Hello CA Single Sign-On Community Users,
Please find below the list of the latest Knowledge Base Articles for Single Sign-On (Formerly CA SiteMinder)published or updated since 29th July 2016 for your reference:
While setting up a new policy server and policy store, getting the following error while running XPSDDInstall SmMaster.xdd Save Policy Store ID failed. Unable to initialize the XPS library.
Trying to install a new policy store (CA Directory) When running XPSDD install we are getting errors. Error occurred during "Modify" for xpsParameter=CA.XPS::$PolicyStoreID,ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,O=test", text: Invalid DN syntax
Last Update: 9/7/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1714652
Xpsexport return Segmentation fault
R12SP3 xpsexport return segmentation fault
Last Update: 9/7/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1970106
What is FORMCRED cookie ?
FORMCRED Cookie and it's purpose
Last Update: 9/7/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1028321
Reports are coming blank while we try to download
Siteminder is integrated with ControlMinder.While accessing the reports from the Control Minder, reports can be viewed properly but while downloading the reports blank page is being displayed.
Last Update: 9/6/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1007723
SDK Custom Agent "Error retrying connection"
This technote discusses a specific log line from the SDK Agent.
Last Update: 9/6/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1701094
FWS Agent generates new Siteminder Session Cookie
FWS Agent generates new Siteminder Session Cookie from R12.51 release onwards
Last Update: 9/6/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1766179
What the meaning of each sockets error codes ?
Would you tell me about the meaning of each socket error code ?
Last Update: 9/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1855955
Can't stop AdminUI service properly.
When customer stopped AdminUI service, Windows service manager error as below occured, and can't stop properly.
Last Update: 9/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1319367
Encountered service.bat error.
When customer was about to "service install" command, below error message occured.
Last Update: 9/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1385076
WebAgent reject encoded request contained "%c0".
Although customer set "no" to "DisallowUtf8NonCanonical", WebAgent reject URL encoded query contained "%b".
Last Update: 9/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1378153
In Tomcat environment, SMSESSION cookie is not decode by WebAgent.
In SSO environment launched Tomcat, WebAgent can't decode SMSESSION cookie, because SMSESSION cookie contains double quatation("").
Last Update: 9/5/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1569166
Federation request is failing with Request doesn't contain session ID header error
Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid
Last Update: 9/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1828202
Why Resource Filter is grayed in a OnAuth Rule in the AdminUI ?
This technote discusses about a specific behavior of the AdminUI when modifying an OnAuth Rule.
Last Update: 9/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1640245
Running XPSSweeper on Multiple Policy Servers at the Same Time
This technote discusses if we can more than one XPSSweeper command at time
Last Update: 9/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1710379
SDK Agent shows error java.io.IOException: Connection reset by peer
This technote discusses about a specific error seen during run time.
Last Update: 9/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1202265
ASA Agent 12SP2CR01 WebLogic 12C Download Link
This technote discusses about the link to use to download the ASA Agent
Last Update: 9/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1909761
Policy Server Data Import fails with Failed updating RootConfig Object Error
This technote discusses about limitation in the Policy Store data
Last Update: 9/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1487199
On Federation Transactions, the Policy Server doesn't look in to the right User Store to find the User
This technote discusses a work around about an issue fixed in 12.52
Last Update: 9/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1275204
SPS sends Data "Unknown=17" to APM when a Proxy Rule is fired
This technote discusses about the configuration of the SPS Proxy Rules when integrated with APM.
Last Update: 9/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1097603
SPS is slow to load Certificates at Start Time
This technote discusses about the performances of SPS to deliver the first request when certificates need to be loaded
Last Update: 9/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1720318
Partnership Entity is not visible in drop down when configuring WSFed RP->IP partnership
This knowledge document explains why the Legacy Partnership entity is not showing up, and which SAML Token Types are supported.
Last Update: 9/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1159351
SmRegHost.sh failing for custom agent host registration
SmRegHost.sh fails on Linux when trying to register a custom 64-bit, Pure Java Custom Agent.
Last Update: 9/1/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1810531
IIS :: Web Agent : Multiple ACO.
IIS :: Web Agent : Multiple ACO. Explains enhancement as well.
Last Update: 9/1/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC511371
IdP and SP sharing the Same Domain Name Problem in Federation Journey
This technote discusses about the problem of sharing the same domainname between IdP and SP in Federation Journey
Last Update: 8/31/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1490797
Backslash character ‘\’ (0x5C) in a form can be detected by BadFormChars
If a backslash character [\] is set to BadFormChars, does Web Agent block both of [\] and [%5c] in the form data?
Last Update: 8/31/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1447818
Configuration of Data Source using Oracle RAC Database using SCAN on Linux
This article explains how to Configure Data Source using Oracle RAC Database using SCAN on Linux.
Last Update: 8/31/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1260051
AgentName ACO Parameter Limit
This knowledge document explains why you could reach a limit in AgentName ACO parameter and how to solve it.
Last Update: 8/30/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1685548
Unable to set User Directory using the AdminUI : [Oracle] ORA-12899: value too large for column
Trying to modify a User Directory adding more servers and get an error in the AdminUI. value too large for column "SCHEMA"."SMUSERDIRECTORY5"."SERVER" It is certified to increase the column
Last Update: 8/30/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1250572
How to enable Active Directory Accounts using DMS API ?
Developing application to create accounts in Active Directory using DMS API, by default accounts are created with disabled state. You need to set the UserAccountControl properly.
Last Update: 8/30/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1760612
Web Agent reports error : Error creating semaphore using key 0xc81d247f - No space left on device (28)
Having multiple Apache Instance running with Web Agent on existing server, I cannot start all instances
Last Update: 8/29/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1910693
Daylight Saving Time (DST) Changes on Policy Server and Web Agent Servers
DST changes affecting Policy Server and Web Agent, and actions needed to prepare the change.
Last Update: 8/29/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1051986
Why the Web Agent for IIS installer modifies the web.config httpErrors existingReponse ?
The Web Agent for IIS installer modifies the httpErrors errorMode="Custom" existingResponse="Replace" with existingResponse="PassThrough". This is done to raise error that could happen in the product.
Last Update: 8/29/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1666597
Web Agent is not redirecting properly when using Cookie Provider - Loop between Web Agent and Cookie Provider
When using a Cookie Provider to access resources protected by an Anonymous Auth scheme, the browser loops between the application and the Cookie Provider, and we see the application Web Agent fails to validate the SESSION (IDENTITY coookie).
Last Update: 8/29/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1922588
Can we use relative path in Active Expressions ?
Developing a Custom Active Response that needs to read a property file, the code cannot access the file from a Relative Path
Last Update: 8/29/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1962266
Does SiteMinder 12.52SP1 support SHA-256 for SSL connection to Policy and User Store ?
Yes, Siteminder support SHA2 SHA-256 with 12.52SP1
Last Update: 8/29/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1637999
What is the recommended way to manage policy when there are mixed version of policy servers and adminui?
We are upgrading from 12.50 to 12.51 and currently in mixed mode. What is the recommended way to manage/administer this environment?
Last Update: 8/29/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1987399
CA API Gateway (formerly layer 7) fails to communicate with SiteMinder policy server (in FIPS mode) via the SiteMinder agent SDK.
CA API gateway communication issue with FIPS mode policy server
Last Update: 8/26/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1333249
Which work should be implemented first, upgrade and domain modification?
Since upgrade and domain change are another work, superiority are not decided in order of implementation.
Last Update: 8/26/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1260725
How to Enable SPS logs
How to Enable Secure Proxy Logging to help troubleshoot
Last Update: 8/25/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1528615
Enabling CA Access Gateway (formerly Secure Proxy Server) to send client certificate for authentication to a backend server
Setting up a client certificate for access to backend server in CA Access Gateway
Last Update: 8/25/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1059255
Siteminder administrator audit events in smaccess log
Information on how to log administrator audit events in smacess log
Last Update: 8/25/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1889902
SDK Custom Java Agent not initializing.
JCE patch("Unlimited Strength Jurisdiction") is required for Custom Java Agents
Last Update: 8/25/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1668961
LLAWP process CPU usage goes to 100%+
CPU Spikes to 100%+ after semaphores are removed by RHEL 7.2
Last Update: 8/23/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1235063
Notice for Oracle Java 1.7 & Oracle Java 1.8 Support
What SSO Components are supported with JAVA 1.8 ? What is the plan for SSO components running on JAVA 1.7 when it comes to security fixes ?
Last Update: 8/18/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1525557
FMATTR doesn't work for User Attribute Mapped Experssions
FMATTR prefix for use in printing out multi-value attributes as separate assertion attributes, rather than one carrot (^) delineated single line does not work for User Store Attribute Mapping expressions.
Last Update: 8/18/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1537107
Audit DB assertion validity attributes for non-Fed webagent requests
Some federation specific attribute values are getting updated for non-federated applications
Last Update: 8/17/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1175106
Error parsing an SLO message
When the user does an IDP-initiated Single Logout on saml2slo URL, we get an Error parsing an SLO error.
Last Update: 8/17/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1395119
Is there a security risk by adding .eot file to the IgnoreExt ACO?
EOT stands for Embedded OpenType Font. It allows the fonts used in the creation of a document to travel with that document, ensuring that a user sees documents exactly as the designer intended.
Last Update: 8/17/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1914264
Do you know of a way to verify the version of the RSA ACE Client in use by the Policy Server?
I know we were told CR05 now uses 8.1.3, but I'm curious to know if there is a way to confirm the version (for example, running commands like ldconfig on the lib).
Last Update: 8/16/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1165169
CA Access Gateway (formerly Secure Proxy Server): Commonly Tuned Parameters
How to tune CA Access Gateway (SPS) parameters in order to suit typical production environment processing needs.
Last Update: 8/15/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1929227
Resolving certificate errors for the SPS and Agent for SharePoint Tomcat Proxy.
Receiving a "Certificate for is not trusted or bad certificate" in the Secure Proxy Server/Agent for SharePoint Trace File when connecting to the back-end Server over SSL.
Last Update: 8/12/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1628104
How to resolve the "WSFED_SSO_NO_PROVIDER_ID" error for the Single Sign On Agent for SharePoint 2010/2013
After creating the SharePoint Connection, users are receiving a 403 response and the following error is logged in the Federation.log; No WSFED provider information found for RP
Last Update: 8/11/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1813362
x.509 certificate auth schemes Support for PIV/CAC cards
Does x.509 certificate auth support PIV/CAC cards using a pin code
Last Update: 8/10/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1223417
Http Headers with Special characters are getting URL Encoded Through the SAMLDataPlugin
When using Siteminder as SP ,why the Returned http Headers are getting URL encoded upon Assertion consuption
Last Update: 8/10/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1904612
How is the resolved Cookie Domain determined for a Single Sign On (fka SiteMinder) Agent?
Why are there two SMSESSION cookies created; one for domain A and the other for a subdomain of A.
Last Update: 8/9/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1300426
Steps to Re-register Admin UI
These steps describe the process of re-registering an Admin UI with the Policy server
Last Update: 8/8/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1547349
XPSRegClient and XPSExport failed.
When customer executed XPSRegClient command, below error occured and not execute properly.
Last Update: 8/8/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1990485
authentication check when multiple users are found for authentication
If the password matches either one of them the user can login. Is this technically correct behavior?
Last Update: 8/3/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1575144
Federation suddenly fails and no assertion being generated. FWSTrace.log shows SAML2Response=NO.
How to troubleshoot SAML2Response=NO
Last Update: 8/3/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1790565
Restart Policy Server when you update sm.registry file.
This article explains the required restart of Policy Server when changing value in sm.registry on Linux.
Last Update: 8/3/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1696518
Manually uninstall IIS web agent
Provide steps on how to manually uninstall IIS web agent if uninstaller didn't work
Last Update: 8/3/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1904547
Policy Server fails to locate certificate in smkeydatabase
Policy Server failed to locate the certificate due to the special character or ASCII character in the issuer DN
Last Update: 8/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1178062
Saving user login credentials
Explain how to setup form authentication with the option to have credentials saved for future use and how this feature works
Last Update: 8/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1098721
Request through SPS is not advancing as backend IIS returns status code of 301
Request through SPS is not advancing as backend IIS returns status code of 301rr
Last Update: 8/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1040125
What is the /config/XPS.cfg file used for?
Whenever the XPSConfig utility is used to make any changes to the default settings, these changes are stored in the XPS.cfg file. The file itself should only be created and modified by the XPSConfig utility.
Last Update: 8/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1607105
What does this error mean, SmServerConnection, connect, Exception calling TCP transport connect: java.nio.channels.UnresolvedAddressException?
The exception occurs when the address being used to connect to is unresolvable. In this case the Policy Server address. It could be an invalid IP address, an unresolvable hostname or a typo in the address.
Last Update: 8/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1233665
Getting "No Private key of Certificate chain received from policy server" in the SiteMinder logs when attempting to create SAML 1.1 artifact.
SAML 1.1 Artifact Failure
Last Update: 8/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1646668
Custom agent periodically crashing when making various Agent API calls.
Custom agent crashing
Last Update: 8/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1744713
Time-out in Federation
The timeout values in Federation are only used if Delegated Authentication is in used.
Last Update: 8/2/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1463162
What Encryption Scheme, Padding Scheme and Block cipher modes of operation are used in partnership federation in Single Sign-On ?
XML Encryption is to be used in the specification of SAML2.0 used in a partnership federation.
Last Update: 8/2/2016 Size: 82 kb Type: Knowledge Base Articles ID: TEC1857012
How to correct this error message, "Syntax error on line 975 of /opt/IBM/HTTPServer/conf/httpd.conf: Invalid command 'SSLOptions"
Syntax error on line 975 of /opt/IBM/HTTPServer/conf/httpd.conf: Invalid command 'SSLOptions', perhaps misspelled or defined by a module not included in the server configuration
Last Update: 8/1/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1234981
How to correct the error message, “Syntax error on line 974 of /opt/IBM/HTTPServer/conf/httpd.conf: SSL0331W: Invalid argument for SSLClientAuth: require".
“Syntax error on line 974 of /opt/IBM/HTTPServer/conf/httpd.conf: SSL0331W: Invalid argument for SSLClientAuth: require (null). The 1st value must be 0, 1, 2, none, optional, required, or required_reset”
Last Update: 8/1/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1639554
Configuring Cert and Form authentication scheme using the Web Agent configuration wizard does not throw an error, however the scheme does not work.
CA Single Sign-On Web Agent for Apache on IBM IHS(HTTP) server Cert and Form auth scheme does not work.
Last Update: 8/1/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1923838
Configuring specific authenticatipon schemes on the Web Agent on an Oracle HTTP Server requires specific SSLVerifyClient settings.
Change the value of the SSLVerifyClient directive from within the httpd.conf used by the Oracle HTTP Server to the necessary value: a. SSLVerifyClient optional b. SSLVerifyClient required
Last Update: 8/1/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1563022
Changing the IP address Impact on Agent and Policy server
Will changing the IP address on the Agent or Policy server Impact the Trust relation
Last Update: 7/29/2016 Size: 83 kb Type: Knowledge Base Articles ID: TEC1847543
Please note that you can always access the full list going to the following link:
CA Single Sign-On - CA Technologies
Feel free to post your questions in the community if you have question about any of these KB article.
Best Regards,
Ujwol Shrestha
Principal Support Engineer
CA Technologies