

Server Components Known Issues

This section describes known issues for CA ControlMinder server components (CA ControlMinder Endpoint Management, CA ControlMinder Enterprise Management, and Enterprise Reporting).

Error Message Appears When Attempting to Check Out an Operation Administrator Account Password

Symptom:

When I check out an operation administrator account password from an SSH endpoint type, the following message appears:

java.lang.Exception: too many results found for account handle:ACCOUNT_HANDLE_NOT_INITIALIZED

Solution:

This is a known issue with the SAM feeder. The problem occurs when you attempt to check out a connected operation administrator account password that you created using the feeder (ADMIN_ACCOUNT_IS_DISCONNECTED=false) when more than one operation administrator account is defined.

To work around this issue, do the following:

Error Messages Appear in JBoss Server Log File After Enterprise Management Server Installation

Symptom:

When I restart the Enterprise Management Server after installing the third-party components and the Enterprise Management Server, the server.log file shows the following errors:

Solution:

This behavior is a known issue. Verify that CA ControlMinder services are started. The Enterprise Management requires that CA ControlMinder is running. If the JBoss Application Server services are not started, perform one of the following:

Active Directory Users with Japanese Characters Cannot Be Disabled

Symptom:

When I disable an Active Directory user with Japanese characters in the CA ControlMinder Enterprise Management, the task fails. The user can still log in to the Enterprise Management Server.

Solution:

This behavior is a known issue.

Modify Password Consumer Event Action Appears as Unknown Action

Symptom:

When I modify a password consumer event and verify the action, it appears as Unknown Action.

Solution:

This behavior is a known issue.

Wrong Time Zone in SAM Password History

Symptom:

The privileged account password history change date is displayed in the time zone of the JBoss server, and not the time zone of the client that is running the web browser.

Solution:

None.

dbmgr -export Function Fails to Export Effective and Assigned Policies After Upgrade

Valid on Linux

Symptom:

After I upgraded the Enterprise Management Server, I cannot locate the assigned and effective policies on the hosts.

Solution:

During the Enterprise Management Server upgrade process, the installation uses the dbmgr -export function to export the existing policies to selang commands. Due to an error in the process, the installation did not import the policies back into the database.

To fix this issue, install the following test fixes before you upgrade the Enterprise Management Server:

.NET Framework Error Message Displayed During Installation

During installation of CA Enterprise Management, the following error message is displayed in the Add Roles and Features Wizard: "The following feature could not be installed: NET Framework3.5 (includes .NET2.0 and 3.0)"

Close the error message pop-up box and continue with the installation. This error message does not affect the server installation.

Privileged Account Requests and Daylight Savings Time (DST)

If either the Enterprise Management Server or the requester is in daylight savings time (DST), the following occurs when submitting a privileged account request:

Uninstall Does Not Delete JBoss and JDK Files

Symptom:

Following an Endpoint Management uninstall of a nondefault drive installation, all JBoss and JDK files are not deleted due to JBoss and JDK package limitations.

Solution:

After the Enterprise Management uninstall, manually remove the JBoss and JDK ControlMinder folders.

How to Delete Old Hosts From the Database Report Tables

Symptom:

When I remove one of two CA ControlMinder endpoints or a CA ControlMinder DNS, data from the removed component still appears in the Policy Management reports.

Solution:

To delete endpoint snapshot data from the reports, run the following command on the Enterprise Management database:

Delete from SNAPSHOTINFO where HOSTID = host_to_delete_name

To delete endpoint snapshot data for Oracle, run the following commands on the Enterprise Management database:

Delete from GROUPINFO where hostid = host_to_delete_name
Delete from resac where hostid = host_to_delete_name
Delete from UACC where hostid = host_to_delete_name
Delete from USERREVACL where hostid = host_to_delete_name
Delete from NODE where hostid = host_to_delete_name
Delete from SPECIALPGMTYPE where hostid = host_to_delete_name
Delete from ACL where hostid = host_to_delete_name
Delete from resinfo where hostid = host_to_delete_name
Delete from seos where hostid = host_to_delete_name
Delete from USERACMODE where hostid = host_to_delete_name
Delete from USERAC where hostid = host_to_delete_name
Delete from userinfo where hostid = host_to_delete_name

For Example:

Searching in View Recorded Sessions

The following known issues occur when you click View to search View Recorded Sessions in the CA ControlMinder Endpoint Management Recorded Sessions tab:

Open Session Does Not Work In iOS 5

Open session does not work in iOS 5 due to a problem with iOS. The command to select open sessions in iOS returns closed sessions as well.

PMDB Subscribers Not Listed When PMDB Name Exceeds 25 Characters

Symptom:

If a PMDB is created with a name of more than 25 characters, its subscribers are not listed when you view it using the Endpoint Management user interface.

Solution:

This is a known issue with the Endpoint Management user interface. Use the sepmd utility to view the list of subscribers. The command has the following format:

sepmd -l pmd

-l

Lists the subscribers of the Policy Model.

pmd

Specifies the name of the Policy Model.

Telnet Session is Not Supported by Open Sessions

Valid on Windows

Open session does not detect and recognize the Telnet session as a login. The Telnet session is not supported by open sessions on Windows.

Default Request Approver Not Configured

Valid on SunOne and CA Directory

If you use SunOne or the CA Directory user directory, configure the default request approver. The default request approver is the user to whom all privileged account password requests are submitted.

Follow these steps:

  1. Log in to CA ControlMinder Enterprise Management as a System Manager.
  2. Select Users and Groups, Tasks, Modify Admin Task.

    The Modify Admin Task: Search Admin Task window opens.

  3. Enter Privileged Account Request in the Name field, then click Search.

    CA ControlMinder Enterprise Management displays the results that match the search criteria.

  4. Select the Privileged Account Request and click Select.

    The Modify Admin Task: Privileged Account Request window opens.

  5. Navigate to the Events tab and select the workflow process.

    The Workflow Process screen opens.

  6. In the Default Approver section, select Add Users.

    The Select User screen opens.

  7. Enter the name of the user you want to assign as a default approver and select Search.

    CA ControlMinder Enterprise Management displays the results according to the search criteria.

  8. Click Select.

    The user that you selected is added as a default request approver.

  9. Click OK to exit.

Note: The default request approver that you defined does not apply to users that you created before you installed the Enterprise Management Server. The default request approver for users that previously existed in the user directory is superadmin.

"No Managed Connections Available Within Configured Blocking Timeout" Error Message When Running Batch Operations

The "No Managed Connections Available Within Configured Blocking Timeout" error message is displayed when you run batch tasks. For example, you attempt to run the automatic reset password task on a large group of accounts. The error message indicates that the JBoss application server has exhausted the available connections and cannot complete the task.

To work around this problem, increase the number of available connections in the pool:

  1. Stop the JBoss application server.
  2. Navigate to the following directory, where JBoss_HOME indicates the directory where you installed JBoss:
    JBoss_HOME/server/default/deploy/
    
  3. Open the file imtaskpersistencedb-ds.xml for editing.
  4. Locate the <max-pool-size> tag and set the value to 40.
  5. Locate the <idle-timeout-minutes> tag and set the value to 1.
  6. Comment out (<!--) the <blocking-timeout-millis> tag as follows:
    <!--blocking-timeout-millis>5000</blocking-timeout-millis-->
    
  7. Save and close the file.
  8. Start the JBoss application server.

    You have increased the number of available connections in the pool. You can now run the task.
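
A way to confirm the edit before you restart JBoss, as an added example that is not part of the product documentation: the check parses a datasource file and reports any of the three settings from the procedure that is not in place. The sample XML is constructed; the JNDI name and the "before" pool values are placeholders, not the product's defaults.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the JBoss *-ds.xml layout. Only the three tags named in
# the procedure matter; the JNDI name and the "before" values are placeholders.
SAMPLE_BEFORE = """<datasources>
  <local-tx-datasource>
    <jndi-name>jdbc/exampleDS</jndi-name>
    <max-pool-size>20</max-pool-size>
    <idle-timeout-minutes>15</idle-timeout-minutes>
    <blocking-timeout-millis>5000</blocking-timeout-millis>
  </local-tx-datasource>
</datasources>"""

SAMPLE_AFTER = """<datasources>
  <local-tx-datasource>
    <jndi-name>jdbc/exampleDS</jndi-name>
    <max-pool-size>40</max-pool-size>
    <idle-timeout-minutes>1</idle-timeout-minutes>
    <!--blocking-timeout-millis>5000</blocking-timeout-millis-->
  </local-tx-datasource>
</datasources>"""

EXPECTED = {"max-pool-size": "40", "idle-timeout-minutes": "1"}


def check_pool_settings(xml_text):
    """Return a list of findings; an empty list means the workaround is in place."""
    root = ET.fromstring(xml_text)  # raises ParseError if the comment edit broke the XML
    findings = []
    # A -ds.xml file may define several datasources; check each one.
    sources = [el for el in root if el.tag.endswith("datasource")]
    if not sources:
        findings.append("no datasource element found")
    for ds in sources:
        name = ds.findtext("jndi-name", default="?").strip()
        for tag, want in EXPECTED.items():
            got = ds.findtext(tag)
            if got is None or got.strip() != want:
                findings.append(f"{name}: <{tag}> is {got!r}, expected {want}")
        # The parser drops comments, so a commented-out tag is simply absent.
        if ds.find("blocking-timeout-millis") is not None:
            findings.append(f"{name}: <blocking-timeout-millis> is still active")
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        problems = check_pool_settings(text)
        print(label, "OK" if not problems else problems)
```

To check the real file, pass the contents of imtaskpersistencedb-ds.xml to check_pool_settings(); a parse error means the comment markers in step 6 were not closed correctly.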

JBoss for Windows Sample Policy Failed to Deploy

The JBoss for Windows sample policy fails to deploy on an endpoint. The policy deployment process terminates with an internal error message indicating that a PROGRAM resource already exists.

To work around the problem, use the JBoss sample policy and modify the policy before you deploy it to create PROGRAM resources explicitly.

Error Message Displayed When Viewing Policy Management Reports in CA ControlMinder Enterprise Management

CA ControlMinder Enterprise Management displays a message that the task failed when attempting to view policy management reports.

To work around this problem, restart the JBoss application server and the CA Business Intelligence server (Report Portal).

A CA ControlMinder User Without a Defined Password Cannot Log Into the CA ControlMinder Enterprise Management Server

A CA ControlMinder user account without a password cannot log into the CA ControlMinder Enterprise Management Server.

Access Roles Are Not Supported in CA ControlMinder Enterprise Management

When you define admin role rules, select users that are members of admin roles. CA ControlMinder Enterprise Management does not support access roles. The access roles option should not appear in the interface.

"No Operation Required" Message When Modifying UNAB Host or Host Group

When modifying UNAB host or host group settings and submitting the changes, CA ControlMinder Enterprise Management displays the following message: "No operation required". Although this message indicates that no action was taken, the modifications you made to the UNAB host or host group were applied.

Control Characters May Cause an Application Exception

Control characters in the CA ControlMinder database may cause an application exception or render incorrectly in CA ControlMinder Endpoint Management and CA ControlMinder Enterprise Management.

Incomprehensible Characters In the User Interface

Symptom:

When I log into the CA ControlMinder Enterprise Management user interface, I see incomprehensible characters.

Solution:

The problem is that the database instance you are using does not fully support the UTF8 international character set. To correct this problem, you must reinstall CA ControlMinder Enterprise Management on a fully internationalized database instance.

Cannot Change the Trust Property of a Monitored File

In CA ControlMinder Endpoint Management, clearing the Trust check box on the Audit tab of a monitored file (SECFILE) resource fails when you try to save the changes.

To work around this issue and change this resource attribute, use selang.

CA ControlMinder Enterprise Management Time-Out When Creating Large Policies

The CA ControlMinder Enterprise Management user interface times out when you create a policy that contains more than 6000 commands. You cannot continue working in the user interface until CA ControlMinder Enterprise Management creates the policy. To work around this problem, open a new session by logging in to CA ControlMinder Enterprise Management from a new browser.

Cannot Deploy Policies That Contain a Trailing Backslash

Conventions for selang let you use a backslash character (\) as the last character of a line to indicate that the command continues on the following line. This is not supported by advanced policy management. Make sure that policy commands do not span multiple lines.

Note: The following sample policies CA ControlMinder provides contain a trailing backslash: _AC_WEBSERVICE, _APACHE, _JBOSS, _MS_SQL_SERVER, and _ORACLE.
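
One way to prepare such a policy for advanced policy management, as an added example that is not CA code: the script lists the lines that end in a backslash and joins each continued command onto a single line. The selang commands in the sample are constructed, and the script assumes continuation breaks fall between tokens, so the pieces are joined with a single space.

```python
# Constructed sample policy text; the resource names and users are placeholders.
SAMPLE_POLICY = r"""editres FILE /opt/example/conf/* \
    owner(nobody) defaccess(none) \
    audit(failure)
authorize FILE /opt/example/conf/* uid(appadmin) access(read)
"""


def find_trailing_backslashes(policy_text):
    """Return the 1-based numbers of lines that end with a continuation backslash."""
    return [
        number
        for number, line in enumerate(policy_text.splitlines(), start=1)
        if line.rstrip().endswith("\\")
    ]


def join_continuations(policy_text):
    """Return (commands, joined): one command per line and the count of joined commands."""
    commands, pending, joined = [], [], 0
    for raw in policy_text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            # Drop the backslash and hold the fragment until the command ends.
            pending.append(line[:-1].strip())
            continue
        if pending:
            pending.append(line.strip())
            commands.append(" ".join(part for part in pending if part))
            pending = []
            joined += 1
        else:
            commands.append(line)
    if pending:
        # A backslash on the last line has nothing to continue onto.
        raise ValueError("policy ends with a trailing backslash")
    return commands, joined


if __name__ == "__main__":
    print("continued lines:", find_trailing_backslashes(SAMPLE_POLICY))
    fixed, count = join_continuations(SAMPLE_POLICY)
    print(f"joined {count} command(s):")
    print("\n".join(fixed))
```

Review the joined output before deployment; a break placed inside a token in the original policy would need to be rejoined by hand.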

Policy Script Validation Error Messages Are in a Different Language

Valid in CA ControlMinder Enterprise Management

If a policy deploys with errors, the selang result messages you see in CA ControlMinder Enterprise Management are in the installation language of the CA ControlMinder endpoint on the Enterprise Management server and not that of the CA ControlMinder Enterprise Management installation.

To see these messages in a localized language, you must install the CA ControlMinder endpoint on the Enterprise Management computer in the desired localized language before you install CA ControlMinder Enterprise Management.

Cannot View Audit Records for Terminals with Names Longer than 30 Characters

You cannot view audit records if the terminal name has more than 30 characters. This happens when CA ControlMinder Endpoint Management running on a Windows computer manages a UNIX endpoint.

PMDB Audit Records Are Not Visible When Managing the PMDB

When you manage a PMDB using CA ControlMinder Endpoint Management, you cannot see the PMDB’s audit records.

To work around this issue and view the audit records for the PMDB, connect to the host where the PMDB resides.

Open Session For Network Devices Fails

If the privileged account name contains more than ten characters, open session for Network Devices fails.

"No Such Method" or "Failed to Reset Password" Error Message for Access Control for SAM Endpoint Types

Valid on Linux

When you install the Enterprise Management Server on a Linux computer, you receive the following error message when you define Access Control for SAM endpoints: "No Such Method".

If you specify that CA ControlMinder Enterprise Management resets a privileged account password on check in, when a user checks in a privileged account on an Access Control for SAM endpoint they receive the following error message: "Failed to Reset Password".

Follow these steps:

  1. Stop the Java Connector Server. Do the following:
    1. Navigate to the following directory, where ACServerInstallDir refers to the directory where the Enterprise Management Server is installed:
      ACServerInstallDir/Connector_Server/bin
      
    2. Run the following command:
      ./im_jcs stop
      

      The Java Connector Server stops.

  2. Open the im_jcs script for editing.
  3. Locate and remove the following line from the script:
    PREJAR="$FULLBASEPATH/bin/jcs-bootstrap.jar:$FULLBASEPATH/
    conf:$FULLBASEPATH/lib/jcs.jar:"`echo $FULLBASEPATH/
    lib/apacheds-server-main-*-app.jar`
    
  4. Copy the following line and paste it into the script:
    PREJAR="$FULLBASEPATH/bin/jcs-bootstrap.jar:$FULLBASEPATH/
    conf:$FULLBASEPATH/lib/jcs.jar:$FULLBASEPATH/
    lib/nlog4j__V1.2.25.jar:"`echo $FULLBASEPATH/lib/apacheds-server-main-*-app.jar`
    

    Important! Delete the carriage returns in the line after you paste it into the script.

  5. Save the file.
  6. Start the Java Connector Server.
    ./im_jcs start
    

    The Java Connector Server starts. You can now configure the Access Control for SAM endpoint type.

Telnet Automatic Login Not Supported on Solaris After Upgrade

Valid on Solaris

The Telnet automatic login is not supported on Solaris after you upgrade to CA ControlMinder 12.7.

Changes to Windows Services and Scheduled Tasks Are Not Discovered

Valid on Windows Server 2003

Symptom:

When you change a Windows Service or Windows Scheduled Task, the changes cannot be discovered.

Solution:

This is a known Microsoft issue. After you change the service or task on the endpoint, delete the existing password consumer. Use the Service Account Discovery Wizard to create a password consumer.

Approval of Service Account Password Request Fails

After you submit a request for a service account password, the request is not sent to the request approver and you cannot check out the service account password.

No Audit Record for Password Retrieval by JDBC Password Consumer

The Enterprise Management Server does not write an audit record when a JDBC password consumer gets a password from CA ControlMinder Enterprise Management.

Error Message When You Use Automatic Login to Log in to Oracle Enterprise Manager

Valid on Oracle

An error message appears when you use the automatic login option to log into the Oracle Enterprise Manager after you checked out an administrator account password. The error message appears if you terminated the last session by closing the browser window without logging off.

Remote Desktop Connection Fails When Endpoint Prompts for Password

Valid on Windows

The Windows Remote Desktop automatic login script fails to log into the endpoint if the endpoint Terminal Services settings are configured to always prompt for password on login.

SAM Accepts Ticket Numbers for Closed CA Service Desk Manager Tickets

Valid for integration with CA Service Desk Manager

If you specify the number for a closed CA Service Desk Manager issue or request ticket (ticket type=iss or cr) when you request access to a privileged account, CA ControlMinder Enterprise Management forwards the request to the approver.

Cannot Specify CA Service Desk Manager Change Order Ticket Number

Valid for integration with CA Service Desk Manager

If you specify the number for a CA Service Desk Manager change order ticket (ticket type=ch) when you request access to a privileged account, CA ControlMinder Enterprise Management does not forward the request to the approver.

Cannot Verify Exclusive Sessions to Prevent Check In

Symptom:

In Linux Enterprise Management or with a Linux Distribution Server, I cannot verify exclusive sessions to prevent check-in if open sessions are available to that endpoint.

Solution:

Follow these steps:

  1. Stop CA ControlMinder services.
  2. On the Linux Enterprise Management Distribution Server, go to the directory AccessControlServer_HOME/APMS/AccessControlShared and open accommon.ini for editing.
  3. Go to the [AccountManager] section and search for 'exclude_endpoint_types'.
  4. Enter the 'Windows Agentless' value after the '=' symbol. For example, exclude_endpoint_types = Windows Agentless. Separate multiple endpoint types with commas.
  5. Start CA ControlMinder services.

Note: This change is recommended only if one of the Distribution Server/Enterprise Management operating systems is Windows.

New Topic (183)

Valid on Windows

After I change an Active Directory requester organizational unit, tasks that were submitted under the old organizational unit do not appear in My View Submitted Task.

This is a known issue that results from limitations in the Active Directory search method.