Novell Identity Manager 4.0.1 Readme

February, 2012

This document contains the known issues for Novell Identity Manager 4.0.1.

1.0 Readme Information

The latest version of this Readme is available at the Novell Identity Manager documentation Web site.

2.0 Documentation

This Readme contains the known issues for Identity Manager 4.0.1. In addition to this Readme, separate Readmes are available for Designer 4.0.1 and Analyzer 4.0.1:

Additional documentation resources are also available for the following products:

3.0 Known Issues

The following sections provide information on known issues at the time of the product release.

3.1 Identity Manager 4.0.1 Framework Installer Issues

You might encounter the following issues during the installation of the Identity Manager framework installer:

On Solaris, a 32-bit Remote Loader does not install through framework installer

For a successful installation, manually install the 32-bit NOVLaudpa.pkg package for Remote Loader on Solaris.

The installation is successful for a 64-bit Remote Loader.

On Linux, the Remote Loader does not install through framework installer

IMPORTANT: This issue occurs only with the Identity_Manager_4.0.1a_Linux_Advanced.iso or the Identity_Manager_4.0.1a_Linux_Standard.iso files.

To install the Remote Loader through the framework installer, select either a 32-bit Remote Loader or a 64-bit Remote Loader in one installation instance, then run installation separately for each of them. The installation fails if you select both Remote Loaders in one installation instance. Only one Remote Loader can be installed at a time.

Also, port 8000 must be free to ensure a successful Identity Manager installation.

On Windows, the Identity Manager 4.0.1 framework installer does not place the installation files in the specified location if the path contains spaces

Ensure that the specified path doesn’t contain any spaces.

The Linux/UNIX Bidirectional driver cannot be installed in a Solaris zone that contains a read-only /usr partition

You cannot install the Linux/UNIX Bidirectional driver in a Solaris zone that contains a read-only /usr partition. If you select the driver for installation, the Identity Manager 4.0.1 framework installer reports an error.

The Restore Default button does not work during Identity Manager installation

During the Identity Manager installation, if you return to the Installation Location page from the subsequent page, the Restore Default button does not work as expected.

The Add or Remove Programs List Shows an incorrect Identity Manager Version

After Identity Manager 4.0.1 is installed on your Windows machine, if you click the Click here for support information link under the Identity Manager entry in the Add or Remove Programs list, it displays Identity Manager 4.0.

To find the correct Identity Manager version that has been deployed on your machine, run the DxCMD command.

3.2 Identity Manager 4.0.1 Integrated Installer Issues

You might encounter the following issues when you use the Identity Manager integrated installer:

The secondary server addition might fail if the primary server is installed on Windows 2k3 and secondary server is installed on Linux

The primary server might stop working just before you start the Metadirectory server configuration after the Identity Vault configuration is completed.

If the primary server stops working, follow these steps to resume the configuration from the current state:

  1. Start Identity Vault on the primary server.

  2. On the Linux machine, create the /root/idm/Uninstall_Identity_Manager/idmconfigure_state.conf file. The idmconfigure_state.conf file should contain only a false entry.

  3. Make sure that the IA_RESULT_IDM_FRAMEWORK_CONFIGURED entry in the /etc/opt/novell/idm/install/state/conf/install_state.conf file does not have the value true.

  4. Rerun the configuration.

The Identity Manager components do not launch after a successful installation on 64-bit SLES 11 platform

If you are installing Identity Manager through the integrated installer, make sure that the libgthread-2_0-0-32bit-2.17.2+2.17.3+20080708+r7171-3.1.x86_64.rpm compat library is installed before you start the Identity Manager installation on the 64-bit SLES 11 platform.

The Identity Manager 4.0.1 integrated installer fails to install on Windows when you use UNC paths

You cannot use UNC paths for installation and configuration when you use the Identity Manager 4.0.1 integrated installer (for example, \\myserver\share\Identity_Manager_4.0.1_Windows_Enterprise).

To work around this issue, create an actual mapped drive.

The remote desktop installation of Identity Manager might randomly fail

The Identity Manager installation might fail with an error message if you are installing from a remote desktop. Because the remote desktop connection is delayed in comparison to the actual/physical access, the install process fails to acquire the local referrals, resulting in a failed installation.

To work around this issue, install Identity Manager on an actual/physical connection of the server or by using a VNC connection.

No Server health check before secondary server addition

The integrated installer does not perform a health check before the secondary server addition.

You must run ndscheck if you are adding a secondary server through the integrated installer. On Windows, run ndscheck from the <install location>\NDS location. On Linux/Solaris, run it from the /opt/novell/eDirectory/bin/ndscheck directory. Specify the mandatory parameters and run the command as follows:

ndscheck [-h <hostname port>] [-a <admin FDN>] [-w <password>]

NOTE: Running ndscheck on Windows causes eMbox warnings to display on the screen. Don't treat these warnings as a health check failure. It is safe to ignore them.

You cannot change the default port for the SMTP server through the integrated installer

The integrated installer does not let you change the default port for the SMTP server in the following scenarios:

  • If the SMTP server is running on the system where you are configuring the Identity Reporting Module.

  • If the port specified for the SMTP server is already in use by other processes in the local system.

In both scenarios, do not change the default port value. As a workaround, after a successful configuration, run the following steps:

Linux:

  1. Change the <entry key="com.novell.idm.rpt.core.smtp.port" value="465"/> key value in the /etc/.java/.systemPrefs/_!%4!bw"2!'`!b!"s!#!!]@"u!':!.g==/IDM/Reporting/_!$@!.g!w/Core/prefs.xml file.

    NOTE: The path for Reporting preferences might have a goofy base64-encoded name. Ensure that Reporting and Core directories are mentioned in the path.

  2. Restart the JBoss server.

Windows:

  1. Change the "com.novell.idm.rpt.core.smtp.port"="465" registry value at HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs\/Novell/Inc.\/I/D/M\/Reporting\4.0\/Core.

  2. Restart the JBoss server.

SMTP user e-mail prompt accepts address only in an e-mail format

The SMTP user e-mail prompt does not accept a user name. It accepts only an e-mail address format.

Leave the default setting as is. After a successful configuration, run the following steps for the SMTP user e-mail prompt to accept the user name:

Linux:

  1. Change the <entry key="com.novell.idm.rpt.core.smtp.user" value="newsmtpusername"/> key value in /etc/.java/.systemPrefs/_!%4!bw"2!'`!b!"s!#!!]@"u!':!.g==/IDM/Reporting/_!$@!.g!w/Core/prefs.xml file.

    NOTE: The path for Reporting preferences might have a goofy base64-encoded name. Ensure that Reporting and Core directories are mentioned in the path.

  2. Restart the JBoss server.

Windows:

  1. Change the "com.novell.idm.rpt.core.smtp.user"="newsmtpusername" registry value at HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs\/Novell/Inc.\/I/D/M\/Reporting\4.0\/Core.

  2. Restart the JBoss server.
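The Linux steps for this issue and for the SMTP port issue above both edit the same prefs.xml, whose directory names are encoded. The following Python is an added example, not Novell's code: it locates the file by the Reporting and Core directories the Readme names and rewrites a single entry while keeping a backup. The sample tree, its directory names, the address admin@example.com and the port 2525 are constructed for the demonstration.

```python
import re
import shutil
import tempfile
from pathlib import Path
from xml.sax.saxutils import quoteattr

# Directory names the Readme says must appear in the path to the right prefs.xml.
REQUIRED_DIRS = ("Reporting", "Core")

# Constructed sample content in the Java preferences file layout.
SAMPLE_PREFS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n'
    '<!DOCTYPE map SYSTEM "http://java.sun.com/dtd/preferences.dtd">\n'
    '<map MAP_XML_VERSION="1.0">\n'
    '  <entry key="com.novell.idm.rpt.core.smtp.port" value="465"/>\n'
    '  <entry key="com.novell.idm.rpt.core.smtp.user" value="admin@example.com"/>\n'
    '</map>\n'
)


def find_reporting_prefs(prefs_root):
    """Return every prefs.xml under prefs_root whose path contains both a
    'Reporting' and a 'Core' directory, whatever the encoded names around them."""
    root = Path(prefs_root)
    hits = []
    for candidate in root.rglob("prefs.xml"):
        parts = candidate.relative_to(root).parts
        if all(name in parts for name in REQUIRED_DIRS):
            hits.append(candidate)
    return sorted(hits)


def set_entry(prefs_file, key, new_value):
    """Change the value of one <entry key=... value=.../> and return the old value.

    Only the attribute value is rewritten, so the XML declaration, DOCTYPE and
    all other entries stay exactly as they were. The first call keeps a copy of
    the untouched file next to it as prefs.xml.bak.
    """
    path = Path(prefs_file)
    text = path.read_bytes().decode("utf-8")
    pattern = re.compile(r'(<entry\s+key="%s"\s+value=)"([^"]*)"' % re.escape(key))
    matches = pattern.findall(text)
    if len(matches) != 1:
        raise ValueError("expected exactly one %r entry in %s, found %d"
                         % (key, path, len(matches)))
    backup = path.with_name(path.name + ".bak")
    if not backup.exists():
        shutil.copy2(path, backup)
    # quoteattr() escapes the value and adds the surrounding quotes.
    updated = pattern.sub(lambda m: m.group(1) + quoteattr(new_value), text)
    path.write_bytes(updated.encode("utf-8"))
    return matches[0][1]


def build_sample_tree(base):
    """Constructed tree: one real target under .../Reporting/.../Core and one
    decoy prefs.xml that sits under Reporting but not under Core."""
    core = Path(base) / "_!encoded-vendor==" / "IDM" / "Reporting" / "_!encoded-ver" / "Core"
    core.mkdir(parents=True)
    (core / "prefs.xml").write_text(SAMPLE_PREFS, encoding="utf-8")
    decoy = Path(base) / "_!encoded-vendor==" / "IDM" / "Reporting"
    (decoy / "prefs.xml").write_text(SAMPLE_PREFS, encoding="utf-8")


def demo():
    """Run both Readme changes against the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = find_reporting_prefs(tmp)
        target = found[0]
        old_port = set_entry(target, "com.novell.idm.rpt.core.smtp.port", "2525")
        old_user = set_entry(target, "com.novell.idm.rpt.core.smtp.user", "newsmtpusername")
        backup_text = target.with_name("prefs.xml.bak").read_text(encoding="utf-8")
        return len(found), old_port, old_user, target.read_text(encoding="utf-8"), backup_text


if __name__ == "__main__":
    count, old_port, old_user, new_text, _ = demo()
    print("files matched:", count)
    print("previous port:", old_port, "previous user:", old_user)
    print(new_text)
```

On a real server, call find_reporting_prefs("/etc/.java/.systemPrefs") with sufficient privileges, confirm that exactly one file is returned, and restart the JBoss server after the change as the steps above require.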

Configuration issues when SAML NMAS method is used

During the Identity Manager configuration, the integrated installer adds the SAML method, but does not extend the authsaml.sch schema. You must manually extend the NMAS schema if you are using the SAML method.

Run the following steps to extend the NMAS schema:

  1. Unzip the nmassaml.zip file from the <iso>\products\RBPM\SAML location to the temp directory.

  2. Extend the authsaml.sch file from the <temp directory>\saml\authsaml.sch location by using iManager, ndssch, or the Novell ICE utility.

    For more information on extending eDirectory schema, see Extending the Schema.

  3. Restart eDirectory.

This configuration is required if you use Identity Vault with SAML as a user store for Novell Access Manager.

The User Application container DN prompt incorrectly displays in the configuration page

The prompt is labeled User Application driver container DN instead of User Application container DN. For a successful configuration, you must specify the User Application container DN for this option.

During Identity Vault configuration, DHost sometimes stops working on Windows 32-bit systems

The eDirectory crash is observed during eDirectory configuration. The following message is displayed:

DHost has stopped working.

To complete the configuration, click the Close the program button.

On Linux, the Remote Loader does not install through integrated installer

IMPORTANT: This issue occurs only with the Identity_Manager_4.0.1a_Linux_Advanced.iso or the Identity_Manager_4.0.1a_Linux_Standard.iso files.

The integrated installer fails to install the Remote Loader.

You must install the Remote Loader through the framework installer. Select either a 32-bit Remote Loader or a 64-bit Remote Loader in one installation instance, then run installation separately for each of them. The installation fails if you select both Remote Loaders in one installation instance. Only one Remote Loader can be installed at a time.

Also, port 8000 must be free to ensure a successful Identity Manager installation.

3.3 Remote Loader

You might encounter the following issues as you use the Remote Loader:

The Remote Loader console help page is not displayed on Windows Server 2008 Core

On Windows Server 2008 Core, when you click Help in the Remote Loader console, the corresponding help page is not displayed.

To work around this issue, install a browser (for example, Internet Explorer) on your machine and click Help in the Remote Loader console.

The audit events are not generated if 32-Bit and 64-Bit Remote Loaders coexist

If you choose to have both a 32-bit and a 64-bit Remote Loader on the same machine, the audit events are generated only with the 64-bit Remote Loader. Events are not logged to the lcache file with the 32-bit Remote Loader.

When 32-bit and 64-bit Remote Loaders are installed together, the events are logged to the 64-bit lcache and 32-bit Remote Loader fails to log audit events. It displays the "Agent already running error" error message.

However, if a 64-bit Remote Loader is installed before installing a 32-bit Remote Loader, the events are logged to the 32-bit lcache, which prevents 64-bit Remote Loader from logging events. The 32-bit and 64-bit lcaches don’t work on the same machine.

To work around this issue, don't install both 32-bit and 64-bit Remote Loaders on the same machine.

3.4 Engine

You might encounter the following issues as you use Identity Manager:

When you start eDirectory on virtual machines, the Identity Manager engine might fail to load because of an error from JNI_CreateJavaVM

This issue is observed only on virtual machines.

To work around this issue:

  1. Restart eDirectory.

  2. Reduce the JVM minimum heap size if the failure repeats.

  3. Restart eDirectory.

Enabling or disabling a telemetry job fails on a different server in a driver set

To enable or disable a telemetry job, connect iManager to the server where the job is configured to run.

If you enable or disable it from a different server than the server it is configured to run on, it might not be enabled/disabled. It might also continue to run even if it is disabled on the other server.

The default transmit location configured in the Telemetry job does not work

Go to Jobs > Telemetry Job Configuration > Parameters tab and manually change the default transmit location to https://secure-www.novell.com/center/comsvc-1.0/.

3.5 Drivers

You might encounter the following issues as you use the Identity Manager drivers:

Do not use rpm -Uvh command to upgrade a Notes driver patch prior to version 3.5.8

On Linux platforms, you should not use the rpm -Uvh command to upgrade a Notes driver patch prior to version 3.5.8. This command displays a File already exists message and removes existing links. Instead, run the following steps to upgrade the driver to the latest version:

  1. Remove the old RPM by using the following command:

    rpm -ev novell-DXMLnotes-3.5.x

  2. Add the new RPM by using the following command:

    rpm -ivh novell-DXMLnotes.rpm

The JDBC driver upgrade from a version earlier than 3.5.1 to version 3.5.1 or later fails

This issue has been reported only on MySQL. The upgrade operation fails when you upgrade the JDBC driver from a version earlier than 3.5.1 to version 3.5.1 or later.

The operation fails because of one of the following reasons:

  • The driver cannot use the mysql-connector-java-3.1.11-bin.jar driver classes to read the metadata of tables.

  • You cannot get the information from the state files because the serialVersionUID of the class JDBMKeyComparator has changed after the upgrade.

To work around this issue, use one of the following actions:

  • Upgrade the third-party driver class from mysql-connector-java-3.1.11-bin.jar to mysql-connector-java-5.1.6-bin.jar.

  • Delete the state files and restart the driver.

Cannot select options when creating or configuring a driver on Linux in Designer

At times, you cannot select drop-down options when creating or configuring a driver. To work around this issue:

  1. Click the drop-down menu and continue to hold the left mouse button until the desired option is highlighted.

  2. Release the left mouse button to select the option.

A warning message might display while installing or upgrading the Sentinel driver from earlier versions to Identity Manager 4.0.1

If the Sentinel driver was not configured with an earlier version of Identity Manager and Identity Manager is upgraded to 4.0.1, the installer might display a warning message about the missing jssecacerts file when the Sentinel driver is upgraded. You might also see this warning when Identity Manager 4.0.1 is installed for the first time.

It is safe to ignore the warning.

When you start Notes Driver on a Windows machine, it fails to start because of an error from JNI_CreateJavaVM

To work around this issue:

In the Remote Loader advanced options, change the JVM minimum heap size to 8 and maximum heap size to 64.

3.6 Identity Reporting Module

You might encounter the following issues as you use the Identity Reporting Module:

Connected system end points are not accessible if the IP address is not changed for the Managed System Gateway driver

Using the loopback address 127.0.0.1 as the IP address for the Managed System Gateway driver is valid and works correctly when you configure with the integrated installer. However, the endpoints do not work when the IP address is the loopback address (127.0.0.1). In this case, specify the correct IP address in the Driver Configuration > Connection Parameters section of the Managed System Gateway driver.

Error displayed if the Identity Reporting Module and RBPM are separately configured

The integrated installer displays the following error if Identity Reporting Module and the Roles Based Provisioning Module are separately configured:

'Failed to load users/passwords/role files'

To work around this issue, either stop JBoss before installing the Identity Reporting Module or restart JBoss after installing the Identity Reporting Module.

Database column is not populated during role assignments

When users assign roles, the request_date column in the idmrpt_idv_identity_trust table is not being populated with data. The defect number is 633206.

Removal of extended attributes is not reflected in the extended attributes table

If you remove an attribute that was added to the Data Collection Service driver filter policy, the attribute is not removed from the extended attributes tables (idmrpt_ext_attr, which tracks the attributes) and no data is removed from the idmrpt_ext_item_attr table. The defect number is 633209.

The Calendar does not navigate to Today when the display option is set to 1 week

On Firefox, when the Display Options are set to show 1 week on the Calendar page, you do not see today’s schedule if you click the Today button. Instead, you see a day one week ahead of today. To see today’s schedule in the Calendar page, press the up-arrow to go back one week. This problem does not occur on Internet Explorer.

The clock must be set correctly before you run the EAS install

If the times of your machines are not in synchronization when you install the Event Auditing Service (EAS), there may be problems with your configuration. You cannot install EAS on Windows. It must be installed on Linux. Therefore, the Linux server where EAS is installed must be synchronized with the machine where you are installing the rest of your components.

The Reporting Module installation sometimes overwrites the logevent.conf file

Under the following circumstances, the logevent.conf is overwritten without prompting during the installation of the reporting module:

  1. There is already a logevent.conf file in /etc/.

  2. EAS is installed on the same machine.

  3. During the reporting installation, you replace the value of localhost and enter the machine's actual IP address for the EAS server.

To work around this issue, manually update the /etc/logevent.conf file after the installation is complete.

The Reporting Module installation does not write the PostgreSQL JDBC JAR successfully when EAS is remote

If EAS is installed remotely and you want to test the connection to EAS during the Identity Reporting Module installation, the parent directory of your chosen install directory must exist prior to running the installation. Without an existing parent directory, the installation directory cannot be created in order to write the JDBC JAR file used for testing the connection. For example, if you are installing the Identity Reporting Module to /opt/novell/IdentityReporting, you need to ensure that the /opt/novell directory exists before beginning the installation.

The collection state of the Managed System Gateway driver is active in SE

If RBPM and the Identity Reporting Module are configured from an AE .iso file, and the tree to which they are connected is an SE tree, the collection state of the Managed System Gateway driver is active when it should not be. This bug occurs only in the following mixed mode scenario:

  1. The Metadirectory server is installed from an SE .iso file on one machine.

  2. RBPM and Reporting are configured from an AE .iso file on another machine (RemoteIDVault scenario) that tries to connect to the SE tree installed earlier.

Because the reporting module is configured from an AE .iso file, it tries to configure the Managed System Gateway driver, and the Managed System Gateway driver registration parameter is set to Yes in the Data Collection Service driver.

IDMRPT_CORE war deployment might fail on JBoss

The IDMRPT_CORE war deployment sometimes fails on the JBoss application server because of memory issues. Look for the following error messages in the server console:

***********Server Error Log******************
16:45:02,440 INFO  [[/IDMRPT-CORE]] Marking servlet OsgiBridge as unavailable
16:45:02,441 ERROR [[/IDMRPT-CORE]] Servlet /IDMRPT-CORE threw load() exception
java.lang.OutOfMemoryError: Java heap space

...

*******************************************

There are two different memory issues and the solutions are different:

ZipFile out-of-memory issue

Unfortunately, Novell is unable to correct this problem.

In this situation, you might see an error similar to the following, most of the time followed by a JVM crash:

java.lang.OutOfMemoryError
    at java.util.zip.ZipFile.open(Native Method)
    at java.util.zip.ZipFile.<init>(Unknown Source)
    at java.util.zip.ZipFile.<init>(Unknown Source)
    at org.jboss.virtual.plugins.context.zip.ZipFileWrapper.ensureZipFile(ZipFileWrapper.java:175)
    at org.jboss.virtual.plugins.context.zip.ZipFileWrapper.openStream(ZipFileWrapper.java:213)
    at org.jboss.virtual.plugins.context.zip.ZipEntryContext.openStream(ZipEntryContext.java:1082)
    at org.jboss.virtual.plugins.context.zip.ZipEntryHandler.openStream(ZipEntryHandler.java:153)
    at org.jboss.virtual.VirtualFile.openStream(VirtualFile.java:230)
    at org.jboss.classloading.spi.vfs.policy.VFSClassLoaderPolicy.getResourceAsStream(VFSClassLoaderPolicy.java:483)

This indicates that the available system memory on your machine is not sufficient for running our product. Either increase your memory, or stop some unnecessary services from running. Increasing the Java heap size with -Xmx for your application server does not help.

Java heap out-of-memory issue

If you use your own JBoss, you need to use the following procedure to upgrade Hibernate before you can use the product:

  1. Stop JBoss.

  2. Back up the Hibernate jars.

    Go to the <jboss>/common/lib folder and move all jars beginning with hibernate to a backup location outside the <jboss> folder.

  3. Go to the Hibernate Web site and follow its instructions to download Hibernate 3.6.1.

  4. Unzip Hibernate and copy the hibernate3.jar file into <jboss>/common/lib.

  5. Start JBoss.

NOTE: If you do not upgrade Hibernate, the reporting module might not start properly. Also, remember that upgrading Hibernate affects non-Identity Manager applications running on the same JBoss.

A valid certificate is not converted

This problem has only been observed on WebSphere.

When you add an application in the reporting module, you might notice that a valid certificate is not properly converted. The following actions might cause this problem to occur:

  1. You log in to the Identity Reporting Module with valid credentials.

  2. You navigate to the Applications page and click the Add Application button.

  3. You fill in all the mandatory fields and browse for the certificate by selecting the SSL check box and clicking Test.

The certificate should be converted, but this does not occur.

To work around this problem, you can simply copy and paste the content of the certificate into the text area on the form.

Reports might be empty when the server times are not synchronized

User account creation is updated in the database in the idmrpt_idv_acct table. However, some reports might be empty when executed if the time between the servers is not synchronized.

This happens only for new users when the time between the servers is out of synchronization. If a user is created and then modified, the reports are populated with data.

This issue occurs when the Metadirectory and Reporting servers are running on different machines, and the time stamp value of the Metadirectory server is ahead compared to the reporting server. User account creation is updated with Metadirectory time stamp and hence until the reporting server time meets the user account time stamp, you cannot fetch the data into reports.

The fix for this issue is to ensure that all servers have the same time.

Frequency cannot be modified in a schedule

Currently, in release 4.0.1 of the Identity Reporting Module, it is not possible to modify the frequency of a schedule. If you need to change the frequency (from week to month, for example), you need to delete the schedule and create a new one.

Download of an RPZ may change to a ZIP with Internet Explorer

Currently, when using the Download page in Identity Reporting Module with an Internet Explorer browser, the file may change its extension from .rpz to .zip. This change does not cause any problems. The reporting module will handle the upload and import the report correctly if the extension is .zip. With a Firefox browser, the extension always will be .rpz.

Upgrade to the Identity Reporting Module might not immediately show the Advanced Version

If you change from the Standard Version to the Advanced Edition, the version change for the reporting module occurs after the next batch of events is processed.

Startup process requires extra time before reports can be generated

When you first start the Identity Reporting Module, wait 5 minutes before running a report. The startup process consumes a lot of memory, leaving less memory for the report generation. If you do not wait 5 minutes, you may encounter memory errors.

Reporting does not start on Windows 2008 if the JRE is 64-bit

When using the standalone installers for RBPM and the Identity Reporting Module, you may see configuration errors on Windows 2008 if you install both components and switch from a 32-bit JRE to a 64-bit JRE.

The Identity Reporting Module is installed with a 32-bit JRE. Preferences are set under this JRE environment.

If you install a 64-bit Java on Windows 2008, it becomes the default Java on your system. When JBoss starts up, it reads the environment variable JAVA_HOME, and uses the Java that JAVA_HOME points to. If JAVA_HOME points to the 64-bit Java, then you will see errors in the JBoss server log when starting the reporting module (IDMRPT, IDMRPT-AUTH, IDMRPT-CORE) indicating that the configuration is not correct. This is because it is reading the preferences under the 64-bit Java and not the 32-bit Java.

To work around this issue, open the start-jboss.bat file and edit the JAVA_HOME and PATH entries to point to the 32-bit Java. This will typically be in your JBoss directory. Alternatively, if you are aware of this issue before installing RBPM, you can point to the 32-bit Java when the installer asks which Java you want to use.

If you install RBPM alone (and do not install the Identity Reporting Module), you can use 64-bit Java.

Internet Explorer displays a warning when accessing reporting in HTTPS

If you access the reporting module with an Internet Explorer browser in HTTPS, you will receive a pop-up message similar to the following:

Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.

If you select Yes, the login screen for the reporting module will not appear. You must select No. This behavior occurs because the download site for new reports supports only the HTTP protocol, and the link to that site is constructed using http://. This behavior is not seen with Firefox.

Standard Edition Reporting Configuration splash screen displays version as Advanced Edition

In Standard Edition, the Reporting Configuration tool shows Advanced Edition.

EAS may not start on a very fast server

In some cases, after you upgrade to 4.0.1, EAS may not come up after a reboot if you have a very fast Enterprise server. You can start the server manually with this command:

/etc/init.d/sentinel_eas start

If you see this behavior, you can add a wait statement to pause EAS so it has a chance to fully shutdown and restart when rebooting. To do this, you can modify the /opt/novell/sentinel_eas/bin/server.sh file. Search for the places in the file where you see a call to stop or start the database. You should find several occurrences in the file.

Add this argument after each start statement:

--wait 45

For example:

ALLOW_ROOT=1 RUN_AS_USER=$RUN_AS_USER "${ESEC_HOME}/bin/db.sh" start --wait 45 --quiet

Add this argument after each stop statement:

--wait 15

For example:

ALLOW_ROOT=1 RUN_AS_USER=$RUN_AS_USER "${ESEC_HOME}/bin/db.sh" stop --quiet --wait 15

Save your changes when you’re done editing the file.

Need to change the definition for the cat_item_type_id column in the idm_rpt_data.idmrpt_sod_violations_hist table

The definition of the cat_item_type_id column in the idm_rpt_data.idmrpt_sod_violations_hist table needs to be changed to allow nulls.

To allow nulls in the cat_item_type_id column, perform these steps:

  1. Launch pgAdminIII.

  2. Connect to the PostgreSQL database server in EAS as the dbauser.

  3. Press the plus sign + next to Databases.

  4. Select the SIEM Database.

  5. Press the plus sign + next to the SIEM Database.

  6. Press the plus sign + next to Schemas.

  7. Press the plus sign + next to idm_rpt_data.

  8. Press the plus sign + next to Tables.

  9. Press the plus sign + next to the idmrpt_sod_violations_hist table.

  10. Press the plus sign + next to Columns.

  11. Select cat_item_type_id.

  12. In the Properties Panel double click on Not Null?.

  13. Uncheck the checkbox next to Not Null.

  14. Press the OK button.

easrestapi WAR fails to deploy

If you have changed the Network Interface Card (NIC) recently on your Windows machine, and the easrestapi WAR fails to deploy with an error similar to the following, you will need to disable IPv6 on this server:

Caused by: java.lang.ArrayIndexOutOfBoundsException    
  at java.lang.System.arraycopy(Native Method)    
  at com.esecurity.uuid.UUIDGenerator.<init>(UUIDGenerator.java:142)    
  at com.esecurity.uuid.UUIDGenerator.<clinit>(UUIDGenerator.java:86)

Here are the steps you need to perform:

  1. Remove the ipv6 bindings on all NICs.

  2. Add the following reg key and value:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters]
    "DisabledComponents"=dword:ffffffff

3.7 Roles Based Provisioning Module

You might encounter the following issues as you use the Roles Based Provisioning Module:

An error message is displayed for the Copy function in the Detail portlet

In Firefox, if you attempt to copy text in the Detail portlet, an error message is displayed.

The following actions cause this message to appear:

  1. You log in to the User application as administrator and go to the Administration tab.

  2. You click Portlet Admin > Detail Portlet in Portlet Applications.

  3. You click Preferences > View/Edit custom Preferences > continue.

  4. You click the HTML Layout edit icon and enter some sample text, such as “TEST”.

  5. You select the text and click the Copy icon.

If you follow these steps, you see the following error message:

“Exception... "Access to XPConnect service
denied"  code: "1011" nsresult: "0x805303f3
(NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED)"  location:
"http://172.16.1.99:8180/IDMProv/resource//portal-general/javascript/html_editor.js
Line: 531" ” when clicked on Copy button.

You might also see this message when performing cut and paste operations.

This is a known issue with Dojo and Firefox.

Session-level failover does not work with software dispatchers

The session-level failover does not function properly with software dispatchers. However, it works correctly with hardware dispatchers. Until further notice, the User Application supports only hardware dispatchers in a clustered environment.

Forms do not print correctly on Internet Explorer

You can add JavaScript to a workflow form to allow for printing. However, this technique does not produce expected results on Internet Explorer.

As described in the Designer documentation, you can add the following to the form onload event:

form.interceptAction("SubmitAction", "around",
      function (invocation)
        {var pf = new PrintForm("SubmitAction");
         pf.printFormInterceptor(invocation);
       } );

This action works correctly for both Internet Explorer and Firefox. However, the printed form output is not formatted correctly on Internet Explorer, although it is formatted correctly on Firefox.

Firefox supports automatic resizing of pages. It takes the entire page as a vector and resizes it, but Internet Explorer just changes the styles internally. For this reason, only Firefox can be used to resize the page appropriately for printing.

To work around this problem on Internet Explorer, determine which of the following possible solutions works best for you:

  • You can perform an Alt+Print Screen function in Internet Explorer that prints the content as it appears on the screen.

  • You can use the reference below, which might work for the workflows but might not print the form exactly the way you want it to print. This is a quick fix to print the form.

    <link rel="stylesheet" type="text/css" href="print.css" media="print" />
    

    This can be added in the workflow forms (the Request_form, Approval_form, and so forth) under Scripts > URL/Inline Script. This improves the print formatting on Internet Explorer, but might not be totally correct.

  • You can create a CSS script specifically for each workflow to print the output as you want it to appear. Each CSS script probably needs to be specific to a workflow and requires tweaking that could be time-consuming.

    The references look like this:

    document.writeln("<link rel=\"stylesheet\" type=\"text/css\" href=\"http://172.17.5.100:8280/externalFiles/css/jquery-ui-1.7.2.custom.css\"><\/script>");
    

    This can be added in the workflow forms (Request_form, Approval_form, and so forth) under Scripts > URL/Inline Script.

  • You can create an external WAR file that stores all the CSS scripts and is referenced from the workflow. This allows changes to be made in one file rather than within each workflow.

    For example, with document.writeln("<link rel=\"stylesheet\" type=\"text/css\" href=\"http://172.17.5.100:8280/externalFiles/css/jquery-ui-1.7.2.custom.css\"><\/script>");, you replace the href attribute with the link to your CSS script. You need to do it this way because the external script for a workflow form must be JavaScript. You need to use an inline script to load a reference to a CSS. The inline scripts go into a specific area on the form called scripts and are executed when the form is first loaded. You need to put the scripts on all the forms (request forms and approval forms). This allows you to specify a style that works for the printer, without changing the style for the viewable form.

RBPM reports have been deprecated

The Roles Based Provisioning Module reports that were provided in previous releases of the product (available under Reports on the Roles and Resources tab) are being deprecated in this release. These reports will be removed in a future release.

Digital signatures are not supported

Support for digital signatures has been removed in this release.

Accessory portlets are not supported

Support for accessory portlets has been removed in this release.

A new user with special characters in the name cannot log in to the User Application

On WebSphere, if you create a new user with special characters in the name, the user cannot log in to the User Application. For example, if you create a user as /Test// from the Create Users and Groups page, an error page is displayed when the new user tries to log in to the application.

The JBossPostgreSQL installer might display a pop-up in silent mode on Windows

PostgreSQL requires several Microsoft VC++ libraries when running on Windows. If these libraries are not installed on the Windows server, the PostgreSQL installer automatically installs them. When you run the JBossPostgreSQL installer in silent mode on Windows, a pop-up window appears for about three seconds while these libraries are being installed, if those libraries are not already installed on the machine.

At this time, the installer is not able to suppress this pop-up window on Windows.

Content for the User Application driver is missing trustees for Attestation Reports

If you redeploy the User Application driver from Designer after running the integrated installer, the trustees for the Attestation Report provisioning request definitions are deleted and no one can execute the report. The reason for this is that the trustees are added to the Attestation Report provisioning request definitions at User Application startup. Because Designer does not know about the trustees, an attempt to redeploy the User Application driver from Designer removes the trustees. Therefore, you need to import these objects from eDirectory after User Application startup to synchronize the trustees.

The integrated installer does not properly handle the RBPM error codes

In some situations, the integrated installer does not properly handle the Roles Based Provisioning Module setup errors. This can happen when the Roles Based Provisioning Module configuration fails because of a problem with the driver configuration process. In this case, the integrated installer configuration summary displays a message indicating that the Roles Based Provisioning Module configuration passed, but the Roles Based Provisioning Module configuration has setup errors. The defect number is 641557.

Caching issue with newly removed assignments

If you create a role or resource assignment, and then remove it, you see a message indicating that the assignment has been removed, but the assignment is still listed. If you refresh the page, you see that the assignment has been removed. This is caused by a caching issue.

Entity names with a dash are not supported in a search within the Org Chart portlet

The search feature in the Org Chart portlet does not work if the Entity type being displayed has a dash (-) in the name. At this time, the product does not support Entities with dashes in their names.

Workflow engine displays a java.lang.StackOverflowError in a looping workflow

If you have workflows that are recursive in nature (that execute loops), you might see a StackOverflowError at execution time. Java does not handle the stack space for recursive type functions effectively. Therefore, in recursive workflows, you need to increase the stack size for the JVM. The JVM defaults to 512K. You might want to increase the stack size to 1M.

To increase the stack size, you can include the -Xss1M setting with the JAVA_OPTS in your start JBoss script file.

JAVA_OPTS="-server -Xss1M -Xms512M -Xmx512M -XX:MaxPermSize=512m"

Setting NDSD_TRY_NMASLOGIN_FIRST to true on eDirectory

If you perform a default eDirectory installation and apply a password policy (one that has an Email Password to User action) to an existing user, and you then log in as this user and perform a forgotten password procedure, you might see a message that says Universal Password is not set after answering the challenge response questions.

To fix this issue:

  1. Add the following two lines to the pre_ndsd_start script located at /opt/novell/eDirectory/sbin (formerly in /etc/init.d):

    NDSD_TRY_NMASLOGIN_FIRST=true
    export NDSD_TRY_NMASLOGIN_FIRST
    

    This should be done on any server that might handle NMAS logins via LDAP.

  2. Restart eDirectory to apply the change.

For more information, see “How to Make Your Password Case-Sensitive” in the Novell eDirectory 8.8 What’s New Guide.

PostgreSQL does not support number format of Simplified Chinese

If your server is set up with Simplified Chinese as the number format (by using Control Panel -> Clock, Language, and Region -> Region and Language -> Formats tab -> Format -> Chinese, Simplified, PRC), PostgreSQL will not install successfully. Do not use the Simplified Chinese number format on the server that PostgreSQL will be installed on.

Resource with multiple entitlement values assigned at the Runtime shows only one in the request status tab

If you assign a resource to a user that has multiple values from an entitlement, only one entry is listed on the Request Status tab. The first value selected is the one displayed. On the Assignments tab, multiple entries are listed, and the user appears as many times as there were values selected.

SQL file option should not be used in the installer

Currently, in the User Application 4.0.1 release, there is an issue with SQL generation for both new and existing installs. These problems will be corrected and provided via a patch to the User Application. Do not use the SQL generation option in the User Application installer until further notice.

Association Description is required for the default language when assigning resources to roles

When accessing the User Application in a language that is not the default language (for example, accessing in Spanish while the default language is set to English), if you add a resource to a role, you also need to supply a value for the default language in the Association Description field. To do this, press the Localization button after the Association Description field and enter a value in the Language that is marked with the * (the default language). If you do not enter a value for the default language, you will receive an error and will not be able to add the resource to the role.

Deploying RBPM on JBoss 5.1.0 EAP requires manual setup

To deploy RBPM on JBoss 5.1.0 Enterprise Application Platform (EAP), you need to perform several manual setup steps. The setup process is outlined below:

  1. Install JBoss 5.1 EAP.

  2. Copy the jbosssx.jar file from the %jboss-root%/lib directory to the %jboss-root%/common/lib directory before launching the RBPM User Application installer.

  3. Install the RBPM User Application.

  4. Replace the messaging-jboss-beans.xml file you have with a modified XML file.

    If you deploy RBPM on JBoss 5.1.0 EAP without replacing the messaging-jboss-beans.xml file, you might see multiple warnings and errors in the startup log.

    The problem is that the RBPM installer uses the community version of the messaging-jboss-beans.xml file as a template to generate its own version of the file. Unfortunately, the EAP version is very different in many aspects, including the definitions of QueueMODefinition and TopicMODefinition.

    The workaround for this issue is to replace the messaging-jboss-beans.xml file you have with the modified XML file shown below. The file needs to be in the IDMProv/deploy/messaging folder.

    <?xml version="1.0" encoding="UTF-8"?>
    
    <!--
     ========================================================================
    
     Copyright (c) 2009 Novell, Inc. All Rights Reserved.
    
     THIS WORK IS SUBJECT TO U.S. AND INTERNATIONAL COPYRIGHT LAWS AND TREATIES
     NO PART OF THIS WORK MAY BE USED, PRACTICED, PERFORMED COPIED, DISTRIBUTED,
     REVISED, MODIFIED, TRANSLATED, ABRIDGED, CONDENSED, EXPANDED, COLLECTED,
     COMPILED, LINKED, RECAST, TRANSFORMED OR ADAPTED WITHOUT THE PRIOR WRITTEN
     CONSENT OF NOVELL, INC. ANY USE OR EXPLOITATION OF THIS WORK WITHOUT
     AUTHORIZATION COULD SUBJECT THE PERPETRATOR TO CRIMINAL AND CIVIL
     LIABILITY.
    
     ========================================================================
    -->
    
    <!--
        Messaging beans
        $Id: messaging-jboss-beans.xml 88672 2009-05-11 20:49:47Z anil.saldhana@jboss.com $
    -->
    <deployment xmlns="urn:jboss:bean-deployer:2.0">
    
       <!-- messaging application-policy definition -->
       <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
          <authentication>
             <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="unauthenticatedIdentity">guest</module-option>
                <module-option name="dsJndiName">java:/IDMUADataSource</module-option>
                <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
                <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
             </login-module>
          </authentication>
       </application-policy>
    
       <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
          <!-- default security configuration -->
          <property name="defaultSecurityConfig">
             <![CDATA[
                <security>
                   <role name="guest" read="true" write="true" create="true"/>
                </security>
             ]]>
          </property>
          <property name="suckerPassword">changeit</property>
          <property name="securityDomain">messaging</property>
          <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
          <!-- @JMX annotation to export the management view of this bean -->
          <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.messaging:service=SecurityStore",exposedInterface=org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStoreMBean.class)</annotation>
          <!-- Password Annotation to inject the password from the common password utility
           <annotation>@org.jboss.security.integration.password.Password(securityDomain="messaging",methodName="setSuckerPassword")</annotation>
           -->
       </bean>
    
       <bean name="MessagingDeploymentTemplateInfoFactory"
          class="org.jboss.managed.plugins.factory.DeploymentTemplateInfoFactory"/>
    
       <bean name="QueueTemplate" class="org.jboss.profileservice.management.templates.JmsDestinationTemplate">
          <property name="info"><inject bean="QueueTemplateInfo"/></property>
       </bean>
       <bean name="QueueTemplateInfo"
          class="org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo">
          <constructor factoryMethod="createTemplateInfo">
             <factory bean="DSDeploymentTemplateInfoFactory"/>
             <parameter class="java.lang.Class">org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo</parameter>
             <parameter class="java.lang.Class">org.jboss.jms.server.destination.QueueServiceMO</parameter>
             <parameter class="java.lang.String">QueueTemplate</parameter>
             <parameter class="java.lang.String">A template for JMS queue *-service.xml deployments</parameter>
          </constructor>
          <property name="destinationType">QueueTemplate</property>
       </bean>
    
       <bean name="TopicTemplate" class="org.jboss.profileservice.management.templates.JmsDestinationTemplate">
          <property name="info"><inject bean="TopicTemplateInfo"/></property>
       </bean>
       <bean name="TopicTemplateInfo"
          class="org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo">
          <constructor factoryMethod="createTemplateInfo">
             <factory bean="DSDeploymentTemplateInfoFactory"/>
             <parameter class="java.lang.Class">org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo</parameter>
             <parameter class="java.lang.Class">org.jboss.jms.server.destination.TopicServiceMO</parameter>
             <parameter class="java.lang.String">TopicTemplate</parameter>
             <parameter class="java.lang.String">A template for JMS topic *-service.xml deployments</parameter>
          </constructor>
          <property name="destinationType">TopicTemplate</property>
       </bean>
    
    </deployment>
    
  5. Replace the postgresql-persistence-service.xml file with the %jboss-root%/docs/examples/jms/postgresql-persistence-service.xml file and copy it to %jboss-root%/server/IDMProv/deploy/messaging/.

  6. Edit the postgresql-persistence-service.xml file and replace the text DefaultDS with the text IDMUADataSource.

  7. In the postgresql-persistence-service.xml file, also comment out the following lines within the Clustered attribute:

    <attribute name="Clustered">false</attribute>
    
          <!-- All the remaining properties only have to be specified if the post
    office is clustered.
               You can safely comment them out if your post office is non clustered
    -->
    
          <!-- The JGroups group name that the post office will use -->
    
          <!--attribute
    name="GroupName">${jboss.messaging.groupname:MessagingPostOffice}</attribute>-->
    
          <!-- Max time to wait for state to arrive when the post office joins the
    cluster -->
    
          <!--attribute name="StateTimeout">30000</attribute>-->
    
          <!-- Max time to wait for a synchronous call to node members using the
    MessageDispatcher -->
    
          <!--attribute name="CastTimeout">30000</attribute>-->
    
          <!-- Set this to true if you want failover of connections to occur when a
    node is shut down -->
    
          <!--<attribute name="FailoverOnNodeLeave">false</attribute>
    
          <depends
    optional-attribute-name="ChannelFactoryName">jboss.jgroups:service=ChannelFactory</depends>
          <attribute name="ControlChannelName">jbm-control</attribute>
          <attribute name="DataChannelName">jbm-data</attribute>
          <attribute
    name="ChannelPartitionName">${jboss.partition.name:DefaultPartition}-JMS</attribute>-->
       </mbean>
    
  8. Also, in postgresql-persistence-service.xml:

    1. Find this line:

      POPULATE.TABLES.3  = INSERT INTO JBM_USER (USER_ID, PASSWD, CLIENTID)
      VALUES ('john', 'needle', 'DurableSubscriberExample')
      

      Replace it with this line:

      POPULATE.TABLES.3  = INSERT INTO JBM_USER (USER_ID, PASSWD,
      CLIENTID) VALUES ('p_user', 'changeit', 'IDMNotificationDurableTopic')
      
    2. Find this line:

      POPULATE.TABLES.8  = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES
      ('john','guest')
      

      Replace it with this line:

      POPULATE.TABLES.8  = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID)
      VALUES ('p_user','guest')
      
    3. Find this line:

      POPULATE.TABLES.9  = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES
      ('subscriber','john')
      

      Replace it with this line:

      POPULATE.TABLES.9  = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID)
      VALUES ('subscriber','p_user')
      
    4. Find this line:

      POPULATE.TABLES.10 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES
      ('publisher','john')
      

      Replace it with this line:

      POPULATE.TABLES.12 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID)
      VALUES ('durpublisher','p_user')
      
  9. Start JBoss.

    If you are configured correctly, you will see this information in the server log:

    INFO  [ServerPeer] JBoss Messaging 1.4.7.GA server [0] started
    {About 7 lines down}
    INFO  [TopicService] Topic[/topic/IDMNotificationDurableTopic] started,
    fullSize=200000, pageSize=2000, downCacheSize=2000
    

    In addition, you will see this information further down in the log:

    INFO  [RBPM] [com.novell.soa.notification.impl.jms.JMSConnectionMediator:init]
    Starting JMS notification system
    INFO  [STDOUT] INFO  [RBPM]
    [com.novell.soa.notification.impl.NotificationThread:run] Starting asynchronous
    notification system
    

In addition, the stop-jboss.sh script that is created during the installation process needs to be modified. The JBoss administrator’s user ID and password must be appended to the end of the shutdown command:

shutdown.sh -s jnp://localhost:1199 -u %value% -p %value%

For example:

shutdown.sh -s jnp://localhost:1199 -u admin -p novell
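
The following Python check is an added example, not part of the Novell Readme or of the product. It reads the two files edited in steps 4 through 8 and the modified stop-jboss.sh, and reports steps that were missed as well as the placeholder credentials (changeit, needle) and guest permissions that the procedure leaves in place. The function names and the abridged sample fragments are constructed for illustration.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

# Placeholder secrets that appear verbatim in the files shown in this Readme.
PLACEHOLDERS = {"changeit", "needle"}
ROW = r"INSERT\s+INTO\s+%s\s*\([^)]*\)\s*VALUES\s*\(\s*'([^']*)'\s*,\s*'([^']*)'"
USER_ROW = re.compile(ROW % "JBM_USER", re.IGNORECASE)
ROLE_ROW = re.compile(ROW % "JBM_ROLE", re.IGNORECASE)


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_beans(xml_text):
    """Review items for messaging-jboss-beans.xml (step 4)."""
    findings = []
    for elem in ET.fromstring(xml_text.strip()).iter():
        kind, name, text = _local(elem.tag), elem.get("name"), (elem.text or "").strip()
        if kind == "module-option" and name == "unauthenticatedIdentity":
            findings.append("unauthenticated clients get the identity '%s'" % text)
        elif kind == "property" and name == "defaultSecurityConfig" and text:
            # The CDATA section carries a nested <security> document.
            for role in ET.fromstring(text).iter("role"):
                granted = [p for p in ("read", "write", "create") if role.get(p) == "true"]
                if role.get("name") == "guest" and granted:
                    findings.append("default policy grants guest: " + ",".join(granted))
        elif kind == "property" and name == "suckerPassword" and text in PLACEHOLDERS:
            findings.append("suckerPassword is still the placeholder '%s'" % text)
    return findings


def audit_persistence(text):
    """Review items for postgresql-persistence-service.xml (steps 6 and 8)."""
    findings = []
    if "DefaultDS" in text:
        findings.append("step 6 incomplete: DefaultDS is still referenced")
    if "IDMUADataSource" not in text:
        findings.append("step 6 incomplete: IDMUADataSource is not referenced")
    for user, passwd in USER_ROW.findall(text):
        if user == "john":
            findings.append("step 8 incomplete: example user 'john' is still seeded")
        if passwd in PLACEHOLDERS:
            findings.append("JBM_USER '%s' is seeded with placeholder password '%s'" % (user, passwd))
    for pair in ROLE_ROW.findall(text):
        if "john" in pair:
            findings.append("step 8 incomplete: JBM_ROLE row still names 'john'")
    return findings


def audit_stop_script(path):
    """Flag a stop-jboss.sh that holds the admin password and is readable by others."""
    with open(path, encoding="utf-8") as fh:
        embeds = re.search(r"shutdown\.sh\b.*\s-p\s+\S+", fh.read()) is not None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if embeds and mode & 0o077:
        return ["%s embeds the JBoss admin password and is mode %o; restrict it to the owner" % (path, mode)]
    return []


# Constructed, abridged fragments that reuse the values printed in this Readme.
SAMPLE_BEANS = """
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
    <module-option name="unauthenticatedIdentity">guest</module-option>
  </application-policy>
  <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
    <property name="defaultSecurityConfig"><![CDATA[
      <security><role name="guest" read="true" write="true" create="true"/></security>
    ]]></property>
    <property name="suckerPassword">changeit</property>
  </bean>
</deployment>
"""
SAMPLE_UNEDITED = """
<attribute name="DataSource">java:/DefaultDS</attribute>
POPULATE.TABLES.3  = INSERT INTO JBM_USER (USER_ID, PASSWD, CLIENTID)
VALUES ('john', 'needle', 'DurableSubscriberExample')
POPULATE.TABLES.8  = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('john','guest')
POPULATE.TABLES.9  = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('subscriber','john')
POPULATE.TABLES.10 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('publisher','john')
"""
SAMPLE_EDITED = """
<attribute name="DataSource">java:/IDMUADataSource</attribute>
POPULATE.TABLES.3  = INSERT INTO JBM_USER (USER_ID, PASSWD,
CLIENTID) VALUES ('p_user', 'changeit', 'IDMNotificationDurableTopic')
POPULATE.TABLES.8  = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('p_user','guest')
POPULATE.TABLES.9  = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('subscriber','p_user')
POPULATE.TABLES.12 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('durpublisher','p_user')
"""

if __name__ == "__main__":
    for item in audit_beans(SAMPLE_BEANS) + audit_persistence(SAMPLE_EDITED):
        print("REVIEW:", item)
```

Against real files, pass the file contents to audit_beans and audit_persistence and the script path to audit_stop_script; an empty list means nothing was flagged.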

WebSphere install does not extract the antlr.jar file

When installing RBPM on WebSphere, the antlr.jar file is not deployed to the install directory. This file is mandatory for a successful configuration.

This file does exist in the installation media. To extract the file:

  1. Unjar IdmUserApp.jar (/$JAVA$/bin/jar -xvf IdmUserApp.jar).

  2. Change to the InstData directory (cd Disk1/InstData/).

  3. Unzip Resource1.zip.

  4. Change to the project directory (cd \$IA_PROJECT_DIR\$/).

  5. Change to the lib directory (cd lib).

  6. Unzip websphere-addons.zip.

  7. Change to the WEB-INF/lib directory (cd WEB-INF/lib).

    The file antlr.jar will now be present.

  8. Copy the antlr.jar file to your RBPM install directory (/opt/novell/idm by default) and continue the setup.
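
Steps 1 through 7 can also be carried out without unpacking the whole installer onto disk. The Python below is an added example, not Novell tooling: it reads only the named entry at each archive level and returns a SHA-256 of the extracted antlr.jar for the change record. The entry paths are assumed to match the directory names in the steps, and the sample archive is constructed.

```python
import hashlib
import io
import zipfile

# Entry paths follow the directory names in steps 1-7; that the archives
# store their entries under exactly these names is an assumption.
CHAIN = (
    "Disk1/InstData/Resource1.zip",               # inside IdmUserApp.jar
    "$IA_PROJECT_DIR$/lib/websphere-addons.zip",  # inside Resource1.zip
    "WEB-INF/lib/antlr.jar",                      # inside websphere-addons.zip
)


def extract_nested(outer, chain=CHAIN):
    """Return the bytes of the innermost entry, opening each level in memory.

    Only the named entry is read at each level, so entry names stored in the
    archives are never used as filesystem paths. Each nested archive is held
    in memory while it is read.
    """
    source = outer  # a path or a seekable binary file object
    data = b""
    for depth, member in enumerate(chain, start=1):
        with zipfile.ZipFile(source) as archive:
            try:
                data = archive.read(member)
            except KeyError:
                leaf = member.rsplit("/", 1)[-1]
                similar = [n for n in archive.namelist() if n.endswith(leaf)]
                raise FileNotFoundError(
                    "level %d: %s not found (similar entries: %s)" % (depth, member, similar)
                ) from None
        source = io.BytesIO(data)
    return data


def save_with_digest(data, dest):
    """Write the extracted jar to dest and return its SHA-256 hex digest."""
    with open(dest, "wb") as fh:
        fh.write(data)
    return hashlib.sha256(data).hexdigest()


def build_sample(payload=b"constructed stand-in for antlr.jar"):
    """Constructed three-level archive with the same layout, for offline runs."""
    def pack(name, content):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(name, content)
        return buf.getvalue()

    blob = payload
    for member in reversed(CHAIN):
        blob = pack(member, blob)
    return blob


if __name__ == "__main__":
    jar = extract_nested(io.BytesIO(build_sample()))
    print(len(jar), hashlib.sha256(jar).hexdigest())
```

With the real media, call extract_nested("IdmUserApp.jar") and pass the result to save_with_digest together with the destination path in the RBPM install directory.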

Novell does not provide support for the components installed by the JBossPostgreSQL utility

Novell provides the JBossPostgreSQL utility as a convenience. If your company does not already provide an application server and a database server, you can use the JBossPostgreSQL utility to install an Open Source version of these components. By running this utility, you can install these components without having to download them separately. If you need support, go to the third party provider of the component. Novell does not provide updates for these components, or administration, configuration, or tuning information for these components, beyond what it is outlined in the RBPM documentation.

JBoss does not automatically start on Red Hat Enterprise Linux 6

The default jboss_init script that is provided by JBoss for Red Hat Enterprise Linux does not work on Red Hat Enterprise Linux 6. JBoss will not automatically start with this script.

To work around this issue, you need to perform the following steps:

  1. Add the following text at the top of the file:

    ### BEGIN INIT INFO
    # Provides: JBoss
    # Required-Start:
    # Required-Stop:
    # Default-Start: 3 5
    # Default-Stop: 0 1 6
    # Description: Start/Stop Script for JBoss
    ### END INIT INFO
    
  2. Add the jboss_init to chkconfig.

Database user’s password must not contain a dollar sign

Currently, there is an issue with the JBossPostgreSQL and EAS installers if a password for the database user(s) contains a dollar sign ($). If the password contains a dollar sign, the $ and the next value are removed when the password is being set. For example, if you enter test$123, the value that actually gets set is test23.

At this time, you cannot use a $ during the install of PostgreSQL, either in the JBossPostgreSQL or EAS installers. You can change the password after the install by using the PostgreSQL Administration tools.

srvprvUserPrefs attribute must be cleaned up manually

Values that are saved into the srvprvUserPrefs attribute are not fully removed when a user removes or changes their filters or customization entries.

The srvprvUserPrefs attribute is a single-valued, synchronize-immediately string attribute in eDirectory. It is limited to about 33,000 total characters. Once the attribute reaches the maximum size, users cannot save filter and customization entries into this attribute. To work around this issue, an administrator needs to clean up the attribute manually with iManager or an LDAP browser.

Need to manually enter a four digit year when using a year past 2030

When using the Effective or Expiration dates for a role assignment in the User Application, you need to manually enter the date if the year you want to use is after 2030. For example, if you want to set the Effective Date for a role to be assigned on January 01, 2031, the Calendar picker will display it as 1/1/31. If you leave this as is, the role will be immediately assigned. You must make the year a four digit year if the year is greater than 2030. For this example, you would need to use 1/1/2031.

A resource might be removed unexpectedly when an associated role is removed

If a user has been assigned to multiple roles, and these roles are associated with a resource that is dynamically bound (meaning that the value for the entitlement is set at assignment time), the user may lose all of the resource assignments for these roles if only one of the roles is removed. This will only happen if the option Allow user to request multiple assignments by selecting more than one value (which maps to nrfAllowMulti) is not selected when mapping the entitlement to a resource.

For example, suppose you have a resource that is dynamically bound to an entitlement, and the resource is mapped to two different roles, and the option Allow user to request multiple assignments by selecting more than one value is not set for the resource. In this case, if a user has been assigned to both roles, and later is removed from one of the roles, the user will lose both resources. This behavior occurs because the option Allow user to request multiple assignments by selecting more than one value was not selected when the entitlement was mapped to the resource.

Migration from Identity Manager 3.6.1 to 4.0.1 causes a foreign key error

If you upgrade from 3.6.1 to 4.0.1, you receive a Liquibase error about creating a foreign key. The steps to correct this error and continue with the installation are in Patch A Special Instructions.

3.8 iManager

You might encounter the following issues as you use iManager:

Upgrading to iManager 2.7.4 FTF3

Identity Manager 4.0.1a does not install iManager 2.7.4 FTF3. To extend support for the Microsoft Internet Explorer 9 and Mozilla Firefox 4.0.1 browsers, manually upgrade iManager 2.7.4 to iManager 2.7.4 FTF3. For iManager installation and upgrade information, see the Installing iManager section in the iManager 2.7 Installation Guide.

Internet Explorer 7 continually prompts for access to the Clipboard

When you are using iManager, particularly the Policy Builder, Internet Explorer 7 continually prompts you for access to the Clipboard. To disable prompting:

  1. Click Tools > Internet Options.

  2. Click the Security tab, then click Custom Level.

  3. Click Scripting > Allow programmatic clipboard access, then select Enable.

    After you restart Internet Explorer, the prompting stops.

iManager plug-in dependency for the NDS-to-NDS Driver Certificates Wizard

If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Novell Certificate Server.

3.9 Identity Manager 4.0.1 Upgrade

You might encounter the following issues during Identity Manager upgrade.

On SLES 11, the Identity Manager installer hangs while upgrading Identity Manager with multiple instances of eDirectory

To upgrade Metadirectory on a server with multiple eDirectory instances, make sure that you have only one eDirectory instance file in the /etc/opt/novell/eDirectory/conf/.edir/ directory. You must upgrade each eDirectory instance separately to inject the edition information for each instance and to extend the schema for each instance. Refer to TID 7008633 for more information on upgrading Metadirectory on a server with multiple eDirectory instances.

3.10 Identity Manager 4.0.1 Framework Uninstallation

You might encounter the following issues during uninstallation of the Identity Manager Metadirectory engine and drivers.

Identity Manager 4.0.1 framework uninstallation does not remove DXMLnotes.pkg on Solaris 10

Manually remove the DXMLnotes.pkg package.

On Windows, Identity Manager 4.0.1 framework uninstallation log files are not created in the Uninstall folder

The uninstall log files are created in the temp directory.

On Windows, the Metadirectory server uninstallation does not remove the lib directory

The jar files that reside in the lib directory are not removed.

The uninstaller uninstalls other installed components.

3.11 Identity Manager 4.0.1 Integrated Uninstallation

On Windows, the Identity Vault uninstallation hangs in silent mode

The Identity Vault uninstallation hangs when you run the nds-uninstall command.

To successfully uninstall the Identity Vault:

  1. Stop the DHost from the Task Manager.

  2. Start the NDS service.

  3. Start the uninstallation program.

The integrated uninstaller does not remove JBoss and PostgreSQL

For more information on uninstalling the Roles Based Provisioning Module, refer to uninstallation details in the Identity Manager Roles Based Provisioning Module 4.0.1 User Application: Installation Guide.

On Windows, the integrated uninstaller does not completely clean the installation folder

The following command might fail with an exit value of 1:

cmd /c copy
"C:\Users\Administrator\AppData\Local\Temp\2\I1285831815\Windows\resource\jre\..\iawin64_x64.dll"
"C:\Program Files (x86)\Novell\Identity
Manager\Uninstall_Roles_Based_Provisioning_Module_for_Novell_Identity_Manager\resource\iawin64_x64.dll

The uninstaller does not remove the <Install> and the <system drive>\Novell\conf folders.

To work around this issue, manually remove these folders.

3.12 Localization

On Windows, the Identity Manager 4.0.1 installers contain corrupt characters in the Console Mode

If you select Brazilian Portuguese, Danish, Dutch, English, French, German, Italian, Swedish, Spanish, or Russian as your choice of language for installing Identity Manager 4.0.1, the installer displays corrupt characters during installation.

If you select English, the installer contains a corrupt character on the Select Language page of the installation program. However, the characters display correctly for the Asian languages when the installer is run on Asian Windows.

For the characters to display correctly, ensure that you change the default font of your Windows machine to Lucida Console by using the following steps before installing Identity Manager:

  1. Go to Start > Run > Regedit > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage and change the OEMCP value from 850 to 1252.

    For Russian, change the OEMCP value from 866 to 1251 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage directory.

  2. Go to Start > Run, type cmd in the Open text box, then press Enter to launch the command prompt.

  3. Right-click the title bar of the cmd window to open the pop-up menu.

  4. Scroll down in the pop-up menu and select the Defaults option to open the Console Windows Properties dialog box.

  5. Click the Font tab and change the default font from Raster to Lucida Console (TrueType).

  6. Click OK.

  7. Restart the machine.

3.13 Upgrading the JRE Version

The JRE version available with Identity Manager 4.0.1 addresses the CVE-2010-4476 security vulnerability

If you are upgrading Identity Manager 4.0 to 4.0.1 and Identity Manager 4.0 was installed through the integrated installer, the upgrade procedure ignores the JRE version available with Identity Manager 4.0. Instead, it uses the JRE 1.6_20 available with the individual product installers. The JRE 1.6_20 packaged with Identity Manager 4.0.1 has been updated to address the CVE-2010-4476 security vulnerability.

To use the same JRE version as that of Identity Manager 4.0, manually install JRE 1.6_20 or higher. The instructions for installing the latest JRE version are available at the JRE Patch Download Site.

3.14 RHEL 6.0 Issues

Identity Manager installation fails on RHEL 6.0

For a successful installation and configuration of Identity Manager, do the following:

  • For GUI Install: Before invoking the Identity Manager installer, manually install the dependent libraries.

    • For a 64-bit RHEL: Install the following libraries in the same order:

      1. libXau-1.0.5-1.el6.i686.rpm

      2. libxcb-1.5-1.el6.i686.rpm

      3. libX11-1.3-2.el6.i686.rpm

      4. libXext-1.1-3.el6.i686.rpm

      5. libXi-1.3-3.el6.i686.rpm

      6. libXtst-1.0.99.2-3.el6.i686.rpm

      7. glibc-2.12-1.7.el6.i686.rpm

      8. libstdc++-4.4.4-13.el6.i686.rpm

      9. libgcc-4.4.4-13.el6.i686.rpm

      10. compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm

      11. compat-libstdc++-33-3.2.3-69.el6.i686.rpm

    • For a 32-bit RHEL: Install the following library:

      • compat-libstdc++-33-3.2.3-69.el6.i686.rpm

  • For Non-GUI Install: Before invoking the Identity Manager installer, manually install the dependent libraries.

    • For a 64-bit RHEL: Install the following libraries in the same order:

      1. glibc-2.12-1.7.el6.i686.rpm

      2. libstdc++-4.4.4-13.el6.i686.rpm

      3. libgcc-4.4.4-13.el6.i686.rpm

      4. compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm

      5. compat-libstdc++-33-3.2.3-69.el6.i686.rpm

    • For a 32-bit RHEL: Install the following library:

      • compat-libstdc++-33-3.2.3-69.el6.i686.rpm

NOTE: Ensure that the unzip rpm is installed before installing Identity Manager for all Linux platforms.

After Identity Manager 4.0.1 installation, JBoss does not automatically start when the system is rebooted

To work around this issue, manually start JBoss after the system reboots.

After Identity Manager 4.0.1 installation, the Role Mapping Administrator service does not automatically start

To work around this issue, manually start the Role Mapping Administrator service after completing the Identity Manager 4.0.1 installation.

4.0 Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2011 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

For Novell trademarks, see the Novell Trademark and Service Mark list.

All third-party trademarks are the property of their respective owners.