Symptom:
After you change the language in the browser, the contents of the Administrative UI still appear in the previously selected language.
Solution:
Whenever you change the language, clear the browser cache and restart the browser for the current language environment to take effect.
Symptom:
OpenID authentication can fail after you upgrade a version 12.5 Policy Server that has the OpenID authentication scheme configured to version 12.52. The problem occurs when the Post Processing Chain field for the OpenID authentication scheme is set to com.ca.sm.openid.command.StoreClaimsToContext.
Solution:
Modify the class name in the Post Processing Chain field to com.ca.sm.openid.command.StoreClaimsToContextasClaims so that the OpenID authentication scheme functions properly.
Symptom:
The OK and CANCEL buttons do not work when configuring XPath expressions for a DCC web service authentication scheme. This behavior exists only when using Internet Explorer version 9.
Solution:
Run Internet Explorer in Compatibility View as follows:
Once you turn on Compatibility View, Internet Explorer will automatically show that site in Compatibility View each time you visit. You can turn it off by tapping or clicking the button again. Or, you can clear the entire list of sites using Compatibility View by deleting your browsing history.
The Policy Server Configuration Wizard fails if the supplied Database Name value contains Japanese characters.
On UNIX and Linux platforms, the Policy Server Management Console fails to make a connection to an audit store if the database name contains multi-byte characters, returning Error Code-1063.
Configuring the OpenID authentication scheme requires manual editing of an XML file and copying it to all Policy Servers.
STAR issue: 20777171;1
After a period of inactivity, the Administrative UI displays a dialog that states "Session expires in 5 mins; Click 'Ok' to extend the session."
This dialog persists even after the Administrative UI session expires following 5 more minutes of inactivity. Clicking OK after this time dismisses the dialog and appears to return you to the Administrative UI. However, clicking any link or task in the Administrative UI actually logs you out.
Symptom:
The View SiteMinder Reports operation is unable to communicate with the Report Server if the Policy Server connection to the Report Server was configured using the server IP address.
Solution:
Configure the connection to the Report Server using the Report Server hostname, not its IP address.
Symptom:
ASA Agents now can enable TCP/IP Keep-Alives to prevent network outages from impacting ASA operations.
Solution:
Do one of the following:
SM_ENABLE_TCP_KEEPALIVE
SM_ENABLE_TCP_KEEPALIVE=1
Note: The value must be 0 (disabled) or 1 (enabled). If a value other than 0 or 1 is configured, the environment variable is disabled. If the environment variable is disabled, the Policy Server does not send KeepAlive packets to idle Web Agent connections.
When using Novell eDirectory 8.8 as the policy store, the Policy Server can abnormally terminate. CA Technologies and Novell are investigating the issue.
Star issue 21526251-1.
Novell ticket number 10864464047.
Symptom:
The cabi-linux-3_3_0_2 installer for a Red Hat Linux 6 32-bit machine is expecting a 64-bit library. The following error message displays during the installation of the Report Server:
******************************
Linux: Your system is missing required components (STU00120):
******************************
Missing patch: libXext-1.1-3.el6.x86_64
Missing patch: libXext-devel-1.1-3.el6.x86_64
If you continue your installation may not work correctly. (STU00109)
Please press Enter to continue...
Solution:
Ignore the error message and proceed with the installation. The Reports Server successfully installs despite this error message.
The SAML1.1 partnership artifact transaction fails with delegated authentication when "NAME" is used as the query parameter.
For the artifact transaction to be successful, perform one of the following two workarounds:
The Policy Server in FIPS mode on Solaris 11 is not supported for the RSA SecurID HTML form authentication scheme.
Only English characters can be used in Data Source Names (DSN) for ODBC databases that are used as a CA SiteMinder® user, policy, or session store.
On installing the Administrative UI, the Administrative UI log shows an error message stating that the AttributeType has not been registered. The Administrative UI uses ApacheDS, which causes this error. You can ignore this error message.
You cannot specify local (non-English) characters in the installation path of the Administrative UI.
Symptom:
I cannot log in to the FSS Administrative UI.
Solution:
The FSS Administrative UI might have a 4.x agent name with local (non-English) characters. The FSS Administrative UI does not support the use of local (non-English) characters in 4.x Agent names.
Although CA SiteMinder® 12.52 is internationalized, the following objects support English-language (US-ASCII) characters only:
The smldapsetup utility fails in the following cases:
Symptom:
My report has no data. I did not see an error message.
Solution:
This problem occurs if the end time for the report is earlier than the start time. Verify that the end time occurs later than the start time and run the report again.
Symptom:
I was viewing an object in the Administrative UI, but after I clicked Modify, the first tab appeared instead of the tab I was viewing.
Solution:
The first tab in a group appears after clicking Modify. This behavior is expected.
The OCSPUpdater used for federation certificate validity checking cannot sign OCSP requests using the SHA-224 algorithm. The updater can only sign with the SHA-256, SHA-384, and SHA-512 algorithms.
If SNMP is configured for auditing and the Policy Server fails to start up, CA SiteMinder® generates the SmStartupEvents.audit file. However, no SNMP events are generated. CA SiteMinder® records the start-up events in the reference log file.
With CA SiteMinder® 12.52, you cannot configure the report server on a non-default port. The report server requires port 6400.
Symptom:
When you select the browser refresh or back button, the dialog where you have entered values gets resubmitted. The repeat operation puts the object that you are configuring into an invalid state.
Solution:
Avoid using the refresh and back buttons on the browser when using the Administrative UI.
If a web agent is installed on a Microsoft IIS web server, the agent discovery feature does not identify the agent for the first time until the agent intercepts a user request and passes it to the Policy Server.
Subsequent updates to the timestamp of the agent instance are dependent on how IIS is configured. If IIS is configured to shut down idle worker processes, the timestamp is not updated until the web server receives a subsequent request.
This is normal expected behavior. The behavior is a result of how the IIS web server functions.
Valid on Windows
Symptom:
When I uninstall SAP BusinessObjects Enterprise, some files and registry entries remain.
Solution:
These items are left behind deliberately. These items are required if a user wants the information available for a new installation.
To remove the files and registry entries on Windows 32–bit platforms
Note: The default installation directory is C:\Program Files\CA\SC\CommonReporting3.
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\Shared\CommonReporting3
HKEY_CURRENT_USER\Software\Business Objects
HKEY_USERS\.DEFAULT\Software\Business Objects
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOE120SIA<SIANODENAME>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOE120MySQL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOE120Tomcat
HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\BOE120SIA<SIANODENAME>
HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\BOE120Tomcat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\INSTALLDIR
The leftover files and registry entries are removed.
To remove the files and registry entries on Windows 64–bit platforms
installation_directory\CommonReporting3.
Note: The default installation directory is C:\Program Files (x86)\CA\SC\CommonReporting3.
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Business Objects
The leftover files and registry entries are removed.
While creating a response attribute in a response group, you can configure a time for which the cache is valid. Although the Administrative UI lets you enter any value, the maximum time allowed is 3600 seconds.
When integrating Microsoft Active Directory with SiteMinder, Active Directory user stores that are clustered or configured for round robin load balancing may not synchronize correctly between each use. As a result, some fields may not behave as expected. The unexpected behavior is associated with known Active Directory synchronization limitations.
Contact Microsoft to resolve problems associated with replication and synchronization.
STAR issue: 19249325–01
For Windows Server 2008, the User Account Control feature helps prevent unauthorized changes to your system. When the User Account Control feature is enabled on the Windows Server 2008 operating environment, prerequisite steps are required before doing any of the following tasks with a CA SiteMinder® component:
Note: For more information about which CA SiteMinder® components support Windows Server 2008, see the CA SiteMinder® Platform Support matrix.
To run CA SiteMinder® installation or configuration wizards on a Windows Server 2008 system
The User Account Control dialog appears and prompts you for permission.
The wizard starts.
To access the CA SiteMinder® Policy Server Management Console on a Windows Server 2008 system
The User Account Control dialog appears and prompts you for permission.
The Policy Server Management Console opens.
To run CA SiteMinder® command–line tools or utilities on a Windows Server 2008 system
Cmd
The User Account Control dialog appears and prompts you for permission.
A command window with elevated privileges appears. The title bar text begins with Administrator:
Symptom:
The Oracle RAC nodes propagate changes within 7 seconds. CA SiteMinder® can read and write objects in a policy store, user store, session store, or audit store more often than that. As a result, the default Oracle RAC propagation window can cause CA SiteMinder® errors. These errors occur when a write operation is made to one node and the subsequent read operation is made to another node before the change has propagated.
Solution:
Configure the following setting in the Oracle RAC cluster:
MAX_COMMIT_PROPAGATION_DELAY=0
Note: For more information about configuring this setting, see the Oracle documentation.
Symptom:
Under heavy load, the Policy Server may fail to insert queued audit events into the audit store. If the failure occurs, the CA SiteMinder® Policy Server log (smps.log) displays the following error:
[INFO] Failed attempt to bulk insert audit message: Code: -1044. DB Code: 2
Solution:
Two registry keys determine when the Policy Server inserts audit events into the audit database: SQLBulkInsertFlushInterval and SQLBulkInsertFlushRowCount:
Modify the SQLBulkInsertFlushRowCount registry key to resolve the error message.
To modify the registry key
Specifies the Policy Server installation path.
Increase the value to be at least twice as large as the number of audit events that were created, per second, when the error appeared in the CA SiteMinder® Policy Server log.
Example: If 1,500 audit events occurred when the error appeared, increase the value to 3,000.
Symptom:
The Policy Server takes an exceedingly long time to start when version 6.0 of Sun Java System Directory Server EE is functioning as the policy store.
Solution:
A known indexing issue with version 6.0 results in the performance problem. Regenerate the existing policy store indexes.
Note: Version 6.3.1 of Sun Java System Directory Server EE contains fixes that affect the behavior of indexes. These fixes prevent the problem.
Important! The suffix DN is unavailable while you re-index the policy store.
To re–index the policy store
dsadm reindex -b -t xpsNumber -t xpsValue -t xpsSortKey -t xpsCategory -t xpsParameter -t xpsIndexedObject -t xpsTombstone instance_path policysvr4
Specifies the Sun Java System Directory Server EE installation path.
Specifies the path to the directory server instance functioning as the policy store.
Note: For more information about the dsadm command, see your vendor-specific documentation.
Symptom:
I have configured version 6.3.1 of Sun Java System Directory Server EE as a policy store. The directory logs contain warnings stating that the search is not indexed.
Solution:
This is expected behavior and CA SiteMinder® performance is not affected. Restart the directory server instance to stop the warnings.
When searching on many policy objects using the Administrative UI, the connection between the Administrative UI and the Policy Server can time out, the Policy Server tunnel buffer can become corrupt, or both. In such cases, the Administrative UI displays a connection timeout error and no search results are returned. To eliminate this problem, adjust the Administrative UI Policy Server connection timeout and create a registry key for the Policy Server tunnel buffer size.
To adjust the Policy Server connection timeout
The Policy Server connection timeout is now increased.
To create a registry key for the tunnel buffer size
HKLM\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\
Max AdmComm Buffer Size
Note: Restart the Administrative UI if these symptoms persist following the connection timeout and buffer size changes.
XPSExport creates read-only output XML files, which XPSImport cannot use. To correct this problem, change the permissions on the output XML file to read/write before running XPSImport.
The Policy Server and the Windows LDAP directory drivers for policy stores and user stores have a configuration limitation that is related to FIPS 140.
When a Windows Policy Server is configured for FIPS-only operation, it does not restrict SSL to FIPS-only algorithms. This behavior occurs when the following conditions are met:
The Policy Server is using LDAP over SSL for a policy store and a user store.
Customers that must observe all FIPS-140 algorithm restrictions can modify the SSL configuration files and can deploy FIPS-compliant certificates.
Under certain circumstances, running analysis and audit-based reports may slow CA SiteMinder® performance. We recommend analyzing the load patterns in your environment to determine the best time to run reports.
Do not use brackets around the IP address when using IPv6 ODBC data sources or the connection fails.
Example: use fec0::9255:20c:29ff:fe47:8089 instead of [fec0::9255:20c:29ff:fe47:8089]
Note: More information on IPv6-supported databases exists in the CA SiteMinder® Platform Support Matrix.
Symptom:
(LDAP) The default Policy Server behavior is to treat a CertSerialNumber as a broken string of numbers (groups of digits separated by spaces). This behavior causes a custom certificate mapping to fail if the user directory stores the CertSerialNumber as an unbroken string of numbers. The Policy Server fails to look up the user because the default LDAP search filter contains spaces.
Solution:
Enable the NoSpacesinCertNumbers registry setting. Enabling the registry setting causes the Policy Server to treat certificate serial numbers as an unbroken string of numbers for all serial number comparisons.
Location: HKEY_LOCAL_MACHINE/SOFTWARE/Netegrity/Siteminder/CurrentVersion/PolicyServer/NoSpacesInCertSerialNumbers
Values: 0 (disabled) 1 (enabled)
Default Value: 0
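The following added example (not CA SiteMinder code) illustrates the mismatch described above. It builds the LDAP equality filter for a certificate serial number in both spellings and runs it against a constructed directory that stores the attribute unbroken; only the unbroken form (the NoSpacesInCertSerialNumbers=1 behavior) matches. The exact "broken" representation is an assumption here (hexadecimal octets separated by single spaces), and the directory contents are sample data.

```python
"""Certificate serial number formatting versus directory storage.

Added example, not part of the CA SiteMinder documentation. Assumptions:
"broken" = hex octets separated by spaces, "unbroken" = the same hex digits
with no separators. The directory below is constructed sample data.
"""


def serial_hex(serial: int) -> str:
    """Upper-case hex with an even digit count, so it splits into whole octets."""
    h = f"{serial:X}"
    return "0" + h if len(h) % 2 else h


def broken_serial(serial: int) -> str:
    """Octets separated by single spaces, e.g. '0A 1B 2C' (default behavior)."""
    h = serial_hex(serial)
    return " ".join(h[i:i + 2] for i in range(0, len(h), 2))


def unbroken_serial(serial: int) -> str:
    """Contiguous hex digits, e.g. '0A1B2C' (NoSpacesInCertSerialNumbers=1)."""
    return serial_hex(serial)


def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping for an attribute value embedded in a search filter.

    Serial numbers never contain these characters, but any value copied from
    a certificate into a filter should pass through this before use.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter(attr: str, serial: int, no_spaces: bool) -> str:
    """Equality filter the Policy Server would send for this serial number."""
    value = unbroken_serial(serial) if no_spaces else broken_serial(serial)
    return f"({attr}={escape_ldap_value(value)})"


# Constructed directory: the attribute is stored as an unbroken hex string.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"certSerialNumber": "0A1B2C"},
    "uid=bob,ou=people,dc=example,dc=com": {"certSerialNumber": "7F"},
}


def lookup(directory: dict, attr: str, value: str) -> list:
    """Case-insensitive equality match, standing in for the LDAP search."""
    return [dn for dn, entry in directory.items()
            if entry.get(attr, "").upper() == value.upper()]


def find_user(directory: dict, serial: int, no_spaces: bool) -> list:
    """Resolve a certificate serial number to DNs under either setting."""
    value = unbroken_serial(serial) if no_spaces else broken_serial(serial)
    return lookup(directory, "certSerialNumber", value)


if __name__ == "__main__":
    for setting in (False, True):
        print(build_filter("certSerialNumber", 0x0A1B2C, setting),
              "->", find_user(SAMPLE_DIRECTORY, 0x0A1B2C, setting))
```

Run stand-alone, the script shows the spaced filter returning no entry and the unbroken filter returning alice's DN, which is the observable difference between the two registry values.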
The following authentication schemes are affected by the value of the Web Agent parameter for FCC Compatibility Mode (FCCCompatMode):
Note: For more information about how FCC Compatibility Mode affects the listed authentication schemes, see the Web Agent Configuration Guide.
A password change fails, and the user receives an error message prompting them to contact the Security Administrator or Help Desk, if the combined length of the new password, the old password, and the user identity (the user ID, client IP address, and time stamp) is 1024 characters or more.
CA SiteMinder® continues to let users change their passwords when the "User cannot change password" feature is enabled for the accounts.
Symptom:
A Linux Policy Server may not immediately delete sessions from an Oracle session store when the idle timeout setting for the realm is reached.
Solution:
The Policy Server does begin to delete sessions shortly after the idle timeout setting is reached. For example, if the idle timeout setting is 30 minutes, the Policy Server may begin deleting sessions at 45 minutes.
If the ODBC/SQLError component is enabled in the Policy Server trace log, Single Logout Services can cause the following errors to be written to the trace log:
[13:42:44.0] [CSmDbODBC.cpp:189] [CSmDbConnectionODBC::MapResult] [] [][-1] [Microsoft] [ODBC]
The error is expected behavior. The data is ultimately written to the session store database.
Problem:
The file webadapter.properties is not created in ServletExec's configuration folder, as expected. As a result, OneView Monitor does not work.
Solution:
After configuring OneView Monitor on an RHAS 4.0 platform with a supported web server, manually create the webadapter.properties file in ServletExec's configuration folder. The ServletExec adapter uses the properties in this file to route HTTP requests from the web server to a ServletExec Application Server (AS) instance.
The webadapter.properties file contains the following properties:
Specifies a minimum number of seconds for the ServletExec adapter to poll the ServletExec AS instance.
Note: Setting this property to a positive number ensures that the ServletExec adapter polls the AS instance for the specified interval of time. As a result, the adapter is automatically updated when the instance's web application data is modified.
Examples:
servletexec.aliasCheckInterval=10
servletexec.aliasCheckInterval=-1
Use this value to disable polling.
Specifies the name of a ServletExec AS instance.
Specifies one or more host names or IP addresses separated by commas.
Note: These are the hosts for which the specified ServletExec AS instance is configured to process requests.
Examples:
servletexec.instance_name.hosts=www.abc.com:9090,www.ca.com
servletexec.instance_name.hosts=192.168.200.17,192.168.200.43:8000
servletexec.instance_name.hosts=all
Specifies that this ServletExec AS instance is configured to process requests from all hosts.
Specifies the IP address and port number of a ServletExec AS instance.
Note: This IP address and port number are used by the ServletExec adapter when forwarding HTTP requests from the web server to the specified ServletExec AS instance. Each instance must have a unique IP address/port number pair.
Example:
servletexec.instance_name.instances=127.0.0.1:8888
Specifies default values for the IP address and port number.
Specifies the number of connections that can be added to the connection pool when a connection is needed and the pool is empty.
Note: These connections are used by the ServletExec adapter to communicate with the specified ServletExec AS instance.
Example:
servletexec.instance_name.pool-increment=5
Specifies the maximum number of idle connections that can be present in the connection pool at any one time.
Note: This number applies to the connections that are used by the ServletExec adapter to communicate with the specified ServletExec AS instance.
Example:
servletexec.instance_name.pool-max-idle=10
Using the webadapter.properties file, the ServletExec adapter applies the following algorithm to each HTTP request:
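As an added example (not CA's or ServletExec's own code), the following script parses a webadapter.properties file and checks it against the rules stated above: servletexec.aliasCheckInterval is a positive poll interval or -1, every instance has hosts and instances entries, and each instance's IP address/port pair is unique. The file contents are constructed sample data using only the property names documented above. The host match in find_instance is a simplified assumption for illustration (exact match on the host entry as written, or the keyword all), not the adapter's actual routing algorithm.

```python
"""Parse and sanity-check a ServletExec webadapter.properties file.

Added example, not part of the CA SiteMinder documentation. Only the property
names shown in the documentation are handled; find_instance uses a simplified
host match that is an assumption, not ServletExec's real algorithm.
"""
import re

# Constructed sample, modelled on the documented properties.
SAMPLE_PROPERTIES = """\
# constructed sample webadapter.properties
servletexec.aliasCheckInterval=10
servletexec.se1.hosts=www.abc.com:9090,www.ca.com
servletexec.se1.instances=127.0.0.1:8888
servletexec.se1.pool-increment=5
servletexec.se1.pool-max-idle=10
servletexec.se2.hosts=192.168.200.17,192.168.200.43:8000
servletexec.se2.instances=127.0.0.1:8889
"""

INSTANCE_KEY_RE = re.compile(
    r"^servletexec\.([^.]+)\.(hosts|instances|pool-increment|pool-max-idle)$")
ENDPOINT_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}:\d{1,5}$")


def parse_properties(text: str):
    """Return (alias_check_interval, {instance_name: {key: value}})."""
    interval = None
    instances = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue                      # blank line or comment
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # not a key=value line
        key, value = key.strip(), value.strip()
        if key == "servletexec.aliasCheckInterval":
            interval = int(value)
            continue
        m = INSTANCE_KEY_RE.match(key)
        if m:
            instances.setdefault(m.group(1), {})[m.group(2)] = value
    return interval, instances


def validate(interval, instances) -> list:
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    if interval is not None and not (interval > 0 or interval == -1):
        problems.append(f"aliasCheckInterval={interval}: use a positive interval "
                        "or -1 to disable polling")
    seen_endpoints = {}                   # ip:port -> instance that claimed it
    for name, props in sorted(instances.items()):
        for required in ("hosts", "instances"):
            if required not in props:
                problems.append(f"{name}: missing servletexec.{name}.{required}")
        endpoint = props.get("instances")
        if endpoint:
            if not ENDPOINT_RE.match(endpoint):
                problems.append(f"{name}: instances={endpoint!r} is not ip:port")
            elif endpoint in seen_endpoints:
                problems.append(f"{name}: endpoint {endpoint} is also used by "
                                f"{seen_endpoints[endpoint]}; each instance needs "
                                "a unique IP address/port pair")
            else:
                seen_endpoints[endpoint] = name
        for key in ("pool-increment", "pool-max-idle"):
            if key in props and not (props[key].isdigit() and int(props[key]) > 0):
                problems.append(f"{name}: {key}={props[key]!r} must be a positive integer")
    return problems


def find_instance(instances, request_host: str):
    """Simplified host match (assumption): an instance serves the request if its
    hosts list names the host exactly as written or contains the keyword all."""
    for name, props in sorted(instances.items()):
        hosts = [h.strip() for h in props.get("hosts", "").split(",") if h.strip()]
        if "all" in hosts or request_host in hosts:
            return name
    return None


if __name__ == "__main__":
    interval, instances = parse_properties(SAMPLE_PROPERTIES)
    print("problems:", validate(interval, instances) or "none")
    print("www.ca.com ->", find_instance(instances, "www.ca.com"))
```

Running validate before restarting the web server catches the duplicate IP address/port pair that the documentation says each instance must avoid, which is otherwise only visible as misrouted requests.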
Problem:
Responses and response groups cannot be edited or deleted in the context of a Create Domain or Modify Domain task.
Solution:
Edit and delete responses and response groups by clicking the Policies tab, Domains, and Response or Response Group.
Each EPM application can have multiple resources that are associated with it. However, each resource can have only one response that is associated with it.
Setting the password change flag for a particular user in an Active Directory (AD) user store invalidates the user’s old password. When the password change flag is set, entering any password on the login dialog redirects the user to the password change dialog. To create the new password, however, the user must match the old password in the field on the password change dialog.
This behavior results from password policies that are part of the AD user store and not from SiteMinder password policies and cannot be changed. Because the policies are integral to the AD user store, changing the namespace from AD to LDAP has no effect on this behavior.
Valid for Active Directory user directory connections configured over the LDAP namespace.
Symptom:
My Policy analysis reports are not returning user records.
Solution:
Use the Administrative UI to define an alias mapping between the inetOrgPerson attribute and the respective attribute in Active Directory.
Example: If the respective attribute is “user”, create an alias attribute mapping named inetOrgPerson and define the alias as “user”.
Note: For more information on attribute mapping, see User Attribute Mapping in the Policy Server Configuration Guide.
The Application Resources Dialog topic in the Administrative UI Online Help includes the following incorrect statement about wildcard characters in the Resource field:
Note: Asterisk (*) and question mark (?) characters are treated as literal characters in resource filters (not wildcards).
Asterisk (*) characters are in fact treated as wildcards so the statement should actually read as follows:
Note: The question mark (?) character is treated as a literal character in resource filters (not as a wildcard).
STAR issue: 21576159-1
The following Oracle issues exist:
When you are using an Oracle policy store and you make changes to policy store objects in the Administrative UI, the changes are effective immediately; however, they may not be visible in the Administrative UI for up to 5 minutes.
The SiteMinder Query Timeout is not supported when the Policy Server is connected to an Oracle user directory. You may encounter this limitation when the Oracle response time is very slow.
The following Policy Server issues exist:
Symptom:
(Linux) The Policy Server may fail to start because the system_odbc.ini file is dynamically updated.
Solution:
After the Policy Server installation, save the file as Read-Only.
Symptom:
If your Policy Server and policy store are operating in mixed-mode during an upgrade to 12.52, the following error message appears after the Policy Server starts:
[CA.XPS:LDAP0014][ERROR] Error occurred during "Modify" for xpsParameter=CA.XPS::$PolicyStoreID,ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,dc=PSRoot ,text: Object class violation
[CA.XPS:XPSIO024][ERROR] Save Policy Store ID failed.
Solution:
This message is expected behavior and does not affect the CA SiteMinder® environment.
This message occurs because the r6.x policy store is not upgraded. Part of the upgrade process includes importing the policy store data definitions. The error appears in the CA SiteMinder® Policy Server log because the data definitions are not available in the policy store.
STAR issue: 19759432–01 and 20134656–01
The following Solaris issues exist:
Users are unable to access protected resources when a SafeWord authentication scheme requires both fixed and token-based authenticators. The password screen only prompts users for one authenticator. Therefore, the user is unable to provide both types of credentials and cannot access the protected resource.
Symptom:
An issue occurs with the Java Cryptography Extension (JCE) and legacy federation (formerly Federation Security Services) encryption. This issue happens when a legacy federation Policy Server on Solaris is using certain versions of the JRE. When the Policy Server is acting as an IdP, SAML assertion encryption could possibly fail. If the Policy Server is acting as an SP, SAML assertion decryption could possibly fail.
Solution:
Modify the java.security file in jre_root/lib/security so that the sun.security.provider.Sun provider is registered as the first provider.
Note: Other supported platforms with different versions of Java could possibly exhibit this problem. Apply the same solution.
Symptom:
Solution:
Modify the java.security file so that the sun.security.provider.Sun provider is registered as the first provider in the list. The java.security file is in the directory jre_root/lib/security.
Note: Other supported platforms with different versions of Java could possibly exhibit this problem. Apply the same solution.
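Both solutions above come down to the same edit of java.security: moving sun.security.provider.Sun to the first position in the numbered provider list. The following added example (not CA or Oracle code) performs that edit on the file text, renumbering the remaining security.provider.N entries so the list stays contiguous. It assumes the standard java.security syntax, where each provider is registered as security.provider.N=<class name>; the sample file contents are constructed.

```python
"""Reorder the java.security provider list so a chosen provider comes first.

Added example, not part of the CA SiteMinder documentation. It assumes the
standard java.security format, where providers are registered as numbered
entries of the form ``security.provider.N=<class name>``.
"""
import re

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Constructed sample, modelled on the provider section of a JRE java.security file,
# with sun.security.provider.Sun registered second (the problematic order).
SAMPLE_JAVA_SECURITY = """\
# constructed sample java.security provider section
security.provider.1=com.sun.net.ssl.internal.ssl.Provider
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
"""


def provider_order(text: str) -> list:
    """Return provider class names in numeric order of security.provider.N."""
    found = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [name for _, name in sorted(found)]


def reorder_providers(text: str, first_provider: str) -> str:
    """Return java.security text with first_provider as security.provider.1.

    The relative order of the other providers is preserved and the list is
    renumbered 1..N. Lines that are not provider entries pass through untouched.
    """
    lines = text.splitlines()
    entries = []                          # (original number, line index, class)
    for idx, line in enumerate(lines):
        m = PROVIDER_RE.match(line)
        if m:
            entries.append((int(m.group(1)), idx, m.group(2)))
    entries.sort()                        # by original number
    names = [name for _, _, name in entries]
    if first_provider not in names:
        raise ValueError(f"{first_provider} is not registered in java.security")
    new_order = [first_provider] + [n for n in names if n != first_provider]
    # Write the new list back into the existing line positions, in number order.
    for (_, idx, _), number, name in zip(entries, range(1, len(new_order) + 1), new_order):
        lines[idx] = f"security.provider.{number}={name}"
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print(reorder_providers(SAMPLE_JAVA_SECURITY, "sun.security.provider.Sun"))
```

Because provider lookup in the JRE walks this list in numeric order, moving the Sun provider to position 1 changes which implementation JCE selects without removing any provider, which is why the same edit applies on the other platforms the note mentions.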
The following APS issues exist:
Symptom:
On Windows Server 2008, Advanced Password Services uses functions deemed unsafe by Microsoft Security Development Lifecycle (SDL).
Solution:
This is no longer an issue. The unsafe functions have been replaced.
Symptom:
When configuring APS, you create 4.x Agent objects to represent the Help Desk (APSAdmin), Forgotten Password (FPS), and Change Password interface client components. However, agents that are configured to act as 4.x Agents do not support IPv6 addresses.
Solution:
In a pure IPv6 environment, install and configure the APS client components on the same system as the Policy Server and use a loopback IP address (for example, 127.0.0.1) in the agent configuration.
Otherwise, use an IPv4 and IPv6 mixed environment.
Copyright © 2013 CA.
All rights reserved.