| CA Technologies |
2.3 ACM--FIPS 140-2 Encryption
2.4 Integration with CA Service Desk and CMDB
2.6 Multi-tenancy does not Support SSL or HTTPS
2.7 CA Configuration Automation - CA Catalyst Connector Events
2.8 CA Business Intelligence(CABI) 3.3 SP1 Patch is Available to Resolve Reporting Issues
2.9 Processor Logical Count Field Displays the Number of Virtual Processors
2.10 Reporting and CMDB Integration Require Microsoft SQL Native Client on OLE Databases
2.11 Unregistering CA Configuration Automation from CA EEM when Uninstalling
2.12 X.509 Certificate Support for CA EEM r12
3.0 Bugs Fixed in Current Release
4.1 Access Profiles Using SSH Fail to Discover Windows 2008 Servers
4.2 Agent-based Discovery and SSH-based Discovery do not Always Return the Same Data
4.3 Agent Installation Fails Because of Unknown User Name or Bad Password
4.4 Agent Installation Fails on Windows and Displays a Visual C++ Error
4.5 Agent Installer does not Display a Scroll Bar
4.6 Browser Controls Display the User Interface Captions Based on the Operating System Locale
4.7 CABI Reporting Limitations
4.8 CA Configuration Automation 12.8 Upgrade Limitation
4.9 CABI Java Certificate Expires on September 8 2013
4.10 CA EEM r12 Displays Error Messages During Installation
4.11 CA Spectrum Blueprints Require Modifications to the sudoes File for SSH Discovery
4.12 CA Catalyst Server and CA Catalyst Container Installation Limitation
4.13 CA Catalyst Container not Compatible with Windows 2012 Server
4.14 CA Configuration Automation Server Time and the Browser Machine Time must be in Sync
4.16 CA Configuration Automation Does not Integrate with CA EEM r12 if FIPS is Enabled
4.17 Certain Reports Require NDG Discovery Before Report is Run
4.18 Checksum Values Can Impact Change Detection Results
4.19 CIs are not Exported Completely to CA CMDB on a Japanese Environment
4.20 Configuration Parameters that Include Non-English Characters May Not Be Displayed Properly
4.21 Configure Windows Domain Account Access for SQL Server Component Blueprint
4.23 Context Launch is not Supported for Virtual Servers
4.24 Crystal Reports Viewer Prompts for Data Entry when Refreshed
4.26 Dashboard Errors Appear if Flash is not Install on Internet Explorer
4.28 Discovery of Databases Requires JDBC Drivers
4.29 Discovery of EMC Symmetrix and CLARiiON Storage Systems Fails
4.30 Display Issues with the Localized Reports
4.31 Error Appears During the Solaris Server Discovery with a sudo Account
4.32 Fatal Error Message Appears During BusinessObjects Installation
4.33 Filters are not Working on Localized Data using Oracle
4.35 Installing CA Configuration Automation Server on Linux Requires Manual Import of Reports
4.37 java.lang.StackOverflowError Message Appears
4.38 License Agreement Text does not Display Correctly
4.39 Linux and UNIX Servers Require that PasswordAuthentication is Enabled for SSH Access
4.40 Linux Guest VMs are not Discovered on Hyper-V Host VMs
4.41 Linux or Solaris CA Configuration Automation Server Install Error Message
4.42 Locate Agents and SSH Does Not Find Secure Agents
4.43 Macro Execution Disabled with SSH Access Mode
4.44 Named SQL Server Instance Does not Work with Non-default Port
4.45 NDG Must be Installed to an ASCII Path
4.46 No Details Display for Indirect Relationships
4.47 Only ASCII Strings are Supported as SNMP Parameters
4.48 Oracle Databases Require Unicode for Multilingual Environments
4.50 Password Values Are Not Migrated Properly From CA Cohesion ACM to CA Configuration Automation
4.51 Remote Agent Installation Fails if Operating System is set to "Linux or UNIX"
4.52 Report Fails when More than 1000 Filter Entries are Used
4.53 Rule Compliance (Server) Reports do not Include Element In Context Results in a Column
4.54 Rule Definitions Reports do not Display Data Type Rules
4.55 SSH, Telnet , and WMI Discovery Limitations
4.56 Stop Discovery May Not be Initiated or be Delayed
4.57 system_user Owns Certain CA Configuration Automation Server Operations and Content
4.58 Telnet Discovery Fails on Windows Servers
4.60 Unicode Characters in Agent cert Password are not Supported
4.62 Unable to Log in to CA Configuration Automation Server after an Upgrade to 12.8
4.63 Unable to Run the ccautil SDK Utility in Secure Mode
5.0 Troubleshooting Client Authentication
5.1 Client Authentication is not Supported with the CA EEM SDK
5.2 Enable Client Authentication is not Supported
5.3 Unable to Connect to CCA Server with HTTPS Connection Using Mozilla Firefox Browser
5.4 Unable to Log in to CA Configuration Automation
5.6 Unable to View CA Configuration Automation User Interface After I Select a Certificate
5.8 User Authentication Fails and Displays EE_AUTHFAILED Authentication Failed Error
5.9 User Authentication Fails and Displays EE_POZERROR Repository Error
The Readme contains issues and other information discovered after publication. For important information about new or changed features, and information to help you implement the product, see the Release Notes.
For the latest version of this readme file, visit http://ca.com/support. Expand Technical Support in the left pane, then click Enterprise, and log in to CA Support Online after the page refreshes. After you log in, select Documentation from the left pane, then select product, release, and language from the drop-down menus and click Go. All documents for the release are listed and available for download.
This section contains information about general CA Configuration Automation product behavior and known issues.
CA Configuration Automation r12.8 SP01 is certified for Oracle 11g ASM environments on the following platforms:
Oracle Database 11g (11.2.0.1) available on ASM Cluster Configuration with Oracle RAC
Oracle Database 11g (11.2.0.1) available on standalone ASM
By default the Apache Tomcat Server accepts all the SSL ciphers. (Optional) To handle the data security during the client-server communication in a secure mode, you can disable the weak SSL ciphers.
To disable the weak SSL ciphers, update the server.xml file. The server.xml file is available at the following location:
%CCA_INSTALLATION_DIR%\tomcat\conf\
To update the server.xml file, follow these steps:
For example:
ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Note: You can add or remove ciphers in the server.xml file. Only the ciphers that are added in the server.xml file are accepted and the remaining ciphers are disabled.
In case of CA Configuration Automation Server Upgrade, please backup ciphers attribute from server.xml before upgrade and add same to server.xml after upgrade to disable weak SSL Ciphers.
CA Configuration Automation supports Federal Information Processing Standards (FIPS) 140-2 encryption.
FIPS 140-2 publication is a security standard for the cryptographic libraries and algorithms a product should use for encryption. FIPS 140-2 encryption affects the communication of all sensitive data between components of CA products and third-party products. FIPS 140-2 specifies the requirements for using cryptographic algorithms within a security system protecting sensitive, unclassified data.
CA Configuration Automation uses the Advanced Encryption Standard (AES) adapted by the US government. CA Configuration Automation incorporates the RSA BSAFE SSL-J version 5.1.1 and Crypto-C ME v2.0 cryptographic libraries, which have been validated as meeting the FIPS 140-2 Security Requirements for Cryptographic Modules on all supported server and agent platforms except the Solaris on Intel agent platform. The Solaris on Intel agent platform uses AES, but does not use the validated cryptographic libraries.
The integration of Configuration Automation and the CMDB component of CA ServiceDesk can be implemented in the following ways:
Catalyst and the CCA connector is the recommended method for integrating the two products. Additionally, CA Catalyst is the foundation for integrating other CA products.
The Japanese language image in this release provides localized versions of CA Configuration Automation and all related components.
SSL and HTTPS are not supported for either the Master or Tenant instance of the CA Configuration Automation Server.
If events are enabled after data is created in CA Configuration Automation, use CA Catalyst jobs to push existing servers, services, and components to CA Catalyst.
CABI 3.3 SP1 patch is equivalent to SAP BOXI 3.1 SP6 patch. Download the CABI 3.3 SP1 patch from the following site:
ftp://ftpstage.ca.com/CAproducts/CABI/CABI-3.x/boeXIR3_SP6/Windows/
You can install the CABI 3.3 SP1 patch on the Windows machine with the following CABI releases:
Note: For more information about the new features and bug fixes, and how to install CA Business Intelligence, see the xi31_sp6_whats_new_en documents, and CABI 3.3 SP1 Release Notes respectively.
The Server Details, Hardware page displays details about the hardware on which the selected server runs.
Due to limitations of the information available for WMI access to virtual machines running Windows operating systems, the Processor Logical Count field shows the number of virtual processors. It does not consider the number of cores per processor or hyper-threading capability of the processors.
If you use an OLE DB while importing the BIAR file (as described in Appendix A of the CA CMDB r12.5 and CA ACM r12 Integration Guide), you must have the Microsoft SQL Native Client (SQLNCLI) installed on the computer where you have CA Business Intelligence installed.
Microsoft Knowledge Base Article 910016 recommends using Microsoft SQL Native Client which includes OLEDB and ODBC connectivity. BusinessObjects Enterprise (included in CA Business Intelligence) follows Microsoft's recommendation to configure OLEDB connectivity for SQL Server 2005 and SQL Server 2008 to use SQLNCLI.
The following link is to the knowledge base article: http://support.microsoft.com/kb/910016.
Continue to use the instructions in Appendix A of the CA CMDB r12.5 and CA ACM r12 Integration Guide to import the BIAR file, but do not perform the procedure described in the Modify the oledb.sbo File section with this version of CA Configuration Automation.
When uninstalling CA Configuration Automation you have the option of unregistering CA Configuration Automation from CA EEM.
Note: If you are uninstalling CA EEM, you must unregister all applications (including CA Configuration Automation) before running the uninstall program. Refer to the CA EEM documentation for more details. The CA EEM documentation is available on the CA Configuration Automation distribution media in the \dvd1\EEM folder. Open the Documentation.hta file to access the documentation bookshelf.
CCA supports client authentication using X.509 certificate. Before you configure X.509 certificate authentication, ensure that the following prerequisites have been met:
In general, perform the following steps to configure CA Configuration Automation to use X.509 certificates:
For more information about security certificates, see Creating and Managing Security Certificates in the Product Guide or online help.
You can also configure X.509 certificate security using the CCA SDK. For more information, see the SDK Support for Client Authentication using X.509 Certificates section in the Product Guide, or Online help.
Test PTF Problem Descriptions of support issues for which fix is available in current release.
Test PTF ID: T5IE191
NDG discovery does not discover Solaris local zones having duplicate IP's within one Global Zone. Currently NDG discovers Solaris local zones which has exclusive IP's i.e. no duplicate within one Global Zone with respect to IP or MAC address.
NDG discovery does not discover Processor, Memory and BIOS details related to Xen Linux Guests.
NDG discovery of Microsoft Hyper-V 2012 platform does not show host-guest relationships.
Oracle Database 10g/11g blueprint currently discovers Oracle Database Server but not the database instances of it. However these blueprints allow to manage database data as well as configuration data of any one database instance as part of its given database name and user credentials. Also there is no concrete mechanism available now to manage different database instances in an Oracle Database Server.
Limitations Of NDG Discovery
Non soft agent discovery on a non-global zone server(s) will delete the existing IP aliases discovered by the earlier soft agent discovery since the adapter will not have any MACaddress and are bound to update with newer values.
Most of the hardware details like Processor, Memory, BIOS, etc. won't be available because the commands like prtdiag, csmbios, etc do not work on non-global zones.
A new server will be created in CCA for the same IP address for which the existing servers either does not match on hostname or MAC address with the current discovered information.
Test PTF ID: T5JZ252
NDG soft agent commands are failing during discovery. problem is due to these soft agent commands path is not set properly in the PATH variable which thus results in the command failure.
Test PTF ID: T51T024
Incorrect Authentication summary in NDG Log tab for VCenter 5.1
Test PTF ID: T51T025
Export a selection of servers and then importing the same into a Network Profile results in error.
Security Vulnerabilities issues related to Apache Tomcat Server accepting all the SSL ciphers which is embedded with in CCA Server.
Test PTF ID: T51T028
When viewing the network profiles, sorting on Credental Vault does not sort as expected.
Test PTF ID: T51T029
Restrict Discovery to Target Servers for Communication Relationships option doesn't work as expected.
Test PTF ID: T51T033
Sorting on Credential Vault Profile does not work when set "Use Default" value.
Filter does not work when set Use Default or empty string for Credential Vault Profile.
Test PTF ID: T51T039
Key size of CCA Security Certificates need to be updated to produce 2048 bit length when generated.
Test PTF ID: T5JZ255
Virtual machine having removable device CDROM when discovered via NDG adds a single quote in CDROM device name. If this VM is exported to CMDB the export fails.
If CA Configuration Automation tries to discover a Windows 2008 Server that uses copSSH, the discovery will either time out or fail with a message similar to the following displayed on the Log tab page:
CCA-DIS-8518: Discovery failed on Server "factotum.ca.com" Error message=com.ca.acm.server.discovery.common. ServerAccessException: com.ca.acm.server.discovery.common.ServerAccessException: com.maverick.ssh.SshException: com.maverick.ssh.SshException
Agent-based discovery and SSH-based discovery do not always return the same data format because they may be using different methods to obtain the data. Compare or Change Detection operations between the two sets of data may return differences as the data is formatted differently.
When remotely installing an agent from the CA Configuration Automation Server UI, the user account specified in the access profile must be a valid user on both the Grid Node host and the remote server where the agent is being installed.
Additionally, the following requirements must be met for different user types defined in an access profile:
When installing a 32- or 64-bit agent on computers using Windows operating systems, the following Windows error message appears:
Microsoft Visual C++ 2010 (x64 or x86) Redistributable Setup Error
Installation Did Not Succeed
Microsoft Visual C++ 2010 (x64 or x86) Redistributable failed to install with the error: 2146762485
This error is caused by a previously installed Microsoft Patch, and can be resolved by registering a set of files.
To register the Softpub.dll, Wintrust.dll, Initpki.dll, and Mssip32.dll files:
A command window appears.
For additional information, see http://support.microsoft.com/kb/956702.
The CA Configuration Automation Agent installation program does not display a scroll bar on some screens when the text exceeds the number of characters a field can display.
CA Configuration Automation Server uses browser controls to display confirmation, alert, and file upload dialogs in the user interface. The browser controls depend on the operating system locale not the language settings of the browser. For example, when you set English as the browser language on a Japanese operating system, the browser controls displays Japanese characters in the CA Configuration Automation Server user interface.
The CABI reporting functionality has the following limitations:
After you upgrade to CA Configuration Automation 12.8, you cannot view the crystal report instances that are created before the upgrade. This limitation is due to the SAP bug# 0000864035 2013.
Before you upgrade to CA Configuration Automation 12.8, follow these steps to save the crystal reports instances:
The Report Templates page appears.
The Crystal reports are saved to your local disk. Now, you can view and analyze the crystal reports off-line.
The AG Java certificate for the following CABI versions will expire on September 8 2013:
If you run the Java 1.6 update 45 or newer version, the following options are selected by default in the Java Report panel:
Depending on the CABI version that is installed on your machine, a popup message appears.
To avoid the CABI Java Certificate error, follow these steps:
The following error messages can appear when installing EEM Server r12 (64 bit) on Windows Server 2008:
The following errors appear because the CA directory is locked by another installed application:
To avoid this issue, specify a path instead of using the default path.
To solve the Fail to perform upgrade checks No previous installation of EIAM found error, perform the following steps:
C:\Program Files\CA\SC\
The following CA Spectrum blueprints require you to edit the /etc/sudoers file for successful discovery using the SSH Access profile:
These blueprints contain configuration parameters and executables that use the sudo command in their scripts. Running these scripts remotely requires you to comment out the requiretty entry in the /etc/sudoers file as follows:
#Defaults requiretty
The remote installation of the CA Catalyst Container or CA Catalyst Server from the CCA installer fails with errors. To install the CA Catalyst Server or Container successfully, do one of the following:
The CA Catalyst Container is not compatible with Windows 2012. To install the CA Catalyst Container on Windows 2012, use the Windows 7 or Windows 2008 compatibility mode, and point it to CA Catalyst Server installed on a supported version of Windows.
To make the CA Catalyst Container compatible with Windows 2012 server, follow these steps:
The CA Catalyst installation or setup now runs as the system is in the compatibility mode.
The CA Configuration Automation Server time and the browser machine time must be in synch to avoid any job scheduling errors. The CA Configuration Automation Server and browser machine can be in different time zones.
After you upgrade the CA Configuration Automation Server from 12.5 sp02 (Patch 3 build) to 12.8, the Server Properties blueprint is duplicated as follows:
Delete the Server Properties (Japanese) blueprint from the upgraded CA Configuration Automation Server.
To delete the Blueprint
The blueprint is deleted.
CA Configuration Automation r12.8 does not work with CA EEM r12 if FIPS mode is enabled.
To avoid this, set the FIPSMode parameter to off in the igateway configuration file located in the CA EEM installation directory %SC%\iTechnology\ as follows:
<FIPSMode>off</FIPSMode>
Note: %SC% represents the Shared Components directory, typically C:\Program Files\CA\SC (Windows).
Some reports (for example, Application Inventory) use data obtained from an NDG discovery to populate the report results. Before running an NDG report, ensure the corresponding NDG data is available in the CA Configuration Automation.
CA Configuration Automation uses cyclic redundancy check (CRC) checksums for the following purposes:
A problem was identified in CA Configuration Automation r12.5. SP02 with CRC checksum values, where there is a difference in checksum values calculated on systems with different locales if the data on which the checksum is calculated has non-English data.
This is resolved in r12.6, but the update cannot resolve the problem with pre-existing, non-English data. This results in differences when change detection is run against discovered data collected before the update and discovered data after applying the update in a non-English environment.
The affected areas are as follows:
When you export data from CA Configuration Automation to CA CMDB using a BusinessObjects reports server on a Japanese environment, CIs are not exported completely because the generated cmdb_export.xml file is not in UTF-8 encoding format.
Do the following to export the CIs completely:
The cmdb_export.xml file gets generated.
GRLoader -s http://<ServiceDeskHostname>:<ServiceDeskPort> -u <Username> -p <password> -i <location of the export report>-tf <location of translation file> -n -a -N <Location of Nx.env> -E
The CIs are exported completely to CA CMDB on a Japanese environment.
Configuration parameters that include non-English characters may not be displayed properly. To display the non-English characters, increase the fileget.encoding.detector.retries property value, and refresh the server.
Follow these steps:
The Properties page appears.
Note: The default value of the fileget.encoding.detector.retries property is 3.
The configuration parameters now display the non-English characters.
CA Configuration Automation Agent supports the functionality for discovering and acquiring configuration data for SQL Server component blueprint by using the domain account access. For SSH discovery to support domain account access, the following configuration changes are required in CCA Server and CCA Grid Node:
Note: jTDS is an open source 100 percent pure Java (type 4) JDBC 3.0 driver for Microsoft SQL Server (6.5, 7, 2000 and 2005) and Sybase (10, 11, 12, and 15)
Important! A CA Configuration Automation Agent running on Linux or UNIX cannot communicate to Microsoft SQL Server running on a Windows host. You cannot access Microsoft SQL Server using domain credentials with the Microsoft JDBC driver. You must add a domain user in SQL Server for SSH and CA Configuration Automation Agent to support domain account access.
A security certificate is required to display CA EEM within the context of CA Configuration Automation. The CA EEM installation program creates the required security certificate using an unqualified host name.
The CA Configuration Automation Server installation program prompts you for the EEM Server name in the CA Embedded Entitlements Manager Configuration screen. By default, the installation program populates the EEM Server Name field with the unqualified name of the local host (that is, the computer where CA Configuration Automation Server is being installed). The CA Configuration Automation Server stores this default name—or whatever you enter—in the Properties table on the Configuration tab page. If this entry does not match the EEM Server name used in the security certificate, the error message appears when you attempt to access the Access Management tab page.
For more information, see the Install the CA EEM Security Certificate and Configure the EEM Host Property topic in the CA Configuration Automation online help or the Product Guide.
The CA Configuration Automation Product Guide and online help incorrectly state that you can construct a URL to launch the CA Configuration Automation Server UI using the type=sv parameter to specify the server virtualization type. This parameter is not supported.
Reports generated using the Crystal Report format appear in the Crystal Report viewer. The buttons and options displayed in the viewer are features provided by the BusinessObjects XI Crystal Reports viewer.
If you click Refresh in the report viewer, you are prompted to reenter values for the refresh operation. This is because CA Configuration Automation reports have their values set by CA Configuration Automation initially.
You can avoid this behavior by regenerating the report from CA Configuration Automation instead of using the Refresh button in the Crystal Reports viewer.
The following error occurs when you use the Mozilla Firefox 15.0.1 browser to open the Access Management tab from the Administration link: Error: This Connection is Untrusted Error code: sec_error_ca_cert_invalid.
Follow these steps:
The EEM Server page is displayed.
The Access Management content is displayed.
If you open the CA Configuration Automation Dashboards panel using Internet Explorer without Adobe Flash installed, a series of error messages appear. You must install Adobe Flash to avoid these errors.
The CA Configuration Automation installation media includes CA EEM r12 CR01. If you have already installed a version of CA EEM prior to r8.4 SP3, you must reset the password of the default CA Configuration Automation administrator user (by default, ccaadmin) configured during the CA Configuration Automation Server installation, before it can be used.
Reset the password using the CA EEM UI.
Component discovery and refresh operations using SSH or WMI access modes require the appropriate JDBC driver to discover or refresh database software. If the driver is not downloaded and installed, a message similar to the following one appears and the discovery or refresh operation fails:
ACM-DIS-8577: Discovery of component blueprint "PostgreSQL (UNIX)" on server "sun029mnz.ca.com" requires the JDBC driver "org.postgresql.Driver". Please install this driver.
You can download the drivers from the following locations:
|
Database |
Download Location |
|
DB2 |
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-idsdjs |
|
Sybase |
|
|
MYSQL |
|
|
Postgres |
The downloaded JAR file must be copied to the following location on the CA Configuration Automation Server:
<CCA_Server_Installation_Directory>\tomcat\webapps\ROOT\WEB-INF\lib
NDG uses the EMC SMI-S provider to discover EMC Symmetrix and CLARiiON storage systems. If a newly provisioned LUN in these storage systems is not discovered by NDG, manually run the refsys command from the SMI-S command line to refresh the SMI-S provider.
Localized reports have the following display issues:
Perform the following tasks to solve the display issues:
C:\Windows\Fonts
<FONT NAME="Arial Unicode MS">
<FONTFAMILY PLATFORM="ttf" NAME="Arial Unicode MS">
<FONTATTRIBUTE BOLD="false" ITALIC="false" LOGICAL="Arial Unicode MS"
PHYSICAL="ARIALUNI.TTF"/>
</FONTFAMILY>
<FONTFAMILY PLATFORM="win" NAME="Arial Unicode MS"/>
<FONTFAMILY PLATFORM="java" NAME=" 'Arial Unicode MS', 'Arial Unicode MS'"/>
<FONTFAMILY PLATFORM="html" NAME=" 'Arial Unicode MS', 'Arial Unicode MS'"/>
</FONT>
The fontalias.xml file is located in the <BusinessObjectsInstallationPath>\BusinessObjects Enterprise 12.0\win32_x86\fonts folder.
While performing discovery on the Solaris server with sudo account, the following error occurs:
com.maverick.ssh.SshException: pipe failed: Too many open files
This error is due to the limits set for the file descriptors in Solaris. To set the file descriptor limits, add the following command in the /etc/system file, and then restart the Solaris server.
set rlim_fd_max=65536
set rlim_fd_cur=65536
Note: For more information about the Solaris file descriptor settings, see the Oracle documentation.
To install the BusinessObjects reporting functionality contained in CA Business Intelligence, you need 12.5 GB of disk space to install the base product plus patches to the base product. If you have enough space to install the base product (5.6 GB) but less than the required 12.5 GB, a Fatal Error message appears when the patch installation runs out of disk space.
After you close the error message, the installation appears to continue without failing.
To view details about details about the installation failure and reinstall
The file is located in the following location:
<install_directory>\BusinessObjects Enterprise 12.0\Logging
If you accepted the default installation directory, the file is located in the following location:
C:\Program Files\CA\SharedComponents\CommonReporting3\BusinessObjects Enterprise 12.0\Logging.
When you use Oracle to create management profiles with localized data and apply filters on any field, the localized profiles are not created.
There is a known Firefox issue where Firefox 3.6.13 displays the following error message when some users log in to the CA Configuration Automation Server:
500 The call failed on the server; see server log for details
The solution to this issue is to use a different browser, or a more recent, uncertified version of Firefox.
When installing CA Configuration Automation Server on 32-bit or 64-bit Linux servers, reports cannot be imported into the BusinessObjects reports server. The installation completes without an error message appearing, but the following error message is added to the install_debug.log file when the installation program attempts to connect to the BusinessObjects reports server:
BOXI connection successful.
Importing biar file complete: exitcode=255
importBiar: stdout:
Starting the reporting deploy utility
Error finding configuration file: ["/tmp/install.dir.5818/biar_import.xml"]
Importing Business Objects Complete.
BusinessObjects includes a utility called BIConfig for manually importing reports into BusinessObjects that you must use before generating reports from your Linux CA Configuration Automation Server host.
Note:
Run the biconfig utility to import CCA Reports into BusinessObjects
This username and password were entered during the CA Configuration Automation Server installation in the database configuration screen. The database password is not included in the file for security reasons.
By default, the cca_biar_import.xml file is located in the following location:
biconfig -h "<host>" [-n "CA Portal"] -u "<user>" [-p "<password>"] [-s "<security>"] -f "<XML-config-file-name>" | -x "XML-config-string>" [-i[f] "<BIAR-file-path>"] [--help]
Specifies the BusinessObjects CMS host.
Specifies the BusinessObjects CMS port.
Defaults: 6400
Specifies the BusinessObjects CMS user.
Specifies the BusinessObjects CMS password for the specified user.
Default: blank (that is, an empty string)
Specifies the BusinessObjects Security.
Default: secEnterprise
Specifies the BIAR file name or absolute path (the biconfig folder is used to search for the configuration file if only the file name is specified).
By default, the CCA_r12.biar file is located in the following location:
Specifies the xml configuration file name or absolute path. If <XML-config-string> is not passed, then <XML-config-file-name> is required (the biconfig folder is used to search for the configuration file if only the file name is specified).
By default, the cca_biar_import.xml file is located in the following location:
Specifies the xml configuration string. If <XML-config-file-name> is not specified, <XML-config-string> must be passed.
Note: All double quotes in the <XML-config-string> must be replaced with "\"" before passed in.
Imports the BIAR file first, followed by the rest of configuration.
Imports the BIAR file at the end.
Displays the command's help page. Use this options without any other arguments.
Examples:
biconfig -h "boxisys1" -u "administrator" -f "c:/myscripts/addusers.xml"
biconfig -h "boxisys1" -u "administrator" -if "c:/biar/test.biar" -f "c:/myscripts/setmembership.xml"
biconfig -h "boxisys1" -u "administrator" -i "c:/biar/test.biar" -f "c:/myscripts/setschedules.xml"
Note: The double quotes in the string are escaped with a "\" and the whole string is double quoted.
biconfig -h "boxisys1" -n "6500" -u "administrator" -p "confidential" -s "secEnterprise" -x "<?xml version=\"1.0\"?> <biconfig version=\"1.0\"> <step priority=\"1\"> <add> <biar-file name=\"my.biar\"> <networklayer>ODBC</networklayer> <rdms>MS SQL Server 2005</rdms> <username>user</username> <password>password</password> <datasource>mySystemDSN</datasource><server>myserver</server> </biar-file> </add> </step> <step priority=\"2\"><replace> <refresh-folder-reports> <path>CA Reports/myReportFolder</path> <type>crystalreport</type> </refresh-folder-reports> </replace> </step> </biconfig>"
The output messages for the BIConfig utility are displayed to the console window.
Importing the blueprints from CA Configuration Automation r12.8.SP01 to older CA Configuration Automation versions encrypts the default values when the corresponding Visibility value is set to Hide Value.
The default values are encrypted because the older versions of CA Configuration Automation do not handle the masking of the default value set to Hide Value.
If you use bulk SDK client API methods, they may fail and display the following message:
java.lang.StackOverflowError.
To avoid this issue, increase the native stack size using the following JVM option to increase the stack size to two megabytes:
>java -Xss2m
If the issue persists, increase the native stack size to a higher value until the error message does not appear.
When installing CCA Server, CCA Grid Node, or CA Configuration Automation Agent on UNIX or Linux platforms using the Japanese installers in console mode, the license agreement text may not display correctly. This happens when the environment is running a locale that is not using the correct encoding.
To display the license text correctly, you must set the environment to use a locale that uses one of the following encodings:
All Linux and UNIX servers configured for NDG discovery using SSH access require that the PasswordAuthentication configuration option is set to yes in the file /etc/ssh/sshd_config file on each Linux and UNIX server.
Discovery operations using Network Discovery Gateway Soft Agent methodology cannot discover Linux guest VMs on Hyper-V host VMs. This is a limitation of how Hyper-V communicates with its guests using Integration Service as a data exchange service. The Integration Services for Linux do not support data exchange service.
For more information see http://technet.microsoft.com/en-us/library/cc794868(WS.10).aspx or search technet.microsoft.com for the document About Virtual Machines and Guest Operating Systems.
When you run the CA Configuration Automation Server installer on Linux or Solaris platforms, one of the following error messages appear when you click the Run the CA Configuration Automation Server Installation Wizard link, or execute the./setupsolaris.bin or setuplinux.bin command:
This error message appears because your local web browser—which is used by the installation program—is using an older version of Mozilla GTK. Update your browser to a more recent version that includes Mozilla GTK2.
The Locate Agents and SSH functionality (available from the Select Actions drop-down list on the Servers tab page) does not find CA Configuration Automation Agents that are secured by an agent certificate. It only locates unsecured agents.
Macro execution is disabled with SSH Access Mode, because macros are used in remediation tasks. As remediation is not supported through SSH, macros are also disabled with SSH access mode.
When the CCA Server is using a named SQL Server instance, the BusinessObjects server cannot communicate if it uses a non‑default port for the named instance.
You must create a new DSN connection under SYSTEM DSN on the BusinessObjects host server to connect to the SQL Server named instance. The name of the SYSTEM DSN must be the same as the database name (specified in the BusinessObjects connection parameters ex.cca).
Testing has shown potential for issues in the Packet Analysis engine if NDG is installed to a non-ASCII path.
In the Graph View, Service Profiles typically display relationship details when you place you cursor over the line that represents the relationship. There is a limitation with the third-party software CA Configuration Automation uses to generate graph views: it does not show details for indirect relationships.
Indirect relationships are relationships from a node to a child node of another node.
Based on RFC 1157 (http://www.ietf.org/rfc/rfc1157.txt), CA Configuration Automation only supports ASCII strings as SNMP parameters.
If you are using an Oracle database in a multilingual environment, you must configure it to use the Unicode (AL32UTF8) character set.
Refer to the Oracle documentation for information about setting the NLS_CHARACTERSET parameter.
Oracle 10g Database Instance(Unix) v10.* r1.0.0 and Oracle 11g Database Instance (UNIX) v11.* r1.0.0 blueprints discover the database instances only if the database is created using Database Configuration Assistant (DBCA).
When we create a database using DBCA, the oratab file is generated. CA Configuration Automation uses the entries of the database instances in the oratab file to discover the database instances.
When you migrate data from CA Cohesion ACM to CA Configuration Automation, passwords with encrypted parameter values may not migrate correctly, or the migrated passwords may remain encrypted.
You cannot install CA Configuration Automation Agents remotely on Linux servers that have been assigned an operating system of "Linux or UNIX" by a discovery operation. If you attempt to perform a remote agent install under this circumstance, the following message appears:
CCA-RI-1413:Remote Agent Install Failed.
OS Platform not supported by remote agent installation.
To avoid this error, manually change the operating system to Linux before installing the CA Configuration Automation Agent.
BusinessObjects reporting cannot generate a report that has more than 1000 filter entires.
For example, when you select more than 1000 ports on the Filter tab for the following reports, the reports fails:
When the Element In Context option is selected for the Rule Compliance (Server) report, the report output does display the Element in Context information in its own column like it does for the other selected options. Instead, to avoid crowding the information into a small column, the information is linked at the top of the report output.
Data Type rules are not included in Rule Definition reports because whatever is defined in the Blueprint is going to have a default Data Type, which would cause the report to return a very large number of records when the report is executed.
All rules other than Data Type are displayed in the report.
Component discovery using SSH, Telnet, and WMI fails under the following circumstances:
When you select Stop Discovery from the Select Actions drop‑down list on the Servers tab page, there can be a delay before the operation to stop the discovery begins. You should be sure a Job Submitted message appears near the top of the page to confirm the operation was submitted.
CA Configuration Automation includes an internal user called system_user that owns certain processes and is credited as the creator of some predefined content (for example, predefined Blueprints and predefined visualization graphs).
This user is similar to the Windows user SYSTEM (if you open the Processes tab of the Windows Task Manager you will see SYSTEM in the User Name field for many processes) in that it is an internal user that is not created by an administrator or assigned a user ID. This user does not have an entry in CA EEM, and cannot log into the CA Configuration Automation UI.
The system_user user appears in the User Identifier column of Log pages including, but not limited to:
The Created By column of the Blueprints tab page also displays system_user for each of the predefined Blueprints.
If you run a Telnet discovery from a Windows CA Configuration Automation Server host, and the discovery fails or does not complete, increase the maximum connections allowed by the Telnet service. By default, the maximum number of connections is two.
Enter the following command in a command prompt to increase the possible number of connections to 99:
tlntadmn config maxconn = 99
If Telnet discovery takes a long time or does not return the expected results for the Red Hat Enterprise Linux 5 target servers, change the per_source parameter to a higher value and restart the xinetd service. The per_source parameter is available in the Defined Access Restriction Defaults section of the /etc/xinetd.conf file.
Note: The default value of the per_source parameter is 10.
Agent cert password with unicode characters generates SOAP Fault error during agent start-up. Thus, the Agent cert password must not contain Unicode characters.
After you upgrade from CA ACM to CA Configuration Automation, you will not be able to create security certificates due to change in filenames. Also, the Security Summary in Security Certificates tab displays that the Certificate Authority is not created for the existing CA ACM security certificates.
Rename a few files and run some queries that let you create security certificates:
Follow these steps:
\security\private\acmca.key
The following queries update the acm_certificates table entries:
The following queries update the acm_prop table entries:
Now, you are ready to create security certificates. For more information about how to create security certificates, see the CA Configuration Automation Product Guide. The Certificates table displays old certificate name and purpose values for the existing certificates. Now, the Security Summary in Security Certificates tab displays that the Certificate Authority is created.
One of the following errors appear when you log in to the CA Configuration Automation Server after you upgrade to r12.8:
Note: The error message appears in English in the localized Japanese release.
When the The response cannot be deserialized error appears, clear the browser cache and log in to the CA Configuration Automation Server.
Symptom:
When I run the ccautil SDK utility in a secure mode, the product returns the following error:
Connot connect to CCA Server [servername:8080], Error: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Solution:
The CCA server stores the keystore and truststore files in the lib folder. To make the certificate information available to the ccautil SDK utility, modify the Java parameters in the ccautil.bat file. The Java parameters specify the path of the keystore and truststore files, and the password to access the files.
Note: Use the server password that you created during the certificate creation.
Modify the ccautil.bat file as the following code snippet shows:
%TEMP_JAVA_HOME%\bin\java" -Djavax.net.ssl.keyStore="C:\Program Files\CA\CCA Server\lib\cca.keystore"
-Djavax.net.ssl.keyStorePassword="<password>" -Djavax.net.ssl.trustStore="C:\Program Files\CA\CCA Server\lib\cca.truststore" -Djavax.net.ssl.trustStorePassword="<password>" -Xss2m -classpath "%CCA_UTIL_HOME%\sdk\lib\*" com.ca.acm.sdk.utility.CommandLineUtility %
The following error occurs when you use the Google Chrome browser to open the Access Management tab from the Administration link:
Error 501 (net: ERR_INSECURE_RESPONSE) : UNKNOWN error
The error occurs when you view a page with an Inline Frame (iframe) that loads an HTTPS page with an invalid Secure Sockets Layer (SSL) certificate.
Follow these steps:
A message opens so you can confirm that you want to accept the certificate and proceed.
A new tab opens to display the content.
The original frame reloads and the Access Management content is displayed.
When you upgrade from CA ACM 12 SP02 to CA Configuration Automation, you will not be able to view Access Policies and Users in Access Management Tab. To view the Access Policies and Users, delete the browser history including the Form data, and then log in to CA Configuration Automation.
Guest VMs cannot be discovered with host servers on the following workstation type virtualization products unless they are specified on the Inclusions page of the Create Network Profile wizard:
For more information about creating Network Profiles, see the Network Management chapter in the Product Guide.
By default, the CCA Softagent does discover the host/guest relationships for the following virtualization products:
This troubleshooting section describes common issues encountered when you enable client authentication. It also suggests actions you can take to resolve these issues.
Symptom:
When I enable client authentication from the Security Certificates table, the following error occurs:
CCA-CT-9493: Client Authentication is not supported with the EEM SDK API. Please upgrade to the latest EEM SDK API (version 12 or higher).
Solution:
The CA EEM Server version is older than r12.0. To support the client authentication with the CA EEM Server, perform the following steps:
Symptom:
When I enable the client authentication from the Security Certificate table in the CCA Server UI, the following error message appears:
CCA-CT-9492: Client Authentication is not supported with the EEM server. Please upgrade to the latest EEM (version 12 or higher).
Solution:
The CA EEM Server version is older than r12.0. To support the client authentication with the CA EEM Server, perform the following steps:
Symptom:
I am unable to connect to the CCA Server when I use HTTPS and a Mozilla Firefox browser. The connection fails with the following error, and error code:
Secure Connection Failed, Error code: sec_error_reused_issuer_and_serial
Solution:
Firefox stores the old server certificate instances of a server. Delete the cert8.db file from the following location:
C:\Documents and Settings\<yourname>\Application Data\Mozilla\Firefox\Profiles\<profile>
Symptom:
I am unable to log in to CA Configuration Automation, and the following error occurs:
Solution:
This error occurs in the following circumstances:
To resolve the issues where the client certificate is not available on your computer, import the client certificate from the %CCA_INSTALLATION_DIR%\security\certs directory into your browser.
To disable the client authentication, change the configuration as follows:
update acm_prop set value = 'false' where name = 'client.auth.enabled' and grp='eem'; commit (for oracle)
Symptom:
I am unable to select a different client certificate form the CA Configuration Automation login screen.
Solution:
The browser stores the previously selected certificate information. To delete all the certificate instances, close all open browser applications, open a new browser window, and log in to CA Configuration Automation again.
Symptom:
After I select a security certificate from the available certificate list, I am unable to view the CA Configuration Automation user interface. The following error occurs:
Solution:
The communication between the CCA Server and the client fails if you provide a certificate that is created from a different certificate authority. To resolve the issue, perform the following steps:
Symptom:
I am unable to log out from CA Configuration Automation Server using the Mozilla Firefox browser when the client authentication is enabled.
Solution:
To logout successfully from CA Configuration Automation Server, set the dom.allow_scripts_to_close_windows property to True in the Mozilla Firefox browser.
Follow these steps:
The browser properties are listed.
Symptom:
When I log in to CA Configuration Automation, the following error occurs:
CA-AA-9021: User Authentication Failed.EE_AUTHFAILED Authentication Failed
Solutions:
This can happen when the Client Authentication is enabled in CCA Server, but the Enable Certification Validation check box is not selected in CA EEM Server. The eiam.javasdk.log file (located in %CCA Server%\logs\ eiam.javasdk.log folder) displays the following EEM Client SDK log message:
WARN 2012-01-05 03:55:06,698 [http-48484-3] [com.ca.eiam.SafeContext] validateUserCertificate - LoginFailed
To avoid this issue, perform the following steps:
This can also happen when the wrong tomcat.keystore file is configured in CA EEM Server. The certvalidation.log file displays the following EEM Server log message:
DEBUG 2011-12-28 07:21:50,100 [Thread-2] [com.ca.eiam.server.certvalidation.CertValidator] validate: cetpath building
failed [certificate: EMAILADDRESS=CATechSupport@ca.com, CN=ccaadmin, OU=Client Authetication, O=CA Inc., ST=NY, C=US, serial: 4, issuer: EMAILADDRESS=CATechSupport@ca.com, CN=CCA, C=US, L=Islandia, ST=NY, OU=CCA Certificate Authority, O=CA Inc.]
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
at com.ca.eiam.server.certvalidation.CertValidator.validate(CertValidator.java:382)
at com.ca.eiam.server.certvalidation.CertValidatorService.validate(CertValidatorService.java:152)
WARN 2011-12-28 07:21:50,102 [Thread-2] [com.ca.eiam.server.certvalidation.CertValidatorService] validate: certificate not valid [certificate: EMAILADDRESS=CATechSupport@ca.com, CN=ccaadmin, OU=Client Authetication, O=CA Inc., ST=NY, C=US
The certvalidation.log file located in the %SC%\EmbeddedEntitlementsManager\logs\ folder.
To avoid this issue, copy the tomcat.keystore file from the %CCA installation%\lib\ directory to the CA EEM Server %EmbeddedEntitlementsManager%\ca directory.
This can also happen when the Revocation Mechanism option is enabled in the CA EEM Server, and the Certificate Revocation (.crl) file is not available in the %EmbeddedEntitlementsManager%\crls directory on the CA EEM Server.
The following EEM Server Log message occurs in the certvalidation.log file located in the %SC%\EmbeddedEntitlementsManager\logs\ location:
DEBUG 2011-12-29 02:12:08,609 [Thread-64] [com.ca.eiam.server.certvalidation.CertValidator] validate: cetpath
validation failed [certificate: EMAILADDRESS=CATechSupport@ca.com, CN=pucch03, OU=Client Authetication, O=CA Inc., ST=NY, C=US, serial: 3, issuer: EMAILADDRESS=CATechSupport@ca.com, CN=CCA, C=US, L=Islandia, ST=NY, OU=CCA Certificate Authority, O=CA Inc.]
java.security.cert.CertPathValidatorException: revocation status check failed: no CRL found
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
To avoid this issue, perform one of the following tasks:
This can also happen when the User Mapping field is configured incorrectly in CA EEM Server. The eiam.javasdk.log file (located in %CCA_INSTALLED_DIR %\logs\ folder) displays the following EEM Client SDK log message:
WARN 2011-12-29 01:06:25,190 [http-58181-6] [com.ca.eiam.SafeContext] validateUserCertificate - LoginFailed
The certvalidation.log (located in the %SC%\EmbeddedEntitlementsManager\logs\ folder) file displays the following EEM Server log message:
ERROR 2011-12-29 01:12:56,133 [Thread-27] [com.ca.eiam.server.certvalidation.CertValidatorService] validate: failed to validate certificate [certificate: EMAILADDRESS=CATechSupport@ca.com, CN=pucch03, OU=Client Authetication, O=CA Inc., ST=NY, C=US] java.security.cert.CertificateParsingException: certificate does not have alternate subject information.
To avoid this issue, perform the following steps:
This can also happen when the client certificate is revoked from the CA EEM Server LDAP user store. The certvalidation.log file (located in the %SC%\EmbeddedEntitlementsManager\logs\ folder) displays the following EEM Server Log message:
DEBUG 2011-12-29 02:28:46,331 [Thread-4] [com.ca.eiam.server.certvalidation.CertValidator] validate: cetpath validation failed [certificate: EMAILADDRESS=CATechSupport@ca.com, CN=pucch03, OU=Client Authetication, O=CA Inc., ST=NY, C=US, serial: 3, issuer: EMAILADDRESS=CATechSupport@ca.com, CN=CCA, C=US, L=Islandia, ST=NY, OU=CCA Certificate Authority, O=CA Inc.]
java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: unspecified at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source) at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
Perform one to the following tasks to authorize the user:
This can also happen when the CA EEM Server password is changed after you enabled the client authentication. The eiam.javasdk.log file displays the following EEM Client SDK log message:
[Authenticate Error: Authentication Failed, Authenticate Error: Authentication Failed, Identity Attempted: eiamadmin]
com.ca.eiam.SafePasswordException: EE_AUTHFAILED Authentication Failed
at com.ca.eiam.SafeContext.authenticateWithPassword(SafeContext.java:1860)
at com.ca.eiam.SafeContextFactory.createSafeContext(SafeContextFactory.java:546)
at com.ca.eiam.SafeContextFactory.createSafeContext(SafeContextFactory.java:450)
at com.ca.eiam.SafeContextFactory.getSafeContextFromConfig(SafeContextFactory.java:313)
at com.ca.acm.eem.service.UserManagementService.validateUserCertificate(UserManagementService.java:134)
at com.ca.acm.security.SecurityContext.validateCertificate(SecurityContext.java:167)
at com.ca.acm.server.ACMServiceImpl.login(ACMServiceImpl.java:107)
To avoid this issue, generate the secure (munge) password using the command-line EEMUtil utility available in %CCA_INSTALLED_DIR %\bin directory as follows.
<UserAuth>
<Username>eiamadmin</Username>
<Password>FRwCDglUXkQY</Password>
</UserAuth>
Symptom:
When I log in to CA Configuration Automation, the following error occurs:
CA-AA-9021: User Authentication Failed.EE_POZERROR Repository Error.
Solution:
This error occurs when the user is not available in the CA EEM Server LDAP user store, or when the Username Extraction Pattern is incorrectly configured in the CA EEM Server.
To resolve the issue of the user not being available in the LDAP user store, create a user in the CA EEM Server LDAP user store, and assign a role to the user.
When you incorrectly configure the Username Extraction Pattern, the eiam.javasdk.log file (located in the %CCA_INSTALLED_DIR %\logs directory) displays the following error message:
ERROR 2011-12-29 06:47:34,026 [http-58181-1] [com.ca.eiam.poz.PozFactory] attachPoz - exception
com.ca.eiam.poz.PozException: PozFactory.attach: unable to attach
at com.ca.eiam.poz.PozFactory.attachPoz(PozFactory.java:371)
at com.ca.eiam.SafeContext.attach(SafeContext.java:1569)
at com.ca.acm.eem.service.UserManagementService.validateUserCertificate(UserManagementService.java:143)
at com.ca.acm.security.SecurityContext.validateCertificate(SecurityContext.java:167)
at com.ca.acm.server.ACMServiceImpl.login(ACMServiceImpl.java:107)
To resolve the Username Extraction Pattern configuration issue, perform the following steps:
Contact CA Support
For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
Providing Feedback About Product Documentation
If you have comments or questions about CA Technologies product documentation, you can send a message to techpubs@ca.com.
To provide feedback about CA Technologies product documentation, complete our short customer survey which is available on the CA Support website at http://ca.com/docs.
Copyright © 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.