Plugins not working correctly in iManager after applying iManager 2.7 SP6 Patch 1

  • 7012959
  • 30-Jul-2013
  • 15-Apr-2014

Environment

NetIQ iManager 2.7 SP6 Patch 4
NetIQ iManager 2.7 SP7

Situation

Plugins work fine on iManager 2.7 SP6.  However, after applying iManager 2.7 SP6 Patch 1 some plugins are not displaying data correctly:
 
- Cannot add, modify, or delete a class or attribute mapping on an LDAP group object
- Clustering plugin is not displaying data
- Plugins are not showing values in pop-up screens
- Java IO exceptions are seen when using the plugin
- When using the IDM plugin the following error is observed:
Potential CSRF(Cross-site Request Forgery) detected against /nps/servlet/frameservice?taskId=DirXML.Overview

Resolution

Patch 1 includes a required security enhancement that uses tokens to prevent cross-site request forgery (CSRF).  The token check has been implemented in the iManager framework, but it also needs to be implemented in each plugin.
 
Option 1:  Use iManager's self update feature to get the latest plugin.
 
Option 2:  If the problematic plugin does not yet have an update, the iManager AntiCSRF filter can be disabled.  The procedure for doing this is below.
Please note: the following procedure disables the new Tomcat Anti-CSRF filter.  This results in reduced protection from security vulnerabilities.  Please ensure the filter is turned back on once the plugin has been updated and works correctly.
 
1. Stop Tomcat.
/etc/init.d/novell-tomcat7 stop
 
2. Open /var/opt/novell/iManager/nps/WEB-INF/web.xml file.
 
3. Comment out the filter configuration shown below in the web.xml file and save the file.
(TOMCAT_HOME\webapps\nps\WEB-INF\web.xml)
 
Two sections will be commented out.
 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <!-- **************************************************************************************************************** -->
    <!-- ********** There are two web.xml files (web.xml, webxmlfornpswar.xml). ********** -->
    <!-- ********** Make changes in all files ********** -->
    <!--        NOTE webxmlfornpswar.xml contains <security-constraints>, web.xml does not    -->
    <!-- **************************************************************************************************************** -->
    <display-name>Novell iManager 2.7</display-name>
    <description>Novell's Management Console</description>
<!--
    <filter>
        <filter-name>iManagerAntiCsrfFilter</filter-name>
        <display-name>iManagerAntiCsrfFilter</display-name>
        <description>Filter to prevent Cross Site Request Forgeries</description>
        <filter-class>com.novell.emframe.fw.filter.AntiCsrfServletFilter</filter-class>
    </filter>
-->
    <filter>
        <filter-name>XSS</filter-name>
        <display-name>XSS</display-name>
        <description></description>
        <filter-class>com.novell.emframe.fw.filter.CrossScriptingFilter</filter-class>
    </filter>
<!--
    <filter-mapping>
        <filter-name>iManagerAntiCsrfFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
-->
    <filter-mapping>
        <filter-name>XSS</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
---------------------------------------- 
 
5. Restart/start Tomcat.
/etc/init.d/novell-tomcat7 start
Please make sure the filter entry is correctly commented out; otherwise Tomcat will not start.
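
An added check for the procedure above (example code, not part of the original article or the product): it parses a web.xml and reports whether the iManagerAntiCsrfFilter filter and filter-mapping sections are both active, both commented out, or mismatched, so the filter can be confirmed as re-enabled once the plugin is updated. The `sample` input is constructed; on a real system pass the bytes of the web.xml file named in step 2.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "iManagerAntiCsrfFilter"  # filter name from the web.xml shown above
SECTIONS = ("filter", "filter-mapping")

def _count(root):
    """Count <filter> / <filter-mapping> elements that name the anti-CSRF filter."""
    return {tag: sum((el.findtext("filter-name") or "").strip() == FILTER_NAME
                     for el in root.iter(tag)) for tag in SECTIONS}

def csrf_filter_state(web_xml: bytes) -> dict:
    """Report which anti-CSRF sections of a web.xml are active or commented out."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(web_xml, parser=parser)
    active = _count(root)
    commented = dict.fromkeys(SECTIONS, 0)
    for node in root.iter():
        if node.tag is not ET.Comment:
            continue
        try:  # a comment holding disabled markup parses as an XML fragment
            fragment = ET.fromstring("<c>" + (node.text or "") + "</c>")
        except ET.ParseError:
            continue  # prose comment, e.g. one mentioning <security-constraints>
        for tag, n in _count(fragment).items():
            commented[tag] += n
    if all(active.values()):
        verdict = "enabled"       # filter declared and mapped: tokens are checked
    elif not any(active.values()):
        verdict = "disabled"      # both sections off: the Option 2 state
    else:
        verdict = "inconsistent"  # only one section active: fix before starting Tomcat
    return {"verdict": verdict, "active": active, "commented": commented}

def sample(filter_on: bool, mapping_on: bool) -> bytes:
    """Constructed web.xml excerpt; False wraps that section in an XML comment."""
    def wrap(on, xml):
        return xml if on else "<!--\n" + xml + "\n-->"
    name = "<filter-name>" + FILTER_NAME + "</filter-name>"
    cls = "<filter-class>com.novell.emframe.fw.filter.AntiCsrfServletFilter</filter-class>"
    parts = ["<web-app>",
             "<!-- NOTE webxmlfornpswar.xml contains <security-constraints> -->",
             wrap(filter_on, "<filter>" + name + cls + "</filter>"),
             wrap(mapping_on, "<filter-mapping>" + name + "<url-pattern>/*</url-pattern></filter-mapping>"),
             "</web-app>"]
    return "\n".join(parts).encode()

if __name__ == "__main__":
    for state in [(True, True), (False, False), (False, True)]:
        print(state, csrf_filter_state(sample(*state)))
```

A verdict of "disabled" on a server whose plugins have since been updated means the two comment markers from step 3 are still in place and should be removed.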
 
 
-------------------------------------------------------------------------------------------------------------------
 
Some customers have reported that their plugins continue to not work properly even after disabling the filter.  In that case, please do one of the following.
 
A.  Clear the browser cache then close and restart browser.
B.  It appears that, in some cases, the plugin is downloaded but the JSP file is not recompiled during the install.  This is due to a later timestamp on the existing iManager instance.  The following steps will force a recompile:
 
- Stop Tomcat  (rcnovell-tomcat6 stop)
- Rename the folder /var/opt/novell/tomcat6/work/Catalina/localhost/nps to /var/opt/novell/tomcat6/work/Catalina/localhost/nps-old
- Start Tomcat  (rcnovell-tomcat6 start)
 
Note:  replace the Tomcat version number (the x in tomcat(x)) with either 6 or 7, depending on your platform.