CA SiteMinder® Web Access Manager
Policy Server Release Notes
r12 SP1
This documentation and any related computer software help programs (hereinafter referred to as the
“Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at
any time.
This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in
part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA
and protected by the copyright laws of the United States and international treaties.
Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for
their own internal use, and may make one copy of the related software as reasonably required for back-up and
disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy.
Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for
the Product are permitted to have access to such copies.
The right to print copies of the Documentation and to make a copy of the related software is limited to the period
during which the applicable license for the Product remains in full force and effect. Should the license terminate for
any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the
Documentation have been returned to CA or destroyed.
EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY
APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY
LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT
LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY
ADVISED OF SUCH LOSS OR DAMAGE.
The use of any product referenced in the Documentation is governed by the end user’s applicable license
agreement.
The manufacturer of this Documentation is CA.
Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the
restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section
252.227-7014(b)(3), as applicable, or their successors.
All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Copyright © 2008 CA. All rights reserved.
Contact CA
Contact Technical Support
For online technical assistance and a complete list of locations, primary service
hours, and telephone numbers, contact Technical Support at
http://ca.com/support.
Provide Feedback
If you have comments or questions about CA product documentation, you can
send a message to techpubs@ca.com.
If you would like to provide feedback about CA product documentation, please
complete our short customer survey, which is also available on the CA Support
website.
Contents
Chapter 1: Welcome ............................................................................ 11
Chapter 2: New Features ....................................................................... 13
Arcot WebFort Strong Authentication System ................................................... 13
SiteMinder Information Card Authentication Scheme (ICAS) ..................................... 13
Certificate Utility For SiteMinder Policy Server .................................................. 13
Licensing Feature ............................................................................. 14
Flush Web Agent Requests From Policy Server .................................................. 14
Federation Security Services Administrative UI ................................................. 14
Chapter 3: Changes to Existing Features ....................................................... 15
Policy Server Option Pack Features Moved to Core Product ...................................... 15
Logging Administrator Changes to Policy Store Objects .......................................... 16
Custom Event Handler Libraries ............................................................... 16
Chapter 4: Operating System Support ........................................................... 17
Chapter 5: Software Requirements .............................................................. 19
Policy Server Requirements ................................................................... 19
Windows ................................................................................. 19
UNIX ..................................................................................... 20
JDK/JRE Considerations ................................................................... 21
Administrative UI Requirements ............................................................... 21
Windows ................................................................................. 21
UNIX ..................................................................................... 22
Report Server Requirements .................................................................. 22
Windows ................................................................................. 23
UNIX ..................................................................................... 23
Chapter 6: Installation and Upgrade Considerations ............................................ 25
ETPKI Library Installation ..................................................................... 26
Console Mode Installation Restriction for Administrative UI ...................................... 26
Administrative UI Installations on UNIX Require Root Privileges .................................. 26
Character Restriction for Passwords in Installations (72360) ..................................... 26
Uninstalling the Administrative UI from UNIX May Not Remove All Files .......................... 27
Importing Event Handler Libraries ............................................................. 27
Application Objects in the FSS Administrative UI ................................................ 28
Mapping %FULL_NAME% in the Directory.xml File .............................................. 29
Configure Oracle as an Audit Database (65281) ................................................ 29
Report Server and the SunOne Directory Server ................................................ 31
IPv6 Addresses and Object Store Connections (65040) .......................................... 32
Upgrading a Japanese Policy Server............................................................ 32
MDAC Versions ............................................................................... 32
Compatibility with Other Products.............................................................. 32
Updated snmptrap File ........................................................................ 32
ODBC Timeout When Upgrading from 6.0 SP5 to r12 SP1 (64228) ............................... 33
Operational Changes from 5.x ................................................................. 33
Failed Password Change Requests ......................................................... 33
Effect of Single Policy Server Process on Audit Logging to Text Files (19630).................. 33
iPlanet Web Server Startup (24343) ....................................................... 34
No Default Policy Store .................................................................... 34
Remote Services Variables Superseded ..................................................... 34
Cache Settings Simplified ................................................................. 34
Changes to the Cache Model ............................................................... 34
Solaris Considerations ........................................................................ 34
Solaris 10 Support ........................................................................ 35
Requirement for Starting the Report Server on Solaris (72461) .............................. 35
Required Operating System Patches on Solaris (24317, 28691) .............................. 35
Errors in the SMPS Log due to a gethostbyname() Error (54190) ............................. 36
Upgrading a Solaris Policy Server (57935) .................................................. 36
Red Hat Enterprise Linux AS and ES Considerations ............................................. 36
Updated Database Drivers for Red Hat Enterprise Linux AS 3.0 to 5.1 (42834, 47304)......... 36
SiteMinder SDK and Red Hat Enterprise Linux AS (28203, 28268) ............................ 37
Red Hat Enterprise Linux AS Requires Korn Shell (28782) ................................... 37
Excluded Features on Red Hat Enterprise Linux AS .......................................... 37
Apache 2.0 Web Server and Servlet Exec 5.0 on Red Hat Enterprise Linux AS (28447, 29518) . 37
HP-UX Considerations ......................................................................... 38
Required Operating System Patches on HP-UX .............................................. 38
Kernel Parameters ........................................................................ 38
Excluded Features on HP-UX ............................................................... 39
Apache 1.3.28 Web Server Installation Fails on HP-UX 11i (28327) (28302) .................. 39
Apache 2.0 Web Server and Servlet Exec 5.0 on HP-UX 11i (29517, 28446) .................. 39
Chapter 7: General Considerations ............................................................. 41
Application Objects Appear in the Policy Server User Interface ................................... 41
IdentityMinder Object Support in Policy Stores (29351) ......................................... 41
NTLM Authentication Scheme Replaced by Windows Authentication Scheme ...................... 42
Unsupported Features ........................................................................ 42
System Management Limitations .............................................................. 42
Pop-up Blockers May Interfere with Help ................................................... 43
Registry Setting No Longer Required for Setting the Maximum Number of Connections (27442) 43
Policy Server Limitations ...................................................................... 43
Error Changing Long Password When Password Services is Enabled (26942) .................. 43
Submit Parent Realms Before Creating Sub-realms (72485) ................................. 44
Leading Spaces in User Password May Not Be Accepted (27619) ............................. 44
Certificate Mappings Issue with certain Policy Stores (27027, 30824, 29487) ................. 44
Handshake Errors with Shared Secret Rollover Enabled (27406) ............................. 44
Policy Servers Sharing Policy Store Not Updated Consistently (39844) (39837) ............... 45
Internal Server Error When Using SecureID Forms Authentication Scheme (39664) ........... 45
X.509 Client Certificate or Form Authentication Scheme Issue (39669) ....................... 45
Certain User Name Characters Cause Authenticating or Authorizing Problems (39832)......... 45
DEBUG Logging With SafeWord Authentication Causes Policy Server to Fail (42222, 43051) ... 46
Active Directory Integration Enhancement For LDAP Namespace (43264, 42601) ............. 46
Policy Server Does Not Support Roll Over of Radius Log (44398) (43729) (42348) ............ 46
smnssetup Tool Deprecated (44964) (45908) (46489) ...................................... 46
Policy Server Fails to Initialize Java Virtual Machine on Red Hat AS 3.0 (44649) (44971) ...... 47
User Directory Limitations ..................................................................... 47
ODBC User Store Failover ................................................................. 47
Perl Scripting Interface Limitations............................................................. 48
Perl use Statement for PolicyMgtAPI Must Come Before Use Statement for AgentAPI (24755) .. 48
Methods that Return Arrays May Return undef in a One-Element Array (28499) ............... 48
Perl Scripting Interface and Multi-valued Agent Configuration Parameters (37850) ............ 48
Compatibility Limitations ...................................................................... 48
Oracle Parallel Server and Oracle Real Application Clusters Not Supported (27510) ............ 48
Japanese Policy Server Limitations ............................................................. 49
Agent Shared Secrets are Limited to 175 Characters (30967, 28882)......................... 49
Chapter 8: Known Issues ....................................................................... 51
Searches for Large Number of Policy Objects (63721) ........................................... 52
XPSExport Creates Read Only File (65035) ..................................................... 52
Windows LDAP Driver Version and FIPS/IPv6 Support ........................................... 53
Trial Version of Policy Server Supports Only FIPS-compatibility and FIPS-migration Mode (64416) . 53
Reports and SiteMinder Performance ........................................................... 53
IPv6 ODBC Data Sources ...................................................................... 54
Searching CertSerialNumbers in a Custom Certificate Mapping Fails (59352) ..................... 54
Users are Incorrectly Redirected after Receiving a New SecureID PIN (56738) .................... 54
Mixed Certificate-Based Authentication Schemes (27997) ....................................... 55
Password Change Fails if UserDN Equal to or Greater than 1024 Characters (52424) .............. 55
Multi-mastered LDAP User Store Support Limitations (53677) ................................... 55
Policy Server Audit Logging Text File does not Audit Impersonator Events (52235) ................ 55
Passwords for User Accounts Stored in Active Directory cannot be Locked (48125) ................ 56
Testing SunOne Directory Server Connections on Windows ...................................... 56
Linux Policy Server Does Not Delete Oracle Session Store Sessions (39143) ...................... 57
Affiliate Domain Limitation When Upgrading 6.0 Policy Server on Japanese System (46338) (45693) ... 57
Single Logout Services Log Errors if ODBC/SQLError Component Enabled (41324) ................ 57
Incompatible SiteMinder Releases for Federation Security Services (44790) ...................... 58
Deleting Multiple Roles (72207) ............................................................... 58
Manually Create the webadapter.properties File (72353) ........................................ 59
Edit the InfoCard.properties File for Unix Platforms (72698) ..................................... 60
Netscape Issues .............................................................................. 61
Netscape 6.2.3 Browser Causes Unreadable Date in Time Dialog (27199) ..................... 61
Netscape 6.2.3 Browser Causes Missing Attribute Types in Response Attribute Editor (27214) . 61
Netscape Browser Causes Missing Attributes in SiteMinder Response Dialog (44668, 44675) ... 61
Oracle Issues ................................................................................. 62
Administrative UI and Oracle Policy Store Objects (65782) .................................. 62
SiteMinder Query Timeout and Oracle User Directories (68803) .............................. 62
Policy Server Issues .......................................................................... 62
Policy Server May Fail to Start due to a Dynamically Updated system_odbc.ini File (55265) .... 62
Policy Server Installer Lists an Unsupported Operating System (55924) ...................... 62
Policy Server Ignores all Response Attributes with NULL Values (70010) ...................... 62
Solaris Issues ................................................................................ 63
Password Screen does not Prompt for Multiple SafeWord Authenticators (56766).............. 63
Federation Encryption Issue with JCE on Solaris (71293) .................................... 63
Chapter 9: Defects Fixed in SiteMinder Releases ............................................... 65
Defects Fixed for r12 SP1 ..................................................................... 65
Policy Server Fails to Recover Policy Store Connection (64563) .............................. 65
Nested Realms with the Same Name Causes an Error (65698) ............................... 65
Granular Import Options for XPSImport Fail for an ADAM/Active Directory Policy Store (65758) 66
RADIUS Response Attributes Fail to Save (65534) .......................................... 66
Non-fatal Errors appear in the Administrative UI Installation Log ............................. 66
Solaris Reports Fail to Build (65951) ....................................................... 66
Applications do not Support Multiple Roles (66460) ......................................... 67
Policy Administrators cannot select User Directories (66008)................................. 67
Domain Administrators cannot select Authentication Schemes (65665) ....................... 67
Security Scopes do not appear for Security Category (65724) ............................... 67
Report Server Installer does not Check Space Requirement (65044) ......................... 68
Role Descriptions are not Saved (66274) ................................................... 68
Upgrade SMDIFs missing a SAML 1.x Single Sign-on Property ................................ 68
Chapter 10: International Support ............................................................. 69
Chapter 11: Documentation ..................................................................... 71
Guide Names ................................................................................. 71
SiteMinder Bookshelf ......................................................................... 72
Release Numbers on Documentation ........................................................... 72
Chapter 1: Welcome
This document contains information on Policy Server and the SiteMinder Web
Access Manager Administrative UI features, operating system support,
installation considerations, known issues and fixes.
Chapter 2: New Features
This section contains the following topics:
Arcot WebFort Strong Authentication System (see page 13)
SiteMinder Information Card Authentication Scheme (ICAS) (see page 13)
Certificate Utility For SiteMinder Policy Server (see page 13)
Licensing Feature (see page 14)
Flush Web Agent Requests From Policy Server (see page 14)
Federation Security Services Administrative UI (see page 14)
Arcot WebFort Strong Authentication System
SiteMinder r12 SP1 is compatible with the Arcot WebFort Strong Authentication
System. For information on how to use WebFort with SiteMinder, see the
Supplemental Products tab on the CA SiteMinder Web Access Manager product
page of the CA web site: http://www.ca.com/us/internet-access-control.aspx.
SiteMinder Information Card Authentication Scheme (ICAS)
SiteMinder Information Card Authentication Scheme (ICAS) is a SiteMinder
authentication scheme that supports Windows CardSpace. Each instance of
ICAS is configured as a custom authentication scheme in the Administrative UI
and implemented like any other SiteMinder custom authentication scheme.
Certificate Utility For SiteMinder Policy Server
You can use a third-party certificate utility to manage your SSL certificates.
This eliminates the need to have a specific web browser SDK version installed
in your environment.
One such certificate utility is the Network Security Services (NSS) utility
(version 3.2.2). You can download the appropriate file for your operating
system from Mozilla. Documentation for this tool is also available on the
Mozilla NSS project page.
Important! When using this tool on Windows Server 2003, you must use the
full path to the executable file.
Licensing Feature
SiteMinder r12 SP1 gives you the ability to count the number of users in your
SiteMinder environment so you can comply with the terms of your SiteMinder
licensing agreement.
Note: For more information, see the Policy Server Administration Guide.
Flush Web Agent Requests From Policy Server
The Policy Server tools for SiteMinder r12 SP1 include an option to remove
timed-out Web Agent requests from the Policy Server.
Note: For more information, see the Policy Server Administration Guide.
Federation Security Services Administrative UI
The FSS Administrative UI is an applet-based application that is installed with
the Policy Server. The federation-specific UI objects consist of affiliates
(consumers, service providers, resource partners) and SAML authentication
schemes that you configure to support SiteMinder's Federation Security
Services.
The intent of the FSS Administrative UI is to let you manage SiteMinder
Federation Security Services. If you are familiar with previous versions of the
SiteMinder Policy Server User Interface, you will notice that all SiteMinder
objects appear in the FSS Administrative UI, except the application objects for
Enterprise Policy Management (EPM). You may use the FSS Administrative UI
to manage these objects. If you need information while using the FSS
Administrative UI, please consult the online help.
Chapter 3: Changes to Existing Features
This section contains the following topics:
Policy Server Option Pack Features Moved to Core Product (see page 15)
Logging Administrator Changes to Policy Store Objects (see page 16)
Custom Event Handler Libraries (see page 16)
Policy Server Option Pack Features Moved to Core Product
Prior to this release, the Policy Server Option Pack required a separate
installation. Beginning in r12 SP1, Policy Server Option Pack features are
installed with the Policy Server and include:
■ SiteMinder Federation Security Services
  Note: More information on Federation Security Services exists in the
  Federation Security Services Guide.
■ eTelligent Rules—eTelligent Rules let you define fine-grained
  access-control policy expressions, which are SiteMinder policy attributes,
  and can include operators and custom-defined variables. eTelligent Rules
  are evaluated at runtime, when a user needs access to a protected resource
  on a Web site.
  Note: More information on eTelligent Rules exists in the Policy Server
  Configuration Guide.
■ Web service variables—Let you add variables to SiteMinder policies to
  make authorization decisions. Web service variables are resolved through
  web service calls to local or remote data sources.
  Note: More information on Web service variables exists in the Policy
  Server Configuration Guide.
■ C sample program smpolicyapi—To be run, optionally, after you install the
  Policy Server. The smpolicyapi supports the manipulation of policy store
  data related to affiliates and affiliate domains.
  Note: More information on the smpolicyapi exists in the Programming
  Guide for C.
Important! Although installed with the Policy Server, the Policy Server Option
Pack features continue to be licensed separately from SiteMinder. Contact your
CA account representative for more information on licensing.
Logging Administrator Changes to Policy Store Objects
Logging administrator changes to policy store objects is no longer configured
in the Policy Server Management Console. Rather, you use the XPSConfig
utility to enable or disable administrator logging. By default, an r12 SP1 Policy
Server is enabled to log administrator changes to policy store objects. Use the
XPSConfig utility to disable administrator logging if it is not required.
Note: More information on configuring administrator logging exists in the
Policy Server Administration Guide.
Custom Event Handler Libraries
For SiteMinder r12 SP1, you can no longer add custom event handler libraries
to the Policy Server using the Policy Server Management Console. You must
use the XPSConfig tool instead to add custom event handler libraries. If you
have upgraded to r12 SP1 from a previous release, you must use the
XPSConfig tool to specify any existing custom event handler libraries.
Note: For more information, see the Policy Server Administration Guide.
Chapter 4: Operating System Support
Before you install the Policy Server and the Administrative UI, ensure you are
using a supported operating system and third-party software.
Note: For a list of supported CA and third-party components, refer to the
SiteMinder r12 SP1 Platform Support Matrix on the Technical Support site.
To locate the support matrix from the Support site
1. Click Technical Support.
2. Click Support By Product or Solution.
3. Select CA SiteMinder Web Access Manager from the Select a Product or
   Solution Page list.
4. Click Platform Support Matrices in the Product Status group box.
You can download the latest JDK and JRE versions at the Sun Developer
Network.
Chapter 5: Software Requirements
This section contains the following topics:
Policy Server Requirements (see page 19)
Administrative UI Requirements (see page 21)
Report Server Requirements (see page 22)
Policy Server Requirements
The following requirements must be met or exceeded for the SiteMinder Policy
Server to install and run correctly.
Windows
The following requirements exist for Windows:
■ 512 MB system RAM (minimum).
■ 270 MB free hard disk space in the install location, and 180 MB of free
  space in the system's temporary file location.
  Note: These requirements are based on a medium size policy database,
  which is approximately 1,000 policies.
■ Ensure that you have the required JRE version installed.
Additional non-system requirements exist in the Policy Server Installation
Guide.
Note: For a list of supported CA and third-party components, refer to the
SiteMinder r12 SP1 Platform Support Matrix on the Technical Support site.
To locate the support matrix from the Support site
1. Click Technical Support.
2. Click Support By Product or Solution.
3. Select CA SiteMinder Web Access Manager from the Select a Product or
   Solution Page list.
4. Click Platform Support Matrices in the Product Status group box.
You can download the latest JDK and JRE versions at the Sun Developer
Network.
UNIX
The following requirements exist for UNIX:
■ 512 MB RAM
■ 300 MB free hard disk space, and 200 MB of free disk space in /tmp.
  Note: Typically, 10 MB or less free disk space in /tmp is required for the
  daily operation of the Policy Server. The Policy Server creates files and
  named pipes under /tmp. The path to which these files and pipes are
  created cannot be changed.
■ Ensure that you have the required JRE version installed.
Additional non-system requirements exist in the Policy Server Installation
Guide.
Note: For a list of supported CA and third-party components, refer to the
SiteMinder r12 SP1 Platform Support Matrix on the Technical Support site.
To locate the support matrix from the Support site
1. Click Technical Support.
2. Click Support By Product or Solution.
3. Select CA SiteMinder Web Access Manager from the Select a Product or
   Solution Page list.
4. Click Platform Support Matrices in the Product Status group box.
You can download the latest JDK and JRE versions at the Sun Developer
Network.
JDK/JRE Considerations
Consider the following when using a supported JDK/JRE:
■ JDK 1.5.0_06 through JDK 1.5.0_09 leaks handles on Windows and Solaris
  platforms. This issue is a result of a Sun Microsystems bug. Refer to Sun
  bug number 6399321.
■ JDK 1.5.0_05 through JDK 1.5.0_09 causes ServletExec to crash on dual
  processor machines.
Note: For a list of supported CA and third-party components, refer to the
SiteMinder r12 SP1 Platform Support Matrix on the Technical Support site.
To locate the support matrix from the Support site
1. Click Technical Support.
2. Click Support By Product or Solution.
3. Select CA SiteMinder Web Access Manager from the Select a Product or
   Solution Page list.
4. Click Platform Support Matrices in the Product Status group box.
You can download the latest JDK and JRE versions at the Sun Developer
Network.
Administrative UI Requirements
The following requirements must be met or exceeded for the Administrative UI
to install and run correctly.
Windows
The following Windows requirements exist for the Administrative UI:
■ CPU—Single or dual-processor, Intel Pentium III (or compatible), 700-900
  MHz.
■ Memory—512 MB system RAM. We recommend 1 GB.
  Note: If you are running WebSphere, 2 GB system RAM is required.
■ Available disk space—540 MB.
  Note: If you are running WebSphere, 2 GB of available disk space is
  required.
■ Temp directory space—450 MB.
■ JDK—The required JDK version is installed on the system to which you are
  installing the Administrative UI.
■ Screen resolution—1024 x 768 or higher resolution with 256 colors or
  better to properly view the Administrative UI.
■ Web browser—a supported Web browser to view the Administrative UI.
Note: Additional non-system requirements exist in the Policy Server
Installation Guide.
UNIX
The following UNIX requirements exist for the Administrative UI:
■ CPU
  – Solaris—Sparc Workstation 440 MHz
  – Red Hat Linux—Single or dual-processor, Intel Pentium III (or
    compatible), 700-900 MHz
■ Memory—512 MB system RAM. We recommend 1 GB.
  Note: If you are running WebSphere, 2 GB system RAM is required.
■ Available disk space—540 MB.
  Note: If you are running WebSphere, 2 GB of available disk space is
  required.
■ Temp directory space—450 MB.
■ JDK—The required JDK version is installed on the system to which you are
  installing the Administrative UI.
■ Screen resolution—1024 x 768 or higher resolution with 256 colors or
  better to properly view the Administrative UI.
■ Web browser—a supported Web browser to view the Administrative UI.
Note: Additional non-system requirements exist in the Policy Server
Installation Guide.
Report Server Requirements
The following requirements must be met or exceeded for the report server to
install and run correctly.
Note: Although you can install and run the report server from the same
machine that is hosting the Administrative UI, we recommend installing the
report server on a separate machine.
Windows
The following Windows requirements exist for the report server:
■ CPU—Single or dual-processor, Intel Pentium III (or compatible), 700-900
  MHz.
■ Memory—512 MB system RAM.
  Note: We recommend 1 GB.
■ Available disk space—4 GB.
  Note: This is the required space to install the report server. This
  requirement does not account for the disk space required to store reports.
■ Temp directory space—1 GB.
■ Screen resolution—1024 x 768 or higher resolution with 256 colors or
  better to properly view reports in the Administrative UI.
■ Web browser—a supported Web browser to view the reports in the
  Administrative UI.
Note: Additional non-system requirements exist in the Policy Server
Installation Guide.
UNIX
The following UNIX requirements exist for the report server:
■ CPU—Sparc Workstation 440 MHz.
■ Memory—512 MB system RAM.
  Note: We recommend 1 GB.
■ Available disk space—4 GB.
  Note: This is the required space to install the report server. This
  requirement does not account for the disk space required to store reports.
■ Temp directory space—1 GB.
■ Screen resolution—1024 x 768 or higher resolution with 256 colors or
  better to properly view reports in the Administrative UI.
■ Web browser—a supported Web browser to view reports in the
  Administrative UI.
Note: Additional non-system requirements exist in the Policy Server
Installation Guide.
Chapter 6: Installation and Upgrade Considerations
This section contains the following topics:
ETPKI Library Installation (see page 26)
Console Mode Installation Restriction for Administrative UI (see page 26)
Administrative UI Installations on UNIX Require Root Privileges (see page 26)
Character Restriction for Passwords in Installations (72360) (see page 26)
Uninstalling the Administrative UI from UNIX May Not Remove All Files (see
page 27)
Importing Event Handler Libraries (see page 27)
Application Objects in the FSS Administrative UI (see page 28)
Mapping %FULL_NAME% in the Directory.xml File (see page 29)
Configure Oracle as an Audit Database (65281) (see page 29)
Report Server and the SunOne Directory Server (see page 31)
IPv6 Addresses and Object Store Connections (65040) (see page 32)
Upgrading a Japanese Policy Server (see page 32)
MDAC Versions (see page 32)
Compatibility with Other Products (see page 32)
Updated snmptrap File (see page 32)
ODBC Timeout When Upgrading from 6.0 SP5 to r12 SP1 (64228) (see page
33)
Operational Changes from 5.x (see page 33)
Solaris Considerations (see page 34)
Red Hat Enterprise Linux AS and ES Considerations (see page 36)
HP-UX Considerations (see page 38)
ETPKI Library Installation
The Policy Server and Web Agent installations include a CA ETPKI library, which is installed in the following directory:
installation_location
Specifies the Policy Server or Web Agent installation path.
Consider the following:
■ For Windows platforms, if a CA ETPKI library already exists on the machine to which you are installing the Policy Server or Web Agent, the installer upgrades the existing ETPKI library to the version shipped with the component. The CA ETPKI library remains in its current location.
■ For UNIX platforms, the installer installs the CA ETPKI library to the installation_location/ETPKI directory, even if another CA ETPKI library exists elsewhere on the UNIX file system.
Console Mode Installation Restriction for Administrative UI
For console mode installation of the Administrative UI, SQL 2005 stores are
not supported. There is no such restriction for the GUI mode and silent mode
installation.
Administrative UI Installations on UNIX Require Root Privileges
Root privileges are required to install the Administrative UI on UNIX systems.
Note: For more information, see the SiteMinder Policy Server Installation
Guide.
Character Restriction for Passwords in Installations (72360)
When installing the Policy Server, the Administrative UI and the Report Server,
you are asked to specify passwords for various components. When entering
any password during installation, do not use a dollar sign ($) as part of the
password. The dollar sign is a reserved character in InstallAnywhere, the
software package used to develop SiteMinder installations. InstallAnywhere
interprets the dollar sign as the start of an InstallAnywhere variable.
Uninstalling the Administrative UI from UNIX May Not Remove All Files
When you uninstall the Administrative UI from any UNIX platform, not all files may be properly removed from your system.
To uninstall the Administrative UI completely from UNIX platforms
1. Navigate to the administrative_ui_home/IAM_Suite/siteminderWAM directory and run the following command:
iam-suite-uninstall.sh
Follow the wizard to uninstall the Administrative UI.
2. Navigate to the /var directory and do the following:
a. Delete the .CA_IAM_FW.registry file.
b. Open the .com.zerog.registry.xml file and delete only the section that begins <feature name="Framework"... and ends </feature>.
These steps completely uninstall the Administrative UI.
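Step 2b above is a hand edit of an XML file that other InstallAnywhere-based products on the host may also use, which is why only the one section may be deleted. The following Python script is an added example, not part of the release notes or of CA's uninstaller: it backs the file up, removes only the <feature name="Framework"> element and leaves every other entry in place. The page names only the <feature> element, so the enclosing element names in the sample registry are assumptions and the code searches the whole tree rather than a fixed path.

```python
"""Remove the <feature name="Framework"> section from a ZeroG/InstallAnywhere
registry file (.com.zerog.registry.xml), which is step 2b of the manual
clean-up above. Added example, not CA's uninstaller. The page only names the
<feature> element; the enclosing element names in SAMPLE_REGISTRY are
assumptions, so the code searches the whole tree rather than a fixed path."""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Tuple

FEATURE_NAME = "Framework"  # the feature the release note says to delete


def remove_feature(xml_text: str, name: str = FEATURE_NAME) -> Tuple[str, int]:
    """Return (new_xml, removed_count). Only <feature name=NAME> elements are
    dropped; every sibling, including other <feature> entries, is kept."""
    root = ET.fromstring(xml_text)
    removed = 0
    # Snapshot the element list first: removing children while walking the
    # live tree can skip nodes.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "feature" and child.get("name") == name:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def clean_registry_file(path: Path, name: str = FEATURE_NAME) -> int:
    """Back up the file to <name>.bak, rewrite it without the feature and
    return how many elements were removed. Nothing is written if none match."""
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    new_xml, removed = remove_feature(path.read_text(encoding="utf-8"), name)
    if removed:
        path.write_text(new_xml, encoding="utf-8")
    return removed


# Constructed sample registry; not copied from a real SiteMinder host.
SAMPLE_REGISTRY = """<registry version="1.0">
  <products>
    <product name="CA SiteMinder Administrative UI">
      <feature name="Framework" last_modified="0">
        <component name="IAM_FW" version="1.0"/>
      </feature>
      <feature name="Other">
        <component name="keep-me" version="2.0"/>
      </feature>
    </product>
  </products>
</registry>
"""

if __name__ == "__main__":
    cleaned, count = remove_feature(SAMPLE_REGISTRY)
    print(f"removed {count} <feature> element(s)")
    print(cleaned)
    # On a real host, after the uninstall wizard has finished:
    # clean_registry_file(Path("/var/.com.zerog.registry.xml"))
```

Keep the .bak copy until you have confirmed that no other product's entries were touched; the registry is shared, and deleting more than the Framework section can break the uninstallers of unrelated InstallAnywhere products.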
Importing Event Handler Libraries
Consider the following before upgrading a Policy Server to r12 SP1:
■ If the Policy Server Management Console Advanced tab does not contain event handler libraries, the XPSAudit event handler library (XPSAudit.dll) is added to the Event Handlers field. No further action is required.
■ If the Policy Server Management Console Advanced tab does contain event handler libraries, complete the following after upgrading the Policy Server:
1. Open the Policy Server Management Console and click the Advanced tab.
2. In the Event Handlers field, replace the path to the current event handler library with the path to the XPSAudit event handler library.
Note: The default location of the XPSAudit event handler library is policy_server_home\bin.
policy_server_home
Specifies the Policy Server installation path.
3. Click Apply.
The path to the event handler library is saved. The Event Handlers field appears disabled.
Note: By default, the only event handler library that appears in the Advanced tab is XPSAudit.dll.
4. Use the XPSConfig utility to add additional event handler libraries, previously used or otherwise, to the XPSAudit list.
Note: More information on using the XPSConfig utility to set event handler libraries exists in the Policy Server Administration Guide.
Application Objects in the FSS Administrative UI
If you created Enterprise Policy Management (EPM) applications using the r12 Administrative UI, consider the following after upgrading to r12 SP1:
■ The underlying SiteMinder components related to each application appear in the FSS Administrative UI. For example, the policy domain associated with an application appears in the Domains tab in the FSS Administrative UI.
■ Do not modify the related, individual components using the FSS Administrative UI.
■ Only use the r12 SP1 Administrative UI to modify applications created using the r12 Administrative UI.
To prevent the underlying components related to r12 applications from appearing in the FSS Administrative UI
1. Log into the r12 SP1 Administrative UI.
2. Click Policies, Applications.
3. Click Applications, Modify Application.
The Modify Application screen appears.
4. Search for each application created prior to the upgrade.
5. For each application:
a. Open the application.
b. Click Submit.
Note: You do not have to make changes to the application. You are only required to re-submit the application.
The application is saved and the underlying components related to the application no longer appear in the FSS Administrative UI.
Note: The underlying SiteMinder components related to applications created using the r12 SP1 Administrative UI do not appear in the FSS Administrative UI.
Mapping %FULL_NAME% in the Directory.xml File
When configuring the directory.xml file for Administrative UI installation, the
well-known attribute %FULL_NAME% needs to map to a single physical
attribute. Do not use an expression to calculate the value of %FULL_NAME%
because it causes the user search to fail when creating or modifying an
administrator.
Configure Oracle as an Audit Database (65281)
Audit reports are unavailable if the audit database is hosted by an Oracle 9i or 10g database server. If you choose to use Oracle as an audit database, you must complete the following extra configuration tasks:
■ Import report templates into the Report Server database.
■ Install the Oracle 9i database client.
To import the report templates into the Report Server database
1. Select Start, Programs, CA, IAM Report Server, BusinessObjects Enterprise Java InfoView.
The InfoView log-on screen displays.
2. Log on as Administrator and enter the administrator password you assigned when installing the Report Server.
The main InfoView console opens.
3. Select the SiteMinder folder in the left pane and then select and delete the following report templates in the right pane:
■ AdminOperationsByAdmin
■ DeniedAuthorizations
■ DeniedResources
■ ResourceActivity
■ UserActivity
4. Log off InfoView and close your web browser.
5. Select Start, Programs, CA, IAM Report Server, Import Wizard to start the Report Server Import Wizard.
If this is the first time you are using the Wizard, the Wizard installs automatically.
Important! The Import Wizard is only available on a Windows installation of the Report Server. If you are running the Report Server on UNIX, install a second instance of the Report Server on Windows. During the import process, select the CMS Service used by the UNIX Report Server.
6. Select Next in the Welcome to the Import Wizard dialog.
The Source Environment dialog displays.
7. Do the following:
a. In the Source drop-down field, select Business Intelligence Archive Resource (BIAR) file.
b. In the BIAR File field, use the ellipsis button to locate and select the siteminder-reports-oracle.biar file. This file should be at the top level of the file structure on the DVD or web kit.
c. Click Next.
The Destination Environment dialog displays.
8. Enter values for the CMS Name, User Name, and Password fields for the Report Server database. You specified these values during the Report Server installation. Click Next.
Note: For UNIX users, remember to specify the CMS Service used by the UNIX Report Server.
The Select objects to import dialog displays.
9. Ensure that only the Import folders and objects check box is selected; deselect all other check boxes, including the options under Import folders and objects. Click Next.
A note on importing universes dialog displays.
10. Review the note and click Next.
The Incremental import dialog displays.
11. Select the Overwrite object contents and Overwrite object rights check boxes, then click Next.
A note on importing universes dialog displays.
12. Review the note and click Next.
The Folders and objects dialog displays.
13. Select the SiteMinder folder and click Next.
Note: Ensure that the Import all instances of each selected report and object package check box is not checked.
A note on importing universes dialog displays.
14. Review the note and click Next.
The Ready to import dialog displays.
15. Click Finish.
The import begins.
16. When the import is complete, click View Log in the final dialog and make sure that all objects are imported without errors.
17. Click Done to exit the Import Wizard.
To configure the Oracle 9i database client
1. Configure the Administrative UI object store on an MS SQL Server database.
2. Install the Oracle 9i database client.
3. Copy the JDBC driver %ORACLE_HOME%\jdbc\lib\ojdbc14.jar to the following location:
%JBOSS_HOME%\server\default\lib
4. Create an Audit Report connection and select the Oracle database.
Report Server and the SunOne Directory Server
The following installation limitations exist between the report server and the SunOne directory server:
■ You cannot install the report server on a machine where a SunOne LDAP directory server is installed.
■ You cannot install a SunOne LDAP directory server on a machine where the report server is installed.
IPv6 Addresses and Object Store Connections (65040)
When you specify an object store connection during the Administrative UI
installation, do not enter an IPv6 address. Instead, enter a hostname.
IPv6 addresses are not supported for object store connections.
Upgrading a Japanese Policy Server
The r12 SP1 version of the Policy Server is not localized for the Japanese
language. Upgrading the Policy Server to r12 SP1 results in a version that is
not localized for Japanese.
MDAC Versions
It is required that the MDAC versions installed on the client and server sides
are compatible.
Note: More information exists in the Microsoft MDAC documentation.
Compatibility with Other Products
To ensure interoperability if you use multiple products, such as IdentityMinder,
Identity Manager, TransactionMinder, and eProvision, check the Platform
Support Matrices for the required releases of each product. The platform
matrices exist on the Technical Support site.
Updated snmptrap File
This release includes an updated snmptrap.conf file. Before installation, back
up and save the original snmptrap.conf file, located in
siteminder_installation\config.
ODBC Timeout When Upgrading from 6.0 SP5 to r12 SP1 (64228)
When upgrading SiteMinder from 6.0 SP5 to r12 SP1 on a Windows platform, uninstall all DataDirect ODBC drivers and freshly install the DataDirect 5.3 ODBC drivers. These steps prevent database timeout errors when SiteMinder is deployed.
Operational Changes from 5.x
The following features behave differently in version r12 SP1.
Failed Password Change Requests
In a 5.5 environment, when a user submits a password change request that
contains an invalid current password, the Password Change Information screen
appears with a message stating that the old password is incorrect. The user
can provide the correct credential and change the password. In r12 SP1, the
Policy Server redirects the user to the login screen without the message.
Enabling the DisallowForceLogin registry key restores the 5.5 behavior in an r12 SP1 environment. The registry key is located at:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer
The KeyType must be configured as REG_DWORD and the Value must be 0 (disabled) or 1 (enabled). The registry key is disabled by default. If a value other than 0x1 is configured, the feature is disabled, and the r12 SP1 behavior is in effect.
Effect of Single Policy Server Process on Audit Logging to Text Files (19630)
Prior to SiteMinder 6.0, when the audit logging was configured to write to text
files, each Policy Server process added to the configured base filename. The
addition included a distinguishing string ( "_Acct", "_Adm", "_Auth" or "_Az" )
and a current date-time string. The r12 SP1 single-process Policy Server does
not add distinguishing characters to the configured file name (other than
appending .<number> when rolling over the log files).
Regarding the effect of new policy stores on audit logging, see Audit Logs
(24116).
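Because the naming convention for audit text files changes across this upgrade, anything that collects, rotates or alerts on those files needs to recognize both forms during the transition. The following Python function is an added example, not CA code: it classifies a file name as a pre-6.0 per-process log (base name, service tag, date-time string) or an r12 SP1 single-process log (base name, optionally followed by .<number> after rollover). The page does not give the legacy date-time format, so anything after the service tag is accepted as the stamp; the directory listing is constructed.

```python
"""Recognise SiteMinder audit text-log file names under both conventions the
note above describes, so a log collector keeps picking up files across an
upgrade: pre-6.0 per-process files (base name + "_Acct", "_Adm", "_Auth" or
"_Az" + a date-time string) and r12 SP1 single-process files (base name,
plus ".<number>" once the log rolls over). Added example, not CA code. The
page does not give the legacy date-time format, so anything following the
service tag is accepted as the stamp. File names below are constructed."""
import re
from typing import Dict, Iterable, Optional

LEGACY_TAGS = ("_Acct", "_Adm", "_Auth", "_Az")  # from the release note


def classify_audit_log(filename: str, base: str) -> Optional[dict]:
    """Describe `filename` relative to the configured base name, or return
    None when it is not an audit log derived from that base."""
    escaped = re.escape(base)
    if filename == base:
        return {"style": "r12sp1", "rollover": 0}  # the active file
    m = re.fullmatch(escaped + r"\.(\d+)", filename)
    if m:
        return {"style": "r12sp1", "rollover": int(m.group(1))}
    tags = "|".join(re.escape(t) for t in LEGACY_TAGS)
    m = re.fullmatch(escaped + f"({tags})(.+)", filename)
    if m:
        # Strip the leading underscore from the tag to get the service name.
        return {"style": "legacy", "service": m.group(1)[1:], "stamp": m.group(2)}
    return None


def collect_audit_logs(names: Iterable[str], base: str) -> Dict[str, dict]:
    """Filter a directory listing down to audit logs, keyed by file name."""
    found = {}
    for name in names:
        info = classify_audit_log(name, base)
        if info is not None:
            found[name] = info
    return found


# Constructed directory listing mixing both conventions plus unrelated files.
SAMPLE_LISTING = [
    "smaudit.log",
    "smaudit.log.1",
    "smaudit.log.2",
    "smaudit.log_Auth2004-12-01-120000",
    "smaudit.log_Az2004-12-01-120000",
    "smaccess.log",
    "smaudit.log.bak",
]

if __name__ == "__main__":
    for name, info in collect_audit_logs(SAMPLE_LISTING, "smaudit.log").items():
        print(f"{name}: {info}")
```

A collector that only globs for the service-tagged names stops seeing audit data the moment the r12 SP1 Policy Server starts writing to the bare base name, which is the kind of silent gap this check is meant to catch.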
iPlanet Web Server Startup (24343)
An iPlanet Web server no longer starts automatically after configuration. This
applies to all supported platforms.
No Default Policy Store
The r12 SP1 Policy Server does not have a default policy store. In addition,
Microsoft Access is no longer supported as a policy store. You can find a list of
supported databases at the SiteMinder Platform Matrix for r12 SP1 on the
Technical Support site.
Remote Services Variables Superseded
Remote Services variables are superseded by Web Services variables.
Cache Settings Simplified
The Cache settings in the Policy Server Management Console have been
simplified to a single setting.
Changes to the Cache Model
The cache model for SiteMinder r12 SP1 differs from the model for 5.x:
■ The Policy Store cache is no longer configurable.
■ The L2 cache is replaced by self-tuning per-object-class caches.
■ The User Authorization (AZ) cache size is configurable using the Policy Server Management Console. The cache can be tuned using the new counters available in the SiteMinder OneView Monitor.
Solaris Considerations
The following considerations apply to Solaris.
Solaris 10 Support
The Policy Server and Web Agent are certified for global and non-global zones.
Note: More information on Solaris 10 support exists in the Policy Server
Installation Guide.
Requirement for Starting the Report Server on Solaris (72461)
Before starting the Report Server on Solaris, source the setupenv.sh file. Sourcing this file is required for the Report Server to operate properly.
To source the file setupenv.sh:
1. Navigate to the report_server_home/iamreportserver/external/scripts directory.
2. Enter the following command:
. ./setupenv.sh
3. Restart the Report Server after sourcing the file, using the following commands:
stopservers
followed by
startservers
The Report Server now functions as expected.
Required Operating System Patches on Solaris (24317, 28691)
The following table lists required and recommended patches by version:
Version   | Required                                                                | Recommended
Solaris 9 | 111722-04 or any superseding patch; 111711-15 or any superseding patch   | none
You can find patches and their respective installation instructions at SunSolve (http://sunsolve.sun.com).
Errors in the SMPS Log due to a gethostbyname() Error (54190)
Network connectivity errors appear in the smps log when gethostbyname() is called. These errors appear even though the directories are available on the network. This is a Solaris issue which, according to Sun bug ID 4353836, has been resolved.
Sun lists the following patches for Solaris 9:
■ 112874-16 (libc)
■ 113319-12 (libnsl)
■ 112970-05 (libresolv)
■ 115545-01 (nss_files)
■ 115542-01 (nss_user)
■ 115544-01 (nss_compat)
Upgrading a Solaris Policy Server (57935)
Problem:
If your license file is older than January 2005, the Policy Server may
experience problems reading the license file after an upgrade. You may receive
a message stating that a valid end-user license cannot be found.
Solution:
Contact Technical Support, and request a new license file.
Red Hat Enterprise Linux AS and ES Considerations
The following considerations apply to Red Hat Enterprise Linux AS and ES.
Updated Database Drivers for Red Hat Enterprise Linux AS 3.0 to 5.1 (42834, 47304)
If you are upgrading from 6.0 SP3 or earlier, note that the ODBC database drivers for Red Hat Enterprise Linux AS have been updated. As a result, if your Linux Policy Server uses these drivers to connect to an ODBC policy store, you must update the DSN connection information in the system_odbc.ini file with the new driver settings.
SiteMinder SDK and Red Hat Enterprise Linux AS (28203, 28268)
The SiteMinder SDK was built using gcc 3.2.3 for Red Hat AS 3.0.
Red Hat Enterprise Linux AS Requires Korn Shell (28782)
A Policy Server installed on Red Hat AS requires the Korn shell. If you do not install a Korn shell on Red Hat AS, you cannot execute the commands that control the Policy Server from a command line, such as start-all and stop-all.
Excluded Features on Red Hat Enterprise Linux AS
The following features are not supported by the Policy Server on Red Hat AS:
■ Cryptocard authentication scheme
■ OCSP
■ Safeword authentication scheme
■ SiteMinder Test Tool
■ Teleid authentication scheme
Apache 2.0 Web Server and Servlet Exec 5.0 on Red Hat Enterprise Linux AS (28447, 29518)
To use Apache 2.0 Web Server and Servlet Exec 5.0 on Red Hat AS
1. Run the ServletExec 5.0 AS installer against Apache 1.3.x.
The Servlet Exec AS Java instance is created.
2. Run ServletExec and Apache 1.3.x, and make sure you can run /servlet/TestServlet.
3. Shut down Apache 1.3.x, but leave Servlet Exec running.
4. Using anonymous FTP, access ftp://ftp.newatlanta.com/public/servletexec/4_2/patches and download mod_servletexec2.c and ReadMe.txt.
Note: Anonymous FTP authenticates neither the server nor the file, and the module built from this source runs inside the Web server process. Verify the download against a copy or checksum obtained through a trusted channel before compiling it.
5. Edit the httpd.conf file of your Apache 2.x so that it contains the necessary Servlet Exec-specific directives.
Note: The directives are also present in the httpd.conf file of your Apache 1.3.x if you allowed the ServletExec installer to update the httpd.conf during installation. More information on editing the httpd.conf file exists in the SE 4.2 Installation Guide.
6. Start Apache 2.x.
7. Test the Web Server with ServletExec by accessing /servlet/TestServlet.
HP-UX Considerations
The following considerations apply to HP-UX.
Required Operating System Patches on HP-UX
The following table lists required and recommended patches by version:
Version   | Required                         | Recommended
HP-UX 11i | KRNG11i, PHSS_26263, PHCO_29029  | none
Note: You may replace the above patches with the latest ld and linker tools cumulative patch.
It is recommended that you install the June 2003 or the latest available patch bundle for the HP-UX 11.x operating system.
HP maintains a list of the recommended patches for using Java 1.4.1 at:
http://h18012.www1.hp.com/java/patches/index.html
Kernel Parameters
HP provides a tool called HPjconfig, which lists the recommended kernel parameters for running Java on HP-UX systems. Because the Policy Server uses Java, use this tool to determine the recommended kernel parameters. You can search for this tool on the HP Web site:
http://www.hp.com
Excluded Features on HP-UX
The following features are not supported by the Policy Server on HP-UX:
■ Cryptocard authentication scheme
■ Safeword authentication scheme
■ Teleid authentication scheme
■ SiteMinder Test Tool
■ FIPS and IPv6
Apache 1.3.28 Web Server Installation Fails on HP-UX 11i (28327, 28302)
When you install the Apache 1.3.28 Web Server on HP-UX 11i, the installation program fails and issues a parsing error in the socket.h file during gmake. You can resolve this issue by doing one of the following:
■ Rename the types.h header file
■ Compile Apache using the native HP compiler
To rename the types.h header file
1. Rename the types.h header file that comes with the gcc installation to types.old.
Note: The file is located in /usr/local/lib/gcc-lib/hppa2.0n-hphpux11.00/3.2/include/sys
2. Move the types.h system header file from /usr/include/sys to that directory.
To compile Apache using the native HP compiler
1. Export and set the CC variable to the following: cc -Ae +O2
2. Run the Apache configuration script.
3. Run gmake.
Apache 2.0 Web Server and Servlet Exec 5.0 on HP-UX 11i (29517, 28446)
To use Apache 2.0 Web Server and Servlet Exec 5.0 on HP-UX 11i
1. Install Apache v1.3.x.
2. Run the Servlet Exec 5.0 AS installer against Apache 1.3.x.
The Servlet Exec AS Java instance is created.
3. Run Servlet Exec and Apache 1.3.x, and make sure you can run /servlet/TestServlet.
4. Shut down Apache 1.3.x, but leave Servlet Exec running.
5. Install HP-Apache v2.x from the .depot file.
Note: By default, this file is installed in the /opt/hpws/apache directory.
6. Modify the apxs script by changing:
$opt .= " -module -avoid-version $apr_ldflags
to
$opt .= " -rpath $CFG_LIBEXECDIR -module -avoid-version $apr_ldflags
The extra parameter indicates that the created library will be installed in $CFG_LIBEXECDIR.
Note: This script is located in the /opt/hpws/apache/bin directory.
7. Using anonymous FTP, access ftp://ftp.newatlanta.com/public/servletexec/4_2/patches/ and download mod_servletexec2.c.
8. Execute the following command:
apxs -n servletexec -i -a -c -D XP_UNIX -D APR_WANT_BYTEFUNC mod_servletexec2.c
9. Edit the httpd.conf file of your HP-Apache 2.x to contain the necessary Servlet Exec-specific directives.
Note: The directives are also present in the httpd.conf of your Apache 1.3.x if you let the Servlet Exec installer update the httpd.conf during installation. More information on editing the file exists in the SE 4.2 Installation Guide.
10. Start HP-Apache 2.x.
11. Test the Web Server with Servlet Exec by accessing /servlet/TestServlet.
Chapter 7: General Considerations
This section contains the following topics:
Application Objects Appear in the Policy Server User Interface (see page 41)
IdentityMinder Object Support in Policy Stores (29351) (see page 41)
NTLM Authentication Scheme Replaced by Windows Authentication Scheme
(see page 42)
Unsupported Features (see page 42)
System Management Limitations (see page 42)
Policy Server Limitations (see page 43)
User Directory Limitations (see page 47)
Perl Scripting Interface Limitations (see page 48)
Compatibility Limitations (see page 48)
Japanese Policy Server Limitations (see page 49)
Application Objects Appear in the Policy Server User Interface
If you are using Enterprise Policy Management in a 6.0 SP5 environment,
application-related objects you create using the Administrative UI also appear
in the Java applet-based Policy Server User Interface. Do not modify these
objects from the Policy Server User Interface. You should only modify
application-related objects using the Administrative UI.
IdentityMinder Object Support in Policy Stores (29351)
Policy Servers that have not been enabled for IdentityMinder cannot be
connected to policy stores that contain IdentityMinder objects. Policy Servers
that have been enabled for IdentityMinder 5.6 SP2 can be connected to r12
SP1 policy stores that contain IdentityMinder objects.
Note: For more information about configuring and deploying IdentityMinder,
see the IdentityMinder Web Edition Installation Guide.
NTLM Authentication Scheme Replaced by Windows Authentication Scheme
This release does not include an NTLM authentication scheme template. This
authentication scheme type has been replaced by the Windows Authentication
template. Support for NTLM authentication is now provided through the new
authentication scheme template.
Unsupported Features
The following features are not supported by SiteMinder:
■ Identity Manager roles
■ Cryptocard authentication scheme on Red Hat AS and HP-UX
■ SafeWord authentication scheme on Red Hat AS and HP-UX
■ TeleID authentication scheme on Red Hat AS and HP-UX
■ DMS on Red Hat AS and HP-UX
■ SiteMinder Test Tool on Red Hat AS and HP-UX
■ OCSP on Red Hat AS
■ Password services with Microsoft Active Directory Global Catalog
■ Enhanced LDAP referrals with Microsoft Active Directory Application Mode (ADAM)
■ Enhanced LDAP referrals with Novell eDirectory
■ Enhanced LDAP referrals with Oracle OID 9.0.4 (Oracle bug 3512354)
■ Enhanced LDAP referrals with Siemens DirX for binds. Enhanced referrals are supported only for searches and writes (that is, password services write referrals are supported); enhanced referrals for binds, and therefore for authentication, are not supported.
■ FIPS and IPv6 on the HP-UX Policy Server
System Management Limitations
The following system management limitations exist:
Pop-up Blockers May Interfere with Help
Certain pop-up blockers or Web browsers may prevent the Administrative UI
help window from opening. Many pop-up blockers allow the pop-up if you
press CTRL while you click the link. You can also set your Web browser to
allow pop-ups from the Administrative UI.
Registry Setting No Longer Required for Setting the Maximum Number of Connections (27442)
In previous versions of the Policy Server, two ODBC connections were created
for each Policy Server service. The following registry setting overrode the
default value and indicated the maximum total number of ODBC connections
created by the Policy Server for all services:
Netegrity\SiteMinder\CurrentVersion\Database\UserDirectoryConnections
For r12 SP1 Policy Servers, the maximum number of connections is
determined dynamically, based on five times the maximum number of threads
specified in the Policy Server Management Console. (See the Performance
group box of the Settings tab in the Management Console.)
If you are upgrading to the r12 SP1 Policy Server from a 5.x Policy Server,
remove the UserDirectoryConnections registry setting. If you do not, and the
value specified by the setting is less than the maximum number of threads
calculated by the Policy Server, your Policy Server logs will contain many error
messages. These messages will indicate that the value of the registry setting
overrides the maximum number of connections calculated by the Policy
Server.
Policy Server Limitations
The following Policy Server limitations exist:
Error Changing Long Password When Password Services is Enabled (26942)
If the Policy Server has Password Services enabled, changing the password may fail if the old password length exceeds 160 UTF-8 octets and the new password length exceeds 160 UTF-8 octets.
Submit Parent Realms Before Creating Sub-realms (72485)
To create a sub-realm in the Administrative UI, the parent realm must be submitted before the sub-realm is created. Attempting to create a sub-realm under a parent realm that has not yet been submitted fails and may cause the Administrative UI to return a "task pending" message.
To avoid this problem, ensure that sub-realms are created only under parent realms that already exist in the policy store.
Leading Spaces in User Password May Not Be Accepted (27619)
A user whose password includes leading spaces may not be able to authenticate under the following combination of circumstances:
■ The Policy Server is running on Solaris.
■ The password with leading spaces is stored in an LDAP user store.
Note: A password policy may or may not be enabled.
A related limitation has also been observed: when an administrator attempts to set a user's password with leading spaces using the Netscape LDAP Console, the console removes the spaces before storing the password (if the Policy Server Admin UI is used to set the password, the spaces are left intact).
Certificate Mappings Issue with Certain Policy Stores (27027, 30824, 29487)
Certificate mappings do not work when the IssuerDN field is longer than 57 characters for policy stores installed on the following directories:
■ Novell eDirectory
■ Active Directory
■ Critical Path
Handshake Errors with Shared Secret Rollover Enabled (27406)
In the Policy Server error log, you may see an occasional handshake error
related to the shared secret, followed by a successful connection. This may
occur if the shared secret rollover feature was enabled for the Web Agent
communicating with the Policy Server. This behavior is expected as part of a
normal shared secret rollover. You can ignore these errors.
Policy Servers Sharing Policy Store Not Updated Consistently (39844) (39837)
If you have a frequently updated policy store shared by multiple Policy Servers, not all of the Policy Servers are updated consistently. This is caused by the ServerCommand being deleted before all Policy Servers have had a chance to update their caches.
To fix this problem, increase the following DWORD registry setting:
SiteMinder\CurrentVersion\ObjectStore
Key: ServerCommandTimeDelay
Change the value to 10.
Internal Server Error When Using SecurID Forms Authentication Scheme (39664)
When using the SecurID forms authentication scheme, if users do not enter their passwords correctly during their initial login, they are not granted access to resources despite providing correct credentials in subsequent tries. The Policy Server presents users with an internal server error and these users must restart the Web browser to continue.
X.509 Client Certificate or Form Authentication Scheme Issue (39669)
The Policy Server's X.509 Client Certificate or Form authentication scheme is
not working properly when using an alternate FCC location.
Certain User Name Characters Cause Authentication or Authorization Problems (39832)
When the Policy Server is using an LDAP user store, users with characters such as &, *, \, and \\ in their user names are not authenticated and authorized properly. For example, the Policy Server does not authenticate or authorize these sample users:
■ use&r1
■ use*r2
■ use\r3
■ use\\r4
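Three of the four characters in this list (*, \ and \\) are ones that LDAP filter syntax treats specially, which makes the sample names a useful test set for any integration that builds its own LDAP searches around the Policy Server. The Python below is an added example, not SiteMinder code, and it does not claim to explain the limitation: the page does not say where inside the product the failure occurs, and & is not special in filter syntax at all. It shows the RFC 4515 escaping that makes such names match literally, plus a small matcher demonstrating what an unescaped * or \ does to a filter. The user names are the constructed samples from the note.

```python
"""RFC 4515 escaping for LDAP search filter values, exercised against the
sample user names in the note above. Added example, not SiteMinder code:
the page does not say where inside the Policy Server the failure occurs,
and '&' is not special in filter syntax, so this does not explain the
limitation. It shows what an unescaped '*' or backslash does to a filter,
and the escaping that makes a caller's own filters match such names
literally. SAMPLE_USERS are the constructed names from the release note."""
import re

# RFC 4515 section 3: these characters in an assertion value must be written
# as a backslash followed by two hex digits. Each input character is mapped
# once, so an already-present backslash is escaped rather than re-interpreted.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_HEX = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so that it matches literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(uid: str, attr: str = "uid") -> str:
    """Equality filter for a user name, safe for any characters in `uid`."""
    return f"({attr}={escape_filter_value(uid)})"


def _assertion_regex(filter_value: str) -> re.Pattern:
    """Interpret an assertion value the way a directory server does: an
    unescaped '*' is a substring wildcard, a backslash plus two hex digits is
    that literal byte, and a backslash not followed by two hex digits makes
    the whole filter invalid."""
    parts, i = [], 0
    while i < len(filter_value):
        ch = filter_value[i]
        if ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "\\":
            pair = filter_value[i + 1:i + 3]
            if len(pair) != 2 or not set(pair) <= _HEX:
                raise ValueError(f"invalid escape at offset {i} in {filter_value!r}")
            parts.append(re.escape(chr(int(pair, 16))))
            i += 3
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def assertion_matches(filter_value: str, stored: str) -> bool:
    """True if the stored attribute value satisfies the assertion value."""
    return _assertion_regex(filter_value).fullmatch(stored) is not None


def is_valid_assertion(filter_value: str) -> bool:
    """True if the assertion value parses; False for a bad backslash escape."""
    try:
        _assertion_regex(filter_value)
        return True
    except ValueError:
        return False


SAMPLE_USERS = ["use&r1", "use*r2", "use\\r3", "use\\\\r4"]  # from the note

if __name__ == "__main__":
    for uid in SAMPLE_USERS:
        print(f"{uid!r:12} raw valid={is_valid_assertion(uid)!s:5} "
              f"escaped filter {user_search_filter(uid)!r}")
    # An unescaped '*' matches other users; the escaped form does not.
    print(assertion_matches("use*r2", "useXYZr2"),
          assertion_matches(escape_filter_value("use*r2"), "useXYZr2"))
```

The two failure modes are different: use*r2 placed unescaped into a filter is a valid filter that matches any user whose name starts with use and ends with r2, whereas use\r3 and use\\r4 unescaped are not valid filters at all, since \r is not a hex escape. Either way the lookup does not return the intended user, which is the symptom the note describes.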
DEBUG Logging With SafeWord Authentication Causes Policy Server to Fail
(42222, 43051)
On Solaris, when resources are protected by SafeWord authentication schemes,
enabling DEBUG or ALL logging in the SmSWEC.cfg SafeWord configuration file
causes the Policy Server to fail. Do not enable DEBUG or ALL logging for
SafeWord authentication schemes. This applies to the SafeWord PremierAccess
server using protocol 200 or 201.
Active Directory Integration Enhancement For LDAP Namespace (43264, 42601)
This limitation relates to the following Active Directory feature introduced in
6.0 SP 2: "Enhanced User Account Management and Password Services Integration
with Active Directory (SM5504) (28460) (23347) (24047) (25816)".
When following the instructions in the section "Enabling Active Directory
Integration Enhancement", be aware that this feature is supported only for the
LDAP namespace, not for the AD namespace.
Policy Server Does Not Support Roll Over of RADIUS Log (44398) (43729) (42348)
The Policy Server cannot roll over the RADIUS log. Before the 6.0 release, you
could roll over the RADIUS log by running the smservauth -startlog command.
smnssetup Tool Deprecated (44964) (45908) (46489)
The smnssetup tool was removed from the distribution in 6.0 SP 4. Use the
Policy Server Configuration Wizard (ca-ps-config) instead to configure:
■ the OneView Monitor GUI
■ SNMP support
■ a policy store
The wizard gives you the option of using either a GUI or a console window.
For more information, see the Policy Server Installation Guide.
Policy Server Fails to Initialize Java Virtual Machine on Red Hat AS 3.0 (44649)
(44971)
On Red Hat Linux Enterprise AS 3.0 with Update 5, the Policy Server may fail
to initialize the Java Virtual Machine when running on a multi-processor
machine. As a result, the following SiteMinder functionality does not work:
■ Java authentication schemes
■ Java active rules, policies, and responses
■ SAML federation
This problem is caused by an incompatibility between the Sun JDK on Linux
and Red Hat's ExecShield, a kernel-based security feature that prevents code
from being executed out of data pages. A work-around is to disable ExecShield
in the Linux SMP kernel only. Be aware that noexec=off turns this protection
off for every process booted on that kernel, not just the Policy Server, so
weigh the loss of the mitigation before applying the change.
To decide whether you want to disable ExecShield, see Red Hat's "New Security
Enhancements in Red Hat Enterprise Linux v.3, update 3" at
http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf.
To disable ExecShield in the Linux SMP kernel only
1. In the /etc/grub.conf file, add the noexec=off kernel parameter to the SMP
kernel entry only. Kernel parameters are separated by spaces, so the parameter
must follow root=LABEL=/ as a separate token, as in the following example:
title Red Hat Enterprise Linux AS (2.4.21-32.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.4.21-32.ELsmp ro root=LABEL=/ noexec=off
initrd /initrd-2.4.21-32.ELsmp.img
2. Reboot the machine.
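Because noexec=off switches ExecShield off for every process booted on that kernel, it is worth confirming that only the SMP stanza carries it. The following Python is an added example for this page, not something shipped by CA or Red Hat: it parses the stanzas of a grub.conf and reports which kernels boot with the parameter. The sample configuration text is constructed to match the example above.

```python
# Added example (not from the release notes or Red Hat): report which grub.conf
# stanzas boot with noexec=off, to confirm the change is confined to the SMP kernel.
# SAMPLE_GRUB_CONF is a constructed file modelled on the example above.
from typing import Dict, List


def parse_grub_stanzas(text: str) -> Dict[str, Dict[str, object]]:
    """Map each 'title' stanza to its kernel image and command-line parameters.

    Global settings before the first title (default=, timeout=, ...) are ignored;
    '#' starts a comment.
    """
    stanzas: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("title"):
            current = line[len("title"):].strip()
            stanzas[current] = {"image": "", "params": []}
        elif current is not None and line.startswith("kernel"):
            parts = line.split()
            if len(parts) >= 2:
                # "kernel /vmlinuz-... ro root=LABEL=/ noexec=off": image, then parameters
                stanzas[current] = {"image": parts[1], "params": parts[2:]}
    return stanzas


def stanzas_with_noexec_off(text: str) -> List[str]:
    """Titles of the stanzas whose kernel line disables ExecShield."""
    return [title for title, stanza in parse_grub_stanzas(text).items()
            if "noexec=off" in stanza["params"]]


def only_smp_disables_exec_shield(text: str) -> bool:
    """True when noexec=off is present and every stanza carrying it boots an SMP kernel image."""
    stanzas = parse_grub_stanzas(text)
    hits = stanzas_with_noexec_off(text)
    return bool(hits) and all("smp" in str(stanzas[t]["image"]).lower() for t in hits)


# Constructed grub.conf with a uniprocessor and an SMP kernel; only the SMP entry has the parameter.
SAMPLE_GRUB_CONF = """\
default=0
timeout=10
title Red Hat Enterprise Linux AS (2.4.21-32.ELsmp)
        root (hd0,0)
        kernel /vmlinuz-2.4.21-32.ELsmp ro root=LABEL=/ noexec=off
        initrd /initrd-2.4.21-32.ELsmp.img
title Red Hat Enterprise Linux AS-up (2.4.21-32.EL)
        root (hd0,0)
        kernel /vmlinuz-2.4.21-32.EL ro root=LABEL=/
        initrd /initrd-2.4.21-32.EL.img
"""

if __name__ == "__main__":
    print("noexec=off set on:", stanzas_with_noexec_off(SAMPLE_GRUB_CONF))
    print("confined to SMP kernels:", only_smp_disables_exec_shield(SAMPLE_GRUB_CONF))
```

Run it against the real file with parse_grub_stanzas(open('/etc/grub.conf').read()). The parser treats root=LABEL=/noexec=off, with no space, as a single root= parameter, which is also how the kernel would read it, so it catches that particular typo.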
User Directory Limitations
The following user directory limitation exists:
ODBC User Store Failover
Given
A Policy Server on Solaris is configured to use two Oracle-based user stores:
one primary and one secondary.
Result
In the event of a network failure, the Policy Server may take as long as 8
minutes to fail over from the primary to the secondary user store.
Solution
Reduce this time by lowering the Solaris TCP setting tcp_ip_abort_interval,
which is expressed in milliseconds; its default of 480000 ms is the source of
the 8-minute delay. For example, ndd -set /dev/tcp tcp_ip_abort_interval
followed by the desired value changes it until the next reboot, so place the
command in a startup script to make it persistent. The setting applies to
every TCP connection on the host, so choose a value that your other
applications tolerate.
Perl Scripting Interface Limitations
The following Perl scripting interface limitations exist:
Perl use Statement for PolicyMgtAPI Must Come Before Use Statement for
AgentAPI (24755)
On Solaris, a core dump results if you call use for AgentAPI before you call use
for PolicyMgtAPI. If you are calling use for both modules, do so in the following
order:
■ use Netegrity::PolicyMgtAPI;
■ use Netegrity::AgentAPI;
Methods that Return Arrays May Return undef in a One-Element Array (28499)
With methods that return an array, undef should be returned if an error occurs
or there is nothing to return. However, these methods may incorrectly return a
one-element array with the first element set to undef.
Perl Scripting Interface and Multi-valued Agent Configuration Parameters
(37850)
The Perl Scripting Interface does not support setting multi-valued Agent
configuration parameters.
Compatibility Limitations
The following compatibility limitation exists:
Oracle Parallel Server and Oracle Real Application Clusters Not Supported
(27510)
The r12 SP1 Policy Server's Oracle wire protocol drivers do not support the
Oracle Parallel Server or Oracle Real Application Clusters.
Japanese Policy Server Limitations
The following Japanese Policy Server limitation exists:
Agent Shared Secrets are Limited to 175 Characters (30967, 28882)
A Shared Secret for a SiteMinder Agent in a Japanese operating system
environment may have no more than 175 characters.
Chapter 8: Known Issues
This section contains the following topics:
Searches for Large Number of Policy Objects (63721) (see page 52)
XPSExport Creates Read Only File (65035) (see page 52)
Windows LDAP Driver Version and FIPS/IPv6 Support (see page 53)
Trial Version of Policy Server Supports Only FIPS-compatibility and FIPS-migration Mode (64416) (see page 53)
Reports and SiteMinder Performance (see page 53)
IPv6 ODBC Data Sources (see page 54)
Searching CertSerialNumbers in a Custom Certificate Mapping Fails (59352)
(see page 54)
Users are Incorrectly Redirected after Receiving a New SecurID PIN (56738)
(see page 54)
Mixed Certificate-Based Authentication Schemes (27997) (see page 55)
Password Change Fails if UserDN Equal to or Greater than 1024 Characters
(52424) (see page 55)
Multi-mastered LDAP User Store Support Limitations (53677) (see page 55)
Policy Server Audit Logging Text File does not Audit Impersonator Events
(52235) (see page 55)
Passwords for User Accounts Stored in Active Directory cannot be Locked
(48125) (see page 56)
Testing SunOne Directory Server Connections on Windows (see page 56)
Linux Policy Server Does Not Delete Oracle Session Store Sessions (39143)
(see page 57)
Affiliate Domain Limitation When Upgrading 6.0 Policy Server on Japanese
System (46338) (45693) (see page 57)
Single Logout Services Log Errors if ODBC/SQLError Component Enabled
(41324) (see page 57)
Incompatible SiteMinder Releases for Federation Security Services (44790)
(see page 58)
Deleting Multiple Roles (72207) (see page 58)
Manually Create the webadapter.properties File (72353) (see page 59)
Edit the InfoCard.properties File for Unix Platforms (72698) (see page 60)
Netscape Issues (see page 61)
Oracle Issues (see page 62)
Policy Server Issues (see page 62)
Solaris Issues (see page 63)
Searches for Large Number of Policy Objects (63721)
When searching on a large number of policy objects in the Administrative UI,
the connection between the Administrative UI and the Policy Server may time
out and/or the Policy Server tunnel buffer may become corrupt. In such cases,
the Administrative UI displays a connection timeout error and no search
results are returned. To eliminate this problem, increase the Administrative
UI's Policy Server connection timeout and create a registry value that
enlarges the Policy Server tunnel buffer.
To adjust the Policy Server connection timeout
1. Log in to the Administrative UI.
2. Click Administration, Connections, UI, Modify Administration UI
Connection, Search to open the Policy Server connection object.
3. Select the appropriate Policy Server and click Submit.
4. Set the Timeout field in the Advanced section to a large value, such as
2,000 seconds.
The Policy Server connection timeout is now increased.
To create a registry value for the tunnel buffer size
1. Create the following Policy Server registry value:
HKLM\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\Max AdmComm Buffer Size
2. Set it to a large value, such as 5,910,496 bytes (0x5a2fe0).
3. Save the changes and exit the Registry Editor.
Note: Restart the Administrative UI if these symptoms persist after the
connection timeout and buffer size changes.
XPSExport Creates Read Only File (65035)
XPSExport creates read only output XML files, which XPSImport cannot use. To
correct this problem, change the permissions on the output XML file to
read/write before running XPSImport.
Windows LDAP Driver Version and FIPS/IPv6 Support
For the initial release of the SiteMinder r12 SP1 Policy Server, the Windows
LDAP directory drivers for policy stores and user stores have configuration
limitations related to IPv6 and FIPS 140:
■ The LDAP drivers do not support IPv6 connections. A Windows-based Policy
Server may be configured to service Agent IPv6 connections, but if it accesses
LDAP stores, the LDAP connections must be configured for IPv4.
■ When a Windows Policy Server is configured for FIPS-only operation and uses
LDAP over SSL for policy and user stores, it does not restrict that SSL
connection to FIPS-approved algorithms. FIPS-only mode therefore covers the
Policy Server's own cryptography but does not constrain the cipher suites
negotiated with the directory server.
Customers who must strictly observe all FIPS 140 algorithm restrictions may
modify the SSL configuration files accordingly and deploy FIPS-compliant
certificates.
Trial Version of Policy Server Supports Only FIPS-compatibility and FIPS-migration Mode (64416)
Problem:
A trial version of the SiteMinder Policy Server can operate in FIPS-compatibility
and FIPS-migration modes. Setting the Policy Server to FIPS-only mode causes it
to reject the trial license, because the license was encrypted with algorithms
that are not FIPS compliant.
Solution:
Ensure that the SiteMinder Policy Servers you want to migrate to FIPS-only
mode are using a valid (non-trial) SiteMinder license.
Reports and SiteMinder Performance
Under certain circumstances, running analysis and audit-based reports may
slow SiteMinder performance. We recommend analyzing the load patterns in
your environment to determine the best time to run reports.
IPv6 ODBC Data Sources
Do not use brackets around the IP address when using IPv6 ODBC data
sources or the connection fails.
Example: use fec0::9255:20c:29ff:fe47:8089 instead of
[fec0::9255:20c:29ff:fe47:8089]
Note: More information on IPv6-supported databases exists in the SiteMinder
Platform Support Matrix.
Searching CertSerialNumbers in a Custom Certificate
Mapping Fails (59352)
Problem:
(LDAP) By default, the Policy Server treats a CertSerialNumber as a string of
numbers separated by spaces. This behavior causes a custom certificate mapping
to fail if the user directory stores the CertSerialNumber as an unbroken
string, because the LDAP search the Policy Server issues contains spaces and
does not match the stored value, so the user lookup fails.
Solution:
Enable the NoSpacesInCertSerialNumbers registry setting. Enabling it causes the
Policy Server to treat certificate serial numbers as an unbroken string of
numbers for all serial number comparisons.
Location:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\NoSpacesInCertSerialNumbers
Values: 0 (disabled), 1 (enabled)
Default Value: 0
Users are Incorrectly Redirected after Receiving a New
SecurID PIN (56738)
(Windows 2003) After users receive a new PIN, they are incorrectly redirected
to a Diagnostic Information page that displays the following message:
"Security Protection Fault: Unknown AuthReason." This occurs for both
user-generated and system-generated PINs.
Mixed Certificate-Based Authentication Schemes (27997)
The following authentication schemes are affected by the value of the Web
Agent parameter for FCC Compatibility Mode (FCCCompatMode):
■ Certificate or HTML Forms
■ Certificate and HTML Forms
Note: More information on how FCC Compatibility Mode affects the listed
authentication schemes exists in the Web Agent Configuration Guide.
Password Change Fails if UserDN Equal to or Greater than
1024 Characters (52424)
A password change fails, and the user receives an error message asking them to
contact the Security Administrator or Help Desk, if the combined length of the
new password, the old password, and the user identity (which comprises the
user ID, client IP, and time stamp) is 1024 characters or more.
Multi-mastered LDAP User Store Support Limitations (53677)
The multi-mastered LDAP enhancement has the following limitations:
■ The Policy Server does not support multi-mastered LDAP directory servers
configured as policy stores.
■ The Policy Server only supports multi-mastered user stores in a backup
capacity. Since Password Services makes frequent writes to the user store,
you cannot simultaneously update user information in multiple master
instances. In addition, the LDAP implementation could produce out-of-date
information or data loss due to delayed replication.
■ Multi-mastered support does not extend to custom code such as custom
authentication schemes.
Policy Server Audit Logging Text File does not Audit
Impersonator Events (52235)
The text-file audit log does not record impersonator events. You can audit
impersonator events in either an Oracle or SQL Server database by creating the
SiteMinder schema for audit logs and using the database for audit logging. For
more information on creating the audit log schema and configuring the Policy
Server Management Console for audit logging using an Oracle or SQL Server
database, see the Policy Server Installation Guide.
Passwords for User Accounts Stored in Active Directory
cannot be Locked (48125)
SiteMinder continues to let users change their passwords when the “User
cannot change password" feature is enabled for the accounts.
Testing SunOne Directory Server Connections on Windows
Problem: You may experience problems testing a SunOne directory server
connection from the Policy Server Management Console if:
■ The machine that is hosting the Policy Server is also hosting the SunOne
LDAP store.
■ You are starting the Policy Server Management Console from a location
other than policy_server_home\bin, where policy_server_home is the Policy
Server installation path.
This problem occurs because multiple versions of the same LDAP SDK library,
nsldap32v50.dll, exist on the machine:
■ The Policy Server installer installs one version of the DLL to
policy_server_home\bin. This version of the DLL does not cause problems
when you test the connection.
■ SunOne installs another version of the DLL to the system directory, for
example C:\WinNT\system32. This version of the DLL may cause problems
when you test the connection.
Note: This DLL conflict does not affect Policy Server processes or any of the
SiteMinder command-line tools.
On Windows, when a process asks the operating system (OS) library loader for a
DLL by unqualified name, the loader searches the following locations in order:
1. The directory from which the process was launched
2. The current directory
3. The system directory, for example C:\WinNT\system32
4. The 16-bit system directory, for example C:\WinNT\system, and then the
Windows directory, for example C:\WinNT
5. The directories that are listed in the PATH environment variable
This is the legacy search order. When SafeDllSearchMode is enabled, which is
the default on Windows XP SP2, Windows Server 2003 and later, the current
directory is searched after the Windows directory rather than second. The
outcome described here is the same either way, because the system directory
precedes PATH in both orders.
Therefore, if you start the Policy Server Management Console from a location
other than policy_server_home\bin, the OS library loader loads the DLL from
the system directory, for example C:\WinNT\system32, which may cause
problems when you test the connection.
Solution: Start the Policy Server Management Console from the
policy_server_home\bin location.
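To see the effect of the search order described above, the following Python, an added example for this page rather than anything from the release notes, models that order over a throw-away directory tree standing in for policy_server_home\bin and C:\WinNT\system32 and reports which copy of nsldap32v50.dll would be loaded for each launch directory. The directory layout is constructed, the current directory is assumed to equal the launch directory, and policy_server_home\bin is assumed to be on PATH; the SafeDllSearchMode variant is included because it is the default on Windows Server 2003.

```python
# Added example (not SiteMinder code): model the Windows DLL search order over a
# throw-away directory tree to see which copy of nsldap32v50.dll is loaded from a
# given launch directory. Directory names are constructed; nothing is read from a
# live Windows machine.
import os
import shutil
import tempfile
from typing import Dict, List, Optional, Tuple


def search_order(launch_dir: str, current_dir: str, system_dir: str, system16_dir: str,
                 windows_dir: str, path_dirs: List[str], safe_dll_search_mode: bool) -> List[str]:
    """Directories in the order the loader consults them for an unqualified DLL name.

    Legacy order: launch dir, current dir, system dir, 16-bit system dir, Windows dir, PATH.
    With SafeDllSearchMode on (default since Windows XP SP2 / Server 2003) the current
    directory is consulted only after the Windows directory.
    """
    if safe_dll_search_mode:
        return [launch_dir, system_dir, system16_dir, windows_dir, current_dir] + list(path_dirs)
    return [launch_dir, current_dir, system_dir, system16_dir, windows_dir] + list(path_dirs)


def resolve_dll(dll_name: str, order: List[str]) -> Optional[str]:
    """Path of the first existing copy of dll_name along the search order, or None."""
    for directory in order:
        candidate = os.path.join(directory, dll_name)
        if os.path.isfile(candidate):
            return candidate
    return None


def demo(dll_name: str = "nsldap32v50.dll") -> Dict[Tuple[str, bool], Optional[str]]:
    """Recreate the situation in the notes: one copy in policy_server_home\\bin, one in system32."""
    root = tempfile.mkdtemp(prefix="dllorder-")
    try:
        ps_bin = os.path.join(root, "siteminder", "bin")       # policy_server_home\bin
        windows_dir = os.path.join(root, "WinNT")
        system_dir = os.path.join(windows_dir, "system32")     # where SunOne put its copy
        system16_dir = os.path.join(windows_dir, "system")
        elsewhere = os.path.join(root, "Documents")            # some other launch location
        for d in (ps_bin, system_dir, system16_dir, elsewhere):
            os.makedirs(d, exist_ok=True)
        for d in (ps_bin, system_dir):
            with open(os.path.join(d, dll_name), "w") as fh:
                fh.write("placeholder, not a real DLL\n")

        results: Dict[Tuple[str, bool], Optional[str]] = {}
        for label, launch in (("from_ps_bin", ps_bin), ("from_elsewhere", elsewhere)):
            for safe_mode in (False, True):
                # Assumes the installer added policy_server_home\bin to PATH; the current
                # directory is taken to be the launch directory.
                order = search_order(launch, launch, system_dir, system16_dir, windows_dir,
                                     [ps_bin], safe_mode)
                hit = resolve_dll(dll_name, order)
                results[(label, safe_mode)] = (os.path.relpath(hit, root).replace(os.sep, "/")
                                               if hit else None)
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for (label, safe_mode), path in demo().items():
        print(f"{label:<15} SafeDllSearchMode={safe_mode!s:<5} -> {path}")
```

Both orders give the same answer here: the system32 copy shadows the one on PATH unless the process is launched from policy_server_home\bin, which is exactly why the workaround is to start the console from that directory. The same precedence rules are what make the directory a process is launched from matter for any DLL it loads by unqualified name.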
Linux Policy Server Does Not Delete Oracle Session Store
Sessions (39143)
Problem:
A Linux Policy Server may not immediately delete sessions from an Oracle
session store when the idle timeout setting for the realm is reached.
Solution:
No action is required. The Policy Server begins deleting sessions shortly after
the idle timeout is reached. For example, if the idle timeout setting is 30
minutes, the Policy Server may begin deleting sessions at 45 minutes.
Affiliate Domain Limitation When Upgrading 6.0 Policy Server
on Japanese System (46338) (45693)
If you upgrade a 6.0 SP 1 or earlier Japanese Policy Server to r12 SP1, the
contents of any previous affiliate domain are not displayed in the FSS
Administrative UI.
Single Logout Services Log Errors if ODBC/SQLError
Component Enabled (41324)
If the ODBC/SQLError component is enabled in the Policy Server trace log,
Single Logout Services may cause the following errors to be written to the
trace log:
[13:42:44.0] [CSmDbODBC.cpp:189] [CSmDbConnectionODBC::MapResult] [] [][-1] [Microsoft] [ODBC]
This is normal and the data is ultimately written to the session server
database.
Incompatible SiteMinder Releases for Federation Security
Services (44790)
SiteMinder versions 6.0 SP 3/6.x QMR 3 and later configured as a SAML 1.x
consumer and the SAML Affiliate Agent 6.x QMR 3 and later are incompatible
with SiteMinder versions 6.0 SP 2/v6.x QMR 2 and earlier configured as a
SAML 1.x producer. The incompatibility is due to changes made in SiteMinder
6.0 SP 3/6.x QMR 3 to ensure conformance to the SAML specification based on
the PingID certification tests.
Deleting Multiple Roles (72207)
Problem:
Deleting multiple roles from an application sometimes results in a "Task failed"
message. This message means that one or more roles could not be removed
from the policy store. In this situation, there is no harm to the integrity of the
data in the policy store.
Solution:
To delete multiple roles, delete one role, submit the task for processing, and
wait for the task's completion before deleting another role.
Manually Create the webadapter.properties File (72353)
Problem:
The file webadapter.properties is not created in ServletExec's configuration
folder as expected. As a result, OneView Monitor does not work.
Solution:
After configuring OneView Monitor on an RHAS 4.0 platform with a supported
web server, manually create the webadapter.properties file in ServletExec's
configuration folder. The ServletExec adapter uses the properties in this file
to route HTTP requests from the web server to a ServletExec Application Server
(AS) instance.
The webadapter.properties file contains the following properties:
servletexec.aliasCheckInterval
Specifies a minimum number of seconds for the ServletExec adapter to
poll the ServletExec AS instance.
Note: Setting this property to a positive number ensures that the
ServletExec adapter polls the AS instance for the specified interval of time.
As a result, the adapter is automatically updated when the instance's web
application data is modified.
Examples:
servletexec.aliasCheckInterval=10
servletexec.aliasCheckInterval=-1
Use this value to disable polling.
instance_name
Specifies the name of a ServletExec AS instance.
servletexec.instance_name.hosts
Specifies one or more host names or IP addresses separated by commas.
Note: These are the hosts for which the specified ServletExec AS instance
is configured to process requests.
Examples:
servletexec.instance_name.hosts=www.abc.com:9090,www.ca.com
servletexec.instance_name.hosts=192.168.200.17,192.168.200.43:8000
servletexec.instance_name.hosts=all
The value all specifies that this ServletExec AS instance is configured to
process requests from all hosts.
servletexec.instance_name.instances
Specifies the IP address and port number of a ServletExec AS instance.
Note: This IP address and port number are used by the ServletExec
adapter when forwarding HTTP requests from the web server to the
specified ServletExec AS instance. Each instance must have a unique IP
address/port number pair.
Example:
servletexec.instance_name.instances=127.0.0.1:8888
This example uses the default IP address and port number.
servletexec.instance_name.pool-increment
Specifies the number of connections that can be added to the connection
pool when a connection is needed and the pool is empty.
Note: These connections are used by the ServletExec adapter to
communicate with the specified ServletExec AS instance.
Example:
servletexec.instance_name.pool-increment=5
servletexec.instance_name.pool-max-idle
Specifies the maximum number of idle connections that can be present in
the connection pool at any one time.
Note: This number applies to the connections that are used by the
ServletExec adapter to communicate with the specified ServletExec AS
instance.
Example:
servletexec.instance_name.pool-max-idle=10
Using the webadapter.properties file, the ServletExec adapter applies the
following algorithm to each HTTP request:
1.
Locate all ServletExec AS instances that are configured for the host
specified in the HTTP request.
2.
Find a match between the URL in the HTTP request and the .instances
property of one of the instances located in step 1.
3.
Forward the HTTP request to the resulting ServletExec AS instance.
Edit the InfoCard.properties File for Unix Platforms (72698)
Problem
File names are case-sensitive on UNIX platforms, and the InfoCard.properties
file refers to the forms credential collector file as infocard.fcc.
Solution
Change all instances of infocard.fcc to InfoCard.fcc in the InfoCard.properties
file.
Netscape Issues
The following Netscape issues exist:
Netscape 6.2.3 Browser Causes Unreadable Date in Time Dialog (27199)
On Solaris 2.9, if you run the FSS Administrative UI in a Netscape 6.2.3 Web
browser, the Effective Starting Date and Expiration Date fields in the Time
dialog show an unreadable date. To fix this problem, run the FSS Administrative
UI in a Netscape 7.0 browser. To access this dialog box, click the Set button
in the SiteMinder Policy dialog.
Netscape 6.2.3 Browser Causes Missing Attribute Types in Response Attribute
Editor (27214)
On Solaris 2.9, if you run the FSS Administrative UI in a Netscape 6.2.3 Web
browser, the Attribute drop-down menu in the SiteMinder Response Attribute
Editor dialog box lists only the WebAgent-HTTP-Header-Variable response
attribute type, although several choices should be offered. To fix this
problem, run the FSS Administrative UI in a Netscape 7.0 browser.
To access this dialog box
1. Select Edit > Create Response on the Domains tab.
2. Click Create.
Netscape Browser Causes Missing Attributes in SiteMinder Response Dialog
(44668, 44675)
On Red Hat Linux AS 3.0 and HP-UX 11i, if you run the FSS Administrative UI in
a Netscape 6 or 7 Web browser, attributes that you create do not appear in the
Attribute List on the SiteMinder Response dialog. To fix this problem, run the
FSS Administrative UI in a Microsoft Internet Explorer browser.
To access the SiteMinder Response dialog, create a response under a domain.
Oracle Issues
The following Oracle issues exist:
Administrative UI and Oracle Policy Store Objects (65782)
When you are using an Oracle policy store and you make changes to policy
store objects in the Administrative UI, the changes are effective immediately;
however, they may not be visible in the Administrative UI for up to 5 minutes.
SiteMinder Query Timeout and Oracle User Directories (68803)
The SiteMinder Query Timeout is not supported when the Policy Server is
connected to an Oracle user directory. You may encounter this limitation when
the Oracle response time is very slow.
Policy Server Issues
The following Policy Server issues exist:
Policy Server May Fail to Start due to a Dynamically Updated system_odbc.ini
File (55265)
Problem: (HP-UX and Linux only) The Policy Server may fail to start
because the system_odbc.ini file is dynamically updated.
Solution: After the Policy Server installation, make the file read-only.
Policy Server Installer Lists an Unsupported Operating System (55924)
The Policy Server installer lists Linux Advanced Server 2.1 as a supported
operating system. Linux Advanced Server 2.1 is not supported.
Policy Server Ignores all Response Attributes with NULL Values (70010)
The Policy Server ignores all response attributes with NULL values and does
not send response attributes with NULL values to Web Agents.
Solaris Issues
The following Solaris issues exist:
Password Screen does not Prompt for Multiple SafeWord Authenticators (56766)
(Solaris 9) Users are unable to access protected resources when a SafeWord
authentication scheme requires both fixed and token-based authenticators.
The password screen only prompts users for one authenticator. Therefore, the
user is unable to provide both types of credentials and cannot access the
protected resource.
Federation Encryption Issue with JCE on Solaris (71293)
Problem: There is an issue with the Java Cryptography Extension (JCE) and
Federation Security Services encryption when a Federation Security Services
Policy Server on Solaris is using JRE 1.5.0_12. When the Policy Server is
acting as an IdP, SAML assertion encryption may fail. If the Policy Server is
acting as an SP, SAML assertion decryption may fail.
Solution: Modify the java.security file in jre_root/lib/security so that the
sun.security.provider.Sun provider is registered as the first provider
(security.provider.1).
Note: Other supported platforms with later versions of Java may also exhibit
this problem. Apply the same solution.
Chapter 9: Defects Fixed in SiteMinder Releases
This section contains the following topics:
Defects Fixed for r12 SP1 (see page 65)
Defects Fixed for r12 SP1
SiteMinder r12 SP1 contains the following fixes:
Policy Server Fails to Recover Policy Store Connection (64563)
Symptom:
The Policy Server fails to recover connections to the policy store after a
network failure.
Solution:
This is no longer an issue.
Nested Realms with the Same Name Causes an Error (65698)
Symptom:
Creating nested realms with the same name under the same parent domain
results in the following error: "Duplicate value of attribute." This error also
presents itself during an upgrade if existing nested realms under the same
parent domain have the same name.
Solution:
This is no longer an issue. Nested realms with the same name under the same
parent domain do not result in an error.
Granular Import Options for XPSImport Fail for an ADAM/Active Directory Policy
Store (65758)
Symptom:
While trying to run XPSImport with an ADAM or Active Directory policy store,
objects were not properly imported or updated using the XPSImport
ADD/OVERLAY/REPLACE options.
Solution:
This is no longer an issue. The ADD/OVERLAY/REPLACE options properly
import or update policy store objects in an ADAM or Active Directory policy
store.
RADIUS Response Attributes Fail to Save (65534)
Symptom:
Response attributes cannot be saved for a response being protected by a
RADIUS agent.
Solution:
This is no longer an issue.
Non-fatal Errors appear in the Administrative UI Installation Log
Symptom:
Non-fatal errors appear in the Administrative UI installation log.
Solution:
This is no longer an issue. Non-fatal error messages do not appear in the
Administrative UI installation log.
Solaris Reports Fail to Build (65951)
Symptom:
If the Policy Server is installed on a supported Solaris system, the Users by
Resource and Resources by User reports fail to return valid information.
Solution:
This is no longer an issue. Both reports return valid information, regardless of
the platform to which the Policy Server is installed.
Applications do not Support Multiple Roles (66460)
Symptom:
You cannot modify an application to include multiple roles.
Solution:
This is no longer a problem. An application can include more than one role.
Policy Administrators cannot select User Directories (66008)
Symptom:
Administrators restricted to policy administration cannot select user directories
when creating a policy.
Solution:
This is no longer a problem. A policy administrator may select user directories
when creating a policy.
Domain Administrators cannot select Authentication Schemes (65665)
Symptom:
Administrators restricted to domain administration cannot select
authentication schemes when creating a realm.
Solution:
This is no longer a problem. A domain administrator may select authentication
schemes when creating a realm.
Security Scopes do not appear for Security Category (65724)
Symptom:
When creating an Administrative UI administrator, you are unable to specify
security scopes for the respective security category. The Select object scope
screen does not display the valid domains or applications for the security
category.
Solution:
This is no longer a problem. The appropriate domains or applications appear
when attempting to assign a security scope to a security category.
Report Server Installer does not Check Space Requirement (65044)
Valid on UNIX only.
Symptom:
The Report Server installer does not check the available size in /opt to
determine if there is enough space to successfully complete the installation.
Rather, the installation completes with errors.
Solution:
The Report Server installer checks the available size in /opt. If the space
requirement is not met, the installer prompts users to quit the installation and
to make more space available before continuing.
Role Descriptions are not Saved (66274)
Symptom:
You cannot save a description when creating a role.
Solution:
This is no longer an issue.
Upgrade SMDIFs missing a SAML 1.x Single Sign-on Property
Symptom:
In 6.0 SP5 CR 04, a new property was added to the smpolicy.smdif file to
support the use of redirect URLs for SAML 1.x single sign-on; however, this
property was not included in the upgrade SMDIF files. As a result, federated
environments were required to re-import smpolicy.smdif after upgrading the
policy store to capture the property.
Solution:
This is no longer an issue. The upgrade SMDIF files now include the property
that supports the use of redirect URLs for SAML 1.x single sign-on.
Re-importing smpolicy.smdif is not required after upgrading a policy store to
r12 SP1.
Chapter 10: International Support
An internationalized product is an English product that runs correctly on local
language versions of the required operating system and required third-party
products, and supports local language data for input and output.
Internationalized products also support the ability to specify local language
conventions for date, time, currency and number formats.
A translated product (sometimes referred to as a localized product) is an
internationalized product that includes local language support for the product's
user interface, online help and other documentation, as well as local language
default settings for date, time, currency, and number formats.
In addition to the English release of this product, SiteMinder supports only
those languages listed in the following table.
Language               Internationalized   Translated
Brazilian-Portuguese   Yes                 No
Chinese (Simplified)   Yes                 No
Chinese (Traditional)  Yes                 No
Czech                  Yes                 No
Danish                 Yes                 No
Dutch                  Yes                 No
Finnish                Yes                 No
French                 Yes                 No
German                 Yes                 No
Greek                  Yes                 No
Hungarian              Yes                 No
Italian                Yes                 No
Japanese               Yes                 No
Korean                 Yes                 No
Norwegian              Yes                 No
Polish                 Yes                 No
Russian                Yes                 No
Spanish                Yes                 No
Swedish                Yes                 No
Turkish                Yes                 No
Note: If you run the product in a language environment not listed in the table,
you may experience problems.
Chapter 11: Documentation
This section contains the following topics:
Guide Names (see page 71)
SiteMinder Bookshelf (see page 72)
Release Numbers on Documentation (see page 72)
Guide Names
The names of the SiteMinder guides are as follows:
Guide
Policy Server Release Notes
Web Agent Release Notes
SDK Release Notes
API Reference Guide for Java
Programming Guide for Java
API Reference Guide for C
Programming Guide for Perl
SDK Overview Guide
Policy Server Installation Guide
Upgrade Guide
Policy Server Configuration Guide
Policy Server Administration Guide
Web Agent Installation Guide
Web Agent Configuration Guide
Web Agent Option Pack Guide
Federation Security Services Guide
Federation Security Services Release Notes
SAML Affiliate Agent Release Notes
SAML Affiliate Agent Guide
Directory Configuration Guide
To view PDF files, you must download and install Adobe Reader from the
Adobe web site if it is not already installed on your computer.
SiteMinder Bookshelf
You can find complete information about SiteMinder by installing the
SiteMinder bookshelf. The SiteMinder bookshelf lets you:
■ Use a single console to view all documents published for SiteMinder.
■ Use a single alphabetical index to find a topic in any document.
■ Search all documents for one or more words.
SiteMinder product documentation is installed separately. We recommend that
you install the documentation before beginning the installation process.
Documentation installation programs are available for download from the CA
Technical Support site.
Release Numbers on Documentation
The release number on the title page of a document might not correspond to
the current product release number; however, all documentation delivered
with the product, regardless of release number on the title page, will support
your use of the current product release.
The release number changes only when a significant portion of a document
changes to support a new or updated product release. If no substantive
changes are made to a document, the release number does not change. For
example, a document for r12 may still be valid for r12 SP1. Documentation
bookshelves always reflect the current product release number.
Occasionally, we must update documentation outside of a new or updated
release. To indicate a minor change to the documentation that does not
invalidate it for any releases that it supports, we update the edition number on
the cover page. First editions do not have an edition number.