This section contains the following topics:
Incorrect Agent Configuration Object Note in Web Agent Option Pack Guide (171005)
Single Log Out after a ForceAuthN request results in Session Errors (153740)
System Error after a CA SiteMinder® Upgrade (154892)
Tomcat 6 Reference Removed from Documentation (159125)
Query String Redirection for Delegated Authentication is Only for Testing (165475)
Prerequisite for ODBC User Directory Setup for Federation (157633)
Information Missing for the smfedexport Command Options (155515)
Protection Against XML Signature Wrapping Attacks (168098)
Symptom:
The Web Agent Option Pack Guide contained the following incorrect note:
"Note: The Agent Configuration Object referenced in this WebAgent.conf file must be a new object that you create. Do not specify the object in use by the Web Agent installed in your environment."
Solution:
This note has been removed from the guide.
STAR issue: 21419266-1
Symptom:
The Policy Server log reports session errors when the following conditions are met:
Solution:
The issue is fixed. Session errors are no longer reported.
STAR issue: 20122645-1
Symptom:
The customer is required to track all SLOs in the audit log. The customer set up an unprotected realm with an anonymous authentication scheme on /affwebservices/public/saml2slo. Before the upgrade to CA SiteMinder® R12 SP3 CR2, this setup worked.
Solution:
The problem has been corrected. The customer gets a successful logout page.
STAR issue: 20160464;1
Symptom:
The Web Agent Option Pack Guide referenced Tomcat 6 in error.
Solution:
The section that is titled "Modify the Tomcat catalina.properties File (Tomcat 6.0.18 or higher)" has been removed from the Web Agent Option Pack Guide. Tomcat 6 is no longer supported as an application server.
STAR issue: 21093204-01
Symptom:
Query string redirection method for delegated authentication was not documented as an option only for test environments.
Solution:
The Partnership Federation Guide now says that if you configure the delegated authentication feature for single sign-on, do not use the query string method in a production environment. The query string redirection method is only for a testing environment as a proof of concept.
STAR issue: 21183744;1
Symptom:
The federation documentation must clarify that an ODBC user directory for a SAML-related configuration requires a properly defined SQL query scheme.
Solution:
The following note has been added to the User Directory chapter in the Legacy Federation Guide and the Partnership Federation Guide.
Note: To use an ODBC database for your federated configuration, set up the SQL query scheme and valid SQL queries before selecting an ODBC database as a user directory.
STAR issue: 21043182
Symptom:
No detailed information exists about the usage of the smfedexport command options, such as -pubkey, -sign, and -signingcertalias.
Solution:
The Legacy Federation Guide has clearer explanations of the smfedexport command options.
STAR issue: 20969179-01
A malicious user can carry out an XML signature wrapping attack by changing the content of a document without invalidating its signature. By default, software controls for the Policy Server and Web Agent Option Pack are set to defend against signature wrapping attacks. However, a third-party product can issue an XML document in a way that does not conform to XML specifications. As a result, the default signature checks can fail with a signature verification error.
Signature verification failures occur for the following reasons:
If a federation transaction fails, examine the smtracedefault.log file and the fwstrace.log file for a signature verification failure. These errors can indicate that the received XML document does not conform to XML standards. As a workaround, you can disable the default Policy Server and Web Agent protection against signature wrapping attacks.
Important! If you disable the protection against signature vulnerabilities, determine another way to protect against these attacks.
To disable the XML signature wrapping checks:
web_agent_option_pack_home/affwebservices/WEB-INF/classes.
Note: If the web agent option pack is installed on the same system as the web agent, the file resides in the web_agent_home directory.
Note: The value of the DisableUniqueIDCheck setting must be the same for the Policy Server and the Web Agent Option Pack.
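The following is an added example, not CA code, of the kind of check the DisableUniqueIDCheck setting refers to: before a signature over a SAML element is trusted, verify that the ID named by each ds:Reference URI="#..." occurs exactly once in the document, so that a second element carrying the same ID cannot be substituted for the signed one. How SiteMinder implements its own check internally is not described on this page and is not assumed here; the two XML documents are constructed samples.

```python
import xml.etree.ElementTree as ET
from collections import Counter

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: one signed Assertion whose Reference points at its own ID.
GOOD_DOC = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of the non-conforming shape the check is meant to reject:
# two elements share the ID "_a1", so "#_a1" is ambiguous.
DUPLICATE_ID_DOC = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def referenced_ids(root):
    """Return the fragment IDs named by every ds:Reference URI="#..." in the document."""
    ids = []
    for ref in root.iter("{%s}Reference" % DS_NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.append(uri[1:])
    return ids


def id_occurrences(root):
    """Count how many elements carry each ID value (ID and Id attributes, as SAML and xmldsig use)."""
    counts = Counter()
    for elem in root.iter():  # iter() includes the root element itself
        for attr in ("ID", "Id"):
            value = elem.get(attr)
            if value is not None:
                counts[value] += 1
    return counts


def check_unique_signed_ids(xml_text):
    """Return (ok, problems).

    ok is False when any signed Reference resolves to zero elements or to more
    than one element. This complements, and does not replace, cryptographic
    verification of the signature itself.
    """
    root = ET.fromstring(xml_text)
    counts = id_occurrences(root)
    problems = []
    for ref_id in referenced_ids(root):
        n = counts.get(ref_id, 0)
        if n == 0:
            problems.append("reference #%s matches no element" % ref_id)
        elif n > 1:
            problems.append("reference #%s matches %d elements" % (ref_id, n))
    return (not problems, problems)


if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("duplicate-id", DUPLICATE_ID_DOC)):
        ok, problems = check_unique_signed_ids(doc)
        print(name, "accepted" if ok else "rejected", problems)
```

When a partner product legitimately emits documents that fail a check like this, the log entries this function produces (which ID, how many matches) give the evidence needed to raise the problem with the partner, which is preferable to turning the check off for every partner at once.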
STAR issue: 21321479;1
Copyright © 2013 CA.
All rights reserved.