Oracle® Identity Manager Release Notes
Release 9.1.0

Part Number E10367-03

August 2008

This document contains release notes for Oracle Identity Manager release 9.1.0 and includes the following topics:

1 Oracle Identity Manager Documentation

The following guides are located on your installation media. You can refer to them for detailed information about Oracle Identity Manager.

Note:

For information about updates to the Oracle Identity Manager release 9.1.0 documentation set, visit Oracle Technology Network at

http://www.oracle.com/technology/documentation/index.html

2 What's New in Oracle Identity Manager Release 9.1.0

The following sections discuss what's new in Oracle Identity Manager release 9.1.0:

2.1 New Features and Enhancements

This section discusses the following new features and enhancements:

2.1.1 Attestation Enhancements

Attestation enhancements in this release can be divided into the following categories:

Attestation Process Configuration Enhancements

The following are attestation process configuration enhancements:

  • The definition of user scope and resource scope can be based on rule-based expressions. These expressions can be used to specify if the scope includes the hierarchy for hierarchical attributes such as organization, user's manager, location, user group, and department.

  • A new multiselect attribute has been introduced for the resource entity. This attribute enables the categorization of resources based on mandate and attestation frequency. This enables administrators to create a regulatory-mandate attestation process.

  • In addition to a specific reviewer or the user's manager, a reviewer that you select can be a resource administrator, resource authorizer, or a named group user.

  • You can configure a grace period for attestation. After the grace period has passed, on the basis of a priority-based algorithm, the attestation request is automatically delegated to a specific user from the attestation process owner group.

Attestation Request Run-Time Enhancements

The following are attestation request run-time enhancements:

  • Attestation requests that are in the Declined state are automatically delegated to a specific user from the attestation process owner group. This enables process owners of the requests to delegate the requests to new reviewers.

  • Attestation reviewer comments are automatically propagated to the associated corrective process tasks.

Attestation Audit and Analytical Enhancements

Administrators can drill down into responses from all historical runs of an attestation process.

2.1.2 New Standard Reports and Exception Reports

Details of new standard reports and exception reports are divided across the following sections:

Standard Reports

The following standard reports have been introduced in this release:

  • Account Activity in Resource

    This report provides details of various user-related provisioning activities including creation and deletion of user account profiles for a given resource.

  • Resource Activity

    This report provides various provisioning-related metrics for a given resource, including the number of users provisioned/deprovisioned, policy retrofits, password resets, requests, and approvals.

  • Reports for Created, Deleted, Disabled, and Unlocked Users

    These reports provide details of users created, deleted or deprovisioned, unlocked, or disabled in a specific time period for specific resources. The details include reasons for these actions.

  • Password Reset Success Failure

    This report provides password reset metrics, including password changes attempted by beneficiaries of other users and the outcome of password reset attempts. The report allows aggregation of password reset metrics by time interval.

  • Delegated Administrators & Permissions By Organization

    This report provides detailed information about administrative user groups, group memberships, and privileges granted to the groups for organizations.

  • Delegated Administrators & Permissions By Resource

    This report provides information about the administrative user groups, including group memberships and the associated privileges granted to the groups for resources.

  • Organization Structure

    This report provides the hierarchical organization structure including all suborganizations identified through a recursive search. The report also includes details of users in the organizations.

  • Requests Details by Status

    This report provides details (such as requester, current approver, and current status) of all requests. In addition, this report displays details of resources that will be provisioned as a result of the request approval.

  • Requests Initiated

    This report provides the current status of all requests initiated during the specified time interval.

  • Task Assignment History

    This report provides the assignment history of tasks.

Exception Reports

The following exception reports have been introduced in this release:

  • Rogue Accounts by Resource

    This report provides details of all rogue accounts for the specified resource. It also includes the attestation data required to determine if the rogue accounts represent accepted exceptions in the system.

  • Fine Grained Entitlement Exceptions By Resource

    This report provides details of all entitlement exceptions for all users of a specified resource. It also includes the corresponding attestation data required to determine if the entitlement exceptions represent accepted exceptions in the system.

2.1.3 Graphical Workflow Designer

The Graphical Workflow Designer module has been added to the Administrative and User Console. This user interface simplifies the creation and maintenance of provisioning and approval workflows, as well as the management of tasks in the Task Library.

For more information, refer to Oracle Identity Manager Administrative and User Console Guide.

2.1.4 Configuration of Multiple Trusted Sources for Reconciliation

From this release onward, you can:

  • Configure multiple target systems as trusted sources for users belonging to specific user types.

    For example, Microsoft Active Directory is used as the trusted source for information about users belonging to the Contractor user type, and Oracle e-Business Suite is used as the trusted source for information about users belonging to the Employee user type.

  • Configure multiple target systems as trusted sources for different attributes of the OIM User.

    For example, Microsoft Active Directory is used as the trusted source for employees' first names and last names, and IBM Lotus Notes is used as the trusted source for employees' e-mail addresses.

For more information, refer to Oracle Identity Manager Design Console Guide.

Note:

If you are using a predefined connector, then refer to the Oracle Identity Manager Connector Pack release notes and documentation to determine whether or not this feature is supported for the release of the connector that you are using.

2.1.5 Group Profile Auditing

Group profile auditing features have been included in this release. Like the user profile auditing module, the group profile auditing module includes changes to group profile attributes, group administrators, and direct subgroups.

For more information, refer to Oracle Identity Manager Audit Report Developer's Guide.

2.1.6 SPML Web Service

The SPML Web Service is an interface for inbound SPML-based provisioning requests. This Web service supports the creation, modification, deletion, and lookup of OIM Users, user groups and organizations. It also provides features for managing references (such as assignment and revocation of group memberships), reset of user passwords, and disabling and reenabling of user accounts.

Note:

The SPML Web Service supports the SPML v2.0 specification.

For more information about this feature, refer to Oracle Identity Manager Tools Reference.

2.2 Reduced Need for Customization

This section discusses features that reduce the need for customization:

2.2.1 Password Policy Management Enhancements

The enhanced password policy management feature provides various options for defining and associating complex password policies with resource objects.

For more information, refer to Oracle Identity Manager Design Console Guide.

2.2.2 Display of Adapter-Related Error Messages on the Administrative and User Console

You can create and enable the display of custom error messages for adapter-related operations on the Administrative and User Console. This enhancement makes it easy to identify the cause of errors encountered during adapter operations.

For information about this feature, refer to Oracle Identity Manager Design Console Guide and Oracle Identity Manager Tools Reference Guide.

2.3 Ease of Deployment

The following new features are related to the ease of deployment:

2.3.1 Installing Connectors by Using the Administrative and User Console

In earlier releases, the procedure to deploy predefined connectors required you to manually perform the tasks that constitute the deployment procedure. From this release onward, the major deployment tasks are automated when you use the connector installation pages of the Administrative and User Console.

Note:

For more information, refer to Oracle Identity Manager Administrative and User Console Guide.

Before you use the Administrative and User Console to install a predefined connector, refer to the Oracle Identity Manager Connector Pack release notes and documentation to determine whether or not the automated installation of that release of the connector is supported.

2.3.2 Generic Technology Connector Enhancements

Enhancements made to this release of the generic technology connector framework can be divided into the following categories:

See Also:

Oracle Identity Manager Administrative and User Console Guide for detailed information about generic technology connectors

2.3.2.1 Framework Enhancements

This section discusses the following generic technology connector framework enhancements:

Metadata Detection and Definition

The following are metadata detection and definition enhancements:

  • Support for manual definition of metadata

    The unavailability of sample target system data does not stop you from creating a generic technology connector. If metadata detection does not take place, you can manually create fields and field mappings and then complete the connector creation process.

  • Support for new field types

    You can designate user attribute fields as lookup fields. In addition, you can assign password-like properties to fields. These new features of the generic technology connector framework are the same as those available through the Design Console.

  • Display of all OIM User attributes on the Step 3: Modify Connector Configuration page

    On the Step 3: Modify Connector Configuration page, the OIM - User data set now shows all the OIM User attributes. In the earlier release, the display of fields was restricted to the ones that were most commonly used.

  • Enhanced features for adding or editing fields on the Step 3: Modify Connector Configuration page

    An enhanced set of validations is applied when you add or edit fields on the Step 3: Modify Connector Configuration page. In addition, the options that are available on the Form Designer form of the Design Console are now available when you add or edit fields.

  • Attributes of the ID field are editable

    On the Step 3: Modify Connector Configuration page, you can modify some of the attributes of the ID field. The ID field stores the value that uniquely identifies a user in Oracle Identity Manager and in the target system.

Data Transformations

The following are data transformation enhancements:

  • Transformation providers

    The Concatenation Transformation Provider and Translation Transformation Provider are predefined providers that are shipped with this release. In addition, you can create custom Transformation Providers.

  • Support for provisioning and reconciliation date formats

    You can specify the format in which date values can be accepted by the generic technology connector during reconciliation. In addition, you can specify the format into which date values must be converted before they are sent to the target system during provisioning.

Reconciliation

The following are reconciliation enhancements:

  • Trusted source reconciliation

    You can configure a generic technology connector for trusted source reconciliation.

  • User account status reconciliation

    User account status information is used to track whether or not the owner of a target system account is to be allowed to access and use the account. You can use a generic technology connector to implement user account status reconciliation.

  • Reconciliation of Multivalued Attribute Data (Child Data) Deletion

    You can specify whether or not you want to reconcile into Oracle Identity Manager the deletion of multivalued attribute data on the target system.

  • Support for the "Multiple Trusted Source Reconciliation" feature

    As mentioned earlier in this section, the "Multiple Trusted Source Reconciliation" feature has been introduced in this release of Oracle Identity Manager. Generic technology connectors that you create have built-in support for this feature.

Provisioning

The following is a provisioning enhancement:

Provisioning is triggered when values of any OIM - User fields are changed. In other words, if you create mappings between fields of the OIM - User data set and fields of the Provisioning Staging data set, then provisioning is triggered for changes made in any field of the OIM User.

Support for Custom Provider Development

If the predefined providers do not address your provider requirements, then you can create and use custom providers. This release includes comprehensive documentation, Javadocs, and samples that you can use while creating custom providers.

Task Automation

The following are task automation enhancements:

  • Support for automatic adapter compilation

    In the earlier release, you had to manually compile the adapter that is created when a generic technology connector is created. From this release onward, the adapter is automatically compiled after the generic technology connector is created.

  • Automatic purging of cache

    Provider cache is automatically purged if an error occurs during generic technology connector creation. You need not restart Oracle Identity Manager to clear the cache before you can retry creating a generic technology connector.

2.3.2.2 Predefined Provider Enhancements

This section discusses the following predefined provider enhancements:

SPML Provisioning Format Provider enhancements

The SPML Provisioning Format Provider is SOAP-compatible, and it can send and receive SPML requests and responses that are based on the SPML v2.0 specification.

Web Services Provisioning Transport Provider enhancements

The Web Services Provisioning Transport Provider can be used to communicate over Secure Sockets Layer (SSL) with a target system Web service. The SOAP message sent through this provider can be authenticated using either WS-Security authentication or custom authentication.

Support for Provisioning Operations on a Target Oracle Identity Manager Installation

A generic technology connector in which you include the SPML Provisioning Format Provider can be used to perform provisioning operations on a target Oracle Identity Manager installation.

Flat-File Reconciliation Enhancements

The metadata detection process has been enhanced to enable the display of error messages for certain types of errors. You can extend this functionality to include custom error messages.

2.3.3 Creating and Managing IT Resources and Scheduled Tasks by Using the Administrative and User Console

In earlier releases, functionality to create and manage IT resources and scheduled tasks was available only in the Design Console. From this release onward, this functionality is also available in the Administrative and User Console.

For more information, refer to Oracle Identity Manager Administrative and User Console Guide. Specific features of this functionality that are available only in the Design Console are listed in the sections of Oracle Identity Manager Administrative and User Console Guide that discuss these features.

2.4 Others

This section discusses additional enhancements made in this release:

2.4.1 Enhanced Multilanguage Support

The Danish language has been added to the list of supported languages. Refer to the "Certified Languages" section for the complete list of supported languages.

2.4.2 Managing the Display of Open Tasks

The Remove Open Tasks scheduled task has been introduced to manage the removal of references to pending approval and open tasks after a user-specified amount of time. This feature helps speed up the retrieval and display of tasks on the Welcome, Pending Approval, and Open Task pages of the Administrative and User Console. Note that the pending approval and open tasks are not removed from the system. On the Tracking Request page, you can still search for and display tasks whose references have been removed.

For more information, refer to Oracle Identity Manager Administrative and User Console Guide.

2.4.3 Automated Adapter Compilation

From this release onward, adapters are compiled automatically when you import connector XML files by using the Deployment Manager.

For information about this feature, refer to Oracle Identity Manager Tools Reference.

2.4.4 Diagnostic Dashboard Enhancements

The following tests have been added to the set of tests that you can run by using the Diagnostic Dashboard utility:

  • Test Basic Connectivity

  • Test Provisioning

  • Test Reconciliation

Note:

For more information, refer to Oracle Identity Manager Administrative and User Console Guide.

If you want to run these tests on a predefined connector, then first refer to the Oracle Identity Manager Connector Pack release notes and documentation for information about whether or not these tests are supported for the connector.

2.4.5 Support for Java 2 Security

From this release onward, Oracle Identity Manager supports Java 2 Security. For instructions to implement Java 2 Security, refer to the Oracle Identity Manager Installation and Configuration Guide for the application server that you use.

2.4.6 Multiple JMS Queues

In earlier releases, Oracle Identity Manager used a single JMS queue (named xlQueue) for all asynchronous operations including requests, reconciliation, attestation, and offline tasks. From this release onward, by default, Oracle Identity Manager uses separate JMS queues for specific operations to optimize JMS queue processing.

For more information, refer to the Oracle Identity Manager Installation and Configuration Guide for the application server that you use.

2.4.7 Task Archival Utility

The Task Archival utility is a command-line interface utility that archives completed tasks from the active task tables.

For more information, refer to Oracle Identity Manager Best Practices Guide.

2.4.8 User Account Status Reconciliation

From this release onward, you can configure user account status reconciliation for trusted sources and target resources. For details, refer to Oracle Identity Manager Design Console Guide and Oracle Identity Manager Administrative and User Console Guide.

2.4.9 Enhancements in Certified Components

In this release, the following components have been added to the list of certified components:

  • IBM WebSphere Application Server 6.1.0.9

  • Microsoft Internet Explorer 7.0

2.4.10 Instructions to Configure SSL for the Design Console

Instructions to configure SSL communication with the Design Console have been documented in the "Installing and Configuring the Oracle Identity Manager Design Console" chapter of the Oracle Identity Manager Installation and Configuration Guide for the application server that you use.

2.4.11 Instructions to Configure the Advanced Queuing (AQ) Feature for JMS Queues

Instructions on configuring database-based storage of JMS queues are provided in the "Setting Up Database-Based Storage of JMS Queues (Recommended)" section of Oracle Identity Manager Installation and Configuration Guide for Oracle Application Server.

3 Certified Components

This section identifies components certified with Oracle Identity Manager release 9.1.0 and contains the following topics:

3.1 Certified Operating Systems

Oracle Identity Manager release 9.1.0 is certified for the following operating systems:

  • AIX 5L Version 5.3 (pSeries 64-bit)

  • Microsoft Windows Server 2003 R2

  • Microsoft Windows Server 2003 R2 (EMT/AMD/IA 64-bit)

  • Oracle Enterprise Linux Release 4

  • Oracle Enterprise Linux Release 4 (EMT/AMD 64-bit)

  • Oracle Enterprise Linux Release 5

  • Oracle Enterprise Linux Release 5 (EMT/AMD 64-bit)

  • Oracle Virtualization Server - EL4

  • Red Hat Enterprise Linux AS Release 4

  • Red Hat Enterprise Linux AS Release 4 (EMT/AMD/IA 64-bit)

  • Solaris Operating System 10 (UltraSparc 64-bit)

  • HP-UX 11.23 (PA-RISC/IA 64-bit)

  • SUSE Linux Enterprise Server 10

  • SUSE Linux Enterprise Server 10 (EMT/AMD/IA 64-Bit)

3.2 Certified Application Servers

Oracle Identity Manager release 9.1.0 is certified for the following application servers:

  • BEA WebLogic Server 8.1 SP6 and later service packs

  • IBM WebSphere Application Server 6.1.0.9 and later fix packs (that is, 6.1.0.11 and later)

  • JBoss Application Server 4.0.3 SP1 and later service packs

    Note:

    In Oracle Identity Manager release 9.1.0, JBoss Application Server supports only nonclustered environments.

  • Oracle Application Server 10.1.3.3 (Upgrade patch 10.1.3.3 applied on top of the base package bundled in Oracle SOA Suite 10g Release 10.1.3.1)

3.3 Certified Databases

Oracle Identity Manager release 9.1.0 is certified for the following databases:

  • Oracle Database Deployment

    • Oracle9i Database Enterprise Edition release 9.2.0.7 and later patch sets (that is, 9.2.0.8 and later)

    • Oracle Database 10g Enterprise Edition releases:

      • 10.1.0.5 and later patch sets (that is, 10.1.0.6 and later)

      • 10.2.0.1 and later patch sets (that is, 10.2.0.2 and later)

    • Oracle Database 10g Standard Edition release 10.2.0.3

    • Oracle Database 11g Standard Edition release 11.1.0.6 and later patch sets

    • Oracle Database 11g Enterprise Edition release 11.1.0.6 and later patch sets

  • Oracle RAC Deployment

    • Oracle Database 10g Enterprise Edition release 10.2.0.3 and later patch sets

    • Oracle Database 11g Enterprise Edition release 11.1.0.6 and later patch sets

Note:

Oracle Identity Manager release 9.1.0 does not support Microsoft SQL Server 2005.

3.4 Certified JDKs

For each certified application server, Oracle Identity Manager release 9.1.0 is certified for the JDKs listed in Table 1.

Table 1 Certified JDKs

| Application Server | Certified JDK |
|---|---|
| BEA WebLogic Server | For Microsoft Windows: Sun JDK 1.4.2_15 and later (that is, 1.4.2_x); BEA jrockit_R27.3.1-jdk 1.4.2_14 and later (that is, 1.4.2_x). For Linux: BEA jrockit_R27.3.1-jdk 1.4.2_14 and later (that is, 1.4.2_x) |
| IBM WebSphere Application Server | IBM JDK 1.5.0 and later (supported with IBM WebSphere) |
| JBoss Application Server | Sun JDK 1.4.2_15 and later (that is, 1.4.2_x) |
| Oracle Application Server | Sun JDK 1.5.0_06 and later; Sun JDK 1.5.0_12 and later (for Microsoft Windows Vista Ultimate only); IBM JDK 1.5.0 and later, included with Oracle Application Server (for AIX only) |


3.5 Certified Configurations

Oracle Identity Manager release 9.1.0 is certified for the configurations listed in Table 2.

Note:

Unless stated otherwise, the configurations listed in Table 2 are certified for both clustered and nonclustered configurations.

For information about the certified releases of application servers and databases, refer to the "Certified Application Servers" and "Certified Databases" sections.

Table 2 Certified Configurations for Release 9.1.0

| Operating System | Application Server | Database | Languages |
|---|---|---|---|
| AIX | IBM WebSphere Application Server | Oracle Database | All 10 administrative languages and Danish |
| AIX | Oracle Application Server | Oracle Database | All 10 administrative languages and Danish |
| Microsoft Windows Server | BEA WebLogic Server | Oracle Database | All 10 administrative languages and Danish |
| Microsoft Windows Server | IBM WebSphere Application Server | Oracle Database | All 10 administrative languages and Danish |
| Microsoft Windows Server | JBoss Application Server (Note: For nonclustered environments only.) | Oracle Database | All 10 administrative languages and Danish |
| Microsoft Windows Server | Oracle Application Server | Oracle Database | All 10 administrative languages and Danish |
| Microsoft Windows Vista Ultimate | Oracle Application Server (Refer to the note after this table for additional information about the Microsoft Windows Vista and Oracle Application Server combination.) | Oracle Database | All 10 administrative languages and Danish |
| Oracle Enterprise Linux | Oracle Application Server | Oracle Database | All 10 administrative languages and Danish |
| Oracle Virtualization Server | Oracle Application Server | Oracle Database | All 10 administrative languages and Danish |
| Red Hat Enterprise Linux AS | BEA WebLogic Server | Oracle Database | All 10 administrative languages and Danish |
| Red Hat Enterprise Linux AS | IBM WebSphere Application Server | Oracle Database | All 10 administrative languages and Danish |
| Red Hat Enterprise Linux AS | JBoss Application Server (Note: For nonclustered environments only.) | Oracle Database | All 10 administrative languages and Danish |
| Red Hat Enterprise Linux AS | Oracle Application Server | Oracle Database | All 10 administrative languages and Danish |
| Solaris Operating System | BEA WebLogic Server | Oracle Database | All 10 administrative languages and Danish |
| Solaris Operating System | JBoss Application Server (Note: For nonclustered environments only.) | Oracle Database | All 10 administrative languages and Danish |
| Solaris Operating System | Oracle Application Server | Oracle Database | All 10 administrative languages and Danish |
| Solaris Operating System | IBM WebSphere Application Server | Oracle Database | All 10 administrative languages and Danish |
| HP-UX | Oracle Application Server | Oracle Database | All 10 administrative languages and Danish |
| SUSE Linux Enterprise 10 | Oracle Application Server | Oracle Database | All 10 administrative languages and Danish |
| SUSE Linux Enterprise 10 | JBoss Application Server (Note: For nonclustered environments only.) | Oracle Database | All 10 administrative languages and Danish |


Note:

  • For the production deployment of Oracle Identity Manager, you must configure Oracle AQ as the JMS provider. Because of Bug 6718332, Oracle AQ-based JMS cannot be configured on Microsoft Vista at this time. Microsoft Vista is, therefore, supported for only nonclustered development environments with file-based JMS.

  • To update Oracle Application Server JDKs for DST 2007 compliance, you must use the appropriate time zone update utility from your JDK vendor. For information about using JDK vendor time zone update utilities, refer to Note 414153.1 on the OracleMetaLink Web site.

    You can access the OracleMetaLink Web site at

    https://metalink.oracle.com/

3.6 Certified Design Console Operating Systems

The Design Console of Oracle Identity Manager release 9.1.0 is certified on the following operating systems:

  • Microsoft Windows Server 2003

  • Microsoft Windows XP

  • Microsoft Windows Vista Ultimate, for an Oracle Identity Manager installation on Oracle Application Server running on Microsoft Windows Vista Ultimate

3.7 Certified Remote Manager Operating Systems

The Remote Manager of Oracle Identity Manager release 9.1.0 is certified on the following operating systems:

Note:

The 64-bit operating systems mentioned in the following list are supported only with 32-bit JDK.

  • Microsoft Windows Server 2003 R2

  • Microsoft Windows Server 2003 R2 (EMT/AMD 64-bit)

  • Oracle Enterprise Linux Release 4

  • Oracle Enterprise Linux Release 4 (EMT/AMD 64-bit)

  • Oracle Enterprise Linux Release 5

  • Oracle Enterprise Linux Release 5 (EMT/AMD 64-bit)

  • Red Hat Enterprise Linux AS Release 4

  • Red Hat Enterprise Linux AS Release 4 (EMT/AMD/IA 64-bit)

  • Solaris Operating System 10 (UltraSparc 64-bit)

  • HP-UX 11.23 (PA-RISC/IA 64-bit)

  • SUSE Linux Enterprise Server 10

  • SUSE Linux Enterprise Server 10 (EMT/AMD/IA 64-Bit)

3.8 Certified Single Sign-On Components

Oracle Identity Manager release 9.1.0 is certified for Single Sign-On with the following components:

  • Oracle Access Manager 10.1.4.0.1 (formerly known as Oracle COREid) using both ASCII and non-ASCII character logins.

    Note:

    Single Sign-On with Oracle Access Manager 10.1.4.0.1 for non-ASCII character logins requires an Oracle Access Manager patch. Contact your Oracle Support representative and refer to Bug 5552617 for information about the appropriate Oracle Access Manager patch.

  • OracleAS Single Sign-On 10g 10.1.4.0.1 for both ASCII and non-ASCII character logins.

  • RSA ClearTrust 5.5 for ASCII character logins only.

See Also:

Oracle Identity Manager Best Practices Guide for additional information about configuring Single Sign-On for Oracle Identity Manager with Oracle Access Manager and OracleAS Single Sign-On

3.9 Certified Languages

Oracle Identity Manager release 9.1.0 is certified for the following languages:

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Danish

  • English

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Portuguese (Brazilian)

    The combination of the Portuguese (Brazilian) locale and IBM WebSphere Application Server is not supported. For more information, refer to APAR IZ01077 on the IBM WebSphere Application Server Web site.

  • Spanish

See Also:

Oracle Identity Manager Globalization Guide for detailed information about Oracle Identity Manager globalization support

3.10 Certified Web Browsers

Oracle Identity Manager release 9.1.0 is certified for Microsoft Internet Explorer 6.0 (SP2) and Internet Explorer 7 with SUN Java Plug-in 1.4.2_xx.

4 Resolved Issues

Oracle Identity Manager release 9.1.0 resolves the known issues from previous releases listed in Table 3.

Table 3 Issues Resolved by Release 9.1.0

Bug # Description

5180356

The maximum length for the name of a group was limited to 30 characters. In release 9.1.0, this field size has been increased to 2000.

5180622

Disabled users could be assigned as approvers.

5345236

Resource dependencies were not correctly displayed by the Deployment Manager.

5355907

In Historical reports, the User Status filter of the search results displayed the historical status in addition to the current status of the user. It should display only the current status of the user.

5472481

The Resource Access List report would retrieve records of deleted users.

5473780

When you shut down Oracle Application Server, the shutdown process does not continue until it times out.

5572632

List entries on User Defined Forms (UDFs) were not correctly ordered.

5582818

When using the Request Wizard, status-based filtering was not supported.

5635699

On some pages of the Administrative and User Console, users' first and last names were not displayed along with the user ID.

5722940

If a target user in a request was disabled while the request was pending approval, then the user was still provisioned with the resource after the approvals were completed.

5738024

When a user was deleted, resource objects associated with the user were not revoked.

5749592

Expand the input parameters for Resource Access List report to include UDF fields.

5740274, 5741955, 5741957, 5572825

If the User ID Reuse property was enabled, then the user could not:

  • Create requests (during both Create User and Self-Service Request operations)

  • Be assigned as a proxy

  • Have their account unlocked by the Oracle Identity Manager administrator if their account were locked after multiple login attempts with incorrect passwords

5751018

A single user was not allowed to belong to more than 1000 groups, through either direct or indirect group membership.

5850591

Menu items were displayed in inconsistent order on the Assign Menu Item page.

5855534

The CSV Export Reporting feature did not support data filtering based on UDF input parameters.

5881279

In the Administrative and User Console, users could not cancel a rejected task.

5894269

Child table data was not updated completely after reconciliation.

5900783

The All parameter for the PurgeCache utility was case-sensitive.

5906333

When parent objects were approved, corresponding child (dependent) objects in the same request that were in the Waiting state were not provisioned.

5946898

When you reassigned an open task to a group, the TableGenerator_jsp exception was thrown.

5950480

On the Search Member Groups and Search Member Users pages, the UDF search criteria were not supported.

5958717

The current status of the Xellerate Organization resource object would not reflect the most recent status change.

5960996

For an Oracle Identity Manager installation running on Oracle Application Server, an appropriate error message is displayed when you try to log in with an expired password.

5962155

On the Resource Detail page, resources with the Waiting status were not displayed when you selected the Users Associated With This Resource menu item under Resource management.

5966360

For lookups on Oracle Identity Manager wizard forms, the attributes on which lookup values could be filtered were not configurable.

5972327

If a target organization in a request were disabled while the request was pending approval, then the organization was still provisioned with the resource after the approvals were completed.

5973216

The Employee type was not displayed in decoded form when using the lookup query.

6007987

The Oracle Identity Manager Installer did not enforce confirmation of the WebLogic Administrative Console password when the Confirm Password value was not provided.

6010176

Some reconciliation events could not be processed and remained in Event Received state after reconciliation completion.

6011557

When a resource was provisioned for a user through a request, the request ID was not displayed on the User Resource Profile page.

6012554

Under Resource Management in the Administrative and User Console, the "User Associated with this Resource" selection may display duplicate entries.

6017967

When an e-mail definition was opened from the search done on an empty Email Definition form, the variable targets were not refreshed and process data information could not be added to the e-mail definition.

6019070

Information about using the "Increasing the Oracle Application Server Heap Size" setting has been documented in Oracle Identity Manager Installation and Configuration Guide for Oracle Application Server.

6021828, 6071356

The "Request More Information" actions, such as Include Add Comments, Change Request Status, and Send Notification to Requester, were not successful.

6030253

In the User Profile History report, records other than those effective for the specified date range were displayed.

6031304

On the My Request page, users could not filter requests against the "Request Raised for me" criterion.

6037360

During attestation process definition, the user's resource status could not be used as the attestation resource scope. In addition, the attestation process scope included the "Revoked" and "Waiting" statuses when the resource status scope was not defined.

6041881

When a proxy user rejected a request, the approval details were updated with the original approver instead of the proxy. In addition, the rejected task could not be reassigned to another user.

6055618

Creation of rules for User Defined Fields for self-registration was not supported.

6055716

Creation of rules for using the Organization Name attribute as an element for self-registration was not supported.

6073842

When an approver requested additional information from a user after the manager's approval, the approval sequence showed that the manager's approval was completed by the approver and not by the manager.

6194484

The User Profile Audit post processor failed to correctly update the data in the reporting table when the original user profile data was missing.

6369028

If an approval process denied a parent resource object for an organization, then the dependent resource object was not automatically revoked.

6378508

While defining approval tasks, request-related e-mail definitions were not displayed.


5 Known Issues and Workarounds

This section describes known issues for Oracle Identity Manager release 9.1.0. If a suitable workaround exists for a known issue, it is listed with the description of the issue to provide a temporary solution.

This section contains the following topics:

5.1 Installation Known Issues

This section describes known issues related to the installation of Oracle Identity Manager release 9.1.0 components. This section contains the following topics:

5.1.1 Encrypting Oracle Identity Manager Database Password in the xell-ds.xml File for JBoss Application Server (Bug 6472946)

By default, JBoss Application Server does not encrypt data source passwords, as described in the JBoss document at

http://wiki.jboss.org/wiki/Wiki.jsp?page=EncryptingDataSourcePasswords

This section describes how to encrypt the Oracle Identity Manager database password in JBoss Application Server deployments. Specifically, you must perform the following steps to manually encrypt a password, and then modify the xell-ds.xml and login-config.xml files so that they can access the encrypted form of the password instead of the clear text version:

  1. Open a console window and navigate to the JBOSS_HOME directory.

  2. Run one of the following commands to encrypt the Oracle Identity Manager database password. In this command, replace password with the actual password that you want to encrypt.

    UNIX/Linux

    java -cp "JBOSS_HOME/lib/jboss-jmx.jar:lib/jboss-common.jar:server/default/lib/jboss-jca.jar:server/default/lib/jbosssx.jar" org.jboss.resource.security.SecureIdentityLoginModule password
    

    Microsoft Windows

    java -cp "JBOSS_HOME/lib/jboss-jmx.jar;lib/jboss-common.jar;server/default/lib/jboss-jca.jar;server/default/lib/jbosssx.jar" org.jboss.resource.security.SecureIdentityLoginModule password
    
  3. The command you run in the previous step returns an encoded form of the password you specify. For example, the password Welcome1 is encoded as 3146f9cc50afd6a6df8592078de921bc. Highlight and copy the encoded password.

  4. Open the JBOSS_HOME/server/default/deploy/xell-ds.xml file in a text editor.

  5. Delete the <user-name> and <password> elements from the <local-tx-datasource> element.

  6. Add the following <security-domain> element to the end of the <local-tx-datasource> element:

    <security-domain>EncryptDBPassword</security-domain>
    
  7. Delete the <xa-datasource-property name="User"> and <xa-datasource-property name="Password"> elements from the <xa-datasource> element.

  8. Add the following <security-domain> element to the end of the <xa-datasource> element:

    <security-domain>EncryptXADBPassword</security-domain>
    
  9. Save and close the JBOSS_HOME/server/default/deploy/xell-ds.xml file.

  10. Open the JBOSS_HOME/server/default/conf/login-config.xml file in a text editor.

  11. Add the following elements to the <application-policy> element:

    Note:

    Replace datasource_username with the datasource user name and encoded_password with the encoded password you copy in Step 3.

    <application-policy name = "EncryptDBPassword">
     <authentication>
      <login-module code = "org.jboss.resource.security.SecureIdentityLoginModule" flag = "required">
       <module-option name = "username">datasource_username</module-option>
       <module-option name = "password">encoded_password</module-option>
       <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=jdbc/xlDS</module-option>
      </login-module>
     </authentication>
    </application-policy>
    
    <application-policy name = "EncryptXADBPassword">
     <authentication>
      <login-module code = "org.jboss.resource.security.SecureIdentityLoginModule" flag = "required">
       <module-option name = "username">datasource_username</module-option>
       <module-option name = "password">encoded_password</module-option>
       <module-option name = "managedConnectionFactoryName">jboss.jca:service=XATxCM,name=jdbc/xlXADS</module-option>
      </login-module>
     </authentication>
    </application-policy>
    
  12. Save and close the JBOSS_HOME/server/default/conf/login-config.xml file.
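The following check is an added example, not part of the Oracle release notes or of JBoss. It verifies the outcome of steps 5 through 11: no credentials remain in xell-ds.xml, and each security domain resolves to a SecureIdentityLoginModule policy bound to the matching connection factory. The sample XML, the user name oimuser, and the hex-format test for the encoded password are assumptions; the encoded value is the Welcome1 example from step 3.

```python
import re
import xml.etree.ElementTree as ET

SECURE_MODULE = "org.jboss.resource.security.SecureIdentityLoginModule"
# Heuristic (assumption): the encoded password is a hex string, as in the page's example.
ENCODED_RE = re.compile(r"-?[0-9a-fA-F]+")


def secure_policies(login_config_xml):
    """Return {policy name: {module-option name: value}} for SecureIdentityLoginModule."""
    policies = {}
    for policy in ET.fromstring(login_config_xml).iter("application-policy"):
        for module in policy.iter("login-module"):
            if (module.get("code") or "").strip() == SECURE_MODULE:
                policies[policy.get("name")] = {
                    opt.get("name"): (opt.text or "").strip()
                    for opt in module.iter("module-option")
                }
    return policies


def audit(ds_xml, login_config_xml):
    """Return a list of findings; an empty list means the procedure was applied fully."""
    findings = []
    policies = secure_policies(login_config_xml)
    root = ET.fromstring(ds_xml)
    for ds in list(root.iter("local-tx-datasource")) + list(root.iter("xa-datasource")):
        jndi = (ds.findtext("jndi-name") or "?").strip()
        # Steps 5 and 7: no credentials may remain in the data source definition.
        for tag in ("user-name", "password"):
            if ds.find(tag) is not None:
                findings.append(f"{jndi}: <{tag}> still present in xell-ds.xml")
        for prop in ds.findall("xa-datasource-property"):
            if prop.get("name") in ("User", "Password"):
                findings.append(f"{jndi}: xa-datasource-property {prop.get('name')} still present")
        # Steps 6 and 8: the data source must point at a security domain.
        domain = (ds.findtext("security-domain") or "").strip()
        if not domain:
            findings.append(f"{jndi}: no <security-domain> element")
            continue
        # Step 11: that domain must be backed by SecureIdentityLoginModule.
        opts = policies.get(domain)
        if opts is None:
            findings.append(f"{jndi}: no SecureIdentityLoginModule policy named {domain}")
            continue
        if opts.get("username", "") in ("", "datasource_username"):
            findings.append(f"{domain}: username option is empty or still the placeholder")
        if not ENCODED_RE.fullmatch(opts.get("password", "")):
            findings.append(f"{domain}: password option is not an encoded value")
        # The policy must be bound to the connection factory of this data source.
        if not opts.get("managedConnectionFactoryName", "").endswith(f"name={jndi}"):
            findings.append(f"{domain}: managedConnectionFactoryName does not match {jndi}")
    return findings


# Constructed sample input: the user name and file contents are made up.
DS_BEFORE = """<datasources>
  <local-tx-datasource>
    <jndi-name>jdbc/xlDS</jndi-name>
    <user-name>oimuser</user-name>
    <password>Welcome1</password>
  </local-tx-datasource>
  <xa-datasource>
    <jndi-name>jdbc/xlXADS</jndi-name>
    <xa-datasource-property name="User">oimuser</xa-datasource-property>
    <xa-datasource-property name="Password">Welcome1</xa-datasource-property>
  </xa-datasource>
</datasources>"""

DS_AFTER = """<datasources>
  <local-tx-datasource>
    <jndi-name>jdbc/xlDS</jndi-name>
    <security-domain>EncryptDBPassword</security-domain>
  </local-tx-datasource>
  <xa-datasource>
    <jndi-name>jdbc/xlXADS</jndi-name>
    <security-domain>EncryptXADBPassword</security-domain>
  </xa-datasource>
</datasources>"""


def login_config(password):
    """Build a constructed login-config.xml holding the two policies from step 11."""
    policy = """<application-policy name="{name}"><authentication>
      <login-module code="{code}" flag="required">
        <module-option name="username">oimuser</module-option>
        <module-option name="password">{password}</module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:service={cm},name={jndi}</module-option>
      </login-module></authentication></application-policy>"""
    pairs = [("EncryptDBPassword", "LocalTxCM", "jdbc/xlDS"),
             ("EncryptXADBPassword", "XATxCM", "jdbc/xlXADS")]
    body = "".join(policy.format(name=n, code=SECURE_MODULE, password=password, cm=c, jndi=j)
                   for n, c, j in pairs)
    return f"<policy>{body}</policy>"


if __name__ == "__main__":
    print(audit(DS_BEFORE, login_config("3146f9cc50afd6a6df8592078de921bc")))
```

SecureIdentityLoginModule encodes with a fixed key built into the class, so a clean result does not remove the need for restrictive file permissions on login-config.xml.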

5.1.2 Installer Program Does Not Verify WebLogic Server Name (Bug 5389372)

During installation on BEA WebLogic, the Oracle Identity Manager Installer does not verify the application server name. If you enter the wrong BEA WebLogic server name, then the installation process fails at the end.

For example, suppose you want to install Oracle Identity Manager on a BEA WebLogic installation named myWebLogic. On the Weblogic Application Server Information page of the Installer, you enter the IP address for myWeblogic, but incorrectly enter yourWebLogic as the name of the application server. The Installer begins the installation process although the application server name is incorrect, and the installation process fails at the end.

To avoid this issue, when installing Oracle Identity Manager, double-check the name of the BEA WebLogic Server installation that you enter.

5.1.3 Inaccurate Error Message Displayed When Canceling the Oracle Identity Manager Server Installation (Bug 5401425)

Clicking the Cancel button while Oracle Identity Manager is being installed results in the display of the following error message:

The current operation cannot be cancelled.

You can ignore this error message. Clicking the Cancel button does stop the Oracle Identity Manager server installation process.

5.1.4 Installation Fails When the Database User Name Includes Special Characters (Bug 5563636)

The Oracle Identity Manager Installer fails when you specify a string that includes any of the following special characters for the database user name:

  • Asterisks (*)

  • Commas (,)

  • Hyphens (-)

  • Apostrophes or single quotation marks (')

  • Double quotation marks (")

To avoid this issue, you must specify a database user name that meets the following criteria:

  • All characters are alphanumeric.

  • The first character is a letter.

  • Special characters are not included.

5.1.5 Installer Window May Not Get Focus On Startup (Bug 6373008)

When the language selection window opens on starting the Oracle Identity Manager Installer, the window may not get the focus while there are other open windows on the same computer. You must click the Installer window in the taskbar and then continue with the installation process by selecting a language.

5.1.6 "Null input buffer" Exception Thrown During Installation Can Be Ignored

During installation, the Null input buffer exception thrown while attempting to encrypt empty or NULL fields can be safely ignored.

5.2 General Known Issues

This section describes known issues related to the general run-time operation of Oracle Identity Manager release 9.1.0, including known issues for Oracle Identity Manager server and known issues for the Administrative and User Console not related to reporting.

This section contains the following topics:

5.2.1 Exception May Be Thrown While Using SSO to Log In to Administrative and User Console When Oracle Identity Manager Is Installed in a UNIX/Linux Environment (Bug 5969651)

An exception similar to the following one may be thrown the first time you log in to the Administrative and User Console using SSO in a UNIX/Linux environment:

[XELLERATE.WEBAPP],Class/Method: tcWebAdminHomeAction/setChallengeQuestions encounter some problems: USER_QUES_NOT_DEFINED
Thor.API.Exceptions.tcAPIException: USER_QUES_NOT_DEFINED

To resolve this issue, you must use the Design Console to assign a value of FALSE to the Force to set questions at startup system property.

5.2.2 Invalid JDK Combinations

The combination of a Remote Manager on IBM JDK and the Oracle Identity Manager server on Sun JDK is not supported. Similarly, the combination of a Remote Manager on Sun JDK and the Oracle Identity Manager server on IBM JDK is also not supported.

5.2.3 Stack Overflow Exception Thrown When Importing an XML File (Bug 5350771)

When you import an XML file, a stack overflow exception may be thrown if the import operation changes the organizational hierarchy. You can safely ignore this exception.

5.2.4 Pending Approvals Cannot Be Filtered by Requester Name (Bug 5365516)

If you attempt to use the Requester filter to refine the results in the Pending Approvals page, a message indicating that the search did not return any results is displayed. You can use the Requester filter only to refine results by requester ID and not by requester first name or last name.

5.2.5 All Records Returned When Filtering Records by the Date Type User Defined Field (Bug 5376321) and Searching Using Character Strings (Bug 5354752)

In the Administrative and User Console, searching based on the Date Type User Defined Field may return all records instead of just the records matching the specified dates. Using character string input as search criteria may also return all records. To avoid these issues, use the following date format:

YYYY-MM-DD

5.2.6 Date Value Entered in Incorrect Format in the Administrative and User Console Date Fields Causes an Error Message to Be Displayed (Bug 5533945)

All dates in the Administrative and User Console must be edited using the calendar icon associated with the Date field. Do not edit dates directly by entering text in a Date field. Instead, use that field's calendar icon to edit the date value.

5.2.7 Errors When Modifying Settings and Assignments for Internal System-Seeded Users (Bug 5357781)

Do not modify any settings or assignments for internal system-seeded users. If you attempt to modify any settings or assignments for internal system-seeded users, then you may encounter errors.

5.2.8 Error Message Displayed After Single Sign-On Timeout Interval in Deployment Manager or WorkFlow Visualizer Windows (Bug 5553411)

After a Single Sign-On session times out, clicking Restart in the Deployment Manager or WorkFlow Visualizer window of the Administrative and User Console may cause a "Client-Side error occurred" error message to be displayed. If this message is displayed, close the browser and then access the Administrative and User Console by using a new browser window.

5.2.9 Null Pointer Exception Thrown When Running the purgecache.bat Utility (Bug 5388849)

When you run the purgecache.bat utility, the following exception is thrown:

java.lang.NullPointerException
     at com.opensymphony.oscache.base.AbstractCacheAdministrator.finalizeListeners(AbstractCacheAdministrator.java:323)
     at com.opensymphony.oscache.general.GeneralCacheAdministrator.destroy(GeneralCacheAdministrator.java:168)
     at net.sf.hibernate.cache.OSCache.destroy(OSCache.java:59)
     at net.sf.hibernate.cache.ReadWriteCache.destroy(ReadWriteCache.java:215)
     at net.sf.hibernate.impl.SessionFactoryImpl.close(SessionFactoryImpl.java:542)

This exception can be safely ignored.

5.2.10 Challenge Questions Page Displayed in Error in Single Sign-On Mode When "Force to set questions at startup" System Property Set to TRUE (Bug 5565798)

In the Single Sign-On mode, when the Force to set questions at startup system property is set to TRUE, the Challenge Questions page is displayed instead of the Welcome page of the Administrative and User Console. In the Single Sign-On mode, the Force to set questions at startup system property must be set to FALSE.

5.2.11 System Error May Occur When Accessing Administrative and User Console After Database Is Restarted (Bug 5563616)

Each application server exhibits different behavior when a database connection is lost during execution. While JBoss Application Server can automatically reestablish a database connection, BEA WebLogic Server and IBM WebSphere Application Server cannot. For BEA WebLogic, you can define settings for testing reserved connections, in which case the connections are established automatically. For IBM WebSphere, you must configure your database for high-availability.

5.2.12 Warning Page May Be Displayed in the Administrative and User Console After Receiving "Illegal Script Tag or Characters" Message and Clicking the Back Button (Bug 5676771)

In Microsoft Windows Server 2003 Service Pack 1 (SP1) environments, the "Warning: Page has Expired" page may be displayed if you click the Back button after the "Illegal Script tag or Characters" error message is displayed. You can go back to the first page for creation by clicking the Refresh button on the browser toolbar.

5.2.13 Benign Warning Messages May Appear in Oracle Application Server Log File After Installing Release 9.1.0 and Starting Oracle Application Server (Bug 5840687)

After installing Oracle Identity Manager release 9.1.0 on Oracle Application Server and then starting Oracle Application Server, warning messages regarding files with the same name but that are not identical may appear in the Oracle Application Server log file. These warning messages are benign and can be safely ignored.

5.2.14 Deployment Manager Requires JRE 1.4.2 (Bug 5565793)

An export operation using the Deployment Manager may encounter problems when Microsoft Internet Explorer is configured to use Microsoft Virtual Machine. To reset the default Virtual Machine:

  1. Download and install the Sun JRE 1.4.2_xx from the following Web site:

    http://java.sun.com/

  2. Select Tools from the Internet Explorer menu.

  3. Select Internet Options.

  4. Select the Advanced tab.

  5. Scroll down to Java (Sun).

  6. Check Use Java 2v1.4.2_xx for <applet>.

  7. Scroll down to Microsoft VM.

  8. Deselect Java console enabled and Java logging enabled.

  9. Restart the computer.

Note:

JRE 1.4.2 is not required to run the Oracle Identity Manager Administrative and User Console—it is only required to run the Deployment Manager.

5.2.15 Exception May Be Encountered for JBoss Deployments on Linux if the Linux Kernel Includes IPv6 Support (Bug 5637999)

If you are running JBoss Application Server on Linux and the Linux kernel supports IPv6, you may encounter the following exception:

IP_MULTICAST_IF:

java.net.SocketException: bad argument for IP_MULTICAST_IF: address not bound to any interface
     at java.net.PlainDatagramSocketImpl.socketSetOption(Native Method)
     at java.net.PlainDatagramSocketImpl.setOption(PlainDatagramSocketImpl.java:295)

This exception is caused by versions of Sun Microsystems JDK, up to and including JDK 5. If you do not need IPv6 support, you can avoid this exception by disabling IPv6 support in the JVM by adding -Djava.net.preferIPv4Stack=true to the OIM_HOME/bin/xlStartServer.sh Java command used to start JBoss Application Server.

5.2.16 Multiple Entries for the Same Request ID Are Displayed on the Pending Approvals Page in Administrative and User Console (Bug 5910393)

When more than one approval task is assigned to a user, multiple entries for the same request ID are displayed on the Pending Approvals page in the Administrative and User Console. You can select any of the displayed entries to perform the approval process.

5.2.17 Boolean Type Check Box of the User Defined Field Is Not Displayed on Request Submitted Form (Bug 5374307)

The Request Submitted form of the Design Console does not display the Boolean Type User Defined Field check box. If the User Defined Field is set to the Boolean type, then the Request Submitted form displays the number 1 instead of the check box. If the Boolean type is not enabled, then the Request Submitted form displays a blank space.

5.2.18 "Illegal Script Tag or Characters" Message Is Displayed in Lookup Forms

In the Administrative and User Console, the "Illegal Script Tag or Characters" message is displayed if you enter the less than symbol (<), greater than symbol (>), or any combination of these symbols (such as << or >>) in a text field on any page that also has a lookup form, and then click the magnifying glass icon.

If this happens, close the lookup form, remove the illegal characters from the text field, and then click the magnifying glass icon to continue with the procedure.

See Also:

The "Special Character Restrictions" section in Oracle Identity Manager Globalization Guide

5.2.19 Error Message Logged When a Scheduled Task Is Viewed or Modified (Bug 6379143)

When you view or modify a scheduled task on the Administrative and User Console, the following message may be recorded in the application server log file:

MessageDateFieldBean, localName='messageDateField': Illegal character (space) in "name" attribute

You can ignore this message.

5.2.20 User Profile Information Specified in E-mail Definition Is Not Valid for Approval Tasks (Bug 5671866)

The user profile information, which is specified in e-mail definitions of type General, is not valid for approval tasks.

5.2.21 Exception Thrown on Logging in to WebSphere 6.1.0.9 (Bug 6355328)

After installing IBM WebSphere Application Server 6.1.0.9, when you restart the server and log in to the Administrative Console as xelsysadm, an exception is thrown. However, this does not affect functionality and you can safely ignore the exception.

5.2.22 WSLoginFailedException May Be Thrown in IBM WebSphere Log (Bug 6442226)

The com.ibm.websphere.security.auth.WSLoginFailedException exception may be thrown for IBM WebSphere 6.1.0.9 configurations. You can ignore this exception.

This exception has been acknowledged by IBM, and you can refer to the following IBM Web page for more information:

http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg1PK47479

5.2.23 IllegalArgumentException and CacheException May Be Thrown After Application Server Is Started (Bug 6415213)

Note:

This applies only to IBM WebSphere and Oracle Application Server.

The java.lang.IllegalArgumentException and oracle.cabo.image.cache.CacheException exceptions may be thrown after the application server is started. You can ignore these exceptions.

5.2.24 User Password Reset Is Not Supported by SPML Web Service When Password Policies Are Enabled (Bug 6430243)

If password policies are enabled in Oracle Identity Manager, then the SPML Web Service does not support password reset operations.

5.2.25 Search Button Must Be Clicked Twice to Search for a Scheduled Task After Changing the State (Bug 6493690)

On the Administrative and User Console, you can enable or disable a scheduled task displayed in the search results table for scheduled tasks. However, if you search for a scheduled task after you change its state, you must click the Search button once and then again for the task with the modified state to be displayed.

5.2.26 NullPointerException Written to Log File When Oracle Application Server Is Shut Down (Bug 6471061)

When you shut down Oracle Application Server, the java.lang.NullPointerException from the com.thortech.xl.cache.CacheUtil component is written to the application server log file. You can safely ignore this exception.

5.2.27 Some Postinstallation Tests Offered by the Diagnostic Dashboard Are Displayed in the List of Preinstallation Tests (Bug 6512066)

When you use the Diagnostic Dashboard, although the Test Basic Connectivity, Test Provisioning, and Test Reconciliation tests are available even before you install Oracle Identity Manager, you can use these tests only after you install Oracle Identity Manager.

5.2.28 Special Characters Are Not Allowed in Attestation Process Definition (Bug 6514208)

Special characters are not supported in the attestation process definition. Only alphanumeric characters and the underscore (_) character can be included.

5.2.29 Column Names Are Displayed Instead of Labels If an Attestation Scope Is Defined Using User-Defined Fields (Bug 6517060)

While defining an attestation process using the Administrative and User Console, if an attestation scope is defined using user-defined fields (UDFs) on the User Scope or Resource Scope page, then column names are displayed instead of labels in the list of selected attributes.

5.2.30 Reconciliation Event Does Not Exist/Reconciliation Message Failed Log Messages

During reconciliation, an error message similar to the following may be written to the logs:

[XELLERATE.JMS],The Reconciliation Event with key 512312 does not exist
[XELLERATE.JMS],Processing Reconciliation Message with ID 512312 failed.

Depending on the application server retry settings, these messages are retried for the specified number of times. If JMS is not able to process these messages after the specified number of retries, then these messages are moved to the dead letter queue.

5.2.31 Multiple Trusted Source Flag and Reconciliation Sequence Flag Not Displayed in the Administrative and User Console (Bugs 6626902 and 6625149)

On the Resource Detail page of the Administrative and User Console, the newly introduced Multiple Trusted Source flag and Reconciliation Sequence flag are not displayed. These flags can be viewed in the Design Console.

5.2.32 Error Message Not Displayed on Assign Proxy Page (Bug 6607120)

On the Assign Proxy page, no error message is displayed when the start date or end date is earlier than the current date.

5.2.33 Resource Name Field of the Create Attestation Process Is Case-Sensitive

In the Create Attestation process, the Resource Name field is case-sensitive. To correctly configure the attestation process, you must use the exact spelling and case (uppercase and lowercase) of the resource name.

5.2.34 Retry Interval and Retry Attempt Limit Values Not Displayed on Task Details Page (Bug 6633903)

The Retry Interval and Retry Attempt Limit values are not displayed on the Task Details page of the Workflow Visualizer.

5.2.35 Changes to JDBC Connection Pool Attributes May Result in Database User Account Getting Locked (Bug 6621085)

If JDBC connection pool attributes are changed on Oracle Application Server, then the "ORA-28000: the account is locked" error message may be written to the application server log. When this error occurs, the database user account is locked. This is a known issue with Oracle Application Server when using an indirect password in the connection pool. Oracle Identity Manager connection pools use an indirect password.

If you want to change a connection pool attribute by using the Oracle Application Server Administrative Console, then you can work around this problem as follows:

  1. Log in to the Oracle Application Server Administrative Console, and stop the application named Xellerate.

  2. Change the connection pool attributes.

  3. Restart Oracle Application Server.

  4. Log in to the Oracle Application Server Administrative Console, and start the Xellerate application.

5.2.36 Previously Viewed Workflow Displayed on Creating a New Workflow Event (Bug 6645226)

In the Graphical Workflow Designer, when you click Save after adding a new Workflow Event, the previously viewed workflow is displayed instead of the newly created workflow event.

5.2.37 User ID Containing Special Characters Is Not Displayed in User ID Lookup Fields

During user creation in the Administrative and User Console, if special characters are included in the User ID value, then look-up fields for user IDs will not be able to display that specific user ID. For information about special character restrictions, refer to Oracle Identity Manager Globalization Guide.

5.2.38 Database Error May Be Thrown When Disabling an Organization (Bug 6608036)

When disabling an organization that has child organizations, a database error message may be displayed in addition to the Oracle Identity Manager error message. To avoid this problem, remove parent-child associations before disabling an organization.

5.2.39 Session Timeout System Error Thrown During Workflow Creation Can Be Ignored (Bug 6645683)

A session timeout error may be thrown during creation of a workflow. You can safely ignore this error.

5.2.40 Authentication Warning in BEA WebLogic Server Logs (Bug 6714117)

An exception similar to the following one may be thrown in the BEA WebLogic Server logs:

<Security> <BEA-090078> <User user in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.> 
<Security> <BEA-090403> <Authentication for user User denied> 

Because this warning message does not interfere with the run-time operation of Oracle Identity Manager, it can be safely ignored.

5.2.41 Known Issue in JBoss Application Server May Result in the java.lang.ClassCircularityError Exception

If you are running Oracle Identity Manager on JBoss Application Server, then the java.lang.ClassCircularityError exception may be thrown because of a known issue in Sun JVM. If this occurs, then implement the workaround given on the following JBoss Web page:

http://wiki.jboss.org/wiki/Wiki.jsp?page=ClassPreloadService

5.2.42 "Page Cannot Be Found" Error Message May Be Displayed When You Enable or Disable a Scheduled Task (Bug 6738274)

The "Page Cannot Be Found" error message may be displayed in the Administrative and User Console when you try to enable or disable a scheduled task by using the Enable or Disable link in the search results table displayed on searching for tasks by their state (Enabled or Disabled).

5.2.43 Known Issues Related to Generic Technology Connectors

Refer to the "Known Issues of Generic Technology Connectors" chapter of Oracle Identity Manager Administrative and User Console.

5.2.44 Exception May Be Thrown When a Scheduled Task Runs for Many Hours

For Oracle Identity Manager on Oracle Application Server, the following exception may be thrown when a scheduled task runs for many hours:

Primary Server went down going to get a fresh object elsewhere in the cluster.
com.evermind.server.rmi.RMIConnectionException: LRU connection

This exception has no impact on the functioning of Oracle Identity Manager and can be ignored.

5.2.45 Exception May Be Thrown When the PurgeCache.sh Script Runs on UNIX (Bug 6807733)

When you run the PurgeCache.sh script on UNIX, you might get the following error message:

./PurgeCache.sh: test: unknown operator ==

To resolve this issue:

  1. Open the PurgeCache.sh script in edit mode.

  2. Search for the following:

    if [ "$1" == "" ]

  3. Modify this line to the following:

    if [ "$1" = "" ]

  4. Save the PurgeCache.sh script.

5.2.46 Mapping Icons Are Not Displayed While Configuring Data Flow (Bug 6807841)

If your application server is running on UNIX, you might not be able to map form fields by using the Form Data Flow and Reconciliation Data Flow features of the Workflow Designer because the mapping icons are not displayed. To work around this issue, use the Design Console to create field mappings.

5.3 Design Console Known Issues

This section describes known issues related to tasks performed using the release 9.1.0 Design Console—it does not contain known issues related to the installation of the Design Console or its translated text. This section contains the following topics:

5.3.1 Invoking FVC Utility on IBM WebSphere May Display "Realm/Cell is Null" Error (Bug 5563654)

When attempting to use the FVC utility in IBM WebSphere deployments, a dialog box with the error message Realm/cell is Null may be displayed. You can close the dialog box and ignore this error message to continue.

To avoid this issue entirely, change the properties in the WEBSPHERE_HOME\AppClient\properties\sas.client.props file to the following:

Note:

WEBSPHERE_HOME represents the location where IBM WebSphere is installed.

Change the existing values to the following:

  • com.ibm.CORBA.loginSource = properties

  • com.ibm.CORBA.loginTimeout = 300

  • com.ibm.CORBA.securityEnabled = true

  • com.ibm.CORBA.loginUserid = xelsysadm

  • com.ibm.CORBA.loginPassword = xelsysadm
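The settings above place the administrator user ID and password in a client-side properties file. The following added example, which is not from the Oracle or IBM documentation, audits a sas.client.props file for that condition: it reports a password stored in the file, a password equal to the user ID, property names whose case differs from the com.ibm.CORBA.* spelling, and (on POSIX hosts) a file mode that gives other accounts access. The function names and finding codes are assumptions made for this example, and the sample input is constructed from the values listed above.

```python
import os
import stat

PREFIX = "com.ibm.CORBA."

# Constructed sample built from the values listed in the release note.
SAMPLE = """\
# sas.client.props (constructed sample)
com.ibm.CORBA.loginSource = properties
com.ibm.CORBA.loginTimeout = 300
com.ibm.CORBA.securityEnabled = true
com.ibm.CORBA.loginUserid = xelsysadm
com.ibm.CORBA.loginPassword = xelsysadm
"""


def parse_props(text):
    """Parse .properties text: skip blanks and #/! comments, split on first '=' or ':'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0),
                  default=len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def audit_text(text):
    """Return a list of (code, message) findings for the login settings."""
    by_lower = {k.lower(): (k, v) for k, v in parse_props(text).items()}
    findings = []

    def get(name):
        wanted = PREFIX + name
        key, value = by_lower.get(wanted.lower(), (wanted, ""))
        if key != wanted:  # Java property names are case-sensitive
            findings.append(("KEY_CASE", f"{key}: expected spelling is {wanted}"))
        return value

    source, user, password = get("loginSource"), get("loginUserid"), get("loginPassword")
    if password:
        findings.append(("PASSWORD_IN_FILE",
                         f"loginPassword is set in the file (loginSource={source or 'unset'})"))
        if password == user:
            findings.append(("PASSWORD_EQUALS_USERID",
                             f"loginPassword is identical to loginUserid '{user}'"))
    return findings


def audit_file(path):
    """Audit a file on disk; on POSIX also flag modes that grant group/other access."""
    with open(path, encoding="iso-8859-1") as fh:  # .properties files are Latin-1
        findings = audit_text(fh.read())
    holds_password = any(code == "PASSWORD_IN_FILE" for code, _ in findings)
    if os.name == "posix" and holds_password:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append(("LOOSE_MODE",
                             f"mode {mode:03o} grants group/other access to the file"))
    return findings


if __name__ == "__main__":
    for code, message in audit_text(SAMPLE):
        print(f"{code}: {message}")
```

If the file has to hold these credentials, restrict it to the account that runs the FVC utility and set a password for xelsysadm that differs from the user ID.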

5.3.2 Form Designer Feature Does Not Support Special Characters for Column Name (Bug 5373011)

The Form Designer form in the Design Console will not save entries that contain any of the following special characters in the Column Name field:

; / % = | + , \ ' " < >

5.3.3 xlclient.cmd Executable of Design Console Does Not Launch If Paths Include a Space (Bug 5853425)

The xlclient.cmd executable that launches the Design Console will fail if directory paths in the executable contain spaces.

You will have a space in a directory path in xlclient.cmd if you installed the Design Console in a location that contains a space, for example, C:\Program Files\OIM\xlclient\java. You will also have a space in a directory path in xlclient.cmd if, while installing the Design Console, you chose to use a JRE other than the one bundled with the Design Console and the path to that JRE includes a space, for example, C:\Program Files\Java\j2re1.4.2_15.

To avoid this issue, do not install the Design Console in a directory whose path includes a space and do not specify a JRE using a directory path that includes a space. Another way to avoid this issue is to add double quotation marks (") to the paths in the xlclient.cmd executable that include spaces. For example:

Use the following approach if you install the Design Console in a directory whose path includes a space:

"C:\Program Files\OIM\xlclient\java"\bin\java %DEBUG_OPTS% ^
-DXL.ExtendedErrorOptions=TRUE -DXL.HomeDir="C:\Program Files\OIM\xlclient" ^
-Djava.security.policy=config\xl.policy ^
-Dlog4j.configuration=config\log.properties ^
-Djava.security.manager ^
-Djava.security.auth.login.config=config\auth.conf ^
com.thortech.xl.client.base.tcAppWindow -server server

Use the following approach if the path of the JRE directory that you specify includes a space:

"C:\Program Files\Java\j2re1.4.2_15"\bin\java %DEBUG_OPTS% ^
-DXL.ExtendedErrorOptions=TRUE -DXL.HomeDir=C:\oracle\xlclient ^
-Djava.security.policy=config\xl.policy ^
-Dlog4j.configuration=config\log.properties ^
-Djava.security.manager ^
-Djava.security.auth.login.config=config\auth.conf ^
com.thortech.xl.client.base.tcAppWindow -server server

5.3.4 Default Tasks Not Added to Resource Object After Changing Its Process Definition Type (Bug 5637994)

In the Design Console, after changing the Process Definition type for a Resource Object from Approval to Provisioning, or from Provisioning to Approval, the Resource Object is not updated with the default tasks associated with each type of Process Definition. To avoid this issue, do not change the Process Definition type after setting it initially.

5.3.5 Cannot Delete User Defined Fields When the Required and Visible Properties are Set to True (Bug 5486223)

Attempting to delete User Defined Fields in the Design Console when the Required and Visible properties are set to true causes an error message to be displayed. To avoid this issue, first delete the properties and then delete the User Defined Column.

5.3.6 Cannot Save Multiple Rules Simultaneously (Bug 5457386)

The Rule Designer feature in the Design Console cannot save multiple rules simultaneously. To avoid this issue, save each rule before creating additional rules.

5.3.7 Toolbars in Creating New Task Window May Be Disabled When Multiple Creating New Task Windows Are Open (Bug 5514864)

Toolbars in the Creating New Task window may be disabled after adding event handlers or adapters from the Integration tab when using the same Create New Task window for a second time to add a task (by clicking the New Form icon). To avoid this issue, close the Creating New Task window before creating another task.

5.3.8 Error Thrown When the Caret (^) Character Is Encountered in a Challenge Question

While setting challenge questions in the Lookup.WebClient.Questions lookup definition, you must not include the caret (^) character in the text of the questions. The Design Console does not stop you from entering this character, but the Administrative and User Console will throw an error when this character is encountered.

5.3.9 Error Messages Displayed on the Password Policies Form Are Concatenated (Bug 6444500)

An error message is displayed if there is conflicting input on the Password Policies form. For example, an error message is displayed if the minimum password length specified is greater than the maximum length. If there is more than one set of conflicting input, then the error messages that are displayed are concatenated.

5.3.10 Time-Stamp Display Issues May Be Seen on the Design Console When Used with Non-English Locales (Bug 6459815)

When you use the Design Console with non-English locales, you may encounter time-stamp display issues. To avoid this problem, replace all the files and directories under OIM_DC_HOME/java with the JRE 1.4.2_15 files and directories.

5.3.11 User Group Name Attribute for Reconciliation Mapping (Bug 6608943)

While defining reconciliation field mappings for trusted sources, you must not use the User Group Name user attribute.

5.3.12 Single Quotation Mark Cannot Be Included in IT Resource Instance Name (Bug 6643202)

Single quotation marks are not supported in the name of an IT resource. If a single quotation mark is included in the Name field on the IT Resources form, then a system error message is displayed.

5.3.13 Passwords As Child Table Fields Are Not Supported (Bug 6703251)

Although you can use the Design Console to mark child table fields as password fields, Oracle Identity Manager does not support passwords as child table fields.

5.3.14 Remote Manager Status Is Not Displayed as "Running" In the Design Console (Bug 6685642)

When you use Oracle Identity Manager on Oracle Application Server, the status of the Remote Manager is not displayed as "Running" in the Design Console.

5.4 Reports Known Issues

This section describes known issues related to reporting functionality in release 9.1.0. This section contains the following topics:

5.4.1 Group Membership History Report Does Not Differentiate Between Active and Deleted Groups (Bug 5249535)

When you run a Group Membership History report, the report results do not differentiate between active and deleted groups.

5.4.2 User Disabled and User Unlocked Reports Display Current Values (Bug 6371878)

The User Profile columns in the User Disabled and User Unlocked reports display current values instead of historical values.

5.4.3 Resource Name Lookup Window on the Input Parameters Page for Some Reports May Incorrectly Display Organization Resources (Bug 5493332)

In the Administrative and User Console, clicking the Resource Name lookup icon on the Input Parameters page for various reports will display a lookup window. This lookup window may incorrectly display Organization resources in addition to User resources for the following reports:

  • Resource Access List

  • Entitlement Summary

  • Resource Access List History

  • Resource Password Expiration

  • Account Activity in Resource

  • Task Assignment History

  • Rogue Accounts By Resource

  • Fine Grained Entitlement Exceptions By Resource

Ignore the Organization resources listed in the lookup window. Running these reports for Organization resources will return no data.

5.4.4 Reports May Not Differentiate Between Information for Deleted Users and Information for Users Created with the Same User IDs As the Deleted Users (Bug 5741951)

Reports may not differentiate between information for a deleted user and information for a user that was created with the same user ID as the deleted user, regardless of whether or not the User ID Reuse property is enabled.

5.5 Globalization Known Issues

This section describes known issues in release 9.1.0 related only to globalization or translation. This section contains the following topics:

5.5.1 Installer Programs for Non-English Languages May Contain Some English Text (Bug 5232751)

The release 9.1.0 Installer programs for non-English languages may contain some untranslated text that is displayed in English.

5.5.2 Some Administrative and User Console Windows Display Text for Default Locale Setting After Timing Out (Bug 5545626)

In the Administrative and User Console, if the Export and Import pages of the Deployment Manager or the Workflow Visualizer page are open and the session times out, then the text on these pages may be displayed in the language of the default locale of the system where Oracle Identity Manager is installed. After closing the session timeout window and clicking any of the Administrative and User Console menu options, the Oracle Identity Manager Logout page is displayed and may also be displayed in the language of the default locale of the system where Oracle Identity Manager is installed.

5.5.3 Notes Field on the Task Details Page Not Localized For Reconciliation Tasks (Bug 5512136)

In the Administrative and User Console, some text in the Notes field on the Task Details page may be displayed in English in non-English environments. Task instances that have the following names may encounter this issue:

  • Reconciliation Update Received

  • Reconciliation Insert Received

  • Reconciliation Delete Received

5.5.4 English Characters Required for Some Attributes

Release 9.1.0 requires that you use only English characters for the following:

  • Installation paths and directory names (Bug 5397854)

  • Host names (Bug 5360993)

  • E-mail addresses (Bug 5397105)

  • If used, external certificate names and certificate content (Bug 5387397)

  • The Administrative and User Console requires that you use only English characters for the E-mail Address fields on the Create/Edit User, Account Profile, and Self-Registration pages. In addition, when installing the Remote Manager, you must use only English characters for the Service Name on the Configuration page (Bug 5460100).

Refer to Oracle Identity Manager Globalization Guide for detailed information about the character restrictions for various components and attributes.

5.5.5 Some Information in Workflow Visualizer May Be Displayed as Box Characters (Bug 5704436)

Some information may be displayed as box characters in the Workflow Visualizer of the Administrative and User Console due to a known limitation with Java Applets and globalized characters. The browser JVM displays only those characters that are in the current locale of the system where Oracle Identity Manager is installed. Globalized characters are displayed correctly in applets only if you set the browser to the same locale as the system where Oracle Identity Manager is installed.

5.5.6 Report in Non-English Environments Requires English Values for Filter Parameters (Bug 5511190)

In non-English environments, the following report requires that the given filter parameter use only English values:

Report: Entitlement Summary

Filter parameter: Account Status

For example, filtering on Account Status in the Entitlement Summary report in non-English environments and using a translated version of the status Active will return nothing. You must use the English value Active.

5.5.7 Deployment Manager Import and Export Features Include an Untranslatable String (Bug 5501127)

The Administrative and User Console's Deployment Manager import and export features use the Java AWT file dialog box that shows the All Files (*.*) string in the dialog box filter. The All Files (*.*) string is not translated for any locale and is displayed in English. This limitation is caused by the Java implementation, and the string cannot be translated. For more information, refer to the Sun Microsystems report for Bug ID 4152317 at

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4152317

5.5.8 Names of Log Files for Oracle Identity Manager Utilities Do Not Include Time Stamp for Some Non-English Locales (Bug 5850607)

When you use the Reconciliation Archival utility or Task Archival utility, the name of the log files for some non-English environments may not include the time stamp. For example, for the Reconciliation Archival utility, you may see a log file that looks something like Arch_Recon____15_56.log instead of Arch_Recon_Wed_31_2007_03_31.log.

5.5.9 Pre-Populate Adapter Error Messages Do Not Support Localized Display of Date and Time

The server-side date and time displayed in the error message on the Administrative and User Console when a pre-populate adapter error is encountered are not localized.

5.5.10 Some Asian Languages Not Displayed Correctly With Sun JDK 1.4 (Bug 6314961)

Some Asian languages may not be displayed correctly with Sun JDK 1.4 on the Deployment Manager if you launch it on a non-Asian Windows computer, even if a language package is installed on the client host. If you encounter this issue, install Sun Java Plug-in 1.5.

5.5.11 Names of IT Resource Parameters Displayed in the Administrative and User Console Are Not Localized (Bug 6455617)

The names of IT resource parameters displayed on the "Manage IT Resources" pages of the Administrative and User Console are not localized.

5.5.12 Inconsistent Ordering of Names in Columns of Some Reports in Non-English Environments (Bugs 5557974 and 6457618)

In non-English environments, the ordering of first and last names in some reports does not correspond to the browser locale of the logged-in user. Table 4 lists the reports and their columns in which first and last names may be displayed in inconsistent order. You can modify the display of first and last names by modifying the stored procedures for these reports.

Table 4 Reports and Columns in Which First and Last Names May Be Inconsistently Ordered

| Report | Sectional Header | Sectional Table | Display Format |
|---|---|---|---|
| Attestation Requests by Process | Reviewer | NA | FirstName LastName |
| Attestation Process List | NA | Reviewer | FirstName LastName |
| Policy List | NA | Created By | FirstName MiddleName LastName |
| Policy Detail | Created By | NA | FirstName LastName |
| Organization Structure | NA | Manager Name | FirstName MiddleName LastName |
| Requests Initiated | NA | Requester | FirstName MiddleName LastName |
| Requests Details by Status | Requester | NA | FirstName MiddleName LastName |
| Group Membership | Group Created By | NA | FirstName LastName |
| Task Assignment History | NA | Assigner User Name | FirstName LastName |
| Account Activity in Resource | NA | Manager Name | FirstName LastName |
| User Resource Access History | NA | Manager Name, Provisioned By | FirstName LastName |
| Group Membership History | Group Created By | NA | FirstName LastName |


5.5.13 Error Message Displayed While Trying to Delete Menu Items Is Not Localized (Bug 6503868)

While trying to delete a menu item, you may encounter an error message that is not localized.

5.5.14 Localization to the Chinese (Simplified), Chinese (Traditional), and Portuguese (Brazilian) Languages Not Supported (Bug 6728226)

If Oracle Single Sign-On is used to provide authentication service to Oracle Identity Manager, then localization to the Chinese (Simplified), Chinese (Traditional), and Portuguese (Brazilian) languages is not supported. This is due to a known bug (6728226) in the Oracle Single Sign-On Plug-in deployed on Oracle HTTP Server.

6 API Changes

Refer to the "What's New" chapter in Oracle Identity Manager API Usage Guide for information about API changes made in this release.

7 Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at

http://www.oracle.com/accessibility/

Accessibility of Code Examples in Documentation

Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

TTY Access to Oracle Support Services

Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day, 7 days a week. For TTY support, call 800.446.2398. Outside the United States, call +1.407.458.2479.



Copyright © 2007, 2008, Oracle. All rights reserved.

The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.

If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs.

Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.