Novell Access Manager 3.1 SP1 IR3a Readme

March 23, 2010

This Readme describes the Novell® Access Manager 3.1 SP1 IR3a release.

1.0 Documentation

The following sources provide information about Novell® Access Manager:

2.0 Installing the Access Manager 3.1 SP1 IR3a Patch

Your system must be upgraded to 3.1 SP1 before applying this patch release. For installation and version information for 3.1 SP1, see the Access Manager 3.1 Readme.

The patch updates the Identity Server, the Administration Console, the Linux Access Gateway, and the SSL VPN server. The patch contains all the fixes from the 3.1 SP1 IR1 and IR2 releases.

The files for the IR3a release can be downloaded from the Novell Downloads Web site. This patch contains the following files:

Table 1 Access Manager 3.1 SP1 IR3 Patch Files

Component                                                       Purpose   Filename
--------------------------------------------------------------  --------  ------------------------------------------------
Linux* Identity Server, Administration Console, SSL VPN Server  Patch     AM_31_SP1_IR3_IdentityServer_Linux.tar.gz
Windows* Identity Server and Administration Console             Patch     AM_31_SP1_IR3_IdentityServer_Windows.exe
Linux Access Gateway, SSL VPN Server                            Patch     AM_31_SP1_IR3_lagrpms.tar.gz
Linux J2EE* Agents                                              Install   AM_31_SP1_IR3_ApplicationServerAgents_Linux.bin
Windows J2EE Agents                                             Install   AM_31_SP1_IR3_ApplicationServerAgents_Windows.exe
AIX* J2EE Agents                                                Install   AM_31_SP1_IR3_ApplicationServerAgents_AIX.bin
Solaris* J2EE Agents                                            Install   AM_31_SP1_IR3_ApplicationServerAgents_Solaris.bin

For upgrade instructions, see the following:

3.0 Verifying Version Numbers

The components of Access Manager 3.1 SP1 and its interim releases have the following version numbers:

Component                                   3.1 SP1      3.1 SP1 IR1   3.1 SP1 IR2   3.1 SP1 IR3a
------------------------------------------  -----------  ------------  ------------  -------------
Administration Console                      3.1.1.215    3.1.1.235     3.1.1.247     3.1.1.265
Identity Server                             3.1.1.215    3.1.1.235     3.1.1.247     3.1.1.265
Linux Access Gateway                        3.1.1.215    3.1.1.235     3.1.1.247     3.1.1.265
J2EE Agents (all versions, all platforms)   3.1.1.215    3.1.1.235     3.1.1.247     3.1.1.265
SSL VPN                                     3.1.1.215    3.1.1.235     3.1.1.235     3.1.1.265

4.0 Known Issues in IR3a

4.1 Authentication Upgrade Issue

  • If you have configured the Identity Server to send attributes to the Access Gateway and if any of these attributes have empty values, users cannot authenticate until you have upgraded all your Identity Servers and Access Gateways to IR3 or you have disabled the sending of attributes until you have upgraded all components. For more information about this issue, see TID 7005475.

4.2 SSL VPN

  • If you are using Mozilla* tester builds such as Shiretoko (3.5.7), the automatic downloading of Java* fails. You must either select the Download Java option when prompted, or use the following URL:

    https://<SSLVPN base URL>:8443/sslvpn/login?forcejre=true
    
  • In an SSL VPN cluster, if one of the cluster nodes fails to come up after you upgrade the SSL VPN servers, stop all the services in all the cluster nodes and restart the services in all the nodes.

  • On a Mac* Leopard* client, if the user logs out of SSL VPN connection by selecting the Uninstall Enterprise mode option, then tries to log in again in Enterprise Mode, the following error might be displayed:

    AM.1019:Failed to start the Client using thin client. Please log out.
    

    To work around the issue, specify the following command to start novell-sslvpn-service manually:

    /System/Library/StartupItems/novell-sslvpn-service/novell-sslvpn-service start

  • When there is an error in an SSL VPN connection on Windows 7, an ActiveX* window is displayed. The SSL VPN tunnel is torn down only if the user closes this ActiveX window.

  • If you use Firefox* to establish an SSL VPN connection, and select the Clear Browser Private Data option while logging out, the logout fails. You must manually close the browser.

  • The SSL VPN service and the JCC service randomly go down when Tomcat is restarted. To work around this issue, manually restart the SSL VPN service and the JCC service to re-establish the connection.

  • When an SSL VPN server is installed along with the Linux Access Gateway appliance, the audit logging for SSL VPN events fails. This is because the etc/logevent.conf file is not updated with the audit server IP address and still contains the default IP address, 127.0.0.1.

    To work around this issue, enable at least one event in the Access Gateway configuration for audit logging. This enables communication between the Platform agent and the audit server and enables audit logging for SSL VPN.

4.3 Linux Access Gateway

  • In a setup where the L4 switch monitors the health of Linux Access Gateway cluster nodes, you might see that the heartbeat requests occasionally take approximately 5-12 seconds to respond. This could result in the L4 switch temporarily marking this particular Linux Access Gateway node as down.

5.0 Bugs Fixed in 3.1 SP1 IR3a

5.1 Identity Server

  • Fixed a performance issue with Liberty profiles. The attribute services for Personal Profile, Employee Profile, Customized Profile, and Credential Profile all require that a Liberty User Profile object be created for each authenticated user. This object is created in the configuration data store under a Liberty User Profiles Container object.

    Access Manager was creating these objects even if none of these attribute services were enabled, which caused a substantial LDAP performance degradation. Checks were added to create or read these objects only if an attribute service that required them is enabled.

    Credential Profile is a special case because many customers use Credential Profile to store only authentication data, and the Credential Profile stores such data only in memory. It is never persisted to LDAP. Therefore, even though the Credential Profile is enabled, the Liberty User Profile object does not need to be created. A servlet initialization parameter (name=cpAuthorityType, value=memory) was added to the web.xml file to indicate that the Credential Profile is running in memory-only mode. This tells Access Manager that Liberty User Profile objects are not needed for the Credential Profile.

  • Fixed an issue that prevented shared secret attributes from appearing in the list of attributes that could be added to an attribute set.

  • Fixed an issue with multiple LDAP replicas that prevented users from being redirected to the change password servlet.

  • Fixed an issue that caused the Force Authentication option of a request from a service provider to be ignored.

  • Fixed an issue with the Allow multiple browser session logout option that allowed the user to log in using two browsers, log out of one browser, and still remain logged in on the other browser.

  • Fixed an issue that caused an error to be displayed when a user clicked on a link in a Word document.

  • Fixed an issue that caused a null pointer exception when a user tried to log in again after closing the browser.

  • Fixed an issue that allowed the destination port to be incorrectly set to 0 when an Identity Server or ESP forwarded a request to the authoritative cluster member (the one holding the user's session). This issue was exhibited in the log files when the Proxy URL contained a port of 0.

  • Fixed an issue that caused redirection loops when the user was idle until the soft timeout expired.

  • Fixed an issue with the Use Introductions feature for the Liberty protocol.

  • Added code to look at the policy to determine if identities should be read during authentication.

  • Modified the OCSP validation process so that it isn’t required to match the number of OCSP responses with the number of certificates in the request.

  • Fixed a cross-site scripting vulnerability in target URLs.

5.2 Linux Access Gateway Appliance

  • Fixed an issue that caused the Linux Access Gateway to crash when an HTTP common log entry was added.

  • Fixed an issue that caused the Linux Access Gateway to crash when it was freeing memory.

  • Fixed an issue that caused the idle server connections count to exceed its limit.

  • Fixed the Linux Access Gateway crash when URLs with random extensions such as www.a.com/file.<random number> were being accessed.

  • Fixed an issue with the pin-list that resulted in the Linux Access Gateway dumping core during reliability testing.

  • Fixed an issue with the scache pool that was causing the Linux Access Gateway to dump core.

  • Fixed a format error in the outputtoscreen function that resulted in a Linux Access Gateway crash.

  • Fixed an issue that was causing Linux Access Gateway to dump core when a list with an entry was added twice.

  • Fixed an issue that caused the Linux Access Gateway to crash while processing a Form Fill policy.

  • Fixed an issue with the VMController that was preventing the detection of the ics_dyn process hangs.

  • Fixed typos in the /etc/init.d/bmcfkd script.

  • Fixed a Form Fill issue that prevented some features of Teaming from working properly.

  • Form Fill now processes forms with complicated JavaScript functions when data is auto-submitted. You must create the following touch file to enable this:

    .enableInPlaceSilentFillNew

  • Fixed a memory leak issue caused by connections in the close/wait state.

  • Fixed an issue that caused the Linux Access Gateway to crash when the headers returned in the wrong format.

  • Fixed an issue that caused the Linux Access Gateway to crash because of invalid TCP connections remaining on the system.

  • Fixed a rewriter issue that caused the Linux Access Gateway to crash when the response data contained a <link> HTML tag in the buffer boundary.

  • Fixed a debugger issue that resulted in adding connections automatically to the connection list.

  • Fixed an issue with the purge cache command that caused the Linux Access Gateway to go to a non-responsive mode.

  • Fixed a Form Fill issue that resulted in displaying the Select field during auto-submit.

  • Fixed an issue that caused the Linux Access Gateway to crash when changes were applied to the rewriter.

  • Fixed an issue that caused the close/wait count to go up to 600 within 37 hours.

  • Fixed an issue that caused the Linux Access Gateway to restart without creating a core dump.

  • Fixed an issue that caused the Linux Access Gateway to crash when the BuildOriginServerHTTPRequest function was executed.

  • Fixed an issue that caused the Linux Access Gateway to crash while applying changes to IR2 or earlier releases.

  • Introduced the .setsecureESP touch file, so that the JSESSIONID cookie of the Embedded Service Provider is marked as secure.

  • Fixed an issue that was causing the Linux Access Gateway to randomly crash and go into a non-responsive mode.

  • Fixed an issue that caused the Linux Access Gateway to crash when the server was restarted by the health script.

  • In a cluster setup, a logout from the authentication domain is now propagated to the non-authentication domain.
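
The .setsecureESP touch file described above marks the Embedded Service Provider's JSESSIONID cookie as secure. The following check is an added example (not Novell code) for verifying that behaviour from the gateway's HTTP response headers: it parses Set-Cookie lines and reports any JSESSIONID cookie that lacks the Secure or HttpOnly attribute. The response headers, cookie values and paths below are constructed sample data.

```python
"""Report session cookies that are set without the Secure / HttpOnly attributes.

Added example, not part of the Access Manager product. Feed it the raw header
block of an HTTPS response (for example, captured with a browser's network
panel) to confirm the ESP JSESSIONID cookie is flagged Secure.
"""
from typing import List

# Constructed sample response: one JSESSIONID set correctly, one set without flags,
# and an unrelated cookie that the check must ignore.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/app; Secure; HttpOnly\r\n"
    "Set-Cookie: JSESSIONID=DEF456; Path=/portal\r\n"
    "Set-Cookie: TRACKER=0; Path=/; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_set_cookies(raw_headers: str) -> List[dict]:
    """Return one dict per Set-Cookie header with name, value, path and lowercased attributes."""
    cookies = []
    for line in raw_headers.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        cookie = {"name": name.strip(), "value": value.strip(), "path": "/", "attrs": set()}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.strip().lower()
            cookie["attrs"].add(key)       # flag attributes such as "secure", "httponly"
            if key == "path":
                cookie["path"] = val.strip()
        cookies.append(cookie)
    return cookies


def insecure_session_cookies(raw_headers: str, name: str = "JSESSIONID") -> List[str]:
    """Return '<path>: missing <attrs>' findings for session cookies lacking Secure or HttpOnly."""
    findings = []
    for cookie in parse_set_cookies(raw_headers):
        if cookie["name"] != name:
            continue
        missing = [flag for flag in ("secure", "httponly") if flag not in cookie["attrs"]]
        if missing:
            findings.append(f"{cookie['path']}: missing {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in insecure_session_cookies(SAMPLE_HEADERS):
        print(finding)
```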

5.3 SSL VPN

  • Fixed an issue that was causing the client integrity check policy import to fail on Windows platform.

  • Fixed a Connection Manager issue that allowed the wrong role to be applied, which caused problems with SSL VPN traffic rules.

  • Fixed an issue that caused the SSL VPN server to crash when a large number of roles were assigned to a user.

  • Fixed an issue with the ESP-enabled cluster setup that caused SSL VPN client authentication to fail.

6.0 Bugs Fixed in 3.1 SP1 IR2

6.1 Administration Console

  • Fixed an issue that prevented the administrator from modifying the parent proxy service if it had 55 path-based children.

  • Fixed a certificate issue that allowed the alias in an imported private keypair from a Java keystore to contain invalid characters. If the alias contains periods, they are now replaced with underscores.

6.2 Identity Server

  • Fixed an issue that allowed session failover to keep expired X.509 sessions active.

  • Fixed an assertion issue that prevented the Identity Server from sending defined LDAP attributes in the assertion at authentication.

  • Fixed a federation issue that prevented an Identity Server that was acting as a SAML 2.0 identity provider from prompting the user for authentication credentials. The user had to select the authentication card before being prompted.

  • Fixed an issue that prevented custom login pages from displaying correctly when the contract contained two methods.

  • Fixed an issue that caused LDAP sessions to stay with one LDAP server when multiple servers were available.

  • Fixed an issue that caused upgrades to fail when an engineering build had been installed prior to the official release.

  • Fixed an issue that caused Identity Servers to randomly lose their connections to other Identity Servers in the cluster.

  • Fixed an issue that corrupted the session failover table when the cluster was under heavy load.

6.3 Linux Access Gateway Appliance

  • Fixed an issue that caused the Linux Access Gateway to restart multiple times in a day.

  • Fixed an issue that was causing the Linux Access Gateway to core dump when an idle client connection timed out.

  • Fixed an issue with the rewriter that resulted in failure to rewrite some login pages on load.

  • Fixed an issue that was causing logouts to fail.

  • Fixed performance issues in systems with more than 4 GB memory.

  • Fixed a rewriter issue that was causing the Linux Access Gateway to crash.

7.0 Bugs Fixed in 3.1 SP1 IR1

7.1 Administration Console

  • Fixed an issue that allowed an empty attribute value to be written to the configuration datastore.

  • Fixed an issue that caused the CPU of the Administration Console to reach 100%.

7.2 Identity Server

  • Fixed an issue that prevented users from being redirected to the password expiration service.

  • Fixed an authentication issue so that the Identity Server forces a reauthentication when the IP address of the client changes.

  • Fixed an issue with Kerberos* authentication that prevented the Identity Server from prompting for basic authentication when the users failed the Kerberos authentication check.

7.3 Linux Access Gateway Appliance

  • The Linux Access Gateway now supports integration with Novell Teaming 2.0.

  • Fixed an issue with tunneling that caused the download of files larger than 100 MB to fail.

  • Fixed an issue with using exclusive locks to handle VCC requests, which caused the Linux Access Gateway to core dump.

  • Fixed an issue that caused the Identity Server to return a resource error (300101010) when Internet Explorer* is called from a URL stored in a Microsoft* Word document.

  • Fixed an issue with DNS names that have a two-letter top-level domain, such as www.novell.de.

7.4 SSL VPN Server

  • Fixed a security issue with the Client Integrity Check policies.

  • You can now import and export the Client Integrity Check policies.

8.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

9.0 Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2009 - 2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

For Novell trademarks, see the Novell Trademark and Service Mark list.

All third-party trademarks are the property of their respective owners.