May 5, 2009
The following sources provide information about Novell® Access Manager:
Access Manager Support For TIDs and Cool Solution articles, select for the and select in the options.
Your system must be upgraded to 3.1 before applying this patch release. For installation and version information for 3.1, see the Access Manager 3.1 Readme.
The patch files for upgrading the components to the IR2 release can be downloaded from the Novell Downloads Web site. This patch contains the following files:
Table 1 Access Manager 3.1 IR2 Patch Files
The following sections explain how to upgrade the various components:
If the Identity Server and Administration Console are installed on the same machine, both components are patched. If you are planning to add an Identity Server to an Administration Console machine, you should add the 3.1 Identity Server before applying the patch.
Log in as root on the machine you need to patch.
Copy the AM_31_IR2_IdentityServer_Upgrade_Linux.tar.gz file to the machine and unpack it.
When the file is unpacked, you should see a manifest file, a nampatch.sh install script, and a patchIR2 directory. These three items need to be in the same directory.
From this directory, enter the following command:
./nampatch.sh
This patch installer does the following:
It warns connected users that services are being restarted.
If you have installed your Identity Server and Administration Console on the same machine, it detects this and patches both components.
Events from the patch process are logged to a file in the /tmp directory.
A backup of the files that are being replaced is stored in the $HOME directory.
(Optional) Verify the upgraded version number:
If the Identity Server and Administration Console components are installed on the same machine, both components are patched. If you are planning to add an Identity Server to an Administration Console machine, you should add the 3.1 Identity Server before applying the patch.
Log in as an administrator on the machine you need to patch.
Copy the AM_31_IR2_IdentityServer_Upgrade_Windows.exe file to the machine.
Execute the file.
Click .
Accept the license, then click .
Review the installation summary, then click .
The patch installer performs the following tasks:
Stops the services, including Tomcat.
Replaces JAR files specific to the component. If you have installed your Identity Server and Administration Console on the same machine, it detects this and patches both components.
Backs up the JAR files that are replaced to the C:\Program Files\Novell\patch directory.
Click .
The patch installer starts the services, including Tomcat.
(Optional) Verify the upgraded version number:
As long as the original ZIP file in the patch directory exists, you can uninstall the patch. To uninstall the patch:
Click > .
Select the .
Click .
The services are stopped and the JAR files in the patch directory are restored.
Click .
The services are started, including Tomcat. The restored files are given the date and time of the restore rather than their build date and time.
NOTE: The Linux Access Gateway 3.1 IR2 patch file, which is approximately 290 MB, is bigger than the 3.0 IR patch file. This is primarily because of the inclusion of the latest Tomcat files and JDK* in this patch.
Even though this patch file is large, it is just a patch. Your Linux Access Gateway must be upgraded to Access Manager 3.1 before you can install this patch.
Before you upgrade the Linux Access Gateway Appliance, the file (AM_31_IR2_lagrpms.tar.gz) needs to be renamed. In the download, it needs to have a version-specific name, but to use it in an upgrade, it needs the generic name. It should be renamed as follows:
AM_31_IR2_lagrpms.tar.gz renamed to lagrpms.tar.gz
For more information on the various methods for upgrading the Linux Appliance, see “Upgrading the Linux Access Gateway” in the Novell Access Manager Installation Guide.
When it is upgraded to 3.1 IR2, the Linux Access Gateway Appliance displays the following version:
3.1.0.431
If SSL VPN is installed along with the Linux Access Gateway, you can patch the server by using the lagupgrade.sh upgrade script. For more information, see “Upgrading the Linux Access Gateway” in the Novell Access Manager Installation Guide.
If SSL VPN is installed on a separate machine or along with the Identity server, follow the steps given below to install the patch file:
Untar the tar.gz file using the following command:
tar -xzvf <filename>
Replace <filename> with the actual filename of the SSL VPN IR2 patch file. For more information on the actual filename, see Table 1, Access Manager 3.1 IR2 Patch Files.
The tar file contains the SSL VPN IR2 RPMs and the upgrade script sslvpn-upgrade.sh.
Log in as root.
Run the following upgrade script to patch the SSL VPN server:
sh sslvpn-upgrade.sh
The SSL VPN server is upgraded to the IR2 patch version.
When it is upgraded to 3.1 IR2, the SSL VPN server displays the following version:
novl-sslvpn-3.1.0-213.noarch.rpm
novl-sslvpn-servlet-3.1.0-431.noarch.rpm
For devices configured to generate audit events (an Identity Server or an Access Gateway):
Add the following two lines to the logevent.conf file in the /etc directory (Linux) or the logevent.cfg file in the C:\Windows directory (Windows):
LogCachePort=1288
LogEnginePort=289
IMPORTANT: If you have configured the audit server to use a port other than 289, specify that port in the LogEnginePort line.
Reboot the machine.
Restarting the Identity Server or Access Gateway is not enough. The operating system needs to be rebooted.
If your Identity Server is installed on the same machine as the Administration Console, you can make this modification, but it is not required for the lcache module of the Audit Platform Agent to start. It is required if the Identity Server is installed without the Administration Console.
For more information about this file, see “Configuring the Platform Agent”.
Failure to make this modification causes the lcache module to fail, which in turn degrades the performance of Access Manager. The most noticeable effect is longer login times.
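The logevent.conf change described above can be applied repeatably on Linux with a small check-then-append script. This is an added example, not Novell code: the function name ensure_audit_ports is hypothetical, and it assumes the file uses plain key=value lines. It leaves an existing LogEnginePort value in place (for audit servers on a port other than 289) and saves a .bak copy before editing.

```shell
#!/bin/sh
# Added example, not Novell code. Ensures the two audit port settings named
# in this readme exist in logevent.conf, without duplicating existing keys.
#
# ensure_audit_ports FILE [ENGINE_PORT]
#   ENGINE_PORT defaults to 289; pass the audit server's port if it differs.
#   Prints "changed" or "unchanged". Returns 1 if FILE does not exist.
ensure_audit_ports() {
    conf=$1
    engine_port=${2:-289}
    missing=""

    [ -f "$conf" ] || { echo "not found: $conf" >&2; return 1; }

    for setting in "LogCachePort=1288" "LogEnginePort=$engine_port"; do
        key=${setting%%=*}
        want=${setting#*=}
        if grep -q "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
            # Key already present: keep the administrator's value, flag a mismatch.
            have=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1)
            [ "$have" = "$want" ] || echo "note: $key is '$have', expected '$want'" >&2
        else
            missing="$missing $setting"
        fi
    done

    if [ -z "$missing" ]; then
        echo unchanged
        return 0
    fi

    # Back up before editing, then make sure the file ends with a newline
    # so the appended settings do not get glued onto the last line.
    cp -p "$conf" "$conf.bak" || return 1
    [ -z "$(tail -c 1 "$conf")" ] || echo >> "$conf"
    for setting in $missing; do
        echo "$setting" >> "$conf"
    done
    echo changed
}
```

Call it as ensure_audit_ports /etc/logevent.conf (add the audit server's port as a second argument if it is not 289), then reboot the machine as the procedure requires.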
The J2EE agents cannot be upgraded to IR2. They can only be reinstalled. To reinstall, you need to remove the agent, then install the new version. For more information, see the Novell Access Manager Agent Guide.
Fixed a security vulnerability that permitted access to the system files from the Administration Console.
Fixed an issue that caused the editing of policies to become slower and slower.
Fixed a login issue that caused the request to lose its target if the user waited too long and the session timed out before the user entered the login credentials.
Fixed an issue with SAML 2 and OpenSSO so that the Identity Server more accurately reports integration issues.
Fixed a 404 status error that occurred when persistence between the Access Gateway and the Web servers was disabled.
Fixed a Form Fill issue that caused only a portion of a Java* script specified in the option to be saved.
You can now change the name of the Linux Access Gateway proxy session cookie sent to the back-end Web server to match the iChain® session cookie by using the following touch file:
/var/novell/.matchLagIchainCookieName
Fixed issues with remote desktop connections established through the Linux Access Gateway TCP tunnel.
Fixed the resource leak issue in novell-vmc.
Fixed issues in converting double byte characters in Linux Access Gateway broker redirection.
Fixed a memory leak issue that occurred after updating the authorization library.
Fixed some issues with reporting the correct version on the > page.
Fixed an issue in redirecting a browser to the SSL VPN URL when the Citrix* server is enabled for single sign-on.
Fixed an issue with the security level check when a service attribute is configured for the client integrity check.
Fixed an error that occurred when trying to configure a registry entry for a client integrity check.
Fixed an issue that caused backups to fail on a primary console that was promoted from a secondary console.
Fixed an issue that caused an upgrade to fail when the install.sh script was run from a CD.
Fixed an issue that prevented the administrator from receiving a notice that the Identity Server needed to be updated when the cluster is assigned to an Access Gateway.
Fixed an issue that caused upgrading policies from 3.0 to 3.1 to fail.
Fixed an issue with customizing login pages.
Fixed an issue with the ctarget parameter.
Fixed an upgrade problem that caused extra files to be restored.
Fixed a SAML2 issue with the format parameter so that it is now an optional parameter.
Fixed an issue so that assertion messages appear in the log files for WS Federation and CardSpace.
Fixed a few issues with machines that had 4 GB RAM. If the Linux Access Gateway was already imported, these issues sometimes caused the server to fail. In new installations, the Linux Access Gateway sometimes failed to import.
The Client Integrity Check policy now has the capability to verify if a Windows service is running or not.
The number of active SSL VPN connections is now properly displayed in the Administration Console.
The SSL VPN connection is now terminated if the user deletes any of the CIC resources after the SSL VPN connection is established.
Fixed an OpenVPN connection error related to the TUN adapter, which caused the SSL VPN connection to fail on Windows Vista* 64-bit servers.
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.