
CA Directory 12.5
Latest Cumulative Release Download

Last Updated: December 20, 2016

Please note that the 12.5 documentation is found online at: https://docops.ca.com/ca-directory/12-5/EN.

CA Directory 12.5 does not support 32-bit platforms.

Build # 13559 12.5 SP1
| Platform | Directory Server (DXgrid) | Web Components (DXmanager) | Directory Management UI (New) | DXagent |
|---|---|---|---|---|
| Windows 64-bit | Click Here | Click Here | Click Here | Click Here |
| Linux 64-bit | Click Here | Click Here | Click Here | Click Here |
| Solaris x86 64-bit | Click Here | Click Here | N/A | N/A |
| Solaris Sparc 64-bit | Click Here | Click Here | N/A | N/A |
| AIX 64-bit | Click Here | N/A | N/A | N/A |
| HP-UX Itanium 64-bit | Click Here | N/A | N/A | N/A |

 

| Platform | Directory Server (DXgrid) | Directory Management API (DXagent) | Directory Samples |
|---|---|---|---|
| Linux 64-bit DEB | Click Here | Click Here | Click Here |
| Linux 64-bit RPM | Click Here | Click Here | Click Here |

 

Fixes in CA Directory 12.5 SP1

Support Ticket # | Engineering Ticket # | Affected Component | Problem Summary

 

US262453 & US262454

DXagent

Added standalone install package for DXagent that can be installed into prior versions of Directory up to and including 12.0.15.

 

US259556

Management UI

Added support for two modes of knowledge management, explicit and global. DSA knowledge references may be configured explicitly, or automatically if the DSA is part of the global knowledge group.

 

DE262932

DXserver

When CA Directory is installed using an existing account (./dxsetup.sh -dxuser acct_name) or installed using a non-root account, an embedded version of CAPKI is used. An uninstall issue has been resolved when using the embedded version of CAPKI, where the uninstall attempted to remove a globally shared CAPKI installation (/opt/CA/SharedComponents) that may not exist.

 

DE258722

DXagent

Fixed issue in DXagent where support for knowledge items credits and multi-write-attrs was missing.

 

US250305

DXserver

During a fresh install on a clean machine, CAPKI can now be installed to a custom location.

00621556

DE258119

DXserver

Improved error message when using dn-substring-match and the DN values stored in the .db are invalid. The DSA will no longer stop when indexing such values.

 

DE256119

DXagent

Fixed an issue in DXagent where the DSA forcestop action failed when running on Windows with a DXserver instance older than 12.5.

 

DE257880

DXagent

Fixed an issue in the CA Directory Windows installer that wasn't configuring the port number to be used by DXagent. DXagent was always using the default port number 9443 regardless of what was specified by the user during installation.

00614094

DE256305

DXserver

Passwdtool failed with the error "Numerical result out of range" when /etc/group has large entries, such as groups with many members. This is now fixed so that passwdtool retries with a larger buffer size when getgrnam/getpwnam returns with error code ERANGE.
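The ERANGE retry described in DE256305, as an added C example rather than CA's passwdtool code. The names lookup_group_gid and MAX_GROUP_BUF are hypothetical, and the 4 MiB ceiling is an assumption chosen for the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Assumed ceiling: a corrupt or hostile group source (files, LDAP, ...)
 * must not be able to drive unbounded allocation. */
#define MAX_GROUP_BUF (4u * 1024u * 1024u)

/* Hypothetical helper: resolve a group name to its gid, growing the
 * scratch buffer whenever getgrnam_r() reports ERANGE.
 * Returns 0 on success, ENOENT if the group does not exist, or another
 * errno value on failure. *retries counts how often the buffer grew. */
int lookup_group_gid(const char *name, size_t initial_len,
                     gid_t *gid_out, unsigned *retries)
{
    size_t len = initial_len ? initial_len : 1;
    char *buf = NULL;

    *retries = 0;
    for (;;) {
        char *tmp = realloc(buf, len);
        if (tmp == NULL) {
            free(buf);
            return ENOMEM;
        }
        buf = tmp;

        struct group grp, *result = NULL;
        int rc = getgrnam_r(name, &grp, buf, len, &result);

        if (result != NULL) {          /* entry found and fully copied */
            *gid_out = grp.gr_gid;
            free(buf);
            return 0;
        }
        if (rc != ERANGE) {            /* not found, or a genuine error */
            free(buf);
            return rc == 0 ? ENOENT : rc;
        }
        /* ERANGE: some entry (member list included) did not fit.
         * Treating this as fatal is the failure mode the fix removes. */
        if (len >= MAX_GROUP_BUF) {
            free(buf);
            return ERANGE;
        }
        len *= 2;
        (*retries)++;
    }
}

int main(void)
{
    gid_t gid = 0;
    unsigned retries = 0;
    /* Deliberately tiny starting buffer to force the retry path. */
    int rc = lookup_group_gid("root", 16, &gid, &retries);

    if (rc != 0) {
        fprintf(stderr, "lookup failed: errno %d\n", rc);
        return 1;
    }
    printf("gid=%ld after %u buffer growths\n", (long)gid, retries);
    return 0;
}
```

The same loop applies to getpwnam_r(); sysconf(_SC_GETGR_R_SIZE_MAX) is only a hint for the starting size, so the retry is still needed.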

 

DE256162

Management UI

Directory Management UI Linux installer was prompting for port number and certificates on upgrade when it should not. These values are no longer asked for, and the existing installation's configuration is retained following an upgrade.

00606859

DE255000

DXserver

An issue has been addressed where modifyTimeStamp was not replicated in a multiwrite setup when password policies are enabled and a user is changing their own password.

00609632

DE254551

DXserver

This defect is a follow-up to DE224007. The previous fix requires a recovering DSA to receive an "empty modify" to switch out of recovery mode. In a rolling upgrade scenario, DSAs of older versions/service packs do not send "empty modify" and the newly upgraded DSA remains in recovery indefinitely. A timeout of 30 seconds is now implemented for a recovering DSA to wait for the "empty modify".

00608367

DE254734

DXserver

Fixed an issue where CA Directory RPM upgrade was deleting the "dsa" user and some required files.

 

DE249815

DXagent

Fixed an issue where DXagent returned multiple copies of raw settings when multiple unsupported statements were on the same line.

 

DE249814

DXagent

Fixed an issue where DXagent, when running as a daemon on Linux, failed to resolve the relative path to swagger files.

 

DE246123

DXagent

Fixed an issue where DXagent failed to create a DSA with a "." in the name.

 

DE244418

DXagent

Fixed an issue where, if a dxi file parsed by DXagent had multiple schema source statements on the same line, only the first was read and the others were ignored.

00595578

DE249303

DXserver

An issue preventing installs on AIX 6.x/7.x has been addressed.

 

DE206709

DXserver

Fixed an incorrect error message being returned when unique attribute violations occur. The error message now contains only the attributes whose values violated the uniqueness check.

 

DE204727

DXserver

Fixed a potential deadlock that could occur when a DSA is being shut down while it has ongoing multiwrite operations.

 

DE244385

DXserver

Removed restriction in dxserver installer that requires source directory and all its parent directories to be world readable and executable. If permission issues are detected in source directory or in any of its parent directories then the installer copies source files to a temporary directory before proceeding with the installation process.

 

DE243560

DXserver

Fixed an issue in the dxserver installer where .dxprofile was not being sourced by .bash_profile.

 

DE243558

DXserver

The default shell defined for user 'dsa' was incorrect in the installer response file. This is now corrected to use bash.

 

DE248339

Management UI

Management UI Windows Installer has been enhanced to handle static files in the "public" sub-directory that change constantly.

 

DE243561

DXserver

Removed a misleading message "Please provide password for user <USER>" at the completion of DXserver installation.

 

DE250315

Management UI

Fixed an issue where the Management UI Windows custom installation always placed files into the standard location, even if a custom location was selected.

 

Fixes in CA Directory 12.5

Support Ticket # | Engineering Ticket # | Affected Component | Problem Summary

 

F19165

Management UI

Directory Management UI is now GA. This component is a new UI for managing DSAs. It is supported on Linux and Windows.
Please see the user guide for more information.

 

US197155

DXserver

The 'dxserver init' command now supports configured log files being deleted from, or commented out of, configuration files. This style of configuration change was previously only picked up on a restart.

 

F5490

DXagent

DXagent is now GA. This component provides a RESTful service for managing DSAs. DXagent is supported on Linux and Windows.
Please see the user guide for more information.

 

DE224247

DXserver

An issue has been addressed for DXmanager-configured DSAs where, due to the order of parsing, the values of Rollover Alarm and Rollover Trace were re-initialized after being read.

 

DE206334

DXserver

When using multi-write groups in conjunction with MW-DISP, entry renames will now produce consistent modifyTimestamps across all replicating DSAs.

 

TA433660

DXserver

The dxserver status command now reports "Recoverable" to indicate that a DSA abnormally terminated but has the transaction log enabled. The "Inconsistent" state remains for a DSA that abnormally terminated with the transaction log disabled.

 

TA438986

DXserver

Upgraded embedded CAPKI to version 5.1.1.

 

DE203799

DXserver

The dxsoak tool now reports connection error instead of exiting with assertion failure.

 

DE203800

DXserver

The dxserver forcestop command now kills a DSA in the case where the DSA status is not "started".

 

DE176360

DXserver

An abnormally terminated router DSA no longer reports the status as "inconsistent". This will be reported as "stopped" instead, as the router DSA does not have a DB file attached.

 

TA372810

DXserver

CA Directory installer now supports user or group information sources other than files (/etc/passwd), for example LDAP source.

 

TA372811

DXserver

To allow using ports 1-1024 without using setuid, the CA Directory installer on Linux uses the cap_net_bind_service capability. On Solaris a new rights profile is created and assigned to a directory user for the same purpose.

00419557

DE171636

DXserver

For the following configuration, it is difficult to stop all the DSAs servicing a specific multi-write group (region) when under a reasonable modify load:
* vanilla multi-write replication (MW-DISP not enabled)
* multi-write groups specified in the knowledge
* set wait-for-multiwrite = true;

 

To assist with maintenance activities that require all the DSAs from a specific group to be stopped, the command "set isolate-multi-write-group = true;" has been introduced.

An example procedure for stopping all the DSAs in a group is:
* connect to DXconsole for each DSA that will be shut down and perform "set isolate-multi-write-group = true;", or temporarily enable "set isolate-multi-write-group = true;" in the configuration and re-init the DSAs of a particular group individually
* once set, all connections to other groups and non-peer DSAs will be aborted, allowing replication within a group to complete while taking on no further updates from other groups/relays/routers
* when replication has completed the DSAs in the group may be stopped
* once stopped, if using the configuration based approach, the 'isolate-multi-write-group' command can be removed or set to false and DSAs can be started

 

DE202644

DXserver

An issue has been addressed where the DSA can be left in an unresponsive state when a client disconnects that has a large number of pending requests.

00471191

DE202354

DXserver

An issue has been resolved where a client performing dynamic group (member=<DN>) searches disconnects while the search is in progress. This has the potential to cause the DSA to crash. This issue was initially resolved in 12.0.17 under the exclude member attribute change (CES: 80679 RTC No: 160194) and has now been strengthened.

 

As part of this fix, the following assertion failure has been downgraded to a warning as this is triggered by the above disconnect:
** FATAL ERROR **: Assertion failed (/release/HEAD.new/dxgrid/src/dsa/user/roles.c???)

The following assertion failure has also been fixed:
** FATAL ERROR **: Assertion failed (/release/HEAD.new/dxgrid/src/dsa/user/uDynamicGroup.c129?)

 

DE175087

DXserver

Addressed MW-DISP recovery performance issue where operational attributes, required by MW-DISP, are explicitly excluded from the cache indexes.

 

DE186404

DXserver

A long standing SSL assertion failure has been addressed. The assertion failure is harmless, but can raise concerns when encountered in the alarm log. The root cause of the assertion is when the number of concurrent SSL connections increases beyond 20. This is normally seen when performing SSL stress testing where a client creates a lot of new connections.

 

/net/potaroo/release/BRANCHSP14.new/src/dsa/rstack/support/openssl.c(804): Assertion failed

Note: The line number tends to vary between releases ranging from 750-850.

 

TA388654

DXserver

The dxsoak tool now includes a "-l <time limit>" option. The tool will run in continuous mode until <time limit> seconds have elapsed.

 

For example, to run the requests from searches.ldif for 60 seconds:
% dxsoak -l 60 -t 8 -q 100 -h host:port -f searches.ldif

 

US170076

DXserver

The new command "set dsp-link-count = <num>;" when set, will increase the number of outbound links from a router DSA to each subordinate DSA to <num>. By default, only a single outbound (DSP) link is created for each authentication level between DSAs. However, this can reduce router throughput in high volume environments, as the router DSA only has a single connection to send requests and receive responses from.

 

The "get dsas;" command will display virtual references to the same DSA that will be used to create the outbound links.

Note: Setting <num> larger than 10 may degrade performance, so 'dsp-link-count' should be tuned to your specific environment.

 

TA372800

DXserver

To bring DXcertgen in line with 3rd party certificate authorities, the default key size of certificates generated using DXcertgen has been increased from 1024 bits to 2048 bits.

 

TA368117

DXserver

The SSL configuration has been enhanced to support a single personality certificate that can be shared among all DSAs. To configure a single certificate replace cert-dir with cert-file in the set ssl ... command. This will reduce the overhead when issuing DSA personality certificates from 3rd party certificate authorities where there are a large number of DSAs.

 

Note: This removes the restriction that the subjectDN must contain dsa-name.

set ssl = {
    # generic DSA personality certificate
    cert-file = "config/ssld/personalities/generic.pem"

    # trusted root CA that signed DSA certificates
    ca-file = "config/ssld/trusted.pem"
    protocol = tls
};

 

TA368120

DXserver

To complement TA368117, the dxcertgen tool has been enhanced to generate a generic personality certificate using the -g option. For example, the following command creates trusted.pem containing a root CA certificate and a generic DSA personality certificate under $DXHOME/config/ssld/personalities/{generic}.pem that can be configured against all DSAs using the set ssl command above.

% dxcertgen -g {generic} certs

00410356

DE166038

DXserver

When multiple passwords are stored against a user entry, using the 'set enable-nonstandard-behaviour = true;' feature, a modify request removing a specific password value from the userPassword attribute will no longer remove all passwords. Only the password specifically requested will be removed.

00411105

DE165704

DXserver

The DSA no longer crashes when an encrypted connection is terminated before the DSA has been able to negotiate the SSL/TLS protocol version.

00361898

DE165174

DXserver

The new command "set max-persistent-searches = <num>;" can be used to configure the maximum number of concurrent persistent searches. This was previously capped at 10, which is the default if max-persistent-searches is not set.

 

Note: Having a large number of active persistent searches may have a performance impact on directory updates.

 

DE154880

DXserver

The "get users;" DXconsole command that displays the list of active connections has been expanded to provide diagnostics for links created using the concurrent-bind-user account. This will assist with checking that the concurrent-bind-user feature is correctly configured.

 

DE163192

DXserver

The new command "set dn-substring-match = true;" enables support for substring (wildcard) filtered searches against attributes with distinguishedName syntax. This makes the directory index distinguishedName values using the LDAP string form.

 

For example, the following attribute:

member: cn=joeBloggs,ou=users,o=CA,c=AU

will match the following filters:
(member=cn=joe*)
(member=*AU)
(member=*users*)

Note: The search filter does not support virtual attributes, for example, the member attribute populated by dynamic groups.

00326444

DE144136

DXserver

An issue has been resolved where executing the start-up script ("/etc/init.d/dxserver start" or "service dxserver start") when the DSAs are already running will leave the running DSAs in an invalid run state. The invalid state is where the DSAs are running without pid files under $DXHOME/pid preventing the "dxserver status" and "dxserver stop" commands from working. Note: we recommend starting DSAs using the dxserver binary (as the configured dsa user) rather than start-up script.

00263264

DE138821

DXserver

A multi-write replication issue has been resolved when replicating over an SSL encrypted link. If the link between DSAs hangs up while a master is sending to a slave, the multi-write queue for the slave can enter an invalid state causing the master to stop replicating. When this occurs, the warning "No MW response from DSA '{Slave DSA Name}' in last 60 seconds" is displayed every minute until the master is restarted.

00334990

DE153975

DXserver

A dynamic group issue has been resolved that has the potential to cause the following alarm message to be continually displayed.
r:/head.new/dxgrid/src/dsa/rstack/support/xmpool.c(326): Assertion failed

00332527

DE154865

DXserver

A CA Directory issue has been resolved where a search request returning a dynamic group will now populate the member attribute when a return attribute list is specified.

 

ServiceCloud No: 00328650  Rally No: DE144532
To improve integration with WebSphere Application Server, dynamic group membership searches have been expanded to support LDAP filters of the following form:

   (|(&(A)(B)(C)(...)(member={DN}))(&(D)(E)(F)(...)(uniqueMember={DN})))

Note: {DN} must be the same in both sections of the filter.

00314752

DE143115

DXserver

A timing issue has been resolved where the same DSA is used to process a view request with a search phase that includes dynamic group searches. A view search would periodically return unwillingToPerform instead of the expected search result.

 

DE155915

DXserver

Newly created Windows DSA services are now configured as "Automatic (Delayed Start)" instead of "Automatic". This is to allow time for operating system networking services to start up that can impact hostname resolution.

00352422

DE157530

JXweb

Fixed an issue in JXweb where uploading jpegPhoto using Chrome browser would cause NullPointerException. This was because Chrome used mixed-case boundary string for the multi part form data and JXweb was not handling this correctly.

 

DE157588

DXserver

Some SSL information was missing in trace/logs following a previous enhancement in SP17. This is now fixed.

 

DE157589

DXserver

Fixed an issue where the "get ciphers;" command was returning the wrong set of values when the DSA was configured to use "protocol = tlsv12".

 

DE158234

DXserver

Fixed a search performance issue when relaxed-not-search is enabled. The root cause was the introduction of redundant conditions for a search filter that involves a nested not expression, eg. "((a=*)(!(|(a=j)(a=k))))".

 

DE139252

DXserver

The DSA will now use <num> threads (set user-threads = <num>;) when building indexes at start-up. Before this change, the DSA was limited to 8.

 

DE171433

DXserver

Fixed DSA crash in _GLOBAL_OFFSET_TABLE_ when built using later versions of gcc (eg. 4.8).

 

DE171227

DXserver

The limit of 30 on the number of horizontal partitions supported by the configuration has been removed. Any number of DSAs can serve in a horizontal partition configuration, as long as there is at least one DSA defined for each partition ID.

 

DE171204

DXserver

Fixed an SSL/TLS issue where dxsearch, dxmodify, dxrename & dxdelete would fail to negotiate a shared SSL protocol version when the DSA was configured to only use TLSv1.2 (protocol = tlsv12 in set ssl command).

 

DE174464

DXserver

The performance of the enhancement to roll-over log files when max-lines is reached (US32008) has been tuned to remove unnecessary delays when a log roll is in progress.

 

DE176094

DXserver

The dxinfo will no longer collect the same log file more than once. This issue was introduced by enhancement US179310.

 

DE175079

DXserver

The DSA no longer produces an assertion failure when cleaning up a SSL connection while a SSL handshake is in progress. This issue was introduced in newer versions of OpenSSL (>= CAPKI to 5.1.0).

 

DE186749

DXserver

A configuration validation check when using multi-write group hubs has been improved to ensure there is one hub for each group for each prefix. Previously, the check only ensured there was one hub for each group.

00454002

DE198421

DXserver

Fixed a memory leak issue that was introduced by a bug fix in SP17. A leak of 4kb occurred for each bind request, when password policy was enabled.

00440843

DE199294

DXserver

A performance issue has been resolved that occurred when the grid DB synchronized with disk for the first time after a restart. Symptoms of this issue include a "Forced sync" warning message and the DSA not servicing requests for an extended period of time.

00471975

DE202799

DXserver

Corrected unique attribute checking by not returning an error when the unique attribute is being replaced with the same value.

 

DE200933

DXserver

DSA no longer processes update operations in the main thread.

 

DE203165

DXserver

Fixed an issue where the DSA could hang when connections are aborted. The root cause was unlocking of a wrong mutex.

 

US149339

DXserver

CA Directory now supports scrypt and bcrypt hashing of the 'userPassword' attribute.

 

This is controlled by the 'set password-storage = <hashMethod>;' command, where <hashMethod> for the new algorithms can be 'scrypt' or 'bcrypt'.

 

US222239

DXserver

The Linux version of DSA is now built with ASLR/PIE (Address Space Layout Randomisation) enabled. On systems that support ASLR, the dxserver process memory space is randomised to prevent exploits.

00487553

DE224006

DXserver

Fixed a crash when a slave DSA receives mwdisp deletions on parent entries with child entries. This crash only occurs when dxgrid-queue is false.

00487377

DE224007

DXserver

A slave DSA may switch out of recovery mode prematurely after applying shadow updates. This causes problems when there are still pending updates and at the same time the slave DSA begins to accept client updates. This is now fixed such that the slave DSA always waits for a confirmation from the master DSA, which is received after pending updates.
