Previous Topic: Defects Fixed in 12.5Next Topic: Documentation to Protect Administrative UI using CA SiteMinder® SPS (182613)


Defects Fixed in 12.51

Administrative UI Localization Strings Missing [148680]

Symptom:

A few strings were missing from the Administrative UI localization bundles.

Symptom:

This problem was fixed indirectly with the FW upgrade to version 2.2.

Star issue 20680999;1

More Than One Way Is Available to Locate a Web Page within a Set of Web Pages [149533]

Symptom:

VPAT standard states: “More than one way is available to locate a Web page within a set of Web pages except where the Web page is the result of, or a step in, a process."

Solution:

The Administrative UI now includes site map link in the footer, which launches a page that displays all the available. Clicking the link launches the task.

Hostname Missing in CA SiteMinder® Trace Logs [151003]

Symptom:

In the CA SiteMinder® trace log, the Hostname did not appear in the Data column for the Received Agent Request line.

Solution:

This problem has been corrected.

Star issue 20720366-1

HTTPSClient.java Truncates One Byte in Response [151370]

Symptom:

HTTPSClient.java truncated one byte in a response in an SSL communication.

Solution:

This problem has been fixed.

Star issue 20709184

The Administrative UI Was Not Displaying the Failover Threshold Value [152997]

Symptom:

The Administrative UI did not display the Failover Threshold for a Host Configuraiton Object created in the FSS UI.

Solution:

This issue has been corrected.

Star issue 20736264;1

The Session Portion in the Anonymous Authentication Scheme Was Not Disabled in Firefox or Safari Browsers [154723]

Symptom:

When modifying an authentication scheme for a realm to Anonymous, the Session portion was not disabled for the Firefox and Safari browsers.This flaw allowed a user to modify the maximum and idle timeout.

Solution:

This problem been corrected.

Star issue 20917601-1

Date in Activity-By-User Report Incorrect [153070]

Symptom:

After the administrator generated the activity-by-user report, the date in the detail section (the date below the name of the web agent) was incorrect.

Solution:

The date has been corrected.

Star issue 20601274-2

The saml.namespace.prefix Did Not Change [153074]

Symptom:

The saml.namespace.prefix did not change from saml to ns1 after a couple of attempts.

Solution:

The root cause was to reset the value of namespace prefix explicitly for WSFED protocol to ns1. After further analysis we found that setting this namespace is to print the value of the assertion with the prefix ns1 in the WSFED protocol.

This issue has been fixed.

Star issues 20572229;1+20666241;1+20700082;01

The VEXIST Function Was Not Working [153135]

Symptom:

The VEXIST function was not working as expected. The documentation states that the VEXIST function accepts a named expression, a context variable, or user attribute. The function determines whether the input parameter is defined.

Solution:

This issue has been fixed.

Start issue 20468703;01

Policy Server Was Unable to Reestablish Connection with Database [153300]

Symptom:

After a database is refreshed and restarted, the Policy Server cannot connect to the database. The workaround was to modify the User Directory definition, or to stop and start Policy Server.

Solution:

By default, the Policy Server does not retry a database connection in case of invalid credentials. You can enable the retrial of connection by enabling a key EnableRetryForInvalidCredentialsError in the registry. To disable EnableRetryForInvalidCredentialsError, set its value to zero (the default).

Star issue 20775937

Error Message When Saving SAML Authentication Schemes Following Upgrade (CQ153307)

Symptom:

After upgrading the product from 6.0.4 to 12.0.3, I received the following error message when trying to save or update my SAML authentication schemes:

Issuer value must be unique for all SAML 1.1 POST Auth Schemes

Solution:

This issue is fixed.

Time Stamp Anomaly in Audit Logs [153382]

Symptom:

A customer was trying to import audit logs into ODBC database using the smauditimport utility. The customer noted that the smauditimport uses local time and the GMT offset is stripped off during insertion of records into database.

Solution:

This issue has been addressed using the gmtime instead of the localtime.

Star issues 20779428-1,20808318-1

Policy Server R12 Sp3 Build 258 Solaris 10 Set-up Failure [153536]

Symptom:

Core dump file showed that the failure happened during LDAP result processing.

Solution:

This issue has been fixed.

Star issue 20763726-2

Named Expressions Using Non-ASCII Characters Failed [153544]

Symptom:

An exception occurred when the named expression used a non-ASCII character. The customer was unable to create another expression afterwards.

Solution:

This problem has been corrected. Named expressions now allow non_ASCII characters.

Star issue 20830571

Admin Applet Only Allows 10 IP Addresses in Policy [153776]

Symptom:

On a Policy Server version 6.0 SP5 CR15 the IP Addresses tab of Policy accepts no more than ten IP addresses. After the administrator adds the tenth IP address, the ADD button is grayed out.

Support tested with R12 and saw the same limitation with FSS UI. There is no such limitation when using the Administrative UI.

Solution:

This issue has been corrected.

Star issue 20318453

SAML Target with Query Parameter at Realm Failed [153791]

Symptom:

Because unique SAML authentication schemes are set at the realm level, they specify the complete target including the query string. When the query string is specified, the Service Provider sees the resource as not protected by the FWS and results in a 500 error.

Solution:

The code that determines whether the URL is protected now adds any query parameter that is on the request.

Event Viewer Error Occurred When SM r6sp6cr2 Policy Server Started Up [153912]

Symptom:

This error occurred when a user accessed a protected resource using the certorform authscheme.

Solution:

This error has been fixed.

Star issue 20571107;1

XPSCounter Was Not Working When a Connection to SSL Enabled UD (ODBC) [153920]

Symptom:

Customer was getting segmentation fault when using the XPSCounter program with SSL enabled UD (ODBC). XPSCounter worked fine with a non-SSL port.

Solution:

This problem has been corrected.

Star issue 20809282-1

Accessing Agent Configuration Objects from the FSS UI Caused a Policy Server Failure [154104]

Symptom:

While accessing ACO from the FSS UI, the Policy Server reads property section. If the property section contains an invalid entry, the Policy Server fails..

Solution:

Validate the property section before accessing the properties.

Star issue 20797838

Policy Server Profiler Did Not Add Headers at the Start of a New Log [154520]

Symptom:

Unlike the Web Agent Trace, which puts in headers at the start of each new log file, the Policy Server profiler does not. This inhibits the ability to appropriately follow and correct problems within log files.

Solution:

This problem has been addressed.

Star issue 20890141;01

Missing TransactionID in Authentication Message in Policy Server Profiler Trace Logs [155208]

Symptom:

In The Policy Server Profiler Trace logs, the TransactionID was not logged in the line where Authentication Status message is logged.

Solution:

This issue has been fixed.

Star issue 20955265-1

SMSAVEDSESSION Deleted After Access Resource Not Allow Impersonation [155736]

Symptom:

With an impersonation session, the user gets a SAVEDSESSION cookie and an impersonated SMSESSION cookie. The SAVEDESSION Cookie is sometimes deleted on a challenge. Because the SAVEDESSION cookie is deleted, the user fails to log out impersonation using @smpopsession=true.

Solution:

The problem has been corrected.

Star issue 20881788-1

Auto-sweep Setting Would not Change to False (CQ157057)

Symptom:

The auto-sweep setting for the XPS-tools would not change to false.

Solution:

This issue is fixed.

STAR Issue # 21044876:01

Password Policy can Prevent RSA Ace/SecureID Password Change (157216)

Symptom:

If a password policy is configured to force a lower case character and a new user is required to change the PIN, the change fails.

Solution:

This issue is fixed.

STAR issue: 20958896

Issue with Switching the LOG LOCAL TIME Registry [158101]

Symptom:

When the LogLocalTime parameter was set 0x1, the SMPS events appear in Local Time. When the LogLocalTime parameter was set 0x0, the SMPS logged events with GMT time. If the Policy Server failed to read the LogLocalTime parameter during an update, the LocalTime was changing from LocalTime to GMT.

Solution:

An explicit condition is set to check for the local time. If this operation is successful, then Logger Timezone is adjusted accordingly. If the Policy Server fails, the existing TimeZone value is preserved.

Star issue 20683202-1

Policy Server in Mixed Environment Fails (158841)

Symptom:

A 12.0.3 cr09 Policy Server failed randomly when communicating with a 6.0.5 cr09 policy store.

Solution:

The issue is fixed. The Policy Server does not randomly fail in the mixed-–mode environment.

STAR issue: 21052167–2

One View Monitor Shows Null Pointer Exception [158990]

Symptom:

A client created a custom table in the One View Monitor. The client added a field in the table. The monitor displayed null pointer exception. In other words, NULL checks are missing for variables, which results in NULL-pointer exceptions.

Solution:

The problem has been addressed. Null pointer exceptions occur.

Star issue 21010205-1

Bulk Loading Audit Records Fails on Oracle (161705)

Symptom:

The bulk loading functionality of the smauditimport utility does not work for an Oracle audit store.

Solution:

The issue is fixed. The utility can be used to bulk load records in to an Oracle audit store.

STAR issue: 21045785–1

PS Configuration Wizard Does Not Allow For Retry for LDAP Configuration [157947]

Symptom:

The Policy Server configuration wizard did not give the retry option to change any LDAP-related information. The wizard only showed abort and exited. When the configuration was rerun, the configuration was stuck at the step of importing the objects.

Solution:

The wizard now supports the retry option for the LDAP configuration.

Start issue 20991445

Kerberos Ticket in HTTP Header causes Authentication Failure (159208)

Symptom:

If the Kerberos token in the HTTP authorization header is more than 4096 bytes, Kerberos authentication fails.

Solution:

This issue is fixed.

STAR issue: 20906310–1

Cannot Create a Federation Partnership in the Administrative UI on Windows Server 2008 R2 with French Language Pack (159616)

Symptom:

On Windows Server 2008 R2 with the French language pack, federation partnership creation fails with the following error message in the Policy Server log:

09:37:45,021 DEBUG [NamesExceptionHandler] Exception while reading 5328e4c6_sqljdbc.jar
java.util.zip.ZipException: error in opening zip file

Solution:

This is no longer an issue.

STAR issue: 21081194-1

Administrative UI and FSS UI Inconsistencies in Host Configuration Object - Clusters Configuration [159938]

Symptom:

In the HostConfig object, the cluster configuration failover threshold percentage was not reflected in Administrative UI. The FSS UI was working correctly.

Solution:

This issue has been corrected.

Star issue 20736264-1

SharePoint PeoplePicker Timeouts (CQ160259)

Symptom:

My SharePoint people picker times out when I search a large database. I do not want to disable the loopback feature.

Solution:

This issue is fixed with the following registry setting:

EnableSorting

For more information, see the Agent for SharePoint Guide.

STAR Issue # 20956438:01

Policy Server Reports ODBC Error with Audit Store (161511)

Symptom:

If the following conditions are met, the Policy Server reports an ODBC error with the audit store when stopped:

Solution:

The issue is fixed.

Java Stack Trace Provided Sensitive Information [161676]

Symptom:

A Java stack trace report provided detailed information that can possibly be valuable to an attacker.

Solution:

This problem was resolved in FW 2.2. The Java stack trace is no longer shown in the Administrative UI.

Star issue 21164212

Enabling Secure Cookies

Symptom:

Information about how to enable secure cookies after registering the Administrative UI with HTTPS was unavailable.

Solution:

This is no longer an issue. The Policy Server Installation Guide has been updated.

STAR Issue: 21164228

Cookie Issue: HttpOnly Flag Not Set [161680]

Symptom:

If an attacker finds a flaw in the application such as cross-site scripting, then the attacker system can appropriate the cookie. Setting the HttpOnly attribute means that client side Javascript cannot read the cookie.

Solution:

Set httpOnly flag for cookies.

Star issue 21164232

SAML Token Claim Did Not Include All Active Directory Groups [161738]

Symptom:

A SAML token claim that was sent from SiteMinder to SharePoint did not include all Active Directory Groups for some users.

Solution:

The problem has been resolved.

Star issue 21159815-1

IBM Directory Server Referrals and SiteMinder

Symptom:

Information about whether the IBM Directory Server referrals are compatible with CA SiteMinder® was unavailable.

Solution:

This is no longer an issue. The Policy Server Configuration Guide has been updated.

STAR Issue: 21278328-1

Policy Server Memory Consumption Increases during Policy Store Import (167569)

Symptom:

Importing a policy store in parallel with cache updates can result in a gradual increase of Policy Server memory consumption.

Solution:

This issue is fixed.

STAR issue: 21072845–2

Administrative UI Allows Browser to Store and Autocomplete Password Field Contents (161675)

Symptom:

The Administrative UI allows a user browser to remember credentials entered into the password field for later autocompletion of that field. This is a security risk as the stored credentials can be captured by an attacker who gains access to the system on which the credentials are saved.

Solution:

This is no longer an issue. The Administrative UI does not allow the browser to store the contents of the password field.

STAR issue: 21164211

Administrative UI Susceptible to Clickjacking Attacks

Symptom:

The Administrative UI is susceptible to clickjacking (also known as "UI redress attacks"), in which an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link or typing login information on another page when they intend to click or type on the Administrative UI login page.

Solution:

This is no longer an issue. The Administrative UI does not open inside an invisible frame and instead displays an error message.

STAR Issue: 21164191

Problem with AKI Attributes on Certificates (CQ164030)

Valid on Windows

Symptom:

I have problems configuring my SSL connections when the certificates for my directory servers use the AKI attribute.

Solution:

This issue is fixed. 12.52 SP1 uses an upgraded LDAP SDK that does not have this issue.

STAR Issue # 21125449:01

Unable to Create a Search Query in the Administrative UI (165003)

Symptom:

The Administrative UI expression editor does not support queries that include multiple parenthesis.

Example:

(&(c3sBillableStatus=0)(|(c3sAuthorizedProductId=SciFinder)(c3sAuthorizedProductId=SCIFINDER-ACADEMIC)))

Solution:

The issue is fixed. The expression editor supports queries that include multiple parenthesis.

STAR issue: 20993066–1

Global Authorization Events and Anonymous Authentication (165663)

Symptom:

If a realm is protected with the Anonymous authentication scheme, global authorization events are not processed.

Solution:

The issue is fixed.

STAR issue: 21203859–1

Cannot Create User Name with Special Characters

Symptom:

A user name that contains the following special characters causes an error during authentication:

% + " & [ \ ] ^ ' { | } < > #, / \r \n * =.

Solution:

Use regular alphanumeric characters in user names.

Policy Server Failed under Load of DoManagement Calls [168102/168994]

Symptom:

The Policy Server was failing on Red Hat 5. The customer did not identify any particular activities that seemed to be causing the problem.

Solution:

The Policy Server no longer fails under this condition. The Process ID of the Policy Server through the duration of the DoManagement call remains the same.