CA |
3.0 Installation Considerations
7.1 SAP CUA (New) Known Issues
7.1 PeopleSoft (New) Known Issues
This CR
provides maintenance release for all eTrust Admin 8.1 SP2 customers. Follow the
installation instructions specific to your configuration in order to execute
the upgrade to this CR.
Updated support matrix and system
requirements for this product are available at: http://support.ca.com/
When an
option is newly installed following an installation of a CR, if the CR contains
changes that apply to that option, the CR must be re-installed in order to
obtain those changes.
Back up existing data before uninstalling. Uninstall
will remove the entire application.
SAP CUA &
PeopleSoft
The
following packages are required to run the SAP and PeopleSoft Connector which
can be retrieved from CR22 and later build packages for either Solaris or
Windows
§§ eTrust Admin Provisioning
Server 8.1 SP2 CR
§§ eTrust Admin Provisioning
Repository 8.1 SP2 CR
§§ CA Identity Manager Java Connector Server 8.1 SP2 CR
§§ Identity Manager Connector Xpress 8.1 SP2 CR
§§ eTrust Admin Manager 8.1 SP2
CR
The
following components are optional:
§§ eTrust Admin SPML Server 8.1
SP2 CR
§§ eTrust Admin JIAM SDK 8.1 SP2
CR
SAP Java Connector
(JCS)
SAP Java
Connector supports SAP Kernel versions 6.40 and above. Previous versions of SAP
should be managed using the C++ connector.
Password
Synchronization Agent_x64
The
following package is required to run the Password Synchronization Agent x64 bit
which can be retrieved from CR21 build packages for Windows.
§§ eTrust Admin Password
Synchronization Agent x64 bit 8.1 SP2 CR
Remote Exchange 2007
Agent
The
following package is required to run the Exchange 2007 Agent x64 bit which can be
retrieved from CR21 build packages for Windows.
§§ eTrust Admin Remote Exchange
2007 x64 bit 8.1 SP2 CR
Admin
Server Windows
1) For Upgrade execute setup.exe
2) For Fresh Install refer to r8.1SP2 Implementation
Guide.
Admin
Server UNIX
1) Execute ./setup
Once the upgrade is completed, login as slapd user
2) su – etaslapd
3) schemagen –n COS
4) eta restart
When upgrading to CRn, Full Upgrade option must be
selected.
PS: If Custom Connectors are deployed with Admin
Server and it is being upgraded to this CR, following steps need to be carried
out.
Windows and Solaris
1. Redeploy Custom
Connector built using the Admin SDK from this CR.
Solaris Only
2. Edit
<instdir>/data/etrust_admin.conf file with following text.
Include
“/opt/CA/eTrustAdminServer/data/etrust_XXX.schema”
Where XXX is the name of your
connector.
Remote
Repository Windows
1) Execute setup.exe
Remote
Repository UNIX
1) Execute ./setup
Distributed
SuperAgent Windows
1) For Upgrade execute setup.exe
2) For new Install refer to Implementation Guide
Remote
Admin Manager Windows
1) For Upgrade execute setup.exe
2) For new Install refer to Implementation Guide
Manual
Zip
1) Unzip CR_Manual_Updates-<version number>.zip
2) Follow the Manual Installation Steps section below
Remote
RSA Agent UNIX
Prerequisites: Make sure /etc/system contains 'set semsys:seminfo_shmmni=135'. If the value is lower than 135 or
missing eCS installation will fail. A reboot is required if the value is added
or changed.
1) Execute ./setup
Postrequisites: Authorize the etrust admin server for
cam/caft with 'cafthost -a <hostname>'
Remote
E2K7 Agent Windows
Prerequisites: Microsoft Visual C++ 2008 Feature Pack
Redistributable Package (x64)
1) Execute setup.exe
JIAM SDK
1)
Execute setup.exe
SAP (C++)
SAPNamespace.dll now uses the Unicode
version of the SAP RFC library, which is librfc32U.dll. This Unicode RFC
library comes with SAP Front End >= 6.40. In existing customers
deployment that has the older version of the SAP Front End installed, an
upgrade is needed.
librfc32U.dll is compatible with both non Unicode and Unicode
versions of SAP servers. This newer library is also backward compatible with
older SAP servers, all the way back to 4.6C.
SDK
Environment on Solaris
To create a Provisioning SDK build
and development environment on Solaris, complete the following
steps.
To set up a build environment on Solaris
1. Install Sun Studio 10 or 11
2. Install GNU make-3.81 (for example: make-3.81-sol10-sparc-local.gz package
from www.sunfreeware.com)
3. Install GNU gcc-3.4.6 (for example: gcc-3.4.6-sol10-sparc-local.gz package
from www.sunfreeware.com)
4. Install GNU libiconv (for example: libiconv-1.11-sol10-sparc-local.gz
package from www.sunfreeware.com)
5. Set environment variables: DEVROOT and LD_LIBRARY_PATH
Source the /opt/CA/eTrustAdminSDK/setetasdkenv.sh script (. ./setetasdkenv.sh)
sets these environment variables.
6. Add the Sun Studio bin directory to the PATH (for example: /opt/SUNWspro/bin)
7. Add Gnu make location, /usr/local/bin to the PATH (GNU make is installed in
this directory by default)
8. Change to the SDK directories under /opt/CA/eTrutAdminSDK/admin/samples
9. Run the following command line:
make –f makefile.unix
The generated libraries will be placed under
/opt/CA/eTrustAdminSDK/admin/lib
SPML
1) Execute setup.exe
Self
Service
1) Execute setup.jar
SelfServiceConfig
1) Execute setup.jar
IAM
Manager
1) Execute setup.jar
Advanced
Workflow
1) Execute “setup.jar –P ingresInstall.installCode=XX”
where XX could be something like EI, CP, or II depending on which Ingres instance
you plan to use as the underlying Ingres repository for Advanced Workflow.
Note: In some environments additional installation
steps are required which involve changes to the Ingres character set,
dumping/re-loading of all Ingres databases, and recycling of Ingres. If your
installation is aborted due to Ingres character set please read the section
titled Updating Advanced Workflow under the Manual Installation Instructions
section below.
ConnectorXpress
1) Execute setup.exe
Upgrading
from 8.1 GA & 8.1SP1 CR10
In the
instance where Ingres 2.6 is installed and databases need to be backed up
1) Run IAM CC backup installer using Setupwin32.exe
a. Select
the location of IAM CC backup installer.
b. Select the
DSA’s that need to be backed up.
c. When
prompted browse to the location of the knowledge files. (If required)
d. Select
the temporary databases that need to be added to destroy batch file.
e. If you
have databases that are not part of Admin Server, then installer will prompt
you with additional databases to be added to destroy batch file but these
databases cannot be backed up using IAM CC installer and would need to be
backed up manually.
f. Click on
Finish button.
g. Open
Command prompt and change directory to the IAM CC backup data location.
(By default "C:\Program Files\CA\eTrust Identity and Access
Management\BackupInstaller")
h. Confirm
that Data is backed up correctly by verifying the LDIF files.
2) Run the Admin Backup installer with the command line
BACKUP_DATABASES=0 (this will backup Admin Configurations without backing
up the databases )
Start /WAIT "eTrust Admin Backup Install" ~\etadm-backupdb-windows-8.1sp2-<CR_version number>\setup.exe /w /s /v"/L*v %TEMP%\etaservbck_nobckdb_inst.log
BACKUP_DATABASES=0"
3)
Once
confirmed, run batch file created by the IAM CC backup installer, using
command:
destroyDatabases.date.bat NOTPARTOFIAM
This need to be done
only if Admin is installed as a Stand alone product and not using IAM CC CD.
4)
Confirm
that databases have been removed by executing the following in a command
prompt:
dxlistdb
There should be no databases
listed.
5) Run the directory installer to upgrade Ingres and
eTrust Directory to the latest version. eTrust
Directory recommends installing the latest version of ETD (build 1115 as of
this writing).
6) Run the Admin Server upgrade, this will completely
remove the entire existing installation and re-install it with existing
passwords.
7) Run the restore
batch file created by the IAM CC Backup Installer using the command
reloadDatabases.date.bat NOTPARTOFIAM
** Make sure you are using the correct
etaindex.bat for the release. Etaindex.bat for 8.1sp2_<CR_version number> has been included in
etadm-repository-windows
package.
Place latest etaindex.bat file in
BackupInstaller folder “ ~\CA\eTrust
Identity and Access Management\BackupInstaller”
8) Run the Admin restore task using 8.1.2 GA Repository
Restore. Installer will detect that there are no databases to restore
and it will restore the eTrust Admin configurations to the previous settings.
~
\ETA812_IAM_20060721\NT\eTSRESWi\DISK1\setup.exe
9) If Oracle option is
installed, run Oracle Migration utility (“ORAmigrate8.1sp1.exe”) available from
“~\CA\eTrust Admin Backup\Backup\Utility\ORA”.
** To execute the
utility, follow the instructions available in the Readme file available from
“~\CA\eTrust Admin Backup\Backup\Utility\ORA\ORAmigrate8.1sp1.Readme.txt”
10) Restart the Provisioning services.
11) Log back into Admin using the original username and
password. It will contain all the original data.
PS: During upgrade
user is advised to run LND scripts post upgrade, this message can be safely
ignored.
Changes
to the Admin Manager
Logging Tab
Modification – Two fields on the logging tabs have been updated to more
accurately reflect their destination log files:
eTrust Log is now named Common Services
Text File is now named eTrust Admin
Updating
the eCS
To update
the eCS on Windows you only need to run the “CA Enterprise Common Services.exe”
located in the CR_Manual_Updates.zip under the ECS folder.
To update
the eCS on UNIX you need to extract the “ECS_8_2_UNIX_R.tar” located in the
CR_Manual_Updates.zip under the ECS folder and run the following command
“./eCSinstall.sh <installation path> <Caller ID> 0 1” such as
./eCSinstall.sh /opt/CA/SharedComponents/eTrustCommonServices/ “eTrust Admin” 0
1
After
upgrading eCS on UNIX, there may still be temporary files containing white
spaces in their name. These files are no longer used and can be removed by
executing eCSstop.sh and then executing eCSstart.sh from within the eTrust
Common Services “scripts” directory.
Admin
Server should be updated/installed prior to updating
ECS. The ECS bin folder must be specified in the “System Path Environment”
before installing Admin Server or the Admin Server services will fail to start.
Updating
Ingres on remote Admin Manager systems
If there is
no instance of Ingres on the target machine, eTrust Admin Manager installs by
default Ingres /Net r2.6 which can interoperate with Ingres DBMS r2.6 and/or
r3. If you want to use Ingres /Net r3 with eTrust Admin Manager, then you need
to install it before installing eTrust Admin Manager. Steps to install Ingres
/Net r3:
1) Unzip the Ingres r3 installation (file:
ingres-3.0.3.zip located in the CR_Manual_Updates.zip under the INGRESR3
folder).
2) Execute the script file silent_install.bat which installs
Ingres /Net r3 silently.
Note 1: The
Ingres /Net r3 parameters are defined in the response file IngresNet.rsp. By
default the target folder is “C:\Program Files\CA\Ingres [EI]”. If you want to
change the target folder, change all the occurrences of the above string in the
IngresNet.rsp to the actual target. It is recommended to keep “[EI]” in the
folder name, e.g. change to “D:\IngresNet [EI]”
Note 2:
Ingres /Net r3 installation will NOT update any previous Ingres /Net r2.6
instance. It creates a new Ingres /Net r3 instance instead. Therefore, you need
to update eTrust Admin data sources in order for the reporting to be
operational. Follow the steps:
1) Open a DOS screen
2) Execute successively QADELRPT.exe and QACRRPT.exe
3) Execute successively DELARCHDBRPT.exe and
CRARCHDBRPT.exe
Updating
the remote eTrust Directory Schema
1) Copy the updated *.dxc schema files located under the
SCHEMA folder in the Manual Update zip to the %DXHOME%\config\schema folder on
your eTrust Directory system.
2) Execute the command
"dxserver init all".
Updating
the Admin SDK
A memory
leak was found in the sample source code shipped with the sample files in the
original version of eTrust Admin 8.1 SP2. Corrections have been made to the
sample files that are included in the Manual Update zip file. If you have used
the SDK to create any Common DLL Program Exit based custom code, you should
review these changes and make appropriate adjustments to your custom code. In
order to prevent overwriting of any code changes that may have been made to
your sample source code on your eTrust Admin system, the CR installer did not
replace the samples on your system. If you are not yet using the samples for
your custom code, you can overwrite the old sample code with the new version.
By default,
the original SDK sample code was installed under
C:\Program
Files\CA\eTrust Admin SDK\eTrust\Admin\Samples\ProgramExits
Issue
#1:
The first
code change affects the following file:
\ExitXMLBlock.cpp
Set the static variable
g_pImplementation to Null when defined.
In the ExitXMLBlock
constructor, add a conditional check to only convert pzcValue and set
g_pImplentation if g_pImplentation is set to NULL.
In
the ~ExitXMLBlock destructor, delete m_pXmlBuilder.
In the Build_Return_XML method, add a conditional check for pDocument and delete it and set its value to NULL if needed.
In the SDK's
CASDKGUI.cpp, the RenameEntry() function contained
code that displayed the rename dialog and performed the object rename.
This code was used instead of the rename functionality in the common
code. The common code handles the rename operation properly, and should
be used whenever possible. To do this, the SDK function should be changed
to contain only one line of code:
return ETA_GUIEXIT_PASSTHRU;
This tells the common code that it should handle the dialog display and perform
the rename, and eliminates the rename problem.
See the new sample
code for more details.
Updating the ACF/RACF/TSS Option
The ACF, TSS, and
RAC options now support the creation and deletion of a TSO alias. Updated
DSI modules are required for this functionality. Re-run the DSI
installation to each system where DSI is installed to update these files.
The following are 2
new configuration options that can be added to your eTrust_ACF.conf,
eTrust_TSS.conf or eTrust_RAC.conf file to enable TSO Alias support.
CreateAlias relate
[catalog]
DeleteAlias
The relate parameter
is required and names the user catalog for which the alias is being
defined. The Catalog parameter is optional and will default to master
catalog.
The Alias value is
always the value of the ACF2, TSS, or RACF Account.
The configuration
options are defined on a per-directory basis; which means they should be
specified after each directory definition for which you want Alias
support.
As stated above, the
Alias definition will occur on add and modify requests for Accounts where:
1) The directory is
properly configured with the CreateAlias config option and
2) The Account is
being granted TSO access. For ACF2, this means the Account is given the
TSO Facility Access field (appears on the MVS – Priv. Pg2 tab). For TSS,
any attribute on the MVS – TSO tab except for Multiple UADS Passwords.
For RACF, any attribute on the TSO tab.
DeleteAlias takes no
parameters and will attempt a Delete Alias command for any Account being
deleted.
No error messages
are returned for defining or deleting an alias. If these are not
occurring successfully, turn on debugging in the eTrust Admin Provisioning
server and view the output statements that begin with ‘Response from Define
Alias’ and ‘Response from Delete Alias’. If the problem
cannot be determined from this output, contact CA support.
eTrust Admin runs with all
supported releases of CA-ACF2.
If you are running
CA-ACF2 9.0 SP02 or CA-ACF2 9.0 SP01 with z/OS 1.8 support added you will need
to initialize the new password phrase fields in the User Defined fields:
PWP-DATA 00/00/00
PWP-VIO 0
If these fields are
not initialized you will get an error when/if you Synchronize Accounts with
Policies. These fields have been added to CA-ACF2 in preparation for the new
Password Phase support.
Updating the
LDAP-SDK
The steps to map an
LDAP attribute to eTrust Admin's suspension state facility is similar to the
ones needed to extend the Generic LDAP Option. The only difference is the
addition of three parameters to specify the attribute name along with the
values to use for marking an object as active or suspended. If the attribute
being mapped is defined in an auxiliary object class, then the
AuxiliaryObjectClass keyword must be set to the name of this object class. The
following is an extension definition file for Novell's eDirectory LDAP
server. It is a complete functioning example.
##################################################
# Account Suspension
Facility: Novell eDirectory
#
# 1.1 EAO2 Object
Type
ObjectType: account
# 1.2 Auxiliary
Object Class Name
AuxiliaryObjectClass:
ndsLoginProperties
##################################################
# 1.3 Suspension
Attribute
SuspensionAttribute:
loginDisabled
SuspensionAccountActiveValue:
FALSE
SuspensionAccountDisabledValue:
TRUE
##################################################
#
2.
ATTRIBUTES
attribute:
loginDisabled
syntax:
dirString
guiControl:
none
Use the steps
described in the previous section to update the LDAP Option plug-ins.
Note that you will not need to update the parser table. If the attribute being
mapped is defined as an operational attribute, then the extension definition
file simply needs to omit the AuxiliaryObjectClass keyword. The following is a
complete functional example to map Sun ONE Directory's nsAccountLock attribute:
##################################################
# Account Suspension
Facility: Sun ONE Directory
#
# 1.1 EAO2 Object
Type
ObjectType: account
##################################################
# 1.3 Suspension
Attribute
SuspensionAttribute:
nsAccountLock
SuspensionAccountActiveValue:
false
SuspensionAccountDisabledValue:
true
##################################################
#
2.
ATTRIBUTES
attribute:
nsAccountLock
syntax:
dirString
guiControl:
none
Updating the LDAP
Option
A new environment
variable ETRADM_LDA_NDSADDSEARCHDELAY can be set to a decimal integer value
greater or equal to zero that specifies the number of seconds to sleep after an
unsuccessful create account operation and before the search request to see if
the object was actually created. The Superagent must be reset if the value is
changed.
Updating the ADS
Option
Existing
installations must be “migrated” by refreshing the ADS/E2K directories that
have already been acquired. To update the existing Administrative Repository,
you can run a simple script to get the new values for the Mailbox Server,
Mailbox Stores, and Home MTA for each ADS directory in their installation. The
script would be something like:
ldapsearch –h <HOST> –p
20389 –D <bind DN> -w <bind password> -b <directory base DN>
-s base “(objectClass=eTADSDirectory)” eTExploreUpdateEtrust
For example:
ldapsearch –h myhostserver –p
20389 –D “eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,
eTNamespaceName=CommonObjects,dc=MYDOMAIN,dc=eta” -w mypassword -b
“eTADSDirectoryName=MyADS,eTNamespaceName=ActiveDirectory,dc=MYDOMAIN,dc=eta”
-s base “(objectClass=eTADSDirectory)” eTExploreUpdateEtrust
Updating the
Exchange 2000 Option (Remote Agent)
You need to
uninstall the Remote Agent and then re-install the updated Remote Agent.
Servers previously defined in CAM/CAFT will need to be re-entered. You can view
the currently configured CAM/CAFT servers list by executing “cafthost –l”.
After the re-install of the Remote Agent you will need to re-configure the
CAM/CAFT servers list by adding each server using the “cafthost –a
<server>” command.
Updating the FND
Option
For performance
reasons, the attribute eTFNDResponsibilityList is only returned on base level
Account searches. If you require this value to be returned all of the time, set
the following environment variable: ETRADM_GET_FNDRESPONSIBILITYLIST = 1
The following
environment variable can be set to allow the eTLocked attribute to be handled
(eTLocked and eTSuspended will affect the same native suspension facility) by
ADD and MODIFY operations: ETRADM_FND_MAPLOCKTOSUSPEND = 1
Lotus Notes (LND) Option in a distributed environment
When installing
Lotus Notes option in an eTrust Admin distributed environment, the Superagent
Server and eTrust Manager are not hosted on the eTrust Provisioning Server
machine.
In this sort of
environment, some post installation procedures may need to be conducted on all
the machines hosting Superagent Server and eTrust Manager:
1) extract Setup.id from LND.cab (in eTrust Admin Server
installation package), copy Setup.id to %etahome%\data\ if it doesn’t exist
already.
2) add the Lotus Notes directory path (e.g. C:\Program
Files\lotus\notes) to the system PATH environment variable if it doesn’t exist
already.
Updating the Lotus
Notes Domino (LND) Option
1) The Lotus Notes 6.x client must
be in the system path.
2) Select either the LND5 or LND6
folder located in the Manual Update zip file.
3) Copy the ldagtcli.dll to the
%ETAHOME%\Bin folder.
4) Copy the DMOLNDConfig.exe and
ldagt.exe to the lotus\Notes folder.
The LND Option now
supports up to ten custom single-valued text attributes. In order to
manage LND custom attributes via eTrust Admin, you must create a text file
named “lndschema.ext” and place it in the %ETAHOME%\Data directory. This
file should contain each custom field name as it appears in the design of the
Domino Directory, each name on a separate line in the file. For more
information on adding custom attributes to the Domino Directory, see Domino
Administrator Help topic “Methods for extending the schema”.
The Superagent must
be recycled anytime the “lndschema.ext” file is updated otherwise modifications
to the attribute may fail with an error that the properties you want to update
are not yet implemented in modification.
A registry value is
now available to control whether the “Move Person’s Name in Hierarchy”
administration process request created during a Move In Hierarchy request will
be automatically completed and the “Initiate Rename in Domino Directory”
request then automatically created, or whether the original behavior will
remain, which is to require the Administrator to use the “Name Move Requests”
view of the Administration Requests database to manually complete the move.
The following string value can be set on a per directory basis. If
it is present, and if it is set to “yes”, the new behavior will be used.
Otherwise, the original (default) behavior will be used. The actual
name of the directory will replace <DIRECTORY NAME> below:
HKEY LOCAL MACHINE\SOFTWARE\ComputerAssociates\eTrust Admin\Lotus
Domino\<DIRECTORY NAME>\CompleteMoveInHier
After a Move In Hierarchy request is submitted via eTrust Admin, the ID
file attached to the Archive document does not yet contain the new name.
The move must first be completed by the Domino Administration Process in
order to update the ID on the user’s system (i.e. the user must log into their
Notes client to accept the new name). In order to update the ID in the
Archive database, the agents that have been provided for initially populating
the Archive database may also be used to update a renamed ID file. An
e-mail can be sent to a user who has been moved or renamed containing a button which
they should be instructed to click on after their ID file has been updated with
the new name. This button should activate the “Send ID to Archive DB”
agent which retrieves the ID file and sends it to the Archive database.
An agent in the Archive database, “Update ID File”, will then update the
Archive document for that user with the updated ID file. Complete details
on these agents can be found in the “Archive Database Data Collection” section
of the LND Option Guide.
A new agent
“(RenameWebUser)” exists in the Archive DB template. This agent handles the
creation of the “Initiate Web User Rename in Domino Directory” request in the
Adminp database when a web-only user is renamed. The agent should either be
copied to the user’s Archive database, or the design of the database should be
replaced using the new template in order to add the new agent. These web-only
users will not have any ID files, and only have Internet Passwords. They may be
renamed (common name change), but not moved or recertified, since they have no
ID file.
Introduced
a new Notes Environment variable to allow changing the filename of ID file send
in the Memo when changing the password. New environment variable in
Notes.ini: $Password_Change_FileName
yes -> the Filename will be identical to the
Archive 's Filename
no (or does not exist) -> the Filename
is "user.id"
The script etautil_addarchive.bat will add Archive documents (with ID
and password) for users into the Archive database, and will also update the
status of those accounts to “normal”. Each account for which an Archive
document is to be created must be listed in a separate text file used as input
to the script. The text file should contain the following information,
separated by commas, using one line per user:
Common Name,Organization,ID File Path,Password
For example:
lnd
user20,O=cai,C:\Program Files\lotus\notes\data\IDs\luser20.id,password
lnd
user21,O=cai,C:\Program Files\lotus\notes\data\IDs\luser21.id,password
lnd user22,O=cai,C:\Program
Files\lotus\notes\data\IDs\luser22.id,password
Note that only one organization or organizational unit can be processed
at a time, so all users in the input file must be in the same O or OU. In
addition, the ID files must actually exist in the location specified in the
input file.
There are several variables in the script which need to be edited prior
to running it. These are:
DOMAIN=<the eTrust Admin Domain Name>
USER=<the name of the administrative global user, e.g. etaadmin>
PWD=<the administrative user's password>
DIRECTORY=<the LND Directory name>
INFILE=<the full path to the file containing user ID/password info,
e.g. C:\input.txt>
ORG=<the full LND Organization or Organizational Unit name where all
the users in the input file are located, e.g. eTLNDOrganizationName=O:cai or
eTLNDOrganizationalUnitName=OU:ou1,eTLNDOrganizationName=O:cai>
Updating the UNIX
Option
The UNIX Option has
been modified to notify (i.e. no longer ignore) when a native Post-Exit fails.
A new parameter named “Report error” in the [POST-exit] section of the
ExitSetup.ini configuration file will be handled by the Unix Remote Agent. If
set to “No” (default), the return code of the Post-exit script will be ignored
as it does today. If set to “Yes”, the return code of the Post-exit script will
be caught and if different than 0, the Remote Agent will return a new error
code and an error message stating that the Post-Exit failed: “Main command
succeeded but Post-exit is ON ERROR.” The Unix ETC/
When changing the Account
Home Directory, the previous Home Directory can now be automatically moved to
the new one by setting "MoveExistingHomeDirectory" variable in Unix
Remote Agent Config file (`cat /etc/catngdmopath.tng `/scripts/Config):
MoveExistingHomeDirectory=yes
When setting the
"ETA_GLOBAL_GROUP" environment variable to 1, it is now possible to
create the same Group with the same GID across a list of Unix Servers. A new
"List of Servers" tab has been added to allow the selection of the
other servers where to create this Group. When deleting a Group, the Accounts
having this group GID as their primary group GID can now be automatically
updated to a "fallback" gid by setting the "fallback_gid"
variable in the Unix Remote Agent Config file (`cat /etc/catngdmopath.tng`/scripts/Config):
fallback_gid=60002
Admin
Server can now apply a centrally stored Group ID to all new Groups created
using the ETC connector. Set the OS environment variable ETA_CENTRAL_GROUP_ID=1
on the Admin server machine to enable this feature. This will display another
option when creating or modifying Unix user groups for
"Central Storage" to select the group ID. The initial value of this
central storage can be set in the Domain Configuration tab of the Admin
Manager. Under "Namespace/Unix ETC/Central Group ID:Next
GID".
Updating the NSK Option
CCI timeout can now
be configured via the environment variable ETRUST_TIMEOUT. The default value is
120 seconds.
Updating the Legacy Webi (EAOWebi)
1) You need to stop your servlet-engine
(e.g. Tomcat).
2) Backup your existing
EAOWebi.jar file making sure not to keep the .jar extension.
3) Copy updated EAOWebi.jar file
located under the EAOWebi folder in the Manual Update zip to your
servlet-engine machine.
4) Overlay the support folder
located under EAOWebi folder in the Manual Update zip to your servlet-engine
machine's webapps\EAOWebi folder.
5) Edit
EAOWebi.properties config file to include new parameters if desired. New
parameters are described further below.
6) Restart your servlet-engine.
You can now trigger
a change Self Auth Questions and Answer screen to appear before the change
expired password screen similar to how it can be configured to appear before
the Self-Auth Change Password screen. By default Change Self Auth Q&A
screen will not appear unless you set the following two parameters in
EAOWebi.properties file.
Change_Questions_On_Expired_Pwd=true
custom_attribute_to_store_QA_change_expired_pwd_boolean=eTCustomFieldxx (where
xx is a valid Custom Field)
After the first time
the Self Auth Questions are reset, the eTCustomFieldxx specified will be set to
the value 1 and future password expiration screens will not be first presented
with a Self Auth Change Question window.
Additionally, by
default existing Self Auth Questions and Answers will not be visible on the
Self Auth Change Questions screen. You cane make them visible by setting the
following parameter in the EAOWebi.properties file.
hide_qa_on_expired_pwd_reset_modify=false
You can now control
how many invalid self-auth q&a attempts will lead to suspension of the
global user. If the parameter is not set it will default to 3 attempts.
QA_failures_before_suspend=3
Updating the Legacy
workflow (EAOWF)
1) You need to stop your
servlet-engine (e.g. Tomcat).
2) Backup your existing EAOWF.jar
file making sure not to keep the .jar extension.
3) Copy the updated EAOWF.jar file
located under the EAOWF folder in the Manual Update zip to your servlet-engine
machine.
4) Restart your servlet-engine .
New EAOWF.propeties
parameters:
1) You can control if all task
should continue after one task fails by adding the parameter:
auto_fail_tasks_after_failure=false
Updating the
Reporting
Confirm that the registry
key on Remote Admin Managers is set properly (where mydomain is your Admin
Server Domain Name) under [HKLM]\SOFTWARE\ComputerAssociates\eTrust
Admin\Domains\mydomain
If you are using the
Choose Domain Tree feature will need to make sure the values are set properly
for each domain listed under [HKLM]\SOFTWARE\ComputerAssociates\eTrust
Admin\DomainTrees
eTDSASuffix =
dc=mydomain,dc=eta (confirm it is set with proper domain name)
eTDSADbSuffix =
dc=mydomain,dc=etadb (add this with proper domain name)
eTPasswordDB = HashedPassword (add this with value taken from the Admin Server registry)
Once the installation process has delivered the files, the reporting table for PKI must be created. At a command prompt, run the command:
>UpdIngRpt PKI
Updating the GINA
If GINA is already
installed you only need to replace the existing cube.exe on the system with the
updated cube.exe located in the CR_Manual Updates.zip file under the GINA
folder. If you have not installed GINA yet you can run the GINA installer. You
cannot use the GINA installer to upgrade an existing installation of GINA.
The GINA Option is now compatible with Identix BioLogon 4.1 and higher.
Previous versions of Identix BioLogon suppressed a WM_PAINT message that
was necessary for the GINA Option to work with it. This message is
available as of version 4.1. The dialogs.xml file on each system
requiring the GINA Option to link to the BioLogon GINA needs to contain the
following section relevant to the itgina. Note that the positioning and
text of each link is configurable. The values below are only suggestions.
<itgina.dll>
<ids>
<id>101</id>
</ids>
<dialogunits>
<link1>
<left>165</left>
<top>140</top>
<height>14</height>
<width>90</width>
</link1>
<link2>
<left>165</left>
<top>153</top>
<height>14</height>
<width>90</width>
</link2>
</dialogunits>
<colors>
<bg></bg>
</colors>
<formids>
<username>0</username>
</formids>
<strings>
<lang_1033>
<link1>Forgot password?</link1>
<link2>Account locked?</link2>
</lang_1033>
<lang_1034>
<link1>Forgot password?</link1>
<link2>Account locked?</link2>
</lang_1034>
<lang_2052>
<link1>Forgot password?</link1>
<link2>Account locked?</link2>
</lang_2052>
</strings>
</itgina.dll>
Updating the OS400 SOAP library
When the target system
is a V6R1 endpoint, the error “Server returned contenttype other than text/xml”
occurs when acquiring directory or changing password for a directory. In order
to fix this problem, you will need to re-deploy the AS4 webservice component on
the SOAP server, or manually copy the AS400.jar from CR_Manual_Updates to the
SOAP server machine. The location for AS400.jar is depending on which
webservice container you are using. If you are using JRUN, the file can be
found under %JRUN_HOME%\servers\lib)
Updating the OS400
PSYNC
Passwords changed
inside OS400 system and propagated to the rest of the Admin can be upper case.
This is due to the OS400's case insensitive nature. Depending on your OS400
configuration passwords may be case sensitive. This fix allows you to specify
either to-lower or to-upper as the desired behaviour for passwords being
synched back to the associated Admin Global user. This agent build is for V5R2
and later.
This fix adds a new
configuration parameter "pwd_case_action" which can be set to
"pwd_to_uppercase" or "pwd_to_lowercase". In addition there
is also "pwd_case_unchanged" which is the default value.
The default behavior
should be followed when: not specifying a value for
"pwd_case_action"; specifying an invalid value for "pwd_case_action";
or not specifying "pwd_case_action" at all. The default behavior will
be the same as the existing behavior. This means any sites using the 0S400
password synch agent should be able to update with no change in behavior.
Updating OS400
Reporting
The fix in CR17 addresses a problem where the names of OS400 directories
were truncated to 10 characters in reports.
This fix changes the size of directory name field in the os400 table of
the reporting database from 10 characters to 50 characters. If you want to make use of the longer
directory names in your reports you will have to recreate the table QA2ACCAS4
with the new size. The recommended
procedure involves destroying and recreating the entire reporting database. Please ensure you backup any data you wish to
keep before commencing the update procedure.
··
This procedure will first
destroy the current reporting database, and then create a new one, using the
new “ingrpt.sql” script file updated by this fix. This file is in “%DXHOME%\Reporting\Config”.
··
Open a command prompt.
··
CD to the CA_APPSW folder,
generally located at one of the following locations:
o C:\Program
Files\CA\SharedComponents\CA_APPSW
o C:\CA_APPSW
··
Run the command:
QADELRPT.exe
o Note: this must be issued
by the ID who owns the database.
··
After that command
finishes, run QACRRPT.exe
o Note: this must be issued
by the ID who owns the database.
The updated reporting database will need to be reloaded before reports
can be viewed.
Updating the Remote VMS Agent
Follow the
instructions under the VMS folder in the Manual Update zip file.
Identity Manager Integration
The attribute
eTIMDynamicQuery was marked NotSearchable in eTrust Admin r8.1 SP2. This
marking is removed, to allow integration with Identity Manager r8.1 SP1.
Upgrade impact: If
you are upgrading an existing eTrust Admin r8.1 SP2 database to a later
version, the index for eTIMDynamicQuery needs to be added. This is done by
running the etaindex script (etaindex.bat or etaindex.sh). If the index is not
added, the database etrusadmin will fail to start.
If you upgrade from
an existing eTrust Admin r8.1 SP1 (or earlier) database, no special action is
required.
Updating Advanced Workflow
Starting in CR13
eTrust Admin includes a new version of the Workflow engine. This version
includes irreversible schema changes that are performed during the
update. Insure that the database is fully backed up and recoverable before
proceeding with the Advanced Workflow update.
To assist in achieving best results with Advanced Workflow, please consult the document CA Workflow Best Practices. This document explains the means to achieve optimum results with the products.
In some environments
additional installation steps are required Advanced Workflow requires that the
Ingres character set be configured to WIN1252. By default, the Ingres installed
with eTrust Directory is installed with the Ingres character set of IBMPC850.
You can check the II_CHARSETxx value (where xx is the Ingres installation code)
by running the command “ingprenv”. You can change the II_CHARSETxx value by
running the command “ingsetenv II_CHARSETxx WIN1252” where xx is the Ingres
installation code (i.e. EI).
Changes will not
take affect until Ingres is restarted. Also, when changing the Ingres character
set you should dump out all of your Ingres databases, destroy the databases,
re-create the databases after Ingres is restarted, and then re-load the dumped
data. The following commands can be used for those operations:
To create a database
you can use the Ingres command “createdb <dbname>”.
To destroy a
database you can use the Ingres command “destroydb <dbname>”.
To dump/load a
database you can use the Ingres command “copydb <dbname>” to create the
dump and load sql scripts:
To dump use the command “sql <dbname> < copy.out”
To load use the command “sql <dbname> < copy.in”
Note: You will need
to re-index any databases used by eTrust Directory after destroying and
re-creating them.
You can test the
JDBC connectivity to the Advanced Workflow database to confirm it is working
before running the Advanced Workflow installer by executing the following
command (replace host with the proper hostname):
java –classpath
“%II_SYSTEM%/ingres/lib/iijdbc.jar”;”%II_SYSTEM%/ingres/lib” JdbcInfo
“jdbc:ingres://HOST:EI7/workflow;autocommit_mode=multi;cursor_mode=readonly”
Steps to upgrade Advanced WorkFlow
for IAM CC Users
1. Dump the Database
Copydb <dbname>
This shall create two files copy.in and copy.out
sql <dbname> < copy.out
2. Destroy the Database
after dumping the Database
Destroydb
<dbname>
3. Modify the Character
Set
ingsetenv II_CHARSETxx WIN1252
4. Verify that it has
been set as expected using following command
Ingprenv
Expected Output: II_CHARSET**=WIN1252
5. Create DB
createdb –i <dbname>
6. Load DB
Sql <dbname> < copy.in
7. Restart Ingres.
8. Verify JDBC connectivity using following command.
java –classpath
“%II_SYSTEM%/ingres[EI]/lib/iijdbc.jar”;”%II_SYSTEM%/ingres/lib” JdbcInfo
“jdbc:ingres://HOST:EI7/workflow;autocommit_mode=multi;cursor_mode=readonly”
9. Upgrade Advanced
Workflow.
Large process
instance data blobs can create major data storage issues for the containing
database. This version of CA Workflow resolves this problem. To address
migration concerns, the newly optimized behavior must be selected by turning
server parameter UseSnapshots to true. This is the recommended setting
for nearly all customers. UseSnapshots is a server parameter that is set
to either true or false on the Server tab in the Workflow Design Environment
(IDE).
Provisioning
Repository Performance Tuning for Dynamic Namespace Option
We recommend the
provisioning repository performance tuning be done using the eTrust Directory
dxtunedb command immediately after a large number of objects are added to the
repository. With the introduction of the Dynamic Namespace option, the
following three Ingres commands need to be executed following each dxtunedb
command:
optimizedb –zr499 –zu240 <database name> -rsubsearch –acid
optimizedb –zr499 –zu240 <database name> -rdit –aparent –ardnkey –aeid
sql <database name> > set trace point RD010 \g
Updating Unifeed
The Unifeed option
must be updated manually. Copy the files from the Manual Update zip to
the installed path and recycle Web application server.
Updating CA (eTrust)
Directory
eTrust Admin 8.1 SP2 does not support CA (eTrust) Directory r12. Do not
upgrade the Directory to r12.
Deploying
the JCS SDK Connector
The following are the correct
steps for deploying Java Connector Server (JCS) SDK Connector (which is a
static connector).
1.
Install CA Admin 8.1 SP2 CR# (CR11 or later)
2.
Install Admin 8.1 SP2 SDK and compile and then deploy
it as per eTrust Admin SDK Developer's Guide, Chapter 3. Note: At this point
ensure that you are be able to acquire and explore Admin's SDK Directory
through Admin Manager.
3.
Install Sun J2SE Development Kit 5.0 Update 11
(1.5.0_11). This is required by the latest JCS CR. Set the variable JAVA_HOME
to the J2SDK installed location.
4.
Install Apache Ant 1.6.5 and add it to the System
Environment variable path
5.
Install Java Connector Server (JCS) 8.1 SP2 CR#
6.
Install Java Connector Server (JCS) SDK 8.1 SP2 CR#
and compile it using the command "ant dist"
7.
Copy the file
<jcs_sdk>\build\dist\lib\jcs-connector-sdk.jar to directory C:\Program
Files\CA\Identity Manager\Connector Server\lib
8.
Restart the JCS service.
9.
Install Connector Express 8.1 SP2 CR#
10. Run/launch Identity Manager
(Java) Connector Xpress and add/register with a Provisioning Server.
11. To specify the Java Connector
Server to manage SDK Namespace, navigate to
<hostname>\<Domainname>\Namespaces\SDK
Namespace. Right click on the "SDK Namespace" and select "Set
Managing CS...". Then select "JCS_<hostname>_xxxx" item
(the Use the default CS for Provisioning Server option should be unchecked) and
click ok.
Note: Now the Java Connector Server will service the SDK Namespace.
JCS SDK Connector is a static
connector. For a JCS static connector, the developer must create/develop the
corresponding C++ GUI Plugin components.
The requirement of step 2 in the instruction above is to provide the following:
·
To
create/develop a C++ GUI Plug-in for the namespace
·
To
create/develop a Parser Table for the namespace
·
To
create/develop a xxxPOP.EXE for the namespace
·
To
Generate schema
files, eTrust_xxx.schema and eTrust_xxx.dxc for the
namespace.
Thus, a developer must
create/provide a C++ GUI Plaug-in when developing a jcs custom connector based
on the Java SDK connector.
For Java Dynamic Connector it is not required for the developer to create the
corresponding C++ GUI Plug-in. It will use the existing Dyn Namespace's GUI
Plug-in.
The Connector Xpress is used to create dynamic namespaces based on the JNDI or
JDBC datasource. For these two types of data source, the jcs-connector-jndi.jar
and jcs-connector-jdbc.jar are already provided as part of JCS installation.
Note that for JCS 8.1 SP2 it is not possible create custom (you own) DYN
Namespaces. For further details please see JCS Implemetation Guide, JCS
Programming Guide and Connector Xpress help.
For dynamic connector, there is no .jar file generate by Connector Xpress or
and it is required to be developed/provided by the developer.
Please see the Connector Xpress online help from creating a new Namespace
(Dynamic Connector) to Deploying Metadata and then to the Explore/Correlate
Endpoint System as show in the diagram in the Connector Xpress online help in
section "Connector Xpress Process Flow".
Certifications
Note regarding connector functionality: Supported connector functionality at the time of the 8.1SP2 release remains stable. Extensions to the connectors, to support new functionality within versions of target systems released after this time must be raised as Corporate Escalations.
Problem 1288 – CR1 -
CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 942
Problem 1289 – CR2 -
CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 983
Problem 1286 – CR3 -
CERT: CERTIFIED eTrust Admin Server WITH WINDOWS 2003 SERVER R2
Problem 1287 – CR3 -
CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 1000
Problem 1279 – CR3 -
CERT: CERTIFIED NSK WITH GUARDIAN H06.06
Problem 1277 – CR3 -
CERT: CERTIFIED RSA WITH SECUREID V6.1 WINDOWS
Problem 1325 – CR5 -
CERT: CERTIFIED SAP Option WITH SAP ECC 6.0
Problem 1394 – CR5 -
CERT: CERTIFIED IE7
Problem 1345 – CR6 -
CERT: CERTIFIED MS SQL Server Option WITH Microsoft SQL Server 2005
Problem 1346 – CR6 -
CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 1026
Problem 1347 – CR6 -
CERT: CERTIFIED WITH eCS r8.2.7
Problem 1393 – CR7 -
CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 1072
Problem 1421 – CR8 -
CERT: CERTIFIED MS SQL Server Option WITH Microsoft SQL Server 2005 SP1
Problem 1423 – CR8 -
CERT: CERTIFIED VMware ESX 3.0 as managed UNIX endpoint
Problem 1441 – CR9 -
CERT: CERTIFIED WITH ECS r8.2.9
Problem 1442 – CR9 -
CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 1115
Problem 1443 – CR9 -
CERT: CERTIFIED MANAGING SIEBEL CRM
V8.0
Problem 1460 – CR10
- CERT: CERTIFIED MANAGE MS
EXCHANGE 2007
Problem 1461 – CR10
- CERT: CERTIFIED MANAGER WINDOWS 64BIT ADS
Problem 1462 – CR10
- CERT: CERTIFIED 8.1 SP2 CR10 ADMIN SERVER ON WINDOWS 2003 SP2
Problem 1463 – CR10 -
CERT: CERTIFIED ADMIN MANAGER ON MS VISTA
Problem 1464 – CR10
- CERT: CERTIFIED MANAGE WINDOWS
Problem 1465 – CR10
- CERT: CERTIFIED
Problem 1485 – CR10
- CERT: CERTIFIED 8.1 SP2 CR10 ADMIN SERVER WITH DIRECTORY 8.1 BLD 1115
Problem 1486 – CR10 - CERT: CERTIFIED 8.1 SP2 CR10 ADVWF BUILT WITH CA WORKFLOW 1.0.19.28
Problem 1537 – CR11 - CERT: 8.1 SP2 CR11 ADMIN SERVER WITH DIRECTORY 8.1 BLD 1158
Problem 1538 – CR11 - CERT: 8.1 SP2 CR10 ADVWF BUILT WITH CA WORKFLOW 1.0.19.43
Problem 1539 – CR11 - CERT: MANAGE MS SQL 2005 SP2
Problem 1540 – CR11 - CERT: MANAGE NOVELL SUSE LINUX 10.1
Problem 1541 – CR11 - CERT: MANAGE MYSAP ERP 2005
Problem 1571 – CR12
- CERT: SUSE LINUX 10.1 FOR Z/OS
Problem 1572 – CR12
- CERT: SSO 8.1 (GAP)
Problem 1573 – CR12 - CERT: ADVANCED WORKFLOW 8.1 (CAWF V50)
Problem 1574 – CR12 - CERT: ADMIN 8.1 SP1 CR10 WITH ETD 8.1 B1115
Problem 1616 - CR14 - CERT: XPRESS CONNECTOR MYSQL DB
Problem 1620 - CR14
- CERT: CERTIFIED FND OPTION WITH ORACLE FINANCIALS r12
Problem 1660 - CR14
– CERT: CERTIFIED UNIX OPTION WITH HP-UX V11IV3
Problem 1621 - CR14 - CERT: ADVANCED WORKFLOW WITH MSSQL
Problem 1661 – CR15
– CERT: REPORTING ON DYN USER ACCOUNTS
Problem 1662 – CR15
– CERT: CERTIFIED UNIX OPTION WITH AIX 6.1
Problem 1641 – CR16
- CERT: CERTIFIED LND OPTION WITH LOTUS NOTES DOMINO 8.0
Problem 1642 – CR16
- CERT: CERTIFIED UNIX OPTION WITH REDHAT 5.1
Problem 1680 – CR17 – CERT: CERTIFIED
MANAGE ACCESS CONTROL 8.0 SP1
Problem 1686 – CR17 – CERT: CERTIFIED
ADMIN MANAGER ON MS VISTA SP1
Problem 1687 – CR17 – CERT: CERTIFIED
MANAGE WINDOWS
Problem 1695 – CR18 - CERT:
SUPPORT-AD2008-PROVISIONING
Problem 1737 – CR20 - CERT: ADMIN SERVER
AND OTHER COMPONENTS ON VMWARE ESX 3.5
Problem 1749 – CR21 – CERT: OS400 –
CERTIFIED AS400 CONNECTOR FUNCTIONALITY WITH OS400 VERSION 6 REV1
Problem 1750 – CR21 – CERT: CERTIFIED
ADMIN MANAGER WITH MICROSOFT VISTA.
Problem 1749 – CR22 – CERT: OS400 –
CERTIFIED AS400 PASSWORD SYNC AGENT WITH OS400 VERSION 6 REV1
Problem 1769 – CR22 – CERT: CERTIFIED
INGRES PATCH 12834
Problem 1771 - CR22 - CERT: EXCHANGE 2007 LINKED AND SHARED
MAILBOXES
Problem 1780 – CR23 – CERT: CA DIRECTORY
8.1 BUILD 1278
Problem 1813 – CR26 – CERT: CERTIFIED
PASSWORD SYNC AGENT WITH ADS2008
INSTALL
Problem 1363 – CR7 -
INSTALL: UNIX SERVER DUPLICATE DC
Problem 1377 – CR7 -
INSTALL: FAILBACK TO LOCALHOST DURING INSTALL
Problem 1381 – CR7 -
INSTALL: MDAC
Problem 1424 – CR9 -
INSTALL: ADMIN MANAGER SILENT INSTALLER FAILS
Problem 1466 – CR10
- INSTALL: REMOTE MANAGER NOW INSTALLS INGRES R3
Problem 1467 – CR10
- INSTALL: CORRECT PROBLEM INSTALLING OVER ECS 8.2.9
Problem 1469 – CR10
- INSTALL: REPOSITORY
UPGRADE-STOP OVERWRITING ORIGINAL FILES
Problem 1501 – CR10 - INSTALL: UPGRADE FROM 811+CR7 OR HIGHER FAILS
Problem 1542 – CR11 - INSTALL: ECS 8.2.9 UNINST ERROR
Problem 1543 – CR11 - INSTALL: ADMIN MANAGER UPGRADE ERROR
Problem 1544 – CR11 - INSTALL: ALLOW ADMIN SERVER INSTALL ON PSYNC MACHINE
Problem 1545 – CR11 - INSTALL: ALLOW EXCHANGE REMOTE AGENT TO BE UPGRADED
Problem 1569 - CR12 - INSTALL: SystemPATHLength
Problem 1632 - CR15
- INSTALL: BIN FOLDER MISSING
Problem 1643 – CR16
- INSTALL: ADDED CONFIG FILES TO MANUAL UPDATES
Problem 1683 – CR17
- INSTALL: CHECKDSADB FAILING
Problem 1683 – CR17
- INSTALL: SP2CR16 SLAPD NOT STARTING
CORE Server
Problem 1159 - CR1 -
CORE: ROLE NAME LIMITED TO 50 CHARS
Problem 1182 - CR1 -
CORE: INVALID FORMATTING SYNTAX
Problem 1187 - CR1 -
CORE: PROG EXIT FAILURE SETS WRONG ERROR CODE
Problem 1190 - CR1 -
CORE: IMPLEMENTED REDUCED-MEMORY USAGE EXPLORE OPTION
Problem 1199 - CR1 -
CORE: MEMBER OF LIST NOT RESET
Problem 1229 – CR2 -
CORE: ETIMDYNAMICQUERY INDEXED
Problem 1252 – CR3 -
CORE: INCREASE GLOBAL USER FIRST NAME MAX LENGTH TO 50
Problem 1264 – CR3 -
CORE: MULTI-DOMAIN DELETE INCLUSION FAILS
Problem 1290 – CR4 -
CORE: INCREASE ROLENAME TO 255 CHARACTERS
Problem 1291 – CR4 -
CORE: SYNC TRUNCATES LEADING ZEROS
Problem 1292 – CR4 -
CORE: eTExcludeAccountDN NOT CASE INSENSITIVE
Problem 1293 – CR4 -
CORE: RETURN PROPER JAPANESE ERROR MESSAGE
Problem 1313 – CR5 -
CORE: INCORRECT STRING FORMATTING
Problem 1318 – CR5 -
CORE: CORRECT BUFFER OVERWRITE IF ATTR VALUE > 16384 CHARS
Problem 1336 – CR6 -
CORE: SOAP PROGRAM EXIT INVOCATION FAILED
Problem 1373 – CR11 - CORE: ADDING NEW DOMAIN
Problem 1382 – CR7 -
CORE: ADD GU UC NAME CORRUPTION
Problem 1383 – CR7 -
CORE: GU&ACC WHEN
GUNAME UC
Problem 1384 – CR7 -
CORE: ETSELFCHANGE
Problem 1385 – CR7 -
CORE: POLICY RENAME
Problem 1386 – CR7 -
CORE: SA HANG DIR DELETE
Problem 1392 – CR7 -
CORE: POLICYNAME RULE
CHECKED
Problem 1407 – CR8 -
CORE: SOAP PROGRAM EXIT
INVOKE FAILS
Problem 1408 – CR8 -
CORE: LOGGING LABELS
CLARIFIED
Problem 1409 – CR8 -
CORE: NO OPERATION DETAILS
Problem 1416 – CR11 - CORE: POLICY USER DEFINED FIELD
Problem 1439 – CR9 –
CORE: ADMIN PROFILES
FILTERING
Problem 1440 – CR9 –
CORE: LOGGING NOT
INITIALIZED
Problem 1449 – CR10
– CORE: .NET SOAP EXIT
INVOCATION FAILS
Problem 1471 – CR10
– CORE: CORRELATION ATTRIBUTE CHANGES
Problem 1472 – CR10
– CORE: LOG DLL LOAD
FAILURES
Problem 1473 – CR10
– CORE: CORRECT LOGGING
MESSAGES
Problem 1474 – CR10
– CORE: CHECK PASSWORD
PROFILE IGNORING PSYNC ENABLED FLAG
Problem 1475 – CR10
– CORE: REMOVE GU FROM
ADMPROFILE STOPS SLAPD
Problem 1487 – CR10
– CORE: SEARCH FILTERS
SOMETIMES IGNORED
Problem 1488 – CR10
– CORE: LOW MEMORY EXPLORE
CORRECTIONS
Problem 1499 – CR10
– CORE: ADMIN MANAGER
CRASHED
Problem 1500 – CR10
– CORE: REMEMBER PENDING CHANGES
BETWEEN TABS
Problem 1502 – CR10
– CORE: ACCOUNTS NOT
SUPPORTED IN NAMESPACE
Problem 1514 – CR11 - CORE: UNKNOWN OPER DETAILS
Problem 1520 – CR11 - CORE: EXCEPTION VIOLATION
Problem 1521 – CR11 - CORE: DR WATSON ON ETAUTIL -O
Problem 1522 – CR11 - CORE: INCREASE ETHOMESERVEREXC MAX LENGTH
Problem 1523 – CR11 - CORE: TLS PORT NOT CHECKED
Problem 1613 - CR14 - CORE: EMAIL DISSAPPEARS
Problem 1611 - CR14 - CORE: ETA_E_1247, DATES
Problem 1625 - CR15 - GUI: DEPRECATED ATTRS SHOWN
Problem 1622 - CR15
- CORE: LOG WHICH ETACONFIG.DLL HAS BEEN USED
Problem 1636 – CR16
- CORE:DON'T CHANGE SUSPEND DATE ON RE-SUSPEND
Problem 1644 – CR16
- CORE: EXTEND CUSTOM GLOBAL USER ATTRIBUTES TO 700
Problem 1664 – CR17
– CORE: GLOBAL USER'S GUI:FULLNAME TRAILING WHITESPC
Problem 1691 – CR18
- CORE: USER SYNC ADD MULTIPLE POLICIES ATTRIBUTES NOT CORRECT
Problem 1704 – CR19
- CORE: DPATH VALUE, SERVICES FAIL
Problem 1705 – CR19
- CORE: ETSUSPENDED BEHAVIOR
Problem 1718 – CR20
- CORE: LOG EXCEPTION SETTING LEVEL IN LOGS
Problem 1738 – CR21
- CORE: SOAP COM EXIT, EMPTY INPUT
Problem 1741 – CR21
- CORE: WIDE INDEXES NEEDED
Problem 1751 – CR22
- SA: LOG UNBIND REQUEST STATUS
Problem 1761 – CR22
- CORE:CRASH WITH NO ETID VALUE
Problem 1764 – CR22
- CORE: GU MISSING PASSWORD
Problem 1774 – CR23
– CORE:ERRORS FOR SEARCHES AT STARTUP
Problem 1776 – CR23
– CCS: SUPERAGENT CRASH
Problem 1777 – CR23
– SLOW AND FAILING LDAP SEARCHES
Problem 1817 – CR25
– GUI: REMOTE PROV. MGR NOT LISTING ANY CONNECTOR TYPES
Problem 1818 – CR25
– GUI: ADMIN MANAGER DOES NOT USE THE DEFAULT FAILOVER SERVER
Problem 1803 – CR26
– SLAPD CPU USAGE TOO HIGH
Problem 1804 – CR26
– GUI: ADMIN MANAGER HANG ON VISTA
SDK
Problem 1387 – CR7 -
SDK: PWD MASKED IN POLICY
Problem 1689 – CR18
- SDK: RENAME ADS ACCOUNT PROBLEM
Problem 1747 – CR22
– CSDK: PROGRAM EXIT FOR SOLARIS
Reporting
Problem 1157 - CR1 -
RPT: REMOTE MANAGER INVALID CREDENTIALS GUEXTRACT
Problem 1208 – CR2 -
RPT: JAPANESE MB CHARS FOR ACCOUNT OR FULL NAME ARE GARBLED
Problem 1252 – CR3 -
RPT: INCREASE GLOBAL USER FIRST NAME MAX LENGTH TO 50
Problem 1261 – CR3 -
RPT: NO ROLE EDITED IN REPORT WHEN MULTI ROLES
Problem 1271 – CR4 -
RPT: FAILING E_CO0040 COPY: UNEXPECTED END OF USER DATA
Problem 1290 – CR4 -
RPT: INCREASE ROLENAME TO 255 CHARACTERS
Problem 1420 – CR4 - RPT: GUEXTRACT CONNECTION ERROR: LDAP_SIMPLE_BIND()
Problem 1524 – CR11 - RPT: EMPTY REPORTS
Problem 1525 – CR11
- RPT: UNABLE TO LOAD DLL
Problem 1789 – CR25
– RPT: SELF AUTH QUESTION & ANSWER BLANK IN REPORTS
GINA
Problem 1321 – CR6 -
GINA: CUBE KEYSTROKE PROBLEM
Problem 1348 – CR6 -
GINA: SECURITY VULNERABILITY
Problem 1398 – CR8 -
GINA: REDIRECT HTTP 404 PAGES
Problem 1470 – CR10 - GINA: ADD SUPPORT FOR IDENTIX BIOLOGON 4.1
Problem 1627 - CR15
- GINA: ISN'T AVAILABLE FOR JAPANESE
Problem 1690 – CR18
- GINA: CUBE BOTTOM RIGHT CORNER
Problem 1792 – CR25
– GINA: CUBE NOT BLOCKING CTRL-P
Problem 1801 – CR26
– GINA VULNERABILITY THRU CERTIFICATE EXPORT WIZARD
PSYNC
Problem 1335 – CR6 -
PSYNC: CONFIG WIZARD FAILS IF DOMAIN IS DC=ETA
Problem 1469 – CR10
- PSYNC: ADD DATE TO LOG
TIMESTAMPS
Problem 1584 – CR21
- PSYNC: PASSWORD SYNC AGENT ON WINDOWS X64
Problem 1810 – CR26
– PSYNC: TIMEOUT SETTING INEFFECTIVE IF ETA SERVER NOT RESPOND
DSI
Problem 1418 – CR8 -
DSI: DEFINE AND DELETE A TSO ALIAS
Problem 1645 – CR16
- DSI: CANNOT USE Z/OS OPTIONS WITH DSI R12 SERVER
ACF2 Option
Problem 1162 - CR1 -
ACF: ACQUIRE WITH SEMICOLON, SLAPD FAILS TO START
Problem 1198 - CR1 -
ACF: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES
Problem 1212 – CR2 -
ACF: ACQUIRE WITH PLUS SIGN, SLAPD FAILS TO START
Problem 1220 – CR2 -
ACF: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY
Problem 1282 – CR5 -
ACF: INVALID CONN INFO ACCESS
Problem 1417 – CR8 -
ACF: MULTI POLICIES PRIVILEGES
Problem 1416 – CR9 -
ACF: POLICY USER DEFINED FIELD
Problem 1435 – CR9 -
ACF: SEC AUTHID FILL UP
Problem 1436 – CR9 -
ACF: SEC AUTHID SEARCH
Problem 1437 – CR9 -
ACF: SEC AUTHID SEARCH WITH *
Problem 1438 – CR9 - ACF: STATUS OUT-OF-SYNC ATTRIBUTE
Problem 1416 – CR11 - ACF: POLICY USER DEFINED FIELD
Problem 1557 – CR12
- ACF: SEC AUTHIDS SEARCH
Problem 1709 – CR19
- ACF: RE-ESTABLISH DSI CONNECTION
Problem 1758 – CR22
– ACF2: NOT RETRIEVING USER ID ATTRIBUTE WHEN IN
Problem 1793 – CR25
– ACF2: R12 NEW ATTRIBUTES
RACF Option
Problem 1162 - CR1 -
RACF: ACQUIRE WITH SEMICOLON, SLAPD FAILS TO START
Problem 1172 - CR1 -
RACF: CRASH
Problem 1188 - CR1 -
RACF: UNABLE TO ADD EXISTING UNEXPLORED USER OR GROUP
Problem 1213 – CR2 -
RACF: ACQUIRE WITH PLUS SIGN, SLAPD FAILS TO START
Problem 1216 – CR2 -
RACF: POLICY LIMITS USERID TO 8 CHARS
Problem 1217 – CR2 -
RACF: INSTALLATION DATA TRUNCATED
Problem 1219 – CR2 -
RACF: BUFFER OVERFLOW
Problem 1294 – CR5 -
RACF: RE-EXPLORE CAUSES GROUP DELETE AND RE-ADD
Problem 1329 – CR5 -
RACF: ADD SUPPORT FOR TSO ALIAS
Problem 1351 – CR6 -
RACF: ACCOUNT NAME TRUNCATED
Problem 1352 – CR6 -
RACF: DFLT GROUP 7 NOT 8
Problem 1353 – CR6 -
RACF: INSTALLATION DATA ERROR
Problem 1354 – CR6 -
RACF: PASSWORD INTERVAL
Problem 1410 – CR8 -
RACF: NOT POPULATING WORKATTR
Problem 1438 – CR9 - RACF: STATUS OUT-OF-SYNC ATTRIBUTE
Problem 1566 - CR12 - RACF: SP CHARS NOT ACCEPTED
Problem 1567 - CR12 - RACF: REVOKE DATE RESUME DATE
Problem 1580 - CR14 - RACF: GUI SEARCH LIMIT IMPACT
Problem 1631 - CR15
- RACF: EXPLORE ACCOUNTS FAIL
Problem 1659 – CR17
- RACF: INSTDATA LOST BLANKS
Problem 1708 – CR19
- RACF: RE-ESTABLISH TERMINATED CONNECTION
Problem 1729 – CR20
- RACF: AUTO-MIGRATING MESSAGE
Problem 1759 – CR22
– RACF:PASSPHASE ATTR CAUSES SLAPD ASSERT/SHUTDOWN
Problem 1767 – CR23
– RACF:EXPLORE FAIL, NO ICH31005I MESSAGE
TSS Option
Problem 1162 - CR1 -
TSS: ACQUIRE WITH SEMICOLON, SLAPD FAILS TO START
Problem 1214 – CR2 -
TSS: ACQUIRE WITH PLUS SIGN, SLAPD FAILS TO START
Problem 1295 – CR4 -
TSS: HANDLE TSS TYPE=GROUP IN POLICY
Problem 1330 – CR5 -
TSS: ADD SUPPORT FOR TSO ALIAS
Problem 1417 – CR8 -
TSS: MULTI POLICIES PRIVILEGES
Problem 1416 – CR9 -
TSS: POLICY USER DEFINED FIELD
Problem 1438 – CR9 -
TSS: STATUS OUT-OF-SYNC ATTRIBUTE
Problem 1673 – CR18
– TSS: RECONNECT AFTER DISCONNECT
Access Control Option
Problem 1232 – CR2 -
ACC: FAIL TO CREATE GROUPS
Problem 1248 – CR2 -
ACC: PARAMETER IS INCORRECT ERROR MESSAGE
Problem 1296 – CR4 -
ACC: UNIX-FLAG-IN-ACC-OPTION
Problem 1476 - CR10
- ACC: MAKE ETACCDIRECTORYNAME REQUIRED
Problem 1640 – CR16
- ACC: SUPERAGENT CRASHES WHEN MULTPLE EXPLORES WITH TIMEOUT
Problem 1680 – CR17
- ACC: CERTIFIED FOR EAC 8.0 SP1
Problem 1757 – CR23
– ACC: SA FREEZE UNDER LOAD
Problem 1786 – CR24
– ACC: MULTI-THREADED CONNECTOR (WINDOWS)
ADS/E2K Option
Problem 1075 - CR1 -
ADS: PERFORMANCE
Problem 1147 - CR1 -
ADS: ADS:POLICY'S HOME FOLDER 'TO' FIELD WON'T ACCEPT RULESTRINGS
Problem 1154 - CR1 -
ADS: DUPLICATING GROUP COULD TERMINATE GUI
Problem 1158 - CR1 -
ADS: REMOVE DEFAULT VALUE FOR COUNTRY IN POLICY
Problem 1163 - CR1 -
ADS: ACQUIRE FAILS BECAUSE OF LEGACYEXCHANGEDN
Problem 1165 - CR1 -
ADS: EMAIL ADDRESS NOT MANAGED VIA POLICIES
Problem 1185 - CR1 -
ADS: MOVING AD ORG UNIT
Problem 1191 - CR1 -
ADS: ADD SUPPORT FOR "MANAGER CAN UPDATE MAMBERSHIP LIST"
Problem 1192 - CR1 -
ADS: KEEP EMPTY VALUED ATTRIBUTE IN PAYLOAD
Problem 1198 - CR1 -
ADS: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES
Problem 1205 - CR1 -
ADS: ADD 2K MBRS TO GRP FAILS
Problem 1206 - CR1 -
ADS: EMPTY MAILBOX RIGHTS RETURNED OPERATIONS ERROR
Problem 1220 – CR2 -
ADS: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY
Problem 1324 – CR5 -
ADS: SESSION DETAILS SYNTAX
Problem 1326 – CR5 -
ADS: TS SESSION SYNTAX
Problem 1327 – CR5 -
ADS: EXCHANGE SERVER CLUSTER
Problem 1331 – CR5 -
ADS: MOVING OUS
Problem 1359 – CR6 -
ADS: CAN'T SET HOME DIR
Problem 1360 – CR6 -
ADS: HOME FOLDER BUTTON
Problem 1388 – CR7 -
ADS: ETSELFCHANGE SETS MUST CHANGE PASSWORD
Problem 1389 – CR7 -
ADS: EXCHANGE DNS WITH COMMAS
Problem 1397 – CR8 -
ADS: LEGACYEXCHANGEDN NOT COMPUTED PROPERLY
Problem 1401 – CR8 -
ADS: CAN'T OPEN POLICY PROPERTY PAGE
Problem 1477 – CR10
- ADS: BOLD CAPABILITY ATTRIBUTES
Problem 1495 – CR10
- ADS: PRE-EXPIRE PASSWORD
Problem 1496 – CR10:
MAILBOX MOVE FAILS
Problem 1497 – CR10: MAILBOX RIGHTS NOT APPLIED AFTER MOVING
Problem 1513 – CR11 - ADS: CHANGING MAILNICKNAME CHANGES LEGACYEXCHANGEDN
Problem 1547 – CR12 - ADS: PLUG-IN EXCEPTION
Problem 1550 – CR12 - ADS: DUPLICATE SMTP MAIL ADDRESS
Problem 1558 – CR12 - E2K: DUPLICATE ACCOUNT
Problem 1559 – CR12
- SUPERAGENT CONNECTION BREAKS
Problem 1560 – CR12 - ADS:INVALID FPRINTF()
Problem 1561 – CR12 - ADS: HOME DIRECTORY FAILURE
Problem 1562 – CR12 - ADS: HOMEDIR INHERIT PERMS
Problem 1607 - CR14
- ADS:BLANK ERROR FOR CALLBACK
Problem 1647 – CR16
- ADS: ACCOUNT NOT SHOWING DATA
Problem 1648 – CR16
- ADS: CUSTOM FEED CRASH SA
Problem 1634 – CR16
- E2K:MODIFY MB RIGHTS CRASHES GUI
Problem 1646 - CR17
– ADS: CAN'T EXPLORE JAPANESE OUS
Problem 1685 – CR17
- ADS: EXPLORE / ATTRIBUTE MAP
Problem 1652 – CR17
– E2K: EXCHANGE SERVER NAME TOO LONG
Problem 1694 – CR18 -
ADS: JAPANESE CHARACTER DISPLAY PROBLEMS
Problem 1706 – CR18
- ADS: CANT MODIFY SMTP ADDRESS
Problem 1703 – CR19
- ADS: MANAGED BY TAB MOD FAILED
Problem 1713 – CR19
- ADS:
Problem 1702 – CR20
- ADS: JAPANESE CHARS IN MGR FIELD
Problem 1723 – CR20
- ADS: CONTACTS MISSES SMTP ADDR
Problem 1726 – CR20
- ADS: TERMINAL SERVICES SET/GET ERROR
Problem 1727 – CR20
- E2K: ENH ERROR MESSAGES
Problem 1731 – CR20
- E2K: MB RULE STRING FAILURE
Problem 1736 – CR21
– ADS: ATTR DIAL-IN TO BE CAPABILITY ATTR
Problem 1743 – CR21
- ADS: ENHANCE HOME FOLDER RIGHTS CREATION
Problem 1745 – CR21
– ADS: ADD EXCH2007 FEATURES
Problem 1746 – CR22
– E2K: ADS:GROUP NAME WITH PERIOD IN IT
Problem 1753 – CR22
– ADS: STORAGE LIMITS
Problem 1754 – CR22
– ADS: LOGON NAME INVALID
Problem 1756 – CR22
– ADS: LOGGED IN AS CREDENTIALS DON'T WORK
Problem 1765 – CR22
– ADS: MULTI-VALUE
RULESTRING
Problem 1783 – CR25
– E2K: ETADSMDBUSEDEFAULTS DEFAULT VALUE SHOULD BE TRUE
Problem 1790 – CR25
– ADS: GROUP MEMBERSHIP ASSG FAILURE JAP
CES 48248 - CR25 –
ADS: CREATE LEGACY MAILBOX IN EXCHANGE 2007
Problem 1796 – CR26
– E2K: ETA MANAGER CAN NOT CHANGE PRIMARY EMAIL ADDRESS
Problem 1802 – CR26
– ADS FAILOVER CAUSES INTERMITTENT SUPERAGENT HANG
Problem 1807 – CR26 –
ADS: COMMAND FILE MISSING VAR CONTINUE EXECUTION
Problem 1797 – CR26
– EX2K7: MAILBOX CREATION FAILED IN SLOW AD DUPLICATION ENV
Problem 1809 – CR26
– ADS: ERROR EXPLORING USER WITH HIDEFROMEXCHANGEADDRBOOK ATTR
DB2 Option
Problem 1198 - CR1 -
DB2: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES
Problem 1220 – CR2 -
DB2: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY
Problem 1268 – CR3 –
DB2: CAN'T USE OFFSET IN POLICY
DBZ Option
Problem 1531 - CR11
- DBZ: SLOW RESPONSE ON ADD VIEW
DYN Option
Problem 1240 – CR2 -
DYN: MAX LENGTH FOR INT
Problem 1241 – CR2 -
DYN: MSSQL SMALLDATETIME
Problem 1242 – CR2 -
DYN: ACCEPT INVALID DATE/TIMES
Problem 1243 – CR2 -
DYN: ORACLE9 NEGATIVE NUMBERS
Problem 1244 – CR2 -
DYN: LEADING ZEROS IN INTS
Problem 1245 – CR2 -
DYN: ORACLE DATE CAUSES ERROR
Problem 1246 – CR2 -
DYN: ORACLE INTERVAL TYPES
Problem 1253 – CR3 -
DYN: DEADD ALWAYS SETS LOCKED
Problem 1254 – CR3 -
DYN: GUI:SIGNED INT
Problem 1300 – CR4 -
DYN: UPGRADE XSD LIBRARY TO 2.2.3.0
Problem 1355 – CR6 -
DYN: ADD ISOBFUSCATED
Problem 1356 – CR6 -
DYN: JDBC DEFAULT VALS POLICY
Problem 1357 – CR6 -
DYN: STATIC DIR SHEET
Problem 1358 – CR6 -
DYN: TIME FIELD NOT IGNORED
Problem 1399 – CR8 - DYN: RULESTRINGS FOR INT VARS
Problem 1630 - CR15 - DYN: CANNT SEARCH ON ONE-LVL
Problem 1626 - CR15
- DYN: READING USERS FROM GROUP PAGE CRASHES GUI
Problem 1778 – CR25
- DYN: %P% in default Policy
Problem 1811 – CR26 – DYN: GLOBAL USER SEARCH FOR ACCOUNT IN DYN NAMESPACE
EIAM Option
Problem 1267 – CR3 -
EIAM: CAN'T USE OFFSET IN POLICY
JCS
Problem 1615 - CR14 - JCS: BUILD.XML ERROR ADDNG DIR
Problem 1629 - CR15
- JCS: EXP/CORR BY CONNECTOR
Problem 1700 – CR19-
JCS: INCORRECT INTEGERS HANDLING
Problem 1710 – CR19-
JCS: FILTER LDAPSEARCH
Problem 1770 – CR23
– JCS: DEPLOY OF JCS CONNECTOR
Problem 1785 – CR25
– JCS: CONNXP FORCES ISREQUIRED ON NOT NULL COLUMNS
LDAP Option
Problem 1193 - CR1 -
LDAP: IMPROVE FILTERING
Problem 1210 – CR2 -
LDAP: GROUP MEMBERSHIP DOESN'T APPEAR IN GUI
Problem 1362 – CR7 -
LDAP: UN PRINTABLE CHARACTER IN TEL NUMBER
Problem 1503 – CR10
- LDAP: ADD NEW SUSPENSION ATTRIBUTE
Problem 1504 – CR10
- LDAP:RESPONSE AFTER SA RESTART
Problem 1505 – CR10
- LDAP: TWO ACCOUNTS CREATED
Problem 1601 - CR14
- LDAP: EXPLORE LDAP FAILURE
Problem 1721 – CR20
- LDAP: DIRECTORY DETAILS NOT EDITABLE WHEN MISCONFIGURED
Problem 1734 – CR20
- LDAP: EDIRECTORY ETSUSPENDED
Problem 1760 – CR22
– LDA: SUPERAGENT
CRASH
LND Option
Problem 1146 - CR1 -
LND: GROUPNAME WITH THAI NAME > 29 CAUSE LDAGT TO CRASH
Problem 1150 - CR1 -
LND: ADD GROUP MEMBESHIP MEMBER NOT ADD
Problem 1166 - CR1 -
LND: DMOCONFIG FAILS ON JAPANESE OS
Problem 1167 - CR1 -
LND: CREATE JAPANESE ACCOUNT NAME FAILS
Problem 1168 - CR1 -
LND: CREATE JAPANESE ORG UNIT NAME FAILS
Problem 1169 - CR1 -
LND: ORG NAME MANGLED
Problem 1170 - CR1 -
LND: LND-ERROR MSGS MANGLED
Problem 1174 - CR1 -
LND: ORGUNIT TAB NAME
Problem 1175 - CR1 -
LND: GUI LASTNAME ALIGNED
Problem 1176 - CR1 -
LND: GROUP TYPE IS GREYED OUT
Problem 1177 - CR1 -
LND: SPECIAL CHR ACCNT VIEW
Problem 1178 - CR1 -
LND: GROUP DESCRIPTION MISSING
Problem 1179 - CR1 -
LND: ACCOUNT CREATION FAILS
Problem 1202 - CR1 -
LND: POLICY NO SHORTNAME GEN
Problem 1209 – CR2 -
LND: POLICY UNABLE TO CHANGE MAIL TEMPLATE
Problem 1211 – CR2 -
LND: GUI CAUSE A FAILURE IN NOTES API
Problem 1227 – CR2 -
LND: DUPLICATE POLICY FAILURE
Problem 1230 – CR2 -
LND: INCORRECT LOGGING MESSAGES LDS INSTEAD OF LND
Problem 1231 – CR2 -
LND: ADD FUNCTIONALITY TO MOVE USER'S MAIL FILE
Problem 1256 – CR3 -
LND: DISPLAY ACCOUNT CRASH THE AGENT
Problem 1257 – CR3 -
LND: DISPLAY ACCOUNT PERFORMANCE
Problem 1265 – CR3 -
LND: EXPLORATION ALWAYS MAPPING
Problem 1266 – CR3 -
LND: EXPLORATION PERFORMANCE
Problem 1280 – CR3 -
LND: SUPPORT ALTERNATE NAMES AND LANGUAGES
Problem 1281 – CR3 -
LND: SUPPORT FOR EMPLOYEE ID AND ASSIGNED POLICY
Problem 1297 – CR4 -
LND: SUPPORT FOR SECONDARY EMAIL ADDRESS
Problem 1298 – CR4 -
LND: EXTENSION OF THE LND GROUP NAME TO HANDLE 256 CHARACTER
Problem 1134 – CR5 -
LND: CANNOT EXPLORE SOME GROUP
Problem 1319 – CR5 -
LND: LND: DMOLNDCONFIG CRASH
Problem 1323 – CR5 -
LND: CUSTOM DEFINED ATTRIBUTES
Problem 1343 – CR6 –
LND: SUPPORT FOR SPECIFYING PAB
Problem 1365 – CR7 –
LND: DATEPICKER CONTROL REVERSE TO SHORT DATE
Problem 1375 – CR7 –
LND: ID EXPIRATION DATE DIFFERS
Problem 1376 – CR7 –
LND: ONLY RESET INTERNET PASSWORD
Problem 1402 – CR8 –
LND: ARCHIVE DB EXPIRATION DATE EMPTY
Problem 1422 – CR9 –
LND: AMBIGOUS NAME AFTER RENAME
Problem 1422 – CR9 –
LND: WEB ONLY USERS
Problem 1427 – CR10
– LND: NO GROUP DISPLAY WHEN USER UNIQUE OU
Problem 1432 – CR10
– LND: "ADD USER TO
PAB" ALWAYS SET WHEN DUPLICATE
Problem 1446 – CR10
– LND: GUI DUPLICATE POLICY
GROUP ARE EMPTY
Problem 1452 – CR10
– LND: LDAGT HANG
Problem 1506 – CR10
– LND: CONFIGURABLE ID FILE
FILENAME
Problem 1507 – CR10
– LND: LOAD LND USER ID
Problem 1508 – CR10
– LND: MOVING AN ACCOUNT TO
NEW CERT.
Problem 1509 – CR10
– LND: ID FILE. NEW NOTES
VARIABLE
Problem 1510 – CR10 – LND: LOGIN NAME SHOWN ON EVERY TAB
Problem 1528 - CR11 - LND: ARCHIVE DB LAST NAME
Problem 1516 - CR12 - LND: OU NAME WITH A DOT CHAR
Problem 1565 - CR12 - LND: FAILD ON FIELD CHANGING
Problem 1519 - CR12
- LND: RULE STRINGS ON LND POLICY NOT POSSIBLE
Problem 1548 - CR12 - LND: WRONG ACL ON MAILBOX WHEN USE ADMINP
Problem 1549 - CR12 - LND: DELETE PERSON DOCUMENT WHEN MOVE FAILURE
Problem 1551 - CR12 - LND: MOVE MAILBOX PROBLEM
Problem 1552 - CR12 - LND: COMAPNY AND CELL PHONE ATT NOT UPDATED
Problem 1639 – CR16
- LND: NEW OU > MAX 64
Problem 1669 – CR17
- LND: ADD CERTIFER FAILED
Problem 1670 – CR17
- LND: PROVISIONING CASE MISMATCH ORGUNIT
Problem 1692 – CR18
- LND: HISTORY TAB NOT SYNC
Problem 1715 – CR19
- LND: CHANGING PASSWORD CAUSES MAIBOX MOVEMENT
Problem 1717 – CR19
- LND: FORMALIZED CERTIFIER NAME
Problem 1725 – CR20
- LND: POSS. GUI CRASH
Problem 1730 – CR20
- LND: MOVE IN HIERARCHY MOVES MAILBOX
Problem 1733 – CR21
- LND: TERMINATE ORPHAN LDAGT.EXE
Problem 1755 – CR22
- LND: DOMINO SERVER NAME LENGTH OVER 18 CHARACTERS
Problem 1763 – CR22
- LND: ETLNDJOBTITLE LENGTH
Problem 1766 – CR23
– LND: CANNOT CHANGE PASSWORD
Problem 1772 – CR23
– DELETE LOTUS DOMINO ACCOUNT
Problem 1795 – CR26
– LND: AGENT CHANGES DOMINO SERVER CONFIGURATION TIMESTAMP
NDS Option
Problem 1478 - CR10
- NDS: NDS GROUP DESCRIPTION
NSK Option
Problem 1201 - CR1 -
NSK: PERF 2 ACCOUNT DESEARCH
Problem 1479 - CR10
- NSK: ADD CONFIGURABLE CCI TIMEOUT
NT Option
Problem 1405 - CR10 - NT: NTSAUTIL FAILS UNABLE TO LOCATE RASSAPI.DLL
Problem 1529 - CR11
- NT: CANNOT SPECIFY SUBSTRING
Oracle Option
Problem 1181 - CR1 -
ORACLE: TRAILING SEMICOLON ON SQL STATEMENTS
Problem 1198 - CR1 -
ORACLE: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES
Problem 1220 – CR2 -
ORACLE: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY
Problem 1313 – CR5 -
ORACLE: INCORRECT STRING FORMATTING
Problem 1317 – CR5 -
ORACLE: LOCKEDBIT AND SUSPENDED
Problem 1349 – CR6 -
ORACLE: ETORAUSRPOLNAME DEPRECATED
Problem 1350 – CR6 -
ORACLE: DIR REQUIRED FIELDS
Problem 1480 – CR10
- ORACLE: LOGGING MESSAGES WRONG
Oracle Applications Option
Problem 1156 - CR1 -
FND: RESPONSIBILITYLIST ONLY RETURNED ON BASE SEARCH
Problem 1233 – CR2 -
FND: TRAILING SEMICOLONS
Problem 1234 – CR2 -
FND: LEAKS DATASOURCES
Problem 1235 – CR2 -
FND: SLAPD CRASHES
Problem 1267 – CR3 -
FND: CAN'T USE OFFSET IN POLICY
Problem 1391 – CR7 -
FND: ACCOUNT SUSPENDED
Problem 1395 – CR7 -
FND: UNABLE TO CLEAR THE SINGLE VALUE FIELDS
Problem 1444 – CR9 -
FND: EXPIRE PASSWORD TIME
Problem 1498 – CR10
- FND: USER
RESPONSIBILITIES ERRPR
Problem 1526 - CR11 - FND: ERROR EXECUTING "SELECT
Problem 1619 - CR14
- FND:USER RESPONSBILITIES
Problem 1679 – CR18 - FND: SUPERAGENT CRASHING
OS/390 Option
Problem 1438 - CR12
- OS390: ACF: STATUS OUT-OF-SYNC ATTRI
Problem 1699 – CR19
- OS390: HANDLE ETSUSPEND SYNC ISSUE
OS400 Option
Problem 1198 - CR1 -
OS400: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES
Problem 1220 – CR2 -
OS400: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY
Problem 1262 – CR3 -
OS400: ERROR PARSING XML WITH OS400 NATIVE EXIT
Problem 1263 – CR3 -
OS400: NATIVE EXIT ACCOUNTNAME PASSED INSTEAD OF FULL BUFFER
Problem 1390 – CR7 - OS400: DOCUMENT PASSWORD SEARCH
Problem 1527 - CR11 - OS400: POL GROUP PROFILE NAME
Problem 1681 – CR17
- OS400: PSYNC PASSWORD CASE
Problem 1682 – CR17
- OS400: REPORT TRUNCATION
PKI Option
Problem 1530 - CR11 - PKI: MODIFY DIR AS NON PKI ADMI
PLS Option
Problem 1151 - CR1 -
PLS: INCORRECT STRING CALL CORRUPTS MEMORY.
Problem 1186 - CR1 - PLS: IMPROVE PERFORMANCE AND ALLOW SETTING AUTH RULE PER APP
Problem 1555 - CR12
- PLS: APPLICATION LOGIN ID FIELD INCREASED TO 50 CHARS
Problem 1788 – CR25 – PLS: EXPLORE FAILURE ON TOO MANY USERS
RSA Option
Problem 1276 – CR3 -
RSA: ACE SECUREID PIN RESET
Problem 1278 – CR3 -
RSA: UNIX REMOTE AGENT
Problem 1301 – CR4 -
RSA: PROHIBIT UNALLOWED CHARACTERS
Problem 1333 – CR5 -
RSA: ADD ACNT 2 MANY TOKEN/PWD
Problem 1608 - CR14
- RSA: TOKEN EXPIRATION
Problem 1609 - CR14 - RSA EXPLORATION ERROR
Problem 1610 - CR14 - RSA: RESET BUTTON BUG
Problem 1618 - CR14 - RSA: EXPLORE/CORRELATE FAILS
Problem 1649 – CR16
- RSA: ACCOUNT NAME WITH SPACES
Problem 1775 – CR23
– RSA: FAIL TO DELETE ADMIN USER
SAP Option
Problem 1152 - CR1 -
SAP: UPDATE OF USERGROUP GETS CORRUPTED IF SHORTER
Problem 1153 - CR1 -
SAP: USER FORMAT NOT REFRESHED ON FIRST/LAST UPDATE
Problem 1189 – CR2 -
SAP: INCORRECT MESSAGE SYNTAX
Problem 1239 – CR2 -
SAP: ROLENAME AND PROFILENAME
Problem 1374 – CR7 -
SAP: CONFIGURE IF PASSWORDS MUST BE CHANGES AFTER RESET
Problem 1411 – CR8 -
SAP: PWD CAN'T BE > 8 CHARS
Problem 1546 – CR12
- SAP: ACCOUNT NOT LOCKED AS IT SHOULD BE
Problem 1650 – CR16
- SAP: CHOOSE FRIENDLY SAP DIRECTORY NAMES.
Problem 1697 – CR18
– SAP: NOT PRE-EXPIRE PASSWORD ON CHANGE
Problem 1720 – CR20
- SAP: LICENSE DATA SET/UNSET
Problem 1722 – CR20
- SAP: ACCOUNT NUMBER HASHES
Problem 1735 – CR22
- SAP:UNICODE SUPPORT (INCL. CROATIAN)
Problem 1748 – CR22
- SAP:JCS NOT EXPLORING ACCOUNTS
Problem 1819 – CR25
- COULD NOT CREATE SAP NAMESPACES WITH SAP 7.0.
SQL Option
Problem 1198 - CR1 -
SQL: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES
Problem 1207 - CR1 -
SQL: SERVER POLICY KILL MGR
Problem 1220 – CR2 -
SQL: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY
Problem 1396 – CR7 -
SQL: EXPLORE WITH 4K LOGINS HANGS SUPERAGENT
Problem 1369 – CR8 -
SQL: CANNOT GRANT OR DENY ACCESS TO A LOGIN WITH SQL AUTHENTICATION
Problem 1429 – CR10
- SQL: EXPLORE / INCORRECT
SYNTAX NEAR THE KEYWORD
Problem 1447 – CR10
- SQL: LOGIN NOT UPDATED WHEN NO RELATED SQL USER
Problem 1481 – CR10
- SQL: MULTI-LINE IN THE LOG
Problem 1675 – CR17
- SQL: EXPLORE FREEZES SERVER
Problem 1672 – CR18
- SQL: USERNAME DOES NOT HAVE DOMAIN/SERVER PREFIX
Problem 1724 – CR20
- SQL: CAN'T VIEW MS SQL ACCOUNT
Problem 1820 – CR25
– SQL: SQL CONNECTOR
LOGGING NEEDS MORE DETAILS.
Single Sign-On (SSO) Option
Problem 1577 - CR14
- SSO: ADMIN - SSO WAC OPTION
Problem 1667 – CR17 -
SSO: LOGININFOS PB
SIEBEL Option
Problem 1194 - CR1 -
SBL: MANAGE POSITION OBJECTS
Problem 1238 - CR1 -
SBL: SOME MANDATORY FIELDS NOT
Problem 1322 – CR5 -
SBL: RESPONSIBILITY/DIVISION/POSITION/VIEW OBJECTS
Problem 1490 – CR10
- SBL: SUSPEND REMOVES FIELDS
Problem 1491 – CR10
- SBL: INCORRECT ERROR MESSAGE
Problem 1492 – CR10
- SBL: UNABLE TO REMOVE POSITION
Problem 1493 – CR10
- SBL: CAPABILITY ATTRIBUTE NOT BOLDED
Problem 1494 – CR10 - SBL: EXPLORE DIVISION FAIL
Problem 1532 - CR11 - SBL: POLICY WEAK SYNC
Problem 1533 - CR11
- SBL: RESPONSIBILITY VIEW HALT
Problem 1614 - CR14
– SBL: RESPONSBLT DUPLICATE FAIL
Problem 1617 - CR14 - SBL: UNABLE TO RESUME SBL ACC
Problem 1653 – CR17
- SBL: POOR PERFORMANCE DUPL RESP WITH MANY VIEWS
Problem 1614 – CR19
- SBL: RESPONSBLT DUPLICATE FAIL
UNIX-ETC Option
Problem 1198 - CR1 -
UNIX-ETC: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES
Problem 1220 – CR2 -
UNIX-ETC: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY
Problem 1307 – CR4 -
UNIX-ETC: HP PASSWORD SHADOW FILE
Problem 1285 – CR5 -
UNIX-ETC: GROUP LAST CHARACTER TRUNCATE
Problem 1312 – CR5 -
UNIX-ETC: UNKNOWN OPTION OR INCORRECT PARAMETER
Problem 1199 – CR7 -
UNIX-ETC: MEMBER OF LIST NOT
RESET
Problem 1371 – CR8 -
UNIX-ETC: PRIMARY GROUPS DO NOT
APPEAR SORTED
Problem 1428 – CR10
- UNIX-ETC: PASSWD EXPIRE DOESN'T WORK
Problem 1458 – CR10
- UNIX-ETC: ACCOUNT HOME DIRECTORY ENHANCEMENTS
Problem 1459 – CR10
- UNIX-ETC: GROUP GID ENHANCEMENTS
Problem 1482 – CR10
- UNIX-ETC: CAFT HANDLE LEAK
Problem 1483 – CR10 -
UNIX-ETC: RETURN REMOTE AGENT VERS.
Problem 1484 – CR10 -
UNIX-ETC: EXTEND BUFFER SIZE
Problem 1579 - CR14
– UNIX-ETC: CANNOT CHANGE PASSWORD
Problem 1714 – CR19
- UNIX: GROUP GIDS NOT CHECKED FOR UNIQUENESS
Problem 1716 – CR19
- UNIX-ETC: GROUP TRANSFER INCLUDES NON EXISTENT ACCOUNTS
Problem 1779 – CR23
– UNIX-ETC: HPUX PASSWORD LENGTH
Problem 1800 – CR26
– UNIX-ETC: UNIX GROUP EXTENSION INCLUDES USERS
Problem 1805 – CR26
– ETC: DELETE GROUP FROM SELECTED SERVER ONLY
Problem 1814 – CR26
– UNIX: GID NOT CENTRALLY STORED
UNIX-NIS Option
Problem 1307 – CR4 -
UNIX-NIS: HP PASSWORD SHADOW FILE
Problem 1308 – CR4 -
UNIX-NIS: PRE AND POST EXECUTION OF SHELL COMMANDS
Problem 1285 – CR5 -
UNIX-NIS: GROUP LAST CHARACTER TRUNCATE
Problem 1314 – CR5 -
UNIX-NIS: CORE DUMP DISPLAY GROUP MEMBERSHI
Problem 1315 – CR5 -
UNIX-NIS: ETNISHOMEDIRCREATION WRONGLY REAPPLIED
Problem 1316 – CR5 -
UNIX-NIS: CORE DUMP GROUP NAME TOO LONG
Problem 1320 – CR5 -
UNIX-NIS: SHADOW EXPIRED FLAG NOT RESET
Problem 1428 – CR10 -
UNIX-NIS: PASSWD EXPIRE
DOESN'T WORK
Problem 1457 – CR10
- UNIX-NIS: NETGROUPS IN
Problem 1482 – CR10
- UNIX-NIS: CAFT HANDLE LEAK
Problem 1489 – CR10
- UNIX-NIS: SEND DOMAIN NAME TO
EXIT
Problem 1696 – CR18 –
UNIX-NIS+: BLANK INPUT TO GUI SHOULD WRITE EMPTY COLUMN
Problem 1808 – CR26
– UNIX: REMOTE AGENT DOES NOT SUPPORT BLOWFISH ENCRYPTION
UNIX-REM Option
Problem 1568 - CR12
- UNIX: DISAPPEARANCE OF ACCOUNTS
Problem 1740 – CR21
- UNIX: SETTING PASSWORD DOES NOT CLEAR MUST CHANGE PASSWD FLAG
Problem 1744 – CR21
- UNIX: SOLARIS USERNAME LENGTH
UPO Option
Problem 1198 - CR1 -
UPO: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES
Problem 1220 – CR2 -
UPO: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY
Problem 1299 – CR4 -
UPO: DON'T ADD EXTRA <ETEXITCUSTOMDATA> TAG
Problem 1309 – CR5 -
UPO: INVALID MEMORY COPY SHUTDOWN SUPERAGENT
Problem 1310 – CR5 -
UPO: INVALID MEMORY IN DISPLAY STRING
Problem 1328 – CR5 -
UPO: MEMORY LEAKS IN AGENT
Problem 1344 – CR6 -
UPO: SUSPEND AN UPO ACCOUNT
Problem 1604 - CR14
- UPO: TAB SEQUENCE
Problem 1688 – CR18
- UPO: POLICY NAME W/ COLON
Problem 1791 - CR25
– UPO: SUPERAGENT HANGING
Problem 1806 – CR26
– UPO: DIRECT REQUESTS TO ALTERNATE ETA SERVER VIA GUI
VMS Option
Problem 1195 - CR1 -
VMS: ADDED SUPPORT FOR ADDITONAL ACCOUNT FLAGS
Problem 1196 - CR1 -
VMS: ADD NATIVE EXIT SUPPORT
Problem 1236 – CR2 -
VMS: PRE/POST EXIT ERROR MESSAGES
Problem 1237 – CR2 -
VMS: ON POLICY CREAT RIGHTS NOT
Problem 1815 – CR25
– VMS: VMS ACCOUNTS ARE NOT DISABLED BY
ADMIN
Legacy Webi
Problem 1184 - CR1 -
EAOWebi: SCRIPT ERRORS
Problem 1252 – CR3 -
EAOWebi: INCREASE GLOBAL USER FIRST NAME MAX LENGTH TO 50
Problem 1302 – CR4 -
EAOWebi: BUTTONS NOT ALIGNED
Problem 1303 – CR4 -
EAOWebi: ROLE DISPLAY DOMAIN
Problem 1304 – CR4 -
EAOWebi: ROLE MOREINFO BROKE
Problem 1367 – CR7 -
EAOWebi: CHANGE Q&A ON EXPIRED PASSWORDS
Problem 1400 – CR8 -
EAOWebi: ALLOW CONFIG OF SELF-AUTH FAILURES GU SUSPEND
Problem 1553 – CR12
- EAOWebi: ADD FRAME BUST TO EAOLOGIN AND EAOLOGOUT
Legacy Workflow
Problem 1164 - CR1 -
EAOWF: ALLOW CONFIGURING FOR FAIL SUBSEQUENT TASKS
Problem 1173 - CR1 -
EAOWF: PRE-MATURE ESCALATION WHEN SLAPD DOWN
Problem 1252 – CR3 -
EAOWF: INCREASE GLOBAL USER FIRST NAME MAX LENGTH TO 50
Problem 1305 – CR4 -
EAOWF: ROLES NOT SHOWING VALUES
Problem 1752 - CR22
- EAOWF: REQUESTS NOT DELEGATING IN PROVISIONING WF
UniFeed
Problem 1223 – CR3 -
UNI: DIRSYNC WARNING MESSAGES
Problem 1603 - CR14
- UFO: PASSWORD LENGTH
Problem 1732 – CR20
- UFEED: UFO FEEDS FAILED AGAIN
SelfService
Problem 1161 - CR1 -
SSRV: SELFSERVICE 40 CHAR LIMIT TITLE
Problem 1197 - CR1 -
JIAM: ADD SIEBEL SUPPORT TO JIAM INTERFACE
Problem 1221 – CR2 -
SSRV: XP SP2 BREAKS GINA
Problem 1247 – CR2 -
JIAM: FORCED DELETE INCORRECT
Problem 1252 – CR3 -
SSRV: INCREASE GLOBAL USER FIRST NAME MAX LENGTH TO 50
Problem 1306 – CR4 - SSRV:
NON-CONTIGUOUS Q&A ENTRIES CAUSE PROBLEMS
Problem 1334 – CR6 -
SSRV: ANSWERS AREN'T DELETED
Problem 1340 – CR7 -
SSRV: REQ. FIELD
Problem 1341 – CR7 -
SSRV: PASSWORD TEXTBOX
Problem 1342 – CR7 -
SSRV: NO SUCCESS MSG ON FAILURE
Problem 1379 – CR7 -
SSRV: CONFIRMATION MESSAGE
Problem 1380 – CR7 -
SSRV: IE7 CURSOR STICKS
Problem 1605 - CR14 - SSRV: VULNERABLE URLS
Problem 1612 - CR14
- SSRV: IAM Self Service GINA problem
Problem 1676 – CR17
- JIAM: EXPLORING NON-HIERARCHICAL NAMESPACES
Problem 1711 – CR19
- SSRV: SSL FAILURE
Problem 1762 – CR22
- JIAM: SELFSERVICE PASSWORDCHANGE
SelfServiceConfig
Problem 1412 – CR8 -
SSCFG: OPTIONAL FIELD ERROR
Problem 1413 – CR8 -
SSCFG: ERROR CONFG SELF AUTH
IAManager
Problem 1197 - CR1 -
JIAM: ADD SIEBEL SUPPORT TO JIAM INTERFACE
Problem 1290 – CR4 -
IAMI: INCREASE ROLENAME TO 255 CHARACTERS
AdvWF
Problem 1197 - CR1 -
JIAM: ADD SIEBEL SUPPORT TO JIAM INTERFACE
Problem 1406 – CR8 -
ADVWF: CHECK INGRES CHAR SET
CES 48667 – ADVWF:
ERROR ENCRYPTING PASSWORD POST UPGRADE FROM ADMIN 8.1
SPML
Problem 1197 - CR1 -
JIAM: ADD SIEBEL SUPPORT TO JIAM INTERFACE
Problem 1247 – CR2 -
JIAM: FORCED DELETE INCORRECT
Problem 1332 – CR5 -
SPML: SPMLMANAGER DYN SUPPORT
Problem 1361 – CR6 -
JIAM: ETFNDUSEAOLONLY
Problem 1350 – CR7 - SPML: DIR REQUIRED FIELDS
Problem 1515 - CR11 - SPML: P/W DISPLAYED IN SPML LOGS
Problem 1534 - CR11 - SPML: FRENCH NAMESPACE
Problem 1535 - CR11 - SPML: SEARCH SPECIAL + HANDLES
Problem 1536 - CR11
- SPML: TOMCAT OUT OF MEMORY
Problem 1651 – CR16
- SPML: ADVANCED WORKFLOW CANNOT CONNECT TO SPML SERVER
JIAM SDK
Problem 1197 - CR1 -
JIAM: ADD SIEBEL SUPPORT TO JIAM INTERFACE
Problem 1222 – CR2 -
JIAM: INCORRECT DEFAULT PROPERTY
Problem 1247 – CR2 -
JIAM: FORCED DELETE INCORRECT
Problem 1378 – CR7 -
JIAM: INIT EXTENSIONS
Problem 1414 – CR8 -
JIAM: IAMUser.syncToAccounts
Problem 1415 – CR8 -
JIAM: IAMCONTAINER.GETCHILDCONTAINERHANDLES
Problem 1433 – CR9 -
JIAM: ROLE NAME CASE
Problem 1434 – CR9 -
JIAM: ETSELFCHANGE
Problem 1606 - CR14 - JIAM: LOCKS UNDER STRESS
Problem 1633 - CR15
- JIAM: COMMIT EXCEPTION
Problem 1655 - CR16
- JIAM: ADD SUPPORTED API FOR INTERNAL DN
Problem 1656 – CR16
- JIAM: RDTUTILITY RESERVED KEYS
Problem 1657 – CR16
- JIAM: SUPPORT ADDITIONAL USER CUSTOM FIELDS
Problem 1658 – CR16
- JIAM: SENDING OUT AN INCORRECT SEARCH QUERY
Problem 1707 – CR18
- JIAM: ESCAPING CHARACTERS IN FILTER STRING
ConnectorXpress
Problem 1275 – CR3 – XPRESS: CORRECT HELP SYSTEM
Problem 1563 – CR12
– XPRESS: CHANGE A PROVISIONING ROLE
Problem 1654 – CR16
- CONXP: 50 CHARS IN NAMESPACE
Problem 1794 – CR26
– CONNXP: UNCLEAR EXPECTED VALUE
Bindeta Utility
Problem 1698 – CR20 –
UNKN: ENHANCE BINDETA LOGGING
Utilities
Problem 1784 – CR25
– UTIL: RMELDERS.TCL NOT HANDLING TIMESTAMPS
INSTALL/UNINSTALL
If the PATH
environment variable is greater than 1024 characters the IAM install will not
work.
You may need to
decrease the length by converting long folder names to short names or possibly
temporarily removing path entries and restoring them back after the install is
complete.
On the UNIX server,
do not select to perfom a binaries only upgrade in the installer. Doing so will
result in the eTrust Admin not starting.
Attempting to uninstall Admin Server from a machine with ECS 8.2.9 installed will generate an error that /opt/CA/SharedComponents/eTrustCommonServices/scripts/eCSuninstall.sh could not be found. You can uninstall ECS 8.2.9 by running /opt/CA/SharedComponents/EnterpriseCommonServices/scripts/eCSuninstall.sh
Attempting to
uninstall via the Windows "Add/Remove Programs" and selecting
"CA eTrust Identity and Access Management" when a cumulative release
(CR) has been applied to a previous release, fails. This is because
"..\CA\eTrust Identity and Access Management\_iamuninst" does not
have the "CA eTrust Admin Server.msi" that matches the CR version
installed. Copy the MSI matching the installed CR into the above location
and then run the uninstall.
If you install a
Solaris domain as Primary, then attach Windows alternate servers with non-ASCII
characters in the domain, the Solaris installer mangles names incorrectly, i.e.
ESPAÑA is mangled into ESPA001DA.
Installation of exchange
remote agents (Exchange 2000/2003 and Exchange 2007) requires a reboot.
CORE
If you require a
policy to contain the percent (%) character you must first escape it so that it
will be used as a literal (%%). This is because rule strings use the percent
(%) character as the leading and terminating characters. Failing to use a
double percent may result in an unmatched percentage error.
There is a known limitation for escaped rule strings: Entering a rule string such as:
TLDAContainerName=UCU01:1,8%
in an LDAP Policy in the Account container section will produce an error message from the eTA Manager.
If Solaris is configured for IPv6, the eta_connector will have fail to start and core dump. IPv6 must not be present on the system.
All users (including
cn=etaanon,dc=eta) can do the following operations:
- list domain (dc) objects
- read attributes of domain objects
- list namespace objects
- read attributes of namespace objects (new
The constraint
"objectclass=*" should not be contained in search filters as
performance will be impacted. "objectclass=*" is not a
part of the filter search for global users. Custom PAM code that uses
"objectclass=*" should be updated accordingly.
A new fix allows a
global user to be created with role successfully (when changing the "Store
user passwords" to "No"), . Whether the
account on the endpoint can be created depends on the password policy of the
specific endpoint.
ADS
The Admin ADS Option will now check to see if the newly assigned smtp email address already belongs to another object and if so it will return an error that the value is already in use. Having duplicate smtp email addresses may result in delivery errors. A system administrator should check their existing environment and remove any duplicate or unwanted addresses.
The Admin ADS Option
will now allow the user to specify the behavior when creating the profile home
directory. The default is the current behavior of only allowing the
account that the folder is created for to access it.
The new supported behavior is to not set the account to have permission to
access the folder but to inherit the permission from the parent folder.
This new behavior is controlled by the directory configuration
HomeDirInheritPermission. I.E., if the eTADSconfig attribute on the
directory has the value: HomeDirinheritPermission=1 then this new behavior is
selected. If this option is enabled the administrator must manually alter
the NTFS security permissions and allow the appropriate account access to this
folder.
Check-account-sync
always shows Contact's attribute 'accountExpires' as out of sync. Active
Directory Contact does not have this attribute in its schema so it should not
be considered during synchronization.
"eTADSmsNPAllowDialin" is shown as out of sync when
doing check-account-sync on ADS Contact object. This should not be the case
since this attribute does not belong to contact object. The attribute should be
ignored by the sync algorithm. This issue is not reproducible using Admin
Manager since Admin Manager does not allow setting of this attribute.
The CA supplied
program exit ADSOptExits.dll (for ADS Connector) has been enhanced to allow
variables that do not match data supplied by the server.
In cases where a
specific variable (for example, %mail% may not be provisioned if a mailbox is
not created) is used in command scripts system administrators can define an
environment variable ETA_ADS_OPT_ALLOW_MISSING_VARS (the value of the variable
is not examined). Processing of the command file will now continue and the
missing variable will be replaced with empty text (zero characters). The
default behaviour is unchanged – processing will be aborted for missing
variables.
Advanced Workflow
A package has been added to facilitate the process of migrating eTrust Admin Advanced Workflow data from an Ingres database to an MS SQL Server 2000 database and ensuring that Advanced Workflow functions with the new database. Consult the document Advanced Workflow migration to MS SQL Server in the awf_migration.zip file for more information.
ACF2
DSI should already
be running prior to starting SLAPD otherwise access to ACF2 accounts will not
be accessible.
DFS
Changes have been
made to support the creation of home folders on Distributed File System (DFS)
environments. For this functionality to work correctly the "eTrust
Admin Superagent" service must be set to "log on as: etaslapd"
(default). Note that this account must have imported the AD certificate
to support SSL.
DYN
eTDYNPolicy will not
accept a non-integer as one of the values for a multi-valued capability integer
attribute; this prevents rule strings from being used.
Performing a sub-domain search in an environment with multiple DYN namespaces defined will result in all of the defined DYN namespaces being searched/returned.
There is a problem
when you attempt to create a new Account or Group in the DYN provisioning
manager plug-in talking to a JDBC namespace by:
1) bringing up the “Directory Content”
panel for a directory
2) highlighting the root node in the
“Container tree”
3) selecting “DYN Account” or “DYN Group”
in the “Object type” selector
4) clicking the “New “ button on the
“Create new content” panel.
This results in an error message displayed in a dialog with the text:
JCS: missing “eTDYNAccountConatinerName=Accounts' in DN”
near the end (there
is a similar message for Groups). Trying to select “DYN Container” in step 3)
results in a blank screen.
To avoid this problem, insure that you select the Accounts or Groups containers
when you create accounts or groups respectively.
Using Admin Manager,
it is possible to click on the ‘New’ button for DYN Container for a JDBC DYN
Namespace. This will only open a blank eTDYNContainer property sheet, as
only JNDI DYN Namespaces support the management of Containers. When
setting up the Explore and Correlate/Correlation Attribute for a DYN Namespace,
extra attributes that are were not allocated during the mapping of your DYN
namespace will appear in the drop down list. Use ConnectorXpress to
export the Mapping Summary file to identify which DYN attributes apply.
When you acquire JNDI DYN Endpoint using Admin Manager, base DN (a required
field) and LDAP Version fields are located in a separate tab called
“General’. Also fields titled ‘System Logon’ need to be populated with a
Bind DN value
The same account
will appear many times in Accounts Profiles by Name template if the account has
attributes with multiple values. Similarly, the same group will appear many
times in Groups Profiles by Name template if the group has attributes with
multiple values.
In the default
parser table, some attributes are mandatory.
To override a
mandatory attribute in the default parser table with a non-mandatory attribute
in the new parser table, use __EMPTYVALUE__ (4 underscore, 2 on each side).
For example:
in the policy.pti
(default parser table):
default = %P%
in the dynparse.pty
default = __EMPTYVALUE__
and set overrride to yes
override = yes
EAOWEBI Web Interface
A new parameter
called enable_bust_frame can now be set to true in the EAOWebi.properties page
which will force EAOLogin and EAO2Logout to be loaded into the main window
instead of a frame.
Exchange 2000/2003 (E2K)
Currently, managing
both Exchange 2003 and Exchange 2007 in a mixed Exchange 2003/2007 environment
is not supported. If you have updated your Microsoft Active Directory
schema by running the Exchange 2007 Setup tool in either your domain and/or
forest, eTrust Admin will automatically identify all Exchange servers in the
domain as Exchange 2007. If you wish to continue managing Exchange 2003
servers only, you must first disable the Exchange 2007 functionality via a
registry key on the machine(s) running the eTrust Admin Superagent(s).
To disable Exchange
2007, the following steps need to be performed manually:
1) open the following registry key via regedit:
HKLM\SOFTWARE\ComputerAssociates\eTrust Admin
2) under the registry key, add a new string value: DisableExchange2007
3) set DisableExchange2007 value to 1 or 2. The values are as follows:.
·
Setting DisableExchange2007 = 1 will disable most Exchange 2007 functionality and treat
all Exchange servers as 2000/3. See the
Exchange 2007 section for more details.
·
Setting DisableExchange2007 = 2 will allow both Exchange 2003 and Exchange 2007
with reduced functionality. See below
for more details.
4) restart Superagent service.
[Note] The ADS log will include a message about if the setting is on or
off.
If you have followed the steps above and set the DisableExchange2007 to
2, please note the following applies to managed
Exchange 2000/3 directories:
·
Mailbox rights cannot be managed.
·
Send-As permissions cannot be managed.
·
When creating or modifying an Exchange 2000/3 Policy, clicking on the
‘Mailbox Types’ button will enable the Exchange 2007 functionality. Mailboxes will not be created on Exchange
2000/3 based systems and no error message will be returned. Do not click on the ‘Mailbox Types’ button if
you wish to create or manage Exchange 2000/3 Mailboxes via that policy.
If you do not apply this change the superagent will be unable to
correctly manage the Exchange 2003 functionality.
CA Admin cannot create
Exchange 2000/2003 mailbox via an Exchange 2007 specified policy.
Due to introduction
of support in eTrust Admin for Exchange 2000/2003 servers running in clustered
environment, exchange mailbox rights can now be managed through policy only if
actual values are selected in the policy for “Mailbox Server” and “Mailbox Store”
(under “Exchange General” tab). That is, rule strings %EXCHS% and %EXCMS%
cannot be used if mailbox rights are managed through the policy.
In Exchange 2000,
Instant messaging attributes are not set correctly on the policy.
It is only
noticeable if managed endpoint name contains spaces.
Consider these names
as an example:
''Active Directory 2000" -- Will expose the problem
"ads” -- Will NOT expose
the problem
Attempting to add an
account from a child or parent domain to the mailbox rights list of an account
will fail.
Mailbox move
operation fails when run with Exchange 2000 server when mailbox is being moved
between different stores on the same exchange server.
Using Admin Manager
it is not possible to add objects to message restrictions list in active
directory group. eTA Manager allows user to include
object using eTA Manager but once the change is applied the entries are removed
from the list.
Using Admin Manager
it is not possible to add objects to message restrictions list in contact's
policy. When add button is pressed, which should bring up search dialog error
message is returned "The Parameter is incorrect"
If two mail servers
have the same Storage Group / Mailbox Database name, then upon account
creation, the MDB+Storage group is listed twice and creation fails
If adding an account to the permission list (mailbox rights or send-as)
via the external domain or forest SHIFT+ADD method fails, the displayed list
may inaccurately indicate that the failed account has been added to the list
after a fail message has been displayed. Refreshing the account
properties page will clear any incorrect entries.
Exchange 2007
Currently, managing both Exchange 2003 and Exchange 2007 in a mixed
Exchange 2003/2007 environment is not supported. If you have chosen to
follow the steps outlined under the Exchange 2003 Known Issues and have set the
registry key value to 1, the following will be disabled for Exchange 2007:
1.
mailbox creation
§ user mailbox (CR21)
§ linked mailbox, shared
mailbox, room mailbox, equipment mailbox (CR22)
2.
mailbox deletion
3.
mailbox movement
4.
mailbox permission management
5. mailbox AD permission
management
If you have added
the registry key and set the value to 2, please note the following:
1. By default,
Mailboxes will be created as “Legacy Mailboxes”. For example, right clicking on an account and
selecting ‘custom > create mailbox’ will create a Legacy Mailbox.
2. If you wish to
create Exchange 2007 Mailboxes please set the mailbox type on the appropriate
policy. If you do not set the mailbox
type, mailboxes created by the policy will be of type ‘Legacy Mailbox’.
The Exchange 2007
remote agent has to be installed on all managed Exchange 2007 servers.
The Exchange 2007 remote agent is unable to move Exchange 2007 mailbox across
AD forest
The following mailbox
types can only be created via the use of a eTrust Admin Policy (Exchange
General tab, ‘Mailbox Type’ button):
·
Linked Mailbox
·
Shared Mailbox
·
Room Mailbox
·
Equipment Mailbox
Once created, these mailboxes can be managed directly or via the
policy. It is not possible to change the
mailbox type after creation
Exchange 2007 does not
accept a Mail Alias with white space; please make sure there is no white space
in Mail Alias fields on eTrust admin Manager or etautil.exe command line or any
other third-party facilities.
Attempting to add an
account from a child or parent domain to the mailbox rights list of an account
will fail. Hold down the SHIFT Key while
clicking ADD to directly add an account or group from another forest or domain.
Exchange Server 2007
allows administrators to select both 'Accept messages from only senders in the
following list' and 'reject messages from senders in the following list'. CA Admin Manager will only allow one to be
selected, as was behaviour in Exchange 2003.
If both are natively selected in Exchange 2007, this functionality is
working in CA Admin.
Unlike previous
versions of Exchange server, Exchange Server 2007 does not allow creation of a
user mailbox for suspended accounts. All other types of
mailbox will have their associated user disabled. Such accounts will not have their suspension
state propagated from the Global User.
Any attempts to use
an alternate Exchange Gateway (not the machine itself but another exchange 2007
server in the forest) will fail.
If two mail servers
have the same Storage Group / Mailbox Database name, then upon account
creation, the MDB+Storage group is listed twice and creation fails
Groups or accounts
added via the SHIFT+ADD method on the mailbox rights page will have the 'read
only' field, SEND-AS set to TRUE. Objects added via the conventional method
will have this field empty.
Selecting ‘Send-As’
from the Exchange Advanced tab will clear any new changes made to ‘Mailbox
Rights’, and vice-versa. Apply changes
from one page before updating the other.
It is possible to
set the storage limits incorrectly, resulting in invalid data being applied to
the mailbox. Ensure that ‘Issue Warning’
is always smaller than ‘Prohibit Send’, and ‘Prohibit Send’ is always smaller
than ‘Prohibit Send and receive’.
If the FQDN of the managed
AD directory contains a trailing white space, an error ‘Modify failed: Search of Global Catalog for
proxyAddresses’ may be displayed. Ensure
there are no white spaces after the FQDN host name on the directory properties
page.
The ADS connector uses the remote agent for all Exchange 2007 related
operations. This will result in slower performance on operations
involving mailbox management when compared to management of Exchange 2000/2003.
To apply an email address to a mail enabled group, first create the
group and then add the intended e-mail address(es) via
the e-mail addresses tab.
2) set the value to 2
GINA
To prevent a Security Vulnerability via the “Save As”
dialog, users can no longer use the “Browse” button in the “Certificate Export
Wizard” dialog to browse to the computer where the certificate will be saved
to.
If a user wishes to save the certificate simply
enter/type the filename (without the .cer extension) with full path details and
continue with the wizard.
LND
LND Policy will not handle directory detail if it is
created by SPML.
Full management of accounts in secondary Domino
Directories is now supported. Accounts may be explored and created in a
secondary directory (i.e. directory other than names.nsf, that is served by
Directory Assistance), and may also be modified, recertified, renamed, moved,
and deleted. Groups may be explored, modified, and deleted in a secondary
directory, although they can only be created in the primary directory. When
suspending accounts in a secondary directory, they will be added to the deny
access group “Suspended_0” in the primary directory. This group is created on
the primary directory of the registration server specified to DMOLNDConfig.exe
when it is run during initial configuration of the LND Option.
It is not currently possible to add two groups that
have the same name, but that exist in different Domino Directories, to another
group. This is because Domino removes duplicate names from the Members field on
Group documents, and in Domino, group names appear in the Members field without
the directory name. For example, in eTrust Admin, the groups
“names.nsf:LocalDomainAdmins” and “secnames.nsf:LocalDomainAdmins” would both
be added to the Members field of another group as “LocalDomainAdmins” and
therefore the duplicate would be removed by Domino, leaving only one instance
of “LocalDomainAdmins.”
LND directory names can not exceed the total number of
bytes allowed by eTrust Directory (approximately 120 bytes). Therefore if a LND
directory name contains multi-byte characters, it will not be able to contain
the full 64 characters that a directory name using only single-byte characters
could contain. For example, if the directory name contains entirely multi-byte
characters, no more than 29 characters may be used in the name. If the name
contains a mixture of multi-byte and single-byte characters, the total
characters allowed will vary.
A registry value is
now available to control whether a particular Public Address Book should be the
only source of account information used for a particular LND endpoint.
The following string value can be set on a per directory basis. It
should contain the data directory relative file name of the desired PAB.
The actual name of the directory should replace <DIRECTORY NAME>
below:
HKEY LOCAL
MACHINE\SOFTWARE\ComputerAssociates\eTrust Admin\Lotus Domino\<DIRECTORY
NAME>\PABName
Depending on your
Domino server “Administration Process” settings, you may experience the
following error “Modification failed: SuperAgent Modify failed: unable to set
mail database quota” when duplicating LND Account that has “Create
Mailbox using Adminp Process” option and mail database quota or warning set.
Workaround:
1. Once duplicate LND
Account is created and its mailbox gets created, you can set mail database
quota and warning using eTrust Admin.
2. Change the
“Administration Process” settings of your Domino Server to decrease the
interval and increase the maximum number of threads.
Creating LND group
and setting group member in the same etautil or SPML request fails and causes
the “…Read failed: Operations error” every time you try to access any LND
object.
Workaround:
1. If you experience
such issue, re-start SuperAgent
2. Create Groups using
etautil or SPML without setting LND Group members. Once the groups is created
set LND group members using eTrust Admin Manager.
3. Addition, removal or
replacement of members from LND group through etautil or SPML is not supported.
Addition, removal or
replacement of members from LND group through etautil or SPML is not supported.
Workaround
1. Use eTrust Admin
Manager for adding or removing members from LND group
The LND Option now
manages additional attributes which are not manageable via the SPML (JIAM) such
as eTLNDAltFullName, eTLNDAltFullNameLanguage, eTLNDAltQualifyingOU,
eTLNDNewMailFolder, eTLNDEmployeeID, eTLNDAssignedPolicy.
It is not currently
possible to reliably extract the alternate qualifying OU name, if it exists,
from the alternate name during account exploration. Therefore, this field
will not be populated on explored accounts. It can be populated after
exploration either by renaming the user and setting it either to its current or
a new value (however, this will generate a rename request in the Adminp
database, so it is not the recommended method unless at least one of the
account name components is truly being changed). It can also be populated
by modifying the eTAltQualifyingOU attribute on the account to reflect the current
alternate OU name. This can be accomplished via a directory browser such
as JXplorer or via a script (e.g. etautil command). This is the
recommended method if the goal is merely to set the alternate OU to its current
value without actually renaming the user. This method will not change the
name – it merely sets the eTAltQualifyingOU attribute, which is used by eTrust
Admin to hold the alternate OU name.
If an Alternate Name
or Alternate Org Unit is set for a LND account after selecting the blank option
from the dropdown list for Alternate Language, the account will be created and
its alternate name information visible in eTrust Admin Manager. However,
the alternate name information has not been added to the user’s ID file and
will not be visible in Domino Administrator. Conversely, if an Alternate
Language is configured but no Alternate Name or Alternate Org Unit is set, the
Alternate Language will be visible for the account in eTA Manager, but not in
Domino Administrator and the alternate name information will not be added to
the user’s ID file.
The eTrust Admin LND
Option now provides support for the management of alternate names on LND
accounts. In order to add alternate name information to an account ID,
that ID must be certified by a certifier ID that itself has at least one
alternate name configured. The LND Option does not currently include the
management of alternate languages on certifier ID files, so the administrator
must perform some additional steps prior to using this new functionality:
First, the certifier
IDs must be configured with alternate names using Domino Administrator (see
Domino Administrator Help under the subject “Adding an alternate language and
name to a user ID” for further details on completing this step).
Second, once the
certifier IDs contain alternate name information, the existing Certifier
documents for each certifier must be updated in the Certifiers database.
This is because the alternate name information is contained within the
certifier ID file. To do this, the administrator must open the Certifier
documents using the Domino Administrator client, delete the existing certifier
ID file, and attach the updated certifier ID file in its place. In
addition, if the password field on the Certifier document is empty, the correct
ID password must be added to this field. NOTE: Updating the
certifier ID files is necessary any time the alternate name information is
changed in a certifier ID file. If the original certifier IDs added to
the Certifier database already contain the proper information, this step is not
necessary.
Third, each
Organization or Organizational Unit certifier that contains alternate name
information needs to be updated within the eTrust Admin database. A new
multi-valued attribute, eTLNDOrgCertAltLanguageList, has been added to contain
all the languages supported by certifier. This attribute must contain the
applicable language code, not the name of the language (see the list below for
supported language codes). This can be accomplished by running a simple
etautil script, or by using a directory browser such as JXplorer. For
example:
etautil -d MYDOMAIN
-u etaadmin -p password update 'eTLNDDirectoryName=LND-R7,eTNamespaceName=Lotus
Domino Server,dc=MYDOMAIN,dc=eta' eTLNDOrganization eTLNDOrganizationName='O:cai'
to +eTLNDOrgCertAltLanguageList='ko' +eTLNDOrgCertAltLanguageList='fr'
Only those valid
languages added to the Organization or Organizational Unit objects in the eTrust
Admin database will be displayed as choices when creating accounts using that
Org or OU. An attempt to add an invalid code will result in an error. The
languages on the Org and Org Unit certifiers are not actively managed. There is
no checking done for the language code and if a language that is not supported
is added to the org or org. unit and selected during account creation or rename
– failures will occur. The workaround is to use etautil to remove the incorrect
value.
Languages supported
for alternate names and their associated codes are:
Language
Language code
Albanian
|
sq |
Arabic
|
ar |
Bulgarian
|
bg |
Byelorussian
|
be |
Catalan
|
ca |
Chinese
(Simplified)
|
zh-CN
|
Chinese
(Traditional)
|
zh-TW |
Croatian
|
hr |
Czech
|
cs |
Danish
|
da |
Dutch
|
nl |
English
|
en |
Estonian
|
et |
Finnish
|
fi |
French
|
fr |
German
|
de |
Greek
|
el |
Gujarati
|
gu |
Hebrew
|
he |
Hindi
|
hi |
Hungarian
|
hu |
Icelandic
|
is |
Indonesian
|
id |
Italian
|
it |
Japanese
|
ja |
Konkani |
x-KOK
|
Korean
|
ko |
Latvian
|
lv |
Lithuanian
|
lt |
Macedonian
|
mk |
Malay
|
ms |
Marathi
|
mr |
Norwegian
|
no |
Polish
|
pl |
Portuguese
|
pt |
Romanian
|
ro |
Russian
|
ru |
Serbian
|
sr |
Slovak
|
sk |
Slovenian
|
sl |
Spanish
|
es |
Swedish
|
sv |
Tamil
|
ta |
Telugu |
te |
Thai
|
th |
Turkish
|
tr |
Ukrainian
|
|
Vietnamese
|
vi |
The eTA Manager Policy Attributes tab page for the LND
option will generate an error when displaying a policy previously edited via a
etautil script that substitutes the newly supported %...% rule string for a
container(org.Unit).
The Directory dropdown list box in Policy Attributes tab page is not populated with the LND directory as expected. Running an etautil script with a rule string substituted for the container value in a policy will result in the directory value being removed, thus rendering policy attributes unmodifiable via eTA manager.
The user can still see which container an account has been created in, by searching for the account and viewing the Profile tab page in the account properties.
If user wishes to see in what container values exist, then JXplorer or etautil script can be used to search for container values.
Sample etautil Container Search script
To view Organization or Organization Unit that is set in a Policy:
etautil -u <user> -p <password> select 'eTLNDPolicyContainerName=LND Policies,eTNamespaceName=CommonObjects' eTLNDPolicy eTLNDPolicyName=<Policy Name> list eTAccountContainer
To view the directory that is assigned to the Policy:
etautil -u <user> -p <password> select 'eTSubordinateClass=eTLNDDirectory,eTSuperiorClass=eTLNDPolicy,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects' eTInclusionObject eTSuperiorClassEntry=”eTLNDPolicyName=<Policy Name> *” list eTSubordinateClassEntry
Clarification of the behavior of the
"Last Name" and "User Name" views in the archive database:
Both the "User Name" and the
"Last Name" views assume that the last word in a name is actually the
last name and therefore sort upon whatever follows the last space in the user
name. Take for example the name "Dick van Dyke". An account
with this name will appear under "D" for "Dyke" in both the
"Last Name" and "User Name" views as "Dyke, Dick
van" and "Dick van Dyke" respectively.
However, if the name were "Dick
vanDyke" it would appear under "V" for "van" in both
views, as "vanDyke, Dick" in the "Last Name" view and as
"Dick vanDyke" in the "User Name" view.
The same applies for users with only a
last name and no first or middle name. If there is a space in the name,
the sorting will be done using the last word in the last name.
Rule strings for Default Certifiers
can be viewed and modified on LND Policies via eTA Manager.
Lotus Notes
(LND) Option with manually changed certifier name
-------------------------------------------------------------------------------
In some rare environments, the certifier names of some Organization Units were
manually changed to lowercase or uppercase, resulting in a failure when doing a
case-sensitive account search
Usually re-exploration should correct the problem. But if re-exploration is not
acceptable, the following can be a workaround:
1. On Superagent server, create following string registry entry with blank
value
HKLMSoftwareComputerAssociateseTrust AdminLotus Domino<LND
DIR>EnabledOrgunitMapping
2. On Superagent server, create a text file, <Program Files
dir>LotusnotesOrgunit.ini, with following format:
[Orgunit]
OUn=<Lotus_Notes_OU_Certifier_Canonical_Name>
Note:
a. 'n' is a index for the Organization Units Certifier names, starting from 0
b. The value should be the canonical certifier name in the Lotus Notes Server,
LND Connector use it to transform the inner LND account canonical name to the
identifiable form in Domino Server during searching a person document.
c. An example:
[Orgunit]
OU0=OU=OuA/O=ca
OU1=OU=OuB/O=ca
If
the SuperAgent crashed, it could leave an orphaned instance of ldagt.exe
running, which Admin uses to communicate with Lotus Notes. A change has been
made which will allow an optional configuration setting to attempt to terminate
these processes when the SuperAgent restarts, using the Notes NSD.EXE utility.
To enable this setting, create a registry entry under
HKLM\SOFTWARE\ComputerAssociates\eTrust Admin. Name the entry
LNDTerminateLdagtWaitSeconds, and create it as a DWORD value.
After a start or restart of the SuperAgent, the first attempt to access any LND
endoint causes the initialization of the the LND option. As part of this
initialization, Admin will now search for the LNDTerminateLdagtWaitSeconds
registry key. If this key is found, the value will be read. If the value is 0
or negative, it will be ignored. If the value is a positive number, it will
indicate the longest amount of time, in seconds, that the LND option will wait
for the call to NSD.EXE to complete before continuing.
Siebel
In order to support suspended account
resumption, the provisioning server has been modified to persist account state
as part of the account modification operation. More information about
this significant change can be found in the Siebel Connector Guide and the
Siebel Connector Online Help.
“Enable create user position feature”
flag can be specified for a Siebel directory only after first exploration of
that directory.
“Associated division” field on a
“Create Position” property page of a Siebel user and policy sheets is not
marked as mandatory. However it must be specified when creation of a new
position for a user is chosen and a name of a position is provided.
Siebel allows objects to have
duplicate names, but eTrust Admin does not so while exploring a Siebel endpoint
that contains objects with duplicate names, errors such as object already
exists will be seen.
Siebel 8 requires
the Siebel 8 client to be installed on the same machine as the Admin Server and
Superagent. Siebel 7.x and Siebel 8 clients cannot co-exist on the same machine
so in order to manage both versions you will need to use a
Distributed Superagent architecture.
Exploration failures
may be encountered due to Siebel having two Administrator Positions. Since
there are two Siebel Administrator Positions, if the Siebel Administrator
position is assigned to a Siebel User, viewing the Siebel User may show the
Siebel Administrator assigned twice.
The primary position has now been
classified as a capability attribute. However, please note: If you create
a policy where the value for the Primary Position is not explicitly set, then
performing account synchronization, will not change the primary position to one
from the newly assigned policy. In order for a policy to change the primary
postion of an account, the value for primary position must be explicitly specified
in the policy.
Oracle
During Profile create/modify, you are unable to set numerical values for both the
keep field and the keep for field if the “keep password history” is selected.
Oracle Applications (FND)
After Oracle Applications directory is
loaded to the memory, an attempt to stop the Superagent results in an
application error popup.
Note that exploration will fail until
the charset portion of the NLS_LANG (in the registry) is updated to UTF8.
OS400
When creating a
group object, the groupID must be specified with a value greater than 0. This
is not currently enforced by all clients.
Also, changing the
groupID of an account object to a value greater than 0 or changing the groupID
of a group object to a value of 0 will cause the object type to change and
leave the Administrative Repository out of sync with the endpoint.
Workaround:
Re-explore the endpoint to re-sync the Administrative Repository with the
endpoint.
PKI
When the PKI profile
and entrust.ini files are located on a remote system, the Super Agent User (by
default “etaslpad”) needs to be created on the machine where the profile and
entrust.ini files are stored, otherwise the Super Agent User doesn’t have
permission to access those files and you will not be able to acquire the end
point. Note: If you are using the administrative share on Windows
machines, the Super Agent User needs to be added to the administrator group.
PLS
Length of the
Application LoginID has been increased from 21 to 50 chars to handle long
rulestrings.
RACF
Support for
Norwegian character translation for the Name and TSO Procedure fields gas been
added. Setting a system environment variable ETANORWAY=1 on the eTA
Server machine is what triggers the translation to occur. Note that only
a system
environment variable will work. Also note that this fix applies only to
Windows.
RSA
Note: As of CR13 the RSA agent is not backwards compatible. Insure that the RSA
agent is upgraded in synchronization with other upgraded components.
The Dollar character
($) cannot be used in any attributes of RSA accounts, groups or policies.
Note:
To improve RSA connector performance during exploration, agent plug-in will return
account names only. Correspondingly, only one session will be opened on RSA
server during exploration. This will limit correlation functionality,
particularly if a global user creation mode is chosen. It will not be possible
to populate first/last/full names of global users from RSA accounts during
correlation.
This solution is considered interim.
Default behavior is same as before. To configure improved performance at cost
of correlation/mapping you need to configure a new environment variable ETRADM_FASTER_RSA_EXPLORE
and set it to value of 1.
UNIX
A Unix-ETC/NIS Group
with special characters (RFC 2253) in its name cannot be added to or removed
from/to a Unix-ETC/NIS Account using the GUI ETC/NIS Account property sheet
("Member Off" Tab). When trying to do this, the following error
message is raised: “modification failed: Attribute 'Group Memberships' may not
contain the character '\'”
Workaround: Use the
Unix-ETC/NIS Group sheet to add or remove Account(s) to/from this Group
It is possible to
use etautil to assign non-existant Netgroups to an account.
Novell SuSe 10.x are distributed with an /etc/shadow file that is missing
entries for "haldaemon" and "messagebus" although they are
present in /etc/passwd file. If such an endpoint is explored, exploration
failures will occur in eTrust Admin. To workaround
this, run the "pwconv" tool to add both entries to the /etc/shadow
file.
On Linux endpoint,
UNIX-ETC remote agent requires the following library pre-existed.
- libstdc++-libc6.2-2.so.3
If the library does not exist, please install corresponding compat-libstdc++
libraries before installation of the remote agent.
UPO
When viewing a UPO directory property
page, running a search for policies (but not changing the default policy) has
the effect of unnecessarily modifying the page and enabling the
"apply" button.
The UPO Directory page now has 3
additional field under “eTrust Provisioning Server:
·
Host
name – The Provisioning Server to send requests to. This can be “localhost” for
a single Provisioning Server configuration, or the name of an alternative
Provisioning Server.
·
Port
Number: Typically 20389, or 20390 (TLS)
·
SSL/TLS
enabled: Check this to use SSL/TLS. The port specified above has to be the
corresponding port at the destination to match the usage of this feature.
VMS
In case of pre- or post- VMS native
exit failures, VMS_W_9004 ("Cannot communicate with host") is
returned.
Rights can be specified only when
modifying an OpenVMS policy; a new policy has to be saved and then updated with
a rights list.
Connector Xpress
Directory Attribute
Mapping page.
Account Attribute drop down list.
1. The list contains all attributes
from the parser table not actually used by the customer for this namespace.
2. The attribute name is an actual
name not the Display name as specified in the Connector Xpress.
Creating requests to add accounts,
groups and policies with invalid/non-mapped attributed for the DYN namespace.
The requests are executed successfully and the objects are created. For
example, Account has attributes:
string-0, ignoreCase-0, ignoreCase-1,int-0 but
I can still create the account with string-0, string-1, string-2 etc. even
through string-1 and string-2 are not defined for the account. Attributes
should be validated somehow.
When mapping a DYN-int generic
attribute to a number field with 10 digit length, entering some values for the
field in an account, the number gets stored in the repository with leading
zeros (e.g. Enter 456 and the number is 0000000456). If mapping the account to
global user attributes, you can see these leading zeros.
Connector Express
gives a default maxLength of 16 characters when mapping an Admin (string)
attribute to a MS SQL “smalldatetime” database column. This is insufficient to
store the required information.
Workaround:
Manually search for
and modify the “maxLength” value (30 characters is enough) for the affected
attribute when the user reaches the “Generate Metadata” screen, or save the
unmodified metadata to an XML file and modify the XML with a text
editor.
Connector Xpress now allows String sync on single valued string attributes.
JCS
If JCS services are not available
after a restart, or if the error message "Failed to load KRBSCRIPT No such
file or directory" is observed, possibly in concert with other failure
messages such as "DSA unwilling to perform", use one of the following
workarounds:
·
Restart eta server, or
·
Re-enter the CS password
in the CS Config in ConXp
If the system was upgraded from a
previous CR, the following parameter may not be set in the eta_slapd.conf file
(windows) or the eta_server.conf file (unix) and
should be added to the file:
# The sockbuf_max_incoming parameter controls the maximum size
in bytes
# of incoming packets. The SLAPD server will forcibly close
any connection
# where packets larger than this limit are received.
# The default value (256 Kbytes) has been increased here to 2
megabytes in
# order to accommodate transmission and storage of metadata
XML as required
# by the namespaces of Connector Manager and the Java
Connector Hub.
sock_buf_incoming
2097152
When adding a new object via an
LDAP ADD request which referred to non-existent objects through associations
(e.g. adding a new native group that refers to non-existent native accounts) , JCS now throws LdapInvalidAttributesException
(with decimal code 19 = CONSTRAINT_VIOLATION) instead of
LdapNameNotFoundException (decimal code 16).
Note: Subsequent to the JCS 1.0 release which coincided with CR11,
legal clearance was received for including the DB2 driver and Windows license
file in the JCS and Connector Xpress installers.
Therefore when using either of these components to
talk to a DB2 endpoint on Windows the instructions under the “JDBC DB2 Vendor
Support Activation” heading of Chapter 2 “Installing Java CS”
of the “Java Connector Server Implementation Guide” can now be ignored –
connectivity is now supported “out of the box” and manual activation is no
longer required. When talking to a DB2 z/Os endpoint, only the
db2jcc_license_cisuz.jar file needs to be copied manually as the db2jcc.jar
file is the same driver used for Windows and is therefore already present “out
of the box”.
Out of the box the
JDBC DYN connector cannot handle attributes that are mandatory (i.e. NOT NULL)
columns in the endpoint database but that are not really mandatory attributes
from a user perspective. The NullValueClassConverter ClassConverter handles
this case by mapping empty attribute values to a known null value. Typically
this known null value will just be populating the NOT NULL column with spaces.
An example of where this might occur is a legacy database system has a
description field that is NOT NULL on the table being mapped to a user account.
We don’t want to force administrators to have to enter a description for a user
just to create a new account. So instead we dont make the description field
mandatory and use the NullValueClassConverter to handle storing of an empty
value. This Converter only supports character based columns such as char and
varchar.
Configuring JCS to
Load the Converter:
The
NullValueClassConverter plugin is shipped with the JDBC connector. To enable
the plugin it should be configured in an override connector.xml for the JDBC
namespace. Typically this is done by renaming the file SAMPLE.connector.xml
that is in "C:\Program Files\CA\Identity Manager\Connector
Server\conf\override\jdbc". It should be renamed to connector.xml and
edited adding the necesary configuration information.
Add an new node for "classPluginConfigs" under
"converters" property node. In the default file there are already two
property nodes one for "typeToPluginMap" and another for
"propertyPluginConfigs". The new "classPluginConfigs"
property node should be added after them at the same level. See below for an
example configuration.
Example
classPluginConfigs property node that configures a NullValueClassConverter to
store null values as spaces:
--------------------------------------------------------------------
<property
name="classPluginConfigs">
<list>
<bean
class="com.ca.jcs.cfg.MetaPluginConfig">
<property
name="pluginClass">
<value>com.ca.jcs.jdbc.NullValueClassConverter</value>
</property>
<property
name="pluginConfig">
<bean
class="com.ca.jcs.jdbc.NullValueClassConverter$NullValueConverterConfig">
<property
name="nullValue">
<value> </value>
</property>
</bean>
</property>
<property
name="metadataPropNames">
<list>
<value>useSpecialNullValue</value>
</list>
</property>
</bean>
</list>
</property>
---------------------------------------------------
Important points
from configuration:
- The property
"metadataPropNames" has a value of "useSpecialNullValue".
This is the name of the metadata attribute that needs to be added to the
Connector Xpress Dyn mapping onto each attribute that is going to handled by this plugin. JCS will check for the presence
of this metadata attribute before enabling the plugin.
- In the
pluginConfig there is a property called "nullValue" this is a space
in the default case. This is because in standard configuration for an Oracle
database an empty string is considered to be a NULL. Changing this to other
values is possible but may require additional configuration of the endpoint
database. Some databases such as DB2 are happy storing an empty string.
Configuring
attributes:
Either using
connector express or otherwise edit the metadata for
your Dyn namespace. Add a new boolean metadata
attribute to the attribute that you want to be handled using
NullValueClassConverter. Set the metadata attribute name to
"useSpecialNullValue" with boolean value
"true". Then set the "isRequired" metadata attribute to
"false". Repeat this procedure for all attributes that you want
handled this way.
The default policy
will need to be updated too. For all account attributes that have been changed
to not mandatory the corresponding attribute on the default policy will need to
be made non-mandatory as well.
Example: the
"Description" attribute of your account is mapped to
"eTDYN-str-01". In Connector XPress expand the
"eTDYN-str-01" node. Select the metadata sub-node and click on the
"Add" button at the top of the screen. Select the new metadata
attribute node and change the name to "useSpecialNullValue". Then change
it's type to boolean and set the value to true. Then
scroll down to the "isRequired" metadata attribute on
"eTDYN-str-01" and change its value from "true" to
"false"
JCS SDK
Re-exploring a
managed JCS SDK directory will remove the contents of that directory. Avoid re-exploring SDK directories
Pressing Help (F1)
for SDK ‘directory’ and ‘properties’ pages will return a ‘page not found’
error. To view the
help for these pages, please use the eTrust Admin Manager Help to navigate to
the pages via ‘Connectors’ > ‘SDK’ > ‘reference.’
N16
If firewall is on,
firewall inbound rules need to be added for CAM/CAFT executables. This is
specifically needed to be done if MS VISTA endpoint will be managed using
eTrust Admin.
LDAP
The LDAP connector does not support
search filters with strings containing multiple wildcards, because it may
require the SuperAgent to be restarted.
For example, the search filter "(eTLDADN=*steve*)"
and "(eTLDADN=*a*b*c)"are
not supported.
"(&(eTLDADN=*steve)(eTLDADN=steve*))"
returns the expected results
Oracle Internet Directory pops up an incorrect error
message as "DSA UNWILLING TO PERFORM" when the password is too short.
The minimum password length is 10.
SPML
User is unable to
manage any DYN Namespaces that have been created with non-ASCII characters in the
metadata, including the namespace name using SPML clients. Please use other
clients such as Admin manager and etautil to manage your DYN Namespaces.
If running many
transactions using SPML server, it is possible for Tomcat to throw “out of
memory” exceptions. In this instance you will need to re-start Tomcat
application/service in order to continue using any application deployed on
tomcat.
Unable to set a
proper date value in the format yyyy-mm-dd for an attribute that is mapped in
JIAM to a “Date’’ data type. You will need to set the date using the following
format yyyy-mm-ddT00:00:00
When searching for a
value of an attribute that is mapped in JIAM to a “Date’’ data type, the
returned value will be in the following format yyyy-mm-ddT00:00:00
If the SPML Manager
and SPML Server are different versions, various failures might occur.
Please ensure that both SPML Manager and SPML Server versions are always in
sync. Follow the instructions described under eTrust IAM SPML Requesting Authority
web page to download and set up the SPML Manager
Using SPMLManager, a request that contains no requestID, and an
incorrect identifier causes an error: "Received unknown SOAP exception:
com.ca.commons.spml.client.SoapFaultException:SOAP-ENV:Client,
SPML request could not be parsed from null, please contact the system
administrator.” This will leave the SPML
Service in a state where it can not even respond to correctly formed SPML
requests. The work around for this
problem is to disable validation of SPML requests and responses.
The following steps will
turn off validation of SPML requests in Tomcat installed as a service:
1) Open Regedit
2) Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache Tomcat
4.1\Parameters
3) Add 1 to the value of
"JVM Option Count"
4) Add new String value
"JVM Option Number X" where X is equal to "JVM option
count" - 1. I.e. the option numbers start at zero.
5) Set the value of new
string value to "-Dcom.ca.commons.spml.noXmlValidation=true".
6) Restart Tomcat service.
Otherwise if you are running
Tomcat from the command line the startup batch file will need to be modified.
To add this functionality to
SPMLManager and Workflow IDE, we will need to edit the batch files of each one,
and add the line "-Dcom.ca.commons.spml.noXmlValidation=true"
to each one. e.g. SPML Manager
looks like this:
"@echo off
REM To turn off XML validation, please set the
REM system variable -Dcom.ca.commons.spml.noXmlValidation=true
REM To skip SSL hostname verification, please
set the
REM system variable
-Dcom.ca.commons.spml.skipSslHostnameVerification=true
set
TRUSTSTORE=%HOMEDRIVE%%HOMEPATH%\.spmlkeystore
set
TRUSTSTORE_PASSWORD=changeit
java -Djavax.net.ssl.trustStore="%TRUSTSTORE%" -Djavax.net.ssl.trustStorePassword="%TRUSTSTORE_PASSWORD%"
-classpath .;lib\raclients.jar com.ca.iam.spmlclients.v1.SpmlManager"
and will look
like this:
"@echo off
REM To turn off XML validation, please set the
REM system variable -Dcom.ca.commons.spml.noXmlValidation=true
REM To skip SSL hostname verification, please
set the
REM system variable
-Dcom.ca.commons.spml.skipSslHostnameVerification=true
set
TRUSTSTORE=%HOMEDRIVE%%HOMEPATH%\.spmlkeystore
set
TRUSTSTORE_PASSWORD=changeit
java -Djavax.net.ssl.trustStore="%TRUSTSTORE%"
-Dcom.ca.commons.spml.noXmlValidation=true
-Djavax.net.ssl.trustStorePassword="%TRUSTSTORE_PASSWORD%"
-classpath .;lib\raclients.jar com.ca.iam.spmlclients.v1.SpmlManager"
Active Directory connector’s parser table has been
extended to contain new attributes required for managing Exchange 2007
endpoints. These new attributes
are not present in SPML.
When modifying an account through SPML to add a policy to
it the following error message is returned by option plugin "Read failed:
Failed to find home server DN.". This error only occurs when Exchange
Gateway is defined in directory's property page. Otherwise the operation is ok.
Reporting
When upgrading to the latest CR, the reporting database
is reset. The reporting database will need to be reloaded
before reports can be viewed.
If you need to retain your existing reports please
contact CA Support (http://support.ca.com)
for further information.
eTrust Admin Reporting is
not supported on MS Vista.
Reporting for the PKI option is now supported.
After upgrading from ETA 8.1to ETA 8.1sp2 reports that
showed which users had set their self authentication questions and answers no
longer work. Prior to ETA 8.1sp2 the reporting system connected to the
underlying repository (port 20391) rather than connection to the Provisioning
Server (port 20389). The connection to the repository returned the encrypted questions
and answers that indicated which user had set their questions and answers. The
removal of the ability to connect to the repository was one of several security
enhancements. The Provisioning Server has restrictions that prevent it from
returning security sensitive information such as the self auth Q&A when
enumerating users. To resolve this problem a configuration parameter has been
added to the Provisioning Server to allow authorized users to check if the self
auth Q&A have been set on a selection of global users without revealing the
actual values.
The new parameter is Compatibility/Self Q&A
Replacement Message and is found under "Domain Configuration" on the
"System" tab of the Admin Manager.
Set this parameter to the message you want returned to
indicate a self authentication question or answer has been set. The parameter
should be left blank or empty if you want to disable the ability to check the
Q&As have been set. By default this feature is
disabled. In normal usage global user self authentication Q&A attributes
are only retrieved for a single specified user when explicitly requested. This
allows the Admin Server to log when these Q&As are
viewed. However some reporting tools have been implemented to
check user compliance self authentication requirements by enumerating users
that have not set their Q&A. This parameter allows these reports to
work as they did on earlier versions Admin prior to 8.1sp2. Base searches
(reads) of global users are unaffected by this parameter, authorized
administrators can retrieve the actual values of these user attributes.
SAP
In SAP R3 Directory window, ‘SAP
Directory Name’ field is a mandatory field and needs to be denoted with
an asterisk (*).
When the option "Changed passwords are
expired" is not enabled, this is known to cause failure when creating new
SAP accounts on CUA Master SAP Kernel 6.40. It is recommended to enable this
option as this is the default behavior in SAP.
When the option "Changed passwords are
expired" is not enabled, a password change for an existing SAP account may
fail with the message "PASSWORD NOT ALLOWED" if password policy is
set in SAP. Subsequently, the account may be set with an unknown password. When
this happens, repeat the password change with a different password until the
change is successful. If password change results in the "PASSWORD NOT
ALLOWED" error but "Changed passwords are expired" option is
enabled, then the account's password will be unchanged. It is recommended to
enable this option as this is the default behavior in SAP.
Applying some of the entries in the
selection dialog for the field “Name supp:” on the “Address” page of account
does not work. The workaround for this issue is to enter the valid value for
the field in the edit box directly.
The values in the selection dialog for the
field “Name supp:” on the “Address” page are wrong when creating SAP Policy.
The workaround for this issue is to enter valid values in the edit box for the
field directly.
The email address of an account can not be
removed once the account has been created. The workaround will be to use the
SAP native tool to remove the email address from the account.
If the account is created with a blank
space, it will cause the exploration to fail. This only applies to the C++
connector.
Croatian UNICODE characters are not acceptable characters to enter for
the domain component of an email address.
Creating or modifying an account’s email address. E.g:
<Name/Identifier>@<Domain> with
Croatian UNICODE characters, will fail the operation.
This applies to the domain component of the email address
(<Name/Identifier>@<Domain>), as UNICODE characters are not
supported in the name of the email.
7.1.1 SAP Assign Group
Error
The Add button on the Groups tab sometimes fails to return
the list of available user groups on the SAP System. To add user groups, you
can use the New line button on the tab. You will need to know the exact user
group name if you use this method.
7.1.2 Assigning
Contractual User Types
When assigning a contractual user type to a user on the
License Data tab, the change can only be applied to the Master system, not any
of the child systems.
It is possible to change the contractual license types for
the children natively.
7.1.3
When setting a global user's status to suspended and
propagating the change to a SAP account, the account attribute eTSuspended is
not set to 1. As a result, when a global user is suspended, all associated
accounts within the SAP CUA environment are locked correctly but when viewed in
Self Service or Identity Manager, these accounts are listed as locked only
instead of locked and suspended. When the global user is resumed or activated
again, associated accounts are unlocked correctly.
7.1.4 Mandatory
Fields in the Contractual User Type Attribute
The Contractual User Type that can be specified on the
account's License Data tab cannot have mandatory fields other than the LIC_TYPE
field. For example, if you have to specify the name of a SAP R3 System (SYSID)
to use a Contractual User Type, the assignment will fail and you will get an
error saying that there is a missing value for the Name of the SAP R3 System.
7.1.5 Concurrent
Requests Delays
If there is a large number of concurrent requests executed
against the connector, performance can be adversely affected.
7.1.6 Add Button on
Groups Tab (SAP Account Property Sheet)
For SAP account and policy properties, the Add button will
list the groups when the endpoint is SAP NW2004s and above. For others, use the
New Line button to add groups to the account.
7.1.7 Schema Migration (Solaris
only)
When upgrading/migrating from SAP C++ connector to SAP JCS
connector on Solaris, the account cannot be created because of the error
message "eTSAPSNCIsUsed: attribute type undefined. for sap connector. To
resolve this issue simply apply the following workaround:
1. su – etaslapd
2. schemagen –n SAP
3. eta restart
The following is a guide for system configuration requirements that have
to be met before attempting to perform an endpoint explore.
1. Ensure that total memory
(physical + paging file) is adequate. For a PeopleSoft system with 250,000 user
profiles, allow 1G for IMPS and 512M for JCS.
2. Ingres disk space should be
adequate. For 250,000 user profiles, allow 1G.
3. Increase Jvmmx setting for
JCS to 512.
An instance of JCS can
manage only one version of PeopleTools. To manage PeopleSoft installations with
different PeopleTools versions, a separate JCS instance must be installed for
each PeopleTools version. ConnectorXpress can then be used to set the managing
CS (JCS instance) for each endpoint.
PeopleSoft reserves a few
numbers above the configured port number for connecting to the JOLT /
PeopleSoft Application Server. When connecting to any of these port numbers,
the JOLT interface library used by the connector may go into an indeterminate
state. PeopleSoft recommends not to use any of these port numbers when
connecting to JOLT. However, in case of a mistake in configuring an endpoint to
use any of these port numbers, a 30 second timeout is provided by the
connector. In these situations, an error message will be sent by the connector,
and the only solution is to restart JCS.
On high load situations,
some transactions may fail (tests performed using 50 threads running
simultaneously, with each thread performing 50 transactions consecutively,
having around 2 failed transactions). This is due to the connection timeout
being hit (being due to existing connections becoming invalid, resulting in new
connection attempts). In these cases, just retry the transactions when the load
has reduced.
In order for PPS to work with IM, the files jiam.jar
and cacommons.jar need to be replaced with updated files which are available
from deployed “etadm-jiam-windows-8.1sp2-CR” package (default location:
C:\Program Files\CA\eTrust JIAM SDK\lib). In IM, these files are located in
"app server install dir\deployment dir\IdentityManager.ear\library\”.
After replacing these files the Application server will need to be restarted.
Some operations consist of multiple transactions
between the connector and the remote PeopleSoft system. Such operations
include, but are not limited to, assigning multiple Roles as Grantors/Grantees
of another Role, and exploration of PeopleSoft objects. Performing these
operations usually takes up time. For example, assigning 5000 Roles as another
Role's Grantor may take several minutes.
Furthermore, these transactions may require
locking/unlocking of PeopleSoft database tables. Thus, if these operations are
performed simultaneously, it is probable that the total time to complete all
the operations will be more than the combined time of the individual
operations.
In some cases there can be
performance issues when updating multi-valued PeopleSoft permission list
attributes. This occurs because Admin Manager sends replace requests to the JCS
when updating PeopleSoft attributes. Multi-valued attributes with a very large
number of values can take a few minutes to update. Replace request replaces all
of the old values with the current set of values, therefore the time taken to
complete an update request is as dependant on the original number of values
associated with the attribute as it is the number of values added, removed or
changed. For example, it is not uncommon for PeopleSoft permission list menus
to have a large number of menus and associated component/page permissions
therefore any changes, even if it is adding a single menu, can be time
consuming
When deleting
Permission lists that are currently in use with PeopleSoft Roles or User
Profiles, an error message is encountered which
cannot be fully displayed in the Message window, due to character
restrictions.
This error
message can be obtained by copying and pasting into a word document.
When using
Identity manger user console deployed on a WebSphere v6.0.2.17 application
server to view policies created in Provisioning Manager an error message
“java.lang.Error: PropertyDescriptor: internal error while merging PDs“ is
encountered. As a workaround policies can be viewed using the Provisioning
Manager.
For email
addresses, functionality has been added to be able to correlate the User
Profile's primary email address to a global attribute. To do so, a new account
attribute, CorrelatePrimaryEmail, must be used in the attribute mapping tab.
The value for this attribute is calculated.
The names of
PeopleSoft User Profiles and Roles are case-insensitive in the PPS Connector.
While it is possible to create two User Profiles or two Roles with the same
name, differing only in case, such as "MyRole" and
"myrole" using PeopleSoft native tools, such objects will be
considered the same by the connector, and an "Object already exists"
error will be reported during exploration.
For online technical
assistance and a complete list of locations, primary service hours, and
telephone numbers, contact Technical Support at http://support.ca.com/.
Copyright © 2007 CA. All rights reserved.