

Welcome

This document contains information on CA SiteMinder® Web Services Security features, operating system support, installation considerations, known issues, and fixes.

System Requirements

The following requirements must be met or exceeded for CA SiteMinder® Web Services Security to install and run correctly.

Operating System Support

Before you install any CA SiteMinder® Web Services Security components, verify that you are using a supported operating system and third-party software.

More information:

Locate the Platform Support Matrix

Platform Support

For a complete list of supported web servers, application servers, databases, directories, web browsers, and CA interoperability requirements, see the CA SiteMinder® Web Services Security 12.52 Platform Support Matrix.

Note: CA SiteMinder® Web Services Security extensions that were formerly only available in the CA SOA Security Manager Policy Server are now integrated into the CA SiteMinder® Policy Server. Therefore, refer to the CA SiteMinder® 12.52 Platform Support Matrix for platform support information relating to the Policy Server.

More information

Locate the Platform Support Matrix

SiteMinder WSS Agent Requirements

The following minimum system requirements must be met for SiteMinder WSS Agents to install and run correctly.

Note: For additional non–system requirements, see the corresponding SiteMinder WSS Agent Guide.

Windows Server 2008 System Considerations

For Windows Server 2008, the User Account Control feature helps prevent unauthorized changes to your system. When the User Account Control feature is enabled on the Windows Server 2008 operating environment, prerequisite steps are required before doing any of the following tasks with a CA SiteMinder® component:

Note: For more information about which CA SiteMinder® components support Windows Server 2008, see the CA SiteMinder® Platform Support matrix.

To run CA SiteMinder® installation or configuration wizards on a Windows Server 2008 system

  1. Right–click the executable and select Run as administrator.

    The User Account Control dialog appears and prompts you for permission.

  2. Click Allow.

    The wizard starts.

To access the CA SiteMinder® Policy Server Management Console on a Windows Server 2008 system

  1. Right–click the shortcut and select Run as administrator.

    The User Account Control dialog appears and prompts you for permission.

  2. Click Allow.

    The Policy Server Management Console opens.

To run CA SiteMinder® command–line tools or utilities on a Windows Server 2008 system

  1. Open your Control Panel.
  2. Verify that your task bar and Start Menu Properties are set to Start menu and not Classic Start menu.
  3. Click Start and type the following in the Start Search field:
    Cmd
    
  4. Press Ctrl+Shift+Enter.

    The User Account Control dialog appears and prompts you for permission.

  5. Click Continue.

    A command window with elevated privileges appears. The title bar text begins with Administrator:

  6. Run the CA SiteMinder® command.

More information:

Contact CA Technologies

Installation and Upgrade Considerations

Compatibility with Other Products

To ensure interoperability if you use multiple products, such as SiteMinder, Identity Manager, and Federation Manager, check the Platform Support Matrices for the required releases of each product.

More information:

Locate the Platform Support Matrix

System Locale Must Match the Language of Installation and Configuration Directories (169863)

To install and configure a CA SiteMinder® component to a non-English directory, set the system to the same locale as the directory. Also, make sure that you installed the required language packages so the system can display and users can type localized characters in the installer screens.

For details on how to set the locale and install the required language packages, refer to the documentation for your operating system.

Host Registration Fails When Policy Server Has a Link-Scoped IPv6 Address When Configuring SOA Agent on Linux (136734)

Linux does not support connections to link-scoped IPv6 addresses unless the name of the network interface to use is also supplied. As a result, registering a Linux system as a trusted host during SiteMinder WSS Agent configuration fails with the following error when the IP address of the Policy Server is link-scoped:

Registration failed (bad ipAddress[:port] or unable to connect to Authentication server (-1)).

Workaround

Use global or site-scoped IPv6 addresses.
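
A pre-registration check for the failure above, as an added example (not CA code): it classifies the Policy Server address given in the `ipAddress[:port]` form so a link-scoped IPv6 address is caught before host registration is attempted. The bracketed `[address]:port` notation for IPv6, the function names, and the sample addresses are assumptions.

```python
import ipaddress


def split_host_port(value):
    """Split 'host', 'host:port' or '[v6]:port' into (host, port or None)."""
    value = value.strip()
    if value.startswith("["):                    # bracketed IPv6, optional port
        host, _, rest = value[1:].partition("]")
        return host, (rest[1:] if rest.startswith(":") else None)
    if value.count(":") == 1:                    # IPv4 or host name with a port
        host, _, port = value.partition(":")
        return host, port
    return value, None                           # bare IPv6, IPv4 or host name


def classify_policy_server_address(value):
    """Return (scope, usable).

    usable is False for a link-scoped IPv6 address (fe80::/10), True for the
    scopes the workaround names, and None for a host name, which must be
    resolved and re-checked because it may still map to a link-scoped address.
    """
    host, _port = split_host_port(value)
    # Drop a zone id such as '%eth0' before parsing; the release note offers
    # no way to pass the interface name, so its presence does not help.
    addr_text, _, _zone = host.partition("%")
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return "hostname", None
    if addr.version == 4:
        return "ipv4", True
    if addr.is_loopback:
        return "loopback", True
    if addr.is_link_local:
        return "link-scoped", False
    if addr.is_site_local:                       # deprecated fec0::/10 range
        return "site-scoped", True
    return "global", True


if __name__ == "__main__":
    # Constructed sample inputs (documentation address ranges).
    for candidate in ("fe80::20c:29ff:fe12:3456",
                      "[fe80::1%eth0]:44442",
                      "fec0::10",
                      "2001:db8::5",
                      "192.0.2.10:44442",
                      "ps.example.test"):
        print(candidate, "->", classify_policy_server_address(candidate))
```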

r12.1 SOA Agents and 12.52 SiteMinder WSS Agents Cannot Consume SAML Session Tickets Produced by the Other Agent Version (147478)

r12.0 SOA Agents encrypt and decrypt SAML Session Tickets using the RC2 algorithm. However, 12.52 SiteMinder WSS Agents encrypt and decrypt SAML Session Tickets using the Advanced Encryption Standard (AES) algorithm by default. As a result, r12.1 SOA Agents and 12.52 SiteMinder WSS Agents cannot consume SAML Session Tickets produced by the other agent version.

To configure a 12.52 SiteMinder WSS Agent to use the RC2 encryption algorithm to exchange SAML Session Tickets with r12.0 SOA Agents, set the BackwardEncryption parameter in the XmlToolkit.properties file for that agent.

Follow these steps:

  1. Navigate to one of the following locations:

    Note: The addresses that are provided are for Windows platforms. Substitute forward slashes (/) on UNIX platforms.

  2. Open XmlToolkit.properties in a text editor.
  3. Uncomment and modify the backwardencryption parameter line as follows:
    backwardencryption=yes
    
  4. Save and close the XmlToolkit.properties file.
  5. Restart the SiteMinder WSS Agent.
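
Because this setting moves an agent from AES back to RC2, it is worth tracking which agents carry it. The following audit script is an added example, not part of the product: it reads XmlToolkit.properties files and reports the cipher each agent uses for SAML Session Tickets. The file paths, the case-insensitive matching of the key and of the value `yes`, and the sample file contents are assumptions.

```python
import re
import sys

KEY = "backwardencryption"

# Constructed sample contents; the paths are placeholders, not product paths.
SAMPLE_FILES = {
    "agent-a/XmlToolkit.properties": "# constructed sample\n#backwardencryption=yes\n",
    "agent-b/XmlToolkit.properties": "# constructed sample\nBackwardEncryption = YES\n",
    "agent-c/XmlToolkit.properties": "# constructed sample\nbackwardencryption=no\n",
}


def parse_properties(text):
    """Minimal Java .properties reader.

    Skips blank lines and '#' / '!' comments and accepts '=', ':' or
    whitespace as the separator. Line continuations and escapes are not
    handled. A later entry overrides an earlier one with the same key.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def ticket_cipher(text):
    """Return 'RC2' when backward encryption is enabled, else 'AES'.

    AES is the 12.52 default per the release note. Matching the key and
    the value without regard to case is an assumption made so the audit
    errs on the side of reporting a downgrade.
    """
    for key, value in parse_properties(text).items():
        if key.lower() == KEY and value.lower() == "yes":
            return "RC2"
    return "AES"


def audit(files):
    """files maps path -> file contents. Return the paths that use RC2."""
    return sorted(path for path, text in files.items()
                  if ticket_cipher(text) == "RC2")


if __name__ == "__main__":
    # Pass real file paths as arguments, or run with none for the samples.
    files = {}
    for path in sys.argv[1:]:
        with open(path, encoding="latin-1") as handle:
            files[path] = handle.read()
    files = files or SAMPLE_FILES
    for path in sorted(files):
        print(f"{path}: SAML Session Tickets use {ticket_cipher(files[path])}")
    print("RC2 fallback enabled on:", audit(files))
```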

Windows Considerations

The following considerations apply to supported Windows operating environments:

Deploying CA SiteMinder® Components

If you are deploying CA SiteMinder® components on Windows 2008 SP2, we recommend installing and managing the components with the same user account. For example, if you use a domain account to install a component, use the same domain account to manage it. Failure to use the same user account to install and manage a CA SiteMinder® component can result in unexpected behavior.

Solaris Considerations

The following considerations apply to Solaris.

Required Operating System Patches on Solaris (24317, 28691)

The following table lists required and recommended patches by version:

Version | Required | Recommended
Solaris 9 | 111722-04 or any superseding patch; 111711-15 or any superseding patch | none

You can find patches and their respective installation instructions at SunSolve (http://sunsolve.sun.com).

Red Hat Enterprise Linux AS and ES Considerations

The following considerations apply to Red Hat Enterprise Linux AS and ES.

Apache 2.0 Web Server and ServletExec 5.0 on Red Hat Enterprise Linux AS (28447, 29518)

To use Apache 2.0 Web Server and ServletExec 5.0 on Red Hat AS

  1. Run the ServletExec 5.0 AS installer against Apache 1.3.x.

    The ServletExec AS Java instance is created.

  2. Run ServletExec and Apache 1.3.x, and make sure you can run /servlet/TestServlet.
  3. Shut down Apache 1.3.x, but leave ServletExec running.
  4. Using anonymous FTP, access ftp://ftp.newatlanta.com/public/servletexec/4_2/patches and download the latest zip.
  5. Extract the following from the zip:
    mod_servletexec2.c
    
  6. Edit the httpd.conf file of your HP-Apache 2.x so that it contains the necessary ServletExec-specific directives.

    Note: The directives are also present in the httpd.conf file of your Apache 1.3.x if you allowed the ServletExec installer to update the httpd.conf during installation. For more information on editing the httpd.conf file, refer to the New Atlanta Communication ServletExec documentation.

  7. Start Apache 2.x.
  8. Test the Web Server with ServletExec by accessing:
    /servlet/TestServlet
    

Known Issues

General Issues

The following topics describe general known issues.

CA SiteMinder® Web Services Security Fails To Generate WS-Security Headers Using RSA-OAEP Encryption

CA SiteMinder® Web Services Security fails to create an encrypted WS-Security token when a response is configured to use the RSA-OAEP algorithm to encrypt the symmetric encryption key, generating the following error in tmxmltoolkit.log:

008-05-22 14:53:10,531 [INFO] handler.response.WSSecurityUsernameResponseHandler 8A2ADA6E-3D9B-57FB-35E3-9CC05471E849 - Cannot do encryption: unsupported key algorithm provided: rsa_oaep

Workaround

Configure the WS-Security header generating response to use the default rsa-1_5 algorithm to encrypt the symmetric encryption key.

Signing Not Working for SAML Session Tickets in SOAP Envelope (74036)

If configured to generate signed SAML Session Tickets in the SOAP envelope, CA SiteMinder® Web Services Security produces the SAML Session Ticket and places it in the SOAP envelope as expected, but the message is not signed.

Signing works correctly for SAML Session Tickets placed in HTTP headers or HTTP cookies.

Operation-Level Policy Changes Not Committed In Certain Situation When Configuring Application Policy From WSDL (69006)

When creating an application policy from a WSDL file, operation-level policy changes in the Define Web Service Protection Policy table are lost if you return to the top level by clicking the All Web Services link and then immediately click the Next button to proceed.

Workaround

After you have specified operation-level policy changes for a particular port, if you click the All Web Services link to return to the top level of the Define Web Service Protection Policy table, click any other button or link (for example, the link for that port again) before clicking Next to ensure that the operation-level changes are committed.

Clicking Back Button in Secure Web Services from WSDL Wizard Sometimes Causes "Array Index out of range error -1" (72176)

Clicking the Back button on the Secure Web Services from WSDL: Define Policies pane of the Secure Web Services from WSDL Wizard sometimes results in an "Array Index out of range error -1". This error is non-fatal and can be ignored.

Install Issues

The following topics describe known issues related to product installation and uninstallation.

Back Option Not Supported During Console Mode Install (74339)

The option to go back to reenter incorrectly supplied information is not supported during console mode installation on UNIX.

Uninstaller Fails with Errors (66522)

Attempting to uninstall any CA SiteMinder® Web Services Security component without the prerequisite level of JVM installed and correctly referenced in the system path causes the uninstaller to fail with one of the following errors:

Workaround

Make sure the JRE is in the PATH variable.

SOA Agent for Web Servers Issues

The following topics describe SiteMinder WSS Agent for Web Servers issues.

SiteMinder WSS Agent for Web Servers Failover to Secondary Policy Server Slow

If configured for failover and the primary Policy Server fails, the SiteMinder WSS Agent for Web Servers can take up to one minute to failover to the secondary Policy Server.

SiteMinder WSS Agent Configuration Wizard Fails Intermittently for IIS 7.x SiteMinder WSS Agent on Windows Server 2008 (142248)

Unattended configuration sometimes fails when attempting to configure the SiteMinder WSS Agent for Web Servers to work with IIS 7.x on Windows Server 2008. In this case, the following message is written to the log:

“Unable to write to applicationHost.conf file. Please Restart the IIS Webserver and redo the configuration.”

This issue occurs when the configuration wizard cannot stop IIS before it attempts to modify the IIS applicationHost.config file. The wizard cannot edit the file because it is still in use.

Workaround

Stop IIS 7.x before attempting unattended configuration of the SiteMinder WSS Agent.

SiteMinder WSS Agent for IBM WebSphere Issues

The following topics describe known issues in the SiteMinder WSS Agent for IBM WebSphere.

SiteMinder WSS Agent for IBM WebSphere Limitations

The SiteMinder WSS Agent for IBM WebSphere has the following limitations:

SiteMinder WSS Agent and SiteMinder Agent for IBM WebSphere Coexistence Limitation (61190)

The following use case for coexistence of SiteMinder WSS Agent for IBM WebSphere and SiteMinder Agent for IBM WebSphere is not supported:

If you do configure such an environment, the SiteMinder TAI Module will intercept web service requests that should be handled by the SiteMinder WSS Agent.

mustUnderstand Attribute Limitation (61018, 60551)

The SiteMinder WSS Agent for IBM WebSphere does not support generation of WS-Security mustUnderstand attributes.

Therefore, do not assign responses that generate mustUnderstand attributes to policies associated with resources protected by the SiteMinder WSS Agent for IBM WebSphere.

XML Digital Signature Authentication Fails for Certain Payloads on SiteMinder WSS Agent for IBM WebSphere (60619)

For resources protected by the SiteMinder WSS Agent for IBM WebSphere, XML Digital Signature authentication fails for certain XML payloads.

SiteMinder WSS Agent Configuration Wizard Cannot Unconfigure SiteMinder WSS Agent for WebSphere (66204)

The SiteMinder WSS Agent Configuration Wizard does not allow you to unconfigure the SiteMinder WSS Agent for WebSphere as it does for the SiteMinder WSS Agent for Web Servers.

Workaround

To unconfigure a SiteMinder WSS Agent for WebSphere (that is, to stop it from protecting web service resources in the WebSphere container), perform the following steps:

  1. Back out all configuration changes you made to configure your web services to invoke the SiteMinder WSS Agent JAX-RPC Handler from deployment descriptors. For more information, see the SiteMinder WSS Agent Configuration Guide.
  2. Uninstall the SiteMinder WSS Agent.
  3. Restart WebSphere.

SiteMinder WSS Agent for Oracle WebLogic Issues

The following topics describe known issues in the SiteMinder WSS Agent for Oracle WebLogic.

SiteMinder WSS Agent for Oracle WebLogic Limitations

The SiteMinder WSS Agent for Oracle WebLogic has the following limitations:

SiteMinder WSS Agent Configuration Wizard Cannot Unconfigure SiteMinder WSS Agent for WebLogic (66204)

The SiteMinder WSS Agent Configuration Wizard does not allow you to unconfigure the SiteMinder WSS Agent for WebLogic as it does for the SiteMinder WSS Agent for Web Servers.

Workaround

To unconfigure a SiteMinder WSS Agent for WebLogic (that is, to stop it from protecting web service resources in the WebLogic container), perform the following steps:

  1. Back out all configuration changes you made to configure your web services to invoke the SiteMinder WSS Agent JAX-RPC Handler from deployment descriptors or handler chain configuration files, as applicable. For more information, see the SiteMinder WSS Agent Configuration Guide.
  2. Uninstall the SiteMinder WSS Agent.
  3. Restart WebLogic.

CA SiteMinder® Agent for JBoss Issues

The following topics describe known issues in the CA SiteMinder® Agent for JBoss.

Uninstaller Fails with Errors (87704)

Attempting to uninstall the SiteMinder Agent for JBoss without the prerequisite level of JVM installed and correctly referenced in the system path causes the uninstaller to fail with one of the following errors:

Workaround

Make sure the JVM is in the system PATH variable.

XML Request Messages With Digitally Signed Envelopes or Headers Fail to Authenticate on JBoss 6.x (180005)

Symptom:

Due to an issue in JBoss, request messages with digitally signed envelopes or headers fail to authenticate on JBoss 6.x. This issue occurs for requests to web services protected by the WS-Security and XML Digital Signature authentication schemes.

An issue (support case 00997994) is open with JBoss to investigate.

XML Digital Signature Authentication Sometimes Fails When Entire Document is Signed (141772)

For resources protected by the SiteMinder WSS Agent for JBoss, XML Digital Signature authentication fails for SOAP requests where the entire document is signed. The failure occurs because the JBoss container does not preserve whitespace between SOAP message elements, so the message that is verified no longer matches the message that was signed.

Workaround

Program the web service client to remove all whitespace between SOAP message elements in the request message to match the space removal that JBoss performs upon receiving the message.
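
One way to apply this workaround on the client, shown as an added example (not product code, and in Python rather than the Java Web Service Client API): remove whitespace-only text between elements before the document is signed, leaving text inside leaf elements untouched. The sample request and the function names are constructed for illustration.

```python
from xml.dom import minidom

# Constructed sample request; the service namespace is a placeholder.
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body>
    <m:getQuote xmlns:m="urn:example:quotes">
      <m:symbol> CA </m:symbol>
    </m:getQuote>
  </soapenv:Body>
</soapenv:Envelope>"""


def _strip(node):
    """Remove whitespace-only text nodes from elements that contain child
    elements; text in leaf elements (such as ' CA ' above) is kept as is."""
    has_elements = any(c.nodeType == c.ELEMENT_NODE for c in node.childNodes)
    for child in list(node.childNodes):
        if child.nodeType == child.ELEMENT_NODE:
            _strip(child)
        elif (has_elements and child.nodeType == child.TEXT_NODE
              and not child.data.strip()):
            node.removeChild(child)
            child.unlink()


def strip_interelement_whitespace(xml_text):
    """Return the document with no whitespace between elements.

    Run this BEFORE computing the signature: the signed bytes must already
    be in the form the container will hand to the agent.
    """
    doc = minidom.parseString(xml_text)
    _strip(doc.documentElement)
    out = doc.documentElement.toxml()
    doc.unlink()
    return out


if __name__ == "__main__":
    print(strip_interelement_whitespace(SAMPLE_REQUEST))
```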

Installer Throws Erroneous Error When Supplying JVM Location (137843)

When the SiteMinder Agent for JBoss installer prompts for the JVM location, it displays an "Unable to install the Java Virtual Machine included with this installer" error message even when a valid path is entered.

Workaround

This error message is erroneous; the installer continues with the installation regardless of the error message.

CA SiteMinder® Web Services Security SDK Issues

The following topics describe known issues in the CA SiteMinder® Web Services Security SDK.

Web Service Client API XMLDocument Class signWSDocument Method Fails With Uninitialized Keystore Exception (133785)

When the signWSDocument method of the XMLDocument class of the Web Service Client API is called with a PEM format X.509 file argument, it fails with an "Uninitialized keystore" error.

Web Service Client API XMLDocument Class signWSDocument Method Fails to Decode DER Format Certificates (133787)

When the signWSDocument method of the XMLDocument class of the Web Service Client API is called with a DER format X.509 file argument, it throws an exception indicating it cannot parse the certificate.

Web Service Client API XMLDocument Class signDocument Method Produces XML Signatures with Unresolvable Reference URIs (133788)

When the signDocument method of the XMLDocument class of the Web Service Client API is called to sign a SOAP document with a DER format X.509 file argument, the method produces a signature that cannot be validated by a SiteMinder WSS Agent. The SOAP Body element is identified with the following syntactically correct attribute:

ID="Body" 

However, SiteMinder WSS Agents can only resolve references to "Id", not "ID" attributes (note the case: Id as opposed to ID).
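
The mismatch can be detected on the sending side before a message reaches the agent. The following check is an added example, not part of the SDK: it lists each same-document `ds:Reference` and reports whether its target is identified by `Id`, by another spelling such as `ID`, or by nothing. The sample envelope is a constructed, trimmed skeleton without digest or signature values, and treating a namespace-qualified `Id` attribute as resolvable is an assumption.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed skeleton of a signed SOAP message (no real signature data).
SAMPLE = """<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#Body"/>
      </ds:SignedInfo>
    </ds:Signature>
  </soapenv:Header>
  <soapenv:Body ID="Body"><ping/></soapenv:Body>
</soapenv:Envelope>"""


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def check_references(xml_text):
    """Return [(uri, status)] for every same-document ds:Reference.

    status is 'resolvable' when the target carries an attribute spelled
    exactly 'Id', 'wrong-case' when only another spelling (ID, id) carries
    the value, and 'missing' when no id-like attribute has that value.
    """
    root = ET.fromstring(xml_text)
    spellings_by_value = {}
    for element in root.iter():
        for attr, value in element.attrib.items():
            if local(attr).lower() == "id":
                spellings_by_value.setdefault(value, set()).add(local(attr))

    report = []
    for ref in root.iter("{%s}Reference" % DSIG_NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            continue  # whole-document or external reference: nothing to resolve
        spellings = spellings_by_value.get(uri[1:], set())
        if "Id" in spellings:
            status = "resolvable"
        elif spellings:
            status = "wrong-case"
        else:
            status = "missing"
        report.append((uri, status))
    return report


if __name__ == "__main__":
    for uri, status in check_references(SAMPLE):
        print(uri, status)
```

Renaming the attribute after signing changes the signed content, so a message flagged `wrong-case` has to be corrected before the signature is computed.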

Web Service Client API XMLDocument Class signDocument Method Throws a NullPointerException when Signing Non-SOAP XML Using an X.509 Certificate (133789)

When the signDocument method of the XMLDocument class of the Web Service Client API is called to sign a non-SOAP XML document with a null publicKeyFile argument and a valid X.509 file argument, the method throws a NullPointerException.

Defects Fixed in SOA Security Manager Releases

Defects Fixed in r12.1 SP3

The CA SiteMinder® Web Services Security r12.1 SP3 release contains the following fixes.

Authentication of Encrypted Requests Intermittently Failing with Red Hat Policy Server (77348)

Attempts by all SOA Agent types to connect to a Red Hat Policy Server to authenticate an encrypted request fail intermittently.

Responses Configured to Generate Signed SAML Session Tickets Using Public Key Obtained from XML Digital Signature Authentication Produce Unsigned SAML Session Tickets (98865)

Generation of signed SAML Session Tickets using the public key obtained from a digital signature by the XML Digital Signature authentication scheme results in the generation of an unsigned rather than signed SAML Session Ticket.

That is, if a web service is protected by the XML Digital Signature authentication scheme and a SAML Session Ticket response is configured to extract the client's public key from the certificate and use it to sign the SAML assertion, the generated SAML Session Ticket is not signed as expected.

Workaround

Configure the policy to obtain the public key from a source other than the document with the digital certificate. For example, configure the response to obtain the public key from a client certificate sent over an SSL connection or from the user store.

WS-Security SAML 1.1 Holder of Key Assertion Not Accepted More Than Once (97266)

SOA Security Manager does not accept a WS-Security SAML 1.1 holder of key assertion token more than once; SAML 1.1 holder of key tokens cannot therefore be used in use cases where replay is required.

Workaround

SAML 2.0 holder of key tokens work as expected and can be used to implement use cases in which replay is required.

Responses Defined When Creating an Application Within Secure Web Services from WSDL Operation Are Not Immediately Usable (70468)

If you choose to create the application object that will define your security policy from within the Secure Web Services from WSDL wizard, any Responses created from the Responses tab of the Create Application nested task are not displayed or available for assignment in the Define web service protection policy table.

Workaround

If you need to bind responses to web service ports and operations on the Define Policies page of the Secure Web Services from WSDL wizard, you must create the application and the required responses prior to running the wizard.

SOA Agent for IBM WebSphere Fails Under Load on Windows

Because of a memory leak in com/ibm/ws/security/auth/AuthCache, the SOA Agent for IBM WebSphere fails under load.

An IBM support ticket (PMR 30393,756,000) is open for this issue.

Error Logged During Administrative UI Install on WebLogic (74188)

When you install the CA SiteMinder® Web Services Security Administrative UI in console mode on a WebLogic Application Server, a non-fatal error “ERROR - Command failed: Installing Workflow Store Data” is written to the install log. You can ignore this error.

Defects Fixed in r12.1 as of CR1

This CA SiteMinder® Web Services Security r12.1 release contains the following fixes.

Variables Created in Admin UI Containing Expression Keywords as Variable Name Substrings Being Resolved Incorrectly (71976)

Symptom:

Variables created in the CA SiteMinder® Web Services Security Administrative UI which contain expression keywords (or, and, and so on) as substrings of the variable name are resolved incorrectly by the expression editor. For example a variable named "RandomVariableName" will be incorrectly converted to the name "R&omVariableName" causing the expression to be evaluated incorrectly.

Solution:

This is no longer an issue.

SOA Agent Configuration Wizard Fails to Make Necessary Configuration File Changes for SOA Agent for Apache Web Server (78481)

Symptom:

The SOA Agent configuration wizard is not making required configuration changes in the httpd.conf file or creating the required webagent.conf file, preventing the SOA Agent from starting.

Solution:

This is no longer an issue.

Installer Properties File Used for Unattended Install Contains Bad Entries for SOA Admin UI on Windows (73363)

Symptom:

In the SOA installer property file created during install (SOA_HOME\install_config_info\ca-soasmr12-installer.properties), required double backslashes in pathnames in entries related to the SOA Admin UI are not present. For example, rather than the following expected entry:

DEFAULT_NETE_JAVA_HOME = E:\\ProgramFiles\\Java\\jdk1.5.0_01

The following incorrect entry is written in the file:

DEFAULT_NETE_JAVA_HOME has value E:ProgramFilesJavajdk1.5.0_01

Solution:

This is no longer an issue.

Uninstalling SOA Agent for IBM WebSphere Breaks the Application Server (72302)

Symptom:

When uninstalling the SOA Agent for IBM WebSphere, the CA SiteMinder® Web Services Security uninstaller incorrectly deletes the WS_HOME/java/jre/lib/ext and WS_HOME/lib/ext directories, preventing the IBM WebSphere Application Server from running.

Solution:

This is no longer an issue.

Uninstall Does Not Remove the ETPKI Folder (72027)

Symptom:

The SOA Security Manager r12.1 uninstaller does not remove the soa_home\siteminder\ETPKI folder.

Solution:

This is no longer an issue.

Uninstall Does Not Remove SDK (68885)

Symptom:

CA SiteMinder® Web Services Security does not uninstall files associated with the CA SiteMinder® Web Services Security SDK.

Solution:

This is no longer an issue.

Failover to Second Policy Server in Cluster Fails for SOA Agent for Web Servers (73808)

Symptom:

The SOA Agent for Web Servers does not failover to a secondary Policy Server in a clustered environment when the primary Policy Server fails.

Solution:

This is no longer an issue.

Documentation Install Does Not Remove Older Documentation in Upgrade Scenario (74629)

Symptom:

The CA SiteMinder® Web Services Security r12.1 documentation install leaves all existing r12.0 documentation files in place when upgrading to r12.1.

Solution:

This is no longer an issue.

International Support

An internationalized product is an English product that runs correctly on local language versions of the required operating system and required third-party products, and supports local language data for input and output. Internationalized products also support the ability to specify local language conventions for date, time, currency and number formats. CA SiteMinder® Web Services Security is an internationalized product.

A translated product (sometimes referred to as a localized product) is an internationalized product that includes local language support for the product user interface, online help and other documentation, and local language default settings for date, time, currency, and number formats. CA SiteMinder® Web Services Security is not a translated product.

Platform Support and Installation Media

Locate the Platform Support Matrix

Use the Platform Support Matrix to verify that the operating environment and other required third-party components are supported.

Follow these steps:

  1. Log in to the CA Support site.
  2. Locate the Technical Support section.
  3. Enter CA SiteMinder® in the Product Finder field.

    The CA SiteMinder® product page appears.

  4. Click Product Status, CA SiteMinder® Family of Products Platform Support Matrices.

Note: You can download the latest JDK and JRE versions at the Oracle Developer Network.