This Readme describes the Novell Access Manager 3.1 SP4 IR1 release.
The following sources provide information about Novell Access Manager:
Access Manager Support. For TIDs and Cool Solutions articles, select for the and in the options.
Log in to the Novell Customer Center and follow the link that allows you to download the software.
The following files are available:
Filename | Description |
---|---|
AM_31_SP4_IR1_IdentityServer_Linux32.tar.gz | Contains the Linux Identity Server, the Linux Administration Console, the ESP-enabled SSL VPN Server, and the Traditional SSL VPN. |
AM_31_SP4_IR1_IdentityServer_Win32.exe | Contains the Windows Identity Server and Windows Administration Console for Windows 2003. |
AM_31_SP4_IR1_IdentityServer_Win64.exe | Contains the Windows Identity Server and Windows Administration Console for Windows 2008. |
AM_31_SP4_IR1_AccessGatewayAppliance_Linux_SLES11.tar.gz | Contains the upgrade RPMs for the SLES 11 version of the Access Gateway Appliance and the Traditional SSL VPN. |
AM_31_SP4_IR1_AccessGatewayAppliance_Linux_SLES9.tar.gz | Contains the upgrade RPMs for the SLES 9 version of the Access Gateway Appliance and the Traditional SSL VPN. |
AM_31_SP4_IR1_AccessGatewayService_Win64.exe | Contains the Access Gateway Service for Windows Server 2008 R2 with a 64-bit operating system. |
AM_31_SP4_IR1_AccessGatewayService_Linux64.bin | Contains the Access Gateway Service for SLES 11 with a 64-bit operating system. |
AM_31_SP4_IR1_ApplicationServerAgents_AIX.bin | Contains the Agents service for the AIX platform. |
AM_31_SP4_IR1_ApplicationServerAgents_Linux.bin | Contains the Agents service for the Linux platform. |
AM_31_SP4_IR1_ApplicationServerAgents_Solaris.bin | Contains the Agents service for the Solaris platform. |
AM_31_SP4_IR1_ApplicationServerAgents_Windows.exe | Contains the Agents service for the Windows platform. |
For upgrade and installation information:
You can upgrade to the Access Manager 3.1 SP4 IR1 release from either 3.1 SP3 IR2 or 3.1 SP4.
Table 1 Supported Upgrade Paths for 3.1 SP4 IR1
Source | Target |
---|---|
3.1 SP3 IR2 | 3.1 SP4 IR1 |
3.1 SP4 | 3.1 SP4 IR1 |
Before you upgrade to 3.1 SP4 IR1, it is important to verify the current version of Access Manager. To verify that your components are running 3.1 SP3 IR2, see Verifying That You Are on 3.1 SP3 IR2.
For instructions on upgrading from 3.1 SP3 IR2, see Upgrading Access Manager Components.
Before you upgrade to 3.1 SP4 IR1, it is important to verify the current version of Access Manager. To verify that your components are running 3.1 SP4, see Verifying That You Are on 3.1 SP4.
For instructions on upgrading from 3.1 SP4, see Upgrading Access Manager Components.
For the Access Manager Administration Console, the Identity Server, the Linux Access Gateway Appliance, the Access Gateway Service, and the SSL VPN installation instructions, see the Novell Access Manager 3.1 SP4 Installation Guide.
To confirm that you are on Access Manager version 3.1 SP3 IR2, do the following.
In the Administration Console, click
> >Examine the value in the
field to verify that the component version is 3.1 SP3 IR2.
Component | Version |
---|---|
Administration Console | 3.1.3.292 |
Identity Server | 3.1.3.292 |
Linux Access Gateway | 3.1.3.292 |
Access Gateway Services | 3.1.3.292 |
SSL VPN | 3.1.3.292 |
To confirm that you are on Access Manager version 3.1 SP4, do the following.
In the Administration Console, click
> >Examine the value in the
field to verify that the component version is 3.1 SP4.
Component | Version |
---|---|
Administration Console | 3.1.4.27 |
Identity Server | 3.1.4.27 |
Linux Access Gateway | 3.1.4.27 |
Access Gateway Services | 3.1.4.27 |
SSL VPN | 3.1.4.27 |
When you have finished upgrading your Access Manager components to 3.1 SP4 IR1, verify that they have all been upgraded.
In the Administration Console, click
> >Examine the value in the
field to verify that the component has been upgraded to 3.1 SP4 IR1.
Component | Version |
---|---|
Administration Console | 3.1.4.57 |
Identity Server | 3.1.4.57 |
Linux Access Gateway | 3.1.4.57 |
Access Gateway Services | 3.1.4.57 |
SSL VPN | 3.1.4.57 |
The key for the high-bandwidth SSL VPN server does not ship with the product because of export laws and restrictions. The high-bandwidth version does not have the connection and performance restrictions that are part of the version that ships with the product. Your regular Novell sales channel can determine if the export law allows you to order the high-bandwidth version at no extra cost.
After you have obtained authorization for the high-bandwidth version, log in to the Novell Customer Center and follow the link that allows you to download the high-bandwidth key.
The following bugs are fixed between the 3.1 SP4 and 3.1 SP4 IR1 releases:
Fixed an issue where running the install.sh script on a 64-bit platform displays an error. The error message states to install the Audit Server on a separate server.
Fixed an issue where carriage returns and line feeds in a URL generated by a custom web application were not supported.
Fixed an issue where the Auto-submit functionality stopped working with the touch files /var/novell/.enableInPlaceSilentFill and /var/novell/.enableInPlaceSilentFillNew.
Fixed an issue that caused random process restarts while rewriting extended characters in a web page.
Fixed a potential cross-site scripting issue with the Linux Access Gateway redirects from HTTP to HTTPS where an HREF element was included in the returned page.
Fixed an issue where downloading files larger than 1.5 GB in size caused the proxy to crash.
Fixed an issue where the ics_dyn process showed high CPU utilization.
Fixed a proxy crash that occurred when a protected resource with the Form-Fill policy enabled used wildcards in the URL.
Fixed an issue with rewriting of the Referer HTTP header after an upgrade from version 3.1 SP2 to version 3.1 SP3.
Fixed an issue with service selection in path based multihoming when multiple slashes (/) were present in the service configuration.
Fixed an issue when disabling the
option led to problems in accessing the applications.
Fixed an issue with session persistence in the backend servers.
Fixed the TCP time out issue in tunneling under heavy load.
Fixed an issue to display the correct error codes in the browser for authentication failures.
Fixed an issue with the custom LDAP user store plug-in while upgrading from version 3.1 SP1 to version 3.1 SP2.
Fixed an issue to display the correct message when the user password expires.
Fixed an issue where the non-localized User-Agent did not go back to the default language.
Fixed an issue to display the LogoutSuccess page when you access AGLogout with a third-party SAML 2.0 service provider (SAML 2.0 SP). SAML 2.0 SP supports only front channel logout.
On the Linux Access Gateway Appliance, support for unknown HTTP methods is provided with the help of the /var/novell/.AllowUnknownHTTPMethods touch file.
For more information on touch files, see Using Touch Files.
The Linux Access Gateway Appliance supports extended logging. The Access Gateway Service also supports extended logging, but it uses the log profile of the parent and ignores the log profile assigned to the path.
All the role policies for LDAP connections go to a single replica instead of going to different replicas. This causes an issue in load balancing.
When the
and options are enabled, the SAML 2.0 response is missing a few attributes in the assertion. To work around this issue, do the following:
In the Administration Console,
.
Under the Security section, deselect the following check boxes:
Encrypt assertions
Encrypt name identifiers
Click
to confirm the changes.
When you cancel the changes made to the Access Gateway configuration from the
tab you are prompted to do an . This occurs when you navigate to the Access Gateway Servers page by using the Bread Crumbs feature.
To work around this issue, cancel the configuration changes and navigate to the Access Gateways Servers page by using the
button.
The query parameters to the logout URL are ignored when the WS-Federation authentication is involved. Customizing the logoutSuccess.jsp file to use these query parameters does not work.
To work around this issue, customize the logoutSuccess.jsp file to use query parameters passed into /nidp/app/logout.
When the passwordFetch class is executed and you send an LDAP user attribute query, the query goes to the password fetch directory instead of the user store which is used for user authentication.
When you create a user by using the
option, the following error is displayed:
/base/CrtUserAcctAJAXSuccess.jsp File Not Found
Ignore this error as the user is created.
This issue is observed when the audit server is not reachable.
To work around this issue, do the following:
Add the following lines to the /etc/logevent.conf file to force the Access Gateway Service to use caching:

```
LogForceCaching=Y
LogCacheLimitAction=roll cache
```

Add the following lines to the beginning of the start function in the /etc/init.d/novell-tomcat5 file. These lines ensure that the lcache process is started by the root user.

```sh
# Count the ps entries that match both "lcache" and "root"
n=`ps -aef | grep lcache | grep root | wc -l`
# Unless exactly two entries match, stop lcache and start it again as root
if [ "$n" != "2" ]; then
    killall -9 lcache >/dev/null 2>&1
    LCACHE_USER="root"
    su - $LCACHE_USER -c "/opt/novell/naudit/lcache -int:600 -c &"
fi
```
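An added example, not part of the Novell Readme: a shell helper that applies the two logevent.conf settings from the first step idempotently, so rerunning it never leaves duplicate or conflicting lines. The function names and the sample file content are assumptions made for illustration; on a real system the file argument would be /etc/logevent.conf.

```shell
#!/bin/sh
# Added example (not from the Readme). Function names are hypothetical.

# ensure_setting FILE KEY VALUE
# Rewrite the first "KEY=..." line as KEY=VALUE, drop later duplicates of the
# key, and append KEY=VALUE if the key is absent. Other lines are untouched.
ensure_setting() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { FS = "=" }
        NF > 1 && $1 == k { if (!seen) print k "=" v; seen = 1; next }
        { print }
        END { if (!seen) print k "=" v }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_setting FILE KEY: print the value of KEY, or nothing if it is absent.
get_setting() {
    awk -v k="$2" 'BEGIN { FS = "=" }
        NF > 1 && $1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# apply_audit_caching FILE: the two settings from the workaround above.
apply_audit_caching() {
    ensure_setting "$1" LogForceCaching Y &&
    ensure_setting "$1" LogCacheLimitAction "roll cache"
}

# demo: run twice against a constructed file to show the edit is idempotent.
demo() {
    conf=$(mktemp) || return 1
    # Constructed sample content, not a real appliance configuration.
    printf '%s\n' 'LogHost=192.0.2.10' 'LogForceCaching=N' > "$conf"
    apply_audit_caching "$conf" && apply_audit_caching "$conf" && cat "$conf"
    rm -f "$conf"
}

# With a file argument, apply the settings to it; with none, run the demo.
if [ $# -gt 0 ]; then apply_audit_caching "$1"; else demo; fi
```

Back up the configuration file before running the helper against it, and use get_setting afterwards to confirm both values.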
When the naudit service is stopped by using the /etc/init.d/novell-naudit stop command, occasionally other important services such as Tomcat and JCC also stop. This causes an interruption of services.
To work around this issue, manually restart the Tomcat and JCC services. For information, see the TID.
If you have two contracts and the
option is enabled for one of them, the first user authentication does not overwrite the second user authentication. It displays the following error message:
Unable to authenticate. (409-esp-7271673232708786).
This issue is not observed with the Linux Access Gateway. For more information, see the TID.
The SSL VPN works in Enterprise mode, but it crashes on Windows Explorer browser that uses ActiveX.
If you restore or downgrade the Windows XP client to Windows XP SP3, the SSL VPN works properly in the kiosk mode.
This issue is not observed on Firefox browsers using Java.
If the IP address and DNS servers are configured statically on Mac Leopard and a successful SSL VPN connection is established, the DNS resolution fails to use the DNS server IP address sent from the SSL VPN server.
When you install the Administration Console and the Identity Server on Windows 2008, you cannot completely uninstall the components. The uninstall program hangs before it cleans all the files and the registry entries. To work around this issue, see http://www.netiq.com/documentation/novellaccessmanager31/readme/accessmanager_readme_sp2_ir3.html#br1og3r in the Novell Access Manager 3.1 SP2 IR3a Readme.
You cannot upload large files to an IIS 7.x web server where SSL is enabled between the Linux Access Gateway and IIS 7 server. The maximum upload size depends on the network setup. For information, see the TID.
When you create rules for the role conditions for the first time by using the
tab, they are displayed appropriately. When you try to modify this existing role with OR conditions, the role is not updated.
To work around this issue, delete the existing role condition and create a new role condition.
If you try to access the Brokering URL after configuring a service provider Brokering group with the Shibboleth identity provider, it fails to access the target application.
Because of an issue, the operating system returns the 127.0.0.2 entry when the hostname is resolved. This causes 127.0.0.2 to be the default address of the listener when the device is added to the cluster.
To work around this issue:
Go to the proxy service page. Change the listening IP address to the other cluster member, then select the correct IP address again.
Click
to save the changes.
Verify the correct address and add the device to the cluster.
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.