NetIQ Identity Manager 4.5 Service Pack 4 Release Notes

June 2016

NetIQ Identity Manager 4.5 Service Pack 4 includes new features, improves usability, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Identity Manager Community Forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Identity Manager Documentation Web site page. To download this service pack, see the NetIQ Identity Manager Product Upgrade website.

1.0 What’s New?

Identity Manager 4.5.4 provides the following key features, enhancements, and fixes in this release:

NOTE: Support for web application servers such as JBoss Enterprise Application Platform (EAP) and WebSphere has been deprecated with Identity Manager 4.5 Service Pack 4. These web application servers will no longer be supported with the next major release of Identity Manager. However, they will continue to be supported with Identity Manager 4.5.x.

1.1 New Features

This release introduces the following features:

  • Optional support for eDirectory 9.0.1: This service pack provides support for eDirectory 9.0.1 in addition to eDirectory 8.8.8.x as an Identity Vault and as a connected system. However, NetIQ applies certain restrictions on installing eDirectory 9.0.1 with Identity Manager. For more information, see Section 7.0, Working with eDirectory 9.0.1. You must install iManager 3.x to support the new features of eDirectory 9.0.1. For more information, see Section 2.0, System Requirements.

  • Support for Transport Layer Security (TLS) 1.2: This service pack extends support for TLS 1.2 for ensuring improved security across Identity Manager components. TLS 1.2 has several benefits over the previous versions of TLS. For example, it allows stronger ciphers and makes your environment more secure.

    NetIQ supports TLS 1.2 with eDirectory 9.0 or later versions. No additional configuration is required when a secure connection is configured between identity applications and eDirectory. TLS 1.2 is supported with other Identity Manager components as well.

    NOTE: Reporting-EAS is certified with TLS 1.0 and TLS 1.1 only.

    For detailed information regarding TLS support, refer to the following Identity Manager component release notes:

  • Platform updates: This service pack extends support for SUSE Linux Enterprise Server (SLES) 12 SP1 and Red Hat Enterprise Linux (RHEL) 7.2 platforms.

  • Notification when a new Designer build is available: Designer now extends the existing Check for Designer Updates capability and notifies when a new full build of Designer is available for download.

  • Improved startup time for Designer: Designer now takes significantly less time to start as compared to 4.5.3 or below.

  • Support for monitoring the health statistics information for the User Application: The User Application now provides the health statistics information for the User Application. The health statistics help you to smoothly run and tune the User Application, and make upgrades and troubleshooting much easier. For more information, see Support for Monitoring the User Application Health Statistics.

1.2 Component Updates

This service pack provides updates for the following components in Identity Manager:

  • Identity Manager engine

  • Identity applications

  • Designer for Identity Manager (Designer)

  • SAML

1.3 Support for Java 1.8 Update 92

This service pack updates the following components to support Java Development Kit 8 Update 92 (jdk8u92) or Java Runtime Environment 1.8 Update 92 (jre8u92).

  • Identity Manager engine

  • Identity applications, running on Apache Tomcat

  • Identity Reporting, running on Apache Tomcat

  • Designer

  • Analyzer (32-bit Java only)

The Identity Manager 4.5 Engine Service Pack 4 updates the Java version for the Identity Manager engine. You need to manually update your current Java version for the identity applications, Identity Reporting, Designer, and Analyzer. For more information, see Section 3.5, Installing Java 1.8 Update 92 on the Identity Manager Servers.

NOTE: If you use JBoss Enterprise Application Platform (EAP) or IBM WebSphere, do not upgrade to Java 1.8. For more information, see JBoss has Errors Running the Identity Applications with Java Development Kit 8 in the NetIQ Identity Manager 4.5 Service Pack 3 Release Notes.

1.4 Support for OSP 6.0.0.3 or Later Versions

This service pack adds support for OSP 6.0.0.3 or later. For more information about updating to OSP 6.0.0.3 or later, see Section 3.9, Updating One SSO Provider.

1.5 Addresses Software Vulnerabilities

This service pack addresses the following Common Vulnerabilities and Exposures (CVEs) for Identity Manager:

CVE-2016-1598

1.6 Enhancements for Designer for Identity Manager

This service pack provides the following improvements for Identity Manager Designer:

Notification of New Full Builds for Designer

Designer now extends the Check for Designer Updates capability and provides a notification when a new full build of Designer is available for download.

This is an additional capability that Designer provides. Designer continues to provide support for downloading the builds from the download site.

Support for TLS 1.2 Protocol

  • Designer now supports TLS 1.2 for connecting to the Identity Vault.

  • The Version Control feature of Designer supports TLS 1.2 for connecting to the Subversion version control server.

1.7 Enhancements for Identity Applications

This service pack provides the following improvements for Identity Applications:

Support for Monitoring the User Application Health Statistics

This release includes a new API that allows you to retrieve information about the health of the User Application. The REST API can access the system for the currently running threads, memory consumption, cache, and cluster information and returns the information using the GET operation. (Bug 980242)

  • Memory information (JVM and system memory): Reads the memory related information such as system memory and memory consumed by the JVM.

    For example,

    http://<ip_addr:port>/IDMProv/rest/monitoring/statistics/memoryinfo

  • Thread information: Reads the information about the CPU-intensive threads and returns the list of top threads that cause heavy utilization of the CPU.

    For example,

    http://<ip_addr:port>/IDMProv/rest/monitoring/statistics/threadinfo

    To access the stack trace of threads in the JVM, set the stack parameter to True.

    For example,

    http://<ip_addr:port>/IDMProv/rest/monitoring/statistics/threadinfo?stack=true

    To specify the number of threads in the JVM, specify the value for the thread-count parameter.

    For example,

    http://<ip_addr:port>/IDMProv/rest/monitoring/statistics/threadinfo?thread-count=1

  • Cache information: Reads the cache information for the User Application.

    For example,

    http://<ip_addr:port>/IDMProv/rest/monitoring/statistics/cacheinfo

  • Cluster information: Reads the cluster related information.

    For example,

    http://<ip_addr:port>/IDMProv/rest/monitoring/statistics/clusterinfo

NOTE: You need to be a Security Administrator to view the User Application health statistics by using the REST API.

1.8 Software Fixes for the Identity Manager Engine and Driver Plug-ins

NetIQ Identity Manager includes software fixes that resolve several previous issues in the Identity Manager engine and plug-ins.

Drivers Do Not Start If KMO Is Used in the Driver Configuration on RHEL 7.1 and SLES 12 Platforms

This service pack resolves the issue where the drivers did not start on these platforms if KMO was used in the driver configuration. (Bug 951958)

Unicode Character Causes the Remote Loader To Crash

This service pack resolves an issue where the Remote Loader crashed if Unicode characters were passed to the drivers.

The Remote Loader is now updated to handle the special characters. (Bug 962355)

Upgrading iManager 2.7.7 Patch 6 to iManager 3.0 Fails If Identity Manager is Installed on the Same Windows 2012 Server

This service pack resolves an issue where upgrading iManager 2.7.7 Patch 6 to iManager 3.0 failed if Identity Manager was installed on the same Windows 2012 server. (Bug 971743)

Drivers Do Not Start After Upgrading to RHEL 7.x or SLES 12.x

This service pack resolves an issue where the drivers did not start using RHEL 7.x or SLES 12.x in the following scenarios:

  • The operating system is upgraded to RHEL 7.x or SLES 12.x after eDirectory and Identity Manager are upgraded to 8.8.8 Patch 8 and 4.5.4 respectively.

  • Identity Manager is installed on an eDirectory server where the eDirectory configuration file (nds.conf) is not placed in a default location. (Bug 953273)

To ensure that the drivers start post RHEL or SLES upgrade, do the following action:

Create an env_idm file in /etc/opt/novell/eDirectory/conf directory on the upgraded RHEL or SLES server and manually enter the following environment variable in the env_idm file.

LD_LIBRARY_PATH=//opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH:/opt/novell/eDirectory/lib64/apr:/opt/novell/eDirectory/lib64:/opt/novell/lib64:/opt/novell/eDirectory/lib64/nds-modules:$LD_LIBRARY_PATH
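
The value above contains an empty entry (::) and references $LD_LIBRARY_PATH twice, and the Linux dynamic linker treats a zero-length entry as the current working directory, so it is worth checking the expanded value before saving it. The following Python script is an added example, not part of the NetIQ release notes; the names audit and tidy and the finding labels are this example's own, and it assumes that $LD_LIBRARY_PATH in env_idm is expanded the way a shell would expand it.

```python
"""Audit an LD_LIBRARY_PATH value before it goes into env_idm (added example)."""
import os
import stat

# Value copied verbatim from the env_idm step in the release notes.
PAGE_VALUE = (
    "//opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64:"
    "//opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server:"
    "//opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::"
    "$LD_LIBRARY_PATH:/opt/novell/eDirectory/lib64/apr:"
    "/opt/novell/eDirectory/lib64:/opt/novell/lib64:"
    "/opt/novell/eDirectory/lib64/nds-modules:$LD_LIBRARY_PATH"
)


def expand(value, inherited=""):
    """Substitute the inherited value for $LD_LIBRARY_PATH (assumed shell-style)."""
    for ref in ("${LD_LIBRARY_PATH}", "$LD_LIBRARY_PATH"):
        value = value.replace(ref, inherited)
    return value


def _normalise(entry):
    # Collapse repeated slashes ("//opt" -> "/opt") so duplicates compare equal.
    return os.path.normpath("/" + entry.lstrip("/"))


def _fs_findings(path):
    """Check that a search directory exists and is not writable by others."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return ["missing"]
    if not stat.S_ISDIR(mode):
        return ["not-a-directory"]
    kinds = []
    if mode & stat.S_IWOTH:
        kinds.append("world-writable")
    if mode & stat.S_IWGRP:
        kinds.append("group-writable")
    return kinds


def audit(value, inherited="", check_fs=False):
    """Return (position, kind, entry) findings for a colon-separated search path."""
    findings, seen = [], set()
    for pos, entry in enumerate(expand(value, inherited).split(":"), start=1):
        if entry == "":
            # A zero-length entry makes the loader search the current directory.
            findings.append((pos, "empty", entry))
            continue
        if not entry.startswith("/"):
            # Relative entries are also resolved against the current directory.
            findings.append((pos, "relative", entry))
            continue
        norm = _normalise(entry)
        if norm in seen:
            findings.append((pos, "duplicate", entry))
            continue
        seen.add(norm)
        if check_fs:
            findings.extend((pos, kind, entry) for kind in _fs_findings(norm))
    return findings


def tidy(value, inherited=""):
    """Keep absolute entries only, normalised, in first-seen order."""
    kept = []
    for entry in expand(value, inherited).split(":"):
        if entry.startswith("/"):
            norm = _normalise(entry)
            if norm not in kept:
                kept.append(norm)
    return ":".join(kept)


if __name__ == "__main__":
    inherited = os.environ.get("LD_LIBRARY_PATH", "")
    for pos, kind, entry in audit(PAGE_VALUE, inherited, check_fs=True):
        print(f"entry {pos}: {kind}: {entry!r}")
    print("tidied value:", tidy(PAGE_VALUE, inherited))
```

The tidied value is this example's suggestion, not a NetIQ-documented setting; confirm that the drivers still start with it before relying on it.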

1.9 Software Fixes for the Identity Applications

NetIQ Identity Manager includes software fixes that resolve several previous issues in the identity applications.

Creating a Role Using the SOAP Endpoint Does Not Create and Set the nrfStatus Attribute

This service pack resolves an issue where a role created using the SOAP endpoint did not add the nrfStatus attribute to the role. (Bug 969128)

Performance Issues with the Request on Behalf Feature

The Request on Behalf feature performs automatic queries on users and groups and searches from the base container set in the ConfigUpdate utility. It does not wait for you to specify the minimum number of characters before starting to search. The automatic querying results in memory issues in your environment. (Bug 976730)

This service pack resolves this issue by optimizing the performance of the search result regardless of whether you use Request on Behalf, Catalog Administrator, or the Teams configuration page. If you search for a huge number of users or groups, the search displays only 250 results in the user interface. However, the results are not in sorted order. To further enhance the search performance, use the refined search option.

Unable to Access the Identity Applications If Login Attribute Contains a Comma

This service pack resolves an issue where Identity Manager applications could not be successfully accessed when the login attribute contained a comma. (Bug 970959)

Cannot Assign a Role to a User With a Comma in the CN Attribute

With this service pack, you can assign a role and administrator rights to a user who has a comma in the CN (Common Name) attribute. (Bug 970967)

Unable to Select the Onload Items in the Picklist in the User Application in Internet Explorer 11

This service pack resolves an issue where fields in forms do not display appropriately in Internet Explorer 11 on a Windows computer. (Bug 954608)

Identity Manager Dashboard Does Not Display all Tasks If Recipients Have Mixed Cases In Their Names

This service pack resolves an issue where the Identity Manager dashboard did not display the entire list of tasks if any of the recipients had mixed cases in their names. (Bug 967738)

Featured Items Displayed Lower On Screen After Applying Identity Manager 4.5.3

This service pack resolves an issue where the Featured Items tab was displayed below the Make a Request tab after Identity Manager 4.5.3 was applied. (Bug 970236)

Workflow With Approver Type as Multiple Does Not Allow All Approvers to Update Comments

This service pack resolves an issue where approvers in a single approval workflow with Approver Type as Multiple were unable to add their comments. Any new requests made were not listed in all the users' task lists. (Bug 971447)

Reminder e-mail Notification Issue While Using Multiple Approval

With this service pack, all users of a group get notification mails after each reminder interval even if a member of the group approves the task. (Bug 973097)

Unable to Select Items in Picklist Using the User Application on Internet Explorer 11

With this service pack, the user can now request a workflow using the User Application on Internet Explorer 11. (Bug 977371)

User Application Times Out After Three Minutes With OSP 6

This service pack resolves the issue where the User Application used to time out after a couple of minutes using OSP 6. (Bug 977863)

The ManageTeamTilesCreate.jar Does Not Support Silent Properties

This service pack resolves the issue where ManageTeamTilesCreate.jar did not support silent properties. You can now provide a silent properties file or command line arguments as an input for the ManageTeamTilesCreate.jar utility, to generate teams tiles on the new landing page items for Request on Behalf. (Bug 970256)

1.10 Software Fixes for Designer for Identity Manager

NetIQ Identity Manager includes software fixes that resolve several previous issues in Designer.

Incorrect Policy Linkages Are Displayed

With this service pack, Designer correctly displays the policy weights under the Policy Set view when a driver package with linkages to a driver set policy is upgraded or downgraded. (962888)

Action Model Option Not Visible in the Integration Tab

With this service pack, Designer now correctly displays the toolbar options for the action model on the Integration tab in the Provisioning Request Definition editor. (Bug 876014)

Standard DirXML Script Objects are Removed in ECMAScript Expression Builder

With this service pack, if additional objects are set in the Simulation preferences in Designer, ECMA Script Expression Builder lists these objects along with the default DirXML objects. (Bug 971388)

Unable to Migrate User Application Driver 3.7 to 4.0.0 with Designer 4.0.2 or 4.5.2.1

This service pack resolves an issue where the User Application driver was unable to migrate from version 3.7 to 4.0.0 by using Designer 4.0.2 or 4.5.2.1. (Bug 959128)

Unable To Make a Connection to the SVN Server Over TLS 1.2

With this service pack, Designer successfully connects to the SVN server over TLS 1.2. (Bug 970445)

Considering Weights From Other Drivers While Creating The Order of Policies In a Policy Set

With this service pack, Designer does not consider weights of policies from other drivers of the driver set. It now creates the order based on weights from the same driver. (Bug 972507)

Designer 4.5.3 Simulate Function Does Not Work on REST Driver Policy

This service pack resolves the issue where the Designer 4.5.3 simulate function did not process the input document and produce the output document of the policy. (Bug 968525)

Remote Loader Prompt Transform Fails to Read Additional Setting If No KMO Parameter is Used

With this service pack, the port, host name, and other fields are correctly populated even if the KMO field is empty. (Bug 773647)

Inform Users If a New Version of Designer Is Available or Not

With this service pack, Designer displays a message and informs you when a full build of Designer is available and also provides a link to the web page where the build is published. (Bug 960781)

2.0 System Requirements

This service pack requires the following product versions:

Requirement

Description

NetIQ Identity Manager 4.5 or later

This includes Identity Manager engine, Identity Applications, Identity Reporting, Designer 4.5.2 at a minimum.

NetIQ eDirectory 8.8.8 Patch 8 at a minimum or eDirectory 9.0.1 at a minimum

You can install eDirectory 8.8.8.x or 9.0.1 as an Identity Vault and as a connected system.

NOTE:

  • You can only upgrade Identity Manager 4.5.4 with eDirectory 8.8.8 Patch 8 or later to eDirectory 9.0.1.

  • eDirectory 9.0 is not supported with Identity Manager.

NetIQ iManager 2.7.7 Patch 7 or iManager 3.0.1

You must install iManager 3.x to support the new features of eDirectory 9.0.1. If you are not upgrading your Identity Vault to eDirectory 9.0.1, use iManager 2.7.7 Patch 7. Ensure you update your existing plug-ins to the latest versions for the iManager version you are using.

IMPORTANT: Do not install iManager 3.x on a server running eDirectory 8.8.8.x. Similarly, do not install iManager 2.7.7.x on a server running eDirectory 9.0.1. If you are planning to upgrade eDirectory 8.8.x to 9.0.1 on a server running iManager 2.7.7.x, ensure that iManager is upgraded to 3.x. iManager 3.x is compatible with eDirectory 9.0.1.

NetIQ recommends that you clear the iManager cache soon after upgrading the Identity Manager plug-ins.

NetIQ Self Service Password Reset 3.3.1.2, at a minimum

NetIQ One SSO Provider 6.0.0.3, at a minimum

For more information about the software requirements, see “Selecting an Operating System Platform for Identity Manager” in the NetIQ Identity Manager Setup Guide.

3.0 Upgrading to this Service Pack

You can upgrade to this service pack from Identity Manager 4.5, 4.5.1, 4.5.2, or 4.5.3. Install the components in the following order, depending on your current version:

Upgrading from Identity Manager 4.5, 4.5.1, 4.5.2, or 4.5.3 (the order is the same for each version):

  1. Identity Manager Engine

  2. Remote Loader

  3. Designer

  4. Configuration Update Utility 4.5.0.2

  5. One SSO Provider

  6. Role and Resource Service Driver 4.5.0.1

  7. Identity Applications (for Advanced Edition)

  8. Identity Reporting

  9. Self Service Password Reset

Before beginning the installation, review the following considerations to help you plan the installation:

  • The Identity Manager 4.5 Engine Service Pack 4 updates the Java version to 1.8.0_92 for the Identity Manager engine. You need to manually update your current Java version for the Identity Applications, Identity Reporting, Designer, and Analyzer. For more information, see Section 3.5, Installing Java 1.8 Update 92 on the Identity Manager Servers.

    • For Identity Manager Advanced Edition, update Java 1.8 Update 92 before installing the Identity Applications.

    • For Identity Manager Standard Edition, update Java 1.8 Update 92 before installing the Identity Reporting.

  • You can directly upgrade Designer 4.5.4 from Designer 4.5.2 and 4.5.3. To upgrade Designer 4.5 to Designer 4.5.4, first upgrade to Designer 4.5.2 and then upgrade Designer 4.5.2 to Designer 4.5.4.

    NOTE: Designer 4.5.2 is a complete software build, while Designer 4.5.4 features are available at the Designer Auto-Update Site. For more information about updating Designer, see the following links:

3.1 Upgrading to Identity Manager 4.5.4 with eDirectory 8.8.8 Patch 8 or Later

You can upgrade Identity Manager 4.5, 4.5.1, 4.5.2, or 4.5.3 to Identity Manager 4.5.4 with a minimum version of eDirectory 8.8.8 Patch 8.

The Identity Manager 4.5.4 installation files are included in the IDM_engine_rl_IDM4.5.4.zip file. The zipped file contains the following folders:

  • Identity Manager 4.5.4 Engine and Remote Loader (cd-image)

  • Compatibility installer for installing Identity Manager 4.5 on eDirectory 9.0.1 (idm45_eDir90_compat)

  • SAML 1.1.2 (SAML)

To upgrade to Identity Manager 4.5.4, perform the following actions:

  1. Install the Identity Manager 4.5.4 engine service pack on the Identity Manager engine server by performing the steps listed in the readme file from the download page.

  2. Select the type of Remote Loader you want to update, then click OK.

  3. Click OK when the pop-up message appears.

    This message indicates that Identity Manager is not Suite B compliant.

  4. Click Done after the installation is complete.

IMPORTANT: NetIQ allows you to upgrade Identity Manager 4.5 with eDirectory 9.0.1 to Identity Manager 4.5.4 using a special compatibility installer. For installation instructions, see Section 6.0, Installing Identity Manager 4.5.4 on eDirectory 9.0.1 or Later.

3.2 Updating the Identity Applications

This service pack includes an update to the identity applications that run on a Tomcat, WebSphere, and JBoss application server. Download the IDM45-Apps-SP-4.zip file to the server where you deployed the identity applications and perform the steps listed in the readme files.

Updating the Keystore Path in the Configuration Update Utility

To update the path of the keystore in the Configuration Update utility, perform the steps listed in the readme file from the download page.

Updating SAML 1.1.2

This service pack includes support for SAML 1.1.2. The installation files are included in the IDM_engine_rl_IDM4.5.4.zip file. For information about using SAML 1.1.2 with the identity applications, perform the steps listed in the readme file from the download page.

3.3 Updating the Identity Manager Engine

This service pack includes an IDM_engine_rl_IDM4.5SP4.zip file for updating the Identity Manager engine. Install this package on the Identity Manager engine server. For more information, see “Hotfixing the Identity Manager Engine and Remote Loader” in the NetIQ Identity Manager Setup Guide.

NOTE: The Identity Manager engine upgrade process displays a warning that you must not enable eDirectory 9.0.1 in Suite B modes. However, some of the Suite B modes can be enabled. For a list of supported Suite B modes, please refer to table.

3.4 Updating Designer

This service pack provides an update to Designer. Download the Designer 4.5.4 updates from the Designer Download Site.

NOTE: To upgrade Designer 4.5 to Designer 4.5.4, first upgrade to Designer 4.5.2 and then upgrade Designer 4.5.2 to Designer 4.5.4.

Designer provides a built-in auto-update feature that notifies you of new features available at the Designer Download Site. This feature allows you to download Designer package and patch updates when the computer that has Designer installed is connected to the Internet.

You can also perform an offline update of Designer when the computer that has Designer installed is not connected to the Internet. To perform an offline update, first download the required contents from the Designer and Package Update Web sites on a local or remote computer and then point Designer to the directory containing the downloaded files.

Updating Designer in an Offline Mode

To do this, create an offline copy of the Designer update files and then configure Designer to read the patch updates from the files copied to the local computer.

To create an offline copy of the Designer update files on Linux:

  1. Log in to the computer that has Designer installed and create a local directory.

  2. Download the latest patch zip file for Designer version from the specified location and unzip the files into the local directory.

To configure Designer to read the patch updates from the files copied to the local computer:

  1. Launch Designer.

  2. From Designer’s main menu, click Window > Preferences.

  3. Click NetIQ > Identity Manager and select Updates.

  4. Select Do not check for updates and deselect all the other check boxes.

  5. For URL, specify file:///path_to_files/updatesite4_5_4

    For a Linux mounted ISO, use the following URL format:

    file:///media/designer450offline/updatesite4_5_4

  6. Click Apply, then click OK.

  7. From Designer’s main menu, click Help > Check for Designer Updates.

  8. Select the required updates and click Yes to accept and update the Designer patch updates.

    You need to launch Designer again for the changes to take effect.

Updating the Designer Packages Offline

To do this, create an offline copy of the package update files and then configure Designer to read the package updates from the files copied to the local computer.

To create an offline copy of the package update files on Linux:

  1. Log in to the computer that has Designer installed and create a local directory.

  2. In a shell, change to this directory and run the following commands to copy the Designer package update files:

    wget -r -nH -np http://nu.novell.com/cached/designer/packages/idm/updatesite1_0_0/

    wget -r -nH -np http://nu.novell.com/cached/designer/packages/idm/updatesite2_0_0/

To configure Designer to read the package updates from the files copied to the local computer:

  1. Launch Designer.

  2. From Designer’s main menu, click Window > Preferences.

  3. Click NetIQ > Package Manager > Online Updates.

  4. To add a new URL, click the plus icon.

  5. Provide information for the following fields:

    1. Vendor: Specifies the vendor name for package update.

    2. URL: Specifies the URL as file:///path_to_files/updatesite1_0_0/.

      For Linux mounted ISO, use the following URL format:

      file:///media/designer454offline/updatesite1_0_0/

      For Windows, use the following URL format:

      file:///c:\designer454offline\updatesite1_0_0\.

      NOTE: If you have multiple package sites, repeat Step 5 and add multiple sites and URLs.

  6. Click OK.

  7. In the Preferences window, select the required check boxes for the sites.

    NOTE: The new sites are selected by default.

  8. Click Apply, then click OK.

  9. From Designer’s main menu, click Help > Check for Package Updates.

  10. Select the required updates and click Yes to accept and update the Designer package updates.

    You need to launch Designer again for the changes to take effect.

3.5 Installing Java 1.8 Update 92 on the Identity Manager Servers

This service pack certifies Java 1.8.0_92 (JDK 8u92 or JRE 8u92) for use with Identity Applications on Apache Tomcat. The later versions of Java 1.8 are also supported.

To install Java 1.8 Update 92 on the identity applications, perform the steps listed in the readme files from the download page.

NOTE: You can download Java 1.8 Update 92 directly from the Oracle Site.

3.6 Updating Java 1.8 Update 92 for Designer

This service pack updates Designer to support Java 1.8 Update 92.

  1. On the server where you installed Designer, download and install the Java 8 Update 92 files in a local directory.

  2. Open the Designer.ini file located in the Designer installation directory.

  3. Update the Java path in the Designer.ini file.

3.7 Updating Java 1.8 Update 92 for Analyzer

This service pack updates Analyzer to support Java 1.8 (32-bit).

  1. On the server where you installed Analyzer, create a directory for Java 1.8.

    For example, opt/netiq/jdk1.8.0_92.

  2. Download and install the Java 1.8 files in this directory.

  3. Open the Analyzer.ini file located in the Analyzer installation directory.

  4. Update the Java path in the Analyzer.ini file.

  5. Replace the existing (jre) folder with the Java 1.8 folder in the installation directory.

3.8 Updating Self Service Password Reset

This service pack requires NetIQ Self Service Password Reset 3.3.1.2, at a minimum. To install these updates, download the following package and perform the steps listed in the readme files:

3.9 Updating One SSO Provider

NetIQ recommends that you install the latest version of NetIQ One SSO Provider (OSP) to work with this service pack. To upgrade to OSP 6.0.0.3 or later, perform the steps listed in the readme file from the download page.

3.10 Enabling TLS/SSL Connections for User Application

To enable SSL connections, perform the steps listed in the readme file from the download page.

4.0 Installing Identity Manager 4.5.4 on SLES 12 Service Pack 1 Platform

You can install Identity Manager 4.5.4 on a server running SUSE Linux Enterprise Server 12 SP1 at a minimum. The following table guides you through the installation process. First you install the Identity Manager 4.5 components in the given sequence using the individual component installation programs and then apply Identity Manager 4.5 Service Pack 4 as appropriate. For more information, see Section 3.0, Upgrading to this Service Pack.

Before starting the installation, NetIQ recommends that you go through the following table to help you plan the installation process for Identity Manager. For example, you should not install Identity Vault and EAS on the same server.

IMPORTANT: Identity Manager does not support this installation using the integrated installation program.

Order of Installation

Installation Instructions

EAS

Install EAS and Identity Manager engine on separate servers. Install the following dependent libraries before starting the EAS installation:

For more information about installing EAS, see Installing EAS in the Identity Manager Setup Guide.

eDirectory

Install eDirectory 8.8 SP8 Patch 8, at a minimum

NOTE: Identity Manager ships eDirectory 8.8 SP8 Patch 3 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on SLES 12.x, ensure that your eDirectory is running 8.8 SP8 Patch 8 at a minimum.

Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at eDirectory 8.8 SP8 documentation site.

Identity Manager Engine and Remote Loader

Install the Identity Manager engine as instructed in “Installing the Identity Manager Engine, Drivers, and Plug-ins” in the Identity Manager Setup Guide. Install the following dependent library before starting the installation:

iManager

Install iManager 2.7 SP7 Patch 7, at a minimum

  1. Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at iManager 2.7.7 documentation site.

  2. Ensure that you install the following dependent library before starting the installation:

For detailed installation instructions, see Installing iManager in the Identity Manager Setup Guide.

Designer

  1. Download and extract XULRunner-24 (64-bit) from the Mozilla FTP site.

  2. Open the Designer.ini file from the designer installation directory.

  3. Add the following lines at the end of the Designer.ini file:

    -Dorg.eclipse.swt.browser.XULRunnerPath=<path where XULRunner is extracted>

    -Dorg.eclipse.swt.internal.gtk.disablePrinting

  4. Save the Designer.ini file and restart Designer.

Analyzer

  1. Install the following RPMs from the SLES 12 installation media:

    • gtk2-tools (32-bit)

    • libXtst6 (32-bit)

    • libgthread-2_0-0 (32-bit)

    • libXt6 (32-bit)

  2. Download and extract XULRunner-1.9.2 (32-bit) from the Mozilla FTP site.

  3. Open the Analyzer.ini file from the analyzer installation directory.

  4. Add the following line at the end of the Analyzer.ini file.

    -Dorg.eclipse.swt.browser.XULRunnerPath=<path where XULRunner is extracted>:

  5. Save the Analyzer.ini file and restart Analyzer.

Self Service Password Reset

For more information about installing Self Service Password Reset, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

One SSO Provider

For more information about installing One SSO Provider, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

Identity Applications

For more information about installing Identity Applications, see Installing the Identity Applications in the Identity Manager Setup Guide.

Identity Reporting

For more information about installing Identity Reporting, see Installing the Identity Reporting Components in the Identity Manager Setup Guide.

5.0 Installing Identity Manager 4.5.4 on RHEL 7.2 Platform

You can install Identity Manager 4.5.4 on a server running Red Hat Enterprise Linux 7.2 platform. The following table guides you through the installation process. First you install the Identity Manager 4.5 components in the given sequence using the individual component installation programs and then apply Identity Manager 4.5 Service Pack 4 as appropriate. For more information, see Section 3.0, Upgrading to this Service Pack.

Before starting the installation, NetIQ recommends that you go through the following table to help you plan the installation process for Identity Manager. For example, you should not install Identity Vault and EAS on the same server.

IMPORTANT:Identity Manager does not support this installation using the integrated installation program.

Installation Order

Description

EAS

Install EAS and Identity Manager engine on separate servers. Install the following dependent libraries before starting the EAS installation:

For more information about installing EAS, see Installing EAS in the Identity Manager Setup Guide.

eDirectory

Install eDirectory 8.8 SP8 Patch 8 and above.

NOTE:Identity Manager ships eDirectory 8.8 SP8 Patch 3 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on RHEL 7.2, ensure that your eDirectory is running 8.8 SP8 Patch 8 at a minimum.

Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at eDirectory 8.8 SP8 documentation site.

Identity Manager Engine and Remote Loader

Install the Identity Manager engine as instructed in “Installing the Identity Manager Engine, Drivers, and Plug-ins” in the Identity Manager Setup Guide. Install the following dependent library before starting the installation:

iManager

Install iManager 2.7 SP7 Patch 7, at a minimum

NOTE:Identity Manager ships iManager 2.7.7 Patch 2 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on RHEL 7.2, ensure that your iManager is running SP7 Patch 7 at a minimum.

  1. Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at iManager 2.7.7 documentation site.

  2. Ensure that you install the following dependent library before starting the installation:

For detailed installation instructions, see Installing iManager in the Identity Manager Setup Guide.

Self Service Password Reset

For more information about installing Self Service Password Reset, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

One SSO Provider

For more information about installing One SSO Provider, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

Identity Applications

For more information about installing Identity Applications, see Installing the Identity Applications in the Identity Manager Setup Guide.

Identity Reporting

For more information about installing Identity Reporting, see Installing the Identity Reporting Components in the Identity Manager Setup Guide.

6.0 Installing Identity Manager 4.5.4 on eDirectory 9.0.1 or Later

NetIQ supports installing Identity Manager 4.5.4 on eDirectory 9.0.1 or later. You perform this installation in two steps. First you install the Identity Manager 4.5 engine on eDirectory 9.0.1 by using the compatibility installer located in the idm45_eDir90_compat folder. You must follow this installation by immediately updating the engine with the Identity Manager 4.5.4 Engine Service Pack. This service pack contains the required software to enable the Identity Manager engine to function with eDirectory 9.0.1 and it is a mandatory step.

NOTE:Identity Manager 4.5.4, which also includes the engine component, is not completely Suite B compliant. Some of the Suite B modes can be enabled. For a list of supported Suite B modes, please refer to the table.

6.1 Prerequisites

Ensure that you do not install iManager 4.5.0 plug-ins during the installation. The Identity Manager 4.5.4 plug-ins can be installed using the iManager update page for the respective version of iManager.

For more information, see NetIQ iManager Installation Guide.

6.2 Installation Procedure

  1. Install Identity Manager 4.5.

    On the eDirectory 9.0.1 server, perform the following actions:

    1. Download the Identity Manager 4.5 ISO.

    2. Extract the ISO contents to a folder.

    3. From the directory that contains the installation files, complete one of the following actions:

      • Linux: Replace the <ISO Extracted folder>/products/IDM/linux/setup/idm_linux.bin file with idm45_eDir90_compat/release/idm_linux.bin.

      • Windows: Replace the <ISO Extracted folder>\products\IDM\windows\setup\idm_install.exe file with idm45_eDir90_compat\release\idm_install.exe.

    4. Navigate to the extracted folder and complete one of the following actions:

      • Linux: Browse to the <ISO Extracted folder>/products/IDM folder and run the install.bin file.

      • Windows: Browse to the <ISO Extracted folder>\products\IDM\windows\setup folder and run the install.exe file.

      NOTE:

      • Identity Manager does not support this installation using the integrated installation program.

      • SAML method 1.1.2 is added by default using the compatibility installer (idm45_eDir90_compat).

  2. Apply the Identity Manager 4.5.4 or later engine service pack from the download page.

    NOTE:

    • This is a mandatory step to perform, as Identity Manager 4.5 versions prior to version 4.5.4 are not compatible with eDirectory 9.0.1.

    • While installing Identity Manager 4.5 engine using compatibility installer, the following message is displayed:

      sh: /var/opt/novell/nici/nicimud: No such file or directory

      It is safe to ignore this message.

  3. (Conditional) Update the other Identity Manager components to the latest versions.

    For more information, see NetIQ Identity Manager Setup Guide.

7.0 Working with eDirectory 9.0.1

In addition to eDirectory 8.8.8, Identity Manager supports installing eDirectory 9.0.1 as an Identity Vault and as a connected system. Before using eDirectory 9.0.1 with Identity Manager, NetIQ recommends that you review the following sections:

7.1 Upgrading Identity Vault from eDirectory 8.8.8 to eDirectory 9.0.1

You can upgrade Identity Vault from eDirectory 8.8.8 to eDirectory 9.0.1 only on Identity Manager 4.5.4 with eDirectory 8.8.8 Patch 8. If your current Identity Manager version is 4.0.2, you must first upgrade to Identity Manager 4.5 and then apply the Identity Manager 4.5.4 patch with eDirectory 8.8.8 Patch 8.

Perform the following actions to upgrade Identity Vault from eDirectory 8.8.8 to eDirectory 9.0.1:

  1. Ensure that your current eDirectory version on Identity Manager Server is eDirectory 8.8.8 Patch 8.

  2. Update the SAML methods to version 1.1.2. To do so, perform the steps listed in the readme file from the download page, and then restart eDirectory.

    IMPORTANT:iManager NMAS plug-in should not be used to update SAML 1.1.2. For more information, see Section 8.12, eDirectory Crashes After Updating SAML Method From Earlier Versions to SAML 1.1.2 or Later.

    NOTE:This is mandatory for Identity Manager Advanced Edition with Role Based Provisioning Module installed and configured with SAML login method.

  3. Upgrade eDirectory 8.8.8 Patch 8 to eDirectory 9.0.1. For more information, see eDirectory 9.0 Service Pack 1 Release Notes.

  4. Upgrade iManager 2.7.7.x to iManager 3.0.1. For more information, see NetIQ iManager 3.0 Service Pack 1 Release Notes.

  5. Ensure you update the iManager plug-ins to 3.0.1.

7.2 Features of eDirectory 9.0.1 That Can be Enabled on the Identity Vault Server

Review the following table to understand which features of eDirectory 9.0.1 can be enabled with Identity Manager. None of these restrictions apply when eDirectory 9.0.1 is used as a connected system. For more information about the new features of eDirectory 9.0.1, see eDirectory 9.0 Release Notes and eDirectory 9.0.1 Release Notes.

| Feature | Can be enabled on eDirectory (Identity Vault) | Description |
|---|---|---|
| TLS 1.2 | Yes | Can enable all TCP communication using TLS 1.2 |
| Suite B Configuration: AES 256-bit SDI Key | Yes | No impact on Identity Manager |
| Suite B Configuration: LDAP and HTTP Services | No | The Identity Manager services continue to use the RSA certificate after upgrading to eDirectory 9.0.1. |
| Suite B Configuration: Enhanced Background Authentication | Yes | No impact on Identity Manager |
| Suite B Configuration: NPKI (NetIQ Certificate Server) | No | If Suite B is enabled on the CA (use of Elliptical Curve certificate), the NPKI service restricts the generation of RSA certificate. The Identity Manager modules that consume RSA certificate will not function as expected. |
| Container Readiness | Yes | No impact on Identity Manager |
| Enhanced Nested groups | Yes | Not supported by Identity Manager engine and drivers |
| Proxied Authorization Control | Yes | No impact on Identity Manager |
| Monitoring | Yes | No support extended for monitoring Identity Manager components |
| Enhanced Data Replication | Yes | No impact on Identity Manager |
| Improved Data Synchronization | Yes | No impact on Identity Manager |
| Optimized Janitor thread of Inherited ACL Calculation | Yes | No impact on Identity Manager |

7.3 Turning Off Suite B Settings on the Identity Vault Server

If NDSPKI or LDAP Services are enabled with Suite B, then Identity Manager 4.5.4 may not work as expected. Refer to the following table to revert these components to a non-Suite B mode.

| Module | When Suite B is Enabled | Recovery Option |
|---|---|---|
| NPKI (NetIQ Certificate Server) | If Suite B is enabled on the CA, the NPKI server restricts the generation of RSA certificate. The Identity Manager modules that consume RSA certificate will not function as expected. | Disable this mode. For more information, see the NetIQ eDirectory Administration Guide. |
| LDAP Services | The Identity Manager modules that use LDAP services will not be able to connect to eDirectory. | Disable Suite B or reconfigure these services to a non-Suite B mode. For more information, see the NetIQ eDirectory Administration Guide. |

8.0 Known Issues

NetIQ Corporation strives to ensure that our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

For the list of the known issues in Identity Manager 4.5, Identity Manager Standard Edition 4.5.1, Identity Manager 4.5.2 and Identity Manager 4.5.3, see the Release Notes for each version on the Identity Manager 4.5 Documentation page.

8.1 Identity Manager Fails to Start After Updating eDirectory 8.8.8 Patch 4 on Non-Root eDirectory 8.8.8

Issue: In a non-root installation of eDirectory 8.8.8 Patch 4, NetIQ ships an empty <eDirectory install path>/sbin/pre_ndsd_start script that does not allow the Identity Manager paths to be set. Therefore, Identity Manager fails to start.

This issue does not occur when you upgrade eDirectory 8.8.8 Patch 8 to eDirectory 9.0.1. (Bug 972926)

Workaround: To fix this issue, see TID 7016136.

8.2 Cannot Upgrade RHEL 6.x With GUI Mode to RHEL 7.1

Issue: If you try to upgrade your GUI-enabled RHEL 6.x to RHEL 7.1, the upgrade fails due to Red Hat limitations. The following links provide more information about this limitation: (Bug 951964)

  • https://access.redhat.com/solutions/799813

  • https://access.redhat.com/solutions/637583

Workaround: For a successful upgrade, perform the following actions:

  1. Uninstall the GUI from RHEL 6.x server.

  2. Upgrade the server.

  3. Apply the Identity Manager 4.5.4 patch.

  4. (Optional) To install the GUI on the upgraded server, follow the instructions provided in the RHEL documentation.

8.3 Connection Between Remote Loader 4.5.3 and Identity Manager 4.5.4 Engine Fails

Issue: You are not able to establish a connection between Remote Loader 4.5.3 and Identity Manager 4.5.4 engine. (Bug 972258)

NOTE:This issue is observed only when a native Identity Manager driver uses Remote Loader. An example of a native driver is the Identity Manager driver for Active Directory.

Workaround: Depending on the eDirectory version you are using, you can re-establish the connection in one of the following ways:

  • eDirectory 8.8.8.x: Do one of the following:

    • Modify the Remote Loader configuration in the driver properties and add secureprotocol=TLSv1 to it. For example, hostname=ipaddress port=8090 kmo="SSL CertificateDNS" secureprotocol=TLSv1.

    • Upgrade Remote Loader to 4.5.4 version.

  • eDirectory 9.0.1: Upgrade Remote Loader to 4.5.4 version.
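The workaround choices above, as an added example (not NetIQ code): a Python check that parses a Remote Loader connection string in the format shown and reports which of the listed options applies. The function names, severity labels and sample address are assumptions of this example, as is treating loaders older than 4.5.3 the same way as 4.5.3.

```python
import re

# One key=value pair; the value is either double-quoted (may hold spaces) or a bare token.
_PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_connection(text):
    """Parse 'hostname=... port=... kmo="..."' into a dict with lower-cased keys."""
    leftover = _PAIR.sub("", text).strip()
    if leftover or text.count('"') % 2:
        # Text that is not part of any pair, or an unbalanced quote.
        raise ValueError("malformed connection string near: %r" % (leftover or text))
    params = {}
    for key, raw, quoted in _PAIR.findall(text):
        params[key.lower()] = quoted if raw.startswith('"') else raw
    return params


def _version(text):
    """'4.5.3' -> (4, 5, 3) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit(conn_text, edir_version, loader_version, native_driver=True):
    """Return (severity, message) findings for the section 8.3 known issue."""
    params = parse_connection(conn_text)
    pinned = params.get("secureprotocol")
    if not native_driver:
        return []  # the note limits the issue to native drivers behind Remote Loader
    if _version(loader_version) >= (4, 5, 4):
        if pinned:
            return [("review", "secureprotocol=%s is set although Remote Loader is "
                     "already 4.5.4; confirm the pin is still wanted" % pinned)]
        return []
    # Remote Loader older than 4.5.4. The note names 4.5.3; treating earlier
    # loaders the same way is an assumption of this example.
    if _version(edir_version) >= (9, 0, 1):
        return [("fail", "eDirectory 9.0.1: upgrade Remote Loader to 4.5.4")]
    if pinned == "TLSv1":
        return [("ok", "secureprotocol=TLSv1 workaround present; the other listed "
                 "option is upgrading Remote Loader to 4.5.4")]
    return [("fail", "add secureprotocol=TLSv1 or upgrade Remote Loader to 4.5.4")]


# Constructed sample inputs: (connection string, eDirectory version, Remote Loader version).
# The address is a documentation placeholder.
SAMPLES = [
    ('hostname=192.0.2.10 port=8090 kmo="SSL CertificateDNS"', "8.8.8.8", "4.5.3"),
    ('hostname=192.0.2.10 port=8090 kmo="SSL CertificateDNS" secureprotocol=TLSv1',
     "8.8.8.8", "4.5.3"),
    ('hostname=192.0.2.10 port=8090 kmo="SSL CertificateDNS" secureprotocol=TLSv1',
     "9.0.1", "4.5.3"),
]

if __name__ == "__main__":
    for conn, edir, loader in SAMPLES:
        print(edir, loader, audit(conn, edir, loader))
```
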

8.4 Identity Manager Engine Fails to Upgrade if the Downloaded Folder Contains Special Characters

Issue: The upgrade fails if the downloaded folder contains special characters. (Bug 972641)

Workaround: There is no workaround at this time.

8.5 Upgrading .NET Remote Loader from Identity Manager 4.5.x to 4.5.x Randomly Fails on Windows 2012 R2 Servers

Issue: The Remote Loader upgrade randomly fails on a few Windows 2012 R2 servers while upgrading the Identity Manager 4.5.x .NET Remote Loader to the Identity Manager 4.5.x or later .NET Remote Loader. For example, upgrading .NET Remote Loader from Identity Manager 4.5.2 to 4.5.3 can fail randomly. (Bug 972139)

Workaround: To successfully upgrade the Remote Loader, perform the following actions:

  1. Stop the Remote Loader process running in Task Manager.

  2. (Conditional) If the Identity Manager engine and the .NET Remote Loader are installed on the same computer, stop eDirectory before starting the upgrade and start it after the upgrade.

8.6 Installer Does Not Set the Correct Response Type for Reporting

Issue: If Identity Applications and Identity Reporting are installed on separate computers, the identity applications installer sets the value for com.netiq.rpt.response-types as token instead of token,password during the installation. (Bug 970536)

Workaround: On the computer where the identity applications are installed, open the ism-configuration.properties file, set com.netiq.rpt.response-types = token,password, and restart Tomcat.

8.7 Workflows Report an Error When Using dateToString for Timestamp Control

Issue: Workflows created in the User Application that use the form script method dateToString for a timestamp do not function appropriately in Identity Manager Home. The dateToString form script in the API includes seconds, while the new Date/Time control in Identity Manager Home uses a different format. To ensure that the forms function properly with Identity Manager Home, replace dateToString with the new script: new Date ().toString ('M/d/yyyy h:mm tt'). (Bug 970543)

Workaround: To replace the control for a single date in the form, use the following code:

document.getElementById('%Field-Name').value = new Date().toString('M/d/yyyy h:mm tt');

However, you need to replace controls that represent two dates, for example, in a form that requires you to specify a start and end time for an entitlement request.

To specify startDate, use the following type of code:

document.getElementById('_startDate').value = new Date().toString('M/d/yyyy h:mm tt');

To specify an endDate that occurs three days after the start date, use the following code:

var s = new Date().getTime();
s = s + 3 * 1000 * 24 * 60 * 60; // add three days, in milliseconds
document.getElementById('_furDate').value = new Date(s).toString('M/d/yyyy h:mm tt');

In this example, the workflow responds with the following information:

startDate: 3/14/2016 12:03 PM

endDate: 3/17/2016 12:03 PM

NOTE:The following command works only with the English locale.

document.getElementById('_furDate').value = new Date(future).toString('M/d/yyyy h:mm tt');

NOTE:Workflows created in the User Application using the dateToString script are deprecated. NetIQ recommends that you use the new script: new Date ().toString ('%date-format'). For example: new Date ().toString ('M/d/yyyy h:mm tt').

8.8 Non-Root Installation of Identity Manager 4.5.3 Patch Detects a Root Installation of the Remote Loader

Issue: If your environment has Remote Loader 4.0.2 installed as a root-user and you attempt to install eDirectory 8.8.8 Patch 8 and Identity Manager 4.5 as a non-root user, the installation fails with the following error message: (Bug 975737)

IDMBaseVersion does not match the base version of the Patch. Cancelling the installation.

Workaround: Perform the following actions:

  1. Manually uninstall the RPM packages installed with the root permission from the Identity Manager 4.0.2 Remote Loader installation directory.

  2. Continue with the non-root Identity Manager 4.5.3 installation.

8.9 CN Containing a Comma in a Group Name Cannot be an Approver in the User Application

Issue: The User Application does not allow you to save a group name with a comma in the CN attribute as an approver in the Roles and Resources catalog or the SOD pages. (Bug 979731)

Workaround: There is no workaround at this time.

8.10 SSL Handshake Fails When Remote Loader Is Running On Windows 2012 Platform

Issue: When the Remote Loader is running on a Windows 2012 R2 64-bit server, the SSL handshake fails. (Bug 948013)

Workaround: To ensure that the SSL handshake does not fail, do the following actions:

  • Ensure that the specified KMO parameter is in lowercase.

  • If the SSL connection fails due to handshaketimeout when the Remote Loader establishes a connection with the Identity Manager engine, update the default handshaketimeout variable to 10000 and restart both the driver and the Remote Loader.

8.11 Older Version of iManager Password Management Plug-In Not Removed

Issue: Installing a new version of the Password Management plug-in replaces the currently installed version of the plug-in but does not uninstall it from the installation directory. The plug-in continues to display in the list of installed plug-ins. (Bug 983656)

Workaround: There is no workaround at this time.

8.12 eDirectory Crashes After Updating SAML Method From Earlier Versions to SAML 1.1.2 or Later

Issue: eDirectory crashes after updating the SAML method from 1.1.1 or earlier to SAML 1.1.2 (or later). This occurs because the NMAS server unloads the older method to load the new method.

Also, updating to the SAML 1.1.2 method using the iManager NMAS plug-in causes eDirectory to crash. (Bug 984380)

Workaround: A new configuration option is provided with the latest version of the nmasinst command line utility and the SAML method to load the new NMAS SAML 1.1.2 only after restarting the eDirectory server. An appropriate warning message appears after the SAML method is updated.

8.13 Issues With Editing Policies Using Internet Explorer 11 on Windows 2012R2

Issue: If you use Internet Explorer 11 on Windows 2012 R2 server with an Administrator account to edit a policy, the browser displays a pop-up window and an additional tab for editing the policy. When you save the modified policy, the browser prompts you to close the tab but does not automatically close the pop-up window. This issue occurs because the User Account Control (UAC) is automatically enabled on Windows Server 2012 R2 servers. This issue is reported only on iManager 2.7.7 and 3.0.1 plug-ins. (Bug 985790)

Workaround: Disable UAC. Follow the instructions from this page.

8.14 Warning Message is Printed on Top of the Policy Name in iManager

Issue: While editing a driver policy in iManager 2.7.7.7, iManager displays a warning message on top of the policy name indicating that the policy is part of the driver. (Bug 985809)

Workaround: There is no workaround at this time.

8.15 Images Created by the Driver Set Dashboard Plug-In Are Not Removed After Leaving the Plug-In

Issue: Identity Manager temporarily creates the graphic files used by the Identity Manager Overview and Driver Set Dashboard plug-ins in the <iManager Install Folder>/nps/images/temp directory. (Bug 1002940)

The files created by the Driver Set Dashboard plug-in are not cleaned when you leave the plug-in or when Tomcat is stopped.

Workaround: Manually remove the file from the directory.

8.16 Using OSP 6.0.0.3 Reports an Error in the Catalina.out File

Issue: The following error occurs when OSP 6.0.0.3 is used with Identity Manager 4.5.4:

Could Not Find or Load Main Class com.novell.naudit.lcache.LCache

Workaround: Log in as root and run the following commands at a command prompt:

  1. chown -R novlua:novlua /var/opt/novell/naudit

  2. find /var/opt/novell -type d -exec chmod og+rx '{}' \;

  3. /etc/init.d/idmapps_tomcat_init restart

  4. /opt/netiq/idm/apps/osp_sspr/conf/logevent.conf/etc/logevent.conf

  5. /etc/init.d/idmapps_tomcat_init restart

8.17 Role and Resource Service Driver Does Not Support Recalculation of Roles, Resources, and DirXML-EntitlementRef Attribute for a User

Issue: If you resynchronize a user in the Role and Resource Service driver, the driver checks the user attributes in the filter and synchronizes them, but it does not recalculate the roles and resources assigned to the user. (Bug 1093450)

Workaround: There is no workaround at this time.

8.18 catalina.out File Does Not Roll the Log on Windows

Issue: The catalina.out log file does not rotate the log on Windows. (Bug 979722)

Workaround: Perform the steps from TID 7017790.

9.0 Previous Releases

10.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.