Sun[TM] Identity Manager 8.0 Release Notes
Identity Manager 8.0 Known Issues
This section of the Identity Manager 8.0 Release Notes lists known issues and workarounds:
General
- Required fields set on the resource schema map are only checked when a user account is created (ID-220). If a field is to be required on user updates, then the user form should be configured to ensure that the field is required.
- No checking is done on organization name, administrator name, account name, user attribute name (left hand side of schema map), or task names for invalid characters (ID-1145, 1206, 1679, 1734, 1767, 2413, 3331). You cannot use a dollar ($), a comma (,), a period (.), an apostrophe ('), an ampersand (&), a left bracket ([), a right bracket (]), or a colon (:) in the name for these types of objects.
- A misleading error message is given on the account page if you try to perform an action after your session has timed out (ID-1223).
- The calendar object is not fully viewable if the browser is using large fonts (ID-2120).
- The Select All checkbox on the Find Results page and the List Task page does not become deselected when one of the items in the list is deselected (ID-5090). The selectAll checkbox is ignored during the resulting action if not all of the members in the list have their checkbox selected.
- If you make a change to a custom message catalog, it is necessary to restart the server in order to see your changes. (ID-6792)
- The current mechanism for detecting a failed server assumes that all the systems in an Identity Manager cluster are synchronized with respect to time. (ID-7064) With the default failure interval of five minutes, if one server is five minutes out of sync with another, the server that is ahead will declare the server that is behind to be dead, causing unpredictable results. Keep the clocks of all cluster members synchronized (for example, with NTP).
- On Windows, if you are logging in as a user whose name contains double-byte characters and the default encoding for the machine only supports single-byte characters, you must set the USER_JPI_PROFILE environment variable to an existing directory whose name contains only single byte characters. (ID-8540)
- If you extract a resource to an XML file using the File Format as XML option, and then select CSV File Format from the dropdown list, the following message dialog is displayed:
- If an expanded node contains less than one page of data and you insert a new child of that node (for example, if you are creating a User in the organization) before the first record on the page, Identity Manager will insert a page with one item before the current page on the subsequent refresh. (ID-12151)
- If you modify a Role form to change the showSuperAndSubRoles variable from 0 to 1, and then import a super role object definition file containing existing subroles from the Configure tab, those subroles are not modified to include the <SuperRoles> section. However, if you use the Identity Manager graphical user interface to create a super role, the subroles referenced by that super role are updated. (ID-15053)
This issue can occur with roles created outside Identity Manager that have references to existing roles (either subroles or super roles) already in the system.
When importing these roles, the roles that already exist in the system are not updated to reflect the new relationships; that is, referential integrity is not maintained. Use the RoleUpdater to check and correct the referential integrity if roles are imported in this way.
Workaround: See ID-15482, described in Roles.
Workarounds:
- Edit adminrolemodify.jsp to stop passing id as a query string.
<%
String bodyAttributes = "onload=\"selectFirstEditField();\"";
try {
    String id = requestState.getParameter("id");
    if (id == null) {
        :
    }
    else {
        form.setTitle(Messages.UI_ADMIN_ROLES_JSP_EDIT_ROLE_TITLE);
        form.setSubTitle(Messages.UI_ADMIN_ROLES_JSP_EDIT_ROLE_SUBTITLE);
        // stop passing id as a query string
        //form.setPostURL(response.encodeURL("security/adminrolemodify.jsp?id=" + id));
        form.setPostURL(response.encodeURL("security/adminrolemodify.jsp"));
    }
- Edit adminrolemodify.jsp to encode the id query parameter value.
<%
String bodyAttributes = "onload=\"selectFirstEditField();\"";
try {
    String id = requestState.getParameter("id");
    if (id == null) {
        :
    }
    else {
        form.setTitle(Messages.UI_ADMIN_ROLES_JSP_EDIT_ROLE_TITLE);
        form.setSubTitle(Messages.UI_ADMIN_ROLES_JSP_EDIT_ROLE_SUBTITLE);
        // encode the id query parameter value before it is concatenated into the URL
        //form.setPostURL(response.encodeURL("security/adminrolemodify.jsp?id=" + id));
        form.setPostURL(response.encodeURL("security/adminrolemodify.jsp?id="
            + com.waveset.util.URLUTF8Encoder.encode(id)));
    }
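The second workaround depends on encoding the value before it is concatenated into the URL; note that response.encodeURL() only appends the session id to the URL when cookies are unavailable and does not escape any characters in the value. The Python below is an added example, not code from the release notes or from Identity Manager: it uses urllib.parse.quote in place of com.waveset.util.URLUTF8Encoder.encode, keeps the page and parameter names from the workaround, and feeds constructed role ids through both the raw and the encoded form of the URL to show which values survive the round trip through the query string as a servlet would read them back.

```python
# Added example: splicing an untrusted value into a query string, raw vs. encoded.
# Python stand-in for the JSP workaround; not code from the release notes.
from urllib.parse import parse_qs, quote, urlsplit

PAGE = "security/adminrolemodify.jsp"   # page name taken from the workaround


def post_url_unencoded(role_id: str) -> str:
    """The commented-out original line: raw string concatenation."""
    return PAGE + "?id=" + role_id


def post_url_encoded(role_id: str) -> str:
    """The workaround: percent-encode the value before concatenating.
    urllib.parse.quote stands in for com.waveset.util.URLUTF8Encoder.encode.
    safe="" makes '/', '&', '=', '?' and '#' escape as well."""
    return PAGE + "?id=" + quote(role_id, safe="", encoding="utf-8")


def id_seen_by_server(url: str) -> list:
    """The values a servlet would get for request.getParameter("id").
    parse_qs splits on '&' and percent-decodes, as a servlet container does;
    urlsplit discards the fragment after '#', which never reaches the server."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("id", [])


def extra_params(url: str) -> set:
    """Parameter names other than id that showed up in the query string."""
    return set(parse_qs(urlsplit(url).query, keep_blank_values=True)) - {"id"}


def round_trips(build, role_id: str) -> bool:
    """True when the server reads back exactly one id equal to the input."""
    return id_seen_by_server(build(role_id)) == [role_id]


# Constructed ids for the demonstration; not real Identity Manager object ids.
SAMPLE_IDS = ["Approver", "role&role=admin", "a#b", "Rôle Admin"]


def survey() -> dict:
    """For each sample id: (survives raw splicing, survives encoded splicing)."""
    return {
        rid: (round_trips(post_url_unencoded, rid), round_trips(post_url_encoded, rid))
        for rid in SAMPLE_IDS
    }


if __name__ == "__main__":
    for rid, (raw_ok, enc_ok) in survey().items():
        print(f"{rid!r:20} raw={raw_ok!s:5} encoded={enc_ok}")
```

With the raw form, an id containing '&' is read back truncated and introduces a second parameter (role=admin), and an id containing '#' loses everything after the hash because the browser treats it as a fragment; the encoded form returns every sample id unchanged.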
table.Tab2TblNew td {
    background-image: url(../images/tabs/level2_deselect.jpg); background-repeat: repeat-x; background-position: left top; background-color: #C4CBD1; border: solid 1px #8f989f; white-space: nowrap
}
table.Tab2TblNew td.Tab2TblSelTd {
    border-bottom: none; background-image: url(../images/tabs/level3_selected.jpg); background-repeat: repeat-x; background-position: left bottom; background-color: #F2F4F3; border-left: solid 1px #8f989f; border-right: solid 1px #8f989f; border-top: solid 1px #8f989f; white-space: nowrap
}
- While in a localized Identity Manager session, users might encounter partial localization (a mix of English and the selected language) in Process Diagram applets. (ID-16139)
- The Repository Configuration object has an attribute named maxAttrValLength. The value of this attribute is ignored, and is always 255. (ID-16261)
- Direct-mode password synchronization requires SimpleRpcHandler to be configured in the web.xml file. By default, this handler is not provided as a handler for the rpcrouter2 servlet. (ID-16469) To use direct-mode password synchronization, set the handlers initialization parameter of the rpcrouter2 servlet in the following way:
<init-param>
    <param-name>handlers</param-name>
    <param-value>com.waveset.rpc.SimpleRpcHandler,com.waveset.rpc.PasswordSyncHandler</param-value>
</init-param>
- The String Quality Policy page displays text in vertical lines. (ID-18551)
- Role type delegations will override role approval delegations made for a specific role. (ID-18559) For example, if future role work item types for one or more specific roles are delegated to user one, while all future business role work items are delegated to user two, the specific roles from the first delegation will be delegated to user two rather than user one. The scenario delegation summary follows:
- Roles contained by other roles can now be conditionally assigned to users when their parent role is assigned. A condition can be specified on the association between the parent and contained role when editing the parent role. A condition can be created inline or can reference a rule. If a rule is specified, all user view attributes required for the evaluation of the rule must be passed to it as rule arguments. (ID-18734)
- The data warehouse message catalog, WICMessages.properties, is loaded based on the server location instead of the user's location. (ID-18898) For example, if an application server is running in a Japanese locale, the query attributes will be displayed in Japanese, even if the user's interface is normally in English.
- Identity Manager 8.0 added a new queryable attribute, assignedRoles, which references all direct and indirect roles assigned to a user. (ID-18921) Prior releases contain the still available queryable attribute, role, which only contains roles directly assigned to users. The upgrade process only automatically refreshes users with indirect roles to enable population of assignedRoles. A report for users Assigned a Role will not return all users assigned to a role in an upgraded environment until all users have been refreshed.
Install and Update
The update.xml file is imported during the upgrade process. The import attempts to log in as configurator with the default password. If the login fails, an error is displayed, and the upgrade program prompts you for the correct login information. If you provide the correct information, the upgrade continues. When looking through the log file for the upgrade process, you can see the error message from the failed default login, but you do not see any further information about the upgrade in the log file. This issue does not affect the upgrade, only the log file. Note that if the default login succeeds, the configurator account is still using its default password and should be changed after the upgrade.
To prevent the error, you must edit the script and change the following line:
INSERT INTO waveset.roleobj SELECT * from waveset.object where type = 'Role';
Modify the line to read as follows:
INSERT INTO waveset.roleobj
  (SELECT id, type, name, lockinfo, modified, repomod, summary,
          attr1, attr2, attr3, attr4, attr5, counter, xmlSize, xml
   FROM waveset.object WHERE type='Role');
The explicit column names are necessary because the columns in an upgraded 7.1 database are in a different order.
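The following is an added illustration, not the product's upgrade script or its real schema: Python with an in-memory SQLite database, showing what goes wrong when INSERT ... SELECT * copies between tables whose columns are in different orders, and why the corrected line names the columns. The tables are cut down to four of the fifteen columns (id, type, name, xml), use an underscore instead of the waveset schema prefix because SQLite has no schemas, and hold constructed rows. The corrected script line lists the source columns in the target table's order; the example also names the target columns, which is the same idea made independent of order on both sides.

```python
# Added example: positional INSERT ... SELECT * versus an explicit column list.
# Not from the Identity Manager upgrade script; the tables are a constructed,
# cut-down stand-in (4 columns, no schema prefix) in SQLite.
import sqlite3

CANONICAL = ["id", "type", "name", "xml"]   # column order of the new roleobj table
ROWS = [                                     # constructed sample rows
    ("r1", "Role", "Approver", "<Role name='Approver'/>"),
    ("u1", "User", "jdoe", "<User name='jdoe'/>"),
]
EXPECTED_ROLES = [("r1", "Role", "Approver", "<Role name='Approver'/>")]


def make_db(object_columns):
    """Build waveset_object with its columns in object_columns order (an upgraded
    database may differ from the canonical order) and waveset_roleobj in the
    canonical order. Rows are inserted by name so their content is the same
    whatever the physical column order."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE waveset_object (%s)" % ", ".join(object_columns))
    con.execute("CREATE TABLE waveset_roleobj (%s)" % ", ".join(CANONICAL))
    con.executemany(
        "INSERT INTO waveset_object (%s) VALUES (?, ?, ?, ?)" % ", ".join(CANONICAL),
        ROWS,
    )
    return con


def _roles(con):
    return con.execute(
        "SELECT id, type, name, xml FROM waveset_roleobj ORDER BY id").fetchall()


def copy_roles_select_star(con):
    """The original script line: values are matched to target columns by position,
    so a reordered source silently lands data in the wrong columns."""
    con.execute("DELETE FROM waveset_roleobj")
    con.execute("INSERT INTO waveset_roleobj "
                "SELECT * FROM waveset_object WHERE type = 'Role'")
    return _roles(con)


def copy_roles_explicit(con):
    """The corrected form: name the columns so the mapping is by name, not position."""
    con.execute("DELETE FROM waveset_roleobj")
    con.execute("INSERT INTO waveset_roleobj (id, type, name, xml) "
                "SELECT id, type, name, xml FROM waveset_object WHERE type = 'Role'")
    return _roles(con)


def column_order_matters() -> bool:
    """True if SELECT * produced wrong rows on a reordered source while the
    explicit form produced the expected rows from the same database."""
    con = make_db(["name", "id", "xml", "type"])   # simulated upgraded-7.1 order
    star = copy_roles_select_star(con)
    explicit = copy_roles_explicit(con)
    return star != EXPECTED_ROLES and explicit == EXPECTED_ROLES


if __name__ == "__main__":
    con = make_db(["name", "id", "xml", "type"])
    print("SELECT * :", copy_roles_select_star(con))
    print("explicit :", copy_roles_explicit(con))
```

On a reordered source the positional copy succeeds without error and stores "Approver" in id and "Role" in xml. A strongly typed database such as Oracle or MySQL rejects the copy only when the mismatched types are incompatible; for columns that are all character data it succeeds with swapped data exactly as here, which is the outcome the column list prevents.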
Auditing
- During a scan, there is no support for retrying user accounts that could not be fetched from resources, or where other failures occur. These failures are reported when the scan is complete, but there is no automated way to rescan the accounts. (ID-9112)
- Identity Auditor attempts to keep users in compliance between policy scans by enforcing policy whenever the user is edited. If you edit a user that has assigned audit policies and is in violation of one of them, you cannot save changes to the user, even if the change is as simple as moving the user to another organization. (ID-9504)
Workaround: Use the right-click move (or find then move) functionality on the user applet, or temporarily disable the audit policy checks.
To disable the auditor policy checks, edit the system configuration and remove the userViewValidators property. This property, whose value is a list of strings, is added during the import of init.xml or upgrade.xml. Removing it disables these checks for every user edit on the server, so restore it once the change has been saved.
- Logarithmic scaling on Audit Policy reports is not implemented. (ID-9522)
- Currently, the Auditor Access Scan Report administrator cannot schedule an Audit Policy Scan. The error "Create access denied to Subject auditadmin on type TaskSchedule" is displayed. To schedule any task, administrators must have create privileges for the TaskSchedule authType. (ID-14713)
- When running Audit Scans that produce multiple violations, Auditor might create a remediation workflow to manage processing of the violations. (ID-15830) The default MySQL setting for max_allowed_packet (1M) is too small for a workflow with dozens of violations. If this limit is reached, Auditor will not start the remediation workflow; increase max_allowed_packet in the MySQL server configuration.
- Changing severity and priority values for Compliance Violation remediations can be misleading. The initial values in the form are not the current values of the Compliance Violations. They are the last values set when making a change. It is important that you know what severity/priority value you want while still viewing the list view, because you cannot determine the current values when on the page that lets you change the values. (ID-16040)
- Audit policy names cannot contain these characters: ' (apostrophe), . (period), | (line), [ (left bracket), ] (right bracket), , (comma), : (colon), $ (dollar sign), " (double quote), = (equals sign). (ID-16078)
- ComplianceViolations created before the IdM 7.1 upgrade will not allow the severity or priority to be set. The error message returned indicates that the Compliance Violation no longer exists, but this is incorrect. The violation does exist, but IdM is unable to set the severity or priority. (ID-16420)
Data Exporter
- The Data Exporter can be configured to run as any Identity Manager administrator with the appropriate capabilities. The export task runs as a daemon, and is started and monitored by the Identity Manager scheduler. Audit records created by the Data Exporter will show the subject of the Identity Manager scheduler (Scheduler:IDMServer), rather than the subject the task is configured to use. (ID-18055)
- Forensic query does not support Edit/Modify actions against role types. (ID-18769)
Identity Manager Service Provider
This problem may be corrected by setting the following values in Portal Server’s /etc/opt/SUNWam/config/AMConfig.properties file, and then restarting the web container:
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.JSSESocketFactory
com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
- Some configuration options that appear in the Identity Manager Administrator interface are not used with Identity Manager Service Provider. (ID-10843) Among these are:
- By default, auditing is not performed when using the checkinObject and deleteObject IDMXContext API calls. Auditing has to be explicitly requested by setting the IDMXContext.OP_AUDIT key to true in the option map passed to these methods. The createAndLinkUser() method in the ApiUsage class shows how to request auditing. (ID-11261)
- The default Service Provider login module group expects the Service Provider resource to be named 'SPE End-User Directory'. If the name of the resource is different, then the Service Provider end-user login page will not function properly. The page will not show the login related fields. (ID-14891)
Workaround: The preferred method of starting and stopping is either through the product interface on the Resource page, or programmatically (for example, from a workflow) through the SessionUtil methods to start and stop SPE Sync. To prevent SPE Sync from starting automatically whenever an Identity Manager server instance is started, you must disable it from the Synchronization Policy for the resource. Stopping SPE Sync through the UI or SessionUtil method will merely stop synchronization until another Identity Manager server instance is started.
Workaround: You must set the following properties in the IBM 1.5 JDK:
- In the was-install/java/jre/lib directory, rename jaxb.properties.sample to jaxb.properties and uncomment these two lines:
javax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
javax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
- Save the file and restart the application server.
Login Configuration
- Pass-through authentication module does not work for the Domino resource (ID-1646).
- Changes made to the Administrator Login Setup and User Login Setup pages are not visible to other administrators logged in (ID-3487). To see the changes, the other administrators will need to log out of the Administrator Interface and log back in.
- If an Administrator logs in and selects Change My Password, and then selects another tab, their account is locked until the lock expires. (ID-3705)
Organizations
Policies and Capabilities
- The Identity Manager account policy attribute Reset Notification Option has a value option of “administrator” that has no effect (ID-944). The only viable options are “immediate” and “user”.
- When deleting multiple roles, if an error is encountered, the entire operation will stop instead of continuing to the other roles (ID-1168).
- The minimum number of questions a user must answer can be set to a value greater than the number of defined questions (ID-1834). If this situation occurs, the user will not be able to log in using the “Forgot My Password” option.
- The Default Lighthouse Account Policy cannot be cloned by editing the policy, changing the name, and selecting to create a new object (ID-5147).
Reconcile and Import Users
- When executing Load From Resource, and the resource supports ACCOUNT_CASE_INSENSITIVE_IDS, if the user's accountId differs in case from the accountId stored in Identity Manager’s ResourceInfo user object, a second ResourceInfo will be added to the user object with the accountId in the same case as reported by the resource.
Reports
- Numbers display in the Priority and Severity columns of the Violation Summary Report instead of text descriptions. (ID-16932)
- The Violation Summary Report does not include fixed violations. The report only includes violations that are currently active (new or recurring) or mitigated. (ID-16933)
- The Violation State column in the Violation Summary Report should be localized. (ID-17011)
- Add an EXEMPTED option to the Possible States drop-down menu in the Violation Summary Report. (ID-17042)
- When several conditions are specified to generate a usage report, the graph displays correctly on the Report Result page, but the fixed line width will truncate the conditional text. (ID-17224)
- All Inactive Account Scan reports do not display their results on the View Risk Analysis page. To view the result from these reports, go to the Server Tasks page. (ID-17255)
- The User Question report does not display the report title when Question Policy is not configured. (ID-17415)
- The Resource User report lists Reset Administrator as a user, but Reset Administrator is a hidden user that should not be displayed. (ID-17650)
Resources
- Resource test button does not test all fields. (ID-51)
- Resource port assignments can be set to values greater than 65535. (ID-59)
- Bad error message displayed when setting incorrect Active Directory group name. (ID-393) If you attempt to set an Active Directory group name to “groupname” instead of “cn=groupname,cn=builtin,dc=waveset,dc=com” an error message stating “array index out of bounds” is displayed.
- Required account attributes are sometimes ignored if there is another resource with the same account attribute name that does not have the required flag set. (ID-1161)
- If an administrator attempts to add an organization to a resource that he does not have rights over, an error will appear. The edit of the resource must then be canceled and the resource edited again to make any other changes to the resource. (ID-1274)
- The error message when a resource account password or username is not correct on a PeopleSoft resource is not clear. (ID-2235) The error message states:
- Resource IP addresses are cached in the JVM after the hostname is resolved to an IP address. If a resource IP address is changed, the application server must be restarted for Identity Manager to detect the change. (ID-3635) This is a setting in the Sun JDK (version 1.3 and higher) and can be controlled with the sun.net.inetaddr.ttl property, which is typically set in jre/lib/security/java.security. (In later JDKs the java.security property is named networkaddress.cache.ttl, and sun.net.inetaddr.ttl is the older system property; a negative value caches successful lookups forever, and a value in seconds bounds how long a stale address is used.)
- You cannot create multiple accounts for a single user on Oracle resources. (ID-3832)
- End-users cannot use the self-discovery feature for Domino resource accounts. (ID-4775)
- If a user is moved from or to a sub-container within the Active Directory organization, the Active Sync adapter will detect the change, but when you view the user on the edit page (or make a change and view the confirmation page), the user's accountId is still displayed as the original DN (distinguished name). (ID-4950) Because Identity Manager uses the GUID to modify the user, this does not cause any operational problems. Running a reconcile against the resource will fix the problem.
- If a user is moved from an Organization (OU) to a sub-organization, the LDAP ChangeLog adapter will not recognize the change and assumes the user has been deleted. The user object is then locked in Identity Manager (if that is the current setting), and a new account is not created for the moved account. (ID-4953)
- The pooled connections used by the UNIX resource adapters can be left in an undetermined state if an error occurs while executing a command or script. (ID-5406)
- NDS organizations can be created in the top level of the tree only by setting the Base Context for the resource to "[ROOT]". (ID-5509)
- On NDS, if you edit a field (such as Grace Login Limit) on the initial provision and do not provide values for the boolean fields, all the boolean fields are set to false. (ID-6770) This prevents you from setting the other fields on the restriction tab that require certain check box values to be true. To avoid this, always ensure that all your boolean fields are true when you expect them to be, so they are properly pushed when editing other fields.
- If you change the password for a UNIX machine using the Manage Connection --> Change Resource Password feature, the task name that appears is:
- When updating users by selecting update from an Identity Manager organization, users with a Sun One ID Server account will get an error if those users were created natively and loaded into Identity Manager. (ID-7094) The workaround is to update those users individually.
- Identity Manager still contains the following deprecated classes:
- There are two known issues with the Remedy Integration template editor. (ID-14729)
- A regression causes Identity Manager password synchronization to fail when used with Sun JavaTM System Directory Server Enterprise Edition 6.0, 6.1, and 6.2. The failure will be corrected in the Directory Server 6.3 release. If versions 6.0, 6.1, or 6.2 are required to work with Identity Manager, please request a Directory Server hotfix from Support, referencing Directory Server bug 6604342. (ID-14895)
- When you expand the resource objects of a Sun Java System Access Manager 7.0 resource from the Resources tab, you might see the following error: (ID-15525)
Error listing objects. ==> com.waveset.util.WavesetException: Error trying to get attribute value for attribute 'guid'. ==> java.lang.IllegalAccessError: tried to access method com.sun.identity.idm.AMIdentity.getUniversalId()Ljava/lang/String; from class com.waveset.adapter.SunAccessManagerRealmResourceAdapter
- Due to interoperability issues between WebSphere data sources and Oracle JDBC drivers, Oracle customers who want to use a WebSphere data source with Identity Manager must use Oracle 10g R2 and the corresponding JDBC driver. (The Oracle 9 JDBC driver will not work with a WebSphere data source and Identity Manager.) (ID-16167)
- NDS/Groupwise users created by Identity Manager that possess the Access and AccountID fields can appear to not have their corresponding values saved when inspected by certain viewers within the NDS Console 1 application (for example, by selecting user's properties and then selecting the Groupwise tab).
- WRQ looks through the classpath to discover its own entry. From that entry, WRQ computes the directory where the JAR is stored, and then uses that directory to read the .JAW (licensing file). However, both BEA and WebSphere use non-standard protocol names (BEA uses zip, and WebSphere uses wsjar) rather than the standard jar protocol, which is the protocol the WRQ code assumes exists. (ID-16709, 17319)
- A Sealing violation exception might occur when you use Identity Manager 7.1 or 8.0 with Oracle 10g on Sun Java System Application Server Enterprise Edition 8.2. The problem can be caused by having more than one Oracle JDBC JAR file in the CLASSPATH or by having an incompatible version of the JDBC JAR file in the CLASSPATH. (ID-17311)
- Before creating a new resource, be sure to enable the resource type in the list of configured types. Otherwise, the newly created resource object may not have all the required fields. (ID-17324)
- The default value of the Create Directory attribute is inconsistent among Unix OS resources. (ID-18301)
- When Identity Manager is using a locale with a multibyte character set, the bulk action results do not generate the CSV filename correctly. (ID-18661)
Roles
- When manually entering activation or deactivation dates for a user's roles, the fields automatically submit when you click out or tab out of the field. This behavior causes a "Form Already Submitted" message to display if you click Save after manually changing the date in the activation or deactivation fields. (ID-18927)
- Deleting a role should first check for references to it as a contained role and then for references by users. If either kind of reference is found, an error is thrown and the role is not deleted. (ID-18981)
However, the check for references by other roles is faulty: the role is removed from its parent roles even though the deletion should have been refused. The role itself is then not deleted because it is still referenced by users, so references to the contained role remain on the User objects even though the parent role no longer contains that role.
Before deleting a role, verify that it is neither contained by any other role nor assigned to any user, either directly or indirectly.
Server
Sun Identity Manager Gateway
Tasks
- The Find Task page does not display the number of tasks matching the search criteria (ID-5152).
- Delegated administrators who do not control Top can schedule tasks and view the task results, but cannot view the task after it has been created (ID-6659). The scheduled task was placed in Top and the delegated administrator does not have rights to view the object.
- A field named Deferred Tasks was added to the library. It provides the ability to list the deferred tasks on a user. To implement this field, the following line must be added to the Tabbed User Form and the Tabbed View User Form (ID-7660).
Workflow, Forms, Rules, and XPRESS
- If you use global.attrname variables for fields in your user form, and the attribute is shared among more than one resource, you should also define a Derivation rule. (ID-5074) Otherwise, if the attribute has been changed natively on one of the resources, the attribute may or may not be picked up and propagated to the other resources.
- Special strings beginning with & cannot be used in HTML components of forms; for example, an entity that previously rendered as a space no longer does. This issue was introduced by a change to support the special characters &, <, > and ' in Select lists. (ID-5548)
- Form, workflow and rule comments contained in <Comment> tags have escaped strings in them representing the line feed character. (ID-6243) These strings are only seen when viewing the XML for these objects; the Identity Manager server and the Business Process Editor process them properly.
- If you use the Resource Table User Form for editing users, when editing a user's resource, the resource attributes are not fetched when the form first appears.