Novell Access Manager 3.1 SP2 Readme

2.1.1 Upgrade Instructions

For instructions on upgrading from 3.0 SP4 to 3.1 SP2, see “Upgrading from Access Manager 3.0 SP4 to Access Manager 3.1 SP2” in the Novell Access Manager Installation Guide. To verify that your components have been upgraded to 3.0 SP 4, see Verifying Version Numbers Before Upgrading.

For instructions on upgrading from 3.1 to 3.1 SP2, see “Upgrading Access Manager 3.1 to 3.1 SP2” in the Novell Access Manager Installation Guide. To verify that your Access Manager components are running 3.1, see Verifying Version Numbers Before Upgrading.

For instructions on upgrading from 3.1 SP1 to 3.1 SP2, see “Upgrading Access Manager 3.1 to 3.1 SP2” in the Novell Access Manager Installation Guide. To verify that your Access Manager components are running 3.1, see Verifying Version Numbers Before Upgrading.

In addition to the files available through your Novell Customer Center account, the following patch file is available from Novell Downloads.

2.1.2 Installation Instructions

For installation instructions for the Access Manager Administration Console, the Identity Server, the Access Gateway Appliance, the Access Gateway Service, and the SSL VPN server, see the Novell Access Manager Installation Guide.

2.1.3 Verifying Version Numbers Before Upgrading

If you are upgrading from Access Manager 3.0, all components must be upgraded to at least SP4 before upgrading to Access Manager 3.1 SP2.

Access Manager 3.1 and all of its interim releases are eligible for upgrading to 3.1 SP2.

Access Manager 3.1 SP1 and all of its interim releases are eligible for upgrading to 3.1 SP2.

2.1.4 Verifying Version Numbers After Upgrading

When you have finished upgrading your Access Manager components, verify that they have all been upgraded.

4.2.1 Upgrading from SLES 9 to SLES 10

Before upgrading from 3.0 SP4 to 3.1 SP2, you need to upgrade the operating system of your Administration Console and Identity Server machines from SUSE Linux Enterprise Server (SLES) 9 to SLES 10 SP2.

If you do an operating system upgrade rather than a fresh install of the operating system, you need to verify the UID of the D-BUS (messagebus) user on your secondary Administration Consoles. The SLES upgrade creates this user with the same ID as the novlwww user. You need to change this ID before continuing with the upgrade process.

4.2.2 For the Windows 2003 or Windows 2008 Platforms, When You Upgrade from the Evaluation Version of the Administration Console to the Product Version, the Automatic Backup Fails

The upgrade program prompts you to perform a backup, but if you answer yes to the prompt, the process fails to create the backup files.

To work around this issue, create a backup before upgrading. Then, when you are prompted to perform a backup, answer no to the prompt.

4.2.3 For the Windows 2008 Platform, When You Upgrade from the Evaluation Version of the Administration Console to the Product Version, You Cannot Log In to the Administration Console

On Windows Server 2008, you cannot upgrade the evaluation version of the Administration Console to the product version. If you try, you receive the following error when you attempt to log in:

 (Error -634) The target server does not have a copy of what the source server is requesting. Or, the source server has no objects that match the request and has no referrals on which to search for the object.

To work around this issue, you need to wait for the SP2 IR1 release, which will fix this problem.

4.2.4 After Upgrading from SP1 to SP2, Users Cannot Access Resources that Use Policies

If you have policies that protect Access Gateway resources and then upgrade from Access Manager 3.1 SP1 to 3.1 SP2, sometimes not all of the timeouts are pushed to the Embedded Service Provider of the Access Gateway. When users try to access these resources after the upgrade, they receive 403 errors.

To work around this issue, you need to change the Authentication Timeout of the contract (click Identity Servers > Edit > Local > [Name of Contract]), then update the Identity Servers and the Access Gateways.

For more information on this issue, see TID 7007113.

4.3.1 Current Date Condition Does Not Work When Letters Are Used to Specify the Month

When you create an Access Gateway Authorization policy with the Current Date condition, you need to specify the format of the Value field. If you select a format that allows you to specify the month with letters, the policy creation fails. To workaround this issue, select a format that allows you to use numbers for the month.

4.3.2 Intermittently, Configuration Updates Might Take 10 to 15 Minutes

When you make changes to a cluster of devices (Access Gateways, Identity Servers, or SSL VPNS servers), the status and the command status on the device page can show a pending status for up to 15 minutes. The pending command is usually a service provider refresh.

The problem cannot be reliably duplicated, but it seems to occur intermittently with the following types of updates, which trigger a Tomcat restart without prompting the user:

It also occurs intermittently with the following updates, which prompt the user to restart Tomcat:

Until this issue is resolved, you should make changes for the options listed above when the impact of the delay is minimal.

For more information on this issue, see TID 7005580.

4.3.3 After an Upgrade, Certificates Cannot Be Imported

You might receive the following error message when trying to import a certificate on a Linux Administration Console:

Unable to load NPKIAPI - library could not be found com.novell.security.japi.pki.NPKIAPI.loadLibrary(NPKIAPI.java:1684)

If you see this message, check the Tomcat configuration file located in the /etc/opt/novell/tomcat5/ directory for the following lines:

LD_LIBRARY_PATH=/usr/lib:/opt/novell/lib 
           
LD_LIBRARY_PATH=/var/opt/novell/iManager/nps/WEB-INF/bin/linux:/var/opt/novell/iManager/nps/WEB-INF/bin:/opt/novell/iManager/lib:$LD_LIBRARY_PATH 
export LD_LIBRARY_PATH

If these lines are missing, add them to the file, then restart Tomcat.

4.3.4 The Administration Console on Windows Server 2008 Runs Out of Memory

When the Administration Console is installed on a Windows Server 2008 R2 server and the server is running as a VMware image, the Administration Console crashes with an out of memory error.

To solve this issue, turn off the SNMP agent on eDirectory.

4.3.5 The Status of the Connection to the LDAP Server Replicas Is Unclear

In the Administration Console, the status of the connection to a user store indicates whether the Administration Console can connect to the server replica. If the Administration Console and the Identity Server are installed on the same machine, the status is quite accurate. If they are installed on different machines, the status does not indicate whether the Identity Server can connect to the server replica.

4.3.6 You Cannot Select the Install Path for a Windows Administration Console

When you install a Windows Administration Console, you are not prompted for a installation location. Because of the dependencies the Administration Console has with other components that require an installation location of \Program Files\Novell, this functionality cannot be offered.

4.3.7 Administration Console Fails to Install on VMWare ESX

The VMI kernels have issues with Novell Access Manager that can be worked around by using the information in TID 700224: “Installing Admin Console on VMWare ESX guest using the SLES “VMI” kernel fails”.

4.3.8 A Delegated Administrator Temporarily Inherits All Rights If the Browser Is Not Closed After Creating the Delegated Administrator

If you create delegated administrators and allow them to use your machine and your browser session instead of closing the browser, the delegated administrator inherits all rights until the browser is closed.

After creating delegated administrators, make sure you close the browser if other users are going to be using your machine.

4.3.9 Slow Install

The Administration Console is slow to install on Windows and on Linux with 64-bit hardware. Please be patient. It can take up to an hour to install.

4.3.10 Liberty Attributes Are Not Visible

When you create a Form Fill or Identity Injection Policy and select Liberty attributes that are four levels deep, the attributes are sometimes not visible from an Internet Explorer browser. If this occurs on your machine, you need to use Firefox.

4.3.11 Installation Issue with Ports 389 and 636

Ports 389 and 636 need to be free. If the installation software prompts you to enter different ports because 389 and 636 are in use, the installation fails.

You need to free the ports, then install the Administration Console.

4.3.12 iManager Plug-Ins Fail to Install

There is a potential conflict during the installation of the iManager plug-ins when you have a version of the JRE installed on the machine. To fix this issue, you need to remove the JRE from the machine, install the Administration Console, then reinstall the version of the JRE you removed.

4.3.13 The Access Gateway Service Fails to Cache Events If the Audit Server Is Stopped

If the audit server is stopped in Administration Console, the Access Gateway Service fails to cache events. The audit events are not written to the Access Gateway Service cache or written to the audit log after the audit server is started.

(Error -634) The target server does not have a copy of what the source server is requesting. Or, the source server has no objects that match the request and has no referrals on which to search for the object.

To work around this issue, you need to wait for the SP2 IR1 release, which will fix this problem.

4.4.1 You Cannot Select the Install Path for a Windows Identity Server

When you install a Windows Identity Server, you are not prompted for an installation location. Because of the dependencies the Identity Server has with other components that require an installation location of \Program Files\Novell, this functionality cannot be offered.

4.4.2 After You Make a Change, the Cluster Fails to Return to a Green Status

After you make a change to a cluster and update the cluster members, if only one member displays a green status and the others remain in a pending state, you might have a corrupted datastore entry.

If you suspect that the cause is a corrupted datastore entry:

For more information on the issue, see TID 7005800.

4.4.3 When You Attempt to Add a Windows Identity Server to a Cluster, the Action Fails with a Keystore Error

If the configuration datastore is corrupted, you cannot add members to a cluster.

If you suspect that the cause is a corrupted datastore entry:

For more information on the issue, see TID 7005799

4.4.4 After Migrating an Identity Server from Windows 2003 to Windows 2008, Personal Cards Cannot Be Used for Authentication

Windows CardSpace Personal Cards cannot be currently be used for authentication when the Identity Server is migrated from Windows Server 2003 to Windows Server 2008.

If you are using CardSpace, do not migrate your Windows Identity Servers to Windows Server 2008 until this issue has been fixed.

4.4.5 When You Reinstall the Identity Server on a Windows Machine, Commands Remain in a Pending State

If you install the Identity Server on a Windows Server 2003 machine that also contains the Administration Console, uninstall the Identity Server, then try to reinstall the Identity Server, some commands remain in a pending state.

To fix this issue, delete the pending commands.

4.4.6 X.509 Authentication with Other Methods

When you configure a method for X.509 authentication, you cannot select multiple methods and also enable the Force browser restart on logout option. When you have this type of configuration, users cannot authenticate and the following message is displayed:

Error: Your session has been logged out. Please Restart the Browser.

Users can successfully authenticate when you have the following configurations:

4.4.7 HTML Frames Are Lost after a Redirect

Frames on a protected resource page are lost under the following conditions:

For the workaround to fix this problem, see “HTML frames lost when being redirected to Access Manager login or logout pages”.

4.4.8 The SAML NMAS Method in Access Manager Is Incompatible with 64-bit eDirectory

You cannot use 64-bit eDirectory with SecretStore as a remote SecretStore because a remote SecretStore requires a 64-bit SAML NMAS method, which is currently not available. If you want to use eDirectory 8.8 SP5 as a user store and a remote SecretStore, you need to use the 32-bit version.

4.4.9 Problems with Session Timeout

Some Web applications have security restrictions so that a normal redirect to the Identity Server for session renewal fails. The browser might appear of a hang, and JavaScript errors are often displayed. The frequency of this problem can be reduced by setting the Identity Server session timeout to a higher value.

4.4.10 Auto Provision X509

If there are already values in the LDAP attribute for X509 Subject Name mapping and you enable Auto Provision X509 for the X509 authentication class, the LDAP attribute values are overwritten with the client certificate subject name.

4.6.1 Gzip Has Been Disabled on the SLES 11 Version of the Access Gateway Appliance

When Gzip is enabled and the file is chunked encoded, users cannot download the file from a Web server protected by the SLES 11 version of the Access Gateway Appliance.

To work around this issue, Gzip is disabled when you install or migrate to the SLES 11 version of the Access Gateway Appliance. This issue will be fixed in SP2 IR1.

4.6.2 Passing Query Parameters to the Plogout Page Does Not Work As Expected

When you pass query string parameters to the /nesp/app/plogout page, they are not being passed to the logoutSuccess.jsp file as explained in “Calling Different Logout Pages” in the Access Gateway Guide. This causes custom logout pages to fail.

To work around this issue, see TID 7006449.

4.6.3 NetStorage Only Partially Works with the Access Gateway Appliance

Browser connections to NetStorage can be used. WebDAV connections to NetStorage do not work.

4.6.4 After a Change, the Cluster Fails to Return to a Green Status

After you make a change to the cluster and update the cluster members, only one member displays a green status and the others remain in a pending state.

If you suspect that the cause is a corrupted datastore entry:

For more information on the issue, see TID 7005800

4.6.5 The Time Zone Selection Page Displays Both Asia/Calcutta and Asia/Kolkata Options

When you install the Access Gateway Appliance, the Asia/Calcutta and Asia/Kolkata options are both displayed. Select one of the options, depending on your operating software:

4.6.6 XML Validation Errors Occur When Applying Changes to the Access Gateway

After upgrading, you might see XML validation errors when you apply configuration changes to the Access Gateway. If you see an XML validation error, check the /opt/volera/roma/logs/app_sc.0.log to verify if the following message is present:

validateXML(E)org.jdom.input.JDOMParseException: Error on line 6488: cvc-id.1: There is no ID/IDREF binding for IDREF 'Alert_<string>

If this message is in the file:

4.6.7 When a Browser Session Terminates, All Origin Web Server Session Cookies Are Not Terminated

If a browser session with an Access Gateway terminates, all origin Web server HTTP session cookies are not terminated.

For example, if two users (User-A and User-B) use the same browser client to access a protected resource, then User-A authenticates to a protected resource, the origin server of the protected resource establishes a session with browser client using HTTP session cookies.

If User-A logs out of the Access Gateway by using the logout URL or because of an idle timeout, the session cookie from the origin Web server remains intact. User-B can then authenticate to Access Gateway, and resume the session to the origin Web server from User-A.

To work around this issue, see Clearing Novell Access Manager Application Sessions

4.6.8 Lotus Domino WebAccess Server Cannot be Configured as a Path-Based Multi-Homing Service

You cannot configure Lotus Domino WebAccess Server as a path-based multi-homing service. However, you can configure it as a domain-based multi-homing service.

4.6.9 The Secondary Network Gateway Address Is Deleted If the Network Interface Is Restarted

The secondary gateway IP address for the Access Gateway is deleted when the network interfaces are restarted.

You must add the network gateway address again by using the following command:

route add -net <IP address> netmask<netmask> gw <gateway IP>

4.6.10 Reverting to an Earlier Snapshot of the Access Gateway Might Cause Multiple Crashes

If you are using a VM environment such as ESXi 4.0, reverting to an earlier snapshot of the Access Gateway might result in multiple crashes.

To work around the issue, clear the cache and restart novell-vmc as follows, after reverting the snapshot:

rm /var/novell/.~newInstall
/etc/init.d/novell-vmc restart

4.6.11 Incorrect Health Status Is Reported and the Listener Creation Fails If the Port Is Used by Another Process

The Access Gateway Appliance health is reported as green even if the listener creation fails. This occurs because the service creation status of the Access Gateway Appliance reflects the status of the open port. When the port is used by any other process, the Access Gateway cannot distinguish between its own service and the other process.

For example, when the SSL VPN server is installed with the Access Gateway, and port 443 is used by OpenVPN, the service creation fails if you try to create an Access Gateway proxy service that uses port 443,. However, because the health check is looking only for the open port 443, the status is displayed as healthy.

To work around this issue, check netstat after creating the service to confirm if the ics_dyn process of the Access Gateway is running on the corresponding port.

4.6.12 An Error Occurs When a User Tries to Download Access Manager Logs through Internet Explorer 7 and 8

When a user tries to download Access Manager logs by using either Internet Explorer 7 or 8, the Failed to execute command error is displayed.

To work around this issue:

4.6.13 The Enforce 128-Bit Encryption between Access Gateway and Web Server Option Is Not Functional in this Release

The Enforce 128-Bit Encryption between Access Gateway and Web Server option in the Devices > Access Gateways > Edit > [Name of Reverse Proxy] > > TCP Listen Options page is not functional for this release.

4.6.14 Unable to Connect to Access Gateway with Low and Medium Ciphers

The browser is unable to connect to Access Gateway when the Enforce 128-Bit Encryption between Browser and Access Gateway option is enabled with low and medium ciphers.

4.6.15 Multiple Sessions Are Created When You Use OpenOffice Tools with a WebDAV Connection

When you use OpenOffice Writer and other tools over WebDAV connections, cookies that are set by the server are not included in requests from the OpenOffice client. As a result, each WebDAV request from the client creates a new session. If you have limited user sessions, the limit can be quickly reached, which results in files left in a locked state or with IO errors.

To solve this problem, do not limit user sessions (Devices > Identity Servers > Edit) when users are using OpenOffice tools over a WebDAV connection.

4.6.16 Cookie and Session Issues with Nautilus File Manager and WebDAV Connections

The Nautilus File Manager v2.12.2 in SUSE Linux Enterprise Desktop (SLED) 10 SP1 and SP2 does not include cookies when making WebDAV requests. As a result, when the WebDAV server is accessed through a reverse proxy on the Access Gateway, a new user session is created at the proxy for every WebDAV request sent from Nautilus. A simple file open can result in the creation of multiple sessions.

To solve this problem, do not limit user sessions (Devices > Identity Servers > Edit) when users are making WebDAV requests with the Nautilus File Manager.

4.6.17 On a New Install, the Secure Logging Server Is Not Configured Correctly

The logevent.conf file, which controls the configuration for the secure logging server, initializes the address of the logging server to 127.0.0.1 instead of the IP address specified in the Administration Console. By default, this address is the IP address of the Administration Console, but it can be configured for an external auditing server such as a Novell Sentinel server.

To fix the problem:

4.6.18 Communication Problems between the Novell Audit Client and the Audit Server Might Crash the Linux Access Gateway

If you have configured your Access Manager system to use a Novell Sentinel or Novell Audit server for auditing, the Novell Audit client sometimes disconnects from the auditing server. This usually happens when communication problems exist on the network. When this happens, the Linux Access Gateway might crash. This issue can also prevent the successful completion of any Linux Access Gateway configuration changes.

To solve this problem, make sure that no communication problems exist between the auditing client on the Linux Access Gateway and the auditing server.

4.6.19 Installation on VMWare ESX Works in Text Mode Only

You must use the text-mode installation for the VMWare ESX platform. The GUI mode for the installation of Linux Access Gateway fails and falls back to the text mode on VMWare ESX.

4.6.20 Rewriter On and Off Flags Are Not Effective in a Character Profile

The NOVELL_REWRITER_ON and NOVELL_REWRITER_OFF tags are not effective in the Access Gateway character profile.

4.6.21 Issues with the Audit Server While Importing an Access Gateway Configuration

When you importing an Access Gateway configuration, the imported configuration might contain an audit server IP address that is different from the audit server IP address that was configured in the Administration Console. Updating the Access Gateway configuration does not correct this address problem. As long as the addresses differ, the Access Gateway can hang during subsequent updates or restarts because the Novell Audit Agent of the Access Gateway cannot connect to its configured audit server.

You must force the Linux Access Gateway to change its Audit server settings.

4.6.22 The Rewriter Does Not Handle the [oa] Option in Search and Replace

The character rewriter profile does not support the [oa] option to search and replace plain words and strings.

4.6.23 Exclude Alias DNS with Scheme Option Does Not Work

The Exclude Alias DNS name with Scheme option does not work. For example, if you add https://www.mygroup.com, it is not excluded from the list. You must provide only the DNS name, such as www.mygroup.com.

4.6.24 Form Fill Auto Submit Issue

A Form Fill auto-submit fails when an input field in an HTML page contains name="submit".

4.6.25 Form Fill Does Not Work if the Web Page Contains an Apostrophe

The Linux Access Gateway Form Fill does not work if the Web page contains the apostrophe character.

4.6.26 Form Fill Fails If the Web Server Does Not Send the Content Type

Form Fill does not process the page if the Web server does not send the content type. Form Fill processes the following content types:

"text/html" "text/xml" "text/css" "text/javascript” "application/javascript" "application/x-javascript"

4.6.27 Form Fill Policy and the Refresh Data Every Option Restrictions

In a Form Fill policy, you can only set the Refresh Data Every option to Request or Session. If you select a time to live, it is the same as selecting Request.

4.6.28 Manual Deletion of the laghttpheaders and lagsoapmessages Log Files Causes a Linux Access Gateway Crash

If you have enabled the debug level of logging for the laghttpheaders and lagsoapmessages log files, manual deletion of these log files causes the Linux Access Gateway to crash.

To work around this problem, restart the Linux Access Gateway after you manually delete the log files.

4.6.29 The Access Gateway Does Not Validate the Scheme

The Access Gateway does not validate the scheme. You must use the additional DNS List for scheme validation.

4.6.30 Network Installation of a SLES 11 Access Gateway Results in Signature Error

To avoid a signature error for the network mode of installation on SLES11, use the Access Gateway Appliance ISO CD rather than a bootable CD.

4.6.31 Browser Spins on Login in the Access Gateway Cluster Setup

When a browser is closed after accessing a protected resource and the Identity Server login page is displayed, subsequent access to a resource by using the browser creates a loop.

To work around this problem, clear the browser cookies or close the browser instance and try again..

4.7.1 The Access Gateway Service Has Not Been Thoroughly Tested Behind an SSL Terminator

If you place an SSL terminator in front of the Access Gateway Service and enable the Behind Third Party SSL Terminator option, some URLs might not be rewritten correctly.

If you try this configuration, report any problems to Novell Support.

4.7.2 The Log Profile Page Provides Incorrect Information for the Backup Files Option

When you configure a log profile (click Devices > Access Gateways > Edit > Logging > [Profile Name]) and set a value for the Maximum Backup Files option, a 0 (zero) value indicates that you do not want any backup files created and a blank value indicates that you want one backup file created. Ignore the message on the page about what these values mean.

4.7.3 The Advanced Log Level Option Displays Incorrectly in Internet Explorer 7 and 8

The Advanced Log Level option (click Access Gateways > Edit > Logging > Log Filters > [Filter Name]) does not appear to be a link, if you are using the Internet Explorer 7 or 8 to access the Administration Console. However, you can still click the option to display the configuration page.

4.7.4 Cannot Delete an Access Gateway Service

If you have an unconfigured Identity Server and you try to delete an Access Gateway Service from the Administration Console, the deletion fails and throws an exception.

To delete the Access Gateway Service, either delete the Identity Server first or configure the Identity Server.

4.7.5 When the Audit Server Stops and Starts, the Audit Server Does Not Receive All Cached Events

When the audit server stops, the events are supposed to be cached until the audit server comes back online. When the audit server is back online, the cached events are supposed to be sent to the audit server. This functionality is not working reliably for the Access Gateway Service.

4.7.6 If the Form Has an Empty Action Element, the Access Gateway Service Fails to Fill In the Action Element

The Access Gateway Service does not correctly process the following type of action element in a form:

<FORM name="logonForm" method="post" action="" >

To work around this issue, create a custom rewriter profile for the form to fill the action element with a valid value or wait for SP2 IR1.

4.7.7 Enabling Password Management Support Might Cause Authentication Errors

On the Linux Access Gateway Appliance, the /var/novell/.PasswordMgmt touch file is required to support the Identity Manager Password Management feature. With this configuration in a cluster deployed behind an L4 switch, users might occasionally report a failure to authenticate with an error indicating that the browser detected infinite redirects. This happens when session stickiness fails at the L4 device for /nesp service URLs.

To work around this issue, you should clear the browser cookies, then restart the browser before accessing the resource again.

4.8.1 General SSL VPN Issues

You are seeing this message because ActiveX control is not installed in your Internet Explorer. To establish the Novell SSL VPN connection, do one of the following:

4.8.2 Kiosk Mode Issues

4.8.3 Enterprise Mode Issues

4.9.1 Authentication Error Is Displayed When a User Tries to Access Resources

In WebLogic J2EE agents, when users who do not have sufficient rights try to access resources for which they have been denied authorization, the following message is displayed:

There was a problem with your authentication

The required Web page is displayed if you refresh the page once.

4.9.2 Base URL and SOAP URL Cannot Be Configured with Port 65535

You cannot configure a base or SOAP URL for the Novell Access Manager J2EE Agent with port 65535.