NetIQ Identity Manager 4.5 Service Pack 3 Release Notes

Updated February 2016

NetIQ Identity Manager 4.5 Service Pack 3 includes new features, improves usability, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Identity Manager Community Forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Identity Manager Documentation Web site page. To download this service pack, see the NetIQ Identity Manager Product Upgrade website.

1.0 What’s New?

The following sections outline the key features and software issues reported by customers that are resolved in this release.

This service pack includes the software fixes and enhancements in the Identity Manager 4.5 Service Pack 2 release. For more information, see the NetIQ Identity Manager 4.5 Service Pack 2 Release Notes.

NOTE:JBoss Enterprise Application Platform (EAP) support is deprecated with Identity Manager 4.5 Service Pack 3. JBoss EAP will be removed as a supported application server with the next major release of Identity Manager. However, it will continue to be a supported application server for Identity Manager 4.5.x.

1.1 New Features

This release introduces the following new features:

Request on Behalf of Other Users

Identity Manager extends the capability of Provisioning Dashboard for placing requests for permissions with this service pack. In addition to requesting permissions for yourself, you can now request permissions for other users in your organization. Identity Manager allows the following roles to request permissions for other users:

  • Security Administrator

  • Domain Administrator

  • Team Requestor

The Provisioning Dashboard interface allows you to select objects such as users, groups, and teams for making requests. For more information, see Making and Managing Requests in the NetIQ Identity Manager Home and Provisioning Dashboard User Guide.

Identity Manager provides a new Team Configuration page that allows you to create teams, manage teams, and define permissions for the team. When a team is created, you can request permissions for the team using the Provisioning Dashboard. For more information about accessing the new Team Configuration page from Identity Manager Home, see Adding the Manage Teams Link to the Identity Manager Home Page. For more information about configuring teams, see Managing Teams in the NetIQ Identity Manager Catalog Administrator User Guide.

For information about installing this feature, see Section 3.3, Updating the Identity Applications.

Association Statistics

With this service pack, Identity Manager introduces the Association Statistics feature that allows an administrator to find association details of the identities managed by Identity Manager. The association count for the drivers is evaluated per Identity Manager server. Using this feature, administrators can review the current state of their Identity Manager deployment. For more information, see Association Statistics in the NetIQ Identity Manager Driver Administration Guide.

1.2 Component Updates

This service pack provides updates for the following components in Identity Manager.

  • Identity Manager engine

  • One SSO Provider (OSP)

  • Identity applications

  • Identity Reporting

  • Designer for Identity Manager (Designer)

1.3 Support for Java 1.8 Update 66

This service pack updates the following components to support Java Development Kit 8 Update 66 (jdk8u66) or Java Runtime Environment 1.8 Update 66 (jre8u66).

  • Identity Manager engine

  • Identity applications, running on Apache Tomcat

  • Identity Reporting, running on Apache Tomcat

  • Designer

  • Analyzer (32-bit Java only)

When you upgrade from Identity Manager 4.5, 4.5.1 or 4.5.2 to 4.5.3, ensure that your current Java version is upgraded to JRE 1.8 Update 66 on these components.

The Identity Manager 4.5 Engine Service Pack 3 updates the Java version for the Identity Manager engine. You need to manually update your current Java version for the identity applications, Identity Reporting, Designer, and Analyzer. For more information, see Section 3.7, Installing Java 1.8 Update 66 on the Identity Manager Servers.

NOTE:If you use JBoss Enterprise Application Platform (EAP), do not upgrade to Java 1.8. For more information, see Section 4.7, JBoss has Errors Running the Identity Applications with Java Development Kit 8.

1.4 Support for OSP 6.0.0.2

This service pack adds support for OSP 6.0.0.2. For more information about updating to OSP 6.0.0.2, see Section 3.11, Updating One SSO Provider.

1.5 Addresses Software Vulnerabilities

This service pack addresses the following Common Vulnerabilities and Exposures (CVEs) for Identity Manager:

  • CVE-2015-0787

  • CVE-2016-1592

  • CVE-2015-3195

1.6 Enhancements for Designer for Identity Manager

This service pack provides the following improvements for Identity Manager Designer:

Support for Drivers

Designer 4.5.3 supports the creation and configuration of the following drivers:

NOTE:Designer 4.5.2.1 and Designer 4.5.2.2 include the support for creating ServiceNow and JDBC Fan-Out drivers, respectively. Designer 4.5.3 includes enhancements and software fixes added in Designer 4.5.2.2.

ServiceNow

The NetIQ Identity Manager driver for ServiceNow can seamlessly provision and de-provision users to the ServiceNow cloud application. ServiceNow provides cloud-based services that allow users to manage the software through a web service.

For more information about creating and configuring this driver, see the NetIQ ServiceNow Driver Implementation Guide.

JDBC Fan-Out

The Identity Manager Java DataBase Connectivity (JDBC) Fan-Out driver supports the fan-out capability at the driver level. The Fan-Out driver provisions users and passwords to multiple databases with minimal effort. This eliminates the need for the Identity Manager administrator to configure multiple JDBC drivers using the same policies to provision multiple databases of the same type. You can centrally manage user accounts and have them automatically created, configured, maintained, and removed when appropriate. This saves cost and time associated with managing the Identity Manager environment. In this configuration, the synchronization is unidirectional, from the Identity Vault to the connected database.

For more information about creating and configuring this driver, see the NetIQ Identity Manager for JDBC Fan-Out Implementation Guide.

1.7 Software Fixes for the Identity Applications

NetIQ Identity Manager includes software fixes that resolve several previous issues in the Identity applications.

Ability to Update the Code Map Label When the Label Changes On the Entitlement

Issue: The User Application updates Code Map labels only when the Code Map table is created for the first time for an entitlement and not during the Code Map Refresh cycles. (Bug 953261)

Fix: The User Application now updates the Code Map labels during the code map refresh cycles when there is a change in the Code Map label on an entitlement.

Allows you to Print a Form From Internet Explorer 10.x and 11.x

This service pack resolves an issue where the Printform.js library invoked from a form did not work with Internet Explorer 10.x and 11.x browsers. (Bug 944006)

Incorrect Dates Displayed on Selecting the Swedish Language

This service pack resolves an issue where an incorrect date was displayed when the Swedish language was selected. (Bug 960007)

Exception From getRoleAssignmentRequestStatusByIdentityType() SOAP Call on Deleting a Role

This service pack resolves the issue where the SOAP getRoleAssignmentRequestStatusByIdentityType() call sent an exception when a role was deleted. (Bug 935453)

Unable To View the Complete Workflow Request in French

This service pack resolves an issue where the Identity Manager Home page displayed an incomplete request form in the French locale. (Bug 952582)

User Application Workflow Cannot Revoke an Entitlement That Contains a # Character

This service pack resolves an issue where the User Application discarded the entitlement parameters containing a # character while revoking the entitlement. (Bug 958843)

Home Provisioning Dashboard Does Not Display Featured Items for Users

This service pack resolves an issue where the featured items were not displayed even if one of them was a PRD and inactive. (Bug 956361)

eDirectory Crashes While Invoking the SAML Library

SAML 1.1.1 resolves an issue where eDirectory crashed while invoking the SAML library. (Bugs 849846, 871203)

SAML Method Fails to Authenticate When User DN Exceeds 128 Characters

SAML 1.1.1 resolves an issue where the SAML method failed to authenticate the DNs of users that contained 128 characters or more. (Bug 935130)

Resolves an Issue When Browser Displays an Error When a Colon Is Used in An SSO Secret

This service pack uses OSP 6.0.0.2 that resolves this issue.

1.8 Software Fixes for Configuration Utility

NetIQ Identity Manager includes software fixes that resolve several previous issues in the Configuration Utility.

The ConfigUpdate Utility Does Not Allow Non-Default LDAP Time-Out Values

This service pack resolves an issue where the ConfigUpdate utility did not allow you to change the LDAP Time-out parameter from the default value of 600000. (Bug 954437)

1.9 Software Fixes for Identity Reporting

NetIQ Identity Manager includes software fixes that resolve several previous issues in Identity Reporting.

Importing Reports That Utilize JSON Parsing Fails

Issue: Four new reports were introduced in 4.5.0. These were utilized in 4.5.0, 4.5.1 and 4.5.2. While importing these new reports that utilize JSON parsing, the import failed. (Bug 949019)

Fix: This service pack resolves this issue. You can now import the reports successfully.

Incorrect Dates Displayed on Selecting the Swedish Language

This service pack resolves an issue where an incorrect date was displayed when the Swedish language was selected. (Bug 960105)

1.10 Software Fixes for the Identity Manager Engine and Driver Plug-ins

NetIQ Identity Manager includes software fixes that resolve several previous issues in the Identity Manager engine and plug-ins.

DirXML-Associations Are Not Removed For Revoked Instances

This service pack resolves an issue where the DirXML-Associations attribute was not removed for the revoked instances. (Bug 958882)

Identity Manager Engine Filters the Search from query-ex During Object Migration

This service pack resolves an issue where the Identity Manager engine filtered the search from query-ex while migrating objects into Identity Vault. (Bug 948757)

Identity Manager Patch Installation Fails if the Installation Path Contains a Space

This service pack resolves an issue where the Identity Manager patch installation failed if there was a space in the installation path. (Bug 943052)

Issue with Importing the Global Configuration Values of a Driver Set

This service pack resolves an issue where the import configuration failed to import the Global Configuration Values for a driver set. (Bug 943788)

Remote Loader Installation Fails to Install Java if Identity Manager Engine Runs on the Same Server

This service pack resolves an issue where the Remote Loader installation failed to install Java if Identity Manager engine was running on the same server. (Bug 948699)

Driver does not Stop When a Fatal Error is Prompted by the Startup Policy

This service pack resolves an issue where the driver did not stop when the startup policy reported a fatal error. (Bug 939548)

Issue with Migrating Objects from the Connected Systems to the Identity Vault Using the Identity Manager Plug-Ins

This service pack resolves an issue of migrating objects from the connected systems (for example, Multi Domain Active Directory) to the Identity Vault by using the current plug-ins. (Bug 943839)

Changes to the Connection Passwords Are Not Reflected in the Named Passwords list

Issue: The changes made to connection passwords are not reflected in the named password list. (Bug 942226)

Fix: On deselecting the Remove Existing Password option in iManager, the changes made to connection passwords in Multi Domain Active Directory are reflected in the named passwords list.

Resolves an Issue with Token-map Functionality

This service pack resolves an issue where Token-map failed to evaluate tokens resulting in broken Token-map functionality. (Bug 956062)

1.11 Software Fixes for Designer for Identity Manager

NetIQ Identity Manager includes software fixes that resolve several previous issues in Designer.

Resolves Errors Reported in the Package Management Feature

Issue: Designer reports errors when you perform the following operations in the package management area of Designer: (Bug 941930)

  • Create a new version of an existing package.

  • Link a new item to a new version of a package.

Fix: This service pack resolves these issues. Designer no longer reports errors while performing these operations.

Designer Allows the Ability to Access the Arguments for the do-move-dest-object Action

This service pack resolves an issue where the argument builder was not able to access the arg-association node for modifying it. (Bug 946169)

Importing Libraries Removes Policy References

This service pack resolves an issue where Designer removes the reference to a policy when the library containing that policy is imported. (Bug 943088)

Unable to Save Changes to the ECMA Scripts

This service pack resolves an issue where Designer did not save changes made to the ECMA scripts. (Bug 934399)

Performing a do-add-role Action from A Driver Fails with an Error

This service pack resolves an issue where the driver displayed an error message while performing a do-add-role action in the policy builder.

Changes to Startup and Shutdown Policies Are Not Displayed in Compare and Deploy Views As Pseudo Driver Attributes

Issue: When you add, remove, or reorder the Startup or Shutdown policies in a driver, Designer does not display the correct status of the policies in the Compare and Deploy views. In addition, Designer does not display the policy linkages to the driver in the pseudo attributes of the driver. (Bug 939553)

Fix: This service pack resolves this issue. Designer now correctly displays the policy changes in the DirXML-Startup and DirXML-Shutdown attributes of the driver.

No Support for do-generate-xdas-event Action

This service pack enhances the policy builder to support the do-generate-xdas-event action. This action was added in Identity Manager 4.5. (Bug 948845)

2.0 System Requirements

This service pack requires the following product versions:

  • NetIQ Identity Manager 4.5 or later

    NOTE:

    • NetIQ Identity Manager 4.5 or later includes Identity Applications, Identity Reporting, and Identity Manager Engine.

    • Ensure that Designer is upgraded to 4.5.2.

  • NetIQ eDirectory 8.8 SP8 Patch 7

    IMPORTANT:This release does not support installing eDirectory 9.0 as an Identity Vault. However, you can install eDirectory 9.0 as a connected system for the Bidirectional eDirectory 4.0.2 driver. For more information, see the NetIQ Driver for Bidirectional eDirectory Implementation Guide.

  • NetIQ iManager 2.7.7 Patch 6

    IMPORTANT:iManager 3.0 is not yet certified with this release. It will be supported in the future.

  • Identity Manager Plug-ins 4.5.3.0

  • NetIQ Self Service Password Reset 3.2.0.3 or 3.3.0.2

  • NetIQ One SSO Provider 4.5.0.3, at a minimum

NetIQ recommends that you install the following products to work with this service pack:

  • NetIQ One SSO Provider 6.0.0.2

  • Latest patches for the Identity Manager drivers

  • Designer 4.5.3

For more information about the software requirements, see “Selecting an Operating System Platform for Identity Manager” in the NetIQ Identity Manager Setup Guide.

NOTE:The minimum memory requirement for Identity Vault is 2 GB.

3.0 Installing This Service Pack

You can upgrade to this service pack from Identity Manager 4.5, 4.5.1, or 4.5.2. Install the components in the following order, depending on your current version:

Upgrading from Identity Manager 4.5

  1. Identity Manager Engine

  2. Remote Loader

  3. Designer

  4. Configuration Update Utility 4.5.0.1

  5. One SSO Provider

  6. Role and Resource Service Driver 4.5.0.1

  7. Identity Applications (for Advanced Edition)

  8. Identity Reporting

  9. Self Service Password Reset

Upgrading from Identity Manager 4.5.1

  1. Identity Manager Engine

  2. Remote Loader

  3. Designer

  4. One SSO Provider

  5. Identity Applications (for Advanced Edition)

  6. Identity Reporting

  7. Self Service Password Reset

Upgrading from Identity Manager 4.5.2

  1. Identity Manager Engine

  2. Remote Loader

  3. Designer

  4. One SSO Provider

  5. Identity Applications (for Advanced Edition)

  6. Identity Reporting

  7. Self Service Password Reset

IMPORTANT:To upgrade Designer 4.5 to Designer 4.5.3, first upgrade to Designer 4.5.2 and then upgrade Designer 4.5.2 to Designer 4.5.3. It is also possible to directly update to Designer 4.5.3 from Designer 4.5.2.1 and 4.5.2.2.

Note that Designer 4.5.2 is a complete software build, while Designer 4.5.3 features are available at the Designer Auto-Update Site. For more information about updating to Designer 4.5.2, see NetIQ Identity Manager 4.5 Service Pack 2 Release Notes. For more information about updating to Designer 4.5.3, see Section 3.6, Updating Designer.

NOTE:

  • For Identity Manager Advanced Edition, install Java 1.8 Update 66 before installing the Identity Applications.

  • For Identity Manager Standard Edition, install Java 1.8 Update 66 before installing Identity Reporting.

3.1 Installing Identity Manager on RHEL 7.1 Platforms

You can install Identity Manager 4.5.3 on a server running Red Hat Enterprise Linux 7.1 at a minimum. The following table guides you through the installation process. First you install the Identity Manager 4.5 components in the given sequence using the individual component installation programs and then apply Identity Manager 4.5 Service Pack 3 as appropriate. For more information, see Section 3.0, Installing This Service Pack.

Before starting the installation, NetIQ recommends that you go through Issues with Installing Identity Manager on RHEL 7.1 and SLES 12 Platforms in the NetIQ Identity Manager 4.5 Service Pack 2 Release Notes to help you plan the installation process for Identity Manager. For example, you should not install Identity Vault and EAS on the same server.

IMPORTANT:Identity Manager does not support this installation using the integrated installation program.

Installation Order

Description

EAS

Install EAS and Identity Manager engine on separate servers. Install the following dependent libraries before starting the EAS installation:

For more information about installing EAS, see Installing EAS in the Identity Manager Setup Guide.

eDirectory

Install eDirectory 8.8 SP8 Patch 7, at a minimum

NOTE:Identity Manager ships eDirectory 8.8 SP8 Patch 2 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on RHEL 7.1, ensure that your eDirectory is running 8.8 SP8 Patch 7 at a minimum.

Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at eDirectory 8.8 SP8 documentation site.

Identity Manager Engine

Install the Identity Manager engine as instructed in “Installing the Identity Manager Engine, Drivers, and Plug-ins” in the Identity Manager Setup Guide. Install the following dependent library before starting the installation:

iManager

Install iManager 2.7 SP7 Patch 6, at a minimum

NOTE:Identity Manager ships iManager 2.7.7 Patch 2 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on RHEL 7.1, ensure that your iManager is running SP7 Patch 6 at a minimum.

  1. Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at iManager 2.7.7 documentation site.

  2. Ensure that you install the following dependent library before starting the installation:

For detailed installation instructions, see Installing iManager in the Identity Manager Setup Guide.

Self Service Password Reset

For more information about installing Self Service Password Reset, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

One SSO Provider

For more information about installing One SSO Provider, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

Identity Applications

For more information about installing Identity Applications, see Installing the Identity Applications in the Identity Manager Setup Guide.

Identity Reporting

For more information about installing Identity Reporting, see Installing the Identity Reporting Components in the Identity Manager Setup Guide.

3.2 Installing Identity Manager on SLES 12 Platforms

You can install Identity Manager 4.5.3 on a server running SUSE Linux Enterprise Server 12 at a minimum. The following table guides you through the installation process. First you install the Identity Manager 4.5 components in the given sequence using the individual component installation programs and then apply Identity Manager 4.5 Service Pack 3 as appropriate. For more information, see Section 3.0, Installing This Service Pack.

Before starting the installation, NetIQ recommends that you go through Installing Identity Manager on RHEL 7.1 and SLES 12 Platforms in the NetIQ Identity Manager 4.5 Service Pack 2 Release Notes to help you plan the installation process for Identity Manager. For example, you should not install Identity Vault and EAS on the same server.

IMPORTANT:Identity Manager does not support this installation using the integrated installation program.

Order of Installation

Installation Instructions

EAS

Install EAS and Identity Manager engine on separate servers. Install the following dependent libraries before starting the EAS installation:

For more information about installing EAS, see Installing EAS in the Identity Manager Setup Guide.

eDirectory

Install eDirectory 8.8 SP8 Patch 7, at a minimum

NOTE:Identity Manager ships eDirectory 8.8 SP8 Patch 2 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on SLES 12, ensure that your eDirectory is running 8.8 SP8 Patch 7 at a minimum.

Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at eDirectory 8.8 SP8 documentation site.

Identity Manager Engine

Install the Identity Manager engine as instructed in “Installing the Identity Manager Engine, Drivers, and Plug-ins” in the Identity Manager Setup Guide. Install the following dependent library before starting the installation:

iManager

Install iManager 2.7 SP7 Patch 6, at a minimum

  1. Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at iManager 2.7.7 documentation site.

  2. Ensure that you install the following dependent library before starting the installation:

For detailed installation instructions, see Installing iManager in the Identity Manager Setup Guide.

Designer

  1. Download and extract XULRunner-24 (64-bit) from the Mozilla FTP site.

  2. Open the Designer.ini file from the Designer installation directory.

  3. Add the following lines at the end of the Designer.ini file:

    -Dorg.eclipse.swt.browser.XULRunnerPath=<path where XULRunner is extracted>

    -Dorg.eclipse.swt.internal.gtk.disablePrinting

  4. Save the Designer.ini file and restart Designer.

Analyzer

  1. Install the following RPMs from the SLES 12 installation media:

    • gtk2-tools (32-bit)

    • libXtst6 (32-bit)

    • libgthread-2_0-0 (32-bit)

    • libXt6 (32-bit)

  2. Download and extract XULRunner-1.9.2 (32-bit) from the Mozilla FTP site.

  3. Open the Analyzer.ini file from the Analyzer installation directory.

  4. Add the following line at the end of the Analyzer.ini file.

    -Dorg.eclipse.swt.browser.XULRunnerPath=<path where XULRunner is extracted>:

  5. Save the Analyzer.ini file and restart Analyzer.

Self Service Password Reset

For more information about installing Self Service Password Reset, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

One SSO Provider

For more information about installing One SSO Provider, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

Identity Applications

For more information about installing Identity Applications, see Installing the Identity Applications in the Identity Manager Setup Guide.

Identity Reporting

For more information about installing Identity Reporting, see Section 3.4, Updating Identity Reporting.

3.3 Updating the Identity Applications

This service pack includes an update to the identity applications that run on JBoss, Tomcat, and WebSphere application servers. Download the IDM45-Apps-SP-3.zip file to the server where you deployed the identity applications and perform the steps listed in the readme files.

This zip file also includes the files for installing and configuring the Request on Behalf feature. After updating the identity applications, configure Identity Manager Home to include the link for configuring the teams. You need to do this to access the Team Configuration page where you can create and manage teams.

Adding the Manage Teams Link to the Identity Manager Home Page

To include the Manage Teams link in the Identity Manager Home page, perform the steps listed in the readme file from the download page.

Alternatively, you can launch the Team Configuration page from a Web browser on your workstation. For more information, see Managing Teams in the NetIQ Identity Manager Catalog Administrator User Guide.

Updating the Keystore Path in the Configuration Update Utility

To update the path of the keystore in the Configuration Update utility, perform the steps listed in the readme file from the download page.

Updating SAML 1.1.1

This service pack includes support for SAML 1.1.1. For more information about using SAML 1.1.1 with the identity applications, perform the steps listed in the readme file from the download page.

3.4 Updating Identity Reporting

This service pack includes an update to Identity Reporting. When installing or upgrading Identity Reporting without the Event Auditing Service (EAS), perform the workaround for the following issue:

Section 4.15, Cannot Connect to Remote Database When Installing Identity Reporting

For more information about installing or upgrading, see “Installing the Identity Reporting Components” in the Identity Manager Setup Guide.

3.5 Updating the Identity Manager Engine

This service pack includes the IDM_engine_rl_IDM4.5SP3.zip file for updating the Identity Manager engine. Install this package on the Identity Manager engine server. For more information, see “Hotfixing the Identity Manager Engine and Remote Loader” in the NetIQ Identity Manager Setup Guide.

3.6 Updating Designer

This service pack provides an update to Designer. Download the Designer 4.5.3 updates from the Designer Download Site.

NOTE:To upgrade Designer 4.5 to Designer 4.5.3, first upgrade to Designer 4.5.2 and then upgrade Designer 4.5.2 to Designer 4.5.3.

Designer provides a built-in auto-update feature that notifies you of new features available at the Designer Download Site. This feature allows you to download Designer package and patch updates when the computer that has Designer installed is connected to the Internet.

You can also perform an offline update of Designer when the computer that has Designer installed is not connected to the Internet. To perform an offline update, first download the required contents from the Designer and Package Update Web sites on a local or remote computer and then point Designer to the directory containing the downloaded files.

Updating Designer in an Offline Mode

To do this, create an offline copy of the Designer update files and then configure Designer to read the patch updates from the files copied to the local computer.

To create an offline copy of the Designer update files on Linux:

  1. Log in to the computer that has Designer installed and create a local directory.

  2. Download the latest patch zip file for Designer version from the specified location and unzip the files into the local directory.

To configure Designer to read the patch updates from the files copied to the local computer:

  1. Launch Designer.

  2. From Designer’s main menu, click Window > Preferences.

  3. Click NetIQ > Identity Manager and select Updates.

  4. Select Do not check for updates and deselect all the other check boxes.

  5. For URL, specify file:///path_to_files/updatesite1_0_0/.

    For a Linux mounted ISO, use the following URL format: file:///media/designer450offline/updatesite1_0_0.

    For Windows, use the following URL format: file:///c:\designer450offline\updatesite1_0_0\.

  6. Click Apply, then click OK.

  7. From Designer’s main menu, click Help > Check for Designer Updates.

  8. Select the required updates and click Yes to accept and update the Designer patch updates.

    You need to launch Designer again for the changes to take effect.

Updating the Designer Packages Offline

To do this, create an offline copy of the package update files and then configure Designer to read the package updates from the files copied to the local computer.

To create an offline copy of the package update files on Linux:

  1. Log in to the computer that has Designer installed and create a local directory.

  2. In a shell, change to this directory and run the following commands to copy the Designer package update files:

    wget -e robots=off -r -nH -np http://nu.novell.com/designer/packages/idm/updatesite1_0_0/

    wget -e robots=off -r -nH -np http://nu.novell.com/designer/packages/idm/updatesite2_0_0/

To configure Designer to read the package updates from the files copied to the local computer:

  1. Launch Designer.

  2. From Designer’s main menu, click Window > Preferences.

  3. Click NetIQ > Package Manager > Online Updates.

  4. To add a new URL, click the plus icon.

  5. Provide information for the following fields:

    1. Vendor: Specifies the vendor name for package update.

    2. URL: Specifies the URL as file:///path_to_files/packages/idm/updatesite1_0_0.

      For Linux mounted ISO, use the following URL format:

      file:///media/designer450offline/packages/idm/updatesite1_0_0

      file:///media/designer450offline/packages/idm/updatesite2_0_0

      NOTE:If you have multiple package sites, repeat Step 5 and add multiple sites and URLs.

  6. Click OK.

  7. In the Preferences window, select the required check boxes for the sites.

    NOTE:The new sites are selected by default.

  8. Click Apply, then click OK.

  9. From Designer’s main menu, click Help > Check for Package Updates.

  10. Select the required updates and click Yes to accept and update the Designer package updates.

    You need to launch Designer again for the changes to take effect.
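The offline copy passes through a download and a transfer before Designer reads it, so it is worth confirming that the tree on the offline machine is the one that was mirrored. The following is an added example, not NetIQ tooling: it records SHA-256 digests after the wget mirror and checks them before printing the file:/// URL for Designer. It assumes GNU find, sort, xargs and sha256sum; the manifest name, the function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not NetIQ tooling. Needs GNU find, sort, xargs, sha256sum.
# The manifest shows that the offline tree matches what wget fetched; it
# says nothing about the content before it was mirrored.

MANIFEST=SHA256SUMS   # hypothetical manifest file name

# Run on the connected machine once the wget mirror has finished:
# record a SHA-256 digest for every file under the update site directory.
write_manifest() {
    ( cd "$1" &&
      find . -type f ! -name "$MANIFEST" -print0 | sort -z |
      xargs -0 -r sha256sum > "$MANIFEST" )
}

# Run on the offline Designer machine before configuring the URL.
# Returns 1 if a file is missing or altered, or if the tree holds a file
# the manifest does not list; returns 2 if the check cannot be made.
verify_manifest() {
    ( cd "$1" || exit 2
      [ -f "$MANIFEST" ] || { echo "no $MANIFEST in $1" >&2; exit 2; }
      sha256sum --quiet -c "$MANIFEST" >&2 || exit 1
      listed=$(wc -l < "$MANIFEST")
      present=$(find . -type f ! -name "$MANIFEST" | wc -l)
      if [ "$listed" -ne "$present" ]; then
          echo "unlisted files: $present on disk, $listed in manifest" >&2
          exit 1
      fi )
}

# Print the value for Designer's URL field in the file:/// form used in
# the steps above. Assumes the path needs no URL escaping.
update_site_url() {
    ( cd "$1" && printf 'file://%s\n' "$(pwd)" )
}

# Print the URL only when the tree verifies.
stage_update_site() {
    verify_manifest "$1" && update_site_url "$1"
}

# Demo on a constructed stand-in for a mirrored update site.
demo_dir=$(mktemp -d)
site="$demo_dir/packages/idm/updatesite1_0_0"
mkdir -p "$site/plugins"
echo 'constructed index'   > "$site/index.txt"
echo 'constructed package' > "$site/plugins/sample.jar"
write_manifest "$site"
stage_update_site "$site"
rm -rf "$demo_dir"
```

Run write_manifest in each mirrored updatesite directory before copying it, and stage_update_site on the Designer machine to obtain the URL for Step 5.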

3.7 Installing Java 1.8 Update 66 on the Identity Manager Servers

This service pack certifies Java 1.8.0_66 (JDK 8u66 or JRE 8u66) for use with Identity Applications on Apache Tomcat, although later versions of Java 1.8 are also supported.

To install Java 1.8 Update 66 on the identity applications and Identity Reporting, perform the steps listed in the readme files from one of the following download pages:

NOTE: You can download Java 1.8 Update 66 directly from the Oracle Site.

3.8 Updating Designer for Java 1.8 Update 66

This service pack updates Designer to support Java 1.8 Update 66.

  1. On the server where you installed Designer, download and install the Java 8 Update 66 files in a local directory.

  2. Open the Designer.ini file located in the Designer installation directory.

  3. Update the Java path in the Designer.ini file.

3.9 Updating Analyzer for Java 1.8 Update 66

This service pack updates Analyzer to support Java 1.8 (32-bit).

  1. On the server where you installed Analyzer, create a directory for Java 1.8.

    For example, opt/netiq/jdk1.8.0_66.

  2. Download and install the Java 1.8 files in this directory.

  3. Open the Analyzer.ini file located in the Analyzer installation directory.

  4. Update the Java path in the Analyzer.ini file.

  5. Replace the existing (jre) folder with the Java 1.8 folder in the installation directory.

3.10 Updating Self Service Password Reset

This service pack requires NetIQ Self Service Password Reset 3.2.0.3 or 3.3.1.1. To install these updates, download the following packages and perform the steps listed in the readme files:

3.11 Updating One SSO Provider

NetIQ recommends that you install the latest version of NetIQ One SSO Provider (OSP) to work with this service pack. To upgrade to OSP 6, perform the steps listed in the readme file from the download page.

4.0 Known Issues

NetIQ Corporation strives to ensure that our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

For the list of the known issues in Identity Manager 4.5, Identity Manager Standard Edition 4.5.1, and Identity Manager 4.5.2, see the Release Notes for each version on the Identity Manager 4.5 Documentation page.

4.1 Images Not Attaching With the Send Email Template

Issue: If you are attaching an image with an e-mail, the image is not included in the e-mail. (Bug 947162)

Workaround: Copy the image file to the DIB directory, restart eDirectory and then attach the image with the e-mail.

4.2 Issue with Resource Creation In Absence of CSV Files for Entitlements

Issue: Identity Manager cannot create resources if a CSV file is missing in the mapping table for any one of the entitlements. (Bug 945038)

Workaround: There is no workaround at this time.

4.3 Unable to Select the Onload Items in the Picklist in the User Application in Internet Explorer 11

Issue: You cannot select the onload items from the picklist in the User Application in Internet Explorer 11. This issue does not occur with other browsers. (Bug 954608)

Fix: To populate the picklist, use pre-activity instead of the onLoad event.

4.4 Cannot Upgrade RHEL 6.x With GUI Mode to RHEL 7.1

Issue: If you try to upgrade your GUI-enabled RHEL 6.x to RHEL 7.1, the upgrade fails due to Red Hat limitations. (Bug 951964) The following links provide more information about this limitation:

  • https://access.redhat.com/solutions/799813

  • https://access.redhat.com/solutions/637583

Workaround: For a successful upgrade, perform the following actions:

  1. Uninstall the GUI from the RHEL 6.x server.

  2. Upgrade the server.

  3. Create an env_idm file in the /etc/opt/novell/eDirectory/conf directory and add the following content to the file:

    LD_LIBRARY_PATH=/opt/novell/lib64:/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH

  4. (Optional) To install the GUI on the upgraded server, follow the instructions provided in the RHEL documentation.

4.5 Drivers Do Not Start If KMO Is Used in the Driver Configuration on RHEL 7.1 and SLES 12 Platforms

Issue: The drivers do not start on these platforms if you used KMO in the driver configuration. (Bug 951958)

Workaround: Manually add the library path /opt/novell/lib64 to the existing path, as follows:

LD_LIBRARY_PATH=/opt/novell/lib64:/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH
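
The value above, which is also the value written to the env_idm file in section 4.4, ends in `::$LD_LIBRARY_PATH`, and the glibc loader treats a zero-length entry in LD_LIBRARY_PATH as the current working directory. The following shell function is an added example, not part of the NetIQ release notes: it flags empty, relative, missing, and group- or world-writable entries in such a value. The names audit_ld_path and PAGE_VALUE are hypothetical.

```shell
#!/bin/sh
# Added example (not NetIQ code): audit an LD_LIBRARY_PATH value entry by entry.
# audit_ld_path VALUE prints one "position kind [entry]" line per finding.
audit_ld_path() {
    rest="$1:"      # extra ':' so a trailing empty entry is still seen
    pos=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            '')   echo "$pos empty"; continue ;;              # means the current directory
            '$'*) echo "$pos inherited $entry"; continue ;;   # unexpanded variable reference
            /*)   ;;                                          # absolute path: check on disk
            *)    echo "$pos relative $entry"; continue ;;
        esac
        if [ ! -d "$entry" ]; then
            echo "$pos missing $entry"
            continue
        fi
        # Mode string of the directory itself (symlinks followed), e.g. drwxr-xr-x
        mode=$(ls -ldL "$entry" | cut -c1-10)
        case $mode in
            ?????w*|????????w*) echo "$pos writable $entry ($mode)" ;;
        esac
    done
    return 0
}

# The value from this page, single-quoted so $LD_LIBRARY_PATH stays literal.
PAGE_VALUE='/opt/novell/lib64:/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH'
audit_ld_path "$PAGE_VALUE"
```

An "inherited" finding means the final search path depends on the environment of the process that reads the value, so run the same audit on that environment's LD_LIBRARY_PATH as well.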

4.6 Assigning a Dynamic Resource to a User Fails the Second Time with idm4 Type Entitlements and When Entitlement ID is Not Populated

Issue: If you have a custom idm4 type of an entitlement and the ID field is not populated in the entitlement values (ID is mandatory for idm4 type entitlements), the User Application might not correctly assign a resource mapped to this entitlement for the second time. The Roles and Resource driver fails to correctly assign these resources to the same user for the second time. Identity Manager does not report any error in the log file.

Workaround: There is no workaround at this time.

4.7 JBoss has Errors Running the Identity Applications with Java Development Kit 8

Issue: Java Development Kit 8 introduces new default methods to some interfaces. If the source level for your project is lower than jdk1.8.0_51, the Java compiler does not let you use default methods in the interface. This behavior can interfere with the configuration of the identity applications and Identity Reporting running on a JBoss application server. (Bug 941913)

For example, the application might fail to display the tab that allows you to approve a task or user request. Instead, you might receive the following message:

An Error has occurred while processing your request. Please contact the administrator or click the back button and try again.

Workaround: When running the identity applications and Identity Reporting on a JBoss application server, use jdk1.7.0_65 or later from Sun (Oracle).

4.8 Engine Upgrade Fails if the Downloaded Folder Contains Special Characters

Issue: The Engine upgrade fails due to special characters present in the download folder. (Bug 958474)

Workaround: There is no workaround at this time.

4.9 Launching the ConfigUpdate Utility from the OSP SSPR Installation Directory Displays Information for the Advanced Edition Components

Issue: The ConfigUpdate utility displays parameters for the Advanced Edition components, such as RBPM, Catalog Administrator, and Home and Provisioning Dashboard. This does not allow you to submit the changes made in the configuration tool. (Bug 917589)

Workaround: To display the correct information in the configuration tool, perform the following actions. This workaround uses the default installation paths created by the Identity Manager component installers on Linux.

  1. In the configupdate.sh.properties file located in the /opt/netiq/idm/apps/osp_sspr/bin/ directory, set is_prov to false.

  2. Launch the ConfigUpdate utility.

4.10 Adding a Permission to a Team in the User Application Is Not Listed in the Make a Request Page of Home Provisioning Dashboard

Issue: Adding a permission to a team in the User Application reflects in the Catalog Administrator and the newly added Team Configuration page. However, the new permission is not included in the Make a Request page of Home Provisioning Dashboard.

Workaround: To display the newly added permission in the Make a Request page, flush the cache in the User Application.

4.11 Issue with Loading the Team Listing

Issue: If you have multiple teams in your environment, Catalog Administrator displays the teams in multiple pages. When you update a team that is not listed in the first page, Catalog Administrator loads the first page instead of the page that contains the team that was updated. (Bug 961480)

Workaround: There is no workaround at this time.

4.12 eDirectory to eDirectory Certificate in Designer Fails with an Error

Issue: In Designer, the certificate creation fails for eDirectory to eDirectory driver certificates. The certificate can be created only a day after the CA is created. (Bug 962929)

Workaround: Run the utility only after the CA is created.

4.13 Delegated Administrators not Supported for Teams Management and Request on Behalf Features

Issue: The Team Management and Request on Behalf features are not supported for a delegated administrator role. (Bug 962710)

Workaround: There is no workaround at this time.

4.14 Running the ConfigUpdate Utility from the OSP SSPR Installation Directory Shows Inconsistent GUI on Windows and Linux Platforms

Issue: If you run the ConfigUpdate utility from the OSP Self Service Password Reset (SSPR) installation directory, the utility displays different options on Windows and Linux platforms. For example, the utility displays Reporting, Authentication, and SSO Clients tabs on Windows platforms and Identity Vault, Authentication, and SSO Clients tabs on Linux platforms. (Bug 916812)

Workaround: To display the correct tabs on Windows, perform the following actions:

  1. Open the configupdate.bat.properties file in a text editor. For example, C:\netiq\idm\apps\osp_sspr\bin\lib\configupdate.bat

  2. Change the following entries in the file:

    • Change force_no_userapp=true to force-no-userapp=true

    • Change force_no_reporting=true to force-no-reporting=true

  3. Save and close the file.

The ConfigUpdate utility then displays the correct tabs for an OSP-only installation.

4.15 Cannot Connect to Remote Database When Installing Identity Reporting

Issue: You can install Identity Reporting on a separate server from the database that Identity Reporting uses. During the installation or upgrade process for Identity Reporting, you can test the connection to the remote database server. However, the connection attempt fails when you install or upgrade Identity Reporting without also specifying a server for NetIQ Event Auditing Service (EAS). (Bug 964099)

Workaround: Complete the following steps:

  1. During the installation or upgrade process for Identity Reporting, select Use EAS (even though you do not intend to use EAS).

  2. For EAS server host name, specify the DNS name or IP address for the database server that Identity Reporting will use.

  3. Continue specifying the database settings as requested by the installation wizard. Then select Test database connection.

  4. If the test connection passes, return to the Event Auditing Service window and deselect Use EAS. Then proceed with the installation or upgrade for Identity Reporting.

  5. If the test connection fails, ensure that you have entered the correct values for the database server. Then perform Step 4.

NOTE: Running Identity Reporting without EAS is also referred to as “standalone Reporting.”

4.16 Cannot Import Portal Data

Issue: Identity Manager cannot import portal data when you have the following settings in User Application > Administration > Application Configuration > Portal Data Import:

  • Import security settings? = Yes

  • View Import Archive > Access level for imported objects = Administrator Only

(Bug 928378)

Workaround: To import portal data, you must change the settings to the following values:

  • Import security settings? = No

  • Access level for imported objects = All Users

After completing the import, you can reestablish your preferred security settings. For more information, see “Importing Portal Data” in the NetIQ Identity Manager User Application: Administration Guide.

5.0 Additions to Documentation

The following topics describe additions and modifications to the Identity Manager documentation.

5.1 Updating a Password for a Database User on Tomcat

The server.xml and context.xml files for the Tomcat application server contain a data source entry that points to the database for the identity applications, Identity Reporting, or both when they are deployed together. Identity Manager 4.5.1 changed the method for updating the password for a database user in the server.xml file when you deploy the identity applications, Identity Reporting, or both on a Tomcat application server.

  1. Stop Tomcat.

  2. Update the user's password in the database server.

  3. In a terminal, navigate to the tomcat/lib directory and enter the following command with Java in your path:

    java -jar iac-datasource-factory.jar %newpassword%

  4. Copy the encrypted output of the password and update the entry for that user in the server.xml file, located by default in the tomcat/conf directory.

  5. Start Tomcat.

5.2 Adding a Custom Logo in the Identity Applications

You can customize the themes and images that the identity applications and Identity Reporting display in your users’ Web browsers. To replace the NetIQ logo with a custom logo in the header, the logo must be in a .GIF or .JPG format. Otherwise, Microsoft Internet Explorer 11 does not display the logo. (Bug 938050)

5.3 Customizing Strings for One SSO Provider

Identity Manager allows you to customize the strings in OSP to suit the needs of your enterprise. The strings are based on the user’s current locale. The osp-custom-resources.jar file contains all of the string property files. (Bug 942083)

To customize OSP strings, perform the steps listed in the readme file from the download page.

5.4 Installing the Identity Manager Engine with Multiple Instances of Identity Vault

You can install the Identity Manager engine in an environment where you have configured multiple instances of Identity Vault. Identity Manager supports this installation as a root user and in a silent mode. For more information, see the “Installing on a Server with Multiple Instances of Identity Vault” section in the NetIQ Identity Manager Setup Guide. (Bug 938158)

6.0 Previous Releases

This service pack includes enhancements and software fixes provided in previous releases:

  • Identity Manager 4.5 Service Pack 2 Hotfix 1

  • Identity Manager 4.5 Service Pack 2

  • Identity Manager 4.5 Service Pack 1

For more information, see NetIQ Identity Manager 4.5 Service Pack 2 Release Notes and NetIQ Identity Manager 4.5 Service Pack 1 Release Notes.

7.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.