Novell Access Manager 3.0 SP1 IR3 Readme

January 8, 2008

1.0 Documentation

The following sources provide information about Novell® Access Manager:

2.0 Installing the 3.0 SP1 IR3 Release

If you did not upgrade your components to Access Manager 3.0 SP1 IR2, all Access Manager components need to be upgraded because the files for the embedded service provider were modified in IR2. If you upgraded your components to IR2, you only need to upgrade the Linux Access Gateway.

The patch file for upgrading the components to the IR3 release (nam3sp1ir3.tar.gz) can be downloaded from the Novell Downloads Web site. This patch contains the following files:

Table 1 3.0 SP1 IR2 Patch File

Component                                                     Filename
Administration Console, Identity Server, Linux* J2EE* Agents  AM_301_SP1_IR2_IdentityServer_Upgrade.tar
Windows* J2EE Agents                                          AM_301_SP1_IR2_ApplicationServerAgents_Windows.exe
Linux Access Gateway                                          AM_301_SP1_IR3_lagrpms.tar.gz
NetWare® Access Gateway                                       AM_301_SP1_IR2_NetWareAccessGateway_Upgrade.txt
                                                              AM_301_SP1_IR2_NetWareAccessGateway_Upgrade.zip

2.1 Upgrading the Administration Console, Identity Server, and Linux J2EE Agents

  1. Log in as root on the system you need to patch.

  2. Copy the AM_301_SP1_IR2_IdentityServer_Upgrade.tar file to the system and unpack it.

    When the file is unpacked, you should see a manifest file, a nampatch.sh install script, and a patchIR2 directory. These three items need to be in the same directory.

  3. From this directory, enter the following command:

    ./nampatch.sh

    This patch installer does the following:

    • It warns connected users that services are being restarted.

    • If you have installed your Identity Server and Administration Console on the same machine, it detects this and patches both components.

    • It updates the embedded service provider of the Linux J2EE Agents.

    • Events from the patch process are logged to a file in the /tmp directory.

    • A backup of the files that are being replaced is stored in the $HOME directory.

IMPORTANT: If you decide to install another component to the system after running the patch installer (for example, add an Identity Server to a patched Administration Console), run the SP1 installation program. Then run the patch installer to patch the newly added component.

2.2 Upgrading the Linux Access Gateway

Before you upgrade the Linux Access Gateway, the LAG file (AM_301_SP1_IR3_lagrpms.tar.gz) needs to be renamed. In the download, it needs to have a version-specific name, but to use it in an upgrade, it needs the generic name. It should be renamed as follows:

AM_301_SP1_IR3_lagrpms.tar.gz renamed to lagrpms.tar.gz

For more information on upgrading the Linux Access Gateway, see Upgrading the Linux Access Gateway.

2.3 Upgrading the NetWare Access Gateway

Copy the two upgrade files (AM_301_SP1_IR2_NetWareAccessGateway_Upgrade.txt and AM_301_SP1_IR2_NetWareAccessGateway_Upgrade.zip) to a Web server that the NetWare Access Gateway can access, then perform the over-the-wire upgrade. This patch updates the gateway’s embedded service provider.

For more information on upgrading the NetWare Access Gateway, see Upgrading the NetWare Access Gateway.

2.4 Upgrading the Windows J2EE Agents

This patch updates the agent’s embedded service provider.

For upgrade information, see Upgrading the J2EE Agents.

2.5 Verifying Version Information for IR3

During the upgrade process for this release, you need to upgrade all Access Manager components. When you have finished, use the following procedure to verify that all components are at the correct version.

  1. In the Administration Console, click Access Manager > Overview.

    The Novell Access Manager box should display 3.0.1-264 as the version number for the Administration Console.

  2. Click Auditing > Troubleshooting > Version.

  3. Examine the value of the Version field for each component and ensure that it displays the correct version.

    Component                 Access Manager 3.0 SP1 IR2 Version Number
    Identity Server           3.0.1.264
    Linux Access Gateway      3.0.1.264.3
    NetWare Access Gateway    3.0.364
    Linux J2EE Agents         3.0.1.255

    The version number of the Linux J2EE Agents does not change when the patch is installed.

3.0 SP1 IR3 Fixes

The following issues are fixed in the IR3 version of the Linux Access Gateway:

  • Fixed an issue with vending correct data on a 304 response from the web server when the data is compressed and cached.

  • Fixed an issue that caused the proxy services to randomly restart.

4.0 SP1 IR2 Fixes

4.1 Identity Server

  • Fixed an issue with SAML 2 when using the POST profile.

  • Fixed an install issue that failed to identify the primary Administration Console.

  • Fixed an issue with the evaluation of a policy that required all conditions in a policy to use the same comparison type (either case sensitive or case insensitive). This fix requires an update to the Identity Server and the embedded service providers of the devices.

4.2 Administration Console

  • Fixed an issue with the restore script that caused an out-of-memory error.

4.3 Linux Access Gateway

The 3.0 SP1 IR2 patch contains all the fixes in the IR1 patch, plus some additional fixes.

  • A health check is now performed on Web servers that are defined with a DNS name.

  • The Linux Access Gateway now sends system down alerts to the Administration Console.

  • Fixed the rewriter data structure corruption issue.

  • The Linux Access Gateway now correctly handles deflate-compressed files.

  • Fixed issues with the reverse proxy service when there are more than 20 secondary IP addresses configured.

  • Fixed a phishing vulnerability that could have been exploited by tampering with the login URL.

  • Fixed the problem in setting the cookie domain on server persistent cookies.

  • Fixed the order in which Linux Access Gateway sends certificates to the browser, when intermediate CA certificates need to be sent.

  • Fixed issues with the health check of Web servers so a health check can be returned when the Web server is defined by using a DNS name rather than an IP address.

  • Fixed issues with downloading large PDF files.

  • Fixed session timeout issues with Firefox* when a long POST occurs.

  • Added full GZIP functionality. When the Web server sends compressed data and the rewriter needs to process the data, the data is decompressed, rewritten, and then recompressed. When Form Fill needs to process the data, the data is decompressed and then processed.

  • Fixed issues with GroupWise® interoperability that caused downloads of files larger than 128 KB to fail.

  • Fixed HTTP processing so that it now supports the RPC_OUT_DATA and RPC_IN_DATA methods and forwards them to the Web server. This allows the Linux Access Gateway to support applications that are accelerated with RPC over HTTP.

5.0 Installing the 3.0 SP1 Release

The Novell Access Manager 3.0 SP1 release contains ISO files for installing the Access Manager components and a patch file for upgrading all components from a previous release.

5.1 The Patch File

The patch consists of one download file. The patch can be downloaded from Novell. The following table lists the files contained in the patch file (b4Fnam3sp1.tar.gz) that you can use to upgrade existing components or to install new instances:

Table 2 Access Manager 3.0 SP1 Upgrade Files

Component                                          Purpose              Filename
Identity Server, Administration Console, SSL VPN   Upgrade or Install   AM_301_SP1_IdentityServer.tar.gz
Linux Access Gateway, SSL VPN                      Upgrade              AM_301_SP1_lagrpms.tar.gz
NetWare Access Gateway                             Upgrade              AM_301_SP1_NetWareAccessGateway_Upgrade.txt
                                                                        AM_301_SP1_NetWareAccessGateway_Upgrade.zip
                                                                        AM_301_SP1_NAG_OSUpgrade.iso
Windows J2EE Agents                                Upgrade or Install   AM_301_SP1_ApplicationServerAgents_Windows.exe
Linux J2EE Agents                                  Upgrade or Install   AM_301_SP1_ApplicationServerAgents_Linux.tar.gz

To upgrade to this release, you need to start the process by first backing up your current configuration. The Administration Console should be the first device you upgrade. You can then upgrade the various devices that you have imported into the Administration Console. We highly recommend that you upgrade all members of a cluster before moving to another type of device to upgrade. When you finish upgrading, it is recommended that you perform a system backup. If necessary, you can restore an RC2b backup to this release.

The LAG file (AM_301_SP1_lagrpms.tar.gz) needs to be renamed. In the patch download, it needs to have a version-specific name, but to use it in an upgrade, it needs the generic name. It should be renamed as follows:

AM_301_SP1_lagrpms.tar.gz renamed to lagrpms.tar.gz

For the Identity Server and the Administration Console, you need to copy the .tar.gz file to the machine where these components are installed. For the Access Gateways, you need to copy the files to a server that is accessible to your Access Gateway and perform an over-the-wire upgrade. For more information about upgrading the Access Manager components, see the following:

For specific installation steps, installation requirements, and overview information, see the Novell Access Manager 3.0.1 Installation Guide.

5.2 Access Manager ISO Files

If you are installing Access Manager 3 SP1 from CD, the following ISO images are provided:

Table 3 Access Manager 3.0 SP1 ISO Files

Component                                          Purpose              Filename
Identity Server, Administration Console, SSL VPN   Upgrade or Install   AM_301_SP1_IdentityServer.iso
Linux Access Gateway, SSL VPN                      Upgrade              AM_301_SP1_LinuxAccessGateway.iso
NetWare Access Gateway                             Install              AM_301_SP1_NetWareAccessGateway.iso

For specific installation steps, installation requirements, and overview information, see the Novell Access Manager 3.0.1 Installation Guide.

5.3 Verifying the Upgrade to SP1

When you start the upgrade process for the SP1 release, you need to upgrade all Access Manager components. When you have finished, use the following procedure to verify that all components have been upgraded to SP1.

  1. In the Administration Console, click Access Manager > Overview.

    The Novell Access Manager box should display 3.0.1-255 as the version number for the Administration Console.

  2. Click Auditing > Troubleshooting > Version.

  3. Examine the value of the Version field and ensure that it displays the correct version.

    Component                                   Access Manager 3.0 SP1 Version Number
    Identity Server                             3.0.1.255
    Linux Access Gateway                        3.0.1.255
    NetWare Access Gateway                      3.0.345
    J2EE Agents (all versions, all platforms)   3.0.1.255
    SSL VPN                                     3.0.1.118

6.0 SP1 Fixes

6.1 Administration Console (General)

  • Corrected audit entries.

  • Startup and shutdown audit events are now correctly reported.

  • Fixed issues with log files not rolling over after reaching a specific size and not being deleted when a specified number of rollover files exist.

  • Modified log entries in the catalina.out file so that no sensitive data is logged.

  • Fixed fields displaying %20 instead of a space.

  • Fixed embedded service provider logging issue.

  • Fixed Roma service hanging while applying a certificate import change.

  • Fixed Administration Console communication with the configuration store.

  • Fixed the amrestore.sh script to check for the UNZIP package.

  • Fixed the Internet Explorer pending state after applying the RC1 patch.

  • Fixed backup and restore issues for inactive components.

  • Fixed random Administration Console logout issues.

  • Fixed the schema validation error <AlertProfileIDRef UserInterfaceID="ID000025" AlertProfileIDRef="ID000025"/> in alerts.

6.2 Identity Server

  • X.509 Authentication Class enhancements that match a certificate to a user identity.

  • Cluster enhancements, including management changes in the Administration Console.

  • Certificate fixes for binary user certificates.

  • Fixed issues that caused mutual authentication to fail when the CRL file in the cache was stale.

  • Added the management IP address to the HTTP IP address translation for JGroups.

  • Simplified the use of JGroups JChannel by consolidating into a single Distributed Message Bus.

  • Fixed SAML 2.0 signing error. Artifact responses are no longer required to be signed. See TID 3903427.

  • In testing environments, you can now disable OCSP/CRL checks for server certificates by setting the Java* property com.novell.nidp.serverOCSPCRL="false".

  • Fixed the cause of the Access Manager restore error AM#201002001: The backup file does not exist.

  • Fixed 404 Roma errors when configuring rewriter Additional Strings to Replace fields.

  • The system now deletes the admin.xml and manager.xml files from the Tomcat webapps directory after installation.

  • Fixed ESP proxying when using virtual addresses.

  • Corrected the Daylight Savings Time schema.

  • Fixed sslMutual certificate overwriting.

  • Fixed the Novell Audit client lcache process, which caused the Identity Server to run out of threads while waiting on event login.

  • Fixed an eDirectory™ update during IR2 upgrade to SP1.

  • Fixed the green health display on a failed Identity Server.

  • Fixed random Identity Server 503 responses from the Linux Access Gateway.

  • Fixed the SSL mutual authentication failure when validating user certificate (error AM#200104004).

  • Fixed an SSL VPN disconnect (error AM#100E) from having %22 in front of the URL.

  • Fixed the identity provider login when CRL is updated.

  • Fixed the installation to allow the Administration Console to be available for all network interface cards (NICs).

  • Fixed the occurrence of Unable to Authenticate errors during session refreshes.

  • Added a synchronized keyword to component logging entry points on the Identity Server to fix the server not responding issue.

  • Fixed the cause of Improper Redirects errors from looping plogin requests.

  • Fixed the cause of the 300101037 Unable to complete request at this time error issued instead of a redirect to plogin.

  • Fixed an embedded service provider failure when receiving a start command.

  • Fixed a POST SAML assertion failure in Firefox (RC2).

  • Fixed a cause of the NULL error when re-mapping attributes passed in a SAML2 assertion.

  • Fixed a possible cross-site scripting vulnerability.

6.3 General Access Gateway

  • Fixed the problem that prevented you from adding a Web server host name that contained just the host name without the domain.

  • Fixed the Access Gateway blank screen caused by an eDirectory communication problem.

  • Fixed the issue that caused the Access Gateway to have a pending status when no outstanding commands exist.

  • Fixed rewriter issues with the quote and double quote characters in replace strings.

  • Fixed the update process so you can now modify the contracts assigned to a protected resource without updating the Identity Server.

  • Fixed errors that prevented clustered embedded service providers from retrieving policy information from the Identity Server.

  • Fixed policy and clustering errors that occurred when changes were made to an Identity Injection policy.

  • Fixed the green light status, which was displaying when the origin Web server was down.

  • Fixed the Pin list displaying off-screen.

  • Fixed the proxy service redirect from HTTP to HTTPS.

  • Fixed policy requests in the Access Gateway cluster.

  • Fixed System is not up properly errors.

6.4 Linux Access Gateway

  • Fixed an invalid alert profile reference in Access Gateway troubleshooting.

  • Fixed upgrade problems.

  • Fixed the certificate push to an existing group of Linux Access Gateways.

  • Fixed issues with displaying Flash content when using Internet Explorer 7.

  • Rewriter now rewrites all path-based multi-homing resources with the strip path enabled.

  • User information is now properly logged in the extended log.

  • Fixed the Linux Access Gateway crash because of multiple embedded service failures during a reconfiguration.

  • Fixed the Form Fill issue of injecting incorrect user information into the outgoing requests.

  • Fixed a segmentation fault during Linux Access Gateway Advanced installation.

  • Fixed the Linux Access Gateway crash because of improper event handling in the Form Fill policy.

  • Fixed the Update link on the Access Gateway to apply configurations to cluster members.

  • You can now register more than one static route to the Linux Access Gateway configuration, through the Administration Console.

  • Fixed configuration changes when applied to the Linux Access Gateway.

  • Fixed the ability to delete additional DNS names in rewriter entries.

  • Fixed DNS health check reporting for the Linux Access Gateway.

  • Fixed configuration change cancellation when clicking OK on the Access Gateway Configuration page.

  • Fixed the rewriting of cross-domain URLs.

  • Fixed an issue with the configuration update between the Linux Access Gateways and the audit server, when changing the audit server’s IP address.

  • Fixed There exists a configured cluster member that is not active issue when adding a new Linux Access Gateway to a cluster. See TID 3095089.

  • Fixed the embedded service provider alert generated when no proxy service is configured.

  • Fixed the NTP health check on the Linux Access Gateway.

  • Removed the need to apply new IP addresses one at a time on the Linux Access Gateway.

  • Fixed issues with downloading large files.

  • The Linux Access Gateway now properly rewrites the cookie domain sent by the original server.

  • Fixed issues with the Form Fill auto submit option, when JavaScript* functions were used in the Web page.

  • Enabled the DNS Error for Hostname Mismatch option for the Path-based multi-homing services.

  • The rewriter can now rewrite PHP files with no content type.

  • A warning message is now displayed on the terminal when the Linux Access Gateway reaches the disk usage threshold.

  • Fixed issues leading to the Linux Access Gateway crash and 100 per cent CPU utilization, when a Pin List is configured. If you had configured a Pin List before upgrading the Linux Access Gateway, manually delete all the files located in the /var/novell/cca directory.

  • Fixed the Linux Access Gateway crash caused by a large POST request.

  • Fixed protected resource path handling to support the directory-specific wildcard pattern.

  • You can now add a network interface card to the Linux Access Gateway after the installation.

  • The Linux Access Gateway now verifies the browser IP addresses of the incoming authentication cookies.

  • Fixed Form Fill issues when JavaScript and the ACTION tag were used in the Web page.

  • Fixed Form Fill issues when the ACTION tag was missing in the HTML page.

  • Fixed the caching issue that led to incorrect information being injected into the outgoing request.

  • Fixed the Form Fill policy to be triggered when a protected resource is accessed.

  • Fixed Linux Access Gateway issues that were responsible for the server randomly becoming unresponsive.

  • Fixed some rewriter issues that were responsible for random Linux Access Gateway crashes.

  • Fixed Form Fill issues with the auto submit option, which led to 100 per cent CPU utilization.

  • Fixed the upgrade script to accept the @ character in the password.

  • Fixed Form Fill issues that caused a Linux Access Gateway crash.

  • Fixed the Linux Access Gateway crash after the non-secure port used by the proxy services is changed.

6.5 NetWare Access Gateway

  • An L4 switch can now be configured to use an IP address or a DNS name to access the heartbeat health check.

  • Fixed issues with XML posts to the back-end application when the post is 2800 bytes or greater.

  • Fixed an abend that occurred when a character rewriter profile was assigned to a proxy service.

6.6 SSL VPN

  • Fixed the SSL VPN client to display the Connected status only after the connection was established.

  • The SSL VPN client now automatically updates when the server build is upgraded from one version to another.

  • Fixed the upgrade issues with the SSL VPN components.

6.7 Policies

  • A troubleshooting tool is available from the Policies Troubleshooting page (click Access Gateways > Auditing > Troubleshooting > Policies) that allows you to identify policies that contain no rules.

  • Fixed issues with secrets not being saved when Form Fill was configured to use a Novell SecretStore®.

  • Fixed issues that caused users to be denied access to resources after a configuration change was applied.

  • Fixed issues with single sign-on when the user’s session has been idle.

  • Fixed issues that caused Identity Injection policies to fail after an upgrade.

6.8 Certificates

  • Fixed the clear-text password display that occurred when backing up certificates failed.

  • Fixed certificates being assigned to null keystores and null configurations.

7.0 New Features in SP1

The following sections briefly discuss the new features that were added between Access Manager 3.0 and Access Manager 3.0 SP1.

7.1 General Enhancements

The following general enhancements were added for SP1:

7.1.1 Audit Reporting

Audit entry reporting has been made consistent between the Linux and NetWare Access Gateways. The gateway audit events have also been enhanced to provide tracking information for users, requests, and protected resources where applicable.

7.1.2 Troubleshooting Page

A Troubleshooting page (click Access Manager > Auditing > Troubleshooting) has been added that allows you to delete or repair corrupted service configurations, view the version of all installed components so you can determine if a component needs to be upgraded, and remove policies that have been corrupted because of configuration errors.

7.1.3 Clustering

You now manage clusters and their members from the main page for the device (Identity Servers or Access Gateways). You can add or delete members and create new clusters from these pages.

7.1.4 Updating

You now apply device configuration changes from the main page for the device (Identity Servers, Access Gateways, J2EE Agents, or SSL VPNs). If you have modified only logging settings or policy references, the update option causes no interruption in services.

You can also select to update single members of a cluster or all members of a cluster.

7.1.5 Logging

Logging has been enhanced so that it is easier to trace transactions through clustered Identity Servers and Access Gateways.

  • To facilitate the use of non-interactive stream-oriented editors such as sgrep, sed, awk, and grep, beginning and ending log entry tags are included in all Access Manager log entries. This allows the extraction of complete single-line or multi-line log entries from log files. The beginning and ending tags are <amLogEntry> and </amLogEntry>.

  • Mandatory date-time stamp and correlation tags and values are included on the same log entry line. This allows single line stream-oriented editors such as grep to locate log entries by using multiple correlating values.

  • The date-time stamp for Access Manager log entries has been standardized to use the W3C Profile of ISO8601, specifying a complete date plus hours, minutes and seconds expressed in UTC. Having a common date-time stamp format facilitates log entry searches based on date and time.

The Tomcat log files (/var/opt/novell/tomcat4/logs) and the Administration Console log files (/opt/volera/roma/logs) have been configured for log rollover.
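The entry conventions described above (bracketing tags, a UTC timestamp and correlation values on the first line) make log entries easy to extract and correlate programmatically. The following Python script is an added example, not Novell's code: it splits a log on the <amLogEntry>/</amLogEntry> tags so multi-line entries stay intact, parses the timestamp, AM# code and correlation tags from the first line, and filters entries by those values, for instance to isolate the AM#300101010 errors discussed under Known Issues. The sample log text and the AMDEVICEID#/AMAUTHID# tag names in it are constructed assumptions about the entry layout, not captured output.

```python
"""Extract and correlate Access Manager <amLogEntry> records (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample log (not real Access Manager output): two single-line
# entries and one multi-line entry. The correlation tags after the timestamp
# (AMDEVICEID#, AMAUTHID#) are an assumption about the entry layout.
SAMPLE_LOG = """\
<amLogEntry> 2008-01-08T14:03:11Z IdentityServer: AM#500105016: AMDEVICEID#idp1: AMAUTHID#abc123: Authenticated user cn=alice,o=novell </amLogEntry>
<amLogEntry> 2008-01-08T14:03:12Z AccessGateway: AM#300101010: AMDEVICEID#esp1: AMAUTHID#abc123: Policy evaluation
  Resource: /images/logo.gif
  Decision: Deny
</amLogEntry>
<amLogEntry> 2008-01-08T14:05:40Z IdentityServer: AM#500105016: AMDEVICEID#idp1: AMAUTHID#def456: Authenticated user cn=bob,o=novell </amLogEntry>
"""

ENTRY_RE = re.compile(r"<amLogEntry>(.*?)</amLogEntry>", re.DOTALL)
STAMP_RE = re.compile(r"\b(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\b")
CODE_RE = re.compile(r"\bAM#(\w+)")
TAG_RE = re.compile(r"\b(AM[A-Z]+)#([^:\s]+):")


def split_entries(text):
    """Return the body of every complete <amLogEntry> ... </amLogEntry> record.

    Because the tags bracket whole entries, a multi-line entry comes back as one
    string instead of being split across lines the way a line-oriented grep would.
    """
    return [m.group(1).strip() for m in ENTRY_RE.finditer(text)]


def unterminated_entries(text):
    """Count opening tags with no matching closing tag (for example a file cut
    mid-entry by log rollover); such trailing fragments are skipped by split_entries."""
    return text.count("<amLogEntry>") - text.count("</amLogEntry>")


def parse_entry(body):
    """Parse one entry body into its UTC timestamp, AM# code, correlation tags,
    the first (summary) line and any continuation lines."""
    first, _, rest = body.partition("\n")
    stamp = STAMP_RE.search(first)
    if stamp is None:
        raise ValueError("no W3C/ISO 8601 UTC timestamp on entry line: %r" % first)
    when = datetime.strptime(stamp.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    code = CODE_RE.search(first)
    return {
        "time": when,
        "code": code.group(1) if code else None,
        "tags": dict(TAG_RE.findall(first)),
        "summary": first.strip(),
        "detail": [ln.strip() for ln in rest.splitlines() if ln.strip()],
    }


def parse_log(text):
    """Parse every complete entry in a log file's text."""
    return [parse_entry(body) for body in split_entries(text)]


def select(entries, code=None, tags=None, since=None, until=None):
    """Filter parsed entries by AM# code, correlation tag values (a dict) and an
    inclusive UTC time window; every criterion given must match."""
    matches = []
    for entry in entries:
        if code is not None and entry["code"] != code:
            continue
        if tags and any(entry["tags"].get(k) != v for k, v in tags.items()):
            continue
        if since is not None and entry["time"] < since:
            continue
        if until is not None and entry["time"] > until:
            continue
        matches.append(entry)
    return matches


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("entries:", len(log), "unterminated:", unterminated_entries(SAMPLE_LOG))
    for entry in select(log, code="300101010"):
        print(entry["time"].isoformat(), entry["tags"], entry["detail"])
    print("entries for session abc123:", len(select(log, tags={"AMAUTHID": "abc123"})))
```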

7.1.6 Certificate Management

Certificate management has been simplified in the following ways:

  • Users are now warned when certificates are expiring within the next 30 days.

  • A new Command Status tab is available to view all certificate commands for the system. In the Administration Console, click Access Manager > Certificates > Command Status.

  • The Administration Console maintains only one copy of a trusted root certificate. When a duplicate is added, it is pushed to any device needing it, but the Administration Console does not create a duplicate copy.

  • When applying changes, the Update option provides information when certificate changes are the reason for the update.

  • Keypairs can be imported and exported in JKS format.

7.2 Identity Server Enhancements

The following enhancements were added to the Identity Server for SP1:

7.2.1 New Unsupported Feature

Kerberos* has been added to the SP1 release. It is not thoroughly tested, and it should not be used in a production environment. We are calling it to your attention so that you can look at it and provide feedback. It will be supported in the SP2 release.

7.2.2 Kerberos Fallback Authentication Methods

In situations where Kerberos (SPNEGO) authentication is enabled on the Identity Server, and Kerberos is not in the environment, or the user is trying to authenticate from outside of a firewall, Microsoft* SPNEGO falls back on NTLM, then on basic authentication. The Identity Server does not support NTLM in this release, so the system might cause the browser to prompt users twice for authentication. (To disable this in Windows Explorer, click Tools > Internet Options > Security > Custom Level, then scroll down to User Authentication. Enable Automatic logon with current user name and password.)

7.2.3 X.509 Authentication

X.509 authentication with Auto Provision X509 appends values to an existing multi-valued LDAP attribute, such as sasAllowableNames, rather than replacing the values already stored there. This means that both NDS® namespace ("."-delimited) and LDAP namespace (","-delimited) strings can coexist. This removes the need for those who are upgrading from Novell iChain® 2.3 to Access Manager to manually reconfigure all user objects to store the sasAllowableSubjectNames value in the new format.

7.2.4 Authentication Trust Levels

Authentication Trust Levels have been added, which allow a contract to be satisfied by another contract.

7.2.5 Authentication API

The Authentication API has been added, which allows for the creation of custom Authentication Classes.

7.2.6 Wildcard Certificates for Mutual SSL Soap Back-Channel Security

Wildcard certificates are now allowed for the mutual SSL SOAP back-channel security method.

7.2.7 Certificate Handling in Clustering

Client certificate handling in clustering (back-channel) mode has been enhanced.

7.2.8 Update Health from Server

Added an Update Health from Server action on the Servers page, to perform a health check for the device.

7.2.9 Role Assignment Audit Events

Role assignment audit events can be created during authentication to the Identity Server. You enable this on the Logging page in the Identity Server configuration when you enable the Login Provided or Login Consumed options.

7.2.10 Miscellaneous Identity Server Enhancements

  • The Published DNS Name for a Proxy Service can now be defined as a single name segment, that is, without dots.

  • Added viewInfo.jsp and viewInfo.php to the /unsupported directory of the Identity Server installation file. Use these files for troubleshooting identity injection. They display all the HTTP headers and query string data that is sent from the Access Gateway to the back-end server. These files should be removed from the Web server after troubleshooting is finished.

  • Added functionality to send a complete list of the HTTP listening IP addresses for all cluster members when sending a configuration to the ESP.

  • Added a prompt to specify location path of backup files. The system uses the logged-in user’s home directory as a default.

  • Added an Update Servers prompt after adding or deleting reverse proxy servers.

  • The upgrade process now provides the default Administration Console IP address.

  • Added the ability to restore a backup without requiring the ZIP file, which contains certificates.

7.3 Access Gateway Enhancements

The following enhancements were added to the Access Gateway for SP1:

7.3.1 Saving and Applying Modifications

When you are making configuration changes, the changes are saved in browser cache until you click Update on the Access Gateways page or your session times out. If you wait until your session times out before clicking Update, all changes are lost.

On the Configuration page for the Access Gateways, you can now select to have changes saved before they are applied. When you click OK, the changes are moved from browser cache and saved in the configuration store. You can then update the Access Gateway with these configuration changes at a later time. You can also select to revert, which cancels all configuration changes and restores the Access Gateway to its previous configuration. If one of the servers in a cluster is current in its configuration, the Revert button is not available.

The Update and Update All options on the Access Gateways page allow you to control whether a configuration change is applied to one member of a cluster or all members of a cluster.

The Update link contains options for logging and policy modifications. When these options are selected, the configuration change can be applied without restarting the embedded service provider.

7.3.2 Managing Policies for Multiple Protected Resources

A new view has been added to the Protected Resources page (click Access Manager > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources). The default view is the list of protected resources defined for the proxy service. You can now also select to view the protected resources by the policies they have been assigned to use. From the Policy View, you can select the link in the Used By column and manage the policy for multiple resources at the same time.

7.3.3 Exporting and Importing Configuration Settings

You can export an existing Access Gateway configuration as well as its dependent policies, and then import this configuration to a new machine. When exporting the file, you can select to password-protect the file, which encrypts the file.

This feature was designed as an aid in moving Access Gateways from a staging environment that uses old hardware to a production environment that uses new hardware.

7.3.4 Rewriter Enhancements

New rewriter profile options have been added to strip the path from the query string and from post data. Search strings have additional tokens, such as [ew], [ep], and $path, that can be used for matching strings.

The Linux Access Gateway now rewrites HTML pages based on the configured word and character profiles and matches the functionality of the NetWare Access Gateway for this feature.

7.3.5 Proxy Service List

In the Proxy Service List, you can now click the arrow icon to view a list of the paths configured for the proxy service.

7.3.6 Group or Cluster Enhancements

Groups are now called clusters, and the Administration Console contains many modifications to make the management of a cluster easier and more intuitive. For example, from the main Access Gateways page, you can determine the status and the health of a cluster and each cluster member.

7.4 Policy Enhancements

The following policy enhancements were added for SP1:

  • Added .css and .odt files to the optimization list for Form Fill. Files that match the optimization list are excluded from the list that Form Fill uses to search for a match.

  • The redirect field in a Form Fill Login Failure policy now allows up to 1024 characters and accepts the ? character in the URL.

  • Form Fill now allows a 0 for the form number. When the form number is 0, all of the forms on the page are filled with values for the respective tags.

  • Policy trace output has been enhanced.

  • Additional information has been added to the Policy page (click Access Manager > Policies). Instead of just listing the device that is using the policy in the Used By column, you can click for more information and see the list of resources that are using the policy. In the Used By column, Role policies display the Identity Server configurations for which the Role has been enabled.

7.5 SSL VPN Enhancements

  • Enterprise mode is now equipped to handle diversified applications.

  • Support for Windows Vista*.

  • Support for 64-bit clients.

  • Improved error messages.

  • Improved user interface.

  • Improved performance in Kiosk mode for TCP applications.

7.6 J2EE Agent

  • Windows 64-bit installation is now supported.

  • You can now upgrade your agents.

  • You can now restart the embedded service provider from the Administration Console.

8.0 iManager Functionality

Access Manager uses a modified version of Novell iManager, called the Administration Console. You cannot use standard iManager features or plug-ins with the Access Manager version of the product.

9.0 Known Issues

9.1 Setup Considerations

  • Ensure that you synchronize the correct date, time, and time zone settings between the Identity Servers and Access Gateways servers. You must synchronize your servers to within one minute of each other. Otherwise, you encounter federation and session time-out errors. It is recommended that you use NTP for time synchronization.

  • Ensure that DNS names can be resolved.

  • Enable (allow) browser pop-ups for the Administration Console (administration server).

  • Network Address Translation routers cannot be placed between Access Manager components. All Access Manager components need to be on the same side of a NAT router.

9.2 Logging: Multiple AM#300101010 Errors in Log File

Image display problems can arise when an unprotected page references multiple protected resources. As a best practice for HTML, avoid situations where an unprotected page contains references to multiple protected resources that are loaded automatically. For example, the unprotected page index.html might contain references to two GIF image files, both of which are protected resources. The browser automatically attempts to load the GIF files during the initial load of index.html. Because multiple requests happen at the same time, one or more of the GIFs might be denied access. To avoid this, add the page itself (index.html in this example) as a protected resource. Doing so avoids the possibility of missing GIFs.

9.3 Clustering Known Issues

9.3.1 L4 Switch

If you use an Alteon* L4 switch and do not enable the sticky bit, you must turn on Direct Access Mode, which allows a client to communicate with any real server’s load balanced service.

9.3.2 Rebooting Cluster Members

If you reboot too many machines at the same time, some of the machines might report a configuration store error and not start. This problem resolves itself eventually, but it can take five hours or longer.

To prevent this problem, reboot the cluster members individually, waiting until the rebooted machine has started before issuing the next reboot command. This is a known issue and will be fixed in a future release.

9.4 Administration Console Known Issues

This section discusses known issues for the Administration Console.

9.4.1 Running in a VMWare ESX Server Environment

If you are running Access Manager in a VMWare ESX Server environment (ESX Server 3.0.2) and your Access Gateway configuration contains a path-based multi-homing reverse proxy with over 200 protected resources, you might experience an extended delay (five minutes or more) when viewing the configuration page for the proxy.

9.4.2 Installing the Administration Console on a Minimal SLES Installation Fails

The Administration Console requires a GUI. The minimal SLES installation does not install a GUI. You need to install the Administration Console on a system on which you have installed a GUI.

9.4.3 Changing the IP Address of a Web Server When SSL Is Enabled

If you enable SSL between the proxy service and the Web server and then modify the IP address of the Web server, an exception is thrown. Both the old IP address and the new IP address are displayed in the list of Web servers. You need to select the old IP address, then click Delete. This bug will be fixed in the next support pack.

9.4.4 Using an Auditing Server Other Than the One on the Administration Console

If you set up Access Manager to use an auditing server other than the one installed on the Administration Console, devices that are imported after this configuration do not receive the IP address of the auditing server. When the device is rebooted, it tries to send auditing events to the auditing server on the Administration Console.

To work around this issue after importing new devices, you need to configure the auditing server to use the IP address of the Administration Console, then click OK. This saves the configuration to the Administration Console. Return to the Auditing page, reset the IP address to the address of the auditing server you want to use, then apply the configuration to all the devices imported into the Administration Console (use the Update links). After the configuration has been applied to the devices, reboot the devices.

For more information on how to change the IP address of the auditing server, see Specifying the Logging Server and Events in the Novell Access Manager 3.0 SP1 Administration Guide.

9.4.5 Identity Injection or Form Fill for Single Sign-On

The iManager version used in the Administration Console is not compatible with Identity Injection or Form Fill for single sign-on.

9.4.6 Secondary Consoles

As long as the primary console is running, all configuration changes should be made at the primary console. If you make changes at both a primary console and a secondary console, browser caching can cause you to create an invalid configuration.

9.5 Identity Server Known Issues

The following issues apply to the Identity Server:

9.5.1 Affiliated Objects Missing SecretStore Schema

When you create a user store on the Identity Server (Local > User Stores) and define it as an external SecretStore (Liberty > Web Service Provider > Credential Profile), some attributes are not created properly on the SAML affiliate object. The workaround is to access the user store configuration page (Local > User Stores), then exit. This action results in a check to verify that the schema, objects, and attributes exist, and it recreates the affiliate object from scratch, if necessary.

The following attributes must exist on the affiliate object:

authsamlCertContainerDN (container holding trusted certificates, such as SCC Trusted Root.Security)
authsamlProviderID
authsamlTrustedCertDN (list of trusted certificates)
authsamlValidAfter (180 seconds default)
authsamlValidBefore (180 seconds default)

If these attributes exist, the system works normally unless your Identity Server and SecretStore server are not time-synchronized. If time synchronization is an issue, you can change the 180-second default validity times as a workaround.

9.5.2 Account Lockout on Password Expiration Servlet

When users reach the grace login limit, and a password expiration servlet is specified on a Name/Password or Secure Name/Password (form-based) authentication contract, they are redirected to the password expiration servlet to change their passwords. If the user does not update the password correctly, or escapes out of the page for any reason, the account is locked.

9.5.3 Multiple Administrators

Currently, locking has not been implemented on the pages for modifying the Identity Server. If you have multiple administrators, they need to coordinate with each other so that only one administrator is modifying an Identity Server cluster at any given time.

9.5.4 Orphaned Objects in the Trust/Configuration Store

If you delete a User object in LDAP, the objects in the trust/configuration datastore related to that user can become orphaned. The system uses these objects for federated identity and user profiles. Currently, there are no known issues related to orphaned identity objects, other than they might affect system performance. Orphaned user profile objects might also affect user lookup operations, and therefore you should remove them.

To do so, you need to first delete the user’s profile before you delete a User object, as described in the following steps:

  1. In iManager or an LDAP browser, edit the attributes of the User object that will be deleted.

  2. Note the value of the User object’s GUID attribute (for eDirectory), objectGUID attribute (for Active Directory*), or the nsuniqueid attribute (for SunOne*).

  3. On the Access Manager trust/configuration datastore, locate any containers that follow these naming patterns:

    cn=LUP*,cn=SCC*,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell
    cn=LibertyUserProfiles*,cn=SCC*,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell

  4. Look for a child inside of these containers that is named using the GUID noted in step 2. There should be only one profile object for each GUID.

  5. Delete that child profile object.

  6. Repeat these steps for each User object that you want to delete.

  7. Delete the User objects.
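As an added example (not code from the readme or the product), the following Python script carries out steps 3 through 5 over the DNs that an LDAP subtree search of the trust/configuration datastore returns, and refuses to choose when a GUID has more than one profile object. The GUIDs and container names in the sample are constructed, and DNs containing escaped commas are not handled.

```python
"""Find the Access Manager user-profile objects that belong to User objects
you are about to delete (steps 3 to 5 of the orphaned-objects procedure).

Added example, not code from the Novell readme or product. It works on DNs
as an LDAP subtree search of the trust/configuration datastore would return
them; the GUID values and container names below are constructed.
"""
import re
from collections import defaultdict

# Base of the trust/configuration datastore named in the readme.
BASE_DN = "ou=accessManagerContainer,o=novell"

# A profile container is cn=LUP* or cn=LibertyUserProfiles* directly under
# cn=SCC*,cn=cluster,cn=nids,<BASE_DN>.
PROFILE_CONTAINER = re.compile(
    r"^cn=(?:LUP|LibertyUserProfiles)[^,]*,cn=SCC[^,]*,cn=cluster,cn=nids,"
    + re.escape(BASE_DN) + r"$",
    re.IGNORECASE,
)


def split_leaf(dn):
    """Return (leaf RDN value, parent DN). Assumes no escaped commas in the DN."""
    leaf, _, parent = dn.partition(",")
    _, _, value = leaf.partition("=")
    return value.strip(), parent.strip()


def index_profile_objects(dns):
    """Map lower-cased GUID -> DNs of objects sitting directly inside a
    profile container. Objects elsewhere in the tree are ignored."""
    index = defaultdict(list)
    for dn in dns:
        guid, parent = split_leaf(dn)
        if PROFILE_CONTAINER.match(parent):
            index[guid.lower()].append(dn)
    return index


def profiles_to_delete(dns, guids):
    """For each GUID noted in step 2, return the profile DN to delete in
    step 5 (None when the user has no profile object). The readme says there
    should be only one profile object per GUID, so more than one is reported
    as an error instead of silently picking one."""
    index = index_profile_objects(dns)
    plan = {}
    for guid in guids:
        matches = index.get(guid.lower(), [])
        if len(matches) > 1:
            raise ValueError(f"{guid}: {len(matches)} profile objects found, expected one")
        plan[guid] = matches[0] if matches else None
    return plan


# Constructed sample of what a subtree search under BASE_DN might return.
SAMPLE_DNS = [
    "cn=SCC01,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell",
    "cn=LUP1,cn=SCC01,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell",
    "cn=LibertyUserProfiles1,cn=SCC01,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell",
    # profile objects, named by the user's GUID (constructed values)
    "cn=0A1B2C3D4E5F60718293A4B5C6D7E8F9,cn=LUP1,cn=SCC01,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell",
    "cn=11111111222233334444555555555555,cn=LibertyUserProfiles1,cn=SCC01,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell",
    # the same GUID twice: an inconsistency that needs a manual look
    "cn=DEADBEEF00000000000000000000CAFE,cn=LUP1,cn=SCC01,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell",
    "cn=DEADBEEF00000000000000000000CAFE,cn=LUP2,cn=SCC01,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell",
    # a GUID-like name outside a profile container must not be matched
    "cn=0A1B2C3D4E5F60718293A4B5C6D7E8F9,cn=other,cn=SCC01,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell",
]

if __name__ == "__main__":
    wanted = ["0A1B2C3D4E5F60718293A4B5C6D7E8F9",
              "11111111222233334444555555555555",
              "ffffffff00000000000000000000ffff"]
    for guid, dn in profiles_to_delete(SAMPLE_DNS, wanted).items():
        print(guid, "->", dn or "(no profile object)")
```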

9.5.5 Auto Provision X509

There are issues with the Auto Provision x509 option. If there are already values in the LDAP attribute for X509 Subject Name mapping, and you enable Auto Provision X509 for the X509 authentication class, the LDAP attribute values are overwritten with the client certificate subject name.

9.6 General Access Gateway Known Issues

9.6.1 Reinstalling a Failed Access Gateway

If the hardware of your Access Gateway fails and the Access Gateway is not a member of a cluster, you might receive the following message when you reinstall it:

Start unsuccessful. Reason: Unable to read keystore : /opt/novell/devman/jcc/certs/esp/signing.keystore.

If you receive this message, you need to use the following process to solve the problem.

  1. Add the failed Access Gateway to a cluster.

    Ignore the pending status of this command.

  2. Reinstall the Access Gateway, using a new IP address.

  3. Add the new Access Gateway to the cluster and make it the primary cluster server.

  4. Delete the failed Access Gateway from the cluster and from the Administration Console.

  5. (Optional) If you want the Access Gateway to use the old IP address, you can reinstall the Access Gateway by using the old IP address, add it to the cluster, make it the primary cluster server, then delete the Access Gateway that is using the new IP address from the cluster and from the Administration Console.

9.6.2 Purging the Cache After Making Configuration Changes

When you make certain configuration changes such as updating or changing certificates, changing the IP addresses of Web servers, or modifying the rewriter configuration, you are prompted to purge the cache. The cached objects must be updated for users to see the effects of such configuration changes. If your Access Gateways are in a cluster, you need to manage the purge process so your site remains accessible to your users. You should apply the configuration changes to one member of a cluster. When its status returns to healthy and current, issue the command to purge its cache. Then apply the changes to the next cluster member.

Do not issue a purge cache command when an Access Gateway has a pending configuration change. Wait until the configuration change completes.

9.6.3 Pending Commands after an Upgrade

Occasionally during an upgrade, the response to an upgrade command is lost, even though the command succeeds. This results in a pending status for the command, and this status is never updated to success.

To clear a pending command:

  1. In the Administration Console, click Access Manager > Access Gateway.

  2. Click the Commands link.

  3. Select the pending command, then click Delete.

  4. Click Close.

9.6.4 Form Fill Policies and Large Web Pages

Protected resources with Form Fill policies cannot service other Web pages greater than 128 KB.

When defining a protected resource for a Form Fill policy, make sure the protected resource path matches the URL to the form, thus excluding other non-form pages.

9.6.5 Form Fill Character Sets (UTF-8)

Novell supports only UTF-8 encoding (UCS Transformation Format 8) and ISO 8859-1. Otherwise, Form Fill translations to the SSO data store cannot be guaranteed.

9.6.6 Custom Deny Message in Authorization Policies

The Deny message in an Access Gateway Authorization policy can be no more than 3,908 characters long. If the message exceeds this limit, the message is not displayed.

9.6.7 Certificate Modifications

Both the Linux Access Gateway and the NetWare Access Gateway have the following issue when you cancel certificate changes:

If you make certificate changes on the Reverse Proxy or the Web Servers page, click the Configuration Panel link, and then on the Configuration page cancel the changes, the Reverse Proxy ends up with an invalid certificate. Return to the page and select the old certificate. As soon as you exit the page, the certificate is pushed to the device. Because the net results are that you did not change the certificate, you do not need to restart the embedded service provider.

9.6.8 Status Icon Displays Incorrectly

On the Group Configuration page, the Status icon might display a dash rather than a green check mark after making a valid configuration change. This will be fixed for 3.1.

9.7 Linux Access Gateway Known Issues

This section discusses the known issues that apply to the current release of the Linux Access Gateway.

9.7.1 Reimporting Issue

When reimporting a Linux Access Gateway with the initial configuration option, the health status displays the health of the previous configuration. You must apply changes from the Administration Console for the health status to display the new configuration. Alternatively, you can enter the /etc/init.d/novell-vmc restart command from the command line to restart the Access Gateway. This issue does not happen when you reimport the proxy with the current configuration option.

9.7.2 Importing a Linux Access Gateway Configuration

When importing a Linux Access Gateway configuration, it is possible that the imported configuration contains an Audit server IP address that is different from the Audit server IP address that has been configured in the Administration Console. Updating the Linux Access Gateway configuration does not correct this address problem. As long as the addresses differ, the Access Gateway can hang during subsequent updates or restarts because the Novell Audit Agent of the Access Gateway cannot connect to its configured Audit server.

You must force the Linux Access Gateway to change its Audit server settings.

  1. In the Administration Console, click Access Manager > Auditing.

  2. Specify a different IP address of the Secure Logging Server, then click OK.

  3. Click Auditing, specify the correct IP address of the Secure Logging Server, then click OK.

  4. Update the Linux Access Gateway.

  5. Reboot every Access Manager machine, starting with the Administration Console.

    If you have already configured the other Access Manager machines to use the correct IP address of the Secure Logging Server, rebooting the Linux Access Gateway should be sufficient.

9.7.3 Upgrading to SP1 Randomly Halts the Embedded Service Provider

After upgrading from RC2 to SP1, the embedded service provider sometimes is halted at the end of the upgrade process. When this happens, you need to restart the Linux Access Gateway. In the Administration Console, click Access Manager > Access Gateways, select the Access Gateway, then click Reboot.

9.7.4 Single Machine Installation Is Not Supported for this Release

This release does not support installation of the Administration Console, Identity Server, Linux Access Gateway, and SSL VPN on a single machine.

9.7.5 Content with Range Requests Is Not Served When Accessed from Internet Explorer

When a PDF file is viewed in Internet Explorer through the Linux Access Gateway and the browser issues a range request (a request carrying a Range header), the browser goes into an endless loop.

To work around this problem, download and save the file to your local drive, then open it. You can also configure the Linux Access Gateway to use HTTP 1.0 toward the browser.

9.7.6 Linux Access Gateway Version Is Incorrectly Displayed on the Administration Console

After the installation of the Linux Access Gateway, the wrong version of the product is displayed on the Administration Console. To get the correct version of the product, select Access Gateways > [Name of Server] > Upgrade, or enter the following command on the Linux Access Gateway machine:

cat /etc/issue

9.7.7 YaST Goes into a Non-Responsive Mode When a Partition Is Deleted or Created by Using YaST

YaST goes into a non-responsive mode if you click Finish after adding, deleting, or modifying a partition by using YaST. To work around this problem, click Apply, then Quit, instead of clicking Finish.

9.7.8 HP Proliant DL 360 G5 Does Not Support File Downloads through Linux Access Gateway

When the Linux Access Gateway is installed on an HP* Proliant* DL 360 G5 server, file downloads do not work.

9.7.9 Hostname Cannot Be Configured as linux

During installation, if you configure the hostname as linux, the Linux Access Gateway is not imported.

9.7.10 Administration Console Does Not Display System Down Alerts

The Administration Console does not display the System Down alert for Linux Access Gateway. You can use Novell Audit to receive information whenever the gateway is down. For more information on configuring the Linux Access Gateway to log system down information, see Enabling Access Gateway Audit Events in the Novell Access Manager 3.0 Administration Guide.

9.7.11 Issues While Importing Trusted Roots from Web Servers

The Linux Access Gateway requires both the server certificate and the root CA to be present in the trusted roots imported from Web servers. If the trusted root imported from the Web server displays only the server certificate, select the Do Not Verify option from the Web Server Trusted Root drop-down list when you configure SSL between the Proxy Service and the Web servers. With this option, the Access Gateway does not verify the Web server's certificate on that connection. For more information, see Configuring SSL between the Proxy Service and the Web Servers.

9.7.12 Web Servers That Do Not Support TLS and Do Not Fall Back to SSLV3 Are Not Accelerated

The Linux Access Gateway uses the TLS protocol by default. However, some Web servers that do not support the TLS protocol abort the SSL handshake because they do not fall back to SSLV3.

To work around this problem, create the /var/novell/.doNotUseTLS touch file and restart the Linux Access Gateway. When this touch file is set, the Linux Access Gateway tries the SSLV3 protocol by default, instead of the TLS protocol.

9.7.13 Linux Access Gateway Does Not Accelerate Netware 6.5 Pre-SP3 Web Servers

The Web server closes the connection when the Linux Access Gateway sends the HTTP request to the Netware 6.5 pre-SP3 Web server, after the SSL handshake.

9.7.14 Cookies Set by JavaScript inside the Entity Are Not Rewritten

The Linux Access Gateway rewrites the path and domain only in those cookies that are set using the Set-Cookie header. The cookies set by JavaScript inside the entity are not rewritten by the Linux Access Gateway.
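As an added example that is not code from the readme or from the Access Gateway, the following Python sketch shows the difference: a minimal rewriter for the Domain and Path attributes of Set-Cookie headers, and a check that lists the document.cookie assignments in the entity body that such a header rewriter never touches. The host names, paths and sample response are constructed.

```python
"""Which cookie attributes a header-based reverse proxy rewriter can change,
and which it cannot.

Added example, not code from the readme or from the Access Gateway itself: a
minimal Set-Cookie rewriter of the kind the readme describes, plus a check
for cookies assigned from JavaScript in the entity body, which the Linux
Access Gateway leaves untouched. Host names, paths and the sample response
are constructed.
"""
import re

# Matches document.cookie = '...' or "..." assignments in the entity body.
JS_COOKIE = re.compile(r"document\.cookie\s*=\s*(['\"])(.*?)\1", re.IGNORECASE)


def rewrite_set_cookie(value, backend_host, public_host, backend_path, public_path):
    """Rewrite the Domain and Path attributes of one Set-Cookie header value so
    they refer to the published (proxy) name and path. All other attributes
    (Secure, HttpOnly, Expires, ...) pass through unchanged."""
    parts = [p.strip() for p in value.split(";")]
    out = [parts[0]]  # the name=value pair
    bp = backend_path.rstrip("/")
    for attr in parts[1:]:
        name, _, val = attr.partition("=")
        key, val = name.strip().lower(), val.strip()
        if key == "domain" and val.lstrip(".").lower() == backend_host.lower():
            out.append("Domain=" + public_host)
        elif key == "path" and (val == bp or val.startswith(bp + "/")):
            out.append("Path=" + public_path.rstrip("/") + val[len(bp):])
        else:
            out.append(attr)
    return "; ".join(out)


def unrewritten_js_cookies(body, backend_host, backend_path):
    """Return the cookie strings assigned via document.cookie whose Domain or
    Path names the back-end server. The header rewriter never sees these, so
    they reach the browser exactly as the Web server wrote them."""
    host = backend_host.lower()
    bp = backend_path.rstrip("/").lower()
    hits = []
    for m in JS_COOKIE.finditer(body):
        cookie = m.group(2)
        attrs = {}
        for attr in cookie.split(";")[1:]:
            name, _, val = attr.partition("=")
            attrs[name.strip().lower()] = val.strip().lower()
        domain_hit = "domain" in attrs and attrs["domain"].lstrip(".") == host
        path = attrs.get("path")
        path_hit = path is not None and (path == bp or path.startswith(bp + "/"))
        if domain_hit or path_hit:
            hits.append(cookie)
    return hits


def proxy_response(headers, body, backend_host, public_host, backend_path, public_path):
    """Apply the header rewrite to a response and report the body cookies that
    still point at the back end. Returns (rewritten_headers, flagged_cookies);
    the body itself is passed on unchanged, as the readme describes."""
    rewritten = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = rewrite_set_cookie(value, backend_host, public_host, backend_path, public_path)
        rewritten.append((name, value))
    return rewritten, unrewritten_js_cookies(body, backend_host, backend_path)


# Constructed back-end response: one cookie set in a header, one set from script.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Domain=app.internal.example; Path=/app; Secure; HttpOnly"),
]
SAMPLE_BODY = """<html><script>
document.cookie = "theme=dark; domain=app.internal.example; path=/app";
document.cookie = "seen=1";
</script></html>"""

if __name__ == "__main__":
    hdrs, flagged = proxy_response(SAMPLE_HEADERS, SAMPLE_BODY,
                                   "app.internal.example", "www.mygroup.com", "/app", "/portal")
    for h in hdrs:
        print("%s: %s" % h)
    print("set from JavaScript, not rewritten:", flagged)
```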

9.7.15 Rewriter Does Not Handle [ow], [w], and [oa] Options in Search and Replace Configuration

The character rewriter profile does not support the [w], [ow], and [oa] options to search and replace plain words and strings.

9.7.16 Exclude Alias DNS with Scheme Does Not Work

The Exclude Alias DNS name with Scheme option does not work. For example, if you add https://www.mygroup.com, it is not excluded from the list. You must provide only the DNS name, for example www.mygroup.com.

9.7.17 Form Fill Auto Submit Option Does Not Work with Multiple Forms on the Same Web Page

The Linux Access Gateway Form Fill fails to auto submit HTML pages with multiple <FORM> sections. For example, if you have an HTML login page, and the page contains two <FORM> sections as follows:

<HTML>
<FORM name="form1"...>
<INPUT name="username" type="text"...>
</FORM>
<FORM name="form2"...>
<INPUT name="password" type="password"...>
</FORM>
</HTML>

Linux Access Gateway fills both the forms but does not auto submit them.

9.7.18 Form Fill Fails When a Policy Is Configured to Use String Constants

The Form Fill feature of Linux Access Gateway fails to fill the form when a policy is configured to use only string constants for all the input fields. But Form Fill works when a string constant is used in combination with other input field values, such as credential profile.

9.7.19 Form Fill Auto Submit Does Not Work When There Are JavaScript Errors on the Web Page

The Form Fill auto submit fails if there are JavaScript errors on the Web page. When it encounters the errors, it displays an invalid page message.

9.7.20 Form Fill Auto Submit Issue

Form Fill auto submit fails when an input field in an HTML page contains name="submit".

9.7.21 Form Fill Does Not Work if the Web Page Contains an Apostrophe

The Linux Access Gateway Form Fill does not work if the Web page contains the apostrophe character.

9.7.22 Form Fill Fails if the Web Server Does Not Send the Content Type

Form Fill does not process the page if the Web server does not send the content type. Form Fill processes the following content types:

"text/html"
"text/xml"
"text/css"
"text/javascript"
"application/javascript"
"application/x-javascript"

9.7.23 Server Health Status Is Shown As “Server is not reporting”

When the DNS Server is configured incorrectly, or when the DNS server is not operating, the health check module of Linux Access Gateway goes into an indefinite state. The administration console reports the status as “Server is not reporting”. To correct this symptom, the DNS server needs to be operating correctly. After the DNS server is operational, the Linux Access Gateway health check module recovers automatically.

9.8 NetWare Access Gateway Known Issues

The NetWare Access Gateway embeds NetWare 6.5 SP6. The following topics are known issues for this operating system and the Access Gateway:

9.8.1 Mutual SSL

When you upgrade to Access Manager 3.0 SP1, the upgrade process disables mutual SSL between the proxy service and the Web servers.

To re-enable mutual SSL, you need to select the SSL Mutual Certificate on the Web Servers page. Click Access Manager > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

9.8.2 Form Fill Data Is Not Cached

The NetWare Access Gateway does not cache Form Fill data. Therefore, if you assign a Form Fill policy to a protected resource that uses a wildcard (*) in the URL path, the NetWare Access Gateway queries the Identity Server for Form Fill data each time a user accesses any page that matches the protected resource. It is strongly recommended that you specify a specific page when you assign a Form Fill policy to a protected resource.

The NetWare Access Gateway does cache Identity Injection and Authorization policy information for the lifetime of the user’s session, so the protected resources for these policies can use wildcards in their URL paths.

9.8.3 Secondary Administration Console Command Failure

You can push commands from the secondary Administration Console, but any commands dealing with the Certificate Authority fail unless you move the Certificate Authority to the secondary server.

9.8.4 DNS Naming

Do not begin an Access Gateway server DNS name with a number.

9.8.5 Using an SSH Client with the Secure File Transfer Protocol

If you transfer files to and from the NetWare Access Gateway server with an SSH client that has the Secure File Transfer Protocol (SFTP) enabled, you need to load ncpip.nlm and enable NCP™ for SFTP.

WARNING: Enabling NCPIP is a security risk because it opens a listener on port 524 on all bound addresses.

To set up and configure NCPIP, add the following to the tune.ncf file:

load ncpip.old
SET NCP Exclude Addresses = ALL
SET NCP Include Addresses = 127.0.0.1

9.8.6 IDEATA.HAM Drivers and Serial ATA Controllers

You specify in the BIOS the mode for the IDEATA.HAM driver to use with a SATA controller (the options are Legacy or Compatible mode, and Enhanced mode). You do not need to manipulate the driver or the OS.

The IDESATA.HAM driver works with all AHCI controllers in pure AHCI mode, which is the recommended mode because it is the fastest. This driver is invoked instead of IDEATA.HAM only when the BIOS setting for the particular chip set is set to AHCI.

9.8.7 SSL Certificate Log Error with X.509 Authentication from the NetWare Access Gateway

If you set up an X.509 contract and use it to authenticate from the NetWare Access Gateway, you might see an error generated in the Identity Server log for certificate or SSL mutual authentication. This occurs during SSL re-negotiation between Tomcat and the Internet Explorer browser, and is possibly an IE bug. This error does not occur when using Firefox*. The Access Gateway can cause the error at the Identity Server by requesting the certificate authentication from the Identity Server, but it is not the only device that can cause the error. Any device requiring or requesting certificate authentication from the Identity Server, including the Identity Server itself, can cause the error. It is cosmetic.

9.8.8 Novell Remote Manager

NetWare abends can occur when using Novell Remote Manager Group Operations on a NetWare Access Gateway. We recommend that you do not use Novell Remote Manager on a NetWare Access Gateway.

9.9 SSL VPN Known Issues

The following sections divide the known issues into general issues that apply to both the Enterprise mode and Kiosk mode and issues that apply only to the Enterprise mode and only to the Kiosk mode:

9.9.1 General SSL VPN Issues

Use the Command Line to Restart the SSL VPN Servers

You must use the command line to restart the SSL VPN servers. The Start and Stop buttons in the Administration Console are not functional for this release. To restart the SSL VPN server, specify the following commands from the command line:

/etc/init.d/novell-sslvpn stop
/etc/init.d/novell-sslvpn start

Logout Page Is Not Displayed if the User Does Not Have a Traffic Policy Defined

If the user does not have a traffic policy defined for the role, the user is denied access to the resources. However, the logout page is not displayed when the user clicks the Logout button.

SSL VPN Client Randomly Displays the Nonsecure Items Dialog Box

The SSL VPN client randomly displays the Do you want to display the nonsecure items dialog box, after the connection is established. Click Yes to close the dialog box. If you do not click Yes, SSL VPN disconnects. You can also follow the steps given below to resolve the problem if you are planning to use SSL VPN for a long session.

  1. Open the Internet Explorer browser.

  2. Select Tools > Internet Options.

  3. Select the Security tab.

  4. Select Internet Zone, then click the Custom Level button.

  5. Select Enable for the Display mixed content option.

  6. Click OK.

9.9.2 Kiosk Mode Issues

Logout Page Display Issue

The SSL VPN logout page is not displayed to you after you click the Logout button when you use Internet Explorer 6.0 browser on a Windows 2000 machine to access SSL VPN in Kiosk mode. This issue does not occur when you access SSL VPN in Enterprise mode.

No Kiosk Mode Support for 64-bit Clients

If you use 64-bit machines, you can access SSL VPN only in Enterprise mode. Accessing SSL VPN in Kiosk mode is not supported.

Unable to Create SSL Listeners due to NICI Error

After you have upgraded to the Novell Access Manager 3.0 SP2 version, if you roll back to the SP1 or an Iterative Release (IR) version, SSL listeners are not created because the NICI versions used differ. To work around the problem, do the following with the SP1 package:

  1. Untar lagrpms.tar.gz.

  2. Remove the nici rpm from the lagrpms directory.

  3. Re-tar the lagrpms directory as lagrpms.tar.gz.

  4. Use the new lagrpms.tar.gz for upgrade.

Macintosh Client Issues

The Macintosh* Tiger OS client does not support GroupWise 7.0.

The First SSL VPN Session Throws an Error When the Second Session Is Closed

If you open a second SSL VPN session while there is an active SSL VPN connection, you get an error saying that the SSL VPN is already running. If you close the second session, the first connection throws the Policy resolver not responding error and disconnects.

Linux Browser Issues

In Linux, you cannot access protected HTTP traffic on the Firefox browser during the first SSL VPN connection, but subsequent connections work without problems.

To work around this problem, you can use another browser such as Mozilla to access the protected resource as follows:

  1. Establish an SSL VPN connection in the Kiosk mode.

  2. Create a shortcut or launcher for Firefox on the desktop.

  3. Click SSLize Desktop Applications.

  4. Log out of the SSL VPN.

  5. Launch Firefox by using the SSL VPN-enabled shortcut.

    The Firefox browser launches even though there is no SSL VPN connection.

  6. Establish an SSL VPN connection in the Kiosk mode.

    New tabs and new instances of the Firefox browser now tunnel HTTP traffic.

Browser Goes into a Non-Responsive Mode After Logging Out

When you connect to SSL VPN in the Kiosk mode on a Windows Vista machine, the browser goes into a non-responsive mode after you click the Logout button.

Issues with Toolbar Application

The Intlclock toolbar application running on the SUSE Linux Enterprise Desktop (SLED) 10 SP1 crashes when an SSL VPN connection is established or disconnected.

Applications in the Program Menu Are Not SSLized in Linux

In Linux, applications listed in the Program Menu are not SSLized.

Open Applications Are Not SSLized

Applications that are opened before the start of SSL VPN are not SSLized in Linux and Macintosh.

To enable SSL on the terminals that were opened before the start of SSL VPN, do one of the following:

  • Run tcsh at the tcsh or csh shell.

  • Run bash at the bash shell.

Domain Name Search Does Not Work in Macintosh

Domain name search does not work in the Kiosk mode in Macintosh.

Active Mode FTP Not Supported in Kiosk Mode

In SSL VPN Kiosk mode, the active mode FTP is not supported.

9.9.3 Enterprise Mode Issues

HTTP Applications Cannot Be Accessed When the SSL VPN Connection Is Made through the Forward Proxy

If a client uses HTTP forward proxy to establish the SSL VPN session, no HTTP application can be accessed over this SSL VPN connection as the browser is configured to use the forward proxy server for HTTP requests.

No Support for 64-bit Browser

SSL VPN does not support 64-bit browsers to establish the initial login session.

Restrictions for SSL VPN Certificate Names

SSL VPN certificate names can contain only alphanumeric characters, space, underscore (_), hyphen (-), the at symbol @, and dot (.).

OpenVPN Client Installation Requires the User Profile Path and the Windows Path to Exist on the Same Drive

The user profile path and the Windows path must exist on the same drive for the OpenVPN client to be installed. For example, if the user profile exists on the D:\ drive and the Windows profile exists on the C:\ drive, the OpenVPN client installation fails.

No Error Message Is Displayed on an Invalid Credential Entry in Windows 2000 Machines

In Windows 2000 machines, if a non-admin user tries to establish an SSL VPN connection in the Enterprise mode and specifies the wrong credentials for the admin user, no error messages are displayed. However, the user is denied access in the Enterprise mode after trying to establish the connection.

9.10 Certificates Known Issues

The following are known issues for certificates:

9.10.1 Certificate Issues after Upgrading to SP1

If your Linux Access Gateway has been configured to use the same certificate for SSL between the reverse proxy and the browsers and between the proxy and the Web servers, the certificate configuration might not be valid after the upgrade.

To fix the reverse proxy certificate, go to the Reverse Proxy page, select a different certificate, click OK, return to the Reverse Proxy page, select the correct certificate, then click OK.

To fix the mutual SSL certificate, go to the Web Server page, select the SSL Mutual Certificate, click OK, then apply the changes.

9.10.2 Browse Button for Importing a Private/Public Key Pair

In some combinations of Linux and Firefox, the Browse button in the Import Private/Public Keypair window might be displayed incorrectly. This does not affect functionality.

9.10.3 Certificate Command Failure

Certificate commands are generated when you upgrade the Administration Console, and you should verify that all of them completed successfully. If a certificate command fails, note the certificate name, the alias, and the destination trust store or keystore, then repeat the command by hand: delete the certificate or trusted root from that trust store or keystore, then add it again with the noted alias from the Certificates page (Certificates > Add Certificate to Keystores) or the Trusted Roots page (Certificates > Trusted Roots).

9.11 J2EE Agent Known Issues

No audit log events occur on 64-bit platforms. There is currently no workaround for the WebSphere* Agent. For the JBoss* and WebLogic Agents, you can enable log events on 64-bit platforms by deleting the LogEvent.jar file and replacing it with the NAuditPA.jar file, as described below.

On Windows, the NAuditPA.jar file is located in the Program Files\novell\Nsure Audit directory. On Linux, it is located in the /opt/novell/naudit/java/pa directory.

9.11.1 JBoss Agent

Delete the LogEvent.jar file in the server configuration lib directory (the location for the default configuration is the JBoss/server/default/lib directory). Copy the NAuditPA.jar file to this directory.

The LogEvent.jar file also needs to be deleted from the ESP directory (JBoss/server/default/deploy/nesp.ear/nesp.war/WEB-INF/lib). The NAuditPA.jar does not need to be added to this directory.

9.11.2 WebLogic Agent

Linux: Edit the WL_HOME/common/bin/commEnv.sh file and change the ${AGENT_LIB}/LogEvent.jar path to /opt/novell/naudit/java/pa/NAuditPA.jar.

Delete the LogEvent.jar file from the ESP directory (nesp.ear/nesp.war/WEB-INF/lib).

Windows: Edit the WL_HOME/common/bin/commEnv.cmd file and change the %AGENT_LIB%\LogEvent.jar path to Program Files\novell\audit\NAuditPA.jar.

Delete the LogEvent.jar file from the ESP directory (nesp.ear/nesp.war/WEB-INF/lib).
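The following script is an added example and is not Novell's own patch script: it carries out the Linux steps of Section 9.11.1 (JBoss Agent) and Section 9.11.2 (WebLogic Agent) as shell functions. To be safe to run offline, it builds a constructed directory tree that stands in for a JBoss default configuration, a WebLogic home and an NAuditPA.jar; the function names, the fixture layout and the sample commEnv.sh line it rewrites are assumptions for illustration. On a real server you would pass the actual server configuration directory, WL_HOME, ESP WEB-INF/lib directory and NAuditPA.jar path instead.

```shell
#!/bin/sh
# Added example (not Novell's own script): the LogEvent.jar -> NAuditPA.jar
# swap for the JBoss and WebLogic agents on Linux, as described above.
# Function arguments are the real paths on your server; make_fixture builds a
# constructed stand-in tree used only for this demonstration.
set -eu
LC_ALL=C; export LC_ALL

# jboss_swap_audit_jar SERVER_CONFIG_DIR NAUDITPA_JAR
#   Deletes LogEvent.jar from <cfg>/lib and from the ESP WEB-INF/lib, then
#   copies NAuditPA.jar into <cfg>/lib only; the ESP directory does not get it.
jboss_swap_audit_jar() {
    cfg=$1; jar=$2
    esp_lib="$cfg/deploy/nesp.ear/nesp.war/WEB-INF/lib"
    [ -f "$jar" ]     || { echo "NAuditPA.jar not found: $jar" >&2; return 1; }
    [ -d "$cfg/lib" ] || { echo "no lib directory under $cfg" >&2; return 1; }
    rm -f "$cfg/lib/LogEvent.jar" "$esp_lib/LogEvent.jar"
    cp "$jar" "$cfg/lib/NAuditPA.jar"
}

# weblogic_swap_audit_jar WL_HOME ESP_WEBINF_LIB NAUDITPA_JAR
#   Points the ${AGENT_LIB}/LogEvent.jar reference in WL_HOME/common/bin/commEnv.sh
#   at NAuditPA.jar (keeping a .bak copy) and deletes LogEvent.jar from the ESP
#   WEB-INF/lib.
weblogic_swap_audit_jar() {
    wl_home=$1; esp_lib=$2; jar=$3
    env_file="$wl_home/common/bin/commEnv.sh"
    [ -f "$env_file" ] || { echo "commEnv.sh not found: $env_file" >&2; return 1; }
    [ -f "$jar" ]      || { echo "NAuditPA.jar not found: $jar" >&2; return 1; }
    cp "$env_file" "$env_file.bak"
    # '|' as the sed delimiter because the replacement is a path; the jar path is
    # assumed to contain no '|', '&' or '\'. Rewriting from the backup copy avoids
    # the non-portable 'sed -i'.
    sed 's|[$]{AGENT_LIB}/LogEvent\.jar|'"$jar"'|g' "$env_file.bak" > "$env_file"
    rm -f "$esp_lib/LogEvent.jar"
    if grep -q 'LogEvent\.jar' "$env_file"; then
        echo "warning: LogEvent.jar is still referenced in $env_file" >&2
    fi
}

# make_fixture: builds a throwaway tree mimicking a JBoss default configuration,
# a WebLogic home and an NAuditPA.jar (empty placeholder files, constructed for
# the demo) and prints its root directory.
make_fixture() {
    root=$(mktemp -d)
    jb="$root/jboss/server/default"
    mkdir -p "$jb/lib" "$jb/deploy/nesp.ear/nesp.war/WEB-INF/lib" \
             "$root/wl/common/bin" "$root/wl/esp/nesp.ear/nesp.war/WEB-INF/lib" \
             "$root/naudit"
    : > "$jb/lib/LogEvent.jar"
    : > "$jb/deploy/nesp.ear/nesp.war/WEB-INF/lib/LogEvent.jar"
    : > "$root/wl/esp/nesp.ear/nesp.war/WEB-INF/lib/LogEvent.jar"
    : > "$root/naudit/NAuditPA.jar"
    printf 'CLASSPATH="${AGENT_LIB}/LogEvent.jar:${CLASSPATH}"\n' \
        > "$root/wl/common/bin/commEnv.sh"
    echo "$root"
}

# Demonstration on the constructed fixture.
root=$(make_fixture)
jboss_swap_audit_jar "$root/jboss/server/default" "$root/naudit/NAuditPA.jar"
weblogic_swap_audit_jar "$root/wl" "$root/wl/esp/nesp.ear/nesp.war/WEB-INF/lib" \
                        "$root/naudit/NAuditPA.jar"
echo "JBoss lib now contains:"; ls "$root/jboss/server/default/lib"
echo "commEnv.sh now reads:";   cat "$root/wl/common/bin/commEnv.sh"
rm -rf "$root"
```

Both functions refuse to run when NAuditPA.jar or the target directory is missing, so a typo in a path fails loudly instead of silently leaving LogEvent.jar in place. The commEnv.sh edit is done by copying to a .bak file first and writing the rewritten copy back, which keeps a rollback point and works with both GNU and BSD sed; for the JBoss agent, NAuditPA.jar is copied into the server lib directory only, matching the note above that it does not need to be added to the ESP directory.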

10.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

11.0 Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2007-2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.