
Andrew Nguyen's Tech Tips

1) Add [ng-click="openUserAction(userAction, 'ATTACHMENTS', $event)"] as the CSS Selector name.
2) Click "Add attribute".
3) Choose "other".
4) Enter "display".
5) Fill in the value as "none".

Improve loading of a user's current permissions

Improves the loading performance of the Current Access rights view (for example, when a user has many Provisioning Roles).

After deploying this fix you will need to make these changes in the 'Sigma – Current Access' admin task in IDM:

  1. Open the task's 'Tabs' tab and remove the 'Provisioning Roles' and 'Provisioning Roles Indirect' tabs from the list.
  2. Edit the task's Profile tab screen, 'Sigma User Profile':

Add a new Screen Logical Attribute. Name it "|provRoles|" and check the 'Multi-valued' checkbox.

Add the following code to the screen's "Initialization Javascript" section:


function init(ScreenContext) {
    importClass(Packages.java.util.HashSet);
    importClass(Packages.com.netegrity.llsdk6.imsimpl.securityengine.ProvisioningSecurityEngine);

    var iamsession = null;
    var results = new java.util.HashSet();   // de-duplicated role base names
    var user = ScreenContext.getUser();

    try {
        // Open a provisioning (IAM) session for the user shown on the screen
        iamsession = ProvisioningSecurityEngine.getIAMSession(user);
        var iamdomain = iamsession.getRootDomain();
        var iamUser = iamdomain.getUser(ProvisioningSecurityEngine.getProvisioningFriendlyName(user));
        if (iamUser != null) {
            // Walk the user's role handles and collect each role's base name
            var roleHandleList = iamUser.property("roleHandles");
            var iter = roleHandleList.iterator();
            while (iter.hasNext()) {
                var role = iter.next();
                results.add(role.getBaseName());
            }
        }
    } catch (e) {
        ScreenContext.logErrorMessage("##################### Failed to get prov roles: " + e, false);
    } finally {
        // Always release the session, even when the lookup fails
        if (iamsession != null) {
            iamsession.close();
        }
    }

    // Populate the multi-valued logical attribute shown on the screen
    var vector = new java.util.Vector();
    vector.addAll(results);
    ScreenContext.setFieldMultiValue("|provRoles|", vector);
}

  3. Save the changes and restart the connector in Identity Portal.

The issue was in the way CA Identity Manager displayed error information after a user account had been locked out, which allowed attackers to brute-force credentials and use them after the account was no longer locked.

The system displayed 'Error: Username and password do not match' when an incorrect username/password combination was used, which of course makes sense. However, when correct credentials were used for a locked account, the user was redirected to /iam/im/pub/cui7/index.jsp?SMAUTHREASON=24&task.tag=passwordServices and the error message was: 'Error: You cannot access your account because you have exceeded the limit of login attempts.' Because the two messages differ, the lockout message itself reveals whether the guessed password was correct.

The expected functionality is:
* Create an IM password policy which specifies that the user must be disabled after 3 successive failed login attempts
* Create a user (say) user1 with the password 'test'
* Log on successfully
* Log on 3 times with the password 'testxxxx'
* Log on a 4th time with the password 'testxxx'. You should get a message that you are now disabled
* Log on a 5th time with the correct password 'test'. You should get a message that you are now disabled

The steps above can be used to test whether the vulnerability exists in your system.
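As an added illustration (not code from this page, from CA or from Identity Manager), here is a minimal Python model of the two authentication orders described above: the vulnerable order verifies the password before consulting the lockout state, the corrected order refuses a disabled account before any password check, and run_page_test replays the six logins listed above against each. The account store, the hashing and all function names are assumptions of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Threshold and messages taken from the page: 3 failures disable the account
MAX_FAILED = 3
MSG_MISMATCH = "Error: Username and password do not match"
MSG_LOCKED = ("Error: You cannot access your account because you have "
              "exceeded the limit of login attempts.")

@dataclass
class Account:
    pw_hash: bytes          # toy store (assumption): unsalted SHA-256 is enough here
    failed: int = 0
    disabled: bool = False

def _password_ok(acct, password):
    guess = hashlib.sha256(password.encode()).digest()
    return hmac.compare_digest(acct.pw_hash, guess)

def _record_failure(acct):
    acct.failed += 1
    if acct.failed >= MAX_FAILED:
        acct.disabled = True
    return MSG_MISMATCH

def login_vulnerable(acct, password):
    # Password verified before the lockout state: a locked account answers
    # "do not match" to wrong guesses and "exceeded the limit" only to the right one.
    if not _password_ok(acct, password):
        return _record_failure(acct)
    if acct.disabled:
        return MSG_LOCKED
    acct.failed = 0
    return "OK"

def login_fixed(acct, password):
    # Lockout state checked first and no password verified once the account is
    # disabled, so right and wrong guesses receive the identical reply.
    if acct.disabled:
        return MSG_LOCKED
    if not _password_ok(acct, password):
        return _record_failure(acct)
    acct.failed = 0
    return "OK"

def run_page_test(login):
    # The page's check: 1 good login, 3 bad ones, a 4th bad one, then a 5th good one
    acct = Account(hashlib.sha256(b"test").digest())
    attempts = ["test", "testxxxx", "testxxxx", "testxxxx", "testxxx", "test"]
    return [login(acct, pw) for pw in attempts]

def leaks_lockout_state(login):
    # True when the 4th (wrong) and 5th (right) attempts are distinguishable
    replies = run_page_test(login)
    return replies[4] != replies[5]
```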


This functionality is handled by SSO Password Services, so why did CA issue a patch for IDM?

Identity Manager and SSO handle authentication differently. If SSO is not integrated, the vulnerability above applies. If SSO is integrated with Identity Manager, SSO handles all authentication and IDM is not affected.

To see why this makes sense, compare the authentication flows:

With SSO-IDM:

Login with SSO username and password -> Authentication approves -> Session is sent to IDM

Without SSO:

Login with IDM username and password -> Authentication approves -> Session is sent to IDM

Hopefully you can see how authentication is handled differently. With SSO, a failed login is reported to SSO, whereas when authentication fails in IDM it is reported to IDM.

  1. User Logon Name in Active Directory: libdo01@istavapp1402.local
  2. Enable Active Directory and LDAP authentication in IG:
     security.disable.ADAuthentication = True
     security.disable = false
  3. ldap.server: example: 130.119.61.216
  4. security.credential.expiration.seconds = 60
  5. security.disable.ssl.ADAUthentication = True
  6. PersonID in IG Eurekify configuration: istavapp1402\libdo01
     Note: The user prefix should be pre-2000 domain compliant (without the .local suffix).
  7. Login to IG: istavapp1402\libdo01
     Note: If the system attribute default.domain is set to istavapp1402, then the domain prefix is not mandatory when signing into IG (login is permitted both as istavapp1402\libdo01 and as libdo01).
     A restart of the IG application might be required to apply all system changes.
  8. Login ID in IM: istavapp1402\libdo01
  9. IM Login: Username: istavapp1402\libdo01
  10. Login to IP: Username: istavapp1402\libdo01

 

 

There is an issue when the "Limit on time allowed for a search" is set to a value of 30, as seen below:

To enable the endpoints in Provisioning Manager, navigate to:

File -> Preferences -> Search

Increase the "Limit on time allowed for a search" to a value of 40.

Note: The latest Cumulative Patch for Identity Portal needs to be applied if using the Virtual Appliance.

Ref: https://docops.ca.com/ca-identity-suite/14-1/EN/release-notes/ca-identity-suite-virtual-appliance-release-notes/virtual-…

To set the branding for Identity Portal 14.1 on the Virtual Appliance, navigate to the Branding tab on the top bar as shown in the image below.

Click the Logo and select these attributes:

background-image
background-size
height
width

The image above shows some of the sample values I put in. Adjust these as necessary:

background-image: <image-name.jpg>
background-size: contain
height: 100
width: 150

 

The next step is to change the logo shown on the left-hand panel.

The above shows:

1) In the Branding tab, click the Key in the View section
2) Click Logo
3) Change the logo to the desired image. This changes the image on the login screen.

To change the logo on the panel on the left, follow these steps:
1) Under Custom, click the "+" icon
2) Add this for the "Add CSS Selector Name":
[image-error="../static-html/images/CA_logo@2x.png"]
and
3) Add .nav-menu-header

The first custom selector we have added is [image-error="../static-html/images/CA_logo@2x.png"]. Follow these steps to add the Identity Portal attributes to it:
1) Click "Add attribute" and look for "other"
2) Enter "display" with the value "none"

The .nav-menu-header selector is a little trickier.

Add the background-image, background-position, background-size and background-repeat attributes.

The values should be as listed below:
background-image: select desired logo
background-position: right
background-size: contain
background-repeat: no-repeat

Question:

Why does this NullPointerException appear when doing a Bulk Load on CA Identity Manager?

org.apache.jasper.JasperException: java.lang.NullPointerException
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:409)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242)

Answer:

Make sure all the required fields are filled out, since they are required to upload users. For example, the sample feeder files are located here:

<CA_IDM_HOME_FOLDER>\IAM Suite\Identity Manager\tools\samples\Feeder\CSVSamples

Their header line has the following attributes:

action,uid,givenName,sn,cn,userPassword,mail,%ORG_MEMBERSHIP_NAME%,%ORG_MEMBERSHIP%,departmentNumber,l,postalAddress

Try this sample and adjust as necessary; the following attributes are mandatory or an error will appear:

action,uid,givenName,sn,cn,userPassword,%ORG_MEMBERSHIP_NAME%,%ORG_MEMBERSHIP%
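An added pre-flight check (not part of this page or of Identity Manager's own tooling) that validates a feeder CSV against the mandatory columns listed above before it is bulk loaded, reporting a missing header column or an empty mandatory value per row; the MANDATORY list is taken from the answer, the sample rows and the function name are constructed for the example.

```python
import csv
import io

# Columns the answer above calls mandatory for a user bulk load
MANDATORY = ["action", "uid", "givenName", "sn", "cn", "userPassword",
             "%ORG_MEMBERSHIP_NAME%", "%ORG_MEMBERSHIP%"]

def validate_feeder(text):
    """Return a list of problems found in a feeder CSV; an empty list means clean."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in MANDATORY if c not in header]
    if missing:
        problems.append("header is missing mandatory column(s): " + ", ".join(missing))
        return problems  # rows cannot be checked without the columns
    # Data rows start on line 2; the header is line 1
    for line_no, row in enumerate(reader, start=2):
        if None in row:  # DictReader parks surplus values under the key None
            problems.append(f"line {line_no}: more values than header columns")
        for col in MANDATORY:
            if not (row.get(col) or "").strip():  # None when the row is short
                problems.append(f"line {line_no}: empty value for mandatory column {col}")
    return problems

# Constructed samples in the layout of the mandatory header line above
SAMPLE_GOOD = """action,uid,givenName,sn,cn,userPassword,%ORG_MEMBERSHIP_NAME%,%ORG_MEMBERSHIP%
create,jdoe,John,Doe,John Doe,Passw0rd!,Finance,ou=Finance
"""

SAMPLE_BAD = """action,uid,givenName,sn,cn,userPassword,%ORG_MEMBERSHIP_NAME%,%ORG_MEMBERSHIP%
create,jdoe,John,Doe,John Doe,Passw0rd!,Finance,ou=Finance
create,asmith,Alice,,Alice Smith,Passw0rd!,,ou=Finance
"""

SAMPLE_NO_HEADER = """uid,givenName,sn
jdoe,John,Doe
"""
```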

Question:

Why doesn't the import work when importing the Active Directory endpoint from Identity Governance? The users are imported without a problem but the roles and resources get the following errors:

ERROR [com.eurekify.batch.connectors.imports.impl.IMImport] (http-0.0.0.0-8080-3)
SEVERE [com.ca.iam.model.impl.IAMConverter] (import-connector thread-8) Write conversion fail

Answer:

The jar file "jiam-14.0.0-183.jar" was missing; once it was included in the libraries the import started to work correctly.


One important component of database processing is the listener process. The key file for the listener process in Oracle 12c is the listener.ora configuration file. This file identifies two things:

Each database it listens for

On which ports (default 1521)

The file is located in ORACLE_HOME/network/admin.

Example listener.ora file:

LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))
SID_LIST_LISTENER=
  (SID_LIST=
    (SID_DESC=
      (SID_NAME=plsextproc)
      (ORACLE_HOME=/oracle10g)
      (PROGRAM=extproc)))

Check the Oracle listener status:

lsnrctl status

 

Configuring Passwords for Oracle Net Listener

Oracle Net Listener Control (lsnrctl) is the command-line utility for managing Oracle Net Listener configuration, including passwords. A password can be configured for the listener to provide security for listener administrative operations, such as starting or stopping the listener, viewing a list of supported services, or saving changes to the Listener Control configuration. However, as mentioned earlier, local administration of the listener is secure by default through the local operating system. Therefore, configuring a password is neither required nor recommended for secure local administration.

To set a new encrypted password with the CHANGE_PASSWORD command, issue the following commands from the Listener Control utility:

 

LSNRCTL> CHANGE_PASSWORD
Old password: old_password
New password: new_secure_password
Reenter new password: new_secure_password
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tpc)(HOST=sales-server)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> SAVE_CONFIG

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=sales-server)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /oracle/network/admin/listener.ora
Old Parameter File /oracle/network/admin/listener.bak
The command completed successfully

During my visit to this conference in NYC, I was able to experience some interesting topics on security. I recently made a presentation on May 15, 2017 discussing what I learned. Attached is the PDF of the presentation. Let me know if you have any thoughts or questions.

 

Topics Include:

  • What is Risk?
  • How-Tos of Information Security
  • Ransomware
  • Case Study of Ransomware
  • Veracode

A simple way to upload and create cases with CA Support.

Download: CA Remote Engineer CA RE - CA Technologies

Documentation: CA Remote Engineer Home - CA Remote Engineer - 4.0 - CA Technologies Documentation

Run standalone checkup

In this mode, the CA customer can run a checkup and examine the report to see whether the anomalies can be fixed on their own. In this mode, no case can be created or updated.

Steps:

  1. Select the application from the application list
  2. Click on 'Run checkup'
  3. Upon completion, click on 'View complete diagnostic report' to show the report in a browser window

Login and create a support case

In this mode, the CA customer can create a support case.

Steps:

  1. Login
  2. Click on 'Create New'
  3. Enter the following info:
    1. Select the application from the application list
    2. Enter the case title
    3. Select the severity
    4. Enter the description
    5. Optional: check the box that reads 'Do you want to help CA'
  4. Click on the 'Run checkup and create case' button
  5. Upon completion, click on 'View complete diagnostic report' to show the report in a browser window

Login and update an existing support case

In this mode, the CA customer can update an existing support case.

Steps:

  1. Login
  2. Click on 'Update'
  3. Enter the following info:
    1. Select the existing case number
    2. Enter the case details
    3. Optional: check the box that reads 'Do you want to help CA'
  4. Click on the 'Run checkup and update case' button
  5. Upon completion, click on 'View complete diagnostic report' to show the report in a browser window

Linked KB Doc: TEC1409866

 

When installing Identity Governance 14, an error occurs noting, "Windows error 2 occured while loading the JAVA VM", as pictured below:

This can be corrected by following these steps:

1) Install Java JDK 1.8.0_71

2) Set the appropriate Java variables (Ex. JAVA_HOME, PATH)

3) In a new command window, run <setup file>.exe LAX_VM "<java-home>\bin\java.exe"

(Ex. "C:\Program Files\Java\jdk1.8.0_71\bin\java.exe")

4) When this window appears you may proceed with the installer:

This will help you bypass the LaunchAnywhere error.

 

The CA Identity Suite Virtual Appliance (vApp) lets you install and deploy Identity Management and Governance products and their associated services quickly with minimal effort. The vApp image is provided in an Open Virtualization Architecture format (OVA) that is compatible with modern Virtualization platforms (see the Platform Support Matrix).

The vApp features a flexible and modular design that provides multiple environment types (Demo, Development, Staging and Production) and support for High Availability (H/A). The vApp is based on a Linux O/S, using Wildfly as the application server and Oracle (Express Edition) as an embedded database (applicable for non-production environments only).

The Virtual Appliance product contains the following CA Identity Suite components:

  • CA Identity Manager 14.0
  • CA Identity Governance 14.0
  • CA Identity Portal 14.0
  • CA Directory 14.0 (User Store)
  • CA Identity Manager Provisioning Server 14.0
  • CA Identity Manager Connector Server 14.0
  • Oracle database 11g Express Edition

Estimated time of install if done in demo mode is ~20 min.

 

Identity Suite Credentials - Default Credentials to Access User Interface of Deployed Services - CA Identity Suite - 14.0 - CA Technologies Documenta… 

 

Identity Suite Virtual Appliance 14.0 Documentation  - CA Identity Suite - Virtual Appliance - CA Identity Suite - 14.0 - CA Technologies Documentation 

 

Download site  - support.ca.com: Navigate to ->Identity Suite -> Release 14.0 -> Gen level 0000 -> Click "Go"

Filename is labelled:

CA Identity Suite Virtual Appliance r14.0 - ESD Only
DVD12080659E.ova

 

Virtual Appliance 12.6.8 Build - CA Identity Suite Virtual Appliance - 12.6.08 Cumulative Releases and Patches - CA Identity Suite - 12.6.8 - CA Technolo… 

 

Memory requirements and allocation (Java heap size) for the components.

Here is a table summarizing the memory requirements per component in the different modes:

Product                    | DEMO, SANDBOX | NON-PRODUCTION, PRODUCTION
---------------------------|---------------|---------------------------
Connector Server           | 1GB           | 2GB
Provisioning Server        | ½ GB          | 6GB
Oracle embedded database   | 1GB           | N/A
User Store                 | ½ GB          | 4GB
Identity Manager           | 2GB           | 8GB
Identity Governance        | 1.5GB         | 8GB
Identity Portal            | 1.5GB         | 8GB
Central log server         | 1GB           | 4GB

When disabling Share My Work in Identity Governance, users' work is still being shared. How would I fully disable the work from being shared?

You need to enable the Share My Work option and then disable it for each user individually before you disable the Share My Work option. This stops the sharing of work between users; you can then disable Share My Work in the configuration set by setting shareMyWork.enable to false.

1. Complete the steps for installing GM on JBoss EAP 6
2. Make sure the server is not running
3. Run the following in CMD:

$ keytool -genkey -alias foo -keyalg RSA -keystore foo.keystore -validity 10950

Enter keystore password: secret
Re-enter new password: secret
What is your first and last name?
[Unknown]: foo.acme.com
What is the name of your organizational unit?
[Unknown]: Foo
What is the name of your organization?
[Unknown]: acme corp
What is the name of your City or Locality?
[Unknown]: Duckburg
What is the name of your State or Province?
[Unknown]: Duckburg
What is the two-letter country code for this unit?
[Unknown]: WD
Is CN=foo.acme.com, OU=Foo, O=acme corp, L=Duckburg, ST=Duckburg, C=WD correct?
[no]: yes

Enter key password for <deva> secret
(RETURN if same as keystore password):
Re-enter new password: secret

4. Note that after generating the foo.keystore file, it is saved in the directory you are in at the CMD prompt.
5. Open this file in a text editor: standalone-full-ca-gm.xml
6. Search for the line containing:
socket-binding name="https" port="8443"
and change the port number from 8443 to 443.

7. Find this line in the file and comment it out (i.e. <!--<value>-->):
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

8. Add this after the line commented out above:
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>
<connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
    <ssl name="foo-ssl" password="secret" protocol="TLSv1" key-alias="foo" certificate-key-file="C:\jboss-eap-6.0\standalone\configuration\foo.keystore"/>
</connector>

9. Note that certificate-key-file above should point to the full path of your foo.keystore location. The protocol="TLSv1" value is what these instructions use; TLS 1.0 has since been deprecated, so prefer a current TLS version where your JBoss release supports it.

10. Make sure you import your server certificate into the Java keystore (Ex. keytool -import -trustcacerts -alias root -file myCreatedCert.crt -keystore cacerts)

11. Start the server and use the URL: https://<server HOSTNAME>/eurekify/portal/loginForm