CA ControlMinder r12.6-SP1 FIXLIST

All Service Packs are cumulative; therefore, fixes included in previous releases are not mentioned in the FIXLIST.

Last Updated: June 27, 2012

No. Severity Module Problem summary Package OS Cause of the problem Conditions Solution or workaround Reproduction steps PID TestFix
1 3 Unix endpoint user mode Fixes an issue with Access Control where Audit routing fails when trying to send from 64-bit system to 32-bit collector and encryption mode is "eTrust". AC126SP10010 UNIX ALL The selogrd obtains and uses an incorrect key for encryption. The encryption function key length value on 32-bit saves as 4 bytes, and on 64-bit saves as 8 bytes. When encryption equals eTrust The solution is to save key length as "unsigned int" which is 4 bytes on both 32-bit and 64-bit systems. 1. Choose 32-bit collector (Solaris, AIX) and 64-bit emitter machine (Linux x86_64).
2. Set UseEncryption = eTrust (in seos.ini) on both collector and emitter.
3. On both collector and emitter, run the command "sechkey -k <some_key>".
4. Start selogrcd (collector).
5. Start "selogrd -d" (emitter) ==> RPC error 11
1672 T3DB088
2 3 UNAB Fixes an issue where a regression bug was introduced into uxconsole AC126SP10012 UNIX ALL   N/A pass the right parameter while calling the uxauth_krb5_preauth API so that the domain part of an account name is not truncated register with verbosity level 3 with an RFC-822-style account name and check the principal that is used. It should be a principal matching the account. Note: currently, following Unix conventions, user account is treated opaquely and no conversion is applied to it, i.e., it has to follow internally-imposed Kerberos conventions where the part after the @ sign is expected to be in uppercase.    
3 1 Unix endpoint kernel mode Fixes an issue with Access Control where the entry value in the file descriptor table increases. AC126SP10024 HPUX IA64         1612 TC61133 (IA64 ), TC61134 (PA-RISC)
4 1 Unix endpoint kernel mode Fixes an issue with Access Control where some folders or files that were not allowed for certain users, are allowed, and some folders or files that were allowed are denied. AC126SP10035 HPUX IA64 AC randomly denies access to certain files to the user used by the SAS N/A N/A N/A 1729 TC61240
5 1 ENTM Fixes an issue with Access Control where it takes 8 minutes to receive results from the deployment audit. AC126SP10048 ALL     Improve deployment audit performance where deployments (>10000) and gdeployments (>3000) by changing the way we retrieve the data from the DMS, fix a null pointer exception that happens when there are more than 100 deployments. Add missing types (AutoAssign/delete hnode/ delete ghnode), show the On Behalf Of user in the Updator field and Load deployment errors on demand (only when opening the result records).   84 T5P0074
6 3 ENTM PUPM reports retrieved from the ENTM console are now updated with history data.
The reports are:
1. Privileged Accounts Request by Approver
2. Privileged Accounts Request by Endpoint
3. Privileged Accounts Request by Requestor
AC126SP10055 ALL       Steps to replicate the problem with the scenario:
Case A:
- A user requests for Privileged Account request for say 30 minutes
- The Approver approves the request for 30 minutes
Capture the snapshot before the expiry of 30 minutes of request
Generate the Report and display the report, the report contains the
Approver Details
------------------
Case B:
- A user requests for Privileged Account request for say 30 minutes
- The Approver approves the request for 30 minutes
Capture the snapshot say 10 to 15 minutes after the expiry of the requested
time frame of 30 minutes
- Request raised at 9:00 AM for 30 minutes
- Approved at 9:00 AM
- Snapshot captured at 9:45 AM
Generate the report and display the report, the report is blank
86 T5P0075
7 3 Windows endpoint user mode Fixes an issue with Access Control when max_len is set 0 customer is not allowed when password rule exist in DB. AC126SP10073 WINDOWS ALL max_len 0 is not allowed set 0 to max_len password rule exist in db N/A 1.first command is successful -> this is ok. AC> eg profgrp password(rules( min_len(6) max_len(0))) 2.second command give the error -> this should be successful AC> eg profgrp password(rules( min_len(6) max_len(0))) AC> eg profgrp password(rules( max_len(0) min_len(6))) AC> eg profgrp password(rules( max_len(0))) AC> eg profgrp password(rules( min_len(6))) ERROR: Password minimum length cannot be greater than maximum length
8 2 Unix endpoint user mode Fixes an issue where wrong program in FILE audit for programs were executed from scripts within trusted scripts AC126SP10090 UNIX ALL            
9 2 ENTM Fixes an issue with Access Control where User DN is too large to be stored in the PRIVILEGED_ACC_EXCEPTION table. AC126SP10094 ALL User DN is too large to be stored in the PRIVILEGED_ACC_EXCEPTION table.   Enlarge APPROVER_ID column in PRIVILEGED_ACC_EXCEPTION table User store AD Try to approve privileged account request by user which as more that 80 characters in his DN The update to PRIVILEGED_ACC_EXCEPTION table used to fail    
10 2 Unix endpoint kernel mode Fixes an issue with Access Control where FILE protection does not work. AC126SP10104 AIX AIX 5.3 OS TL 12 uses "kopen" not intercepted by AC Technology Level (TL) 12 new SEOS_syscall module, OSMIC=b for Technology Level (TL) 12 AC> ef <test_file_path> defaccess(n) owner(nobody) # cat <test_file_path> ==> result success, there is not FILE in trace and no audit records
11 2 Unix endpoint user mode Fixes an issue where the process 'agent' is displayed only when 'issec' is executed. AC126SP10112 UNIX ALL         1681 TC61201 (HP)
TC61202 (SUNOS)
12 3 Unix endpoint user mode Fixes an issue with Access Control where policy deployment fails on Solaris if the policy name is Japanese(DBCS). AC126SP10113 SUN SOLARIS Local data on unix is handled in multibyte which is mismatch with remote(windows) data in UTF8. Enterprise management - windows Endpoint - Unix EUC/SJIS system No 1. Create the Japanese name policy via ENTM WebUI. (Policy Management -> Policy -> Create Policy) 2. Assign this policy to the Solaris end point. (Policy Management -> Policy -> Assignment -> Assign Policy) 3. Deploy it using policyfetcher. 4. It should fail, please check policyfetcher.log and audit.log. Seems the policy name is garbled. policyfetcher.log:(not garbled but ERROR) 16:38:33@Oct 14 2011 - ERROR: command "rmres POLICY (" #01") noexit" returned failures, rv = 10031 audit.log:(garbled) 14 Oct 2011 16:38:33 F UPDATE RULESET +policyfetcher 305 0 \\0x01A5? \0x022301 etr758-sol-1 rmres RULESET ("\\0x01A5? \0x022301") noexit
13 2 Windows endpoint user mode Fixes an issue with Access Control where user SYSTEM defined through ADMIN_USERS_LIST is removed by setup running in NT AUTHORITY\\SYSTEM context(Local System). AC126SP10116 WINDOWS ALL     Setup removes user SYSTEM from seosdb only if runs in context of regular user not as Local System.      
14 1 UNAB Fixes an issue with Access Control where uxconsole core dumps on user registration. AC126SP10118 UNIX ALL         1649 T243828
15 3 Windows endpoint user mode Fixes an issue with Access Control where seosd terminated unexpectedly with more than 1000 TRACE entry in audit.cfg. AC126SP10131 WINDOWS ALL User trace filter records exceed static array. audit.cfg has more than 1000 TRACE entry. Reference Guide updated to note that maximum limit for the trace filter is 1000 records. Verify Reference Guide> Configuration Files> audit.cfg File Filter Audit Records> audit.cfg File Trace Messages On a User Events Filter Syntax 1. stop AC \> secons -s 2. add more than 1000 lines TRACE entry in audit.cfg I added following same 109 entries TRACE;*;*;*;*;*;*;* 3. start AC \> seosd -start
16 2 ENTM Fixes an issue with Access Control where Privileged Account custom fields are not updated through PUPM Feeder. AC126SP10133 ALL       Repro steps:
1. Launch EntM as admin user
2. Create a windows endpoint
3. Try to create a account for the same endpoint using feeder with custom
fields

Actual result:
1. Account got created w/o custom fields
2. CSV file moved to processed folder
3. Audit shows success

Expected Result:
Account should be created with custom fields
90 T5P0079
17 3 ENTM Fixes an issue with Access Control where PUPM XML files in previous versions could not be overwritten due to same object name with different object ID. Consequently when importing the old BIAR on top of existing reports the import of these XML files has failed. AC126SP10153 ALL       Steps to replicate the problem with the scenario:
Case A:
- A user requests for Privileged Account request for say 30 minutes
- The Approver approves the request for 30 minutes
Capture the snapshot before the expiry of 30 minutes of request
Generate the Report and display the report, the report contains the
Approver Details
------------------
Case B:
- A user requests for Privileged Account request for say 30 minutes
- The Approver approves the request for 30 minutes
Capture the snapshot say 10 to 15 minutes after the expiry of the requested
time frame of 30 minutes
- Request raised at 9:00 AM for 30 minutes
- Approved at 9:00 AM
- Snapshot captured at 9:45 AM
Generate the report and display the report, the report is blank
86 T5P0075
18 3 Unix endpoint user mode Fixes an issue with Access Control where PROGRAM/SECFILE untrusted even if the class is turned off. AC126SP10155 UNIX ALL watchdog doesn't check the CLASS is off when untrust/or audit the PROGRAM/SECFILE define PROGRAM/SECFILE resource disable class PROGRAM/SECFILE untrust the program/secfile   AC>nr program /usr/bin/more audit(all) defacc(x) AC>so class-(PROGRAM) #touch /usr/bin/more I saw "U PROGRAM" event but I can run the more command. Currently, the more command is untrusted. So, please run the following commands. AC>cr program /usr/bin/more trust #touch /usr/bin/more I think that you will see the same event. 01 Dec 2011 15:17:05 S UPDATE PROGRAM root 305 0 /usr/bin/more asoklb23 cr program /usr/bin/more trust 01 Dec 2011 15:18:11 O LOGOUT _seagent 49 2 01 Dec 2011 15:18:26 U PROGRAM seoswd 1 512 /usr/bin/more
19 3 ENTM Fixes an issue with Access Control where it takes 8 minutes to receive results from the deployment audit. AC126SP10159 ALL     Improve deployment audit performance where deployments (>10000) and gdeployments (>3000) by changing the way we retrieve the data from the DMS, fix a null pointer exception that happens when there are more than 100 deployments. Add missing types (AutoAssign/delete hnode/ delete ghnode), show the On Behalf Of user in the Updator field and Load deployment errors on demand (only when opening the result records).   84 T5P0074
20 3 Unix endpoint user mode Fixes an issue with Access Control where list too long message doesn't clearly indicate the list. AC126SP10165 UNIX ALL The printing command doesn't point to the list but to the end of the list The join command include more than 40 users in one command. Give less than 40 users to one command. AC> nu t00 AC> nu t01 ... AC> nu t40 -> create 41 users AC> ng acgroups AC> join (t00 t01 t02 t03 t04 t05 t06 t07 ... t39 t40) group(acgroups) -> join 41 users to a group ERROR: Syntax error ERROR: ) group(acgroups) a value list may only contain up to 40 values -> error message doesn't clearly indicate the list
21 1 Unix endpoint kernel mode Fixes an issue with Access Control for a system crash on Solaris 10 race condition between unmount of NFS file system and AC kernel code during path resolving for a file in the same NFS file system. This race condition AC126SP10166 SUN SOLARIS         1687 TC61204
22 3 Windows endpoint user mode Fixes an issue with Access Control where abnormal process class log is recorded. AC126SP10170 WINDOWS ALL         539 T5P7110
23 3 Windows endpoint user mode Fixes an issue with Access Control where PROGRAM/SECFILE untrusted even if the class is off. AC126SP10177 WINDOWS ALL The watchdog doesn't check if the CLASS is turned off when untrust/ or audit the PROGRAM/SECFILE Define PROGRAM/SECFILE resource disable class PROGRAM/SECFILE untrust the program/secfile   AC>nr program /usr/bin/more audit(all) defacc(x) AC>so class-(PROGRAM) #touch /usr/bin/more I saw "U PROGRAM" event but I can run the more command. Currently, the more command is untrusted. So, please run the following commands. AC>cr program /usr/bin/more trust #touch /usr/bin/more I think that you will see the same event. 01 Dec 2011 15:17:05 S UPDATE PROGRAM root 305 0 /usr/bin/more asoklb23 cr program /usr/bin/more trust 01 Dec 2011 15:18:11 O LOGOUT _seagent 49 2 01 Dec 2011 15:18:26 U PROGRAM seoswd 1 512 /usr/bin/more
24 2 Windows endpoint user mode Fixes an issue with Access Control installed on Windows 2003, where the Active Directory protected by Access Control generates audit reports with the wrong user name. AC126SP10179 Windows 2003 Absence of delegation thread token check   Added missing check   535 T5P7101
25 2 Windows endpoint user mode Fixes an issue with Access Control where Blue Screen errors appeared in Windows 2003 R2 x64 servers. The dump files listed the faulting components as drveng.sys. AC126SP10188 Windows 2003         537 T5P7102
26 3 Win endpoint kernel mode Fixes an issue with Access Control where SURROGATE on "Run as administrator" is not audited. AC126SP10203 Windows x86 The API GetModuleHandleW(secur32.dl) fails for "The specified module could not be found". Because of the initialization failure SURROGATE is not processed. Win2008 R2 SURROGATE on CONSENT.EXE   1. set rules. so class+(SURROGATE) er SURROGATE USER._default audit(a) eu user001 password(123) 2. login by user001. 3. Right click any .exe file and select "Run as administrator". 4. There should be SURROGATE log but not in audit.log. [Findings] 1. "runas.exe" is OK in Win2008 R2. eg) runas /user:administrator cmd.exe 15 Jun 2011 01:01:15 P SURROGATE user001 Read 1059 3 USER.FUJTO05-VM11165\administrator C:\Windows\System32\runas.exe ETR755L1-WIN-1.ca.com 2. Both "runas.exe" and "consent.exe" are OK in case of Win2008 x86. 3. "consent.exe" is not added in the reg key in case upgrading from r12.5SP2. It is added in case of Win2008 x86. <ACROOT>\Instrumentation\PlugIns\RunAsPlg\ApplyOnProcess ==> Please investigate it as well.
27 2 Windows endpoint user mode Fixes an issue where BSOD is caused by kernel mode stack depletion when running recurrent SPGM propagate check for newly created process AC126SP10205 WINDOWS ALL     Adds safeguards to prevent stack depletion      
28 2 Win endpoint kernel mode Fixes an issue where missing code to properly deny access all openprocess mask AC126SP10227 WINDOWS ALL Missing code to properly deny access all openprocess mask   Fixed access masks Steps to reproduce:
1. Run task manager
2. Right click on seosd.exe process and choose crash dump option
Actual result: Seosd hang
Expected result: Should report deny of operation
   
29 3 ENTM Fixes an issue where on the privilege account request screen in the Japanese environment, a message is shown both in English and Japanese. AC126SP10230 ALL     Since this execution method is called from a new thread, the locale was not initialized, hence the default one (en) was loaded get the locale from task session and set it on Localizer for any message localization use. The locale kept in hash where the key is current running thread, need to clean the map from this entry by the end of the action System browser locale: jp 1. Discover privileged account 2. browse to the new account, the friendly name of the account was not localized 82 T5P0072
30 2 Win endpoint kernel mode Fixes an issue with access to freed memory. AC126SP10233 WINDOWS ALL Access to freed memory AC stop Added additional memory verification checks.      
31 1 Unix endpoint user mode Fixes an issue with Access Control where a deny for _default SURROGATE occurs when running SU from CRONJOB. AC126SP10240 UNIX ALL            
32 2 ENTM Fixes an issue where two events are reported for the same action Create Privileged Account Exception Not Started Event and Grant Privileged Account Request Event. AC126SP10247 ALL     Remove audit report, Create Privileged Account Exception Not Started Event to ppm audit. 1. Create privileged account request 2. Approve the request 3. Browse to PPM audit page there are two identical reported task events 82 T5P0072
33 3 ENTM Fixes an issue with Access Control when an exception occurs where an account cannot be found and the work item remains in working list. AC126SP10248 ALL     Catch the exception, allow the process to complete and report a warning message Warning: [ApprovePrivilegedAccountRequest:imstask.label.task.ApprovePrivilegedAccountRequest.name] The ACCOUNT PASSWORD: name: "monawwar" on "ahmmo04-test" Accounts ("Windows Agentless") no longer exists Delete the object from monitor objects as well 1. Request the privileged account. (This account should not be an endpoint administrator) 2. Delete the privileged account by superadmin. Privileged Account -> Delete Privileged Account 3. Login by superadmin and you will see the above error when clicking the Work List, cannot approve nor reject the request any more.. 82 T5P0072
34 2 Windows endpoint user mode Fixes an issue with Access Control where the ReportAgent consumes too large amount of memory (more than 1GB). AC126SP10250 Windows all         540 T5P7111
35 3 Windows endpoint user mode Fixes an issue with Access Control where "password last change" for the native user shows current time if password change never happen. AC126SP10253 L The password_age is 0, so password change never happens so cur_time - password_age = cur_time. Password change never happens N/A 1.create a native user 2.AC> su testuser nt if you repeat step 2 "password last change" shows current time
36 3 Unix endpoint user mode Fixes an issue with Access Control where some PMDB rules are added after upgrading from r12.5SP5 to r12.6. AC126SP10265 UNIX ALL The dbmgr is being used for creation of pmdb on upgrade whereas the creapmd is generally used. The dbmgr creates some predefined endpoint policies which are not created by creapmd. When upgrading from 12.5 SP5 with PMDB to 12.6 No [Step] 1.create PMDB in r12.5SP5. selang >env pmd >create pmdb1 2. export its rules. eg) dbmgr -e -l -f > /tmp/r12.5 3. upgrade AC to r12.6. 4. export pmdb1 rules. eg) dbmgr -e -l -f > /tmp/r12.6 5. compare their outputs.
37 2 ENTM Fixes an issue when the user logs in to ENTM via SiteMinder and requests for a privileged account, the dates at approver page are shifting and appearing in the web UI as GMT time zone. AC126SP10272 ALL When logging in through SiteMinder the browser time zone is not initialized.   When having time zone at browserTimezone attribute get it otherwise use the server time zone which has been initialized in its declaration 1. Login as requester via SiteMinder interface.
2. Request for Privileged Account, for example Dec 16 19:00 - 19:30.
3. Logout requester and login Approver.
4. Click worklist and select Privileged Account tab. The start date shifts to GMT time zone.
7 T5P0080
38 3 Unix endpoint user mode Fixes an issue when "Password was changed recently, cannot be changed again at this time." by password quality check is not audited. AC126SP10274 UNIX ALL The password quality check is done and audited by seosd but password policy min_life is checked by sepass at stage of initialization sepass is denied by password policy min_life   1. Create user and enable PASSWORD class. AC> eu user01 AC> so class+(PASSWORD) 2. Add min_life property. AC> eu user01 min_life(1) 3. Change password via sepass by user01 $ sepass 4. Repeat step 3. ==> It is rejected due to min_life(1) -- expected. $ sepass CA Access Control sepass v12.60.0.1165 - Password replacement Copyright (c) 2010 CA. All rights reserved. Password was changed recently, cannot be changed again at this time. 5. Check audit.log, there is no log of stage code:12.
39 2 UNAB Fixes an issue with Access Control where the AD user of a UNIX primary group was not found because of difference between userPrincipalName and sAMAccountName. AC126SP10276 UNIX ALL AD user UNIX primary group was not found because of difference between userPrincipalName and sAMAccountName.     login with AD user account with specific attributes    
40 3 Unix endpoint user mode Fixes an issue with Access Control where the watchdog starts Report Agent if it is enabled and is down. AC126SP10280 UNIX ALL Report Agent memory usage. The watchdog periodically starts report agent according to configuration.       540 T5P7111
41 3 Unix endpoint user mode Fixes an issue with Access Control where an additional special character '\' is added before the special character. AC126SP10283 UNIX ALL Handling some cases that comes with '\' is different between dbmgr -e and selang -f. Object name include '\' or ' '. No 1. create user with special characters AC> eu ("NT AUTHORITY\SYSTEM") AC> f user NT* NT AUTHORITY\SYSTEM 2. export rule by dbmgr -e # dbmgr -e -r -c USER | grep NT > /tmp/user.out # cat /tmp/user.out editusr ("NT\ AUTHORITY\\SYSTEM") owner('root') audit(FAILURE LOGINSUCCESS LOGINFAILURE) 3. import the exported rule # selang -f /tmp/user.out Successfully created USER NT\ AUTHORITY\\SYSTEM 4. check user AC> f user NT* NT AUTHORITY\SYSTEM NT\ AUTHORITY\\SYSTEM Please note ' '(space) will be exported as ' ' but '\ ' after 12.6.
42 2 ENTM Fixes an issue with Access Control where the user is not able to undeploy UNAB policy on the endpoint. AC126SP10284 ALL       For some host, create a policy with one group say UNAB - It happens fine
For some host, remove the group - It happens fine
For some host, edit the same by adding another group say UNAB - It
happens fine
For some host, remove the group - It says Task submitted. No changes
made
   
43 2 ENTM Fixes an issue with Access Control where the log is being reported during the check-in commit and for the Force check-in event. AC126SP10285 ALL     Escaping audit log when performing Force Check in. the Audit log report at Force Check in event 1. Login as requester(pupmusr01) and request as 11:00 - 12:00
2. Approve by Approver(superadmin)
3. While privileged account is enabled, check out by requester(pupmusr01).
4. login as PUPM Administrator( superadmin ) .
5. force check-in for privileged account.
6. check audit log for this event.
91 T5P0081
44 2 ENTM Fixes an issue where an error message appears when the user tries to change his own password from the PUPM GUI. The error message is as follows: "Error: Password validation failed: Connection timed out." AC126SP10296 ALL   PUPM integrated with SiteMinder Skip the routing to Site Minder, use AC to perform password polices actions 1. open web browser and connect to PUPM integrated with SM. 2. SiteMinder login screen shows up login to account 3. PUPM screen shows up 4. click Home tab 5. click second link from left 6. click "change my password" 7. Change My Password screen shows up Enter new Password / Confirm Password 8. click "submit" button AT VST there is an error "Error: Password validation failed: Connection timeout." on the screen. 91 T5P0081
45 3 UNAB Fixes an issue with Access Control when the client logs into server with Domain B and tries to edit Domain A's user only Domains B groups show for Domains A user. AC126SP10313 UNIX ALL   N/A N/A N/A
46 2 ENTM Fixes an issue with Access Control when user logs in through SiteMinder, the User DN is the logged in user name while the user ID should be present. AC126SP10314 ALL N/A N/A Get User DN by getting the unique name Changing a methods call to getUser().getUniqueName() instead of getUserDN() 1. Login to ENTM via SiteMinder login screen.
2. Navigate to My Privileged Accounts
3. Select Checkout action.
91 T5P0081
47 2 Unix endpoint user mode Fixes an issue with Access Control where the ReportAgent consumes too large amount of memory. AC126SP10323 UNIX ALL N/A N/A N/A N/A 540 T5P7114
48 3 UNAB Fixes an issue with Access Control where uxconsole core dumps on user registration. AC126SP10339 UNIX ALL   N/A N/A Have a considerable delay between creation of a computer object and setting a password on it. The replication_allowance token allows one to set that wait to a desired value. 1649 T243828
49 2 ENTM Fixes an issue where an error message appears when the user tries to change his own password from the PUPM GUI. The error message is as follows: "Error: Password validation failed: Connection timed out." AC126SP10341 ALL N/A PUPM integrated with SiteMinder N/A N/A 91 T5P0081
50 2 ENTM Fixes an issue with Access Control where events are recorded twice, during check-out and during check-in, both relates to the same session ID. AC126SP10342 ALL N/A N/A Skip of recording a check in event in case having a check out event 1. Login to ENTM
2. Navigate to "My Privileged Accounts" from "Home" tab.
3. Check out an account.
4. After completion of check out, then check in it.
5. Navigate to "Audit Privileged Accounts" screen and click search.
Privileged Accounts -> Audit
6. You will see the check in log is duplicated.
91 T5P0081
51 2 ENTM Fixes an issue with Access Control where temporary password displayed after password reset may not be shown. However, it is displayed correctly in the email. AC126SP10349 ALL       1. User clicks 'Forgot password' at login.
2. User answers security question.
3. Password is displayed.
4. User logs in with this password and resets the account password
successfully.
   
52 3 Windows endpoint user mode, Unix endpoint user mode Fixes an issue with Access Control where the DH WRITER DMS and DH are loaded and not responding. This results in the DMS subscriber of the DH__WRITER to become unresponsive as well as the DH subscriber of the DMS. AC126SP10357 ALL     Workaround - send a policy to all the endpoints to adjust the policyfetcher setting (main change is that the policyfetcher will read deployments every 6 hours which should improve the load on the DH). add a filter file to the DH__WRITER to filter out deployments errors during the recovery process (to limit commands that written to the DH__WRITER audit file). Solution: 1. Policyfetcher : Don't send removed deployments to the DH__WRITER (if not exist on the DH) 2. Policyfetcher : Control the number of deployment errors that the policyfetcher sends to the DH__WRITER 3. Policyfetcher : Reload its setting every interval. 4. Policyfetcher - Change the default setting. (increase the values) 5. DMS - don't create gdeployment objects that not contain any related deployment. (this should improve the deployment audit performance)      
53 2 ENTM Fixes an issue with Access Control where the user is unable to remove policy dependency. AC126SP10369 ALL     Manually corrected the policies using selang, however, the Web UI was not able to remove the policy dependency.      
54 2 UNAB Fixes an issue with Access Control where cm_postinstall.sh only installs CAWIN if it is running HP-UX 11.23 and 11.31. AC126SP10377 UNIX ALL UNAB installation doesn't install CAWIN on HP-UX 11.11. cm_postinstall.sh script only checks HP-UX 11.23 and 11.31 and fails to check 11.11. HP-UX 11.11 Make cm_postinstall.sh handle HP-UX 11.11. On an HP-UX 11.11 system without CAWIN installed, install UNAB. CAWIN will not get installed. 20 T3E7139
55 2 ENTM Fixes an issue with Access Control where endpoints are not completely deleted. AC126SP10380 ALL The audit
logs and the deletion task is not present.
         
56 3 Windows endpoint user mode Fixes an issue with Access Control when wild character * is used in selang, devcalc returns incorrect result. AC126SP10386 WINDOWS ALL ruleset use %systemroot% while the database is using the value of systemroot. You'll have to create a policy using windows system variables. Please apply the fix devcalc. Create a policy using %SystemRoot% in the rules. assign the policy to an hnode. run "selang>start devcalc" and "get devcalc", you will see the DIFF. 1680, 545 T243901 (Sun Solaris), T243902 (Linux x86), T243903 (Linux X64), T243904 (Linux Aix), T243907 (Sun Solaris), T243906 (Windows x64)
57 3 Windows endpoint user mode Fixes an issue with Access Control where password rule and parameter are delivered from pmdb, but Admin password Change and Passwd Change User does not update. AC126SP10430 WINDOWS ALL AC user password change was forced on BDC as in NT domain the SAM is read-only. Active directory Replication is configured. Native user password change command is filtered by PMDB CREATE NATIVE USER * * NOPASS EDIT NATIVE USER * * NOPASS   1. Configure Active directory Replication both node. node1 is primary. Install AC on both node.
2. Create pmd1 on node2 and subscriber as local db on node2.
3. Set PMD filter as following:
CREATE NATIVE USER * * NOPASS
EDIT NATIVE USER * * NOPASS
* * * * * PASS
4. Check offset address.
5. Create user01 native on pmd1 at node2.
eu user01 password(eTrust01) profile(mzhadm)
6. Subscribe localdb on node1 with offset at step 4.
7. Compare user01 property both node1 and node2.
   
58 3 Unix endpoint user mode Fixes an issue where OS SMF does not import seosload service because manifest was not removed from standard repository which causes seload -r localhost to fail AC126SP10441 SUN SOLARIS     uninstall:
#rm /lib/svc/manifest/network/seosload-tcp6.xml
#svcadm restart manifest-import
seload -r localhost    
59 1 ENTM Fixes an issue with Access Control when losing a connection to JMS retry to connect with new creates connection factory. AC126SP10452 ALL Sometimes the in memory the JMS connection factory is corrupted.   Do not use the in memory connection factory recreate the connection factory and try to get the session again Sometimes the in memory JMS connection factory is corrupted this case can't be reproduced In case need to send JMS message getting an error jmsexception could not create a session 93 T5P0083
60 2 ENTM Fixes an issue with Access Control where the checked-out Privileged Account checks in when another user uses the same account. AC126SP10461 ALL     Reload account password object before performing any action 1. Login to the server as Administrator. 2. Start Firefox and login with user A 3. Start IE and login as user B. 4. Browse to both users My account tab verify that both users have privileges for the same account 5. User A checks out the account in Firefox. 6. user B checks out in IE. 7. Confirm the same password is checked out in the both windows. 8. Press "Search" button in user A Firefox window. 9. "Checked Out" status is cleared in the screen. 96 RO45508
61 3 Windows endpoint user mode Fixes an issue with Access Control where effective username incorrectly shows domain name for local user. AC126SP10475 WINDOWS ALL The domain name is given to sub auth for local user is what remote machine belong, this is not we want to use. AC machine is a domain member. Remote machine is different domain member Access AC machine by local user of AC machine   AC server (w2k8-2) is member of domain TEST client1 (tanma07-xp) is member of domain TANT-A01 client2 (vmw1) is domain controller of domain TEST 1. create shared directory on AC server ('temp' in this case) 2. create AC/Native user for this test on AC server AC> nu sharetest password(*****) * sharetest user only exists as AC server local user, not in any other domains or servers. 3. create file rule for shared directory AC> nf d:\temp\* defacc(a) audit(a) own(nobody) AC> nf d:\temp\*$DATA defacc(a) audit(n) own(nobody) * the second rule is not mandatory; it will eliminate lots of data stream logs 4. access to shared directory on AC server from client1 by sharetest user start -> run -> enter '\\w2k8-2\temp' and OK -> enter 'sharetest' as user and its password 5. see audit log on AC server \> seaudit -a -sd today 13 Jan 2012 16:59:39 P LOGIN sharetest 1059 2 TANMA07-XP C:\Windows\System32\lsass.exe 13 Jan 2012 16:59:39 P FILE sharetest Read 59 3 D:\temp\audit.log System Networking Process TANMA07-XP TANT-A01\sharetest [expected result] Effective user is W2K8-2\sharetest. (<ACserver>\username) [actual result] Effective user is TANT-A01\sharetest (<domain of client1>\username) 6. run step 3 from client2 and see audit log 13 Jan 2012 17:06:22 P LOGIN sharetest 1059 2 VMW1 C:\Windows\System32\lsass.exe 13 Jan 2012 17:06:22 P FILE sharetest Read, Create 59 3 D:\temp\Desktop.ini System Networking Process VMW1 W2K8-2\sharetest -> this is expected result (effective user is W2K8-2\sharetest).
AC server and accessed client is same domain (TEST) This doesn't happen if AC server is not a member of domain.    
62 2 Unix endpoint kernel mode Fixes an issue with Access Control where server CPU utilization increases by 20% when the agent is running without policies being enforced. AC126SP10485 SUN SOLARIS Memory leak in realpath cache.       1700 TC61213
63 2 UNAB Fixes an issue with Access Control where the user can't start UNAB in the global zone. AC126SP10493 SUN SOLARIS The script uxauthd.sh uses the output of 'ps -ef' to check if uxauthd is already running, and in the Solaris 10 global zone this command also returns processes running in local zones. N/A N/A N/A 21 T5P7134
64 1 Unix endpoint user mode Fixes an issue with Access Control where, after substituting user to a new user with the native OS command 'SU', the AC user shown by the sewhoami command is the new user. AC126SP10500 UNIX ALL N/A N/A     1701 TC61214 (LINUX_x86), TC61214 (LINUX_x86_64)
65 3 ENTM Fixes an issue with Access Control where password policy with integrated system with SiteMinder doesn't work. AC126SP10506 ALL N/A PUPM integrated with SiteMinder Skip routing to SiteMinder; use native password policy 1. Integrate ENTM with SiteMinder. 2. Create or modify a password policy under the Users and group tab. 3. An error is returned. 96 T5P0090
66 1 UNAB Fixes an issue where the rules engine in the agent was case sensitive when comparing group name with domain. Domain name was in upper case for user groups and in lower case for login policies. AC126SP10508 UNIX ALL This is because the sqlite3 operator IN is case sensitive when comparing a user's groups with groups in the login policy. User has group usysadmin@MGT.AD but the policy had a rule for usysadmin@mgt.ad   Workaround - change rule to have domain name in proper case.      
67 3 Unix endpoint user mode Fixes an issue with Access Control where a blank message is displayed in the syslog when shutting down Access Control. AC126SP10510 SUN SOLARIS Extra empty syslog message was caused by an extra blank after the '\n' at the end of the previous message. N/A N/A N/A    
68 2 Unix endpoint kernel mode Fixes an issue where the stub_execve has changed so the position of the call offset is off by 2 bytes. AC126SP10513 LINUX x64 The stub_execve has changed so the position of the call offset is off by 2 bytes. SLES 11 sp1 X64 with kernel 2.6.32.46   Running prior to this fix on SLES 11sp1 with kernel 2.6.32.46 and above will cause a panic at start up of AC.    
69 2 Unix endpoint kernel mode Fixes an issue with Access Control where AC does not start on the new kernel 2.6.32-300 for Oracle Linux 5.7. AC126SP10531 LINUX all         1703 AC12.5 SP5 T540114 (32 bit seosd), AC12.5 SP5 T540115 (64 bit seosd), AC12.6 T540116 (32 bit seosd), AC12.6 T540117 (64 bit seosd)
70 1 Unix endpoint user mode Fixes an issue with Access Control where, after substituting user to a new user with the native OS command 'SU', the AC user shown by the sewhoami command is the new user. AC126SP10546 UNIX ALL N/A     1. Start a TRACE and recreate the problem.
a. Start trace: secons -tc -t+
b. Recreate the problem
c. Stop trace: secons -t-
d. send the trace file $SEOSDIR/log/seosd.trace
Where $SEOSDIR is your Access Control directory on the system
2. Send all files in the $SEOSDIR\log directory.
In seos.ini set
debug_level=low
trace_to=file
then start AC and send to us the seos_debug file and trace.
1701 TC61215
71 2 Windows endpoint user mode Fixes an issue with Access Control where, if a request to verify a password times out, all subsequent requests from eACPasswordFltr to seosd return "Server communication error". AC126SP10555 WINDOWS ALL If TransactNamedPipe() times out and is not reinitialized, subsequent calls get ERROR_PIPE_BUSY. TransactNamedPipe() call to verify password times out. Increase PasswordTimeOut 1. Set PasswordTimeOut to 0. 2. Create AC/native user: AC> eu testuser password(testuser) 3. Change the user password via a native tool. 4. If it successfully times out, the native tool returns "The password does not meet the password policy requirements...". This is OK, as PasswordTimeOut is kept short to reproduce the issue. 5. Change the native user password via the native tool again. 6. This operation should return "The password does not meet the password policy requirements..." but succeeds, because seadmapi_IsServerRunning() returns "Server communication error" (originally ERROR_PIPE_BUSY), which is taken to mean that seosd is not running. The default answer is allow in this case. 7. Check the AC user property. "Pwd changed by" should be updated but actually is not, as setting the new password fails due to "Server communication error". 548 T4CC142
72 3 ENTM Fixes an issue with Access Control where only the first 100 endpoints are displayed in the WorldView. AC126SP10565 ALL     Fix and improve the search method to return all values   96 RO45508
73 2 Unix endpoint user mode Fixes an issue with Access Control where, after AC services are restarted, the user suspend is sent by serevu to the local seos and not to the password pmdb. AC126SP10570 UNIX ALL serevu clears the last connection info when AC is not running, but the last host info was not cleared, so serevu executed "env seos" rather than "hosts %s ; env seos" because it considered that the current user suspend command was to be sent to the same destination. As a result, the user suspend was sent to seos and not to the passwd pmd. ./seos.ini passwd_pmdb = localpmd@localhost parent_pmd = localpmd@localhost ./serevu.cfg *,DPMDS,FOREVER AC is stopped until serevu finds "AC is not running". When stopping AC services, stop serevu as well. 1. Configure as follows: ./seos.ini passwd_pmdb = localpmd@localhost parent_pmd = localpmd@localhost ./serevu.cfg *,DPMDS,FOREVER 2. Run AC services and serevu. 3. Create localpmd and subscribe localhost: AC> env pmd AC createpmd localpmd subs(localhost) 4. Create testuser from localpmd: AC> host localpmd AC> nu testuser password(testuser) 5. Check the user was propagated to localhost: AC> su testuser 6. Perform failed login attempts by testuser to suspend. 7. Check user suspend is sent to localpmd and propagated to localhost: AC> su testuser AC> host localpmd AC> su testuser 7. Stop AC services except serevu. 8. Wait till serevu writes "AC is not running" in messages. 9. Start AC services. 10. Enable testuser from localpmd: AC> host localpmd AC> eu testuser suspend- 11. Check the user is enabled in localhost: AC> su testuser 12. Perform failed login attempts by testuser to suspend. 13. Verify user suspend is sent to localpmd and propagated to localhost. Before the fix, user suspend was sent to localhost only, not localpmd. 1704 T4CC141
74 2 Windows endpoint user mode Fixes an issue with Access Control where the Windows silent installation specifies Advance Policy Management Client as installed even when ADV_POLICY_MNGT_CLIENT=0. AC126SP10590 WINDOWS ALL            
75 3 Windows endpoint user mode Fixes an issue with Access Control where after unsetenv HOME the sesu command crashes with AC126SP10597 UNIX ALL "sesu" passes the output of getenv("HOME") to sprintf. If this environment variable is not defined, sesu passes NULL to sprintf, leading to a crash. unsetenv HOME Check return value of getenv("HOME") unsetenv HOME > ./sesu root -c sh Segmentation fault (core dumped) 1718 T3DB102
76 3 Unix endpoint user mode Fixes an issue where sepmd -L incorrectly prints "distribution is locked" message when a host is unreachable. AC126SP10599 UNIX ALL The function checks if the pmd is locked before printing the list. If pmdcl_is_bk_locked() returns false, the "distribution is locked" message is printed whatever the real error is. A pmd host is unreachable   1. Install AC on Linux box named MY-HOST 2. Create PMDB0 3. sepmd -s PMDB0 MY-HOST 4. Stop AC and change parent_pmd = PMDB0@MY-HOST 5. Start AC 6. Confirm PMDB0 propagates normally 7. Add line in /etc/hosts 192.168.99.99 GHOST # ip address is not resolved one. 8. sepmd -s PMDB0 GHOST 9. Enter selang command in PMDB0 # selang -c "hosts PMDB0@; eu TEST audit(a)" 10. Execute "sepmd -L PMDB0" Then you can confirm the Lock message is displayed after waiting 2 minutes or so. ### The output message confuses AC users. Please output a proper message in this scenario.    
77 3 UNAB Fixes an issue with Access Control where uxauthd crashes when user DN contained PU with 'DC' inside. AC126SP10622 SUN SOLARIS When uxauthd is looking for the domain part, it erroneously considers SDC          
78 3 Windows endpoint user mode Fixes an issue with Access Control where character '|' was not escaped. AC126SP10650 WINDOWS ALL Character '|' was not escaped. AC> so password(rules(prohibited(!"#$%&'\(\)=~\|\\))) there is a char '|' in the selang command. Apply the fix selang. Run the command below, AC> so password(rules(prohibited(!"#$%&'\(\)=~\|\\))) you will see the problem.    
79 3 Unix endpoint user mode Fixes an issue with Access Control where in the PAM configuration file pam_unix is set before requisite and the AC Native package has external dependencies. AC126SP10651 All A new file is created during file modification and the original file mode is never restored. Problem occurs in AC install and AC uninstall only.   Please see steps in description. 1669 TC61196
80 3 Unix endpoint user mode Fixes an issue with Access Control where seagent consumes high CPU. AC126SP10661 All According to the debug log collected from the client's machine, the high CPU usage is caused by an endless loop in a TCP/IP call that seagent makes. seagent makes a TCP/IP call and that call is trapped in an endless loop. Problem could be reproduced in a busy network environment. Apply the fix seagent. There are no reproducing steps. 1708 T243923
81 2 ENTM Fixes an issue with Access Control where overriding occurs when requesting privileged account for the same account by the same user more than once. AC126SP10667 ALL       1. Login EntM UI as requester and request a privileged account with future
time range
e.g.
current time is 04:00 P.M
request time 05:00 P.M - 06:00 P.M
2. Login EntM UI as approver and approve above request
3. Login EntM UI as requester again and request same privileged account
with different time range
e.g.
request time 07:00 P.M - 08:00 P.M
This causes override of previous approved request.
10 T5P0088
82 3 Unix endpoint kernel mode Fixes an issue with Access Control where sewhoami from GDM terminal shows the previous GDM login user, which is not defined in AC. AC126SP10692 LINUX all Process exit handler bypasses procserver_clean_gdm if acee == 0(_undefined) osuser_enabled=no; previously GDM logged in user is not defined in AC   [Env] AC r12.5SP5, r12.6 / RHEL [Problem] "root" is shown as general user by sewhoami while "id" shows "root". [Step] 1. Log in as a general user (non root) via console (gdm-binary). 2. Log out from console. 3. Log in as root via console (gdm-binary). 4. Open the terminal window and run "sewhoami" and "id". "sewhoami" shows the previous user name while "id" is root. [Finding] It occurs when osuser_enabled=no or general user is not in ladb.    
83 2 Unix endpoint user mode Fixes an issue with Access Control where errors cause SELOGRD to crash on User Trace. AC126SP10693 UNIX ALL Stability problem in the code responsible for transforming audit records before sending them to syslog.       1706 T5P7139
84 3 Windows endpoint user mode, Unix endpoint user mode Fixes an issue with Access Control where upgrade policy fails if a policy contains a deleted version. AC126SP10715 Windows all, Unix all            
85 1 Unix endpoint user mode Fixes an issue with Access Control where AIX - OSMD wrongly calculated by getvar and thus SEOS_syscall link was missing. AC126SP10753 AIX In customer environment, there are two results which starts from "lbolt" in
an output of "nm -p -X32_64 /unix", so "OSMD" was set as "64 <LF> 64".
As a result, symbolic link for "64" was created in the current directory
like below.

Sym_link_ /opt/CA/AccessControl/bin/SEOS_syscall.710.64 64
/opt/CA/AccessControl/bin/SEOS_syscall

# lbin/getvar.sh OSMD
64
64

# nm -p -X32_64 /unix | awk '/ lbolt/'
      1711 T3E7143
86 2 Windows endpoint user mode Fixes an issue with Access Control where the native user's login daytime restrictions are not shown correctly in selang NT environment and changing it from selang causes wrong change in the native user. AC126SP10770 Windows x64 Adjusted restriction_array from localtime to GMT(or GMT to localtime) was not returned properly to calling function. Local time is not GMT Windows DC x64   1. Create native user.
2. Check native user login daytime restrictions by native tool.
-> by default, login is permitted anyday, anytime (1.png)
3. Check daytime restriction for native user from selang
\> selang
AC> env nt
AC(nt)> su user tanma07
[expected result]
daytime shows "Anyday Anytime"
[actual result]
daytime shows "Anyday 00:00 to 00:00"
4. Change daytime restriction from native tool
(set deny Sunday all times - 2.png)
5. Check daytime restriction for native user from selang again
-> daytime still shows "Anyday 00:00 to 00:00"
6. Change daytime restriction from selang
AC(nt)> eu user tanma07 restrictions(d(Mon,Tue,Wed,Thu,Fri) t(0900:1800))
7. Check native user login daytime restrictions by native tool.
[expected result]
change from selang is reflected to native user correctly.
[actual result]
all days all times becomes deny
   
87 2 ENTM Fixes an issue with Access Control where the same message is reported twice. AC126SP10783 ALL     To avoid duplicate reported events, check if the event was already added to the returned vector; the key of the event is Task session Id, Account Name, End point type and ObserveIT session. Delete duplicate validation message 1. Login as superadmin
2. Go to Home > My Privileged Account
3. Select one of the accounts and check it out in the Action list
4. Check in the same account
5. Check audit log Privileged Accounts > Audit > Audit Privileged Accounts
6. Check audit log
12 T5P0091
88 2 ENTM Fixes an issue with Access Control where the server.log file shows errors. AC126SP10797 ALL This error is related to initialize env. The log the system are ignore when the task is loaded.     During Jboss start up observing a reported error ERROR [ims.llsdk.environment] Plugin specified an object type [ACCOUNT PASSWORD] for which there is already    
89 2 Unix endpoint user mode Fixes an issue with Access Control where when the ACEE table is full, seosd does not enter periodic jobs, missing timer event from watchdog. AC126SP10802 All The watchdog maintains a dynamic queue of events to be handled. After handling the current event, the watchdog removes it from the queue. When all events are done, the watchdog refreshes the queue by adding all internal events to it again. The problem is that some handlers add new events to the queue. As a result, the queue is never empty and the watchdog does not add internal events to the queue. The AC DB has an extended policy including many untrusted programs. The watchdog checks the programs' trust status and generates new events to be handled. Change the watchdog timer handler: after sending the timer message, put the event back into the watchdog queue. ACEE table leak reproduced with customer's DB and seos.ini 1710 T3DB100
90 2 UNAB Fixes an issue where NSS calls failed because nss.db was locked (busy). To avoid this lock, error handling was improved. AC126SP10809 SUN SOLARIS   N/A N/A N/A    
91 2 ENTM Fixes an issue with Access Control where client found the password change event recorded as GMT when he checked in as privileged account. AC126SP10815 ALL Different dates and times are shown in the adjacent fields without timezone code.     1. Requester check out Privileged Account via Enterprise Management GUI.
2. Approver force checkin
3. See the audit log for force checkin event.
12 T5P0091
92 3 ENTM Fixes an issue with Access Control where the PUPM UI Slowness after adding 20,000 accounts Disney performance - myaccountsTab AC126SP10832 ALL Problem occurs when 20,000+ accounts are defined in PUPM with 3,000+ endpoints.       16 T5P0102
93 3 Unix endpoint user mode Fixes an issue with Access Control where sebuildla -h -l does not add host that has more than one addrinfo to ladb. AC126SP10844 UNIX ALL sebuildla -h -l does not add host that has more than one addrinfo to ladb. Host in hostlist has more than one addrinfo /etc/hosts: 10.181.226.185 ayng11 ayng11hl ::10.181.226.185 ayng11 ayng11hl # IPv6 # cat /opt/CA/AccessControl/ladb/hostlist ayng11   /etc/hosts: 10.181.226.185 ayng11 ayng11hl ::10.181.226.185 ayng11 ayng11hl # IPv6 # cat /opt/CA/AccessControl/ladb/hostlist ayng11 # sebuildla -h -l CA Access Control: Creating hosts look-aside database using a list file. No host entries were found. If /etc/hosts entry is below, it is OK to update ladb with sebuildla -h -l. /etc/hosts: 10.181.226.185 ayng11 ayng11hl 1714 T4CC143
94 2 UNAB Fixes an issue with Access Control where the short hostname support in uxpreinstall. AC126SP10858 UNIX ALL            
95 2 Win endpoint kernel mode Fixes an issue with Access Control where the AC protection does not work for the drive. AC126SP10876 WINDOWS ALL Volume mount type selection code too restrictive   Removed volume type selection code      
96 3 Unix endpoint user mode Fixes an issue with Access Control where seosini -s shows "Invalid or incomplete multibyte or wide character" when AC is running. AC126SP10892 LINUX all After failing to write a token to seos.ini, AC prints errno, but on Linux errno is overwritten before it is printed for some reason. seini -s fails as AC is running on Linux   start AC # seini -s serevu.def_disable_time "FOREVER" seini: ERROR setting token serevu.def_disable_time to 'FOREVER':Invalid or incomplete multibyte or wide character    
97 2 ENTM Fixes an issue with Access Control where during installation the license agreement is in English and not the translated language. AC126SP10900 ALL            
98 2 ENTM Fixes an issue with Access Control where the month and date are displayed incorrectly. AC126SP10901 ALL            
99 2 ENTM Fixes an issue where Access Control fails to fetch disconnected endpoint type from the DB. AC126SP10912 ALL Disconnected endpoint type doesn't exist in the DB, since it was not driven by JCS (it should not be driven by JCS; this is an abnormal endpoint type)   Avoid retrieving the Disconnected endpoint type from the DB, since it doesn't exist there Create a disconnected endpoint and then a disconnected account on this endpoint. Then a manual password reset fails    
100 3 Unix endpoint user mode Fixes an issue with failed SSH login. AC126SP10926 UNIX ALL Cannot find shared libcrypt KBL enabled Remove flag -lcrypt from compilation. The cmdlog does not need it. seos.ini kbl_enabled=yes AC> eu test audit(interactive) > ssh ismesl12 -l test Password: ld.so.1: -sh: fatal: libcrypt_d.so.1: open failed: No such file or directory Connection to ismesl12 closed. ==> CONNECTION fails 1719 T3DB103
101 3 Unix endpoint user mode Fixes an issue with Access Control where there is unexpected output from "who am i" after "su". AC126SP10953 All Both original user and root are tracked by AC KBL. After command "su" KBL starts a new session and a new tty. As a result, "who" looks for the root tty in the utmp database KBL enabled, "root" has audit flag "interactive" Take user name from seosd when building new utmp record. The seosd keeps the originally logged in user. seos.ini kbl_enabled = yes AC> nu test audit(interactive) AC> eu root audit(interactive) AC> auth program /work/opt/CA/AccessControl/bin/sesudo uid(test) access(a) AC> nr sudo su data('/bin/su') defaccess(a) login as user 'test' -sh-3.00$ tty /dev/pts/4 -sh-3.00$ /work/opt/CA/AccessControl/bin/sesudo su [root@ismelx77 /]# tty /dev/pts/5 [root@ismelx77 /]# who am i root pts/5 Feb 28 22:44 (ismesl07.memco.co.il) EXPECT: user "test", not root 1716 T3DB101
102 3 Unix endpoint kernel mode Fixes an issue with Access Control where KBL tests fail, audit records for KBL are not saved. AC126SP10954 LINUX all The AC kernel does not replace the shell path and exec does not run "cmdlog" on i86. Bug after package AC126SP10190 KBL enabled There are several ifdefs for different platforms in the my_exec code. Some platforms should call SEOS_do_execve(user_pn.pn_path). This structure (user_pn.pn_path) keeps the replaced path. test UTIL/kbl_admPassNoAudLgff    
103 1 ENTM Fixes an issue with Access Control pre-requisites installer where the names of the JDK installation is placed incorrectly in the localized programs folder. AC126SP10961 ALL            
104 2 ENTM Fixes an issue with Access Control where if ObserveIT agent/server is not available, then the user still has access to the open remote session. AC126SP10964 ALL No reference to a failed ObserveIT session   Edit the VB script: close the window session if session recording was not started (the returned token is 0000000-0000-0000-0000-000000000000) Configure the endpoint to have ObserveIT recording. If the ObserveIT recording session was not started properly, the window session still remains open    
105 3 Unix endpoint user mode Fixes an issue where the username is defined in upper case in LDAP or AD. AC126SP10972 UNIX ALL The problem is when the user logs in in lower case (enters the name in lower case). A mismatch occurs in sewhoami.   Use loginflag(none) as a workaround. When loginflag(none) is used, the user name is resolved in ladb.   1722 T243956
106 2 UNAB Fixes an issue with Access Control where multiple UNAB restarts happen while AC is installed after the UNAB Installation. AC126SP10974 UNIX ALL Long time reason - installation on that machine takes a long time          
107 1 Unix endpoint user mode Fixes an issue ReportAgent - Sending SIGTERM to pid 0 (if root then this kills almost all processes) at 23:30. AC126SP10980 UNIX ALL     Apply AC126SP10980 or stop ReportAgent.   1711 RO46016
108 1 Unix endpoint user mode Fixes an issue Login sequence not working for SSH - Linux AS5.x. AC126SP10982 UNIX ALL After upgrade AC from r12.5 SP3 to r12.5 SP5, AC does not recognize LOGIN     1. Install AC r12.5 SP3 on RHEL 5.5(x86)
2. Change rule at LOGINAPPL as following:
er LOGINAPPL SSH loginflags(none)
3. Login as non-root user.
4. Check LOGIN log at audit log and sewhoami command output.
check both of them shows login user name
5. Stop AC and kernel and upgrade from r12.5 SP3 to r12.5 SP5.
6. Review SSH rule and there is no change from step 2.
7. Login as non-root user again.
   
109 2 ENTM Fixes an issue with Access Control where Worldview dates are sorted alphanumerically on the name of the month rather than the number of the month. AC126SP11004 ALL The column get property definition sets the Last update field as a date string     Sorting the Last Status field on the world view page doesn't sort by date, but by string value 102 T5P0098
110 2 ENTM Fixes an issue with Access Control where customer can see no update in the UI when executing 5 users delete exception. It does not occur with 4 users or fewer. AC126SP11013 ALL   AC with SiteMinder Integration   1. Login as requester, 2000013
2. Create request for 5 or more Privileged Account.
to Start exception duration is between now and 1 hour as default.
3. Login as approver, 3010003
4. Approved all request
5. Login as superadmin.
6. To delete all exception go to exception list.
7. Delete above exception account
8. Please see in Audit log for Privileged Account
   
111 1 Unix endpoint user mode Fixes an issue with Access Control where AC erases the system-auth symbolic link and it becomes a real link. AC126SP11037 LINUX all The move command removes the system-auth link and creates a system-auth file instead.          
112 2 ENTM Fixes an issue with Access Control where when selecting a native group at endpoint management an error message appears. AC126SP11049 ALL Trying to cast a group property to the wrong property type   Code change: Casting the group property to the appropriate type 1. Create a PMDB 2. Stop Access Control 3. Connect to the PMDB in standalone mode (selang -p wind_policy) 4. Change the environment to native environment (env native) 5. Create a new group (say -- ng a) 6. Add a native user to this group 7. Start Access Control 8. From selang, connect to the PMDB, change the environment to native 9. The show group returns the name of the Group and the user added to this Group Problem:: -------------------- 10. Start the Endpoint Management UI and connect to the PMDB 11. Search for the Groups (internal groups) 12. The Group 'a' is listed 13. Clicking on this Group generates an error 103 T5P0100
113 2 Windows endpoint user mode Fixes an issue with Access Control where the selang command fails to update property DIAL_PERMISSION. AC126SP11070 WINDOWS ALL The error is returned since the API is called with the structure RAS_USER_0 Windows 2008 N/A >selang AC> environment nt AC(nt)> cu win_acnt1 gen_prop(DIAL_PERMISSION) gen_val(1) (localhost) NT : ==== ERROR: Failed to update USER win_acnt1 ERROR: NT Set user DialIn Property failed : Windows error code = 1003 (Cannot complete this function.)    
114 2 ENTM Fixes an issue with Access Control where JUSTIFICATION Field at approver work item has no scroll bar. AC126SP11088 ALL     Code Change- Remove the "disabled" element allowing the scrolling bar to be active at IE browser at the justification field 1. Create privileged account request with justification that contains more than four lines.
2. Open IE browser, and open the work item of the approver for the requested account.
3. the justification field has a scroll bar but it is enabled.
   
115 2 ENTM Fixes an issue with Access Control where an error occurs when the scoping rule dynamically needs to be resolved with User object. AC126SP11112 ALL When a scoping rule needs to be resolved dynamically with the User object, an error occurs since the Context (which holds a handle to User) is null.   Code Change- Add method for findManagedObjects getting the context as parameter 1. Create a new role which is a copy of the OOTB Role "Break Glass". 2. Define a scoping rule having the following rule: where (Account Name = admin's User ID 3. Create some Privileged accounts that have the name "per" 4. Create user by name "per" 5. Log in with the new user; at the My Privileged Accounts page select Advanced and check the break glass check box. Submit the search 6. No results are retrieved    
116 2 Unix endpoint user mode Fixes an issue with Access Control where
seosd crash accessing null pointer.
AC126SP11114 All seosd file table search attempt access empty table slot. ----------------------- INTERNAL: Possibly file audit event comes from kernel after file was removed in DB. The seosd cleans both kernel file table and kernel file cache when removing file entry. However possibly event was already routed to seosd while deleting file in DB no specific conditions Check file table entry before accessing it Not reproduced in Lab 1725 T3DB106
117 3 Windows endpoint user mode Fixes an issue with Access Control where own password change fails in native PMDB when the current user does not exist. AC126SP11117 WINDOWS ALL Own user creation with password attribute in native pmdb is not allowed. own user creation with password attribute in native pmdb setoptions cng_ownpwd is enabled Create own user without password attribute in native PMDB first, then update the user with password attribute. 1. Create pmdb and subs localhost
2. Make sure the following policies are set to seosdb and pmdb: setoptions class-(PASSWORD) setoptions cng_adminpwd setoptions cng_ownpwd setoptions password(rules(bidirectional))
3. Set parent_pmd to pmdb@localhost
4. Create a user with admin attr in pmdb and propagate it AC> ho pmdb@ AC> eu user password(**********) AC> auth terminal localhost uid(user) acc(a)
5. Unsubs localhost
6. Remove the user from native pmdb AC> ho pmdb@ AC> env native AC> ru user
7. Subs localhost
8. Login the server with that user and connect to the pmdb. AC> ho pmdb@
9. Change the own password. AC> eu user password(**********) (pmdb@localhost) USER Successfully updated user (pmdb@localhost) Native: === ERROR: Operation not allowed -----> this should be successful
   
118 2 Windows endpoint user mode Fixes an issue with Access Control Winservice problem. AC126SP11123 WINDOWS ALL Some rules for windows services seem not to have the expected effect, that is, one can set up a rule for a window service that allows only to stop the service, but the service can then be equally started.   Softened validation checks er WINSERVICE spooler own(nobody) defacc(r,stop)
net stop spooler <----Works
net start spooler <----Works but according to the rule above, shouldn't
555 T243962
T243963
119 3 Windows endpoint user mode Fixes an issue with Access Control where the password disable is defaulted as 60 minutes. AC126SP11127 Windows all Disable(0) is defaulted as 60(minutes) Execute so password(disable(0)) in native environment N/A AC> env nt AC(nt)> so list (localhost) NT : ==== Data for Windows Account Policies ----------------------------------------------------------- ... Password fails : 0 Disable : 30 Off hours disconnect : 8 Reset count after : 30 ... AC(nt)> so password(disable(0)) (localhost) NT : ==== Successfully updated CA Access Control options AC(nt)> so list (localhost) NT : ==== Data for Windows Account Policies ----------------------------------------------------------- ... Password fails : 5 Disable : 60 <==== Strange! We can't set 0 Off hours disconnect : 8 Reset count after : 30 ... # open "Local Security Policy" again and check "Account lockout policy" # you can confirm "Account lockout duration" as 60, not 0. It should be as 0.    
120 3 Windows endpoint user mode, Unix endpoint user mode Fixes an issue with Access Control where DMS is unresponsive. AC126SP11145 All   The command contains property ON_BEHAVE_OF. Need the fix seagent. Create a policy and assign a policy to an hnode. check the error log for DMS__. "sepmd -e DMS__". ERROR: You cannot use more than one value for property ON_BEHAVE_OF.    
121 3 ENTM Fixes an issue with Access Control where the return to search button takes the user to a random page. AC126SP11210 ALL It is a framework issue: the items are not on the session N\A N\A Create more reports than the paging size (20). Go to: Reports -> View My Reports -> Click on the search button; a list of results will display on the page. Navigate to the next page and select (check) an item, then click on the select button; the report will display. Next click on the button Return To Search; the search page returns to the first page.    
122 3 ENTM Fixes an issue with Access Control where the UI shows an incorrect summary in the Policy Model of the ENTM. AC126SP11223 ALL Refer to wrong count in the server N/A N/A Go to Endpoint Management -> Policy Model. Create or delete a subscriber; the total of subscribers only increases, when it should change according to the subscribers list and not the errors    
123 2 UNAB Fixes an issue with Access Control where the user cannot register UNAB. AC126SP11225 UNIX ALL uxpreinstall output reports major problems with resolver setup.          
124 3 UNAB Fixes an issue with Access Control where the support.sh script overwrites the local etc/syslog.conf and /var/adm messages files on a non-Linux system. AC126SP11228 UNIX ALL In support.sh, when creating logfiles.tar it specifies absolute file paths.   Use relative file paths when creating logfiles.tar. Run support.sh to generate a support.tar.Z. Retrieve logfiles.tar from support.tar.Z. Run "tar vtf logfile.tar" to list contents. Check if files are using absolute file paths.    
125 1 ENTM Fixes the following issues with Access Control:
1. Anyone can access getScript URL.
2. Ticket is not one time ticket.
3. No authentication is needed for accessing this URL.
AC126SP11254 ALL 1. Ticket is not one time ticket. 2. Access can be made without authentication.   1. Ticket for getScript URL is valid only once. 2. Checking agent type of URL requestor to verify it is correct. Using a sniffer, a user could catch the auto login request of a privileged account and from there see the response of the ENTM server to the following URL: 17 T537709
126 2 ENTM Fixes an issue with Access Control where the user cannot upgrade from SP5 to MARS. AC126SP11260 ALL Upgrade gives a message that the database version cannot be detected and the upgrade of the database will not be performed.          
127 3 Unix endpoint user mode Fixes an issue with Access Control where an incorrect Japanese message appears. AC126SP11265 UNIX ALL       seaudit -t | grep ^14 will show: 14 Password contains pattern from old password    
128 1 ENTM Fixes an issue that occurs when creating an account using a CSV feeder which has Boolean values written with capital letters, the UI AC126SP11316 ALL     Compares Boolean values ignoring case. 1. Create a CSV file for privileged account feeder creation. 2. Set some Boolean fields, such as CHANGE_PASSWORD_ON_CHECKOUT, in capital letters (TRUE). 3. Run the feeder and open the newly created account; the field marked in capital letters as TRUE shows as false. 20 T5P0104
129 3 Windows endpoint user mode Fixes an issue with Access Control where grace count decreases to 2 after logging in. AC126SP11323 Windows all Dual login events are created and the AC sub auth package catches them. 1. DC on Win2008 R2 2. Login after locking the screen N/A Windows 2008 R2 (x64) as DC / AC R12.5 SP4 1. Enable the AC password class 2. Create a test user with grace count 3. Log in to the DC as the test user via GINA 4. Verify 1 grace count is decremented 5. Lock the screen by opening Start -> Lock 6. Log in to the DC again 7. Verify dual LOGIN audit records appear and 2 grace counts are decremented 07 May 2012 13:38:10 P LOGIN murte01 55 2 AD.test.com C:\Windows\System32\lsass.exe 07 May 2012 13:38:10 P LOGIN murte01 55 2 AD.test.com C:\Windows\System32\lsass.exe 8. Add the reg value [HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\SeOSD] "GraceDecrementInterval"=5000 (=5000 msec) 9. Start AC and repeat steps 5 and 6 10. Verify dual LOGIN audit records appear and only 1 grace count is decremented
130 1 UNAB Fixes an issue with Access Control where generate_comp_name() creates the same names for multiple machines. AC126SP11336 UNIX ALL If hostname is longer than 15 characters then uxconsole generates a shorter name.          
131 3 ENTM Fixes an issue with Access Control where the ENTM UI performs slowly for Access Control policies. AC126SP11342 ALL     Improve the performance in the World View implementation. Search a database with 6000 PUPM endpoints and 2000 AC hosts (DMS); the response is slow. The customer reported ~45 seconds. 96 T5P0090
132 1 ENTM Fixes an issue with Access Control where the user cannot modify a password using a CSV file. AC126SP11387 ALL     Do not reset the account password for a disconnected account. There is a Reset Privileged Account Password Event for accounts modified with PUPM Feeder even though the account is defined as DISCONNECTED. 23 T5P0106
133 2 ENTM Fixes an issue with Access Control where, when the User Store is AD, the results of View My Submitted Tasks are retrieved by user DN. AC126SP11410 ALL     Store the user DN when AD is the user store; otherwise store the user name. User store is AD. Log in to ENTM and browse to My Accounts > Self Manager View My Submitted Tasks. No results are retrieved although some activities were made on behalf of the logged-in user. 22 T537711
134 1 Unix endpoint kernel mode Fixes an issue with Access Control where OS_procserver_terminal_set() tried to free kernel memory that it had allocated itself and panicked due to a redzone violation. AC126SP11418 UNIX ALL Memory overflow. When SEOS_procserver_terminal_set() failed to COPYIN terminal information from user space and had to retrieve it from the internal kernel table. Use COPYINSTR instead of COPYIN to handle it as a string, and also allocate memory of size len + 1.   1730 T3E7144
135 1 Unix endpoint kernel mode Fixes an issue with Access Control where OS_procserver_terminal_set() tried to free kernel memory that it had allocated itself and panicked due to a redzone violation. AC126SP11418 UNIX ALL Memory overflow. When SEOS_procserver_terminal_set() failed to COPYIN terminal information from user space and had to retrieve it from the internal kernel table. Use COPYINSTR instead of COPYIN to handle it as a string, and also allocate memory of size len + 1.   1730 T3E7144