Readme File for Cisco Secure Access Control Server (ACS)
Release: ACS 5.2.0.26
Patch: 5-2-0-26-5.tar.gpg
=======================================================================================

This patch fixes:
*Bug Id:

Patch 1:
- CSCth82664 ACS DB need to be compressed as a maintenance operation
- CSCtg87278 ACS not able to establish SSL tunnel with LDAP server with CRL verif
- CSCth78269 ACSTRANSACTIONS table is not cleaned properly during bulk operations
- CSCth62139 ACS authentication rate decreases with internal user attributes
- CSCti90973 Adding "User is in management hierarchy" flag to T+ authorization policy
- CSCsu69983 Restoring a configuration disconnects deployment and causes replication

Patch 2:
- CSCth57441 ACS 5.1 - HDD Failure doesn't prevent RT to process incoming requests
- CSCtg49699 ACS 5 fails to join AD Domain
- CSCti22161 ACS 5.1 AD admin password length too short
- CSCti98492 ACS5 tries to connect only to 3 DC's
- CSCtj15764 ACS5 will not accept two certificates with same SKI
- CSCtj32663 Most significant bit is not set on the MS MPPE Keys
- CSCtj31250 Windows 7 PEAP fast reconnect fails with ACS5
- CSCtj32835 Group fetch does not work for 8 hours after joining a new domain
- CSCtj36382 Find AD Global catalog may fail in certain scenario
- CSCtj87187 Trust for client with EAP-TLS not stored with allow dup option
- CSCtj86607 ACS 5.1 HTTP 500 errors, requiring mgmt service restart
- CSCtk08342 ACS becomes disconnected from Active Directory when DNS replies delayed
- CSCtk08423 ACS reconnects to different DCs if AD namespace is disjointed
- CSCtk32168 Add an option to change password when password expires (T+ and Radius)
- CSCtk32178 Add an option for pass never expired for specific users
- CSCtk32664 ACS sends change-pass request to a wrong id-store in the sequence
- CSCtk32683 Add option for checking user existence in internal before authenticate
- CSCtl12831 Superadmin role has no permissions for authentication settings
- CSCtj34574 Change and view speed/duplex settings via CLI in ACS

Patch 3:
- CSCti68031 ACS5 sees DC= in the certificate subject as invalid DN
- CSCti42591 NDG Locations disappeared from GUI
- CSCth77468 ACS 5.1 not including 'C' and 'V' values in MS-CHAP-v2 Failure Packet
- CSCth72626 MS-CHAPv2 Responses with bad Flags value will not be dropped
- CSCtf78048 Discovery of host's account domain is very inefficient
- CSCtk32073 Network Device Groups are not evaluated properly in Device Filters
- CSCtj38410 ACS sends TLS SessionTicket which can break compatibility with LDAPS
- CSCtk31968 Getting exception while doing user attribute retrieval in
- CSCtj89705 ACS 5 Import of internal user attribute fails for attribute with default
- CSCth68051 network devices after migration - import/update doesn't work
- CSCtl71157 ACS runtime does not send system status and health
- CSCtl23615 Unable to retrieve AD group info. Centrify library error

Patch 4:
- CSCth12406 ACS 5 does not have option to disable local account on failed attempts
- CSCtl75467 ACS5.2 High CPU usage due to failure in startup of adclient
- CSCsz74681 Distribution Management MGM REPLICATION Execute failed
- CSCtk96981 import process fails with FATAL error after importing high volume of devices
- CSCth66302 Radius Authentication Request Rejected due to critical logging Error

Patch 5:
- CSCtl97325 UserInManagementHierarchy should be applied also for Internal-Hosts
- CSCto34685 Speed/duplex settings not persistent across reboots
- CSCtn97709 ACS 5.2 acs-config mode was hung
- CSCtn25264 acsLocalStore.logs are unexpectedly deleted when restarting services
- CSCto62144 ACS 5 import should support none strict csv file header
- CSCtk16271 ACS5: CLI DNIS values switch columns when Submit is clicked
- CSCtc36013 ESX secondaries can't handle transactions gap during large users Import

Patch 5-2-0-26-5.tar.gpg consists of files:
===========================================
acsadmin.war
acs-audit-5.2.0.26.B.3075.jar
acs-bl-api-5.2.0.26.B.3075.jar
acs-bl-framework-5.2.0.26.B.3075.jar
acs-common-5.2.0.26.B.3075.jar
acs-db-5.2.0.26.B.3075.jar
acs-distributedmanagement-5.2.0.26.B.3075.jar
acs-infomodel-5.2.0.26.B.3075.jar
acs-internalcli-5.2.0.26.B.3075.jar
acs-replication-5.2.0.26.B.3075.jar
acs-transfer-utils-5.2.0.26.B.3075.jar
acs-userfailedattempt-5.2.0.26.B.3075.jar
ad-check-run.sh
adclient
ad-java-check-run.sh
centrifydc.conf
CLI.war
compress_db.sh
dataupgrade-5.0.jar
ldapadd
ldapcompare
ldapdelete
ldapmodify
ldapmodrdn
ldapsearch
libActiveDirectoryIDStore.so
libCryptoLib.so
libCryptoLib.so.sign
libDictionary3.so
libeap.so
libeda.so.0
libIdentitySequenceWorkflow.so
libInternalIDStore.so
liblber-2.2.so.7.0.19
libldap-2.2.so.7.0.19
libLDAPIDStore.so
libLogging.so
liblrpc.so.0.0.0
libMessageCatalog.so
libRadiusAuthenFlow.so
libRadiusCommon.so
libRadiusRequestFlow.so
libTacacsAuthenFlows.so
libUserFailedAttempt.so
libUserFailedAttemptEvent.so
libUserFailedAttemptFlow.so
mgmt.sh
PI.war
restore.sh
rt_daemon
start_acs_cli.exp

Prerequisites
=============
This is a patch for release ACS 5.2.0.26.5.
ACS 5.2.0.26 must be installed before installing this patch.
Other prerequisites are the same as for ACS 5.2.0.26 (FCS version).

What the Patch Fixes
====================
The patch fixes for the DDTS:

- CSCth82664 ACS DB need to be compressed as a maintenance operation
  This fix introduces a new CLI command in acs-config mode that should be used only on the primary node.
  The CLI command: 'acs-config database-compress [truncate_log]'
  This maintenance operation compresses the ACS DB by rebuilding each table in the database and releasing unused space. The command also has an option to release the replication transaction table.
  Before initiating the command, move all the secondary nodes to local mode. Then initiate the command on the primary node. When the DB compress has completed and all the services are up, reconnect the secondary nodes one by one. On reconnection of each secondary, a full sync between the primary and the secondary is initiated automatically.

- CSCth78269 ACSTRANSACTIONS table is not cleaned properly during bulk operations
  The cleaning of the ACS transaction table (a table which keeps configuration change logs) was changed to be more aggressive. Only the last 2k configuration transactions are kept.

- CSCsu69983 Restoring a configuration disconnects deployment and causes replication
  In a distributed setup, when the customer restores a backup from the CLI, a warning message is shown and each secondary must be configured to reconnect with the primary.

- CSCti90973 Adding "User is in management hierarchy" flag to T+ authorization policy
  In this solution a hierarchical label is assigned to each device that represents the administrative location of this device within the organization's management hierarchy. For instance, "All:US:NY:MyMgmtCenter" denotes that the device is in "MyMgmtCenter", which is in NY, which is in the US. Permissions are granted to the user based on their assigned level within the management hierarchy. For instance, if a user has an assigned level of "All:US:NY", that user will be granted permission when accessing through any device with a hierarchy that starts with "All:US:NY". The following sections describe in detail how to configure this solution.

- CSCtg87278 ACS not able to establish SSL tunnel with LDAP server with CRL verification
  This fix allows establishing an SSL tunnel with an LDAP server with CRL verification.

- CSCth62139 ACS authentication rate decreases with internal user attributes
  The fix includes 2 parts:
  1. Read only attribute values from the request from the DB (without user information - UserName, Password, EnablePassword, LastLoginTime etc.).
  2. Check the default attribute value without a try-catch mechanism.

- CSCti68031 ACS5 sees DC= in the certificate subject as invalid DN
  With this fix DC= is allowed as part of the certificate subject when generating a certificate signing request.

- CSCti42591 NDG Locations disappeared from GUI
  This fix enables the NDG locations to appear in the NDG GUI even after adding an attribute named 'location' for internal users.

- CSCtk32073 Network Device Groups are not evaluated properly in Device Filters
  The fix is in Device Filter creation. Therefore Device Filters already created with ACS 5.2 before patch 3 should be removed and created again.

- CSCsz74681 Distribution Management MGM REPLICATION Execute failed
  There was a mismatch in the transaction sequence while adding or updating some configuration, which resulted in replication failure on the secondary. The fix stores the records in sequence, which resolves the replication failure caused by the transaction mismatch.

- CSCtk96981 import process fails with FATAL error after importing high volume of devices
  When importing Network Devices into ACS 5.2 via the CLI, the import failed after processing a few requests, and no log file was generated in the repository with the failure reason (such as "More than one row with the given identifier was found"). After this fix the import process no longer fails and the log file is generated in the repository.

The patch version will be displayed as:

  #show application version acs

  Cisco ACS VERSION INFORMATION
  ---------------------------------------------
  Version : 5.2.0.26.5
  Internal Build ID : B.3075
  Patches : 5-2-0-26-5

Instructions on how to install the patch
========================================
1. Open the CLI console.
2. Define a new repository in which the 5-2-0-26-5.tar.gpg resides.
3. Issue: 'acs patch install 5-2-0-26-5.tar.gpg repository YOUR_REPOSITORY'
4. Verify the installation by getting the following version information via the CLI, by issuing:

  #show application version acs

  Cisco ACS VERSION INFORMATION
  -----------------------------
  Version : 5.2.0.26.5
  Internal Build ID : B.3075
  Patches : 5-2-0-26-5

Instructions on how to remove the patch
========================================
1. Open the CLI console.
2. Issue: 'acs patch remove 5-2-0-26-5'
3. Verify the patch removal by getting the following version information via the CLI, by issuing:

  #show application version acs

  Cisco ACS VERSION INFORMATION
  =============================
  Version : 5.2.0.26
  Internal Build ID: B.3075
  Patches:

=======================================================================
Copyright (C) 2011 Cisco Systems, Inc. All rights reserved.
Cisco and Cisco Systems are registered trademarks of Cisco Systems, Inc., in the U.S. and certain other countries.
All other trademarks mentioned in this document are the property of their respective owners.
=======================================================================
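The "User is in management hierarchy" check described under CSCti90973 above, modelled as an added example that is not Cisco's code: device labels, user levels and hostnames are constructed sample values, and the comparison is done segment by segment (an assumption made here, so that a user at "All:US:NY" covers "All:US:NY:MyMgmtCenter" but not "All:US:NYC:Branch", which a plain string prefix test would wrongly accept).

```python
# Added example (not Cisco's code): models the CSCti90973 hierarchy condition.
# Labels and names below are constructed sample data; the segment-wise match
# is an assumption so that "All:US:NYC" is not treated as under "All:US:NY".

def split_label(label: str) -> list[str]:
    """Split a hierarchy label such as 'All:US:NY:MyMgmtCenter' into segments."""
    parts = label.split(":")
    if any(p == "" for p in parts):
        raise ValueError(f"malformed hierarchy label: {label!r}")
    return parts


def user_in_management_hierarchy(user_level: str, device_label: str) -> bool:
    """True when the device label starts with the user's level, whole segments only."""
    user_parts = split_label(user_level)
    device_parts = split_label(device_label)
    return device_parts[: len(user_parts)] == user_parts


# Constructed stand-ins for the ACS network-device and internal-user configuration.
DEVICES = {
    "nyc-core-sw1": "All:US:NY:MyMgmtCenter",
    "nyc-edge-rt1": "All:US:NYC:Branch",
    "sfo-core-sw1": "All:US:CA:SanFrancisco",
    "lon-core-sw1": "All:UK:London",
}

USERS = {
    "ny-admin": "All:US:NY",
    "us-admin": "All:US",
    "global-admin": "All",
}


def authorize(user: str, device: str) -> bool:
    """Apply the hierarchy condition to a TACACS+ authorization request."""
    return user_in_management_hierarchy(USERS[user], DEVICES[device])


def devices_for(user: str) -> list[str]:
    """List the devices a user may administer under the hierarchy rule."""
    return sorted(d for d in DEVICES if authorize(user, d))


if __name__ == "__main__":
    for u in USERS:
        print(f"{u}: {devices_for(u)}")
```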