Previous Topic: UNAB Known Issues

Next Topic: Documentation Known Issues

Release NotesKnown IssuesGeneral Known IssuesServer Components Known Issues

Server Components Known Issues

This section describes known issues for CA Access Control server components (CA Access Control Endpoint Management, CA Access Control Enterprise Management, and Enterprise Reporting).

Incomplete Privilege Account Discovery Process Due to Time Synchronization

Symptom:

I ran the account discovery wizard and I the list of privileged accounts is incomplete.

Solution:

The issue can occur if there is a time difference between the Enterprise Management Server, the Distribution Server or the CA Access Control endpoint. To resolve this issue, download the publish fix number RO47404 from the Support website.

PUPM Report Missing Approved Requests History After Upgrade

Symptom:

After I upgraded the Enterprise Management Server to r12.6.01, the following reports are missing approved requests history: Privileged Account Requests by Approver, Privileged Account Requests by Endpoint and Privileged Account Requests by Requester.

Solution:

To solve this issue download published fix RO47416. To deploy the publish fix, follow the instructions in the readme file included in the hot fix.

Hot Fix Required to Manage CA Access Control Endpoint Using CA Access Control for PUPM Endpoint Type

Valid on Linux

Symptom:

I installed the Enterprise Management Server on Linux and I try to discover privileged account on CA Access Control endpoint suing the CA Access Control for PUPM endpoint type. The discovery process fails to detect the administrator account.

Solution:

To solve this issue, install publish fix RO47411 on the Enterprise Management Server. To deploy the hot fix, follow the instructions in the readme file included in the hot fix.

Telnet Session is Not Supported by Open Sessions

Valid on Windows

Open session does not detect and recognize the Telnet session as a login. The Telnet session is not supported by open sessions on Windows.

Login Integration with PUPM Supported on Windows Agentless Endpoint Type Only

Valid on Windows Agentless Endpoint

CA Access Control login integration with PUPM is supported on Windows Agentless endpoint only and when class Regval is disabled on the target endpoint.

Unapproved Privileged Account Requests Not Preserved After Upgrade

Symptom:

When I perform a privileged account request and upgrade CA Access Control before approving the request, I receive a null pointer exception after upgrade.

Solution:

Perform the upgrade after approving the privileged account request.

Out of Memory Error:GC Overhead Limit Exceeded

Valid on UNIX

The following error message appear in the JBoss server log if the system or garbage collection settings are not properly configured:

"java.lang.OutOfMemoryError: GC overhead limit exceeded"

To solve this issue, do the following:

  1. Stop the JBoss application server.
  2. Navigate to the following directory, where JBOSS_HOME indicates the location where you installed JBoss: 
    JBOSS_HOME\bin
  3. Edit the run_idm.bat file.
  4. Locate the JAVA_OPTS variable and add the following arguments: 
    " -XX:+UseParNewGC -XX:+CMSParallelRemarkEnabled -XX:+UseConcMarkSweepGC %JAVA_OPTS%"
  5. Save the file and exit.
  6. Start the JBoss application server.

Example: the JAVA_OPTS variable

The following example shows the JAVA_OPTS variable after you added the new arguments:

set JAVA_OPTS=-Djava.security.policy=.\workpoint_client.policy -Xms512m -Xmx1024m -XX:MaxPermSize=256m -XX:+UseParNewGC -XX:+CMSParallelRemarkEnabled -XX:+UseConcMarkSweepGC %JAVA_OPTS%
Default Request Approver Not Configured

Valid on SunOne

If you use SunOne user directory, you need to configure the default request approver. You define the default request approver that all privileged account passwords requests are submitted to.

To configure the default request approver, do the following:

  1. Log in to CA Access Control Enterprise Management as a System Manager.
  2. Select Users and Groups, Tasks, Modify Admin Task.

    The Modify Admin Task: Search Admin Task window opens.

  3. Enter Privileged Account Request in the Name field, then click Search.

    CA Access Control Enterprise Management displays the results that match the search criteria.

  4. Select the Privileged Account Request and click Select.

    The Modify Admin Task: Privileged Account Request window opens.

  5. Navigate to the Events tab and select the workflow process

    The Workflow Process screen opens.

  6. In the Default Approver section, select Add Users.

    The Select User screen opens.

  7. Enter the name of the user you want to assign as a default approver and select Search.

    CA Access Control Enterprise Management displays the results according to the search criteria.

  8. Click Select.

    The user you selected is added as a default request approver.

  9. Click OK to exit.

Note: The default request approver you defined does not apply to users that you created before you installed the Enterprise Management Server. The default request approver for users that previously existed in the user directory is superamdin.

"No Managed Connections Available Within Configured Blocking Timeout" Error Message When Running Batch Operations

"Managed Connections Available Within Configured Blocking Timeout" error message received when you run batch tasks. For example, you attempt to run the automatic reset password task on a large group or accounts. The error message indicates that the JBoss application server has exhausted the available connections and cannot complete the task.

To work around this problem you need to increase the number of available connections in the pool:

  1. Stop the JBoss application server.
  2. Navigate to the following directory, where JBoss_HOME indicates the directory where you installed JBoss: 
    JBoss_HOME/server/default/deploy/
  3. Open the file imtaskpersistencedb-ds.xml for editing.
  4. Locate the <max-pool-size> tag and set the value to 40.
  5. Locate the <idle-timeout-minutes> tag and set the value to 1.
  6. Comment out (<!--) the <blocking-timout-millis> tag as follows: 
    <!--blocking-timeout-millis>5000</blocking-timeout-millis-->
  7. Save and close the file.
  8. Start the JBoss application server.

    You have increased the number of available connections in the pool. You can now run the task.

JBoss for Windows Sample Policy Failed to Deploy

The JBoss for Windows sample policy fails to deploy on an endpoint. The policy deployment process terminates with an internal error message indicating that a PROGRAM resource already exists.

To work around the problem, use the JBoss sample policy and modify the policy before you deploy it to create PROGRAM resources explicitly.

Error Message Displayed When Viewing Policy Management Reports in CA Access Control Enterprise Management

CA Access Control Enterprise Management displays a message that the task failed when attempting to view policy management reports.

To work around this problem, restart the JBoss application server and the CA Business Intelligence server (Report Portal).

A CA Access Control User Not Defined a Password Cannot Log Into the CA Access Control Enterprise Management Server

An CA Access Control user account without a password cannot log into the CA Access Control Enterprise Management Server.

Access Roles Are Not Supported in CA Access Control Enterprise Management

When you define admin role rules, select users that are members of admin roles. CA Access Control Enterprise Management does not support access roles. The access roles option should not appear in the interface.

"No Operation Required" Message When Modifying UNAB Host or Host Group

When modifying UNAB host or host group settings and submitting the changes, CA Access Control Enterprise Management displays the following message: "No operation required". Although this message indicates that no action was taken, the modifications you made to the UNAB host or host group were applied.

Control Characters May Cause an Application Exception

Control characters in the CA Access Control database may cause an application exception or render incorrectly in CA Access Control Endpoint Management and CA Access Control Enterprise Management.

Incomprehensible Characters In the User Interface

Symptom:

When I log into the CA Access Control Enterprise Management user interface, I see incomprehensible characters.

Solution:

The problem is that the database instance you are using does not fully support UTF8 international characters set. To correct this problem, you must reinstall CA Access Control Enterprise Management on a fully internationalized database instance.

Cannot Change the Trust Property of a Monitored File

In CA Access Control Endpoint Management, clearing the Trust check box on the Audit tab of a monitored file (SECFILE) resource fails when you try to save the changes.

To work around this issue and change this resource attribute, use selang.

CA Access Control Enterprise Management Time-Out When Creating Large Policies

The CA Access Control Enterprise Management user interface times out when you create a policy that contains more than 6000 commands. You cannot continue working in the user interface until CA Access Control Enterprise Management creates the policy. To work around this problem, open a new session by logging in to CA Access Control Enterprise Management from a new browser.

Cannot Deploy Policies That Contain a Trailing Backslash

Conventions for selang let you use a backslash character (\) as the last character of a line to indicate that the command continues on the following line. This is not supported by advanced policy management. Make sure that policy commands do not span multiple lines.

Note: The following sample policies CA Access Control provides contain a trailing backslash: _AC_WEBSERVICE, _APACHE, _JBOSS, _MS_SQL_SERVER, and _ORACLE.

Policy Script Validation Error Messages Are in a Different Language

Valid in CA Access Control Enterprise Management

If a policy deploys with errors, the selang result messages you see in CA Access Control Enterprise Management are in the installation language of the CA Access Control endpoint on the Enterprise Management server and not that of the CA Access Control Enterprise Management installation.

To see these messages in a localized language, you must install the CA Access Control endpoint on the Enterprise Management computer in the desired localized language before you install CA Access Control Enterprise Management.

Cannot View Audit Records for Terminals with Names Longer than 30 Characters

You cannot view audit records if the terminal name has more than 30 characters. This happens when CA Access Control Endpoint Management running on a Windows computer manages a UNIX endpoint.

PMDB Audit Records Are Not Visible When Managing the PMDB

When you manage a PMDB using CA Access Control Endpoint Management, you cannot see the PMDB’s audit records.

To work around this issue and view the audit records for the PMDB, connect to host where the PMDB resides.

Open Session For Network Devices Fails

If the privileged account name contains more than ten characters, open session for Network Devices fails.

"No Such Method" or "Failed to Reset Password" Error Message for Access Control for PUPM Endpoint Types

Valid on Linux

When you install the Enterprise Management Server on a Linux computer, you receive the following error message when you define Access Control for PUPM endpoints: "No Such Method".

If you specify that CA Access Control Enterprise Management resets a privileged account password on check in, when a user checks in a privileged account on an Access Control for PUPM endpoint they receive the following error message: "Failed to Reset Password".

Follow these steps:

  1. Stop the Java Connector Server. Do the following:
    1. Navigate to the following directory, where ACServerInstallDir refers to the directory where the Enterprise Management Server is installed: 
      ACServerInstallDir/Connector_Server/bin
    2. Run the following command: 
      ./im_jcs stop

      The Java Connector Server stops.

  2. Open the im_jcs script for editing.
  3. Locate and remove the following line from the script: 
    PREJAR="$FULLBASEPATH/bin/jcs-bootstrap.jar:$FULLBASEPATH/
conf:$FULLBASEPATH/lib/jcs.jar:"`echo $FULLBASEPATH/
lib/apacheds-server-main-*-app.jar`
  4. Copy the following line and paste it into the script: 
    PREJAR="$FULLBASEPATH/bin/jcs-bootstrap.jar:$FULLBASEPATH/
conf:$FULLBASEPATH/lib/jcs.jar:$FULLBASEPATH/
lib/nlog4j__V1.2.25.jar:"`echo $FULLBASEPATH/lib/apacheds-server-main-*-app.jar`

    Important! Delete the carriage returns in the line after you paste it into the script.

  5. Save the file.
  6. Start the Java Connector Server. 
    ./im_jcs start

    The Java Connector Server starts. You can now configure the Access Control for PUPM endpoint type.

Telnet Automatic Login Not Supported on Solaris After Upgarde

Valid on Solaris

Currently, Telnet automatic login is not supported on Solaris after you upgarde to CA Access Control r12.6.

Custom Participant Resolvers Removed After Upgrade

Custom participant resolvers that you configured are removed after you upgraded to CA Access Control r12.6.

We recommend that you make a note of the custom participant resolvers before you upgrade to CA Access Control r12.6 and recreate them once you completed the upgrade.

Changes to Windows Services and Scheduled Tasks Are Not Discovered

Valid on Windows Server 2003

Symptom:

When you change a Windows Service or Windows Scheduled Task, the changes cannot be discovered.

Solution:

This is a known Microsoft issue. After you change the service or task on the endpoint, delete the existing password consumer. Use the Service Account Discovery Wizard to create a password consumer.

Approval of Service Account Password Request Fails

After you submit a request for a service account password, the request is not sent to the request approver and you cannot check out the service account password.

No Audit Record for Password Retrieval by JDBC Password Consumer

The Enterprise Management Server does not write an audit record when a JDBC password consumer gets a password from CA Access Control Enterprise Management.

Error Message When You Use Automatic Login to Log in to Oracle Enterprise Manager

Valid on Oracle

An error message appears when you use the automatic login option to log into the Oracle Enterprise Manager after you checked out an administrator account password. The error message appears if you terminated the last session by closing the browser window without logging off.

Remote Desktop Connection Fails When Endpoint Prompts for Password

Valid on Windows

The Windows Remote Desktop automatic login script fails to log into the endpoint if the endpoint Terminal Services settings are configured to always prompt for password on login.

PUPM Accepts Ticket Numbers for Closed CA Service Desk Manager Tickets

Valid for integration with CA Service Desk Manager

If you specify the number for a closed CA Service Desk Manager issue or request ticket (ticket type=iss or cr) when you request access to a privileged account, CA Access Control Enterprise Management forwards the request to the approver.

Cannot Specify CA Service Desk Manager Change Order Ticket Number

Valid for integration with CA Service Desk Manager

If you specify the number for a CA Service Desk Manager change order ticket (ticket type=ch) when you request access to a privileged account, CA Access Control Enterprise Management does not forward the request to the approver.