The following table lists the issues you might encounter and the suggested actions for working on these issues. If the problem persists, contact your NetIQ representative.
Issue |
Suggested Actions |
---|---|
Identity Manager authorizes and securely communicates with its components using digital certificates. The Identity Vault certificates must be imported into the idm.jks and tomcat.ks keystore files. However, when attempting to access Identity Applications after importing the certificates, you might hit the following error: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not determine revocation status. The certificates are validated by checking the Certificate Revocation Lists (CRLs) specified by the CRL Distribution Point (CDP) field to determine whether the certificate has been revoked or not. The CRLDPs are available in both the root certificate and the intermediate certificates present in the keystore files tomcat.ks and idm.jks. Certificate revocation checking, however, is disabled by default. As a result, the PKIX trust manager is unable to determine the revocation status of the certificates. |
To fix this issue, enable CRL distribution point checking by setting the -Dcom.sun.security.enableCRLDP property to true. To set the property, perform the following actions:
|
After upgrading Identity Manager, logging in to Identity Manager Dashboard is extremely slow for non-admin users. There is a significant delay in loading the Applications and the Dashboard pages. This issue occurs due to the nested group search, which is enabled by default. The application will look for the permissions inherited by the logged-in user via the nested group membership, regardless of whether there are any nested groups in the environment. |
(Conditional) The following steps apply to Identity Manager 4.8.5 and later.
|
After upgrading Identity Applications to 4.8 version from a prior version, the Form Renderer does not work as expected. This issue is observed when the default IDMProv deployment context is modified to a custom context. |
To work around this issue, perform the following steps:
|
After you upgrade Identity Manager in a distributed environment to 4.8.1 version, login to the Identity Applications fails. The following error message is displayed: Your login process did not complete successfully. Logging to the Identity Applications requires trust anchor certificates for establishing a secure connection between the Identity Applications and the OSP. A trust anchor certificate must include the Basic Constraints extension with the Subject Type set to CA. Identity Manager makes use of the property jdk.security.allowNonCaAnchor to validate the trust anchors in the certificate. By default, this property is set to false. Therefore, when the trust anchors are not found in the certificates, the connection between Identity Applications and OSP cannot be established and the login fails. You will notice the following exception in the idm-osp.log file: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=***, L=***, O=***" is not a CA certificate |
To resolve this issue, you must satisfy either of the following conditions:
|
After upgrading to Identity Applications 4.8.1 version, you are not able to open forms while requesting for permissions in the Identity Applications Dashboard. |
To resolve this issue, manually restart the NGNIX and Golang services using the following commands:
The Identity Applications uses the NGNIX service for rendering forms in the Identity Applications Dashboard. |
After you upgrade Identity Reporting in a standard edition, the is_prov parameter in the configupdate.sh.properties is set to true. Since Identity Applications is not available in a standard edition, the value of this parameter must be set to false. |
Manually set the is_prov parameter to false in the configupdate.sh.properties file. |
Unable to re-run the Identity Manager engine installer if the prior upgrade of Identity Manager Engine fails. For example, if the 4.8 upgrade for Identity Manager Engine fails on the first attempt and you try upgrading Identity Manager Engine again, the upgrade process cannot be triggered. |
Perform the following steps:
|
After you upgrade Identity Manager, the following property is added to the ism-configuration.properties file: com.netiq.idm.osp.ldap.admin-dn = cn=admin,ou=sa,o=system |
Comment out the property in the ism-configuration.properties file and restart Tomcat. It does not cause any functionality loss. |
After you upgrade Identity Manager, the following SSPR property is added to the ism-configuration.properties file, even if you do not have SSPR in your deployment: com.netiq.sspr.redirect.url = https://___SSPR_IP___:___SSPR_TOMCAT_HTTPS_PORT___/sspr/public/oauth |
Comment out the property in the ism-configuration.properties file and restart Tomcat. It does not cause any functionality loss. |
After you upgrade Identity Manager, the ism-configuration.properties file populates some duplicate values of java.protocol.handler.pkgs property. |
There is no loss of functionality. To resolve this issue, perform the following actions:
|
Unable to start Tomcat after Identity Manager upgrade. You will notice few exceptions in tomcat logs and a communication failure between the workflow engine and the Identity Vault. |
|