Readme File for Cisco Secure Access Control System (ACS)
Release: ACS 5.8.0.32 and ACS 5.8.1.4
Patch: 5-8-0-32-5.tar.gpg
=======================================================================================

This patch fixes:

Patch 1:
* Bug Id:
  CSCuv67311 Improve TPS for MS-RPC based multiple simultaneous requests through AD
  CSCux66025 Memory increased when retrieving AD groups/attributes from GUI
  CSCux66660 ACS Mgmt service unresponsive after restoring Full Backup

Patch 2:
* Bug Id:
  CSCut99902 Identity groups don't display when slash exists in any id group description
  CSCuu75750 ACS5: Unable to replace End Station Filters with .csv file
  CSCuu82493 Evaluation of acs5 for OpenSSL June 2015
  CSCuw33071 Scheduled backup in ACS 5.7 fails when we use rsa keys while using sftp
  CSCuv10632 Cisco ACS reporting "Failed to modify webapp state"
  CSCuv58437 Editing the name of saved report is not working
  CSCuv95363 ACS -- after reload "scheduled reports" stops working
  CSCuv99693 ACS 5.6 doesn't allow use of special characters in Command Sets
  CSCuw09481 ACS 5.7 Vulnerable to CVE-2015-5600
  CSCuw21552 ACS 5.7 Configuration Audit Scheduled Report showing incorrect filter
  CSCuw24694 Cisco ACS SSH Login Denial of Service (DoS) Vulnerability
  CSCuw24705 Cisco ACS Reflective XSS Vulnerability
  CSCuw55386 ACS 5.7: management not started after view full backup restore from GUI
  CSCuw70238 Not able to save Scheduled Reports with clock time zone Etc/GMT+/-7
  CSCuw84970 Evaluation of acs5 for NTP_October_2015
  CSCuw24710 Cisco ACS DOM-based XSS Vulnerability
  CSCuw89910 ACS 5.5 fails to join AD when password includes characters >
  CSCuu66563 Searching functionality ACS 5.7 shows additional fields after cancelling
  CSCuv88038 Firefox 39.0 and ACS 5.7 compatibility issues
  CSCuw81477 ENH : Allow "show users status" CLI for Read-only user
  CSCuw24700 Cisco ACS SQL Injection Vulnerability
  CSCuw81495 PWD Change - PWD Types not displayed after applying filter FF ver>39
  CSCux34781 Evaluation of acs5 for Java_December_2015
  CSCux39905 Cisco ACS evaluation for CVE-2015-6564
  CSCur92646 SSLv3/TLS Renegotiation Stream Injection issue noticed in ACS 5.7
  CSCuw24655 Cisco ACS Role Based Access Control URL Lack of Protection Vulnerability
  CSCuw24661 Cisco ACS Role Based Access Control Weak Protection Vulnerability
  CSCuw89652 Not able to edit acsadmin account details when timezone contains + symbol
  CSCux43519 Authentication lookup portlet feature in 5.7 gives internal error
  CSCux33426 ACS 5.7 Cannot import filters for NDG which has & in the name
  CSCux33250 ACS 5.7: UCP password change with "enable password hash" not working
  CSCux07030 ACS 5.5 15020 Could not find selected Shell Profiles
  CSCux04983 ACS 5.7 - Administrator Entitlement Report does not run
  CSCut77567 APRIL 2015 NTPd Vulnerabilities
  CSCux44063 ACS 5.7 Secure Syslog connection issue during log collector restart
  CSCux81584 ACS 5.6p4 more than 2 GB Backup file fails when using an FTP repository
  CSCuy09740 ACS View report does not list the latest records
  CSCuy05184 Users are disabled when they enable Disable user account with IDS
  CSCux95189 Evaluation of acs5 for NTP_January_2016
  CSCuv10688 Cisco ACS reporting false positive for AD status "node not responding"
  CSCuy13890 LogRecovery is affected when a syslog attribute length is > 1K
  CSCuy09734 Not able to edit Enable Password Hash users with password complexity
  CSCuy11959 ACS 5.x subnet overlap error for ipv6
  CSCuy12884 ACS 5.8 unable to retrieve AD-group info for Binary Cert Comparison
  CSCuy36585 Evaluation of acs5 for glibc_feb_2016
  CSCuy23574 Radius packets are dropped when zeros are appended at the end
  CSCuy23108 User is not disabled while config pwd type as AD due to max failed attempt
  CSCuy89193 ACS 5.8 - adclient - Execution failed

Patch 3:
* Bug Id:
  CSCuz48986 ACS: Editing Service Selection Rules in Firefox 46 erases all rules

Patch 4:
* Bug Id:
  CSCuu29920 ENH: Add TLS 1.2 support on ACS 5.X
  CSCuy50131 Supporting Weak Ciphers in ACS 5.8
  CSCuz75323 Supporting ECC in ACS 5.8
  CSCuy59628 Unable to edit Network Device entries with an IP Range
  CSCux98281 DBPurge fails with Log Recovery feature enabled
  CSCuy63004 Catalina.log reaches 100-200GB in size
  CSCuy45998 ACS 5.7 does not allow user password to be unlocked
  CSCuy54597 Evaluation of acs5 for OpenSSL March 2016
  CSCuy63906 ACS creates db dumps in /home dir instead of db home
  CSCuy73706 Loss of ACS logs because Insufficient semaphore
  CSCuy81798 bulk operation: update TACACS shared key over 32 characters
  CSCuy44452 ACS 5.7/5.8 | Change password on next login issue with enable pwd hash
  CSCuy92415 Runtime is not monitored after upgrade to 5.8 without log collector
  CSCuz03320 ACS 5.8: REST call, loginFailureCount does not reset to 0 automatically
  CSCuz27273 ENH: Policy Export: Support for file download to client computer
  CSCuz40534 ACS 5.8 p2- report showing a blank page for a specific user
  CSCuz45645 ACS error ProvisioningAdmin and OperationsAdmin Role should not be combined
  CSCuz48986 ACS: Editing Service Selection Rules in Firefox 46 erases all rules
  CSCuz50074 PBIS core files are not generated during AD Connector crash

Patch 5:
* Bug Id:
  CSCuy92367 ACS is vulnerable to CVE-2016-1907
  CSCux16057 ACS 5.5/5.6 reverts back to local with 7609-S NTP running 12.2(33)SRD3
  CSCuy78327 Purge on Feb 29 is deleting all logs
  CSCuz12297 Promotion fails when RSA SecurID Token Servers are configured
  CSCuz24101 management process is "Execution failed" after reload of ACS
  CSCuz43689 ACS View database Restore from GUI fails sometimes with sudo errors
  CSCuz50048 CommandSet Arguments with double quotes cause browser to hang
  CSCuz41442 ACS 5.7/5.8 PAC provisioning failing with Credential Time TLV
  CSCuz52505 Evaluation of acs5 for OpenSSL May 2016
  CSCuy88722 "AD Connector is not available" error message thrown while joining the AD
  CSCuz11125 Logging Recovery process creates duplicate records in log collector
  CSCuz49536 LogRecovery after restore takes a long time and is not working properly
  CSCuz49544 Logging Recovery: Few logs are missing during recovery
  CSCva00401 ACS 5.8 AD Admin users cannot view reports
  CSCuz98731 ACS 5.7 CLI Admin Unlock via iso boot ineffective for Patch 2 and 3
  CSCuz86412 Not able to update Password Hash enabled users through RESTAP
  CSCuz73164 Password hashing fails if Tacacs enable password settings are disabled
  CSCuz69016 ACS 5.8 database failure ADOperations alarm
  CSCuz28260 ACS Admin Access by Radius identity Server sends incorrect NAS IP address
  CSCva23984 ACS should not be accessible using unsupported browser
  CSCva42072 RuntimeDebugLog.config flag is not working in 5.8
  CSCva42079 Runtime restart once space limit is reached
  CSCva43184 Domain unusable due to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN message - PBIS integration
  CSCuz11163 Logging Recovery time interval needs to be fine-tuned
  CSCux97425 ACS 5.7/5.8 LDAPS "Test Configuration" check returning error

Patch 5-8-0-32-5.tar.gpg consists of:

* files
  ACSViewWebServices.war
  Rest.war
  RunMACReport_view.jsp
  acs
  acs-aac-5.8.0.32.B.442.jar
  acs-bl-framework-5.8.0.32.B.442.jar
  acs-common-5.8.0.32.B.442.jar
  acs-db-5.8.0.32.B.442.jar
  acs-distributedmanagement-5.8.0.32.B.442.jar
  acs-internalcli-5.8.0.32.B.442.jar
  acs-logrotate
  acs-msgbus-5.8.0.32.B.442.jar
  acs-realm-5.8.0.32.B.442.jar
  acs-replication-5.8.0.32.B.442.jar
  acs-transfer-utils-5.8.0.32.B.442.jar
  acsadmin.war
  acsview.war
  acsview_cli.sh
  acsview_compress_check.sh
  acsview_compress_db.sh
  acsview_restore_to_cleandb.sh
  acsview_upgrade_reports.sql
  ad_client.sh
  backup.sh
  change_encryption.sh
  clients.war
  collection-5.0.jar
  com.springsource.org.apache.commons.collections-3.2.0.jar
  common-reports-5.0.jar
  commons-collections-3.2.2.jar
  commons-collections-3.2.jar
  dataupgrade-5.0.jar
  dbdump.sh
  dbms-5.0.jar
  dbpurge-5.0.jar
  dbupgrade.sh
  export-policy.sh
  fullbackup.sh
  incrbackup.sh
  jss-4.3.3.jar
  liferay.war
  libActiveDirectoryIDStore.so
  libCryptoLib.so
  libCryptoService.so
  libEnableAuthenticator.so
  libLDAPIDStore.so
  libLogging.so
  libPAPAuthenticator.so
  libRadiusCommon.so
  libRadiusServer.so
  libRadiusTokenIDStore.so
  libRuleEngine.so
  libSecureSyslogServer.so
  libService.so
  libUserFailedAttemptEvent.so
  libcrypto.so.1.0.0
  libeap.so
  libjss4.so
  liblog4cxx.so.10
  libssl.so.1.0.0
  libtacacs.so
  list
  logrecovery-5.0.jar
  mgmt.sh
  monit_script.sh
  nssutils.sh
  reduce_db.sh
  reset-config.sh
  restore.sh
  rptframework-5.0.jar
  run-logforward.sh
  run.sh
  sa_config.sh
  setenvforsftp.sh
  support.sh
  sybaseupgrade.sh
  view-logserver.war
  viewbackup.sh
  viewrestore.sh

* adeos-patch
  CARSOpenSSH-2.0cars-1.x86_64.rpm
  CARSReposMgr-2.0cars-1.x86_64.rpm
  CARSUserStore-2.0cars-1.x86_64.rpm
  CARSXferMgr-2.0cars-1.x86_64.rpm
  CARSysApi-2.0cars-1.x86_64.rpm
  GPCECdp-2.0gpce-1.x86_64.rpm
  GPCESetup-2.0gpce-1.x86_64.rpm
  GPCEUtil-2.0gpce-1.x86_64.rpm
  carssh-2.0cars-1.x86_64.rpm
  ciscossl-1.0.1t-4.13.282.x86_64.rpm
  glibc-2.12-1.166.el6_7.7.x86_64.rpm
  glibc-common-2.12-1.166.el6_7.7.x86_64.rpm
  glibc-devel-2.12-1.166.el6_7.7.x86_64.rpm
  glibc-headers-2.12-1.166.el6_7.7.x86_64.rpm
  nscd-2.12-1.166.el6_7.7.x86_64.rpm
  ntp-4.2.6p5-5.el6.4.x86_64.rpm
  ntpdate-4.2.6p5-5.el6.4.x86_64.rpm

* adclient-patch
  adrt-runtime-ADRT_2.1.0-005-x86_64.rpm

Prerequisites
=============

This patch should be installed only on top of the ACS 5.8.0.32 or ACS 5.8.1.4 FCS release.

If you have installed the FCS version of ACS 5.8.0.32 (without any patch), the "show version" output displays the following for the ACS version:

Version : 5.8.0.32
Internal Build ID : B.442

If you have installed the FCS version of ACS 5.8.1.4 (without any patch), the "show version" output displays the following for the ACS version:

Version : 5.8.1.4
Internal Build ID : B.462

Patch 5-8-0-32-1 Fixes
======================

- CSCuv67311 Improve TPS for MS-RPC based multiple simultaneous requests through AD
  In ACS 5.8, while processing authentication (all supported types), Get Groups, Get Attributes and other requests, ACS reads various configuration options. Reading this data from the registry for each request impacts performance. The issue is resolved by caching the configuration in an in-memory data structure. Configuration changes are also written to persistent storage, so they are retained across restarts of ACS. With this change, ACS performance with Active Directory in 5.8 exceeds that of the previous release.

- CSCux66025 Memory increased when retrieving AD groups/attributes from GUI
  In ACS 5.8, a memory leak was observed during the Get Groups and Get Attributes operations from the GUI. This fix addresses that leak.

- CSCux66660 ACS Mgmt service unresponsive after restoring Full Backup
  In ACS 5.8, after restoring a full backup or an application backup that includes the view database, the ACS management service is shown as non-responsive instead of running. After the fix, the management process is in the running state instead of non-responsive.

Patch 5-8-0-32-2 Fixes
======================

- CSCut99902 Identity groups don't display when slash exists in any id group description
  After the fix, the ACS GUI displays Identity Groups even when the group name or description contains "\".

- CSCuu75750 ACS5: Unable to replace End Station Filters with .csv file
  Editing an already configured End Station Filter with more entries did not work; ACS threw "Resource not found". This issue is fixed in patch 2.

- CSCuw33071 Scheduled backup in ACS 5.7 fails when we use rsa keys while using sftp
  After the fix, Scheduled Backup works with SFTP repositories that use public key authentication.

- CSCuu82493 Evaluation of acs5 for OpenSSL June 2015
  This fix addresses the following OpenSSL vulnerabilities: CVE-2015-4000, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, CVE-2015-1791, CVE-2014-8176.

- CSCuv10632 Cisco ACS reporting "Failed to modify webapp state"
  There was a communication problem between the ACS CLI and management. After the fix, ACS is able to establish the RMI connection from the CLI to management, so the CLI show/configure operations for all interfaces (PI, UCP, MIGRATION and VIEW) work correctly.

- CSCuv58437 Editing the name of saved report is not working
  After editing a Saved Report, ACS was not able to generate it. After the fix, ACS is able to run the report.

- CSCuv95363 ACS -- after reload "scheduled reports" stops working
  This fix addresses the issue of scheduled reports no longer running after a reload.

- CSCuv99693 ACS 5.6 doesn't allow use of special characters in Command Sets
  ACS did not allow some special characters such as "(", ")" and "+" in Command Sets used as regular expressions. After the fix, ACS allows all the special characters required for regular expressions in Command Sets.
- CSCuw09481 ACS 5.7 Vulnerable to CVE-2015-5600
  ACS 5.8 patch 2 addresses the vulnerability CVE-2015-5600. ACS was upgraded to the latest OpenSSH version, OpenSSH_7.1p1, to fix the vulnerability.

- CSCuw21552 ACS 5.7 Configuration Audit Scheduled Report showing incorrect filter
  After the fix, all filters of the Configuration Audit Scheduled Report are shown correctly in the M&T GUI.

- CSCuw24694 Cisco ACS SSH Login Denial of Service (DoS) Vulnerability
  After the fix, the ACS SSH shell no longer crashes when more than 512 characters are passed to any CLI command; the input is rejected with an error message and the session is closed properly.

- CSCuw24705 Cisco ACS Reflective XSS Vulnerability
  This fix addresses the reflected XSS reported in a few M&T pages (Dashboard and Reports pages).

- CSCuw55386 ACS 5.7: management not started after view full backup restore from GUI
  After the fix, management comes up (running state) after a full restore from the GUI.

- CSCuw70238 Not able to save Scheduled Reports with clock time zone Etc/GMT+/-7
  After the fix, ACS allows Scheduled Reports to be created when the time zone is set to Etc/GMT+/-7.

- CSCuw84970 Evaluation of acs5 for NTP_October_2015
  This fix addresses the NTP vulnerabilities identified by CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871.

- CSCuw24710 Cisco ACS DOM-based XSS Vulnerability
  This fix addresses the DOM-based XSS vulnerability in a few M&T pages.

- CSCuw89910 ACS 5.5 fails to join AD when password includes characters >
  After the fix, ACS is able to join AD even when the password contains special characters such as "<" or ">".
- CSCuu66563 Searching functionality ACS 5.7 shows additional fields after cancelling
  In ACS 5.8, when a name filter is applied to any type of ACS object in the GUI, then the object is edited and Cancel is clicked without modifying any data, multiple filters (three) are added to the GUI. This patch fixes the issue; the GUI now shows a single filter.

- CSCuv88038 Firefox 39.0 and ACS 5.7 compatibility issues
  In ACS 5.8, when a name filter is used to search Devices/Users in the GUI and the object is then edited, ACS did not show any Identity Groups/Network Device Groups after clicking the Select button. This is fixed in this patch; the Device/User can be modified with a new Identity Group/Network Device Group.

- CSCuw81477 ENH : Allow "show users status" CLI for Read-only user
  In ACS 5.8, a Read-Only CLI admin did not have permission to execute the command "show users status", which lists all CLI administrators along with their role. This patch grants permission to execute the command. Executing "show users", however, still returns "Internal error during command execution"; this is expected with this patch, as there is no permission for the "show users" command.

- CSCuw24700 Cisco ACS SQL Injection Vulnerability
  This fix addresses the SQL injection reported in the M&T Dashboard pages.

- CSCuw81495 PWD Change - PWD Types not displayed after applying filter FF ver>39
  In ACS 5.8, when a name filter is used to search Users in the GUI, then Change Password is clicked and the Select button is used to change the Password Type, ACS did not show any password type. This issue is fixed in this patch.

- CSCux34781 Evaluation of acs5 for Java_December_2015
  This fix addresses the vulnerability in the Apache Commons library used by Java, identified by CVE-2015-4852.

- CSCux39905 Cisco ACS evaluation for CVE-2015-6564
  This fix addresses the vulnerability reported in CVE-2015-6564.
- CSCur92646 SSLv3/TLS Renegotiation Stream Injection issue noticed in ACS 5.7
  After the fix, ACS does not allow renegotiation and returns an error when any client tries to renegotiate with ACS. This is fixed for port 443.

- CSCuw24655 Cisco ACS Role Based Access Control URL Lack of Protection Vulnerability
  After the fix, direct access to the URL (liferay/user/wdwmro1k/) is restricted.

- CSCuw24661 Cisco ACS Role Based Access Control Weak Protection Vulnerability
  After the fix, the report page URL (acsview/pages/flex/ReportMain.swf) is restricted based on the authorization configured in the GUI.

- CSCuw89652 Not able to edit acsadmin account details when timezone contains + symbol
  After the fix, ACS allows Administrator accounts to be edited when the time zone contains a "+" symbol.

- CSCux43519 Authentication lookup portlet feature in 5.7 gives internal error
  This applies only to the new reports available in ACS 5.6, 5.7 and 5.8 (Adobe Flex based reports). In ACS 5.8, the Authentication Lookup portlet on the Dashboard forwarded to old report links that no longer exist. After the fix, ACS forwards to the proper report URLs.

- CSCux33426 ACS 5.7 Cannot import filters for NDG which has & in the name
  After the fix, ACS is able to import Device Filters from the GUI even when the NDG name contains "&".

- CSCux33250 ACS 5.7: UCP password change with "enable password hash" not working
  After the fix, the UCP interface works for internal users that have password hashing enabled.

- CSCux07030 ACS 5.5 15020 Could not find selected Shell Profiles
  In ACS 5.8 patch 1, if the right operand of a user dictionary attribute condition in an authorization policy is of Hierarchical type and the left operand is of String type, the policy rule failed to match. After the fix, the comparison between String and Hierarchical types works correctly.

- CSCux04983 ACS 5.7 - Administrator Entitlement Report does not run
  After the fix, the ACS Administrator Entitlement report runs successfully and can also be exported.
- CSCut77567 APRIL 2015 NTPd Vulnerabilities
  This fix addresses the NTP vulnerabilities identified by CVE-2015-1798 and CVE-2015-1799.

- CSCux44063 ACS 5.7 Secure Syslog connection issue during log collector restart
  If the Secure Syslog TCP connection was closed ungracefully at the log collector (by a hard reboot or by disabling the syslog interface), Secure TCP Syslog did not work at all once the log collector was back up. With the fix, Secure Syslog starts properly after a restart of the log collector.

- CSCux81584 ACS 5.6p4 more than 2 GB Backup file fails when using an FTP repository
  After the fix, ACS is able to write large backups (more than 2 GB) to an FTP repository.

- CSCuy09740 ACS View report does not list the latest records
  During report generation, if more than 25K records were returned, the report did not show the most recent records. This issue existed in all types of AAA reports. After the fix, recent records are shown in the report.

- CSCuy05184 Users are disabled when they enable Disable user account with IDS
  After the fix, ACS does not disable users who are authenticated against an Identity Sequence.

- CSCux95189 Evaluation of acs5 for NTP_January_2016
  This fix addresses the NTP vulnerabilities identified by CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158.

- CSCuv10688 Cisco ACS reporting false positive for AD status "node not responding"
  After the fix, the Primary AD GUI shows the Secondary AD status correctly.

- CSCuy13890 LogRecovery is affected when a syslog attribute length is > 1K
  When the syslog message length exceeded 1024 bytes (the supported maximum syslog size), the runtime appended "..." to the current fragment and skipped all remaining fragments of the syslog message. Such messages were not processed by the log collector, which kept asking for the missing log messages. The fix sends all the data without truncation, and the log collector is able to process the message successfully.

- CSCuy09734 Not able to edit Enable Password Hash users with password complexity
  After the fix, ACS allows Users to be edited even when password hashing is enabled and all password complexity rules are configured.

- CSCuy11959 ACS 5.x subnet overlap error for ipv6
  This fix is specific to the following scenario. When adding the following IPv6 addresses from the GUI, ACS threw an overlap error even though the addresses do not overlap. This fix addresses that.
  fc00::c:a96:ee41/128
  fc00::c:a96:ee42/128

- CSCuy12884 ACS 5.8 unable to retrieve AD-group info for Binary Cert Comparison
  When "Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory" is enabled in the Certificate Authentication Profile, user groups and attributes were not fetched after successful authentication. This patch fixes the issue; user groups and attributes are fetched properly after successful authentication.

- CSCuy36585 Evaluation of acs5 for glibc_feb_2016
  This fix addresses the glibc vulnerability identified by CVE-2015-7547. During patch install, ACS asks for a reboot, as this is required for the security fixes.

- CSCuy23574 Radius packets are dropped when zeros are appended at the end
  After the fix, ACS is able to parse Access-Request packets even when zeros are padded at the end of the packet.

- CSCuy23108 User is not disabled while config pwd type as AD due to max failed attempt
  After the fix, a User whose password type is configured as AD is disabled when the maximum failed attempts configuration is reached.

- CSCuy89193 ACS 5.8 - adclient - Execution failed
  After the fix, restoring 5.5/5.6/5.7 configuration backups works correctly and the adclient process runs successfully.
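The CSCuy23574 entry above describes a RADIUS parser that rejected datagrams with trailing zeros. RFC 2865 section 3 specifies the expected behaviour: octets beyond the packet's Length field are padding and must be ignored, while a datagram shorter than its Length field must be silently discarded. The following is an added illustration of that rule (not ACS code, and not Cisco's parser); the Access-Request, its authenticator and the attribute values are constructed for the example.

```python
"""
Added example: a RADIUS packet parser that honours the Length field as
RFC 2865 section 3 requires. Trailing octets beyond Length are counted as
padding and ignored; a datagram shorter than Length is rejected. The sample
packet below is constructed for this example and is not real traffic.
"""
import struct

RADIUS_HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4


class RadiusPacketError(ValueError):
    """Raised for datagrams that RFC 2865 says must be silently discarded."""


def parse_radius(datagram: bytes) -> dict:
    """Parse the header and attribute list; report how many trailing octets were padding."""
    if len(datagram) < RADIUS_HEADER_LEN:
        raise RadiusPacketError("datagram shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if length < RADIUS_HEADER_LEN or length > 4096:
        raise RadiusPacketError(f"invalid Length field {length}")
    if len(datagram) < length:
        # RFC 2865: shorter than Length -> discard
        raise RadiusPacketError("datagram shorter than Length field")
    authenticator = datagram[4:RADIUS_HEADER_LEN]
    padding = len(datagram) - length          # octets beyond Length: ignored
    attributes = []
    pos = RADIUS_HEADER_LEN
    while pos < length:                       # never read into the padding
        if length - pos < 2:
            raise RadiusPacketError("truncated attribute header")
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise RadiusPacketError("attribute length out of range")
        attributes.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return {
        "code": code,
        "identifier": identifier,
        "length": length,
        "authenticator": authenticator,
        "attributes": attributes,
        "padding": padding,
    }


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(identifier: int, username: str, nas_ip: str,
                         authenticator: bytes) -> bytes:
    """Build a minimal Access-Request with User-Name and NAS-IP-Address."""
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    length = RADIUS_HEADER_LEN + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


# Constructed sample: 20-byte header + User-Name(7) + NAS-IP-Address(6) = 33 bytes,
# then the same packet with 12 zero bytes appended, as in the reported issue.
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_REQUEST = build_access_request(7, "alice", "10.0.0.5", SAMPLE_AUTHENTICATOR)
PADDED_REQUEST = SAMPLE_REQUEST + b"\x00" * 12

if __name__ == "__main__":
    for name, pkt in (("exact", SAMPLE_REQUEST), ("padded", PADDED_REQUEST)):
        parsed = parse_radius(pkt)
        print(name, "length", parsed["length"], "padding", parsed["padding"],
              "attributes", parsed["attributes"])
```

The attribute loop is bounded by the Length field rather than by `len(datagram)`, which is the detail that makes padded packets parse and also keeps a malformed attribute from reading past the end of the logical packet.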
Patch 5-8-0-32-3 Fixes
======================

- CSCuz48986 ACS: Editing Service Selection Rules in Firefox 46 erases all rules
  Adding or editing Service Selection Rules, Identity Rules and Authorization Rules in ACS failed with the Firefox 46 and 46.0.1 browsers. This fix resolves the issue.

Patch 5-8-0-32-4 Fixes
======================

- CSCuu29920 ENH: Add TLS 1.2 support on ACS 5.X
  This enhancement adds TLS 1.2 support to ACS. There are two areas in which ACS needs TLS 1.2 support.

  1. GUI (https) access via TLS 1.2
  =================================
  By default, TLS 1.1 and 1.2 are enabled and TLS 1.0 is disabled for https access. For compatibility reasons, TLS 1.0 can be enabled with the check box "Enable TLS 1.0 for https access" on the new GUI page "System Administration > Configuration > Global System Options > Security Settings". After enabling this on the Primary, the user is prompted with a confirmation message to restart the Primary management service only. The change is replicated to all Secondaries in the deployment, but for it to take effect the management service must be restarted manually from the CLI on each Secondary.

  The following steps restart the management service from the CLI. Log in to the Secondary CLI and issue the following command.

  ACS/admin# acs stop management
  Stopping management

  Check the management service status using the "show application status acs" command. The number of processes displayed depends on the Node Type. In the following case, the node is a Secondary and Log collector.
  ACS/admin# show application status acs

  ACS role: SECONDARY
  Process 'database' running
  Process 'management' not monitored
  Process 'runtime' running
  Process 'adclient' running
  Process 'ntpd' running
  Process 'view-database' running
  Process 'view-jobmanager' not monitored
  Process 'view-alertmanager' not monitored
  Process 'view-collector' running
  Process 'view-logprocessor' not monitored

  After management has gone to "not monitored", issue the following command to start it.

  ACS/admin# acs start management
  Starting management

  Make sure that all services come up after the start. Repeat the same procedure for each Secondary node in the deployment.

  2. AAA flow via TLS 1.2
  =======================
  By default, TLS 1.0, 1.1 and 1.2 are all enabled for the AAA flow. Configuration options to disable TLS 1.0 and SHA-1 ciphers are provided on the new GUI page "System Administration > Configuration > Global System Options > Security Settings":

  Enable TLS 1.0 only for legacy clients - enables/disables TLS 1.0 for the AAA flow.
  Enable SHA-1 only for legacy clients - enables/disables SHA-1 ciphers for the AAA flow.

  No further operations are required beyond setting these GUI options to disable TLS 1.0/SHA-1 ciphers.

- CSCuz75323 Supporting ECC in ACS 5.8
  This enhancement adds support for ECC ciphers to provide higher security. The following relaxations apply to ECC certificates (when FIPS is enabled):
  1. The minimum supported key size for an ECC certificate is 224 bits (equivalent to a 2048-bit RSA key).
  2. There is no check for PKCS#8 format of the private key (a non-PKCS#8 format for EC keys is allowed even in FIPS mode).
  Note that ECC ciphers are supported only for AAA flows.

- CSCuy50131 Supporting Weak Ciphers in ACS 5.8
  By default ACS disables all weak ciphers such as TLS_RSA_WITH_RC4_128_SHA for any authentication protocol that uses EAP-TLS as the inner method. This patch provides the configuration option "Allow weak ciphers for EAP" to enable those weak ciphers for legacy clients. The option is available under the "Allow Protocols" section of an Access Service.

- CSCuy59628 Unable to edit Network Device entries with an IP Range
  ACS threw an overlap error when editing an AAA Client that has both a Range and an Exclude list defined. After the fix, ACS allows the AAA Client to be created in this scenario.

- CSCux98281 DB Purge fails with Log Recovery feature enabled
  If logging recovery is enabled, cleaning up the Logging Recovery table during DB purge took a long time when the table had many entries. At times DB purge took an hour and caused side effects for other operations. This patch fixes the issue; DB Purge works correctly even with logging recovery enabled.

- CSCuy63004 Catalina.log reaches 100-200GB in size
  Due to insufficient file descriptors, ACS was not able to communicate with other nodes in the deployment. This patch increases the number of file descriptors in ACS to avoid the issue.

- CSCuy45998 ACS 5.7 does not allow user password to be unlocked
  From the ACS CLI, if an Administrator was locked because the failed login counter was exceeded, ACS did not allow login even after that Administrator had been deleted and re-added by a different Administrator. After the fix, the ACS CLI allows login once such an admin has been deleted and re-added.

- CSCuy54597 Evaluation of acs5 for OpenSSL March 2016
  This fix addresses the OpenSSL vulnerabilities identified by CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0703 and CVE-2016-0704.

- CSCuy63906 ACS creates db dumps in /home dir instead of db home
  On a crash of either the configuration database or the log collector database, the crash files were created under the /home/acsuser or /home/admin directory. Because the /home partition is small, these directories filled up; consequently, login to ACS via the CLI failed and a few other operations could also fail. After the fix, ACS creates crash files in "/opt/CSCOacs/db/dbsrv/diagnostics". ACS does not remove these files automatically, as they may be needed for further analysis.

- CSCuy73706 Loss of ACS logs because Insufficient semaphore
  If the ACS process "view-logprocessor" restarted multiple times over a period of 10 hours, ACS leaked semaphores. After the fix, ACS no longer leaks semaphores.

- CSCuy81798 bulk operation: update TACACS shared key over 32 characters
  The RADIUS/TACACS shared secret key length was defined differently for the GUI and the import interface: the GUI allowed 128 characters whereas the import flow allowed only 32. Updating a Network Device (created from the GUI with a secret key longer than 32 characters) failed from the import flow. After the fix, import works with secret keys of up to 128 characters.

- CSCuy44452 ACS 5.7/5.8 | Change password on next login issue with enable pwd hash
  For a protocol user with both Password Hashing and Change Password on next login enabled, ACS was not able to update the new password. After the fix, ACS updates the password successfully.

- CSCuy92415 Runtime is not monitored after upgrade to 5.8 without log collector
  In ACS 5.8 it is possible to set "No Log Collector" for any ACS node. On such a node, the runtime went to "not monitored" after the upgrade to 5.8. After the fix, the runtime comes up successfully even when the ACS node is set to "No Log Collector".

- CSCuz03320 ACS 5.8: REST call, loginFailureCount does not reset to 0 automatically
  Enabling an already disabled User via REST did not reset the "loginFailureCount" value to 0. This patch fixes the issue.

- CSCuz27273 ENH: Policy Export: Support for file download to client computer
  This patch enhances the Policy Export functionality as follows:
  1. It is possible to configure policy export without encryption.
  2. It is possible to download the policy export file to the client computer as well.

- CSCuz40534 ACS 5.8 p2- report showing a blank page for a specific user
  In ACS 5.8 patch 3, if Administrator Roles were assigned dynamically using Authorization Rules, the Reports page showed up blank. After the fix, Reports are shown as expected irrespective of the role assignment (static or dynamic).

- CSCuz45645 ACS error ProvisioningAdmin and OperationsAdmin Role should not be combined
  While creating Authorization Rules with more than 12 External Groups as a condition, ACS threw the error message "ProvisioningAdmin and OperationsAdmin Role should not combined with any of other roles. Please remove roles accordingly". After the fix, ACS allows Authorization Rules with more than 12 External Groups as a condition.

- CSCuz48986 ACS: Editing Service Selection Rules in Firefox 46 erases all rules
  With Firefox 46 and 46.0.1, loading or editing Service Selection Rules / Identity Rules / Authorization Rules did not work. After installing this patch, ACS is able to load/edit the rules as expected.

- CSCuz50074 PBIS core files are not generated during AD Connector crash
  This patch fixes the issue of no core file being generated on an AD Client crash. After the fix, the AD client, like the runtime, generates its core in the same location, /opt/CSCOacs/runtime. These files are picked up by the support bundle.

Patch 5-8-0-32-5 Fixes
======================

- CSCuy92367 ACS is vulnerable to CVE-2016-1907
  This fix addresses the CVE-2016-1907 vulnerability.

- CSCux16057 ACS 5.5/5.6 reverts back to local with 7609-S NTP running 12.2(33)SRD3
  NTP reverted to local on ACS 5.5 or 5.6 with the latest patch applied. ACS 5.7 and 5.8 work as expected.

- CSCuy78327 Purge on Feb 29 is deleting all logs
  When purge ran on 29 February, it deleted all the logs. This fix addresses the issue.
- CSCuz12297 Promotion fails when RSA SecurID Token Servers are configured
  Configuring RSA on ACS, then stopping the services on the Primary and trying to promote the Secondary, failed. This fix addresses the issue.

- CSCuz24101 management process is "Execution failed" after reload of ACS
  This fix addresses management becoming unresponsive due to null entries in the hosts file.

- CSCuz43689 ACS View database Restore from GUI fails sometimes with sudo errors
  This fix addresses GUI restore failures caused by sudo errors.

- CSCuz50048 CommandSet Arguments with double quotes cause browser to hang
  Configuring command set arguments containing double quotes caused problems on submit and the browser hung. This fix eliminates the issue.

- CSCuz41442 ACS 5.7/5.8 PAC provisioning failing with Credential Time TLV
  The PAC provisioned by ACS 5.7/5.8 to devices was corrupted. This fix addresses the issue.

- CSCuz52505 Evaluation of acs5 for OpenSSL May 2016
  This fix addresses the vulnerabilities CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 and CVE-2016-2176.

- CSCuy88722 "AD Connector is not available" error message thrown while joining the AD
  ACS displayed the "AD Connector is not available" error while joining ACS to AD. This fix eliminates the issue.

- CSCuz11125 Logging Recovery process creates duplicate records in log collector
  This fix addresses the creation of duplicate records during log recovery.

- CSCuz49536 LogRecovery after restore takes a long time and is not working properly
  After this fix, logging recovery functions correctly during restore.

- CSCuz49544 Logging Recovery: Few logs are missing during recovery
  This fix addresses logs being missed during recovery.

- CSCva00401 ACS 5.8 AD Admin users cannot view reports
  ACSAdmin accounts in AD were not able to view ACSView reports. This fix addresses the issue.
- CSCuz98731 ACS 5.7 CLI Admin Unlock via ISO boot ineffective for Patch 2 and 3
  After this fix, CLI admin accounts can be unlocked and their password changed using ISO boot.

- CSCuz86412 Not able to update Password Hash enabled users through RESTAP
  For users with password hash enabled, password change via the REST API fails. This is addressed as part of this defect.

- CSCuz73164 Password hashing fails if TACACS enable password settings are disabled
  For ACS internal users, when the password is hashed and "TACACS Enable password" is disabled under "System Administration > Users > Authentication Settings", ACS gives a "wrong password" error when entering "enable" mode on a T+ device. This fix addresses this issue.

- CSCuz69016 ACS 5.8 database failure ADOperations alarm
  If the sequence number of the AD operations is more than 2147483647, an alarm is generated under Monitoring and Reports > Alarms > Inbox, with the ACS node name and AD operations as the task, and the particular operation is not stored in the database. This fix addresses this issue.

- CSCuz28260 ACS Admin Access by RADIUS Identity Server sends incorrect NAS IP address
  When ACS is used as a RADIUS Identity Server for another ACS, the NAS IP stored in the logs is that of the PC or proxy device. This fix addresses this issue and displays the proper NAS IP.

- CSCva23984 ACS should not be accessible using unsupported browsers
  This fix restricts access to the ACS GUI over unsupported browsers. Please refer to the release notes for the list of supported browsers.

- CSCva42072 RuntimeDebugLog.config flag is not working in 5.8
  With this fix, the number of runtime files being generated is based on the value specified in RuntimeDebugLog.config.

- CSCva42079 Runtime restart once space limit is reached
  After this fix, when the context limit is reached, runtime will restart.
- CSCva43184 Domain unusable due to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN message - PBIS integration
  With this fix, AD status should not become offline/unavailable/unusable when the error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN is encountered. ACS should be able to switch to a proper DC.

- CSCuz11163 Logging Recovery time interval needs to be fine-tuned
  With this fix, logging recovery is configurable with 2 min / 4 min / 6 min / 8 min intervals, along with the already available options.

- CSCux97425 ACS 5.7/5.8 LDAPS "Test Configuration" check returning error
  When a certain certificate is used for the LDAP connection, Test Configuration fails with SSL errors, although Test Connection and authentication continue to work fine. This is due to the Java version used in ACS (1.6). With Java 1.7, which has been included in ACS since 5.8 patch 4, Test Configuration/Test Connection work fine.

Known Issues:
============
None

Instructions on how to install the patch
========================================
1. Open the CLI console.
2. Define a new repository in which 5-8-0-32-5.tar.gpg resides.
3. Issue: 'acs patch install 5-8-0-32-5.tar.gpg repository YOUR_REPOSITORY'
4. Verify the installation by getting the following version information via the CLI by issuing:

   #show application version acs   (if ACS 5.8.0.32 FCS has been installed)

   Cisco ACS VERSION INFORMATION
   -----------------------------
   Version : 5.8.0.32.5
   Internal Build ID : B.442
   Patches : 5-8-0-32-5

   #show application version acs   (if ACS 5.8.1.4 FCS has been installed)

   Cisco ACS VERSION INFORMATION
   -----------------------------
   Version : 5.8.1.4.5
   Internal Build ID : B.462
   Patches : 5-8-0-32-5

Instructions on how to remove the patch
=======================================
1. Open the CLI console.
2. Issue: 'acs patch remove 5-8-0-32-5'
3. Verify the patch removal by getting the following version information via the CLI by issuing:

   #show application version acs   (the version will be ACS 5.8 FCS)

   Cisco ACS VERSION INFORMATION
   =============================
   Version : 5.8.0.32
   Internal Build ID : B.442
   Patches :

   #show application version acs   (the version will be ACS 5.8.1 FCS)

   Cisco ACS VERSION INFORMATION
   =============================
   Version : 5.8.1.4
   Internal Build ID : B.462
   Patches :

=======================================================================
Copyright (C) 2016 Cisco Systems, Inc. All rights reserved.
Cisco and Cisco Systems are registered trademarks of Cisco Systems, Inc., in the U.S. and certain other countries.
All other trademarks mentioned in this document are the property of their respective owners.
=======================================================================
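The install and remove procedures above both end with reading the "show application version acs" output by eye. When the same check has to be repeated across several ACS nodes (for instance to confirm that every node carrying the OpenSSL and CVE-2016-1907 fixes actually has patch 5-8-0-32-5 applied), a small parser is more reliable. The following is an added example, not part of the Cisco readme and not Cisco code: it assumes the CLI prints exactly the "Version / Internal Build ID / Patches" block shown above, and the sample outputs embedded in it are constructed from the readme's expected values. A node whose build ID and version do not line up with either documented FCS base is reported as "unexpected" rather than silently treated as patched.

```python
"""Classify ACS nodes by the 'show application version acs' output.

Added example (not part of the Cisco readme). Assumes the CLI output has the
three fields shown in the readme: Version, Internal Build ID and Patches.
"""
import re

PATCH_ID = "5-8-0-32-5"
# FCS base versions this patch applies to, per the readme: version -> build id
BASE_BUILDS = {"5.8.0.32": "B.442", "5.8.1.4": "B.462"}

_FIELD_RE = re.compile(r"\s*(Version|Internal Build ID|Patches)\s*:\s*(.*?)\s*$")


def parse_version_block(text):
    """Return {'version', 'build', 'patches'} parsed from the CLI output."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    if "Version" not in fields:
        raise ValueError("no 'Version' field found in output")
    # An empty 'Patches :' line (unpatched FCS build) yields an empty list
    patches = [p for p in re.split(r"[,\s]+", fields.get("Patches", "")) if p]
    return {"version": fields["Version"],
            "build": fields.get("Internal Build ID", ""),
            "patches": patches}


def patch_status(text, patch_id=PATCH_ID):
    """Classify a node as 'patched', 'unpatched' or 'unexpected'.

    patched    : patch id listed and version is <FCS base>.<patch number>
    unpatched  : a documented FCS base version with no patches listed
    unexpected : anything else (unknown build, version/build mismatch,
                 patch listed without the version suffix, and so on)
    """
    info = parse_version_block(text)
    version, build, patches = info["version"], info["build"], info["patches"]
    patch_no = patch_id.rsplit("-", 1)[1]   # '5-8-0-32-5' -> '5'
    for base, base_build in BASE_BUILDS.items():
        if build != base_build:
            continue
        if version == base and not patches:
            return "unpatched"
        if version == f"{base}.{patch_no}" and patch_id in patches:
            return "patched"
    return "unexpected"


# Constructed sample outputs, taken from the readme's expected values.
PATCHED_5_8_0 = """Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.8.0.32.5
Internal Build ID : B.442
Patches : 5-8-0-32-5
"""

UNPATCHED_5_8_1 = """Cisco ACS VERSION INFORMATION
=============================
Version : 5.8.1.4
Internal Build ID : B.462
Patches :
"""

# Constructed inconsistent output: 5.8.1 version string on a 5.8.0 build id.
MISMATCHED = """Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.8.1.4.5
Internal Build ID : B.442
Patches : 5-8-0-32-5
"""

if __name__ == "__main__":
    for name, output in [("node-a", PATCHED_5_8_0),
                         ("node-b", UNPATCHED_5_8_1),
                         ("node-c", MISMATCHED)]:
        print(f"{name}: {patch_status(output)}")
```

In practice the output text would be collected from each node (for example from a pasted CLI session) and fed to patch_status(); any "unexpected" result is worth a manual look before assuming the node carries the fixes listed in this readme.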