| CA |
2.0 Considerations
2.1 CA Access Control Endpoint Support for OEL 4 and 5
2.2 Install CA Access Control 32-bit Binaries on Linux x86 64-bit
2.3 libstdc++.so.5 Library Is Required On Linux Computers
2.4 Certified for Windows Server 2008
2.5 Windows Server 2008 Server Core Installation
2.6 Dates in Users Creation Date Report Are in GMT Time
2.7 Unified License Code for CA Access Control Premium Edition
2.8 Latest Reports File (.biar) and Import Configuration File (.xml)
3.0 Known Issues
3.1 Windows Endpoints Issues
3.1.1 Report Agent Registry Keys are Not Updated to SSL Mode
3.1.2 Windows Server 2008 Does Not Support SURROGATE Class
3.1.3 Restart Required After Restarting Trend Micro™ PC-cillin Antivirus
3.2 UNIX Endpoints Issues
3.2.1 AIX Upgrade Fails When You Use a Soft Link
3.3 Server Components Issues
3.3.1 Policy Deviation Calculator Does Not Recognize Deleted Files
3.3.2 Missing Data in Policy Versions Report
3.3.3 Cannot Install CA Business Intelligence in an Empty Directory
3.3.4 License Agreement for Japanese CA Access Control Report Server Installation Is Not Translated
3.3.5 Duplicated Policy Tab in Korean CA Access Control Enterprise Management
3.3.6 Unreadable Characters In Non-English Report Output
3.4 Documentation Issues
3.4.1 Latest Localized Documentation Not Available on ISO Images
3.4.2 Incorrect Parameter in restorepmd Command
3.4.3 Update to Release Notes Topic—SAN Support for Windows Endpoints
3.4.4 Undocumented Flag in setoptions Command
3.4.5 Undocumented secons -kt and secons -ktc Functions
3.4.5.1 secons -kt Function—Display Kernel Tables on UNIX
3.4.5.2 secons -ktc Function—Clean, Enable, or Disable Kernel Cache Tables on UNIX
3.4.5.3 Kernel Tables
3.4.5.4 Kernel Table Column Names
3.4.5.5 Cache Tables
3.4.5.6 Protected Resource Tables
3.4.5.7 Bypass Tables
Welcome to the CA Access Control r12.0 SP1 CR2 readme. This readme contains issues and other information discovered after publication. For a complete list of the known issues for this release and details about how the features and enhancements for this release might affect you, see the Release Notes.
This section describes considerations that affect product installation and use and were discovered after publication.
You can now install a CA Access Control endpoint on Linux x64 and x86 hardware that runs OEL (Oracle Enterprise Linux) 4 or 5.
To install CA Access Control 32-bit binaries on Linux x86 64-bit we recommend that you use the 120sp1_CR1_LINUX.tar.Z or 120sp1_CR1_LINUX_RPM.tar.Z installation packages, or later versions of these installation packages. These installation packages install 32-bit CA Access Control binaries on Linux x86 64-bit systems. If you are upgrading, these packages maintain compatibility with the previous 32-bit CA Access Control installation. Before you install CA Access Control, you must make sure that the following operating system 32-bit libraries are installed:
ld-linux.so.2, libICE.so.6, libSM.so.6, libX11.so.6, libXext.so.6, libXp.so.6, libXt.so.6, libc.so.6, libcrypt.so.1, libdl.so.2, libgcc_s.so.1, libm.so.6, libncurses.so.5, libnsl.so.1, libpam.so.0, libpthread.so.0, libresolv.so.2, libstdc++.so.5, libaudit.so.0 (RHEL 5 and OEL 5 only) The following is a list of relevant RPM packages that are required:
Before you install CA Access Control 32-bit binaries on a 32-bit or 64-bit Linux computer, you must make sure that the libstdc++.so.5 32-bit library is installed. If you do not install this library, the ReportAgent daemon will not start after you install CA Access Control.
CA Access Control has been certified for Windows Server 2008 (Windows Logo Program). You can find custom installation actions that are performed by the CA Access Control installation program on CA Support Online (Document ID: TEC493733) at:
https://support.ca.com/irj/portal/anonymous/phpdocs?filePath=0/154/154_techdocindex.html
Note: For more information on the Windows Logo Program, see Windows Hardware Developer Central.
To install CA Access Control on Windows Server 2008 Server Core, use a silent (non-interactive) CA Access Control installation.
In the CA Access Control Users Creation Date report, the creation time and date is displayed as GMT (Greenwich Mean Time). This ensures that the dates in the report are consistent for hosts in different timezones.
Because the CA Access Control Users Creation Date report uses GMT and not the host timezone, the creation time and date in the report may differ from the creation time and date displayed by the host.
From r12.0 SP1 CR1 onwards, CA Access Control Premium Edition has a unified license code. The CA Access Control Premium Edition license component names are 2E2U for both Windows and UNIX.
The Implementation Guide provides instructions for locating the CA Access Control reports file (.biar) and the import configuration file (.xml), which you need to customize the files for your RDBMS and environment. You can find the latest version of these files as a test fix on CA Support Online.
This section describes the known issues, workarounds, and solutions for CA Access Control that were discovered after publication.
This section describes known issues for CA Access Control Windows endpoints.
If you install the Report Agent in non-SSL mode, and after installation you change the Report Agent configuration to SSL mode, CA Access Control does not update the report_server and use_ssl registry entries in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\ReportAgent
To fix this problem, after you change the Report Agent configuration to SSL mode, change the value of the registry entries as follows:
Impersonation interception (SURROGATE class functionality) is not supported on Windows Server 2008 endpoints.
If you install CA Access Control and Trend Micro™ PC-cillin Antivirus on the same computer:
This section describes known issues for CA Access Control UNIX endpoints.
On AIX, if you use a native package installation on a soft link to upgrade CA Access Control r12.0 SP1 to r12.0 SP1 CR1, or to r12.0 SP1 CR2, the upgrade fails and the r12.0 SP1 installation of CA Access Control is removed.
To avoid this problem, do not use a native package installation on a soft link to upgrade to CA Access Control r12.0 SP1 CR1 or CR2.
This section describes known issues for CA Access Control server components (CA Access Control Endpoint Management, CA Access Control Enterprise Management including advanced policy management, and Enterprise Reporting).
The policy deviation calculator checks the difference between the rules that should be deployed on an endpoint (as a result of policy deployment) and the actual rules that are deployed on the endpoint. However, if there is a dependency between two policies, the policy deviation calculator does not recognize when a FILE object has been deleted if the FILE object is associated with one of the dependent policies. Because of this, the policy deviation calculator does not display information about the deleted FILE object in the deviation log and error file.
In the Policy Versions report, no data is displayed in the Last Updated By column for policies that were deployed by the policydeploy utility. To avoid this issue, manage all policies through CA Access Control Enterprise Management.
If you try to install CA Business Intelligence in an empty directory, the installation does not proceed and the following message appears:
Validating Disk Space Requirement
To install CA Business Intelligence, create an object in the empty directory (for example, a folder or a text file) before you install the product.
When you install the localized Japanese version of CA Access Control Report Server on a Solaris computer, the license agreement is in English.
If you use a Korean browser to access the localized Korean version of CA Access Control Enterprise Management, the Policy subtab in the Policy Management tab appears twice.
When you export a non-English report to PDF, unreadable characters appear in the PDF output.
The latest localized documentation is not available for installation from the CA Access Control ISO images. When you install a localized version of the product, CA Access Control installs an older edition of the documentation.
Localized documentation will be available on CA Support Online after the Cumulative Release (CR) is released.
In the selang Reference Guide, a parameter for the restorepmd command is incorrect. The parent_pmd parameter should read parentpmd.
The restorepmd command should read as follows:
restorepmd pmdName [source(path)] [admin(user)] [xadmin(user)] [parentpmd(name)]
The SAN Support topic in Windows Endpoint Considerations section of the Release Notes should read:
CA Access Control supports a SAN (storage area network) environment when you install CA Access Control on:
Note: If the SAN is accessible from multiple hosts, install CA Access Control on each host that can access the SAN and use each installation to protect files on the SAN.
Note: The previous condition only applies when you install CA Access Control on a SAN disk. If you install CA Access Control on a local file system and use it to protect files on a SAN, you do not need to manually start CA Access Control each time you restart the computer.
If the SAN is accessible from multiple hosts and CA Access Control is installed on the SAN, and you want to install CA Access Control from a different host to the same location on the SAN, consider the following before you begin:
In the selang Reference Guide, a flag is not documented for the setoptions command. The additional flag is:
{setoptions | so} class (className) flags{+|-} I
This flag sets or clears case-sensitivity for objects in the specified class.
Note: This command is valid in the AC environment.
In the Reference Guide, the secons -kt and secons -ktc functions are not documented. The following topics explain these functions.
Valid on UNIX
The secons utility displays the kernel tables.
This command has the following format:
secons -kt number
Displays the specified kernel table.
Specifies the kernel table to display. number must be one of the following values:
Specifies to display the SpecPgm kernel table.
Specifies to display the TrustPg kernel table.
Specifies to display the LoginPg kernel table.
Specifies to display the DBfiles kernel table.
Specifies to display the FRegExp kernel table.
Specifies to display the DCMfile kernel table.
Specifies to display the AC pids kernel table.
Specifies to display the InoCach kernel table.
Note: Not valid on Linux.
Specifies to display the F cache kernel table.
Specifies to display the NetwDCM kernel table.
Specifies to display the MntDirs kernel table.
Specifies to display the F inode kernel table.
Specifies to display the STOPbyp kernel table.
Note: You cannot display this kernel table if STOP is not enabled.
Specifies to display the STOPexp kernel table.
Note: You cannot display this kernel table if STOP is not enabled.
Specifies to display the Family kernel table.
Specifies to display the DbgProt kernel table.
Specifies to display the TCPport kernel table.
Specifies to display the TCPoutp kernel table.
Specifies to display the ProcSrv kernel table.
Example: Display the DBfiles Kernel Table
The following example shows you an example of the output when you display the DBfiles kernel table:
secons -kt 4 DBfiles file ID i-node device program name 1 29 280391 356515 /opt/CA/AccessControl/seosdb/seos_ids.dat 2 3 0 0 /opt/CA/AccessControl/etc/privpgms.init
Valid on UNIX
The secons utility cleans, enables, or disables the kernel cache tables.
This command has the following format:
secons -ktc optionNumber
Specifies to clean, enable, or disable a kernel cache table.
Specifies the action to perform. optionNumber must be one of the following:
Cleans the F cache table.
Enables the F cache table.
Disables the F cache table.
Cleans the NetwDCM table.
Enables the NetwDCM table.
Disables the NetwDCM table.
Cleans the F inode table.
Note: Not valid on Linux.
Enables the F inode table.
Note: Not valid on Linux.
Disables the F inode table.
Note: Not valid on Linux.
Example: Clean the F cache Table
The following example cleans the F cache table:
secons -ktc 1
Kernel tables list frequently-accessed information to help improve CA Access Control performance. Kernel tables improve performance because CA Access Control does not need to check the database to permit, deny, or resolve events that are listed in the kernel tables.
CA Access Control includes the following types of kernel tables:
The following table provides information about each kernel table:
| Table Name | Type | Lists | Column Names | Configuration Setting |
|---|---|---|---|---|
| SpecPgm | Protected resource | All objects in the SPECIALPGM class | flags; user; oid; i-node; device; program | SPECIALPGM class records |
| TrustPg | Protected resource | All objects in the PROGRAM class | flags; i-node; device; program | PROGRAM class records |
| LoginPg | Protected resource | All objects in the LOGINAPPL class | flags; i-node; device; program name | LOGINAPPL class records |
| DBfiles | Protected resource | All objects in the FILE class | file ID; i-node; device; program | FILE class records Note: The maximum number of records in this table is defined by max_regular_file_rules in the SEOS_syscall section of the seos.ini file |
| FRegExp | Protected resource | Generic file access rules that are defined in the FILE class | fid; expression | Defined by a generic rule in a FILE class record Note: The maximum number of records in this table is defined by max_general_file_rules in the SEOS_syscall section of the seos.ini file |
| DCMfile | Bypass | Do-not-call-me files that you define using GAC | fid; user; type; access | GAC.init file |
| ACpids | Bypass | Process IDs for the CA Access Control daemons | pid; service; contractID | - |
| InoCach | Cache | Cached inodes | i-node; device; priority; entry | cache_enabled in the SEOS_syscall section of the seos.ini file |
| F cache | Cache | Cached file access authorization results | file ID; access; acee; answer; phash; prio | - |
| NetwDCM | Cache | Cached accepted incoming TCP connections | peer; port; local port; flag; prio | UseNetworkCache in the seosd section of the seos.ini file |
| MntDirs | Protected resource | Directories that CA Access Control protects from mounting | dir ID; i-node; device; mount point | - |
| F inode | Protected resource | Inode and device number of objects in the FILE class | file ID; i-node; device; links | - |
| STOPbyp | Bypass | Objects in the PROGRAM class for which CA Access Control does not provide STOP protection | i-node; device; program | If STOP is enabled, objects in this table have a SPECIALPGM record with the property pgmtype(STOP) |
| STOPexp | Bypass | Regular expressions that define objects in the PROGRAM class for which CA Access Control does not provide STOP protection | priority; n-chars; expression | If STOP is enabled, objects in this table are defined by a generic rule in a SPECIALPGM record with the property pgmtype(STOP) |
| Family | Bypass | CA Access Control daemons | service; pid; contractID | - |
| DbgProt | Protected resource | CA Access Control binaries that CA Access Control protects from debugging | pid; access; name in proc | - |
| TCPport | Bypass | Ports for which seos_syscall will not pass events to seosd | TCP port | bypass_TCPIP in the seosd section of the seos.ini file |
| TCPoutp | Bypass | Ports for which seos_syscall will not pass outgoing connection events to seosd | TCP port | bypass_outgoing_TCPIP in the seosd section of the seos.ini file |
| ProcServ | Process | Lists information about all the processes running in the system | #n; pid; ppid; acee; flags; uid; euid; zone; arg0; ACuser Note: There are many more internal columns in this table that are not displayed by the secons utility |
- |
The following list explains the kernel table column names:
Entry number in the kernel table.
Defines the type of access that CA Access Control permits, or the type of access that a user requested. The value is a sum of access types:
1-read
2-write
4-chown
8-chmod
16-rename
32-unlink
64-utimes
128-chattr
256-link
512-chdir
1024-create
Defines the ACEE of the user making the access request.
Defines the CA Access Control user name of the user.
Defines the response (permit or deny) that CA Access Control made to the access request. Valid values include:
0–deny
1–permit
Defines the program name, as defined in argument number 0 when the program executes.
(Solaris 10 only) Defines the contract process ID.
Defines the logical disk that the file resides on.
Defines the directory ID.
Defines the string value of the inode.
Defines the effective user ID.
Defines the expression (text pattern used for string matching) that specifies the resources to which the entry applies.
Defines the file ID that CA Access Control uses to identify the file.
Defines the bit mask flag for the entry.
Defines the inode number.
Defines the number of hard links of the file.
Defines the port on the local host that accepts the incoming TCP connection.
Defines the location in the directory to protect from mounting.
Defines the number of characters in the expression.
Defines the process name in the /proc file system.
Note: In the /proc file system, each process is represented as a file, and the file name is the process number.
Defines the object ID.
Defines the peer host address.
Defines the hash value of a path string.
Defines the process ID.
Defines the port from which the incoming TCP connection originated.
Defines the parent process ID.
Defines the priority of the entry in the kernel table. When the kernel table is full, the entry with the lowest priority is removed when CA Access Control writes a new entry to the kernel table.
Defines the name of the program.
Defines the name of the CA Access Control service (daemon).
Defines the TCP port to which the entry applies.
Defines the protected file type.
Defines the user ID.
(Solaris 10 only) Defines the zone ID.
Note: The value of this column is always 0 for a non-Solaris 10 computer.
There are three types of kernel cache tables:
When an identical authorization request is made, CA Access Control answers the request with the last response that is stored in the file cache table.
Note: The file cache tables is cleaned every 30 minutes and whenever a record changes in the following classes: CALENDAR, CONTAINER, FILE, GFILE, GROUP, HOLIDAY, PROGRAM, SECLABEL, SECLEVEL, SHIFT, and USER.
When CA Access Control needs to resolve an inode number to a file name, it checks the InoCach table before it checks the file system.
When CA Access Control receives an incoming TCP request that is identical to a request in the network cache, CA Access Control automatically permits the request.
You can use the secons utility to display, clean, enable, and disable kernel cache tables.
When CA Access Control intercepts an authorization request, it checks if the resource to which access is requested is listed in the protected resource tables in the kernel.
If the resource is listed in the protected resource tables, CA Access Control always sends an authorization request to the CA Access Control engine. If the resource is not listed in the protected resource table, CA Access Control may not send an authorization request to the engine but instead resolve the access request in the kernel.
When CA Access Control intercepts an authorization request, it checks if the resource to which access is requested is listed in the bypass tables in the kernel.
If the resource is listed in the bypass tables CA Access Control permits the access request. If the resource is not listed in the bypass tables CA Access Control passes the request to the CA Access Control authorization engine for further access checks.
Contact Technical Support
For your convenience, CA provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise CA products. At http://ca.com/support, you can access the following:
Provide Feedback
If you have comments or questions about CA product documentation, you can send a message to techpubs@ca.com.
If you would like to provide feedback about CA product documentation, complete our short customer survey, which is also available on the CA Support website, found at http://ca.com/docs.