Skip navigation
All Places > CA Security > Blog > 2016 > May
2016

Machine Learning is to Big Data as human learning is to life experience. It is the science of getting our computers to act instead of being just programmed. We interpolate and extrapolate from past experiences to deal with unfamiliar situations. We use data to make decisions that leads to taking actions. Our decisions are descriptive, diagnostic or predictive depending on the prior knowledge of “what happened”, “why did it happen” or “what will happen”. Machine learning (ML) with data analysis, models this behavior at massive scales, and it has significant applicability in the field of forensics, cybersecurity and information assurance.

 

Human learning is what we understand best and it continues to be the best form of learning. One way to look at machine learning is human-level artificial intelligence that can be applied broadly.

 

machine learning in cybersecurity.png

5-Step Learning

 

Machine learning, like human learning, is a 5-step process.

  1. Define the problem – eg, determine a domain to be safe versus malicious
  2. Harvest the data set – eg, train the data set to build better models
  3. Create a capability – eg, build new capability to detect novelty data patterns
  4. Validate the model – eg, use multiple capabilities created to form a model
  5. Operationalize – eg, use this model to make decisions; through continuous use this model gets trained (and becomes smarter to make predictions over time).

 

Machine learning, together with data science and big data has emerged as a mainstream technology in cybersecurity after proving its success in recommendation systems (like Amazon and Netflix) to voice recognition systems (like Apple Siri and Microsoft Cortana) to many other applications.

 

In cyber security, data models need to have predictive power to implicitly distinguish between normal benign network traffic and abnormal, potentially malicious traffic that can be an indicator of a cyber-attack vector. This is where machine learning is used to build classifiers, as the goal of the models is to provide a binary response (e.g., good or bad) to the network traffic being analyzed.

 

machine learning 2.png

4 Phases of Learning

 

Machine learning has gone through four phases of evolution: Collect / Analyze / Predict / Prescribe. These steps were initially in silos in cybersecurity because these ecosystems were built from the bottom up — experimenting with data, tools and choices — and building a set of practices and competencies around these disciplines.

 

The question is often asked how much data is enough. To give an idea of how much data needs to be processed, a medium–size network with 20,000 devices (servers, laptops, phones) transmit more than 50 TB of data in a 24–hour period. That means that over 5 GB of it must be analyzed every second to detect cyber-attacks, targeted threats and malware attributed to malicious users. While dealing with such volumes of data in real time poses difficult challenges, so one has to models that can detect cyber-attacks while both minimizing false positives (false alarms) and false negatives (failing to detect real threats).

 

3 V’s of Cybersecurity

 

Big Data is being created at the rate of 2.5 quintillion bytes per day. So, it is hard enough to find the haystack, let alone the needle in the haystack. Describing big data in a cybersecurity context consists of the following ten common sensor sources:

 

  1. alerts,
  2. events,
  3. logs,
  4. pcaps,
  5. network flow,
  6. threat feeds,
  7. DNS captures,
  8. web page text,
  9. social activity,
  10. audit trails.

 

Finding the patterns to describe big data analytics in a cybersecurity context has to mention the three V's: Volume, Variety and Velocity.

 

Volume:

Large quantities of data are necessary to build and test the models. The question is when is "large" large enough? Sample sizes are never large. If N (the sample size) is too small to get a sufficiently precise estimate, you need to get more data (or make more assumptions). But once N is “large enough,” you can start subdividing the data to learn more. N is never enough because if it were “enough” you’d already be on to the next problem for which you need more data.

 

Variability:

In applications of big data there are two types of data available: structured data versus unstructured data. For cybersecurity-specific data science models, Variability refers to the range of values that a given feature could take in a data set. The importance of having data with enough variability in building cyber security models is often underestimated. Network deployments in organizations – businesses, government agencies and private institutions – vary greatly. Commercial network applications are used differently across organizations and custom applications are developed for specific purposes. If the data sample on which a given model is tested lacks variability, the risk of an incorrect assessment of the model’s performance is high. If a given machine learning model has been built properly (e.g., without "overtraining", which happens when the model picks up very specific properties of the data on which it has been trained), it should be able to generalize to "unseen" data.

 

Velocity:

If one has to analyze hundreds of millions of records and every single query to the data set requires hours, building and testing models would be a cumbersome and tedious process. Being able to quickly iterate through the data, modify some parameters in a particular model and quickly assess its performance are all crucial aspects of the successful application of data science techniques to cyber security.

 

Thus, Volume, Variability and Velocity are essential characteristics of big data that have high relevance for applying data science to cyber security. Together these characteristics increase the "Value" of data in data science for cyber security.

 

2 Types of Cyber Battles

 

Threats evolve every single day. As attack surfaces increase in business infrastructures, so does the diversity of cyber-attacks. The two broadest types of threats are

  1. outside-in attacks, and
  2. inside-out attacks.

 

In both types of threats, a combination of machine-based and human-based inputs are required before making a decision and taking an action. This is why the bad guys tend to win while the good guys (defenders) are analyzing the threat vectors.

 

Analytical tools, in widespread use today, are categorized into three groups based on its sophistication and ability to emulate the human brain of a trained infosec analyst.

Basic-level descriptive analytics, i.e., “what happened” – 25% ML-based finding, 75% reliance on human analyst.

Intermediate-level diagnostic analytics, i.e., providing context to “why did it happen” – 50% ML-based finding; 50% reliance on human analyst.

Advanced predictive analytics, i.e., “what is likely to happen” – 75% ML-based finding; 25% reliance on human analyst.

 

1 Way to Secure Your Assets

 

The network defense of the future will consist of analytics-enhanced human operators interacting with the network. However, until then, one has to rely on ML plus humans to combat the threats.

 

ML is rapidly training computers (like we train humans) to create batter mouse traps for advanced threat vectors. As attack surfaces increase, so will the diversity of cyber-attacks. This post discussed the cybersecurity-specific basics of machine learning (in 5 steps) to categorize the threats (in 4 ways) by understanding the 3 V’s of threat analytics to safeguard the business against 2 types of common threats. At the end of the day it is about big algorithms (less about big data) working in concert with the right machine learning models to train the system to identify and remediate the threat risks.  

News, Blogs & Announcements

Leading Filipino Bank Safeguards Online Banking Experience with CA Strong Authentication

General Availability for CA Risk Authentication 3.1.01 CR01 and CA Strong Authentication 7.1.01 CR01

Latest Knowledge Base Articles published for CA Privileged Identity Manager (18-May-2016)

Latest Knowledge Base Articles published for CA Data Protection (18-May-16)

 

 

Previous Events

CA Single Sign-On 12.52 SP1 CR5 Enhancements [SLIDES]

Chat Transcript: Office Hours for CA Single Sign-On [MAY 2016]

 

Upcoming Events

Office Hours for CA Single Sign-On: A Live Online Chat [JUN 16]

Closing Network Backdoors: Best Practices to Control Third-Party Risks

WEBCAST: Top Reasons Why Identity Management Projects Fail & How to Avoid Them

Office Hours for CA Privileged Access Management: A Live Online Chat [JUN 9]

5/31 CardNotPresent.com Webcast - 3D Secure: It’s All About the Data

WEBCAST: Introduction to the Identity Performance Analytics

Office Hours for CA Advanced Authentication: A Live Online Chat [JUN 7]

 

Questions

Virtualization of Policy servers

SPS Agent for virtual host : default did not initialized properly

Reverse Modify Sync on IDM 12.6sp5

CA Identity Minder 12.6.2 integration with office 365:

Sharepoint 2010 Initiated SSO to Siteminder Protected Application

SPS to backend communication security

PX-Generate random password

IDM TEWS - Need sample SOAP request

SM WAM UI crashed when we update policy

AuthID 2 way encryption

 

New Ideas

Please Enhance Garbage Collect Stored Procedure

API: Managing Custom Lists

Support for multiple Email or Phone with external directory

support Amazon Linux AMI (CA Privileged Identity Manager)

CA PAM 2.6 : Email Notification before Password Expiry

Group based transparent login for Cisco Device

Certify Identity Manager for usage with MS-SQL with Merge Replication enabled.

leading Filipino Bank.png

 

Business

The bank serves retail, commercial, corporate and institutional clients. It operates hundreds of branches and many more ATMs across the country.

Challenge

With customers increasingly accessing online banking services from a variety of devices, the bank needed to ensure a consistent experience, particularly on smartphones.

Solution

Implemented in just three months, CA Strong Authentication provides a patented, software-based two-factor credential called the CA Auth ID, which protects against man-in-the middle and brute force attacks without changing the end user login process.

Benefit

As well as protecting thousands of customers and their online banking transactions, CA Strong Authentication has enabled the bank to comply with industry regulations that mandate two-factor authentication in the Philippines.


Read more at : Leading Filipino Bank Safeguards the Online Banking Experience for 10,000-plus Customers with CA Strong Authentication -…

In part 2 of this series I touched on some of the challenges involved in protecting IoT devices and what products currently exist that attempt to fill the security gaps.  In this entry I will dive deeper into the technical side of IoT Security.

Regardless of functionality, the security challenges that these devices face can be categorized into the following vulnerability layers:

Layers

Communication – Securing communications to and from the device.  Dynamic data encryption in the form of TLS is the industry standard, likely to remain in use for some time, and is easily implementable.  The technical challenge here is in protecting the artifacts required to ensure that the encryption remains secure; namely private keys.   There are existing solutions that can be deployed but it is crucial, in this and in all other layers, to remember that storage and runtime space on the device will likely be extremely limited.  As an example, the Raspberry Pi Compute Module is a prototyping kit intended for industrial applications and contains 512MB of RAM and 4GB of flash storage.  How many CA products can run under those limitations?  The range of memory and storage will vary depending on the device functionality, but the variance will likely not be that great.

Access – Securing and controlling remote access to the device.  Fundamental to all security systems is determining and enforcing who can and cannot gain access.  This functionality is well understood and implemented in the web-space, which should translate well into IoT.

Execution – Securing and controlling code execution on the device.  Un-monitored devices are ripe for being used in all sorts of virus and bot attack schemes; securing and verifying what code and when it can run is vital.

Data – Securing any data, especially Personally Identifiable Information (PII), on the device.  Due to storage constraints, very few devices will actually contain data that requires protection, but it may happen. When it does, this data must be properly handled and protected.

Physicality – Controlling, evaluating and monitoring the physical realities of the device.  This aspect of an IoT device is tricky.  Consider the previous example of a temperature sensor.  What if there is a sudden spike or dip in a reading?  How would the device monitor be able to tell if the change is due to the movement of the sun or an attack on the device?  Securing the device physically is the concern of the device owner; however, we should provide tools such as data analytics and machine learning to aide in the determination of the legitimacy of device’s readings and how to determine and react to potential attacks.

Properly protecting IoT devices will certainly be a challenge; however, one advantage we have is that we will be able to build on our own understanding of cybersecurity.  While existing products may or may not be sufficient to the task, existing knowledge and understanding will take us a long way. 

My next post will look at the market landscape for security within the Internet of Things.

Hello CA Single Sign-On Community Users,

 

Please find below the list of the latest Knowledge Base Articles  for Single Sign-On (Formerly CA SiteMinder) published or updated since 2nd April 2016 for your reference:

 

R12 SP2 Application Server Agent for WebSphere (TAI) fails to initialize after Java upgrade on WebSphere.
After upgrading WebSphere with Java 1.7, the Application Server Agent throws the following error in the SystemOut.log; Trust Association Init Unable to load Trust Association class com.netegrity.siteminder.websphere.auth.SmTrustAssociationInterceptor.
Last Update: 5/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1286701

Task Failed on modifying a policy object in Web Administrative UI with Oracle Directory Server as Policy Store.
"Unknown Failure" was shown on the screen and an LDAP Error was recorded in the smps.log at the time.
Last Update: 5/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1056057

Global response not triggering for Application with multiple components
Why is our configured Siteminder global response not triggering for Application with multiple components?
Last Update: 5/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1140466

Password Policy redirect
Redirect to a customized error page when password services is invoked.
Last Update: 5/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1741076

Policy store load failure.
After upgrading SiteMinder and the policy store a custom app that implements the Policy Management API sporadically fails to update objects.
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1989246

SharePoint Connection Wizard Errors
Getting "No existing SharePoint Connections!" when trying to create a new SharePoint Agent connection.
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1972332

Undocumented Fixes of Secure Proxy Server 12.51/12.52 SP1
This article explains Undocumented Fixes of SPS12.51/12.52 SP1. WAOP fixes are included in SPS as well: 134371 - SPS 12.51 CR06 139030 - SPS 12.52 SP01 CR01
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1567644

Seeing many "Policy store failed operation 'MultipleSearch' errors in the SMPS.log with R12.52 SP1 Policy Server.
With CA Directory 12.0.14 as a Policy Store, we are seeing many "Policy store failed operation 'MultipleSearch' for object type 'Root'. LDAP Error Doing UserDirectory_Fetch: 82: Local error" in the SMPS.log.
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1626754

Why password entries will be rejected when using the password dictionary for password services ?
What are the circumstances when a password will be rejected when using password dictionary feature for SiteMinder password services.
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1444634

FSS UI Does Not Appear in Installed Components
How to install the FSS Administrative UI to manage Policy Store objects instead of the WAMUI.
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1592822

Ignorable error message ”SEVERE: No global naming context defined for server” on SPS startup
This article explains an ignorable error message of SPS satrtup: ”SEVERE: No global naming context defined for server”.
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1557306

Policy Server showing spikes in connections multiple times a day
Policy server connections spike, normal queue grows – slow responses reported by the SSO agents on the webservers (20 seconds delays)
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1890108

CA Federation & Office 365 Integration: ObjectGUID as ImmutableID
This document explains CA Federation & Office 365 Integration: How to define ObjectGUID(binary attribute) as ImmutableID attribute in the Federation Partnership.
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1782098

'No SAML2 SP Provider found' Error in Federation
Meaning of 'No SAML2 SP Provider found' Error in Federation, SAML2 transaction.
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1689376

Dynamically setting AuthnContextClassRef in the assertions
Dynamically setting AuthnContextClassRef in the assertions based upon the authentication scheme or authentication level that the SSO user authenticated with; currently the Assertion Generator API does not have that information exposed to it.
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1354535

"Allow Protection Override" checkbook on the custom authentication-scheme.
Documentation(topic is, "custom-authentication-schemes") describes Allow Protection Override" checkbook on the authentication-scheme. This option specifies that the protection level in the library takes precedence over the protection level specified in t
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1674413

XSS Error in the browser, CA Federation & Office 365 Integration,
XSS Error in the browser, CA Federation & Office 365 Integration, as part of CA Federation and Office 365 integration when testing in Internet Explorer after authentication,
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1252731

SMPS Error: "Bad installation or configuration, Assertion handler can't be initialized. Leaving Assertion Generator Framework."
500 Error during CA Federation & Office 365 Transaction. SMPS Error: "Bad installation or configuration, Assertion handler can't be initialized. Leaving Assertion Generator Framework."
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1880219

How to resolve the "Error: Exception User might not have required permissions to get group information" when logging into the R12.52 SP1 ProxyUI.
When logging into the R12.52 SP1 Single Sign-On (fka SiteMinder) Access Control Gateway (fka Secure Proxy Server) ProxyUI an error message is displayed stating "Error: Exception User might not have required permissions to get group information"
Last Update: 5/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1304259

Unable to search for users or groups from SiteMinder in the PeoplePicker.
PeoplePicker searches from the Central Admin Server in SharePoint 2010 are not returning any results from SiteMinder.
Last Update: 5/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1808602

Disable Agent Discovery feature to prevent SiteMinder Policy Store corruption by Agent Instance objects in a Muti-Master replicated Policy Store environment.
Agent Discovery can cause corruption of Policy Store objects in a Multi-Maser replicated Policy Store environment and should be disabled in these environments.
Last Update: 5/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1889667

Is a cookie provider necessary between the Web Agents on a reverse proxy server and backend web servers?
In the case of both the reverse proxy server and the backend web servers have Web Agents installed, their cookie domains can be different. This article explains such case.
Last Update: 5/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1399808

What are the possible handshake errors in policy server?
Bad security handshake attempt
Last Update: 4/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1543455

R12.52 SP1 Federation Manager AdminUI is not accessible after an upgrade
Upgrading to R12.52 SP1 CR04 CA Federation Manager from previous CR causes AdminUI to be unavailable.
Last Update: 4/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1599058

LIMIT_EXCEEDED(4) with partial result error showing when accessing a resource
Access to a protected resource is refused only when the user is member of more than one group.
Last Update: 4/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1244697

Howto enabled debugging of SSL connections from the proxy-engine to the backend server in CA Access Gateway (formerly CA Secure Proxy Server)
The java runtime setting -Djavax.net.debug=all will show details of the SSL connection handshakes as well as log the transferred data.
Last Update: 4/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1860387

Convert HTTP to HTTPS requests using Secure Proxy Server
Convert HTTP to HTTPS requests using SPS via Apache module or SPS proxy rules
Last Update: 4/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1945397

Secure Connection to AD User Directory with StartTLS
We currently have a secure connection to an AD USER DIRECTORY over 636. Can we use a Start TLS connection to connect over 389, and if so, how would we configure that?
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1469283

Question about HCO policy server clusters
When configuring the policy servers in a cluster in the HCO, it asks for a single port number. For non-clustered HCOs, the policy server is always coded with three ports (e.g., 44441, 44442, 44443). How do we configure the cluster ports?
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1231237

Policy Server's “ServerCommandTimeDelay” is renamed to “MaxTimeDeltaBetweenServers” from R12.51 and above
This article addresses change in the registry key name for the Policy Server.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1888869

Error: Username and password do not match
Increase entropy on policy server/WAM UI system
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1652849

There are consecutive spaces found in the installation home directory
'libidn.so.11' 32-bit library is not present on the machine
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1744609

Advanced Password Services only supports the Domain Model
Advanced Password Services is only supported by the Domain Model. Application Model is not supported.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1427491

What is the /config/XPS.cfg file used for?
XPS XPSConfig xps.cfg utility configuration
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1607105

SP-initiated POST Binding in r12.0 SP3
Our application works only as SP initiated request. This application would POST SAML request to SiteMinder 12.0 SP3. The application requires HTTP-POST binding and cannot use HTTP-REDIRECT. How can this workflow be implemented?
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1301206

Setup of Riskminder fails after already having policy server setup.
Steps to resolve the issue where Riskminder service will not run when configuring it with the Configuration Wizard without using the Configuration Wizard to also setup the Policy Store.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1951662

Federation not working in IE
Federated calls with IE are no longer working without re-authenticating, since upgrading to IE version 24
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1073418

Tombstoned object is preventing creation of new object with same name.
Tombstoned object is preventing creation of new object with same name. Will need to remove tombstoned object from Policy Store so that you can re-create it.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1103262

Failed Handshake between Webagent and Policy Server.
What are the reason of a Failed Handshake between Webagent and Policy Server (need to re-register the Agent)
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC559187

Cannot Delete User Directory
User Directory still has references to it, so it could not be deleted.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1866433

FSSUI: too many items
FSSUI will throw error about too many items when buffer is set too low.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1025064

Secure Proxy Server does not start with Java 8 JDK
Java 8 JDK is not supported by the Secure Proxy Server. JDK 7 is supported.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1308205

Resolving certificate errors for the SPS and Agent for SharePoint Tomcat Proxy.
Receiving a "Certificate for is not trusted or bad certificate" in the Secure Proxy Server/Agent for SharePoint Trace File when connecting to the back-end Server over SSL.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1628104

Change the hostname in SiteMinder Administrative UI
We have R12.x Admin UI installed on Windows Server. The hostname of the Server has changed, is there any way to change the hostname in admin UI configuration so that I can access AdminUI with new hostname without reinstalling or modifying local hosts file
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1041056

(WARN) : [sm-xpsxps-03500] CA.SPS: No product library
When I am trying to run the XPS tools through command line, I am receiving the below message: (WARN) : [sm-xpsxps-03500] CA.SPS: No product library.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1579314

User Directory with filter having 2 attributes for ID-From-Login
We are trying to allow the user to log in with the uid or email address. Even after creating a search filter to login with both Email ID/UID in User Directory definition, it does not get resolved to the ID entered by the user (ID-From-Login).
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1992791

Redirecting users after their idle session or maximum session times have been reached
This document covers the user of the IdleTimeoutURL and MaxTimeoutURL Agent Configuration Object settings.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC490906

How to disable Policy Server automatic restart after the crash?
This article covers a setting in siteminder.conf that controls smexec's behavior.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC507375

Tracksessiondomain parameter in ACO and use FQDN as the cookie domain
When we enable tracksessiondomain parameter in ACO and use FQDN as the cookie domain you get an error 10-0017 error log states that the domain is not in the cookie and when we run the agent in 4x compat mode.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1770774

Request to back end server is timing out after specified timeout parameter
Request to back end server is timing out after few seconds and resulting with an error when they were posting some information to the back end server.

 

Enable logging in secure proxy server
enable logging like FWStrace, mod_jk and httpclient log in secure proxy server
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1805983

Web Agent and Policy Server Network Communication Disruption
This article describes the TCP keepalive based environment variable used in the components of CA SSO for improving network communication.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1079236

Updating expired SSL certificates for the Virtual Hosts on the Single Sign-On Agent for SharePoint 2010/2013
This article discusses updating expired SSL certificates for the Apache Web Server Virtual Hosts on the R12.52 SP1 Single Sign-On Agent for SharePoint 2010/2013. These steps are also valid for updating the certificates for the Access Control Gateway.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1926033

When installing CA Secure Gateway (formerly Secure Proxy Server) What is the "Master Key for Policy Server' ?
The "Master Key for Policy Server" is the Session Assurance Encryption Master Key. It must match the same entry as that entered on the Policy Server
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1883207

How to fix the deployment location of login pages on CA Access Gateway (formerly SPS Secure Proxy Server)
The login.fcc page is not deployed in the usual location on CA Access Gateway and need to be copied to the correct location.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1977406

Details on install of JSafe JCE jar files : cryptoj.jar and cryptojFIPS.jar on CA Access Gateway (formerly Secure Proxy Server)
CA Access Gateway (formerly Secure Proxy Server) deploys several cryptoj.jar and cryptojFIPS.jar files this article explains what they do
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1243588

How to enabled CA Secure Gateway (formely Secure Proxy Server) to do NTLM authentication to the backend server
CA Secure Gateway (formerly Secure Proxy Server) can proxy onto backend servers that require NTLM authentication - this article shows how to setup that feature.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1887945

Resolving Problems installing the Java JCE Unlimited Strength Jurisdiction Policy Files package
Many problems with encryption result from the Oracle JCE Unlimited Strength Jurisdiction Policy Files package not being installed correctly.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1698523

Can multiple values be configured for LogOffURI parameter?
This document outlines how to configure multiple resources as LogOffURI's with Single Sign-On (formerly SiteMinder)
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC487762

What LDAP queries does Single Sign-On (formerly SiteMinder) execute upon clicking the View Contents button in User Directory Properties dialog box?
The queries executed are controlled by a registry setting covered in this document.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC485119

Host Configuration Object clusters and EnableFailover
Details on when EnableFailover applies to a Host Configuration Object
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC583377

Single Sign-On Agent for PeopleSoft Agent API initialization error
The 12.51 version of the Single Sign-On Agent for PeopleSoft has new requirements on Unix operating systems to operate correctly.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1420786

Response attribute WebAgent-OnValidate-Redirect & WebAgent-OnAuthAccept-Session-Variable missing in WAMUI.
Unable to find Response attribute missing in WAMUI.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1120965

SAP WebAS agent 12.0 encrypted shared secret requirement
The 12.0 version of the SAP WebAS ERP agent requires the shared secret to be encrypted with a FIPS Compliant AES Algorithm
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1794035

CA Single Sign-On SAP WebAS ERP agent fails to initialize
A 10 second timeout value within the policy server may cause this, and newer versions of the policy server introduce a setting which allows the timeout to be increased.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1073455

SAML2.0 SP initiated Authnrequest failing on the IDP with 500 Error (java.lang.NullPointerException)
Why am I getting [Exception caught in class com.netegrity.affiliateminder.webservices.saml2.SSO, method doGet: java.lang.NullPointerException]
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1122526

After installing the SPS, the Admin UI does not start and it reports many errors with the java beans. How can I solve it ?
Incorrect installation of Java causes java bean errors and jboss not bo be listening on its port
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1265197

SM Response attribute
How Siteminder (Policy Server version- 12.0.312.911) returns via SM response some attribute from ODBC after user being authenticated in LDAP?
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1939587

Increase number of connections to a specific LDAP User Directory
This article explains a Tips to increase number of connections to a specific LDAP User Directory when some performance issue is observed.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1077574

JVM Error in the SSO Policy Server trace logs.
Hello support, We're facing a big issue with our sharepoint agents. For some reason it seems that the smsession cookie being passed from the siteminder agent to the federation component of the agent isn't valid. This happens intermittently and a refresh sometimes fixes the issue which tells me that the cookie is valid. I have attached the logs that can help you troubleshooting. Here's some info on our ecosystem : SiteMinder Agent for SharePoint, Version 12.0 QMR03, Update HF-05, Label 443 running on windows 2008 R2 SP1 Siteminder policy server 12.52.0001.154 running on redhat 5.11 Regards, Pierre
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1157464

"No Session" error in adminui and "Failed to decrypt persistent key error" in SMPS log.
Multiple set of keys in keystore may cause "No Session" error in adminui and "Failed to decrypt persistent key error" in SMPS log
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1599716

Does Policy server use SSL/TLS channel for Web Agent Communication.
SSL/TLS Channel usage by Policy server for communication with Web Agent.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1893946

Where does Siteminder Management Console settings are saved?
Siteminder management console settings in policy server
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1899683

Failed to convert enabled state while trying to login to Admin UI with External admin store user.
Failed to convert enabled state while trying to login to Admin UI with External admin store user.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1418057

Configuration Oracle HTTP webserver manual steps
WebAgent configuration for R12.0 Sp3 CR12 does not properly configure the webserver to allow it start apachectl and opmn.xml

SiteMinder with CA Directory as policy store store high availability
We have CA Directory as policy store we need to have high availability for disaster recovery purposes - minimize downtime in the event of network or system failure
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC577451

Dynamic LDAP groups for user store Oracle iPlanet LDAP directories ONLY
Does SSO support dynamic LDAP group for Oracle LDAP, if so how do we configure it
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1676115

Policy Server reports error "Failed to initialize Management Thread"
This technote gives solution about the specific error "Failed to initialize Management Thread"
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1764868

Not able to launch Smconsole through command line
Smconsole not getting started, when trying to open using ./smconsole command
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC587035

SP-Initiated POST request results in 400 Error
SP-Initiated POST request results in 400 Error: No SAMLRequest or SPID parameter in request to SAML2 Single Sign-On Service Ending SAML2 Single Sign-On Service request processing with HTTP error 400
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1344266

Policy Server start-all command throw error : /netegrity/siteminder/../aas/sbin/arrfenv: cannot open [No such file or directory]
This technotes explain how to fix an issue by running start-all command on the Policy Server
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1416985

Error message "The AuthnRequest with AuthnContexts is not supported." in Siteminder 12.0 SP3 acting as SP.
We are getting the below error when Siteminder posts a SAML assertion. This is an SP-initiated use case. ERROR: The AuthnRequest with AuthnContexts is not supported.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1832259

Unable to connect to an Oracle 12c RAC during installation.
I have installed CA Federation Manager 12.52 and during configuration step it is unable to connect to an Oracle 12c RAC. The configuration fails after this step.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1472153

Alternatives to renaming /dev/random to /dev/urandom
Your recommendation in your documentation to create a symlink of /dev/urandom and /dev/random has resulted in security concerns in our internal teams.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1730285

Java Virtual Machine failed memory allocation issue when starting the WAMUI in 32-bit Windows 2008.
We're getting the following error when trying to start up the WAMUI service in Windows 2008. There is insufficient memory for the Java Runtime Environment to continue. Native memory allocation (malloc) failed to allocate (X) bytes for Chunk::new
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1316487

The Secure Proxy Server Cannot Be Started Without a Valid Set Of Proxy Rules.
There is an issue with proxyrules.xml file. I saw an error in default log. [ERROR] - The Secure Proxy Server Cannot Be Started Without a Valid Set Of Proxy Rules. There was http 502 error return back to the user
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1929479

Error when setting up SSL between SPS 12.52 and backend application.
We have a backend IIS server, that we need to setup SSL between the Secure Proxy Server and the backend server. We are getting an error: "java.lang.RuntimeException: Unrecognized cipher suite" in the SPS nohup.out log.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1439974

Advanced Password Services - Message of the Day
Message of the Day will show the designated page to all applicable users the first (and only the first) time that they log in each day.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1195168

Which is default value of "EnableSearchFilterCheck" ?
In R6 SP3 and later version, default value of "EnableSearchFilterCheck" is "1" internally.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1060277

IWA authentication creds.ntc issues 404 error
IIS, IWA, Creds.ntc, 404, Error
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1657586

how to control the session expiry in a Federation setup
in an SP Partnership federation ,how to control the "Idle Timeout" and "Maximum Timeout" .
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1458523

what is the smVarType session attribute created in the session Store
smVarType session attribute can have multiple value ,what is the difference between all these values
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1771825

Configure Signing option in Legacy Federation (same concept applies to Partnership)
How to configure Siteminder to sign and process signatures in Federation setup
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1052508

Expression calculated header in a URL in a "WebAgent-OnAccept-Redirect"
how to Create expressions which retrieves an http header and insert value into URL
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1481041

Persistent cookies to transient cookies.
Process to change the agent configuration object persistent cookies configuration to transient cookies configuration.
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1493385

FSS Administration UI file extensions.
What file extensions are used by the FSS Administrative UI
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1578486

CA Single Sign On Integration With Offiice 365
CA Single Sign On policy server Active directory and Office 365
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1498134

Policy Server's LDAP store servers with load balancing
Information to assist customer in choosing to individually define host within CA SSO (f.k.a. SiteMinder) software to do health check and to load balance traffic. Or, to use an external software or hardware based load balancer.
Last Update: 4/25/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1513892

How to run an Unattended Standalone Upgrade Installation of the Wamui (Windows and UNIX)
SiteMinder 12.52.0101.640 silent install and silent upgrade do not work. How to run an Unattended Standalone Upgrade Installation of the Wamui (Windows and UNIX)
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1524313

Increase MaxObjects value for the policy store in the Windows Registry
When running Siteminder/SSO FSSUI or AdminUI, user attempts to modify a policy by clicking on Add/remove. In the User tab the following message appears: “Search operation failed: timed out”
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1295883

How to export a SAML 2.0 partnership from one environment to another
If you would like to move a SAML 2.0 partnership from one environment to another, e.g. development to production, you can use the XPSexport function to move all objects associated with the partnership without needing to export the entire policy store.
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1893904

Commonly used CA Access Gateway (SPS) logs and configuration files
If you run into issues on Secure Proxy Server now known as CA Access Gateway, here is a guide on logs to troubleshoot and their locations
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1563845

Does Ca Single Sign-On Sdk Web Agents have to initiate the call to pull the new Agent key from Policy Server to retrieve a new Agent key?
Ca Single Sign-On Sdk is used by clients to built custom web agents. These agents retrieve Agent keys ,used to encrypt CA Single... cookies that may be read by all agents in a single sign-on env. This docs explains one of the sdk agents key processes.
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1459616

When dynamic agent keys are used, does the custom agt need to call doManagement to get agt cmds each time before it calls login or decodeToken
This q and a relates to sdk agents key management process flow.Agent keys are used to encrypt CA Single Sign-On cookies that may be read by all agents in a single sign-on env. Agent keys can be dynamic . Agent commands run before a login or decodeToken.
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1292002

After installing IDM, the Wamui displays '???key: page.display.error???' in red text.
This case/issue type document covers a particular problem when configuring idm in the ca sso admin ui.
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1917165

How to display IPv4 IPs OneView monitor
We tried to pull agent info from OneView Monitor. But it is posting in ipv6 format for hosts running on IIS. We need to convert the display to ipv4 on OneView monitor.
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1643575

How to enable Agent Discovery
We are trying to view agent-specific details in the Agent Instances list, however Agent Discovery seems to be disabled.
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1287121

Post Preservation encoding
Form post information is encoded and stored in form data SmPostPreserve. Can this be decoded manually?
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1579173

SessionLinker Installation and Configuration Documentation.
This document contains where to locate the Session Linker Installation and Documentation Guides.
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1067008

ERROR: Agent API initialization failed when running SmPortalVfy.exe
Getting below errors when running SmPortalVfy.exe from \CA\webagent\bin 4/16/16 6:39 AM [SM-APS-61103] Server MyServer at 127.0.0.1... 4/16/16 6:39 AM [SM-APS-61070] ERROR: Agent API initialization failed.
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1220238

Message: "Could not resolve agent" ; Returned Error Code = -14 while running SmPortalTest
Getting below errors when running SmPortalTest.exe from \CA\webagent\bin C:\CA\webagent\binSmPortalTest.exe abc [APS Version 12.52.0101.640 - SmPortalTest Rev 12.52.0101.640] Returned Error Code = -14 Message: "Could not resolve agent"
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1244998

Policy Server failed to connect to the LDAP policy store
Policy Server is logging “Error 91 - Can't connect to the LDAP server“ against the LDAP policy store
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1391568

How to solve the Linux AdminUI error "wrong username or password"
This technote gives a way to solve a specific error happening on Linux AdminUI.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1639062

What does this error mean, SmServerConnection, connect, Exception calling TCP transport connect: java.nio.channels.UnresolvedAddressException?
java sdk pure jni SmServerConnection UnresolvedAddressException exception checkaddress
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1233665

How to enable mod_jk logging for CA Access Gateway (SPS)
In order to see more information for runtime events of communication from Apache to Tomcat you would want to enable mod_jk logging and set it to debug.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1313831

How to update your Java JDK for your CA Access Gateway (SPS)
If you need to update your Java JDK version on your SPS server, follow these steps to tell the SPS to use the new versions.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1918365

How to change the logging level of the server.log for CA Access Gateway (SPS)
In case you are having issues with you CA Access Gateway (SPS) and need to enable more logging in server.log to determine the cause of the issue.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1369844

How to enable HTTPclient logging for CA Access Gateway (SPS)
In order to see transactional information and runtime events of communication from the SPS to a backend application you would want to enable HTTPclient logging.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1073996

SAML assertions are not getting generated
Looping between the redirect.jsp and the authenticationURL
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1430667

systemctl and Web Agent startup settings for Red Hat Apache Web Server 2.4.x
This article explains how to setup Web Agent for Red Hat Apache Web Server 2.4.x/RHEL 7. It needs a special care of /etc/sysconfig/httpd and ca_wa_env.sh.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1340867

Ignore APS during authentication call.
How to Ignore APS during authentication call.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1566779

Cannot authorize with the group membership in Active Directory when the group is the Primary group.
Users are not authorized from Active Directory User Store when the user policy is Group Membership and the group is set to the Primary group of the users.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1392334

Creating an “Idea” (Enhancement Request)
How to submit Ideas/Enhancement Requests through CA Communities.
Last Update: 4/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1579832

Starting LLAWP process under different user identities.
How to start the LLAWP process under Network service, Local system, LocalService, Custom Account.
Last Update: 4/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1901339

SM_USER header value in IWA authentication scheme.
How to change the format of SM_USER header from DOMAIN\UID format to UID in IWA authentication.
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1500602

AuthnRequest sign verification issue
Missing configuration data of DSigVerInfoIssuerDN or DSigVerInfoSerialNumber
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1449712

Performance issues observed after deploying/enabling CA directory as a session store in the environment
Single sign-on policy server can get into a state where it is unable to keep up with Session store maintenance when CA LDAP Directory is deployed as the session store that is not properly configured performance degradation can occur on the policy server
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1948652

smfedexport tool example non-functional
We are trying to use use the smfedexport tool to generate a federation metadata file using the example provided in the documentation, but we are getting errors complaining that invalid tags were entered.
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1909494

LDAP Error 81 user store in the smps log
Policy server error log shows LDAP Error 81 for connections to our user store why does this occur, under what circumstance, and can this be prevented?
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1536754

Enhancement Changes to SiteMinder Thread Model in version SM6.0.5.22 & R12.1.3
We have been using the product for many years is seems to have change over time. We are trying to understand how policy server process works as a single process/multiple threaded applications.
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC491240

LDAP Connections manager error to our active directory user store
Policy server error log shows LDAP Connections manager error in function prldap_set_session_option is not supported. Why does this occur, under what circumstance, and can this be prevented?
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1872328

Unable to Log Into Adminui
SunOne Oracle Directory Server XPSNumber=*
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1129233

LLAWP 100% CPU Consumption with 6.x Agent
permissions are missing
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1263416

Deformed response from webserver with webagent enabled
Webserver responded with deformed packets when webagent is enabled.
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1740224

Federation login failed with error 400
SP-initiated SSO is failing with error 400 - Reason: UNSUPPORTED_AUTHN_REQUEST_BINDING
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1351614

Getting SetCryptoConfig error while installing Policy server.
ERROR - Command failed: "C:\Users\Administrator\AppData\Local\Temp\1\487853.tmp\smreg" SetCryptoConfig "******" "0" "" "" ""\nReturn Value: 1\nStdout: {2}\nStderr: {3}
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1359533

LDAPPingTimeout Explained
LDAPPingTimeout
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1466133

AgentWaitTime Explained
AgentWaitTime
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1149456

How to Reset Encryption Key using MSSQL Databases
SQL Server as Policy Store
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC537906

Usage of JUEL in SAML Assertion Configuration
Passing assertion attributes in an assertion using a JUEL expression in partnership federation.
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1696554

Report Instance Was Not Successfully Created
Audit reports installation
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1783432

SAML assertions are not getting generated
LOOPING between the redirect.jsp and the authenticationURL
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1544433

Web agent unable to process SMSESSION
cookie is custom from a third party and not accepted
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1412751

How to restrict the use of Forgotten Password Service (FPS)?
Max Attempts Frequency in APS.cfg
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1044754

Why the ProxyUI login page does not load logo images correctly
SPS login page without images
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1014525

Why am I getting user account lockout issues when a User ID exists on 2 user Directories attached to siteminder Domain ?
user authenticates with the password from the second UD then the invalid password account on the first increments
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1613415

Federation Users Disappear
After modifying a partnership, the list of federation users is disappearing, effectively disabling the partnership.
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1234422

HCO Configuration: Cluster vs. Legacy failover/Load Balance
Which will take precedence when both a cluster and traditional or legacy failover/load balance hosts are configured?
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1304907

what version of Policy server is "CA Access Gateway for NetScaler SDX" supported with
is a license required for Citrix Netscaler agent and is it supported with 12 SP3 Siteminder Policy server
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1507074

XPSExport -xb and Host-specific configuration data
XPSExport; -xb option; Host-specific configuration data; XPSImport
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1328124

Attribute based access Authorization
I am unable to configure user Authorization based on an attribute value
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1928817

Accented characters included in SAML assertion attributes show up as '?'.
Some user attributes that are being included in SAML assertions contain accented characters such as è. Instead of showing up as they do in the user store, these accented characters are showing up as question marks (?).
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1155183

Are Windows Patches/Hotfixes Supported?
Do CA Single Sign-On components support all Windows patches, or only Service packs?
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1184304

SessionNotOnOrAfter parameter Causing Timeout on SP
Upon consumption of the assertion generated by Siteminder .the third party SP is generating a session for the user ,however this session is getting expired after 5 min
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1543175

clean up semaphores and shared memory by process ID on Redhat OS
I am using the kill-9 to stop the LLAWP process ,how can I cleanup the semaphores and shared Memory that are related to the LLAWP process
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1008266

Unable to run the audit report from admin ui.
Error returned upon running audit report from WAMUI: Unable to find servers in CMS Servername:6400 and cluster @Servername:6400 with kind fileserver and service FileStoreV2.All such servers could be down or disabled by the administrator.(FWM 01014)
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1709612

Deactivate the Federation partnership using XPSExplorer .
How to deactivate the federation partnership using XPSExplorer?
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1580417

Secure Proxy Server hangs under load
Secure Proxy Server becomes unresponsive as load increased to a certain level with following exception logged : java.lang.OutOfMemoryError: unable to create new native thread
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1435512

SM password policy is not invoked
User is not disabled after max failed login attempts defined in the SM password policy
Last Update: 4/14/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1426162

Special Characters in Password Policy Name
Ampersand Wildcard illegal values
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1564684

CertDB Folder Missing after Upgrade
policy server upgrade
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1978875

Multiple one-view Monitors in policy server management console.
How to configure multiple policy servers to send one-view monitoring requests to a remote policy server.
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1988591

Open SQL Connections
Policy server ODBC open connections.
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1055844

Getting access denied when using SmX509CertAuth Version 3.7.3
SmX509CertAuthscheme usage with Policy server.
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1150946

Disable Advanced Auth in SPS
Modifying the server.conf file
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1844843

Cannot Enable Sign-Out in Office365 Partnership
Sign-Out Options Disabled
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1108228

Federation Single Logout Does Not Work
Logout fails with a 500 error
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1071309

Policy server ODBC open Connections to policy store.
Open connection of the policy server to the ODBC policy store and the housekeeping policy server query to the policy store database.
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1776037

RelayState truncated in SAML 2.0 POST
How to post RelayState data while posting assertion to consumer service?
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC529287

Security Token Service (STS) URL returns 404 error
Cannot access STS URL
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1454069

How to control authorization cache at policy server?
Use of DsInfoEnabled registry key
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC527999

How to download CA Single Sign-On (formerly SiteMinder) components
Step b step procedure to download CA Single Sign-On (formerly SiteMinder) components from support.ca.com
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1364894

Cannot fetch agent agent
This error is seen in smps log, indicating the policy server cannot fetch agent.
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1138796

Reasons why the affwebservices log might not be generated
Affwebservices Log Not Generated
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1564704

What do the values in the policy server stats output mean?
smpolicysrv -stats parameters
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1882665

Where do I find CA Single Sign On (SiteMinder) Downloads?
product download
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1920083

I cannot log in to Adminui Directly after Configuring Adminui External Authentication Store
error on adminui login
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1988243

Unable to launch the Policy Server Management Console
Error: Couldn't load javasmconsoleapi
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1332206

smreg –su password fails
Setting the CA Single Sign-On (Siteminder) Super User Password returns a popup
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1284157

Unable to logoff the ProxyUI
Unsuccessful logoff
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1960756

Do we need all certificate chain in the cert8.db when using SSL to connect to stores ?
when using complex cert chain to connect to LDAP Store, only one certificate from the chain is mandatory in the trusted store
Last Update: 4/11/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1765462

WS-Fed Lifetime entity timestamp error
Our WS-Fed partnership is failing due to an incorrect timestamp format generated for the Lifetime entity, rather than the expected ISO8601 format.
Last Update: 4/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1550216

The different CA SiteMinder Single sign on WebAgent modules on Windows.
The document will explain the different WebAgent modules (isapi6webagent.dll) and (IIS7webagent.dll).
Last Update: 4/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1867088

DSigException: Error in DSigVerifier
This exception occurs when no certificate can be found in the smkeydatabase which matches the issuer DN.
Last Update: 4/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC486187

Separating Affwebservices with only the Application Server and Agent option pack
Can Affwebservices be used with only an Application Server or is a WebServer required for Federation?
Last Update: 4/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC486229

Adminui Reinstall Fails On Unix/Linux
installation errors
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1924814

OneView Monitor displays ip of policy server as 0.0.0.0:1
In oneview monitor, all the ip address of the policy servers are displayed as 0.0.0.0:1 instead of its ipv4 ip address.
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1696832

CA Siteminder SMTestTool fails to launch with error referencing "Microsoft.VC80.MFC"
What should we do when we get this error message. “Activation context generation failed for "C:\setup\sso\aabbccx100\smtest.exe". Dependent Assembly Microsoft.VC80.MFC"
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1344887

SAML Service Provider User Attributes not seen in 12.52 SP1 Adminui After Upgrade from V6
SALM service provider Attributes ,legacy Federation migration
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1271764

Does EnableDynamicHCO work with traditional failover/load balance HCOs, or only clusters?
Dynamic HCO Details: clusters vs. traditional failover/load balance
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1428454

X.509 client certificate authentication results 403 error
Certificate Mapping must have an Issuer DN which is composed of comma-connected RDNs. Authentication is failed if RDNs are connected by "comma+space".
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1129895

SiteMinder SNMP logging on Unix
This article describes the three logs the SiteMinder SNMP process writes to on the Unix operating system.
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1642705

Policy Server crashes because it shares JVM with Wily
This technote discusses how to fix problems with the Policy Server when using Wily.
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC599368

How to solve a leakage of Privileged Information when running Apache as Reverse Proxy in front of a Web Agent.
This technote give tips on how to prevent leakage of priviledged information from an Apache Reverse Proxy in front of a Web Agent.
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC565902

When trying to reach the AdminUI, I get in browser "Page cannot be found"
This technote give tip when getting page cannot be found error when reaching the AdminUI.
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC584448

Is Policy Server restart required after importing certificates ?
This technote discusses about the need of restart the Policy Server when Certificates are added to the SmKeyDatabase
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC529630

How can we disable SSLv2/SSLv3 protocol in Federation Manager?
Modify server.conf and httpd-ssl.conf files to set SSL protocol and cipher configuration on FEDMA.
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1552086

What is the meaning of the WebAgent error message 20-0004?
What is the meaning of the WebAgent error message 20-0004?
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC479707

CA Directory connection failure / need to restart directory every 30 mins
When using CA Directory as user Store, need to restart it every 30 mins as connection becomes invalid due to bad syntax
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1616173

Why can't I change Idle timeout and Maximum timeout under partnership settings for a federation 3rd party product on the SP side
This question and answer is part of the subject of changing settings on the 3rd party product from the Ca Single Sign-On federation partnership side.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1676776

How to make the Apache 2.4 to accept Web Agent Header Variables with Underscore Characters
This technote discusses the way to let the Apache 2.4 to accept header names with underscores.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC606939

Why does LLAWP Process Not Start after Starting Web Server?
agent startup issue
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1928682

Smkeydatabase : How to Rebuild the Smkeydatabase for Federation
This technotes give a sample on how to recreate the Federation SmKeyDatabase from scratch.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC542090

How to check which version of the Progress / DataDirect driver are we running ?
As we are using a 3rd party software for DB connection, it may be interesting to know the exact version
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1090197

Compatibility note about support of RSA 8.1 with CA Single Sign-On 12.52SP1
This technote gives precisions about supportability of the RSA Server.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1934108

Tips on how to troubleshoot the SAML "DSigSigner Initialization Failing" error
This technote gives tips on how to troubleshoot the DSigSigner Initialization Failing error in the Policy Server
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC542084

SharePoint Office integration with CA Single Sign-On Web Agent as Reverse Proxy
This technote discusses about integration of office documents protection with CA Single Sign-On Web Agent.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC537670

Multiple and Frequent initialization or Startup Stop Messages in Web agent Logs.
This technote discusses about informative logs lines that are seen in the log of the Web Agent.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC541462

Apache service is not starting up on Windows
Apache Web Server fails to start while loading SiteMinder module mod_sm24/mod_sm22, and following error message appears in Windows event viewer.
Last Update: 4/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1957282

Steps to Re-register Admin UI
These steps describe the process of re-registering an Admin UI with the Policy server
Last Update: 4/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1547349

Please note that you can always access the full list going to the following link:

http://www.ca.com/us/support/ca-support-online/support-by-product/ca-single-sign-on.aspx?d=t&language=en&type=Knowledge&…

 

Feel free to post your questions in the community if you have question about any of these KB article.

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies

Big Data is almost a household term with not a single company out there not delving in it this year. One of the main enablers of Big Data has been the rise of Cybersecurity, and the "rise of the machines" with machine to machine interactions. M2M has caused Big Data to make the headlines with Cybersecurity. These seven myths and facts were compiled from a set of innovation forums where we reflected on the implications of Big Data on Cybersecurity.

 

 

7 FACTS ABOUT BIG DATA IN CYBER SECURITY

 

1. You are Big Data. Much of the world’s Big Data is created as metadata from users’ smartphones and GPS traffic.

Every day you create metadata with smartphone that enable GPS location services. Every picture you take, every Web site you visit, every route you map creates metadata, which is stored and available for analysis. With more than 5 billion mobile phones in use, including more than 1 billion smartphones in 2015, according to research firms, it’s no wonder that many enterprises and government organizations are interested in gleaning valuable content from the information.

 

2. Big Data tends to be mined poorly in cyber security to build ineffective threat analysis algorithms.

With all the metadata that exists, we are only now figuring out how to make sense of it and how to cultivate beneficial data from it. For one, enterprises traditionally haven’t had the resources in place to analyze metadata. As those investments increase, the mining for trends and useful analysis will increase as well.

 

3. Big Data in cyber security is automating tasks that used to involve tedious manual labor.

Software companies are developing tools that can not only analyze metadata, but also automate tasks to more quickly make use that data to their advantage. This allows companies to both be more flexible, but also make the analysis of Big Data much less costly than in the past.

 

4. Big Data is used in cybersecurity to categorize and classify cyber threats the same way Google ranks pages.

As more information is gleaned, algorithms for categorizing and classifying malware are being developed to help security providers. Most software companies use Big Data in four ways: first, to discuss CART (Classification and Regression Trees) for predictive classification of event modifiers; second, to make use of Shewhart Control Charts for outlier threat detection; third, use Splines for non-linear exploratory modeling; lastly, apply Goodness of Fit principle to check for stability of historical threat data and constructing a parsimonious model.

 

5. Big Data theory is moving faster than the reality of what an enterprise is capable of from both a technology and manpower standpoint.

Since much of Big Data is derived from user-centric behavior and usage, it moves lot faster than what an enterprise typically generates from its application systems. The 70% of the digital universe has been created by individuals not corporations. Even though the IT department of the enterprise store, protect and manage 70% of the digital data, the real power play is in the users’ hand. The user is in charge (not the IT department) and the epicenter for producing majority of the world’s digital data is in the hands of the users.  Big Data tsunami has caused technologies to be modernized to solve security challenges. What used to be stored in conventional RDBMS and later in NoSQL databases are insufficient and cannot be accessed by direct record access methods. The current technology of choice is not conventional RDBMS but a map-reduced database like Hadoop that operates off distributed hardware substrate.

 

6. Big Data is creating major shift in visualization of breaches and cyber-attacks.

Visualization of objects in excess of a few billion requires thinking differently. For instance, imagine the complexity of modeling huge data sets that grow in size in part because they are increasingly being gathered by ubiquitous information-sensing mobile devices, aerial sensory technologies, software logs, cameras, microphones, radio-frequency identification readers, wireless sensor networks. Right now, the largest memory requirements for visualizing Big Data working sets can’t be addressed by conventional computing models. That’s why the science of visualization has to be re-imagined and re-visited to visualize the looms in the data patterns in the case of events like privileged access violations, breaches and frauds.

 

7. Yesterday's endpoints have shifted to the users, with the proliferation of BYOD user devices are the today's endpoints.

With the advent of BYOD as the norm in the corporate environments, the real vulnerable endpoint of enterprises has turned out to be handhelds and smartphones. As more smartphones connect to corporate networks and data, it increases the vulnerabilities organizations face trying to secure all those additional points of entry in terms of cyber security.

 

CAT13117-BRAND_still_68.jpg

 

 

7 FICTIONS ABOUT BIG DATA & CYBER SECURITY

 

 

1. Cyber security companies are equipped to handle the volume and velocity of Big Data.

Like every business, security companies are also learning to wrap their hands around Big Data, eliminating potential vulnerabilities to ensure that the data is cleansed and cleaned for analysis. As the concept of Big Data grows and evolves, security companies also must perpetually grow and evolve too.

 

2. Security developers are easily extracting value from collected data.

There’s a saying “You don’t know what you don’t know” that applies to intelligence and cybersecurity analysts. Without proper analysis tools in place, one isn’t able to extract valuable content from the collected data. Only with those analysis tools, algorithms and applications can developers truly garner valuable insight from collected data.

 

3. Analytics is ready-made for security.

From the phrase “finding a needle in the haystack,” analytics is useless in “haystacks” of data where there are no “needles” to begin with. The hype has caused us to create massive data stacks with poor references (or indices) around those stacks. Any data analyst will attest to the fact that a better index of smaller datasets yield better analytics than a larger dataset with lame indices.

 

4. Leveraging Big Data in a cybersecurity context is as simple as using it for any generalized purpose.

Leveraging Big Data must first address the point in Fiction No. 3, that analytics is ready-made for security. Second, establishing a security “context” is the next problem. Security context can be established connecting the relationships (after map reducing the data itself) between data sets to reveal valuable insights in the patterns that were previously not correlated or compared. Mining for trends requires data to be managed coherently at first. Similarly mining for relationship requires trends be understood. Only after you have the data map reduced, and the trends in it understood, you can then mine for relationship among the trends of the map reduced data farms. Only after all of these prerequisites are achievable, you can establish the big security context of Big Data. Think of cybersecurity context as the metadata fabric of relationships, which is lot more powerful and useful for visualizing risks, threats and predictive analytics.

 

5. Big Data will cause major change in the cyber security industry within the next year.

No, the major change in the security industry will be in identifying anomalies that can be identified as advanced security attack vectors. Big Data and cyber security algorithms will join together and work in concert to realize value for businesses.

 

6. There is a belief that Big Data sets offer a higher form of intelligence that can generate insights that were previously impossible.

That’s not true by itself. We need to develop more algorithms that can offer more intelligence, not bigger data sets. The two kinds of algorithms are: Bayesian algorithms, which deal with prior occurrences, and predictive analytics, which is forward facing. Looking at the future, Big Context in security is going to be more innovative than Big Data in security.

 

7. Big Data searched with naive algorithms fails to yield what little data can yield using smarter algorithms.

It should be about the algorithms and not about the data. Better precision and better searching techniques will trap the breaches. Better algorithms and lesser data stacks will provide more value than lesser algorithms and Big Data stacks. The better net will catch better stuff.

 

110711-602.jpg

Meet Rob!

rob_lindberg.JPG

 

CA Communities username: RobLindberg

 

Company: CA Technologies

 

Title: Senior Principal Product Manager

 

Location: USA - Framingham, MA

 

Why brought you to CA?

I was part of the Concord Communications acquisition back in 2005, but shortly after (October 2005) joined the Security BU and have been part of the CA SSO (SiteMinder) development/product management organization ever since. At the time, I selected Security because I felt it was a growing and critical business aspect of what CA was delivering to customers and I continue to hold that belief.

 

Why is the CA Security Community valuable to you and the customers you serve?

The security community is a direct source of feedback on what we are doing and what customers need from the products we build. I’ve enjoyed the interactions and am occasionally surprised by information that I receive from polls and posts. Being in product management, the community is an excellent tool to engage with the customers that we serve.

 

Favorite dessert: Ben & Jerry’s – Coffee Coffee Buzz Buzz Buzz 

 

Favorite 3 movies of all time:

The Shawshank Redemption

Memento

Field of Dreams

 

Favorite hobbies/interests:

I am a proud member of Caleb Butler Lodge, Ancient Free and Accepted Masons, which is part of one of the oldest fraternities in the world – Freemasonry (and I promised not to tell anyone where to find the treasure of the Knights Templar). I also enjoy working at home on our small farm where I help take care of Ollie, Bubba, Jerimiah, Terrance, Cyrus, TT, Speckle, Harley, Kai, and Maggie (2 horses, 2 donkeys, 3 cats and 3 dogs respectively) and have fun driving around on my John Deere tractor.

 

If you were an animal, which animal would you be and why?

I think I would be a horse. I see the life they live on our farm and can imagine just relaxing and enjoying the outdoors, horsing around with my friends.

 

 

A note from Kristen: Rob - Thanks for being a valuable member of the CA Security Community!

News, Blogs & Announcements

Training now available: CA Identity Suite 12.6.x: Featuring CA Identity Governance 12.6.4 Foundations 200

Security and the Internet of Things - Part 2

End of Support Announcement for CA Federation Manager r12.1

General Availability Announcement for CA Single Sign-On 12.52 SP1 CR5 (formerly called CA SiteMinder)

General Availability Announcement:  CA Privileged Access Manager v2.6 

OAuth, OpenID Connect and JWT – What are they and why do you care Pt2

 

Tech Tips & Support Docs

How to track a process on Unix / AIX

Latest Knowledge Base Articles published for CA Privileged Identity Manager (02-May-2016) 

Latest Knowledge Base Articles published for CA Data Protection (02-May-16)

Tech Tip - CA Privileged Identity Manager: Change of jboss location after installation, on Windows environment.

Chat Transcript: Office Hours for CA Advanced Authentication [MAY 2016] 

Tech Tip - CA Identity Management and Governance Last week's Tech Docs

Tech Tip - CA Single Sign-On: Web Agent :: SMSESSION Cookie

Tech Tip - CA Single Sign-On: Redirect user to a customized error page when password services is invoked

Log Analyzer Tool for IMPS (Provisioning Server)

How to unlock an AD account upon resetting a password using Forgotten Password Reset task.

 

Questions

Answered

IWA without popup on screen

Policy server object migration ?

smpolicysrv service constant at 162% server CPU

 

Unanswered

 

I can't get a report from CA PIM and Bussiness Intelligence

RCM tool for everyone use

Certificate Authentication and Session Management

OTP

 

New Ideas

Session Assurance - Disregard POST Method

Scrypt password hashing request

CA directory ability to use Scrypt password hashing request

SAP R3 Connector - add mobile phone attribute

CA SiteMinder/Single Sign-On :: EnableDynamicHCO

SiteMinder Kerberos auth scheme that does not require constrained delegation

CA SiteMinder Agent for SharePoint 2016?

Enhancement Request: Certify SiteMinder 12.52 CR01 with Red Hat Directory Server 10.x

CA GM reports in XML Format

Prevent possible failures if using load balancers in front of LDAP

Single Sign-On SDK should be updated to provide detailed error messages.

 

Click here to view the CA Community Event Calendar!

Upcoming Security Events:

Office Hours for CA Privileged Access Management: A Live Online Chat [MAY 12] - https://communities.ca.com/events/2840

Office Hours for CA API Management: A Live Online Chat [MAY 12] - https://communities.ca.com/events/2845

WEBCAST: Understanding new session store & metric features in 12.52 sp1 cr5 - https://communities.ca.com/events/2857 

Office Hours for CA Single Sign-On: A Live Online Chat [MAY 19] - https://communities.ca.com/events/2839

Office Hours for CA Advanced Authentication: A Live Online Chat [JUN 7] - https://communities.ca.com/events/2855

110711-446.jpgIn Part 1 of this series I gave a high level outline of the threats and vulnerabilities in today’s Internet of Things (IoT).  In this post, I want to discuss a couple of existing solutions to this problem.

Why is it so hard?  The IoT device is security’s biggest challenge because the device is always “in the wild”.  In traditional IT Infrastructures, sensitive code and data remain safely behind sophisticated network security and within securely locked facilities.  IoT devices though, cannot rely on these security features; we can no longer say “Well, if someone has gotten onto the server then you have bigger problems”, because with IoT devices, the risk and likelihood of access is very real.

We must take a holistic look at device security and consider all avenues of protection and remediation.  It is not enough to simply try to secure communications and restrict virtual access to the device.  We have to secure aspects of functionality traditionally protected at a much higher, and wider level.  As an example, consider a temperature sensor – what if the temperature readout suddenly spikes 10 degrees?  Is the change because someone tampered with the device or because the sun is now shining directly on it?  Behavioral analytics and machine learning would help answer this question and allow for an alert to be sent if tampering is suspected.

Who is watching?  The need for comprehensive solutions to the IoT security problem has not gone unnoticed.  Companies such as Cisco, Symantec and digicert have published white papers discussing the dangers facing IoT and why we should all be worried.  These papers also include analysis into the types of security that need to be implemented, and the limitations and challenges that will be faced.  The offering of specific IoT solutions as an answer to these challenges though, is thus far inconsistent.

Cisco has published some thorough thoughts on the topic and point to their wide array of security products as potential solutions.  Symantec has dedicated a large portion of their website to discussing IoT security in general, while their solutions are focused on two distinct IoT flavors:  Automotive and Industrial Control Systems.  Digicert is branching into three other areas:  PKI Solutions, Healthcare IoT and Enterprise IoT, with the functionality being offered differing in each realm based on the deployment needs.  IBM is taking a somewhat different approach by publishing an IoT library called Libsecurity.  IBM wants application developers to take on the responsibility of security themselves via tools that can be used to bake security into their applications from the beginning.

Why are there no simple, packaged solutions suitable for all types of IoT?  Each of the above, and all the other emerging solutions, solve only a small fraction of the problem because this is an area where there will be no silver bullet.  The Internet of Things is a broad, all-encompassing term that is quickly becoming as overused and overloaded as “the Cloud”.  Each company to enter into this space is defining what IoT means to them and then setting out to solve their definition of the problem.  The challenge for the customer though is sifting through the different security offerings and trying to decide what is useful for them.  From what I can tell, there is no one yet who can claim IoT security expertise and given what is available, I think it likely to remain a “Wild Wild West” market for some time.

In my next installment, I will take a dip into the technical realities of security IoT.

News, Blogs & Announcements

FAQ: Customers migrating from Layer7tech.com to support.ca.com

Now accepting participants: CA Single Sign-On 12.6 Customer Validation (beta) program

Security and the Internet of Things - Part 1

Applying User Behavior Analytics to Web Access Management Systems

OAuth 2.0, OpenID Connect and JWT – What are they and why do you care? - Pt1 

 

Tech Tips & Support Docs

Latest Knowledge Base Articles published for CA Privileged Identity Manager (25-Apr-2016)

Latest Knowledge Base Articles published for CA Data Protection (25-Apr-16)

CA Identity Suite support for CA Business Intelligence 6.2

Tech Tip - CA Identity Management and Governance Last week's Tech Docs

Tech Tip - CA Privileged Identity Manager: How to change DB user password for session recording feature

Tech Tip - CA Single Sign-On: Convert HTTP to HTTPS requests using Secure Proxy Server

 

Questions

Answered

SiteMinder IWA support for Browsers

CA PAM Certification Exam

Manipulating http header with value "null"  to "NOVALUE" in siteminder

Getting data from Siteminder OneView via Spectrum through SNMP  

Unanswered

GM with AD Groups

Single Sign on for thick client based applications

Unable to load SiteMinder agent configuration object

 

New Ideas

Certify web agent in Red Hat 7.0

Support Domino agent for Windows 2012 R2 for CA SSO R12.51

user authentication using client certificate or iwa

Encrypt SiteMinder WAM UI KeyStore Password

Webagent Support for NGINX web server

Enhance Web Agent ACO to include parameter to allow parsing of ! character 

Ability to auto discovery of accounts in CA PAM

 

Videos

Webcast Replay: CA Identity Suite support for CA Business Intelligence 6.2

The Making of the New CNN Politics App, Built with CA Technologies

 

Click here to view the CA Community Event Calendar!

Upcoming Security Events:

Office Hours for CA Advanced Authentication: A Live Online Chat [MAY 3] - https://communities.ca.com/events/2837

Office Hours for CA Privileged Access Management: A Live Online Chat [MAY 12] - https://communities.ca.com/events/2840 

Office Hours for CA Single Sign-On: A Live Online Chat [MAY 19] - https://communities.ca.com/events/2839