CP-VA-140100-0005 Release Notes
These Release Notes contain the following sections:
Note for CA Single Sign-On (Formerly CA SiteMinder) Users
For customers running CA Identity Manager integrated with CA Single Sign-On (formerly CA SiteMinder), follow this procedure after applying this cumulative patch:
- Run the following command on each vApp node running CA Identity Manager:
- restart_im
The "restart_im" command restarts CA Identity Manager on the application server node.
The following defects have been fixed in this Cumulative Patch:
Root Cause and Additional Deployment Instructions
Issue with WildFly IAM REALM
Changed the Wildfly authentication method for the logging.jsp page from basic-auth to form-based.
This works around an issue in WildFly 8.2.0: once basic-auth is configured for one protected resource (e.g. /iam/im/logging.jsp), WildFly demands credentials for ALL realms whenever it receives an HTTP request that carries a basic-auth Authorization header.
1) After installing the hotfix, restart CA Identity Manager by running the "restart_im" command.
2) After restarting CA Identity Manager, the following changes will take place:
2.1) A "login-config" element is added to the /opt/CA/wildfly-idm/standalone/deployments/iam_im.ear/user_console.war/WEB-INF/web.xml.
2.2) The following HTML files are created in /opt/CA/wildfly-idm/standalone/deployments/iam_im.ear/user_console.war:
2.2.1) wf_login.html - generic login page that is used to authenticate the user attempting to log in to the /iam/im/logging.jsp page
2.2.2) wf_login_error.html - generic error page
2.3) The "config" user is allowed to edit the above HTML files for customization purposes
3) The WildFly application users that TEC note TEC1102637 required to be defined on the IDM JBoss instance are no longer needed; you may now safely disable any such application users with the sudo /opt/CA/wildfly-idm/bin/add-user.sh command.
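After the restart, a practitioner will want to confirm that the deployed web.xml really switched to form-based authentication and that the two HTML pages exist. The following script is an added example written for these notes, not code from CA or from the patch: it parses the standard Servlet <login-config> element (the realm name "ApplicationRealm" in its constructed sample is an assumption) and checks the pages under the user_console.war path given above.

```sh
#!/bin/sh
# Added example, not part of the cumulative patch: verify after "restart_im" that
# user_console.war/WEB-INF/web.xml really uses form-based authentication and that
# the login and error pages the patch creates are present. The <login-config>
# layout parsed here is the standard Servlet web.xml form, not a copy of CA's
# file; the sample files written by make_sample_war are constructed for the demo.

DEFAULT_WAR="/opt/CA/wildfly-idm/standalone/deployments/iam_im.ear/user_console.war"

# Print the <login-config>...</login-config> element of a web.xml on one line.
login_config() {
    tr -d '\n\r' < "$1" | sed -n 's/.*\(<login-config>.*<\/login-config>\).*/\1/p'
}

# Print the configured auth-method in upper case (BASIC, FORM, ...), or NONE.
auth_method() {
    m=$(login_config "$1" |
        sed -n 's/.*<auth-method>[[:space:]]*\([A-Za-z-]*\)[[:space:]]*<\/auth-method>.*/\1/p')
    if [ -n "$m" ]; then printf '%s\n' "$m" | tr '[:lower:]' '[:upper:]'; else echo NONE; fi
}

# Print the page named by <form-login-page> or <form-error-page> ($2), if any.
form_page() {
    login_config "$1" |
        sed -n "s/.*<$2>[[:space:]]*\([^<]*[^<[:space:]]\)[[:space:]]*<\/$2>.*/\1/p"
}

# check_form_login WEB_XML WAR_DIR: 0 when auth-method is FORM and both form
# pages exist under WAR_DIR; otherwise print the reason to stderr and return 1.
check_form_login() {
    webxml=$1; wardir=$2
    method=$(auth_method "$webxml")
    if [ "$method" != "FORM" ]; then
        echo "auth-method is $method, expected FORM: basic-auth on this realm makes WildFly 8.2.0 challenge every request carrying an Authorization: Basic header" >&2
        return 1
    fi
    for el in form-login-page form-error-page; do
        page=$(form_page "$webxml" "$el")
        if [ -z "$page" ]; then
            echo "missing <$el> in $webxml" >&2; return 1
        fi
        if [ ! -f "$wardir/${page#/}" ]; then
            echo "<$el> names $page but $wardir/${page#/} does not exist" >&2; return 1
        fi
    done
    echo "OK: $webxml uses FORM authentication and both form pages exist"
}

# make_sample_war DIR METHOD: write a constructed web.xml plus the two HTML pages.
make_sample_war() {
    mkdir -p "$1/WEB-INF"
    cat > "$1/WEB-INF/web.xml" <<EOF
<web-app>
  <login-config>
    <auth-method>$2</auth-method>
    <realm-name>ApplicationRealm</realm-name>
    <form-login-config>
      <form-login-page>/wf_login.html</form-login-page>
      <form-error-page>/wf_login_error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
EOF
    : > "$1/wf_login.html"
    : > "$1/wf_login_error.html"
}

# Usage: run with a WAR directory to check it (e.g. "$DEFAULT_WAR"); with no
# argument, demonstrate on a FORM sample (passes) and a BASIC sample (fails).
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    make_sample_war "$tmp/fixed" FORM
    check_form_login "$tmp/fixed/WEB-INF/web.xml" "$tmp/fixed"
    make_sample_war "$tmp/old" BASIC
    check_form_login "$tmp/old/WEB-INF/web.xml" "$tmp/old" || true
    rm -rf "$tmp"
else
    check_form_login "$1/WEB-INF/web.xml" "$1"
fi
```

On the appliance, the "config" user would run it as sh checklogin.sh /opt/CA/wildfly-idm/standalone/deployments/iam_im.ear/user_console.war after "restart_im"; a BASIC result means the patch's web.xml change has not taken effect and the all-realms challenge is still possible.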
Wildfly-portal logout-strings are not applied during startup
Log file permissions for IDM
Removed the "MaxPermSize" parameter from IG startup configuration
JDK 8 removed the permanent generation, so the "MaxPermSize" parameter is ignored (with a startup warning) and has no effect.
Cannot delete Identity Governance log files
Added permissions for the "config" user to the IG log directory: /opt/CA/wildfly-ig/standalone/log
Web-ui sometimes does not show the correct step during deployment (step 6 is shown instead of step 4)
When using External SQL Server DB - the database configuration page reports that the database is not empty. The following message is displayed:
The <PRODUCT> database/schema "<database name>" is not empty - the following objects were found: * 2 user tables
The issue occurs on Microsoft SQL Server 2012 and later databases where Extended Events tables are present.
On such databases, the tables "trace_xe_action_map" and "trace_xe_event_map" are mistakenly counted as user tables by the database prerequisite test that is performed on the vApp web-ui "Configure Database" page.
Downgraded rsync to a CentOS-supported version and fixed dependency issues with openssh, openssh-server, pkgconfig and xz-libs.
Duplicate entries in a host file
Fixed an issue where the /etc/hosts file may become corrupted in an unrecoverable manner if the system undergoes a deployment operation after a malformed custom hosts file, or a custom hosts file containing duplicate records, is loaded.
This can lead to the Provisioning Server failing to start if either the "localhost" or the "ca-prov-srv" records in the /etc/hosts file are duplicates.
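The following script is an added example, not part of the patch or of the vApp: it detects duplicate records in a hosts file before such a file is loaded, calling out the "localhost" and "ca-prov-srv" names the Provisioning Server depends on, and prints a deduplicated copy. The sample hosts records it uses are constructed.

```sh
#!/bin/sh
# Added example, not part of the patch: check a hosts file for the duplicate
# records that can corrupt /etc/hosts during a deployment, and print a copy in
# which each hostname keeps only its first record. The file written by the
# demo below is constructed; "localhost" and "ca-prov-srv" are the two names
# the notes say the Provisioning Server needs to resolve exactly once.

# Print each hostname or alias that appears on more than one record.
duplicate_hosts() {   # $1 = hosts file
    awk '
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # need an address and at least one name
        { for (i = 2; i <= NF; i++) if (++seen[$i] == 2) print $i }
    ' "$1"
}

# Return 0 when the file is safe to load, 1 if any hostname is duplicated;
# duplicates of the names the Provisioning Server depends on are marked FATAL.
check_hosts() {   # $1 = hosts file
    dups=$(duplicate_hosts "$1")
    [ -z "$dups" ] && return 0
    for h in $dups; do
        case $h in
            localhost|ca-prov-srv)
                echo "FATAL: duplicate '$h' record in $1 - Provisioning Server would fail to start" >&2 ;;
            *)  echo "duplicate record for '$h' in $1" >&2 ;;
        esac
    done
    return 1
}

# Print a copy of the file where a name survives only on the first record that
# carries it; records left without names are dropped. Comments and blank lines
# pass through unchanged, and trailing comments stay on their record.
dedupe_hosts() {   # $1 = hosts file
    awk '
        /^[[:space:]]*(#|$)/ { print; next }
        {
            c = ""
            if (match($0, /#.*/)) { c = " " substr($0, RSTART); $0 = substr($0, 1, RSTART - 1) }
            out = $1
            for (i = 2; i <= NF; i++) if (!seen[$i]++) out = out "\t" $i
            if (out != $1) print out c
        }
    ' "$1"
}

# Usage: "sh hostscheck.sh /etc/hosts" checks a real file; with no argument a
# constructed sample with a duplicated localhost record is checked and cleaned.
if [ $# -eq 0 ]; then
    sample=$(mktemp)
    printf '127.0.0.1 localhost\n10.0.0.5 ca-prov-srv\n127.0.0.1 localhost\n' > "$sample"
    check_hosts "$sample" || { echo "--- deduplicated copy:"; dedupe_hosts "$sample"; }
    rm -f "$sample"
else
    check_hosts "$1"
fi
```

Running check_hosts against a custom hosts file before loading it is the cheap guard; dedupe_hosts keeps the first record for each name on purpose, because a later record is the one an operator most likely appended by mistake.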
Folder Logs SAP access denied
Fixed the "configure_im_jcs_logging_permissions" command so that it also assigns permissions to
This command can be invoked at any time by the "config" user, and is also invoked automatically as part of the JCS startup script.
Adding a server to the deployment fails on AWS platforms where the region has no default VPC defined - the "create Security Group" operation fails with error 255.
For regions where the default VPC was deleted and the instance is associated with a non-default VPC, you should insert the VPC ID into the following file before attempting to add a server to the vApp solution topology:
For example: vpc-65dce500
The following behaviors have been changed in this Cumulative Patch:
Additional Deployment Instructions
Added permission to run the loadkeys command via sudo (for changing the keyboard layout on the CLI console)
To change the keyboard layout on the CLI console, run the loadkeys command (via sudo) followed by the keymap name (e.g. us, fr, de, it)
Display the free space usage on the "/" volume on the console after login
Support for pre-login and post-login banner
Support for Identity Governance login page customization
Edit the following file:
After restarting Identity Governance, the changes will be reflected in:
Native product datasource passwords for IG and IP in standalone.xml are now encrypted using native IDM encryption libraries
The product datasources are only encrypted for nodes that are deployed after this cumulative patch is installed.
To have the product datasources encrypted on an upgraded system where the application node was already deployed when the cumulative patch was installed, run the "repair_service" command.
Passwords for newly added custom IP datasources are now encrypted using native IDM encryption libraries
Removing unused kernel images on boot to free disk space
Identity Portal main connector may fail to start after reboot if the only CA Identity Manager node is on the same server.
Even though Identity Portal starts after CA Identity Manager in the Linux startup sequence, the identityEnv environment may not yet be running by the time the Identity Portal main connector starts.
As a result, the main connector may fail to start, and the Identity Portal user console may not be available until an operator manually starts the main connector from the Identity Portal admin UI.
The fix adds a new routine to Identity Portal's startup script so that it waits for up to 10 minutes for the identityEnv environment to be started, and then attempts to start the main connector.
The following new behavior is introduced:
Starting WildFly (Portal): [ OK ]
[INFO] Waiting for Identity Portal Admin UI to start (timeout=300 seconds)
[INFO] Identity Portal Admin UI is started - waiting for CA Identity Manager to complete initialization (timeout=600 seconds)
[INFO] CA Identity Manager environment is started
[INFO] Attempting to start Identity Portal main connector (timeout=300 seconds)
[INFO] Successfully started Identity Portal main connector
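The wait-with-timeout routine the fix describes can be modelled as a small shell function. The script below is an added example and not the Identity Portal startup script itself; the HTTP URL used by im_env_ready is an assumption, and probe_after is a constructed probe so the routine can be run offline.

```sh
#!/bin/sh
# Added example, not the Identity Portal startup script itself: a generic
# "poll a probe until it succeeds or a timeout expires" routine of the kind the
# fix describes, matching the 300/600-second waits in the log lines above.
# The URL in im_env_ready is an assumption; probe_after is a constructed probe
# so the routine can be exercised without a running appliance.

# wait_for NAME TIMEOUT INTERVAL PROBE [ARGS...]
# Run PROBE every INTERVAL seconds until it exits 0 or TIMEOUT seconds elapse.
# Returns 0 when the probe succeeded, 1 on timeout; the caller decides whether
# startup continues, which is what the Portal script must do if IM never comes up.
wait_for() {
    name=$1; timeout=$2; interval=$3; shift 3
    echo "[INFO] Waiting for $name (timeout=$timeout seconds)"
    elapsed=0
    while ! "$@"; do
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "[WARN] $name is not started after $timeout seconds" >&2
            return 1
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "[INFO] $name is started"
}

# Hypothetical readiness probe: 0 once the IM environment answers over HTTP.
# The default URL is an assumption, not a documented endpoint.
im_env_ready() {
    curl -s -f -o /dev/null "${IM_URL:-http://localhost:8080/iam/im/}"
}

# Constructed probe for the demo: succeeds on the Nth call, counting calls in
# a file so the count survives the subshells a probe may run in.
probe_after() {   # $1 = counter file, $2 = calls needed before success
    n=$(cat "$1" 2>/dev/null || echo 0)
    n=$((n + 1)); echo "$n" > "$1"
    [ "$n" -ge "$2" ]
}

# Demo on the constructed probe: ready on the third poll, one second apart.
# A real startup script would chain the three waits from the log above, e.g.
#   wait_for "CA Identity Manager environment" 600 10 im_env_ready
if [ $# -eq 0 ]; then
    counter=$(mktemp); rm -f "$counter"
    wait_for "demo service" 5 1 probe_after "$counter" 3
    rm -f "$counter"
fi
```

The timeout is checked before each sleep rather than after, so a probe that never succeeds with a timeout of 0 returns immediately instead of sleeping once; a probe that exits 0 on its first call never sleeps at all.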
Support for deploying a DR-site
The vApp can now perform a deployment without starting services. This is controlled by a flag file on the file system:
/opt/CA/VirtualAppliance/custom/dr_enabled
The file should contain a single line with the value "TRUE".
This functionality is mostly relevant for DR sites serving as a "hot-standby" for a primary site, with the following assumptions:
To support a DR setup, added permission to replace the default keystore file that Identity Portal uses for encryption/decryption operations; this file typically resides under
IP Certification Read Timeout Error
Added a custom file that allows modifying Identity Portal Connector (CXF) web-client properties (e.g. timeout values):
Use a single JasperReports server for two Virtual Appliance solutions
Allowing the use of a custom Jasper key for CA Identity Manager:
/opt/CA/VirtualAppliance/custom/IdentityManager/keystore
On every IDM startup, this key is copied to /opt/CA/wildfly-idm/modules/com/ca/iam/cajasper/main/ and also copied to all other IDM nodes in the solution to the