2016

News & Announcements

CA PAM 2.6.2 now available

General Availability Announcement for CA Privileged Access Manager 2.6.2

CA Single Sign-On Proactive Notification Advisory

Logs, CA Support, and FileZilla

Community Hack: Setting Your Time Zone

Image Pages Have Arrived

 

Tech Tips & Support Docs

Tech Tip : CA Single Sign-On :: CA SPS:Agent for virtual host : XXXX did not initialized properly

Latest Knowledge Base Articles published for CA Privileged Identity Manager (18-Jul-2016) 

Tech Tip - CA Identity Management and Governance Last week's Tech Docs

Tech Tip - CA Privileged IdentityManager: How to get canonical hostname on UNIX

Chat Transcript: Office Hours for CA Privileged Access Management [JULY 2016]

Tech Tip : CA Single Sign-On :: Policy Server::x509 Cert mapping case sensitive

CA PAM Update Paths Document

[SLIDES] Week 4 - It's for Applications too

Tech Tip : CA Single Sign-On :: Policy Server::X509 Cert mapping for ODBC user store

 

Videos

Privileged Access Management: It’s for Applications too

 

Answered Questions

SystemManager role

Unable to provision title with length > 64 to AD

Policy server restart after database failure?

Executing Create User Via TEWS

Policy Express Logic

SSO not working between SiteMinder r12.0 SP3 to r12.52 SP1 policy server in parallel upgrade

Instant Access and Siteminder Session

Multiple Policy Server version in same Linux machine

Siteminder migration order

SAML federation no longer work when upgrading web agent + agent optionpack to r12.52

ambiguous message from explore&correlate task

 

Open Questions

Doesn't redirect to login page.

CA webagent issues on IIS

"Obtaining" the Idle-Timeout Value "left" in a CA SSO Session

Install Multiple Policy Server

CA PAM - Details required to on-board different devices

CA PAM - CA IDM

CA Directory R12 Sp18 Index/Caching information

CA IDM 12.6.7 Reporting Server Connecting Issue

 

New Ideas

Connector Generator tab is grayed out for MS SQL database server Connector

Disable spaces in password policy

Support Wildcard filter in PIM Role for Memberof

Enhance External API to allow creation of Windows Target Applications

Allow choice of Oracle parameters for JasperReport server

Option to overwrite trusted host in Web Agent Configuration Wizard

Need to have agent correctly encode/decode hashtag in URL

Added Report Feature for Password View Policies

SSO as IdP using OAuth 2.0

 

Upcoming Events

Big Data in Cybersecurity [JUL 26]

Office Hours for CA Single Sign-On: A Live Online Chat [JUL 28]

Privileged Access Management: Supplementing with fine-grained Host controls [JUL 29]

Office Hours for CA Advanced Authentication: A Live Online Chat [AUG 2]

Privileged Access Management: Securing the Cloud [AUG 5]

Simplifying Secure Server Access Control: Why Upgrade to CA Privileged Access Manager Server Control [AUG 16]

Office Hours for CA Privileged Access Management: A Live Online Chat [AUG 18]

 

Kudos!

Thanks for answering questions this week...

bekla01

Marline_ODea

Ujwol

Palaka_Bhattacharya

raych04

Patrick-Dussault

wonsa03

KennyV

News & Announcements

Register for CA World '16 | November 14 – 18, 2016

June 2016 Cybersecurity News You Can Use Customer Newsletter

New eBook: Reduce Friction and Decrease Abandonment for CNP Transactions With Payment Security From CA

General Availability for CA Risk Authentication and CA Strong Authentication 8.1.3  

Why Upgrade to CA AA 8.x.pdf

 

Tech Tips & Support Docs

Tech Tip - CA Privileged Identity Manager: how to start serevu daemon automatically

Tech Tip - CA Single Sign-On: Setting up IBM DB2 v9.5 as Policy Store

Tech Tip : CA Single Sign-On :: Policy Server::UnsatisfiedLinkError

Tech Tip - CA PIM: How to clean the Session Recordings from the Central DB?

Tech Tip - Privileged Access Management Client Does Not Launch

Tech Tip - CA Privileged Access Manager: External API call fails with 401 error

Tech Tip : CA Single Sign-On :: Policy Server::Unable to read object smSessionId

Tech Tip - CA Privileged Access Manager: Vulnerability scan against CA PAM 2.5.X appliance reports vulnerable Splunk Forwarder listener

[SLIDES] Week 3 - Not Just a Credential Vault

CABI SAP Business Objects and Redhat Troubleshooting Exercise

Tech Tip - CA Single Sign-On: R12.52 SP1 CR5 Secure Proxy Server crashes

Tech Tip : CA Single Sign-On :: Policy Server::CR apply process

Tech Tip : CA Single Sign-On :: CA SPS:Agent for virtual host : XXXX did not initialized properly

Latest Knowledge Base Articles published for CA Privileged Identity Manager (18-Jul-2016) 

 

Videos

Tackling the Weakest Link for E-Commerce Fraud

Privileged Access Management: Not Just a Credential Vault

 

Questions

Answered*

CA Single Sign-On

CA SSO : What is the use/advantage of Agent Id feature?

SPS  URL Character Limit

Webagent errors

apache failed to start after install the siteminder agent

List all persistent realms

Hyphen in URL - CA SSO

CA SSO Secure Proxy Server - HTML Form authentication

Sharepoint 2010 and CA SSO Federation?

CA Identity Suite

Unlock Endpoint Accounts - CA Identity Portal

Unanswered

Click on a question below to help 'em out!

CA Directory

Mark attribute as "sensitive" or "secret" or ...

Events to be monitored in CA directory replication issues

CA Privileged Access Management

CA PAM - Prerequisites for web portal integration

CA Single Sign-On

SP Init fails with POST not valid

LAYER7 - Is it possible to automate the deployment of policies via a 3rd party tool

CA Identity Suite

SystemManager role

 

 

New Ideas

Click on an idea below to vote it up or down.

CA Single Sign-On

Support FSS admin UI on IBM HTTP server

Web Agent Silent configuration with trusted host overwrite option

CERT. REQUEST r12.5 WebAgent - APACHE 2.4 on W2K8R2

CA Identity Suite

Active Directory custom attributes on IM

Native support for integration between CA-IDM 12.6.07 and Microsoft Exchange 2016

Extend Identity Manager Provisioning Attributes to support Long International Names

CA Identity Governance - Option to schedule 'start full correlation'

CA Data Protection

Extend the number of audit resolutions

 

Click here to view the CA Community Event Calendar!

Upcoming Security Events:

Office Hours for CA Privileged Access Management: A Live Online Chat [JUL 21]

Privileged Access Management: It’s for Applications too [JUL 22]

Big Data in Cybersecurity [JUL 26]

Office Hours for CA Single Sign-On: A Live Online Chat [JUL 28]

Privileged Access Management: Supplementing with fine-grained Host controls [JUL 29]

Office Hours for CA Advanced Authentication: A Live Online Chat [AUG 2]

Privileged Access Management: Securing the Cloud [AUG 5]

Simplifying Secure Server Access Control: Why Upgrade to CA Privileged Access Manager Server Control [AUG 16]

 

*Thank you to those who helped answer questions this week!

Stephen_McQuiggan

Pete_Burant

Karmeng

Palaka_Bhattacharya

Julien_Nitot

HubertDennis

News & Announcements

Now On-Demand: Navigating a Perfect Storm of Payments Disruption

FAQ: Xceedium customers migrating from support.xceedium.com to support.ca.com

CA PAM Change is Coming: Xceedium customers migrating to support.ca.com

Legacy Xccedium Support - Change is Coming

 

Tech Tips & Support Docs

Chat Transcript: Office Hours for CA Advanced Authentication [JULY 2016]

Tech Tip - CA Single Sign-On:Policy Server: IBM DB2 Connection Fails

SSO Policy Server r12.5 Defect Fixes History

SSO Web Agent r12.52 Defect Fixes History

SSO Web Agent r12.51 Defect Fixes History

SSO Web Agent r12.5 Defect Fixes History

Tech Tip - CA Identity Management and Governance Last week's Tech Docs

Tech Tip - CA Single Sign-On: Request through SPS is not advancing as backend IIS returns status code of 301

Installing CABI BO on Linux with an Oracle Database

[SLIDES] Week 2 - Simplicity Matters

 

Videos

[REPLAY] Privileged Access Management: Simplicity Matters

 

Questions

Answered*

CA Single Sign-On

Siteminder communication issue

CA Single Sign On - Supported agent for JBOSS AS 7.1.1 ?

Policy Server on Linux and Polistore on MS SQL Server?

SAMLResponse Encoding Format?

Web Agent Silent Installation with trusted host overwrite option

CA SSO Step-up Authentication

How to manage Siteminder Agent + Fed log permissions properly?

Negative pattern matching in rules

Siteminder IIS web agent compatability matrix

Federation for oracle RPAS

CA Identity Suite

NLS_LANG for custom connector

CA Privileged Access Management

CA Privileged Access Manager (Xceedium)

Unanswered

Click on a question below to help 'em out!

Spaces added to resource URL after SPS upgrade

Localisation of siteminder login page

Attributes override when explore and correlate two CSV files

 

 

New Ideas

Click on an idea below to vote it up or down.

CA Privileged Access Management

CA ControlMinder - Allow variables modification without needing to restart

Transparent Login KSH Support

Custom Connector framework from CA PAM Appliance

Passing Windows Credentials thru to Novell Client Log-in Window

CA PAM -- Realtime Monitoring of Vendor Access

Replace Server IP Address with Device Name at top of PuTTY and SecureCRT services box

CA Single Sign-On

CA SSO (SiteMinder) Support on Docker Container Platforms

Certification - PS 12.52 - edirectory 9.x

Support for JBoss AS 7.1.1.Final

WebSphere V8.5.5.x on z/OS

TAI and WebSphere V8.5.5.x on z/OS

CA SPS : SPS ProxyUI Domain Creation

CA Identity Suite

Improvement in Admin Email Address enhancement

CA Directory

Logging MW updates

Disable log file via DSA 'init' operation

 

Click here to view the CA Community Event Calendar!

Upcoming Security Events:

 

Privileged Access Management: Not Just a Credential Vault [JUL 15]

Office Hours for CA Privileged Access Management: A Live Online Chat [JUL 21]

Privileged Access Management: It’s for Applications too [JUL 22]

Big Data in Cybersecurity [JUL 26]

Office Hours for CA Single Sign-On: A Live Online Chat [JUL 28]

Privileged Access Management: Supplementing with fine-grained Host controls [JUL 29]

Office Hours for CA Advanced Authentication: A Live Online Chat [AUG 2]

Privileged Access Management: Securing the Cloud [AUG 5]

 

*Thank you to those who helped answer questions this week!

Patrick-Dussault

Stephen_McQuiggan

FBruno

Sharana

liuho03

gresa05

HubertDennis

R12.52 SP1 CR07

===========

The following issues were fixed in Web Agent:

| Salesforce Case Number | Internal Defect ID | Issue Description |
| --- | --- | --- |
| 00692205 | DE280513 | Web agent crashes when the machines use IPV6 addresses. |

 

R12.52 SP1 CR06

===========

 

| Salesforce Case Number | Internal Defect ID | Issue Description |
| --- | --- | --- |
| 0006287, 00280305 | DE66914, DE130868 | Web Agent End URL does not redirect using HTTPS; it redirects to HTTP instead. |
| 00138155 | DE85420 | Post preservation flow does not work and throws an HTTP 500 error when content compression is enabled for the text/html type on Oracle iPlanet web server. |
| 00150872 | DE104195 | login.sfcc goes into an infinite redirect loop when the resource is protected using an X509 Cert or forms authentication scheme and the resource is accessed from the browser. |
| 00311456 | DE139919 | Before authentication, Policy Server trims trailing spaces or carriage returns from a username that contains them, but the SMUSER header still contains the username with carriage return characters. |
| 00345282 | DE157331 | In WebAgent Trace, ResponseTime is not logged in milliseconds. |
| 00356972 | DE159608 | Password change form is not displayed for the German locale. |
| 00353589 | DE162245 | Browser throws an HTTP 502.3 error when trying to access a URL behind IIS+ARR that contains non-standard ASCII characters. |
| 00449099 | DE186996 | APS libraries are missing in the Solaris 64-bit Web Agent. |
| 00303302 | DE138108 | Service Provider fails with “java.lang.NullPointerException” while consuming an IDP-generated assertion when the SP feature SingleAssertionUsage option is enabled. |
| 00216581 | DE143166 | Web Agent does not fail back to the first Policy Server and requests are not processed successfully when starting the first Policy Server. |
| 00424351 | DE172435 | CA Access Gateway is vulnerable to an XXE injection attack that can be used to retrieve confidential data and access sensitive files on the server, for example the "passwd" file. |
| 00511425 | DE232200 | Agent crashes the web server when you access the FCC page for the impersonation flow. |

 

 

R12.52 SP1 CR05

===========

 

| Salesforce Case Number | Internal Defect ID | Issue Description |
| --- | --- | --- |
| 22000073-01 | DE65940 | The SAML 1.1 default target configuration is inconsistent in FSS UI and Administrative UI. |
| 00085491 | DE72409 | The WebAgent-OnAccept-Redirect response fails to work for POST requests when the ACO uses LegacyCookieProvider and CookieProvider. |
| 00146918 | DE74047 | The LLAWP process shutdown is delayed if the default value of RequestTimeout is changed in HCO. |
| 00176713 | DE75598 | Web Agent Option Pack fails to honor the SSOTrustedZone parameter. |
| 00075954 | DE78997 | When LegacyCookieProvider is set to YES, the PUT and HEAD methods are converted to GET after redirection to cookie provider. |
| 00061182 | DE82998 | The TargetAsRelativeURI ACO parameter fails to evaluate response URIs. |
| 00061182 | DE83176 | The TargetAsRelativeURI ACO parameter evaluates the OnAuthAccept response URI. |
| 00219262 | DE92856 | Multivalued HTTP headers are not displayed for Apache webserver when PreserverHeaders is set to YES. |
| 00186932 | DE100675 | Web Agent displays the “Bad or missing context 'SESSION struct'” error for a valid condition. |
| 00250498 | DE103898 | The forward proxy fails to work with Web Agent deployed on Apache 2.4.x, resulting in the 500 server error. |
| 00248797 | DE130894 | Web Agent throws the following error when the client makes a call with an empty host header using the HTTP/1.1 protocol: “Unable to resolve server host name. Exiting with HTTP 500 server error '10-0004'.” |
| 00220954 | DE137855 | AuthnRequest sent by HTTP POST binding does not contain the Destination attribute. |
| 00220523 | DE138229 | The Web Agent configuration wizard fails to detect the Oracle HTTP Server instance when it is installed outside of ORACLE_HOME. |
| 00226217 | DE138412 | SAML2.0 Response signing throws an exception if no assertion is found in the SAML Response. |
| 21907654 | DE138955 | If a request includes an IP address that is unresolved, access to the application fails though the request through a proxy server to the same application is successful. |
| 00118306 | DE139891 | The password change reason is not passed to the Change Password form during POST. |
| 00261138 | DE144425 | Federation web services fail to validate the URL passed in the wreply query parameter and may redirect the user to a phishing website. |
| 00037176 | DE156074 | The SAML 2.0 SLO with SOAP binding fails with the 500 server error if the SS_EXPIRYDATA5 file is changed. |
| 00349861 | DE158102 | The ISAPI filter for the 64-bit web agent is missing in IIS Manager after the agent upgrade. |
| 00195376 | DE66836 | The functionality of Flush All overrides the rollover configuration defined in LoggerConfig.properties, and rolls the Web Agent Option Pack logs. |
| 00173114 | DE72556 | The time unit in SmPortal.cfg is incorrectly represented in milliseconds. |
| 00095363 | DE99753 | The Apache Web Agent causes high CPU usage. |
| 00190162 | DE100770 | The web agent configuration wizard fails to update the opmn.xml with Oracle HTTP Server 11g. |
| 00149984 | DE109460 | If CSSErrorFile is set to a local file path, Web Agent appends extra text strings to the error page. |
| 0009305 | DE109479 | Apache webserver fails to start and determine the path to the .properties file when web agent is enabled. |

 

R12.52 SP1 CR04

===========

Product: CA SiteMinder Web Agent 12.52 SP01 CR04

December 30, 2015 CA SiteMinder Web Agent 12.52 SP01 CR04 contains fixes for the following tracking numbers:

Tracking #             Problem description

----------                 -------------------

RTC 168683 / DE94552   CA SiteMinder agents do not support auto authorization.

RTC 161418 / DE86190   The installer displays a misleading error message when incorrect host registration credentials are provided.

RTC 155671 / DE78890   Web Agent reports the HTTP 500 Server error when the Cookie Provider is not defined.

RTC 153157 / DE104171  Web Agent displays the HTTP 500 Server error when  a URL ending with .sac extension is accessed.

RTC 163694 / DE111843  HTTP Response of BadCSSCharsFound contains incorrect HTML data.

RTC 161317 / DE86714   Web agent crashes if the HTTP_OPENID_DISC cookie is not present in headers for the OpenID authentication provider.

RTC 141833 / DE79301   Duplicate ICU shared library files are present in  the ICU third-party folder.

RTC 160850 / DE102716  The Impersonation flow fails when the FCC Compat mode is set to YES.

RTC 162925 / DE74697   The SMUSRMSG cookie appears even after  successful authentication.

RTC 157785 / DE106171  The Windows Step-up Authentication challenges user with the NTLM dialog with an access denied error.

RTC 151777 / DE84661   Web Agent initializes though an agent is not configured to a website.

RTC 162301 / DE74396   The SMIDENTITY cookie gets deleted on log out.

RTC 162681 / DE73068   The Web Agent configuration wizard does not add the SSLClientAuth directive for any x509 authentication scheme.

RTC 142415 / DE66081   The Windows PATH variable appends duplicate values after reinstalling Web Agent.

RTC 137831/137834 / DE72676/DE72835   The web agent vulnerability in SMAUTHREASON with non-numeric data is exposed to JSP/JavaScript attack.

RTC 137739/156919 / DE72506/DE66473   The SunOne WebAgent terminates abruptly when a large URL ends with the '%' character.

 

R12.52 SP1 CR03

===========

September 21, 2015 SiteMinder Web Agent 12.52 SP01 CR03 contains fixes for the following tracking numbers:

Tracking # Problem description

----------       -------------------

161399 CSS Vulnerability (When URL contains % character at the end, Webagent is sending junk characters in response) in Siteminder forms templates (For non-agent framework).

 

R12.52 SP1 CR02

===========

July 17, 2015 SiteMinder Web Agent 12.52 SP01 CR02 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

53246/154235 After enabling the Web Agent, names.nsf and WebAgent logs are not displayed properly.

150033 Apache child process terminates abnormally.

71834 Agent on IIS 7.5 continuously restarts after second web site is added to the web server.

142331 SAMLDataPlugin fails to accept the UseSecureCookies ACO parameter for Web Agent on the target application of  Service Provider.

46137 Web Agent configuration on RedHat 7 for RedHat Apache does not place the SSL tags in ssl.conf

124667 HTTP headers using methods other than OPTIONS and HEAD are not auto authorized.

153984 Configuration wizard is corrupting iPlanet server.xml

149188 When threshold percentage is set to more than 50%, web agent connections fail to connect to all the policy  servers in the cluster. The following error occurs:

Unable to load SiteMinder agent configuration object. Check that you are using the right agent configuration object and that it exists in your policy server.

145807 The URL access request blocks when you access a URL which contains %c0%af with isAllowUTF8NonCanonical flag set to no in ACO.

141054/158053 Web agent does not recognize semi colon as a parameter delimiter.

155275 Upgrade CAPKI to version 4.3.8

 

R12.52 SP1 CR01

===========

February 13, 2015 SiteMinder Web Agent 12.52 SP01 CR01 contains fixes for the following tracking numbers:

Tracking # Problem description

----------      ---------------------------

137092 Cookie-domain functionality fails when you enable the smconnector at Service Provider side.

64778 Web Agent support for Apache 2.4 on Windows 2008 R2.

126082 SOA Security Manager uses basic credentials when there is no SOAP body in request for the resources that are protected with WS-Security AuthScheme.

119501 Agent fails to display log messages when you configure Domino Agent on IBM AIX.

70656 IIS w3wp process terminates intermittently under heavy load.

121054 IIS w3wp terminates abruptly and creates multiple log files in a shorter duration.

85711 Web Agent support for Apache graceful restart on LINUX.

98537 Agent forces re-authentication in a Multi-Domain SSO environment, when both the MASTER domain cookies expire.

 

R12.52 CR01

===========

March 4, 2014 SiteMinder Web Agent 12.52 CR01 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

This component is not released as part of 12.52 CR01.

News & Announcements

CA Viewpoint: Preparing for EU Payment Security Directive (PSD2) and How CA Can Help

Will be collecting vote totals EOD July 22nd

Proactive Notification Advisory 12.52 SP1 CR5 CA Single Sign-On Policy Server is abnormally terminating on UNIX platforms.

 

Tech Tips & Support Docs

Remote CLI or JAVA API

SSO Policy Server r12.52/r12.6/r12.7 Defect Fixes History

Tech Tip - CA Single Sign-On : SPS sends Data "Unknown=17" to APM when a Proxy Rule is fired

Tech Tip - CA Identity Management and Governance Last week's Tech Docs

SSO Policy Server r12.51 Defect Fixes History

Latest Knowledge Base Articles published for CA Privileged Identity Manager (04-Jul-2016)

Tech Tip - CA Single Sign-On: AD service account getting locked out frequently

 

Videos

Security Risk Based Authorization

Identity Suite: Esteja aberto para o acesso, e fechado para as ameaças.

Privileged Access Manager: Controle de acesso e segurança totais

 

Questions

Answered*

How can I change the password of the Store Administrator of IDentity Minder? What about the procedure of changing the password of etadmin and SiteMinder admin?

CA Siteminder and Sharepoint integration in RHEL

PERL CLI Single Sign On 12.52

Supervisor Login

X509 AuthScheme with Load Balancer?

Unable to Start Web agent getting syntax errors

parallel SSO?

error running RoleDefGenerator

Inbound synchronization not working, notification queue issue

CA Directory - dsa-password

sharepoint 2010 integration with siteminder

CA PAM - Test Drive

Unanswered

Click on a question below to help 'em out!

Detection of a new device - ca advanced Auth

Multiple LLAWP Process in SM WA Login Server

CA PAM - DistributionServer and SELang

Unable to get username on password services after enabling DisallowUsernameInURL on policy server

 

New Ideas

Click on an idea below to vote it up or down.

CA Single Sign-On

Certified webagent  for IIS on Windows 2014 & 2016.

SSO WebAgent

Support of websockets in SPS

Enhancement Request: Migration of Legacy Federation Affiliate Domains

Policy Server on Unix should read from /dev/urandom by default

CA Privileged Access Management

Client is requesting Powershell to be supported in A2A clients

Function for SEOSDB to be rebuild automatically

Automate Password Changes to IIS and FTS credentials

HMTL5 and Chrome support

[ER for PIM] Terminal Class on Windows EP does not recognize the Gateway IP address .

CA Identity Suite

Improve IM environment export process

CA Secure Cloud

Tenant creation fails with the handshake alert: unrecognised name.

 

Click here to view the CA Community Event Calendar!

Upcoming Security Events:

Privileged Access Management: Simplicity Matters [JUL 8]

Privileged Access Management: Not Just a Credential Vault [JUL 15]

Office Hours for CA Privileged Access Management: A Live Online Chat [JUL 21]

Privileged Access Management: It’s for Applications too [JUL 22]

Office Hours for CA Single Sign-On: A Live Online Chat [JUL 28]

Privileged Access Management: Supplementing with fine-grained Host controls [JUL 29]

 

*Thank you to those who helped answer questions this week!

gresa05

Ujwol

Sagi_Gabay

KennyV

RinatM

Sharana

Venkatesh_G

Stephen_McQuiggan

ronro03

mcdju01

liuho03

Lluis_Domenech