Novell Access Manager 3.0 SP3 IR2 Readme

June 4, 2008

This Readme describes the new features, fixes, and known issues in the Support Pack 3 release. It has been updated to also describe the SP3 Interim Release 1.

1.0 Documentation

The following sources provide information about Novell® Access Manager:

  • Product Documentation Web Site

    As long as the SP3 documentation is posted on a beta Web site, some links in the documentation are invalid. They become valid only after the documentation is posted on the Documentation Web site.

  • Access Manager Support (support TIDs)

2.0 Access Manager 3.0 SP3 IR2

If your Access Manager system has experienced any of the problems listed in Section 2.3, Bugs Fixed in SP3 IR1 and IR2, you should upgrade to the IR2 release. If you upgrade one component, you should upgrade all components.

2.1 Installing the IR2 Patch

Your system must be upgraded to SP3 before applying this patch release. For installation and version information for SP3, see Section 3.0, Installing the 3.0 SP3 Release.

The patch file for upgrading the components to the IR2 release (nam3sp3ir2.tar.gz) can be downloaded from Novell Downloads Web site. This patch contains the following files:

Table 1 Access Manager 3.0 SP3 IR1 Patch File

  Component                                   Purpose   Filename
  Administration Console and Identity Server  Upgrade   AM_303_SP3_IR2_IdentityServer_Upgrade.tar.gz
  Linux* Access Gateway                       Upgrade   AM_303_SP3_IR2_lagrpms.tar.gz
  SSL VPN (low bandwidth)                     Upgrade   AM_303_SP3_IR2_sslvpnrpms.tar.gz

The following sections explain how to upgrade the various components:

2.1.1 Upgrading the Identity Server and Administration Console to IR2

  1. Log in as root on the machine you need to patch.

  2. Copy the AM_303_SP3_IR2_IdentityServer_Upgrade.tar.gz file to the machine and unpack it.

    When the file is unpacked, you should see a manifest file, a nampatch.sh install script, and a patchIR1 directory. These three items need to be in the same directory.

  3. From this directory, enter the following command:

    ./nampatch.sh
    

    This patch installer does the following:

    • It warns connected users that services are being restarted.

    • If you have installed your Identity Server and Administration Console on the same machine, it detects this and patches both components.

    • Events from the patch process are logged to a file in the /tmp directory.

    • A backup of the files that are being replaced is stored in the $HOME directory.

  4. (Optional) Verify the upgraded version number:

    1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

    2. Check the version number for the component you upgraded:

      Component               Version
      Identity Server         3.0.3.56
      Administration Console  3.0.3-56

2.1.2 Upgrading the Linux Access Gateway to IR2

Before you upgrade the Linux Access Gateway, the Linux Access Gateway file (AM_303_SP3_IR2_lagrpms.tar.gz) needs to be renamed. In the download, it needs to have a version-specific name, but to use it in an upgrade, it needs the generic name. It should be renamed as follows:

AM_303_SP3_IR2_lagrpms.tar.gz renamed to lagrpms.tar.gz

For more information on the various methods for upgrading the Linux Access Gateway, see “Upgrading the Linux Access Gateway” in the Novell Access Manager Installation Guide.

When upgraded to 3.0 SP3 IR2, the Linux Access Gateway displays the following version:

3.0.3.56

2.1.3 Upgrading SSL VPN to SP3 IR2

IMPORTANT: The SSL VPN file that ships with IR2 is the same file that shipped with IR1. If you updated your SSL VPN server in IR1, you do not need to update it for IR2.

Select the correct patch file according to the version of SSL VPN you have installed:

  • To upgrade the low bandwidth version of SSL VPN, extract the AM_303_SP3_IR2_sslvpnrpms.tar.gz file from the patch file.

  • To upgrade the high bandwidth version of SSL VPN, download the AM_303_SP3_IR1_HB_sslvpnrpms.tar.gz file from the Novell Customer Center. The high bandwidth version is subject to certain export restrictions. Check with your sales representative to see if you are eligible to receive this version.

WARNING: If you use the AM_303_SP3_IR2_sslvpnrpms.tar.gz file to upgrade the high bandwidth SSL VPN, you downgrade your system to the low bandwidth version, which causes serious performance and configuration issues. Make sure you use the correct file for the version you have installed.

To check the version of SSL VPN that is currently installed on your system, enter the following command:

rpm -qa|grep novl-sslvpn

The RPM names for high bandwidth version appear with an _hb.

NOTE: To upgrade from the SP3 low bandwidth version of SSL VPN to the high bandwidth version of SSL VPN, refer to “Installing the High Bandwidth Version of SSL VPN” in the Novell Access Manager Installation Guide. Perform this upgrade before installing the patch.

Refer to “Upgrading the SSL VPN Server” in the Novell Access Manager Installation Guide for instructions for all installations of SSL VPN: installed as standalone component, installed with the Identity Server or Administration Console, or installed with the Linux Access Gateway.

The version number for SSL VPN, after upgrading to IR2, is 3.0.2.01.

2.1.4 Upgrading the J2EE Agents to IR2

SP3 IR2 modified the nidp.jar file that contains the embedded service provider code. Access Manager runs more efficiently when all embedded service providers are running the same code.

2.1.4.1 Upgrading the Linux J2EE Agents to IR2

  1. Log in as root on the agent machine you need to patch.

  2. Copy the AM_302_SP3_IR2_IdentityServer_Upgrade.tar.gz file to the agent machine and unpack it.

    When the file is unpacked, you should see a manifest file, a nampatch.sh install script, and a patchIR1 directory. These three items need to be in the same directory.

  3. From this directory, enter the following command:

    ./nampatch.sh
    

This patch installer does the following:

  • It warns connected users that services are being restarted.

  • Events from the patch process are logged to a file in the /tmp directory.

  • A backup of the files that are being replaced is stored in the $HOME directory.

  • The version of the Agent does not change with this procedure.

2.1.4.2 Upgrading the Windows J2EE Agents to IR2

  1. Unzip the nam3sp3ir2.tar.gz patch file.

  2. Copy the AM_302_SP3_IR2_IdentityServer_Upgrade.tar.gz file to the computer where the agent is installed and unzip it.

    When the file is unzipped, you should see a manifest file, a nampatch.sh install script, and a patchIR2 directory. The patchIR2 directory contains the nidp.jar file.

  3. Shut down the Application Server.

  4. Copy the nidp.jar file in the patchIR1 directory so that it replaces the nidp.jar file of the agent.

    The easiest way to replace the nidp.jar file is to do a search on the drive for nidp.jar, then replace the files with the new one. These files are located in the following directories in a typical installation:

    WebSphere: c:\Program Files\IBM\WebSphere\AppServer\profiles\default\installedApps\am3-was6-agentNode01Cell\NIDPJ2EEApp.ear\nesp.war\WEB-INF\lib\nidp.jar

    WebLogic: Two locations.

    c:\bea\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_user\AccessManagerEmbeddedServiceProvider\pagp7x\war\WEB-INF\lib\nidp.jar
    c:\Novell\nesp.ear\nesp.war\WEB-INF\lib\nidp.jar
    

    JBoss: c:\jboss\jboss-4.0.3SP1\server\default\tmp\deploy\tmp3756nesp.ear-contents\nesp-exp.war\WEB-INF\lib\nidp.jar

  5. Start the Application Server.

    The version of the Agent does not change with this procedure.

2.1.5 Upgrading the NetWare Access Gateway to IR2

SP3 IR1 modified the nidp.jar file that contains the embedded service provider code. Access Manager runs more efficiently when all embedded service providers are running the same code.

To upgrade the NetWare Access Gateway:

  1. Unzip the nam3sp3ir2.tar.gz patch file.

  2. Unzip the AM_302_SP3_IR2_IdentityServer_Upgrade.tar.gz file.

    When the file is unzipped, you should see a manifest file, a nampatch.sh install script, and a patchIR1 directory. The patchIR1 directory contains the nidp.jar file.

  3. Stop the NetWare Access Gateway.

  4. Copy the nidp.jar file to sys:\tomcat\4\webapps\nesp\WEB-INF\lib and replace the existing nidp.jar file.

  5. Start the NetWare Access Gateway.

    The version of the NetWare Access Gateway does not change with this procedure.

2.2 New Interim Release Features

2.2.1 Protected Resource Feature

You can now specify a query string in the URL path of a resource protected on the Linux Access Gateway. For example:

URL path: /test/index.html?test=test

By default, the Linux Access Gateway ignores query strings when matching URL paths. To use the query string for matching, you must enable the feature by creating the following touch file:

/var/novell/.prWithQuestionMark 

You need to restart the Access Gateway to activate this feature.

If this file is present and the request URL has a query string, the Access Gateway searches for a URL path with a matching query string. If it can’t find a match, the request returns a resource not found error. If you enable this feature, you need to make sure to add the query string to the URL paths of the protected resources.

Without the touch file, the Access Gateway ignores the query string and uses just the path to find a match.

In SP4, this feature will no longer require the touch file. It will also perform two searches. If the request URL has a query string, it will first search for a match with the query string. If it can’t find a match, it will remove the query string and search for a match using just the path.
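The three matching behaviours described above (no touch file, the IR2 touch file, and the announced SP4 two-search behaviour) modelled in one small function. This is an added illustration, not Novell code; the protected-resource paths and the prefix rule for a trailing * are constructed assumptions, as is the first-match-wins ordering.

```python
from urllib.parse import urlsplit

# Constructed sample protected-resource URL paths (hypothetical values), as an
# administrator would enter them on the Access Gateway protected resource page.
PROTECTED_PATHS = [
    "/test/index.html",
    "/test/index.html?test=test",
    "/public/*",
]


def _split(url_path):
    """Split a URL path into (path, query); query is '' when there is none."""
    parts = urlsplit(url_path)
    return parts.path, parts.query


def _path_matches(pattern, path):
    """Minimal path matching (assumption): exact match, or prefix match when
    the pattern ends with '*'. The gateway's real matching rules are richer."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def find_protected_resource(request_url, resources, mode="default"):
    """Return the protected-resource URL path the gateway selects for
    request_url, or None when the request would get a 'resource not found'.

    mode:
      "default"   - no touch file: the query string is ignored and only the
                    path is matched (query strings on resource paths too).
      "touchfile" - /var/novell/.prWithQuestionMark present: a request with a
                    query string matches only a resource path carrying the same
                    query string; no match means 'resource not found'.
      "sp4"       - announced SP4 behaviour: search with the query string
                    first, then fall back to a path-only search.
    The first entry in 'resources' that matches wins (assumption).
    """
    req_path, req_query = _split(request_url)

    def search(use_query):
        for res in resources:
            res_path, res_query = _split(res)
            if not _path_matches(res_path, req_path):
                continue
            if not use_query or res_query == req_query:
                return res
        return None

    if mode == "default":
        return search(use_query=False)
    if mode == "touchfile":
        return search(use_query=True)
    if mode == "sp4":
        match = search(use_query=True)
        if match is None and req_query:
            match = search(use_query=False)
        return match
    raise ValueError("unknown mode: %s" % mode)


if __name__ == "__main__":
    # Shows why every protected resource needs its query string once the touch
    # file exists: /public/logo.gif?v=2 stops matching /public/*.
    for url in ("/test/index.html?test=test", "/test/index.html?test=other",
                "/public/logo.gif?v=2"):
        for mode in ("default", "touchfile", "sp4"):
            print("%-30s %-9s -> %s" % (
                url, mode, find_protected_resource(url, PROTECTED_PATHS, mode)))
```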

2.2.2 Ensuring Secure Cookies

If you configure SSL between the browsers and the Linux Access Gateway, you can configure the embedded service provider so that it always sends secure cookies. See Avoiding Non-Secure Cookies.

2.3 Bugs Fixed in SP3 IR1 and IR2

2.3.1 Linux Access Gateway

  • Fixed issues with the rewriter so that it no longer parses binary files.

  • Fixed the Linux Access Gateway crash that occurred when configuration changes were applied more than 200 times.

  • Fixed the health check failure that occurred when an internal DNS server was used. When the touch file /var/novell/.ignoreDnsServerHealth is present, the health check of the DNS name server is ignored and the health reports green.

  • Fixed issues in handling partial content multibyte range responses.

  • Fixed the Form Fill failure that occurred when an improper SOAP request was sent from the proxy to the embedded service provider while a Via header was present.

  • Added an option that forces the embedded service provider to send secure cookies. See Avoiding Non-Secure Cookies.

  • Fixed an issue with the Linux Access Gateway, so that it now sends only the URL without the query parameters to the embedded service provider for ACL policy evaluation.

  • Rewriting of the URL is now case insensitive.

  • Enabled support for the ? character in the protected resource path.

  • Fixed issues with HTTP Common/Extended Logging so that the Access Gateway now writes to these files when multiple SSL proxy services are active.

  • Fixed issues that occurred on receiving the wrong content type from a Web server on a 304 response.

  • Fixed an issue with requests that have a URL length of 3665 characters.

  • Fixed the random Form Fill issue that caused the services to restart.

  • Fixed the issue that caused the Linux Access Gateway to crash during a migration from iChain® to the Linux Access Gateway.

  • You can now configure the Linux Access Gateway to set its authentication cookie with the secure keyword in order to prevent the browser from sending this cookie on a non-HTTPS channel.

    If the touch file /var/novell/.EnableSecureCookie is present, HTTPS services set the authentication cookie with the keyword secure. If the touch file /var/novell/.ForceSecureCookie is present, even the HTTP services have the authentication cookie set with the keyword secure. This allows handling of scenarios such as the Linux Access Gateway placed behind a Cisco SSL accelerator.

  • You can now configure the Linux Access Gateway to set its authentication cookie with the HttpOnly keyword, to prevent scripts from accessing the cookie. To enable this, you must have the touch file /var/novell/.EnableHttpOnlyCookie.
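A check that the secure-cookie and HttpOnly touch files described in the two bullets above (and in Section 2.2.2) actually took effect: it derives the keywords a proxy service's authentication cookie should carry from the touch files present and the service's scheme, then compares that with captured Set-Cookie headers. This is an added example, not Novell code; the cookie name SAMPLEAUTH and the sample headers are constructed.

```python
import os

TOUCH_DIR = "/var/novell"
COOKIE_TOUCH_FILES = (".EnableSecureCookie", ".ForceSecureCookie",
                      ".EnableHttpOnlyCookie")


def present_touch_files(directory=TOUCH_DIR):
    """Return the set of cookie-related touch file names that exist on this
    Linux Access Gateway (empty when run on any other machine)."""
    return {name for name in COOKIE_TOUCH_FILES
            if os.path.isfile(os.path.join(directory, name))}


def expected_keywords(scheme, touch_files):
    """Keywords the authentication cookie should carry for a proxy service
    using 'http' or 'https', given the touch files that are present."""
    expected = set()
    if ".EnableHttpOnlyCookie" in touch_files:
        expected.add("httponly")
    if ".ForceSecureCookie" in touch_files:
        expected.add("secure")        # HTTP and HTTPS services alike
    elif ".EnableSecureCookie" in touch_files and scheme == "https":
        expected.add("secure")        # HTTPS services only
    return expected


def parse_set_cookie(header_value):
    """Return (cookie_name, attribute_keys) for one Set-Cookie header value.
    Attribute keys are lowercased, so 'Secure', 'secure' and 'HttpOnly'
    compare the way a browser treats them."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    attrs.discard("")
    return name, attrs


def missing_keywords(set_cookie_header, scheme, touch_files):
    """Return the expected keywords the header lacks (empty set means OK)."""
    _, attrs = parse_set_cookie(set_cookie_header)
    return expected_keywords(scheme, touch_files) - attrs


def audit(set_cookie_headers, scheme, touch_files):
    """Map each cookie name to the sorted keywords it is missing. Complete
    cookies are omitted, so an empty dict means the configuration took effect."""
    report = {}
    for header in set_cookie_headers:
        name, _ = parse_set_cookie(header)
        gap = missing_keywords(header, scheme, touch_files)
        if gap:
            report[name] = sorted(gap)
    return report


# Constructed sample Set-Cookie headers (hypothetical cookie name) as they
# might be captured from an HTTPS proxy service before and after the touch
# files were created and the Access Gateway restarted.
SAMPLE_BEFORE = ["SAMPLEAUTH=abc123; path=/"]
SAMPLE_AFTER = ["SAMPLEAUTH=abc123; path=/; secure; HttpOnly"]

if __name__ == "__main__":
    # Off the gateway no touch files exist, so assume both Enable files.
    touch = present_touch_files() or {".EnableSecureCookie",
                                      ".EnableHttpOnlyCookie"}
    print("touch files:", sorted(touch))
    print("before restart:", audit(SAMPLE_BEFORE, "https", touch))
    print("after restart: ", audit(SAMPLE_AFTER, "https", touch))
```

Run it on the Access Gateway itself to pick up the real touch files, and feed it Set-Cookie headers captured from both an HTTPS and an HTTP proxy service, since only .ForceSecureCookie covers the HTTP case.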

2.3.2 Identity Server

  • Fixed an issue with the Identity Server health check that caused it to fail on HTTP.

  • Fixed a security issue with the User Portal application.

2.3.3 Administration Console

  • Fixed an issue that caused all the embedded service providers in an Access Gateway cluster to restart when Update was selected. When you make a configuration change that requires the restart of all embedded service providers in a cluster, Update All becomes the only available option.

  • Fixed the Access Gateway protected resource page so that it now allows you to specify a ? character in the URL path.

2.3.4 SSL VPN

These issues were fixed in IR1.

  • Fixed an issue that caused Stunnel to stop responding when its log file size exceeded the maximum limit in a single day.

  • Fixed some issues that prevented SSL VPN access in both Kiosk as well as Enterprise mode on Windows* Vista* with the User Account Control feature enabled.

3.0 Installing the 3.0 SP3 Release

The Novell Access Manager 3.0 SP3 release contains ISO files for installing the Access Manager components and a patch file for upgrading all components from SP2.

3.1 The Patch File

The patch consists of one download file, which can be downloaded from Novell.

The following table lists the files contained in the patch file, which you can use to upgrade existing components or to install new instances:

Table 2 Access Manager 3.0 SP3 Upgrade Files

  Component                                         Purpose             Filename
  Identity Server, Administration Console, SSL VPN  Upgrade or Install  AM_303_SP3_IdentityServer.tar.gz
  Linux Access Gateway, SSL VPN                     Upgrade             AM_303_SP3_lagrpms.tar.gz
  NetWare® Access Gateway                           Upgrade             AM_303_SP3_NetWareAccessGateway_Upgrade.txt
                                                                        AM_303_SP3_NetWareAccessGateway_Upgrade.zip
  Windows* J2EE Agents                              Upgrade or Install  AM_303_SP3_ApplicationServerAgents_Windows.exe
  Linux J2EE Agents                                 Upgrade or Install  AM_303_SP3_ApplicationServerAgents_Linux.tar.gz

To upgrade to this release, you should first back up your current configuration. The Administration Console should be the first device you upgrade. You can then upgrade the various devices that you have imported into the Administration Console. We highly recommend that you upgrade all members of a cluster before moving to another type of device to upgrade. When you finish upgrading, you should perform a system backup.

For specific installation steps, installation requirements, and overview information, see the Novell Access Manager Installation Guide.

3.1.1 Upgrading the Identity Server and Administration Console

For the Identity Server and the Administration Console, copy the .tar.gz file to machine where these components are installed. For the Access Gateways, copy the files to a server that is accessible to your Access Gateway, then perform an over-the-wire upgrade. For more information about upgrading the Access Manager components, see “Upgrading Access Manager Components” in the Novell Access Manager Installation Guide.

3.1.2 Upgrading the Linux Access Gateway

The Linux Access Gateway file (AM_303_SP3_lagrpms.tar.gz) must be renamed. In the patch download, it needs to have a version-specific name, but for an upgrade, it needs the generic name. It should be renamed as follows:

AM_303_SP3_lagrpms.tar.gz renamed to lagrpms.tar.gz

3.1.3 Upgrading the J2EE Agents

For instructions on upgrading the agents, see “Upgrading the J2EE Agents” in the Novell Access Manager J2EE Agent Guide.

For a known issue when upgrading the Linux Agents, see The Health of the Linux Agent Is Not Green after Upgrading.

3.1.4 SP2 Version Numbers

To verify that all components have been upgraded to SP2:

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

  2. Examine the value of the Version field to see if it displays a version that is eligible for upgrading. All the versions in the following table can be used to upgrade to SP3. The SP3 version contains all of the fixes that were available in SP2 IR1.

    Access Manager 3.0 SP2 Version Numbers

    Component                                   SP2       SP2 IR1
    Administration Console                      3.0.2.56  3.0.2.71
    Identity Server                             3.0.2.56  3.0.2.71
    Linux Access Gateway                        3.0.2.56  3.0.2.71
    NetWare Access Gateway                      3.0.410   3.0.410
    J2EE Agents* (all versions, all platforms)  3.0.2.56  3.0.2.56
    SSL VPN                                     3.0.2     3.0.2.01

3.1.5 Verifying the Upgrade to SP3

When you start the upgrade process for the SP3 release, you need to upgrade all Access Manager components. When you have finished, use the following procedure to verify that all components have been upgraded to SP3.

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

  2. Examine the value of the Version field to see if it displays the correct version.

    Component                                  Access Manager 3.0 SP3 Version Number
    Administration Console                     3.0.3.40
    Identity Server                            3.0.3.40
    Linux Access Gateway                       3.0.3.40
    NetWare Access Gateway                     3.0.502
    J2EE Agents (all versions, all platforms)  3.0.3.40
    SSL VPN                                    3.0.3

3.2 Access Manager ISO Files

ISO images are available from the Novell Customer Center for the product and from Novell Downloads for the evaluation version.

Table 3 ISO Images for the Product Version of Access Manager 3.0 SP3

  Component                                         Purpose             Filename
  Identity Server, Administration Console, SSL VPN  Upgrade or Install  AM_303_SP3_IdentityServer.iso
  Linux Access Gateway, SSL VPN                     Install             AM_303_SP3_LinuxAccessGateway.iso
  NetWare Access Gateway                            Install             AM_303_SP3_NetWareAccessGateway.iso

Table 4 ISO Images for the Evaluation Version of Access Manager 3.0 SP3

  Component                                         Purpose             Filename
  Identity Server, Administration Console, SSL VPN  Upgrade or Install  AM_303_SP3_IdentityServer_Eval-1130.iso
  Linux Access Gateway, SSL VPN                     Install             AM_303_SP3_LinuxAccessGateway_Eval-1130.iso
  NetWare Access Gateway                            Install             AM_303_SP3_NetWareAccessGateway_Eval-1130.iso

For specific installation steps, installation requirements, and overview information, see the Novell Access Manager 3.0 SP3 Installation Guide.

3.2.1 Upgrading from the Evaluation Version to the Product Version

After purchasing the Access Manager product, upgrade your evaluation version to the product version. If you install the evaluation version of SP3, you need to buy SP3, then upgrade to the product version of SP3. The evaluation version for SP3 is build 39, which is one version less than the product version, which is build 40. This allows you to upgrade from the evaluation version to the product version.

3.3 Upgrading to the High Bandwidth SSL VPN Server

The high bandwidth SSL VPN server does not ship with the product because of export laws and restrictions. The high bandwidth version does not have the connection and performance restrictions that are part of the version that ships with the product. Your regular Novell sales channel can determine if the export law allows you to order the high bandwidth version at no extra cost.

After you have purchased (for free) the high bandwidth version, log in to the Novell Customer Center and you will see a link that allows you to download the high bandwidth version.

For installation instructions, see “Installing SSL VPN” in the Novell Access Manager Installation Guide.

4.0 New Features in SP3

The following new features were added between Access Manager 3.0 SP2 and Access Manager 3.0 SP3:

  • The Identity Server can now be configured to use a netHSM* server for the signing certificate.

  • The Identity Server now checks and reports on the health of its SSL port.

  • If you are using Novell SecretStore® on your eDirectory™ user store, the Identity Server can be configured to prompt the user for a passphrase when the secret store becomes locked. There is one minor issue with this new feature. See Form Fill and Identity Injection Silently Fail.

  • The Linux Access Gateway error pages can now be modified and localized. The modifications apply to all proxy services; it cannot be done for an individual proxy service.

    IMPORTANT: This new method is incompatible with the process for customizing error pages in previous versions of Access Manager. If you used that process, your customized error pages do not work in SP3. You need to use the new process. See “Customizing Error Pages for the Linux Access Gateway” in the Novell Access Manager Administration Guide.

  • The Linux Access Gateway reports on how it is responding to health checks received from an L4 switch. If more than 31 checks are queued without a response, the health of the Access Gateway is changed to red. For more information, see “Monitoring the Health of an Access Gateway” in the Novell Access Manager Administration Guide.

  • SSL VPN can now be accessed on Leopard* version of Intel* Macintosh* machines.

5.0 SP3 Fixes

5.1 Identity Server

  • Fixed an issue that prevented the administrator from deleting an identity provider or a service provider.

  • Fixed an issue with Liberty federation that prevented a user from federating accounts.

  • Fixed an issue with SAML 1.1 that prevented authentication after an expired certificate was replaced with a current certificate.

  • Added a properties file for the Dutch language so that the login page can be customized.

5.2 Administration Console

  • Fixed an issue with Novell Audit that caused the system to slow down or hang.

  • Fixed the issues with installing the Administration Console on a minimal SUSE® Linux Enterprise Server (SLES) installation so that the installer is warned about any missing RPMs.

5.3 General Access Gateway

  • Fixed a Form Fill policy issue that inserted an invalid value for the X509 serial number in the Credential Profile.

  • Fixed a rewriter issue where the input fields for search and replace were limited to 255 characters. The input fields now have a limit of 2047 characters.

5.4 Linux Access Gateway

  • Fixed a Form Fill problem with check boxes and radio buttons that caused the Linux Access Gateway to crash.

  • Fixed a bug with the outbound connection option on the Connect Options page for Web servers.

  • Fixed a bug so the Linux Access Gateway can now display the L4 health check status in the Administration Console.

  • Fixed issues with server persistence to the back-end Web servers.

  • Fixed a Linux Access Gateway crash that occurred while allocating scache entry in the server-side code.

  • Fixed issues with the Linux Access Gateway cache setting that caused the Linux Access Gateway to become non-responsive when a Web page accessed through Firefox* was refreshed.

  • Fixed an issue that caused the Linux Access Gateway to become non-responsive after running for about two hours.

  • Modified the DNS code to fix a Linux Access Gateway crash.

  • Fixed a Linux Access Gateway crash that randomly occurred when the user issued a /AGLogout request.

  • Fixed some issues with the Form Fill code to send the POST data to the Web server without modifying, unless some unmasking was done.

  • Fixed an issue with handling the Insert Text Into Header option in Form Fill.

  • Fixed an issue in Linux Access Gateway Form Fill to automatically submit the page if at least one of the input fields configured in the policy matches with the one on the HTML page. If no input fields match, then Form Fill skips filling the page.

  • Alphanumeric strings can now be rewritten by using the rewriter's word profile.

  • Fixed issues with search and replace strings that spanned across two non-contiguous buffer segments.

  • Fixed some issues in the COS module that caused the Linux Access Gateway to go into a non-responsive mode when more than five threads were waiting on the disk read.

  • Fixed the 403 Forbidden error that occurred because a path variable being passed to the encodeURI() function was not being rewritten.

  • The Decline button on Read Appt can now be deselected.

  • Fixed issues with sending chunk data to a Web server on POST data.

  • Fixed a Linux Access Gateway crash when creating more than 64 domain-based subservices.

  • Fixed an issue with Linux Access Gateway denying access to the double-byte folders of the Web server, when configured with a reverse proxy that has two protected resources and two different authentication contracts.

  • Fixed an issue on passing /nesp/app/heartbeat to the Web servers for non-authentication-domain hosts.

  • Fixed a server persistence issue when simple failover was enabled.

5.5 SSL VPN

  • The maximum size of a route in Enterprise mode is now increased to 2048 characters.

  • You can now assign a maximum of 32 roles with a maximum of 64 characters each to a user.

  • Fixed an issue that occurred when SSL VPN was connected through a forward proxy in the Kiosk mode.

  • SSL VPN can now be configured to connect in Kiosk mode only.

  • Fixed an SSL VPN connection failure when downloading files larger than 2 GB.

  • Fixed a random Firefox 1.5.0.4 browser crash in Kiosk mode, while running on SUSE Linux Enterprise Desktop (SLED) 10.

  • Fixed an OpenVPN connection error that caused the SSL VPN connection to terminate.

  • Fixed an issue with the OpenVPN applet, which was not uninstalling the client when the Linux Access Gateway went down.

  • Fixed some issues with the Kiosk mode processes that were not terminated after clicking the logout button, if consecutive logins and logouts were performed in the same browser window.

5.6 NetWare Access Gateway

  • Fixed an issue that prevented proxy service log files from being deleted as scheduled.

6.0 Known Issues

6.1 Setup Considerations

  • Ensure that you synchronize the correct date, time, and time zone settings between the Identity Servers and Access Gateways servers. You must synchronize your servers to within one minute of each other. Otherwise, you encounter federation and session time-out errors. It is recommended that you use NTP for time synchronization.

  • Ensure that DNS names can be resolved.

  • Enable (allow) browser pop-ups for the Administration Console (administration server).

  • Network Address Translation routers cannot be placed between Access Manager components. All Access Manager components must be on the same side of a NAT router.

6.2 Logging Known Issues

Image display problems can arise when an unprotected page references multiple protected resources. The best practice for HTML is to avoid situations where an unprotected page contains references to multiple, automatically loaded protected resources. For example, the unprotected page index.html might contain references to two GIF image files, both of which are protected resources. The browser automatically attempts to load the GIF files during the initial load of index.html. Because the requests happen at the same time, one or more of the GIFs might be denied access. To avoid this, you should add the page and index.html as a protected resource. Doing this avoids the possibility of missing GIFs.

6.3 Clustering Known Issues

6.3.1 L4 Switch

If you use an Alteon* L4 switch and do not enable the sticky bit, you must turn on Direct Access Mode, which allows a client to communicate with any real server’s load-balanced service.

6.3.2 Rebooting Cluster Members

If you reboot too many machines at the same time, some of the machines might report a configuration store error and not start. This problem resolves itself eventually, but it can take several hours.

To prevent this problem, reboot the cluster members individually, waiting until a rebooted machine has started before issuing the next reboot command. This is a known issue and will be fixed in a future release.

6.4 Administration Console Known Issues

This section discusses known issues for the Administration Console.

6.4.1 Configuration Datastore Crashes

If you are having problems keeping the Administration Console running because eDirectory and Tomcat stop working, your configuration might be triggering a known issue with eDirectory 8.8.1.

Try the following workaround:

  1. Create a link in the etc directory for the nici.cfg file.

  2. Enter the following commands:

    cd /etc
    ln -sf /etc/opt/novell/nici.cfg nici.cfg
    
  3. Restart eDirectory:

    /etc/init.d/ndsd start
    
  4. Restart Tomcat:

    /etc/init.d/novell-tomcat4 restart
    

If this does not solve the problem, contact Novell.

6.4.2 iManager Functionality

Access Manager uses a modified version of Novell iManager called the Administration Console. You cannot use standard iManager features or plug-ins with the Access Manager version of the product.

6.4.3 Running in a VMware ESX Server Environment

If you are running Access Manager in a VMware* ESX Server environment (ESX Server 3.0.2) and your Access Gateway configuration contains a path-based multi-homing reverse proxy with over 200 protected resources, you might experience an extended delay (five minutes or more) when viewing the configuration page for the proxy.

6.4.4 Using an Auditing Server Other Than the One on the Administration Console

If you set up Access Manager to use an auditing server other than the one installed on the Administration Console, devices that are imported after this configuration do not receive the IP address of the auditing server. When the device is rebooted, it tries to send auditing events to the auditing server on the Administration Console.

To work around this issue after importing new devices, configure the auditing server to use the IP address of the Administration Console, then click OK. This saves the configuration to the Administration Console. Return to the Auditing page, reset the IP address to the address of the auditing server you want to use, then apply the configuration to all the devices imported into the Administration Console (use the Update links). After the configuration has been applied to the devices, reboot the devices.

For more information on how to change the IP address of the auditing server, see “Specifying the Logging Server and Events” in the Novell Access Manager 3.0 SP2 Administration Guide.

6.4.5 Identity Injection or Form Fill for Single Sign-On

The iManager version used in the Administration Console is not compatible with Identity Injection or Form Fill for single sign-on.

6.4.6 Secondary Consoles

As long as the primary console is running, all configuration changes should be made at the primary console. If you make changes at both a primary console and a secondary console, browser caching can cause you to create an invalid configuration.

6.5 Identity Server Known Issues

The following issues apply to the Identity Server:

6.5.1 Affiliated Objects Are Missing the SecretStore Schema

When you create a user store on the Identity Server (Local > User Stores) and define it as an external Novell SecretStore (Liberty > Web Service Provider > Credential Profile) some attributes are not being created properly on the SAML affiliate object. The workaround is to access the user store configuration page (Local > User Stores), then exit. This action results in a check to verify that the schema, objects, and attributes exist, and it re-creates the affiliate object, if necessary.

The following affiliate objects must exist:

authsamlCertContainerDN (container holding trusted certificates, such as SCC Trusted Root.Security)
authsamlProviderID 
authsamlTrustedCertDN (list of trusted certificates)
authsamlValidAfter (180 seconds default)
authsamlValidBefore (180 seconds default)

If these attributes exist, the system works normally as long as the clocks of the Identity Server and the SecretStore server are synchronized. If time synchronization between the two servers is a problem, you can increase the 180-second default validity windows (authsamlValidAfter and authsamlValidBefore) as a workaround.

6.5.2 Account Lockout on a Password Expiration Servlet

When users are within the grace login limit, and a password expiration servlet is specified on a Name/Password or Secure Name/Password (form-based) authentication contract, they are redirected to the password expiration servlet to change their passwords. If the user does not update the password correctly, or escapes out of the page for any reason, the account is locked.

6.5.3 Multiple Administrators

Currently, locking has not been implemented on the pages for modifying the Identity Server. If you have multiple administrators, they must coordinate with each other so that only one administrator is modifying an Identity Server cluster at any given time.

6.5.4 Orphaned Objects in the Trust/Configuration Store

If you delete a User object in LDAP, the objects in the trust/configuration datastore related to that user can become orphaned. The system uses these objects for federated identity and user profiles. Currently, there are no known issues related to orphaned identity objects, but they might affect system performance. Orphaned user profile objects might also affect user lookup operations, and therefore you should remove them.

To avoid this, delete the user’s profile before you delete the User object, as described in the following steps:

  1. In iManager or an LDAP browser, edit the attributes of the User object that you are going to delete.

  2. Note the value of the User object’s GUID attribute (for eDirectory), objectGUID attribute (for Active Directory*), or the nsuniqueid attribute (for SunOne*).

  3. On the Access Manager trust/configuration datastore, locate any containers that use the following naming patterns:

    cn=LUP*,cn=SCC*,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell
    cn=LibertyUserProfiles*,cn=SCC*,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell

  4. Look for a child inside of these containers that is named by using the GUID noted in Step 2. There should only be one profile object for each GUID.

  5. Delete that child profile object.

  6. Repeat these steps for each User object that you want to delete.

  7. Delete the User objects.
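The manual sweep above, as an added shell example that is not part of this readme or of Access Manager: it works from an LDIF export of the profile containers and from a list of the GUIDs of User objects that still exist, and goes beyond the per-user steps by reporting every profile object whose GUID no longer belongs to a live User object. The ldapsearch commands in the comments, the bind DN and host names, and the assumption that the profile object’s cn holds the user’s GUID in the same textual form as the live-GUID list are assumptions, not details taken from the readme.

```shell
#!/bin/sh
# Added example (not from the Novell readme): report Liberty user profile
# objects in the trust/configuration store whose GUID has no live User object.
#
# Inputs (both produced by the caller; the ldapsearch lines are assumptions
# about how to export them, not commands from the readme):
#   $1  file with one live user GUID per line, for example from
#       ldapsearch -x -H ldaps://userstore:636 -D cn=admin,o=novell -W \
#           -b o=novell "(objectClass=User)" GUID
#   $2  LDIF export of the profile containers, for example from
#       ldapsearch -x -H ldaps://admin-console:636 -D cn=admin,o=novell -W \
#           -b ou=accessManagerContainer,o=novell "(objectClass=*)" dn
#
# Assumption: each profile object is cn=<GUID> directly under a cn=LUP* or
# cn=LibertyUserProfiles* container, and <GUID> is written the same way in
# both inputs. Only plain "dn:" lines are handled, not base64 "dn::" lines.
find_orphaned_profiles() {
    live="$1"; ldif="$2"
    # Keep only leaf DNs under the two container patterns the readme names;
    # the leading cn=[^,]+ excludes the containers themselves.
    grep -Ei '^dn: *cn=[^,]+,cn=(LUP|LibertyUserProfiles)[^,]*,cn=SCC[^,]*,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell$' "$ldif" \
    | sed 's/^dn: *//' \
    | while IFS= read -r dn; do
        guid=$(printf '%s\n' "$dn" | sed 's/^cn=\([^,]*\),.*/\1/')
        # A profile whose GUID is not in the live list is orphaned.
        if ! grep -qix -- "$guid" "$live"; then
            printf '%s\n' "$dn"
        fi
    done
}
```

The function only reports; review its output before passing it to a delete, for example with ldapdelete -x -H ldaps://admin-console:636 -D cn=admin,o=novell -W -f orphans.txt, so that a stale or incomplete live-GUID list cannot remove profiles of users who still exist.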

6.5.5 Auto Provision X509

There are issues with the Auto Provision X509 option. If there are already values in the LDAP attribute for X509 Subject Name mapping, and you enable Auto Provision X509 for the X509 authentication class, the LDAP attribute values are overwritten with the client certificate subject name.

6.6 General Access Gateway Known Issues

6.6.1 The Rewriter Does Not Rewrite the Location Header When the Hostname Contains Uppercase Characters

When the Location Header coming from the Web server contains a hostname with uppercase characters such as DSM2300.dsm.novell.com, the header is not rewritten.

The current solution is to make sure users do not enter URLs in uppercase and that the hostnames for all Web servers used by Access Manager are in lowercase.

This issue will be fixed in SP4.

6.6.2 Form Fill and Identity Injection Silently Fail

Login with Form Fill or Identity Injection can fail when all of the following conditions occur:

  • Your user store is configured to use Novell SecretStore.

  • The shared secrets needed for Form Fill or Identity Injection are locked because the shared secrets are used by another application that is using the enhanced security feature. For example, if the application writes a secret called ssn, and you use that same secret in a Form Fill or Identity Injection policy, that secret is locked whenever the admin changes the user’s password. Access Manager does not use the enhanced security feature when it writes shared secrets.

The new unlock feature for SecretStore can resolve this issue. See “Determining a Strategy for Unlocking the SecretStore” in the Novell Access Manager Administration Guide.

6.6.3 Reinstalling a Failed Access Gateway

If the hardware of your Access Gateway fails and the Access Gateway is not a member of a cluster, you might receive the following message when you reinstall it:

Start unsuccessful. Reason: Unable to read keystore : /opt/novell/devman/jcc/certs/esp/signing.keystore.

If you receive this message, use the following process to solve the problem:

  1. Add the failed Access Gateway to a cluster.

    Ignore the pending status of this command.

  2. Reinstall the Access Gateway with a new IP address.

  3. Add the new Access Gateway to the cluster and make it the primary cluster server.

  4. Delete the failed Access Gateway from the cluster and from the Administration Console.

  5. (Optional) If you want the Access Gateway to use the old IP address:

    1. Reinstall the Access Gateway by using the old IP address.

    2. Add it to the cluster.

    3. Make it the primary cluster server.

    4. Delete the Access Gateway that is using the new IP address from the cluster and from the Administration Console.

6.6.4 Pending Commands After an Upgrade

Occasionally during an upgrade, the response to an upgrade command is lost, even though the command succeeds. This results in a pending status for the command, and this status is never updated to success.

To clear a pending command:

  1. In the Administration Console, click Access Manager > Access Gateway.

  2. Click the Commands link.

  3. Select the pending command, then click Delete.

  4. Click Close.

6.6.5 Form Fill Character Sets (UTF-8)

Form Fill supports only the UTF-8 (UCS Transformation Format 8) and ISO 8859-1 character encodings. With any other encoding, correct translation of Form Fill data to the SSO data store cannot be guaranteed.

6.6.6 Certificate Modifications

Both the Linux Access Gateway and the NetWare Access Gateway have the following issue when you cancel certificate modifications:

If you make certificate changes on the Reverse Proxy or the Web Servers page, click the Configuration Panel link, and then cancel the changes on the Configuration page, the Reverse Proxy is configured with an invalid certificate. Return to the page and select the old certificate. As soon as you exit the page, the certificate is pushed to the device. Because you did not change the certificate, you do not need to restart the embedded service provider.

6.7 Linux Access Gateway Known Issues

This section discusses the known issues that apply to the current release of the Linux Access Gateway.

6.7.1 NSure Audit Client Causes the Linux Access Gateway to Crash

If you have configured your Access Manager system to use a Novell Sentinel or Novell Audit server for auditing, the NSure audit client sometimes disconnects from the auditing server. This usually happens when communication problems exist on the network. When this happens, the Linux Access Gateway might crash. It can also prevent the successful completion of any Linux Access Gateway configuration changes.

To solve this problem, make sure that no communication problems exist between the auditing client on the Linux Access Gateway and the auditing server. Novell is working on a fix for this issue.

6.7.2 Reimporting a Linux Access Gateway

When reimporting a Linux Access Gateway with the initial configuration option, the health status displays the health of the previous configuration. You must apply changes from the Administration Console for health status to display the new configuration. Alternatively, you can enter the /etc/init.d/novell-vmc restart command from the command line to restart the Access Gateway. This issue does not happen when you reimport the proxy with the current configuration option.

6.7.3 Importing a Linux Access Gateway Configuration

When importing a Linux Access Gateway configuration, it is possible that the imported configuration contains an Audit server IP address that is different from the Audit server IP address that has been configured in the Administration Console. Updating the Linux Access Gateway configuration does not correct this address problem. As long as the addresses differ, the Access Gateway can hang during subsequent updates or restarts because the Novell Audit Agent of the Access Gateway cannot connect to its configured Audit server.

You must force the Linux Access Gateway to change its Audit server settings.

  1. In the Administration Console, click Access Manager > Auditing.

  2. Specify a different IP address for the Secure Logging Server, then click OK.

  3. Click Auditing, specify the correct IP address for the Secure Logging Server, then click OK.

  4. Update the Linux Access Gateway.

  5. Reboot every Access Manager machine, starting with the Administration Console.

    If you have already configured the other Access Manager machines to use the correct IP address of the Secure Logging Server, rebooting the Linux Access Gateway should be sufficient.

6.7.4 Upgrading Randomly Halts the Embedded Service Provider

After upgrading, the embedded service provider sometimes halts at the end of the upgrade process. When this happens, restart the Linux Access Gateway. In the Administration Console, click Access Manager > Access Gateways, select the Access Gateway, then click Reboot.

6.7.5 Single Machine Installation Is Not Supported for this Release

This release does not support installation of the Administration Console, Identity Server, Linux Access Gateway, and SSL VPN on a single machine.

6.7.6 Linux Access Gateway Version Is Incorrectly Displayed on the Administration Console

After the installation of the Linux Access Gateway, the wrong version of the product is displayed on the Administration Console. To get the correct version of the product, select Access Gateways > <Name of Server> > Upgrade or specify the following command from a Linux Access Gateway machine:

cat /etc/issue

6.7.7 YaST Goes into a Non-Responsive Mode When a Partition Is Deleted or Created by Using YaST

YaST goes into a non-responsive mode if you click Finish after adding, deleting, or modifying a partition by using YaST. To work around this problem, click Apply, then click Quit instead of clicking Finish.

6.7.8 Hostname Cannot Be Configured As linux

During installation, if you configure the hostname as linux, the Linux Access Gateway is not imported.

6.7.9 Issues When Importing Trusted Roots from Web Servers

The Linux Access Gateway requires both the Server Certificate and the Root CA to be present in the trusted roots imported from Web servers. If the trusted root imported from the Web server displays only the server certificate, select the Do Not Verify option from the Web Server Trusted Root drop-down list when you are configuring SSL between the Proxy Service and Web servers. For more information, see “Configuring SSL between the Proxy Service and the Web Servers” in the Novell Access Manager Administration Guide.

6.7.10 Web Servers That Do Not Support TLS and Do Not Fall Back to SSLV3 Are Not Accelerated

The Linux Access Gateway uses the TLS protocol by default. However, some Web servers that do not support the TLS protocol abort the SSL handshake because they do not fall back to SSLV3.

To work around this problem, create the /var/novell/.doNotUseTLS touch file and restart the Linux Access Gateway. When this touch file exists, the Linux Access Gateway tries the SSLv3 protocol by default, instead of TLS, for its connections to Web servers. Because the touch file changes the default for the whole gateway and not only for the Web servers that lack TLS support, remove it and restart the gateway after the affected Web servers have been updated to support TLS.

6.7.11 Linux Access Gateway Does Not Accelerate Netware 6.5 Pre-SP3 Web Servers

After the SSL handshake completes, a NetWare 6.5 pre-SP3 Web server closes the connection when the Linux Access Gateway sends it the HTTP request.

6.7.12 Cookies Set by JavaScript inside the Entity Are Not Rewritten

The Linux Access Gateway rewrites the path and domain only in those cookies that are set by using the Set-Cookie header. The cookies set by JavaScript* inside the entity are not rewritten by the Linux Access Gateway.

6.7.13 Rewriter Does Not Handle [ow], [w], and [oa] Options in Search and Replace

The character rewriter profile does not support the [w], [ow], and [oa] options to search and replace plain words and strings.

6.7.14 Exclude Alias DNS with Scheme Option Does Not Work

The Exclude Alias DNS name with Scheme option does not work. For example, if you add https://www.mygroup.com, it is not excluded from the list. You must provide only the DNS name, such as www.mygroup.com.

6.7.15 Form Fill Auto-Submit Option Does Not Work with Multiple Forms on the Same Web Page

The Linux Access Gateway Form Fill fails to auto-submit HTML pages with multiple <FORM> sections. For example, if you have an HTML login page, and the page contains two <FORM> sections as follows:

  <HTML>
    <FORM name="form1"...>
      <INPUT name="username" type="text"...>
    </FORM>
    <FORM name="form2"...>
      <INPUT name="password" type="password"...>
    </FORM>
  </HTML>

Linux Access Gateway fills both the forms but does not auto-submit them. To use the auto-submit feature, there can only be one form on the page.

6.7.16 Form Fill Fails When a Policy Is Configured to Use String Constants

The Form Fill feature of Linux Access Gateway fails to fill the form when a policy is configured to use only string constants for all the input fields. However, Form Fill works when a string constant is used in combination with other input field values, such as credential profile.

6.7.17 Form Fill Auto Submit Issue

Form Fill auto-submit fails when an input field in an HTML page contains name="submit".

6.7.18 Form Fill Does Not Work if the Web Page Contains an Apostrophe

The Linux Access Gateway Form Fill does not work if the Web page contains the apostrophe character.

6.7.19 Form Fill Fails If the Web Server Does Not Send the Content Type

Form Fill does not process the page if the Web server does not send the content type. Form Fill processes the following content types:

  text/html
  text/xml
  text/css
  text/javascript
  application/javascript
  application/x-javascript

6.8 NetWare Access Gateway Known Issues

The NetWare Access Gateway embeds NetWare 6.5 SP6. The following topics are known issues for this operating system and the Access Gateway:

6.8.1 Mutual SSL

When you upgrade to Access Manager 3.0 SP1, the upgrade process disables mutual SSL between the proxy service and the Web servers.

To re-enable mutual SSL, select the SSL Mutual Certificate on the Web Servers page. Click Access Manager > Access Gateways > Edit > <Name of Reverse Proxy> > <Name of Proxy Service> > Web Servers.

6.8.2 Form Fill Data Is Not Cached

The NetWare Access Gateway does not cache Form Fill data. Therefore, if you assign a Form Fill policy to a protected resource that uses a wildcard (*) in the URL path, the NetWare Access Gateway queries the Identity Server for Form Fill data each time a user accesses any page that matches the protected resource. It is strongly recommended that you specify a specific page when you assign a Form Fill policy to a protected resource.

The NetWare Access Gateway does cache Identity Injection and Authorization policy information for the lifetime of the user’s session, so the protected resources for these policies can use wildcards in their URL paths.

6.8.3 Secondary Administration Console Command Failure

You can push commands from the secondary Administration Console, but any commands dealing with the Certificate Authority fail, unless you move the Certificate Authority to the secondary server.

6.8.4 DNS Naming

Do not begin an Access Gateway server DNS name with a number.

6.8.5 Using an SSH Client with the Secure File Transfer Protocol

In order to transfer files to and from the NetWare Access Gateway server when the SSH client that you are using for the transfer is configured with the Secure File Transfer Protocol (SFTP) enabled, you must load ncpip.nlm and enable NCP™ for the SFTP.

WARNING: Enabling NCPIP is a security risk because it opens an NCP listener on port 524 on all bound addresses. The SET commands below limit the listener to the loopback address (127.0.0.1) so that it is not reachable from the network; do not omit them.

To set up and configure NCPIP, add the following to the tune.ncf file:

load ncpip.old
SET NCP Exclude Addresses = ALL
SET NCP Include Addresses = 127.0.0.1

6.8.6 IDEATA.HAM Drivers and Serial ATA Controllers

In the BIOS you specify the modes to use for the IDEATA.HAM driver to work with a SATA controller. (Legacy, Compatible, or Enhanced mode.) You do not need to manipulate the driver or OS.

The IDESATA.HAM driver works with all AHCI controllers in pure AHCI mode, which is the recommended mode because it is the fastest. This driver is invoked instead of IDEATA.HAM only when the BIOS setting for the particular chip set is set to AHCI.

6.8.7 SSL Certificate Log Error with X.509 Authentication from the NetWare Access Gateway

If you set up an X.509 contract and use it to authenticate from the NetWare Access Gateway, you might see an error generated in the Identity Server log for certificate or SSL mutual authentication. This occurs during SSL re-negotiation between Tomcat and the Internet Explorer* browser, and is possibly an IE bug. This error does not occur with Firefox. The Access Gateway can cause the error at the Identity Server by requesting the certificate authentication from the Identity Server, but it is not the only device that can cause the error. Any device requiring or requesting certificate authentication from the Identity Server, including the Identity Server itself, can cause the error. It is cosmetic.

6.8.8 Novell Remote Manager

NetWare abends can occur when Novell Remote Manager Group Operations are used on a NetWare Access Gateway. We recommend that you do not use Novell Remote Manager on a NetWare Access Gateway.

6.9 SSL VPN Known Issues

The following sections divide the known issues into general issues that apply to both the Enterprise mode and Kiosk mode and issues that apply only to the Enterprise mode and only to the Kiosk mode:

6.9.1 General SSL VPN Issues

6.9.1.1 SSL VPN Session Running on JRE 1.4 Disconnects after Approximately 10 Hours

The SSL VPN client sessions running on JRE* 1.4 are disconnected after being in use for approximately 10 hours. To work around this problem, use JRE 1.5 or later.

6.9.1.2 SSL VPN Server Goes Down When More Than 50 Roles Are Associated to a Single Traffic Rule

The SSL VPN server might go down when you associate more than 50 roles with a single traffic rule.

6.9.1.3 SSL VPN Connection on Windows Through Forward Proxy Fails When Authentication Is Enabled

When Authentication is enabled in forward proxy, the SSL VPN connection fails on a Windows client.

6.9.1.4 Using the Command Line to Restart the SSL VPN Server

You must use the command line to restart an SSL VPN server. The Start and Stop buttons in the Administration Console are not functional for this release. To restart the SSL VPN server, specify the following commands from the command line:

/etc/init.d/novell-sslvpn stop
/etc/init.d/novell-sslvpn start

6.9.1.5 SSL VPN Statistics Displayed in the Administration Console Are Not In Order

The SSL VPN connection statistics that are displayed in the Administration Console are not in any order.

6.9.1.6 Logout Page Is Not Displayed

If the user does not have a traffic policy defined for the role, the user is denied access to the resources. However, the logout page is not displayed when the user clicks the Logout button.

6.9.1.7 SSL VPN Client Randomly Displays the Nonsecure Items Dialog Box

The SSL VPN client randomly displays the Do you want to display the nonsecure items dialog box after the connection is established. Click Yes to close the dialog box. If you do not click Yes, SSL VPN disconnects. You can also follow the steps given below to resolve the problem if you are planning to use SSL VPN for a long session.

  1. Open the Internet Explorer browser.

  2. Select Tools > Internet Options.

  3. Select the Security tab.

  4. Select Internet Zone, then click the Custom Level button.

  5. Select Enable for the Display mixed content option.

  6. Click OK.

6.9.1.8 HTTP Applications Cannot be Accessed When an SSL VPN Connection Is Made through the Forward Proxy

If a client uses an HTTP forward proxy to establish the SSL VPN session, no HTTP application can be accessed over this SSL VPN connection because the browser is configured to use the forward proxy server for HTTP requests.

6.9.1.9 Throughput of UDP traffic through the SSL VPN Encrypted Tunnel Is Low

The throughput of UDP traffic through the SSL VPN encrypted tunnel is low when compared to the TCP traffic.

6.9.2 Kiosk Mode Issues

6.9.2.1 ActiveX Download Requires Admin Privileges

If you are a non-admin user using Internet Explorer to establish an SSL VPN connection for the first time, the ActiveX* download fails. This happens because you must have admin rights to download ActiveX. This issue might also occur if you have upgraded from an older version. If you want to access SSL VPN by using Internet Explorer, you must add the forcejre=true parameter to the end of the URL. For more information, see Configuring SSL VPN to Download the Applet on Internet Explorer in the Novell Access Manager 3.0 SP 3 Administration Guide.

You can use Firefox to connect to SSL VPN in Kiosk mode.

6.9.2.2 Firefox Goes into a Non-Responsive Mode in Multiple Windows Kiosk Mode Clients

Firefox randomly goes into a non-responsive mode in multiple clients running in Windows Kiosk mode.

6.9.2.3 Logout Page Display Issue

The SSL VPN logout page is not displayed to you after you click the Logout button when you use the Internet Explorer 6.0 browser on a Windows 2000 machine to access SSL VPN in Kiosk mode. This issue does not occur when you access SSL VPN in Enterprise mode.

6.9.2.4 Issues with Citrix Server Connection through SSL VPN

When a user attempts to disconnect the Citrix* server connection established through SSL VPN, the SSL VPN connection is refreshed. The attempts to reconnect to the SSL VPN server fail because the previous connection is not disconnected or terminated.

6.9.2.5 SSL VPN Client Component Installation Fails in Internet Explorer Protected Mode

The SSL VPN client component installation fails when the Enable Protected Mode option is enabled in Internet Explorer. When the User Account Control feature of Windows Vista is enabled, the Enable Protected Mode feature of Internet Explorer is selected by default. To work around this problem, browse to Tools > Internet Options > Security and deselect the Enable Protected Mode option.

6.9.2.6 ActiveX Does Not Display the Dialog Box for a Non-Admin User

If you are a non-admin user who used SSL VPN in the Enterprise mode, and if you are trying to access SSL VPN through the Internet Explorer browser on the same machine, the dialog box prompting you to specify the administrator username and password is not displayed. The SSL VPN connection is established in the Kiosk mode. If you are a non-admin user and want to access SSL VPN by using Internet Explorer, you must add the forcejre=true parameter to the end of the URL.

For more information, see Configuring SSL VPN to Download the Applet on Internet Explorer in the Novell Access Manager 3.0 SP 3 Administration Guide.

6.9.2.7 No Kiosk Mode Support for 64-Bit Clients

If you use 64-bit machines, you can access SSL VPN only in Enterprise mode. Accessing SSL VPN in Kiosk mode is not supported.

6.9.2.8 Unable to Create SSL Listeners Because of a NICI Error

If you upgrade to the Novell Access Manager 3.0 SP2 version, then roll back to the SP1 release, SSL listeners are not created because the two releases use different NICI versions. To work around the problem, remove the NICI package from the SP1 lagrpms.tar.gz before you use it, so that the NICI version already installed is kept:

  1. Untar lagrpms.tar.gz.

  2. Remove the nici-<version>.rpm from the lagrpms directory.

  3. Re-tar the lagrpms directory as lagrpms.tar.gz.

  4. Use the new lagrpms.tar.gz for upgrading.
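The four steps above as one script, added here as an example that is not part of this readme or of the product: it unpacks the archive into a scratch directory, removes the nici-<version>.rpm, repacks the lagrpms directory under the same name, and lists the result so that you can confirm no NICI package remains before using the archive. The input and output file names are parameters; the assumption that the archive holds a top-level lagrpms/ directory follows the readme’s steps.

```shell
#!/bin/sh
# Added example (not from the Novell readme): rebuild an SP1 lagrpms.tar.gz
# without its nici-<version>.rpm so that a rollback keeps the installed NICI.
# Usage: strip_nici_rpm lagrpms.tar.gz lagrpms-nonici.tar.gz
strip_nici_rpm() {
    src="$1"; dst="$2"
    # Make the output path absolute, because we cd into the scratch directory.
    case "$dst" in /*) ;; *) dst="$(pwd)/$dst" ;; esac
    work=$(mktemp -d) || return 1
    # Step 1: untar into a scratch directory, never into the current one.
    tar -xzf "$src" -C "$work" || { rm -rf "$work"; return 1; }
    [ -d "$work/lagrpms" ] || { echo "no lagrpms/ directory in $src" >&2; rm -rf "$work"; return 1; }
    # Step 2: remove the NICI package(s). Refuse to continue if none is found,
    # because that means the wrong archive was passed in.
    found=0
    for rpm in "$work"/lagrpms/nici-*.rpm; do
        [ -e "$rpm" ] || continue
        rm -f "$rpm"; found=1
    done
    [ "$found" -eq 1 ] || { echo "no nici-*.rpm in $src" >&2; rm -rf "$work"; return 1; }
    # Step 3: re-tar with the same top-level directory name.
    ( cd "$work" && tar -czf "$dst" lagrpms ) || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    # Step 4 is the upgrade itself; list the new archive so it can be checked.
    tar -tzf "$dst"
}
```

Run the upgrade only with the archive the script produced; the listing it prints must not contain a nici- entry.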

6.9.2.9 Macintosh Client Issues

The Macintosh Tiger OS client does not support GroupWise® 7.0.

6.9.2.10 Linux Browser Issues

In Linux, you cannot access protected HTTP traffic on the Firefox browser during the first SSL VPN connection, but subsequent connections work without problems.

To work around this problem, launch Firefox through an SSL VPN-enabled shortcut as follows:

  1. Establish an SSL VPN connection in the Kiosk mode.

  2. Create a shortcut or launcher for Firefox on the desktop.

  3. Click SSLize Desktop Applications.

  4. Log out of the SSL VPN.

  5. Launch Firefox by using the SSL VPN-enabled shortcut.

    The Firefox browser launches even though there is no SSL VPN connection.

  6. Establish an SSL VPN connection in the Kiosk mode.

    New tabs and new instances of the Firefox browser now tunnel HTTP traffic.

6.9.2.11 Browser Goes into a Non-Responsive Mode After Logging Out

When you connect to SSL VPN in the Kiosk mode on a Windows Vista machine, the browser goes into a non-responsive mode after you click the Logout button.

6.9.2.12 Issues with the Intlclock Toolbar Application

The Intlclock toolbar application running on the SUSE Linux Enterprise Desktop (SLED) 10 SP1 crashes when an SSL VPN connection is established or disconnected.

6.9.2.13 Applications in the Program Menu Are Not SSLized in Linux

In Linux, applications listed in the Program Menu are not SSLized.

6.9.2.14 Domain Name Search Does Not Work in Macintosh

Domain name search does not work in the Kiosk mode in Macintosh.

6.9.2.15 Active Mode FTP is Not Supported in Kiosk Mode

In SSL VPN Kiosk mode, the active mode of FTP is not supported.

6.9.3 Enterprise Mode Issues

6.9.3.1 Enterprise Mode Clients Randomly Disconnect

The Enterprise mode connection might occasionally be disconnected after being in use for approximately five hours, if the OpenVPN component stops responding.

6.9.3.2 No Support for 64-Bit Browsers

SSL VPN does not support 64-bit browsers to establish the initial login session.

6.9.3.3 Restrictions for SSL VPN Certificate Names

SSL VPN certificate names can contain only alphanumeric characters, space, underscore (_), hyphen (-), the at symbol @, and the dot (.).

6.9.3.4 No Error Message Is Displayed on an Invalid Credential Entry on Windows 2000 Machines

On Windows 2000 machines, if a non-admin user tries to establish an SSL VPN connection in the Enterprise mode and specifies the wrong credentials for the admin user, no error messages are displayed. However, the user is denied access after trying to establish the connection.

6.9.3.5 OpenVPN Connection Failed Error

When a user reconnects to SSL VPN server, the 1701:OpenVPN Connection Failed error is displayed.

6.9.3.6 Connection Fails in SSL VPN if Root user password is not set in Macintosh

On Macintosh, the SSL VPN connection fails if you log in as the root user and no password is set for the root user. When no root password is set, log in as an admin user instead, by using that admin user’s credentials.

6.10 Certificates Known Issues

The following are known issues for certificates:

6.10.1 Browse Button for Importing a Private/Public Key Pair

In some combinations of Linux and Firefox, you might see the Browse button display incorrectly in the Import Private/Public Keypair window. This does not affect functionality.

6.10.2 Certificate Command Failure

Certificate commands are generated when you upgrade the Administration Console, and you should ensure that they have completed successfully. In the Administration Console, click Access Manager > Certificates > Command Status.

If a certificate command fails, note the store, then click Auditing > Troubleshooting > Certificates. Select the store, then click Re-push certificates to push the certificates to the store.

6.11 J2EE Agent Known Issues

6.11.1 The Health of the Linux Agent Is Not Green after Upgrading

When upgrading a Linux Agent, you get an error on the Health page for the agent that says the ESP cannot read the signing.keystore file in /opt/novell/devman/jcc/certs/esp/<id>/ directory.

To correct this problem:

  1. Remove or move the connector.keystore, signing.keystore, encryption.keystore, and truststore.keystore from the /opt/novell/devman/jcc/certs/esp/<id>/ directory.

  2. Click Access Manager > Auditing > Troubleshooting > Certificates.

  3. In the Keystore section, scroll to the agent certificates and select the Signing, Encryption, and ESP Mutual SSL certificates.

  4. In the Trust Stores section, scroll to the agent trust stores and select the ESP Trust Store.

  5. Click Re-push certificates.

  6. Click the J2EE Agents link.

  7. Select the agent.

  8. Click Actions > Service Provider > Start Service Provider.

6.11.2 Audit Log Event Problems on 64-Bit Platforms

No audit log events occur on 64-bit platforms. There is currently no workaround for the WebSphere* Agent. For the JBoss* and WebLogic* Agents, you can enable log events on 64-bit platforms by deleting the LogEvent.jar file and replacing it with the NAuditPA.jar file.

On Windows, the NAuditPA.jar file is located in the Program Files\novell\Nsure Audit directory. On Linux, the file is located in the /opt/novell/naudit/java/pa directory.

6.11.2.1 JBoss Agent

Delete the LogEvent.jar file in the server configuration lib directory (the location for the default configuration is the JBoss/server/default/lib directory). Copy the NAuditPA.jar file to this directory.

The LogEvent.jar file also needs to be deleted from the ESP directory (JBoss/server/default/deploy/nesp.ear/nesp.war/WEB-INF/lib). The NAuditPA.jar does not need to be added to this directory.

6.11.2.2 WebLogic Agent

Linux: Edit the WL_HOME/common/bin/commEnv.sh file. Change the ${AGENT_LIB}/LogEvent.jar path variable to /opt/novell/naudit/java/pa/NAuditPA.jar variable.

Delete the LogEvent.jar file from the ESP directory (nesp.ear/nesp.war/WEB-INF/lib).

Windows: Edit the WL_HOME/common/bin/commEnv.cmd file. Change the %AGENT_LIB%\LogEvent.jar path variable to Program Files\novell\audit\NAuditPA.jar variable.

Delete the LogEvent.jar file from the ESP directory (nesp.ear/nesp.war/WEB-INF/lib).
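The Linux steps for both agents in one script, added as an example that is not part of this readme or of the agents themselves. It removes LogEvent.jar from the JBoss server configuration lib directory and the ESP WEB-INF/lib directory and copies NAuditPA.jar in, and for WebLogic it rewrites the ${AGENT_LIB}/LogEvent.jar reference in commEnv.sh to the NAuditPA.jar path (keeping a backup) and removes the ESP copy of LogEvent.jar. The JBoss configuration directory, WL_HOME and the directory holding nesp.ear are parameters, and the NAuditPA.jar location defaults to the readme’s /opt/novell/naudit/java/pa/NAuditPA.jar; the Windows variant is not covered.

```shell
#!/bin/sh
# Added example (not from the Novell readme): swap LogEvent.jar for
# NAuditPA.jar on the JBoss and WebLogic agents on Linux. Override NAUDIT_JAR
# in the environment if the file lives elsewhere.
NAUDIT_JAR="${NAUDIT_JAR:-/opt/novell/naudit/java/pa/NAuditPA.jar}"

# JBoss: $1 = server configuration directory, e.g. JBoss/server/default.
# Replaces lib/LogEvent.jar with NAuditPA.jar and drops the ESP copy, which
# the readme says must not get NAuditPA.jar.
fix_jboss_agent() {
    conf="$1"
    [ -f "$NAUDIT_JAR" ] || { echo "missing $NAUDIT_JAR" >&2; return 1; }
    rm -f "$conf/lib/LogEvent.jar"
    cp "$NAUDIT_JAR" "$conf/lib/NAuditPA.jar" || return 1
    rm -f "$conf/deploy/nesp.ear/nesp.war/WEB-INF/lib/LogEvent.jar"
    # Succeed only if no LogEvent.jar is left behind.
    [ ! -e "$conf/lib/LogEvent.jar" ] && \
    [ ! -e "$conf/deploy/nesp.ear/nesp.war/WEB-INF/lib/LogEvent.jar" ]
}

# WebLogic: $1 = WL_HOME, $2 = directory that holds nesp.ear.
# Rewrites the ${AGENT_LIB}/LogEvent.jar reference in commEnv.sh to the
# NAuditPA.jar path and removes LogEvent.jar from the ESP's WEB-INF/lib.
fix_weblogic_agent() {
    wl_home="$1"; esp_dir="$2"
    env_file="$wl_home/common/bin/commEnv.sh"
    [ -f "$env_file" ] || { echo "missing $env_file" >&2; return 1; }
    cp "$env_file" "$env_file.bak" || return 1
    # Match the reference literally (escape $ and .); use | as the sed
    # delimiter because the replacement path contains slashes.
    sed 's|\${AGENT_LIB}/LogEvent\.jar|'"$NAUDIT_JAR"'|g' "$env_file.bak" > "$env_file" || return 1
    rm -f "$esp_dir/nesp.ear/nesp.war/WEB-INF/lib/LogEvent.jar"
    # Verify: the new path is present and no LogEvent.jar reference remains.
    grep -q "$NAUDIT_JAR" "$env_file" && ! grep -q 'LogEvent\.jar' "$env_file"
}
```

Both functions return non-zero if the swap did not fully apply, so they can be chained with the agent restart (for example, fix_jboss_agent /opt/jboss/server/default && restart the server); keep the commEnv.sh.bak copy until audit events are confirmed to arrive.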

7.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

8.0 Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2007-2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.

For Novell trademarks, see the Novell Trademark and Service Mark list.

All third-party trademarks are the property of their respective owners.