Identity Installation Pack 2005Q4M3 Features

2 Identity Installation Pack 2005Q4M3 Features

Before installing or upgrading the Sun Java™ System Identiy Installation Pack software, review the Notes on Installation and Update section of these release notes and any documentation provided with the most recent Identity Manager v5 service pack.

New Features

This section gives a summary and details new features for Identity Installation Pack 2005Q4M3.

Features Summary

This section contains a summary of major new features for this release. See the individual sections in this chapter for details.

There is now a new skin for the Identity Manager user interface with new navigation tabs. (ID-11077, 11079)

A new system log provides a place where critical exceptions are logged. Many system messages and errors for Identity Manager are now recorded in the repository instead of being written to stderr/stdout. (ID-2914)

Users may now define their own authentication questions using the All, Any, or Random question policies. (ID4808)

The following new adapters are now available:

JMS Adapter

Generic Gateway script adapter (supports Blackberry)

Java Enterprise Systems Messaging and Calendar Service

Generic Unix script adapter

SuSE Enterprise 9 adapter

Existing adapters now support the following software versions:

Access Manager v7

AIX 5L v5.3

Websphere 6 (application server, not adapter)

Siebel CRM supporting managing accounts in Siebel business components other than Employee.

You may now disable features on resource adapters. The administration interface allows you to disable features for each individual resource instance. (ID-6192)

Added the Meta-Directory's Universal Connector (UTC) functionality for the change log. (ID-7077)

Failover to alternate domain controllers when a failure occurs during the active synchronization process is now supported. (ID-7537)

PasswordSync has been redesigned. It now works in conjunction with Java Messaging Server message queues. See for Identity Manager Administration more information. (ID-7649, 10268)

Identity Manager now has support for tamper-resistant audit logs. Refer to Identity Manager Administration for information on enabling them and reporting on audit log breaches. (ID-8688)

There is a new account list page and new resource list page. The switch for selecting which resource list viewer to execute is the ResourceListViewer in the ResourceUIConfig object. Valid values are “treetable” for the new viewer and “applet” for the account applet.(ID-10496)

Identity Manager now supports Digitally Signed Approvals. Refer to Identity Manager Administration for information on enabling and configuring. (ID-9137)

A new feature called Identity Attributes has been added to Identity Manager. Identity Attributes can be configured to control inter-resource data flow for the administrative user interface, end user interface, Active Sync, bulk actions, and SPML. (ID-10867)

There is now the ability to lock Identity Manager users. (ID-10851)

A new helpTool feature allows you to search Identity Manager online help and documentation files, which are in HTML format. For more information, see Using helpTool in the Documentation Additions and Corrections chapter. (ID-11620)

Documentation

For this release, the Identity Manager Technical Deployment and Identity Manager Technical Reference publications were reorganized into the following books:

Identity Manager Technical Deployment Overview — Conceptual overview of the Identity Manager product (including object architectures) with an introduction to basic product components.

Identity Manager Workflows, Forms, and Views — Reference and procedural information that describe how to use the Identity Manager workflows, forms, and views — including information about the tools you need to customize these objects.

Identity Manager Deployment Tools — Reference and procedural information that describe how to use different Identity Manager deployment tools; including rules and rules libraries, common tasks and processes, dictionary support, and the SOAP-based Web service interface provided by the Identity Manager server.

Identity Manager Resources Reference — Reference and procedural information that describe how to load and synchronize account information from a resource into Sun Java™ System Identity Manager.

Identity Manager Audit Logging — Reference and procedural information that describe how to load and synchronize account information from a resource into Sun Java™ System Identity Manager.

Identity Manager Tuning, Troubleshooting, and Error Messages — Reference and procedural information that describe Identity Manager error messages and exceptions, and provide instructions for tracing and troubleshooting problems you might encounter as you work.

The following tables identify into which books specific chapters were relocated:


Identity Manager Technical Deployment Chapter	New Book Location
Introduction to the Business Process Editor	Identity Manager Deployment Tools
Private Labeling of Identity Manager	Identity Manager Technical Deployment Overview
Identity Manager Workflow	Identity Manager Workflows, Forms, and Views
Identity Manager Forms	Identity Manager Workflows, Forms, and Views
Identity Manager Views	Identity Manager Workflows, Forms, and Views
Adapter Development	Identity Manager Deployment Tools
Adding Actions to Resources	Identity Manager Resources Reference
Identity Manager Auditing	Identity Manager Audit Logging
Data Loading and Synchronization	Identity Manager Technical Deployment Overview
Data Loading Scenarios	Identity Manager Technical Deployment Overview
LDAP Deployment Scenario	Identity Manager Technical Deployment Overview
Identity Manager PasswordSync	Identity Manager Administration (renamed Synchronizing LDAP Passwords)
Troubleshooting and Tracing	Identity Manager Tuning, Troubleshooting, and Error Messages
Configuring Dictionary Support	Identity Manager Deployment Tools
Configuring User Actions	Identity Manager Workflows, Forms, and Views
Performance Tuning	Identity Manager Tuning, Troubleshooting, and Error Messages
Form and Process Mappings	Identity Manager Workflows, Forms, and Views
Variable Name Spaces	Identity Manager Deployment Tools
Customized Message Catalogs	No longer maintained in product documentation.
Enabling Internationalization	Identity Manager Technical Deployment Overview


Identity Manager Technical Reference Chapter	New Book Location
XPRESS Language	Identity Manager Workflows, Forms, and Views
XML Object Language	Identity Manager Workflows, Forms, and Views
HTML Display Components	Identity Manager Workflows, Forms, and Views
FormUtil Methods	Identity Manager Workflows, Forms, and Views
Rules	Identity Manager Deployment Tools
Workflow Services	Identity Manager Workflows, Forms, and Views
Identity Manager Web Services	Identity Manager Deployment Tools
Resources Reference	Identity Manager Resources Reference
AttrParse	Identity Manager Resources Reference
Errors and Exceptions	Identity Manager Tuning, Troubleshooting, and Error Messages
Audit Log Database Schema	Identity Manager Audit Logging
Firewalls or Proxy Servers	Identity Manager Deployment Tools

Administrative and User Interfaces

The deprovision page has additional new functionality. (ID-8530) Refer to Identity Manager Administration for information.

The Delete User capability now has four capabilities:

Delete User

Deprovision User

Unassign User

Unlink User.

The (Bulk) Delete User now has four capabilities:

(Bulk) Delete User

(Bulk) Deprovision User

(Bulk) Unassign User

(Bulk) Unlink User.

Resources Page

Returning to Applet View for the Resources Page

Note applet viewer has been deprecated. This procedure is provided for backwards compatibility purposes only. (ID-11415)

Identity Manager provides a switch for returning to applet view resource display on the Resources page.

Using the Business Process Editor (BPE), open the ResourceUIConfig object. For information on using the BPE, see Introduction to the Business Process Editor in Identity Manager Deployment Tools.

Replace treetable with applet as the value for the ResourceListViewer attribute.

Save the object, and restart Identity Manager. The product will subsequently display the applet viewer on the Resources page.

treetable

applet

treetable

Returning to Applet View for the Accounts Page

Note applet viewer has been deprecated. This procedure is provided for backwards compatibility purposes only. (ID-11415)

Identity Manager provides a switch for returning to applet view resource display on the Accounts page.

Using the Business Process Editor (BPE), open the UserUIConfig object. for information on using the BPE, see Introduction to the Business Process Editor in Identity Manager Deployment Tools.

Replace treetable with applet as the value for the UserListViewer attribute.

<String>treetable</String>

</UserListViewer>

</UserUIConfig>

Save the object, and restart Identity Manager. The product will subsequently display the applet view on the Accounts page.

treetable

applet

treetable

There is now a help page per report type in both Identity Auditor and Identity Manager. I prior release there was one help page for all report. (ID-11279)

Business Process Editor

The BPE has been enhanced with the notion of a workspace, where repository connection information, options, breakpoints, open sources, and autosave files are saved. (ID-9857)

There have been a number of changes to the user interface:

On opening the BPE you must either select a new workspace or click Create new workspace to create a new one.

The editor options form no longer has Default server, Default user, Default password, etc. These are now all setup as part of the workspace. A given workspace is tied to a specific repository.

The File> Connect to repository menu item is now gone. Connections now always happen automatically.

In the debugger, the menu item Debug> Breakpoints is gone. This is because the breakpoints dialog is now part of the debugger panel.

On the Breakpoints panel, there is a new Sources breakpoints tab that lists all of the source breakpoints so you can quickly navigate to them and clear them.

There is no longer a Launch debugger dialog. This information is now part of the workspace and this happens automatically.

The BPE now supports editing TabPanel, WizardPanel forms as well as SortingTable, InlineHelp and ErrorMessage fields. (ID-10418)

lh

The lh and lh.bat scripts now import an environment file for deployment specific variables. For example, when using a WebSphere 5 datasource for the repository, extra environment variables are required. Sample files for this purpose are included in sample/other/idm-env.*.ws5. (ID-10443)

Logging

Identity Manager now supports Digitally Signed Approvals. Refer to Identity Manager Administration for information on enabling and configuring. (ID-9137)

PasswordSync

PasswordSync now operates against any JMS enabled message queue.
(ID-10268)

Reconciliation and Discovery

When scheduling reconciliation, you can now provide the name of a Rule to be used to customize the schedule. For example, the Rule can push Reconciliations scheduled for a Saturday to the following Monday. (ID-8538)

Repository

The Identity Manager Repository now performs Oracle-proprietary handling for the CLOB columns. The sample scripts for Oracle now define the xml column as data type CLOB (rather than LONG VARCHAR). (ID-5286)

The Identity Manager Repository now supports MySQL 4.1 and no longer supports MySQL 4.0. If you wish to preserve MySQL 4.0 data you must upgrade to MySQL 4.1 following the procedures described in the script upgradeto2005Q4M3.mysql during the upgrade to the 2005Q4M3 release. (ID-10041)

The database upgrade scripts now add two optional columns to the log table: sequence and xml. These columns enable new features such as signed log records and signed approval records. (ID-11013)

The performance of the IDM Repository's 'set' operation has been improved. (ID-11673)

Resources

Active Sync

ERP Resources

The PeopleSoftCompIntfcAdapter now supports reconciliation, load from resource, and user listing. (ID-8872)

A new resource adapter Siebel CRM is available. It supports managing accounts in Siebel business components other than Employee. (ID-11022)

Directory Resources

The LDAP Resource Adapter is now capable of detecting password changes in Sun Java System Directory Server via Active Sync. The feature requires installing a custom plugin in the target directory server (see the Identity Manager Resources Reference for more information). (ID-8870)

The LDAP resource adapter now supports assigning posixGroup membership to LDAP accounts as well as management (create, update, and delete) of posixGroup entries. (ID-9748)

Gateway Resources

Failover to alternate domain controllers when a failure occurs during the Active Sync process is now supported. If a failure is detected while polling an Active Directory resource, a configurable workflow process can be called to facilitate the failover to an alternate domain controller. (ID-7537)

A new resource attribute Authentication Timeout to Active Directory resource adapter has been added. This is for pass-through authentication only. It prevents the adapter from hanging if there is a problem on the gateway side. (ID-9526)

Security

The new User AdminRole can be used to assign administrator capabilities to an end user at runtime. See Identity Manager Administration for more details. (ID-6607)

Added support for user supplied authentication questions when using the All, Any, or Random question policies. (ID4808)

All, Random and Any enables a full list of questions to answer

RoundRobin: selects one question from the list of available questions and allows the user to create an answer to that ONE question.

There is now a new capability called License Administrator. See the Identity Manager Administration for more information on using this new capability. (ID-7481)

Server

The Deferred Task Scanner now catches and reports errors that occur when the scanner is processing individual objects. Certain types of failures that occur up front (for example, a failure to list objects) can still stop the entire scan. However, an error that is specific to a particular object no longer stops the entire scan. (ID-10967)

Defects Fixed in This Release

This section details defects fixed in Identity Installation Pack 2005Q4M3.

Administrator Interface

Role Synchronization results no longer display a numeric ID. It now displays a user friendly display name. (ID-6937)

The Identity Manager web application now supports version 2.3 of the Servlet Specification. As a result, version 5 of the Websphere Application Server now allows the Identity Manager web application to use a Websphere Application Server Version 4 Data Source. (ID-7913)

For all versions, images representing country flags are no longer included in the product distribution. (ID-8937)

LoginApps can now be disabled via the Administrator interface. (ID-9021)

The Active Processes page now shows only one time value, which is in the description field and is in 24hr format. (ID-9472)

The SimpleTable user interface component now correctly honors the noWrap property as set in the form XPRESS. (ID-9763)

You now have the option to have the sunrise create accounts in two different ways with the check box on the sunrise tab. Also, a deferred task is now used to enable the user and create resource accounts that were deferred. (ID-10174)

Only rules of the appropriate subtype are listed in Correlation and Confirmation selection lists for Active Sync configuration. (ID-10247)

An error displaying Active Sync status before it is available (for example, quickly after starting Active Sync) no longer occurs. (ID-10475)

The anonymous login page can now be used concurrently to obtain a ResetSession in Identity Manager. (ID-10846)

Active Sync for a resource can now be stopped and started from any server in an Identity Manager cluster. (ID-10821)

There is now the ability to lock Identity Manager users. (ID-10851)

The Find User results page now features an Edit button. In addition, after selecting and editing a user in the results list, the interface now returns to the Find User results page. (ID-10913)

The Role Synchronization task now works correctly. (ID-11190)

The property gui.enableTaskTemplateEditor has been removed from the Waveset.properties file. This option is now on by default. (ID-11611)

The Find Tasks page (task/findtasks.jsp) no longer hangs when the number of tasks that match the specified selection criteria exceeds the result limit. (ID-11803)

The ChangeLog now supports delete operations, but if you are not using a single resource as an authoritative source, some data values will be missing. The accountId, if part of the Identity Attributes and the ChangeLog View, will be present. (ID-11917)

Audit

Identity Manager now has support for tamper-resistant audit logs. Refer to Identity Manager Administration for information on enabling them and reporting on audit log breaches. (ID-8688)

Business Process Editor

The BPE no longer supports creating hierarchical libraries. (ID-9971)

IE Bridge is no longer an option for the Preferred web browser
(under Tools > Options) in the BPE. (ID-10617)

Forms

There are new sample LDAP Create and Update Group forms to allow non-unique member names. This represents a change of behavior that may affect a customer that was using the work around of decrypting the field inside the validation expression. (ID-8831)

Identity Manager now temporarily decrypts the field inside the validation expression prior to running the validation expression. If you are using the work around of decrypting the field inside the validation expression and if the expression expected it to be an EncryptedData and called decryptToString, you may get an obscure exception in the form. If you are using this method, remove it when you upgrade. (ID-9024)

New methods have been added to FormUtil and WorkflowServices to check string quality against named policy. This aids in debugging password policy mismatches. (ID-9689)

ResourceForms to manage resource object types can now be specified for each resource instance. Previously, ResourceForms could only be specified at the resource type level. (ID-9753)

The StripNonAlphaNumeric rule now returns correct substrings. (ID-10275)

When editing a User, the list of available Resources that can be excluded now only include Resources assigned indirectly via Role and/or ResourceGroup assignments. Directly assigned Resources should not be included in this list. (ID-11585)

Identity Auditor

In the user interface the Manage Connections selection from the resource right click menu now functions properly. (ID-10379)

There is now functionality to return new read-only attributes for Auditing and Reporting. (ID-11015)

In the user interface compliance graphs now successfully display in servlet containers with small default page buffer sizes. (ID-11174)

The correct labels are now displayed when adding or updating a user. (ID-11887)

Identity Manager SPE

By default, auditing is not performed when using the checkinObject and deleteObject IDMXContext API calls. Auditing has to be explicitly requested by setting the IDMXContext.OP_AUDIT key to true in the option map passed to these methods. The createAndLinkUser method in the ApiUsage class shows how to request auditing. (ID-11261)

Installation and Update

Cryptix .jar files are no longer included with software installation, and are no longer supported. (ID-8238)

If you have customized the waveset.properties file, make sure that the security.jce.workaround property is set to a value of false, or removed. If set to a value of true, then an exception is thrown.

The installer now imports update.xml automatically. (ID-8269)

The following jars were removed because of licensing issues. These jars are required for the following resource adapter. Each is labeled below with information on how to get the jars from the vendor. (ID-9338)

Adapter: OS400ResourceAdapter

URL: http://jt400.sourceforge.net

Project: JTOpen

JAR: jt400.jar

Version: 2.03

Adapter: ONTDirectorySmartAdapter

URL: http://my.opennetwork.com

Project: Directory Smart

JARs: dsclass.jar, DSUtils.jar

Version: N/A

When running Setup, the LocateIndexPanel no longer offers JDBC 2.0 Data Source as a separate choice. Instead, this panel now offers JDBC Driver and Data Source for each supported DBMS. (ID-9903)

The Java platform version required to support to the current Identity system software is JDK 1.4.2. (ID-10347)

Identity Installation Pack setup now defaults to using Free use license unless otherwise specified. (ID-11720)

javax/mail/MessagingException

For some application servers, you may need to download and install the following .jar files to WEB-INF/lib directory:

mail.jar - http://java.sun.com/products/javamail

activation.jar - http://java.sun.com/products/beans/glasgow/iaf.html

If not installed, you may receive the javax/mail/MessagingException, and may not be able to successfully create Identity Manager users. (ID-10207)

lh Command

The lh set license command has been revised. (ID-10715)

Usage

License [options] { status | set {parameters} }

Options

-U username (if Configurator user is renamed)

-P password (if Configurator password is changed)

Parameters

The parameters for the set option must be in one of these forms:

{ -f <file> }
{ <stdin> }

Logging

Many system messages and errors for Identity Manager are now recorded in the repository instead of being written to stderr/stdout. (ID-2914)

For deployments with custom Java code installed: be aware that the tracing facility implemented by com.waveset.util.Trace and com.waveset.adapter.Trace has been replaced with a new facility in com.sun.idm.logging.Trace. While the old facility is still supported, it is now marked deprecated and customers are advised to begin migrating to the new facility. (ID-10494)

Localization

Internationalization is now enabled by default. (ID-7216)

Many previously unlocalized messages are now localized. (ID-7709)

Column names in the default instance of the All Compliance Violations report are now localized. (ID-9728)

Various text fields of the Expired Password report now appear in the appropriate language. (ID-9920)

All EmailTemplate objects are now internationalized. The object names remain the same as before, but the displayName attribute is set to a message tag which contains the language specific name for the object. (ID-10627)

The csv reports generated by Identity Manager and Identity Auditor are now encoded in UTF-8. To properly view these spreadsheets, it might be necessary to change the default extension of the report to an unrecognized extension so that the spreadsheet application allows you to select the encoding of the file. (ID-10667)

PasswordSync

The values put in the trace log now match the actual registry names. (ID-9575)

An email is now sent to the enduser and/or an administrator when an error is returned when attempting to queue the password update. (ID-9947)

PasswordSync now has a new design effecting JMS and email settings. The User tab is now only accessible if you add -direct to the command-line.
(ID-11118)

Reconciliation

Reconciliation policy now allows multiple reconciliation servers to be specified, allowing continuation of service if one server becomes unavailable. (ID-9627)

Reconciliation requests can no longer hang the administrator interface indefinitely. (ID-10326)

Errors from reconciliation workflows are now viewable as part of the reconciliation results. Additionally, errors in the pre-reconcile workflow now prevent the reconcile from continuing. (ID-10334)

Introduced flag suppressing reconciliation policy lookups during resource applet displays. This may improve performance for deployments with large number of resources (400+) of the same type. (ID-11697)

Reporting

A default Historical User Changes Report has been added that shows actions made to a user over a specified period of time. (ID-9720)

After reporttasks.xml has been imported the pending changes options on the User Summary report should return the proper list of users. (ID-11377)

Repository

Volatile task related objects (for example, instances of Type.WORK_ITEM, Type.TASK_INSTANCE, Type.TASK_RESULT and Type.TASK_RESULT_PAGE) are now stored in a separate pair of database tables (task, taskattr) rather than the default tables (object, attribute). (ID-8813)

The indexes on the ACCOUNT table have been reworked to improve the performance of the Repository (as well as to decrease DBMS index maintenance overhead). (ID-9742)

The database upgrade scripts now change the accountName column of the account table to be not null for every DBMS except DB2. (ID-9749)

The setRepo command now preserves correctly JNDI properties that are specified as command-line arguments. (ID-10136)

Whenever an object's XML string grows beyond the configured limit, the Repository's exception message now identifies the offending object. (ID-10670) For example:

Item 'User:joebob' length (5937) exceeds configured maximum (5000).

This release deprecates the following methods:

com.waveset.object.Attribute#getDbColumnName

com.waveset.object.Attribute#getDbColumnLength

No custom code should depend on these methods.

Searching for users contained by an organization with more than a thousand sub-organizations no longer causes an error on Oracle. (ID-10559)

The Identity Manager Repository no longer fails under Oracle 9 or Oracle 10 when A Bind value of length potentially greater than 4000 bytes follows binding for LOB or LONG. (ID-10693)

Identity Installation Pack now exposes an Attribute.CONTAINED_BY_OBJECT_GROUP (containedByObjectGroup) that allows callers to query more efficiently based on object group containment (for example, based on direct as well as indirect containment within the organization hierarchy that IDM object groups define.) (ID-11392)

Organizations (for example, instances of Type.OBJECT_GROUP) are now stored in a separate pair of database tables (org, orgattr) rather than in the default tables (object, attribute). This improves performance, scalability, and maintainability of Identity Manager organizations. (ID-11393)

Identity Manager Repository initialization automatically constructs an appropriate subclass of RelationalDataStore if you attempt to access an Oracle, MySQL, DB2 or SQL Server database with a generic RelationalDataStore.

In order to avoid this overhead, you should use Setup or setRepo to specify that DBMS as the repository location type. (ID-11429)

A UserMemberRule that fetches more than a thousand users associated with a sub-organization no longer causes an error on Oracle. (ID-11432)

The Identity Manager Repository no longer fails under Oracle 9 or Oracle 10 when an object's summary string is longer than 1000 characters. (ID-11565)

Resources

Active Sync

For all Active Sync resources, if the Active Sync logging directory does not exist, Identity Manager attempts to create the directory. If it cannot be created, an error message is written to the trace file. (ID-10291)

ERP

The SAP adapter no longer throws a NullPointerException when the SAP system that it is connecting with does not contain the PASSWORD_FORMAL_CHECK function module. (ID-9946)

The SAP HR Active Sync adapter now can return a List object for attributes that contain multiple values. In addition, the attributes are now specified as a path expression so that arbitrary attributes in deeper levels of the IDoc can be retrieved. (ID-10387)

The SAP resource adapter no longer supports the SAP Note 750390 Installed? resource attribute. (ID-10039)

A change was made to the view SQL for AUDIT_EFFDT_LH Record in the Peoplesoft project so that creates/updates/deletes would not be duplicated in Identity Manager. (ID-10481)

Gateway

A logic flaw in how text lists are loaded has been corrected. Gateway crashes were occurring when the Domino extension processes a text list attribute which was empty. (ID-9581)

Host name comparison is case insensitive when scheduling tasks now. This relates to the host name used for waveset.hostname and in sources.<Resource>.hosts and sources.hosts. (ID-9606)

The SecurID adapters now support the retrieval of adminLevel, adminTaskList, adminTaskListTasks, adminGroup, adminSite values from the resource within our Forms environment. (ID-9750)

When reconciling users from a Domino resource, the reconciliation process now not terminates after Block Count users are processed. Block Count is the an agent adapter parameter used to limit the maximum number of users that a block can hold during an operation. (ID-10929)

Domino after actions now runs when the account name (identity), returned from the resource, is different than the one specified in the resource's Identity Template. (This is usually due to differences in character case). (ID-11156)

Other Resources

For the LDAP Listener Active Sync adapter, the Attributes to Synchronize resource attribute now work correctly when left blank (changes are not filtered), and LDAP delete events are processed correctly. (ID-5658)

The following deprecated method has been removed from the ResourceAdapterBase class in order to eliminate the dependency on the HostAccess class on the classes that it depends on:

protected void runResourceAttributeJavascriptAction(String resAttrName,

HostAccess hostAccess, HostAccessLogin hostAccessLogin,

String user, EncryptedData password) throws Exception

Customized adapters that reference that method should be modified such that they extend the HostAccessResourceAdapter which has the implementation of this method. (ID-6033)

The administration interface now allows you to disable features for each individual resource instance. (ID-6192)

The HPUX Resource Adapter can now assign a user identification when creating a user. (ID-7348)

SunISResourceAdapter has been renamed SunAccessManagerResourceAdapter. The SunISResourceAdapter has been deprecated. (ID-7556)

All associated sample forms have been added as well:

SunAMUserForm.xml

SunAMUpdateStaticGroupForm.xml

SunAMUpdateRoleForm.xml

SunAMUpdateOrganizationForm.xml

SunAMUpdateFilteredGroupForm.xml

SunAMUpdateDynamicGroupForm.xml

SunAMCreateStaticGroupForm.xml

SunAMCreateRoleForm.xml

SunAMCreateOrganizationForm.xml

SunAMCreateFilteredGroupForm.xml

SunAMCreateDynamicGroupForm.xml

If you re-compile a customer adapter it may fail because it depends on the com.waveset.object.Constants being implemented in a parent class. To fix the problem merely reference the field statically for each compile failure. (ID-8215)

For instance:

/tmp/wd151610/waveset/idm/backward/5_0SP1/com/waveset/adapter/DominoHt tpResourceAdapter.java:270:

cannot resolve symbol

symbol : variable DOMINO_PASSWORD

location: class com.waveset.adapter.DominoHttpResourceAdapter

+ " <AuthnProperty name='"+DOMINO_PASSWORD+"'

displayName='"+Messages.UI_PWD_LABEL+"' formFieldType='password'/>\n"

One might see unable to resolve 'DOMINO_PASSWORD'. Simply append 'Constants.' to the beginning and add the import 'com.waveset.object.Constants' to fix the problem.

The LDAP resource adapter has been enhanced to preserve a user's groups across a rename. (ID-8348)

In the database table adaptor, column names now allow spaces or other non-standard characters. (ID-9016)

Launch time for active sync polling now respects start time, date, and polling intervals. If the start date and start time are specified as active sync parameters, then the initial poll() time respects these fields appropriately. If no start date or start time are specified, or if only one of these fields is specified, the poll is launched immediately. (ID-9083)

The LDAP resource adapters have been enhanced to permit the specification of a mechanism, and parameter, to use when enabling/disabling LDAP accounts. (ID-9774)

Sample skeleton adapter code has been simplified and updated to utilize the IAPIFactory for Active Sync implementation. (ID-9985)

The FlatFile adapter XMLResourceAdapter, and the types derived from it, no longer create a new (possibly partial) account on that resource. (ID-10127)

Administrators must be granted privileges to run the certain commands with sudo on UNIX systems. You can use a test connection to test whether

These commands exist in the administrator user’s path

The administrative user can write to /tmp

The administrative user has rights to run certain commands

DatabaseTable adapter now supports an ORDER BY clause. (ID-10546)

Host resource adapters now do not enforce maximum connections for an affinity admin across multiple host resources connecting to the same host. Instead, the maximum connections is enforced for affinity administrators within each host resource.(ID-11001)

If you have multiple host resources managing the same system and they are currently configured to use the same administrator accounts, the resources may need to be updated to ensure that the same administrator is not attempting to perform actions on the resource at the same time.

More than one Active Sync adapter can now be configured with a startup type of Automatic with failover. (ID-11014)

The Solaris adapter no longer prints an error message if a acquire script mutex lock file is deleted by another Identity Manager provisioning process on the Solaris system. (ID-11044)

All UNIX adapters now set the WSUSER_<attribute_name> variables to null if the attribute has a null value (or empty string). Previously the value of the WSUSER_<attribute_name> was used when <attribute_name> did not have a value or had a value of the empty string. (ID-11113)

TopSecret can now manage OPTIME and OPID attributes from the CICS segment. It also can now be configured to support additional custom attributes. (ID-11249)

If Reconciliation is attempted against a (stock) FlatFile resource, the error message is now the following instead of an exception (ID-11340):

The adapter must support iterating accounts in order to reconcile accounts on resource <Resource Name>.

IdPak 2005Q4M3 moves several constants related to STARTUP_TYPE from com.waveset.object.Attribute to com.waveset.object.Resource:

STARTUP_TYPE_AUTO

STARTUP_TYPE_AUTO_FAILOVER

STARTUP_TYPE_MANUAL

STARTUP_TYPE_DISABLED

STARTUP_TYPES

STARTUP_TYPES_DISPLAY_NAMES

The deprecated constants in com.waveset.object.Attribute will be removed in a future release. Custom code that refers to the deprecated constants should be changed to refer to the new constants in com.waveset.object.Resource. (ID-11675)

Database connections are now closed as soon as possible during iteration and polling, preventing unused connections from being held unnecessarily. (ID-11986)

Reporting

There are now no <br> HTML tags found in reports that are downloaded into CSV or PDF. (ID-10237)

The font used when generating reports is controlled on a global-basis by editing the settings on the Configure> Reports page. It can also be overridden by editing the configuration for each report. (ID-10641)

Security

There is now a new property questionLogin.bypassChangePassword for bypassing the change password challenge following a successful question login. See the Identity Manager Administration for more information on using this new feature. (ID-10465)

The Javadocs for the following FormUtil methods have been corrected or enhanced (ID-11592):

getAdministrators

getApprovers

getApproverNames

getSimilarApprovers

getSimilarApproverNames

getUsers

There are now new arguments passed to an organizations userMemberRule. (ID-11621)

Identity Manager for new installations now uses the PKCS#5 (PBE) key for key encryption key instead of the default key and generates a unique server encryption key instead of using the default key. (ID-11719)

This will ensure that all new installs won't have the same key encryption key or server encryption key. Pre-existing installs will continue to work based on how they were configured regarding key encryption keys and server encryption keys.

Server

The performance of the Deferred Task Scanner now completes more quickly and consumes fewer resources. (ID 7763)

Identity Manager now requires access to the tmp directory. (ID-7804) In order to accommodate this, if your application server uses a security policy, you need to add the following permission:

permission java.io.FilePermission "${java.io.tmpdir}"${/}*" "read,write"

There is now a new way to select which objects to include or exclude in an AdminRole. The create/edit AdminRole user interface has changed with respect to how you select the list of objects to include or exclude once one or more controlled Organizations have been selected. (ID-9002)

The Include Related Items feature has been added to WorkItem view. This allows information about other active work items in the process to be displayed on the approval form.(ID-9157)

The directory savedObjects now resides under the /WEB-INF directory for security reasons. (ID-10506)

The Deferred Task Scanner no longer crashes with a NullPointerException after catching a fatal exception. (ID-11155)

Performance issues relating to the ForwardTo drop box for approvals have been addressed. This issue typically occurred when there are many administrators (+1000) with capabilities assigned via Admin Roles. (ID-11507)

WorkItem processing has been enhanced to avoid unnecessary fetching of the associated TaskInstance. (ID-11668)

The console delete command now automatically deletes an object that has become corrupted (for example, any object that contains invalid XML). Previously, under some circumstances the delete command would appear to succeed but would not actually delete the corrupted object. (ID-11861)

Trace

For deployments with custom Java code installed: Be aware that the tracing facility implemented by com.waveset.util.Trace and com.waveset.adapter.Trace has been replaced with a new facility in com.sun.idm.logging.Trace.

While Identity Manager will continue to support the old facility, it is now marked deprecated and customers are advised to begin migrating to the new facility. (ID-10494)

Workflows

In auditing workflows you no longer need to insert sets of WorkflowServices calls. Instead set the audit=true attribute at either the <WFProcess> or <Activity> element. (ID-10178)

If a TaskDefinition is in use by one or more active tasks (TaskInstance objects), then the workflow steps (embedded WFProcess object) in the TaskDefinition cannot be changed. (ID-10460, 10462)

The bulkReProvision workflow service now correctly re-provisions multiple users. Role attributes are now correctly applied to users during a reProvision operation. (ID-10541)

Additional Defects Fixed

A Continue on error feature is now supported for mainframe, scripted (such as. UNIX), and LDAP resources. This feature affects reconciliation and Active Sync - if supported on the resource. If the feature is enabled, errors processing individual users are logged, but processing continues. (ID-9602)

Active Sync for a resource can now be stopped and started from any server in an Identity Manager cluster. (ID-10821)

There is now the ability to lock Identity Manager users. (ID-10851)

A cross-site scripting exposure related to the actionControl HTTP parameter has been fixed. (ID-11417)

Documentation

The Identity Manager Administration Data Synchronization and Loading chapters now describes the Assign Active Sync resource on create events in the General Settings panel of the Active Sync Wizard. (ID-11217)

The Identity Manager Tuning, Troubleshooting, and Error Messages Troubleshooting and Tracing chapter was updated to change the instructions for modifying the workflow.trace parameter.

This parameter is no longer located in Waveset.properties. You are now directed to edit the workflow.trace parameter in the SystemConfiguration object. (ID-11910)

Chapter nine of the Install Pack Installation now includes correct Sun Java System Application Server users server.policy file information. If you are upgrading to the current release add this information to the server.policy file. (ID-11983):

Previous Contents Next

Previous Contents Next
Sun Java System Identity Installation Pack 2005Q4M3 Release Notes