CA Access Control 12.6 FIXLIST - CA Technologies
{{search ? 'Close':'Search'}}

CA Access Control 12.6 FIXLIST

All Service Packs are accumulated therefore fixes included in previous releases are not mentioned in the FIXLIST

Last Updated: March 13, 2012

No. Severity Module Problem summary Package OS Cause of the problem Conditions Solution or workaround Reproduction steps Problem ID Test Fix ID / Published ID
1 3 Unix endpoint user mode Fixes an issue with Access Control where running secons -s by a non administrator user generates a shutdown deny audit log AC1263186 Unix all            
2 3 Unix endpoint user mode Fixes an issue with Access Control where if the login sequence is set with SGRPS, SGID will turn on the login trigger for SGRPS. AC1263240 Unix all         1444 T243595
3 2 Windows endpoint user mode Fixes an issue with Access Control on Windows where authenticated user accounts are displayed instead of native account only. AC1263273 Windows all      
  1. Launch ENTM
  2. Create Windows 7 Endpoint
  3. Configure a windows service with a native user
  4. Run service account discovery wizard
  5. Only native user accounts should display
   
4 3 Unix endpoint user mode Fixes an issue with Access Control on HPUX where an incorrect message appears, indicating that the password length exceeds the maximum defined length in tcb after you set the maximum length to 0. AC1263274 HPUX         1553 T243710
T243711
5 3 Unix endpoint user mode Fixes an issue with Access Control on AIX where the serevu utility sent repeated messages concerning multiple root failed login attempts. AC1263276 Unix all   In case that root makes failed login attempt for more than 3 times The solution is after we print the warning message about root, we should also reset the failed counter for root.
  1. install AC endpoint
  2. in seos.ini change the tokens as per shown below:
    serevu_use_pam_seos
  3. failed_login_file = /opt/CA/AccessControl/log/pam_seos_failed_logins.log
  4. use these two tokens and then make failed login 3 times for root.
    And then check /opt/CA/AccessControl/log/pam_seos_failed_logins.log, if root is on the file, then you should get the syslog.
  5. Now try to login as root with wrong password.
  6. now try to see the syslog file which should contain only 1 warning message for root wrong password.
1552 T243709
6 3 Unix endpoint user mode Fixes an issue with Access Control on HPUX when seos.audit is corrupted, selogrd or seaudit send multiple error messages to the syslog . AC1263279 Unix all When seos.audit is corrupted selogrd or seaudit may send lots of error message to syslog. the error message for every record that is corrupted.   The fix here is if the offset is consecutive, there is no need to send the error message over and over. run selogrd and seaudit. If there is no problem in seaudit or selogrd, then it works    
For example, if offset 1,2,3,4 and so on are corrupted, we send the message to syslog for 1,2,3,4…
7 3 Unix endpoint user mode Fixes an issue with Audit filtering for HOST record that does not work properly if a program name is specified. AC1263292 Unix all     The HOST record should be filtered by program name only if /usr/sbin/sshd is specified
  1. activate HOST class
    AC> so class+(HOST)
  2. modify HOST _default for auditing
    AC> er host _default audit(a)
    AC> auth host _default service(*) acc(a)
  3. login by ssh
    # ssh 0
  4. check audit log
    # seaudit -a -s today
    08 Dec 2010 17:36:03 P HOST ssh 180 3 localhost.localdomain /usr/sbin/sshd
    08 Dec 2010 17:36:04 P LOGIN root 59 2 localhost.localdomain SSH
    both host and login audit logs are recorded. this is expected.
  5. stop AC
    # secons -s
  6. add HOST filter with <program-path> in audit.cfg
    HOST;*;*;/tmp/aaa;*;P
    * <program-path> can be anything
  7. start AC
    # seload
  8. repeat step 3 and 4
    08 Dec 2010 17:38:45 P LOGIN root 59 2 localhost.localdomain SSH
    only login audit log is recorded. This is not expected since host audit record filter should not applied for different program path (/tmp/aaa vs /usr/sbin/sshd).
   
8 2 Windows endpoint user mode Fixes an issue with Access Control on Windows where caption label overlap in Review Settings screen occurred. AC1263319 Windows all      
  1. Launch AC Runtime SDK install from Product Explorer.
  2. Scroll through all the sections providing proper inputs.
  3. In Review Settings screen, found caption labels overlap.

Actual Result:
Found caption label overlap in Review Settings screen.

Expected Result:
There should not be any overlap of labels.

   
9 3 Windows endpoint user mode Fixes an issue with Access Control on Windows when you export rules from PMDB as local directory, the join command appears twice. AC1263325 Windows all      
  1. create a pmdb
    selang
    env pmd
    createpmd pmdb1@localhost
    q
  2. create join a native user to a group in the pmdb
    selang
    host pmdb1@
    nu testuser
    ng testgroup
    join testuser group(testgroup)
    q
  3. export pmdb
    secons -s
    cd .datapmdb1
    dbmgr -e -l
  4. verify multiple join command not appear. Before this fix it was:
    env nat
    join ("testuser") group('testgroup')
    env nat
    join ("testuser") group('testgroup')
501 T4CC099
10 2 WebGUI Fixes an issue with Access Control on Windows where the displayed value of the "Full name" field in the Endpoint AC1263337 All      
  1. Prepare Windows box (2003 or 2008)
  2. Install AC12.5 SP2, 3rd party products and 12.5SP2 Endpoint Management
  3. create new native user from "Users" <- "Users" and Groups" <- "Computer Management" <- "Administrative Tools" as below.
    User name: TEST01
    Full name: TEST01 FULLNAME
    Description: TEST01 DESC
    Password: Password01
    Confirm password: Paaword01
  4. Start Internet explorer and connect to Endpoint Management
  5. select "Users" tab
  6. click "Go"
  7. click *TEST01
  8. select "Native" tab
  9. You can confirm "TEST01" instead of "TEST01 FULLNAME" is displayed in "full name" field.
   
Management UI, is not equal to the value of the user properties screen of the native users.
11 2 Unix endpoint user mode Fixes an issue with Access Control on Solaris where the ReportAgent terminated unexpectedly. AC1263345 All         1557 T4B9063 (Solaris)
T4B9065 (HPUX)
T4B9066 (HPUX IA64)
T4B9067 (LINUX)
T4B9068 (LINUX x64)
T4B9069 (AIX)
T4B9070 (Windows x86)
T4B9071 (Windows x64)
12 3 Unix endpoint user mode Fixes an issue with Access Control on Solaris that causes a significant degradation in system performance. AC1263407 Unix all            
13 3 WebGUI Fixes an issue with PUPM where privileged accounts search with more than one criteria specified, does not display search results. AC1263412 All            
14 3 WebGUI Fixes an issue with Access Control on Windows where the Endpoint Management UI displayed an incorrect time format. AC1263418 All         38 T5P0034
15 3 Unix endpoint user mode Solved an issue with Access Control on Linux where after a user logs out, the user remains in another session (ssh) loose its ACEE. As a result, Access Control policies no longer work for the Access Control user. AC1263421 LINUX         1560 T4CC101
16 3 WebGUI Fixes an issue with PUPM where the valid until date in the CA Service Desk ticket request changed, causing failure to send the privileged account password request. AC1263423 All            
17 3 Windows endpoint user mode Fixes an issue with Access Control on Windows where exporting rules that includes the native join command, results in failure. AC1263426 Windows all         504 T4CC100
18 3 Windows endpoint user mode Fixes an issue with Access Control on Windows where the segrace command does not display grace count and password expiration dates. AC1263471 Windows all            
19 2 Unix endpoint user mode Fixes an issue with Access Control for UNIX where the Keyboard Logger audit file (kbl.audit%7D is not a member of the audit group that Access Control defines during the installation. As a result, users that are not members of the Keyboard Logger group cannot access the kbl.audit file. AC1263514 Unix all            
20 2 WebGUI Fixes an issue with Access Control on Windows, where if the expiration date and time of an approved privileged account request that the user checked out overlaps with the server down time, the automatic deletion AC1263518 All            
of privileged account exception is stopped
21 2 WebGUI Fixes an issue with PUPM where the password policy days checkbox is disabled. AC1263533 All            
22 3 WebGUI Fixes an issue with PUPM where the sort option in the My Privileged Accounts screen did not work. AC1263563 All      
  1. My Privileged Account List
  2. sort by Endpoint Name tab and Endpoint
  3. sort is not working
43 T5P0038
23 3 Unix endpoint user mode Improves AC audit filtering and allows INCLUDE and EXCLUDErules in config file. AC1263570 Unix all      
  1. Enable KBL
  2. create AC user audit(A)
  3. start AC
  4. login as test user, perform some activity
  5. Stop AC
  6. check kbl.auit saved trace records (seaudit -tr)
  7. Clean log directory
  8. edit <AC_dir>/etc/kblaudit.cfg like this
    [EXCLUDE]
    TRACE;*;*;*;*;*;*;*seos.ini*
    [INCLUDE]
    TRACE;*;*;*;*;*;*;*uname*
  9. Start AC
  10. Perform steps 4 - 6
    EXPECT: kbl.audit keeps records accordingly to filter rules
   
24 2 Unix endpoint user mode Solves an issue with UNAB, where thread-enabled version of libsqlite3.a was used for the nss_uxauth module. A non-threaded SQLite3 library was built and used for linking the nss_uxauth module AC1263599 LINUX thread-enabled version of libsqlite3.a used for the nss_uxauth module   To resolve the problem a non-threaded SQLite3 library was built and used for linking the nss_uxauth module   1574 T243736
25 3 Unix endpoint user mode Fixes an issue with Access Control where the seadmapi.a library was missing several UNAB API symbols that caused a linkage error AC1263664 Unix all seadmapi.a library was missing some UNAB API symbols which caused this linkage error   Added UNAB API objects and others to resolve unresolved symbols and their dependencies cd /opt/CA/AccessControl/apisamples/passwd    
gmake SOLARIS (or any other platform)
In general this can happen with other apisamples which link with 'seadmapi.a'.
26 2 Windows endpoint user mode Solves an issue with Access Control on Windows where the PMDB did not save PMDB history for native user accounts. AC1263724 Windows all PMDB synchronized subscribers don't get password history for native user. It means that when you created native user with password in MASTER pmdb, you can't login with this password after propagation.    
  1. install AC and create pmd as pmd1
  2. create native user with password in PMDB.
    eu pmdusr01 password(eTrust01)
  3. add subscriber with -n option as synchronize mode.
  4. check error log on PMDB. And then you can find fail to create the user at OS on subscriber.

Notes:

  1. You need to enable bi-directional password encryption to propagate password to new subscribers.
    > so password(rules(bidirectional))
  2. In case the target endpoint has native password policy that disallows creating users without password, an error will appear in the PMD error log. It does not mean the password is not propagated successfully
   
When add subscriber as synchronize mode, -n, native user on PMDB cannot deliver
to subscriber on Windows node as following error.
ERROR: Failed create USER acadmin
ERROR: failed to add NT Network user: Windows Error Code=2245...
 
 
 
 
 
27 2 Windows endpoint user mode Added the ability to assign new endpoints to a hostgroup according to hostnamecriteria, automatically. AC1263796 Windows all      
  1. Run the er GHNODE command on ENTM setting the criteria
  2. on endpoints matching that criteria execute the command
    dmsmgr -config -endpoint
    dmsmgr -config -dhname DH__@entmname
  3. start AC on the endpoint
  4. Once policyfetcher executes successfully on the endpoint these hosts must appear in the GNODE created with that criteria
   
28 3 Unix endpoint user mode Fixes an issue with Access Control on HPUX, even when token Undef_ForPacl is set to 0, undefined user in AC is checked for file access with UACC but PACL with uid(*). undefined user in AC should be checked by PACL with uid(*). AC1263824 Unix all      
  1. Set these tokens in Seos.ini
    osuser_enabled = no
    create_user_in_db = no
    Undef_ForPacl = 0
  2. Start AC
  3. Login to Selang
    AC>env native
    AC(native)>eu user1 password(user1)
    AC>nr file /tmp/filetest defacc(n) audit(all) owner(nobody)
    AC>auth file /tmp/filetest uid(*) via(pgm(/usr/bin/vi))
  4. Login as user1 and try opening the file and file opens for read only.
  5. Stop AC change the token to Undef_ForPacl = 1 and start again.
  6. Now try opening the file "Permission is denied"
    Hence Undef_ForPacl = 0, user1 is allowed with PACL and Undef_ForPacl = 1 UACC denies the file access.
   
29 3 Unix endpoint user mode Fixes an issue with Access Control on Solaris, where the upgrade process creates an incorrect link to backed up lib if the libsnmp.so.125.0.preTestFix is located in the lib directory AC1263889 Unix all            
30 3 WebGUI Fixes an issue with PUPM where password change did not occur. AC1263916 All One event or more was failed but it was recorded on the parent event   Adding more information on the VST event regarding the endpoint name and account name      
31 3 Unix endpoint user mode Fixes an issue with Access Control where the host name mask address was incorrectly interpreted. AC1263935 Unix all         1599 T243766 (Linux x86)
T243767 (Linux x64)
32 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX, where the IP address is resolved locally, but not in the DNS. This caused Access Control to stall while waiting for the DNS to resolve the IP address. AC1263944 Unix all         1600 T243768
33 3 Unix endpoint user mode Added possibility to modify and reload audit filter without recycling AC. AC1263957 Unix all The AC currently reads audit filter configuration just once on startup   new "secons" option to make seosd to reload audit filter.      
34 2 WebGUI Fixes an issue with PUPM where the endpoint column size in the database could not contain the full DN of the endpoint. AC1263972 All       Create multiple endpoint by long name and with the same account manager 56 T5P0047
The column size in the database exceed it's size limit
35 3 Unix endpoint user mode Fixes an issue with Access Control for UNIX, where after upgrade, existing policy were deleted in case it included single quote in it AC1263986 Unix all            
36 2 Unix endpoint user mode Fixes an issue with UNAB, where If a user creates a computer object for the Unix client machine using Active Directory management tool (MMC), that object can not be programmatically extensible and any software that attempts to update it via LDAP will fail. AC1263987 Unix all            
37 3 Unix endpoint user mode Removes port 445 (Microsoft-ds) because UNAB does not use that port so no need to check it or report about it AC1264000 Unix all            
38 3 Unix endpoint user mode sepmd -e does not print error list on x64 AC1264003 LINUX-X64 Fixes an issue with Access Control on UNIX, where the sepmd -e command does not display the error list on x64 platform sepmd 64 bit binary  
  1. install AC12.5 SP3 x64 version on RHEL
  2. create PMDB0 as parent pmd
  3. set parent_pmd token as PMDB0@^=host name=^
  4. subscribe AC endpoint to PMDB0 # sepmd -s PMDB0 ^=host name=^
  5. start selang and connect to PMDB0 # selang AC=^ host PMDB0@ AC=^ eu TEST owner(testuser) (PMDB0@localhost) ERROR: Failed to fetch data for USER/GROUP testuser AC=^ exit *note: testuser is not existed on AC/PMDB to get above error purposely
  6. check PMDB0 error information as below # cd /^=AC-install-dir=^/policies/PMDB0 # ls -l ERR* -rw- 1 root root 235 May 10 11:11 ERROR_LOG * looks some data are written, but # sepmd -e PMDB0 CA Access Control sepmd v12.53.0.1517 - Policy Model management Copyright (c) 2010 CA. All rights reserved. * not shown any error
   
39 3 Unix endpoint user mode Added Japanese support for the keyboard logger records. AC1264019 Unix all Non ascii code is skipped. A command include Japanese  
  1. enable KBL
  2. create user user01 both AC and native from selang with audit(logins, loginf, f, interact)
  3. login TEST user
  4. enter command "mkdir /tmp/TESUTO # TESUTO: Japanese Kana characters
  5. enter command "mkdir /tmp/TESUTO/aaa" Confirm KBL output by "seaudit -kill -sid ^=nnn=^ -cmd".
    The output shows as below. 14 Sep 2010 11:29:38 P TRACE user01 4c8edc26:0000014e konsh01 KBL input rhel54-54 3337 XX: SessionCmd: mkdir /tmp/ 14 Sep 2010 11:30:00 P TRACE user01 4c8edc26:0000014e user01 KBL input rhel54-54 3337 XX: SessionCmd: mkdir /tmp//aaa XX: Kanji characters that stand for information.
   
40 3 Unix endpoint user mode Added a check for UNAB of sshd version on AIX for known problems AC1264023 AIX sshd v.5.4p1 supplied by IBM does not work properly with AIX security subsystem preventing logon of a valid AD user    
  1. set up a new AD user who is allowed to log in by UNAB.
  2. try to log in via ssh
  3. logon fails and depending on whether NIS is used one can or cannot log in via ssh later on (with NIS used, /etc./security/lastlog is not updated)
   
41 3 Unix endpoint user mode Enhanced support.sh to collect PMD policies AC1264024 Unix all            
42 3 Windows endpoint user mode Fixes an issue with Access Control on Windows, where audit records were not filtered in the audit.cfg file. AC1264025 Windows all access type "kill" is ignored.   Use '*' for access type of PROCESS

AC 12.5 SP4 / W2K8

  1. try to kill lsass.exe =^ taskkill /im lsass.exe -=^ this is denied as expected
  2. see audit log 20 May 2011 17:39:34 D PROCESS W2K8-X64Administrator Kill 601 10 c:w Windowssystem32lsass.exe C:Windowssystem32taskkill.exe
  3. stop AC and add following filter in audit.cfg and restart AC PROCESS;c:windowssystem32lsass.exe;*;*;Kill;D
  4. step 1-2 again [expected result] audit log of kill is filtered. [actual result] audit log of kill is not filtered. The audit log can be filtered if access type is changed to '*'. PROCESS;c:windowssystem32lsass.exe;*;*;*;D The access type of 'Kill' is described in Reference Guide.
   
43 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX, where Access Control does not start after upgrade because of ???_updates files in a PMDB. AC1264035 Unix all libacdki.so is already removed when upgrade fail due to existence of ???_updates file in a PMDB. . upgrade fails due to existence of ???_updates file in a PMDB.  
  1. Create PMDB.
  2. Create "hostname_updates" file in PMDB directory. eg) [ACDir]/policies/PMDB/aaa_updates ==^ This file can be a dummy.
  3. Run install_base. ==^ This is aborted with below message(=expected).

    -- You are still updating this subscriber: aaa. You must finish updating this subscriber before upgrading, or you will lose this update. Note: You can use the -force flag to upgrade anyway.
  4. Cannot start AC by seload. # seload CA Access Control seload v12.53.0.1517 - Loader Utility Copyright (c) 2010 CA. All rights reserved. The token SEOS_syscall.LINUX_SeOS_Syscall_number, now set to '300'. CA Access Control system call is not loaded. ERROR: Timeout waiting for CA Access Control daemon. CA Access Control system call is not loaded
   
44 3 Unix endpoint user mode Fixes an issue with UNAB, where starting UNAB generated a code file for the ReportAgent. AC1264045 Unix all When one runs /opt/CA/AccessControlShared/bin/ReportAgent -debug 0 -task 3 -nowon a SELinux system which prevents 'eac_irapi.so' from loading due to text relocation restrictions a core is dumped due to missing exception handler    
  1. Install UNAB in default location.
  2. Run uxpreinstall, Register and activate.
  3. Now go to the following location /opt/CA/AccessControlShared/lbin, and configure the report agent as shown below:
    ./report_agent.sh config -server 10.130.229.26 -proto ssl -port 7243 -queue queue/snapshot -audit
  4. Now confirm the settings and restart the UNAB daemons.
    NOTE: As the report agent is configured restarting UNAB will also start Report Agent.
  5. Kill the report agent
  6. cd /opt/CA/AccessControlShared/bin
  7. Set the Acuxch key
  8. ./ReportAgent -debug 0 -now
   
45 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX, where so class(file) flags+(w) does not catch syntax error AC1264047 Unix all so class(file) flags+(w) fails to return syntax error execute so class(file) flags+(w)   AC=^ so list | grep FILE FILE : Yes AC=^ so cwarnlist (localhost) Data for CA Access Control options ^=empty=^ AC=^ so class(file) flags+(w) -=^ NO ERROR (localhost) AC=^ so cwarnlist (localhost) Data for CA Access Control options -- ^=still empty=^    
46 3 Windows endpoint user mode Fixes an issue with Access Control for Windows, where the Japanese audit record "Successfully subscribed" was garbled AC1264048 Windows all Audit record "Successfully subscribed" was not written in UTF8 in pmd.auidt AC is installed Japanese system.  
  1. Create PMDB
  2. Add the subscriber =^ subs pmdb subs(subscriber)
  3. Check pmd.audit =^ seaudit -a -fn pmd.audit 4. You will see code 338 is garbled.
    It doesn't happen in English seos.msg. 24 May 2011 17:00:10 S UPDATE PMD SECV6Administrator 338 10 pmd1 secv6 host pmd1 ??TuXNCu??B
   
47 3 Windows endpoint user mode Fixes an issue with Access Control on Windows, where segraceW fail to work from remote host following a "can not connect to AC database" message, although the defenc.dll file is located in the current directory. AC1264070 Windows all defenc.dll is not found where "Encryption Package" is not defined (i.e. AC is not installed). SegraceW runs as standalone. Add Reg value "Encryption Package" in HKLMSOFTWAREComputerAssociatesAccessControl and define the encryption package.
  1. NETLOGON folder |_defenc.dll (Renamed the one from "Encryption Package" in the registry) |_SegraceW.exe |_batch script to run "segracew -s DC_host"
  2. Configure the logon script for the domain user to run the batch script. - Member(x86) Logon by the domain user. ==^ "ERROR: can not connect to AC database." Until SP3, it works with above configuration.. step: 1.install AC on DC 2.copy egraceW.exe and encryption package to NETLOGON shared folder on DC. default encryption package is aes256enc.dll
  3. rename the encryption package to defenc.dll
  4. open the NETLOGON from a workstation
  5. run egraceW.exe -s ^=DC hostname=^
  6. verify you don't get "ERROR: can not connect to AC database."
   
48 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX, where seos token values were missing after upgrade. AC1264075 Unix all tokens ldap_xxx in seos section are not copied from original seos.ini    
  1. Defined tokens ldap_xxx in seos section
  2. Upgrade AC
  3. tokens ldap_xxx in seos.ini are not inherited
   
49 3 WebGUI Fixes an issue with Access Control on AIX, where creating a generic file rule in CA Access Control Enterprise Management fails. AC1264078 All Method validateName    

In the Endpoint Manager UI.

  1. Create a file rule for '/home/d000623s.*'
  2. Create a file rule for '/home/d000623*' and you will receive the error:
    Error: There is already a FILE entity with the name: /home/d000623*
   
Searching element that contains * cause the search function to act as a wild card
And all elements that containing the search criteria are retrieving
Therefore code needs to evaluate the retrieving results and check for duplicate element for each entry
50 1 Unix endpoint user mode Fixes an issue with Access Control on AIX, where *.tmp files were found in /etc/security. AC1264101 AIX      
  1. Test on AIX 6.1
  2. Stop AC (secons -s)
  3. useradd test01
  4. rm -f /etc/security/*.tmp
  5. Run 'selang -l': AC=^ env Unix Unix=^ ru test01
  6. ls -qal /etc/security/*.tmp -=^ You should NOT see any files created during the test
1618 T243782
51 3 unix endpoint kernel mode Fixes an issue with Access Control on HPUX, where the file path that seaudit displays is corrupted when bypass_realpath is enabled. AC1264103 HPUX 1.path name was not null terminated 2.used lookuppn() returned value that is last component of the path name set 1 to token bypass_realpath set 0 to token bypass_realpath      
52 2 WebGUI Fixes an issue with PUPM, where after creating and discovering privileged accounts on SSH endpoints, CA Access Control Enterprise Management displays an incorrect container. AC1264105 All back slash () and the double quotes (") cause the auto login script to fail   When SSH endpoint is not connected, add a default value of the account container field at Modify Privileged Account screen to show the correct container
  1. Create SSH PUPM end point
  2. Discover the end point
  3. Enter to the SSH account at Modify Privileged Account screen when the endpoint is down
  4. The shown container is wrong
60 T5P0052
53 2 WebGUI Fixes an issue with the Enterprise Management Server, where a back slahs and double quotes characters cause the automatic login scripts to fail. AC1264113 All back slash () and the double quotes (") cause the auto login script to fail   A wrong pre define default value was set on the container field
  1. Crate endpoint that contains back slash () or double quotes (") at the password
  2. Assigned to this endpoint Login application (RDP)
  3. Try to perform Automatic Login for this account , the operation failed
61 T5P0053
54 2 unix endpoint kernel mode Fixes an issue with Access Control on UNIX, where seos.ini tokens were not copied on upgrade. AC1264114 All            
55 4 WebGUI Fixes an issue with PUPM, where the password policy minimal length of 16 characters, failed due to a dummy check. AC1264124 All     Remove the validation that check weather Max Length is over 15 chars
  1. create password policy with Mind length 16 and max length 19
  2. assigned this policy to an account
  3. try to check out this account, the operation fails
62 T5P0054
56 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX, where running the command secons -CD results in an infinite loop. AC1264127 All "rec userd" is not cleared while file records are when the period cache erasing is called. secons -CD goes into an infinite loop as "rec userd" and actual records differ. the period cache erasing is called after file activities is cached.        
57 4 WebGUI Fixes an issue with the Enterprise Management Server, on Linux where during role validation an exception for a user which should not be allow to see break glass account appeared. AC1264141 All during role validation we had an exception for a user which should not allow to see break glass    
  1. create a privileged account "demouser"
  2. duplicate Role PUPM USER to SamplePUPMUser and modify Membership to "user=jdoe" scope "accountname=*demo*" If you login with jdoe you will see the demouser pupm account in his priv accounts.
  3. disabled the OOTB "breaking glass" role (which should not have any effect) Login with jdoe again and no accounts are shown now.
   
58 2 WebGUI Fixes an issue with PUPM, where the Automatic Login option does not work if the password contains special characters, for example a dollar ($) sign, back slash () or double quotes ("). AC1264144 All      
  1. Crate endpoint that contains dollar sign ($) at the password
  2. Assigned to this endpoint Login application (RDP)
  3. Try to perform Automatic Login for this account , the operation
66 T5P0056
59 3 Unix endpoint kernel mode Fixes an issue with Access Control on Linux, where running secons -sk 2 caused the system to malfunction. AC1264147 LINUX-X86 conversion specifies of fine and f_sz for snprintf are not correct. run secons -kt 2 on LINUX X86   install AC on LINUX x86 start AC run secons -sk 2 -=^fatal exception in eac_TrustPg_prec()    
60 3 Win endpoint user mode Fixes an issue with Access Control on Windows, where defining TERMINAL rule that contains an IPv4 IP address only, results in selang failure to connect to seosdb. AC1264151 Windows all getaddrinfo could return IPv6 IP address on mixture env. Hence TERMINAL in IPv4 IP address does not match. IPv4 and v6 mixture(like Win2008). TERMINAL is defined in IPv4 IP address only. Token TerminalSearchOrder is name or IP. Define TERMINAL by hostname      
61 3 WebGUI Fixes an issue with Access Control on Linux, where the encoding of the login page was sent as basic charset and not translated AC1264159 All the encoding while loading the login page sent as basic charset and not translated    
  1. Install endpoint management on a machine with Japanese local
  2. Set the browser local to be Ja
  3. Open endpoint management login screen and without typing anything press login
    The message that you see is not clear
   
62 High Win endpoint kernel mode Fixes an issue with Access Control on Windows, where an incorrect processing of interceptions setup at driver reload occurred AC1264162 Windows all 1. Copy and paste mistake at interception processing 2. Incorrect processing of interception setup at driver reload    
  1. Install AC on Windows 2008 system
  2. Reboot and define blocking rule in build-in windows firewall
  3. Test the firewall rule - check that it's not working.
  4. Unload AC ( secons -s, net stop seosdrv, net stop drveng - order is IMPORTANT ).
  5. Test the firewall rule again - now it's working
  6. Restart AC( net start drveng, seosd -start, order IMPORTANT)
  7. Test AC network interception - it's not working.
   
63 3 Unix endpoint kernel mode Enhances the Access Control Keyboard Logger utility with the ability to begin tracing user actions when connecting to host. AC1264165 Unix all            
64 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX, where a memory leak in seosd causes Access Control to stop responding when seosd reaches 1G in memory AC1264169 Unix all     This package adds functionality to AC watchdog. The watchdog will monitor size of seosd and will restart seosd if seosd process size is too big. It also changes watchdog to control size of uxauthd.      
65 3 Win endpoint user mode Fixes an issue with Access Control on Windows, where setoption for max_len/min_len aborts if no password rules are found in the database AC1264170 Windows all setoption for max_len/min_len abort if no password rules exist in the database. set max_len/min_len after password rules are disabled by so password(rules-) set other password rules first than max_len/min_len      
66 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX, where running the sepmd -m generates the following error message: "Error in Maker-Checker command : No authorization to access the Policy Model" AC1264176 Unix all PMDB admin check for running user is done by a ticket after the ticket is removed. any option for sepmd -m(i.e. la, lo, l, d, and p) fails.        
67 3 Unix endpoint user mode We forgot to backup the file .pmd_error. AC1264187 Unix all Enhances the Access Control backup process by including the .pmd_error file. 1. There is a pmdb name pmdb. Please apply the fix sepmd and sepmdd. run this command. "sepmd -bd pmdb /work/backup". Check if there is a file named .pmd_error in /work/backup.    
2. run this command to backup the pmdb "sepmd -bd pmdb /work/backup".
68 4 Unix endpoint kernel mode Fixes an issue with Access Control on Linux, where if the redhat_release files have been manually modified, the kernel module cannot be found. AC1264201 Unix all redhat_release file has been manually modified causing AC kernel module cannot be found     Test install on OEL 5.5 where redhat_release file has been manually modified to contain "Carthage" instead of "Tikanga".    
69 3 Win endpoint user mode Fixes an issue with Access Control on Windows, where Access Control failed to add the CONSENT.EXE file to ApplyOnProcess after upgrade. AC1264213 Windows x64 Handling in case of 64 bit was missing in MergePlgApplyOnProcesss 64 bit box upgrade from old release that does not have CONSENT.EXE by default Add CONSENT.EXE to .InstrumentationPlugInsRunAsPlgApplyOnProcess by reg editor after upgrade
  1. install AC 12.5SP2 on Windows 64 bit box
  2. verify the value of ApplyOnProcess has no consent.exe. This is ok for SP2 HKLMSOFTWAREComputerAssociatesAccessControlInstrumentationPlugInsRunAsPlg ApplyOnProcess=runas.exe explorer.exe
  3. upgrade AC 12.5SP4
  4. verify consent.exe is added to ApplyOnProcess. SP4 does not add it.
   
70 3 WebGUI Fixes an issue with Access Control on Windows, where an error message appears when creating a password policy without the weekdays option selected. AC1264225 All      
  1. Create or modify password policy without week day checked for scheduling
  2. Error message appears ParseException:unexpeted end of expression error
64 T5P0055
71 2 Unix endpoint user mode Fixes an issue with Unix Access Control Unix where HOSTNET class Mask given as 255.255.255.255 is displayed as 0.0.0.255 AC1264231 Unix all       AC=^ er HOSTNET testnet owner(nobody) audit(a) mask(255.255.255.255) match(127.0.0.1) AC=^ sr HOSTNET testnet -=^ Mask is shown as 0.0.0.255.    
72 3 Win endpoint user mode Fixes an issue with Access Control on Windows, where seosd stops responding when the maximum number of entries in the audit.cfg audit file has been reached. AC1264239 Windows all seosd.exe couldn't handle the more 100 lines of entries in audit.cfg. Please add more than 109 lines of entries in audit.cfg and then start up seosd.exe. Please apply the fix seosd.exe or make sure the number of lines in audit.cfg are less than 100 lines. Please add 109 lines of entries to c:\program files\CA\AccessControl\data\auditl.cfg 1. stop AC \=^ secons -s 2. add 109 or more TRACE entry in audit.cfg I added following same 109 entries TRACE;*;*;*;*;*;*;* 3. start AC \=^ seosd -start seosd crash.    
73 3 Unix endpoint user mode Fixes an issue with Access Control on Linux, where if the Keyboard Logger is enabled, the "who am i" command is displayed twice. AC1264247 LINUX cmdlog checks utbuf-=^utmp_err, when it is not 0 it does not send logout event to agent and agent does not erase utmp line KBL function kbl_utmp_set_login() set utbuf-=^utmp_err = rv = 0; Not reproduced in Lab Customer reported that after different users logged in to the system using ssh the command "who am i" showed sometimes two lines of the same tty. [ acceso21 - caunix ]/home/caunix $ who am i u199956 pts/48 2011-07-11 11:17 (10.65.9.82) caunix pts/48 2011-07-12 11:36 (10.78.33.239) [ acceso21 - caunix ]/home/caunix $ tty /dev/pts/48 1570 T243783 (x64)
T243784 (x86)
74 4 Unix endpoint user mode Enhances Access Control to start if the redhat_release file has been altered. AC1264251 LINUX redhat_release file has been manually modified causing AC kernel module cannot be found redhat_release file has been manually modified causing AC kernel module cannot be found Solution Test install on OEL 5.5 where redhat_release file has been manually modified to contain "Carthage" instead of "Tikanga". Access Control fails to start.    
75 3 Unix endpoint user mode Fixes an issue with Access Control on Solaris where SEOS_load searches for the string "seos" in system configuration. The script assumes there already a device named "seos" and attempts to update it. AC1264258 SOLARIS The AC script SEOS_load searches "seos" device searching string "seos" in system configuration. There is different device which consists name of seosvol and it confuses SEOS_laod script. The script assumes there already exists device and tries update it. Solaris 10 + SEOS_use_ioctl Make more strict search, use pattern "/pseudo/seos" instead of "seos" Not reproduced in Lab, Customer sets SEOS_use_iotcl and runs SEOS_load ==^ failure # SEOS_load SEOS_load: Executing un/load exit file, /usr/seos/exits/LOAD/SEOS_load_int.always -pre SEOS_load: Updating device seos. SEOS_load: Couldn't update device. 1625 T540064
76 3 Win endpoint user mode Fixes an issue with Access Control on Windows, where the dbmgr utility creates crypto key files protection records for seosdb that are not required, after upgrade. AC1264259 Windows all install call dbmgr to create pmdb. dbmgr create crypto key files protection records for seosdb, which is not needed for pmdb. pmdb exist before upgrade remove the crypto key files protection records after upgrade

1.install AC

2.create PMDB selang =^env pmd =^create pmdb1

3.upgrade AC

4.verify crypto key files protection records does not exist in the pmdb selang =^host pmdb1@ =^find file

   
77 2 WebGUI Fixes an issue with the Enterprise Management Server, where the password policy doesn't prohibit any character, however if clientmanually reset the password and if password contain special characters it will pop up error message AC1264262 All Char set validation is missing the semicolon char    

1. create PUPM account

2. try to Reset Manually the password with semicolon char (;) getting a message The Password allowed characters does not comply with the password policy settings.

Change the password or use the recommended password

66 T5P0056
78 1 Unix endpoint user mode Fixes an issue with Access Control on Linux where root user could not login when AC PAM was active AC1264265 LINUX Login hangs when AC PAM auth hook comes before pam_unix Linux    

1. Test on Linux AS4.

2. Modify /etc/pam.d/system-auth so 'auth optional pam_seos.so' will

be placed one line BEFORE 'auth sufficient /lib/security/$ISA/pam_unix.so

likeauth nullok'

3. Start AC (seload).

4. AC> eu test01 password(123)

5. telnet localhost (login as user test01)

Before this fix telnet got hung right after providing user name

1632 TC61166 (x86)
TC61167 (x64)
79 1 Unix endpoint user mode Fixes an issue with Access Control on UNIX, where executing the command sepmd -db while specifying a relative path for the dest_path, renders the original PMDB directory un-usable. AC1264268 Unix all            
80 3 Win endpoint user mode Fixes an issue with Access Control Windows where if a user reconnect to an endpoint using Remote Desktop, the user receives the session id of the previous session. AC1264271 Windows all     save a list of disconnect session in seosd memory. In case the user is not authorized to login, search in the disconnect session list, if found then disconnect the user from the RDP session instead of logoff.

1. Create User in AC

2. Authorize the user to connect from terminal A.

3. Unauthorize the user to connect from terminal B.

4. Connect from terminal A using RDP.

5. Disconnect the RDP session.

6. Connect from terminal B using RDP.

7. The user will be logged off from both sessions.

523 T243804 (x86) T243805 (x64)
T243806 (IA64)
81 3 Win endpoint user mode Fixes an issue with Access Control on Windows, where a password change request intercepted is sent to the password PMDB as originating from user NT AUTHORITYSYSTEM and not the original user. AC1264272 Windows all hosts command reset changing user with a user obtained by local_seadmapi_WhoAmI() which was added in 12.SP3(AC1262144). User change own password via native password is managed by PMDB  

1. user log in GUI and change password with Ctrl+Alt+Del

2. Password change request send to local AC db and passwd_pmd to deliver it.

3. password change by service user such like NT AUTHORITYSYSTEM on PMD

4. deliver password by the user who is pwmanager.

5. set grace(1) since the change is update by Administrative user and not by original user

   
82 2 Win endpoint user mode Fixes an issue with Access Control on Windows that caused Access Control to stop responding if the parameter WaitingTimeout is set to INFINITE. AC1264273 Windows all In case of seosd is in long term timeout ( recovery, termination. crash ), the Subauthentication thread waiting WaitingTimeout = INFINITE for respond from seadmapi_IsServerRunning() locks other threads resulting to getting stuck further logons.   Resolved by assignment global Waitingtimeout to Registry value LogonTimeOut or default 4sec.   521 T5P7077
83 2 LINUX x64 Fixes an issue with Access Control on Linux, where the seagent daemon caused a system malfunction on startup. AC1264289 LINUX x64 Syscall intercepted via 32-bit syscall table tries to execute the 64-bit original syscall function that is not yet set and leads to system panic. See Invest. Notes. Solution is to hook the 64-bit syscall table before 32-bit syscall table. The workaround is to install 64-bit version of AC. Install AC on an X64 SLES 11 SP1 system and set AC to start automatically. Then reboot the system repeatedly, this may cause the system to crash. 1636 T3E7134
84 3 WebGUI Fixes an issue with PUPM, where after checking out an account password, the account status is not updated when using the Automatic Login option. AC1264302 All     Refresh My Account page while committing Auto log in application

1. go to My Privileged Accounts

2. ect account with Auto Login Application setting

3. commit Auto login

4. the Status was not changed to Check out

   
85 2 Unix endpoint user mode Fixes an issue with Access Control on HPUX, where the Access Control did not start on HP-UX 11.11 32-bit PA-RISC 1.1 system, because several components are not compatible. AC1264309 HPUX            
86 3 Unix endpoint user mode Fixes an issue with Access Control on AIX, where in case a username is longer than 8 characters, the user name is truncated. AC1264324 AIX      

1. Install AC

2. Selang

eu longnameuser02 password(123) audit(a)

3.Try Logging in with the user

4. Check the Seaudit -a

   
87 1 Unix endpoint user mode Fixes an issue with Access Control where if using SSH remote commands, the target system executing the command doesnot resolve the hostname that the command was issued from. AC1264328 LINUX      

1. Test on Linux.

2. Start AC.

3. AC> nf /usr/bin/df owner(nobody) audit(all) defacc(all)

4. AC> nu test01 password(123) grace-

5. ssh-l test01 0 df -h

6. See the host name in FILE audit for /usr/bin/df and see that it is not 0.0.0.0.

1633 TC61172
AC1264353
88 3 Unix endpoint user mode Fixes an issue with Access Control on Solaris, that when seosd stops responding, seoswd opens a new process that causes a defunct process from seoswd. AC1264331 Unix all      

1.Install AC

2.ps -ef | grep defunct

No Defunct process to begin with (if there is already a defunct process no more defunct process should be started by SEOSWD)

3. vi seos.ini

kill_ignore = no

4. start up AccessControl.

5. issec to find out the seosd pid.

6. kill [pid of seosd]

7. ps -ef | grep defunct

8.No Additional Defunct processes should appear.

1587 T243914 (AIX)
T132915 (Solaris)
T243916 (Linux x86)
T243917 (Linux X64)
T243942 (HPUX IA64)
89 2 Unix endpoint user mode Fixes an issue with Access Control on UNIX "sepmd -t pmdb auto" truncation.When updates.dat file grows to certain size, sepmdd will automatically truncate the file size of updates.dat. sepmdd didn't update the global offset correctly. AC1264332 Unix all The global offset is not updated correctly. sepmdd has to run auto truncate from within. updates.dat has to grow to a certain size limit. The limit is configurable in pmd.ini. Apply the fix sepmdd. or set trigger_auto_truncate = 1024, and then run "sepmd -t DH__WRITER auto" once a day.      
90 1   Fixes an issue with Access Control on UNIX, where the FILE audit for SSH <cmd> displays the HOST prefix. AC1264353           1633 TC61172
91 2 Unix endpoint user mode Fixes an issue with Access Control on AIX, where the Keyboard Logger utility did not collect data to print using the seaudit -cmd command. AC1264354 AIX   multijobs shell, KBL enabled  

check -cmd on AIX:

1. install AC, enable KBL, start AC

2. create interactive user

3. set tcsh as login shell for the user (in /etc/passwd).

4. login to the system as interactive user

5. do several Unix commands, among them passwd (password change)

6. exit session

7. print -cmd for this session, there is no commands

1637 TC61171
92 2 Unix endpoint user mode Fixes an issue with Access Control Unix where selogrd detects corrupted record while intensivewriting to audit is performed.In other conditions selogrd processes the same log without errors of corrupted error detection AC1264360 Unix all     On detecting corrupted record selogrd waits timeout = Interval*ChangeLogFactorand repeats read from the same offset of "bad" error and only than begins reading byte by byte skipping this record.Reproduction steps     T5P7080 (HPUX)
T5P7081 (HPUX IA64)
T5P7082 (AIX)
T5P7083 (SUN)
T5P7084 (LINUX)
93 1 Unix endpoint kernel mode Fixes an issue with Access Control on Linux, where is accessing files from scripts, the root user could access files that Access Control was protecting. This occurred because Access Control was not properly enforcing rules AC1264381 LINUX Parent/child execution sequence in AC interception when scripts are executing many commands   AC kernel interception creates a Process control block before spawning a child and thus fixed the sequence problem of parent/child   1642 TC61175
TC61191 (OEL)
94 2 WebGUI Fixes an upgrade issue with PUPM Access Control connector AC1264393 All            
95 2 Unix endpoint user mode Fixes an issue with UNAB where a cronjob of an AD user was not executed AC1264394 Unix all busy condition in the SQLite3 database requires closing a database if a reset with a backoff is not sufficient.   Closing database after a few unsuccessful access attempts ensures that a client's operation is not affected for long-running processes like cron. set up a recurring cron job for an AD user and observe its execution 16 TC61182
96 3 Unix endpoint kernel mode Adds Access Control support for OEL 5.7 AC1264395 LINUX New version of OEL.       1639 RO35746
97 3 Unix endpoint kernel mode Fixes an issue with Access Control on UNIX, where users cannot change the default value of the KILL_SIGNAL_MASK token. AC1264396 Unix all KILL_SIGNAL_MASK is defined in hexadecimal but SKI_syscall_init() doesn't handle hexadecimal and ignores it. the default value of KILL_SIGNAL_MASK is changed.        
98 2 WebGUI Fixes an issue with Access Control on Windows. Where a time out exception occurred while querying an endpoint with a large number of accounts. AC1264404 All     change the query of retrieving an account Select Name, Domain from Win32_UserAccount where Domain = '^=DOMAIN=^' AND Name='^=USER=^' AND LocalAccount = True This is not a reproducible bug. It happened on a customer site where having on the local machine accounts A huge number of users. We had a socket time out exception when trying to retrieve the user account And windows endpoint creation used to failed 70 T5P0060
99 2 Unix endpoint user mode Fixes an issue with Access Control where Access Control cannot start when NFS files are protected. AC1264409 HPUX NFS returns 0 or wrong i-node, path name resolver fails.   Use original path name when AC file name resolving fails to find path of NFS file. Not reproduced in Lab 1638 T3DB070
100 3 Unix endpoint user mode Fixes an issue with Access Control on Linux, where running the "who am i" command displays two lines of the same tty entry. AC1264413 LINUX The tty entry has not been deleted when session ends   Set DEAD utmp for both original tty and new KBL tty Not reproduced in Lab 1570 T3DB071 (Linux x86)
T3DB072 (Linux x64)
T3DB073 (Linux IA64)
T3DB074 (AIX)
T3DB075 (Solaris)
T3DB076 (HPUX)
T3DB077 (HPUX IA64)
101 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX, where the "User must change password at next logon" is not cleared by sepass utility after user changes own password. AC1264421 Unix all "User must change password at next logon" is not cleared by sepass even own password change. "User must change password at next logon" is enabled user change own password by sepass  

AC> host pmdb1@

AC> nu test01 password(xxx)

4. enabled "User must change password at next logon" for native test01

On Unix:

1. define password pmdb

token : passwd_pmd = pmdb1@widnows host

2. create test user

AC> nu test01 password(xxx)

3. login by test01

4. change own password by sepass

sepass

Enter test01's old password:

Enter new password:

Verify new password:

logon windows:

user must change password as "User must change password at next logon" is still enabled.

  T4CC126
102 2 WebGUI Fixes an issue with PUPM, where if a user created a schedule password policy and after that the OU of the user changed, the Change Password task failed because the user who created the password policy was not located. AC1264448 All     The scheduled job keeps the initiator of the password policy creator and uses it to invoke the task

With AD user store only

1. Create a schedule password policy

2. Assign it to account

3. Change the user's who creates the password policy OU

4. The change password event failed

72 T5P0062
103 1 unix endpoint user mode Fixes an issue with UNAB where a fully migrated yes cannot log in to a Linux machine if the Active Directory domain controller is not available. AC1264453 LINUX Wrong windows group list because missed UPN in off-line mode   Add UNIX attributes to Windows group

1. Fully migrated user 'u1' is member of AD group w/o UNIX attributes 'g1'.

2. Login rule (local or enterprise) for group 'g'.

3. Run uxconsole and login in on-line mode

4. use FW to block tcp:389

5. Run xconsole and login in off-line mode

  TC61178 (Linux x86)
TC61179 (Linux x64) TC61180 for AIX
TC61181 for Solaris
104 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX, where during installation, the FILE resource/etc/* is not imported in to seosdb. AC1264456 All            
105 2 Unix endpoint kernel mode Fixes an issue with Access Control on Solaris 10, where after restarting the internal zones, Access Control fails to enforce policy on users, because the users identity is lost AC1264457 SOLARIS   Solaris 10 zones environment. AC kernel code increments/decrements sessions counter correctly   1641 TC61174
106 2 unix endpoint kernel mode Enhanced Access Control for Solaris to support Solaris 10u9 + patch. AC1264466 SOLARIS OS include files have changed between Sol 10u9 and Sol 10u9 + patch. dotoprocs() has an additional argument that leads to the panic. panic on shutdown new kernel modules needed for Sol 10u9 with patch Install AC125 sp5 on: Solaris 10 u9 sparc + kernel patch 144500-19 Solaris 10 u9 X64 / x86 + kernel patch 144501-19 AC panics on shutdown 1640 T540074
T540075 (x64)
107 2 Windows kernel user mode Fixes an issue with Access Control for UNIX where short file name used in delete operation bypasses the partial match logicof Access Control AC1264469 Windows all Short name used in delete operation bypass our partial match logic.   Fixed code to match the case correctly

1. Under AC LOG folder create file seos1.audit.bak

2. Add AC rule with defacc(r) for the file full path wildmask at the end, i.e. ^=full path=^seos1.audit.bak*

3. Try to read the file - it should pass.

4. Try to delete the file via command line - it should be denied, if the issue is fixed).

   
108 3 WebGUI Fixes an issue with Access Control on Windows, where an error message is displayed in the Endpoint Management user interface AC1264472 All            
109 2 WebGUI Fixes an issue with PUPM and ObserveIT 5.3 where ObserveIT application error occurs when trying to view session recording viaOIT from EntM audit. AC1264480 All There might be multiple recording session on the same audit event.the record Ids are handles as one record id.   loop over the record ids, if there are multiple, and show each one of them as a separate link

1. log into EntM server via RDP.

2. open EntM WebUI (http://localhost:18080/iam/ac) and login as

superadmin/superadmin

3. navigate to [home] - [[My Accounts] - [My Privileged Accounts]

4. select "putty_oit" from [action] drop down list of test01@vmrh51x64-2

5. you can see putty window with test01 login and message box showing

sessionID.

6. close message box and logout from rhel via putty.

7. click yes to check-in test01.

8. navigate to [Privileged Accounts] - [Audit] - [Audit Privileged Accounts]

9. click search to show audit

10. click recording icon to show slide viewer.

-> you can see the session recording without any problems.

11. log into EntM server via another RDP session.

* leave the first RDP session as login; do not logout from the server.

12. do step 2-10 on the second RDP session.

-> you can see the sessionID in message box as comma separated multiple

value on step 5.

-> you will get an error in slide viewer

74 T5P0065
110 2   Fixes an issue with Access Control on Windows, where Access Control stops resending after running the secons -s command. AC1264487              
111 1   Fixes an issue with a Korean version of Access Control for UNIX , where after applying Keyboard Logger patch, the system stops responding. AC1264510              
112 3 unix endpoint kernel mode Fixes an issue with Access Control on AIX, where a timeout message appear on startup. AC1264532 AIX seload starts seosd and makes 9 attempts to get answer from seosd. Time interval between tries is 5 seconds. Total waiting time is 45 second. It takes about 50 seconds to seosd to start. AIX 6.1 seload will check tunable timeout parameter. User may set higher timeout if 45 second is not enough to start seosd. Not reproduced in lab 1646 T3DB078
113 2 Windows endpoint kernel mode Fixes an issue with Access Control on Windows, where the system stops responding on shared folder file access. AC1264549   drveng missed oplock related flag at open operation Access to shared files Added missed flag   525 T5P7090
114 2 Windows endpoint kernel mode Fixes an issue with Access Control on Windows, where a resource sharing violation conflict occurred that causes Access Control to stop responding AC1264570 Windows all Sharing violation System reboot Fixed Sharing violation Define rule for deviceharddiskvolume* with defacc(a) audit(f) owner(nobody) and check that no exists services fails to load after reboot.    
115 2 WebGUI Fixes an issue with Access Control on Windows, where the CredintialsSener contain clear text passwords AC1264578 Windows all            
116 3 Win endpoint user mode Fixes an issue with Access Control on 64 bit Windows, where eACSyncLockout.exe was not installed. AC1264585 Windows all eACSyncLockout.exe in not included in 64 bit AC    
  1. Install AC on 64bit system(X64 IA64)verify eACSyncLockout.exe is installed on <AC home>bin
  2. run eACSyncLockout.exe -startverify the service is startedenable Audit account management in local Auditing Policyenable Account lockout threshold in Account Lockout Policycreate PMDB and subscribe local hostset PMDB@local host to registry
    passwd_pmd/parent_pmdcreate testuser in AC/Nativeenable password class in ACperform failed login attempts by testuser till locked out in nativeverify testuser in AC is locked out
   
117 3 WebGUI Enhances the date and time picker option to display the user's GMT time. Also added 'Valid Until' and 'Start Date' options. AC1263411 All         82 T5P0072
Related code changes also resolves date time picker issue, localization related problems of the Privileged Account Request page dates in the Approve Privileged Account page. AC1264723
AC1264524
118 3   Enhances the date and time picker option in PUPM to display user's time for privileged account passwords request and approvals AC1264524         AC PUPM - Valid Until date fields timezone fix The new date picker is a component which holds both the date and the time. It should display the time in the user's browser GMT time zone. Behind the scene, the time zone will be saved in our DB at GMT 0 (conversion), and when the approver will need to check the date and time, it will be re-converted to his browser GMT. From user perspective, he will only see dates and times in his current browser GMT. Use cases to check: 1. User tries to request access to an account immediately for 1 hour. Administrator should approve the request, then the user will be able to access the account in this hour. 2. User tries to request access for future use, like in 30 min from now for a certain period of time. Administrator should approve, and the tester should wait to see if in 30 min the account is accessible for the user.    
119 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX where the dbmgr -e -l failed to handle a group has members more than 15 members. AC1264540 Unix all When a group has a lot of members, dbmgr -e -l will try to break the command into two commands. We have a problem in the new command.     have a group that has more than 15 members. 1653 T243829
120 2   Fixes an issue with Access Control Out-of-the-box policies, where after upgrade, policies with space characters in their name, were not upgrade AC1264609              
121 2 Unix endpoint user mode Fixes an issue with Access Control on UNIX where clear text passwords appear in log files AC1264616 Unix all            
122 3 WebGUI Fixes an issue with PUPM endpoints where the Advanced option in the Create Endpoint window did not work properly AC1264642 All            
123 3 WebGUI Fixes an issue with PUPM, where if more then a single Active Directory endpoint is defined, the service discovery wizard displays incorrect results AC1264643 All      
  1. Create 2 AD endpoints
  2. Try service discovery for one of the AD endpoints.
  3. Try service discovery for another AD endpoint.
  4. Validate that display is correctly and you don't see endpoint from the first try
   
124 3 WebGUI Fixes an issue with PUPM, where a Cisco endpoint creation failed using SSH device endpoint type AC1264650 All            
125 3 WebGUI Fixes an issue with Access Control where the tooltip for the start time and end time fields are incorrectly displayed AC1264670 All            
126 3 WebGUI Fixes an issue with PUPM, where rediscovering an identical account with different password policy, does not overwrites the previous policy AC1264681 All            
127 2 Unix endpoint user mode Fixes an issue with the keyboard logger, where an incorrect user name (root) is displayed in the keyboard logger records instead of the root user (id=0) AC1264533 Unix all Logged uses system call for getting user name from uid. AC api should be used. PamPassUserInfo = 1 kbl_enabled = yes  
  1. Set kbl_enabled = yes PamPassUserInfo = 1
  2. Create user with uid=0 Define the user as interactive in selang Login via ssh as created user
  3. Check sewhoami -a shows correct user nameCheck KBL records for this session
   
128 2 Win endpoint user mode Fixed stability issues with Access Control on Windows AC1264635 Windows all            
129 2 Win endpoint kernel mode Fixes an issue with Access Control Windows where the server became unstable after installation and BSOD occurs due to cainstrm error with function failure return code processing AC1264679 Windows all            
130 1 WebGUI Fixes an issue with the Enterprise Management Server, where filtering by host name returns 100 results only and limits the user to search within those results only AC1264692 All     Improves deployment audit performance when there are many deployments and gdeployments by changing the ways we retrieve the data from the DMS.      
Fixes a null pointer exception that happens when there are more than 100 deployments.
Adds missing types (AutoAssign/delete hnode/ delete ghnode).
Show the On Behalf Of user in the Updater field.
Load deployment errors on demand (only when opening the result records)
131 2 WebGUI Fixes an issue with PUPM, where users cannot discover privileged account passwords on Solaris endpoint with more than 1000 users AC1264716 All            
132 2 Unix endpoint user mode Adds missing 32-bit nss and pam libraries to UNAB s390 support AC1264718 All            
133 2 WebGUI Fixes an upgrade issue with the Enterprise Management Server AC1264721 All            
134 3 WebGUI Fixes an issue with PUPM, where checking out a privileged account password from a SSH device fails AC1264646 All            
135 3 WebGUI Fixes an issue with PUPM where the automatic password reset of service accounts failed to reset the password AC1264690 All       Discovery of windows service accounts and password consumers, then executing automatic password reset for those accounts.    
136 2 WebGUI Fixes an issue with PUPM where the creation of SSH device endpoint type failed when done using the feeder option AC1264722 All            
137 3 WebGUI Fixes an issue with the Enterprise Management Server, where an error message appears when a requestor changes the start and end date of a privileged account password request AC1264723 All            
138 3 WebGUI Enhances the Access Control reports to include additional fields AC1264734 All            
139 2 Unix endpoint user mode Fixes stability issues with the ReportAgent on UNIX AC1264521 Unix all            
140 3 WebGUI Fixes an issue with PUPM where creating searching from an Active Directory user failed AC1264680 All            
141 3 WebGUI Fixes an issue with Access Control where an error message appeared when attempting to assign a policy to more than 10 endpoints AC1264713 All            
142 3 WebGUI Fixes an issue with PUPM, where the connection to ObserveIT Enterprise failed AC1264764 All            
143 2 WebGUI Fixes an issue with Access Control where the User DN could not be store in the PRIVILEGED_ACC_EXCEPTION table, which resulted in an error message AC1264770 All     Enlarge APPROVER_ID column in PRIVILEGED_ACC_EXCEPTION table User store AD
Try to approve privileged account request by user which has more than 80 characters in his DNThe update to PRIVILEGED_ACC_EXCEPTION table used to fail
   
144 2 WebGUI Fixes an issue with the Enterprise Management Server, where error messages appeared after changing the search root in the CA Identity Manager Management Console AC1264563 All            
145 3 WebGUI Fixes an issue with PUPM, where approver cannot approve or reject privileged account requests because of an error when opening the work list link AC1264773 All            

Chat with CA

Just give us some brief information and we'll connect you to the right CA Expert.

Our hours of availability are 8AM - 5PM CST.

All Fields Required

connecting

We're matching your request.

Unfortunately, we can't connect you to an agent. If you are not automatically redirected please click here.

  • {{message.agentProfile.name}} will be helping you today.

    View Profile


  • Transfered to {{message.agentProfile.name}}

    {{message.agentProfile.name}} joined the conversation

    {{message.agentProfile.name}} left the conversation

  • Your chat with {{$storage.chatSession.messages[$index - 1].agentProfile.name}} has ended.
    Thank you for your interest in CA.


    How Did We Do?
    Let us know how we did so that we can maintain a quality experience.

    Take Our Survey >

    Rate Your Chat Experience.

    {{chat.statusMsg}}

agent is typing