
CA Privileged Access Manager - 2.8
Release Information

Date: 22-Mar-2017

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.

Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.

Table of Contents

Installation Requirements .......................................................................... 10


Software Compatibility ............................................................................................................................... 10
Hardware Appliance .................................................................................................................................. 10
AWS AMI Instance .................................................................................................................................... 10
VMware OVA Instance .............................................................................................................................. 10

Supported Environments ........................................................................... 11


Server Appliance Types ............................................................................................................................ 11
Supported Integration Components .......................................................................................................... 11
Supported Clients ...................................................................................................................................... 13
Access by User to GUI Using Native Workstation Environment ......................................................... 13
Access by User in Other Environments ............................................................................................... 16
Programmatic Access ......................................................................................................................... 17
Supported Targets ..................................................................................................................................... 18
Target Device Intermediaries .............................................................................................................. 19
Access ........................................................................................................................................ 19
Credential Management ............................................................................................................. 20
Target Devices .................................................................................................................................... 20

New Features and Enhancements in 2.8 .................................................. 23


Integration with CA Threat Analytics ......................................................................................................... 23
Palo Alto Target Connector ....................................................................................................................... 24
LDAP Over SSL (LDAPS) Support ............................................................................................................ 24
Extra LDAP Attributes for Password Modification ..................................................................................... 24
Enhancements to Support Integration with Other CA Products ................................................................ 24
New Deploying Section in the User Documentation .................................................................................. 25

Resolved Issues in 2.8 .............................................................................. 26

Resolved Issues in 2.7 .............................................................................. 28

Windows Proxy and A2A client do not restart properly (DE158681) ......................................................... 29
CA PAM Client authentication extended (US123147, US161920, US172209) ......................................... 29
Service credentials pass-through enabled (DE142973) ............................................................................ 30
Identification of Client in Mac menu bar (US151336) ................................................................................ 30
Terminal Customization Buffer Size fixed (DE155580) ............................................................................. 30
Command filtering restored for Cisco Devices (DE157542) ...................................................................... 30
SSH Service failure corrected (DE157835) ............................................................................................... 30
License signature verification restored (DE158116) ................................................................................. 30
AWS Access Key can now be changed (DE158710) ................................................................................ 31
CA PAM Client installer can now be launched on Windows 7 from IE download (DE159969) ................. 31
SFTP-to-SFTP and embedded SFTP-to-SFTP Services capability restored (DE161009) ....................... 31
Application re-keying supported for Services (DE161704) ........................................................................ 31
SSH connection activations now captured to sessions logs (DE164050) ................................................. 31
Web portal Services fixed (DE165022) ..................................................................................................... 31
SSH key can now be changed successfully using master account (DE171351) ...................................... 32
JAR file versioning improved (DE172919) ................................................................................................ 32
SAML reauthentication restored for password view (DE173160) .............................................................. 32
CA PAM Client can now successfully connect using FQDN (DE175139) ................................................. 32
Large number of unique connection sockets now possible (DE175740) .................................................. 32
CA PAM Client can now be used on Red Hat Enterprise Linux 7 (DE180452) ......................................... 32
Cluster member Virtual Management IP delegation corrected (DE186593) ............................................. 33
Certificate update no longer prevents autologin (DE197641) ................................................................... 33
Security vulnerability removed (DE157310) .............................................................................................. 33
OpenSSL update (DE161901) .................................................................................................................. 33
Cluster use of public IP addresses restored (DE158646) ......................................................................... 33
Cluster members freeze (DE159957) ........................................................................................................ 33
Cluster replication for Transparent Login Config settings restored (DE160203) ....................................... 34
Slow Access page loading resolved (DE154126) ..................................................................................... 34
Response to unsynchronized databases no longer preventing cluster restoration (DE165743) ............... 34
Command Filtering restored for PuTTY Telnet (DE136849) ..................................................................... 34
NFS share Security Safe setting restored for SSH recordings (DE142545) ............................................. 34
Auto-login via embedded Service settings restored (DE142973) .............................................................. 35
RADIUS password may now contain colon (DE144586) .......................................................................... 35
Logs for Scheduled Jobs include more information (DE156039) .............................................................. 35
ExternalAPI now available to a stopped cluster member (DE158501) ...................................................... 35
Visibility restored for session recordings (DE162262) ............................................................................... 35
FIPS security certificate update (DE162960) ............................................................................................ 36
Reauthentication mechanism restored (DE165300) ................................................................................. 36

Credential Management messages restored to syslog (DE154447) ......................................................... 36
Partial SFA violation message displayed (DE158684) .............................................................................. 36
Non-admin Mac users are not able to use the CA PAM Client (DE187116) ............................................. 36
Disabled LDAP accounts are no longer authenticated using PKI (DE175549, DE157861, DE203043) ............ 37
Auto-connection access was possible with checked-out credentials (DE140882) .................................... 37
License Warning was not rendered correctly (DE155253) ........................................................................ 37
ExternalAPI to access password did not always work due to mismapped fields (DE136845) .................. 37
Deleting a target account while an access policy was in effect could result in an erroneous policy (DE136899) ............ 37
Appliance reboot following certificate update (DE197641) ........................................................................ 38
CLI command setPasswordViewReasons not working for UNIX (DE155598) .......................................... 38
Administrative Activities did not include Scheduled Jobs (DE154888) ..................................................... 38
Windows Domain Service account discovery not available (DE149277) .................................................. 38
Password View Policy (PVP) events were not captured sufficiently (DE155033) ..................................... 38
Windows Domain Services target account with change-on-view Password View Policy was not possible (DE155912) ............ 39
Dual-approver Password View Policy can be unstable if User is in multiple CM User Groups (DE156483) ............ 39
Credential Management Filter button slow when there is a large number of Users (DE157043) ............. 39
Target Groups and Request Groups loaded slowly (DE157051) .............................................................. 39
Windows Domain Service logging omission (DE162026) ......................................................................... 39
LDAP+RSA User re-authentication failure (DE172096) ............................................................................ 40
Syslog message switch required reboot to toggle Credential Management capture (DE154447) ............ 40

Known Issues ............................................................................................ 41


Configuration Issues .................................................................................................................................. 43
Dashboard email indicator is initially incorrect (DE158230) ................................................................ 43
GB7-GB10 ports unavailable on Model X206P (DE158231) .............................................................. 43
Provisioning Issues ................................................................................................................................... 43
Use caution when entering regular expressions into command filter lists (DE161678, DE161679) ... 43
Changes to SHA digest for Transparent Login of Windows RDP Applications (DE158232) .............. 43
Learn Tool may crash when using down arrow key (DE158283) ........................................................ 44
Learn Tool may fail to run again following a forced End Process (DE158286) ................................... 44
AWS API Proxy and NXS API Proxy Issues ............................................................................................. 44
Scripts not created for auto-registering clients (DE158287) ............................................................... 44
AWS API proxy does not upgrade properly (DE158289) .................................................................... 44
Database restore and AWS licensing restrictions (DE158290) ........................................................... 45

Access Issues ........................................................................................................................................... 45
Multiple RDP Application failure with 'Restrict Login' option ............................................................... 45
Xceedium Browser issues on Mac OS ................................................................................................ 45
Secondary Transparent Login in SSH connections ............................................................................ 45
Syntax error may prompt incorrect message (DE158475) .................................................................. 45
Always use password .......................................................................................................................... 45
Xceedium Browser PDF menu options limited on Mac (DE158476) ................................................... 46
Xceedium Browser and CA Privileged Access Manager Client Browser do not support plugins that use NPAPI (DE161212) ............ 46
^C may be appended at the end of command filtering violation messages (DE158479) .................... 46
Command filtering not working for native Telnet Service (DE158480) ............................................... 46
Windows Telnet applet may not work for AWS targets (DE158481) ................................................... 46
CLI Access Method applet may fail from use of certain characters (DE158486) ................................ 47
SAML auto-connect fails for PAT clustered CA Privileged Access Manager RPs (DE158488) .......... 47
RDP session closes when you open RDP application connection to Windows Server 2008 (DE158489) ............ 47
Issues with logging in with PIV card and Safari (DE158491) .............................................................. 47
Telnet and SSH access methods do not work when applet customization has invalid values (DE161528) ............ 47
Cannot relaunch VNC applet after another device is accessed with auto-connect (DE140874) ........ 48
Services Issues ......................................................................................................................................... 48
Invalid Auto-Login method does not produce an error (DE158466) .................................................... 48
CA Privileged Access Manager does not automatically delete backup file (DE158470) .................... 49
Cannot launch embedded services sftpftpemb and sftpsftpemb (DE155628) .................................... 49
Credential Manager Issues ....................................................................................................................... 49
Multiple Scripts of the Same Name but in Different Directories (DE158576) ...................................... 49
UTF-8 only for CLI input ...................................................................................................................... 49
Fingerprint update not available (DE158578) ..................................................................................... 49
Database error causes blank Workflow My Requests page (DE158138) ........................................... 50
Case sensitivity ................................................................................................................................... 50
CA Privileged Access Manager Client Issues ........................................................................................... 50
Linux Desktop does Not Work PIV/CAC (DE276404) ......................................................................... 50
Client sometimes fails to connect after upgrading to 2.8 (DE244065) ................................................ 50
Older Linux installations require additional libraries (DE137968) ....................................................... 51
CA Privileged Access Manager Client download button disappears from the login page after applying the 2.6 upgrade patch (DE160612) ............ 51
CA Privileged Access Manager Client Windows uninstaller deletes entire contents of installation directory (DE162561) ............ 51
A2A Client and Target Connector Issues .................................................................................................. 52
Account with elevated privileges in Cisco IOS is not supported by Cisco target connector (DE158580) ............ 52
UNIX Client uninstaller does not remove THIRD_PARTY_LICENSE (DE158682) ............................. 52

Logs, Reports, and Session Recording Issues ......................................................................................... 52
AWS S3 and session recording issues (DE158685) ........................................................................... 52
Attempt to complete Web Portal recording post-processing results in "Encoding Error" (DE158687) ............ 52
Native SSH Service recording corrupted for edited commands (DE158688) ..................................... 53
CLI text search using keyboard shortcuts limitation (DE158689) ....................................................... 53
Default Mac OS auto scale setting causes slow playback of recorded sessions (DE158691) ........... 53
Upgrade Issues ......................................................................................................................................... 53
Cannot launch services after upgrade to release 2.6 (11303) ............................................................ 53
Existing Devices that use Embedded VNC cause upgrade failure (DE200033) ................................. 54
Other Issues .............................................................................................................................................. 55
CA Privileged Access Manager API Documentation feature not supported in Internet Explorer 9 ..... 55
Keyboard mapping issues (DE158692) ............................................................................................... 55
AWS Management Console page not available (DE197725) ............................................................. 55
The appliance intermittently crashes with a core dump after database restore (DE206853) ............ 56
Unable to login to CA Privileged Access Manager using the RADIUS Authentication type when two RADIUS servers are configured (DE172566) ............ 56
Some versions of Java 8 might cause certificate errors ...................................................... 56
Appliance is unable to connect to SFA (WinSFA_2.70a) installed on Windows 2008 R2 (DE198762) ............ 56

Patch Releases ......................................................................................... 57


2.7.0.09 Hotfix ........................................................................................................................................... 57
Resolved Issue .................................................................................................................................... 57
Prerequisites ....................................................................................................................................... 57
Install the 2.7.0.09 Hotfix ..................................................................................................................... 57
2.8.0.01 Hotfix ........................................................................................................................................... 58
Resolved Issue .................................................................................................................................... 58
Prerequisites ....................................................................................................................................... 58
Install the 2.8.0.01 Hotfix ..................................................................................................................... 59

Related CA Technologies Products .......................................................... 61

Educational Resources ............................................................................. 62


Release Information
CA Privileged Access Manager 2.8 provides updated software, functionality, and fixed issues.

The content in this section provides information about the 2.8 release.
Installation Requirements (see page 10)
Supported Environments (see page 11)
New Features and Enhancements in 2.8 (see page 23)
Resolved Issues in 2.8 (see page 26)
Resolved Issues in 2.7 (see page 28)
Known Issues (see page 41)
Patch Releases (see page 57)
Related CA Technologies Products (see page 61)
Educational Resources (see page 62)


Installation Requirements
Ensure that the following requirements are met before installing CA Privileged Access Manager.

Software Compatibility
Before you upgrade, ensure that your existing installation is running a release and patch level from which
you can upgrade to the current release. Verify whether you can upgrade by reviewing CA Privileged Access
Manager Update Paths (https://docops.ca.com/display/CAPAM28/Update+Paths).

See Upgrading (https://docops.ca.com/display/CAPAM28/Upgrading) for the upgrade procedures.

Hardware Appliance
There are no special requirements for installing a CA Privileged Access Manager hardware appliance.
Only general standalone computer hardware requirements apply.

AWS AMI Instance


To install an AWS AMI instance of the product, use an AWS instance type of C3 Large (c3.large) for production.
For evaluation or testing, an instance type of M3 Medium (m3.medium) is sufficient.

VMware OVA Instance


CA supplies an OVA package that contains the VMware OVA template and its support files. To install a VMware
OVA instance, ensure that the following resources are assigned to the VM:

CPU: one virtual processor with one virtual core

Recommended memory: 16 GB

Storage: 8-GB disk

NICs: one interface. Add any additional required interfaces before the initial boot.


Supported Environments
CA Privileged Access Manager is a distributed system with a Server (see page 11) (or Server Clusters
(https://docops.ca.com/display/CAPAM28/Set+up+Clusters+for+High+Availability+Deployments)) and three major
interacting environments:

Integration Components (see page 11)

Clients (see page 13)

Targets (see page 18)

Server Appliance Types


The product server is hosted on an appliance, or shared across an appliance cluster. These appliances take
the forms identified below. For every form factor, the CA component is any currently supported
CA Privileged Access Manager release level.

Hardware (physical chassis)
    Environmental access: LCD on chassis
    Network placement: GUI through a direct patch to the chassis

VMware (virtual machine)
    Environmental access: VMware vCenter
    Network placement: VMware console

AWS (AMI instance)
    Environmental access: AWS Management Console
    Network placement: N/A

Supported Integration Components


Integration components are functions on independent machines that supply, or serve, the CA
Privileged Access Manager server with processing and information. Some components can also
function as targets.


In the table below, items separated by semicolons within one entry are mutually exclusive options.

Table: Server Resources (Scope / Function / Type or Protocol / Subtype / Supported)

Scope: All

    Directories (data: User attributes, User Authn/Authz, Device definition, etc.)
        LDAP: Microsoft Active Directory; OpenLDAP; other LDAP v3-compliant directories
        SAML: IdP (any SAML-conforming); SP (RP)
        RADIUS
        RSA: RSA SecurID, with RSA Authentication Manager
        TACACS+
        OCSP
        CRL

    Storage (logs)
        MySQL; Splunk; Syslog

    SNMP
        Trap server; Poll server

    Storage (session recordings)
        NFS; CIFS; AWS S3

    Timeservers
        Authenticated NTP; NTP: NTP.org (http://NTP.org) NTP server 4.2.6x

Scope: Credential Management

    HSMs
        SafeNet Luna SA; SafeNet Luna PCI-E; Thales nShield Connect

Supported Clients
By "clients", we mean those persons or machines that are users of a CA Privileged Access Manager
system. They can include any and all of those identified in the following tables. Other environments
might appear to work with the product, but CA Technologies does not support them.

In the tables that follow, items separated by semicolons within one entry are mutually exclusive options.

Access by User to GUI Using Native Workstation Environment
The following table assumes a human user at a client workstation using their native environment to
access CA Privileged Access Manager through the web-based GUI.

Windows
    OS: Windows Server 2008 R2 (32-bit or 64-bit); Windows Server 2012 R2 (64-bit); Windows 7 (32-bit or
    64-bit); Windows 8.1 (32-bit or 64-bit); Windows 10 (32-bit or 64-bit). Windows 8 is not supported;
    only Windows 8.1 is supported.
    Oracle Java: JRE at the latest update level available from Oracle for Version 7; Version 8 up to
    update 101. See Known Issues (https://docops.ca.com/display/CAPAM27/Known+Issues) for more details.
    Do not use Java 6 with the product. Depending on the number of required simultaneous sessions and
    other operational parameters, customers might need to increase the minimum and maximum heap settings.
    If you continue to use the product GUI from previous releases, CA Technologies recommends that you
    enable Java caching. If you use the CA PAM Client, you do not need to enable Java caching.
    Browser: Microsoft Internet Explorer (IE) 9 or 11; Mozilla Firefox 45 or later.
        CA Technologies recommends that you use IE 11. IE 10 is not supported. Microsoft Edge is not
        supported. IE Compatibility Mode is not supported. If you use IE 9, the following issues apply:
        the ExternalAPI (REST API) documentation/test feature (invoked from the API Doc menu item) is not
        supported, and the bottom of GUI field inputs might be clipped, making the input hard to read.
        CA Technologies recommends that you use IE 11 instead.
        For Firefox, CA Technologies recommends that you enable the following option: Tools, Options,
        Advanced icon, Update tab, Firefox updates panel, Automatically install updates. Firefox 38.4.0 ESR
        has known issues interacting with Java applets and is not supported. See
        https://bugzilla.mozilla.org/show_bug.cgi?id=1140616 and
        https://www.java.com/en/download/installed.jsp?detect=jre&try=1.
        Google Chrome is not supported for any release of the product.

Mac OS X
    OS: Mac OS X 10.9 (Mavericks) or later.
    Oracle Java: latest update level available from Oracle for Version 7; Version 8 up to update 73.
    See Known Issues (https://docops.ca.com/display/CAPAM27/Known+Issues) for more details.
    CA Privileged Access Manager Assistant: the user must download and run this utility from the link
    that is provided on the product login page, below the white login box. See the CA Privileged Access
    Manager Implementation Guide for details.
    Browser: Apple Safari 7 or later; Mozilla Firefox 45 or later (with the same Firefox update
    recommendation and Firefox 38.4.0 ESR restriction as for Windows). Google Chrome is not supported for
    any release of the product. The Xceedium Browser (for target directory access) has limited support
    on Mac OS. See Known Issues (https://docops.ca.com/display/CAPAM27/Known+Issues) for details.

Linux
    OS: Debian-based distributions (such as Ubuntu, Mint, or Pear) with Linux kernel 3.0 or later.
    Oracle Java: latest update level available from Oracle for Version 7; Version 8 up to update 73.
    See Known Issues (https://docops.ca.com/display/CAPAM27/Known+Issues) for more details.
    Browser: Mozilla Firefox 45 or later (with the same Firefox update recommendation and Firefox 38.4.0
    ESR restriction as for Windows). Google Chrome is not supported for any release of the product.


Access by User in Other Environments


The following table assumes a human user at a client workstation to access CA Privileged Access
Manager.

Columns: Scope; Type; CA Component; Supported Environments

Type: VNC client support
CA Component: N/A
Supported Environments: When configured as a CA Privileged Access Manager Service, any
  brand of VNC client can be used successfully. However, the product cannot record
  service sessions.

Scope: Credential Management (Remote) CLI
Type: User use of:
CA Component: cliTool.jar
Supported Environments: Oracle Java JRE:
  Latest update level available from Oracle for Version 7
  Version 8 up to update 101. See Known Issues
  (https://docops.ca.com/display/CAPAM27/Known+Issues) for more details.

Scope: All
Type: External API
CA Component: N/A
Supported Environments: Manual test use:
  See environment for Type="Browser access in native environment"

Scope: All (optional GUI)
Type: CA PAM Client
Supported Environments:
  Windows:
    - Windows 7 (32-bit, 64-bit)
    - Windows 8.1 (32-bit, 64-bit)
    - Windows 10 (32-bit, 64-bit)
  Mac OS X:
    - Mac OS X 10.11.5 El Capitan
    - Mac OS X 10.10 Yosemite
  Linux x86:
    - Fedora Workstation 23 (32-bit)
    - Ubuntu 14.04.3 LTS (32-bit)
  Linux x64:
    - Fedora Workstation 23 (64-bit)
    - Ubuntu 14.04.3 LTS (64-bit)

Scope: All
Type: VNC client support
Supported Environments: When configured as a CA Privileged Access Manager Service, any
  brand of VNC client can be used successfully. However, the product cannot record
  service sessions.

Scope: All
Type: Language support
Supported Environments: You can adjust this CA Privileged Access Manager setting in
  My Info, Keyboard Layout. The default setting is AUTO. When set to AUTO and the
  client OS is Windows, the product communicates with Windows to identify its
  language. The product then interprets keyboard input using a layout that
  corresponds as closely as possible to that language.

  For any OS, the Keyboard Layout setting can be set to one of the following
  specific-language options:
    DA – Danish
    DE – German
    EN-GB – English (UK)
    EN-US – English (US)
    ES – Spanish
    FI – Finnish
    FR – French
    FR-BE – French (Belgium)
    FR-CH – French (Switzerland)
    HU – Hungarian
    IW-IL – Hebrew
    NO – Norwegian
    PL – Polish
    RU – Russian
    SV – Swedish (International)

Scope: Smartcard Authentication
Type: PIV/CAC Card reading software
CA Component: Card reader
Supported Environments: ActivID ActivClient 6.0 or 6.1


Programmatic Access
The following table assumes non-human user access to CA Privileged Access Manager.

Columns: Host; Scope: Type; CA Components; Supported Environments

Host: Requestor
  Recommended minimum: 32 MB RAM
  Available hard drive space: 32-bit: 120 MB; 64-bit: 170 MB
Scope: Type: Credential Management: Programmatic (script) invocation of: A2A Client
CA Components: Windows installers: 32-bit, 64-bit (for each OS); Unix/Linux installers
Supported Environments:
  Windows:
    - Windows 7, Minimum patch level: 6.1.7600
    - Windows 8.1, Any patch level
    - Windows Server 2008 R2, Minimum patch level: 6.0.6001
    - Windows Server 2012 R2, Any patch level
  Unix/Linux:
    - RHEL 5.0 (x86)
    - Solaris 10 SPARC

Host: (any)
Scope: Type: Credential Management: Programmatic use of: cliTool.jar CLI
Supported Environments: Oracle Java JRE:
  Latest update level available from Oracle for Version 7
  Version 8 up to update 101. See Known Issues
  (https://docops.ca.com/display/CAPAM27/Known+Issues) for more details.

Host: (any)
Scope: Type: Credential Management: Java programmatic use of: Java API

Host: (any)
Scope: Type: Access and Credential Management: Programmatic use of: ExternalAPI
CA Components: N/A
Supported Environments: (any)


Supported Targets
The tables below identify the options available for each environment.


Table features:

Bullet items in any cell indicate mutually exclusive options.

Bold items indicate CA product or part names.

Target Device Intermediaries

Access
The following intermediaries are used for device access:

Columns: Function; CA Software Name; Versions; Supported Environments

Function: RDP connection: OS
  CA Software Name: RDP Access Method (applet)
  Versions: (bundled with CA Privileged Manager release)
  Supported Environments: any supported client workstation

  CA Software Name: N/A
  Versions: N/A
  Supported Environments: RDP communication application on any supported client
    workstation ("Service")

  CA Software Name: N/A
  Versions: N/A
  Supported Environments: any supported client workstation

Function: RDP connection: Application
  CA Software Name: RDP Application Access Method (applet)
  Versions: (bundled with CA Privileged Manager release)
  Supported Environments: any supported client workstation

Function: SSH connection
  CA Software Name: SSH Access Method (applet)
  Versions: (bundled with CA Privileged Manager release)
  Supported Environments: any supported client workstation

  CA Software Name: N/A
  Versions: N/A
  Supported Environments: SSH communication application on any supported client
    workstation ("Service")

  CA Software Name: N/A
  Versions: N/A
  Supported Environments: any supported client workstation

Function: Leapfrog blocking
  CA Software Name: Socket Filter Agent
  Versions:
    - Release 2.1 for Windows
    - Release 2.3 for Unix
  Supported Environments: Installed only on the target host (an installer is
    provided for each Unix and Linux type)

Function: Windows-target Secondary Transparent Login configuration
  CA Software Name: Learn Tool
  Versions: (bundled with CA Privileged Manager release)

Function: AWS API access
  CA Software Name: AWS API Proxy
  Versions: Release 2.1
  Supported Environments: AWS AMI instance appliance

Function: VMware NSX API access
  CA Software Name: NSX API Proxy
  Supported Environments: AWS AMI instance appliance

Function: Target pre-processing
  CA Software Name: Windows Proxy
  Versions: Release 4.10
  Supported Environments: Installed either on the target host or other Windows host
    with:
    - Windows 7, with minimum patch level 6.1.7600
    - Windows Server 2008 R2, with minimum patch level 6.0.6001

Credential Management
The following intermediaries are used for handling passwords:

Columns: Function; CA Software Name; Versions; Supported Environments

Function: Target pre-processing
  CA Software Name: Windows Proxy
  Versions: Release 4.10
  Supported Environments: Installed either on the target host or other Windows host
    with:
    - Windows 7, with minimum patch level 6.1.7600
    - Windows Server 2008 R2, with minimum patch level 6.0.6001

Target Devices
Targets include the following types:

Columns: Scope; Target Function; Supported Environments; Notes

Scope: Access

  Target Function: OS access
  Supported Environments: Any Windows OS and RDP server

  Target Function: Application access, by way of secondary transparent login
  Supported Environments:
    - Windows Server 2008 R2 (64-bit)
    - Windows Server 2012 R2 (64-bit)
  Notes: Secondary transparent login is supported for any target application, used
    either within a CA Privileged Access Manager RDP Access Method applet session or
    directly as an RDP Application.

  Target Function: Application access
  Supported Environments: Windows OS, RDP server, and target application

  Target Function: OS access
  Supported Environments: Any Unix or Linux

  Target Function: Application access, by way of secondary transparent login
  Supported Environments:
    - sudo
    - BeyondTrust® PowerBroker® pbrun
    - custom commands
  Notes: For effective security, configure sudo, pbrun, or the custom commands on the
    target server such that they require a password each time they are invoked.

  Target Function: Leapfrog blocking
  Supported Environments:
    - Windows Server 2008 (32 bit or 64 bit)
    - Windows Server 2008 R2 (64 bit)
    - Windows Server 2012 R2 (64 bit)
    - AIX 7
    - Debian 7 (32 bit or 64 bit)
    - Red Hat Enterprise Linux (EL) 6 (32 bit or 64 bit)
    - Red Hat EL 5 (32 bit or 64 bit)
    - SUSE Linux 11 (32 bit or 64 bit)
    - SUSE Linux 10 (32 bit or 64 bit)

  Target Function: Windows-target Secondary Transparent Login configuration
  Supported Environments: Windows OS and RDP server

  Target Function: AWS API access
  Supported Environments: AWS Management Console

  Target Function: VMware NSX API access
  Supported Environments: VMware NSX

Scope: Credential Management

  Target Function: Windows OS password handling
  Supported Environments: Installed Windows Proxy either on the target host or other
    Windows host with:
    - Windows 7, with minimum patch level 6.1.7600
    - Windows Server 2008 R2, with minimum patch level 6.0.6001



New Features and Enhancements in 2.8


This topic identifies features and notable enhancements that have been introduced from the time of
the last major GA version (Release 2.7) of the product.

Important! The 2.8 release does not contain the following defect fixes and enhancements
that were included in the 2.7.0.05 and 2.7.1 patches:

- SecureCRT transparent login does not work without autologin (Salesforce Case
  00529711; Internal defect ID DE246965).
- Issue with Putty/SecureCRT Auto-Connect (Salesforce Case 00494275; Internal defect
  ID DE200481).
- Putty intermittently fails to open connection (Salesforce case 00521100; Internal
  defect ID DE241623).
- Cluster out-of-sync because CSV import is timing out (Salesforce case 00580685;
  Internal defect ID DE246231).
- Enhancement: Add external storage to virtual appliances (Salesforce case 00604503;
  defect ID DE174582).

If you need any of these fixes or enhancements, wait for an upcoming 2.8.x patch that
includes them.

Integration with CA Threat Analytics (see page 23)
Palo Alto Target Connector (see page 24)
LDAP Over SSL (LDAPS) Support (see page 24)
Extra LDAP Attributes for Password Modification (see page 24)
Enhancements to Support Integration with Other CA Products (see page 24)
New Deploying Section in the User Documentation (see page 25)

Integration with CA Threat Analytics


CA Threat Analytics continuously analyzes user activity data supplied to it by CA Privileged Access
Manager. CA Threat Analytics sends back user-specific risk assessment decisions so that CA Privileged
Access Manager can appropriately control, or mitigate, user activity. Future user actions are
dynamically controlled in an automated and predictable way that is based on their historical access
behavior. See Integrate with CA Threat Analytics (https://docops.ca.com/display/CAPAM28
/Integrate+with+CA+Threat+Analytics) for more information.


Palo Alto Target Connector


A new Palo Alto target connector allows you to manage accounts on Palo Alto routers and PAN-OS.
This connector uses the SSHv2 protocol for communication.

LDAP Over SSL (LDAPS) Support


2.8 adds the option to configure an LDAP domain using an LDAP over SSL (LDAPS) connection. The
LDAPS setting is located on the Config, 3rd Party page in the Add LDAP Domain panel, selectable
from the SSL Usage drop-down list. When selected, the Port field is automatically populated with the
default port number for LDAPS connections (636).

For more information about configuring an LDAP domain, see Configure Network Resources (
https://docops.ca.com/display/CAPAM28/Configure+Network+Resources).

Tip: If the LDAP connection fails after selecting the LDAPS option, verify that port 636 is
open on the LDAP domain.
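A client-side check of the kind the tip describes, as an added example that is not part of the original documentation or of the product: it opens a TCP connection to the configured LDAPS port and then attempts a verified TLS handshake, so a closed or filtered port can be told apart from a server certificate the client does not trust before the LDAP domain is saved. The host name "ldap.example.com" and the optional cafile argument are placeholders for illustration.

```python
import socket
import ssl
from typing import Optional

LDAPS_DEFAULT_PORT = 636  # the default the page says the Port field is filled with


def check_ldaps(host: str, port: int = LDAPS_DEFAULT_PORT, timeout: float = 5.0,
                cafile: Optional[str] = None) -> dict:
    """Probe an LDAPS endpoint without binding to the directory.

    Returns a dict describing how far the connection got:
      tcp_ok  - a TCP connection to host:port was accepted
      tls_ok  - the TLS handshake completed with a certificate that chains to
                a trusted CA (the system store, or `cafile` if given) and whose
                name matches `host`
      subject - the server certificate subject when tls_ok is True
      error   - a short reason when either step failed
    """
    result = {"host": host, "port": port, "tcp_ok": False, "tls_ok": False,
              "subject": None, "error": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Connection refused, timeout, or name resolution failure: the port is
        # not reachable from here, which is the case the tip asks you to check.
        result["error"] = f"TCP connect failed: {exc}"
        return result
    result["tcp_ok"] = True

    # create_default_context enforces chain validation and host name checking,
    # so a self-signed or mis-issued directory certificate is reported as an
    # error instead of being silently accepted.
    context = ssl.create_default_context(cafile=cafile)
    try:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert() or {}
            result["tls_ok"] = True
            result["subject"] = dict(pair[0] for pair in cert.get("subject", ()))
    except ssl.SSLError as exc:
        result["error"] = f"TLS handshake failed: {exc}"
    except OSError as exc:
        result["error"] = f"connection error during handshake: {exc}"
    finally:
        sock.close()
    return result


def unused_local_port() -> int:
    """Return a TCP port on 127.0.0.1 that nothing is listening on, for an
    offline self-test of the failure path (a constructed input, not a target)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    # "ldap.example.com" is a placeholder; use the LDAP domain's host name.
    print(check_ldaps("ldap.example.com"))
```

A result with tcp_ok false points at the network path (firewall or the directory not listening on 636); tcp_ok true with tls_ok false means the port is open but the server certificate does not validate against the CA store this client trusts, which is a separate problem from the one the tip names.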

Extra LDAP Attributes for Password Modification


CA Privileged Access Manager now allows you to specify attribute name/value pairs to be updated
with password modifications. For LDAP applications that implement the OpenLDAP
shadowLastChange attribute, we provide the dynamic value %EPOCH_DAYS%. This dynamic attribute
evaluates to the current number of days since the epoch (1/1/1970). See LDAP Target Connector (
https://docops.ca.com/display/CAPAM28/LDAP+Target+Connector#LDAPTargetConnector-
AddLDAPTargetApplicationGUIDetails) for more information.
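The value that %EPOCH_DAYS% evaluates to, and how a dynamic token of this kind is applied to attribute name/value pairs before they are sent with a password change, as an added example that is not part of the original documentation or of the product. The token name is taken from the page; the rendering and validation functions are an illustration and are not the product's own code.

```python
import time
from typing import Iterable, List, Optional, Tuple

# Token name as given on the page; the expansion below is an added
# illustration of what it evaluates to, not the product's implementation.
EPOCH_DAYS_TOKEN = "%EPOCH_DAYS%"
SECONDS_PER_DAY = 86_400


def epoch_days(unix_seconds: Optional[int] = None) -> int:
    """Whole days elapsed since 1970-01-01 00:00 UTC.

    This is the unit used by the OpenLDAP/shadow(5) attribute shadowLastChange:
    a password changed at any time on 2017-03-22 is recorded as day 17247.
    """
    if unix_seconds is None:
        unix_seconds = int(time.time())
    if unix_seconds < 0:
        raise ValueError("timestamps before the epoch are not valid here")
    return unix_seconds // SECONDS_PER_DAY


def render_attributes(pairs: Iterable[Tuple[str, str]],
                      unix_seconds: Optional[int] = None) -> List[Tuple[str, str]]:
    """Expand dynamic tokens in attribute name/value pairs.

    Each pair is (attributeName, valueTemplate). The rendered list is what a
    password-change job would include in the same LDAP modify operation as the
    new userPassword, so the password age the directory enforces stays in step
    with the rotation the credential manager performed.
    """
    days = str(epoch_days(unix_seconds))
    rendered = []
    for name, value in pairs:
        rendered.append((name, value.replace(EPOCH_DAYS_TOKEN, days)))
    return rendered


def validate_shadow_values(pairs: Iterable[Tuple[str, str]]) -> List[str]:
    """Return problems found in rendered shadow* attribute values.

    shadowLastChange and its siblings are INTEGER-syntax attributes. A value
    that is not a non-negative integer (for example a misspelled token that was
    never expanded) is rejected by the directory, which leaves the account's
    recorded password age stale even though the password itself was changed.
    """
    problems = []
    for name, value in pairs:
        if name.lower().startswith("shadow") and not value.isdigit():
            problems.append(f"{name}: {value!r} is not a non-negative integer")
    return problems
```

The validation step is the check worth keeping: a rotation job that writes the new password but fails the shadowLastChange update is easy to miss, because the bind with the new password still succeeds.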

Enhancements to Support Integration with Other CA Products

2.8 provides several enhancements to support integration with upcoming releases of other CA
products.


New Deploying Section in the User Documentation

The user documentation has a new section titled Deploying. This section explains how to set up the
CA Privileged Access Manager appliance (physical and virtual), configure initial network connections,
implement clustering, and complete other tasks to establish your environment. Much of the
information was previously located under the Implementing section.


Resolved Issues in 2.8


The following table lists the issues that are resolved in release 2.8.

Important! The 2.8 release does not contain the following defect fixes and enhancements
that are in the 2.7.0.05 and 2.7.1 patches:

- SecureCRT transparent login does not work without autologin (Salesforce Case
  00529711; Internal defect ID DE246965).
- Issue with Putty/SecureCRT Auto-Connect (Salesforce Case 00494275; Internal defect
  ID DE200481).
- Putty intermittently fails to open connection (Salesforce case 00521100; Internal
  defect ID DE241623).
- Cluster out-of-sync because CSV import is timing out (Salesforce case 00580685;
  Internal defect ID DE246231).
- Enhancement: Add external storage to virtual appliances (Salesforce case 00604503;
  defect ID DE174582).

If you need any of these fixes or enhancements, wait for an upcoming 2.8.x patch that
includes them.

Salesforce  Internal   Issue Description
Case Number Defect ID
00492258    DE149414   On the dashboard, the MAC address is empty.
00492749    DE160810   The Send Interval time on the Reports page Automatic Mailer must
                       not be a constant value set at 2:00AM.
00492275    DE165740   Session recording configuration lost on reboot.
00488589    DE175466   Not able to open the LDAP Browser.
00489253    DE175549   User with PIV login for the LDAP account can still get through
                       Access Page when LDAP account is disabled.
00490804    DE175746   User disabled messages are missing from syslog. When a user is
                       disabled because of inactivity, messages are only written to
                       the session log.
00495510    DE177770   Cluster out of sync.
00493152    DE197665   Certificate does not delete when it says it successfully deleted.
00473260    DE203069   Password creation & expiration time wrong for many users.
TR: 12363   DE203608   Log table is not created on the external log server.
00484080    DE206434   Report lists all Privileged Accounts.
00495839    DE224286   User documentation for Target Script Connector Processor
                       incorrect.
00503062    DE224512   Security issue when enabling one user to use the API account of
                       another user.
00492911    DE224516   Comma missing between the user group and port in gksyslog.log
                       file.
00498776    DE227378   Dual authorization approval process not able to handle the "<"
                       (less than) character.
00514857    DE237932   After upgrading the product from 2.6.2, scheduled backups
                       stopped working.
00664001    DE241486   The year 2016 is hard-coded in Date/Time area for CA PAM 2.6 and
                       CA PAM 2.7.
00580096    DE243225   IBM Users Getting NoSuchMethod Error.
00579054    DE243230   User is having issues accessing Access page after PAM 2.7
                       upgrade.
00582620    DE243798   PIV/CAC card access: Customer can still gain access with revoked
                       credentials.
00584404    DE244357   Disk space getting full due to many PVR requests being
                       generated.


Resolved Issues in 2.7


This topic describes the product issues that were corrected in release 2.6.
Windows Proxy and A2A client do not restart properly (DE158681) (see page 29)
CA PAM Client authentication extended (US123147, US161920, US172209) (see page 29)
Service credentials pass-through enabled (DE142973) (see page 30)
Identification of Client in Mac menu bar (US151336) (see page 30)
Terminal Customization Buffer Size fixed (DE155580) (see page 30)
Command filtering restored for Cisco Devices (DE157542) (see page 30)
SSH Service failure corrected (DE157835) (see page 30)
License signature verification restored (DE158116) (see page 30)
AWS Access Key can now be changed (DE158710) (see page 31)
CA PAM Client installer can now be launched on Windows 7 from IE download (DE159969) (see page 31)
SFTP-to-SFTP and embedded SFTP-to-SFTP Services capability restored (DE161009) (see page 31)
Application re-keying supported for Services (DE161704) (see page 31)
SSH connection activations now captured to sessions logs (DE164050) (see page 31)
Web portal Services fixed (DE165022) (see page 31)
SSH key can now be changed successfully using master account (DE171351) (see page 32)
JAR file versioning improved (DE172919) (see page 32)
SAML reauthentication restored for password view (DE173160) (see page 32)
CA PAM Client can now successfully connect using FQDN (DE175139) (see page 32)
Large number of unique connection sockets now possible (DE175740) (see page 32)
CA PAM Client can now be used on Red Hat Enterprise Linux 7 (DE180452) (see page 32)
Cluster member Virtual Management IP delegation corrected (DE186593) (see page 33)
Certificate update no longer prevents autologin (DE197641) (see page 33)
Security vulnerability removed (DE157310) (see page 33)
OpenSSL update (DE161901) (see page 33)
Cluster use of public IP addresses restored (DE158646) (see page 33)
Cluster members freeze (DE159957) (see page 33)
Cluster replication for Transparent Login Config settings restored (DE160203) (see page 34)
Slow Access page loading resolved (DE154126) (see page 34)
Response to unsynchronized databases no longer preventing cluster restoration (DE165743) (see page 34)
Command Filtering restored for PuTTY Telnet (DE136849) (see page 34)
NFS share Security Safe setting restored for SSH recordings (DE142545) (see page 34)
Auto-login via embedded Service settings restored (DE142973) (see page 35)
RADIUS password may now contain colon (DE144586) (see page 35)
Logs for Scheduled Jobs include more information (DE156039) (see page 35)
ExternalAPI now available to a stopped cluster member (DE158501) (see page 35)
Visibility restored for session recordings (DE162262) (see page 35)
FIPS security certificate update (DE162960) (see page 36)
Reauthentication mechanism restored (DE165300) (see page 36)
Credential Management messages restored to syslog (DE154447) (see page 36)
Partial SFA violation message displayed (DE158684) (see page 36)
Non-admin Mac users are not able to use the CA PAM Client (DE187116) (see page 36)
Disabled LDAP accounts are no longer authenticated using PKI (DE175549, DE157861, DE203043) (see page 37)
Auto-connection access was possible with checked-out credentials (DE140882) (see page 37)
License Warning was not rendered correctly (DE155253) (see page 37)
ExternalAPI to access password did not always work due to mismapped fields (DE136845) (see page 37)
Deleting a target account while an access policy was in effect could result in an erroneous policy (DE136899) (see page 37)
Appliance reboot following certificate update (DE197641) (see page 38)
CLI command setPasswordViewReasons not working for UNIX (DE155598) (see page 38)
Administrative Activities did not include Scheduled Jobs (DE154888) (see page 38)
Windows Domain Service account discovery not available (DE149277) (see page 38)
Password View Policy (PVP) events were not captured sufficiently (DE155033) (see page 38)
Windows Domain Services target account with change-on-view Password View Policy was not possible (DE155912) (see page 39)
Dual-approver Password View Policy can be unstable if User is in multiple CM User Groups (DE156483) (see page 39)
Credential Management Filter button slow when there is a large number of Users (DE157043) (see page 39)
Target Groups and Request Groups loaded slowly (DE157051) (see page 39)
Windows Domain Service logging omission (DE162026) (see page 39)
LDAP+RSA User re-authentication failure (DE172096) (see page )
Syslog message switch required reboot to toggle Credential Management capture (DE154447) (see page 40)

Windows Proxy and A2A client do not restart properly (DE158681)

In previous releases, services from A2A clients and Windows proxy may not start automatically after
installation or after a stop and start sequence.

CA PAM Client authentication extended (US123147, US161920, US172209)

The 2.6 CA PAM Client did not provide the options to process login using the SAML, RADIUS, RADIUS
challenge and response, RSA, or RSA+LDAP authentication methods that have been otherwise
available through GUI login.


Service credentials pass-through enabled (DE142973)

In releases 2.5 through at least 2.5.2, the Client Application string in a TCP/UDP Service record did not
successfully apply any embedded <user> and <password> tokens to the application.

Identification of Client in Mac menu bar (US151336)

On a Mac running the CA PAM Client, the menu bar now displays “CA PAM” rather than “Main” so it
is clearer to the user.

Terminal Customization Buffer Size fixed (DE155580)

In release 2.5.4, the Buffer Size, both on the General Settings page and in each Device
record, did not use its default value of “100” or any saved value, but instead appeared
fixed at “550”.

Command filtering restored for Cisco Devices (DE157542)

Command filters on Cisco 2900 series routers triggered the issuance of a warning message upon a
command violation, but allowed execution of the forbidden command.

SSH Service failure corrected (DE157835)


Beginning with release 2.5, when multiple TCP/UDP Services were set up using the same Local IP,
simultaneous connections would conflict with each other, so that only one of the connections was
directed to the correct target device.

License signature verification restored (DE158116)

The signature of a license file was not being properly verified.


AWS Access Key can now be changed (DE158710)


From Xsuite 2.4.4.9 onward, the Access Key ID and Secret Access Key fields for a Credential
Management target account that holds AWS access credentials could not be updated (field contents
were dimmed (gray text) and could not be edited).

CA PAM Client installer can now be launched on Windows 7 from IE download (DE159969)

When a CA PAM Client installer was downloaded from Windows 7 using Internet Explorer, it could
not successfully be launched due to a signature failure.

SFTP-to-SFTP and embedded SFTP-to-SFTP Services capability restored (DE161009)

In release 2.6 and later, the default-provided Services sftpsftp and sftpsftpemb were not completing
connections.

Application re-keying supported for Services (DE161704)

Previously, after a Service was defined to use an application that is configured to rotate an SSH
session key (after reaching a data or time threshold or interval) and renegotiate that session, this was
not permitted when used within a CA Privileged Access Manager Session.

SSH connection activations now captured to sessions logs (DE164050)

CA Privileged Access Manager now emits a message to the session logs whenever a connection is
made to the appliance using SSH.

Web portal Services fixed (DE165022)


Web portal (HTTP) Services were not working correctly, and were prompting the message “Not a
valid protocol version”.


SSH key can now be changed successfully using master account (DE171351)

When SSH key change was executed by Credential Management using a master account for a target
Linux/Unix Device, the exchange was not being successfully completed.

JAR file versioning improved (DE172919)


JAR files are now versioned with a four-part number (for example, “2.6.2.0”) instead of three to
manage versioned files better and avoid conflicts.

SAML reauthentication restored for password view (DE173160)

When a request to check out a password was made by a previously authenticated User by SAML at
login, reauthentication was not being executed.

CA PAM Client can now successfully connect using FQDN (DE175139)

When a target DNS-based name was used (instead of an IP address), the CA PAM Client would not
successfully connect and display the appropriate connection interface; however, the process
remained running.

Large number of unique connection sockets now possible (DE175740)

Previously, when many unique local listening sockets were defined in Services, the Access page could
fail to load because a memory limit was reached.

CA PAM Client can now be used on Red Hat Enterprise Linux 7 (DE180452)

Running the CA PAM Client installer onto Red Hat Enterprise Linux 7 would result in a launch error.


Cluster member Virtual Management IP delegation corrected (DE186593)

When a cluster was configured in which the IP address corresponding to the Virtual Management IP
FQDN was in the same subnet as that IP corresponding to the primary FQDN, the primary member
incorrectly assumed the load balancer role even when accessed through its own FQDN rather than
through the FQDN of the VIP.

Certificate update no longer prevents autologin (DE197641)

When a security certificate was updated, and to permit autologin to a target Device, CA Privileged
Access Manager required a reboot but allowed this to be done later, resulting in pre-reboot autologin
failures. With this upgrade, the certificate update function no longer requires a reboot.

Security vulnerability removed (DE157310)


CA learned that a Man-in-the-Browser (MITB) attack against release 2.5.4 was possible, and could
intercept unencrypted credentials to prevent session recording. This exposure has been removed.

OpenSSL update (DE161901)


Following recent OpenSSL updates to address CVE-2016-2108 and other vulnerabilities, CA Privileged
Access Manager was upgraded with the latest applicable OpenSSL, release 1.0.1t.

Cluster use of public IP addresses restored (DE158646)

For several releases, cluster synchronization has not allowed use of public IP addresses. Public
addresses were permitted, but it was eventually decided that too frequently DNS servers and
networks were insufficiently reliable to engage DNS without triggering cluster heartbeat timeouts.
However, with this release CA has updated its cluster management by adding all cluster members to
the /etc/hosts file. This expedites lookups and sufficiently prevents synchronization timeouts.

Cluster members freeze (DE159957)


Cluster members would occasionally freeze due to phantom read operations, which can result after
neglected database locks.


Cluster replication for Transparent Login Config settings restored (DE160203)

After an administrator defines a Transparent Login Config (through target device learning or template
editing) on a cluster member, the markup file that is stored in the RDP Applications, Transparent
Login Configs modal view is not replicated to other cluster members.

Slow Access page loading resolved (DE154126)


Access page loading speed on release 2.5.4 was hampered by use of temporary data structures that
were unnecessarily invoked over a cluster and only for certain limited-privilege administration roles.

Response to unsynchronized databases no longer preventing cluster restoration (DE165743)

After Credential Management databases fell out of sync, CA Privileged Access Manager was not able
to restore its cluster due to an incorrect timeout.

Command Filtering restored for PuTTY Telnet (DE136849)

Command Filtering was not working in release 2.5 for a native Telnet CA Privileged Access Manager
Service that used PuTTY.

NFS share Security Safe setting restored for SSH recordings (DE142545)

When CA Privileged Access Manager 2.5.2 was configured for ‘Text-based recording’ using an NFS-
mounted directory and the ‘Security Safe’ access restriction (‘Present an error and do not connect’
whenever the mount is unavailable), it was still possible to record SSH sessions.


Auto-login via embedded Service settings restored (DE142973)

In the Client Application field of a TCP/UDP Service template, you can embed the literals <user> and
<password> to execute auto-login at the Service target (or back end or endpoint) device, for example:
"C:\WinSCP\WinSCP.exe" sftp://<user>:<password>@<Local IP>:<First Port>

This did not work in the release 2.5.x series.

RADIUS password may now contain colon (DE144586)

For a user that is authenticated using RADIUS, the user password is now permitted to contain a colon
(":").

Logs for Scheduled Jobs include more information (DE156039)

The Tomcat log entries for Scheduled Jobs did not include certain information that is useful for
troubleshooting issues. After the 2.6.1 patch is applied, the job name, the account or account group
being updated or verified, and successful LDAP request duration are now included.

ExternalAPI now available to a stopped cluster member (DE158501)

The ExternalAPI could not be used on a cluster member while the cluster was defined but stopped.

Workaround: To use ExternalAPI calls to a stopped cluster member, unlock the member
from the Config, Synchronization page.

Visibility restored for session recordings (DE162262)

An incorrect application of read permissions had prevented session recordings from being
consistently visible.


FIPS security certificate update (DE162960)


For release 2.5.0, putting the appliance into FIPS mode reverted the SSL certificate to the now-
expired CA-supplied default certificate. This is now corrected.

Reauthentication mechanism restored (DE165300)

Whenever two methods of authentication were required (such as LDAP with RSA) an attempt to view
the password or to execute an auto-login had resulted in a generic HTTP status 500 Internal Server
Error.

Credential Management messages restored to syslog (DE154447)

Credential Management log messages were not being captured to the external syslog.

Partial SFA violation message displayed (DE158684)

Only the first string was shown in the SFA violation message when the user used the
Enter key as the delimiter between strings.

Non-admin Mac users are not able to use the CA PAM Client (DE187116)

Non-admin Mac users were not able to use the CA PAM Client. After downloading and
installing the client, they were able to log in, but while the Access page was loading
they received a prompt requesting admin permission to open the sockets.


Disabled LDAP accounts are no longer authenticated using PKI (DE175549, DE157861, DE203043)

LDAP provisioned users whose accounts had been disabled could still gain access through PKI tokens
(such as PIV ID cards).

Auto-connection access was possible with checked-out credentials (DE140882)

It was possible to access a target Device using auto-connection when policy-assigned SSO credentials
were checked out.

License Warning was not rendered correctly (DE155253)

The Warning text that is configured through Global Settings was rendered without interpreting
embedded HTML tags, so that the tags would appear in the output on the login page.

ExternalAPI to access password did not always work due to mismapped fields (DE136845)

When trying to access an account password using ExternalAPI, two fields were not mapped correctly
from the executable to the database, and thus unexpected behavior occurred: The
requestPeriodStart (Start Date) operated as reasonDetail (Reason), and vice versa.

Deleting a target account while an access policy was in effect could result in an erroneous policy (DE136899)

When you created a Device, then a target application and target account on it, and then an access
policy that (only) authorized account password view, but then later deleted the account, the policy
record would remain and would have an empty password policy entry.


Appliance reboot following certificate update (DE197641)

Following installation of a new system certificate, it was necessary to reboot the appliance.
Otherwise (before the next reboot) the new certificate was not recognized.

CLI command setPasswordViewReasons not working for UNIX (DE155598)
The Credential Management CLI command setPasswordViewReasons was not working on UNIX target
Devices.

Administrative Activities did not include Scheduled Jobs (DE154888)
The Credential Management Administrative Activities report did not include the Scheduled Jobs
events.

Windows Domain Service account discovery not available (DE149277)
The Windows Domain Service account discovery was not available in releases 2.5 and 2.6 because an
internal variable was set incorrectly.

Password View Policy (PVP) events were not captured sufficiently (DE155033)
When a Password View Policy (PVP) was updated or deleted, the generated events were not described in
sufficient detail. For example, the log entries did not include the PVP name.

Windows Domain Services target account with change-on-view Password View Policy was not possible (DE155912)
A Windows Domain Services target account with Password View Policy containing change-on-view
could not be saved and so could not be used.

Dual-approver Password View Policy can be unstable if User is in multiple CM User Groups (DE156483)
If a dual-approver Password View Policy has been applied to a target account, approval may not be
resolvable if the User is a member of multiple Credential Management User Groups.

Credential Management Filter button slow when there is a large number of Users (DE157043)
The Credential Management GUI Filter button executed slowly when there was a large number of
Users, even when no filter criterion was used.

Target Groups and Request Groups loaded slowly (DE157051)
The Target Groups and Request Groups pages in the Credential Management GUI were loading very
slowly.

Windows Domain Service logging omission (DE162026)
The Windows Domain Service target connector did not log a failure to retrieve an SSL certificate.

LDAP+RSA User re-authentication failure (DE172096)
An LDAP+RSA authenticated User was not able to re-authenticate in order to view a password.

Syslog message switch required reboot to toggle Credential Management capture (DE154447)
The Enable checkbox in the Config, Logs, Syslog Settings panel did not affect Credential Management
syslog entries, either to start or to stop capture, until a reboot had taken effect.

Known Issues
This section describes the currently known issues and workarounds, where available.
Configuration Issues (see page 43)
Dashboard email indicator is initially incorrect (DE158230) (see page 43)
GB7-GB10 ports unavailable on Model X206P (DE158231) (see page 43)
Provisioning Issues (see page 43)
Use caution when entering regular expressions into command filter lists (DE161678,
DE161679) (see page 43)
Changes to SHA digest for Transparent Login of Windows RDP Applications (DE158232) (see
page 43)
Learn Tool may crash when using down arrow key (DE158283) (see page 44)
Learn Tool may fail to run again following a forced End Process (DE158286) (see page 44)
AWS API Proxy and NSX API Proxy Issues (see page 44)
Scripts not created for auto-registering clients (DE158287) (see page 44)
AWS API proxy does not upgrade properly (DE158289) (see page 44)
Database restore and AWS licensing restrictions (DE158290) (see page 45)
Access Issues (see page 45)
Multiple RDP Application failure with 'Restrict Login' option (see page 45)
Xceedium Browser issues on Mac OS (see page 45)
Secondary Transparent Login in SSH connections (see page 45)
Syntax error may prompt incorrect message (DE158475) (see page 45)
Always use password (see page 45)
Xceedium Browser PDF menu options limited on Mac (DE158476) (see page 46)
Xceedium Browser and CA Privileged Access Manager Client Browser do not support plugins
that use NPAPI (DE161212) (see page 46)
^C may be appended at the end of command filtering violation messages (DE158479) (see
page 46)
Command filtering not working for native Telnet Service (DE158480) (see page 46)
Windows Telnet applet may not work for AWS targets (DE158481) (see page 46)
CLI Access Method applet may fail from use of certain characters (DE158486) (see page 47)
SAML auto-connect fails for PAT clustered CA Privileged Access Manager RPs (DE158488) (see
page 47)
RDP session closes when you open RDP application connection to Windows Server 2008
(DE158489) (see page 47)
Issues with logging in with PIV card and Safari (DE158491) (see page 47)
Telnet and SSH access methods do not work when applet customization has invalid values
(DE161528) (see page 47)
Cannot relaunch VNC applet after another device is accessed with auto-connect (DE140874)
(see page 48)
Services Issues (see page 48)
Invalid Auto-Login method does not produce an error (DE158466) (see page 48)

CA Privileged Access Manager does not automatically delete backup file (DE158470) (see page
49)
Cannot launch embedded services sftpftpemb and sftpsftpemb (DE155628) (see page 49)
Credential Manager Issues (see page 49)
Multiple Scripts of the Same Name but in Different Directories (DE158576) (see page 49)
UTF-8 only for CLI input (see page 49)
Fingerprint update not available (DE158578) (see page 49)
Database error causes blank Workflow My Requests page (DE158138) (see page 50)
Case sensitivity (see page 50)
CA Privileged Access Manager Client Issues (see page 50)
Linux desktop does not work with PIV/CAC (DE276404) (see page 50)
Client sometimes fails to connect after upgrading to 2.8 (DE244065) (see page 50)
Older Linux installations require additional libraries (DE137968) (see page 51)
CA Privileged Access Manager Client download button disappears from the login page after
applying the 2.6 upgrade patch (DE160612) (see page 51)
CA Privileged Access Manager Client Windows uninstaller deletes entire contents of
installation directory (DE162561) (see page 51)
A2A Client and Target Connector Issues (see page 52)
Account with elevated privileges in Cisco IOS is not supported by Cisco target connector
(DE158580) (see page 52)
UNIX Client uninstaller does not remove THIRD_PARTY_LICENSE (DE158682) (see page 52)
Logs, Reports, and Session Recording Issues (see page 52)
AWS S3 and session recording issues (DE158685) (see page 52)
Attempt to complete Web Portal recording post-processing results in "Encoding Error"
(DE158687) (see page 52)
Native SSH Service recording corrupted for edited commands (DE158688) (see page 53)
CLI text search using keyboard shortcuts limitation (DE158689) (see page 53)
Default Mac OS auto scale setting causes slow playback of recorded sessions (DE158691) (see
page 53)
Upgrade Issues (see page 53)
Cannot launch services after upgrade to release 2.6 (11303) (see page 53)
Existing Devices that use Embedded VNC cause upgrade failure (DE200033) (see page 54)
Other Issues (see page 55)
CA Privileged Access Manager API Documentation feature not supported in Internet Explorer 9
(see page 55)
Keyboard mapping issues (DE158692) (see page 55)
AWS Management Console page not available (DE197725) (see page 55)
The appliance intermittently crashes with a core dump after database restore (DE206853)
(see page 56)
Unable to log in to CA Privileged Access Manager using the RADIUS Authentication type when
two RADIUS servers are configured (DE172566) (see page 56)
Some versions of Java 8 might cause certificate errors (see page 56)
Appliance is unable to connect to SFA (WinSFA_2.70a) installed on Windows 2008 R2
(DE198762) (see page 56)

Configuration Issues
Dashboard email indicator is initially incorrect (DE158230)
When you first login to CA Privileged Access Manager as an administrator, you are asked to change
the password and enter an email. After doing so, the Account Information: User ID indicator on the
dashboard still displays "Email Not Set".
Workaround: Log off CA Privileged Access Manager and log in again.

GB7-GB10 ports unavailable on Model X206P (DE158231)
On CA Privileged Access Manager hardware model X206P, the Ethernet ports GB7 through GB10 are
not available.

Workaround: Return the appliance to CA Technologies under RMA for reconfiguration.

Provisioning Issues
Use caution when entering regular expressions into command filter lists (DE161678, DE161679)
CA Privileged Access Manager accepts a regular expression that contains a syntax error when you enter
it into a command filter list (blacklist or whitelist). The error is reported only when the list is
executed, that is, during a native SSH or Telnet CA Privileged Access Manager Service (aka "proxy")
connection, and it can terminate the connection. The pop-up message shown at that point may give only
a vague explanation to act on or to pass to the Help Desk / CA Privileged Access Manager Support, and
the error does not appear in the session logs.
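Because the appliance does not reject a malformed expression at input time, compile every entry before pasting it into a filter list. The Python below is an added example, not CA PAM's code: it validates a constructed blacklist and whitelist (one entry is deliberately broken) and then evaluates sample commands against them. The sample patterns, the blacklist-wins ordering, and the rule that a non-empty whitelist denies anything it does not match are assumptions made for the illustration, not a description of how CA PAM applies its lists.

```python
import re

# Constructed sample filter lists (not CA PAM's stored format). The last
# blacklist entry is deliberately malformed: an unterminated '('.
BLACKLIST = [
    r"^\s*rm\s+-rf\s+/\S*",       # destructive delete at or below /
    r"^\s*(shutdown|reboot)\b",   # host power control
    r"^\s*cat\s+/etc/shadow",     # password hashes
    r"^\s*find\s+(",              # syntax error: unterminated group
]
WHITELIST = [
    r"^\s*ls\b",
    r"^\s*cat\s+/var/log/\S+",
]


def validate_filter_list(patterns):
    """Compile every pattern; return [(pattern, error)] for those that fail.
    Run this before pasting a list into the blacklist or whitelist, because
    the appliance accepts the entry and only fails during a session."""
    problems = []
    for pat in patterns:
        try:
            re.compile(pat)
        except re.error as exc:
            problems.append((pat, str(exc)))
    return problems


def compile_filter_list(patterns):
    """Compile the valid patterns and skip the malformed ones, so that one
    bad entry cannot take the whole list (or the session) down with it."""
    compiled = []
    for pat in patterns:
        try:
            compiled.append(re.compile(pat))
        except re.error:
            continue
    return compiled


def evaluate_command(command, blacklist, whitelist):
    """Return (decision, reason). Assumed semantics for the illustration:
    a blacklist match always denies; if a whitelist is configured, the
    command must match it to be allowed."""
    for rx in compile_filter_list(blacklist):
        if rx.search(command):
            return ("deny", "blacklist:" + rx.pattern)
    allowed = compile_filter_list(whitelist)
    if not allowed:
        return ("allow", "no whitelist configured")
    for rx in allowed:
        if rx.search(command):
            return ("allow", "whitelist:" + rx.pattern)
    return ("deny", "not in whitelist")


if __name__ == "__main__":
    for pat, err in validate_filter_list(BLACKLIST + WHITELIST):
        print(f"REJECT {pat!r}: {err}")
    for cmd in ("rm -rf /var/tmp", "ls -la", "uptime"):
        print(cmd, "->", evaluate_command(cmd, BLACKLIST, WHITELIST))
```

Python's re dialect is not guaranteed to be identical to the engine the appliance uses, so a pattern that compiles here may still need a quick test in a disposable session; the point is to catch outright syntax errors before they reach a production target.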

Changes to SHA digest for Transparent Login of Windows RDP Applications (DE158232)
The SHA-1 algorithm previously used has been upgraded to SHA-512 to improve security. However, if
the Application Fingerprint field is currently populated for an RDP Application (Services, RDP
Applications, [application record], Transparent Login panel) in 2.4.x, then after upgrade to 2.7 this
hash must be recalculated by using the Get Application Fingerprint button in the Windows
Transparent Login Learn Tool GUI. (See CA Privileged Access Manager 2.4 FP2 New Features Guide for
details.) The new value should then be entered into that Application Fingerprint field.

Learn Tool may crash when using down arrow key (DE158283)
After opening the drop-down Learn Tool configuration list, using your down arrow key to navigate
this list can cause the Learn Tool to crash.

Learn Tool may fail to run again following a forced End Process (DE158286)
After opening Windows Task Manager on a Learn Tool target, if you end the XsuiteTLLearnTool.exe
process, the Learn Tool may fail to start upon a subsequent access to the target.

AWS API Proxy and NSX API Proxy Issues
Scripts not created for auto-registering clients (DE158287)
When an NSX API Proxy client auto-registers (through a whitelist), no A2A Script is listed in the
Credential Manager Script List panel.

Workaround: Select Policy, Manage Passwords to display the Credential Manager GUI. From the
Credential Manager GUI:

1. Select A2A, Mappings to display the Authorization Mapping web page.

2. Double-click the ID of the target alias called AWS API Proxy Access Accounts to display the
Authorization Details panel for that group mapping.

3. From the Authorization Details screen for AWS API Proxy Access Accounts, ensure the
following checkboxes are unselected: Check Execution Path, and Check File Path.

4. Click Save.
Repeat Steps 1-4 for the target alias called VMware NSX API Proxy Access Accounts.

AWS API proxy does not upgrade properly (DE158289)
After upgrading to Release 2.7, current users of the AWS API proxy need to reconfigure their setup.
Refer to Single-Appliance Software Upgrade (https://docops.ca.com/display/CAPAM28/Single-
Appliance+Software+Upgrade).

Database restore and AWS licensing restrictions (DE158290)
This issue occurs when a database backed up from an appliance that is not licensed for AWS is restored
to an appliance that is licensed for AWS. The restore succeeds, but no AWS-related functionality can
be used afterward. The situation cannot be corrected.

Access Issues
Multiple RDP Application failure with 'Restrict Login' option
When two or more RDP Applications are provisioned in a policy that enables the "Restrict login if
agent is not running" option, attempts to launch some of these RDP Applications may fail even when
the agent is running.

Xceedium Browser issues on Mac OS
Keyboard input does not work for web plugins used by the Xceedium Browser on Mac OS X. This
includes Java and Flash. However, mouse controls are fully operational.

Secondary Transparent Login in SSH connections
See the FP 2.4.4 New Features Guide for important information about configuration and usage.

Syntax error may prompt incorrect message (DE158475)
If you enter a syntax error within a sudo or pbrun compound command (for example, within a 'for'
loop or a multi-command line), an incorrect error message may be generated. Check for syntax errors
before interpreting error messages closely in this environment.

Always use password
To avoid weakening security, configure sudo/pbrun so that it always requires a password for each
command execution.
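A quick way to check that a target's sudo configuration really enforces this is to audit sudoers for the settings that skip or cache the prompt: NOPASSWD tags, the !authenticate default, and a non-zero or negative timestamp_timeout (a cached credential lets a proxied session run further commands without re-entering the password). The Python below is an added example, not CA PAM's code or its sudo integration; the sudoers excerpt it inspects is constructed for the illustration, and it does not parse pbrun policy files.

```python
import re

# Constructed sudoers excerpt for the illustration (not from any real host).
# Lines 2, 3, 5 and 6 weaken or remove the password prompt; line 7 is the
# strict form that always asks.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    timestamp_timeout=30
Defaults:deploy !authenticate
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
ops     ALL=(root) PASSWD: /usr/sbin/service
"""

# The strict default to aim for: every invocation prompts, nothing is cached.
HARDENED_DEFAULTS = "Defaults    timestamp_timeout=0"


def audit_sudoers(text):
    """Return [(line_number, finding)] for each setting that lets a command
    run without a fresh password. Comments after '#' are ignored, so an
    '#include' directive is skipped rather than followed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            m = re.search(r"timestamp_timeout\s*=\s*(-?\d+)", line)
            if m:
                minutes = int(m.group(1))
                if minutes < 0:
                    findings.append((lineno, "timestamp_timeout < 0: password is never asked again"))
                elif minutes > 0:
                    findings.append((lineno, f"timestamp_timeout={minutes}: password cached for {minutes} min"))
            if re.search(r"!authenticate\b", line):
                findings.append((lineno, "!authenticate: password never required"))
            continue
        # User specification: a NOPASSWD tag disables the prompt for that entry.
        if re.search(r"\bNOPASSWD:", line):
            findings.append((lineno, "NOPASSWD tag: command runs without a password"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {finding}")
    print("hardened default:", HARDENED_DEFAULTS)
```

Run it against the output of `sudo cat /etc/sudoers` and the files under `/etc/sudoers.d` on each target; an empty result means every sudo invocation will prompt, which is what the command filtering and session recording in CA PAM assume.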

Xceedium Browser PDF menu options limited on Mac (DE158476)
When the Xceedium Browser is used on a Mac to open a PDF, some PDF buttons (including Save and
Print) are not currently available.

Xceedium Browser and CA Privileged Access Manager Client Browser do not support plugins that use NPAPI (DE161212)
Both the Xceedium Browser and the CA Privileged Access Manager Client Browser are based on
JxBrowser. CA Privileged Access Manager has upgraded its version of JxBrowser to increase security.
Consequently, neither Xceedium Browser nor the CA Privileged Access Manager Client Browser
support plugins that use the older NPAPI architecture, such as Adobe Flash and Oracle Java. The
browsers fail to load pages that use NPAPI plugins.
Workaround: Replace plugins that use NPAPI with versions that use PPAPI. For Adobe Flash, see
http://get.adobe.com/flashplayer/otherversions/ (http://get.adobe.com/flashplayer/otherversions/). For
Oracle Java, there is no PPAPI equivalent.

^C may be appended at the end of command filtering violation messages (DE158479)
When a command filtering violation message has been configured, the message is displayed after a
violation but may have the Control-C characters (^C) appended to it.

Command filtering not working for native Telnet Service (DE158480)
It is currently not possible to successfully apply command filtering to a native Telnet CA Privileged
Access Manager Service. Command filtering can be configured, but it does not successfully prevent
User action on the target, and CA Privileged Access Manager does not issue alerts in the case of
violations.

Windows Telnet applet may not work for AWS targets (DE158481)
It is not currently possible to successfully log in to an AWS AMI instance Windows target Device using
the Telnet Access Method applet.

CLI Access Method applet may fail from use of certain characters (DE158486)
It has been observed that use of certain non-ASCII characters in an SSH or Telnet Access Method
applet window such as those with diacritical marks (for example, æ å ø ö ü ä ß) can cause Java to
hang.

SAML auto-connect fails for PAT clustered CA Privileged Access Manager RPs (DE158488)
There are issues when CA Privileged Access Manager is used as an IdP parsing an RP metadata cluster
that uses PAT. If an auto-connect session is attempted, the session fails with error messages to
contact the administrator.

RDP session closes when you open RDP application connection to Windows Server 2008 (DE158489)
An RDP application transparent login connection to Windows Server 2008 may be dropped if the case
of the string specified in Launch Path does not match that of the true path.

Issues with logging in with PIV card and Safari (DE158491)
Users on OS X with Safari trying to login using their PIV card may find that the PKI Login button on the
CA Privileged Access Manager login screen does not work. Instead, the CA Privileged Access Manager
login screen is redisplayed without the PKI Login button and Safari displays a URL with a trailing
question mark, for example, https://<CA_PAM_IP_address>/?.

Workaround: Remove the trailing question mark from the URL in Safari
(https://<CA_PAM_IP_address>/) and press Enter.

Telnet and SSH access methods do not work when applet customization has invalid values (DE161528)
This issue occurs if you navigate to Global Settings, Applet Customization, Configure Terminal Settings
and input invalid values for the Background Color field or the Cursor Foreground field.

The applet window opens but nothing else occurs. You cannot input commands.

Cannot relaunch VNC applet after another device is accessed with auto-connect (DE140874)
This issue exists for the following specific scenario:

You are using a variety of VNC servers. Some use VNC protocol version 3.8 while others use VNC
protocol version 3.7 or older.

Your policy allows you to access multiple machines with VNC and auto-connect.

You auto-connect to an initial machine with VNC 3.8, then auto-connect to another machine with
VNC 3.7 or older, and then attempt to auto-connect to the initial machine again with VNC.

The second attempt to auto-connect to the initial machine with VNC may fail.

The issue exists because some of the servers use VNC 3.7 or older. The new VNC applet implements
VNC protocol version 3.8, so the VNC access method, session recording, and auto-connect functionality
support only VNC protocol version 3.8 or newer.
Workaround: Log out of CA Privileged Access Manager, log back in, and start a new VNC auto-connect
session to the original machine.

Services Issues
Invalid Auto-Login method does not produce an error (DE158466)
Specifying the auto-login method through a CSV file should be limited to:

0 (none)

1 (CA Privileged Access Manager HTML WebSSO)

2 (VMware vCloud Director)

3 (VMware vShield Manager)

4 (VMware vSphere Web Client)

5 (CA Privileged Access Manager HTTP WebSSO).

If you specify the auto-login method as a decimal (for example, 4.4) in a CSV file and import it, CA
Privileged Access Manager does not display an error message.
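Since the import accepts a value such as 4.4 silently, validate the file before uploading it. The Python below is an added example, not CA PAM's importer: it checks that every auto-login method value is one of the integer codes listed above and reports the offending rows. The column name auto_login_method and the sample rows are assumptions constructed for the illustration, not CA PAM's CSV layout.

```python
import csv
import io

# The auto-login method codes listed in the release note.
AUTO_LOGIN_METHODS = {
    0: "none",
    1: "CA Privileged Access Manager HTML WebSSO",
    2: "VMware vCloud Director",
    3: "VMware vShield Manager",
    4: "VMware vSphere Web Client",
    5: "CA Privileged Access Manager HTTP WebSSO",
}

# Constructed sample rows; the column names are an assumption, not CA PAM's format.
SAMPLE_CSV = """\
name,address,auto_login_method
web-prod,10.0.0.10,1
vcd,10.0.0.11,2
vsphere,10.0.0.12,4.4
legacy,10.0.0.13,7
blank,10.0.0.14,
"""


def validate_auto_login(csv_text, column="auto_login_method"):
    """Return [(row_number, value, reason)] for each row whose method code the
    import would accept without complaint but which is not a valid code.
    Row numbers count the header as row 1."""
    errors = []
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in header")
    for rownum, row in enumerate(reader, 2):
        value = (row.get(column) or "").strip()
        # str.isdigit() rejects '', '4.4', '-1' and text in one check.
        if not value.isdigit():
            errors.append((rownum, value, "not a non-negative integer"))
            continue
        code = int(value)
        if code not in AUTO_LOGIN_METHODS:
            errors.append((rownum, value, f"unknown method code {code}"))
    return errors


def describe_methods(csv_text, column="auto_login_method"):
    """Map each valid row's name to the human-readable method, for a final
    eyeball check before import."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(column) or "").strip()
        if value.isdigit() and int(value) in AUTO_LOGIN_METHODS:
            out[row["name"]] = AUTO_LOGIN_METHODS[int(value)]
    return out


if __name__ == "__main__":
    for rownum, value, reason in validate_auto_login(SAMPLE_CSV):
        print(f"row {rownum}: {value!r} {reason}")
    print(describe_methods(SAMPLE_CSV))
```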

CA Privileged Access Manager does not automatically delete backup file (DE158470)
When configuring automated backup you have the option to specify an external backup server. There
is also an option to delete the local copy of the database and config backup files from CA Privileged
Access Manager once the files are sent to the external server. Currently the database file is not
deleted automatically after it has been sent to the external server.

Workaround: Manually delete the database file.

Cannot launch embedded services sftpftpemb and sftpsftpemb (DE155628)
When configured on a Windows 2008 64-bit machine, the sftpftpemb service failed to launch when
managed by CA Privileged Access Manager policy. When configured on a Linux RedHat 6 64-bit
machine, the sftpsftpemb service failed to launch when managed by CA Privileged Access Manager
policy. In both cases, there was no entry in the log files or in the Java console.

Credential Manager Issues
Multiple Scripts of the Same Name but in Different
Directories (DE158576)
CA Privileged Access Manager does not allow A2A credential management using multiple scripts of
the same name but located in different directories, unless the scripts are executed from different
directories.

UTF-8 only for CLI input
CA Privileged Access Manager currently does not evaluate CLI input encoding and assumes that it is
all UTF-8. Input in other encodings, such as UTF-16, is therefore misinterpreted and appears garbled.

Fingerprint update not available (DE158578)
It is currently not possible to update an A2A Client Device fingerprint using the Credential Manager
A2A, Clients, [Client:]Client Details page.

Workaround: To update the request server fingerprint, run the following CLI command instead:
cmdName=updateRequestServer RequestServer.ID=Request_Server_ID RequestServer.acceptPendingFingerprint=true

Database error causes blank Workflow My Requests page (DE158138)
This issue occurs when the user is a member of a user group with an associated target group that has
a filter on a Target Application field.

Case sensitivity
For the purposes of filtering and sorting displayed information, all fields in the Credential Manager
GUI are case sensitive except for the following:

Fields containing host names. Host names are used typically to look up IP addresses. Host names
fields appear on screens dealing with target servers, request servers, and other types of servers.

Fields containing device names. Device names are assigned to machines to help identify them.

Description fields. Descriptions contain additional information to identify an entity, such as a
policy, a user group, or a role.

Fields containing user information such as a user name.


Case insensitivity applies strictly to the fields in the previous list. Other fields may display names,
but unless they are host names, device names, or user names, the field is case sensitive for sorting
and filtering.

CA Privileged Access Manager Client Issues
Linux desktop does not work with PIV/CAC (DE276404)
Linux desktop users cannot log in to any sessions requiring PIV/CAC. Only Windows or Mac desktops
work with PIV/CAC.

Client sometimes fails to connect after upgrading to 2.8 (DE244065)
After upgrading to 2.8 from 2.6.x or 2.7, the Client sometimes fails to connect to the CA Privileged
Access Manager server and displays the following error message:
Inner error has occurred during the login.
com.ca.client.a.as.f()Lcom/ca/client/proxy/c;

Workaround: Do the following procedure:

1. Delete the existing CA PAM Client install directory and all of its contents. For example,
C:\Program Files (x86)\CA PAM Client.

2. Reinstall the 2.8 client. For more information, see CA Privileged Access Manager Client for
Alternate Appliance Access (https://docops.ca.com/display/CAPAM28
/CA+Privileged+Access+Manager+Client+for+Alternate+Appliance+Access).

Older Linux installations require additional libraries (DE137968)
This issue occurs when the CA Privileged Access Manager Client is installed on a workstation that uses
an older version of Linux. The CA Privileged Access Manager Client uses the libXss.so.1 library from
libXScrnSaver and the libgconf package. These libraries and packages may not be included in older
versions of Linux.
Workaround: Ensure libXScrnSaver and libgconf are available on the workstation before you install
the CA Privileged Access Manager Client.

CA Privileged Access Manager Client download button disappears from the login page after applying the 2.6 upgrade patch (DE160612)
The 2.6 upgrade patch introduces new form elements on the Global Settings page. The new Client
Settings row contains a Distribution Method column with two radio buttons: Internet and Intranet. In
some cases, no button is selected by default.

Workaround: After upgrading to 2.6, close your browser session and restart it. Alternatively, reload
the Global Settings page. Finally, you can set the field values in the Distribution Method column.

CA Privileged Access Manager Client Windows uninstaller deletes entire contents of installation directory (DE162561)
The CA Privileged Access Manager Client Windows uninstaller deletes the entire contents of the
directory where the CA Privileged Access Manager Client was installed. If the default installation
directory is used, there is no issue. However, if you installed the CA Privileged Access Manager Client
in an existing directory that contains other software, the uninstaller removes the CA Privileged Access
Manager Client software and the other software.

Workaround: Ensure that the CA Privileged Access Manager Client installation directory does not
contain any additional software.

A2A Client and Target Connector Issues
Account with elevated privileges in Cisco IOS is not supported by Cisco target connector (DE158580)
A Cisco IOS account with privilege level 15 is not required to provide credentials when the "enable"
command is used. That configuration is currently not supported by the CA Privileged Access Manager
Cisco target connector, so such an account cannot be managed by the target application.

Workaround: Use another account with privilege level 0 to manage the level 15 account.

UNIX Client uninstaller does not remove THIRD_PARTY_LICENSE (DE158682)
The UNIX A2A Client installer puts file THIRD_PARTY_LICENSE in /opt/cloakware. The uninstaller does
not remove the file.

Logs, Reports, and Session Recording Issues
AWS S3 and session recording issues (DE158685)
Errors have been observed for graphical recordings of RDP sessions when stored in AWS S3:

Recording may not take place.

Encoding error status may result, indicating the recording cannot be viewed.

File handling events involving a mapped drive are not marked in the recording.

Attempt to complete Web Portal recording post-processing results in "Encoding Error" (DE158687)
If you have an NFS mount that is disconnected during a Web Portal session recording, and then you
attempt post-processing of the recording by clicking the Recording in Progress link, processing occurs
but afterward the link indicates Encoding Error. The recording is still viewable up until the point of
NFS disconnection.

Native SSH Service recording corrupted for edited commands (DE158688)
A line command that is edited before execution by a User during a recorded native SSH Service
session may not display the edited portion in the recording. For example, if a User repositions the
cursor earlier in a line command, the (re-typed) characters following it may not appear in the
recording.

CLI text search using keyboard shortcuts limitation (DE158689)
When you use the new CLI text search interface and apply a backward search with the keyboard
shortcut [Shift]+[Enter], on reaching the end of the file the associated notification message appears
but disappears too quickly to read.

Default Mac OS auto scale setting causes slow playback of recorded sessions (DE158691)
On Mac OS, the default is to have the Auto Scale option enabled (checked). This setting causes the
playback of a recorded session to be extremely slow.

Workaround: Ensure the Mac OS Auto Scale setting is unchecked.

Upgrade Issues
Cannot launch services after upgrade to release 2.6 (11303)
After upgrading to release 2.6, customers might see the following error message when they try to
launch any service: “Error occurred while trying to complete request. (12)”.

Workaround: Resign all applets as follows:

1. Select Config, Security to display the Security web page.

2. Scroll to the Sign CA Privileged Access Manager Applets pane. Click Sign applets with
Certificate.

3. Restart CA Privileged Access Manager.

Existing Devices that use Embedded VNC cause upgrade failure (DE200033)
The Access Method for Embedded VNC is deprecated. If any Devices are using it during an upgrade to
2.7, the upgrade fails, and the appliance suffers a severe loss in functionality that can be remedied
only when backups are available.

IMPORTANT! Recovery from upgrade failure is possible only if you have made backups as
noted here.

Prevention

Follow these steps:

1. Remove Embedded VNC from the Access Methods panel of all Device records that use it
before upgrading to release 2.7.

2. Create backups for recovery in the unlikely, but catastrophic, case that Embedded VNC
remains in use on some Device.

Hardware appliances: Prepare database and configuration backups. Use the backup and
restore functions. The patch automatically performs a backup before running, so if it fails,
make note of the devices and then perform a restore.

VMware VM appliances: Create a VM snapshot of the appliance.

AWS AMI instance appliances: Prepare database and configuration backups.

Recovery

If Embedded VNC exists in any Device record during an upgrade to 2.7, the upgrade appears to
successfully complete. However, there will be a message in the yellow warning panel at the top of the
Dashboard page notifying the user of the upgrade failure. This message points to detailed
information -- including which Devices are affected -- in the session logs.

Follow these steps:

1. Perform restoration depending on your appliance form factor as noted earlier. If you are using
AMI instance appliances and for some reason restoration fails, call CA Support for new AMI
instances and assistance.

2. Attempt to remove all instances of the Embedded VNC Access Method for Devices that use it,
and retry the upgrade.

Other Issues
CA Privileged Access Manager API Documentation feature not supported in Internet Explorer 9
The documentation and test feature of the External API, accessed by clicking the API Doc link from
the upper-right-hand menu, does not work correctly in Internet Explorer 9 (IE 9). Use IE 11 or the
current release of Firefox instead.

Keyboard mapping issues (DE158692)
When using a Linux or Mac OS client, keyboard mapping of some keys for languages other than
English may not work correctly for some keyboards.

AWS Management Console page not available (DE197725)
To allow transparent login to the AWS Management Console from CA Privileged Access Manager, the AWS
Management Console policy settings must carry the IAM permission that AWS currently requires. Both
the default settings and any custom settings depend on this; see
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_inline-using.html.

Workaround

1. In Policy, Manage Policy, click the AWS Policies link.

2. Select an existing, or create a new, AWS Policy.

3. Apply the following AWS IAM policy settings to its Policy field, and click Save:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:GetFederationToken",
            "Resource": "*"
        }
    ]
}

4. Be sure to use this (now revised) AWS Policy in the Services policy template for an applicable
User with xceedium.aws.amazon.com.
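To confirm that the policy you apply really grants what the console login needs, and is not cancelled by a Deny elsewhere in the document, the Python below is an added example, not CA PAM's or AWS's code: a minimal IAM evaluator that checks whether a policy document allows sts:GetFederationToken. It reproduces the policy from step 3 and pairs it with two constructed policies that fail the check. Condition, NotAction and Resource matching are deliberately out of scope, so treat a pass as necessary rather than sufficient.

```python
import fnmatch
import json

# The policy from step 3, as given in this note.
REQUIRED_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:GetFederationToken",
            "Resource": "*"
        }
    ]
}
""")

# Constructed for the illustration: broad, but never grants the STS call.
MISSING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:ListBucket"], "Resource": "*"}
    ],
}

# Constructed for the illustration: a wildcard Allow cancelled by an explicit Deny.
DENIED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sts:GetFederationToken", "Resource": "*"},
    ],
}

NEEDED_ACTION = "sts:GetFederationToken"


def _as_list(value):
    """IAM lets Statement and Action be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action):
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return any(
        fnmatch.fnmatchcase(action.lower(), pattern.lower())
        for pattern in _as_list(stmt.get("Action"))
    )


def grants_action(policy, action):
    """Miniature IAM evaluation: an explicit Deny that matches the action wins;
    otherwise at least one matching Allow is required. Condition, NotAction
    and Resource are not evaluated here."""
    statements = _as_list(policy.get("Statement"))
    matching = [s for s in statements if _statement_matches(s, action)]
    if any(s.get("Effect") == "Deny" for s in matching):
        return False
    return any(s.get("Effect") == "Allow" for s in matching)


def check_console_policy(policy):
    """True when the policy lets CA PAM call GetFederationToken for the
    transparent console login."""
    return grants_action(policy, NEEDED_ACTION)


if __name__ == "__main__":
    for name, pol in (("required", REQUIRED_POLICY), ("missing", MISSING_POLICY), ("denied", DENIED_POLICY)):
        print(f"{name}: {check_console_policy(pol)}")
```

GetFederationToken does not support resource-level permissions, which is why the Resource in step 3 is "*"; the evaluator above ignores Resource for that reason, but a policy that lists anything narrower there will still fail in AWS.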

The appliance intermittently crashes with a core dump after database restore (DE206853)
There is no functional impact. The restore is not affected.

Unable to log in to CA Privileged Access Manager using the RADIUS Authentication type when two RADIUS servers are configured (DE172566)
Redundant RADIUS servers would sometimes fail for CHAP authentication when used with One Time
Passwords (OTP), causing login failures.

Workaround: Configure the RADIUS server responsible for OTP as the last server in the list of
configured RADIUS servers in CA Privileged Access Manager.

Some versions of Java 8 might cause certificate errors
Java 8 update 74 and later may cause a "Failed to validate certificate" message when CA Privileged
Access Manager tries to load it.

Workaround: If you use Java 8, use update 73 or earlier. Note that staying on an older update also
forgoes the security fixes shipped in later Java 8 updates.

Appliance is unable to connect to SFA (WinSFA_2.70a) installed on Windows 2008 R2 (DE198762)
When a policy with a socket filter blacklist is used to restrict access to a device, the message
"gatekeeper[xxxx]: telnetproxy, fail to activate SFA, SFA enforced, service discarded" is logged,
indicating the SFA connection issue.

Patch Releases
The content in this section provides information about CA Privileged Access Manager patch and
hotfix releases.
2.7.0.09 Hotfix (see page 57)
2.8.0.01 Hotfix (see page 58)

2.7.0.09 Hotfix
This content provides information about the 2.7.0.09 hotfix.
Resolved Issue (see page 57)
Prerequisites (see page 57)
Install the 2.7.0.09 Hotfix (see page 57)

Resolved Issue
The 2.7.0.09 hotfix resolves an issue with the year 2016 hard coded in the Date and Time
Configuration. The pull-down list for the Date now extends past the year 2016 in the CA PAM UI.
(Salesforce case number 00664001/Internal defect ID DE241486)

Prerequisites
Do the following tasks before installing this hotfix:

Update CA Privileged Access Manager to release 2.7 or 2.7.1.

Obtain the hotfix from CA Support: CAPAM_2.7.0.9.p.zip

Install the 2.7.0.09 Hotfix


The hotfix takes less than 5 minutes to install on each appliance. A maintenance window ( Config,
Diagnostic, Maintenance Mode) is recommended but not required. Use this procedure to install the
2.7.0.09 hotfix.

Follow these steps:

1. In a clustered environment, turn off the cluster.

2. Do the following steps on each CA Privileged Access Manager appliance:

a. Log in to CA Privileged Access Manager as an administrator (such as “super”) that has
access to the Config, Upgrade, and Sessions, Logs pages.


b. Navigate to Config, Upgrade.

c. Browse to the patch location and Upload it to the appliance.


Your screen might show a blank page before a screen redisplays.

d. You are asked to confirm the upgrade. Click Proceed.


The hotfix takes a few minutes to install.

e. Verify that the following items are present:

At the top of the page, a (green) confirmation message: “Upgrade Successful. There is no need to reboot.”

In the Upgrade History panel, the line item “CAPAM_2.7.0.09 HH:MM:SS MM/DD/YY”

Note: If you do not see these items, contact CA Support for further
instructions.

3. Turn on your cluster, if applicable.

4. Instruct all users to clear their Java caches before they next log in.

The hotfix is effective and users can log in to the appliance.

2.8.0.01 Hotfix
This content provides information about the 2.8.0.01 hotfix.

Resolved Issue (see page 58)
Prerequisites (see page 58)
Install the 2.8.0.01 Hotfix (see page 59)

Resolved Issue
The 2.8.0.01 hotfix resolves an issue where Putty intermittently failed to open a connection
(Salesforce case number 00521100/Internal defect ID DE241623).

Prerequisites
Do the following tasks before installing this patch:

Update CA Privileged Access Manager to release 2.8.


Obtain the hotfix from CA Support: CAPAM_2.8.0.01.p.bin

Install the 2.8.0.01 Hotfix


The patch takes less than a minute to install on each appliance. A maintenance window ( Config,
Diagnostic, Maintenance Mode) is recommended but not required. Use this procedure to install the
2.8.0.01 hotfix.

Important! This procedure requires a reboot.

Follow these steps:

1. In a clustered environment, turn off the cluster.

2. Do the following steps on each CA Privileged Access Manager appliance:

a. Log in to CA Privileged Access Manager as an administrator (such as “super”) that has
access to the Config, Upgrade, and Sessions, Logs pages.

b. Navigate to Config, Upgrade.

c. Browse to the patch location and Upload it to the appliance.


Over a few minutes' time, your screen might display a blank page before the page returns.

d. You are asked to confirm the upgrade. Click Proceed.


The patch installs.

e. Verify that the following items are present:

At the top of the page, a (green) confirmation message: “Upgrade Successful. There is no need to reboot.”

In the Upgrade History panel, the line item “CA_PAM_2.8.0.01 HH:MM:SS MM/DD/YY”

Note: If you do not see these items, contact CA Support for further
instructions.

3. If your organization does not use the default appliance SSL certificate: Navigate to Config,
Security, and re-sign your JAR files.

4. Turn on your cluster, if applicable.

5. Instruct all users to clear their Java caches before they next log in.


The patch is effective and users can log in to the appliance.


Related CA Technologies Products


The following CA Technologies products integrate with CA Privileged Access Manager but are
released independently:

AWS API Proxy – The supported release is 3.0 AWS. See the release-specific AWS API Proxy
Deployment Guide for further information.

Socket Filter Agents (SFAs) – To operate in FIPS mode, the supported releases are SFA 2.7 for
Windows, and SFA 2.7 for UNIX/Linux. To operate in non-FIPS mode, the supported releases are
SFA 2.1 for Windows, and either SFA 2.2, 2.3 or 2.4 for UNIX/Linux. See Set up Socket Filter Agents
(https://docops.ca.com/display/CAPAM28/Set+up+Socket+Filter+Agents) for further information.

CA Privileged Access Manager Credential Manager A2A Clients – The supported releases are CA
Privileged Access Manager 2.3, CA Privileged Access Manager 2.4, and CA Privileged Access
Manager 2.5. The A2A Client installers are available at the CA Privileged Access Manager Support
website. See Install an A2A Client for Credential Management (https://docops.ca.com/display
/CAPAM28/Install+an+A2A+Client+for+Credential+Management) for further information.

CA Privileged Access Manager Credential Manager Windows Proxy – The supported releases are
CA Privileged Access Manager 2.3, CA Privileged Access Manager 2.4, and CA Privileged Access
Manager 2.5. The Windows Proxy installer is available at the CA Privileged Access Manager
Support website. See Install a Windows Proxy for Credential Manager (https://docops.ca.com/display
/CAPAM28/Install+a+Windows+Proxy+for+Credential+Manager) for further information.


Educational Resources
CA Product Courses

The following CA Product courses are available on the CA Education Portal (user login is required).
Click the course name for more information and registration.

Course Number: 04PIM20220
Course Name: PreGA Privileged Access Manager 2.7: Differences 200 (http://marketplace.ca.com/education/prega-privileged-access-manager-2-7-differences-200.html)
Category: WBT
Audience: Employee, Partner
