This document contains the known issues for Novell Identity Manager 4.0.1.
The latest version of this Readme is available at the Novell Identity Manager documentation Web site.
This Readme contains the known issues for Identity Manager 4.0.1. In addition to this Readme, separate Readmes are available for Designer 4.0.1 and Analyzer 4.0.1:
Additional documentation resources are also available for the following products:
The following sections provide information on known issues at the time of the product release.
You might encounter the following issues during the installation of the Identity Manager framework installer:
For a successful installation, manually install the 32-bit NOVLaudpa.pkg package for Remote Loader on Solaris.
The installation is successful for a 64-bit Remote Loader.
IMPORTANT: This issue occurs only with the Identity_Manager_4.0.1a_Linux_Advanced.iso or the Identity_Manager_4.0.1a_Linux_Standard.iso files.
To install the Remote Loader through the framework installer, select either a 32-bit Remote Loader or a 64-bit Remote Loader in one installation instance, then run the installation separately for each of them. The installation fails if you select both Remote Loaders in one installation instance. Only one Remote Loader can be installed at a time.
Also, port 8000 must be free to ensure a successful Identity Manager installation.
Ensure that the specified path doesn’t contain any spaces.
You cannot install the Linux/UNIX Bidirectional driver in a Solaris zone that contains a read-only /usr partition. If you select the driver for installation, the Identity Manager 4.0.1 framework installer reports an error.
During the Identity Manager installation, if you return to the Installation Location page from the subsequent page, the
button does not work as expected.
After Identity Manager 4.0.1 is installed on your Windows machine, if you click the
link under the Identity Manager entry in the list, it displays Identity Manager 4.0. To find the correct Identity Manager version that has been deployed on your machine, run the DxCMD command.
You might encounter the following issues when you use the Identity Manager integrated installer:
The primary server might stop working just before you start the Metadirectory server configuration after the Identity Vault configuration is completed.
If the primary server stops working, follow these steps to resume the configuration from the current state:
Start Identity Vault on the primary server.
On the Linux machine, create the /root/idm/Uninstall_Identity_Manager/idmconfigure_state.conf file. The idmconfigure_state.conf file should contain only the value false.
Make sure that the IA_RESULT_IDM_FRAMEWORK_CONFIGURED entry in the /etc/opt/novell/idm/install/state/conf/install_state.conf file is not set to true.
Rerun the configuration.
If you are installing Identity Manager through the integrated installer on the 64-bit SLES 11 platform, make sure that the libgthread-2_0-0-32bit-2.17.2+2.17.3+20080708+r7171-3.1.x86_64.rpm compat library is installed before starting the Identity Manager installation.
You cannot use UNC paths for installation and configuration when you use the Identity Manager 4.0.1 integrated installer (for example, \\myserver\share\Identity_Manager_4.0.1_Windows_Enterprise).
To work around this issue, create an actual mapped drive.
The Identity Manager installation might fail with an error message if you are installing from a remote desktop. Because the remote desktop connection is delayed in comparison to the actual/physical access, the install process fails to acquire the local referrals, resulting in a failed installation.
To work around this issue, install Identity Manager on an actual/physical connection of the server or by using a VNC connection.
The integrated installer does not perform a health check before the secondary server addition.
You must run ndscheck if you are adding a secondary server through the integrated installer. On Windows, run ndscheck from the <install location>\NDS directory. On Linux/Solaris, run /opt/novell/eDirectory/bin/ndscheck. Specify the mandatory parameters and run the command as follows:
ndscheck [-h <hostname:port>] [-a <admin FDN>] [-w <password>]
NOTE: Running ndscheck on Windows causes eMbox warnings to display on the screen. Do not treat these warnings as a health check failure; it is safe to ignore them.
The integrated installer does not let you change the default port for the SMTP server in the following scenarios:
If the SMTP server is running on the system where you are configuring the Identity Reporting Module.
If the port specified for the SMTP server is already in use by other processes in the local system.
In both scenarios, do not change the default port value. As a workaround, after a successful configuration, run the following steps:
Linux:
Change the <entry key="com.novell.idm.rpt.core.smtp.port" value="465"/> key value in the /etc/.java/.systemPrefs/_!%4!bw"2!'`!b!"s!#!!]@"u!':!.g==/IDM/Reporting/_!$@!.g!w/Core/prefs.xml file.
NOTE: The path to the Reporting preferences might contain base64-encoded directory names. Ensure that the Reporting and Core directories appear in the path.
Restart the JBoss server.
Windows:
Change the "com.novell.idm.rpt.core.smtp.port"="465" registry value at HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs\/Novell/Inc.\/I/D/M\/Reporting\4.0\/Core.
Restart the JBoss server.
The SMTP user e-mail prompt does not accept a user name. It accepts only an e-mail address format.
Leave the default setting as is. After a successful configuration, run the following steps for the SMTP user e-mail prompt to accept the user name:
Linux:
Change the <entry key="com.novell.idm.rpt.core.smtp.user" value="newsmtpusername"/> key value in /etc/.java/.systemPrefs/_!%4!bw"2!'`!b!"s!#!!]@"u!':!.g==/IDM/Reporting/_!$@!.g!w/Core/prefs.xml file.
NOTE: The path to the Reporting preferences might contain base64-encoded directory names. Ensure that the Reporting and Core directories appear in the path.
Restart the JBoss server.
Windows:
Change the "com.novell.idm.rpt.core.smtp.user"="newsmtpusername" registry value at HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs\/Novell/Inc.\/I/D/M\/Reporting\4.0\/Core.
Restart the JBoss server.
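The two Linux workarounds above (changing the SMTP port entry and the SMTP user entry in the Reporting/Core prefs.xml) edit the same Java Preferences file by hand. The following Python script is an added example, not part of the Identity Manager product: it locates the prefs.xml by globbing the fixed path components (IDM, Reporting, Core) instead of typing the encoded directory names, changes only an entry that already exists, validates the port, and keeps a .bak copy. The sample prefs.xml content is constructed; the key names are the ones given in this readme, and the function names are mine. JBoss still has to be restarted afterwards.

```python
"""Change an entry in the Identity Reporting Module's Java Preferences file.

Added example, not part of Identity Manager. Assumes the Linux system-prefs
layout named in the readme and the standard Java Preferences XML map format.
"""
import glob
import os
import shutil
import xml.etree.ElementTree as ET

SMTP_PORT_KEY = "com.novell.idm.rpt.core.smtp.port"   # keys named in the readme
SMTP_USER_KEY = "com.novell.idm.rpt.core.smtp.user"
SYSTEM_PREFS_ROOT = "/etc/.java/.systemPrefs"         # Java system preferences root on Linux

# A Java Preferences file starts with this declaration and DOCTYPE; ElementTree
# drops both when serializing, so they are re-added on output.
PREFS_HEADER = ('<?xml version="1.0" encoding="UTF-8"?>\n'
                '<!DOCTYPE map SYSTEM "http://java.sun.com/dtd/preferences.dtd">\n')

# Constructed sample of a Reporting/Core prefs.xml (the values are made up).
SAMPLE_PREFS = PREFS_HEADER + (
    '<map MAP_XML_VERSION="1.0">\n'
    f'  <entry key="{SMTP_PORT_KEY}" value="465"/>\n'
    f'  <entry key="{SMTP_USER_KEY}" value="reports@example.com"/>\n'
    '</map>\n'
)


def find_reporting_core_prefs(root=SYSTEM_PREFS_ROOT):
    """Return the Reporting/Core prefs.xml path(s). Only the fixed path parts are
    matched, so the encoded directory names never have to be typed or guessed."""
    pattern = os.path.join(root, "*", "IDM", "Reporting", "*", "Core", "prefs.xml")
    return sorted(glob.glob(pattern))


def get_pref_entry(xml_text, key):
    """Return the value of <entry key=... value=...> for key, or None if absent."""
    root = ET.fromstring(xml_text)
    for entry in root.findall("entry"):
        if entry.get("key") == key:
            return entry.get("value")
    return None


def set_pref_entry(xml_text, key, new_value):
    """Return xml_text with the entry for key set to new_value.

    Refuses to create a missing key: the installer wrote the key, so a typo in
    `key` would otherwise add a second entry that the reporting module ignores.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not a Java Preferences map document")
    matches = [e for e in root.findall("entry") if e.get("key") == key]
    if len(matches) != 1:
        raise KeyError(f"expected exactly one entry for {key!r}, found {len(matches)}")
    matches[0].set("value", new_value)
    return PREFS_HEADER + ET.tostring(root, encoding="unicode") + "\n"


def set_smtp_port(xml_text, port):
    """Set the SMTP port entry after checking it is a valid TCP port number."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid TCP port: {port}")
    return set_pref_entry(xml_text, SMTP_PORT_KEY, str(port))


def update_prefs_file(path, key, new_value):
    """Apply set_pref_entry to a file, keeping a .bak copy of the original."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = set_pref_entry(original, key, new_value)
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return updated


if __name__ == "__main__":
    # Dry run against the constructed sample. Real use passes a path returned by
    # find_reporting_core_prefs() to update_prefs_file(), then restarts JBoss.
    changed = set_smtp_port(SAMPLE_PREFS, 2525)
    changed = set_pref_entry(changed, SMTP_USER_KEY, "newsmtpusername")
    print(changed)
```

On Windows the same keys live under the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs registry path given above, so only the file-handling part of the script applies there.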
During the Identity Manager configuration, the integrated installer adds the SAML method, but does not extend the authsaml.sch schema. You must manually extend the NMAS schema if you are using the SAML method.
Run the following steps to extend the NMAS schema:
Unzip the nmassaml.zip file from the <iso>\products\RBPM\SAML location to a temporary directory.
Extend the schema with the authsaml.sch file from the <temp directory>\saml\authsaml.sch location by using iManager, ndssch, or the Novell ICE utility.
For more information on extending eDirectory schema, see Extending the Schema.
Restart eDirectory.
This configuration is required if you use Identity Vault with SAML as a user store for Novell Access Manager.
Instead of
option, the prompt displays it as . For a successful configuration, you must specify the User Application container DN for this option.
An eDirectory crash is observed during eDirectory configuration. The following message is displayed:
DHost has stopped working.
To complete the configuration, click the
button.
IMPORTANT: This issue occurs only with the Identity_Manager_4.0.1a_Linux_Advanced.iso or the Identity_Manager_4.0.1a_Linux_Standard.iso files.
The integrated installer fails to install the Remote Loader.
You must install the Remote Loader through the framework installer. Select either a 32-bit Remote Loader or a 64-bit Remote Loader in one installation instance, then run the installation separately for each of them. The installation fails if you select both Remote Loaders in one installation instance. Only one Remote Loader can be installed at a time.
Also, port 8000 must be free to ensure a successful Identity Manager installation.
You might encounter the following issues as you use the Remote Loader:
On Windows Server 2008 Core, when you click
in the Remote Loader console, the corresponding help page is not displayed.
To work around this issue, install a browser (for example, Internet Explorer) on your machine and click
in the Remote Loader console.
If you choose to have both a 32-bit and a 64-bit Remote Loader on the same machine, the audit events are generated only with the 64-bit Remote Loader. Events are not logged to the lcache file with the 32-bit Remote Loader.
When 32-bit and 64-bit Remote Loaders are installed together, the events are logged to the 64-bit lcache and the 32-bit Remote Loader fails to log audit events. It displays the "Agent already running error" message.
However, if a 64-bit Remote Loader is installed before installing a 32-bit Remote Loader, the events are logged to the 32-bit lcache, which prevents 64-bit Remote Loader from logging events. The 32-bit and 64-bit lcaches don’t work on the same machine.
To work around this issue, don't install both 32-bit and 64-bit Remote Loaders on the same machine.
You might encounter the following issues as you use Identity Manager:
This issue is observed only on virtual machines.
To work around this issue:
Restart eDirectory.
Reduce the JVM minimum heap size if the failure repeats.
Restart eDirectory.
To enable or disable the telemetry job, connect iManager to the server where the job is configured to run.
If you enable or disable it from a different server than the server it is configured to run on, it might not be enabled/disabled. It might also continue to run even if it is disabled on the other server.
Go to
tab and manually change the default transmit location to https://secure-www.novell.com/center/comsvc-1.0/.
You might encounter the following issues as you use the Identity Manager drivers:
On Linux platforms, do not use the rpm -Uvh command to upgrade a Notes driver patch prior to version 3.5.8. This command displays a File already exists message and removes existing links. Instead, run the following steps to upgrade the driver to the latest version:
Remove the old RPM by using the following command:
rpm -ev novell-DXMLnotes-3.5.x
Add the new RPM by using the following command:
rpm -ivh novell-DXMLnotes.rpm
This issue has been reported only on MySQL. The upgrade operation fails when you upgrade the JDBC driver from a version earlier than 3.5.1 to version 3.5.1 or later.
The operation fails because of one of the following reasons:
The driver cannot use the mysql-connector-java-3.1.11-bin.jar driver classes to read the metadata of tables.
You cannot get the information from the state files because the serialVersionUID of the class JDBMKeyComparator has changed after the upgrade.
To work around this issue, use one of the following actions:
Upgrade the third-party driver class from mysql-connector-java-3.1.11-bin.jar to mysql-connector-java-5.1.6-bin.jar.
Delete the state files and restart the driver.
At times, you cannot select drop-down options when creating or configuring a driver. To work around this issue:
Click the drop-down menu and continue to hold the left mouse button until the desired option is highlighted.
Release the left mouse button to select the option.
If the Sentinel driver was not configured with an earlier version of Identity Manager and Identity Manager is then upgraded to 4.0.1, the installer might display a warning about the missing jssecacerts file when the Sentinel driver is upgraded. You might also see this warning when Identity Manager 4.0.1 is installed for the first time.
It is safe to ignore the warning.
To work around this issue:
In the Remote Loader advanced options, change the JVM minimum heap size to 8 and maximum heap size to 64.
You might encounter the following issues as you use the Identity Reporting Module:
If you use the loopback address 127.0.0.1 as the IP address for the Managed System Gateway driver when configuring with the integrated installer, that is valid and works correctly. However, when you use the endpoints, the loopback address (127.0.0.1) does not work. In this case, you need to specify the correct IP address in the
section of the Managed System Gateway driver.
The integrated installer displays the following error if the Identity Reporting Module and the Roles Based Provisioning Module are separately configured:
'Failed to load users/passwords/role files'
To work around this issue, either stop JBoss before installing the Identity Reporting Module or restart JBoss after installing the Identity Reporting Module.
When users assign roles, the request_date column in the idmrpt_idv_identity_trust table is not being populated with data. The defect number is 633206.
If you remove an attribute that was added to the Data Collection Service driver filter policy, the attribute is not removed from the extended attributes tables (idmrpt_ext_attr, which tracks the attributes) and no data is removed from the idmrpt_ext_item_attr table. The defect number is 633209.
On Firefox, when the
are set to show 1 week on the Calendar page, you do not see today’s schedule if you click the button. Instead, you see a day one week ahead of today. To see today’s schedule in the Calendar page, press the up-arrow to go back one week. This problem does not occur on Internet Explorer.
If the times of your machines are not synchronized when you install the Event Auditing Service (EAS), there may be problems with your configuration. You cannot install EAS on Windows; it must be installed on Linux. Therefore, the Linux server where EAS is installed must be time-synchronized with the machine where you are installing the rest of your components.
Under the following circumstances, the logevent.conf is overwritten without prompting during the installation of the reporting module:
There is already a logevent.conf file in /etc/.
EAS is installed on the same machine.
During the reporting installation, you replace the value of localhost
and enter the machine's actual IP address for the EAS server.
To work around this issue, manually update the /etc/logevent.conf file after the installation is complete.
If EAS is installed remotely and you want to test the connection to EAS during the Identity Reporting Module installation, the parent directory of your chosen install directory must exist prior to running the installation. Without an existing parent directory, the installation directory cannot be created in order to write the JDBC JAR file used for testing the connection. For example, if you are installing the Identity Reporting Module to /opt/novell/IdentityReporting, you need to ensure that the /opt/novell directory exists before beginning the installation.
If RBPM and the Identity Reporting Module are configured from an AE .iso file, and the tree to which they are connected is an SE tree, the collection state of the Managed System Gateway driver is active when it should not be. This bug occurs only in the following mixed mode scenario:
The Metadirectory server is installed from an SE .iso file on one machine.
RBPM and Reporting are configured from an AE .iso file on another machine (RemoteIDVault scenario) that tries to connect to the SE tree installed earlier.
Because the reporting module is configured from an AE .iso file, it tries to configure the Managed System Gateway driver, and the Managed System Gateway driver registration parameter is set to Yes in the Data Collection Service driver.
The IDMRPT_CORE war deployment sometimes fails on the JBoss application server because of memory issues. Look for the following error messages in the server console:
***********Server Error Log******************
16:45:02,440 INFO  [[/IDMRPT-CORE]] Marking servlet OsgiBridge as unavailable
16:45:02,441 ERROR [[/IDMRPT-CORE]] Servlet /IDMRPT-CORE threw load() exception
java.lang.OutOfMemoryError: Java heap space
...
*******************************************
There are two different memory issues and the solutions are different:
Unfortunately, Novell is unable to correct this problem.
In this situation, you might see an error similar to the following, most of the time followed by a JVM crash:
java.lang.OutOfMemoryError
    at java.util.zip.ZipFile.open(Native Method)
    at java.util.zip.ZipFile.<init>(Unknown Source)
    at java.util.zip.ZipFile.<init>(Unknown Source)
    at org.jboss.virtual.plugins.context.zip.ZipFileWrapper.ensureZipFile(ZipFileWrapper.java:175)
    at org.jboss.virtual.plugins.context.zip.ZipFileWrapper.openStream(ZipFileWrapper.java:213)
    at org.jboss.virtual.plugins.context.zip.ZipEntryContext.openStream(ZipEntryContext.java:1082)
    at org.jboss.virtual.plugins.context.zip.ZipEntryHandler.openStream(ZipEntryHandler.java:153)
    at org.jboss.virtual.VirtualFile.openStream(VirtualFile.java:230)
    at org.jboss.classloading.spi.vfs.policy.VFSClassLoaderPolicy.getResourceAsStream(VFSClassLoaderPolicy.java:483)
This indicates that the available system memory on your machine is not sufficient for running the product. Either increase the memory or stop unnecessary services. Increasing the Java heap size with -Xmx for your application server does not help.
If you use your own JBoss, you need to use the following procedure to upgrade Hibernate before you can use the product:
Stop JBoss.
Back up the Hibernate jars.
Go to the <jboss>/common/lib folder and move all jars beginning with hibernate to a backup location outside the <jboss> folder.
Go to the Hibernate Web site and follow its instruction to download Hibernate 3.6.1.
Unzip Hibernate and copy the hibernate3.jar file into <jboss>/common/lib.
Start JBoss.
NOTE: If you do not upgrade Hibernate, the reporting module might not start properly. Also, remember that upgrading Hibernate affects non-Identity Manager applications running on the same JBoss.
This problem has only been observed on WebSphere.
When you add an application in the reporting module, you might notice that a valid certificate is not properly converted. The following actions might cause this problem to occur:
You log in to the Identity Reporting Module with valid credentials.
You navigate to the Applications page and click the
button.
You fill in all the mandatory fields and browse for the certificate by selecting the
check box and clicking .
The certificate should be converted, but this does not occur.
To work around this problem, copy and paste the content of the certificate into the text area on the form.
User account creation is updated in the database in the idmrpt_idv_acct table. However, some reports might be empty when executed if the time between the servers is not synchronized.
This happens only for new users when the time between the servers is out of synchronization. If a user is created and then modified, the reports are populated with data.
This issue occurs when the Metadirectory and Reporting servers are running on different machines and the Metadirectory server's clock is ahead of the Reporting server's clock. The user account creation record carries the Metadirectory time stamp, so until the Reporting server's time reaches that time stamp, the data cannot be fetched into reports.
The fix for this issue is to ensure that all servers have the same time.
Currently, in release 4.0.1 of the Identity Reporting Module, it is not possible to modify the frequency of a schedule. If you need to change the frequency (from week to month, for example), you need to delete the schedule and create a new one.
Currently, when using the Download page in the Identity Reporting Module with an Internet Explorer browser, the file may change its extension from .rpz to .zip. This change does not cause any problems. The reporting module will handle the upload and import the report correctly if the extension is .zip. With a Firefox browser, the extension will always be .rpz.
If you change from the Standard Edition to the Advanced Edition, the version change for the reporting module takes effect after the next batch of events is processed.
When you first start the Identity Reporting Module, wait 5 minutes before running a report. The startup process consumes a lot of memory, leaving less memory for the report generation. If you do not wait 5 minutes, you may encounter memory errors.
When using the standalone installers for RBPM and the Identity Reporting Module, you may see configuration errors on Windows 2008 if you install both components and switch from a 32-bit JRE to a 64-bit JRE.
The Identity Reporting Module is installed with a 32-bit JRE. Preferences are set under this JRE environment.
If you install a 64-bit Java on Windows 2008, it becomes the default Java on your system. When JBoss starts up, it reads the JAVA_HOME environment variable and uses the Java that JAVA_HOME points to. If JAVA_HOME points to the 64-bit Java, you will see errors in the JBoss server log when starting the reporting module (IDMRPT, IDMRPT-AUTH, IDMRPT-CORE) indicating that the configuration is not correct. This is because it is reading the preferences under the 64-bit Java and not the 32-bit Java.
To work around this issue, open the start-jboss.bat file and edit the JAVA_HOME and PATH entries to point to the 32-bit Java. This will typically be in your JBoss directory. Alternatively, if you are aware of this issue before installing RBPM, you can point to the 32-bit Java when the installer asks which Java you want to use.
If you install RBPM alone (and do not install the Identity Reporting Module), you can use 64-bit Java.
If you access the reporting module with an Internet Explorer browser over HTTPS, you will receive a pop-up message similar to the following:
Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.
If you select
, the login screen for the reporting module will not appear. You must select . The behavior is seen because the download site for new reports supports only the HTTP protocol, so the link to that site is constructed using http://. This behavior is not seen with Firefox.
In Standard Edition, the Reporting Configuration tool shows Advanced Edition.
In some cases, after you upgrade to 4.0.1, EAS may not come up after a reboot if you have a very fast Enterprise server. You can start the server manually with this command:
/etc/init.d/sentinel_eas start
If you see this behavior, you can add a wait statement to pause EAS so that it has a chance to fully shut down and restart when rebooting. To do this, modify the /opt/novell/sentinel_eas/bin/server.sh file. Search for the places in the file where the database is stopped or started. You should find several occurrences in the file.
Add this argument after each start statement:
--wait 45
For example:
ALLOW_ROOT=1 RUN_AS_USER=$RUN_AS_USER "${ESEC_HOME}/bin/db.sh" start --wait 45 --quiet
Add this argument after each stop statement:
--wait 15
For example:
ALLOW_ROOT=1 RUN_AS_USER=$RUN_AS_USER "${ESEC_HOME}/bin/db.sh" stop --quiet --wait 15
Save your changes when you’re done editing the file.
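The server.sh edit above is easy to get wrong by hand on several EAS hosts, and easy to apply twice after an upgrade. The following Python function is an added example, not Novell's code: it appends --wait 45 after each db.sh start and --wait 15 after each db.sh stop, skips lines that already carry --wait (so it is safe to re-run), and leaves any other line alone. The server.sh excerpt it runs against is constructed from the two lines quoted above; the real file may differ.

```python
"""Insert --wait arguments into EAS db.sh start/stop calls in server.sh.

Added example, not part of Identity Manager or EAS. Only lines that invoke
db.sh are touched, and a line that already carries --wait is left alone.
"""
import re
import shutil

SERVER_SH = "/opt/novell/sentinel_eas/bin/server.sh"   # path named in the readme
START_WAIT = 45   # seconds, the values given in the readme
STOP_WAIT = 15

# One pattern per action: the quoted db.sh call followed by the word start/stop.
DB_CALL = {
    "start": re.compile(r'(db\.sh"\s+start)\b'),
    "stop": re.compile(r'(db\.sh"\s+stop)\b'),
}

# Constructed excerpt modelled on the two lines quoted in the readme.
SAMPLE_SERVER_SH = '''#!/bin/sh
ESEC_HOME=/opt/novell/sentinel_eas
start_db() {
    ALLOW_ROOT=1 RUN_AS_USER=$RUN_AS_USER "${ESEC_HOME}/bin/db.sh" start --quiet
}
stop_db() {
    ALLOW_ROOT=1 RUN_AS_USER=$RUN_AS_USER "${ESEC_HOME}/bin/db.sh" stop --quiet
}
echo "db.sh start"   # not a call to db.sh: must stay untouched
'''


def add_wait_args(script_text, start_wait=START_WAIT, stop_wait=STOP_WAIT):
    """Return (patched_text, number_of_lines_changed).

    The --wait argument is placed directly after start/stop, as in the readme's
    first example; db.sh accepts it in either position.
    """
    out, changed = [], 0
    for line in script_text.splitlines():
        if "--wait" not in line:   # idempotent: never add a second --wait
            for action, wait in (("start", start_wait), ("stop", stop_wait)):
                new_line, n = DB_CALL[action].subn(rf"\1 --wait {wait}", line)
                if n:
                    line, changed = new_line, changed + 1
                    break
        out.append(line)
    return "\n".join(out) + "\n", changed


def patch_server_sh(path=SERVER_SH):
    """Patch the file in place, keeping a .bak copy; returns lines changed."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    patched, changed = add_wait_args(text)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(patched)
    return changed


if __name__ == "__main__":
    # Dry run on the constructed excerpt; patch_server_sh() does the real file.
    patched, n = add_wait_args(SAMPLE_SERVER_SH)
    print(f"{n} line(s) changed\n{patched}")
```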
The definition of the cat_item_type_id column in the idm_rpt_data.idmrpt_sod_violations_hist table needs to be changed to allow nulls.
To allow nulls in the cat_item_type_id column, perform these steps:
Launch pgAdminIII.
Connect to the PostgreSQL database server in EAS as the dbauser.
Press the plus sign next to Databases.
Select the
Database.
Press the plus sign next to the Database.
Press the plus sign next to .
Press the plus sign next to .
Press the plus sign next to .
Press the plus sign next to the idmrpt_sod_violations_hist table.
Press the plus sign next to .
Select cat_item_type_id.
In the Properties Panel, double-click on
.
Uncheck the checkbox next to
.
Press the
button.
If you have changed the Network Interface Card (NIC) recently on your Windows machine, and the easretapi WAR fails to deploy with an error similar to the following, you will need to disable IPv6 on this server:
Caused by: java.lang.ArrayIndexOutOfBoundsException
    at java.lang.System.arraycopy(Native Method)
    at com.esecurity.uuid.UUIDGenerator.<init>(UUIDGenerator.java:142)
    at com.esecurity.uuid.UUIDGenerator.<clinit>(UUIDGenerator.java:86)
Here are the steps you need to perform:
Remove the ipv6 bindings on all NICs.
Add the following reg key and value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters]
"DisabledComponents"=dword:ffffffff
You might encounter the following issues as you use the Roles Based Provisioning Module:
In Firefox, if you attempt to copy text in the Detail portlet, an error message is displayed.
The following actions cause this message to appear:
You log in to the User application as administrator and go to the
tab.
You click
in Portlet Applications.
You click
.
You click the
icon and enter some sample text, such as “TEST”.
You select the text and click the
icon.
If you follow these steps, you see the following error message when you click the Copy button:
Exception... "Access to XPConnect service denied" code: "1011" nsresult: "0x805303f3 (NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED)" location: "http://172.16.1.99:8180/IDMProv/resource//portal-general/javascript/html_editor.js Line: 531"
You might also see this message when performing cut and paste operations.
This is a known issue with Dojo and Firefox.
The session-level failover does not function properly with software dispatchers. However, it works correctly with hardware dispatchers. Until further notice, the User Application supports only hardware dispatchers in a clustered environment.
You can add JavaScript to a workflow form to allow for printing. However, this technique does not produce expected results on Internet Explorer.
As described in the Designer documentation, you can add the following to the form onload event:
form.interceptAction("SubmitAction", "around", function (invocation) {
    var pf = new PrintForm("SubmitAction");
    pf.printFormInterceptor(invocation);
});
This action works correctly for both Internet Explorer and Firefox. However, the printed form output is not formatted correctly on Internet Explorer, although it is formatted correctly on Firefox.
Firefox supports automatic resizing of pages. It takes the entire page as a vector and resizes it, but Internet Explorer just changes the styles internally. For this reason, only Firefox can be used to resize the page appropriately for printing.
To work around this problem on Internet Explorer, determine which of the following possible solutions works best for you:
You can press Alt+Print Screen in Internet Explorer to capture the content as it appears on the screen and print that capture.
You can use the reference below, which might work for the workflows but might not print the form exactly the way you want it to print. This is a quick fix to print the form.
<link rel="stylesheet" type="text/css" href="print.css" media="print" />
This can be added in the workflow forms (the Request_form, Approval_form, and so forth) under
> . This improves the print formatting on Internet Explorer, but might not be totally correct.
You can create a CSS script specifically for each workflow to print the output as you want it to appear. Each CSS script probably needs to be specific to a workflow and requires tweaking that could be time-consuming.
The references look like this:
document.writeln("<link rel=\"stylesheet\" type=\"text/css\" media=\"print\" href=\"http://172.17.5.100:8280/externalFiles/css/jquery-ui-1.7.2.custom.css\">");
This can be added in the workflow forms (Request_form, Approval_form, and so forth) under
> .
You can create an external WAR file that stores all the CSS scripts and is referenced from the workflow. This allows changes to be made in one file rather than within each workflow.
For example, with document.writeln("<link rel=\"stylesheet\" type=\"text/css\" media=\"print\" href=\"http://172.17.5.100:8280/externalFiles/css/jquery-ui-1.7.2.custom.css\">");, replace the href attribute with the link to your CSS script. You need to do it this way because the external script for a workflow form must be JavaScript, so an inline script is used to load a reference to the CSS. The inline scripts go into a specific area on the form called and are executed when the form is first loaded. You need to put the scripts on all the forms (request forms and approval forms). This allows you to specify a style that works for the printer, without changing the style for the viewable form.
The Roles Based Provisioning Module reports that were provided in previous releases of the product (available under
on the tab) are being deprecated in this release. These reports will be removed in a future release.
Support for digital signatures has been removed in this release.
Support for accessory portlets has been removed in this release.
On WebSphere, if you create a new user with special characters in the name, the user cannot log in to the User Application. For example, if you create a user as /Test//
from the page, an error page is displayed when the new user tries to log in to the application.
PostgreSQL requires several Microsoft VC++ libraries when running on Windows. If these libraries are not installed on the Windows server, the PostgreSQL installer automatically installs them. When you run the JBossPostgreSQL installer in silent mode on Windows, a pop-up window appears for about three seconds while these libraries are being installed, if those libraries are not already installed on the machine.
At this time, the installer is not able to suppress this pop-up window on Windows.
If you redeploy the User Application driver from Designer after running the integrated installer, the trustees for the Attestation Report provisioning request definitions are deleted and no one can execute the report. The reason for this is that the trustees are added to the Attestation Report provisioning request definitions at User Application startup. Because Designer does not know about the trustees, an attempt to redeploy the User Application driver from Designer removes the trustees. Therefore, you need to import these objects from eDirectory after User Application startup to synchronize the trustees.
In some situations, the integrated installer does not properly handle the Roles Based Provisioning Module setup errors. This can happen when the Roles Based Provisioning Module configuration fails because of a problem with the driver configuration process. In this case, the integrated installer configuration summary displays a message indicating that the Roles Based Provisioning Module configuration passed, but the Roles Based Provisioning Module configuration has setup errors. The defect number is 641557.
If you create a role or resource assignment, and then remove it, you see a message indicating that the assignment has been removed, but the assignment is still listed. If you refresh the page, you see that the assignment has been removed. This is caused by a caching issue.
The search feature in the Org Chart Portlet does not work if the Entity type being displayed has a dash (-) in the name. At this time, the product does not support Entities with dashes in their names.
If you have workflows that are recursive in nature (that execute loops), you might see a StackOverflowError at execution time. Java does not handle the stack space for recursive type functions effectively. Therefore, in recursive workflows, you need to increase the stack size for the JVM. The JVM defaults to 512K. You might want to increase the stack size to 1M.
To increase the stack size, you can include the -Xss1M setting with the JAVA_OPTS in your start JBoss script file.
JAVA_OPTS="-server -Xss1M -Xms512M -Xmx512M -XX:MaxPermSize=512m"
If you perform a default eDirectory installation and apply a password policy that has an Email Password to User action to an existing user, then log in as this user and perform a forgotten password procedure, you might see a message that says Universal Password is not set after answering the challenge response questions.
To fix this issue:
Add the following two lines to the pre_ndsd_start script located at /opt/novell/eDirectory/sbin (formerly in /etc/init.d):
NDSD_TRY_NMASLOGIN_FIRST=true
export NDSD_TRY_NMASLOGIN_FIRST
Do this on every server that might handle NMAS logins via LDAP.
Restart eDirectory to apply the change.
For more information, see “How to Make Your Password Case-Sensitive” in the Novell eDirectory 8.8 What’s New Guide.
If your server is set up with Simplified Chinese as the number format (by using ), PostgreSQL will not install successfully. Do not use the Simplified Chinese number format on the server on which PostgreSQL will be installed.
If you assign a resource that takes multiple values from an entitlement to a user, the tab lists only one entry: the first value selected. The tab lists multiple entries, and the user appears as many times as there were values selected.
Currently, in the User Application 4.0.1 release, there is an issue with SQL generation for both new and existing installs. These problems will be corrected and provided via a patch to the User Application. Do not use the SQL generation option in the User Application installer until further notice.
When you access the User Application in a language that is not the default language (for example, in Spanish while the default language is English) and add a resource to a role, you must also supply a value for the default language in the field. To do this, click the button after the field and enter a value for the language marked with the (the default language). If you do not enter a value for the default language, you receive an error and cannot add the resource to the role.
To deploy RBPM on JBoss 5.1.0 Enterprise Application Platform (EAP), you need to perform several manual setup steps. The setup process is outlined below:
Install JBoss 5.1 EAP.
Copy the jbosssx.jar file from the %jboss-root%/lib directory to the %jboss-root%/common/lib directory before launching the RBPM User Application installer.
Install the RBPM User Application.
Replace the messaging-jboss-beans.xml file you have with a modified XML file.
If you deploy RBPM on JBoss 5.1.0 EAP without replacing the messaging-jboss-beans.xml file, you might see multiple warnings and errors in the startup log.
The problem is that the RBPM installer uses the community version of the messaging-jboss-beans.xml file as a template to generate its own version of the file. The EAP version is very different in many respects, including the definitions of QueueMODefinition and TopicMODefinition.
The workaround is to replace the messaging-jboss-beans.xml file you have with the modified XML file shown below. The file needs to be in the IDMProv/deploy/messaging folder. Two settings in it deserve attention before the server is exposed beyond a test network: the login module maps unauthenticated connections to the guest identity, and the default security configuration gives the guest role read, write, and create rights on every destination that has no security configuration of its own; and suckerPassword is set to the placeholder changeit, which should be replaced with a site-specific value.
<?xml version="1.0" encoding="UTF-8"?>
<!-- ========================================================================
Copyright (c) 2009 Novell, Inc. All Rights Reserved. THIS WORK IS SUBJECT TO U.S. AND INTERNATIONAL COPYRIGHT LAWS AND TREATIES NO PART OF THIS WORK MAY BE USED, PRACTICED, PERFORMED COPIED, DISTRIBUTED, REVISED, MODIFIED, TRANSLATED, ABRIDGED, CONDENSED, EXPANDED, COLLECTED, COMPILED, LINKED, RECAST, TRANSFORMED OR ADAPTED WITHOUT THE PRIOR WRITTEN CONSENT OF NOVELL, INC. ANY USE OR EXPLOITATION OF THIS WORK WITHOUT AUTHORIZATION COULD SUBJECT THE PERPETRATOR TO CRIMINAL AND CIVIL LIABILITY.
======================================================================== -->
<!-- Messaging beans
$Id: messaging-jboss-beans.xml 88672 2009-05-11 20:49:47Z anil.saldhana@jboss.com $
-->
<deployment xmlns="urn:jboss:bean-deployer:2.0">

  <!-- messaging application-policy definition -->
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="dsJndiName">java:/IDMUADataSource</module-option>
        <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
        <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
    <!-- default security configuration -->
    <property name="defaultSecurityConfig">
      <![CDATA[
      <security>
        <role name="guest" read="true" write="true" create="true"/>
      </security>
      ]]>
    </property>
    <property name="suckerPassword">changeit</property>
    <property name="securityDomain">messaging</property>
    <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
    <!-- @JMX annotation to export the management view of this bean -->
    <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.messaging:service=SecurityStore",exposedInterface=org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStoreMBean.class)</annotation>
    <!-- Password Annotation to inject the password from the common password utility
    <annotation>@org.jboss.security.integration.password.Password(securityDomain="messaging",methodName="setSuckerPassword")</annotation>
    -->
  </bean>

  <bean name="MessagingDeploymentTemplateInfoFactory" class="org.jboss.managed.plugins.factory.DeploymentTemplateInfoFactory"/>

  <bean name="QueueTemplate" class="org.jboss.profileservice.management.templates.JmsDestinationTemplate">
    <property name="info"><inject bean="QueueTemplateInfo"/></property>
  </bean>

  <bean name="QueueTemplateInfo" class="org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo">
    <constructor factoryMethod="createTemplateInfo">
      <factory bean="DSDeploymentTemplateInfoFactory"/>
      <parameter class="java.lang.Class">org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo</parameter>
      <parameter class="java.lang.Class">org.jboss.jms.server.destination.QueueServiceMO</parameter>
      <parameter class="java.lang.String">QueueTemplate</parameter>
      <parameter class="java.lang.String">A template for JMS queue *-service.xml deployments</parameter>
    </constructor>
    <property name="destinationType">QueueTemplate</property>
  </bean>

  <bean name="TopicTemplate" class="org.jboss.profileservice.management.templates.JmsDestinationTemplate">
    <property name="info"><inject bean="TopicTemplateInfo"/></property>
  </bean>

  <bean name="TopicTemplateInfo" class="org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo">
    <constructor factoryMethod="createTemplateInfo">
      <factory bean="DSDeploymentTemplateInfoFactory"/>
      <parameter class="java.lang.Class">org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo</parameter>
      <parameter class="java.lang.Class">org.jboss.jms.server.destination.TopicServiceMO</parameter>
      <parameter class="java.lang.String">TopicTemplate</parameter>
      <parameter class="java.lang.String">A template for JMS topic *-service.xml deployments</parameter>
    </constructor>
    <property name="destinationType">TopicTemplate</property>
  </bean>

</deployment>
Copy the %jboss-root%/docs/examples/jms/postgresql-persistence-service.xml file to %jboss-root%/server/IDMProv/deploy/messaging/, replacing the postgresql-persistence-service.xml file that is there.
Edit the postgresql-persistence-service.xml file and replace the text DefaultDS with the text IDMUADataSource.
In the postgresql-persistence-service.xml file, also comment out the clustering attributes that follow the Clustered attribute, so that the section reads as follows:
<attribute name="Clustered">false</attribute>

<!-- All the remaining properties only have to be specified if the post office is clustered.
     You can safely comment them out if your post office is non clustered -->

<!-- The JGroups group name that the post office will use -->
<!--attribute name="GroupName">${jboss.messaging.groupname:MessagingPostOffice}</attribute>-->

<!-- Max time to wait for state to arrive when the post office joins the cluster -->
<!--attribute name="StateTimeout">30000</attribute>-->

<!-- Max time to wait for a synchronous call to node members using the MessageDispatcher -->
<!--attribute name="CastTimeout">30000</attribute>-->

<!-- Set this to true if you want failover of connections to occur when a node is shut down -->
<!--<attribute name="FailoverOnNodeLeave">false</attribute>
<depends optional-attribute-name="ChannelFactoryName">jboss.jgroups:service=ChannelFactory</depends>
<attribute name="ControlChannelName">jbm-control</attribute>
<attribute name="DataChannelName">jbm-data</attribute>
<attribute name="ChannelPartitionName">${jboss.partition.name:DefaultPartition}-JMS</attribute>-->
</mbean>
Also, in postgresql-persistence-service.xml:
Find this line:
POPULATE.TABLES.3 = INSERT INTO JBM_USER (USER_ID, PASSWD, CLIENTID) VALUES ('john', 'needle', 'DurableSubscriberExample')
Replace it with this line:
POPULATE.TABLES.3 = INSERT INTO JBM_USER (USER_ID, PASSWD, CLIENTID) VALUES ('p_user', 'changeit', 'IDMNotificationDurableTopic')
Find this line:
POPULATE.TABLES.8 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('john','guest')
Replace it with this line:
POPULATE.TABLES.8 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('p_user','guest')
Find this line:
POPULATE.TABLES.9 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('subscriber','john')
Replace it with this line:
POPULATE.TABLES.9 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('subscriber','p_user')
Find this line:
POPULATE.TABLES.10 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('publisher','john')
Replace it with this line:
POPULATE.TABLES.12 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('durpublisher','p_user')
Note that this replacement, as published, also renumbers the entry (10 to 12) and changes the role (publisher to durpublisher). After editing, make sure that no two POPULATE.TABLES entries share a number and that no JBM_ROLE row still refers to the example user john. The p_user password inserted by the POPULATE.TABLES.3 statement is stored in clear text in JBM_USER and is read directly by the principalsQuery in messaging-jboss-beans.xml; treat changeit as a placeholder and use a site-specific value.
Start JBoss.
If the configuration is correct, you will see this information in the server log:
INFO [ServerPeer] JBoss Messaging 1.4.7.GA server [0] started
and, about seven lines further down:
INFO [TopicService] Topic[/topic/IDMNotificationDurableTopic] started, fullSize=200000, pageSize=2000, downCacheSize=2000
In addition, you will see this information further down in the log:
INFO [RBPM] [com.novell.soa.notification.impl.jms.JMSConnectionMediator:init] Starting JMS notification system
INFO [STDOUT] INFO [RBPM] [com.novell.soa.notification.impl.NotificationThread:run] Starting asynchronous notification system
In addition, the stop-jboss.sh script that is created during the installation process needs to be modified. The JBoss administrator's user ID and password must be appended to the end of the shutdown command:
shutdown.sh -s jnp://localhost:1199 -u %value% -p %value%
For example:
shutdown.sh -s jnp://localhost:1199 -u admin -p novell
The script then contains the administrator credentials in clear text, so restrict its permissions to the account that runs JBoss. While the shutdown command runs, its arguments, including the password, are also visible to other local users in the process list.
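The persistence-file edits and the startup-log check from the procedure above, as an added shell example that is not part of the Novell Readme or of JBoss. It patches a file in place with sed, verifies the result, and greps a server log for the four INFO lines quoted above. Two choices go beyond the Readme's literal steps and are mine: every JBM_ROLE row for the example user john is rewritten to p_user (rather than renumbering one entry), and the p_user password comes from the environment variable JBM_P_USER_PASSWORD instead of the hard-coded changeit. The sample persistence excerpt and the sample log are constructed here for the demonstration; in practice, run the functions against %jboss-root%/server/IDMProv/deploy/messaging/postgresql-persistence-service.xml and the real server log.

```shell
#!/bin/sh
# Added example (not from the Novell Readme or JBoss): apply the
# postgresql-persistence-service.xml edits described above, verify them, and
# check the startup log for the expected lines. Assumptions made here:
#  - every JBM_ROLE row for the example user 'john' becomes a 'p_user' row;
#  - the p_user password is taken from $JBM_P_USER_PASSWORD, not hard-coded.

# Rewrite FILE in place. Fails when the password is unset or contains a
# character that would break the sed replacement or the SQL string literal.
patch_persistence_xml() {
    f=$1
    pw=${JBM_P_USER_PASSWORD:-}
    case $pw in
        ''|*["'/&"]*) echo "JBM_P_USER_PASSWORD is unset or contains ' / or &" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sed \
        -e 's/DefaultDS/IDMUADataSource/g' \
        -e "s/('john', 'needle', 'DurableSubscriberExample')/('p_user', '$pw', 'IDMNotificationDurableTopic')/" \
        -e "s/VALUES ('john','guest')/VALUES ('p_user','guest')/" \
        -e "s/VALUES ('\([a-z]*\)','john')/VALUES ('\1','p_user')/" \
        "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps the file's mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Post-edit checks: no DefaultDS or 'john' left, a p_user row with the RBPM
# client id present, and every POPULATE.TABLES.N key unique (a duplicate key
# in a Java properties block silently overrides the earlier entry).
verify_persistence_xml() {
    f=$1
    ! grep -Fq 'DefaultDS' "$f" || { echo "DefaultDS still referenced" >&2; return 1; }
    ! grep -Fq "'john'" "$f" || { echo "example user john still present" >&2; return 1; }
    grep -Fq "VALUES ('p_user', '" "$f" || { echo "no JBM_USER row for p_user" >&2; return 1; }
    grep -Fq "'IDMNotificationDurableTopic'" "$f" || { echo "durable topic client id missing" >&2; return 1; }
    dups=$(sed -n 's/^\(POPULATE\.TABLES\.[0-9]*\) *=.*/\1/p' "$f" | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate keys: $dups" >&2; return 1; }
}

# The four INFO lines the Readme says a correct configuration produces.
check_startup_log() {
    log=$1
    for needle in \
        'JBoss Messaging 1.4.7.GA server [0] started' \
        'Topic[/topic/IDMNotificationDurableTopic] started' \
        'JMSConnectionMediator:init] Starting JMS notification system' \
        'NotificationThread:run] Starting asynchronous notification system'
    do
        grep -Fq -- "$needle" "$log" || { echo "missing in log: $needle" >&2; return 1; }
    done
}

# Constructed sample input: an excerpt shaped like the JBoss template (not a
# copy of it) and a log containing the lines quoted in the Readme.
make_sample_files() {
    d=$1
    cat > "$d/postgresql-persistence-service.xml" <<'EOF'
<depends optional-attribute-name="DataSource">jboss.jca:service=DataSourceBinding,name=DefaultDS</depends>
<attribute name="Clustered">false</attribute>
<attribute name="SqlProperties"><![CDATA[
POPULATE.TABLES.1 = INSERT INTO JBM_USER (USER_ID, PASSWD) VALUES ('guest', 'guest')
POPULATE.TABLES.3 = INSERT INTO JBM_USER (USER_ID, PASSWD, CLIENTID) VALUES ('john', 'needle', 'DurableSubscriberExample')
POPULATE.TABLES.8 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('john','guest')
POPULATE.TABLES.9 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('subscriber','john')
POPULATE.TABLES.10 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('publisher','john')
POPULATE.TABLES.12 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('durpublisher','john')
]]></attribute>
EOF
    cat > "$d/server.log" <<'EOF'
INFO [ServerPeer] JBoss Messaging 1.4.7.GA server [0] started
INFO [TopicService] Topic[/topic/IDMNotificationDurableTopic] started, fullSize=200000, pageSize=2000, downCacheSize=2000
INFO [RBPM] [com.novell.soa.notification.impl.jms.JMSConnectionMediator:init] Starting JMS notification system
INFO [STDOUT] INFO [RBPM] [com.novell.soa.notification.impl.NotificationThread:run] Starting asynchronous notification system
EOF
}

# Stand-alone run: patch and verify the sample, then clean up.
demo_dir=$(mktemp -d)
make_sample_files "$demo_dir"
JBM_P_USER_PASSWORD=${JBM_P_USER_PASSWORD:-Example-Pw-Only}
if patch_persistence_xml "$demo_dir/postgresql-persistence-service.xml" \
   && verify_persistence_xml "$demo_dir/postgresql-persistence-service.xml" \
   && check_startup_log "$demo_dir/server.log"; then
    echo "sample persistence file patched and startup log looks right"
fi
rm -rf "$demo_dir"
```

Because the patched file carries the p_user password in clear text, keep it readable only by the account that runs JBoss, and keep the value out of shell history by exporting JBM_P_USER_PASSWORD from a file with restricted permissions rather than typing it on the command line.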
When you install RBPM on WebSphere, the antlr.jar file is not deployed to the install directory. This file is mandatory for a successful configuration.
The file does exist in the installation media. To extract it:
Unjar IdmUserApp.jar (/$JAVA$/bin/jar -xvf IdmUserApp.jar).
Change to the InstData directory (cd Disk1/InstData/).
Unzip Resource1.zip.
Change to the project directory (cd \$IA_PROJECT_DIR\$/). The directory name contains literal dollar signs; the backslashes keep the shell from expanding $IA_PROJECT_DIR as a variable.
Change to the lib directory (cd lib).
Unzip websphere-addons.zip.
Change to the WEB-INF/lib directory (cd WEB-INF/lib).
The antlr.jar file is now present.
Copy the antlr.jar file to your RBPM install directory (/opt/novell/idm by default) and continue the setup.
Novell provides the JBossPostgreSQL utility as a convenience. If your company does not already provide an application server and a database server, you can use the JBossPostgreSQL utility to install an Open Source version of these components. By running this utility, you can install these components without having to download them separately. If you need support, go to the third-party provider of the component. Novell does not provide updates for these components, or administration, configuration, or tuning information for them, beyond what is outlined in the RBPM documentation.
The default jboss_init script that is provided by JBoss for Red Hat Enterprise Linux does not work on Red Hat Enterprise Linux 6. JBoss will not automatically start with this script.
To work around this issue, you need to perform the following steps:
Add the following LSB header at the top of the jboss_init script:
### BEGIN INIT INFO
# Provides: JBoss
# Required-Start:
# Required-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 6
# Description: Start/Stop Script for JBoss
### END INIT INFO
Register the script with chkconfig (chkconfig --add followed by the script name as it appears in /etc/init.d).
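Both script edits on this page, the NDSD_TRY_NMASLOGIN_FIRST lines appended to pre_ndsd_start for the NMAS forgotten-password issue and the LSB header inserted at the top of jboss_init above, are the same kind of change: add a fixed block to a file that must keep working when the change is applied again by a later patch run. The following shell helpers are an added example and not part of the Novell Readme; the file paths are parameters, and the names ensure_line, ensure_nmas_login_first and ensure_lsb_header are mine.

```shell
#!/bin/sh
# Added example (not from the Novell Readme): idempotent helpers for the two
# script edits described on this page. The file paths are parameters so the
# helpers can be exercised on a copy; running them twice changes nothing.

# Append LINE to FILE unless an identical line is already there.
ensure_line() {
    file=$1; line=$2
    grep -Fqx -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# The two lines the NMAS/LDAP forgotten-password workaround adds to
# pre_ndsd_start (/opt/novell/eDirectory/sbin/pre_ndsd_start by default).
ensure_nmas_login_first() {
    ensure_line "$1" 'NDSD_TRY_NMASLOGIN_FIRST=true'
    ensure_line "$1" 'export NDSD_TRY_NMASLOGIN_FIRST'
}

# Insert the LSB header for jboss_init directly after the #! line (or at the
# top when there is none) unless the script already carries one. The result
# is written back through cat so the script keeps its mode and owner.
ensure_lsb_header() {
    file=$1
    grep -q '^### BEGIN INIT INFO' "$file" 2>/dev/null && return 0
    tmp=$(mktemp) || return 1
    awk '
        function emit_header() {
            print "### BEGIN INIT INFO"
            print "# Provides: JBoss"
            print "# Required-Start:"
            print "# Required-Stop:"
            print "# Default-Start: 3 5"
            print "# Default-Stop: 0 1 6"
            print "# Description: Start/Stop Script for JBoss"
            print "### END INIT INFO"
        }
        NR == 1 && /^#!/ { print; emit_header(); next }
        NR == 1          { emit_header() }
        { print }
        END { if (NR == 0) emit_header() }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run them against a copy first; a safe sequence is to copy the live script, apply the helper, diff the two, and only then apply it to the real file. Because ensure_lsb_header writes through cat rather than mv, an init script keeps its execute bit, which chkconfig and the init system both rely on.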
Currently, there is an issue with the JBossPostgreSQL and EAS installers if a password for the database user(s) contains a dollar sign ($). If the password contains a dollar sign, the $ and the character that follows it are removed when the password is set. For example, if you enter test$123, the value actually set is test23.
At this time, you cannot use a $ in a password during the install of PostgreSQL, in either the JBossPostgreSQL or the EAS installer. You can change the password after the install by using the PostgreSQL administration tools.
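An added shell example, not part of the Novell Readme, that reproduces the truncation described above and screens a password before the installer sees it. The reproduction assumes that the installer re-evaluates the value through an unquoted shell expansion, where the $1 in test$123 is an empty positional parameter and only test23 survives; this matches the symptom exactly, but the Readme states only the symptom, so the cause is an assumption. The function names expand_unquoted, expand_quoted and installer_password_ok are mine, and the candidate passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the Novell Readme): reproduce the '$' truncation
# described above and screen a password before the installer runs.
# Assumption: the installer re-evaluates the value through an unquoted shell
# expansion, so the "$1" inside "test$123" is an empty positional parameter.

# Unsafe path: expand the value a second time in a context with no
# positional parameters, as a script doing  eval "x=$PASSWORD"  would.
expand_unquoted() {
    _v=$1
    set --                           # a fresh shell has no $1, $2, ...
    eval "printf '%s' \"$_v\""
}

# Safe path: one quoted expansion leaves every character alone.
expand_quoted() {
    printf '%s' "$1"
}

# 0 when the value survives the 4.0.1 JBossPostgreSQL/EAS installers as typed,
# 1 when it contains a '$' and would be altered.
installer_password_ok() {
    case $1 in
        *'$'*) return 1 ;;
    esac
    return 0
}

# Stand-alone run over constructed candidates: the intended value, what the
# unquoted path would store, and whether the screen accepts it.
for candidate in 'test$123' 'Test123!' 'pw$tail'; do
    stored=$(expand_unquoted "$candidate")
    if installer_password_ok "$candidate"; then
        verdict=accepted
    else
        verdict='rejected (contains $)'
    fi
    printf 'intended=%s stored=%s -> %s\n' "$candidate" "$stored" "$verdict"
done
```

Screen the value before starting the installer rather than discovering the truncation at the first failed login. Setting the intended password afterwards, as the Readme suggests, goes through the PostgreSQL administration tools; inside psql, ALTER ROLE ... WITH PASSWORD takes the value as an SQL string literal, so no shell expansion is involved (this note goes beyond the Readme).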
Values that are saved into the srvprvUserPrefs attribute are not fully removed when a user removes or changes their filters or customization entries.
The srvprvUserPrefs attribute is a single-valued, synchronize-immediately string attribute in eDirectory, limited to about 33,000 characters in total. Once the attribute reaches its maximum size, users can no longer save filter and customization entries into it. To work around this issue, an administrator must clean up the attribute manually with iManager or an LDAP browser.
When using the Effective or Expiration dates for a role assignment in the User Application, you need to manually enter the date if the year you want to use is after 2030. For example, if you want to set the Effective Date for a role to be assigned on January 01, 2031, the Calendar picker will display it as 1/1/31. If you leave this as is, the role will be immediately assigned. You must make the year a four digit year if the year is greater than 2030. For this example, you would need to use 1/1/2031.
If a user has been assigned to multiple roles, and these roles are associated with a resource that is dynamically bound (meaning that the value for the entitlement is set at assignment time), the user may lose all of the resource assignments for these roles if only one of the roles is removed. This happens only if the option (which maps to nrfAllowMulti) is not selected when mapping the entitlement to a resource.
For example, suppose you have a resource that is dynamically bound to an entitlement, the resource is mapped to two different roles, and the option is not set for the resource. If a user is assigned to both roles and is later removed from one of them, the user loses both resource assignments, because the option was not selected when the entitlement was mapped to the resource.
Upgrading from 3.6.1 to 4.0.1 produces a Liquibase error when creating a foreign key. Instructions on the steps to follow to correct this error and to continue with the installation are found in Patch A Special Instructions.
You might encounter the following issues as you use iManager:
Identity Manager 4.0.1a does not install iManager 2.7.4 FTF3. To extend support to the Microsoft Internet Explorer 9 and Mozilla Firefox 4.0.1 browsers, manually upgrade iManager 2.7.4 to iManager 2.7.4 FTF3. For iManager installation and upgrade information, see the Installing iManager section in the iManager 2.7 Installation Guide.
When you are using iManager, particularly the Policy Builder, Internet Explorer 7 continually prompts you for access to the Clipboard. To disable the prompting:
Click > .
Click the tab, then click .
Click > , then select .
After you restart Internet Explorer, the prompting stops.
If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Novell Certificate Server.
You might encounter the following issues during Identity Manager upgrade.
To upgrade Metadirectory on a server with multiple eDirectory instances, make sure that you have only one eDirectory instance file in the /etc/opt/novell/eDirectory/conf/.edir/ directory. You must upgrade each eDirectory instance separately to inject the edition information for each instance and to extend the schema for each instance. Refer to TID 7008633 for more information on upgrading Metadirectory on a server with multiple eDirectory instances.
You might encounter the following issues during uninstallation of the Identity Manager Metadirectory engine and drivers.
Manually remove the DXMLnotes.pkg package.
The uninstall log files are created in the temp directory.
The jar files that reside in the lib directory are not removed.
The uninstaller uninstalls other installed components.
The Identity Vault uninstallation hangs when you run the nds-uninstall command.
To successfully uninstall the Identity Vault:
Stop the DHost from the Task Manager.
Start the NDS service.
Start the uninstallation program.
For more information on uninstalling the Roles Based Provisioning Module, refer to uninstallation details in the Identity Manager Roles Based Provisioning Module 4.0.1 User Application: Installation Guide.
The following command might fail with an exit value of 1:
cmd /c copy "C:\Users\Administrator\AppData\Local\Temp\2\I1285831815\Windows\resource\jre\..\iawin64_x64.dll" "C:\Program Files (x86)\Novell\Identity Manager\Uninstall_Roles_Based_Provisioning_Module_for_Novell_Identity_Manager\resource\iawin64_x64.dll"
The uninstaller does not remove the <system drive>\Novell\conf and the folders. To work around this issue, remove these folders manually.
If you select Brazilian Portuguese, Danish, Dutch, English, French, German, Italian, Swedish, Spanish, or Russian as your choice of language for installing Identity Manager 4.0.1, the installer displays corrupt characters during installation.
If you select English, the installer contains a corrupt character on the Select Language page of the installation program. However, the characters display correctly for the Asian languages when the installer is run on Asian Windows.
For the characters to display correctly, ensure that you change the default font of your Windows machine to Lucida Console by using the following steps before installing Identity Manager:
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage and change the OEMCP value from 850 to 1252.
For Russian, change the OEMCP value from 866 to 1251 in the same registry key.
OEMCP is the system-wide OEM code page, so this change affects every console application on the machine, not only the installer; note the original value so that you can restore it after the installation.
Go to , type cmd in the text box, then press Enter to launch the command prompt.
Right-click the title bar of the cmd window to open the pop-up menu.
Scroll down in the pop-up menu and select the option to open the Console Windows Properties dialog box.
Click the tab and change the default font from Raster to Lucida Console ( ).
Click .
Restart the machine.
If you upgrade from Identity Manager 4.0 to 4.0.1 on a system that was installed through the integrated installer, the upgrade ignores the JRE version that shipped with Identity Manager 4.0 and instead uses the JRE 1.6_20 that ships with the individual product installers. The JRE 1.6_20 packaged with Identity Manager 4.0.1 has been updated to address CVE-2010-4476.
To use the same JRE version as that of Identity Manager 4.0, manually install JRE 1.6_20 or higher. Instructions for installing the latest JRE version are available at the JRE Patch Download Site.
For a successful installation and configuration of Identity Manager, do the following:
For GUI Install: Before invoking the Identity Manager installer, manually install the dependent libraries.
For a 64-bit RHEL: Install the following libraries in the same order:
libXau-1.0.5-1.el6.i686.rpm
libxcb-1.5-1.el6.i686.rpm
libX11-1.3-2.el6.i686.rpm
libXext-1.1-3.el6.i686.rpm
libXi-1.3-3.el6.i686.rpm
libXtst-1.0.99.2-3.el6.i686.rpm
glibc-2.12-1.7.el6.i686.rpm
libstdc++-4.4.4-13.el6.i686.rpm
libgcc-4.4.4-13.el6.i686.rpm
compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
For a 32-bit RHEL: Install the following library:
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
For Non-GUI Install: Before invoking the Identity Manager installer, manually install the dependent libraries.
For a 64-bit RHEL: Install the following libraries in the same order:
glibc-2.12-1.7.el6.i686.rpm
libstdc++-4.4.4-13.el6.i686.rpm
libgcc-4.4.4-13.el6.i686.rpm
compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
For a 32-bit RHEL: Install the following library:
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
NOTE: On all Linux platforms, ensure that the unzip rpm is installed before installing Identity Manager.
To work around this issue, manually start JBoss after the system reboots.
To work around this issue, manually start the Role Mapping Administrator service after completing the Identity Manager 4.0.1 installation.
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2011 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.