HP OpenView Select Access 6.0
Patch 2 Notes
October 14, 2005
This document provides an overview of the changes made to Select Access 6.0
for Patch 2. It contains important information not included in the manuals or in
online help.
In This Version
Password Reset
Installation Notes
Enhancements and Fixes
Known Problems, Limitations, and Workarounds
Documentation Errata
Integration with Other OpenView Solutions
Support
Legal Notices
New Features
- Enhanced SOAP message processing by Axis Enforcers. The Enforcer plugin for Axis servers now forwards the complete SOAP envelope to the Policy Validator.
- Temporary Password store. This enhancement simplifies integrations with Microsoft Outlook Web Access and SharePoint. See the HP OpenView Select Access Integration Paper for Microsoft Outlook Web Access for Exchange Server 2000/2003 and Microsoft Sharepoint Service 2.0 for more information.
- Enhanced platform support. Select Access now supports the servlet enforcer on Windows 2003 with this patch. For a comprehensive list of other platforms supported by Select Access 6.0, see Chapter 1 of the HP OpenView Select Access 6.0 Installation Guide.
- Enhanced integrations. Select Access now integrates with Microsoft ADAM with this patch. For a comprehensive list of other integrations supported by Select Access 6.0, see Chapter 1 of the HP OpenView Select Access 6.0 Installation Guide.
- Password reset. This allows end-users to reset passwords in their identity profile. You enable Password reset using the procedure Configuring the web-based administration services in Chapter 5 of the HP OpenView Select Access 6.0 Installation Guide.
- Personalization support for IIS Enforcer plugins. To extend personalization support to an alternative other than the recommended COM object method of extracting personalization values from IIS HTTP headers, HP is distributing a new version of the IIS Enforcer plugin. This new plugin exports HTTP headers in a manner similar to other Enforcer plugins. However, rather than using the HTTP_SA prefix, the IIS Enforcer plugin uses an SA prefix only.
HP recommends that you continue to use COM to extract your personalization data from headers. Only use the alternate method if the COM method fails to work in your environment. For details on how to configure personalization with the new IIS plugin, see To set up personalization for IIS Enforcer plugins in the HP OpenView Select Access 6.0 Patch 1 Notes. For details on how to use COM with IIS, see Using COM objects in the HP OpenView Select Access 6.0 Network Integration Guide.
- New code signing certificate. In order to extend the validity period of the code signing certificate, HP has replaced the Verisign signing certificate with a Thawte Consulting signing certificate. As a result, the installer updates all files in the /policy_builder/protected folder.
- New integrations. This patch includes modifications and files that allow you to integrate with the following third-party technologies:
- Domino 6.x servers
- OpenLDAP directories
For specific details on how to integrate Select Access with these two technologies, see the corresponding integration paper. You can obtain a copy of either integration paper by contacting your Select Access sales representative.
- WSE Enforcer plugin enhancements. The WSE Enforcer plugin has been modified to support Integrated Windows Authentication (IWA). If you want to use IWA in a WS environment, you must perform specific setup tasks on your system. Once you have taken the appropriate configuration steps, however, authenticating users on Select Access behaves no differently than in other, more basic deployments. For details, see To configure a WS environment to use IWA in the HP OpenView Select Access 6.0 Patch 1 Notes.
- SAML server modifications. To give customers the ability to allow third-party SAML requests without authenticating with the destination site, HP has implemented a non-standard SAML configuration option. In a typical SAML deployment, two-way authentication is always required:
- The destination site has to authenticate with the source site.
- The source site has to make sure that the artifact request comes from the right destination site (the one the browser was
redirected to).
This prevents users from intercepting the artifact embedded in the HTTP data stream and using it to request the user's SAML data. However, if this risk is not significant for your deployment, you can use the nonstandard authentication configuration. For details, see To allow SAML requests without site authentication in the HP OpenView Select Access 6.0 Patch 1 Notes.
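The two checks described above, modelled as an added Java example (not Select Access code): a source-site artifact store that releases SAML data only to the authenticated destination site the artifact was issued for, beside the relaxed mode that skips that check. The class, method and site names are hypothetical, and the sample assertion string is constructed.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Illustrative model of a SAML source site's artifact store. */
public class ArtifactStore {

    private static final class Entry {
        final String destinationSite; // site the browser was redirected to
        final String assertion;       // SAML data waiting to be collected
        final long expiresAt;         // epoch milliseconds

        Entry(String destinationSite, String assertion, long expiresAt) {
            this.destinationSite = destinationSite;
            this.assertion = assertion;
            this.expiresAt = expiresAt;
        }
    }

    private final Map<String, Entry> pending = new HashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final boolean requireSiteAuthentication;
    private final long lifetimeMillis;

    ArtifactStore(boolean requireSiteAuthentication, long lifetimeMillis) {
        this.requireSiteAuthentication = requireSiteAuthentication;
        this.lifetimeMillis = lifetimeMillis;
    }

    /** Issues an unguessable, short-lived artifact bound to one destination site. */
    synchronized String issue(String destinationSite, String assertion, long now) {
        byte[] raw = new byte[20];
        random.nextBytes(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        String artifact = hex.toString();
        pending.put(artifact, new Entry(destinationSite, assertion, now + lifetimeMillis));
        return artifact;
    }

    /**
     * Resolves an artifact request. authenticatedSite is the identity the transport
     * layer established for the requester, or null if the requester did not authenticate.
     * Returns the assertion, or null when the request is refused.
     */
    synchronized String redeem(String artifact, String authenticatedSite, long now) {
        Entry e = pending.get(artifact);
        if (e == null) {
            return null;                       // unknown or already redeemed
        }
        if (now > e.expiresAt) {
            pending.remove(artifact);
            return null;                       // expired
        }
        if (requireSiteAuthentication && !e.destinationSite.equals(authenticatedSite)) {
            return null;                       // not the site this artifact was issued for
        }
        pending.remove(artifact);              // one-time use
        return e.assertion;
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        String sp = "https://sp.example.com";        // constructed destination site
        String other = "https://other.example.net";  // constructed unrelated site
        String data = "<Assertion subject=\"jdoe\"/>"; // constructed sample

        ArtifactStore strict = new ArtifactStore(true, 60_000);
        String a1 = strict.issue(sp, data, now);
        System.out.println("strict, no authentication : " + strict.redeem(a1, null, now));
        System.out.println("strict, different site    : " + strict.redeem(a1, other, now));
        System.out.println("strict, intended site     : " + strict.redeem(a1, sp, now));
        System.out.println("strict, second redemption : " + strict.redeem(a1, sp, now));

        ArtifactStore relaxed = new ArtifactStore(false, 60_000);
        String a2 = relaxed.issue(sp, data, now);
        // With site authentication off, possession of the artifact alone releases the data.
        System.out.println("relaxed, no authentication: " + relaxed.redeem(a2, null, now));
    }
}
```

In the relaxed configuration the remaining protections are the artifact's randomness, short lifetime and one-time use, so the transport carrying the artifact matters more.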
Deprecated Features
- Keytools cryptographic libraries have been removed. They have been
replaced by Bouncy Castle Cryptographic APIs.
Enabling Password Resets
The Password Reset function allows administrators to determine when and how end users can change passwords if they are forgotten.
Because it is an administrative mechanism, Password Reset appears as a new function on the Resources Tree as part of the
Administrative Access Functions branch. The responsibility of configuring and managing passwords via the reset
function is shared between administrators and end users. Once an administrator sets up the policy, the end-user can self-manage:
- Answers to the secret questions that authenticate the identity from a list defined by the administrator. The Administration server randomly chooses which questions are displayed to the end-user. Only the authenticated user can modify answers as part of profile attributes in their user profile.
The questions that appear to the end-user may be shared across all identities in your identity data location. However, the answers the
end-user provides are unique to the user's individual profile. Note that Select Access prevents administrators from modifying answers themselves.
- The password that logs the end-user onto the system. End users can only change the password after they authenticate themselves via a
series of secret questions and answers, and only if the administrator gives the end-user the required entitlement to self-manage the password in their
profile.
The Password Reset policy also can enable disabled profiles. For example, if a user's identity profile is disabled because there are too many failed login attempts,
and the end-user successfully resets the passwords in that profile, the profile is automatically re-activated.
An administrator with the appropriate entitlement delegated to them can configure a Password Reset policy. If there are workflow rules
for this function, changing the configuration will trigger the workflow rules as well. However, workflow is not triggered by changes made by end users on the registration and/or profile self-management pages. This is because the
directory attributes used are internal attributes and cannot be used with workflow rules.
To use the Password Reset feature
- If you have not already done so, configure the Administration server to display the appropriate resource to end users who can reset their passwords. You configure the Administration server with the Setup Tool. In the Self Administration group on the Web Administration Setup screen, specify the path to the password reset resource. See Chapter 5 Configuring the Administration Server in the HP OpenView Select Access 6.0
Installation Guide.
- To manage password reset properties, create the Password Reset policy that controls what the end-user sees in that resource. End users cannot manage
Password Reset properties until the administrator configures and thereby activates the function.
- Manually modify your password login and/or portal pages to include a link for password resets, using the URL you configured. The URL for the password reset JSP uses the following syntax:
https://hostname:9992/password_reset/reset.jsp
The person is redirected to the reset page only after the identity is authenticated.
- Modify the Password Reset JSP page to include any business-driven requirements, for example, adding a redirect back to your Home page. This is site-specific.
- Because you cannot configure workflow on password resets themselves, you may want to modify your Audit Settings to capture any events or messages you require. A new audit component, Password Management, is available in the Audit Entry dialog box. Password Management captures any password reset events or messages you require. Set the appropriate severity level for this component as needed. For details, see Configuring an Audit Policy in Chapter 14, Changing Audit Settings in the HP OpenView Select Access 6.0 Policy Builder Guide.
To configure the password reset policy
- Run the Policy Builder and click Tools -> Password Reset Configuration. The Password Reset Configuration dialog box appears. You can only configure a single reset policy for all user passwords.
- Define a pool of questions by adding them to or deleting them from the editable Secret Questions list box. Use the corresponding buttons provided for this task.
These secret questions are randomly selected by the Administration server and displayed to the end-user in the JSP page for resets. The number of questions must be equal to or greater than the number of questions to be displayed to the individual.
a. In the Number of allocated secret questions box, enter the number of questions you want to display to the end-user. The number of questions must be equal to or greater than the number of correct answers you will be configuring in Step b.
b. In the Number of correct responses required for password reset box, enter the number of correct answers the end-user must supply before the password they give is reset by the system. The number of correct responses must be less than or equal to the number of questions displayed to the individual, which you configured in Step a.
Select Access prevents administrators from altering the answer to
the questions the end-user provides. Administrators can only alter
the secret questions.
- Click OK to commit your changes.
Understanding End Users' Answer Requirements
Depending on whether or not the end-user is a new identity or a
previously-registered one, the individual must meet specific criteria as
described below:
- New (unknown) users initially set up the answers to the secret questions
in the registration page. They can use any combination of characters or
numbers to create their answer. Empty answers cannot be submitted to the identity's profile.
Because asterisks (*) (or asterisks with spaces) are treated as an
empty field, they are also not accepted by Select Access.
- Existing (known) users with a profile can set up the answers to the secret
questions in the profile self-management page. Like new users, existing
users can use any combination of characters or numbers to create their
answer. Pre-existing answers are masked by a series of asterisks; known
users can indicate "no change" by leaving the masked entry unchanged. However, if users add another character like "A" to a masked
answer, they permanently change the answer to something like
"A*******", not "A". Ensure you communicate this
risk to your identities.
Software and Hardware Requirements
For the hardware, software, and third-party requirements, see System requirements on page 11 of the HP OpenView Select Access 6.0 Installation Guide.
Miscellaneous Installation Notes
NOTE: After installing 6.0 Patch 2, you must regenerate the certificates. If you do not, when you select Clear Validator Cache using PB -> Tools, the message "Validator cannot be reached" appears. After starting the Administration server setup tool, choose
to regenerate certificates. You must regenerate certificates for all connecting components to correspond to the Administration server.
- After installing this patch, we recommend that you clear your Jar cache before
you run the Policy Builder. This ensures that the latest changes to the Policy
Builder are successfully implemented.
- New patch files installed by the patch installer cannot be removed by
the Select Access 6.0 uninstaller. This uninstaller cannot know which new
files were added by this installer. If you need to remove this product, use
the Select Access 6.0 uninstaller and manually delete any files that remain.
If you need to remove your IIS Enforcer plugin after applying Patch 2, follow this procedure to cleanly remove all
IIS filters from your system.
If you forget to run the MetabaseEditor command before running the
uninstaller, run Microsoft's MetaEdit utility and perform the following
actions for a clean unplugged state of
IIS:
- Search for the ScriptMap entry or select the Select Access
string from the map.
- Stop Select Access IIS Admin Service.
- Open a command prompt and type MetabaseEditor -r.
- Run the Select Access uninstaller to remove the IIS filter from the
ISAPI filter list.
- If you are installing Select Access for the first time, HP recommends
that you follow the subsequent procedure. If you do not follow this
procedure, installer updates cannot be resolved correctly.
- Install Select Access 6.0, but do not configure any of the
components you install.
- Install Patch 2 for Select Access 6.0. This updates all components
with the requisite changes.
- Configure your components as required.
- Before you update, stop all Enforcer-protected services and close all
services windows. Otherwise, unpredictable conflicts can occur with Select
Access's installer and Setup Tool.
- Only administrators with local administration privileges (on Windows) or
administrators that can run installers as root (on Unix) should update
Select Access 6.0 with Patch 2.
- If you have an Entropy Gathering Daemon (EGD) installed on a Unix
system, Select Access uses it to generate random data for SSL. Select Access
will look for an EGD socket in the following locations:
/var/run/egd-pool
/dev/egd-pool
/etc/egd-pool
/etc/entropy
- If you are using Microsoft ADAM, there are four default LDFs that you can add during setup. You must add MS-InetOrgPerson.LDF and MS-User.LDF, located in the ADAM default directory, in order for the ADAM schema to load properly. These LDF files are included in the ADAM installation by default, but they must be selected when installing ADAM. If you do not select them when installing ADAM, you can add them later using ldifde.exe. See Chapter 2 of the HP OpenView Select Access Integration Paper for Microsoft Active Directory Application Mode (ADAM) Server for more information about integrating Select Access and ADAM.
NOTE: If you are using Microsoft Active Directory Server (ADS) 2000, then you may need to
install the secretary schema extension before installing Select Access. This
extension is not required for Microsoft ADS 2003 or ADAM. This extension is
required on Microsoft ADS 2000 when you meet all of these conditions:
- Microsoft ADS 2000 is used as Select Access' Policy Data Location.
- This is your first time installing Select Access.
To load this extension, run the load_secretary.bat script with your ADS domain name as a parameter. For example, if your domain is mydomain.com, then the command to run the script is:
load_secretary "DC=MyDomain,DC=Com"
NOTE: If the EGD socket cannot be found, Select Access uses its own internal
mechanism to generate random data. Therefore, if you want to use the UNIX EGD,
ensure you have installed it in one of the locations listed above.
Installing Patch 2 on Windows Platforms
NOTE: If you are using Windows 2003,
stop the Windows Management Instrumentation service before installing Select Access. Restart the Windows Management
Instrumentation service after Select Access is installed.
- Start the Select Access installer by running the
setup_win32.exe executable file you have downloaded from HP's OpenView support site.
- The installer extracts the installation files, then prepares the Select
Access Install Wizard. When it has finished loading, the Welcome to HP SelectAccess Installation screen appears.
- Click Next. The License Agreement screen appears.
- Read the license agreement. When you understand and agree to the terms, click
the I accept option and click Next. The Choose Components to Patch screen
appears.
Only those components affected by Patch 2 appear in this list.
- Enabled (checkable) items indicate that a previously-installed component has an
update in this patch.
- Disabled items indicate components that are available for update with this
patch, but have not been installed on the host computer.
NOTE: HP recommends that you always update all detected components on a given host
computer as well as components deployed on various hosts on your network. This
avoids any unpredictable behaviors that might otherwise occur when varying
versions of Select Access components are deployed on your system.
- Click Next. The Pre-Installation Summary screen appears.
- Review this information.
- If your installation details are acceptable, click Install to begin the installation.
- If you want to make changes, click Previous to change the install settings as
required.
- If you have any Select Access services or Enforcer-protected services running
during the installation process, one or two message boxes may appear. Running
services during the installation process may prevent the installer from updating
existing Select Access files. The following two message boxes notify you of
these running services.
- For Select Access services, the message box lists the services the installer is
about to stop. Click Next to allow the installer to stop these services
automatically.
- For Enforcer-protected services, another message box prompts you to manually
stop any services on this host that are still running. Stop these services and
continue.
The Installing HP OpenView Select Access 6.0 Patch 2 screen appears and outlines
the installation progress of the components you selected to install.
- If you have an Administration server installed on the host, the Reconfigure
Administration Server screen appears. Click the Yes option to configure settings
for the new Password Reset feature included in this patch. See Password Reset for more information.
NOTE: After installing 6.0 Patch 2, you must regenerate the certificates. If you do not, when you select Clear Validator Cache using PB -> Tools, the message "Validator cannot be reached" appears. After starting the Administration server Setup Tool, choose
to regenerate certificates. You must regenerate certificates for all connecting components to correspond to the Administration server.
- If the installer has stopped any Select Access services, the Restart Select
Access Services screen appears when it has finished updating Select Access
components. If you need to restart one or more services the installer had stopped, check one
of the corresponding boxes and then click Next:
- Yes, restart the services now allows the installer to restart the stopped
services. Message boxes appear as each service restarts.
- No, restart the services later
allows you to restart the services yourself, if your services have any
special startup parameters the installer may not be aware of.
- When the Installation Complete screen appears, click the Finish button to exit
the installer.
- If you manually stopped any Enforcer-protected services, restart them now.
Installing Patch 2 on Unix Platforms
NOTE: After installing 6.0 Patch 2, you must regenerate the certificates. If you do not, when you select Clear Validator Cache using PB -> Tools, the message "Validator cannot be reached" appears. After starting the Administration server Setup Tool, choose
to regenerate certificates. You must regenerate certificates for all connecting components to correspond to the Administration server.
- From either the command line or command shell, change directories to the location
of the installer file.
- At the command prompt, run the corresponding Unix installer with the
console command line argument:
./setup_<platform> -i console
Where:
- <platform> is the Unix platform the program is going to run on.
- -i console tells the installer to run in console mode.
For example, on Solaris, enter:
./setup_solaris -i console
NOTE: Avoid exporting your display as an environment variable. Otherwise, the
installer runs in GUI mode even though you try to run it in console mode.
- At the Welcome to HP OpenView Select Access Installation prompt, press
Enter to continue to the License Agreement prompt.
- Read the license agreement. When you understand and agree to the terms, type
Y at the DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? prompt.
- At the Choose Components to Patch prompt, identify the components
you wish to update by typing the corresponding numbers in a comma-separated
list and press Enter.
Patchable components installed on this host computer are identified with a
number; patchable components that are not installed on this host are
identified with an asterisk (*). HP recommends that you always update all detected components to avoid any unpredictable behaviors that might otherwise occur as a result of an inconsistently applied update.
- When you have selected the components you wish to update, the installer
gives you a pre-installation summary for the components you selected. If this information is correct, press Enter to continue installing these
components.
- If you have any Select Access services or Enforcer-protected services
running during the installation process, one or two prompts may appear.
Running services during the installation process may prevent the installer
from updating existing Select Access files. The following two prompts notify
you of these running services.
- For Select Access services, the Running Select Access Services Detected
prompt lists the services the installer is about to stop. Type 1 if you want
to stop these services manually. Type 2 if the installer should
automatically stop the services that it has detected.
- For Enforcer-protected Web services, a separate prompt asks that you
manually stop any services on this host that are still running. Stop these
services and continue.
- The Installing HP Select Access 6.0 Patch 2 prompt provides messages on the
status of the installation progress of the components you selected to
install. If the installer has stopped any Select Access services, you are
prompted to restart these services when it has finished updating Select
Access components. At the Restart Select Access Services prompt, choose
whether or not you want to restart stopped services by typing the
corresponding number that is adjacent to each option:
- Yes, restart the services now - Typing 1 allows the installer to restart the
stopped services. Progress windows appear, informing you of each service the
installer is currently restarting.
- No, restart the services later - Typing 2 allows you to restart the stopped
services yourself, should you have any special startup parameters the
installer may not be aware of.
- When the installer is finished, an Installation Complete message appears.
Press Enter to exit the installer.
- With the update complete, restart all Enforcer-protected services that you
had manually stopped.
- Run the Setup Tool graphical user interface after you have installed
your components. To run the Setup Tool in GUI mode, enter the following command:
<install_path>/shared/setuptool
NOTE: You can also run the Setup Tool on a Windows host computer and copy the
corresponding XML configuration file to the Unix host.
The following items are fixed in the current software release.
Enhancements
Validator CRL processing behavior has been corrected
When processing a MultiResourceQuery, the Validator adds some data elements only once for the entire query.
Performance between the Policy Validator and Enforcer plugins has been enhanced
The TCP Nagle algorithm on Enforcer <-> Validator sockets has been turned off to prevent the "stop-and-wait" delays that it creates when using SSL and a query-response protocol.
Fixes
Enforcer tuning parameters: labels and help text are incorrect
PROBLEM: Customers and support people have been tuning their Enforcer connection parameters incorrectly because the labels and help text do not match the actual parameter implementation.
CAUSE: The UI labels on the fields for the parameters "Stop validator connection attempts after X seconds" and "Consider validator unreachable after X seconds" are reversed.
FIX: The help text has been amended.
SAML server generates invalid HTTP Host: headers
PROBLEM: Other vendor SAML implementations refuse requests.
CAUSE: The problem occurs when a "SAML From Partner" is configured with a SOAP Responder URL that does not contain a port specifier, i.e. https://responder.example.com/saml/responder, an HTTP Host header is sent with the port number "-1": GET /saml/responder HTTP/1.0 Host: responder.example.com:-1.
FIX: When configured with the default port number in the URL, the port number is not put in the HOST header.
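How a "-1" port can reach a Host header, as an added Java example (not Select Access code): java.net.URL.getPort() returns -1 when the URL carries no explicit port, so formatting it unconditionally produces the header quoted above, which a strict receiver rejects. That this is how the original defect arose is an assumption; the class and method names are hypothetical, and every URL except the first is constructed.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HostHeaderExample {

    // Host header value: a host name or bracketed IPv6 literal, optionally ":" + decimal port.
    private static final Pattern HOST_VALUE =
        Pattern.compile("^(\\[[0-9A-Fa-f:.]+\\]|[A-Za-z0-9.-]+)(?::([0-9]{1,5}))?$");

    /** Defective form: formats whatever getPort() returns, including the -1 sentinel. */
    static String naiveHostValue(URL url) {
        return url.getHost() + ":" + url.getPort();
    }

    /** Omits the port when the URL has none or when it is the default for the scheme. */
    static String hostValue(URL url) {
        int port = url.getPort();        // -1 when the URL carries no explicit port
        String host = url.getHost();     // IPv6 literals come back enclosed in brackets
        if (port == -1 || port == url.getDefaultPort()) {
            return host;
        }
        return host + ":" + port;
    }

    /** The check a strict receiver applies before it processes the request. */
    static boolean isValidHostValue(String value) {
        Matcher m = HOST_VALUE.matcher(value);
        if (!m.matches()) {
            return false;
        }
        String port = m.group(2);
        return port == null || Integer.parseInt(port) <= 65535;
    }

    public static void main(String[] args) throws MalformedURLException {
        String[] samples = {
            "https://responder.example.com/saml/responder",       // from the page
            "https://responder.example.com:443/saml/responder",   // constructed: default port
            "https://responder.example.com:8443/saml/responder",  // constructed: custom port
            "http://[2001:db8::1]:8080/saml/responder"            // constructed: IPv6 literal
        };
        for (String s : samples) {
            URL url = new URL(s);
            String naive = naiveHostValue(url);
            String fixed = hostValue(url);
            System.out.println(s);
            System.out.println("  naive Host: " + naive + "  valid=" + isValidHostValue(naive));
            System.out.println("  fixed Host: " + fixed + "  valid=" + isValidHostValue(fixed));
        }
    }
}
```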
PROBLEM: SAML assertions contain an element that has an optional "NameQualifier" attribute. There is no way to configure the SA SAML server to interoperate with partners that do not send a NameQualifier.
FIX: The setup tool and SAML server have been modified to allow users to configure an empty list of "Security Domain" settings (the SAML "NameQualifier"). If the list is empty, the SAML server ignores any NameQualifier in incoming assertions.
SAML server can't be configured to ignore "attribute namespace"
PROBLEM: SA can't be configured to ignore the namespace on incoming SAML assertions to make setup easier.
CAUSE: SAML assertions include attributes, which are qualified with a string to associate a namespace with the attribute.
FIX: The setup tool and SAML server have been changed so that administrators can leave the "Attribute Namespace" list empty. If the list is empty, the SAML server does not check the namespace on incoming assertions, so any string is allowed. Customers who want the additional check can still configure a list of namespaces to explicitly match.
SAML: Some other SAML vendors cannot parse our SOAP messages
PROBLEM: Some vendors require the SAML namespace declarations to be on the (and , in response messages).
CAUSE: The XML namespace declarations are all on the outer soap:Envelope element.
FIX: The XML namespace declarations for SAML have been moved onto the nested SAML elements inside the SOAP message.
SAML: Validator does not quote SAML subjectnames when creating temporary users
PROBLEM: When adding a SAML user with a subject name of (for example) 'Smith, Joan', the validator does not properly quote the ',', so LDAP rejects the temporary user add request.
FIX: The internal DN builder was changed to properly quote special characters in the subject_name.
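Quoting a subject name before it becomes part of a DN, as an added Java example (not the product's DN builder): it builds the temporary user's DN by plain concatenation, with Rdn.escapeValue, and structurally with LdapName, then checks which results still parse to exactly one cn entry under the intended container. The base DN, class and method names are hypothetical, and every sample subject except 'Smith, Joan' is constructed.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SamlSubjectDn {

    // Hypothetical container for temporary SAML users; not taken from the page.
    static final String BASE_DN = "ou=SAML Users,dc=example,dc=com";

    /** Unquoted form: pastes the subject name into the DN string as-is. */
    static String naiveDn(String subject) {
        return "cn=" + subject + "," + BASE_DN;
    }

    /** Escapes the RFC 2253 special characters before the value enters the DN string. */
    static String escapedDn(String subject) {
        return "cn=" + Rdn.escapeValue(subject) + "," + BASE_DN;
    }

    /** Builds the name from parts, so the value is never interpreted as DN syntax. */
    static String structuralDn(String subject) throws InvalidNameException {
        LdapName name = new LdapName(BASE_DN);
        name.add(new Rdn("cn", subject));   // becomes the leftmost RDN
        return name.toString();
    }

    /** True if dn parses, sits directly under BASE_DN, and its cn is exactly subject. */
    static boolean isFaithful(String dn, String subject) {
        try {
            LdapName parsed = new LdapName(dn);
            LdapName base = new LdapName(BASE_DN);
            Rdn leaf = parsed.getRdn(parsed.size() - 1);
            return parsed.size() == base.size() + 1
                && parsed.startsWith(base)
                && leaf.getType().equalsIgnoreCase("cn")
                && subject.equals(leaf.getValue());
        } catch (InvalidNameException | IllegalArgumentException e) {
            return false;   // malformed DN: a directory would reject the add request
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        String[] subjects = {
            "Smith, Joan",           // from the page
            "jdoe",                  // constructed: nothing to escape
            "Ops+Audit",             // constructed: '+' joins values in a multi-valued RDN
            "O=Partner; Unit <A>"    // constructed: several special characters at once
        };
        for (String s : subjects) {
            String naive = naiveDn(s);
            String escaped = escapedDn(s);
            String structural = structuralDn(s);
            System.out.println("subject [" + s + "]");
            System.out.println("  naive      " + naive + "  faithful=" + isFaithful(naive, s));
            System.out.println("  escaped    " + escaped + "  faithful=" + isFaithful(escaped, s));
            System.out.println("  structural " + structural + "  faithful=" + isFaithful(structural, s));
        }
    }
}
```

Plain names such as the second sample pass through concatenation unchanged, which is why a defect of this kind can go unnoticed until a partner sends a name containing a separator.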
Cannot create a password auth to search from Known Users when using Japanese Characters
PROBLEM: When creating a password authentication server using Japanese characters and the User location lookup is set to "Known User", it will not work.
FIX: The English string "Known Users" is always stored into LDAP, regardless of what I18N format it has been translated to.
Performance hit with large number of groups and roles
PROBLEM: When an SA system has a large number of roles, and a user is a member of a large number of groups, performance drops substantially.
CAUSE: SA does the role checks for each group, leading to a large number of LDAP queries (for example, 595 groups and 21 roles leads to 13,685 LDAP queries, taking approximately 40 seconds to perform).
FIX: Increasing the cache refresh interval will reduce the incidence of this problem, because the groups will be updated independently as other users log in. Limit the number of groups users can be members of.
Japanese "self registration" cannot find auth server
PROBLEM: When creating a new registration server named with Japanese characters, the "403 access denied" page appears and the self-registration page could not be loaded.
CAUSE: The Policy Builder is writing the Japanese text for "Known Users" into the Auth Server config, but the Validator is expecting the English string "Known Users".
FIX: The string "Known Users" that is displayed and localized is separated from the string "Known Users" that is written into the XML.
Importing Resources List only works for HTTP/HTTPS Protocol
PROBLEM: Importing a resources list from a file doesn't support resources in protocols other than http/https. An exception occurs when importing resources in other protocols such as ftp, ldap, etc. and the resources cannot be imported into the resources tree.
CAUSE: The problem is caused by a deserialization failure on a URL object that is created by the constructor like URL(Context, String, URLStreamHandler).
FIX: This limitation is bypassed. Only the string for serialization and deserialization is passed. The URL object is then constructed.
Admin server binds to all addresses
PROBLEM: If you set the Solaris 5.1.x admin server to use a specific IP address, the admin server will bind to all addresses, effectively ignoring the configuration.
FIX: The admin server can now be restricted to a single IP address.
Folders and groups are shown as a dot if they are empty (SAML)
PROBLEM: When you are browsing for a folder to put your partners in on the SAML assertion properties screen, folders are only shown as folders if there is something in them. Any object of ou= should be shown as a folder, not a dot. Similarly, if it is a group, it should be shown using a group icon, not a dot.
Enforcer doesn't run properly under JRE 1.3 features
| PROBLEM: |
Customers must be able to run the enforcer API under JRE 1.3 and the Java enforcer API uses JRE 1.4 features. If the code tries to use any of the 1.4 features, failures occur, such as exception constructors that take another exception as a parameter and calls to URLDecoder.decode(String, String) (JRE 1.3 only supports the one-argument version of this method).
|
| CAUSE: |
The Java enforcer API uses several JRE 1.4 features, some directly and some through the com.hp.ov.selectaccess.util
package. |
|
TCP enforcer crashing fix
| PROBLEM: |
The tcp_enforcer on hpux and linux is not working. |
| CAUSE: |
The problem is caused by uninitialized pointers to XMLNode, which is itself is a pointer to XmlTreeNode. |
|
SAML artifact query MUST log response from server
| PROBLEM: |
When the artifact query from the SAML server (operating as Service Provider) to another SAML server (as IDP) fails, the response from the other SAML server is not shown. This makes it almost impossible to diagnose
configuration problems. |
|
Find a user does not work in web admin mode
| PROBLEM: |
An error page is displayed when trying to modify an existing user account using the web admin URL on the iplanet dir server.
The Show All Users option works very slowly. If you choose this option, you have to restart admin server to continue to work. |
|
| PROBLEM: |
SAML assertions contain an element that has an *optional* "NameQualifier" attribute. The SA 60 SAML
server has no way to configure a partner that does not put NameQualifier in their assertions. This causes interop failure. |
|
Group membership not saved when moving between tabs in the Add User screen
| PROBLEM: |
A user is added without the group membership being set. |
|
openLDAP integration enters passwords in cleartext when changed through PB
| PROBLEM: |
SA is not performing a "password change extended operation", therefore it is still storing the password as plain text. |
| FIX: |
An external reference was added. |
|---|
Cache from Policy Builder not refreshing
| PROBLEM: |
When the Policy Builder is open and a user is added, or when a user's record is updated but not through Policy Builder (i.e. direct to LDAP via the console, LDAP Browser, SI, etc.), the user tree does not reflect the change, even after "Refresh" is forced. The tree does update after a specific time period, somewhere in the range of 60 seconds. |
|
Select Access 6.0 Patch 1: Issue with renaming an authentication server with Policy Signing on
| PROBLEM: |
When Policy Signing is enabled from the Admin server setup and you create an auth server whose name contains a special character, such as the "+" sign (test1+), renaming this auth server to "test1" produces signature warnings. After you have endorsed these entries in the "Verify Signature" dialog box and returned to the list of auth servers, the auth server you renamed from "test1+" to "test1" has not been renamed, and the administrator is no longer able to delete it. Even after the admin server is restarted and the Java cache is cleared, this entry is still present and cannot be deleted or modified. |
| CAUSE: |
This is related to a problem in the source code for handling authentication server renaming. |
|
User Properties fields are not acting correctly
| PROBLEM: |
If you go into a User's Properties, add them to a group AND make changes to their Account Management, save
the changes and exit, only the changes made to the Account Management are saved. The group membership
changes are not saved and the user is not added to the group. |
| CAUSE: |
The problem is caused by incorrect load/store functions in SubjectEditor.java. |
|
Enable password field with ADS and SSL
| PROBLEM: |
The Policy Builder does not display the password of an ADS user. |
|
User lifetime in directory not set when added by SAML
| PROBLEM: |
When configuring the SAML server, an option exists to lengthen the life of a transient user in the directory store ("Delete SAML users after"). This option does not seem to be set during configuration. |
|
The following items are listed incorrectly in the documentation and could not be fixed prior to the software release.
Operating system support
| LOCATION: |
Chapter 1 in the HP OpenView Select Access 6.0 Installation Guide. |
| ERROR: |
The System Requirements section incorrectly states that Windows XP is a
supported operating system. |
| CORRECTION: |
The operating system Select Access does support is, in fact, Windows 2003. |
|---|
Upgrading from versions of Select Access previous to 5.0
| LOCATION: |
Chapter 2 in the HP OpenView Select Access 6.0 Installation Guide. |
| ERROR: |
This chapter erroneously includes details for upgrading from a version of
Select Access previous to Select Access 5.0. |
| CORRECTION: |
Upgrading from a version previous to 5.0 is not supported. |
|---|
CA eTrust setting
| LOCATION: |
Chapter 5 in the HP OpenView Select Access 6.0 Network Integration Guide. |
| ERROR: |
In the section entitled "To modify the maximum operation parameter", the incorrect
value is given. |
| CORRECTION: |
To ensure that the correct number of search results can be returned, the max-op-size
parameter should be configured with a value of 2000, not 1000 as stated in the guide. |
|---|
Password dictionary name and location undocumented
| LOCATION: |
N/A |
| ERROR: |
An undocumented filename and path are required for the Password Dictionary feature. |
| CORRECTION: |
If you are using a password policy that allows users to self-manage their passwords, and
want to use a password dictionary to support that policy, you must name the file
dictionary.txt and save it to the <SA_install_path>\bin folder. Otherwise, Select
Access cannot find the appropriate file. |
|---|
You can integrate Select Access with the following OpenView products:
- Select Identity
- Select Federation
Please visit the HP OpenView support web site at:
http://www.hp.com/managementsoftware/support
This web site provides contact information and details about the products, services, and support that
HP OpenView offers.
HP OpenView online software support provides customer self-solve capabilities. It provides a fast and
efficient way to access interactive technical support tools needed to manage your business. As a valuable
support customer, you can benefit by being able to:
- Search for knowledge documents of interest
- Submit and track progress on support cases
- Submit enhancement requests online
- Download software patches
- Manage a support contract
- Look up HP support contacts
- Review information about available services
- Enter discussions with other software customers
- Research and register for software training
To view release notes and other documentation:
- On the Support page, click Support -> Using our products, and then click Product manuals.
The Product manuals search window opens. It is located at:
http://ovweb.external.hp.com/lpe/doc_serv/
- In the Product list, click [product name].
- In the Version list, click [version number].
- In the OS list, click [OS type].
- In the document list, select the document title.
- To retrieve the document, click Open or Download.
NOTE: To view files in PDF format (*.pdf), Adobe Acrobat Reader must be
installed on your system.
To download Adobe Acrobat Reader, go to the following URL:
http://www.adobe.com
© Copyright 2005 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.