Sun Identity Manager 8.1 Release Notes

Chapter 3 Identity Manager 8.1 Features

This section of the Identity Manager 8.1 Release Notes provides information about

What's New in This Release

This section provides additional information about the new features provided in Identity Manager 8.1, and the information is organized into the following sections:

Sun's Patch Process

Beginning with the release of Identity Manager 7.1 Update 1, updates containing major and critical customer-reported bug fixes are now delivered through a patch process, which replaces the older hot-fix process.

Patches are developed, tested, and released in six-week intervals. These patches have a GUI installer as well as a manual installation option, and they update the files in /WEB-INF/lib . Instructions for installing the patch will be included in the patch Release Notes, which are distributed in PDF format. Any fixes to the Gateway or to Password Sync will be described in the Release Notes and will require updating with the installation of the patch.

Identity Manager patches are cumulative, so you can expect fewer problems with unique fixes. You should plan to update to the latest patch level when installing or upgrading to a major or minor release. For example, if patch 3 is available when you install or upgrade to 8.1, you should apply patch 3 after installing or upgrading to 8.1. You would not be required to install patches 1 and 2 because patch 3 contains all the functionality in the previous patches.

The patch process also makes it easier for you to track a fix by its actual bug number. However, it is still possible that a fix made against an older version may not yet be available in a newer version. Regardless of which process your current version of Identity Manager follows, you must confirm that the new, target Identity Manager version contains all of the bug fixes that you need.

When a new patch is released, an announcement is sent to all of customer support. Patches are available through customer support. Please contact Sun customer support at http://www.sun.com/service/online/us for the latest patch available.

Major Features

Identity Manager 8.1 provides the following major new features:

External Resource Management

This feature provides Identity Manager with the functionality to manage provisioning and auditing for applications in the enterprise that are not directly connected to Identity Manager through a resource adapter. This includes non-digital external resources such as laptops, cell phones, and security badges. Provisioning external resources via Identity Manager will result in one or more provisioners being notified via email or through Remedy Help Desk 6.3 notifications.

Connectors

The Connector Framework provides a new way to connect Identity Manager to target applications through the use of a connector. Identity Connectors and the Framework are part of an open source initiative that offers a generic and consistent way to provision resources with Identity Manager. Connectors have been decoupled from the core Identity Manager server, enabling them to be released independently of Identity Manager builds. In addition to the open source project website where additional connectors will be available for download, Identity Manager comes with the following supported connectors:

Microsoft Active Directory 2003 and 2008
SPML 2.0

See the open-source project website, https://identityconnectors.dev.java.net/ for more information.

Additional connectors will be added in the near future.

Sun Role Manager Integration

This integration focuses on Sun Role Manager versions 4.1.3 and higher. Identity Manager forms can now directly invoke Role Manager web services to notify and invoke roles operations on users. The Identity Manager Data Exporter already allows Role Manager to retrieve Identity Manager's users and roles; the latest 8.1 data exporter now provides:

Capabilities information that will enable better user mining.
Resource schema which will be leveraged in future Sun Role Manager versions.

Java Management Extensions (JMX)

Identity Manager uses JMX MBeans to provide performance data for the List, Create, Get, Modify, Delete and Authenticate operations. The following data are collected:

Count of operation
Moving Average time per operation
Minimum time per operation
Maximum time per operation
Collection start time
Resource Adapter class and version

Pluggable Security (AES) Support

Identity Manager supports Advanced Encryption Standard. AES is a symmetric key encryption technique that can be used instead of Data Encryption Standard (DES). AES is commonly used by government application to protect data.

XML Digital Signature (XML-DSig)

This feature offers a standard non-repudiation mechanism using the W3C XML Signature Syntax and Processing (XMLDSig). This enhancement provides the ability to create, store and display work item approvals in an XMLDSig format. This format also optionally allows the inclusion of RFC 3161–compliant time stamps.

SPML

Support for SPML2.0 has been enhanced. Identity Manager supports the search capability. In addition, audit logging is now supported.

Administrator and User Interfaces

Updated the Checkbox, Label, Radio, Select, Text, TextArea, and Container user interface components to properly render custom CSS styles. Previously, only the Button element would display custom styles. (ID-15025)
You can now configure custom classes on the debug trace page. (ID-15490)
Selecting one or more users and then going to the next page, no longer causes you to lose those selections when performing a multiple user action. (ID-15529)
The Login page does not remove spaces from password input boxes when you specify noTrim='true' in the AuthnProperty name='password' XML element. You can apply noTrim='true' on any other AuthnProperty. (ID-16434)
The size of the guidance help image can now be configured in the customStyle.css stylesheet. (ID-17360)
The version information that is displayed in the administrator interface by hovering over the Help button can be disabled by adding a new custom message catalog key UI_VERSION. Set the value to an empty string in a custom message catalog. (ID-17507)
The end user dashboard (home) page now displays the user's full name rather than the accountId. This can be modified by customizing the End User Dashboard form rather than changing a JSP. (ID-19006)
You can now set a list of IDs called saveNoValidateAllowedFormsAndWorkflows in the security attribute in the System Configuration object. When present, Identity Manager allows only forms and workflows in the list to be processed as a SaveNoValidate action. All other forms and workflows will be processed as a Save. If the list is not present, the behavior remains the same (that is, all forms and workflows can be processed as SaveNoValidate). (ID-19115)

Bulk Operations

Bulk operations can now provision for users with multiple accounts on a resource. (ID-13160)
Added the ability to unassign or unlink an account (using bulk operations) from a resource that had been configured as “read-only” (all resource features allowing update of accounts are disabled). Note that this is only possible using bulk operations. Previously, an attempt to unassign/unlink an account from a read-only resource would return an error indicating the resource does not exist. (ID–19048)

Delegations

Added the option to page approval workitems to avoid page timeouts. (ID-18544) The approval.jsp page now accepts the following properties:

Paging. If present, enables paging.
MaxRows. The number of rows to display on each page
orderBy. A sorting parameter

Modify the WorkItemList form by adding the following fields:

<Field name='PagingButtons'>
   <Display class='ButtonRow'>
      <Property name='align' value='right'/>
   </Display>
   <Disable>
      <not>
         <ref>viewOptions.Paging</ref>
      </not>
   </Disable>
   <Field name='action'>
      <Display class='Button'>
         <Property name='command' value='Recalculate'/>
         <Property name='label' value='&lt;&lt;'/>
         <Property name='value' value='first'/>
      </Display>
   </Field>
   <Field name='action'>
      <Display class='Button'>
         <Property name='command' value='Recalculate'/>
         <Property name='label' value='&lt;'/>
         <Property name='value' value='previous'/>
      </Display>
   </Field>
   <Field name='action'>
      <Display class='Button'>
         <Property name='command' value='Recalculate'/>
         <Property name='label' value='&gt;'/>
         <Property name='value' value='next'/>
      </Display>
   </Field>
   <Field name='action'>
      <Display class='Button'>
         <Property name='command' value='Recalculate'/>
         <Property name='label' value='&gt;&gt;'/>
         <Property name='value' value='last'/>
      </Display>
   </Field>
</Field>

The Multi Approval workflow process has been enhanced to support automatic conversion of a list of approvers to a list of approverObjects used for generating of approval work items. (ID-19238)

Documentation

The Sun Identity Manager documentation set has been reorganized. The following major changes have been made:
- The Administration book has been reorganized into two new books: a Business Administrator's Guide and a System Administrator's Guide
- The contents of the Tuning, Troubleshooting, and Error Messages book have been moved to the new System Administrator's Guide
- The SPML chapters in the Deployment Tools book are now located in the new Web Services Guide, and the Deployment Tools book has been dropped from the documentation set
- The Technical Deployment Overview book is now named the Deployment Guide
- The Workflows, Forms, and Views book is now named the Deployment Reference
- The documentation set includes a new title: Sun Identity Manager Overview
See the Related Books section of the Preface for a complete list of Sun Identity Manager titles.
Corrections and updates to Sun Identity Manager publications are now posted to the Identity Manager Documentation Updates website:

http://blogs.sun.com/idmdocupdates/

An RSS feed reader can be used to periodically check the website and notify you when updates are available. To subscribe, download a feed reader and click a link under Feeds on the right side of the page. Starting with version 8.0, separate feeds are available for each major release.

Installation and Upgrade

The database upgrade scripts add an index to the ownerId column of the accounts table. An upgrade of an installation with many accounts will take significant time to process the database upgrade script due to the creation of a new index on a large table. (ID-19314)
A problem with out-of-memory exceptions during upgrades has been fixed. Previously during upgrades, the Java VM maximum heap size was hardcoded to 256 MB. This hardcoded value has been removed. (ID-19407)

Now it is possible to set the JAVA_OPTS environment variable to a custom value. If no value is provided, a default value of 1024 MB is used.

To define the maximum heap size value, set the JAVA_OPTS environment variable using the form —XmxHeapSize where HeapSize is a value, such as 512m. An example is -Xmx512m.

Password Synchronization

Email notifications sent from PasswordSync now use UTF-8 encoding for the sender name, the subject, and the body of the email. All other header parts are encoded using plain ASCII as required by the email RFCs. (ID-14120)

Note that email notifications that use non-ASCII characters might not display correctly in all mail clients or on all operating systems.
Passwords containing spaces are encrypted and decrypted correctly now . (ID-17670)

If you are upgrading from 8.0 through 8.0.0.2 or 7.1.1 through 7.1.1.7 or prior to 7.1, you must re-install all instances of Password Sync and gateways.
PasswordSync now supports Windows Server 2008 (32 and 64-bit versions). (ID-18342)
Two new settings have been added to the Windows registry and the installer GUI to allow configuration of certificate behavior in PasswordSync. These settings replace the deprecated registry settings clientSecurityFlags and clientConnectionFlags. (ID-19140)

securityIgnoreCertRevoke. If set to 1, ignore certificate revocation errors.

securityAllowInvalidCert. If set to 1, allow certificates that fail safety checks.
PasswordSync's internal checks have been extended to guard against illegal values passed in as part of a password change that could cause a crash. (ID-19291)
The PasswordSync installer has been enhanced to allow for recording configuration parameters to a file during an install. Future installations can reference the file and replay the configuration settings. This allows all subsequent PasswordSync installations to be installed and configured silently. (ID-19311)

Performance

Deadlocks no longer occur over access to the authenticate cache. (ID-16926)
Improved the performance on the Create and Edit User pages. (ID-17066)

Identity Manager no longer by default checks all the users in an organization before determining whether an administrator has the rights and permissions to delegate a work item to a user. To revert to the previous default behavior, add the following statement to the account/modify.jsp file.
```
req.setOption(DelegateWorkItemsViewer.OP_CALL_DELEGATORS_AVAILABLE_USERS,"true");
```
If OP_CALL_DELEGATORS_AVAILABLE_USERS is set to true in the DelegateWorkItemsViewer, then Identity Manager searches through users to check whether the administrator has the permission to see users.
For a user with a dynamically rule-assigned admin role, the user's context is now passed as an argument during login. (ID-17964)
Performance has improved during logins to the Identity Manager User Interface when assigned resources have a display name attribute other than accountId defined. (ID-18885)

Policy

Added the Next password policy. In this policy, if the user answers incorrectly, Identity Manager displays the next question until the user answers an authentication question correctly and logs in, or is locked out based on the specified failure attempts limit. (ID-17307)

Reports

The contents of the Violation State of Violation Summary Report can now be localized. (ID-17011, 17042)
Reports can now be generated in landscape orientation as well as the default portrait orientation. In addition, the page size can be specified as legal as well as the default letter. (ID-17649)

Repository

Identity Manager now supports MySQL 5.0.60 SP1 Enterprise Server as a production repository. (ID-17735, ID-19703)
You can now use MySQL 5.1.30 Enterprise Server as your Identity Manager production repository, but you might need to change to your my.cnf file. Due to recent changes in MySQL's InnoDB code, the default binary logging format is now STATEMENT. Identity Manager uses a READ-COMMITTED transaction isolation level, so binary logging in STATEMENT mode produces an error similar to the following: (ID-20460).
com.waveset.util.IOException: java.sql.SQLException: Binary logging not possible. Message: Transaction level 'READ-COMMITTED' in InnoDB is not safe for binlog mode 'STATEMENT'
If you enable binary logging, set the mode to MIXED by adding the following line to your my.cnf file:
binlog_format=mixed
With this configuration change, you can use 5.1.30 as your repository without the binary logging exception. For more details, see MySQL bug #40360.
The Identity Manager Repository has been changed to work around MySQL defect 9021. The Repository's MysqlDataStore now generates a separate, named JOIN for each attribute condition. (Previously, the MysqlDataStore in some cases used SUBSELECTs and the EXISTS predicate.) (ID-15636)
The usage output for the setRepo command has been updated. The usage now lists -o as an option and explains that -o causes setRepo not to perform an initialization check on the new repository location. The usage also now shows the -U and -P flags in examples of direct JDBC connections. (ID-19475)

Resource Adapters

Netegrity SiteMinder 6.0 is now supported. Proper configuration of the PolicyServer and WebAgent for SiteMinder are necessary for the adapter to function correctly. (ID-6478)
The Active Directory resource adapter now provides a Home Directory Rights resource attribute that controls permission inheritance and the level of permission for the home directory. The default value is 0. A value of 0 indicates that it will not inherit and the user's permission will be FULL control. A value of 1 indicates that the permissions will be inherited and the user's permission will be FULL control. A value of 2 indicates that the permissions will not be inherited and the user's permission will be MODIFY control. A value of 3 indicates that the permissions will be inherited and the user's permission will be MODIFY control. MODIFY control consists of the rights: FILE_GENERIC_WRITE, FILE_GENERIC_READ, FILE_EXECUTE and DELETE. (ID-12881, 19706)
The database table resource adapter can now process a database column that is mapped to the accountId attribute and has a data type of integer. (ID-13362)
The LDAP resource adapter now synchronizes entries only under the predefined base contexts. (ID-15389)
Added the "Respect resource password policy change-after-reset" resource parameter to the LDAP resource adapter. When this option is enabled, and this resource is specified in a Login Module, and the resource's password policy is configured for change-after-reset, a user whose resource account password has been administratively reset will be required to change that password after successfully authenticating. (ID-16255)

In this release, this behavior is available only for those LDAP servers that return the "Netscape Password Expired" (unsolicited) response control (OID 2.16.840.1.113730.3.4.4) with the response to a successful bind operation. The combination of the successful bind attempt and the control is interpreted to mean the user's password has been administratively reset and must be changed. An LDAP server implementing the password policy change-after-reset feature will allow a user with a reset password that has successfully authenticated only to change the password; any other operation is rejected.

Furthermore, because Identity Manager performs all LDAP resource operations other than pass-through-authentication using an LDAP resource administrator account, certain LDAP servers will consider any user's password modification attempt as an administrative reset and never clear that status from the user's account. Such LDAP servers include:
- Sun Java Systems Directory Server 5.x configured to use rootDN (typically cn=directory manager) as the resource adapter connection account
- Sun Java Systems Directory Server 5.2 with passwordNonRootMayResetUserpwd:on.
- Sun Java Systems Directory Server 6.0 and later (including OpenDS)
The Domino resource adapter now supports the group provisioning ObjectType, implementing the ObjectFeatures create, delete, list, rename, saveas and update. (ID-16422)
The SecurId resource adapter supports account renames. (ID-16517)
The SAP resource adapter has been updated to handle CUA in a more robust manner. With the new forms and code changes, Identity Manager users can change CUA child systems as well as roles and profiles for those child systems on a SAP user basis. (ID-16819)

The characteristics of the profiles and activityGroups account attributes have changed. Both of these attributes now have a data type of complex. The profiles attribute now maps to the PROFILES resource user attribute, while the activityGroups attribute now maps to the ACTIVITYGROUPS resource user attribute.

Load the $WSHOME/web/sample/updateSAPforCUA.xml file to update these changes on your SAP resource adapters. New SAP resources contain these attributes, unless you create the resource by copying an existing resource that has not been updated.
Identity Manager now detects and traps Domino denial-of-service errors. (ID-16911)
The WRQ Attachmate 3270 Mainframe Adapter for Sun is supported. Refer to the Resource Reference for details on setting up this product. (ID-17031)
Linux resources support using sudo to manage the /usr/bin/chage command. (ID-17119)
Added support for Lotus Notes/Domino 8.0. (ID-17213)
The Scripted Gateway adapter now supports password synchronization. (ID-17813)
The Oracle ERP resource adapter now allows EMPLOYEE_NUMBER to contain both alphabetic and numeric characters. (ID-18239)
The OS400 resource adapter now supports special characters in passwords. (ID-18412)
Added the RACF Case Insensitive Excluded Resource Accounts and RACF_LDAP Case Insensitive Excluded Resource Accounts sample exclusion rules. These are defined in the sample/wfresource.xml file.
The MySQL resource adapter has been updated to inherit from the JdbcResourceAdapter. Existing MySQL resource attributes will be updated automatically. (ID-18835)
The Windows NT resource adapter is supported again. It is no longer deprecated. (ID-19170)
The LDAP resource adapter has a new Use Paged Result Control configuration parameter. When you enable this parameter, which is disabled by default, Identity Manager uses Paged Result Control instead of VLV Control for the Account Iterator in Reconciliation. Using the Use Paged Result Control configuration parameter improves performance as long as your LDAP resource adapter supports simple paging control. (ID-19231)
Added the Objecttypes to read from SAP HR resource parameter to the SAP HR adapter to allow processing of the organization IDOCs from SAP HR. This is a multi-valued attribute which currently supports the values of "P", "CP", "S", "C" and "O". (ID-19286)
The OracleERP resource adapter now supports an option that suppresses Identity Manager.s ability to prepend the administrator user's schema identifier (such as APPS) to the names of Oracle EBS administrative tables (such as FND_USER, FND_VIEWS, and so forth). This option is provided through a new resource attribute with the Do Not Use Schema Identifier display name, and the default value is FALSE. If you change this value to TRUE, the adapter can no longer prepend the schema identifier to administrative table names. (ID-19352)
The Active Directory adapter now supports the inetOrgPerson object class and other object classes derived from the user object class. (ID-19399)
Added the Maintain LDAP Group Membership parameter to the LDAP adapter to control whether Identity Manager or the LDAP resource is responsible for maintaining LDAP group membership when a user is renamed or deleted. (ID-19463)
Added the resource parameter ERROR_CODE_LIMIT to the Shell Script resource adapter. This parameter allows you determine which return code is an error. (ID-19858)
The SecurId adapters now support the following features: (ID-18665, 18671, 18672, 18673, 18676, 18677, 19726)
- Edit the user's first name, last name, and default shell.
- Fetch all valid ACE groups from the ACE server
- Search on an ACE group and return all users in that group.
- Fetch a list of all defined ACE agents from the ACE Server.
- Show all the groups that are activated on an ACE agent.
- Fetch all the Administrators and their Admin Level.
The gateway now supports the AES cipher in 128-bit, 192-bit and 256-bit keys for communication with the Identity Manager server. (ID-19738)

Roles

Identity Manager now recognizes the assignment of a UserForm through an Admin role when the Admin role is controlling a dynamic organization and the user is edited through the Find User page. (ID-18028)
The optional noroleconfigurationupdate argument to RoleUpdater can be specified during upgrades to bypass modifying the RoleConfiguration object to indicate if pre-8.0 roles will be allowed to be directly assignable to users. Setting this value to "true" will bypass the test to see if this change is necessary. (ID-18483)
All RoleAttribute logic is now case-insensitive. (ID-18766)
Report results now are available to a subject's organization and admin roles. (ID-19736)

Security

IDM 8.1 supports several new encryption options. (ID-16979, 17789)
- For encryption of server encryption keys, added support for PBE with AES (ECB mode) using a 256-bit key. This new option is similar to the existing PBE with DES mechanism but uses AES as the underlying cipher.
- For both data in the repository and for gateway communications, added support for AES with 128-, 192-, and 256-bit keys (ECB mode).
- Changed the "Manage Server Encryption" task as well to accommodate this new functionality.
Some of these new options require additional install and/or configuration steps as detailed in the Administrator's Guide.
Added a new "Login Recovery" authentication alternative to the "Forgot Password" security questions based login. (ID-18052)
Identity Manager now supports XMLDSIG format signed approvals. Previously, signed approvals were stored in the Identity Manager audit log in a proprietary format. This enhancement allows such approval records to be stored in an XMLDSIG standards compliant format thus offering better interoperability. Also supported is the ability to include an RFC 3161 compliant digital time stamp retrieved from an external time stamp authority. (ID-19011)
When pass through authentication is enabled, the change password functionality works correctly when a user's resource password has expired and the Identity Manager account ID and resource account ID are different. (ID-19218)
Fixed multiple cross-site request forgery (CSRF) vulnerabilities. (ID-19280, 19659, 19660, 19661, 19683, 20072) Any customizations to the includes/headStartUser.jsp and user/userHeader.jsp files must be manually updated.
Improved performance for dynamic organizations. The Waveset.properties file now contains several properties that define how Rule-Driven Members lists cached. (ID-19586)

Service Provider

You can configure the Service Provider end-user pages to force your servers to always process page requests using HTTPS. (ID-18509)

Tasks

The SourceAdapterTask can now be run by an administrator other than Configurator. (ID-15299) To specify a different administrator, add the following to the system configuration object:

<Attribute name='sources'>
   <Object>
      <Attribute name='hosts'/> <!-- any host is the default -->
      <Attribute name='subject' value='Configurator'/>
    </Object>
</Attribute>

Bugs Fixed in this Release

This section describes the bugs fixed in Identity Manager 8.1, and the information is organized as follows:

Administrator and User Interfaces

Added the tabindex property to the DatePicker class. (ID-15244)
Removed an extraneous Search button on the page that displays after clicking the ... button on the Forward Remediations page. (ID-17236)
An error is no longer returned when you edit or update a user and try to assign an idmManager that does not yet exist or is missing, (ID-17339)
Removed a duplicate “Indicates a required field” from the Create Access Scan page. (ID-17417)
Click-to-focus and select issues with the MultiSelect display component have been fixed in the Mac OS X JRE. (ID-17938)
A user who can log in to multiple interfaces is no longer logged into the wrong interface when the same user credentials are being used to log into another interface at the same time. (ID-18204, 18506)
Deprovisioning a user with multiple accounts from the Administrator Interface now completes successfully. (ID-18314)
On the Awaiting Approval page and other pages that contain tables of work items, if you click an action button, such as Approve or Reject without selecting a work item, an error message is now displayed. (ID-18472)
The administrator interface was not enforcing the challenge option when administrators used the Change My Password screen to change their password. The problem has been fixed. (ID-18578)
Changing a user password through the administrative interface no longer unnecessarily generates the "The password may not be empty" error. (ID-18579)
Corrected a problem in the Identity/Lighthouse login module where the Forgot Password option returned the following error: Missing value for required field "User ID", when user provided User ID. (ID-18939)
Fixed the ability to query with user roles via the Find User form. (ID-18986)
Fixed UI containers so that nested fields properly inherit the required property and the noNewRow property. (ID-19040)
Identity Manager now refers to the MaximumNumberOfChildrenPerNode (default is 100) attribute in ResourceUIConfig object to display node levels. If the number of child nodes exceeds this value, Identity Manager displays only the first 100 nodes that are returned. (ID-19434)
Corrected an unrecoverable error that occurred when editing a user in a dynamic organization. (ID-19519)
Previously, when you removed a user's Modify rights for task permissions, the user could no longer select a task, even when that user still had Delete rights and needed to select tasks for deletion. Now, the checkbox column is shown in the tasks list user interface even after the Modify permission has been removed. (ID-19718)
Images now render in the user interface when you enable relative URLs. (ID-19771, 19868)
Fixed the query creator so that it handlse all logical ANDs correctly in the Find User tab. (ID-19898)
Pending work items can be viewed in the results page on the end user interface by enabling the endableEndUserProcessDiagrams flag in the System Configuration object.(ID-19919)

Auditing

Audit log event reports now correctly indicate the interface that was used to respond to an attestation. (ID-16950)
When you set the xpress.traceFileOnly option to true in the Waveset.properties file, all XPRESS statement evaluations will generate trace messages to a file specified by xpress.traceFile. When the xpress.traceFile has a value, all trace messages will be redirected to both the Console and a file. (ID-19748)

Capabilities

Import/Export Administrators are no longer able to see administration pages and tabs they were not supposed to. (ID-19389)
The System Configuration Object is now blocked from being modified by unauthorized users. (ID-20224)

Forms

If you set the sortColumn value in a form that is invoked by a workflow, that value is no longer ignored. (ID-17781)

Delegation

If an administrator has current Organization Approval, Role Approval, or Resource Approval delegation for an organization, role, or resource and loses control of that object, the Delegations page in the user UI no longer displays an error message. (ID-18951)

Identity Manager IDE

The Identity Manager IDE no longer modifies a role's primaryobjectclass when th eIdentity Manager IDE does not know about custom role types. (ID-19672)
Performing Display Schema operations for custom role types no longer returns a NullPointerException on thedebug pages. (ID-19686)

Gateway

Registry key exchanges between the gateway and the Identity Manager server will no longer fail if the machine running the gateway does not have a registry for the gateway. (ID-17137)
A spurious error reported during the gateway shutdown has been resolved. As a side effect, the messages written during startup and shutdown are now written to the gateway trace logs if tracing is turned on, or to the console if tracing is not on. (ID-19310)

Logging

The system now logs the IP address of a client instead of the IP address of a load balancer that sends a request. (ID-17774)
Identity Manager trace logging now fills the maximum configured number of trace log files before beginning to overwrite existing log files. (ID-19102)
Activity Report pages now use the Message field to display any additional information about audit events. (ID-19257)
In previous releases, tasks that encountered resource account provisioning failures were sometimes logged as successes in activity reports. This problem is now corrected. (ID-19283)
An error message is now displayed when a delete is attempted on a Log or SysLog object, except when running the System Log Maintenance Task or the AuditLog Maintenance Task. (Those tasks use a different method to delete objects of these types.) (ID-19356)
The Resource Account Change Password and Resource Account Reset Password operations are now audit logged with the Change Password or Reset Password audit action. In addition, the "Change Resource Account Password" workflow is now changed so that the "Audit" activity is only called when a failure occurs before the call to the changeResourceAccountPassword workflow service. (ID-19359)
Fixed an issue where the results of an access review were not audited correctly. (ID-19548)
Operations on the Server object are now audited. (ID-19606)
Resource Group modifications (Create, Update, Delete) are now audited. The Resource Group object is also known as an Application object, so the ApplicationViewer is used to operate on an Application object. Therefore, the Application viewer is where the auditing occurs. (ID-19607)
An audit log record with a failure status is now published when a delete user operation fails. (ID-19722)

Password Synchronization

PasswordSync can now correctly send administrators e-mails when user e-mails have been disabled. (ID 18110)
A possible crash caused by a NULL reference in PasswordSync was fixed. (ID-19042)
Test connections using valid certificates and self-signed certificates now work correctly. (ID-19216)
Corrected two potential buffer overruns. In both cases, buffers of fixed length could be overrun by content that was larger than the buffer. These buffers are now dynamically allocated to ensure they are large enough. (ID-19358)
Password synchronization for computer accounts has been disabled. (ID-19366)
The default install directory for Password Sync files has been changed to match the product name. (ID-20276) By default, the application will now be installed in C:\Program Files\Sun Microsystems\Sun Identity Manager PasswordSync. The default directory on the 64–bit version of Windows is C:\Program Files (x86)\Sun Microsystems\Sun Identity Manager PasswordSync\

Policy

Password policy now correctly validates any extended ASCII characters that are entered for the "must not contain words" condition. This condition also now differentiates between a complete word match and a string attribute match when displaying a Policy Violation message. (ID-19384)

Provisioning

A NullPointerException no longer occurs during a retry task when a reprovision with retry fails on a secondary operation. (ID-19826)

Reports

Older versions of Risk Analysis reports produced a TaskResult object that contained XML that was not valid per the waveset.dtd. Consequently, these TaskResult objects could not be re-imported into Identity Manager. New executions of the Risk Analysis reports produce valid XML that can be re-imported. (ID-14419)

Use the following procedure to update and import old TaskResult objects:
1. Export the TaskRef to a file, such as object.xml
2. Run the following command from a UNIX shell. A corrected version of the file is written to object-fixed.xml.
```
cat object.xml | sed -e s/'&#xA;'//g | sed -e s/'&#xA; '//g | sed -e
s/'&#xA;  '//g | sed -e s/'&#xA;  '//g > object-fixed.xml
```
3. Import the object-fixed.xml file into Identity Manager
By default Audit records are placed in the same ObjectGroup that the Object the record refers to is in. The ApproverReportTask is in the All ObjectGroup, so the audit record indicating the report was run is also placed in the All ObjectGroup. (ID-16363)

This means the audit record is visible to all administrators. If this is not desirable, then either change the MemberObjectGroup of the ApproverReportTask TaskInstance to a more appropriate ObjectGroup, or add the following XML to the AuditReport Task:
```
<Field name='excludeAll'>
   <Display class='Hidden'>
      <Property name='value' value='true'/>
   </Display>
</Field>
```
The "Interface" and "Attribute Changes" options for the X-Axis and Y-Axis for reports of type Usage Report are now mapped to valid queryable values, and a NullPointerException will not occur. "Attribute Changes" now maps to Attribute.ACCT_ATTR_CHANGES. "Interface" maps to the newly created Attribute.INTERFACE, which is a synonym for Attribute.CLIENT. (ID-16769)
The Account Index Report can now be generated properly for a user who doesn't control the Top organization. (ID-16643)
The Resource User report displays administrator names correctly. (ID-17650)
If an error occurs while generating a report in PDF format, an error message is now displayed correctly. (ID-17979)
Cloning a report now works correctly. (ID-18187)
Identity Manager no longer returns a NullPointerException when a User Report includes Extended User Attributes as its search options. (ID-19567)
Fixed an Access Denied error that occured when a user that has been assigned more than one AdminRole tried to create a report. (ID-20067)
Task reports now display column names correctly. (ID–20131)

Repository

The MySQL error "Column 'id' in field list is ambiguous" no longer occurs when a user clicks an audit policy link in the "All Compliance Violation" report. The repository now generates DML that qualifies this column name. (ID-19900)

Resource Adapters

The name of a Change Resource Password task is now displayed correctly. (ID-6947)
A problem has been corrected with the Sybase adapter that caused the adapter to attempt to reconcile with the default Sybase system database when the database defined in the resource adapter was not available. (ID-15867)
Tabs (\u0009) now work as field delimiters for Flat File Active Sync resources. (ID-16780)
Enhanced tracing capabilities in the Scripted JDBC resource adapter. (ID16900)
The gateway no longer overwrites the ServerKeyFileName value in the Domino Server's notes.ini file when Domino Server and the Lotus Notes client are installed on the same machine. (ID-17216)
Creating a new user with the force_change flag explicitly set to false now works correctly with Solaris resources. (ID-17401)
The Gateway service now re-establishes its database connection to SecurID in the event that SecureID is restarted. (ID-17443)
Corrected a problem where the gateway encryption key was not being updated when ScriptedGateway was the only gateway resource. (ID-17556)
Two error situations while creating a user in Active Directory now show the correct and readable error: the account already exist and the account ID has an improper format. (ID-17587)
The SecurId ACE Server UNIX adapter now tests whether pooled connections are viable. (ID-17673)
Identity Manager now ignores the use of Lotus Domino group name aliases and does not cause invalid object errors if they are used natively. (ID-17739)
The Domino adapter deletes script files that are created during create and post update actions.(ID-18136)
The Active Directory resource adapter now correctly processes non-zero exit codes from delete before actions. (ID-18241)
A Lotus Domino resource now returns connections to the connection pool properly. (ID-18417)
The Name account attribute for the Exchange 2007 adapter is a create only attribute. Modification of the attribute causes undefined side effects and could leave the user unmanageable from Identity Manager and is therefore no longer supported. (ID-18606)
Gateway resource adapters no longer overwrite read-only account attributes. (ID-18932)
The OracleERP resource adapter no longer returns a no data found error when looking up responsibilities that have not yet been provisioned to users. (ID-19056)
The OracleERP resource adapter no longer returns an error when looking up a responsibility that has a non-unique name. (ID-19057)
The LDAP resource adapter no longer requests a uniqueMember attribute when testing a group membership. (ID-19134)
Fixed a memory leak in the Domino Gateway adapter. (ID-19139)
The gateway no longer crashes when a "get info" message is sent to a Scripted Gateway resource (ID-19249).
The Manage Server Encryption task no longer corrupts objects of the type GatewayEncryptionKey when it stores a time stamped copy of the key. (ID-19250)
Corrected a problem where the SAP resource adapter could not unlock users who were locked after too many wrong logins. (ID-19252)
The deprecated DominoActiveSyncAdapter is no longer delivered. The Domino resource adapter now contains this functionality. (ID-19281)
The gateway no longer crashes when running a reconcile on a Windows NT resource. (ID-19295)
The NDS gateway no longer sends a false warning message about the User class when processing non-user NDS objects. (ID-19362)
Legacy Exchange 2000/2003-enabled mail users are now reported as AD-only users (RecipientType equals User) when Exchange 2007 support on the adapter is turned on. Exchange 2000/2003 users can be distinguished from AD-only users by the legacyExchangeDN and other Exchange 2000/2003 attributes. (ID-19393)
Now the Uid is not unique error is thrown when changing a user ID to the same value as another user ID in the Red Hat Linux resource. (ID-19395)
Identity Manager now correctly passes SAP Access Enforcer custom attributes to Access Enforcer. (ID-19427)
LDAP groups with multiple objectClasses are now stored correctly. (ID-19436)
The Solaris, HPUX, AIX, and Linux adapters running NIS now prevent you from creating an account with a uid in use or changing the uid to that of an account that already exists. (ID-19465)
The gateway now returns Exchange 2007 attributes correctly if they are requested as part of the getAllObjects() call on an Active Directory adapter. (ID-19492)
The AIX adapter no longer deletes all group members when updated with invalid users. (ID-19516)
Fixed an issue the occurred when deleting a user's primary group on Red Hat and AIX. If the resource threw an exception and failed to delete the group, the Administrator Interface would report a success. The error is now reported correctly. (ID-19520)
Identity Manager now correctly interprets the error code returned from Red Hat Enterprise Linux 5 when a user is assigned to a nonexistent group. (ID-19523)
Using non-root access through SSH from the shell script adapter now works correctly. (ID-19583)
Using the ExcludedAccountsRule for operation updates no longer yields a null accountID. (ID-19585)
Using LDAP reserved characters, such as an asterisk (*), for LDAP authentication no longer locks out all LDAP users. (ID-19588)
The AIX resource adapter updates secondary group list correctly. (ID-19628)
The Oracle resource adapter now allows you to use the question mark (?) and braces ({ }) characters in an account password. (ID-19653)
The SecurId ACE Server for Windows adapter has been enhanced to so that the adapter now confirms that both the gateway and the backing SecurId environment are responding to queries for work. (ID-19667)
Full reconciliation now correctly alters account disabled status. The LDAP resource adapter now checks disabled status during reconciliation. (ID-19708)
Now, when you create or modify a user with an invalid login shell for NIS resources, an error occurs. (ID-19755)
Identity Manager no longer loses updates in Active Directory while running synchronization. (ID-19905)
A disabled user's SiteminderLDAP account status will now be displayed correctly on the Edit User page using Tabbed User Form. (ID-19931)
The Windows NT resource adapter no longer supports groupType resource objects. (ID-19791)
The SecurId UNIX resource adapter processes comma-separated group values correctly. (ID-20152)
An administrator can assign more than one group and client to a user in the SecurId Windows adapter. (ID-20153).
The control characters (0x00-0x1f, 0x7f) in a user password will throw error for Linux, AIX, Solaris, HPUX, and ShellScript resource adapters. (ID-20174)

Roles

A contained role now must be removed from the role(s) to which it has been assigned before it can be deleted. (ID-18981)
A problem that prevented system deployers from saving and importing roles in the Identity Manager IDE has been fixed. (ID-19036)
Fixed a problem that caused Identity Manager running on JDK 1.6 to fail to assign roles assigned to a Business Role. A symptom of the problem included Identity Manager identifying a Business Role as an IT Role after the Business Role was assigned. This problem was limited to JDK 1.6. (ID-19086)
Corrected a problem where the SPML viewer threw a ClassCastException when setting a ResourceAttribute value to a String value while modifying a role. (ID-19177)
A problem that prevented roles from being assigned to users by way of custom user forms has been fixed. The problem occurred when roles were assigned using non-refreshable UI components, such as the text box. (ID-19241)
The following functions now work correctly for users with dynamic admin roles: (ID-19456)
- Canceling approvals
- Viewing the history of a work item
- Running a report
RoleAttribute list values now perform correctly. (ID-19981)

Service Provider

An issue has been corrected that occurred when Identity Manager Service Provider is configured to use the organization attribute. An Identity Manager administrator that does not control Top was unable to update Service Provider end-users and received the following error: "User must have a value for the 'org' attribute." (ID-18329)

Session API

The EmailUtil API call and sendEmailToAddress() method now handle a null HTTP Request sent as arguments to the call. The method now checks for the null case when determining the locale from the HTTP Request and defaults correctly to the appropriate locale without a NullPointerException. (ID-17755)

Synchronization

When a server running Active Sync for a resource with startup type "Automatic with Failover" is not able to connect to the Identity Manager repository, the task will not poll the resource for changes. If the Active Sync task can establish a connection with the repository at a later scheduled polling time, it will exit if another Active Sync task for that resource has already been started on another Identity Manager server in the cluster. (ID-19452)

Views

When the SystemConfiguration attribute named ProvisioningDisabledUserShouldThrow is set to true, any attempt to provision a disabled user to a resource will be prevented and will produce an error. When the attribute is not set to true, then the provisioning will still be prevented, but it will NOT produce an error. (ID-19433)

Additional Bugs Fixed

17055, 18242, 19019, 19065, 19244, 19288, 19651, 20352