|No. ||Severity ||Module ||Problem summary ||Package ||OS ||Cause of the problem ||Conditions ||Solution or workaround ||Reproduction steps ||Problem ID ||Test Fix ID / Published ID |
|1 ||3 ||Win endpoint user mode, Unix endpoint user mode || |
The response time from ENTM is very slow when trying to retrieve data about the Hosts/policies/deployment audit.
The fix includes the following main fixes:
- Improve the performance of the UI when browsing to the Deployment Audit screen, which fetches data from a large-scale DMS.
- Performance improvement of Policy Management search screens and World View.
- Add the ability to assign an unlimited number of hosts to a host group in one transaction.
The fix includes a few more fixes:
- Increase the host/policy/host group search column from 20 characters to 255.
- Add missing search types like Auto Assign and include them in the type search options (this eliminates the errors for missing types in JBoss).
- Fix NULL pointer exception when there are more than 100 deployments in the DMS database.
- Fix pop-up search (in deployment audit and assign policy screens) to show all the objects.
- Fix the world view tab "Results By Managed Devices" to show all the objects.
- Using the status filter in the deployment audit will not improve the performance.
- Deployment audit: when using a wildcard (*) in host/policy/host group filters, you can use only "*" or the full object name (i.e. name* is not allowed).
Do not change the lang query_size registry on the DMS; it should stay at the default of 100.
To get the best performance from the deployment audit, use the host or the policy filter.
|AC1264856 ||All || || || || ||84 ||T5P0074 |
|2 ||3 ||Win endpoint user mode,Unix endpoint user mode ||DH__WRITER, DMS and DH are overloaded and not responding. This causes the DMS subscriber of the DH__WRITER to stop responding, as well as the DH subscriber of the DMS ||AC1264860 ||All || || || |
Workaround: send a policy to all the endpoints to adjust the policyfetcher settings (the main change is that the policyfetcher will read deployments every 6 hours, which should reduce the load on the DH). Add a filter file to the DH__WRITER to filter out deployment errors during the recovery process (to limit the commands that are written to the DH__WRITER audit file).
- Policyfetcher: Don't send removed deployments to the DH__WRITER (if they do not exist on the DH)
- Policyfetcher: Control the number of deployment errors that the policyfetcher sends to the DH__WRITER
- Policyfetcher: Reload its settings every interval.
- Policyfetcher: Change the default settings (increase the values).
- DMS: Don't create gdeployment objects that do not contain any related deployment (this should improve the deployment audit performance).
| || || |
|3 ||3 ||ENTM ||ENTM is able to modify the password of a RACF endpoint account even though a wrong password policy is assigned to the RACF prv account. RACF does not allow ||AC1264552 ||All || || || || || || |
|4 ||3 ||ENTM ||AC126_oracle_script.sql is missing comment line "/*Script Version...". |
Because Oracle requires a blank following "/*",
when the customer runs the deployment script for Oracle, it gets the error:
SP2-0103: Nothing in SQL buffer to run.
|AC1264636 ||Windows 2008 || || ||Insert spaces at the comment sign to avoid a failure when executing the script || || || |
|5 ||2 ||Unix endpoint user mode ||selogrd crashed on USER TRACE record when configured to route target "syslog" ||AC1264973 ||UNIX All ||When selogrd daemon starts the following errors appear: |
...selogrd: [ID 110003 daemon.error] Error 6152
[m] setting up API destinations.
...selogrd: [ID 230063 daemon.error] Error
description: Could not resolve API extension function
| || || ||1706 ||T5P7139 |
|6 ||2 ||ENTM ||When the customer checks out and checks in in the same session, the audit log is
duplicated in the Privileged Account Audit log.
|AC1264964 ||Windows 2008 || || ||To avoid duplicate reported events, check whether the event was already added to the returned vector; the key of the event is Task session Id, Account Name, End point type and observe IT session. Delete duplicate validation message ||Request a Privileged Account with a Valid until date earlier than the Start Date: there are two validation messages, each one of them a duplicate. Check out and check in the account. Two identical audit records are seen in Privileged Account Audit ||12 ||T5P0091 |
|7 ||2 ||Windows endpoint user mode ||The FILE entry in audit.cfg does not stop writing records generated by access to internally protected AC file resources. ||AC1264966 ||All || || || || |
- stop AC and edit audit.cfg
add following entry to audit.cfg
- start AC
- access to <ACDIR>Datahelp> echo aaa > "C:\Program Files\CA\AccessControl\Data\aaa" access denied
- check audit log
- no audit log for the access on step 3.
- this is expected
- access to <ACDIR>Datahelp again> echo aaa > "C:\Program Files\CA\AccessControl\Data\help\aaa" access denied
- check audit log
[expected result] the access log for step 5 is filtered same as step 4
| 550 ||T5P7150 |
|8 ||1 ||Windows endpoint user mode ||memory leak with seosagent when commands are continuously sent to the DMS and DH__WRITER ||AC1264971 ||All || || || || |
- Check the memory growing issue:
define a user with short name or change an existing user to short name - i.e
- use101 instead of <domain>\user01.
With this user, run a selang script (a file with many selang commands) using "selang -f"; the script should host to the DMS and perform many commands. Run another script that sends commands to the DH__WRITER.
|547 ||T5P7138 |
|9 ||2 ||ENTM ||If there is an approved privileged account request, a request for the same
privileged account overrides the previous approved request even if the time ranges of the two requests do not overlap.
|AC1264953 ||Windows 2008 || || || || |
- login EntM UI as requester and request a privileged account with future time range
current time is 04:00 P.M
request time 05:00 P.M - 06:00 P.M
- login EntM UI as approver and approve above request
- login EntM UI as requester again and request same privileged account
with different time range
request time 07:00 P.M - 08:00 P.M
This will cause override of previous approved request.
|10 ||T5P0088 |
|10 ||2 ||ENTM ||Password change event recorded as GMT when |
he checked in as privileged account
|AC1264954 ||Windows 2008 ||Customer found the password change event recorded as GMT when he checked in as privileged account. |
At time of TASKSESSION description in audit log, 9 hours behind now.
| || || |
- Requester check out Privileged Account via Enterprise Management GUI.
- Approver force checkin
- See the audit log for force checkin event.
|12 ||T5P0091 |
|11 ||2 ||ENTM ||If multiple accounts are selected on automatic account reset and one of the accounts fails, the audit log shows the same failed logs for all accounts though the reset for the other accounts did not fail. Also, the password history fails to save for the accounts whose password is actually reset. ||AC1264957 ||Windows 2008 || || || || |
- create 3 native accounts on Windows endpoint (let's say test01, test02
- create windows agentless endpoint and create privileged account for above 3 accounts via [Discover Privileged Accounts Wizard]
- on [Automatic Account Reset], select above 3 accounts and reset.
- on [Show Previous Account Passwords], check the latest password for each
account and confirm the password is valid (login using the password).
-> all 3 accounts can login using the password. this is expected behaviour.
- remove one of native account to generate error; in this case let's
- do step 3 again
check audit log on [Audit Privileged Accounts]
- this failed because test02 was removed on endpoint in step 5.
there are 3 same audit logs for each account though password reset for
test01 and test03 was completed successfully. The task detail (clicking
left button of each audit log) shows same included events for all logs; completed two reset events and one is failed. And also, there are two failed events for saving password history. do step 4 again.
test01 and test03 cannot log into endpoint using the latest password shown.
This can prove that password reset for test01 and test03 completed successfully (password was changed) but saving password history failed.
|10 ||T5P0088 |
|12 ||3 ||ENTM ||Problem filtering hosts in the WorldView if the host does not exist in the first 100 hosts. ||AC1264920 ||All ||Bug in the World View search implementation || ||Fix and improve the search method to return all values ||Try to filter for a host (i.e. s*) that is not in the first 100 results (100 results found using *) ||96 ||T5P0090 / RO45508 |
|13 ||2 ||ENTM ||While the monitor service is running, one request's data overrides the other request's data ||AC1264928 ||Windows 2008 || || ||Transfer the data by the account password object and by task session || |
- create two privileged account request for future start date
- Approve the requests
- While the monitor service is running, one request's data overrides the other request's data
|9 ||T5P0087 |
|14 ||2 ||ENTM ||Two events are reported for the same task session: one is the Privileged account exception event, the second is the Check in event. Both are reported for the same task session, so two events with the same details are shown on the Audit page ||AC1264902 ||Windows 2008 ||Two events are reported for the same task session: one is the Privileged account exception event, the second is the Check in event. Both are reported for the same task session, so two events with the same details are shown on the Audit page || ||Avoid duplicate audit events when there is a privileged account Exception event. Skip reporting the second event (check in account event) to the PPM Audit table || |
- Request a privileged account with the Auto log in setting and set the valid until to be 5 minutes ahead
- Approve the request
- Log in as a requester and Auto log in to the requested account
- Wait until the account expiration (time of valid until date).
- at the Audit privileged account there are two identical reported events
|9 ||T5P0085 |
|15 ||2 ||ENTM ||Start Date is not converted to browser time zone ||AC1264908 ||Windows 2008 ||After PU request is approved, then create another request. Then override message is displayed but displayed date and time is 9 hours behind. || ||Convert the start date to be displayed in the browser time zone for the message "The user was granted access to the account, that has a Start Date {0}. Continuing you will override all previous requests." || |
- create a Priv Accnt request start date one hour from now
- Approve the request
- Request Priv Accnt request as same account
|9 ||T5P0088 |
|16 ||2 ||ENTM ||ENTM with Oracle/dxlink setup throws an error ||AC1264910 ||Windows All ||install Mars CR build v 1293 userstore Dxlink |
After installation, when I click on endpoint I get the following error
Ora01-400:Cant Insert NULL into("<DBusernam>"."TaskSession"."Org_dn")
| || || || || |
|17 ||3 ||ENTM ||Password policy with integrated system with site minder doesn't work ||AC1264912 ||Windows 2008 ||Password policy with integrated system with site minder doesn't work || ||Skip routing to site minder use native password policy || |
- Integrate ENTM with site minder
- to create or modify password policy under Users and group tab
- Getting an error
|9 ||T5P0085 |
|18 ||2 ||ENTM ||When there is a pending Not started request, the validation for the next request for the same account throws an exception ||AC1264918 ||Windows 2008 || || ||Allow more than one waiting request at Privileged account not started. Filter out Approved requests (AccountPasswordsSearchHandler) for the MY accounts tab which are duplicated by user Id and account Id || |
- create 3 different requests for the same account, each request had a future start date and future end date. Each request with different start date and end date
- I approved all 3 requests
- re login as a requestor and request for the same account for the 4th time. Can't proceed with the request
|9 ||T5P0085 |
|19 ||1 ||ENTM ||Sometimes the in-memory JMS connection factory is corrupted ||AC1264895 ||Windows All ||DELETE PRIVILEGED ACCOUNT Exception || ||Do not use the in-memory connection factory; recreate the connection factory and try to get the session again ||Sometimes the in-memory JMS connection factory is corrupted; this case can't be reproduced. When a JMS message needs to be sent, an error is returned: jmsexception could not create a session || || |
|20 ||2 ||ENTM ||Port down from 12.6 SP1 ||AC1264897 ||Windows 2008 || || ||Reset Action List after committing an action || |
- Login to ENTM
- Navigate to Home -> My Accounts -> My Privileged Accounts page.
- Select "RDP(Recording)" from the Actions of the user at the bottom of the page.
- Actions of all Windows Agentless accounts turn into "RDP(Recording)".
- The contents of the page remain after logging off the remote desktop and letting our ActiveX component check-in the password.
- Close and reopen the My Privileged Accounts page, then the page is updated properly.
|8 ||T5P0085 |
|21 ||2 ||ENTM ||The account object is cached in both browsers at the same time; performing any action in one user's browser updates the database, but the other task session still keeps the old instance of the account object ||AC1264899 ||Windows 2008 || || ||Reload account password object before performing any action || |
- Login to the server as Administrator.
- Start Firefox and login with user A
- Start IE and login as user B.
- Browse to both users' My account tab and verify that both users have privileges for the same account
- User A checks out the account in Firefox.
- user B checks out in IE.
- Confirm the same password is checked out in the both windows.
- Press "Search" button in user A Firefox window.
- "Checked Out" status is cleared in the screen.
|8 ||T5P0085 |
|22 ||3 ||ENTM ||ENTM with Ora/dxlink setup throws an error ||AC1264900 ||Windows All || || || ||Steps: |
install Mars CR build v 1293 userstore Dxlink platform-Windows 2k8r2 Object store->Oracle11 userStore-> Dxlink After installation, when I click on endpoint I get the following error Ora01-400:Cant Insert NULL into("<DBusernam>"."TaskSession"."Org_dn") Installation logs and screenshot is uploaded at ftp://istadv10//R12_6_CR/QA/20748716
Note: This issue was a showstopper in Mars. So Oracle Db was not supported with Dxlink in Mars.
| || |
|23 ||2 || ||When an endpoint is deleted, it does not go through and prompts an |
|AC1264881 ||Windows ||the CA message Queue service was not turned on. We go ahead and turn on the CA message queue service. Log into the pupm to try delete the endpoint again. However, it is not the list and is assumed to be deleted. We check the audit logs and the deletion task is not present. || || || || || |
|24 ||2 ||ENTM ||if the temporary password has a > , the |
characters proceeding it are not displayed. However, the temporary password
is displayed correctly in the email notification.
|AC1264882 ||Windows || || || || || || |
|25 ||2 ||ENTM ||There is a reference ID to the user table; when the user is deleted, no reference is found in the user table ||AC1264883 ||Windows || || ||Store the user name instead of its reference ID || |
- Setup ENTM with RDBMS as user store
- Create a user and permit user to request privileged accounts.
- Request and checkout/checkin a privileged account with this user.
- View Privileged Accounts -> Audit Privileged Accounts to confirm username is displayed properly in Initiated by column
- Delete the user from Enterprise Management. Wait a minute or two to process deletion completely and confirm user is deleted.
- View System -> Audit Privileged Accounts data. The username is displayed as a number in the Initiated by column where previously it had been the username
| || |
|26 ||2 ||ENTM ||When logging in through Site Minder, the User DN is the logged-in user name while we are expecting to have the user ID ||AC1264854 ||Windows 2008 || || ||Get the User DN by getting the unique name. Change the method call to getUser().getUniqueName() instead of getUserDN() || |
- login to EntM via Site Minder login screen.
- navigate to My Privileged Accounts
- select Checkout action. => no Checkin action appears.
|8 ||T5P0081 |
|27 ||2 ||ENTM ||Events are recorded twice, during the check out event and during the check in event; both relate to the same session ID ||AC1264863 ||Windows 2008 || || ||Skip recording a check in event when there is a check out event || |
- login to EntM
- Navigate to "My Privileged Accounts" from "Home" tab.
- Check out an account.
- After completion of check out, then check in it.
- Navigate to "Audit Privileged Accounts" screen and click search. Privileged Accounts -> Audit
- You will see the check in log is duplicated.
|8 ||T5P0081 |
|28 ||2 ||UNAB ||Unable to undeploy unab policy on the endpoint ||AC1264836 ||Linux || || || || |
For some host, create a policy with one group say UNAB - It happens fine
For same host, remove the group - It happens fine
For same host, edit the same by adding another group say UNAB - It
For same host, remove the group - It says Task submitted. No changes
The change should be made. The policy should be undeployed.
It says Task submitted. No changes made which is wrong.
|96 ||T5P0090 |
|29 ||3 ||ENTM ||Assign many hosts to host group, cause error ||AC1264839 ||ALL || || || |
- Increase the selang command definition from 512 to 256
- Issue selang commands in a loop (to assign hosts to host group) 15 hosts per command.
- Return with failure if we try to create an existing host group.
| ||84 ||T5P0074 |
|30 ||2 ||ENTM ||The browser time zone is initialized on the login page; when logging in through Site Minder, the browser time zone is not initialized ||AC1264840 ||Windows 2008 || || ||When a time zone is present in the broserTimezone attribute, use it; otherwise use the server time zone, which is initialized in its declaration || |
- login as requester via SiteMinder interface
- request for Privileged Account ,for example Dec 16 19:00 - 19:30
- logout requester and login Approver.
- click worklist and select Privileged Account tab. the start date shifts to GMT time zone
|91 ||T5P0081 |
|31 ||2 ||ENTM ||The log is being reported during the check in commit and for the Force check in event ||AC1264848 ||Windows 2008 || || ||Escaping audit log when performing Force Check in. The Audit log report at Force Check in event || |
- login as requester(pupmusr01) and request as 11:00 - 12:00
- Approve by Approver(superadmin)
- while privileged account is enable, check out by requester(pupmusr01).
- login as PUPM Administrator(superadmin)
- force check-in for privileged account.
- check audit log for this event. Duplicated log for force check-in as 2 line.
|91 ||T5P0081 |
|32 ||2 ||ENTM ||Checking the password policy is routed to Site Minder, which tries to handle the action and fails ||AC1264850 ||Windows 2008 || || ||Skip the routing to Site Minder, use AC to perform password policy actions || |
- open web browser and connect to PUPM integrated with SM.
- SiteMinder login screen shows up login to account
- PUPM screen shows up
- click Home tab
- click second link from left
- click "change my password"
- Change My Password screen shows up Enter new Password / Confirm Password
- click "submit" button AT VST there is an error "Error: Password validation failed: Connection timeout." on the screen.
|91 ||T5P0081 |
|33 ||2 ||ENTM ||Two events are reported for the same action: Create Privileged Account Exception Not Started Event and Grant Privileged Account Request Event ||AC1264830 ||Windows 2008 || || ||Remove audit report, Create Privileged Account Exception Not Started Event to ppm audit. || |
- Create privileged account request
- Approve the request
- Browse to the PPM audit page; there are two identical reported task events
|82 ||T5P0072 |
|34 ||3 ||ENTM ||Since the account could not be found, we had an exception and the work item remains in the working list ||AC1264831 ||Windows 2008 || || ||Catch the exception, allow the process to complete and report a warning message: Warning: [ApprovePrivilegedAccountRequest:imstask.label.task.ApprovePrivilegedAccountRequest.name] The ACCOUNT PASSWORD: name: "monawwar" on "ahmmo04-test" Accounts ("Windows Agentless") no longer exists. Delete the object from monitor objects as well || |
- Request the privileged account. (This account should not be an endpoint administrator)
- Delete the privileged account by superadmin. Privileged Account -> Delete Privileged Account
- Login by superadmin and you will see the above error when clicking the Work List, cannot approve nor reject the request any more.
|82 ||T5P0072 |
|35 ||3 ||ENTM ||All UI actions are initialized to the client browser locale. The locale is stored in a hash map; the key is the current running locale. When performing privileged account discovery by using the wizard, it is done in a new thread for which the locale is not stored in the hash map ||AC1264832 ||Windows 2008 || || ||Since this execution method is called from a new thread, the locale was not initialized, hence the default one (en) was loaded. Get the locale from the task session and set it on Localizer for any message localization use. The locale is kept in a hash map where the key is the current running thread; the map needs to be cleaned of this entry at the end of the action || |
System browser locale: jp
- Discover privileged account
- browse to the new account; the friendly name of the account was not localized
|82 ||T5P0072 |
|36 ||3 ||ENTM || ||AC1264797 ||Windows || || || || || || |
|37 ||2 ||ENTM || ||AC1264798 ||Windows || || || || |
- Launch entm as admin user
- Create a windows endpoint
- Try to create an account for the same endpoint using feeder with custom fields
- Account got created w/o custom fields
- CSV file moved to processed folder
- Audit shows success
Account should be created with custom fields
|90 ||T5P0079 |
|38 ||3 ||ENTM ||Policy Management search screen working very slow, as well as the World View ||AC1264809 ||ALL ||The response time from ENTM is very slow when tried to retrieve data about the Hosts/policies/deployment audit. |
Wondering if there are any performance tuning steps that can be taken care of in order to have a better response time
| || || ||84 ||T5P0074 |
|39 ||2 || || ||AC1264777 || || || || || || || |
|40 ||2 ||SEOSU ||Unable to remove a policy dependency ||AC1264791 ||UNIX ||Modify Policy fails with the following errors. I have tried re-start of ENTM console browser from the actual console machine and a remote machine. The "same signature" error persists. || || || || || |