Access Manager 5.1 Beta Discussion

Dear community members,

In response to valuable feedback from our Beta participants, we are initiating this dedicated thread to foster constructive discussions.

Kindly utilize this platform to share your experiences, address any issues encountered, and provide valuable feedback and suggestions.

We eagerly anticipate hearing from you!

Best regards,

Access Manager Beta Management Team!

  • 0  

    Hi Anup,

    if someone missed to participate in the beta can we still use nam@opentext.com to request access?

    Best Regards

    Klaus

  • 0   in reply to   

    Yes, that's right Klaus!

  • 0

    Our PSE/DSE is going to create cases for the following. I'm copying here for fellow beta tester awareness.

    In just 1 day of testing, here are the 23 issues I’ve recorded so far:


    • Install and Upgrade Guide, Pages 44 & 45 – Prerequisites for Admin Console. Centralize all Admin Console related module/RPM requirements into the table. Most of the module requirements are in the table, but over the years people have strangely added several ABOVE the table and AFTER the table. Sloppy! People are bound to miss some this way, so be consistent: get them all into the table and remove them from the sections above and below it. Specifically, the first 3 bullets (iputils, wget, mozilla-nss-certs) need to go into the table below them, as does the "checkbox" (curiously, not a bullet) below the table that says "net-snmp" is a required module.

     

    • Install and Upgrade Guide, Pages 44 & 45 – Prerequisites for Admin Console. Remove the last table entry of "libXtst6-32bit Has dependency on iManager". Per the other "Release Notes" doc for NAM 5.1 Beta: "The iManager framework of Access Manager and its dependencies are removed." – So, this “libXtst6-32bit” module apparently is no longer actually required and should then likely be scrubbed from this table of required modules/RPMs.

     

    • Install and Upgrade Guide, Pages 44 & 45 – Prerequisites for Admin Console. The table fails to mention other required modules that the Admin Console installer itself will forcibly make SUSE install if missing: xorg-x11-libs, perl-XML-Writer and insserv-compat. These 3 should be added to the table.


    • Install and Upgrade Guide, Page 52 – Prerequisites for Identity Server. This Identity Server "Prerequisites" section lacks consistency with the same section for the Administration Console, which has a nicely formatted table of required modules/RPMs. Right now, some required Identity Server modules are listed as just "Notes"... for instance the "NOTE:" for "insserv-compat" on page 51, but then on the next page there are 6 separate bullets for other RPMs that are also required. For consistency and improved visibility, move all Identity Server required modules into a table formatted like the one supplied for the Administration Console prerequisites.

     

    • Install and Upgrade Guide, Page 55 – “Translating Identity Server Configuration Port” section. Under “Port Forwarding” there is an unformatted bullet, aka a leading hyphen ("-"), in front of the "cat" command line for “ip_forward”. It is not actually supposed to be part of the command; its presence is both confusing and unnecessary, and it is inconsistent with the other example command lines on the same page, which do not have a leading hyphen.

     

    • Install and Upgrade Guide, Pages 56 & 57 – the suggested “Redirected Script” is too dated (from 2010!), being based on SLES 10/11 SysV init script syntax. And it requires manual editing to identify the IP, plus it does not support more than 1 IP, which is commonly required on an IDP server that will be hosting X509 custom error responses. While the sample script can be made to work on SLES 12/15, it really needs to be updated to be based on modern principles on systemd based systems. I am attaching a better script (“service_redirect.sh.txt”) that I’ve created that they should instead provide as an example, which detects if SLES 10/11 and deploys the SysV/init script edition, or if SLES 12/15 is detected then it instead sets the service up using modern systemd syntax/features; it also auto-senses and supports multiple IPs with no manual input required to identify all IPs; it also includes a much more meaningful “status” option than theirs, with live iptables rules being displayed. Could really remove the SLES 10/11 detection/SysV alternatives in the code to cut the script size in half – NAM doesn’t even support anything less than SLES 12 on systemd now. Works for both Admin Console standalone servers as well as Identity Server standalone servers, to allow them to run their services on standard http/https (80/443) rather than non-standard 8080/8443.

     

    • Admin Console stand-alone installation as well as Identity Server stand-alone installation: For the installer-created logs in "/tmp/novell_access_manager" all of the logs whose names begin with "install_*" are incorrectly flagged as executable code! This of course creates a potential security vulnerability, in addition to just being plain wrong. This needs to change from mode 674 to 644, and would then be consistent with all of the other logs in the same folder that begin with "configure_*". Same issue also on the subdirectory "/tmp/novell_access_manager/backup" files on both AC and IDP.

     

    • During the Identity Server installation, two of the status lines for the items being installed do not include a carriage return afterwards, leading the next item to be installed to be improperly concatenated onto the same line.  First one is "Installing the Access Manager Server Communications: Installing JCC:” And shortly after a second one is "Installing the Identity Server:Installing NIDP SSL:" Very sloppy, and inconsistent with all other component items that are displayed as installed on this same screen that do include carriage returns. See first screenshot below.

     

    • NAM 5.1 Beta - Admin Console is running ancient eDirectory 9.2.5 (2.5 years old, Aug 2021), which, besides being several years old and having many known stability and performance bugs, also includes at least FOUR documented security vulnerabilities. The latest eDirectory, 9.2.8, isn't even all that "new" (June 2023) and should easily have been included in this NAM 5.1 beta release here in January 2024.

     

    • NAM 5.1 Beta for all NAM components, if allowed to continue in this state into a production/public release, is putting customers at extreme risk! All NAM components are installing ancient Apache Tomcat 9.0.65 (July 2022). The latest in that same Tomcat branch is 9.0.85 (January 2024), with almost two dozen releases in between. There are a large number of very serious security vulnerabilities present in the currently embedded release, not to mention missing stability and performance fixes. While this is bad for the Admin Console, it is an especially terrible risk for the INTERNET-FACING Identity Servers and Access Gateways!

     

    • NAM 5.1 Beta for all NAM components, if allowed to continue in this state into a production/public release, is putting customers at risk! All NAM components are installing Java/JDK 1.8.0-342 (July 2022). The latest in this same JDK branch is 1.8.0-382 (October 2023). While this is bad for the Admin Console, it is an especially terrible risk for the INTERNET-FACING Identity Servers and Access Gateways!

     

    • NAM 5.1 Beta for all NAM components, if allowed to continue in this state into a production/public release, is putting customers at risk! All NAM components are installing an EOL branch of OpenSSL (1.0.2). That entire branch went end of life 3 years ago, in December 2019. Need to transition this critical encryption-in-transit layer to the modern 1.1.1 LTS or really the 3.1.0/3.2.0 branches. While this is bad for the Admin Console, it is an especially terrible risk for the INTERNET-FACING Identity Servers and Access Gateways!

     

    • NAM Access Gateway OVF is still setting a low performance, legacy virtual SCSI Controller on the newly created VM guest: "LSI Logic." Instead, you need to be setting the high performance "VMware Paravirtual" as the virtual SCSI controller.

     

    • Creating new IDP Cluster (or really anywhere that any of the new UI screens exist)... context sensitive help button doesn't do anything when clicked.

     

    • When setting up User Stores on a new IDP cluster, a single "Password Reveal" button should reveal both the initially typed password as well as the confirmed password field, to ensure both fields typed correctly. Right now it only reveals the first password field. Yes, input validation checks won't allow screen to proceed if both fields don't match. You aren't protecting anyone in any meaningful way by only revealing one field rather than both of them! Don't create two Password Reveal buttons; instead relocate the existing single button already present to an appropriate location that reveals/hides both fields when toggled.

     

    • IDP server "Statistics" screen: for any entry with a "Graph" link to its right, when clicked, the legend at the bottom of that screen for the single data point has the first character of its name hidden/truncated. This was observed in the latest version of Firefox on Windows 10.

     

    • After creating IDP cluster with a "Session Limits" value left at the wizard-suggested value of 60 minutes for the “Default Timeout”, when later editing the IDP cluster, that same field now says “3600” minutes. Guessing that is supposed to be seconds, not minutes. But displaying in seconds is not useful concerning Contracts and the client session idle timeout. Showing in minutes is appropriate, but this calculation needs to be fixed to reflect “60” and the verbiage of minutes needs to remain.

     

    • Edit IDP cluster --> Configuration --> Defaults. None of the values in any of the drop-downs are sorted! We have dozens of contracts in Prod. All drop-downs should case-insensitive alphabetically sort their values!

     

    • Edit IDP cluster --> Configuration --> Properties, click the "+" symbol to choose a New Option. None of the Property Types in the long list are sorted, making a chaotic sloppy mess to visually sift through in attempting to locate the one you want. Case-insensitive alphabetic sort is required!

     

    • IDP cluster, unlike the AG cluster, lacks the ability to REVERT CHANGES if you accidentally make a change (or changes) you don't want to keep. This is frightening for administrators in large, mission critical Prod environments!

     

    • IDP cluster, unlike an AG cluster, has no visual indicators as to which area of configuration has changes queued up when an “Update” configuration is waiting to be clicked. Ideally, not only would the affected sections proposed for commit be summarized like the AG already does, but it should really do even better than that and provide a delta compare list somewhere of all the value changes (before and the proposed after).

     

    More to come when I resume testing tomorrow…
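
    For the systemd-based redirect Stefan describes (80/443 to 8080/8443, every IP auto-sensed, a "status" verb that shows the live iptables rules), here is an added example written for this thread; it is not the script attached to the post and not OpenText's sample from the Install Guide. It assumes SLES 12/15 with iptables and iproute2 installed; the install path /usr/local/sbin/service_redirect.sh and the unit name nam-redirect.service are illustrative.

```shell
#!/bin/sh
# service_redirect.sh: send 80/443 to NAM's 8080/8443 with iptables REDIRECT.
# Added example for this thread, not the script attached to the post above.
# Assumptions: SLES 12/15 with systemd, iptables and iproute2 installed; the
# install path SELF and unit path UNIT_PATH are illustrative.

TAG="nam-redirect"            # comment tag on every rule we own (no whitespace!)
HTTP_FROM=80;  HTTP_TO=8080
HTTPS_FROM=443; HTTPS_TO=8443
SELF="/usr/local/sbin/service_redirect.sh"            # assumed install path
UNIT_PATH="/etc/systemd/system/nam-redirect.service"  # assumed unit path

# Auto-sense every global-scope IPv4 address; no hand-maintained IP list.
detect_ips() {
    ip -4 -o addr show scope global | awk '{print $4}' | cut -d/ -f1
}

# Pure function: print the iptables commands for the given IPs, one per line,
# without executing anything, so the rule set can be reviewed before 'start'.
redirect_rules() {
    for ip in "$@"; do
        for pair in "$HTTP_FROM:$HTTP_TO" "$HTTPS_FROM:$HTTPS_TO"; do
            from=${pair%%:*}; to=${pair##*:}
            # packets arriving from the network
            printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -m comment --comment %s -j REDIRECT --to-ports %s\n' \
                "$ip" "$from" "$TAG" "$to"
            # packets the host sends to its own address (local health checks)
            printf 'iptables -t nat -A OUTPUT -o lo -d %s -p tcp --dport %s -m comment --comment %s -j REDIRECT --to-ports %s\n' \
                "$ip" "$from" "$TAG" "$to"
        done
    done
}

# Delete every rule carrying our tag: replay 'iptables -S' output with -A -> -D.
stop() {
    for chain in PREROUTING OUTPUT; do
        iptables -t nat -S "$chain" | grep -F -- "--comment $TAG" | sed 's/^-A /-D /' |
        while read -r rule; do
            # shellcheck disable=SC2086  # word splitting is intended here
            iptables -t nat $rule
        done
    done
}

# Idempotent: clear stale tagged rules, then apply a fresh set for current IPs.
start() {
    stop
    redirect_rules $(detect_ips) | sh -e
}

# Live view: the NAT rules actually in the kernel plus who listens on the targets.
status() {
    echo "== tagged NAT rules =="
    iptables -t nat -S | grep -F -- "--comment $TAG" || echo "(none)"
    echo "== listeners on $HTTP_TO/$HTTPS_TO =="
    ss -ltn "( sport = :$HTTP_TO or sport = :$HTTPS_TO )"
}

# systemd unit text: oneshot + RemainAfterExit so 'stop' runs on disable/shutdown.
unit_file() {
    cat <<EOF
[Unit]
Description=Redirect 80/443 to Access Manager 8080/8443
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$SELF start
ExecStop=$SELF stop

[Install]
WantedBy=multi-user.target
EOF
}

install_unit() {
    unit_file > "$UNIT_PATH"
    systemctl daemon-reload
    systemctl enable --now "$(basename "$UNIT_PATH")"
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    status)  status ;;
    show)    redirect_rules $(detect_ips) ;;   # dry run: print, don't apply
    install) install_unit ;;
    "")      ;;                                # no verb: just define functions
    *)       echo "usage: $0 {start|stop|status|show|install}" >&2; exit 2 ;;
esac
```

    Run `sh service_redirect.sh show` first to see the rules it would add for the detected addresses, then `install` to write and enable the unit, and `status` to confirm. Because the rules are REDIRECT targets, the packets are delivered locally and net.ipv4.ip_forward does not need to be enabled for this; tagging every rule with a comment is what lets `stop` remove exactly the rules it created and nothing else, which matters on a host where other NAT rules may exist.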
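
    A quick check for the executable-bit problem on the install_* logs (and the backup subdirectory) described above, as an added example for this thread rather than anything from the installer. LOGDIR defaults to the path named in the post; it reports every regular file carrying any execute bit and, on "fix", forces them to 0644 like the configure_* logs.

```shell
#!/bin/sh
# Audit and repair stray execute bits on the installer's log/backup files.
# Added example for this thread, not the installer's own code. The default
# directory is the one named in the post; override with LOGDIR=... if needed.
LOGDIR="${LOGDIR:-/tmp/novell_access_manager}"

# True if any execute bit (user, group or other) is set. The mode string from
# ls is inspected because it is portable across GNU and BSD userlands; the
# 's'/'t' positions also imply the execute bit is set.
has_exec_bit() {
    ls -ld "$1" | cut -c2-10 | grep -q '[xst]'
}

# Print every regular file under DIR (recursing into backup/ etc.) that
# carries an execute bit. Symlinks and directories are skipped. Assumes file
# names without embedded newlines.
find_exec_files() {
    find "$1" -type f | while read -r f; do
        if has_exec_bit "$f"; then printf '%s\n' "$f"; fi
    done
}

# Force each offending file to 0644 (rw-r--r--), matching the configure_* logs,
# and report what was changed, one "fixed <path>" line per file.
fix_exec_files() {
    find_exec_files "$1" | while read -r f; do
        chmod 0644 "$f" && printf 'fixed %s\n' "$f"
    done
}

case "${1:-}" in
    audit) find_exec_files "$LOGDIR" ;;
    fix)   fix_exec_files "$LOGDIR" ;;
    "")    ;;                               # no verb: just define functions
    *)     echo "usage: $0 {audit|fix}" >&2; exit 2 ;;
esac
```

    `sh nam_log_perms.sh audit` on a fresh AC or IDP install lists the offending install_* and backup files; run it again after `fix` and the output should be empty.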

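    To see where a given host actually stands against the Tomcat/JDK/OpenSSL releases argued for above, here is an added example (not OpenText code) that parses what `java -version`, `openssl version` and `catalina.sh version` print and compares the result against adjustable floors. The floors default to the figures in the post, and the Tomcat location /opt/novell/nam/idp is an assumption (the Admin Console and Access Gateway use their own Tomcat trees, so point NAM_TOMCAT_HOME at those to check them).

```shell
#!/bin/sh
# Compare the Tomcat / JDK / OpenSSL actually installed on a NAM host against
# the release floors the post argues for. Added example for this thread, not
# OpenText code. The floors and NAM_TOMCAT_HOME are assumptions; adjust them.
TOMCAT_FLOOR="${TOMCAT_FLOOR:-9.0.85}"
JAVA_FLOOR="${JAVA_FLOOR:-1.8.0_382}"
OPENSSL_FLOOR="${OPENSSL_FLOOR:-1.1.1}"
NAM_TOMCAT_HOME="${NAM_TOMCAT_HOME:-/opt/novell/nam/idp}"   # assumed IDP tree

# version_ge A B: exit 0 if A >= B. Separators '_' and '-' count as '.', and
# letter suffixes such as the 'u' in 1.0.2u are dropped before the numeric
# field-by-field comparison (missing trailing fields compare as 0).
version_ge() {
    a="$(printf '%s' "$1" | tr '_-' '..' | sed 's/[^0-9.]//g').0"
    b="$(printf '%s' "$2" | tr '_-' '..' | sed 's/[^0-9.]//g').0"
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0      # ran out of fields: equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Extract a version string from the raw tool output passed in as $1.
java_version_from()    { printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1; }
openssl_version_from() { printf '%s\n' "$1" | awk '/^OpenSSL/ { print $2; exit }'; }
tomcat_version_from()  { printf '%s\n' "$1" | sed -n 's#.*Tomcat/\([0-9][0-9.]*\).*#\1#p' | head -n 1; }

# check_floor NAME HAVE FLOOR: print one verdict line; exit 0 if ok, 1 if
# outdated, 2 if the component could not be found at all.
check_floor() {
    name=$1; have=$2; floor=$3
    if [ -z "$have" ]; then
        printf 'UNKNOWN   %-8s not found\n' "$name"; return 2
    elif version_ge "$have" "$floor"; then
        printf 'OK        %-8s %s (floor %s)\n' "$name" "$have" "$floor"
    else
        printf 'OUTDATED  %-8s %s < %s\n' "$name" "$have" "$floor"; return 1
    fi
}

# Run the real tools on this host; non-zero exit if anything is outdated or
# missing. java prints its version on stderr, hence 2>&1.
scan() {
    rc=0
    check_floor java    "$(java_version_from "$(java -version 2>&1)")"             "$JAVA_FLOOR"    || rc=1
    check_floor openssl "$(openssl_version_from "$(openssl version 2>/dev/null)")" "$OPENSSL_FLOOR" || rc=1
    if [ -x "$NAM_TOMCAT_HOME/bin/catalina.sh" ]; then
        check_floor tomcat "$(tomcat_version_from "$("$NAM_TOMCAT_HOME/bin/catalina.sh" version 2>/dev/null)")" "$TOMCAT_FLOOR" || rc=1
    else
        check_floor tomcat "" "$TOMCAT_FLOOR" || rc=1
    fi
    return $rc
}

case "${1:-}" in
    scan) scan ;;
    "")   ;;                                   # no verb: just define functions
    *)    echo "usage: $0 scan" >&2; exit 2 ;;
esac
```

    `sh nam_version_floor.sh scan` prints one verdict line per component and exits non-zero if any is below its floor, which makes it easy to drop into a post-install or post-patch check; note that a vendor-bundled JDK or OpenSSL may not be the one first on PATH, so run it with the PATH the NAM services actually use.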
  • 0   in reply to 

    Dear Stefan,

    A heartfelt thank you for your invaluable Beta feedback! Your insights and commitment to improvement are truly appreciated. We're eager to receive your next set of feedback.

    Meanwhile, I'm collaborating with our community team to establish a dedicated page for Beta feedback. I completely understand and share your concerns about the current discussion thread approach. Please bear with us as we work to address this.

    Best regards,

    Anup.

  • 0 in reply to   

    My pleasure, Anup.

  • 0

    Another 19 issues for my NAM Beta 5.1 “Day 2” testing:

    • NAM Admin Console's own login screen is missing basic security controls of multi-factor authentication for itself, leaving it as an easy target for compromise. MFA is no longer a nice to have best practice; it's a regulatory requirement for US government and government contractors (CMMC, DFARS, etc). Administrative interfaces like NAM's Admin Console provide a window into an enterprise's mission critical infrastructure: reverse proxies and identity federation (core elements of any IAM strategy, which also opens up all NAM protected systems for potential compromise as well). Since the NAM Admin Console in NAM 5.1 Beta is going through a complete revamp, I'm surprised this wasn't addressed. NAM's Admin Console should facilitate a simple, native email OTP service (for customers without AA) as well as possibly provide an option to integrate with AA. All of our other security technologies' administrative interfaces in our tech stack either provide native MFA options or integrate with our MFA platform. I'm sure NAM's WAM/IAM competitors do as well.

     

    • Admin Console --> Inconsistent naming convention for NAM server component tiles. Rename "Identity Server Clusters" to simply "Identity Servers" (plural); either do that, or rename both "Access Gateways" and "Analytics Servers" tiles to "Access Gateway Clusters" and "Analytics Server Clusters" respectively... but that seems awkward and too wordy. Just fix "Identity Server Clusters" to simply "Identity Servers".

     

    • Admin Console, on the main landing page, Access Gateways is NOT one of the tiles with a padlock that disables access to that area. However, once I register an Access Gateway and click on that tile, though the new Access Gateway node does show up, the first menu option for "New Cluster..." is grayed out, preventing any meaningful configuration to occur.

     

    • Admin Console --> click the Access Gateway tile. If you edit an AG node and navigate to any of the deeper configuration options for a node, all of the elements of the bread-crumb/hyperlink trail in the top-left corner are grayed out/broken.

     

    • Admin Console --> Identity Servers --> IDP Global Settings --> Attribute Sets. Sloppy unsorted list! We add quite a few of these in our Prod environment to support our 200+ SAML Service Providers who all seem to have unique requirements. The only sane way to present large lists or drop-downs of data is to apply case-INsensitive sorts, in this case to the Name column.

     

    • Admin Console --> Identity Servers --> IDP Global Settings --> Attribute Sets --> click on the hyperlink of any existing Attribute Set --> click the "Mapping" tab --> table is an unsorted, jumbled mess! This list is HUGE in our Prod environment. First, you need to apply a default case-INsensitive sort to the "Local Attribute" column. Second, you need to make it possible to toggle sorting by *any* of the other columns (especially Remote Attribute) simply by clicking the column heading.

     

    • Admin Console --> Identity Servers --> IDP Global Settings --> Custom Attributes --> LDAP Attribute --> List is sorted as case-sensitive. Needs to be case-INsensitive instead. Case-sensitive sorted creates an unintuitive and often times frustrating display. There is no value in segregating attributes differently if they begin with, say, an uppercase G vs a lowercase g.

     

    • Admin Console --> Identity Servers --> click the vertical ellipses (3 dots) --> Cluster Statistics --> "Free Memory" -- two problems. 1) what is the measurement? MB? GB? Percentage (%)? You don't explain! 2) Do we really need FIVE decimal points, presuming this value is meant to be a percentage? If you display any decimal point at all, just one point should be plenty. SAME PROBLEM exists on the individual Server/Node "Statistics" and "Live Statistics Monitoring" screens, when displaying "Free Memory"

     

    • Admin Console --> Identity Servers --> Edit a cluster --> Authentication --> Classes --> Sloppy unsorted list! We have dozens of Classes in Prod. Should be case-INsensitive alphabetically sorted!

     

    • Admin Console --> Identity Servers --> Edit a cluster --> Authentication --> Methods --> Sloppy unsorted list! We have dozens of Methods in Prod. Should be case-INsensitive alphabetically sorted!

     

    • Admin Console --> Identity Servers --> Edit a cluster --> Authentication --> Contracts --> Sloppy unsorted list! We have dozens of Contracts in Prod. FIRST, it should be case-INsensitive alphabetically sorted on the "Name" column. SECOND, you need to make it possible to toggle sorting by *any* of the other columns simply by clicking the column heading.

     

    • Admin Console --> Identity Servers --> Edit a cluster --> Authentication --> Classes --> would be really useful to see a column with hyperlinked values that summarize how many Methods are using each Class, and if that metric's hyperlink is clicked for any given Class row, it should display the names of those Methods. This greatly facilitates good situational awareness when you have a large environment with lots of configuration -- as well as housekeeping, to easily identify Classes that are orphaned and no longer used, ripe for deletion.

     

    • Admin Console --> Identity Servers --> Edit a cluster --> Authentication --> Methods --> would be really useful to see a column with hyperlinked values that summarize how many Contracts are using each Method, and if that metric's hyperlink is clicked for any given Method row, it should display the names of those Contracts. This greatly facilitates good situational awareness when you have a large environment with lots of configuration -- as well as housekeeping, to easily identify Methods that are orphaned and no longer used, ripe for deletion.

     

    • Admin Console --> Identity Servers --> Edit a cluster --> Authentication --> Contracts --> would be really useful to see a column with hyperlinked values that summarize how many Reverse Proxy/Proxy Services as well as SAML/OAuth federations are using each Contract, and if that metric's hyperlink is clicked for any given Contract row, it should display the names of those RP/Proxy Services and SAML/OAuth federations (grouped separately by type). This greatly facilitates good situational awareness when you have a large environment with lots of configuration -- as well as housekeeping, to easily identify Contracts that are orphaned and no longer used, ripe for deletion.

     

    • Admin Console --> Identity Servers --> Edit a cluster --> Authentication --> Contracts --> select any existing Contract --> click the edit button for Authentication Methods --> list of Methods is an unsorted mess. Needs to be case-INsensitive sort!

     

    • Admin Console --> Identity Servers --> Edit a cluster --> Authentication --> Contracts --> select any existing Contract --> click "Advanced Settings" button --> select "Options" tab --> click the "+" to add a new Option --> the list of Property Type values is a sloppy mess. Needs case-INsensitive sort!

     

    • Admin Console --> Identity Servers --> Edit a cluster --> Audit and Logging --> Audit Logging --> some of the lower tiles have options whose names exceed the side of the tile/box, overrunning into other boxes or the margins. Recommend uniformly increasing the width of all tiles/boxes to accommodate. See first attached screenshot below.

     

    • Admin Console --> Configure Email --> if you check "Enable" but then decide to click the "Cancel" button without Saving, you suddenly get a grayed-out screen with a way too faint pop-up about unsaved changes and wishing to continue, but neither that pop-up or the parent screen are clickable. Only option is to do a hard browser "Refresh" button to wake NAM Admin Console back up. This was at least observed in the latest version of Firefox on Windows 10.

     

    • Admin Console --> Mobile Access --> if you check "Enable" but then decide to click the "Cancel" button without Saving, you suddenly get a grayed-out screen with a way too faint pop-up about unsaved changes and wishing to continue, but neither that pop-up nor the parent screen is clickable. Only option is to do a hard browser "Refresh" button to wake NAM Admin Console back up. This was at least observed in the latest version of Firefox on Windows 10.

  • 0   in reply to 

    Thanks a lot Stefan for all your feedback. We are reviewing each one of them. We will get back to you shortly.

  • Suggested Answer

    0

    Community Members!

    Here is the link to the new discussions forum!  (Missing Forum) 

    Use this platform to share your experiences, address any issues encountered, and provide valuable feedback and suggestions. 

    Thank you!

    Liz Knappen

    Community Manager