
CA Security

4 Posts authored by: Ujwol Shrestha Employee

Hello CA Single Sign-On Community Users,

 

Please find below the list of the latest Knowledge Base Articles for Single Sign-On (formerly CA SiteMinder) published or updated since 8th September 2016 for your reference:

 

WSFED entities not showing up in Partnership config dropdown
WSFED entities may not show up in a Partnership configuration if the entities themselves are configured improperly
Last Update: 2016-10-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1305435

How to Use Multiple User Directories in a Partnership
This short guide is how to use multiple User Directories (i.e. LDAP and ODBC) in a Partnership. Helpful if migrating users from one User Store to another without having an outage.
Last Update: 2016-10-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1725014

Certificates Uploaded to Policy Store don't show up in WAMUI
Occasionally, certificates that are uploaded to the WAMUI will not show up in the certificate list, and will show a "certificate already exists method"
Last Update: 2016-10-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1259976

How to download CA Single Sign-On (formerly SiteMinder) components
Step-by-step procedure to download CA Single Sign-On (formerly SiteMinder) components from support.ca.com
Last Update: 2016-10-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1364894

Best practice on importing Agent Keys
Importing agent keys results in duplicate set
Last Update: 2016-10-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1392087

Failed updating KeyManagement object 1a-fa347804-9d33-11d3-8025-006008aaae5b. Status: 'Unknown Failure'
Unable to import KeyManagement object during smkeyimport. Agent keys are imported fine; only the KeyManagement object fails to import.
Last Update: 2016-10-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1164436

Configuring SharePoint Workflow 2013 and the Single Sign On Agent for SharePoint 2010/2013
Details configurations required to integrate SharePoint 2013 and Workflow Manager Client 1.0 with the CA Single Sign On Agent for SharePoint
Last Update: 2016-10-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1729148

Protecting my SOAP Resource with WS-Security, I get the error Signature-0 was not accepted
This technote discusses a specific error when configuring WS-Security with timestamp.
Last Update: 2016-10-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1691635

Member group and Member Organizations search filter not working as expected
Member group and Member Organizations search filter not working taking the wild char or text based search filter
Last Update: 2016-10-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1074542

ExecutionTimeThreshold Introduced
Purpose of ExecutionTimeThreshold
Last Update: 2016-10-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1390939

XPath expression for Web Service Variable returning only first result
XPATH expression not working
Last Update: 2016-10-19    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1303225

Policy Server : Policy Stores Failover : CA Directory in SSL
How to configure CA Directory Policy store in SSL
Last Update: 2016-10-18    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1852061

Client IP and SMSESSION IP do not match after WAOP upgrade
IP Validation Failing after WAOP upgrade to 12.52
Last Update: 2016-10-18    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1968307

XPSImport is failing due to AgentType missing error in WebAgent Actions
(FATAL) : [sm-xpsxps-05810] Import failed Rule Action(s) (HEAD) do not match AgentType Rule Action(s) do not match AgentType
Last Update: 2016-10-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1427656

Accessing CA Directory Policy Store with restricted bind Users
This technote discusses the supportability to restrict the branches from the ldap tree for the bind user.
Last Update: 2016-10-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1988193

How can I redirect Users with expired password to custom fcc instead of smpwservices.fcc?
How do I get Siteminder to redirect users with expired password to my custom fcc instead of out of the box smpwservices.fcc?
Last Update: 2016-10-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1492067

Expired AD User password redirect custom fcc
Active Directory Users with expired password are being redirected to the out of the box smpwservices.fcc instead of our custom fcc while being redirected to change their password.
Last Update: 2016-10-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1942727

Policy Server :: Unable to Start : LDAP Policy Store Configuration
This technote discusses a problem when upgrading the Policy Server to R12.52 from R12.x which fails to start.
Last Update: 2016-10-13    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1525441

How to execute host registration for Java Agent API when ksh is not installed on the computer.
This explains how to execute host registration for Java Agent API when ksh is not installed on the computer.
Last Update: 2016-10-12    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1956964

CA SSO Report Server strategy
CA Report Server from CA Technologies as a component of the product.
Last Update: 2016-10-12    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1820619

About detail of Shared Secret between WebAgent and Policy Server.
What is the difference of Shared Secret, SmHost.conf and Policy Store ?
Last Update: 2016-10-12    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1089812

Agent for SharePoint :: SharePoint 2010 and SharePoint 2013 Instances : Protecting with the same Agent instance
I would like to use the same Agent for SharePoint instance, which is already protecting a SharePoint 2010 Server, to protect another distinct SharePoint 2013 Server. Can I do that?
Last Update: 2016-10-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1066617

Where can I find the CR Download Page for CA Single Sign-On (SiteMinder) ?
This technote discusses where to find a specific CR for SiteMinder
Last Update: 2016-10-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1616521

MS SQL 2016 support for Single Sign-on stores
Does Single Sign-on currently support the use of Microsoft SQL 2016 for stores e.g. policy store, user store, session store, audit store and password services?
Last Update: 2016-10-06    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1766333

CA Single Sign-On (SiteMinder) - Problem installing the SSO WAMUI on a drive other than the default C: drive
When trying to install the CA Single Sign-On (SiteMinder) AdminUI on a non-default drive, the service fails to install and the AdminUI fails to start when manually run via batch script.
Last Update: 2016-10-06    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1035638

 

Configure WebAgent for Apache multiple virtual hosts
Does Apache virtual host support a separate WebAgent for each host, so that we could assign a separate WebAgent.conf file and ACO for each virtual host?
Last Update: 2016-10-06    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1355714

LLAWP process is buggy after executed kill -9 command
In R12.52 SP1 CR05, we encountered 500 error after shutting down LLAWP process by using "kill -9".
Last Update: 2016-10-06    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1421423

LLAWP doesn't start
When httpd was started by apachectl -start, but LLAWP didn't start completely.
Last Update: 2016-10-06    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1883834

Right format for specifying Ciphers in server.conf for CA Access Gateway (formerly Secure Proxy Server)
CA Access Gateway Ciphers format for server.conf
Last Update: 2016-10-06    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1643058

How to setup a policy to Authorize User by the Authentication level
configure an authorization policy based on the Authentication level
Last Update: 2016-10-05    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1845593

Is it required to reboot Policy Server for failover of ODBC data source?
The reboot of a policy server is unnecessary, since policy server will reconnect when a policy server detects restoration of DB#1 in the case of the premise and a work outline of an inquiry.
Last Update: 2016-10-05    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1176053

How to decrypt Federation Open Format Cookie (Java)
Steps to consume (decrypt) Federation OFC cookie generated by Policy server
Last Update: 2016-10-04    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1539809

XPS Transaction COMMIT has failed errors for AgentInstance in smps logs
[CreateObject][ERROR][sm-xpsxps-00540] Previous error occurred on object "CA.SM::AgentInstance@PS-agent" [CommitOrTestRollback][ERROR][sm-xpsxps-00740] XPS Transaction COMMIT has failed. [CreateOrUpdateImpl][ERROR][CA-SM-Assert] Assert failed: Commit
Last Update: 2016-10-04    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1596363

Could not find service provider information for sp/idp
Exception while attempting to retrieve passwords: java.lang.NoClassDefFoundError: Could not initialize class javax.crypto.JceSecurity at javax.crypto.Cipher.getInstance(Cipher.java:643)
Last Update: 2016-10-04    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1446925

Post Preservation going into loop when going to the Cookie Provider
This technote discusses the limits of using and configuring a Web Agent to act as Cookie Provider
Last Update: 2016-10-04    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1580684

How does the WebAgent select the Policy Server to which it will send a request?
This tech doc explains how the WebAgent selects the PS to which it will send a request. It does an intelligent round robin.
Last Update: 2016-10-04    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1351868

How to troubleshoot Failover/Failback between WebAgent and Policy Server ?
If you experience Failover/Failback, you may want to check why. You need to use the AgentConMgr.conf and decompose by PID/TID to check each individual thread.
Last Update: 2016-10-04    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1983777

Set-Cookie: SMSESSION=LOGGEDOFF missing from the response on a log off request
LogoffUri not working
Last Update: 2016-10-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1494272

SPS is not able to connect to backend
Connection refused remotely, no process is listening on the remote address/port
Last Update: 2016-10-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1369467

Can we have two Apache web servers protected with two Web Agents on the same server?
This document enumerates the conditions to have two different Apache web servers with two different Web Agents on the same box
Last Update: 2016-10-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1012216

Performance Impact of Password Policy settings
The reason that password policy influences performance is for the writing to a user store to occur.
Last Update: 2016-10-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1210052

How to handle certificate authentication when UID is mapped to UserID or Email Address ?
This technote discusses a workaround to make certificate authentication succeed when the UID should be found in more than one attribute.
Last Update: 2016-09-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1074295

How to configure the Policy Server Registry Key EnableSearchFilterCheck ?
This technote discusses the details of the registry key EnableSearchFilterCheck and its possible values
Last Update: 2016-09-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1630034

Can access existing session from different browsers after Session Assurance setup
This document describes how to properly test the Session Assurance feature and explains why some tests could fail
Last Update: 2016-09-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1392984

SiteMinder WebAS ERP Agent connectivity issues
We are observing intermittent SAP ERP agent connectivity issues with the Policy server
Last Update: 2016-09-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1664939

username in smtoken being encoded
username in smtoken being url encoded during password change process.
Last Update: 2016-09-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1867466

About taskpersistence folder under derby folder.
What info is contained in the derby folder under the adminui install path?
Last Update: 2016-09-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1544737

How can we achieve high availability for Kerberos authentication?
Kerberos auth creating keytab files using FQDN for smps service, noting that the service MUST be resolved by DNS forward and reverse. We have two policy servers and no option to add load balance service names in the Kerberos authentication scheme
Last Update: 2016-09-28    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1213853

How to get more information if CA Access Gateway (SPS) is failing SSL connection with back end ?
Tips to troubleshoot SSL connection between SPS and Backend : use -Djavax.net.debug=all
Last Update: 2016-09-28    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1950639

About the content of messages when XPSImport is executed.
About the meaning of the messages which are output by executing the XPSImport command.
Last Update: 2016-09-28    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1246825

 

Policy Server cannot connect to CA Directory through LDAPS when using TLSv1.1 only
This document shows the configuration parameters needed to be done in CA Directory to support TLSv1.1 for CA SiteMinder Policy Server connectivity.
Last Update: 2016-09-27    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1843713

How to validate SSO token
How to write a sample Java SDK agent to validate an existing SSO token (SMSESSION cookie)
Last Update: 2016-09-27    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1608436

XPSSweeper Auto Schedule not generating XPSSweeper log
Instructions/Best Practices on How to configure XPSSweeper Auto scheduling to generate XPSSweeper log
Last Update: 2016-09-26    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1993675

Linux Smconsole java.io.IOException Cannot run program "null\system32\tasklist.exe" error
A console error happens when I start smconsole with policy server not running. If the policy server is running and I start smconsole, it comes up fine. The console error happens when I click the stop button.
Last Update: 2016-09-26    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1695471

Expression builder within Domain Policies do not work correctly
Trying to build a domain expression within the domain (domain policies edit policy expression edit) however, there are problems with the expression builder.
Last Update: 2016-09-26    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1924447

Policy server crashes after rule with response redirect
Rule for onAuthAttempt, and a response with WebAgent-OnReject-Redirect crashes policy server after the rule is hit.
Last Update: 2016-09-26    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1694225

Not able to start SessionLinker with apache WebServer
Using Session Linker with apache webserver there could be a problem on starting it because you are not sharing the /tmp directory.
Last Update: 2016-09-26    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1895555

How to migrate Affiliate domain from 12 SP3 to 12.52 using smobjexport and smobjimport tools
Migrate Affiliate domains from 12 SP3 to 12.52
Last Update: 2016-09-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1830083

SPS Server will stop servicing requests after some time when STS is deployed / enabled
Exception: java.lang.StackOverflowError thrown from the UncaughtExceptionHandler in thread
Last Update: 2016-09-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1467488

After Web Agent upgrade from 12SP3 to 12.52SP1, the .fcc page shows its code instead of the login page.
This technote discusses the solution for the .fcc code that could be shown in the browser instead of the login page
Last Update: 2016-09-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1978163

Issues with using Regular expression in domain
We have many applications and webservices coming in. We tried to reduce the work by using regular expressions, however it is not functioning correctly.
Last Update: 2016-09-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1132122

XPSSweeper Output question
We see three numbers being displayed after running XPSSweeper. We want to know what they mean.
Last Update: 2016-09-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1530309

Users not Getting Authorized
We are unable to login, with no errors being reported in the logs. Disabling Single-Sign On allows the user to access the application.
Last Update: 2016-09-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1126741

Report Server & Audit report connections details
Where are the report server connection and audit report connection details stored?
Last Update: 2016-09-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1843996

Why is my SSL-enabled apache not starting with a message stating "cannot read password from file" ?
Having ssl-enabled apache in SPS using a server key and certificate, the http daemon fails to start with a message about a failure to read password from file
Last Update: 2016-09-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1556076

TAI Connector configuration
Do we need to install the SiteMinder Agent for IBM WebSphere v12 to get this TAI connector functionality enabled?
Last Update: 2016-09-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1917158

How to configure APS Forgot Password (FPS) Interface
Steps to configure APS FPS interface
Last Update: 2016-09-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1323498

SPS is not starting after applying the workaround solution for XXE (XML External Entity) vulnerability
ProxyServer initialization failed;Caused by: org.apache.catalina.LifecycleException: Failed to start component;Caused by: org.apache.catalina.LifecycleException: A child container failed during start;InitCatalina failed ('Failed to start component [Standa
Last Update: 2016-09-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1840176

How much is the max length (in characters) of a SMSession cookie?
The SMSession cookie length is not fixed. The SMSession cookie will generally be between 800 bytes and 1K.
Last Update: 2016-09-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC588181

Unable to start CA SPS Services after enable httpd SSL
SPS unable to startup after enable httpd ssl with error unable to read pass phrase
Last Update: 2016-09-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1551985

Import certificate failed in WAMUI causing no certificate displayed in WAMUI
Import certificates failed causing two certificates with same alias in certificate store
Last Update: 2016-09-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1326351

smobjimport invokes XPSSweeper when it is successfully completed.
This article explains the specification of smobjimport functionality in r12.5x.
Last Update: 2016-09-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1067866

Encrypted Active Response
How to send and consume encrypted active response
Last Update: 2016-09-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1703842

How to configure Open Format Cookie and consume it
Send and consume open format cookie
Last Update: 2016-09-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1487052

x509 Cert mapping case sensitive
defect - certificate mapping is case sensitive if custom expression mapping is used
Last Update: 2016-09-19    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1730883

 

X.509 Cert Authentication with Apache Agent
How to configure X.509 cert authentication with CA Single Sign-On Web Agent on Apache web server
Last Update: 2016-09-19    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1741628

Workaround for XXE (XML External Entity) type attack
XXE (XML External Entity) type attack
Last Update: 2016-09-19    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1051415

Kerberos authentication using AES256 encryption
Use case: Linux policy server, Secure Proxy Server, Windows 2008R KDC configured with Kerberos authentication using AES256 SHA1 encryption
Last Update: 2016-09-16    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1940867

Kerberos authentication using AES 256bit encryption failing
Deployment use case Secure Proxy Server 12.52 SP1 Linux with policy server 12.52 SP1 also on Linux implement Kerberos Authentication using AES 256 bit encryption against Active Directory KDC
Last Update: 2016-09-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1921291

Key Management tab is missing
Key Management tab is missing in adminui; how to add Key Management tab in adminui
Last Update: 2016-09-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1702097

Failed to initialize event handler library error
Failed to initialize event handler library "/opt/CA/siteminder/lib/libEventIntroscopeprovider.so"
Last Update: 2016-09-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1748102

Required Linux Libraries for Web Agent r12.51 CR06 or later (64-bit) on Red Hat 7.x (64-bit)
This article explains the installation requirement for newly certified platform.
Last Update: 2016-09-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1450842

How to change the admin password with Federation Manager ?
You may want to change the admin user password to login to the FedMa adminUI, please use XPSConfig
Last Update: 2016-09-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1529369

Temporary password
Is there a SiteMinder API that will create a temporary password which expires after 24 hours if not changed?
Last Update: 2016-09-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1411884

OAUTH Partnership Error Dispatcher object thrown unknown exception while processing the message
Dispatcher object thrown unknown exception while processing the message. Message: Connection timed out: connect Exception occurred while message dispatcher (srca) object trying to send SOAP request message to the SAML producer
Last Update: 2016-09-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1584113

Support for TLS 1.1 and TLS 1.2 on CA Access Gateway (formerly CA Secure Proxy Server)
support for TLS1.1 and TLS 1.2 on SPS; do we support TLS 1.1 and TLS 1.2 on SPS ?
Last Update: 2016-09-13    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1873991

Can't stop AdminUI service properly.
When the customer stopped the AdminUI service, the Windows service manager error below occurred, and the service can't stop properly.
Last Update: 2016-09-13    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1319367

Juel Expressions in SAML Assertions
Juel expressions are not working
Last Update: 2016-09-09    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1945124

Failed to create delegated GSSAPI token on behalf of HTTP/server03.domain.lab@DOMAIN.LAB for smps@server02.domain.lab: Minor Status=-1765328377, Major Status=851968, Message=Server not found in Kerberos database
While setting up kerberos authentication, I am getting "Server not found in Kerberos database" in the web agent trace log file.
Last Update: 2016-09-09    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1214508

KDC has no support for encryption type while getting initial credentials
We are trying to setup kerberos on siteminder and running into the following error. kinit: KDC has no support for encryption type while getting initial credentials
Last Update: 2016-09-09    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1213796

SiteMinder Policy Server failed to load JVM library.
Failed to initialize tunnel service library 'smjavaapi'. SmJavaAPI: Unable to get a JVM environment.
Last Update: 2016-09-08    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC477998

Password Data should be set to 0?
This document explains the Password Data attribute type and why it cannot be reset by a third party by setting the field manually.
Last Update: 2016-09-08    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1167658

SDK Agent cannot decode SMSESSION Cookie after rolling 3 Times the Agent Keys
This technote discusses the behavior of the decryption when Agent Keys are rolled.
Last Update: 2016-09-08    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1853933

 

Please note that you can always access the full list by going to the following link:

CA Single Sign-On 

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies

R12.52 SP1 CR07

===========

The following issues were fixed in Web Agent:

Salesforce Case Number / Internal Defect ID   Issue Description

----------                                    -------------------

00692205 / DE280513   Web agent crashes when the machines use IPV6 addresses.

 

R12.52 SP1 CR06

===========

 

Salesforce Case Number / Internal Defect ID   Issue Description

----------                                    -------------------

0006287, 00280305 / DE66914, DE130868   Web Agent End URL is not redirecting using HTTPS but instead it was redirecting to HTTP.

00138155 / DE85420   Post preservation flow is not working and it is throwing HTTP 500 error for webserver when content compression is enabled for text/html type for Oracle iPlanet webserver.

00150872 / DE104195   login.sfcc goes into infinite redirect loop when resource is protected using X509 Cert or forms authentication scheme and the resource is accessed from the browser.

00311456 / DE139919   Before authentication, Policy Server trims trailing spaces or carriage returns whenever username contains these characters but SMUSER header contains username with carriage return characters.

00345282 / DE157331   In WebAgent Trace, ResponseTime is not logged in milliseconds.

00356972 / DE159608   Password change form is not being displayed for German locale.

00353589 / DE162245   Browser throws HTTP 502.3 error when trying to access the URL behind IIS+ARR and that URL contains non-standard ASCII characters.

00449099 / DE186996   APS libraries are missing in Solaris 64-bit Web Agent.

00303302 / DE138108   Service Provider fails with "java.lang.NullPointerException" while consuming an IDP generated assertion with the SP feature SingleAssertionUsage option is enabled.

00216581 / DE143166   Web Agent is not failing back to the first Policy Server and requests are not processed successfully when starting the first Policy Server.

00424351 / DE172435   CA Access Gateway is vulnerable to an XXE injection attack and able to retrieve confidential data and access sensitive files on the server, for example the "passwd" file.

00511425 / DE232200   Agent crashes the web server when you access FCC page for impersonation flow.

 

 

R12.52 SP1 CR05

===========

 

Salesforce Case Number / Internal Defect ID   Issue Description

----------                                    -------------------

22000073-01 / DE65940   The SAML 1.1 default target configuration is inconsistent in FSS UI and Administrative UI.

00085491 / DE72409   The WebAgent-OnAccept-Redirect response fails to work for POST requests when the ACO uses LegacyCookieProvider and CookieProvider.

00146918 / DE74047   The LLAWP Process shutdown delays if the default value of RequestTimeout value is changed in HCO.

00176713 / DE75598   Web Agent Option Pack fails to honor the SSOTrustedZone parameter.

00075954 / DE78997   When LegacyCookieProvider is set to YES, the PUT and HEAD methods are converted to GET after redirection to cookie provider.

00061182 / DE82998   The TargetAsRelativeURI ACO parameter fails to evaluate response URIs.

00061182 / DE83176   The TargetAsRelativeURI ACO parameter evaluates the OnAuthAccept response URI.

00219262 / DE92856   The Multivalued HTTP headers are not displayed for Apache webserver when PreserverHeaders is set to YES.

00186932 / DE100675   Web Agent displays the "Bad or missing context 'SESSION struct'" error for a valid condition.

00250498 / DE103898   The Forward proxy fails to work with Web Agent deployed on Apache 2.4.x, resulting in the 500 server error.

00248797 / DE130894   Web Agent throws the following error when the client makes a call with empty host header using the HTTP/1.1 protocol: "Unable to resolve server host name. Exiting with HTTP 500 server error '10-0004'."

00220954 / DE137855   AuthnRequest sent by HTTP POST binding does not contain the Destination attribute.

00220523 / DE138229   The Web Agent configuration wizard fails to detect the Oracle HTTP Server instance when it is installed outside of ORACLE_HOME.

00226217 / DE138412   SAML2.0 Response signing throws an exception if no assertion is found in the SAML Response.

21907654 / DE138955   If a request includes an IP address that is unresolved, access to the application fails though the request through a proxy server to the same application is successful.

00118306 / DE139891   The password change reason is not passed to Change Password form during POST.

00261138 / DE144425   Federation web services fail to validate the URL passed in the wreply query parameter and may redirect the user to a phishing website.

00037176 / DE156074   The SAML 2.0 SLO with SOAP binding fails with the 500 server error if the SS_EXPIRYDATA5 file is changed.

00349861 / DE158102   The ISAPI filter for 64-bit web agent is missing in IIS Manager after the agent upgrade.

00195376 / DE66836   The functionality of Flush All overrides the rollover configuration defined in LoggerConfig.properties, and rolls the Web Agent Option Pack logs.

00173114 / DE72556   The time unit in SmPortal.cfg is incorrectly represented in milliseconds.

00095363 / DE99753   The Apache Web Agent causes high CPU usage.

00190162 / DE100770   The web agent configuration wizard fails to update the opmn.xml with Oracle HTTP Server 11g.

00149984 / DE109460   If CSSErrorFile is set to a local file path, Web Agent appends extra text strings to the error page.

0009305 / DE109479   Apache webserver fails to start and determine the path to the .properties file when web agent is enabled.

 

R12.52 SP1 CR04

===========

Product: CA SiteMinder Web Agent 12.52 SP01 CR04

December 30, 2015      CA SiteMinder Web Agent 12.52 SP01 CR04 contains fixes for the following tracking numbers:

Tracking #             Problem description

----------                 -------------------

RTC 168683 / DE94552   CA SiteMinder agents do not support auto authorization.

RTC 161418 / DE86190   The installer displays a misleading error message when incorrect host registration credentials are provided.

RTC 155671 / DE78890   Web Agent reports the HTTP 500 Server error when the Cookie Provider is not defined.

RTC 153157 / DE104171  Web Agent displays the HTTP 500 Server error when  a URL ending with .sac extension is accessed.

RTC 163694 / DE111843  HTTP Response of BadCSSCharsFound contains incorrect HTML data.

RTC 161317 / DE86714   Web agent crashes if the HTTP_OPENID_DISC cookie is not present in headers for the OpenID authentication provider.

RTC 141833 / DE79301   Duplicate ICU shared library files are present in  the ICU third-party folder.

RTC 160850 / DE102716  The Impersonation flow fails when the FCC Compat mode is set to YES.

RTC 162925 / DE74697   The SMUSRMSG cookie appears even after  successful authentication.

RTC 157785 / DE106171  The Windows Step-up Authentication challenges user with the NTLM dialog with an access denied error.

RTC 151777 / DE84661   Web Agent initializes though an agent is not configured to a website.

RTC 162301 / DE74396   The SMIDENTITY cookie gets deleted on log out.

RTC 162681 / DE73068   The Web Agent configuration wizard does not add the SSLClientAuth directive for any x509 authentication scheme.

RTC 142415 / DE66081   The Windows PATH variable appends duplicate values after reinstalling Web Agent.

RTC 137831/137834 / DE72676/DE72835   The web agent vulnerability in SMAUTHREASON with non-numeric data is exposed to JSP/JavaScript attack.

RTC 137739/156919 / DE72506/DE66473   The SunOne WebAgent terminates abruptly when a large URL ends with the '%' character.

 

R12.52 SP1 CR03

===========

September 21, 2015 SiteMinder Web Agent 12.52 SP01 CR03 contains fixes for the following tracking numbers:

Tracking # Problem description

----------       -------------------

161399 CSS Vulnerability (When URL contains % character at the end, Webagent is sending junk characters in response) in Siteminder forms templates (For non-agent framework).

 

R12.52 SP1 CR02

===========

July 17, 2015 SiteMinder Web Agent 12.52 SP01 CR02 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

53246/154235 After enabling the Web Agent, names.nsf and WebAgent logs are not displayed properly.

150033 Apache child process terminates abnormally.

71834 Agent on IIS 7.5 continuously restarts after second web site is added to the web server.

142331 SAMLDataPlugin fails to accept the UseSecureCookies ACO parameter for Web Agent on the target application of Service Provider.

46137 Web Agent configuration on RedHat 7 for RedHat Apache does not place the SSL tags in ssl.conf

124667 HTTP headers using methods other than OPTIONS and HEAD are not auto authorized.

153984 Configuration wizard is corrupting iPlanet server.xml

149188 When threshold percentage is set to more than 50%, web agent connections fail to connect to all the policy servers in the cluster. The following error occurs:

Unable to load SiteMinder agent configuration object. Check that you are using the right agent configuration object and that it exists in your policy server.

145807 The URL access request blocks when you access a URL which contains %c0%af with isAllowUTF8NonCanonical flag set to no in ACO.

141054/158053 Web agent does not recognize semi colon as a parameter delimiter.

155275 Upgrade CAPKI to version 4.3.8

 

R12.52 SP1 CR01

===========

February 13, 2015 SiteMinder Web Agent 12.52 SP01 CR01 contains fixes for the following tracking numbers:

Tracking # Problem description

----------      ---------------------------

137092 Cookie-domain functionality fails when you enable the smconnector at Service Provider side.

64778 Web Agent support for Apache 2.4 on Windows 2008 R2.

126082 SOA Security Manager uses basic credentials when there is no SOAP body in request for the resources that are protected with WS-Security AuthScheme.

119501 Agent fails to display log messages when you configure Domino Agent on IBM AIX.

70656 IIS w3wp process terminates intermittently under heavy load.

121054 IIS w3wp terminates abruptly and creates multiple log files in a shorter duration.

85711 Web Agent support for Apache graceful restart on LINUX.

98537 Agent forces re-authentication in a Multi-Domain SSO environment, when both the MASTER domain cookies expire.

 

R12.52 CR01

===========

March 4, 2014 SiteMinder Web Agent 12.52 CR01 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

This component is not released as part of 12.52 CR01.

Hello CA Single Sign-On Community Users,

 

Please find below the list of the latest Knowledge Base Articles for Single Sign-On (Formerly CA SiteMinder) published or updated since 2nd April 2016 for your reference:

 

R12 SP2 Application Server Agent for WebSphere (TAI) fails to initialize after Java upgrade on WebSphere.
After upgrading WebSphere with Java 1.7, the Application Server Agent throws the following error in the SystemOut.log; Trust Association Init Unable to load Trust Association class com.netegrity.siteminder.websphere.auth.SmTrustAssociationInterceptor.
Last Update: 5/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1286701

Task Failed on modifying a policy object in Web Administrative UI with Oracle Directory Server as Policy Store.
"Unknown Failure" was shown on the screen and an LDAP Error was recorded in the smps.log at the time.
Last Update: 5/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1056057

Global response not triggering for Application with multiple components
Why is our configured Siteminder global response not triggering for Application with multiple components?
Last Update: 5/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1140466

Password Policy redirect
Redirect to a customized error page when password services is invoked.
Last Update: 5/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1741076

Policy store load failure.
After upgrading SiteMinder and the policy store a custom app that implements the Policy Management API sporadically fails to update objects.
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1989246

SharePoint Connection Wizard Errors
Getting "No existing SharePoint Connections!" when trying to create a new SharePoint Agent connection.
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1972332

Undocumented Fixes of Secure Proxy Server 12.51/12.52 SP1
This article explains Undocumented Fixes of SPS 12.51/12.52 SP1. WAOP fixes are included in SPS as well: 134371 - SPS 12.51 CR06; 139030 - SPS 12.52 SP01 CR01
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1567644

Seeing many "Policy store failed operation 'MultipleSearch'" errors in the SMPS.log with R12.52 SP1 Policy Server.
With CA Directory 12.0.14 as a Policy Store, we are seeing many "Policy store failed operation 'MultipleSearch' for object type 'Root'. LDAP Error Doing UserDirectory_Fetch: 82: Local error" in the SMPS.log.
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1626754

Why will password entries be rejected when using the password dictionary for password services?
What are the circumstances when a password will be rejected when using password dictionary feature for SiteMinder password services.
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1444634

FSS UI Does Not Appear in Installed Components
How to install the FSS Administrative UI to manage Policy Store objects instead of the WAMUI.
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1592822

Ignorable error message "SEVERE: No global naming context defined for server" on SPS startup
This article explains an ignorable error message of SPS startup: "SEVERE: No global naming context defined for server".
Last Update: 5/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1557306

Policy Server showing spikes in connections multiple times a day
Policy server connections spike, normal queue grows – slow responses reported by the SSO agents on the webservers (20 seconds delays)
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1890108

CA Federation & Office 365 Integration: ObjectGUID as ImmutableID
This document explains CA Federation & Office 365 Integration: How to define ObjectGUID (binary attribute) as ImmutableID attribute in the Federation Partnership.
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1782098

'No SAML2 SP Provider found' Error in Federation
Meaning of 'No SAML2 SP Provider found' Error in Federation, SAML2 transaction.
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1689376

Dynamically setting AuthnContextClassRef in the assertions
Dynamically setting AuthnContextClassRef in the assertions based upon the authentication scheme or authentication level that the SSO user authenticated with; currently the Assertion Generator API does not have that information exposed to it.
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1354535

"Allow Protection Override" checkbook on the custom authentication-scheme.
Documentation (topic is "custom-authentication-schemes") describes the "Allow Protection Override" checkbox on the authentication-scheme. This option specifies that the protection level in the library takes precedence over the protection level specified in t
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1674413

XSS Error in the browser, CA Federation & Office 365 Integration,
XSS Error in the browser, CA Federation & Office 365 Integration, as part of CA Federation and Office 365 integration when testing in Internet Explorer after authentication,
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1252731

SMPS Error: "Bad installation or configuration, Assertion handler can't be initialized. Leaving Assertion Generator Framework."
500 Error during CA Federation & Office 365 Transaction. SMPS Error: "Bad installation or configuration, Assertion handler can't be initialized. Leaving Assertion Generator Framework."
Last Update: 5/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1880219

How to resolve the "Error: Exception User might not have required permissions to get group information" when logging into the R12.52 SP1 ProxyUI.
When logging into the R12.52 SP1 Single Sign-On (fka SiteMinder) Access Control Gateway (fka Secure Proxy Server) ProxyUI an error message is displayed stating "Error: Exception User might not have required permissions to get group information"
Last Update: 5/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1304259

Unable to search for users or groups from SiteMinder in the PeoplePicker.
PeoplePicker searches from the Central Admin Server in SharePoint 2010 are not returning any results from SiteMinder.
Last Update: 5/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1808602

Disable Agent Discovery feature to prevent SiteMinder Policy Store corruption by Agent Instance objects in a Multi-Master replicated Policy Store environment.
Agent Discovery can cause corruption of Policy Store objects in a Multi-Master replicated Policy Store environment and should be disabled in these environments.
Last Update: 5/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1889667

Is a cookie provider necessary between the Web Agents on a reverse proxy server and backend web servers?
In the case of both the reverse proxy server and the backend web servers have Web Agents installed, their cookie domains can be different. This article explains such case.
Last Update: 5/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1399808

What are the possible handshake errors in policy server?
Bad security handshake attempt
Last Update: 4/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1543455

R12.52 SP1 Federation Manager AdminUI is not accessible after an upgrade
Upgrading to R12.52 SP1 CR04 CA Federation Manager from previous CR causes AdminUI to be unavailable.
Last Update: 4/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1599058

LIMIT_EXCEEDED(4) with partial result error showing when accessing a resource
Access to a protected resource is refused only when the user is member of more than one group.
Last Update: 4/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1244697

How to enable debugging of SSL connections from the proxy-engine to the backend server in CA Access Gateway (formerly CA Secure Proxy Server)
The java runtime setting -Djavax.net.debug=all will show details of the SSL connection handshakes as well as log the transferred data.
Last Update: 4/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1860387

Convert HTTP to HTTPS requests using Secure Proxy Server
Convert HTTP to HTTPS requests using SPS via Apache module or SPS proxy rules
Last Update: 4/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1945397

Secure Connection to AD User Directory with StartTLS
We currently have a secure connection to an AD USER DIRECTORY over 636. Can we use a Start TLS connection to connect over 389, and if so, how would we configure that?
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1469283

Question about HCO policy server clusters
When configuring the policy servers in a cluster in the HCO, it asks for a single port number. For non-clustered HCOs, the policy server is always coded with three ports (e.g., 44441, 44442, 44443). How do we configure the cluster ports?
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1231237

Policy Server's “ServerCommandTimeDelay” is renamed to “MaxTimeDeltaBetweenServers” from R12.51 and above
This article addresses change in the registry key name for the Policy Server.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1888869

Error: Username and password do not match
Increase entropy on policy server/WAM UI system
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1652849

There are consecutive spaces found in the installation home directory
'libidn.so.11' 32-bit library is not present on the machine
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1744609

Advanced Password Services only supports the Domain Model
Advanced Password Services is only supported by the Domain Model. Application Model is not supported.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1427491

What is the /config/XPS.cfg file used for?
XPS XPSConfig xps.cfg utility configuration
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1607105

SP-initiated POST Binding in r12.0 SP3
Our application works only as SP initiated request. This application would POST SAML request to SiteMinder 12.0 SP3. The application requires HTTP-POST binding and cannot use HTTP-REDIRECT. How can this workflow be implemented?
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1301206

Setup of Riskminder fails after already having policy server setup.
Steps to resolve the issue where Riskminder service will not run when configuring it with the Configuration Wizard without using the Configuration Wizard to also setup the Policy Store.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1951662

Federation not working in IE
Federated calls with IE are no longer working without re-authenticating, since upgrading to IE version 24
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1073418

Tombstoned object is preventing creation of new object with same name.
Tombstoned object is preventing creation of new object with same name. Will need to remove tombstoned object from Policy Store so that you can re-create it.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1103262

Failed Handshake between Webagent and Policy Server.
What are the reasons for a Failed Handshake between Webagent and Policy Server (need to re-register the Agent)
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC559187

Cannot Delete User Directory
User Directory still has references to it, so it could not be deleted.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1866433

FSSUI: too many items
FSSUI will throw error about too many items when buffer is set too low.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1025064

Secure Proxy Server does not start with Java 8 JDK
Java 8 JDK is not supported by the Secure Proxy Server. JDK 7 is supported.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1308205

Resolving certificate errors for the SPS and Agent for SharePoint Tomcat Proxy.
Receiving a "Certificate for is not trusted or bad certificate" in the Secure Proxy Server/Agent for SharePoint Trace File when connecting to the back-end Server over SSL.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1628104

Change the hostname in SiteMinder Administrative UI
We have R12.x Admin UI installed on Windows Server. The hostname of the Server has changed, is there any way to change the hostname in admin UI configuration so that I can access AdminUI with new hostname without reinstalling or modifying local hosts file
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1041056

(WARN) : [sm-xpsxps-03500] CA.SPS: No product library
When I am trying to run the XPS tools through command line, I am receiving the below message: (WARN) : [sm-xpsxps-03500] CA.SPS: No product library.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1579314

User Directory with filter having 2 attributes for ID-From-Login
We are trying to allow the user to log in with the uid or email address. Even after creating a search filter to login with both Email ID/UID in User Directory definition, it does not get resolved to the ID entered by the user (ID-From-Login).
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1992791

Redirecting users after their idle session or maximum session times have been reached
This document covers the use of the IdleTimeoutURL and MaxTimeoutURL Agent Configuration Object settings.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC490906

How to disable Policy Server automatic restart after the crash?
This article covers a setting in siteminder.conf that controls smexec's behavior.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC507375

Tracksessiondomain parameter in ACO and use FQDN as the cookie domain
When we enable tracksessiondomain parameter in ACO and use FQDN as the cookie domain you get an error 10-0017 error log states that the domain is not in the cookie and when we run the agent in 4x compat mode.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1770774

Request to back end server is timing out after specified timeout parameter
Request to back end server is timing out after few seconds and resulting with an error when they were posting some information to the back end server.

 

Enable logging in secure proxy server
enable logging like FWStrace, mod_jk and httpclient log in secure proxy server
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1805983

Web Agent and Policy Server Network Communication Disruption
This article describes the TCP keepalive based environment variable used in the components of CA SSO for improving network communication.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1079236

Updating expired SSL certificates for the Virtual Hosts on the Single Sign-On Agent for SharePoint 2010/2013
This article discusses updating expired SSL certificates for the Apache Web Server Virtual Hosts on the R12.52 SP1 Single Sign-On Agent for SharePoint 2010/2013. These steps are also valid for updating the certificates for the Access Control Gateway.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1926033

When installing CA Secure Gateway (formerly Secure Proxy Server), what is the "Master Key for Policy Server"?
The "Master Key for Policy Server" is the Session Assurance Encryption Master Key. It must match the same entry as that entered on the Policy Server
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1883207

How to fix the deployment location of login pages on CA Access Gateway (formerly SPS Secure Proxy Server)
The login.fcc page is not deployed in the usual location on CA Access Gateway and needs to be copied to the correct location.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1977406

Details on install of JSafe JCE jar files : cryptoj.jar and cryptojFIPS.jar on CA Access Gateway (formerly Secure Proxy Server)
CA Access Gateway (formerly Secure Proxy Server) deploys several cryptoj.jar and cryptojFIPS.jar files; this article explains what they do.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1243588

How to enable CA Secure Gateway (formerly Secure Proxy Server) to do NTLM authentication to the backend server
CA Secure Gateway (formerly Secure Proxy Server) can proxy onto backend servers that require NTLM authentication - this article shows how to setup that feature.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1887945

Resolving Problems installing the Java JCE Unlimited Strength Jurisdiction Policy Files package
Many problems with encryption result from the Oracle JCE Unlimited Strength Jurisdiction Policy Files package not being installed correctly.
Last Update: 4/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1698523

Can multiple values be configured for LogOffURI parameter?
This document outlines how to configure multiple resources as LogOffURI's with Single Sign-On (formerly SiteMinder)
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC487762

What LDAP queries does Single Sign-On (formerly SiteMinder) execute upon clicking the View Contents button in User Directory Properties dialog box?
The queries executed are controlled by a registry setting covered in this document.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC485119

Host Configuration Object clusters and EnableFailover
Details on when EnableFailover applies to a Host Configuration Object
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC583377

Single Sign-On Agent for PeopleSoft Agent API initialization error
The 12.51 version of the Single Sign-On Agent for PeopleSoft has new requirements on Unix operating systems to operate correctly.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1420786

Response attribute WebAgent-OnValidate-Redirect & WebAgent-OnAuthAccept-Session-Variable missing in WAMUI.
Unable to find Response attribute missing in WAMUI.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1120965

SAP WebAS agent 12.0 encrypted shared secret requirement
The 12.0 version of the SAP WebAS ERP agent requires the shared secret to be encrypted with a FIPS Compliant AES Algorithm
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1794035

CA Single Sign-On SAP WebAS ERP agent fails to initialize
A 10 second timeout value within the policy server may cause this, and newer versions of the policy server introduce a setting which allows the timeout to be increased.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1073455

SAML2.0 SP initiated Authnrequest failing on the IDP with 500 Error (java.lang.NullPointerException)
Why am I getting [Exception caught in class com.netegrity.affiliateminder.webservices.saml2.SSO, method doGet: java.lang.NullPointerException]
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1122526

After installing the SPS, the Admin UI does not start and it reports many errors with the java beans. How can I solve it ?
Incorrect installation of Java causes java bean errors and jboss not to be listening on its port
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1265197

SM Response attribute
How Siteminder (Policy Server version- 12.0.312.911) returns via SM response some attribute from ODBC after user being authenticated in LDAP?
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1939587

Increase number of connections to a specific LDAP User Directory
This article explains a tip to increase the number of connections to a specific LDAP User Directory when some performance issue is observed.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1077574

JVM Error in the SSO Policy Server trace logs.
Hello support, We're facing a big issue with our sharepoint agents. For some reason it seems that the smsession cookie being passed from the siteminder agent to the federation component of the agent isn't valid. This happens intermittently and a refresh sometimes fixes the issue which tells me that the cookie is valid. I have attached the logs that can help you troubleshooting. Here's some info on our ecosystem : SiteMinder Agent for SharePoint, Version 12.0 QMR03, Update HF-05, Label 443 running on windows 2008 R2 SP1 Siteminder policy server 12.52.0001.154 running on redhat 5.11 Regards, Pierre
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1157464

"No Session" error in adminui and "Failed to decrypt persistent key error" in SMPS log.
Multiple set of keys in keystore may cause "No Session" error in adminui and "Failed to decrypt persistent key error" in SMPS log
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1599716

Does Policy server use SSL/TLS channel for Web Agent Communication.
SSL/TLS Channel usage by Policy server for communication with Web Agent.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1893946

Where are the Siteminder Management Console settings saved?
Siteminder management console settings in policy server
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1899683

Failed to convert enabled state while trying to login to Admin UI with External admin store user.
Failed to convert enabled state while trying to login to Admin UI with External admin store user.
Last Update: 4/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1418057

Configuration Oracle HTTP webserver manual steps
WebAgent configuration for R12.0 Sp3 CR12 does not properly configure the webserver to allow it to start apachectl and opmn.xml

SiteMinder with CA Directory as policy store high availability
We have CA Directory as policy store we need to have high availability for disaster recovery purposes - minimize downtime in the event of network or system failure
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC577451

Dynamic LDAP groups for user store Oracle iPlanet LDAP directories ONLY
Does SSO support dynamic LDAP group for Oracle LDAP, if so how do we configure it
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1676115

Policy Server reports error "Failed to initialize Management Thread"
This technote gives a solution for the specific error "Failed to initialize Management Thread"
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1764868

Not able to launch Smconsole through command line
Smconsole not getting started, when trying to open using ./smconsole command
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC587035

SP-Initiated POST request results in 400 Error
SP-Initiated POST request results in 400 Error: No SAMLRequest or SPID parameter in request to SAML2 Single Sign-On Service Ending SAML2 Single Sign-On Service request processing with HTTP error 400
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1344266

Policy Server start-all command throws error: /netegrity/siteminder/../aas/sbin/arrfenv: cannot open [No such file or directory]
This technote explains how to fix an issue by running start-all command on the Policy Server
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1416985

Error message "The AuthnRequest with AuthnContexts is not supported." in Siteminder 12.0 SP3 acting as SP.
We are getting the below error when Siteminder posts a SAML assertion. This is an SP-initiated use case. ERROR: The AuthnRequest with AuthnContexts is not supported.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1832259

Unable to connect to an Oracle 12c RAC during installation.
I have installed CA Federation Manager 12.52 and during configuration step it is unable to connect to an Oracle 12c RAC. The configuration fails after this step.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1472153

Alternatives to renaming /dev/random to /dev/urandom
Your recommendation in your documentation to create a symlink of /dev/urandom and /dev/random has resulted in security concerns in our internal teams.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1730285

Java Virtual Machine failed memory allocation issue when starting the WAMUI in 32-bit Windows 2008.
We're getting the following error when trying to start up the WAMUI service in Windows 2008. There is insufficient memory for the Java Runtime Environment to continue. Native memory allocation (malloc) failed to allocate (X) bytes for Chunk::new
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1316487

The Secure Proxy Server Cannot Be Started Without a Valid Set Of Proxy Rules.
There is an issue with proxyrules.xml file. I saw an error in default log. [ERROR] - The Secure Proxy Server Cannot Be Started Without a Valid Set Of Proxy Rules. There was http 502 error return back to the user
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1929479

Error when setting up SSL between SPS 12.52 and backend application.
We have a backend IIS server, that we need to setup SSL between the Secure Proxy Server and the backend server. We are getting an error: "java.lang.RuntimeException: Unrecognized cipher suite" in the SPS nohup.out log.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1439974

Advanced Password Services - Message of the Day
Message of the Day will show the designated page to all applicable users the first (and only the first) time that they log in each day.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1195168

Which is default value of "EnableSearchFilterCheck" ?
In R6 SP3 and later version, default value of "EnableSearchFilterCheck" is "1" internally.
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1060277

IWA authentication creds.ntc issues 404 error
IIS, IWA, Creds.ntc, 404, Error
Last Update: 4/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1657586

How to control the session expiry in a Federation setup
In an SP Partnership federation, how to control the "Idle Timeout" and "Maximum Timeout".
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1458523

What is the smVarType session attribute created in the session Store
The smVarType session attribute can have multiple values; what is the difference between all these values?
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1771825

Configure Signing option in Legacy Federation (same concept applies to Partnership)
How to configure Siteminder to sign and process signatures in Federation setup
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1052508

Expression calculated header in a URL in a "WebAgent-OnAccept-Redirect"
How to create expressions which retrieve an HTTP header and insert the value into a URL
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1481041

Persistent cookies to transient cookies.
Process to change the agent configuration object persistent cookies configuration to transient cookies configuration.
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1493385

FSS Administration UI file extensions.
What file extensions are used by the FSS Administrative UI
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1578486

CA Single Sign On Integration With Office 365
CA Single Sign On policy server Active directory and Office 365
Last Update: 4/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1498134

Policy Server's LDAP store servers with load balancing
Information to assist customers in choosing whether to individually define hosts within CA SSO (f.k.a. SiteMinder) software to do health checks and load balance traffic, or to use an external software- or hardware-based load balancer.
Last Update: 4/25/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1513892

How to run an Unattended Standalone Upgrade Installation of the Wamui (Windows and UNIX)
SiteMinder 12.52.0101.640 silent install and silent upgrade do not work. How to run an Unattended Standalone Upgrade Installation of the Wamui (Windows and UNIX)
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1524313

Increase MaxObjects value for the policy store in the Windows Registry
When running Siteminder/SSO FSSUI or AdminUI, user attempts to modify a policy by clicking on Add/remove. In the User tab the following message appears: “Search operation failed: timed out”
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1295883

How to export a SAML 2.0 partnership from one environment to another
If you would like to move a SAML 2.0 partnership from one environment to another, e.g. development to production, you can use the XPSexport function to move all objects associated with the partnership without needing to export the entire policy store.
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1893904

Commonly used CA Access Gateway (SPS) logs and configuration files
If you run into issues on Secure Proxy Server, now known as CA Access Gateway, here is a guide to the logs used for troubleshooting and their locations
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1563845

Do CA Single Sign-On SDK Web Agents have to initiate the call to pull the new Agent key from Policy Server to retrieve a new Agent key?
CA Single Sign-On SDK is used by clients to build custom web agents. These agents retrieve Agent keys, used to encrypt CA Single... cookies that may be read by all agents in a single sign-on env. This doc explains one of the SDK agents' key processes.
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1459616

When dynamic agent keys are used, does the custom agt need to call doManagement to get agt cmds each time before it calls login or decodeToken
This Q and A relates to the SDK agents' key management process flow. Agent keys are used to encrypt CA Single Sign-On cookies that may be read by all agents in a single sign-on env. Agent keys can be dynamic. Agent commands run before a login or decodeToken.
Last Update: 4/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1292002

After installing IDM, the Wamui displays '???key: page.display.error???' in red text.
This case/issue type document covers a particular problem when configuring IDM in the CA SSO Admin UI.
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1917165

How to display IPv4 IPs in OneView Monitor
We tried to pull agent info from OneView Monitor, but it is posting in IPv6 format for hosts running on IIS. We need to convert the display to IPv4 on OneView Monitor.
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1643575

How to enable Agent Discovery
We are trying to view agent-specific details in the Agent Instances list, however Agent Discovery seems to be disabled.
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1287121

Post Preservation encoding
Form post information is encoded and stored in form data SmPostPreserve. Can this be decoded manually?
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1579173

SessionLinker Installation and Configuration Documentation.
This document contains where to locate the Session Linker Installation and Documentation Guides.
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1067008

ERROR: Agent API initialization failed when running SmPortalVfy.exe
Getting below errors when running SmPortalVfy.exe from \CA\webagent\bin 4/16/16 6:39 AM [SM-APS-61103] Server MyServer at 127.0.0.1... 4/16/16 6:39 AM [SM-APS-61070] ERROR: Agent API initialization failed.
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1220238

Message: "Could not resolve agent" ; Returned Error Code = -14 while running SmPortalTest
Getting below errors when running SmPortalTest.exe from \CA\webagent\bin C:\CA\webagent\binSmPortalTest.exe abc [APS Version 12.52.0101.640 - SmPortalTest Rev 12.52.0101.640] Returned Error Code = -14 Message: "Could not resolve agent"
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1244998

Policy Server failed to connect to the LDAP policy store
Policy Server is logging “Error 91 - Can't connect to the LDAP server“ against the LDAP policy store
Last Update: 4/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1391568

How to solve the Linux AdminUI error "wrong username or password"
This technote gives a way to solve a specific error happening on Linux AdminUI.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1639062

What does this error mean, SmServerConnection, connect, Exception calling TCP transport connect: java.nio.channels.UnresolvedAddressException?
java sdk pure jni SmServerConnection UnresolvedAddressException exception checkaddress
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1233665

How to enable mod_jk logging for CA Access Gateway (SPS)
In order to see more information for runtime events of communication from Apache to Tomcat you would want to enable mod_jk logging and set it to debug.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1313831

How to update your Java JDK for your CA Access Gateway (SPS)
If you need to update your Java JDK version on your SPS server, follow these steps to tell the SPS to use the new versions.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1918365

How to change the logging level of the server.log for CA Access Gateway (SPS)
In case you are having issues with your CA Access Gateway (SPS) and need to enable more logging in server.log to determine the cause of the issue.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1369844

How to enable HTTPclient logging for CA Access Gateway (SPS)
In order to see transactional information and runtime events of communication from the SPS to a backend application you would want to enable HTTPclient logging.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1073996

SAML assertions are not getting generated
Looping between the redirect.jsp and the authenticationURL
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1430667

systemctl and Web Agent startup settings for Red Hat Apache Web Server 2.4.x
This article explains how to set up the Web Agent for Red Hat Apache Web Server 2.4.x/RHEL 7. It requires special care with /etc/sysconfig/httpd and ca_wa_env.sh.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1340867

Ignore APS during authentication call.
How to Ignore APS during authentication call.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1566779

Cannot authorize with the group membership in Active Directory when the group is the Primary group.
Users are not authorized from Active Directory User Store when the user policy is Group Membership and the group is set to the Primary group of the users.
Last Update: 4/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1392334

Creating an “Idea” (Enhancement Request)
How to submit Ideas/Enhancement Requests through CA Communities.
Last Update: 4/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1579832

Starting LLAWP process under different user identities.
How to start the LLAWP process under Network service, Local system, LocalService, Custom Account.
Last Update: 4/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1901339

SM_USER header value in IWA authentication scheme.
How to change the format of SM_USER header from DOMAIN\UID format to UID in IWA authentication.
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1500602

AuthnRequest sign verification issue
Missing configuration data of DSigVerInfoIssuerDN or DSigVerInfoSerialNumber
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1449712

Performance issues observed after deploying/enabling CA directory as a session store in the environment
The Single Sign-On policy server can get into a state where it is unable to keep up with session store maintenance when CA LDAP Directory is deployed as the session store and is not properly configured; performance degradation can occur on the policy server.
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1948652

smfedexport tool example non-functional
We are trying to use the smfedexport tool to generate a federation metadata file using the example provided in the documentation, but we are getting errors complaining that invalid tags were entered.
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1909494

LDAP Error 81 user store in the smps log
Policy server error log shows LDAP Error 81 for connections to our user store. Why does this occur, under what circumstance, and can this be prevented?
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1536754

Enhancement Changes to SiteMinder Thread Model in version SM6.0.5.22 & R12.1.3
We have been using the product for many years, and it seems to have changed over time. We are trying to understand how the policy server process works as a single-process, multi-threaded application.
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC491240

LDAP Connections manager error to our active directory user store
Policy server error log shows LDAP Connections manager error in function prldap_set_session_option is not supported. Why does this occur, under what circumstance, and can this be prevented?
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1872328

Unable to Log Into Adminui
SunOne Oracle Directory Server XPSNumber=*
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1129233

LLAWP 100% CPU Consumption with 6.x Agent
permissions are missing
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1263416

Deformed response from webserver with webagent enabled
Webserver responded with deformed packets when webagent is enabled.
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1740224

Federation login failed with error 400
SP-initiated SSO is failing with error 400 - Reason: UNSUPPORTED_AUTHN_REQUEST_BINDING
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1351614

Getting SetCryptoConfig error while installing Policy server.
ERROR - Command failed: "C:\Users\Administrator\AppData\Local\Temp\1\487853.tmp\smreg" SetCryptoConfig "******" "0" "" "" ""\nReturn Value: 1\nStdout: {2}\nStderr: {3}
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1359533

LDAPPingTimeout Explained
LDAPPingTimeout
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1466133

AgentWaitTime Explained
AgentWaitTime
Last Update: 4/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1149456

How to Reset Encryption Key using MSSQL Databases
SQL Server as Policy Store
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC537906

Usage of JUEL in SAML Assertion Configuration
Passing assertion attributes in an assertion using a JUEL expression in partnership federation.
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1696554

Report Instance Was Not Successfully Created
Audit reports installation
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1783432

SAML assertions are not getting generated
LOOPING between the redirect.jsp and the authenticationURL
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1544433

Web agent unable to process SMSESSION
cookie is custom from a third party and not accepted
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1412751

How to restrict the use of Forgotten Password Service (FPS)?
Max Attempts Frequency in APS.cfg
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1044754

Why the ProxyUI login page does not load logo images correctly
SPS login page without images
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1014525

Why am I getting user account lockout issues when a User ID exists on 2 User Directories attached to a SiteMinder Domain?
user authenticates with the password from the second UD then the invalid password account on the first increments
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1613415

Federation Users Disappear
After modifying a partnership, the list of federation users is disappearing, effectively disabling the partnership.
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1234422

HCO Configuration: Cluster vs. Legacy failover/Load Balance
Which will take precedence when both a cluster and traditional or legacy failover/load balance hosts are configured?
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1304907

What version of Policy Server is "CA Access Gateway for NetScaler SDX" supported with
Is a license required for the Citrix NetScaler agent, and is it supported with 12 SP3 SiteMinder Policy Server
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1507074

XPSExport -xb and Host-specific configuration data
XPSExport; -xb option; Host-specific configuration data; XPSImport
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1328124

Attribute based access Authorization
I am unable to configure user Authorization based on an attribute value
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1928817

Accented characters included in SAML assertion attributes show up as '?'.
Some user attributes that are being included in SAML assertions contain accented characters such as è. Instead of showing up as they do in the user store, these accented characters are showing up as question marks (?).
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1155183

Are Windows Patches/Hotfixes Supported?
Do CA Single Sign-On components support all Windows patches, or only Service packs?
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1184304

SessionNotOnOrAfter parameter Causing Timeout on SP
Upon consumption of the assertion generated by SiteMinder, the third-party SP generates a session for the user; however, this session expires after 5 min
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1543175

Clean up semaphores and shared memory by process ID on Red Hat OS
I am using kill -9 to stop the LLAWP process. How can I clean up the semaphores and shared memory that are related to the LLAWP process?
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1008266

Unable to run the audit report from admin ui.
Error returned upon running audit report from WAMUI: Unable to find servers in CMS Servername:6400 and cluster @Servername:6400 with kind fileserver and service FileStoreV2.All such servers could be down or disabled by the administrator.(FWM 01014)
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1709612

Deactivate the Federation partnership using XPSExplorer .
How to deactivate the federation partnership using XPSExplorer?
Last Update: 4/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1580417

Secure Proxy Server hangs under load
Secure Proxy Server becomes unresponsive as load increased to a certain level with following exception logged : java.lang.OutOfMemoryError: unable to create new native thread
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1435512

SM password policy is not invoked
User is not disabled after max failed login attempts defined in the SM password policy
Last Update: 4/14/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1426162

Special Characters in Password Policy Name
Ampersand Wildcard illegal values
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1564684

CertDB Folder Missing after Upgrade
policy server upgrade
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1978875

Multiple one-view Monitors in policy server management console.
How to configure multiple policy servers to send one-view monitoring requests to a remote policy server.
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1988591

Open SQL Connections
Policy server ODBC open connections.
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1055844

Getting access denied when using SmX509CertAuth Version 3.7.3
SmX509CertAuthscheme usage with Policy server.
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1150946

Disable Advanced Auth in SPS
Modifying the server.conf file
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1844843

Cannot Enable Sign-Out in Office365 Partnership
Sign-Out Options Disabled
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1108228

Federation Single Logout Does Not Work
Logout fails with a 500 error
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1071309

Policy server ODBC open Connections to policy store.
Open connection of the policy server to the ODBC policy store and the housekeeping policy server query to the policy store database.
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1776037

RelayState truncated in SAML 2.0 POST
How to post RelayState data while posting assertion to consumer service?
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC529287

Security Token Service (STS) URL returns 404 error
Cannot access STS URL
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1454069

How to control authorization cache at policy server?
Use of DsInfoEnabled registry key
Last Update: 4/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC527999

How to download CA Single Sign-On (formerly SiteMinder) components
Step-by-step procedure to download CA Single Sign-On (formerly SiteMinder) components from support.ca.com
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1364894

Cannot fetch agent agent
This error is seen in smps log, indicating the policy server cannot fetch agent.
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1138796

Reasons why the affwebservices log might not be generated
Affwebservices Log Not Generated
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1564704

What do the values in the policy server stats output mean?
smpolicysrv -stats parameters
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1882665

Where do I find CA Single Sign On (SiteMinder) Downloads?
product download
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1920083

I cannot log in to Adminui Directly after Configuring Adminui External Authentication Store
error on adminui login
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1988243

Unable to launch the Policy Server Management Console
Error: Couldn't load javasmconsoleapi
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1332206

smreg –su password fails
Setting the CA Single Sign-On (Siteminder) Super User Password returns a popup
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1284157

Unable to logoff the ProxyUI
Unsuccessful logoff
Last Update: 4/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1960756

Do we need all certificate chain in the cert8.db when using SSL to connect to stores ?
When using a complex cert chain to connect to an LDAP store, only one certificate from the chain is mandatory in the trusted store
Last Update: 4/11/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1765462

WS-Fed Lifetime entity timestamp error
Our WS-Fed partnership is failing due to an incorrect timestamp format generated for the Lifetime entity, rather than the expected ISO8601 format.
Last Update: 4/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1550216

The different CA SiteMinder Single sign on WebAgent modules on Windows.
The document will explain the different WebAgent modules (isapi6webagent.dll) and (IIS7webagent.dll).
Last Update: 4/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1867088

DSigException: Error in DSigVerifier
This exception occurs when no certificate can be found in the smkeydatabase which matches the issuer DN.
Last Update: 4/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC486187

Separating Affwebservices with only the Application Server and Agent option pack
Can Affwebservices be used with only an Application Server or is a WebServer required for Federation?
Last Update: 4/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC486229

Adminui Reinstall Fails On Unix/Linux
installation errors
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1924814

OneView Monitor displays IP of policy server as 0.0.0.0:1
In OneView Monitor, all the IP addresses of the policy servers are displayed as 0.0.0.0:1 instead of their IPv4 addresses.
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1696832

CA Siteminder SMTestTool fails to launch with error referencing "Microsoft.VC80.MFC"
What should we do when we get this error message. “Activation context generation failed for "C:\setup\sso\aabbccx100\smtest.exe". Dependent Assembly Microsoft.VC80.MFC"
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1344887

SAML Service Provider User Attributes not seen in 12.52 SP1 Adminui After Upgrade from V6
SAML service provider attributes, legacy Federation migration
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1271764

Does EnableDynamicHCO work with traditional failover/load balance HCOs, or only clusters?
Dynamic HCO Details: clusters vs. traditional failover/load balance
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1428454

X.509 client certificate authentication results 403 error
Certificate Mapping must have an Issuer DN which is composed of comma-connected RDNs. Authentication fails if RDNs are connected by "comma+space".
Last Update: 4/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1129895

SiteMinder SNMP logging on Unix
This article describes the three logs the SiteMinder SNMP process writes to on the Unix operating system.
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1642705

Policy Server crashes because it shares JVM with Wily
This technote discusses how to fix problems with the Policy Server when using Wily.
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC599368

How to solve a leakage of Privileged Information when running Apache as Reverse Proxy in front of a Web Agent.
This technote gives tips on how to prevent leakage of privileged information from an Apache Reverse Proxy in front of a Web Agent.
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC565902

When trying to reach the AdminUI, I get in browser "Page cannot be found"
This technote gives tips for when a "page cannot be found" error occurs when reaching the AdminUI.
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC584448

Is Policy Server restart required after importing certificates?
This technote discusses the need to restart the Policy Server when certificates are added to the SmKeyDatabase
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC529630

How can we disable SSLv2/SSLv3 protocol in Federation Manager?
Modify server.conf and httpd-ssl.conf files to set SSL protocol and cipher configuration on FEDMA.
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1552086

What is the meaning of the WebAgent error message 20-0004?
What is the meaning of the WebAgent error message 20-0004?
Last Update: 4/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC479707

CA Directory connection failure / need to restart directory every 30 mins
When using CA Directory as user Store, need to restart it every 30 mins as connection becomes invalid due to bad syntax
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1616173

Why can't I change Idle timeout and Maximum timeout under partnership settings for a federation 3rd party product on the SP side
This question and answer is part of the subject of changing settings on the 3rd party product from the Ca Single Sign-On federation partnership side.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1676776

How to make Apache 2.4 accept Web Agent Header Variables with Underscore Characters
This technote discusses how to let Apache 2.4 accept header names with underscores.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC606939

Why does LLAWP Process Not Start after Starting Web Server?
agent startup issue
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1928682

Smkeydatabase : How to Rebuild the Smkeydatabase for Federation
This technote gives a sample of how to recreate the Federation SmKeyDatabase from scratch.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC542090

How to check which version of the Progress / DataDirect driver we are running?
As we are using 3rd-party software for the DB connection, it may be interesting to know the exact version
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1090197

Compatibility note about support of RSA 8.1 with CA Single Sign-On 12.52SP1
This technote gives details about supportability of the RSA Server.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1934108

Tips on how to troubleshoot the SAML "DSigSigner Initialization Failing" error
This technote gives tips on how to troubleshoot the DSigSigner Initialization Failing error in the Policy Server
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC542084

SharePoint Office integration with CA Single Sign-On Web Agent as Reverse Proxy
This technote discusses integration of Office document protection with CA Single Sign-On Web Agent.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC537670

Multiple and Frequent initialization or Startup Stop Messages in Web agent Logs.
This technote discusses informative log lines that are seen in the log of the Web Agent.
Last Update: 4/4/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC541462

Apache service is not starting up on Windows
Apache Web Server fails to start while loading SiteMinder module mod_sm24/mod_sm22, and the following error message appears in Windows Event Viewer.
Last Update: 4/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1957282

Steps to Re-register Admin UI
These steps describe the process of re-registering an Admin UI with the Policy server
Last Update: 4/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1547349

Please note that you can always access the full list at the following link:

http://www.ca.com/us/support/ca-support-online/support-by-product/ca-single-sign-on.aspx?d=t&language=en&type=Knowledge&…

 

Feel free to post your questions in the community if you have questions about any of these KB articles.

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Feb 2, 2016

 

Environment:

  • Oracle HTTP Server 11g
  • Siteminder Web Agent : 12.5+

Step 1. Changes to the httpd.conf file at <Instance Directory>\instance1\config\OHS\ohs1

1. Add LoadModule entry to the DSO Support section

Add the following line to the Dynamic Shared Object (DSO) Support configuration section, which precedes the Main server configuration section of the file.

    LoadModule sm_module "<web_agent_home>/win64/bin/mod_sm22.dll"

Note: The SiteMinder Agent requires one of the following modules in order to load:

Apache 2.0

    LoadModule sm_module web_agent_home/bin/libmod_sm20.so

Apache 2.0 running on Windows

    LoadModule sm_module web_agent_home/bin/mod_sm20.dll

Apache 2.2 running on Windows

    LoadModule sm_module web_agent_home/bin/mod_sm22.dll

2. Add SmInitFile Entry

This entry is placed after the LoadModule entry that you added in (1). A full path is used, not a relative path.

SmInitFile "<Instance Directory>/instance1/config/OHS/ohs1/WebAgent.conf"

 

3. Add Alias entries

In the Aliases section of the file, add the following entries to enable SiteMinder features.

Note: The Alias /siteminderagent/ "<web_agent_home>/samples/" entry must come after all other aliases in the Aliases section.

    AliasMatch /siteminderagent/nocert/[0-9]+/(.*) "<web_agent_home>/win64/$1"
    <Directory "<web_agent_home>/win64/$1">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    Alias /siteminderagent/pwcgi/ "<web_agent_home>/win64/pw/"
    <Directory "<web_agent_home>/win64/pw/">
        Options Indexes MultiViews ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    Alias /siteminderagent/pw/ "<web_agent_home>/win64/pw/"
    <Directory "<web_agent_home>/win64/pw/">
        Options Indexes MultiViews ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    Alias /siteminderagent/ "<web_agent_home>/win64/samples/"
    <Directory "<web_agent_home>/win64/samples/">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

 

Step 2. Create a WebAgent.conf file with the following content and copy it to <Instance Directory>\instance1\config\OHS\ohs1

    # WebAgent.conf - configuration file for SiteMinder Web Agent
    # Web Agent Version = 12.51, Build = 1402, Update = 07

    LOCALE=en-US

    #agentname="<AgentName>, <IPAddress>"
    HostConfigFile="<web_agent_home>\win64\config\SmHost.conf"
    AgentConfigObject="<aco_name>"
    EnableWebAgent="YES"
    ServerPath=""
    #localconfigfile="<Instance Directory>\instance1\config\OHS\ohs1\LocalConfig.conf"
    LoadPlugin="<web_agent_home>\win64\bin\HttpPlugin.dll"
    #LoadPlugin="<web_agent_home>\win64\bin\Affiliate10Plugin.dll"
    #LoadPlugin="<web_agent_home>\win64\bin\SAMLAffiliatePlugin.dll"
    #LoadPlugin="<web_agent_home>\win64\bin\eTSSOPlugin.dll"
    #LoadPlugin="<web_agent_home>\win64\bin\IntroscopePlugin.dll"
    #LoadPlugin="<web_agent_home>\win64\bin\SAMLDataPlugin.dll"
    #LoadPlugin="<web_agent_home>\win64\bin\OpenIDPlugin.dll"
    #LoadPlugin="<web_agent_home>\win64\bin\DisambiguatePlugin.dll"
    #LoadPlugin="<web_agent_home>\win64\bin\OAuthPlugin.dll"
    AgentIdFile="<Instance Directory>\instance1\config\OHS\ohs1\AgentId.dat"

 

Step 3. Create an AgentId.dat file with the following content and copy it to <Instance Directory>\instance1\config\OHS\ohs1

    GUID=000080fe0000000075939d10c0597d33-0bf0-5643dc86-0bf4-0339021c

(Specify a unique GUID value for each Agent instance.)

 

Step 4. Change the opmn.xml file at <Instance Directory>\instance1\config\OPMN\opmn

Add the following lines after the

    <ias-instance id="instance1" name="instance1">
    <environment>

section:

    <variable id="NETE_WA_PATH" value="<web_agent_home>/win64/bin"/>
    <variable id="NETE_WA_ROOT" value="<web_agent_home>/win64" />
    <variable id="PATH" value="$NETE_WA_PATH;$PATH"/>

 

 

Note:

     1. Every placeholder within <> needs to be replaced with the actual path.

     2. After making all these changes, the OS needs to be restarted.

 

Attachment:

All the sample files are attached for reference.
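
A pre-restart check for the ordering rules in Step 1 (SmInitFile after the LoadModule entry and given as a full path, the /siteminderagent/ alias after all other aliases, every <Directory> block closed), as an added example that is not part of the original post or of CA's tooling. The function name, finding codes and the C:/CA/webagent and C:/Oracle/instance1 paths are constructed for illustration.

```python
import re

# Constructed samples; C:/CA/webagent and C:/Oracle/instance1 are hypothetical paths.
SAMPLE_GOOD = r'''
LoadModule sm_module "C:/CA/webagent/win64/bin/mod_sm22.dll"
SmInitFile "C:/Oracle/instance1/config/OHS/ohs1/WebAgent.conf"
AliasMatch /siteminderagent/nocert/[0-9]+/(.*) "C:/CA/webagent/win64/$1"
Alias /siteminderagent/pwcgi/ "C:/CA/webagent/win64/pw/"
Alias /siteminderagent/pw/ "C:/CA/webagent/win64/pw/"
Alias /siteminderagent/ "C:/CA/webagent/win64/samples/"
<Directory "C:/CA/webagent/win64/samples/">
    Options Indexes MultiViews
    AllowOverride None
</Directory>
'''

SAMPLE_BAD = r'''
SmInitFile "config/OHS/ohs1/WebAgent.conf"
LoadModule sm_module "C:/CA/webagent/win64/bin/mod_sm22.dll"
Alias /siteminderagent/ "C:/CA/webagent/win64/samples/"
Alias /siteminderagent/pw/ "C:/CA/webagent/win64/pw/"
<Directory "C:/CA/webagent/win64/samples/">
    Options Indexes MultiViews
'''

# Drive-letter, POSIX-rooted or UNC paths count as full paths.
ABSOLUTE = re.compile(r'^(?:[A-Za-z]:[\\/]|/|\\\\)')


def check_httpd_conf(text):
    """Return a list of (code, message) findings for the Step 1 rules."""
    findings = []
    load_line = init_line = init_path = catchall_line = None
    other_alias_lines = []
    open_dir = None  # line number of a <Directory> still waiting for its close

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        lower = line.lower()
        if lower.startswith('</directory'):
            open_dir = None
            continue
        if lower.startswith('<directory'):
            if open_dir is not None:
                findings.append(('UNCLOSED_DIRECTORY',
                                 f'<Directory> opened on line {open_dir} is never closed'))
            open_dir = n
            continue
        parts = line.split(None, 2)
        name = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ''
        if name == 'loadmodule' and arg == 'sm_module':
            load_line = n
        elif name == 'sminitfile':
            init_line = n
            init_path = line.split(None, 1)[1].strip().strip('"') if arg else ''
        elif name in ('alias', 'aliasmatch'):
            if name == 'alias' and arg == '/siteminderagent/':
                catchall_line = n
            else:
                other_alias_lines.append(n)

    if open_dir is not None:
        findings.append(('UNCLOSED_DIRECTORY',
                         f'<Directory> opened on line {open_dir} is never closed'))
    if load_line is None:
        findings.append(('NO_LOADMODULE', 'no "LoadModule sm_module" entry found'))
    if init_line is None:
        findings.append(('NO_SMINITFILE', 'no SmInitFile entry found'))
    else:
        if load_line is not None and init_line < load_line:
            findings.append(('SMINITFILE_BEFORE_LOADMODULE',
                             f'SmInitFile (line {init_line}) precedes LoadModule (line {load_line})'))
        # An unreplaced <Instance Directory> placeholder is also reported here.
        if not ABSOLUTE.match(init_path):
            findings.append(('SMINITFILE_RELATIVE',
                             f'SmInitFile path "{init_path}" is not a full path'))
    if catchall_line is not None:
        later = [n for n in other_alias_lines if n > catchall_line]
        if later:
            findings.append(('CATCHALL_ALIAS_NOT_LAST',
                             f'Alias /siteminderagent/ (line {catchall_line}) is followed by '
                             f'other aliases on lines {later}'))
    return findings


if __name__ == '__main__':
    for label, sample in (('good', SAMPLE_GOOD), ('bad', SAMPLE_BAD)):
        print(label, check_httpd_conf(sample) or 'no findings')
```
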