Identity Manager 8.1 Deployment Guide

This section contains new information and documentation corrections for the Sun Identity Manager Deployment Guide.

• The Adding Localization Support for the WIC in Sun Identity Manager Deployment Guide describes how to display export schema strings on the Data Exporter Type Configuration page in another language. However, these instructions should state that only customers who do not use the officially supported languages must perform these steps. Officially supported languages include Simplified Chinese, Traditional Chinese, Korean, Japanese, German, Spanish, French, Italian, and Brazilian Portuguese. (ID-19264)

  A localization jar file, containing a localized WICMessages.properties file, is co-packaged with Identity Manager 8.1. If you are using a localized Identity Manager system, you can view localized WICMessages.properties messages. For example, you can access the Identity Manager Administrator interface URL in a browser with lang=ja.

  In addition, the example used in this section is inappropriate. Because German is a supported language, German customers are not required to perform the steps in this section.

• This guide is missing the following description of login error codes: (ID-5657)

  Identity Manager provides the following error codes that custom code can check to determine login status. The actual string values are the numeric values in parentheses (for example, 101 or 102). The Constants.java file contains these error codes:

  LIGHTHOUSE_USER_NOT_FOUND             = 101;
  LIGHTHOUSE_AUTHN_FAILED               = 102;
  RESOURCE_AUTHN_SUCCESSFUL             = 104;
  RESOURCE_AUTHN_FAILED                 = 108;
  X509_CERT_NOT_FOUND                   = 110;
  END_USER_ATTEMPTED_LOGIN_TO_ADMIN_APP = 120;
  LIGHTHOUSE_USER_DISABLED              = 140;
  LIGHTHOUSE_USER_LOCKED                = 180;

System Configuration Object Documentation Changes

The description of the System Configuration object should contain the following information about these attributes:

ProvisioningDisabledUserShouldThrow – When set to true, any attempt to provision a disabled user to a resource will be prevented and will produce an error. When the attribute is not set to true, then the provisioning will still be prevented, but it will not produce an error. (ID-20064)

security.delegation.historyLength – Controls the number of previous delegations that are recorded. (ID-13331)

runPasswordLoginOnSuccess – When set to true, Identity Manager will run the Password Login workflow when a user logs in successfully by answering the authentication questions. By default, the value of this property is false. (ID-10030)

PasswordSyncThreshold - If password sync is enabled for a resource for which Identity Manager can also initiate password changes, you can use this setting to help prevent a loop-back password change. (ID-7887) When you initiate a password change from Identity Manager, it will set the password on the resource, and the PasswordSync library will notify Identity Manager of the change. Identity Manager will then compare the lastPasswordDate on the user object to the current time. If this difference is less than the PasswordSyncThreshold, Identity Manager will ignore the password change. In this way, the extra or unnecessary password change will be appropriately ignored.

PasswordSyncResourceExcludeList – Lists resource names that should always be excluded from synchronization.(ID-3275)

process.handleNativeChangeToAccountAttributes – When set to true, enables attribute value auditing. By default, this property is off. (Note: This enables attribute value auditing both for the reconciliation process and for the provisioner.) (ID-3275)

sources.subject – Specifies the login name of administrator designated as the owner of the source adapter task. (ID-19694

sources.host – Specifies the server on which the source adapter task runs.

security.saveNoValidateAllowedFormsAndWorkflows – Lists the IDs of forms and workflows that will be processed as a SaveNoValidate action. All other forms and workflows will be processed as a Save. If this list is not present, the behavior remains the same for all forms and workflows (all forms and workflows will be processed as SaveNoValidate.) (ID-19474)

Data Exporter Changes

Data Exporter provides the means to periodically export data that is managed or has been processed by Identity Manager to a set of DBMS tables for further processing. The export process is intentionally open to customizations, some of which may require manual intervention for the proper behavior. The Identity Manager configuration objects that are relevant to Data Exporter are preserved and updated appropriately. However, some exporter customization is done to files within the web application, and these take special handling.

During the upgrade process, Identity Manager overwrites all unmodified Data Exporter files in the $WSHOME and $WSHOME/exporter directories. If you made changes to any Data Exporter files, then the upgrade process leaves your modified version in place and installs the newer version of the file in $WSHOME/patches/Identity_Manager_8_1_0_0_Date/filesNotInstalled. If you want to merge the new functionality with your customizations, you must do this manually.

Note that the following files in $WSHOME are often customized:

model-export.dtd
model-export.xml
model-export.xsl
exporter/exporter.jar
exporter/create_warehouse.*
exporter/drop_warehouse.*
exporter/hbm/*.hbm.xml

The upgrade steps you must perform vary depending on whether you customized Data Exporter in 8.0 and your plans for Data Exporter in 8.1

• If you customized Data Exporter for 8.0 and want to implement the 8.1 features:

  1. Drop the warehouse schema.

  2. Upgrade Identity Manager.

  3. Recreate the schema with the new DDL in the $WSHOME/exporter directory.

     There are no schema upgrade scripts that will allow the schema to be modified with data in place. Therefore, if you need to preserve the data, you must export and then import the data. The 8.1 warehouse schema is table and field compatible with the previous version, although 8.1 added new tables and new fields to existing tables. The field order was also changed. As a result, your export needs to be a data-only export, not a DDL and data export.

  4. Merge customizations with the new 8.1 exporter files. If model-export.xml was customized, rebuild the exporter.jar file.

  5. Load the new warehouse schema.

• If you customized Data Exporter for 8.0 and you do not want to implement the 8.1 features:

  You can upgrade to 8.1 without performing any additional steps. However, if you upgrade to 8.1 Exporter but do not upgrade the warehouse DDL, the Warehouse Configuration page displays an error message that indicates the EXT_ADMINGROUP table is missing. This is an indication that the new 8.1 objects are in place, but the old 8.0 warehouse DDL is still loaded.

• If you did not customize Data Exporter for 8.0 and do not plan to implement the 8.1 features:

  1. Drop the warehouse schema.

  2. Upgrade Identity Manager.

  3. Load the new warehouse schema.

  ---

  Note –

  Data in the warehouse is left untouched. You do not need to change the DDL if model-export.xml was customized. If model-export.xml was not customized, then you must load the new DDL.

  ---

After 8.1 is installed, if the 8.1 version of model-export.xml is in place, you can see the new data types and attributes by looking at the schema file at http://server:port/idm/model-export.xml. New types and attributes are flagged with the 8.1 release number.