
CA Technologies Support is alerting customers to potential risks with CA Single Sign-On (CA SSO), formerly known as CA SiteMinder. Michael Brooks of BishopFox alerted CA to vulnerabilities that can allow a remote attacker to cause a denial of service or possibly gain sensitive information. CA has fixes that address the vulnerabilities.

 

The first vulnerability, CVE-2015-6853, occurs due to insufficient verification of requests in the CA SSO Domino web agent. A remote attacker can make a request that could result in a crash or the disclosure of sensitive information. CA has assigned this vulnerability a High risk rating. Only CA SSO customers using the Domino web agent are affected by this vulnerability.

 

The second vulnerability, CVE-2015-6854, occurs due to insufficient verification of requests in all CA SSO web agents other than the Domino web agent. A remote attacker can make a request that could result in a crash or disclose sensitive information. CA has assigned this vulnerability a High risk rating. The web agents in CA SSO versions 12.51 and 12.52 are not affected by this vulnerability. Secure Proxy Server (SPS) Agents, SharePoint Agents, Application Server Agents, ERP Agents, Web Agent Option Pack, and Custom Agents are also not affected by this vulnerability.

 

Read more at: CA20160323-01: Security Notice for CA Single Sign-On Web Agents - CA Technologies

List of vulnerability alerts: Vulnerability Alerts - View All - CA Technologies

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on March 17, 2016

 

Problem Summary

Console mode install (-i console) attempts to open X-windows irrespective of the console mode switch.

If the X11 libraries are not installed, it even throws the following error:

 

Additional Notes: FATAL ERROR - The Installer has failed due to an Unhandled Exception

java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11GraphicsEnvironment

 

Environment

Version : Any SSO version prior to r12.52 SP2

Component Affected : All

 

Root Cause

This is actually a bug in the third-party software, Install Anywhere, that we use to build our installer. It tries to initialize the X11 graphics component even during a console mode installation.

 

Workaround

Unset the DISPLAY environment variable by running the following command before executing the installer.

unset DISPLAY

 

Solution

This has been fixed in 12.52 SP2 onwards, as we have upgraded Install Anywhere to 2014, which has a fix for this bug.

 

References

https://community.flexerasoftware.com/showthread.php?193768-Installer-crash-in-console-mode-if-display-is-set-(IA-2010-P…

Hello CA Single Sign-On Community Users,

 

Please find below the list of the latest Knowledge Base Articles for Single Sign-On (formerly CA SiteMinder) published or updated since 24th-Feb-2016 for your reference:

 

Identity Provider is getting the error, "Error Signing Assertion.", when trying to sign assertions.
How to fix errors from Signing Assertion in smkeydatabase.
Last Update: 3/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC486231

SMFSS error: com.netegrity.smerrlog.SmLogException: Failed to load smerrlog Caused by: java.lang.UnsatisfiedLinkError: smerrlog (No such file or directory)
How to resolve the following error: com.netegrity.smerrlog.SmLogException
Last Update: 3/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC488425

DSigException: Error in DSigVerifier
DSigException
Last Update: 3/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC486187

Separating Affwebservices with only the Application Server and Agent option pack
Can Affwebservices be used with only an Application Server or is a WebServer required for Federation?
Last Update: 3/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC486229

Why is the Value of response not cached under some circumstances even though response is configured to cache value?
This article explains even though response is configured to cache value, why the value of response is not cached under some circumstances.
Last Update: 3/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC470250

Error when setting up SSL between SPS 12.52 and backend application.
We have a backend IIS server, that we need to setup SSL between the Secure Proxy Server and the backend server. We are getting an error: "java.lang.RuntimeException: Unrecognized cipher suite" in the SPS nohup.out log.
Last Update: 3/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1439974

Java Virtual Machine failed memory allocation issue when starting the WAMUI in 32-bit Windows 2008.
We're getting the following error when trying to start up the WAMUI service in Windows 2008. There is insufficient memory for the Java Runtime Environment to continue. Native memory allocation (malloc) failed to allocate (X) bytes for Chunk::new
Last Update: 3/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1316487

User is not re-directed back to a Custom Login Form after a POST
User is not re-directed back to a Custom Login Form after a POST to the login.fcc with a blank Username and/or Password.
Last Update: 3/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC451680

SAML Metadata with AttributeService Fails to import from Administrative UI with Error "System error trying to perform entity import."
System errors trying to perform entity import whenever attempting to import a Metadata that contains AttributeService
Last Update: 3/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1297915

Unable to Import Identity Mapping Domain Object
This article discusses how to work around the problem of not being able to import an Identity Mapping Domain Object.
Last Update: 3/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1299634

SiteMinder SDK: usage of bin64, java64 and samples64 folders.
This article explains usage of bin64, java64 and samples64 folders with SiteMinder SDK.
Last Update: 3/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1582157

500 error with SAML auth scheme "not protected".
500 errors when SAML resource is not protected even though a realm was created and assigned a SAML auth scheme.
Last Update: 3/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC488426

FAILED_INVALID_RESPONSE_RETURNED after CRL imported
FWSTrace.log shows : Unable to get Assertion Consumer URL. Reason: FAILED_INVALID_RESPONSE_RETURNED
Last Update: 3/4/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1997658

Issues renaming the Secure Proxy Server access log
We are trying to rename Secure Proxy server current access log to following format: accesslog.log, it was achieved by updating httpd.conf but an additional number is getting added to the filename like (accesslog.log.1448841600).
Last Update: 3/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1759004

The Secure Proxy Server Cannot Be Started Without a Valid Set Of Proxy Rules.
There is an issue with proxyrules.xml file. I saw an error in default log. [ERROR] - The Secure Proxy Server Cannot Be Started Without a Valid Set Of Proxy Rules. There was http 502 error return back to the user
Last Update: 3/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1929479

Error message "The AuthnRequest with AuthnContexts is not supported." in Siteminder 12.0 SP3 acting as SP.
We are getting the below error when Siteminder posts a SAML assertion. This is an SP-initiated use case. ERROR: The AuthnRequest with AuthnContexts is not supported.
Last Update: 3/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1832259

SharePoint redirecting to nonexistent page
After sign-in, the SharePoint agent is redirecting to a nonexistent page
Last Update: 3/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1041826

Siteminder Web Agent semaphore INFO messages when in Apache Prefork MPM
Why do I see "Created semaphore 8421388 using key 0x6947862b" so often in the Apache error log?
Last Update: 2/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1210152

Changing Siteminder AdminUI server name
If the server name has changed, do I need to Uninstall and re-install the Adminui ?
Last Update: 2/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1026082

Upgrade the SOA Security Manager Gateway from Version 12.1 to 12.1 SP3
Procedure to Upgrade the SOA Security Manager Gateway from Version 12.1 to 12.1 SP3
Last Update: 2/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC574134

ADD mode with an XPSExport utility
Migrate a domain object with ADD mode from one environment to another environment.
Last Update: 2/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1314503

Password policy data consideration when Upgrading Siteminder
Considerations for Upgrading Password Policy Data
Last Update: 2/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1045295

Siteminder compatibility with Oracle Wallet Application
We are seeing issues with an application using Oracle Wallet with SHA2 when Siteminder is enabled. It clocks for a while and the users see Page cannot be displayed. When Siteminder is disabled the application works fine. I am attaching all the required logs and platform information. Please review and respond ASAP. Webagent Version:12.50, Build = 813, Update = 01 OS: Linux 5.11 Policy Server Version: Version: 12.51; Update: 00.01; Build: 979; CR: 01 OS: Linux 5.11
Last Update: 2/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1323462

What should we do when we get this error message? [CSmDbUtilities.cpp:567][ERROR][sm-Odbc-00070] Error Code is 0 message is 'State = 08003 Internal Code = 0 - [Microsoft][ODBC Driver Manager] Connection not open'.
[sm-Odbc-00070];'State = 08003;Internal Code = 0 - [Microsoft][ODBC Driver Manager] Connection not open'.
Last Update: 2/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1934643

What should you do when you get this error message "Failed to create agent configuration"
"Failed to create agent configuration"
Last Update: 2/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1581017

What should you do when you get this error message, "The SMSESSION cookie is malformed, the session spec field is missing".
SMSESSION cookie is malformed;session spec field is missing
Last Update: 2/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1199389

Difference between the isapi6webagent.dll and IIS7webagent.dll
isapi6webagent.dll;iis7webagent.dll.
Last Update: 2/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1867088

Do we need to have ERP Agent 5.6 and 12.0 are compatible with Session Linker 12.52.
ERP Agent;SAP Agent; Siebel Agent;PeopleSoft Agent;SessionLinker
Last Update: 2/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1422071

Where to find documentation on the installation and configuration of Session Linker?
SessionLinker Documentation
Last Update: 2/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1067008

Where do I find the Product Support Matrix (PSM) for ERP Server Agents SiteMinder & SessionLinker for ERP Systems.
PSM , ERP,CRM,SAP,SIEBEL,PeopleSoft,PeopleTools,Oracle,SESSIONLINKER
Last Update: 2/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1515173

AdminUI: Partnership failed to activate
Using the AdminUI, each time that we were trying to activate a Partnership we were getting the following error: Error activating Partnership.
Last Update: 2/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1689372

Understand Policy server user authorization cache
User authorization cache for single sign-on policy server, what is the size, how are entries removed
Last Update: 2/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1405006

Error while installing the secure proxy server or policy server in RHEL 6
In RHEL 6 Installer is looking at a different place i.e. /etc/issue instead of /etc/redhat-release; Error "cat : etc/issue: permission denied" while installing the SPS and PS.
Last Update: 2/24/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1793668

SPS Agent Initialization issue
While starting up the SPS server, sometimes the agent for one of the virtual hosts does not initialize properly, which in turn shuts down the proxy engine.
Last Update: 2/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1370043

activeResponse error : Failed to get IIDSamlAttribute from Active Response
The attribs seem to have retrieved from saml assertion and set in the session store. However, the active response cannot seem to retrieve the saml attribs. We see the following activeResponse: Failed to get IIDSamlAttribute from Active Respo
Last Update: 2/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1473758

SAML2.0 Auth Scheme failure
Receiving an error in adminui "Failed to execute CreateSAMLv2IdPEvent" while creating an SAML authentication scheme SAML 1.x/2.0 and WSFED
Last Update: 2/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1229422

Supported latest Java version and how to upgrade
We got some JAVA related security vulnerabilities, for that we need to upgrade Java version or we have to apply latest patch.
Last Update: 2/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1616287

Configure CA Directory as a user directory for SiteMinder Advanced Password Services.
How to configure CA Directory as a user directory for SiteMinder Advanced Password Services.
Last Update: 2/23/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1919596

 

Please note that you can always access the full list by going to the following link:

http://www.ca.com/us/support/ca-support-online/support-by-product/ca-single-sign-on.aspx?d=t&language=en&type=Knowledge&…

 

Feel free to post your questions in the community if you have questions about any of these KB articles.

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies