NetIQ Identity Manager 4.5 Service Pack 2 Release Notes

October 2015

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Identity Manager Community Forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Identity Manager Documentation Web site page. To download this service pack, see the NetIQ Identity Manager Product Upgrade website.

1.0 What’s New?

The following sections outline the key features and software issues reported by customers that are resolved in this release. In addition to the issues highlighted below, this release addresses approximately 100 software issues.

This service pack includes the software fixes and enhancements in the Identity Manager 4.5 Service Pack 1 release. For more information, see the NetIQ Identity Manager 4.5 Service Pack 1 Release Notes.

1.1 Component Updates

This service pack provides updates for the following components in Identity Manager. NetIQ recommends that you update them in the following order:

  • Identity Manager engine

  • Remote Loader, .NET Remote Loader, and Java Remote Loader

  • One SSO Provider (OSP)

  • Identity applications

  • Identity Reporting

  • Designer for Identity Manager (Designer)

1.2 Operating System Support

This service pack adds support for the following platforms, in addition to the platforms introduced in the 4.5 release:

  • SLES 11 SP4

  • SLES 12

  • RHEL 7.x

For detailed information on hardware requirements and supported operating systems, see the NetIQ Identity Manager Setup Guide.

1.3 Java 8 Support

This service pack updates the following components to support Java Development Kit 8 (jdk8u60) or Java Runtime Environment 8 (jre8u60):

  • Identity Manager engine

  • Java Remote Loader

  • Identity applications, running on Apache Tomcat

  • Identity Reporting, running on Apache Tomcat

  • Designer

  • Analyzer (32-bit Java only)

For more information about updating to Java 8, see Section 3.1, Installing Java 1.8 on the Identity Manager Servers.

NOTE: If you use JBoss Enterprise Application Platform (EAP) or IBM WebSphere, do not upgrade to Java 8. For more information, see Section 6.8, JBoss has Errors Running the Identity Applications with Java Development Kit 8.

1.4 Clustering Support for Apache Tomcat

You can now run the identity applications in a cluster on the Apache Tomcat application server. For more information about configuring your components to run on a Tomcat cluster, see Sample Identity Applications Cluster Deployment Solution on Tomcat in the NetIQ Identity Manager Setup Guide.

1.5 Addresses Software Vulnerabilities

This service pack addresses the following Common Vulnerabilities and Exposures (CVEs) for Identity Manager:

  • CVE-2015-0787

  • CVE-2015-0788

  • CVE-2015-0789

  • CVE-2015-0204

  • CVE-2014-3566

1.6 Enhancements for Designer

This service pack provides the following improvements for Identity Manager Designer:

Support for Eclipse 4.4.1

Designer has been updated to run on Eclipse 4.4.1.

Support for Drivers

Designer now supports the creation and configuration of the following drivers:

Multi-Domain Active Directory Driver

The Multi-Domain Active Directory driver supports provisioning of multiple domains in an Active Directory forest. This driver also supports Global, Local, and Universal groups within the same forest. The driver simplifies the overall deployment and integration of the entire Active Directory forest with your Identity Manager solution.

If you already have the NetIQ Active Directory driver, you can continue using it for most of the Identity Manager deployment scenarios. You would use the Multi-Domain Active Directory driver to enable your enterprise with multiple domain support.

For more information about creating and configuring this driver, see the NetIQ Multi-Domain Active Directory Driver Implementation Guide.

REST Driver

REST (Representational State Transfer) is an HTTP-based protocol used for Internet communication. The Identity Manager driver for REST enables identity provisioning and data synchronization between an Identity Vault and any RESTful service.

For more information about creating and configuring this driver, see the NetIQ REST Driver Implementation Guide.

1.7 Enhancements for Identity Reporting and the Identity Applications

This service pack provides the following enhancements for Identity Reporting and the identity applications:

Improves User Reports

This service pack updates the reporting framework to ensure that reports consistently provide the correct value of the manager attribute for an identity (mgr_id). When this issue occurred, reports such as Identity Vault User Report listed the previous identity_id for mgr_id. (Bug 939161)

If you experienced this issue, complete the following steps:

  1. Perform a full database purge.

  2. Remove all associations to the Data Collection Services driver.

  3. Perform a migrate from the Identity Vault.

Improves Use of Custom Style Sheets

This service pack improves your ability to review the custom.css file that you are using to display Identity Reporting content in a Web browser. For more information about customizing the style sheets, see “Working in the Identity Reporting Module” in the NetIQ Identity Manager Setup Guide. (Bug 940586)

Updates for Future Reports

This service pack includes changes that will allow Identity Reporting to support reports planned for NetIQ Access Review.

1.8 Software Fixes for the Identity Manager Engine and Driver Plug-ins

NetIQ Identity Manager includes software fixes that resolve several previous issues in the Identity Manager engine and plug-ins.

Resolves an Issue with Driver Synchronization

Issue: iManager does not synchronize with a driver when you specify a date/time and the locale is not set to United States. The iManager plug-in interprets the specified date using the standard English language format regardless of the locale setting. (Bugs 842918, 914977)

Fix: This service pack updates the iManager plug-in code to ensure that you can synchronize with a driver when using the date/time parameter.

Resolves an Issue with Driver Health Jobs that Fail to Run

Issue: A driver health job that contains custom conditions fails to run, even though you have enabled the Always execute actions when conditions are true option. For example, you create custom conditions to look for transactions in the queue that are older than five minutes. This issue might occur after the job runs once successfully. (Bug 891980)

Fix: This service pack updates the ckdrvhealthjob.jar file to ensure that the Identity Manager engine runs the job as specified.

Resolves an Issue with Starting Workflows with the Do-Start-Workflow Option

Issue: If you use the do-start-workflow method to initiate a workflow and you do not specify a value for all the attributes or a specified attribute is not in the XDS, the workflow fails. (Bug 924513)

Fix: The Identity Manager engine now inserts an empty string to ensure that the workflow avoids this type of failure.

Resolves an Issue with Deleting Events from the Driver Cache

This service pack resolves an issue where you cannot use the Driver Cache Inspector to delete events from a driver’s cache. Previously, iManager responded with the following error message:

JavaScript Assertion Failed: 'handleMenu_Delete_Response( 'Bogus XML reply, rootTag: parsererror' 

(Bug 935315)

1.9 Software Fixes for Remote Loader

NetIQ Identity Manager includes the following software fix for the Remote Loader component.

Updated Patch Installer for the Identity Manager Engine and Remote Loader

This service pack resolves an issue where the installation program for the Remote Loader requires you to specify the current location for an installed Remote Loader, even when you have not previously installed the component. The program fails to continue the installation process without your specifying the path. (Bug 933712)

1.10 Software Fixes for Designer

NetIQ Identity Manager includes software fixes that resolve several previous issues in Designer.

Ability to Deploy a Linked Schema Mapping Policy for a Driverset

This service pack resolves an issue where you cannot view or deploy a schema mapping policy that you created and linked to a driver. (Bug 939458)

Designer Can Open a Project that has been Renamed

This service pack resolves an issue where Designer might fail to open a project that you have renamed. For example, you changed the project name from TestProj1.proj to Test Project 1.proj, then Designer did not open the project. (Bug 926807)

Designer Provides Status of SVN Cleanup Tasks

Issue: When you run an SVN cleanup during a runtime job, Designer does not provide a message when the cleanup tasks are completed or whether the cleanup failed. Instead, you must check the Error Log. (Bug 891741)

Fix: Designer provides a notification bar to indicate the status of the SVN cleanup job. The notification disappears when the job completes without errors.

Allows You to Open a Designer 4.0.2 Project without Affecting the Layout

Issue: When you open a Designer 4.0.2 project in Designer 4.5.x, Designer provides an option to migrate the linkages. If you select Yes, then Designer rearranges the driver layout in the Modeler view. This issue occurs because Designer 4.5.x reads the project object first, which prevents it from gathering information about the layout in the Modeler view. (Bug 902005)

Fix: When you opt to migrate linkages, Designer now opens the Modeler first, then gets the project object from the active editor.

Designer Helps Resolve a Conflict in Driver Status between Designer and the Identity Manager Engine

Issue: When you attempt to deploy or reconcile a driver that is disabled in Designer but enabled (auto or manual) and running on the Identity Manager engine server, Designer fails to notify you of the issue or to provide you a method for resolving the conflict. (Bug 891720)

Fix: When this type of conflict occurs, Designer now displays a message that provides the following options:

  • Stop the running driver, where Designer stops the driver and marks it as disabled

  • Keep the driver running, where Designer does not deploy the disabled setting for the driver

Resolves an Issue with Erroneous PRDs in the User Application Driver

This service pack resolves an issue where the User Application driver contains erroneous provisioning request definitions (PRDs). This issue occurred when you created a custom package for the driver then uninstalled that custom package. During uninstallation, Designer failed to remove the PRD objects associated with the custom package. (Bug 921253)

2.0 System Requirements

This service pack requires the following product versions:

  • NetIQ Identity Manager 4.5, at a minimum

  • NetIQ iManager 2.7.7 Patch 5

  • NetIQ Self Service Password Reset 3.2.0.3 or 3.3.0.2

NetIQ recommends that you install the following products to work with this service pack:

  • NetIQ eDirectory 8.8 SP8 Patch 6

  • NetIQ One SSO Provider 4.5.0.3, at a minimum

  • Latest patch for Identity Manager drivers

For more information about the software requirements, see “Selecting an Operating System Platform for Identity Manager” in the NetIQ Identity Manager Setup Guide.

NOTE: The minimum memory requirement for Identity Vault is 2 GB.

3.0 Installing This Service Pack

You can upgrade to this service pack from either Identity Manager 4.5 or 4.5.1. Install the components in the following order, depending on your current version:

Upgrading from Identity Manager 4.5

  1. Identity Manager Engine

  2. Remote Loader

  3. Designer

  4. Configuration Update Utility 4.5.0.1

  5. One SSO Provider

  6. Role and Resource Service Driver 4.5.0.1

  7. Identity Applications (for Advanced Edition)

  8. Identity Reporting

  9. Self Service Password Reset

Upgrading from Identity Manager 4.5.1

  1. Identity Manager Engine

  2. Remote Loader

  3. Designer

  4. One SSO Provider

  5. Identity Applications (for Advanced Edition)

  6. Identity Reporting

  7. Self Service Password Reset

3.1 Installing Java 1.8 on the Identity Manager Servers

This service pack adds support for Java 1.8.0_60 64-bit JDK or JRE for the following Identity Manager components:

  • Identity Manager engine

  • Java Remote Loader

  • Identity applications, running on Apache Tomcat

  • Identity Reporting, running on Apache Tomcat

  • Designer

  • Analyzer (32-bit Java only)

To install Java 1.8, perform the steps listed in the readme files from one of the following download pages:

3.2 Updating the Identity Manager Engine

This service pack includes the IDM_engine_rl_IDM4.5SP2.zip file for updating the Identity Manager engine and Remote Loader. Install this package on the Identity Manager engine server. For more information, see “Hotfixing the Identity Manager Engine and Remote Loader” in the NetIQ Identity Manager Setup Guide.

3.3 Updating the Remote Loader

This service pack provides updates for the Remote Loader, .NET Remote Loader, and the Java Remote Loader. When you install the Remote Loader on supported platforms, the installation program includes all versions of the Remote Loader for the operating system.

Updating the Remote Loader Files

Install the contents of the IDM_engine_rl_IDM4.5SP2.zip file on each server where you have installed the Remote Loader, .NET Remote Loader, and the Java Remote Loader. For more information, see “Hotfixing the Identity Manager Engine and Remote Loader” in the NetIQ Identity Manager Setup Guide.

Updating the Java Remote Loader Manually

IMPORTANT: You can use the Java Remote Loader with any publicly supported version of Java. This update is optional unless you want to upgrade your Java version to 1.8.

If you installed the Java Remote Loader manually on a server, you must manually upgrade the Java Remote Loader. You must also download Java 1.8 JDK or JRE from the Oracle Web site, then install the package.

  1. On the server where you installed the Java Remote Loader, download and install Java 1.8.

    For more information, see Section 3.1, Installing Java 1.8 on the Identity Manager Servers.

  2. Shut down the Java Remote Loader:

    ../dirxml_jremote -config fileName -u
    
  3. Extract the contents of the IDM_engine_rl_IDM4.5SP2.zip file to a temporary location.

  4. Replace the following files in the lib folder of your Java Remote Loader installation with the files extracted from the .zip file:

    • dirxml.jar

    • dirxml_misc.jar

    • dirxml_remote.jar

    By default, the files are located in the /cd-image/patch/OS_platform/<architecture>/RL/ folder of the installation package.

  5. Restart the Java Remote Loader:

    ../dirxml_jremote -config fileName &
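
The jar replacement in step 4, made all-or-nothing with a backup for rollback, as an added example that is not part of the NetIQ release notes or tooling. The function names, the directory arguments and the sibling backup folder are assumptions; the script does not stop or start the Remote Loader, so run it between steps 2 and 5.

```shell
#!/bin/sh
# Added example (not NetIQ code): replace the three Java Remote Loader jars
# as one all-or-nothing step, keeping a backup for rollback.

RL_JARS="dirxml.jar dirxml_misc.jar dirxml_remote.jar"   # file names from step 4

# restore_rl_jars BACKUP_DIR LIB_DIR: put the saved jars back into LIB_DIR.
restore_rl_jars() {
    for jar in $RL_JARS; do
        if [ -f "$1/$jar" ]; then
            cp -p "$1/$jar" "$2/$jar" || return 1
        fi
    done
}

# replace_rl_jars SRC_DIR LIB_DIR [BACKUP_DIR]
#   SRC_DIR    folder holding the jars extracted from the .zip (assumed path)
#   LIB_DIR    lib folder of the Java Remote Loader installation (assumed path)
#   BACKUP_DIR defaults to a sibling of LIB_DIR so old jars never sit inside lib
replace_rl_jars() {
    src=$1
    lib=$2
    backup=${3:-$lib.pre-sp2-backup}

    [ -d "$lib" ] || { echo "lib folder not found: $lib" >&2; return 1; }

    # Check the complete set first, so a partial extract never leaves
    # the loader with a mix of old and new jars.
    for jar in $RL_JARS; do
        [ -s "$src/$jar" ] || { echo "missing or empty: $src/$jar" >&2; return 1; }
    done

    # Never overwrite an earlier backup: it may be the only copy of the old jars.
    [ ! -e "$backup" ] || { echo "backup already exists: $backup" >&2; return 1; }
    mkdir "$backup" || return 1
    for jar in $RL_JARS; do
        if [ -f "$lib/$jar" ]; then
            cp -p "$lib/$jar" "$backup/$jar" || return 1
        fi
    done

    # Copy and compare byte for byte; on any failure restore the old set.
    for jar in $RL_JARS; do
        if ! cp "$src/$jar" "$lib/$jar" || ! cmp -s "$src/$jar" "$lib/$jar"; then
            echo "copy failed for $jar, restoring backup" >&2
            restore_rl_jars "$backup" "$lib"
            return 1
        fi
    done
    return 0
}

# Demo on a constructed directory tree (placeholder files, not real jars).
demo=$(mktemp -d)
mkdir "$demo/extracted" "$demo/lib"
for jar in $RL_JARS; do
    echo "constructed new $jar" > "$demo/extracted/$jar"
    echo "constructed old $jar" > "$demo/lib/$jar"
done
replace_rl_jars "$demo/extracted" "$demo/lib" && echo "replaced; old jars kept in lib.pre-sp2-backup"
rm -rf "$demo"
```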
    

3.4 Updating Designer

This service pack provides an update to Designer. Download the IDM45_Designer_SP2.zip file and perform the steps listed in the readme files.

3.5 Updating Self Service Password Reset

This service pack requires NetIQ Self Service Password Reset 3.2.0.3 or 3.3.0.2. To install these updates, download the following packages and perform the steps listed in the readme files:

3.6 Updating One SSO Provider

NetIQ recommends that you install the latest version of NetIQ One SSO Provider (OSP) to work with this service pack. Download the IDM45-OSP-HF-3.zip file and perform the steps listed in the readme files.

3.7 Updating the Identity Applications

This service pack includes an update to the identity applications that run on JBoss, Tomcat, and WebSphere application servers. Download the IDM45-Apps-SP-2.zip file to the server where you deployed the identity applications and perform the steps listed in the readme files.

3.8 Updating Identity Reporting

This service pack includes an update to Identity Reporting that runs on JBoss, Tomcat, and WebSphere application servers and a new Report Packaging Tool. Download the IDM45-Reporting-SP-2.zip file to the server where you installed Identity Reporting and perform the steps listed in the readme files.

3.9 Updating Analyzer for Java 8

This service pack updates Analyzer to support Java 1.8 (32-bit).

  1. On the server where you installed Analyzer, create a directory for Java 1.8. For example, opt/netiq/jdk1.8.0_60.

  2. Download and install the Java 1.8 files in this directory.

  3. Replace the Java 1.7 (jre) folder with the Java 1.8 folder in the installation directory.

4.0 Installing Identity Manager on RHEL 7.x Platforms

You can install Identity Manager 4.5.2 on a server running Red Hat Enterprise Linux 7.x at a minimum. The following table guides you through the installation process. First you install the Identity Manager 4.5 components in the given sequence using the individual component installation programs and then apply Identity Manager 4.5 Service Pack 2 as appropriate. For more information, see Section 3.0, Installing This Service Pack.

Before starting the installation, NetIQ recommends that you go through Section 6.10, Issues With Installing Identity Manager on RHEL 7.x and SLES 12.x Platforms to help you plan the installation process for Identity Manager. For example, you should not install Identity Vault and EAS on the same server.

IMPORTANT: Identity Manager does not support this installation using the integrated installation program.

Installation Order

Description

EAS

Install EAS and Identity Manager engine on separate servers. Install the following dependent libraries before starting the EAS installation:

For more information about installing EAS, see Installing EAS in the Identity Manager Setup Guide.

eDirectory

Install eDirectory 8.8 SP8 Patch 6, at a minimum

NOTE: Identity Manager ships eDirectory 8.8 SP8 Patch 2 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on RHEL 7.x, ensure that your eDirectory is running 8.8 SP8 Patch 6 at a minimum.

Download the patch from the NetIQ downloads page, https://dl.netiq.com/. For more information, see the Release Notes accompanying the patch at the eDirectory 8.8 SP8 documentation site.

Identity Manager Engine

Install the Identity Manager engine as instructed in “Installing the Identity Manager Engine, Drivers, and Plug-ins” in the Identity Manager Setup Guide. Install the following dependent library before starting the installation:

iManager

Install iManager 2.7 SP7 Patch 5, at a minimum

NOTE: Identity Manager ships iManager 2.7.7 Patch 2 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on RHEL 7.x, ensure that your iManager is running SP7 Patch 5 at a minimum.

  1. Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at iManager 2.7.7 documentation site.

  2. Ensure that you install the following dependent library before starting the installation:

For detailed installation instructions, see Installing iManager in the Identity Manager Setup Guide.

Self Service Password Reset

For more information about installing Self Service Password Reset, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

One SSO Provider

For more information about installing One SSO Provider, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

Identity Applications

For more information about installing Identity Applications, see Installing the Identity Applications in the Identity Manager Setup Guide.

Identity Reporting

For more information about installing Identity Reporting, see Installing the Identity Reporting Components in the Identity Manager Setup Guide.

5.0 Installing Identity Manager on SLES 12.x Platforms

You can install Identity Manager 4.5.2 on a server running SUSE Linux Enterprise Server 12.x at a minimum. The following table guides you through the installation process. First you install the Identity Manager 4.5 components in the given sequence using the individual component installation programs and then apply Identity Manager 4.5 Service Pack 2 as appropriate. For more information, see Section 3.0, Installing This Service Pack.

Before starting the installation, NetIQ recommends that you go through Section 6.10, Issues With Installing Identity Manager on RHEL 7.x and SLES 12.x Platforms to help you plan the installation process for Identity Manager. For example, you should not install Identity Vault and EAS on the same server.

IMPORTANT: Identity Manager does not support this installation using the integrated installation program.

Order of Installation

Installation Instructions

EAS

Install EAS and Identity Manager engine on separate servers. Install the following dependent libraries before starting the EAS installation:

For more information about installing EAS, see Installing EAS in the Identity Manager Setup Guide.

eDirectory

Install eDirectory 8.8 SP8 Patch 6, at a minimum

NOTE: Identity Manager ships eDirectory 8.8 SP8 Patch 2 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on SLES 12.x, ensure that your eDirectory is running 8.8 SP8 Patch 6 at a minimum.

Download the patch from the NetIQ downloads page, https://dl.netiq.com/. For more information, see the Release Notes accompanying the patch at the eDirectory 8.8 SP8 documentation site.

Identity Manager Engine

Install the Identity Manager engine as instructed in “Installing the Identity Manager Engine, Drivers, and Plug-ins” in the Identity Manager Setup Guide. Install the following dependent library before starting the installation:

iManager

Install iManager 2.7 SP7 Patch 5, at a minimum

  1. Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at iManager 2.7.7 documentation site.

  2. Ensure that you install the following dependent library before starting the installation:

For detailed installation instructions, see Installing iManager in the Identity Manager Setup Guide.

Designer

  1. Download and extract XULRunner-24 (64-bit) from the Mozilla FTP site.

  2. Open the Designer.ini file from the Designer installation directory.

  3. Add the following lines at the end of the Designer.ini file:

    -Dorg.eclipse.swt.browser.XULRunnerPath=<path where XULRunner is extracted>

    -Dorg.eclipse.swt.internal.gtk.disablePrinting

  4. Save the Designer.ini file and restart Designer.

Analyzer

  1. Install the following RPMs from the SLES 12 installation media:

    • gtk2-tools (32-bit)

    • libXtst6 (32-bit)

    • libgthread-2_0-0 (32-bit)

    • libXt6 (32-bit)

  2. Download and extract XULRunner-1.9.2 (32-bit) from the Mozilla FTP site.

  3. Open the Analyzer.ini file from the Analyzer installation directory.

  4. Add the following line at the end of the Analyzer.ini file.

    -Dorg.eclipse.swt.browser.XULRunnerPath=<path where XULRunner is extracted>:

  5. Save the Analyzer.ini file and restart Analyzer.

Self Service Password Reset

For more information about installing Self Service Password Reset, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

One SSO Provider

For more information about installing One SSO Provider, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

Identity Applications

For more information about installing Identity Applications, see Installing the Identity Applications in the Identity Manager Setup Guide.

Identity Reporting

For more information about installing Identity Reporting, see Installing the Identity Reporting Components in the Identity Manager Setup Guide.

6.0 Known Issues

NetIQ Corporation strives to ensure that our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

For the list of the known issues in Identity Manager 4.5, Identity Manager Standard Edition 4.5, and Identity Manager 4.5.1, see the Release Notes for each version on the Identity Manager Documentation page.

6.1 Installation Program for the Identity Manager Engine Fails to Run

Issue: The idm_linux.bin file located in the /products/idm/linux/setup directory fails to complete the installation process for the Identity Manager engine, Remote Loader, and plug-ins. (Bug 926557)

Workaround: Use the install.bin file in the /products/IDM directory, as instructed in Using the Wizard to Install the Components in the Identity Manager Setup Guide.

6.2 The Remote Loader Installation Fails if the Identity Manager Engine Is Running on the Same Windows Computer

Issue: If you install the Remote Loader without stopping the Identity Manager engine on that computer, the installation fails. (Bug 948844)

Workaround: Stop the Identity Manager engine (eDirectory) before starting the Remote Loader installation.

6.3 Remote Loader Console Might Not Start the Remote Loader

Issue: If the Windows cmd.exe font is set to a value other than Raster/8x32, you cannot start the Remote Loader from the Remote Loader Console application. (Bug 947009)

Workaround: When this issue occurs, use the Windows Services page to start the Remote Loader.

6.4 Identity Manager Plug-ins Do Not Work After Upgrading to iManager 2.7.7 Patch 5

Issue: The Identity Manager plug-ins do not work in iManager 2.7.7 Patch 5 if you have not selected the Identity Manager plug-in option during iManager installation.

Workaround: To install the Identity Manager plug-ins, use one of the following methods:

6.5 Failover in a Tomcat Cluster Might Require the User to Log In Again

On occasion, when a node fails in a Tomcat cluster, the identity applications might require the user to log in again rather than continuing the current user session. (Bug 945665)

6.6 Issue with Processing REST Requests in the Identity Applications

The identity applications cannot process a REST request from a client application when the password of the user who makes the request contains an accent. For example, the password is 1résumé1. (Bug 946081)

6.7 Identity Manager Fails to Use ActiveMQ for Guaranteed Mail Delivery

Issue: Although you use ActiveMQ to guarantee mail delivery in your JBoss and Tomcat environments, Identity Manager might default to the asynchronous JMS mode to deliver notifications from the identity applications. This mode cannot guarantee the delivery of every notification. (Bug 944784)

When this issue occurs, the logs include the following message:

WARN com.novell.soa.notification.impl.NotificationEngine- [RBPM] Could not properly initialize JMS persistence for the notification system. Will revert back to non-persistent asynchronous notification system.

Restarting ActiveMQ does not resolve the problem.

Workaround: In a text editor, remove the jms/ prefix from the name attribute of the ActiveMQ ConnectionFactory entry in the context.xml and server.xml files for the application server:

  • In the context.xml file, change the following line:

    <ResourceLink global="ConnectionFactory" name="jms/ConnectionFactory" type="javax.jms.ConnectionFactory"/>

    To:

    <ResourceLink global="ConnectionFactory" name="ConnectionFactory" type="javax.jms.ConnectionFactory"/>
    
  • In the server.xml file, change the following line:

    <Resource auth="Container" brokerName="LocalActiveMQBroker" brokerURL="tcp://localhost:61716" description="JMS Connection Factory" factory="org.apache.activemq.jndi.JNDIReferenceFactory" name="jms/ConnectionFactory" type="org.apache.activemq.ActiveMQConnectionFactory"/>

    To:

    <Resource auth="Container" brokerName="LocalActiveMQBroker" brokerURL="tcp://localhost:61716" description="JMS Connection Factory" factory="org.apache.activemq.jndi.JNDIReferenceFactory" name="ConnectionFactory" type="org.apache.activemq.ActiveMQConnectionFactory"/>
    

6.8 JBoss has Errors Running the Identity Applications with Java Development Kit 8

Issue: Java Development Kit 8 introduces new default methods to some interfaces. If the source level for your project is lower than jdk1.8.0_51, the Java compiler does not let you use default methods in the interface. This behavior can interfere with the configuration of the identity applications and Identity Reporting running on a JBoss application server. (Bug 941913)

For example, the application might fail to display the tab that allows you to approve a task or user request. Instead, you might receive the following message:

An Error has occurred while processing your request. Please contact the administrator or click the back button and try again.

Workaround: When running the identity applications and Identity Reporting on a JBoss application server, use jdk1.7.0_65 or later from Sun (Oracle).

6.9 Cannot Upgrade RHEL 6.x With GUI Mode To RHEL 7.x

Issue: If you try to upgrade your GUI-enabled RHEL 6.x to RHEL 7.x, the upgrade fails due to Red Hat limitations. The following links provide more information about this limitation:

  • https://access.redhat.com/solutions/799813

  • https://access.redhat.com/solutions/637583

Workaround: For a successful upgrade, perform the following actions:

  1. Uninstall the GUI from the RHEL 6.x server.

  2. Upgrade the server.

  3. Create an env_idm file in the /etc/opt/novell/eDirectory/conf directory and add the following content to the file:

    LD_LIBRARY_PATH=/opt/novell/lib64:/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH

  4. (Optional) To install the GUI on the upgraded server, follow the instructions provided in the RHEL documentation.

6.10 Issues With Installing Identity Manager on RHEL 7.x and SLES 12.x Platforms

Drivers Do Not Start If KMO Is Used in the Driver Configuration

Issue: When you run an Identity Manager driver on these platforms, Identity Manager displays an error message indicating that the driver needs to be shut down. (Bug 950492)

This issue occurs because Identity Manager cannot locate the env_idm file in the /etc/opt/novell/eDirectory/conf directory on the upgraded server. Although a new installation of RHEL 7.x or SLES 12.x places the file in this directory, the file does not contain the environment variables that Identity Manager requires to run the Identity Manager drivers.

Workaround: Perform one of the following actions depending on your installation:

  • If you are upgrading from RHEL 6.x to RHEL 7.x or SLES 11.x to SLES 12.x, manually place the env_idm file in the directory path.

  • If you are performing a new installation of RHEL 7.x or SLES 12.x, manually enter the following environment variable in the env_idm file.

    LD_LIBRARY_PATH=/opt/novell/lib64:/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH

Issue With Deploying the User Application Driver

Issue: The driver fails to deploy and displays the following error message:

V R Driver Interface Module not found - Error 783 (Bug 919047)

This issue occurs because Identity Manager cannot locate the env_idm file in the /etc/opt/novell/eDirectory/conf directory on the upgraded server.

Workaround: Perform one of the following actions depending on your installation:

  • If you are upgrading from RHEL 6.x to RHEL 7.x or SLES 11.x to SLES 12.x, manually place the env_idm file in /etc/opt/novell/eDirectory/conf.

  • If you are performing a new installation of RHEL 7.x or SLES 12.x, manually enter the following environment variables in the env_idm file.

    LD_LIBRARY_PATH=/opt/novell/lib64:/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH
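
The LD_LIBRARY_PATH value given in the workarounds above ends in ::$LD_LIBRARY_PATH, so it always contains at least one zero-length entry, which the glibc dynamic loader treats as the current working directory. The following check is an added example, not NetIQ code; it assumes env_idm holds plain KEY=VALUE lines (optionally prefixed with export) and that $LD_LIBRARY_PATH is expanded from the environment when the file is loaded.

```python
import os
import stat

# LD_LIBRARY_PATH value exactly as printed in the workarounds above.
DOCUMENTED_VALUE = (
    "/opt/novell/lib64:/opt/novell/eDirectory/lib64:"
    "/opt/novell/eDirectory/lib64/nds-modules:"
    "/opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64:"
    "//opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server:"
    "//opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads:"
    ":$LD_LIBRARY_PATH"
)
ENV_IDM = "/etc/opt/novell/eDirectory/conf/env_idm"  # location named on this page


def read_ld_library_path(env_text):
    """Return the last LD_LIBRARY_PATH assignment in env_idm-style text, or None."""
    value = None
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("export "):          # assumed optional prefix
            line = line[len("export "):].lstrip()
        if line.startswith("LD_LIBRARY_PATH="):
            value = line.split("=", 1)[1].strip().strip("\"'")
    return value


def stat_codes(path):
    """Findings for one absolute search-path entry."""
    try:
        st = os.stat(path)
    except OSError:
        return ["missing"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    codes = []
    if st.st_mode & stat.S_IWOTH:               # any local user could plant a library
        codes.append("world-writable")
    if st.st_uid != 0:
        codes.append("not-root-owned")
    return codes


def audit(value, inherited=""):
    """Expand $LD_LIBRARY_PATH with `inherited` and return (entry, finding) pairs."""
    expanded = value.replace("${LD_LIBRARY_PATH}", inherited)
    expanded = expanded.replace("$LD_LIBRARY_PATH", inherited)
    findings = []
    for entry in expanded.split(":"):
        if entry == "":
            findings.append((entry, "empty"))    # loader searches the current directory
        elif not os.path.isabs(entry):
            findings.append((entry, "relative"))  # also resolved against the cwd
        else:
            findings.extend((entry, code) for code in stat_codes(entry))
    return findings


if __name__ == "__main__":
    value = DOCUMENTED_VALUE
    if os.path.exists(ENV_IDM):
        with open(ENV_IDM) as handle:
            value = read_ld_library_path(handle.read()) or DOCUMENTED_VALUE
    for entry, finding in audit(value, os.environ.get("LD_LIBRARY_PATH", "")):
        print("%-16s %r" % (finding, entry))
```

Run it on the upgraded server as the account that starts eDirectory, so that the inherited LD_LIBRARY_PATH matches what the drivers actually see.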

Issue with Installing the Identity Vault and EAS On the Same Server

Issue: This issue is only observed in a new installation of Identity Manager. (Bug 918139)

Workaround: To install Identity Manager successfully, install the Identity Vault and EAS on separate servers in your Identity Manager environment.

7.0 Additions to Documentation

The following topics describe additions and modifications to the Identity Manager documentation.

7.1 Updating a Password for a Database User on Tomcat

The server.xml and context.xml files for the Tomcat application server contain a data source entry that points to the database for the identity applications, Identity Reporting, or both when they are deployed together. Identity Manager 4.5.1 changed the method for updating the password for a database user in the server.xml file when you deploy the identity applications, Identity Reporting, or both on a Tomcat application server.

  1. Stop Tomcat.

  2. Update the user's password in the database server.

  3. In a terminal, navigate to the tomcat/lib directory and enter the following command with Java in your path:

    java -jar iac-datasource-factory.jar %newpassword%
    
  4. Copy the encrypted output of the password and update the entry for that user in the server.xml file, located by default in the tomcat/conf directory.

  5. Start Tomcat.

7.2 Adding a Custom Logo in the Identity Applications

You can customize the themes and images that the identity applications and Identity Reporting display in your users’ Web browsers. To replace the NetIQ logo with a custom logo in the header, the logo must be in a .GIF or .JPG format. Otherwise, Microsoft Internet Explorer 11 does not display the logo. (Bug 938050)

7.3 Customizing Strings for One SSO Provider

Identity Manager allows you to customize the strings in OSP to suit the needs of your enterprise. The strings are based on the user’s current locale. The osp-conf.jar file contains all of the string property files. (Bug 942083)

NOTE: Each time you update OSP, you must perform this procedure.

To customize OSP strings:

  1. Log on to the server where you installed OSP.

  2. Close all browsers currently running the identity applications or Identity Reporting.

  3. Back up your current osp-conf.jar file located by default in the osp-installation-path/osp directory. For example, /opt/netiq/idm/apps/osp_sspr/osp.

  4. Copy the current osp-conf.jar file to a temporary directory.

  5. Extract the string property files from the osp-conf.jar file in the temporary directory. For example, unzip osp-conf.jar WEB-INF/classes/oidp*.

    When extracting the files, ensure that you maintain the original directory structure.

  6. In a text editor, open the properties for the language that you want to update. For example, for U.S. English, open the oidp_custom_resources_en_US.properties file.

  7. For each string that you want to update, modify the value after the equal (=) sign.

    For example, change

    idm.username=Username

    to

    idm.username=ID

  8. Save and close the files.

  9. For each language that you want to customize, repeat Step 6 and Step 7.

  10. Update the osp-conf.jar file with the customized properties files in the temporary directory.

    Ensure that you maintain the original directory structure.

  11. Replace the current osp-conf.jar file with the file that contains the customized properties files.

  12. Stop Tomcat.

  13. Delete the contents of the following directories:

    • Default locations on Linux:

      • /opt/netiq/idm/apps/tomcat/temp

      • /opt/netiq/idm/apps/tomcat/work/Catalina

    • Default locations on Windows:

      • C:\NetIQ\IdentityManager\apps\tomcat\temp

      • C:\NetIQ\IdentityManager\apps\tomcat\work\Catalina

  14. Start Tomcat.

  15. To verify the changes, complete the following steps:

    1. In a browser, open one of the applications that you updated.

    2. Verify that the login page displays the customized strings.
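
Steps 3 through 11 of this procedure can be scripted so that the repackaged jar is compared with the original before it replaces it. The following is an added example, not NetIQ code; it uses Python's zipfile module instead of unzip, and it assumes the U.S. English properties file sits under WEB-INF/classes/ in the jar, as the unzip pattern in Step 5 suggests.

```python
import hashlib
import os
import shutil
import zipfile

# Entry name assumed from the unzip pattern in Step 5 and the file named in Step 6.
EN_US = "WEB-INF/classes/oidp_custom_resources_en_US.properties"


def entry_digests(jar_path):
    """Map every entry name in the jar to the SHA-256 of its content."""
    with zipfile.ZipFile(jar_path) as jar:
        return {i.filename: hashlib.sha256(jar.read(i)).hexdigest()
                for i in jar.infolist()}


def changed_entries(old_jar, new_jar):
    """Names that were added, removed or modified between two jars."""
    old, new = entry_digests(old_jar), entry_digests(new_jar)
    return sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))


def edit_properties(data, changes):
    """Replace the value after '=' for each key in `changes`; other bytes stay."""
    pending = dict(changes)
    # ISO-8859-1 round-trips every byte, so untouched lines are preserved exactly.
    lines = data.decode("iso-8859-1").split("\n")
    for i, line in enumerate(lines):
        key, sep, _ = line.partition("=")
        if sep and not line.lstrip().startswith(("#", "!")) and key.strip() in pending:
            cr = "\r" if line.endswith("\r") else ""
            lines[i] = key + "=" + pending.pop(key.strip()) + cr
    if pending:
        raise KeyError("keys not found: " + ", ".join(sorted(pending)))
    return "\n".join(lines).encode("iso-8859-1")


def customize_strings(jar_path, entry, changes):
    """Back up the jar, edit one properties entry, repack, verify, then replace."""
    backup, staged = jar_path + ".bak", jar_path + ".new"
    if not os.path.exists(backup):               # keep the first, pristine copy
        shutil.copy2(jar_path, backup)
    try:
        with zipfile.ZipFile(jar_path) as src, \
                zipfile.ZipFile(staged, "w", zipfile.ZIP_DEFLATED) as dst:
            if entry not in src.namelist():
                raise KeyError(entry)
            for info in src.infolist():          # same entry names, same order
                data = src.read(info)
                if info.filename == entry:
                    data = edit_properties(data, changes)
                dst.writestr(info, data)
        diff = changed_entries(jar_path, staged)
        if not set(diff) <= {entry}:             # nothing else may differ
            raise RuntimeError("unexpected changes: %s" % diff)
        os.replace(staged, jar_path)
    finally:
        if os.path.exists(staged):
            os.remove(staged)
    return diff


if __name__ == "__main__":
    import sys
    # Applies the page's own example change to the jar given on the command line.
    print(customize_strings(sys.argv[1], EN_US, {"idm.username": "ID"}))
```

Run it against the copy in the temporary directory, and keep the .bak file until the login page has been verified in Step 15.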

7.4 Installing the Identity Manager Engine with Multiple Instances of Identity Vault

You can install the Identity Manager engine in an environment where you have configured multiple instances of Identity Vault. Identity Manager supports this installation as a root user and in a silent mode. For more information, see the “Installing on a Server with Multiple Instances of Identity Vault” section in the NetIQ Identity Manager Setup Guide. (Bug 938158)

7.5 Changing the URL for Designer Updates

NetIQ provides a new update site for downloading the Designer updates and packages. NetIQ recommends that you start using the new update site even though it continues to support the existing update site for updating the older versions of Designer. To receive notifications from the new update site, include the new URLs in your Designer. (Bug 905397)

To include the new URL of the Designer update site in Designer:

  1. Launch Designer.

  2. From Designer’s main menu, select Windows > Preferences > NetIQ > Identity Manager > Updates.

  3. Change URL to https://nu.novell.com/designer/updatesite4_5_0/.

  4. Select Apply, then select OK.

To verify whether the new URL is working:

  1. Launch Designer.

  2. From Designer’s main menu, select Help > Check for Designer Updates.

    If your version of Designer is up-to-date, a prompt informs you that no updates are available. If an update is available, a prompt lists components that you can update.

  3. If the updates are available, select the updates and then select OK.

To include the new URL of the package update site:

  1. Launch Designer.

  2. From Designer’s main menu, select Windows > Preferences > NetIQ > Package Manager > Online Updates.

  3. Select the plus icon to add the new URL as https://nu.novell.com//designer/packages/idm/updatesite2_0_0/.

  4. Select OK.

  5. Select the required check boxes for the update sites in the Preferences window.

  6. Select Apply, then OK.

To verify whether the new URL is working:

  1. Launch Designer.

  2. From Designer’s main menu, select Help > Check for Package Updates.

    If there are no package updates, Designer returns a message stating that no updates are available. If an update is available, a prompt lists the packages with newer versions.

  3. From the list of available packages, select the required version for update, then select Yes.

8.0 Previous Releases

This service pack also includes enhancements and software fixes added in Identity Manager 4.5 Service Pack 1.

8.1 Enhancements to Identity Manager

This release provides the following enhancements:

New Names for Installation Log Files on Linux Servers

The installation log files now indicate whether you updated Identity Manager components on a Linux server as a root or non-root user:

  • Linux root: idmPatchInstall-root.log

  • Linux non-root: idmPatchInstall-nonroot.log

The installation process also changes the permission of the /tmp/logs file on a Linux server:

chown root:users /tmp/logs
chmod +t /tmp/logs

The log file for a Windows server continues to be idmPatchInstall.log. Permissions for the file have not been changed. (Bug 943808)

Improved Patch Installer for the Identity Manager Engine and Remote Loader

This service pack improves the content in the NetIQ Identity Manager Patch Installer program for the Identity Manager engine and Remote Loader. For example, the program accurately identifies the operating system on which you run the update. (Bug 873938)

Also, when updating Remote Loader, you can now specify the path where you want to perform the update. The NetIQ Identity Manager Patch Installer allows you to browse to the installed version of Remote Loader. Previously, the patch installer might incorrectly detect the location of the installed Remote Loader 64-bit and would use a default path as if installing the 32-bit version. (Bug 921959)

8.2 Enhancements to Designer for Identity Manager

Creating the deprecated.properties file On Custom Package Update Site

Designer automatically generates the deprecated.properties file if the update site is created by using the Designer package build and publish mechanism. This file contains the required instructions for building the list of deprecated packages.

If you have created your own update site, create a deprecations folder on the site and include a deprecated.properties file in this folder.

Improved Ability to Upgrade Installed Packages

Designer now allows you to view and upgrade the already installed packages in your Identity Manager environment in a single consolidated view. The provision of a single view removes the need for you to separately go to each driver, driver set, or Identity Vault in your project to view or upgrade the packages that they contain. For more information, see “Upgrading Installed Packages” in the NetIQ Designer for Identity Manager Administration Guide. (Bug 912257)

Designer Maintains Parameter Value after Conversion to GCV

You can convert a parameter for driver configuration to a Global Configuration Value (GCV). In this release, Designer preserves the specified value of the parameter during the conversion process. (Bug 808304)

Enhances Ability to Perform Comparisons

This service pack improves your ability to perform the following types of comparisons:

Resource Objects

You can compare any pair of resource objects in the same manner that you might compare two policies. For example, you can compare resources, mapping tables, or ECMA scripts. (Bug 916906)

Driver Set Packages

You can compare the customization capability of driver set packages, similar to comparisons for a driver. You can compare the package folder items from the package to the one in driver set for the following library items: policy, ECMA script, mapping table, DS object, resource, and GCV. (Bug 916912)

Identity Vault Packages

You can compare the customization capability of policy packages in the Identity Vault, similar to comparisons for a driver. You can compare the package folder items from the tree-level package to the one in the Identity Vault for the following library items: schema map, policy, ECMA script, mapping table, DS object, resource, and notification templates. (Bug 916913)

Designer Update Site Has Changed

NetIQ provides a new update site for downloading the Designer updates and packages. NetIQ recommends that you start using the new update site even though it continues to support the existing update site for updating the older versions of Designer. To receive notifications from the new update site, include the new URLs in your Designer. For more information, see Section 7.5, Changing the URL for Designer Updates. (Bug 905397)

8.3 Enhancements to the Identity Applications and Identity Reporting

Can Specify the Timezone for a Report

When configuring a report, you can specify the timezone for which you want to run the report. This change ensures that you can gather data from a source at the time appropriate for that source rather than the time on the reporting server.

For example, the data source resides on a server in Houston and the reporting server is in Delhi. You can configure the report to run at 2 AM Houston time. If the report runs at 2 AM in Delhi, which is 12:30 PM in Houston, it cannot capture all the changes that occur at the Houston office that day. (Bug 902453)

Reports Include the Name of the Reporter

Identity Reporting now includes the name of the user who generated the report. The name appears in the report header. (Bug 911849)

Updating a Password for a Database User on Tomcat

This service pack changes the method for updating the password for a database user in the server.xml file when you deploy the identity applications or Identity Reporting on a Tomcat application server. For more information, see Section 7.1, Updating a Password for a Database User on Tomcat. (Bug 930994)

8.4 Software Fixes for the Identity Manager Framework

This release resolves the following major customer issues for the Identity Manager engine, Remote Loader, and the Identity Vault:

Events from the Identity Vault Display Full Domain Name in NetIQ Sentinel

When you use NetIQ Sentinel to collect Add Group Member events from the Identity Vault, the TargetTrustDomain and TargetUserDomain fields now include the full domain name, such as \org\groups\test. Previously, the fields failed to include the name of the top-level container, such as \org. This change allows you to create more precise correlation rules within Sentinel. (Bug 914242)

Identity Vault Now Displays Special Characters

This service pack resolves an issue where the Identity Vault might synchronize a ? character instead of a special character such as an umlaut for user-specified fields. For example, it synchronizes j?ppel instead of jäppel for a user’s name. This issue usually occurred after you rebooted the server that hosts the Identity Vault and the environment variable reverted to a non-UTF-8 character set. Now Identity Manager ensures that the JVM option file.encoding is set to UTF-8 before launching the JVM. (Bug 909406)

Can Run the Update Regardless of Spaces in the Installation Path

You can now update Identity Manager even when the path of the installation program includes a space. Previous updates would fail if the installation path contained a space. (Bug 887378)

Email Policy Does Not Require SMTP Authentication

Identity Manager can now communicate with an SMTP server that does not require authentication while executing the policy do-send-mail-with-template. For example, you can now use the policy to send notifications from the Identity Manager engine without configuring SMTP authentication. (Bug 875033)

Set and Clear SSO Credentials for Accounts Configured with an Older Version of NetIQ SecureLogin

This service pack resolves an issue where you could not clear and set the SSO credential of an account that uses clear-sso-credentials actions. This issue occurred for accounts where you previously set the credential using NetIQ SecureLogin 6 or older. The clear-sso-credentials action failed with the following message:

Couldn't perform SSO operation <do-set-sso-credential>: '4444:ERROR (provisionNSLAccount): General Exception: java.lang.NullPointerException'

(Bug 904822)

Password Expiration Job Runs Successfully after an NDSrepair

This service pack resolves an issue where the Password Expiration Job fails after you run the NDSrepair utility on the same server that processes the job. The job would fail with the following error:

no object DCH for MIME type multipart/mixed

This issue occurred only if the Password Expiration Job used HTML format and you did not restart eDirectory after running the NDSrepair utility. (Bug 890229)

NOTE: NetIQ recommends running the NDSrepair utility only when you need to correct problems in the Identity Vault (eDirectory database), rather than running the utility as a scheduled activity. Corrections usually require a restart of eDirectory and Identity Manager, which can adversely affect user operations.

ndsd.log File Does Not List an Erroneous Warning Message

This service pack resolves an issue where eDirectory 8.8.8 Patch 3 generates the following warning in the ndsd.log when you load libvrdim:

Java HotSpot(TM) 64-Bit Server VM warning: You have loaded library /opt/novell/eDirectory/lib64/libdhutilj.so.3.0.500 which might have disabled stack guard

(Bug 907240)

Resolves an Issue with Adding Event Information

This service pack resolves an issue where the Identity Manager engine incorrectly adds extra event information to operation data. (Bug 906276)

8.5 Software Fixes for Designer for Identity Manager

This release resolves the following major customer issues for Designer:

Designer Appropriately Launches ECMAScript Editor for New Workflow Scripts

This service pack updates Designer so you can use the ECMAScript editor when you add a new script for a form in a workflow in Designer. In previous releases, you might have received an unhandled event loop exception error when attempting to launch the script editor. The launch failed because the JSEditor plugin was not initialized. (Bug 901510)

Email Addresses Can Include Numeric Characters

With this service pack, you can specify email addresses that begin with a numeric character, for example, when you specify the From address for Default Notification Collection. (Bug 907783)

Resolves an Issue with Changing a Driver Icon

Changing the icon for a driver no longer causes high CPU utilization, and Designer does not initiate a loop while trying to display the icon. (Bug 911470)

Designer Help Has Been Updated

This service pack updates the Help to ensure that all appropriate content gets displayed upon request on Windows-based computers. In the previous release, some Help pages were not displayed as expected. (Bug 902975)

Adds the Ability to Download the Deprecated.properties File

If you create the update site with the Designer package build and publish mechanism, Designer automatically generates the deprecated.properties file. This file contains the required instructions for building the list of deprecated packages.

If you have created your own update site, create a deprecations folder on the site and include a deprecated.properties file in this folder. (Bug 903087)

Add Resource Action No Longer Needs instanceGUID

This service pack resolves an issue where you attempt to add and remove one resource assignment in the Policy Builder using the remove resource action, but Designer removes all resource assignments. This occurred because Designer expected an instanceGUID to be associated with each remove resource action. Designer now prompts you to specify a value for instanceGUID when you perform the remove resource action. (Bug 902428)

Correction to Documentation

The online documentation for Designer erroneously stated that you can browse to objects in an application for Source DN (if on publisher) or Destination DN (if on subscriber). However, Designer allows you to browse to the Identity Vault, not an application. The online help has been improved to reflect Designer behavior. (Bug 890716)

8.6 Software Fixes for the Identity Applications and Identity Reporting

This release resolves the following major customer issues for the identity applications and Identity Reporting:

Role Service Now Provides a “Cancelled” Message

The Role Service now reports a “Cancelled” message when you search for role assignments for a user and the service attempts to return a retracted role assignment request. Previously, the service responded with an error. (Bug 895501)

Resolves an Issue with Using the Resource Request Portlet

This service pack resolves an issue where the browser responded with an unrecoverable error when you used the Resource Request Portlet on a Shared Page to provide a form for a workflow. (Bug 920641)

Resolves an Issue with Form Displays in Internet Explorer 11

This service pack resolves an issue where fields in forms do not display appropriately in Internet Explorer 11 on a Windows computer. (Bug 920853)

The server.log File is Truncated on WebSphere

This service pack resolves an issue where, in WebSphere, the server.log file located in the WebSphere-install-dir/AppServer/profiles/profile-name directory (for example, /opt/IBM/WebSphere/AppServer/profiles/AppSrv01) might be truncated. (Bugs 900844, 899981)

9.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.