Hello CA Single Sign-On Community Users,
Please find below the list of the latest Knowledge Base Articles for Single Sign-On (Formerly CA SiteMinder)published or updated since 22nd June 2016 for your reference:
'AgentDiscoveryEnabled' Not Available in XPSConfig After Upgrading.
The Policy Server was upgraded to CA Siteminder r12.51 CR08 in order to take advantage of the ability to disable Agent Discovery. This feature was introduced in r12.51 CR07. 'DisableAgentDiscovery' isn't present in XPSConfig after upgrade.
Last Update: 7/28/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1541845
FSS AdminUI 500 error
After configuring the webagent on linux machine the new FSS UI is not working and getting 500 internal server error.
Last Update: 7/28/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1887042
CA SSO r12.52 Reports are not Opening When Being Viewed
Using CA SSO r12.52 Report Server, when attempting to View a report which has already been generated, the page shows empty and the report is not returned.
Last Update: 7/28/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1925365
Restart Policy Server when you update sm.registry file.
This article explains the required restart of Policy Server when changing value in sm.registry on Linux.
Last Update: 7/28/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1696518
CA Siteminder Vulnerabilities CVE-2015-6853 & CVE-2015-6854
CVE-2015-6853 & CVE-2015-6854: A remote attacker can make a request that could result in a crash or the disclosure of sensitive information.
Last Update: 7/27/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1552755
ODBC Policy Store restrictions
When migrating LDAP Policy Store to PostgreSQL, XPSImport encountered an error caused by that AgentName length was over 4000 characters.
Last Update: 7/27/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1859089
In order for the Web Agent to work properly on the Oracle HTTP Server, the necessary environment variables need to be set.
Modify the ohs.plugins.nodemanager.properties and add the environment variables
Last Update: 7/26/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1832669
Configuring specific authenticatipon schemes on the Web Agent on an Oracle HTTP Server requires specific SSLVerifyClient settings.
1. Change the value of the SSLVerifyClient directive from within the httpd.conf used by the Oracle HTTP Server to the necessary value: a. SSLVerifyClient optional b. SSLVerifyClient required
Last Update: 7/26/2016 Size: 82 kb Type: Knowledge Base Articles ID: TEC1563022
Configuring Cert and Form authentication scheme using the Web Agent configuration wizard does not throw an error, however the scheme does not work.
CA Single Sign-On Web Agent for Apache on IBM IHS(HTTP) server Cert and Form auth scheme does not work.
Last Update: 7/26/2016 Size: 82 kb Type: Knowledge Base Articles ID: TEC1923838
How to correct the error message, “Syntax error on line 974 of /opt/IBM/HTTPServer/conf/httpd.conf: SSL0331W: Invalid argument for SSLClientAuth: require".
“Syntax error on line 974 of /opt/IBM/HTTPServer/conf/httpd.conf: SSL0331W: Invalid argument for SSLClientAuth: require (null). The 1st value must be 0, 1, 2, none, optional, required, or required_reset”
Last Update: 7/26/2016 Size: 82 kb Type: Knowledge Base Articles ID: TEC1639554
How to correct this error message, "Syntax error on line 975 of /opt/IBM/HTTPServer/conf/httpd.conf: Invalid command 'SSLOptions"
Syntax error on line 975 of /opt/IBM/HTTPServer/conf/httpd.conf: Invalid command 'SSLOptions', perhaps misspelled or defined by a module not included in the server configuration
Last Update: 7/26/2016 Size: 82 kb Type: Knowledge Base Articles ID: TEC1234981
About DisAllowUTF8NonCanonical in ACO parameter.
When I request to WebAgent with URL contained encoding data, WebAgent rejects my request because of 403 error.
Last Update: 7/26/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1698396
Dynamic Policy Server Cluster support with Application Server Agents
Can the "enableDynamicHCO" parameter be defined for the Application Server Agents in their SmHost.conf files to implement the Dynamic Policy Server Clusters?
Last Update: 7/25/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1384387
JBoss physical memory is growing.
JBoss physical memory size is huge , because dat files under adminui_install/server/default/data/derby/siteminder/taskpersistance/seg0 are increasing.
Last Update: 7/25/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1524751
About "Flash All" command in AdminUI.
By "Flash All" command in AdminUI, which caches are cleared ?
Last Update: 7/25/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1392185
The sequence of Cookie Provider structure in use of Form Authentication.
Is there some Cookie Provider sequence in use of Form Authentication ?
Last Update: 7/25/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1701466
R12.52SP2 WAMUI didn't install as Window service when the install path is D:\
WAMUI service is not installed as Window service after installation complete
Last Update: 7/25/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1209297
Unable to start RedHat Apache 2.4 (on RHEL 7 64-bit)
Your Apache 2.4 fails to start with the ca sso web agent installed
Last Update: 7/22/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1306032
How to configure Autosweeper using XPSConfig
Instructions on how to configure Autosweep using XPSConfig.
Last Update: 7/22/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1449256
Password Services and Active Directory Global Catalog support Trigger unexpected behavior
n
Last Update: 7/22/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1188463
Manually uninstall IIS web agent
Provide steps on how to manually uninstall IIS web agent if uninstaller didn't work
Last Update: 7/22/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1904547
About SQL schema in case of Authenticating user.
When is the timing of "AuthAttempt" and "AuthReject" in smaccess.log ?
Last Update: 7/21/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1376291
Is it possible to register "*" in IgnoreURL ACO ?
In ACO parameter IgnoreURL, is it possible to set wild card (*) ?
Last Update: 7/20/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1402307
What is meaning of IPC messages in nohup.out log ?
In nohup.out log, under SPS_INSTALL/proxy-engine/logs directory, many below messages are output.
Last Update: 7/20/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1267465
Sm_AgentApi errors
Information on the causes of Sm_AgentApi errors and what the error codes mean.
Last Update: 7/19/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1829552
What does the error, "You cannot start the Secure Proxy Server as root", mean?
The proxyserver.sh checks to see if the user running the script is the same as root. Use the sps-ctl script as documented in the CA Access Gateway Bookshelf instead.
Last Update: 7/19/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1644143
How to download CA Single Sign-On (formerly SiteMinder) components
Step b step procedure to download CA Single Sign-On (formerly SiteMinder) components from support.ca.com
Last Update: 7/19/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1364894
User AZ Cache in policy server
Information on User AZ Cache registry setting
Last Update: 7/19/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC544401
Invalid Master Key
Installing an r12.52 Policy Server. During the Policy Server Configuration Wizard, when prompted to enter the 'Master Key" the following error: Invalid Master Key! Master Key should have Latin Characters [a-zA-Z0-9_] only.
Last Update: 7/18/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1829014
After Policy Store Import, Legacy Federation Object don't show up
This technote discusses how to fix a issue after importing data in the Policy Store
Last Update: 7/18/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1659722
For the ERP Agent for Siebel, why should we put the library libSmSecurityProvider75.so in the Siebel server bin/ directory
This technote discusses about the needs of putting some libraries in specific directory of the Siebel Server
Last Update: 7/18/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1792347
Identity Mapping with Federation
Is Identity Mapping supported for Federation?
Last Update: 7/18/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1426214
Failed Handshake between Webagent and Policy Server.
What are the reason of a Failed Handshake between Webagent and Policy Server (need to re-register the Agent)
Last Update: 7/18/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC559187
Max Connections at Policy Server in Apache prefork mode.
In use of Apache prefork mode, how much "Max Connections" are needed at least at Policy Server ?
Last Update: 7/15/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1818474
Are SiteMinder logs enable to output as syslog ?
Yes, but only Policy Server Audit log (smaccess.log) is enable.
Last Update: 7/15/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1185574
NAT between Web Agent and the policy server
Since we have not explicitly certified any of the CA SSO component with NAT explicitly, I recommend you to use it after performing sufficient verification of operation.
Last Update: 7/15/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1282269
Failed to create index key errors (i.e. ObjectCalss=xpsKey) on executing xpssweeper command.
Find and remove policy store indexes (i.e. ObjectCalss=xpsKey)
Last Update: 7/14/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1881072
Policy Server crashes while loading JVM for any custom java code on non-Windows.
After applying a CR, the policy server crashes.
Last Update: 7/14/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1238638
XPSExport for Policy Backup
Hello, We need to make changes for policies and in case if I have to roll back my changes what would be the best option to use for XPSExport. Please suggest. Thanks Pradeep M
Last Update: 7/13/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1600301
Signed SP Initiated Request: Signature verification failing at 3rd party IDP
"Can not verify digital signature" error at 3rd party IDP when signature cannot be verified for a signed AuthNRequest or SAMLRequest from CA Federation.
Last Update: 7/13/2016 Size: 82 kb Type: Knowledge Base Articles ID: TEC1525465
XML External Entity Injection(XXE) - Vulnerability for /affwebservices/router/*
XXE Vulnerability for /affwebservices/router/* Affiliate Agent
Last Update: 7/13/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1416553
Audit DB attribute values
Post SiteMinder upgrade from 12.5 to 12.52 SP1 CR04, new attribute values are not getting written in Audit DB. We have updated the new schema also. We are able to see the attribute in the tables but not the values. The historic data is not changed.
Last Update: 7/13/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1458982
Using the User Agent Header in the Proxy Rules.
Does the CA SiteMinder Agent for SharePoint support blocking by the incoming user agent string?
Last Update: 7/13/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1108305
after SPS upgrade to R12.52 CR4, a space character is added to resource URL after a semicolon.
If a semicolon is used in a URL, on a HTTP redirect (302), a “Space” encoded as %25 is added after the semicolon.
Last Update: 7/13/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1924624
"Failed to get session server provider namespace from registry" after after the upgrade of the Policy Server from 12SP3CR11 to 12.52SP01CR04
How to correct "failed to get session server provider namespace from registry" 12.0 SP3 CR11 to 12.52 SP1 CR04
Last Update: 7/12/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1891807
Why is SPS causing reauthentication pop-up to appear as text rather than being executed as javascript ?
Sometimes the my backend application needs reauthentication and so a javascript popup should be displayed in the browser, but instead I see a regular webpage with the javascript contents.
Last Update: 7/12/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1691393
IIS Agent does not serve login forms when Default Application Pool is not running.
The Default Application Pool in IIS is needed to serve siteminder agent pages.
Last Update: 7/12/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1205093
How works the IP Session validation at the Policy Server level ?
This technote discusses about the Session IP validation functionality.
Last Update: 7/12/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1588007
Problem to login with AdminUI - Username and Password is incorrect
After a restart of the Linux box, impossible to login with the AdminUI even after a re-registration - Username and Password is incorrect - due to small amount of entropy.
Last Update: 7/12/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1431348
How do the CA Single Sign On custom sdk API agents get updated agent keys from the doManagement call function?
Just need confirmation on how the custom API agts get updated keys from doManagement call function?
Last Update: 7/12/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1171204
500 error when the target contains ? in a URL
We are receiving 500 error whenever we make a request with the target containing "?" in the URL.
Last Update: 7/12/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1940395
Unable to startup apache server with libsmerrlog.so error
Apache error log return error Cannot load /niceapps/CA/webagent/bin/libmod_sm22.so into server: libsmerrlog.so: cannot open shared object file: No such file or directory
Last Update: 7/12/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1337522
Linux Web Agent configuration wizard unable to detect the IBM IHS(HTTP) server.
Linux Web Agent configuration wizard requires LD_LIBRARY_PATH to include the IBM IHS /lib path to detect the IBM IHS(HTTP) server properly.
Last Update: 7/11/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1277199
How and when you can use Multiple Virtual Hosts each with a different ACO setting.
You are looking to establish the following: Apache -- 2 vhosts -- both pointing to their on ACO -- having their own agent and Policies as well. NOTE: You need to separate the ACO and not just AgentName within 1 ACO.
Last Update: 7/8/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1522023
Checking what the bit level in the IIS Application Pool is set to when the WebAgent on IIS / LLAWP Will Not Start.
Your installing a new Web agent on IIS and have configured it to communicate with your policy server. It will register but the LLAWP process will not start. Your unable to get any logging out of the web agent log files.
Last Update: 7/8/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1525121
Installation of Agent succeeds but Agent does not initialize
Despite successful host registration, IIS starts but not able to service requests.
Last Update: 7/8/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1546878
Using XPSSweeper as an option to fix the AgentInstance@: Object's Globally Unique ID (GUID) has not been set error.
You are probably getting the error [Validate][ERROR] :AgentInstance@: Object's Globally Unique ID (GUID) has not been set because you were not running the XPSSweeper to remove stale policy objects regularly.
Last Update: 7/7/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1041817
Unexpected character encoding before URL hook (?) after siteminder authentication
When accessing a resource containing special char (#) in the URL, this is transformed to %23 during the authentication process. Use ACO Localization = No fix the problem.
Last Update: 7/6/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1921813
SPS running out of memory and restart during load
SPS crashes and restart due to memory usage - unable to create new native thread. This is due to a bad tuning of the SPS : Decrease the max memory from 3340m to 2048m
Last Update: 7/6/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1894177
Time based Auditlog Rollover does not work
smaccess log not rolling over for time based rollover
Last Update: 7/6/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1625128
Question on X.509 Client Certificate Authentication when using an SSL offloader
This article belongs to Q&A category and explains X.509 Client Certificate Scheme requirement/restrinction as well as a solution module to enhance it.
Last Update: 7/6/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1334947
Is there some configuration to record the username in the audit store ?
By default we do store the DN of the user in the audit store (Auth/AZ) events, could we use the username instead ? NO.
Last Update: 7/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1516291
IIS webagent crashes / What should we check to prevent those in the IIS configuration ?
Check the IIS configuration after the installation and especially web.config for preqs.
Last Update: 7/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1390793
When the Policy Server switches from Primary to Secondary Policy Store, does Policy Server bulk fetch against the Secondary Policy Store ?
This technote discusses about the behavior expected when Policy Server does bulk fetch against the Policy Store
Last Update: 7/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1310611
In FSSUI, how does the Policy Option "Search Any Attribute" work?
This technote gives tips on how the Policy option "Search Any Attribute" works.
Last Update: 7/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1831546
Can Cookie Provider request Policy Server for IP validation with the IP present in the session spec ?
This technote discusses a specific behavior of the cookie provider
Last Update: 7/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1980418
Unable to create audit directory when I started the Policy Server
This technote explains and provides guidance to solve a specific error on the Policy Server
Last Update: 7/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1642595
SAML IDP Initiatiation Issue, loop after authentication
During Federation IDP intiated transaction, we get redirected to the /redirect/redirect.jsp
Last Update: 7/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1910717
Secure Proxy Server intermittently reports Noodle_Interupted IOException or Noodle_GenericException.
Noodle_Interupted IOException Noodle_GenericException SPS
Last Update: 7/1/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1234143
User Lookup for Attribute and Name ID Services
Purpose of the field under the SSO and SLO tab
Last Update: 6/27/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1599397
smaccess.log fails to roll over intermittently.
This article explains a defect of audit log (smaccess.log) roll over problem and an information on the fix.
Last Update: 6/27/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1807844
Error message: exception report instance was not successfully created.
reporting server error: fatal failed to execute the next reporting instance event. Error message: exception report instance was not successfully created. Receive this error with every report when r12.52 sp 2
Last Update: 6/24/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1380695
How does Java AgentAPI manage Agent Key and Shared Secret rollover?
This article answers to a questions on custom Agent using Java Agent API: How does Java AgentAPI manage Agent Key and Shared Secret rollover?
Last Update: 6/24/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1288159
request.getRemoteUser() is returning null
Weblogic returns "null" in response to getRemoteUser() call to guard against a security vulnerability – identity spoofing.
Last Update: 6/22/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC529297
Please note that you can always access the full list going to the following link:
CA Single Sign-On - CA Technologies
Feel free to post your questions in the community if you have question about any of these KB article.
Best Regards,
Ujwol Shrestha
Principal Support Engineer
CA Technologies