CA

eTrust® Admin 8.1 SP2 CR26 Readme


1.0 Welcome

2.0 System Requirements  

3.0 Installation Considerations

4.0 Installation Instructions

5.0 Manual Installation Steps

6.0 Published Fixes

7.0 Known Issues

7.1 SAP CUA (New) Known Issues

7.1 PeopleSoft (New) Known Issues

8.0 Contact Technical Support

 


1.0 Welcome

This CR provides a maintenance release for all eTrust Admin 8.1 SP2 customers. Follow the installation instructions specific to your configuration to upgrade to this CR.


2.0 System Requirements

Updated support matrix and system requirements for this product are available at: http://support.ca.com/ 

 

 


3.0 Installation Considerations

When an option is newly installed following an installation of a CR, if the CR contains changes that apply to that option, the CR must be re-installed in order to obtain those changes.

Back up existing data before uninstalling. Uninstall will remove the entire application.

SAP CUA & PeopleSoft

The following packages are required to run the SAP and PeopleSoft Connectors. They can be retrieved from the CR22 and later build packages for either Solaris or Windows:

•      eTrust Admin Provisioning Server 8.1 SP2 CR

•      eTrust Admin Provisioning Repository 8.1 SP2 CR

•      CA Identity Manager Java Connector Server 8.1 SP2 CR

•      Identity Manager Connector Xpress 8.1 SP2 CR

•      eTrust Admin Manager 8.1 SP2 CR

The following components are optional:

•      eTrust Admin SPML Server 8.1 SP2 CR

•      eTrust Admin JIAM SDK 8.1 SP2 CR

 

SAP Java Connector (JCS)

SAP Java Connector supports SAP Kernel versions 6.40 and above. Previous versions of SAP should be managed using the C++ connector.

 

Password Synchronization Agent_x64

The following package is required to run the 64-bit (x64) Password Synchronization Agent. It can be retrieved from the CR21 build packages for Windows.

•      eTrust Admin Password Synchronization Agent x64 bit 8.1 SP2 CR

Remote Exchange 2007 Agent

The following package is required to run the 64-bit (x64) Exchange 2007 Agent. It can be retrieved from the CR21 build packages for Windows.

•      eTrust Admin Remote Exchange 2007 x64 bit 8.1 SP2 CR

 


4.0 Installation Instructions

Admin Server Windows

1)     For Upgrade execute setup.exe

2)     For Fresh Install refer to r8.1SP2 Implementation Guide.

Admin Server UNIX          

1)     Execute ./setup

Once the upgrade is completed, log in as the slapd user:

2)     su - etaslapd

3)     schemagen -n COS

4)     eta restart

When upgrading to CRn, the Full Upgrade option must be selected.

PS:  If Custom Connectors are deployed with the Admin Server and it is being upgraded to this CR, the following steps need to be carried out.

Windows and Solaris

1.     Redeploy Custom Connector built using the Admin SDK from this CR.

Solaris Only

2.     Edit the <instdir>/data/etrust_admin.conf file to add the following text:

Include "/opt/CA/eTrustAdminServer/data/etrust_XXX.schema"

Where XXX is the name of your connector.

Remote Repository Windows

1)     Execute setup.exe

Remote Repository UNIX

1)     Execute ./setup

Distributed SuperAgent Windows

1)     For Upgrade execute setup.exe

2)     For new Install refer to Implementation Guide

Remote Admin Manager Windows

1)     For Upgrade execute setup.exe

2)     For new Install refer to Implementation Guide

Manual Zip

1)     Unzip CR_Manual_Updates-<version number>.zip

2)     Follow the Manual Installation Steps section below

Remote RSA Agent UNIX

Prerequisites: Make sure /etc/system contains 'set semsys:seminfo_shmmni=135'. If the value is lower than 135 or missing, the eCS installation will fail. A reboot is required if the value is added or changed.

1)     Execute ./setup

Postrequisites: Authorize the etrust admin server for cam/caft with 'cafthost -a <hostname>'

Remote E2K7 Agent Windows

Prerequisites:  Microsoft Visual C++ 2008 Feature Pack Redistributable Package (x64)

1)     Execute setup.exe

JIAM SDK

1)    Execute setup.exe

 

SAP (C++)

SAPNamespace.dll now uses the Unicode version of the SAP RFC library, which is librfc32U.dll. This Unicode RFC library comes with SAP Front End >= 6.40. Existing customer deployments that have an older version of the SAP Front End installed need to upgrade it.

librfc32U.dll is compatible with both non Unicode and Unicode versions of SAP servers. This newer library is also backward compatible with older SAP servers, all the way back to 4.6C.

 

SDK Environment on Solaris

To create a Provisioning SDK build and development environment on Solaris, complete the following steps:

1. Install Sun Studio 10 or 11
2. Install GNU make-3.81 (for example: make-3.81-sol10-sparc-local.gz package from www.sunfreeware.com)
3. Install GNU gcc-3.4.6 (for example: gcc-3.4.6-sol10-sparc-local.gz package from www.sunfreeware.com)
4. Install GNU libiconv (for example: libiconv-1.11-sol10-sparc-local.gz package from www.sunfreeware.com)
5. Set the environment variables DEVROOT and LD_LIBRARY_PATH. Sourcing the /opt/CA/eTrustAdminSDK/setetasdkenv.sh script (. ./setetasdkenv.sh) sets these environment variables.
6. Add the Sun Studio bin directory to the PATH (for example: /opt/SUNWspro/bin)
7. Add the GNU make location, /usr/local/bin, to the PATH (GNU make is installed in this directory by default)
8. Change to the SDK directories under /opt/CA/eTrustAdminSDK/admin/samples
9. Run the following command line:
make -f makefile.unix

The generated libraries will be placed under /opt/CA/eTrustAdminSDK/admin/lib 

 

SPML

1)     Execute setup.exe

Self Service

1)     Execute setup.jar

SelfServiceConfig

1)     Execute setup.jar

IAM Manager

1)     Execute setup.jar

Advanced Workflow

1)     Execute "setup.jar -P ingresInstall.installCode=XX" where XX could be something like EI, CP, or II depending on which Ingres instance you plan to use as the underlying Ingres repository for Advanced Workflow.

Note: In some environments additional installation steps are required which involve changes to the Ingres character set, dumping/re-loading of all Ingres databases, and recycling of Ingres. If your installation is aborted due to Ingres character set please read the section titled Updating Advanced Workflow under the Manual Installation Instructions section below.

ConnectorXpress

1)     Execute setup.exe

Upgrading from 8.1 GA & 8.1SP1 CR10

In the instance where Ingres 2.6 is installed and databases need to be backed up

     1)    Run IAM CC backup installer using Setupwin32.exe

a.        Select the location of IAM CC backup installer.

b.        Select the DSA’s that need to be backed up.

c.        When prompted browse to the location of the knowledge files.  (If required)

d.        Select the temporary databases that need to be added to destroy batch file.

e.        If you have databases that are not part of Admin Server, then installer will prompt you with additional databases to be added to destroy batch file but these databases cannot be backed up using IAM CC installer and would need to be backed up manually.

f.         Click on Finish button.

g.        Open Command prompt and change directory to the IAM CC backup data location. (By default "C:\Program Files\CA\eTrust Identity and Access Management\BackupInstaller")

h.        Confirm that Data is backed up correctly by verifying the LDIF files.

     2)    Run the Admin Backup installer with the command line BACKUP_DATABASES=0 (this will back up the Admin configurations without backing up the databases):

                       Start /WAIT "eTrust Admin Backup Install" ~\etadm-backupdb-windows-8.1sp2-<CR_version number>\setup.exe /w /s /v"/L*v  %TEMP%\etaservbck_nobckdb_inst.log BACKUP_DATABASES=0"

3)          Once confirmed, run batch file created by the IAM CC backup installer, using command:

destroyDatabases.date.bat NOTPARTOFIAM

This needs to be done only if Admin is installed as a standalone product and not using the IAM CC CD.

4)          Confirm that databases have been removed by executing the following in a command prompt:

dxlistdb

There should be no databases listed.

     5)    Run the directory installer to upgrade Ingres and eTrust Directory to the latest version.   eTrust Directory recommends installing the latest version of ETD (build 1115 as of this writing).

     6)    Run the Admin Server upgrade. This will completely remove the entire existing installation and re-install it with the existing passwords.

7)          Run the restore batch file created by the IAM CC Backup Installer using the command

reloadDatabases.date.bat NOTPARTOFIAM

  ** Make sure you are using the correct etaindex.bat for the release. The etaindex.bat for 8.1sp2_<CR_version number> is included in the etadm-repository-windows package. Place the latest etaindex.bat file in the BackupInstaller folder "~\CA\eTrust Identity and Access Management\BackupInstaller".

     8)    Run the Admin restore task using 8.1.2 GA Repository Restore. Installer will detect that there are no databases to restore and it will restore the eTrust Admin configurations to the previous settings.

~ \ETA812_IAM_20060721\NT\eTSRESWi\DISK1\setup.exe

9)           If Oracle option is installed, run Oracle Migration utility (“ORAmigrate8.1sp1.exe”) available from “~\CA\eTrust Admin Backup\Backup\Utility\ORA”.

       ** To execute the utility, follow the instructions available in the Readme file available from “~\CA\eTrust Admin Backup\Backup\Utility\ORA\ORAmigrate8.1sp1.Readme.txt”

     10)   Restart the Provisioning services.

     11)   Log back into Admin using the original username and password. It will contain all the original data.

PS: During the upgrade, the user is advised to run the LND scripts after the upgrade. This message can be safely ignored.


5.0 Manual Installation Steps

Changes to the Admin Manager

Logging Tab Modification – Two fields on the logging tabs have been updated to more accurately reflect their destination log files:

          eTrust Log is now named Common Services

          Text File is now named eTrust Admin

Updating the eCS

To update the eCS on Windows you only need to run the “CA Enterprise Common Services.exe” located in the CR_Manual_Updates.zip under the ECS folder.

To update the eCS on UNIX you need to extract the “ECS_8_2_UNIX_R.tar” located in the CR_Manual_Updates.zip under the ECS folder and run the following command “./eCSinstall.sh <installation path> <Caller ID> 0 1” such as

          ./eCSinstall.sh /opt/CA/SharedComponents/eTrustCommonServices/ "eTrust Admin" 0 1

After upgrading eCS on UNIX, there may still be temporary files containing white spaces in their name. These files are no longer used and can be removed by executing eCSstop.sh and then executing eCSstart.sh from within the eTrust Common Services “scripts” directory.

Admin Server should be updated/installed prior to updating ECS. The ECS bin folder must be specified in the “System Path Environment” before installing Admin Server or the Admin Server services will fail to start.

Updating Ingres on remote Admin Manager systems

If there is no instance of Ingres on the target machine, eTrust Admin Manager installs by default Ingres /Net r2.6 which can interoperate with Ingres DBMS r2.6 and/or r3. If you want to use Ingres /Net r3 with eTrust Admin Manager, then you need to install it before installing eTrust Admin Manager. Steps to install Ingres /Net r3:

1)     Unzip the Ingres r3 installation (file: ingres-3.0.3.zip located in the CR_Manual_Updates.zip under the INGRESR3 folder).

2)     Execute the script file silent_install.bat which installs Ingres /Net r3 silently.

Note 1: The Ingres /Net r3 parameters are defined in the response file IngresNet.rsp. By default the target folder is “C:\Program Files\CA\Ingres [EI]”. If you want to change the target folder, change all the occurrences of the above string in the IngresNet.rsp to the actual target. It is recommended to keep “[EI]” in the folder name, e.g. change to “D:\IngresNet [EI]”

Note 2: Ingres /Net r3 installation will NOT update any previous Ingres /Net r2.6 instance. It creates a new Ingres /Net r3 instance instead. Therefore, you need to update eTrust Admin data sources in order for the reporting to be operational. Follow the steps:

1)     Open a DOS screen

2)     Execute successively QADELRPT.exe and QACRRPT.exe

3)     Execute successively DELARCHDBRPT.exe and CRARCHDBRPT.exe

Updating the remote eTrust Directory Schema

1)     Copy the updated *.dxc schema files located under the SCHEMA folder in the Manual Update zip to the %DXHOME%\config\schema folder on your eTrust Directory system.

2)     Execute the command "dxserver init all".

Updating the Admin SDK

A memory leak was found in the sample source code shipped with the sample files in the original version of eTrust Admin 8.1 SP2. Corrections have been made to the sample files that are included in the Manual Update zip file. If you have used the SDK to create any Common DLL Program Exit based custom code, you should review these changes and make appropriate adjustments to your custom code. In order to prevent overwriting of any code changes that may have been made to your sample source code on your eTrust Admin system, the CR installer did not replace the samples on your system. If you are not yet using the samples for your custom code, you can overwrite the old sample code with the new version.

By default, the original SDK sample code was installed under

C:\Program Files\CA\eTrust Admin SDK\eTrust\Admin\Samples\ProgramExits

Issue #1:

The first code change affects the following file:

   \ExitXMLBlock.cpp

Set the static variable g_pImplementation to NULL when it is defined.

In the ExitXMLBlock constructor, add a conditional check to only convert pzcValue and set g_pImplementation if g_pImplementation is set to NULL.

In the ~ExitXMLBlock destructor, delete m_pXmlBuilder.

In the Build_Return_XML method, add a conditional check for pDocument and delete it and set its value to NULL if needed.

In the SDK's CASDKGUI.cpp, the RenameEntry() function contained code that displayed the rename dialog and performed the object rename.  This code was used instead of the rename functionality in the common code.  The common code handles the rename operation properly, and should be used whenever possible.  To do this, the SDK function should be changed to contain only one line of code:

    return ETA_GUIEXIT_PASSTHRU;

This tells the common code that it should handle the dialog display and perform the rename, and eliminates the rename problem. 

See the new sample code for more details.


Updating the ACF/RACF/TSS Option

The ACF, TSS, and RAC options now support the creation and deletion of a TSO alias.  Updated DSI modules are required for this functionality.  Re-run the DSI installation to each system where DSI is installed to update these files. 

The following are 2 new configuration options that can be added to your eTrust_ACF.conf, eTrust_TSS.conf or eTrust_RAC.conf file to enable TSO Alias support.

CreateAlias relate [catalog]

DeleteAlias

The relate parameter is required and names the user catalog for which the alias is being defined.  The Catalog parameter is optional and will default to master catalog.

The Alias value is always the value of the ACF2, TSS, or RACF Account.

The configuration options are defined on a per-directory basis; which means they should be specified after each directory definition for which you want Alias support. 

As stated above, the Alias definition will occur on add and modify requests for Accounts where:

1) The directory is properly configured with the CreateAlias config option and

2) The Account is being granted TSO access.  For ACF2, this means the Account is given the TSO Facility Access field (appears on the MVS – Priv. Pg2 tab).  For TSS, any attribute on the MVS – TSO tab except for Multiple UADS Passwords.  For RACF, any attribute on the TSO tab. 

DeleteAlias takes no parameters and will attempt a Delete Alias command for any Account being deleted. 

No error messages are returned for defining or deleting an alias.  If these are not occurring successfully, turn on debugging in the eTrust Admin Provisioning server and view the output statements that begin with ‘Response from Define Alias’ and ‘Response from Delete Alias’.  If the problem cannot be determined from this output, contact CA support. 

eTrust Admin runs with all supported releases of CA-ACF2.

If you are running CA-ACF2 9.0 SP02 or CA-ACF2 9.0 SP01 with z/OS 1.8 support added you will need to initialize the new password phrase fields in the User Defined fields:

            PWP-DATA          00/00/00

            PWP-VIO            0

If these fields are not initialized you will get an error when/if you Synchronize Accounts with Policies. These fields have been added to CA-ACF2 in preparation for the new Password Phrase support.

Updating the LDAP-SDK

The steps to map an LDAP attribute to eTrust Admin's suspension state facility are similar to those needed to extend the Generic LDAP Option. The only difference is the addition of three parameters that specify the attribute name along with the values to use for marking an object as active or suspended. If the attribute being mapped is defined in an auxiliary object class, then the AuxiliaryObjectClass keyword must be set to the name of this object class. The following is an extension definition file for Novell's eDirectory LDAP server.  It is a complete functioning example.

##################################################

# Account Suspension Facility: Novell eDirectory

#

# 1.1 EAO2 Object Type

ObjectType: account

# 1.2 Auxiliary Object Class Name

AuxiliaryObjectClass: ndsLoginProperties

##################################################

# 1.3 Suspension Attribute

SuspensionAttribute:            loginDisabled

SuspensionAccountActiveValue:   FALSE

SuspensionAccountDisabledValue: TRUE

##################################################

# 2. ATTRIBUTES

attribute:      loginDisabled

syntax:         dirString

guiControl:     none

 

Use the steps described in the previous section to update the LDAP Option plug-ins.  Note that you will not need to update the parser table. If the attribute being mapped is defined as an operational attribute, then the extension definition file simply needs to omit the AuxiliaryObjectClass keyword. The following is a complete functional example to map Sun ONE Directory's nsAccountLock attribute:

 

##################################################

# Account Suspension Facility: Sun ONE Directory

#

# 1.1 EAO2 Object Type

ObjectType: account

##################################################

# 1.3 Suspension Attribute

SuspensionAttribute:            nsAccountLock

SuspensionAccountActiveValue:   false

SuspensionAccountDisabledValue: true

##################################################

# 2. ATTRIBUTES

attribute:              nsAccountLock

syntax:                 dirString

guiControl:             none
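
A pre-deployment check for the suspension mapping in an extension definition file, as an added example (not CA code). It assumes keywords are spelled exactly as in the two sample files above and that the suspension attribute is also declared with an "attribute:" line, as both samples do; the BAD_SAMPLE text is constructed for illustration.

```python
"""Check a suspension-mapping extension definition file (added example)."""

SUSPENSION_KEYS = (
    "SuspensionAttribute",
    "SuspensionAccountActiveValue",
    "SuspensionAccountDisabledValue",
)
# Keywords exactly as spelled in the readme's two sample files.
KNOWN_KEYS = SUSPENSION_KEYS + (
    "ObjectType", "AuxiliaryObjectClass", "attribute", "syntax", "guiControl",
)
_CANONICAL = {k.casefold(): k for k in KNOWN_KEYS}


def check_suspension_mapping(text):
    """Return a list of problems; an empty list means the mapping is complete."""
    problems = []
    values = {}  # canonical keyword -> values in file order
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or blank line
        keyword, sep, value = line.partition(":")
        keyword, value = keyword.strip(), value.strip()
        if not sep or not keyword or not value:
            problems.append("line %d: expected 'keyword: value'" % line_no)
            continue
        canonical = _CANONICAL.get(keyword.casefold(), keyword)
        if canonical != keyword:
            # Assumption: treat a differently cased keyword as a likely typo.
            problems.append("line %d: '%s' is spelled '%s' in the readme"
                            % (line_no, keyword, canonical))
        values.setdefault(canonical, []).append(value)

    # The three suspension parameters belong together, once each.
    complete = True
    for key in SUSPENSION_KEYS:
        count = len(values.get(key, []))
        if count != 1:
            complete = False
            problems.append("%s must appear exactly once, found %d" % (key, count))
    if not complete:
        return problems

    active = values["SuspensionAccountActiveValue"][0]
    disabled = values["SuspensionAccountDisabledValue"][0]
    if active.casefold() == disabled.casefold():
        # Identical markers would make active and suspended accounts look alike.
        problems.append("active and disabled values are identical")

    attr = values["SuspensionAttribute"][0]
    declared = [a.casefold() for a in values.get("attribute", [])]
    if attr.casefold() not in declared:
        problems.append("SuspensionAttribute '%s' has no 'attribute:' declaration" % attr)
    return problems


# The Novell eDirectory sample from the readme, with spacing normalised.
GOOD_SAMPLE = """\
# Account Suspension Facility: Novell eDirectory
ObjectType: account
AuxiliaryObjectClass: ndsLoginProperties
SuspensionAttribute: loginDisabled
SuspensionAccountActiveValue: FALSE
SuspensionAccountDisabledValue: TRUE
attribute: loginDisabled
syntax: dirString
guiControl: none
"""

# Constructed sample with three mistakes: a miscased keyword, active and
# disabled values that differ only in case, and a misnamed declaration.
BAD_SAMPLE = """\
ObjectType: account
SuspensionAttribute: nsAccountLock
SuspensionAccountActiveValue: false
suspensionaccountdisabledvalue: False
attribute: nsAccountLocked
syntax: dirString
guiControl: none
"""

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, check_suspension_mapping(sample))
```
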

Updating the LDAP Option

A new environment variable ETRADM_LDA_NDSADDSEARCHDELAY can be set to a decimal integer value greater than or equal to zero that specifies the number of seconds to sleep after an unsuccessful create account operation and before the search request that checks whether the object was actually created. The Superagent must be reset if the value is changed.

Updating the ADS Option

Existing installations must be “migrated” by refreshing the ADS/E2K directories that have already been acquired. To update the existing Administrative Repository, you can run a simple script to get the new values for the Mailbox Server, Mailbox Stores, and Home MTA for each ADS directory in your installation. The script would be something like:

ldapsearch -h <HOST> -p 20389 -D <bind DN> -w <bind password> -b <directory base DN> -s base "(objectClass=eTADSDirectory)" eTExploreUpdateEtrust

For example:

ldapsearch -h myhostserver -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users, eTNamespaceName=CommonObjects,dc=MYDOMAIN,dc=eta" -w mypassword -b "eTADSDirectoryName=MyADS,eTNamespaceName=ActiveDirectory,dc=MYDOMAIN,dc=eta" -s base "(objectClass=eTADSDirectory)" eTExploreUpdateEtrust

Updating the Exchange 2000 Option (Remote Agent)

You need to uninstall the Remote Agent and then re-install the updated Remote Agent. Servers previously defined in CAM/CAFT will need to be re-entered. You can view the list of currently configured CAM/CAFT servers by executing "cafthost -l". After the re-install of the Remote Agent you will need to re-configure the CAM/CAFT servers list by adding each server using the "cafthost -a <server>" command.

Updating the FND Option

For performance reasons, the attribute eTFNDResponsibilityList is only returned on base level Account searches. If you require this value to be returned all of the time, set the following environment variable: ETRADM_GET_FNDRESPONSIBILITYLIST = 1

The following environment variable can be set to allow the eTLocked attribute to be handled (eTLocked and eTSuspended will affect the same native suspension facility) by ADD and MODIFY operations: ETRADM_FND_MAPLOCKTOSUSPEND = 1

Lotus Notes (LND) Option in a distributed environment

When installing Lotus Notes option in an eTrust Admin distributed environment, the Superagent Server and eTrust Manager are not hosted on the eTrust Provisioning Server machine. 

In this sort of environment, some post installation procedures may need to be conducted on all the machines hosting Superagent Server and eTrust Manager:

1) Extract Setup.id from LND.cab (in the eTrust Admin Server installation package) and copy Setup.id to %etahome%\data\ if it doesn’t exist already.

2) Add the Lotus Notes directory path (e.g. C:\Program Files\lotus\notes) to the system PATH environment variable if it doesn’t exist already.

Updating the Lotus Notes Domino (LND) Option

1)     The Lotus Notes 6.x client must be in the system path.

2)     Select either the LND5 or LND6 folder located in the Manual Update zip file.

3)     Copy the ldagtcli.dll to the %ETAHOME%\Bin folder.

4)     Copy the DMOLNDConfig.exe and ldagt.exe to the lotus\Notes folder.

The LND Option now supports up to ten custom single-valued text attributes.  In order to manage LND custom attributes via eTrust Admin, you must create a text file named “lndschema.ext” and place it in the %ETAHOME%\Data directory.  This file should contain each custom field name as it appears in the design of the Domino Directory, each name on a separate line in the file.  For more information on adding custom attributes to the Domino Directory, see Domino Administrator Help topic “Methods for extending the schema”.

The Superagent must be recycled any time the “lndschema.ext” file is updated; otherwise, modifications to the attribute may fail with an error that the properties you want to update are not yet implemented in modification.

A registry value is now available to control whether the “Move Person’s Name in Hierarchy” administration process request created during a Move In Hierarchy request will be automatically completed and the “Initiate Rename in Domino Directory” request then automatically created, or whether the original behavior will remain, which is to require the Administrator to use the “Name Move Requests” view of the Administration Requests database to manually complete the move.  The following string value can be set on a per directory basis.  If it is present, and if it is set to “yes”, the new behavior will be used.  Otherwise, the original (default) behavior will be used.  The actual name of the directory will replace <DIRECTORY NAME> below:

            HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Admin\Lotus Domino\<DIRECTORY NAME>\CompleteMoveInHier

After a Move In Hierarchy request is submitted via eTrust Admin, the ID file attached to the Archive document does not yet contain the new name.  The move must first be completed by the Domino Administration Process in order to update the ID on the user’s system (i.e. the user must log into their Notes client to accept the new name).  In order to update the ID in the Archive database, the agents that have been provided for initially populating the Archive database may also be used to update a renamed ID file.  An e-mail can be sent to a user who has been moved or renamed containing a button which they should be instructed to click on after their ID file has been updated with the new name.  This button should activate the “Send ID to Archive DB” agent which retrieves the ID file and sends it to the Archive database.  An agent in the Archive database, “Update ID File”, will then update the Archive document for that user with the updated ID file.  Complete details on these agents can be found in the “Archive Database Data Collection” section of the LND Option Guide.

A new agent “(RenameWebUser)” exists in the Archive DB template. This agent handles the creation of the “Initiate Web User Rename in Domino Directory” request in the Adminp database when a web-only user is renamed. The agent should either be copied to the user’s Archive database, or the design of the database should be replaced using the new template in order to add the new agent. These web-only users will not have any ID files, and only have Internet Passwords. They may be renamed (common name change), but not moved or recertified, since they have no ID file.

A new Notes environment variable allows changing the filename of the ID file sent in the Memo when changing the password. New environment variable in Notes.ini:   $Password_Change_FileName

             yes -> the Filename will be identical to the Archive's Filename

             no (or does not exist) ->  the Filename is "user.id"

The script etautil_addarchive.bat will add Archive documents (with ID and password) for users into the Archive database, and will also update the status of those accounts to “normal”.  Each account for which an Archive document is to be created must be listed in a separate text file used as input to the script.  The text file should contain the following information, separated by commas, using one line per user:

 

Common Name,Organization,ID File Path,Password

 

For example:

lnd user20,O=cai,C:\Program Files\lotus\notes\data\IDs\luser20.id,password

lnd user21,O=cai,C:\Program Files\lotus\notes\data\IDs\luser21.id,password

lnd user22,O=cai,C:\Program Files\lotus\notes\data\IDs\luser22.id,password

 

Note that only one organization or organizational unit can be processed at a time, so all users in the input file must be in the same O or OU.  In addition, the ID files must actually exist in the location specified in the input file.
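
A preflight check for the etautil_addarchive.bat input file, as an added example (not part of the CA script). It checks the four-field layout, that every record names the same organization, and that each ID file exists, and it never echoes the password field. The function names and SAMPLE records are constructed, and because the readme does not say how the script splits a password containing a comma, such records are flagged.

```python
"""Preflight check for the etautil_addarchive.bat input file (added example)."""
import os
from collections import namedtuple

# A finding never carries the password field, so reports are safe to log.
Finding = namedtuple("Finding", "line_no problem")

FIELDS = ("Common Name", "Organization", "ID File Path", "Password")


def check_archive_input(lines, exists=os.path.isfile):
    """Return a list of Finding tuples; an empty list means no problem found.

    `exists` is injectable so the check can be exercised on a machine that
    does not hold the Notes ID files.
    """
    findings = []
    first_org = None  # (line_no, casefolded organization) of the first record
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue  # ignore blank lines
        parts = line.split(",", 3)
        if len(parts) != len(FIELDS):
            findings.append(Finding(
                line_no,
                "expected 4 comma-separated fields, found %d" % len(parts)))
            continue
        name, org, id_path = (p.strip() for p in parts[:3])
        password = parts[3]  # kept verbatim; whitespace may be significant
        for label, value in zip(FIELDS, (name, org, id_path, password)):
            if not value:
                findings.append(Finding(line_no, "empty field: %s" % label))
        if "," in password:
            findings.append(Finding(
                line_no,
                "Password field contains a comma; how the script splits it "
                "is not documented"))
        if org:
            if first_org is None:
                first_org = (line_no, org.casefold())
            elif org.casefold() != first_org[1]:
                # All users in one input file must share the same O or OU.
                findings.append(Finding(
                    line_no,
                    "Organization differs from line %d" % first_org[0]))
        if id_path and not exists(id_path):
            findings.append(Finding(line_no, "ID file not found: %s" % id_path))
    return findings


# Constructed records modelled on the readme's example lines.
IDS = "C:\\Program Files\\lotus\\notes\\data\\IDs\\"
SAMPLE = [
    "lnd user20,O=cai," + IDS + "luser20.id,password",
    "lnd user21,O=example," + IDS + "luser21.id,password",  # other organization
    "lnd user22,O=cai," + IDS + "luser22.id",               # password missing
    "lnd user23,O=cai," + IDS + "luser23.id,pass,word",     # comma, no ID file
]


def sample_findings():
    """Run the check on SAMPLE, pretending only two ID files are on disk."""
    present = {IDS + "luser20.id", IDS + "luser21.id"}
    return check_archive_input(SAMPLE, exists=lambda path: path in present)


if __name__ == "__main__":
    for finding in sample_findings():
        print("line %d: %s" % finding)
```
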

 

There are several variables in the script which need to be edited prior to running it.  These are:

 

DOMAIN=<the eTrust Admin Domain Name>

USER=<the name of the administrative global user, e.g. etaadmin>

PWD=<the administrative user's password>

DIRECTORY=<the LND Directory name>

INFILE=<the full path to the file containing user ID/password info, e.g. C:\input.txt>

ORG=<the full LND Organization or Organizational Unit name where all the users in the input file are located, e.g. eTLNDOrganizationName=O:cai or eTLNDOrganizationalUnitName=OU:ou1,eTLNDOrganizationName=O:cai>

Updating the UNIX Option

The UNIX Option has been modified to notify (i.e. no longer ignore) when a native Post-Exit fails. A new parameter named “Report error” in the [POST-exit] section of the ExitSetup.ini configuration file will be handled by the Unix Remote Agent. If set to “No” (default), the return code of the Post-exit script will be ignored as it does today. If set to “Yes”, the return code of the Post-exit script will be caught and if different than 0, the Remote Agent will return a new error code and an error message stating that the Post-Exit failed: “Main command succeeded but Post-exit is ON ERROR.” The Unix ETC/NIS agent plug-ins convert the return code to a “Warning” like LDAP_RESULTS_TOO_LARGE code so that the message is logged but the operation is still considered as successful by the Admin Server.

When changing the Account Home Directory, the previous Home Directory can now be automatically moved to the new one by setting the "MoveExistingHomeDirectory" variable in the Unix Remote Agent Config file (`cat /etc/catngdmopath.tng`/scripts/Config): MoveExistingHomeDirectory=yes

When setting the "ETA_GLOBAL_GROUP" environment variable to 1, it is now possible to create the same Group with the same GID across a list of Unix Servers. A new "List of Servers" tab has been added to allow the selection of the other servers on which to create this Group. When deleting a Group, the Accounts having this group GID as their primary group GID can now be automatically updated to a "fallback" gid by setting the "fallback_gid" variable in the Unix Remote Agent Config file (`cat /etc/catngdmopath.tng`/scripts/Config): fallback_gid=60002

Admin Server can now apply a centrally stored Group ID to all new Groups created using the ETC connector. Set the OS environment variable ETA_CENTRAL_GROUP_ID=1 on the Admin server machine to enable this feature. This will display another option when creating or modifying Unix user groups for "Central Storage" to select the group ID. The initial value of this central storage can be set in the Domain Configuration tab of the Admin Manager. Under "Namespace/Unix ETC/Central Group ID:Next GID". 


Updating the NSK Option

CCI timeout can now be configured via the environment variable ETRUST_TIMEOUT. The default value is 120 seconds.


Updating the Legacy Webi (EAOWebi)

1)     You need to stop your servlet-engine (e.g. Tomcat).

2)     Back up your existing EAOWebi.jar file making sure not to keep the .jar extension.

3)     Copy updated EAOWebi.jar file located under the EAOWebi folder in the Manual Update zip to your servlet-engine machine.

4)     Overlay the support folder located under EAOWebi folder in the Manual Update zip to your servlet-engine machine's webapps\EAOWebi folder.

5)     Edit the EAOWebi.properties config file to include new parameters if desired. New parameters are described further below.

6)     Restart your servlet-engine.

You can now configure the Change Self Auth Questions and Answers screen to appear before the change expired password screen, similar to how it can be configured to appear before the Self-Auth Change Password screen. By default the Change Self Auth Q&A screen will not appear unless you set the following two parameters in the EAOWebi.properties file.

            Change_Questions_On_Expired_Pwd=true

            custom_attribute_to_store_QA_change_expired_pwd_boolean=eTCustomFieldxx (where xx is a valid Custom Field)

After the first time the Self Auth Questions are reset, the eTCustomFieldxx specified will be set to the value 1 and future password expiration screens will not be first presented with a Self Auth Change Question window.

Additionally, by default existing Self Auth Questions and Answers will not be visible on the Self Auth Change Questions screen. You can make them visible by setting the following parameter in the EAOWebi.properties file.

            hide_qa_on_expired_pwd_reset_modify=false

You can now control how many invalid self-auth q&a attempts will lead to suspension of the global user. If the parameter is not set it will default to 3 attempts.

            QA_failures_before_suspend=3

 

Updating the Legacy workflow (EAOWF)

1)     You need to stop your servlet-engine (e.g. Tomcat).

2)     Back up your existing EAOWF.jar file making sure not to keep the .jar extension.

3)     Copy the updated EAOWF.jar file located under the EAOWF folder in the Manual Update zip to your servlet-engine machine.

4)     Restart your servlet-engine.

New EAOWF.properties parameters:

1)     You can control whether all tasks should continue after one task fails by adding the parameter: auto_fail_tasks_after_failure=false

Updating the Reporting

Confirm that the registry key on Remote Admin Managers is set properly (where mydomain is your Admin Server Domain Name) under [HKLM]\SOFTWARE\ComputerAssociates\eTrust Admin\Domains\mydomain

If you are using the Choose Domain Tree feature, you will need to make sure the values are set properly for each domain listed under [HKLM]\SOFTWARE\ComputerAssociates\eTrust Admin\DomainTrees

eTDSASuffix = dc=mydomain,dc=eta (confirm it is set with proper domain name)

eTDSADbSuffix = dc=mydomain,dc=etadb (add this with proper domain name)

eTPasswordDB = HashedPassword (add this with value taken from the Admin Server registry)

Once the installation process has delivered the files, the reporting table for PKI must be created.  At a command prompt, run the command:

>UpdIngRpt PKI

Updating the GINA

If GINA is already installed you only need to replace the existing cube.exe on the system with the updated cube.exe located in the CR_Manual Updates.zip file under the GINA folder. If you have not installed GINA yet you can run the GINA installer. You cannot use the GINA installer to upgrade an existing installation of GINA.

The GINA Option is now compatible with Identix BioLogon 4.1 and higher.  Previous versions of Identix BioLogon suppressed a WM_PAINT message that was necessary for the GINA Option to work with it.  This message is available as of version 4.1.  The dialogs.xml file on each system requiring the GINA Option to link to the BioLogon GINA needs to contain the following section relevant to the itgina.  Note that the positioning and text of each link is configurable.  The values below are only suggestions.

 

                <itgina.dll>

                        <ids>

                                <id>101</id>

                        </ids>

                        <dialogunits>

                                    <link1>

                                        <left>165</left>

                                        <top>140</top>

                                        <height>14</height>

                                        <width>90</width>

                                    </link1>

                                    <link2>

                                        <left>165</left>

                                        <top>153</top>

                                        <height>14</height>

                                        <width>90</width>

                                    </link2>

                        </dialogunits>

                        <colors>

                                    <bg></bg>

                        </colors>

                        <formids>

                                <username>0</username>

                        </formids>

                        <strings>

                                    <lang_1033>

                                        <link1>Forgot password?</link1>

                                        <link2>Account locked?</link2>

                                    </lang_1033>

                                    <lang_1034>

                                        <link1>Forgot password?</link1>

                                        <link2>Account locked?</link2>

                                    </lang_1034>

                                    <lang_2052>

                                        <link1>Forgot password?</link1>

                                        <link2>Account locked?</link2>

                                    </lang_2052>

                        </strings>

                </itgina.dll>


Updating the OS400 SOAP library

When the target system is a V6R1 endpoint, the error “Server returned contenttype other than text/xml” occurs when acquiring a directory or changing the password for a directory. To fix this problem, you need to re-deploy the AS4 webservice component on the SOAP server, or manually copy the AS400.jar from CR_Manual_Updates to the SOAP server machine. The location for AS400.jar depends on which webservice container you are using. (If you are using JRUN, the file can be found under %JRUN_HOME%\servers\lib.)

Updating the OS400 PSYNC

Passwords changed inside OS400 system and propagated to the rest of the Admin can be upper case. This is due to the OS400's case insensitive nature. Depending on your OS400 configuration passwords may be case sensitive. This fix allows you to specify either to-lower or to-upper as the desired behaviour for passwords being synched back to the associated Admin Global user. This agent build is for V5R2 and later.

This fix adds a new configuration parameter "pwd_case_action" which can be set to "pwd_to_uppercase" or "pwd_to_lowercase". In addition there is also "pwd_case_unchanged" which is the default value.

The default behavior should be followed when: not specifying a value for "pwd_case_action"; specifying an invalid value for "pwd_case_action"; or not specifying "pwd_case_action" at all. The default behavior will be the same as the existing behavior. This means any sites using the OS400 password synch agent should be able to update with no change in behavior.

Updating OS400 Reporting

The fix in CR17 addresses a problem where the names of OS400 directories were truncated to 10 characters in reports.  This fix changes the size of directory name field in the os400 table of the reporting database from 10 characters to 50 characters.  If you want to make use of the longer directory names in your reports you will have to recreate the table QA2ACCAS4 with the new size.  The recommended procedure involves destroying and recreating the entire reporting database.  Please ensure you backup any data you wish to keep before commencing the update procedure.

··      This procedure will first destroy the current reporting database, and then create a new one, using the new “ingrpt.sql” script file updated by this fix.  This file is in “%DXHOME%\Reporting\Config”.

··      Open a command prompt.

··      CD to the CA_APPSW folder, generally located at one of the following locations:

o        C:\Program Files\CA\SharedComponents\CA_APPSW

o        C:\CA_APPSW

··      Run the command: QADELRPT.exe

o        Note: this must be issued by the ID who owns the database.

··      After that command finishes, run QACRRPT.exe

o        Note: this must be issued by the ID who owns the database.

The updated reporting database will need to be reloaded before reports can be viewed.


Updating the Remote VMS Agent

Follow the instructions under the VMS folder in the Manual Update zip file.


Identity Manager Integration

The attribute eTIMDynamicQuery was marked NotSearchable in eTrust Admin r8.1 SP2. This marking is removed, to allow integration with Identity Manager r8.1 SP1.

Upgrade impact: If you are upgrading an existing eTrust Admin r8.1 SP2 database to a later version, the index for eTIMDynamicQuery needs to be added. This is done by running the etaindex script (etaindex.bat or etaindex.sh). If the index is not added, the database etrusadmin will fail to start.

If you upgrade from an existing eTrust Admin r8.1 SP1 (or earlier) database, no special action is required.


Updating Advanced Workflow

Starting in CR13 eTrust Admin includes a new version of the Workflow engine.  This version includes irreversible schema changes that are performed during the update.  Ensure that the database is fully backed up and recoverable before proceeding with the Advanced Workflow update.

To assist in achieving best results with Advanced Workflow, please consult the document CA Workflow Best Practices.  This document explains the means to achieve optimum results with the products.

In some environments additional installation steps are required. Advanced Workflow requires that the Ingres character set be configured to WIN1252. By default, the Ingres installed with eTrust Directory is installed with the Ingres character set of IBMPC850. You can check the II_CHARSETxx value (where xx is the Ingres installation code) by running the command “ingprenv”. You can change the II_CHARSETxx value by running the command “ingsetenv II_CHARSETxx WIN1252” where xx is the Ingres installation code (i.e. EI).

Changes will not take effect until Ingres is restarted. Also, when changing the Ingres character set you should dump out all of your Ingres databases, destroy the databases, re-create the databases after Ingres is restarted, and then re-load the dumped data. The following commands can be used for those operations:

To create a database you can use the Ingres command “createdb <dbname>”.

To destroy a database you can use the Ingres command “destroydb <dbname>”.

To dump/load a database you can use the Ingres command “copydb <dbname>” to create the dump and load sql scripts:

            To dump use the command “sql <dbname> < copy.out”

            To load use the command “sql <dbname> < copy.in”

Note: You will need to re-index any databases used by eTrust Directory after destroying and re-creating them.

You can test the JDBC connectivity to the Advanced Workflow database to confirm it is working before running the Advanced Workflow installer by executing the following command (replace host with the proper hostname):

java -classpath "%II_SYSTEM%/ingres/lib/iijdbc.jar";"%II_SYSTEM%/ingres/lib" JdbcInfo "jdbc:ingres://HOST:EI7/workflow;autocommit_mode=multi;cursor_mode=readonly"

Steps to upgrade Advanced WorkFlow for IAM CC Users

 

1.      Dump the Database

copydb <dbname>

This creates two files, copy.in and copy.out.

sql <dbname> < copy.out

 

2.      Destroy the Database after dumping the Database

destroydb <dbname>

 

3.      Modify the Character Set 

ingsetenv II_CHARSETxx WIN1252

 

4.      Verify that it has been set as expected using the following command:

ingprenv

Expected Output:   II_CHARSET**=WIN1252

 

5.      Create DB

createdb -i <dbname>

 

6.      Load DB

sql <dbname> < copy.in

 

7.      Restart Ingres.
 

8.      Verify JDBC connectivity using the following command.

java -classpath "%II_SYSTEM%/ingres[EI]/lib/iijdbc.jar";"%II_SYSTEM%/ingres/lib" JdbcInfo "jdbc:ingres://HOST:EI7/workflow;autocommit_mode=multi;cursor_mode=readonly"

9.      Upgrade Advanced Workflow.

Large process instance data blobs can create major data storage issues for the containing database. This version of CA Workflow resolves this problem.  To address migration concerns, the newly optimized behavior must be selected by turning server parameter UseSnapshots to true.  This is the recommended setting for nearly all customers.  UseSnapshots is a server parameter that is set to either true or false on the Server tab in the Workflow Design Environment (IDE).
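
A gate for the two points in the upgrade steps above where a mistake is costly, as an added example that is not CA's tooling: it blocks destroydb until the copydb scripts exist and blocks createdb until ingprenv reports WIN1252 for the installation code. The function names and the sample ingprenv output are constructed for illustration.

```python
import os

REQUIRED_CHARSET = "WIN1252"   # value the readme requires for Advanced Workflow

# Constructed sample of ingprenv output (NAME=value per line), showing the
# IBMPC850 default the readme mentions for an installation code of EI.
SAMPLE_INGPRENV = """\
II_INSTALLATION=EI
II_CHARSETEI=IBMPC850
II_TIMEZONE_NAME=NA-EASTERN
"""


def charset_from_ingprenv(output, install_code):
    """Return the II_CHARSET<code> value from ingprenv output, or None if absent."""
    wanted = "II_CHARSET" + install_code.upper()
    for line in output.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().upper() == wanted:
            return value.strip()
    return None


def dump_problems(dump_dir):
    """List problems with the copydb scripts that must exist before destroydb."""
    problems = []
    for name in ("copy.in", "copy.out"):
        path = os.path.join(dump_dir, name)
        if not os.path.isfile(path):
            problems.append(name + " is missing")
        elif os.path.getsize(path) == 0:
            problems.append(name + " is empty")
    return problems


def preflight(ingprenv_output, install_code, dump_dir):
    """Return blockers per step; an empty list means that step may proceed."""
    blockers = {"destroydb": dump_problems(dump_dir), "createdb": []}
    variable = "II_CHARSET" + install_code.upper()
    value = charset_from_ingprenv(ingprenv_output, install_code)
    if value is None:
        blockers["createdb"].append(variable + " is not set")
    elif value.upper() != REQUIRED_CHARSET:
        blockers["createdb"].append(
            "%s=%s, expected %s" % (variable, value, REQUIRED_CHARSET))
    return blockers


if __name__ == "__main__":
    # Checks the current directory for the dump scripts against the sample output.
    for step, problems in preflight(SAMPLE_INGPRENV, "EI", ".").items():
        print(step, "->", "ok" if not problems else "; ".join(problems))
```

It checks only that copy.in and copy.out exist and are non-empty; it does not validate the table data unloaded by running copy.out.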

Provisioning Repository Performance Tuning for Dynamic Namespace Option

We recommend the provisioning repository performance tuning be done using the eTrust Directory dxtunedb command immediately after a large number of objects are added to the repository. With the introduction of the Dynamic Namespace option, the following three Ingres commands need to be executed following each dxtunedb command:

            optimizedb -zr499 -zu240 <database name> -rsubsearch -acid

            optimizedb -zr499 -zu240 <database name> -rdit -aparent -ardnkey -aeid

            sql <database name> > set trace point RD010 \g


Updating Unifeed

The Unifeed option must be updated manually.  Copy the files from the Manual Update zip to the installed path and recycle Web application server.

 

Updating CA (eTrust) Directory

eTrust Admin 8.1 SP2 does not support CA (eTrust) Directory r12. Do not upgrade the Directory to r12.

Deploying the JCS SDK Connector

The following are the correct steps for deploying Java Connector Server (JCS) SDK Connector (which is a static connector).

1.    Install CA Admin 8.1 SP2 CR# (CR11 or later)

2.    Install Admin 8.1 SP2 SDK, compile it, and then deploy it as per the eTrust Admin SDK Developer's Guide, Chapter 3. Note: At this point ensure that you are able to acquire and explore Admin's SDK Directory through Admin Manager.

3.    Install Sun J2SE Development Kit 5.0 Update 11 (1.5.0_11). This is required by the latest JCS CR. Set the variable JAVA_HOME to the J2SDK installed location.

4.    Install Apache Ant 1.6.5 and add it to the System Environment variable path

5.    Install Java Connector Server (JCS) 8.1 SP2 CR#

6.    Install Java Connector Server (JCS) SDK 8.1 SP2 CR# and compile it using the command "ant dist"

7.    Copy the file <jcs_sdk>\build\dist\lib\jcs-connector-sdk.jar to directory C:\Program Files\CA\Identity Manager\Connector Server\lib

8.    Restart the JCS service.

9.    Install Connector Express 8.1 SP2 CR#

10. Run/launch Identity Manager (Java) Connector Xpress and add/register with a Provisioning Server.

11. To specify the Java Connector Server to manage SDK Namespace, navigate to

<hostname>\<Domainname>\Namespaces\SDK Namespace. Right click on the "SDK Namespace" and select "Set Managing CS...". Then select "JCS_<hostname>_xxxx" item (the Use the default CS for Provisioning Server option should be unchecked) and click ok.

Note: Now the Java Connector Server will service the SDK Namespace.

JCS SDK Connector is a static connector. For a JCS static connector, the developer must create/develop the corresponding C++ GUI Plugin components.
The requirement of step 2 in the instruction above is to provide the following:

·         To create/develop a C++ GUI Plug-in for the namespace

·         To create/develop a Parser Table for the namespace

·         To create/develop a xxxPOP.EXE for the namespace

·         To Generate schema files, eTrust_xxx.schema and eTrust_xxx.dxc for the namespace.

Thus, a developer must create/provide a C++ GUI Plug-in when developing a JCS custom connector based on the Java SDK connector.

For Java Dynamic Connector it is not required for the developer to create the corresponding C++ GUI Plug-in. It will use the existing Dyn Namespace's GUI Plug-in.
Connector Xpress is used to create dynamic namespaces based on a JNDI or JDBC data source. For these two types of data source, the jcs-connector-jndi.jar and jcs-connector-jdbc.jar are already provided as part of the JCS installation. Note that for JCS 8.1 SP2 it is not possible to create custom (your own) DYN Namespaces. For further details please see the JCS Implementation Guide, JCS Programming Guide and Connector Xpress help.

For dynamic connector, there is no .jar file generate by Connector Xpress or and it is required to be developed/provided by the developer.

Please see the Connector Xpress online help, from creating a new Namespace (Dynamic Connector) to Deploying Metadata and then to Explore/Correlate Endpoint System, as shown in the diagram in the Connector Xpress online help in section "Connector Xpress Process Flow".

 

 


6.0 Published Fixes

Certifications

Note regarding connector functionality:  Supported connector functionality at the time of the 8.1SP2 release remains stable.  Extensions to the connectors, to support new functionality within versions of target systems released after this time must be raised as Corporate Escalations.

Problem 1288 – CR1 - CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 942

Problem 1289 – CR2 - CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 983

Problem 1286 – CR3 - CERT: CERTIFIED eTrust Admin Server WITH WINDOWS 2003 SERVER R2

Problem 1287 – CR3 - CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 1000

Problem 1279 – CR3 - CERT: CERTIFIED NSK WITH GUARDIAN H06.06

Problem 1277 – CR3 - CERT: CERTIFIED RSA WITH SECUREID V6.1 WINDOWS

Problem 1325 – CR5 - CERT: CERTIFIED SAP Option WITH SAP ECC 6.0

Problem 1394 – CR5 - CERT: CERTIFIED IE7

Problem 1345 – CR6 - CERT: CERTIFIED MS SQL Server Option WITH Microsoft SQL Server 2005

Problem 1346 – CR6 - CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 1026

Problem 1347 – CR6 - CERT: CERTIFIED WITH eCS r8.2.7

Problem 1393 – CR7 - CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 1072

Problem 1421 – CR8 - CERT: CERTIFIED MS SQL Server Option WITH Microsoft SQL Server 2005 SP1

Problem 1423 – CR8 - CERT: CERTIFIED VMware ESX 3.0 as managed UNIX endpoint

Problem 1441 – CR9 - CERT: CERTIFIED WITH ECS r8.2.9

Problem 1442 – CR9 - CERT: CERTIFIED eTrust Admin Server WITH eTrust Directory r8.1 Build 1115

Problem 1443 – CR9 - CERT: CERTIFIED MANAGING SIEBEL CRM V8.0

Problem 1460 – CR10 - CERT: CERTIFIED MANAGE MS EXCHANGE 2007

Problem 1461 – CR10 - CERT: CERTIFIED MANAGER WINDOWS 64BIT ADS

Problem 1462 – CR10 - CERT: CERTIFIED 8.1 SP2 CR10 ADMIN SERVER ON WINDOWS 2003 SP2

Problem 1463 – CR10 - CERT: CERTIFIED ADMIN MANAGER ON MS VISTA

Problem 1464 – CR10 - CERT: CERTIFIED MANAGE WINDOWS VISTA

Problem 1465 – CR10 - CERT: CERTIFIED CAM 1.11 BUILD 54_16

Problem 1485 – CR10 - CERT: CERTIFIED 8.1 SP2 CR10 ADMIN SERVER WITH DIRECTORY 8.1 BLD 1115

Problem 1486 – CR10 - CERT: CERTIFIED 8.1 SP2 CR10 ADVWF BUILT WITH CA WORKFLOW 1.0.19.28

Problem 1537 – CR11 - CERT: 8.1 SP2 CR11 ADMIN SERVER WITH DIRECTORY 8.1 BLD 1158

Problem 1538 – CR11 - CERT: 8.1 SP2 CR10 ADVWF BUILT WITH CA WORKFLOW 1.0.19.43

Problem 1539 – CR11 - CERT: MANAGE MS SQL 2005 SP2

Problem 1540 – CR11 - CERT: MANAGE NOVELL SUSE LINUX 10.1

Problem 1541 – CR11 - CERT: MANAGE MYSAP ERP 2005

Problem 1571 – CR12 - CERT: SUSE LINUX 10.1 FOR Z/OS

Problem 1572 – CR12 - CERT: SSO 8.1 (GAP)

Problem 1573 – CR12 - CERT: ADVANCED WORKFLOW 8.1 (CAWF V50)

Problem 1574 – CR12 - CERT: ADMIN 8.1 SP1 CR10 WITH ETD 8.1 B1115

Problem 1616 - CR14 - CERT: XPRESS CONNECTOR MYSQL DB

Problem 1620 - CR14 - CERT: CERTIFIED FND OPTION WITH ORACLE FINANCIALS r12

Problem 1660 - CR14 – CERT: CERTIFIED UNIX OPTION WITH HP-UX V11IV3

Problem 1621 - CR14 - CERT: ADVANCED WORKFLOW WITH MSSQL

Problem 1661 – CR15 – CERT: REPORTING ON DYN USER ACCOUNTS

Problem 1662 – CR15 – CERT: CERTIFIED UNIX OPTION WITH AIX 6.1

Problem 1641 – CR16 - CERT: CERTIFIED LND OPTION WITH LOTUS NOTES DOMINO 8.0

Problem 1642 – CR16 - CERT: CERTIFIED UNIX OPTION WITH REDHAT 5.1

Problem 1680 – CR17 – CERT: CERTIFIED MANAGE ACCESS CONTROL 8.0 SP1

 

Problem 1686 – CR17 – CERT: CERTIFIED ADMIN MANAGER ON MS VISTA SP1

 

Problem 1687 – CR17 – CERT: CERTIFIED MANAGE WINDOWS VISTA SP1

 

Problem 1695 – CR18 - CERT: SUPPORT-AD2008-PROVISIONING

 

Problem 1737 – CR20 - CERT: ADMIN SERVER AND OTHER COMPONENTS ON VMWARE ESX 3.5

 

Problem 1749 – CR21 – CERT: OS400 – CERTIFIED AS400 CONNECTOR FUNCTIONALITY WITH OS400 VERSION 6 REV1

 

Problem 1750 – CR21 – CERT: CERTIFIED ADMIN MANAGER WITH MICROSOFT VISTA. 

 

Problem 1749 – CR22 – CERT: OS400 – CERTIFIED AS400 PASSWORD SYNC AGENT WITH OS400 VERSION 6 REV1

 

Problem 1769 – CR22 – CERT: CERTIFIED INGRES PATCH 12834

 

Problem 1771 -  CR22 - CERT: EXCHANGE 2007 LINKED AND SHARED MAILBOXES

 

Problem 1780 – CR23 – CERT: CA DIRECTORY 8.1 BUILD 1278

 

Problem 1813 – CR26 – CERT: CERTIFIED PASSWORD SYNC AGENT WITH ADS2008

 

INSTALL

Problem 1363 – CR7 - INSTALL: UNIX SERVER DUPLICATE DC

Problem 1377 – CR7 - INSTALL: FAILBACK TO LOCALHOST DURING INSTALL

Problem 1381 – CR7 - INSTALL: MDAC

Problem 1424 – CR9 - INSTALL: ADMIN MANAGER SILENT INSTALLER FAILS

Problem 1466 – CR10 - INSTALL: REMOTE MANAGER NOW INSTALLS INGRES R3

Problem 1467 – CR10 - INSTALL: CORRECT PROBLEM INSTALLING OVER ECS 8.2.9

Problem 1469 – CR10 - INSTALL: REPOSITORY UPGRADE-STOP OVERWRITING ORIGINAL FILES

Problem 1501 – CR10 - INSTALL: UPGRADE FROM 811+CR7 OR HIGHER FAILS

Problem 1542 – CR11 - INSTALL: ECS 8.2.9 UNINST ERROR

Problem 1543 – CR11 - INSTALL: ADMIN MANAGER UPGRADE ERROR

Problem 1544 – CR11 - INSTALL: ALLOW ADMIN SERVER INSTALL ON PSYNC MACHINE

Problem 1545 – CR11 - INSTALL: ALLOW EXCHANGE REMOTE AGENT TO BE UPGRADED

Problem 1569 - CR12 - INSTALL: SystemPATHLength

Problem 1632 - CR15 - INSTALL: BIN FOLDER MISSING

Problem 1643 – CR16 - INSTALL: ADDED CONFIG FILES TO MANUAL UPDATES

Problem 1683 – CR17 - INSTALL: CHECKDSADB FAILING

Problem 1683 – CR17 - INSTALL: SP2CR16 SLAPD NOT STARTING

 

CORE Server

Problem 1159 - CR1 - CORE: ROLE NAME LIMITED TO 50 CHARS

Problem 1182 - CR1 - CORE: INVALID FORMATTING SYNTAX

Problem 1187 - CR1 - CORE: PROG EXIT FAILURE SETS WRONG ERROR CODE

Problem 1190 - CR1 - CORE: IMPLEMENTED REDUCED-MEMORY USAGE EXPLORE OPTION

Problem 1199 - CR1 - CORE: MEMBER OF LIST NOT RESET

Problem 1229 – CR2 - CORE: ETIMDYNAMICQUERY INDEXED

Problem 1252 – CR3 - CORE: INCREASE GLOBAL USER FIRST NAME MAX LENGTH TO 50

Problem 1264 – CR3 - CORE: MULTI-DOMAIN DELETE INCLUSION FAILS

Problem 1290 – CR4 - CORE: INCREASE ROLENAME TO 255 CHARACTERS

Problem 1291 – CR4 - CORE: SYNC TRUNCATES LEADING ZEROS

Problem 1292 – CR4 - CORE: eTExcludeAccountDN NOT CASE INSENSITIVE

Problem 1293 – CR4 - CORE: RETURN PROPER JAPANESE ERROR MESSAGE

Problem 1313 – CR5 - CORE: INCORRECT STRING FORMATTING

Problem 1318 – CR5 - CORE: CORRECT BUFFER OVERWRITE IF ATTR VALUE > 16384 CHARS

Problem 1336 – CR6 - CORE: SOAP PROGRAM EXIT INVOCATION FAILED

Problem 1373 – CR11 - CORE: ADDING NEW DOMAIN

Problem 1382 – CR7 - CORE: ADD GU UC NAME CORRUPTION

Problem 1383 – CR7 - CORE: GU&ACC WHEN GUNAME UC

Problem 1384 – CR7 - CORE: ETSELFCHANGE

Problem 1385 – CR7 - CORE: POLICY RENAME

Problem 1386 – CR7 - CORE: SA HANG DIR DELETE

Problem 1392 – CR7 - CORE: POLICYNAME RULE CHECKED

Problem 1407 – CR8 - CORE: SOAP PROGRAM EXIT INVOKE FAILS

Problem 1408 – CR8 - CORE: LOGGING LABELS CLARIFIED

Problem 1409 – CR8 - CORE: NO OPERATION DETAILS

Problem 1416 – CR11 - CORE: POLICY USER DEFINED FIELD

Problem 1439 – CR9 – CORE: ADMIN PROFILES FILTERING

Problem 1440 – CR9 – CORE: LOGGING NOT INITIALIZED

Problem 1449 – CR10 – CORE: .NET SOAP EXIT INVOCATION FAILS

Problem 1471 – CR10 – CORE: CORRELATION ATTRIBUTE CHANGES

Problem 1472 – CR10 – CORE: LOG DLL LOAD FAILURES

Problem 1473 – CR10 – CORE: CORRECT LOGGING MESSAGES

Problem 1474 – CR10 – CORE: CHECK PASSWORD PROFILE IGNORING PSYNC ENABLED FLAG

Problem 1475 – CR10 – CORE: REMOVE GU FROM ADMPROFILE STOPS SLAPD

Problem 1487 – CR10 – CORE: SEARCH FILTERS SOMETIMES IGNORED

Problem 1488 – CR10 – CORE: LOW MEMORY EXPLORE CORRECTIONS

Problem 1499 – CR10 – CORE: ADMIN MANAGER CRASHED

Problem 1500 – CR10 – CORE: REMEMBER PENDING CHANGES BETWEEN TABS

Problem 1502 – CR10 – CORE: ACCOUNTS NOT SUPPORTED IN NAMESPACE

Problem 1514 – CR11 - CORE: UNKNOWN OPER DETAILS

Problem 1520 – CR11 - CORE: EXCEPTION VIOLATION

Problem 1521 – CR11 - CORE: DR WATSON ON ETAUTIL -O

Problem 1522 – CR11 - CORE: INCREASE ETHOMESERVEREXC MAX LENGTH

Problem 1523 – CR11 - CORE: TLS PORT NOT CHECKED

Problem 1613 - CR14 - CORE: EMAIL DISSAPPEARS

Problem 1611 - CR14 - CORE: ETA_E_1247, DATES

Problem 1625 - CR15 - GUI: DEPRECATED ATTRS SHOWN

Problem 1622 - CR15 - CORE: LOG WHICH ETACONFIG.DLL HAS BEEN USED

Problem 1636 – CR16 - CORE:DON'T CHANGE SUSPEND DATE ON RE-SUSPEND

Problem 1644 – CR16 - CORE: EXTEND CUSTOM GLOBAL USER ATTRIBUTES TO 700

Problem 1664 – CR17 – CORE: GLOBAL USER'S GUI:FULLNAME TRAILING WHITESPC

Problem 1691 – CR18 - CORE: USER SYNC ADD MULTIPLE POLICIES ATTRIBUTES NOT CORRECT

Problem 1704 – CR19 - CORE: DPATH VALUE, SERVICES FAIL

Problem 1705 – CR19 - CORE: ETSUSPENDED BEHAVIOR

Problem 1718 – CR20 - CORE: LOG EXCEPTION SETTING LEVEL IN LOGS

Problem 1738 – CR21 - CORE: SOAP COM EXIT, EMPTY INPUT

Problem 1741 – CR21 - CORE: WIDE INDEXES NEEDED

Problem 1751 – CR22 - SA: LOG UNBIND REQUEST STATUS

Problem 1761 – CR22 - CORE:CRASH WITH NO ETID VALUE

Problem 1764 – CR22 - CORE: GU MISSING PASSWORD

Problem 1774 – CR23 – CORE:ERRORS FOR SEARCHES AT STARTUP

Problem 1776 – CR23 – CCS: SUPERAGENT CRASH

Problem 1777 – CR23 – SLOW AND FAILING LDAP SEARCHES

Problem 1817 – CR25 – GUI: REMOTE PROV. MGR NOT LISTING ANY CONNECTOR TYPES

Problem 1818 – CR25 – GUI: ADMIN MANAGER DOES NOT USE THE DEFAULT FAILOVER SERVER

Problem 1803 – CR26 – SLAPD CPU USAGE TOO HIGH

Problem 1804 – CR26 – GUI: ADMIN MANAGER HANG ON VISTA


SDK

Problem 1387 – CR7 - SDK: PWD MASKED IN POLICY

Problem 1689 – CR18 - SDK: RENAME ADS ACCOUNT PROBLEM

Problem 1747 – CR22 – CSDK: PROGRAM EXIT FOR SOLARIS


Reporting

Problem 1157 - CR1 - RPT: REMOTE MANAGER INVALID CREDENTIALS GUEXTRACT

Problem 1208 – CR2 - RPT: JAPANESE MB CHARS FOR ACCOUNT OR FULL NAME ARE GARBLED

Problem 1252 – CR3 - RPT: INCREASE GLOBAL USER FIRST NAME MAX LENGTH TO 50

Problem 1261 – CR3 - RPT: NO ROLE EDITED IN REPORT WHEN MULTI ROLES

Problem 1271 – CR4 - RPT: FAILING E_CO0040 COPY: UNEXPECTED END OF USER DATA

Problem 1290 – CR4 - RPT: INCREASE ROLENAME TO 255 CHARACTERS

Problem 1420 – CR4 - RPT: GUEXTRACT CONNECTION ERROR: LDAP_SIMPLE_BIND()

Problem 1524 – CR11 - RPT: EMPTY REPORTS

Problem 1525 – CR11 - RPT: UNABLE TO LOAD DLL

Problem 1789 – CR25 – RPT: SELF AUTH QUESTION & ANSWER BLANK IN REPORTS


GINA

Problem 1321 – CR6 - GINA: CUBE KEYSTROKE PROBLEM

Problem 1348 – CR6 - GINA: SECURITY VULNERABILITY

Problem 1398 – CR8 - GINA: REDIRECT HTTP 404 PAGES

Problem 1470 – CR10 - GINA: ADD SUPPORT FOR IDENTIX BIOLOGON 4.1

Problem 1627 - CR15 - GINA: ISN'T AVAILABLE FOR JAPANESE

Problem 1690 – CR18 - GINA: CUBE BOTTOM RIGHT CORNER

Problem 1792 – CR25 – GINA: CUBE NOT BLOCKING CTRL-P

Problem 1801 – CR26 – GINA VULNERABILITY THRU CERTIFICATE EXPORT WIZARD


PSYNC

Problem 1335 – CR6 - PSYNC: CONFIG WIZARD FAILS IF DOMAIN IS DC=ETA

Problem 1469 – CR10 - PSYNC: ADD DATE TO LOG TIMESTAMPS

Problem 1584 – CR21 - PSYNC: PASSWORD SYNC AGENT ON WINDOWS X64

Problem 1810 – CR26 – PSYNC: TIMEOUT SETTING INEFFECTIVE IF ETA SERVER NOT RESPOND


DSI

Problem 1418 – CR8 - DSI: DEFINE AND DELETE A TSO ALIAS

Problem 1645 – CR16 - DSI: CANNOT USE Z/OS OPTIONS WITH DSI R12 SERVER


ACF2 Option

Problem 1162 - CR1 - ACF: ACQUIRE WITH SEMICOLON, SLAPD FAILS TO START

Problem 1198 - CR1 - ACF: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES

Problem 1212 – CR2 - ACF: ACQUIRE WITH PLUS SIGN, SLAPD FAILS TO START

Problem 1220 – CR2 - ACF: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY

Problem 1282 – CR5 - ACF: INVALID CONN INFO ACCESS

Problem 1417 – CR8 - ACF: MULTI POLICIES PRIVILEGES

Problem 1416 – CR9 - ACF: POLICY USER DEFINED FIELD

Problem 1435 – CR9 - ACF: SEC AUTHID FILL UP

Problem 1436 – CR9 - ACF: SEC AUTHID SEARCH

Problem 1437 – CR9 - ACF: SEC AUTHID SEARCH WITH *

Problem 1438 – CR9 - ACF: STATUS OUT-OF-SYNC ATTRIBUTE

Problem 1416 – CR11 - ACF: POLICY USER DEFINED FIELD

Problem 1557 – CR12 - ACF: SEC AUTHIDS SEARCH

Problem 1709 – CR19 - ACF: RE-ESTABLISH DSI CONNECTION

Problem 1758 – CR22 – ACF2: NOT RETRIEVING USER ID ATTRIBUTE WHEN IN NORWAY LOCALE

Problem 1793 – CR25 – ACF2: R12 NEW ATTRIBUTES

 

RACF Option

Problem 1162 - CR1 - RACF: ACQUIRE WITH SEMICOLON, SLAPD FAILS TO START

Problem 1172 - CR1 - RACF: CRASH

Problem 1188 - CR1 - RACF: UNABLE TO ADD EXISTING UNEXPLORED USER OR GROUP

Problem 1213 – CR2 - RACF: ACQUIRE WITH PLUS SIGN, SLAPD FAILS TO START

Problem 1216 – CR2 - RACF: POLICY LIMITS USERID TO 8 CHARS

Problem 1217 – CR2 - RACF: INSTALLATION DATA TRUNCATED

Problem 1219 – CR2 - RACF: BUFFER OVERFLOW

Problem 1294 – CR5 - RACF: RE-EXPLORE CAUSES GROUP DELETE AND RE-ADD

Problem 1329 – CR5 - RACF: ADD SUPPORT FOR TSO ALIAS

Problem 1351 – CR6 - RACF: ACCOUNT NAME TRUNCATED

Problem 1352 – CR6 - RACF: DFLT GROUP 7 NOT 8

Problem 1353 – CR6 - RACF: INSTALLATION DATA ERROR

Problem 1354 – CR6 - RACF: PASSWORD INTERVAL

Problem 1410 – CR8 - RACF: NOT POPULATING WORKATTR

Problem 1438 – CR9 - RACF: STATUS OUT-OF-SYNC ATTRIBUTE

Problem 1566 - CR12 - RACF: SP CHARS NOT ACCEPTED

Problem 1567 - CR12 - RACF: REVOKE DATE RESUME DATE

Problem 1580 - CR14 - RACF: GUI SEARCH LIMIT IMPACT

Problem 1631 - CR15 - RACF: EXPLORE ACCOUNTS FAIL

Problem 1659 – CR17 - RACF: INSTDATA LOST BLANKS

Problem 1708 – CR19 - RACF: RE-ESTABLISH TERMINATED CONNECTION

Problem 1729 – CR20 - RACF: AUTO-MIGRATING MESSAGE

Problem 1759 – CR22 – RACF:PASSPHASE ATTR CAUSES SLAPD ASSERT/SHUTDOWN

Problem 1767 – CR23 – RACF:EXPLORE FAIL, NO ICH31005I MESSAGE

 

TSS Option

Problem 1162 - CR1 - TSS: ACQUIRE WITH SEMICOLON, SLAPD FAILS TO START

Problem 1214 – CR2 - TSS: ACQUIRE WITH PLUS SIGN, SLAPD FAILS TO START

Problem 1295 – CR4 - TSS: HANDLE TSS TYPE=GROUP IN POLICY

Problem 1330 – CR5 - TSS: ADD SUPPORT FOR TSO ALIAS

Problem 1417 – CR8 - TSS: MULTI POLICIES PRIVILEGES

Problem 1416 – CR9 - TSS: POLICY USER DEFINED FIELD

Problem 1438 – CR9 - TSS: STATUS OUT-OF-SYNC ATTRIBUTE

Problem 1673 – CR18 – TSS: RECONNECT AFTER DISCONNECT


Access Control Option

Problem 1232 – CR2 - ACC: FAIL TO CREATE GROUPS

Problem 1248 – CR2 - ACC: PARAMETER IS INCORRECT ERROR MESSAGE

Problem 1296 – CR4 - ACC: UNIX-FLAG-IN-ACC-OPTION

Problem 1476 - CR10 - ACC: MAKE ETACCDIRECTORYNAME REQUIRED

Problem 1640 – CR16 - ACC: SUPERAGENT CRASHES WHEN MULTPLE EXPLORES WITH TIMEOUT

Problem 1680 – CR17 - ACC: CERTIFIED FOR EAC 8.0 SP1

Problem 1757 – CR23 – ACC: SA FREEZE UNDER LOAD

Problem 1786 – CR24 – ACC: MULTI-THREADED CONNECTOR (WINDOWS)


ADS/E2K Option

Problem 1075 - CR1 - ADS: PERFORMANCE

Problem 1147 - CR1 - ADS: ADS:POLICY'S HOME FOLDER 'TO' FIELD WON'T ACCEPT RULESTRINGS

Problem 1154 - CR1 - ADS: DUPLICATING GROUP COULD TERMINATE GUI

Problem 1158 - CR1 - ADS: REMOVE DEFAULT VALUE FOR COUNTRY IN POLICY

Problem 1163 - CR1 - ADS: ACQUIRE FAILS BECAUSE OF LEGACYEXCHANGEDN

Problem 1165 - CR1 - ADS: EMAIL ADDRESS NOT MANAGED VIA POLICIES

Problem 1185 - CR1 - ADS: MOVING AD ORG UNIT

Problem 1191 - CR1 - ADS: ADD SUPPORT FOR "MANAGER CAN UPDATE MAMBERSHIP LIST"

Problem 1192 - CR1 - ADS: KEEP EMPTY VALUED ATTRIBUTE IN PAYLOAD

Problem 1198 - CR1 - ADS: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES

Problem 1205 - CR1 - ADS: ADD 2K MBRS TO GRP FAILS

Problem 1206 - CR1 - ADS: EMPTY MAILBOX RIGHTS RETURNED OPERATIONS ERROR

Problem 1220 – CR2 - ADS: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY

Problem 1324 – CR5 - ADS: SESSION DETAILS SYNTAX

Problem 1326 – CR5 - ADS: TS SESSION SYNTAX

Problem 1327 – CR5 - ADS: EXCHANGE SERVER CLUSTER

Problem 1331 – CR5 - ADS: MOVING OUS

Problem 1359 – CR6 - ADS: CAN'T SET HOME DIR

Problem 1360 – CR6 - ADS: HOME FOLDER BUTTON

Problem 1388 – CR7 - ADS: ETSELFCHANGE SETS MUST CHANGE PASSWORD

Problem 1389 – CR7 - ADS: EXCHANGE DNS WITH COMMAS

Problem 1397 – CR8 - ADS: LEGACYEXCHANGEDN NOT COMPUTED PROPERLY

Problem 1401 – CR8 - ADS: CAN'T OPEN POLICY PROPERTY PAGE

Problem 1477 – CR10 - ADS: BOLD CAPABILITY ATTRIBUTES

Problem 1495 – CR10 - ADS: PRE-EXPIRE PASSWORD

Problem 1496 – CR10: MAILBOX MOVE FAILS

Problem 1497 – CR10: MAILBOX RIGHTS NOT APPLIED AFTER MOVING

Problem 1513 – CR11 - ADS: CHANGING MAILNICKNAME CHANGES LEGACYEXCHANGEDN

Problem 1547 – CR12 - ADS: PLUG-IN EXCEPTION

Problem 1550 – CR12 - ADS: DUPLICATE SMTP MAIL ADDRESS

Problem 1558 – CR12 - E2K: DUPLICATE ACCOUNT

Problem 1559 – CR12 - SUPERAGENT CONNECTION BREAKS

Problem 1560 – CR12 - ADS:INVALID FPRINTF()

Problem 1561 – CR12 - ADS: HOME DIRECTORY FAILURE

Problem 1562 – CR12 - ADS: HOMEDIR INHERIT PERMS

Problem 1607 - CR14 - ADS:BLANK ERROR FOR CALLBACK

Problem 1647 – CR16 - ADS: ACCOUNT NOT SHOWING DATA

Problem 1648 – CR16 - ADS: CUSTOM FEED CRASH SA

Problem 1634 – CR16 - E2K:MODIFY MB RIGHTS CRASHES GUI

Problem 1646 - CR17 – ADS: CAN'T EXPLORE JAPANESE OUS

Problem 1685 – CR17 - ADS: EXPLORE / ATTRIBUTE MAP

Problem 1652 – CR17 – E2K: EXCHANGE SERVER NAME TOO LONG

Problem 1694 – CR18 - ADS: JAPANESE CHARACTER DISPLAY PROBLEMS

Problem 1706 – CR18 - ADS: CANT MODIFY SMTP ADDRESS

Problem 1703 – CR19 - ADS: MANAGED BY TAB MOD FAILED

Problem 1713 – CR19 - ADS: CAM TIMEOUT VALUES

Problem 1702 – CR20 - ADS: JAPANESE CHARS IN MGR FIELD

Problem 1723 – CR20 - ADS: CONTACTS MISSES SMTP ADDR

Problem 1726 – CR20 - ADS: TERMINAL SERVICES SET/GET ERROR

Problem 1727 – CR20 - E2K: ENH ERROR MESSAGES

Problem 1731 – CR20 - E2K: MB RULE STRING FAILURE

Problem 1736 – CR21 – ADS: ATTR DIAL-IN TO BE CAPABILITY ATTR

Problem 1743 – CR21 - ADS: ENHANCE HOME FOLDER RIGHTS CREATION

Problem 1745 – CR21 – ADS: ADD EXCH2007 FEATURES

Problem 1746 – CR22 – E2K: ADS:GROUP NAME WITH PERIOD IN IT

Problem 1753 – CR22 – ADS: STORAGE LIMITS

Problem 1754 – CR22 – ADS: LOGON NAME INVALID

Problem 1756 – CR22 – ADS: LOGGED IN AS CREDENTIALS DON'T WORK

Problem 1765 – CR22 – ADS: MULTI-VALUE RULESTRING

Problem 1783 – CR25 – E2K: ETADSMDBUSEDEFAULTS DEFAULT VALUE SHOULD BE TRUE

Problem 1790 – CR25 – ADS: GROUP MEMBERSHIP ASSG FAILURE JAP

CES 48248 - CR25 – ADS: CREATE LEGACY MAILBOX IN EXCHANGE 2007

Problem 1796 – CR26 – E2K: ETA MANAGER CAN NOT CHANGE  PRIMARY EMAIL ADDRESS

Problem 1802 – CR26 – ADS FAILOVER CAUSES INTERMITTENT SUPERAGENT HANG

Problem 1807 – CR26 – ADS: COMMAND FILE MISSING VAR CONTINUE EXECUTION

Problem 1797 – CR26 – EX2K7: MAILBOX CREATION FAILED IN SLOW AD DUPLICATION ENV

Problem 1809 – CR26 – ADS: ERROR EXPLORING USER WITH HIDEFROMEXCHANGEADDRBOOK ATTR

 

DB2 Option

Problem 1198 - CR1 - DB2: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES

Problem 1220 – CR2 - DB2: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY

Problem 1268 – CR3 – DB2: CAN'T USE OFFSET IN POLICY


DBZ Option

Problem 1531 - CR11 - DBZ: SLOW RESPONSE ON ADD VIEW


DYN Option

Problem 1240 – CR2 - DYN: MAX LENGTH FOR INT

Problem 1241 – CR2 - DYN: MSSQL SMALLDATETIME

Problem 1242 – CR2 - DYN: ACCEPT INVALID DATE/TIMES

Problem 1243 – CR2 - DYN: ORACLE9 NEGATIVE NUMBERS

Problem 1244 – CR2 - DYN: LEADING ZEROS IN INTS

Problem 1245 – CR2 - DYN: ORACLE DATE CAUSES ERROR

Problem 1246 – CR2 - DYN: ORACLE INTERVAL TYPES

Problem 1253 – CR3 - DYN: DEADD ALWAYS SETS LOCKED

Problem 1254 – CR3 - DYN: GUI:SIGNED INT

Problem 1300 – CR4 - DYN: UPGRADE XSD LIBRARY TO 2.2.3.0

Problem 1355 – CR6 - DYN: ADD ISOBFUSCATED

Problem 1356 – CR6 - DYN: JDBC DEFAULT VALS POLICY

Problem 1357 – CR6 - DYN: STATIC DIR SHEET

Problem 1358 – CR6 - DYN: TIME FIELD NOT IGNORED

Problem 1399 – CR8 - DYN: RULESTRINGS FOR INT VARS

Problem 1630 - CR15 - DYN: CANNT SEARCH ON ONE-LVL

Problem 1626 - CR15 - DYN: READING USERS FROM GROUP PAGE CRASHES GUI

Problem 1778 – CR25 - DYN: %P% in default Policy

Problem 1811 – CR26 – DYN: GLOBAL USER SEARCH FOR ACCOUNT IN DYN NAMESPACE


EIAM Option

Problem 1267 – CR3 - EIAM: CAN'T USE OFFSET IN POLICY


JCS

Problem 1615 - CR14 - JCS: BUILD.XML ERROR ADDNG DIR

Problem 1629 - CR15 - JCS: EXP/CORR BY CONNECTOR

Problem 1700 – CR19- JCS: INCORRECT INTEGERS HANDLING

Problem 1710 – CR19- JCS: FILTER LDAPSEARCH

Problem 1770 – CR23 – JCS: DEPLOY OF JCS CONNECTOR

Problem 1785 – CR25 – JCS: CONNXP FORCES ISREQUIRED ON NOT NULL COLUMNS

LDAP Option

Problem 1193 - CR1 - LDAP: IMPROVE FILTERING

Problem 1210 – CR2 - LDAP: GROUP MEMBERSHIP DOESN'T APPEAR IN GUI

Problem 1362 – CR7 - LDAP: UN PRINTABLE CHARACTER IN TEL NUMBER

Problem 1503 – CR10 - LDAP: ADD NEW SUSPENSION ATTRIBUTE

Problem 1504 – CR10 - LDAP:RESPONSE AFTER SA RESTART

Problem 1505 – CR10 - LDAP: TWO ACCOUNTS CREATED

Problem 1601 - CR14 - LDAP: EXPLORE LDAP FAILURE

Problem 1721 – CR20 - LDAP: DIRECTORY DETAILS NOT EDITABLE WHEN MISCONFIGURED

Problem 1734 – CR20 - LDAP: EDIRECTORY ETSUSPENDED

Problem 1760 – CR22 – LDA: SUPERAGENT CRASH


LND Option

Problem 1146 - CR1 - LND: GROUPNAME WITH THAI NAME > 29 CAUSE LDAGT TO CRASH

Problem 1150 - CR1 - LND: ADD GROUP MEMBESHIP MEMBER NOT ADD

Problem 1166 - CR1 - LND: DMOCONFIG FAILS ON JAPANESE OS

Problem 1167 - CR1 - LND: CREATE JAPANESE ACCOUNT NAME FAILS

Problem 1168 - CR1 - LND: CREATE JAPANESE ORG UNIT NAME FAILS

Problem 1169 - CR1 - LND: ORG NAME MANGLED

Problem 1170 - CR1 - LND: LND-ERROR MSGS MANGLED

Problem 1174 - CR1 - LND: ORGUNIT TAB NAME

Problem 1175 - CR1 - LND: GUI LASTNAME ALIGNED

Problem 1176 - CR1 - LND: GROUP TYPE IS GREYED OUT

Problem 1177 - CR1 - LND: SPECIAL CHR ACCNT VIEW

Problem 1178 - CR1 - LND: GROUP DESCRIPTION MISSING

Problem 1179 - CR1 - LND: ACCOUNT CREATION FAILS

Problem 1202 - CR1 - LND: POLICY NO SHORTNAME GEN

Problem 1209 – CR2 - LND: POLICY UNABLE TO CHANGE MAIL TEMPLATE

Problem 1211 – CR2 - LND: GUI CAUSE A FAILURE IN NOTES API

Problem 1227 – CR2 - LND: DUPLICATE POLICY FAILURE

Problem 1230 – CR2 - LND: INCORRECT LOGGING MESSAGES LDS INSTEAD OF LND

Problem 1231 – CR2 - LND: ADD FUNCTIONALITY TO MOVE USER'S MAIL FILE

Problem 1256 – CR3 - LND: DISPLAY ACCOUNT CRASH THE AGENT

Problem 1257 – CR3 - LND: DISPLAY ACCOUNT PERFORMANCE

Problem 1265 – CR3 - LND: EXPLORATION ALWAYS MAPPING

Problem 1266 – CR3 - LND: EXPLORATION PERFORMANCE

Problem 1280 – CR3 - LND: SUPPORT ALTERNATE NAMES AND LANGUAGES

Problem 1281 – CR3 - LND: SUPPORT FOR  EMPLOYEE ID  AND  ASSIGNED POLICY

Problem 1297 – CR4 - LND: SUPPORT FOR SECONDARY EMAIL ADDRESS

Problem 1298 – CR4 - LND: EXTENSION OF THE LND GROUP NAME TO HANDLE 256 CHARACTER

Problem 1134 – CR5 - LND: CANNOT EXPLORE SOME GROUP

Problem 1319 – CR5 - LND: LND: DMOLNDCONFIG CRASH

Problem 1323 – CR5 - LND: CUSTOM DEFINED ATTRIBUTES

Problem 1343 – CR6 – LND: SUPPORT FOR SPECIFYING PAB

Problem 1365 – CR7 – LND: DATEPICKER CONTROL REVERSE TO SHORT DATE

Problem 1375 – CR7 – LND: ID EXPIRATION DATE DIFFERS

Problem 1376 – CR7 – LND: ONLY RESET INTERNET PASSWORD

Problem 1402 – CR8 – LND: ARCHIVE DB EXPIRATION DATE EMPTY

Problem 1422 – CR9 – LND: AMBIGOUS NAME AFTER RENAME

Problem 1422 – CR9 – LND: WEB ONLY USERS

Problem 1427 – CR10 – LND: NO GROUP DISPLAY WHEN USER UNIQUE OU

Problem 1432 – CR10 – LND: "ADD USER TO PAB" ALWAYS SET WHEN DUPLICATE

Problem 1446 – CR10 – LND: GUI DUPLICATE POLICY GROUP ARE EMPTY

Problem 1452 – CR10 – LND: LDAGT HANG

Problem 1506 – CR10 – LND: CONFIGURABLE ID FILE FILENAME

Problem 1507 – CR10 – LND: LOAD LND USER ID

Problem 1508 – CR10 – LND: MOVING AN ACCOUNT TO NEW CERT.

Problem 1509 – CR10 – LND: ID FILE. NEW NOTES VARIABLE

Problem 1510 – CR10 – LND: LOGIN NAME SHOWN ON EVERY TAB

Problem 1528 - CR11 - LND: ARCHIVE DB LAST NAME

Problem 1516 - CR12 - LND: OU NAME WITH A DOT CHAR

Problem 1565 - CR12 - LND: FAILD ON FIELD CHANGING

Problem 1519 - CR12 - LND: RULE STRINGS ON LND POLICY NOT POSSIBLE

Problem 1548 - CR12 - LND: WRONG ACL ON MAILBOX WHEN USE ADMINP


Problem 1549 - CR12 - LND: DELETE PERSON DOCUMENT WHEN MOVE FAILURE


Problem 1551 - CR12 - LND: MOVE MAILBOX PROBLEM


Problem 1552 - CR12 - LND: COMAPNY AND CELL PHONE ATT NOT UPDATED

Problem 1639 – CR16 - LND: NEW OU > MAX 64

Problem 1669 – CR17 - LND: ADD CERTIFER FAILED

Problem 1670 – CR17 - LND: PROVISIONING CASE MISMATCH ORGUNIT

Problem 1692 – CR18 - LND: HISTORY TAB NOT SYNC

Problem 1715 – CR19 - LND: CHANGING PASSWORD CAUSES MAIBOX MOVEMENT

Problem 1717 – CR19 - LND: FORMALIZED CERTIFIER NAME

Problem 1725 – CR20 - LND: POSS. GUI CRASH

Problem 1730 – CR20 - LND: MOVE IN HIERARCHY MOVES MAILBOX

Problem 1733 – CR21 - LND: TERMINATE ORPHAN LDAGT.EXE

Problem 1755 – CR22 - LND: DOMINO SERVER NAME LENGTH OVER 18 CHARACTERS

Problem 1763 – CR22 - LND: ETLNDJOBTITLE LENGTH

Problem 1766 – CR23 – LND: CANNOT CHANGE PASSWORD

Problem 1772 – CR23 – DELETE LOTUS DOMINO ACCOUNT

Problem 1795 – CR26 – LND: AGENT CHANGES DOMINO SERVER CONFIGURATION TIMESTAMP


NDS Option

Problem 1478 - CR10 - NDS: NDS GROUP DESCRIPTION


NSK Option

Problem 1201 - CR1 - NSK: PERF 2 ACCOUNT DESEARCH

Problem 1479 - CR10 - NSK: ADD CONFIGURABLE CCI TIMEOUT


NT Option

Problem 1405 - CR10 - NT: NTSAUTIL FAILS UNABLE TO LOCATE RASSAPI.DLL

Problem 1529 - CR11 - NT: CANNOT SPECIFY SUBSTRING


Oracle Option

Problem 1181 - CR1 - ORACLE: TRAILING SEMICOLON ON SQL STATEMENTS

Problem 1198 - CR1 - ORACLE: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES

Problem 1220 – CR2 - ORACLE: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY

Problem 1313 – CR5 - ORACLE: INCORRECT STRING FORMATTING

Problem 1317 – CR5 - ORACLE: LOCKEDBIT AND SUSPENDED

Problem 1349 – CR6 - ORACLE: ETORAUSRPOLNAME DEPRECATED

Problem 1350 – CR6 - ORACLE: DIR REQUIRED FIELDS

Problem 1480 – CR10 - ORACLE: LOGGING MESSAGES WRONG


Oracle Applications Option

Problem 1156 - CR1 - FND: RESPONSIBILITYLIST ONLY RETURNED ON BASE SEARCH

Problem 1233 – CR2 - FND: TRAILING SEMICOLONS

Problem 1234 – CR2 - FND: LEAKS DATASOURCES

Problem 1235 – CR2 - FND: SLAPD CRASHES

Problem 1267 – CR3 - FND: CAN'T USE OFFSET IN POLICY

Problem 1391 – CR7 - FND: ACCOUNT SUSPENDED

Problem 1395 – CR7 - FND: UNABLE TO CLEAR THE SINGLE VALUE FIELDS

Problem 1444 – CR9 - FND: EXPIRE PASSWORD TIME

Problem 1498 – CR10 - FND: USER RESPONSIBILITIES ERRPR

Problem 1526 - CR11 - FND: ERROR EXECUTING "SELECT

Problem 1619 - CR14 - FND:USER RESPONSBILITIES

Problem 1679 – CR18 - FND: SUPERAGENT CRASHING

OS/390 Option

Problem 1438 - CR12 - OS390: ACF: STATUS OUT-OF-SYNC ATTRI

Problem 1699 – CR19 - OS390: HANDLE ETSUSPEND SYNC ISSUE

 

OS400 Option

Problem 1198 - CR1 - OS400: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES

Problem 1220 – CR2 - OS400: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY

Problem 1262 – CR3 - OS400: ERROR PARSING XML WITH OS400 NATIVE EXIT

Problem 1263 – CR3 - OS400: NATIVE EXIT ACCOUNTNAME PASSED INSTEAD OF FULL BUFFER

Problem 1390 – CR7 - OS400: DOCUMENT PASSWORD SEARCH

Problem 1527 - CR11 - OS400: POL GROUP PROFILE NAME

Problem 1681 – CR17 - OS400: PSYNC PASSWORD CASE

Problem 1682 – CR17 - OS400: REPORT TRUNCATION

 

PKI Option

Problem 1530 - CR11 - PKI: MODIFY DIR AS NON PKI ADMI

 

PLS Option

Problem 1151 - CR1 - PLS: INCORRECT STRING CALL CORRUPTS MEMORY.

Problem 1186 - CR1 - PLS: IMPROVE PERFORMANCE AND ALLOW SETTING AUTH RULE PER APP

Problem 1555 - CR12 - PLS: APPLICATION LOGIN ID FIELD INCREASED TO 50 CHARS

Problem 1788 – CR25 – PLS: EXPLORE FAILURE ON TOO MANY USERS


RSA Option

Problem 1276 – CR3 - RSA: ACE SECUREID PIN RESET

Problem 1278 – CR3 - RSA: UNIX REMOTE AGENT

Problem 1301 – CR4 - RSA: PROHIBIT UNALLOWED CHARACTERS

Problem 1333 – CR5 - RSA: ADD ACNT 2 MANY TOKEN/PWD

Problem 1608 - CR14 - RSA: TOKEN EXPIRATION

Problem 1609 - CR14 - RSA EXPLORATION ERROR

Problem 1610 - CR14 - RSA: RESET BUTTON BUG

Problem 1618 - CR14 - RSA: EXPLORE/CORRELATE FAILS

Problem 1649 – CR16 - RSA: ACCOUNT NAME WITH SPACES

Problem 1775 – CR23 – RSA: FAIL TO DELETE ADMIN USER


SAP Option

Problem 1152 - CR1 - SAP: UPDATE OF USERGROUP GETS CORRUPTED IF SHORTER

Problem 1153 - CR1 - SAP: USER FORMAT NOT REFRESHED ON FIRST/LAST UPDATE

Problem 1189 – CR2 - SAP: INCORRECT MESSAGE SYNTAX

Problem 1239 – CR2 - SAP: ROLENAME AND PROFILENAME

Problem 1374 – CR7 - SAP: CONFIGURE IF PASSWORDS MUST BE CHANGES AFTER RESET

Problem 1411 – CR8 - SAP: PWD CAN'T BE > 8 CHARS

Problem 1546 – CR12 - SAP: ACCOUNT NOT LOCKED AS IT SHOULD BE

Problem 1650 – CR16 - SAP: CHOOSE FRIENDLY SAP DIRECTORY NAMES.

Problem 1697 – CR18 – SAP: NOT PRE-EXPIRE PASSWORD ON CHANGE

Problem 1720 – CR20 - SAP: LICENSE DATA SET/UNSET

Problem 1722 – CR20 - SAP: ACCOUNT NUMBER HASHES

Problem 1735 – CR22 - SAP:UNICODE SUPPORT (INCL. CROATIAN)

Problem 1748 – CR22 - SAP:JCS NOT EXPLORING ACCOUNTS

Problem 1819 – CR25 - COULD NOT CREATE SAP NAMESPACES WITH SAP 7.0.


SQL Option

Problem 1198 - CR1 - SQL: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES

Problem 1207 - CR1 - SQL: SERVER POLICY KILL MGR

Problem 1220 – CR2 - SQL: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY

Problem 1396 – CR7 - SQL: EXPLORE WITH 4K LOGINS HANGS SUPERAGENT

Problem 1369 – CR8 - SQL: CANNOT GRANT OR DENY ACCESS TO A LOGIN WITH SQL AUTHENTICATION

Problem 1429 – CR10 - SQL: EXPLORE / INCORRECT SYNTAX NEAR THE KEYWORD

Problem 1447 – CR10 - SQL: LOGIN NOT UPDATED WHEN NO RELATED SQL USER

Problem 1481 – CR10 - SQL: MULTI-LINE IN THE LOG

Problem 1675 – CR17 - SQL: EXPLORE FREEZES SERVER

Problem 1672 – CR18 - SQL: USERNAME DOES NOT HAVE DOMAIN/SERVER PREFIX

Problem 1724 – CR20 - SQL: CAN'T VIEW MS SQL ACCOUNT

Problem 1820 – CR25 – SQL: SQL CONNECTOR  LOGGING NEEDS MORE DETAILS.

Single Sign-On (SSO) Option

Problem 1577 - CR14 - SSO: ADMIN - SSO WAC OPTION

Problem 1667 – CR17 - SSO: LOGININFOS PB

 

SIEBEL Option

Problem 1194 - CR1 - SBL: MANAGE POSITION OBJECTS

Problem 1238 - CR1 - SBL: SOME MANDATORY FIELDS NOT

Problem 1322 – CR5 - SBL: RESPONSIBILITY/DIVISION/POSITION/VIEW OBJECTS

Problem 1490 – CR10 - SBL: SUSPEND REMOVES FIELDS

Problem 1491 – CR10 - SBL: INCORRECT ERROR MESSAGE

Problem 1492 – CR10 - SBL: UNABLE TO REMOVE POSITION

Problem 1493 – CR10 - SBL: CAPABILITY ATTRIBUTE NOT BOLDED

Problem 1494 – CR10 - SBL: EXPLORE DIVISION FAIL

Problem 1532 - CR11 - SBL: POLICY WEAK SYNC

Problem 1533 - CR11 - SBL: RESPONSIBILITY VIEW HALT

Problem 1614 - CR14 – SBL: RESPONSBLT DUPLICATE FAIL

Problem 1617 - CR14 - SBL: UNABLE TO RESUME SBL ACC

Problem 1653 – CR17 - SBL: POOR PERFORMANCE DUPL RESP WITH MANY VIEWS

Problem 1614 – CR19 - SBL: RESPONSBLT DUPLICATE FAIL


UNIX-ETC Option

Problem 1198 - CR1 - UNIX-ETC: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES

Problem 1220 – CR2 - UNIX-ETC: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY

Problem 1307 – CR4 - UNIX-ETC: HP PASSWORD SHADOW FILE

Problem 1285 – CR5 - UNIX-ETC: GROUP LAST CHARACTER TRUNCATE

Problem 1312 – CR5 - UNIX-ETC: UNKNOWN OPTION OR INCORRECT PARAMETER

Problem 1199 – CR7 - UNIX-ETC: MEMBER OF LIST NOT RESET

Problem 1371 – CR8 - UNIX-ETC: PRIMARY GROUPS DO NOT APPEAR SORTED

Problem 1428 – CR10 - UNIX-ETC: PASSWD EXPIRE DOESN'T WORK

Problem 1458 – CR10 - UNIX-ETC: ACCOUNT HOME DIRECTORY ENHANCEMENTS

Problem 1459 – CR10 - UNIX-ETC: GROUP GID ENHANCEMENTS

Problem 1482 – CR10 - UNIX-ETC: CAFT HANDLE LEAK

Problem 1483 – CR10 - UNIX-ETC: RETURN REMOTE AGENT VERS.

Problem 1484 – CR10 - UNIX-ETC: EXTEND BUFFER SIZE

Problem 1579 - CR14 – UNIX-ETC: CANNOT CHANGE PASSWORD

Problem 1714 – CR19 - UNIX: GROUP GIDS NOT CHECKED FOR UNIQUENESS

Problem 1716 – CR19 - UNIX-ETC: GROUP TRANSFER INCLUDES NON EXISTENT ACCOUNTS

Problem 1779 – CR23 – UNIX-ETC: HPUX PASSWORD LENGTH

Problem 1800 – CR26 – UNIX-ETC: UNIX GROUP EXTENSION INCLUDES USERS

Problem 1805 – CR26 – ETC: DELETE GROUP FROM SELECTED SERVER ONLY

Problem 1814 – CR26 – UNIX: GID NOT CENTRALLY STORED


UNIX-NIS Option

Problem 1307 – CR4 - UNIX-NIS: HP PASSWORD SHADOW FILE

Problem 1308 – CR4 - UNIX-NIS: PRE AND POST EXECUTION OF SHELL COMMANDS

Problem 1285 – CR5 - UNIX-NIS: GROUP LAST CHARACTER TRUNCATE

Problem 1314 – CR5 - UNIX-NIS: CORE DUMP DISPLAY GROUP MEMBERSHI

Problem 1315 – CR5 - UNIX-NIS: ETNISHOMEDIRCREATION WRONGLY REAPPLIED

Problem 1316 – CR5 - UNIX-NIS: CORE DUMP GROUP NAME TOO LONG

Problem 1320 – CR5 - UNIX-NIS: SHADOW EXPIRED FLAG NOT RESET

Problem 1428 – CR10 - UNIX-NIS: PASSWD EXPIRE DOESN'T WORK

Problem 1457 – CR10 - UNIX-NIS: NETGROUPS IN NIS+

Problem 1482 – CR10 - UNIX-NIS: CAFT HANDLE LEAK

Problem 1489 – CR10 - UNIX-NIS: SEND DOMAIN NAME TO EXIT

Problem 1696 – CR18 – UNIX-NIS+: BLANK INPUT TO GUI SHOULD WRITE EMPTY COLUMN

Problem 1808 – CR26 – UNIX: REMOTE AGENT DOES NOT SUPPORT BLOWFISH ENCRYPTION


UNIX-REM Option

Problem 1568 - CR12 - UNIX: DISAPPEARANCE OF ACCOUNTS

Problem 1740 – CR21 - UNIX: SETTING PASSWORD DOES NOT CLEAR MUST CHANGE PASSWD FLAG

Problem 1744 – CR21 - UNIX: SOLARIS USERNAME LENGTH

 

UPO Option

Problem 1198 - CR1 - UPO: LOADING DIRECTORY PROPERTY PAGE W/ MANY POLICIES

Problem 1220 – CR2 - UPO: SEARCH FOR DEFAULT POLICY ON DIR PROP PAGE ENABLES APPLY

Problem 1299 – CR4 - UPO: DON'T ADD EXTRA <ETEXITCUSTOMDATA> TAG

Problem 1309 – CR5 - UPO: INVALID MEMORY COPY SHUTDOWN SUPERAGENT

Problem 1310 – CR5 - UPO: INVALID MEMORY IN DISPLAY STRING

Problem 1328 – CR5 - UPO: MEMORY LEAKS IN AGENT

Problem 1344 – CR6 - UPO: SUSPEND AN UPO ACCOUNT

Problem 1604 - CR14 - UPO: TAB SEQUENCE

Problem 1688 – CR18 - UPO: POLICY NAME W/ COLON

Problem 1791 - CR25 – UPO: SUPERAGENT HANGING

Problem 1806 – CR26 – UPO: DIRECT REQUESTS TO ALTERNATE ETA SERVER VIA GUI


VMS Option

Problem 1195 - CR1 - VMS: ADDED SUPPORT FOR ADDITONAL ACCOUNT FLAGS

Problem 1196 - CR1 - VMS: ADD NATIVE EXIT SUPPORT

Problem 1236 – CR2 - VMS: PRE/POST EXIT ERROR MESSAGES

Problem 1237 – CR2 - VMS: ON POLICY CREAT RIGHTS NOT

Problem 1815 – CR25 – VMS: VMS ACCOUNTS ARE NOT DISABLED BY ADMIN


Legacy Webi

Problem 1184 - CR1 - EAOWebi: SCRIPT ERRORS

Problem 1252 – CR3 - EAOWebi: INCREASE GLOBAL USER FIRST NAME MAX LENGTH TO 50

Problem 1302 – CR4 - EAOWebi: BUTTONS NOT ALIGNED

Problem 1303 – CR4 - EAOWebi: ROLE DISPLAY DOMAIN

Problem 1304 – CR4 - EAOWebi: ROLE MOREINFO BROKE

Problem 1367 – CR7 - EAOWebi: CHANGE Q&A ON EXPIRED PASSWORDS

Problem 1400 – CR8 - EAOWebi: ALLOW CONFIG OF SELF-AUTH FAILURES GU SUSPEND

Problem 1553 – CR12 - EAOWebi: ADD FRAME BUST TO EAOLOGIN AND EAOLOGOUT


Legacy Workflow

Problem 1164 - CR1 - EAOWF: ALLOW CONFIGURING FOR FAIL SUBSEQUENT TASKS

Problem 1173 - CR1 - EAOWF: PRE-MATURE ESCALATION WHEN SLAPD DOWN

Problem 1252 – CR3 - EAOWF: INCREASE GLOBAL USER FIRST NAME MAX LENGTH TO 50

Problem 1305 – CR4 - EAOWF: ROLES NOT SHOWING VALUES

Problem 1752 - CR22 - EAOWF: REQUESTS NOT DELEGATING IN PROVISIONING WF


UniFeed

Problem 1223 – CR3 - UNI: DIRSYNC WARNING MESSAGES

Problem 1603 - CR14 - UFO: PASSWORD LENGTH

Problem 1732 – CR20 - UFEED: UFO FEEDS FAILED AGAIN


SelfService

Problem 1161 - CR1 - SSRV: SELFSERVICE 40 CHAR LIMIT TITLE

Problem 1197 - CR1 - JIAM: ADD SIEBEL SUPPORT TO JIAM INTERFACE

Problem 1221 – CR2 - SSRV: XP SP2 BREAKS GINA

Problem 1247 – CR2 - JIAM: FORCED DELETE INCORRECT

Problem 1252 – CR3 - SSRV: INCREASE GLOBAL USER FIRST NAME MAX LENGTH TO 50

Problem 1306 – CR4 - SSRV: NON-CONTIGUOUS Q&A ENTRIES CAUSE PROBLEMS

Problem 1334 – CR6 - SSRV: ANSWERS AREN'T DELETED

Problem 1340 – CR7 - SSRV: REQ. FIELD

Problem 1341 – CR7 - SSRV: PASSWORD TEXTBOX

Problem 1342 – CR7 - SSRV: NO SUCCESS MSG ON FAILURE

Problem 1379 – CR7 - SSRV: CONFIRMATION MESSAGE

Problem 1380 – CR7 - SSRV: IE7 CURSOR STICKS

Problem 1605 - CR14 - SSRV: VULNERABLE URLS

Problem 1612 - CR14 - SSRV: IAM Self Service GINA problem

Problem 1676 – CR17 - JIAM: EXPLORING NON-HIERARCHICAL NAMESPACES

Problem 1711 – CR19 - SSRV: SSL FAILURE

Problem 1762 – CR22 - JIAM: SELFSERVICE PASSWORDCHANGE


SelfServiceConfig

Problem 1412 – CR8 - SSCFG: OPTIONAL FIELD ERROR

Problem 1413 – CR8 - SSCFG: ERROR CONFG SELF AUTH


IAManager

Problem 1197 - CR1 - JIAM: ADD SIEBEL SUPPORT TO JIAM INTERFACE

Problem 1290 – CR4 - IAMI: INCREASE ROLENAME TO 255 CHARACTERS


AdvWF

Problem 1197 - CR1 - JIAM: ADD SIEBEL SUPPORT TO JIAM INTERFACE

Problem 1406 – CR8 - ADVWF: CHECK INGRES CHAR SET

CES 48667 – ADVWF: ERROR ENCRYPTING PASSWORD POST UPGRADE FROM ADMIN 8.1


SPML

Problem 1197 - CR1 - JIAM: ADD SIEBEL SUPPORT TO JIAM INTERFACE

Problem 1247 – CR2 - JIAM: FORCED DELETE INCORRECT

Problem 1332 – CR5 - SPML: SPMLMANAGER DYN SUPPORT

Problem 1361 – CR6 - JIAM: ETFNDUSEAOLONLY

Problem 1350 – CR7 - SPML: DIR REQUIRED FIELDS

Problem 1515 - CR11 - SPML: P/W DISPLAYED IN SPML LOGS

Problem 1534 - CR11 - SPML: FRENCH NAMESPACE

Problem 1535 - CR11 - SPML: SEARCH SPECIAL + HANDLES

Problem 1536 - CR11 - SPML: TOMCAT OUT OF MEMORY

Problem 1651 – CR16 - SPML: ADVANCED WORKFLOW CANNOT CONNECT TO SPML SERVER


JIAM SDK

Problem 1197 - CR1 - JIAM: ADD SIEBEL SUPPORT TO JIAM INTERFACE

Problem 1222 – CR2 - JIAM: INCORRECT DEFAULT PROPERTY

Problem 1247 – CR2 - JIAM: FORCED DELETE INCORRECT

Problem 1378 – CR7 - JIAM: INIT EXTENSIONS

Problem 1414 – CR8 - JIAM: IAMUser.syncToAccounts

Problem 1415 – CR8 - JIAM: IAMCONTAINER.GETCHILDCONTAINERHANDLES

Problem 1433 – CR9 - JIAM: ROLE NAME CASE

Problem 1434 – CR9 - JIAM: ETSELFCHANGE

Problem 1606 - CR14 - JIAM: LOCKS UNDER STRESS

Problem 1633 - CR15 - JIAM: COMMIT EXCEPTION

Problem 1655 - CR16 - JIAM: ADD SUPPORTED API FOR INTERNAL DN

Problem 1656 – CR16 - JIAM: RDTUTILITY RESERVED KEYS

Problem 1657 – CR16 - JIAM: SUPPORT ADDITIONAL USER CUSTOM FIELDS

Problem 1658 – CR16 - JIAM: SENDING OUT AN INCORRECT SEARCH QUERY

Problem 1707 – CR18 - JIAM: ESCAPING CHARACTERS IN FILTER STRING


ConnectorXpress

Problem 1275 – CR3 – XPRESS: CORRECT HELP SYSTEM

Problem 1563 – CR12 – XPRESS: CHANGE A PROVISIONING ROLE

Problem 1654 – CR16 - CONXP: 50 CHARS IN NAMESPACE

Problem 1794 – CR26 – CONNXP: UNCLEAR EXPECTED VALUE

Bindeta Utility

Problem 1698 – CR20 – UNKN: ENHANCE BINDETA LOGGING

 

Utilities

Problem 1784 – CR25 – UTIL: RMELDERS.TCL NOT HANDLING TIMESTAMPS



7.0 Known Issues

INSTALL/UNINSTALL

If the PATH environment variable is greater than 1024 characters the IAM install will not work.

You may need to decrease the length by converting long folder names to short names or possibly temporarily removing path entries and restoring them back after the install is complete.

On the UNIX server, do not select to perform a binaries only upgrade in the installer. Doing so will result in eTrust Admin not starting.

Attempting to uninstall Admin Server from a machine with ECS 8.2.9 installed will generate an error that /opt/CA/SharedComponents/eTrustCommonServices/scripts/eCSuninstall.sh could not be found. You can uninstall ECS 8.2.9 by running /opt/CA/SharedComponents/EnterpriseCommonServices/scripts/eCSuninstall.sh

Attempting to uninstall via the Windows "Add/Remove Programs" and selecting "CA eTrust Identity and Access Management" when a cumulative release (CR) has been applied to a previous release, fails.  This is because "..\CA\eTrust Identity and Access Management\_iamuninst" does not have the "CA eTrust Admin Server.msi" that matches the CR version installed.  Copy the MSI matching the installed CR into the above location and then run the uninstall.

If you install a Solaris domain as Primary, then attach Windows alternate servers with non-ASCII characters in the domain, the Solaris installer mangles names incorrectly; for example, ESPAÑA is mangled into ESPA001DA.

Installation of Exchange remote agents (Exchange 2000/2003 and Exchange 2007) requires a reboot.

CORE

If you require a policy to contain the percent (%) character you must first escape it so that it will be used as a literal (%%). This is because rule strings use the percent (%) character as the leading and terminating characters. Failing to use a double percent may result in an unmatched percentage error.

There is a known limitation for escaped rule strings:  Entering a rule string such as:

TLDAContainerName=UCU01:1,8%

in an LDAP Policy in the Account container section will produce an error message from the eTA Manager.

If Solaris is configured for IPv6, the eta_connector will fail to start and will core dump. IPv6 must not be present on the system.

All users (including cn=etaanon,dc=eta) can do the following operations:
-    list domain (dc) objects
-    read attributes of domain objects
-    list namespace objects
-    read attributes of namespace objects (new

The constraint "objectclass=*" should not be contained in search filters as performance will be impacted.   "objectclass=*" is not a part of the filter search for global users.  Custom PAM code that uses "objectclass=*" should be updated accordingly.

A new fix allows a global user to be created with a role successfully when "Store user passwords" is changed to "No". Whether the account on the endpoint can be created depends on the password policy of the specific endpoint.

ADS

The Admin ADS Option will now check to see if the newly assigned smtp email address already belongs to another object and if so it will return an error that the value is already in use. Having duplicate smtp email addresses may result in delivery errors. A system administrator should check their existing environment and remove any duplicate or unwanted addresses.
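One way to run the duplicate check suggested above is against an LDIF export of the directory. This is an added example, not code shipped with eTrust Admin; it assumes the export carries the Active Directory `mail` and `proxyAddresses` attributes, and the sample entries are constructed.

```python
import base64
from collections import defaultdict

# Constructed sample export, not real data. One value is base64-encoded and one
# is folded across two lines, both of which are legal LDIF.
_B64 = base64.b64encode(b"SMTP:sales@example.com").decode("ascii")
SAMPLE_LDIF = (
    "dn: CN=Alice Example,OU=Staff,DC=example,DC=com\n"
    "mail: alice@example.com\n"
    "proxyAddresses: SMTP:alice@example.com\n"
    "proxyAddresses: smtp:a.example@example.com\n"
    "\n"
    "dn: CN=Bob Example,OU=Staff,DC=example,DC=com\n"
    "proxyAddresses: SMTP:bob@example.com\n"
    "proxyAddresses: smtp:A.Example@EXAMPLE.com\n"
    "proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Bob;\n"
    "\n"
    "dn: CN=Sales,OU=Groups,DC=example,DC=com\n"
    "proxyAddresses:: " + _B64 + "\n"
    "\n"
    "dn: CN=Sales Contact,OU=Contacts,DC=example,DC=com\n"
    "proxyAddresses: smtp:sales@exam\n"
    " ple.com\n"
)


def parse_ldif(text):
    """Yield (dn, attrs) per entry; attrs maps lower-cased names to value lists."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded and unfolded[-1]:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    dn, attrs = None, defaultdict(list)
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, dict(attrs)
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)


def smtp_addresses(attrs):
    """Return the normalised SMTP addresses one entry claims."""
    found = set()
    for value in attrs.get("proxyaddresses", []):
        prefix, sep, address = value.partition(":")
        if sep and prefix.lower() == "smtp":  # skip X400 and other address types
            found.add(address.strip().lower())
    for value in attrs.get("mail", []):
        found.add(value.strip().lower())
    return found


def find_duplicate_smtp(ldif_text):
    """Map each SMTP address held by more than one object to the DNs holding it."""
    owners = defaultdict(set)
    for dn, attrs in parse_ldif(ldif_text):
        for address in smtp_addresses(attrs):
            owners[address].add(dn)
    return {a: sorted(dns) for a, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for address, dns in sorted(find_duplicate_smtp(SAMPLE_LDIF).items()):
        print(address)
        for dn in dns:
            print("    " + dn)
```

Addresses are compared case-insensitively, so a primary `SMTP:` value on one object and a secondary `smtp:` value on another are reported as the same address.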

The Admin ADS Option will now allow the user to specify the behavior when creating the profile home directory.  The default is the current behavior of only allowing the account that the folder is created for to access it.

The new supported behavior is to not set the account to have permission to access the folder but to inherit the permission from the parent folder.  This new behavior is controlled by the directory configuration HomeDirInheritPermission.  That is, if the eTADSconfig attribute on the directory has the value: HomeDirinheritPermission=1 then this new behavior is selected.  If this option is enabled the administrator must manually alter the NTFS security permissions and allow the appropriate account access to this folder.

Check-account-sync always shows Contact's attribute 'accountExpires' as out of sync. Active Directory Contact does not have this attribute in its schema so it should not be considered during synchronization.

"eTADSmsNPAllowDialin" is shown as out of sync when doing check-account-sync on ADS Contact object. This should not be the case since this attribute does not belong to contact object. The attribute should be ignored by the sync algorithm. This issue is not reproducible using Admin Manager since Admin Manager does not allow setting of this attribute.

The CA supplied program exit ADSOptExits.dll (for ADS Connector) has been enhanced to allow variables that do not match data supplied by the server.

Where a command script uses a variable that may not be supplied (for example, %mail% may not be provisioned if a mailbox is not created), system administrators can define the environment variable ETA_ADS_OPT_ALLOW_MISSING_VARS (the value of the variable is not examined). Processing of the command file will then continue and the missing variable will be replaced with empty text (zero characters). The default behaviour is unchanged – processing will be aborted for missing variables.
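Before defining ETA_ADS_OPT_ALLOW_MISSING_VARS it is worth reviewing what each command becomes once a variable expands to nothing. The sketch below is an added example, not the logic of ADSOptExits.dll; it assumes variables are written as %name% with exact-case names, and the script, the `account` variable and `notify.exe` are constructed.

```python
import re

# Assumption: command-file variables look like %name%, as in the readme's %mail%.
VARIABLE = re.compile(r"%([A-Za-z][A-Za-z0-9_]*)%")
OVERRIDE = "ETA_ADS_OPT_ALLOW_MISSING_VARS"


class MissingVariable(Exception):
    """Raised in the default mode, where a missing variable aborts processing."""


def expand(line, supplied, environ):
    """Expand one command line under the default or the override behaviour."""
    allow_missing = OVERRIDE in environ      # the value itself is not examined

    def substitute(match):
        name = match.group(1)
        if name in supplied:
            return supplied[name]
        if allow_missing:
            return ""                        # replaced with zero characters
        raise MissingVariable(name)

    return VARIABLE.sub(substitute, line)


def audit(script, supplied):
    """List lines that silently change when the override is set.

    Returns (line_number, missing_names, expanded_line) tuples so each command
    can be reviewed in the form it would actually run.
    """
    findings = []
    for number, line in enumerate(script.splitlines(), start=1):
        missing = sorted({n for n in VARIABLE.findall(line) if n not in supplied})
        if missing:
            expanded = expand(line, supplied, {OVERRIDE: ""})
            findings.append((number, missing, expanded))
    return findings


# Constructed command file and server data; "account" and notify.exe are hypothetical.
SAMPLE_SCRIPT = (
    "echo provisioning %account%\n"
    "mkdir \\\\fileserver\\archive\\%mail%\n"
    "notify.exe --to %mail% --user %account%\n"
)
SUPPLIED = {"account": "jdoe"}               # no mailbox was created, so no mail

if __name__ == "__main__":
    for number, missing, expanded in audit(SAMPLE_SCRIPT, SUPPLIED):
        print(f"line {number}: missing {missing} -> {expanded!r}")
```

In the sample, the `mkdir` line ends up targeting the parent folder and the notification is sent with an empty recipient, which is the kind of command to guard inside the script before enabling the override.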

Advanced Workflow

A package has been added to facilitate the process of migrating eTrust Admin Advanced Workflow data from an Ingres database to an MS SQL Server 2000 database and ensuring that Advanced Workflow functions with the new database.  Consult the document Advanced Workflow migration to MS SQL Server in the awf_migration.zip file for more information.

ACF2

DSI should already be running prior to starting SLAPD; otherwise ACF2 accounts will not be accessible.


DFS

Changes have been made to support the creation of home folders on Distributed File System (DFS) environments.  For this functionality to work correctly the "eTrust Admin Superagent" service must be set to "log on as: etaslapd" (default).  Note that this account must have imported the AD certificate to support SSL.


DYN

eTDYNPolicy will not accept a non-integer as one of the values for a multi-valued capability integer attribute; this prevents rule strings from being used.

Performing a sub-domain search in an environment with multiple DYN namespaces defined will result in all of the defined DYN namespaces being searched/returned. 

There is a problem when you attempt to create a new Account or Group in the DYN provisioning manager plug-in talking to a JDBC namespace by:

1)       bringing up the “Directory Content” panel for a directory
2)       highlighting the root node in the “Container tree”
3)       selecting “DYN Account” or “DYN Group” in the “Object type” selector
4)       clicking the “New” button on the “Create new content” panel.

This results in an error message displayed in a dialog with the text:

JCS: missing “eTDYNAccountConatinerName=Accounts' in DN”

near the end (there is a similar message for Groups). Trying to select “DYN Container” in step 3) results in a blank screen. 

To avoid this problem, ensure that you select the Accounts or Groups containers when you create accounts or groups respectively.

Using Admin Manager, it is possible to click on the ‘New’ button for DYN Container for a JDBC DYN Namespace.  This will only open a blank eTDYNContainer property sheet, as only JNDI DYN Namespaces support the management of Containers.  When setting up the Explore and Correlate/Correlation Attribute for a DYN Namespace, extra attributes that were not allocated during the mapping of your DYN namespace will appear in the drop down list.  Use ConnectorXpress to export the Mapping Summary file to identify which DYN attributes apply.  When you acquire JNDI DYN Endpoint using Admin Manager, base DN (a required field) and LDAP Version fields are located in a separate tab called ‘General’.  Also, the fields titled ‘System Logon’ need to be populated with a Bind DN value.

The same account will appear many times in Accounts Profiles by Name template if the account has attributes with multiple values. Similarly, the same group will appear many times in Groups Profiles by Name template if the group has attributes with multiple values.

 

In the default parser table, some attributes are mandatory.

To override a mandatory attribute in the default parser table with a non-mandatory attribute in the new parser table, use __EMPTYVALUE__ (4 underscores, 2 on each side).

For example:

in the policy.pti (default parser table):
default = %P%
in the dynparse.pty:
default = __EMPTYVALUE__
and set override to yes:
override = yes


EAOWEBI Web Interface

A new parameter called enable_bust_frame can now be set to true in the EAOWebi.properties page which will force EAOLogin and EAO2Logout to be loaded into the main window instead of a frame.


Exchange 2000/2003 (E2K)

 

Currently, managing both Exchange 2003 and Exchange 2007 in a mixed Exchange 2003/2007 environment is not supported.  If you have updated your Microsoft Active Directory schema by running the Exchange 2007 Setup tool in either your domain and/or forest, eTrust Admin will automatically identify all Exchange servers in the domain as Exchange 2007.  If you wish to continue managing Exchange 2003 servers only, you must first disable the Exchange 2007 functionality via a registry key on the machine(s) running the eTrust Admin Superagent(s).

 

To disable Exchange 2007, the following steps need to be performed manually:
1) open the following registry key via regedit:
    HKLM\SOFTWARE\ComputerAssociates\eTrust Admin
2) under the registry key, add a new string value: DisableExchange2007
3) set DisableExchange2007 value to 1 or 2.  The values are as follows:

·         Setting DisableExchange2007 = 1 will disable most  Exchange 2007 functionality and treat all Exchange servers as 2000/3.  See the Exchange 2007 section for more details.

·         Setting DisableExchange2007 = 2 will allow both Exchange 2003 and Exchange 2007 with reduced functionality.  See below for more details.

4) restart Superagent service.

[Note] The ADS log will include a message about whether the setting is on or off.

 

If you have followed the steps above and set the DisableExchange2007 to 2, please note the following applies to managed Exchange 2000/3 directories:

 

·         Mailbox rights cannot be managed.

·         Send-As permissions cannot be managed.

·         When creating or modifying an Exchange 2000/3 Policy, clicking on the ‘Mailbox Types’ button will enable the Exchange 2007 functionality.  Mailboxes will not be created on Exchange 2000/3 based systems and no error message will be returned.  Do not click on the ‘Mailbox Types’ button if you wish to create or manage Exchange 2000/3 Mailboxes via that policy.

 

If you do not apply this change the superagent will be unable to correctly manage the Exchange 2003 functionality.

 

CA Admin cannot create Exchange 2000/2003 mailbox via an Exchange 2007 specified policy.

 

Due to the introduction of support in eTrust Admin for Exchange 2000/2003 servers running in a clustered environment, Exchange mailbox rights can now be managed through policy only if actual values are selected in the policy for “Mailbox Server” and “Mailbox Store” (under “Exchange General” tab). That is, rule strings %EXCHS% and %EXCMS% cannot be used if mailbox rights are managed through the policy.

 

In Exchange 2000, Instant messaging attributes are not set correctly on the policy.

It is only noticeable if the managed endpoint name contains spaces.

Consider these names as an example:

            ''Active Directory 2000"     -- Will expose the problem

            "ads                              -- Will NOT expose the problem

 

Attempting to add an account from a child or parent domain to the mailbox rights list of an account will fail.

 

Mailbox move operation fails when run with Exchange 2000 server when mailbox is being moved between different stores on the same exchange server.

 

Using Admin Manager, it is not possible to add objects to the message restrictions list of an Active Directory group. eTA Manager allows the user to include an object, but once the change is applied the entries are removed from the list.

Using Admin Manager, it is not possible to add objects to the message restrictions list in a contact's policy. When the Add button is pressed, which should bring up the search dialog, the error message "The Parameter is incorrect" is returned.

 

If two mail servers have the same Storage Group / Mailbox Database name, then upon account creation, the MDB+Storage group is listed twice and creation fails

 

If adding an account to the permission list (mailbox rights or send-as) via the external domain or forest SHIFT+ADD method fails, the displayed list may inaccurately indicate that the failed account has been added to the list after a fail message has been displayed.  Refreshing the account properties page will clear any incorrect entries.

 

Exchange 2007

 

Currently, managing both Exchange 2003 and Exchange 2007 in a mixed Exchange 2003/2007 environment is not supported.  If you have chosen to follow the steps outlined under the Exchange 2003 Known Issues and have set the registry key value to 1, the following will be disabled for Exchange 2007:

1.    mailbox creation

§ user mailbox (CR21)

§ linked mailbox, shared mailbox, room mailbox, equipment mailbox (CR22)

2.    mailbox deletion

3.    mailbox movement

4.    mailbox permission management

5.    mailbox AD permission management

If you have added the registry key and set the value to 2, please note the following:

 

1.    By default, Mailboxes will be created as “Legacy Mailboxes”.  For example, right clicking on an account and selecting ‘custom > create mailbox’ will create a Legacy Mailbox.

2.    If you wish to create Exchange 2007 Mailboxes please set the mailbox type on the appropriate policy.  If you do not set the mailbox type, mailboxes created by the policy will be of type ‘Legacy Mailbox’.

 

The Exchange 2007 remote agent has to be installed on all managed Exchange 2007 servers.


The Exchange 2007 remote agent is unable to move Exchange 2007 mailbox across AD forest

The following mailbox types can only be created via the use of a eTrust Admin Policy (Exchange General tab, ‘Mailbox Type’ button):

·         Linked Mailbox

·         Shared Mailbox

·         Room Mailbox

·         Equipment Mailbox

Once created, these mailboxes can be managed directly or via the policy.  It is not possible to change the mailbox type after creation

Exchange 2007 does not accept a Mail Alias with white space; please make sure there is no white space in Mail Alias fields on eTrust admin Manager or etautil.exe command line or any other third-party facilities.

 

Attempting to add an account from a child or parent domain to the mailbox rights list of an account will fail.  Hold down the SHIFT Key while clicking ADD to directly add an account or group from another forest or domain.

 

Exchange Server 2007 allows administrators to select both 'Accept messages from only senders in the following list' and 'reject messages from senders in the following list'.  CA Admin Manager will only allow one to be selected, as was behaviour in Exchange 2003.  If both are natively selected in Exchange 2007, this functionality is working in CA Admin.

 

Unlike previous versions of Exchange server, Exchange Server 2007 does not allow creation of a user mailbox for suspended accounts. All other types of mailbox will have their associated user disabled.  Such accounts will not have their suspension state propagated from the Global User.

 

Any attempts to use an alternate Exchange Gateway (not the machine itself but another exchange 2007 server in the forest) will fail.

 

If two mail servers have the same Storage Group / Mailbox Database name, then upon account creation, the MDB+Storage group is listed twice and creation fails

 

Groups or accounts added via the SHIFT+ADD method on the mailbox rights page will have the 'read only' field, SEND-AS set to TRUE.  Objects added via the conventional method will have this field empty.

 

Selecting ‘Send-As’ from the Exchange Advanced tab will clear any new changes made to ‘Mailbox Rights’, and vice-versa.   Apply changes from one page before updating the other.

 

It is possible to set the storage limits incorrectly, resulting in invalid data being applied to the mailbox.  Ensure that ‘Issue Warning’ is always smaller than ‘Prohibit Send’, and ‘Prohibit Send’ is always smaller than ‘Prohibit Send and receive’.

 

If the FQDN of the managed AD directory contains a trailing white space, an error ‘Modify failed: Search of Global Catalog for proxyAddresses’ may be displayed.  Ensure there are no white spaces after the FQDN host name on the directory properties page.

 

The ADS connector uses the remote agent for all Exchange 2007 related operations.  This will result in slower performance on operations involving mailbox management when compared to management of Exchange 2000/2003.

 

To apply an email address to a mail enabled group, first create the group and then add the intended e-mail address(es) via the e-mail addresses tab.

 

2) set the value to 2


 

GINA

 

To prevent a security vulnerability via the “Save As” dialog, users can no longer use the “Browse” button in the “Certificate Export Wizard” dialog to browse the computer for the location where the certificate will be saved.

If a user wishes to save the certificate, type the filename (without the .cer extension) with its full path and continue with the wizard.

LND

LND Policy will not handle directory detail if it is created by SPML.

Full management of accounts in secondary Domino Directories is now supported. Accounts may be explored and created in a secondary directory (i.e. directory other than names.nsf, that is served by Directory Assistance), and may also be modified, recertified, renamed, moved, and deleted. Groups may be explored, modified, and deleted in a secondary directory, although they can only be created in the primary directory. When suspending accounts in a secondary directory, they will be added to the deny access group “Suspended_0” in the primary directory. This group is created on the primary directory of the registration server specified to DMOLNDConfig.exe when it is run during initial configuration of the LND Option.

It is not currently possible to add two groups that have the same name, but that exist in different Domino Directories, to another group. This is because Domino removes duplicate names from the Members field on Group documents, and in Domino, group names appear in the Members field without the directory name. For example, in eTrust Admin, the groups “names.nsf:LocalDomainAdmins” and “secnames.nsf:LocalDomainAdmins” would both be added to the Members field of another group as “LocalDomainAdmins” and therefore the duplicate would be removed by Domino, leaving only one instance of “LocalDomainAdmins.”

LND directory names can not exceed the total number of bytes allowed by eTrust Directory (approximately 120 bytes). Therefore if a LND directory name contains multi-byte characters, it will not be able to contain the full 64 characters that a directory name using only single-byte characters could contain. For example, if the directory name contains entirely multi-byte characters, no more than 29 characters may be used in the name. If the name contains a mixture of multi-byte and single-byte characters, the total characters allowed will vary.

A registry value is now available to control whether a particular Public Address Book should be the only source of account information used for a particular LND endpoint.  The following string value can be set on a per directory basis.  It should contain the data directory relative file name of the desired PAB.  The actual name of the directory should replace <DIRECTORY NAME> below:

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Admin\Lotus Domino\<DIRECTORY NAME>\PABName

 

Depending on your Domino server “Administration Process” settings, you may experience the following error “Modification failed: SuperAgent Modify failed: unable to set mail database quota” when duplicating LND Account that has  “Create Mailbox using Adminp Process” option and mail database quota or warning set.

Workaround:

1.      Once duplicate LND Account is created and its mailbox gets created, you can set mail database quota and warning using eTrust Admin.

2.      Change the “Administration Process” settings of your Domino Server to decrease the interval and increase the maximum number of threads.

Creating LND group and setting group member in the same etautil or SPML request fails and causes the “…Read failed: Operations error” every time you try to access any LND object.

Workaround:

1.      If you experience this issue, restart the SuperAgent.

2.      Create groups using etautil or SPML without setting LND group members. Once the groups are created, set the LND group members using eTrust Admin Manager.

3.      Addition, removal or replacement of members from LND group through etautil or SPML is not supported.

 

Addition, removal or replacement of members from LND group through etautil or SPML is not supported.

Workaround

1.      Use eTrust Admin Manager for adding or removing members from LND group

 

The LND Option now manages additional attributes which are not manageable via the SPML (JIAM) such as eTLNDAltFullName, eTLNDAltFullNameLanguage, eTLNDAltQualifyingOU, eTLNDNewMailFolder, eTLNDEmployeeID, eTLNDAssignedPolicy.

 

It is not currently possible to reliably extract the alternate qualifying OU name, if it exists, from the alternate name during account exploration.  Therefore, this field will not be populated on explored accounts.  It can be populated after exploration either by renaming the user and setting it either to its current or a new value (however, this will generate a rename request in the Adminp database, so it is not the recommended method unless at least one of the account name components is truly being changed).  It can also be populated by modifying the eTAltQualifyingOU attribute on the account to reflect the current alternate OU name.  This can be accomplished via a directory browser such as JXplorer or via a script (e.g. etautil command).  This is the recommended method if the goal is merely to set the alternate OU to its current value without actually renaming the user.  This method will not change the name – it merely sets the eTAltQualifyingOU attribute, which is used by eTrust Admin to hold the alternate OU name.

 

If an Alternate Name or Alternate Org Unit is set for a LND account after selecting the blank option from the dropdown list for Alternate Language, the account will be created and its alternate name information visible in eTrust Admin Manager.  However, the alternate name information has not been added to the user’s ID file and will not be visible in Domino Administrator.  Conversely, if an Alternate Language is configured but no Alternate Name or Alternate Org Unit is set, the Alternate Language will be visible for the account in eTA Manager, but not in Domino Administrator and the alternate name information will not be added to the user’s ID file.

 

The eTrust Admin LND Option now provides support for the management of alternate names on LND accounts.  In order to add alternate name information to an account ID, that ID must be certified by a certifier ID that itself has at least one alternate name configured.  The LND Option does not currently include the management of alternate languages on certifier ID files, so the administrator must perform some additional steps prior to using this new functionality:

 

First, the certifier IDs must be configured with alternate names using Domino Administrator (see Domino Administrator Help under the subject “Adding an alternate language and name to a user ID” for further details on completing this step).

 

Second, once the certifier IDs contain alternate name information, the existing Certifier documents for each certifier must be updated in the Certifiers database.  This is because the alternate name information is contained within the certifier ID file.  To do this, the administrator must open the Certifier documents using the Domino Administrator client, delete the existing certifier ID file, and attach the updated certifier ID file in its place.  In addition, if the password field on the Certifier document is empty, the correct ID password must be added to this field.  NOTE:  Updating the certifier ID files is necessary any time the alternate name information is changed in a certifier ID file.  If the original certifier IDs added to the Certifier database already contain the proper information, this step is not necessary. 

 

Third, each Organization or Organizational Unit certifier that contains alternate name information needs to be updated within the eTrust Admin database.  A new multi-valued attribute, eTLNDOrgCertAltLanguageList, has been added to contain all the languages supported by certifier.  This attribute must contain the applicable language code, not the name of the language (see the list below for supported language codes).  This can be accomplished by running a simple etautil script, or by using a directory browser such as JXplorer.  For example:

 

etautil -d MYDOMAIN -u etaadmin -p password update 'eTLNDDirectoryName=LND-R7,eTNamespaceName=Lotus Domino Server,dc=MYDOMAIN,dc=eta' eTLNDOrganization eTLNDOrganizationName='O:cai' to +eTLNDOrgCertAltLanguageList='ko' +eTLNDOrgCertAltLanguageList='fr'

 

Only those valid languages added to the Organization or Organizational Unit objects in the eTrust Admin database will be displayed as choices when creating accounts using that Org or OU.  An attempt to add an invalid code will result in an error. The languages on the Org and Org Unit certifiers are not actively managed. There is no checking done for the language code and if a language that is not supported is added to the org or org. unit and selected during account creation or rename – failures will occur. The workaround is to use etautil to remove the incorrect value.

 

Languages supported for alternate names and their associated codes are:

 

Language                  Language code
Albanian                  sq
Arabic                    ar
Bulgarian                 bg
Byelorussian              be
Catalan                   ca
Chinese (Simplified)      zh-CN
Chinese (Traditional)     zh-TW
Croatian                  hr
Czech                     cs
Danish                    da
Dutch                     nl
English                   en
Estonian                  et
Finnish                   fi
French                    fr
German                    de
Greek                     el
Gujarati                  gu
Hebrew                    he
Hindi                     hi
Hungarian                 hu
Icelandic                 is
Indonesian                id
Italian                   it
Japanese                  ja
Konkani                   x-KOK
Korean                    ko
Latvian                   lv
Lithuanian                lt
Macedonian                mk
Malay                     ms
Marathi                   mr
Norwegian                 no
Polish                    pl
Portuguese                pt
Romanian                  ro
Russian                   ru
Serbian                   sr
Slovak                    sk
Slovenian                 sl
Spanish                   es
Swedish                   sv
Tamil                     ta
Telugu                    te
Thai                      th
Turkish                   tr
Ukrainian                 uk
Vietnamese                vi
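
Because language codes are not checked when they are added to an Org or Org Unit, a pre-flight check against the table above can catch a bad code before etautil is run. The following is an added example, not part of the original readme or of CA's tooling: it validates codes against that table and assembles the update command in the shape of the etautil example earlier in this section. The function names are hypothetical, and treating the table's spelling as exact (case included) is an assumption.

```python
"""Pre-flight check for eTLNDOrgCertAltLanguageList values (added example)."""

# Language codes copied from the readme's table of supported alternate-name languages.
SUPPORTED_CODES = frozenset("""
sq ar bg be ca zh-CN zh-TW hr cs da nl en et fi fr de el gu he hi hu is id it
ja x-KOK ko lv lt mk ms mr no pl pt ro ru sr sk sl es sv ta te th tr uk vi
""".split())

# Case-insensitive index, used only to suggest the table's exact spelling.
_BY_LOWER = {code.lower(): code for code in SUPPORTED_CODES}


def check_codes(codes):
    """Return (accepted, problems): accepted keeps input order without duplicates."""
    accepted, problems = [], []
    for raw in codes:
        code = raw.strip()
        if code in SUPPORTED_CODES:
            if code not in accepted:
                accepted.append(code)
        elif code.lower() in _BY_LOWER:
            # Assumption: the table's spelling is exact, so "zh-cn" is rejected.
            problems.append(
                f"{raw!r}: not an exact match; the table lists {_BY_LOWER[code.lower()]!r}"
            )
        else:
            problems.append(f"{raw!r}: not in the supported language code table")
    return accepted, problems


def build_update_command(domain, admin, password, lnd_directory, organization, codes):
    """Build the etautil update command line, refusing any unsupported code.

    The command is returned as text for review; nothing is executed here.
    """
    accepted, problems = check_codes(codes)
    if problems:
        raise ValueError("; ".join(problems))
    if not accepted:
        raise ValueError("no language codes given")
    # The readme's example wraps values in single quotes, so a quote inside a
    # value would break the command line; reject it instead of guessing an escape.
    for value in (domain, admin, password, lnd_directory, organization):
        if "'" in value:
            raise ValueError(f"single quote not allowed in {value!r}")
    dn = (
        f"eTLNDDirectoryName={lnd_directory},"
        f"eTNamespaceName=Lotus Domino Server,dc={domain},dc=eta"
    )
    additions = " ".join(f"+eTLNDOrgCertAltLanguageList='{c}'" for c in accepted)
    return (
        f"etautil -d {domain} -u {admin} -p {password} update '{dn}' "
        f"eTLNDOrganization eTLNDOrganizationName='{organization}' to {additions}"
    )


if __name__ == "__main__":
    # Same values as the readme's own etautil example.
    print(build_update_command("MYDOMAIN", "etaadmin", "password",
                               "LND-R7", "O:cai", ["ko", "fr"]))
    # A mis-cased and an unknown code are both reported before anything is run.
    print(check_codes(["zh-cn", "xx"])[1])
```
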

The eTA Manager Policy Attributes tab page for the LND option will generate an error when displaying a policy previously edited via an etautil script that substitutes the newly supported %...% rule string for a container (Org. Unit).

The Directory dropdown list box in Policy Attributes tab page is not populated with the LND directory as expected. Running an etautil script with a rule string substituted for the container value in a policy will result in the directory value being removed, thus rendering policy attributes unmodifiable via eTA manager.

The user can still see which container an account has been created in, by searching for the account and viewing the Profile tab page in the account properties.

If the user wishes to see which container values exist, JXplorer or an etautil script can be used to search for container values.

Sample etautil Container Search script
 
To view Organization or Organization Unit that is set in a Policy:

etautil -u <user> -p <password> select 'eTLNDPolicyContainerName=LND Policies,eTNamespaceName=CommonObjects' eTLNDPolicy eTLNDPolicyName=<Policy Name> list eTAccountContainer

To view the directory that is assigned to the Policy:

etautil -u <user> -p <password> select 'eTSubordinateClass=eTLNDDirectory,eTSuperiorClass=eTLNDPolicy,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects' eTInclusionObject eTSuperiorClassEntry="eTLNDPolicyName=<Policy Name> *" list eTSubordinateClassEntry

Clarification of the behavior of the "Last Name" and "User Name" views in the archive database:

Both the "User Name" and the "Last Name" views assume that the last word in a name is actually the last name and therefore sort upon whatever follows the last space in the user name.  Take for example the name "Dick van Dyke".  An account with this name will appear under "D" for "Dyke" in both the "Last Name" and "User Name" views as "Dyke, Dick van" and "Dick van Dyke" respectively.

However, if the name were "Dick vanDyke" it would appear under "V" for "van" in both views, as "vanDyke, Dick" in the "Last Name" view and as "Dick vanDyke" in the "User Name" view. 

The same applies for users with only a last name and no first or middle name.  If there is a space in the name, the sorting will be done using the last word in the last name.

Rule strings for Default Certifiers can be viewed and modified on LND Policies via eTA Manager.

Lotus Notes (LND) Option with manually changed certifier name
-------------------------------------------------------------------------------
In some rare environments, the certifier names of some Organization Units were manually changed to lowercase or uppercase, resulting in a failure when doing a case-sensitive account search.

Usually re-exploration should correct the problem. But if re-exploration is not acceptable, the following can be a workaround:
1. On the Superagent server, create the following string registry entry with a blank value:
HKLM\Software\ComputerAssociates\eTrust Admin\Lotus Domino\<LND DIR>\EnabledOrgunitMapping

2. On the Superagent server, create a text file, <Program Files dir>LotusnotesOrgunit.ini, with the following format:
[Orgunit]
OUn=<Lotus_Notes_OU_Certifier_Canonical_Name>

Note:
a. 'n' is an index for the Organization Unit certifier names, starting from 0.
b. The value should be the canonical certifier name in the Lotus Notes Server. The LND Connector uses it to transform the internal LND account canonical name into the form identifiable in the Domino Server when searching for a person document.
c. An example:
[Orgunit]
OU0=OU=OuA/O=ca
OU1=OU=OuB/O=ca 

If the SuperAgent crashed, it could leave an orphaned instance of ldagt.exe running, which Admin uses to communicate with Lotus Notes. A change has been made which will allow an optional configuration setting to attempt to terminate these processes when the SuperAgent restarts, using the Notes NSD.EXE utility.
To enable this setting, create a registry entry under HKLM\SOFTWARE\ComputerAssociates\eTrust Admin. Name the entry LNDTerminateLdagtWaitSeconds, and create it as a DWORD value.

After a start or restart of the SuperAgent, the first attempt to access any LND endpoint causes the initialization of the LND option. As part of this initialization, Admin will now search for the LNDTerminateLdagtWaitSeconds registry key. If this key is found, the value will be read. If the value is 0 or negative, it will be ignored. If the value is a positive number, it will indicate the longest amount of time, in seconds, that the LND option will wait for the call to NSD.EXE to complete before continuing.

Siebel

In order to support suspended account resumption, the provisioning server has been modified to persist account state as part of the account modification operation.  More information about this significant change can be found in the Siebel Connector Guide and the Siebel Connector Online Help.

“Enable create user position feature” flag can be specified for a Siebel directory only after first exploration of that directory.

“Associated division” field on a “Create Position” property page of a Siebel user and policy sheets is not marked as mandatory. However it must be specified when creation of a new position for a user is chosen and a name of a position is provided.

Siebel allows objects to have duplicate names, but eTrust Admin does not, so while exploring a Siebel endpoint that contains objects with duplicate names, errors such as object already exists will be seen.

Siebel 8 requires the Siebel 8 client to be installed on the same machine as the Admin Server and Superagent. Siebel 7.x and Siebel 8 clients cannot co-exist on the same machine so in order to manage both versions you will need to use a Distributed Superagent architecture.

 

Exploration failures may be encountered due to Siebel having two Administrator Positions. Since there are two Siebel Administrator Positions, if the Siebel Administrator position is assigned to a Siebel User, viewing the Siebel User may show the Siebel Administrator assigned twice.

The primary position has now been classified as a capability attribute. However, please note:  If you create a policy where the value for the Primary Position is not explicitly set, then performing account synchronization will not change the primary position to one from the newly assigned policy. In order for a policy to change the primary position of an account, the value for primary position must be explicitly specified in the policy.


Oracle

During Profile create/modify, you are unable to set numerical values for both the keep field and the keep for field if the “keep password history” is selected.


Oracle Applications (FND)

After Oracle Applications directory is loaded to the memory, an attempt to stop the Superagent results in an application error popup. 

Note that exploration will fail until the charset portion of the NLS_LANG (in the registry) is updated to UTF8.


OS400

 

When creating a group object, the groupID must be specified with a value greater than 0. This is not currently enforced by all clients.

 

Also, changing the groupID of an account object to a value greater than 0 or changing the groupID of a group object to a value of 0 will cause the object type to change and leave the Administrative Repository out of sync with the endpoint.

 

Workaround: Re-explore the endpoint to re-sync the Administrative Repository with the endpoint.

 


PKI

 

When the PKI profile and entrust.ini files are located on a remote system, the Super Agent User (by default “etaslpad”) needs to be created on the machine where the profile and entrust.ini files are stored, otherwise the Super Agent User doesn’t have permission to access those files and you will not be able to acquire the end point.  Note: If you are using the administrative share on Windows machines, the Super Agent User needs to be added to the administrator group.
 


PLS

 

Length of the Application LoginID has been increased from 21 to 50 chars to handle long rulestrings.

 

 

RACF

 

Support for Norwegian character translation for the Name and TSO Procedure fields has been added.  Setting a system environment variable ETANORWAY=1 on the eTA Server machine is what triggers the translation to occur.  Note that only a system environment variable will work.  Also note that this fix applies only to Windows.

RSA


Note: As of CR13 the RSA agent is not backwards compatible. Ensure that the RSA agent is upgraded in synchronization with other upgraded components.

 

The Dollar character ($) cannot be used in any attributes of RSA accounts, groups or policies.  

 

Note:  To improve RSA connector performance during exploration, agent plug-in will return account names only. Correspondingly, only one session will be opened on RSA server during exploration.  This will limit correlation functionality, particularly if a global user creation mode is chosen. It will not be possible to populate first/last/full names of global users from RSA accounts during correlation.

This solution is considered interim.


The default behavior is the same as before. To get the improved performance at the cost of correlation/mapping, configure a new environment variable, ETRADM_FASTER_RSA_EXPLORE, and set it to a value of 1.

 

UNIX

A Unix-ETC/NIS Group with special characters (RFC 2253) in its name cannot be added to or removed from a Unix-ETC/NIS Account using the GUI ETC/NIS Account property sheet ("Member Of" tab).  When trying to do this, the following error message is raised: “modification failed: Attribute 'Group Memberships' may not contain the character '\'”

 

Workaround: Use the Unix-ETC/NIS Group sheet to add or remove Account(s) to/from this Group

 

It is possible to use etautil to assign non-existent Netgroups to an account.

Novell SuSe 10.x is distributed with an /etc/shadow file that is missing entries for "haldaemon" and "messagebus" although they are present in the /etc/passwd file.  If such an endpoint is explored, exploration failures will occur in eTrust Admin.  To work around this, run the "pwconv" tool to add both entries to the /etc/shadow file.

 

On a Linux endpoint, the UNIX-ETC remote agent requires the following library to be present:
 - libstdc++-libc6.2-2.so.3
If the library does not exist, install the corresponding compat-libstdc++ libraries before installing the remote agent.


UPO

When viewing a UPO directory property page, running a search for policies (but not changing the default policy) has the effect of unnecessarily modifying the page and enabling the "apply" button.

The UPO Directory page now has 3 additional fields under “eTrust Provisioning Server”:

·         Host name – The Provisioning Server to send requests to. This can be “localhost” for a single Provisioning Server configuration, or the name of an alternative Provisioning Server.

·         Port Number: Typically 20389, or 20390 (TLS)

·         SSL/TLS enabled: Check this to use SSL/TLS. The port specified above has to be the corresponding port at the destination to match the usage of this feature.


VMS

In case of pre- or post- VMS native exit failures, VMS_W_9004 ("Cannot communicate with host") is returned.

Rights can be specified only when modifying an OpenVMS policy; a new policy has to be saved and then updated with a rights list.


Connector Xpress

Directory Attribute Mapping page. Account Attribute drop down list.

1. The list contains all attributes from the parser table not actually used by the customer for this namespace.

2. The attribute name is an actual name not the Display name as specified in the Connector Xpress.

Requests to add accounts, groups and policies with invalid/non-mapped attributes for the DYN namespace are executed successfully and the objects are created. For example, Account has attributes:

string-0, ignoreCase-0, ignoreCase-1, int-0 but I can still create the account with string-0, string-1, string-2 etc. even though string-1 and string-2 are not defined for the account. Attributes should be validated somehow.

When mapping a DYN-int generic attribute to a number field with 10 digit length, entering some values for the field in an account, the number gets stored in the repository with leading zeros (e.g. Enter 456 and the number is 0000000456). If mapping the account to global user attributes, you can see these leading zeros.

Connector Xpress gives a default maxLength of 16 characters when mapping an Admin (string) attribute to a MS SQL “smalldatetime” database column. This is insufficient to store the required information.

Workaround:

Manually search for and modify the “maxLength” value (30 characters is enough) for the affected attribute when the user reaches the “Generate Metadata” screen, or save the unmodified metadata to an XML file and modify the XML with a text editor.   


Connector Xpress now allows String sync on single valued string attributes.


JCS

If JCS services are not available after a restart, or if the error message "Failed to load KRBSCRIPT No such file or directory" is observed, possibly in concert with other failure messages such as "DSA unwilling to perform", use one of the following workarounds:

·                Restart eta server, or

·                Re-enter the CS password in the CS Config in ConXp

If the system was upgraded from a previous CR, the following parameter may not be set in the eta_slapd.conf file (windows) or the eta_server.conf file (unix) and should be added to the file:

# The sockbuf_max_incoming parameter controls the maximum size in bytes
# of incoming packets. The SLAPD server will forcibly close any connection
# where packets larger than this limit are received.
# The default value (256 Kbytes) has been increased here to 2 megabytes in
# order to accommodate transmission and storage of metadata XML as required
# by the namespaces of Connector Manager and the Java Connector Hub.
sockbuf_max_incoming 2097152


When adding a new object via an LDAP ADD request which referred to non-existent objects through associations (e.g. adding a new native group that refers to non-existent native accounts) , JCS now throws LdapInvalidAttributesException (with decimal code 19 = CONSTRAINT_VIOLATION) instead of LdapNameNotFoundException (decimal code 16).

 

Note:  Subsequent to the JCS 1.0 release which coincided with CR11, legal clearance was received for including the DB2 driver and Windows license file in the JCS and Connector Xpress installers.

Therefore when using either of these components to talk to a DB2 endpoint on Windows the instructions under the “JDBC DB2 Vendor Support Activation” heading of Chapter 2 “Installing Java CS”  of the “Java Connector Server Implementation Guide” can now be ignored – connectivity is now supported “out of the box” and manual activation is no longer required. When talking to a DB2 z/Os endpoint, only the db2jcc_license_cisuz.jar file needs to be copied manually as the db2jcc.jar file is the same driver used for Windows and is therefore already present “out of the box”.

 

Out of the box, the JDBC DYN connector cannot handle attributes that are mandatory (i.e. NOT NULL) columns in the endpoint database but that are not really mandatory attributes from a user perspective. The NullValueClassConverter ClassConverter handles this case by mapping empty attribute values to a known null value. Typically this known null value will just populate the NOT NULL column with spaces. An example of where this might occur is a legacy database system that has a description field that is NOT NULL on the table being mapped to a user account. We don’t want to force administrators to enter a description for a user just to create a new account. So instead we don't make the description field mandatory and use the NullValueClassConverter to handle storing of an empty value. This Converter only supports character-based columns such as char and varchar.

 

Configuring JCS to Load the Converter:

The NullValueClassConverter plugin is shipped with the JDBC connector. To enable the plugin, configure it in an override connector.xml for the JDBC namespace. Typically this is done by renaming the file SAMPLE.connector.xml that is in "C:\Program Files\CA\Identity Manager\Connector Server\conf\override\jdbc" to connector.xml and editing it to add the necessary configuration information.

 

Add a new node for "classPluginConfigs" under the "converters" property node. In the default file there are already two property nodes, one for "typeToPluginMap" and another for "propertyPluginConfigs". The new "classPluginConfigs" property node should be added after them at the same level. See below for an example configuration.

 

Example classPluginConfigs property node that configures a NullValueClassConverter to store null values as spaces:

--------------------------------------------------------------------
<property name="classPluginConfigs">
  <list>
    <bean class="com.ca.jcs.cfg.MetaPluginConfig">
      <property name="pluginClass">
        <value>com.ca.jcs.jdbc.NullValueClassConverter</value>
      </property>
      <property name="pluginConfig">
        <bean class="com.ca.jcs.jdbc.NullValueClassConverter$NullValueConverterConfig">
          <property name="nullValue">
            <value> </value>
          </property>
        </bean>
      </property>
      <property name="metadataPropNames">
        <list>
          <value>useSpecialNullValue</value>
        </list>
      </property>
    </bean>
  </list>
</property>
---------------------------------------------------

 

Important points from configuration:

- The property "metadataPropNames" has a value of "useSpecialNullValue". This is the name of the metadata attribute that needs to be added in the Connector Xpress Dyn mapping to each attribute that is going to be handled by this plugin. JCS will check for the presence of this metadata attribute before enabling the plugin.

- In the pluginConfig there is a property called "nullValue", which is a space in the default case. This is because in the standard configuration for an Oracle database an empty string is considered to be a NULL. Changing this to other values is possible but may require additional configuration of the endpoint database. Some databases such as DB2 are happy storing an empty string.

 

Configuring attributes:

Using Connector Xpress or another tool, edit the metadata for your Dyn namespace. Add a new boolean metadata attribute to the attribute that you want to be handled using NullValueClassConverter. Set the metadata attribute name to "useSpecialNullValue" with boolean value "true". Then set the "isRequired" metadata attribute to "false". Repeat this procedure for all attributes that you want handled this way.

The default policy will need to be updated too. For all account attributes that have been changed to not mandatory the corresponding attribute on the default policy will need to be made non-mandatory as well.

 

Example: the "Description" attribute of your account is mapped to "eTDYN-str-01". In Connector Xpress expand the "eTDYN-str-01" node. Select the metadata sub-node and click on the "Add" button at the top of the screen. Select the new metadata attribute node and change the name to "useSpecialNullValue". Then change its type to boolean and set the value to true. Then scroll down to the "isRequired" metadata attribute on "eTDYN-str-01" and change its value from "true" to "false".

JCS SDK

Re-exploring a managed JCS SDK directory will remove the contents of that directory. Avoid re-exploring SDK directories.

 

Pressing Help (F1) for SDK ‘directory’ and ‘properties’ pages will return a ‘page not found’ error.  To view the help for these pages, please use the eTrust Admin Manager Help to navigate to the pages via ‘Connectors’ > ‘SDK’ > ‘reference.’

 

N16

If a firewall is on, inbound firewall rules need to be added for the CAM/CAFT executables. This is specifically required if an MS Vista endpoint will be managed using eTrust Admin.

 

LDAP

The LDAP connector does not support search filters with strings containing multiple wildcards, because such a search may require the SuperAgent to be restarted.
For example, the search filters "(eTLDADN=*steve*)" and "(eTLDADN=*a*b*c)" are not supported.
"(&(eTLDADN=*steve)(eTLDADN=steve*))" returns the expected results.

Oracle Internet Directory displays the incorrect error message "DSA UNWILLING TO PERFORM" when the password is too short. The minimum password length is 10.

 

SPML

SPML clients cannot manage DYN Namespaces that have been created with non-ASCII characters in the metadata, including the namespace name. Please use other clients such as Admin Manager and etautil to manage these DYN Namespaces.

 

When running many transactions through the SPML server, it is possible for Tomcat to throw “out of memory” exceptions. In this instance you will need to restart the Tomcat application/service in order to continue using any application deployed on Tomcat.

 

A date value in the format yyyy-mm-dd cannot be set for an attribute that is mapped in JIAM to a “Date” data type. You will need to set the date using the following format: yyyy-mm-ddT00:00:00

 

When searching for a value of an attribute that is mapped in JIAM to a “Date” data type, the returned value will be in the following format: yyyy-mm-ddT00:00:00

 

If the SPML Manager and SPML Server are different versions, various failures might occur. Please ensure that the SPML Manager and SPML Server versions are always in sync. Follow the instructions described on the eTrust IAM SPML Requesting Authority web page to download and set up the SPML Manager.

 

Using SPMLManager, a request that contains no requestID and an incorrect identifier causes an error: "Received unknown SOAP exception: com.ca.commons.spml.client.SoapFaultException:SOAP-ENV:Client, SPML request could not be parsed from null, please contact the system administrator.” This will leave the SPML Service in a state where it cannot even respond to correctly formed SPML requests. The workaround for this problem is to disable validation of SPML requests and responses.

 

The following steps will turn off validation of SPML requests in Tomcat installed as a service:

1) Open Regedit

2) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache Tomcat 4.1\Parameters

3) Add 1 to the value of "JVM Option Count"

4) Add new String value "JVM Option Number X" where X is equal to "JVM option count" - 1. I.e. the option numbers start at zero.

5) Set the value of new string value to "-Dcom.ca.commons.spml.noXmlValidation=true".

6) Restart Tomcat service.
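
The six registry steps above, scripted as an added example (not part of the CA readme or product): it lists the current JVM options, reports whether the flag is already set, and changes the key only when run with -Apply. The parameter names, the DWord fallback for a missing count value and the optional service name are assumptions.

```powershell
# Added example, not CA's code. The key path and option string are from the readme;
# parameter names and the DWord fallback are assumptions.
param(
    [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Apache Tomcat 4.1\Parameters',
    [string]$Option  = '-Dcom.ca.commons.spml.noXmlValidation=true',
    [string]$ServiceName,   # assumption: pass your Tomcat service name to restart it
    [switch]$Apply          # without -Apply the script only reports
)
$ErrorActionPreference = 'Stop'
$countName = 'JVM Option Count'

$key      = Get-Item -Path $KeyPath
$hasCount = $key.GetValueNames() -contains $countName
$count    = if ($hasCount) { [int]$key.GetValue($countName) } else { 0 }

# Existing options are numbered 0 .. count-1; list them so the change can be reviewed.
$existing = @(for ($i = 0; $i -lt $count; $i++) {
    $name = "JVM Option Number $i"
    [pscustomobject]@{ Name = $name; Value = $key.GetValue($name) }
})
$existing | ForEach-Object { Write-Host ('{0} = {1}' -f $_.Name, $_.Value) }

if ($existing | Where-Object { $_.Value -eq $Option }) {
    Write-Host 'Option already present; no change needed.'
    return
}

# Step 4: X = (new count) - 1, which is the old count, because numbering starts at zero.
$newName = "JVM Option Number $count"
if ($key.GetValueNames() -contains $newName) {
    throw "'$newName' exists although the count is $count; correct the key by hand."
}
if (-not $Apply) {
    Write-Host "Option not set. -Apply would add '$newName' and set the count to $($count + 1)."
    return
}

# Write the option before raising the count, so a failure cannot leave the
# count pointing at a missing option. The count keeps its existing registry type.
$kind = if ($hasCount) { $key.GetValueKind($countName) }
        else { [Microsoft.Win32.RegistryValueKind]::DWord }
New-ItemProperty -Path $KeyPath -Name $newName -Value $Option -PropertyType String | Out-Null
Set-ItemProperty -Path $KeyPath -Name $countName -Value ($count + 1) -Type $kind

# Step 6: the JVM reads these options only at service start.
if ($ServiceName) {
    Restart-Service -Name $ServiceName
} else {
    Write-Host 'Restart the Tomcat service for the option to take effect.'
}
```

Run without -Apply, the script is also a quick way to check which servers already carry this workaround, since the flag turns off validation of SPML requests.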

 

Otherwise, if you are running Tomcat from the command line, the startup batch file will need to be modified.

To add this functionality to SPMLManager and Workflow IDE, edit the batch file of each one and add "-Dcom.ca.commons.spml.noXmlValidation=true" to each one. For example, the SPML Manager batch file looks like this:

--------------------------------------------------------------------
@echo off
REM To turn off XML validation, please set the
REM system variable -Dcom.ca.commons.spml.noXmlValidation=true

REM To skip SSL hostname verification, please set the
REM system variable -Dcom.ca.commons.spml.skipSslHostnameVerification=true

set TRUSTSTORE=%HOMEDRIVE%%HOMEPATH%\.spmlkeystore
set TRUSTSTORE_PASSWORD=changeit

java -Djavax.net.ssl.trustStore="%TRUSTSTORE%"  -Djavax.net.ssl.trustStorePassword="%TRUSTSTORE_PASSWORD%" -classpath .;lib\raclients.jar com.ca.iam.spmlclients.v1.SpmlManager
--------------------------------------------------------------------

 

and will look like this:

--------------------------------------------------------------------
@echo off
REM To turn off XML validation, please set the
REM system variable -Dcom.ca.commons.spml.noXmlValidation=true

REM To skip SSL hostname verification, please set the
REM system variable -Dcom.ca.commons.spml.skipSslHostnameVerification=true

set TRUSTSTORE=%HOMEDRIVE%%HOMEPATH%\.spmlkeystore
set TRUSTSTORE_PASSWORD=changeit

java -Djavax.net.ssl.trustStore="%TRUSTSTORE%"  -Dcom.ca.commons.spml.noXmlValidation=true  -Djavax.net.ssl.trustStorePassword="%TRUSTSTORE_PASSWORD%" -classpath .;lib\raclients.jar com.ca.iam.spmlclients.v1.SpmlManager
--------------------------------------------------------------------

 

The Active Directory connector’s parser table has been extended to contain new attributes required for managing Exchange 2007 endpoints. These new attributes are not present in SPML.

When modifying an account through SPML to add a policy to it, the following error message is returned by the option plugin: "Read failed: Failed to find home server DN.". This error only occurs when an Exchange Gateway is defined in the directory's property page. Otherwise the operation is ok.

 

Reporting

When upgrading to the latest CR, the reporting database is reset. The reporting database will need to be reloaded before reports can be viewed.

If you need to retain your existing reports please contact CA Support (http://support.ca.com) for further information.

 

eTrust Admin Reporting is not supported on MS Vista. 

 

Reporting for the PKI option is now supported.

 

After upgrading from ETA 8.1 to ETA 8.1sp2, reports that showed which users had set their self authentication questions and answers no longer work. Prior to ETA 8.1sp2 the reporting system connected to the underlying repository (port 20391) rather than to the Provisioning Server (port 20389). The connection to the repository returned the encrypted questions and answers, which indicated which users had set their questions and answers. The removal of the ability to connect to the repository was one of several security enhancements. The Provisioning Server has restrictions that prevent it from returning security sensitive information such as the self auth Q&A when enumerating users. To resolve this problem, a configuration parameter has been added to the Provisioning Server to allow authorized users to check whether the self auth Q&A have been set on a selection of global users without revealing the actual values.

 

The new parameter is Compatibility/Self Q&A Replacement Message and is found under "Domain Configuration" on the "System" tab of the Admin Manager.

 

Set this parameter to the message you want returned to indicate that a self authentication question or answer has been set. Leave the parameter blank or empty if you want to disable the ability to check that the Q&As have been set. By default this feature is disabled. In normal usage, global user self authentication Q&A attributes are only retrieved for a single specified user when explicitly requested. This allows the Admin Server to log when these Q&As are viewed. However, some reporting tools have been implemented to check user compliance with self authentication requirements by enumerating users that have not set their Q&A. This parameter allows these reports to work as they did on versions of Admin prior to 8.1sp2. Base searches (reads) of global users are unaffected by this parameter; authorized administrators can retrieve the actual values of these user attributes.

 

 

SAP

 

In the SAP R3 Directory window, the ‘SAP Directory Name’ field is a mandatory field and needs to be denoted with an asterisk (*).

 

When the option "Changed passwords are expired" is not enabled, this is known to cause failure when creating new SAP accounts on CUA Master SAP Kernel 6.40. It is recommended to enable this option as this is the default behavior in SAP.

 

When the option "Changed passwords are expired" is not enabled, a password change for an existing SAP account may fail with the message "PASSWORD NOT ALLOWED" if password policy is set in SAP. Subsequently, the account may be set with an unknown password. When this happens, repeat the password change with a different password until the change is successful. If password change results in the "PASSWORD NOT ALLOWED" error but "Changed passwords are expired" option is enabled, then the account's password will be unchanged. It is recommended to enable this option as this is the default behavior in SAP.

 

Applying some of the entries in the selection dialog for the field “Name supp:” on the “Address” page of account does not work. The workaround for this issue is to enter the valid value for the field in the edit box directly.

 

The values in the selection dialog for the field “Name supp:” on the “Address” page are wrong when creating SAP Policy. The workaround for this issue is to enter valid values in the edit box for the field directly.

 

The email address of an account can not be removed once the account has been created. The workaround will be to use the SAP native tool to remove the email address from the account.

 

If the account is created with a blank space, it will cause the exploration to fail. This only applies to the C++ connector.

 

Croatian UNICODE characters are not acceptable characters to enter for the domain component of an email address.

Creating or modifying an account’s email address (e.g. <Name/Identifier>@<Domain>) with Croatian UNICODE characters will fail.

This applies to the domain component of the email address (<Name/Identifier>@<Domain>), as UNICODE characters are not supported in the name of the email.

 

 

 

7.1 SAP CUA (New) Known Issues

7.1.1 SAP Assign Group Error

The Add button on the Groups tab sometimes fails to return the list of available user groups on the SAP System. To add user groups, you can use the New line button on the tab. You will need to know the exact user group name if you use this method.

7.1.2 Assigning Contractual User Types

When assigning a contractual user type to a user on the License Data tab, the change can only be applied to the Master system, not any of the child systems.

It is possible to change the contractual license types for the children natively.

7.1.3 Account Suspension State not Displayed Correctly

When setting a global user's status to suspended and propagating the change to a SAP account, the account attribute eTSuspended is not set to 1. As a result, when a global user is suspended, all associated accounts within the SAP CUA environment are locked correctly but when viewed in Self Service or Identity Manager, these accounts are listed as locked only instead of locked and suspended. When the global user is resumed or activated again, associated accounts are unlocked correctly.

7.1.4 Mandatory Fields in the Contractual User Type Attribute

The Contractual User Type that can be specified on the account's License Data tab cannot have mandatory fields other than the LIC_TYPE field. For example, if you have to specify the name of a SAP R3 System (SYSID) to use a Contractual User Type, the assignment will fail and you will get an error saying that there is a missing value for the Name of the SAP R3 System.

7.1.5 Concurrent Requests Delays

If there is a large number of concurrent requests executed against the connector, performance can be adversely affected.

7.1.6 Add Button on Groups Tab (SAP Account Property Sheet)

For SAP account and policy properties, the Add button will list the groups when the endpoint is SAP NW2004s and above. For others, use the New Line button to add groups to the account.

7.1.7 Schema Migration (Solaris only)

When upgrading/migrating from the SAP C++ connector to the SAP JCS connector on Solaris, the account cannot be created because of the error message "eTSAPSNCIsUsed: attribute type undefined." for the SAP connector. To resolve this issue, apply the following workaround:

1.      su - etaslapd

2.      schemagen -n SAP

3.      eta restart

7.2 PeopleSoft (New)

The following is a guide for system configuration requirements that have to be met before attempting to perform an endpoint explore.

1.      Ensure that total memory (physical + paging file) is adequate. For a PeopleSoft system with 250,000 user profiles, allow 1G for IMPS and 512M for JCS.

2.      Ingres disk space should be adequate. For 250,000 user profiles, allow 1G.

3.      Increase Jvmmx setting for JCS to 512.

 

 

 

An instance of JCS can manage only one version of PeopleTools. To manage PeopleSoft installations with different PeopleTools versions, a separate JCS instance must be installed for each PeopleTools version. ConnectorXpress can then be used to set the managing CS (JCS instance) for each endpoint.

 

PeopleSoft reserves a few numbers above the configured port number for connecting to the JOLT / PeopleSoft Application Server. When connecting to any of these port numbers, the JOLT interface library used by the connector may go into an indeterminate state. PeopleSoft recommends not to use any of these port numbers when connecting to JOLT. However, in case of a mistake in configuring an endpoint to use any of these port numbers, a 30 second timeout is provided by the connector. In these situations, an error message will be sent by the connector, and the only solution is to restart JCS.

 

 

In high-load situations, some transactions may fail (in tests using 50 threads running simultaneously, with each thread performing 50 transactions consecutively, around 2 transactions failed). This happens when the connection timeout is hit, which is caused by existing connections becoming invalid and new connections being attempted. In these cases, retry the transactions when the load has reduced.

 

In order for PPS to work with IM, the files jiam.jar and cacommons.jar need to be replaced with updated files which are available from deployed “etadm-jiam-windows-8.1sp2-CR” package (default location: C:\Program Files\CA\eTrust JIAM SDK\lib). In IM, these files are located in "app server install dir\deployment dir\IdentityManager.ear\library\”. After replacing these files the Application server will need to be restarted.

 

Some operations consist of multiple transactions between the connector and the remote PeopleSoft system. Such operations include, but are not limited to, assigning multiple Roles as Grantors/Grantees of another Role, and exploration of PeopleSoft objects. Performing these operations usually takes time. For example, assigning 5000 Roles as another Role's Grantor may take several minutes.

 

Furthermore, these transactions may require locking/unlocking of PeopleSoft database tables. Thus, if these operations are performed simultaneously, it is probable that the total time to complete all the operations will be more than the combined time of the individual operations.

 

In some cases there can be performance issues when updating multi-valued PeopleSoft permission list attributes. This occurs because Admin Manager sends replace requests to the JCS when updating PeopleSoft attributes. Multi-valued attributes with a very large number of values can take a few minutes to update. A replace request replaces all of the old values with the current set of values; therefore the time taken to complete an update request depends as much on the original number of values associated with the attribute as on the number of values added, removed or changed. For example, it is not uncommon for PeopleSoft permission lists to have a large number of menus and associated component/page permissions; therefore any change, even adding a single menu, can be time consuming.

 

 

 

When deleting Permission lists that are currently in use with PeopleSoft Roles or User Profiles, an error message is encountered which cannot be fully displayed in the Message window, due to character restrictions.

The full error message can be obtained by copying and pasting it into a Word document.

 

 

When using the Identity Manager user console deployed on a WebSphere v6.0.2.17 application server to view policies created in Provisioning Manager, the error message “java.lang.Error: PropertyDescriptor: internal error while merging PDs” is encountered. As a workaround, policies can be viewed using the Provisioning Manager.

 

For email addresses, functionality has been added to be able to correlate the User Profile's primary email address to a global attribute. To do so, a new account attribute, CorrelatePrimaryEmail, must be used in the attribute mapping tab. The value for this attribute is calculated.

 

The names of PeopleSoft User Profiles and Roles are case-insensitive in the PPS Connector. While it is possible to create two User Profiles or two Roles with the same name, differing only in case, such as "MyRole" and "myrole" using PeopleSoft native tools, such objects will be considered the same by the connector, and an "Object already exists" error will be reported during exploration.


8.0 Contact Technical Support

For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at http://support.ca.com/.


Copyright © 2007 CA. All rights reserved.