This section provides additional information about the new features provided in Identity Manager 8.1, and the information is organized into the following sections:
Beginning with the release of Identity Manager 7.1 Update 1, updates containing major and critical customer-reported bug fixes are now delivered through a patch process, which replaces the older hot-fix process.
Patches are developed, tested, and released in six-week intervals. These patches have a GUI installer as well as a manual installation option, and they update the files in /WEB-INF/lib. Instructions for installing the patch will be included in the patch Release Notes, which are distributed in PDF format. Any fixes to the Gateway or to Password Sync will be described in the Release Notes and will require updating with the installation of the patch.
Identity Manager patches are cumulative, so you can expect fewer problems with unique fixes. You should plan to update to the latest patch level when installing or upgrading to a major or minor release. For example, if patch 3 is available when you install or upgrade to 8.1, you should apply patch 3 after installing or upgrading to 8.1. You would not be required to install patches 1 and 2 because patch 3 contains all the functionality in the previous patches.
The patch process also makes it easier for you to track a fix by its actual bug number. However, it is still possible that a fix made against an older version may not yet be available in a newer version. Regardless of which process your current version of Identity Manager follows, you must confirm that the new, target Identity Manager version contains all of the bug fixes that you need.
When a new patch is released, an announcement is sent to all of customer support. Patches are available through customer support. Please contact Sun customer support at http://www.sun.com/service/online/us for the latest patch available.
Identity Manager 8.1 provides the following major new features:
This feature provides Identity Manager with the functionality to manage provisioning and auditing for applications in the enterprise that are not directly connected to Identity Manager through a resource adapter. This includes non-digital external resources such as laptops, cell phones, and security badges. Provisioning external resources via Identity Manager will result in one or more provisioners being notified via email or through Remedy Help Desk 6.3 notifications.
The Connector Framework provides a new way to connect Identity Manager to target applications through the use of a connector. Identity Connectors and the Framework are part of an open source initiative that offers a generic and consistent way to provision resources with Identity Manager. Connectors have been decoupled from the core Identity Manager server, enabling them to be released independently of Identity Manager builds. In addition to the open source project website where additional connectors will be available for download, Identity Manager comes with the following supported connectors:
Microsoft Active Directory 2003 and 2008
See the open-source project website, https://identityconnectors.dev.java.net/ for more information.
Additional connectors will be added in the near future.
This integration focuses on Sun Role Manager versions 4.1.3 and higher. Identity Manager forms can now directly invoke Role Manager web services to notify and invoke roles operations on users. The Identity Manager Data Exporter already allows Role Manager to retrieve Identity Manager's users and roles; the latest 8.1 data exporter now provides:
Capabilities information that will enable better user mining.
Resource schema which will be leveraged in future Sun Role Manager versions.
Identity Manager uses JMX MBeans to provide performance data for the List, Create, Get, Modify, Delete and Authenticate operations. The following data are collected:
Count of operation
Moving Average time per operation
Minimum time per operation
Maximum time per operation
Collection start time
Resource Adapter class and version
Identity Manager supports the Advanced Encryption Standard (AES). AES is a symmetric key encryption technique that can be used instead of Data Encryption Standard (DES). AES is commonly used by government applications to protect data.
This feature offers a standard non-repudiation mechanism using the W3C XML Signature Syntax and Processing (XMLDSig). This enhancement provides the ability to create, store and display work item approvals in an XMLDSig format. This format also optionally allows the inclusion of RFC 3161–compliant time stamps.
Support for SPML2.0 has been enhanced. Identity Manager supports the search capability. In addition, audit logging is now supported.
Updated the Checkbox, Label, Radio, Select, Text, TextArea, and Container user interface components to properly render custom CSS styles. Previously, only the Button element would display custom styles. (ID-15025)
You can now configure custom classes on the debug trace page. (ID-15490)
Selecting one or more users and then going to the next page no longer causes you to lose those selections when performing a multiple user action. (ID-15529)
The Login page does not remove spaces from password input boxes when you specify noTrim='true' in the AuthnProperty name='password' XML element. You can apply noTrim='true' on any other AuthnProperty. (ID-16434)
The size of the guidance help image can now be configured in the customStyle.css stylesheet. (ID-17360)
The version information that is displayed in the administrator interface by hovering over the Help button can be disabled by adding a new custom message catalog key UI_VERSION. Set the value to an empty string in a custom message catalog. (ID-17507)
The end user dashboard (home) page now displays the user's full name rather than the accountId. This can be modified by customizing the End User Dashboard form rather than changing a JSP. (ID-19006)
You can now set a list of IDs called saveNoValidateAllowedFormsAndWorkflows in the security attribute in the System Configuration object. When present, Identity Manager allows only forms and workflows in the list to be processed as a SaveNoValidate action. All other forms and workflows will be processed as a Save. If the list is not present, the behavior remains the same (that is, all forms and workflows can be processed as SaveNoValidate). (ID-19115)
Bulk operations can now provision for users with multiple accounts on a resource. (ID-13160)
Added the ability to unassign or unlink an account (using bulk operations) from a resource that had been configured as “read-only” (all resource features allowing update of accounts are disabled). Note that this is only possible using bulk operations. Previously, an attempt to unassign/unlink an account from a read-only resource would return an error indicating the resource does not exist. (ID-19048)
Added the option to page approval workitems to avoid page timeouts. (ID-18544) The approval.jsp page now accepts the following properties:
Paging. If present, enables paging.
MaxRows. The number of rows to display on each page.
orderBy. A sorting parameter.
Modify the WorkItemList form by adding the following fields:
<Field name='PagingButtons'>
  <Display class='ButtonRow'>
    <Property name='align' value='right'/>
  </Display>
  <Disable>
    <not>
      <ref>viewOptions.Paging</ref>
    </not>
  </Disable>
  <Field name='action'>
    <Display class='Button'>
      <Property name='command' value='Recalculate'/>
      <Property name='label' value='&lt;&lt;'/>
      <Property name='value' value='first'/>
    </Display>
  </Field>
  <Field name='action'>
    <Display class='Button'>
      <Property name='command' value='Recalculate'/>
      <Property name='label' value='&lt;'/>
      <Property name='value' value='previous'/>
    </Display>
  </Field>
  <Field name='action'>
    <Display class='Button'>
      <Property name='command' value='Recalculate'/>
      <Property name='label' value='&gt;'/>
      <Property name='value' value='next'/>
    </Display>
  </Field>
  <Field name='action'>
    <Display class='Button'>
      <Property name='command' value='Recalculate'/>
      <Property name='label' value='&gt;&gt;'/>
      <Property name='value' value='last'/>
    </Display>
  </Field>
</Field>
The Multi Approval workflow process has been enhanced to support automatic conversion of a list of approvers to a list of approverObjects used for generating approval work items. (ID-19238)
The Sun Identity Manager documentation set has been reorganized. The following major changes have been made:
The Administration book has been reorganized into two new books: a Business Administrator's Guide and a System Administrator's Guide
The contents of the Tuning, Troubleshooting, and Error Messages book have been moved to the new System Administrator's Guide
The SPML chapters in the Deployment Tools book are now located in the new Web Services Guide, and the Deployment Tools book has been dropped from the documentation set
The Technical Deployment Overview book is now named the Deployment Guide
The Workflows, Forms, and Views book is now named the Deployment Reference
The documentation set includes a new title: Sun Identity Manager Overview
See the Related Books section of the Preface for a complete list of Sun Identity Manager titles.
Corrections and updates to Sun Identity Manager publications are now posted to the Identity Manager Documentation Updates website:
An RSS feed reader can be used to periodically check the website and notify you when updates are available. To subscribe, download a feed reader and click a link under Feeds on the right side of the page. Starting with version 8.0, separate feeds are available for each major release.
The database upgrade scripts add an index to the ownerId column of the accounts table. An upgrade of an installation with many accounts will take significant time to process the database upgrade script due to the creation of a new index on a large table. (ID-19314)
A problem with out-of-memory exceptions during upgrades has been fixed. Previously during upgrades, the Java VM maximum heap size was hardcoded to 256 MB. This hardcoded value has been removed. (ID-19407)
Now it is possible to set the JAVA_OPTS environment variable to a custom value. If no value is provided, a default value of 1024 MB is used.
To define the maximum heap size value, set the JAVA_OPTS environment variable using the form -XmxHeapSize where HeapSize is a value, such as 512m. An example is -Xmx512m.
Email notifications sent from PasswordSync now use UTF-8 encoding for the sender name, the subject, and the body of the email. All other header parts are encoded using plain ASCII as required by the email RFCs. (ID-14120)
Note that email notifications that use non-ASCII characters might not display correctly in all mail clients or on all operating systems.
Passwords containing spaces are now encrypted and decrypted correctly. (ID-17670)
If you are upgrading from 8.0 through 220.127.116.11 or 7.1.1 through 18.104.22.168 or prior to 7.1, you must re-install all instances of Password Sync and gateways.
PasswordSync now supports Windows Server 2008 (32 and 64-bit versions). (ID-18342)
Two new settings have been added to the Windows registry and the installer GUI to allow configuration of certificate behavior in PasswordSync. These settings replace the deprecated registry settings clientSecurityFlags and clientConnectionFlags. (ID-19140)
securityIgnoreCertRevoke. If set to 1, ignore certificate revocation errors.
securityAllowInvalidCert. If set to 1, allow certificates that fail safety checks.
PasswordSync's internal checks have been extended to guard against illegal values passed in as part of a password change that could cause a crash. (ID-19291)
The PasswordSync installer has been enhanced to allow for recording configuration parameters to a file during an install. Future installations can reference the file and replay the configuration settings. This allows all subsequent PasswordSync installations to be installed and configured silently. (ID-19311)
Deadlocks no longer occur over access to the authenticate cache. (ID-16926)
Improved the performance on the Create and Edit User pages. (ID-17066)
Identity Manager no longer by default checks all the users in an organization before determining whether an administrator has the rights and permissions to delegate a work item to a user. To revert to the previous default behavior, add the following statement to the account/modify.jsp file.
If OP_CALL_DELEGATORS_AVAILABLE_USERS is set to true in the DelegateWorkItemsViewer, then Identity Manager searches through users to check whether the administrator has the permission to see users.
For a user with a dynamically rule-assigned admin role, the user's context is now passed as an argument during login. (ID-17964)
Performance has improved during logins to the Identity Manager User Interface when assigned resources have a display name attribute other than accountId defined. (ID-18885)
Added the Next password policy. In this policy, if the user answers incorrectly, Identity Manager displays the next question until the user answers an authentication question correctly and logs in, or is locked out based on the specified failure attempts limit. (ID-17307)
The contents of the Violation State of Violation Summary Report can now be localized. (ID-17011, 17042)
Reports can now be generated in landscape orientation as well as the default portrait orientation. In addition, the page size can be specified as legal as well as the default letter. (ID-17649)
Identity Manager now supports MySQL 5.0.60 SP1 Enterprise Server as a production repository. (ID-17735, ID-19703)
You can now use MySQL 5.1.30 Enterprise Server as your Identity Manager production repository, but you might need to make a change to your my.cnf file. Due to recent changes in MySQL's InnoDB code, the default binary logging format is now STATEMENT. Identity Manager uses a READ-COMMITTED transaction isolation level, so binary logging in STATEMENT mode produces an error similar to the following (ID-20460):
com.waveset.util.IOException: java.sql.SQLException: Binary logging not possible. Message: Transaction level 'READ-COMMITTED' in InnoDB is not safe for binlog mode 'STATEMENT'
If you enable binary logging, set the mode to MIXED by adding the following line to your my.cnf file:
With this configuration change, you can use 5.1.30 as your repository without the binary logging exception. For more details, see MySQL bug #40360.
The Identity Manager Repository has been changed to work around MySQL defect 9021. The Repository's MysqlDataStore now generates a separate, named JOIN for each attribute condition. (Previously, the MysqlDataStore in some cases used SUBSELECTs and the EXISTS predicate.) (ID-15636)
The usage output for the setRepo command has been updated. The usage now lists -o as an option and explains that -o causes setRepo not to perform an initialization check on the new repository location. The usage also now shows the -U and -P flags in examples of direct JDBC connections. (ID-19475)
Netegrity SiteMinder 6.0 is now supported. Proper configuration of the PolicyServer and WebAgent for SiteMinder are necessary for the adapter to function correctly. (ID-6478)
The Active Directory resource adapter now provides a Home Directory Rights resource attribute that controls permission inheritance and the level of permission for the home directory. The default value is 0. A value of 0 indicates that it will not inherit and the user's permission will be FULL control. A value of 1 indicates that the permissions will be inherited and the user's permission will be FULL control. A value of 2 indicates that the permissions will not be inherited and the user's permission will be MODIFY control. A value of 3 indicates that the permissions will be inherited and the user's permission will be MODIFY control. MODIFY control consists of the rights: FILE_GENERIC_WRITE, FILE_GENERIC_READ, FILE_EXECUTE and DELETE. (ID-12881, 19706)
The database table resource adapter can now process a database column that is mapped to the accountId attribute and has a data type of integer. (ID-13362)
The LDAP resource adapter now synchronizes entries only under the predefined base contexts. (ID-15389)
Added the "Respect resource password policy change-after-reset" resource parameter to the LDAP resource adapter. When this option is enabled, and this resource is specified in a Login Module, and the resource's password policy is configured for change-after-reset, a user whose resource account password has been administratively reset will be required to change that password after successfully authenticating. (ID-16255)
In this release, this behavior is available only for those LDAP servers that return the "Netscape Password Expired" (unsolicited) response control (OID 2.16.840.1.113730.3.4.4) with the response to a successful bind operation. The combination of the successful bind attempt and the control is interpreted to mean the user's password has been administratively reset and must be changed. An LDAP server implementing the password policy change-after-reset feature will allow a user with a reset password that has successfully authenticated only to change the password; any other operation is rejected.
Furthermore, because Identity Manager performs all LDAP resource operations other than pass-through-authentication using an LDAP resource administrator account, certain LDAP servers will consider any user's password modification attempt as an administrative reset and never clear that status from the user's account. Such LDAP servers include:
Sun Java Systems Directory Server 5.x configured to use rootDN (typically cn=directory manager) as the resource adapter connection account
Sun Java Systems Directory Server 5.2 with passwordNonRootMayResetUserpwd:on.
Sun Java Systems Directory Server 6.0 and later (including OpenDS)
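The change-after-reset rule described above (a successful bind that also carries the "Netscape Password Expired" control), shown as an added example that is not Identity Manager code: it parses a BER-encoded LDAP BindResponse and classifies it. The function names are hypothetical, the sample messages are constructed, and the control OID is assumed to be 2.16.840.1.113730.3.4.4.

```python
# Added example, not Identity Manager code. Function names are hypothetical.
PASSWORD_EXPIRED_OID = "2.16.840.1.113730.3.4.4"  # Netscape Password Expired control

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_bind_response(message):
    """Return (resultCode, [control OIDs]) for one LDAPMessage."""
    tag, body, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    parts = children(body)  # messageID, protocolOp, optional [0] controls
    if len(parts) < 2 or parts[1][0] != 0x61:  # 0x61 = [APPLICATION 1]
        raise ValueError("protocolOp is not a BindResponse")
    fields = children(parts[1][1])
    if not fields or fields[0][0] != 0x0A:  # resultCode is ENUMERATED
        raise ValueError("BindResponse has no resultCode")
    oids = []
    for tag, val in parts[2:]:
        if tag != 0xA0:  # only the [0] Controls element is of interest
            continue
        for ctag, cval in children(val):  # each Control is a SEQUENCE
            ctl = children(cval)
            if ctag == 0x30 and ctl and ctl[0][0] == 0x04:
                oids.append(ctl[0][1].decode("ascii"))
    return int.from_bytes(fields[0][1], "big"), oids

def classify_bind(message):
    """Apply the rule from the text: success plus control means reset password."""
    code, oids = parse_bind_response(message)
    if code != 0:
        return "bind-failed"
    if PASSWORD_EXPIRED_OID in oids:
        return "must-change-password"
    return "authenticated"

def tlv(tag, value):
    """Encode one short-form BER element (sample data only, under 128 bytes)."""
    return bytes([tag, len(value)]) + value

def sample_response(result_code, control_oid=None):
    """Build a constructed BindResponse, optionally carrying one control."""
    op = tlv(0x61, tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b""))
    controls = b""
    if control_oid:
        control = tlv(0x30, tlv(0x04, control_oid.encode("ascii")) + tlv(0x04, b"0"))
        controls = tlv(0xA0, control)
    return tlv(0x30, tlv(0x02, b"\x01") + op + controls)

if __name__ == "__main__":
    for m in (sample_response(0), sample_response(0, PASSWORD_EXPIRED_OID)):
        print(m.hex(), "->", classify_bind(m))
```

Only the success-plus-control case is treated as a forced change; a failed bind is reported as a failure whether or not the control is attached.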
The Domino resource adapter now supports the group provisioning ObjectType, implementing the ObjectFeatures create, delete, list, rename, saveas and update. (ID-16422)
The SecurId resource adapter supports account renames. (ID-16517)
The SAP resource adapter has been updated to handle CUA in a more robust manner. With the new forms and code changes, Identity Manager users can change CUA child systems as well as roles and profiles for those child systems on a SAP user basis. (ID-16819)
The characteristics of the profiles and activityGroups account attributes have changed. Both of these attributes now have a data type of complex. The profiles attribute now maps to the PROFILES resource user attribute, while the activityGroups attribute now maps to the ACTIVITYGROUPS resource user attribute.
Load the $WSHOME/web/sample/updateSAPforCUA.xml file to update these changes on your SAP resource adapters. New SAP resources contain these attributes, unless you create the resource by copying an existing resource that has not been updated.
Identity Manager now detects and traps Domino denial-of-service errors. (ID-16911)
The WRQ Attachmate 3270 Mainframe Adapter for Sun is supported. Refer to the Resource Reference for details on setting up this product. (ID-17031)
Linux resources support using sudo to manage the /usr/bin/chage command. (ID-17119)
Added support for Lotus Notes/Domino 8.0. (ID-17213)
The Scripted Gateway adapter now supports password synchronization. (ID-17813)
The Oracle ERP resource adapter now allows EMPLOYEE_NUMBER to contain both alphabetic and numeric characters. (ID-18239)
The OS400 resource adapter now supports special characters in passwords. (ID-18412)
Added the RACF Case Insensitive Excluded Resource Accounts and RACF_LDAP Case Insensitive Excluded Resource Accounts sample exclusion rules. These are defined in the sample/wfresource.xml file.
The MySQL resource adapter has been updated to inherit from the JdbcResourceAdapter. Existing MySQL resource attributes will be updated automatically. (ID-18835)
The Windows NT resource adapter is supported again. It is no longer deprecated. (ID-19170)
The LDAP resource adapter has a new Use Paged Result Control configuration parameter. When you enable this parameter, which is disabled by default, Identity Manager uses Paged Result Control instead of VLV Control for the Account Iterator in Reconciliation. Using the Use Paged Result Control configuration parameter improves performance as long as your LDAP resource adapter supports simple paging control. (ID-19231)
Added the Objecttypes to read from SAP HR resource parameter to the SAP HR adapter to allow processing of the organization IDOCs from SAP HR. This is a multi-valued attribute which currently supports the values of "P", "CP", "S", "C" and "O". (ID-19286)
The OracleERP resource adapter now supports an option that suppresses Identity Manager's ability to prepend the administrator user's schema identifier (such as APPS) to the names of Oracle EBS administrative tables (such as FND_USER, FND_VIEWS, and so forth). This option is provided through a new resource attribute with the Do Not Use Schema Identifier display name, and the default value is FALSE. If you change this value to TRUE, the adapter can no longer prepend the schema identifier to administrative table names. (ID-19352)
The Active Directory adapter now supports the inetOrgPerson object class and other object classes derived from the user object class. (ID-19399)
Added the Maintain LDAP Group Membership parameter to the LDAP adapter to control whether Identity Manager or the LDAP resource is responsible for maintaining LDAP group membership when a user is renamed or deleted. (ID-19463)
Added the resource parameter ERROR_CODE_LIMIT to the Shell Script resource adapter. This parameter allows you to determine which return code is an error. (ID-19858)
The SecurId adapters now support the following features: (ID-18665, 18671, 18672, 18673, 18676, 18677, 19726)
Edit the user's first name, last name, and default shell.
Fetch all valid ACE groups from the ACE server
Search on an ACE group and return all users in that group.
Fetch a list of all defined ACE agents from the ACE Server.
Show all the groups that are activated on an ACE agent.
Fetch all the Administrators and their Admin Level.
The gateway now supports the AES cipher in 128-bit, 192-bit and 256-bit keys for communication with the Identity Manager server. (ID-19738)
Identity Manager now recognizes the assignment of a UserForm through an Admin role when the Admin role is controlling a dynamic organization and the user is edited through the Find User page. (ID-18028)
The optional noroleconfigurationupdate argument to RoleUpdater can be specified during upgrades to bypass modifying the RoleConfiguration object to indicate if pre-8.0 roles will be allowed to be directly assignable to users. Setting this value to "true" will bypass the test to see if this change is necessary. (ID-18483)
All RoleAttribute logic is now case-insensitive. (ID-18766)
Report results now are available to a subject's organization and admin roles. (ID-19736)
IDM 8.1 supports several new encryption options. (ID-16979, 17789)
For encryption of server encryption keys, added support for PBE with AES (ECB mode) using a 256-bit key. This new option is similar to the existing PBE with DES mechanism but uses AES as the underlying cipher.
For both data in the repository and for gateway communications, added support for AES with 128-, 192-, and 256-bit keys (ECB mode).
Changed the "Manage Server Encryption" task as well to accommodate this new functionality.
Some of these new options require additional install and/or configuration steps as detailed in the Administrator's Guide.
Added a new "Login Recovery" authentication alternative to the "Forgot Password" security questions based login. (ID-18052)
Identity Manager now supports XMLDSIG format signed approvals. Previously, signed approvals were stored in the Identity Manager audit log in a proprietary format. This enhancement allows such approval records to be stored in an XMLDSIG standards compliant format thus offering better interoperability. Also supported is the ability to include an RFC 3161 compliant digital time stamp retrieved from an external time stamp authority. (ID-19011)
When pass through authentication is enabled, the change password functionality works correctly when a user's resource password has expired and the Identity Manager account ID and resource account ID are different. (ID-19218)
Fixed multiple cross-site request forgery (CSRF) vulnerabilities. (ID-19280, 19659, 19660, 19661, 19683, 20072) Any customizations to the includes/headStartUser.jsp and user/userHeader.jsp files must be manually updated.
Improved performance for dynamic organizations. The Waveset.properties file now contains several properties that define how Rule-Driven Members lists are cached. (ID-19586)
You can configure the Service Provider end-user pages to force your servers to always process page requests using HTTPS. (ID-18509)
The SourceAdapterTask can now be run by an administrator other than Configurator. (ID-15299) To specify a different administrator, add the following to the system configuration object:
<Attribute name='sources'>
  <Object>
    <Attribute name='hosts'/> <!-- any host is the default -->
    <Attribute name='subject' value='Configurator'/>
  </Object>
</Attribute>