Release Notes
Release 9.0.1
B28075-01
May 2006
This document contains release notes for Oracle Identity Manager Release 9.0.1. It includes these topics:
Note: Oracle Identity Manager Connectors, which were previously referred to as resource adapters, are no longer bundled with Oracle Identity Manager. Oracle Identity Manager Connectors are now distributed several times a year in the Oracle Identity Manager Connector Pack, independent from Oracle Identity Manager.
See Also: The following documentation, located on your installation media, for detailed information on Oracle Identity Manager:
Oracle Identity Manager Release 9.0 introduces new audit and compliance features ranging from data availability to process automation. Customers can now implement a systematic methodology to fulfill recurring audit and compliance requirements. The requirements include regulatory mandates such as Sarbanes-Oxley and internal information security best practices. Additional new features include:
Extended user profile auditing enables customers to capture a wider and deeper range of historical data related to user profiles. This information enables an enterprise to identify "Who Has What When and How" regarding individual user access to IT resources. This feature can determine the exact mechanism that triggered the grant of an access right to an individual user.
Embedded reporting framework improves the accessibility to and manageability of all transactional and historical data. This includes the following:
A reporting, or secondary, database that is separate from the main Oracle Identity Manager database
An embedded reporting engine with CSV export capability
A pluggable architecture to facilitate standard reports
Enhanced support for third-party reporting tools
A framework for customizing the metadata of the reporting database
Attestation functionality: Attestation is the process of having people or system managers confirm people's access rights on a periodic basis. Existing Sarbanes-Oxley requirements require enterprises to perform attestation for all financially significant systems every 3 to 6 months. In Release 9.0, Oracle Identity Manager delivers a flexible attestation solution to help enterprise customers meet these regulatory requirements. By setting up attestation processes with Oracle Identity Manager, enterprise customers can automate the generation, delivery, review, sign-off, delegation, tracking, and archiving of user access right reports for reviewers on a scheduled or ad-hoc basis.
Enhanced Deployment Manager functionality handles IT resources as a special case by giving users the option to either create a new instance or provide parameter values to the imported instance.
Oracle Identity Manager Release 9.0.1 is certified for clustered and non-clustered installations with the configurations listed in Table 1.
Table 1 Oracle Identity Manager Release 9.0.1 Certified Configurations
Application Server | Platform | Database |
---|---|---|
WebSphere 5.1.1.5 | Windows 2003 | Oracle 10.2.0.1 |
WebSphere 5.1.1.5 | Windows 2003 | Oracle 9.2.0.7 |
WebSphere 5.1.1.5 | RedHat Linux AS 4.2 | Oracle 10.2.0.1 |
WebSphere 5.1.1.5 | RedHat Linux AS 4.1 | Oracle 10.2.0.1 |
WebSphere 5.1.1.5 | RedHat Linux AS 4.1 | Oracle 9.2.0.7 |
WebSphere 5.1.1.5 | Solaris 9 | Oracle 10.2.0.1 |
WebSphere 5.1.1.5 | Solaris 9 | Oracle 9.2.0.7 |
WebSphere 5.1.1.5 | AIX 5L 5.3 | Oracle 10.2.0.1 |
WebLogic 8.1 SP4 | Windows 2003 | Oracle 10.2.0.1 |
WebLogic 8.1 SP4 | Windows 2003 | Oracle 9.2.0.7 |
WebLogic 8.1 SP4 | Windows 2003 | SQL Server 2000 SP3a |
WebLogic 8.1 SP4 | Solaris 10 | Oracle 10.2.0.1 |
WebLogic 8.1 SP4 | Solaris 10 | Oracle 9.2.0.7 |
JBoss 4.0.2 | Windows 2003 | Oracle 10.2.0.1 |
JBoss 4.0.2 | Windows 2003 | Oracle 9.2.0.7 |
JBoss 4.0.2 | Windows 2003 | SQL Server 2000 SP3a |
JBoss 4.0.2 | RedHat Linux AS 4.1 | SQL Server 2000 SP3a |
The following additional components have been certified as part of the Release 9.0.1:
Single Sign-On with COREid 7.0/RSA ClearTrust 5.5
Microsoft Internet Explorer 6.0
Oracle Identity Manager Design Console OS Support
Windows 2003 (all versions)
Windows XP (all versions)
This section describes installation and configuration issues and their workarounds for Oracle Identity Manager Release 9.0.1. It contains the following topics:
SSO Login Fails When "Force to set questions at startup" is TRUE (Issue 5991)
The Attestation Tab is Visible in the Workflow Visualizer (Issue 6071)
An Exception is Thrown When JBoss is Started on Linux (Issue 6087)
Installation Fails When The Database User Name Includes Special Characters (Issue 6220)
Oracle Identity Manager Not Certified for WebSphere 5.1.1.5/SQL Server Configuration (Issue 7135)
Warning Message Displayed During Installation from Distribution Media (Issue 7160)
The Oracle Identity Manager Web client does not support password reset questions in single sign-on mode. Therefore, when the "Force to set questions at startup" flag is set to TRUE, login fails. The workaround for this problem is:
Log into the Design Console as xelsysadm.
Search for the system configuration parameter "Force to set questions at startup", set it to FALSE, then save the change.
Each application server exhibits different behavior when a database connection is lost during execution. While JBoss can automatically re-establish database connection, WebLogic and WebSphere cannot. With WebLogic, you can define settings for testing reserved connections, in which case the connections are established automatically. For WebSphere, you must configure your database for high-availability.
The tab associated with the new Attestation feature is visible in read-only mode within the Workflow Visualizer when you install Oracle Identity Manager without the optional Oracle Identity Manager Auditing and Compliance module. This is to enable transition to the Auditing and Compliance feature.
You can enable the Attestation tab by installing the Auditing and Compliance module.
The second and subsequent times a JBoss application server starts, it attempts to create a table that already exists and throws the following exception: "There is already an object named 'JMS_MESSAGES' in the database". This DEBUG-level message does not have any effect on functionality.
To avoid this message, complete the following steps:
After your JBoss application server has started successfully once, launch a plain-text editor, then navigate to one of the following directories:
jboss_home\server\default\deploy\jms if your environment is unclustered.
jboss_home\server\all\deploy\jms if your environment is clustered.
Open the mssql-jdbc2-service.xml file.
Set the CREATE_TABLES_ON_STARTUP flag to FALSE, then save and close the file. Do not perform the preceding steps until after the initial, successful startup of your JBoss application server.
The Oracle Identity Manager installer fails when you specify a string that includes special characters such as *,-,', or " for the database user name.
The workaround is to ensure that you specify a database user name that meets the following conditions:
All characters are alphanumeric
The first character is a letter
The string does not contain any special characters
Export using the Deployment Manager may experience problems when Internet Explorer is configured to use Microsoft Virtual Machine.
To reset the default Virtual Machine, perform the following steps:
Download and install the Sun JRE 1.4.2_xx from http://java.sun.com/.
Select Tools from the Internet Explorer menu.
Select Internet Options.
Select the Advanced tab.
Scroll down to "Java (Sun)".
Check "Use Java 2 v1.4.2_xx for <applet>".
Scroll down to "Microsoft VM".
Uncheck "Java console enabled" and "Java logging enabled".
Restart the computer.
Note: JRE 1.4.2 is not required to run the Oracle Identity Manager Administrative and User Console; it is only required to run Deployment Manager.
If you are upgrading from a previous version, note that a new foreign key constraint for the adj_parent_key column in the adj table has been added to the Revision 9.0.1 schema. Creation of this constraint may fail during the upgrade process because this logical data dependency was not enforced by the Deployment Utility in the past. Please contact Oracle Support in case of issues with such a failure.
Oracle Identity Manager Release 9.0.1 is not certified for a WebSphere 5.1.1.5/SQL Server configuration.
When you install Oracle Identity Manager 9.0.1 from the distribution media (CD-ROM) in a UNIX/Linux environment, a warning message related to changing permission for del_xl_dir.sh may appear when you select the Oracle Identity Manager application to install. This message can be safely ignored.
Table 2 lists installation and configuration issues that are resolved in Release 9.0.1:
Table 2 Resolved Installation and Configuration issues in Release 9.0.1
Issue # | Description |
---|---|
5480 | Exception Thrown During Installation of Design Console |
5956 | APIs Not Loaded for Oracle Identity Manager API Task in UNIX Environments |
6801 | Cluster property should be set to true in xlconfig.xml for clustered installation |
7094 | Incorrect KeyManagerFactory values for the remote manager installation |
na | Option now available to skip installation of bundled JDK |
This section describes general issues and their workarounds for Oracle Identity Manager Release 9.0.1. It contains the following topics:
Administrative and User Console Client User ID Change Limitations (Issues 5389, 5405)
Errors Occur During Login When a User is Not Assigned to the All Users Group (Issue 5416)
Deployment Manager 8.5 is Not Compatible with Later Releases (Issue 5624)
"Who Has What" Report Requires a Group for a User (Issue 6669)
Errors when Provisioning a Resource to XELSELFREG (Issue 6680)
Exception: ConcurrentModificationException on JBoss 4.0.2 Cluster (Issue 6518)
In WebSphere, Challenge Q&A Link does not Reset Password (Issue 3024)
Design Console displays the "Realm/Cell is Null" Error (Issue 5479)
Oracle Identity Manager client doesn't appear in "Add or Remove Programs" (Issue 6870)
Using Backspace Key in the Design Console Installer on AIX Creates Random Values (Issue 7129)
Object Form's Object Data Values with Different Column Names appear in the Web client (Issue 6612)
Oracle Identity Manager Product and Documentation Refer to Thor and Xellerate (Issue 7142)
Refer to the Oracle Identity Manager API Usage Guide for information on API changes that were introduced as part of Release 9.0.1. Also, refer to the API JavaDocs included with the release for a full description of all implemented interface functionality.
To trigger a task associated with a change to a parent form field, the name of the task must be "field Updated", where field is the name of the parent form field. If the task is not named according to this convention, then it will not be triggered during field update.
The Administrative and User Console currently allows changes to all Oracle Identity Manager user IDs. For this reason, Administrative and User Console users must be careful not to change their own user IDs, or the user IDs of any seeded system users, such as XELSYSADM.
If a user is not assigned to the All Users group, an error occurs when the user attempts to log in. To resolve this issue, assign the user to the All Users group.
You must disable pop-up blockers to ensure proper functionality for the Deployment Manager and Workflow Visualizer components.
Files exported using the Deployment Manager 8.5 cannot be imported with Deployment Manager 8.5.1, 8.5.2, 8.5.3, or 9.0.1. To import files with Deployment Manager 9.0.1, they must also be exported with Deployment Manager 8.5.1, 8.5.2, 8.5.3, 8.5.3.1, or 9.0.1.
Note: Deployment Manager 9.0.1 is backwards-compatible with Deployment Manager 8.5.3, 8.5.2, and 8.5.1. Deployment Manager 8.5.3 is backwards-compatible with Deployment Manager 8.5.2 and 8.5.1. Deployment Manager 8.5.2 is backwards-compatible with Deployment Manager 8.5.1.
When you click the Close button, the session timeout pop-up window for the Deployment Manager and Workflow Visualizer does not close.
When downgrading a form, or removing fields from it, the UPA table entries remain for the removed fields. This is not a common operation.
If the secondary (reporting) database is unavailable during User Profile Audit message processing, the corresponding audit messages fail. To prevent potential loss of audit data, disable the "Re-issue Audit Message Task" scheduled task and contact Oracle Support.
The "Who has What" report assumes "ALL USERS" as the group when a group is not specified for a user search. Target users that do not belong to the "ALL USERS" group do not appear.
There may be JSP errors when attempting to provision a resource to XELSELFREG. Do not modify any settings or assignments for internal system seeded users.
You may notice an exception such as the following in your Oracle Identity Manager Log file. This results from an exception in the MS SQL Server that can be seen in the SQL Server system log using the Computer Event Viewer as "MSDTC recycle". A sample error message follows:
00:38:45,950 WARN [TransactionImpl] XAException: tx=TransactionImpl:XidImpl[FormatId=257, GlobalId=lin4qe02/2020, BranchQual=, localId=2020] errorCode=XAER_RMERR
javax.transaction.xa.XAException: [Microsoft][SQLServer 2000 Driver for JDBC][SQLServer]xa_start (40000) returns -8
This issue is logged with Microsoft as Support Issue SRX06109607041.
The JBoss application server may generate the following exception in a clustered configuration resulting in a cluster failure when replicating session data:
16:43:07,296 ERROR [JBossCacheManager] processSessionRepl: failed with exception: java.util.ConcurrentModificationException
16:43:07,296 WARN [InstantSnapshotManager] Failed to replicate sessionID:GzUYJdxlSLVxS7ssRtvWwQ**.tqx00
Steps to reproduce:
Login as admin user in Web Client.
Click the Reset Password link on the home page and change the password.
Now click the Challenge Q&A link on the home page.
You will be prompted for a password; enter the new password.
It will not accept the new password. It will accept the old password instead.
Note: Do not log out after changing the password until you have verified that the password update was successful.
When the Design Console runs on a machine other than the server, an error dialog box with the message "Realm/cell is Null" is displayed. Close this dialog box for the client to continue running.
The workaround is to change the properties in the AppClient\properties\sas.client.props file.
Original values are:
com.ibm.CORBA.loginSource = prompt
com.ibm.CORBA.loginTimeout = 300
com.ibm.CORBA.securityEnabled = true
com.ibm.CORBA.loginUserid =
com.ibm.CORBA.loginPassword =
Change the values to:
com.ibm.CORBA.loginSource = properties
com.ibm.CORBA.loginTimeout = 300
com.ibm.CORBA.securityEnabled = true
com.ibm.CORBA.loginUserid = xelsysadm
com.ibm.CORBA.loginPassword = xelsysadm
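The effect of this change can be checked on client machines with a short script. The Python below is an added example, not part of Oracle's release notes or product: it parses sas.client.props content and reports when a login password is stored in the file, is not in WebSphere's {xor}-encoded form, equals the user ID, or sits in a file readable by group or others. The function names and finding labels are hypothetical, the property names are the ones listed above (matched case-insensitively), and the two sample inputs are constructed from the listings above.

```python
"""Report credentials embedded in a WebSphere client sas.client.props file."""
import stat

PREFIX = "com.ibm.corba."  # keys are lower-cased before lookup

# Constructed samples: the "original" and "changed" values from the release note.
ORIGINAL = """\
com.ibm.CORBA.loginSource = prompt
com.ibm.CORBA.loginTimeout = 300
com.ibm.CORBA.securityEnabled = true
com.ibm.CORBA.loginUserid =
com.ibm.CORBA.loginPassword =
"""
CHANGED = """\
com.ibm.CORBA.loginSource = properties
com.ibm.CORBA.loginTimeout = 300
com.ibm.CORBA.securityEnabled = true
com.ibm.CORBA.loginUserid = xelsysadm
com.ibm.CORBA.loginPassword = xelsysadm
"""


def parse_props(text):
    """Parse simple key=value / key:value lines; '#' and '!' start comments.

    Simplification: line continuations and whitespace-only separators,
    which the .properties format also allows, are not handled.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates the key from the value.
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0),
                  default=len(line))
        props[line[:cut].strip().lower()] = line[cut + 1:].strip()
    return props


def audit(text, mode=None):
    """Return a list of finding labels for the given file content.

    mode is an optional POSIX st_mode (for example os.stat(path).st_mode);
    leave it as None on Windows, where these permission bits are not meaningful.
    """
    p = parse_props(text)
    user = p.get(PREFIX + "loginuserid", "")
    password = p.get(PREFIX + "loginpassword", "")
    findings = []
    if password:
        findings.append("password-stored-in-file")
        if not password.lower().startswith("{xor}"):
            findings.append("password-not-encoded")
        if password == user:
            findings.append("password-equals-userid")
        if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("file-readable-by-group-or-other")
    if p.get(PREFIX + "securityenabled", "").lower() != "true":
        findings.append("security-not-enabled")
    return findings


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL), ("changed", CHANGED)):
        print(name, audit(sample, mode=0o644))
```
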
Oracle Identity Manager Design Console is not visible in the Control Panel, Add or Remove Programs option. This is to ensure that you can install more than one version of Oracle Identity Manager on a machine, when needed.
Searching Date type UDFs is not supported for user groups, organizations, or resources.
While running the Design Console installer on AIX, if you use the Backspace key, some junk values appear in the text that has been entered. Use only the key that has been set up to erase the text being entered; other keys do not work.
However, sometimes the text might be erased properly on the console but the installer might create directories with control or non-visible characters.
The workaround for this problem is:
To determine which key is set up to erase the text being entered, type the following command:
stty all
If the result shows that "^H" is set up to erase text, use the Control-H key to erase the text. If you want to use the Backspace key for erasing text, then type the following command:
stty erase ^?
After you perform the above steps, you can use the Backspace key to erase the text.
While installing the Remote Manager, on the Remote Manager Configuration page, choose "Yes" for the RMI Over SSL option. Choosing Yes enables you to run the Remote Manager effectively. Non-SSL mode is not supported.
For radio button fields that use a lookup query, the "Column Names" property is redundant and is not used by the Web client, but it is required to save the form. When the query returns more than one column, the first column is the encoded value that is saved to the database and the second column is the decoded value displayed to the user.
When there is only one column in the query, that column becomes both the encoded and decoded value. Hence, when defining a radio button field, specify any column name for the Column Names property so that the form can be saved; the columns actually used are those returned by the query.
The PurgeCache.bat utility fails on Windows systems if the CLASSPATH does not include the log4j libraries. To resolve this issue:
Open the XL_HOME\bin\PurgeCache.bat file in a text editor.
Locate the following statement:
set CLASSPATH=%CLASSPATH%;%XEL_EXT%\crimson.jar;%XEL_EXT%\dom.jar;%XEL_EXT%\oscache.jar;%XEL_EXT%\commons-logging.jar;%XEL_EXT%\javagroups-all.jar
Append the path to the log4j libraries to the preceding statement as follows:
set CLASSPATH=%CLASSPATH%;%XEL_EXT%\crimson.jar;%XEL_EXT%\dom.jar;%XEL_EXT%\oscache.jar;%XEL_EXT%\commons-logging.jar;%XEL_EXT%\javagroups-all.jar;%XEL_EXT%\log4j-1.2.8.jar
This is a transitional release of Oracle Identity Manager following Oracle's acquisition of Thor Technologies. For this reason, some parts of the product and documentation still refer to the original Thor company name and Xellerate product name. For example, Oracle Identity Manager installs to a subdirectory named xellerate beneath the specified installation directory. References to Thor and Xellerate will be rebranded in future releases.
A valid user must be specified for delegation when specifying actions for attestation, or any entered data will be lost when you click the Save button.
The following general issues have been resolved in Release 9.0.1:
Table 3 Resolved General issues in Release 9.0.1
Issue # | Description |
---|---|
4985 | Date Field Default Value Limitation |
5023 | "old value" checkbox may not work for process form/object form fields case |
5242 | Dependency Created Between Two Resources of Different Target Types |
5517 | Exported and Imported Files Cannot Include "sysadm" |
5532 | Dependent approval tasks fail to trigger |
5561 | Config Property to control whether enabling a user enables disabled provisioned resources or not |
5573 | Deployment Manager and Workflow Rendering may not function on SSO configuration |
5591 | Hide system validation confirmation step from user request tracking view |
5604 | When creating a Group or Organization, the user's Group memberships are automatically added as Administrative |
5645 | Deployment Manager won't export Data Object Info |
5709 | Task Assignment rule may fail |
6673 | "Allowed Reports" may not get imported as part of the group |
6713 | Password Policies->Min special characters, Max Special Characters discrepancy |
6732 | Sorting in Reassign of Approval Tasks page may not work in the first two clicks |
6813 | Access Policy may not save value for checkboxes |
6819 | Assignment rules for task do not appear on Workflow Visualizer window |
6829 | Optional property to not include counter values on Administrative and User Console home page for high volume data |
6859 | XIP 9.0 server installer does not handle JVM check correctly |
6884 | Error while importing a group with UDF type Date. |
6886 | API exceptions while bringing up user defined lookup field |
6937 | Exporting Form may not show the Entity Adapter Dependencies |
6945 | Not able to modify the value for checkbox for the process form/object form if default value is "1" |
6993 | Unable to update the permissions to the Reconciliation Manager/Rules object in the user groups. |
7045 | Deployment Manager may fail to notify of password validation failures |
6723 | Changing Application server host name didn't change xlConfig.xml in Design Console installer. |
na | Added protection of authentication module from SQL injection attacks |
na | Added salted CBC encryption option |
na | JAVA_HOME variable for JBoss installation now set automatically |
Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at http://www.oracle.com/accessibility/
Accessibility of Code Examples in Documentation
Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation
This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.
TTY Access to Oracle Support Services
Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day, seven days a week. For TTY support, call 800.446.2398.
Oracle Identity Manager Release Notes, Release 9.0.1
B28075-01
Copyright © 2005, 2006, Oracle. All rights reserved.