NetIQ Identity Manager 4.6 Service Pack 1 Release Notes

July 2017

NetIQ Identity Manager 4.6 Service Pack 1 provides new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Identity Manager Community Forums on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product and the latest release notes are available on the NetIQ Web site on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Identity Manager Documentation Web site.

1.0 What’s New?

Identity Manager 4.6.1 provides the following key features, enhancements, and fixes in this release:

1.1 New Features

This release introduces the following features:

Support for Integration with NetIQ Identity Governance

If you have NetIQ Identity Governance in your environment, you can convert your Identity Manager Dashboard into an Identity Governance and Administration (IGA) Dashboard. This dashboard serves as a single landing portal for both Identity Manager and Identity Governance users. The dashboard also displays IGA tasks such as pending reviews, manual fulfillment tasks, and Separation of Duties policy violations for Identity Governance users.

To integrate Identity Governance with Identity Manager, you must add a link to Identity Governance in the Identity Manager Dashboard interface. Also, Identity Governance and identity applications are required to use the same authentication server. For more information about configuring the Identity Governance integration with Identity Manager, perform the steps listed in the readme file from the download page.

Support for Identity Applications REST API Documentation

This release provides documentation for all Identity Applications REST APIs. These APIs are exposed by Identity Applications to allow the following common tasks to be handled automatically:

  • List the tasks

  • List existing permission assignments for end users

  • Request permissions for yourself or for other users

  • Access white pages

  • Perform proxy tasks

  • Administer settings

The Identity Applications service pack (IDM46-Apps-SP-1.zip) installation program deploys a WAR file, idmappsdoc.war, which contains the documentation of REST services needed for Identity Applications. Download this installation package on the server where the Identity Applications are installed and perform the steps listed in the readme file.

To access the REST API documentation on the server where the Identity Applications are installed, specify the path of /idmappsdoc in the address bar of your browser. For example, if you installed the Identity Applications on a host called servername on port 8543, you can access the REST API documentation at https://servername:8543/idmappsdoc.

NOTE: The Technical Support team will support the general Identity Manager setup and any issues where the Identity Applications APIs do not return valid data. Any other code changes needed to integrate with the Identity Applications are outside the scope of traditional NTS support.

Be aware that while working in a staging or production environment, you must manually delete the idmappsdoc.war files and folders from your environment.

Database Support

In addition to the existing databases, this service pack adds support for Microsoft SQL Server 2016.

Support for Designer and Designer (LDAP) Versions

This service pack provides both versions of Designer: Designer 4.6.1 and Designer (LDAP) 4.6.1. NetIQ strongly recommends that you use Designer (LDAP) 4.6. Designer 4.6 is redundant and will be deprecated in the future.

To upgrade to Designer (LDAP) 4.6.1, install Designer (LDAP) 4.6. For more information, see NetIQ Identity Manager Designer (LDAP) 4.6 Release Notes. To upgrade to version 4.6.1, see Section 3.7, Updating Designer.

1.2 Addresses Software Vulnerabilities

This service pack addresses the following Common Vulnerabilities and Exposures (CVE) for Identity Manager:

  • CVE-2017-7427

  • CVE-2017-7426

1.3 Component Updates

This service pack provides updates for the following components in Identity Manager:

  • Identity Manager engine

  • Identity applications

  • Designer for Identity Manager (Designer)

  • NetIQ Self Service Password Reset (SSPR)

  • NetIQ One SSO Provider (OSP)

1.4 Support for Java 1.8 Update 131

This service pack updates the following components to support Java Development Kit 8 Update 131 (jdk8u131) or Java Runtime Environment 1.8 Update 131 (jre8u131).

  • Identity Manager engine

  • Identity applications, running on Apache Tomcat

  • Identity Reporting, running on Apache Tomcat

  • Designer

  • Analyzer (32-bit Java only)

This service pack updates the Java version for the Identity Manager engine.

NOTE: You can download Java 1.8 Update 131 directly from the Oracle Site.

The method of updating Java for the identity applications depends on whether you choose to update this component using the Identity Applications update utility packaged with this service pack or manually. The update utility automatically updates your current Java version. However, you need to update the Java version in the manual update process.

You need to manually update your current Java version for Identity Reporting, Designer, and Analyzer. For more information, see Section 3.3, Installing Java 1.8 Update 131.

1.5 Support for Apache Tomcat 8.5.16

This service pack requires Apache Tomcat 8.5.16. The following considerations apply for updating your current version of Tomcat.

  • If you are updating the identity applications by using the Identity Applications Update utility packaged in the IDM46-Apps-SP-1.zip file, the utility automatically updates Tomcat.

  • If you are manually updating the identity applications, you need to separately update Tomcat by following the steps listed in the readme file. Alternatively, run the Identity Applications Update utility to update Tomcat.

1.6 Support for One SSO Provider 6.1.3 or Later

This service pack requires NetIQ One SSO Provider 6.1.3 at a minimum.

1.7 What’s Deprecated?

Support for the following operating systems will be deprecated from Identity Manager 4.7:

  • Red Hat Enterprise Linux 6

  • SUSE Linux Enterprise Server 11

  • Windows 2008

  • Open Enterprise Server 11

NetIQ remains committed to supporting the current versions of Identity Manager on these platforms through the end of their support lifecycles.

1.8 Software Fixes

Identity Manager Engine and Driver Plug-ins

NetIQ Identity Manager includes software fixes that resolve several previous issues in the Identity Manager engine and plug-ins.

Identity Manager Engine Patch Installer No Longer Needs PERL Software to Update the Installed RPMs

The NetIQ Identity Manager Patch Installer program for the Identity Manager engine and Remote Loader successfully updates the installed RPMs without requiring the PERL software to be installed on your server. (Bug 1029331)

Ability to Bring Up Overview Page for a Driver Associated with a Remote CA Server in iManager

In a multi-server environment, even when a server hosting the Certificate Authority (CA) is not available, iManager successfully brings up the driver overview page for that server. (Bug 1028417)

Initiator User Data Format in Sentinel Collector for Identity Manager

Issue: Events are not populating in the Identity Tracking reports because the Sentinel Collector for Identity Manager is not normalizing the Initiator.

Fix: The Initiator data format for a user has been updated to correctly map with the corresponding data in the Sentinel Identity Tracking driver. (Bug 1013670)

Crontab String in Job Scheduler Page Correctly Displays Time

The iManager plug-in correctly displays time for a scheduled job in the Crontab string. (Bug 1035844)

Special Characters Allowed in the Connection URL for JDBC Fan-Out Driver Instance

The plug-in has been enhanced to accept special characters in the JDBC Fan-Out driver instance connection URL. (Bug 1035842)

Identity Applications

NetIQ Identity Manager includes software fixes that resolve several previous issues in the identity applications.

Ability to Configure Outgoing Mail Server Properties From New Dashboard

This service pack enhances the new Dashboard to allow you to configure the outgoing EMail Approval properties while continuing to allow you to perform this using the ConfigUpdate utility. (Bug 1016857)

DateTimePicker Control Correctly Updates the eDirectory Attributes Values

This service pack resolves an issue where the DateTimePicker control does not correctly populate the eDirectory attributes. (Bug 993479)

Workflow Forms Incorrectly Display Scroll Bar for the DNLookup Control After Upgrading to Latest Browsers and Identity Applications

If you use the DNLookUp field to search users, the scroll bar and all user details are correctly displayed. (Bug 1041741)

DNLookUp Control Correctly Displays Values in the Form Print Pop-Up Window

The pre-activity flowdata.get for the DNLookUp data item now correctly resolves the attributes specified in the Display Expression field in the Approval Print Pop-up window. (Bug 1033975)

Resolves an Issue with User Application Driver Connection When Subject Alternate Names Are Used

The HTTP clients that User Application and the User Application driver use honor Subject Alternate Names in a certificate, which enables the User Application driver to verify the User Application's X.509 certificate. (Bug 1034018)

Workflow Request Form Print Preview Pop-Up Window Displays Populated Values

While printing a request form, all the fields are correctly populated and properly displayed in the Form Print Pop-up window on the following web browsers: Google Chrome, Mozilla Firefox and Microsoft Internet Explorer 11. (Bug 992087)

Improved Loading of New Dashboard Page

When you are not connected to the Internet, the enhanced scripts and style sheets ensure faster loading of the Dashboard page. (Bug 1030280)

Values are Correctly Populated in the DNLookUp Field

This service pack resolves an issue where User Application reported an error if the DNLookUp field was empty. (Bug 1034172)

Resolves an Issue When Request Status and Task Notifications Report Error While Retrieving the Task List

Issue: If you set a blank value in the Recipient field of a workflow and then select the Request Status option in Work Dashboard, workflow status is not displayed. (Bug 1010234)

Fix: The User Application validates the contents of the Recipient field before starting the workflow process. If the field is null or empty, the workflow is aborted. In case of multiple recipients, if one of the recipients is null or empty, the workflow is aborted. (Bug 1010234)

Ability to Continue Processing Code Map Refresh

When a code map refresh fails for an entitlement or if an error occurs while obtaining the details about a driver or entitlements, the code map refresh continues to refresh other entitlements. (Bug 1009592)

Exception Reported While Saving User Preferences in the User Application

When you customize the User Application as a normal user or as a User Application administrator to select the options to display in the Task Notification Display, User Application reports an error indicating that it cannot save the updated user preferences. (Bug 986806)

This issue has been fixed with this release.

HTML Tags in DN LookUp for Users with a Space in the First Name

If you search for a user name that has a space in the first name, the User Application or Identity Manager Dashboard escapes the space in the name and obtains the correct user name. (Bug 1016903)

Cancel Button Validates the Mandatory Fields on a Workflow Approval Form

The cancel action property validates the required fields in a Workflow Approval Form. You can set the property to allow or block a cancellation when it encounters an error. For example, set the block-on-error property to False to allow you to close the Approval Form without validating the fields when you click the Cancel button. (Bug 1030687)

Ignores ASCII Control Characters in Approval or Request Comments

The ASCII control characters are not printable and cannot be parsed by the XML parser. Dashboard escapes these characters while parsing the XML. (Bug 1032346)

Customizing Width of Text Fields in Forms

Regardless of whether you are working with User Application or the new Dashboard, you can now customize the width of the text fields to suit your requirement. (Bug 1033629)

Prompts an Error Message When a Disallowed Character Is Used While Naming a Resource

The User Application has been updated to display an error message when a disallowed character is specified in a resource name. (Bug 1031657)

getAssignedIdentities SOAP Endpoint Returns Inherited User Assignments

This release fixes an issue where the getAssignedIdentities API did not return the indirectly assigned entities. (Bug 1007307)

Enabling Non Administrator Users to See Custom Permission Items in the Applications Page

Non-administrator users with Trustee rights can see the custom permission items in the Applications page. (Bug 1026444)

Working with Auto Complete Search

The Auto Complete search has been updated to allow you to select only one attribute in Display Expression of a DNLookUp field for correct interpretation of results. (Bug 1022104)

Resolves an Issue with Migrating Existing Team URLs from Catalog Administrator to Provisioning Dashboard

When migrating the existing team URLs, the identity applications obtain only the database record identifier that is needed for migrating the URLs and then send this information to generic Java data type number for further processing. (Bug 1039053)

Designer for Identity Manager

NetIQ Identity Manager includes software fixes that resolve several previous issues in Designer.

Active Directory Driver Package Name Translation in Japanese

Designer has been enhanced to correctly display the name of the Active Directory Entitlements and Exchange Mailbox Support package in Japanese. (Bug 948005)

Ability to Simulate Policies Containing ECMAScripts

Designer is updated to successfully simulate the policies that contain ECMAScripts. (Bug 1030511)

Designer Presents Complete Dialog for Move Source or Move Destination Object Actions

While building the Move Source Object and Move Destination Object actions in Policy Builder, Designer correctly displays all the fields in the appropriate dialogs. (Bug 1031156)

2.0 System Requirements

This service pack requires the following product versions:

| Requirement | Description |
|---|---|
| NetIQ Identity Manager 4.6 | This includes Identity Manager engine, Identity Applications, Identity Reporting, Sentinel Log Management for Identity Governance and Administration, Designer, and Analyzer. |
| NetIQ eDirectory 8.8.8 Patch 8, 8.8.8 Patch 9, 8.8.8 Patch 10, or 8.8.8 Patch 10 Hot Fix (HF)1 | For considerations about upgrading eDirectory, see the supported upgrade paths from Section 3.1, Supported Upgraded Paths. |
| NetIQ eDirectory 9.0.1, 9.0.2, 9.0.3, or 9.0.3 HF1 | For considerations about upgrading eDirectory, see the supported upgrade paths from Section 3.1, Supported Upgraded Paths. |
| NetIQ iManager 2.7.7 Patch 10 at a minimum | You must install iManager 2.7.7 Patch 10 or later to support eDirectory 8.8.8.x. Ensure that you update your existing plug-ins to the latest versions for the iManager version you are using. IMPORTANT: If you are planning to upgrade eDirectory 8.8.x to 9.0.1 or later, ensure that iManager is upgraded to 3.x. NetIQ recommends that you clear the browser cache soon after upgrading the Identity Manager plug-ins. |
| NetIQ iManager 3.0.3 at a minimum | You must install iManager 3.x to support eDirectory 9.0.1 or later. Ensure that you update your existing plug-ins to the latest versions for the iManager version you are using. |
| NetIQ Self Service Password Reset 4.1.0.0, at a minimum | |
| NetIQ One SSO Provider 6.1.3, at a minimum | |

For more information about the software requirements, see “Selecting an Operating System Platform for Identity Manager” in the NetIQ Identity Manager Setup Guide.

3.0 Upgrading to this Service Pack

Review the supported upgrade paths and the order of installation before starting to upgrade your current version.

3.1 Supported Upgraded Paths

You need to be on Identity Manager 4.6 to upgrade to Identity Manager 4.6.1. If you are currently on Identity Manager 4.5.6 or a prior version, you must first upgrade to 4.6 and then upgrade to 4.6.1 version.

The upgrade process requires you to upgrade the Identity Manager components in a specific order. NetIQ recommends that you review this information from the release notes for your current version.

| Base Version | Upgraded Version |
|---|---|
| Identity Manager engine, eDirectory, and identity applications | |
| Identity Manager 4.6 with eDirectory 9.0.2 or later | Identity Manager 4.6.1 with eDirectory 9.0.2 or later |
| Identity Manager 4.6 with eDirectory 8.8.8 SP10 | Identity Manager 4.6.1 with eDirectory 8.8.8 SP10; Identity Manager 4.6.1 with eDirectory 9.0.2 or later |
| Identity Manager 4.6 with eDirectory 8.8.8 SP9 | Identity Manager 4.6.1 with eDirectory 9.0.2 or later |
| Identity Manager 4.6 with eDirectory 8.8.8 SP9 | Identity Manager 4.6.1 with eDirectory 9.0.3 (apply HF1) |
| Identity Manager 4.6 with eDirectory 8.8.8 SP9 | Identity Manager 4.6.1 with eDirectory 8.8.8 SP10 (apply HF1) |
| Remote Loader | |
| Identity Manager 4.6 with Remote Loader 4.6 | Identity Manager 4.6.1 with Remote Loader 4.6.1 |
| Identity Manager Designer | |
| Designer 4.6 | Designer 4.6.1 |
| Designer (LDAP) 4.6 | Designer (LDAP) 4.6.1 |

3.2 Upgrade Order

You must install the components in the following order, depending on your current version:

  1. Identity Manager Engine

  2. Sentinel Log Management for IGA

  3. Remote Loader

  4. Designer

    NOTE: You can directly upgrade from both versions of Designer 4.6.

    You can perform an auto-update or download the updates from the Designer Auto-Update Site. For more information about updating Designer, see Section 3.7, Updating Designer.

  5. Java 1.8.0_131

  6. Apache Tomcat 8.5.16

  7. PostgreSQL 9.4.12 (SLES 11 SP4 only) or PostgreSQL 9.6.3 (other supported operating systems)

  8. Identity Applications (for Advanced Edition)

  9. Roles and Resource Service Driver 4.6.0.1 or later

  10. User Application Driver 4.6.0.1 or later

  11. Identity Reporting

  12. One SSO Provider 6.1.3 or later

  13. Self Service Password Reset

Before beginning the installation, review the following considerations to help you plan the installation:

  • This service pack includes the Identity Applications Update utility. This utility automatically updates your currently installed identity applications, Tomcat, and Java version. If you are not using the update utility, you need to manually update each of these components. For more information, see Section 3.6, Updating the Identity Applications.

  • This service pack updates the Java version to 1.8.0_131 for the Identity Manager engine. You need to manually update your current Java version for Identity Reporting, Designer, and Analyzer. For more information, see Section 3.3, Installing Java 1.8 Update 131.

  • For Identity Manager Standard Edition, update Java 1.8 Update 131 before installing Identity Reporting.

3.3 Installing Java 1.8 Update 131

This service pack provides support for Java version 1.8.0_131 for Identity Manager components.

Installing Java 1.8 Update 131 on the Identity Manager Servers

This service pack certifies Java 1.8.0_131 (JDK 8u131 or JRE 8u131) for use with the Identity Manager engine and Identity Applications. The later versions of Java 1.8 are also supported. To install Java 1.8 Update 131, see the readme files from the following download pages:

Updating Java 1.8 Update 131 for Designer

This service pack updates Designer to support Java 1.8 Update 131.

  1. On the server where you installed Designer, download and install the Java 8 Update 131 files in a local directory.

  2. Open the Designer.ini file located in the Designer installation directory.

  3. Update the Java path in the Designer.ini file.

Updating Java 1.8 Update 131 for Analyzer

This service pack updates Analyzer to support Java 1.8 (32-bit).

  1. On the server where you installed Analyzer, create a directory for Java 1.8.

    For example, opt/netiq/jdk1.8.0_131.

  2. Download and install the Java 1.8 files in this directory.

  3. Open the Analyzer.ini file located in the Analyzer installation directory.

  4. Update the Java path in the Analyzer.ini file.

  5. Replace the existing (jre) folder with the Java 1.8 folder in the installation directory.

3.4 Updating the Identity Manager Engine

This service pack includes an IDM_engine_rl_IDM4.6.1.zip file for updating the Identity Manager engine. Install this package on the Identity Manager engine server. For more information, see “Hotfixing the Identity Manager Engine and Remote Loader” in the NetIQ Identity Manager Setup Guide.

3.5 Updating Sentinel Log Management for IGA

This service pack includes a SentinelLogManagementForIGA8.1.tar.gz file for updating the Sentinel Log Management for Identity Governance and Administration (IGA) component. Download this package on the server where Sentinel Log Management for IGA is installed and perform the steps listed in the readme file.

3.6 Updating the Identity Applications

This service pack includes an update to Identity Applications and the following supporting software:

  • Identity Applications 4.6

  • Apache Tomcat 8.5.16

  • Java 1.8 Update 131

You can install the service pack by using the Identity Applications update utility or manually update the components. All the updates are available in the IDM46-Apps-SP-1.zip file. Download the file to the server where you deployed the identity applications and perform the steps listed in the readme files. After installing the service pack, perform the following actions:

Updating PostgreSQL Database

This service pack requires you to update your existing PostgreSQL database version. For example, if you are running the PostgreSQL database on a SLES 11 SP4 server, upgrade the database to 9.4.12 version. For other supported platforms, upgrade the PostgreSQL database to 9.6.3 version. To update the database, perform the steps listed in the readme file from the download page.

Updating the Keystore Path in the Configuration Update Utility

To update the path of the keystore in the Configuration Update utility, perform the steps listed in the readme file from the download page.

Configuring Identity Manager Dashboard for Integrating with NetIQ Identity Governance

To ensure a proper integration between Identity Manager Dashboard and Identity Governance, perform the steps listed in the readme file from the download page.

Post Upgrade Steps for Identity Applications

(Conditional) This applies only when you perform a silent update of Identity Applications and the NETIQ_DATABASE_CONFIG_ADMIN user differs from the NETIQ_DATABASE_ADMIN user (for example, idmadmin and postgres). In this case, the schema may not update correctly. If the schema is not updated, run the liquibase command with the NETIQ_DATABASE_CONFIG_ADMIN credentials.

The command can be found in the following files:

Linux: /opt/netiq/idm/apps/UserApplication/NetIQ-Custom-Install.log

Windows: C:\netiq\idm\apps\UserApplication\NetIQ-Custom-Install

Ensure that you modify the parameters as per your need.

For example:

Linux: /opt/netiq/idm/apps/jre/bin/java -Xms256m -Xmx256m -Dlog4j.configuration=file:///opt/netiq/idm/apps/tomcat/conf/userapp-log4j.xml -Dwar.context.name=IDMProv -Ddriver.dn="cn=UserApplication,cn=Driver Set,o=system" -Duser.container="o=data" -jar /opt/netiq/idm/apps/UserApplication/liquibase.jar --databaseClass=liquibase.database.core.PostgresDatabase --driver=org.postgresql.Driver --classpath=/opt/netiq/idm/apps/postgres/postgresql-9.4.1212.jdbc42.jar:/opt/netiq/idm/apps/tomcat/webapps/IDMProv.war --changeLogFile=DatabaseChangeLog.xml --url="jdbc:postgresql://localhost:5432/idmuserappdb?compatible=true" --contexts="prov,newdb,updatedb" --logLevel=info --username=******** --password=******** update >> /opt/netiq/idm/apps/UserApplication/db.out

Windows: "C:\netiq\idm\apps\jre\bin\java" -Xms256m -Xmx256m -Dlog4j.configuration=file:C:\netiq\idm\apps\tomcat\conf\userapp-log4j.xml -Dwar.context.name=IDMProv -Ddriver.dn="cn=UserApplication,cn=driverset1,o=system" -Duser.container="o=data" -jar "C:\netiq\idm\apps\UserApplication\liquibase.jar" --databaseClass=liquibase.database.core.PostgresDatabase --driver=org.postgresql.Driver --classpath="C:\netiq\idm\apps\postgres\postgresql-9.4.1212.jdbc42.jar;C:\netiq\idm\apps\tomcat\webapps\IDMProv.war" --changeLogFile=DatabaseChangeLog.xml --url="jdbc:postgresql://localhost:5432/idmuserappdb?compatible=true" --contexts="prov,newdb,updatedb" --logLevel=info --username=******** --password=******** update >> C:\netiq\idm\apps\UserApplication\db.out

3.7 Updating Designer

This service pack provides an update to Designer 4.6 and Designer 4.6 (LDAP). Download the Designer 4.6.1 updates from one of the following links for your version of Designer.

Designer provides a built-in auto-update feature that notifies you of new features available at the Designer Download Site. This feature allows you to download Designer package and patch updates when the computer that has Designer installed is connected to the Internet.

You can also perform an offline update of Designer when the computer that has Designer installed is not connected to the Internet. To perform an offline update, first download the required content from the Designer and Package Update Web sites on a local or remote computer and then point Designer to the directory containing the downloaded files.

Online Update using the Auto Update Feature

  1. Launch Designer.

  2. From Designer’s main menu, click Help > Check for Designer Updates.

  3. Click Yes to accept the Designer updates.

  4. Restart Designer for the changes to take effect.

Updating Designer in an Offline Mode

To update Designer in an offline mode, create an offline copy of the Designer update files and then configure Designer to read the patch updates from the files copied to the local directory.

To create an offline copy of the Designer update files:

  1. Log in to the computer that has Designer installed and create a local directory.

  2. Download the latest patch zip file for Designer version from the specified location and unzip the files into the local directory.

To configure Designer to read the patch updates from the local directory:

  1. Launch Designer.

  2. From Designer’s main menu, click Window > Preferences.

  3. Click NetIQ > Identity Manager and select Updates.

  4. Select Do not check for updates and deselect all the other check boxes.

  5. For URL, specify file:///media/<path_to_update>/updatesite1_0_0/

    For a Linux mounted ISO, use the following URL format:

    file:///media/designer450offline/updatesite1_0_0/

  6. Click Apply, then click OK.

  7. From Designer’s main menu, click Help > Check for Designer Updates.

  8. Select the required updates and click Yes to accept and update the Designer.

  9. Restart Designer for the changes to take effect.

3.8 Updating Self Service Password Reset

This service pack provides support for NetIQ Self Service Password Reset 4.1.0.4. The minimum supported version for SSPR is 4.1.0.0. To update to SSPR 4.1.0.4, download the package and perform the steps listed in the readme file from the download page.

3.9 Enabling TLS/SSL Connections for User Application

To enable SSL connections, perform the steps listed in the readme file from the download page.

4.0 Known Issues

NetIQ strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

4.1 Identity Manager Engine Upgrade Fails If the Downloaded or Extracted Folder Name Contains a Space or a Special Character

Issue: On Windows, if you downloaded or extracted the contents of the Identity Manager Engine service pack to a directory whose name contains a space or a special character, the upgrade fails. (Bug 1045261)

Workaround: Rename the directory to remove spaces or special characters.

4.2 Remote Loader Upgrade Fails on Windows If Remote Loader 4.6 Installation Folder Is Empty

Issue: The upgrade fails if Remote Loader 4.6 installation folder does not contain the required Remote Loader files. This issue has been observed on both 32-bit and 64-bit Remote Loaders on Windows. (Bug 1046285)

Workaround: Perform the following actions:

  1. Reinstall Remote Loader 4.6. (Select only the Remote Loader option during the installation.)

  2. Verify that the installation folder contains the required Remote Loader files.

  3. Upgrade to Remote Loader 4.6.1.

4.3 Upgrading iManager Plug-Ins for Identity Manager 4.5.6 to Version 4.6.1

Plug-ins shipped with both Identity Manager versions provide the same functionality. So, iManager considers them as similar and does not allow you to upgrade. (Bug 1039891)

4.4 Designer Fails to Update If the Locale is Set to Dutch

Issue: Designer fails to update on a Windows server when the locale is set to Dutch. (Bug 1026157)

Workaround: Perform the following actions:

  1. Switch Designer to English language for installing the Designer updates.

  2. Update Designer.

  3. Change the locale to Dutch.

4.5 Manually Pointing to a Custom Keystore

If you are using a custom keystore other than cacerts, you must import the certificate to /opt/netiq/idm/apps/jre/lib/security. (Bug 1046653)

For example, if your custom keystore file, edirectory.cacerts, is placed in the default jre/lib/security path, perform the following steps to import the certificate:

  1. Apply the Identity Applications service pack.

    Do not start Tomcat immediately after this step.

  2. Import the backed-up file (edirectory.cacerts) from /opt/netiq/idm/apps/Identity_Apps_4.6.1.0_Installation Directory/backup/jre/lib/security directory to the new Java path (/opt/netiq/idm/jre/lib/security).

  3. Start the Tomcat service.

4.6 Unresponsive Script and Browser Hang Issue While Launching idmappsdoc on Firefox

Issue: This issue is reported only on Mozilla Firefox browser. The idmappsdoc page is properly loaded on Google Chrome and Microsoft Internet Explorer browsers. (Bug 1046379)

Workaround: Click Continue multiple times until the page loads.

4.7 Manually Disabling the Non-Secure Protocol Setting for New Dashboard on Firefox

Issue: This issue is reported only on Mozilla Firefox browser. (Bug 1046994)

Workaround: Perform the following actions:

  1. Stop the Tomcat service.

  2. Go to Tomcat-install-directory/conf. For example, /opt/netiq/idm/apps/tomcat/conf.

  3. Open the server.xml file in a text editor and locate the following entry in the http section:

    <Connector connectionTimeout="20000" port="8180" protocol="HTTP/1.1" redirectPort="8543"/>

  4. Comment out the entry.

  5. Save and close the file.

  6. Restart the Tomcat service.
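
The following check is an added example, not part of the NetIQ readme or product: it parses server.xml and lists any Connector that still serves plain HTTP, so you can confirm that the entry from step 3 is really commented out. The sample server.xml text and the attributes of the TLS connector on port 8543 are constructed for illustration.

```python
"""List Tomcat connectors in server.xml that still accept plain HTTP."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the non-secure connector from step 3 is still active.
SAMPLE_BEFORE = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector connectionTimeout="20000" port="8180" protocol="HTTP/1.1" redirectPort="8543"/>
    <Connector port="8543" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""

# Constructed sample: the same file after step 4 (entry commented out).
SAMPLE_AFTER = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector connectionTimeout="20000" port="8180" protocol="HTTP/1.1" redirectPort="8543"/> -->
    <Connector port="8543" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""


def classify_connectors(server_xml):
    """Return [(port, kind)] for every active Connector element.

    kind is "ajp", "tls" or "plain-http". Commented-out connectors are
    dropped by the XML parser, so they never appear in the result.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        if protocol.upper().startswith("AJP") or ".ajp." in protocol.lower():
            kind = "ajp"
        elif conn.get("SSLEnabled", "false").strip().lower() == "true":
            kind = "tls"
        else:
            kind = "plain-http"
        findings.append((conn.get("port", ""), kind))
    return findings


def plaintext_ports(server_xml):
    """Return the ports of connectors that serve HTTP without TLS."""
    return [port for port, kind in classify_connectors(server_xml)
            if kind == "plain-http"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass the path to Tomcat-install-directory/conf/server.xml.
        with open(sys.argv[1], "rb") as handle:
            ports = plaintext_ports(handle.read())
    else:
        ports = plaintext_ports(SAMPLE_BEFORE)
    for port in ports:
        print("plain HTTP connector still active on port " + port)
    sys.exit(1 if ports else 0)
```
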

4.8 Accessing a Keystore Certificate With Serial Number Containing a Leading Zero

Issue: If a certificate in the keystore contains a leading zero in the certificate serial number, the JDK version used by the update utility (JDK 1.8.0_131) does not open and access that certificate and reports an exception in the catalina.out file. This is because Oracle introduced a stricter certificate retrieval mechanism starting with JDK 1.8.0_121, which does not allow reading certificates whose serial numbers have leading zeroes. (Bug 1046654)

Workaround: Identify the affected certificates and regenerate them in the keystore after upgrading the JRE.

For example, if the eDirectory server certificate contains a leading zero, perform the following actions to make the certificate accessible to the JRE.

  1. Stop the Tomcat service.

  2. Export the certificate in .der or .pem format.

    Go to iManager > NetIQ Certificate Access > Server Certificates and export SSL Certificate DNS in .der format.

    Alternatively, run the following command in a terminal window:

    # echo -n | openssl s_client -connect x.x.x.x_ldap_server:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /opt/certs/eDir/cert.pem
  3. Import the exported certificate file into the new JRE keystore by running the following command (substitute cert.pem for cert.der if you exported the certificate in .pem format):

    # ./keytool -import -trustcacerts -file /opt/certs/eDir/cert.der -alias edir_cert -keystore /opt/netiq/idm/apps/jre/lib/security/cacerts
  4. (Conditional) Import the root (self-signed eDirectory certificates) and mycerts (required for SSL Tomcat connections) certificates into the new JRE keystore by running the following commands:

    # /opt/netiq/idm/apps/jre/bin/keytool -import -trustcacerts -alias root -keystore /opt/netiq/idm/apps/jre/lib/security/cacerts -file /opt/certs/cert.der
    # /opt/netiq/idm/apps/jre/bin/keytool -import -alias mycerts -keystore /opt/netiq/idm/apps/jre/lib/security/cacerts -file /opt/certs/chap8.der
  5. Start the Tomcat service.
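
To identify affected certificates before regenerating them, the following added example (not part of the NetIQ documentation or product) reads a certificate exported in .der or .pem format and reports whether its serialNumber field carries a redundant leading zero octet. It assumes that the "leading zero" described above is a leading 0x00 octet that DER does not require; the sample input is a constructed skeleton, not a full certificate.

```python
import base64
import re

def load_der(data):
    """Accept DER bytes or PEM text (either export format) and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits count length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def serial_octets(cert):
    """Raw content octets of TBSCertificate.serialNumber."""
    der = load_der(cert)
    _, pos, _ = read_tlv(der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)    # TBSCertificate SEQUENCE
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                   # optional [0] version wrapper
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end]

def has_redundant_leading_zero(serial):
    # DER permits a leading 0x00 only when the next octet has its high bit set.
    return len(serial) > 1 and serial[0] == 0 and serial[1] < 0x80

# Constructed skeleton (assumption: just enough structure to reach the serial).
def tlv(tag, content):
    return bytes([tag, len(content)]) + content

def sample_cert(serial):
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial)
    return tlv(0x30, tlv(0x30, tbs))

def sample_pem(serial):
    body = base64.encodebytes(sample_cert(serial))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for s in (b"\x00\x12\x34", b"\x00\x9a\x01", b"\x12\x34"):
        print(s.hex(), has_redundant_leading_zero(serial_octets(sample_cert(s))))
```

A serial such as 00 9a 01 is not flagged, because that zero octet is required to keep the value positive.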

4.9 Role and Resource Service Driver Does Not Support Recalculation of Roles, Resources, and DirXML-EntitlementRef Attribute for a User

Issue: If you resynchronize a user in the Role and Resource Service driver, the driver checks the user attributes in the filter and synchronizes them, but it does not recalculate the roles and resources assigned to the user. (Bug 1093450)

Workaround: There is no workaround at this time.

4.10 Zero File Size Shown for Archived Logs From catalina.out File Despite Log RollOver

Issue: The archived file size shows zero file size. (Bug 1045670)

Workaround: Perform the following actions:

  1. Stop the Tomcat service. For example, run the following command:

    /etc/init.d/idmapps_tomcat_init stop
  2. Navigate to the Tomcat/conf directory. For example, /opt/netiq/idm/apps/tomcat/conf.

  3. Modify the userapp-log4j.xml file in a text editor.

    1. Add the following entries for log appenders after the Catalina Appender section.

          <!-- catalina.out logrollover -->
          <appender name="CATALINALOG"  class="org.apache.log4j.DailyRollingFileAppender">
              <param name="Append" value="true"/>
              <param name="DatePattern" value="'.'yyyy-MM-dd'.log'"/>
              <param name="Encoding" value="UTF-8"/>
              <param name="File" value="${catalina.base}/logs/catalina.out"/>
              <param name="Threshold" value="ALL"/>
              <layout class="org.apache.log4j.PatternLayout">
                  <param name="ConversionPattern" value="%d [%p] %c{1} %m%n"/>
              </layout>
          </appender>
    2. Add the <appender-ref ref="CATALINALOG"/> entry under the <root> section, before the closing </log4j:configuration> tag.

      The section should look similar to this:

          <!-- ======================= -->
          <!-- Setup the Root category -->
          <!-- ======================= -->
          <root>
              <level value="INFO"/>
              <appender-ref ref="CONSOLE"/>
              <appender-ref ref="IDAPPS"/>
              <appender-ref ref="CATALINALOG"/>
          </root>
  4. Start the Tomcat service.

For the list of the known issues in Identity Manager 4.6, see the Release Notes on the Identity Manager Documentation page.

4.11 Update to Designer 4.6.1 Fails on Linux Platforms

Issue: On an unsuccessful update, Designer reports an exception in the Designer error log.

Workaround: Perform the following actions:

  1. Download the XULRunner and extract it to /usr/lib/xulrunner-24.0.

  2. Add the following line at the end of the Designer.ini file:

    -Dorg.eclipse.swt.browser.XULRunnerPath=/usr/lib/xulrunner-24.0/

  3. Restart Designer for the changes to take effect.

4.12 Incorrect Schema Comparison After Converting Designer Projects 4.5.x or Before

Issue: Identity Manager does not support a direct conversion of non-compatible Designer projects (such as Designer 4.5.x or before) to Designer (LDAP) 4.6 or later. (Bug 1078772)

Workaround: There is no workaround at this time.

4.13 catalina.out File Does Not Rotate the Log

Issue: If you installed Identity Applications on Linux or Windows, the catalina.out file does not rotate the log.

Workaround on Linux: Perform the following actions:

  1. Open a text editor and create a netiq-tomcat file at /etc/logrotate.d/ with the following entries:

    /opt/netiq/idm/apps/tomcat/logs/catalina.out {
            copytruncate
            daily
            dateext
            dateformat -%Y-%m-%d
            rotate 25
            notifempty
            missingok
            compress
            su novlua novlua
    }
  2. Verify that logrotate is scheduled to run at midnight.

  3. Verify that novlua user and novlua group permissions are set for the catalina.out file.

  4. Verify that the log is correctly rotated.

    Run the following command:

    /usr/sbin/logrotate -d /etc/logrotate.d/netiq-tomcat

    You should see messages similar to the following on the screen:

    reading config file /etc/logrotate.d/netiq-tomcat
    Handling 1 logs
    rotating pattern: /opt/netiq/idm/apps/tomcat/logs/catalina.out after 1 days (25 rotations)
    empty log files are not rotated, old logs are removed
    switching euid to 485 and egid to 0
    considering log /opt/netiq/idm/apps/tomcat/logs/catalina.out
    log does not need rotating
    switching euid to 0 and egid to 0

Workaround on Windows: There is no workaround at this time.

4.14 Filter Resource Changes Are Not Automatically Applied to the Package

Issue: If a driver contains a package that includes a filter resource, any changes made to the filter resource are not reflected in the driver filter. For example, when a new class or an attribute is added to the filter, the changes are not merged with the driver filter.

Workaround: Manually synchronize the changes with the package.

  1. In the Outline view, right-click the filter resource and select Sync to Package.

  2. Select the package where you want to add the filter resource and click OK.

5.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

6.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2017 NetIQ Corporation, a Micro Focus company. All Rights Reserved.