Release Information
Date: 22-Mar-2017
CA Privileged Access Manager - 2.8
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.
Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.
Table of Contents
Windows Proxy and A2A client do not restart properly (DE158681)
CA PAM Client authentication extended (US123147, US161920, US172209)
Service credentials pass-through enabled (DE142973)
Identification of Client in Mac menu bar (US151336)
Terminal Customization Buffer Size fixed (DE155580)
Command filtering restored for Cisco Devices (DE157542)
SSH Service failure corrected (DE157835)
License signature verification restored (DE158116)
AWS Access Key can now be changed (DE158710)
CA PAM Client installer can now be launched on Windows 7 from IE download (DE159969)
SFTP-to-SFTP and embedded SFTP-to-SFTP Services capability restored (DE161009)
Application re-keying supported for Services (DE161704)
SSH connection activations now captured to sessions logs (DE164050)
Web portal Services fixed (DE165022)
SSH key can now be changed successfully using master account (DE171351)
JAR file versioning improved (DE172919)
SAML reauthentication restored for password view (DE173160)
CA PAM Client can now successfully connect using FQDN (DE175139)
Large number of unique connection sockets now possible (DE175740)
CA PAM Client can now be used on Red Hat Enterprise Linux 7 (DE180452)
Cluster member Virtual Management IP delegation corrected (DE186593)
Certificate update no longer prevents autologin (DE197641)
Security vulnerability removed (DE157310)
OpenSSL update (DE161901)
Cluster use of public IP addresses restored (DE158646)
Cluster members freeze (DE159957)
Cluster replication for Transparent Login Config settings restored (DE160203)
Slow Access page loading resolved (DE154126)
Response to unsynchronized databases no longer preventing cluster restoration (DE165743)
Command Filtering restored for PuTTY Telnet (DE136849)
NFS share Security Safe setting restored for SSH recordings (DE142545)
Auto-login via embedded Service settings restored (DE142973)
RADIUS password may now contain colon (DE144586)
Logs for Scheduled Jobs include more information (DE156039)
ExternalAPI now available to a stopped cluster member (DE158501)
Visibility restored for session recordings (DE162262)
FIPS security certificate update (DE162960)
Reauthentication mechanism restored (DE165300)
Credential Management messages restored to syslog (DE154447)
Partial SFA violation message displayed (DE158684)
Non-admin Mac users are not able to use the CA PAM Client (DE187116)
Disabled LDAP accounts are no longer authenticated using PKI (DE175549, DE157861, DE203043)
Auto-connection access was possible with checked-out credentials (DE140882)
License Warning was not rendered correctly (DE155253)
ExternalAPI to access password did not always work due to mismapped fields (DE136845)
Deleting a target account while an access policy was in effect could result in an erroneous policy (DE136899)
Appliance reboot following certificate update (DE197641)
CLI command setPasswordViewReasons not working for UNIX (DE155598)
Administrative Activities did not include Scheduled Jobs (DE154888)
Windows Domain Service account discovery not available (DE149277)
Password View Policy (PVP) events were not captured sufficiently (DE155033)
Windows Domain Services target account with change-on-view Password View Policy was not possible (DE155912)
Dual-approver Password View Policy can be unstable if User is in multiple CM User Groups (DE156483)
Credential Management Filter button slow when there is a large number of Users (DE157043)
Target Groups and Request Groups loaded slowly (DE157051)
Windows Domain Service logging omission (DE162026)
LDAP+RSA User re-authentication failure (DE172096)
Syslog message switch required reboot to toggle Credential Management capture (DE154447)
Access Issues
Multiple RDP Application failure with 'Restrict Login' option
Xceedium Browser issues on Mac OS
Secondary Transparent Login in SSH connections
Syntax error may prompt incorrect message (DE158475)
Always use password
Xceedium Browser PDF menu options limited on Mac (DE158476)
Xceedium Browser and CA Privileged Access Manager Client Browser do not support plugins that use NPAPI (DE161212)
^C may be appended at the end of command filtering violation messages (DE158479)
Command filtering not working for native Telnet Service (DE158480)
Windows Telnet applet may not work for AWS targets (DE158481)
CLI Access Method applet may fail from use of certain characters (DE158486)
SAML auto-connect fails for PAT clustered CA Privileged Access Manager RPs (DE158488)
RDP session closes when you open RDP application connection to Windows Server 2008 (DE158489)
Issues with logging in with PIV card and Safari (DE158491)
Telnet and SSH access methods do not work when applet customization has invalid values (DE161528)
Cannot relaunch VNC applet after another device is accessed with auto-connect (DE140874)
Services Issues
Invalid Auto-Login method does not produce an error (DE158466)
CA Privileged Access Manager does not automatically delete backup file (DE158470)
Cannot launch embedded services sftpftpemb and sftpsftpemb (DE155628)
Credential Manager Issues
Multiple Scripts of the Same Name but in Different Directories (DE158576)
UTF-8 only for CLI input
Fingerprint update not available (DE158578)
Database error causes blank Workflow My Requests page (DE158138)
Case sensitivity
CA Privileged Access Manager Client Issues
Linux Desktop does Not Work PIV/CAC (DE276404)
Client sometimes fails to connect after upgrading to 2.8 (DE244065)
Older Linux installations require additional libraries (DE137968)
CA Privileged Access Manager Client download button disappears from the login page after applying the 2.6 upgrade patch (DE160612)
CA Privileged Access Manager Client Windows uninstaller deletes entire contents of installation directory (DE162561)
A2A Client and Target Connector Issues
Account with elevated privileges in Cisco IOS is not supported by Cisco target connector (DE158580)
UNIX Client uninstaller does not remove THIRD_PARTY_LICENSE (DE158682)
Logs, Reports, and Session Recording Issues
AWS S3 and session recording issues (DE158685)
Attempt to complete Web Portal recording post-processing results in "Encoding Error" (DE158687)
Native SSH Service recording corrupted for edited commands (DE158688)
CLI text search using keyboard shortcuts limitation (DE158689)
Default Mac OS auto scale setting causes slow playback of recorded sessions (DE158691)
Upgrade Issues
Cannot launch services after upgrade to release 2.6 (11303)
Existing Devices that use Embedded VNC cause upgrade failure (DE200033)
Other Issues
CA Privileged Access Manager API Documentation feature not supported in Internet Explorer 9
Keyboard mapping issues (DE158692)
AWS Management Console page not available (DE197725)
The appliance intermittently crashes with a core dump after database restore (DE206853)
Unable to login to CA Privileged Access Manager using the RADIUS Authentication type when two RADIUS servers are configured (DE172566)
Some versions of Java 8 might cause certificate errors
Appliance is unable to connect to SFA (WinSFA_2.70a) installed on Windows 2008 R2 (DE198762)
Release Information
CA Privileged Access Manager 2.8 provides updated software, functionality, and fixed issues.
The content in this section provides information about the 2.8 release.
Installation Requirements
Supported Environments
New Features and Enhancements in 2.8
Resolved Issues in 2.8
Resolved Issues in 2.7
Known Issues
Patch Releases
Related CA Technologies Products
Educational Resources
Installation Requirements
Ensure that the following requirements are met before installing CA Privileged Access Manager.
Software Compatibility
Before you upgrade, ensure that your existing installation is running a release and patch that you can
upgrade to the current release. Verify whether you can upgrade by reviewing CA Privileged Access
Manager Update Paths (https://docops.ca.com/display/CAPAM28/Update+Paths).
Hardware Appliance
There are no special requirements for installing a CA Privileged Access Manager hardware appliance.
Only general standalone computer hardware requirements apply.
Recommended memory: 16 GB
NICs: One interface. Add any additional required interfaces before initial boot.
Supported Environments
CA Privileged Access Manager is a distributed system with a
Server
Appliance form Environmental Network placement CA component
factor access
Hardware physical chassis LCD on chassis
Any currently supported CA Privileged
GUI through direct
Access Manager release level
patch to chassis
VMware virtual VMware VMware console
machine (vm) vCenter
AWS AMI AWS N/A
instance Management
Console
Table features:
Supported Clients
By "clients", we mean those persons or machines which are users of a CA Privileged Access Manager
system. They can include any and all those identified in the following table. Other environments
might appear to work with the product, but CA Technologies does not support them.
Table features:
All: Language support
You can adjust this CA Privileged Access Manager setting in My Info, Keyboard Layout. The default
setting is AUTO. When set to AUTO and the client OS is Windows, the product communicates with
Windows to identify its language. The product then interprets keyboard input using a layout that
corresponds as closely as possible to that language.
For any OS, Keyboard Layout setting can be set to one of the following specific-language options:
DA – Danish
DE – German
EN-GB – English (UK)
EN-US – English (US)
ES – Spanish
FI – Finnish
FR – French
FR-BE – French (Belgium)
FR-CH – French (Switzerland)
HU – Hungarian
IW-IL – Hebrew
NO – Norwegian
PL – Polish
RU – Russian
SV – Swedish (International)
PIV/CAC Smartcard Authentication
Card reader
Card reading software: ActivID ActivClient 6.0 or 6.1
Programmatic Access
The following table assumes non-human user access to CA Privileged Access Manager.
Java
programmatic
use of:
Java API
(any) Access and N/A (any)
Credential
Management:
Programmatic
use of:
ExternalAPI
Supported Targets
The tables below identify the options available for each environment.
Table features:
Credential Management
The following intermediaries are used for handling passwords:
Target Devices
Targets include the following types:
Important! The 2.8 release does not contain the following defect fixes and enhancements
that were included in the 2.7.0.05 and 2.7.1 patches:
SecureCRT transparent login does not work without autologin (Salesforce Case 00529711; Internal defect ID DE246965).
Putty intermittently fails to open connection (Salesforce case 00521100; Internal defect ID DE241623).
Cluster out-of-sync because CSV import is timing out (Salesforce case 00580685; Internal defect ID DE246231).
If you need any of these fixes or enhancements, wait for an upcoming 2.8.x patch that
includes them.
For more information about configuring an LDAP domain, see Configure Network Resources
(https://docops.ca.com/display/CAPAM28/Configure+Network+Resources).
Tip: If the LDAP connection fails after selecting the LDAPS option, verify that port 636 is
open on the LDAP domain.
Important! The 2.8 release does not contain the following defect fixes and enhancements
that are in the 2.7.0.05 and 2.7.1 patches:
SecureCRT transparent login does not work without autologin (Salesforce Case 00529711; Internal defect ID DE246965).
Putty intermittently fails to open connection (Salesforce case 00521100; Internal defect ID DE241623).
Cluster out-of-sync because CSV import is timing out (Salesforce case 00580685; Internal defect ID DE246231).
If you need any of these fixes or enhancements, wait for an upcoming 2.8.x patch that
includes them.
00495839 DE224286 User documentation for Target Script Connector Processor incorrect.
00503062 DE224512 Security issue when enabling one user to use the API account of another user.
00492911 DE224516 Comma missing between the user group and port in gksyslog.log file.
00498776 DE227378 Dual authorization approval process not able to handle the "<" (less than) character.
00514857 DE237932 After upgrading the product from 2.6.2, scheduled backups stopped working.
00664001 DE241486 The year 2016 is hard-coded in Date/Time area for CA PAM 2.6 and CA PAM 2.7
00580096 DE243225 IBM Users Getting NoSuchMethod Error.
00579054 DE243230 User is having issues accessing Access page after PAM 2.7 upgrade.
00582620 DE243798 PIV/CAC card access Customer can still gain access with revoked credentials.
00584404 DE244357 Disk space getting full due to many PVR requests being generated.
Workaround: To use ExternalAPI calls to a stopped cluster member, you must unlock the member
from the Config, Synchronization page.
Known Issues
This section describes the currently known issues and workarounds, where available.
Configuration Issues
Dashboard email indicator is initially incorrect (DE158230)
GB7-GB10 ports unavailable on Model X206P (DE158231)
Provisioning Issues
Use caution when entering regular expressions into command filter lists (DE161678, DE161679)
Changes to SHA digest for Transparent Login of Windows RDP Applications (DE158232)
Learn Tool may crash when using down arrow key (DE158283)
Learn Tool may fail to run again following a forced End Process (DE158286)
AWS API Proxy and NSX API Proxy Issues
Scripts not created for auto-registering clients (DE158287)
AWS API proxy does not upgrade properly (DE158289)
Database restore and AWS licensing restrictions (DE158290)
Access Issues
Multiple RDP Application failure with 'Restrict Login' option
Xceedium Browser issues on Mac OS
Secondary Transparent Login in SSH connections
Syntax error may prompt incorrect message (DE158475)
Always use password
Xceedium Browser PDF menu options limited on Mac (DE158476)
Xceedium Browser and CA Privileged Access Manager Client Browser do not support plugins that use NPAPI (DE161212)
^C may be appended at the end of command filtering violation messages (DE158479)
Command filtering not working for native Telnet Service (DE158480)
Windows Telnet applet may not work for AWS targets (DE158481)
CLI Access Method applet may fail from use of certain characters (DE158486)
SAML auto-connect fails for PAT clustered CA Privileged Access Manager RPs (DE158488)
RDP session closes when you open RDP application connection to Windows Server 2008 (DE158489)
Issues with logging in with PIV card and Safari (DE158491)
Telnet and SSH access methods do not work when applet customization has invalid values (DE161528)
Cannot relaunch VNC applet after another device is accessed with auto-connect (DE140874)
Services Issues
Invalid Auto-Login method does not produce an error (DE158466)
CA Privileged Access Manager does not automatically delete backup file (DE158470)
Cannot launch embedded services sftpftpemb and sftpsftpemb (DE155628)
Credential Manager Issues
Multiple Scripts of the Same Name but in Different Directories (DE158576)
UTF-8 only for CLI input
Fingerprint update not available (DE158578)
Database error causes blank Workflow My Requests page (DE158138)
Case sensitivity
CA Privileged Access Manager Client Issues
Linux Desktop does Not Work PIV/CAC (DE276404)
Client sometimes fails to connect after upgrading to 2.8 (DE244065)
Older Linux installations require additional libraries (DE137968)
CA Privileged Access Manager Client download button disappears from the login page after applying the 2.6 upgrade patch (DE160612)
CA Privileged Access Manager Client Windows uninstaller deletes entire contents of installation directory (DE162561)
A2A Client and Target Connector Issues
Account with elevated privileges in Cisco IOS is not supported by Cisco target connector (DE158580)
UNIX Client uninstaller does not remove THIRD_PARTY_LICENSE (DE158682)
Logs, Reports, and Session Recording Issues
AWS S3 and session recording issues (DE158685)
Attempt to complete Web Portal recording post-processing results in "Encoding Error" (DE158687)
Native SSH Service recording corrupted for edited commands (DE158688)
CLI text search using keyboard shortcuts limitation (DE158689)
Default Mac OS auto scale setting causes slow playback of recorded sessions (DE158691)
Upgrade Issues
Cannot launch services after upgrade to release 2.6 (11303)
Existing Devices that use Embedded VNC cause upgrade failure (DE200033)
Other Issues
CA Privileged Access Manager API Documentation feature not supported in Internet Explorer 9
Keyboard mapping issues (DE158692)
AWS Management Console page not available (DE197725)
The appliance intermittently crashes with a core dump after database restore (DE206853)
Unable to login to CA Privileged Access Manager using the RADIUS Authentication type when two RADIUS servers are configured (DE172566)
Some versions of Java 8 might cause certificate errors
Appliance is unable to connect to SFA (WinSFA_2.70a) installed on Windows 2008 R2 (DE198762)
Configuration Issues
Dashboard email indicator is initially incorrect (DE158230)
When you first log in to CA Privileged Access Manager as an administrator, you are asked to change
the password and enter an email. After doing so, the Account Information: User ID indicator on the
dashboard still displays "Email Not Set".
Workaround: Log off CA Privileged Access Manager and log in again.
Provisioning Issues
Use caution when entering regular expressions into command filter lists (DE161678, DE161679)
CA Privileged Access Manager allows you to enter a regular expression with a syntax error in a
command filter list (blacklist or whitelist). CA Privileged Access Manager notifies you of the error
during list execution. It also notifies you of the error during a native SSH or Telnet CA Privileged
Access Manager Service (aka "proxy") connection. The error can result in a connection termination.
The execution pop-up message may provide a vague explanation for action or for communication to
the Help Desk / CA Privileged Access Manager Support. The error does not appear in the session logs.
Workaround: Select Policy, Manage Passwords to display the Credential Manager GUI. From the
Credential Manager GUI:
2. Double-click the ID of the target alias called AWS API Proxy Access Accounts to display the
Authorization Details panel for that group mapping.
3. From the Authorization Details screen for AWS API Proxy Access Accounts, ensure the
following checkboxes are unselected: Check Execution Path, and Check File Path.
4. Click Save.
Repeat Steps 1-4 for the target alias called VMware NSX API Proxy Access Accounts.
Access Issues
Multiple RDP Application failure with 'Restrict Login' option
When two or more RDP Applications are provisioned in a policy that enables the "Restrict login if
agent is not running" option, attempts to launch some of these RDP Applications may fail even when
the agent is running.
Workaround: Remove the trailing question mark from the URL in Safari
(https://<CA_PAM_IP_address>/) and press Enter.
The applet window opens but nothing else occurs. You cannot input commands.
You are using a variety of VNC servers. Some use VNC protocol version 3.8 while others use VNC
protocol version 3.7 or older.
Your policy allows you to access multiple machines with VNC and auto-connect.
You auto-connect to an initial machine with VNC 3.8, then auto-connect to another machine with
VNC 3.7 or older, and then attempt to auto-connect to the initial machine again with VNC.
The second attempt to auto-connect to the initial machine with VNC may fail.
The issue exists because you are occasionally using VNC 3.7 or older. The new VNC applet
implements VNC protocol version 3.8. Therefore, the VNC access method, session recording, and
auto-connect functionality support only VNC protocol version 3.8 or newer.
Workaround: Log out of CA Privileged Access Manager, log back into CA Privileged Access Manager,
and start a new VNC auto-connect session to the original machine.
Services Issues
Invalid Auto-Login method does not produce an error (DE158466)
Specifying the auto-login method through a CSV file should be limited to:
0 (none)
If you specify the auto-login method as a decimal (for example, 4.4) in a CSV file and import, CA
Privileged Access Manager does not display an error message.
Workaround: To update the request server fingerprint, run the following CLI command instead:
cmdName=updateRequestServer RequestServer.ID=Request_Server_ID RequestServer.acceptPendingFingerprint=true
Case sensitivity
For the purposes of filtering and sorting displayed information, all fields in the Credential Manager
GUI are case sensitive except for the following:
Fields containing host names. Host names are typically used to look up IP addresses. Host name
fields appear on screens dealing with target servers, request servers, and other types of servers.
Fields containing device names. Device names are assigned to machines to help identify them.
Description fields. Descriptions contain additional information to identify an entity, such as a policy,
a user group, or a role.
1. Delete the existing CA PAM Client install directory and all of its contents. For example,
C:\Program Files (x86)\CA PAM Client.
2. Reinstall the 2.8 client. For more information, see CA Privileged Access Manager Client for
Alternate Appliance Access
(https://docops.ca.com/display/CAPAM28/CA+Privileged+Access+Manager+Client+for+Alternate+Appliance+Access).
Workaround: After upgrading to 2.6, close your browser session and restart it. Alternatively, reload
the Global Settings page. Finally, you can set the field values in the Distribution Method column.
Workaround: Ensure that the CA Privileged Access Manager Client installation directory does not
contain any additional software.
Workaround: Use another account with privilege level 0 to manage the level 15 account.
Encoding error status may result, indicating the recording cannot be viewed.
File handling events involving a mapped drive are not marked in the recording.
Upgrade Issues
Cannot launch services after upgrade to release 2.6 (11303)
After upgrading to release 2.6, customers might see the following error message when they try to
launch any service: “Error occurred while trying to complete request. (12)”.
2. Scroll to the Sign CA Privileged Access Manager Applets pane. Click Sign applets with
Certificate.
IMPORTANT! Recovery from upgrade failure is possible only if you have made backups as
noted here.
Prevention
1. Remove Embedded VNC from the Access Methods panel of all Device records that use it
before upgrading to release 2.7.
2. Create backups for recovery in the unlikely, but catastrophic, case that Embedded VNC
remains in use on some Device.
Hardware appliances: Prepare database and configuration backups. Use the backup and
restore functions. The patch automatically performs a backup before running, so if it fails,
make note of the devices and then perform a restore.
Recovery
If Embedded VNC exists in any Device record during an upgrade to 2.7, the upgrade appears to
successfully complete. However, there will be a message in the yellow warning panel at the top of the
Dashboard page notifying the user of the upgrade failure. This message points to detailed
information -- including which Devices are affected -- in the session logs.
1. Perform restoration depending on your appliance form factor as noted earlier. If you are using
AMI instance appliances and for some reason restoration fails, call CA Support for new AMI
instances and assistance.
2. Attempt to remove all instances of the Embedded VNC Access Method for Devices that use it,
and retry the upgrade.
Other Issues
CA Privileged Access Manager API Documentation feature not supported in Internet Explorer 9
The documentation and test feature of the External API, accessed by clicking the API Doc link from
the upper-right-hand menu, does not work correctly in Internet Explorer 9 (IE 9). Use IE 11 or the
current release of Firefox instead.
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_inline-using.html
Workaround
3. Apply the following AWS IAM policy settings to its Policy field, and click Save:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:GetFederationToken",
          "Resource": "*"
        }
      ]
    }
4. Be sure to use this (now revised) AWS Policy in the Services policy template for an applicable
User with xceedium.aws.amazon.com (http://xceedium.aws.amazon.com).
Workaround: Configure the RADIUS server responsible for OTP as the last server in the list of
configured RADIUS servers in CA Privileged Access Manager.
Patch Releases
The content in this section provides information about CA Privileged Access Manager patch and
hotfix releases.
2.7.0.09 Hotfix
2.8.0.01 Hotfix
2.7.0.09 Hotfix
This content provides information about the 2.7.0.09 hotfix.
Resolved Issue
Prerequisites
Install the 2.7.0.09 Hotfix
Resolved Issue
The 2.7.0.09 hotfix resolves an issue with the year 2016 hard coded in the Date and Time
Configuration. The pull-down list for the Date now extends past the year 2016 in the CA PAM UI.
(Salesforce case number 00664001/Internal defect ID DE241486)
Prerequisites
Do the following tasks before installing this hotfix:
2.
Note: If you do not see these items, contact CA Support for further
instructions.
4. Instruct all users to clear their Java caches before they next log in.
2.8.0.01 Hotfix
This content provides information about the 2.8.0.01 hotfix.
Resolved Issue
The 2.8.0.01 hotfix resolves an issue where PuTTY intermittently failed to open a connection
(Salesforce case number 00521100/Internal defect ID DE241623).
Prerequisites
Do the following tasks before installing this patch:
Note: If you do not see these items, contact CA Support for further
instructions.
3. If your organization does not use the default appliance SSL certificate: Navigate to Config,
Security, and re-sign your JAR files.
5. Instruct all users to clear their Java caches before they next log in.
AWS API Proxy – The supported release is 3.0 AWS. See the release-specific AWS API Proxy
Deployment Guide for further information.
Socket Filter Agents (SFAs) – To operate in FIPS mode, the supported releases are SFA 2.7 for
Windows, and SFA 2.7 for UNIX/Linux. To operate in non-FIPS mode, the supported releases are
SFA 2.1 for Windows, and either SFA 2.2, 2.3 or 2.4 for UNIX/Linux. See Set up Socket Filter Agents
(https://docops.ca.com/display/CAPAM28/Set+up+Socket+Filter+Agents) for further information.
CA Privileged Access Manager Credential Manager A2A Clients – The supported releases are CA
Privileged Access Manager 2.3, CA Privileged Access Manager 2.4, and CA Privileged Access
Manager 2.5. The A2A Client installers are available at the CA Privileged Access Manager Support
website. See Install an A2A Client for Credential Management
(https://docops.ca.com/display/CAPAM28/Install+an+A2A+Client+for+Credential+Management)
for further information.
CA Privileged Access Manager Credential Manager Windows Proxy – The supported releases are
CA Privileged Access Manager 2.3, CA Privileged Access Manager 2.4, and CA Privileged Access
Manager 2.5. The Windows Proxy installer is available at the CA Privileged Access Manager
Support website. See Install a Windows Proxy for Credential Manager
(https://docops.ca.com/display/CAPAM28/Install+a+Windows+Proxy+for+Credential+Manager)
for further information.
Educational Resources
CA Product Courses
The following CA Product courses are available on the CA Education Portal (user login is required).
Click the course name for more information and registration.