Secure Configuration Manager 7.1 Service Pack 1 Release Notes

March 2019

Secure Configuration Manager 7.1 SP1 includes product upgrade and resolves previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Secure Configuration Manager forum, our community website that also includes product notifications, blogs, and product user groups.

The documentation for this product is available in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Secure Configuration Manager Documentation page. To download this product, see the Secure Configuration Manager Product Upgrade website.

1.0 What’s New?

1.1 Open JDK

Secure Configuration Manager 7.1 SP1 replaces Oracle JDK with Azul Zulu OpenJDK, an open source alternative. This change does not have any functional impact. However Secure Configuration Manager, Micro Focus will no longer provide additional Oracle JDK updates for Secure Configuration Manager. Therefore, if there are security vulnerabilities or other bugs related to Oracle JDK, the primary solution is to upgrade to 7.1 SP1 or later.

1.2 SCAP 7.1.1 Module for Agents

The SCAP 7.1.1 Module for Agents no longer bundle Java. You must download Java 8 or later on your computer, if you want to use SCAP Windows Agent 7.1.1 or SCAP UNIX Agent 7.1.1 with Secure Configuration Manager 7.1.1.

Security Agent for Windows:

If you are using the SCAP Windows Agent with Secure Configuration Manager 7.1, you can upgrade the SCAP Windows Agent to 7.1.1. Upgrade the agent by using the Scap_Windows_Agent_7.1.1.0.msp file on the systems running the SCAP Windows Agents.

Security Agent for UNIX:

If you are using the SCAP UNIX Agent with Secure Configuration Manager 7.1, you can upgrade the SCAP UNIX Agent to 7.1.1. Upgrade the agent by using the file on the systems running the SCAP UNIX Agent.

For more information on upgrading the SCAP 7.1.1 Module for Agents, see the Installing or Upgrading the SCAP Module steps in the Secure Configuration Manager SCAP Module Installation & Configuration Guide .

1.3 Software Fixes

Cannot Download Large PDF Reports

Issue: Web console runs out of memory while downloading large PDF reports.

If you run a policy template that contains a large number of security checks against a large number of endpoints, the report in PDF format might contain hundreds of pages. The Web console cannot download such a large PDF file. (Bug 1087584)

Fix: The report now downloads.

Windows Console Login Fails with TLS 1.2 Enabled

Issue: Logging in to the Windows Console fails if you are using TLS 1.2 with Secure Configuration Manager. (Bug 1122755)

Fix: The Windows Console now communicates using TLS 1.2. To make the appropriate Microsoft SQL driver changes, see the Knowledgebase Article 7023700.

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see the following resources:

3.0 Security Agent Requirements

This release supports the following security agent versions:

Security Agent for UNIX

7.6, 7.6.1

Security Agent for Windows

7.1, 7.0

4.0 Upgrading to This Release

You can upgrade to Secure Configuration Manager 7.1 SP1 from version 7.1.

For more information, see Upgrading in the Secure Configuration Manager Installation Guide.

4.1 Considerations for Upgrade

Before upgrading to this version, review the considerations for the following components and features:

Using TLS 1.2 with Secure Configuration Manager

You can upgrade only with TLS 1.0 enabled. However, if you have TLS 1.2 enabled, perform the following steps:

  1. Disable TLS 1.2.

  2. Enable TLS 1.0.

  3. Restart your computer.

  4. Upgrade to Secure Configuration Manager 7.1 SP1.

  5. Enable TLS 1.2.

  6. Restart the computer.

In a distributed environment, restart the Secure Configuration Manager related services. For example, restart the Dashboard services.

IMPORTANT:After you enable TLS 1.2, Secure Configuration Manager does not work on FIPS mode. There is no workaround for this issue.

Using a Domain User Account to Perform a Upgrade

You can upgrade Secure Configuration Manager components as a member of the computer’s Administrator group. You must run all the patch installers (.msp files) with administrative rights by using the command prompt. (Bug 1098523)

Upgrading on Windows 10

Security settings on Windows 10 computers might prevent you from starting the Secure Configuration Manager upgrade. The launch might either fail with an error indicating that another user canceled the operation, or fail without displaying any error. (Bug 1069836)

To upgrade on Windows 10, complete one of the following steps:

If you have not downloaded the installation files to the computer

Have your system administrator enable Do not preserve zone information in file attachments in the gpedit.msc group policy on the desired computer. Then download and perform the upgrade.

If you already downloaded the MSP files to the computer

Manually modify the MSP files.

  1. Right-click the file, then select Properties.

  2. In the General tab, select Unblock.

For more information, see the following explanations of this Microsoft issue:

Discovered Systems

The upgrade process removes all existing records from the Discovered Host table in the database. This means that the upgrade also removes all systems from the Discovered Systems content pane.

  • After you successfully upgrade Secure Configuration Manager and register your agents, the Asset Details and Discovery job automatically add application endpoints discovered on currently registered Windows and UNIX systems.

    To manually repopulate Discovered Systems with unmanaged systems, update the Discovery settings in the Core Services Configuration Utility, and then initiate the discovery process. For more information about discovery, see the Help and the User’s Guide for Secure Configuration Manager.

  • To discover systems in Active Directory, you must update the settings on the Discovery tab of the Core Services Configuration Utility.

Using Microsoft SQL Server with Secure Configuration Manager 7.1.1

Secure Configuration Manager 7.1 fails to import security checks and policy templates. This happens when Secure Configuration Manager 7.0 is installed with latest service packs of Microsoft SQL Server 2008, 2012, or 2014, or with Microsoft SQL Server 2016. Perform the steps mentioned in the Knowledgebase Article 7023551, before you upgrade to Secure Configuration Manager 7.1.1. (Bug 1116496)

5.0 Known Issues

Mirco Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Issues that Affect Only the Web Console

The following issues apply only to the Web console, which this release introduces:

Displays an Erroneous Time for the Most Recent Change to a Batch-created Exception

Issue: When you view the details for a batch-created exception that has expired, the Web console erroneously updates the Date last modified. The time should reflect when the exception expired, which is midnight on the expiration date. Instead, the time corresponds with the moment that you refresh the page to view the details or run a policy template. (Bug 1099937)

Workaround: None.

Cannot Display Prediction Content in Internet Explorer 11

Issue: Microsoft Internet Explorer 11 does not support the underlying code that the Web console uses to display the Vulnerability and Compliance Prediction content in an assessment report. (Bug 1097429)

Workaround: To view the prediction content in an assessment report, use one of the other supported browsers, such as Google Chrome, Microsoft Edge, or Mozilla Firefox.

Some Security Checks Require the Wrong Parameter Value Type

Issue: In the Web console, the following security checks erroneously require you to specify an integer instead of alpha-numeric characters to indicate an enabled/disabled value for a parameter:


Security Check


FTP logging enabled


Ownership and permissions of files under /etc

Minimum Password length restrictions


Service status

User list by status

(Bug 1068913)

Workaround: When you run these security checks, enter 1 to represent enabled and 0 for disabled.

Alternatively, you can use the Windows console to run the security checks.

Anomalies when Viewing Jobs in Progress

The Web console might display the following anomalous behavior when you view a job that is in progress:

Fails to Display an Endpoint’s Status while the Job is in Progress

Issue: Some jobs might take longer than others to complete due to the number of security checks or endpoints being assessed. You can select a job that is still in progress to view its progress. However, the Web console might fail to display the status for one or more endpoints within the job. (Bug 1051613)

Displays an Erroneous Number of Endpoints

Issue: If you open a job that is in progress, the Web console might display an erroneous number of endpoints associated with the job. To determine the appropriate number of endpoints, check the value listed in the Name & Endpoints column of the Jobs > In Progress list. (Bug 1067395)

Workaround: None

Cannot View Delta or Task Reports

Issue: Although the Web console can display all jobs in the jobs queue for Secure Configuration Manager, The console cannot generate a report for tasks or delta reports.

Workaround: To view those reports, use the Windows console.

The Web console does provide enhanced views of assessment reports, as well as dynamic reporting. For more information, see the Help for the Web console and the User’s Guide for Secure Configuration Manager. (Bug 1069002)

Getting Started Tour Fails to Respond to Keyboard Arrow Keys

Issue: The Web console provides a Getting Started tour to help you explore new features in the product. To move from one page in the tour to the next, you must click the left or right arrows in the interface. The tour does not respond to presses of the keyboard arrows. (Bug 1069547)

Workaround: None.

Cannot View Some Reports Listed in the Jobs Queues

Issue: When you click View Report for a desired report, the Web console might display the following message:

Cannot display the report because it does not exist.

This message occurs in the following circumstances:

  • Someone deleted the report in the Web console. For example, a different user deleted the report, and your browser had not refreshed the list of reports.

  • The report existed in a previous version of Secure Configuration Manager. However, either no one had opened the report in that version or the report’s schedule expired before you upgraded to this release.

(Bug 1071856)

Workaround: Try opening the report in the Windows console. Once Secure Configuration Manager generates the report in the Windows console, you can view it in the Web console.

Internet Explorer 11 Might Fail to Display Icons in the Web Console

Issue: When you use Internet Explorer 11, the Web Console occasionally might fail to display icons or images. For example, the images that indicate Online and Offline endpoints might disappear. However, the text indicating the status of the endpoints continues to be visible. (Bug 1070011)

Workaround: If this issue occurs, clear the cache in Internet Explorer. Alternatively, use one of the other supported Web browsers, such as Firefox, Edge, or Chrome.

Cannot Use the Keyboard to View Charts in the Vulnerability & Compliance Prediction Tab

Issue: When you use the keyboard for navigation, the Vulnerability & Compliance Prediction tab in the assessment report fails to display the prediction chart and table for the selected endpoint. The console responds appropriately when you use the mouse to select the content. (Bug 1100180)

Workaround: None

Navigation Issues When Using a Screen Reader or the Keyboard

Issue: To support accessibility, you can use a screen reader or keyboard to navigate the Web console. However, some fields in the Web console might not behave as expected for your chosen navigation method.


  • To activate a dropdown menu, you might need to use the enter key rather than the spacebar key.

  • To select items in a dropdown menu, you might need to use the tab key, even though the screen reader prompts you to use the arrow key.

  • The screen reader cannot provide information about the contents of charts and graphs. However, it can read the legends associated with each chart or graph, which provide the same information in text format.

  • When you run a policy template or security check, you cannot use the keyboard to modify the Time Range value under Run Options.

(Bug 1069370, Bug 1068850)

Cannot Start Web Console while Core Services is Initializing

Issue: When you install Core Services, the initialization process for Core Services continues in the background even though you have completed and closed the installation program. A shorter initialization period occurs after you restart the NetIQ Core Services service.

If you attempt to launch the Web console before the initialization process completes, the console displays an error.

Workaround: You can refresh the page to establish a connection to Core Services. (Bug 1073053)

NOTE:The console can display some content without communication with Core Services. However, most content requires Core Services. For example, endpoint status.

Fails to Cancel All Selected Jobs

Issue: In the In Progress job queue, you can select multiple jobs then click Cancel to cancel the jobs. However, the Web console cancels only the most recent job. (Bug 1054179)

Workaround: To cancel jobs that are in progress, select only one job, then click Cancel. Then repeat the process for each job that you want to cancel.

Cannot Download SCAP Reports in PDF

Issue: Downloading SCAP reports fail with an error message Failed to download the report. Please try again..(Bug 1124750)

Workaround: Use Windows Console to download SCAP reports in PDF format.

5.2 Issues Related to Batch Exceptions

This release enables you to apply a batch-created exception that includes multiple policy templates for a particular set of endpoints or groups. This functionality works only in the Web console. In other Secure Configuration Manager components, the following issues might occur:

Exceptions Report Cannot List Some Exceptions Created in the Web Console

Issue: The Windows console does not support batch-created exceptions. Therefore, the Admin Report Exceptions, which you run in the Windows console, does not provide data about this type of exceptions.

NOTE:In the Web console, you can also create an exception within an assessment report. This exception applies only to the endpoints and security checks associated with that policy template run, which is similar behavior as creating an exception in the Windows console. The Exceptions report does include data for this type of exception, regardless of the console that created the exception.

Workaround: The Web console lists all exceptions, regardless of the console that created the exception. In the Web console, go to Utilities > Exceptions. Select all exceptions in the current tab, then click Export to CSV.

Dashboard Fails to Report the Number of Group Exceptions Applied

Issue: If you enable batch-created exceptions in the Web console, the Dashboard does not provide an indication that these exceptions exist. When you review an assessment report in the Dashboard, the GroupCheckExceptions field equals zero, rather than accurately reporting the number of exceptions that have been applied to the results.

Workaround: Disable batch-created exceptions. For more information, see Allowing Exceptions in the Web console in the Web console Help.

5.3 Sentinel Cannot Retrieve Event-only Data

Issue: Sentinel fails to retrieve the data when you configure Secure Configuration Manager to send events only. This issue occurs only when both Sentinel and Secure Configuration Manager are in FIPS mode.

Workaround: For more information about configuring FIPS mode, see Enabling FIPS Communication in the User’s Guide for Secure Configuration Manager. (Bug 1068366)

5.4 Core Services Log Lists Erroneous Windows Version after Installation

Issue: If you install a Secure Configuration Manager component on a computer running Windows Server 2016, the Core Services log lists an erroneous version for the Windows platform:

System: Windows NT (unknown)

Secure Configuration Manager does know that the platform is Windows Server 2016. The log simply lists the incorrect version. (Bug 1065829)

Workaround: None.

5.5 Issues with Security Agent for UNIX and Change Guardian

The following issues occur if you use Security Agent for UNIX 7.5.1 (UNIX agent) or later with both Change Guardian 5.0 and Secure Configuration Manager, and you use Change Guardian AM to upgrade or install the UNIX agent:

Agent Registration Fails in a New Installation of the Agent

Issue: When you install Security Agent for UNIX 7.5.1 or later, as part of a new installation of Change Guardian 5.0 on the same computer as Secure Configuration Manager, the agent registration fails in Secure Configuration Manager because of the dynamic certificate changes. (Bug 1045613)

Workaround: To configure Security Configuration Manager server, see the Knowledge Base Article 7023134.

Agent Registration Fails after Upgrading the Agent

Issue: Secure Configuration Manager fails to register the UNIX agent if you upgrade the agent to 7.5.1 or later using Change Guardian AM.

Workaround: Perform the following steps from UAM to re-register the UNIX agent in Secure Configuration Manager:

  1. Go to Configure > SCM Options.

  2. Click Configure.

  3. In the SCM Configuration window, ensure that the Core Services Address is same as the SCM Core IP Address, then click Save.

  4. Restart the agent service by selecting Stop and Start in the Agent Controls panel.


You can manually register the UNIX agent:

  1. Navigate to the /usr/netiq/bin file.

  2. Run the following command:

  3. To restart Secure Configuration Manager services, run the following command:

    #/etc/init.d/uvserv restart

5.6 Exporting Full Delta Reports to Microsoft Excel Format Fails

Issue: Secure Configuration Manager does not export full delta reports to Microsoft Excel format. (Bug 1001599)

Workaround: You can export delta reports in any other file formats such as .pdf, .tsv, .rtf, or .xml.

5.7 Problem with Clicking the Back Button While Upgrading in Distributed Setup

Issue: While upgrading Secure Configuration Manager to version 7.0 or later in the distributed setup in a computer where Core Services and the console are installed, the installation wizard displays incorrect screens if you click Back after the License Agreement screen. (Bug 994646)

Workaround: Cancel the upgrade process by closing the wizard, and start upgrading again.

5.8 Cannot Create, Install, or View Security Certificates Using the sslkey.bat File

Issue: You cannot create, install, or view security certificates in your Core Services computer by running the sslkey tool. Secure Configuration Manager displays an error when you run the sslkey.bat file. (Bug 971532)

Workaround: You can use any third-party tool to create, install, or view security certificates.

5.9 Weekly and Daily Scheduled Jobs Do Not Save and Apply the Updated Recurrence Time Schedule

Issue: When you edit an existing weekly or daily scheduled job for recurrence time schedule and save it, Secure Configuration Manager does not save and apply the updated recurrence schedule. The next run date is not updated as per the updated recurrence schedule. (Bug 971902)

Workaround: Delete the scheduled job you intend to update and create a new schedule job with the same parameters but with the new, intended recurrence time schedule.

5.10 Endpoint Registration Fails after Regenerating Crypto Keys

Issue: While registering or reregistering an endpoint, if you regenerate the crypto key for SSH, the registration fails. This occurs because the key is not replaced in the .ssh/known_hosts file. (Bug 860552)

Workaround: Delete the .ssh/known_hosts file and register the endpoint again.

5.11 Retry Option in the Installation Program Does Not Work on Windows 7 and Windows Server 2008 R2

Issue: When you try to uninstall a Secure Configuration Manager component using the installation program on a computer that has Windows 7 or Windows Server 2008 R2, and if some files that belong to the component are in use, the installation program displays a File in Use dialog box. If you click Retry in that dialog box, ideally uninstallation should not continue and the error message should persist, but uninstallation resumes. (Bug 893069)

Workaround: Install the Microsoft KB 2649868.

5.12 Issues with Check Output View when the Data is High

Issue: The check output view in Secure Configuration Manager reports has the following issues when the amount of the data is high:

  • The output view is incomplete.

  • The scroll bar function is not supported.

(Bug 852044)

Workaround: There is no workaround at this time.

5.13 Standalone AutoSync Service Does Not Run After Upgrade

Issue: In Secure Configuration Manager 7.1, if the standalone AutoSync Client is not installed on the default location, upgrading the AutoSync Client fails to start the AutoSync service.

Workaround: Perform the steps mentioned in the Knowledgebase Article 7023534 before you upgrade the AutoSync Client.

5.14 Running the AIX 6.1 SCAP 1.1 Template Returns an Error Message

Issue: After downloading the AIX 6.1 SCAP 1.1 template, if you import it to Secure Configuration Manager and run on an AIX endpoint, Secure Configuration Manager returns an error message No data returned from scat.

Workaround: Perform an offline assessment with the AIX template, and manually import the report to Secure Configuration Manager. For more information about offline assessment see the Secure Configuration Manager SCAP Module Installation & Configuration Guide.