Known Issues for Policy Server

This content lists Policy Server known issues, including the Administrative UI.
(Release 12.8.05) Symantec Branding is Not Displayed in OneView Monitor After In-place Upgrade
An in-place upgrade of Policy Server fails to display the latest product name and logo in OneView Monitor.
To resolve this issue, perform one of the following steps:
Important! Performing either of these steps makes OneView Monitor discard its existing custom configurations.
  • Re-configure OneView Monitor to use the Symantec branding in product name and logo.
  • Deploy sitemindermonitor.war from siteminder_installation_path\monitor to Tomcat_installation_path\webapps, and restart Tomcat.
server.log Contains Incorrect Error Logs
Administrative UI logs the following errors in the server.log file during its startup:
ERROR [stderr] (MSC service thread 1-4) ERROR StatusLogger Log4j2 could not find a logging implementation. Please add log4j-core to the classpath. Using SimpleLogger to log to the console...
ERROR [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0074: Could not find TLD /WEB-INF/tlds/c.tld
ERROR [org.apache.directory.api.ldap.model.entry.DefaultAttribute] (ServerService Thread Pool -- 70) ERR_13208_ATTRIBUTE_IS_SINGLE_VALUED The attribute 'm-description' is single valued, we can't add no more values into it
ERROR [ims.Main] (ServerService Thread Pool -- 70) alias_report_ds is not defined.
However, the error logs can be safely ignored as they do not impact the functionality of SiteMinder.
Administrative UI Does Not Function as Expected in Internet Explorer 11
When Internet Explorer 11 is used to access Administrative UI in releases up to Release 12.8.04, creation of objects such as responses, variables, rules, and rule groups fails.
Performance of SAML Signing and Encryption Transactions
SiteMinder now uses a new cryptographic library in Java. During load-driven testing in our isolated performance lab environment, we made the following observations in the SAML signing and encryption transactions:
  • When compared to the libraries of SiteMinder 12.7 or SiteMinder 12.6, the performance of this library is up to 15% slower during the transactions.
  • When compared to the libraries of SiteMinder 12.5x, the performance of this library is 50% faster during the transactions.
However, the performance changes that you experience might not be the same as what we observed in our lab environment.
Performance of Transactions if IDENTITY_MAP is Enabled
Release 12.8.02
The IDENTITY_MAP function lets you retrieve user attributes from other user directories besides the authorization user directory. You can use the function in the following configurations:
  • Domains, Policy Expressions through Variables
  • Domains, Responses
  • Named Expressions
  • Applications, Roles
  • Applications, Responses
  • Federation Partnership
During the load-driven testing in our isolated performance lab environment, we observed that the performance of a transaction is up to 14% lower when the IDENTITY_MAP function is configured in a supported configuration. This is due to the additional evaluations that are required to process the function.
However, the performance changes that you experience might not be the same as what we observed in our lab environment.
Administrative Authentication with an SSL Enabled User Directory Fails
Symptom:
The configuration of Administrative Authentication with an SSL enabled user directory fails with the following error:
An error occurred while updating the list of trusted CA certificates. Please ensure the trusted certificate you are using is valid. If the problem persists, check the error logs for additional details.
Solution:
To resolve the issue, perform the following steps:
  1. Navigate to the following location:
    Windows: administrationUI_installation_home/bin/
    UNIX: administrationUI_installation_home/bin
  2. Open the following file:
    Windows: standalone.conf.bat
    UNIX: standalone.conf
  3. Add the following lines at the end of the file:
    Windows:
    set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=changeit"
    set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit"
    set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
    set "JAVA_OPTS=%JAVA_OPTS% -Dsun.security.ssl.allowUnsafeRenegotiation=true"
    UNIX:
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"
    JAVA_OPTS="$JAVA_OPTS -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
    JAVA_OPTS="$JAVA_OPTS -Dsun.security.ssl.allowUnsafeRenegotiation=true"
  4. Save the changes.
  5. Restart Administrative UI.
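Two of the JAVA_OPTS lines in the workaround above switch off TLS protections in the JVM (endpoint identification for LDAPS, and the block on legacy renegotiation), and both keystore passwords are the JDK default. The following script is an added example, not part of the Broadcom documentation or of SiteMinder: it parses the tail of a standalone.conf or standalone.conf.bat, reports those settings, and rebuilds the JAVA_OPTS lines without the two TLS-weakening properties so an administrator can confirm whether they are still needed once the trusted-CA problem is fixed. The configuration fragments embedded in it are constructed samples.

```python
import re

# JVM system properties that, when set to these values, switch off a TLS
# protection. Both appear in the workaround above.
RISKY_PROPERTIES = {
    "com.sun.jndi.ldap.object.disableEndpointIdentification": "true",
    "sun.security.ssl.allowUnsafeRenegotiation": "true",
}
PASSWORD_PROPERTIES = ("javax.net.ssl.keyStorePassword",
                       "javax.net.ssl.trustStorePassword")
# Well-known default password of the JDK cacerts keystore.
DEFAULT_STORE_PASSWORD = "changeit"

# Constructed sample: the tail of standalone.conf (UNIX) after the workaround.
SAMPLE_UNIX_CONF = """\
# JVM memory settings
JAVA_OPTS="-Xms64m -Xmx512m"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
JAVA_OPTS="$JAVA_OPTS -Dsun.security.ssl.allowUnsafeRenegotiation=true"
"""

# Constructed sample: the same settings in standalone.conf.bat (Windows) form.
SAMPLE_WINDOWS_CONF = """\
rem JVM memory settings
set "JAVA_OPTS=-Xms64m -Xmx512m"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=changeit"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit"
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
set "JAVA_OPTS=%JAVA_OPTS% -Dsun.security.ssl.allowUnsafeRenegotiation=true"
"""

# Matches -Dkey=value; the value stops at whitespace or the closing quote.
PROP_RE = re.compile(r'-D([A-Za-z0-9_.]+)=([^\s"]*)')


def parse_java_opts(conf_text: str) -> dict:
    """Collect every -Dkey=value from JAVA_OPTS assignments; later lines win."""
    props = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.lower().startswith("rem "):
            continue  # shell or batch comment
        if "JAVA_OPTS" not in line:
            continue
        for key, value in PROP_RE.findall(line):
            props[key] = value
    return props


def find_weak_settings(props: dict) -> list:
    """Report settings that weaken the LDAPS connection or expose a default secret."""
    findings = []
    for key, risky_value in RISKY_PROPERTIES.items():
        if props.get(key, "").lower() == risky_value:
            findings.append(f"{key}={risky_value}")
    for key in PASSWORD_PROPERTIES:
        if props.get(key) == DEFAULT_STORE_PASSWORD:
            findings.append(f"{key} uses the default password")
    return findings


def minimal_unix_lines(props: dict) -> list:
    """Rebuild the UNIX JAVA_OPTS lines without the two TLS-weakening properties.

    Endpoint identification only needs to be disabled when the directory
    certificate does not match the host name in the LDAP URL, and unsafe
    renegotiation only matters for peers without RFC 5746 support, so once
    the trusted-CA problem is fixed these two lines are usually unnecessary.
    """
    kept = {k: v for k, v in props.items() if k not in RISKY_PROPERTIES}
    return [f'JAVA_OPTS="$JAVA_OPTS -D{key}={value}"'
            for key, value in sorted(kept.items())]


if __name__ == "__main__":
    for name, text in (("UNIX", SAMPLE_UNIX_CONF), ("Windows", SAMPLE_WINDOWS_CONF)):
        print(name, "findings:", find_weak_settings(parse_java_opts(text)))
    print("\n".join(minimal_unix_lines(parse_java_opts(SAMPLE_UNIX_CONF))))
```

Running it against a real file (read the file and pass its text to parse_java_opts) lists the four findings for the workaround as written; the rebuilt lines keep only the keystore and truststore passwords, which should in any case be replaced with the values actually set on the stores.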
Certificate Validation Using CDP Extensions with LDAP Directory Address Fails
Symptom:
A Certificate Distribution Point (CDP) can retrieve a Certificate Revocation List (CRL) from different repositories such as LDAP, HTTP, or HTTPS. These repositories are referenced in the CDP extension of a certificate. While the Policy Server can successfully validate CDP Extensions with HTTP, HTTPS, and LDAP URLs, it is unable to parse the extensions with LDAP directory address. This issue results in an authentication failure and denies access to the user.
Workaround:
If your certificates are using only LDAP extensions with directory address, configure it as a CRL directory in the Certificate Mapping dialog. For more information, see CRL Checking Group Box. If your certificates are using multiple CDP extensions, move the LDAP extension with the directory address to the end of the extensions list. Otherwise, the Policy Server will not parse any extensions after the LDAP directory address extension.
Certificates Import with SMKeyTool Fails
Symptom:
The SMKeyTool import option fails to import certificates that were exported from a previous SiteMinder release using the exportall command. Use one of the following solutions as applicable to your environment:
Solution 1:
If you have a Linux Policy Server connecting to an existing Oracle Policy Store, ensure that the EnableNCharSupport parameter is updated in the Policy Store DSN. For more information, see Upgrade Policy Server.
Solution 2:
If Solution 1 does not apply to you, use the XCart option of XPSExplorer to resolve the certificate import issue:
  1. Perform the following steps in your current Policy Server:
    1. Open XPSExplorer.
    2. Enter 3 for CDS Certificate.
    3. Enter S to search the XIDs.
    4. Enter X to add all XIDs to XCart.
    5. Enter Q twice to return to the previous menu.
    6. Enter X to open XCart Management.
    7. Enter N to save the XIDs in the cart as a new file, and specify a path and name for the new file in the following format:
      path/filename
      path
      Specifies the location where the file must be saved.
      filename
      Specifies the name of the file. By default, the file is saved in the .File format.
      Example: C:/certs/xids creates a file with the name xids.File in C:/certs.
    8. Enter * to return to the main menu.
    9. Enter Q to exit XPSExplorer.
    10. Execute the following command:
      XPSExport export_file -xf xids_file
      export_file
      Specifies the path to which the file with the XIDs objects must be exported.
      xids_file
      Specifies the path where the XIDs file was saved in Step 1g.
    11. When prompted, enter the passphrase that must be used to encrypt the sensitive information.
  2. On the 12.8 Policy Server, execute the following command:
    XPSImport export_file -pass passphrase
    export_file
    Specifies the path to which the XIDs objects were exported in Step 1j.
    passphrase
    Specifies the passphrase that was used to encrypt the sensitive information during the export.
Download export Option of Policy Migration API Fails in Internet Explorer
In the REST APIs interactive reference documentation, the Download export option in the Response Body of the Policy Migration API export function fails to work in Internet Explorer.
Rule and Domain Policy Creation Fails in Internet Explorer 11
Symptom:
In Internet Explorer 11, Policy Server fails to create a rule through the Rule dialog and a domain policy through the Domain Policy dialog.
Solution:
This is a known issue. As a workaround, you can perform one of the following steps:
  • Use any other supported browser.
  • Create a rule or domain policy through the Domain dialog. For information, see Realm Dialog-Rules Section.
OCSP Configuration Fails
OCSP Configuration fails to validate the certificates with OCSP responder and incorrectly marks all the certificates as revoked.
SiteMinder Wire Protocols Documentation is Not Displayed
Symptom:
When the supported SiteMinder Wire Protocols are accessed using the System DSN tab of the 64-bit ODBC Data Source Administrator dialog, the Help option within the tab fails to open the documentation.
Solution:
To view the documentation of SiteMinder Wire Protocols, navigate to sso_installation_home\bin\Help\wwhelp\wwhimpl and open the api.htm file in a web browser.
Policy Server Fails to Load Key Store
Policy Server fails to load the key store when SSL and noodle certificates are configured using the Access Gateway Administrative UI.
Domain Updates are Visible to Only One Legacy Administrator
In a domain that has multiple legacy administrators, any change such as addition or deletion of user directory is visible to only one legacy administrator. Other legacy administrators fail to see the changes.
Missing Value for SM-APS-00751
The value for SM-APS-00751 is missing in the APS.properties file.
Administrative UI fails to delete a User Directory
If CRL is enabled in a certificate mapping, Administrative UI fails to delete the associated user directory when CRL is disabled.
Large LDAP Queries are Truncated
Administrative UI truncates large LDAP query for user class in federation transactions.
Policy Server Throws Tunnel Agent Failure Message
During creation or modification of a role in Symantec Identity Manager User Console, Policy Server does not allow you to assign members who are already assigned to another role and throws the Tunnel Agent failure message.
WSS Agent Flushes with a Delay
WSS Agent flushes the user session information with a delay of 90 seconds from logout.
Browser Redirection is Incorrect in Request with AssertionConsumerServiceURL
If a request contains AssertionConsumerServiceURL, the browser is incorrectly redirected to the AssertionConsumerServiceURL value instead of the default ACS even though the Accept ACS URL in the Authnrequest value is disabled.
Encryption Key is Truncated
During the Policy Server installation, if you enter an encryption key that contains two '$' symbols, the value between the '$' symbols is truncated.
CRL Revocation Grace Period Configuration Fails
CRL Revocation Grace Period fails to work for user certificates.
Assertion Consumer Service URL is Not Marked Mandatory
The Assertion Consumer Service URL field is not marked mandatory during the configuration of Remote SP entities in Administrative UI.
Process Dump Displays Content in Unencrypted Format
The process dump intermittently displays parts of the XML responses in an unencrypted format.
XPSImport Fails when Cache Updates are Disabled
XPSImport fails when the cache updates are disabled in Administrative UI.
Certificate Parsing Fails
Certificate parsing fails intermittently when X509 and Forms authentication scheme is configured.
User Certificate Authentication Fails
When custom mapping is enabled, user certificate authentication fails if there is a mismatch in the case of the username in the certificate data and user store.
Cache Contains Deleted Objects
When objects are deleted using SDK, an object is deleted from the LDAP directory but not from the cache.
Cannot Grant Access to XPS Tools for Non-Super Users
Symptom:
A faulty security check is blocking granular access to the XPS tools for non-super users. You cannot grant access to individual XPS tools to an administrator who is not a super user.
Solution:
Grant all administrators super user privileges in the Administrative UI.
License Agreement Scroll Bar is Too Small
When you install any SiteMinder component on a Windows system, the scroll bar for the License Agreement is too small. This issue is a result of changes in the most recent updates of the Oracle JRE used by the installation kits.
Authentication Events in a Rule Apply to Entire Realm
Authentication events occur when a user accesses a resource that is protected by a rule with an OnAuth event. The Policy Server fires the rule during the authentication process. Unlike Web Agent actions or authorization events, authentication events always apply to the entire realm. You cannot create an OnAuth rule that applies to only a portion of a realm.
Advanced Password Services Forgotten Password Functionality Not Working for Multibyte Characters
The Advanced Password Services Forgotten Password Service (FPS) does not recognize multibyte characters. For example, if you attempt to enter your last name using Korean characters, you receive a message indicating that you are not a recognized user even if you are present in the user store.
Run the Administrative UI with Internet Explorer in Compatibility Mode
If you are using Internet Explorer (IE) version 9, 10, or 11 to view the Administrative UI, run the Administrative UI in IE compatibility mode. To enable compatibility mode in IE, refer to Microsoft documentation.
For example, to enable compatibility mode with IE version 11:
  1. Open Internet Explorer.
  2. From the browser menu, select Tools, Compatibility View Settings.
  3. Add the following Administrative UI URL to the list of websites:
    http://ui_host_system:port/iam/siteminder/adminui/
    ui_host_system:port is the system hosting the UI, for example system85.forwardinc.com:8080
The UI is now configured to run in compatibility mode.
Administrative UI Search Filters Are Not Working Properly
The following filtered searches in the Administrative UI are not operating properly:
  • Expiration date filter for Certificate Authorities: the search filter on or before must be the only operator that the UI provides. Expiration date is not intended to work with the search operators =, contains, ends with, and starts with.
  • OCSP Configuration and Certificate Validity filtered searches: searches for these two features are not working. These features are available under the X509 Certificate Management option.
  • Filtered searches with string comparison operators: searches that use the operators greater than, less than, less than or equal, and greater than or equal (>, <, <=, >=) are not working correctly.
Java HotSpot(TM) Client VM Warning When Running smkeytool
Valid on UNIX
Symptom:
I ran the smkeytool command, and the following warning message appeared:
Java HotSpot(TM) Client VM warning: You have loaded library /Install/siteminder/bin/thirdparty/libjsafePKCS11.so which might have disabled stack guard. The VM will try to fix the stack guard now. It's highly recommended that
you fix the library with 'execstack -c <libfile>', or link it with '-z noexecstack'.
Solution:
This message appears when using newer versions of the JRE. This message does not affect functionality and can be safely ignored.
AD LDS Directory2012 Access Error
Symptom:
Configuring an external Administrative UI store for R12.52 for AD LDS Directory2012 was throwing the following error:
WARN [com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory] (main) initCAKeyStore: No trusted CA(s) found in default trust store. If -Djavax.net.ssl.trustStore is used to specify an alternative default trust store then check that it is valid, and trustStorePassword/trustStoreType are also specified and valid.
This error was occurring because the Administrative UI and the external authorization were using different certificates.
Solution:
Follow these steps to address this issue:
  1. Add the External Authentication certificates to the trustedkeystore.jks path, using keytool (available in Java).
  2. Enter the following command:
    keytool -import -trustcacerts -alias certificate_alias -keystore "installation_home/adminui/server/default/conf/trustStore.jks" -file "location_of_certificate"
  3. Restart the Administrative UI services.
Administrative UI Displays the JavaScript Errors
Symptom:
JavaScript errors are displayed when I access a few pages such as Federation Partnership Creation and Certificate Management.
Solution:
Ensure that the operating system is updated with the latest service pack patches.
Policy Server Terminates Connection with Agents
Symptom:
The Policy Server terminates the connection with the Agents after six hours. This behavior is expected.
Solution:
This is no longer an issue. To retain the connection between the Policy Server and the Agent after six hours, create the KeepAgentConnections registry key in the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer
KeepAgentConnections
Lets the Policy Server stay connected with the Agent after six hours.
Value: 1
Administrative UI Contents Not Displaying Properly Due to Language Change
Symptom:
After you change the language for the browser, the contents of the Administrative UI still appear in the previously selected language.
Solution:
Whenever you change the language, clear the browser cache and restart the browser for the current language environment to take effect.
Post Processing Chain Value Causing OpenID Authentication Failure
Symptom:
OpenID authentication can fail after you upgrade from a version 12.5 Policy Server with the OpenID authentication scheme configured to Policy Server 12.8. The problem occurs when the value of the Post Processing Chain field for the OpenID authentication scheme is set to com.ca.sm.openid.command.StoreClaimsToContext.
Solution:
Modify the class name in the Post Processing Chain field to com.ca.sm.openid.command.StoreClaimsToContextasClaims so that the OpenID authentication scheme functions properly.
Policy Server Configuration Fails If the Supplied Database Name Contains Japanese Characters
Valid on UNIX
If the supplied Database Name value contains Japanese characters, the Policy Server Configuration Wizard fails.
Policy Server Management Console Cannot Connect to an Audit Store with a Multi-Byte Character Database Name (UNIX)
On UNIX and Linux platforms, the Policy Server Management Console fails to make a connection to an audit store if the database name contains multi-byte characters, returning Error Code-1063.
OpenID Authentication Scheme Usability Issue
Configuring the OpenID authentication scheme requires manual editing of an XML file and copying it to all Policy Servers.
STAR issue: 20777171;1
Administrative UI Behavior Confusing After Inactivity Timeout
After a period of inactivity, the Administrative UI displays a dialog that states "Session expires in 5 mins; Click 'Ok' to extend the session."
This dialog persists even after the Administrative UI session expires after 5 minutes of further inactivity. Clicking OK after this time dismisses the dialog and appears to return you to the Administrative UI. However, clicking any link or task in the Administrative UI actually results in being logged out.
ASA Agents Can Enable TCP/IP Keep-Alives
Symptom:
ASA Agents now can enable TCP/IP Keep-Alives to prevent network outages from impacting ASA operations.
Solution:
Do one of the following tasks:
  • (Windows) Create the following system environment variable with a value of 1:
    SM_ENABLE_TCP_KEEPALIVE
  • (UNIX)
    1. Create the following system environment variable:
      SM_ENABLE_TCP_KEEPALIVE=1
    2. Export the environment variable.
Note: The value must be 0 (disabled) or 1 (enabled). If a value other than 0 or 1 is configured, the environment variable is disabled. If the environment variable is disabled, the Policy Server does not send KeepAlive packets to idle Web Agent connections.
Policy Server Can Terminate When Using Novell eDirectory as the Policy Store
When using Novell eDirectory 8.8 as the policy store, the Policy Server can abnormally terminate. Broadcom and Novell are investigating the issue.
Star issue 21526251-1.
Novell ticket number 10864464047.
SAML1.1 Partnership Artifact Transaction Fails With Delegated Authentication
The SAML1.1 partnership artifact transaction fails with delegated authentication when "NAME" is used as the query parameter.
For the artifact transaction to be successful, perform one of the following two workarounds:
  • When using the TestDA application, do not enter the Service Provider ID. If the NAME query parameter was used to initiate the SAML 1 request, the TestDA application returns both NAME and CONSUMERID resulting in the failure of the artifact transaction.
  • When dealing with a specific partnership, do not mix the usage of NAME and CONSUMERID. If you want to switch, restart the servlet container.
RSA SecureID Auth Scheme Not Supported in FIPS Mode
The Policy Server in FIPS mode is not supported for the RSA SecureID HTML form authentication scheme.
DSN Names with Non-ASCII Characters Not Supported
Only English characters can be used in Data Source Names (DSN) for ODBC databases that are used as a SiteMinder user, policy, or session store.
AttributeType Not Registered Error in the Administrative UI Log
On installing the Administrative UI, the Administrative UI log shows an error message that the AttributeType has not been registered. The Administrative UI uses ApacheDS which causes this error. You can ignore this error message.
Logout Events are Not Recorded in Some Cases
The logout event is not recorded in the following scenarios:
  • When the user closes the browser instead of clicking "Logout"
  • When the session expires after a long period of inactivity
Cannot Specify Non-English Path to Install Administrative UI
You cannot specify local (non-English) characters in the installation path of the Administrative UI.
Objects that Support Only English-Language Characters
The following objects support only English-language (US-ASCII) characters:
  • All cookie names.
  • All persistent cookie names.
  • The value of the SSOZoneName Agent configuration parameter.
  • Named expressions
The smldapsetup Utility Fails
The smldapsetup utility fails in the following cases:
  • The locale of the Policy Server machine differs from the locale of the LDAP machine.
  • The LDAP administrator username contains non-English characters.
First Tab in Group Appears in Administrative UI When Switching from View to Modify
Symptom:
I was viewing an object in the Administrative UI, but after I clicked Modify, the first tab appeared instead of the tab I was viewing.
Solution:
The first tab in a group appears after clicking Modify. This behavior is expected.
OCSPUpdater Does Not Support the SHA-224 Algorithm
The OCSPUpdater used for federation certificate validity checking cannot sign OCSP requests using the SHA-224 algorithm. The updater can only sign with the SHA-256, SHA-384, and SHA-512 algorithms.
smpolicysrv_snmp.log Not Generated
If SNMP is configured for auditing and the Policy Server fails to start up, SiteMinder generates the SmStartupEvents.audit file. However, no SNMP events are generated. SiteMinder records the start-up events in the reference log file.
Browser Refresh and Back Buttons Cause Resubmission of Data
Symptom:
When you select the browser refresh or back button, the dialog where you have entered values gets resubmitted. The repeat operation puts the object that you are configuring into an invalid state.
Solution:
Avoid using the refresh and back buttons on the browser when using the Administrative UI.
Agent Discovery and IIS Web Agents
If a web agent is installed on a Microsoft IIS web server, the agent discovery feature does not identify the agent for the first time until the agent intercepts a user request and passes it to the Policy Server.
Subsequent updates to the timestamp of the agent instance are dependent on how IIS is configured. If IIS is configured to shut down idle worker processes, the timestamp is not updated until the web server receives a subsequent request.
This is expected behavior. The behavior is a result of how the IIS web server functions.
Cache Time Limit While Creating a Response Attribute
While creating a response attribute in a response group, you can configure a time for which the cache is valid. Although the Administrative UI lets you enter any value, the maximum time allowed is 3600 seconds.
Active Directory Synchronization
When integrating Microsoft Active Directory with SiteMinder, Active Directory user stores that are clustered or configured for round robin and load balancing do not synchronize correctly between each use. As a result, some fields do not behave as expected. The unexpected behavior is associated with known Active Directory synchronization limitations.
Contact Microsoft to resolve problems associated with replication and synchronization.
STAR issue: 19249325–01
Policy Server Fails to Insert Audit Events into the Audit Database
Symptom:
Under heavy load, the Policy Server can fail to insert queued audit events into the audit store. If the failure occurs, the Policy Server log (smps.log) displays the following error:
[INFO] Failed attempt to bulk insert audit message: Code: -1044. DB Code: 2
Solution:
Two registry keys determine when the Policy Server inserts audit events into the audit database: SQLBulkInsertFlushInterval and SQLBulkInsertFlushRowCount:
  • SQLBulkInsertFlushInterval determines the frequency in which the Policy Server inserts queued audit events into the audit database. The default value of this registry key is 60 seconds. If 60 seconds elapses before the value defined by the SQLBulkInsertFlushRowCount is reached, the Policy Server inserts all queued audit events into the audit database.
  • SQLBulkInsertFlushRowCount determines how many audit events occur before the Policy Server inserts audit events into the audit database. The default value of this registry key is 1,000. If 1,000 audit events are queued before the value defined by SQLBulkInsertFlushInterval is reached, the Policy Server inserts all queued audit events into the audit database.
Modify the SQLBulkInsertFlushRowCount registry key to resolve the error message. Perform the following steps:
  1. Access the Policy Server host system and do one of the following:
    (Windows) Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\Software\Netegrity\SiteMinder\CurrentVersion\Reports\NamespaceProviders.
    (UNIX) Open the sm.registry file. The default location of this file is siteminder_home/registry, where siteminder_home specifies the Policy Server installation path.
  2. Increase the value of the SQLBulkInsertFlushRowCount registry key.
  3. Increase the value to be at least twice as large as the number of audit events that were created, per second, when the error appeared in the Policy Server log.
    Example: If 1,500 audit events occurred when the error appeared, increase the value to 3,000.
  4. Do one of the following:
    (Windows) Save the registry key and exit the Registry Editor.
    (UNIX) Save the sm.registry file.
  5. Restart the Policy Server.
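To make the interaction of the two registry keys concrete, here is an added example (not code from the Broadcom documentation or from SiteMinder) that replays a constructed burst of audit-event timestamps through the two-threshold flush policy described above and applies the sizing rule from the solution. The model assumes that the interval timer starts when the first event enters an empty queue and restarts after every flush; the page does not state this, so treat the timing as illustrative.

```python
from dataclasses import dataclass

# Defaults stated in the known issue above.
DEFAULT_FLUSH_INTERVAL_S = 60
DEFAULT_FLUSH_ROW_COUNT = 1000

# Constructed sample: 1,500 audit events in the first second (a load burst),
# then two isolated events more than a minute later. Values are seconds.
SAMPLE_EVENT_TIMES = [i / 1500 for i in range(1500)] + [70.0, 71.0]


@dataclass
class Flush:
    at: float      # simulated time of the bulk insert
    rows: int      # events written in this batch
    reason: str    # "rowcount" or "interval"


def simulate_bulk_inserts(event_times, flush_interval=DEFAULT_FLUSH_INTERVAL_S,
                          flush_row_count=DEFAULT_FLUSH_ROW_COUNT):
    """Replay audit-event timestamps through the two-threshold flush policy.

    Assumption (not on the page): the interval timer starts when the first
    event enters an empty queue and restarts after every flush.
    Returns (flushes, rows_still_queued).
    """
    flushes, queued, window_start = [], 0, 0.0
    for t in sorted(event_times):
        if queued == 0:
            window_start = t
        elif t - window_start >= flush_interval:
            # SQLBulkInsertFlushInterval elapsed before the row threshold.
            flushes.append(Flush(window_start + flush_interval, queued, "interval"))
            queued, window_start = 0, t
        queued += 1
        if queued >= flush_row_count:
            # SQLBulkInsertFlushRowCount reached before the interval elapsed.
            flushes.append(Flush(t, queued, "rowcount"))
            queued = 0
    return flushes, queued


def peak_events_per_second(event_times) -> int:
    """Highest number of events falling into any one-second bucket."""
    counts = {}
    for t in event_times:
        counts[int(t)] = counts.get(int(t), 0) + 1
    return max(counts.values(), default=0)


def recommended_row_count(peak_per_second: int,
                          current=DEFAULT_FLUSH_ROW_COUNT) -> int:
    """Sizing rule from the solution: at least twice the peak per-second rate."""
    return max(current, 2 * peak_per_second)


if __name__ == "__main__":
    peak = peak_events_per_second(SAMPLE_EVENT_TIMES)
    for row_count in (DEFAULT_FLUSH_ROW_COUNT, recommended_row_count(peak)):
        flushes, left = simulate_bulk_inserts(SAMPLE_EVENT_TIMES, flush_row_count=row_count)
        print(f"row count {row_count}: {[(f.rows, f.reason) for f in flushes]}, {left} still queued")
```

With the default row count the burst is split into a 1,000-row insert during the burst and a 500-row insert when the interval expires; with the recommended 3,000 the whole burst is written in one interval-triggered insert, which is the behaviour the registry change aims for.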
Searches for Many Policy Objects (63721)
When searching on many policy objects using the Administrative UI, the connection between the Administrative UI and the Policy Server can time out and the Policy Server tunnel buffer can become corrupt. In such cases, the Administrative UI displays a connection timeout error and no search results are returned. To eliminate this problem, adjust the Administrative UI Policy Server connection timeout and create a registry key for the Policy Server tunnel buffer size.
To adjust the Policy Server connection timeout, perform the following steps:
  1. Log in to the Administrative UI.
  2. Click Administration, Admin UI, Modify Administration UI Connection, Search to open the Policy Server connection object.
  3. Select the appropriate Policy Server and click Submit.
  4. Set the Timeout field in the Advanced section to a large value, such as 2,000 seconds.
To create a registry key for the tunnel buffer size, perform the following steps:
  1. Create the following Policy Server registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\Max AdmComm Buffer Size
  2. Set this registry key to a large value, such as 2,097,000 KB.
  3. Save the changes and exit the registry.
Note: Restart the Administrative UI if these symptoms persist following the connection timeout and buffer size changes.
XPSExport Creates Read Only File (65035)
XPSExport creates read-only output XML files, which XPSImport cannot use. To correct this problem, change the permissions on the output XML file to read/write before running XPSImport.
Windows LDAP Driver Version and FIPS Support
The Policy Server and the Windows LDAP directory drivers for policy stores and user stores have a configuration limitation that is related to FIPS 140.
When a Windows Policy Server is configured for FIPS-only operation, it does not restrict SSL to FIPS-only algorithms. This behavior occurs when any of the following conditions is met:
  • The Policy Server is using LDAP over SSL for a policy store.
  • The Policy Server is using LDAP over SSL for a user store.
  • The Policy Server is using LDAP over SSL for a policy store and a user store.
Customers that must observe all FIPS 140 algorithm restrictions can modify the SSL configuration files and deploy FIPS-compliant certificates.
IPv6 ODBC Data Sources
Do not use brackets around the IP address when using IPv6 ODBC data sources or the connection fails.
Example: use fec0::9255:20c:29ff:fe47:8089 instead of [fec0::9255:20c:29ff:fe47:8089]
Note: More information about IPv6-supported databases exists in the SiteMinder Platform Support Matrix.
Searching CertSerialNumbers in a Custom Certificate Mapping Fails (59352)
Symptom:
(LDAP) The default Policy Server behavior is to treat a CertSerialNumber as a broken string of numbers. This behavior causes a custom certificate mapping to fail if the user directory stores the CertSerialNumber as an unbroken string of numbers. The Policy Server fails to lookup the user because the default LDAP search contains spaces.
Solution:
Enable the NoSpacesinCertNumbers registry setting. Enabling the registry setting causes the Policy Server to treat certificate serial numbers as an unbroken string of numbers for all serial number comparisons.
Location: HKEY_LOCAL_MACHINE/SOFTWARE/Netegrity/Siteminder/CurrentVersion/PolicyServer/NoSpacesInCertSerialNumbers
Values: 0 (disabled) 1 (enabled)
Default Value: 0
Mixed Certificate-Based Authentication Schemes (27997)
The following authentication schemes are affected by the value of the Web Agent parameter for FCC Compatibility Mode (FCCCompatMode):
  • X509 Client Cert and Form Template
  • X509 Client Cert or Form Template
Note: For more information about how FCC Compatibility Mode affects the listed authentication schemes, see Web Agent Configuration.
Password Change Fails if UserDN is Equal to or Greater Than 1024 Characters (52424)
A password change fails, and the user receives an error message prompting them to contact the Security Administrator or Help Desk, if the combination of the new password, the old password, and the user identity (which is composed of the user ID, client IP, and time stamp) is equal to or exceeds 1024 characters.
Passwords for User Accounts Stored in Active Directory Cannot Be Locked (48125)
The Policy Server continues to let users change their passwords even when the "User cannot change password" option is enabled on their Active Directory accounts; the option is not enforced for password changes made through the Policy Server.
Linux Policy Server Does Not Delete Oracle Session Store Sessions (39143)
Symptom:
A Linux Policy Server does not immediately delete sessions from an Oracle session store when the idle timeout for the realm is reached.
Solution:
The Policy Server does begin deleting the sessions shortly after the idle timeout is reached. For example, with an idle timeout of 30 minutes, the Policy Server may begin deleting sessions at 45 minutes.
Single Logout Services Log Errors if ODBC/SQLError Component Enabled (41324)
If the ODBC/SQLError component is enabled in the Policy Server trace log, Single Logout Services can cause messages such as the following to be written to the trace log:
[13:42:44.0] [CSmDbODBC.cpp:189] [CSmDbConnectionODBC::MapResult] [] [][-1] [Microsoft] [ODBC]
This message is expected behavior and can be ignored; the data is ultimately written to the session store database.
Edit or Delete Responses and Response Groups
Symptom:
Responses and response groups cannot be edited or deleted in the context of a Create Domain or Modify Domain task.
Solution:
Edit and delete responses and response groups from Policies, Domains, and then Response or Response Group, rather than from within the domain task.
Enterprise Policy Management (EPM) Limitations
Each EPM application can have multiple resources that are associated with it. However, each resource can have only one response that is associated with it.
Policy Server May Fail to Start Due to a Dynamically Updated system_odbc.ini File (55265)
Symptom:
(Linux) The Policy Server can fail to start because the system_odbc.ini file is dynamically updated.
Solution:
After installing the Policy Server, make system_odbc.ini read-only (for example, with chmod 444 on Linux) so that it is no longer rewritten.
Oracle Issues
The following Oracle issues exist:
Administrative UI and Oracle Policy Store Objects (65782)
When you change policy store objects in an Oracle policy store using the Administrative UI, the changes are effective immediately; however, they may not be visible in the Administrative UI for up to 5 minutes.
Query Timeout and Oracle User Directories (68803)
The SiteMinder Query Timeout is not supported when the Policy Server is connected to an Oracle user directory. You can encounter this limitation when the Oracle response time is slow.
Root Directories Cannot Be Protected with Oracle HTTP Server 12c (62038)
Symptom:
My Oracle HTTP Server 12c does not start. I have policies to protect a root directory (/), and rules to protect all resources within that directory (*).
Solution:
The root directories cannot be protected on an Oracle HTTP Server 12c. Change your policies and rules accordingly.
Unable to Start Symantec Directory Instance (166740)
Symptom:
Unable to start the DSA instance after sourcing the APS schema file CA_APS-eTrust80-user.dxc.
Solution:
To resolve the issue, follow these steps:
  1. Open the schema file CA_APS-eTrust80-user.dxc.
  2. Delete the line subclass-of-subschema under object-class (1.3.6.1.4.1.2552.1.1.9.1).
  3. Restart the instance.
Note:
The solution is applicable to Symantec Directory version R12 SP14 and later.
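The following Python script is an added example, not code shipped with SiteMinder or Symantec Directory. It performs the edit in the steps above on a file while keeping a backup, and removes the line only inside the object-class with the given OID rather than from every definition in the file. It assumes that an object-class definition runs from the line containing object-class (OID) to the closing brace of its { ... } block; the sample schema text embedded below is constructed to illustrate that layout and is not the real contents of CA_APS-eTrust80-user.dxc, so check the assumption against your file before use.

```python
"""Added example: remove one line from a single object-class definition in a
Symantec Directory .dxc schema file, leaving every other definition intact.
Assumption (not stated on the page): an object-class definition is delimited
by the braces that follow 'object-class (<OID>)'. Verify against your file."""
import re
import shutil
from pathlib import Path
from typing import Tuple

TARGET_OID = "1.3.6.1.4.1.2552.1.1.9.1"
TARGET_LINE = "subclass-of-subschema"

# Constructed sample; NOT the real CA_APS-eTrust80-user.dxc contents.
SAMPLE_SCHEMA = """\
schema set object-class (1.3.6.1.4.1.2552.1.1.9.0) = {
    name = smapsDummy
    subclass-of-subschema
    may-contain smapsNote
};
schema set object-class (1.3.6.1.4.1.2552.1.1.9.1) = {
    name = smapsUser
    subclass-of-subschema
    may-contain smapsLastLogin
};
"""


def remove_line_in_object_class(text: str, oid: str, line: str) -> Tuple[str, int]:
    """Return (new_text, removed_count).

    Only lines inside the braces of the object-class with the given OID whose
    stripped content equals `line` are dropped; identical lines in other
    object-classes are untouched.
    """
    header = re.compile(r'object-class\s*\(\s*' + re.escape(oid) + r'\s*\)')
    out, removed, depth, inside = [], 0, 0, False
    for raw in text.splitlines(keepends=True):
        if not inside and header.search(raw):
            inside = True
        if inside:
            if raw.strip() == line:
                removed += 1
                continue  # drop the line
            depth += raw.count('{') - raw.count('}')
            if depth <= 0 and '}' in raw:
                inside = False  # closing brace of this definition
                depth = 0
        out.append(raw)
    return ''.join(out), removed


def patch_schema_file(path: Path, oid: str = TARGET_OID, line: str = TARGET_LINE) -> int:
    """Patch the file in place after copying it to <name>.bak; return lines removed."""
    original = path.read_text()
    patched, removed = remove_line_in_object_class(original, oid, line)
    if removed:
        shutil.copy2(path, path.with_suffix(path.suffix + '.bak'))
        path.write_text(patched)
    return removed


if __name__ == '__main__':
    patched_text, count = remove_line_in_object_class(SAMPLE_SCHEMA, TARGET_OID, TARGET_LINE)
    print(f'removed {count} line(s):\n{patched_text}')
```

Run patch_schema_file(Path('CA_APS-eTrust80-user.dxc')) with the DSA stopped, confirm the .bak copy exists, then restart the instance as in step 3.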
CAPKI API Reads Certificate Serial Number Incorrectly
If a certificate serial number begins with zeroes, the CAPKI API drops the leading zeroes when it reads the serial number, so the value it returns is shorter than the serial number in the certificate.
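Both the CertSerialNumber mapping issue above (59352) and this CAPKI truncation come down to the same thing: the same serial number can be rendered with spaces, without spaces, or with its leading zero bytes dropped, and a byte-for-byte string comparison then fails. The following Python block is an added example, not SiteMinder code, that normalises the representations, compares serial numbers by integer value so that none of those differences matter, and builds an RFC 4515 LDAP filter in either the spaced or the unspaced form so you can see what the directory actually receives. It assumes that the spaced form separates hex byte pairs with single spaces and that the directory attribute is named certSerialNumber; neither detail is stated on the page, and the in-memory directory is constructed sample data.

```python
"""Added example (not SiteMinder code): make X.509 serial numbers comparable
regardless of representation, and build the LDAP filter used for a
certificate mapping lookup. Assumptions: the 'broken' form separates byte
pairs with single spaces; the attribute is named 'certSerialNumber'."""
import re
from typing import Dict, Optional

HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')


def normalize_hex(serial: str) -> str:
    """Upper-case hex with separators removed and an even digit count.
    Leading zero bytes are kept, so the store's representation survives."""
    s = serial.strip()
    if s.lower().startswith('0x'):
        s = s[2:]
    s = re.sub(r'[\s:]', '', s)
    if not HEX_RE.match(s):
        raise ValueError(f'not a hex serial number: {serial!r}')
    s = s.upper()
    return s if len(s) % 2 == 0 else '0' + s


def serial_to_int(serial: str) -> int:
    """Integer value: '00 A1 B2', '00A1B2' and 'a1b2' all give 0xA1B2."""
    return int(normalize_hex(serial), 16)


def serials_equal(a: str, b: str) -> bool:
    """Compare by value, so dropped leading zeroes and spacing do not matter."""
    return serial_to_int(a) == serial_to_int(b)


def canonical_serial(serial: str, spaced: bool = False) -> str:
    """Render unspaced ('00A1B2') or in the spaced byte-pair form ('00 A1 B2')."""
    h = normalize_hex(serial)
    if spaced:
        return ' '.join(h[i:i + 2] for i in range(0, len(h), 2))
    return h


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an LDAP assertion value."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def cert_mapping_filter(serial: str, spaced: bool, attr: str = 'certSerialNumber') -> str:
    """The search filter a certificate mapping would send. With spaced=True the
    filter carries spaces and will not match a directory that stores the
    unbroken form, which is the failure the page describes."""
    return f'({attr}={escape_filter_value(canonical_serial(serial, spaced))})'


# Constructed sample data: stored serial string -> user DN.
SAMPLE_DIRECTORY: Dict[str, str] = {
    '00A1B2C3': 'uid=alice,ou=people,dc=example,dc=com',
    '7F 00 11': 'uid=bob,ou=people,dc=example,dc=com',
}


def find_user(directory: Dict[str, str], serial: str) -> Optional[str]:
    """Look up a user comparing by integer value instead of by string."""
    wanted = serial_to_int(serial)
    for stored, dn in directory.items():
        if serial_to_int(stored) == wanted:
            return dn
    return None


if __name__ == '__main__':
    print(cert_mapping_filter('00a1b2c3', spaced=True))   # contains spaces
    print(cert_mapping_filter('00a1b2c3', spaced=False))  # matches '00A1B2C3'
    print(find_user(SAMPLE_DIRECTORY, 'A1 B2 C3'))        # alice, despite dropped 00
```

The value comparison is what you want when checking mappings by hand; the Policy Server itself only offers the string forms selected by NoSpacesInCertSerialNumbers, so make sure the chosen form matches how the directory stores the attribute.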
Clean Up Submitted Tasks Option Fails with an Error Message
Issue:
When you run the cleanup of submitted tasks from the Administrative UI, you see the following error message:
“Error: Task failed”
Workaround:
This issue occurs because the Administrative UI cannot delete the taskpersistence folder under /adminui/server/default/data/derby/siteminder/. Delete the taskpersistence folder manually.
Unable to Create Domain Policy from the Domain Policies Menu
Issue:
When you create a Domain Policy from the Domain Policies menu of Administrative UI, you see the following error message:
Error: Task failed.
Fatal: Failed to execute CreatePolicyEvent. ERROR MESSAGE: SmApiWrappedException:null
Workaround:
Follow these steps:
  1. Navigate to Policies, Domain, Domains in the Administrative UI.
  2. Select the Domain for which you want to create the Domain Policy and click the Edit icon.
  3. Select the Policies tab and click Create.
Administrative UI Throws Errors and Warnings After 12.8 Installation
Issue:
When the Administrative UI starts after installation, you see several errors and warnings:
WARN [org.jboss.as.txn] (ServerService Thread Pool -- 44) JBAS010153: Node identifier property is set to the default value. Please make sure it is unique
[org.jboss.as.server.deployment] (MSC service thread 1-4) JBAS015852: Could not index class module-info.class at /siteminder/adminui/standalone/deployments/iam_siteminder.ear/library/log4j-api-2.10.0.jar: java.lang.IllegalStateException: Unknown tag! pos=4 poolCount = 24
WARN [org.jboss.as.dependency.private] (MSC service thread 1-2) JBAS018567: Deployment "deployment.iam_siteminder.ear.config" is using a private module ("org.jboss.as.jmx:main") which may be changed or removed in future versions without notice.
ERROR [stderr] (MSC service thread 1-4) ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console. Set system property 'log4j2.debug' to show Log4j2 internal initialization logging.
ERROR [org.wildfly.extension.undertow] (MSC service thread 1-4) Could not find tld /WEB-INF/tlds/c.tld
ERROR [org.apache.directory.server.schema.registries.DefaultAttributeTypeRegistry] (MSC service thread 1-3) attributeType w/ OID 2.5.4.16 not registered!
ERROR [stderr] (MSC service thread 1-4) ScriptEngineManager providers.next(): javax.script.ScriptEngineFactory: Provider com.sun.script.javascript.RhinoScriptEngineFactory not found
ERROR [stderr] (default task-7) ScriptEngineManager providers.next(): javax.script.ScriptEngineFactory: Provider com.sun.script.javascript.RhinoScriptEngineFactory not found
Workaround:
You can continue to use the Administrative UI. There is no functional impact due to these errors.
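Messages that a page like this documents as harmless tend to be filtered out of monitoring wholesale, and a real error that appears between them is then missed. The following Python block is an added example, not part of SiteMinder, that triages log lines: it recognises the specific startup messages quoted above and the Single Logout Services ODBC trace line (41324) as known-benign, flags any other ERROR, WARN or FATAL line for review, and leaves the rest alone. The sample lines are constructed, modelled on the messages quoted on this page plus one invented error that must not be swallowed.

```python
"""Added example (not SiteMinder code): separate Administrative UI and Policy
Server log lines this page documents as harmless from everything else that
still deserves a look. Patterns come from the messages quoted on the page;
the sample log is constructed."""
import re
from typing import List, Tuple

KNOWN_BENIGN = [
    # Single Logout Services with the ODBC/SQLError trace component enabled
    r'CSmDbConnectionODBC::MapResult',
    # Administrative UI startup noise documented on this page
    r'JBAS010153: Node identifier property is set to the default value',
    r'JBAS015852: Could not index class module-info\.class',
    r'JBAS018567: Deployment .* is using a private module',
    r'StatusLogger No log4j2 configuration file found',
    r'Could not find tld /WEB-INF/tlds/c\.tld',
    r'attributeType w/ OID 2\.5\.4\.16 not registered',
    r'ScriptEngineManager providers\.next\(\).*RhinoScriptEngineFactory not found',
]
BENIGN_RE = [re.compile(p) for p in KNOWN_BENIGN]
LEVEL_RE = re.compile(r'\b(ERROR|WARN|FATAL)\b')


def classify(line: str) -> str:
    """'benign' for a documented harmless message, 'review' for any other
    ERROR/WARN/FATAL line, 'info' for everything else."""
    if any(p.search(line) for p in BENIGN_RE):
        return 'benign'
    if LEVEL_RE.search(line):
        return 'review'
    return 'info'


def triage(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (lines_to_review, lines_matched_as_benign)."""
    review = [ln for ln in lines if classify(ln) == 'review']
    benign = [ln for ln in lines if classify(ln) == 'benign']
    return review, benign


# Constructed sample: the first four are modelled on messages quoted on this
# page; the last two are invented to show an INFO line and a real failure.
SAMPLE_LOG = [
    'WARN [org.jboss.as.txn] (ServerService Thread Pool -- 44) JBAS010153: Node identifier property is set to the default value. Please make sure it is unique',
    'ERROR [org.wildfly.extension.undertow] (MSC service thread 1-4) Could not find tld /WEB-INF/tlds/c.tld',
    'ERROR [stderr] (default task-7) ScriptEngineManager providers.next(): javax.script.ScriptEngineFactory: Provider com.sun.script.javascript.RhinoScriptEngineFactory not found',
    '[13:42:44.0] [CSmDbODBC.cpp:189] [CSmDbConnectionODBC::MapResult] [] [][-1] [Microsoft] [ODBC]',
    'INFO [org.jboss.as] (Controller Boot Thread) started in 41234ms',
    'ERROR [ims.Main] (ServerService Thread Pool -- 70) Failed to open connection to policy store: connection refused',
]


if __name__ == '__main__':
    to_review, matched = triage(SAMPLE_LOG)
    print(f'{len(matched)} known-benign, {len(to_review)} to review:')
    for ln in to_review:
        print('  ', ln)
```

Feed server.log or the trace log through triage() and alert only on the review list; keep the benign list visible in a dashboard so that a change in volume still stands out.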
Administrative UI Fails to Connect to External Store Using TLS 1.2 Protocol
Issue:
Administrative UI does not support the TLS 1.2 protocol. If you try to connect the Administrative UI to an external store over TLS 1.2, the connection fails.
smauditimport Crashes in Some Cases
Issue:
smauditimport crashes the Policy Server when you import very large audit files. If administrative event logging is enabled with the Enhanced Tracing option, smauditimport can crash the Policy Server as well.
Legacy Administrator User Name is not Logged in Audit Log
Issue:
Legacy administrator user names are not logged in smaccess.log. Transactions performed by legacy administrators are recorded under the Administrative UI trusted host name instead, so smaccess.log cannot attribute those transactions to an individual legacy administrator.
Policy Server Logs Fail to Roll Over On the Day of DST Change
Issue:
The smps.log file fails to roll over on the day that DST changes. Depending on the rollover conditions that are configured, that day's entries are appended to the previous day's log file or overwrite it.
User DN is Returned in OpenID Connect access_token
Issue:
User DN is returned in the OpenID Connect access token instead of the UID.
Workaround:
If you want the UID in the access token, configure custom claims to return the UID. For more information, see Generate Custom Claims.
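After configuring custom claims, you want to confirm that the token now carries the UID and no longer exposes the directory DN (which reveals the directory layout to the relying party). The following Python block is an added example, not SiteMinder code: it decodes an access token's payload without verifying the signature, which is acceptable for inspecting a token you obtained yourself but must never be used to make an authorization decision, and reports whether each claim of interest looks like a DN or a bare identifier. The page does not say which claim carries the user identifier, so the example assumes the standard sub claim by default; the sample token it builds is unsigned and constructed purely for offline testing.

```python
"""Added example (not SiteMinder code): check whether an OpenID Connect access
token exposes a directory DN instead of a UID. Decoding is UNVERIFIED and is
only suitable for inspecting a token you already hold; never use it for
authorization. Assumes the identifier is in 'sub' unless told otherwise."""
import base64
import json
import re
from typing import Any, Dict, Iterable

# Heuristic: two or more 'attr=value' RDNs separated by commas, e.g.
# uid=alice,ou=people,dc=example,dc=com. A bare 'alice' does not match.
DN_RE = re.compile(r'^\s*[\w.-]+=[^,]+(?:\s*,\s*[\w.-]+=[^,]+)+\s*$')


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode()


def decode_jwt_unverified(token: str) -> Dict[str, Any]:
    """Return the payload of a compact JWS without checking its signature."""
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError('not a compact JWS (expected three dot-separated segments)')
    return json.loads(_b64url_decode(parts[1]))


def looks_like_dn(value: Any) -> bool:
    return isinstance(value, str) and bool(DN_RE.match(value))


def check_subject_claims(token: str, claims: Iterable[str] = ('sub',)) -> Dict[str, str]:
    """Map each claim to 'dn', 'uid' (any non-DN value) or 'missing'."""
    payload = decode_jwt_unverified(token)
    result = {}
    for claim in claims:
        if claim not in payload:
            result[claim] = 'missing'
        elif looks_like_dn(payload[claim]):
            result[claim] = 'dn'
        else:
            result[claim] = 'uid'
    return result


def make_sample_token(payload: dict) -> str:
    """Build an UNSIGNED token (alg=none, empty signature) for offline tests.
    Real access tokens are signed; this helper exists only so the check can
    run without an authorization server."""
    header = _b64url_encode(json.dumps({'alg': 'none', 'typ': 'JWT'}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f'{header}.{body}.'


if __name__ == '__main__':
    before = make_sample_token({'sub': 'uid=alice,ou=people,dc=example,dc=com', 'aud': 'app'})
    after = make_sample_token({'sub': 'alice', 'aud': 'app'})
    print('before custom claims:', check_subject_claims(before))
    print('after custom claims: ', check_subject_claims(after))
```

Run check_subject_claims() against a token issued by the test client before and after enabling the custom claim, passing the claim name you configured if it is not sub; a result of 'dn' means the directory DN is still leaving the Policy Server.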