CA ControlMinder 12.7 - CumulativeFix-3 (CF3) FIXLIST
24 May 2019
| Severity | Module | Problem summary | Package | OS | Cause of the problem | Conditions | Solution or workaround | Reproduction steps |
|---|---|---|---|---|---|---|---|---|
| 2 | ENTM | Fixes an issue with the Sybase endpoint where discovered privileged accounts show a checkmark in the "Discovered Accounts" column, but once those accounts are modified and assigned to a group they no longer have a check in the "Discovered Account" column. | AC1271047 | All | The container name for the Sybase endpoint on the endpoint side is "SYBASE Accounts", but our configuration file has the container name as "Sybase Accounts". | The container name for the Sybase endpoint is changed from "Sybase Accounts" to "SYBASE Accounts" in the configuration file. | 1. Discover two accounts. 2. After discovery, rerun the discovery and you will see two check boxes showing the accounts have been discovered. 3. Modify the privileged account and give it a group owner. 4. Discover the accounts again and you will see that the checkbox has been removed. | |
| 3 | ENTM | Fixes an issue where the priority column is missing from the privileged accounts audit search results in case the filter is used for task priority. | AC1270958 | All | The trigger name was overwritten in the QRTZ_TRIGGER table if the same privileged account was checked out by two PUPM users within the first user's privileged account checkout expiration time. Because of that, the trigger fires only once, so the privileged account is checked in by one user. | Check out the privileged account as the first PUPM user, then check out the same privileged account as the second PUPM user; both PUPM users will be observed to have a single JobName and Trigger (example: UniqueID-privilegedaccountname). Changed the JobName and Trigger name to the form UniqueID-privilegedaccountname-UserUniqueName. | 1. Modify any privileged account (example: test privileged account): go to PrivilegedAccounts->Accounts->Modify Privileged Account, then set "Check out Expiration (Minutes):" (example: 5 minutes) and save it. 2. Create two PUPM users (example: test1, test2). 3. Check out the test privileged account using test1. 4. Check out the test privileged account using test2. 5. Wait for 5 minutes after checkout. Observe that test is checked in after 5 minutes by the test1 user successfully, but with test2 the test privileged account will not be checked in, even after timeout expiration. | |
| 3 | ENTM | Fixes an issue where the account and endpoint details were missing from the audit search results. | AC1270960 | All | This occurred because a port number is not assigned for Apache's friendly URL as per the documentation, and we had released fix T5P0158, which was designed with our documentation in mind. | Code changes: support an Apache server configured without a port. | Configure Apache without a port. 1. Set up Primary ENTM and LB ENTM and configure them with Apache. 2. Create a user and mark it to change password on login. 3. Access the friendly URL and log in with the user created in step 2. Actual Result: User details are empty. Expected Result: User details must be filled. | |
| 3 | ENTM | Fixes an issue where, while adding a user account, it was possible to enter a string as the phone number instead of digits. | AC1270968 | All | Inheriting custom fields from the endpoint just in case they were not filled in the newly created account. | 1. Create a privileged account. 2. Fill the Information tab fields (Department and Custom 1 - Custom 5 fields). 3. Submit. 4. View the newly created account: the custom fields were not saved. | ||
| 2 | ENTM | Fixes an issue with the privileged account feeder where the CHECKOUT_ONLY_AUTO_LOGIN property was not properly updated. | AC1270979 | All | The problem occurs because we convert the date to a Long value, which is the number of seconds since January 1, 1970, 00:00:00 GMT. The date stored in the DB is in UTC, but when converting that date to a Long value we convert it using the server's time zone; as a result, the value sent to the audit queue is wrong. | Code changes: treat the date as UTC and convert the date to a long value using the UTC time zone. | After upgrading CM to version 12.8, the client's SAM events are being created with an incorrect time stamp. - SAM events in 12.8 are reported by UAR to occur in the future. - UAR has not used any special offsets for TIBCO in the past. An account was checked out at 3:56 PM. UAR reports it as 8:55:54 PM because we are in GMT-5. Epoch, Event_Date = 1392429354: Friday, February 14, 2014 8:55:54 PM GMT-5. Epoch, Checkout Date = 1392429373: Friday, February 14, 2014 8:56:13 PM GMT-5. EST Eastern Standard Time GMT-5:00 -18000 | |
| 3 | ENTM | Fixes an issue with Endpoint Management where an error message appears while attempting to create a TCP resource. | AC1270982 | All | The Login Application Job cleans up leftover invalid tickets every 60 seconds. | |||
| 2 | ENTM | Fixes an issue where SAM events were not sent to the Message Queue audit queue. | AC1271035 | All | Code change: keep the base URL host name as the host the request came from. | 1. Set up Primary ENTM. 2. Set up LB ENTM. 3. Create a user and mark it to change password on login. 4. Go to the LB ENTM and log in. The user details remained empty. | ||
| 3 | ENTM | Fixes an issue where the specified time to live value was wrongly calculated. Rather than calculating the value as minutes, the value was calculated as seconds. | AC1271039 | All | When retrieving the user password and associating it with a span id, the function assumes the '<' character is the start of an HTML tag, and hence all the characters after it are ignored. | 1. ENTM WebUI login. 2. Home->My Privileged Accounts. 3. Checkout against a user. 4. Select "Copy to Clipboard". In this case: if the generated password has a '<' char, all chars after < are not copied. | ||
| 3 | ENTM | Fixes an issue where the Cleanup Submitted Tasks ends with an error message after upgrading from 12.7 CF2 to 12.8 GA | AC1271041 | All | Code Changes: Need to put validation in place while deleting the account. | 1. Checkout an account. 2. Go to Delete privileged account and delete the checked out account Expected Result: System must throw error saying account is checked out. Actual Result: System is deleting the account though it is checked out. | ||
| 3 | ENTM | Fixes an issue where the Business Phone and Cell Phone fields validation did not work properly. | AC1271027 | All | The MS functions SetForegroundWindow and SetFocus do not bring the PuTTY window to the front and the PuTTY window can't get the keyboard focus; therefore the first char of the password is not sent to the PuTTY window. To bring the window to the front, a keyboard event needs to be simulated right after the call to SetForegroundWindow and SetFocus. | Try to auto-login through a PuTTY session continuously; sometimes “Access denied” is observed even though the password and username are correct (printed the password and username in putty.vbs). | ||
| 3 | ENTM | Fixes an issue where the system failed to change a password according to the password policy setting. | AC1271028 | All | 1. Create an endpoint via the REST API. 2. Browse to the View Endpoint page at Privileged Accounts->ENDPOINT->View Endpoint: the password is shown as clear text in the password field. | |||
| 3 | ENTM | Fixes an issue where an account in a localized environment is deleted when deleting the endpoint although the account is checked out. | AC1271029 | All | The account is stored in localized format but the database query is not handling localized comparison. | Handle localized comparison in the database properly. | 1. Create an endpoint and discover the privileged accounts in a localized environment (Japanese). 2. Check out a few accounts, then try to delete the checked-out accounts. NOTE: The same scenario works if we create the endpoint and discover the privileged accounts through an English browser. Expected result: System must throw an error saying the account is checked out. Actual result: System is deleting the account though it is checked out. | |
| 2 | ENTM | Fixes an issue where the job that handles the 'In progress' tasks does not handle all task sessions that are in progress; rather, it only updated the events. Therefore, some existing tasks in the task session table show the "In Progress" state. | AC1271033 | All | ||||
| 2 | ENTM | Fixes an issue where the system failed to change a password according to the password policy setting. | AC1271034 | All | At the time of password policy execution. | Fixed the time calculation using the "to time" in the password policy. | 1. Create a password policy. 2. With Password Expiration Interval 1 day. 3. Set Time Interval from 00:00 to 01:00 every day. 4. Modify some account and set its password policy to the newly created password policy. Expected Result: Every day the password of the accounts must change at 00:00. Actual Result: Password changes after 2 days. | |
| 3 | ENTM | Fixes an issue where the "Checked-out By" field is left empty for several checked out passwords in case the system locale is not English. | AC1271018 | All | The date is not formatted based on the locale if the locale is other than English. | Irrespective of the locale, the date is formatted in a common format and displayed correctly. | 1. Modify any privileged account: go to PrivilegedAccounts->Accounts->Modify Privileged Account, then set "Check out Expiration (Minutes):" (example: 5 minutes) and save it. 2. Set the browser language to Japanese (japan[ja-JP]). 3. Check out the same privileged account. 4. Click Show Details, then observe that "Checked-out By:" is empty. | |
| 3 | ENTM | Fixes an issue where resetting a user password using the Password Must Change option results in a string index out of bound error. The behaviour was observed in case the base URL in the CA IdentityMinder Management Console is missing the port number. | AC1271019 | All | 1. Configure ENTM with an Apache reverse proxy or with IIS in such a way that you don't need to provide a port number while accessing ENTM. Apache reverse proxy: listen on port number 443 or 80 in httpd.conf so that you can access the ENTM URL without providing a port number. 2. Update the Base URL in IDMMANAGE. Access the ENTM URL without a port number. 3. Log in as superadmin, reset the password for any sam user, and select change password on next login. 4. Log out as superadmin and log in as the sam user. Expected Result: It must redirect to the page to reset the password. Actual Result: The page shows a String index out of bound exception. | |||
| 3 | ENTM | Fixes an issue where the password change by checkout via RDP login is not listed in “Show Previous Account Passwords”. | AC1271022 | All | While doing RDP we are not executing CreateAccountPasswordHistoryEvent, which makes an entry in the show previous account passwords list. | I made a change in the method called during RDP, and password changes are now getting listed. | 1. Create an endpoint with a login application (RDP). 2. Create an account for the endpoint with [Change Password on Check out] checked. 3. Execute a normal checkout for the account. 4. Check [Show Previous Account Passwords] for the account. The password change in step 3 is listed in password history as expected. 5. Execute automatic login (RDP) for the account. 6. Check [Show Previous Account Passwords] for the account. The password change in step 5 is not listed in password history. This is the problem. 7. Log out from RDP and click Yes in the checkin confirmation dialog. 8. Check [Show Previous Account Passwords] for the account -> the password change in step 7 is listed in password history as expected. The password change by check out via automatic login is not listed in password history in [Show Previous Account Passwords] while other password changes are listed. | |
| 2 | ENTM | Fixes an issue where the Check Out Expiration does not work in case the account is checked out by two users. | AC1271023 | All | The trigger name was overwritten in the QRTZ_TRIGGER table if the same privileged account was checked out by two PUPM users within the first user's privileged account checkout expiration time. Because of that, the trigger fires only once, so the privileged account is checked in by one user. | Check out the privileged account as the first PUPM user, then check out the same privileged account as the second PUPM user; both PUPM users will be observed to have a single JobName and Trigger (example: UniqueID-privilegedaccountname). Changed the JobName and Trigger name to the form UniqueID-privilegedaccountname-UserUniqueName. | 1. Modify any privileged account (example: test privileged account): go to PrivilegedAccounts->Accounts->Modify Privileged Account, then set "Check out Expiration (Minutes):" (example: 5 minutes) and save it. 2. Create two PUPM users (example: test1, test2). 3. Check out the test privileged account using test1. 4. Check out the test privileged account using test2. 5. Wait for 5 minutes after checkout. Observe that test is checked in after 5 minutes by the test1 user successfully, but with test2 the test privileged account will not be checked in, even after timeout expiration. | |
| 2 | ENTM | Fixes an issue where, in a load balancing environment, when setting a user password profile as PASSWORD MUST CHANGE, the user is redirected to the reset password page on the primary machine but gets the page without the user's details, and there is no way to provide user login details. | AC1271026 | All | This occurred because a port number is not assigned for Apache's friendly URL as per the documentation, and we had released fix T5P0158, which was designed with our documentation in mind. | Code changes: support an Apache server configured without a port. | Configure Apache without a port. 1. Set up Primary ENTM and LB ENTM and configure them with Apache. 2. Create a user and mark it to change password on login. 3. Access the friendly URL and log in with the user created in step 2. Actual Result: User details are empty. Expected Result: User details must be filled. | |
| 3 | ENTM | Fixes an issue where data in the custom information fields in the create privileged account page are overridden by endpoint information data. | AC1271011 | All | Inheriting custom fields from the endpoint just in case they were not filled in the newly created account. | 1. Create a privileged account. 2. Fill the Information tab fields (Department and Custom 1 - Custom 5 fields). 3. Submit. 4. View the newly created account: the custom fields were not saved. | ||
| 2 | ENTM | Fixes an issue where, after upgrading to 12.8, the SAM events are created with an incorrect time stamp. SAM events in 12.8 are reported by UAR to occur in the future. | AC1271014 | All | The problem occurs because we convert the date to a Long value, which is the number of seconds since January 1, 1970, 00:00:00 GMT. The date stored in the DB is in UTC, but when converting that date to a Long value we convert it using the server's time zone; as a result, the value sent to the audit queue is wrong. | Code changes: treat the date as UTC and convert the date to a long value using the UTC time zone. | After upgrading CM to version 12.8, the client's SAM events are being created with an incorrect time stamp. - SAM events in 12.8 are reported by UAR to occur in the future. - UAR has not used any special offsets for TIBCO in the past. An account was checked out at 3:56 PM. UAR reports it as 8:55:54 PM because we are in GMT-5. Epoch, Event_Date = 1392429354: Friday, February 14, 2014 8:55:54 PM GMT-5. Epoch, Checkout Date = 1392429373: Friday, February 14, 2014 8:56:13 PM GMT-5. EST Eastern Standard Time GMT-5:00 -18000 | |
| 3 | ENTM | Fixes an issue where a string index out of bound error message appears when resetting a user password with "Password Must Change" checked. | AC1271015 | All | When a user password is reset with Password Must Change checked, the page throws a string index out of bound error; this occurs only if the base URL in IDMMANAGE does not have the port number. | 1. Configure ENTM with an Apache reverse proxy or with IIS in such a way that you don't need to provide a port number while accessing ENTM. Apache reverse proxy: listen on port number 443 or 80 in httpd.conf so that you can access the ENTM URL without providing a port number. 2. Update the Base URL in IDMMANAGE. Access the ENTM URL without a port number. 3. Log in as superadmin, reset the password for any sam user, and select change password on next login. 4. Log out as superadmin and log in as the sam user. Expected Result: It must redirect to the page to reset the password. Actual Result: The page shows a String index out of bound exception. | ||
| 3 | ENTM | Fixes a problem during checkout operations via AutoLogin (i.e. RDP) where third-party tools such as RDP and PuTTY are not launched and the account is repeatedly checked out silently. | AC1271000 | All | The Login Application Job cleans up leftover invalid tickets every 60 seconds. | |||
| 2 | ENTM | Fixes an issue with the LB environment where the retrieved base URL refers to the primary machine instead of the LB machine. | AC1271001 | LINUX | Code change: keep the base URL host name as the host the request came from. | 1. Set up Primary ENTM. 2. Set up LB ENTM. 3. Create a user and mark it to change password on login. 4. Go to the LB ENTM and log in. The user details remained empty. | ||
| 2 | ENTM | Fixes an issue where copying a password that contains the '<' character results in all characters after '<' not being copied. | AC1271005 | All | When retrieving the user password and associating it with a span id, the function assumes the '<' character is the start of an HTML tag, and hence all the characters after it are ignored. | This happens only if the password contains the '<' symbol followed by an alphabetic character (not if < is followed by a numeral or symbol). | 1. ENTM WebUI login. 2. Home->My Privileged Accounts. 3. Checkout against a user. 4. Select "Copy to Clipboard". In this case: if the generated password has a '<' char, all chars after < are not copied. | |
| 3 | ENTM | Fixes an issue where spaces in ENTM passwords were not supported though Windows policy permitted spaces. | AC1271007 | All | Code changes: allow spaces between characters in passwords. | 1. Create a Windows agentless endpoint. 2. Create a disconnected privileged account for the same endpoint and provide a password with spaces. Expected Result: Account must be created, as Windows policy allows spaces between characters. Actual Result: Server throws an error saying the password does not match the policy requirements. | ||
| 2 | ENTM | Fixes an issue where an admin is allowed to delete an account that is checked out | AC1271009 | All | Code Changes: Need to put validation in place while deleting the account. | 1. Checkout an account. 2. Go to Delete privileged account and delete the checked out account Expected Result: System must throw error saying account is checked out. Actual Result: System is deleting the account though it is checked out. | ||
| 2 | ENTM | Fixes an issue where the Approve, Reject and Refresh buttons are enabled for non-admin users. | AC1270984 | All | Disabling the Approve, Reject and Refresh buttons for non-admin users. | 1. Log in to ENTM. 2. Go to Users and Groups->Roles->Manage Work Items->Manage User's Work Items-> Select a non adminlogin User. 3. Observe that the Approve, Reject and Refresh buttons were enabled. | ||
| 3 | ENTM | Fixes an issue where time is incorrectly displayed when the Requester and Approver are in different time zones while DST is enabled. | AC1270991 | All | 1. While printing out the Last updated time on the work item list, the server time is sent directly instead of the client-side browser time. 2. While displaying the time in show password details, the server time is sent as data without being converted to client-side browser time. | N/A | 1. While printing out the Last updated time on the work item list, server time is converted to client time first and then displayed. 2. While displaying the time in show password details, server time is converted to client-side browser time and then sent for display. | 1. When a privileged account is requested, the request appears on the Approver's Home page / Waiting for Approval page. The "Last Updated On" time is the Enterprise Management server time and not the browser time. 2. In the Show previous Account passwords page, when "Show Password" is clicked, the password is displayed on top of the screen. The time displayed here is server time. |
| 3 | ENTM | Fixes an issue where exporting Shared Accounts with the "endpoints with failures" option to a CSV file fails. | AC1270994 | All | 1. In World View, select Shared Accounts. 2. Search: Endpoint Name = *. 3. Click the "endpoints with failures" "Export" link. It should download a CSV file containing the required data. | |||
| 2 | ENTM | Fixes an issue where occasionally a user receives an “Access denied” message when trying to log in using PuTTY even though the password and username are correct. | AC1270998 | All | The MS functions SetForegroundWindow and SetFocus do not bring the PuTTY window to the front and the PuTTY window can't get the keyboard focus; therefore the first char of the password is not sent to the PuTTY window. To bring the window to the front, a keyboard event needs to be simulated right after the call to SetForegroundWindow and SetFocus. | Try to auto-login through a PuTTY session continuously; sometimes “Access denied” is observed even though the password and username are correct (printed the password and username in putty.vbs). | ||
| 2 | ENTM | Fixes an issue where creating an endpoint using the REST API results in saving the password incorrectly in the database. | AC1270999 | All | 1. Create an endpoint via the REST API. 2. Browse to the View Endpoint page at Privileged Accounts->ENDPOINT->View Endpoint: the password is shown as clear text in the password field. |