Identity Installation Pack 2005Q4M3 SP3 Features

Before installing or upgrading the Sun Java™ System Identity Installation Pack software, review the Notes on Installation and Update section of these release notes and any documentation provided with the most recent Identity Manager 2005Q4M3 service pack.

New Features and Defects Fixed in This Release

This section contains a summary and details new features for Identity Installation Pack 2005Q4M3 SP3. See the individual sections in this chapter for details.

Installation and Update

The upgrade process no longer overwrites the Access Review email template. (ID-13216)

Administrator Interface

The following changes were made to the Identity Manager 7.1 Identity Manager Integrated Development Environment (IDE) to provide support for Identity Manager version 2005Q4M3 SP3: (ID-14089, 15211)

The Identity Manager debugger is now enabled by default.

If you are deploying to production, it is recommended that you set the system configuration property to serverSettings.default.debugger.enabled=false.

The Identity Manager debugger now supports setting breakpoints in rule libraries.

Direct-mode password synchronization requires SimpleRpcHandler to be configured in web.xml. The SimpleRpcHandler interferes with certain RemoteSession calls. If you are not using direct-mode password synchronization and are experiencing problems with RemoteSession calls, you can remove the SimpleRpcHandler configuration from the rpcrouter2 servlet to resolve the RemoteSession problems.

Change these entries In web.xml:

<init-param>

<param-name>handlers</param-name>

<param- value>com.waveset.rpc.SimpleRpcHandler,com.waveset.rpc.Passwor dSyncHandler</param-value>

</init-param>

to this:

<init-param>

<param-name>handlers</param-name>

<param-value>com.waveset.rpc.PasswordSyncHandler</param-value>

</init-param>

If you want to use RemoteSession and direct-mode password synchronization, configure a separate servlet for handling the RemoteSession calls.

Identity Manager now displays resource group lists that are accessed from the Resources tab in the order in which the list was saved. (Previously, resources were sorted.) (ID-14117)

You can now find Roles with lots of Organizations from the Find Roles page without an ObjectGroup error being displayed. (ID-15303)

When unassigning resource accounts from a user via the edit user functionality, the SITUATION of the accounts in the account index are now properly updated in all cases. (ID-15310)

The Roles tab > Find Roles > Approvers menu can now show users with the "Role Approver" capability. (ID-15373)

Corrected a problem where Internet Explorer fails when a URL has over 2000 characters in it. (ID-15801)

Internet Explorer 6 or 7 with security update 912812 users are no longer required to double click a multi-select box to highlight the box or double click an item to move it. (ID-15824)

When you specify true for IAPI.cancel (which cancels any pending updates detected for the user being processed) on the ActiveSync Input form, the user's view no longer remains locked after being processed. (ID-15912)

Performing a user search in which you select the "Users organization" option as well as other search options now returns valid results. (ID-16076)

On the Find Role page, the list of approvers is now sorted. (ID-16392)

The DatePicker component works correctly in all time zones. (ID-16618)

Forms

The listResourceObjects method of com.waveset.ui.FormUtil now properly executes defined filters. Please refer to the JavaDocs for additional information concerning this method. (ID-14422)

Identity Manager SPE

LDAP deleted attributes are now propagated after a downed resource is once again available. (ID-15471)

Password Synchronization

The password synchronization configuration application (Configure.exe) no longer truncates the JMS properties at an equal sign (=) when reading from the repository. (ID-12658)

The passwordsync.dll now returns the correct error messages for connection failures. This change will also fix possible handle leaks during connection failures. (ID-15451)

Passwords intercepted with characters outside of the 7-bit ASCII range are now correctly encoded as UTF-8 before encryption. (ID-15829)

Reconciliation

Reconciliations no longer stop when resources have duplicate users. (ID-14949)

Some ambiguous account matches during reconcile are now considered a preferred match to avoid unnecessary reconciliation errors. (ID-14965)

Reconciliations no longer stop when user normalizations remove all resource information from a user. (ID-15028)

Reports

When a resource name is selected for the y-axis of a usage report, the value is now used in the query. (ID-12035)

Audit logging is now supported for the creation, modification, and deletion of admin roles. (ID-12514)

Emailed PDF reports now honor the font and font embedding settings specified at any level. (ID-15328)

A CSV report encoded with the UTF-8 character set and multibyte text can now be customized so it can be displayed in applications that do not support UTF-8 encoding, such as Microsoft Excel. (ID-13574, 15407)

HTML <b></b> tags are now removed from the following PDF reports: (ID-15408)

All Admin Roles

All Administrators

All Roles

Forms for usage reports are now required to specify an X-axis attribute value. (ID-15777)

Repository

SQL Server 2005 is now supported as a repository. (ID-14755) Perform the following steps to use this version of SQL Server.

Download the JDBC driver for SQLServer 2005 (version 1.2) from the Microsoft web site.

Archive the previous version of the driver, located in the $WSHOME/WEB-INF/lib directory. Then replace the old version with the sqljdbc.jar driver in the same directory.

Review the database creation script. When creating the database, you may want to uncomment the lines:

ALTER DATABASE waveset SET READ_COMMITTED_SNAPSHOT ON

See SQLServer 2005 documentation for information on this setting.

When setting the repository with lh setup or lh setRepo command, use the following settings:

type = SQLServer

jdbc driver = com.microsoft.sqlserver.jdbc.SQLServerDriver

url = jdbc:sqlserver://MachineName:Port;DatabaseName=waveset

You will need to replace the machine name and port in the URL with valid settings.

Slow Oracle database systems can no longer cause suspended tasks to execute on more than one Scheduler simultaneously. (ID-15372)

Removing a role from one user in a similar group of users no longer affects the repository entries of the other users, and no longer prevents you from finding those users when searching by role. (ID-15584)

Resources

The RACF Resource Adapter now allows you to control dataset rules directly, rather than have Identity Manager administer them. This enables you to create dataset rules different from those native to Identity Manager. (ID-10446)

The following example 'after create' rule creates a dataset rule of <user id>.test1.**, rather than the Identity Manager default of <user id>.**.

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE ResourceAction PUBLIC 'waveset.dtd' 'waveset.dtd'>

<act>

var TSO_PROMPT = " READY";

var TSO_MORE = " ***";

var cmd1 = "addsd '"+identity+".test1.**' owner('"+identity+"')[enter]";

var result1 = hostAccess.doCmd(cmd1, TSO_PROMPT, TSO_MORE);

</act>

</ResTypeAction>

</ResourceAction>

The SecurID UNIX adapter correctly processes Identity System User Account attributes when the default names are changed. (ID-10521)

The system now supports Active Sync retries on a resource. To enable this feature, update the resource XML to include two additional resource attributes of the form:

syncRetryCountLimit is the number of times to retry the update, and syncRetryInterval is the number of milliseconds to wait between retries. These values will then appear as custom resource settings when configuring Active Sync. Specifying a displayName is advisable, using a custom catalog key if localization is desired. (ID-11255)

The LDAPActiveSync search filter that searches for changes in the changelog has been optimized for performance. The filter part (objectClass=changelogEntry) has been removed from the default search filter. (ID-11722)

You can restore the old behavior by adding the Remove objectClass from Search Params Filter resource attribute directly to the resource definition with a value of false, as follows:

Note: You cannot change this setting from the GUI.

Temporary tablespaces do not honor quota settings and if attempted from Oracle 10gR2, a SQL exception occurs. (ID-12843)

Until now, the resource adapter would set a quota on a temporary tablespace — even if the oracleTempTSQuota account attribute was not mapped. This behavior has changed. If you map the oracleTempTSQuota attribute, the old behavior is maintained (no change), but if you remove the mapping, no quota will be set on the temporary tablespace.

On Oracle 10gR2 resources, remove the oracleTempTSQuota attribute from the resource adapter.

The LDAP adapter can be configured so that a VLV Sort is performed on a value other than uid. (ID-13321) To change this value, add the following to the resource definition:

The SecurID adapters enforce the RSA requirement that the default login attribute be comprised of single-byte English characters only.(ID-13805)

Writing SAP activity groups and profiles in a Central User Administration (CUA) environment no longer splits a new table row into two rows when the information is separated by a colon. (ID-14371)

For some resource adapters, exclusion rules are now applied before users are fetched during reconciling, which allows specific users to be excluded, prevents errors generated by the resource, and can improve performance for a large number of users. (ID-14436)

Identity Manager now supports connections to mainframe resources using the Attachmate Reflection for the Web Emulator Class Library. See the Documentation Additions and Corrections section of these release notes for information about setting up this feature. (ID-14815)

Identity Manager now honors the Supported Features deny, ignore combination setting for a resource. If you select ignore, the action will not be performed, but in some circumstances it could be shown as a message in the GUI. (ID-14948)

Passwords with characters outside of the 7-bit ASCII range are now set correctly by the gateway (create and update) when Identity Manager is deployed with Tivoli Access Manager and Active Directory. (ID-15006)

The default RACF List User AttrParse mechanism has been extended to handle large numbers of “CLASS AUTHORIZATIONS” and template users with group entries such as “GROUP SYS1 USER CONNECTION NOT INDICATED”. (ID-15021)

Two resource attributes, Default Primary Group and Login Shell, have been added to the Solaris, AIX, HP-UX, Red Had Linux, and SuSE Linux resource adapters. (ID-15034)

If common resources are configured in System Configuration for use by login, and a common resource login fails, logins no longer fail when there is another resource in the login module stack that is not a common resource and it requires different authentication properties than any of the previous login module resources. (ID-15047)

The Oracle ERP adapter now supports Oracle E-Business Suite 12. Refer to Documentation Additions and Corrections in these release notes for more information. (ID-15062, 16705)

If you perform a Create Resource Object for a Solaris NIS server resource, select multiple accounts in Users, and then click Save, all of the accounts are now added to the group file in the NIS password source directory in the managed NIS server. Previously, this operation worked only if one account was selected. (ID-15085)

The ADSIResourceAdapter now closes connections when querying for resource objects. (ID-15098)

If a Resource Affinity account on RACF has insufficient privileges to list a user, Identity Manager will provides an appropriate error message. (ID-15331)

The Shell Script adapter now “traps” and reports output from Delete scripts that overtly return with an error. (ID-15340)

The database table adapter allows you to specify the Rethrow all SQLExceptions resource parameter. If this is not checked, SQL statements that throw SQLExceptions with a 0 ErrorCode will have the exception caught and supressed. (ID-15390)

When deleting RACF accounts, the system will now query, via a search mask, the data set profiles the user has, enumerate over these profiles, and delete the individual data sets (as opposed to trying to remove them all via a DELDSD .**). (ID-15413)

For Solaris NIS, Identity Manager no longer adds the netid target, which was not required and caused error messages in the traces. (ID-15503)

For Solaris NIS, Identity Manager no longer prevents use of the sudo command if the directory containing Solaris NIS passwd, shadow, and group template files are read-protected from the admin user. (ID-15505)

For Solaris NIS, an account is no longer partially created if the default primary group is either missing entirely or is a name not found in the group file. (ID-15509)

Corrected a problem that caused Solaris NIS user or group ID generation to fail when beginning with an environment with no users or groups, and template passwd and group files are in a directory other than /etc. (ID-15510)

For Solaris NIS, if two accounts are created in a row and a shell is specified for the first account but not the second (either it is not defined in the defadduser file or there is no defadduser file), the second account no longer is created with the first account's shell. (ID-15511)

On Solaris NIS, the /usr/sadm/defadduser file is used as an optional source for default values for newly created accounts. In previous versions of Identity Manager, the system used an incorrect element of this file to set the default primary group for a new Identity Manager user. It is now properly the defgname element that sets the default primary group. This default primary group value is overridden by the Default Primary Group resource attribute, which is in turn overridden by the similarly-named account attribute. (ID-15512)

Identity Manager no longer stores the Solaris NIS and HP-UX NIS encrypted passwords in both the passwd and shadow NIS template files when an account is updated. Now, the placeholder value “x” is stored in the passwd file. (ID-15593)

Activity groups (roles) and profiles in a CUA environment can now be updated with a start and end date. (ID-15613)

For roles, map the activityGroups attribute in the adapter to:

CUA->directLocalActivityGroupObjects

For Profiles, map profiles to:

CUA->directLocalProfileObjects

Active Sync no longer continues running when Create Unmatched Accounts is set to true and the Allowed Error Count is exceeded. (ID-15662)

Enhanced the UNIX resource adapters to improve performance during bulk provisioning. See AIX, HP-UX, Red Hat Linux, SuSE Linux, Solaris Adapters for more information. (ID-15754)

Corrected a a problem that allowed you to create a group on a Solaris NIS resource with a name or ID of an existing group. (ID-15755)

When deleting a user from a Solaris resource, Identity Manager no longer gives a false positive result if the user is currently logged on to the resource and the deletion fails. (ID-15761)

Identity Manager no longer reads write-only account attributes from an LDAP directory or Active Directory. (ID-15838)

Clearing a RACF attribute in a form did not cause Identity Manager to clear the attribute on the user when the form was submitted, it was a noop. Identity Manager now clears the attribute. (ID-15971)

Fixed an issue that caused deadlocks to occur when using Active Sync and the PeopleSoft resource. (ID-16109)

The Top Secret resource adapter now correctly handles ASUSPEND, PSUSPEND, VSUSPEND, and XSUSPEND when enabling and disabling users.(ID-16295)

The SAP adapter now supports updating the ALIAS field in SAP. The attribute mapping in the schema configuration is ALIAS->USERALIAS. (ID-16320)

Corrected a problem within the Top Secret adapter that caused incomplete user attributes to be loaded. (ID-16334)

Added the npw_number account attribute to the Oracle ERP adapter in order to support contingent worker accounts. (ID-16507)

Roles

When you import roles containing links to back to existing super roles, Identity Manager now updates the existing roles with links back to the newly imported roles. (ID-15482)

Identity Manager detects and creates links from existing super roles back to the subroles that reference them. During upgrade, Identity Manager invokes the RoleUpdater class used to repair the roles.

You can update roles outside the upgrade process by importing a new RoleUpdater.xml file found in sample/forms/RoleUpdater.xml. By default, Identity Manager adds the subrole links during upgrade or when you import RoleUpdater.xml.

To disable this new functionality, set the RoleUpdater attribute nofixsubrolelinks to true. For example,

See ID-15053 described in “Known Issues” for related information about automatically updating roles during import.

Bulk actions are able to remove the role from waveset.roles when it contains only one role. (ID-14568)

The system now properly updates sub/super roles during a SaveAs. (ID-16010)

Security

End user password changes initiated by administrators, via SPML or otherwise, will not get added to password history. There are now two ways to configure the application to save a password into the users history. Only one way is necessary. (ID-13029)

View option (takes precedence if present or true) Set the 'savePasswordHistory' attribute on the target form. For example:

Use the following System Configuration Settings and toggle the behavior for the desired interface. This will need be added to the System Configuration Object if not already present.

<Attribute name='security'>
  <Object>
    <Attribute name='admin'>
      <Object>
        <Attribute name='changePassword'>
          <Object>
            <Attribute name='Administrator Interface'>
              <Object>
                <Attribute name='savePasswordHistory'>
                  <Boolean>true</Boolean>
                </Attribute>
              </Object>
            </Attribute>
            <Attribute name='Command Line Interface'>
              <Object>
                <Attribute name='savePasswordHistory'>
                  <Boolean>true</Boolean>
                </Attribute>
              </Object>
            </Attribute>
            <Attribute name='IVR Interface'>
              <Object>
                <Attribute name='savePasswordHistory'>
                  <Boolean>false</Boolean>
                </Attribute>
              </Object>
            </Attribute>
            <Attribute name='SOAP Interface'>
              <Object>
                <Attribute name='savePasswordHistory'>
                  <Boolean>true</Boolean>
                </Attribute>
              </Object>
            </Attribute>
            <Attribute name='User Interface'>
              <Object>
                <Attribute name='savePasswordHistory'>
                  <Boolean>false</Boolean>
                </Attribute>
              </Object>
            </Attribute>
          </Object>
        </Attribute>
      </Object>
    </Attribute>
....

You can now add passwords to a user's password history when creating a user. (ID-15179)

An approver who does not control the Top organization can now view previously approved/rejected approvals.(ID-15271)

If a user who owns any pending work items is deleted, Identity Manager now ensures that the work items are not lost, as follows: (ID-15868)

If a pending work item was delegated and the delegator has not been deleted, the pending work item is returned to the delegator, and the delegator will then be the new work item owner.

If a pending work item was delegated and the delegator has also been deleted or if a pending work item was not delegated, the delete attempt fails until the user's pending work item has been either resolved or forwarded to another user.

Server

The session is now correctly set during expansions and derivations while processing resource account creations during a bulk action. (ID-16181)

Under certain conditions, it was possible for a scheduled task to be processed by multiple servers for a given scheduled start time. This is now prevented. (ID-16318)

Workflow

Under certain conditions, an expired work item could be edited without an error. Now an error indicating the work item was invalid will be returned. (ID-15439)

The workflow variable WF_ACTION_ERROR is now set correctly when an error in the Remedy resource adapter occurs. (ID-16360)

A customized emailTemplate can now be used for forwarded approvals. The emailTemplate to be used must be specified in the Approval subprocesses, by ID. (ID-16468)

Additional Defects Fixed

12585, 13338, 13965, 14334, 14893, 14899, 15036, 15073, 15219, 15474, 16107, 16282, 16389, 16395, 16610

Known Issues

The TaskScheduleViewer does not format the start date in the same format that is required for entry. Consequently, you must correct the start date when editing a task schedule. (ID-5675)

By default, when a user types an answer to an authentication question, the characters are masked with asterisks (*). However, this practice disables the ability of some input method editors (IMEs) to create complex characters, such as those used in Japanese kanji.

To allow users to use an IME to answer authentication questions, use the Debug page to change the secret Property value to false in the Question Login Form UserForm.

Note: Setting this value to false is a security risk because answers to authentication questions are now human-readable on the screen. The answers are still stored encrypted. (ID-7424)

Some configuration options that appear in the Identity Manager Administrator interface are not used with Identity Manager SPE. (ID-10843). Among these are:

Resource wizard configuration options: exclude accounts rule, approvers, and organizations

Role attributes

FireFox 1.5 does not display some Identity Manager forms correctly. For example, on the Tabbed User form, the browser does not wrap labels, which pushes everything to the right. (ID-13109)

The "Report only users whose user name" checkbox is listed twice in the User and User Question Reports. One checkbox has i-help, but the other checkbox does not. Either checkbox, used individually, will return the correct data. (ID-13155)

If logging into the SPE end user pages produces an HTTP Status 500 error, this could indicate that there are multiple EncryptionKeys in the SPE configuration. This could be caused by a new one being generated in Identity Manager during the upgrade process.

The workaround is to delete the EncryptionKeys from the SPE config directory and re-export from Identity Manager. (ID-13162)

Once a value has been set for a user’s email attribute, it cannot be removed. The value can be changed, but cannot be set back to null. (ID-13164)

If you modify a Role form to change the showSuperAndSubRoles variable from 0 to 1, and then import a super role object definition file containing existing subroles from the Configure tab; those subroles will not be modified to include the <SuperRoles> section. However, if you use the Identity Manager graphic user interface to create a super role, the subroles referenced by that super role will be updated. (ID-15053)

This issue can occur with roles created outside Identity Manager that have references to existing roles (either subroles or super roles) already in the system.

When importing these roles, the roles that already exist in the system are not updated to reflect the new relationships; for example, referential integrity is not maintained. Use the RoleUpdater to check and correct the referential integrity if roles are imported in this way.

Workaround: See ID-15482, described in “Roles”.

Microsoft SQL Server 2000's locking characteristics can cause deadlock errors under certain heavy load conditions in Identity Manager. (ID-16068)

Workaround: Upgrade from Microsoft SQLServer 2000 to Microsoft SQLServer 2005 using native mode.

Microsoft SQLServer 2005 (which has new functionality called Snapshot Isolation) has been tested with Identity Manager under heavy load, and does not exhibit the same deadlocking problems as SQLServer 2000.

Some customers also found it useful to alter their database to use READ_COMMITTED_SNAPSHOT as follows:

ALTER DATABASE dbname SET READ_COMMITTED_SNAPSHOT ON </quote>

Due to interoperability issues between WebSphere data sources and Oracle JDBC drivers, Oracle customers who want to use a WebSphere data source with Identity Manager must use Oracle 10g R2 and the corresponding JDBC driver. (The Oracle 9 JDBC driver will not work with a WebSphere data source and Identity Manager.) If you have a version of Oracle prior to 10g R2 and cannot upgrade Oracle to 10g R2, then configure the Identity Manager repository so that it connects to the Oracle database using Oracle's JDBC Driver Manager (and not a WebSphere data source). (ID-16167)

See the following URL or more information:

http://www-1.ibm.com/support/docview.wss?uid=swg21225859

Some of the words on the tab of "Edit User" screen could wrap around in multi-language mode. (ID-16054)

Workaround: To ensure words in tabs are displayed without being wrapped, add the following to $WSHOME/styles/customStyle.css:

table.Tab2TblNew td

{background- image:url(../images/tabs/level2_deselect.jpg);background- repeat:repeat-x;background-position:left top;background- color:#C4CBD1;border:solid 1px #8f989f;white-space:nowrap}

table.Tab2TblNew td.Tab2TblSelTd

{border-bottom:none;background- image:url(../images/tabs/level3_selected.jpg);background- repeat:repeat-x;background-position:left bottom;background- color:#F2F4F3;border-left:solid 1px #8f989f;border-right:solid 1px #8f989f;border-top:solid 1px #8f989f;white-space:nowrap}

Previous Contents Next

Previous Contents Next
Sun Java System Identity Installation Pack 2005Q4M3 SP3 Release Notes