Change Download Preference

Current Preference
Change Preference to:

CA ControlMinder r12.6-CR1 FIXLIST

All Service Packs are accumulated therefore fixes included in previous releases are not mentioned in the FIXLIST

Last Updated: June 27, 2012

No. Severity Module Problem summary Package OS Cause of the problem Conditions Solution or workaround Reproduction steps Problem ID Test Fix ID / Published ID
1 3 Win endpoint user mode, Unix endpoint user mode

The response time from ENTM is very slow when tried to retrieve data about the Hosts/policies/deployment audit.

The fix include the following main fixes:

  1. Improve the performance of the UI when browsing to Deployment Audit screen which fetch data from a large scale of DMS.
  2. Performance improvement of Policy Management search screens and World View.
  3. Add the ability to assign unlimited number of hosts to host group in one transaction.

The fix include few more fixes:

  1. Increase the host/policy/host group search column from 20 characters to 255.
  2. Add missing search types like Auto Assign and include them in the type search options. (this eliminate the errors for missing types in the jboss.)
  3. Fix NULL pointer exception there are more than 100 deployments in the DMS database.
  4. Fix pop up search (in deployment audit and assign policy screens) to show all the objects.
  5. Fix the world view tab "Results By Managed Devices" to show all the objects.


  1. Using the status filter in the deployment audit will not improve the performance.
  2. Deployment audit: Using wildcard (*) in host/policy/host group filters you can use only "*" or the full object name (i.e. name* is not allowed)

    Do not change the lang query_size registry on the DMS it should be as the default 100.

    To receive the best performance using the deployment audit, use the host or the policy filter.
AC1264856 All         84 T5P0074
2 3 Win endpoint user mode,Unix endpoint user mode DH WRITER DMS and DH are over loaded and not responding. This causes the DMS subscriber of the DH__WRITER to stop responding as well as the DH subscriber of the DMS AC1264860 All    

Workaround - send a policy to all the endpoints to adjust the policyfetcher setting (main change is that the policyfetcher will read deployments every 6 hours which should improve the load on the DH). add a filter file to the DH__WRITER to filter out deployments errors during the recovery process (to limit commands that written to the DH__WRITER audit file).


  1. Policyfetcher : Don't send removed deployments to the DH__WRITER (if not exist on the DH)
  2. Policyfetcher : Control the number of deployment errors that the policyfetcher sends to the DH__WRITER
  3. Policyfetcher : Reload its setting every interval.
  4. Policyfetcher - Change the default setting. (increase the values)
  5. DMS - don't create gdeployment objects that not contain any related deployment. (this should improve the deployment audit performance)
3 3 ENTM ENTM is able to modify password of RACF endpoint account even though a wrong password policy is assigned to RACF prv account.RACF does not allow AC1264552 All            
4 3 ENTM AC126_oracle_script.sql is missing comment line "/*Script Version...".
Because ORACLE must set blank at following "/*"
So, while customer run the deployment script for ORACLE, it gets error:
SP2-0103: Nothing in SQL buffer to run.
AC1264636 Windows 2008     Insert spaces at the comments sign to avoid a failure of executing the script      
5 2 Unix endpoint user mode selogrd crashed on USER TRACE record when configured to route target "syslog" AC1264973 UNIX All When selogrd daemon starts the following errors appear:

...selogrd[27680]: [ID 110003 daemon.error] Error 6152
[m] setting up API destinations.

...selogrd[27680]: [ID 230063 daemon.error] Error

description: Could not resolve API extension function
      1706 T5P7139
6 2 ENTM When customer checks out and checks in In same session, the audit log is
duplicated at Privileged Account Audit log.
AC1264964 Windows 2008     To Avoid of duplicate reported events, check if the event was added to the returned vector the key of the event is Task session Id, Account Name , End point type and observe IT session Delete duplicate validation message request for Privileged Account with Valid until date earlier than the Start Date, there are two validation message each one of them is duplicate Check-out and check-in account. Two identical audit records are seen in Privileged Account Audit 12 T5P0091
7 2 Windows endpoint user mode The FILE entry in audit,cfg does not stop writing records generated by access to protected internally AC file resources. AC1264966 All      
  1. stop AC and edit audit.cfg
    add following entry to audit.cfg
    FILE;C:Program FilesCAAccessControlData*;*;*;*;D
  2. start AC
  3. access to <ACDIR>Datahelp> echo aaa > "C:Program FilesCAAccessControlDataaaa" access denied
  4. check audit log
    • no audit log for the access on step 3.
    • this is expected
  5. access to <ACDIR>Datahelp again> echo aaa > "C:Program FilesCAAccessControlDatahelpaaa" access denied
  6. check audit log
    [expected result] the access log for step 5 is filtered same as step 4
550 T5P7150
8 1 Windows endpoint user mode memory leak with seosagent when commands are continously sent to the DMS and DH__WRITER AC1264971 All      
  1. Check the memory growing issue:
    define a user with short name or change an existing user to short name - i.e
    - use101 instead of <domain>\user01.

    With this user run selang script(file with many selang commands) using "selan
    g -f" the script should host to the DMS and perfrom many commands. run another script that sends commands to the DH__WRITER
547 T5P7138
9 2 ENTM If there is approved privileged account request, the request for same
privileged account causes override of previous approved request even if the request time range for both request is not overlapped.
AC1264953 Windows 2008      
  1. login EntM UI as requester and request a privileged account with future time range

    current time is 04:00 P.M
    request time 05:00 P.M - 06:00 P.M
  2. login EntM UI as approver and approve above request
  3. login EntM UI as requester again and request same privileged account
    with different time range

    request time 07:00 P.M - 08:00 P.M
    This will cause override of previous approved request.
10 T5P0088
10 2 ENTM Password change event recorded as GMT when
he checked in as privileged account
AC1264954 Windows 2008 Customer found the password change event recorded as GMT when he checked in as privileged account.

At time of TASKSESSION description in audit log, 9 hours behind now.
  1. Requester check out Privileged Account via Enterprise Management GUI.
  2. Approver force checkin
  3. See the audit log for force checkin event.
12 T5P0091
11 2 ENTM If multiple accounts are selected on automatic account reset and one of account failed, audit log shows same failed logs for all accounts though the reset for the other accounts is not failed. And password history failed to save for the account whose password is actually reset. AC1264957 Windows 2008      
  1. create 3 native accounts on Windows endpoint (let's say test01, test02
    and test03)
  2. create windows agentless endpoint and create privileged account for above 3 accounts via [Discover Privileged Accounts Wizard]
  3. on [Automatic Account Reset], select above 3 accounts and reset.
  4. on [Show Previous Account Passwords], check the latest password for each
    account and confirm the password is valid (login using the password).
    -> all 3 accounts can login using the password. this is expected behaviour.
  5. remove one of native account to generate error; in this case let's
    remove test2
  6. do step 3 again
    • this failed because test02 was removed on endpoint in step 5.
  7. check audit log on [Audit Privileged Accounts]
    there are 3 same audit logs for each account though password reset for
    test01 and test03 was completed successfully. The task detail (clicking
    left button of each audit log) shows same included events for all logs; completed two reset events and one is failed. And also, there are two failed events for saving password history.
  8. do step 4 again.
    test01 and test03 cannot log into endpoint using the latest password shown.

    This can prove that password reset for test01 and test03 completed successfully (password was changed) but saving password history failed.
10 T5P0088
12 3 ENTM Problem to filter hosts in the WorldView if the host not exist in the first 100 hosts. AC1264920 All Bug in the World View search implementation   Fix and improve the search method to return all values Try to filter for host (i.e s*) that is not in the first 100 results (100 results found using *) 96 T5P0090 / RO45508
13 2 ENTM While monitor service is running one request data is override the othe request data AC1264928 Windows 2008     Transfer the data by the account password object and by task session
  1. create two privileged account request for future start date
  2. Approve the requests
  3. While monitor service is running one request data is override the othe request data
9 T5P0087
14 2 ENTM Two events are reported for the same task session one is Privileged account exception event the second is Check in evebt. both are reported for the same task session thus are shown two event with the same details at the Audit page AC1264902 Windows 2008 Two events are reported for the same task session one is Privileged account exception event the second is Check in evebt. both are reported for the same task session thus are shown two event with the same details at the Audit page   Avoid of duplicate audit events while having a privileged account Exception event. Skip of reporting the second event (check in account event)to PPM Audit table
  1. Request an privileged account with Auto log in setting and set the valid until to be 5 minutes ahead
  2. Approve the request
  3. log in as a requestore and Auto log in tho the requested account
  4. Wait untill the account expiration (time of valid until date).
  5. at the Audit privileged account there are two identical reported events
9 T5P0085
15 2 ENTM Start Date is not converted to browser time zone AC1264908 Windows 2008 After PU request is approved, then create another request. Then override message is displayed but displayed date and time is 9 hour behind.   Convert start date to be despaly as browser time zone For message The user was granted access to the account, that has a Start Date %7B0%7D. Continuing you will override all previous requests.
  1. create a Priv Accnt request start date one hour from now
  2. Approve the request
  3. Request Priv Accnt request as same account
9 T5P0088
16 2 ENTM ENTM with Oracle/dxlink setup throws an error AC1264910 Windows All install Mars CR build v 1293 userstore Dxlink
platform-Windows 2k8r2

Object store->Oracle11
userStore-> Dxlink

After installation,when I click on endpoint I get the following error

Ora01-400:Cant Insert NULL into("<DBusernam>"."TaskSession"."Org_dn")
17 3 ENTM Password policy with integrated system with site minder doesn't work AC1264912 Windows 2008 Password policy with integrated system with site minder doesn't work   Skip routing to site minder use native password policy
  1. ergare ENMT with site minder
  2. to create or modify password policy under Users and group tab
  3. Getting an error
9 T5P0085
18 2 ENTM When having a pendin Not started request, the dalidation for the next request for the same account throw an exception AC1264918 Windows 2008     Allow to have more than one waiting request at Privileged account not started. Filter out Approved request (AccountPasswordsSearchHandler) for MY accounts tab which are duplicated by user Id and account Id
  1. create 3 different requests for the same account, each request had a future start date and future end date Each request with different stat date and end date
  2. I approved all 3 requests
  3. re login as a requestor and request for the same account for the 4th time. Can't proceed with the request
9 T5P0085
19 1 ENTM Sometines the in memory JMS connection factory is corrupted AC1264895 Windows All DELETE PRIVILEGED ACCOUNT Exception   do not use the in memory connection factory recreate the connection factory and try to get the session again Sometines the in memory JMS connection factory is corrupted this case can't be reproduced In case need to senf JMS message getting an error jmsexception could not create a session    
20 2 ENTM Port down from 12.6 SP1 AC1264897 Windows 2008     Reset Action List after comitting an action
  1. Login to ENMT
  2. Navigate to Home -=^ My Accounts -=^ My Privileged Accounts page.
  3. Select "RDP(Recording)" from the Actions of the user at the bottom of the page.
  4. Actions of all Windows Agentless accounts turn into "RDP(Recording)".
  5. The contents of the page remain after logging off the remote desktop and letting our ActiveX component check-in the password.
  6. Close and reopen the My Privileged Accounts page, then the page is updated properly.
8 T5P0085
21 2 ENTM the account object is cached in Both browser by the same time performing any action on one user browser update the database but the other task session still keep the old instance account object AC1264899 Windows 2008     Reload account password object before performing any action
  1. Login to the server as Administrator.
  2. Start Firefox and login with user A
  3. Start IE and login as user B.
  4. Brows to bith users My account tab verify that both users have oriviliges for the same account
  5. User A checks out the account in Firefox.
  6. user B checks out in IE.
  7. Confirm the same password is checked out in the both windows.
  8. Press "Search" button in user A Firefox window.
  9. "Checked Out" status is cleared in the screen.
8 T5P0085
22 3 ENTM ENTM with Ora/dxlink setup throws an error AC1264900 Windows All       Steps:
install Mars CR build v 1293 userstore Dxlink platform-Windows 2k8r2 Object store-=^Oracle11 userStore-=^ Dxlink After installation,when I click on endpoint I get the following error Ora01-400:Cant Insert NULL into("^=DBusernam=^"."TaskSession"."Org_dn") Installation logs and screenshot is uploaded at ftp://istadv10//R12_6_CR/QA/20748716

Note: This issue was a showstopper in mars.So Oracle Db was not supported with Dxlink in Mars.
23 2   When an endpoint is deleted, it does not go through and prompts an
ssl://localhost:7243 error
AC1264881 Windows the CA message Queue service was not turned on. We go ahead and turn on the CA message queue service. Log into the pupm to try delete the endpoint again. However, it is not the list and is assumed to be deleted. We check the audit logs and the deletion task is not present.          
24 2 ENTM if the temporary password has a > , the
characters proceeding it are not displayed. However, the temporary password
is displayed correctly in the email notification.
AC1264882 Windows            
25 2 ENTM There is areference ID to user table when the user delete no reference found to user table AC1264883 Windows     Store the user name instead its reverence ID
  1. Setup ENTM with RDBMS as user store
  2. Create a user and permit user to request privileged accounts.
  3. Request and checkout/checkin a privileged account with this user.
  4. View Privileged Accounts -=^ Audit Privileged Accounts to confirm username is displayed properly in Initiated by column
  5. Delete the user from Enterprise Management. Wait a minute or two to process deletion completely and confirm user is deleted.
  6. View System -=^ Audit Privileged Accounts data. The username is displayed as a number in the Initiated by column where previously it had been the username
26 2 ENTM When log in through Site Minder User DN is the loged in user name while we are expecting to have the user ID AC1264854 Windows 2008     Get User DN by getting the unique name Changing a methos call to getUser().getUniqueName() insteed of getUserDN()
  1. login to EntM via Site Minder login screen.
  2. navigate to My Privileged Accounts
  3. select Checkout action. ==^ there is no Checkin action appears.
8 T5P0081
27 2 ENTM Events are recorded towice, during check out event and during check in enevt, both relates to the same session ID AC1264863 Windows 2008     Skip of recording a check in event in case having a check out event
  1. login to EntM
  2. Navigate to "My Privileged Accounts" from "Home" tab.
  3. Check out an account.
  4. After completion of check out, then check in it.
  5. Navigate to "Audit Privileged Accounts" screen and click search. Privileged Accounts -=^ Audit
  6. You will see the check in log is duplicated.
8 T5P0081
28 2 UNAB Unable to undeploy unab policy on the endpoint AC1264836 Linux      

For some host, create a policy with one group say UNAB - It happens fine
For same host, remove the group - It happens fine
For same host, edit the same by adding another group say UNAB - It
happens fine
For same host, remove the group - It says Task submitted. No changes

Expected Result:
The change should be made. The policy should be undeployed.

Actual Result:
It says Task submitted. No changes made which is wrong.

96 T5P0090
29 3 ENTM Assign many hosts to host group, cause error AC1264839 ALL    
  1. Increase the selang command definition from 512 to 256
  2. Issue selang commands in a loop (to assign hosts to host group) 15 hosts per command.
  3. Return with failure if we try to create an existing host group.
  84 T5P0074
30 2 ENTM the browser time zone is initialize during the log in page when loh in through Site Minder the browser time zone is not initialize AC1264840 Windows 2008     When having time zone at broserTimezone attribute get it otherwise use the server time zone which has been initialize in it's declaration
  1. login as requester via SiteMinder interface
  2. request for Privileged Account ,for example Dec 16 19:00 - 19:30
  3. logout requester and login Approver.
  4. click worklist and select Privileged Account tab. the start date shifts to GMT time zone
91 T5P0081
31 2 ENTM The log is neing reported during the check in commit and for the Force check in event AC1264848 Windows 2008     Escaping audit log when performing Force Check in. the Audit log report at Force Check in event
  1. login as requester(pupmusr01) and request as 11:00 - 12:00
  2. Approve by Approver(superadmin)
  3. while privileged account is enable, check out by requester(pupmusr01).
  4. login as PUPM Administrator(superadmin)
  5. force check-in for privileged account.
  6. check audit log for this event. Duplicated log for force check-in as 2 line.
91 T5P0081
32 2 ENTM Checking the password policy is rauting to Site Minder which try to handle the action fails AC1264850 Windows 2008     Skip the routing to Site Minder, use AC to perform password polcies actions
  1. open web browser and connect to PUPM integrated with SM.
  2. SiteMinder login screen shows up login to account
  3. PUPM screen shows up
  4. click Home tab
  5. click second link from left
  6. click "change my password"
  7. Change My Password screen shows up Enter new Password / Confirm Password
  8. click "submit" button AT VST there is an error "Error: Password validation failed: Connection timeout." on the screen.
91 T5P0081
33 2 ENTM Two evets ate reported for the same acion Create Privileged Account Exception Not Started Event and Grant Privileged Account Request Event AC1264830 Windows 2008     Remove audit report, Create Privileged Account Exception Not Started Event to ppm audit.
  1. Create privileged account request
  2. Approve the request
  3. Brows to PPM audit page there are two identical reported task events
82 T5P0072
34 3 ENTM Sine the account could not be found we had an exception and the work item remains in working list AC1264831 Windows 2008     Catch the exception, allow the process to complete and report a warning message Warning: [] The ACCOUNT PASSWORD: name: "monawwar" on "ahmmo04-test" Accounts ("Windows Agentless") no longer exists Delete the object from monitor objects as well
  1. Request the privileged account. (This account should not be an endpoint administrator)
  2. Delete the privileged account by superadmin. Privileged Account -=^ Delete Privileged Account
  3. Login by superadmin and you will see the above error when clicking the Work List, cannot approve nor reject the request any more.
82 T5P0072
35 3 ENTM All ui performing action are initialized to client browser locale. The locale is store in hash map, the key is the current running locale. when performing discivery privileged account by using the wizard, it's done in a new thread which the local is not stores in the hash map AC1264832 Windows 2008     Since this execution method is called from a new thread, the locale was not initialize, hence the default one (en) was loaded get the locale from task session and set it on Localizer for any message localization use. The locale kept in hash where the key is current running thread, need to clean the map from this entry by the end of the action

System browser locale: jp

  1. Discover privileged account
  2. brows to the new account, the freindly name of the account was not localized
82 T5P0072
36 3 ENTM   AC1264797 Windows            
37 2 ENTM   AC1264798 Windows      
  1. Launch entm as admin user
  2. Create a windows endpoint
  3. Try to create a account for the same endpoint using feeder with custom fields

Actual result:

  1. Account got created w/o custom fields
  2. CSV file moved to processed folder
  3. Audit shows success

Expected Result:
Account should be created with custom fields

90 T5P0079
38 3 ENTM Policy Management search screen working very slow, as well as the World View AC1264809 ALL The response time from ENTM is very slow when tried to retrieve data about the Hosts/policies/deployment audit.

Wondering if there are any performance tuning steps that can be taken care of inorder to have a better response time
      84 T5P0074
39 2     AC1264777              
40 2 SEOSU Unable to remove a policy dependency AC1264791 UNIX Modify Policy fails with the following errors. I have tryed re-start of ENTM console browser from the actual console machine and a remote machine. The "same signature" error persists.