Layer7 Access Management

Latest Knowledge Base Articles for Single Sign-On (Formerly CA SiteMinder) [29/7/2016]

By Ujwol posted 07-29-2016 01:40 AM

  

Hello CA Single Sign-On Community Users,

 

Please find below the list of the latest Knowledge Base Articles for Single Sign-On (Formerly CA SiteMinder) published or updated since 22nd June 2016 for your reference:

 

'AgentDiscoveryEnabled' Not Available in XPSConfig After Upgrading.
The Policy Server was upgraded to CA Siteminder r12.51 CR08 in order to take advantage of the ability to disable Agent Discovery. This feature was introduced in r12.51 CR07. 'DisableAgentDiscovery' isn't present in XPSConfig after upgrade.
Last Update: 7/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1541845

FSS AdminUI 500 error
After configuring the webagent on linux machine the new FSS UI is not working and getting 500 internal server error.
Last Update: 7/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1887042

CA SSO r12.52 Reports are not Opening When Being Viewed
Using CA SSO r12.52 Report Server, when attempting to View a report which has already been generated, the page shows empty and the report is not returned.
Last Update: 7/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1925365

Restart Policy Server when you update sm.registry file.
This article explains the required restart of Policy Server when changing value in sm.registry on Linux.
Last Update: 7/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1696518

CA Siteminder Vulnerabilities CVE-2015-6853 & CVE-2015-6854
CVE-2015-6853 & CVE-2015-6854: A remote attacker can make a request that could result in a crash or the disclosure of sensitive information.
Last Update: 7/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1552755

ODBC Policy Store restrictions
When migrating an LDAP Policy Store to PostgreSQL, XPSImport encountered an error because the AgentName length was over 4000 characters.
Last Update: 7/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1859089

In order for the Web Agent to work properly on the Oracle HTTP Server, the necessary environment variables need to be set.
Modify the ohs.plugins.nodemanager.properties and add the environment variables
Last Update: 7/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1832669

Configuring specific authentication schemes on the Web Agent on an Oracle HTTP Server requires specific SSLVerifyClient settings.
1. Change the value of the SSLVerifyClient directive from within the httpd.conf used by the Oracle HTTP Server to the necessary value: a. SSLVerifyClient optional b. SSLVerifyClient required
Last Update: 7/26/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1563022

Configuring Cert and Form authentication scheme using the Web Agent configuration wizard does not throw an error, however the scheme does not work.
CA Single Sign-On Web Agent for Apache on IBM IHS(HTTP) server Cert and Form auth scheme does not work.
Last Update: 7/26/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1923838

How to correct the error message, “Syntax error on line 974 of /opt/IBM/HTTPServer/conf/httpd.conf: SSL0331W: Invalid argument for SSLClientAuth: require".
“Syntax error on line 974 of /opt/IBM/HTTPServer/conf/httpd.conf: SSL0331W: Invalid argument for SSLClientAuth: require (null). The 1st value must be 0, 1, 2, none, optional, required, or required_reset”
Last Update: 7/26/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1639554

How to correct this error message, "Syntax error on line 975 of /opt/IBM/HTTPServer/conf/httpd.conf: Invalid command 'SSLOptions"
Syntax error on line 975 of /opt/IBM/HTTPServer/conf/httpd.conf: Invalid command 'SSLOptions', perhaps misspelled or defined by a module not included in the server configuration
Last Update: 7/26/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1234981

About DisAllowUTF8NonCanonical in ACO parameter.
When I request to WebAgent with URL contained encoding data, WebAgent rejects my request because of 403 error.
Last Update: 7/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1698396

Dynamic Policy Server Cluster support with Application Server Agents
Can the "enableDynamicHCO" parameter be defined for the Application Server Agents in their SmHost.conf files to implement the Dynamic Policy Server Clusters?
Last Update: 7/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1384387

JBoss physical memory is growing.
JBoss physical memory size is huge , because dat files under adminui_install/server/default/data/derby/siteminder/taskpersistance/seg0 are increasing.
Last Update: 7/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1524751

About "Flash All" command in AdminUI.
By "Flash All" command in AdminUI, which caches are cleared ?
Last Update: 7/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1392185

The sequence of Cookie Provider structure in use of Form Authentication.
Is there some Cookie Provider sequence in use of Form Authentication ?
Last Update: 7/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1701466

R12.52SP2 WAMUI didn't install as Windows service when the install path is D:\
WAMUI service is not installed as a Windows service after installation completes
Last Update: 7/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1209297

Unable to start RedHat Apache 2.4 (on RHEL 7 64-bit)
Your Apache 2.4 fails to start with the ca sso web agent installed
Last Update: 7/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1306032

How to configure Autosweeper using XPSConfig
Instructions on how to configure Autosweep using XPSConfig.
Last Update: 7/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1449256

Password Services and Active Directory Global Catalog support Trigger unexpected behavior
Last Update: 7/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1188463

Manually uninstall IIS web agent
Provide steps on how to manually uninstall IIS web agent if uninstaller didn't work
Last Update: 7/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1904547

About SQL schema in case of Authenticating user.
When is the timing of "AuthAttempt" and "AuthReject" in smaccess.log ?
Last Update: 7/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1376291

Is it possible to register "*" in IgnoreURL ACO ?
In ACO parameter IgnoreURL, is it possible to set wild card (*) ?
Last Update: 7/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1402307

What is meaning of IPC messages in nohup.out log ?
In nohup.out log, under SPS_INSTALL/proxy-engine/logs directory, many below messages are output.
Last Update: 7/20/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1267465

Sm_AgentApi errors
Information on the causes of Sm_AgentApi errors and what the error codes mean.
Last Update: 7/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1829552

What does the error, "You cannot start the Secure Proxy Server as root", mean?
The proxyserver.sh checks to see if the user running the script is the same as root. Use the sps-ctl script as documented in the CA Access Gateway Bookshelf instead.
Last Update: 7/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1644143

How to download CA Single Sign-On (formerly SiteMinder) components
Step-by-step procedure to download CA Single Sign-On (formerly SiteMinder) components from support.ca.com
Last Update: 7/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1364894

User AZ Cache in policy server
Information on User AZ Cache registry setting
Last Update: 7/19/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC544401

Invalid Master Key
Installing an r12.52 Policy Server. During the Policy Server Configuration Wizard, when prompted to enter the 'Master Key', the following error appears: Invalid Master Key! Master Key should have Latin Characters [a-zA-Z0-9_] only.
Last Update: 7/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1829014

After Policy Store Import, Legacy Federation Object don't show up
This technote discusses how to fix an issue after importing data in the Policy Store
Last Update: 7/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1659722

For the ERP Agent for Siebel, why should we put the library libSmSecurityProvider75.so in the Siebel server bin/ directory
This technote discusses about the needs of putting some libraries in specific directory of the Siebel Server
Last Update: 7/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1792347

Identity Mapping with Federation
Is Identity Mapping supported for Federation?
Last Update: 7/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1426214

Failed Handshake between Webagent and Policy Server.
What are the reasons for a Failed Handshake between Webagent and Policy Server (need to re-register the Agent)?
Last Update: 7/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC559187

Max Connections at Policy Server in Apache prefork mode.
In use of Apache prefork mode, how much "Max Connections" are needed at least at Policy Server ?
Last Update: 7/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1818474

Are SiteMinder logs enable to output as syslog ?
Yes, but only Policy Server Audit log (smaccess.log) is enable.
Last Update: 7/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1185574

NAT between Web Agent and the policy server
Since we have not explicitly certified any of the CA SSO component with NAT explicitly, I recommend you to use it after performing sufficient verification of operation.
Last Update: 7/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1282269

Failed to create index key errors (i.e. ObjectCalss=xpsKey) on executing xpssweeper command.
Find and remove policy store indexes (i.e. ObjectCalss=xpsKey)
Last Update: 7/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1881072

Policy Server crashes while loading JVM for any custom java code on non-Windows.
After applying a CR, the policy server crashes.
Last Update: 7/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1238638

XPSExport for Policy Backup
Hello, We need to make changes for policies and in case if I have to roll back my changes what would be the best option to use for XPSExport. Please suggest. Thanks Pradeep M
Last Update: 7/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1600301

Signed SP Initiated Request: Signature verification failing at 3rd party IDP
"Can not verify digital signature" error at 3rd party IDP when signature cannot be verified for a signed AuthNRequest or SAMLRequest from CA Federation.
Last Update: 7/13/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1525465

XML External Entity Injection(XXE) - Vulnerability for /affwebservices/router/*
XXE Vulnerability for /affwebservices/router/* Affiliate Agent
Last Update: 7/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1416553

Audit DB attribute values
Post SiteMinder upgrade from 12.5 to 12.52 SP1 CR04, new attribute values are not getting written in Audit DB. We have updated the new schema also. We are able to see the attribute in the tables but not the values. The historic data is not changed.
Last Update: 7/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1458982

Using the User Agent Header in the Proxy Rules.
Does the CA SiteMinder Agent for SharePoint support blocking by the incoming user agent string?
Last Update: 7/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1108305

after SPS upgrade to R12.52 CR4, a space character is added to resource URL after a semicolon.
If a semicolon is used in a URL, on a HTTP redirect (302), a “Space” encoded as %25 is added after the semicolon.
Last Update: 7/13/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1924624

"Failed to get session server provider namespace from registry" after the upgrade of the Policy Server from 12SP3CR11 to 12.52SP01CR04
How to correct "failed to get session server provider namespace from registry" 12.0 SP3 CR11 to 12.52 SP1 CR04
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1891807

Why is SPS causing reauthentication pop-up to appear as text rather than being executed as javascript ?
Sometimes my backend application needs reauthentication and so a javascript popup should be displayed in the browser, but instead I see a regular webpage with the javascript contents.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1691393

IIS Agent does not serve login forms when Default Application Pool is not running.
The Default Application Pool in IIS is needed to serve siteminder agent pages.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1205093

How works the IP Session validation at the Policy Server level ?
This technote discusses about the Session IP validation functionality.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1588007

Problem to login with AdminUI - Username and Password is incorrect
After a restart of the Linux box, impossible to login with the AdminUI even after a re-registration - Username and Password is incorrect - due to small amount of entropy.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1431348

How do the CA Single Sign On custom sdk API agents get updated agent keys from the doManagement call function?
Just need confirmation on how the custom API agts get updated keys from doManagement call function?
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1171204

500 error when the target contains ? in a URL
We are receiving 500 error whenever we make a request with the target containing "?" in the URL.
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1940395

Unable to startup apache server with libsmerrlog.so error
Apache error log return error Cannot load /niceapps/CA/webagent/bin/libmod_sm22.so into server: libsmerrlog.so: cannot open shared object file: No such file or directory
Last Update: 7/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1337522

Linux Web Agent configuration wizard unable to detect the IBM IHS(HTTP) server.
Linux Web Agent configuration wizard requires LD_LIBRARY_PATH to include the IBM IHS /lib path to detect the IBM IHS(HTTP) server properly.
Last Update: 7/11/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1277199

How and when you can use Multiple Virtual Hosts each with a different ACO setting.
You are looking to establish the following: Apache -- 2 vhosts -- both pointing to their own ACO -- having their own agent and Policies as well. NOTE: You need to separate the ACO and not just AgentName within 1 ACO.
Last Update: 7/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1522023

Checking what the bit level in the IIS Application Pool is set to when the WebAgent on IIS / LLAWP Will Not Start.
You're installing a new Web agent on IIS and have configured it to communicate with your policy server. It will register but the LLAWP process will not start. You're unable to get any logging out of the web agent log files.
Last Update: 7/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1525121

Installation of Agent succeeds but Agent does not initialize
Despite successful host registration, IIS starts but not able to service requests.
Last Update: 7/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1546878

Using XPSSweeper as an option to fix the AgentInstance@: Object's Globally Unique ID (GUID) has not been set error.
You are probably getting the error [Validate][ERROR] :AgentInstance@: Object's Globally Unique ID (GUID) has not been set because you were not running the XPSSweeper to remove stale policy objects regularly.
Last Update: 7/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1041817

Unexpected character encoding before URL hook (?) after siteminder authentication
When accessing a resource containing special char (#) in the URL, this is transformed to %23 during the authentication process. Use ACO Localization = No to fix the problem.
Last Update: 7/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1921813

SPS running out of memory and restart during load
SPS crashes and restart due to memory usage - unable to create new native thread. This is due to a bad tuning of the SPS : Decrease the max memory from 3340m to 2048m
Last Update: 7/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1894177

Time based Auditlog Rollover does not work
smaccess log not rolling over for time based rollover
Last Update: 7/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1625128

Question on X.509 Client Certificate Authentication when using an SSL offloader
This article belongs to the Q&A category and explains the X.509 Client Certificate Scheme requirement/restriction as well as a solution module to enhance it.
Last Update: 7/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1334947

Is there some configuration to record the username in the audit store ?
By default we do store the DN of the user in the audit store (Auth/AZ) events, could we use the username instead ? NO.
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1516291

IIS webagent crashes / What should we check to prevent those in the IIS configuration ?
Check the IIS configuration after the installation and especially web.config for preqs.
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1390793

When the Policy Server switches from Primary to Secondary Policy Store, does Policy Server bulk fetch against the Secondary Policy Store ?
This technote discusses about the behavior expected when Policy Server does bulk fetch against the Policy Store
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1310611

In FSSUI, how does the Policy Option "Search Any Attribute" work?
This technote gives tips on how the Policy option "Search Any Attribute" works.
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1831546

Can Cookie Provider request Policy Server for IP validation with the IP present in the session spec ?
This technote discusses a specific behavior of the cookie provider
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1980418

Unable to create audit directory when I started the Policy Server
This technote explains and provides guidance to solve a specific error on the Policy Server
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1642595

SAML IDP Initiation Issue, loop after authentication
During Federation IDP initiated transaction, we get redirected to the /redirect/redirect.jsp
Last Update: 7/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1910717

Secure Proxy Server intermittently reports Noodle_Interupted IOException or Noodle_GenericException.
Noodle_Interupted IOException Noodle_GenericException SPS
Last Update: 7/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1234143

User Lookup for Attribute and Name ID Services
Purpose of the field under the SSO and SLO tab
Last Update: 6/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1599397

smaccess.log fails to roll over intermittently.
This article explains a defect of audit log (smaccess.log) roll over problem and an information on the fix.
Last Update: 6/27/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1807844

Error message: exception report instance was not successfully created.
reporting server error: fatal failed to execute the next reporting instance event. Error message: exception report instance was not successfully created. Receive this error with every report when r12.52 sp 2
Last Update: 6/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1380695

How does Java AgentAPI manage Agent Key and Shared Secret rollover?
This article answers a question on custom Agents using the Java Agent API: How does Java AgentAPI manage Agent Key and Shared Secret rollover?
Last Update: 6/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1288159

request.getRemoteUser() is returning null
Weblogic returns "null" in response to getRemoteUser() call to guard against a security vulnerability – identity spoofing.
Last Update: 6/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC529297


Please note that you can always access the full list going to the following link:

CA Single Sign-On - CA Technologies

Feel free to post your questions in the community if you have questions about any of these KB articles.

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies
