
WAM Release Notes

This guide describes the latest Web Access Manager (WAM) information, including new features, supported operating systems and environments, and warnings and restrictions.


WAM 9.0.10 Release Notes

Specifications

Technical details

| Attribute | Details |
|---|---|
| Operating Systems | Windows, RHEL, Oracle Linux |
| User Directories | Active Directory, Oracle Directory Server, 389ds, OpenLDAP, OpenDJ (full list under Supported Directories) |
| Configuration Directories | OpenDJ, Microsoft AD LDS, Oracle Directory Server, 389ds, Oracle Unified Directory, Atos DirX (see Secure Configuration Directory) |
| JRE Version | JRE >= 1.8 (OpenJDK JRE) |
| Java Webstart | IcedTea Web |

Platform / Environment

RHEL, Oracle Linux, Windows OS, Container (see WAM in Container below)

WAM in Container

WAM may be deployed in a Docker container. The WAM distribution is not packaged as a container image, because the deployment strategy depends on how WAM is used. There is no known limitation of WAM in Docker, provided that the dependent components are installed (Java, network tools, NTP synchronization, …). Be aware that if certificate authentication is configured, the TLS connection must terminate at the WAM container and not at an intermediate reverse proxy: the client certificate is presented and verified during the TLS handshake, so a proxy that terminates TLS in front of WAM would hide it from WAM.

Be aware that WAM requires:
● persistent volumes for /etc/conf and /usr/evidian, where WAM is installed;
● persistent or predefined users and group:
– users: ‘lpfadmin’, ‘lpfsg’ and ‘lpfap2’
– group: ‘lpfadmin’ containing users ‘lpfadmin’, ‘lpfsg’ and ‘lpfap2’
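The two container requirements above are easy to get wrong silently (a volume declared in the image but not mounted, a user created with a different primary group). The following pre-flight check is an added example written for these notes, not Evidian code: it reads /etc/passwd, /etc/group and /proc/self/mountinfo as text and reports what is missing before WAM is started. The sample inputs at the bottom are constructed; the UIDs/GIDs in them are illustrative.

```python
"""Pre-flight check for a WAM container (added example, not Evidian's code).

Verifies the two requirements listed for Docker deployments before WAM starts:
  * /etc/conf and /usr/evidian are on a persistent mount, not on the
    container's ephemeral overlay root;
  * users lpfadmin, lpfsg and lpfap2 exist and all belong to group lpfadmin.
Inputs are the text of /etc/passwd, /etc/group and /proc/self/mountinfo, so
the checks can also be exercised offline on constructed samples.
"""
import os

REQUIRED_USERS = ("lpfadmin", "lpfsg", "lpfap2")
REQUIRED_GROUP = "lpfadmin"
PERSISTENT_PATHS = ("/etc/conf", "/usr/evidian")


def parse_passwd(text):
    """{user: primary_gid} from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and not line.startswith("#"):
            users[f[0]] = int(f[3])
    return users


def parse_group(text):
    """{group: (gid, members)} from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and not line.startswith("#"):
            groups[f[0]] = (int(f[2]), {m for m in f[3].split(",") if m})
    return groups


def check_accounts(passwd_text, group_text):
    """Problems with the predefined users/group; empty list if all is well."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    problems = [f"missing user {u}" for u in REQUIRED_USERS if u not in users]
    if REQUIRED_GROUP not in groups:
        return problems + [f"missing group {REQUIRED_GROUP}"]
    gid, members = groups[REQUIRED_GROUP]
    for u in REQUIRED_USERS:
        # membership is either the primary group in /etc/passwd or the member list in /etc/group
        if u in users and users[u] != gid and u not in members:
            problems.append(f"user {u} is not in group {REQUIRED_GROUP}")
    return problems


def parse_mountinfo(text):
    """{mount_point: fstype} from /proc/self/mountinfo (mount point is field 5, fstype follows ' - ')."""
    mounts = {}
    for line in text.splitlines():
        if " - " in line:
            left, right = line.split(" - ", 1)
            lf, rf = left.split(), right.split()
            if len(lf) >= 5 and rf:
                mounts[lf[4]] = rf[0]
    return mounts


def check_persistence(mountinfo_text):
    """Flag required paths that resolve to the overlay root, i.e. live and die with the container."""
    mounts = parse_mountinfo(mountinfo_text)
    problems = []
    for path in PERSISTENT_PATHS:
        mp = path
        while mp not in mounts and mp != "/":
            mp = os.path.dirname(mp)  # walk up to the nearest mount point
        fstype = mounts.get(mp, "unknown")
        if mp == "/" or fstype == "overlay":
            problems.append(f"{path} is on {mp} ({fstype}); it will be lost when the container is removed")
    return problems


# Constructed samples: lpfap2 is missing, /etc/conf is a bind mount, /usr/evidian is not.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
lpfadmin:x:1001:1001::/usr/evidian:/bin/bash
lpfsg:x:1002:1001::/usr/evidian:/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
lpfadmin:x:1001:lpfsg
"""
SAMPLE_MOUNTINFO = """\
23 0 0:24 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
120 23 8:1 /srv/wam/conf /etc/conf rw,relatime - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":
    for p in check_accounts(SAMPLE_PASSWD, SAMPLE_GROUP) + check_persistence(SAMPLE_MOUNTINFO):
        print("PRE-FLIGHT:", p)
```

In a real entrypoint, feed the three files from the running container (open("/etc/passwd").read() and so on) and refuse to start WAM when either function returns a non-empty list; creating the accounts with fixed UIDs in the image is what keeps file ownership on the persistent volumes stable across image rebuilds.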

Java (OpenJDK)

Commands to check the installed Java components:

```shell
java -version
javac -version
# Java Webstart
javaws -version
update-alternatives --list java
whereis java
```

Supported Directories

User Directories

Active Directory: Windows 2003 Server, Windows 2008 Server, Windows 2012, Windows 2016, Windows 2019 Server, Windows Server 2022.
Oracle Directory Server Enterprise Edition: 11g Release 1 and later.
389 Directory Server: version 1.2.10 and later.
OpenLDAP: version 2.3 or 2.4 on Red Hat Linux.
OpenDJ: any version on any system.
Evidian AccessMaster SIB: version 7.0 or 9.0.
IBM Lotus Notes/Domino: version 6.0.
Novell eDirectory: version 8.7.
NEC Enterprise Directory Server: version 3.1.
Siemens or Atos DirX directory.

Secure Configuration Directory

OpenDJ: any version, on Linux.
Microsoft AD LDS: Windows 2008/2012R2/2016/2019/2022.
Oracle Directory Server Enterprise Edition: 11g Release 1 and later.
389 Directory Server: version 1.2.10 and later.
Oracle Unified Directory (OUD): 11g Release 2.
Atos DirX: 8.5 and later.

Warnings / Restrictions

Installation in Virtual Machines and time shifting

If Web Access Manager is installed in a virtual machine, be aware that unpredictable behaviours can occur if the virtual machine cannot keep accurate time or if it is undersized.

NTP

In any case, use an NTP client to synchronize the system time with an external time server.



DNS and host naming

The WAM host must resolve its own hostname to its correct IP address.

Be aware that on some Linux systems, when the network interfaces are configured after the OS installation, the hostname is sometimes resolved as 127.0.0.1 or ::1. In that case, edit /etc/hosts so that the hostname is associated with the correct IP address, and remove it from the loopback lines (the first matching line wins).

FQDN

Use hostnames that comply with the DNS naming conventions: lowercase letters, digits and hyphens only, no other symbols; see the DNS naming RFCs (RFC 952 and RFC 1123) for details.

Always use Fully Qualified Domain Names (FQDN) instead of IP addresses. The protected web servers must use consistent URL naming; never mix URLs with IP addresses and URLs with FQDNs, as this may lead to unpredictable behaviour.
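The three naming rules above can be checked mechanically before installation. The script below is an added example for these notes, not part of WAM: it parses an /etc/hosts file to see which address the resolver will actually return for the host's own name, validates hostnames against the lowercase DNS-label rule, and flags protected-server URLs that use IP addresses or mix them with FQDNs. The hosts file, hostname and URL list at the bottom are constructed samples.

```python
"""Host-naming checks for a WAM gateway (added example, not Evidian's code).

Covers the three rules from the release notes:
  1. the host must resolve its own name to its real address, not 127.0.0.1/::1;
  2. names must follow DNS conventions (lowercase letters, digits, hyphens);
  3. protected web servers must be addressed consistently by FQDN, never by a
     mix of FQDN and IP-address URLs.
Inputs are plain text so the checks run offline on constructed samples.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: 1-63 chars, lowercase alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def is_valid_fqdn(name):
    """RFC 1123 host name, restricted to lowercase as the release notes require."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def hosts_lookup(hosts_text, name):
    """First address that /etc/hosts maps to `name`, which is what the resolver returns."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *aliases = line.split()
        if name.lower() in (a.lower() for a in aliases):
            return addr
    return None


def check_self_resolution(hosts_text, hostname):
    """Problem string, or None when the host resolves to a usable (non-loopback) address."""
    addr = hosts_lookup(hosts_text, hostname)
    if addr is None:
        return f"{hostname} is not resolvable from /etc/hosts"
    if ipaddress.ip_address(addr).is_loopback:
        return f"{hostname} resolves to loopback {addr}; map it to the real interface address"
    return None


def _host_kind(url):
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "fqdn" if is_valid_fqdn(host) else "invalid"


def check_url_consistency(urls):
    """Problems for protected-server URLs that use an IP address or a malformed name."""
    kinds = {u: _host_kind(u) for u in urls}
    problems = [f"{u}: host is an IP address, use the FQDN" for u, k in kinds.items() if k == "ip"]
    problems += [f"{u}: host name is not DNS-compatible" for u, k in kinds.items() if k == "invalid"]
    if "ip" in kinds.values() and "fqdn" in kinds.values():
        problems.append("URL set mixes IP-address and FQDN hosts")
    return problems


# Constructed sample: the hostname appears on the loopback line first, which is the
# situation the release notes warn about.
SAMPLE_HOSTS = """\
127.0.0.1   localhost wam01.example.com wam01
::1         localhost6
192.0.2.10  wam01.example.com wam01
"""
SAMPLE_URLS = ["https://app1.example.com/", "https://192.0.2.20/app2", "https://app_3.example.com/x"]

if __name__ == "__main__":
    print(check_self_resolution(SAMPLE_HOSTS, "wam01.example.com"))
    for problem in check_url_consistency(SAMPLE_URLS):
        print(problem)
```

On a live host, pass open("/etc/hosts").read() and socket.getfqdn() to check_self_resolution; note that it only models /etc/hosts, so a name served by DNS rather than the hosts file must be checked with the system resolver as well.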

Windows Installation and specific restrictions

Always run the Web Access Manager installer as the Administrator user. Using another user with administrator privileges may lead to unpredictable results during installation and may require manual corrections of file permissions.

If Web Access Manager is installed on the same host as the IIS server and the lpfauthserv.exe CGI, the configuration file lpfauthserv.conf must be located in $LPF_ROOT_DIR/config/. $LPF_ROOT_DIR must be defined as a system environment variable and must point to the directory containing the required DLLs and configuration file.

The lpfauthserv.exe CGI returns and displays an error message if its configuration file cannot be found.

Never Install

Never install Web Access Manager in a directory path containing a parenthesis, “(” or “)”. Never install Web Access Manager from or to a directory mounted from another host.

The installation path and the files to install must reside on a local device of the host.

Usage Guidelines


Firewall

Firewall and standard system installation

Be aware that the built-in firewall rules of a fresh OS installation may block incoming connections on ports that are not open by default.

For example, on a CentOS system the firewall will not allow connections on WAM's default administration port, 9119. Add a firewall rule that allows TCP port 9119, preferably only from the administration hosts, rather than disabling the firewall. Running “iptables --flush” removes every rule, including those protecting other services; if you use it to unblock the installation, do so only temporarily and restore the rules afterwards.

On Windows

Windows Installation and specific restrictions

When using native Windows Kerberos authentication, follow the procedure described in the Web Access Manager Administrator's Guide.

Reboot

Start of WAM services on Windows after reboot limitation

Use the Windows command sc.exe config <service> depend= <dependency>[/<dependency>...] to set up the dependencies of the WAM services on the services they require, so that they start in the right order after a reboot (note the space after “depend=”). Use sc.exe config /help for more details on this command.

Provisioning

Account base creation before provisioning on Windows

If you plan to use external provisioning, you must restart the Web Access Manager Administration Server with the command “lpfadmin.exe restart”.

CORS

Cross-origin resource sharing (CORS)

The CORS directives are not updated or modified when a new WAM version is installed. Check that the existing directives are still compatible with the current deployment. After an update, warnings are displayed with the list of predefined rules; you must check the rules actually used in your configuration, in particular that no rule allows an origin broader than the deployment requires.

OpenLDAP


HB/LB Safekit

High Availability and Load Balancing with Evidian SafeKit Option


Mobile-ESSO

Web Access Manager and Enterprise SSO: Mobile E-SSO option


SASL

SASL Not Supported with OpenLDAP as user directory


SAML Inter-Domain


Logout


SELinux

Installation with SELinux enabled or a noexec /tmp

If /tmp is mounted without execute permission (noexec), you must pass the installer, on its command line, the path of a temporary directory that allows execution. The installer may also fail if it is not allowed to read or write some installation files with ‘root’ privileges.

If SELinux is enabled, investigate installation failures or file access errors by checking for “avc: denied” messages and other errors in ‘/var/log/messages’ (and in the audit log). Also check the policy mode in ‘/etc/sysconfig/selinux’: a denial logged with permissive=0 was actually blocked, whereas permissive=1 only records what enforcing mode would block.
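Reading raw “avc: denied” lines by eye gets tedious once a failed installation has produced a few hundred of them. The following triage script is an added example for these notes, not an Evidian tool: it parses the denials, extracts the process, refused permission, target SELinux type and object class, and counts only the ones that were actually enforced. The log lines at the bottom are constructed samples in the format the kernel writes to /var/log/messages; the file names in them are illustrative.

```python
"""Triage of SELinux 'avc: denied' messages from /var/log/messages (added example, not Evidian's tooling).

Pulls out what decides the fix for a failed installation: which process was
refused which permission on which SELinux type and object class, and whether
SELinux was enforcing at the time (permissive=0 means the access was really
blocked, permissive=1 means it was only logged).
"""
import re
from collections import Counter

_AVC = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _ctx_type(ctx):
    """Third field of a user:role:type:level security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = _AVC.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in _KV.findall(m.group(2))}
    return {
        "perms": m.group(1).split(),
        "comm": kv.get("comm"),
        "target": kv.get("path") or kv.get("name"),
        "stype": _ctx_type(kv.get("scontext", "")),
        "ttype": _ctx_type(kv.get("tcontext", "")),
        "tclass": kv.get("tclass"),
        "enforced": kv.get("permissive") == "0",
    }


def summarize(lines):
    """Count enforced denials by (process, permission, target type, class).

    Distinct keys usually map to distinct fixes: a tmp_t execute denial points at
    the noexec/temporary-directory issue above, an etc_t write denial at a file
    label or path choice, a port denial at a missing port label.
    """
    counts = Counter()
    for line in lines:
        d = parse_avc(line)
        if d and d["enforced"]:
            for perm in d["perms"]:
                counts[(d["comm"], perm, d["ttype"], d["tclass"])] += 1
    return counts


# Constructed sample of /var/log/messages lines: an installer script refused execution
# under /tmp, the Java service refused a write under /etc, one unrelated line, and one
# denial recorded while SELinux was permissive (not counted as a blocking problem).
SAMPLE_LOG = [
    'May 14 10:21:33 wam01 kernel: audit: type=1400 audit(1589451693.512:88): avc:  denied  { execute } for  pid=2314 comm="sh" name="install.sh" dev="dm-0" ino=9182 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file permissive=0',
    'May 14 10:21:40 wam01 kernel: audit: type=1400 audit(1589451700.100:89): avc:  denied  { write } for  pid=2390 comm="java" name="gateway.conf" dev="dm-0" ino=44123 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    'May 14 10:22:01 wam01 systemd[1]: Started WAM gateway.',
    'May 14 10:25:12 wam01 kernel: audit: type=1400 audit(1589451912.004:95): avc:  denied  { name_bind } for  pid=2390 comm="java" src=9119 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n}x {key[0]} denied {key[1]} on {key[2]} ({key[3]})")
```

Run it over the real file with summarize(open("/var/log/messages").read().splitlines()); the same parser works on ausearch -m avc output, since the avc: portion of the record has the same shape.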

SAML IdP

SMTP

SAML assertions

Active Sync

Active Sync and authenticated OPTIONS HTTP method

502 HTTP

Unexpected 502 HTTP code in Reverse Proxy mode

When WAM is used as a reverse proxy, with Remote Web Agents or portals, in front of some web servers, the web server may close connections unexpectedly, which surfaces as an HTTP 502 returned to the client. These closures may be caused by a weakness in the web server's handling of the HTTP connection pool (typically an idle keep-alive connection that the server has already closed being reused by the proxy).

The following Apache httpd mod_proxy setting works around it by not reusing a pooled backend connection for the first request on a client connection:

SetEnv proxy-initial-not-pooled 1

CentOS

Starting WAM services on CentOS 8 with graphical desktop

If you use the CentOS 8/9 graphical desktop, then applying the configuration in WAM administration console or restarting WAM services with lpfrestart command leaves some WAM services stopped.

You need to apply the configuration or execute lpfrestart again to have all the WAM services started and ready.

It is recommended to connect to the WAM gateway using ssh, or to use the WAM Administration console from another host.

Indexation

Indexes required on the configuration directory

Once the WAM LDAP schema is installed in a configuration directory, you MUST create the following indexes on the directory (the index types are given for each attribute):

objectClass: equality
lpfAceOwner: presence, equality and substring
lpfAceType: presence and equality
lpfAccountOwner: presence, equality and substring
lpfAccountType: presence and equality
lpfUserPkValue: presence and equality
uid: presence and equality
lpfExpirationDate: presence and equality
lpfSamlRequestId: equality
mail: equality
lpfLinkedIdentities: substring
lpfOIDCId: equality
lpfOIDCType: equality
lpfOIDCClientId: equality
lpfOIDCUserId: equality
lpfOIDCAuthHolderId: equality
lpfIsLocked: equality
lpfOIDCRef: equality
lpfOIDCAccessCode: equality
lpfOIDCTokenValue: equality
lpfOIDCRefreshTokenId: equality
lpfOIDCIdTokenId: equality
lpfOIDCCreatorId: equality
lpfOIDCDeviceCode: equality
lpfOIDCUserCode: equality
lpfSamlRelayState: equality
lpfSecondaryLogin: equality
lpfApplicationGroupName: presence and equality
lpfDisplayName: presence and equality
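Creating the list above by hand on each configuration directory invites typos, and a missing index on an attribute such as lpfOIDCTokenValue only shows up as unindexed searches under load. The script below is an added example for these notes, not an Evidian tool: it holds the table above as data and renders it as an LDIF for 389 Directory Server and as dsconfig commands for OpenDJ, two of the supported configuration directories, and it can diff the table against the indexes a directory already has. The backend name userRoot, the OpenDJ host and administration port, and the bind DN are assumptions to adjust for your instance.

```python
"""Index definitions for the WAM configuration directory (added example, not Evidian's tooling).

REQUIRED_INDEXES is the table from these release notes. The block renders it
for two of the supported configuration directories: an LDIF that adds nsIndex
entries to a 389 Directory Server backend, and dsconfig commands for OpenDJ.
missing_indexes() compares the table against what a directory currently has,
for checking an installation. Backend name "userRoot", the OpenDJ host and
administration port, and the bind DN are assumptions; adjust them to your instance.
"""

P, E, S = "presence", "equality", "substring"
REQUIRED_INDEXES = {
    "objectClass": (E,),
    "lpfAceOwner": (P, E, S), "lpfAceType": (P, E),
    "lpfAccountOwner": (P, E, S), "lpfAccountType": (P, E),
    "lpfUserPkValue": (P, E), "uid": (P, E), "lpfExpirationDate": (P, E),
    "lpfSamlRequestId": (E,), "mail": (E,), "lpfLinkedIdentities": (S,),
    "lpfOIDCId": (E,), "lpfOIDCType": (E,), "lpfOIDCClientId": (E,),
    "lpfOIDCUserId": (E,), "lpfOIDCAuthHolderId": (E,), "lpfIsLocked": (E,),
    "lpfOIDCRef": (E,), "lpfOIDCAccessCode": (E,), "lpfOIDCTokenValue": (E,),
    "lpfOIDCRefreshTokenId": (E,), "lpfOIDCIdTokenId": (E,), "lpfOIDCCreatorId": (E,),
    "lpfOIDCDeviceCode": (E,), "lpfOIDCUserCode": (E,), "lpfSamlRelayState": (E,),
    "lpfSecondaryLogin": (E,), "lpfApplicationGroupName": (P, E), "lpfDisplayName": (P, E),
}
_389_TYPE = {P: "pres", E: "eq", S: "sub"}
# Both products ship with an equality index on objectClass; creating it again fails.
_SHIPPED = {"objectClass": (E,)}


def ldif_389ds(backend="userRoot"):
    """LDIF for ldapadd against cn=config; re-index the backend afterwards (db2index)."""
    out = []
    for attr, kinds in REQUIRED_INDEXES.items():
        if _SHIPPED.get(attr) == kinds:
            out.append(f"# {attr}: {', '.join(kinds)} index exists by default, verify instead of adding")
            continue
        out.append("\n".join(
            [f"dn: cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config",
             "objectClass: top", "objectClass: nsIndex", f"cn: {attr}", "nsSystemIndex: false"]
            + [f"nsIndexType: {_389_TYPE[k]}" for k in kinds]))
    return "\n\n".join(out) + "\n"


def opendj_commands(backend="userRoot", host="localhost", admin_port=4444):
    """dsconfig command lines (bind password left out; supply it with --bindPasswordFile); run rebuild-index afterwards."""
    cmds = []
    for attr, kinds in REQUIRED_INDEXES.items():
        if _SHIPPED.get(attr) == kinds:
            cmds.append(f"# {attr}: indexed by default, check with dsconfig list-backend-indexes")
            continue
        sets = " ".join(f"--set index-type:{k}" for k in kinds)
        cmds.append(f"dsconfig create-backend-index --backend-name {backend} --index-name {attr} {sets} "
                    f"--hostname {host} --port {admin_port} --bindDN 'cn=Directory Manager' --trustAll --no-prompt")
    return cmds


def missing_indexes(existing):
    """existing: {attribute: index types currently configured}; returns {attribute: missing types}."""
    gaps = {}
    for attr, kinds in REQUIRED_INDEXES.items():
        have = {k.lower() for k in existing.get(attr, ())}
        miss = [k for k in kinds if k not in have]
        if miss:
            gaps[attr] = miss
    return gaps


if __name__ == "__main__":
    print(ldif_389ds())
    print("\n".join(opendj_commands()))
```

Apply the LDIF with ldapadd bound as the directory manager, then rebuild the backend indexes, since adding an nsIndex entry does not index existing entries; the same applies to OpenDJ's rebuild-index after dsconfig. To use missing_indexes(), read the configured index types back from the directory (the nsIndexType values under cn=index for 389ds, or the index-type property from dsconfig list-backend-indexes for OpenDJ) and pass them as the existing mapping.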

Cluster Gateways
