Sun Java System Identity Installation Pack 2005Q4M3 Release Notes |
Known Issues
The following sections list known issues and workarounds for:
Identity Manager SPE
- Identity Manager SPE and Sun Java System Portal Server may not be compatible; there is a problem related to the encrypted libraries. (ID-10744)
This problem may be corrected by setting the following values in Portal Server’s /etc/opt/SUNWam/config/AMConfig.properties file, and then restarting the web container:
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.JSSESocketFactory
com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
- When working with SPE dashboards: if graphs take several minutes to load the first time, verify that your browser is not configured to use the Microsoft Java Virtual Machine (MSJVM). Identity Manager SPE does not support using MSJVM to run browser applets. (ID-10837)
- Some configuration options that appear in the Identity Manager Administrator interface are not used with Identity Manager SPE (ID-10843). Among these are:
- By default, auditing is not performed when using the checkinObject and deleteObject IDMXContext API calls. Auditing has to be explicitly requested by setting the IDMXContext.OP_AUDIT key to true in the option map passed to these methods. The createAndLinkUser() method in the ApiUsage class shows how to request auditing. (ID-11261)
- When configuring the LDAP Resource Adapter for Active Sync, you must copy the value of the User DN field (Resource Parameters page) into the Filter Changes By field (General Active Sync Settings page). Otherwise the Active Sync process never completes, because it continually processes its own changes. (ID-11323)
- When Active Sync is processing account events for existing SPE Directory user accounts, the correlation rule must correlate accounts with the user, and the resource account must have an attribute named “accountId” that matches the SPE Directory user. To match, the “accountId” must be the fully qualified DN of the SPE Directory user, or the result of resolving the Identity Template using the “accountId” must match the fully qualified DN of the SPE Directory user. (ID-11324)
This requirement prevents Active Sync from processing deleted-account events for resources that cannot return the accountId attribute because it was deleted along with the account. For example, the LDAP resource cannot process deleted-account events, but the Database Table resource can (since deleted accounts still exist and are only marked as deleted).
Identity Manager
General
- A login prompt is displayed when attempting to visit specific pages if cookies are disabled (ID-158).
- Systems that are running the Sun Identity Manager Gateway should be configured so that Dr. Watson does not produce visual notifications. If visual notifications are enabled and the gateway encounters an error, the process hangs until the pop-up window is closed.
- The display.session and display.subject variables are not available to Disable form elements. Creating potentially long-running activities in Disable elements is not recommended, because these expressions run each time the form is recalculated. Instead, perform the calculation in another form element that does not run as frequently.
- For best performance when working with the Identity Manager Web Interface, use the OpenSPML toolkit that is bundled with Identity Manager. Using the openspml.jar file from the openspml.org website may cause memory leaks. (ID-11889)
- If you have a space in the path to the Identity Manager installation directory, specify the WSHOME environment variable without double quotes ("), as shown below. Either of the following works:
set WSHOME=c:\Program Files\Apache Group\Tomcat 4.1\lighthouse
or
set WSHOME=c:\Progra~1\Apache~1\Tomcat~1\lighthouse
The following will not work:
set WSHOME="c:\Program Files\Apache Group\Tomcat 4.1\lighthouse"
Note Trailing backslashes ( \ ) should not be used when specifying the path, even if the path contains no spaces.
- Required fields set on the resource schema map are only checked when a user account is created (ID-220). If a field is to be required on user updates, then the user form should be configured to ensure that the field is required.
- No checking is done on organization name, administrator name, account name, user attribute name (left hand side of schema map), or task names for invalid characters (ID-1145, 1206, 1679, 1734, 1767, 2413, 3331). You cannot use a dollar ($), a comma (,), a period (.), an apostrophe ('), an ampersand (&), a left bracket ( [ ), a right bracket ( ] ), or a colon (:) in the name for these types of objects.
- A misleading error message is given on the account page if you try to perform an action after your session has timed out (ID-1223).
- The calendar object is not fully viewable if the browser is using large fonts (ID-2120).
- The Select All checkbox on the Find Results page and the List Task page does not become unselected if one of the items in the list is unselected (ID-5090). The Select All checkbox is ignored during the resulting action if not all of the members in the list have their checkbox selected.
- If you make a change to a custom message catalog, it is necessary to restart the server in order to see your changes. (ID-6792)
- The sidebar tabs (such as Account List, Find User) do not appear on the confirmation page when enabling or disabling multiple users (ID-6866). Once the page is confirmed and the results are displayed, the tabs re-appear.
- The current mechanism for detecting a failed server assumes that all the systems in an Identity Manager cluster are synchronized with respect to time (ID-7064). With the default failure interval of five minutes, if one server is five minutes out of sync with another, the server that is ahead will declare the server that is behind to be dead, causing unpredictable results. The workaround is to maintain better time synchronization, or to increase the failure interval.
- On Windows, if you are logging in as a user whose name contains double-byte characters and the default encoding for the machine only supports single-byte characters, you must set the USER_JPI_PROFILE environment variable to an existing directory whose name contains only single byte characters. (ID-8540)
- If the account applet fails to load in the browser, ensure that all users have read and execute permissions for the applet JAR file, IDM_install_dir/applet/tt22.jar, as well as the directory containing the applet JAR file. (ID-8541)
- Resource objects now expose a queryable attribute typeString (Attribute.TYPE_STRING). This attribute contains the resource type value that was previously exposed as type.
Convert as soon as possible any custom code that queries Resources based on type (Attribute.TYPE) to query on typeString (Attribute.TYPE_STRING) instead. Attribute.TYPE_STRING is inlined for Resource objects, so converting to it also improves performance.
The next full release of Identity Installation Pack will no longer expose the resource type value as Attribute.TYPE. (ID-11124, 11125)
Error Messages
- Access Manager and Identity Manager 5.5 should not be deployed together on Application Server. Access Manager changes the default security provider and therefore Identity Manager fails to validate the signature of the license.
The initial page of the browser displays an error message if the license signature cannot be verified. In most cases, this error appears because of a compatibility issue with the security provider. (ID-10518, 10750, 11011)
The error appears as:
Failed to verify signature: Exception Error
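A quick way to confirm that a provider change is the cause on a given application server is to list the JCA provider order of the JVM that runs Identity Manager and see which provider would be asked for signature verification. The following Java diagnostic is an added example; it is not part of the release notes or of Identity Manager, and the algorithm names it probes are an assumption, since the notes do not say which algorithm signs the license.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

// Added diagnostic, not from the release notes or from Identity Manager.
// Prints the JCA provider order of the JVM it runs in and reports which
// provider would serve Signature.getInstance() for a few signature
// algorithms. The algorithm list is an assumption; the notes do not say
// which algorithm signs the Identity Manager license.
public class ProviderOrderCheck {

    /** Algorithms to probe (assumed, not taken from the release notes). */
    static final String[] ALGORITHMS = { "SHA1withDSA", "SHA1withRSA", "MD5withRSA" };

    /** Provider names in the order the JCA consults them, position 1 first. */
    static String[] providerOrder() {
        Provider[] providers = Security.getProviders();
        String[] names = new String[providers.length];
        for (int i = 0; i < providers.length; i++) {
            names[i] = providers[i].getName();
        }
        return names;
    }

    /** Name of the provider that serves the algorithm, or null if none does. */
    static String providerFor(String algorithm) {
        try {
            return Signature.getInstance(algorithm).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    /**
     * True when the JDK's own "SUN" provider is no longer first, i.e. some
     * other product (Access Manager, in the case the notes describe) has
     * inserted its provider ahead of it. The first provider that supports an
     * algorithm wins, so this changes who verifies the license signature.
     */
    static boolean foreignProviderFirst() {
        String[] order = providerOrder();
        return order.length > 0 && !"SUN".equals(order[0]);
    }

    public static void main(String[] args) {
        String[] order = providerOrder();
        for (int i = 0; i < order.length; i++) {
            System.out.println((i + 1) + ": " + order[i]);
        }
        for (int i = 0; i < ALGORITHMS.length; i++) {
            System.out.println(ALGORITHMS[i] + " -> " + providerFor(ALGORITHMS[i]));
        }
        if (foreignProviderFirst()) {
            System.out.println("WARNING: provider " + order[0] + " is ahead of SUN;"
                    + " license signature verification may fail (ID-10518).");
        }
    }
}
```

Run it with the same JVM and the same -D options as the application server, or from a small JSP dropped into the deployed web application, so that providers registered programmatically by Access Manager are visible. A provider other than SUN at position 1 is the one the JDK will consult first for every algorithm it supports.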
Install and Update
- When installing Identity Manager from the idm.war file, the execute bits are not set on the UNIX shell scripts (ID-2371). Workaround is to set the execute bit with chmod on the scripts in the idm/bin directory.
- If the update encounters an error during the Preserving Customizations phase, the Install button is still active, but has no effect if it is pressed (ID-3797).
- The Install button remains active during the Preserving Customizations phase; pressing the button before a message appears in the panel will generate an error, and the update process will need to be restarted (ID-3865).
- Identity Manager cannot connect to an LDAP repository if there are spaces in the DN (ID-6066).
- When Identity Manager is installed in a Tomcat 5.x environment, running reports results in a Java error (ID-6652). Workaround is to perform the following:
cd $WSHOME\WEB-INF\classes
jar xvf ..\lib\j2ee.jar javax/activation/DataSource.class
- Command line installation on AIX fails with Java 1.3 and no DISPLAY set. When installing on systems with JDK versions earlier than 1.4, ensure that the DISPLAY environment variable is set to a valid X server or the installation may fail. (ID-9949)
- The AD Active Sync resource has been deprecated and replaced by the AD resource. Perform the following steps to migrate an existing AD Active Sync resource to the AD resource (ID-11363):
1. Export the existing AD Active Sync resource object to an XML file (either from the command line or from the debug pages).
2. Delete the existing resource (this does not affect Identity Manager users or resource account users).
3. Create a new AD resource that is Active Sync.
4. Export this new resource object to an XML file.
5. Edit this file and change the value of the id attribute and the value of the name attribute to match the values from the OLD resource object saved in step 1. These attributes are in the <Resource id='#ID#01F9CB4BA7E603C0:16EE3EC:106B737B093:-7F63' name='AD' ...> tag.
6. Save the changes to the file.
7. Import the modified object back into Identity Manager using either the Configure->Import Exchange File page or the command line.
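The edit of the id and name attributes can be done by a small program instead of by hand, which avoids accidentally touching anything else in the new export. The following Java program is an added example, not part of the release notes or of Identity Manager: the file names on its command line are placeholders, and it assumes each export contains exactly one <Resource> element (the debug-page export has it as the document root; it searches by tag name so a wrapped export also works). It deliberately refuses to fetch waveset.dtd or any other external entity while parsing.

```java
import java.io.File;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.DocumentType;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

// Added example, not from the release notes or from Identity Manager.
// Copies the id and name attributes of the OLD AD Active Sync resource
// export onto the NEW AD resource export, leaving the new adapter's
// configuration untouched. File names are placeholders:
//   java ResourceIdCopier old-ad-activesync.xml new-ad.xml merged.xml
public class ResourceIdCopier {

    /** Parser that never fetches waveset.dtd or any other external entity. */
    static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setValidating(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId) {
                return new InputSource(new StringReader(""));   // empty DTD, no network or disk access
            }
        });
        return b;
    }

    /** The single <Resource> element of an export, wherever it sits in the tree. */
    static Element resourceOf(Document doc) {
        NodeList list = doc.getElementsByTagName("Resource");
        if (list.getLength() != 1) {
            throw new IllegalStateException("expected exactly one <Resource>, found " + list.getLength());
        }
        return (Element) list.item(0);
    }

    /**
     * Copies id and name from oldRes onto newRes and returns the id so the
     * caller can confirm it. Nothing else in the new resource is modified.
     */
    static String copyIdentity(Element oldRes, Element newRes) {
        String id = oldRes.getAttribute("id");
        String name = oldRes.getAttribute("name");
        if (id.length() == 0 || name.length() == 0) {
            throw new IllegalStateException("old resource is missing id or name");
        }
        newRes.setAttribute("id", id);
        newRes.setAttribute("name", name);
        return id;
    }

    /** Serialize, keeping the original DOCTYPE declaration so the import sees it. */
    static void write(Document doc, File out) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        DocumentType dt = doc.getDoctype();
        if (dt != null) {
            if (dt.getPublicId() != null) t.setOutputProperty(OutputKeys.DOCTYPE_PUBLIC, dt.getPublicId());
            if (dt.getSystemId() != null) t.setOutputProperty(OutputKeys.DOCTYPE_SYSTEM, dt.getSystemId());
        }
        t.transform(new DOMSource(doc), new StreamResult(out));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ResourceIdCopier <old-export.xml> <new-export.xml> <out.xml>");
            System.exit(2);
        }
        DocumentBuilder b = newBuilder();
        Document oldDoc = b.parse(new File(args[0]));
        Document newDoc = b.parse(new File(args[1]));
        String id = copyIdentity(resourceOf(oldDoc), resourceOf(newDoc));
        write(newDoc, new File(args[2]));
        System.out.println("wrote " + args[2] + " with id " + id);
    }
}
```

Import the written file as described above; the old id is printed so it can be compared against the value in the original export before importing.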
- When upgrading to Identity Manager 6.0 you may encounter problems with PBE server key generation. If you configured your pre-6.0 system to use pkcs5 for server key encryption, the license key will no longer function after upgrading. As a result, on the next server start you will not be able to login or start the console. (ID-12026, 12027)
You should generate a new PBE password by selecting Generate new secure random PBE password. This option is only displayed and selectable if PKCS#5 was selected prior to upgrading.
You may also edit and import the system configuration in the upgraded repository. Adding, removing, or changing the values of the pkcs5Encrypt and updatePkcs5Password attributes affects server key encryption as follows:
pkcs5Encrypt = 'false', updatePkcs5Password = 'true' or 'false'
Re-encrypts all server encryption keys using the default encryption key.
pkcs5Encrypt = 'true', updatePkcs5Password = 'false'
Re-encrypts all server encryption keys using a PKCS#5 encryption key generated from the PBE password in the repository.
pkcs5Encrypt = 'true', updatePkcs5Password = 'true'
Updates the repository’s unique secure random PBE password (for example, miscData) and re-encrypts all server encryption keys using a PKCS#5 encryption key generated from the updated PBE password.
Account Management
- It is possible to create NT accounts that have account names longer than 20 characters and that the NT native tools cannot manage (ID-710).
- An administrator cannot save resources or roles that contain organizations that he does not manage (ID-839).
- Identity Manager does not check for user account names with characters that are restricted on NT (ID-844). The NT restricted characters are:
" / \ [ ] : ; | = , + * ? < >
In addition, a user name cannot consist solely of periods (.) and spaces.
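Because neither of these checks is done by the product, a pre-check before bulk-loading users or creating organizations and tasks catches the problem early. The following Java class is an added example, not part of the release notes or of Identity Manager: it encodes the reserved-character list for organization, administrator, account, attribute and task names (ID-1145 and related), the NT restricted characters and the periods-and-spaces rule (ID-844), and the 20-character limit NT native tools can manage (ID-710). The sample names in main are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not from the release notes or from Identity Manager.
// Identity Manager does not validate these names itself, so this class
// checks them before they are submitted: the reserved-character list for
// organization, administrator, account, attribute and task names
// (ID-1145 and related), and the Windows NT rules (ID-710, ID-844).
public class NameChecks {

    /** Characters Identity Manager object names must not contain. */
    static final String IDM_RESERVED = "$,.'&[]:";

    /** Characters Windows NT does not allow in account names. */
    static final String NT_RESTRICTED = "\"/\\[]:;|=,+*?<>";

    /** NT native tools cannot manage account names longer than this (ID-710). */
    static final int NT_MAX_ACCOUNT_NAME = 20;

    /** Problems with an Identity Manager object name; an empty list means OK. */
    static List<String> checkIdmName(String name) {
        List<String> problems = new ArrayList<String>();
        if (name == null || name.length() == 0) {
            problems.add("name is empty");
            return problems;
        }
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (IDM_RESERVED.indexOf(c) >= 0) {
                problems.add("reserved character '" + c + "' at position " + i);
            }
        }
        return problems;
    }

    /** Problems with a name that will become a Windows NT account name. */
    static List<String> checkNtAccountName(String name) {
        List<String> problems = new ArrayList<String>();
        if (name == null || name.length() == 0) {
            problems.add("name is empty");
            return problems;
        }
        if (name.length() > NT_MAX_ACCOUNT_NAME) {
            problems.add("longer than " + NT_MAX_ACCOUNT_NAME + " characters");
        }
        boolean onlyDotsAndSpaces = true;
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (NT_RESTRICTED.indexOf(c) >= 0) {
                problems.add("NT-restricted character '" + c + "' at position " + i);
            }
            if (c != '.' && c != ' ') {
                onlyDotsAndSpaces = false;
            }
        }
        if (onlyDotsAndSpaces) {
            problems.add("consists only of periods and spaces");
        }
        return problems;
    }

    /** Both rule sets, for an Identity Manager account that is provisioned to NT. */
    static List<String> checkAccountNameForNt(String name) {
        List<String> problems = checkIdmName(name);
        if (name == null || name.length() == 0) {
            return problems;            // already reported as empty
        }
        problems.addAll(checkNtAccountName(name));
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from any real deployment.
        String[] samples = { "Engineering", "Sales & Marketing", "jdoe",
                "j.doe", "...", "anaccountnamethatistoolongfornt" };
        for (String s : samples) {
            System.out.println(s + " -> " + checkAccountNameForNt(s));
        }
    }
}
```

checkIdmName applies to every object type listed under ID-1145; checkNtAccountName is only for names that will be pushed to a Windows NT resource, and the combined check is what a user form assigned to an NT resource would want to run on the account name.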
- Sorting the columns on the Provisioning Results page adds additional empty rows to the results (ID-1105).
- Approvals of several hundred user accounts take a considerable amount of time (ID-1149). Workaround is to approve user account records in smaller groups.
- Approval records owned by an administrator who no longer has approval capability cannot be approved (ID-1150). Workaround is to approve any outstanding approval records before removing the administrator’s approval capability, or before removing the administrator from the resources, roles, and organizations in which he has approval rights.
- Updating a user without making any modifications does not show detailed results page (ID-2327).
- When creating a new user or adding a resource to an existing user, if the distinguished name for the user is incorrect, the incorrect value is cached until the administrator logs out (ID-2508). Attempts to re-create the user after fixing the distinguished name are not successful until after the administrator logs out.
- Account locked out message does not display on the Identity Manager User Interface login screen on Netscape 4.7 (ID-2680). The error message appears in the page URL.
- The name “name” is a view reserved word and should not be used as an Identity Manager User Attribute on resource schema maps (ID-2918).
- Windows Active Directory requires the gateway to run as an account that can create directories (ID-2919). Lighthouse 2.0 introduced the ability to create home directories on Windows 2000 systems. The home directory is created by the account the gateway process runs as, not by the administrator specified in the resource definition. Workaround is to change the account the gateway runs as from Local System to an account that has permission to create remote shares and set permissions on those shares. This account also needs the Bypass traverse checking and Act as part of the operating system privileges.
- The Windows NT resource incorrectly throws a warning message instead of an error message when errors occur when disabling a user account (ID-3222).
- A java.lang.NullPointerException may be seen when removing all the resources from a user via the edit user page (ID-4811). A workaround for this problem is to use the user delete page to either unlink or delete these resource accounts from the user.
- If an Identity Manager user is created and assigned to a Windows Active Directory resource where the user account already exists, the user will be created without a GUID attribute in the resource info (ID-5114). This GUID is used to detect changes to the user's organization or name in the Directory. Running reconcile from the resource will fix this problem.
- When creating a user, a warning is given if you add a Role to the user that contains a resource that is directly assigned (ID-5385).
- A “Forward To” administrator cannot be specified when a user is being created. This option can only be set when editing the user (ID-5695).
- The 'unassign' operation of Delete User does not handle multiple accounts per resource (ID-6305).
Approvals
- When updating a user and selecting to run the update in the background, an approval activity appears on the task results page (ID-3301). This approval can be ignored.
- Approval records for an administrator do not show up after the user is renamed (ID-3386). Workaround is to resolve all outstanding approvals before renaming the user.
- Previously approved or previously rejected approval records cannot be viewed by an administrator if the user being approved belongs to an organization that the approver does not control (ID-3494).
- Resource retry tasks appear in the pending approval list for Configurator (ID-3508).
Login Configuration
- Pass-through authentication module does not work for the Domino resource (ID-1646).
- Changes made to the Administrator Login Setup and User Login Setup pages are not visible to other administrators logged in (ID-3487). To see the changes, the other administrators will need to log out of the Administrator Interface and log back in.
- If an Administrator logs in and selects “Change My Password” and then selects another tab, their account is locked until the lock expires. (ID-3705)
If another Administrator attempts to edit that locked Administrator, the “com.waveset.util.WavesetException: Unable to access account #ID#Configurator at this time. Please try again later.” message is displayed. If they click on the "OK" button, the workflow process diagram from the last action is displayed.
Organizations
- When deleting multiple organizations, if the delete fails on one organization, all the remaining organizations are not deleted (ID-517).
- Renaming an organization when there are provisioning requests pending that involve users belonging to the organization will cause the provisioning request to fail (ID-564). Workaround is to ensure there are no outstanding requests before renaming an organization.
- When creating a new organization, if the User Member Rules option is selected before specifying an org name, when the page is refreshed, an organization ID will appear in the Organization name field (ID-6302). The name can still be set prior to saving the new organization.
( ) - Warning: Parenthesized values in field 'Approvers' do not match any of the allowed values.
- A user will appear twice in the List Accounts applet, if the user is assigned to an organization through a dynamic organization rule and also exists in that organization (ID-6413).
Policies and Capabilities
- The Identity Manager account policy attribute Reset Notification Option has a value option of “administrator” that has no effect (ID-944). The only viable options are “immediate” and “user”.
- When deleting multiple roles, if an error is encountered, the entire operation will stop instead of continuing to the other roles (ID-1168).
- The minimum number of questions a user must answer can be set to a value greater than the number of defined questions (ID-1834). If this situation occurs, the user will not be able to log in using the “Forgot My Password” option.
- The Default Lighthouse Account Policy cannot be cloned by editing the policy, changing the name, and selecting to create a new object (ID-5147). Workaround is to create a new account policy.
Reconcile and Import Users
- Importing users from a CSV file does not update resource attributes if the user already exists in Identity Manager (ID-2041).
- Single quotes (') in account IDs loaded from a comma-separated-value (CSV) file are translated to question marks (?) (ID-2100).
- Scheduled tasks will not show up in a search on the "Find Tasks" page when using the "Is Scheduled" option (ID-5001).
- Reconciliation fails when run against a Red Hat version 8 resource (ID-6087).
- Reconciliation of an Oracle ERP resource will complete with errors if connection pooling on the resource is enabled (ID-6386). Workaround is to turn off connection pooling during reconciliation.
Reports
- Security administrators cannot run or create reports (ID-1217). Workaround is to give administrators Report Administrator capability.
- Risk analysis reports can be viewed by administrators other than report administrators (ID-1224).
- Report results that are emailed with the plain text option are not formatted (ID-2191). Workaround is to use HTML option for the email.
- Audit Log entries may not be recorded for large results (ID-5050).
- The ticker will not display when selected if there are organizations with apostrophes (') in their name (ID-5653).
- If you attempt to run an Administrator Report and select to Report only Administrators which belong to a specific organization which has no administrators, a java.lang.NullPointerException error is returned (ID-5722).
- Any audit/usage reports created or modified in Identity Manager 5.0 SP4 that referenced the "User" object type will reference "Directory User" when edited. Although these reports would not have been functional, if they exist you must manually edit them and select "User" instead of "Directory User" if it is selected. (ID-9737)
Resources
- Resource test button does not test all fields (ID-51).
- Resource port assignments can be set to values greater than 65535 (ID-59).
- Bad error message displayed when setting incorrect Active Directory group name (ID-393). If you attempt to set an Active Directory group name to “groupname” instead of “cn=groupname,cn=builtin,dc=waveset,dc=com” an error message stating “array index out of bounds” is displayed.
- Required account attributes are sometimes ignored if there is another resource with the same account attribute name that does not have the required flag set (ID-1161).
- If an administrator attempts to add an organization to a resource that he does not have rights over, an error will appear. The edit of the resource must then be canceled and the resource edited again to make any other changes to the resource (ID-1274).
- The error message when a resource account password or username is not correct on a PeopleSoft resource is not clear (ID-2235). The error message states:
bea.jolt.ApplicationException: TPESVCFAIL - application level service failure
- Windows Active Directory resource actions that use the exit status %DISPLAY_INFO_CODE% cause the action to fail with errors (ID-2827).
- Windows NT resource actions that return a non-zero exit code do not cause the action to fail (ID-2828).
- Setting a user's primary group ID on Active Directory cannot be done when creating the user (ID-3221). Workaround is to create the user without setting the primary group ID, then edit the user and set the value. The primary group ID is also set by number and not by the distinguished name (DN) of the group.
- Resource IP addresses are cached in the JVM after the hostname is resolved to an IP address. If a resource IP address is changed, the application server will need to be restarted for Identity Manager to detect the change (ID-3635). This is Sun JDK behavior (version 1.3 and higher). It is controlled by the sun.net.inetaddr.ttl system property, which JDK 1.4 and later supersede with the networkaddress.cache.ttl property set in jre/lib/security/java.security (the older system property is still honored when the security property is not set).
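To find out which cache policy a particular JVM is actually running with before deciding whether a restart is needed, the following Java class is an added example, not part of the release notes or of Identity Manager. It applies the precedence documented for the Sun JDK: the networkaddress.cache.ttl security property wins, then the sun.net.inetaddr.ttl system property, and with neither set a JVM caches positive lookups for 30 seconds without a security manager and forever with one. The resolution logic is kept separate from the live property reads so it can be exercised with constructed values.

```java
import java.security.Security;

// Added example, not from the release notes or from Identity Manager.
// Works out the InetAddress positive-lookup cache policy of the running
// JVM so an operator can tell whether a resource host's IP change will be
// noticed without an application-server restart (ID-3635). Precedence and
// defaults are those documented for the Sun JDK's java.security file.
public class DnsCacheTtl {

    static final int FOREVER = -1;
    static final int DEFAULT_NO_SECURITY_MANAGER = 30;

    /** Parse a ttl value; null or unparsable means "not set". */
    static Integer parseTtl(String raw) {
        if (raw == null) return null;
        try {
            return Integer.valueOf(raw.trim());
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /**
     * Effective ttl in seconds (-1 = cache forever) given the two property
     * values and whether a security manager is installed. Separated from the
     * live lookup so the precedence can be checked with constructed inputs.
     */
    static int effectiveTtl(String securityProp, String systemProp, boolean securityManagerInstalled) {
        Integer ttl = parseTtl(securityProp);            // networkaddress.cache.ttl wins
        if (ttl == null) ttl = parseTtl(systemProp);     // then sun.net.inetaddr.ttl
        if (ttl == null) ttl = securityManagerInstalled ? FOREVER : DEFAULT_NO_SECURITY_MANAGER;
        return ttl.intValue();
    }

    /** Same, read from the running JVM. */
    static int effectiveTtl() {
        return effectiveTtl(Security.getProperty("networkaddress.cache.ttl"),
                            System.getProperty("sun.net.inetaddr.ttl"),
                            System.getSecurityManager() != null);
    }

    /** True when a changed resource IP will only be seen after a JVM restart. */
    static boolean restartNeededOnIpChange(int ttl) {
        return ttl == FOREVER;
    }

    public static void main(String[] args) {
        int ttl = effectiveTtl();
        System.out.println("positive DNS cache ttl: " + (ttl == FOREVER ? "forever" : ttl + " s"));
        if (restartNeededOnIpChange(ttl)) {
            System.out.println("resource IP changes will not be picked up until the application server restarts;"
                    + " set networkaddress.cache.ttl in jre/lib/security/java.security to a finite value");
        }
    }
}
```

Application servers commonly run with a security manager, which is why the default there is to cache forever; a finite networkaddress.cache.ttl is the usual fix, at the cost of repeated lookups and a small exposure to DNS answers changing under a running connection.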
- You cannot create multiple accounts for a single user on Oracle resources (ID-3832).
- End-users cannot use the self-discovery feature for Domino resource accounts (ID-4775).
- If a user is moved from or to a sub-container within the Active Directory organization, the Active Sync adapter will detect the change, but when you view the user on the edit page, (or make a change and view the confirmation page) the user's accountId is still displayed as the original DN (distinguished name) (ID-4950). Because we use GUID to modify the user, this will not cause any operational problems. Running a reconcile against the resource will fix the problem.
- If a user is moved from an Organization (OU) to a sub-organization, the LDAP ChangeLog adapter does not recognize the change and assumes the user has been deleted. The user object is then locked in Identity Manager (Lighthouse), if that is the current setting, and a “new” account is not created for the moved account (ID-4953).
- The pooled connections used by the UNIX resource adapters can be left in an undetermined state if an error occurs while executing a command or script (ID-5406).
- NDS organizations can be created in the top level of the tree only by setting the Base Context for the resource to "[ROOT]" (ID-5509).
- On NDS, if you edit a field (such as Grace Login Limit) on the initial provision and do not provide values for the boolean fields, all the boolean fields are set to false (ID-6770). This prevents you from setting the other fields on the restriction tab which require certain check box values to be true. To avoid this, always ensure all your boolean fields are true when you expect them to be, so they are properly pushed when editing other fields.
- If you change the password for a UNIX machine using the Manage Connection --> Change Resource Password feature, the task name that appears is:
_FM_PASSWORD_CHANGING_TASK null:null
A user-friendly name should be displayed. (ID-6947)
- You cannot use the manage connection feature for UNIX resources that use NIS (ID-6948). An error is thrown because the password you are trying to change is for root, but NIS does not manage the root account.
- When updating users by selecting update from an Identity Manager organization, users with a Sun One ID Server account will get an error if those users were created natively and loaded into Identity Manager (ID-7094). The workaround is to update those users individually.
- Identity Installation Pack still contains the following deprecated classes:
- Do not set any account attributes in the DatabaseTableResourceAdapter schema to boolean. The adapter does not correctly return boolean attributes as boolean objects, causing the native change auditor to erroneously think changes have been made. (ID-8746, 9638)
- A java.security.NoSuchAlgorithmException error might be written to standard output the first time after making a connection to ActivCard following server startup. This is a benign error. (ID-8905)
- An error occurs when trying to delete a user who has an account on the PeopleSoft Component Interface resource. This resource currently does not support account deletions. (ID-9000)
Resource Object Management
- A Windows Active Directory object (Group, Organizational Unit, or Container) cannot be renamed on the List Resources page (ID-3329).
- The resource management applet can take several seconds to open if there are a large number of resources in the list (ID-3456).
- Cannot create new LDAP groups if there are users with multi-valued CNs (ID-3848). Workaround is to manage the members of the group by DN instead of CN which is configured in the LDAP Create Group Form.
- When searching for resource objects from the right mouse menu on the List Resources page, the 'is not' option does not return the correct list of objects (ID-6194).
Resource Groups
Security
- If you import an object containing any encrypted data and the data was encrypted with an encryption key that is not in the repository into which the data is being imported, the object will still be imported, but you will get a warning message stating that the data cannot be decrypted since the server encryption key is missing. (ID-12143, 12197)
Sun Identity Manager Gateway
- The Sun Identity Manager Gateway occasionally will not stop when the Stop button is pressed on the NT Services screen (ID-590). Workaround is to cancel the stop service request (if it is still hanging) and stop the service again, or exit the NT services dialog and re-enter and attempt the stop operation again.
- Users cannot be added to groups in an NT domain if the gateway is in a remote trusted domain (ID-711).
- The gateway occasionally will not stop when using 'net stop "Sun Identity Manager Gateway"' (ID-2337).
Tasks
- Administrators with Identity Manager Administrator privileges cannot view the manage tasks page if there is a Risk Analysis task in the list of tasks (ID-1225).
- Administrators who do not control Top cannot create Discovery or ResourceScanner scheduled tasks (ID-1414).
- The Find Task page does not display the number of tasks matching the search criteria (ID-5152).
- When editing a scheduled task, the start date must be re-entered using MM/DD/YYYY format (ID-5675).
- Delegated administrators who do not control Top can schedule tasks and view the task results, but cannot view the task after it has been created (ID-6659). The scheduled task was placed in Top and the delegated administrator does not have rights to view the object.
- A field named Deferred Tasks was added to the library. It provides the ability to list deferred tasks on a user. To implement this field, the following line must be added to the Tabbed User Form and Tabbed View User Form (ID-7660).
<FieldRef name='Deferred Tasks'/>
Workflow, Forms, Rules, and XPRESS
- The XPRESS <eq> function cannot be used to compare Boolean values to the strings TRUE or FALSE or the integers 1 or 0 (ID-3904). Workaround is to use:
<cond>
  <isTrue><ref>Boolean_variable</ref></isTrue>
  <s>True action</s>
  <s>False action</s>
</cond>
- Path expressions do not work when iterating a list of generic objects via a dolist (ID-4920). The following does not resolve genericObj.name:
<dolist name='genericObj'>
  <ref>listOfGenericObjects</ref>
  <ref>genericObj.name</ref>
</dolist>
The workaround is to use <get> / <set> as shown:
<dolist name='genericObj'>
  <ref>listOfGenericObjects</ref>
  <get><ref>genericObj</ref><s>name</s></get>
</dolist>
- If you use global.attrname variables for fields in your user form, and the attribute is shared among more than one resource, you should also define a Derivation rule (ID-5074). Otherwise, if the attribute has been changed natively on one of the resources, the attribute may or may not be picked up and propagated to the other resources.
- Special strings beginning with & cannot be used in HTML components of forms. For example, &nbsp; will no longer appear as a space. This issue was introduced by a change to support special characters (&\<>') in Select lists (ID-5548).
- Form, workflow, and rule comments contained in <Comment> tags contain character-reference strings representing the line feed character (ID-6243). These strings are only seen when viewing the XML for these objects; the Identity Manager server and Business Process Editor process them properly.
- If you use the Resource Table User Form for editing users, when editing a user's resource, the resource attributes are not fetched when the form first appears. The work around is to click the "Refresh" button, which will fetch the attribute data. (ID-10551)
Identity Auditor
Administrative Interface
- The Completed subtab of the Remediations tab does not change color when selected. (ID-9149)
- The application server’s locale setting might cause two languages to be displayed when localization is enabled on Identity Auditor and Identity Manager. (ID-9468)
Workaround: Setting the locale value to “C” might resolve this problem.
Approvals
Identity Manager approvals are not supported on the Identity Auditor Remediations page. To perform approvals, go to the Approvals page in Identity Manager. (ID-9479)
Audit Policies
- During a scan, there is no support for retrying user accounts that could not be fetched from resources, or where other failures occur. These failures are reported when the scan is complete, but there is no automated way to rescan the accounts. (ID-9112)
- To configure the number of threads a scan will launch, add a field named maxThreads to the form that is launching the task. The default value is 5. (ID-9127)
- Identity Auditor attempts to keep users in compliance between policy scans by enforcing policy whenever the user is edited. If editing a user that has assigned audit policies and also is in violation of a policy, you cannot save changes to the user, even if the change is as simple as moving a user to another organization. (ID-9504)
Workaround: Use the right-click move (or find then move) functionality on the user applet, or temporarily disable the audit policy checks.
To disable the auditor policy checks, edit the system configuration and remove the userViewValidators property. This property, whose value is a list of strings, is added during the import of init.xml or upgrade.xml.
Reports