NetIQ Identity Manager 4.5 Service Pack 5 Release Notes

November 2016

NetIQ Identity Manager 4.5 Service Pack 5 includes new features, improves usability, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Identity Manager Community Forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Identity Manager Documentation Web site page.

1.0 What’s New?

Identity Manager 4.5.5 provides the following key features, enhancements, and fixes in this release:

1.1 New Features

This release introduces the following features:

Support for Claiming a Task

When multiple users are assigned the same task, one of them can claim the task to notify the others that it has an owner. A task that is assigned to only one user can also be claimed to indicate ownership. This feature has been re-introduced in Identity Manager in this release.

A New Pop-Up Window in Designer for Migrating Linkages

Designer includes a new pop-up message that prompts you to migrate the linkages while importing a driver or a driver set. Migrating linkages reorders the policies in a policy set and generates the missing attribute, DirXML-pkgLinkages. Designer requires this attribute to correctly order the policies on future package upgrade or downgrade.

1.2 What’s Deprecated?

Support for web application servers such as JBoss Enterprise Application Platform (EAP) and WebSphere has been deprecated with Identity Manager 4.5 Service Pack 4. These web application servers will no longer be supported with the next major release of Identity Manager. NetIQ continues to support EAP and WebSphere with Identity Manager 4.5.x.

1.3 Component Updates

This service pack provides updates for the following components in Identity Manager:

  • Identity Manager engine

  • Identity applications

  • Designer for Identity Manager (Designer)

1.4 Support for Java 1.8 Update 112

This service pack updates the following components to support Java Development Kit 8 Update 112 (jdk8u112) or Java Runtime Environment 1.8 Update 112 (jre8u112).

  • Identity Manager engine

  • Identity applications, running on Apache Tomcat

  • Identity Reporting, running on Apache Tomcat

  • Designer

  • Analyzer (32-bit Java only)

This service pack updates the Java version for the Identity Manager engine. You need to manually update your current Java version for the identity applications, Identity Reporting, Designer, and Analyzer. For more information, see Section 3.5, Installing Java 1.8 Update 112 on the Identity Manager Servers.

NOTE: If you use JBoss Enterprise Application Platform (EAP) or WebSphere, do not upgrade to Java 1.8. For more information, see JBoss has Errors Running the Identity Applications with Java Development Kit 8 in the NetIQ Identity Manager 4.5 Service Pack 3 Release Notes.

1.5 Support for OSP 6.0.0.3 or Later

This service pack adds support for OSP 6.0.0.5. The minimum supported version for OSP is 6.0.0.3. For more information about updating to OSP 6.0.0.3 or later, see Section 3.9, Updating One SSO Provider.

1.6 Software Fixes

Identity Manager Engine and Driver Plug-ins

NetIQ Identity Manager includes software fixes that resolve several previous issues in the Identity Manager engine and plug-ins.

Policy in the NOVLLBACKENT Package Reported DTD Validation Error

With this service pack, the policies do not report any DTD validation errors. (Bug 942075)

Identity Manager 4.5.1 Patch Installer Does not Successfully Install on a Windows Server with Only 32-Bit Remote Loader

With this service pack, you can now successfully upgrade Identity Manager 4.5 SP1 on a server where only 32-bit Remote Loader 4.5 is installed or where Identity Manager 4.5 engine and 32-bit Remote Loader are installed. (Bug 947913)

Conflicting Jar File for the JMS Driver

This service pack resolves an issue where the JMS driver failed to start due to the presence of a conflicting Jar file. (Bug 963513)

Cannot Use 99 Option in the DirXML Command Line Utility When There are More Than 100 Drivers

If there are more than 99 menu items, use the 999 option to return to the main menu to avoid any conflict. (Bug 967595)

iManager Returns an Error When Password Status is Checked

This service pack resolves an issue where the iManager plug-in returned a -672 error while checking the password status for a user. (Bug 979080)

Unable to Read Driver Cache Occasionally

With this service pack, you can read the driver cache from the driver cache inspector. (Bug 1000086)

eDirectory Crashes When an Invalid Value is Used for a String Based Association

eDirectory no longer crashes when an invalid value is specified for a string based association. (Bug 1008083)

.Net Remote Loader Unable to Create a Service for Office365 Driver

With this service pack, the .Net Remote Loader is able to load the Office365 driver in service mode. (Bug 1009157)

Identity Applications

NetIQ Identity Manager includes software fixes that resolve several previous issues in the identity applications.

Issue with Making Requests when the Requester Has Configure and Delegate Rights

This service pack resolves an issue where a user with Configure Delegate and Configure Availability rights to all PRDs made a request in the User Application and the request appeared in the user's task list for approval. When the user clicked the task, an error message indicated lack of rights for the user. (Bug 974944)

Error Message Not Displayed When Opening the URL in the Provisioning Notification E-Mail for a Claimed Workflow

This service pack resolves an issue where no error message was displayed when a user clicked the URL provided in the provisioning notification e-mail for a claimed or processed workflow. (Bug 986591)

Tasks Not Displayed if the Logged In User Is a Part of More Than 2K Groups or Roles on MSSQL 2014

Tasks were not displayed for a logged in user who was part of more than 2100 groups or roles with MSSQL 2014. (Bug 970870)

This service pack resolves this issue. Now tasks are correctly displayed without any errors.

User Names with Extended Characters are Displayed Incorrectly

With this service pack, user names with extended characters are displayed correctly in lookup controls. (Bug 987970)

Portal Data Import Fails when portalregistry Table is Updated or Deleted

This service pack resolves an issue where the portal data was not successfully imported when the portalregistry table was updated or deleted. (Bug 975508)

Unable to Set Value with form.setValues on a Field with DNLookup Control Type

This service pack resolves an issue where DNLookup did not automatically populate in the workflow. (Bug 988218)

Unable to Set or Modify allowOverride Flag

This service pack resolves an issue where you were not able to set or modify the allowOverride flag using the modifyResource SOAP endpoint. (Bug 981130)

requestResourceGrant SOAP Endpoint Fails In Certain Conditions

This service pack resolves an issue where the requestResourceGrant SOAP endpoint failed when there was more than one request parameter and nrfAllowMulti was set to false. (Bug 987486)

Incorrect Result Displayed While Searching for a User in Request on Behalf of Others

This service pack resolves an issue where searching for a user incorrectly returned all the listed users. (Bug 1006530)

Unable to Search by CN in Request on Behalf of Others

This service pack resolves an issue where searching was restricted to FirstName and LastName. Now you can search by CN in addition to FirstName and LastName. (Bug 1002631)

DNQuery Control Does Not Adhere to LocalizedString Control

This service pack resolves an issue where the DNQuery control did not format the returned data with a specific locale based upon the UI Control for the attribute. (Bug 794204)

Incorrect URL in Provisioning Notification e-mails for Proxy Assigned Users

With this service pack, the correct URL is present in the proxy notification email. (Bug 985333)

Designer for Identity Manager

NetIQ Identity Manager includes software fixes that resolve several previous issues in Designer.

Format Mismatch for E-Mail Server During Import Hangs Designer

This service pack resolves an issue where Designer hung because of the incorrect format of the E-Mail server object while importing it into Designer. (Bug 991815)

Package Manager Does Not Update Entity Attributes with Package Changes

This service pack resolves an issue where Package Manager did not update the entity attributes with package changes. (Bug 972103)

Designer Does Not Synchronize DAL Attributes to a Package after Package Upgrade

This service pack resolves an issue where Designer did not add or synchronize the DAL attributes to a package after upgrading the package. (Bug 972113)

Designer Project Cannot Reference GCVs

This service pack resolves an issue where a Designer project was unable to reference GCVs (Global Configuration Values). (Bug 987676)

Issue in Deploying a Driver

This service pack resolves an issue where Designer reported an error when a driver was deployed to the Identity Vault. (Bug 991883)

Duplicate GCV Entries after Upgrade

This service pack resolves an issue where Designer duplicated a few GCV entries after Designer was upgraded. (Bug 1007013)

NOTE: If you upgraded the packages in Identity Manager 4.5.4 or earlier, some packages might contain duplicate GCVs. To delete the duplicate GCVs, perform the following steps:

  1. Take a backup of the driver to save your customization.

  2. Edit the driver configuration to remove the duplicate GCV entries.

    1. Go to Driver Properties > Driver Configuration > Driver parameters and click Edit XML.

    2. Search for <template> ... </template> elements in the XML file and delete the duplicate entries under <value> ... </value> elements.

      You must remove the entries carefully so that no other values are modified.

  3. Save the XML file.

Schema Mapping Policies Order Is Changed after Updating to a New Package

This service pack resolves an issue where updating to a new package resulted in changing the order of the schema mapping policies. (Bug 1007211)

Designer Ignores the Change in Reconcile Direction Arrow

This service pack resolves an issue where Designer incorrectly published a change in the Identity Vault because it ignored the reconcile direction arrow while comparing the objects. (Bug 990477)

Unable to Add Trustee Rights to a Workflow

This service pack resolves an issue where a user was not able to add trustee rights to a workflow. (Bug 991274)

Package Upgrade Returns Incorrect GCVs to Package Setting

This service pack resolves an issue where GCVs were not maintained correctly after upgrading a driver with only one package. (Bug 990327)

Searching for an Attribute with Full Name Entity Returns an Exception

This service pack resolves an issue where Designer returned a null pointer exception when you searched for an attribute with Full Name. (Bug 972113)

2.0 System Requirements

This service pack requires the following product versions:

Requirement

Description

NetIQ Identity Manager 4.5 or later

This includes the Identity Manager engine, Identity Applications, Identity Reporting, and Designer 4.5.2 at a minimum.

NetIQ eDirectory 8.8.8 Patch 8 at a minimum or eDirectory 9.0.1 at a minimum

You can install eDirectory 8.8.8.x or 9.0.1 or later as an Identity Vault and as a connected system.

NOTE:

  • You can only upgrade Identity Manager 4.5.5 with eDirectory 8.8.8 Patch 8 or later to eDirectory 9.0.1 or later.

  • Support for eDirectory 9.0.1 was introduced in the Identity Manager 4.5 Service Pack 4 release.

  • eDirectory 9.0 is not supported with Identity Manager.

NetIQ iManager 2.7.7 Patch 8 or iManager 3.0.1

You must install iManager 3.x to support the new features of eDirectory 9.0.1 or later. If you are not upgrading your Identity Vault to eDirectory 9.0.1 or later, use iManager 2.7.7.x. Ensure you update your existing plug-ins to the latest versions for the iManager version you are using.

IMPORTANT: If you are planning to upgrade eDirectory 8.8.x to 9.0.1 or later, ensure that iManager is upgraded to 3.x.

NetIQ recommends that you clear the browser cache soon after upgrading the Identity Manager plug-ins.

NetIQ Self Service Password Reset 3.3.1.2, at a minimum

 

NetIQ One SSO Provider 6.0.0.3, at a minimum

 

For more information about the software requirements, see “Selecting an Operating System Platform for Identity Manager” in the NetIQ Identity Manager Setup Guide.

3.0 Upgrading to this Service Pack

You can upgrade to this service pack from Identity Manager 4.5, 4.5.1, 4.5.2, 4.5.3, 4.5.4 or 4.5.4 HF1. Install the components in the following order, depending on your current version:

  1. Identity Manager Engine

  2. Remote Loader

  3. Designer

    NOTE: You can directly upgrade to Designer 4.5.5 from Designer 4.5.2, 4.5.3, and 4.5.4. To upgrade Designer 4.5 to Designer 4.5.5, first upgrade to Designer 4.5.2 and then to Designer 4.5.5.

    Designer 4.5.2 is a complete software build while Designer 4.5.5 features are available at the Designer Auto-Update Site. For more information about updating Designer, see the following links:

  4. Configuration Update Utility 4.5.0.3

  5. One SSO Provider

  6. Role and Resource Service Driver 4.5.0.2

  7. Identity Applications (for Advanced Edition)

  8. Identity Reporting

  9. Self Service Password Reset

Before beginning the installation, review the following consideration to help you plan the installation:

  • The Identity Manager 4.5 Engine Service Pack 5 updates the Java version to 1.8.0_112 for the Identity Manager engine. You need to manually update your current Java version for the Identity Applications, Identity Reporting, Designer, and Analyzer. For more information, see Section 3.5, Installing Java 1.8 Update 112 on the Identity Manager Servers.

    • For Identity Manager Advanced Edition, update Java 1.8 Update 112 before installing the Identity Applications.

    • For Identity Manager Standard Edition, update Java 1.8 Update 112 before installing the Identity Reporting.

3.1 Upgrading to Identity Manager 4.5.5 with eDirectory 8.8.8 Patch 8 or Later

You can upgrade Identity Manager 4.5, 4.5.1, 4.5.2, 4.5.3, 4.5.4, or 4.5.4 HF1 to Identity Manager 4.5.5 with a minimum version of eDirectory 8.8.8 Patch 8.

The Identity Manager 4.5.5 installation files are included in the IDM_engine_rl_IDM4.5.5.zip file. The zipped file contains the following folders:

  • Identity Manager 4.5.5 Engine and Remote Loader (cd-image)

  • Compatibility installer for installing Identity Manager 4.5 on eDirectory 9.0.2 (idm45_eDir90_compat)

  • SAML 1.1.2 (SAML)

To upgrade to Identity Manager 4.5.5, perform the following actions:

  1. Install the Identity Manager 4.5.5 engine service pack on the Identity Manager engine server by performing the steps listed in the readme file from the download page.

  2. Select the type of Remote Loader you want to update, then click OK.

  3. Click OK when the pop-up message appears.

    This message indicates that Identity Manager is not Suite B compliant.

  4. Click Done after the installation is complete.

IMPORTANT: NetIQ allows you to install Identity Manager 4.5.0 with eDirectory 9.0.1 or later using a special compatibility installer. For instructions to upgrade to Identity Manager 4.5.5, see Section 6.0, Installing Identity Manager 4.5.5 on eDirectory 9.0.1 or Later.

3.2 Updating the Identity Applications

This service pack includes an update to the identity applications that run on Tomcat, WebSphere, and JBoss application servers. Download the IDM45-Apps-SP-5.zip file to the server where you deployed the identity applications and perform the steps listed in the readme files.

Updating the Keystore Path in the Configuration Update Utility

To update the path of the keystore in the Configuration Update utility, perform the steps listed in the readme file from the download page.

Updating SAML 1.1.2

This service pack includes support for SAML 1.1.2. The installation files are included in the IDM_engine_rl_IDM4.5.5.zip file. For information about using SAML 1.1.2 with the identity applications, perform the steps listed in the readme file from the download page.

3.3 Updating the Identity Manager Engine

This service pack includes an IDM_engine_rl_IDM4.5SP5.zip file for updating the Identity Manager engine. Install this package on the Identity Manager engine server. For more information, see “Hotfixing the Identity Manager Engine and Remote Loader” in the NetIQ Identity Manager Setup Guide.

NOTE: The Identity Manager engine upgrade process displays a warning that Identity Manager is not compatible with Suite B. However, some of the Suite B modes can be enabled. For a list of supported Suite B modes, please refer to table.

3.4 Updating Designer

This service pack provides an update to Designer. Download the Designer 4.5.5 updates from the Designer Download Site.

NOTE: To upgrade Designer 4.5 to Designer 4.5.5, first upgrade to Designer 4.5.2 and then upgrade Designer 4.5.2 to Designer 4.5.5.

Designer provides a built-in auto-update feature that notifies you of new features available at the Designer Download Site. This feature allows you to download Designer package and patch updates when the computer that has Designer installed is connected to the Internet.

You can also perform an offline update of Designer when the computer that has Designer installed is not connected to the Internet. To perform an offline update, first download the required content from the Designer and Package Update Web sites on a local or remote computer and then point Designer to the directory containing the downloaded files.

Updating Designer in an Offline Mode

To update Designer in an offline mode, create an offline copy of the Designer update files and then configure Designer to read the patch updates from the files copied to the local directory.

To create an offline copy of the Designer update files:

  1. Log in to the computer that has Designer installed and create a local directory.

  2. Download the latest patch zip file for Designer version from the specified location and unzip the files into the local directory.

To configure Designer to read the patch updates from the local directory:

  1. Launch Designer.

  2. From Designer’s main menu, click Window > Preferences.

  3. Click NetIQ > Identity Manager and select Updates.

  4. Select Do not check for updates and deselect all the other check boxes.

  5. For URL, specify file:///<path_to_files>/updatesite4_5_5

    For a Linux mounted ISO, use the following URL format:

    file:///media/designer450offline/updatesite4_5_5

  6. Click Apply, then click OK.

  7. From Designer’s main menu, click Help > Check for Designer Updates.

  8. Select the required updates and click Yes to accept and update the Designer patch updates.

    You need to launch Designer again for the changes to take effect.

Updating the Designer Packages Offline

To update Designer packages in an offline mode, make the package update files available in a local directory on your computer and then configure Designer to read the files from this directory.

To create an offline copy of the package update files:

  1. Log in to the computer that has Designer installed and create a local directory.

  2. Copy the package update files to the directory created in Step 1:

    • Linux: In a shell, change to the directory and run the following commands:

      wget -e robots=off -r -nH -np https://nu.novell.com/designer/packages/idm/updatesite1_0_0/

      wget -e robots=off -r -nH -np https://nu.novell.com/designer/packages/idm/updatesite2_0_0/

    • Windows:

      1. Launch the package update site by using one of the following URLs:

        • https://nu.novell.com/designer/packages/idm/updatesite1_0_0/

        • https://nu.novell.com/designer/packages/idm/updatesite2_0_0/

      2. Select and download the required files.

To configure Designer to read the files from the local directory:

  1. Launch Designer.

  2. From Designer’s main menu, click Window > Preferences.

  3. Click NetIQ > Package Manager > Online Updates.

  4. To add a new URL, click the plus icon.

  5. Provide information for the following fields:

    1. Vendor: Specifies the vendor name for package update.

    2. URL: Specifies the URL as file:///<path_to_files>/updatesite1_0_0/.

      For Linux mounted ISO, use the following URL format:

      file:///media/designer455offline/updatesite1_0_0/

      For Windows, use the following URL format:

      file:///c:\designer455offline\updatesite1_0_0\.

      NOTE: If you have multiple package sites, repeat Step 5 and add multiple sites and URLs.

  6. Click OK.

  7. In the Preferences window, select the required check boxes for the sites.

    NOTE: The new sites are selected by default.

  8. Click Apply, then click OK.

  9. From Designer’s main menu, click Help > Check for Package Updates.

  10. Select the required updates and click Yes to accept and update the Designer package updates.

    You need to launch Designer again for the changes to take effect.

3.5 Installing Java 1.8 Update 112 on the Identity Manager Servers

This service pack certifies Java 1.8.0_112 (JDK 8u112 or JRE 8u112) for use with Identity Applications on Apache Tomcat. Later versions of Java 1.8 are also supported.

To install Java 1.8 Update 112 on the identity applications, perform the steps listed in the readme files from the download page.

NOTE: You can download Java 1.8 Update 112 directly from the Oracle Site.

3.6 Updating Java 1.8 Update 112 for Designer

This service pack updates Designer to support Java 1.8 Update 112.

  1. On the server where you installed Designer, download and install the Java 8 Update 112 files in a local directory.

  2. Open the Designer.ini file located in the Designer installation directory.

  3. Update the Java path in the Designer.ini file.

3.7 Updating Java 1.8 Update 112 for Analyzer

This service pack updates Analyzer to support Java 1.8 (32-bit).

  1. On the server where you installed Analyzer, create a directory for Java 1.8.

    For example, opt/netiq/jdk1.8.0_112.

  2. Download and install the Java 1.8 files in this directory.

  3. Open the Analyzer.ini file located in the Analyzer installation directory.

  4. Update the Java path in the Analyzer.ini file.

  5. Replace the existing (jre) folder with the Java 1.8 folder in the installation directory.

3.8 Updating Self Service Password Reset

This service pack requires NetIQ Self Service Password Reset 3.3.1.2, at a minimum. To install these updates, download the following package and perform the steps listed in the readme files:

3.9 Updating One SSO Provider

NetIQ recommends that you install the latest version of NetIQ One SSO Provider (OSP) to work with this service pack. To upgrade to OSP 6.0.0.5, perform the steps listed in the readme file from the download page.

3.10 Enabling TLS/SSL Connections for User Application

To enable SSL connections, perform the steps listed in the readme file from the download page.

4.0 Installing Identity Manager 4.5.5 on SLES 12 Service Pack 1 Platform

You can install Identity Manager 4.5.5 on a server running SUSE Linux Enterprise Server 12 SP1 at a minimum. The following table guides you through the installation process. First you install the Identity Manager 4.5 components in the given sequence using the individual component installation programs and then apply Identity Manager 4.5 Service Pack 5 as appropriate. For more information, see Section 3.0, Upgrading to this Service Pack.

Before starting the installation, NetIQ recommends that you go through the following table to help you plan the installation process for Identity Manager.

IMPORTANT: Identity Manager does not support this installation using the integrated installation program.

Order of Installation

Installation Instructions

EAS

Install EAS and Identity Manager engine on separate servers. Install the following dependent libraries before starting the EAS installation:

For more information about installing EAS, see Installing EAS in the Identity Manager Setup Guide.

eDirectory

Install eDirectory 8.8 SP8 Patch 8, at a minimum

NOTE: Identity Manager ships eDirectory 8.8 SP8 Patch 3 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on SLES 12.x, ensure that your eDirectory is running 8.8 SP8 Patch 8 at a minimum.

Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at eDirectory 8.8 SP8 documentation site.

Identity Manager Engine and Remote Loader

Install the Identity Manager engine as instructed in “Installing the Identity Manager Engine, Drivers, and Plug-ins” in the Identity Manager Setup Guide. Install the following dependent library before starting the installation:

iManager

Install iManager 2.7 SP7 Patch 7, at a minimum

  1. Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at iManager 2.7.7 documentation site.

  2. Ensure that you install the following dependent library before starting the installation:

For detailed installation instructions, see Installing iManager in the Identity Manager Setup Guide.

Designer

  1. Download and extract XULRunner-24 (64-bit) from the Mozilla FTP site.

  2. Open the Designer.ini file from the designer installation directory.

  3. Add the following lines at the end of the Designer.ini file:

    -Dorg.eclipse.swt.browser.XULRunnerPath=<path where XULRunner is extracted>

    -Dorg.eclipse.swt.internal.gtk.disablePrinting

  4. Save the Designer.ini file and restart Designer.

Analyzer

  1. Install the following RPMs from the SLES 12 installation media:

    • gtk2-tools (32-bit)

    • libXtst6 (32-bit)

    • libgthread-2_0-0 (32-bit)

    • libXt6 (32-bit)

  2. Download and extract XULRunner-1.9.2 (32-bit) from the Mozilla FTP site.

  3. Open the Analyzer.ini file from the analyzer installation directory.

  4. Add the following line at the end of the Analyzer.ini file:

    -Dorg.eclipse.swt.browser.XULRunnerPath=<path where XULRunner is extracted>

  5. Save the Analyzer.ini file and restart Analyzer.

Self Service Password Reset

For more information about installing Self Service Password Reset, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

One SSO Provider

For more information about installing One SSO Provider, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

Identity Applications

For more information about installing Identity Applications, see Installing the Identity Applications in the Identity Manager Setup Guide.

Identity Reporting

For more information about installing Identity Reporting, see Installing the Identity Reporting Components in the Identity Manager Setup Guide.
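
The Designer.ini and Analyzer.ini edits from the table above, scripted so they can be re-run without stacking duplicate lines. This is an added example, not NetIQ tooling; it assumes the files follow the Eclipse launcher layout (JVM options take effect only after a -vmargs line), and the function names and the .orig backup suffix are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): idempotent edits to Designer.ini / Analyzer.ini.
# Assumption: the .ini uses the Eclipse launcher layout, where -D options are
# passed to the JVM only when they appear after a "-vmargs" line.

# add_jvm_option INI OPTION
# Ensures OPTION is the last line of INI exactly once. Any earlier line that
# sets the same property (same text before "=") is dropped, so re-running with
# a new path replaces the old value instead of leaving two conflicting lines.
add_jvm_option() {
    ajo_ini=$1
    ajo_opt=$2
    if [ ! -f "$ajo_ini" ] || [ ! -w "$ajo_ini" ]; then
        echo "error: $ajo_ini is missing or not writable" >&2
        return 1
    fi
    case $ajo_opt in
        -D?*) ;;
        *) echo "error: not a -D option: $ajo_opt" >&2; return 1 ;;
    esac
    if ! grep -qxF -- "-vmargs" "$ajo_ini"; then
        echo "warning: no -vmargs line in $ajo_ini; the option may be ignored" >&2
    fi
    # Keep one pristine copy of the file; never overwrite it on later runs.
    [ -e "$ajo_ini.orig" ] || cp -p "$ajo_ini" "$ajo_ini.orig" || return 1
    ajo_tmp=$(mktemp "$ajo_ini.XXXXXX") || return 1
    # Values are passed through the environment so awk does not interpret
    # backslashes or other special characters in the path.
    if KEY=${ajo_opt%%=*} OPT=$ajo_opt awk '
        $0 == ENVIRON["KEY"] || index($0, ENVIRON["KEY"] "=") == 1 { next }
        { print }
        END { print ENVIRON["OPT"] }
    ' "$ajo_ini" > "$ajo_tmp"; then
        cat "$ajo_tmp" > "$ajo_ini"   # rewrite in place: keeps owner and mode
        rm -f "$ajo_tmp"
    else
        rm -f "$ajo_tmp"
        return 1
    fi
}

# configure_xulrunner INI XULRUNNER_DIR [designer|analyzer]
# Applies the lines listed in the table: the XULRunner path for both tools,
# plus the disablePrinting switch that the page lists for Designer only.
configure_xulrunner() {
    cx_ini=$1
    cx_dir=$2
    cx_app=${3:-designer}
    # Refuse a path that does not exist rather than write a dead setting.
    if [ ! -d "$cx_dir" ]; then
        echo "error: XULRunner directory not found: $cx_dir" >&2
        return 1
    fi
    add_jvm_option "$cx_ini" \
        "-Dorg.eclipse.swt.browser.XULRunnerPath=$cx_dir" || return 1
    if [ "$cx_app" = designer ]; then
        add_jvm_option "$cx_ini" \
            "-Dorg.eclipse.swt.internal.gtk.disablePrinting" || return 1
    fi
}

# Usage (paths are placeholders):
#   configure_xulrunner /path/to/Designer.ini /path/to/xulrunner
#   configure_xulrunner /path/to/Analyzer.ini /path/to/xulrunner analyzer
```

Restart Designer or Analyzer after the edit, as the table's final step states.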

5.0 Installing Identity Manager 4.5.5 on RHEL 7.2 Platform

You can install Identity Manager 4.5.5 on a server running Red Hat Enterprise Linux 7.2 platform. The following table guides you through the installation process. First you install the Identity Manager 4.5 components in the given sequence using the individual component installation programs and then apply Identity Manager 4.5 Service Pack 5 as appropriate. For more information, see Section 3.0, Upgrading to this Service Pack.

Before starting the installation, NetIQ recommends that you go through the following table to help you plan the installation process for Identity Manager.

IMPORTANT: Identity Manager does not support this installation using the integrated installation program.

Installation Order

Description

EAS

Install EAS and Identity Manager engine on separate servers. Install the following dependent libraries before starting the EAS installation:

For more information about installing EAS, see Installing EAS in the Identity Manager Setup Guide.

eDirectory

Install eDirectory 8.8 SP8 Patch 8 and above.

NOTE: Identity Manager ships eDirectory 8.8 SP8 Patch 3 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on RHEL 7.2, ensure that your eDirectory is running 8.8 SP8 Patch 8 at a minimum.

Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at eDirectory 8.8 SP8 documentation site.

Identity Manager Engine and Remote Loader

Install the Identity Manager engine as instructed in “Installing the Identity Manager Engine, Drivers, and Plug-ins” in the Identity Manager Setup Guide. Install the following dependent library before starting the installation:

iManager

Install iManager 2.7 SP7 Patch 7, at a minimum

NOTE: Identity Manager ships iManager 2.7.7 Patch 2 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on RHEL 7.2, ensure that your iManager is running SP7 Patch 7 at a minimum.

  1. Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at iManager 2.7.7 documentation site.

  2. Ensure that you install the following dependent library before starting the installation:

For detailed installation instructions, see Installing iManager in the Identity Manager Setup Guide.

Self Service Password Reset

For more information about installing Self Service Password Reset, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

One SSO Provider

For more information about installing One SSO Provider, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide.

Identity Applications

For more information about installing Identity Applications, see Installing the Identity Applications in the Identity Manager Setup Guide.

Identity Reporting

For more information about installing Identity Reporting, see Installing the Identity Reporting Components in the Identity Manager Setup Guide.

6.0 Installing Identity Manager 4.5.5 on eDirectory 9.0.1 or Later

NetIQ supports installing Identity Manager 4.5 on eDirectory 9.0.1 or later. You perform this installation in two steps. First you install the Identity Manager 4.5 engine on eDirectory 9.0.1 or later by using the compatibility installer located in the idm45_eDir90_compat folder. You must follow this installation by immediately updating the engine with the Identity Manager 4.5.5 Engine Service Pack. This service pack contains the required software to enable the Identity Manager engine to function with eDirectory 9.0.1 or later and it is a mandatory step.

NOTE: Identity Manager 4.5.5 is not completely Suite B compliant. For a list of supported Suite B modes, refer to Section 7.2, Features of eDirectory 9.0.1 or Later That Can be Enabled on the Identity Vault Server.

Installation Procedure

  1. Install Identity Manager 4.5.

    On eDirectory 9.0.1 or later server, perform the following actions:

    1. Download the Identity Manager 4.5 ISO.

    2. Extract the ISO contents to a folder.

    3. From the directory that contains the installation files, complete one of the following actions:

      • Linux: Replace the <ISO Extracted folder>/products/IDM/linux/setup/idm_linux.bin file with idm45_eDir90_compat/release/idm_linux.bin.

      • Windows: Replace the <ISO Extracted folder>\products\IDM\windows\setup\idm_install.exe file with idm45_eDir90_compat\release\idm_install.exe.

    4. Navigate to the extracted folder and complete one of the following actions:

      • Linux: Browse to the <ISO Extract folder>/products/IDM folder and run the install.bin file.

      • Windows: Browse to the <ISO Extract folder>\products\IDM\windows\setup folder and run the install.exe file.

      NOTE:

      • Identity Manager does not support this installation using the integrated installation program.

      • SAML method 1.1.2 is added by default using the compatibility installer (idm45_eDir90_compat).

  2. Apply the Identity Manager 4.5.5 or later engine service pack from the download page.

    NOTE:

    • This step is mandatory because Identity Manager 4.5 versions prior to version 4.5.4 are not compatible with eDirectory 9.0.1 or later.

    • While you install the Identity Manager 4.5 engine by using the compatibility installer, the following message is displayed:

      sh: /var/opt/novell/nici/nicimud: No such file or directory

      It is safe to ignore this message.

  3. (Conditional) Update other Identity Manager components to the latest versions.

    For more information, see the NetIQ Identity Manager Setup Guide.

7.0 Working with eDirectory 9.0.1 or Later

In addition to eDirectory 8.8.8, Identity Manager supports installing eDirectory 9.0.1 or later as an Identity Vault and as a connected system. Before using eDirectory 9.0.1 or later with Identity Manager, NetIQ recommends that you review the following sections:

7.1 Upgrading Identity Vault from eDirectory 8.8.8 to eDirectory 9.0.1 or Later

You can upgrade Identity Vault from eDirectory 8.8.8 to eDirectory 9.0.1 or later only on Identity Manager 4.5.4 with eDirectory 8.8.8 Patch 8. If your current Identity Manager version is 4.0.2, you must first upgrade to Identity Manager 4.5 and then apply the Identity Manager 4.5.5 patch with eDirectory 8.8.8 Patch 8 or later.

Perform the following actions to upgrade Identity Vault from eDirectory 8.8.8 to eDirectory 9.0.1 or later:

  1. Ensure that your current eDirectory version on Identity Manager Server is eDirectory 8.8.8 Patch 8 or later.

  2. Update SAML methods to version 1.1.2 by performing the steps listed in the readme file from the download page, and then restart eDirectory.

    IMPORTANT: The iManager NMAS plug-in should not be used to update to SAML 1.1.2. For more information, see Section 8.1, eDirectory Crashes after Updating the SAML Method from Earlier Versions to SAML 1.1.2 or Later.

    NOTE: This is mandatory for Identity Manager Advanced Edition with Role Based Provisioning Module installed and configured with SAML login method.

  3. Upgrade eDirectory 8.8.8 Patch 8 to eDirectory 9.0.1 or later. For more information, see the eDirectory 9.0 Service Pack 1 Release Notes.

  4. Upgrade iManager 2.7.7.x to iManager 3.0.2. For more information, see NetIQ iManager 3.0 Service Pack 1 Release Notes.

  5. Ensure you update the iManager plug-ins to 3.0.2.

7.2 Features of eDirectory 9.0.1 or Later That Can be Enabled on the Identity Vault Server

Review the following table to understand which features of eDirectory 9.0.1 or later can be enabled with Identity Manager. None of these restrictions apply when eDirectory 9.0.1 or later is used as a connected system. For more information about the new features of eDirectory 9.0.1, see eDirectory 9.0 Release Notes and eDirectory 9.0.1 Release Notes.

| Feature | Can be enabled on eDirectory (Identity Vault) | Description |
|---|---|---|
| TLS 1.2 | Yes | Can enable all TCP communication using TLS 1.2 |
| Suite B Configuration: AES 256-bit SDI Key | Yes | No impact on Identity Manager |
| Suite B Configuration: LDAP and HTTP Services | No | The Identity Manager services continue to use the RSA certificate after upgrading to eDirectory 9.0.1. |
| Suite B Configuration: Authentication | Yes | No impact on Identity Manager |
| Suite B Configuration: NPKI (NetIQ Certificate Server) | No | If Suite B is enabled on the CA (use of Elliptic Curve certificates), the NPKI service restricts the generation of RSA certificates. The Identity Manager modules that consume RSA certificates will not function as expected. |
| Container Readiness | Yes | No impact on Identity Manager |
| Enhanced Nested groups | Yes | Not supported by Identity Manager engine and drivers |
| Proxied Authorization Control | Yes | No impact on Identity Manager |
| Monitoring | Yes | No support extended for monitoring Identity Manager components |
| Enhanced Data Replication | Yes | No impact on Identity Manager |
| Improved Data Synchronization | Yes | No impact on Identity Manager |
| Optimized Janitor thread of Inherited ACL Calculation | Yes | No impact on Identity Manager |

7.3 Turning Off Suite B Settings on the Identity Vault Server

If NDSPKI or LDAP Services are enabled with Suite B, then Identity Manager 4.5.5 may not work as expected. Refer to the following table to revert these components to a non-Suite B mode.

| Module | When Suite B is Enabled | Recovery Option |
|---|---|---|
| NPKI (NetIQ Certificate Server) | If Suite B is enabled on the CA, the NPKI server restricts the generation of RSA certificate. The Identity Manager modules that consume RSA certificate will not function as expected. | Disable this mode. For more information, see the NetIQ eDirectory Administration Guide. |
| LDAP Services | The Identity Manager modules that use LDAP services will not be able to connect to eDirectory. | Disable Suite B or reconfigure these services to a non-Suite B mode. For more information, see the NetIQ eDirectory Administration Guide. |

8.0 Known Issues

NetIQ Corporation strives to ensure that our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

For the list of the known issues in Identity Manager 4.5, Identity Manager Standard Edition 4.5.1, Identity Manager 4.5.2, Identity Manager 4.5.3, and Identity Manager 4.5.4 see the Release Notes for each version on the Identity Manager 4.5 Documentation page.

8.1 eDirectory Crashes after Updating the SAML Method from Earlier Versions to SAML 1.1.2 or Later

Issue: eDirectory crashes after updating the SAML method from 1.1.1 or earlier to SAML 1.1.2 (or later). This occurs due to the unloading of the older method by the NMAS server to load the new method.

Also, updating to the SAML 1.1.2 method by using the iManager NMAS plug-in causes eDirectory to crash. (Bug 984380)

Workaround: The new NMAS SAML 1.1.2 only takes effect after restarting the eDirectory server.

8.2 Connection between the Remote Loader and the Engine Fails Initially and Succeeds Later

Issue: When a driver is started, the engine trace immediately displays a retry message. This occurs because the connection between the Remote Loader and the engine is not established until the remote interface shim receives the driver identification query from the engine. This causes the remote interface shim to return a retry status. (Bug 923270)

Workaround: This behavior is by design.

8.3 Unable to Edit RBEs after Upgrading to eDirectory 8.8 SP8 from iManager Workstation

Issue: When a user tries to edit an RBE by using the iManager 2.7.7 Patch4 workstation, the following error is displayed on the Identity Manager Administration page: (Bug 947282)

Unable to obtain an LDAP context. Possible causes: the LDAP server is not running, or the LDAP server if for a tree other than the one iManager was originally set up to, and SSL has not been setup between the iManager server and the LDAP server. Either start the LDAP server, or set up SSL by importing a trusted certificate.

Workaround:

  1. Add an explicit IP address to the servers used in the LDAP interfaces.

  2. Restart the LDAP server and Tomcat.

8.4 Search by Description Does Not Work for a Role or a Resource

Issue: The roles or resources are not displayed if you search for them by using their descriptions. (Bug 973376)

Workaround: There is no workaround at this time. Search by the name of a role or a resource.

8.5 Simulator Prints an Empty Trace after Upgrading to Designer 4.5.4

Issue: After upgrading to Designer 4.5.4, the Simulate function no longer produces any output on the Trace tab. The Output and Compare tabs look normal, but Trace is blank. (Bug 987449)

Workaround: There is no workaround at this time.

8.6 The Category ID Cannot be Modified in ManageTeamTilesCreate.jar

Issue: ManageTeamTilesCreate.jar is hard-coded to use a specific category ID. (Bug 990368)

Workaround: There is no workaround at this time.

8.7 Issue with Non-root Patch Installation of Identity Manager 4.5.3

Issue: The non-root patch installer is unable to install Identity Manager due to the presence of Remote Loader as a root user. (Bug 972698)

Workaround:

  1. Remove the Remote Loader as a root user.

  2. Perform a non-root installation of Identity Manager 4.5.3.

8.8 Installing G Suite Password Sync 1.5.22.0 Renders Active Directory Passwords Blank

Issue: The Active Directory password filter retrieves blank passwords if G Suite Password Sync 1.5.22.0 (also known as Google Application Password Sync) is installed. (Bug 1000333)

Workaround: To enable the password filter to capture non-blank passwords, perform the following actions:

  1. Uninstall this version of G Suite Password Sync.

  2. Reboot the domain controller.

8.9 Identity Manager Engine Fails to Load if nds.conf is in Custom Path

Issue: When Identity Manager 4.5 SP4 is installed on eDirectory 9.0.1 with nds.conf in the /etc/opt/novell/eDirectory/conf/ location, the env_idm file is not created in the dirxml-patch-ndsd script and the drivers fail to start. (Bug 1002941)

NOTE: This is applicable only in SLES12 and RHEL7.

Workaround: Create the env_idm file in the /etc/opt/novell/eDirectory/conf/ location with the following contents:

:/etc/opt/novell/eDirectory/conf # cat env_idm 
LD_LIBRARY_PATH=//opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH:/opt/novell/eDirectory/lib64/apr:/opt/novell/eDirectory/lib64:/opt/novell/lib64:/opt/novell/eDirectory/lib64/nds-modules:$LD_LIBRARY_PATH
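The workaround above can be scripted so that it is safe to run more than once. The following is an added example, not NetIQ code: the function name ensure_env_idm and the 0644 file mode are assumptions, and the LD_LIBRARY_PATH line is copied unchanged from the listing above.

```shell
#!/bin/sh
# Added example (not NetIQ code): create env_idm beside nds.conf when missing.
# ensure_env_idm is a hypothetical helper name.

# Emit the LD_LIBRARY_PATH line exactly as shown in the release note.
env_idm_content() {
    # The quoted 'EOF' stops the shell from expanding $LD_LIBRARY_PATH,
    # so the file keeps the literal text shown by "cat env_idm".
    cat <<'EOF'
LD_LIBRARY_PATH=//opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH:/opt/novell/eDirectory/lib64/apr:/opt/novell/eDirectory/lib64:/opt/novell/lib64:/opt/novell/eDirectory/lib64/nds-modules:$LD_LIBRARY_PATH
EOF
}

# Usage: ensure_env_idm [conf_dir]
# Returns 0 if env_idm exists afterwards, 1 if nds.conf is not in conf_dir,
# 2 if the file could not be written.
ensure_env_idm() {
    conf_dir=${1:-/etc/opt/novell/eDirectory/conf}
    target=$conf_dir/env_idm

    if [ ! -f "$conf_dir/nds.conf" ]; then
        echo "nds.conf not found in $conf_dir; nothing to do" >&2
        return 1
    fi
    # Never overwrite a file that an installer or administrator already wrote.
    if [ -s "$target" ]; then
        echo "$target already present; left unchanged" >&2
        return 0
    fi
    # Write to a temporary file in the same directory, then rename it, so a
    # half-written env_idm is never visible under its final name.
    tmp=$(mktemp "$conf_dir/env_idm.XXXXXX") || return 2
    if env_idm_content > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$target"; then
        echo "created $target" >&2
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# On an affected server, run as root:  ensure_env_idm
```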

8.10 Upgrading to Newly Created User Application Driver Package Overwrites Undeployed Changes to PRDs

Issue: Designer does not save the changes made to PRDs before installing a newly created User Application driver. (Bug 1001571)

Workaround: There is no workaround at this time.

8.11 Unable to Start Designer after Upgrading from Identity Manager 4.5 to 4.5.4

Issue: Designer fails to start after upgrading Identity Manager and Designer from 4.5 to 4.5.4. (Bug 997512)

Workaround: Change the default workspace location in the /root/designer/configuration/config.ini file from osgi.instance.area.default=@user.home/designer_workspace to another directory. For example, /opt/designer_workspace or another workspace that was not used before upgrading.

8.12 catalina.out Does Not Roll on Identity Application 4.5 Installed on Windows Server 2012

Issue: The Tomcat catalina.out log does not roll after 24 hours when Identity Application 4.5 is installed on Windows Server 2012. This occurs only while using the integrated installer or while installing the framework. (Bug 988244)

Workaround: See TID 7017790.

8.13 javax.naming.AuthenticationException Error Occurs Randomly in catalina.out

Issue: Users are randomly logged out, and catalina.out records the following SAML error: (Bug 1005952)

javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

Workaround: Ensure that the token expiry is higher than the LDAP timeout. To do so, make the following configuration changes:

  • Change the minimum default ism configuration value to com.novell.ldap.timeout = 600000.

  • Increase the SAML expiry configuration value in eDirectory for the following attributes from 1000 (default value) to 1500 or more by using iManager:

    • authsamlValidAfter

    • authsamlValidBefore

8.14 No Password Synchronization Commands Detected with Non Status Document

Issue: When a password change is initiated on the Subscriber Channel with the SOAP driver, the password synchronization fails. This is because the engine tries to detect the password synchronization command result by checking for a status element with attribute “success”. However, the SOAP shim returns the raw XML response that needs to be translated to XDS, so no status document is found. (Bug 987605)

Workaround: There is no workaround at this time.

8.15 Reconciling a Customized ECV from an Imported Project Deletes the ECV in Designer and the Identity Vault

Issue: When a customized ECV is reconciled with the live Identity Vault, the ECV is deleted from Designer. Also, the operation deletes the ECVs from the live Identity Vault. (Bug 1011564)

Workaround: Restore the ECVs in the Identity Vault by restarting the driver. However, doing this will not restore the customization made in Designer.

8.16 Images Created by the Driver Set Dashboard Plug-In Are Not Removed After Leaving the Plug-In

Issue: Identity Manager temporarily creates the graphic files used by the Identity Manager Overview and Driver Set Dashboard plug-ins in the <iManager Install Folder>/nps/images/temp directory. (Bug 1002940)

The files created by the Driver Set Dashboard plug-in are not cleaned when you leave the plug-in or when Tomcat is stopped.

Workaround: Manually remove the files from the directory.
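Because the cleanup is manual and the files keep accumulating, it can be scheduled. The following is an added example, not NetIQ code: the function name clean_dashboard_images and the 60-minute default age are assumptions, and you pass the real nps/images/temp path under your iManager install folder.

```shell
#!/bin/sh
# Added example (not NetIQ code): prune stale plug-in images from
# <iManager Install Folder>/nps/images/temp.
# clean_dashboard_images is a hypothetical helper name.

# Usage: clean_dashboard_images <temp_dir> [min_age_minutes]
# Deletes regular files directly inside <temp_dir> that were last modified
# more than min_age_minutes ago (default 60) and prints how many it removed.
# Returns 1 without deleting anything if the argument is not an
# nps/images/temp directory, so a mistyped path cannot wipe another location.
clean_dashboard_images() {
    dir=${1%/}
    age=${2:-60}

    case $dir in
        */nps/images/temp) ;;
        *) echo "refusing: $dir is not an nps/images/temp directory" >&2
           return 1 ;;
    esac
    case $age in
        ''|*[!0-9]*) echo "age must be a whole number of minutes" >&2
                     return 1 ;;
    esac
    # Reject a missing directory or a symbolic link standing in for it.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "refusing: $dir is missing or a symbolic link" >&2
        return 1
    fi

    # -maxdepth 1 keeps the sweep out of subdirectories, -type f skips
    # symlinks and directories, and -mmin +N spares images that a plug-in
    # session created recently and may still be displaying.
    removed=$(find "$dir" -maxdepth 1 -type f -mmin +"$age" -print -delete | wc -l)
    echo "$((removed))"
}

# Example cron use (path placeholder as in the release note):
#   clean_dashboard_images "<iManager Install Folder>/nps/images/temp" 120
```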

10.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.