This section contains the following topics:
System Locale Must Match the Language of Installation and Configuration Directories (169863)
Java Virtual Machine Installation Error on Solaris can be Ignored (149886)
Administrative UI and Internet Explorer 9 (149209)
Password Policy Message and Active Directory
Customized Password Change Messages
Certificate Revocation List Issuer
Deprecated CA SiteMinder® Key Tool Options
Policy Server Upgrade Requirement for 12.5 GA and 12.5 CR1
Considerations for Upgrading r6.x to r12.x
Considerations for Existing LDAP User Directory Connections Over SSL
Considerations for Localized Installations
Upgrading a Collocated Policy Server and Web Agent
Policy Server Upgrade Creates New Files
Connection Between PS on UNIX and SQL Server
Character Restriction for Passwords in Installations (72360)
Distributed CA Directory Server Policy Store
Importing Event Handler Libraries
Multi-Mastered LDAP Policy Stores
Multi-Mastered LDAP User Store Support Limitations (53677)
Compatibility with Other Products
Red Hat Enterprise Linux AS and ES Considerations
In addition to the CA SiteMinder® Upgrade Guide, CA Support Online includes valuable upgrade information. For more information, see the CA 12.52 Upgrade Information page.
To install and configure a CA SiteMinder® component to a non-English directory, set the system to the same locale as the directory. Also, make sure that you installed the required language packages so the system can display and users can type localized characters in the installer screens.
For the details on how to set locale and required language packages, refer to respective operating system documents.
To type local characters in international language versions of CA SiteMinder® installation and configuration programs in GUI mode, install fonts for that language on your operating environment.
For the RedHat Linux operating environment, download the packages shown in this document.
Symptom:
You are doing a console mode installation of a CA SiteMinder® product on a Solaris platform. The following error message displays: "Unable to install the Java Virtual Machine included with this installer."
Solution:
Ignore this error message. The error is a third-party issue and it has no functional impact.
If you are using Internet Explorer (IE) 9 to view the Administrative UI, run the Administrative UI in compatibility mode to submit the forms.
The following tables identify the installation executables for these CA SiteMinder® components:
Note: Information appears by platform. For more information about supported operating systems, see the 12.52 CA SiteMinder® Platform Support Matrix on the Technical Support site.
Documentation
The CA SiteMinder® bookshelf is available on the Support site. The bookshelf does not require an installer. For more information, see Locate the Bookshelf.
Policy Server

| Platform | Installation Executable |
|---|---|
| Linux | ca-ps-12.5-cr-linux.bin |
| Solaris | ca-ps-12.5-cr-sol.bin |
| Windows | ca-ps-12.5-cr-win32.exe |

cr: Specifies the cumulative release number. The base 12.52 release does not include a cumulative release number.
Important! If you are running this wizard on Windows Server 2008, run the executable file with administrator permissions. Use these permissions even if you are logged in to the system as an administrator. For more information, see the release notes for your CA SiteMinder® component.
Administrative UI

| Platform | Installation Executable |
|---|---|
| Linux | |
| Solaris | |
| Windows | |

cr: Specifies the cumulative release number. The base 12.52 release does not include a cumulative release number.
Important! If you are running this wizard on Windows Server 2008, run the executable file with administrator permissions. Use these permissions even if you are logged in to the system as an administrator. For more information, see the release notes for your CA SiteMinder® component.
Report Server

| Platform | Installation Executable |
|---|---|
| Linux | |
| Solaris | |
| Windows | |

cr: Specifies the cumulative release number. The base 12.52 release does not include a cumulative release number.
Important! If you are running this wizard on Windows Server 2008, run the executable file with administrator permissions. Use these permissions even if you are logged in to the system as an administrator. For more information, see the release notes for your CA SiteMinder® component.
If you are upgrading to 12.52, the Password Services forms credential collector can present a password change message that users are not familiar with. If the following criteria are met, Active Directory users receive the password reuse message:
Note: For more information, see the Policy Server Configuration Guide.
This message states that a password change failed because an old password cannot be reused as new.
You can customize the password reuse message using the FCC properties template (smpwservicesUS-EN.properties). The template is located in web_agent_home\samples\forms.
web_agent_home: Specifies the web agent installation path.
If Password Services is customized to send authentication failure messages based on CA SiteMinder® authentication reason codes, we recommend that you verify that your implementation handles all password message values (PasswordMsg) that the CA SiteMinder® SDK defines.
Password Services error handling is enhanced to:
This enhancement can result in users receiving messages that they are unfamiliar with.
If you are upgrading to 12.52 and a CRL is stored in an LDAP directory service, consider the following items:
If you are using key tool options in automated scripts, consider that the following options are deprecated:
This option is not being replaced and does not work with the accessLegacyKS argument. If a script uses this option:
Note: If a script also attempts to verify that a smkeydatabase was created successfully, the script fails. A smkeydatabase directory does not exist in a 12.52 Policy Server installation.
This option is deprecated. The removeAllCertificateData option replaces it. If a script uses the deleteDB option:
This option is not being replaced. If a script uses this option:
In previous releases, you used the smobjimport utility to import an upgrade CA SiteMinder® data interchange format (smdif) file. Importing an upgrade file, instead of the smpolicy file (smpolicy.smdif), prevented existing default objects that were modified from being overwritten.
This release no longer requires an upgrade file. You use the XPSInstall utility to import the smpolicy.xml file. When you import this file as part of an upgrade, it does not overwrite existing default objects that were modified.
Note: For more information about upgrading a policy store, see the CA SiteMinder® Upgrade Guide.
The format of certificates that are stored in the 12.52 policy store is different from certificates that are stored in Policy Server r12.5 GA and Policy Server r12.5 CR.
Therefore, before you upgrade, export any certificates that were imported into the policy store before CA SiteMinder® r12.5 CR2, and then reimport them after the upgrade.
Follow these steps:
If your Policy Server and policy store are operating in mixed-mode during an upgrade to 12.52, the following error message appears when you start the Policy Server:
[8114/21][Fri Oct 15 2010 09:10:26][CA.XPS:LDAP0014][ERROR] Error occurred during "Modify" for xpsParameter=CA.XPS::$PolicyStoreID,ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,dc=PSRoot",text: Object class violation
[8114/21][Fri Oct 15 2010 09:10:26][CA.XPS:XPSIO024][ERROR] Save Policy Store ID failed.
This message is expected behavior and does not affect the CA SiteMinder® environment.
This message occurs because the r6.x policy store is not upgraded. Part of the upgrade process includes importing the policy store data definitions. The error appears in the CA SiteMinder® Policy Server log because the data definitions are not available in the policy store.
Configuring an LDAP user directory connection over SSL requires that you configure CA SiteMinder® to use your certificate database files.
The Policy Server requires that the certificate database files be in the Netscape cert8.db file format. Use the Mozilla Network Security Services (NSS) certutil application installed with the Policy Server to convert existing cert7.db certificate database files to cert8.db format.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.
To convert the certificate database file
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the Policy Server bin directory, or you can inadvertently run the Windows certutil utility.
certutil -L -d certificate_database_directory [-p prefix_name] -X
certificate_database_directory: Specifies the directory that contains the certificate database files to convert.
prefix_name: (Optional) Specifies any prefix used when creating the existing cert7.db file (for example, my_cert7.db).
Certutil converts the existing cert7.db file to cert8.db format.
Consider the following limitations before installing the Policy Server on a system with a non-English operating system:
To set the locale for the System or other service accounts, see the Microsoft documentation.
The Policy Server and Web Agent installations include a CA ETPKI library.
For Windows operating environments, if a CA ETPKI library exists on the machine to which you are installing the Policy Server or Web Agent, the installer upgrades the existing ETPKI library to the version shipped with the component. The CA ETPKI library remains in its current location.
For UNIX operating environments, the installer installs the CA ETPKI library to the installation_location/ETPKI directory, even if another CA ETPKI library exists elsewhere on the UNIX file system.
Valid on Windows
Symptom:
If a Policy Server and Web Agent are installed to the same host system, after you upgrade the Policy Server, the IIS web server fails to start and an error is logged in the Event Viewer.
Solution:
Upgrade the Web Agent. The IIS web server starts after you upgrade the Web Agent.
During a Policy Server upgrade, the installer creates new versions of certain files for 12.52. The installer creates the following files in the policy_server_home/config directory:
The installer creates the following files in the policy_server_home/properties directory:
These 12.52 files use the .new extension. For example, the JVMOptions.txt file from the previous version remains untouched, and the installer creates a 12.52 version of the file named JVMOptions.txt.new.
If the original file included customized settings, copy those settings into the .new file and then rename the .new file with the extension of the original file.
For example, if you had custom settings in your JVMOptions.txt file, copy those changes to JVMOptions.txt.new and then rename JVMOptions.txt.new to JVMOptions.txt.
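The reconciliation step described above, as an added example that is not CA SiteMinder code: it pairs each .new file with its original, carries over settings the 12.52 file does not contain, and reports keys whose values differ so an administrator can review them before the rename. The file format (one setting per line, key=value, # comments) and the sample file contents are assumptions.

```python
"""Added example, not CA SiteMinder code: reconcile the .new files that a
12.52 Policy Server upgrade writes beside the originals in the config and
properties directories (JVMOptions.txt next to JVMOptions.txt.new).
The file format is an assumption: one setting per line, 'key=value' where a
'=' is present, and lines starting with '#' are comments."""
import os
import tempfile
from typing import Dict, List, Tuple


def find_new_files(directory: str) -> List[Tuple[str, str]]:
    """(original, new) path pairs for every file X.new that has an X beside it."""
    pairs = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".new"):
            original = os.path.join(directory, name[: -len(".new")])
            if os.path.isfile(original):
                pairs.append((original, os.path.join(directory, name)))
    return pairs


def is_setting(line: str) -> bool:
    """True for a non-blank, non-comment line."""
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith("#")


def setting_key(line: str) -> str:
    """Text before the first '=', or the whole line when there is no '='."""
    return line.split("=", 1)[0].strip()


def merge_settings(original_lines: List[str], new_lines: List[str]):
    """Merge the previous version's customizations into the 12.52 lines.

    Returns (merged, conflicts): settings whose key the .new file does not
    contain are appended; keys present in both files with different values
    keep the 12.52 value and are reported so an administrator can decide."""
    shipped: Dict[str, str] = {setting_key(l): l.strip() for l in new_lines if is_setting(l)}
    merged = [l.rstrip() for l in new_lines]
    conflicts: List[Tuple[str, str]] = []
    carried: List[str] = []
    for line in original_lines:
        if not is_setting(line):
            continue
        key = setting_key(line)
        if key not in shipped:
            carried.append(line.strip())
        elif shipped[key] != line.strip():
            conflicts.append((line.strip(), shipped[key]))
    if carried:
        merged.append("# settings carried over from the previous version")
        merged.extend(carried)
    return merged, conflicts


def read_settings(path: str) -> List[str]:
    with open(path) as f:
        return f.read().splitlines()


def merge_and_rename(original: str, new: str, backup_suffix: str = ".bak") -> List[Tuple[str, str]]:
    """Write the merged content under the original name, keep the previous
    version as original + backup_suffix, drop the .new file, return conflicts."""
    merged, conflicts = merge_settings(read_settings(original), read_settings(new))
    os.replace(original, original + backup_suffix)
    with open(original, "w") as f_out:
        f_out.write("\n".join(merged) + "\n")
    os.remove(new)
    return conflicts


def make_demo_dir() -> str:
    """Constructed sample input (not real SiteMinder files): a customized
    JVMOptions.txt beside the JVMOptions.txt.new an upgrade would leave."""
    directory = tempfile.mkdtemp(prefix="ps_upgrade_")
    with open(os.path.join(directory, "JVMOptions.txt"), "w") as f:
        f.write("# previous version\n-Dcache.size=100\n-Dcustom.flag=true\n")
    with open(os.path.join(directory, "JVMOptions.txt.new"), "w") as f:
        f.write("-Dcache.size=200\n-Dnew.option=1\n")
    return directory
```

Run find_new_files() over the config and properties directories and review the returned conflicts for each pair before restarting the Policy Server.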
When connecting a SiteMinder Policy Server on Red Hat or Solaris to a Microsoft SQL Server 2008 database, define the paths for the TraceFile, TraceDll, and InstallDir parameters in the [ODBC] section of the system_odbc.ini file correctly. Incorrect paths can cause connectivity errors.
When installing the Policy Server, the CA Report Server, and the Administrative UI, you are asked to specify passwords for various components. Consider the following:
Policy Server
When entering password information, do not use the following characters as they are reserved or restricted:
CA Report Server
When entering password information, do not use the following characters as they are reserved or restricted:
Administrative UI
When entering password information, do not use the following characters as they are reserved or restricted:
If you are using multiple DSAs to function as a policy store, ensure that host information of the router DSA is listed first in the Policy Server Management Console. If you do not list the router DSA host information first, an error occurs when you attempt to install the policy store data definitions.
Note: For more information on configuring CA Directory Server as a policy store, refer to the Policy Server Installation Guide.
Consider the following before upgrading a Policy Server to 12.52:
Note: The default location of the XPSAudit event handler library is policy_server_home\bin.
policy_server_home: Specifies the Policy Server installation path.
The path to the event handler library is saved. The Event Handlers field appears disabled.
Note: By default, the only event handler library that appears in the Advanced tab is XPSAudit.dll.
Note: More information on using the XPSConfig utility to set event handler libraries exists in the Policy Server Administration Guide.
The MDAC versions installed on the client and server sides must be compatible.
Note: More information exists in the Microsoft MDAC documentation.
LDAP directories using multi-master technology may be used as CA SiteMinder® policy stores. The following configuration is recommended when configuring an LDAP policy store in multi-master mode:
This master does not need to be the same as the master used for Administration. However, we recommend that you use the same master store for both keys and administration. In this configuration, all key store nodes should point to the master rather than a replica.
Note: If you use a master for key storage other than the master for administration, then all key stores must use the same key store value. No key store should be configured to function as both a policy store and a key store.
Due to possible synchronization issues, other configurations may cause inconsistent results, such as policy store corruption or Agent keys that are out of sync.
Contact CA SiteMinder® Support for assistance with other configurations.
The multi-mastered LDAP enhancement has the following limitations:
To ensure interoperability when you use multiple products, such as CA IdentityMinder and CA SiteMinder® Web Services Security, check the Platform Support Matrices for the required release of each product. The platform matrices are on the Technical Support site.
This release includes an updated snmptrap.conf file. Before installation, back up and save the original snmptrap.conf file, located in siteminder_installation\config.
The following considerations apply to supported Windows operating environments:
Symptom:
A Data Execution Prevention (DEP) error can prevent the Policy Server from installing on Windows 2008 SP2.
Solution:
To configure DEP for essential programs and services
The System Properties dialog appears.
The Advanced tab opens.
The Performance Options dialog appears.
A message prompts you to restart the system.
Note: After you have successfully installed the Policy Server, you can revert the DEP settings for all programs and services.
For Windows Server 2008, the User Account Control feature helps prevent unauthorized changes to your system. When the User Account Control feature is enabled on the Windows Server 2008 operating environment, prerequisite steps are required before doing any of the following tasks with a CA SiteMinder® component:
Note: For more information about which CA SiteMinder® components support Windows Server 2008, see the CA SiteMinder® Platform Support matrix.
To run CA SiteMinder® installation or configuration wizards on a Windows Server 2008 system
The User Account Control dialog appears and prompts you for permission.
The wizard starts.
To access the CA SiteMinder® Policy Server Management Console on a Windows Server 2008 system
The User Account Control dialog appears and prompts you for permission.
The Policy Server Management Console opens.
To run CA SiteMinder® command-line tools or utilities on a Windows Server 2008 system
Cmd
The User Account Control dialog appears and prompts you for permission.
A command window with elevated privileges appears. The title bar text begins with Administrator:
If you are deploying CA SiteMinder® components on Windows 2008 SP2, we recommend installing and managing the components with the same user account. For example, if you use a domain account to install a component, use the same domain account to manage it. Failure to use the same user account to install and manage a CA SiteMinder® component can result in unexpected behavior.
The following considerations apply to Solaris.
The Policy Server and Web Agent are certified for global and non-global zones.
Note: More information on Solaris 10 support exists in the Policy Server Installation Guide.
Network connectivity errors appear in the smps log when gethostbyname() is called. These errors appear even though the directories are available on the network. This was a Solaris issue which, according to Sun bug ID 4353836, has been resolved.
Sun lists the following patches for Solaris 9:
Solaris 9
Symptom:
If your license file is older than January 2005, the Policy Server may experience problems reading the license file after an upgrade. You may receive a message stating that a valid end-user license cannot be found.
Solution:
Contact Technical Support, and request a new license file.
The Policy Server Installation Guide contains the system requirements required to install the Report Server. SAP BusinessObjects Enterprise provides additional patch specifications. Before installing the Report Server:
Specifies the location to which you copied the installation media.
Use this resource for Solaris 9 and 10 patch requirements only. The document also lists operating systems and hardware that CA SiteMinder® does not support. For supported operating systems, see the CA SiteMinder® 12.52 Platform Support Matrix. For system requirements, see the Policy Server Installation Guide.
The following considerations apply to Red Hat Enterprise Linux AS and ES.
A Policy Server installed on Red Hat AS requires the Korn shell. If you do not install a Korn shell on Red Hat AS, you cannot execute the commands that control the Policy Server from a command line, such as start-all and stop-all.
The following features are not supported by the Policy Server on Red Hat AS:
To use Apache 2.0 Web Server and ServletExec 5.0 on Red Hat AS
The ServletExec AS Java instance is created.
mod_servletexec2.c
Note: The directives are also present in the httpd.conf file of your Apache 1.3.x if you allowed the ServletExec installer to update the httpd.conf during installation. For more information on editing the httpd.conf file, refer to the New Atlanta Communication ServletExec documentation.
/servlet/TestServlet
The Policy Server Installation Guide contains the system requirements required to install the Report Server. SAP BusinessObjects Enterprise provides additional patch specifications. Before installing the Report Server:
Specifies the location to which you copied the installation media.
Use this resource for Red Hat 5 requirements only. The document also lists operating systems and hardware that CA SiteMinder® does not support. For supported operating systems, see the CA SiteMinder® 12.52 Platform Support Matrix. For system requirements, see the Policy Server Installation Guide.
Policy Servers that have not been enabled for IdentityMinder cannot be connected to policy stores that contain IdentityMinder objects. Policy Servers that have been enabled for IdentityMinder 5.6 SP2 can be connected to 12.52 policy stores that contain IdentityMinder objects.
Note: For more information about configuring and deploying IdentityMinder, see the IdentityMinder Web Edition Installation Guide.
This release does not include an NTLM authentication scheme template. This authentication scheme type has been replaced by the Windows Authentication template. Support for NTLM authentication is now provided through the new authentication scheme template.
Symptom:
Performance is impacted when using a SQL query scheme to find user data in a non-Unicode database. The performance degradation is because default Policy Server behavior is to append an "N" to the SQL query to enable Unicode searching.
Solution:
This is no longer an issue. To prevent performance degradation when using an SQL query scheme to find user data in a non-Unicode database, use the following procedure to disable Unicode searching:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\DisableMSSQLUnicodeSearch
Unicode searching is disabled.
STAR Issue: 20517732-01
CA SiteMinder® does not support the following features:
The following system management limitations exist:
Certain pop-up blockers or Web browsers may prevent the Administrative UI help window from opening. Many pop-up blockers allow the pop-up if you press CTRL while you click the link. You can also set your Web browser to allow pop-ups from the Administrative UI.
In previous versions of the Policy Server, two ODBC connections were created for each Policy Server service. The following registry setting overrode the default value and indicated the maximum total number of ODBC connections created by the Policy Server for all services:
Netegrity\SiteMinder\CurrentVersion\Database\UserDirectoryConnections
For 12.52 Policy Servers, the maximum number of connections is determined dynamically, based on five times the maximum number of threads specified in the Policy Server Management Console. (See the Performance group box of the Settings tab in the Management Console.)
If you are upgrading to the 12.52 Policy Server from a 5.x Policy Server, remove the UserDirectoryConnections registry setting. If you do not, and the value specified by the setting is less than the maximum number of threads calculated by the Policy Server, your Policy Server logs will contain many error messages. These messages will indicate that the value of the registry setting overrides the maximum number of connections calculated by the Policy Server.
The following Policy Server limitations exist:
A user whose password includes leading spaces may not be able to authenticate under the following combination of circumstances:
Note: A password policy may or may not be enabled.
If the Policy Server has Password Services enabled, changing the password may fail if the old password length exceeds 160 UTF8 octets and the new password length exceeds 160 UTF8 octets.
Certificate mappings do not work when the IssuerDN field is longer than 57 characters for policy stores that are installed on the following directories:
In the Policy Server error log, you may see an occasional handshake error related to the shared secret, followed by a successful connection. This may occur if the shared secret rollover feature was enabled for the Web Agent communicating with the Policy Server. This behavior is expected as part of a normal shared secret rollover. You can ignore these errors.
When using the SecureID forms authentication scheme, if users do not enter their passwords correctly during their initial login, they are not granted access to resources despite providing correct credentials in subsequent tries. The Policy Server presents users with an internal server error and these users must restart the Web browser to continue.
The Policy Server's X.509 Client Certificate or Form authentication scheme is not working properly when using an alternate FCC location.
When the Policy Server is using an LDAP user store, users whose user names contain characters such as &, *, \, and \\ are not authenticated and authorized properly. For example, the Policy Server does not authenticate or authorize these sample users:
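For sites that build their own lookups against the same user store (SDK or custom authentication scheme code), the following added example, which is not CA SiteMinder code and does not change Policy Server behaviour, shows RFC 4515 filter escaping and RFC 4514 DN escaping for the characters the limitation names. The sample user names are constructed.

```python
"""Added example, not CA SiteMinder code: escaping for the characters the
limitation above names when a user name is placed into an LDAP search filter
(RFC 4515) or a distinguished name (RFC 4514). Intended for custom lookup
code that builds its own filters; it does not alter Policy Server behaviour."""
import re
from typing import List

# RFC 4515 section 3: these characters must appear as \XX in an assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# RFC 4514 section 2.4: these need a leading backslash inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')
# Attribute descriptions: a short name (uid, sAMAccountName) or a numeric OID.
_ATTRIBUTE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)$")


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a search filter.
    Each character is mapped independently, so a backslash already present
    becomes \\5c and cannot be re-read as the start of an escape sequence.
    '&' is not a filter metacharacter and passes through unchanged."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(attribute: str, username: str) -> str:
    """Equality filter for one user. The attribute name is validated so the
    filter structure comes only from the caller, never from the user name."""
    if not _ATTRIBUTE_RE.match(attribute):
        raise ValueError(f"invalid attribute description: {attribute!r}")
    return f"({attribute}={escape_filter_value(username)})"


def escape_dn_value(value: str) -> str:
    """Escape an RDN attribute value for use in a DN (RFC 4514): special
    characters, a leading '#' or space, and a trailing space."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_dn(attribute: str, username: str, base_dn: str) -> str:
    """Build '<attribute>=<escaped user name>,<base_dn>'."""
    if not _ATTRIBUTE_RE.match(attribute):
        raise ValueError(f"invalid attribute description: {attribute!r}")
    return f"{attribute}={escape_dn_value(username)},{base_dn}"


# Constructed sample user names (not from the page) covering the characters named above.
SAMPLE_USERS = ["smith&jones", "a*b", "dom\\user", "dom\\\\user", "(admin)"]


def sample_filters() -> List[str]:
    """Escaped uid filters for the constructed sample users."""
    return [user_filter("uid", u) for u in SAMPLE_USERS]
```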
On Solaris, when resources are protected by SafeWord authentication schemes, if you enable DEBUG or ALL logging in the SmSWEC.cfg SafeWord configuration file, the Policy Server fails. As a result, do not enable DEBUG or ALL logging for SafeWord authentication schemes. The SafeWord server is PremierAccess server, using protocol 200 or 201.
This limitation is related to this new AD feature from 6.0 SP 2:
"Enhanced User Account Management and Password Services Integration with Active Directory (SM5504) (28460) (23347) (24047) (25816)"
When following the instructions in section "Enabling Active Directory Integration Enhancement", be aware that this feature is only supported for the LDAP and not the AD namespace.
The Policy Server does not have the capability to roll over the radius log. Prior to the 6.0 release, you could roll over the radius log by running the smservauth -startlog command.
The smnssetup tool was removed from distribution in 6.0 SP 4. You should use the Policy Server Configuration Wizard (ca-ps-config) to configure:
The wizard gives you the option of using either a GUI or a console window. For more information, see the Policy Server Installation Guide.
When creating Policy Server objects in the Administrative UI, you have the option of creating a copy of an existing object of the same type. The copy option is not available for the following objects:
The following user directory limitation exists:
Given
A Policy Server is configured on Solaris to use two Oracle-based user stores: one is the primary user store and the other is the secondary user store.
Result
The time for the Policy Server to failover from the primary to the secondary, in the event of a network failure, may be as long as 8 minutes.
Solution
Reduce this time by setting the TCP/IP parameter tcp_ip_abort_interval to the desired interval.
The following Perl scripting interface limitations exist:
On Solaris, a core dump results if you call use for AgentAPI before you call use for PolicyMgtAPI. If you are calling use for both modules, do so in the following order:
With methods that return an array, undef should be returned if an error occurs or there is nothing to return. However, these methods may incorrectly return a one-element array with the first element set to undef.
The Perl Scripting Interface does not support setting multi-valued Agent configuration parameters.
The following Japanese Policy Server limitation exists:
A Shared Secret for a CA SiteMinder® Agent in a Japanese operating system environment may have no more than 175 characters.
Copyright © 2013 CA.
All rights reserved.