Sun Java[TM] System Identity Manager 7.1 Release Notes
Known Issues
This section of the Identity Manager 7.1 Release Notes lists known issues and workarounds for:
Identity Manager
This section describes known issues and workarounds for Identity Manager, and the information is organized as follows:
General
- Required fields set on the resource schema map are only checked when a user account is created (ID-220). If a field is to be required on user updates, then the user form should be configured to ensure that the field is required.
- No checking is done on organization name, administrator name, account name, user attribute name (left hand side of schema map), or task names for invalid characters (ID-1145, 1206, 1679, 1734, 1767, 2413, 3331). You cannot use a dollar ($), a comma (,), a period (.), an apostrophe ('), an ampersand (&), a left bracket ([), a right bracket (]), or a colon (:) in the name for these types of objects.
- A misleading error message is given on the account page if you try to perform an action after your session has timed out (ID-1223).
- The calendar object is not fully viewable if the browser is using large fonts (ID-2120).
- The Select All checkbox on the Find Results page and the List Task page does not become un-selected if one of the items in the list is un-selected (ID-5090). The selectAll checkbox is ignored during the resulting action if not all of the members in the list have their checkbox selected.
- If you make a change to a custom message catalog, it is necessary to restart the server in order to see your changes. (ID-6792)
- The current mechanism for detecting a failed Server assumes that all the systems in an Identity Manager cluster are synchronized with respect to time. (ID-7064) With the default failure interval of five minutes, if one server is five minutes out of sync with another, the server that is ahead will declare the server that is behind to be dead, causing unpredictable results.
- On Windows, if you are logging in as a user whose name contains double-byte characters and the default encoding for the machine only supports single-byte characters, you must set the USER_JPI_PROFILE environment variable to an existing directory whose name contains only single byte characters. (ID-8540)
- If an expanded node contains less than one page of data and you insert a new child of that node (for example, if you are creating a User in the organization) before the first record on the page, Identity Manager will insert a page with one item before the current page on the subsequent refresh. (ID-12151)
- If you modify a Role form to change the showSuperAndSubRoles variable from 0 to 1, and then import a super role object definition file containing existing subroles from the Configure tab, those subroles will not be modified to include the <SuperRoles> section. However, if you use the Identity Manager graphical user interface to create a super role, the subroles referenced by that super role will be updated. (ID-15053)
This issue can occur with roles created outside Identity Manager that have references to existing roles (either subroles or super roles) already in the system.
When importing these roles, the roles that already exist in the system are not updated to reflect the new relationships; that is, referential integrity is not maintained. Use the RoleUpdater to check and correct the referential integrity if roles are imported in this way.
Workaround: See ID-15482, described in Roles.
- Daylight Savings Time (DST) in the United States and Canada has been extended to begin earlier and end later than in previous years. These extended periods of DST are from the second Sunday of March to the first Sunday of April, and from the last Sunday of October to the first Sunday of November. For 2007, these periods are from March 11th to April 1st, and from October 28th to November 4th. Issues caused by non-compliant software will continue indefinitely until the software is made compliant.
To update, perform these steps:
- Update the gateway hosting time functions from http://www.microsoft.com/windows/timezone/dst2007.mspx (Identity Manager obtains gateway hosting time functions from the Windows operating system.)
- Upgrade to a compliant version of Java on the application server. Identity Manager Installation provides directions for shutting down, upgrading, and restarting your application server.
- Review the list of tasks scheduled to start within the new extended periods of DST (see above for when these periods occur). After applying the DST patches, you must reschedule any items that are scheduled to start within this time frame. Any recurrent items that run at least once after you have applied the DST patch, and before the beginning of these periods, will run at their expected times.
Refer to Java upgrades or use the tzupdater tool (http://java.sun.com/developer/technicalArticles/Intl/USDST/) to address DST issues. Also see the Sun Alert for Java.
- If you modify settings (such as adding additional column attributes) on an existing changelog, these modifications might not appear in a pre-existing changelog CSV file. (ID-15973)
- Strings that are displayed in the tabs of the TabPanel display component (used, for example, in the Tabbed User Form) will wrap if they contain spaces. To change this behavior so that the strings do not wrap, the following two lines should be added to $WSHOME/styles/customStyle.css:
table.Tab2TblNew td {background-image:url(../images/tabs/level2_deselect.jpg);background-repeat:repeat-x;background-position:left top;background-color:#C4CBD1;border:solid 1px #8f989f;white-space:nowrap}
table.Tab2TblNew td.Tab2TblSelTd {border-bottom:none;background-image:url(../images/tabs/level3_selected.jpg);background-repeat:repeat-x;background-position:left bottom;background-color:#F2F4F3;border-left:solid 1px #8f989f;border-right:solid 1px #8f989f;border-top:solid 1px #8f989f;white-space:nowrap}
- While in a localized Identity Manager session, users might encounter partial localization (a mix of English and the selected language) in Process Diagram applets. (ID-16139)
- When editing a role, if a second role is included as both a super role and a sub-role, a circular reference will exist, possibly resulting in a StackOverflowError. (ID-16326)
- Direct-mode password synchronization requires SimpleRpcHandler to be configured in the web.xml file. By default, this handler is not provided as a handler for the rpcrouter2 servlet. (ID-16469) To use direct-mode password synchronization, set the handlers initialization parameter in the following way:
Install and Update
Note
For issues that affect only this release, see Installation and Update Notes.
- There is no database upgrade script for the Service Provider transaction store. When upgrading from Identity Manager 5.6 (Service Provider Edition 1.0) or Identity Manager 6.0 to 7.0 or 7.1, a new column ('userId') has to be added to the existing table. The sample database scripts (create_spe_tables.*) in this release show the expected type and the default maximum value length of this column. (ID-16423)
- While upgrading, under rare circumstances the following error may be seen when attempting to run update.xml:
Account Management
- It is possible to create NT accounts that have account names longer than 20 characters and that the NT native tools cannot manage (ID-710).
- An administrator cannot save resources or roles that contain organizations that he does not manage (ID-839).
- Sorting the columns on the Provisioning Results page adds additional empty rows to the results (ID-1105).
- Approvals of several hundred user accounts take a considerable amount of time (ID-1149).
- Updating a user without making any modifications does not show detailed results page (ID-2327).
- When creating a new user or adding a resource to an existing user, if the distinguished name for the user is incorrect, the incorrect value is cached until the administrator logs out (ID-2508). Attempts to re-create the user after fixing the distinguished name are not successful until after the administrator logs out.
- Windows Active Directory requires the gateway to run as an administrator who can create directories (ID-2919). Identity Manager can create home directories on Windows 2000 systems, but the home directory is created by the user the gateway process is running as, instead of by the administrator specified in the resource definition.
- If an Identity Manager user is created and assigned to a Windows Active Directory resource where the user account already exists, the user will be created without a GUID attribute in the resource info (ID-5114). This GUID is used to detect changes to the user's organization or name in the Directory. Running reconcile from the resource will fix this problem.
- When creating a user, a warning is given if you add a Role to the user that contains a resource that is directly assigned (ID-5385).
- A “Forward To” administrator cannot be specified when a user is being created. This option can only be set when editing the user (ID-5695).
Approvals
Auditing
- During a scan, there is no support for retrying user accounts that could not be fetched from resources, or where other failures occur. These failures are reported when the scan is complete, but there is no automated way to rescan the accounts. (ID-9112)
- Identity Auditor attempts to keep users in compliance between policy scans by enforcing policy whenever the user is edited. If editing a user that has assigned audit policies and also is in violation of a policy, you cannot save changes to the user, even if the change is as simple as moving a user to another organization. (ID-9504)
Workaround: Use the right-click move (or find, then move) functionality on the user applet, or temporarily disable the audit policy checks.
To disable the auditor policy checks, edit the system configuration and remove the userViewValidators property. This property, whose value is a list of strings, is added during the import of init.xml or upgrade.xml.
- In the AuditPolicy, Resource and Organization Violation History reports, implementing logarithmic scaling for a STACK chart type may result in unusual display behavior. (ID-9522)
- Currently, the Auditor Access Scan Report administrator cannot schedule an Audit Policy Scan. The following error message is displayed: Create access denied to Subject auditadmin on type TaskSchedule. To schedule any task, administrators must have create privileges for the TaskSchedule authType. (ID-14713)
- If you have created Audit Policy Scan reports in previous versions of Identity Auditor, these reports will not be visible when you upgrade to Identity Manager 7.0. To correct this, an administrator with the Auditor Report Administrator capability (or higher) can edit these specific reports and change the visibility to run. (ID-14881)
- When running Audit Scans that produce multiple violations, Auditor might create a remediation workflow to manage processing of the violations. The default MySQL setting for max_allowed_packet (1M) is too small for a workflow with dozens of violations. If this limit is reached, Auditor will not start the remediation workflow.
- Audit policy names cannot contain these characters: ' (apostrophe), . (period), | (line), [ (left bracket), ] (right bracket), , (comma), : (colon), $ (dollar sign), " (double quote), = (equals sign). (ID-16078)
- Changing severity and priority values for Compliance Violation remediations can be misleading. The initial values in the form are not the current values of the Compliance Violations. They are the last values set when making a change. It is important that you know what severity/priority value you want while still viewing the list view, because you cannot determine the current values when on the page that lets you change the values. (ID-16040)
- ComplianceViolations created before the IdM 7.1 upgrade will not allow the severity or priority to be set. The error message returned indicates that the Compliance Violation no longer exists, but this is incorrect. The violation does exist, but IdM is unable to set the severity or priority. (ID-16420)
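Because Identity Manager 7.1 does not itself reject the characters listed above for organization, administrator, account, attribute and task names (ID-1145 and related) or for audit policy names (ID-16078), a feed that creates such objects is best checked before it is imported. The following script is an added example, not code from the product or from these release notes: it validates a constructed CSV feed of object kinds and names against the two character sets the notes give. The kind,name column layout, the kind labels and the function names are assumptions made for this example.

```python
"""Pre-import name check for Identity Manager objects.

Added example; not part of the Identity Manager product or its release
notes. The product does not reject the characters below, so a feed that
creates organizations, accounts, tasks or audit policies should reject
such names before the import runs.
"""
import csv
import io

# Characters the release notes list as unusable in organization,
# administrator, account, user-attribute and task names (ID-1145 etc.).
GENERAL_FORBIDDEN = frozenset("$,.'&[]:")

# Characters the release notes list as unusable in audit policy names
# (ID-16078).
AUDIT_POLICY_FORBIDDEN = frozenset("'.|[],:$\"=")

# Kind labels are an assumption of this example, not product terminology.
FORBIDDEN_BY_KIND = {
    "organization": GENERAL_FORBIDDEN,
    "administrator": GENERAL_FORBIDDEN,
    "account": GENERAL_FORBIDDEN,
    "attribute": GENERAL_FORBIDDEN,
    "task": GENERAL_FORBIDDEN,
    "auditpolicy": AUDIT_POLICY_FORBIDDEN,
}


def invalid_chars(name, kind):
    """Return the forbidden characters present in `name`, in first-seen order."""
    forbidden = FORBIDDEN_BY_KIND[kind]
    seen = []
    for ch in name:
        if ch in forbidden and ch not in seen:
            seen.append(ch)
    return seen


def check_feed(csv_text):
    """Validate a CSV feed with the columns kind,name.

    Returns a list of (line_number, kind, name, bad_chars) for rejected rows.
    Line numbers count from 1 and include the header row, so they match
    what a text editor shows for the feed file.
    """
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        kind = row["kind"].strip().lower()
        name = row["name"]
        if kind not in FORBIDDEN_BY_KIND:
            # Unknown object kinds are rejected rather than silently passed.
            problems.append((reader.line_num, kind, name, ["<unknown kind>"]))
            continue
        bad = invalid_chars(name, kind)
        if bad:
            problems.append((reader.line_num, kind, name, bad))
    return problems


# Constructed sample feed; every name here is made up for this example.
SAMPLE_FEED = """kind,name
organization,Engineering
organization,Sales & Marketing
account,jdoe
account,o'brien.j
task,Nightly Reconcile
auditpolicy,SOX|Finance=Q1
auditpolicy,Password Strength
"""

if __name__ == "__main__":
    for line_no, kind, name, bad in check_feed(SAMPLE_FEED):
        print(f"line {line_no}: {kind} {name!r} contains {''.join(bad)!r}")
```

Running the script on the sample feed rejects lines 3, 5 and 7 and names the offending characters. Note that the apostrophe is rejected for account IDs by the general set, which also covers the separate CSV import problem of ID-2100 (single quotes in account IDs being turned into question marks).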
Integrated Development Environment (IDE)
- Renaming objects using Identity Manager IDE should be done through the right-click context menu in the Projects explorer, instead of editing the XML using the editor. (ID-13828)
- The XML Navigator has been disabled in IDM IDE. Windows -> Navigator opens the Navigator panel and <No view available> is displayed. (ID-13390)
- Project delete functionality is not supported. (ID-14013)
- When closing a project, the Discard All option does not work properly. If you wish to discard your changes to an object, you must close the editor window and select Discard. This is a known issue with NetBeans (bug 84236). (ID-14164)
- If you are working with the standard Identity Manager IDE project, start the bundled Tomcat instance, and the Tomcat Manager dialog displays, it generally indicates one of the following conditions: (ID-15546)
This is a known NetBeans issue.
Workaround: You must ensure that only one Tomcat instance is running on the host machine and configured to listen on the same port as the bundled Tomcat.
The credentials stored as part of the bundled Tomcat server must match those stored on the Server Manager’s Username and Password fields. For more information about these field values, go to the following website:
- The Clone Document feature does not work. (ID-15725)
- If you perform a diff action on a document and do not save your changes, the diff action will not show any results. Currently, there is no warning message to indicate this situation. The Identity Manager IDE can only perform a diff action against the file contents, not against what is shown in the Editor window. (ID-15952)
- If you perform a diff action on a directory containing unsaved files, no results will display in the Diff Output window. (ID-15955)
- When using the expression builder to create an invoke statement, a window is opened that displays the Javadoc for the selected method. Currently, you cannot use the scroll bars to scroll through the document. This means that for some methods, the window will not display the entire Javadoc. (ID-16093)
Workarounds:
- Once you have selected the method, the Javadoc is transferred temporarily to the bottom of the expression window. You can scroll through the entire Javadoc there; however, this is only a temporary copy, and once you click away into another expression element or a different expression entirely it will not be restored.
- Use the regular Javadoc, which is provided in the Image/REF/javadoc directory of the installation media.
Login Configuration
- Pass-through authentication module does not work for the Domino resource (ID-1646).
- Changes made to the Administrator Login Setup and User Login Setup pages are not visible to other administrators logged in (ID-3487). To see the changes, the other administrators will need to log out of the Administrator Interface and log back in.
- If an Administrator logs in and selects Change My Password, and then selects another tab, their account is locked until the lock expires. (ID-3705)
Organizations
- When deleting multiple organizations, if the delete fails on one organization, all the remaining organizations are not deleted (ID-517).
- Renaming an organization when there are provisioning requests pending that have users belonging to the organization will cause the provision request to fail (ID-564).
Policies and Capabilities
- The Identity Manager account policy attribute Reset Notification Option has a value option of “administrator” that has no effect (ID-944). The only viable options are “immediate” and “user”.
- When deleting multiple roles, if an error is encountered, the entire operation will stop instead of continuing to the other roles (ID-1168).
- The minimum number of questions a user must answer can be set to a value greater than the number of defined questions (ID-1834). If this situation occurs, the user will not be able to log in using the “Forgot My Password” option.
- The Default Lighthouse Account Policy cannot be cloned by editing the policy, changing the name, and selecting to create a new object (ID-5147).
Reconcile and Import Users
- Importing users from a CSV file does not update resource attributes if the user already exists in Identity Manager (ID-2041).
- Single quotes (') in the account IDs of a loaded comma-separated-value (CSV) file are translated to question marks (?) (ID-2100).
- Scheduled tasks will not show up in a search on the "Find Tasks" page when using the "Is Scheduled" option (ID-5001).
- Reconciliation fails when run against a Red Hat version 8 resource (ID-6087).
- Reconciliation of an Oracle ERP resource will complete with errors if connection pooling on the resource is enabled (ID-6386). Workaround: turn off connection pooling during reconciliation.
Reports
- Audit Log entries may not be recorded for large results (ID-5050).
- The ticker will not display when selected if there are organizations with apostrophes (') in their name (ID-5653).
- If you attempt to run an Administrator Report and select to Report only Administrators which belong to a specific organization which has no administrators, a java.lang.NullPointerException error is returned (ID-5722).
Resources
- Resource test button does not test all fields (ID-51).
- Resource port assignments can be set to values greater than 65535 (ID-59).
- A misleading error message is displayed when an incorrect Active Directory group name is set (ID-393). If you attempt to set an Active Directory group name to “groupname” instead of “cn=groupname,cn=builtin,dc=waveset,dc=com”, an error message stating “array index out of bounds” is displayed.
- Required account attributes are sometimes ignored if there is another resource with the same account attribute name that does not have the required flag set (ID-1161).
- If an administrator attempts to add an organization to a resource that he does not have rights over, an error will appear. The edit of the resource must then be canceled and the resource edited again to make any other changes to the resource (ID-1274).
- The error message when a resource account password or username is not correct on a PeopleSoft resource is not clear (ID-2235). The error message states:
- Windows Active Directory resource actions that use the %DISPLAY_INFO_CODE% exit status cause the action to fail with errors (ID-2827).
- Windows NT resource actions that return a non-zero exit code do not cause the action to fail (ID-2828).
- Setting a user's primary group ID on Active Directory cannot be done when creating the user (ID-3221).
- Resource IP addresses are cached in the JVM after the hostname is resolved to an IP address. If a resource IP address is changed, the application server must be restarted for Identity Manager to detect the change (ID-3635). This is a setting in the Sun JDK (version 1.3 and higher) and can be controlled with the sun.net.inetaddr.ttl property, which is typically set in jre/lib/security/java.security.
- You cannot create multiple accounts for a single user on Oracle resources (ID-3832).
- End-users cannot use the self-discovery feature for Domino resource accounts (ID-4775).
- If a user is moved from or to a sub-container within the Active Directory organization, the Active Sync adapter will detect the change, but when you view the user on the edit page, (or make a change and view the confirmation page) the user's accountId is still displayed as the original DN (distinguished name) (ID-4950). Because we use GUID to modify the user, this will not cause any operational problems. Running a reconcile against the resource will fix the problem.
- If a user is moved from an Organization (OU) to a sub-organization, the LDAP ChangeLog adapter will not recognize the change and assumes the user has been deleted. The user object is then locked in Identity Manager (if that is the current setting), and a new account is not created for the moved account (ID-4953).
- The pooled connections used by the UNIX resource adapters can be left in an undetermined state if an error occurs while executing a command or script (ID-5406).
- NDS organizations can be created in the top level of the tree only by setting the Base Context for the resource to "[ROOT]" (ID-5509).
- On NDS, if you edit a field (such as Grace Login Limit) on the initial provision and do not provide values for the boolean fields, all the boolean fields are set to false (ID-6770). This prevents you from setting the other fields on the restriction tab that require certain check box values to be true. To avoid this, always ensure all your boolean fields are true when you expect them to be, so they are properly pushed when editing other fields.
- If you change the password for a UNIX machine using the Manage Connection --> Change Resource Password feature, the task name that appears is:
- You cannot use the manage connection feature for UNIX resources that use NIS (ID-6948). An error is thrown because the password you are trying to change is for root, but NIS does not manage the root account.
- When updating users by selecting update from an Identity Manager organization, users with a Sun One ID Server account will get an error if those users were created natively and loaded into Identity Manager (ID-7094). The work around is to update those users individually.
- Identity Manager still contains the following deprecated classes:
- An error occurs when trying to delete a user who has an account on the PeopleSoft Component Interface resource. This resource currently does not support account deletions. (ID-9000)
- If you leave the New Resource Object wizard without clicking the Save or Cancel button, the abandoned form may not be destroyed and may interfere with the creation of subsequent new resource objects. (ID-11033) This leads to an error that says
Until now, the resource adapter would set a quota on a temporary tablespace — even if the oracleTempTSQuota attribute was not mapped. This behavior has changed. If you map the oracleTempTSQuota attribute, the old behavior is maintained (no change), but if you remove the mapping, no quota will be set on the temporary tablespace.
Workaround: For Oracle 10gR2 installations, remove the oracleTempTSQuota attribute from the resource adapter.
- There are two known issues with the Remedy Integration template editor. (ID-14729)
- NDS/Groupwise users created by Identity Manager that possess the Access and AccountID fields may appear not to have their corresponding values saved when inspected with certain viewers within the NDS Console 1 application (for example, by selecting the user's properties and then selecting the Groupwise tab).
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>
  <Rule name='IS_DELETE'>
    <Description>Should the active sync event delete the user?</Description>
    <or>
      <eq><ref>activeSync.Status</ref><s>T</s></eq>
      <eq><ref>activeSync.Status</ref><s>L</s></eq>
    </or>
  </Rule>
</Waveset>

<Field name='includeResponsibilities'>
  <Display class='Checkbox' action='true'>
    <Property name='title' value='Add Direct Responsibilities'/>
  </Display>
  <Default>
    <cond>
      <gt>
        <length>
          <ref>global.responsibilities</ref>
        </length>
        <i>0</i>
      </gt>
      <s>true</s>
    </cond>
  </Default>
  <Disable>
    <not>
      <ref>global.showOracleERPFields</ref>
    </not>
  </Disable>
</Field>
Resource Object Management
Resource Groups
Security
The StackOverflowError was caused by an infinite loop resulting from the Expansion permission evaluation.
This issue was resolved by adding two new User View boolean options:
These options are always passed when you request that a User View be passed to a rule. Setting these options to true prevents form derivation and expansion from occurring.
Servers
- Customers using Identity Manager 4.x should be sure that their hosting server is not using an ambiguous time zone. For example, EST can be used in either Australia or the United States. However, using GMT+10 or GMT-6 is unambiguous. (ID-8297)
- The com.waveset.rpm.SimpleRpcHandler class has been deprecated as of 7.1 (ID-14756)
- Add the following servlet definition to the deployment descriptor:
<servlet>
  <servlet-name>rpcrouter3</servlet-name>
  <display-name>OpenSPML SOAP Router</display-name>
  <description>no description</description>
  <servlet-class>
    org.openspml.server.SOAPRouter
  </servlet-class>
  <init-param>
    <param-name>handlers</param-name>
    <param-value>com.waveset.rpc.PasswordSyncHandler</param-value>
  </init-param>
  <init-param>
    <param-name>spmlHandler</param-name>
    <param-value>com.waveset.rpc.SpmlHandler</param-value>
  </init-param>
  <init-param>
    <param-name>rpcHandler</param-name>
    <param-value>com.waveset.rpc.RemoteSessionHandler</param-value>
  </init-param>
</servlet>
- Add the following servlet mapping to the deployment descriptor:
<servlet-mapping>
  <servlet-name>rpcrouter3</servlet-name>
  <url-pattern>/servlet/rpcrouter3</url-pattern>
</servlet-mapping>
To use createView with RemoteSession, you need to use the rpcrouter3 servlet. To access the rpcrouter3 servlet, you need to use the RemoteSession(URL, String, EncryptedData) constructor.
- Microsoft SQL Server 2000's locking characteristics can cause deadlock errors under certain heavy load conditions in Sun Identity Manager. (ID-16068)
Workaround: Upgrade from Microsoft SQLServer 2000 to Microsoft SQLServer 2005 using native mode.
Microsoft SQLServer 2005 (which has new functionality called Snapshot Isolation) has been tested with Identity Manager under heavy load, and does not exhibit the same deadlocking problems as SQLServer 2000.
Some customers also found it useful to alter their database to use READ_COMMITTED_SNAPSHOT as follows:
Sun Identity Manager Gateway
Tasks
- Administrators with Identity Manager Administrator privileges cannot view the manage tasks page if there is a Risk Analysis task in the list of tasks (ID-1225).
- Administrators who do not control Top cannot create Discovery or ResourceScanner scheduled tasks (ID-1414).
- The Find Task page does not display the number of tasks matching the search criteria (ID-5152).
- Delegated administrators who do not control Top can schedule tasks and view the task results, but cannot view the task after it has been created (ID-6659). The scheduled task was placed in Top and the delegated administrator does not have rights to view the object.
- A field named Deferred Tasks was added to the library. It provides the ability to list deferred tasks on a user. To implement this field, the following line must be added to the Tabbed User Form and the Tabbed View User Form (ID-7660).
Workflow, Forms, Rules, and XPRESS
- If you use global.attrname variables for fields in your user form, and the attribute is shared among more than one resource, you should also define a Derivation rule (ID-5074). Otherwise, if the attribute has been changed natively on one of the resources, the attribute may or may not be picked up and propagated to the other resources.
- You cannot use special strings beginning with & in HTML components of forms. For example, will no longer appear as a space. This issue was introduced because of a change to support special characters (&<>') in Select lists (ID-5548).
- Form, workflow and rule comments contained in <Comment> tags have strings in them representing the line feed character (ID-6243). These characters are only seen when viewing the XML for these objects; the Identity Manager server and Business Process Editor process these characters properly.
- If you use the delete templates with bulk actions, they will override the bulk action behavior with no indication that this action occurred. (ID-10320)
- If you use the Resource Table User Form for editing users, when editing a user's resource, the resource attributes are not fetched when the form first appears.
Service Provider Edition
This section describes known issues and workarounds for Identity Manager SPE.
- When working with SPE dashboards: If graphs take several minutes to load the first time, then you should verify that your browser is not configured to use the Microsoft Java Virtual Machine (MSJVM). Identity Manager SPE does not support using MSJVM to run browser applets. (ID-10837)
- Some configuration options that appear in the Identity Manager Administrator interface are not used with Identity Manager SPE. (ID-10843). Among these are:
- By default, auditing is not performed when using the checkinObject and deleteObject IDMXContext API calls. Auditing has to be explicitly requested by setting the IDMXContext.OP_AUDIT key to true in the option map passed to these methods. The createAndLinkUser() method in the ApiUsage class shows how to request auditing. (ID-11261)
- Dashboard graph name changes do not work properly. Although the new name is displayed when editing the graph, the graph is not referenced by the new name on any other pages. (ID-11690)
- The default Service Provider login module group expects the Service Provider resource to be named 'SPE End-User Directory'. If the name of the resource is different, then the Service Provider end-user login page will not function properly. The page will not show the login related fields. (ID-14891)
Workaround: The preferred method of starting and stopping is either through the product interface on the Resource page, or programmatically (for example, from a workflow) through the SessionUtil methods to start and stop SPE Sync. To prevent SPE Sync from starting automatically whenever an Identity Manager server instance is started, you must disable it from the Synchronization Policy for the resource. Stopping SPE Sync through the UI or SessionUtil method will merely stop synchronization until another Identity Manager server instance is started.
Workaround: You must set the following properties in the IBM 1.5 JDK:
- In the was-install/java/jre/lib directory, rename jaxb.properties.sample to jaxb.properties and uncomment these two lines:
javax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
javax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
- Save the file and restart the application server.