Defects Fixed in 12.7.02

Note: CA Single Sign-On 12.7.02 was tested for the Meltdown and Spectre vulnerabilities on Windows Server 2012 R2 x64 systems; there was no impact on the functionality or performance of CA Single Sign-On. The test was performed using the windows8.1-kb4056898-v2-x86_f0781f0b1d96c7b12a18c66f99cf94447b2fa07f.msu patch. For information about the Windows patch, see Microsoft Documentation.
The following defects are fixed in CA Single Sign-On 12.7.02:
Policy Server
The following defects are fixed in Policy Server:
| Salesforce Case Number | Internal Defect ID | Issue Description |
|---|---|---|
| 00742690 | DE292285 | Policy Server fails to throw ServerErrorFile when validtargetdomain is configured, and a request has an invalid target and it is directed to a cookie provider. |
| 00736347 | DE297393 | Policy Server crashes when it tries to dereference a pointer from a directory of a non-existent user. |
| 00760779 | DE299597 | Policy Server fails to let delegated non-super users create Identity Mapping in Administrative UI. |
| 00724208 | DE301316 | If a user store name is updated, Policy Server fails to update it in the user search criteria that uses the user directory in Identity Mapping. |
| 00753754 | DE302304 | If a user is a member of 200 or more groups, user authorization fails in an application that is configured in EPM Domain. |
| 00641179 | DE305487 | APS password change fails if the user directory object name that is defined for the CPW program exceeds 255 characters. |
| 00793702 | DE306281 | Policy Server fails to fetch a value when response header is set to samaccountname instead of sAMAccountName. |
| 00805145 | DE308864 | If a network delay exists at Policy Server when a protected resource is accessed, CA Directory throws the "Already exists" error. |
| 00805290 | DE309503 | The XML Parse error occurs when a user tries to import the exported policy store of 12.52 SP1 CR02 using the xpsexport and xpsimport tools. |
| 00826951 | DE313821 | The ca_ps_env.ksh file has incorrect references to 32-bit libraries. |
| 00686204, 00752695 | DE313825 | If Post Form variable is configured in an expression, cookie contains incorrect response values and user request fails. |
| 00745582 | DE313827 | Subrealm fails to inherit updated agent group information from its parent realm. |
| 00826051, 00797753 | DE313845 | When AD LDS 2012 is used as policy store, the Policy Server configuration fails if OU is part of the root DN. |
| 00825087, 00868336, 00890470, 00931671 | DE314149 | Kerberos authentication fails if the ticket_lifetime expires. |
| 00828907 | DE315854 | Policy Server fails to identify AD Global Catalog that results in invalid search filter for nested groups with users. |
| 00831103 | DE315869 | CA Single Sign-On fails to redirect inactive or disabled users to password services URL, and allows the users to access applications. |
| 00847112 | DE317752 | Certificate authentication hangs when a large CRL file of about 4.5 MB is used. |
| 00809608 | DE319341 | The QS function of a cookie variable fails to retrieve items of a query string of a resource. |
| 00746866 | DE327423 | The login response increases when multiple variables exist in a persistent session. |
| n/a | DE331436 | NSS is upgraded to NSS 3.30.2. |
| 00774090 | DE331892 | When AD is used as a user store, SSL with Policy Server fails if Namespace uses AD as LDAP. |
| 00916290 | DE334605 | User names with ~ fail to access resources in OpenID Connect configuration, and receive the Internal Server Error with error code 400 in CA Access Gateway. |
| 00849582 | DE327030 | Policy Server fails to connect to policy store under heavy load, and throws the LDAP Error 81 or Local Error 82 error. |
| 00879252 | DE326697 | Invalid entries in an authorization header of Authentication and Authorization web services result in non-XML format responses. |
Administrative UI
| Salesforce Case Number | Internal Defect ID | Issue Description |
|---|---|---|
| 00755039 | DE296240 | smjndisetup.bat fails and displays the following error: "The program is unable to determine the appropriate JDBC driver to use when connecting to the object store database." |
| 00842334, 00805582 | DE309523 | REST APIs fail to modify federation configuration. |
| 00860284 | DE320356 | Wildfly returns the server and x-powered-by headers. |
| 00881585 | DE326178 | Administrative UI fails to display the task menu at login after changing Administrator to Super User. |
| 00886279 | DE326965 | The search functionality fails if the search string contains non-English characters when "starts with" and "ends with" filters are used. |
| 00897313 | DE329497 | Administrative UI displays a different realm during rule creation. |
| 00892867, 00903415 | DE330211 | The "REST APIs" link in the footer of Administrative UI fails to open the interactive reference documentation. |
| 00899210 | DE331493 | When Enable SLO option is selected during partnership creation at IdP, Administrative UI mandates the LDAP value. |
| 00912269 | DE335788 | Administrative UI fails to modify SP partnerships. |
SDK
The following issues are fixed in SDK:
| Salesforce Case Number | Internal Defect ID | Issue Description |
|---|---|---|
| 00647610 | DE311138 | smjavagentapi displays incorrect path of smhost.conf in the smjsdksample.properties file. |
| 00814366 | DE311378 | DMS API retrieves empty properties when setPropertyNames is used. |
| 00818375, 00853953 | DE311672 | The SSO portion of REST APIs fails to decode tokens generated by the security endpoint. |
| 00795183, 00801007 | DE331178 | Custom agent fails to write cookie information in session store. |
| 00907110 | DE336833 | The DecodeSSOToken method in Java SDK allows decoding SMSession using Padding Oracle Attack. |
Federation
The following issues are fixed in Federation:
| Salesforce Case Number | Internal Defect ID | Issue Description |
|---|---|---|
| 00739693 | DE320859 | oAuthLogin page ignores AuthzServerID, processes OAuthStateDataCookie value, and redirects users to the login page that is configured in OAuthStateDataCookie. |
| 00653365 | DE325866 | FWS ignores the persistentcookies ACO parameter when it is enabled. |
| 00858357 | DE320033 | When CA Single Sign-On is configured as OpenID Connect Provider, an error occurs when Client makes a back channel request to CA Single Sign-On OIDC Provider for user info. |
| 00755505 | DE304170 | In a federation partnership where CA Single Sign-On is the IdP, if AuthNRequest has an AssertionConsumerServiceURL but it does not have a binding with the ACS URL, CA Single Sign-On logs NO_BINDING_SPECIFIED error in the Policy Server trace logs. |
CA Access Gateway
The following issues are fixed in CA Access Gateway:
| Salesforce Case Number | Internal Defect ID | Issue Description |
|---|---|---|
| 00482319, 00383002, 00917814 | DE205010 | When cookie provider, maxtimeout URL or idle timeout URL parameters are configured and a user tries to access a resource with an expired cookie, CA Access Gateway fails to redirect the user and the browser loops. |
| 00623867 | DE264180 | CA Access Gateway fails to preserve the HTTP_SM_UNIVERSALID header value for an unprotected realm. |
| 00335041 | DE272474 | CA Access Gateway fails to return the domain cookie header to clients if the cookie request that is sent from the host-only backend server does not contain the domain. |
| 00669941 | DE279396 | Browser loops if all the following criteria are met: cookie provider is configured; two cookies with similar names exist; one cookie is a subset of the other; user accesses a resource with an expired cookie. |
| 00925301, 00847757, 00842961 | DE323842 | CA Access Gateway sends two SMSESSION cookies to backend server. |
| 00801040 | DE324608 | When additional attributes from form login are used as Post Variables and are used in an expression to evaluate a policy, CA Access Gateway fails to resolve these variables and results in authorization failure. |
| 00879765 | DE325440 | Apache Tomcat is upgraded to Apache Tomcat 7.0.82. Apache HTTP Server is upgraded to Apache HTTP Server 2.4.29. |
| 00836501 | DE326128 | affwebservice.log displays the ACS_FAILED_PROCESS_FAILURE message when SLO is configured and the application is accessed. |
| 00786285 | DE327010 | Agent receives FLUSH_THIS_USER with a delay after a user logs out. |
| 00695808 | DE329855 | CA Access Gateway fails to honor the max-size parameter when a connection-oriented authentication scheme is configured. |
| 00866357, 00888455 | DE330124 | CA Access Gateway fails to log the IP address of a client in smaccess.log if the client request navigates through the STS module. |
| 00769753 | DE330135 | CA Access Gateway fails to update the Active Responses though the Recalculate Value Every option is configured. |