CP-VA-140100-0005 Release Notes

These Release Notes contain the following sections:
  • Note for CA Single Sign-On (Formerly CA SiteMinder) Users
  • Defects Fixed
  • Product Enhancements
Note for CA Single Sign-On (Formerly CA SiteMinder) Users
For customers running CA Identity Manager integrated with CA Single Sign-On (formerly CA SiteMinder), follow this procedure after applying this cumulative patch:
  1. Run the following commands on each vApp node running CA Identity Manager:
    1. DisableIdmAuthFilterSecurity
    2. restart_im
    The "restart_im" command restarts CA Identity Manager on the application server node.
Defects Fixed
The following defects have been fixed in this Cumulative Patch. Each entry lists the Support Ticket, Engineering Ticket, Problem Summary, Root Cause and Additional Deployment Instructions, and Associated Risk.
Support Ticket: 00890275
Engineering Ticket: DE328463
Problem Summary: Issue with WildFly IAM REALM
Root Cause and Additional Deployment Instructions: Changed the WildFly authentication method for the logging.jsp page from basic-auth to form-based. This works around an issue with WildFly 8.2.0 where a basic-auth setting for a given realm (e.g. /iam/im/logging.jsp) causes WildFly to require credentials for ALL REALMS when HTTP requests containing basic-auth headers are received by the server.
1) After installing the hotfix, restart CA Identity Manager by running the "restart_im" command.
2) After restarting CA Identity Manager, the following changes take place:
  2.1) A "login-config" element is added to /opt/CA/wildfly-idm/standalone/deployments/iam_im.ear/user_console.war/WEB-INF/web.xml.
  2.2) The following HTML files are created in /opt/CA/wildfly-idm/standalone/deployments/iam_im.ear/user_console.war:
    2.2.1) wf_login.html - generic login page used to authenticate the user attempting to log in to the /iam/im/logging.jsp page
    2.2.2) wf_login_error.html - generic error page
  2.3) The "config" user is allowed to edit the above HTML files for customization purposes.
3) There is no longer a need to have corresponding WildFly application users defined on the IDM JBoss as documented in TEC note TEC1102637; you may now safely disable any such application users by using the sudo /opt/CA/wildfly-idm/bin/add-user.sh command.
Associated Risk: Low
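A way to verify the outcome of this change on a node, as an added example that is not code from the vApp or from WildFly: the script parses a web.xml and reports the configured auth-method and, for form-based login, the login and error pages. The two descriptor fragments embedded in it are constructed to mirror the before and after states described above; the security-constraint on /logging.jsp, the realm name and the role name are assumptions, and the descriptor the patch actually edits is the one at the path given in step 2.1.

```python
"""Check which authentication method a web.xml applies to the logging page.

Added example, not code from the vApp or WildFly: the two fragments below are
constructed to mirror the change the release note describes (basic-auth on the
realm replaced by a form-based login using wf_login.html and wf_login_error.html).
The <security-constraint> on /logging.jsp, the realm name and the role name are
assumptions. Requires Python 3.8+ for the {*} namespace wildcard.
"""
import xml.etree.ElementTree as ET

# Constructed "before" state: BASIC auth on the realm. Per the release note, on
# WildFly 8.2.0 this made any request carrying a basic-auth header trigger a
# credential prompt for every realm, not just this one.
WEB_XML_BASIC = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>logging page</web-resource-name>
      <url-pattern>/logging.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ApplicationRealm</realm-name>
  </login-config>
</web-app>
"""

# Constructed "after" state: the login-config element the patch adds, pointing
# at the generic login and error pages created in user_console.war.
WEB_XML_FORM = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>logging page</web-resource-name>
      <url-pattern>/logging.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ApplicationRealm</realm-name>
    <form-login-config>
      <form-login-page>/wf_login.html</form-login-page>
      <form-error-page>/wf_login_error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""


def login_config(web_xml):
    """Return {'auth_method', 'login_page', 'error_page'} read from a web.xml string.

    Missing elements come back as None. The {*} wildcard matches the element
    regardless of the Java EE / Jakarta namespace the descriptor declares.
    """
    root = ET.fromstring(web_xml)
    cfg = root.find("{*}login-config")
    if cfg is None:
        return {"auth_method": None, "login_page": None, "error_page": None}
    method = cfg.findtext("{*}auth-method")
    form = cfg.find("{*}form-login-config")
    return {
        "auth_method": method.strip().upper() if method else None,
        "login_page": form.findtext("{*}form-login-page") if form is not None else None,
        "error_page": form.findtext("{*}form-error-page") if form is not None else None,
    }


def uses_basic_auth(web_xml):
    """True while the realm still relies on basic-auth, the setting this defect removes."""
    return login_config(web_xml)["auth_method"] == "BASIC"


if __name__ == "__main__":
    for label, doc in (("before patch", WEB_XML_BASIC), ("after patch", WEB_XML_FORM)):
        print(f"{label}: {login_config(doc)}")
```

To check a live node, read the web.xml named in step 2.1 into a string and pass it to login_config; a result other than FORM with the two wf_login pages means the restart in step 1 has not applied the change.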
Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Problem Summary: WildFly-portal logout-strings are not applied during startup
Root Cause and Additional Deployment Instructions: None
Associated Risk: Low

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Problem Summary: Log file permissions for IDM
Root Cause and Additional Deployment Instructions: None
Associated Risk: Low

Support Ticket: N/A
Engineering Ticket: DE308531
Problem Summary: Removed the "MaxPermSize" parameter from the IG startup configuration
Root Cause and Additional Deployment Instructions: The "MaxPermSize" parameter is no longer used in JDK 8 and has no effect.
Associated Risk: Low

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Problem Summary: Cannot delete Identity Governance log files
Root Cause and Additional Deployment Instructions: Added permissions for the "config" user to the IG log directory: /opt/CA/wildfly-ig/standalone/log
Associated Risk: Low

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Problem Summary: The web-ui sometimes does not show the correct step during deployment (step 6 is shown instead of step 4)
Root Cause and Additional Deployment Instructions: None
Associated Risk: Low
Support Ticket: 00903033
Engineering Ticket: DE331023
Problem Summary: When using an external SQL Server database, the database configuration page reports that the database is not empty. The following message is displayed:
The <PRODUCT> database/schema "<database name>" is not empty - the following objects were found: * 2 user tables
Root Cause and Additional Deployment Instructions: The issue happens on Microsoft SQL Server databases 2012 and above where Extended Events tables are present. On such databases, the tables "trace_xe_action_map" and "trace_xe_event_map" are mistakenly detected as user tables by the database prerequisite test that is performed on the vApp web-ui "Configure Database" page.
Associated Risk: Medium
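The corrected emptiness test, as an added example rather than the vApp's own code: the pre-fix behaviour counts every table returned for the database, so a brand-new SQL Server 2012+ database reports "2 user tables"; the fix excludes the two engine-created Extended Events tables named above before counting. The table listings are constructed, and the product table names in the populated sample are invented.

```python
"""Emptiness check for the "Configure Database" prerequisite test on SQL Server.

Added example, not the vApp's own check: it shows the fix the release note
describes. On SQL Server 2012 and later, sys.tables lists the Extended Events
tables trace_xe_action_map and trace_xe_event_map in a brand-new database, so
an emptiness test that counts every table wrongly reports "2 user tables".
The table lists below are constructed; the product table names are invented.
"""

# Tables SQL Server itself creates in a user database (names from the release note).
SQL_SERVER_SYSTEM_TABLES = frozenset({"trace_xe_action_map", "trace_xe_event_map"})


def naive_user_table_count(table_names):
    """Pre-fix behaviour: every table in sys.tables counts as a user table."""
    return len(list(table_names))


def user_tables(table_names):
    """Post-fix behaviour: ignore the engine-created tables, return the rest sorted."""
    return sorted(t for t in table_names if t.lower() not in SQL_SERVER_SYSTEM_TABLES)


def emptiness_report(product, db_name, table_names):
    """Return (is_empty, message) in the wording the configuration page uses."""
    found = user_tables(table_names)
    if not found:
        return True, f'The {product} database/schema "{db_name}" is empty.'
    return False, (f'The {product} database/schema "{db_name}" is not empty - '
                   f'the following objects were found: * {len(found)} user tables')


# Constructed sys.tables listings: a fresh SQL Server 2012+ database, and one
# that already holds product tables (IM_USERS / IM_ROLES are made-up names).
FRESH_DB = ["trace_xe_action_map", "trace_xe_event_map"]
USED_DB = FRESH_DB + ["IM_USERS", "IM_ROLES"]

if __name__ == "__main__":
    print("naive count on fresh DB:", naive_user_table_count(FRESH_DB))
    for db in (FRESH_DB, USED_DB):
        print(emptiness_report("CA Identity Manager", "idm", db)[1])
```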
Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Problem Summary: Downgraded rsync to a CentOS-supported version. Fixed dependency issues with openssh, openssh-server, pkgconfig, xz-libs
Root Cause and Additional Deployment Instructions: None
Associated Risk: Low
Support Ticket: 00909927
Engineering Ticket: DE333298
Problem Summary: Duplicate entries in a hosts file
Root Cause and Additional Deployment Instructions: Fixed an issue where the /etc/hosts file may become corrupted in an unrecoverable manner if the system undergoes a deployment operation after a malformed custom hosts file, or a custom hosts file containing duplicate records, is loaded. This can lead to the Provisioning Server failing to start if either the "localhost" or the "ca-prov-srv" record in the /etc/hosts file is duplicated.
Associated Risk: Medium
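A pre-load check for a custom hosts file, as an added example that is not the vApp's own loader: it rejects the two conditions named above, malformed lines and duplicate records, and calls out duplicates of the two names the Provisioning Server depends on. It goes slightly beyond the note by also rejecting address fields that are not valid IPs, and it counts duplicates per address family, since an IPv4 and an IPv6 record for localhost is the normal layout rather than a duplicate. The sample files and the 10.0.0.x addresses are constructed.

```python
"""Validate a custom hosts file before it is loaded onto the appliance.

Added example, not the vApp's own loader: it catches the two conditions the
release note ties to an unrecoverable /etc/hosts on the next deployment,
malformed lines and duplicate records, and flags the two names the
Provisioning Server depends on (localhost and ca-prov-srv). The sample files
and the 10.0.0.x addresses are constructed.
"""
import ipaddress
from collections import Counter

# Names whose duplication the release note says stops the Provisioning Server from starting.
CRITICAL_NAMES = frozenset({"localhost", "ca-prov-srv"})


def parse_hosts(text):
    """Return (entries, problems): entries as (ip_address, [names]); problems as messages."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append(f"line {lineno}: malformed, expected '<address> <name> [alias ...]'")
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append(f"line {lineno}: {fields[0]!r} is not an IP address")
            continue
        entries.append((ip, fields[1:]))
    return entries, problems


def find_duplicates(entries):
    """Names defined more than once within one address family, as (name, version, count).

    An IPv4 and an IPv6 record for the same name (127.0.0.1 localhost / ::1 localhost)
    is the normal layout, so duplicates are counted per family, not per name.
    """
    counts = Counter((ip.version, name.lower()) for ip, names in entries for name in names)
    return [(name, version, n) for (version, name), n in sorted(counts.items()) if n > 1]


def validate_hosts(text):
    """Return (ok, problems); ok is True only when the file is safe to load."""
    entries, problems = parse_hosts(text)
    for name, version, n in find_duplicates(entries):
        tag = " - the Provisioning Server will fail to start" if name in CRITICAL_NAMES else ""
        problems.append(f"hostname {name!r} defined {n} times for IPv{version}{tag}")
    return not problems, problems


# Constructed sample files: a clean one, and one with a duplicate ca-prov-srv
# record, a bad address and a one-field line.
GOOD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost6
10.0.0.5    ca-prov-srv idm-node1     # constructed appliance node
"""
BAD_HOSTS = GOOD_HOSTS + """\
10.0.0.5    ca-prov-srv
300.1.1.1   bad-host
only-one-field
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        ok, problems = validate_hosts(text)
        print(f"{label}: {'OK' if ok else 'REJECTED'}")
        for p in problems:
            print("  ", p)
```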
Support Ticket: 00913103
Engineering Ticket: DE334172
Problem Summary: Folder Logs SAP access denied
Root Cause and Additional Deployment Instructions: Fixed the "configure_im_jcs_logging_permissions" command so that it also assigns permissions to sub-directories of /opt/CA/IdentityManager/ConnectorServer/jcs/logs. This command can be invoked at any time by the "config" user, and is also invoked automatically as part of the JCS startup script.
Associated Risk: Low

Support Ticket: 00898285
Engineering Ticket: DE335483
Problem Summary: Adding a server to the deployment fails on AWS platforms where the region has no default VPC defined; the "create Security Group" operation fails with error 255.
Root Cause and Additional Deployment Instructions: For regions where the default VPC was deleted and the instance is associated with a non-default VPC, insert the VPC ID into the following file before attempting to add a server to the vApp solution topology:
/opt/CA/VirtualAppliance/custom/aws-vpc-id
For example: vpc-65dce500
Associated Risk: Low
Product Enhancements
The following behaviors have been changed in this Cumulative Patch. Each entry lists the Support Ticket, Engineering Ticket, Enhancement Description, and Additional Deployment Instructions.
Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Enhancement Description: Added permission to run the loadkeys command via sudo (for changing the keyboard layout on the CLI console)
Additional Deployment Instructions: To change the keyboard layout on the CLI console, run the loadkeys command followed by the language code (e.g. us, fr, de, it).

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Enhancement Description: Display the free space usage on the "/" volume on the console after login
Additional Deployment Instructions: None
Support Ticket: 00888276
Engineering Ticket: DE331395
Enhancement Description: Support for pre-login and post-login banner
Additional Deployment Instructions:
  1. Run one or both of the following commands to edit the relevant pre/post login banner files:
    vim /opt/CA/VirtualAppliance/custom/login-prompt.pre
    vim /opt/CA/VirtualAppliance/custom/login-prompt.post
  2. Make the desired changes and save the file(s).
  3. Run the following command to apply the banner:
    configureLoginPrompt
    The following output is displayed:
    [INFO] Configuring pre-login banner
    [INFO] Configuring post-login banner
  4. Upon the next SSH or CLI login, the relevant pre and/or post banner is displayed:
    login as: config
    PRE-LOGIN BANNER TEXT
    config@<IP Address>'s password:
    Last login: <DATE> from <IP Address>
    POST-LOGIN BANNER TEXT
Support Ticket: N/A
Engineering Ticket: F59395
Enhancement Description: Support for Identity Governance login page customization
Additional Deployment Instructions: Edit the following file:
/opt/CA/VirtualAppliance/custom/IdentityGovernance/branding/login_page
After restarting Identity Governance, the changes are reflected in:
eurekify.war/WEB-INF/classes/com/eurekify/web/Login_castyles-r7.html

Support Ticket: N/A
Engineering Ticket: US415558
Enhancement Description: Native product datasource passwords for IG and IP in standalone.xml are now encrypted using native IDM encryption libraries
Additional Deployment Instructions: The product datasources are only encrypted for nodes that are deployed after this cumulative patch is installed. To have the product datasources encrypted on upgraded systems where the application node was already deployed when the cumulative patch was installed, you must run the "repair_service" command.

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Enhancement Description: Passwords for newly added custom IP datasources are now encrypted using native IDM encryption libraries
Additional Deployment Instructions: None

Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Enhancement Description: Removing unused kernel images on boot to free disk space
Additional Deployment Instructions: None
Support Ticket: INTERNAL
Engineering Ticket: INTERNAL
Enhancement Description: Identity Portal main connector may fail to start after reboot if the only CA Identity Manager node is on the same server.
Additional Deployment Instructions: Even though Identity Portal starts after CA Identity Manager in the Linux startup sequence, the identityEnv environment may not be running by the time the Identity Portal main connector starts. As a result, the main connector may fail to start and the Identity Portal user console may not be available until the operator manually starts the main connector from the Identity Portal admin UI.
The fix adds a new routine to Identity Portal's startup script, so that it waits for up to 10 minutes for the identityEnv environment to be started and then attempts to start the main connector.
The following new behavior is introduced: upon starting or restarting Identity Portal, the following text is displayed:
Starting WildFly (Portal):                                 [  OK  ]
[INFO] Waiting for Identity Portal Admin UI to start (timeout=300 seconds)
.
[INFO] Identity Portal Admin UI is started - waiting for CA Identity Manager to complete initialization (timeout=600 seconds)
................
[INFO] CA Identity Manager environment is started
[INFO] Attempting to start Identity Portal main connector (timeout=300 seconds)
[INFO] Successfully started Identity Portal main connector
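The wait-then-start pattern this routine introduces, as an added example that is not the Identity Portal startup script itself: a bounded poll for each dependency, with the same 300 s / 600 s / 300 s limits as the output above, and the main connector start attempted only once the Admin UI and the CA Identity Manager environment are both up. The readiness probes are stand-ins, and the clock and sleep are injected so the sequence, including the timeout path, can be exercised without an appliance.

```python
"""Wait for a dependency before starting a dependent service.

Added example, not the Identity Portal startup script itself: it shows the
pattern the release note introduces, polling for the Admin UI and then for the
CA Identity Manager environment with upper bounds (300 s and 600 s in the note)
and attempting to start the main connector only after both are up. The clock
and sleep are injected so the routine can be exercised without an appliance;
the readiness probes below are stand-ins, not real health checks.
"""
import time


def wait_until(ready, timeout, interval=10.0, clock=time.monotonic, sleep=time.sleep):
    """Poll ready() until it returns True or timeout seconds pass.

    Returns (succeeded, polls). The deadline is fixed from clock() up front so a
    slow probe cannot stretch the wait, the probe runs before the first sleep so
    an already-running dependency costs no delay, and the last sleep is clipped
    to the remaining time so the final poll happens exactly at the deadline.
    """
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        if ready():
            return True, polls
        now = clock()
        if now >= deadline:
            return False, polls
        sleep(min(interval, deadline - now))


def start_identity_portal(admin_ui_ready, im_ready, connector_running,
                          clock=time.monotonic, sleep=time.sleep):
    """Startup sequence from the release note; returns the final status message.

    connector_running is polled only after both dependencies are up; in the real
    script this is the point where the main connector start is attempted and
    then confirmed.
    """
    stages = [
        ("Identity Portal Admin UI", admin_ui_ready, 300),
        ("CA Identity Manager environment", im_ready, 600),
        ("Identity Portal main connector", connector_running, 300),
    ]
    for name, probe, timeout in stages:
        ok, _ = wait_until(probe, timeout, clock=clock, sleep=sleep)
        if not ok:
            return f"{name} did not start within {timeout} seconds"
    return "Successfully started Identity Portal main connector"


class FakeClock:
    """Deterministic clock for testing: sleep() advances time instead of blocking."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(admin_ui_at, im_at, connector_at=0):
    """Run the sequence against a fake clock; each service becomes ready at the given time.

    A value of None means that service never comes up. Returns (message, elapsed_seconds).
    """
    clk = FakeClock()

    def ready_at(t):
        return lambda: t is not None and clk.now >= t

    msg = start_identity_portal(ready_at(admin_ui_at), ready_at(im_at), ready_at(connector_at),
                                clock=clk, sleep=clk.sleep)
    return msg, clk.now


if __name__ == "__main__":
    print(simulate(admin_ui_at=20, im_at=45))      # IDM up at 45 s: connector starts at 50 s
    print(simulate(admin_ui_at=20, im_at=None))    # IDM never up: gives up after 600 s
```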
Support Ticket: 00912432
Engineering Ticket: DE333504
Enhancement Description: Support for deploying a DR site
Additional Deployment Instructions:
FIX #1:
The vApp now has the ability to perform a deployment without starting services. This is controlled by a flag file on the file system:
/opt/CA/VirtualAppliance/custom/dr_enabled
which should have a single line with the value "TRUE".
This functionality is mostly relevant for DR sites serving as a "hot-standby" for a primary site, with the following assumptions:
  • The following components in the DR site are continuously replicated from the primary site (external implementation by the customer or CA Services):
    • User Store
    • Provisioning Directory
    • Database
  • The DR site should not have any database-dependent services running while it is in "standby" mode:
    • IDM
    • IG
    • IP
  • Also, while in "standby" mode, the database used by the DR site is read-only.
  • The database-dependent services on the DR site start only when the DR site needs to go LIVE (at this point, the database read-only flag is removed).
FIX #2:
To support a DR setup, added permission to replace the default keystore file that is used by Identity Portal for encryption/decryption operations. This file typically resides under /opt/CA/IdentityPortal/sigma-keystore-tool/sigma.keystore.

Support Ticket: 00902144
Engineering Ticket: DE334519
Enhancement Description: IP Certification Read Timeout Error
Additional Deployment Instructions: Added a custom file that allows the Identity Portal Connector (CXF) web-client properties (e.g. timeout values) to be modified:
/opt/CA/VirtualAppliance/custom/IdentityPortal/cxf-webclient-properties.xml

Support Ticket: 00908868
Engineering Ticket: DE335361
Enhancement Description: Use a single JasperReports server for two Virtual Appliance solutions
Additional Deployment Instructions: Allows the use of a custom Jasper key for CA Identity Manager:
/opt/CA/VirtualAppliance/custom/IdentityManager/keystore
On every IDM startup, this key is copied to /opt/CA/wildfly-idm/modules/com/ca/iam/cajasper/main/ and also copied to all other IDM nodes in the solution, to the /opt/CA/VirtualAppliance/custom/IdentityManager/keystore directory.