Last Updated: October 14, 2016
Please note that the 12.5 documentation is found online at: https://docops.ca.com/docops.ca.com/ca-directory/12-5/EN.
CA Directory 12.5 does not support 32-bit platforms.
|Build # 12857 12.5|
|Directory Management UI
|Windows 64-bit||Click Here||Click Here||Click Here|
|Linux 64-bit||Click Here||Click Here||Click Here|
|Solaris x86 64-bit||Click Here||Click Here||N/A|
|Solaris Sparc 64-bit||Click Here||Click Here||N/A|
|AIX 64-bit||Click Here||N/A||N/A|
|HP-UX Itanium 64-bit||Click Here||N/A||N/A|
|Directory Management API
|Linux 64-bit DEB||Click Here||Click Here||Click Here|
|Linux 64-bit RPM||Click Here||Click Here||Click Here|
|Support Ticket #||Engineering Ticket #||Affected Component||Problem Summary|
|F19165||Management UI||Directory Management UI is now GA. This component is a new UI for managing DSAs. It is supported on Linux and Windows.
Please see the user guide for more information.
|US197155||DXserver||The 'dxserver init' command now supports configured log files being deleted from, or commented out of, configuration files. This style of configuration change was previously only picked up on a restart.|
|F5490||DXagent||Dxagent is now GA. This component provides a RESTful service for managing DSAs. Dxagent is supported on Linux and Windows.
Please see the user guide for more information.
|DE224247||DXserver||An issue has been addressed for DXmanager-configured DSAs where, due to the order of parsing, the values of Rollover Alarm and Rollover Trace were re-initialized after being read.|
|DE206334||DXserver||When using multi-write groups in conjunction with MW-DISP, entry renames will now produce consistent modifyTimestamps across all replicating DSAs.|
|TA433660||DXserver||The dxserver status command now reports "Recoverable" to indicate that a DSA abnormally terminated but has transaction log enabled. "Inconsistent" state remains for a DSA that abnormally terminated with the transaction log disabled.|
|TA438986||DXserver||Upgraded embedded CAPKI to version 5.1.1.|
|DE203799||DXserver||The dxsoak tool now reports connection error instead of exiting with assertion failure.|
|DE203800||DXserver||The dxserver forcestop command now kills a DSA in the case where the DSA status is not "started".|
|DE176360||DXserver||An abnormally terminated router DSA no longer reports the status as "inconsistent". This will be reported as "stopped" instead, as the router DSA does not have a DB file attached.|
|TA372810||DXserver||CA Directory installer now supports user or group information sources other than files (/etc/passwd), for example LDAP source.|
|TA372811||DXserver||To allow using ports 1-1024 without setuid, the CA Directory installer on Linux uses the cap_net_bind_service capability. On Solaris, a new rights profile is created and assigned to a directory user for the same purpose.|
|00419557||DE171636||DXserver||For the following configuration, it is difficult to stop all the DSAs servicing a specific multi-write group (region) when under a reasonable modify load:
* vanilla multi-write replication (MW-DISP not enabled)
* multi-write groups specified in the knowledge
* set wait-for-multiwrite = true;
To assist with maintenance activities that require all the DSAs from a specific group to be stopped, the command "set isolate-multi-write-group = true;" has been introduced.
An example procedure for stopping all the DSAs in a group is:
|DE202644||DXserver||An issue has been addressed where the DSA can be left in an unresponsive state when a client disconnects that has a large number of pending requests.|
|00471191||DE202354||DXserver||An issue has been resolved where a client performing dynamic group (member=<DN>) searches disconnects while the search is in progress. This has the potential to cause the DSA to crash. This issue was initially resolved in 12.0.17 under the exclude member attribute change (CES: 80679 RTC No: 160194) and has now been strengthened.
As part of this fix, the following assertion failure has been downgraded to a warning as this is triggered by the above disconnect:
The following assertion failure has also been fixed:
|DE175087||DXserver||Addressed MW-DISP recovery performance issue where operational attributes, required by MW-DISP, are explicitly excluded from the cache indexes.|
|DE186404||DXserver||A long standing SSL assertion failure has been addressed. The assertion failure is harmless, but can raise concerns when encountered in the alarm log. The root cause of the assertion is when the number of concurrent SSL connections increases beyond 20. This is normally seen when performing SSL stress testing where a client creates a lot of new connections.
/net/potaroo/release/BRANCHSP14.new/src/dsa/rstack/support/openssl.c(804): Assertion failed
Note: The line number tends to vary between releases ranging from 750-850.
|TA388654||DXserver||The dxsoak tool now includes a "-l <time limit>" option. The tool will run in continuous mode until <time limit> seconds have elapsed.
For example, to run the requests from searches.ldif for 60 seconds:
|US170076||DXserver||The new command "set dsp-link-count = <num>;" when set, will increase the number of outbound links from a router DSA to each subordinate DSA to <num>. By default, only a single outbound (DSP) link is created for each authentication level between DSAs. However, this can reduce router throughput in high volume environments, as the router DSA only has a single connection to send requests and receive responses from.
The "get dsas;" command will display virtual references to the same DSA that will be used to create the outbound links.
Note: Setting <num> larger than 10 may degrade performance, so 'dsp-link-count' should be tuned to your specific environment.
|TA372800||DXserver||To bring DXcertgen in line with 3rd party certificate authorities, the default key size of certificates generated using DXcertgen has been increased from 1024 bits to 2048 bits.|
|TA368117||DXserver||The SSL configuration has been enhanced to support a single personality certificate that can be shared among all DSAs. To configure a single certificate replace cert-dir with cert-file in the set ssl ... command. This will reduce the overhead when issuing DSA personality certificates from 3rd party certificate authorities where there are a large number of DSAs.
Note: This removes the restriction that the subjectDN must contain dsa-name.
set ssl = {
# trusted root CA that signed DSA certificates
|TA368120||DXserver||To complement TA368117, the dxcertgen tool has been enhanced to generate a generic personality certificate using the -g option. For example, the following command creates trusted.pem containing a root CA certificate and a generic DSA personality certificate under $DXHOME/config/ssld/personalities/{generic}.pem that can be configured against all DSAs using the set ssl command above.
% dxcertgen -g {generic} certs
|00410356||DE166038||DXserver||When multiple passwords are stored against a user entry, using the 'set enable-nonstandard-behaviour = true;' feature, a modify request removing a specific password value from the userPassword attribute will no longer remove all passwords. Only the password specifically requested will be removed.|
|00411105||DE165704||DXserver||The DSA no longer crashes when an encrypted connection is terminated before the DSA has been able to negotiate the SSL/TLS protocol version.|
|00361898||DE165174||DXserver||The new command "set max-persistent-searches = <num>;" can be used to configure the maximum number of concurrent persistent searches. This was previously capped at 10, which is the default if max-persistent-searches is not set.
Note: Having a large number of active persistent searches may have a performance impact on directory updates.
|DE154880||DXserver||The "get users;" DXconsole command that displays the list of active connections has been expanded to provide diagnostics for links created using the concurrent-bind-user account. This will assist with checking that the concurrent-bind-user feature is correctly configured.|
|DE163192||DXserver||The new command "set dn-substring-match = true;" enables support for substring (wildcard) filtered searches against attributes with distinguishedName syntax. This makes the directory index distinguishedName values using the LDAP string form.
For example, the following attribute:
Will match following filters:
Note: The search filter does not support virtual attributes, for example, the member attribute populated by dynamic groups.
|00326444||DE144136||DXserver||An issue has been resolved where executing the start-up script ("/etc/init.d/dxserver start" or "service dxserver start") when the DSAs are already running will leave the running DSAs in an invalid run state. The invalid state is where the DSAs are running without pid files under $DXHOME/pid preventing the "dxserver status" and "dxserver stop" commands from working. Note: we recommend starting DSAs using the dxserver binary (as the configured dsa user) rather than start-up script.|
|00263264||DE138821||DXserver||A multi-write replication issue has been resolved when replicating over an SSL encrypted link. If the link between DSAs hangs up while a master is sending to a slave, the multi-write queue for the slave can enter an invalid state causing the master to stop replicating. When this occurs, the warning "No MW response from DSA '{Slave DSA Name}' in last 60 seconds" is displayed every minute until the master is restarted.|
|00334990||DE153975||DXserver||A dynamic group issue has been resolved that has the potential to cause the following alarm message to be continually displayed.
r:/head.new/dxgrid/src/dsa/rstack/support/xmpool.c(326): Assertion failed
|00332527||DE154865||DXserver||A CA Directory issue has been resolved where a search request returning a dynamic group will now populate the member attribute when a return attribute list is specified.
ServiceCloud No: 00328650 Rally No: DE144532
Note: {DN} must be the same in both sections of the filter.
|00314752||DE143115||DXserver||A timing issue has been resolved where the same DSA is used to process a view request with a search phase that includes dynamic group searches. A view search would periodically return unwillingToPerform instead of the expected search result.|
|DE155915||DXserver||Newly created Windows DSA services are now configured as "Automatic (Delayed Start)" instead of "Automatic". This is to allow time for operating system networking services to start up that can impact hostname resolution.|
|00352422||DE157530||JXweb||Fixed an issue in JXweb where uploading jpegPhoto using Chrome browser would cause NullPointerException. This was because Chrome used mixed-case boundary string for the multi part form data and JXweb was not handling this correctly.|
|DE157588||DXserver||Some SSL information was missing in trace/logs following a previous enhancement in SP17. This is now fixed.|
|DE157589||DXserver||Fixed an issue where the "get ciphers;" command was returning the wrong set of values when the DSA was configured to use "protocol = tlsv12".|
|DE158234||DXserver||Fixed a search performance issue when relaxed-not-search is enabled. The root cause was the introduction of redundant conditions for a search filter that involves a nested not expression, eg. "((a=*)(!(|(a=j)(a=k))))".|
|DE139252||DXserver||The DSA will now use <num> threads (set user-threads = <num>;) when building indexes at start-up. Before this change, the DSA was limited to 8.|
|DE171433||DXserver||Fixed DSA crash in _GLOBAL_OFFSET_TABLE_ when built using later versions of gcc (eg. 4.8).|
|DE171227||DXserver||The limit of 30 on the number of horizontal partitions supported by the configuration has been removed. Any number of DSAs can serve in a horizontal partition configuration, as long as there is at least one DSA defined for each partition ID.|
|DE171204||DXserver||Fixed an SSL/TLS issue where dxsearch, dxmodify, dxrename & dxdelete would fail to negotiate a shared SSL protocol version when the DSA was configured to only use TLSv1.2 (protocol = tlsv12 in set ssl command).|
|DE174464||DXserver||The performance of the enhancement to roll-over log files when max-lines is reached (US32008) has been tuned to remove unnecessary delays when a log roll is in progress.|
|DE176094||DXserver||The dxinfo will no longer collect the same log file more than once. This issue was introduced by enhancement US179310.|
|DE175079||DXserver||The DSA no longer produces an assertion failure when cleaning up a SSL connection while a SSL handshake is in progress. This issue was introduced in newer versions of OpenSSL (>= CAPKI to 5.1.0).|
|DE186749||DXserver||A configuration validation check when using multi-write group hubs has been improved to ensure there is one hub for each group for each prefix. Previously, the check only ensured there was one hub for each group.|
|00454002||DE198421||DXserver||Fixed a memory leak issue that was introduced by a bug fix in SP17. A leak of 4kb occurred for each bind request, when password policy was enabled.|
|00440843||DE199294||DXserver||A performance issue has been resolved that occurred when the grid DB synchronized with disk for the first time after a restart. Symptoms of this issue include a "Forced sync" warning message and the DSA not servicing requests for an extended period of time.|
|00471975||DE202799||DXserver||Corrected unique attribute checking by not returning an error when the unique attribute is being replaced with the same value.|
|DE200933||DXserver||DSA no longer processes update operations in the main thread.|
|DE203165||DXserver||Fixed an issue where the DSA could hang when connections are aborted. The root cause was unlocking of a wrong mutex.|
|US149339||DXserver||CA Directory now supports scrypt and bcrypt hashing of the 'userPassword' attribute.
This is controlled by the 'set password-storage = <hashMethod>;' command, where <hashMethod> for the new algorithms can be 'scrypt' or 'bcrypt'.
|US222239||DXserver||The Linux version of DSA is now built with ASLR/PIE (Address Space Layout Randomisation) enabled. On systems that support ASLR, the dxserver process memory space is randomised to prevent exploits.|
|00487553||DE224006||DXserver||Fixed a crash when a slave DSA receives mwdisp deletions on parent entries with child entries. This crash only occurs when dxgrid-queue is false.|
|00487377||DE224007||DXserver||A slave DSA may switch out of recovery mode prematurely after applying shadow updates. This causes problems when there are still pending updates and, at the same time, the slave DSA begins to accept client updates. This is now fixed such that the slave DSA always waits for a confirmation from the master DSA, which is received after pending updates.
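
Several entries above introduce DSA settings that are worth checking after an upgrade: 'set password-storage' (scrypt or bcrypt), 'protocol = tlsv12' inside 'set ssl', and 'set dsp-link-count' with its note about values larger than 10. The following Python sketch is an added example, not CA code: it scans configuration text in the "set name = value;" style quoted in these notes. The sample configuration, the placeholder certificate path, the function names and the wording of the findings are constructed for illustration.

```python
import re

# Constructed sample in the "set name = value;" style quoted in the notes.
SAMPLE_CONFIG = """
# constructed example, not a shipped CA Directory file
set password-storage = scrypt;
set dsp-link-count = 16;
set ssl = {
    cert-file = "placeholder.pem"
    protocol = tlsv12
};
"""

STRONG_HASHES = {"scrypt", "bcrypt"}  # hash methods added by US149339
DSP_LINK_NOTE_LIMIT = 10              # US170076 note: larger than 10 may degrade performance


def parse_settings(text):
    """Map each 'set name = value;' command to its value; a block value
    such as 'set ssl = { ... };' becomes a dict of its key = value pairs."""
    text = re.sub(r"#[^\n]*", "", text)  # strip '#' comments
    pattern = r"\bset\s+([\w-]+)\s*=\s*(?:\{(.*?)\}|([^;{]+?))\s*;"
    settings = {}
    for name, block, scalar in re.findall(pattern, text, re.S):
        if block.strip():
            pairs = re.findall(r"([\w-]+)\s*=\s*\"?([^\s\"]+)\"?", block)
            settings[name] = dict(pairs)
        else:
            settings[name] = scalar.strip()
    return settings


def audit_dsa_config(text):
    """Return findings for the settings discussed in these release notes."""
    s = parse_settings(text)
    findings = []
    storage = s.get("password-storage")
    if storage not in STRONG_HASHES:
        findings.append(f"password-storage is {storage!r}; scrypt or bcrypt is available")
    links = s.get("dsp-link-count")
    if links is not None and int(links) > DSP_LINK_NOTE_LIMIT:
        findings.append(f"dsp-link-count = {links} is larger than 10; may degrade performance")
    ssl = s.get("ssl")
    if not isinstance(ssl, dict):
        findings.append("no 'set ssl' block found")
    elif ssl.get("protocol") != "tlsv12":
        findings.append(f"ssl protocol is {ssl.get('protocol')!r}, not tlsv12")
    return findings
```

Calling `audit_dsa_config(SAMPLE_CONFIG)` reports only the dsp-link-count value, since the constructed sample already uses scrypt and tlsv12.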