Identity Installation Pack 2005Q4M3 SP2 Features

Before installing or upgrading the Sun Java™ System Identity Installation Pack software, review the Notes on Installation and Update section of these release notes and any documentation provided with the most recent Identity Manager 2005Q4M3 service pack.

New Features and Defects Fixed in This Release

This section contains a summary and details new features for Identity Installation Pack 2005Q4M3 SP2. See the individual sections in this chapter for details.

Installation and Update

The waveset.serverId system attribute has been added. Use this attribute to set unique server names when your deployment includes multiple Identity Manager instances that point to one repository on a single physical server.. (ID-11578)

The installer now supports upgrading installations that have renamed, deleted, or disabled the default Configurator account. The installer now prompts for the proper user name and password that can import the update.xml during the upgrade post process. If the incorrect user or password is entered, the user is prompted up to three times to enter the correct password. The error should be displayed in the text box behind it. (ID-13006)

For manual installation you must provide the -U <username> -P <password> flags to pass the credentials to UpgradePostProcess procedure.

Identity Manager installs correctly on machines without a graphics card. (ID-14258)

Administrator Interface

When you click on Reset Query in the Find Users screen, the name drop down and the results limit are now reset to their initial state.(ID-8961)

MultiSelect objects now sort the available values when the noApplet=true and sorted=true properties are set. (ID-12823)

Changes to a configuration object containing a static list did not get detected by the accounts Treetable. For example, an administrator's controlled organizations were determined by a rule which fetched a static list from a configuration object. Before, the server would have to be rebooted to detect changes to the configuration object. Now the treetable changes to configuration objects after users log out of their current session and log in again. (ID-14442)

The DatePicker can now have a date range set to allow for only certain dates to be picked from the calendar.(ID-10100)

The Server Configuration and Modify Email Templates have been modified to allow the administrator to determine if SSL or authentication should be done on the SMTP server. (ID-12465)

The continueLogin.jsp page now displays message correctly. (ID-13193)

Fixed an issue where an organization object would not be unlocked when a user with insufficient rights tried to delete it. (ID-14942)

Forms

In a form, using <set> within <Expansion> now works correctly. (ID-9617)

Verification rule messages now appear in the locale of the client, not the server. (ID-12780)

Identity Auditor

An Audit Policy can now be configured to scan only a restricted set of resources. (ID-9127)

Database Table and Microsoft Identity Information Server now uses the custom forms specified for these two resources.(ID-10302)

The title of the User Access Report displays correctly. (ID-11538)

The Access Scan task now works on dynamic organizations. (ID-12437)

The user view option CallViewValidators (UserViewConstants.OP_CALL_VIEW_VALIDATORS) can be set to the string "true "or "false" to enable or disable (respectively) audit policy checking during provisioning. (ID-12757)

The upgrade process no longer overwrites the Access Review Notice email template (ID-13216)

Identity Manager SPE

Identity Manager SPE now resumes processing transactions when the service is shutdown ungracefully (for example, the application server exits with an out-of-memory error). (ID-14579)

Identity Manager SPE transactions can now support configurable user update consistency levels. Existing transaction store databases will need to be modified to add an additional column, userId VARCHAR(N) where N is large enough to contain the maximum length expected for a Identity Manager SPE user DN, plus an additional 8 characters. This database change does not occur automatically when running the upgrade scripts. (ID-13830)

Localization

Message keys used as authentication questions now display correctly in the results page. (ID-13076)

Logging

Active Sync events are now recorded in the system log. (ID-12446)

Changing the user's authentication questions are now logged in the audit logs. (ID-13082)

Direct and indirect method subcalls can now be traced. (ID-13436) This can be useful in debugging problems known to happen at some level below a specific entry method. To enable this feature, set the trace level for a scope with the subcalls modifier, as in the following example:

trace 4,subcalls=2
com.waveset.recon.ReconTask$WorkerThread#reconcileAccount

This will trace the reconcileAccount() method at level 4 and all subcalls at level 2.

Errors that occur in Scheduler are now written to the system log, rather than preserved in the TaskSchedule object. (ID-14261)

Reconciliation

The Notify Reconcile Finish task definition completes successfully when it is specified as the Post-Reconciliation Workflow (ID-9259)

When a large number of Account objects exist (these are created as a result of reconciliations and provisions), reconciliation and provisioning performance can decrease drastically.

To address this, an index should be created on the "name" column of the "account" table in the repository. Some scripts to aid in this have been provided under the sample directory. account_index.sqlserver is for Microsoft SQL Server; account_index.sql is for all other databases. (ID-14478)

Reports

The Resource User Report now generates CSV and PDF files correctly. (ID12509, 13701)

User Reports now show the resource accountId for all the accounts on the resource in a semicolon separated list.(ID-12820) Accounts and resources indirectly assigned, via a role or resource group, are also listed. If there is only one resource account, the accountId will be displayed only if it is not equal to the Identity Manager accountId.

Resources

New Resources

Siebel 7.8

OS/400 v4r5, v5r2, v5r3, and v5r4 (5.2, 5.3, and 5.4).

General

The RACF adapter now includes search filter support for listAllObjects. (ID-10895)

The LDAP adapter no longer creates an illegal distinguished name (DN) for a new account. (ID-10951)

The escape method in com.sun.idm.util.ldap.DnUtil can now be used in forms to escape values to be inserted into identity templates of resource adapters with the LDAP DN format. Alternatively, an accountId policy with the “Required LDAP DN format” option checked can be used to validate LDAP distinguished names entering Identity Manager via input such as user input, ActiveSync, and reconciliation.

The isPickListAttribute method within the Siebel adapter is no longer misidentified as isMVGAttribute in the tracing system. (ID-11471)

For SecurId resources, the clients attribute is now treated as an optional attribute. (ID-11509)

The default for the Objectclasses to synchronize Active Sync attribute on LDAP resources now defaults to inetorgperson. (ID-11644)

Added multiple attributes to the Oracle ERP adapter to support auditing features. (ID-11725) Oracle ERP Adapter for more details.

The maximum number of Active Sync logs configured on an Active Sync resource are now honored correctly. (ID-11848)

Solaris and Linux adapters now return a year on the last login information. (ID-12182)

The Oracle ERP adapter no longer fails to close Oracle data base cursors. Previously, the failure caused the following error: (ID-12222)

ORA-01000: maximum open cursors exceeded

For the Domino adapter, concurrent updates of HTTPPassword with several users with the NSFNoteComputeWithForm() API call no longer result in a “-551” gateway error. (ID-12466)

The Flat File Active Sync adapter now provides a warning message in the Active Sync log (if enabled) whenever an error occurs preventing a diff action for synchronization. (ID-12484)

Modifications to AttrParse objects can now take effect without restarting Identity Manager. (ID-12516)

The SAP and SAP HR adapters now provide three new resource attributes that provide the parameters for a retry of an SAP operation when a network failure occurs.(ID-12579) These attributes are:

SAP BAPI Retry Count - The number of times to retry the operation

SAP Connection Retry Count - The number of times to attempt to re-connect to the SAP server

SAP Connection Retry Wait Time - The number of milliseconds to wait before attempting to re-connect to the SAP server.

The Database Table wizard no longer permits you to configure tables you cannot access. (ID-12643)

When viewing account information from a Solaris resource configured with NIS, group membership information is displayed with the group name, instead of the numeric group ID. (ID-12667)

The Siteminder LDAP Adapter now performs the following operations correctly, even when the Siteminder user is locked due to failed login attempts:
(ID-12824)

enable

disable

expire password (with enable/disable)

unexpire password (with enable/disable)

The RACF adapter no longer searches a large string once for every user retrieved in listAllObjects, which usually results in better performance in this function for a large number of users. (ID-12829)

Changing LDAP group membership now uses single adds and removes instead of rewriting the entire group (that is, replacing the entire uniqueMember attribute). (ID-13035)

Identity Manager now clears Admin privileges, if any, before attempting to delete a Secure ID user. (ID-13053)

A VLV Sort is now configurable. The VLV sort attribute (vlvSortAttribute) has been added the to the LDAP resource. If the attribute is set, that value is used for the sort, but if it is not set, the “uid” value is used. (ID-13321)

Passwords can now be set as not expired when using CUA mode on an SAP resource. (ID-13355)

Performance improvements have been made to AttrParse. Normal parsing no longer throws and catches an exception for every character in a parsed buffer. (ID-13384)

Corrected a problem encountered when performing a reconciliation on VMS. (ID-13425)

The SecurID for UNIX adapter now performs UTF-8 character encoding and decoding when interoperating with RSA. (ID-13451)

The Shell Script adapter can now detect errors generated from a ResourceAction during user create and update functions.(ID-13465)

When creating account on a Windows NT resource through the Windows NT resource adapter, the following error message is no longer displayed in the Create user result page: “Error requiring password: put_PasswordRequired(): 0X80004005:E_FAIL”. (ID-13618)

The Active Directory PasswordNeverExpires attribute can now be set during an update. (ID-13710)

A new resource configuration parameter, enableEmptyString, has been added to the Database Table adapter to allow writing an empty string, instead of a NULL value, in character-based columns defined as not-null in the table schema. This option does not influence the way strings are written for Oracle-based tables. (ID-13737)

Updating an Oracle ERP account's responsibility using the Oracle ERP adapter no longer causes other responsibilities associated with the account to be updated. (ID-13889) As a result, only the Oracle ERP audit timestamp for the responsibility modified is updated. The Oracle ERP audit timestamps for the other account responsibilities remain unchanged.

The NDS Active Sync adapter no longer polls for changes based on the User object's lastModifiedTimeStamp. This attribute was getting updated when ever a user logged in/out. To remedy this issue, the last modified value is now calculated based on the lastModifiedTimestamp of a user's attributes defined in the schema map. If an attribute's lastModifiedTimestamp is greater than the highwater mark presented by the adapter, the gateway will send this user back to the server as modified.(ID-13896)

Corrected a problem that caused newly-created NDS users to be unable to access their home directories. (ID-14208)

The Shell Script adapter now supports the rename, disable and enable functions. (ID-14472)

Active Directory data retrieval timeouts will no longer cause a premature end to reconcilations.(ID-14564)

Corrected a problem that caused Active Directory Active Sync adapter to hang due to connections to the gateway not getting closed. (ID-14597)

The Scripted JDBC adapter now correctly updates an attribute in which the original value was null but is being set to a non-null value. (ID-14655)

The SAP adapter will no longer throw a JCO_ERROR_FUNCTION_NOT_FOUND exception when the SAP system does not contain the PASSWORD_FORMAL_CHECK function module. (ID-14663)

Added the person_fullname account attribute to the schema map for the Oracle ERP adapter. In the Oracle ERP user form, this attribute is used to display the Person Name field. This field is read-only and will show the user’s fullname if an Oracle ERP account is linked to the Oracle HR system using the employee number. (ID-14675)

The SAP adapter now properly reports the status of Disabled accounts. (ID-14834)

The LDAP adapter permits the nsaccountlock activation short cut to use logic based on value presence/absence when determining if an LDAP user is disabled. (ID-14925) See Disabling and Enabling Accounts for more information

The Oracle ERP adapter now prevents the unlinking of resource accounts if the Oracle ERP Resource is inaccessible during full reconciliation. (ID-14960) (The resource could be inaccessible for many reasons including incorrect resource connection configuration.)

Reports

The generation of TaskTemplate names that were too long (greater than MAX_NAME_LENGTH) has been corrected. (ID-13790)

Column names are now displayed correctly in PDF reports. (ID-12794)

Repository

IDM Repository now initializes more quickly. (ID-14937)

Security

End user password changes initiated by administrators, via SPML or otherwise, will not get added to password history. This fix introduces both a System Configuration option and a View (form) option that will allow an administrator to toggle the desired behavior. The View option will always override any system configuration setting. In the System Configuration, an administrator may toggle based on login application. This will provide a greater amount of flexibility since admins may not desire a behavior that affects all applications. (ID-13029)

Server

TaskInstance subobjects, like approvals, are now deleted properly when terminating the task. (ID-3258)

Identity Manager now requires access to the tmp directory. (ID-7804) In order to accommodate this, if your application server uses a security policy, you need to add the following permission:

permission java.io.FilePermission "$(java.io.tmpdir)$(/)*", "read,write,delete";

In a clustered environment, a failed login on the end-user pages no longer generates a serialization-related exception. (ID-10556)

A server no longer triggers failover mechanism on itself and terminates its own tasks if the server takes too long to process task information. (ID-10920)

User Extended Attributes are now deleted from user objects correctly. (ID-11721)

Corrected the condition that caused a "no cache error" on the All Tasks page for users in sub-organizations that do not have admin access to parent organizations. (ID-12288)

Delimiter processing is now suppressed between brackets. Consequently, all characters found within bracket sets will now be treated as either an index or as a filter. Note: there currently isn't a mechanism to escape the closing bracket "]". (ID-12384)

Task instance terminate actions are now audited as Terminate actions instead of Modify. (ID-12791)

User actions can be performed on users after deleting a resource directly assigned to them. (ID-14806)

SOAP

The SPML server now returns errors for requests containing filters that use operators that are not yet implemented. (ID-11343)

Workflow

Invalid checkReference warning are no longer returned when running workflows. (ID-10802)

If notification.redirect is used to redirect messages to a file, that file is now written using the emailNotifier.contentCharset, just as the message would, if it were emailed. This allows the file to contain non ISO-8859-1 characters. (ID-10331, 14984)

More information is added to a workflow message when an approver is attempting to approve or reject a workitem that has already been approved or rejected. (ID-11045)

Assigned the RoleAdminTask authType to the Manage Role TaskDefinition and assigned the ResourceAdminTask authType to the Manage Resource TaskDefinition. (ID-12768)

Additional Defects Fixed

10235, 10475, 13434, 14044, 14178, 14792, 14874

Known Issues

By default, when a user types an answer to an authentication question, the characters are masked with asterisks (*). However, this practice disables the ability of some input method editors (IMEs) to create complex characters, such as those used in Japanese kanji.

To allow users to use an IME to answer authentication questions, use the Debug page to change the secret Property value to false in the Question Login Form UserForm.

Note: Setting this value to false is a security risk because answers to authentication questions are now human-readable on the screen. The answers are still stored encrypted. (ID-7424)

Some configuration options that appear in the Identity Manager Administrator interface are not used with Identity Manager SPE. (ID-10843). Among these are:

Resource wizard configuration options: exclude accounts rule, approvers, and organizations

Role attributes

FireFox 1.5 does not display some Identity Manager forms correctly. For example, on the Tabbed User form, the browser does not wrap labels, which pushes everything to the right. (ID-13109)

The "Report only users whose user name" checkbox is listed twice in the User and User Question Reports. One checkbox has i-help, but the other checkbox does not. Either checkbox, used individually, will return the correct data. (ID-13155)

If logging into the SPE end user pages produces an HTTP Status 500 error, this could indicate that there are multiple EncryptionKeys in the SPE configuration. This could be caused by a new one being generated in Identity Manager during the upgrade process.

The workaround is to delete the EncryptionKeys from the SPE config directory and re-export from Identity Manager. (ID-13162)

Once a value has been set for a user’s email attribute, it cannot be removed. The value can be changed, but cannot be set back to null. (ID-13164)

If you edited the Access Review Notice email template in Identity Manager version 6.0, you must either save the template before upgrading Identity Manager or edit the template after you upgrade. (The upgrade process overwrites the template with the default values.) (ID-13216)

The help page for the Email Template tab of the Edit Server Settings page is incomplete. Refer to the Guidance help details about new fields added this release. (ID-14899)

An approver who does not control the Top organization cannot view previously approved/rejected approvals.(ID-15271)

Previous Contents Next

Previous Contents Next
Sun Java System Identity Installation Pack 2005Q4M3 SP2 Release Notes