Release Notes › Policy Server Release Notes › General Considerations

General Considerations

IdentityMinder Object Support in Policy Stores (29351)

Policy Servers that have not been enabled for IdentityMinder cannot be connected to policy stores that contain IdentityMinder objects. Policy Servers that have been enabled for IdentityMinder 5.6 SP2 can be connected to 12.51 policy stores that contain IdentityMinder objects.

Note: For more information about configuring and deploying IdentityMinder, see the IdentityMinder Web Edition Installation Guide.

NTLM Authentication Scheme Replaced by Windows Authentication Scheme

This release does not include an NTLM authentication scheme template. This authentication scheme type has been replaced by the Windows Authentication template. Support for NTLM authentication is now provided through the new authentication scheme template.

Performance Issues Using SQL Query Schemes on Non-Unicode Databases (144327)

Symptom:

Performance is impacted when using a SQL query scheme to find user data in a non-Unicode database. The performance degradation is because default Policy Server behavior is to append an "N" to the SQL query to enable Unicode searching.

Solution:

This is no longer an issue. To prevent performance degradation when using an SQL query scheme to find user data in a non-Unicode database, use the following procedure to disable Unicode searching:

1. Create the following registry setting:

   HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\DisableMSSQLUnicodeSearch 
   

2. Set the value of the setting to 1.

   Unicode searching is disabled.

STAR Issue: 20517732-01

Unsupported Features

CA SiteMinder® does not support the following features:

• An external administrator user store with an Administrative UI configured with WebSphere
• SafeWord authentication scheme on Red Hat AS
• CA SiteMinder® Test Tool on Red Hat AS
• Password services with Microsoft Active Directory Global Catalog
• Password services with the Microsoft Active Directory 2008 fine grained password policy feature
• Enhanced LDAP referrals with Novell eDirectory
• CA SiteMinder® only supports enhanced LDAP referrals with Siemens DirX for searches and writes:
  • Password services write referrals is supported.
  • Enhanced referrals for binds and, thus authentication, is not supported.

System Management Limitations

The following system management limitations exist:

Pop-up Blockers May Interfere with Help

Certain pop-up blockers or Web browsers may prevent the Administrative UI help window from opening. Many pop-up blockers allow the pop-up if you press CTRL while you click the link. You can also set your Web browser to allow pop-ups from the Administrative UI.

Registry Setting No Longer Required for Setting the Maximum Number of Connections (27442)

In previous versions of the Policy Server, two ODBC connections were created for each Policy Server service. The following registry setting overrode the default value and indicated the maximum total number of ODBC connections created by the Policy Server for all services:

Netegrity\SiteMinder\CurrentVersion\Database\UserDirectoryConnections

For 12.51 Policy Servers, the maximum number of connections is determined dynamically, based on five times the maximum number of threads specified in the Policy Server Management Console. (See the Performance group box of the Settings tab in the Management Console.)

If you are upgrading to the 12.51 Policy Server from a 5.x Policy Server, remove the UserDirectoryConnections registry setting. If you do not, and the value specified by the setting is less than the maximum number of threads calculated by the Policy Server, your Policy Server logs will contain many error messages. These messages will indicate that the value of the registry setting overrides the maximum number of connections calculated by the Policy Server.

Policy Server Limitations

The following Policy Server limitations exist:

Leading Spaces in User Password May Not Be Accepted (27619)

A user whose password includes leading spaces may not be able to authenticate under the following combination of circumstances:

• The Policy Server is running on Solaris.
• The password with leading spaces is stored in an LDAP User Store.

Note: A password policy may or may not be enabled.

Error Changing Long Password When Password Services is Enabled (26942)

If the Policy Server has Password Services enabled, changing the password may fail if the old password length exceeds 160 UTF8 octets and the new password length exceed 160 UTF8 octets.

Certificate Mappings Issue with certain Policy Stores (27027, 30824, 29487)

Certificate mappings do not work when the IssuerDN field is longer than 57 characters for policy stores that are installed on the following directories:

• Novell eDirectory
• Active Directory

Handshake Errors with Shared Secret Rollover Enabled (27406)

In the Policy Server error log, you may see an occasional handshake error related to the shared secret, followed by a successful connection. This may occur if the shared secret rollover feature was enabled for the Web Agent communicating with the Policy Server. This behavior is expected as part of a normal shared secret rollover. You can ignore these errors.

Internal Server Error When Using SecureID Forms Authentication Scheme (39664)

When using the SecureID forms authentication scheme, if users do not enter their passwords correctly during their initial login, they are not granted access to resources despite providing correct credentials in subsequent tries. The Policy Server presents users with an internal server error and these users must restart the Web browser to continue.

X.509 Client Certificate or Form Authentication Scheme Issue (39669)

The Policy Server's X.509 Client Certificate or Form authentication scheme is not working properly when using an alternate FCC location.

Certain User Name Characters Cause Authenticating or Authorizing Problems (39832)

When the Policy Server is using an LDAP user store, users with characters such as &, * , \, and \\ in their user names are not getting authenticated and authorized properly. For example, the Policy Server does not authenticate or authorize these sample users:

• use&r1
• use*r2
• use\r3
• use\\r4

DEBUG Logging With SafeWord Authentication Causes Policy Server to Fail (42222, 43051)

On Solaris, when resources are protected by SafeWord authentication schemes, if you enable DEBUG or ALL logging in the SmSWEC.cfg SafeWord configuration file, the Policy Server fails. As a result, do not enable DEBUG or ALL logging for SafeWord authentication schemes. The SafeWord server is PremierAccess server, using protocol 200 or 201.

Active Directory Integration Enhancement For LDAP Namespace (43264, 42601)

This limitation is related to this new AD feature from 6.0 SP 2:

"Enhanced User Account Management and Password Services Integration with Active Directory (SM5504) (28460) (23347) (24047) (25816)"

When following the instructions in section "Enabling Active Directory Integration Enhancement", be aware that this feature is only supported for the LDAP and not the AD namespace.

Policy Server Does Not Support Roll Over of Radius Log (44398) (43729) (42348)

The Policy Server does not have the capability to roll over the radius log. Prior to the 6.0 release, you could roll over the radius log by running the smservauth -startlog command.

smnssetup Tool Deprecated (44964) (45908) (46489)

The smnssetup tool was removed from distribution in 6.0 SP 4. You should use the Policy Server Configuration Wizard (ca-ps-config) to configure:

• OneView Monitor GUI
• SNMP support
• Policy stores

The wizard gives you the option of using either a GUI or a console window. For more information, see the Policy Server Installation Guide.

Option to Create Copies of Existing Policy Server Objects

When creating Policy Server objects in the Administrative UI, you have the option of creating a copy of an existing object of the same type. The copy option is not available for the following objects:

• Agent Type
• AuthAz Directory Mapping
• AuthValidate Directory Mapping
• Certificate Mapping
• User Directory
• Application
• Application Resource
• Domain
• Policy
• Realm
• Response
• Response Attribute
• Rule
• Global Policy
• Global Response
• Global Rule
• Password Policy
• Administrator

User Directory Limitations

The following user directory limitation exists:

ODBC User Store Failover

Given

A Policy Server is configured on Solaris to use two Oracle-based user stores: one is the primary user store and the other is the secondary user store.

Result

The time for the Policy Server to failover from the primary to the secondary, in the event of a network failure, may be as long as 8 minutes.

Solution

This time can be reduced by setting the TCP/IP setting, tcp_ip_abort_interval, to the desired time.

Perl Scripting Interface Limitations

The following Perl scripting interface limitations exist:

Perl use Statement for PolicyMgtAPI Must Come Before Use Statement for AgentAPI (24755)

On Solaris, a core dump results if you call use for AgentAPI before you call use for PolicyMgtAPI. If you are calling use for both modules, do so in the following order:

• use Netegrity::PolicyMgtAPI;
• use Netegrity::AgentAPI;

Methods that Return Arrays May Return undef in a One-Element Array (28499)

With methods that return an array, undef should be returned if an error occurs or there is nothing to return. However, these methods may incorrectly return a one-element array with the first element set to undef.

Perl Scripting Interface and Multi-valued Agent Configuration Parameters (37850)

The Perl Scripting Interface does not support setting multi-valued Agent configuration parameters.

Japanese Policy Server Limitations

The following Japanese Policy Server limitation exists:

Agent Shared Secrets are Limited to 175 Characters (30967, 28882)

A Shared Secret for a CA SiteMinder® Agent in a Japanese operating system environment may have no more than 175 characters.