This content provides information about the 18.104.22.168 hotfix.
This hotfix resolves the following issues:
- If the Re-authenticate for Auto-Connect setting is enabled for a password view policy, the auto-connect dialog appears twice when a user tries to auto-connect to an application. This issue occurs when transparent login is enabled for the target but not for the policy. (Salesforce case number:00984429/Internal defect ID: DE352143)
HP Service Manager is configured as a target application. A password view policy is configured with auto-connect enabled to access the target application. When a user tries to auto-connect from the Access page, that user is unable to connect. (Salesforce case number:00940229/Internal defect ID: DE358833)
This hotfix includes other hotfixes that resolved the following issues:
- Hotfix 3.1.1.01: Standard users are prevented from asking a CA Privileged Access Manager administrator for permission to view user data. When a user tries to send a permissions request, the user sees the error message,
You do not have sufficient privileges to perform this operation. (Salesforce case number: 00948377/Internal defect ID DE343117).
- Hotfix 3.1.1.03: Users cannot authenticate to CA Privileged Access Manager using credentials that are stored on a TACACS server. The query that the appliance sends to the database returns a list of all target servers instead of only the TACACS server. The first server that handles the authentication is not a TACACS server, causing the user login to fail. (Salesforce case number: 00971944/Internal defect ID: DE348248)
- Hotfix 3.1.1.05: The AS/400 (IBM i) Target Connector did not support SSL/TLS secure connections.
- Hotfix 3.1.1.07: You cannot select the Enable Login Integration checkbox in the policy to allow integration with CA Privileged Access Manager Server Control (Salesforce case number: 00959682/Internal defect ID: DE348834)
- Hotfix 22.214.171.124: Fixed the following defects:
- You can create a UNIX target application using the Remote CLI, but the application does not display properly in the CA PAM UI. (Salesforce case number: 00946305/Internal Defect ID: DE343074)
- On the Access page in the UI, the Application Name entries in the Available Credentials window are truncated so you cannot read the full name. (Salesforce case number: 00964491/Internal Defect ID: DE351593)
- When you add a target UNIX application using the Remote CLI, the application does not display in the CA PAM UI. Navigate to Credentials, Manage Targets, Applications, and select the application. All the tabs for the application are missing. (Salesforce case number: 00977574/Internal Defect ID: DE349824)
- Hotfix 126.96.36.199: Fixed the following defects:
- After you upgrade from Release 2.7 to 3.1.1, the SSH and Web Portal access methods no longer work when the cluster is activated. Also, you cannot view old session recordings that were made before the upgrade. (Salesforce case numbers: 00981751/Internal Defect ID: DE352160)
- On the Access page of the UI, filtering the list of devices using the Address column returns incorrect results (Salesforce case numbers: 00977595, 00983257, 00977595, 00983257, 00984570, 01006781/Internal Defect ID: DE350779)
- The viewAccountPassword permission is required to make an API call. This requirement is not valid. (Salesforce case number: 00995116/Internal defect ID: DE355279)
- Hotfix 188.8.131.52: Fixed the following defects:
- When login timeout is set to 1 minute, all users are locked out of CA Privileged Access Manager after logging out (Salesforce case number: 01007991/Internal defect ID: DE357320)
- The Access Name field is not populated on the list of AWS Target accounts from which the customer wants to select. (Salesforce case number: 00964491/Internal Defect ID: DE360221)
This hotfix includes Hotfix 3.1.1.05 that provides the following functional changes:
IBM i (AS/400) SSL/TLS Capability (Hotfix 3.1.1.05)
This hotfix adds SSL/TLS support for the IBM i connector (formerly AS/400) to compatible endpoint systems.
Target servers must be running OS/400, i5/OS, or IBM i, at these maintenance levels: PTFs (Program Temporary Fix) on IBM i platform:
- V7R3: SI65622
- V7R2: SI65619
- V7R1: SI65613
The IBM i application type defaults to using SSL/TLS. If you upgrade an existing IBM i (or AS/400) application, it continues without SSL/TLS. You must re-enable SSL/TLS. If you are adding a new IBM i application that does not support SSL or TLS, disable SSL/TLS.
To enable SLL/TLS for an IBM i target connector in the UI, follow these steps:
- For existing applications, go to Credentials, Manage Targets, Applications, and Update the application.
- Select the IBM i tab.
- Select the SSL/TLS Enabled checkbox.
- Optionally, you can view the server certificate. Select the magnifying glass Search icon.
- Click OK to save.
The certificate is installed. Your IBM i system is ready for SSL/TLS connections. Any password verification or changes to IBM i target accounts for this application now use an SSL/TLS connection.
If your IBM i endpoint does not support SSL/TLS connections, an error occurs.
To disable SLL/TLS for an IBM i target connector in the UI, follow these steps:
- Follow the steps in Add Target Applications for new applications.
- For Application Type, select IBM i.
- Select the IBM i tab.
- Clear the SSL/TLS Enabled checkbox to disable SSL/TLS.
- Click OK to save.
New CLI Command
One new command is added to the AS/400 Target Connector for the Credential Manager CLI:
Specify whether to use a secure (SSL or TLS) connection.
Do the following tasks before installing this patch:
Install the 184.108.40.206 Hotfix
The hotfix takes several minutes to install on each server.
Note: This procedure initiates a reboot of the appliance.
Before you install the hotfix:
- To prevent logins to CA Privileged Access Manager during configuration changes, turn on Maintenance Mode. Maintenance Mode is not required, but it stops disruptions from user activity.
To enable Maintenance Mode:
- Select Configuration, Diagnostics, System.
- On the Modes page, turn on Maintenance Mode.
- If you have a clustered environment, turn off the cluster.
Follow these steps on each server in your environment:
- Log in to the UI as an administrator with Global Administrator permissions.
- Navigate to Configuration, Upgrade.
- On the Patches page, click Choose File and browse to the location of the patch file on your local system.
- Click Upload and Apply.
During the upload, you might temporarily see a blank page. The hotfix gets installed and the appliance reboots.
- Verify that the hotfix installation is successful. Look for a message at the top of the page that indicates upgrade success. Also, ensure the Upgrade History lists the patch and the date and time it was applied. If you do not see this information, contact CA Support for further instructions.
- Log out from the UI.
- Log back in to the UI and verify that you can access devices on the Access page.
After you successfully apply this hotfix, complete the following steps:
- If applicable, turn on the cluster.
- If applicable, turn off Maintenance Mode.
- Instruct all users who connect to the appliance through a browser, to clear their Java caches before they log in again.
Revert the Hotfix
To revert to a previous hotfix, install the revert hotfix, CAPAM_220.127.116.11-revert.p.bin. The installation instructions for the revert hotfix are the same as the hotfix.
To revert two or more hotfixes, install each revert hotfix in reverse sequence until you have reached the target hotfix.