CA eTrust® SiteMinder® Policy Server r6.0 SP5 Readme

3.0 System Requirements
3.1 Windows
3.2 UNIX
3.3 Minimum JDK/JRE Version for SiteMinder 6.0 SP 5/6.x QMR 5

4.0 Installation Considerations
4.1 Upgrading the Policy Server from 4.61 SP5J or 6.0 SP1J
4.2 MDAC Versions
4.3 Compatibility with Other Products
4.4 Updated snmptrap File
4.5 Operational Changes from 5.x to 6.x
  4.5.1 Failed Password Change Requests
  4.5.2 Effect of Single Policy Server Process on Audit Logging to Text Files (19630)
  4.5.3 iPlanet Web Server Startup (24343)
  4.5.4 Policy Server User Interface Requires Sun Java Plug-in
  4.5.5 Report Files
  4.5.6 No Default Policy Store
  4.5.7 Remote Services Variables Superseded
  4.5.8 Cache Settings Simplified
  4.5.9 Changes to the Cache Model
4.6 Solaris Considerations
  4.6.1 Solaris 10 Support
  4.6.2 Required Operating System Patches on Solaris (24317, 28691)
  4.6.3 Network Connectivity Errors Appear in the SMPS Log due to a gethostbyname() Error (54190)
4.7 Red Hat Enterprise Linux Advanced Server Considerations
  4.7.1 Policy Server and Red Hat Enterprise Linux Advanced Server
  4.7.2 Updated Database Drivers for Red Hat Enterprise Linux AS 3.0 to 5.1 (47304) (42834)
  4.7.3 SiteMinder SDK and Red Hat Enterprise Linux Advanced Server (28268) (28203)
  4.7.4 Red Hat Enterprise Linux Advanced Server Requires Korn Shell (28782)
  4.7.5 Excluded Features on Red Hat Enterprise Linux Advanced Server
  4.7.6 Apache 2.0 Web Server and Servlet Exec 5.0 on Red Hat Enterprise Linux Advanced Server (29518, 28447)
4.8 HP-UX Considerations
  4.8.1 Required Operating System Patches on HP-UX
  4.8.2 Kernel Parameters
  4.8.3 Excluded Features on HP-UX
  4.8.4 Apache 1.3.28 Web Server Installation Fails on HP-UX 11i (28327) (28302)
  4.8.5 Apache 2.0 Web Server and Servlet Exec 5.0 on HP-UX 11i (29517, 28446)

5.0 General Considerations
5.1 IdentityMinder Object Support in v6.x Policy Stores (29351)
5.2 NTLM Authentication Scheme Replaced by Windows Authentication Scheme
5.3 Unsupported Features
5.4 System Management Limitations
  5.4.1 OneView Monitor GUI Alert Issue in Netscape 6.2.3 Browser (23634) (23128)
  5.4.2 Pop-up Blockers May Interfere with Help
  5.4.3 UserDirectoryConnections Registry Setting No Longer Required for Setting the Maximum Number of Connections (27442)
5.5 Policy Server Limitations
  5.5.1 Text Truncated When Installing Policy Server Using Exceed (25757)
  5.5.2 Error Changing Long Password When Password Services is Enabled (26942)
  5.5.3 Leading Spaces in User Password May Not Be Accepted (27619)
  5.5.4 DMS Configuration Wizard Next Button Disabled in Netscape 6.2.3 Browser (27208)
  5.5.5 Netscape 6.2.3 Browser Causes Missing Attribute Types in Response Attribute Editor (27214)
  5.5.6 Netscape 6.2.3 Browser Causes Unreadable Date in Time Dialog (27199)
  5.5.7 Netscape Browser Causes Missing Attributes in SiteMinder Response Dialog (44675, 44668)
  5.5.8 Certificate Mappings Issue with certain Policy Stores (27027, 30824, 29487)
  5.5.9 Handshake Errors with Shared Secret Rollover Enabled (27406)
  5.5.10 Policy Server's Sharing Same Policy Store Not Updated Consistently (39844) (39837)
  5.5.11 Internal Server Error When Using SecureID Forms Authentication Scheme (39664)
  5.5.12 X.509 Client Certificate or Form Authentication Scheme Issue (39669)
  5.5.13 Certain User Name Characters Keep Policy Server From Authenticating or Authorizing Users (39832)
  5.5.14 RBAC: Policy Server and IdentityMinder Application Name Issue (39777)
  5.5.15 RBAC: Policy Server and IdentityMinder Environment Roles/Tasks Issue (39776)
  5.5.16 DEBUG Logging With SafeWord Authentication Schemes Causes Policy Server to Fail (42222, 43051)
  5.5.17 Active Directory Integration Enhancement For LDAP Namespace (43264, 42601)
  5.5.18 Policy Server Does Not Support Roll Over of Radius Log (44398) (43729) (42348)
  5.5.19 smnssetup Tool Deprecated (44964) (45908) (46489)
  5.5.20 Policy Server Fails to Initialize Java Virtual Machine on Red Hat 3.0 (44649) (44971)
5.6 User Directory Limitations
  5.6.1 ODBC User Store Failover
5.7 Perl Scripting Interface Limitations
  5.7.1 Perl use Statement for PolicyMgtAPI Must Come Before Use Statement for AgentAPI (24755)
  5.7.2 Methods that Return Arrays May Return undef in a One-Element Array (28499)
  5.7.3 Perl Scripting Interface and Multi-valued Agent Configuration Parameters (37850)
5.8 Compatibility Limitations
  5.8.1 Oracle Parallel Server and Oracle Real Application Clusters Not Supported (27510)
5.9 Japanese Policy Server Limitations
  5.9.1 Agent Shared Secrets are Limited to 175 Characters (30967, 28882)

6.0 Known Issues
6.1 Testing SunOne Directory Server Connections on Windows
6.2 Password Screen does not Prompt for Multiple SafeWord Authenticators (56766)
6.3 Users are Incorrectly Redirected after Receiving a New SecureID PIN (56738)
6.4 Policy Server May Fail to Start due to a Dynamically Updated system_odbc.ini File
6.5 Policy Server Installer Lists an Unsupported Operating System
6.6 Mixed Certificate-Based Authentication Schemes (27997)
6.7 UserDN Equal to or Greater than 1024 Characters Causes a Password Change to Fail (53823)
6.8 Multi-mastered LDAP User Store Support Limitations (53677)
6.9 Policy Server Audit Logging Text File does not Audit Impersonator Events (52392)
6.10 Passwords for User Accounts Stored in Active Directory cannot be Locked (48125)
6.11 Affiliate Domain Limitation When Upgrading 6.0 Policy Server on Japanese System (46338) (45693)
6.12 Configuring Registration Services for 6.0 SP1J (29659, 29660)

8.0 International Support

9.0 Documentation
9.1 Integrated Documents
9.2 Option Pack Guide is Obsolete
9.3 Policy Server Help
9.4 Policy Design Guide Amendment
9.5 Formatting Error in Alphabetically Ordered Procedures
9.6 Release Numbers on Documentation

10.0 Contact Technical Support

1.0 Welcome

This file contains operating system support, installation considerations, known issues, fixes, and information about contacting CA Technical Support.

Before you install the Policy Server, ensure you are using a supported operating system and third-party software. For a list of supported operating systems, Web Servers, databases, Web browsers, LDAP Directory Servers, and servlet engines:

Log into the Technical Support site.

Search for the SiteMinder Platform Matrix for 6.0.

3.0 System Requirements

The following requirements must be met or exceeded for the SiteMinder Policy Server to install and run correctly.

3.1 Windows

The following requirements exist for Windows:

128 MB system RAM (minimum).

250 MB free hard disk space in the install location, and 180 MB of free space in the system's temporary file location.
Note: These requirements are based on a medium size policy database, which is approximately 1,000 policies.

Ensure that you have the required JRE version installed. For the required version, search for the SiteMinder Platform Matrix for 6.0 on the Technical Support site. You can download the latest JRE version at the Sun Developer Network (SDN).

Note: Additional non-system requirements exist in the Policy Server Installation Guide.

3.2 UNIX

The following requirements exist for UNIX:

128 MB RAM

300 MB free hard disk space, and 200 MB of free disk space in /tmp.
Note: Typically, 10 MB or less free disk space in /tmp is required for the daily operation of the Policy Server. The Policy Server creates files and named pipes under /tmp. The path to which these files and pipes are created cannot be changed.

Ensure that you have the required JRE version installed. For the required version, search for the SiteMinder Platform Matrix for 6.0 on the Technical Support site. You can download the latest JRE version which at the Sun Developer Network (SDN).

Note: Additional non-system requirements exist in the Policy Server Installation Guide.

3.3 Minimum JDK/JRE Version for SiteMinder 6.0 SP 5/6.x QMR 5

SiteMinder requires the use of JDK/JRE 1.5.0_01 or later, but note the following caveats:

JDK 1.5.0_06 through JDK 1.5.0_08 leaks handles on Windows platforms.
This issue is a result of a Sun Microsystems bug. Refer to Sun bug number 6399321.

JDK 1.5.0_05 causes ServletExec to crash on dual processor machines.

4.0 Installation Considerations

For Policy Server installation instructions, see the Policy Server Installation Guide.

4.1 Upgrading the Policy Server from 4.61 SP5J or 6.0 SP1J

Upgrading a Japanese Policy Server to 6.0 SP5 overwrites the localized version. The Japanese Policy Server is not being localized for 6.0 SP5.

4.2 MDAC Versions

It is required that the MDAC versions installed on the client and server sides are compatible.

Note: More information exists in the Microsoft MDAC documentation.

4.3 Compatibility with Other Products

To ensure interoperability if you use multiple products, such as IdentityMinder, Identity Manager, TransactionMinder, and eProvision, check the Platform Support Matrices for the required releases of each product. The platform matrices exist on the Technical Support site.

4.4 Updated snmptrap File

This service pack includes an updated snmptrap.conf file. Before installation, back up and save the original snmptrap.conf file, located in <siteminder_installation>\config.

4.5 Operational Changes from 5.x to 6.x

The following features behave differently in version 6.0 or later.

4.5.1 Failed Password Change Requests

When a 5.5 user submits a password change request that contains an invalid current password, the Password Change Information screen appears with a message stating that the current password is invalid. The user can provide the correct credential and change the password. In 6.x, this behavior has changed. If an On-Auth-Reject-Redirect response:

Is not bound to the policy configured with the user store, the Policy Server redirects the user to the login screen without the invalid current password message.

Is bound to the policy configured with the user store, the Policy Server redirects the user to the URL associated with the On-Auth-Reject-Redirect response.

Enabling the DisallowForceLogin registry key allows the 5.5 behavior in a 6.x environment. The registry key is located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer

The KeyType must be configured as REG_DWORD and the Value must be 0 (disabled) or 1 (enabled). The registry key is disabled by default.

If a value other than 0x1 is configured, the feature is disabled. If the registry key is disabled, the 6.x behavior is in effect.

4.5.2 Effect of Single Policy Server Process on Audit Logging to Text Files (19630)

Prior to SiteMinder v6.0, when the audit logging was configured to write to text files, each Policy Server process added to the configured base filename. The addition included a distinguishing string ( "_Acct", "_Adm", "_Auth" or "_Az" ) and a current date-time string. The v6.0 single-process Policy Server does not add distinguishing characters to the configured file name (other than appending .<number> when rolling over the log files).

Regarding the effect of new policy stores on audit logging, see Audit Logs (24116).

4.5.3 iPlanet Web Server Startup (24343)

An iPlanet Web server no longer starts automatically after configuration. This applies to all supported platforms.

4.5.4 Policy Server User Interface Requires Sun Java Plug-in

Viewing the Policy Server User Interface on supported versions of Microsoft Internet Explorer requires the Sun Java Plug-in.

To verify that the proper Java Plug-in is installed and enabled

Windows:

From the Control Panel, select Java Plug-In.

On the Browser tab, make sure that Microsoft Internet Explorer is checked and click Apply.

UNIX:

Follow the instructions for starting the Java Control Panel in the Java Plug-in Developer Guide for JSE 1.4.2.

If the plug-in is not set, the Policy Server User Interface stalls indefinitely at the Downloading Administration dialog box.

If you are still having difficulty getting the Policy Server User Interface to display, run the Policy Server User Interface Browser Compatibility Test. If the panel is a solid box, click Details for troubleshooting information.

4.5.5 Report Files

The Crystal Reports server is not distributed with Policy Server v6.0, as it was with previous releases. Policy Server v6.0 provides sample reports files (.rpt) that are compatible with Crystal Reports 9.0. These files are provided for customer convenience. CA does not provide support for using the sample files.

4.5.6 No Default Policy Store

The 6.0 Policy Server does not have a default policy store. In addition, Microsoft Access is no longer supported as a policy store. You can find a list databases at the SiteMinder Platform Matrix for 6.0 on the Technical Support site.

4.5.7 Remote Services Variables Superseded

Remote Services variables are superseded by Web Services variables.

4.5.8 Cache Settings Simplified

The Cache settings in the Policy Server Management Console have been simplified to a single setting.

4.5.9 Changes to the Cache Model

The cache model for SiteMinder 6.0 differs from the model for 5.x:

The Policy Store cache is no longer configurable.

The L2 cache is replaced by self-tuning per-object-class caches.

The User Authorization (AZ) cache size is configurable using the Policy Server Management Console. The cache can be tuned using the new counters available in the SiteMinder OneView Monitor.

4.6 Solaris Considerations

The following considerations apply to Solaris.

4.6.1 Solaris 10 Support

The Policy Server and Web Agent are certified for global and non-global zones.

Note: More information on Solaris 10 support exists in the Policy Server Installation Guide.

4.6.2 Required Operating System Patches on Solaris (24317, 28691)

The following table lists required and recommended patches by version:

Version	Required	Recommended
Solaris 8	108827-36 or any superseding patch 108434-09 or any superseding patch (C++ compiler patch from 108434-13) 112438-01 (to install the /dev/random interface) 111721-04	The latest recommended patch cluster
Solaris 9	111722-04 or any superseding patch 111711-15 or any superseding patch	none

You can find patches and their respective installation instructions at SunSolve.

4.6.3 Network Connectivity Errors Appear in the SMPS Log due to a gethostbyname() Error (54190)

Network connectivity errors appear in the smps log when gethostbyname() is called. These errors appear even though the directories are available on the network. This was a Solaris issue, which according to Sun bug ID 4353836, has been resolved. Sun lists the following patches for Solaris 8 and 9:

Solaris 8

108993-27 libc, libthread and libnsl, ldap patch. This patch has a dependency on KU 108528-24)

108820-02 nss_compat.so.1 patch

115583-01 /usr/lib/nss_user.so.1 patch

109326-11 libresolv.so.2 and in.named patch

113648-02 /usr/sbin/mount patch

115827-01 /sbin/sulogin and /sbin/netstrategy patch

Solaris 9

112874-16 (libc)

113319-12 (libnsl)

112970-05 (libresolv)

115545-01 (nss_files)

115542-01 (nss_user)

115544-01 (nss_compat)

4.7 Red Hat Enterprise Linux Advanced Server Considerations

The following considerations apply to the Red Hat Enterprise Linux Advanced Server.

4.7.1 Policy Server and Red Hat Enterprise Linux Advanced Server

The Policy Server was built using gcc 2.96 on Red Hat AS 2.1 and gcc 3.2.3 on Red Hat AS 3.0.

4.7.2 Updated Database Drivers for Red Hat Enterprise Linux AS 3.0 to 5.1 (47304) (42834)

If you are upgrading from 6.0 SP3 or earlier, the ODBC database drivers for Red Hat Enterprise Linux AS have been updated with new drivers. As a result, if your Linux Policy Server is using these drivers to connect to an ODBC policy store, you must update the DSN connection information in the system_odbc.ini file with the new driver settings.

4.7.3 SiteMinder SDK and Red Hat Enterprise Linux Advanced Server (28268) (28203)

The SiteMinder SDK was built using gcc 2.96 for Red Hat AS 2.1 and gcc 3.2.3 for Red Hat AS 3.0.

4.7.4 Red Hat Enterprise Linux Advanced Server Requires Korn Shell (28782)

A Policy Server installed on Red Hat AS requires the korn shell. If you do not install a korn shell on Red Hat AS, you cannot execute the commands that control the Policy Server from a command line, such as start-all and stop-all.

4.7.5 Excluded Features on Red Hat Enterprise Linux Advanced Server

The following features are not supported by the Policy Server on Red Hat AS:

Cryptocard authentication scheme

Safeword authentication scheme

Teleid authentication scheme

IdentityMinder & Role based Auth schemes

SiteMinder Test Tool

ACE (SecurID) authentication schemes

OCSP

Hardware Keys

4.7.6 Apache 2.0 Web Server and Servlet Exec 5.0 on Red Hat Enterprise Linux Advanced Server (29518, 28447)

To use Apache 2.0 Web Server and Servlet Exec 5.0 on Red Hat AS

Run the ServletExec 5.0 AS installer against Apache 1.3.x.
The Servlet Exec AS Java instance is created.

Run ServletExec and Apache 1.3.x, and make sure you can run /servlet/TestServlet.

Shutdown Apache 1.3.x, but leave Servlet Exec running.

Using anonymous FTP, access ftp://ftp.newatlanta.com/public/servletexec/4_2/patches and download:
```
mod_servletexec2.c
```
and
```
ReadMe.txt
```

Edit the httpd.conf file of your HP-Apache 2.x so that it contains the necessary Servlet Exec-specific directives.
Note: The directives are also present in the httpd.conf file of your Apache 1.3.x if you allowed the ServletExec installer to update the httpd.conf during installation. More information on editing the httpd.conf file exists in the SE 4.2 Installation Guide.

Start Apache 2.x.

Test the Web Server with ServletExec by accessing:
```
/servlet/TestServlet
```

4.8 HP-UX Considerations

The following considerations apply to HP-UX.

4.8.1 Required Operating System Patches on HP-UX

The following table lists required and recommended patches by version:

Version	Required	Recommended
HP-UX 11i	KRNG11i, PHSS_26263	none

Note: You may replace the above patches with the latest ld and linker tools cumulative patch.

It is recommended that you install the June 2003 or the latest available patch bundle for HP 11.x Operating system.

HP maintains a list of the recommended patches for using Java1.4.1. at: http://h18012.www1.hp.com/java/patches/index.html

4.8.2 Kernel Parameters

HP provides a tool called HPjconfig, which gives the list of recommended Kernel parameters for executing Java on HP-UX systems. Because the Policy Server uses Java, this tool should be used to determine the recommended Kernel Parameters. You can search for this tool at a the HP Web site: http://www.hp.com

4.8.3 Excluded Features on HP-UX

The following features are not supported by the Policy Server on HP-UX

Cryptocard authentication scheme

Safeword authentication scheme

Teleid authentication scheme

IdentityMinder & Role based Auth schemes

SiteMinder Test Tool

4.8.4 Apache 1.3.28 Web Server Installation Fails on HP-UX 11i (28327) (28302)

When you install the Apache 1.3.28 Web Server on HP-UX 11i, the installation program fails and issues a parsing error in the socket.h file during gmake. You can resolve this issue doing one of the following:

Rename the types.h header file

Compile Apache using the native HP compiler

To rename the types.h header file

Rename the types.h header file that comes with the gcc installation to types.old.
Note: The file is located in usr/local/lib/gcc-lib/hppa2.0n-hp-hpux11.00/3.2/include/sys

Move the types.h system header file from /usr/include/sys to the latter directory.

To compile Apache using the native HP compiler

Export and set the variable CC to the following: cc -Ae +02

Run the Apache configuration script.

Run gmake.

4.8.5 Apache 2.0 Web Server and Servlet Exec 5.0 on HP-UX 11i (29517, 28446)

To use Apache 2.0 Web Server and Servlet Exec 5.0 on HP-UX 11i

Install Apache v1.3.x.

Run Servlet Exec 5.0 AS installer against Apache 1.3.x.
The Servlet Exec AS Java instance is created.

Run Servlet Exec and Apache 1.3.x, and make sure you can run /servlet/TestServlet.

Shutdown Apache 1.3.x, but leave Servlet Exec running.

Install HP-Apache v2.x from the .depot file.
Note: By default, this file is installed in /opt/hpws/apache directory.

Modify the apxs script by changing:
```
$opt .= " -module -avoid-version $apr_ldflags
```
to
```
$opt .= " -rpath $CFG_LIBEXECDIR -module -avoid-version $apr_ldflags
```
The extra parameter indicates that the created library will be installed in $CFG_LIBEXECDIR

Note: This script is located in the /opt/hpws/apache/ bin directory.

Using anonymous FTP, access ftp://ftp.newatlanta.com/public/servletexec/4_2/patches/ and download:
```
mod_servletexec2.c
```

Execute the following command:

apxs -n servletexec -i -a -c -D XP_UNIX -D APR_WANT_BYTEFUNC mod_servletexec2.c

Edit the httpd.conf file of your HP-Apache 2.x to contain the necessary Servlet Exec-specific directives.
Note: The directives are also present in the httpd.conf of your Apache 1.3.x if you let the Servlet Exec installer update the httpd.conf during installation. More information on editing the file exists in the SE 4.2 Installation Guide.

Start HP-Apache 2.x.

Test the Web Server with Servlet Exec by accessing the following:
```
/servlet/TestServlet
```

5.0 General Considerations

5.1 IdentityMinder Object Support in v6.x Policy Stores (29351)

Policy Servers that have not been enabled for IdentityMinder cannot be connected to policy stores that contain IdentityMinder objects. Policy Servers that have been enabled for IdentityMinder 5.6 SP2 can be connected to v6.x policy stores that contain IdentityMinder objects.

Note: For more information about configuring and deploying IdentityMinder, see the CA eTrust IdentityMinder Web Edition Installation Guide.

5.2 NTLM Authentication Scheme Replaced by Windows Authentication Scheme

This service pack does not include an NTLM authentication scheme template. This authentication scheme type has been replaced by the Windows Authentication template. Support for NTLM authentication is now provided through the new authentication scheme template.

5.3 Unsupported Features

The following features are not supported:

Hardware key storage on Red Hat AS

ACE authentication (SecurID schemes) on Red Hat AS

Cryptocard authentication scheme on Red Hat AS and HP-UX

SafeWord authentication scheme on Red Hat AS and HP-UX

TeleID authentication scheme on Red Hat AS and HP-UX

DMS on Red Hat AS and HP-UX

SiteMinder Test Tool on Red Hat AS and HP-UX

OCSP on Red Hat AS

Hardware Keys on Red Hat AS

Password services with Microsoft Active Directory Global Catalog

Enhanced LDAP referrals with Microsoft Active Directory Application Mode (ADAM)

Enhanced LDAP referrals with Novell eDirectory

Enhanced LDAP referrals with Oracle OID 9.0.4 (Oracle bug 3512354)

Enhanced LDAP referrals with Siemens DirX is only supported for searches and writes. That is, password services write referrals is supported. However, enhanced referrals for binds and thus authentication is not supported.

5.4 System Management Limitations

The following system management limitations exist:

5.4.1 OneView Monitor GUI Alert Issue in Netscape 6.2.3 Browser (23634) (23128)

Alerts do not work in a OneView Monitor GUI window running in a Solaris Netscape 6.2.3 browser.

OneView Monitor GUI alerts do work in IE and higher versions of Netscape.

5.4.2 Pop-up Blockers May Interfere with Help

Certain pop-up blockers prevent the Policy Server User Interface help window from opening. Many pop-up blockers allow the pop-up if you press CTRL while you click the link.

5.4.3 UserDirectoryConnections Registry Setting No Longer Required for Setting the Maximum Number of Connections (27442)

In previous versions of the Policy Server, two ODBC connections were created for each Policy Server service. The following registry setting overrode the default value and indicated the maximum total number of ODBC connections created by the Policy Server for all services:

Netegrity\SiteMinder\CurrentVersion\Database\UserDirectoryConnections

For 6.0 Policy Servers, the maximum number of connections is determined dynamically, based on five times the maximum number of threads specified in the Policy Server Management Console. (See the Performance group box of the Settings tab in the Management Console.)

If you are upgrading to the 6.0 Policy Server from a 5.x Policy Server, remove the UserDirectoryConnections registry setting. If you do not, and the value specified by the setting is less than the maximum number of threads calculated by the Policy Server, your Policy Server logs will contain many error messages. These messages will indicate that the value of the registry setting overrides the maximum number of connections calculated by the Policy Server.

5.5 Policy Server Limitations

The following Policy Server limitations exist:

5.5.1 Text Truncated When Installing Policy Server Using Exceed (25757)

Running the Policy Server installer (nete-ps-6.0-sol.bin) or Policy Server Configuration Wizard (nete-ps-config.bin) using Exceed can cause text in the dialog box to truncate due to unavailable fonts on the Exceed server. This limitation has no affect on the Policy Server installation or configuration.

5.5.2 Error Changing Long Password When Password Services is Enabled (26942)

If the Policy Server has Password Services enabled, changing the password may fail if the old password length exceeds 160 UTF8 octets and the new password length exceed 160 UTF8 octets.

5.5.3 Leading Spaces in User Password May Not Be Accepted (27619)

A user whose password includes leading spaces may not be able to authenticate under the following combination of circumstances:

The Policy Server is running on Solaris.

The password with leading spaces is stored in an LDAP User Store.

Note: A password policy may or may not be enabled.

A related limitation has also been observed:

When an administrator attempts to set a user's password with leading spaces using the Netscape LDAP Console, the console removes the spaces before storing the password (if the Policy Server Admin UI is used to set the password, the spaces are left intact).

5.5.4 DMS Configuration Wizard Next Button Disabled in Netscape 6.2.3 Browser (27208)

On Solaris 2.8 or 2.9, if you are running the Policy Server User Interface using a Netscape 6.2.3 Web browser, the Next button on the Delegated Management Services Configuration Wizard is disabled, which keeps you from being able to run the wizard. To fix this problem, run the Policy Server UI through a Netscape 7.0 browser. You can access this wizard by selecting Tools > DMS Config Wizard.

5.5.5 Netscape 6.2.3 Browser Causes Missing Attribute Types in Response Attribute Editor (27214)

On Solaris 2.8 or 2.9, if you are running the Policy Server UI using a Netscape 6.2.3 Web browser, the Attribute drop-down menu in the SiteMinder Response Attribute Editor dialog box only lists the WebAgent-HTTP-Header-Variable response attribute type, which is incorrect since there should be several choices. This problem is caused by running the Policy Server UI using a Netscape 6.2.3 browser. To fix this problem, run the Policy Server UI with a Netscape 7.0 browser.

To access this dialog box

Select Edit > Create Response on the Domains tab.

Click Create.

5.5.6 Netscape 6.2.3 Browser Causes Unreadable Date in Time Dialog (27199)

On Solaris 2.8 or 2.9, if you are running the Policy Server UI using a Netscape 6.2.3 Web browser, there is an unreadable date in the Effective Starting Date or Expiration Date fields in the Time Dialog. This problem is caused by running the Policy Server UI using a Netscape 6.2.3 browser. To fix this problem, run the Policy Server UI with a Netscape 7.0 browser. To access this dialog box, select the Set button from the SiteMinder Policy dialog.

5.5.7 Netscape Browser Causes Missing Attributes in SiteMinder Response Dialog (44675, 44668)

On Red Hat Linux AS 3.0 and HP-UX 11i, if you are running the Policy Server UI using a Netscape 6 or 7 Web browser, attributes that you create do not appear in Attribute List on the SiteMinder Response Dialog. This problem is caused by running the Policy Server UI using a Netscape 6 or 7 browser. To fix this problem, run the Policy Server UI with a Microsoft Internet Explorer browser.

To access the SiteMinder Response Dialog, create a response under a domain.

5.5.8 Certificate Mappings Issue with certain Policy Stores (27027, 30824, 29487)

Certificate mappings do not work when the IssuerDN field is longer than 57 characters for policy stores installed on the following directories:

Novell eDirectory

Active Directory

Critical Path

5.5.9 Handshake Errors with Shared Secret Rollover Enabled (27406)

In the Policy Server error log, you may see an occasional handshake error related to the shared secret, followed by a successful connection. This may occur if the shared secret rollover feature was enabled for the Web Agent communicating with the Policy Server. This behavior is expected as part of a normal shared secret rollover. You can ignore these errors.

5.5.10 Policy Server's Sharing Same Policy Store Not Updated Consistently (39844) (39837)

If you have a frequently updated policy store shared by multiple Policy Servers, not all of the Policy Servers are updated consistently. This is caused by ServerCommand getting deleted before the Policy Servers had a chance to update their cache.

To fix this problem, increase the following DWORD registry setting:

SiteMinder\CurrentVersion\ObjectStore
Key: ServerCommandTimeDelay

Change value to 10.

5.5.11 Internal Server Error When Using SecureID Forms Authentication Scheme (39664)

When using the SecureID forms authentication scheme, if users mistype their passwords during their initial login, they are not granted access to resources despite providing correct credentials in subsequent tries. The Policy Server presents users with an internal server error and these users must restart the Web browser to continue.

5.5.12 X.509 Client Certificate or Form Authentication Scheme Issue (39669)

The Policy Server's X.509 Client Certificate or Form authentication scheme is not working properly when using an alternate FCC location.

5.5.13 Certain User Name Characters Keep Policy Server From Authenticating or Authorizing Users (39832)

When the Policy Server is using an LDAP user store, users with characters such as &, * , \, and \\ in their user names are not getting authenticated and authorized properly. For example, the Policy Server does not authenticate or authorize these sample users:

use&r1

use*r2

use\r3

use\\r4

5.5.14 RBAC: Policy Server and IdentityMinder Application Name Issue (39777)

When the Policy Server is configured to work with IdentityMinder 6.0, the name of the IdentityMinder application for the role/task assigned to the user are not appearing in the Policy Server response or in the Policy Server log files.

5.5.15 RBAC: Policy Server and IdentityMinder Environment Roles/Tasks Issue (39776)

When the Policy Server is configured to work with IdentityMinder 6.0, the roles and tasks associated with an authorized user's IdentityMinder environment do not appear in the Policy Server response sent out by the IdentityMinder application or in the Policy Server log files.

5.5.16 DEBUG Logging With SafeWord Authentication Schemes Causes Policy Server to Fail (42222, 43051)

On Solaris, when resources are protected by SafeWord authentication schemes, if you enable DEBUG or ALL logging in the SmSWEC.cfg SafeWord configuration file, the Policy Server fails. As a result, do not enable DEBUG or ALL logging for SafeWord authentication schemes. The SafeWord server is PremierAccess server, using protocol 200 or 201.

5.5.17 Active Directory Integration Enhancement For LDAP Namespace (43264, 42601)

This limitation is related to this new AD feature from 6.0 SP 2:

"Enhanced User Account Management and Password Services Integration with Active Directory (SM5504) (28460) (23347) (24047) (25816)"

When following the instructions in section "Enabling Active Directory Integration Enhancement", be aware that this feature is only supported for the LDAP and not the AD namespace.

5.5.18 Policy Server Does Not Support Roll Over of Radius Log (44398) (43729) (42348)

At the 6.0 release, the Policy Server does not have the capability to roll over the radius log. Prior to the 6.0 release, you could roll over the radius log by running the smservauth -startlog command.

5.5.19 smnssetup Tool Deprecated (44964) (45908) (46489)

The smnssetup tool was removed from distribution in 6.0 SP 4. You should use the Policy Server Configuration Wizard (nete-ps-config) to configure:

the OneView Monitor GUI

the Policy Server User Interface

the documentation virtual directory

SNMP support

Hardware Key Storage

a policy store

The wizards gives you the option of using either a GUI or a console window. For more information, see the Policy Server Installation Guide.

5.5.20 Policy Server Fails to Initialize Java Virtual Machine on Red Hat 3.0 (44649) (44971)

On Red Hat Linux Enterprise Server 3.0 with Update 5, the Policy Server may fail to initialize the Java Virtual Machine when running on a multi-processor machine. As a result, the following SiteMinder functionality does not work:

Java authentication schemes

Java active rules, policies, and responses

SAML federation

This problem is caused by an incompatibility between the Sun JDK on Linux and Red Hat's ExecShield, a kernel-based security feature. A workaround is to disable the ExecShield in the Linux SMP kernel only.

To decide if you want to disable the ExecShield, see Red Hat's "New Security Enhancements in Red Hat Enterprise Linux v.3, update 3" at http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf

To disable ExecShield in the Linux SMP kernel only

In the /etc/grub.conf file, set the noexec=off kernel parameter in the SMP kernel only, as noted in the following example:
title Red Hat Enterprise Linux AS (2.4.21-32.ELsmp)

root (hd0,0)

kernel /vmlinuz-2.4.21-32.ELsmp ro root=LABEL=/noexec=off

initrd /initrd-2.4.21-32.ELsmp.img

Reboot the machine.

5.6 User Directory Limitations

The following user directory limitation exists:

5.6.1 ODBC User Store Failover

Given

A Policy Server is configured on Solaris to use two Oracle-based user stores: one is the primary user store and the other is the secondary user store.

Result

The time for the Policy Server to failover from the primary to the secondary, in the event of a network failure, may be as long as 8 minutes.

Solution

This time can be reduced by setting the TCP/IP setting, tcp_ip_abort_interval, to the desired time.

5.7 Perl Scripting Interface Limitations

The following Perl scripting interface limitations exist:

5.7.1 Perl use Statement for PolicyMgtAPI Must Come Before Use Statement for AgentAPI (24755)

On Solaris, a core dump results if you call use for AgentAPI before you call use for PolicyMgtAPI. If you are calling use for both modules, do so in the following order:

use Netegrity::PolicyMgtAPI;

use Netegrity::AgentAPI;

5.7.2 Methods that Return Arrays May Return undef in a One-Element Array (28499)

With methods that return an array, undef should be returned if an error occurs or there is nothing to return. However, these methods may incorrectly return a one-element array with the first element set to undef.

5.7.3 Perl Scripting Interface and Multi-valued Agent Configuration Parameters (37850)

The Perl Scripting Interface does not support setting multi-valued Agent configuration parameters.

5.8 Compatibility Limitations

The following compatibility limitation exists:

5.8.1 Oracle Parallel Server and Oracle Real Application Clusters Not Supported (27510)

The 6.0 Policy Server's Oracle wire protocol drivers do not support the Oracle Parallel Server or Oracle Real Application Clusters.

5.9 Japanese Policy Server Limitations

The following Japanese Policy Server limitation exists:

5.9.1 Agent Shared Secrets are Limited to 175 Characters (30967, 28882)

A Shared Secret for a Netegrity Agent in a Japanese operating system environment may have no more than 175 characters.

6.0 Known Issues

The following known issues exist.

6.1 Testing SunOne Directory Server Connections on Windows

Problem: You may experience problems testing a SunOne directory server connection from the Policy Server Management Console if:

The machine that is hosting the Policy Server is also hosting the SunOne LDAP store.

You are starting the Policy Server Management Console from a location other than policy_server_home\bin.
- policy server home
  Specifies the Policy Server installation path.

This problem occurs because multiple versions of the same LDAP SDK library, nsldap32v50.dll, exist on the machine:

The Policy Server installer installs one version of the DLL to policy_server_home\bin. This version of the DLL does not cause problems when you attempt to test the connection.

SunOne installs another version of the DLL to the system directory, for example C:\WinNT\system32. This version of the DLL may cause problems when you attempt to test the connection.

Note: This DLL conflict does not affect Policy Server processes or any of the SiteMinder command-line tools.

On Windows, when any process calls the operating system (OS) library loader, the loader looks to specific locations, in the following order, to load the DLL:

The directory from which the process was launched

The current directory

The system directory, for example C:\WinNT\system32

The Windows directory, for example C:\WinNT\system

The directories that are listed in the PATH environment variable

Therefore, if you start the Policy Server Management Console from a location other than policy_server_home\bin, the OS library loader loads the DLL from the system directory, for example C:\WinNT\system32, which may cause problems when you test the connection.

Solution: Start the Policy Server Management Console from the policy_server_home\bin location.

6.2 Password Screen does not Prompt for Multiple SafeWord Authenticators (56766)

(Solaris 9) Users are unable to access protected resources when a SafeWord authentication scheme requires both fixed and token-based authenticators. The password screen only prompts users for one authenticator. Therefore, the user is unable to provide both types of credentials and cannot access the protected resource.

6.3 Users are Incorrectly Redirected after Receiving a New SecureID PIN (56738)

(Windows 2003) After users have received a new PIN, they are incorrectly redirected to a Diagnostic Information page that displays the following message: "Security Protection Fault: Unknown AuthReason." The latter occurs for both user and system-generated PINs.

6.4 Policy Server May Fail to Start due to a Dynamically Updated system_odbc.ini File

Problem: (HP-UX and Linux only) The Policy Server may fail to start because the system_odbc.ini file is dynamically updated.

Solution: After the Policy Server installation, save the file as Read-Only.

6.5 Policy Server Installer Lists an Unsupported Operating System

The Policy Server installer lists Linux Advanced Server 2.1 as a supported operating system. Linux Advanced Server 2.1 is not supported.

6.6 Mixed Certificate-Based Authentication Schemes (27997)

The following authentication schemes are affected by the value of the Web Agent parameter for FCC Compatibility Mode (FCCCompatMode):

Certificate or HTML Forms

Certificate and HTML Forms

Note: Refer to the "Configure Web Agents" chapter of the SiteMinder Agent Guide. The section titled "Configure Credential Collectors in a Mixed Environment" discusses the impact of FccCompatMode and several other Web Agent parameters as they relate to the authentication schemes noted above.

6.7 UserDN Equal to or Greater than 1024 Characters Causes a Password Change to Fail (53823)

A password change fails and the user receives an error message prompting them to contact the Security Administrator or Help Desk if the combination of the new password; old password; and user identity, which is comprised of the userID, Client IP and timestamp is equal to or exceeds 1024 characters.

6.8 Multi-mastered LDAP User Store Support Limitations (53677)

The multi-mastered LDAP enhancement has the following limitations:

The Policy Server does not support multi-mastered LDAP directory servers configured as policy stores.

The Policy Server only supports multi-mastered user stores in a backup capacity. Since Password Services makes frequent writes to the user store, you cannot simultaneously update user information in multiple master instances. In addition, the LDAP implementation could produce out-of-date information or data loss due to delayed replication.

Multi-mastered support does not extend to custom code such as custom authentication schemes.

6.9 Policy Server Audit Logging Text File does not Audit Impersonator Events (52392)

You can audit impersonator events in either an Oracle or SQL server database by creating the SiteMinder schema for audit logs and using the database for audit logging. For more information on creating the audit log schema and configuring the Policy Server Management Console for audit logging using an Oracle or SQL server database, see the Policy Server Installation Guide.

6.10 Passwords for User Accounts Stored in Active Directory cannot be Locked (48125)

SiteMinder continues to let users change their passwords when the "User cannot change password" feature is enabled for the accounts.

6.11 Affiliate Domain Limitation When Upgrading 6.0 Policy Server on Japanese System (46338) (45693)

If you upgrade a 6.0 SP 1 or earlier Japanese Policy Server to SP 5, the contents of any previous affiliate domain is not displayed in Policy Server User Interface.

6.12 Configuring Registration Services for 6.0 SP1J (29659, 29660)

When configuring User Self Registration using the SiteMinder 6.0 SP1J you must set the HttpheaderEncodingSpec parameter in the agent configuration object to UTF-8,RFC-2047.

If you do not, several of the registration forms function incorrectly for Japanese characters. For example:

The welcome JSP page (Welcome.jsp) shows bad characters for Japanese usernames and user directory names.

The link for 'Modify self profile' is missing on the launch.jsp page.

Users cannot modify their profiles after logging in to the Welcome.jsp.

7.0 Defects Fixed in SiteMinder Releases

The following sections detail the fixes made in each of the 6.0 service packs.

7.1 Defects Fixed for 6.0 SP5

Release 6.0 SP5 contains the following fixes:

7.1.1 Users Stored in Active Directory are not Authenticated over SSL (53615)

Users in an Active Directory namespace were not authenticated over SSL when the accounts were to force a password change on the next logon and the SaslBindEnabled registry key was enabled. This is no longer an issue.

7.1.2 CoreStreet OCSP Responder may cause Status Code 33 on Validation (54846)

This is no longer an issue.

7.1.3 Administratively Reset Accounts are Disabled on User Log in (55502)

SiteMinder accounts, which had exceeded the specified inactivity period but had yet to be disabled, were being administratively reset in Identity Manager. When a user attempted to log in, the SiteMinder password policy disabled the account due to inactivity, even though an administrator had enabled the account and reset the password. This is no longer an issue.

7.1.4 Activity by Administrator Report Incorrectly Lists Deleted Administrator Accounts (55601, 55257)

Administrator accounts that had been deleted prior to a password services request were incorrectly appearing in the Activity by Administrator report. The deleted accounts were listed as submitting the password services request, instead of the account that actually made the request. This is no longer an issue.

7.1.5 Authentication Schemes Clear Redirect URLs when Returning Failure (55773)

This is no longer an issue.

7.1.6 New Multi-Value Parameters are not Saved (55784)

Adding a new multi-value parameter to an agent configuration object did not work correctly. New multi-value parameters failed to save and did not appear in the parameters list. Multi-value parameters had to be saved as a single-value parameter prior to being saved as a multi-value parameter. This is no longer an issue.

7.1.7 Policy Server Installer Removes the Windows Services Configuration when Upgrading from Identity Manager 8.1 (55785)

This is no longer an issue.

7.1.8 Unprotected Realm is Incorrectly Protected (55890)

When an unprotected realm contained a disabled rule that was referenced by two or more policies, the resource in the unprotected realm was incorrectly considered protected. This is no longer an issue.

7.1.9 Pure Java AgentAPI.isProtected Sets Realmdef Members to Null for Unprotected Resources (55246)

This is no longer an issue.

7.1.10 Pure Java AgentAPI.login does not accept Null or Blank ClientIP (55247)

When the AgentAPI.login function was called with a null or blank IP, the function raised an exception. This is no longer an issue.

7.1.11 Policy Server Installation May Fail with Kernel Versions Lower than 2.4.21-27.EL (54534)

The Policy Server installation may have failed for Linux users using the JRockit JVM and Linux kernel versions lower than 2.4.21-27.EL. This problem was resolved in the RHEL3 U4 kernel in kernel version 2.4.21-27.EL.

7.1.12 System Generated PIN's are not displayed when SecureID Authentication is used (54105)

System generated PIN'S were not being displayed properly to the end user when SecureID authentication was used with Policy Server on Solaris. If system generated PINs were being used as part of SecurId authorization, the PIN was properly generated and set as the user's new PIN. However, the user received a 500 error instead of a screen showing the new PIN. The PIN value had to be read from the Policy Server log.This is no longer an issue.

Policy Server on Solaris has been modified so that authorization through SecureID will not fail if a system generated pin is requested.

7.1.13 User Authentication Fails using authenticateUser() Function (52937)

When using authenticateUser() from Java Policy Management API to authenticate users, the status was improperly returned and the user was not authenticated. This is no longer an issue.

7.1.14 Identity Minder Fails to Retrieve User with DN (53908)

This is no longer an issue. Policy Server has been modified to add support for the "DIRECTORY_SERVER_STICKINESS" property in Identity Minder. This option ensures that the same directory is used for validation on create object actions from within the Identity Minder interface, allowing the action to succeed without having to wait for the object to propagate to other LDAP servers.

7.1.15 Importing a Policy Store Fails on Solaris (54708)

When using a policy store exported from a 5.5 Policy Server with Policy Server Option Pack installed on Solaris to import to 6.0 Policy Server, the import was terminated abnormally. This is no longer an issue. The 5x policy store with option pack can now be successfully imported in to a new 6x policy store with option pack, without generating any segmentation fault error and core dumps on Solaris computers.

7.1.16 Improper Return of Policy Server Connection Status (54815)

When connection to Policy Server was not successful the API method Connect() returned a blank status. This is no longer an issue. The agent API method Connect() will return the correct status (SM_AGENTAPI_FAILURE) when connection to policy server is not successful.

7.1.17 Cannot Read License File After an Upgrade to PS6SP4CR06 on Solaris (54833)

IVNS.LIC cannot be read because it was installed as ivns.lic using a file name in lower case after an upgrade to PS6SP4CR06 on Solaris. This is no longer an issue. The user should rename ivns.lic to IVNS.LIC on Solaris to prevent problems with the DataDirect ODBC drivers.

7.1.18 Null Pointer Exception not Handled Properly for Java Policy Management API Functions (54842)

This is no longer an issue. Null pointer exceptions are properly handled for TrustedHost objects in SiteMinder SDK.

7.1.19 Upgrading From 6.0 SP4 CR2 to 6.0 SP4 CR6 Deletes the Admin Directory (54906)

Upgrading the Policy Server from 6.0 SP4 CR2 to 6.0 SP4 CR6 on Windows 2000 with the IIS Web Server running resulted in the admin directory being deleted. This is no longer an issue. The admin directory is not deleted when IIS Web Server is running.

Note: IIS Web Server should be stopped before the upgrade.

7.1.20 Radius Authentication Fails for More Than 1024 Radius Connections (54933)

This is no longer an issue. The radius authentication was upgraded to properly handle more than 1024 connections.

7.1.21 Incorrect Certificate Validation Error Message Referring Vtk_ValidateAddCertNew (55379)

This is no longer an issue. The incorrect certificate validation error message referring Vtk_ValidateAddCertNew has been changed to refer the proper method Vtk_ValidateAddCertRaw.

7.1.22 Console Policy Server Installer does not Mask Passwords (51919)

The 6.0 Policy Server console installer now masks passwords. Password-masking is available when the installer requests the following:

The Policy Store encryption key. The installer prompts the user to enter and confirm the encryption key. The installer checks for the minimum (6) and maximum (25) character length.

The Admin information for the policy store

The Super User account information for the policy store

The root password to configure SNMP

PKCS information for hardware key storage

The different user account failure information for the policy store

7.1.23 LDAP does not Connect Over SSL When the LDAP Host Name Resolves to more than 50 IP Addresses (53657)

This is no longer an issue, and LDAP uses the first IP address in the resolution list.

7.1.24 User is not Authenticated When the LDAP User DN Lookup End field Contains Double Byte Characters (54362)

User was not authenticated if the LDAP User DN Lookup End field contained Japanese double byte characters, unless the Japanese double byte characters were followed by an extra double byte space character. This is no longer an issue. The extra double byte space character is not required.

7.1.25 Authorization Scheme Messages are Lost When Multiple User Directories are Configured in the Same Domain (54385)

This is no longer an issue. User, error, and redirect messages are properly returned from authentication attempts in a domain for which multiple user directories are configured.

7.1.26 Domain Scope User is Unable to Call Function GetRealm( ) in the Perl SDK (54465)

This is no longer an issue. The Domain Scope user is able to call function GetRealm( ) in the Perl SDK. This behavior is in sync with that of the SiteMinder Administrator user interface.

7.1.27 Temporary Passwords do not Adhere to Password Policy Restrictions (54519)

When the Forgotten Password feature was used, the Policy Server created random temporary passwords that did not adhere to the password policy restrictions. This is no longer an issue, and temporary passwords now adhere to the password restrictions specified by the password policy. Supported restrictions include:

minimum length

maximum length

minimum upper case characters

minimum lower case characters

minimum digits

In the event that password policies are not applied to the user directory, the temporary password is:

six to twelve characters long

of capitals letters, lower case letters, and digits

7.1.28 Agent Keys are not Correctly Generating in Systems Using Dynamic Key Rollover (54669)

This is no longer an issue. Improved detection and logging of bad keys prevents the agent or users of the agent API routines createSSOToken ( ) and decodeSSOToken ( ) from using the bad keys.

7.1.29 Before Installing SiteMinder Policy Server on HP 11i, Verify the Existence of Patch PHCO_29029 (54845).

A verification check was added for PHCO_29029 patch before Policy Server installation on HP 11i. You no longer have to check for this patch.

7.1.30 Directory Mapping and Certificate Mapping Dialogs Limited by MaxObject Registry Key (47146)

The Directory Mapping and Certificate Mapping dialogs would only display the number of objects specified by the HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore\MaxObjects registry key. This occurred even if the actual number of objects exceeded the registry key value. For example, if 75 user directories existed and MaxObjects was set to 50, only the first 50 user directories were available from Directory Mapping dialog. This is no longer an issue. Previous and Next buttons let you view the remaining objects.

7.1.31 Resetting Stats Information Requires Restarting the Policy Server (47332)

This is no longer required. The -resetstats switch lets you reset counter information without restarting the Policy Server. The switch is provided with smpolicysrv and works as follows:

$ smpolicysrv -resetstats

This switch lets you reset the following counters:

Max Threads is reset to the Current Threads value.

Max Depth of the message queue is reset to the Current Depth of the message queue.

Max Connections is reset to Current Connections.

Msgs, Waits, Misses, and Exceeded limit are reset to zero.

7.1.32 The -stats Output only Shows the MaxDepth in the Policy Server Stats Output (47485)

The -stats switch for the smpolicysrv now logs the Current Depth of the message queue in the smps.log file.

7.1.33 Product, Platform, and Version Information are not Populated (53190)

Product, Platform, and Version Information are not Populated on a OneView Monitor that runs on RedHat AS 3.0 Linux. This is no longer an issue.

7.1.34 Signature Verification of AuthnRequest on Solaris IDP and SLO Transactions Fail (53693)

Signature verification of AuthnRequest and Single Logout processing failed because of certificates with large serial numbers. This is no longer an issue, as restrictions on serial number length have been removed.

7.1.35 CaCertificate Search Scope May Cause Timeouts (53933)

The LDAP CaCertificate had a search scope of 2, which increased the chance of timeouts while authenticating users in certain LDAP configurations. This is no longer an issue. The LDAP CaCertificate searches with a search scope of 0, which reduces the chance of timeout while authenticating users.

7.1.36 ODBC-driver Message Appears Unnecessarily (53941)

The Policy Server installer displayed a warning message to update the ODBC drivers when the updated drivers were present. This is no longer an issue. The message only appears if the required drivers need to be installed.

7.1.37 List of Clusters Changes Order Each Time Changes are Saved (54021)

This problem was specific to using Novell eDirectory Server as a policy store. The list of clusters that appears on the Host Configuration Object Properties tab randomly changed order each time OK or Apply was clicked. This is no longer an issue.

7.1.38 DMS API SmDmsUser.changePassword() Method Results in Multiple TransactEMS Requests During a Password Change (54045)

This is a no longer an issue. Retry logic has been added to the TLI layer to handle interruptions from the BEA JRockit JVM.

7.1.39 Lower case 'l' is Appended to the Port Number in the smps.log (54196)

A lower case "l" was appended to the port number in the snmps.log when the user directory connection was lost. This is no longer an issue.

7.1.40 Global Responses are not Sent to an Added Agent (54102)

When an agent was added to an agent group, global responses were not sent until the Policy Server was restarted. This is no longer an issue because the Global Realm is invalidated when the agent group is modified, which ensures that a Global Response is sent to a recently added agent without having to restart the Policy Server.

7.1.41 Commas (",") in the SubjectDN Attribute Value Causes Authentication Schemes to Fail (54245)

CertAndForm and CertAndBasic authentication schemes were not able to support certificates in which the SubjectDN attribute values contained a "," (comma). This is no longer an issue.

7.1.42 Policy Server Crashes When a Valid User Name and Blank Password are Submitted (54262)

This problem is specific to Solaris. The Policy Server crashed when a valid user name and a blank password were submitted to an Oracle user directory with the OOTB function in the Authenticate User query. This is no longer an issue.

7.1.43 Policy Server does not Start after Upgrading to 6.0 SP4 (53697)

This is no longer an issue.

7.1.44 SiteMinder Policy Server Hangs and must be Rebooted to Regain Stability (53815)

This is no longer an issue. The Policy server does not hang when a custom authentication scheme is created with smauthntlm library to allow the clients authentication request to be processed by the server being accessed.

7.1.45 Password History Updates When a CustomAuth Scheme Authenticates Based on an Attribute Other than the Password (52323)

This is no longer an issue. A password is added to the Password History if the custom authentication scheme authenticates using the default password and in scenarios where the function UserContext->fAuthticate( ) is called. When any other function, such as UserContext->GetProp, is used for authentication, the password is not added to the Password History.

7.1.46 Password Change Fails When UserDN is Greater than 256 Characters (52424)

This is no longer an issue. The buffer length used for creating Password Message has been increased and will allow DNs longer than 256 characters.

Note: The combination of new password, old password, and user identity consisting of userID, Client IP, and timestamp must always be less than 1024 characters.

7.1.47 Account Lockout Rule Ignored if User is Enabled through DMS (53699)

This is no longer an issue. Policy Server was modified. Reactivating a user through the DMS system will not result in deactivation of password policies.

7.1.48 SecurId Authentication Scheme not Working (53985)

A previous change had introduced support for non-browser clients, but part of the fix was appending ";ACS=x" to the URL, which was to be removed later. This was not done for the SecureID template. This is no longer an issue. The ACS=x parameter is removed from the URL before returning it to the web agent.

7.1.49 Apache Web Server Crashes When Accessed by Multiple Agents (54064)

This is valid for RedHat Linux 3.0. This is no longer an issue.

7.1.50 SiteMinder appears to be Experiencing Memory Leaks (52673)

This is no longer an issue. The way entries are allocated and freed in the Authorization cache is improved. This improvement prevents the Authorization cache from appearing to grow unbound in certain load scenarios. The Authorization cache should grow no larger than twice the value the registry specifies.

7.1.51 Users are Authenticated with Valid and Invalid Passwords after Upgrading (52796)

Users were authenticated with valid or invalid passwords after upgrading to 6.0.4.2 if the SiteMinder environment was using the OOTB sample stored procedure and a DB2 database. This is no longer an issue. New Datadirect 5.1 patched drivers are provided, which prevent users from being authenticated with invalid passwords.

7.1.52 Password Change Failure Shows the New Password in Clear Text in the Policy Server logs (53213)

This is no longer an issue.

7.1.53 AgentTLI crashes in memcpy() Called from: intCSmSerializable::Serialize(const long,const void*) (53299)

This is no longer an issue.

7.1.54 Saving a SafeWord HTML Form authentication scheme removes required information (53416)

The data in the SafeWord Configuration File field was removed when OK or Apply was clicked. This prevented the authentication scheme from being properly saved and created. This is no longer an issue.

7.1.55 Policy Server SNMP Events are not being Registered in HP Systems Insight Manager (53438)

This is no longer an issue.

7.1.56 Java Policy Management API methods, getRealmRealms and getRealmRules, are not Working Properly in SDK 6.0 (47895)

This is no longer an issue. The method getRealmRealms() returns the realms in the specified realm instead of all realms under the given domain. The method getRealmRules() returns the rules under the specified realm instead of all rules under all realms under the given domain.

7.1.57 ODBC Connectivity Test Crashes SiteMinder Management Console on Solaris (52266)

This is no longer an issue.

7.1.58 Export SMDIF Function, doExport(), does not Export the Data in Unicode/UTF Format (52969)

This is no longer an issue. The doExport() using SiteMinder Java API was successful with UTF-8 characters and the exported file contained data in the expected UTF-8 format. Similarly doImport of SiteMinder Java SDK also works properly and was able to import the data in desired format.

7.1.59 SDK SmTest.exe Tool does not Work (53111)

When the SDK is installed on a windows computer without a Policy Server, and the SmTest.exe is attempting to run it returns missing SHSMP.dll error. This is no longer an issue.

7.1.60 Increase in Authentication Time after Upgrading from 5.5 SP3 to 6.0.4 on HPUX (53162)

The authentication time was increased when the user was using the same Oracle policy store and user store. The cursor type when performing queries will return only a single value to avoid potential error. This is no longer an issue. The cursor type will retry query on Oracle when user store schemas contain a union or view.

7.1.61 Running smpolicysrv -stats Appends the lowercase 'l' Character to the Output (53283)

This is no longer an issue. smpolicysrv –stats does not append lowercase 'l' character to the value of Msgs, Waits, and Misses in the Thread pool line and prints the messages in the correct format.

7.1.62 smpolicysrv - stoptrace Command Causes the Console Tracing to Shutdown (48431)

On Windows, when trace logging to console was enabled, on running the command smpolicysrv -stoptrace, the tracing console window was forced to close. This is no longer an issue.

7.1.63 Password Change Fails if it Matches the Encrypted Value of Userpassword or UserDisabled fields in LDAP(51546)

Profile Attributes is a numeric setting for password policies. When this was set, if a new password matched any other profile attribute by that number of characters in a row, the password was rejected. This is no longer an issue. When a password policy specifies a profile attribute length, the Policy Server no longer considers the user's password as part of the profile.

7.1.64 Policy Server Creates New Threads and Terminates Them after a Short Duration (52006)

This is no longer an issue.

7.1.65 C++ Comments in the Code are not Compatible with Some C Compilers (52130)

This is no longer an issue. All C++ styled comments in the C Agent SDK were replaced with C style comments.

7.1.66 Policy Server does not Serve Requests while Rebuilding Policy Cache (52278)

This is no longer an issue. When using the admin UI to change policy store objects, the operational delay was eliminated when rebuilding a large policy cache.

7.1.67 Policy Resolution Fails When a RADIUS Agent Group is Configured for a Realm (52371)

With Policy Server configured for RADIUS authentication, the user was not authenticated when RADIUS realm was configured with an Agent Group. This is no longer an issue. The Policy Server will not verify the value of realm hint attribute if an Agent Group has been configured for RADIUS realm, and the RADIUS realm configured with Agent Group will be added to realm cache.

7.1.68 SiteMinder using LDAP Referral over SSL fails to connect when the Port Number is not Part of the Referred URL (52425)

When using referred URL containing LDAPS, it was being sent to the referred server on non-SSL port 389 instead of SSL port 636. This is no longer an issue. The force assignment of 389 as the port number is disabled for all cases when port is not mentioned in the referred URL. The secure option of the parsed URL is verified and the port 389 or 636 is set accordingly.

7.1.69 LDAP Filter Generated using the LDAP Expression Editor Displays a Syntax Error in the smps log (52687)

LDAP Expression Editor was adding additional spaces while creating the expression, which generated the syntax error, logged in Smps log. This is no longer an issue. LDAP Expression Editor is corrected to create syntactically correct expression without the additional spaces.

7.1.70 Integration of SiteMinder and IAM Toolkit are not Allowed using the Java Policy Management API (52769)

This is no longer an issue. The Java PM API has been enhanced with capabilities to return user groups and user attributes.

7.1.71 Policy Server Experiences Performance Degradation with the Profiler Enabled on Solaris (46553)

This is no longer an issue. Policy Server performance has been optimized when the profiler is enabled on Solaris. Additionally, the BufferedTracing check box is available on the Profiler tab in Policy Server Management Console. When selected, BufferedTracing lets the Policy Server run with the trace messages being buffered when written to the logs. This results in maximum performance. When unselected, messages are written to the trace logs without being buffered. This results in slower performance, but provides maximum compatibility with the previous log writing behavior.

7.1.72 Crash Related to Memory Corruption in the SmAuthCert library (43092)

While running STIs for some SmAuthCert changes, after the agentapi/authentication STI component was completed, the Policy Server was restarted. This caused memory corruption related crash in the SmAuthCert library. This is no longer an issue.

7.1.73 SiteMinder Single Sign-on (SSO) does not Work Across Multiple User Directories for the Same User Identity (45735)

This is no longer an issue. The Single Sign-on (SSO) feature of SiteMinder will now work across multiple user directories in disparate policy stores even if the user directory name or user DN differ across different user stores for the same actual user identity.

For this, a new Authentication-Validation directory mapping has been introduced. The Authentication-Validation maps authentication directory name to validation directory so that the user authenticated against one user directory can be validated against another user directory. The directory mapping can be done on Universal ID or User DN.

The Authentication-Validation mapping object has three attributes:

Authentication directory name

Validation directory OID

Mapping Type

7.1.74 Policy Server Stops Logging to Oracle after the Database Instance is Shutdown and Restarted (48305)

Policy Server was configured for audit logging to an ODBC database using bulk insertion. When the database was stopped and restarted the logging functions were interrupted. This is no longer an issue. The bulk insertion was fixed to get a refreshed view whenever the database connection is reset.

7.1.75 Policy Server does not Respond when the Centralized OneView Monitor Computer cannot be Reached (48750)

When using a centralized OneView Monitor service, WebAgents relay information to the remote OneView by sending an agent message to the Policy Server. While processing the message, the thread sending the message to the remote OneView was locked and this blocked other threads attempting to relay messages. This is no longer an issue. Policy server and OneView monitor communication was improved. Any problem with OneView monitor or the connection to the monitor will not affect Policy Server functionality or performance.

7.1.76 Received Errors while Installing the Policy Server When Importing a 5.5 Policy Store File (48765)

Run the SmObjImport command twice with the following options:

smobjimport -imypolicystore.smdif -d -w -c -k -v -f

The second time command would run smoothly and no data will be lost. The error messages appear during import using smobjimport, as objects that cannot be imported in the first pass are captured and added into a list of failed objects. These are retried during second pass, and so on, until the list of failed objects stabilizes. An informatory message Retrying failed objects appears during import of policy store using smobjimport, during every retry cycle when objects that failed to get imported from a previous cycle are imported again.

7.1.77 Received Error using Perl PPM with SiteMinder 6 SP4 (48775)

This is no longer an issue. The Windows reloc_perl command was updated to reflect the configured location in third party.

7.1.78 Received Session Timed Out Error in the Admin UI When Trying to Manage a Policy (48806)

When working with huge policy store, the Admin UI applet throws the "Your session may have timed out" error. This was due to the Admin UI applet trying to send a request to the policy-server using the TLI layer, which generates an exception. The problem was caused when the data received from Admin clients exceeded the dynamically allocated receive TLI buffer at the policy-server. The data is not received successfully at the policy-server and the connection was terminated, and Admin UI displayed the error. The value of maximum allowed size of TLI buffer at policy-server for handling Admin UI messages was set to 32KB.

This is no longer an issue. The buffer size for Admin UI and Policy Server communication is configurable using a registry key:

HKLM/Software/Netegrity/Siteminder/CurrentVersion/PolicyServer/Max AdmComm Buffer Size

If this key does not exist or has a value less than 256KB, the minimum default value is considered as 256 KB.

7.1.79 Changes in the User Directory Object will not Take Effect Without Restarting the Policy Server (48841)

This is no longer an issue. The User Directory cache for authentication or authorization is propagated without restarting the Policy Server.

7.1.80 Policy Rendered Non-editable in the Admin GUI Due to an Invalid IP address Passed in Custom Code (48918)

This is no longer an issue. An exception will be thrown when an invalid IP address is set. This validation check will prevent policy from being rendered non-editable.

7.1.81 Java Virtual Machine (JVM) Encounters Segmentation Violation and Terminates (48962)

When a null session object was passed to the Java AgentAPI authorize() method the JVM crashed. This is no longer an issue.

7.1.82 IP Restrictions not Returned Properly for a SiteMinder Policy (51509)

This is no longer an issue. The Java Policy Management API will return all IP restrictions for a SiteMinder policy.

7.1.83 The S98sm File is not Preserved or Backed up during Upgrade (51829)

This is no longer an issue. The existing S98sm script will be backed up during Policy Server upgrade. Additionally, nete_ps_root will be replaced by full path of SiteMinder installation in S98sm script during install, reinstall, or upgrade.

7.1.84 Authorization Server Threads Hang When Using ACE Authentication (48513)

When using ACE Authentication, the Authorization server threads hung and the Policy Server ran out of connection limits. This is no longer an issue. To avoid the possibility of hanging threads under heavy load conditions, RSA also suggests that RSA trace logging be turned off.

7.1.85 User Authentication Fails When LDAP Logic Operators are used in x.509 Custom Mapping (47908)

Using LDAP syntax to create search filters that contain logic operators caused user authentication to fail. A new registry key, LegacyCertMapping, allows legacy behavior in the certificate mapping and resolves the problem. The KeyType must be configured as REG_DWORD and the Value must be 0 (disabled) or 1 (enabled). If a value other than 0x1 is configured, or the registry value does not exist, this feature is disabled. The registry key is disabled by default. If the registry key is not enabled, the current behavior is in effect. The registry key is located at HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer.

7.1.86 smnssetup Script is Obsolete (44965)

This is no longer an issue. smnssetup was removed from UNIX kits.

7.1.87 RSA Ace Authentication Server Version 6.0 does not Work Properly with SiteMinder (45984)

This is no longer an issue. RSA Ace authentication is certified to work with SiteMinder.

7.1.88 Separate Admin Account for Policy Store not Listed in Management GUI (47125)

This is no longer an issue. The Management GUI lists the directory name for administrative user when the directory name is not the default one.

7.1.89 SAML 2.0 Assertion Validation Fails on the Service Provider (47252)

SAML 2.0 transaction fails when a valid port is appended to the Assertion Consumer Service URL in Service Provider object on Windows platform. This is no longer an issue. The SAML 2.0 assertion consumer will now accept assertions which specify the default port for the assertion consumer URL.

7.1.90 Smps Log Displays Invalid Credentials Error Message (47265)

This is no longer an issue. When incorrect User Directory credentials are entered and then corrected, the error message is not logged.

7.1.91 Received Operations Error When Trying to View AD Users (47354)

This is no longer an issue. The Windows Policy Server does a better job determining if a SASL bind is necessary when communicating with AD or ADAM directories using the AD directory namespace.

7.1.92 Event not Generated for User Logout in the SiteMinder Audit Logs (47614)

When a user is logged out from the protected website, no event for Logout is generated in the SiteMinder Audit logs. This is no longer an issue. Logout event will be logged in SiteMinder Audit Logs, when auditing is enabled.

7.1.93 LDAP Provider's AddEntry(DsAttrs) does not Follow Referrals When Enhanced Referral Processing is Enabled (47937)

The LDAP provider's AddEntry(DsAttrs) function is using the LDAP SDK directly instead of LdapAdd. This is no longer an issue. Policy Server now properly handles enhanced LDAP referrals when adding entries to an LDAP directory.

7.1.94 When Allow Nested Groups is Selected Only Users Contained in the First Group are Authorized (47946)

If more than one group is listed in a user policy and Allow Nested Group is selected, the authorization is restricted to the first group only. This is no longer an issue. The user contained in any of the groups is authorized.

7.1.95 Custom Code Calling user.addToGroup() Causes smpolicysrv to Crash (48023)

This is no longer an issue. Users are added and removed successfully to or from the group without crashing the policy server.

7.1.96 SmPolicyApi.getPolicyLinks() Triggers a Full Policy Store Cache Refresh Resulting in Poor Performance (48122)

This is no longer an issue. Java API function SmPolicyApi.getPolicyLinks() does not trigger a full policy store cache refresh.

7.1.97 SmPolicyApi.getUserDirSearchOrder() Returns OIDs instead of Names (48221)

The Java Policy Management SDK returns OID strings instead of object names for some methods. This is no longer an issue. The Java Policy Management SDK returns OID strings only for SiteMinder objects which cannot be identified by name property, for example, certificate and directory mappings.

7.1.98 Smobjexport does not Include All Configuration Parameters for Authentication Scheme (48519)

This is no longer an issue. The smobjexport tool now properly exports the field mappings of DCC authentication schemes using the -e flag.

7.1.99 Invalid Value in AuthenticationInstant Attribute (48584)

This is no longer an issue. The value for SAML assertion's AuthenticationInstant attribute is set to the time the user was authenticated at the IdP site.

7.1.100 SiteMinder Installer Overwrites Configuration Files during Upgrade (48704)

Before upgrading SiteMinder, do the following:

Add .properties to the list of filename extensions for backup under config subdirectory before upgrade.

Add .ini to the list of filename extensions for backup under db subdirectory before upgrade.

7.1.101 Policy Server Crashes When Trying to View Users in FederationWSCustomUser Store Directory (48846)

This problem is specific to the UNIX platform. This is no longer an issue.

7.1.102 OneView Monitor Page Displays NullPointerException (48928)

OneView Monitor page displays NullPointerException if the Accept-Language HTTP header is not sent by the user's web browser. This is no longer an issue. The OneView Monitor now defaults to English if no Accept-Language header is sent by the user's web browser.

7.1.103 DisallowForceLogin Registry Key (47157) (64413)

This service pack includes a new DisallowForceLogin registry key. When enabled, the Policy Server properly redirects users who have submitted a password change request that contains an invalid current password to the Password Change Information screen. This screen displays the invalid current password message. When disabled, the Policy Server redirects users to:

The login page that does not display the invalid current password message. This redirect occurs if an On-Auth-Reject-Redirect response is not bound to the policy configured with the user directory.

The URL associated with the On-Auth-Reject-Redirect response bound to the policy configured with the user directory

The key is located at HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer

To enable this key, this registry value must be configured as REG_DWORD and contain a value of 0x1. If you set the key to a value other than 0x1 or if the value does not exist, this feature is disabled.

Note: This key is disabled by default.

There are three cases affected by the DisallowForceLogin value.

Force password change or password expired.

Self Password change.

Optional password change.

7.1.104 Fix to SiteMinder Test Tool (47525)

When running in the basic or advanced modes, the SiteMinder Test Tool now successfully authenticates and authorizes users using x509 authentication.

7.2 Defects Fixed for 6.0 SP4

Release 6.0 SP4 contains the following fixes:

7.2.1 Fix in SiteMinder User Directory Dialog (19097)

The SiteMinder User Directory dialog is fixed so that if you enter extra characters after the port number when configuring an LDAP-based user store and then click View Contents, the Policy Server issues an error message. Before this fix, there was no error message.

7.2.2 Fix to Policy Server Management Console (42837)

When testing the connection between a Red Hat Linux AS 3.0-based Policy Server and a SQL Server-based policy store, the Policy Server Management Console issued an invalid warning message. This issue is now fixed and the Policy Server Management Console issues a successful connection message.

7.2.3 Policy Server and Sun v440 Servers (43735, 43492)

The Policy Server now has better performance running on Sun v440 servers.

7.2.4 Policy Server's Agent API Updated (44017)

The Policy Server's Agent API has been updated to correct an interaction between Web Agents (or other clients utilizing this API) and the Policy Server under certain load conditions.

7.2.5 Password Policy Pre-processing Updated (44293)

The Policy Server is updated to make sure that password policy pre-processing is applied to users' passwords during authentication.

7.2.6 Fix to smldapsetup -v option (44378, 41649)

When the Policy Server is using multiple LDAP policy stores for failover purposes and you run smldapsetup with the -v option, the utility now provides correct configuration information for each policy store. Previously, running the smldapsetup -v command did not correctly display all of the configuration information for each policy store.

7.2.7 Trusted Hosts and Directory Mappings Changes Now Written to Audit Logs (44379, 44216)

The Policy Server now logs any AuthAz directory mapping and TrustedHost object event activity changes to the SiteMinder audit log files.

7.2.8 Option Pack Variables Display Correctly in Policy Server User Interface (44395)

Policy Server Option Pack variables are now properly displayed in the Policy Server User Interface when the Policy Server is running in mixed mode. Mixed mode is where the 6.x Policy Server connects to a 5.x policy store.

7.2.9 Policy Server Enhancement for Active Directory-based User Stores (44721)

The Policy Server has been enhanced to improve its interaction with Active Directory-based user stores. When authenticating against an AD namespace, the Policy Server binds to Active Directory using SASL. If a user's common name (CN) is different from the user's Windows logon name, the user can still authenticate even if the EnableSaslBind registry setting exists on the Policy Server machine.

The EnableSaslBind setting is a DWORD registry key that you can set to 0 or 1:

HKLM\Software\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider\EnableSaslBind

This setting disables or enables the SASL protocol while authenticating users. For example, if EnableSaslBind does not exist and you configure this setting to 1, the bind occurs with SASL. If EnableSaslBind exists and you configure this setting to 0, the bind occurs with Simple Authentication mechanism.

7.2.10 Active Directory User Store Invalid Password Issue Fixed (44956)

If the Policy Server was connected to an Active Directory user store and was idle for a long period of time (for example, overnight), users could successfully authenticate after entering an invalid password. This issue is now fixed.

7.2.11 Oneview Monitor Failure Issue Fixed (44961)

This service pack fixes an issue where the Oneview Monitor failed under heavy SNMP load.

7.2.12 Renaming Host or Agent Configuration Object Not Allowed (45047, 36633)

The Policy Server User Interface no longer allows you to rename an existing Host or Agent Configuration Object.

7.2.13 Scope Switch Fix (45052, 44786)

This service pack includes a fix to the Policy Server to make sure that the scope switch specified for a given User Directory is adhered to during authentication.

If you set the scope to One Level, only users present at one level below the search root are found by the Policy Server and authenticated.

If you set the scope to Sub Tree, all the users present below the search root are found by the Policy Server and authenticated.

7.2.14 Policy Server Hanging Condition Fixed (45247, 45023)

This service pack includes a fix to a condition that caused the Policy Server to hang during shutdown.

7.2.15 Fix to Custom Certificate Mapping Feature (45362)

The Policy Server's custom certificate mapping feature involving multiple attributes of the same type are now handled correctly. The Policy Server now maps the particular index attribute in the certificate as specified in the certificate custom mapping expression.

7.2.16 OpenWave Directory Server Now Supported (46971, 46806)

The Policy Server is now certified to work with an OpenWave Directory Server user or policy store. The Openwave Directory Server does not support LDAP referrals.

Note: Configuration instructions exist in the SM60SPx_Openwave_Config.pdf file.

7.2.17 Shrink Memory Pool Enabled Registry Value (45457, 30630)

This service pack includes a new Shrink Memory Pool Enabled registry value that can be manually configure to shrink the amount of memory used by the Policy Server process. You can add this registry value at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer

To enable the Shrink Memory Pool Enabled feature, configure the registry value as REG_DWORD that contains a value of 0x1 in order.

To disable this feature, configure a value other than 0x1 or remove the registry value altogether. This feature is disabled by default.

7.2.18 Policy Server Relational Database Policy Store Issue (45462, 44294)

This service pack has a fix that allows the Policy Server to correct a failover to a secondary data source that is configured for an relational database policy store. Specifically, if the Policy Server is restarted and the policy store is shutdown or paused, the Policy Server connects to the secondary policy store.

7.2.19 Microsoft Active Directory Global Catalog User Store Enhancement (45879, 45054)

When the Policy Server is connected to a Microsoft Active Directory Global Catalog user store and a policy is configured to allow nested groups, the Policy Server uses a MemberOf attribute user record for more efficient searches.

7.2.20 ACE Debug Logging Fix (45882, 43976)

This service pack has a fix that allows the Policy Server to make sure that enabling ACE debug logging does not cause the Policy Server to terminate abnormally during authentication.

7.2.21 Policy Server Management Console Limitation on Red Hat AS 3.0 (47302) (42832)

If the Policy Server's policy store resided in either an Oracle or IBM DB2 database, the Policy Server Management Console failed when you click the "Test Connection" button on the Data tab. This issue in now fixed.

7.2.22 Perl Scripting Interface Limitation on Red Hat AS 3.0 (47304) (42834)

If the Policy Server's policy store resided in either an Oracle or IBM DB2 database, the Perl Scripting Interface failed at the following call while creating a new session:

$session=$pmgtbase->CreateSession()

This issue is now fixed.

7.2.23 DeadHandleListLiveTime Registry Setting Obsolete (47226) (47120)

The user directory LDAP server layer no longer relies on the DeadHandleListLiveTime registry setting. Now, dead LDAP handles are automatically managed by the Policy Server and no longer require any extra registry configuration by users. This change allows the Policy Server to manage user directory LDAP server issues more efficiently.

Due to this change, the following registry key is now obsolete:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider\DeadHandleListLiveTime

7.2.24 SafeWord Debug Logging Failure (45953, 43097)

SafeWord debug logging no longer causes the Policy Server authentication service to fail. Previously, if you had a SafeWord HTML Forms Authentication Scheme configured in the Policy Server and enabled SafeWord debug logging, the Policy Server failed. This issue is fixed.

Note: For a Solaris Policy Server, the operating system must be at Solaris 9 or higher. In addition, the Safeword server must have the 3.1.1 patch04_01 installed.

7.2.25 Scripting Interface for Perl User Directory Contents Issue Fixed (46141)

In the Scripting Interface for Perl, the user directory contents are now properly shown for calls to GetContents() for custom directories.

7.2.26 Regular Expression Pattern Matching Issue Fixed (46322)

The Policy Server no longer fails using regular expression pattern matching under heavy load.

7.2.27 Parameter List Does Not Maintain Specified Order in Host Configuration and Agent Configuration Object Dialogs (46415)

The parameter list ascending/descending order issue in the SiteMinder Host Configuration and SiteMinder Agent Configuration Object Dialogs is now fixed.

7.2.28 Update to Profiler Log Files (46425)

The Policy Server's Profiler log files have been modified so that the:

User data field contains the login name of user.

User DN contains complete DN of the user.

7.2.29 State Attribute of the LDAP Schema Changed from "s" to "st" (46740)

When loaded into the LDAP Expression Editor or Certificate Mapping Dialogs, the "s" attribute is no longer labeled as "State". Now, it appears as "s". The Policy Server's LDAP Expression Editor honors unrecognized attributes and does not change them. As a result, opening an expression containing an "s" attribute does not cause the Policy Server to converted it to "st". Now, you need to manually enter the "s" attribute, as it no longer appears in the LDAP Expression Editor Dialog's drop-down menus. You can do this by typing "s" into the first field of the "Condition" input instead of selecting "st (State)" from the drop-down menu. You cannot create new certificate mappings using the "s" attribute, as such a configuration would not work. For certificate mappings, a third-party library translates the state attribute's OID in the certificate into the string "st", which until this fix, would not be recognized by the Policy Server.

7.2.30 Certificate-based Authentication Issue Fixed (46999, 46149)

Certificate-based authentication requiring certificate validation against an Active Directory-based user store no longer fails under heavy load conditions.

7.2.31 Update to Password Services (47020)

Password Services allows users to disable the tracking of successful and failed logins separately. Password policies that only track failed logins modify the user store upon a successful login only if it is necessary to reset the number of failed logins. This prevents failed login tracking from counting the cumulative number of failed logins when successful login tracking is disabled.

7.2.32 Password Services Failure Tracking Issue Fixed (47110, 38445)

When failure tracking is enabled in Password Services, the Policy Server no longer sends duplicate requests to modify the user's password data attribute.

7.2.33 Policy Server Caching Problem Fixed (47122)

The service pack fixes a caching problem that caused the Policy Server to fail during authorization after a large number of different users are authorized.

7.2.34 NTLM Authentication Scheme Failure Issue Fixed (47123)

The Policy Server no longer fails under heavy load when it is using an NTLM authentication scheme.

7.2.35 SafeWord Debug Logging Failure (45953, 43097, 47258)

Note: For a Solaris Policy Server, the operating system must be at Solaris 9 or higher. In addition, the Safeword server must have the 3.1.1 patch04_01 installed.

7.2.36 Viewing Active Directory User Directory Issue Fixed (46238)

This service pack fixes an issue where you could not view the content of a Windows 2000 Active Directory User Directory configured with the AD Namespace without specifying a certificate database.

7.3 Defects Fixed for 6.0 SP3

Release 6.0 SP3 contains the following fixes:

7.3.1 Accessing Now Protected or Unprotected Realms Behaves as Expected (39443)

The Policy Server has been updated to make sure that resources in protected/unprotected realms are correctly protected or unprotected as expected.

7.3.2 CRLs Reporting Error Message Fixed (39446, 40045)

On Windows and Solaris systems, the Policy Server's Cert-C libraries has been updated to correct an issue with CRLs reporting a "Failure in RSA Cert-C library getting CRL" error message.

7.3.3 Entering non-ASCII Characters For User Directory Objects (39635)

The Policy Server User Interface now allows you to enter non-ASCII characters for username credentials when configuring user directory objects.

7.3.4 Enhancement to smreghost (39712)

The smreghost utility has been enhanced to include a new optional -o parameter that enables you to overwrite an existing trusted host.

7.3.5 New Registry Entry to Fix Audit Logging Exceptions (39991, 39307)

On Windows, the Policy Server has been enhanced to remove errors caused by audit logging exceptions. This enhancement includes a new ConnectionHangwaitTime registry entry that you can set to avoid audit logging exceptions. The minimum setting for this value is 30 seconds. If you set this value to less than 30 seconds, the Policy Server ignores this value and uses the minimum value of 30 seconds.

The new registry entry is located:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\ConnectionHangwaitTime

In addition, to avoid the audit logging exception, the following registry variables need to be tuned at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database

QueryTimeout
Suggested tuning is 30 seconds

Default: 15 seconds
LoginTimeout
Suggested tuning is 30 seconds

Default: 15 seconds
ConnectionHangwaitTime
Suggested tuning is 60 seconds

Default: 30 seconds

Note: This tuning is done to avoid any audit data loss; however, this tuning may lead to some performance issues. To improve performance, you can configure audit logging in a text file instead of a database.

7.3.6 Policy Server and Oracle Encrypted Passwords (39411, 38408)

The Policy Server has been updated to correctly handle authentication of system users in an Oracle database if you are using the Oracle encrypted password feature.

7.3.7 Correct Time Being Returned for LAST_MESSAGE_TIME Element (39645)

The Policy Server has been fixed to return the proper time value in seconds for the LAST_MESSAGE_TIME sub element of the AGENT_CONNECTION element in an smpublish report.

7.3.8 Update to Policy Server trace Logging (39670)

The Policy Server trace logging now functions correctly when there are more than 255 connections (or file handles). It is also recommended that you use a utility like ulimit on Solaris to increase the soft limit of file descriptors that can be opened in a session.

7.3.9 Return Values for Perl Methods ValidatePassword() and SetPassword() (40153, 40345)

These Perl Policy Management API methods now return correct values to reflect success or failure of the call.

7.3.10 Windows Authentication Scheme Template Enhancement (40201)

You can now configure a Windows Authentication Scheme template in the Policy Server User Interface.

7.3.11 New Perl Methods for Converting Between v4.x Agents and v5.x Agents (40299, 39714)

The following Perl PolicyMgtAgent methods let you convert between v4.x agents and v5.x agents:

ConvertFromLegacy()

ConvertToLegacy()

7.3.12 LDAP User Property Searches Enhancement (40337, 38805)

The Policy Server has been enhanced to correct the handling of user property searches in LDAP-based user stores that return no results.

7.3.13 Active Directory Integration Update (40338, 39912)

With the Active Directory integration enabled, the Policy Server has been enhanced to make sure that a user is not prompted for a password change when the DONT_EXPIRE_PASSWORD flag in the AD user state is set or enabled.

7.3.14 Policy Server Handling User Names in Parenthesis (40444, 39977)

During authentication and authorization, the Policy Server is enhanced to handle user names enclosed in parenthesis if you set the following registry variable:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\CurrentVersion\Ds\AllowUserNameWithinParentheses

If this registry setting:

Does not exist, the user names within the parentheses are not allowed during authentication and authorization.

Exists and the value is 0, the user names within parentheses are not allowed during authentication and authorization.

Exists and the value is 1, the user names with parentheses are allowed and not treated as a user attribute.

7.3.15 Realms and Resources Cache Searches Issue Fixed (40564)

The Policy Server now correctly performs realms and resources cache searches without failing.

7.3.16 Ignoring pwdLastSet in Active Directory Global Catalog (40627, 35293)

If the Policy Server is using Active Directory Global Catalog, the pwdLastSet attribute can be ignored if you manually add the following registry value:

SiteMinder\CurrentVersion\Ds\LDAPProvider\IgnoreADPwdLastSet

To enable this feature, set this REG_DWORD value to a non-zero value.

Note: This feature was removed in 6.0 SP2 and was added back in at v6.0 SP2_CR002.

7.3.17 API Enhancements (39725)

The Policy Server now includes the following C Policy Management API functions that retrieve any policy objects by name:

Sm_PolicyApi_GetAgentByName()

Sm_PolicyApi_GetAgentTypeByName()

Sm_PolicyApi_GetAgentTypeAttrByName()

Sm_PolicyApi_GetAgentConfigByName()

Sm_PolicyApi_GetHostConfigByName()

Sm_PolicyApi_GetTrustedHostByName()

Sm_PolicyApi_GetTrustedHostExByName()

Sm_PolicyApi_GetUserDirByName()

Sm_PolicyApi_GetAdminByName()

Sm_PolicyApi_GetSchemeByName()

Sm_PolicyApi_GetRegistrationSchemeByName()

Sm_PolicyApi_GetPasswordPolicyByName()

Sm_PolicyApi_GetODBCQuerySchemeByName()

Sm_PolicyApi_GetGroupByName()

Sm_PolicyApi_GetDomainByName()

Sm_PolicyApi_GetRealmByName()

Sm_PolicyApi_GetRuleByName()

Sm_PolicyApi_GetResponseByName()

Sm_PolicyApi_GetPolicyByName()

Sm_PolicyApi_GetGlobalRuleByName()

Sm_PolicyApi_GetGlobalResponseByName()

Sm_PolicyApi_GetGlobalPolicyByName()

Sm_PolicyApi_GetVariableTypeByName()

Sm_PolicyApi_GetVariableByName()

Sm_PolicyApi_GetAffiliateDomainByName()

Sm_PolicyApi_GetAffiliateByName()

The following existing PERL Policy Management APIs also had performance enhancements:

PolicyMgtSession methods

GetAdmin()

GetAffDomain()

GetAgent()

GetAgentConfig()

GetAgentGroup()

GetAgentType()

GetAuthScheme()

GetDomain()

GetGlobalPolicy()

GetGlobalResponse()

GetGlobalRule()

GetHostConfig()

GetODBCQueryScheme()

GetPwdPolicy()

GetRegScheme()

GetUserDir()

GetVariableType()

PolicyMgtDomain methods

GetPolicy()

GetRealm()

GetResponse()

GetResponseGroup()

GetRuleGroup()

GetVariable()

PolicyMgtRealm methods

GetChildRealm()

GetRule()

PolicyMgtAffDomain methods

GetAffiliate()

7.3.18 Import and Export of Perl Global... Methods (39979)

The Perl Policy Management API methods GlobalResponse(), GlobalRule(), and GlobalPolicy() can now be imported and exported correctly.

7.3.19 Policy Server Improved When Connecting to Large LDAP Policy Store (40062)

The Policy Server User Interface's performance has been improved if the Policy Server connects to LDAP-based policy store that contains extremely large amounts of data.

To improve of the performance of this type of configuration, set the following LDAP search timeout registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore\SearchTimeout

You should set LDAP search timeout registry setting at a value that is large enough to keep the Policy Server from timing out when it is retrieving large amounts of policy store data from an LDAP server. The default value is 20 seconds.

Before setting this registry setting, you should consider the following factors:

Network speed and bandwidth

Size of LDAP search query response

LDAP directory server connection state

LDAP directory server load

Also, the following is a new Max AdmComm Buffer Size registry entry that allows you to tune the buffer size for the Policy Server User Interface:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\Max AdmComm Buffer Size

This value defines the maximum amount of byte data in a single packet passed from the Policy Server to the Policy Server User Interface.

You can set this value between 256 KB to 2 GB and, when no setting exists, the default is 256 KB.

Note: Increasing the buffer size could result in decreased Policy Server performance.

7.3.20 Improvement to Policy Server Shutdown Log Messages (40149)

If the Policy Server stops running due to lack of file descriptors, it now outputs detailed error messages to the log files that explain what the problem is.

7.3.21 Improvements to Policy Server Failure To Start Messages (40316)

If the Policy Server fails to start due to missing mandatory registry keys, it now outputs detailed error messages to the log files that explain what the problem is.

7.3.22 Improvements to Policy Server Idle Client Connection Messages (40626)

The Policy Server now outputs the correct error message to the log files if there is a closure of idle but established client connections.

7.3.23 Policy Server Handling of Oracle Server Error Codes (40630, 40629)

The Policy Server has been fixed to handle a ORA-12154 error code from the Oracle database server and maps it to an appropriate error message instead of issuing an "Invalid Credentials" message.

7.3.24 Policy Server Shutdown Issue on Solaris (40669)

On Solaris, when an administrator shuts down a Policy Server while it is running under heavy load, the server shuts down gracefully.

7.3.25 Memory Growth Issue Fixed (40828)

The Policy Server has been fixed to alleviate a memory growth issue that occurs during realm and rule updates to the policy store.

7.3.26 Host Configuration Object No Longer Has An Extra Space (40904)

The Policy Server User Interface no longer adds an extra space when you are creating a multi-value Host Configuration Object. Previously, before this fix, the extra space in the Host Configuration Object caused the Agent to connect to the Policy Server User with an empty IP address.

7.3.27 Update to Policy Server's SM<SERVICE> -publish Directive (40946, 40545)

The Policy Server's SM<SERVICE> -publish directive now generates well-formed XML output with all the AGENT_CONNECTION elements even if there are a large number of Web Agent connections.

7.3.28 Policy Server Connections to Audit Log Databases (40964, 40932)

The Policy Server now correctly handles connections to audit logging databases when there are logging exceptions.

7.3.29 Windows Authentication Scheme Creation Fix (41112)

The Policy Server User Interface now properly creates Windows Authentication schemes for LDAP or Active Directory-based user stores.

7.3.30 Policy Server starts as expected in Mixed Mode (41133)

When you disable the "Enable Agent Key Generation" option in the Policy Server Management Console and the Policy Server is using mixed versions of the policy (6.0) and key (5.5) stores, the Policy Server starts as expected.

7.3.31 User Names Containing a Comma No Longer Cause an Oracle Database Error (42122, 41838, 41108)

When the Policy Server is using an Oracle user directory, users that have a comma in their user name are authenticated with the out-of-the-box Oracle function. Previously, before this fix, this type of user name would cause the Policy Server to throw a database error.

7.3.32 Enhancement to Policy Server Request Processing Handling (40315)

The Policy Server has been enhanced to ensure fair processing of Agent API and Agent connect requests during normal request processing.

7.3.33 Update to Password Generation During Self-registration (40540)

The Policy Server has been fixed to ensure correct generation of passwords during self-registration when the Policy Server is using an:

LDAP-based user directory with multi-byte character support.
OR

Oracle-based session store.

7.3.34 Update to the Policy Server Authentication Service (41008, 40306)

The Policy Server authentication service now accommodates the calling of the Policy API initialization (Sm_PolicyApi_Init) and Policy API release (Sm_PolicyApi_Release) methods inside the respective hook functions—SmAuthInit() and SmAuthRelease()—in a custom authentication scheme.

7.3.35 ODBC Tracing Fix for Policy Stores in Relational Databases (41098)

The Policy Server now properly executes when you enable ODBC tracing for a policy stores residing in a relational database.

Note: You should only enable ODBC tracing for troubleshooting purposes since it impacts Policy Server performance.

7.3.36 Policy Server Agent Key Management Issue (41497)

The Policy Server has been fixed to ensure proper Agent key management if the Policy Server is using separate policy and key stores residing in an Oracle databases.

7.3.37 Return Value for Perl Method GetAllRules() (41514)

This Perl Policy Management API method now returns the correct value when no rules are present in a given policy. This method is in object PolicyMgtPolicy.

7.3.38 Update to Policy Server Shared Secret Management (41519)

The Policy Server has been fixed to ensure correct handling of updates to temporal fields related to shared secret management when operating with legacy Web Agents.

7.3.39 Groups Returned from Perl Method GetAllAgentGroups() (41627)

This Perl Policy Management API method now returns all configured agent groups in the session. This method is in PolicyMgtSession.

7.3.40 Policy Server Startup Issue (41690)

On Solaris, the Policy Server is fixed to startup gracefully under heavy load conditions and to no longer dump core.

7.3.41 Solaris SiteMinder Agent API Shared Library Fix (41741, 41586)

The SiteMinder Agent API now modifies the linkage for the Agent API shared library on Solaris to be self-contained with respect to other third-party libraries used in the same process.

7.3.42 Policy Server Can Now Log Exceptions to Windows Event Viewer (41821, 41363)

The Policy Server has been enhanced to make sure that any exceptions occurring during audit logging are now recorded to the Windows Event Viewer, which is in addition to the SiteMinder logs.

Be aware of the following:

Events are logged under the ObjAuditLog and AccessAuditLog categories.

Any exceptions occurring in audit logging due to object management are recorded under the ObjAuditLog category.

Any exceptions occurring in audit logging due to user-related activities such as authentication, authorization, administration, and affiliate activity are recorded under the AccessAuditLog category.

To enable Policy Server logging to the Windows Event Viewer

Open the Windows Registry Editor.

Go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SiteMinder.

Change the CategoryCount registry key to 7.

7.3.43 Enhancement to SNMP Variables (41839, 41620)

The Policy Server is fixed to make sure that the following SNMP variables are correctly displayed in milliseconds:

webAgentLoginAvgTime

webAgentValidationAvgTime

webAgentAuthorizeAvgTime

7.3.44 Policy Server Return Correct Reason Codes from Custom Authentication Schemes (41843, 37718)

The Policy Server has been fixed to return the correct reason code from custom authentication schemes when a password policy is enabled for that scheme.

7.3.45 Return Value for Perl Method GetAllUsers() (42032)

This Perl Policy Management API method now returns the correct value when no users are present in a given policy. This method is in PolicyMgtPolicy.

7.3.46 Policy Server Processes Policy Changes Faster (42523)

The Policy Server has been optimized to ensure faster processing of policy changes made by custom applications developed using the PERL or C Policy Management APIs.

To enable the faster processing of policy changes do one of the following

Omit the PreLoadCache flag during the call to the initialization function.

Introduce a small time delay in the custom application to make sure there is adequate time for cache processing before exit.

7.3.47 Policy Server Invalid Realm Processing (40665)

The Policy Server is updated to ensure correct processing of client requests containing invalid realms.

7.3.48 Policy Server's Handling of Users Changing Passwords (41930)

The Policy Server is fixed to make sure that a user in a "Change Password State" is handled correctly when this user provides invalid credentials during login.

7.3.49 Update to CRL Lookup Function (41977)

The Policy Server CRL lookup mechanism has been enhanced to accommodate the Certificate Distribution Point's (CDP) field containing URL's in client certificates.

7.3.50 Improvements to smobjexport and smobjimport (42210)

Using smobjexport and smobjimport, you can now transfer policy store data using administrators from an external directory.

7.3.51 Update to Certificate Mapping Enhancement (42233)

The Policy Server v6.0 SP 2 release introduced support for multi-value components in certificate Issuer and Subject DN fields. However, these changes caused existing certificate mappings to fail when attributes were part of a multi-value DN.

The Policy Server is fixed to enable existing mappings to continue to function correctly. This fix adds backwards-compatibility functionality for single-attribute and simple custom mappings.

Note: Custom mappings that relied on attributes which occur multiple times in a DN (for example %{CN2} or %{UID2}) still behave differently than they did before if any of the attributes being mapped are part of a multi-valued DN component.

7.3.52 Policy Server's Handling of a User With Different Passwords in Two User Stores (42356)

If a user with the same login ID exists into two disparate directories with varying passwords and the entry in the first user directory is disabled, the Policy Server now enables access to a resource based on the credentials available in the second user directory.

7.3.53 DeadHandleListLiveTime Registry Setting Value Increased (42528, 41818)

The minimum default value of the Policy Server's DeadHandleListLiveTime registry setting has been increased to 3 minutes.

The DeadHandleListLiveTime registry setting is located here:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

7.3.54 Enhancement to Certificate Mapping Exact Match Functionality (42631)

The Policy Server certificate mapping exact match functionality has been enhanced to allow for optimized searches based on the DN field from the client certificate.

7.3.55 Update to PERL Policy Management API (CLI) (42771)

The PERL Policy Management API (CLI) has been corrected to make sure that Agent and Host configuration objects can now be correctly exported and imported.

7.3.56 Improvement to Certificate-based Authentication (42855, 42989)

The Policy Server has been fixed to ensure correct processing of attributes contained in a custom mapping expression during certificate-based authentication.

7.3.57 Policy Server's Policy Restrictions Updated (43063, 41644)

The Policy Server has been fixed to make sure that any password changes performed through the DMS API is validated to conform to policy restrictions set through the Policy Server User Interface.

7.3.58 Return Values for Perl Methods ValidatePassword() and SetPassword() (40153, 40345, 43120)

These Perl Policy Management API methods now return correct values to reflect success or failure of the call.

7.3.59 Policy Server Supports LDAP V3 Protocol (42979)

The Policy Server has been enhanced to use the LDAP V3 protocol for all applicable LDAP operations when this protocol is supported by a given LDAP directory server.

7.3.60 Flushing the Cache and Viewing Response Object Properties (27488)

While using the Policy Server User Interface, if you flush the cache, you cannot view response or global response object properties unless you click other objects in the UI and then click the original object again.

7.3.61 Limitation When Configuring Connections to Active Directory in Application Mode (ADAM) (30221, 29837)

SASL-based binds using Windows generic security services are not supported by ADAM. When the Policy Server is connected to an ADAM user store it will use simple LDAP binds instead of SASL-based LDAP binds.

Important! Simple LDAP binds are not secure. We strongly recommend using SSL-based LDAP connectivity for secure communication with ADAM.

7.3.62 Policy Server on Red Hat Enterprise Linux Advanced Server Could Hang when Using a DB2 User Store (31501)

When a Policy Server on Red Hat AS was configured to authenticate against a DB2 user store, the log and tracing files (smps.log and smtracedefault.log) grew rapidly in size. If this size exceeded that which was allowed by the operating system (typically 2GB), the Policy Server hanged. This issue is fixed.

The following was the workaround for this issue:

Set the smps.log (default name of the log file) file to roll over at less than 2 GB. CA recommends rolling the file at 1 GB. To configure log file rollover, use the Logs tab in the Policy Server Management Console. To minimize tracing to the smtracedefault.log (default name of the trace file) file, disable tracing or reduce the amount of information written to this file.

7.3.63 User Lookup With DB2 User Store May Not Work Correctly (31451)

The Policy Server cannot retrieve custom user attributes when using a DB2 user store. Error messages such as the following are recorded in the smps.log file:

[4212/3536][Tue Jun 08 2004 13:53:09] [SmDsOdbcProvider.cpp:738][ERROR] Database Error executing query ( 'select rtrim(Disabled),rtrim(UserID) from SmUser where Name = 'user1''). Error: Internal Error:Database error. Code is -4007 (DBMSG: <<<State = HY000 Internal Code = -440 - [DataDirect][ODBC DB2 Wire Protocol driver][DB2]No function or procedure was found with the specified name (RTRIM) and compatible arguments.>>>) .

[4212/3536][Tue Jun 08 2004 13:53:09][SmDsOdbcProvider.cpp:738][ERROR] Database Error executing query ( 'select rtrim(Disabled),rtrim(UserID) from SmUser where Name = 'user1''). Error: Internal Error: Database error. Code is -4007 (DBMSG: <<< State = HY000 Internal Code = -440 - [DataDirect][ODBC DB2 Wire Protocol driver][DB2]No function or procedure was found with the specified name (RTRIM) and compatible arguments.>>>).

7.3.64 Fix Entering Incorrect AD/ADAM User Directory Information in Policy Server User Interface (31504)

This service pack fixes an error if you enter incorrect user directory information in the Policy Server User Interface when specifying the AD namespace for ADAM or Active Directory.

If the Policy Server is configured to use ADAM or Active Directory as a user store and you enter incorrect AD namespace information in the User Directory dialog, the Policy Server fails. The Policy Server also fails if the settings are correct but it cannot contact the AD server.

Workaround: Enter correct AD namespace information in the User Directory dialog.

7.3.65 Web Services Variables Fail When Configured to use SSL (27636)

Web Service variables may fail to be evaluated under load if they are configured to use an SSL connection to a Web service.

7.3.66 Running Scripts Built with the Policy Management API (28556)

A script built with the Policy Management API must run as the same user who installed the Policy Server (for example, smuser on UNIX platforms).

7.3.67 Password Services and Multiple User Directories in Policy Domain Issue (40147, 19135)

If you have Password Services configured in a policy domain that contains more than one user directory and users enter an incorrect password when they are required to change their password, they are now redirected to the password change confirmation screen. Previously, they were incorrectly redirected to the login form screen.

Before this fix, the Password Services redirect only fired if the user directory within the password policy was the last user directory in the search order.

7.3.68 Improvements to Session Server's Handling of Heavy Load (31430, 29967)

Summary of Problem

When the session server was under heavy load, it generated errors when it added or removed new sessions from the session server database tables. At the same time, the session server also stopped removing expired and idled-out sessions from the session store. These issues were caused by maintenance queries taking longer than what the Policy Server allowed in the default query timeout setting.

Resolution

In this service pack, all of the issues listed in the "Summary of Problem" section are now fixed. The Policy Server can now better handle longer-running session server maintenance task queries—such as removing idled-out or expired sessions—using a new MaintenanceQueryTimeout registry setting.

You can modify the MaintenanceQueryTimeout setting at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\SessionServer

The default value is 60 seconds. However, if the session server is under heavy load, you need to increase this setting to a value large enough to allow the maintenance thread to complete all tasks successfully.

7.3.69 Policy Server Failed Due to Heavy Load from SMTest Script (43296)

The 6.0 SP2 CR03 Policy Server failed in DoAccounting when a policy domain was deleted under load created by a SitMinder Test script that included accounting and management requests. When the script was still running, the Policy Server core dumped each time smexec restarted the Policy Server. This is no longer an issue.

7.3.70 ODBC Tracing Caused Linux Policy Server to Dump Core (43676)

The Linux RHAS 2.1 Policy Server no longer core dumps when ODBC tracing is turned on.

7.3.71 Policy Server Uses Updated RSA ACE SDK Version (43221, 43815)

The Policy Server is upgraded to use the new RSA ACE SDK version 5.0.3.2

7.3.72 Policy Server Management Console Failure Fixed (42953)

The Policy Server Management Console no longer fails if you open the About dialog (Help > About) or set the SiteMinder super user password from the Super User tab.

7.3.73 Policy Server/User Directories Load Balancing Issue (43086) (41697)

In a load balancing configuration consisting of multiple LDAP user directories and Policy Servers, if one user directory is stopped, then all Policy Servers hang even though there are other user directories available for failover. In this example, you stop the user directory using the pstop command.

In this service pack, this issue is fixed and the user directory failover happens as expected.

7.3.74 ODBC Trace Logging Fix (42541)

The Policy Server no longer fails under load if ODBC trace logging is enabled.

This issue still exists on the Red Hat Enterprise Linux AS 3.0 platform.

7.3.75 Entering a Host Name in the SiteMinder Agent Dialog (44172)

The SiteMinder Agent Dialog now allows you to enter a host name in the IP Address or Host Name field if you are configuring a 4.x Agent. Previously, before this fix, the Policy Server would only allow you to enter an IP Address and not a host name.

7.4 Defects Fixed for 6.0 SP2

Release 6.0 SP2 contains the following fixes:

7.4.1 Resource in Unprotected Realm when Rule is Not Associated with a Policy (30672)

The Policy Server now protects a resource matching a rule under an unprotected realm when the rule is not associated with a policy.

7.4.2 New GetUserContext Function in C Policy API (31014, 29981)

A new GetUserContext function in the C Policy API populates the Sm_Api_UserContext_t structure.

7.4.3 Fix in Oracle Encrypted Password Feature (31266, 30582)

If you enable the Oracle encrypted password feature for an Oracle user store and then access this store using the Oracle Call Interface (OCI) namespace, authentication succeeds. Previously, before this fix, the Oracle encrypted password feature did not work when using OCI connections to the user store.

7.4.4 Improvements to CoInitialize() (31291, 31131)

The error handling and logging of function calls to CoInitialize() are improved. Now, if any of the CoInitialize() calls fail, the Policy Server now prints the error message along with the return value for CoInitialize().

7.4.5 smobjimport Failed When Importing Rules with a Large String Length (31330, 33709, 31187)

When importing a large policy store using the smobjimport utility, if a rule group has rules with object ID's containing a string length of more than 4095 characters, the utility no longer fails.

7.4.6 New Connections Caused Policy Server to Create Web Agent Handshake Timeouts (31362, 31003)

This service pack fixes a condition where new connections to the Policy Server would not receive the correct priority handling, which resulted in handshake timeouts with Web Agents.

7.4.7 Certificate Authentication Scheme Enhanced (31583, 31154)

The certificate authentication scheme for cert-only authentication is enhanced so that the Policy Server only performs certificate mapping functionality during the disambiguation and not in the authentication phase.

7.4.8 Policy Server Custom Authentication Scheme Race Condition Fixed (31604, 30989)

A failure, which results from a Policy Server race condition caused by a custom authentication scheme returning failure in the SmAuthInit() hook function, is fixed.

7.4.9 Migration Fix for Scripting Interface for Perl (31620, 31273)

When using the Scripting Interface for Perl, migrating policy store data now works correctly if you change from one policy store to another in the same Perl script.

7.4.10 Policy Server Clears Object Cache Correctly (31690, 31544)

The Policy Server now clears the object cache correctly when policy store context is released.

7.4.11 Fix for Policy Server User Interface When Using DMS Wizard (33682, 31199)

The Policy Server User Interface no longer hangs when running the DMS Configuration Wizard multiple times.

7.4.12 Policy Server Writing Keys to Separate ODBC Database (33698)

The Policy Server now updates key information correctly when it is configured to use a separate ODBC-based key store than the one used for the policy store.

7.4.13 Custom Active Response Causing Policy Server to Fail (33723, 31648)

This service pack fixes a Policy Server failure caused by a custom active response calling the SmQueryVersion() function.

7.4.14 Policy Server User Store Connection Enhancement (33920, 31616)

The Policy Server now tries to reestablish an LDAP connection immediately after it fails to connect to a user directory. Before this fix, the Policy Server had to wait for 30 seconds before it could reestablish the user store connection.

7.4.15 Certificate Authentication Schemes Enhancement (33940, 31652)

The Certificate+Basic and Certificate+Forms authentication schemes now only authenticate a user when the user name presented in the form is an exact match of the one in the certificate.

7.4.16 Missing Active Directory Policy Store Upgrade File Included (33845)

The 6.0 Policy Server installation program was missing the AD_Upgrade_SM4x_To_SM60.ldif file, which is required to upgrade a 4.61 SP5 Active Directory policy store to 6.0. This service pack includes this upgrade .ldif file.

For instructions on using the AD_Upgrade_SM4x_To_SM60.ldif file, see the Policy Server Upgrade Guide.

7.4.17 Enhancement to Policy Server Certificate Authentication Library (33936, 31595)

This service pack includes a fix that extends the list of well-known extensions handled by the Policy Server certificate authentication library. The Policy Server can now handle the dmdName attribute (OID 2.5.4.54), which allows certificates issued by issuers with a dmdName attribute in the IssuerDN to be used for successful authentication.

7.4.18 Policy Server Authentication Service calling Policy API Init and Release Functions (33966, 31579)

The Policy Server authentication service now accommodates calling the Policy API init and release functions at any location inside a custom authentication scheme.

7.4.19 Dynamic Search No Longer Causes Policy Server to Time Out (34157, 33822)

The Policy Server no longer times out when searching for users in dynamic groups if there is a large number of users that meet the dynamic group search filter criteria. Previously, before this fix, this dynamic search caused the Policy Server to time out, which resulted in users not getting authorized.

7.4.20 Policy Server No longer Hangs Due to SQL Server ODBC Connection (34215, 34084)

The SQL Server ODBC connection to the Policy Server no longer hangs. Previously, before this fix, this connection would hang since the Policy Server attempted to continuously reconnect to the SQL Server policy store.

7.4.21 Authorization or Authentication Event Rule Type Fix (33766)

The Policy Server did not protect resources that matched an Authorization or Authentication event rule type. In this service pack, this issue is fixed.

7.4.22 6.0 and 5.5 Policy Server Sharing Same Policy Store Issue (34079)

When a 6.0 and 5.5 Policy Server are sharing the same LDAP policy store, the 6.0 Policy Server now generates errors under load if you delete rules using the 5.5 Policy Server Policy Server User Interface.

7.4.23 Policy Server Does Not Fail When Removing Web Agent Connections (34265)

The Policy Server no longer fails intermittently when cleaning up Web Agent connections that are under heavy load.

7.4.24 Policy Server Resource Protection Status Issue (34418)

The Policy Server now returns the correct resource protection status when there is a rule with a wildcard (*) on the resource.

7.4.25 Certificate-based Authentication OCSP Connection Issue (34587) (34541)

During certificate-based authentication, if the you assign the IgnoreNonceExtension attribute to the value YES (which is case sensitive) in the smocsp.conf file, then the Nonce extension is disabled in the OCSP request, which is required by the CoreStreet responder for OCSP processing of certificate validity.

The following example smocsp.conf file shows the Nonce extension as being disabled in the OCSP request:

[
OCSPResponder
IssuerDN C=de,O=InsecureTestCertificate,CN=For Tests Only next
generation,E=insecure@test.insecure
AlternateIssuerDN C=de,O=InsecureTestCertificate,CN=For Tests Only next
generation,E=insecure@test.insecure
CACertDir 172.25.135.174:2351
CACertEP uid=CA Manager,ou=ocsp,dc=clearcase,dc=com
ResponderCertDir 172.25.135.174:2351
ResponderCertEP uid=Responder Manager,ou=ocsp,dc=clearcase,dc=com
ResponderCertAttr cacertificate
ResponderLocation ocsp.openvalidation.org:80
IgnoreNonceExtension YES
]

If the IgnoreNonceExtension attribute does not exist in the smocsp.conf file, then the Nonce extension remains enabled in the OCSP request, which is the default.

7.4.26 Java 1.4-based Policy Server User Interface Can Display All Agents (34410)

The Java 1.4-based Policy Server User Interface can now display larger number of Web Agents (for example, over 20) in an Agent group. Previously, before this fix, it was unable to display all of the Agents in an Agent group.

7.4.27 Policy Server and Oracle Wire Protocol Driver Issue (34524)

After applying this service pack, the Policy Server's ODBC connections to an Oracle policy store do not hang when using the Oracle wire protocol driver.

7.4.28 Active Directory User No Longer Generates Policy Errors (34636, 34125)

The Policy Server no longer generate errors when a user from an Active Directory user store changes their password on next login using the Active Directory console.

7.4.29 Error Messages in LDAP Policy Store Log Files (34643, 34212)

When the Policy Server encounters error messages while performing policy store searches in Active Directory, these messages now contain the correct LDAP error code. Previously, before this fix, these error codes were incorrect.

7.4.30 Policy Server Correctly Rolls Over Dynamic Agent Keys (34644, 34292)

If you set dynamic Agent keys to rollover either once or several times a day using the Set Rollover Frequency dialog box, the Policy Server did not rollover keys as configured. Now, the Policy Server correctly rolls over keys during the selected hour.

7.4.31 Policy Server Error Message When Using Replicated Policy Stores (34755, 34058)

In a Policy Server environment that contained several replicated LDAP policy stores, the Policy Server issued an incorrect "Object not found" error message instead of a "Your session may have timed out" message when it experienced a delay in propagation of newly created objects across the policy stores. In this service pack, this issue is fixed.

7.4.32 SNMP Traps Show the Community for Events in snmptrap.conf File (34795, 34251)

SNMP traps now show the community for the event set in the snmptrap.conf file.

This service pack includes an updated snmptrap.conf file. Before installing this service pack, back up and save the original snmptrap.conf file, which is located in <siteminder_installation>\config. This allows you to preserve any custom changes that you made to this file.

7.4.33 Policy Server and Active Directory Policy Store Errors (35194, 34319)

The Policy Server no longer shuts down when LDAP errors are encountered during a search in an Active Directory policy store.

However, the Policy Server does shut down if it encounters:

an ADMINLIMIT_EXCEEDED or SIZELIMIT_EXCEEDED error

a problem creating or parsing sorting and paging controls, which are essential in performing Active Directory-based searches.

7.4.34 Enhancements to JVMOptions.txt File (35251, 34632)

The JVMOptions.txt (located in <siteminder_installation>\config) initialization file now supports up to 63 options and can handle values that are up to 8K in size for each option.

7.4.35 Mapped User's Attribute in a SAML Assertion (29622)

This service pack includes a SAML assertion plugin solution that allows you to put a mapped user's attribute into a SAML assertion by allowing the Policy Server to obtain an arbitrary user's properties using the user directory's UserContext.GetDnProp().

7.4.36 Password Policy Fix (34086)

When the Policy Server is using an LDAP user directory, the Policy Server's password policy did not work properly if the user directory contained multiple users with the same user ID under different organizational units. Users are now redirected to the correct Web page if the number of failed login attempts exceeds the number specified in the password policy. Previously, users would get redirected to an error page.

7.4.37 Password Services Handling Account Lockout Fix (34176)

In the Policy Server's Password Services feature, this service pack fixes an error in handling account lockout due to the incorrect number of passwords being exceeded in a password policy.

Previously, if the password policy specified the account to be re-enabled after the lockout delay, users (who exceeded the maximum number of incorrect password attempts) would be incorrectly redirected to the "password expired" page if they again supplied an incorrect password in their first login attempt after the lockout time had passed.

Now, users are allowed to configure a number of bad password attempts immediately after the lockout time has expired.

7.4.38 Deleting a Rule Caused Policy Server to Fail (34673)

When running under heavy load, the Policy Server does no longer fails after you delete a rule using the Policy Server User Interface.

7.4.39 Ignoring pwdLastSet Attribute in Active Directory Global Catalog Support (35293)

The Policy Server's user store supports the Global Catalog Support feature in Active Directory. If you are using Active Directory Global Catalog Support, you can ignore the pwdLastSet attribute by doing the following:

Windows systems

From the Windows Start menu, select Run.

Enter regedit in the Run dialog box and click OK.

In the Registry Editor, navigate to:
\HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

Add the IgnoreADPwdLastSet REG_DWORD registry key and set to a non-zero value to ignore the pwdLastSet attribute.

UNIX systems

Navigate to <install dir>/siteminder/registry

Open sm.registry in a text editor.

Locate the following text in the file:
\HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

Locate the line that follows the line from step 3 and create the IgnoreADPwdLastSet REG_DWORD registry key.

Set the value to a non-zero value to ignore the pwdLastSet attribute.

7.4.40 IdentityMinder 6.0 Environments and Roles in the Policy Server User Interface (35381)

The 6.0 Policy Server now supports IdentityMinder 6.0 environment and role objects in the Policy Server User Interface.

7.4.41 Password Services Password Data Written to User Directory Fix (35693, 35436)

In the Policy Server's Password Services feature, this service pack fixes an error in password policy processing that caused password data to be written to the user directory when you set the password policy to disable login tracking.

After this fix, only certain exception conditions cause a write of the password data when you have login tracking disabled.

7.4.42 smobjimport/smobjexport Support IdentityMinder 6.0 Objects (35596) (35380)

The smobjimport and smobjexport utilities now support IdentityMinder 6.0 objects. To distinguish between IdentityMinder 5.6 and 6.0 objects, the following arguments have been added to smobjimport/smobjexport to use with the existing IdentityMinder arguments:

-im5
Used with -i, -j, -m to export IdentityMinder version 5 objects only.
-im6
Used with -i, -j, -m to export IdentityMinder version 6 objects only.
-m5
Used with -m to import IdentityMinder version 5 objects only.
-m6
Used with -m to import IdentityMinder version 6 objects only.

7.4.43 Affiliates Now Displayed for FederationWSCustomUserStore User Store (35412)

After applying this service pack to a Policy Server with the Option Pack installed, the Policy Server User Interface now correctly displays the affiliate objects associated with the FederationWSCustomUserStore user store. Previously, viewing the contents of the FederationWSCustomUserStore user store caused a session timeout. Further, if no affiliates exist, the user interface displays an Error 60 message.

7.4.44 Administrators From External User Directories Importing/Exporting Policy Store Data (36126, 35305)

Administrators, with system-level permissions, created in external user directories can now import and export policy store data using smobjimport or smobjexport if they supply the appropriate SiteMinder administrator credentials during import or export.

7.4.45 smobjexport Exports Specific Policy Domain Objects (36174, 35192)

The smobjexport utility now exports specific policy domain objects using the -e option if:

any of the realms contain an AuthAzMap object.

one of the user directories in the AuthAzMap object has an applicable PasswordPolicy.

Previously, before this fix, smobjexport would issue a bus error during export if the criteria from the list above was met.

7.4.46 Deleting Rule No Longer Causes the Policy Server to Fail (35957)

The Policy Server no longer fails when you delete a rule that is also accessed by a client application.

7.4.47 Policy Server Supports 5.2 SunOne LDAP Directory Server as a Policy Store (36133)

The Policy Server now supports a 5.2 SunOne LDAP Directory Server as a policy store. Previously, the smldapsetup utility would issue errors if you tried to import SiteMinder schema into a 5.2 SunOne LDAP Directory Server.

7.4.48 Improvement to Policy Store Type Identification (36747)

The Policy Server now performs optimal policy store type identification during startup or failover when using policy stores that reside in LDAP Directory Servers.

7.4.49 Agent API Supports 1024 File Descriptors on Solaris (36235) (34972)

On Solaris, the Agent API has been modified to accommodate environments that utilize more than 1024 file descriptors concurrently.

7.4.50 Policy Server Correctly Reconnects to Oracle Policy Store (36753,36425)

The Policy Server now reconnects correctly to an Oracle policy store when using the Oracle Wire protocol driver to communicate with an Oracle server that has been restarted due to a backup of the server.

7.4.51 Update to Policy Management API for Scripting Interface for Perl (36934, 36378)

The Policy Management API has been corrected to return a list of Agents from the policy store to the Scripting Interface for Perl regardless of Agent type or the correlation of the Agent's name to a trusted host.

7.4.52 Password Services and Users' Accounts Disabled Issue Fixed (37217, 36997, 37271)

On the SiteMinder Password Policy Dialog's Expiration tab in the Policy Server User Interface, if you configured a password policy to have the Policy Server disable users' accounts after three wrong login attempts and also selected the re-enable account option with the number of minutes left blank, users are disabled as expected. Previously, users accounts were enabled if they entered an invalid password a fourth time.

You access the SiteMinder Password Policy Dialog by selecting Edit > System Configuration > Create Password Policy.

In addition, the users' accounts remain disabled until they are re-enabled by an administrator.

7.4.53 Scripting Interface Can Import/Export Agent Configuration and Host Configuration Objects (37226, 36255)

You can now import or export Agent Configuration and Host Configuration Objects using the Scripting Interface for Perl. Before this fix, you were unable to do this.

7.4.54 Sm_Api_Version_V4_1 and Sm_Api_Version_V4 Not Supported (36275, 37239)

The API version constants Sm_Api_Version_V4_1 and Sm_Api_Version_V4 are not supported as documented in the Developer's Guide for C. These constants are intended for internal use only and you should use Sm_Api_Version_V3.

7.4.55 Update to Java DMS API Method (36234)

The Java DMS API method to modify a user's password now returns the correct status and reason code if you supply invalid credentials in the method call.

7.4.56 Policy Server Fix to Protect Resources Processed Against Blank Realms (36626)

The Policy Server is updated to make sure that resources processed against blank realms, which have rules defined in the realm, are protected.

7.4.57 Policy Server Fix Returns Correct Redirect Messages From Authentication Attempts (36925)

The Policy Server now correctly returns any user, error, and redirect messages from authentication attempts in domains that use multiple user directories.

7.4.58 Policy Server Processing Responses Improvement (37269, 36342)

The Policy Server now processes responses during a OnAccessReject action even if the Authorization user directory, which is configured in the Auth-AZ mapping, is not available.

The responses returned on an OnAccessReject action is limited to user class "ALL" when the Authorization user directory is not available.

7.4.59 IdentityMinder 5.6 Environment Objects Not Displaying in the Policy Server User Interface (37745, 37296)

The Policy Server now properly displays IdentityMinder 5.6 environment object trees in the Policy Server User Interface. After applying Policy Server v6.0 SP1 CR003, CR004, CR005, or CR006, IdentityMinder objects would not appear in the Policy Server User Interface. Now, this issue is fixed.

7.4.60 IdentityMinder 6.0 Environment Objects Not Displaying in the Policy Server User Interface (37743, 37469)

When the Policy Server is using an LDAP-based policy store, the Policy Server User Interface now displays IdentityMinder 6.0 environment objects. Previously, before this fix, these objects did not appear in the Policy Server User Interface.

7.4.61 IdentityMinder 5.6 and Policy Evaluation for RBAC Policies (37744) (37536)

Policy evaluation for role-based policies (RBAC) has been fixed for IdentityMinder 5.6 deployments.

7.4.62 Active expressions Fix (37517)

Active expressions using variable names containing character combinations including strings such as null, false, and true are correctly parsed.

7.4.63 Date Range Increased for Certificates Requiring OCSP Validation (37625, 37024)

The Policy Server now handles certificates requiring OCSP validation when the maximum year in the date range contains a year greater than 2038.

7.4.64 Policy Server Optimizes Cache Updates When Creating New Web Agents (37702, 37282)

The Policy Server has been fixed to optimize cache updates during creation of new Web Agents. The existing Agent groups are no longer removed from the policy store cache when you create new Agents.

7.4.65 Policy Server User Interface Certificate Mapping Update (37705, 37139)

The Policy Server User Interface now allows certificate mapping updates to be saved to the policy store if you enable the "Take from Certificate Extension" and perform CRL checking options.

7.4.66 Trace Logs and SQL_ATTR_QUERY_TIMEOUT Connection Attribute (37206)

The Policy Server trace logs do not contain any error messages pertaining to setting the SQL_ATTR_QUERY_TIMEOUT database connection attribute due to lack of support for this option in the driver used for the connection. In this service pack, this issue is fixed.

7.4.67 Race Conditions in Update of Policy Objects (37567)

The Policy Server can now accommodate any race conditions in the update of policy objects in a distributed configuration containing replicated policy stores. The Policy Server also returns an appropriate error response to requests made when the cache rebuild has failed in the Policy Server.

7.4.68 Policy Server Removal of Idle Agent Connections (37568)

The Policy Server has been fixed to ensure proper removal of idle Agent connections under certain load conditions.

7.4.69 Policy Server Logs Updated (37569, 38100)

The Policy Server logs contain correct error messages pertaining to the Policy Server accessing invalid or deleted realms under certain load conditions.

7.4.70 Policy Server Return Correct Reason Codes from Custom Authentication Schemes (37718)

The Policy Server has been fixed to return the correct reason code from custom authentication schemes when a password policy is enabled for that scheme.

7.4.71 Policy Server logs Updated for UserAz Cache (37993)

The Policy Server logs now contain correct messages pertaining to the state of the UserAz cache.

7.4.72 Policy Server Errors When Using ADAM Policy Store (38008)

During startup, the Policy Server no longer generates exceeding size limits errors for ADAM-based policy stores.

7.4.73 Policy Server Fires Rules Ending With a Wildcard (38181)

The Policy Server has been updated to accommodate the firing of rules in unprotected realms when the rule ends with a wildcard (*) character.

7.4.74 Policy Server Realms and Dependent Policy Objects Update (38409)

The Policy Server has been updated to make sure that realms and dependent policy objects are correctly updated in a distributed configuration that contains replicated policy stores.

7.4.75 Policy Server Returns Correct SMAUTHREASON Code (38803, 38411)

The Policy Server is fixed to accommodate the return of the correct SMAUTHREASON code upon user initiated password changes when a user is disabled and password services is enabled.

7.4.76 Updated to Java-based API Method AgentApi.init() (38813)

The Java-based API method AgentApi.init() is corrected to accommodate conditions when a null ServerDef object is added to an InitDef object that is used as a parameter to the init() method.

7.4.77 User Names Cannot Contain Parenthesis () (38963, 38923, 38707)

The Policy Server no longer permits users to log in with a user name that contains parenthesis (). For example, the Policy Server does not accept user names such as (Robm) or (Lisap). The Policy Server notes these login attempts as failures and puts a 'Username may not be enclosed within parenthesis: Can't proceed' error message in the authentication log file.

7.4.78 Fix for X.509 Certificates Larger Than 4096 Bytes (39366, 39051)

The Policy Server has been fixed so that X.509 certificate authentication works properly for certificates larger than 4096 bytes. This fix increases the limit for certificate binaries from 4096 to 8192 bytes and DNs from 1000 to 2000 bytes.

7.4.79 Policy Server and Shared Secret Rollover Configuration (39367, 38403)

The Policy Server User Interface now shows the saved Shared Secret Rollover configuration correctly. Before this fix, if you selected the Rollover Shared Secret every radio button in the Shared Secret Rollover tab on the SiteMinder Key Management dialog and specified a rollover period, the period value would change to zero after you saved the configuration.

7.4.80 SM_USERIMPERSONATORDIRNAME User Attribute HTTP Header Response Issue (39368, 39004)

The Policy Server now sets the SM_USERIMPERSONATORDIRNAME user attribute as an HTTP header response.

7.4.81 Policy Server No Longer Malforms the IssuerDN (39369, 39008)

For certificate mapping, if any attributes in the IssuerDN contain a comma, the Policy Server now properly reverses the IssuerDN. Before this fix, the Policy Server would malform the IssuerDN.

7.5 Defects Fixed for 6.0 SP1

Release 6.0 SP1 contains the following fixes:

7.5.1 1000 Entry Limit on Retrievals from Active Directory Policy Stores Removed (28006, 27667)

When configured to use an Active Directory policy store, the Policy Server can now successfully retrieve more than 1000 entries for any particular object.

7.5.2 IP Address Lookup While Configuring Agents 19100(15210)

When creating an Agent in the Policy Server User Interface, performing a valid IP address lookup will no longer result in a DNS lookup error.

7.5.3 Error 81 When Authenticating Against Active Directory Over SSL Using Enhanced LDAP Referrals (27945, 27544)

With the Policy Server configured to use enhanced referrals with Active Directory over SSL it will now correctly authenticate a user in the event of a connection timing out. Prior to this, error 81 was being returned to the authentication log.

7.5.4 List of Directories in the Manage User Dialog Incomplete (27892, 27678, 27875)

In the Policy Server User Interface, the Manage Users dialog box (Tools > Manage Users) contains a User Directory drop down list. This list now displays all user directories.

7.5.5 Problem Changing a Password Through Password Services When Agent and Policy Server Clocks are not Synchronized (27944, 27727)

In the event that password services is being used with an Agent that is communicating with two Policy Servers in round robin load balancing and the Policy Server clocks are out of synchronization, a new registry setting has been provided to ensure a user password can be successfully changed.

In the event that Policy Servers are running with different clock settings, create a registry entry:

ServerCommandTimeDelay (DWORD format)

under the

Hkey_localmachine\Software\Netegrity\SiteMinder\CurrentVersion\ObjectStore\

and set the value to the number of seconds that represents the time difference between the two Policy Servers.

7.5.6 Policy Server Cannot Make a Distribution Point Request to a PKI Certificate Authority (27974, 27599)

The Policy Server has been fixed to correctly retrieve distribution points from a certificate and thus can correctly make a formal Distribution Point request to the PKI Certificate Authority.

Supported formats are:

URL — ldap://<server-name>:<port_number>/<DN-of-Entity containing the CRL>

Example:

[1] CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap://server.company.com:8080/uid=Certificate Manager,ou=people,dc=netegrity,dc=com

Directory Address — <DN-of-Entity containing the CRL>

Example:

[1] CRL Distribution Point
Distribution Point Name:
Full Name:
Directory Address: uid=Certificate Manager,ou=people,dc=netegrity,dc=com

Additional notes on supported formats:

When using the URL format, the server name and port contained in the URL has to exist in the list of configured user directories in the Policy Server. This is because the Policy Server needs credentials to access this user store when searching for the CRL attribute. Thus the directory server configured in the Certificate Mapping dialog box is not used.

When using the Directory Address format, the Policy Server uses the info obtained from the distribution point string as an entry point for searching the directory server configured in the Certificate Mapping dialog box.

When there are multiple distribution points in the certificate, the first Directory Address formatted distribution point gets used. Similarly when there are no Directory Address formatted distribution points, the first URL formatted distribution point gets used.

7.5.7 Erroneous Log Message for Asynchronous Calls Registry Setting (27998, 27893)

There was an error when the following registry value was set to 1:

Netegrity\SiteMinder\CurrentVersion\Database\AsynchronousCalls

The message written to the Policy Server logs has been fixed to indicate asynchronous database calls have been enabled.

7.5.8 Policy Management API Case-sensitivity (25113, 24697)

The policy management API login function has been updated to be case-insensitive.

7.5.9 LDAP Search Scope for CRL Retrieval (28202, 28090)

The scope of the LDAP search performed by the Policy Server for retrieving CRLs is now always scope base. Prior to this it was dependent on the user setting specified for the directory.

7.5.10 Error with Form Post Variables for Non-Option Pack Agents (28408, 28210)

The Policy Server will no longer go into an infinite loop if a form post variable is triggered by a Web Agent that does not have the Web Agent Option Pack installed.

7.5.11 -hc parameter Added to Usage Statement for smreghost (28492, 28307)

The usage statement for smreghost has been updated to include the required "-hc" parameter.

7.5.12 Perl Scripting Interface Allows Imports of Multiple Policies (28577, 28141)

The Scripting Interface for Perl has been fixed to import multiple policies.

7.5.13 Perl Scripting Interface Correctly Exports Trusted Host Objects (28580, 28145)

The Scripting Interface for Perl now correctly exports a trusted host object.

7.5.14 getAttribute and copyAttribute Methods Are Now Case Insensitive (27929, 27402)

The getAttribute and copyAttribute methods of the SDK's DMS API have been updated to be case-insensitive and as such now conform to RFC 2252.

7.5.15 smobjexport Now Correctly Handles Nested Realms (28572)

Searches for Realms are now correctly formulated against an LDAP store in order for SmObjExport to export nested realms correctly.

7.5.16 Global Rules Can Be Configured with Agent Groups (28865)

Global rules can now be configured with Agent groups.

7.5.17 OneView Monitor Correctly Displays Details Page (28910)

The OneView monitor has been fixed to display the 'Details' page correctly.

7.5.18 Policy Server Shuts Down Cleanly if Attempting to Connect to a Policy Store with IdentityMinder Objects (28700)

A Policy Server to be used with IdentityMinder requires Policy Server Extensions for IdentityMinder. Once the extensions have been installed, the Policy Server can connect to a Policy Store that includes IdentityMinder objects.

Prior to this fix the Policy Server would fail if it attempted to read a policy store that contained IdentityMinder objects. Now the Policy Server has been fixed so that if extensions are not installed, it will shutdown cleanly.

7.5.19 Impersonators and Impersonatees Can Exist in Different User Directories (29177)

The SiteMinder 6.0 Impersonation facility has been fixed such that Impersonator and Impersonatee can exist in different user directories.

7.5.20 Certificate Map Test Dialog Box Shows All Directories (29106)

The Policy Server User Interface has been fixed to correctly show all the LDAP directories from the directory drop-down list on the Certificate Map Test dialog box.

7.5.21 Accounting Service No Longer Consumes CPU (29621, 29528)

The accounting service has been fixed so that it will no longer spin and consume CPU time.

7.5.22 Trailing Spaces Removed from Responses with SQL Server Data (29367, 29008)

The Policy Server has been updated to ensure that any responses containing user attributes from a SQL Server user store are properly right-trimmed to remove trailing spaces. This ensures that the response to the client is also correctly formatted.

7.5.23 Policy Server Supports Active Directory 2003 Policy Stores (29320, 28820)

The Policy Server has been fixed to work with Active Directory 2003-based policy stores.

7.5.24 Policy Server Option Pack Correctly Parses Dates (29443)

The Policy Server Option Pack has been updated to correctly parse dates in SAML assertions when millisecond values are not present.

7.5.25 Terminating an Administration Session No Longer Conflicts with Other Administration Sessions (29401, 29052)

The administration server has been updated so that it will not fail when two sessions are connected to it and one of the two ends its session.

7.5.26 smobjexport -e Correctly Exports Password Policies (29924, 29577)

When using smobjexport with the -e option, password policies associated with a user directory of the domain are correctly exported.

7.5.27 Modified Response Attributes Maintain OID (29925, 29529)

Response attributes modified via the Policy Server User Interface are no longer saved with a new OID.

7.5.28 Policy Server Correctly Responds to ACE Server Failover (29995, 29793)

The Policy Server has been updated to correctly failover from one ACE server to another in the event of an ACE server failure.

7.5.29 Policy Server Behavior if an Oracle Policy Store is Not Available (29750, 29559)

The Policy Server will shut down or fail to start (and then attempt to restart) if the policy store (Oracle) is not available. This is to ensure all policy information has been completely and correctly read before managing access to resources.

7.5.30 Policy Server Correctly Handles CRL Distribution Points When Connected to the Secure Proxy Server (29523, 29221)

The Policy Server has been updated to correctly accommodate receipt and processing of CRL distribution point information from certificates handled by the Secure Proxy Server platform for certificate-based authentication.

7.5.31 Members of Dynamic Groups Can Be Authorized with a Scope of One (29939, 29361)

Users who are members of a dynamic LDAP group can now be authorized when the member URL has a scope of one.

7.5.32 getDomainObject and getObject API Functions Handle Mismatched Parameters (27366, 27145)

The Policy Server has been updated to gracefully handle the policy API functions getDomainObject() and getObject() being passed mismatched parameters.

7.5.33 Policy Server Option Pack Now Allows Rules to be Added to Custom Agent Types (30297, 29850)

The Policy Server has been updated so that if the Policy Server Option Pack is installed rules can continue to be added to a rule group that is configured with a custom Agent type.

7.5.34 Global Policies Now Function Correctly with Agent Groups (29942)

Global policies will now correctly fire for domain realms that use Agent groups and for global rules that use Agent groups.

7.5.35 Password Services Redirect Behavior with Active Directory (30273)

A User disabled (or password change required) in Active Directory will be redirected properly to the Password Services page when the User Directory is configured with the "AD" namespace.

7.5.36 IdentityMinder Domain Show/Hide Option (30016)

The Policy Server User Interface option to hide IdentityMinder Domains no longer hides non-IdentityMinder domains.

7.5.37 Safeword with HTML Forms Authentication Support for Multiple Authenticators (30299, 29532)

The Safeword HTML forms Auth Scheme has been updated to support multiple Safeword authenticators. This fix requires Web Agent 5QMR6 HF-004 OR 6.0 HF-005 or later.

7.5.38 Logging of Password Change Failures with Active Directory User Stores (30600, 30101)

When a password change fails because it is rejected by Active Directory, "****" is be written in the logs instead of the new password.

7.5.39 OnAuthReject Responses for ACE Users in Next Token Mode or New Pin Mode (30561, 30063)

When using ACE authentication, the Policy Server will no longer fire the standard OnAuthReject responses for the users in Next Token Mode or New Pin Mode.

7.5.40 Null Value Handling for Required Parameters Using the JAVA API SDK Methods (30563, 29582)

In the event that a Java Agent API SDK method receives a null value for a required parameter it will now return an error. Previously it would cause the JVM to fail.

7.5.41 Improved User Cache Flush Handling (29690, 28909)

The Policy Server's user authorization cache has been updated to support improved flush user functionality. As a result IdentityMinder role assignment changes will be immediately reflected in the IdentityMinder user console.

7.5.42 Policy Server User Interface Searches (30589, 30417)

When performing searches in the Policy Server User Interface, searches using strings with characters such as "*(" will no longer cause the administration server to shut down.

7.5.43 Configuring a Time Delay for Rebinding Attempts in LDAP Directories (30640, 30534, 30647)

When the Policy Server is using Active Directory as a user store over LDAP (using the AD namespace), the LDAP connections are frequently "Marked Close Pending". The Policy Server thread or ping server thread waits or sleeps for 5 seconds after a connection is Marked Close Pending and attempting to bind a new connection.

Users can configure a new registry setting 'BindLDAPServerDelay' in seconds to determine the amount of delay required before attempting to rebind to an LDAP server.

To set this registry value

Windows

From the Windows Start menu, select Run.

Enter regedit in the Run dialog box and click OK.

In the Registry Editor, navigate to:

\HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

Create or modify the following BindLDAPServerDelay registry key and set the value that you want in seconds. The key must be of the type REG_DWORD.

Note: If you do not manually configure this setting on the machine where the Policy Server.

UNIX

Navigate to <install dir>/siteminder/registry

Open sm.registry in a text editor.

Locate the following text in the file:

\HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

Locate the line that follows the line from step 3 and begins with:
BindLDAPServerDelay

Create or modify the following BindLDAPServerDelay registry key and set the value that you want in seconds.

Note: If you do not manually configure this setting on the machine where the Policy Server installed, then the Policy Server waits for 5 seconds, the default value.

7.5.44 Executing Java Active Expressions (30836)

The activeExpression.properties file is now included in the config\properties subdirectory of the Policy Server installation directory to accommodate execution of Java ActiveExpressions through the Java Authorization API.

7.5.45 Configuring a Time Delay for Cleanup of Connections Marked as "Closed Pending" (30839, 30838)

Users can create a new registry setting, DeadHandleListLiveTime, to configure the number of minutes that must elapse before LDAP connections marked Closed Pending will be cleaned up.

The value should be created in the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

It should be named DeadHandleListLiveTime and be of type REG_DWORD.

When this registry key is not found (recommended), a default of 10 minutes will be used. When this registry key is found and has a value of less than 1 minute, a default of 1 minute will be used.

7.5.46 Using the getAgentTypeAttr Function to Obtain the Agent Type Name (30909, 30336)

The Agent Type Attribute Name can be obtained if the Agent Type Attribute OID is known by using the newly added getAgentTypeAttr() function in the Java Policy API.

The sample code for this would be:

SmResponseAttr responseAttr = (SmResponseAttr) responseAttrs.get(i);
String agentTypeAttrOid = responseAttr.getAgentTypeAttr();
System.out.println( "Agent Type Attribute OID = " +  agentTypeAttrOid);
SmAgentTypeAttr agentattr = new SmAgentTypeAttr();
result = policyApi.getAgentTypeAttr(agentTypeAttrOid.getOidString(),
agentattr);
System.out.println( "Agent Type Attribute Name = " +  agentattr.getName());

7.5.47 UpdateAttributes Agent Call Recalculates Active Response Values (30912, 30213)

The UpdateAttributes call by the Agent will now recalculate active responses that originally had no data.

7.5.48 smobjexport -s No Longer Exports IdentityMinder Environments (30936, 30358)

IdentityMinder Environments are no longer exported when using the smobjexport utility to export a domain with the -s option.

7.5.49 smldapsetup Passing Large Policy Store Name Values (30963, 30572)

The smldapsetup utility no longer fails on passing large values for LDAP policy store server names.

7.5.50 Modifying Agent Configuration Objects with the PERL CLI (30969, 30554)

The PERL CLI no longer fails on modifying an association with a large value of AgentConfigObjects.

7.5.51 Processing Search Filters for DNs with Spaces Following Commas (30993, 30850)

SiteMinder will process valid search filters with DNs containing spaces after the comma character without reporting any errors.

7.5.52 Policy Server and Servlet Exec on Red Hat Enterprise Linux Advanced Server with Apache 1.3.28 (28444, 29045)

On Red Hat AS, the Policy Server and Servlet Exec are now functional with Apache Web Server v1.3.28.

7.5.53 Additional Components for TransactionMinder in the Profiler (30083, 30197)

If you have installed TransactionMinder, the following components are now available for the Profiler:

License

MetaData

To access the Profiler, go to the Profile Tab of the Policy Server Management Console. For information about using the Profiler, see the Policy Server Management document.

8.0 International Support

An internationalized product is an English product that runs correctly on local language versions of the required operating system and required third-party products, and supports local language data for input and output. Internationalized products also support the ability to specify local language conventions for date, time, currency and number formats.

A translated product (sometimes referred to as a localized product) is an internationalized product that includes local language support for the product's user interface, online help and other documentation, as well as local language default settings for date, time, currency, and number formats.

In addition to the English release of this product, CA supports only those languages listed in the following table.

Language	Internationalized	Translated
Brazilian-Portuguese	No	No
Chinese (Simplified)	Yes	No
Chinese (Traditional)	No	No
Czech	Yes	No
Danish	Yes	No
Dutch	Yes	No
Finnish	Yes	No
French	Yes	No
German	Yes	No
Greek	Yes	No
Hungarian	Yes	No
Italian	Yes	No
Japanese	Yes	No
Korean	Yes	No
Norwegian	Yes	No
Polish	Yes	No
Russian	Yes	No
Spanish	Yes	No
Swedish	Yes	No
Turkish	Yes	No

Note: If you run the product in a language environment not listed in the table, you may experience problems.

9.0 Documentation

The file names for the SiteMinder 6.0 SP 5/6.x QMR 5 guides are as follows:

Guide Name	File Name
SiteMinder Release Summary	siteminder_release_enu.pdf
Developer's Reference for Java	siteminder_java_dev_enu.zip
Developer's Guide for Java	siteminder_java_dev_enu.pdf
Developer's Guide for C	siteminder_c_dev_enu.pdf
Federation Security Services Guide	siteminder_fs_config_enu.pdf
Policy Server Installation Guide	siteminder_ps_install_enu.pdf
Policy Design Guide	siteminder_ps_config_enu.pdf
Policy Server Management	siteminder_ps_sysmgmt_enu.pdf
Policy Server Readme	readme-policy-server.html
Policy Server, Web Agent Option Pack Readme	readme-option-packs.html
Scripting Guide for Perl	siteminder_perl_scripting_enu.pdf
SDK Overview	siteminder_sdk_overview_enu.pdf
SDK Readme	readme-sdk.html
SAML Affiliate Agent Guide	siteminder_saa_config_enu.pdf
SAML Affiliate Agent Readme	readme-saml-affiliate-agent.html
SiteMinder Upgrade Guide	siteminder_upgrade_enu.pdf
SiteMinder Integrated Documents	siteminder_integdocs_ref.enu.zip
Tier II Directory Configuration Guide	siteminder_dir_config_enu.pdf
Web Agent Guide	siteminder_wa_config_enu.pdf
Web Agent Installation Guide	siteminder_wa_install_enu.pdf
Web Agent Readme	readme-web-agent.html

To view PDF files, you must download and install the Adobe Reader from the Adobe website if it is not already installed on your computer.

Updated guides will be available at the CA Technical Support site.

9.1 Integrated Documents

Integrated Documents lets you access all of the SiteMinder documentation from a central location. Viewing Integrated Documents requires an Internet browser.

Integrated Documents includes a:

Single expandable list of contents for all manuals

Full text search across all manuals

Single index across all manuals

9.2 Option Pack Guide is Obsolete

The Option Pack Guide no longer exists. The Option Pack Readme contains installation information and specifies the features that require Option Pack installation.

9.3 Policy Server Help

The topic titled Load Users into an ADAM User Store specifies incorrect syntax for the ldifde command. The syntax is listed as:

ldifde -i -f <user_store>.ldif -s <IP_Address> -t CA Portal

The correct syntax is:

ldifde -i -f <user_store>.ldif -s <IP_Address> -t <port_number>

where <user_store>.ldif is the name of the for your user store, <IP_Address> is the IP Address of the machine where ADAM is installed, and <port_number> is the port number.

9.4 Policy Design Guide Amendment

The topic titled Configure a Certificate Mapping does not specify how to escape reserved special characters in the certificate mapping syntax.

The following special characters in the Issuer DN must be prefixed with the escape character (\):

Commas (,)

Semicolons (;)

Quotes (")

Backslashes (\)

Plus character (+)

Greater than character (>)

Less than character (<)

Note: More information on reserved special characters for LDAP distinguished names exists at http://www.faqs.org/rfcs/rfc2253.html

9.5 Formatting Error in Alphabetically Ordered Procedures

The Integrated Documents and the Policy Server Installation Guide contain procedures that include alphabetically ordered sub procedures. The numbering in some of these sub procedures restarts unintentionally. This is a known issue, which will be fixed in the next release.

9.6 Release Numbers on Documentation

The release number on the title page of a document might not correspond to the current product release number; however, all documentation delivered with the product, regardless of release number on the title page, will support your use of the current product release. The release number changes only when a significant portion of a document changes to support a new or updated product release. If no substantive changes are made to a document, the release number does not change. For example, a document for r11 may still be valid for r11.1 or even r12. Documentation bookshelves always reflect the current product release number.

Occasionally, we must update documentation outside of a new or updated release. To indicate a minor change to the documentation that does not invalidate it for any releases that it supports, we update the edition number on the cover page. First editions do not have an edition number.

10.0 Contact Technical Support

For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at http://ca.com/support.