Change Download Preference


{{errorInSavingPref}}
Current Preference
{{dwnldPreference}}
Change Preference to:

CA ControlMinder 12.7 release FIXLIST

Service Packs are accumulated therefore fixes included in previous releases are not mentioned in the FIXLIST

Last Updated: June 03, 2013

No. Severity Problem summary Package OS Cause of the problem Conditions Solution or workaround Reproduction steps Problem ID TestFix / PublishFix
1 3 Fixes an issue with ControlMinder where the password is not validated on the Sybase endpoint. AC126SP20018 All The problem occurs when creating a Sybase Endpoint, and an invalid password is entered for the admin account. SAM accepts the password and all further SAM activities involving accounts on this endpoint therefore fail.     Steps taken:
1. Sybase endpoint is created sucessfully with the correct admin password
2. Discovery of priv accounts is successful
3. Sybase endpoint is now modified with an incorrect password.
4. The status is a Success. The endpoint is sucessfully modified without any error message shown on the screen
5. The subsequent discovery of accounts throws an error (login issue) which it should
6. Modify the same Sybase endpoint now with the correct admin password
7. The step shows as success.
8. The subsequent discovery is a success
30 T5P7194, T5P7195
2 2 Fixes an issue with ControlMinder where the central database deployment scripts failed to deploy. AC126SP20038 All            
3 2 Fixes an issue with ControlMinder where the Identity Manager console is disabled after upgrade. The enabled=true token is overwritten. AC126SP20048 All            
4 3 Fixes an issue with ControlMinder where the filters used to query UARM does not properly work. AC126SP20055 All UARM does not support 1 bracket in the filter (event_logname EQUAL CA Access Control) OR (event_logname EQUAL eTrust Access Control) Should be ((event_logname EQUAL CA Access Control) OR (event_logname EQUAL eTrust Access Control)).   There are 2 possible workarounds:
1 . Open the idmmanage then Export the a role definitions and add the brakets then import the role definitions and restart the ENV

2 . In the ENTM GUI Users and Groups -=^ Tasks -=^ Modify Admin Tasks and then filter Reports to find the Resource by Host report. If you edit/modify this report in AC using the Tabs's tab there is a filter (event_logname EQUAL CA Access Control) OR (event_logname EQUAL eTrust Access Control) this filter needs to be changed to ((event_logname EQUAL CA Access Control) OR (event_logname EQUAL eTrust Access Control))
In the ENTM GUI Go to : Reports - CA Enterprise Log Manager Select and click on report link    
5 2 Fixes an issue with ControlMinder where the JBoss does not stop because Oracle service did not complete start up  AC126SP20062 Windows all            
6 2 Fixes an issue with ControlMinder where modifying and updating a policy through the UI fails. AC126SP20098 All The problem occurs because on modifying and upgrading a policy through the ENTM UI, the upgrade fails and shows a java exception in the JBoss server.log file.   Code change- Check if can access to array index number 2 when upgrading policy Not reproducible, sometimes when trying to upgrade policy at ENMT UI getting an error ArrayIndexOutOfBoundsException: 2 113 T5P0117
7 4 Enhanced the following ControlMinder SAM reports on UAR:
 User id creation / deletion (ENTM Users)
User id Password reset request (ENTM Users)
Request & Approver User addition / deletion
Request & Approver Group addition / deletion.
AC126SP20102
AC126SP20148
All         34 T50V002
8 1 Fixes an issue with ControlMinder where several date and time inaccuracies were found in the SAM Request page and CABI Reports. AC126SP20112 All         44, 38 T5P0127, T5P0122
9 3 Fixes an issue with ControlMinder where the SAM report shows incorrect time. AC126SP20126 All The problem occurs because the SAM interface shows incorrect time. For example a checkout operation was performed at 16pm (current time of server) but SAM interface shows that it was done 3 hours later (19 pm).   Convert LastSuccessConnectionDate field to browser time zone 1. perform check-out for privileged account.
2. at My Privileged Accounts page open press on Show at Show Details
3. Last Checkout Date field display as GMT time zone
40 T5P0124
10 3 Fixes an issue with ControlMinder SAM where the wrong method is used at the email template notification. AC126SP20127 All The wrong method is used at the email template notification. It takes the current logged in user email address instead of the original user who perform the request.     1. login EntM as requester
2. request privileged account with past start date. e.g. current daet/time: 4/23 16:00 start date: 4/23 15:30 valid until date: 4/23 16:30
3. login EntM as approver
4. approve the request -=^ notification email is sent to requester address; this is expected
5. login EntM as requester
6. request privileged account with future start date. e.g. current daet/time: 4/23 16:00 start date: 4/23 16:30 valid until date: 4/23 17:30
7. login EntM as approver
8. approve the request
9. wait till start date -=^ notification email is sent to approver address; this is NOT expected
   
11 2 Fixes an issue with ControlMinder where change authorization on a particular resource is not updated and new authorization is not applied. AC126SP20151 LINUX The problem occurs because there is issue with the cleanup. As a workaround change the order of the commands. First delete a calendar, next create the calendar.     1. Create a file resource (in the EP)and add an authorization with a calendar
2. Change the authorization by selecting a new calendar
3. Access to the file resource(in the EP) is blocked even though the authorization says that access should be allowed In the example audit below I am:
1. Adding a new file resource /tmp/MyFile.txt with default access none
2. Authorize user root to have full access with the calendar 2012_42
3. User root successfully accesses the file
4. Change the existing authorization to use the calendar 2012_43 instead (which should also give access)
5. User root is denied access to the file
   
12 2 Fixes an issue with ControlMinder where the xml files are accumulated by the report server in the JBoss temp directory and are not deleted. AC126SP20156 All The problem occurs because the report agent sends the same xml files with the same snapshot id by the same host name due to a duplicate PK at database.   Code change - Delete xml file while having a failure of processing the xml due to duplicate PK at database   140 T5P0136
13 2 Fixes an issue with ControlMinder where an error occurs after integrating with SiteMinder. When enabling the integration with SiteMinder the "Connection Object Name" (as displayed in the Management Console) shows an incorrect value of 00-. AC126SP20175 Windows all       Reproduction steps 1. install AC (create environment) using LDAP Directory with Settings HOST:PORT Credentials (straight by implementation guide) we have CA Directory as the user store.
2. Integrate AC with siteminder.
3. After enabling the AC integration with SiteMinder the "Connection Object Name" (as displayed in the Management Console) shows a value of 00- which I suspect is wrong.
122 T000054
14 4 Fixes an issue with ControlMinder where the policy version is sorted alphabetically rather than numerically. AC126SP20179 All       Reproduction Steps are
(1) Login to ControlMinder GUI
(2) navigate to "Policy Management" =^ "Policy" =^ "Policy" =^ "View Policy"
(3) Select a policy with 10 or more versions
(4) "Version History=^
(5) Sort on Version column.
120 T000053
15 3 Fixes an issue with ControlMinder where the ValidUntil filed is not presented in local time zone AC126SP20181 All       1. For Privileged Account set value to Check out Expiration filed
2. Check out this account
3. By Checked-out By: filed there is value for Valid Until date this value shoes as GMT time instead of browser time zone
40 T5P0124
16 2 Fixes an issue with ControlMinder where the Initiated by and Approved by fields in the View Submitted Tasks screen ignored the entered values and failed to return search results. AC126SP20206 All            
17 3 Fixes an issue with ControlMinder where searching 'My Privileged Accounts', Advanced option and select "Include break glass accounts" ControlMinder displays both Break Glass and shared accounts. AC126SP20215 All         42 T4A5073
18 3 Fixes an issue with ControlMinder where the  policy dependency button is missing in the UI. AC126SP20219 All The problem occurs because the add button in the UI is missing when adding elements to the table in Policy Management, Modify Policy, Policy Dependency.     1) Login to Control Minder ENTM UI by enterning credentials. 2) Go to Policy Management tab, select policy tab, select policy and click on Modify Policy. 3) Go to Policy Dependency tab. 4) In this section the following message is displayed "Add elements to the table using the 'Add' button". However there is no such button in the UI. 125 T000055
19 3 Fixes an issue with ControlMinder where the database integration does not work when SAM Oracle endpoint is defined with extra attributes. AC126SP20274 All   The existence of the Port and Service Name values within the PUPM endpoint definition A work around is to remove the Port and Service Name values from the PUPM endpoint definition.      
20 3 Fixes an issue with ControlMinder where the deployment audit takes longer than required for large deployments (around 7000 objects). AC126SP20289 All The problem occurs because ControlMinder does not have a mechanism to receive all the deployment objects from the DMS using paging. Using filters helps but not resolve the performance problem.   Fix Summary :
1. A new drop down menu was added to filter deployment audit by "Time Period". Values are " 1 Day, 7 Days, 30 Days, 60 Days, ALL" . default value is "7 Days" (Previously was "ALL)
2. The "Creation Date" column (that shows the deployment creation time) was changed to "Last Update" (show the deployment update time)
3. The deployment error column size increased from 8 lines to 100 lines.
Deployment Audit When we have many deployments and gdeployments (70000 objects), it takes many time (4-8 minutes) to receive the results in the deployment audit UI 132, 586 T4A7036, T4A7037, T4A7038, T4A7039
21 3 Fixes an issue with ControlMinder where session hijacking can occur. After a successful login a new session id is created to prevent session hijacking. AC126SP20294 All The problem occurs because the facesViewId parameter is vulnerable to non persistent cross site scripting.          
22 3 Fixes an issue with ControlMinder where a user (who has an open session and is in the My Accounts page) can access accounts and perform actions even when he is deleted. AC126SP20308 All The problem occurs because no user validation is executed in actions from the My Privileged Accounts page.     1. Create a user, provide this user access to privileged accounts.
2. On another computer open a browser and login as the new user.
3. Go to the "My Privileged Accounts" page.
4. From the original computer delete the user.
5. Go back to to new user's ENTM page, try to check-out an account.
6. You should see an "Error" without explanation.
50, 56 T537730, T537731
23 2 Fixes an issue with ControlMinder where SAM user login fails when integrating a password consumer to an endpoint with IPV6. The result is connection DB failure at the .asp page and data is not retrieved.                AC126SP20349 Windows 2008       1. Define endpoint type mssql and connect it to Windows 2008 machine which have ipv6
2. Define password consumer
3. When trying to fetch table data getting an error at the asp page
47 T5P0129
24 2 Fixes an issue with ControlMinder where the Message Queue 'create subscriber' function fails during installation AC126SP20354 All The problem occurs because during installation of ENTM, the  durable permission is not set to ac_server_to_endpoint_broadcast topic.          
25 2 Fixes an issue with ControlMinder where View My Tasks shows no results when an AD is the user store. AC126SP20373 All The problem occurs because of a regression issue due to a change in PersistenceProvider.insertTaskSessionEvent() in r12.6. AD user store   1. Use AD as user atore
2. Define at least one privileged account
3 Login as an ordinary user (must not be member of "System Manager") and access the task "Privileged Account Request" and submit a request for a privileged account.
4. As the same user access the task "View My Submitted Tasks". It will show no submitted tasks, although you just have submitted the above one. If doing the same by using the native user store the just submitted task will show up.
   
26 2 Fixes an issue with ControlMinder where Report Agent sends config entry duplicate record which doesn't contain any relevant data. Policy version field comes with long value which doesn't match database schema AC126SP20392 All The problem occurs because of the following points:
The snapshot xml is sent from the same host more then once.
 
The xsd definition report can't handle the version object as its too long to handle and can't be restored at the database.
      140 T5P0136
27 2 Fixes an issue with ControlMinder where database error occurs which discloses that the DB in use is SQL. AC126SP20398 All The problem occurs because a malicious input was provided for the parameters: Filter.0.Op
SQL Error appears in response: ORA-00936: Missing Expression .
         
28 2 Fixes an issue with ControlMinder where the cookie is not marked As HTTPOnly cookie attribute. This makes a valid user's session ID vulnerable to attacks. AC126SP20415 All The problem occurs because the HTTPOnly attribute is not set, the browser (which supports the attribute) allows any client-side script to access the value of the cookie. An attacker can thus gain access to a legitimate user's session ID.

         
29 2 Fixes an issue with ControlMinder where session fixation attacks occurs. AC126SP20417 All            
30 3 Fixes an issue with ControlMinder where in the task "Privileged Account Request" where user is able to specify a
"Start Date" and an "Valid Until Date", the "Start Date" will follow the language setting that you have in the browser, , but the "Valid Until Date"
will always be in English.
AC126SP20435 All       1. Create a Privileged Account Request (browser should be in non-english locale)
2. See that the month in Start Date and Valid Until Date are in different locales
   
31 3 Fixes an issue with ControlMinder where the Agent Manager terminates and restarts in an endless loop if specifying a bad config parameter for the Agent Manager, e.g. a not valid queryFilter the Agent Manager. AC126SP20438 All       1) install ENTM
2) Stop AC.
3) set a wrong filter in HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Common\AgentManager\Plugins\AccountManager\QueryFilter
4) Start AC.
5) AgentManager will terminate but then immediately be re-started by the Watchdog end then terminate again and so on for-ever in an end-less loop.
592 T537728
32 2 Fixes an issue with ControlMinder where the Break Glass Justification field is disabled. AC126SP20450 All       1. Create break glass request with justification that contains more than four lines.
2. Open IE browser, and open the work item of the approver for the requested account.
3. The justification field has a scroll bar but it is disabled.
136, 123 T5P0131, T5P0125
33 2 Fixes an issue with ControlMinder where there was no audit of Breakglass approved and rejected events. AC126SP20451 All            
34 2 Fixes an issue with ControlMinder where there was no audit of Breakglass approved and rejected events. AC126SP20452 All         133 T50V009
35 3 Fixes an issue with ControlMinder where a hostname error occurs when selecting a group in the UNAB Policy creation. AC126SP20456 All Validation should be when inserting a user or group manually and not when searching the database of users and the compare should be if the user or group are in the database or active directory and not between the domain     1 .Go to Policy Managment =^ Unix Authentication Broker =^ Manage Host Login Authorization
2 . Select host
3 . Try to add user or grop from the user store .
4 . Warning will display "Cannot resolve domain name.
Verify that the host is registered in the domain that Active Directory is registered at"
135 T50V010
36 3 Fixes an issue with ControlMinder where the system Audit log shows no results when searching for Force. AC126SP20460 All       1.CheckOut any privileged account.
2.Force Check-in Checked account.
3.Go to System -=^ Audit -=^ View Submitted task search screen and setup search filter like "Force".where task name contains Force.
Problem: no results are returned
   
37 2 Fixes an issue with ControlMinder where users are able to use Privileged User accounts even after valid time expires. AC126SP20475 All The problem occurs because no validation is done when a user still has access to the account while performing check out.     1. Request a privileged account for account having an RDP for a period of 5 minutes
2. Approve the request
3. Login as requester and perform RDP with the requested account
4. Wait for 5 minutes do not navigate to any other page, a message box appears informing that the account accessibility expire and the RDP window close
5. Next attempt to RDP to the same account will success although the account is no longer avialble for the user
49 T000057
38 1 Fixes an issue with ControlMinder where CABI reports did not include information on who has privileges to perform Breakglass tasks. AC126SP20488 LINUX         56 T537731, T537733
39 2 Fixes an issue with ControlMinder where the participant resolver is not working properly.  AC126SP20502 All CUSTOM1_INFO field is not populated     1) Go To : C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war\WEB-INF\lib Copy PrivilegedAccountApprover.jar into that folder
2) Enable idmmanage
3) Go to http://<box name>:18080/idmmanage/
4) Browse Home › Environments › ac-env › Advanced Settings › Workflow Participant Resolvers create new "Workflow Participant Resolver" Set Name as : PrivilegedAccountApprover (display) Description : any thing related to approver Class (IMPORTANT) : com.vcc.participantResolvers.PrivilegedAccountApprover 
5) Save - restart ac-env(in GUI)
6)Restart JBOSS
7) Then open GUI .. go to Modify Admin Task and Select "Privileged Account Request" select resolver Description as PrivilegedAccountApprover
8) Create privileged access role 'MyRole', set owner to required users in members section
9) Modify Previliged Account, select an account, go to information tab
a)enter owner field
b)Enter MyRole created, in custom1 field
46 T000056
40 3 Fixes an issue with ControlMinder where the deployment audit results are not displayed in the specified column. AC126SP20542 All       1. Unassign policy from host group with 3 hnodes. Make sure that the policy fail on one of them, (the deployment should contain errors)
2. perform deployment audit task from the UI, drill down to the unassign trigger, check that you see the deployment with output.
3. Try to sort by status or date. the output column should now displayed in a wrong row (for example with status success or fail instead of warning)
586 T4A7043
41 3 Fixes an issue with ControlMinder where the tibemsd process still runs even when the CA Access Control Message Queue service is stopped. AC1270064 Windows all The problem occurs because the service exits before terminating the tibemsd process.     Stop service "CA Access Control Message Queue" and verify that process tibemsd is still running 599 T537734
42 2 Fixes an issue with ControlMinder where during Server installation on Japanese operating system, garbled strings appeared in the summary screen AC1270306 Windows all