CA Directory 12.5 Latest Cumulative Release Download
{{search ? 'Close':'Search'}}

CA Directory 12.5
Latest Cumulative Release Download

Last Updated: October 14, 2016

Please note that the 12.5 documentation is found online at:

CA Directory 12.5 does not support 32-bit platforms.

Build # 12857 12.5
  Directory Server
Web Components
Directory Management UI
Windows 64-bit Click Here Click Here Click Here
Linux 64-bit Click Here Click Here Click Here
Solaris x86 64-bit Click Here Click Here N/A
Solaris Sparc 64-bit Click Here Click Here N/A
AIX 64-bit Click Here N/A N/A
HP-UX Itanium 64-bit Click Here N/A N/A


  Directory Server
Directory Management API
Directory Samples
Linux 64-bit DEB Click Here Click Here Click Here
Linux 64-bit RPM Click Here Click Here Click Here


Fixes in CA Directory 12.5

Support Ticket # Engineering Ticket # Affected Component Problem Summary
  F19165 Management UI Directory Management UI is now GA. This component is a new UI for managing DSA's. It is supported on Linux and Windows.
Please see the user guide for more information.
  US197155 DXserver The 'dxserver init' command now supports configured log files to be deleted from, or commented, out of configuration files. This style of configuration change was previously only picked up on a restart.
  F5490 DXagent Dxagent is now GA. This component provides a RESTful service for managing DSA's. Dxagent is supported on Linux and Windows.
Please see the user guide for more information.
  DE224247 DXserver An issues has been addressed for DXmanager configured DSAs, due to order of parsing the value of Rollover Alarm and Rollover Trace was re-initialized after being read.
  DE206334 DXserver When using multi-write groups in conjunction with MW-DISP, entry renames will now produce consistent modifyTimestamps across all replicating DSAs.
  TA433660 DXserver The dxserver status command now reports "Recoverable" to indicate that a DSA abnormally terminated but has transaction log enabled. "Inconsistent" state remains for a DSA that abnormally terminated with the transaction log disabled.
  TA438986 DXserver Upgraded embedded CAPKI to version 5.1.1.
  DE203799 DXserver The dxsoak tool now reports connection error instead of exiting with assertion failure.
  DE203800 DXserver The dxserver forcestop command now kills a DSA in the case where the DSA status is not "started".
  DE176360 DXserver An abnormally terminated router DSA no longer reports the status as "inconsistent". This will be reported as "stopped" instead as the router DSA not have a DB file attached.
  TA372810 DXserver CA Directory installer now supports user or group information sources other than files (/etc/passwd), for example LDAP source.
  TA372811 DXserver To allow using ports 1-1024 instead of using setuid, CA Directory installer on linux uses cap_net_bind_service capability. On Solaris a new rights profile is created and assigned to a directory user for the same purpose.
00419557 DE171636 DXserver For the following configuration, it is difficult to stop all the DSAs servicing a specific multi-write group (region) when under a reasonable modify load:
* vanilla multi-write replication (MW-DISP not enabled)
* multi-write groups specified in the knowledge
* set wait-for-multiwrite = true;


To assist with maintenance activities that require all the DSAs from a specific group to be stopped, the command "set isolate-multi-write-group = true;" has been introduced.

An example procedure for stopping all the DSAs in a group is:
* connect to DXconsole for each DSA that will be shut down and perform "set isolate-multi-write-group = true;", or temporarily enabled "set isolate-multi-write-group = true;" in the configuration and re-init the DSAs of a particular group individually
* once set, all connections to other groups and non-peer DSAs will be aborted, allowing replication within a group to complete while taking on no further updates from other groups/relays/routers
* when replication has completed the DSAs in the group may be stopped
* once stopped, if using the configuration based approach, the 'isolate-multi-write-group' command can be removed or set to false and DSAs can be started

  DE202644 DXserver An issue has been addressed where the DSA can be left in an unresponsive state when a client disconnects that has a large number of pending requests.
00471191 DE202354 DXserver An issue has been resolved where a client performing dynamic group (member=<DN>) searches disconnects while the search is in progress. This has the potential to cause the DSA to crash. This issues was initially resolved in 12.0.17 under the exclude member attribute change (CES: 80679 RTC No: 160194) and has now been strengthened.


As part of this fix, the following assertion failure has been downgraded to a warning as this is triggered by the above disconnect:
** FATAL ERROR **: Assertion failed (/release/

The following assertion failure has also been fixed:
** FATAL ERROR **: Assertion failed (/release/

  DE175087 DXserver Addressed MW-DISP recovery performance issue where operational attributes, required by MW-DISP, are explicitly excluded from the cache indexes.
  DE186404 DXserver A long standing SSL assertion failure has been addressed. The assertion failure is harmless, but can raise concerns when encountered in the alarm log. The root cause of the assertion is when the number of concurrent SSL connections increases beyond 20. This is normally seen when performing SSL stress testing where a client creates a lot of new connections.


/net/potaroo/release/ Assertion failed

Note: The line number tends to vary between releases ranging from 750-850.

  TA388654 DXserver The dxsoak tool now includes a "-l <time limit>" option. The tool will run in continuous mode until <time limit> seconds have elapsed.


For example, to run the requests from searches.ldif for 60 seconds:
% dxsoak -l 60 -t 8 -q 100 -h host:port -f searches.ldif

  US170076 DXserver The new command "set dsp-link-count = <num>;" when set, will increase the number of outbound links from a router DSA to each subordinate DSA to <num>. By default, only a single outbound (DSP) link is created for each authentication level between DSAs. However, this can reduce router throughput in high volume environments, as the router DSA only has a single connection to send requests and receive responses from.


The "get dsas;" commandsetuid  will display virtual references to the same DSA that will be used to create the outbound links.

Note: Setting <num> larger than 10 may degrade performance, so 'dsp-link-count' should be tuned to your specific environment.

  TA372800 DXserver To bring DXcertgen in line with 3rd certificate authorities, the default key size of certificates generated using DXcertgen has been increased from 1024 bits to 2048 bits.
  TA368117 DXserver The SSL configuration has been enhanced to support a single personality certificate that can be shared among all DSAs. To configure a single certificate replace cert-dir with cert-file in the set ssl ... command. This will reduce the overhead when issuing DSA personality certificates from 3rd party certificate authorities where there are a large number of DSAs.


Note: This removes the restriction that the subjectDN must contain dsa-name.

set ssl = %7B
# generic DSA personality certificate
cert-file = "config/ssld/personalities/generic.pem"

    # trusted root CA that signed DSA certificates
ca-file = "config/ssld/trusted.pem"
protocol = tls

  TA368120 DXserver To complement TA368117, the dxcertgen tool has been enhanced to generate a generic personality certificate using the -g option. For example, the following command creates trusted.pem containing a root CA certificate and a generic DSA personality certificate under $DXHOME/config/ssld/personalities/%7Bgeneric%7D.pem that can be configured against all DSAs using the set ssl command above.


% dxcertgen -g %7Bgeneric%7D certs

00410356 DE166038 DXserver When multiple passwords are stored against a user entry, using the 'set enable-nonstandard-behaviour = true;' feature, a modify request removing a specific password value from the userPassword attribute will no longer remove all passwords. Only password specifically requested will be removed.
00411105 DE165704 DXserver The DSA no longer crashes when an encrypted connection is terminated before the DSA has been able to negotiate the SSL/TLS protocol version.
00361898 DE165174 DXserver The new command "set max-persistent-searches = <num>;" can be used to configure the maximum number of concurrent persistent searches. This was previously capped at 10, which is the default if max-persistent-searches is not set.


Note: Having a large number of active persistent searches may have a performance impact on directory updates.

  DE154880 DXserver The "get users;" DXconsole command that displays the list of active connections has been expanded to provide diagnostics for links created using the concurrent-bind-user account. This will assist with checking that the concurrent-bind-user feature is correctly configured.
  DE163192 DXserver The new command "set dn-substring-match = true;" enables support for substring (wildcard) filtered searches against attributes with distinguishedName syntax. This makes the directory index distinguishedName values using the LDAP string form.


For example, the following attribute:

member: cn=joeBloggs,ou=users,o=CA,c=AU

Will match following filters:

Note: The search filter does not support virtual attributes, for example, the member attribute populated by dynamic groups.

00326444 DE144136 DXserver An issue has been resolved where executing the start-up script ("/etc/init.d/dxserver start" or "service dxserver start") when the DSAs are already running will leave the running DSAs in an invalid run state. The invalid state is where the DSAs are running without pid files under $DXHOME/pid preventing the "dxserver status" and "dxserver stop" commands from working. Note: we recommend starting DSAs using the dxserver binary (as the configured dsa user) rather than start-up script.
00263264 DE138821 DXserver A multi-write replication issue has been resolved when replicating over an SSL encrypted link. If the link between DSAs hangs up while a master is sending to a slave, the multi-write queue for the slave can enter an invalid state causing the master to stop replicating. When this occurs, the warning "No MW response from DSA '%7BSlave DSA Name%7D' in last 60 seconds" is displayed every minute until the master of restarted.
00334990 DE153975 DXserver A dynamic group issue has been resolved that has the potential to cause the following alarm message to be continually displayed.
r:/ Assertion failed
00332527 DE154865 DXserver A CA Directory issue has been resolved where a search request returning a dynamic group will now populate the member attribute when a return attribute list is specified.


ServiceCloud No: 00328650  Rally No: DE144532
To improve integration with WebSphere Application Server, dynamic group membership searches have been expanded to support LDAP filters of the following form:


Note: %7BDN%7D must be the same in both sections of the filter.

00314752 DE143115 DXserver A timing issue has been resolved where the same DSA is used to process a view request with a search phase that includes dynamic group searches. A vie search would periodically return unwillingToPerform instead of the expected search result.
  DE155915 DXserver Newly created Windows DSA services are now configured as "Automatic (Delayed Start)" instead of "Automatic". This is to allow time for operating system networking services to start up that can impact hostname resolution.
00352422 DE157530 JXweb Fixed an issue in JXweb where uploading jpegPhoto using Chrome browser would cause NullPointerException. This was because Chrome used mixed-case boundary string for the multi part form data and JXweb was not handling this correctly.
  DE157588 DXserver Some SSL information was missing in trace/logs following a previous enhancement in SP17. This is now fixed.
  DE157589 DXserver Fixed an issue where "get ciphers;" command was returning wrong set of values when the DSA was configured to use "protocol = tlsv12"
  DE158234 DXserver Fixed a search performance issue when relaxed-not-search is enabled. The root cause was the introduction of redundant conditions for a search filter that involves a nested not expression, eg. "((a=*)(!(|(a=j)(a=k))))".
  DE139252 DXserver The DSA will now use <num> threads (set user-threads = <num>;) when building indexes at start-up. Before this change, the DSA was limited to 8.
  DE171433 DXserver Fixed DSA crash in _GLOBAL_OFFSET_TABLE_ when built using later versions of gcc (eg. 4.8).
  DE171227 DXserver The maximum number of horizontal partitions support by the configuration of 30 has been removed. Any number of DSAs can serve in a horizontal partition configuration, as long as there is at least one DSA defined for each partition ID.
  DE171204 DXserver Fixed an SSL/TLS issue where dxsearch, dxmodify, dxrename & dxdelete would fail to negotiate a shared SSL protocol version when the DSA was configured to only use TLSv1.2 (protocol = tlsv12 in set ssl command).
  DE174464 DXserver The performance of the enhancement to roll-over log files when max-lines is reached (US32008) has been tuned to remove unnecessary delays when a log roll is in progress.
  DE176094 DXserver The dxinfo will no longer collect the same log file more than once. This issue was introduced by enhancement US179310.
  DE175079 DXserver The DSA no longer produces an assertion failure when cleaning up a SSL connection while a SSL handshake is in progress. This issue was introduced in newer versions of OpenSSL (>= CAPKI to 5.1.0).
  DE186749 DXserver A configuration validation check when using multi-write group hubs has been improved to ensure there is one hub for each group for each prefix. Previously, the check only ensured there was one hub for each group.
00454002 DE198421 DXserver Fixed a memory leak issue that was introduced by a bug fix in SP17. A leak of 4kb occurred for each bind request, when password policy was enabled.
00440843 DE199294 DXserver A performance issue has been resolved that occurred when the grid DB synchronized with disk for the first time after a restart. Symptoms of this issue include a "Forced sync" warning message and the DSA not servicing requests for an extended period of time.
00471975 DE202799 DXserver Corrected unique attribute checking by not returning an error when the unique attribute is being replaced with the same value.
  DE200933 DXserver DSA no longer processes update operations in the main thread.
  DE203165 DXserver Fixed an issue where the DSA could hang when connections are aborted. The root cause was unlocking of a wrong mutex.
  US149339 DXserver CA Directory now supports scrypt and bcrypt hashing of the 'userPassword' attribute.


This is controlled by the 'set password-storage = <hashMethod>;' command, where <hashMethod> for the new algorithms can be 'scrypt' or 'bcrypt'.

  US222239 DXserver The Linux version of DSA is now built with ASLR/PIE (Address Space Layout Randomisation) enabled. On systems that support ASLR, the dxserver process memory space is randomised to prevent exploits.
00487553 DE224006 DXserver Fixed a crash when a slave DSA receives mwdisp deletions on parent entries with child entries. This crash only occurs when dxgrid-queue is false.
00487377 DE224007 DXserver A slave dsa may switch out of recovery mode prematurely after applying shadow updates. This causes problems when there are still pending updates and the same time the slave dsa begins to accept client updates. This is now fixed such that the slave dsa always waits for a confirmation from the
master dsa, which is received after pending updates.

Chat with CA

Just give us some brief information and we'll connect you to the right CA Expert.

Our hours of availability are 8AM - 5PM CST.

All Fields Required


We're matching your request.

Unfortunately, we can't connect you to an agent. If you are not automatically redirected please click here.

  • {{}} will be helping you today.

    View Profile

  • Transfered to {{}}

    {{}} joined the conversation

    {{}} left the conversation

  • Your chat with {{$storage.chatSession.messages[$index - 1]}} has ended.
    Thank you for your interest in CA.

    How Did We Do?
    Let us know how we did so that we can maintain a quality experience.

    Take Our Survey >

agent is typing