Defects Fixed in 12.52

Contents
sm1252sp1
Contents
Policy Server
Event Library File Documentation (178452)
Symptom:
Information about adding an Event Library file (eventsnmp.dll) while using a monitoring service to monitor the Policy Server was not available.
Solution:
This is no longer an issue. The 
Policy Server Administration 
documentation has been updated.
STAR Issue: 21567951;1
Apache Process Aborts on Accessing login.fcc File (177053)
Symptom:
The Apache process aborts on accessing the login.fcc file using an incorrect path.
Solution:
This is no longer an issue.
STAR Issue: 21565391-1
Create Partnership Drop-down Not Displaying Properly (176737)
Symptom:
The Create Partnership drop-down menu is not displayed properly in the Administrative UI.
Solution:
This is no longer an issue.
STAR Issue: 21556418;1
Information to Upgrade r12 Policy Server is Unclear (176533)
Symptom:
The 
Upgrade 
documentation does not have clear instructions about how to upgrade an r12.x Policy Server to r12.52 when smkeydatabase is in use.
Solution:
This is no longer an issue. The Migration Considerations section has been updated.
STAR Issue: 21535336-1
Administrative UI Not Working After Upgrade (176504)
Symptom:
On upgrading the Administrative UI to 12.51, the Administrative UI is not working properly.
Solution:
This is no longer an issue.
STAR Issue: 21275704-3
The Administrative UI Failed while Manipulating Federation Partnerships (175622)
Symptom:
The Administrative UI slowed down and failed with an AGENTAPI_FAILURE while manipulating Federation partnerships.
Solution:
This problem is fixed.
Star issue 21493650-1.
Authorization Fails with EPM Application (175148)
Symptom:
If the role uses BELOW and if the user directories are configured in the load balancing mode, authorization fails with the EPM application,
Solution:
This is no longer an issue.
STAR Issue: 21517922-1
Administrative UI Added an Extra Pair of Parenthesis on the LDAP Notation (174905)
Symptom:
When a user tried to add users to a Domain Policy, the Administrative UI was adding an extra pair of parenthesis on the LDAP Notation.
Solution:
The JavaScript code now only adds parenthesis in a complex LDAP expression.
Star issue 21506542-1.
The smkeytool Was Not Importing Two Files in R12.51 cr01 (174693)
Symptom:
Smkeytool was generating an error while running the following command:
smkeytool.sh -addprivkey -alias testcert -keyfile SampleAppPrivKey.key -certfile SampleAppCert.crt
This command worked in previous versions.
Solution:
This issue has been corrected.
Star issue 21514671.
 
Latin ISO Users in AD AD LDS User Store Were not Able to Authenticate (174354 172053)
Symptom:
The Policy Server authenticated English users without any issues. Non English users, however, in AD with AD namespace were not authenticated
Solution:
This is no longer a problem.
Star issue 21430448;1.
 
VLV Indexing on Some LDAP User Directories Causes 
CA Single Sign-On
 Agent Group Lookups to Fail (174279)
Symptom:
Flaws in the Virtual List View (VLV) implementation on some LDAP user directories can cause 
CA Single Sign-On
 Agent group lookups to fail, returning zero entries and raising a “directory unwilling to perform" error.
Solution:
If you experience 
CA Single Sign-On
 Agent group lookup failures as described, disable VLV lookups on the Policy Server.
Create the registry key EnableVLV of type DWORD at the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\Siteminder\CurrentVersion\DS\LDAPProvider
  • EnableVLV
    Disables or enables VLV for LDAP directory lookups. To disable VLV, set EnableVLV to 0. To enable VLV, set EnableVLV to 1. 
    Values
    : 0 (disabled) or 1 (enabled).
    Default
    : 1 (enabled).
STAR issue: 20397633-1
Upgrade Results in Suddden Spike in CPU Usage (174236)
Symptom:
Upgrading from r6 to 12.51 results in the smpolicysrv process using 100 percentage of CPU usage.
Solution:
This is no longer an issue.
STAR Issue: 21507336;1
CA Single Sign-On
 Web Services Documentation (173173)
Symptom:
The URLs to load the WSDL and WADL files and the REST URI were incorrect.
Solution:
This is no longer an issue. The Web Services Scenarios
 
documentation has been updated.
STAR Issue: 21483616-1
The Administrative UI Was Not Properly Localized (173072)
Symptom:
When installing the Administrative UI on a French OS and accessing with a browser with locale in English, some part of the login page was in French. Everything is required to bein English.
Solution:
This is no longer a problem.
Star issue: 21480703-01
The Policy Server Was Randomly Failing (172992)
Symptom:
Th Policy Server was randomly failing in a customer environment. The core dump analysis verified that the failure was due to inappropriate data casting while printing the error logs.
Solution:
This issue is not longer a problem.
Star issue 21467303;1.
 
Wrong Location for jar files in shfedimport.sh (172882)
Symptom:
When we ran the smfedimport.sh, we got a java.lang.NoClassDefFoundError. We noticed the java script calls for certain jar files in the /opt/software/ca/siteminder/bin/thirdparty/ location but they are actually located in /opt/software/ca/siteminder/bin/endorsed.
Solution:
The location of the jar files is now correct.in the script.
Star issue 21476994-1.
 
Using Custom Authentication Scheme Results in Memory Leak (172871)
Symptom:
Using a custom authentication scheme results in a memory leak in the Policy Server.
Solution:
This is no longer an issue.
STAR Issue: 21411442;2
Error in Authentication REST Interface Tag (172762)
Symptom:
The end tag of the login responses for the Authentication REST Interface had a blank space.
Solution:
This is no longer an issue. The 
Policy Server Configuration 
documentation has been updated.
STAR Issue: 21467829;1
Slow PS Response When Modifying ACOs (172272)
Symptom:
When users modified an ACO, they experiences a 7-10 minutes lag before the Administrative UI displayed the final “task completed” message.
Solution:
This issue has been corrected.
Star issue 21437423-1.
 
Identity Mapping Not Working (172128)
Symptom:
The identity mappings between LDAP or ODBC directories and the custom directories are not working.
Solution:
This is no longer an issue.
STAR Issue: 21452663-1
Web Agent or Web Agent Option Pack Failed to Start (172124)
Symptom:
When first policy server listed in HCO is down, the web agent or web agent option pack did not start or initialize. When there are multiple policy servers defined in HCO, with Failover option NO, and the first policy server in the list is down, then WA or WAOP is not connecting to any other PS and not initialized.
Solution:
This is no longer a problem.
Star issue 21450634-1
Test Tool Basic Playback Mode does not work if Policy Server is running in FIPS only Mode (154109)
Symptom:
If the Policy Server is running in FIPS only mode, then the Basic Play Back Mode of the 
CA Single Sign-On
 Test Tool does not work correctly.
Solution:
This is no longer an issue. The Test Tool has been fixed. A new topic has been added: "How to Use the Test Tool in a FIPS-only Environment."
STAR issue: 20890864-1
Error in Processing Active Expression
Symptom:
CA Single Sign-On
 was throwing an error when retrieving a web services variable. The error in smtracedefault.log was: "Failed with error 'SmJavaAPI: Expression evaluation returned a null."
Solution:
This problem has been corrected.
Star issue: 21392046
Exception When Editing Users in SAML SP Object
Symptom:
When attempting to edit an existing user entry within a SAML Service Provider Object, the Administrative UI encounteredd an exception. This exception was seen after importing a policy store from V6.
Solution:
This is no longer an issue.
Star issue: 21399289-1
Administrative UI Console Was Missing Entire Section
Symptom:
The Administrative UI console was missing an entire section of "user attribute" for custom directory setup.
Solution:
This is no longer an issue.
Star issue: 21406240-1
Entity Type Changes from Remote IDP to Remote SP During Import (170262)
Symptom:
When trying to import metadata having multiple entities, the first entity in the list is imported rather than the one that is selected.
Solution:
This is no longer an issue.
STAR Issue: 21386774-1
Missing Authentication Authorization Web Service Default Settings Template in Administrative UI
Symptom:
The documentation for this web service referenced the AuthAzServiceDefaultSettings template ito create a new ACO, but it did not yet exist.
Solution:
A template is now available. The documentation has been corrected to correspond with the template.
Star issue: 21388970-1
Policy Server not Rolling Logs (170020)
Symptom:
The customer was unable to get their logs to roll automatically, which was causing the policy server to become non-operational. The process never crashed. It only failed to operate properly when thelog file got to 2 GB in size.
Solution:
This is no longer an issue.
Star issue: 21349366-1
Bad Search Filter Error (169127)
Symptom:
When you import a policy server using XPSimport, a bad search filter error is displayed.
Solution:
This is no longer an issue.
STAR Issue: 21329382-1
Unable to Edit SQL Entry within a Policy
Symptom:
The Policy User tab lists the user policy objects for the SQL ODBC users. When the user clicked on the edit icon in modify mode, the user was unable to edit.
Solution:
This is no longer an issue..
Star issue: 21148478;3
Default Values of ACO Parameters in Web Agent Configuration Documentation Unclear (155294)
Symptom:
The defaults values for the BadFormChars, BadCssChars, and BadUrlChars ACO parameters in the 
Web Agent Configuration 
documentation are not clear.
Solution:
This is no longer an issue. The documentation has been updated.
STAR Issue: 20933042-1
CA Single Sign-On
 Agent for JBoss Documentation Provides Incorrect Directions for UNIX Environment Settings (165866)
Symptom:
The "Set the JBoss Environment on UNIX" topic incorrectly states that JBOSS_CLASSPATH entries should be separated using a semicolon (;).
Solution:
This is no longer an issue. The documentation has been updated to show the use of a colon (:) to separate JBOSS_CLASSPATH entries.
STAR issue: 21264939-01
List of Required Linux Libraries in Policy Server Installation Documentation is Incomplete (169240, 169427)
Symptom:
The topic "Required Linux Libraries" in the Policy Server Installation documentation does not contain all the libraries that are necessary.
Solution:
This is no longer an issue. The documentation has been updated.
STAR issue: 21343328-04
The Policy Server Configuration Documentation Contains Incorrect Information About Impersonation Scheme Prerequisites (PROD00172378)
Symptom:
The topic "Impersonation Scheme Prerequisites" in the Policy Server Configuration documentation incorrectly states that smauthimpersonate.dll (Windows) andsmauthimpersonate (UNIX) are installed with the Web Agent. These files are actually installed on the Policy Server.
Solution:
This is no longer an issue. The documentation has been updated.
STAR issue: 21467135;1
Administrative UI Linux Prerequisite Information in Policy Server Installation Documentation Needs Consolidation (171403)
Symptom:
Different Administrative UI Linux requirements are included in two sections in the 
Policy Server Configuration 
documentation
.
Solution:
This is no longer an issue. The Linux requirements have now been consolidated.
STAR issue: 21436925-1
Additional Information About Bulk Loading Audit Data ODBC Database Required in Policy Server Administration Documentation (159529)
Symptom:
The 
Policy Server Administration 
documentation should state that the Enable bulk load option in the ODBC Oracle Wire Protocol Driver Setup dialog must not be set when importing audit data into an Oracle database using the -b option.
Solution:
This is no longer an issue. The documentation has been updated.
STAR issue: 21045785-
Addition of the OpenID Authentication Plug-in
Symptom:
The OpenID Authentication scheme requires a new plug-in for web servers that are doing authentication.
Solution:
The plug-in has been incorporated into 
CA Single Sign-On
.
Star issue:20777360;1
Federation 
Asserting Party Not Accepting ACS URL in an Authentication Request (170971)
Symptom:
CA Single Sign-On
 Federation was not accepting and processing the Assertion Consumer Service URL in the incoming authentication request. The system did not verify whether the authentication request had an Assertion Consumer Service URL defined.
Solution:
For an IdP-to-SP partnership, the Administrative UI has a new check box labeled 
Accept ACS URL in the Authnrequest
. This check box is in the SSO section of the SSO and SLO step of the partnership configuration. To confirm that the URL is present and valid in the authentication request, and it is in the metadata, select this option.
STAR issue: 21361990
decryptionkeyalias Option Missing for the smfedexport Tool (178702)
Symptom:
The -decryptionkeyalias command option was missing from the list of smfedexport command options.
Solution:
The -decryptionkeyalias command option is now in the table of command options.
STAR issue: 21594883-01
PS Exception When Retrieving Password (175936)
Symptom:
Policy server (FIPS only) threw the following exception while searching for IDP information for an SP-initiated request:
Exception while attempting to retrieve passwords:
java.lang.SecurityException: class "com.netegrity.util.ct"'s signer information does not match signer information of other classes in the same package.
Solution:
This issue has been corrected.
Star issue 21530627-01.
 
GetUserProp() Function Created a Policy Server Failure (174951)
Symptom:
WS-FED Assertion Generation GetUserProp() function was causing a Policy Server failure.
Solution:
This issue is no longer a problem..
Star issue 21505894.
SAML Response Error (172963)
Symptom:
The user encountered the error "ACS_BAD_SAMLRESPONSE_XML" while running federation partnership in Siteminder FSS 12.51.
Solution:
CA Single Sign-On
 Federation is no longer shipping dom.jar and sax.jar file, which were causing the problem.
Star issue 21478695-1
Updates to the Web Agent Option Pack Documentation (171546)
The following updates were made to the 
Web Agent Option Pack 
documentation
:
  • Create a WebAgent.conf File—Removed the note, which stated that the agent configuration object referenced in the WebAgent.conf file must be a new object.
  • Properties File for Federation Web Services—Revised the description of the AgentConfigLocation setting. This topic applies to the WebLogic, WebSphere, JBOSS, and Tomcat servers.
  • Agent Configuration Object Settings Used by FWS—Added this section to describe agent settings that the Federation Web Services application uses.
STAR issue: 21429459
Wrong Recipient Selected for an Assertion (171113)
Symptom:
In an indexed list of Assertion Consumer Service URLs, 
CA Single Sign-On
 Federation generated the assertion with the first entry in the list as the Recipient. The Recipient is required to match the index number.
Solution:
This issue is no longer a problem.
Star issues 21423322;1+21287493;1
SAML SSO Failure (169294)
Symptom:
SAML SSO was failing with "Could not parse SAMLresponse. Error message: null" as well as "ACS_BAD_SAMLRESPONSE_XML".
Solution:
This issue is no longer a problem.
Star issue 21313265;1.
Web Agent
Updating web.config File Stalls Site (176078)
Symptom:
With an IIS 7.5 web agent, whenever the web.config file is updated, the users are redirected to an error page.
Solution:
This is no longer an issue.
STAR Issue: 21485869-2
User Re-challenged On Exceeding Cookie Limit (172356)
Symptom:
User is rechallenged when the cookie limit exceeds 4 KB. If the Web Agent is disabled, the user is not rechallenged until the cookie limit reaches the web server defined limit of 16 KB.
Solution:
This is no longer an issue.
STAR Issue: 21466755-1
SAML 1.1 Artifact Transaction Fails on Consumer Side (179871)
Symptom:
When you execute an SAML1.1 Artifact transaction with affiliate name in local characters, the transaction fails on the consumer side and displays an error message.
Solution:
This is a known issue. For a successful SAML1.1 Artifact transaction, do not use local characters in affiliate names.
SDK
Agent SDK Updated to Support SSO Zones (168974)
Symptom:
Web agents accepted session cookies with no SSO zone name. This omission gave a session cookie from an old agent full access to all zones, regardless of configuration. This was a security defect in the SSO Zone implementation.
Solution:
The CreateSSOToken interface now supports inserting the SM_AGENTAPI_ATTR_SSOZONE attribute into the session token. The DecodeSSOToken reads the SSOZONE attribute from the provided token and places its value in the attribute list.
The JAVA Agent APi SDK, includes the new attribute type ATTR_SSOZONE in the AttributeList class.
If the token has no SSOZONE attribute, the default value is "SM."
Star issue:21313153;1
Failure of the createSession() Method in the SmSessionServer Class (171759)
Symptom
:
The createSession() method in SmSessionServer class (com.netegrity.policyserver.smapi) failed to create a session in 12.0.5.02 build 841, but reportedly worked in 12.5.0.0 (GA) and confirmed to work in 6.0.6.10.
Solution
:
The issue is a result of an incorrect merge and has been corrected.
Star issue 21440836-1
Impossible to Modify the Description of an Object Using the SDK (170888)
Symptom
:
Users were not a ble modify the description of an ACO using the SDK API.
Solution
:
This issues has been corrected.
CA Access Gateway
Server 500 Error while Accessing the 
CA Access Gateway
 User Interface (178615)
Symptom: 
The 
CA Access Gateway
 was formerly protected using a form-based authentication scheme. This method worked with r12.5. However, with r12.51 using this method caused a server 500 error.
Solution:
This issue is no longer valid in12.52 because the installer protects the UI by default. The existing protection topic is updated with the new procedure.
Star issue 21482778-1.
Updates to 
CA Access Gateway
 Documentation (178610)
Symptom:
The documentation required be corrected for the configuration of 
CA Access Gateway
 AdminUI (r12.51).
Solution:
The documentation has been fixed indirectly ecause the UI has been updated in r12.52.
Star issue 21595300-1.
The 
CA Access Gateway
 Failed to Mask the Destination URL (177119)
Symptom:
The 
CA Access Gateway
 was failing to mask the destination application URL even after using the the following Forward rule.
proxy_rules.xml :
<nete:case value="/ucmepp/">
<nete:forward filter="UCM">
" target=_blankhttp://xt99s.na.ko.com:16183/ucmepp/$1</nete:forward>
</nete:case>
Solution:
This problem is fixed.
Star issue 21468512-1.
 
SAMLDataPlugin Was Missing in 
CA Access Gateway
 Install (174197)
Symptom:
SAMLDataPlugin was not included in the 
CA Access Gateway
 Installation. This plug-in is required for HTTP Header Redirect Mode to work.
Solution:
The plug-in is now included in the installation.
Administrative User Inferface URL Not Clear
Symptom:
The URL to launch the Administrative User Interface did not specify that the Tomcat port has to be specified with the fully qualified host name.
Solution:
This is no longer an issue. The documentation has been updated.
STAR Issue: 21482552-1
Protect the Administrative User Interface Documentation (173062)
Symptom:
The procedure to protect the Administrative User Interface (UI) has an error.
Solution:
This is no longer an issue. In this release, the Administrative UI is protected as part of the installation.
STAR Issue: 21482512-1
Extra Space in Closing TAG (172764)
Symptom:
The 
CA Single Sign-On
 Web Services Scenarios Guide, Authentication REST Interface section for the authentication web service logout request" had a space in the closing TAG.
Solution:
The space has been removed.
Star Issue 21467829;1
 
Extra Space in TAG Name (172760)
Symptom:
The
CA Single Sign-On
 Web Services Scenarios Guide,, Authentication REST Interface section on page 15 had a space shown in the value for the LoginResponse.authenticationResponses.response.name TAG.
Solution:
The extra space was removed.
Star issue 21467829;1.
Mismatched TAGS in Web Services Document (172758)
Symptom:
The
CA Single Sign-On
 Web Services Scenarios Guide, Authentication REST Interface, Login Response section had mismatched TAGS for an HTTP return code 200.
Solution:
The documentation has been corrected.
Star issue 21467829;1.
CA Access Gateway
 Displays Destination Application URL (172522)
Symptom:
Version r12.5 does not mask the destination application URL even when the forward proxy rules are used.
Solution:
This is no longer an issue. The filteroverridepreservehost parameter has been added to the server.conf file.
STAR Issue: 21468512-1
HTTP Headers Redirect Mode Was Not Working (172422)
Solution:
HTTP Headers Redirect were not working.
Symptom:
This problem has been corrected. The attribute data appears in the headers as appropriate.
CA Access Gateway
Start-up Problem
Symptom:
The customer was seeing the following error:
*** glibc detected *** /apps/java/jdk1.6.0_43/bin/java: double free or corruption (!prev): 0x09107de8 *** ======= Backtrace: ========= /lib/libc.so.6[0x2b99a1] /lib/libc.so.6[0x2bc0e1] /usr/lib/libstdc++.so.6(_ZdlPv+0x22)[0xa0394df2] /usr/lib/libstdc++.so.6(_ZdaPv+0x1e)[0xa0394e4e] /apps/secure-proxy/agentframework/bin/libSPS60Agent.so(_ZN13CSmNamedMutex20GetDefaultServerPathEv+0xf7)[0xa1aa2e43]
Solution:
This is no longer an issue:
Star issue: 21374490-1
Advanced Password Services
Forgotten Password Service (FPS) Fails When Configured on Apache HTTP Server (112542)
Symptom:
When an Apache HTTP Server is configured to serve the Forgotten Password Service JSP files, Apache returns a 500 Internal Server Error message instead of the JSP page.
Solution:
The default sample JSP pages that are provided with the Forgotten Password Service are not compatible with the latest Apache JSP implementation. Use the new sample JSPs located in the Alternates subdirectory.