4.0 Installation Considerations
6.0 Known Issues
6.1 Third-Party License Agreements
6.1.1 CRC32
6.1.2 PerlEdit 1.08
6.1.3 MD5 Message Digest Algorithm
6.1.4 Triple DES Algorithm
6.1.5 XERCES
10.0 Contact Technical Support
Welcome to eTrust® Access Control r8 SP1 (eTrust AC) for Windows. This readme file provides late-breaking and other information that supplements the eTrust AC r8 SP1 printed documentation. This version contains all the enhancements and fixes from previous versions.
Fixes included in this CR are documented on Technical Support at http://ca.com/support and in the CR_FIXLIST file. The Technical Support website describes all of the fixes to eTrust AC. The CR_FIXLIST file describes only the fixes that were included in CR releases during this calendar year.
You can find the complete list of supported operating systems for this product on Technical Support in the CA Access Control Compatibility Matrix.
Minimum processor speed, memory, and disk space requirements for Windows:
In addition, you need disk space for your eTrust AC database, which is the repository of records describing your users and user groups, your protected files and other resources, and the authorizations that permit controlled access to the resources. For example, a database for one thousand users, one thousand files, and five hundred access rules, occupies approximately 2 MB of disk memory.
All CA enterprise products and their options require a license file, CA.OLF, for each computer within a network where CA software runs. When you purchase eTrust AC, you receive a license certificate that contains necessary information to successfully install and license the product.
To install an enterprise license file, copy the CA.OLF file (with the addition of the eTrust AC line) to the CA_license directory (for example, C:\CA_LIC).
If you plan to install eTrust AC and Panda Antivirus on the same computer, note that eTrust AC does not provide registry keys protection.
Turn off either the eTrust AC STOP feature or the McAfee Entercept buffer overflow protection feature.
Specifies whether to define the current computer as a DMS.
If you specify this option, you also need to specify:
Specifies whether to configure advanced policy management and reporting.
If you specify this option, you can also specify:
Specifies whether to create a DMA on the current computer.
If you specify this option, you also need to specify:
Note: You can also use the dmsmgr utility to install and configure advanced policy-based management. For more information, see the Reference Guide.
Important! Depending on the rules you have in the database, the number of audit events that eTrust AC records to the log file could significantly increase as a result of this feature. We recommend that you review your audit log file size and backup settings.
Note: For more information about full auditing and how to configure and use the registry settings for audit log backup, see the Documentation Addendum.
The following description is missing from the Reference Guide:
nameonly--Authorization engine looks for a TERMINAL record by name and if one is not found, ceases searching. It will ignore TERMINAL records with an IP address format.
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\FsiDrv\BatchOplockStatus
For example, the property "audit mode" of the built-in object named "_default" of class TCP has a default value "Failure". If this property's value was changed to "All" then the upgrade process does not disable class TCP.
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\FsiDrv\BatchOplockStatus
In an ongoing effort to improve the Cumulative Release (CR) process CA is changing the eTrust AC CR naming convention, moving from a YYMM (for example, 0710) representation to a standard numerical representation that will increment with each CR (such as CR 12, CR 13, and so on).
These changes improve supportability and align eTrust AC CR naming with other CA products. Attention has been paid to the upgrade process to ensure a smooth transition requiring no customer action when moving to a later CR or major release.
This change primarily affects the CR names, CR documentation, seversion output, native package versioning output and Windows versioning information.
eTrust AC can manage and protect both 32-bit and 64-bit applications.
Enhancements included in this CR are documented in a Documentation Addendum that you can find on SupportConnect. This guide provides additional information to complement the documentation set that is available for the GA release of eTrust AC that this CR belongs to.
Note: As the functionality is rolled into the next release of eTrust AC, the content in this guide will be integrated into the regular documentation set for that release.
HKLM\SOFTWARE\ComputerAssociates\AccessControl\SeOSD
Name: HostResolutionMode
Type: REG_DWORD.
Values:
0 -- HOST resolution is synchronous (current behavior)
1 -- HOST resolution is asynchronous (with 'Event Log' reporting)
The effects of this setting are:
2 -- HOST resolution is asynchronous (without 'Event Log' reporting).
Same as '1' with the exception that notification messages are not written anywhere.
Default: 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drveng\Parameters\DisableLogonInterception
This registry value is type DWORD.
In order to tighten logon security, eTrust AC does not allow users to log in without specifying a domain name. If this restriction causes problems with other applications, you can relax it by setting the registry value AcceptEmptyDomainLogin (data type REG_DWORD) under the registry key HKEY_LOCAL_MACHINE\Software\ComputerAssociates\eTrustAccessControl\FsiDrv to 1.
For example, eTrust Firewall requires you to modify this registry setting to work correctly.
This setting, called Allow log on without domain name, is also available when you install eTrust AC.
To ensure consistency, since sub-authentication can be triggered on any one of the DCs, you should apply the same eTrust AC logon policy on all DCs in the Windows domain.
Note: The user's 'grace' property may not be synchronized, because a logon is authorized on only one of the DCs. Similarly, the 'Last Access Time' property shows the user's last access time on the DC that authorized the logon.
eTrust AC installs a dictionary file for password quality checking. This file is taken from the standard UNIX installation and is generally available and widely known.
We strongly recommend that you extend or replace this file with a more sophisticated dictionary file.
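The readme recommends replacing the shipped UNIX word list but does not show how to build a better one or what a dictionary check catches. The following Python is an added example (not CA code and not the eTrust AC password checker) that merges several word lists into one dictionary file and tests candidate passwords against it. It assumes the dictionary format is one word per line, as in the standard UNIX words file the readme says the shipped copy comes from; SHIPPED_WORDS and SITE_WORDS are constructed sample data standing in for real files.

```python
"""Build a stronger password dictionary and check candidates against it.

Added example, not part of eTrust AC. Assumed format: one word per line
(the standard UNIX words file layout). Sample word lists are constructed.
"""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable

# Constructed stand-in for the shipped UNIX words file.
SHIPPED_WORDS = ["Apple", "orange", "secret", "password", "summer", "an", "be"]

# Constructed site-specific additions: product and company names and the
# habitual choices users make. A real deployment loads these from files.
SITE_WORDS = ["eTrust", "AcmeCorp", "Welcome", "password", "qwerty"]

# Common character substitutions users apply to a dictionary word.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})


def normalize(word: str) -> str:
    """Lower-case and drop leading/trailing digits and punctuation, so that
    'Summer2007' and 'summer' compare equal."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", word.strip().lower())


def merge_dictionaries(*sources: Iterable[str], min_len: int = 3) -> list[str]:
    """Merge word lists into one sorted, de-duplicated dictionary.
    Very short words are dropped: they only produce false positives in the
    substring check below without adding real protection."""
    seen: set[str] = set()
    for src in sources:
        for raw in src:
            w = normalize(raw)
            if len(w) >= min_len:
                seen.add(w)
    return sorted(seen)


def write_dictionary(path: str | Path, words: list[str]) -> int:
    """Write the merged dictionary one word per line; returns the word count."""
    Path(path).write_text("\n".join(words) + "\n", encoding="ascii")
    return len(words)


def candidate_forms(password: str) -> set[str]:
    """Forms of the password compared against the dictionary: normalized,
    leet-unfolded, and each of those reversed."""
    plain = normalize(password)
    unfolded = normalize(password.lower().translate(_LEET))
    forms = {plain, unfolded}
    forms |= {f[::-1] for f in list(forms)}
    return {f for f in forms if f}


def is_dictionary_based(password: str, dictionary: list[str]) -> bool:
    """True when any candidate form is a dictionary word, or contains a
    dictionary word of five or more characters."""
    words = set(dictionary)
    forms = candidate_forms(password)
    if forms & words:
        return True
    long_words = [w for w in words if len(w) >= 5]
    return any(w in f for f in forms for w in long_words)


if __name__ == "__main__":
    merged = merge_dictionaries(SHIPPED_WORDS, SITE_WORDS)
    print(write_dictionary("merged_words.txt", merged), "words written")
    for pw in ("P@ssw0rd!", "Summer2007", "terces", "Tr0ub4dor&3", "xK9#mQ2v"):
        print(f"{pw:14} dictionary-based: {is_dictionary_based(pw, merged)}")
```

The reversal and leet-unfolding steps are what make the merged file worth more than the shipped one: a word list only helps if the checker compares the forms users actually type, not just the literal words.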
During the evaluation phase, you may define some rules in error (such as rules denying access to the system directory or vital parts of the Windows registry). These rules can prevent users from logging on or executing commands. In such cases, it is very difficult to stop eTrust AC and fix these mistakes. An emergency exit is provided to assist you in resolving this type of problem.
The eTrust AC services are usually started automatically and immediately after a normal reboot. However, if Safe Mode with Networking is selected from the boot menu, the system starts without automatically starting the eTrust AC services.
This feature is needed only in the early stages of implementation and should be disabled later, since it can be used maliciously as a back door.
In order to disable this backdoor, define the registry value 'LockEE' of data type REG_DWORD under the registry key HKEY_LOCAL_MACHINE\Software\ComputerAssociates\eTrustAccessControl\eTrustAccessControl\ and set it to 1.
You can activate or deactivate the interception of the eTrust AC filter driver by assigning different values to the registry value 'UseFsiDrv' under the registry key HKEY_LOCAL_MACHINE\Software\ComputerAssociates\eTrustAccessControl\eTrustAccessControl\.
In order to activate interception, set 'UseFsiDrv' to 1; to deactivate it, set 'UseFsiDrv' to 0.
After changing this registry value, you should restart eTrust AC services.
Note: When the interception is deactivated, no eTrust AC rules apply.
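The three registry values described above (AcceptEmptyDomainLogin, LockEE and UseFsiDrv) each weaken a control when left at the wrong value, so a practitioner wants a repeatable check after rollout. The script below is an added example, not CA code: it reads those values on Windows with the standard-library winreg module and compares them against a hardening baseline. The key paths and value names are the ones the readme gives; the baseline values, the treatment of an absent value (an absent LockEE leaves the emergency exit enabled, an absent AcceptEmptyDomainLogin keeps the domain-name restriction, an absent UseFsiDrv is reported for manual verification) and the sample observation dictionaries are this example's own assumptions.

```python
"""Audit eTrust AC registry hardening values against a baseline.

Added example, not CA code. Key paths and value names come from the readme;
the expected values and the meaning assigned to absent values are assumptions
made here for a production baseline.
"""
from __future__ import annotations

import platform
from dataclasses import dataclass
from typing import Optional

BASE = r"Software\ComputerAssociates\eTrustAccessControl"
KEY_MAIN = BASE + r"\eTrustAccessControl"   # LockEE, UseFsiDrv
KEY_FSIDRV = BASE + r"\FsiDrv"              # AcceptEmptyDomainLogin

# (subkey, value name, expected value, effective value when absent, reason)
# 'effective value when absent' is None where this example cannot infer it.
CHECKS = [
    (KEY_MAIN, "LockEE", 1, 0,
     "Safe Mode with Networking emergency exit stays enabled unless LockEE=1"),
    (KEY_MAIN, "UseFsiDrv", 1, None,
     "with filter-driver interception off, no eTrust AC rules apply"),
    (KEY_FSIDRV, "AcceptEmptyDomainLogin", 0, 0,
     "AcceptEmptyDomainLogin=1 allows logons without a domain name"),
]


@dataclass
class Finding:
    value: str
    actual: Optional[int]   # None when the value is absent
    expected: int
    reason: str


def evaluate(observed: dict[tuple[str, str], Optional[int]]) -> list[Finding]:
    """Compare observed values, keyed by (subkey, name), against CHECKS.
    An absent value is replaced by its assumed effective value; when that is
    unknown (None) the check is reported so an operator verifies it by hand."""
    findings: list[Finding] = []
    for subkey, name, expected, when_absent, reason in CHECKS:
        actual = observed.get((subkey, name))
        effective = actual if actual is not None else when_absent
        if effective != expected:
            findings.append(Finding(name, actual, expected, reason))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Human-readable lines, one per deviation from the baseline."""
    if not findings:
        return ["OK: all audited eTrust AC values match the baseline"]
    return [f"FINDING {f.value}: actual={f.actual!r} expected={f.expected} ({f.reason})"
            for f in findings]


def read_live_values() -> dict[tuple[str, str], Optional[int]]:
    """Read the audited DWORD values from HKEY_LOCAL_MACHINE (Windows only)."""
    if platform.system() != "Windows":
        raise RuntimeError("live registry read requires Windows")
    import winreg  # standard library on Windows
    observed: dict[tuple[str, str], Optional[int]] = {}
    for subkey, name, _expected, _absent, _reason in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                data, _kind = winreg.QueryValueEx(key, name)
                observed[(subkey, name)] = int(data)
        except FileNotFoundError:   # key or value does not exist
            observed[(subkey, name)] = None
    return observed


if __name__ == "__main__":
    for line in report(evaluate(read_live_values())):
        print(line)
```

Run it as an administrator after the evaluation phase; the separation between read_live_values and evaluate also lets the same baseline be applied to values exported from many endpoints offline.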
If you plan to install both eTrust AC for Windows and eTrust Audit r1.5 on the same computer, make sure that eTrust AC archiving is disabled by leaving the registry value BackUp_Date under the registry key HKEY_LOCAL_MACHINE\Software\ComputerAssociates\eTrustAccessControl\logmgr at its default value of 'none'.
This ensures that eTrust AC archiving is replaced by the more flexible and powerful archiving provided by eTrust Audit.
After you create a new database, run the CA software coexistence utility, eACoexist.exe. This utility is essential for updating the newly created database correctly and avoiding future conflicts between other CA products and eTrust AC. To run the utility, issue the following command from the eTrust AC root directory:
eACoexist.exe Coexistence
When you install eTrust AC on Windows XP SP2, eTrust AC opens a port, 8891, for TCP connections. This serves as the default port for eTrust AC agent-client connections.
auth SURROGATE USER.Administrator uid("NT AUTHORITY\SYSTEM") acc(R)
so dms+(new_dms_name)
Note: You will need to issue the same command if you did not specify the DMS node during installation, or if you want to replace or add the registered DMS on the end-point. However, when you specify DMS nodes to create during installation, the DMS is added to the database and you do not need to manually run the above command.
However, you can manage IA64 endpoints from an x86 system.
However, you can create reports remotely by running the utility on an x86 system.
However, you can manage IA64 endpoints from an x86 system.
However, you can create reports remotely by running the utility on an x86 system.
You can disable the following eTrust AC interceptions at the kernel level:
Even when the network, process, registry, and file classes are disabled and you are not using those classes to intercept kernel activity, the interception code for each of them is still initialized at boot time and runs at run time, which affects performance. To improve performance, you can prevent one or more interceptions from initializing at boot time.
To disable eTrust AC interceptions at the kernel level
The entries must be created under the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\drveng\Parameters
eTrust AC reloads without initializing the disabled interception types.
1607: Unable to install InstallShield Scripting Runtime
To work around this problem, use the full universal naming convention (UNC) path (for example, \\MyMachine\DriveE\InstallDir\PolicyManager).
For example, to create a Policy Model and define its parent, use the following command:
createpmd subs2 admins(abc123 root) auditors(abc123 root) desktop(pcp369499) \ parentpmd("aa@pcp369499,bb@pcp369499")
Situation: List all audit records that were logged between 17:00 yesterday and 08:00 today.
Command: seaudit -a -st 17:00 -et 08:00
The example should read:
Situation: List all audit records that were logged between 17:00 (the first day) and 08:00 (the following day), for all dates.
Command: seaudit -a -st 17:00 -et 08:00
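The corrected example states that -st 17:00 -et 08:00 is a time-of-day window applied on every date, wrapping past midnight, rather than a span from yesterday to today. To make that distinction concrete, the following Python is an added example (not seaudit itself) that applies such a window to a handful of constructed audit records. It assumes the boundaries are inclusive and uses a constructed record layout; real seaudit output is formatted differently.

```python
"""Apply a seaudit-style -st/-et time-of-day window to audit records.

Added example, not the seaudit utility. Records are constructed and the
inclusive treatment of both boundaries is an assumption made here.
"""
from __future__ import annotations

from datetime import datetime, time

# Constructed records: (timestamp, event). Not real seaudit output.
RECORDS = [
    ("2007-10-01 16:59", "login Administrator ok"),
    ("2007-10-01 17:00", "login Administrator ok"),
    ("2007-10-01 23:30", "file C:\\Windows\\System32\\config denied"),
    ("2007-10-02 03:15", "login svc_backup ok"),
    ("2007-10-02 08:00", "login alice ok"),
    ("2007-10-02 08:01", "login alice ok"),
    ("2007-10-03 18:45", "registry HKLM\\SOFTWARE denied"),
]


def parse_hhmm(text: str) -> time:
    """Parse an HH:MM argument as used with -st and -et."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def in_window(t: time, start: time, end: time) -> bool:
    """Inclusive time-of-day window. When start is later than end the window
    wraps past midnight (17:00 to 08:00 covers 17:00-23:59 and 00:00-08:00)."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def select(records: list[tuple[str, str]], st: str, et: str) -> list[tuple[str, str]]:
    """Return the records whose time of day falls in the window, on any date."""
    start, end = parse_hhmm(st), parse_hhmm(et)
    chosen = []
    for stamp, event in records:
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M").time()
        if in_window(t, start, end):
            chosen.append((stamp, event))
    return chosen


if __name__ == "__main__":
    for stamp, event in select(RECORDS, "17:00", "08:00"):
        print(stamp, event)
```

Note that the 2007-10-03 18:45 record is selected even though it is two days after the others: the window is a daily recurrence, which is exactly the point of the corrected wording.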
The following third-party license agreements are missing from the Release Summary.
Portions of this product include software developed by Markus Friedl and are distributed in accordance with the following copyright and permission notices.
/* $OpenBSD: crc32.c,v 1.9 2003/02/12 21:39:50 markus Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
You can use the Software by one user on one computer at a time. You will obtain a separate license for each additional user of the Software on your site. The total number of concurrent users of the Software at one site may not exceed the number of licenses granted to you for that site. Licensed users of the Software may install one additional copy on a machine at home.
The software is in use on a computer when it is loaded into the RAM or installed into the permanent memory (e.g., hard disk or other storage device) of that computer.
You may not sell, license, sub-license, lend, lease, rent, share, assign, transmit, telecommunicate, export, distribute or otherwise transfer the Software to others. You may not modify, reverse engineer, decompile, decrypt, extract or otherwise disassemble the Software. You may make only one copy of the Software for archival or backup purposes.
You agree not to remove any of IndigoSTAR's copyright, trade-mark and other proprietary notices from the Software.
Portions of this product include the RSA Data Security, Inc. MD5 Message-Digest Algorithm. The RSA Data Security software is distributed in accordance with the following license agreement.
/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm */
/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is"
without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or software.
*/
This product includes software developed by Eric Young and is distributed in accordance with the following license terms.
Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
All rights reserved.
This package is an DES implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with MIT's libdes.
This library is free for commercial and non-commercial use as long as
the following conditions are aheared to. The following conditions
apply to all code found in this distribution.
Copyright remains Eric Young's, and as such any Copyright notices in
the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution
as the author of that the SSL library. This can be in the form of a textual
message at program startup or in documentation (online or textual) provided
with the package.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by Eric Young (eay@cryptsoft.com)
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
The license and distribution terms for any publically available version or
derivative of this code cannot be changed. i.e. this code cannot simply be
copied and put under another distrubution license
[including the GNU Public License.]
The reason behind this being stated in this direct manner is past
experience in code simply being copied and the attribution removed
from it and then being distributed as part of other packages. This
implementation was a non-trivial and unpaid effort.
/*
* Copyright 1999-2004 The Apache Software Foundation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
The complete list of published bug fixes for this product can be found through Published Solutions on Support Online.
An internationalized product is an English product that runs correctly on local language versions of the required operating system and required third-party products, and supports local language data for input and output. Internationalized products also support the ability to specify local language conventions for date, time, currency and number formats.
A translated product (sometimes referred to as a localized product) is an internationalized product that includes local language support for the product's user interface, online help and other documentation, as well as local language default settings for date, time, currency, and number formats.
In addition to the English release of this product, CA supports only those languages listed in the following table.
Language | Internationalized | Translated |
---|---|---|
Brazilian-Portuguese | Yes | No |
Chinese (Simplified) | Yes | Yes |
Chinese (Traditional) | No | No |
Czech | Yes | No |
Danish | Yes | No |
Dutch | Yes | No |
Finnish | Yes | No |
French | Yes | No |
German | Yes | No |
Greek | Yes | No |
Hungarian | Yes | No |
Italian | Yes | No |
Japanese | Yes | Yes |
Korean | Yes | Yes |
Norwegian | Yes | No |
Polish | Yes | No |
Russian | Yes | No |
Spanish | Yes | No |
Swedish | Yes | No |
Turkish | Yes | No |
Note: If you run the product in a language environment not listed in the table, you may experience problems.
Important! The following eTrust AC components are not localized: mainframe password synchronization, Unicenter migration, advanced policy-based management and reporting, and the API samples.
Updated guides for this product are available at http://ca.com/support.
The PDF guides for this product are as follows:
To view PDF files, you must download and install the Adobe Reader from the Adobe website if it is not already installed on your computer.
Contact Technical Support
For your convenience, CA provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise CA products. At http://ca.com/support, you can access the following:
Provide Feedback
If you have comments or questions about CA product documentation, you can send a message to techpubs@ca.com.