16 Tunneling Requires the DNS Field

For tunneling to be enabled, the DNS Name field must be filled in for the accelerator. The DNS field is not used by the tunnel, so the requirement is superficial and will be removed in later releases.

5.17 Make Configuration Changes During Minimal Activity

It is recommended that configuration changes be made during times of minimal activity on the iChain Proxy Server.

5.18 Problems Signing CSR with Novell Certificate Server

If you experience problems signing a CSR with Novell Certificate Server, verify that you have the latest available version of the PKI snap-in and use it.
5.19 Missing GIF Image

Symptom: When an HTML page has an embedded image that points to a secure accelerated site/object, IE displays the image as a red X and Netscape displays a broken image. If you browse to another object from the same Secure Exchange, accept the site certificate, and then click Back in the browser (to go back to the first non-secure, non-accelerated page), the secured object now displays correctly.

This problem can occur when the page references an object that is being accelerated by Secure Exchange and Secure Exchange is using a certificate that is not signed by a Certificate Authority the browser trusts. If Secure Exchange is using a certificate from Verisign or Thawte, for example, and the browser has already imported the trusted root for Verisign or Thawte, the image displays properly. Apparently the browser is unable to prompt the user to accept the untrusted certificate for embedded objects or images.

The best solution is to have Secure Exchange use a certificate from a commonly trusted Certificate Authority such as Verisign or Thawte. You might also be able to resolve this issue by exporting the certificate Secure Exchange is using and importing it into the browser as a trusted root.

5.20 Importing a .NAS File that Has Child-Parent Ordering Will Cause Abends When Accessing Accelerators

When exporting a configuration with multi-homing accelerators to a .NAS file, the accelerator ordering may be incorrect. The ordering needs to be parent-child (parent accelerator followed by child accelerator). Importing a .NAS file with child-parent ordering yields a corrupt configuration, and accessing these corrupt accelerators causes abends. To avoid this problem, edit the .NAS file to reorder the accelerators to parent-child before importing. If this does not correct the problem, the accelerators will have to be deleted and recreated.
5.21 Exporting or Importing a .NAS File with a Child from iChain 2.0 Will Cause an Error Message

If you create a path-based multi-homed child in iChain 2.0 and then upgrade to 2.2, exporting a .NAS file and later importing it results in the error message "Write to Directory failed, http accelerator webserver or proxy IP can't be null". In the .NAS file, the following line was left off of the child that had been created in 2.0:

add accelerator XXXXX address=xxx.xxx.xxx.xxx

If the child was created in 2.2, this line is automatically added to the .NAS file during export.

5.22 Authentication Issue with PDF File Display

If a PDF file that has been set up as a protected resource is accessed through a link that then requires the user to authenticate, the user gets an error message saying that the PDF file is damaged and can't be opened when using an Internet Explorer (IE) browser. This issue is fixed in the latest IE 6.0 support pack. To resolve it, update the IE browser with the latest support pack.

5.23 PowerPoint File Display Issue When Accessing Files With an Internet Explorer 6.0 SP Browser

If a PowerPoint (PPT) file that has been set up as a protected resource is accessed through a link that then requires the user to authenticate, the user gets an error message saying that the PPT file can't be opened when using Internet Explorer. This issue is fixed in the latest PowerPoint SP2. To resolve it, update the PPT application with the latest PPT support pack.

5.24 Changing URL for Password Management Servlet Requires Server Reboot

After you have changed the URL for the password management servlet, you must reboot the iChain Proxy Server in order for the changes to take effect.

5.25 First Certificate Created Does Not Get Additional Trusted Roots

The first certificate created after modifying the trusted root will not get additional trusted roots.
To work around this problem, after the trusted root container is modified, the iChain Proxy Server(s) need to be rebooted, or an Apply must be done, before creating a new certificate.

5.26 Issue With Daylight Saving Time Adjustment

The default settings for "Adjust clock for daylight savings changes" in the iChain Proxy Server browser-based administration tool and on the actual iChain Proxy Server do not match. To make the iChain Proxy Server match the browser-based administration tool, do the following:

1) In the Proxy Server browser-based administration tool, go to System > Timezone, then uncheck "Adjust clock for daylight saving changes".
2) Apply the changes.
3) Re-check the "Adjust clock for daylight saving changes" box.
4) Apply the changes.

5.27 Deleting LDAP Proxy User May Cause Abend in the iChain Proxy Server

When configuring the proxy through the GUI interface, be careful not to delete the LDAP Proxy User (on the Access Control tab) and then apply the changes, as this will cause the iChain Proxy Server to abend. If you need to modify the LDAP Proxy User, remove the old user and add the new user before applying the changes.

5.28 Issue With Multiple Addresses Bound to a Single .NIC

For servers that have multiple addresses bound to a single .NIC, you must have a Web accelerator assigned to the primary address for that .NIC (even if it is not used). If you do not create such a Web accelerator, you will not be able to access Web accelerators built on the secondary address.

5.29 Issue With Configuring the Web Server Address of an Accelerator With a DNS Name

Configuring the Web server address of an accelerator with a DNS name may cause the accelerator service not to be initialized. After you do an Apply, you must purge the cache. Purging the cache resolves the issue and the service is then initialized.
5.30 Server Error Occurs When Accessing an Accelerator Configured With Authentication Profiles

You might get a "500 Internal Server Error" when accessing an accelerator that has been configured to "OR" an SSL authentication profile with another authentication profile. The error is seen under the following conditions:

1) The accelerator being used ORs SSL Mutual authentication with another authentication profile.
2) When accessing the authentication profile, SSL Mutual authentication is cancelled and the other authentication method is used.
3) The protected resource matching the request has OLAC parameters configured.

5.31 Certificate Names Saved in eDirectory are Limited to 50 Characters

Certificate names saved in eDirectory must be DNS names that have 50 characters or less.

5.32 The Concurrent Login Feature Requires Reboot for Setting Changes to Take Effect

The Concurrent Login feature might require you to reboot your machine in order for setting changes to take effect. Use the following commands as a workaround for this issue:

1) Set authentication limitconcurrentlogins=yes, then Apply.
2) Set authentication maxlogins=4 (or the number you choose), then Apply.

5.33 Color Palette Issues with the Java Runtime Environment

Because of color palette issues with the Java Runtime Environment, we recommend that you do not use the proxy Web interface at 256 colors.

5.34 The iChain Proxy GUI Might Not Be Accessible Through a VPN

If you try to access the iChain Proxy Server GUI using a VPN, it might cause your browser window to hang while loading client.jar and might display a security alert. This problem is reported with iChain version 2.2 and has not been a problem in iChain 2.1. This seems to be related to heavy loads through the VPN.
5.35 Communication Issues Between iChain and L4 Switches

If your iChain server appears to stop communicating with an L4 switch (for example, Foundry ServerIron) or with the next hop router on your network, the IP routing table on iChain might have become corrupted. To confirm this, check the routing table entries in TCPCON and verify whether a host entry exists for the L4 switch or router where the protocol is ICMP. If this is the case, set the following parameter at the system console screen of the iChain server with this command:

"set always allow ip fragmentation = on"

(For more details on this command, go to http://support.novell.com/cgi-bin/searchtid.cgi?10018661.htm.) Additionally, you must disable the processing of incoming ICMP redirects using the command "Set ICMP Redirect Timeout=0" at the system console screen of the iChain server.

5.36 Changes Won't Be Saved to the Subnet of a Network Interface if IP Addresses Are Assigned to an Accelerator

Changes will not be saved to the subnet of a network interface if any of the IP addresses of that interface are assigned to an accelerator. The changes will appear to have been made until an Apply is completed; then they will revert back to the original settings.

5.37 Updating iChain n100.lan Drivers

If you are using an n100 LAN card, we recommend that you update it with the latest drivers, since older drivers can produce communication issues with iChain. You can download the updated drivers at http://h18007.www1.hp.com/support/files/networking/nics/Compaq_NC3134_Fast_Ethernet_NICs_Novell.html. Click the SP23496 link to download the drivers.

5.38 LDAP_Communication_Error Being Reported at iChain Console After Server Is Rebooted

Due to a race condition, the iChain console might report an LDAP_Communication_Error message when the server is restarted. As a result, access to protected resources might result in 403 errors being reported at the browser. To work around this issue, do the following:

1. Execute the refreshcredentials command at the iChain console.
2. Unlock the server console using the unlock and debug commands, and type "aclcheck refresh all" at the server console.

5.39 Manually Disable Secure Exchange at Accelerator's Authentication Options Page

On an accelerator's Authentication Options page, if "Prompt for username/password over http" is selected, you should manually disable Secure Exchange between the proxy and the origin Web server. If you do not disable it, users will be unable to connect to the origin Web server and will see a 400 error: Invalid request line URI.

6.0 Known Multi-homing and Path-Based Issues

6.1 Changing an Existing Accelerator to be a Multi-homing Child Causes Errors

If you change a pre-existing accelerator to be the child for path-based multi-homing or domain-based multi-homing, an error occurs when you click Apply. If you go back and change the child to a standalone accelerator again, its IP address will appear twice. It is best to delete the existing accelerator and create a new child accelerator.

6.2 Secure Fill Doesn't Function with Child Accelerator When Using Path-based or Domain-based Multi-homing

When using path-based or domain-based multi-homing with the master configured to use Secure Fill, if the trusted root on the Web server for the master accelerator is the same as the trusted root on the Web server for the child accelerator, the master accelerator will work, but going through the child accelerator will produce an error that says, "Unable to connect to Origin Web Server." Turning off Secure Fill will solve the problem.

6.3 Page Not Found Error When Accessing the Child of a Path-Based Multi-Homing Accelerator

Users attempting to access the child of a path-based, multi-homed accelerator may experience difficulty and receive a 404 error message that says the page cannot be found.
To avoid this issue, after disabling Secure Exchange on a path-based multi-homing accelerator, the cache on the iChain Proxy Server needs to be purged.

6.4 Issue With Making an Accelerator a Path-Based Master

The iChain Proxy Server GUI will allow you to make an accelerator that is not enabled a path-based master to another, but when applied, this can cause damage to the proxy server, which will subsequently cause the server to abend on the next startup. Therefore, do not attempt to make an accelerator that is not enabled a path-based master.

6.5 Issue With the Content Attribute Using Path-Based Multi-homing

If you are using a meta tag with an HTTP-EQUIV attribute name set to "refresh" and the content URL set to a relative path, this will not be rewritten for path-based multi-homing. If you are not using path-based multi-homing, this content attribute will be rewritten correctly.

6.6 Issue With Disabling a Multi-homing Master Accelerator

Disabling a multi-homing master accelerator will also disable all of its children. The iChain Proxy GUI, however, doesn't reflect that the children are disabled.

6.7 Issue With Adding Second IP Address to a Path-Based Multi-homing Accelerator

If you have an accelerator that is already configured with path-based multi-homing and you add a second IP address to the master, path-based multi-homing will not work.

6.8 Issue With the Path-Based Multi-homing Accelerator of a Domain Broker

A path-based multi-homing accelerator of a domain broker master cannot be disabled.

6.9 Issue With Changing an Accelerator That Was a Child of a Path-Based Multi-homing Master

If you change an accelerator that has been a child of a path-based multi-homing master, you need to purge the cache in order for the accelerator to be recognized correctly.
6.10 Issue With Changing a Child Accelerator's Master to a Master With a Different Cookie Domain

If a child accelerator's master is changed to a master with a different cookie domain, browsers might get the following error message when accessing the child accelerator: "Your browser must support cookies." To fix this problem, delete the child accelerator and recreate it.

6.11 Parent Logging Must Be Enabled Before Obtaining Logs for a Path-Based Multi-homing Child Accelerator

If you want to obtain logs (Common, Extended) for a path-based multi-homing child accelerator, you must enable logging on the parent first.

7.0 Known Session Broker Issues

7.1 Upgrade Session Broker to iChain 2.2

To ensure compatibility in a session broker environment, you should upgrade your session broker to iChain 2.2 before attempting to upgrade proxy servers individually.

7.2 Failure Creating a Session Broker Key

The error "Either no diskette is present, or the key to install was not found. Please insert the correct diskette and try again" may be returned when running the createsessionbrokerkey command. This error occurs if the floppy has non-deletable files such as hidden, system, or read-only files, or an existing directory.

7.3 Configuration Via the ConsoleOne Wizard

When configuring the session broker IP address on the first page of the iChain Web Server Accelerator wizard, the change will only be recognized by the proxy server if one (or both) of two requirements are met:

1. A subsequent page of the wizard is accessed before clicking Finish, or
2. Apply is either clicked from the iChain Web GUI or entered from the iChain console.

Until at least one of these requirements is met, the iChain Proxy Server will not communicate with the session broker.

7.4 Errors When Using "Non-Redirectable" POST Requests

iChain does not handle redirected POST requests. POST requests across cookie domains will error out, as will timed-out users redirecting a POST request.
You can use the LDAP basic authentication profile as a possible workaround.

7.5 Session Data Cannot be Transferred Unless All Servers are Running the Same Release

The format of the session data changed between the 2.0 release and the 2.1 release of iChain. Therefore, user sessions/authentications cannot be shared through the Session Broker between iChain servers running the different releases. The 2.1 release of Session Broker is backward-compatible and the 2.0 release of Session Broker is forward-compatible if the authentication profiles are the same on all accelerators. For session data to be transferred, all servers must be running the same release.

Note: This is not an issue between iChain 2.1 and 2.2 (it is an issue between 2.0 and later versions).

8.0 Known Domain Broker Issues

8.1 Logout Issue When Cross-Domain Authentication is Used With Session Broker in iChain 2.1

For security reasons, in iChain 2.1 users must close their browsers after logging out when Cross-Domain Authentication is used with Session Broker. This is still an issue if you are using a 2.2 Session Broker with 2.2 proxy servers (not recommended).

8.2 Disabling the Domain Broker Using the Command Line Interface

If you want to disable the Domain Broker, use the following commands on the iChain Proxy Server Command Line Interface (you cannot disable the Domain Broker from the GUI):

accelerator beith authentication authovercd = No
accelerator beith authentication authcddbenabled = No

8.3 Use Unique Cookie Domain Names in CDA Configurations

You must use unique cookie domain names to control and regulate authentication. If you have similar cookie domain names, users will be able to authenticate even if an accelerator is not part of the Cross-Domain Authentication setup.
9.0 Known Form Fill Issues

9.1 Form Fill Does Not Use Modified LDAP Options Without Being Restarted

After changing the LDAP options on the Access Control tab (for example, port, server IP address, LDAP user), Form Fill will not communicate with the LDAP server using the new settings. To work around this problem:

1) Disable Form Fill and click Apply.
2) Enable Form Fill and click Apply.

Another option is to go to the iChain server's NetWare console and enter SSO REFRESH ALL.

9.2 Form Fill Does Not Auto Load After Importing a .NAS Configuration File that Has Form Fill Authentication Enabled

When importing a .NAS configuration file that has Form Fill Authentication enabled, SSO.NLM might fail to load. You can load SSO.NLM from the iChain Proxy GUI by selecting the Configure icon, then selecting the Access Control page. Click the Refresh Form Fill button, then click Apply.

9.3 Do Not Use Comments to Disable a Form Fill Policy

Comments with Form Fill cannot be used to disable a Form Fill policy. The workaround recommendation is to use and instead of and ->.

10.0 Known Custom Login/Logout Page Issues

10.1 Login Failure when Using Custom Login Page

Failure to log in, with indefinite reprompting for login, can occur when using a custom login page. This problem occurs if any of the necessary fields on the login page (url, username, password, proxypath, or context) is the last value of the query string when sent to the iChain Proxy Server. This problem can be resolved by placing the login button value as the last value on the HTML page.

10.2 Peripheral Files in a Custom Page on Path-Based Multi-homing Child

For path-based multi-homing child accelerators (all other accelerators, including host-based multi-homing children, are fine), if a custom login/logout page directory has been specified, then all style sheets, JavaScript files, images, and other peripheral files that are referenced in the login files should be placed in the directory of the parent.
If the parent accelerator has a custom login page directory defined, the style sheets, JPGs, GIFs, etc. should be placed in that directory. If the parent has no custom login page directory defined, the peripheral files should be placed in the default directory SYS:ETC\PROXY\DATA.

11.0 Using the Mini FTP Server

11.1 Possible FTP System Usage Issues

The system uses active FTP sessions to PUSH FTP data. This can cause active FTP to fail within a firewall environment. When PUSHing the log files to a remote FTP server, all accelerators with logging enabled will have their log files transferred. The iChain 2.2 Setup Wizard also uses FTP. If FTP is not enabled, you will not be able to use the wizard for configuration. This has the following implications for using FTP with the appliance.

11.1.1 Access From a DOS Window is Limited

You cannot access an appliance inside a firewall from a DOS window on a client that is outside the firewall.

11.1.2 Internet Explorer 5 Must Be Properly Configured

To access an appliance inside a firewall using Internet Explorer 5 outside the firewall, you must configure the browser to use passive FTP. Complete the following steps:

1) In the browser, click Tools > Internet Options > Advanced.
2) Under Browsing, check Use Web-Based FTP.
3) Click OK.

11.2 Directory and File Names Cannot Contain Spaces

The Mini FTP Server will not work with directory or file names that contain spaces.

12.0 Known ConsoleOne Issues

12.1 Latest Version of ConsoleOne Required for iChain 2.2

ConsoleOne 1.33 or later is required. If you are experiencing problems with running the iChain Wizard, reinstall the iChain snap-ins.

12.2 iChain Setup Wizard Does Not Function in ConsoleOne

The iChain setup wizard does not function in ConsoleOne.
If you find that the ISO object name is being populated incorrectly from the iChain wizard (for example, using iso.novell instead of cn=iso.o=novell), you need to uninstall ConsoleOne, then reinstall it from the iChain 2.2 Authorization Server CD. After you have reinstalled ConsoleOne, you need to reinstall the iChain snap-ins.

13.0 Known Interoperability Issues

13.1 Accessing the Interoperability Readme

For the latest information on interoperability issues with iChain 2.2, see the online Interoperability Readme at http://www.novell.com/documentation/lg/ichain22/index.html.

13.2 Accessing the Interoperability Technical Information Document

For information on how to configure iChain with NetWare products, see TID 10078054, "Configuring iChain to Work With Other NetWare Products," at http://support.novell.com/cgi-bin/search/searchtid.cgi?/10078054.htm.

14.0 Changes to the Rewriter

14.1 Default Mime Type Changes

The text/plain MIME type is no longer a default MIME type. If you want content of this MIME type to be rewritten, you need to add it to the sys:etc\proxy\rewriter.cfg file in the [Mime Content-type] section.

14.2 Internal Rewriter Has Been Removed

The [Internal Rewriter] section has been removed. In its place is a new command:

set accelerator DisableRewriter=Yes|No

This setting is exported to the .nas file.

15.0 Changes to OLAC

15.1 Changes to OLAC in iChain 2.2 and iChain 2.2 SP1

The following changes have been made to the OLAC configuration.
For example, suppose your OLAC configuration is:

- Email, value = mail
- CONSTANT "Const=a&b"

When the user is authenticated and accessing the protected resource, the following parameters are passed to the Web server.

As part of the header:

in 2.1:
X-email=john@novell.com
X-const=a%26b

in 2.2:
X-email=john@novell.com
X-const=

in 2.2 SP1:
X-email=john@novell.com
X-const=a&b

As part of the URL (query string):
email=john%40novell.com&const=a%26b

The changes resolve an issue with the ampersand (&) character, which is a terminator for a value and was incorrectly interpreted. This issue is resolved with the iChain 2.2 SP1 release. One difference that still exists between iChain 2.2 SP1 and previous versions is that the header character is no longer escaped. You might need to check on the Web server to verify this difference.

16.0 iChain Documentation

16.1 Accessing the Latest iChain Documentation

For the latest iChain documentation, including information on iChain setup and administration, go to http://www.novell.com/documentation and locate the iChain documentation in the alphabetical list.

16.2 Information on Issues Corrected Since the Previous Release

For information on issues that have been corrected in iChain 2.2 since the previous release, see the Novell Technical Information Document at http://support.novell.com/cgi-bin/search/searchtid.cgi?/2967439.htm.

17.0 Legal Information

The iChain 2.2 licenses also include an equal quantity of eDirectory licenses for use solely with the iChain 2.2 product.

17.1 Disclaimer, Copyright, and Patents

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside. This product may require export authorization from the U.S. Department of Commerce prior to exporting from the U.S. or Canada.

Copyright (C) 2004 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

U.S. Patent Nos. 5,349,642; 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,818,936; 5,828,882; 5,832,275; 5,832,483; 5,832,487; 5,870,561; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,933,503; 5,933,826; 5,946,467; 5,956,718; 6,047,289; 6,065,017; 6,081,900; 6,105,132; 6,167,393. Patents Pending.

17.2 Trademarks

Novell, iChain, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. BorderManager, ConsoleOne, eDirectory, NMAS, SecretStore and Novell Certificate Server are trademarks of Novell, Inc. Novell Technical Services is a service mark of Novell, Inc. All third-party trademarks are the property of their respective owners.