Novell

This is Your Open EnterpriseTM

iChain 2.3 Support Pack 5 Interim Release 4 2.3.410

This document (5006541) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

This patch does not supersede any other patches.

patches that supersede this patch

This patch is not superseded by any other patches.

patch attributes

Security patch: No
Priority: Optional
Distribution Type: Public
http://download.novell.com/Download?buildid=c1L-wr16e1Y~

document

Revision: 8
Document ID: 5006541
Creation Date: 2007-10-04 20:11:53
Modified Date: 2008-05-14 14:10:53

abstract

iChain 2.3 Support Pack 5 Interim Release 4 version 2.3.410 This file contains updates for services contained in the iChain 2.3 product. iChain 2.3 SP1 (build 2.3.257) or later is a pre-requisite. The purpose of the patch is to provide a bundle of enhancements and fixes for issues that have surfaced since iChain 2.3 Support Pack 5a was released.

details

PREREQUISITE: Verify that iChain is patched to version 2.3.257 or later prior to installing this OTWUG (Over-The-Wire-UpGrade).

RECOMMENDATION: Test thoroughly in an environment that mirrors the production environment prior to deployment.

ic23sp5ir4.zip is a ZIP file that will extract into three files:

1. readme.html is the readme for the patch.
2. ic23sp5ir4.zip: OTWUG (Over The Wire UpGrade).
3. ic23sp5ir4.txt: OTWUG INSTALL FILE.

SPECIAL NOTES FOR THIS OTWUG:

This OTWUG will NOT upgrade an iChain 2.2 server to iChain 2.3.
Ensure that you are running iChain 2.3 SP1 (2.3.257) or later before
applying this patch.

NCPIP.NLM
For security reasons, C:/NWSERVER/NCPIP.NLM is renamed to NCPIP.OLD.
If login to the iChain server is desired copy NCPIP.OLD to NCPIP.NLM
and future OTWUGS will not keep re-naming the file. Or, load
C:/NWSERVER/NCPIP.OLD in the SYS:/SYSTEM/TUNE.NCF file.

OAC.PROPERTIES
When you install this support pack, any OLAC custom plug-ins will be
overwritten. To avoid this issue, back up your oac.properties file
before installing this support pack, then copy the file back over
once the support pack is successfully installed. If you have not
modified the file previously, skip this step.

APPSTART.NCF
Make note of any customized load lines in appstart.ncf prior to
applying the patch. Do NOT include "load logevent" and "load lcache"
if they appear in your current file.

MESSAGES.CFG will be updated.

TELNET will be disabled by default for security reasons.
If TELNET is used for administrative purposes you will need to
re-enable it after applying this patch. Import the TELNETON
configuration file from the ADMIN GUI under the
System | Import/Export tab.


Installing ic23sp5ir4.zip:

1) Verify the iChain server is at version 2.3.257 or later before installing
this Support Pack.
2) Back-up all configuration files and third-party certificates.
a. If the iChain server has a cloned drive (multiple drives), a clone
update should be preformed prior to the upgrade, or
b. Export the CURRENT.NAS, TUNE.NCF, APPSTART.NCF, MESSAGES.CFG (if
customized), any third-party certificates, and any other customized
login pages or files to floppy for backup purposes. Remove the floppy.
Also see the "Using the Enhanced Configuration Export" section of the
online iChain Administration Guide for advanced export options.
3) Copy ic23sp5ir4.zip & ic23sp5ir4.txt to a directory on a Web
Server that can be accessed by the iChain appliance and a workstation that
will run the iChain Appliance Configuration GUI.
4) Temporarily disable all accelerators or block public traffic.
5) If "Allow administration from specified clients" has been configured, add
the IP address of the iChain server to the list.
6) Modify the URL line in the ic23sp5ir4.txt file so that it contains the
appropriate path/URL to the ic23sp5ir4.zip file. Example: If the zip
file was placed at the default/root directory of a Web Server with the IP
address 10.10.10.1 then change url=http://**location**/ic23sp5ir4.zip
to url=http://10.10.10.1/ic23sp5ir4.zip.
7) In the Appliance Configuration GUI under System | Upgrade | Install from
URL, put in the matching URL to the .txt file. Using the example above:
http://10.10.10.1/ic23sp5ir4.txt. NOTE: Point to the .txt installation
file, not the .zip file.
8) Check the "Enable download" and "Enable install" boxes.
9) Specify times to begin the download and install.
10) Click on "Apply". Allow 10 to 15 minutes (and several re-boots) to
complete the process.

FIXES:

Fixes since ic23sp5ir3.exe (2.3.408):

1. Removed "simulated EOF" in GZIP, IP address check fixes.
2. Updated LDAP sdk nlms
3. set-cookie on 'rename cookie'
4. Fix Console stats (double 400 error)
5. Nessus scan crashes the Proxy.
6. Chunking cleanup



Fixes since ic23sp5ir2.exe (2.3.405):

1. ACLCHECK returns: "URL, too long http://URL".
2. Memory corruption causing break and drop into debugger.
3. No error message if adding two similar profiles (LDAP) to an accelerator.
4. ABEND in DNS code with iChain 2.3 Sp5a applied.
5. HTML rewriting is not working when the profile contains URL and string for rewriting.
6. Misc. ABEND.
7. Version 2.3.406b (July 2, 2007) Proxy ABEND: Server process or CPU hog abend when accessed by AM SSLVPN 183 and 186 build.
8. "Forward authentication header" is in wrong format for double-byte usernames.
9. Usernames with extended char's on ACL "Exception List" not working, user granted access but should not be.
10. SAML Broken in 2.3 Sp5 IR1.
11. Fixed: Can bypass intrusion detection/prevention systems that scan HTTP traffic.
12. iChain 2.3.345 system crash when user modifies twiki content using "preview" feature.
13. iChain does not calculate a new content-length header after decompressing gzipped GIF files.
14. Problems with Flash applications and Plone.
15. SSO to Citrix Metaframe server without using an NFuse server does not work with iChain 2.3 SP5 IR1 anymore.
16. [JPN]Management Console menu shows as "?????".



Fixes since ic23sp5ir1.exe (2.3.403):

1. iChain 2.3.404 rewrites the Destination URL with an extra double quote at the end
2. Fix %u escape code
3. Fix ////// bug
4. Fix for: Cannot use different LDAP trees for authentication and authorization
5. Customer wants that the common iChain logs reports 0 bytes in the case of an HTTP status 304
6. Problem with GZIP encoding - 504 gateway timeout due to incorrect handling of chunked data
7. Removed console error messages of: "ACL rules in NDS are invalid or of old version"
8. Security concern POSTing credential data to iChain
9. Fix: Multi Byterange problems
10. Removed csaudit
11. Fix: NSure Audit message garbled
12. Fix: Backport GZIP / Chunking (II)
13. Fix bug in plerror.c
14. Fix compile warning in production
15. iChain 2.3.343 breaks on REPORT command
16. Fix: iChain does not check the source IP address for the session cookie (-ri switch has not been used)
17. Proxy log issue (Sensitive trap in VerifyWriteDataBuffer)
18. Fix: Getting an XML validation error from DM because "Second" != "second"


Fixes since ic23sp5a (2.3.347):

1. CPU hog abends with 50,000+ simultaneous users authenticating to iChain
2. LDAP server status reported as down for 15 minutes after changes applied
3. Rewriter not rewriting certain HREF based URLs in path based multihomed environment
4. iChain incorrectly reformatting string in GET request
5. Time zone exception when setting up iChain to use a Timezone which doesn't have DST, like Arizona.


Known Issues:

Known issues for iChain 2.3 are identified in the online release notes at http://www.novell.com/documentation/ichain23/readme/readme.html

File List:

05/15/2003 10:00 AM 43 1px_spacer.gif
10/01/2007 03:52 PM 142,417 aclcheck.nlm
08/13/2003 02:33 PM 104 appboot.ncf
08/13/2003 02:34 PM 611 appcopy.ncf
08/02/2007 04:19 PM 66,533 appjni.nlm
12/11/2006 10:47 AM 689 appstart.ncf
06/04/2003 12:25 PM 2,293 autoexec.ncf
08/02/2007 04:20 PM 77,573 autovol.nlm
10/01/2007 03:42 PM 9,021 brdsrv.nlm
08/26/2005 03:25 PM 110,155 bsdsock.nlm
05/15/2003 10:00 AM 354 btnlogin_en.gif
01/11/2002 02:28 PM 372 btnreset_en.gif
10/01/2007 04:06 PM 7 buildver.txt
10/01/2007 03:52 PM 74,908 caconfig.nlm
04/13/2007 03:59 PM 7,934 calogldp.sam
04/13/2007 04:00 PM 5,933 caloglfn.sam
04/13/2007 04:05 PM 6,605 calograd.sam
10/01/2007 03:52 PM 16,266 capatch.nlm
01/03/2007 02:01 PM 134,062 ccs.xlm
08/02/2007 04:20 PM 28,540 cert.nlm
10/02/2003 09:27 AM 3,353 CertMaint.html
08/02/2007 04:19 PM 449,215 certmaint.jar
02/06/2007 04:36 PM 3,809 Cleanup.nas
06/08/2005 05:00 PM 313 cleanup.ncf
08/02/2007 04:18 PM 1,239,248 client.jar
08/02/2007 04:20 PM 19,491 cmdlin.nlm
06/15/2005 12:07 PM 759 command.nas
01/03/2007 02:01 PM 586,126 domxeng.xlm
05/23/2003 02:11 PM 41 dsoffset.ncf
01/16/2001 04:32 PM 63 dummy
05/19/2003 05:23 PM 3,588 edir_h1_ppc.gif
10/19/2004 03:01 PM 149 ErrorMap.cfg
10/01/2007 03:52 PM 4,925 ErrorMap.NLM
10/19/2004 03:09 PM 7,904 ERR_LDAP.CFG
10/19/2004 03:13 PM 11,876 ERR_NICI.CFG
10/19/2004 03:09 PM 9,319 ERR_SSS.CFG
10/19/2004 03:14 PM 9,229 ERR_WSOK.CFG
08/02/2007 04:19 PM 369,029 extend.jar
08/02/2007 04:19 PM 18,455 extend.upd
09/07/2005 09:28 AM 8,159 factory.nas
06/16/2005 11:26 AM 1,172 FixOtwug.ncf
08/02/2007 04:19 PM 1,292 iagntjni.nlm
03/05/2004 03:57 PM 4,567 iChain.jks
10/30/2003 05:28 PM 63,990 ichain.mib
03/12/2004 10:09 AM 551,268 iChainInstall.pdf
03/12/2004 09:48 AM 101,249 iChainQuickStart.pdf
02/13/2007 10:03 AM 7,730 iChainUpgrade.nas
08/02/2007 04:20 PM 2,417 icscon.nlm
07/02/2007 02:34 PM 139 icsinfo.txt
10/22/2003 12:52 PM 1,816 ics_ca.b64
08/02/2007 04:18 PM 23,593 images.jar
05/11/2005 11:40 AM 1,689 index.htm
06/09/2004 09:17 AM 238 info.txt
07/21/2005 03:21 PM 1,423 install.nas
09/24/2003 02:29 PM 1,077 int.der
06/17/2002 01:58 PM 14,739 jstcp.old
04/04/2005 01:58 PM 45,857 KEYINST.NLM
12/01/2003 02:58 PM 486,525 lcache.nlm
08/21/2007 06:34 AM 184,273 ldapsdk.nlm
08/21/2007 06:34 AM 898,696 ldapssl.nlm
08/21/2007 06:34 AM 34,307 ldapx.nlm
06/29/2005 08:23 AM 1,177 license.nas
03/01/2004 04:17 PM 16,675 license.txt
08/21/2007 06:33 AM 192,451 lldapsdk.nlm
08/21/2007 06:33 AM 899,326 lldapssl.nlm
08/21/2007 06:33 AM 34,863 lldapx.nlm
12/01/2003 02:58 PM 491,680 logevent.nlm
02/10/2007 03:44 PM 2,454 logging.dtd
02/10/2007 03:40 PM 2,346 logging.properties
06/29/2007 03:53 PM 51,578 messages.cfg
03/18/2003 01:35 PM 3,023 nbmalert.msg
07/21/2004 11:46 AM 39,113 nbmalert.nlm
01/03/2007 02:01 PM 57,462 nicisdi.xlm
10/01/2007 03:43 PM 213,592 nile.nlm
08/02/2005 03:00 PM 464,166 Novxeng.xlm
02/01/2006 03:07 PM 303,238 npkiapi.nlm
02/01/2006 02:39 PM 264,143 npkit.nlm
03/06/2006 11:48 AM 63,774 nssldp.nlm
03/06/2006 11:48 AM 32,722 nsss.nlm
10/30/2003 12:04 PM 790,448 ntls.nlm
02/22/2006 03:41 PM 64,412,255 nw6sp5e.zip
08/02/2007 04:20 PM 39,556 nwimage.nlm
10/01/2007 03:42 PM 59,655 nwutil.nlm
08/02/2007 04:15 PM 56,754 oac.jar
06/18/2003 11:09 AM 210 oac.properties
10/01/2007 03:53 PM 38,271 Oacint.nlm
08/02/2007 04:20 PM 31,644 oeminst.nlm
10/01/2007 03:52 PM 9,626 persist.NLM
02/01/2006 03:30 PM 952,182 pki.nlm
11/20/2004 01:23 PM 277,496 pkiapi.nlm
10/02/2003 09:27 AM 3,414 popconfig.html
02/28/2005 03:02 PM 44,032 PRODUCTS.DAT
05/20/2005 01:39 PM 5,379 proxy.msg
10/01/2007 03:51 PM 1,189,501 proxy.nlm
10/01/2007 03:44 PM 35,882 proxycfg.nlm
02/03/2004 03:28 PM 5,105 radchaln.htm
02/03/2004 03:28 PM 5,105 radchaln.sam
10/01/2007 03:52 PM 39,523 radchk.nlm
12/04/2006 01:58 PM 72 readme
01/26/2005 10:34 AM 33,440 readme.txt
08/02/2007 04:20 PM 10,837 regjni.nlm
06/04/2004 04:23 PM 231 restore.ncf
05/23/2003 09:14 AM 189 RestoreFromClones.NCF
10/01/2007 03:52 PM 10,975 rewrite.nlm
01/21/2004 02:02 PM 7,768 rewriter.sam
01/03/2007 02:01 PM 25,127 sasdfm.xlm
10/01/2007 03:52 PM 49,391 sb.nlm
08/02/2007 04:15 PM 392,178 server.jar
08/02/2007 04:15 PM 20,385 server.upd
08/02/2007 04:20 PM 19,861 SetSrvIP.nlm
08/13/2003 02:34 PM 221 slpoff.ncf
08/13/2003 02:35 PM 221 slpon.ncf
10/01/2007 03:44 PM 85,990 sso.nlm
10/11/2006 10:34 AM 874 stop.ncf
08/23/2005 04:31 PM 804,009 tcp.nlm
09/02/2005 01:08 PM 590,912 tcpip.nlm
03/01/2004 02:11 PM 39 TelnetOn.nas
05/23/2003 09:15 AM 186 UpdateClones.NCF
08/02/2007 04:21 PM 4,035 updscr.nlm
03/15/2004 01:35 PM 8,268 whatsnew.txt
01/03/2007 02:01 PM 223,580 xim.xlm
01/03/2007 02:01 PM 209,147 xmgr.xlm
01/03/2007 02:01 PM 179,788 xsup.xlm
10/01/2007 03:42 PM 37,297 zlib.nlm

file contents

Compressed File Name: ic23sp5ir4.zip

Files IncludedSizeDate
ic23sp5ir4/ic23sp5ir4/ic23sp5ir4.txt112 bytes2007-10-04 20:05:23
ic23sp5ir4/ic23sp5ir4/ic23sp5ir4.zip70.0 MB (73440088)2007-10-04 20:32:52
ic23sp5ir4/ic23sp5ir4/readme.html18.7 KB (19197)2007-10-04 20:05:24
readme_5006541.htmlN/A2008-05-14 14:10:55

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.

© 2007 Novell, Inc. All Rights Reserved.