CP-VA-140100-0002 Release Notes

These Release Notes contain the following sections:
Defects Fixed
The following defects have been fixed in this Cumulative Patch:

Support Ticket: 00802218
Engineering Ticket: DE308535
Problem Summary: Email Branding - missing permissions on EurekifyBaseWebApplication_en.properties
Root Cause and Additional Deployment Instructions: Granted the following permissions for /opt/CA/wildfly-ig/standalone/deployments/eurekify.war/WEB-INF/classes/com/eurekify/web/application/EurekifyBaseWebApplication_en.properties: -rw-rw-r-- 1 wildfly config
Associated Risk: Low

Support Ticket: 00806644
Engineering Ticket: DE308762
Problem Summary: vApp 14.1 ova hangs on bootup
Root Cause and Additional Deployment Instructions: Fixed a bug in a startup script which caused the machine to hang on the second boot if the first-time CLI-based initialization process was terminated prematurely (normally by a disk resize that requires a reboot).
Associated Risk: Low

Support Ticket: 00827500
Engineering Ticket: DE312763
Problem Summary: Unable to update the sm_web_agent_name file unless IDM is restarted
Associated Risk: Low

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Problem Summary: Removing the Central Log Server component stops the rsyslog daemon
Associated Risk: Low

Support Ticket: INTERNAL
Engineering Ticket: DE316014
Problem Summary: VApp Permissions for DX - Identity Portal resources and DX repo folders are not writeable by the "config" user after making modifications from the Admin UI
Root Cause and Additional Deployment Instructions:
  1. Allowed the AdminUI (user: wildfly) write access to /opt/CA/IdentityPortal/dxrepo
  2. Allowed "config" to create directories under /opt/CA/VirtualAppliance/custom/IdentityPortal
  3. Directory permissions for subdirectories of /opt/CA/VirtualAppliance/custom/ are reset after a server reboot - fixed.
  4. Added Custom DX repo well-known location with proper permissions for the "config" and "wildfly" users: /opt/CA/VirtualAppliance/custom/IdentityPortal/dxrepo_custom
Associated Risk: Low

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Problem Summary: Identity Portal configurations import (mainly a Connector) fails during deployment in slow environments
Root Cause and Additional Deployment Instructions: Increased timeout from 5 to 10 minutes
Associated Risk: Low

Support Ticket: 00763341
Engineering Ticket: DE307687
Problem Summary: In an IDM cluster setup, Admin Tasks submitted while a member node is powered off stay in "In Progress" state until the node is powered on
Root Cause and Additional Deployment Instructions: Added the following parameters in /opt/CA/wildfly-idm/standalone/configuration/ca-standalone-full-ha.xml:
    <reconnect-attempts>3</reconnect-attempts>
    <use-duplicate-detection>true</use-duplicate-detection>
    <forward-when-no-consumers>false</forward-when-no-consumers>
Associated Risk: Low

Support Ticket: 00814528
Engineering Ticket: DE310469
Problem Summary: Deployment fails with error "Connector Server does not accept connections after 120 seconds"
Root Cause and Additional Deployment Instructions: This happens on systems where the Connector Server Admin UI startup takes longer than 120 seconds. Increased the timeout to 600 seconds (10 minutes).
Associated Risk: Low

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Problem Summary: The external database status is not shown on the vApp dashboard page if CA Identity Manager is not deployed
Associated Risk: Low

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Problem Summary: During the first deployment from the vApp 14.1 OVA, the CA Identity Manager Management Console password may not be set on the external database in slow environments due to a timeout when running the IDM Password Tool.
Root Cause and Additional Deployment Instructions: Increased pwdtools timeout from 10 to 30 seconds (for operations that are performed by the vApp platform only)
Associated Risk: Low

Support Ticket: 00830652
Engineering Ticket: DE314241
Problem Summary: IDM Connector on IP fails to start in environments where a web service call from IDM does not receive a response within 60 seconds
Root Cause and Additional Deployment Instructions: Increased vApp embedded Proxy timeout to 30 minutes. Allowed customization of the proxy timeout using the file: /opt/CA/VirtualAppliance/custom/vapp_proxy_timeout
Associated Risk: Low

Support Ticket: 00851801
Engineering Ticket: INTERNAL
Problem Summary: Cannot deploy a Provisioning Server component after installing Identity Manager cumulative patch 1 for 14.1 (CP-IMV-140100-0001.tgz.gpg)
Root Cause and Additional Deployment Instructions: To work around an issue with the 14.1-IM-CP1 patch, added a custom hook to the Provisioning Server startup script that automatically assigns execute permissions to /opt/CA/IdentityManager/ProvisioningServer/bin/imps whenever the service is started.

Product Enhancements
The following behaviors have been changed in this Cumulative Patch:

Support Ticket: INTERNAL
Engineering Ticket: CES86124
Enhancement description: Allow syslog forwarding of O/S logs from any node (and not simply from Central Log Server nodes)
Additional Deployment Instructions: Added permission to use a custom syslog file /etc/rsyslog.d/rsyslog-custom.conf on all nodes

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Enhancement description: Removing a vApp-based Connector Server does not automatically unregister it from the Provisioning Directory.
Additional Deployment Instructions: Automatically unregistering any "orphan" connector servers during every deployment

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Enhancement description: Added support for removing a service from the file-system
Additional Deployment Instructions: Added new alias: remove_service

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Enhancement description: Support for modifying logging.properties (log4j configuration) for Wildfly-based products to overwrite the default logging rotation policies for the server log file (server.log)
Additional Deployment Instructions: Added permission to edit the logging.properties file for IDM, IP and IG (the file is in /opt/CA/wildfly-<PRODUCT>/standalone/configuration/)

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Enhancement description: Support for configuring permissions for JCS log files for the "config" user that may be arbitrarily written during JCS runtime, without the need to restart JCS
Additional Deployment Instructions: Added new alias: configure_im_jcs_logging_permissions

Support Ticket: 00828323
Engineering Ticket: DE312954
Enhancement description: Support for Legacy reports branding (viewer.war)
Additional Deployment Instructions: Converted the legacy reports application (viewer.war) file to a directory and assigned write permissions on the following files to the config user:
  • /opt/CA/wildfly-ig/standalone/deployments/viewer.war/shared/resources/circleca.png
  • /opt/CA/wildfly-ig/standalone/deployments/viewer.war/shared/resources/LogoCustomerNewSmall.bmp
  Note: these files are also symlinked on /opt/CA/VirtualAppliance/custom/IdentityGovernance/branding/

Support Ticket: 00838301
Engineering Ticket: DE315124
Enhancement description: Firewall Details in Virtual Appliance - Added support for custom firewall configuration
Additional Deployment Instructions: Added support for modifying a custom firewall configuration file: /opt/CA/VirtualAppliance/custom/iptables-firewall-configuration

Support Ticket: INTERNAL
Engineering Ticket: F20715/US382208
Enhancement description: Support for Wildfly HTTPS listener and SSL certificates for IDM, IP and IG
Additional Deployment Instructions: The following certificates and ports are used by the various applications:

| Application | HTTPS Port | Certificate location |
|---|---|---|
| Identity Manager | 8443 | /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv |
| Identity Portal | 8444 | /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caip-srv |
| Identity Governance | 8445 | /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caig-srv |

  • On every service restart:
    1. Self-signed certificates for each Wildfly application instance (IDM, IP, IG) are automatically generated in /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/
       Note: If a certificate already exists in the directory, a new certificate will not be created and the existing certificate will be retained.
    2. The certificate is automatically imported into the server's Java key-store.
      • The Java key-store is unique per server and there is no synchronization of key-store data between hosts.
      • The certificates can be replaced with custom certificates (a restart of the service is required).
Enabling the HTTPS listener in standalone.xml
  • The following blocks are required in each application's standalone.xml configuration file in order for the HTTPS listener to be enabled (utilizing the certificate):
    <!-- Undertow subsystem, inside the <server> element -->
    <https-listener name="https" socket-binding="https" security-realm="WebSslRealm"/>

    <!-- Management section, inside <security-realms> -->
    <security-realm name="WebSslRealm">
      <server-identities>
        <ssl>
          <!-- Identity Manager keystore shown; Identity Portal and Identity Governance use caip-srv and caig-srv -->
          <keystore path="/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv" .../>
        </ssl>
      </server-identities>
    </security-realm>
The above configuration changes in standalone.xml are applied as follows:
  • The changes take place automatically for any new application nodes (IDM, IG or IP) that are deployed after the patch was installed.
  • The changes take place automatically for existing IDM nodes as part of the patch installation.
  • For existing IG and IP nodes: you must manually run the "repair_service" command.
    Note: before running the repair_service command, you must back up any custom application-related files located on the file-system. Contact CA support or refer to the Administration Guide for more details on using the repair_service command.
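
A post-patch check for the HTTPS listener blocks described above, useful on existing IG and IP nodes where the change is not applied automatically. This is an added example, not part of the original release notes or the vendor's tooling; the function names, finding strings and the embedded sample standalone.xml (including its namespace versions and nesting) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CERT_DIR = "/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/"
# Keystore file name per application, from the table in the release notes.
KEYSTORES = {"IDM": "caim-srv", "IP": "caip-srv", "IG": "caig-srv"}

# Constructed sample: a trimmed standalone.xml for an Identity Portal node.
# Namespace versions and element nesting are assumptions for illustration.
SAMPLE_IP = """<server xmlns="urn:jboss:domain:4.0">
  <management><security-realms>
    <security-realm name="WebSslRealm"><server-identities><ssl>
      <keystore path="/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caip-srv"/>
    </ssl></server-identities></security-realm>
  </security-realms></management>
  <profile><subsystem xmlns="urn:jboss:domain:undertow:3.0"><server name="default-server">
    <https-listener name="https" socket-binding="https" security-realm="WebSslRealm"/>
  </server></subsystem></profile>
</server>"""

def _find_all(root, name):
    """Match on local tag name so the check is independent of schema version."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def audit_https_listener(xml_text, product):
    """Return findings; an empty list means the listener uses the expected keystore."""
    # Intended for the local, admin-owned config file, not for untrusted XML.
    root = ET.fromstring(xml_text)
    listeners = _find_all(root, "https-listener")
    if not listeners:
        return ["no https-listener defined"]
    realms = {el.get("name"): el for el in _find_all(root, "security-realm")}
    expected = CERT_DIR + KEYSTORES[product]
    findings = []
    for listener in listeners:
        realm_name = listener.get("security-realm")
        realm = realms.get(realm_name)
        if realm is None:
            findings.append(f"https-listener references undefined realm {realm_name!r}")
            continue
        paths = [ks.get("path") for ks in _find_all(realm, "keystore")]
        if not paths:
            findings.append(f"realm {realm_name!r} has no keystore")
        findings += [f"unexpected keystore path {p!r}" for p in paths if p != expected]
    return findings

if __name__ == "__main__":
    print(audit_https_listener(SAMPLE_IP, "IP"))   # correctly wired node
    print(audit_https_listener(SAMPLE_IP, "IDM"))  # wrong keystore for the product
```

A "no https-listener defined" finding on an existing IG or IP node indicates that repair_service has not yet been run there.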