Resolved Issues

For a list of the resolved issues in the Enterprise Service Manager, refer to CA API Gateway ESM Release Notes v1.17.0.pdf. This file is located under "CA API Management Technical Documentation" in Release Notes 9.3.
Issues Resolved in Version 9.2
Issue
Resolution
DE210665
Corrected a caching issue with the Perform JDBC Query Assertion.
DE211092
Corrected the file permissions for /etc/snmp/snmpd.conf.
DE211168
Corrected a namespace prefix issue that affected the Build SAML Protocol Request Assertion.
DE211382
Corrected an issue with multi-byte characters when using the "Customize Request Form POST Parameters" option in the Route via HTTP(S) Assertion.
DE211504
Restored the missing "Create SSO Token" option in the Authenticate Against CA Single Sign-On Assertion.
DE211506
Corrected the Require HTTP Cookie Assertion to make it behave as documented.
DE211528
Corrected an issue that caused Cassandra connections to fail when unsupported cipher suites have been selected.
DE211606, DE211198
Corrected vulnerabilities in the Gateway.
DE211839
Corrected an error that occurred when attempting to change the Java Virtual Machine minimum memory.
DE212118
Corrected an issue that was causing unnecessary application events to be logged.
DE212151
Corrected an issue involving Kerberos token validation with the Require WS-Security Kerberos Token Profile Credentials Assertion.
DE212302
Corrected the decryption issue with AES 256 that affected Kerberos-based assertions by updating the underlying library.
DE212809
Corrected an issue that prevented the Route via HTTP(S) Assertion from using the cipher suites that are enabled by default.
DE212812
MQ messages now correctly route to the appropriate MQ Manager.
DE213018
Corrected the issue that inadvertently changed the data format values in MQ messages sent from the mainframe (from MQSTR to spaces).
DE220559
Corrected an issue where changes made through the Edit WSDL window were not reflected after multiple edits.
DE223519
Restored the Manage Gateway Licenses task, which was missing in the browser client version of the Policy Manager.
DE243871
The MQ Native Queue Listener now restarts automatically in situations where the MQ Queue Manager restarts or fails over.
US216345
Reissued a new certificate for the Policy Manager browser client.
Issues Resolved in Version 9.2 CR1
The 9.2 CR1 cumulative release addresses these issues.
Note: The 9.2 CR1 release must be installed on a v9.2 Gateway.
Issue
Resolution
DE269283
Corrected an issue that was causing severe performance degradation when using the Apply XSL Transformation Assertion.
DE270482
Fixed an issue that occurred after upgrade to 9.2.00, where if certain legacy cipher suites were enabled on a listen port, the listen port would shut down and reject traffic.
DE274604
Fixed an issue that occurred after upgrade to 9.2.00, where if certain legacy cipher suites were enabled on Routing assertions, HTTP Options, or Cassandra connections, their outbound connection would always fail.
US302143
Corrected a caching issue with the Perform JDBC Query Assertion. The maximum age for a JDBC connection has been increased from 500 ms to 5000 ms.
Issues Resolved in Version 9.2 CR2
The 9.2 CR2 cumulative release includes the contents of CR1 and addresses these issues.
Note: The 9.2 CR2 release must be installed on a v9.2 Gateway.
Issue
Resolution
US299427
Corrected an issue where the statePool value was set to False in ServerHttpRoutingAssertion as a default system setting of Gateway.
US323165
Updated the JDK version to JDK 1.8.0 Update 121.
Restart CA API Gateway after you install the patch. 
F28296
You can run the Policy Manager using the Web Start Application. For more information, see Run the Policy Manager using Web Start Application in Start the Policy Manager.
Issues Resolved in Version 9.2 CR3
The 9.2 CR3 cumulative release includes the contents of CR2 and addresses these issues.
Note: The 9.2 CR3 release must be installed on a v9.2 Gateway.
Issue
Resolution
DE292005
Corrected an issue where the Decode JSON Web Token Assertion was not failing when an invalid JWT signature is encountered.
As a solution, a new "Fail on invalid signature" option is added to the Decode JSON Web Token Assertion.
You must use the Policy Manager packaged with 9.2 CR3 to see the new option in the Decode JSON Web Token Assertion. This option is not present if you use the Policy Manager that was included with the base 9.2 version.
DE269876
Corrected an issue where the CA API Gateway can integrate with CA SSO by using a created SSO Token when generating a session other than the default SiteMinder SSO Zone.
As a solution, Create SSO Token, SSO Zone Name and None options are added in the Authenticate Against CA Single Sign-On Assertion Properties window. For more information, see Authenticate Against CA Single Sign-On Assertion.
Upgraded SSO SDK libraries in Gateway from 12.50 to 12.52.
US306982
Upgraded RSA BSAFE SSL-J library from version 6.2.1 to 6.2.2.
F38931
Improved the performance of MQNative through the outbound connection configuration. For more information, see MQ Native Queue Properties.
Issues Resolved in Version 9.2 CR4
The 9.2 CR4 cumulative release includes the contents of CR3 and addresses this issue.
Note: The 9.2 CR4 release must be installed on a v9.2 Gateway.
Issue
Resolution
DE301792
Addressed issues with MQ Native after upgrading to version 9.2:
  • MQ Message application data is now converted to a format specified by the queue manager. This occurs when:
    This behavior is now the default. If issues arise that require reverting to pre-9.2CR4 behavior, set the io.mqConvertMessageApplicationDataFormat cluster property to "false".
  • Properties in an MQ Message can now be returned in the MQRFH2 header when reading a message from a queue, under the same conditions as above.
    To enable this behavior, set the io.mqForceReturnPropertiesInMQRFH2Header cluster property to "true".
    Note: There are implications to referencing context variables after enabling this property.
Issues Resolved in Version 9.2 CR5
The 9.2 CR5 cumulative release includes the contents of CR4 and addresses these issues.
Note: The 9.2 CR5 release must be installed on a v9.2 Gateway.
Issue
Resolution
DE267962
Corrected an issue where the SiteMinder Policy Server validates the SMSESSION.
As a solution, the Gateway now validates the idle timeout of SMSESSION.
DE282583
Corrected a vulnerability in JSON Web Encryption.
DE298412
Corrected an issue where an error occurs when using the FTP commands.
DE307506
Updated the Process SAML Authentication Request Assertion to allow you to specify elements that are optional according to the SAML specifications.
DE307660
Corrected an issue where the status appears as CLOSE_WAIT when the OCSP Server connects the Policy Manager for the second instance.
US299569
Performance improvement of login to the Policy Manager.
US374097
Updated the JDK version to JDK8u141.
Restart CA API Gateway after you install the patch. 
Issues Resolved in Version 9.2 CR6
The 9.2 CR6 cumulative release includes the contents of CR5 and addresses these issues.
Note: The 9.2 CR6 release must be installed on a v9.2 Gateway.
Issue
Resolution
DE299444
Implemented HTTP listeners for private thread pool.
DE303707
Corrected a Kerberos Smart Card login issue. You can now successfully log in using Kerberos Smart Card after you upgrade from Gateway v8.3 to v9.2.
DE309991
Corrected an issue where the messages were not correctly processed using the Assertion Message Request Size.
DE309992
Corrected an issue where the Audit Sink Policy does not convert Audit Record to XML when a null character appears in the audit record.
DE313916
Corrected an issue where an exception occurs in the Policy Manager Admin Session Manager.
DE315607, DE317038, DE311996, DE306906
Corrected an issue where the changes made in the cluster-wide property in one Gateway fail to reflect in another Gateway in the cluster. This issue occurs when the cluster-wide property is obtained from policy or service.
DE319017
Corrected an issue where the Microservice assertions QuickStartTemplateAssertion and JsonJoltAssertion did not work with SSG 9.2.
Issues Resolved in Version 9.2 CR7
The 9.2 CR7 cumulative release includes the contents of CR6 and addresses these issues.
Note: The 9.2 CR7 release must be installed on a v9.2 Gateway.
Issue
Resolution
DE320546
Corrected an issue where ESM migration was corrupting the cluster wide property.
DE322333
Corrected an intermittent undefined -1 error in the gateway clusters, when gateway tries to execute "Retrieve Kerberos Credentials" assertion.
DE324840
Corrected a performance issue where a lot of connections go into CLOSE_WAIT state during a batch process.
DE325506
Corrected an issue where authentication was rejected by SiteMinder Server when a non-default SSO zone name is specified along with "Regenerate SSO Token" option.
DE327036
Corrected an issue where the Decode JSON Web Token Assertion on failure was leading to the failure of the entire policy.
DE334950
Corrected a GMU migration issue where the IPCheck option on destination gateway is enabled automatically.
DE335057
Corrected Policy Manager stability issues.
DE335551
Corrected an issue in the Dashboard Service Metrics panel. The audit events are displayed in the Gateway Audit Events panel if you click Show Audit Events for a service when All Services is selected from the Published Service drop-down, but the Gateway Audit Events panel is empty when you select a service from the Published Service drop-down and click Show Audit Events for that particular service.
US424441
JDK updated to 1.8.0_152
US436688
Corrected an issue so the 9.2 Gateway can reconfigure to connect to a higher version database schema.
Issue Resolved in Version 9.2 CR8
The 9.2 CR8 cumulative release includes the contents of CR and addresses this issue.
Note: The 9.2 CR8 release must be installed on a v9.2 Gateway.
Issue
Resolution
DE347523
Corrected an issue that caused Gateway response processing to fail if the request URL contains special characters that violate RFC 2396, for example, characters such as '{' and '}'.
Issues Resolved in Version 9.2 CR9
The 9.2 CR9 cumulative release includes the contents of CR and addresses this issue.
Note: The 9.2 CR9 release must be installed on a v9.2 Gateway.
If you have made customizations to the /opt/SecureSpan/JDK folder, back up this folder before installing 9.2 CR9. This cumulative release upgrades the JDK to 1.8.0_172 and reverts some customizations that were applied to /opt/SecureSpan/JDK. For example, removal of some /jre/lib/ext libraries and changes to the java.security file.
Using a Luna HSM?
If you did not back up java.security, you must reapply "com.safenetinc.luna.provider.createExtractableKeys=true" to java.security.
Issue
Resolution
DE288689
Enhanced the Gateway patching mechanism so that errors are reported with more detailed logging added to the logs.
DE319759
Corrected an issue where the process controller log was displaying an error "Couldn't get HOST.cpuTemp value (Couldn't get CPU temperature)".
DE331756
Applied various security updates to third party libraries.
DE333386
Corrected an issue that caused the Gateway to incorrectly report JSON structure validation errors.
DE336259
Added options to allow an empty callback value and more supported signature methods (RSA-256, RSA-512) in the Generate OAuth Signature Base String Assertion.
DE337924
Corrected a memory issue that affected Hardware Security Modules connected to the Gateway.
DE339043
Corrected the following error in the Access Resource Protected by Oracle Access Manager Assertion:
     OAM request failure: Illegal group reference
This occurred when you set "Get Session Token from" to a context variable.
DE342088
Corrected the Query LDAP Assertion to correctly parse context variable in the base DN field.
DE342376
Corrected a security issue with the Require SSH Credentials Assertion in the Gateway.
DE342952
Introduced a check box, Connection timeout, to the Route via Raw TCP Assertion. This allows you to specify the connection timeout value for socket connection.
DE343053
Introduced a check box, Skip Validation, to the Access Resource Protected by Oracle Access Manager Assertion. This allows you to disable the client IP validation check against the IP in the session token.
DE343361
Corrected an issue where authorization fails when the Idle Session Timeout value is either not enabled or set to "0" in the Authorize via CA Single Sign-On Assertion.
DE347523
Updated the Gateway so that you can prevent response processing from failing if the request URL contains "unwise" characters that violate RFC 2396, for example, special characters such as '{' and '}'.
To allow characters that violate RFC 2396 in the request URL:
  1. Open this file for editing:
    /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
  2. Add this line to the file:
    tomcat.util.http.parser.HttpParser.requestTargetAllow = {}{}\<>
    Where: '{}{}\<>' are the unwise characters to enable.
  3. Save and exit the properties file, and then restart the Gateway:
    # service ssg restart
DE353852
Corrected an issue that impacted the performance of signing JSON Web Tokens.
DE360787
Added a new option "Omit Host header" to the Route via HTTP(S) Assertion. This setting allows you to omit including a host header for HTTP/1.0.
DE361605
Removed all 3DES_EDE_CBC ciphers from the default supported cipher list by Oracle (as of JDK 1.8.0_171) for security reasons.
If you need any of these ciphers for legacy compatibility, do the following:
  1. Open the java.security file for editing.
  2. Modify jdk.tls.disabledAlgorithms to re-enable the ciphers by removing the "3DES_EDE_CBC" filter.
What happens next?
  • If you have any of the disabled ciphers selected in an existing listening port configuration, they remain selected. However, these ciphers will not work unless the jdk.tls.disabledAlgorithms setting is modified.
  • If you create a new listen port and do not see the deprecated ciphers, ensure the jdk.tls.disabledAlgorithms setting is modified and then do the following.
Perform the following to make all deprecated ciphers visible in the Policy Manager UI:
  1. Open Policy Manager.ini for editing.
  2. Add this property:
    -Dcom.l7tech.console.connector.includeAllCiphers=true
  3. Save and exit, then restart the Policy Manager (if it was running).
  4. Open the properties for your listen port and then select the SSL/TLS Settings tab. All ciphers should be visible now.
  5. Select your deprecated cipher, then save and exit.
The deprecated cipher will continue to be visible for this specific listen port even if the property in step 2 is removed.
Selecting Ciphers Elsewhere
In addition to the listen port, you can select ciphers elsewhere on the Gateway. Refer to Selecting Cipher Suites for a detailed description of other areas where you may need to also select your deprecated cipher.
DE363154
Corrected an issue that could cause the Gateway to wait indefinitely for an internal lock to clear.
DE364397
Corrected an error that occurred when switching paths in a Websocket connection.
US491695
Upgraded JDK to 1.8.0_172.
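An added example, not part of the CA documentation: the CR9 note above warns that the JDK upgrade reverts java.security customizations, and DE361605 depends on the jdk.tls.disabledAlgorithms value, so this Python script compares a backed-up java.security with the upgraded copy. Both file contents are constructed samples and the function names are hypothetical; it assumes the "key=value" form with backslash line continuations.

```python
# Added example (not vendor code): compare a backed-up java.security with the
# post-upgrade copy. Both samples below are constructed for illustration.
BACKUP = """\
# customised before 9.2 CR9 (constructed sample)
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 768
com.safenetinc.luna.provider.createExtractableKeys=true
"""
UPGRADED = """\
# after the JDK upgrade (constructed sample)
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC
"""
TLS_KEY = "jdk.tls.disabledAlgorithms"
LUNA_KEY = "com.safenetinc.luna.provider.createExtractableKeys"

def parse_properties(text):
    """Minimal key=value parser: skips comments, joins backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def algorithms(props):
    """Split the disabledAlgorithms value into a set of trimmed entries."""
    return {a.strip() for a in props.get(TLS_KEY, "").split(",") if a.strip()}

def audit(backup_text, current_text):
    old, cur = parse_properties(backup_text), parse_properties(current_text)
    return {
        # True means 3DES suites selected on a listen port will not negotiate
        "3des_disabled": "3DES_EDE_CBC" in algorithms(cur),
        # restrictions the upgrade added; each can break a legacy peer
        "newly_disabled": sorted(algorithms(cur) - algorithms(old)),
        # restrictions that existed only in the customised backup
        "no_longer_disabled": sorted(algorithms(old) - algorithms(cur)),
        # customised properties the upgrade dropped and that must be reapplied
        "lost_properties": sorted(set(old) - set(cur)),
        "luna_extractable_keys": cur.get(LUNA_KEY) == "true",
    }

if __name__ == "__main__":
    for name, value in audit(BACKUP, UPGRADED).items():
        print(f"{name}: {value}")
```

Run it against the backup taken before installing CR9 and the live file afterwards; an entry under lost_properties for the Luna key means the setting has to be reapplied.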
Issues Resolved in Version 9.2 CR10
The 9.2 CR10 cumulative release includes the contents of CR and addresses this issue.
Note: The 9.2 CR10 release must be installed on a v9.2 Gateway.
Issue
Resolution
DE361031
Corrected an issue (HSM FIPS Level 3) that caused excessive latency on the Gateway.
DE364342
Corrected an issue where XSL-Transformation might fail when a service is called with empty or invalid XML payload.
DE364397
Corrected an issue that produced an error when switching paths in a WebSocket connection.
DE364424, DE365643
Added the new pkix.crl.invalidateCrlCacheOnNextUpdate cluster property.
This property invalidates the CRL on the next update time that is embedded in the CRL. The default value of this CWP is false. Set this property to true if you do not intend to use the cached value when stale.
DE365919
Corrected an issue with the Virtual Appliance Gateway where firewall rules and listen ports were shown in the wrong order in iptables. Reordering rules in the Manage Firewall Rules task now behaves as expected.
DE366529
Corrected an issue that caused Route via HTTP assertion to throw an exception when multiple URLs are configured in the Route via HTTP assertion and all the URLs return 404 error.
DE367210
Corrected an OAuth Signature Base String Assertion issue that caused the Gateway to throw an error when the callback URL exceeded 200 characters.
DE371781
Corrected an issue that prevented Gateway from connecting to an Azure MySQL database due to the '@' special character requirement for the MySQL server admin login name (e.g., 'username@servername'). The '@' symbol is now recognized by Gateway for user names.
DE372677
Corrected an issue that caused the first line to be omitted when viewing logs from within the Policy Manager.
DE386980
Corrected a Salesforce Operation Assertion issue where Salesforce does not reflect changes when a field is updated from non-blank to blank.
US552050
Updated the JDK version to 8u192.
Note: For more information, see JDK Release Notes in Oracle documentation.