NovellAccessManager3.
1SP3IR2Readme1NovellNovellAccessManager3.
1SP3IR2ReadmeJuly19,2011ThisReadmedescribestheNovellAccessManager3.
1SP3IR2release.
Section1,"Documentation,"onpage1Section2,"UpgradingtoAccessManager3.
1SP3IR2,"onpage1Section3,"BugsFixedinAccessManager3.
1SP3IR2,"onpage4Section4,"KnownIssuesinAccessManager3.
1SP3IR2,"onpage6Section5,"LegalNotices,"onpage91DocumentationThefollowingsourcesprovideinformationaboutNovellAccessManager:DocumentationWebSite(http://www.
novell.
com/documentation/novellaccessmanager31/index.
html).
AccessManagerSupport(http://www.
novell.
com/support/microsites/microsite.
do).
ForTIDsandCoolSolutionsarticles,selectAccessManagerfortheProductandArticles/TipsintheAdvancedSearchoptions.
NovellAccessManagerProductSite(http://www.
novell.
com/products/accessmanager/).
2UpgradingtoAccessManager3.
1SP3IR2Section2.
1,"UpgradingthePurchasedProduct,"onpage1Section2.
2,"InstallingtheHigh-BandwidthSSLVPNServer,"onpage42.
1UpgradingthePurchasedProductAfteryouhaveobtainedAccessManager3.
1SP3IR2orapreviousreleaseofAccessManager,logintotheNovellCustomerCenter(http://www.
novell.
com/center),thenfollowthelinkthatallowsyoutodownloadthesoftware.
Thefollowingfilesareavailable:FilenameDescriptionAM_31_SP3_IR2_IdentityServer_Linux32.
tar.
gzContainstheLinuxIdentityServer,theLinuxAdministrationConsole,theESP-enabledSSLVPNServer,andtheTraditionalSSLVPNServer.
AM_31_SP3_IR2_IdentityServer_Win32.
exe2NovellAccessManager3.
1SP3IR2ReadmeForupgradeandinstallationinformation:"UpgradeInstructions"onpage2"InstallationInstructions"onpage3"VerifyingVersionNumbersBeforeUpgrading"onpage3"VerifyingVersionNumbersAfterUpgrading"onpage3ContainstheWindowsIdentityServerandWindowsAdministrationConsoleforWindowsServer2003.
AM_31_SP3_IR2_IdentityServer_Win64.
exeContainstheWindowsIdentityServerandWindowsAdministrationConsoleforWindowsServer2008.
AM_31_SP3_IR2_AccessGatewayAppliance_Linux_SLES9.
tar.
gzContainstheupgradeRPMsforthe(SUSELinuxEnterpriseServer)9versionoftheAccessGatewayApplianceandtheTraditionalSSLVPNserver.
AM_31_SP3_IR2_AccessGatewayAppliance_Linux_SLES11.
tar.
gzContainstheupgradeRPMsforthe(SUSELinuxEnterpriseServer)11versionoftheAccessGatewayApplianceandtheTraditionalSSLVPNserver.
AM_31_SP3_ConfigurationUpgrade.
zipContainsthescripttoenablethesessionstickinessoptionforexistingproxyservicesandallowtargetoptionfortheintersitetransferservice.
Thisoptionisdisabledonanupgradefrom3.
1SP2IR3to3.
1SP3IR2.
AM_31_SP3_IR2_AccessGatewayService_Win64.
exeContainstheAccessGatewayServiceforWindowsServer2008R2witha64-bitoperatingsystem.
AM_31_SP3_IR2_AccessGatewayService_Linux64.
binContainstheAccessGatewayServicefor(SUSELinuxEnterpriseServer)11witha64-bitoperatingsystem.
AM_31_SP3_IR2_ApplicationServerAgents_AIX.
binContainstheAgentsservicefortheAIXplatform.
AM_31_SP3_IR2_ApplicationServerAgents_Linux.
binContainstheAgentsservicefortheLinuxplatform.
AM_31_SP3_IR2_ApplicationServerAgents_Solaris.
binContainstheAgentsservicefortheSolarisplatform.
AM_31_SP3_IR2_ApplicationServerAgents_Windows.
exeContainstheAgentsservicefortheWindowsplatform.
FilenameDescriptionNovellAccessManager3.
1SP3IR2Readme32.
1.
1UpgradeInstructionsForinstructionsonupgradingfrom3.
1SP3,3.
1SP3IR1to3.
1SP3IR2,see"UpgradingAccessManagerComponents"intheNovellAccessManager3.
1SP3InstallationGuide.
Toverifythatyourcomponentsarerunning3.
1SP3,3.
1SP3IR1see"VerifyingVersionNumbersbeforeUpgrading"onpage3.
AnyAccessManagerversionpriorto3.
1SP2IR2shouldbefirstupgradedto3.
1SP3.
Formoreinformationonupgradingto3.
1SP3,seetheNovellAccessManager3.
1SP3InstallationGuide.
2.
1.
2InstallationInstructionsForinstallationinstructionsfortheAccessManagerAdministrationConsole,theIdentityServer,theAccessGatewayAppliance,theAccessGatewayService,andtheSSLVPNserver,seetheNovellAccessManager3.
1SP3InstallationGuide.
2.
1.
3VerifyingVersionNumbersbeforeUpgradingIfyouareupgradingfromAccessManager3.
0,allcomponentsmustbefirstupgradedtoAccessManager3.
1SP3beforeupgradingtoAccessManager3.
1SP3IR2.
1IntheAdministrationConsole,clickAccessManager>Auditing>Troubleshooting>Version.
2ExaminethevalueintheVersionfield.
Thefollowingtableindicatestheversionsthatcanbeupgradedto3.
1SP3IR2.
2.
1.
4VerifyingVersionNumbersafterUpgradingWhenyouhavefinishedupgradingyourAccessManagercomponents,verifythattheyhaveallbeenupgraded.
1IntheAdministrationConsole,clickAccessManager>Auditing>Troubleshooting>Version.
2ExaminethevalueintheVersionfieldtoverifythatthecomponenthasbeenupgradedto3.
1SP3IR2.
Component3.
1SP33.
1SP3IR1AdministrationConsole3.
1.
3.
2473.
1.
3.
273IdentityServer3.
1.
3.
2473.
1.
3.
273LinuxAccessGateway3.
1.
3.
2473.
1.
3.
273AccessGatewayServices3.
1.
3.
2473.
1.
3.
273SSLVPN3.
1.
3.
2473.
1.
3.
273Component3.
1SP3IR2AdministrationConsole3.
1.
3.
292IdentityServer3.
1.
3.
292LinuxAccessGateway3.
1.
3.
292AccessGatewayServices3.
1.
3.
2924NovellAccessManager3.
1SP3IR2Readme2.
2InstallingtheHigh-BandwidthSSLVPNServerThekeyforthehigh-bandwidthSSLVPNserverdoesnotshipwiththeproductbecauseofexportlawsandrestrictions.
Thehigh-bandwidthversiondoesnothavetheconnectionandperformancerestrictionsthatarepartoftheversionthatshipswiththeproduct.
YourregularNovellsaleschannelcandetermineiftheexportlawallowsyoutoorderthehigh-bandwidthversionatnoextracost.
Afteryouhaveobtainedauthorizationforthehigh-bandwidthversion,logintotheNovellCustomerCenter(http://www.
novell.
com/center)andfollowthelinkthatallowsyoutodownloadthehigh-bandwidthkey.
3BugsFixedinAccessManager3.
1SP3IR2Section3.
1,"IdentityServer,"onpage4Section3.
2,"LinuxAccessGatewayAppliance,"onpage5Section3.
3,"AccessGatewayService,"onpage53.
1IdentityServerFixedanissuewherethepasswordfetchmethoddoesnotgetexecutedatourSAML2.
0ServiceProviderwhileconsuminganassertionfromtheidentityproviderserverthroughtheinter-sitetransferURLFixedanissuewheretheusercouldnotsetavalueforSAML2.
0RequestedAuthnContextcomparisonexcept"Exact.
"FixedanissuewhereauthenticationfailedforWSFederationwithSharePoint2010afterapplying3.
1SP3whenthetimesfortheidentityproviderWSFedwerenotsynchronized.
Formoreinformation,see"AssertionValidityWindow.
"FixedanissuewheretheKerberosauthenticationfailedwhentherequestwasproxiedbyanidentityprovidertoanotheridentityprovider.
FixedanissuewheretheclustercookiesdidnothaveanysecureandHTTPOnlyoptions.
Theseoptionsarenotenabledbydefault,andtheweb.
xmloptionsareintroducedtoenabletheseoptions.
Formoreinformation,see"EnablingSecureorHTTPOnlyFlagsforClusterCookies.
"FixedanissuewheretheserviceprovidergeneratedtwoSAMLSSOrequests,resultingintwosessionindexesthatcausedincompletesinglelogout.
FixedanissuewhentheidentityserverinaclusterreceivedaSAML2.
0logoutrequestwheretheauthenticationwasperformedonadifferentnode.
FixedanissuewhereaSAML2.
0attributequeryresponsedidnotpopulatetheinResponseToattributeinSubjectConfirmation.
SSLVPN3.
1.
3.
292Component3.
1SP3IR2NovellAccessManager3.
1SP3IR2Readme5FixedanissuewhereSAML2.
0ignoredtheFrontChannelLogoutoptioninthelogoutinitiatedbytheAccessGatewayAppliance.
Formoreinformation,see"DefiningOptionsforLibertyorSAML2.
0"3.
2LinuxAccessGatewayApplianceFixedanissuewithRangerequestswheretheAccessGatewayAppliancesendsthesamerequesttwicetotheWebserver,resultinginrandomservercrashes.
FixedanissuewhereAccessGatewayAppliancecrasheswhentheWebserversentcontent-lengthresponseheadervaluesmallerthantheactualcontent.
FixedaloginissueintheclusterenvironmentwithAccessGatewayAppliancewhentheusernamecontaineddoublebytecharactersinit.
FixedanissuewiththeAccessGatewayAppliancewheretheusergotanerrormessage"403ForbiddenDescription:DetectedURLtampering.
"FixedamemoryleakissuethatcausedacoredumpwithAccessGatewayAppliance.
FixedanissuewiththeOpenHREloginpage.
Ifthevaluefortheformnumberwasconfiguredas0intheFormFillpolicy,theloginpagewastruncated.
FixedanissuewhererandomprocessrestartsoccurredinSP3.
FixedanissueintheauthorizationpolicywithmultipleLDAPOUevaluationfailuresafterupgradingfrom3.
1SP2to3.
1SP3.
Fixedanissuewherethe/var/novell/.
disableWSHealthtouchfilewasnotworking.
ThistouchfilehelpsavoidthedevicehealthbeingmarkedasbadbecauseofsomeunreachableWebservers.
Formoreinformation,see"disableWSHealth"Fixedanissuewheretheuser'sprivateinformationwasgettingloggedtothesoapmessageslogfileunderspecificconfigurations.
Fixeda403forbiddenissuethatresultedwhentheuserpostedlargedata(morethan56KiloBytesinsize)afterasessiontimeout.
TheAdministratorcanchangethepostdataparkingsizelimit.
Formoreinformation,see"ParkingSizeInKiloBytes"FixedanissuewherethesourceportoftheconnectiontotheWebserverwasincorrectintheics_dyn.
logfile.
FixedanissuewheretheAccessGatewayAppliancecrashedwhilebeingredirectedfromhttptohttpswhenthehostnameheaderexceeds4kbytes.
FixedacrashissuewithAccessGatewayincustomloginsequenceenvironmentwhere/nesp/app/ploginrequestreachesproxywithPOSTdata.
Fixedanissuewhere400badrequestswasobservedinthereliabilitytestsforlargefilescripts.
3.
3AccessGatewayServiceFixedanissuewheretheAccessGatewayServicerewriterremoved"%2"incorrectlyfromtheurlbeingrewritten.
6NovellAccessManager3.
1SP3IR2ReadmeFixedadelayissuewiththeAccessGatewayServicewhentheauditserverwasnotreachableornotresponding.
FixedaloginissuewiththeAccessGatewayServiceifuserswaitfor3+minattheIDPloginpageandthensubmitstheircredentials.
FixedanissuewhereAccessGatewayServicesessioncookiearchitecturewasdifferentfromAccessGatewayAppliancesessioncookiearchitecture.
FixedanissuewheretheAccessGatewayServiceperformancedropsby90%whentheauditserverisnotreachable.
4KnownIssuesinAccessManager3.
1SP3IR2Section4.
1,"StoppingthenauditServiceSubsequentlyStopsJCCandTomcatServices,"onpage6Section4.
2,"AuthenticationErrorIftheOverwriteRealUserorOverwriteTemporaryUserOptionIsEnabled,"onpage7Section4.
3,"TheSSLVPNCausesaWindowsExplorerCrashinKioskMode,"onpage7Section4.
4,"VulnerabilityIssuesinJRESecurity,"onpage7Section4.
5,"ServiceUnavailabilityCausedbyaSLES11Issue,"onpage7Section4.
6,"DNSResolutionbyUsingDNSServersPushedfromSSLVPNfailsonMacLeopard,"onpage8Section4.
7,"OnWindowsServer2008,YouCannotUninstalltheAdministrationConsole,"onpage8Section4.
8,"ErrorwhileUploadingLargeFilestoanIIS7.
xback-endWebServerthroughtheLinuxAccessGatewayAppliance,"onpage8Section4.
9,"ErrorinSecondaryIPaddressesafterPushingConfigurationUpdates,"onpage8Section4.
10,"The"includethesessiontimeoutattributeintheassertion"FeatureDoesNotWork,"onpage8Section4.
11,"IssuewithSSLVPNWhileValidatingServerCertificates,"onpage8Section4.
12,"LinuxAccessGatewayApplianceDoesNotSupportRFC5746,"onpage94.
1StoppingthenauditServiceSubsequentlyStopsJCCandTomcatServicesOccasionally,whenthenauditserviceisstoppedbyusing/etc/init.
d/novell-nauditstopcommand,otherimportantservicessuchasTomcatandJCCalsostop,whichcausesinterruptionofservices.
Toworkaroundthisissue,manuallyrestarttheTomcatandJCCservices.
Forinformation,see(http://www.
novell.
com/support/php/search.
docmd=displayKC&docType=kc&externalId=7008991&sliceId=1&docTypeID=DT_TID_1_1&dialogID=120228708&stateId=0%200%20247101813)intheTID.
NovellAccessManager3.
1SP3IR2Readme74.
2AuthenticationErrorIftheOverwriteRealUserorOverwriteTemporaryUserOptionIsEnabledIfyouhavetwocontracts,andtheOverwriteRealUseroptionisenabledforoneofthem,thefirstuserauthenticationdoesnotoverwritetheseconduserauthentication.
Itdisplaysthefollowingerrormessage:"Unabletoauthenticate.
(409-esp-7271673232708786).
"ThisissueisnotobservedwiththeLinuxAccessGateway.
Formoreinformation,see(http://www.
novell.
com/support/php/search.
docmd=displayKC&docType=kc&externalId=7008992&sliceId=1&docTypeID=DT_TID_1_1&dialogID=120228779&stateId=0%200%20247101935)intheTID.
4.
3TheSSLVPNCausesaWindowsExplorerCrashinKioskModeTheSSLVPNclientworksproperlyinEnterprisemode,butcrashesWindowsExplorerusingActiveX.
Ifyourestore/downgradetheWindowsXPclienttoWindowsXPSP3,theSSLVPNclientworksproperlyinKioskmode.
ThisissueisnotobservedwithFirefoxusingJava.
4.
4VulnerabilityIssuesinJRESecurityToworkaroundtheJREsecurityvulnerabilityissue,see(http://www.
novell.
com/support/php/search.
docmd=displayKC&docType=kc&externalId=7008129&sliceId=1&docTypeID=DT_TID_1_1&dialogID=216290409&stateId=0%200%20216288812)intheTID.
4.
5ServiceUnavailabilityCausedbyaSLES11IssueInSLES11,theoperatingsystemreturnsthe27.
0.
0.
2entrywhenthehostnameisresolved.
Thiscausesthe127.
0.
0.
2tobethedefaultaddressofthelistenerwhenthedeviceisaddedtothecluster.
Toworkaroundthisissue:1Gototheproxyservicepage.
ChangethelisteningIPaddresstotheotherclustermember,thenselectthecorrectIPaddressagain.
2ClickUpdatetosavethechanges.
3Verifythecorrectaddress,thenaddthedevicetothecluster.
IMPORTANT:DonotrefertothedeploymentscenariosinthecontextsensitivehelpavailablewiththeAccessManager3.
1.
3build.
RefertothisinformationintheIdentityServerGuide.
Formoreinformation,see(http://www.
novell.
com/support/php/search.
docmd=displayKC&docType=kc&externalId=7008978&sliceId=1&docTypeID=DT_TID_1_1&dialogID=120230000&stateId=0%200%20247107319)intheTID.
8NovellAccessManager3.
1SP3IR2Readme4.
6DNSResolutionbyUsingDNSServersPushedfromSSLVPNfailsonMacLeopardIftheIPaddressandDNSserversareconfiguredstaticallyonMACLeopardandasuccessfulSSLVPNconnectionisestablished,theDNSresolutionfailstousetheDNSserverIPaddresspushedfromtheSSLVPNserver.
4.
7OnWindowsServer2008,YouCannotUninstalltheAdministrationConsoleWhenyouinstalltheAdministrationConsoleandtheIdentityServeronaWindows2008machine,youcannotcompletelyuninstallthecomponents.
Theuninstallprogramhangsbeforeitcleansallthefilesandtheregistryentries.
Toworkaroundthisissue,see(http://www.
novell.
com/documentation/novellaccessmanager31/readme/accessmanager_readme_sp2_ir3.
html#br1og3r)intheNovellAccessManager3.
1SP2IR3aReadme.
4.
8ErrorwhileUploadingLargeFilestoanIIS7.
xback-endWebServerthroughtheLinuxAccessGatewayApplianceYoucannotuploadlargefilestoanIIS7.
xWebserverwhereSSLisenabledbetweentheLinuxAccessGatewayandIIS7server.
Themaximumuploadsizedependsonthenetworksetup.
Forinformation,see(http://www.
novell.
com/support/php/search.
docmd=displayKC&docType=kc&externalId=7008505&sliceId=1&docTypeID=DT_TID_1_1&dialogID=120156265&stateId=0%200%20246847206)intheTID.
4.
9ErrorinSecondaryIPaddressesafterPushingConfigurationUpdatesWithsecuritypatchesinstalledontheSLES11LinuxAccessGatewaymachine,thesecondaryIPaddressismissingafterpushingconfigurationupdatesfromtheAdministrationConsoletotheLinuxAccessGatewaydevice.
Toworkaroundthisissue:1Backupthefile/etc/sysconfig/network/ifcfg-eth-id-thenremoveitfromthedirectory.
2PushtheconfigurationfromtheAdministrationConsole.
4.
10The"includethesessiontimeoutattributeintheassertion"FeatureDoesNotWorkToworkaroundthisissue,keeptheSPRemotecontracttimeoutthesameastheremoteidentityprovidersessiontimeout.
4.
11IssuewithSSLVPNWhileValidatingServerCertificatesTheSSLVPNclientcannotvalidateservercertificateifthetrustchainincludesoneormoreintermediaterootcertificates.
Formoreinformation,see(http://www.
novell.
com/support/php/search.
docmd=displayKC&docType=kc&externalId=7008465&sliceId=2&docTypeID=DT_TID_1_1&dialogID=247083053&stateId=0%200%20247079487)intheTID.
NovellAccessManager3.
1SP3IR2Readme94.
12LinuxAccessGatewayApplianceDoesNotSupportRFC5746UntilaLinuxAcessGatewayversionincludingsupportforRFC5746willnotbereleased,theworkaroundistousetheLinuxAccessGatewayService,insteadoftheappliance.
Forinformation,see(http://www.
novell.
com/support/viewContent.
doexternalId=7008600&sliceId=1)intheTID.
5LegalNoticesNovell,Inc.
,makesnorepresentationsorwarrantieswithrespecttothecontentsoruseofthisdocumentation,andspecificallydisclaimsanyexpressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.
Further,Novell,Inc.
,reservestherighttorevisethispublicationandtomakechangestoitscontent,atanytime,withoutobligationtonotifyanypersonorentityofsuchrevisionsorchanges.
Further,Novell,Inc.
,makesnorepresentationsorwarrantieswithrespecttoanysoftware,andspecificallydisclaimsanyexpressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.
Further,Novell,Inc.
,reservestherighttomakechangestoanyandallpartsofNovellsoftware,atanytime,withoutanyobligationtonotifyanypersonorentityofsuchchanges.
AnyproductsortechnicalinformationprovidedunderthisAgreementmaybesubjecttoU.
S.
exportcontrolsandthetradelawsofothercountries.
Youagreetocomplywithallexportcontrolregulationsandtoobtainanyrequiredlicensesorclassificationtoexport,re-exportorimportdeliverables.
Youagreenottoexportorre-exporttoentitiesonthecurrentU.
S.
exportexclusionlistsortoanyembargoedorterroristcountriesasspecifiedintheU.
S.
exportlaws.
Youagreetonotusedeliverablesforprohibitednuclear,missile,orchemicalbiologicalweaponryenduses.
SeetheNovellInternationalTradeServicesWebpage(http://www.
novell.
com/info/exports/)formoreinformationonexportingNovellsoftware.
Novellassumesnoresponsibilityforyourfailuretoobtainanynecessaryexportapprovals.
Copyright2011Novell,Inc.
Allrightsreserved.
Nopartofthispublicationmaybereproduced,photocopied,storedonaretrievalsystem,ortransmittedwithouttheexpresswrittenconsentofthepublisher.
ForNovelltrademarks,seetheNovellTrademarkandServiceMarklist(http://www.
novell.
com/).
Allthird-partytrademarksarethepropertyoftheirrespectiveowners.
专心做抗投诉服务器的VirtVPS上线瑞士机房,看中的就是瑞士对隐私的保护,有需要欧洲抗投诉VPS的朋友不要错过了。VirtVPS这次上新的瑞士服务器采用E-2276G处理器,Windows/Linux操作系统可选。VirtVPS成立于2018年,主营荷兰、芬兰、德国、英国机房的离岸虚拟主机托管、VPS、独立服务器、游戏服务器和外汇服务器业务。VirtVPS 提供世界上最全面的安全、完全受保护和私...
看到群里网友们在讨论由于不清楚的原因,有同学的网站无法访问。他的网站是没有用HTTPS的,直接访问他的HTTP是无法访问的,通过PING测试可以看到解析地址已经比较乱,应该是所谓的DNS污染。其中有网友提到采用HTTPS加密证书试试。因为HTTP和HTTPS走的不是一个端口,之前有网友这样测试过是可以缓解这样的问题。这样通过将网站绑定设置HTTPS之后,是可以打开的,看来网站的80端口出现问题,而...
收到10gbiz发来的7月份优惠方案,中国香港、美国洛杉矶机房VPS主机4折优惠码,优惠后洛杉矶VPS月付2.36美元起,香港VPS月付2.75美元起。这是一家2020年成立的主机商,提供的产品包括独立服务器租用和VPS主机等,数据中心在美国洛杉矶、圣何塞和中国香港。商家VPS主机基于KVM架构,支持使用PayPal或者支付宝付款。洛杉矶VPS架构CPU内存硬盘带宽系统价格单核512MB10GB1...
403forbidden为你推荐
操作http在线代理怎么样设置代理,让别人看我的IP是别的地方,不是我真实的IP?开启javascript怎样手动开启Javascript360公司迁至天津天津360公司?360开户哪家好?360开户费多少?360推广怎么样?360效果怎么样?360和百度相比哪个更合适?flashfxp下载我想下载一个FlashFXP 4.0.0 Build 1510 简体中文版的软件,可是不知道下载地址,希望大家帮帮我?csamy腾讯公司电话腾讯总公司服务热线是多少可信网站可信网站 是自己去注册的还是由做网站 的人帮弄的?oa办公软件价格一套OA办公系统多少钱免费代理加盟免费加盟代销怎么回事,能具体介绍下么
域名出售 提供香港vps 最新代理服务器ip 服务器评测 香港机房 免费名片模板 12u机柜尺寸 免费博客空间 中国特价网 qq数据库下载 有益网络 国外免费全能空间 合租空间 河南移动m值兑换 四核服务器 空间购买 西安服务器托管 下载速度测试 web应用服务器 免费网络空间 更多