
Hello CA Single Sign-On Community Users,

 

Please find below the list of the latest Knowledge Base Articles for Single Sign-On (formerly CA SiteMinder) published or updated since 22nd June 2016, for your reference:

 

'AgentDiscoveryEnabled' Not Available in XPSConfig After Upgrading.
The Policy Server was upgraded to CA SiteMinder r12.51 CR08 in order to take advantage of the ability to disable Agent Discovery. This feature was introduced in r12.51 CR07. 'DisableAgentDiscovery' is not present in XPSConfig after the upgrade.
Last Update: 7/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1541845

FSS AdminUI 500 error
After configuring the Web Agent on a Linux machine, the new FSS UI does not work and returns a 500 internal server error.
Last Update: 7/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1887042

CA SSO r12.52 Reports are not Opening When Being Viewed
Using CA SSO r12.52 Report Server, when attempting to View a report which has already been generated, the page shows empty and the report is not returned.
Last Update: 7/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1925365

Restart Policy Server when you update sm.registry file.
This article explains the required restart of the Policy Server when changing a value in sm.registry on Linux.
Last Update: 7/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1696518

CA Siteminder Vulnerabilities CVE-2015-6853 & CVE-2015-6854
CVE-2015-6853 & CVE-2015-6854: A remote attacker can make a request that could result in a crash or the disclosure of sensitive information.
Last Update: 7/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1552755

ODBC Policy Store restrictions
When migrating an LDAP Policy Store to PostgreSQL, XPSImport encountered an error because an AgentName length exceeded 4000 characters.
Last Update: 7/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1859089

In order for the Web Agent to work properly on the Oracle HTTP Server, the necessary environment variables need to be set.
Modify ohs.plugins.nodemanager.properties and add the environment variables.
Last Update: 7/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1832669

Configuring specific authentication schemes on the Web Agent on an Oracle HTTP Server requires specific SSLVerifyClient settings.
1. Change the value of the SSLVerifyClient directive in the httpd.conf used by the Oracle HTTP Server to the necessary value: a. SSLVerifyClient optional, or b. SSLVerifyClient required.
Last Update: 7/26/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1563022

Configuring Cert and Form authentication scheme using the Web Agent configuration wizard does not throw an error, however the scheme does not work.
With the CA Single Sign-On Web Agent for Apache on an IBM IHS (HTTP) server, the Cert and Form authentication scheme does not work.
Last Update: 7/26/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1923838

How to correct the error message "Syntax error on line 974 of /opt/IBM/HTTPServer/conf/httpd.conf: SSL0331W: Invalid argument for SSLClientAuth: require".
"Syntax error on line 974 of /opt/IBM/HTTPServer/conf/httpd.conf: SSL0331W: Invalid argument for SSLClientAuth: require (null). The 1st value must be 0, 1, 2, none, optional, required, or required_reset"
Last Update: 7/26/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1639554

How to correct this error message: "Syntax error on line 975 of /opt/IBM/HTTPServer/conf/httpd.conf: Invalid command 'SSLOptions'"
Syntax error on line 975 of /opt/IBM/HTTPServer/conf/httpd.conf: Invalid command 'SSLOptions', perhaps misspelled or defined by a module not included in the server configuration
Last Update: 7/26/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1234981

About the DisAllowUTF8NonCanonical ACO parameter.
When I send the WebAgent a request whose URL contains encoded data, the WebAgent rejects my request with a 403 error.
Last Update: 7/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1698396

Dynamic Policy Server Cluster support with Application Server Agents
Can the "enableDynamicHCO" parameter be defined for the Application Server Agents in their SmHost.conf files to implement the Dynamic Policy Server Clusters?
Last Update: 7/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1384387

JBoss physical memory is growing.
JBoss physical memory size is huge because the .dat files under adminui_install/server/default/data/derby/siteminder/taskpersistance/seg0 keep increasing.
Last Update: 7/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1524751

About the "Flush All" command in the AdminUI.
Which caches are cleared by the "Flush All" command in the AdminUI?
Last Update: 7/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1392185

The sequence of the Cookie Provider structure when using Form Authentication.
Is there a particular Cookie Provider sequence when using Form Authentication?
Last Update: 7/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1701466

R12.52 SP2 WAMUI did not install as a Windows service when the install path is D:\
The WAMUI service is not installed as a Windows service after the installation completes.
Last Update: 7/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1209297

Unable to start RedHat Apache 2.4 (on RHEL 7 64-bit)
Your Apache 2.4 fails to start with the CA SSO Web Agent installed.
Last Update: 7/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1306032

How to configure Autosweeper using XPSConfig
Instructions on how to configure Autosweep using XPSConfig.
Last Update: 7/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1449256

Password Services and Active Directory Global Catalog support Trigger unexpected behavior
Last Update: 7/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1188463

Manually uninstall IIS web agent
Provides steps on how to manually uninstall the IIS Web Agent if the uninstaller did not work.
Last Update: 7/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1904547

About the SQL schema when authenticating a user.
When are "AuthAttempt" and "AuthReject" written to smaccess.log?
Last Update: 7/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1376291

Is it possible to register "*" in the IgnoreURL ACO parameter?
In the ACO parameter IgnoreURL, is it possible to set a wildcard (*)?
Last Update: 7/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1402307

What is the meaning of the IPC messages in the nohup.out log?
In the nohup.out log under the SPS_INSTALL/proxy-engine/logs directory, many of the messages below are output.
Last Update: 7/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1267465

Sm_AgentApi errors
Information on the causes of Sm_AgentApi errors and what the error codes mean.
Last Update: 7/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1829552

What does the error, "You cannot start the Secure Proxy Server as root", mean?
The proxyserver.sh checks to see if the user running the script is the same as root. Use the sps-ctl script as documented in the CA Access Gateway Bookshelf instead.
Last Update: 7/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1644143

How to download CA Single Sign-On (formerly SiteMinder) components
Step by step procedure to download CA Single Sign-On (formerly SiteMinder) components from support.ca.com.
Last Update: 7/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1364894

User AZ Cache in policy server
Information on User AZ Cache registry setting
Last Update: 7/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC544401

Invalid Master Key
Installing an r12.52 Policy Server. During the Policy Server Configuration Wizard, when prompted to enter the 'Master Key', the following error appears: Invalid Master Key! Master Key should have Latin Characters [a-zA-Z0-9_] only.
Last Update: 7/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1829014

After Policy Store Import, Legacy Federation Objects don't show up
This technote discusses how to fix an issue after importing data into the Policy Store.
Last Update: 7/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1659722

For the ERP Agent for Siebel, why should we put the library libSmSecurityProvider75.so in the Siebel server bin/ directory?
This technote discusses the need to put some libraries in a specific directory of the Siebel Server.
Last Update: 7/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1792347

Identity Mapping with Federation
Is Identity Mapping supported for Federation?
Last Update: 7/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1426214

Failed Handshake between Webagent and Policy Server.
What are the reasons for a failed handshake between the Web Agent and the Policy Server (requiring re-registration of the Agent)?
Last Update: 7/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC559187

Max Connections at Policy Server in Apache prefork mode.
When Apache runs in prefork mode, how many "Max Connections" are needed at minimum at the Policy Server?
Last Update: 7/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1818474

Can SiteMinder logs be output as syslog?
Yes, but only the Policy Server audit log (smaccess.log) can be.
Last Update: 7/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1185574

NAT between Web Agent and the policy server
Since we have not explicitly certified any of the CA SSO components with NAT, I recommend you use it after performing sufficient verification of operation.
Last Update: 7/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1282269

Failed to create index key errors (i.e. ObjectClass=xpsKey) when executing the xpssweeper command.
Find and remove policy store indexes (i.e. ObjectClass=xpsKey).
Last Update: 7/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1881072

Policy Server crashes while loading JVM for any custom java code on non-Windows.
After applying a CR, the policy server crashes.
Last Update: 7/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1238638

XPSExport for Policy Backup
Hello, we need to make changes to policies, and in case I have to roll back my changes, what would be the best option to use for XPSExport? Please suggest. Thanks, Pradeep M
Last Update: 7/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1600301

Signed SP Initiated Request: Signature verification failing at 3rd party IDP
"Can not verify digital signature" error at 3rd party IDP when signature cannot be verified for a signed AuthNRequest or SAMLRequest from CA Federation.
Last Update: 7/13/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1525465

XML External Entity Injection (XXE) Vulnerability for /affwebservices/router/*
XXE Vulnerability for /affwebservices/router/* Affiliate Agent
Last Update: 7/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1416553

Audit DB attribute values
Post SiteMinder upgrade from 12.5 to 12.52 SP1 CR04, new attribute values are not getting written in Audit DB. We have updated the new schema also. We are able to see the attribute in the tables but not the values. The historic data is not changed.
Last Update: 7/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1458982

Using the User Agent Header in the Proxy Rules.
Does the CA SiteMinder Agent for SharePoint support blocking by the incoming user agent string?
Last Update: 7/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1108305

After an SPS upgrade to R12.52 CR4, a space character is added to the resource URL after a semicolon.
If a semicolon is used in a URL, on an HTTP redirect (302) a "Space" encoded as %25 is added after the semicolon.
Last Update: 7/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1924624

"Failed to get session server provider namespace from registry" after the upgrade of the Policy Server from 12 SP3 CR11 to 12.52 SP01 CR04
How to correct "failed to get session server provider namespace from registry" after upgrading from 12.0 SP3 CR11 to 12.52 SP1 CR04.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1891807

Why is SPS causing the reauthentication pop-up to appear as text rather than being executed as JavaScript?
Sometimes my backend application needs reauthentication and so a JavaScript popup should be displayed in the browser, but instead I see a regular web page with the JavaScript contents.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1691393

IIS Agent does not serve login forms when Default Application Pool is not running.
The Default Application Pool in IIS is needed to serve siteminder agent pages.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1205093

How does IP Session validation work at the Policy Server level?
This technote discusses the Session IP validation functionality.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1588007

Problem to login with AdminUI - Username and Password is incorrect
After a restart of the Linux box it is impossible to log in to the AdminUI, even after re-registration ("Username and Password is incorrect"), due to a small amount of entropy.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1431348

How do the CA Single Sign On custom sdk API agents get updated agent keys from the doManagement call function?
Just need confirmation on how the custom API agents get updated keys from the doManagement call function.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1171204

500 error when the target contains ? in a URL
We are receiving a 500 error whenever we make a request with the target containing "?" in the URL.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1940395

Unable to start the Apache server: libsmerrlog.so error
The Apache error log reports: Cannot load /niceapps/CA/webagent/bin/libmod_sm22.so into server: libsmerrlog.so: cannot open shared object file: No such file or directory
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1337522

Linux Web Agent configuration wizard unable to detect the IBM IHS(HTTP) server.
Linux Web Agent configuration wizard requires LD_LIBRARY_PATH to include the IBM IHS /lib path to detect the IBM IHS(HTTP) server properly.
Last Update: 7/11/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1277199

How and when you can use Multiple Virtual Hosts each with a different ACO setting.
You are looking to establish the following: Apache with 2 vhosts, each pointing to its own ACO and having its own agent and policies. NOTE: You need to separate the ACOs, not just the AgentName within one ACO.
Last Update: 7/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1522023

Checking what the bit level in the IIS Application Pool is set to when the WebAgent on IIS / LLAWP Will Not Start.
You are installing a new Web Agent on IIS and have configured it to communicate with your Policy Server. It registers, but the LLAWP process will not start, and you are unable to get any logging out of the Web Agent log files.
Last Update: 7/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1525121

Installation of Agent succeeds but Agent does not initialize
Despite successful host registration, IIS starts but is not able to service requests.
Last Update: 7/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1546878

Using XPSSweeper as an option to fix the AgentInstance@: Object's Globally Unique ID (GUID) has not been set error.
You are probably getting the error [Validate][ERROR] :AgentInstance@: Object's Globally Unique ID (GUID) has not been set because you were not running the XPSSweeper to remove stale policy objects regularly.
Last Update: 7/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1041817

Unexpected character encoding of the URL fragment marker (#) after SiteMinder authentication
When accessing a resource containing the special character # in the URL, it is transformed to %23 during the authentication process. Setting the ACO parameter Localization = No fixes the problem.
Last Update: 7/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1921813

SPS running out of memory and restarting during load
SPS crashes and restarts due to memory usage ("unable to create new native thread"). This is due to bad tuning of the SPS: decrease the max memory from 3340m to 2048m.
Last Update: 7/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1894177

Time based Auditlog Rollover does not work
smaccess.log does not roll over when time-based rollover is configured.
Last Update: 7/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1625128

Question on X.509 Client Certificate Authentication when using an SSL offloader
This article belongs to the Q&A category and explains the X.509 Client Certificate Scheme requirements/restrictions as well as a solution module to enhance it.
Last Update: 7/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1334947

Is there some configuration to record the username in the audit store ?
By default we store the DN of the user in the audit store (Auth/AZ) events. Could we use the username instead? No.
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1516291

IIS Web Agent crashes: what should we check in the IIS configuration to prevent them?
Check the IIS configuration after the installation, especially web.config, for prerequisites.
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1390793

When the Policy Server switches from Primary to Secondary Policy Store, does Policy Server bulk fetch against the Secondary Policy Store ?
This technote discusses the behavior expected when the Policy Server does a bulk fetch against the Policy Store.
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1310611

In FSSUI, how does the Policy Option "Search Any Attribute" work?
This technote gives tips on how the Policy option "Search Any Attribute" works.
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1831546

Can Cookie Provider request Policy Server for IP validation with the IP present in the session spec ?
This technote discusses a specific behavior of the Cookie Provider.
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1980418

Unable to create audit directory when I started the Policy Server
This technote explains and provides guidance to solve a specific error on the Policy Server.
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1642595

SAML IDP Initiation Issue: loop after authentication
During a Federation IDP-initiated transaction, we get redirected to /redirect/redirect.jsp.
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1910717

Secure Proxy Server intermittently reports Noodle_Interupted IOException or Noodle_GenericException.
Noodle_Interupted IOException Noodle_GenericException SPS
Last Update: 7/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1234143

User Lookup for Attribute and Name ID Services
Purpose of the field under the SSO and SLO tab.
Last Update: 6/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1599397

smaccess.log fails to roll over intermittently.
This article explains a defect in audit log (smaccess.log) rollover and provides information on the fix.
Last Update: 6/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1807844

Error message: exception report instance was not successfully created.
Reporting server error: "fatal failed to execute the next reporting instance event. Error message: exception report instance was not successfully created." This error is received with every report on r12.52 SP2.
Last Update: 6/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1380695

How does Java AgentAPI manage Agent Key and Shared Secret rollover?
This article answers a question about a custom Agent using the Java Agent API: How does the Java AgentAPI manage Agent Key and Shared Secret rollover?
Last Update: 6/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1288159

request.getRemoteUser() is returning null
Weblogic returns "null" in response to getRemoteUser() call to guard against a security vulnerability – identity spoofing.
Last Update: 6/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC529297


Please note that you can always access the full list by going to the following link:

CA Single Sign-On - CA Technologies

Feel free to post your questions in the community if you have a question about any of these KB articles.

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies

Summary:

How to configure X.509 certificate authentication with the CA Single Sign-On Web Agent on an IIS web server

Environment:

  • Policy Server : R12.52 SP1 and above
  • User Store : ANY LDAP
  • Web Server : IIS 7.5

Pre-requisites:

You have already obtained the following three required certificates in .pfx format:

  • Trusted CA root certificate (let's call it rootCA.pfx)
  • Server certificate from a trusted CA (let's call it server.pfx)
  • Client certificate from a trusted CA (let's call it client.p12/pfx)

(Refer to: Tech Tip: How to create self-signed RootCA/Server/User Certificates using OpenSSL)

Instructions:

 

Changes on the IIS Web Server

1. Open the MMC console and add Certificates for the Local Computer account.


2. Import the CA root certificate to Trusted Root Certification Authorities.

 

3. Open Inetmgr and click Server Certificates under the server node.

4. Import the server certificate by clicking on the Import link on the Actions pane.

5. Select the website which needs the X.509 certificate authentication.

On the Actions pane, click Bindings...

Click Add.

Select Type = https, and choose as the SSL certificate the server certificate that was imported in the previous step.

6. Navigate to the cert folder under the "siteminderagent" virtual directory and click SSL Settings.

7. In the middle panel select Require SSL and, for Client certificates, select Require.

    Click Apply on the Action pane.

8. Ensure that Anonymous Authentication is DISABLED for the "cert" folder.

 

 

Changes on the Policy Server

 

1. Create an X.509 certificate authentication scheme as below:

2. Create a Domain, Realm, Rule (Get/Post) and Policy. Protect the realm with the X.509 authentication scheme.

3. Click Certificate Mappings under Directory and create a mapping as below.

Note :

  • Ensure that the Issuer DN matches exactly what is in the user certificate.
  • Choose the mapping attribute according to the Active Directory LDAP User DN lookup configuration.

 

 

Changes on the client machine

1. Open MMC console and import the client certificate and CA root certificate. Import them to the Current User account.

 

How to Test

1. From the client machine, access the IIS resource protected with the X.509 authentication scheme.

2. You will be prompted to select the client/user certificate. Choose the appropriate user certificate and click OK.

Issue

After installing the AdminUI prerequisites and running the AdminUI installer, no Admin UI services were installed in the Windows Services screen and JBoss was not started. The WAMUI install path is D:\Program Files (x86).

 


 

Environment:

R12.52SP2 on Windows 2012R2

 

Cause:
A folder created before 8dot3name was enabled has no short name set.
The short name of D:\Program Files (x86) is not defined.
Enabling 8dot3name only sets a short name for folders created after it is enabled.

If the folder was created before 8dot3name was enabled, its short name is not defined.

You can check whether a short name is set with the dir /x command.

e.g.:

D:\>dir /x
Volume in drive D is New Volume
Volume Serial Number is 70DC-1E45

Directory of D:\

06/17/2016  12:53 PM    <DIR>          PROGRA~1     Program Files (x86)
07/11/2016  05:47 AM    <DIR>          PROGRA~3     Program FilesDisable
07/11/2016  05:49 AM    <DIR>          PROGRA~2     Program FilesEnable
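As an added check (example code, not part of the tech tip), the listing above can be scanned programmatically for folders whose short-name column is empty even though their long name is not a valid 8.3 name. The sample listing and all function names here are constructed for illustration.

```python
"""Scan `dir /x` output for folders missing an 8.3 short name.

Added example, not CA's code. A folder created before `fsutil 8dot3name set`
was run has a blank short-name column, which is what this flags.
"""
import re

# Constructed `dir /x` listing modelled on the one above: "Program Files (x86)"
# has an empty short-name column, the other long names have one set.
SAMPLE_DIR_X = """ Volume in drive D is New Volume
 Volume Serial Number is 70DC-1E45

 Directory of D:\\

06/17/2016  12:53 PM    <DIR>                       Program Files (x86)
07/11/2016  05:47 AM    <DIR>          PROGRA~3     Program FilesDisable
07/11/2016  05:49 AM    <DIR>          PROGRA~2     Program FilesEnable
07/11/2016  06:02 AM    <DIR>                       bin
07/11/2016  06:10 AM            12,345              readme.txt
"""

# One listing row: date, time, <DIR> or a byte count, then the name column(s).
ROW_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.*)$"
)
# A name that already fits 8.3 (no spaces, <=8 chars, optional <=3 char extension)
# needs no separate short name, so an empty column is fine for it.
SHORT_83_RE = re.compile(r"^[^\s.]{1,8}(\.[^\s.]{1,3})?$")


def parse_dir_x(output: str) -> list:
    """Return (long_name, short_name or None, is_dir) for every row of `dir /x`."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # volume header, blank and summary lines
        size_or_dir, rest = m.group(3), m.group(4).strip()
        # The short name is separated from the long name by a run of spaces;
        # when the column is blank only the long name is left.
        parts = re.split(r"\s{2,}", rest, maxsplit=1)
        if len(parts) == 2 and SHORT_83_RE.match(parts[0]):
            short, long_name = parts
        else:
            short, long_name = None, rest
        rows.append((long_name, short, size_or_dir == "<DIR>"))
    return rows


def needs_short_name(long_name: str) -> bool:
    """True when the long name is not itself a valid 8.3 name."""
    return SHORT_83_RE.match(long_name) is None


def missing_short_names(output: str) -> list:
    """Names that need an 8.3 alias but have none: candidates for
    `fsutil file setshortname` or for recreation after `fsutil 8dot3name set`."""
    return [name for name, short, _ in parse_dir_x(output)
            if short is None and needs_short_name(name)]


if __name__ == "__main__":
    for name in missing_short_names(SAMPLE_DIR_X):
        print(f"no short name set: {name}")
```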

 

Resolution:

1.

a) Enable 8dot3name

e.g.:

fsutil 8dot3name set D:\

b) Set short name using fsutil

e.g.:

fsutil file setshortname "D:\Program Files" PROGRA~1
fsutil file setshortname "D:\Program Files (x86)" PROGRA~2

c) Reinstall WAMUI

2.

a) Recreate the folder after enabling 8dot3name for the drive

e.g.:

fsutil 8dot3name set D:\

b) Reinstall WAMUI

Introduction:

How to configure X.509 certificate mapping for an ODBC user store (e.g. MSSQL, Oracle Database)?

 

Environment:

Policy Server : ANY

User Store :  ODBC - ANY

 

Instructions:

Step 1. Note the Issuer DN from the user certificate.

 

Step 2. Create the certificate mapping.

Specify the exact Issuer DN from the user certificate.

Specify Directory Type as ODBC.

Select Single Attribute mapping and choose the Attribute Name that is to be mapped from the certificate.

For example, choose CN (Common Name) for the mapping from the certificate.

Step 3. Adjust the SQL schema for the ODBC directory as required. The default SQL schema uses the "Name" column for the user Init query, as highlighted in the query below.

For example, the default InitUser query is: SELECT NAME FROM <DataSource> Where Name = '%s%'

Here, the placeholder %s% is replaced by the mapped attribute extracted from the user certificate's Subject DN.


For example, for the user certificate below, as the "CN" attribute is mapped in the "Cert Mapping", the CN value "Guest" is extracted and substituted for the %s% placeholder in the user Init SQL query, as below:

SELECT NAME FROM <DataSource> Where Name = 'Guest'

   

Sample Log

===========

[Certificate's Issuer DN found in mapping rules][][][][][][][][][][][C=AU,ST=NSW,L=Sydney,O=CA,OU=Support,CN=RootCA,E=rootca@ca.com]

..

 

[map subjectDN (C=AU,ST=NSW,L=Melbourne,O=CA,OU=Dev,CN=Guest,E=guest@ca.com)  using string: '(%{CN})']

..

..

[Name is (CN.CN) Value is (Guest)]

..

[SmAuthenticate][][][][Guest][][][][][][][][][Sm_AuthApi_Success][][][][][][][][Will be authenticating user.]

..

[CDb.cpp:204][CSmRecordset::DoSelect][][][][][][][][][][][][][][][][][][][][][Start processing SQL statement.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][SELECT Name FROM SmUser WHERE Name = 'Guest'][][][][][][][][]

 

Additional Information:

N/A

Issue:

When using the X.509 certificate authentication scheme, the certificate mapping is case sensitive if custom expression mapping is used.

 

For example, say the mapping uses the custom expression below:

mail = %{E}


The certificate itself has the email address in lowercase, as below.

However, if the user's email address is Mixed case or UPPERCASE in the directory, as below:


Then the authentication fails with the following error in the Policy Server trace logs:

[SmAuthCert.cpp:6081][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Mismatch of attribute values][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[SmAuthCert.cpp:6365][SmAuthenticate][][][][CN=Kelly Wong,CN=Users,DC=ad,DC=lab][][][][][][][][][][][][][][][][][Authentication failed][][][][][][][][][][CN=Kelly Wong,CN=Users,DC=ad,DC=lab][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

Environment:

  • Policy Server : R12.51 CR10, R12.52 SP1 CR7, 12.6 SP2, 12.7
  • User Store : ANY LDAP

Cause:

This is a known defect and engineering is working on a fix.

 

Resolution/Workaround:

This issue has been identified only when using custom mapping.

It does not occur when using "Single Attribute" mapping, as below.

With "Single Attribute" certificate mapping the search is case insensitive, so it works as expected.
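The following added example (not CA's code) models the certificate-mapping step from both the ODBC mapping instructions above and this case-sensitivity issue: it extracts the mapped attribute from the certificate Subject DN shown in the trace log, binds it into the InitUser lookup, and contrasts the case-insensitive Single Attribute match with the exact comparison a custom expression such as `mail = %{E}` performs. The directory entry and all function names are constructed assumptions.

```python
"""Model of CA SSO X.509 certificate mapping. Added example, not CA's code."""
import re

# Subject DN from the trace log shown above (lowercase e-mail address).
SUBJECT_DN = "C=AU,ST=NSW,L=Melbourne,O=CA,OU=Dev,CN=Guest,E=guest@ca.com"

# Constructed directory entry: the same user with the mail attribute stored in mixed case.
DIRECTORY_ENTRY = {"cn": "Guest", "mail": "Guest@CA.com"}


def parse_dn(dn: str) -> dict:
    """Split a comma-separated DN into {ATTR: value}; '\\,' escapes a literal comma."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        name, value = rdn.split("=", 1)
        attrs[name.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def expand(template: str, attrs: dict) -> str:
    """Replace every %{ATTR} token (e.g. '(%{CN})' from the log) with the certificate value."""
    def repl(m):
        name = m.group(1).upper()
        if name not in attrs:
            raise KeyError(f"{name} is not present in the certificate Subject DN")
        return attrs[name]
    return re.sub(r"%\{(\w+)\}", repl, template)


def init_user_query(attrs: dict, cert_attr: str):
    """The ODBC InitUser lookup with the mapped value bound as a parameter.

    The tech tip shows the rendered statement SELECT Name FROM SmUser WHERE Name = 'Guest';
    binding the value instead of splicing it into the text keeps a quote or other
    special character in a certificate attribute from altering the statement."""
    return "SELECT Name FROM SmUser WHERE Name = ?", (attrs[cert_attr.upper()],)


def single_attribute_match(attrs: dict, cert_attr: str, dir_attr: str, entry: dict) -> bool:
    """Single Attribute mapping: the directory search is case insensitive."""
    return attrs[cert_attr.upper()].casefold() == entry[dir_attr].casefold()


def custom_expression_match(expr: str, attrs: dict, entry: dict) -> bool:
    """Custom expression mapping ('dir_attr = %{CERT_ATTR}'): the expanded value is
    compared exactly, which is the case-sensitive behaviour reported for the
    affected releases ("Mismatch of attribute values")."""
    dir_attr, _, template = expr.partition("=")
    return expand(template.strip(), attrs) == entry[dir_attr.strip()]


if __name__ == "__main__":
    attrs = parse_dn(SUBJECT_DN)
    print(init_user_query(attrs, "CN"))
    print("single attribute:", single_attribute_match(attrs, "E", "mail", DIRECTORY_ENTRY))
    print("custom expression:", custom_expression_match("mail = %{E}", attrs, DIRECTORY_ENTRY))
```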


Current Status (25/09/2017) :

The issue remains unfixed in the following versions:

  • R12.51 CR10
  • R12.52 SP1 CR7
  • 12.6 SP2
  • 12.7

The issue is fixed in :

  • 12.7 SP1

(Please open support ticket if an urgent fix is required)

 

Additional Information:

When using custom expression mapping, you also need to set the following registry value:

Under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer, set EnableCustomExprOnly=1

Issue/Problem/Symptoms:

The Single Sign-On Secure Proxy Engine fails to start up with the following error:

[ERROR] Agent for virtual host : XXXX did not initialized properly

where XXXX is the name of the virtual host.

Environment:

CA Access Gateway (formerly CA Secure Proxy Server ) : ANY

Cause:

There can be multiple causes for this error, but one of the most common is a handshake error between the SPS agent and the Policy Server.

You can confirm this by looking at smps.log for the time frame corresponding to the error in server.log:

[1860/2604][Mon Jul 18 2016 13:59:03][CServer.cpp:1959][ERROR][sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client
[1860/2604][Mon Jul 18 2016 13:59:03][CServer.cpp:2121][ERROR][sm-Server-01070] Failed handshake with 155.35.245.129:49184
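To make that correlation repeatable, the following added example (not CA's code) parses smps.log lines in the format quoted above, pairs each "Failed handshake" with the "Handshake error" reason logged by the same thread, and filters them to a window around the server.log error time. The sample log is constructed from the two lines above plus one unrelated line; function names are assumptions.

```python
"""Extract handshake failures from smps.log for correlation with server.log.
Added example, not CA's code."""
import re
from datetime import datetime

# Constructed sample: the two ERROR lines quoted above plus an unrelated INFO line.
SAMPLE_SMPS_LOG = """\
[1860/2604][Mon Jul 18 2016 13:59:03][CServer.cpp:1959][ERROR][sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client
[1860/2604][Mon Jul 18 2016 13:59:03][CServer.cpp:2121][ERROR][sm-Server-01070] Failed handshake with 155.35.245.129:49184
[1860/2604][Mon Jul 18 2016 13:59:10][CServer.cpp:2180][INFO][sm-Server-00000] constructed unrelated line
"""

TS_FORMAT = "%a %b %d %Y %H:%M:%S"   # e.g. "Mon Jul 18 2016 13:59:03"

# [pid/tid][timestamp][source:line][LEVEL][message code] message
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]"
    r"\[(?P<ts>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\]"
    r"\[(?P<src>[^\]]+)\]\[(?P<level>[A-Z]+)\]\[(?P<code>[^\]]+)\] (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed handshake with (?P<ip>[\d.]+):(?P<port>\d+)")


def parse_ts(text: str) -> datetime:
    """Parse an smps.log timestamp."""
    return datetime.strptime(text, TS_FORMAT)


def parse_line(line: str):
    """Return the bracketed fields as a dict, or None for a line in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    return rec


def handshake_failures(log_text: str) -> list:
    """Collect (timestamp, client_ip, reason) for each failed handshake.

    The reason comes from the 'Handshake error:' line that the same pid/tid logged
    just before the 'Failed handshake with' line; 'unknown' if there was none."""
    last_reason = {}   # (pid, tid) -> most recent handshake error text
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        key = (rec["pid"], rec["tid"])
        if rec["msg"].startswith("Handshake error:"):
            last_reason[key] = rec["msg"].split(":", 1)[1].strip()
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            failures.append((rec["ts"], m.group("ip"), last_reason.pop(key, "unknown")))
    return failures


def failures_near(log_text: str, server_log_ts: str, window_seconds: int = 60) -> list:
    """Failures within +/- window_seconds of the server.log error time (smps timestamp format)."""
    when = parse_ts(server_log_ts)
    return [f for f in handshake_failures(log_text)
            if abs((f[0] - when).total_seconds()) <= window_seconds]


if __name__ == "__main__":
    for ts, ip, reason in failures_near(SAMPLE_SMPS_LOG, "Mon Jul 18 2016 13:59:30"):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {ip}  {reason}")
```

A "Shared secret incorrect for this client" reason is the case the tech tip resolves by re-registering the trusted host.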

Resolution/Workaround:

Re-register the trusted host using the following command from <Secure_Proxy>\agentframework\bin:

smreghost -i <PS_IP>:44441,44442,44443 -u "siteminder" -p <password> -hn <trustedhost> -hc <hco> -cf COMPAT

and then copy the resulting SmHost.conf file over the existing SmHost.conf.

Additional Information:

N/A

Summary:

 

This document outlines the steps that need to be followed when applying a CR (cumulative release) patch to the Single Sign-On Policy Server.

 

 

Environment:

  • Policy Server Version: r12.5 and above
  • OS: Any

Instructions:

 

Pre-requisites

  • (UNIX) If you execute the Policy Server across different subnets, it can crash. Run the Policy Server installer directly on the host system.
  • (UNIX) Apply the Policy Server patch using an account with at least the same permissions as the user who installed the Policy Server. For example, if a root user installed the Policy Server, apply the Policy Sever patch using a root user.
  • (UNIX) The user account applying the patch on the Policy Server must have executable permissions on the directory that contains the installation media. If the user account does not have these permissions, run the following command:

       chmod +x installation_media

 

Before you apply patch

Step 1 : Remove the Policy Server from the environment by stopping it. Removing the Policy Server prevents CA Single Sign-On Agents from contacting the Policy Server during the upgrade.

Step 2 : Shut down all instances of the Policy Server Management Console.

Step 3 : Back up the Policy Server installation directory.

Step 4 : Back up the Policy Store.

             Perform a full policy store backup using the following XPSExport command:

              XPSExport fullpolicystore.xml -xb -npass

Step 5 : Back up the Policy Store at the LDAP/ODBC level.

             If possible, it is also advisable to back up the policy store data at the LDAP or ODBC level, as applicable.

             For example, for an LDAP store a full LDIF export can be performed; similarly, for an ODBC policy store a full backup of the policy store database can be done.

Step 6 : Break Policy store replication (if any)

Step 7 : Back up the local configuration using the Policy Server Management Console.

             File --> Save Settings --> Save as "smconsole.smc"

             This will be handy for reverting any local configuration if it gets reset to default during the patching process (which is not expected).

 

 

Apply Patch

 

Step 1 : Download the latest (or recommended) CR binary from the support.ca.com website.

Step 2 : (UNIX) Source the Policy Server environment script (ca_ps_env.ksh) from the Policy Server installation directory.

Step 3 : Navigate to the installation executable directory and execute the installer.

Step 4 : The installer prompts you to select the components. When selecting components:

      • Reconfigure components that had previously been configured for the environment. Be sure to select the respective components (e.g. web server).
      • During the upgrade, leave the policy store check box on the configuration wizard cleared to preserve your existing policy store. Checking it might reset your policy store.
      • The configuration wizard prompts you for the encryption key for the advanced authentication server. This key is stored on each Policy Server, but all Policy Servers require the same key.
      • Use the same encryption key for the Advanced Authentication server that you used previously.

 

Apply Policy Store Fix

 

You can refer to the r12.x policy store upgrade procedure for this :

How to Upgrade an r12.x Policy Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

You would basically have to run the following commands :

Step 1 : Open a command window, navigate to siteminder_home\xps\dd and run the following command :

             XPSDDInstall SmMaster.xdd

Step 2 : Open a command window, navigate to siteminder_home\db and run one of the following commands :

             XPSImport smpolicy.xml -npass

             or

             XPSImport smpolicy-secure.xml -npass

Step 3 : Run XPSSweeper

Step 4 : Restart the Policy Server

 

Additional Information:

N/A

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 18th July 2016

Issue:

The Tomcat Proxy-Engine is crashing with the SPS R12.52 SP1 CR5 release.

The following is logged in nohup.log:

Jun 11, 2016 11:11:11 AM org.apache.catalina.loader.WebappClassLoader loadClass
INFO: Illegal access: this web application instance has been stopped already.  Could not load org.apache.commons.pool.impl.CursorableLinkedList$Cursor.  The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.
java.lang.IllegalStateException
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1612)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
    at org.apache.commons.pool.impl.CursorableLinkedList.cursor(CursorableLinkedList.java:305)
    at org.apache.commons.pool.impl.GenericObjectPool.evict(GenericObjectPool.java:1488)
    at org.apache.commons.pool.impl.GenericObjectPool$Evictor.run(GenericObjectPool.java:1700)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)

Exception in thread "Timer-1" java.lang.NoClassDefFoundError: org/apache/commons/pool/impl/CursorableLinkedList$Cursor
    at org.apache.commons.pool.impl.CursorableLinkedList.cursor(CursorableLinkedList.java:305)
    at org.apache.commons.pool.impl.GenericObjectPool.evict(GenericObjectPool.java:1488)
    at org.apache.commons.pool.impl.GenericObjectPool$Evictor.run(GenericObjectPool.java:1700)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.pool.impl.CursorableLinkedList$Cursor
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
    ... 5 more
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_UNCAUGHT_CXX_EXCEPTION (0xe06d7363) at pc=0x764ac54f, pid=1111, tid=0x00001374
#
# JRE version: Java(TM) SE Runtime Environment (7.0_101-b31) (build 1.7.0_101-b31)
# Java VM: Java HotSpot(TM) Client VM (24.101-b31 mixed mode windows-x86 )
# Problematic frame:
# C  [KERNELBASE.dll+0xc54f]
#
# Core dump written. Default location: d:\Program Files (x86)\CA\secure-proxy\proxy-engine\hs_err_pid1111.mdmp
#
# An error report file with more information is saved as:
# d:\Program Files (x86)\CA\secure-proxy\proxy-engine\hs_err_pid1111.log
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#

Environment:

R12.52 SP1 CR5 Secure Proxy Server

 

Cause:

Stack trace from hs_err_pidxxxx.log:

Stack: [0x5ca20000,0x5ca70000],  sp=0x5ca6ec48,  free space=315k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C  [KERNELBASE.dll+0xc54f]
C  [MSVCR80.dll+0x28e89]
C  [MSVCP80.dll+0x2b3e7]
C  [MSVCP80.dll+0x38e7]
C  [MSVCP80.dll+0x4845]
C  [SPS60Agent.dll+0x58cd]
C  [HttpPlugin.dll+0xa758]

The core file analysis indicates that the crash happens under specific circumstances while the SMSESSION cookie is being deleted. The crash was introduced by a fix (DE99753) incorporated in the CR5 release.

 

Resolution:

The crash condition has been addressed. The fix is scheduled to be released with the R12.52 SP1 CR6 SPS release.

Issue:

When using an LDAP session store, the following errors are logged occasionally in smps.log:

  • Unable to read object smSessionId=XXXXX
  • Fail to create object smSessionId=XXXXX

Environment:

  • Policy Server : R12.52 SP1 CR1 and below.
  • Session Store : ANY LDAP

Cause:

These errors are logged in both smps.log and smtracedefault.log if a session logout is performed after the persistent session has already expired (and/or been deleted) in the LDAP session store.

 

Resolution/Workaround:

This has now been fixed in R12.52 SP1 CR2. These errors are no longer logged in smps.log and are tracked only in smtracedefault.log.

So, to get rid of these errors, the customer needs to apply the R12.52 SP1 CR2 patch.

 

Additional Information:

SSO Policy Server r12.52 Defect Fixes History

Issue/Problem/Symptoms:

  • Single Sign-On Policy Server fails to start with no error in the event viewer.
  • Single Sign-On Policy Server Management Console (smconsole.bat) fails to start with the following error:
Couldn't load javasmconsoleapi
Exception in thread "main" java.lang.UnsatisfiedLinkError: com.netegrity.sm.smconsole.services.SmConsoleAPI.java_api_init()Z

Environment:

  • Policy Server Version : R12.52 SP2
  • Policy Server OS : Windows 2012 R2

Cause: The Single Sign-On R12.52 SP2 Policy Server installs the following versions of the Microsoft Visual C++ Redistributable :

  • Microsoft Visual C++ 2005 Version 8.0.61001
  • Microsoft Visual C++ 2010 x86 Version 10.0.30319
  • Microsoft Visual C++ 2013 x86 Version 12.0.21005.1

 

Before Policy Server install: (screenshot of the installed Visual C++ Redistributable packages, not reproduced here)

After Policy Server install: (screenshot of the installed Visual C++ Redistributable packages, not reproduced here)

If any of these Visual C++ Redistributable packages gets uninstalled, the Policy Server may fail to start and the Policy Server Management Console may fail to load, because the dependent libraries can no longer be satisfied.

In this particular case, Microsoft Visual C++ 2013 had somehow been removed, so the Policy Server was unable to find "mfc120.dll". This was identified by capturing a Process Monitor (procmon.exe) log, as shown below.

This library should exist under the C:\Windows\SysWow64 directory if the Visual C++ 2013 package is installed.

(Process Monitor screenshot showing the failed lookup of mfc120.dll, not reproduced here)

 

Resolution/Workaround:

Ensure that the latest updates for Microsoft Visual C++ 2005, 2010 and 2013 x86 are installed.

In this particular case, as the issue was the missing Microsoft Visual C++ 2013 runtime, Update 5 was installed to resolve the issue.

Download link for the Microsoft Visual C++ 2013 Update 5 Redistributable package:

https://support.microsoft.com/en-au/kb/3138367

 

Alternatively, Policy server could also be reinstalled to fix the missing libraries.

Additional Information:

N/A

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 12th July 2016

 

1. Create a new database on IBM DB2 server.

 

2. Set up the SiteMinder schema with sm_db2_ps.sql from the <siteminder>\db\tier2\DB2 directory. Copy the sm_db2_ps.sql content into a query (from DB2 Control Center, against the new database) and execute the query.

 

3. Some of the table creations return errors:

==============================================

CREATE TABLE smactiveexpr5 ( activeexproid VARCHAR(64) NOT NULL, domainoid VARCHAR(64) NOT NULL, usesvariables INTEGER NOT NULL DEFAULT 0, expr VARCHAR(4000), PRIMARY KEY (activeexproid) )

DB21034E The command was processed as an SQL statement because it was not a valid Command Line Processor command. During SQL processing it returned: SQL0286N A default table space could not be found with a page size of at least "8192" that authorization ID "DB2ADMIN" is authorized to use. SQLSTATE=42727

 

CREATE TABLE smvariable5 ( variableoid VARCHAR(64) NOT NULL, domainoid VARCHAR(64) NOT NULL, variablename VARCHAR(255) NOT NULL, definition VARCHAR(4000) NOT NULL, prefetchflag INTEGER NOT NULL DEFAULT 0, returntype INTEGER NOT NULL DEFAULT 0, metadata VARCHAR(4000), variabletype VARCHAR(64), variabledesc VARCHAR(1024), PRIMARY KEY (variableoid) )

DB21034E The command was processed as an SQL statement because it was not a valid Command Line Processor command. During SQL processing it returned: SQL0286N A default table space could not be found with a page size of at least "16384" that authorization ID "DB2ADMIN" is authorized to use. SQLSTATE=42727

 

CREATE TABLE smodbcquery4 ( odbcqueryoid VARCHAR(64) NOT NULL, odbcqueryname VARCHAR(255) NOT NULL, odbcquerydesc VARCHAR(255), queryenumerate VARCHAR(2000), querygetobjinfo VARCHAR(2000), querylookup VARCHAR(2000), queryinituser VARCHAR(2000), queryauthenticateuser VARCHAR(2000), querygetuserprop VARCHAR(2000), querysetuserprop VARCHAR(2000), querygetuserprops VARCHAR(2000), querylookupuser VARCHAR(2000), querygetgroups VARCHAR(2000), queryisgroupmember VARCHAR(2000), querygetgroupprop VARCHAR(2000), querysetgroupprop VARCHAR(2000), querygetgroupprops VARCHAR(2000), querylookupgroup VARCHAR(2000), querysetpassword VARCHAR(2000), PRIMARY KEY (odbcqueryoid), UNIQUE (odbcqueryname) )

DB21034E The command was processed as an SQL statement because it was not a valid Command Line Processor command. During SQL processing it returned: SQL0286N A default table space could not be found with a page size of at least "32768" that authorization ID "DB2ADMIN" is authorized to use.  SQLSTATE=42727

==============================================

 

4. Create buffer pools of the required page sizes and a table space associated with each buffer pool:

db2 create bufferpool bp8k pagesize 8K

db2 create tablespace db8k pagesize 8K bufferpool bp8k

db2 create bufferpool bp16k pagesize 16K

db2 create tablespace db16k pagesize 16K bufferpool bp16k

db2 create bufferpool bp32k pagesize 32K

db2 create tablespace db32k pagesize 32K bufferpool bp32k

 

5. Run the sm_db2_ps.sql script again; it executes successfully this time.

 

6. Copy the XPS schema file DB2.sql from the <siteminder>\xps\db directory to the IBM DB2 server.

 

7. Open a DB2 Command Window and execute the following command:

db2 -td@ -v -f C:\Users\Administrator\Desktop\db2.sql

 

 

8. Once the above script has executed successfully, configure the IBM DB2 data source (via system_odbc.ini on UNIX, or the ODBC Data Source administrator on Windows) and configure the Policy Server to reference this IBM DB2 database as the policy store (via the SM Management Console).

 

9. Reset the SiteMinder superuser password with the following command:

smreg -su <password>

 

10. Import the Default Policy Store Data Definitions by running the following command on the Policy Server (from <siteminder>\xps\dd):

XPSDDInstall SmMaster.xdd

 

 

11. The XPSDDInstall command returns the following error:

==============================================

[XPSDDInstall - XPS Version 12.52.0101.640]

Log output: /opt/CA/siteminder/log/XPSDDInstall.2016-07-11_152449.log

Initializing database, please wait...

(ERROR) : [sm-xpsxps-00870] An error occurred when calling "SQLExecDirect" for "Initial Policy Data Read" query

(ERROR) : [sm-xpsxps-00810] Native Diagnostic: HY000:-1585 [DataDirect][ODBC DB2 Wire Protocol driver][UDB DB2 for Windows, UNIX, and Linux]A system temporary table space with sufficient page size does not exist.

(ERROR) : [sm-xpsxps-00810] Native Diagnostic: 56098:-727 [DataDirect][ODBC DB2 Wire Protocol driver][UDB DB2 for Windows, UNIX, and Linux]An error occurred during implicit system action type '2'. Information returned for the error includes SQLCODE '-1585', SQLSTATE '54048' and message tokens ''.

(ERROR) : [sm-xadobj-00020] Failed to initialize global objects.

(FATAL) : [sm-xpsxps-03570] SiteMinder interface initialization failed.

(FATAL) : [sm-xpsxps-04120] Unable to initialize the XPS library.

==============================================

 

12. Create a system temporary table space associated with the buffer pool of each page size:

db2 CREATE SYSTEM TEMPORARY TABLESPACE ts8k PAGESIZE 8192 MANAGED BY SYSTEM USING ('C:\DB2 9.5\ts8k', 'C:\ts8k') bufferpool bp8k

 

db2 CREATE SYSTEM TEMPORARY TABLESPACE ts16k PAGESIZE 16384 MANAGED BY SYSTEM USING ('C:\DB2 9.5\ts16k', 'C:\ts16k') bufferpool bp16k

 

db2 CREATE SYSTEM TEMPORARY TABLESPACE ts32k PAGESIZE 32768 MANAGED BY SYSTEM USING ('C:\DB2 9.5\ts32k', 'C:\ts32k') bufferpool bp32k

 

13. Run XPSDDInstall again; it executes successfully this time.

 

14. Import the Default Policy Store Objects by running the following command on the Policy Server (from <siteminder>\db):

XPSImport smpolicy.xml -npass

 

15. Once the import has executed successfully, start the Policy Server and check smps.log.
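Steps 3/4 and 11/12 above are the same root cause seen twice: a freshly created DB2 database offers only the default 4K page size, so the wide SiteMinder tables are rejected (SQL0286N) and later XPSDDInstall fails for lack of a system temporary table space of matching size (SQLCODE -1585). The Python script below is an added illustration, not part of the original tech tip: it reads those diagnostics out of saved command output and emits the DDL that the steps above add by hand. The sample output is constructed from the messages quoted above, and the temp_dir container path is a placeholder to replace with a real directory on the DB2 server.

```python
import re

# Page sizes DB2 supports, in bytes; a new database only has a 4K table space.
DB2_PAGE_SIZES = (4096, 8192, 16384, 32768)

# SQL0286N: CREATE TABLE found no table space with a large enough page size.
SQL0286N_RE = re.compile(r'SQL0286N[^"]*page size of at least "(?P<size>\d+)"')
# SQLCODE -1585 / SQLSTATE 54048: no system temporary table space of sufficient
# page size; this is what XPSDDInstall surfaces through the DataDirect driver.
SQL1585_RE = re.compile(r"-1585\b|SQLSTATE '54048'|SQLSTATE=54048")


def required_page_sizes(output):
    """Page sizes (bytes) for which SQL0286N was raised anywhere in the CLP output."""
    sizes = {int(m.group("size")) for m in SQL0286N_RE.finditer(output)}
    unknown = sizes - set(DB2_PAGE_SIZES)
    if unknown:
        raise ValueError(f"unexpected DB2 page size(s) in output: {sorted(unknown)}")
    return sorted(sizes)


def needs_system_temp_tablespace(output):
    """True when the output carries the -1585/54048 diagnostic from XPSDDInstall."""
    return SQL1585_RE.search(output) is not None


def _label(size):
    return f"{size // 1024}k"  # 8192 -> "8k", matching the bp8k/db8k/ts8k names above


def generate_ddl(page_sizes, system_temp=False, temp_dir=r"C:\db2temp"):
    """Build CREATE BUFFERPOOL / CREATE TABLESPACE statements for each page size,
    plus a CREATE SYSTEM TEMPORARY TABLESPACE per size when system_temp is set.
    temp_dir is a placeholder container path (assumption, not from the tech tip).
    Statements carry no terminator: run each one as db2 "<statement>"."""
    stmts = []
    for size in sorted(set(page_sizes)):
        if size not in DB2_PAGE_SIZES:
            raise ValueError(f"unsupported page size {size}")
        k = _label(size)
        stmts.append(f"CREATE BUFFERPOOL bp{k} PAGESIZE {size}")
        stmts.append(f"CREATE TABLESPACE db{k} PAGESIZE {size} BUFFERPOOL bp{k}")
        if system_temp:
            stmts.append(
                f"CREATE SYSTEM TEMPORARY TABLESPACE ts{k} PAGESIZE {size} "
                f"MANAGED BY SYSTEM USING ('{temp_dir}\\ts{k}') BUFFERPOOL bp{k}"
            )
    return stmts


def plan_from_output(clp_output, xpsddinstall_output=""):
    """Read the CLP failures (step 3) and the XPSDDInstall failure (step 11) and
    return the DDL of steps 4 and 12. If the buffer pools already exist from an
    earlier run, DB2 rejects the duplicate CREATE BUFFERPOOL; drop those lines."""
    sizes = required_page_sizes(clp_output)
    return generate_ddl(sizes, system_temp=needs_system_temp_tablespace(xpsddinstall_output))


# Constructed sample output, abbreviated from the SQL0286N lines quoted in step 3.
SAMPLE_CLP_OUTPUT = """\
CREATE TABLE smactiveexpr5 ( ... )
DB21034E ... SQL0286N A default table space could not be found with a page size of at least "8192" that authorization ID "DB2ADMIN" is authorized to use. SQLSTATE=42727
CREATE TABLE smvariable5 ( ... )
DB21034E ... SQL0286N A default table space could not be found with a page size of at least "16384" that authorization ID "DB2ADMIN" is authorized to use. SQLSTATE=42727
CREATE TABLE smodbcquery4 ( ... )
DB21034E ... SQL0286N A default table space could not be found with a page size of at least "32768" that authorization ID "DB2ADMIN" is authorized to use.  SQLSTATE=42727
"""

# Constructed sample, abbreviated from the XPSDDInstall output quoted in step 11.
SAMPLE_XPS_OUTPUT = """\
(ERROR) : [sm-xpsxps-00810] Native Diagnostic: HY000:-1585 [DataDirect][ODBC DB2 Wire Protocol driver][UDB DB2 for Windows, UNIX, and Linux]A system temporary table space with sufficient page size does not exist.
"""

if __name__ == "__main__":
    for stmt in plan_from_output(SAMPLE_CLP_OUTPUT, SAMPLE_XPS_OUTPUT):
        print(stmt)
```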

 

 

NOTE: Ensure that the admin account defined in the SM Management Console has the appropriate privileges for the driver to create and bind packages with this specified admin. These privileges are BINDADD for binding packages, CREATEIN on the collection specified by the Package Collection option, and GRANT EXECUTE on the PUBLIC group for executing the packages. These are typically the permissions of a Database Administrator (DBA).

 

Test with the bind27 executable residing under <siteminder>\odbc\bin: bind27 <DSN>. It returns an error if the user does not have the privilege/authority to create packages.

 

Example:
[smuser@wonsa03-I151000 bin]$ ./bind27 'SiteMinder Data Source'
Datasource not found.
[smuser@wonsa03-I151000 bin]$ ./bind27 'SiteMinder Data Source'
User Name: ssoadmin
Password:
SecurityMechanism: ''
Creating packages ...Packages created and bound.

 

Also, by default, the Policy Server sends clear-text user credentials through the ODBC driver (AuthenticationMethod=0) to DB2 for authentication. If a different authentication method is configured on DB2, update AuthenticationMethod accordingly.

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 7th July 2016

 

Issue:

Federation login is failing at IdP -- Secure Proxy Server as Identity Provider and third-party Federation Gateway as Service Provider. No error from the internet browser.

 

Environment:

Secure Proxy Server: R12.52 SP1 CR4

 

Cause:

The default page under an IIS virtual directory is used to invoke IdP-initiated federation. However, the request fails at the point where SPS forwards the request to the backend IIS.

 

== SPS agent trace ==

[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][ProxyValve::invoke][ProxyValve.invoke() Setting HTTP status to 200 allowing this request to proceeed. Return Code from HLA = 4]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Tomcat5serializedAgentData.setStatus][Setting response status = 200]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][ProxyValve::invoke][The agent finished processing the request.]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Noodle::service][Method is: GET Content length is: 0]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][addRequestHeaders][Need to preseve Proxy HOST Header.Sending Proxy Host to the backend web server]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][execute][Sending request to backend = support.ca.com url = http://support.ca.com/protected]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][requestConnection(): ][Get connection: HttpRoute[{}->http://support.ca.com], timeout = 180000]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][openConnection()][Connecting to support.ca.com/172.88.99.100]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][execute][Response status code from backend webserver is 301]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Noodle::doGet][Received redirect status code = 301]

 

== HTTP Client log ==

Jul 05, 2016 9:56:54 PM org.apache.http.impl.conn.Wire wire
FINE: << "<head><title>Document Moved</title></head>[\n]"
Jul 05, 2016 9:56:54 PM org.apache.http.impl.conn.Wire wire
FINE: << "<body><h1>Object Moved</h1>This document may be found <a HREF=http://support.ca.com/protected/>here</a></body>"

 

The 301 status code is returned because IIS expects a trailing slash when the URI references a directory:

https://support.microsoft.com/en-au/kb/298408

 

The user request ends at the redirect returned by the backend, with no further progress.

 

Resolution:

Add a trailing slash to the URL, or specify the default page (e.g. index.asp) in the URL.
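As an added example (not part of the original tech tip), the following Python script scans SPS agent trace lines, pairs each transaction's backend request with the status code the backend returned, and flags the transactions whose URL has the directory-without-trailing-slash shape that IIS answers with the 301 described above. The trace lines are constructed in the format of the trace quoted above; the transaction ids other than the first are made up.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# One SPS agent trace line: [date][time][pid][tid][txid][function][message]
TRACE_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
    r"\[(?P<txid>[^\]]*)\]\[(?P<func>[^\]]*)\]\[(?P<msg>.*)\]$"
)
BACKEND_RE = re.compile(r"Sending request to backend = (?P<host>\S+) url = (?P<url>\S+)")
STATUS_RE = re.compile(r"Response status code from backend webserver is (?P<code>\d{3})")


def parse_transactions(lines):
    """Group trace lines by transaction id and keep the backend URL and status code."""
    txns = {}
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # blank line or something other than an agent trace line
        tx = txns.setdefault(m.group("txid"), {"url": None, "status": None})
        msg = m.group("msg")
        b = BACKEND_RE.search(msg)
        if b:
            tx["url"] = b.group("url")
        s = STATUS_RE.search(msg)
        if s:
            tx["status"] = int(s.group("code"))
    return txns


def looks_like_directory(url):
    """True when the path has no trailing slash and its last segment has no
    extension, i.e. the request shape IIS redirects to the slash-terminated form."""
    path = urlsplit(url).path
    if not path or path.endswith("/"):
        return False
    last = path.rsplit("/", 1)[-1]
    return "." not in last


def with_trailing_slash(url):
    """The URL the resolution above asks for: same URL with '/' appended to the path."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=parts.path + "/"))


def find_backend_redirects(lines):
    """One finding per transaction whose backend answered with a 3xx:
    (txid, url, status, suggested_url) where suggested_url is None when the
    redirect does not look like the missing-trailing-slash case."""
    findings = []
    for txid, tx in parse_transactions(lines).items():
        if tx["url"] is None or tx["status"] is None:
            continue
        if not 300 <= tx["status"] < 400:
            continue
        suggestion = with_trailing_slash(tx["url"]) if looks_like_directory(tx["url"]) else None
        findings.append((txid, tx["url"], tx["status"], suggestion))
    return findings


# Constructed sample in the agent trace format; the first transaction mirrors the
# failing IdP-initiated request above, the other two are made up for contrast.
SAMPLE_TRACE = """\
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Noodle::service][Method is: GET Content length is: 0]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][execute][Sending request to backend = support.ca.com url = http://support.ca.com/protected]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][requestConnection(): ][Get connection: HttpRoute[{}->http://support.ca.com], timeout = 180000]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][execute][Response status code from backend webserver is 301]
[07/05/2016][21:57:10][5936][5761][aaaa0000-00000000-00000000-00000000-00000000-0001][execute][Sending request to backend = support.ca.com url = http://support.ca.com/protected/]
[07/05/2016][21:57:10][5936][5761][aaaa0000-00000000-00000000-00000000-00000000-0001][execute][Response status code from backend webserver is 200]
[07/05/2016][21:58:02][5936][5762][bbbb0000-00000000-00000000-00000000-00000000-0002][execute][Sending request to backend = support.ca.com url = http://support.ca.com/protected/login.asp]
[07/05/2016][21:58:02][5936][5762][bbbb0000-00000000-00000000-00000000-00000000-0002][execute][Response status code from backend webserver is 302]
""".splitlines()

if __name__ == "__main__":
    for txid, url, status, suggestion in find_backend_redirects(SAMPLE_TRACE):
        hint = f"try {suggestion}" if suggestion else "redirect not caused by a missing trailing slash"
        print(f"{txid}: backend returned {status} for {url}; {hint}")
```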

R12.5 CR05

==========

08/14/2015 Web Agent 12.5 CR05 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- ---------------------

151777/160612 Web Agent is getting initialized even though agent is not configured to the website.

55818/160827 Web Agent on IIS 7.5 continuously restarts after the second website is added to the web server.

143255/161324 Web Agent terminates abruptly while processing the OpenID response if the HTTP_OPENID_DISC cookie is unavailable in the response.

160822/161397 CSS Vulnerability in Siteminder Forms Templates.

54925/160500 Web Agent crashes intermittently on IIS when authentication header exceeded 256 characters in length.

155958 Wrong SSL tags are placed in the web server configuration file during Web Agent configuration.

 

R12.5 CR04

==========

11/11/2013 Web Agent 12.5 CR04 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

175588/171158/175911 A user is authenticated to the correct user with Integrated Windows Authentication.

176729/169984 The Web Agent now implements the idle timeout that is configured in the Realm for URLs which do not contain a resource (for example: http://server.example.com/protected/).

172785/158207 Integrated Windows Authentication now detects the real client IP in a Load Balancer environment.

177131 The FCC template files are fixed to address the "Insufficient Cross Frame Prevention" vulnerability that allows FCC pages to be accessed in a frame.

177762/153433 HTML encoding capability is added to FCC processing. A new ACO parameter named "fcchtmlencoding" is added to enable HTML encoding of all values inserted into FCC variables (noted by the syntax $$varname$$). For more information about "fcchtmlencoding", see the online documentation.

 

The following certifications are included in the Web Agent r12.5 CR4 release:

  1. Support for Web Agent (32 & 64-bit) with Apache 2.4 (32 & 64-bit) on RHEL 5, RHEL 6, Solaris 10 SPARC, Solaris 10 (x86), AIX 6.1, and AIX 7.1.

  2. Support for Web Agent (64-bit) with Oracle HTTP Server 11g (64-bit) on Windows 2008 R2 and RHEL 6.

  3. Support for Web Agent (32 & 64-bit) on Windows 2008 SP2.

  4. Support for Web Agent (32 & 64-bit) with ASF Apache 2.2.x (32 & 64-bit) on AIX 7.1 (64-bit).

  5. Support for Web Agent (32-bit) with IHS 8.5 on Windows 2008 R2.

 

R12.5 CR03

==========

 

6/9/2013 Web Agent 12.5 CR03 contains fixes for the following tracking numbers:

Tracking #      Problem description

----------          -------------------

172310          The Web Agent installer installs the required Microsoft VC runtime when the Windows 32-bit installer is used on 64-bit machines/operating systems.

171690          The Web Agent installer copies the templates and PWS.fcc files that are required for the smpwservicescgi functionality.

163689          The Web Agent configuration wizard configures IBM HTTP Server 8.0 successfully.

 

R12.5 CR02

==========

1/24/2013 Web Agent 12.5 CR02 contains fixes for the following tracking numbers:

Tracking #    Problem description

----------        -------------------

163314        The Web Agent installer now properly copies the libxerces-c.so.21 library on the Solaris 10 (sparc) 64-bit platform.

148319/162047 If IIS 7.x is in integrated mode and ServletExec or Tomcat is the servlet container, resources will now be protected.

151871/162836 The Web browser no longer goes into endless loop when the following criteria are met:

- Anonymous authentication scheme is configured.

- A cookie provider is configured.

150865/164629 Protection levels will now work with IIS 7 when ARR (Application Request Routing) is used. This fix introduces a new ACO parameter "EarlyCookieCommit". The new parameter defaults to "no", which means that cookies are set very late during the processing of the request.

149256/164630 The Web Agent is no longer susceptible to redirection to an external site after password confirmation. A recently added ACO parameter, BadTargetChars, has default values of /\ and /%09/ characters. If the TARGET field contains any characters specified in this parameter, the Web Agent blocks the request.

154373/164659 Kerberos authentication now works for users who have a large number of group memberships in a Windows Active Directory.

164700        The Web Agent installer can now register with a Policy Server that is configured for the FIPS-only communication mode.

 

R12.5 CR01

==========

Product: SiteMinder Web Agent 12.5 CR01

10/26/2012      Web Agent 12.5 CR01 contains fixes for the following tracking numbers:

Tracking #      Problem description

----------             -------------------

160638      Web Agent now redirects to WebAgent-OnAccept-Redirect URL when configured in an OnAuthAccept rule

157086      Web Agent configuration wizard now finds the 32-bit version of the Apache 2.2.19 web server on the Windows Server 2008 R2 platform.

158356      Web Agent installer now updates PATH environment variable with 64-bit folder first in the order.

R12.51 CR08

=========

March 2, 2016 SiteMinder Web Agent 12.51 CR08 contains fixes for the following tracking numbers:

Tracking # Problem description

----------      -------------------

DE68466 The Windows Step-up Authentication challenges user with the NTLM dialog with an access denied error.

DE71348 If CSSErrorFile is set to a local file path, Web Agent appends extra text strings to the error page.

DE74795 Apache webserver fails to start and determine the path to the .properties file when web agent is enabled.

DE77231 The SMUSRMSG cookie appears even after successful authentication.

DE86771 Web agent crashes if the HTTP_OPENID_DISC cookie is not present in headers for the OpenID authentication provider.

DE91647 Duplicate ICU shared library files are present in the ICU third-party folder.

DE99651 The SMIDENTITY cookie gets deleted on log out.

DE101425 The web agent configuration wizard fails to update the opmn.xml with Oracle HTTP Server 11g.

DE104560 HTTP Response of BadCSSCharsFound contains incorrect HTML data.

DE106113 The time unit in SmPortal.cfg is incorrectly represented in milliseconds.

DE106339 Enabling EnableAuditing and disabling IgnoreQueryData create unexpected audit log entries.

DE134829 Web Agent encodes special characters before the r.hook '?' during a redirect to the cookie provider.

 

R12.51 CR07

=========

September 30, 2015 SiteMinder Web Agent 12.51 CR07 contains fixes for the following tracking numbers:

Tracking # Problem description

----------     -------------------

53752 The /siteminderagent/pw virtual directory does not contain the template files and PWS.fcc files.

161398 CSS Vulnerability exists in Siteminder Forms Templates of non-agent framework Web Agents.

127012 The IIS worker process crashes under load after 60 hours as the web agent fails to initialize.

55714 The Windows PATH variable is appended with duplicate values after reinstalling Web Agent.

163053 CAPKI is upgraded to CAPKI 4.3.8 release.

156629 The Apache Web Agent causes high CPU usage.

161175 Web Agent is getting initialized even though agent is not configured to the website.

161606 Web Agent replaces the space character with the "+" character during the post preservation process if the multipart/form-data encryption is used.

146604 Web agent host registration fails when the CA SiteMinder administrator password contains the "%" character.

 

The Web Agent r12.51 CR07 release contains the following certifications:

Support for Web Agent on Red Hat JWS HTTP Server 3.0 (64-bit) on RHEL 6 (64-bit)

 

R12.51 CR06

=========

May 22, 2015 SiteMinder Web Agent 12.51 CR06 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

141160 SAMLDataPlugin fails to accept the UseSecureCookies ACO parameter for Web Agent on the target application of Service Provider.

119892 Agent log output is incorrect for DefaultAppPool that is enabled with 32-bit applications.

74661 Agent fails to display the page in the browser when you re-authenticate after the timeout.

152968 ACO parameter AutoAuthorizeOptions limits only to OPTIONS method if you enable it. A new ACO parameter AutoAuthorizeHttpMethods comprises OPTIONS and HEAD methods by default. You can add additional methods to this parameter.

71833 Agent on IIS 7.5 continuously restarts after you add the second web site to the Web Server.

114493 The URL access request blocks when you access a URL which contains %c0%af with DisAllowUTF8NonCanonical flag set to no in ACO.

 

R12.51 CR05

=========

November 28, 2014 SiteMinder Web Agent 12.51 CR05 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

139097 IBM Domino Web Server 8.53 64-bit on AIX 7.1 64-bit terminates abruptly, when you enable the Web Agent.

126845 Web Agent erroneously deletes the third party cookie which contains string SMSESSION.

73275 Forms credentials collector page fails to display with ZOS web agent.

65158 Exit impersonation terminates abruptly in 12.5x due to  the missing SMSAVEDSESSION cookie.

62057 The Web Agent vulnerability in SMAUTHREASON with non-numeric data, is exposed to JSP/JavaScript attack.

137042 Number of open file handles keep increasing on IBM Domino Web Server 8.5.3 64-bit on AIX 7.1 (64-bit) when Web Agent is in use.

73267 On re-authentication for a POST request, a plus character gets changed to a space character in postpreservationdata.

136920 Apache based Web Agent module terminates abruptly due to improper error handling.

 

The Web Agent r12.51 CR05 release contains the following certifications:

  • Support for Web Agent on IBM Domino Web Server 8.53 64-bit on AIX 7.1 (64-bit)
  • Support for Web Agent on Apache 2.4 (64-bit) on Windows 2012 (64-bit)

 

R12.51 CR04

=========

July 31, 2014 SiteMinder Web Agent 12.51 CR04 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

54393, 62081 The Apache agent appends the default error document while accessing a FCC page.

53621,62089 Web Agent configured with forms authentication scheme generates different return codes for a valid user name/invalid password and invalid user name/invalid password.

55007 DefaultAppPool in IIS terminates abruptly if the user account is locked after the defined incorrect password attempts.

54137, 62083 DefaultAppPool in IIS terminates abruptly if the NTLM header length exceeds 256 characters.

55020 IIS terminates abruptly when it authenticates an already authenticated user.

55115 Web Agent terminates abruptly when trying to resolve a host name that contains invalid characters.

55021 The Apache WebAgent does not support graceful Apache restart.

62993, 73395 Web Agent requests User ID again when the Password Force Change policy is configured.

54308, 62088 SSO functionality fails to work when user session moves from non-persistent session to persistent session.

55892, 79811 If the Web Agent is configured, the Apache FastCGI module goes into the zombie/defunct state.

55676, 73268 A plus character '+' changes to ' ' on re-authentication of a POST request in postpreservationdata.

52762, 62063 The SunOne WebAgent terminates abruptly when a large URL ends with the '%' character.

55227, 55294 The Web Agent fails to display the Login.fcc page properly in HP-Itanium platform.

63369 Silent Installation and Configuration of Web Agent on IIS 8 are not working as expected.

53774 The Policy Server fail-over takes longer than expected.

54835 Web Agent's log contains time stamps in different time zones.

54285 Web Agent for OHS 12c and OHS 12c-64 bit are not supported on Linux platform.

62888 Web Agent for OHS 12c-64 bit is not supported on Windows platform.

55280, 62050 Web Agent re-challenges the user for authentication when the user tries to download XLS files from the browser.

55724 Web Agent reports -1, -2 errors and Policy Server reports 107 error when a resource is accessed after idle timeout.

54542, 62065 Web Agent crashes under load.

53357, 62070 User gets re-challenged when cookie size exceeds the configured limit.

97578 The SmPortalVfy.exe utility displays an incorrect Policy Server version.

55010 Unable to receive "x-frame-options" header variable in response while accessing a resource.

55435,54982, 73266 Log in fails when a user with no authorization privilege tries to login if the HttpheaderEncodingSpec=UTF-8,RFC-2047 and ProxyAgent=yes options are set.

 

R12.51 CR03

=========

March 27, 2014 SiteMinder Web Agent 12.51 CR03 contains fixes for the following tracking numbers:

Tracking # Problem description

--------- -------------------

177053,178647 When login.fcc is accessed with incorrect URL,the Apache process terminates abruptly.

175608 The performance degrades when WWSI is integrated with a Web Agent on IIS Server.

167113,178153 The urlencode function in FCC encoding fails to encode $.

171814,178540 The curly brackets in SMTOKEN cause the hardware load balancer to block the request.

173905,178659 The NTLM authentication fails on IIS Web Agent when the NTCExt ACO parameter is not defined.

170800,178668 The Domino Web Agent terminates abruptly when processing requests with long URLs.

166924,178152 Agent Name containing a character listed in the BadFormChars ACO parameter fails to allow access  to a protected resource.

167938,178155 User redirection to password services page fails when smretries is set to 1 and the user is disabled due to inactivity.

139097,180801 IIS Web Agent 7.5 terminates abruptly if the DisableUserNameVars ACO is disabled.

178163,170655 Web Agent fails to trace TransactionID that is used for authentication.

178594 Web Agent fails to protect resource on IIS Web Server when IISCacheDisable ACO parameter is enabled.

178650,176078 With an IIS 7.5 web agent, whenever the web.config file is updated, the users are redirected to an error page.

181962,178666,171690 Web Agent fails to copy the PWS.fcc template file into the /siteminderagent/pw virtual directory.

178669,169009 Web Agent for Apache 2.2 fails to preserve header values even when the PreserveHeaders ACO parameter is enabled.

178670 Web Agent on Apache Web Server appends extra bytes while serving the HTML Form authentication page.

178994 Web Agent is now certified for Windows 2012 (x64) platform.

 

R12.51 CR02

=========

February 25, 2014 SiteMinder Web Agent 12.51 CR02 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

This component is not released as part of 12.51 CR2.

 

R12.51 CR01

=========

July 3, 2013 Web Agent 12.51 CR01 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

165048 The Web Agent installer now correctly detects the Oracle HTTP Server 11g on Windows 2008 R2 64-bit

168230 When the "Enable Webagent" parameter is set to yes in an ACO, the web agent no longer reports the value of this parameter twice in the agent log file.

168299 The Web Agent configuration wizard will now allow administrators to preserve or overwrite configuration of web server instances which were previously configured

168674 The web agent now supports new "overlooksessionaspattern" configuration parameter

169173 The Web Agent installer now correctly installs filter component for a Domino Web Server on the AIX operating system

169329 The IIS Web Server log now correctly reports return codes from the Web agent

169796 The Web Agent Configuration wizard now correctly configures the "Certificate or Form" authentication scheme on Apache 2.2 web servers.

170234 The Web Agent installer now correctly installs 32-bit IIS ISAPI filters on Windows 64-bit operating systems

170580 The Web Agent now correctly constructs the redirection URL when ConstructFullPwsvcUrl parameter is set to yes and the Password Policy Redirection URL contains a fully qualified URL

170592 The IIS Web Agent no longer doubles response attributes when PreserveHeaders setting is set and a resource is accessed by default document

170619 The Web Agent will now start properly when it is configured to use more than 1024 log files.

170687 The Web Agent now correctly handles query parameters defined in the "Target URL" attribute of an authentication scheme

170994 The SmPortal.cfg file is installed in the correct directory for the Web Agent.

171017 The IIS7 Web Agent no longer spawns child requests for every request processed resulting in increased performance

171042 Various language translation issues in default fcc template files have been addressed in this release

171158 A user is authenticated to the correct user with Integrated Windows Authentication

171208 The Web Agent will no longer send frequent Agent Discovery updates to the Policy Server

R12.5 CR05

==========

Product: SiteMinder 12.5 CR05 Policy Server

08/14/2015 Policy Server 12.5 CR05 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

55611/160506 Policy Server terminates abruptly when the username has a special character (%).

53329/160562 Web Agent or Web Agent Option Pack cannot initialize when the first Policy Server listed in the HCO is down, if the HCO is configured in round-robin mode.

160679 Data Direct drivers are upgraded to version 7.1.5 across all the platforms.

98975/160503 If a web agent response attribute is deleted, the remaining attributes are not sent in the response during authentication unless the Policy Server is restarted.

79748/160505 XPSExport utility terminates abruptly when you export workspace entries.

160568 ETPKI is upgraded to ETPKI 4.3.8 release.

55802/160501 Administrative UI fails to handle a large amount of Indexed Assertion Consumer Service (ACS) data.

 

R12.5 CR04

==========

11/11/2013 Policy Server 12.5 CR04 contains fixes for the following tracking numbers:

 

Tracking # Problem description

----------      -------------------

175311/171208 The Policy Server no longer performs frequent policy store updates related to the Agent Discovery functionality

177089 The Administration UI (WAM UI) installer now launches successfully on the Solaris platform.

11/11/2013: Policy Server Option Pack 12.5 CR04 contains fixes for the following tracking numbers:

Tracking # Description

---------- -----------

There are no resolutions in this CR.

 

R12.5 CR03

==========

 

6/9/2013      Policy Server 12.5 CR03 contains fixes for the following tracking numbers:

 

Tracking #        Problem description

----------            ----------------------------

167696/171942   Policy Server populates the correct user name in the smaccess.log during impersonated authentication.

168102/171943   Policy Server no longer terminates abruptly during the roll-over of the XPSAudit files.

171944                The agent instances are no longer getting updated for every 30 seconds.

171945                The CQ 160848 that was resolved and documented in r12.5 CR02 required re-importing of certificates during an upgrade. This requirement no longer applies from 12.5 CR03; you need not re-import the certificates during an upgrade.

157938/163880   The ServletExec filter functions after running the Policy Server configuration wizard on the Windows2008 R2 platform

 

R12.5 CR02

==========

1/24/2013      Policy Server 12.5 CR02 contains fixes for the following tracking numbers:

 

Tracking #        Problem description

--------------        ---------------------------

160607            If load balancing is configured in the Administrative UI, the Policy Server will now authorize users in Active Directory.

161793            If a user provides invalid credentials, the Policy Server will no longer abnormally terminate when processing an OnAuthAttempt rule that is bound to an Enterprise Policy Management (EPM) application.

161988            If an OpenID authentication scheme is configured, the Policy Server now verifies the "assertion" with the OpenID provider. This behavior prevents a replay attack with the OpenID assertion.

157938            While configuring the FSS UI, the Policy Server installer now checks for the CGI IIS role in the Windows 2008/Windows 2008 R2 platforms.

160848            The Administrative UI and SiteMinder key tool (smkeytool) will now be able to import and store the certificates in the policy store if the key length is greater than 1024. For more information about preserving the previously imported certificates, see "Policy Server Upgrade Requirement for 12.5 GA and 12.5 CR1" in this readme file.

160293/164029     The Policy Server can now communicate over SSL with LDAP directory servers that specify an AKI (Authority Key Identifier) attribute in the certificate.

159354            The Policy Server logic has been optimized to execute as follows when authenticating users in an ODBC database:

a) Validate the distinguished name (DN) with the SQL query configured in "InitUser". This step checks whether the DN is a user or not.

b) If the above does not produce a result, execute the SQL query configured in "GetGroupProp". This step checks whether the DN is a user or not. This optimization prevents the Policy Server from executing a UNION-based SQL query that is configured in "Get User/Group" for every "user" authentication.

158631/163943     The Admin Applet/FSS UI will now allow more than 10 IP addresses in a policy definition.

162301            A dead lock condition in the LDAP authentication layer is fixed.

162318            The Policy Server now properly protects resources when using an r6.x extended policy store.

162951            OpenID authentication no longer fails with the following error when multiple user directories are configured in the Domain: "nonce verification failed".

150671/164657     The CA SSO SiteMinder (smauthetsso) authentication scheme now works in the FIPS-mode of communication on the Windows platform.

154373/164659     The Kerberos authentication now works for users who have a large number of group memberships in a Microsoft Windows Active Directory.

154521/164660     A race condition in the Policy Server is fixed. This condition prevented updates to agent configuration objects through the Java policy management API.

164607            The Policy Server now allows host registration with smreghost when pointing to an r6.x extended policy store.

 

R12.5 CR01

==========

 

10/26/2012      Policy Server 12.5 CR01 contains fixes for the following tracking numbers:

Tracking #     Problem description

----------          --------------------------

160138         The Policy Server will now be able to authenticate users from a user directory with password policies using an r6.x policy store.

157948          The Policy Server configuration wizard now shows the minimum required JDK/JRE version as 1.6.0.30.

158655          XPSDDInstall no longer terminates abnormally when upgrading from r12 SP3 to r12.5 Policy Server.

157701, 157949     WAM UI no longer deletes the "Policy" objects during modify operations on "Realm"/"Policy" after an R6.x policy store is imported.

153459         The Policy Server configuration wizard no longer fails when using Disk drives other than C: in the Windows platform.

160825         The Policy Server installer no longer hangs if encryption key contains the dollar sign($) character.

155738         The Policy Server installer now configures IPlanet web server/ASF Apache 32-bit for FSS UI when "Web Server" option is selected during an installation.

154130         The boolean User Directory Attribute Mapping type now works in R12.5 Policy Server.

160301         The Policy Server installer now installs the SPSObjects.xdd file.

151725/150968      Policy Server no longer exits abnormally on Linux platforms when Identity Manager integration is enabled.

161230         The smldapsetup utility now configures the cert7.db file even if it was configured previously.

160910         The Administrative UI upgrade from r12.5 GA to r12.5 CR01 now works properly.

 

Product: SiteMinder Policy Server Option Pack 12.5 CR01

10/26/2012:    Policy Server Option Pack 12.5 CR01 contains fixes for the following tracking numbers:

Tracking #     Description

----------     -----------

160725      WS-FED SLO no longer fails with an M_TUNNEL_SLO_FAILURE_INVALID_DATA error

161076      In conjunction with the Web Agent option pack r12.5 CR01 release or the Secure Proxy Server r12.5 CR01 release, several fixes are made in the XML signature verification that occurs during the SAML assertion validation phase. Use the following parameters in the xsw.properties file to enable or disable these fixes:

DisableXSWCheck=true|false

DisableUniqueIDCheck=true|false

161321      The Policy Server installer no longer installs the wsfed.properties file.

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on July 6, 2016

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/TEC3808899.aspx

IBM DB2 data source connection fails with error: [DataDirect][ODBC DB2 Wire Protocol driver]Specified security mechanism, (Unknown), is not supported by server.]

Alternate error: [DataDirect][ODBC DB2 Wire Protocol driver]Command Not Supported.

CA Single Sign-On 6/7/2016
CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 5th July 2016

 

Issue:

Active Directory service account (admin account defined with the AD user store setup) is getting locked out frequently.

End users are able to log in to protected resources as expected.

 

Environment:

Policy Server: R12.52 SP1

User Directory: Active Directory with LDAP namespace

“Enhance Active Directory Integration” is unchecked

 

Cause:

With “Use authenticated user’s security context” checked in the user store setup, Policy Server validates the service account against ADSI whenever an end user is authenticated (regardless of the authorization outcome).

 

During this validation, Policy Server sends an encrypted password to ADSI. However, ADSI does not accept an encrypted password, so each failed validation increments the service account’s badPwdCount. Eventually the account is locked out when the maximum failed-attempts threshold is reached.

 

Resolution:

This defect is addressed in the R12.52 SP1 CR4 release. Policy Server now sends the clear text password to ADSI for service account validation.

R12.51 CR10

========

Salesforce Case Number   Internal Defect ID   Issue Description

----------------------   ------------------   -----------------

00318299                 DE177275             XPSSweeper tool terminates abnormally.

00305791                 DE138534             The exported metadata incorrectly displays SHA1 when SHA256 is selected in Entity or Partnership.

00128842                 DE104232             SmConsole fails to display the correct status of the Policy Server service in Windows.

21726567-01              DE71949              Administrative UI does not display certificates that contain non-ASCII characters.

00056803                 DE94666              Policy Server experiences high CPU usage.

00453641                 DE204132             Perl CLI fails to fetch the authentication scheme for a realm. It occurs when the session is established with Admin privileges of the domain to which the realm belongs.

00429715                 DE175174             Assertion encryption displays an error on the IDP side if the certificates contain non-ASCII characters in IssuerDN.

00372539                 DE165552             Policy Server terminates abnormally when the Application model is used in conjunction with an OnAuthAttempt rule.

00083756                 DE103841             Policy Server terminates abnormally when a connection to the LDAP server is lost.

00124386                 DE74014              Policy Server for Windows builds incorrect search filters for SharePoint Agent requests.

R12.51 CR08

========

Product: SiteMinder 12.51 CR08 Policy Server

March 2, 2016          Policy Server 12.51 CR08 contains fixes for the following tracking numbers:

Tracking #            Problem description

----------            -------------------

DE67107      Policy Server crashes on the IM tunnel agent call.

DE68852      Policy Server partially reloads the cache when an Agent connects to the Policy Server with an incorrect shared secret.

DE73006/DE103002      Policy Server allows the log in of a locked out user when the Enhanced AD integration is enabled.

DE74053      The SM access log file fails to display fields in the first line.

DE75247      APS ignores the data specified in the curly braces {} for the Lockout Mail.

DE87088      Administrative UI does not display certificates with non-ASCII characters.

DE91647      Duplicate ICU shared library files are present in the ICU third-party folder.

DE95386      Policy Server fails to retrieve the value for special Attributes such as DominoAccessGroups.

DE103154    Policy Server crashes during LDAP failover.

DE106181    Policy Server terminates abruptly when policy store connection is lost.

DE108024    Backreference regular expression fails with SiteMinder password policy.

 

R12.51 CR07

========

Product: SiteMinder 12.51 CR07 Policy Server

September 30, 2015    Policy Server 12.51 CR07 contains fixes for the following tracking numbers:

Tracking #            Problem description

----------            -------------------

161180          The SMUSRMSG cookie allows phishing for valid usernames with Novell eDirectory as a user store.

140418          Policy Server is overloaded and requires a restart.

159571          Modification of a few user attributes using the DMS API results in the modification of all the user attributes.

150914          If a policy is associated with rule and rule groups, retrieval of rules from the rule groups fails.

150154          When the key store is separate and multiple requests come from web agents to Policy Server, some agents fail to get agent keys with the following error message in the smps log:

"Policy store failed operation 'MultipleSearch' for object type 'AgentKey'"

151430          FSS UI session times out as an admin logs in.

163053          CAPKI is upgraded to CAPKI 4.3.8 release.

120472          Policy Server terminates abnormally and does not recover when LDAP Directory Server hangs due to network connectivity issues.

153351          The XPS parameter $AgentConnectionMaxLifetime is read continuously even though the dynamic flag is set to false.

147368          Policy Server fails to send an active response value when the authorization API returns an empty string.

164641          Policy Server crashes repeatedly due to an incorrect log message format.

138503          Policy Server terminates abnormally while rebuilding secondary caches.

151478          Policy Server installer displays the following incorrect non-fatal error in the install logs on Linux whenever the libidn library is missing: "There are consecutive spaces found in the installation home directory. Ensure that the installation home directory does not contain consecutive spaces."

54881            The User Directory Attribute mapping fails when the response attribute type is WebAgent-HTTP-Open-Format-Cookie.

161360          Rerunning XPSDDInstall on LDAP stores to restore the Data Dictionary fails with the Duplicate entry detected error when the dictionary object entries are present in the xpsXIDKey table but the objects are missing from the xpsObjects table.

 

R12.51 CR06

========

Product: SiteMinder 12.51 CR06 Policy Server

May 22, 2015    Policy Server 12.51 CR06 contains fixes for the following tracking numbers:

Tracking #      Problem description

----------      -------------------

55861           Policy Server displays the "Bulk loading of records is not supported by driver" error when you import SiteMinder audit data into a SQL database.

75049           Policy Server displays CERTREVOKED error in place of CRLEXPIRED for an expired CRL.

138673         Password Dictionary check fails when you reset the password while having the restrictions in password policies.

147270         The publish command for Policy Server displays a file error to the smps log on UNIX platform.

119485         OneView Monitor displays 404 error in logs when the images of OneView Monitor do not exist in the /sitemindermonitor/images/buttons/ location.

144183         smreghost prompts for a password if you do not provide the -p option, even when the command is valid.

137784         Policy Server terminates intermittently because of missing null check.

98943           Policy Server terminates abruptly when the user name of the directory contains special characters, especially a percent symbol (%).

148874         Policy Server fails to connect to the CA Directory through TLS protocol.

153379         Data Direct drivers are upgraded to version 7.1.5 across all the platforms.

74880           Policy Server terminates intermittently because of APSMail.DLL while using the Forgotten Password functionality when the XSHADOW feature is enabled in the exchange server.

148876         CAPKI is upgraded to CAPKI 4.3.5 release.

74376           Key store gets updated when Global Tools Setting in Policy Server is modified.

145979         Policy Server closes the connection with SAP ERP Agent with 10 second idle timeout. The idle timeout session has been made configurable.

71914           WS Federation transaction fails at Assertion Generator when policy store is temporarily inaccessible.

127391         Federation transaction displays 500 error if the user name contains an apostrophe in the email.

73123           Reuse Count does not work when you reset the password.

134776         Advanced Password Services displays an incorrect error message when a new password is not accepted.

116644         XPSExport utility terminates abruptly when you export workspace Entries.

 

R12.51 CR05

========

 

Product: SiteMinder 12.51 CR05 Policy Server

November 28, 2014    Policy Server 12.51 CR05 contains fixes for the following tracking numbers:

Tracking #      Problem description

----------      -------------------

134641/136917   XPSSweeper fails to migrate the service provider for existing and new IDP-SP Partnerships when you run the XPSSweeper.

129007         Policy Management API fails to send the plain password, while retrieving the user directory object.

71902           Forgot password service fails while using the stored procedures.

74616           Policy Store displays an error message (Unable to read object smSessionId) in smps.log, when you use a CA Directory Session as a Session Store.

74549           The smaccess.log and the smps.log files fail to roll over intermittently.

137087         Policy Server terminates abruptly due to memory leak in active expression evaluation.

64603           SAML object attributes are not displayed on the Administrative UI.

62710           The Policy Server LDAP fails, when you invoke the IDP initiation Federation transaction.

72073           Directory Server log fails, when "KeepAgentConnections" returns an error in the Policy Store.

53748           Java DMS API returns incorrect error code during change password API.

70791           ConfigManager.CheckACO fails when you use cluster configuration for HCO.

126730         CAPKI is upgraded to CAPKI 4.3.5 release.

72218           SM_catagory for AgentInstance object is missing in category.txt file. This causes an error on loading .tmp files into the Oracle database, when you process audit related to these objects.

70530           XPSExport with "-npass" argument option fails and encrypts the passwords in the output file.

136915         SASL bind fails, when you upgrade the Active Directory of R12.51 CR04.

72751           APS fails to handle the execution of an ODBC stored procedure.

115814         XPSExport terminates abruptly due to null pointer access.

55820           APSExpire command fails when you change the name in the SmUser column name in the APS table.

54813           The date on the generated report does not match the date on the audit report.

 

R12.51 CR04

========

Product: SiteMinder 12.51 CR04 Policy Server

July 31, 2014   Policy Server 12.51 CR04 contains fixes for the following tracking numbers:

Tracking #      Problem description

----------      -------------------

62061, 54414, 54006   Cache update logs an error in the CDS.log file.

53424           The PreserveHeaders and FccForceIsProcted ACO parameters are misspelt in the ApacheDefaultSettings ACO object template.

54949           XPSRegClient terminates abnormally when it fails to fetch the administrator password.

55489           Intermittent authorization failure occurs when SSO is configured between the Policy Server R6 and R12.51 versions.

54962           XPSSweeper process terminates abnormally due to valid class deletion during the cleanup routine.

55501           The Policy Server enters the Event ID and Category ID column values as 0 in the Audit database under load.

53891           The Policy Server terminates abnormally during shutdown.

54483           The smpolicy-secure.xml file provides more restrictive security settings than the smpolicy.xml file.

55504           The smpoliysrv -publish command displays the connection information as 0.

53673,62080     The smjdbcsetup.sh script fails to display the database type in the menu.

55592,55593     Administrative UI displays an error when a sub-realm is created under a realm in EPM Applications without saving the realm.

55206           LDAP search calls from the Housekeeping thread take a long time to complete.

53929,62090     The EPM Application Role authorization fails when the user directory is configured in the load balancing mode.

55826           The XPSImport utility fails to import with -npass option if the import file contains sensitive data.

55148           The XPSImport utility fails to import because objects fetched from the LDAP store are not sorted properly.

54076,62052     The Policy Server terminates abnormally when Active Expression is used in Response for authorization.

55455           A switch to configure the AgentDiscovery feature through the XPSConfig utility is introduced.

There are 3 possible values for this configuration (0 = Disabled, 1 = Auto Discover, 2 = Enabled). The default value for this parameter is 1 (Auto Discover), in which case the Policy Server checks the policy store for any AgentInstance objects and updates this parameter to 0 (Disabled) if no objects are found or to 2 (Enabled) if such objects are found. Since this parameter is global in nature, it is stored in the policy store and is available to all the policy servers in the server farm. When the Agent Discovery feature is disabled, a trace message is logged in the Policy Server trace logs.

53767,63118 If AD/ADLDS is used as a user store (in "AD" namespace), authorization fails when Latin ISO characters are used in the user names.

75067           The Policy Server terminates abruptly when the "Registration File" option is not available during Administrative UI log in.

55837,74141 If util.jar, util_sdk.jar jars are present in CLASSPATH, the browser throws an Error 500 when a realm that is protected by SAML2.0 Authentication Scheme is accessed.

72481           The smmigratecds utility throws the NoClassDefFoundError error when -validate or -migrate option is specified.

53860           The Password Error message does not appear when localization parameter is set to NO in ACO.

54999           The smmigratecds utility displays incorrect messages when the -validate and -migrate options are used for expired certificates.

64837           The Policy Server terminates abruptly when editing/viewing the Active Directory based user directory.

55788           The smaccess log file fails to display fields in the first line of the file when the file rotates.

55803           The Policy Server terminates abruptly at cache lookup.

55845           Active Directory locks user accounts though the correct credentials are entered.

62740,98322     The Policy Server fails to fetch more than 128 records from the LDAP based policy store.

64797           The XPSExport utility displays an incorrect description for the -m parameter.

70613,70774     The Policy Server terminates abnormally when MS SQL is configured as policy store and LDAP is configured as a key store.

64812           The XPSExport utility throws an encrypted password when the -npass switch is specified during migration.

54831,62053     The XPSExport utility with -xs switch terminates abruptly when the store contains a node that does not have any Administrator associated with it.

55290           The smreghost utility with -o switch fails if HostName contains upper-case letters.

70606           The smfedexport utility fails to export metadata if the pubkey or sign option is used.

55333           The Change Information option in the Policy Server installer fails to function.

52506,62073     The initialization of SmdsLdapConnMgr is displayed as an error instead of a warning in the policy server's smps.log.

62085           The XpsSweeper utility throws errors when it is run after a federation partnership is deactivated.

54458,55385     The password policy fails to get triggered when a custom authentication scheme is used.

63116           The Policy Server sends RC2 encrypted password for a bind when adding a user directory to federation partnership.

54688,54360     The Policy Server logs the "Unable to obtain OS random data" error in the log file when a guest user on Windows tries to run the XPS tools.

54556,62055     The Policy Server updates the Audit logging in an interval of 3 seconds rather than the configured time.

55394           KeepAgentConnections parameter does not contain parameters to support sending soft or hard close when AgentConnectionMaxLifetime time out is reached.

74204           CAPKI needs to be upgraded to 4.3.4 to address recent OpenSSL vulnerabilities.

54580, 62071    The Metadata import fails for the Service Provider entry from a Multi-Entity XML metadata file.

54580,55061     The smfedexport utility fails to export metadata if the pubkey or sign option is used.

55718           The resource bundle error is displayed when smfedimport.sh is run.

55687, 62084    WS-Fed throws a SAML Assertion failure due to an incorrect sequence of the XML elements.

54901, 62066    Insufficient tracing in XPS layer while creating an external administrator object.

54473, 62072   APS displays incorrect information on password change.

 

R12.51 CR03

========

Product: SiteMinder 12.51 CR03 Policy Server

March 27, 2014   Policy Server 12.51 CR03 contains fixes for the following tracking numbers:

Tracking #      Problem description

----------      -------------------

172138                The smreg and XPSSecurity utilities are missing in the Policy Server installer.

164620,178151   The signature validation of SAML assertion takes a longer processing time under heavy server load.

169294,178156   The SAML assertion parse fails due to incorrect jars in the classpath.

170020,178159   Policy Server fails to roll over logs.

170507,178162,178658,173913    When a user directory is used in multiple partnerships, Policy Server authenticates only the first user.

171321,178539   Policy Server terminates abruptly during LDAP search under heavy request load.

176491,178649   During the Policy Server process shutdown, Policy Server terminates abruptly due to improper unloading of libraries.

175936,178651   Policy Server gives error due to unsigned jars.

175936,178651   During the IDP information search, Policy Server throws an error due to unsigned jars.

174693,178653   smkeytool fails to import the separate certificate and key files.

174236,178656   Upgrading from r6 to 12.51 results in the smpolicysrv process using 100 percent of the CPU.

171252,178667   Policy Server throws an error when retrieving the Web Services variable.

171489,179201   smaccess.log does not log the Administrative UI changes even when Enhance Enable Tracing and LogObj are enabled.

166520                In an edit mode, the Session Timeouts option is cleared for all components of an application.

174951,178652   WS-FED Assertion Generation GetUserProp() function was causing a Policy Server failure.

173800,181152   Policy Server terminated abruptly when a UDP packet is sent on port 44444 with a single byte containing 0x08 or 0x88.

177760,181467   Upgrade of Java Update 45 blocks the FSS UI applet jar.

175068                Policy Server terminates abruptly while authenticating a legacy administrator when the Administrative UI is protected by a custom java authentication scheme.

179879,182416   When we edit a domain, a policy loses its users that we configured from the authorization directory mapping.

181643,182418   xpssweeper throws errors related to user policy and federation users after configuring a federation partnership.

183017,183445   Policy Server terminates abruptly when the primary policy store in the failover configuration stops.

178158,169970   Policy Server terminates abruptly if the audit database stops.

178593,172971   Policy Server fails to trace the search failure during LDAP user directory failover.

178661,172871   Using a custom authentication scheme results in a memory leak in Policy Server.

179824,170745   Policy Server intermittently terminates due to double free call.

180969,178905   XPSImport with the -validate option fails to validate against CA_SiteMinder_WAM-XPS2.xsd.

176719,178646   APS throws an invalid weight error during a password change if the password is listed as a restricted word in the dictionary.

 

R12.51 CR02

========

Product: SiteMinder 12.51 CR02 Policy Server

 

February 25, 2014    Policy Server 12.51 CR02 contains fixes for the following tracking numbers:

 

Tracking #      Problem description

----------      --------------------------------

 

174236, 182271  Upgrading from r6 to 12.51 results in the smpolicysrv process using 100 percent of the CPU.

172992, 182272  The Policy Server was randomly failing in a customer environment during key store fail-over. The core dump analysis verified that the failure was due to inappropriate data casting while printing the error logs.

181423, 182270  If the encryption key in the EncryptionKey.txt file contains null characters, the file from r6.0, r12.0 SP3, and r12.5 is incompatible with r12.51 CR01.

177001, 182980  During the data export, smkeyexport and the -k and -c options of smobjexport do not decrypt the keys.

 

R12.51 CR01

========

Product: SiteMinder 12.51 CR01 Policy Server

July 3, 2013    Policy Server 12.51 CR01 contains fixes for the following tracking numbers:

Tracking #      Problem description

----------      -------------------

141018          The Policy Server now keeps all sensitive data encrypted in memory

158227          An issue where the Policy Server could take up to three minutes to shut down has been resolved

158911          The DMS API now correctly returns group membership when an unlimited page size is used with CA Directory

62974          Any OnAuthAttempt events are now triggered in EPM model

165833          The XPSExplorer no longer displays passwords in clear text when passwords are being typed

166560          The Default and non-default tags are now correctly logged in syslog

167068          The Policy Server can now be configured to store values of UserDN and user name attributes in the sm_objname and sm_objid columns of the audit database respectively

167675          A typographical error in the header of the smaccess.log file has been corrected

168047          The OneView monitor now appears correctly in non-English environments

168170          The Policy Server no longer crashes when creating Attribute Mapping when "Expression" is selected but its definition is empty

168718          The Policy Server no longer leaks memory while performing text-based audit-logging under heavy load conditions

169037          The Policy Server now logs a list of loaded event providers in smps log file

169347          The authentication calls in authorization APIs no longer fail with the custom active expressions

169412          The Certificate authentication scheme now correctly decodes multivalue RDN in certificate DN

169458          The startup times of the XPS tools with LDAP policy stores have been improved

169678          The performance of Java Policy Management API has been improved

169708          When using DLP integration, you no longer have to edit axis2c.xml file to be able to create applications from WAM UI

169734, 170190, 171012  The performance of the Policy Server has been improved

169765          The audit schema for the DB2 database now supports assertion auditing

169950, 169948, 169980, 170002, 170079, 170087, 170089, 170092, 170093, 170114, 171064  Various language translation issues have been addressed in this release

169963, 170166, 170098  The smobjimport command no longer fails with illegal XML characters error while importing SiteMinder r6 smdif files

170095          The Policy Server installer now installs APSAPI libraries and APSAPI.h header file

170116          The Policy Server now correctly generates agent commands when an ACO or HCO object is created or modified through the Policy Management API

170264          The Linux Policy Server no longer crashes on authentication requests when referrals are enabled in an Active Directory user store

170270, 170502  The Policy Server configuration wizard can now properly configure ADLDS or ODSEE 11g as a policy store

170321          The SiteMinder Policy Server configuration wizard now correctly configures One View monitor with ServletExec on Linux

170328          An issue with key trace messages not being reported to the Policy Server trace log has been resolved in this release

170582          The Wily Manager now correctly reports Policy Server status when password policies are not configured or Identity Minder integration is not enabled

171208          The Policy Server will no longer perform frequent updates of the policy store related to the Agent Discovery functionality

171256          The XPSImport no longer fails with an XML parser error when encountering invalid XML characters in the input file

R12.7 SP01

==============

Salesforce Case #   Internal Defect ID   Issue Description
-----------------   ------------------   -----------------
00498623            DE273154             OneView Monitor throws the 404 error when it is configured in silent mode.
00619199            DE275849             The Policy Server installer always tries to install OneView Monitor without honoring the value of DEFAULT_OVMGUI_CHOICE in the ca-ps-installer.properties file.
00607752            DE283213             Policy Server fails to delete policy objects from cache if they are added or deleted using the SDK.
00703448            DE290373             The pure Java DMS API getAttributes method fails to return user attributes.
00733959            DE290975             User authentication fails after upgrade if client certificate authentication and CRL are configured.
00717678            DE291074             XPSImport fails if cache updates are disabled in Policy Server.
00593328            DE295222             Translation fails with the APSXLateTest utility.
00753695            DE298363             Single sign-on fails due to null Agent Keys in AgentCommand.
00770808            DE300558             Administrative UI fails to register with Policy Server if the default bootstrap timeout expires.
00241489            DE300887             Authentication fails if there is a mismatch between the user certificate name and its name in the user store.
00767401            DE301991             OneView Monitor on Tomcat fills the standard output log file frequently.
00651747            DE306481             Administrative UI fails to reflect the correct agent group membership information if an agent or agent group is created using the SDK and mapped to an existing agent group.
00754192            DE306598             The audit logs written to syslog truncate at 1024 characters when the Enhanced Tracing registry key is enabled.
00809861            DE309353             Encrypting the assertion throws an error on the IdP side when the certificate contains non-ASCII characters in the IssuerDN.

R12.6 SP02

==============

 

Policy Server 

Salesforce Case #   Internal Defect ID   Issue Description
-----------------   ------------------   -----------------
00296881            DE192239, DE198724   Policy Server leaks memory while processing LDAP referrals.
00648650            DE269849             Policy Server fails to recognize the Enable CustomExprOnly registry key; the registry key is no longer supported.
00531325            DE250435             XPSSweeper throws the "CA.SM::SAMLv2IdP.Name is not set" error when upgrading from Release 12.0 SP3 to Release 12.6.
00531325            DE246886             XPSSweeper throws the "CA.SM::SAMLv2IdP.Name is not set" error when upgrading from Release 12.0 SP3 to Release 12.6: "ERROR MESSAGE: SmApiWrappedException:CA.SM::UserDirectory@0e-000ed1bc-28a6-181b-8cc9-01017f001d7f".
n/a                 DE254448             Policy Server crashes during shutdown when the X509 authentication scheme is configured.
00474687            DE250284             COMPONENT fails to prompt the user to change the password though it has expired, and accepts the expired login credentials.
00636971            DE268856             During the Policy Server installation in console mode, the Policy Server configuration wizard fails to point to the default value in the Choose Features menu and prompts for the Super User account password in the default installation setup.

 

Administrative UI

Salesforce Case #   Internal Defect ID   Issue Description
-----------------   ------------------   -----------------
00516766            DE242603             Domain policy fails to work when the Search filter contains "not" for searching users.
00494403            DE244464             The Member Group and Organization selection fails to persist across multiple pages when creating roles for applications.

CA Access Gateway 

Salesforce Case #   Internal Defect ID   Issue Description
-----------------   ------------------   -----------------
00335041            DE242989             CA Access Gateway fails to return the domain cookie header to clients if the cookie request that is sent from the host-only backend server does not contain the domain.

 

R12.6 SP01

==============

Salesforce Case #   Internal Defect ID   Issue Description
-----------------   ------------------   -----------------
593340              DE247886             Administrative UI performance degrades when the Federation Partnerships and Certificate Management features are used.
n/a                 DE245176             XPSSweeper stops responding and its CPU usage is 100%.

 

R12.52 SP02 CR01

==============

Salesforce Case #   Internal Defect ID   Issue Description
-----------------   ------------------   -----------------
n/a                 DE78525              Enabling Session Assurance breaks the existing on-auth-accept-redirect responses used by the GD modules.
00216178            DE118729             The socket timeout and connection timeout values cause exceptions in the OAuth authentication scheme.
00032401            DE133069             Search for Super User permission results in errors if the user is passed with Active Directory (AD) context.
00236681            DE135488             Policy Server truncates assertion data if the size of the active response in the assertion exceeds 48K.
00303348            DE135629             CAPKI version is upgraded to CAPKI 4.3.9.
00177393            DE139043             Administrative UI throws an exception when creating or modifying a new domain and adding a new user directory to it.
00305791            DE139934             The exported metadata shows SHA1 though SHA256 is selected in the Entity or Partnership.
00103617            DE140166             During the Policy Server installation in console mode, the Policy Server configuration wizard does not point to the default value in the Choose Features menu.
00258335            DE143015             Smconsole throws the following error if you enable the profiler by clicking the Apply or Save button after the Policy Server upgrade: "key not found: smc.AdvAuthDataSourceEmpty".
00285735            DE144421             The Identity Mapping objects that are exported using XPSExport fail to be imported into another Policy Store.
00328359            DE154573             Users are not listed in the EEM UI when the displayName filter is used.

 

R12.52 SP01 CR08

==============

Salesforce Case #   Internal Defect ID   Issue Description
-----------------   ------------------   -----------------
00302490, 00461931  DE139629, DE200163   Policy Server fails to record the audit log.
00069481            DE140271             The Policy Server responses are delayed when it handles requests with a delay of at least one second.
00339507            DE157079             The SDK Policy API call getAgent fails to find the agent.
00335233            DE159112             The start-all command intermittently fails to execute completely when the stop-all and start-all commands are executed repeatedly.
00364477            DE159909             The Kerberos libraries are upgraded to Release 1.11.
00365506            DE171963             Policy Server fails to retain custom headers when a user successfully logs on to an application and navigates to another page within the application.
00366537            DE172890             After unlocking a user account, Policy Server fails to allow the user to log in to the application on the first attempt.
00418724            DE175935             The Policy Server access logs fail to roll over accurately.
00437744, 00183506  DE176727, DE94709    Policy Server fails to generate metrics/statistics for the APM user store that is configured in a directory mapping.
00443477            DE198382             The FMATTR attribute fails to separate multi-value attributes when it is used with an expression in the attribute values.
00463800            DE202900             Policy Server fails to generate the WS-Federation SAML 1.1 assertion when multi-value attributes are configured.
00472333            DE203466             The Perl API generates a core dump when more values are added to the ValidateTargetDomains ACO parameter.
00481735, 00719355  DE204495, DE287256   The Policy Server management thread logs the "Error 9 waiting for server management messages" error in the smps.log file.
00497374, 00519167  DE227108, DE246312   Policy Server fails to return ACO parameters that contain '#' when smagentapi is used in the SDK.
00505938, 00632270, 00470058  DE227173, DE274161, DE224107  The APS LDAP transactions exhibit performance issues during LDAP connection processing requests.
00485748            DE237602             Policy Server fails to connect to the LDAPS backend when TLSv1.1 is used.
00455538            DE237693             Policy Server crashes when the X509 authentication scheme is accessed.
00485641            DE238341             Policy Server truncates the SAML AuthnRequest that it successfully received earlier, and throws an XML parser error.
00453641            DE244404             The Perl CLI fails to fetch the authentication scheme of a realm when the session is established with the Administrator privileges of the domain to which the realm belongs.
00593328            DE245883             Translation fails with the APSXLateTest utility.
00449099            DE250710             The APS libraries are missing in the Solaris 64-bit Web Agent.
00607752            DE256008             Policy Server fails to delete policy objects from cache if they are added or deleted using the SDK.
00372539, 00817098  DE258092, DE311005   Policy Server terminates abnormally when the Application model is used in conjunction with an OnAuthAttempt rule.
00652318            DE270502             Policy Server fails to preserve assertion attributes in a WSFED/SAML1.1 federation partnership.
00664489, 00295831  DE275087, DE136643   Sort Controls are not disabled on LDAP during user search.
00680051            DE279215             The WSFED IP-to-RP partnerships fail to display the configured value of Minimum Authentication Level in federation partnerships.
00688005            DE284023             When an application is protected with the RSA authentication scheme, Policy Server fails to allow users to log in to the application after the idle timeout value expires.
00709833            DE284336             Policy Server shuts down slowly, which causes the stop-all script to forcibly kill the smpolicysrv process with an explicit SIGKILL command.
00717678            DE286779             XPSImport fails when it is run on a Policy Server on which cache updates are disabled.
00474687, 00597575  DE205706, DE237817   Policy Server fails to prompt for a password change though the password has expired, and it accepts the credentials of the locked-out user.
00760779            DE297518             Policy Server fails to let delegated non-super users create Identity Mapping in the Administrative UI.
00775720            DE315872             Policy Server crashes when it is integrated with APM 13.0.

 

R12.52 SP01 CR07

==============

Salesforce Case #   Internal Defect ID   Issue Description
-----------------   ------------------   -----------------
00691198            DE282824             User store fails with the "Cannot contact LDAP server" error during a search under heavy load.

 

R12.52 SP01 CR06

==============

Salesforce Case #   Internal Defect ID   Issue Description
-----------------   ------------------   -----------------
00236681            DE102140             Policy Server truncates assertion data if the size of the active response in the assertion exceeds 48K.
21955636-01         DE105858             Policy Server intermittently crashes when processing certificates.
00103617            DE106225             During Policy Server installation in console mode, the Policy Server configuration wizard does not point to the default value in the Choose Features menu.
00258335            DE124902             Smconsole throws the following error if you enable the profiler by clicking the Apply or Save button after the Policy Server upgrade: "key not found: smc.AdvAuthDataSourceEmpty".
00206326            DE133031             Policy Server restarts with Module Faults.
00285735            DE134112             The Identity Mapping objects that are exported using XPSExport fail to be imported into another Policy Store.
00174746            DE137239             Protected resources become unprotected when Policy Server restarts.
00305816            DE137802             The Policy Server cache build fails on the secondary Policy Server with the error "Cannot fetch agent" or "Secondary cache build failure" during administrative changes.
00301544            DE140495             XPSExport crashes when it is run from the command line.
00420620, 00312398  DE171901, DE142908   Policy Server generates a core dump upon stopping the server.
00347228            DE156811             smfedexport ignores the alias given on the command line and always signs the XML data with the first certificate in the list.
00434175, 00346464  DE199271, DE157832   Changes are not reflected in the Administrative UI when objects are updated through XPSImport.
00349379, 00349379  DE186906, DE159627   Active responses are not cached, resulting in slow responses because two different OnAccessAccept active response headers (PROXY_REMOTE_USER and proxy-remote-user) must be sent to meet each application's needs.
00374788            DE162137             Policy Server crashes while running the publish command.
21957952-01         DE164000             Performance degrades in R12.52 SP1 compared to R12 SP3 CR10.
00483471, 00371347  DE206486, DE165142   Policy Server hangs when connected to an Oracle 12c user store using the Administrative UI.
00354719            DE166084             Performance issues were observed in Policy Server during DB connection processing requests.
00318299            DE201257, DE177286   The XPSSweeper tool crashes abruptly.
00419440            DE177765             Policy Server hangs when the connection limit is exceeded.
00370648, 00449759, 00413584, 00380676, 00337693, 00328269, 00444984  DE197591, DE187115, DE172081, DE163488, DE156901, DE144249, DE186346  Encrypting the assertion throws an error on the IDP side when the certificate contains non-ASCII characters in the IssuerDN.
00296881            DE192239             Policy Server leaks memory while processing LDAP referrals.
00469210            DE204579             Secure Session Assurance throws an error when trying to access the protected resource.
00475766            DE204581             Upgrade fails in SPS.
00474687            DE237816             The user is not prompted for a password change though the password has expired, and locked-out user credentials are accepted.
00265979, 00351582, 00327704, 0024814, 00256060  DE78566, DE157547, DE144175, DE103106, DE129844  Apache Commons Collections vulnerability found in 3.2.1.jar; it is fixed in 3.2.2 and 4.1.
00303302            DE138108             Service Provider fails with "java.lang.NullPointerException" while consuming an IDP-generated assertion when the SP SingleAssertionUsage option is enabled.
00216581            DE143166             Web Agent does not fail back to the first Policy Server, and requests are not processed successfully, when the first Policy Server is started.
00311237            DE144432             Dynamic rollover of agent keys does not occur at the time set in the Administrative UI.
00309822            DE143104             In the Administrative UI, creating and submitting a realm takes time.
00222654            DE144528             The Agent Key does not roll over when it is configured to roll over on a specific day of the week.


R12.52 SP01 CR05

==============

 

Salesforce Case #   Internal Defect ID   Issue Description
-----------------   ------------------   -----------------
22000073-01         DE65940              The SAML 1.1 default target configuration is inconsistent between the FSS UI and the Administrative UI.
00200658            DE67510              The "ReEnableAfterIncorrectPwd" method of the Policy Management API returns an incorrect value.
00203863            DE68350              Policy Server leaks memory while processing the list of server commands.
00215858            DE68366              Authentication fails if the username contains &.
00061182            DE82998              The TargetAsRelativeURI ACO parameter fails to evaluate response URIs.
00069814            DE91886              The CA RiskMinder service fails to start after the Policy Server reconfiguration because of an inaccurate SmCommand status.
00219841            DE93650              URLENCODE fails to handle internationalized characters.
21566865-01         DE96366              User groups are not populated under roles for Applications for the AD user store.
00144339            DE96440              Policy objects imported using XPSImport are not reflected immediately in the Administrative UI when ADLDS is the Policy Store.
21911402-01         DE99403              CA Single Sign-On sends the ObjErr_NotFound error as an access error to CA Wily.
00250192            DE101595             The Authreason codes from Policy Server are not the same as the AD response irrespective of the status of isADEnhanced.
00262154            DE102899             Policy Server fails to parse the format correctly when the username contains "%Z".
00228620            DE103707             The legacy federation objects are migrated every time XPSSweeper is executed, even if there is no modification to the objects.
21971630-01         21971630-01          The transaction processing speed of Policy Server slows down when CA Directory is used as the session store. The session store size grows exponentially and session deletes are not in sync with the rate of new sessions added to the session store.
00230350            DE109200             Policy Server intermittently crashes due to a buffer overrun.
00216178            DE118731             The socket and connection timeout values cause exceptions in the OAuth authentication scheme.
00128842            DE130935             Smconsole fails to reflect the correct status of the Policy Server service on Windows.
00287102            DE131010             The Policy Server installer includes the database versions in the configuration wizard.
00277901            DE131284             During the processing of SQL statements containing a NULL, Policy Server reports a transport error and the connection hangs.
00259449            DE133165             There is no option to diagnose performance issues without enabling tracing.
00083756            DE135369             Policy Server crashes on loss of LDAP connectivity.
00226144            DE138326             XPSExplorer allows the addition of the same policy object to the XCart twice, causing XPSExport to fail.
00230716            DE142657             The Administrative Operations by Administrator report results in the updated unknown error.
00122286            DE155270             A TrustedHostObject created or updated on the primary Policy Server is not reflected in the secondary Administrative UI.
21875003-01         DE75251              APS ignores the data specified in the curly braces {} for the Lockout Mail.
00297523            DE137668             Policy Server terminates abruptly while authenticating a legacy administrator when the Administrative UI is protected by a custom java authentication scheme.
21900345-01         DE68861              Administrative UI displays FedXPSException for federation naming conflicts.
00202238            DE72174              The User ID Attribute Name and User Information Services fields are not marked mandatory in the OAuth Partnership page of the Administrative UI.
0010847             DE74101              The Allow Nested Groups option fails to function for the AD Namespace during a partnership federation creation.
00177393            DE95585              Administrative UI throws an exception when creating or modifying a new domain and adding a new user directory to it.
00032401            DE112053             Search for super user permission results in errors if the user is passed with AD context.
00301430            DE137749             Deletion of objects in the Web Services Authentication Scheme throws the following error: "AttributeNotPresentException".
00305791            DE139933             The metadata export shows SHA1 though SHA256 is selected in the Entity or Partnership.
00425273
00417153
00417389

 

R12.52 SP01 CR04

==============

December 30, 2015      CA SiteMinder Policy Server 12.52 SP01 CR04 contains fixes for the following tracking numbers:

Tracking #            Problem description

----------            -------------------

RTC 159147 / DE99789   Policy Server for Windows builds search filters incorrectly for SharePoint Agent requests.

RTC 144453 / DE90644   Policy Server fails to retrieve the value for special attributes such as DominoAccessGroups.

RTC 165424 / DE85265   Authorization fails to work with Identity Mapping.

RTC 154234 / DE94402   The Radius server authentication fails due to an incorrect Policy Server IP address.

RTC 158902 / DE93911   Policy Server fails to start if more than one Global Domain is defined in the Policy Store.

RTC 63534 / DE104786   The CA RiskMinder startup log reports the following FATAL error: "Mon Apr 28 15:52:41.229 2014 FATAL: pid 24728 tid 1: 2: 0: Quitting".

RTC 163452 / DE112391  Policy Server experiences high CPU usage.

RTC 163750 / DE111906  The metadata export fails with an unexpected system error.

RTC 153157 / DE104171  Web Agent displays the HTTP 500 Server error when a URL ending with the .sac extension is accessed.

RTC 153178 / DE104554  The password change from the Java DMS API results in inconsistent behaviour.

RTC 159570 / DE104660  Modification of a few user attributes using the DMS API results in the modification of all the user attributes.

RTC 141833 / DE79301   Duplicate ICU shared library files are present in the ICU third-party folder.

RTC 148852 / DE114208  CA SiteMinder SPS authenticates a user successfully though the user credentials contain leading or trailing spaces.

RTC 154402 / DE91831   The socket error:9999 occurs during initialization of the Policy Server.

RTC 159700 / DE103500  Policy Server fails to send an active response when the "Enable Null Value Response" registry is set to 0x1.

RTC 156152 / DE90351   CA SiteMinder fails to replace the placeholders for Risk Minder.

RTC 156789 / DE67270   Sm_AgentApi_Init fails due to the select() call.

RTC 167520 / DE104578  The CA RiskMinder service fails to start after the Policy Server reconfiguration.

RTC 154889 / DE96766   The silent mode upgrade of Policy Server upgrades the Policy Store.

RTC 139480 / DE96132   CA SiteMinder FSS UI fails to open if an expired certificate exists.

RTC 118937 / DE107119  Enabling Session Assurance breaks the existing on-auth-accept redirect responses used by the GD modules.

RTC 141895 / DE82640   smpolicy.xml contains incorrect default attributes for the Sharepointdefaultsettings ACO.

RTC 149104 / DE101138  Deadlock with the ACE initialization functions causes Policy Server to generate a core.

RTC 147509 / DE74786   The FedObjects partnership service returns success when the transaction commit fails.

RTC 166137 / DE67238   Policy Server crashes on the IM tunnel agent call.

RTC 150117 / DE102338  The smreg -su requires a Policy Server restart for password reset.

RTC 155562 / DE78433   The smmigratecds tool crashes with the java.lang.Exception error when -validate is used.

RTC 154392 / DE89586   Policy Server crashes during LDAP failover.

RTC 150754 / DE99826   The Administrative UI screen does not display in Japanese in Internet Explorer 8.

RTC 168791 / DE94469   RSA AceLibrary is upgraded to version 8.1.3.

RTC 165810 / DE81830   Scoped Administrator experiences poor performance of the Administrative UI.

RTC 159398 / DE103333  Policy Server installer displays the following incorrect non-fatal error in the install logs on Linux whenever the libidn library is missing: "There are consecutive spaces found in the installation home directory. Ensure that the installation home directory does not contain consecutive spaces".

RTC 163151 / DE106953  Policy Server allows the login of a locked-out user when the Enhanced AD integration is enabled.

RTC 137833/158995 / DE71698/DE95265    The smaccess log file fails to display fields in the first line.

RTC 157372/163655 / DE75322/DE113070   The SMUSRMSG cookie allows phishing for valid usernames with Novell eDirectory as a user store.

 

R12.52 SP01 CR03

==============

Policy server was not released for CR03.

 

R12.52 SP01 CR02

==============

Product: SiteMinder Policy Server 12.52 SP01 CR02

July 17, 2015 Policy Server 12.52 SP01 CR02 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

127127 When the registry key KeepAgentConnections is set to 2, the directory server (policy store) log fills with the following log statement many times: msgId=30638 - RESULT err=32

125079 When using Passwordservices, LoginFailure count resets to zero after the account is disabled due to too many login attempts.

134424 Policy Server terminates abnormally when shared secret in the store is larger than 256 bytes.

150155 When the key store is separate and multiple requests come from web agents to the Policy Server, some agents fail to get agent keys with the following error message in the smps log: Policy store failed operation 'MultipleSearch' for object type 'AgentKey'

119472 The date on the generated report does not match the date on the audit report.

147235 The number of LDAP search calls increases during authorization when the INGROUP expression is used.

146237 Attempting to retrieve rules associated with a policy having rules and rule groups associated with it, returns an invalid value.

154875 Install Anywhere must be upgraded

64886 Administrative UI does not display certificates with non-ASCII characters.

149490 SASL Bind fails with Active Directory.

137829 Administrative UI fails to display the rules during policy creation under a domain.

72274 Wily reports the Policy Store as RED.

151453 Enabling EnableAuditing and disabling IgnoreQueryData creates unexpected audit log entries.

81449 SM_catagory for the AgentInstance object is missing in the category.txt file. This causes an error when loading .tmp files into the Oracle database when you process audit data related to these objects.

145059/144842 Policy Server fails to implement the changes done to rollover frequency configuration once the rollover begins.

153353 The XPS parameter $AgentConnectionMaxLifetime is being read continuously even though the dynamic flag is set to false

135032 Session Assurance is not getting configured if Policy Server is installed in silent mode.

72517 Running XPSCounter against an Active Directory user store fails

154967 FSS UI session times out as an admin logs in.

139126 SM returns smauthreason code 0 when illegal characters are found in the username.

141439 Audit logging not working if Postgres is used as the audit store.

144185 smreghost must prompt for the password

63022 KeepAgentConnections parameter does not contain parameters  to support sending soft or hard close when AgentConnectionMaxLifetime time out is reached.

155251 Policy Server terminates abnormally while rebuilding secondary caches.

145890 Error messages displayed when IDP is using an incorrect Public Key/cert for encrypting the assertion, is misleading.

98387 Policy Store displays an error message (Unable to read object smSessionId) in smps.log when you use a CA Directory Server as a Session Store.

144051 Policy Server terminates abnormally and does not recover when LDAP Directory Server hangs due to network  connectivity issues.

144576 The correct offset from GMT is not being displayed correctly in the access.log.

143552 Realms are not displayed in the Administrative UI when viewing from Domains.

141981 Administrative UI throws a NullPointerException during creation or modification of a workspace that has an IDP partnership.

148504 Identity mapping failing with R12.52 SP1 due to search criterion in ODBC.

147257/150174 Policy Server terminates abnormally due to RpcDispatcher::evalCall.

142193 The APS CPW embedded form does not allow autocomplete to be disabled.

158072 R12.5 SiteMinder returns smauthreason code 0 when illegal characters are used in the username.

155298 DataDirect Upgrade to version 7.1.5.

155275 Upgrade CAPKI to version 4.3.8

146073 Policy Server closes the connection with SAP ERP Agent with 10 second idle timeout. The idle timeout session has been made configurable.

135760 Policy Server crashes on shutdown when an authentication scheme is released.

 

R12.52 SP01 CR01

==============

Product: SiteMinder 12.52 SP01 CR01 Policy Server

February 13, 2015 Policy Server 12.52 SP01 CR01 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

64139 Policy Server terminates abruptly because of ACE authentication error.

75274 Policy Server terminates abruptly when Active Expression is authorized as response attribute.

71915 WS Federation transaction fails at Assertion Generator when policy store is temporarily inaccessible.

55835 Policy Server displays java.sql.SQLIntegrityConstraintViolationException error when you run the Audit and Analysis report because of null value in Column 'RPT_INSTANCE_ID'.

55627 CCS Integration fails when you upgrade Policy Server from 12.51 to 12.52.

111439 XPS import fails when you change the expression name in policy store.

134407 Policy Management API fails to send the plain password to Identity Minder.

116213 Policy Server terminates abruptly when the user name of the directory contains special characters especially a percent symbol (%).

55850 Administrative UI fails to activate multiple WS-Federation partnership from Identity Provider to Resource Partner when you use the same RP ID for different partnerships.

116645 XPSExport utility fails abruptly when you export workspace entries.

75050 Policy Server displays CERTREVOKED error instead of CRLEXPIRED error for the expired certificate, when you use the X509 client cert authentication.

138677 Policy Server fails to connect to the CA Directory through TLS protocol.

139117 Policy Server fails to connect to the CA Directory when the Session transaction store is delayed by 11 milliseconds or more.

70771 Policy Server terminates abruptly when policy store is configured with SQL and key store is configured as LDAP.

85501 Support for bulk import and export of CDS objects has been added.

65216 Policy Server displays a "Policy Server did not start properly" error message during start up.

137785 Policy Server terminates intermittently because of missing null check.

71917 Policy Server displays "Bulk loading of records is not supported by driver" error when you import SM audit data into SQL database.

74943 The commented ACO properties get deleted using modifyAgentConfig API.

118104 Policy Server terminates abruptly when XPSExport is run with the xb switch.

127251 XPSSweeper tool terminates abruptly.

116609 APS change password and forgot password fails for the ODBC stored procedure.

125655 Policy Server displays "SamlValidator (Pass 2) Caught unknown exception or error" error when you migrate SAML application from Release 6 to Release 12.52.

114013 Policy Server start-all script displays "unexpected operator/operand" error.

119486 OneView Monitor asks for gif images that do not exist in the SM installation location.

139332 APS displays an incorrect error message when a new password is not accepted.

55134 Policy Server fails to set content-length header when the message body is empty.

139460 Policy Server displays null pointer exception error if the Assertion attribute does not exist in LDAP.

119956 RSA ACE SDK library upgraded to version 8.1.2 on Linux.

125654 RelayState truncates at first occurrence of %22 when you post SAMLResponse to assertionconsumer.

73540 WS-Federation partnership activation fails because of object creation failure in the Novell eDirectory policy store.

74881 Policy Server terminates intermittently because of APSMail.DLL while using the "Forgotten Password" functionality when the XSHADOW feature is enabled in the exchange server.

73587 Policy Server fails to generate WS-FED SAML 1.1 assertion when you configure the multi-value attributes.

73371 APSExpire command fails when you change the name in the SmUser column name of the APS table.

74377 Key store gets updated when Global Tools Setting in Policy Server is modified.

127212 Upgrade to CAPKI 4.3.5 release.

72916 Backreference regular expression fails with SiteMinder password policy.

138621 Federation transaction displays 500 error if the user name contains an apostrophe in the email.

135786 XPSSweeper displays "Failed to migrate the service provider for SAML1.1 partnership" error.

117317 The smaccess.log and smps.log files fail to rollover intermittently.

72210 Federation Partnership fails because of NullPointerException.

117890 Policy Server partially reloads the cache when an Agent connects to the Policy Server with an incorrect shared secret.


R12.52 CR01

==============

Product: SiteMinder 12.52 CR01 Policy Server

March 4, 2014 Policy Server 12.52 CR01 contains fixes for the following tracking numbers:

Tracking # Problem description

---------- -------------------

181423/181647 If the encryption key in the EncryptionKey.txt file contains null characters, the file from r6.0, r12.0 SP3, and r12.5 is incompatible with r12.51 CR01.

177001/182984 During the data export, smkeyexport and the -k and -c options of smobjexport do not decrypt the keys.

182908 The Administrative UI (WAM UI) fails to display the imported certificates in the X509 Certification Management tab.