Problem:
A trial version of the SiteMinder Policy Server can operate in FIPS-compatibility and FIPS-migration modes. Setting the Policy Server to operate in FIPS-only mode results in the Policy Server rejecting the trial license because the license was encrypted using algorithms that are not FIPS compliant.
Solution:
Ensure that the SiteMinder Policy Servers you want to migrate to FIPS-only mode are using a valid SiteMinder license and not a trial license.
Under certain circumstances, running analysis and audit-based reports may slow SiteMinder performance. We recommend analyzing the load patterns in your environment to determine the best time to run reports.
Do not use brackets around the IP address when using IPv6 ODBC data sources; otherwise the connection fails.
Example: use fec0::9255:20c:29ff:fe47:8089 instead of [fec0::9255:20c:29ff:fe47:8089]
Note: More information on IPv6-supported databases exists in the SiteMinder Platform Support Matrix.
Symptom:
(LDAP) The default Policy Server behavior is to treat a CertSerialNumber as a broken string of numbers. This behavior causes a custom certificate mapping to fail if the user directory stores the CertSerialNumber as an unbroken string of numbers. The Policy Server fails to look up the user because the default LDAP search value contains spaces.
Solution:
Enable the NoSpacesInCertSerialNumbers registry setting. Enabling the registry setting causes the Policy Server to treat certificate serial numbers as an unbroken string of numbers for all serial number comparisons.
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\Siteminder\CurrentVersion\PolicyServer\NoSpacesInCertSerialNumbers
Values: 0 (disabled), 1 (enabled)
Default Value: 0
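As an added illustration (not SiteMinder code), the following Python models why the default spaced form fails an exact LDAP equality match against a directory that stores the serial unbroken, and why the registry setting fixes it. The hex-octet grouping, the attribute name certSerialNumber and the sample entries are assumptions; the in-memory search stands in for the LDAP server.

```python
import re

# Constructed sample user store: CertSerialNumber kept as an unbroken hex string
# (attribute name and entries are assumptions, not SiteMinder's schema).
DIRECTORY = [
    {"uid": "jdoe", "certSerialNumber": "0A1B2C3D"},
    {"uid": "asmith", "certSerialNumber": "7F000001"},
]

def format_serial(serial: int, no_spaces: bool) -> str:
    """Render the serial as hex octets. Assumption: the default (setting = 0)
    behaviour is modelled as a space between octets; with the setting enabled
    the octets form one unbroken string."""
    h = format(serial, "X")
    h = h if len(h) % 2 == 0 else "0" + h
    octets = [h[i:i + 2] for i in range(0, len(h), 2)]
    return ("" if no_spaces else " ").join(octets)

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a value can never alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def ldap_unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(attr: str, serial: int, no_spaces: bool) -> str:
    return f"({attr}={ldap_escape(format_serial(serial, no_spaces))})"

def search(directory, ldap_filter: str) -> list:
    """Minimal equality-filter evaluator standing in for the LDAP server:
    comparison is exact, so '0A 1B 2C 3D' never equals '0A1B2C3D'."""
    m = re.fullmatch(r"\(([\w-]+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only single equality filters are supported here")
    attr, value = m.group(1), ldap_unescape(m.group(2))
    return [e["uid"] for e in directory if e.get(attr) == value]

def map_certificate(serial: int, no_spaces: bool) -> list:
    """Custom certificate mapping: serial from the client cert -> directory user."""
    return search(DIRECTORY, build_filter("certSerialNumber", serial, no_spaces))

if __name__ == "__main__":
    serial = 0x0A1B2C3D
    print(build_filter("certSerialNumber", serial, False))  # (certSerialNumber=0A 1B 2C 3D)
    print(map_certificate(serial, False))  # [] : lookup fails with the default setting
    print(map_certificate(serial, True))   # ['jdoe'] : NoSpacesInCertSerialNumbers=1
```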
The following authentication schemes are affected by the value of the Web Agent parameter for FCC Compatibility Mode (FCCCompatMode):
Note: For more information about how FCC Compatibility Mode affects the listed authentication schemes, see the Web Agent Configuration Guide.
A password change fails, and the user receives an error message prompting them to contact the Security Administrator or Help Desk, if the combined length of the new password, the old password, and the user identity (which is comprised of the user ID, client IP address, and time stamp) is equal to or exceeds 1024 characters.
SiteMinder continues to let users change their passwords when the "User cannot change password" feature is enabled for the accounts.
Symptom:
A Linux Policy Server may not immediately delete sessions from an Oracle session store when the idle timeout setting for the realm is reached.
Solution:
The Policy Server does begin to delete sessions shortly after the idle timeout setting is reached. For example, if the idle timeout setting is 30 minutes, the Policy Server may begin deleting sessions at 45 minutes.
If the ODBC/SQLError component is enabled in the Policy Server trace log, Single Logout Services can cause the following errors to be written to the trace log:
[13:42:44.0] [CSmDbODBC.cpp:189] [CSmDbConnectionODBC::MapResult] [] [][-1] [Microsoft] [ODBC]
The error is expected behavior. The data is ultimately written to the session store database.
Problem:
The file webadapter.properties is not created in ServletExec's configuration folder, as expected. As a result, OneView Monitor does not work.
Solution:
After configuring OneView Monitor on an RHAS 4.0 platform with a supported web server, manually create the webadapter.properties file in ServletExec's configuration folder. The ServletExec adapter uses the properties in this file to route HTTP requests from the web server to a ServletExec Application Server (AS) instance.
The webadapter.properties file contains the following properties:
servletexec.aliasCheckInterval
Specifies a minimum number of seconds between polls of the ServletExec AS instance by the ServletExec adapter.
Note: Setting this property to a positive number ensures that the ServletExec adapter polls the AS instance at the specified interval. As a result, the adapter is automatically updated when the instance's web application data is modified.
Examples:
servletexec.aliasCheckInterval=10
servletexec.aliasCheckInterval=-1
Use the value -1 to disable polling.
instance_name
Specifies the name of a ServletExec AS instance. The instance name appears in place of instance_name in the properties that follow.
servletexec.instance_name.hosts
Specifies one or more host names or IP addresses separated by commas.
Note: These are the hosts for which the specified ServletExec AS instance is configured to process requests.
Examples:
servletexec.instance_name.hosts=www.abc.com:9090,www.ca.com
servletexec.instance_name.hosts=192.168.200.17,192.168.200.43:8000
servletexec.instance_name.hosts=all
The value all specifies that this ServletExec AS instance is configured to process requests from all hosts.
servletexec.instance_name.instances
Specifies the IP address and port number of a ServletExec AS instance.
Note: This IP address and port number are used by the ServletExec adapter when forwarding HTTP requests from the web server to the specified ServletExec AS instance. Each instance must have a unique IP address/port number pair.
Example:
servletexec.instance_name.instances=127.0.0.1:8888
This example specifies the default values for the IP address and port number.
servletexec.instance_name.pool-increment
Specifies the number of connections that can be added to the connection pool when a connection is needed and the pool is empty.
Note: These connections are used by the ServletExec adapter to communicate with the specified ServletExec AS instance.
Example:
servletexec.instance_name.pool-increment=5
servletexec.instance_name.pool-max-idle
Specifies the maximum number of idle connections that can be present in the connection pool at any one time.
Note: This number applies to the connections that are used by the ServletExec adapter to communicate with the specified ServletExec AS instance.
Example:
servletexec.instance_name.pool-max-idle=10
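As an added example (not ServletExec or SiteMinder code), this Python parser reads a webadapter.properties file with the properties described above and checks the one constraint the notes state: every instance must have a unique IP address/port pair. The sample file and the instance names se1 and se2 are constructed placeholders; the adapter's own request-routing logic is not reproduced here.

```python
import re
from collections import defaultdict
# Constructed sample webadapter.properties; instance names se1/se2 are placeholders.
SAMPLE = """\
servletexec.aliasCheckInterval=10
servletexec.se1.hosts=www.abc.com:9090,www.ca.com
servletexec.se1.instances=127.0.0.1:8888
servletexec.se1.pool-increment=5
servletexec.se1.pool-max-idle=10
servletexec.se2.hosts=all
servletexec.se2.instances=127.0.0.1:8888
"""
PROP_RE = re.compile(r"servletexec\.([^.]+)\.(hosts|instances|pool-increment|pool-max-idle)")

def parse_webadapter(text):
    """Parse into {"aliasCheckInterval": int or None, "instances": {name: props}}."""
    cfg = {"aliasCheckInterval": None, "instances": defaultdict(dict)}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key == "servletexec.aliasCheckInterval":
            cfg["aliasCheckInterval"] = int(value)
            continue
        m = PROP_RE.fullmatch(key)
        if not m:
            raise ValueError(f"unknown property: {key}")
        name, prop = m.groups()
        if prop == "hosts":  # comma-separated host[:port] list, or "all"
            cfg["instances"][name][prop] = [h.strip() for h in value.split(",")]
        else:                # instances is address:port; pool-* are integers
            cfg["instances"][name][prop] = value if prop == "instances" else int(value)
    return cfg

def polling_enabled(cfg):
    """A positive aliasCheckInterval polls the AS instance; -1 disables polling."""
    return cfg["aliasCheckInterval"] is not None and cfg["aliasCheckInterval"] > 0

def validate(cfg):
    """Flag instances that share an address/port pair: each pair must be unique."""
    problems, seen = [], {}
    for name, inst in cfg["instances"].items():
        addr = inst.get("instances")
        if addr in seen:
            problems.append(f"{name}: address {addr} already used by {seen[addr]}")
        else:
            seen[addr] = name
    return problems
```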
Using the webadapter.properties file, the ServletExec adapter applies the following algorithm to each HTTP request:
Problem:
Responses and response groups cannot be edited or deleted in the context of a Create Domain or Modify Domain task.
Solution:
Edit and delete responses and response groups by clicking the Policies tab, Domains, and Response or Response Group.
Each EPM application can have multiple resources that are associated with it. However, each resource can have only one response that is associated with it.
Setting the password change flag for a particular user in an Active Directory (AD) user store invalidates the user’s old password. When the password change flag is set, entering any password on the login dialog redirects the user to the password change dialog. To create the new password, however, the user must match the old password in the field on the password change dialog.
This behavior results from password policies that are part of the AD user store, not from SiteMinder password policies, and cannot be changed. Because the policies are integral to the AD user store, changing the namespace from AD to LDAP has no effect on this behavior.
Valid for Active Directory user directory connections configured over the LDAP namespace.
Symptom:
My Policy analysis reports are not returning user records.
Solution:
Use the Administrative UI to define an alias mapping between the inetOrgPerson attribute and the respective attribute in Active Directory.
Example: If the respective attribute is “user”, create an alias attribute mapping named inetOrgPerson and define the alias as “user”.
Note: For more information on attribute mapping, see User Attribute Mapping in the Policy Server Configuration Guide.
Copyright © 2012 CA Technologies.
All rights reserved.