Policy Server Product Limitations

This content describes Policy Server product limitations.
Unsupported Features
CA Single Sign-On does not support the following features:
  • An external administrator user store with an Administrative UI configured with WebSphere
  • SafeWord authentication scheme
  • Test Tool on Red Hat AS
  • Password services with Microsoft Active Directory Global Catalog
  • Password services with the Microsoft Active Directory 2008 fine grained password policy feature
  • Enhanced LDAP referrals with Novell eDirectory
  • Enhanced LDAP referrals, with the following exception:
    The product supports enhanced LDAP referrals only with Siemens DirX for searches and writes:
    • Password services write referrals are supported.
    • Enhanced referrals for binds, and thus authentication, are not supported.
Policy Server Limitations
The following Policy Server limitations exist:
Multiple $ is Unsupported in Encryption Key
The Encryption Key value that is configured during the Policy Server installation can contain only one $ character.
Unsupported Characters in Regular Expressions for Resource Matching
The following characters are not supported in Regular Expressions for resource matching:
  • A{n} 
  • A{n,} 
  • A{n,m}
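An added example, not part of the original documentation or the product: a Python check that scans resource-matching expressions for the three unsupported repetition forms before they are deployed. It assumes that a backslash escapes the next character and that braces inside a [...] character class are literal; the function names and sample patterns are constructed for illustration.

```python
import re

# Assumption: '\' escapes the next character and '{' inside '[...]' is a
# literal. Only the three documented forms {n}, {n,} and {n,m} are flagged.
_QUANT = re.compile(r"\{(\d+)(,(\d*))?\}")

def find_bounded_quantifiers(pattern):
    """Return (offset, text, form) for each bounded quantifier in pattern."""
    hits, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                 # escaped character: skip it and its target
            i += 2
            continue
        if in_class:
            in_class = ch != "]"       # stay in the class until it closes
        elif ch == "[":
            in_class = True
        elif ch == "{":
            m = _QUANT.match(pattern, i)
            if m and i > 0:            # a quantifier needs something to repeat
                form = ("A{n}" if m.group(2) is None
                        else "A{n,}" if m.group(3) == "" else "A{n,m}")
                hits.append((i, m.group(0), form))
                i = m.end()
                continue
        i += 1
    return hits

# Constructed sample resource patterns (not taken from any real policy store).
SAMPLE_PATTERNS = [
    "/reports/[0-9]{4}/.*",        # A{n}
    "/users/[a-z]{3,}/profile",    # A{n,}
    "/v[0-9]{1,2}/api/.*",         # A{n,m}
    "/docs/[{}]+/index\\.html",    # braces inside a class: literal
    "/tmpl/\\{1\\}/view",          # escaped braces: literal
    "/files/[0-9]+\\.pdf",         # no bounded quantifier
]

def audit(patterns):
    """Map each pattern that uses an unsupported form to its findings."""
    return {p: h for p in patterns if (h := find_bounded_quantifiers(p))}

if __name__ == "__main__":
    for pat, found in audit(SAMPLE_PATTERNS).items():
        print(pat, "->", [f"{form} at offset {off}" for off, _, form in found])
```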
RSA SecurID Authentication Schemes Are Not Supported on Red Hat Linux 7
RSA does not have an available SDK for Red Hat Enterprise Linux 7.0 for this release. The RSA SecurID authentication schemes are not available for this release on Red Hat Enterprise Linux 7.0.
However, RSA provides an SDK for Red Hat Enterprise Linux 7.1 and later. The RSA SecurID authentication schemes are available for this release on Red Hat Enterprise Linux 7.1 and later.
Performance of Request Processing may Degrade when Audit Store has Huge Data
You need to archive the audit records periodically to prevent the Audit Store from accumulating data.
Mixed Environment Can Cause Failed to Load Tunnel Service Library 'daserver' Error (177458) 
You might see the following error in the smps.log file when you upgrade the Policy Server to release 12.6.01 while CA Access Gateway is release 12.52 SP1 or a prior version:
Failed to load tunnel service library 'daserver'. System error: The specified module could not be found.
To suppress this error, do one of the following steps in the server.conf file that is located in the \secure-proxy\proxy-engine\conf folder:
  • Delete the AALoginService, Advanced Auth Application, and UI Application tags
  • Set the enable parameter to no in all three tags, as shown next:
<Context name="AALoginService">
         docBase="aaloginservice"
         path="aaloginservice"
         enable="no"
</Context>
<Context name="Advanced Auth Application">
         docBase="authapp"
         path="authapp"
         enable="no"
</Context>
<Context name="UI Application">
         docBase="uiapp"
         path="uiapp"
         enable="no"
</Context>
Closing ca-ps-config Installer Abruptly May Corrupt ca-ps-installer.properties File
Any forced or abrupt closing of the ca-ps-config installer can corrupt the ca-ps-installer.properties file. This can cause errors when you re-run the installer.
Do the following steps to resolve this issue:
  1. Replace the ca-ps-installer.properties file with the original properties file (by default, the installer creates a backup of the original file in the \SiteMinder\install_config_info\ folder).
  2. Run the ca-ps-config installer from the siteMinder\install_config_info\ location.
Error Changing Long Password When Password Services is Enabled (26942)
If the Policy Server has Password Services enabled, changing the password can fail if the old password length exceeds 160 UTF-8 octets and the new password length exceeds 160 UTF-8 octets.
Certificate Mappings Issue with Certain Policy Stores (27027, 30824, 29487)
Certificate mappings do not work when the IssuerDN field is longer than 57 characters for policy stores that are installed on the following directories:
  • Novell eDirectory
  • Active Directory
Handshake Errors with Shared Secret Rollover Enabled (27406)
In the Policy Server error log, you can see an occasional handshake error related to the shared secret, followed by a successful connection. This can occur if the shared secret rollover feature was enabled for the Web Agent communicating with the Policy Server. This behavior is expected as part of a normal shared secret rollover. You can ignore these errors.
Internal Server Error When Using SecureID Forms Authentication Scheme (39664)
When using the SecureID forms authentication scheme, if users enter their passwords incorrectly during an initial login, they are not granted access to resources despite providing correct credentials in subsequent tries. The Policy Server presents users with an internal server error and these users must restart the web browser to continue.
X.509 Client Certificate or Form Authentication Scheme Issue (39669)
The Policy Server's X.509 Client Certificate or Form authentication scheme is not working properly when using an alternate FCC location.
Certain User Name Characters Cause Authenticating or Authorizing Problems (39832)
When the Policy Server is using an LDAP user store, users with characters such as *, \, and \\ in their user names are not getting authenticated and authorized properly. For example, the Policy Server does not authenticate or authorize these sample users:
  • use*r2
  • use\r3
  • use\\r4
Active Directory Integration Enhancement For LDAP Namespace (43264, 42601)
This limitation is related to this new AD feature from 6.0 SP 2:
"Enhanced User Account Management and Password Services Integration with Active Directory (SM5504) (28460) (23347) (24047) (25816)"
When you follow the instructions in the section "Enabling Active Directory Integration Enhancement", this integration enhancement is supported only for the LDAP namespace and not the AD namespace.
Policy Server Does Not Support Roll Over of Radius Log (44398) (43729) (42348)
The Policy Server cannot roll over the radius log. Prior to the 6.0 release, you could roll over the radius log by running the smservauth -startlog command.
smnssetup Tool Deprecated (44964) (45908) (46489)
The smnssetup tool was removed from distribution in 6.0 SP 4. Use the Policy Server Configuration Wizard (ca-ps-config) to configure:
  • OneView Monitor GUI
  • SNMP support
  • Policy stores
The wizard gives you the option of using either a GUI or a console window.
Option to Create Copies of Existing Policy Server Objects
When creating Policy Server objects in the Administrative UI, you can create a copy of an existing object of the same type. However, the copy option is not available for the following objects:
  • Agent Type
  • AuthAz Directory Mapping
  • AuthValidate Directory Mapping
  • Certificate Mapping
  • User Directory
  • Application
  • Application Resource
  • Domain
  • Policy
  • Realm
  • Response
  • Response Attribute
  • Rule
  • Global Policy
  • Global Response
  • Global Rule
  • Password Policy
  • Administrator
Perl Scripting Interface Limitation
The following Perl scripting interface limitation exists:
Perl Scripting Interface and Multi-valued Agent Configuration Parameters (37850)
The Perl Scripting Interface does not support setting multi-valued Agent configuration parameters.
Japanese Policy Server Limitation
The following Japanese Policy Server limitation exists:
Agent Shared Secrets Are Limited to 175 Characters (30967, 28882)
A shared secret for a CA Single Sign-On Agent in a Japanese operating system environment can have no more than 175 characters.