NetIQ Identity Manager 4.5 Service Pack 5 includes new features, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Identity Manager Community Forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Identity Manager Documentation Web site page.
Identity Manager 4.5.5 provides the following key features, enhancements, and fixes in this release:
This release introduces the following features:
When multiple users are assigned the same task, one of the users can claim the task to notify others about the ownership of the task. If a task is assigned to only one user, the task can be claimed to inform about the ownership of the task. This feature has been re-introduced in Identity Manager in this release.
In Designer, the Claim button can now be added in the approval form. This enables an approver to view the claim details in the approval form before approving a task. For more information, see Action Reference in NetIQ User Application Design guide.
In Home and Provisioning Dashboard, after a request is initiated, you can approve the request with or without claiming it. For more information, see Claiming Tasks in NetIQ Identity Manager Home and Provisioning Dashboard User Guide.
Designer includes a new pop-up message that prompts you to migrate the linkages while importing a driver or a driver set. Migrating linkages reorders the policies in a policy set and generates the missing attribute, DirXML-pkgLinkages. Designer requires this attribute to correctly order the policies on future package upgrade or downgrade.
Support for web application servers such as JBoss Enterprise Application Platform (EAP) and WebSphere has been deprecated with Identity Manager 4.5 Service Pack 4. These web application servers will no longer be supported with the next major release of Identity Manager. NetIQ continues to support EAP and WebSphere with Identity Manager 4.5.x.
This service pack provides updates for the following components in Identity Manager:
Identity Manager engine
Identity applications
Designer for Identity Manager (Designer)
This service pack updates the following components to support Java Development Kit 8 Update 112 (jdk8u112) or Java Runtime Environment 1.8 Update 112 (jre8u112).
Identity Manager engine
Identity applications, running on Apache Tomcat
Identity Reporting, running on Apache Tomcat
Designer
Analyzer (32-bit Java only)
This service pack updates the Java version for the Identity Manager engine. You need to manually update your current Java version for the identity applications, Identity Reporting, Designer, and Analyzer. For more information, see Section 3.5, Installing Java 1.8 Update 112 on the Identity Manager Servers.
NOTE: If you use JBoss Enterprise Application Platform (EAP) or WebSphere, do not upgrade to Java 1.8. For more information, see JBoss has Errors Running the Identity Applications with Java Development Kit 8 in the NetIQ Identity Manager 4.5 Service Pack 3 Release Notes.
This service pack adds support for OSP 6.0.0.5. The minimum supported version for OSP is 6.0.0.3. For more information about updating to OSP 6.0.0.3 or later, see Section 3.9, Updating One SSO Provider.
NetIQ Identity Manager includes software fixes that resolve several previous issues in the Identity Manager engine and plug-ins.
With this service pack, the policies do not report any DTD validation errors. (Bug 942075)
With this service pack, you can now successfully upgrade Identity Manager 4.5 SP1 on a server where only 32-bit Remote Loader 4.5 is installed or where Identity Manager 4.5 engine and 32-bit Remote Loader are installed. (Bug 947913)
This service pack resolves an issue where the JMS driver failed to start due to the presence of a conflicting Jar file. (Bug 963513)
If there are more than 99 menu items, use the 999 option to return to the main menu to avoid any conflict. (Bug 967595)
This service pack resolves an issue where the iManager plug-in prompted a -672 error while checking the password status for a user. (Bug 979080)
With this service pack, you can read the driver cache from the driver cache inspector. (Bug 1000086)
eDirectory no longer crashes when an invalid value is specified for a string based association. (Bug 1008083)
With this service pack, the .NET Remote Loader is able to load the Office365 driver in service mode. (Bug 1009157)
NetIQ Identity Manager includes software fixes that resolve several previous issues in the identity applications.
This service pack resolves an issue where a user with Configure Delegate and Configure Availability rights to all PRDs made a request in the User Application and the request appeared in the user's task list for approval. When the user clicked the task, an error message indicated lack of rights for the user. (Bug 974944)
This service pack resolves an issue where no error message was displayed when a user clicked the URL provided in the provisioning notification e-mail for a claimed or processed workflow. (Bug 986591)
Tasks were not displayed for a logged in user who was part of more than 2100 groups or roles with MSSQL 2014. (Bug 970870)
This service pack resolves this issue. Now tasks are correctly displayed without any errors.
With this service pack, user names with extended characters are displayed correctly in lookup controls. (Bug 987970)
This service pack resolves an issue where the portal data was not successfully imported when the portalregistry table was updated or deleted. (Bug 975508)
This service pack resolves an issue where DNLookup did not automatically populate in the workflow. (Bug 988218)
This service pack resolves an issue where you were not able to modify or set the allowoverride flag using the modifyResource SOAP endpoint. (Bug 981130)
This service pack resolves an issue where the requestResourceGrant SOAP endpoint failed when there was more than one request parameter and if nrfAllowMulti was set to false. (Bug 987486)
This service pack resolves an issue where searching for a user incorrectly returned all the listed users. (Bug 1006530)
This service pack resolves an issue where searching was restricted to FirstName and LastName. Now you can search by CN in addition to FirstName and LastName. (Bug 1002631)
This service pack resolves an issue where the DNQuery control did not format the returned data with a specific locale based upon the UI Control for the attribute. (Bug 794204)
With this service pack, the correct URL is present in the proxy notification email. (Bug 985333)
NetIQ Identity Manager includes software fixes that resolve several previous issues in Designer.
This service pack resolves an issue where Designer hung because of the incorrect format of the E-Mail server object while importing it into Designer. (Bug 991815)
This service pack resolves an issue where Package Manager did not update the entity attributes with package changes. (Bug 972103)
This service pack resolves an issue where Designer did not add or synchronize the DAL attributes to a package after upgrading the package. (Bug 972113)
This service pack resolves an issue where a Designer project was unable to reference GCVs (Global Configuration Values). (Bug 987676)
This service pack resolves an issue where Designer reported an error when a driver was deployed to the Identity Vault. (Bug 991883)
This service pack resolves an issue where Designer duplicated a few GCV entries after Designer was upgraded. (Bug 1007013)
NOTE: If you upgraded the packages in Identity Manager 4.5.4 or earlier, some packages might contain duplicate GCVs. To delete the duplicate GCVs, perform the following steps:
Take a backup of the driver to save your customization.
Edit the driver configuration to remove the duplicate GCV entries.
Go to Driver Properties > Driver Configuration > Driver parameters and click Edit XML.
Search for <template> ... </template> elements in the XML file and delete the duplicate entries under <value> ... </value> elements.
You must remove the entries carefully so that no other values are modified.
Save the XML file.
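A check for the clean-up steps above, as an added example that is not NetIQ code: it lists repeated entries under `<value>` in an exported driver-parameter XML and returns a de-duplicated copy without touching the input. The sample XML, its element layout (entries as direct children of a `<value>` that sits beside a `<template>`), and all function names are assumptions constructed for illustration.

```python
import copy
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Constructed sample of an exported driver-parameter document. The layout
# (a <value> beside a <template>, entries as direct children of <value>) is an
# assumption for illustration, not a copy of a real Identity Manager driver.
SAMPLE_DRIVER_XML = """\
<configuration-values>
  <definitions>
    <definition display-name="Entitlement map" name="drv.ent.map" type="structured">
      <template>
        <definition display-name="Name" name="ent.name" type="string"><value/></definition>
      </template>
      <value>
        <instance><definition name="ent.name" type="string"><value>Account</value></definition></instance>
        <instance><definition name="ent.name" type="string"><value>Group</value></definition></instance>
        <instance>
          <definition type="string" name="ent.name"><value>Account</value></definition>
        </instance>
      </value>
    </definition>
    <definition display-name="Trace level" name="drv.trace" type="string">
      <value>3</value>
    </definition>
  </definitions>
</configuration-values>
"""


class Duplicate(NamedTuple):
    owner: str              # name= of the element holding <template> and <value>
    index: int              # position of the repeated entry under <value>
    first_index: int        # position of the copy that is kept
    container: ET.Element   # the <value> element
    entry: ET.Element       # the repeated entry itself


def _fingerprint(entry):
    """Canonical XML (C14N 2.0, Python 3.8+) of one entry.

    Attribute order and indentation are normalised, so two entries that differ
    only in formatting still compare equal.
    """
    clone = copy.copy(entry)   # shallow copy: only the trailing text is dropped
    clone.tail = None
    return ET.canonicalize(ET.tostring(clone, encoding="unicode"), strip_text=True)


def find_duplicates(root):
    """List entries under <value> that repeat an earlier entry of the same <value>.

    Only elements that have both a <template> and a <value> child are examined;
    plain values elsewhere in the document are never considered.
    """
    found = []
    for owner in list(root.iter()):
        value = owner.find("value")
        if owner.find("template") is None or value is None:
            continue
        first_seen = {}
        for index, entry in enumerate(list(value)):
            key = _fingerprint(entry)
            if key in first_seen:
                found.append(Duplicate(owner.get("name", owner.tag), index,
                                       first_seen[key], value, entry))
            else:
                first_seen[key] = index
    return found


def remove_duplicates(xml_text):
    """Return (cleaned XML text, number of entries removed); the input is untouched."""
    root = ET.fromstring(xml_text)
    duplicates = find_duplicates(root)
    for dup in duplicates:
        dup.container.remove(dup.entry)   # the first copy of each entry stays
    return ET.tostring(root, encoding="unicode"), len(duplicates)


if __name__ == "__main__":
    for dup in find_duplicates(ET.fromstring(SAMPLE_DRIVER_XML)):
        print(f"{dup.owner}: entry {dup.index} repeats entry {dup.first_index}")
    cleaned, removed = remove_duplicates(SAMPLE_DRIVER_XML)
    print(f"removed {removed} duplicate entr{'y' if removed == 1 else 'ies'}")
```

Compare the returned text against the driver backup from the first step before pasting it into Edit XML, so that only the repeated entries differ.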
This service pack resolves an issue where updating to a new package resulted in changing the order of the schema mapping policies. (Bug 1007211)
This service pack resolves an issue where Designer incorrectly published a change in the Identity Vault because it ignored the reconcile direction arrow while comparing the objects. (Bug 990477)
This service pack resolves an issue where a user was not able to add trustee rights to a workflow. (Bug 991274)
This service pack resolves an issue where GCVs were not maintained correctly after upgrading a driver with only one package. (Bug 990327)
This service pack resolves an issue where Designer returned a null pointer exception when you searched for an attribute with Full Name. (Bug 972113)
This service pack requires the following product versions:
Requirement | Description |
---|---|
NetIQ Identity Manager 4.5 or later | This includes Identity Manager engine, Identity Applications, Identity Reporting, Designer 4.5.2 at a minimum. |
NetIQ eDirectory 8.8.8 Patch 8 at a minimum or eDirectory 9.0.1 at a minimum | You can install eDirectory 8.8.8.x or 9.0.1 or later as an Identity Vault and as a connected system. NOTE: |
NetIQ iManager 2.7.7 Patch 8 or iManager 3.0.1 | You must install iManager 3.x to support the new features of eDirectory 9.0.1 or later. If you are not upgrading your Identity Vault to eDirectory 9.0.1 or later, use iManager 2.7.7.x. Ensure you update your existing plug-ins to the latest versions for the iManager version you are using. IMPORTANT: If you are planning to upgrade eDirectory 8.8.x to 9.0.1 or later, ensure that iManager is upgraded to 3.x. NetIQ recommends that you clear the browser cache soon after upgrading the Identity Manager plug-ins. |
NetIQ Self Service Password Reset 3.3.1.2, at a minimum | |
NetIQ One SSO Provider 6.0.0.3, at a minimum | |
For more information about the software requirements, see “Selecting an Operating System Platform for Identity Manager” in the NetIQ Identity Manager Setup Guide.
You can upgrade to this service pack from Identity Manager 4.5, 4.5.1, 4.5.2, 4.5.3, 4.5.4 or 4.5.4 HF1. Install the components in the following order, depending on your current version:
Identity Manager Engine
Remote Loader
Designer
NOTE: You can directly upgrade to Designer 4.5.5 from Designer 4.5.2, 4.5.3, and 4.5.4. To upgrade Designer 4.5 to Designer 4.5.5, first upgrade to Designer 4.5.2 and then to Designer 4.5.5.
Designer 4.5.2 is a complete software build while Designer 4.5.5 features are available at the Designer Auto-Update Site. For more information about updating Designer, see the following links:
Designer 4.5.2: NetIQ Identity Manager 4.5 Service Pack 2 Release Notes
Designer 4.5.3: NetIQ Identity Manager 4.5 Service Pack 3 Release Notes
Designer 4.5.4: Updating Designer
Configuration Update Utility 4.5.0.3
One SSO Provider
Role and Resource Service Driver 4.5.0.2
Identity Applications (for Advanced Edition)
Identity Reporting
Self Service Password Reset
Before beginning the installation, review the following considerations to help you plan the installation:
The Identity Manager 4.5 Engine Service Pack 5 updates the Java version to 1.8.0_112 for the Identity Manager engine. You need to manually update your current Java version for the Identity Applications, Identity Reporting, Designer, and Analyzer. For more information, see Section 3.5, Installing Java 1.8 Update 112 on the Identity Manager Servers.
For Identity Manager Advanced Edition, update Java 1.8 Update 112 before installing the Identity Applications.
For Identity Manager Standard Edition, update Java 1.8 Update 112 before installing the Identity Reporting.
You can upgrade Identity Manager 4.5, 4.5.1, 4.5.2, 4.5.3, 4.5.4, or 4.5.4 HF1 to Identity Manager 4.5.5 with a minimum version of eDirectory 8.8.8 Patch 8.
The Identity Manager 4.5.5 installation files are included in the IDM_engine_rl_IDM4.5.5.zip file. The zipped file contains the following folders:
Identity Manager 4.5.5 Engine and Remote Loader (cd-image)
Compatibility installer for installing Identity Manager 4.5 on eDirectory 9.0.2 (idm45_eDir90_compat)
SAML 1.1.2 (SAML)
To upgrade to Identity Manager 4.5.5, perform the following actions:
Install the Identity Manager 4.5.5 engine service pack on the Identity Manager engine server by performing the steps listed in the readme file from the download page.
Select the type of Remote Loader you want to update, then click OK.
Click OK when the pop-up message appears.
This message indicates that Identity Manager is not Suite B compliant.
Click Done after the installation is complete.
IMPORTANT: NetIQ allows you to install Identity Manager 4.5.0 with eDirectory 9.0.1 or later using a special compatibility installer. For instructions to upgrade to Identity Manager 4.5.5, see Section 6.0, Installing Identity Manager 4.5.5 on eDirectory 9.0.1 or Later.
This service pack includes an update to the identity applications that run on Tomcat, WebSphere, and JBoss application servers. Download the IDM45-Apps-SP-5.zip file to the server where you deployed the identity applications and perform the steps listed in the readme files.
To update the path of the keystore in the Configuration Update utility, perform the steps listed in the readme file from the download page.
This service pack includes support for SAML 1.1.2. The installation files are included in the IDM_engine_rl_IDM4.5.5.zip file. For information about using SAML 1.1.2 with the identity applications, perform the steps listed in the readme file from the download page.
This service pack includes an IDM_engine_rl_IDM4.5SP5.zip file for updating the Identity Manager engine. Install this package on the Identity Manager engine server. For more information, see “Hotfixing the Identity Manager Engine and Remote Loader” in the NetIQ Identity Manager Setup Guide.
NOTE: The Identity Manager engine upgrade process displays a warning that Identity Manager is not compatible with Suite B. However, some of the Suite B modes can be enabled. For a list of supported Suite B modes, please refer to table.
This service pack provides an update to Designer. Download the Designer 4.5.5 updates from the Designer Download Site.
NOTE: To upgrade Designer 4.5 to Designer 4.5.5, first upgrade to Designer 4.5.2 and then upgrade Designer 4.5.2 to Designer 4.5.5.
Designer provides a built-in auto-update feature that notifies you of new features available at the Designer Download Site. This feature allows you to download Designer package and patch updates when the computer that has Designer installed is connected to the Internet.
You can also perform an offline update of Designer when the computer that has Designer installed is not connected to the Internet. To perform an offline update, first download the required content from the Designer and Package Update Web sites on a local or remote computer and then point Designer to the directory containing the downloaded files.
To update Designer in an offline mode, create an offline copy of the Designer update files and then configure Designer to read the patch updates from the files copied to the local directory.
To create an offline copy of the Designer update files:
Log in to the computer that has Designer installed and create a local directory.
Download the latest patch zip file for Designer version from the specified location and unzip the files into the local directory.
To configure Designer to read the patch updates from the local directory:
Launch Designer.
From Designer’s main menu, click Window > Preferences.
Click NetIQ > Identity Manager and select Updates.
Select Do not check for updates and deselect all the other check boxes.
For URL, specify file:///<path_to_files>/updatesite4_5_5
For a Linux mounted ISO, use the following URL format:
file:///media/designer450offline/updatesite4_5_5
Click Apply, then click OK.
From Designer’s main menu, click Help > Check for Designer Updates.
Select the required updates and click Yes to accept and update the Designer patch updates.
You need to launch Designer again for the changes to take effect.
To update Designer packages in an offline mode, make the package update files available in a local directory on your computer and then configure Designer to read the files from this directory.
To create an offline copy of the package update files:
Log in to the computer that has Designer installed and create a local directory.
Copy the package update files to the directory created in Step 1:
Linux: In a shell, change to the directory and run the following commands:
wget -e robots=off -r -nH -np https://nu.novell.com/designer/packages/idm/updatesite1_0_0/
wget -e robots=off -r -nH -np https://nu.novell.com/designer/packages/idm/updatesite2_0_0/
Windows:
Launch the package update site by using one of the following URLs:
https://nu.novell.com/designer/packages/idm/updatesite1_0_0/
https://nu.novell.com/designer/packages/idm/updatesite2_0_0/
Select and download the required files.
To configure Designer to read the files from the local directory:
Launch Designer.
From Designer’s main menu, click Window > Preferences.
Click NetIQ > Package Manager > Online Updates.
To add a new URL, click the plus icon.
Provide information for the following fields:
Vendor: Specifies the vendor name for package update.
URL: Specifies the URL as file:///<path_to_files>/updatesite1_0_0/.
For Linux mounted ISO, use the following URL format:
file:///media/designer455offline/updatesite1_0_0/
For Windows, use the following URL format:
file:///c:\designer455offline\updatesite1_0_0\.
NOTE: If you have multiple package sites, repeat Step 5 and add multiple sites and URLs.
Click OK.
In the Preferences window, select the required check boxes for the sites.
NOTE: The new sites are selected by default.
Click Apply, then click OK.
From Designer’s main menu, click Help > Check for Package Updates.
Select the required updates and click Yes to accept and update the Designer package updates.
You need to launch Designer again for the changes to take effect.
This service pack certifies Java 1.8.0_112 (JDK 8u112 or JRE 8u112) for use with Identity Applications on Apache Tomcat. The later versions of Java 1.8 are also supported.
To install Java 1.8 Update 112 on the identity applications, perform the steps listed in the readme files from the download page.
NOTE: You can download Java 1.8 Update 112 directly from the Oracle Site.
This service pack updates Designer to support Java 1.8 Update 112.
On the server where you installed Designer, download and install the Java 8 Update 112 files in a local directory.
Open the Designer.ini file located in the Designer installation directory.
Update the Java path in the Designer.ini file.
This service pack updates Analyzer to support Java 1.8 (32-bit).
On the server where you installed Analyzer, create a directory for Java 1.8.
For example, opt/netiq/jdk1.8.0_112.
Download and install the Java 1.8 files in this directory.
Open the Analyzer.ini file located in the Analyzer installation directory.
Update the Java path in the Analyzer.ini file.
Replace the existing (jre) folder with the Java 1.8 folder in the installation directory.
This service pack requires NetIQ Self Service Password Reset 3.3.1.2, at a minimum. To install these updates, download the following package and perform the steps listed in the readme files:
NetIQ recommends that you install the latest version of NetIQ One SSO Provider (OSP) to work with this service pack. To upgrade to OSP 6.0.0.5, perform the steps listed in the readme file from the download page.
To enable SSL connections, perform the steps listed in the readme file from the download page.
You can install Identity Manager 4.5.5 on a server running SUSE Linux Enterprise Server 12 SP1 at a minimum. The following table guides you through the installation process. First you install the Identity Manager 4.5 components in the given sequence using the individual component installation programs and then apply Identity Manager 4.5 Service Pack 5 as appropriate. For more information, see Section 3.0, Upgrading to this Service Pack.
Before starting the installation, NetIQ recommends that you go through the following table to help you plan the installation process for Identity Manager.
IMPORTANT: Identity Manager does not support this installation using the integrated installation program.
Order of Installation | Installation Instructions |
---|---|
EAS | Install EAS and Identity Manager engine on separate servers. Install the following dependent libraries before starting the EAS installation: For more information about installing EAS, see Installing EAS in the Identity Manager Setup Guide. |
eDirectory | Install eDirectory 8.8 SP8 Patch 8, at a minimum. NOTE: Identity Manager ships eDirectory 8.8 SP8 Patch 3 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on SLES 12.x, ensure that your eDirectory is running 8.8 SP8 Patch 8 at a minimum. Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at eDirectory 8.8 SP8 documentation site. |
Identity Manager Engine and Remote Loader | Install the Identity Manager engine as instructed in “Installing the Identity Manager Engine, Drivers, and Plug-ins” in the Identity Manager Setup Guide. Install the following dependent library before starting the installation: |
iManager | Install iManager 2.7 SP7 Patch 7, at a minimum. For detailed installation instructions, see Installing iManager in the Identity Manager Setup Guide. |
Designer | |
Analyzer | |
Self Service Password Reset | For more information about installing Self Service Password Reset, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide. |
One SSO Provider | For more information about installing One SSO Provider, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide. |
Identity Applications | For more information about installing Identity Applications, see Installing the Identity Applications in the Identity Manager Setup Guide. |
Identity Reporting | For more information about installing Identity Reporting, see Installing the Identity Reporting Components in the Identity Manager Setup Guide. |
You can install Identity Manager 4.5.5 on a server running Red Hat Enterprise Linux 7.2 platform. The following table guides you through the installation process. First you install the Identity Manager 4.5 components in the given sequence using the individual component installation programs and then apply Identity Manager 4.5 Service Pack 5 as appropriate. For more information, see Section 3.0, Upgrading to this Service Pack.
Before starting the installation, NetIQ recommends that you go through the following table to help you plan the installation process for Identity Manager.
IMPORTANT: Identity Manager does not support this installation using the integrated installation program.
Installation Order | Description |
---|---|
EAS | Install EAS and Identity Manager engine on separate servers. Install the following dependent libraries before starting the EAS installation: For more information about installing EAS, see Installing EAS in the Identity Manager Setup Guide. |
eDirectory | Install eDirectory 8.8 SP8 Patch 8 and above. NOTE: Identity Manager ships eDirectory 8.8 SP8 Patch 3 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on RHEL 7.2, ensure that your eDirectory is running 8.8 SP8 Patch 8 at a minimum. Download the patch from the NetIQ downloads page. For more information, see the Release Notes accompanying the patch at eDirectory 8.8 SP8 documentation site. |
Identity Manager Engine and Remote Loader | Install the Identity Manager engine as instructed in “Installing the Identity Manager Engine, Drivers, and Plug-ins” in the Identity Manager Setup Guide. Install the following dependent library before starting the installation: |
iManager | Install iManager 2.7 SP7 Patch 7, at a minimum. NOTE: Identity Manager ships iManager 2.7.7 Patch 2 as part of Identity Manager 4.5 ISO. To support Identity Manager installation on RHEL 7.2, ensure that your iManager is running SP7 Patch 7 at a minimum. For detailed installation instructions, see Installing iManager in the Identity Manager Setup Guide. |
Self Service Password Reset | For more information about installing Self Service Password Reset, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide. |
One SSO Provider | For more information about installing One SSO Provider, see Installing the Single Sign-on and Password Management Components in the Identity Manager Setup Guide. |
Identity Applications | For more information about installing Identity Applications, see Installing the Identity Applications in the Identity Manager Setup Guide. |
Identity Reporting | For more information about installing Identity Reporting, see Installing the Identity Reporting Components in the Identity Manager Setup Guide. |
NetIQ supports installing Identity Manager 4.5 on eDirectory 9.0.1 or later. You perform this installation in two steps. First you install the Identity Manager 4.5 engine on eDirectory 9.0.1 or later by using the compatibility installer located in the idm45_eDir90_compat folder. You must follow this installation by immediately updating the engine with the Identity Manager 4.5.5 Engine Service Pack. This service pack contains the required software to enable the Identity Manager engine to function with eDirectory 9.0.1 or later and it is a mandatory step.
NOTE: Identity Manager 4.5.5 is not completely Suite B compliant. For a list of supported Suite B modes, refer to Section 7.2, Features of eDirectory 9.0.1 or Later That Can be Enabled on the Identity Vault Server.
Install Identity Manager 4.5.
On the eDirectory 9.0.1 or later server, perform the following actions:
Download the Identity Manager 4.5 ISO.
Extract the ISO contents to a folder.
From the directory that contains the installation files, complete one of the following actions:
Linux: Replace the <ISO Extracted folder>/products/IDM/linux/setup/idm_linux.bin file with idm45_eDir90_compat/release/idm_linux.bin.
Windows: Replace the <ISO Extracted folder>\products\IDM\windows\setup\idm_install.exe file with idm45_eDir90_compat\release\idm_install.exe.
Navigate to the extracted folder and complete one of the following actions:
Linux: Browse to the <ISO Extract folder>/products/IDM folder and run the install.bin file.
Windows: Browse to the <ISO Extract folder>\products\IDM\windows\setup folder and run the install.exe file.
NOTE:
Identity Manager does not support this installation using the integrated installation program.
SAML method 1.1.2 is added by default using the compatibility installer (idm45_eDir90_compat).
Apply the Identity Manager 4.5.5 or later engine service pack from the download page.
NOTE:
This is a mandatory step to perform, as Identity Manager 4.5 versions prior to version 4.5.4 are not compatible with eDirectory 9.0.1 or later.
While installing the Identity Manager 4.5 engine using the compatibility installer, the following message is displayed:
sh: /var/opt/novell/nici/nicimud: No such file or directory
It is safe to ignore this message.
(Conditional) Update other Identity Manager components to the latest versions.
For more information, see NetIQ Identity Manager Setup Guide.
In addition to eDirectory 8.8.8, Identity Manager supports installing eDirectory 9.0.1 or later as an Identity Vault and as a connected system. Before using eDirectory 9.0.1 or later with Identity Manager, NetIQ recommends that you review the following sections:
You can upgrade Identity Vault from eDirectory 8.8.8 to eDirectory 9.0.1 or later only on Identity Manager 4.5.4 with eDirectory 8.8.8 Patch 8. If your current Identity Manager version is 4.0.2, you must first upgrade to Identity Manager 4.5 and then apply the Identity Manager 4.5.5 patch with eDirectory 8.8.8 Patch 8 or later.
Perform the following actions to upgrade Identity Vault from eDirectory 8.8.8 to eDirectory 9.0.1 or later:
Ensure that your current eDirectory version on Identity Manager Server is eDirectory 8.8.8 Patch 8 or later.
Update SAML methods to version 1.1.2. For more information, perform the steps listed in the readme file from the download page and restart eDirectory.
IMPORTANT: iManager NMAS plug-in should not be used to update SAML 1.1.2. For more information, see Section 8.1, eDirectory Crashes after Updating the SAML Method from Earlier Versions to SAML 1.1.2 or Later.
NOTE: This is mandatory for Identity Manager Advanced Edition with Role Based Provisioning Module installed and configured with SAML login method.
Upgrade eDirectory 8.8.8 Patch 8 to eDirectory 9.0.1 or later. For more information, see eDirectory 9.0 Service Pack 1 Release Notes.
Upgrade iManager 2.7.7.x to iManager 3.0.2. For more information, see NetIQ iManager 3.0 Service Pack 1 Release Notes.
Ensure you update the iManager plug-ins to 3.0.2.
Review the following table to understand which features of eDirectory 9.0.1 or later can be enabled with Identity Manager. None of these restrictions apply when eDirectory 9.0.1 or later is used as a connected system. For more information about the new features of eDirectory 9.0.1, see eDirectory 9.0 Release Notes and eDirectory 9.0.1 Release Notes.
Feature | Can be enabled on eDirectory (Identity Vault) | Description |
---|---|---|
TLS 1.2 | Yes | Can enable all TCP communication using TLS 1.2 |
Suite B Configuration | | |
Container Readiness | Yes | No impact on Identity Manager |
Enhanced Nested groups | Yes | Not supported by Identity Manager engine and drivers |
Proxied Authorization Control | Yes | No impact on Identity Manager |
Monitoring | Yes | No support extended for monitoring Identity Manager components |
Enhanced Data Replication | Yes | No impact on Identity Manager |
Improved Data Synchronization | Yes | No impact on Identity Manager |
Optimized Janitor thread of Inherited ACL Calculation | Yes | No impact on Identity Manager |
If NDSPKI or LDAP Services are enabled with Suite B, then Identity Manager 4.5.5 may not work as expected. Refer to the following table to revert these components to a non-Suite B mode.
Module | When Suite B is Enabled | Recovery Option |
---|---|---|
NPKI (NetIQ Certificate Server) | If Suite B is enabled on the CA, the NPKI server restricts the generation of RSA certificate. The Identity Manager modules that consume RSA certificate will not function as expected. | Disable this mode. For more information, see the NetIQ eDirectory Administration Guide. |
LDAP Services | The Identity Manager modules that use LDAP services will not be able to connect to eDirectory. | Disable Suite B or reconfigure these services to a non-Suite B mode. For more information, see the NetIQ eDirectory Administration Guide. |
NetIQ Corporation strives to ensure that our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
For the list of the known issues in Identity Manager 4.5, Identity Manager Standard Edition 4.5.1, Identity Manager 4.5.2, Identity Manager 4.5.3, and Identity Manager 4.5.4 see the Release Notes for each version on the Identity Manager 4.5 Documentation page.
Issue: eDirectory crashes after updating the SAML method from 1.1.1 or earlier to SAML 1.1.2 (or later). This occurs due to the unloading of the older method by the NMAS server to load the new method.
Also, updating to the SAML 1.1.2 method by using the iManager NMAS plug-in causes eDirectory to crash. (Bug 984380)
Workaround: The new NMAS SAML 1.1.2 method takes effect only after restarting the eDirectory server.
Issue: When a driver is started, the engine trace immediately displays a retry message. This occurs because the connection between the Remote Loader and the engine is not established until the remote interface shim receives the driver identification query from the engine. This causes the remote interface shim to return a retry status. (Bug 923270)
Workaround: This behavior is by design.
Issue: When a user tries to edit an RBE by using the iManager 2.7.7 Patch4 workstation, the following error is displayed on the Identity Manager Administration page: (Bug 947282)
Unable to obtain an LDAP context. Possible causes: the LDAP server is not running, or the LDAP server if for a tree other than the one iManager was originally set up to, and SSL has not been setup between the iManager server and the LDAP server. Either start the LDAP server, or set up SSL by importing a trusted certificate.
Workaround:
Add an explicit IP address to the servers used in the LDAP interfaces.
Restart the LDAP server and Tomcat.
Issue: The roles or resources are not displayed if you search for them by using their descriptions. (Bug 973376)
Workaround: There is no workaround at this time. Search by the name of a role or a resource.
Issue: While upgrading to Designer 4.5.4, using the Simulate function no longer produces any output on the Trace tab. The Output and Compare tabs look normal, but Trace is blank. (Bug 987449)
Workaround: There is no workaround at this time.
Issue: ManageTeamTilesCreate.jar is hard coded to use a specific category ID. (Bug 990368)
Workaround: There is no workaround at this time.
Issue: The non-root patch installer is unable to install Identity Manager due to the presence of Remote Loader as a root user. (Bug 972698)
Workaround:
Remove the Remote Loader as a root user.
Perform a non-root installation of Identity Manager 4.5.3.
Issue: The Active Directory password filter retrieves blank passwords if G Suite Password Sync 1.5.22.0 (also known as Google Application Password Sync) is installed. (Bug 1000333)
Workaround: To enable the password filter to capture non-blank passwords, perform the following actions:
Uninstall this version of G Suite Password Sync.
Reboot the domain controller.
Issue: When Identity Manager 4.5 SP4 is installed on eDirectory 9.0.1 with nds.conf in the /etc/opt/novell/eDirectory/conf/ location, the env_idm file is not created in the dirxml-patch-ndsd script and the drivers fail to start. (Bug 1002941)
NOTE: This is applicable only in SLES12 and RHEL7.
Workaround: Create the env_idm file in the /etc/opt/novell/eDirectory/conf/ location with the following contents:
:/etc/opt/novell/eDirectory/conf # cat env_idm
LD_LIBRARY_PATH=//opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH:/opt/novell/eDirectory/lib64/apr:/opt/novell/eDirectory/lib64:/opt/novell/lib64:/opt/novell/eDirectory/lib64/nds-modules:$LD_LIBRARY_PATH
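An empty element in LD_LIBRARY_PATH (the "::" in the value above, and each $LD_LIBRARY_PATH reference when that variable is unset) is read by the dynamic loader as the current working directory. The following check is an added example, not part of the release notes or of NetIQ's scripts; the function names and the shortened sample value are constructed, and it assumes env_idm is sourced by a shell so that $LD_LIBRARY_PATH is expanded.

```shell
#!/bin/sh
# Added example (not vendor code): audit an LD_LIBRARY_PATH value for entries
# that make the dynamic loader search the current working directory.

REF='$LD_LIBRARY_PATH'   # the literal reference as it is written in env_idm

# expand_ref TEMPLATE INHERITED: replace each literal $LD_LIBRARY_PATH in
# TEMPLATE with INHERITED (assumption: env_idm is sourced by a shell).
expand_ref() {
    v=$1
    while :; do
        case $v in
            *"$REF"*) v=${v%%"$REF"*}$2${v#*"$REF"} ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$v"
}

# audit_ld_path VALUE: print "empty@N" or "relative:ENTRY" for each risky
# element; return 0 when the list is clean, 1 otherwise.
audit_ld_path() {
    [ -n "$1" ] || return 0
    rest="$1:"; pos=0; risky=0     # sentinel ':' exposes a trailing empty element
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            '') echo "empty@$pos"; risky=1 ;;
            /*) ;;                 # absolute directory: acceptable
            *)  echo "relative:$entry"; risky=1 ;;
        esac
    done
    return $risky
}

# clean_ld_path VALUE: the same list with empty and relative entries dropped.
clean_ld_path() {
    rest="$1:"; out=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in /*) out=${out:+$out:}$entry ;; esac
    done
    printf '%s\n' "$out"
}

# Constructed sample with the same shape as the env_idm value (shortened).
SAMPLE='/opt/a/native_threads::$LD_LIBRARY_PATH:/opt/a/lib64:$LD_LIBRARY_PATH'
audit_ld_path "$(expand_ref "$SAMPLE" "")" || true
```

Run the audit against the expanded value for both cases, with and without an inherited LD_LIBRARY_PATH, because the unset case adds empty elements of its own.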
Issue: Designer does not save the changes made to PRDs before installing a newly created User Application driver. (Bug 1001571)
Workaround: There is no workaround at this time.
Issue: Designer fails to start after upgrading Identity Manager and Designer from 4.5 to 4.5.4. (Bug 997512)
Workaround: Change the default workspace location in the /root/designer/configuration/config.ini file from osgi.instance.area.default=@user.home/designer_workspace to another directory. For example, /opt/designer_workspace or another workspace that was not used before upgrading.
Issue: The following SAML error is logged to the catalina.out file along with a user log-out: (Bug 1005952)
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
Workaround: Ensure that the token expiry time exceeds the LDAP timeout value by performing the following actions:
Change the minimum default ism configuration value to com.novell.ldap.timeout = 600000.
Increase SAML expiry configuration value in eDirectory for the following attributes from 1000 (default value) to 1500 or more by using iManager:
authsamlValidAfter
authsamlValidBefore
Issue: When a password change is initiated on the Subscriber Channel with the SOAP driver, the password synchronization fails. This is because the engine tries to detect the password synchronization command result by checking for a status element with attribute “success”. However, the SOAP shim returns the raw XML response that needs to be translated to XDS, so no status document is found. (Bug 987605)
Workaround: There is no workaround at this time.
Issue: When a customized ECV is reconciled with the live Identity Vault, the ECV is deleted from Designer. Also, the operation deletes the ECVs from the live Identity Vault. (Bug 1011564)
Workaround: Restore the ECVs in the Identity Vault by restarting the driver. However, doing this will not restore the customization made in Designer.
Issue: Identity Manager temporarily creates the graphic files used by the Identity Manager Overview and Driver Set Dashboard plug-ins in the <iManager Install Folder>/nps/images/temp directory. (Bug 1002940)
The files created by the Driver Set Dashboard plug-in are not cleaned when you leave the plug-in or when Tomcat is stopped.
Workaround: Manually remove the files from the directory.
Issue: If you resynchronize a user in the Role and Resource Service driver, the driver checks the user attributes in the filter and synchronizes them, but it does not recalculate the roles and resources assigned to the user. (Bug 1093450)
Workaround: There is no workaround at this time.
Issue: The catalina.out file does not rotate the log on Windows. (Bug 979722)
Workaround: Perform the steps from TID 7017790.
This service pack includes enhancements and software fixes provided in the previous releases:
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
© 2016 NetIQ Corporation. All Rights Reserved.