Installation and Update Notes

This section provides information related to installing or updating Identity Manager, and the information is organized as follows:

Installation Notes

Upgrade Notes



Note	For Known Issues related to the installation and upgrade process, please refer to the Install and Update section of this document.

Installation Notes

The following information relates to the product installation process:

When installing PasswordSync, you must use the appropriate binary file for the operating system on which you are installing. The binary for 32-bit Windows is called IdmPwSync_x86.msi and the binary for 64-bit WINDOWS is called IdmPwSync_x64.msi.

When uninstalling PasswordSync, use the add/modify programs feature from the Windows Control Panel to ensure correct removal. Installing the wrong binary might appear to succeed, but PasswordSync will not operate properly. (ID-17290)

You must manually install Identity Manager on HP-UX.

The Identity Manager installation utility can now install or update to any installation directory name. You must create this directory prior to starting the installation process, or select to create the directory from the setup panel.

Running the Sun Identity Manager Gateway on a Windows system requires the Microsoft Active Directory Client extension. The DSClient can be found at the following location:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q288358



Note	Refer to the Sun Identity Manager Installation publication for detailed product installation instructions.

Upgrade Notes

This section contains information and known issues related to upgrading Identity Manager from version 6.0 or version 7.0 to version 8.0.

The information in this section is organized as follows:

Before You Begin

Upgrade Issues

Refreshing User Objects



NoteS	See Identity Manager Upgrade for upgrade instructions and information. When upgrading Identity Manager, be sure to review the installation section for your application server in Sun Identity Manager Installation for application server-specific instructions. If your current Identity Manager installation has a large amount of custom work, you should contact Sun Professional Services for assistance with planning and executing your upgrade.

Before You Begin

You must be aware of the following information before starting the upgrade process:



Caution	If you are using an Oracle repository, the Identity Manager 8.0 repository DDL uses data types that are not properly handled by older Oracle JDBC drivers. The JDBC drivers in ojdbc14.jar do not properly read all of the columns in the log table. You must upgrade to the oracle11g_jdbc.jar drivers for Identity Manager to work properly.

Identity Manager 8.0 dedicates some new tables for Roles objects. You must use the sample scripts provided in the db_scripts directory to make the schema changes, create the new table structures, and move your existing data.



Note	Before updating the repository database table definitions, make a full backup of your repository tables. Refer to the db_scripts/upgradeto8.0from71.DBMSName script for more information.

If you are upgrading to Identity Manager 8.0, and have any custom code that calls UserUIConfig#getRepoIndexAttributes(), you must remove the code or change it to call Type.USER#getInlineAttributeNames().

Importing update.xml converts the values from the UserUIConfig RepoIndexAttrs into values of XML attributes on the TypeDataStore element for Type.USER within the RepositoryConfiguration object. The update.xml file includes the UserUIConfigUpdater.xml file, which contains an Import command that invokes UserUIConfigUpdater to convert RepoIndexAttrs. Conversion also sets a flag in SystemConfiguration that inhibits reconversion.

Any future changes to the inline attributes for Type.USER should be made by editing the RepositoryConfiguration object. If you change the inline attributes for Type.USER, you generally must refresh all Type.USER objects.



Note	Changes to RepositoryConfiguration do not affect an Identity Manager server until you restart that server.

Be sure to use only one Identity Manager server to import update.xml and that only one Identity Manager server is running during the upgrade. If you start any other Identity Manager servers during the upgrade, you must stop and restart those servers before making them available.

Be careful when you edit the super role field in the Role form because the super role itself may be a nested role. The super roles and subroles fields indicate a nesting of roles and their associated resources or resource groups. When applied to a user, the super role includes the resources associated with any designated subrole. The super role field is displayed to indicate the roles that include the displayed role.

During the upgrade process, Identity Manager analyzes all roles on the system and then updates any missing subroles and super roles links using the RoleUpdater class.

To check and upgrade roles outside of the upgrade process, you can import the new RoleUpdater configuration object that is provided in sample/forms/RoleUpdater.xml.
For example:

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>

<Map>

</Map>

</ImportCommand>

</Waveset>

Where:

verbose: Provides verbose output when updating roles. Specify false to enable a silent update of roles.

noupdate: Determines whether the roles are updated. Specify false to get a report that only lists which roles will be updated.

nofixsubrolelinks: Determines whether super roles are updated with missing subrole links. This value is set to false by default and links will be repaired.

Administrators who need to view or edit the Identity Manager schema for Users or Roles must be in the IDM Schema Configuration AdminGroup and must have the IDM Schema Configuration capability.

The SPML 2.0 implementation in Identity Manager has changed in Identity Manager 8.0. In previous releases, the SPML objectclass attribute used in SPML messages was mapped directly to the objectclass attribute of Identity Manager User objects. The objectclass attribute is now mapped internally to the spml2ObjectClass attribute and is used internally for other purposes.

During the upgrade process the objectclass attribute value is automatically renamed for existing users. If your SPML 2.0 configuration contains forms that reference the objectclass attribute, you must manually change those references to spml2ObjectClass.

Identity Manager does not replace the sample spml2.xml configuration file during an upgrade. If you used the spml2.xml configuration file as a starting point, be aware that this file contains a form with references to objectclass that you must change to spml2ObjectClass. Change the objectclass attribute in forms (where it is used internally), but do not change the objectclass attribute in the target schema (where the attribute is exposed externally).

For UNIX environments, be sure that an install directory exists in one of the following locations, and that you can write to it:

For Linux/HP-UX: /var/opt/sun/install

For Solaris: /var/sadm/install

Any previously installed hotfixes are archived to the following directory:

$WSHOME/patches/HotfixName

Upgrade Issues

After upgrading, the changedFileList and notRestoredFileLists will contain the following files. These files should not display, and no action is required. (ID-9228)

bin/winnt/nspr4.dll

bin/winnt/jdic.dll

bin/winnt/MozEmbed.exe

bin/winnt/IeEmbed.exe

bin/winnt/AceApi.dll

bin/winnt/DominoAPIWrapper.dll

bin/winnt/DotNetWrapper.dll

bin/winnt/gateway.exe

bin/winnt/lhpwic.dll

bin/winnt/msems.inf

bin/winnt/pwicsvc.exe

bin/winnt/remedy.dll

bin/solaris/libjdic.so

bin/solaris/mozembed-solaris-gtk2

bin/linux/librfccm.so

bin/linux/libsapjcorfc.so

bin/linux/libjdic.so

bin/linux/mozembed-linux-gtk2

Identity Manager’s User Extended Attributes now fully supports multi-valued attributes. (ID-14863)



Note	You can add a multi-valued user extended attribute to the accounts list table, and it will render the list without error. However, attempting to sort on that column will yield the following error: java.lang.ClassCastException: java.util.ArrayList

An attribute condition that refers to a multi-valued extended attribute will evaluate correctly for a user object only after that user object has been re-serialized. If you want such an attribute condition to evaluate correctly for all user objects, then you must re-serialize all user objects. See Refreshing User Objects for instructions.

If you are upgrading from an Identity Manager version 6.x installation to version 7.x to version 8.0, and you want to start using the new Identity Manager end-user pages, you must manually change the system configuration ui.web.user.showMenu to true for the horizontal navigation bar to display. (ID-14901)

Also, if you want the new end user dashboard to display on the end-user home page, you must manually change the end user form mapping for Form Type 'endUserMenu'. Go to Configure > Form and Process Mapping > for Form Type 'endUserMenu' change the Form Name Mapped To to be 'End User Dashboard'.

You should also update the mapping for Form Type 'endUserWorkItemListExt'. Change the Form Name Mapped To to be 'End User Approvals List'.



Note	If you are upgrading directly from Identity Manager version 7.x to version 8.0, the preceding modifications are unnecessary.

If you are upgrading from version 6.0 or 7.0 to version 7.1 or version 8.0, and using LocalFiles, you must export all of your data before upgrading and then re-import the data after doing a clean installation of 7.1 or 8.0. (ID-15366)

If your installation contains a Remedy resource, you must place Remedy API libraries in the directory where the Gateway is installed. These libraries can be found on the Remedy server.

Table 1 Remedy API Libraries
Remedy 4.x and 5.x	Remedy 6.3	Remedy 7.0
arapiXX.dll arrpcXX.dll arutlXX.dll where XX matches the version of Remedy. For example, arapi45.dll on Remedy 4.5.	arapi63.dll arrpc63.dll arutl63.dll icudt20.dll icuin20.dll icuuc20.dll	arapi70.dll arrpc70.dll arutl70.dll icudt32.dll icuin32.dll icuuc32.dll

Upgrading to Identity Manager 8.0 automatically converts the User Extended Attributes object and QueryableAttrNames and SummaryAttrNames elements of the UserUIConfig object into the IDM Schema Configuration object. (ID-17784) The sample update.xml script contains an import command that invokes IDMSchemaConfigurationUpdater to convert legacy user schema configuration objects. Successful conversion of legacy user schema configuration objects performs the following:

Creates within IDM Schema Configuration an IDMObjectClassAttribute element for each extended attribute name from User Extended Attributes.

Flags as ‘summary’ any IDMObjectClassAttribute that corresponds to each value from the SummaryAttrNames element within UserUIConfig.

Flags as ‘queryable’ any IDMObjectClassAttribute that corresponds to each value from the QueryableAttrNames element within UserUIConfig.

Empties the SummaryAttrNames element within UserUIConfig.

Empties the QueryableAttrNames element within UserUIConfig.

Renames any extended attribute named objectClass to spml2ObjectClass. Legacy attributes named objectClass conflict with a core attribute in the Identity Manager 8.0 schema.

When you are upgrading to Identity Manager 8.0, and have any custom code that calls UserUIConfig#getRepoIndexAttributes(), you must remove the code or change it to call Type.USER#getInlineAttributeNames(). (ID-18051)

Importing update.xml converts the values from the UserUIConfig RepoIndexAttrs into values of XML attributes on the TypeDataStore element for Type.USER within the RepositoryConfiguration object. The update.xml file includes the UserUIConfigUpdater.xml file, which contains an import command that invokes UserUIConfigUpdater to convert RepoIndexAttrs. Conversion also sets a flag in SystemConfiguration that inhibits reconversion.



Note	Changes to RepositoryConfiguration do not affect an Identity Manager server until you restart that server.

Be sure to use only one Identity Manager server to import update.xml and have only one Identity Manager server running during the upgrade. (ID-18051)

If you start any other Identity Manager servers during the upgrade, you must stop and restart that server before making it available.

When upgrading to Identity Manager 8.0 from any Identity Manager release prior to Identity Manager 7.1, there might be ItemNotFound Exceptions in the upgrade log due to Identity Manager Service Provider Edition (SPE) objects being renamed to Identity Manager Service Provider within Identity Manager 8.0. (ID-18860)

Deprecated Features

Identity Manager 8.0 changed the display method of charts and graphs in reports. Reports created prior to Identity Manager 8.0 will display as expected in the Identity Manger 8.0 release; however, reports will not display as expected in subsequent major releases and patches. For example, a report created in Identity Manager 7.1 will display as expected in Identity Manager 8.0 and Identity Manager 8.0 Patch 1, but not in Identity Manager 9.0. (ID-17636)

Refreshing User Objects

Certain types of changes require an administrator to refresh all User objects. For example, you must refresh all User objects when you change the inline attributes for Type.USER in RepositoryConfiguration. Whenever you mark an attribute as queryable or summary in the IDMSchemaConfiguration object, you must refresh all User objects for the change to affect older, unmodified objects. The same logic applies when a new version of Identity Manager adds a new attribute, or when a new version of Identity Manager changes the values of an existing attribute — the upgrade process or an administrator must refresh all User objects for the change to affect older, unmodified objects.

There are three ways to reserialize existing users:

Modify an individual User object during normal operations.

For example, opening a user account through the user interface and saving it with or without modifications.

Disadvantage: This method is time-consuming, and the administrator must be meticulous to ensure all existing users are reserialized.

Use the lh refreshType utility to reserialize all users. The refreshType utility’s output is a refreshed list of users.

lh console

refreshType User

Disadvantage: Because the refreshType utility runs in the foreground and not the background, this process can be time-consuming. If you have a lot of users, reserializing them all takes a long time.

Use the Deferred Task Scanner.



Note	Before running the Deferred Task Scanner process, you must edit the System Configuration object using the Identity Manager Integrated Development Environment (Identity Manager IDE) or some other method. Search for 'refreshOfType' and remove the attributes for '2005Q4M3refreshOfTypeUserIsComplete' and '2005Q4M3refreshOfTypeUserUpperBound'. After editing the System Configuration object, you must import that object to repository for your changes to be present.

Disadvantage: This method causes the next Deferred Task Scanner run to take a long time because it examines and rewrites almost every User object. However, subsequent Deferred Task Scanner runs should execute at normal speed and duration.