This section describes known issues for CA ControlMinder server components (CA ControlMinder Endpoint Management, CA ControlMinder Enterprise Management, and Enterprise Reporting).
Symptom:
When I check out an operation administrator account password of from an SSH endpoint type, the following message appear:
java.lang.Exception: too many results found for account handle:ACCOUNT_HANDLE_NOT_INITIALIZED
Solution:
This is a known issue with the SAM feeder. The problem occur when you attempt to check out a connected operation administrator account password that you created using the feeder (ADMIN_ACCOUNT_IS_DISCONNECTED=false) when more than one operation administrator account is defined.
To workaround this issue, do the following:
Symptom:
When I restart the Enterprise Management Server after installing the third-party components and the Enterprise Management Server, the server.log file shows the following errors:
Solution:
This behavior is a known issue. Verify that CA ControlMinder services are started. The Enterprise Management requires that CA ControlMinder is running. If the JBoss Application Server services are not started, perform one of the following:
Note: The Task Engine may take some time to load the first time you start it.
Symptom:
When I disable an Active Directory user with Japanese characters in the CA ControlMinder Enterprise Management, the task fails. The user can still log in to the Enterprise Management Server.
Solution:
This behavior is a known issue.
Symptom:
When I modify a password consumer event and verify the action, it appears as Unknown Action.
Solution:
This behavior is a known issue.
Symptom:
The privileged account password history change date is displayed in the time zone of the JBoss server, and not the time zone of the client that is running the web browser.
Solution:
None.
Valid on Linux
Symptom:
After I upgraded the Enterprise Management Server, I cannot locate the assigned and effective policies on the hosts.
Solution:
During the Enterprise Management Server upgrade process, the installation uses the dbmgr -export function to export the existing policies to selang commands. Due to an error in the process, the installation did not import the policies back in to the database.
To fix this issue, install the following test fixes before you upgrade the Enterprise Management Server:
During Installation of CA Enterprise Management, the following error message is displayed in the Add Roles and Features Wizard: "The following feature could not be installed: NET Framework3.5 (includes .NET2.0 and 3.0)"
Close the error message pop-up box and continue with the installation. This error message does not affect the server installation.
If either the Enterprise Management Server or the requester are in daylight savings time (DST), the following occurs when submitting a privileged account request:
Symptom:
Following an Endpoint Management uninstall of a nondefault drive installation, all JBoss and JDK files are not deleted due to JBoss and JDK package limitations.
Solution:
After the Enterprise Management uninstall, manually remove the JBoss and JDK ControlMinder folders.
Symptom:
When I remove one of two CA ControlMinder endpoints or a CA ControlMinder DNS, data from the removed component still appears in the Policy Management reports.
Solution:
To delete endpoint snapshot data from the reports, run the following command on the Enterprise Management database:
Delete from SNAPSHOTINFO where HOSTID = host_to_delete_name
To delete endpoint snapshot data for Oracle, run the following commands on the Enterprise Management database:
Delete from GROUPINFO where hostid = host_to_delete_name Delete from resac where hostid = host_to_delete_name Delete from UACC where hostid = host_to_delete_name Delete from USERREVACL where hostid = host_to_delete_name Delete from NODE where hostid = host_to_delete_name Delete from SPECIALPGMTYPE where hostid =host_to_delete_name Delete from ACL where hostid = host_to_delete_name Delete from resinfo where hostid =host_to_delete_name Delete from seos where hostid = host_to_delete_name Delete from USERACMODE where hostid = host_to_delete_name Delete from USERAC where hostid = host_to_delete_name Delete from userinfo where hostid = host_to_delete_name
For Example:
Delete from SNAPSHOTINFO where HOSTID = 'hostname@ca.com
Delete from SNAPSHOTINFO where HOSTID = DMS__@hostname@ca.com
The following known issues occur when you click View to search View Recorded Sessions in the CA ControlMinder Endpoint Management Recorded Sessions tab:
Open session does not work in iOS 5 due to a problem with iOS. The command to select open sessions in iOS, returns closed sessions as well.
Symptom:
If a PMDB is created with more than 25 characters, then its subscribers are not listed when, you view it using the Endpoint Management user interface.
Solution:
This is a known issue with the Endpoint Management user interface. Use the sepmd utility to view the list of subscribers. The command has the following format:
sepmd -l pmd
Lists the subscribers of the Policy Model.
Specifies the name of the Policy Model.
Valid on Windows
Open session does not detect and recognize the Telnet session as a login. The Telnet session is not supported by open sessions on Windows.
Valid on SunOne and CA Directory
If you use SunOne or the CA Directory user directory, configure the default request approver. You define the default request approver that all privileged account passwords requests are submitted to.
Follow these steps:
The Modify Admin Task: Search Admin Task window opens.
CA ControlMinder Enterprise Management displays the results that match the search criteria.
The Modify Admin Task: Privileged Account Request window opens.
The Workflow Process screen opens.
The Select User screen opens.
CA ControlMinder Enterprise Management displays the results according to the search criteria.
The user that you selected is added as a default request approver.
Note: The default request approver that you defined does not apply to users that you created before you installed the Enterprise Management Server. The default request approver for users that previously existed in the user directory is superamdin.
"Managed Connections Available Within Configured Blocking Timeout" error message received when you run batch tasks. For example, you attempt to run the automatic reset password task on a large group or accounts. The error message indicates that the JBoss application server has exhausted the available connections and cannot complete the task.
To work around this problem you need to increase the number of available connections in the pool:
JBoss_HOME/server/default/deploy/
<!--blocking-timeout-millis>5000</blocking-timeout-millis-->
You have increased the number of available connections in the pool. You can now run the task.
The JBoss for Windows sample policy fails to deploy on an endpoint. The policy deployment process terminates with an internal error message indicating that a PROGRAM resource already exists.
To work around the problem, use the JBoss sample policy and modify the policy before you deploy it to create PROGRAM resources explicitly.
CA ControlMinder Enterprise Management displays a message that the task failed when attempting to view policy management reports.
To work around this problem, restart the JBoss application server and the CA Business Intelligence server (Report Portal).
An CA ControlMinder user account without a password cannot log into the CA ControlMinder Enterprise Management Server.
When you define admin role rules, select users that are members of admin roles. CA ControlMinder Enterprise Management does not support access roles. The access roles option should not appear in the interface.
When modifying UNAB host or host group settings and submitting the changes, CA ControlMinder Enterprise Management displays the following message: "No operation required". Although this message indicates that no action was taken, the modifications you made to the UNAB host or host group were applied.
Control characters in the CA ControlMinder database may cause an application exception or render incorrectly in CA ControlMinder Endpoint Management and CA ControlMinder Enterprise Management.
Symptom:
When I log into the CA ControlMinder Enterprise Management user interface, I see incomprehensible characters.
Solution:
The problem is that the database instance you are using does not fully support UTF8 international characters set. To correct this problem, you must reinstall CA ControlMinder Enterprise Management on a fully internationalized database instance.
In CA ControlMinder Endpoint Management, clearing the Trust check box on the Audit tab of a monitored file (SECFILE) resource fails when you try to save the changes.
To work around this issue and change this resource attribute, use selang.
The CA ControlMinder Enterprise Management user interface times out when you create a policy that contains more than 6000 commands. You cannot continue working in the user interface until CA ControlMinder Enterprise Management creates the policy. To work around this problem, open a new session by logging in to CA ControlMinder Enterprise Management from a new browser.
Conventions for selang let you use a backslash character (\) as the last character of a line to indicate that the command continues on the following line. This is not supported by advanced policy management. Make sure that policy commands do not span multiple lines.
Note: The following sample policies CA ControlMinder provides contain a trailing backslash: _AC_WEBSERVICE, _APACHE, _JBOSS, _MS_SQL_SERVER, and _ORACLE.
Valid in CA ControlMinder Enterprise Management
If a policy deploys with errors, the selang result messages you see in CA ControlMinder Enterprise Management are in the installation language of the CA ControlMinder endpoint on the Enterprise Management server and not that of the CA ControlMinder Enterprise Management installation.
To see these messages in a localized language, you must install the CA ControlMinder endpoint on the Enterprise Management computer in the desired localized language before you install CA ControlMinder Enterprise Management.
You cannot view audit records if the terminal name has more than 30 characters. This happens when CA ControlMinder Endpoint Management running on a Windows computer manages a UNIX endpoint.
When you manage a PMDB using CA ControlMinder Endpoint Management, you cannot see the PMDB’s audit records.
To work around this issue and view the audit records for the PMDB, connect to host where the PMDB resides.
If the privileged account name contains more than ten characters, open session for Network Devices fails.
Valid on Linux
When you install the Enterprise Management Server on a Linux computer, you receive the following error message when you define Access Control for SAM endpoints: "No Such Method".
If you specify that CA ControlMinder Enterprise Management resets a privileged account password on check in, when a user checks in a privileged account on an Access Control for SAM endpoint they receive the following error message: "Failed to Reset Password".
Follow these steps:
ACServerInstallDir/Connector_Server/bin
./im_jcs stop
The Java Connector Server stops.
PREJAR="$FULLBASEPATH/bin/jcs-bootstrap.jar:$FULLBASEPATH/ conf:$FULLBASEPATH/lib/jcs.jar:"`echo $FULLBASEPATH/ lib/apacheds-server-main-*-app.jar`
PREJAR="$FULLBASEPATH/bin/jcs-bootstrap.jar:$FULLBASEPATH/ conf:$FULLBASEPATH/lib/jcs.jar:$FULLBASEPATH/ lib/nlog4j__V1.2.25.jar:"`echo $FULLBASEPATH/lib/apacheds-server-main-*-app.jar`
Important! Delete the carriage returns in the line after you paste it into the script.
./im_jcs start
The Java Connector Server starts. You can now configure the Access Control for SAM endpoint type.
Valid on Solaris
The Telnet automatic login is not supported on Solaris after you upgrade to CA ControlMinder 12.7.
Valid on Windows Server 2003
Symptom:
When you change a Windows Service or Windows Scheduled Task, the changes cannot be discovered.
Solution:
This is a known Microsoft issue. After you change the service or task on the endpoint, delete the existing password consumer. Use the Service Account Discovery Wizard to create a password consumer.
After you submit a request for a service account password, the request is not sent to the request approver and you cannot check out the service account password.
The Enterprise Management Server does not write an audit record when a JDBC password consumer gets a password from CA ControlMinder Enterprise Management.
Valid on Oracle
An error message appears when you use the automatic login option to log into the Oracle Enterprise Manager after you checked out an administrator account password. The error message appears if you terminated the last session by closing the browser window without logging off.
Valid on Windows
The Windows Remote Desktop automatic login script fails to log into the endpoint if the endpoint Terminal Services settings are configured to always prompt for password on login.
Valid for integration with CA Service Desk Manager
If you specify the number for a closed CA Service Desk Manager issue or request ticket (ticket type=iss or cr) when you request access to a privileged account, CA ControlMinder Enterprise Management forwards the request to the approver.
Valid for integration with CA Service Desk Manager
If you specify the number for a CA Service Desk Manager change order ticket (ticket type=ch) when you request access to a privileged account, CA ControlMinder Enterprise Management does not forward the request to the approver.
In Linux Enterprise Management or with a Linux Distribution Server, I cannot verify exclusive sessions to prevent check-in if open sessions are available to that endpoint.
Follow these steps:
Note: This change is recommended only if one of the Distribution Server/Enterprise Management operating systems is Windows.
After I change an Active Directory requester organizational unit, tasks that were submitted under the old organizational unit do not appear in My View Submitted Task.
This is a known issue that results from limitations in the Active Directory search method.
Copyright © 2013 CA Technologies.
All rights reserved.
|
|