Release Notes › Policy Server Release Notes › Known Issues › Application Objects Appear in the Policy Server User Interface › Importing Policy Store Data that is in Clear–Text (161395)

Importing Policy Store Data that is in Clear–Text (161395)

Symptom:

If a file contains sensitive data in clear–text, the SiteMinder object import utility lets you import it without using a required argument. The following option is required when importing data in clear–text:

-c

Importing the data without the required argument can result in a corrupted policy store.

Solution:

The Policy Server Administration Guide includes a warning about using the required option when importing a file that contains sensitive data in clear–text.

More information:

Import Policy Data Using smobjimport

Report Without Data (145002)

Symptom:

My report has no data. I did not see an error message.

Solution:

This problem occurs if the end time for the report occurs earlier the start time for the report. Verify that the end time occurs later than the start time and run the report again.

First Tab in Group Appears in Administrative UI When Switching from View to Modify (146508)

Symptom:

I was viewing an object in the Administrative UI, but after I clicked Modify, the first tab appeared instead of the tab I was viewing.

Solution:

The first tab in a group appears after clicking Modify. This behavior is expected.

OCSPUpdater Does Not Support the SHA-224 Algorithm (150477,150474)

The OCSPUpdater used for federation certificate validity checking cannot sign OCSP requests using the SHA-224 algorithm. The updater can only sign with the SHA-256, SHA-384, and SHA-512 algorithms.

smpolicysrv_snmp.log Not Generated (147959)

If SNMP is configured for auditing and the Policy Server fails to start–up, SiteMinder generates the SmStartupEvents.audit file. However, no SNMP events are generated. SiteMinder records the start–up events in the reference log file.

Report Server Configuration (150327,119313)

With SiteMinder r12.5, you cannot configure the report server on a non–default port. The report server requires port 6400.

Browser Refresh and Back Buttons Cause Resubmission of Data (149633)

Symptom:

When you select the browser refresh or back button, the dialog where you have entered values gets resubmitted. The repeat operation puts the object that you are configuring into an invalid state.

Solution:

Avoid using the refresh and back buttons on the browser when using the Administrative UI.

Agent Discovery and IIS Web Agents (134318)

If a web agent is installed on a Microsoft IIS web server, the agent discovery feature does not identify the agent for the first−time until the agent intercepts a user request and passes it to the Policy Server.

Subsequent updates to the timestamp of the agent instance are dependent on how IIS is configured. If IIS is configured to shut down idle worker processes, the timestamp is not updated until the web server receives a subsequent request.

This is normal expected behavior. The behavior is a result of how the IIS web server functions.

Uninstalling the Report Server Leaves Files and Registry Entries

Valid on Windows

Symptom:

When I uninstall SAP BusinessObjects Enterprise, some files and registry entries remain.

Solution:

These items are left behind deliberately. These items are required if a user wants the information available for a new installation.

To remove the files and registry entries on Windows 32–bit platforms

1. After uninstalling SAP BusinessObjects Enterprise, delete all files in the installation directory.

   Note: The default installation directory is C:\Program Files\CA\SC\CommonReporting3.

2. Delete the following registry entries:

   HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\Shared\CommonReporting3
   HKEY_CURRENT_USER\Software\Business Objects
   HKEY_USERS\.DEFAULT\Software\Business Objects
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOE120SIASIANODENAME
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOE120MySQL
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOE120Tomcat
   HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun
   2.0\BOE120SIA<SIANODENAME>HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\BOE120Tomcat
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\INSTALLDIR
   

   The leftover files and registry entries are removed.

To remove the files and registry entries on Windows 64–bit platforms

1. After uninstalling SAP BusinessObjects Enterprise, delete the following directory:

   installation_directory\CommonReporting3.

   Note: The default installation directory is C:\Program Files(x86)\CA\SC\CommonReporting3.

2. Delete the following registry entry:

   HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Business Objects
   

   The leftover files and registry entries are removed.

Cache Time Limit while Creating a Response Attribute

While creating a response attribute in a response group, you can configure a time for which the cache is valid. Although the Administrative UI lets you enter any value, the maximum time allowed is 3600 seconds.

Active Directory Synchronization (115248)

When integrating Microsoft Active Directory with SiteMinder, Active Directory user stores that are clustered or configured for round robin load balancing may not synchronize correctly between each use. As a result, some fields may not behave as expected. The unexpected behavior is associated with known Active Directory synchronization limitations.

Contact Microsoft to resolve problems associated with replication and synchronization.

STAR issue: 19249325–01

Windows Server 2008 System Considerations

For Windows Server 2008, the User Account Control feature helps prevent unauthorized changes to your system. When the User Account Control feature is enabled on the Windows Server 2008 operating environment, prerequisite steps are required before doing any of the following tasks with a SiteMinder component:

• Installation
• Configuration
• Administration
• Upgrade

Note: For more information about which SiteMinder components support Windows Server 2008, see the SiteMinder Platform Support matrix.

To run SiteMinder installation or configuration wizards on a Windows Server 2008 system

1. Right–click the executable and select Run as administrator.

   The User Account Control dialog appears and prompts you for permission.

2. Click Allow.

   The wizard starts.

To access the SiteMinder Policy Server Management Console on a Windows Server 2008 system

1. Right–click the shortcut and select Run as administrator.

   The User Account Control dialog appears and prompts you for permission.

2. Click Allow.

   The Policy Server Management Console opens.

To run SiteMinder command–line tools or utilities on a Windows Server 2008 system

1. Open your Control Panel.
2. Verify that your task bar and Start Menu Properties are set to Start menu and not Classic Start menu.
3. Click Start and type the following in the Start Search field:

   Cmd
   

4. Press Ctrl+Shift+Enter.

   The User Account Control dialog appears and prompts you for permission.

5. Click Continue.

   A command window with elevated privileges appears. The title bar text begins with Administrator:

6. Run the SiteMinder command.

More information:

Contact CA Technologies

Oracle RAC Propagation Window Results in SiteMinder Errors

Symptom:

The Oracle RAC nodes propagate changes within 7 seconds. SiteMinder could read and write objects to a policy store, user store, session store, or audit store more often. As a result, the default Oracle RAC propagation window can result in SiteMinder errors. These SiteMinder errors occur because the write operation was made into one node and the read operation was made to another node.

Solution:

Configure the following setting in the Oracle RAC cluster:

MAX_COMMIT_PROPAGATION_DELAY=0

Note: For more information about configuring this setting, see the Oracle documentation.

Policy Server may Fail to Insert Audit Events into the Audit Database

Symptom:

Under heavy load, the Policy Server may fail to insert queued audit events into the audit store. If the failure occurs, the SiteMinder Policy Server log (smps.log) displays the following error:

[INFO] Failed attempt to bulk insert audit message: Code: -1044. DB Code: 2

Solution:

Two registry keys determine when the Policy Server inserts audit events into the audit database: SQLBulkInsertFlushInterval and SQLBulkInsertFlushRowCount:

• SQLBulkInsertFlushInterval determines the frequency in which the Policy Server inserts queued audit events into the audit database. The default value of this registry key is 60 seconds. If 60 seconds elapses before the value defined by the SQLBulkInsertFlushRowCount is reached, the Policy Server inserts all queued audit events into the audit database.
• SQLBulkInsertFlushRowCount determines how many audit events occur before the Policy Server inserts audit events into the audit database. The default value of this registry key is 1,000. If 1,000 audit events are queued before the value defined by SQLBulkInsertFlushInterval is reached, the Policy Server inserts all queued audit events into the audit database.

Modify the SQLBulkInsertFlushRowCount registry key to resolve the error message.

To modify the registry key

1. Access the Policy Server host system and do one of the following:
   • (Windows) Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\Software\Netegrity\SiteMinder\CurrentVersion\Reports\NamespaceProviders.
   • (UNIX) Open the sm.registry file. The default location of this file is siteminder_home/registry.

     siteminder_home

     Specifies the Policy Server installation path.

2. Increase the value of the SQLBulkInsertFlushRowCount registry key.

   Increase the value to be at least twice as large as the number of audit events that were created, per second, when the error appeared in the SiteMinder Policy Server log.

   Example: If 1,500 audit events occurred when the error appeared, increase the value to 3,000.

3. Do one of the following:
   • (Windows) Save the registry key and exit the Registry Editor.
   • (UNIX) Save the sm.registry file.
4. Restart the Policy Server.

Policy Server Performance with a Sun Java System Directory Server EE Policy Store

Symptom:

The Policy Server takes an exceedingly long time to start when version 6.0 of Sun Java System Directory Server EE is functioning as the policy store.

Solution:

A known indexing issue with version 6.0 results in the performance problem. Regenerate the existing policy store indexes.

Note: Version 6.3.1 of Sun Java Systems Directory Server EE contains fixes that affect the behavior of indexes. These fixes prevent the problem.

Important! The suffix DN is unavailable when you re–index the policy store.

To re–index the policy store

1. Log into the directory server host.
2. Navigate to the directory_server_install\bin and run the following command:

   dsadm reindex -b -t xpsNumber -t xpsValue -t xpsSortKey -t xpsCategory -t xpsParameter -t xpsIndexedObject
   -t xpsTombstone instance_path policysvr4
   

   directory_server_install

   Specifies the Sun Java System Directory Server EE installation path.

   instance_path

   Specifies the path to the directory server instance functioning as the policy store.

   Note: For more information about dsadm command, see your vendor–specific documentation.

3. Restart the directory server instance.

Sun Java System Directory Server EE Logs Warn that the Search is Not Indexed

Symptom:

I have configured version 6.3.1 of Sun Java System Directory Server EE as a policy store. The directory logs contain warnings stating that the search is not indexed.

Solution:

This is expected behavior and SiteMinder performance is not affected. Restart the directory server instance to stop the warnings.

Searches for Many Policy Objects (63721)

When searching on many policy objects using the Administrative UI, the connection between the Administrative UI and the Policy Server can time out, the Policy Server tunnel buffer can become corrupt, or both. In such cases, the Administrative UI displays a connection timeout error and no search results are returned. To eliminate this problem, adjust the Administrative UI Policy Server connection timeout and create a registry key for the Policy Server tunnel buffer size.

To adjust the Policy Server connection timeout

1. Log in to the Administrative UI.
2. Click Administration, Admin UI, Modify Administration UI Connection, Search to open the Policy Server connection object.
3. Select the appropriate Policy Server and click Submit.
4. Set the Timeout field in the Advanced section to a large value, such as 2,000 seconds.

The Policy Server connection timeout is now increased.

To create a registry key for the tunnel buffer size

1. Create the following Policy Server registry key:

   HKLM\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\
   Max AdmComm Buffer Size

2. Set this registry key to a large value, such as 2,097,000 KB.
3. Save the changes and exit the registry.

Note: Restart the Administrative UI if these symptoms persist following the connection timeout and buffer size changes.

XPSExport Creates Read Only File (65035)

XPSExport creates read only output XML files, which XPSImport cannot use. To correct this problem, change the permissions on the output XML file to read/write before running XPSImport.