Sun Java System Identity Installation Pack 2005Q4M3 SP4 Release Notes
Identity Installation Pack 2005Q4M3 SP4 Features
Before installing or upgrading the Sun Java System Identity Installation Pack software, review the “Notes on Installation and Update” section of these release notes and any documentation provided with the most recent Identity Manager 2005Q4M3 service pack.
New Features and Defects Fixed in This Release
This section summarizes the new features and fixed defects in Identity Installation Pack 2005Q4M3 SP4. See the individual sections in this chapter for details.
Administrator Interface
- When viewing Server Tasks, the Start Time column on the All Tasks tab will now sort in correct chronological order. Previously, the Start Time column was not sorting properly. (ID-16783)
- When performing a user search on the List Accounts tab (Accounts > List Accounts), the search feature will now only list users once per organization. Previously the same user would appear multiple times per organization in the search results. (ID-16795)
Also: See the Known Issues section on page 2-22 regarding a separate issue with the account tree table on the List Accounts tab.
- When doing a search by user in the account tree table, the returned user’s manager attribute now displays the manager’s full name. Previously, only the manager’s ID was displayed. (ID-14645)
- The Status column on the Change User Password Results page has been removed. In addition, the Status column has been removed from these pages: Change Answers Results, Change All Results, and Change Password Results. The Status column did not show any data and did not serve a purpose. (ID-16889)
- You can now clear the DatePicker field type value on forms. (ID-17022)
- Sorting the Pending Approval table now works. Previously, a user with pending approvals could not sort this table. Instead, the message “Cannot format results page, no task id or result” would be displayed. (ID-17304)
- The Text display component now renders autocomplete="off" on input fields where the display property autocomplete has been set to off. (Setting autocomplete to off prevents browsers from offering to store the user's credentials on their computer.)
You can make this customization in XPRESS by adding the display property. Any value other than off will prevent the autocomplete attribute from being rendered (which is the same as not setting the property). (ID-17045)
- A cross-site scripting vulnerability was identified and fixed for the following pages (ID-17241):
Auditing
Password Synchronization
- A change in behavior introduced in Microsoft Windows Server 2003 SP2 has necessitated a change to Identity Manager's PasswordSync DLL (lhpwic.dll). In SP2, password change notifications sent from Windows to PasswordSync can contain improperly formatted computer account data. This can cause PasswordSync to throw an exception. Eventually it can also cause Microsoft's Local Security Authority Subsystem (LSASS) component to hang, requiring a reboot of the domain controller.
Because computer account data is not processed by PasswordSync (only user accounts are processed), the PasswordSync DLL has been updated to discard all computer account change notifications as soon as they are received.
Windows computer accounts end in a "$" dollar sign. Therefore, be advised that PasswordSync will not process any accounts ending in a $, including any user accounts that may end with a $. (ID-17245)
- The PasswordSync trace log has been updated. When PasswordSync/JMS forwards a password change notification from Windows Active Directory to Identity Manager, and the user does not exist in Identity Manager, the trace log will now record an appropriate message. Previously under these circumstances PasswordSync would throw a null pointer exception without an explanation. (ID-16920)
- Booting an Active Directory domain controller in “Directory Service Restore” mode will no longer cause a continuous reboot cycle if PasswordSync (lhpwic.dll) crashes. (ID-16695)
- PasswordSync has been updated to prevent “out of handle” errors on Active Directory domain controllers running PasswordSync (lhpwic.dll). When computer accounts are updated in a domain, the domain controller incorrectly sends a password update notification to Identity Manager's PasswordSync DLL, and the DLL was not closing the resulting search handles properly. (ID-16495)
Also: A separate PasswordSync issue that caused handle leaks has been resolved. (ID-16827)
- A new Windows registry entry will generate a dump file if the PasswordSync DLL throws an exception.
Key name: dumpFilebase
Type: REG_SZ
This key should be added to Windows domain controllers running PasswordSync. The registry key should be set to the fully qualified directory path where the memory dump should be written, for example: c:\temp
If the registry value is set, then every time an exception is caught during password processing the memory dump will be written.
Note: On Windows 2000 server (any service pack), you also must install in the configured directory DbgHelp.dll, which is available from Microsoft. The minimum release version of this file must be 5.1. Download this file here:
http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx
If DbgHelp.dll is not installed, no dumps will be generated on Windows 2000.
Dump files will be named using this format:
lhpwic-YYYYMMDD-HHmm-xxxxx.dmp
In this name, YYYYMMDD will be the date of the dump, HHmm is the time of the dump (24-hour clock), and xxxxx is the thread number of the application.
Note that dump files need to be manually removed! These files can range in size from 20 MB to more than 100 MB, depending on the size of the Windows Local Security Authority Subsystem (LSASS) process. Over time, systems with limited disk space could fill up if these dump files are not removed. (ID-17552)
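Because the dump files are never removed automatically, a retention script is the practical companion to this registry setting. The following Python script is an added example, not part of these release notes or of the PasswordSync code: it parses the documented lhpwic-YYYYMMDD-HHmm-xxxxx.dmp name format, selects dumps older than a retention window, ignores anything else in the directory (such as DbgHelp.dll), and deletes only when dry_run is switched off. The 14-day window, the sample directory listing and the dump directory path are constructed assumptions.

```python
import os
from datetime import datetime, timedelta
import re

# Name format documented in the release notes: lhpwic-YYYYMMDD-HHmm-xxxxx.dmp
DUMP_NAME_RE = re.compile(r"^lhpwic-(\d{8})-(\d{4})-(\d+)\.dmp$")


def parse_dump_name(name):
    """Return (timestamp, thread_id) for a PasswordSync dump file name,
    or None if the name does not match the documented pattern."""
    m = DUMP_NAME_RE.match(name)
    if m is None:
        return None
    date_part, time_part, thread_part = m.groups()
    try:
        # Fields are fixed-width, so slice them explicitly rather than rely on strptime
        stamp = datetime(int(date_part[:4]), int(date_part[4:6]), int(date_part[6:8]),
                         int(time_part[:2]), int(time_part[2:]))
    except ValueError:
        # Right shape but an impossible date or time (for example day 99): not a dump we recognise
        return None
    return stamp, thread_part


def select_expired_dumps(names, now, retention_days):
    """Return the dump file names older than retention_days at 'now', oldest first.
    Files that do not parse as dumps are skipped so unrelated files are never touched."""
    cutoff = now - timedelta(days=retention_days)
    expired = []
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        stamp, _thread = parsed
        if stamp < cutoff:
            expired.append((stamp, name))
    expired.sort()
    return [name for _stamp, name in expired]


def purge_dumps(directory, now, retention_days, dry_run=True):
    """Remove expired dumps from 'directory' (the dumpFilebase path).
    Returns the names removed, or that would be removed when dry_run is True."""
    expired = select_expired_dumps(os.listdir(directory), now, retention_days)
    for name in expired:
        if not dry_run:
            os.remove(os.path.join(directory, name))
    return expired


# Constructed sample listing (not real dump files): dumps mixed with unrelated files.
SAMPLE_LISTING = [
    "lhpwic-20070301-0915-01234.dmp",
    "lhpwic-20070412-2330-00777.dmp",
    "lhpwic-20070415-0800-01300.dmp",
    "lhpwic-20070499-0800-01300.dmp",  # impossible date, must be ignored
    "notes.txt",
    "DbgHelp.dll",
]

if __name__ == "__main__":
    # Dry run against the constructed listing with an assumed 14-day retention window
    now = datetime(2007, 4, 16, 12, 0)
    print(select_expired_dumps(SAMPLE_LISTING, now, 14))
```

Run it as a scheduled task on the domain controller with dry_run=True first and compare the reported names against the directory before switching to deletion; the thread number in the name is kept in the parse result so a burst of dumps from one thread can be correlated with the trace log.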
Reconciliation
Reports
- The following events will now be included in Audit Log reports, such as the "Today's Activity Report":
- Attempts to create a user with a missing user ID or password
- Attempts to create a user with a non-existing role (as well as attempts to assign an existing user a non-existing role)
- Attempts to create a user that violates Account ID policy
- Attempts to create a user assigned a resource that cannot be accessed (as well as attempts to assign an existing user such a resource)
- Attempts to delete non-existing users
These events will also be written to the System Log.
Previously, unsuccessful attempts at creating and deleting users were only written to the System Log. (ID-13284)
- Identity Manager now supports the CLOB datatype for acctAttrChanges when using an Oracle database as the Identity Manager repository.
The advantage of using CLOB (instead of using the default VARCHAR(4000) datatype) is that it allows a much larger set of changes to be logged; however, it also makes this column more difficult to query, due to the proprietary nature of the CLOB access routines.
To enable a larger set of changes, you must change the log.acctAttrChanges column type to CLOB (from VARCHAR(4000)) and adjust the maxLogAcctAttrChangesLength attribute of the RepositoryConfiguration Configuration Object correspondingly. (ID-15326)
Resources
- The Solaris resource adapter now forces users to change their passwords upon next login. To enable this feature, add expirePassword to the Identity System User Attribute column of the schema map and force_change to the Resource User Attribute column. This attribute type must be set to string. (ID-17032, ID-17146)
- The Oracle resource adapter has been updated to provide a more detailed error message in the event that the adapter is unable to add, modify, or delete a user responsibility. The adapter now lists the responsibility that it was unable to update. (ID-16656)
- The Sun Access Manager resource adapter can now connect to Access Manager in SSL mode. Previously, when testing the resource adapter configuration, administrators would receive an “AuthContext cannot be created” error. (ID-16454)
- The Microsoft ADSI gateway has been updated. If an Active Directory resource is used to authenticate a user logging on to Identity Manager, the Identity Manager UI will now prompt the user to change their password if the user’s Windows password is expired. Previously, the user would simply receive an error message stating that their password had expired. (ID-16681)
- Support for access to Remedy servers has changed. The gateway no longer depends on the 4.5 version of the Remedy API libraries. Customers will now be required to place the Remedy libraries in the gateway directory. These libraries can be found on the Remedy server. (ID-17361, ID-16551)
- With this Service Pack, Identity Manager supports Remedy versions 6.3 and 7.0. There are, however, many substantial differences between these versions in terms of their sample data, defaults, and out-of-the-box configuration. For example, the name of the “ticket” schema in version 6.3 is HPD:HelpDesk, while in 7.0 it has been changed to HPD:Help Desk. (ID-17361, ID-14611)
- When configuring an Active Directory resource, it is now possible to specify a domain in the resource authentication properties section. Administrators should specify a domain in multi-domain or forest environments so that logins only authenticate against the correct Active Directory domain. If a domain is not specified, a user can be locked out after only a single failed login attempt. This is because the user can collect a password failure for each domain that shares a trust relationship with the primary domain. (ID-16603)
- An issue with the SecurId Unix resource adapter has been fixed. Prior to this fix, a change to the user’s first and/or last name would cause the user’s groups to be deleted from the SecurId resource. (ID-16914)
Scheduler
- Scheduler has been updated to suppress the output of the SystemLog (syslog) entry ‘EVNT00’, LockedByAnother. In clustered environments this error message was output to the log an excessive number of times. (ID-15714)
- Scheduler has been updated to reduce the chance of two instances of Identity Manager both running the same workflow simultaneously. Prior to this update, clustered environments with multiple Schedulers all using the same repository were vulnerable to this problem. (ID-16500)
Additional Defects Fixed
16382
Known Issues
- The account tree table on the List Accounts tab (Accounts > List Accounts) does not display the Manager column. (Only the Name, Last Name, and First Name columns are displayed.)
To correct this issue, use the Business Process Editor to edit the UserUIConfig configuration object.
Locate the <AppletColumns> element and insert the following XML couplet at the end of the list:
<Object name='idmManager'>
  <Attribute name='label' value='UI_ATTR_MANAGER'/>
</Object>
Save your changes and restart the application server. (ID-17710)
- In the Administrator Interface, the only way to cancel a submitted delegation (Approvals > Delegate My Approvals) is to set the End Date equal to the Start Date (or to a date in the past). (ID-16790, ID-16799)
- The TaskScheduleViewer does not format the start date in the same format that is required for entry. Consequently, you must correct the start date when editing a task schedule. (ID-5675)
- By default, when a user types an answer to an authentication question, the characters are masked with asterisks (*). This practice, however, disables the ability of some input method editors (IMEs) to create complex characters, such as those used in Japanese kanji.
To allow users to use an IME to answer authentication questions, use the Debug page to change the secret Property value to false in the Question Login Form UserForm.
<Property name='secret' value='false'/>
Note: Setting this value to false is a security risk because answers to authentication questions are now human-readable on the screen. The answers are still stored encrypted. (ID-7424)
- Some configuration options that appear in the Identity Manager Administrator interface are not used with Identity Manager SPE. (ID-10843). Among these are:
- FireFox 1.5 does not display some Identity Manager forms correctly. For example, on the Tabbed User form, the browser does not wrap labels, which pushes everything to the right. (ID-13109)
- The "Report only users whose user name" checkbox is listed twice in the User and User Question Reports. One checkbox has I-help, but the other checkbox does not. Either checkbox, used individually, will return the correct data. (ID-13155)
- If logging into the SPE end user pages produces an HTTP Status 500 error, this could indicate that there are multiple encryption keys in the SPE configuration. This could be caused by a new one being generated in Identity Manager during the upgrade process.
The workaround is to delete the encryption keys (EncryptionKeys) from the SPE config directory and re-export from Identity Manager. (ID-13162)
- Once a value has been set for a user’s email attribute, it cannot be removed. The value can be changed, but cannot be set back to null. (ID-13164)
- If you modify a Role form to change the showSuperAndSubRoles variable from 0 to 1, and then import a super role object definition file containing existing subroles from the Configure tab, those subroles will not be modified to include the <SuperRoles> section. If, however, you use the Identity Manager graphic user interface to create a super role, the subroles referenced by that super role will be updated. (ID-15053)
This issue can occur with roles created outside Identity Manager that have references to existing roles (either subroles or super roles) already in the system.
When importing these roles, the roles that already exist in the system are not updated to reflect the new relationships; that is, referential integrity is not maintained. Use the RoleUpdater to check and correct the referential integrity if roles are imported in this way.
Workaround: See ID-15482, described in “Roles”.
- Microsoft SQL Server 2000's locking characteristics can cause deadlock errors under certain heavy load conditions in Identity Manager. (ID-16068)
Workaround: Upgrade from Microsoft SQL Server 2000 to Microsoft SQL Server 2005 using native mode.
Microsoft SQL Server 2005 (which has new functionality called Snapshot Isolation) has been tested with Identity Manager under heavy load, and does not exhibit the same deadlocking problems as SQL Server 2000.
Some customers also found it useful to alter their database to use READ_COMMITTED_SNAPSHOT as follows:
ALTER DATABASE dbname SET READ_COMMITTED_SNAPSHOT ON
- Due to interoperability issues between WebSphere data sources and Oracle JDBC drivers, Oracle customers who want to use a WebSphere data source with Identity Manager must use Oracle 10g R2 and the corresponding JDBC driver. (The Oracle 9 JDBC driver will not work with a WebSphere data source and Identity Manager.) If you have a version of Oracle prior to 10g R2 and cannot upgrade Oracle to 10g R2, then configure the Identity Manager repository so that it connects to the Oracle database using Oracle's JDBC Driver Manager (and not a WebSphere data source). (ID-16167)
See the following URL for more information:
http://www-1.ibm.com/support/docview.wss?uid=swg21225859
- Some words on the tabs of the "Edit User" screen may wrap in multi-language mode. (ID-16054)
Workaround: To ensure words in tabs are displayed without being wrapped, add the following to $WSHOME/styles/customStyle.css:
table.Tab2TblNew td {
background-image:url(../images/tabs/level2_deselect.jpg);
background-repeat:repeat-x;background-position:left top;
background-color:#C4CBD1;
border:solid 1px #8f989f;
white-space:nowrap;
}
table.Tab2TblNew td.Tab2TblSelTd {
border-bottom:none;
background-image:url(../images/tabs/level3_selected.jpg);
background-repeat:repeat-x;background-position:left bottom;
background-color:#F2F4F3;
border-left:solid 1px #8f989f;
border-right:solid 1px #8f989f;
border-top:solid 1px #8f989f;
white-space:nowrap;
}