Novell ACCESS MANAGER 3.1 SP2 - README 2010 User Manual

Novell Access Manager 3.1 SP2 Readme
June 18, 2010
This Readme describes the Novell Access Manager 3.1 SP2 release.
Section 1, “Documentation”
Section 2, “Installing Access Manager 3.1 SP2”
Section 3, “Bugs Fixed in Access Manager 3.1 SP2”
Section 4, “Known Issues in Access Manager 3.1 SP2”
Section 5, “Legal Notices”
1 Documentation
novdocx (en) 16 April 2010
The following sources provide information about Novell Access Manager:
Documentation Web Site (http://www.novell.com/documentation/novellaccessmanager31/index.html).
Access Manager Support (http://www.novell.com/support/microsites/microsite.do). For TIDs
and Cool Solutions articles, select Access Manager for the Product and Articles / Tips in the Advanced Search options.
Novell Access Manager Product Site (http://www.novell.com/products/accessmanager/).
2 Installing Access Manager 3.1 SP2
Section 2.1, “Installing or Upgrading the Purchased Product”
Section 2.2, “Downloading the J2EE Agents”
Section 2.3, “Installing the Evaluation Version”
Section 2.4, “Installing the High-Bandwidth SSL VPN Server”
2.1 Installing or Upgrading the Purchased Product
After you have purchased Access Manager 3.1 SP2 or a previous release of Access Manager, log in to the Novell Customer Center (http://www.novell.com/center) and follow the link that allows you to download the software.
The following files are available:
Filename Description
AM_31_SP2_IdentityServer_Linux32.tar.gz
AM_31_SP2_IdentityServer_Linux32.iso
Contains the Linux Identity Server, the Linux Administration Console, the SSL VPN Server that is installed with an Embedded Service Provider, and the SSL VPN Server that must be protected by an Access Gateway.
Can be used for installation and upgrade from 3.0 SP4 to 3.1 SP2, from 3.1 to 3.1 SP2, from 3.1.1 to 3.1 SP2, and from the evaluation version to the product version.
AM_31_SP2_IdentityServer_Win32.exe
Contains the Windows Identity Server and Windows Administration Console for Windows Server 2003.
Can be used for installation and upgrade from 3.1 to 3.1 SP2, from 3.1.1 to 3.1 SP2, and from the evaluation version to the product version.
AM_31_SP2_IdentityServer_Win64.exe
Contains the Windows Identity Server and Windows Administration Console for Windows Server 2008.
Can be used only for installation.
AM_31_SP2_AccessGatewayAppliance_Linux_SLES11.iso
Contains the CD image for the SUSE Linux Enterprise Server (SLES) 11 version of the Access Gateway Appliance and the SSL VPN Server that must be configured as a protected resource of the Access Gateway.
Can be used only for installation.
AM_31_SP2_AccessGatewayAppliance_Linux_SLES11.tar.gz
Contains the upgrade RPMs for upgrading the SLES 11 evaluation version of the Access Gateway Appliance to the product version.
AM_31_SP2_AccessGatewayAppliance_Linux_SLES9.tar.gz
Contains the upgrade RPMs for the SLES 9 version of the Access Gateway Appliance and the SSL VPN Server that must be configured as a protected resource of the Access Gateway.
Can be used for upgrading from 3.0 SP4 to 3.1 SP2, from 3.1 to 3.1 SP2, from 3.1.1 to 3.1 SP2, and from the evaluation version to the product version.
AM_31_SP2_AccessGatewayService_Win64.exe
Contains the Access Gateway Service for Windows Server 2008 with a 64-bit operating system.
Can be used only for installation.
AM_31_SP2_AccessGatewayService_Linux64.bin
Contains the Access Gateway Service for SLES 11 with a 64-bit operating system.
Can be used only for installation.
For upgrade and installation information:
“Upgrade Instructions”
“Installation Instructions”
“Verifying Version Numbers Before Upgrading”
“Verifying Version Numbers After Upgrading”
2.1.1 Upgrade Instructions
For instructions on upgrading from 3.0 SP4 to 3.1 SP2, see “Upgrading from Access Manager 3.0 SP4 to Access Manager 3.1 SP2” (http://www.novell.com/documentation/novellaccessmanager31/installation/data/bgfx9yh.html) in the Novell Access Manager Installation Guide (http://www.novell.com/documentation/novellaccessmanager31/installation/data/bookinfo.html). To verify that your components have been upgraded to 3.0 SP4, see “Verifying Version Numbers Before Upgrading.”
For instructions on upgrading from 3.1 to 3.1 SP2, see “Upgrading Access Manager 3.1 to 3.1 SP2” (http://www.novell.com/documentation/novellaccessmanager31/installation/data/bk0lvlm.html) in the Novell Access Manager Installation Guide (http://www.novell.com/documentation/novellaccessmanager31/installation/data/bookinfo.html). To verify that your Access Manager components are running 3.1, see “Verifying Version Numbers Before Upgrading.”
For instructions on upgrading from 3.1 SP1 to 3.1 SP2, see “Upgrading Access Manager 3.1 to 3.1 SP2” (http://www.novell.com/documentation/novellaccessmanager31/installation/data/bn6ajpt.html) in the Novell Access Manager Installation Guide (http://www.novell.com/documentation/novellaccessmanager31/installation/data/bookinfo.html). To verify that your Access Manager components are running 3.1, see “Verifying Version Numbers Before Upgrading.”
IMPORTANT: If you have installed a previous version of the Administration Console or the Identity Server on a machine that does not have at least 1 GB (Linux) or 1.2 GB (Windows) of memory, the upgrade to SP2 fails. The installation script now checks for available memory and exits the upgrade if the machine does not have the minimum required memory.
In addition to the files available through your Novell Customer Center (http://www.novell.com/center) account, the following patch file is available from Novell Downloads (http://download.novell.com/index.jsp).
Filename Description
AM_31_SP2_LAG300_keystorePathScript.sh
Contains a keystore cleanup script that needs to be run before upgrading an Access Gateway Appliance that was first installed with version 3.0 to 3.1 SP2.
For more information about this script, see “Upgrading the SP4 Linux Access Gateways” (http://www.novell.com/documentation/novellaccessmanager31/installation/data/bgfx9yh.html#bhn7mjv) in the Novell Access Manager Installation Guide (http://www.novell.com/documentation/novellaccessmanager31/installation/data/bookinfo.html).
2.1.2 Installation Instructions
For installation instructions for the Access Manager Administration Console, the Identity Server, the Access Gateway Appliance, the Access Gateway Service, and the SSL VPN server, see the Novell Access Manager Installation Guide (http://www.novell.com/documentation/novellaccessmanager31/installation/data/bookinfo.html).
2.1.3 Verifying Version Numbers Before Upgrading
If you are upgrading from Access Manager 3.0, all components must be upgraded to at least SP4 before upgrading to Access Manager 3.1 SP2.
1 In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.
2 Examine the value of the Version field to see if it displays a 3.0 SP4 version that is eligible for upgrading to 3.1 SP2.
Component                                  3.0 SP4   3.0 SP4 IR1  3.0 SP4 IR2  3.0 SP4 IR3  3.0 SP4 IR4
Administration Console                     3.0.4.38  3.0.4.56     3.0.4.60     3.0.4.70     3.0.4.94
Identity Server                            3.0.4.38  3.0.4.56     3.0.4.60     3.04.70      3.0.4.94
Linux Access Gateway                       3.0.4.38  3.0.4.56     3.0.4.60     3.0.4.70     3.0.4.94
NetWare Access Gateway                     3.0.505   3.0.505a     3.0.505b     3.0.505g     3.0.505h
J2EE Agents (all versions, all platforms)  3.0.4.38  3.0.4.56     3.0.4.60     3.0.4.70     3.0.4.94
SSL VPN                                    3.0.4     3.0.4        3.0.4        3.0.4        3.0.4
Access Manager 3.1 and all of its interim releases are eligible for upgrading to 3.1 SP2.
1 In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.
2 Examine the value of the Version field to see if it displays a 3.1 version that is eligible for upgrading to 3.1 SP2.
Component                                  3.1        3.1 IR1    3.1 IR2
Administration Console                     3.1.0.420  3.1.0.425  3.1.0.431
Identity Server                            3.1.0.420  3.1.0.425  3.1.0.431
Linux Access Gateway                       3.1.0.420  3.1.0.425  3.1.0.431
J2EE Agents (all versions, all platforms)  3.1.0.420  3.1.0.425  3.1.0.431
SSL VPN                                    3.1.0      3.1.0      3.1.0
Access Manager 3.1 SP1 and all of its interim releases are eligible for upgrading to 3.1 SP2.
1 In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.
2 Examine the value of the Version field to see if it displays a 3.1 SP1 version that is eligible for upgrading to 3.1 SP2.
Component                                  3.1 SP1    3.1 SP1 IR1  3.1 SP1 IR2  3.1 SP1 IR3
Administration Console                     3.1.1.215  3.1.1.235    3.1.1.247    3.1.1.265
Identity Server                            3.1.1.215  3.1.1.235    3.1.1.247    3.1.1.265
Linux Access Gateway                       3.1.1.215  3.1.1.235    3.1.1.247    3.1.1.265
J2EE Agents (all versions, all platforms)  3.1.1.215  3.1.1.235    3.1.1.247    3.1.1.265
SSL VPN                                    3.1.1.215  3.1.1.235    3.1.1.235    3.1.1.265
2.1.4 Verifying Version Numbers After Upgrading
When you have finished upgrading your Access Manager components, verify that they have all been upgraded.
1 In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.
2 Examine the value of the Version field to verify that the component has been upgraded to 3.1 SP2.
Component                                     3.1 SP2
Administration Console                        3.1.2.281
Identity Server                               3.1.2.281
Access Gateway (all versions, all platforms)  3.1.2.281
J2EE Agents (all versions, all platforms)     3.1.2.281
SSL VPN                                       3.1.2.281
2.2 Downloading the J2EE Agents
The J2EE Agents are a free download and are available from Novell Downloads (http://download.novell.com/index.jsp). The following files are available:
Filename Description
AM_31_SP2_ApplicationServerAgents_Windows.exe
Contains the J2EE Agents for Windows (JBoss, WebSphere, and WebLogic) and can only be used for installation.
AM_31_SP2_ApplicationServerAgents_AIX.bin
Contains the J2EE Agents for AIX (WebSphere) and can only be used for installation.
AM_31_SP2_ApplicationServerAgents_Linux.bin
Contains the J2EE Agents for Linux (JBoss, WebSphere, and WebLogic) and can only be used for installation.
AM_31_SP2_ApplicationServerAgents_Solaris.bin
Contains the J2EE Agents for Solaris (WebLogic) and can only be used for installation.
For installation instructions, see Novell Access Manager J2EE Agent Guide (http://www.novell.com/documentation/novellaccessmanager31/j2eeagents/data/bookinfo.html).
2.3 Installing the Evaluation Version
To install an evaluation version of Access Manager 3.1 SP2, download the following files from
Novell Downloads (http://download.novell.com/index.jsp). When the evaluation version is installed,
it displays 3.1.2.280 for the version number.
Filename Description
AM_31_SP2_IdentityServer_Linux32_Eval-0331.iso
Contains the Linux Identity Server, the Linux Administration Console, the SSL VPN Server that is installed as a standalone version with an Embedded Service Provider, and the SSL VPN Server that must be protected by an Access Gateway.
AM_31_SP2_IdentityServer_Win32_Eval-0331.exe
Contains the Windows Identity Server and Windows Administration Console.
AM_31_SP2_IdentityServer_Win64_Eval-0331.exe
Contains the Windows Identity Server and Windows Administration Console.
AM_31_SP2_AccessGatewayAppliance_Eval-0331.iso
Contains the Linux Access Gateway and the SSL VPN Server that must be configured as a protected resource of the Access Gateway.
AM_31_SP2_AccessGatewayService_Linux64_Eval-0331.bin
Contains the Linux Access Gateway Service.
AM_31_SP2_AccessGatewayAppliance_Win64_Eval-0331.exe
Contains the Windows Access Gateway Service.
For installation instructions, see the Novell Access Manager Installation Guide (http://www.novell.com/documentation/novellaccessmanager31/installation/data/bookinfo.html).
2.4 Installing the High-Bandwidth SSL VPN Server
The key for the high-bandwidth SSL VPN server does not ship with the product because of export laws and restrictions. The high-bandwidth version does not have the connection and performance restrictions that are part of the version that ships with the product. Your regular Novell sales channel can determine if the export law allows you to order the high-bandwidth version at no extra cost.
After you have obtained authorization for the high-bandwidth version, log in to the Novell Customer Center (http://www.novell.com/center) and follow the link that allows you to download the high-bandwidth key.
3 Bugs Fixed in Access Manager 3.1 SP2
Section 3.1, “Administration Console”
Section 3.2, “Identity Server”
Section 3.3, “Linux Access Gateway Appliance”
Section 3.4, “SSL VPN”
3.1 Administration Console
Fixed an issue that allowed you to copy a policy before saving it, which created two policies with the same ID.
When you apply changes to the Access Gateway Appliance or the Access Gateway Service, the update command no longer remains in a pending state for 15 minutes.
Fixed an issue with an error message for the Access Gateway when configuring SSL for the Web servers. The error message disappeared before the administrator could read it and understand the problem.
Fixed an inconsistency issue with the naming conventions for the Gateway Appliance and the Gateway Service.
Fixed an issue with the uninstall program for the Linux Administration Console that left behind the /var/novell directory instead of removing it.
On a Windows Server 2008 Administration Console, administrators can now back up or restore certificates that have double-byte characters.
Added an information message to alert administrators that when they import a certificate, they should make sure to add all the CA certificates in the certificate chain.
Fixed a Tomcat restart issue when upgrading from 3.0 SP4 to 3.1 or later.
Returned the X-Forwarded-For IP condition as a valid condition for an Access Gateway Authorization policy.
Fixed an issue that caused an upgrade from 3.0 SP4 to 3.1 SP1 or later to fail.
3.2 Identity Server
Fixed an issue that displayed a blank page when an incorrect password was entered by an NMAS Windows client.
Root and intermediate revocation checks can now be performed on an X.509 contract.
Fixed a performance issue with Liberty profiles. The attribute services for Personal Profile, Employee Profile, Customized Profile, and Credential Profile all require that a Liberty User Profile object be created for each authenticated user. This object is created in the configuration data store under a Liberty User Profiles Container object.
Access Manager was creating these objects even if none of these attribute services were enabled, which caused a substantial LDAP performance degradation. Checks were added to create or read these objects only if an attribute service that required them is enabled.
Fixed an issue that prevented shared secret attributes from appearing in the list of attributes that could be added to an attribute set.
Fixed an issue with multiple LDAP replicas that prevented users from being redirected to the change password servlet.
Fixed an issue that caused the Force Authentication option of a request from a service provider to be ignored.
Fixed an issue with the Allow multiple browser session logout option that allowed the user to log in using two browsers, log out of one browser, and still remain logged in on the other browser.
Fixed an issue that caused an error to display when a user clicked a link in a Word document.
Fixed an issue that caused a null pointer exception when a user tried to log in again after closing the browser.
Fixed an issue that allowed the destination port to be incorrectly set to 0 when an Identity Server or Embedded Service Provider forwarded a request to the authoritative cluster member (the one holding the user's session). This issue was exhibited in the log files when the proxy URL contained a port of 0.
Fixed an issue that caused redirection loops when the user was idle until the soft timeout expired.
Fixed an issue with the Use Introductions feature for the Liberty protocol.
Added code to look at the policy to determine if identities should be read during authentication.
Modified the OCSP validation process so that it isn’t required to match the number of OCSP responses with the number of certificates in the request.
Fixed a cross-site scripting vulnerability in target URLs.
Fixed an issue that allowed session failover to keep expired X.509 sessions active.
Fixed an assertion issue that prevented the Identity Server from sending defined LDAP attributes in the assertion at authentication.
Fixed a federation issue that prevented an Identity Server that was acting as a SAML 2.0 identity provider from prompting the user for authentication credentials. The user no longer needs to select the authentication card before being prompted.
Fixed an issue that prevented custom login pages from displaying correctly when the contract contained two methods.
Fixed an issue that caused LDAP sessions to stay with one LDAP server when multiple servers were available.
Fixed an issue that caused upgrades to fail when an engineering build was installed prior to the official release.
Fixed an issue that caused Identity Servers to randomly lose their connections to other Identity Servers in the cluster.
Fixed an issue that corrupted the session failover table when the cluster was under heavy load.
Fixed an issue that prevented users from being redirected to the password expiration service.
Fixed an authentication issue so that the Identity Server forces a reauthentication when the IP address of the client changes.
Fixed an issue with Kerberos authentication that prevented the Identity Server from prompting for basic authentication when the users failed the Kerberos authentication check.
Added health checks for the signing, encryption, and SSL connector certificates.
Modified the display name for secret store attributes so that they are easier to identify.
Fixed an issue with non-redirected login, query strings with multiple parameters, and the basic authentication class.
Fixed an issue with logging that caused an excessive amount of information to be logged to the Access Gateway when the log level was set to Info on the Identity Server logging page.
Fixed an issue with the Linux Identity Server upgrade that prevented some RPMs from being updated to the latest version.
Fixed a SAML 2.0 issue that prevented Firefox from handling an encoded target.
Fixed a SAML 2.0 issue that prevented the Passive Authentication Only option from succeeding when the required credentials were available.
Modified the behavior of the Identity Server so that SAML 2.0 messages with a post profile can be signed.
Added the ability to select federated, transient, or unspecified as the identifier format for the SAML 2.0 service provider.
Updated to the latest version of the Microsoft Visual C++ libraries to fix a security issue.
3.3 Linux Access Gateway Appliance
Fixed an issue with the curl command that caused the Access Gateway Appliance to restart frequently with a Signal 11 error.
Fixed an issue that caused the Access Gateway Appliance login to loop when the Set Secure Cookie option was enabled.
You can now stop the rewriter from rewriting URLs with an external DNS name with the help of the /var/novell/.disableExternalDNSRewrite touch file.
Fixed an issue with a function that tried to connect to the Web server in the background, which was resulting in an Access Gateway Appliance crash.
Fixed an issue with log rotation that caused all of the Access Gateway Appliances in a cluster to go down simultaneously.
Fixed the novell-vmc service crash that occurred every time the service was manually stopped or started or every time the server operating software was restarted.
Fixed an issue that caused the browser with a POST request to redirect to the Identity Server for authentication during a soft timeout.
Fixed an issue that caused a delay of 45-60 seconds in Access Gateway Appliance and Embedded Service Provider communication and resulted in the L4 switch marking the appliance as down.
Fixed an issue that caused a Web application to fail.
Fixed an issue that caused the Access Gateway Appliance to crash when sending a POSTDATA with form fill.
Fixed a stale file content problem when WebDAV with Teaming 2.1 was accelerated behind Access Gateway Appliance.
Fixed an issue that caused the Access Gateway Appliance to crash when an HTTP common log entry was added.
Fixed an issue that caused the connections to remain in the close_wait state.
Fixed an issue that caused the Access Gateway Appliance to crash when it was freeing memory.
Fixed an Access Gateway Appliance crash caused by issues in Form Fill.
Fixed an issue that caused the idle server connections count to exceed its limit.
Fixed an issue with the pin list that resulted in the Access Gateway Appliance dumping core.
Fixed a format error in the outputtoscreen function that resulted in an Access Gateway Appliance crash.
Fixed an issue that caused the Access Gateway Appliance to dump core when a list with an entry was added twice.