March 8, 2007
The following source provides information about Novell® Access Manager:
If you downloaded the evaluation version of Access Manager, the product expires on September 30, 2007. Access Manager will not function correctly after this date.
The file (nam3ir2.tar.gz) for Novell Access Manager 3.0 IR2 contains the files for upgrading the Administration Console, the Identity Server, the NetWare Access Gateway, and the Linux Access Gateway. You need to decompress this file into its various components.
Table 1 IR2 Upgrade Files
Linux Access Gateway SSL VPN
NetWare Access Gateway
Identity Server Administration Console SSL VPN
The existing J2EE agents have been tested to work with the IR2 update.
For the Access Gateways, you need to copy these files to a server that is accessible to your Access Gateway. For the Identity Server and the Administration Console, you need to copy the .tar.gz file to the machine where these components are installed. See Upgrading Access Manager Components.
This section briefly discusses issues addressed for IR2.
Role assignment audit events can be created during authentication to the Identity Server. You enable this on the Logging page in the Identity Server configuration by enabling the corresponding options.
Fixed the Linux Access Gateway crash which occurred while applying changes made to path-based multi-homing acceleration with SSL enabled.
The Linux Access Gateway and SSL VPN installed on the same machine can now be upgraded using the lagupgrade.sh file.
You can now register more than one static route in the Linux Access Gateway configuration through the Administration Console.
Fixed issues leading to the Linux Access Gateway crash and 100 per cent CPU utilisation, when Pin List is configured. If you had configured Pin List before upgrading the Linux Access Gateway, manually delete all the files located in the /var/novell/cca directory.
Resolved issues leading to a Linux Access Gateway crash when Identity Injection or Form Fill policies were configured with the LDAP user certificate policy.
Fixed proxy tunnelling issues.
Form Fill now injects proper credentials for duplicate LDAP attributes.
Fixed the rewriter configuration issue related to /var/novell/.rewriter. You need not create the file manually.
Enhanced rewriter functionality to work with special characters for Search and Replace.
Fixed issues leading to the Linux Access Gateway crash while receiving error responses for Form Fill requests.
You can now run the SSL VPN Applet on the Internet Explorer browser, with minor configuration changes in the web.xml file. (See “Configuring SSL VPN to Download Applet on Internet Explorer” in Configuring the SSL VPN Gateway.)
Fixed issues with the SSL VPN keepalive, which led to connection time-outs while applications were still active.
Fixed issues leading to SSL VPN connection failure, when trying to restore the backed up SSL VPN server configuration.
Fixed the issues with Gnome applet, leading to SSL VPN crash when the Gnome desktop was restarted on SLED 10.
Fixed SSL VPN upgrade.
Fixed policy.txt security issue (regarding ActiveX controls in IE) to prevent a user from gaining access to resources on a corporate LAN.
A Linux and Windows version of the J2EE Agent is now available for WebLogic from the Download Eval option on the Novell Access Manager site. Select the option to download the Application Server Agents for Windows or Linux. Each download contains all the agents for that platform. Currently, the JBoss, WebSphere, and WebLogic Agents are included in the download.
The JBoss and WebSphere Agents have not been functionally modified. If you have already installed a previous version of these agents, do not use this latest download to upgrade them. You need to wait until SP1. All agents work with the FCS, IR1, and IR2 versions of the Identity Server, Access Gateway, and Administration Console.
Telnet access no longer fails after an upgrade.
The re-import process now clears out all old configuration settings.
This section briefly discusses issues addressed for IR1.
Added management IP address to HTTP IP address translation for JGroups.
Simplified the use of JGroups JChannel by consolidating into a single Distributed Message Bus.
Fixed SAML 2.0 signing error. Artifact responses are no longer required to be signed. See TID 3903427.
In testing environments, you can disable OCSP/CRL checks for server certificates by setting the Java property com.novell.nidp.serverOCSPCRL="false".
Added functionality to send a complete list of the HTTP listening IP addresses for all cluster members when sending a configuration to the ESP.
Added prompt to specify location path of backup files. The system uses the logged-in user’s home directory as a default.
Fixed the cause of Access Manager restore error (AM#201002001: The backup file does not exist).
Added Update Servers prompt after adding or deleting reverse proxy servers.
Upgrade process now provides the default Administration Console IP address.
Added ability to restore backup without requiring the ZIP file, which contains certificates.
Fixed 404 Roma errors when configuring rewriter Additional Strings to Replace fields.
The system deletes the admin.xml and manager.xml files from tomcat webapps directory after installation.
Fixed ESP proxying using virtual addresses.
Corrected Daylight Savings Time schema.
Fixed sslMutual certificate overwriting.
The Published DNS Name for a Proxy Service may now be defined as a single name segment, that is, a name without dots.
Added viewInfo.jsp and viewInfo.php to the /unsupported directory of the Identity Server installation file. Use these files for troubleshooting identity injection. They display all the HTTP headers and query string data that is sent from the Access Gateway to the back-end server. These files should be removed from the Web server after troubleshooting is finished.
Implemented a mechanism to preserve POST data during authentication redirection. The maximum size of POST data that can be preserved in the Linux Access Gateway during authentication redirection is 50 KB. POST data above this limit is lost.
Fixed the authentication looping issue which occurred for requests sent after the session time-out.
Updated the identity data caching policy of Linux Access Gateway to match that of the NetWare Access Gateway and iChain. The identity data caching is now valid throughout the user authentication session. This reduces the page download time.
Fixed issues with Linux Access Gateway not serving the POST request when the identity injection is enabled and the Identity Server session soft time-out has been reached.
Identity injection data is no longer logged in the ics_dyn logs and lagsoapmessages.
Fixed the authentication issue with the server persistence cookie, which led to authentication failure.
Updated the cookie ID setting to fix issues with Web server persistence for path based multi-homing services.
Fixed the issue with the Linux Access Gateway not using the new certificate after applying the certificate configuration changes.
The rollover functionality has been introduced for Linux Access Gateway log files.
Fixed the Linux Access Gateway crash when the clock=pit configuration is enabled in the bootloader on VMware.
Updated the prompts and syntax in the script.
Fixed the 504 Gateway time-out error which occurred while downloading large files.
Updated the daylight savings settings to work with the changes that the USA and Australia (Perth) governments have made. To update the NetWare Access Gateway, you need to update to the Access Manager 3.0 IR1 release. Then, in the Administration Console, click > > > . The page detects the old settings and updates them to the new settings. Confirm the update, then apply the changes.
Modified NILE to support IE 7.
Fixed issues with FTP so that it works with Pure-FTPd and so that a failed file transfer times out after three minutes.
Made minor changes to the search and replace feature of the HTML rewriter.
Access Manager uses a modified version of Novell iManager, called the Administration Console. You cannot use standard iManager features or plug-ins with the Access Manager version of the product.
Ensure that you synchronize the correct date, time, and time zone settings between the Identity Servers and Access Gateways servers. You must synchronize your servers to within one minute of each other. Otherwise, you will encounter federation and session time-out errors. It is recommended that you use NTP for time synchronization.
Ensure that DNS names can be resolved.
Enable (allow) browser pop-ups for the Administration Console (administration server).
Network Address Translation routers cannot be placed between Access Manager components. All Access Manager components need to be on the same side of a NAT router.
This section discusses known issues for the Administration Console.
Changing the administrator password can result in an intruder lock-out. Do not change this password until SP1.
Certificate management commands issued from a secondary Administration Console can work only if the primary console is also running properly. Other commands can work independent of the primary console.
The iManager version used in the Administration Console is not compatible with Identity Injection or Form Fill for single sign-on.
The uninstall process for an Identity Server does not work from the CD. You must copy the uninstall.sh file from the CD or from the downloaded .tar file to the novell-access-manager-3.x directory on the server, and run the script from there.
If the Administration Console is on a different server from the Identity Server, you cannot automatically import metadata for a trusted provider. However, you can manually copy and paste the metadata. This is an SSL issue that will be fixed for SP1.
If you use SLES 10 as a user store, you will experience system performance problems and reduced functionality. This setup is not recommended.
This section discusses identity federation issues.
Most errors that occur during federation occur because of time synchronization problems between servers. Ensure that you have synchronized server settings, as described in Section 7.0, Setup Considerations. Time synchronization should be within one minute.
When the user denies consent to federate after clicking a Liberty link and logging in at the identity provider, the system displays an error page. You can ignore this error. The user should return to the service provider login page. This issue will be fixed for SP1.
If the name of a contract has any special characters other than a space, it is possible to delete the contract even if it has been assigned as the contract for a protected resource. This makes the Access Gateway unusable. Avoid naming contracts with special characters such as slashes or dashes. If you need to delete such a contract, make sure that no Access Gateway resource is using the contract.
The following sections divide the known issues into general issues that apply to both Access Gateways and into issues that are platform specific:
Both the Linux* Access Gateway and the NetWare® Access Gateway have the following issues:
If you make certificate changes on the Reverse Proxy or the Web Servers page, click the link, and then on the Configuration page cancel the changes, the Reverse Proxy ends up with an invalid certificate. Return to the page and select the old certificate. As soon as you exit the page, the certificate is pushed to the device. Because the net result is that you did not change the certificate, you do not need to restart the embedded service provider.
You should use the Schedule Changes button only when you do not need to make any other configuration changes to the Access Manager components between the time you schedule the changes and when the changes are actually applied. If an Access Gateway change is still pending when you make configuration changes to policies or the Identity Server, the configuration of your Access Gateway and its protected resources can become invalid.
The NetWare Access Gateway embeds NetWare 6.5 SP3. The following topics are known issues for this operating system and the Access Gateway:
The NetWare Access Gateway does not cache Form Fill data. Therefore, if you assign a Form Fill policy to a protected resource that uses a wildcard (*) in the URL path, the NetWare Access Gateway queries the Identity Server for Form Fill data each time a user accesses any page that matches the protected resource. It is strongly recommended that you specify a specific page when you assign a Form Fill policy to a protected resource.
The NetWare Access Gateway does cache Identity Injection and Authorization policy information for the lifetime of the user’s session, so the protected resources for these policies can use wildcards in their URL paths.
If you create a reverse proxy and configure it to use SSL (port 443) and do not select the option to, port 80 is still reserved for this reverse proxy. You cannot configure a second reverse proxy to use port 80 for HTTP until you reserve a different port, such as 81, for the first reverse proxy.
In the Administration Console, click> > .
Specify 81 (or another port other than 80) for the.
Apply your changes.
You can now create a second reverse proxy to use port 80 for the. You can also reconfigure the first reverse proxy and deselect the option. The port you have configured for HTTP redirection remains reserved for this reverse proxy.
You can push commands from the secondary Administration Console, but any commands dealing with the Certificate Authority will fail, unless you move the Certificate Authority to the secondary server.
Do not begin an Access Gateway server DNS name with a number.
To transfer files to and from the NetWare Access Gateway server when the SSH client you use for the transfer is configured with the Secure File Transfer Protocol (SFTP) enabled, you need to load ncpip.nlm and enable NCP™ for SFTP.
WARNING: Enabling NCPIP is a security risk because it opens an NCP listener on port 524 on all bound addresses; the SET commands below restrict that listener to the loopback address.
To set up and configure NCPIP, add the following to the tune.ncf file:
load ncpip.old
SET NCP Exclude Addresses = ALL
SET NCP Include Addresses = 127.0.0.1
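As an added example (not from the Novell readme), the following Python script audits a tune.ncf fragment for the NCPIP settings above: it flags any fragment that loads ncpip without excluding all addresses and including only 127.0.0.1, so that a review of a gateway's startup file catches an NCP listener left exposed on a LAN address. It assumes NCF files hold one console command per line and that a line starting with # is a comment; the sample fragments are constructed.

```python
# Added example: audit a NetWare tune.ncf fragment for the NCPIP loopback-only
# configuration described in the readme. Not part of the Novell product.
# Assumptions: one console command per line; lines beginning with '#' are comments;
# command names and the ALL keyword are matched case-insensitively.
import re
from dataclasses import dataclass, field
from typing import List, Optional

LOOPBACK = "127.0.0.1"

# "load ncpip", "load ncpip.nlm" or "load ncpip.old" all load the NCP-over-IP module.
_LOAD_RE = re.compile(r"^\s*load\s+ncpip(\.\w+)?\b", re.I)
# SET NCP Include/Exclude Addresses = <comma-separated list or ALL>
_SET_RE = re.compile(
    r"^\s*set\s+ncp\s+(include|exclude)\s+addresses\s*=\s*(.*?)\s*$", re.I
)


@dataclass
class NcfAudit:
    ncpip_loaded: bool = False
    exclude: Optional[str] = None
    include: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_ncf(text: str) -> NcfAudit:
    """Collect the NCPIP-related commands from an NCF fragment."""
    audit = NcfAudit()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _LOAD_RE.match(line):
            audit.ncpip_loaded = True
            continue
        m = _SET_RE.match(line)
        if m:
            which, value = m.group(1).lower(), m.group(2)
            if which == "exclude":
                audit.exclude = value
            else:
                audit.include = [a.strip() for a in value.split(",") if a.strip()]
    return audit


def audit_ncf(text: str) -> NcfAudit:
    """Return the parsed settings plus findings; no findings means the fragment
    matches the readme's loopback-only configuration (or never loads NCPIP)."""
    audit = parse_ncf(text)
    if not audit.ncpip_loaded:
        return audit  # nothing listens on 524 if NCPIP is not loaded
    if (audit.exclude or "").upper() != "ALL":
        audit.findings.append(
            "NCP Exclude Addresses must be ALL so that only the include list listens"
        )
    if not audit.include:
        audit.findings.append("no NCP Include Addresses; the listener is not confined to loopback")
    extra = [a for a in audit.include if a != LOOPBACK]
    if extra:
        audit.findings.append("NCP listener exposed on non-loopback addresses: " + ", ".join(extra))
    return audit


# Constructed sample fragments for demonstration.
SAFE_NCF = """\
# tune.ncf fragment as given in the readme
load ncpip.old
SET NCP Exclude Addresses = ALL
SET NCP Include Addresses = 127.0.0.1
"""

EXPOSED_NCF = """\
# constructed: no exclude list, and a LAN address in the include list
load ncpip.old
SET NCP Include Addresses = 127.0.0.1, 10.0.0.5
"""

if __name__ == "__main__":
    for name, fragment in (("safe", SAFE_NCF), ("exposed", EXPOSED_NCF)):
        result = audit_ncf(fragment)
        print(name, "OK" if result.ok else "; ".join(result.findings))
```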
The system produces a large amount of logger screen activity under the following conditions:
The Identity Server and the NetWare Access Gateway server are out of time sync
The event log is too large and users attempt to log in to a protected resource
Pressing F5 to clear the screen either during the events or after several have been logged results in an abend.
Novell supports only UTF-8 encoding (UCS Transformation Format 8) and ISO 8859-1. Otherwise, Form Fill translations to the SSO data store cannot be guaranteed.
You specify in the BIOS the mode to use for the IDEATA.HAM driver to work with a SATA controller (Legacy or Compatible mode, or Enhanced mode). You do not need to manipulate the driver or the OS.
The IDESATA.HAM driver works with all AHCI controllers in pure AHCI mode, which is the recommended mode because it is the fastest. This driver is invoked instead of IDEATA.HAM only when the BIOS setting for the particular chipset is set to AHCI.
If you set up an X.509 contract and use it to authenticate from NetWare Access Gateway, you might see an error generated in the Identity Server log for certificate or SSL mutual authentication. This occurs during SSL re-negotiation between Tomcat and the Internet Explorer browser, and is possibly an IE bug. This error does not occur when using Firefox. The Access Gateway can cause the error at the Identity Server by requesting the certificate authentication from the Identity Server, but it is not the only device that can cause the error. Any device requiring or requesting certificate authentication from the Identity Server, including the Identity Server itself, can cause the error. It is cosmetic.
NetWare abends can occur when using Novell Remote Manager Group Operations on a NetWare Access Gateway. We recommend that you do not use Novell Remote Manager on a NetWare Access Gateway.
This section discusses the known issues that apply to the current release of the Linux Access Gateway.
When the Linux Access Gateway sends an HTTP request to a NetWare 6.5 pre-SP3 Web server, it closes the connection after the SSL handshake.
Problem: The Linux Access Gateway might randomly fail to execute the following command:
Solution: Use the following commands to shut down and restart the Linux Access Gateway:
killall -9 vmcontroller
killall -9 ics_dyn
/etc/init.d/novell-vmc start
When you purge cache from the Administration Console, the system randomly displays Failed status even though the action is successful.
Zip, PDF and BMP files do not open if you try to open them directly from the Internet Explorer browser. However, you can save the files to your local disk and open them.
If you want to open the files directly from the Internet Explorer browser:
In the Administration Console, click.
Click the name of the reverse proxy. The Reverse Proxy page is displayed.
Click the reverse proxy service. The Reverse Proxy Service page is displayed.
Click, then click .
During installation, if you configure the hostname as Linux, the Linux Access Gateway is not imported.
If you have configured changes to the rewriter profile and the changes are not reflected after you apply them, restart the Linux Access Gateway. If you must make frequent changes to the rewriter profile and want to avoid restarting the Linux Access Gateway, create an empty file /var/novell/.rewriter before you restart the Linux Access Gateway.
The Pin List functionality does not work for the Linux Access Gateway.
Web server persistence in path-based multi-homing does not work. If you have configured path-based multi-homing, do not accelerate multiple Web servers.
You cannot configure more than four paths under a single path-based sub service.
The Linux Access Gateway requires both the server certificate and the root CA to be present in the trusted roots imported from Web servers. If the trusted root imported from the Web server displays only the server certificate, select the corresponding option from the drop-down list when you are configuring SSL between the proxy service and the Web servers. For more information, see the Novell Access Manager 3.0 Administration Guide.
If you have configured multiple Web servers accelerated by a single reverse service, the browser might randomly hang while trying to authenticate. If this happens, clear cookies and retry.
The following are known issues for the J2EE* agent.
Novell supports JBoss 4.0.3 SP1, WebLogic 9.2, and WebSphere* 22.214.171.124. JBoss 4.0.5 is the current JBoss release, and there are known issues with logging.
Problem: The JBoss server is installed using the Jboss Installer .jar file. When the J2EE agent is installed, the agent cannot configure JACC. Authorization does not work after the J2EE agent is configured.
Solution: The JBoss server has a slightly different configuration when set up from one of the compressed JBoss downloads ( tar.gz or zip). Use one of these downloads with the Default or All configurations option.
This is a bug with JBoss. Restarting does not fix this issue. If you want to restrict access to SSL on JBoss, disable the HTTP port in JBoss and enable only the SSL port or configure SSL in the web.xml file. WebSphere and WebLogic do not have a problem with enforcing SSL.
Problem: If WebSphere is running with additional Java 2 security checks, it cannot import into the Administration Console.
Solution: In the WebSphere console, turn off the additional Java 2 security checks or create a policy that grants full access to the nesp application.
The following are known issues for SSL VPN:
The Macintosh* Tiger OS client does not support GroupWise 7.0.
In Linux, you cannot access the protected HTTP traffic on another instance of the browser used to connect to the SSL VPN gateway. For example, if you have used the Firefox browser to connect to the SSL VPN gateway, you cannot access the protected HTTP traffic on another instance of Firefox. However, you can use another browser, such as Mozilla, to access the protected resource.
In Linux, applications listed in the Program Menu are not SSLized.
Domain name search does not work for non-administrators. The user must be an administrator in Windows* and a root user in Linux and Macintosh.
Applications that are opened before the start of SSL VPN are not SSLized in Linux and Macintosh.
To enable SSL on the terminals that were opened before the start of SSL VPN, do the following:
Run tcsh at the tcsh or csh shell.
Run bash at the bash shell.
In SSL VPN, the active mode FTP does not work through the Stunnel.
The following are known issues for certificates:
After you create a new certificate, the subject name on the Certificates page might be displayed with slashes. This is cosmetic and does not affect functionality. When you export or import the certificate, the slashes are not present. This issue will be fixed for SP1.
The Access Gateway does not support importing certificates in JKS format. If you have a private/public key pair in JKS format, you must convert this certificate to PKCS12 (*.pfx or *.p12) format before importing it into Access Manager and assigning it to a device. If you try to import a certificate in the JKS format, you receive a -1403 error. This issue will be fixed in SP1.
In some combinations of Linux and Firefox*, you might see the Browse button display incorrectly in the Import Private/Public Keypair window. This does not affect functionality.
Web applications accessed through path-based multi-homing proxy services with the option enabled are likely to cause problems. We recommend that the Novell Web applications not be used with this configuration. Other types of multi-homing proxy services can be used.
Investigation into a solution for this problem is in progress. In the meantime, do not enable the option.
Support for NetIdentity as a means of authentication to a proxy service has been removed. Background authentication to a proxy service using NetIdentity no longer works. This also impacts interoperability with ZENworks® for Desktops.
NOTE: NetIdentity can still be used for background authentication to accelerated Web applications such as NetStorage after proxy login has occurred manually.
WebDAV methods used to establish a connection are not supported through proxy services to a protected resource that requires authentication. The connection fails and an error message is returned from the Access Gateway. You can use WebDAV for public resources, SSL VPN, or a tunnel.
You cannot configure eGuide for simultaneous logout from the Access Gateway. You can create a Form Fill policy to provide simultaneous logout.
The IDM portal has the following issues:
Identity Injection: A Java* exception occurs when you set up an Identity Injection policy for the URL of the login portlet (http://hostname:port/IDM/portal/portlet/IDMLoginPortlet). When using Identity Injection for single sign-on, use the URL of the guest page (http://hostname:port/IDM) instead of specifying the full path.
Calendar Portlet: The Calendar portlet does not work with Access Gateway. You can use the GroupWise WebAccess portlet instead of the Calendar portlet.
Intermittent Time-outs: Intermittent time-outs can occur when you are using the Webmail portlet protected by a Linux Access Gateway. The user can refresh the browser or retry the failed operation.
GroupWise Mail Portlet: The GroupWise Mail portlet returns a cookie path value of /servlet/webacc instead of /gw/webacc as configured. This causes the user to be prompted for authentication when performing actions such as creating a new mail message. You can use the GroupWise WebAccess portlet instead of the GroupWise Mail portlet.
NetWare Access Gateway: The Novell iFolder® 2 synchronization traffic uses POST packets. Session idle time-out is not affected by POSTs, so the authenticated session expires despite synchronization activity. Full re-authentication occurs (in the background) on the next synchronization interval after expiration. This behavior does not affect the user experience and seems to cause no problems except the extra traffic and overhead.
Linux Access Gateway: The iFolder 2 fat client cannot connect through a Linux Access Gateway reverse proxy with a protected resource. You can use the SSL VPN, a public resource, or a tunnel to provide access.
Fat Client: The iFolder 3.2 fat client cannot connect to a reverse proxy with a protected resource. You can use the iFolder 3.2 Web Access feature instead of the iFolder client.
Simultaneous Logout: You cannot configure iFolder Web Access for simultaneous logout from the Access Gateway. You can create a Form Fill policy to provide simultaneous logout.
The iFolder 3.4 Linux client cannot connect through an Access Gateway reverse proxy with a protected resource.
iPrint is not supported through Access Gateway.
Single Sign-On: You cannot configure iManager 2.6 for single sign-on through an authorization header. You can create a Form Fill policy to provide single sign-on.
Simultaneous Logout: You cannot configure iManager 2.6 for simultaneous logout from Access Gateway. You can create a Form Fill policy to provide simultaneous logout.
Credentials for URLs with a colon appear to be recorded, but they are not displayed in CASA Manager.
The SecureLogin client does not detect the Identity Server login form when the browser has been redirected from the Access Gateway for authentication. Direct logins from the browser to the Identity Server work properly.
NetIdentity: Because Access Manager does not support NetIdentity, the ZENworks for Desktops agent and plug-ins cannot connect to a Middle Tier Server through an Access Gateway protected resource that requires authentication. The ZENworks for Desktops agent and plug-ins can connect to the Middle Tier Server through an Access Gateway tunnel or a public protected resource.
SSL VPN: The ZENworks for Desktops agent and plug-ins cannot connect to the Middle Tier Server through an SSL VPN. The ZENworks for Desktops agent and plug-ins can connect to the Middle Tier Server through an Access Gateway tunnel or a public protected resource.
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2006-2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell is a registered trademark of Novell, Inc. in the United States and other countries.
SUSE is a registered trademark of Novell, Inc., in the United States and other countries.
All third-party trademarks are the property of their respective owners.