CA Directory 12.6
Last Updated: July 27, 2017

CA Directory 12.6 does not support 32-bit platforms.

Fixes in CA Directory 12.6 SP3

Support Ticket # Engineering Ticket # Affected Component Problem Summary
  DE306578 Management UI Configuration items containing multiple DNs are now supported. Entering a comma in inputs with dn=true defined in the schema no longer adds a new tag.
  US344778 DXserver CA Directory can contain entries that are critical to the operation of CA Directory and applications. If these entries are accidentally removed or renamed, this has the potential to cause unexpected outages. Access controls are the first line of defence to ensure these entries aren't updated, but there are circumstances where this protection isn't enough, for example, if a super-user is performing updates via an LDAP browser.

The new command 'set critical-entries = <DN list>;' can be set to prevent these entries and their parent entries from being renamed or removed.

For example,

set critical-entries = <c AU><ou users><cn admin>,
<c AU><ou groups>,
<c AU><ou users><cn admin : uid 1234>;   # multi-valued RDN example

A rename/remove of the following entries will be prevented with unwillingToPerform:
* <c AU>
* <c AU><ou users>
* <c AU><ou users><cn admin>
* <c AU><ou groups>
* <c AU><ou users><cn admin : uid 1234>

If "set role-subtree = <c AU><ou groups>;" is configured, then this entry is now also protected by critical-entries, as renaming it may cause access controls to start failing.

  DE300927 DXserver & Management UI Fixed a defect where the Management UI and DXserver Windows installers were not deleting the installation folder on uninstall.
 00768195 DE300383 DXserver On AIX a user is no longer required to be a member of the 'bin' group in order to install or upgrade CA Directory.
 00741609 DE304458 DXserver An issue has been resolved where a rename request specifying a new naming attribute was permitted even though the attribute did not exist in the object class list for that entry.

For example,
dn: ou=acme,c=au
objectClass: organizationalUnit

A rename request of ou=acme,c=au with a new RDN of cn=acme would be permitted, even though cn is not supported by the organizationalUnit object class.

This behavior has been corrected; however, there may be use cases that rely on this non-standard behavior. If so, the original functionality can be reinstated with 'set rename-check-oc = false;'.
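The two modify-DN checks described in this release, critical-entries (US344778, above) and rename-check-oc (DE304458), can be modelled together because both need the same DN parsing. The following is an added example, not CA Directory's own code: it parses the DXserver angle-bracket DN form, expands a 'set critical-entries' setting into the protected set (each listed entry plus its parents, exactly as in the list above) and then applies the rename-check-oc rule against a constructed mini-schema. The parser, the SCHEMA table, the function names and the "rejected by rename-check-oc" wording are all assumptions made for this example.

```python
"""Added example, not CA Directory's own code: models the 'critical-entries' and
'rename-check-oc' checks for DNs written in the DXserver angle-bracket form such
as <c AU><ou users><cn admin>. Parser and mini-schema are constructed simplifications."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# An RDN is a sorted tuple of (attribute, value) pairs; a multi-valued RDN
# such as <cn admin : uid 1234> has more than one pair.
RDN = Tuple[Tuple[str, str], ...]
DN = Tuple[RDN, ...]

_RDN_RE = re.compile(r"<([^<>]*)>")


def parse_dn(text: str) -> DN:
    """Parse '<c AU><ou users><cn admin : uid 1234>' into a tuple of RDNs.
    Attribute types are lower-cased; ':' separates the values of a multi-valued RDN."""
    rdns: List[RDN] = []
    for body in _RDN_RE.findall(text):
        pairs: List[Tuple[str, str]] = []
        for ava in body.split(":"):
            attr, _, value = ava.strip().partition(" ")
            if not attr or not value.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            pairs.append((attr.lower(), value.strip()))
        rdns.append(tuple(sorted(pairs)))  # sorted so <uid 1 : cn a> equals <cn a : uid 1>
    if not rdns:
        raise ValueError(f"no RDNs found in {text!r}")
    return tuple(rdns)


def parse_rdn(text: str) -> RDN:
    """Parse a single RDN such as '<cn acme>'."""
    dn = parse_dn(text)
    if len(dn) != 1:
        raise ValueError(f"expected exactly one RDN in {text!r}")
    return dn[0]


def parse_critical_entries(setting: str) -> Set[DN]:
    """Expand 'set critical-entries = <...>, <...>;' into the protected set:
    every listed entry plus each of its parent entries."""
    text = " ".join(line.split("#", 1)[0] for line in setting.splitlines())  # drop comments
    body = text.split("=", 1)[1].split(";", 1)[0]
    protected: Set[DN] = set()
    for item in body.split(","):
        if item.strip():
            dn = parse_dn(item)
            for depth in range(1, len(dn) + 1):
                protected.add(dn[:depth])
    return protected


# Constructed mini-schema: object class -> attribute types it permits.
SCHEMA: Dict[str, Set[str]] = {
    "top": {"objectclass"},
    "organizationalunit": {"ou", "description", "l", "st", "postaladdress"},
    "person": {"cn", "sn", "description", "telephonenumber", "userpassword"},
}


def check_modify_dn(protected: Set[DN], target: str, new_rdn: Optional[str],
                    object_classes: Iterable[str], rename_check_oc: bool = True) -> Optional[str]:
    """Return None if the rename (new_rdn given) or remove (new_rdn None) of
    `target` is allowed, otherwise the reason it is refused."""
    # critical-entries: the entry itself or a parent of a listed entry
    if parse_dn(target) in protected:
        return "unwillingToPerform: entry is protected by critical-entries"
    if new_rdn is None or not rename_check_oc:  # 'set rename-check-oc = false;'
        return None
    allowed: Set[str] = set()
    for oc in object_classes:
        allowed |= SCHEMA.get(oc.lower(), set())
    bad = [attr for attr, _ in parse_rdn(new_rdn) if attr not in allowed]
    if bad:
        return f"rejected by rename-check-oc: {', '.join(bad)} not permitted by object class"
    return None


# The setting from the release note, embedded here as the sample input.
EXAMPLE_SETTING = """set critical-entries = <c AU><ou users><cn admin>,
<c AU><ou groups>,
<c AU><ou users><cn admin : uid 1234>;   # multi-valued RDN example
"""

if __name__ == "__main__":
    protected = parse_critical_entries(EXAMPLE_SETTING)
    for dn in sorted(protected):
        print("protected:", "".join(f"<{' : '.join(f'{a} {v}' for a, v in rdn)}>" for rdn in dn))
    print(check_modify_dn(protected, "<c AU><ou users>", None, ["organizationalUnit"]))
    print(check_modify_dn(protected, "<c AU><ou acme>", "<cn acme>", ["organizationalUnit"]))
```

Run stand-alone it prints the five protected DNs from the list above, then the refusal for removing <c AU><ou users> and the refusal for renaming an organizationalUnit entry to cn=acme; passing rename_check_oc=False reproduces the pre-fix behaviour for the second case.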

  DE304222 DXagent Fixed an issue where DXagent returned DSA knowledge in reverse order. If the DSA config was modified in the Management UI this resulted in the knowledge being persisted in reverse order.
  DE300928 Management UI Fixed a defect in Management UI windows installer where the backup dialog prompt was hidden during uninstallation.
  DE303910 Management UI Fixed a defect in the Management UI installer for Linux where a hostname FQDN failure was not correctly detected, so the installation was not aborted. This resulted in the web server certificate being an empty file.
 00754930 DE298852 Management UI Fixed a defect where the 'Edit DSA' modal would hang due to a syntax error in its config, preventing the UI from determining if the DSA is a data or router DSA.
  DE296274 Management UI Added management UI product version information in the about box.
 00780276 DE302449 Management UI Fixed a vulnerability in the Management UI. The fix intercepts the "File not found" error code and returns a generic error message, so that no internal directory structure information is revealed and no script injection is possible.
 00778822 DE302549 DXserver Fixed an issue in DXserver where access control roles were not propagated to subordinate/peer DSAs, which caused access control denials in the subordinate/peer DSAs.
 00756389 DE299080 SCIM 1.0 server Fixed an issue in the SCIM 1.0 server where connections that had become invalid (for example, shut down from the DSA end due to a timeout) were not destroyed but were returned to the pool, which caused later problems.
 00743318 DE292979 DXserver The force-encrypt-auth setting is now ignored for local DXconsole connections. Bind authentications in cleartext are always allowed if clients are connected to the local DXconsole port (console-port).
 00771362 DE300157 DXserver Fixed an issue in DXserver where when in FIPS mode the Protocol configuration was ignored and always used TLS 1.0.
00753364 DE295295 DXmanager Fixed an assertion failure in dxadmind that led to a crash. This can only occur in a specific scenario where the sending of a persistent search response encounters a short write while the socket is being closed at the same time. The fix involves a partial merge of the OpenLDAP fix for ITS#4667.

Fixes in CA Directory 12.6 SP2

Support Ticket # Engineering Ticket # Affected Component Problem Summary
  DE293205 DXserver A potential DXserver memory leak has been addressed when LDAP clients abort connections while in the process of performing a large number of asynchronous requests.
  DE291770 DXserver Improved DXserver memory utilization when sending a lot of small requests/responses and the connection is blocked.
  DE291765 Management UI Fixed Management UI installer that regenerated DSA certificates in upgrade mode. It now generates certificates for Management UI embedded DSA only.
  DE278370 DXserver Fixed the Unix Directory uninstaller, which asked for user input in silent mode.
  DE286134 Management UI Added missing management UI specific settings to the response file generated on Windows.
  DE285848 Management UI Fixed Directory Windows installer response file generation where invalid DXmanager related entries were created.
  DE276940 Management UI Fixed Management UI Windows installer failure in repair mode.
  DE277331 Management UI Fixed Management UI Linux installer incorrectly providing ability to install older version on top of a newer version.
  DE276894 DXagent Fixed an install problem on Linux where a temporary file remained after installation.
  DE286863 DXserver Fixed an uninstall problem on Unix where dsa user was deleted but dxserver folder remained and was owned by undefined user.
  DE286882 DXserver Added an installation option to choose the method that allows DXserver on Unix to listen on ports <= 1024. On Linux and Solaris a safer approach can be chosen rather than making the dxserver binary root-owned with the 'setuid' flag set.

On Linux a safer approach is to assign 'cap_net_bind_service' capability to the binary. On Solaris a safer approach is to use a new rights profile.
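To verify which of the two approaches an installation actually ended up with, the following added example (not CA Directory's own code) classifies an executable as setuid-root, capability-based or unprivileged. It uses os.stat for the set-user-ID bit and getcap(8) for cap_net_bind_service; the function names, the assessment text and the temp-file helper are assumptions made for this example, and the Solaris rights-profile approach is not covered.

```python
"""Added example, not CA Directory's own code: reports how an executable has
been granted the right to bind ports <= 1024, separating the legacy root-owned
setuid approach from the narrower cap_net_bind_service capability (Linux)."""
import os
import shutil
import stat
import subprocess
import tempfile


def has_net_bind_capability(path: str) -> bool:
    """Ask getcap(8) whether cap_net_bind_service is set on the file.
    Returns False when getcap is not installed (e.g. on non-Linux systems)."""
    getcap = shutil.which("getcap")
    if getcap is None:
        return False
    out = subprocess.run([getcap, path], capture_output=True, text=True).stdout
    # older libcap prints 'file = cap_net_bind_service+ep', newer 'file cap_net_bind_service=ep'
    return "cap_net_bind_service" in out


def bind_privilege_method(path: str) -> str:
    """Classify the executable as 'setuid-root', 'setuid' (set-user-ID but not
    root-owned), 'capability' or 'none'."""
    st = os.stat(path)
    if st.st_mode & stat.S_ISUID:
        return "setuid-root" if st.st_uid == 0 else "setuid"
    if has_net_bind_capability(path):
        return "capability"
    return "none"


def assessment(method: str) -> str:
    """Map a classification to the guidance given in the release note."""
    if method == "setuid-root":
        return "legacy approach: the whole process runs as root; prefer cap_net_bind_service on Linux"
    if method == "capability":
        return "scoped privilege: only port binding is elevated"
    if method == "setuid":
        return "set-user-ID to a non-root owner: cannot bind ports <= 1024 by itself"
    return "no elevated privilege: binding ports <= 1024 will fail unless run as root"


def classify_temp_file(mode: int) -> str:
    """Create a throwaway file with the given mode and classify it, so the check
    can be exercised without touching a real dxserver binary."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return bind_privilege_method(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    method = bind_privilege_method(target)
    print(f"{target}: {method} -> {assessment(method)}")
```

Point it at the installed dxserver binary to confirm the method chosen at install time; a result of "setuid-root" on Linux means the legacy approach is still in use.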
  DE277472 & DE281464 Management UI Fixed Management UI not giving user ability to edit embedded DSA if any dxagents were unreachable.
  US313125 Management UI Excluding embedded DSA(s) whose prefix ends with “o=management-ui” when importing DSA(s) for a host.
  DE290952 DXagent Fixed an issue in DXagent that occurs when some special characters are included in string type settings. Enabled relative path conversion for SSL path based settings.
  DE283561 & DE256361 DXagent Fixed inconsistent escaping of horizontal partitioning configuration in DXagent. Relaxed partition count checking in DXtools & DXagent to allow partitions to be created in Management UI.
00714415 DE288357 Management UI Fixed Management UI Windows installer failure when the selected target is on a volume that does not have short filename (8dot3) enabled. Typically this problem is observed when installing on other than drive C:.
  DE262933 DXserver Fixed an internal issue in DXemptydb utility where it would crash when invoked with no arguments.

Fixes in CA Directory 12.6 SP1

Support Ticket # Engineering Ticket # Affected Component Problem Summary
  DE286863 DXserver Fixed dxserver folder cleanup on Unix during uninstall, where the uninstaller deleted dsa user but left dxserver folder owned by undefined user.
  DE286882 DXserver Added a new LEGACY_SETUID response file variable to allow using the legacy SETUID approach for the DSA to listen on ports in the range 1-1024.
00665085 DE273676 DXserver Fixed DXserver crash on Windows platform. Root cause of the problem was incorrect usage of a 32-bit variable to store a 64-bit value. This caused DXserver to reference an invalid memory address when the 64-bit value was greater than 2147483647.
00660525 DE272674 & DE277704 DXserver Defect DE206334 has been backed out under the above change. While it produced consistent modifyTimestamps for renames, it had the side effect of impacting data integrity when an entry was updated on one DSA and renamed on another while the link between them was down. During conflict resolution the more recent rename now wins over the update, ensuring the entries (apart from modifyTimestamp) are identical.

Fixes in CA Directory 12.6

Support Ticket # Engineering Ticket # Affected Component Problem Summary
  DE277481 DXagent A DXagent setup issue has been resolved where certificate creation would fail for long hostnames.
  US287317 DXserver To assist with migration from Oracle Directory Server Enterprise Edition (ODSEE), CA Directory has received several enhancements.

Please consult the “Migrating from Oracle Directory Server Enterprise Edition to CA Directory” Guide in the product documentation for further details.

A continuous mode of operation is now supported: the -e option ignores issues that prevent entries from loading and continues processing the LDIF. This works in both normal and dry-run modes.

A new tool is now shipped in the CA Directory packages to assist with migration of ODSEE password policy configuration and exported data. Please consult the documentation for further details.

Phased migration - To allow for a phased migration from ODSEE, CA Directory now supports two-way replication.

  CA Directory -> ODSEE (DXlink replication)
* When replicating over DXlink, multi-write will always replicate using the configured LDAP DSA name and LDAP DSA password.
* Replication now supports Multiwrite Ignore Attrs to specify a list of attributes that should not be included when replicating add and modify requests.

  ODSEE -> CA Directory
CA Directory now supports pull replication from ODSEE using the retro changelog feature. This can be configured via the following command or via the Settings tab in the Management UI:

  set pull-replication = {
      source = "dxlink"
      location = <cn changelog>
      interval = 10
      window-size = 20
      retries = 30
      ignore-attrs = aci, pwdFailureTime, pwdAccountLockedTime, pwdHistory, passwordHistory, modifiersName, modifyTimestamp
  };

source: the DSA name from the DXlink reference or the unmanaged DSA (UI)
location: where the retro changelog entries are stored
interval: the number of seconds between replication requests
window-size: the window of updates retrieved per replication request
retries: the number of attempts in which no entries were retrieved before an alert is logged
ignore-attrs: attributes from ODSEE to exclude from add and modify requests
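To make the interaction of window-size, retries and ignore-attrs concrete, the following added example (not CA Directory's own code) simulates the pull-replication loop over a constructed ODSEE retro changelog. The ChangelogEntry and PullReplicator names, the five sample changes and the choice to count only consecutive empty polls against retries are assumptions made for this example; interval is recorded but the simulation steps manually rather than sleeping.

```python
"""Added example, not CA Directory's own code: simulates the pull-replication
loop over a constructed ODSEE retro changelog, showing how window-size, retries
and ignore-attrs interact. Entries, class and function names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

IGNORE_ATTRS = {"aci", "pwdFailureTime", "pwdAccountLockedTime", "pwdHistory",
                "passwordHistory", "modifiersName", "modifyTimestamp"}

Applied = Tuple[str, str, Dict[str, str]]  # (change type, target DN, attributes applied)


@dataclass
class ChangelogEntry:
    change_number: int            # monotonically increasing, like the ODSEE changeNumber
    target_dn: str
    change_type: str              # 'add', 'modify' or 'delete'
    attrs: Dict[str, str] = field(default_factory=dict)


class PullReplicator:
    """Pulls changes newer than the last applied change number, at most
    window-size per request; counts consecutive empty polls against retries."""

    def __init__(self, changelog: List[ChangelogEntry], window_size: int,
                 retries: int, ignore_attrs=IGNORE_ATTRS, interval: int = 10):
        self.changelog = changelog
        self.window_size = window_size
        self.retries = retries
        self.ignore = {a.lower() for a in ignore_attrs}
        self.interval = interval  # seconds between polls; the simulation steps manually
        self.last_change = 0
        self.empty_polls = 0
        self.applied: List[Applied] = []
        self.alerts: List[str] = []

    def poll(self) -> int:
        """One replication request; returns the number of entries applied."""
        batch = [e for e in self.changelog if e.change_number > self.last_change]
        batch = batch[:self.window_size]
        if not batch:
            self.empty_polls += 1
            if self.empty_polls == self.retries:  # alert once the retry budget is used up
                self.alerts.append(f"no changes retrieved in {self.retries} consecutive polls")
            return 0
        self.empty_polls = 0
        for entry in batch:
            self.applied.append(self._apply(entry))
            self.last_change = entry.change_number
        return len(batch)

    def _apply(self, entry: ChangelogEntry) -> Applied:
        """Strip ignore-attrs from add/modify before applying; deletes carry no attributes."""
        attrs: Dict[str, str] = {}
        if entry.change_type in ("add", "modify"):
            attrs = {k: v for k, v in entry.attrs.items() if k.lower() not in self.ignore}
        return (entry.change_type, entry.target_dn, attrs)


def build_sample_changelog() -> List[ChangelogEntry]:
    """Constructed changelog: five changes, some carrying attributes that must not replicate."""
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    return [
        ChangelogEntry(1, alice, "add", {"uid": "alice", "cn": "Alice", "aci": "(targetattr=\"*\")"}),
        ChangelogEntry(2, alice, "modify", {"pwdFailureTime": "20170118150400Z", "mail": "alice@example.com"}),
        ChangelogEntry(3, bob, "add", {"uid": "bob", "cn": "Bob"}),
        ChangelogEntry(4, bob, "modify", {"modifyTimestamp": "20170118150500Z", "telephoneNumber": "+61 2 0000 0000"}),
        ChangelogEntry(5, "uid=carol,ou=people,dc=example,dc=com", "delete"),
    ]


def run_scenario(window_size: int, retries: int, polls: int) -> Tuple[List[int], List[Applied], List[str]]:
    """Run a fixed number of polls and return (entries per poll, applied changes, alerts)."""
    rep = PullReplicator(build_sample_changelog(), window_size, retries)
    counts = [rep.poll() for _ in range(polls)]
    return counts, rep.applied, rep.alerts


if __name__ == "__main__":
    counts, applied, alerts = run_scenario(window_size=2, retries=3, polls=6)
    print("entries per poll:", counts)
    for change in applied:
        print(change)
    print("alerts:", alerts)
```

With window-size 2 the five changes arrive over three polls, the aci, pwdFailureTime and modifyTimestamp values never reach the CA Directory side, and the alert appears only after the third consecutive empty poll.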
  F33742 Management UI The Management UI has been internationalized. Localized resources have been added for Japanese and French.
  DE276228 DXserver The ldif2dxc tool has been enhanced to handle schema that is not standards-compliant. When a structural object class definition is missing a superclass, it is no longer treated as abstract: the object class is kept as structural and a superclass of "top" is included in the definition.
  DE275936 DXagent An issue has been resolved in DXagent where when uploading a DSA DB file on Windows, the Local Service user was not assigned appropriate file permissions.
  TA528192 DXserver A new "-e" option is added to the dxloaddb tool, which allows dxloaddb to ignore errors in the LDIF file and continue processing. This does not include errors in object relations, where an object cannot be found for a relative DN. These errors are fatal and cannot be ignored.
  DE272171 Management UI In the Linux Management UI installer the default option is changed to N for the question 'Do you want to use your own certificates to secure Management UI web server communications?'. Certificate and private key validation has also been added: check that the provided files can be accessed, check that the provided files actually contain a certificate and a private key, and check that the provided certificate matches the private key.
  DE274620 DXserver An issue has been resolved where CAPKI package remains installed after CA Directory is uninstalled on Windows.
  DE272662 Management UI An issue with the express install of CA Directory Management UI on Linux has been resolved where the installer asked for Management UI details instead of using default values, and did not install dxagent.
  DE256362 Management UI An issue with the CA Directory installer on Linux has been resolved where, if CA Directory is installed on top of the Management UI, the DXUIHOME environment variable became unset, which prevented the Management UI from working properly.
  US285006 Management UI Data functionality removed from DSA update modal and placed in new 'Upload' modal.
  US285028 Management UI Management UI now supports a default password policy. Password policies are also displayed in a more intuitive tab form.
  DE275583 DXserver An issue has been resolved where configuration redefinition alarms were erroneously logged for password policy settings that may be set multiple times for different policies.
  US257139 DXserver and Management UI CA Directory is now certified on Windows 2016
  US257138 DXserver and Management UI CA Directory is now certified on RHEL 7.3
  US257137 DXserver and Management UI CA Directory is now certified on CentOS 7.3
  DE265364 Management UI A Management UI issue has been resolved during DSA creation, where DB file uploading would result in an error.
  US261705 DXserver For synchronous multi-write replication, when updates are sent and enter the pending state the DSA now stores a timeout on each queued item. This timeout is cleared when an acknowledgement is received.
When queueing a new item the DSA now checks whether the first item in the queue has timed out; if so, an alarm is logged.
  DE274939 DXserver To improve compatibility with the Management UI/DXagent, the dxnewdsa tool no longer accepts multi-byte DSA names. DSA names are now restricted to the following range of characters [a-zA-Z0-9-_.].
00660525 DE272674 DXserver A MW-DISP conflict resolution issue has been resolved where:
* dsa1 and dsa2 lose contact
* entryA is renamed to entryB on dsa1
* entryA is updated on dsa2 (with the old name)

When contact is re-established:
* MW-DISP recovery from dsa1 -> dsa2 will continually fail
* The entry will no longer be synchronized between dsa1 and dsa2, as the update will be applied using the old name

The DSA now resolves this conflict by allowing the rename to be applied during MW-DISP recovery from dsa1 -> dsa2, and the DSA will then attempt to apply the update from dsa1 to the renamed entry.
  DE271462 DXserver Fixed an issue that prevented the "weak hash algorithm in FIPS mode" warning from being logged if the SSL configuration precedes the password-storage setting in the configuration file.
  US209892 DXserver When a search request exceeds max-op-time, or exceeds a non-zero time-log-search-threshold with time logging enabled, the search filter is examined for attributes that are not indexed, and a warning is logged for each non-indexed attribute.
E.g. WARN : Attribute used in filter: mail is not indexed
These warnings assist in the diagnosis of abnormally slow requests and assist in the tuning of indexes.
  US261211 DXserver The stats log now includes two new items, CPU Seconds and CPU kTicks. CPU Seconds is the number of seconds within the last minute in which the DSA scheduler iterated at least once. CPU kTicks is the number of times the DSA scheduler iterated in the last minute, in units of 1000 ticks.
A new setting, "cpu-starvation-threshold", has been introduced; it defaults to 5, and is disabled by setting it to -1. If the CPU starvation threshold is exceeded, an alarm is logged indicating that CPU starvation has been detected.
For example, if the DSA has the default threshold of 5 seconds and CPU Seconds falls below 55 seconds in the last minute, an alarm is logged. Likewise, if the stats log entry is overdue by more than 5 seconds, e.g. it was logged at 20170118.150411 instead of 20170118.150400, it is overdue by 11 seconds and has exceeded the threshold.
CPU starvation alarms may correlate with abnormally slow requests in a customer's environment and provide an indication of the root cause, such as a VMware vMotion event.
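The two triggers above (CPU Seconds below 60 minus the threshold, and a stats entry logged more than the threshold late) are easy to re-derive from the stats log after the fact. The following added example, not CA Directory's own code, applies that rule to constructed stats lines; the line layout "<yyyymmdd.hhmmss> STATS CPU Seconds=<n> CPU kTicks=<n>" is a simplification assumed for this example and is not the real DXserver stats log format, and the schedule is assumed to be one entry per minute on the minute.

```python
"""Added example, not CA Directory's own code: applies the cpu-starvation-threshold
rule to stats log lines. The line layout used here is a constructed simplification,
not the real DXserver stats log format."""
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

STATS_RE = re.compile(r"^(?P<ts>\d{8}\.\d{6}) STATS CPU Seconds=(?P<cpu>\d+) CPU kTicks=(?P<kticks>\d+)")
STATS_INTERVAL = timedelta(minutes=1)  # the stats log is written once a minute

Alarm = Tuple[str, str]  # (timestamp as logged, reason)


def detect_cpu_starvation(lines: List[str], threshold: int = 5) -> List[Alarm]:
    """Two triggers, as in the release note: CPU Seconds below 60 - threshold,
    or a stats entry logged more than `threshold` seconds after it was due.
    threshold = -1 disables the check. Entries are assumed due on the minute."""
    if threshold < 0:
        return []
    alarms: List[Alarm] = []
    due: Optional[datetime] = None
    for line in lines:
        m = STATS_RE.match(line)
        if not m:
            continue  # not a stats line in the assumed layout
        logged = datetime.strptime(m["ts"], "%Y%m%d.%H%M%S")
        if due is None:
            due = logged.replace(second=0)  # the first entry anchors the schedule
        overdue = (logged - due).total_seconds()
        cpu = int(m["cpu"])
        if cpu < 60 - threshold:
            alarms.append((m["ts"], f"CPU Seconds {cpu} below {60 - threshold}"))
        if overdue > threshold:
            alarms.append((m["ts"], f"stats entry overdue by {overdue:.0f} seconds"))
        # the next entry is due a minute after this one was due, not after it was logged
        due += STATS_INTERVAL
    return alarms


# Constructed stats lines: the third is both late (150411 instead of 150400) and starved.
SAMPLE_STATS_LOG = [
    "20170118.150200 STATS CPU Seconds=60 CPU kTicks=412",
    "20170118.150300 STATS CPU Seconds=57 CPU kTicks=398",
    "20170118.150411 STATS CPU Seconds=49 CPU kTicks=211",
    "20170118.150500 STATS CPU Seconds=59 CPU kTicks=405",
]

if __name__ == "__main__":
    for ts, reason in detect_cpu_starvation(SAMPLE_STATS_LOG):
        print(f"ALARM {ts}: CPU starvation detected: {reason}")
```

With the default threshold of 5 only the 150411 entry raises alarms (one for each trigger); lowering the threshold to 2 also flags the 150300 entry's 57 CPU Seconds, which shows why the default is a balance between sensitivity and noise.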
  US271932 & US271933 DXserver Upgraded to CAPKI 5.2.0. An alarm message will now be logged if password-storage is set to a non-FIPS-compliant algorithm when the DSA is configured to run in FIPS mode.
00609880 DE265302 DXserver The dxloaddb utility now aborts when it encounters malformed GeneralizedTime attribute values, which avoids creating a DB file that contains corrupted values.