3.0 System Requirements
3.1 Server Roles
3.2 Client Computers
4.0 Installation Considerations
4.1 Policy Server Installation Considerations
6.0 Known Issues
6.1 Installation
6.2 IA Manager
6.3 Self Service Configuration
6.4 Directory Server
6.5 Provisioning Server
6.6 Policy Server
6.7 Self Service
6.8 SPML Service
7.0 Documentation
7.1 IAM Common Components
7.2 eTrust Access Control
7.3 eTrust Admin
7.4 eTrust Directory
7.5 eTrust Single Sign-On
Welcome to eTrust™ Identity and Access Management (eTrust IAM). This Readme file provides late-breaking and other information for the eTrust Identity and Access Management Common Components, including the Identity and Access Manager (IA Manager), and accompanies the documentation for the eTrust IAM product suite.
The Common Components can be installed on specific operating systems as follows:
| Supported OS | Directory Server | Policy Server | Web Applications Server | Provisioning Server | Advanced Workflow Server |
|---|---|---|---|---|---|
| Windows 2000 Server or Advanced Server (SP4 or later) | Yes | Yes | Yes | Yes | Yes |
| Windows Server 2003 (Standard or Enterprise) | Yes | Yes | Yes | Yes | Yes |
The following sections describe the system requirements for the Common Components and any special requirements for the related servers.
To install any of the Common Components you will need a computer with a minimum hardware specification of:
You should adjust the hardware requirements based on the needs of your enterprise and cost-performance trade-offs. In general, an Intel Quad Xeon 2.5 GHz server with 8 GB RAM is recommended for a high-end deployment, and an Intel Dual Xeon 3 GHz server with 4 GB RAM for a mid-range deployment. If the cost-performance trade-off is a critical factor, several mid-range servers can be deployed in place of one high-end server, at the cost of additional management overhead.
eTrust IAM requires a web browser to be installed on computers that will access the various eTrust IAM web applications (IA Manager, Self Service, Self Service Configuration, SPML Service, and eTrust Advanced Workflow). The supported browsers are:
Do not use the installation program to upgrade previous versions of the eTrust IAM suite. Previous (beta) versions of eTrust Identity and Access Management Common Components must be uninstalled from your computer before installing this software.
You should not install this software over existing eTrust IAM components before making a complete backup of all user data.
If you have both the 7.0 Policy Server and Policy Manager installed on the same machine and you wish to perform an upgrade, you must uninstall the 7.0 Policy Manager first. Uninstalling the 7.0 Policy Manager after the upgrade causes some required registry keys and Access Control files to be removed, leaving the Policy Server unusable.
If you install the Policy Server on a Windows computer, you must either disable the screensaver or otherwise ensure that it doesn't run and lock the station before completing the Policy Server installation.
The embedded version of eTrust Directory r8 included with the eTrust Policy Server uses Advantage Ingres 2.6.
If you are using Windows Terminal Services, the Policy Server must be installed from the local console and not from a remote Terminal Services session.
This version of eTrust Identity and Access Management Common Components is certified in English.
This section describes known issues, workarounds, and solutions for this release of eTrust IAM.
The following sections describe known issues with the installation of eTrust Identity and Access Management Common Components.
The installation of IA Manager stores licensing information in the fixed path C:\Program Files\CA\SharedComponents\CA_LIC regardless of the default installation path chosen during installation.
When you install the JDK, an error message similar to the following may appear:
Java(TM) Update (1.4.2_04-b05) cannot be installed on this machine because the Java(TM) Virtual Machine is currently running. Please close all running Java(TM) applications, especially browsers. [Retry/Cancel]
This is a known issue in the JRE/JDK installer for Windows. For full details, see bug #4953793 on the Sun Developer Network web site.
Workaround: To correct this error, follow these steps:
Note: You may need to click Retry multiple times before this is successful.
If clicking the Retry button is unsuccessful, continue with the following:
This initiates a rollback of the installation. Wait until the rollback has finished.
By default all folders and files will be located in C:\Program Files\CA\.
If you initiate a rollback of the installation by selecting Cancel while the installation program is running with the progress bar visible, in some instances the progress bar may continue to progress (sometimes as far as 100%).
If the nominated installation directory already exists on your computer at installation time (for example, from a previous eTrust IAM installation that failed to roll back or uninstall cleanly), a dialog box with the following information may appear during the installation:
A Java Virtual Machine (JVM) is being installed in "<IAMInstallDirectory>\_iamjvm" and will overwrite the contents of this directory. Do you want to overwrite this directory? (Yes/No/Cancel)
Workaround: To correct this error, follow these steps:
The installation program terminates.
Some components of the eTrust IAM do not uninstall completely. Some files and directories, including the web applications and the CA_APPSW directory, may be left behind on the computer.
Workaround: Manually delete the remaining directories and their contents after the uninstallation finishes.
Important! Do not manually delete any directories or files belonging to Apache Tomcat 4.1.29, JDK 1.4.2_04, or JRE 1.4.2_04. These are intentionally left behind on the computer. You can uninstall these programs using Control Panel, Add/Remove Programs.
IA Manager will not work if the installation path is not specified in ASCII (ENU) characters.
Workaround: Specify the installation path in ASCII (ENU) characters.
You will be prompted to supply passwords for various components during the installation. If you supply a password that does not comply with the password validation rules of the computer where the software is being installed, the software will be installed incorrectly.
Workaround: Ensure that the passwords you provide during the installation comply with the password validation rules of all domains configured.
The Path environment variable is appended with paths to the various components during the installation. This can cause the stored string length to exceed the maximum length allowed on Windows systems. If this occurs, other software installed on the system may not function correctly after installing eTrust IAM.
Workaround: To avoid this issue ensure that the Path environment variable does not exceed ~500 characters in total length before installing eTrust IAM.
A screen that lists the remaining computers where the installation needs to be run appears when the installation completes. If there are no remaining computers on which to install eTrust IAM, a message stating that the software 'must be installed on machine <blank>' appears. This message is incorrect and should be ignored.
You can choose the location where eTrust Directory is installed. However, make sure that the file path only includes typical English alphanumeric characters. File paths that include the following characters can cause problems with some components other than DXserver:
` ; ' ^ $ # @ % & ( ).
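The install-path and Path-length rules above (an ASCII-only installation path, the characters listed for the eTrust Directory location, and a Path variable kept under about 500 characters) can be checked before the installer is launched. The following pre-flight script is an added example written for this readme; it is not part of the eTrust IAM installer. The function names are its own, and the 500-character figure is the readme's rule of thumb rather than a documented Windows limit.

```python
"""Pre-flight checks before running the eTrust IAM installer (added example)."""
import os
import sys

# Characters the readme lists as troublesome in the eTrust Directory install path.
PROBLEM_CHARS = set("`;'^$#@%&()")
# Readme rule of thumb: keep Path under ~500 characters before the installer appends to it.
PATH_LIMIT = 500


def install_path_problems(path):
    """Return the reasons `path` is unsafe for the installer (empty list if it is fine)."""
    problems = []
    non_ascii = sorted({c for c in path if not c.isascii()})
    if non_ascii:
        problems.append("non-ASCII characters: " + " ".join(non_ascii))
    bad = sorted(PROBLEM_CHARS.intersection(path))
    if bad:
        problems.append("problematic characters: " + " ".join(bad))
    if path != path.strip():
        problems.append("leading or trailing whitespace")
    return problems


def path_env_headroom(path_value, limit=PATH_LIMIT):
    """Characters left under `limit`; a negative result means Path is already too long."""
    return limit - len(path_value)


def unique_path_entries(path_value, sep=";"):
    """Drop empty and duplicate Path entries (compared case-insensitively and ignoring a
    trailing backslash, as Windows treats them) to recover headroom without removing
    anything that is still needed."""
    seen, kept = set(), []
    for entry in path_value.split(sep):
        entry = entry.strip()
        key = entry.rstrip("\\/").lower()
        if key and key not in seen:
            seen.add(key)
            kept.append(entry)
    return sep.join(kept)


def main(install_path):
    """Print a report; return False if something should be fixed before installing."""
    ok = True
    for problem in install_path_problems(install_path):
        print("install path:", problem)
        ok = False
    current = os.environ.get("PATH", "")
    headroom = path_env_headroom(current)
    print(f"Path is {len(current)} characters ({headroom} under the {PATH_LIMIT} limit)")
    if headroom < 0:
        deduped = unique_path_entries(current, os.pathsep)
        print(f"de-duplicating entries would bring it to {len(deduped)} characters")
        ok = False
    return ok


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\CA"
    sys.exit(0 if main(target) else 1)
```

Run it with the intended installation directory as the only argument on each computer that will host a component. De-duplication only reports a shortened Path; apply the change through the System Properties dialog yourself so nothing is dropped that another product still expects.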
If you use the installation program to remove the Policy Server from a computer and then, without rebooting, run the same installation program to add the Policy Server back on that same computer, the installation will fail.
Workaround: After removing the Policy Server, reboot the computer before running the installation program to reinstall the Policy Server on the same computer.
You cannot run the installation program simultaneously on multiple computers due to issues with simultaneous updates to the IAM Install DSA. To enforce this, each instance of the installation program creates a lock on the IAM Install DSA when it first connects to the DSA. Any subsequent attempt to connect to the DSA will fail and the following message appears:
Unable to lock nominated machine
The IAM installer was unable to gain an exclusive lock to the status of <IAM Install DSA computer> in the eTrust IAM Install DSA. It appears that there is another instance of the IAM installer running
where <IAM Install DSA computer> is the name of the computer that holds the lock.
This lock is automatically released when the installation program holding the lock exits, either by completing successfully or being deliberately cancelled by the user. The lock may incorrectly remain after an abnormal termination of the installation program. If this happens, the lock must be released before other installations can run.
Workaround: To release the lock, re-run the installation program on the computer that currently holds the lock, and on the Starting the Installation panel, select Yes, nominate the current computer, and provide the IAM Install DSA password. Click the Next button to successfully connect to the IAM Install DSA and then, on the following panel, click Cancel to quit the installation program and unlock the IAM Install DSA.
You may receive this error when the installation program attempts to connect to the IAM suite configuration database (IAM Install DSA) due to unavailability of the dxserver_iaminstall_xxx service. This is the expected behavior if you provided the incorrect password, the computer is unavailable, or the required dxserver_iaminstall_xxx service is stopped.
Verify that the service is running on the nominated Directory Server before trying again. If the message persists, check that you do not have a previously installed unlicensed copy of eTrust Directory r8 on the current computer. If you have, the installation program will be unable to create the IAM suite configuration database because the underlying Ingres database is slow to start after the eTrust Directory upgrade.
This error can also display if you tried to install a second instance of the Apache Tomcat 4.1.29 as part of the eTrust IAM installation (that is, CA Tomcat 4.1.29) on a computer that already has CA Tomcat 4.1.29 installed somewhere else. Check that you do not have CA Tomcat 4.1.29 already installed on the computer. If you have, during installation, choose to use this existing CA Tomcat 4.1.29 installation and point the installation program at it.
Workaround: To correct this error, follow these steps:
If you have CA Tomcat 4.1.29 already installed on this computer, cancel the installation, manually delete the eTrust IAM folder, and rerun the installation program. In the installation program, choose to use the existing Apache Tomcat 4.1.29 installation and point to the location where it is installed.
dn: cn=IAMInstall-Master,ou=IAM,o=CA
objectClass: inetOrgPerson
cn: IAMInstall-Master
sn: Master
userPassword: PASSWORD
where PASSWORD is the password you used for the IAM Install DSA during the eTrust IAM installation.
Note: Ensure that there are no trailing spaces on any of the lines in this file.
dxloaddb -p "ou=IAM,o=CA" c:\IAMInstall.ldi IAMdb
dxserver status
dxserver start IAMInstall_xxx
Note: IAMInstall_xxx must match the name of the IAM Install DSA revealed in the previous step.
del c:\IAMInstall.ldi
You should now be able to click Next on the installation program screen to complete the installation.
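The load-and-restart steps above leave the IAM Install DSA password in clear text in c:\IAMInstall.ldi until the final del, and a stray trailing space in the file silently breaks the load. The following script is an added example for this readme, not CA tooling: it generates the LDIF shown above, refuses to write it if any line ends in whitespace, issues the dxloaddb and dxserver commands through an injectable runner (subprocess.run by default, so the same code can be exercised offline), and removes the file afterwards whether or not the commands succeed. The DN, attributes and command lines are the readme's; the function names, the runner hook and the assumption that the DSA name appears verbatim as IAMInstall_<suffix> in the dxserver status output are this example's. Steps of the procedure that precede dxloaddb on this page are not reproduced here.

```python
"""Recreate the IAM Install DSA master entry (added example, not CA tooling)."""
import base64
import os
import re
import subprocess

ENTRY_DN = "cn=IAMInstall-Master,ou=IAM,o=CA"


def ldif_line(attr, value):
    """Format one attribute per LDIF (RFC 2849): values that are not SAFE-STRINGs
    (non-ASCII, NUL/CR/LF, leading space/colon/'<', or a trailing space) are
    base64-encoded with the '::' form, so a password ending in a space does not
    produce the trailing whitespace the readme warns about."""
    safe = (value.isascii() and not any(c in value for c in "\0\r\n")
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_master_ldif(password):
    """Return the IAMInstall.ldi content from the readme for the given password."""
    return "\n".join([
        ldif_line("dn", ENTRY_DN),
        ldif_line("objectClass", "inetOrgPerson"),
        ldif_line("cn", "IAMInstall-Master"),
        ldif_line("sn", "Master"),
        ldif_line("userPassword", password),
    ]) + "\n"


def trailing_space_lines(text):
    """1-based numbers of lines ending in whitespace (the readme says there must be none)."""
    return [n for n, line in enumerate(text.split("\n"), 1) if line != line.rstrip()]


def install_dsa_name(status_output):
    """Pick the IAM Install DSA name out of `dxserver status` output.
    Assumption: the name appears verbatim, as IAMInstall_<suffix>."""
    match = re.search(r"\bIAMInstall_\w+", status_output)
    return match.group(0) if match else None


def reload_master_entry(password, dsa_name, ldif_path=r"c:\IAMInstall.ldi",
                        runner=subprocess.run):
    """Write the LDIF, load it with dxloaddb, start the DSA, then delete the file.
    `runner` is called as runner(cmd, check=True); the commands issued are returned."""
    text = build_master_ldif(password)
    bad = trailing_space_lines(text)
    if bad:
        raise ValueError(f"trailing whitespace on line(s) {bad}")
    commands = [
        ["dxloaddb", "-p", "ou=IAM,o=CA", ldif_path, "IAMdb"],
        ["dxserver", "start", dsa_name],
    ]
    with open(ldif_path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(text)
    try:
        for cmd in commands:
            runner(cmd, check=True)
    finally:
        os.remove(ldif_path)  # the file holds the DSA password in clear text
    return commands


if __name__ == "__main__":
    import getpass
    status = subprocess.run(["dxserver", "status"], capture_output=True, text=True).stdout
    name = install_dsa_name(status)
    if name is None:
        raise SystemExit("no IAMInstall_* DSA found in `dxserver status` output")
    reload_master_entry(getpass.getpass("IAM Install DSA password: "), name)
```

Run it on the Directory Server that holds the IAM Install DSA, from a command prompt where dxloaddb and dxserver are on the Path. The password is read with getpass rather than taken on the command line so it does not land in the console history.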
The installation program is unable to correctly remove only Advanced Workflow. The remaining aspects which are not removed are:
Workaround: Uninstall eTrust IAM completely and reinstall the required components.
eTrust IAM uses eTrust Directory r8 SP1 which includes Advantage Ingres 2.6. You cannot install it on a Windows machine that already runs eTrust Directory with Ingres r3. To find out which Ingres is used by eTrust Directory type the following command:
dxsetup -getii
The command displays the value of %II_SYSTEM% used by eTrust Directory. The Ingres version is shown as the Product Version of the files in %II_SYSTEM%\ingres\bin (for example, on the Version tab of a file's Properties dialog).
The Close button will not close the Support Info dialog in the Control Panel, Add or Remove Programs. This is a known issue with Windows 2000 Server or Advanced Server and is published on the Microsoft Help and Support web site.
Workaround: Click X in the upper-right corner of the window to close the Support Info dialog.
The following sections describe known issues with IA Manager functionality.
When using the Session Administrator to end a user's session, if you enter a wildcard (for example, "A*") and select single user, the Kill Sessions button on the following window may not end the user's session.
Workaround: To correct this error, do any of the following:
When clicking on the Enterprise tab in IA Manager you may be prompted to install a Java Plug-in from the browser interface. The installation will fail and the plug-in must be installed separately.
Workaround: Install JRE on this computer. The JRE installation program can be found on Disk 1 of the Common Components in the following location:
\install\jreBase\j2re-1_4_2_04-windows-i586-p.exe
Alternatively, you can find the file on the Sun Developer Network web site. Download and install J2SE v 1.4.2_05 JRE Windows Offline Installation, Multi-language (j2re-1_4_2_05-windows-i586-p.exe, 14.91 MB).
Using the Back or Forward buttons on your browser results in unpredictable behavior when working in IA Manager.
Workaround: Do not use the Back or Forward buttons when you are working in IA Manager.
When you hold the Shift key down and then click an IA Manager button in the browser, or hold the Shift key down and then click on IA Manager data, standard browser behavior dictates that a new browser window opens. However, in IA Manager, the new window opens with an error message.
Workaround: Do not hold the Shift key down when you click in the IA Manager window.
IA Manager does not support special characters in object names. These characters include the following:
/ \ < > # "
Workaround: Do not use these characters in object names.
In some cases where very long entries are created in certain fields, the screen display of individual frames will expand beyond the physical constraints of the browser window and not be scrollable. This will cause some screen elements to become difficult to access and vertical or horizontal scroll bars may not be visible.
Workaround: Avoid long entries in these fields where possible. To scroll within frames with this problem, click and hold on an empty part of the window and then drag the cursor towards the border of that window.
You cannot manage administrative privileges from IA Manager. IA Manager values for managed endpoint types (namespaces) may be inconsistent with those installed. Do not attempt to manage administrative privileges from IA Manager.
Workaround: Manage administrative privileges from the Admin Manager. Refer to the eTrust Admin documentation for assistance on managing administrative privileges.
You cannot create new Admin Profiles or modify existing Admin Profiles with IA Manager. Do not attempt to create new Admin Profiles or modify existing Admin Profiles with IA Manager.
Note: IA Manager installs a set of system-wide Admin Profiles by default for reference purposes. IA Manager lets you submit changes for these profiles, but the system returns an error. They cannot be changed. These default profiles are not marked read-only.
Workaround: Create and modify Admin Profiles from the Admin Manager. Refer to the eTrust Admin documentation for assistance on performing these tasks.
You cannot create or modify existing SSO/WAC Provisioning Policies with IA Manager. Provisioning Policies created with Admin Manager can be applied in IA Manager but they cannot be modified or created in IA Manager.
Workaround: Create and modify SSO/WAC Provisioning Policies by using the Admin Manager.
When you modify global user attributes, the Apply Changes dialog appears. The Attribute list on this dialog includes both attributes that are propagated to the accounts associated with the global user and attributes that apply to the global user only. The list should contain only the propagated attributes; the global-user-only attributes are listed in error.
Workaround: Delete or do not apply any attributes that are applicable to the global user only.
URL paths with non-ASCII characters are not supported.
Workaround: Only use URL paths with ASCII (ENU) characters.
When the screen resolution is set to 800x600, you cannot log in because the scroll bar and buttons do not appear.
Workaround: This site requires resolution of 1024x768 or higher for proper viewing. To enable login from this window, close the Status window from Preferences.
When you use IA Manager for the first time, it uses your browser's default language. The translation file for non-English languages is incomplete, so if your browser's default language is non-English (or if you select a language other than English as a preference), the page labels contain carets and underscores.
Workaround: Override the browser default language by selecting the English language in the Preferences dialog.
If IA Manager is accessed from Internet Explorer on the Web Application Server computer, some large transactions may cause Internet Explorer to freeze.
Workaround: Use Internet Explorer to access IA Manager from a computer other than the Web Application Server.
If the timeout value expires while IA Manager is still processing a request, the user is not informed of the status of the current request. The default value for IA Manager is zero which means that IA Manager will not proceed until the request is completed. Where problems exist with the network or a remote component of the system this may result in long delays.
Timeout values are critical to the performance of distributed systems. A high timeout value may result in long delays before control is returned to the user. A low timeout value increases the likelihood of IA Manager not displaying the completion of requests. The "Response Timeout" setting in the IA Manager Preferences window lets you set a timeout value which suits your installation. To assign a no timeout value, choose a value of zero.
You may be unable to login to IA Manager from the login page when endpoint computers are unavailable. This error appears as an endlessly looping progress bar and is related to the timeout interval.
Workaround: From the login page, set your IA Manager preferences to assign a small timeout value (for example one minute). Login to IA Manager and then re-set your timeout value back to your preferred value.
Updates to search criteria elements which are made during a session may not be reflected in the search panels displayed in IA Manager. This is because IA Manager caches all the information which appears in the left-hand search panels of all screens at login time.
Workaround: To display refreshed search criteria, log out of IA Manager and then log in again.
IA Manager has problems running in Internet Explorer on Windows Server 2003. The Windows Server 2003 Internet Explorer Enhanced Security Configuration component prevents IA Manager's JavaScript from executing freely, resulting in incomplete transactions, request failures, incomplete screen rendering, inaccurate data transmission and, in some cases, complete failure to respond to a request.
A complete explanation of the Windows 2003 Internet Explorer Enhanced Security Configuration can be found on the Microsoft Download Center.
Workaround: As a best practice, Microsoft recommends that you do not browse the Web or download content such as device drivers, service packs, or Microsoft ActiveX components from a Windows Server 2003 computer. Following this guideline, we recommend that you browse to the IA Manager application from a non-Windows Server 2003 computer, or use a Mozilla browser to browse from a Windows Server 2003 computer. You can still install the Web Application Server or any other component of eTrust IAM on a Windows Server 2003 computer.
If you must use IA Manager in Internet Explorer from a Windows Server 2003 computer, disable the Internet Explorer Enhanced Security Configuration on the Windows Server 2003 computer where you are going to browse to the IA Manager application.
Important! Disabling the Internet Explorer Enhanced Security Configuration opens your system to an increased risk of malicious attack.
Password reset requests cannot be viewed from the current release of IA Manager.
Workaround: Use previous DAWI to view requests for password resets.
You can access the worklist via IA Manager. However, if you logout from the worklist (using the logout link), you cannot access the worklist via IA Manager again without restarting the browser. If you try to access the worklist via IA Manager again, you will receive an error.
Workaround: Do not use the worklist link in IA Manager after logging out of the worklist interface.
If you submit an approval while a previous approval submission is still processing, the worklist shows an error indicating that the engine is busy.
Workaround: You can go back to the form and resubmit, in which case the approval will proceed normally.
On the self-authentication page, if you provide a wrong answer in one of the fields, the password clue will disappear.
Workaround: Browse to the login page and click on the password clue link.
If you try to create or change a password for a global user's accounts and there is a problem with one of the accounts (for example, it does not meet password requirements or the native system is down), only the global user's password is changed and the accounts' passwords remain unchanged.
The IA Manager's Endpoint screen provides a field for specifying a Default Policy that is to be associated with a specific endpoint. This can be done from the Endpoint screen for both Access Control and eTrust WAC SSO on the Configuration select page. The help for Default Policy incompletely specifies: "… the default policy is used when creating new accounts on this managed endpoint. This is useful when you want to manage users without using role-based administration." Although this is true, it is not complete. The Default Policy specifies a policy that will be associated with each account created during the discovery (that is, Explore and Correlate) of a specific endpoint, or enforced on an account that is created due to the drag-and-drop of a Global User onto a target endpoint. During discovery, the default policy is associated with the account but will not be enforced against the account. It will only be enforced if the account is then synchronized with policies. The policy will be immediately enforced against the account during a drag-and-drop operation (even if no roles and/or policies have been explicitly associated with the Global User).
IA Manager does not provide drag-and-drop functionality, and does not provide a method of synchronizing accounts with policies. To perform these operations you must use the Admin Manager. IA Manager lets you associate a default policy with an account during discovery of the specified endpoint, however, to synchronize the account with the policy, you must use the Admin Manager, under the Namespace tab, by right clicking on a selected endpoint, and selecting the Synchronize Accounts with Policies menu item.
The following sections describe known issues with the eTrust Identity and Access Management Self Service Configuration application functionality.
On the Self Registration tab, any unsaved changes are lost when a global user search is performed.
Workaround: Save changes on this screen before performing a global user search.
On the Self Registration tab, choosing a template user with no self administration rights will not allow the users created via self registration to log in to Self Service.
Workaround: Ensure that any template user chosen on the Self Registration tab has self administration privileges.
The online help describes advanced configuration changes you can make by modifying the appconfig_override.xml file. Please note that you must restart the Tomcat web service to activate these changes.
The entry eTrust Identity and Access Management Configuration appears in the Add/Remove Programs panel on the Web Application Server computer.
Do not uninstall this application separately – It will be uninstalled correctly if you uninstall eTrust IAM from this computer.
If a field is displayed as writable to a user but their profiles do not permit writing to this field, then an attempt to change it will result in a message explaining that there are insufficient privileges for the operation. This error is the result of the user interface specification managed by the Self Service Configuration conflicting with the Self Administrator profile in the Win32 GUI interface.
Workaround: You need to make changes to both the User Interface specification with the Self Service Configuration and the Self Administrator profile to ensure that both interfaces remain synchronized.
The following sections describe known issues with the Directory Server.
eTrust Directory is language certified for all data stored in the directory. However on some platforms, non-ASCII characters can cause problems in the eTrust Directory environment. The following items must include only the standard ASCII characters that appear in English:
When you use the eTrust installation program to reconfigure an existing Directory Server, you may be prompted to stop the Ingres Intelligent Database service during the installation. Although this step is required to complete the installation, the eta_slapd service may not start correctly when the installation completes. If you are prompted to stop a service, make a note of any dependent services that are also stopped by this action; these are listed in the dialog titled Stop Other Services.
Workaround: After completing the reconfiguration of a directory server you can reboot the system to correctly start the stopped services. Alternatively, if you do not wish to reboot the server, you can start the specific service by following these steps:
dxserver start all
The following sections describe known issues with the Provisioning Server.
When installing multiple Provisioning Servers, the root Provisioning Server has no authentication configured. This setting is necessary to enable subsequent Provisioning Servers to be successfully configured. You must change this setting on the root Provisioning Server after you have installed all Provisioning Servers to ensure that communications are authenticated.
Workaround: After the final Provisioning Server is installed, you will be prompted to re-enable authentication on the root Provisioning Server. To do this, follow these steps:
a. eTrust Admin LDAP server
C:\Program Files\CA\eTrust Directory\dxserver\config\settings\etrustadmin.dxc
# security controls
set min-auth = clear-password;
# set min-auth = none;
a. eTrust Directory – etrustadmin
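The edit above is easy to get wrong on a busy root server: the weak line (set min-auth = none;) must end up commented out and exactly one clear-password line must be active, or the DSA keeps accepting unauthenticated binds. The following script is an added example for this readme, not CA tooling: it reports which min-auth setting a dxc file currently enforces and rewrites the file so that clear-password is the only active setting, keeping a .bak copy. The file path and the two directive lines are the readme's; the function names are this example's. The readme's surrounding steps (stopping the listed services before the edit and starting them afterwards) still apply.

```python
"""Re-enable authentication in etrustadmin.dxc (added example, not CA tooling)."""
import re
import shutil

DXC_PATH = r"C:\Program Files\CA\eTrust Directory\dxserver\config\settings\etrustadmin.dxc"
# Matches `set min-auth = <value>;` whether or not it is commented out with '#'.
MIN_AUTH_RE = re.compile(r"^\s*(#\s*)?set\s+min-auth\s*=\s*([\w-]+)\s*;\s*$", re.IGNORECASE)


def active_min_auth(text):
    """Value of the last uncommented `set min-auth` line, or None if there is none.
    The weak state this readme item describes shows up as 'none'."""
    value = None
    for line in text.splitlines():
        m = MIN_AUTH_RE.match(line)
        if m and not m.group(1):
            value = m.group(2).lower()
    return value


def enforce_min_auth(text, required="clear-password"):
    """Make `set min-auth = <required>;` the one active setting: comment out every
    other min-auth line and uncomment (or append) the required one.
    Returns (new_text, changed)."""
    out, found = [], False
    for line in text.splitlines():
        m = MIN_AUTH_RE.match(line)
        if not m:
            out.append(line)
        elif m.group(2).lower() == required.lower() and not found:
            out.append(f"set min-auth = {required};")
            found = True
        else:
            stripped = line.strip()
            out.append(stripped if stripped.startswith("#") else "# " + stripped)
    if not found:
        out += ["# security controls", f"set min-auth = {required};"]
    new = "\n".join(out) + ("\n" if text.endswith("\n") or not text else "")
    return new, new != text


def harden_file(path=DXC_PATH):
    """Apply enforce_min_auth to the file on disk, keeping a .bak copy of the original.
    latin-1 round-trips any byte unchanged, so unknown content is never corrupted."""
    with open(path, encoding="latin-1") as fh:
        text = fh.read()
    new, changed = enforce_min_auth(text)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(new)
    return changed


if __name__ == "__main__":
    print("updated" if harden_file() else "already enforcing clear-password")
```

Re-run it after the last Provisioning Server is installed; a second run reports no change, which doubles as a check that the setting was not reverted by a later reconfiguration.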
The following sections describe known issues with the Policy Server.
To use an Active Directory data store through DXlink, you must switch off the ACLs of the PS DSA. For instructions, see the chapter "Example Implementation" of the eTrust SSO Implementation Guide. Note that with its ACLs switched off the PS DSA no longer enforces its own access controls, so limit which hosts can reach it accordingly.
After installation, there is no need to add a terminal via the Policy Manager in order to access the Policy Server's configuration: all terminals will be able to access the Policy Manager.
If you remove an accessor (user or group) from a user data store, the Policy Server does not remove the ACL entries defining rules for this accessor from the resources' ACLs in the policy data store. If you delete a user from the user data store and then add another user with the same name, the new user inherits these stale entries and can access the same resources that the old user could (if your policies are based on users rather than on attributes or groups). Treat the deletion of an accessor as incomplete until its entries have also been removed from the affected resources' ACLs.
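The stale-entry problem above is detectable with an offline comparison of the two stores. The following is an added example for this readme, not CA tooling: given the accessors that currently exist in the user data store and the entries held in the resources' ACLs, it lists the orphaned entries, shows what a name about to be (re)created would inherit, and produces the pruned ACL. The record layout, the sample users, groups and resources are constructed for the example; eTrust's own export format is not reproduced.

```python
"""Stale ACL entries in the policy data store (added example, not CA tooling)."""
from collections import namedtuple

# One ACL entry: the resource it protects, the accessor it names, whether that
# accessor is a user or a group, and the rights granted. Constructed shape.
Ace = namedtuple("Ace", "resource accessor kind rights")

# Constructed sample: accessors that currently exist in the user data store ...
USERS = {"alice", "bob"}
GROUPS = {"finance"}
# ... and the entries still held in the resources' ACLs.
ACL = [
    Ace("app:Payroll", "alice", "user", "READ"),
    Ace("app:Payroll", "finance", "group", "READ"),
    Ace("app:Ledger", "carol", "user", "READ,WRITE"),  # carol was deleted
    Ace("app:Ledger", "auditors", "group", "READ"),    # group was deleted
    Ace("app:Mail", "bob", "user", "READ"),
]


def stale_entries(acl, users, groups):
    """ACL entries whose accessor no longer exists in the user data store.
    Names are compared exactly; adapt if your store is case-insensitive."""
    present = {"user": users, "group": groups}
    return [ace for ace in acl if ace.accessor not in present[ace.kind]]


def inherited_grants(name, kind, acl, users, groups):
    """Rights a newly created accessor `name` would hold immediately, only because
    a same-named accessor was deleted without its ACL entries being removed.
    Run this before re-creating or renaming a user."""
    return {ace.resource: ace.rights
            for ace in stale_entries(acl, users, groups)
            if ace.accessor == name and ace.kind == kind}


def prune(acl, users, groups):
    """The ACL as it should look once the deleted accessors' entries are gone."""
    stale = set(stale_entries(acl, users, groups))
    return [ace for ace in acl if ace not in stale]


if __name__ == "__main__":
    for ace in stale_entries(ACL, USERS, GROUPS):
        print(f"stale: {ace.resource} grants {ace.rights} to {ace.kind} {ace.accessor!r}")
    print("creating user 'carol' would inherit:",
          inherited_grants("carol", "user", ACL, USERS, GROUPS))
```

Feed it the real accessor list and ACL export after every bulk deletion, and run inherited_grants as a pre-creation check whenever a user name is reused.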
The properties, PMDB and FULL_NAME, of the USER class in eTrust Access Control cannot be defined as database fields when defining user attributes for an eTrust Access Control-type user data store.
Some special characters are not supported in user names. Unsupported characters include the following:
% ( ) * [ ] | : ? / #
Workaround: Do not use these characters in user names.
The grace login count for client applications is not updated with their server applications.
In some cases, applications within hidden containers are also hidden. By design, applications under hidden containers should be visible under the hidden container's parent container.
Workaround: Remove the hidden attribute from the relevant containers.
The Limit Choice, Select Specific Session option in a session profile causes the following errors to be displayed to the user when the maximum allowed number of sessions is reached: "Unable to fetch error description" followed by "Unable to get a list of current sessions". It is recommended that you do not use this option. After a certain number of logins by the same user, these errors appear on the first login attempt regardless of the session profile setting.
Workaround: Open a command prompt window and issue the following command to cleanup the user tokens:
dxdelete -h localhost:13390 -D cn=<ldap administrator name>,o=PS -w <ldap administrator password> "(cn=<username>)"
An Unknown Host error may be encountered if your Windows computers are not configured to automatically append DNS suffixes. The eTrust Directory DSAs are configured to use short hostnames to communicate with each other. Therefore, you must be able to communicate (ping, for example) between each machine in the server farm using only the short hostname rather than the fully qualified hostname (for example, ps1 rather than ps1.company.com). If this is not the current situation for each policy server, modify the Windows connection properties as follows:
The Control Panel opens.
The Properties dialog for the connection opens.
Internet Protocol (TCP/IP) Properties dialog opens.
The Add button becomes active, letting you add domain suffixes.
Note: Ensure that every hostname used for a Policy Server installation is unique across all domains.
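Both conditions above, short hostnames that resolve from every Policy Server and short names that are unique across domains, can be verified before the DSAs are brought up. The following is an added example for this readme, not CA tooling: given the farm members' fully qualified names, it flags short names shared by hosts in different domains and short names that do not resolve from the machine it runs on. The function names and the sample host names are this example's; table_resolver is an offline stand-in for DNS so the check can be exercised without a network.

```python
"""Short-hostname checks for a Policy Server farm (added example, not CA tooling)."""
import socket


def short_name(fqdn):
    """The label the DSAs use: everything before the first dot, lower-cased."""
    return fqdn.split(".", 1)[0].lower()


def table_resolver(table):
    """Offline stand-in for socket.gethostbyname built from a {short_name: ip} dict."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror(f"{name}: name not found")
        return table[name]
    return resolve


def farm_name_problems(fqdns, resolver=socket.gethostbyname):
    """Map short name -> problem for every farm member that would break DSA
    communication: a short name shared by hosts in different domains (the
    readme's uniqueness note) or one that does not resolve from this machine
    (the DNS suffix issue). An empty dict means the farm is fine."""
    problems, by_short = {}, {}
    for fqdn in fqdns:
        by_short.setdefault(short_name(fqdn), []).append(fqdn)
    for short, members in by_short.items():
        if len(members) > 1:
            problems[short] = "short name shared by " + ", ".join(sorted(members))
            continue
        try:
            resolver(short)
        except OSError as exc:  # socket.gaierror is an OSError
            problems[short] = f"short name does not resolve: {exc}"
    return problems


if __name__ == "__main__":
    import sys
    farm = sys.argv[1:] or ["ps1.company.com", "ps2.company.com"]  # constructed defaults
    found = farm_name_problems(farm)
    for short, problem in sorted(found.items()):
        print(f"{short}: {problem}")
    sys.exit(1 if found else 0)
```

Run it on each Policy Server with the full list of farm members as arguments; a non-zero exit on any member means the DNS suffix list or a hostname needs fixing before the DSAs will talk to each other.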
You must assign the TCL scripts (stored in the script directory) with Windows permissions that let the user group "Users" and the user "ps-pers" use them. Failure to do this will result in an SSO Client error that reports "Error getting login data for the application <application name> application script is empty."
All 'message of the day' (MOTD) files should be formatted for DOS. If the MOTD files are formatted for UNIX, an 'I' character will appear at the end of every line.
When creating application authorization rules via selang, an incrementing rule id is assigned. In a server farm environment, this rule id can become unsynchronized in certain scenarios, including:
If the databases lose synchronization:
Workaround: To avoid this issue in selang, manually set the rule_name attribute when creating authorization rules. This issue does not occur when using the Policy Manager.
Replication of application login information may fail if you modify the Policy Server default user data store to use eTrust Access Control and one of the Policy Servers is offline temporarily. This does not happen if the Policy Server's default user data store is using eTrust Directory (the default setting).
Workaround: Set your default user data store to eTrust Directory.
If you install a Policy Server on a computer after the Provisioning Servers have been installed, the Policy Server will not automatically be listed as an endpoint on your Provisioning Server.
Workaround: Install at least one Policy Server before installing the Provisioning Servers. If you are installing the Policy Server after a Provisioning Server has already been installed, use the Admin Manager to add a namespace to a Policy Server and perform an explore and correlate to update and synchronize the Provisioning Servers. For information about updating and synchronizing the Provisioning Servers, see the eTrust Admin Implementation Guide.
After a Policy Server upgrade from 7.0 to r8, you will see an extra 'Notify_User' field in the User Properties dialog (under Configuration\Datastores\UserAttributes and UserDefinition). This extra field has a space at the end, for example, "notify_User@<ac_user_dir> " where <ac_user_dir> is your computer name or 'ps-farm' in a server farm setup.
Workaround: You must delete this second field.
During an upgrade from SSO Server 6.5 to Policy Server r8, applications whose login type is set to 'PassTicket' or 'AppTicket' do not retain their login type.
Workaround: After the upgrade, use the Policy Manager to reset the login type for these applications.
After upgrading Policy Server to r8, when shutting down the computer, Ingres services may crash.
Workaround: Stop the 'Ingres Intelligent Database' service in the Windows Services Manager before rebooting.
When upgrading from SSO 7.0 to Policy Server r8, no custom registry settings for Policy Server are retained.
During upgrade from SSO Server 6.5 to Policy Server r8, Password Policies may lose their associated Applications.
Workaround: Reassign Password Policies to these Applications.
If you are upgrading, the migration scripts cannot distinguish between the password sync and password autogen options having been explicitly disabled and never having been set. After migration, these two fields are left unset for any user for whom they were previously disabled in the Access Control data store.
When upgrading your Policy Servers (from 6.5sp2 to r8, or from 7.0 to r8), the ticket encryption key within the Authhost definition is lost.
Workaround: In the Policy Manager, note the AUTHHOST Ticket Encryption Key before starting the upgrade. After the upgrade has completed successfully, re-enter this key in the AUTHHOST property in the Policy Manager.
If you previously had a resource whose name contained a backslash followed by a space (for example "USER\ A"), after an upgrade from 6.5 to r8 the name no longer contains the backslash (for example, "USER A"). The same applies when migrating users from the Access Control data store to the ps-ldap data store.
If a GAPPL or GAUTHHOST resource was previously defined with a member that had commas in the name (for example, Doe,John), following an upgrade to r8, it will not be defined as a member of the group.
Workaround: Using the Policy Manager, all such GAPPL and GAUTHHOST members can be re-added to the group memberships manually.
When upgrading server farms from version 6.5 to 8.0, the 6.5 Policy Model Database (pmdb) is not deleted. The installer creates a new Policy Model Database, PS_PMDB, which is used as the default Policy Model Database.
Workaround: Back up the old Policy Model Database and delete it if it is no longer needed.
The SSO Policy Server upgrade will only upgrade the default Policy Server data stores and the Active Directory (if you have one). If you have created customized data stores, you must record the settings, delete them then create and configure them manually.
The Policy Server update will not migrate administrative users and passwords as expected. This will affect administrator logon to the Policy Manager.
Workaround: Reset each administrative user's password after the upgrade. Use the administrative user created during upgrade to do this.
Once you have upgraded a server farm to r8, you must manually synchronize the data stores. For more information, see the chapter "Implementing Server Farms" in the eTrust SSO Implementation Guide.
Before you upgrade the Policy Server, back up the eTrust AC and eTrust Directory data stores on production systems. For more information about backup and restore, see the chapter "Maintenance" in the eTrust SSO Administrator Guide.
When upgrading from Policy Server 7.0 to Policy Server r8, if group names in any LDAP-based data store contain backslashes, and there are users joined to the group, those users will no longer be part of the group.
Workaround: Remove all users from such groups, and re-add them after the upgrade process has completed.
Following an upgrade from 6.5 SP2 to r8 Policy Server, Web Resources will become Desktop Applications instead of URLs.
Workaround: Recreate your Web Resources as URLs for web applications or URL resources for Web Agents.
Every AUTHHOST (authentication host) can have only one authentication method associated with it. In previous versions an AUTHHOST could have several. During the upgrade, each such AUTHHOST object is redefined with only the authentication method that was selected as active; the remaining methods are orphaned.
Workaround: If an authentication host had more than one authentication method, then before you upgrade, select the desired authentication method as active and create a new authentication host for each of the other (orphaned) authentication methods.
The following sections describe known issues with Self Service functionality.
Self Authentication is not available on multi-domain systems (multiple Provisioning Servers). If you attempt self authentication on multi-domain systems an internal session error message appears.
Self Authentication will fail if you select a custom field as either a mandatory or optional field in the Self Service Configuration application.
Workaround: Ensure that no custom fields are selected as mandatory or optional fields on the Self Authentication tab of the Self Service Configuration application.
The Password expiry functionality is currently triggered only by an explicit expiry date assigned to a Self Service user. Periodic password expiry is not yet functioning in the Self Service application.
Self Registration will fail if the initial form submission fails for any reason.
Workaround: To clear the error, you must return to the initial login screen to restart the Self Registration process.
When launching the Self Service application, a security warning may appear asking whether the user wants to display secure and non-secure items. This happens when the secure web application references elements that are not stored within it, for example a splash screen customized through the Self Service Configuration application to include graphics hosted outside the secure web application.
Workaround: Copy all customization files to the secure web application before using the Self Service Configuration application to make use of these files.
A global user logging in to the Self Service application may encounter an exception error if:
If eTrust Admin is configured to use a Pluggable Authentication Module (PAM), every global account in eTrust Admin must have a matching account in the external security system referenced by PAM. A user will encounter an error when trying to self-authenticate with a valid global user account in eTrust Admin if the matching account does not exist in the external security system referenced by PAM.
Make sure that all global user accounts in eTrust Admin are synchronized with any external security system when PAM is enabled and ensure that global users are deleted when their matching PAM accounts are removed. Refer to the eTrust Admin Administrator's Guide for further information.
The following sections describe known issues with eTrust Identity and Access Management SPML Service functionality.
If the Common Components installation program did not correctly install a suitable self-signed certificate for Apache Tomcat on the Web Application Server, provisioning requests sent to the SPML Service from a Requesting Authority (RA) client may fail.
For information about RA client usage, see the eTrust IAM SPML Service – Getting Started Guide (specifically section 2.0 Test the eTrust IAM SPML Service) and eTrust IAM SPML Service – The Command Line RA. Both these documents can be accessed on the Web Application Server machine through Start, Programs, Computer Associates, eTrust, eTrust Identity and Access Management, eTrust IAM SPML Service Readme.
Workaround: Generate a new self-signed certificate for Apache Tomcat on the Web Application Server. For more information, see Configure SSL Support for Tomcat in your product's Implementation Guide. When prompted to enter a value for the CN property for the Issuer of the certificate, enter the fully-qualified hostname of the Web Application Server. Once the new certificate has been generated, import it into the JRE keystore on the computer on which you want to run the RA client (see eTrust IAM SPML Service – The Command Line RA for details).
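The following PowerShell script is an added example of the workaround above and is not taken from the eTrust guides. It assumes that keytool is on the PATH, that Tomcat's HTTPS Connector reads $KeyStore with $StorePass, that the alias "tomcat", the OU/O values and the 365-day validity are placeholders you would adjust, and that $ClientJre is the root of the JRE the RA client runs under (for a JDK, its jre subfolder). Steps 1, 2 and 4 run on the Web Application Server; step 3 runs on the RA client computer after copying tomcat.cer there.

```powershell
# Added example: regenerate the Tomcat self-signed certificate with CN = the Web Application
# Server's FQDN, then trust it in the RA client's JRE. Assumptions (not from the eTrust guides):
# keytool is on PATH; Tomcat's Connector reads $KeyStore with $StorePass; alias 'tomcat',
# the OU/O values and the 365-day validity are placeholders; $ClientJre is the RA client's JRE root.
param(
    [string]$Fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$KeyStore  = "$env:USERPROFILE\.keystore",
    [string]$StorePass = 'changeit',
    [string]$ClientJre = $env:JAVA_HOME
)
$ErrorActionPreference = 'Stop'
$cer = Join-Path $env:TEMP 'tomcat.cer'

# 1. Key pair plus self-signed certificate. For a self-signed certificate subject and issuer are
#    the same DN, so this CN is the "Issuer CN" the guide asks for; it must be the exact hostname
#    the RA client uses in its URL, otherwise hostname verification fails.
& keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 `
    -dname "CN=$Fqdn, OU=IAM, O=Example" `
    -keystore $KeyStore -storepass $StorePass -keypass $StorePass

# 2. Export the certificate (public part only) for distribution to RA clients.
& keytool -export -alias tomcat -file $cer -keystore $KeyStore -storepass $StorePass

# 3. On the RA client computer: import it as a trusted certificate into the JRE trust store.
#    'changeit' is the JRE's default cacerts password; -noprompt skips the interactive confirmation.
$cacerts = Join-Path $ClientJre 'lib\security\cacerts'
& keytool -import -noprompt -trustcacerts -alias "etrust-spml-$Fqdn" -file $cer `
    -keystore $cacerts -storepass changeit

# 4. Check that the CN in the keystore really is the FQDN before pointing the RA client at it.
$listing = (& keytool -list -v -alias tomcat -keystore $KeyStore -storepass $StorePass) -join "`n"
if ($listing -notmatch ('CN=' + [regex]::Escape($Fqdn))) {
    throw "Keystore certificate CN does not match $Fqdn"
}
```

Restart Tomcat after step 1 so the Connector picks up the new key pair, and keep the keystore file readable only by the account Tomcat runs as; the exported .cer contains no private key and can be copied to RA clients freely.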
Each guide in a documentation set has a unique Document Identification (DID) designation. The DID uses six characters to identify the guide, a hyphen, then two characters at the end to identify the edition and the language in which it is written. For example, G00670-1E identifies the first edition of the English version of the eTrust Identity and Access Management Readme (this document). When the second edition of this guide was published, the DID was incremented to G00670-2E.
The DID appears on the title page of PDF files. The DID without the hyphen is also used for the eight-character file name for PDF files on SupportConnect.
The DIDs and file names for eTrust Identity and Access Management Common Components documentation are:
| Guide Name | DID | File Name |
|---|---|---|
| eTrust Identity and Access Management Readme | G00670-4E | Readme_eTrust_IAM.html |
The DIDs and file names for eTrust Access Control documentation are:
| Guide Name | DID | File Name |
|---|---|---|
| eTrust Access Control Administrator Guide for UNIX and Linux | G00650-1E | ADMIN_U.pdf |
| eTrust Access Control Administrator Guide for Windows | G00658-1E | ADMIN_NT.pdf |
| eTrust Access Control Getting Started for UNIX and Linux | G00651-1E | GSG_U.pdf |
| eTrust Access Control Getting Started Guide for Windows | G00659-1E | GSG_NT.pdf |
| eTrust Access Control Implementation Guide | G00713-1E | IMPL_GUIDE.pdf |
| eTrust Access Control Reference Guide for UNIX and Linux | G00654-1E | REF_U.pdf |
| eTrust Access Control Reference Guide for Windows | G00661-1E | REF_NT.pdf |
| eTrust Access Control Release Summary for UNIX and Linux | G00655-1E | RELEASE_U.pdf |
| eTrust Access Control Release Summary for Windows | G00662-1E | RELEASE_NT.pdf |
| eTrust Access Control SDK Developer Guide | G00649-1E | SDK_GUIDE.pdf |
| eTrust Access Control User Guide for UNIX and Linux | G00656-1E | USER_U.pdf |
| eTrust Access Control Utilities Guide for UNIX and Linux | G00657-1E | UTIL_U.pdf |
The DIDs and file names for eTrust Admin documentation are:
| Guide Name | DID | File Name |
|---|---|---|
| eTrust Admin Implementation Guide | G00698-1E | G006981E.PDF |
| eTrust Admin Administrator Guide | G00716-1E | G007161E.pdf |
| eTrust Admin SDK Developer Guide | G00717-1E | G007171E.PDF |
| ACF2 Option Guide | G00718-1E | G007181E.pdf |
| Active Directory Services Option Guide | G00729-1E | G007291E.pdf |
| CA-Top Secret Option Guide | G00727-1E | G007271E.pdf |
| CleverPath Portal Option Guide | G00733-1E | G007331E.pdf |
| DB2 Option Guide | G00719-1E | G007191E.pdf |
| eTrust Access Control Application Security Option Guide | G00699-1E | G006991E.pdf |
| eTrust Access Control Option Guide | G00700-1E | G007001E.pdf |
| eTrust Imbedded IAM Option Guide | G00712-1E | G007121E.pdf |
| eTrust Single Sign-On Option Guide | G00555-1E | G005551E.pdf |
| eTrust Web Access Control Option Guide | G00728-1E | G007281E.pdf |
| Generic LDAP Option Guide | G00721-1E | G007211E.pdf |
| HP NonStop SAFEGUARD Option Guide | G00722-1E | G007221E.pdf |
| Lotus Notes/Domino Option Guide r8.1 | G00736-1E | G007361E.pdf |
| Microsoft Exchange 2000 Option Guide | G00730-1E | G007301E.pdf |
| Microsoft Exchange Option Guide | G00731-1E | G007311E.pdf |
| MS SQL Server Option Guide | G00723-1E | G007231E.pdf |
| NDS Option Guide | G00724-1E | G007241E.pdf |
| Open VMS Option Guide | G00725-1E | G007251E.pdf |
| Oracle Applications Option Guide r8.1 | G00742-1E | G007421E.pdf |
| Oracle Option Guide | G00738-1E | G007381E.pdf |
| OS/400 Option Guide | G00739-1E | G007391E.pdf |
| PeopleSoft Feed Option Guide | G00734-1E | G007341E.pdf |
| RACF Option Guide | G00726-1E | G007261E.pdf |
| RSA ACE (SecureID) Option Guide | G00594-1E | G005941E.pdf |
| SAP R3 Option Guide | G00740-1E | G007401E.pdf |
| Single Sign-On Option Guide | G00720-1E | G007201E.pdf |
| Universal Feed Option Guide | G00735-1E | G007351E.pdf |
| Universal Provisioning Option Guide r8.1 | G00741-1E | G007411E.pdf |
| UNIX Option Guide | G00732-1E | G007321E.pdf |
| Windows NT Option Guide | G00737-1E | G007371E.pdf |
The DIDs and file names for the eTrust Directory documentation are:
| Guide Name | DID | File Name |
|---|---|---|
| eTrust Directory Administrator Guide | G00505-1E | admin.pdf |
| eTrust Directory Getting Started | G00504-1E | getstart.pdf |
| eTrust Directory Release Summary | G00507-1E | release_summary.pdf |
| eTrust Directory SDK Developer Guide | G00562-1E | sdk_devguide.pdf |
| eTrust Directory User Guide | G00506-1E | userguide.pdf |
The DIDs and file names for eTrust Single Sign-On documentation are:
| Guide Name | DID | File Name |
|---|---|---|
| eTrust Single Sign-On Administrator Guide | G00676-1E | G006761E.pdf |
| eTrust Single Sign-On Getting Started | G00674-1E | G006741E.PDF |
| eTrust Single Sign-On Implementation Guide | G00675-1E | G006751E.pdf |
| eTrust Single Sign-On Release Summary | G00673-1E | G006731E.PDF |
| eTrust Single Sign-On Tcl Scripting Reference Guide | G00677-1E | G006771E.pdf |
| eTrust Single Sign-On selang Command Reference Guide | G00678-1E | G006781E.pdf |
For online technical assistance and a complete list of locations and telephone numbers, contact Customer Support at http://ca.com/support. Customer support is available 24 hours a day, 7 days a week.