New Features Summary - Novell iChain 2.2 Support Pack 3
July 22, 2004

Table of Contents

1.0 New Features in iChain Version 2.2 SP3
    1.1 Form Fill Enhancements
        1.1.1 Local File System Storage
        1.1.2 Tag
        1.1.3 Extensions Ignored During GET Requests
        1.1.4 Simple Policy Validation
        1.1.5 New Command
    1.2 NCPIP.NLM File Renamed
    1.3 OAC.PROPERTIES File Updated
    1.4 APPSTART.NCF File Updated
    1.5 MESSAGES.CPG File Updated
    1.6 Telnet Disabled by Default
    1.7 Please Login Is Translatable
    1.8 New Protect Privatekey Check Box
    1.9 Support for Modifying Build Version in Via Header
    1.10 Security Alerts
        1.10.1 Support for Disabling Telnet Listener
        1.10.2 Cross Site Scripting Modified
        1.10.3 Support for Enabling Secure Bit On Cookies
    1.11 Support for Disabling Revocation Checking of Certificates
2.0 New Features in iChain Version 2.2 SP2
    2.1 Support for OLAC Internal Data Source Feature
    2.2 Support for Step-Up Cryptography
    2.3 Change to Command for Disabling the Internal Rewriter per Accelerator
    2.4 Troubleshooting HTTP 1.0/1.1
3.0 New Features in iChain Version 2.2 SP1
    3.1 Support for SAML Extension for Novell iChain
    3.2 Support for WAP Devices
    3.3 Internal Rewriter Updates
    3.4 Custom Rewriter Updates
    3.5 Form Fill Tag
    3.6 Updated iChain Administration GUI to Support Japanese Configurations
    3.7 Removed NCP Access
    3.8 Support for Novell Nsure Audit
4.0 New Features in iChain Version 2.2
    4.1 NetWare 6 is Base Operating System
    4.2 Web Server Accelerator Tab - Enhanced User Interface
    4.3 Web Server Accelerator Dialog Box - Enable/Disable Checkbox
    4.4 Web Server Accelerator Dialog Box - Multi-homing Options - Ends With Radio Button
    4.5 Web Server Accelerator Dialog Box - Secure Exchange Options - Trusted Roots Import
    4.6 Web Server Accelerator Dialog Box - Mark Pages Non-cacheable on the Browser Check Box Moved and Relabeled
    4.7 Certificate Maintenance Tab - Certificate Information Dialog Box
    4.8 Certificate Maintenance - Create Certificate Dialog Box
    4.9 Certificate Maintenance - Store Certificate Dialog Box
    4.10 Support for Organizational Roles and eDirectory Dynamic Groups
    4.11 Form Fill Enhancements
        4.11.1 GET Method
        4.11.2 Data Security
        4.11.3 Static Value Injection
        4.11.4 Multiple Languages
        4.11.5 Shared Secrets
    4.12 User-Selectable Drivers
    4.13 OLAC Enhancements
        4.13.1 Command Line Handler
        4.13.2 Request Timeout
        4.13.3 Passing the User DN
        4.13.4 Internationalization
        4.13.5 Plug-in For SecretStore Credentials
    4.14 Self-Provisioning Servlets Enhancements
    4.15 LDAP Authentication Enhancement
    4.16 HTTP 1.1 Support
    4.17 Concurrent Login Restrictions
5.0 Legal Information
    5.1 Disclaimer, Copyright, Export Notice, and Patents
    5.2 Trademarks

1.0 New Features in iChain Version 2.2 SP3

1.1 Form Fill Enhancements

The following Form Fill enhancements are included with this support pack:

1.1.1 Local File System Storage

Form Fill supports a file stored on the local file system as follows:

    {Filename}

where, if {Filename} does not contain slashes (\ /) or a colon (:), it is a file that is expected to be in SYS:ETC\Proxy\Appliance\Config\User\Formfill. Otherwise, it is treated as an absolute path. You can use multiple tags like this, but the maximum size is limited to 1MB. This directory is reachable by FTPing to the iChain server.

1.1.2 Tag

In a policy, you can use the tag. This also requires or . This tag allows single sign-on (SSO) usage to modify the HTML page with the changes needed for (masked)Post, but you are able to view the source before posting the information. This feature allows you to debug without the need of a sniffer.

1.1.3 Extensions Ignored During GET Requests

The following GET request extensions are ignored for SSO purposes:

    .gif .jpg .jpeg .png .zip .jar

These extensions are quickly ignored, and should allow SSO to process more quickly, especially with wildcard policies.

1.1.4 Simple Policy Validation

SSO contains a simple policy validation.
It will parse the policies and show the following errors if a problem occurs:

    ICS_SERVER:sso refresh rule
    SSO_4: REFRESH! REFRESH! Rule....
    SSO_R: LocalPolicy 'sys:\etc\proxy\appliance\config\user\form fill\formfill.xml'
    ERROR: Policy imanagerLogin: Invalid '' - Expected '**UNKNOWN**'
    ERROR: Policy imanagerLogin: Invalid '' - Expected '**UNKNOWN**'
    ERROR: Policy smgsimailLogin: Missing and/or
    ERROR: Policy iconstruye: Invalid '' - Expected ''
    ERROR: Policy dphclanierLoginFailure: deleteRemembered rule esigndphcLogin not found
    SSO_4: Rules(length = 34993) have been refreshed!
    SSO_4: Not using SecretStore!

1.1.5 New Command

The command line interpreter routine has been changed to allow SSO parameters to be changed on the fly. Also, the following new command was introduced:

    SSO|FFICHAIN REFRESH LDAP|RULE|ALL

where | stands for "or" in this case, so SSO REFRESH LDAP is one possible command.

1.2 NCPIP.NLM File Renamed

For security reasons, the NCPIP.NLM file was renamed to NCPIP.OLD. If you want to log in to the iChain server, you must rename this file to its original name after you complete the over-the-wire upgrade for this support pack.

1.3 OAC.PROPERTIES File Updated

When you install this support pack, any custom plug-ins are overwritten. To avoid this issue, back up your oac.properties file before you install this support pack, then copy the file back over once the support pack has successfully installed. If you haven't previously modified your oac.properties file, you do not need to back it up before installing this support pack.

1.4 APPSTART.NCF File Updated

Prior to installing this support pack, you should make note of any customized lines in your appstart.ncf file. Do not include load logevent or load cache if they appear in your current file.
If these lines are present in appstart.ncf, you might get the following abend:

    Abend on POO: SERVER-5.60-8716: Thread performed illegal recursive LOADER operation when current LOADER state is non-recursive
    OS version: Novell Netware 5.60.02 July 10, 2002
    ...Debug symbols are enabled!
    Running Process: Server 03 Process
    Stack: 16 20 E3 FC E0 02 04 D0 01 00 00 00 5E 9B E0 FC FC 65 8F D0 61 17 OB FC 4C 6F 61 64 69 6E 67 20 4D 6F 64 75 6C 65 20 4C 43 41 43 48 45 2E 4E 4C

1.5 MESSAGES.CPG File Updated

Messages.cpg will be updated when you install this support pack.

1.6 Telnet Disabled By Default

Telnet is disabled by default in this support pack for security reasons. If you use Telnet for administrative purposes, you need to re-enable it after you have successfully completed the support pack installation. You do this by importing the TELNETON configuration file from the Proxy Administration Tool. Go to System, then click the Import/Export tab.

1.7 Please Login Is Translatable

Please Login is translatable with this support pack.

1.8 New Protect Privatekey Check Box

You can use the Protect Privatekey check box to mark certificates as non-exportable during certificate creation.

1.9 Support for Modifying Build Version in Via Header

You can modify the build version sent in the Via header by using the viaheaderbuildversion option in the /etc/proxy/proxy.cfg file. For example, if you add the following lines to the proxy.cfg file:

    [HTTP Headers]
    viaheaderbuildversion=2.2

it appears as (iChain 2.2) in the Via header. Otherwise, it appears with the standard build version, such as (iChain 2.2.120).

1.10 Security Alerts

The following security alerts are included with this support pack:

1.10.1 Support for Disabling Telnet Listener

You can disable the Telnet Listener on TCP port 23. The syntax is as follows:

To display settings, use

    get listener

To change settings, use

    set listener telnet enable=YES|NO

Telnet is disabled by default. If no password is set, any password is accepted.
1.10.2 Cross Site Scripting Modified

The url= login is no longer vulnerable to cross-site scripting (XSS).

1.10.3 Support for Enabling Secure Bit on Cookies

You can enable the secure bit on cookies by editing the appstart.ncf file to load proxy.nlm with the -cs switch. Syntax:

    load proxy -cs

All of your accelerators must have secure exchange enabled for you to use this feature.

1.11 Support for Disabling Revocation Checking of Certificates

A new setting has been introduced to allow you to turn off revocation checking of certificates. This setting should only be used for troubleshooting purposes, since it makes the use of certificates insecure. You configure this setting at the command line. The configuration is done through the SSL profile:

    set authentication mutual disablerevocationchecks = yes/no

where is the name of your SSL mutual authentication profile.

2.0 New Features in iChain Version 2.2 SP2

2.1 Support For OLAC Internal Data Source Feature

The INTERNAL OLAC data source obtains user information that is available in the proxy. This allows the login query string to be passed to the Web server. It displays content based on login information. See Chapter 5, "Setting Up Web Single Sign-on Services" in the Novell iChain 2.2 Administration Guide for more details.

2.2 Support For Step-Up Cryptography

Step-Up Cryptography is a variation of SSL that provides a way for weaker clients to detect the need for strong cryptography. This feature is referred to as Server Gated Cryptography (SGC) by Microsoft, and Step-Up Cryptography by Netscape. iChain supports Netscape’s Step-Up Cryptography. This feature is especially applicable for users running on Windows 98, Windows NT, users with older browsers (Internet Explorer 5.0, 5.5, and Netscape 4.7x), and machines that are used outside the United States. For details on how to configure Step-Up Cryptography, see Chapter 7, "Using and Tuning iChain Features," in the Novell iChain 2.2 Administration Guide.
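
Added example (not part of the Novell readme or of iChain itself): a check for the two header settings described in sections 1.9 and 1.10.3, run over constructed responses that stand in for traffic captured before and after the change. The Via host token and the cookie names are assumptions; only the "(iChain 2.2)" and "(iChain 2.2.120)" comments come from the readme.

```python
import re

# Constructed sample responses, not captured from a real iChain server.
# The Via host token and the cookie names are placeholders (assumptions).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Via: 1.1 ICS_SERVER (iChain 2.2.120)\r\n"
    "Set-Cookie: EXAMPLESESSION=abc123; path=/\r\n"
    "Set-Cookie: pref=secure; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Via: 1.1 ICS_SERVER (iChain 2.2)\r\n"
    "Set-Cookie: EXAMPLESESSION=abc123; path=/; Secure\r\n"
    "Set-Cookie: pref=secure; path=/; secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Matches the product comment the readme shows, e.g. "(iChain 2.2.120)".
VIA_COMMENT = re.compile(r"\(iChain\s+(\d+(?:\.\d+)*)\)")


def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_is_secure(set_cookie_value):
    """True only if Secure is an attribute, not text inside the cookie value."""
    attributes = set_cookie_value.split(";")[1:]
    return any(attr.strip().lower() == "secure" for attr in attributes)


def audit_response(raw, expected_via_version="2.2"):
    """List the findings for one response; an empty list means both checks pass."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "via":
            # Anything other than the configured viaheaderbuildversion
            # means the full build number is still being disclosed.
            for version in VIA_COMMENT.findall(value):
                if version != expected_via_version:
                    findings.append("via-build-disclosed:" + version)
        elif name == "set-cookie" and not cookie_is_secure(value):
            cookie_name = value.split("=", 1)[0].strip()
            findings.append("cookie-not-secure:" + cookie_name)
    return findings


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(raw) or "ok")
```

A cookie carrying the Secure attribute is returned by the browser only over HTTPS, which fits the requirement in 1.10.3 that every accelerator has secure exchange enabled.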
2.3 Change to Command For Disabling the Internal Rewriter Per Accelerator

By default, the internal rewriter is enabled for all accelerators. The internal rewriter can slow performance due to the overhead of parsing. In some cases, a Web site might not have content with URL references that need to be rewritten. The internal rewriter can be disabled on a per-accelerator basis using the following set command on the command line of the iChain machine. The following is an example of how you would use this command:

    SET ACCELERATOR <AcceleratorName> DisableRewriter=Yes

where AcceleratorName is the name of the accelerator for which you want to disable rewriting. This action is permanent upon reboot and is exported to the .nas file.

2.4 Troubleshooting HTTP 1.0/1.1

If your Web servers are experiencing issues with having HTTP 1.1 requests sent to them, you can use the following troubleshooting command, which enables an HTTP 1.1 request from a browser to be translated to an HTTP 1.0 request so that the Web server will respond correctly. The following is an example of how you would use this command:

    SET ACCELERATOR <AcceleratorName> ForceHTTP10ToOrigin=Yes

where AcceleratorName is the name of the accelerator for which you want to translate HTTP 1.1 requests to HTTP 1.0. Purge the cache afterwards, then HTTP 1.0 requests can be sent to the origin server. This action is permanent upon reboot and is exported to the .nas file.

3.0 New Features in iChain Version 2.2 SP1

3.1 Support for SAML Extension for Novell iChain

Novell iChain 2.2 SP1 provides the iChain-related components to support the new SAML Extension for Novell iChain. SAML (Security Assertions Markup Language) is an XML specification for exchanging authentication and authorization information. The capability SAML provides with iChain includes single sign-on (to and from) other SAML 1.0-enabled systems. These could be systems within your own organization or the systems of your business partners.
For more information on SAML extension for Novell iChain, see the documentation at http://www.novell.com/documentation/lg/saml/index.html.

3.2 Support for WAP Devices

Support has been added for devices that use Simple HTML or WAP (WML). The capability this provides is authentication to iChain-protected devices using a WAP device and single sign-on to GroupWise WebAccess.

3.3 Internal Rewriter Updates

The following updates have been made to the Internal Rewriter:

- Added [Exclude] support to the rewriter.cfg file so that you can specify a single URL or a URL path which will not be processed by the rewriter.

- Added support for source page control of rewriter, using and tags. Any HTML content after a tag will not be rewritten until a tag is encountered or the end of the HTML data is reached. The following tags change the behavior of the rewriting of values in HTML pages. Most rewriting will still occur, but not the values

- The internal rewriter now specifically looks at the MIME types of the pages passed back. iChain does not look at the file extensions. The original code looked at the extension first, and then verified whether it was one of the specified MIME types. However, if the extension didn't match, it would not look at the MIME type.

- The text/plain entry has been removed from the default MIME type list. If you experience issues with broken links or certain links not being rewritten, try adding text/plain to the rewriter.cfg as a workaround.

3.4 Custom Rewriter Updates

Added a [mime content-type] heading for the custom rewriter configuration. When used, it causes [extension] to be ignored.

3.5 Form Fill Tag

If a single login page contains multiple forms (having many pairs of <form> and </form> tags), you can use the tag to specify which form instance to fill. Usually there is only one form in a login page. To use the tag, enter N, where N is the form number of the form to be filled. The first form is number 1, the second is number 2, and so on. For example, your tag might look like the following:

    test www.novell.com/signon_welcome.screen 2 .................. ...................

3.6 Updated iChain Administration GUI to Support Japanese Configurations

Browsers configured with the Japanese language set can now successfully manage the iChain Proxy Server using the Proxy Administration GUI.

3.7 Removed NCP Access

A number of customers enable NCP to gain file access to the iChain Proxy Server. Although this does not affect any resources that iChain is protecting, Novell wants to ensure that NCP is only enabled and disabled correctly by NetWare-trained professionals. In accordance with this requirement, the module that controls NCP access (NCPIP.NLM) has been renamed to NCPIP.OLD and will not be loaded by default. The file is located in the \nwserver directory. You can either load NCPIP.OLD by typing "LOAD NCPIP.OLD" at the proxy debug console, which will give you temporary access to NCP over IP (until the module is unloaded or the proxy server is restarted), or you can use the Toolbox utility to rename this file for a permanent change.

3.8 Support For Novell Nsure Audit

iChain supports Novell Nsure Audit. Novell Nsure Audit is a centralized, cross-platform auditing service. It collects event data from multiple applications across multiple platforms and writes the data to a single, non-repudiable data store. Nsure Audit is also capable of creating filtered data stores. Based on criteria you define, Nsure Audit will capture specific types of events and write those events to secondary data stores. The Nsure Audit configuration functionality is managed through the iChain Command Line Interface (CLI).
The configuration can be set and viewed using get log and set log commands. For more information, see Appendix F, "Using iChain With Novell Nsure Audit" in the Novell iChain 2.2 Administration Guide.

4.0 New Features in iChain Version 2.2

4.1 NetWare 6 is Base Operating System

NetWare 6 has replaced NetWare 5.1 as the base operating system for iChain 2.2.

4.2 Web Server Accelerator Tab - Enhanced User Interface

An enhanced user interface has been provided for the Configure > Web Server Accelerator tab. This new view provides the user with the ability to quickly view the details for accelerators, and it adds the ability to view the groupings of accelerators that have a master-slave (parent-child) relationship. With the new interface, a user can choose to view all the accelerators, just the master accelerators, or just the child accelerators. This makes viewing the groupings as easy as clicking a button. Additionally, a filter field has been added that gives the user the ability to display only accelerators that match the value typed into the field. When an accelerator in the list of accelerators is highlighted, information such as the host name, master or child accelerators, web server address and port, accelerator address and port, and other settings are displayed in a view-only section on the page. As with the old user interface, accelerators can be created, modified, or deleted with the click of a button.

4.3 Web Server Accelerator Dialog Box - Enable/Disable Check Box

With the enhancement of the Web Server Accelerator tab, it became necessary to restore the accelerator enable/disable check box in the Web Server Accelerator dialog box. When a user creates a new accelerator by clicking on the Insert button, or modifies an existing accelerator by clicking on the Modify button on the Configure > Web Server Accelerator tab, the Web Server Accelerator dialog box is displayed.
The Enable This Accelerator check box at the top left corner of the dialog box is now visible and allows the user to enable or disable the accelerator.

4.4 Web Server Accelerator Dialog Box - Multi-homing Options - Ends With Radio Button

The Ends With option has been removed from the multi-homing options dialog box. For path-based multi-homing, the only option is to use what used to be termed Starts With for the sub-path. If path-based multi-homing is used, the sub-path will default to Starts With and the user can select whether to remove the sub-path, which was available previously.

4.5 Web Server Accelerator Dialog Box - Secure Exchange Options - Trusted Roots Import

The ability to import trusted roots in the Secure Exchange Options dialog has been removed. When the Secure Exchange Options button is clicked in the Web Server Accelerator dialog box, the Secure Exchange Options dialog box is displayed. The list of trusted roots and the ability to import trusted roots was also removed. The only remaining options on the dialog box are Mark Pages Non-cacheable on the Browser and Enable Secure Access Between Secure Exchange and Web Server.

4.6 Web Server Accelerator Dialog Box - Mark Pages Non-cacheable on the Browser Check Box Moved and Relabeled

The Mark Pages Non-cacheable on the Browser check box originally located in the Secure Exchange Options dialog has been moved and relabeled. The check box was moved to the Web Server Accelerator dialog box and its setting now applies to the whole accelerator, not just to the secure exchange settings. Also, the label on the check box was changed to read "Allow Pages to be Cached at the Browser" to match the text used for this setting on the proxy server. A view-only check box was added to the Configure > Web Server Accelerator tab Details section to reflect the state of this setting for the highlighted accelerator.
4.7 Certificate Maintenance Tab - Certificate Information Dialog Box

The Certificate Information on the Home > Certificate Maintenance tab has changed. A new line, Organizational Unit, has been added to display that value. The View CSR, Store Certificate, and Export CA Certificate buttons were moved to the side of the dialog box to provide room for the information change.

4.8 Certificate Maintenance - Create Certificate Dialog Box

The Create Certificate dialog box has changed. When a user chooses to create a certificate, he or she clicks the Create button on the Home > Certificate Maintenance tab. This displays the Create Certificate dialog box, where two changes have been made. First, the Verisign check box was removed. Second, an Organizational Unit text field was added. When creating an externally signed certificate, the user must supply values for all the text fields shown. After clicking the OK button to return to the Home > Certificate Maintenance tab, the user then clicks on the Apply button to start the process to create the certificate.

4.9 Certificate Maintenance - Store Certificate Dialog Box

The Store Certificate dialog box has changed. After an external certificate Create process has begun, the user needs to click the Store Certificate button on the Home > Certificate Maintenance tab to display the Store Certificate dialog box. In this dialog, the user pastes the CA (trusted root) certificate and Server certificate contents into the appropriate fields and then clicks the Create button to create the certificate. A new check box, No Trusted Root Certificate Available, has been added. When it is checked, the CA Certificate contents field is disabled and the user only needs to paste a value in the Server Certificate contents field. This will be used in the case where a trusted root is not available to paste into the upper field.
4.10 Support for Organizational Roles and eDirectory Dynamic Groups

An administrator can now set access control rules on organizational roles and eDirectory dynamic groups, such as including them in the Apply To list of an ACL rule.

4.11 Form Fill Enhancements

The following are Form Fill enhancements in iChain 2.2:

4.11.1 GET Method

Form Fill now supports the GET method in addition to the POST method for submitting a user's credentials.

4.11.2 Data Security

Form Fill enhances the data security (reduces the possibilities of exposing sensitive data) during the auto posting by adding the new tag .

4.11.3 Static Value Injection

Form Fill supports static value injection, JavaScript, and case conversion (values of LDAP attributes only) for serving more application login forms.

4.11.4 Multiple Languages

Form Fill supports different languages at the login page.

4.11.5 Shared Secrets

Form Fill supports Novell's Shared Secrets. Form Fill can save a user's credentials in Shared Secrets and allow other applications to share these user credentials in order to make single sign-on possible.

4.12 User-Selectable Drivers

In order to support a greater variety of hardware, iChain 2.2 provides an option for the user to select network, disk, and adapter modules that were not shipped with iChain. Immediately after the initial image copy from CD, the installation will prompt you whether to select custom drivers. If you select Yes, the installation will stop in HDetect.nlm to allow you to select the correct drivers for the system in the same manner as the NetWare 6 installation. Because of the iChain imaging process, you will need to do this twice during the installation. If you select No, or no selection is made within 30 seconds, iChain will automatically detect the drivers as in iChain 2.1 and earlier versions.
4.13 OLAC Enhancements

The following are OLAC enhancements in iChain 2.2:

4.13.1 Command Line Handler

iChain 2.2 includes a command line handler to dynamically change certain options in OLAC. The debug levels (/d1 and /d2) are now available for you to enter on the command line at the NetWare System Console screen (for example, oacint /d1). You can verify the changes and the effects of the changes by viewing the OACINT screen.

4.13.2 Request Timeout

You can now set the OLAC Request Timeout (in number of seconds) while communicating to the OACJAVA server (for example, oacint /t15).

4.13.3 Passing the User DN

OLAC now passes the user DN to origin servers (Web servers) as part of the query string and/or header.

4.13.4 Internationalization

OLAC now supports internationalization standards. OLAC has been changed to always pass UTF-8 characters (which covers most of the charsets, including ASCII). Applications that do not interpret the UTF-8 character sets need to be changed to do so.

4.13.5 Plug-in For SecretStore Credentials

OLAC now has a plug-in for accessing a user's SecretStore credentials.

4.14 Self-Provisioning Servlets Enhancements

In addition to User Maintenance and Password Maintenance servlets (for authenticated sessions), there are two additional features that also affect the way user passwords are changed:

- Password Challenge/Response: This is "forgotten password" functionality that will allow users to create a question with a specific answer (stored as an MD5 Hash) that, when responded to correctly, will allow them to change their passwords without entering a current password.

- Password Hint: This allows users to enter a line of text that will give them a hint if they have forgotten the password.

The two features are mutually exclusive; either one of the two can be enabled at any given point in time. Both features are disabled by default.
4.15 LDAP Authentication Enhancement

A new check box on the LDAP Authentication options screen allows Basic (401) authentication as either an alternative or a substitute for the iChain login form/page. This feature allows iChain to process a request, log in the user if necessary, and return the response without having a programmer deal with login redirects or the parsing of login pages and forms. The iChain cookie is returned in response for possible use in subsequent requests.

If authorization headers are optional, the user who is not authenticated will be redirected to the standard iChain login page. If the headers are mandatory, a 401 status will be returned, the browser will request the user's credentials, and then the request will be resubmitted along with the user's credentials. In this mode, the CDA features are disabled.

We do not recommend Basic Authentication for use with users/browsers because of security issues relating to lack of control of the credentials on the wire. The primary use is anticipated to be programming-related, where the credentials can be passed in an authorization header along with a request. That way, a programmer retains control over the exposure of the credentials.

4.16 HTTP 1.1 Support

iChain is now capable of communicating with origin Web servers using the HTTP 1.1 protocol. The major features of HTTP 1.1 are implemented, although there are still some features that are not fully implemented. One of the main reasons for supporting HTTP 1.1 is to support the transfer encoding options of chunking, deflate, and gzip. Many of the large Web server products by default use these transfer encoding options. The initial release of iChain 2.1 will not support the transfer encoding options of compress and trailers. Another key HTTP 1.1 feature iChain now supports is returning content from the origin Web server based on the VARY response header.
The VARY header is used to tell a cache that the response was returned based on specific information found in the request header. An example is content that is returned based on the browser's preferred language.

4.17 Concurrent Login Restrictions

The following commands have been added to set features of concurrent login restrictions. These commands are entered from the iChain console.

Note: Concurrent Login Restrictions should not be used in a Session Broker setting. Also, after changing these options, we recommend that you reboot the iChain Proxy Server.

    set authentication limitconcurrentlogins = (yes/no)

This turns on the concurrent login restriction feature. When it is set to yes, the following two commands will control the functioning of the feature.

    set authentication maxlogins = (nonzero positive integer)

This sets the number of concurrent logins that are allowed. After the maximum number of logins is reached, a user will either be denied access, or an older instance will be logged out. In order for the concurrent login feature to function, you must set both MaxLogins as well as LimitConcurrentLogins, applying your changes each time. The following is an example of the commands you would use:

    1) Set authentication limitconcurrentlogins=yes, then Apply.
    2) Set authentication maxlogins=4 (or the number you choose), then Apply.

    set authentication logoutoldest = (yes/no)

This command determines what action to take once the maximum number of logins is reached. When set to yes, the least recently accessed connection of the user will be logged out and a new login will be performed. When set to no, the new login will be rejected with a message that indicates that the maximum number of logins has been exceeded. The default is no.

If you are using SSL as an authentication method for your accelerators, you need to make sure that the Send an error page when a Mutual SSL error occurs option is enabled.
Otherwise, users will get a blank page when they reach their authentication limits.

5.0 Legal Information

5.1 Disclaimer, Copyright, Export Notice, and Patents

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

This product may require export authorization from the U.S. Department of Commerce prior to exporting from the U.S. or Canada.

Copyright (C) 2004 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

U.S. Patent Nos. 5,349,642; 5,608,903; 5,671,414; 5,677,851; 5,758,344; 5,784,560; 5,818,936; 5,828,882; 5,832,275; 5,832,483; 5,832,487; 5,870,561; 5,870,739; 5,873,079; 5,878,415; 5,884,304; 5,913,025; 5,933,503; 5,933,826; 5,946,467; 5,956,718; 6,047,289; 6,065,017; 6,081,900; 6,105,132; 6,167,393. Patents Pending.

5.2 Trademarks

Novell, iChain, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. eDirectory, Nsure, and SecretStore are trademarks of Novell, Inc. All third-party trademarks are the property of their respective owners.