Release Notes RSA Access Manager Server 6.2 SP3

July 21, 2015

Introduction

This document lists what’s new and changed in RSA Access Manager Server (Access Manager Server) 6.2 SP3. It includes additional installation information, as well as workarounds for known issues. Read this document before installing the software.

This document contains the following sections:
• What's New in This Release
• Supported Components
• Deprecated Components
• Fixed Issues and Enhancements
• Known Issues
• Support and Service

These Release Notes may be updated. The most current version can be found on RSA SecurCare Online at https://knowledge.rsasecurity.com.

What's New in This Release

This section describes the major changes introduced in this release of Access Manager Server. For detailed information about each change, see the appropriate Access Manager Server guide.

Adaptive Authentication enhancements:
• Support for SecurID as an Adaptive Authentication credential type. Access Manager Server supports SecurID as an Adaptive Authentication credential type to provide enhanced security by authenticating a user using RSA Authentication Manager.
• Ability to identify and configure different Adaptive Authentication policies for the resources and applications protected by Access Manager Server.

Runtime API enhancements:
• Calls to the authentication runtime API with “token option on” now return a user token when an administrative token is present.
• For implementations with multiple authentication types, multiple logon failures are only counted once if the cleartrust.aserver.multi_authn.increment.failed.count.once parameter in the aserver.conf configuration file is set to true.

Additional datastore support:
• Oracle 12c
• OpenDJ 2.6
• ActiveDirectory 2012 R2

Additional Application Server support:
• WebLogic Server 12cR2 (12.1.3), (64-bit)
• Apache Tomcat 8.0
• JBoss Enterprise Application Platform 6.2

July 2015 1 RSA Access Manager Server 6.2 SP3 Release Notes

Additional platform support:
• Red Hat Enterprise Linux 7, 64-bit
• IBM AIX 7.1 on Power PC, 64-bit

Supported Components

This section lists the versions of the components this release of Access Manager Server is designed to support. For installation and configuration information for these components, see the Access Manager Server Installation and Configuration Guide.

Supported Operating Environments

This release of Access Manager Server is designed to support the following operating environments:
• Microsoft Windows Server 2008 SP2, 32-bit and 64-bit
• Microsoft Windows Server 2008 R2 SP1, 64-bit
• Microsoft Windows Server 2012 R2, 64-bit
• Microsoft Windows Server 2012 Standard, 64-bit
• Red Hat Enterprise Linux 6.6, 64-bit
• Red Hat Enterprise Linux 7.0, 64-bit
• SUSE Linux Enterprise Server 10, 64-bit
• SUSE Linux Enterprise Server 11, 64-bit
• IBM AIX 6.1 PowerPC, 64-bit
• IBM AIX 7.1 PowerPC, 64-bit
• 10 on SPARC v9, 64-bit
• Oracle Solaris 11 on SPARC v9, 64-bit
• VMware vSphere 5.x

Supported Application Servers

This release of Access Manager Server is designed to support the following application server software for the Self-Service Console and Admin Console:
• Apache Tomcat 7.0 and 8.0
• IBM WebSphere Application Server 7.0 and 8.0
• JBoss Enterprise Application Platform 6.2
• Oracle WebLogic Server 11gR1 (10.3.6) and 12cR2 (12.1.3)

Note: Starting with Access Manager Server 6.2, RSA no longer provides Oracle WebLogic Application Server and supporting JDKs to existing and new customers. It is the customer's responsibility to supply these technologies as environmental prerequisites before deploying (for example, a fresh install or upgrade) Access Manager Server. Access Manager Server continues to be tested and supported on Oracle WebLogic Application Server and supporting JDKs. For specific platform information, see the Access Manager Server data sheet.

Supported Browsers

This release of Access Manager Server is designed to support the following browsers for the Self-Service Console and Admin Console:
• Mozilla Firefox
• Microsoft Internet Explorer 8, 9, 10, and 11
• Google Chrome
• Safari 6.0.5

Supported Data Store Servers

This release of Access Manager Server is designed to support the following data store software:

SQL:
• Oracle 11g R2, 11g R2 RAC, and 12c
• Sybase Adaptive Enterprise Server 15.5
• Microsoft SQL 2008, 2008 Release 2, and 2012 SP2

LDAP:
• Microsoft Active Directory (AD) on Windows Server 2008, Windows Server 2012, and Windows Server 2012 R2
• Microsoft Active Directory Lightweight Directory Services (AD LDS) on Windows Server 2008. This is in addition to existing support for AD.
• Microsoft AD in combination with AD LDS on Microsoft Windows Server 2008
• Oracle Directory Server 11.1.1.7.0
• Novell eDirectory 8.8.0
• OpenDJ 2.4.3 and 2.6

Supported Development Kit

From Access Manager Server 6.2 and later, the Java Development Kit (JDK) is not part of the standard shipment. Ensure you use either a 32-bit or 64-bit JDK on a 64-bit operating system, and a 32-bit JDK on a 32-bit operating system. To successfully use the stronger cipher suites and encryption algorithms, the Unlimited Strength Jurisdiction Policy Files must also be downloaded and installed. The JDK vendor and version determine the Jurisdiction Policy File to download.

This release of Access Manager Server is designed to support the following JDKs:
• IBM JDK 1.6 and 1.7
• Oracle JDK 1.6, 1.7, and 1.8

Supported Access Manager Agents

This release of Access Manager Server is designed to support Access Manager Agent 5.0.x.

Supported Adaptive Authentication

This release of Access Manager Server is designed to support Adaptive Authentication 7.1 P6.

Supported Authentication Manager

This release of Access Manager Server is designed to support Authentication Manager 8.1.

Deprecated Components

In this release of Access Manager Server, the following operating environments are deprecated:
• Red Hat Enterprise Linux 5.0 ES, 64-bit
• Red Hat Enterprise Linux 5.5 ES, 32-bit and 64-bit
• Red Hat Enterprise Linux 6.0 ES, 64-bit
• Red Hat Enterprise Linux 6.3.0 ES, 64-bit

Fixed Issues and Enhancements

This section lists the fixed issues and enhancements in this release of Access Manager Server, categorized as follows:
• Fixed Issues
• Enhancements
• Hot Fixes Rolled Up from Previous Releases

Fixed Issues

Issue Number Description

CTSRV-5310 Entering an invalid user ID on the Self Service Console results in an “invalid user ID” error message instead of “invalid user ID or password”.

CTSRV-6217 In the Server logs, the ‘date’ column name is missing in the normal logging mode.

CTSRV-6262 Unique User Session (UUS) has no time-to-live (TTL) for users that just close the browser.

CTSRV-6315 When the keyserver is misconfigured it is possible for the number of keys to exceed 15. This needs to log a critical event to the dispatcher log.

CTSRV-6357 The LDAP datastore restriction for new user registration needs to be removed.

CTSRV-6375 Access Manager entitlements server uses MD5 algorithm to hash LDAP entity domain names into member lists.

CTSRV-6381 SSHA256 needs to be an allowed value for password_hash_algorithm in the iPlanet LDAP configuration file.

CTSRV-6405 Manually upgrading to Access Manager Server 6.2 SP2 breaks the existing aserver.enc and eserver.enc files.

CTSRV-6434 A ClassCastException causes critical aserver failure.

CTSRV-6453 The aserver maintains a bad connection when Oracle is restarted.

Enhancements

Issue Number Description

CTSRV-5486 If attempt_multiple_authentications=true, each failed authentication attempt increments the lockout count. The lockout count should be incremented only once regardless of the number of failed authentications in the chain.

CTSRV-6097 Support required for OpenDJ 2.6.

CTSRV-6260 Calls to the authentication runtime API with “token option on” should only return a user token when an administrative token is present.

CTSRV-6319 Database support required for Oracle 12C.

CTSRV-6378 SecurID needs to be added as a credential type in Adaptive Authentication.


CTSRV-6390 Operating support required for Red Hat Enterprise Linux 7.0.

CTSRV-6395 Access Manager Agent needs the ability to pass Adaptive Authentication custom facts to Adaptive Authentication Server.

CTSRV-6397 Admin GUI support required for WebLogic Server 12cR2 (12.1.2), 64-bit.

CTSRV-6401 Support required for ActiveDirectory 2012 R2.

Hot Fixes Rolled Up from Previous Releases

Hot Fix Issue Number Description

6.2.2.01 CTSRV-6346, CTSRV-6316 Method to reset PASSWORD.FAILED_COUNT explicitly to zero.

6.2.2.02 CTSRV-6382, CTSRV-6374 The user property value, ctscSecretQuestionAnswer does not display properly in Access Manager Server 6.2 SP2.

6.2.2.03 CTSRV-6385, CTSRV-6384 Cannot disable the SSLv3 protocol.

6.2.2.04 CTSRV-6115 New administrative users in a new administrative group, with a new administrative role, cannot edit user properties.

6.2.2.05 CTSRV-6429 Access Manager jars and wars must be signed with new code signing certificate.

6.2.2.06 CTSRV-6468 Disable export grade ciphers to mitigate the impact of CVE-2015-0204.

Known Issues

This section describes known, unresolved issues in this release of Access Manager Server. Where a workaround or fix is available, it is noted or referenced in detail. For many of the workarounds in this section, you must have administrative privileges. If you do not have the required privileges, contact your administrator.

Certificate tool does not accept an underscore character.
Issue Number: CTSRV-1743
Problem: When attempting to generate a keystore file, the certool prints the error message, “Error generating PKCS#12 file”. The Certificate Tool (certool) does not accept any certificate authority common name that includes an underscore character.
Workaround: None.

Runtime API TOKEN_ERRORs contain insufficient information.
Issue Number: CTSRV-1745
Problem: If an API client program passes a broken token to the Runtime API, the API returns insufficient error details. The return values depend on the method called:
• IsUserInGroup() and getGroupsForUser() return an empty map.
• createToken(), getTokenValue(), getTokenValues(), setTokenValue(), setTokenValues(), and validateToken() throw a sirrus.runtime.TokenException.
• All other methods of sirrus.runtime.RuntimeAPI that take a user argument return the map with a single entry: { "EXCEPTION_MESSAGE", "" }. These methods are authenticate(), authorize(), getUserProperty(), and getUserProperties().
Workaround: None.

Token problems can occur when running under Linux on VMware.
Issue Number: CTSRV-2983
Problem: When running the Authorization Server under a Linux guest operating system on top of VMware, the RSA Access Manager token may not be updated as expected in response to Runtime API or Agent requests, even though the interval specified by .notouch_window has elapsed. This is due to a problem in VMware.
Workaround: For information, see this support page on the VMware web site.

Server side sorting is not supported for OpenDJ.
Issue Number: CTSRV-5436
Problem: Server side sorting is not supported for OpenDJ. This is a limitation with SDK.
Workaround: None.

FIPS mode not supported for SecurID Authentication.
Issue Number: CTSRV-5533
Problem: SecurID is not FIPS 140 compliant. For this reason, FIPS mode cannot be enabled for the Access Manager Server when SecurID authentication is configured.
Workaround: None.

Fix display of Breadcrumb Links on Admin GUI.
Issue Number: CTSRV-5931
Problem: Breadcrumb links on Admin GUI pages need to be changed as per UxD GTK standards.
Workaround: None.

In watcher list m/c Bind device option is displayed in the passcode page.
Issue Number: CTSRV-6009
Problem: Remember me checkbox is displayed on the user's watcher machine list.
Workaround: None.

uus.conf is added during upgrade to 6.2 even if Unique User Session is not configured in 6.1.
Issue Number: CTSRV-6010
Problem: As per the expected behavior for upgrade, if Unique User Session is not configured in 6.1, the related conf file (uus.conf) should not be added to the conf folder in upgraded 6.2 servers.
Workaround: None.

Special symbols appear in License agreement in the installers.
Issue Number: CTSRV-6016
Problem: When you read through the license agreement in the installers, you will find some special symbols.
Workaround: None.

Apply re-skinning to Online Help UI on the Access Manager Admin GUI.
Issue Number: CTSRV-6022
Problem: The Online Help UI of Admin GUI does not have the same look-and-feel as the re-skinned UI.
Workaround: None.

Admin GUI WAR file deployment on a JBoss server fails.
Issue Number: CTSRV-6459
Problem: As part of the Access Manager Server qualification with JBoss EAP 6.2, deployment of the Access Manager Admin GUI WAR file fails.
Workaround: Deploy the WAR file manually by exploding it into a WAR folder, as specified in the JBoss Admin Guide (https://docs.jboss.org/author/display/AS7/Admin+Guide#AdminGuide-FileSystemDeployments).

Support and Service

RSA SecurCare Online https://knowledge.rsasecurity.com

Customer Support Information www.rsa.com/support

RSA Secured Partner Solutions Directory www.rsasecured.com

Copyright © 2015 EMC Corporation. All Rights Reserved. Published in the USA.

Trademarks

RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to http://www.emc.com/legal/emc-corporation-trademarks.htm.
