Defects Fixed in 12.52 SP1 CR02

The following defects are fixed in CA Single Sign-On 12.52 SP1 CR02:

Policy Server
The following issues are fixed in Policy Server:

| Support Case Number | Internal Defect ID | Issue Description |
|---|---|---|
| 21700397-01 | 55917 | Check boxes to select or deselect entries in the DLP Classifications list on the Application General tab in the Administrative UI are grayed out and cannot be used. |
| NA | 63022 | The KeepAgentConnections parameter does not contain options to support sending a soft or hard close when the AgentConnectionMaxLifetime timeout is reached. |
| 21779906-01 | 64440 | Attempting to add a user with multiple CNs as an administrator in the Administrative UI results in a fatal error. |
| NA | 154875 | Install Anywhere must be upgraded. |
| 21726567-01, 21945425-01 | 64886 | Administrative UI does not display certificates with non-ASCII characters. |
| NA | 72274 | WILY reports Policy Server as RED. |
| 21808252-01 | 72517 | Configuring and running the XPSCounter utility against an Active Directory User Store fails with a "Counter Service Failed" error message. |
| 21610816-01 | 73784 | The Administrative UI is imposing a limitation on the amount of data that can be managed when adding multiple Assertion Consumer Service (ACS) URLs. |
| 21848698-01 | 74494 | The Administrative UI incorrectly lists global responses under domain responses. |
| 21821071-01, 21645477-1 | 81449 | The category of the AgentInstance objects is not available in the Categories text file in the \audit\samples\ location. |
| NA | 98387 | Policy store displays the following error message in smps.log while using a CA Directory Server as a Session Store: "Unable to read object smSessionId" |
| NA | 119472 | The date on the audit report generated by the database and the report server does not match. |
| 21904716-01 | 120832 | The Policy Management API C++ sample (smpolicyapiexample.cpp) does not compile successfully. |
| 21820124-01 | 125079 | When using Password Services, the LoginFailure count resets to zero after the account is disabled due to too many login attempts. |
| 21799192-01, 21806086-01, 21773577-01 | 127127 | Setting the KeepAgentConnections registry key to allow the Policy Server to retain connections to Web Agents for more than six hours produces error 32 "No Such Object" errors. |
| 21936160-01 | 128131 | Setting EnableFailOver=0 using Hostconfig.EnableFailOver incorrectly results in enable failover being set to empty instead of no in the HCO. |
| 21926944-01 | 134424 | The Policy Server crashes when a shared secret in the store is larger than 256 bytes. |
| 21946166-01 | 135032 | Session Assurance is not configured when the Policy Server is installed in unattended mode. |
| NA | 137829 | In the Administrative UI, rules are not displayed while creating a policy under a domain. |
| NA | 138728 | Submitting a change to a domain with a large number of policies results in a delay and high CPU usage. |
| NA | 139126, 158072 | CA Single Sign-On returns smauthreason code 0 when illegal characters are found in the username. |
| 21993886-01 | 140226 | Penetration testing showed the Administrative UI is susceptible to clickjacking, also known as a UI redress attack. |
| NA | 141439 | Audit logging does not work if Postgres is used as the audit store. |
| 21888094-01, 21970626-01 | 141981 | Administrative UI displays a NullPointer Exception during the creation/modification of a workspace having an IDP partnership. |
| 21985096-01 | 143552 | For certain policy stores, the Administrative UI displays no realms when you click Policies, Domain, Realms. For these stores, the UI also throws an exception if you click the Realms tab while modifying a domain. |
| 21998742-01 | 143401 | The Administrative UI server.log displays the following error: "ERROR [root] Unable to load the cdslog4j.properties file. All Certificate Data Store error messages will be routed to the console" |
| 21900251-01 | 144051 | When using an SSL connection to the LDAP user directory, the Policy Server hangs and does not recover when the LDAP Directory Server has a network issue. |
| 22050423-01 | 144828 | If a new WSFED partnership creation operation (using the duplicate option) is canceled halfway through, existing STS Agent and STS ACO objects are deleted. |
| 21972077-01 | 145059, 144842 | If a key rollover frequency is configured (for example, every hour) and is then changed to another scheduled time (for example, Saturday at 12.00), then after a manual rollover the rollover happens more times during the same day and does not wait until Saturday as configured. |
| 22051787-1 | 147235 | When the INGROUP expression is used to search for user membership of an Application object, excessive LDAP search calls are generated. |
| NA | 146237 | Attempting to retrieve rules associated with a policy that has rules and rule groups associated with it returns an invalid error. |
| NA | 149490 | SASL bind fails if the Policy Server is using Active Directory to authenticate a user. |
| 00046619 | 150051 | The Identity Mapping Object display in the Administrative UI is distorted after being saved in the Policy Store. |
| 00040564 | 150103 | On the Domain, Policy, Users settings screen, the Administrative UI display of an LDAP Notification is incorrectly truncated at 8192 bytes. |
| NA | 150155 | When the key store is separate and multiple requests come from Web Agents to the Policy Server, some agents fail to get agent keys with the following error message in smps.log: "Policy store failed operation 'MultipleSearch' for object type 'AgentKey'" |
| 00042776 | 150449 | On the Domain, Policy, Users settings screen, the Administrative UI display of a specific Search Expression shows an incorrect LDAP Notification. The displayed Notification is actually another User Search Expression listed in the Users tab. |
| NA | 151453 | Enabling EnableAuditing and disabling IgnoreQueryData results in irrelevant audit log entries. |
| 21799192-01, 21806086-01, 21773577-01 | 153353 | Policy Store Directory Server log fills with error 32 "No Such Object" searching for "CA.SM::$AgentConnectionMaxLifetime" when that parameter is not set. |
| NA | 154967 | Users cannot log in to the Federation Security Services User Interface (FSS UI). After entering correct credentials, a "Your session may have timed out" error dialog appears and the UI closes when the error message is dismissed. |
| NA | 147257, 150174 | When an Admin UI session is allowed to idle and expire and the user then logs in again, the Policy Server crashes due to a Java exception. |
| NA | 148504 | In an environment with an LDAP user store and an ODBC user store, identity mapping with the "Universal ID" search criterion fails. |
| NA | 144576 | The smaccess.log file displays incorrect offset values for servers in certain regions. |
| NA | 155251 | The Policy Server crashes or hangs. Crashed Policy Servers restart; hung Policy Servers must be restarted. |
| NA | 144185 | The smreghost command requires an admin password to be entered as part of the command, which makes it visible in the command stack or process list. |
| NA | 145890 | An error message, displayed when the IDP is using an incorrect public key/cert for encrypting the assertion, is necessary. |
| NA | 142193 | The APS CPW embedded form does not allow autocomplete to be disabled. |
| NA | 155298 | DataDirect upgrade to version 7.1.5. |
| NA | 155275 | Upgrade of CAPKI to version 4.3.8. |
| NA | 146073 | Policy Server closes the connection with the SAP ERP Agent with a 10-second idle timeout. The idle timeout session has been made configurable. |
| NA | 135760 | Upon shutdown, the Policy Server crashes when an auth scheme is released. |
| NA | 137828 | CPU usage is high when updating a policy. |
| NA | 136522 | Deactivating a Federation Partnership and modifying the partnership removes the federated users. |

Federation
The following issue is fixed in Federation:

| Support Case Number | Internal Defect ID | Issue Description |
|---|---|---|
| NA | 157895 | The following software was upgraded in this release: OpenSSL to 1.0.10, Apache to 2.4.12, Tomcat to 7.0.59. |

SDK
The following issues are fixed in SDK:

| Support Case Number | Internal Defect ID | Issue Description |
|---|---|---|
| NA | 143456 | No message is displayed when the Policy Server runs with empty encryption keys. |
| 21897524-1 | 121336 | The Java Policy API call getAgentConfig is incorrectly case sensitive, which can prevent searches from returning expected results. For example, an Agent Configuration Object created with capital case is not returned if searched with lower case. |
| 21967501-1 | 149444 | Custom agents built using the Java Agent SDK produce "No active cluster found to process connection request" error messages. |
| NA | 128131 | SmHostConfig.get/SetEnableFailover not working as expected. |
| NA | 155275 | Upgrade of CAPKI to 4.3.8. |

Web Agent
The following issues are fixed in Web Agent:

| Support Case Number | Internal Defect ID | Issue Description |
|---|---|---|
| NA | 53246, 154235 | The Web Agent for IBM Domino is not able to display the names.nsf file properly on UNIX platforms. |
| 00045654 | 150033 | The Web Agent on an Apache web server running with a Red Hat operating system failed multiple times. |
| 21748891-01 | 71834 | The Web Agent is running on an IIS Web Server 7.5 and deployed to the default web site. A second web site is added to the web server. The agent initially processes requests correctly but then gets caught in a pattern of continuously shutting down and restarting. This cycle is repeated until the second web site is removed and the web server restarted. |
| 22007572-01 | 142331 | If the UseSecureCookies ACO parameter is set to Yes, the SAMLDataPlugin setting in the WebAgent.conf file prevents secure cookies from being set at the SP. This situation occurs when CA Single Sign-On is at the IdP and the SP in a federated partnership. |
| NA | 146137 | An Apache web server 2.4 running Linux is configured with any X.509 or advanced authentication scheme. The Web Agent is not placing SSL directives, such as SSLVerifyClient and SSLOptions, in the ssl.conf file. |
| 21819066-01 | 124667 | The existing AutoAuthorizeOptions parameter configures an agent to allow unchallenged access to resources using the OPTIONS HTTP request method only. Customer needs the ability to configure the Web Agent to allow unchallenged access to resources using a specified HTTP request method. |
| NA | 153984 | The Web Agent configuration wizard incorrectly modifies the iPlanet server.xml file. If the server.xml file contains the <client-auth-timeout> and <client-auth> subelements under the <ssl> element, the Agent replaces the <client-auth-timeout> directive with <client-auth>. The result is duplicate entries in the file and the iPlanet web server fails to start. If the server.xml file contains <ssl3-tls-ciphers> or <ssl2-ciphers> subelements, the Agent puts the <client-auth> entry inside one of the cipher entries and the iPlanet server fails to start. |
| 00039854 | 149188 | The Agent is trying to establish a connection to several Policy Servers configured in a cluster. However, when the Web Agent tries to start, an error occurs. A message indicating that the agent configuration object cannot load displays in the Apache error log. |
| NA | 145807 | The Agent blocks a request to a URL when the URL contains the character %c0%af and the ACO parameter DisAllowUTF8NonCanonical is set to No. |
| NA | 158053, 141054 | Web Agent fails to challenge a user under certain conditions, and incorrectly auto-authorizes the user request when the resource is protected by Web Agent but the Application Server grants access to it. |
| NA | 155275 | Upgrade of CAPKI to version 4.3.8. |
| NA | 150271 | Unauthorized Access Redirect URL is not redirecting the user to the expected page. |
| NA | 142045 | SAML 1.1 artifact transaction is failing at the SP side when the back channel is client cert after upgrade from R 12 SP3 CR 11 to R 12.52 SP1. |

CA Access Gateway
The following defects are fixed in CA Access Gateway:

| Support Case Number | Internal Defect ID | Issue Description |
|---|---|---|
| NA | 137367 | When SSL is enabled, CA Access Gateway does not use SSLv3 as the default SSL protocol. |
| 21633299-1 | 118900 | The Web Agent Option Pack does not ship the sax.jar, dom.jar, and namespace.jar files, but CA Access Gateway ships them. |
| 00032768 | NA | The ignoreext ACO does not function as in Web Agent when the .fcc extension is used. |
| NA | 152516 | Custom error pages for the errors thrown by the backend server are not displayed. |

Advanced Password Services
The following issues are fixed in Advanced Password Services:

| Support Case Number | Internal Defect ID | Issue Description |
|---|---|---|
| NA | 142193 | The Change Password form generated by the SmCPW.exe file in APS doesn't embed autocomplete="off", which allows browsers to auto-fill forms and password managers to prompt for saving passwords. This can be a security risk. |