Identity Manager 4.5 Standard Edition includes new features and enhancements, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Identity Manager Community Forums, our community Web site that also includes product notifications, blogs, and product user groups.
The documentation for this product and the latest release notes are available on the NetIQ Web site on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Identity Manager Documentation Web site.
To download this product, see the Identity Manager Product Web site.
The Identity Manager 4.5 Standard Edition includes support for the following new features:
Identity Manager 4.5 includes NetIQ Self Service Password Reset (SSPR) to help users reset their passwords without administrative intervention. In a new installation of Identity Manager 4.5, SSPR uses a proprietary protocol for managing authentication methods. When you upgrade Identity Manager to version 4.5, you can instruct SSPR to use the NetIQ Modular Authentication Services (NMAS) that Identity Manager has traditionally used for its legacy password management program.
For more information about SSPR, see the NetIQ Identity Manager Setup Guide.
To provide single sign-on access to Identity Reporting, Identity Manager uses NetIQ One SSO Provider (OSP). When a user logs in to the Reporting portal, OSP verifies the user’s credentials with the authentication server. OSP can work with more than one authentication source if the source uses the OAuth protocol, for example, the Identity Vault, Kerberos, or SAML.
For more information about OSP, see the NetIQ Identity Manager Setup Guide.
For your convenience, the Identity Manager 4.5 .iso includes an installation program for the PostgreSQL database and the Apache Tomcat application server. You must install Tomcat to provide the default framework for Identity Reporting.
For more information, see the NetIQ Identity Manager Setup Guide.
Identity Manager 4.5 includes a new feature, Out of Band Sync. The Identity Manager drivers process events in the order they occur, which guarantees that all changes required for an event to successfully process are already applied. However, there are instances when you want a certain event to take precedence over others. For example, events that involve password changes, locking an account, or disabling an account should take precedence over other events. The Identity Manager Out of Band Sync feature allows you to assign a higher priority to these events, so that they are processed before other events in the queue.
For more information about this feature, see Enabling Out of Band Sync in the NetIQ Identity Manager Common Driver Administration Guide.
Identity Manager 4.5 includes a new feature called No Reference Association for Identity Manager drivers. You can use this feature along with the legacy association for an Identity Manager driver.
Identity Manager uses associations for identifying objects to which changes can be applied and maintains this information in an eDirectory attribute named DirXML-Associations. Using associations also results in a reference check when an object is updated, which can impact performance in large deployments. To improve performance in large deployments, a new feature, No-Reference Association, has been introduced in Identity Manager. For more information, see Managing Associations between Drivers and Objects in the NetIQ Identity Manager Common Driver Administration Guide.
Every driver that is configured in Identity Manager has an associated event cache file. Events are cached in the TAO file before the driver processes them. By default, the TAO files are located in the dib directory.
Identity Manager 4.5 allows you to place the TAO files anywhere in the file system. Distributing the file I/O across multiple file systems improves the I/O throughput. Each driver can have an optional single-valued, server readable attribute DirXML-CacheLocation. The value of this attribute is an absolute path to the directory in the file system where the TAO files are created. When the engine is restarted, it looks for this attribute and the TAO files in the specified location.
For more information about relocating the event cache file, refer to Relocating the Event Cache File in the NetIQ Identity Manager Common Driver Administration Guide.
Identity Manager 4.5 provides an option to turn off the file system flush for each disk write. If you disable the flush, cache writes are not flushed to disk immediately; instead, the underlying operating system takes care of the file system writes.
For more information about the cache flush parameter, refer to The Cache Flush Parameter in the NetIQ Identity Manager Common Driver Administration Guide.
For information about the new features in NetIQ Identity Manager Designer, see the NetIQ Designer 4.5 Release Notes. There are no new features for NetIQ Identity Manager Analyzer 4.5.
For more information about NetIQ Identity Manager Analyzer, refer to the NetIQ Analyzer 4.5 Release Notes.
To streamline functionality, several items have changed or are no longer supported with Identity Manager 4.5 Standard Edition. In many cases, alternative functionality replaces the items that are no longer supported. The following sections outline the key features and functions that have changed or have been removed from the product:
The changes to the log messages that Identity Manager generates for successful and failed login/logout attempts are as follows:
| Event | Behavior |
|---|---|
| 0031700 Create Auth Token | |
| 0031701 Create Auth Token Failure | |
| 0031702 Auth Token Revoked | |
In this release, some events have been removed for Identity Reporting. Instead, OSP generates a single event for both successful and failed attempts. XDAS taxonomy then interprets the OSP event either as a successful login/logout or a SOAP call or as “other than success.”
| Event | Behavior |
|---|---|
| 003E0204 | |
| 003E0201 | |
Review your custom reports to ensure that they include the appropriate event codes. For more information about OSP, see the NetIQ Identity Manager Setup Guide.
The Identity Reporting application can be used only by the Report Administrator. When you log in to the Identity Reporting application, the OSP OAuth process takes care of authenticating the user. For more information about OSP, see the NetIQ Identity Manager Setup Guide.
Identity Manager 4.5 includes NetIQ Self Service Password Reset (SSPR) to help users reset their passwords without administrative intervention. For more information, see Self Service Password Reset as the Password Management Program.
The Identity Manager 4.5 Standard Edition provides support for the following reports:
Authentication by user
Authentication by server
Database statistics
Self-password changes
Password resets
Identity Vault Driver Associations Report Current State
Identity Vault User Report Current State
User Password Change Events Summary
For more information, see Using Identity Manager Reports.
IMPORTANT: To use the reports, import the report definitions into Identity Reporting. Log in to the Reporting application and use the Download page within the application to download the reports.
Identity Manager 4.5 Standard Edition does not include the following functionality:
User Application
This version provides alternate functionality for password management and access to Identity Reporting as discussed in Section 1.1, New Features. The other functionality that User Application provides, such as User Self-service and Org Chart, continues to be available as part of Identity Manager 4.5 Advanced Edition.
In addition to password management, SSPR provides several other features such as enabling users to view and update their profile attributes and search for their colleagues’ information. For more information, see the SSPR Administration Guide.
Identity Manager driver for Avaya PBX and RSA SecurID
Telemetry job
Ensure that you remove this predefined job before upgrading Identity Manager. For more information, see the NetIQ Identity Manager Setup Guide.
WebLogic, JBoss Enterprise Application Platform (EAP), JBoss Community Edition, WebSphere, MySQL, and DB2
This version of Identity Manager does not include support for these applications. The .iso file includes an installation program for Tomcat instead of JBoss Community Edition.
NetIQ Corporation provides the PostgreSQL and Tomcat installation as a convenience. If your company does not already provide an application server and a database server, you can install and use these components. If you need support, go to the provider of the component. NetIQ does not provide updates, administration, configuration, or tuning information for these components, beyond what is outlined in the NetIQ Identity Manager Setup Guide.
Each installation program includes an End User License Agreement. Although the installation programs support multiple languages, the license agreement is not available in the following languages:
Danish
Dutch
Russian
Swedish
Instead, the installation program displays the license agreement in English. For more information, see “Understanding Language Support” in the Identity Manager Setup Guide. (Bug 896299)
The paths provided in the Setup Guide are for the Advanced Edition. If you are installing the Standard Edition, ensure that you use the correct paths. For example, when you install the Standard Edition on Linux, the configupdate.sh file is located in the /opt/netiq/idm/apps/IdentityReporting/bin/lib directory. For the Advanced Edition, this utility is located in the installation directory for the User Application: /opt/netiq/idm/apps/UserApplication. For more information, see Section 4.1, Locating the Installation Paths.
You can install Identity Manager components on a variety of operating system platforms. For specific information about which component can be installed on which operating system, see Selecting an Operating System Platform for Identity Manager in the NetIQ Identity Manager Setup Guide. For information about prerequisites, computer requirements, installation, upgrade or migration, see Considerations and Prerequisites for Installation in the NetIQ Identity Manager Setup Guide.
Identity Manager 4.5 Standard Edition bundles the following components:
NetIQ eDirectory 8.8.8 Patch 3
NetIQ iManager 2.7.7 Patch 2
NetIQ Identity Manager Designer 4.5
NetIQ Identity Manager Analyzer 4.5
NetIQ Identity Manager Engine 4.5
NetIQ Identity Manager Remote Loader 4.5
NetIQ Identity Manager Self Service Password Reset 3.2
NetIQ Identity Manager Client Login Extension 3.8
NetIQ Identity Manager Reporting Module 4.5
For event auditing, one of the following:
NetIQ Event Auditing Service 6.1
The installation package includes Event Auditing Service.
NetIQ Sentinel 7.0 and above
This is available only for Identity Tracking. The Identity Manager installation package does not include Sentinel. You must install Sentinel separately.
NetIQ Identity Manager drivers:
Active Directory Driver 4.0.0.4
Bidirectional eDirectory Driver 4.0.1.2
Blackboard Driver 4.0.2.0
Delimited Text Driver 4.0.0.3
Drivers for Linux and UNIX
Bidirectional 4.0.2.0
FanOut Driver 4.0.2.0
Drivers for Linux and UNIX Settings 4.0.2.0 (These drivers are available in a separate .iso file.)
Drivers for Mainframe (These drivers are available in a separate .iso file.)
ACF2 Driver 4.0.2.0
RACF Driver 4.0.2.0
Top Secret Driver 4.0.2.0
Drivers for Midrange (These drivers are available in a separate .iso file.)
i5os Driver 3.6.1.5
JDBC Driver 4.0.0.2
JMS Driver 4.0.0.2
eDirectory Driver 4.5.0.0
Entitlements Service Driver 4.0.0.0
Ellucian Banner Driver 4.0.2.2
GoogleApps Driver 4.0.2.2
GroupWise Driver 3.5.4
ID Provider Driver 4.0.0.0
Identity Tracking Driver for Sentinel 4.0.0.0
LDAP Driver 4.0.0.5
Lotus Notes Driver 4.0.0.2
Manual Task Service Driver 4.0.0.0
Null and Loopback Services 4.5.0.0
Oracle E-Business Suite HR Driver 4.0.0.2
Oracle E-Business Suite TCA Driver 4.0.0.2
Oracle E-Business Suite User Management Driver 4.0.0.2
Peoplesoft 5.2 Driver 5.2.3.7
Privileged User Management (PUM) Driver 4.0.2.1
Remedy Action Request System (ARS) Driver 4.0.2.0
SalesForce Driver 4.0.0.1
SAP HR Driver 4.0.0.1
SAP Portal Driver 4.0.0.0
SAP User Management Driver 4.0.0.2 (The User Management Fan-out driver uses the same shim.)
SharePoint Driver 4.0.0.0
SOAP Driver 4.0.0.2
WorkOrder Driver 4.0.0.0
The following .iso files contain the DVD image for installing the Identity Manager components for Standard Edition:
Identity_Manager_4.5_Linux_Standard.iso
Identity_Manager_4.5_Windows_Standard.iso
To download the Identity Manager installation files:
Go to the NetIQ Downloads website.
In the Product or Technology menu, select Identity Manager, then click Search.
On the NetIQ Identity Manager Downloads page, click the Download button next to the ISO file that you want to download.
Follow the on‐screen prompts to download the file to a directory on your computer.
Either mount the downloaded .iso file as a volume, or use the .iso file to create a DVD of the software.
Table 1 lists the default installation paths for the Identity Manager components.
Table 1 Default Installation Locations
| Identity Manager Component | Linux | Windows |
|---|---|---|
| Identity Vault (eDirectory) | /opt/novell/eDirectory | C:\Novell\NDS |
| iManager | /opt/novell/iManager/ | C:\Program Files (x86)\Novell |
| Identity Manager Engine | /opt/netiq | C:\netiq |
| Event Auditing Service (EAS) | /opt/novell/sentinel_eas | EAS installation is not supported on Windows |
| Tomcat (supported application server) | /opt/netiq/idm/apps/tomcat | C:\netiq\idm\apps\tomcat |
| Single Sign-on (One SSO) and Self Service Password Reset (SSPR) | /opt/netiq/idm/apps/osp_sspr | C:\netiq\idm\apps\osp_sspr |
| Identity Reporting | /opt/netiq/idm/apps/IdentityReporting | C:\netiq\idm\apps\IdentityReporting |
| Designer | /root/designer | C:\netiq\idm\apps\Designer |
| Analyzer | /root/analyzer | C:\netiq\idm\apps\Analyzer |
The following considerations apply when you install this version:
NetIQ does not support the integrated installation process for installing Identity Manager 4.5 Standard Edition.
To perform a standalone component installation, install the components in the following order:
eDirectory
iManager
Identity Manager Engine
Designer
Analyzer
Event Auditing Service (EAS)
Tomcat (supported application server)
Single Sign-on and Password Management Components (OSP and SSPR)
Identity Reporting
For information about which component can be installed on which operating system, see Selecting an Operating System Platform for Identity Manager in the NetIQ Identity Manager Setup Guide.
You can install the components interactively or silently. For more information about the guidelines for installing the Identity Manager components, see Installing Identity Manager 4.5 Standard Edition in the NetIQ Identity Manager Standard Edition Quick Start Guide. The detailed instructions for installing the components are included in the NetIQ Identity Manager Setup Guide.
NetIQ supports Identity Reporting installation only on Tomcat. Other application servers are not supported in this version.
Ensure that the container where the reportAdmin role resides does not include any object with the same name.
You can upgrade to Identity Manager 4.5 Standard Edition from Identity Manager 4.0.2 Standard Edition or perform a new installation. You can also upgrade from Identity Manager 4.5 Standard Edition to Identity Manager 4.5 Advanced Edition.
For more information, see Upgrading Identity Manager in the NetIQ Identity Manager Standard Edition Quick Start Guide. To download the installation kits, see the NetIQ Downloads Web site.
The following considerations apply when you upgrade from a previous version of Identity Manager Standard Edition.
When upgrading Identity Manager 4.0.2 Standard Edition to Identity Manager 4.5 Standard Edition on SLES 11 SP3, migrate the Identity Reporting application server from WebSphere to Tomcat.
When upgrading Identity Manager 4.0.2 Standard Edition to Identity Manager 4.5 Standard Edition on Windows 2012 R2, migrate the Identity Reporting application server from JBoss to Tomcat (where the Identity Manager 4.0.2 engine is installed on a Windows 2012 R2 server).
When upgrading Identity Manager 4.5 Standard Edition to Identity Manager 4.5 Advanced Edition on SLES 11 SP3, migrate the Identity Reporting application server from Tomcat to WebSphere.
After upgrading to this version, ensure that you perform the actions listed in the following sections:
The upgrade process leaves some .rpm files on the server where you upgrade the Identity Manager engine and Remote Loader. NetIQ Corporation recommends that you remove the unrequired files.
Linux:
novell-DXMLRSA-4.0.1-20120224
novell-DXMLavpbx-3.5.4-20120601
novell-DXMLnxdrv-4.0-0
novell-DXMLnxpam-4.0-0
novell-DXMLremedy-1.0.0.4-1
novell-DXMLremedy71-1.0.0.3-1
novell-DXMLsentl-3.6.1-20090721
Windows (32-bit .NET Remote Loader):
dhutilj.dll
dxevent.dll
dxldap.dll
jntls.dll
novlactj.dll
NetIQ strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Relogin to SSPR Fails when It Is Installed with Identity Manager 4.5 Standard Edition and OSP
Cannot Specify Installation Paths on Windows that Include Spaces
Error Occurs when Installing Event Auditing Service on a Linux Server Set to Dutch
Installation Programs Provide Examples for Linux Instead of Windows
Navigation Panel Is Truncated in Identity Reporting Installer
A Pop-up Window Is Displayed during Framework Silent Installation
Issue: If you download SSPR 3.2 and configure it to work with OSP, OSP generates an SSPR 5071 error code when you try to directly access an SSPR application. (Bug 916183)
Workaround: To access the application, shorten the URL back to the application you want to access. For example, http://localhost:<port>/sspr
Issue: If you attempt to log in again after logging out of SSPR, the login fails. (Bug 916849)
Workaround: Close the browser and relaunch SSPR by using http://server:port/sspr.
Issue: The ConfigUpdate utility displays parameters for the Advanced Edition components, such as RBPM, Catalog Administrator, and Home and Provisioning Dashboard. This does not allow you to submit the changes made in the configuration tool. (Bug 917589)
Workaround: To display the correct information in the configuration tool, perform the following actions. This workaround uses the default installation paths created by the Identity Manager component installers on Linux.
Copy the ldapconfig_support.jar file from the /opt/netiq/idm/apps/IdentityReporting/bin/lib directory to the /opt/netiq/idm/apps/osp_sspr/bin/lib directory.
In the configupdate.sh.properties file located in the /opt/netiq/idm/apps/osp_sspr/bin/ directory, set is_prov to false.
Launch the ConfigUpdate utility.
The standalone installation programs for Identity Manager might not place the installation files in the specified location if the path contains spaces. Ensure that the specified path does not contain any spaces. (Bug 620797)
Issue: If you run the OSP SSPR installation program and choose to install only SSPR, the installer places the ConfigUpdate utility and a few other files and folders in the OSP installation directory. For example, /opt/netiq/idm/apps/osp. (Bug 901293)
Workaround: Ignore the ConfigUpdate utility in the OSP installation directory because SSPR does not use it.
Issue: The Event Auditing Service standalone installation program reports errors on a Linux server with the locale set to Dutch. (Bug 896927)
Workaround: Change the following settings for locale:
LANG=
LC_ALL=
Do not include a value after the equal sign (=). This modification sets the type to POSIX instead of UTF-8 encoding.
Issue: During uninstallation, the program displays the message, "InstallAnywhere is preparing to install...", while the program is actually uninstalling.
Workaround: There is no workaround at this time.
Issue: The installation programs provide examples for most settings that you are required to specify. Some of the examples might be for a Linux platform, even when you install on a Windows server. Ensure that you specify values that work for Windows. (Bug 896265)
Workaround: There is no workaround at this time.
Issue: In some languages, the navigation panel that appears on the left-side of the installer for Identity Reporting appears truncated. You might not be able to see all of the Navigation panel names in the installer. (Bug 899888)
Workaround: You can safely ignore the truncated navigation panel and continue with the installation.
Issue: The Identity Manager Framework silent installation program displays a pop-up window while installing the platform agent components. (Bug 900781)
Workaround: This does not cause any impact on the installation.
Issue: Although you can install both a 32-bit and a 64-bit Remote Loader on the same computer, the lcache files for these versions cannot work concurrently. The audit events are logged to the lcache file for the version that you installed first. The log file for the other version displays the message: Agent already running error. (Bug 676310)
Workaround: Do not install both versions on the same computer.
Issue: When a 32-bit Remote Loader 4.0.2 is upgraded to a 64-bit Remote Loader 4.5, the upgrade process does not clean the following 32-bit 4.0.2 packages:
novell-DXMLbase-4.0.0-20100929
novell-DXMLedir-4.0.0-20100929
novell-DXMLgw-3.5.3-20100405
novell-DXMLrdxml-4.0.0-20100929
novell-edirectory-expat-32bit-8.8.6-8
novell-edirectory-xdaslog-32bit-8.8.6-8
novell-NOVLjvml-4.0.0-20100929
Workaround: There is no workaround at this time.
Issue: On Windows, the installer installs the Remote Loader in the c:\novell directory. This issue causes the driver shim to fail. (Bug 908466)
Workaround: In the Remote Loader console, manually change the default installation path of the Remote Loader from c:\novell to c:\netiq.
You might encounter the following issues when you use the Identity Manager drivers:
Cannot Configure the Role-Based Entitlements Driver on Identity Manager with eDirectory 8.8 SP8
InitiatorUserDomain Is Set Incorrectly for Identity Manager Events
TAO Files Are Generated on the Cloned Server when Dibclone Is Used
Statistics Report Shows Zero for Role and License Values for an Office 365 Driver
Issue: The Permission Collection and Reconciliation Service (PCRS) functionality is not supported in the Standard Edition. This issue might occur in Standard Edition when PCRS is enabled. When there is a change in an event in the Publisher channel, it causes a change in one or more permission attributes defined in the custom entitlements (.csv file). The driver keeps checking for the creation of the resources and loops endlessly. (Bug 907031)
Workaround: Disable PCRS.
Issue: You cannot create an entitlement policy in Identity Manager with eDirectory 8.8 SP8. (Bug 847632)
Workaround: Go to LDAP Server > Connections > LDAP Interfaces and change the existing values of the port to ldap://IP:389 and ldaps://IP:636. Note that IP is appended to the existing port values.
Issue: Identity tracking does not work properly if InitiatorUserDomain is not set correctly. (Bug 819675)
Workaround: To ensure that identity tracking works correctly, do the following:
For eDirectory drivers: Ensure that the Sentinel driver is installed on both Identity Manager servers.
For Bidirectional eDirectory drivers: Use NOVLEDIR2ATR_2.2.0 or higher version for identity tracking.
Issue: When the Dibclone utility is used on an Identity Manager server to clone another server, unnecessary TAO files are generated on the cloned server. (Bug 876418)
Workaround: Do not use the Dibclone utility on an Identity Manager server.
Issue: The Statistics report for the Office 365 driver shows zero for Role and License values in the Assigned Entitlements Per Type section because of a limitation in the Office 365 driver. (Bug 893248)
Workaround: There is no workaround at this time.
Issue: A conflict in the javax.servlet.http.HttpServletRequest class in the j2eevalidate.jar file affects links in emails for the Manual Task driver. (Bug 897240)
Workaround: Remove j2eevalidate.jar from the classpath if you do not require the User Application driver. Before removing it, ensure that the Manual Task driver and the User Application driver are not running on the same computer.
Issue: If you change the width of the Windows command prompt window from the default value, the SharePoint driver instance might fail to start and it does not record any trace information. (Bug 854488)
Workaround: Reset the width of the Windows command prompt window to the default value of 80.
You might encounter the following issues when you use Identity Reporting:
Cannot Navigate to Today in the Calendar when the Display Option Is Set to 1 Week
Installing Identity Reporting Might Overwrite the logevent.conf File
Identity Reporting Does Not Convert a Valid Certificate when You Add an Application
Downloading an RPZ File with Internet Explorer Might Change the File Extension to ZIP
Internet Explorer Displays a Warning when Accessing Identity Reporting in HTTPS
Identity Reporting Leaves Entries in .xml Files for Tomcat after Uninstalling
Console Mode Does Not Report a Successful Connection to the Database
Issue: In Firefox, if the Display Options on the Calendar page are set to show 1 week, clicking Today displays a day one week ahead of today. This issue does not occur in Internet Explorer. (Bug 635107)
Workaround: To see today’s schedule in the Calendar page, press the up-arrow to go back one week.
Issue: The Identity Reporting installation program overwrites logevent.conf without prompting under the following circumstances:
A logevent.conf file already exists in the /etc/ directory.
EAS is installed on the same computer.
During the reporting installation, you replace the value of localhost and enter the computer’s actual IP address for the EAS server.
(Bug 642093)
Workaround: After the installation is complete, manually update the /etc/logevent.conf file.
Issue: If EAS is remotely installed and you want to test the connection to EAS during the Identity Reporting installation, the parent directory of your chosen installation directory must exist before you run the installation. Without an existing parent directory, the installation directory cannot be created in order to write the JDBC JAR file used for testing the connection. For example, if you are installing the Identity Reporting Module to /opt/novell/IdentityReporting, ensure that the /opt/novell directory exists before beginning the installation. (Bug 642331)
Workaround: Before running the installation, ensure that the parent directory of your chosen installation directory is present.
Issue: When you add an application in Identity Reporting that runs on IBM WebSphere, you might notice that a valid certificate is not properly converted. The following sequence of events might cause this problem to occur:
Log in to Identity Reporting with valid credentials.
On the Applications page, click Add Application and specify values for all mandatory fields.
To browse for the certificate, SSL and then click Test.
The certificate does not get converted. This issue occurs when you install Identity Reporting on an IBM WebSphere application server. (Bug 677645)
Workaround: Copy and paste the content of the certificate into the text area on the form.
Issue: You cannot change the frequency (for example, from week to month) of a schedule. (Bug 677430)
Workaround: To change the frequency, delete the schedule and create a new one.
Issue: When you access Identity Reporting in an Internet Explorer browser and download an .rpz file, the file extension might change from .rpz to .zip.
This issue does not occur with Firefox. (Bug 677436)
Workaround: There is no workaround needed because the file extension change does not cause any issues. The Reporting Module correctly handles the upload and import of the reports with the .zip file extension.
Issue: If you use Internet Explorer in HTTPS to access Identity Reporting, the browser displays the following message:
Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.
If you select Yes, the browser does not display the login screen for Identity Reporting. This issue occurs because the download site for the new reports supports the HTTP protocol only. The link to that site is constructed if you use http://. This issue does not occur with Firefox. (Bug 685490)
Workaround: Select No.
Issue: When you uninstall Identity Reporting on Tomcat, the process leaves some entries in the Tomcat server.xml and context.xml files. You cannot reinstall Identity Reporting because the files contain duplicate entries for the connection pools. The entries might also expect different passwords than the ones that you specify in the second installation. (Bug 897505)
Workaround: After uninstalling Identity Reporting, manually remove the entries from the server.xml and context.xml files.
In the server.xml file, remove entries that resemble the following entries:
<Resource auth="Container" driverClassName="org.postgresql.Driver" factory="com.netiq.iac.jdbc.pool.IacCustomDataSourceFactory" initialSize="10" maxActive="50" maxIdle="10" maxWait="30000" minIdle="10" name="shared/IDMRPTDataSource" password="" testOnBorrow="true" type="javax.sql.DataSource" url="jdbc:postgresql://localhost:15432/SIEM" username="idmrptsrv" validationInterval="120000" validationQuery="SELECT 1"/>
<Resource auth="Container" driverClassName="org.postgresql.Driver" factory="com.netiq.iac.jdbc.pool.IacCustomDataSourceFactory" initialSize="10" maxActive="50" maxIdle="10" maxWait="30000" minIdle="10" name="shared/IDMRPTCfgDataSource" password="" testOnBorrow="true" type="javax.sql.DataSource" url="jdbc:postgresql://localhost:15432/SIEM" username="idmrptuser" validationInterval="120000" validationQuery="SELECT 1"/>
In the context.xml file, remove entries that resemble the following entries:
<ResourceLink global="shared/IDMRPTCfgDataSource" name="jdbc/IDMRPTCfgDataSource" type="javax.sql.DataSource"/>
<ResourceLink global="shared/IDMRPTDataSource" name="jdbc/IDMRPTDataSource" type="javax.sql.DataSource"/>
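As an added example (not NetIQ's code and not part of the original release notes), the following Python script locates and strips the leftover entries described in this workaround. It assumes the leftovers carry the two global names shown in the sample entries above; the sample XML embedded in it is constructed for illustration.

```python
"""Find and strip leftover Identity Reporting entries from Tomcat XML files."""
import sys
import xml.etree.ElementTree as ET

# Global JNDI names taken from the sample entries in the release notes.
LEFTOVER_GLOBALS = {"shared/IDMRPTDataSource", "shared/IDMRPTCfgDataSource"}

# Constructed sample of a server.xml after uninstalling Identity Reporting.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- Tomcat's own user database, must survive the cleanup -->
    <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase"/>
    <Resource auth="Container" driverClassName="org.postgresql.Driver" name="shared/IDMRPTDataSource" password="" type="javax.sql.DataSource" url="jdbc:postgresql://localhost:15432/SIEM" username="idmrptsrv"/>
    <Resource auth="Container" driverClassName="org.postgresql.Driver" name="shared/IDMRPTCfgDataSource" password="constructed-stale-value" type="javax.sql.DataSource" url="jdbc:postgresql://localhost:15432/SIEM" username="idmrptuser"/>
  </GlobalNamingResources>
</Server>"""

# Constructed sample of a context.xml after uninstalling Identity Reporting.
SAMPLE_CONTEXT_XML = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <ResourceLink global="shared/IDMRPTCfgDataSource" name="jdbc/IDMRPTCfgDataSource" type="javax.sql.DataSource"/>
  <ResourceLink global="shared/IDMRPTDataSource" name="jdbc/IDMRPTDataSource" type="javax.sql.DataSource"/>
</Context>"""


def _parse(xml_text):
    # insert_comments keeps comments inside the root element (Python 3.8+).
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _is_leftover(elem):
    # <Resource> is keyed by its name, <ResourceLink> by the global it points to.
    if elem.tag == "Resource":
        return elem.get("name") in LEFTOVER_GLOBALS
    if elem.tag == "ResourceLink":
        return elem.get("global") in LEFTOVER_GLOBALS
    return False


def find_leftovers(xml_text):
    """Return one dict per leftover entry; the password value is never copied."""
    found = []
    for elem in _parse(xml_text).iter():
        if _is_leftover(elem):
            key = "name" if elem.tag == "Resource" else "global"
            found.append({
                "tag": elem.tag,
                "jndi": elem.get(key),
                "username": elem.get("username"),
                "password_set": bool(elem.get("password")),
            })
    return found


def remove_leftovers(xml_text):
    """Return (cleaned_xml, removed_count); unrelated entries are untouched."""
    root = _parse(xml_text)
    # Collect first, then remove, so the tree is not modified while iterating.
    doomed = [(parent, child) for parent in root.iter() for child in parent
              if _is_leftover(child)]
    for parent, child in doomed:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(doomed)


def main(paths):
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        for hit in find_leftovers(text):
            print(f"{path}: {hit}")
        cleaned, count = remove_leftovers(text)
        if count:
            # Written beside the original for review with diff; the original
            # file is not overwritten. The XML declaration and any comment
            # placed before the root element are not carried into this copy.
            with open(path + ".cleaned", "w", encoding="utf-8") as fh:
                fh.write(cleaned)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with the paths to the Tomcat server.xml and context.xml files as arguments, then compare each `.cleaned` copy against the original before replacing it.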
Issue: When you install Identity Reporting, you can test the settings that you specify for the database. However, if you use the console mode for installation, the process does not report a successful connection. The process does report an error if the test connection fails. (Bug 899383)
Workaround: There is no workaround at this time.
You might encounter the following issues as you use iManager:
Issue: iManager needs the NDS-to-NDS Driver Certificates Wizard for proper functioning.
Workaround: To use the NDS-to-NDS Driver Certificates Wizard, download and install the iManager plug-in for NetIQ Certificate Server.
Issue: The certificate created during Identity Manager installation is invalid with Firefox 31. (Bug 896637)
Workaround: Change the Keytool self-signed certificate to an OpenSSL self-signed certificate in iManager.
Generate a private key for the host by running the following command:
# openssl genrsa -out HOSTNAME-private.pem 2048
Set HOSTNAME to the appropriate server name.
Use OpenSSL to derive the public key by running the following command:
# openssl rsa -in HOSTNAME-private.pem -pubout > HOSTNAME-public.pem
Create a self-signed x509 certificate by running the following command:
# openssl req -new -x509 -key HOSTNAME-private.pem -out HOSTNAME-certificate.pem -days 365
Convert the self-signed x509 certificate to the PKCS12 format by running the following command:
# openssl pkcs12 -export -inkey HOSTNAME-private.pem -in HOSTNAME-certificate.pem -out HOSTNAME-certificate.p12 -name "iManager"
Enter the export password, when prompted.
Enter the export password again, when prompted for verifying.
IMPORTANT: You must remember this password, because it is required later.
Copy the file to /var/opt/novell/novlwww by running the following command:
# cp HOSTNAME-certificate.p12 /var/opt/novell/novlwww
Stop Tomcat by running the following command:
# /etc/init.d/novell-tomcat5 stop
Edit the Tomcat configuration file, server.xml, from the /etc/opt/novell/tomcat<5,6,7> location.
Replace:
<!-- Define a SSL HTTP/1.1 Connector on port --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" maxHttpHeaderSize="8192" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1.2"/>
with:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" maxHttpHeaderSize="8192" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/var/opt/novell/novlwww/HOSTNAME-certificate.p12" keystorePass="<password from command in Step 4>" keystoreType="PKCS12"/>
NOTE: You must specify the entire path when the keystore type is changed to PKCS12, because Tomcat no longer points to the default Tomcat home path.
Change the PKCS12 file ownership to novlwww and permissions to user=rw, group=rx, and others=r by running the following commands:
# chown novlwww:novlwww /var/opt/novell/novlwww/HOSTNAME-certificate.p12
# chmod 654 /var/opt/novell/novlwww/HOSTNAME-certificate.p12
Remove the existing keytool self-signed certificate by running the following command:
# mv /var/opt/novell/novlwww/.keystore /var/opt/novell/novlwww/orig.keystore
Restart Tomcat by running the following command:
# /etc/init.d/novell-tomcat<5,6,7> start
Open a Web browser and launch iManager.
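The following script is an added example, not part of the NetIQ release notes. It checks the files produced by the OpenSSL steps above: that the certificate matches the private key, that it is not close to expiry, that the PKCS12 file opens with the export password, and whether the key material is world-readable. The function names and the P12_PASS environment variable are assumptions of this example; it expects to run in the directory that holds the HOSTNAME-*.pem files.

```shell
#!/bin/sh
# Added example: checks for the files produced by the OpenSSL steps above.
# Function names and the P12_PASS variable are assumptions of this example.

# True when the certificate carries the public key derived from the private key.
cert_matches_key() {  # usage: cert_matches_key CERT.pem PRIVATE.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is still valid DAYS from now. The procedure
# issues it with -days 365, so it has to be regenerated every year.
cert_valid_for_days() {  # usage: cert_valid_for_days CERT.pem DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True when the PKCS12 file opens with the export password stored in the
# environment variable named by $2 (keeps the password out of the process list).
p12_opens() {  # usage: p12_opens FILE.p12 ENV_VAR_NAME
    openssl pkcs12 -in "$1" -noout -passin "env:$2" >/dev/null 2>&1
}

# True when accounts other than the owner and group can read the file.
# Mode 654 from the chmod step sets that bit on the keystore.
world_readable() {  # usage: world_readable FILE
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Runs every check for HOSTNAME-*.pem in the current directory and the
# deployed keystore. Returns non-zero if any FAIL line was printed.
check_keystore() {  # usage: check_keystore HOSTNAME [P12_FILE]
    h=$1; p12=${2:-$h-certificate.p12}; rc=0
    cert_matches_key "$h-certificate.pem" "$h-private.pem" ||
        { echo "FAIL: certificate and private key do not match"; rc=1; }
    cert_valid_for_days "$h-certificate.pem" 30 ||
        { echo "FAIL: certificate expires within 30 days"; rc=1; }
    p12_opens "$p12" P12_PASS ||
        { echo "FAIL: $p12 does not open with \$P12_PASS"; rc=1; }
    for f in "$h-private.pem" "$p12"; do
        if world_readable "$f"; then echo "NOTE: $f is world-readable"; fi
    done
    return "$rc"
}

if [ "$#" -ge 1 ]; then check_keystore "$@"; fi
```

Export P12_PASS with the export password before calling check_keystore, and pass the deployed keystore path as the second argument to check the copy under /var/opt/novell/novlwww.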
Issue: iManager does not send audit events to EAS even though a connection exists between EAS and iManager. (Bug 900283)
Workaround: Uncomment the following line from the /var/opt/novell/iManager/nps/WEB-INF/imanager_logging.xml file, and then restart Tomcat.
<appender-ref ref="NAUDIT_APPENDER"/>
Issue: Identity Manager is not successfully installed on RHEL 6.5 because of the absence of some dependent libraries. (Bug 693334)
Workaround: Ensure that you install the dependent libraries before starting the Identity Manager installer on RHEL 6.5:
For GUI Install: Manually install the dependent libraries.
For a 64-bit RHEL: Install the following libraries in the same order:
libXau-1.0.6-4.el6.i686.rpm
libxcb-1.8.1-1.el6.i686.rpm
libX11-1.5.0-4.el6.i686.rpm
libXext-1.3.1-2.el6.i686.rpm
libXi-1.6.1-3.el6.i686.rpm
libXtst-1.2.1-2.el6.i686.rpm
glibc-2.12-1.132.el6.i686.rpm
libstdc++-4.4.7-4.el6.i686.rpm
libgcc-4.4.7-4.el6.x86_64.rpm
compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
libXrender-0.9.7-2.el6.i686.rpm
For a 32-bit RHEL: Install the following library:
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
For Package Install on RHEL 6.x: Manually set up a repository for the installation media.
(Conditional) If you are copying the ISO to the server, run the following command:
# mount -o loop <path to iso> /mnt/rhes65
(Conditional) If you are copying to a CD or a DVD, and to the server, run the following command:
# mount /dev/cdrom /mnt/rhes65
(Conditional) If you have mounted the ISO, create a repository file in the /etc/yum.repos.d location and perform the following configuration steps:
# vi /etc/yum.repos.d/rhes.repo
[redhat-enterprise]
name=RedHat Enterprise $releasever - $basearch
baseurl=file:///mnt/rhes65/
enabled=1
(Optional) If you are using an installation server, configure the following in vi /etc/yum.repos.d/rhes.repo:
[redhat-enterprise]
name=RedHat Enterprise $releasever - $basearch
baseurl=<url to the installation source>
enabled=1
Run the following commands after setting up the repository:
# yum clean all
# yum repolist
# yum makecache
To install the 32-bit packages, change “exactarch=1” to “exactarch=0” in the /etc/yum.conf file.
Import the GPG key by using the rpm --import <path or URL to RPM-GPG-KEY-redhat-release> command:
# rpm --import /mnt/rhes65/RPM-GPG-KEY-redhat-release
or
# rpm --import http://<url>/RPM-GPG-KEY-redhat-release
(Optional) To install the required packages for Identity Manager 4.x, execute the following script:
#!/bin/bash
PKGS="libXau.i686 libxcb.i686 libX11.i686 libXext.i686 libXi.i686 libXtst.i686 glibc.i686 libstdc++.i686 libgcc.i686 compat-libstdc++-33.i686 compat-libstdc++-33.x86_64"
for PKG in $PKGS ; do
  yum -y install "$PKG"
done
NOTE: The script cannot locate the compat-libstdc++-33.x86_64 library in the 32-bit repository unless you have modified the 64-bit repository and installed the RPM separately.
For Non-GUI Install: Manually install the dependent libraries.
For a 64-bit RHEL: Install the following libraries in the same order:
glibc-2.12-1.7.el6.i686.rpm
libstdc++-4.4.4-13.el6.i686.rpm
libgcc-4.4.4-13.el6.i686.rpm
compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
For a 32-bit RHEL: Install the following library:
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
NOTE: Ensure that the unzip rpm is installed before installing Identity Manager. This applies to all Linux platforms.
Issue: The upgrade process does not remove the jersey-bundle-1.1.5.1.jar file and the jersey-bundle-1.18.jar file from the C:\Novell\NDS\lib\ location. This results in an exception in the eDirectory trace. (Bug 916174)
Workaround: On a successful upgrade, remove the jersey-bundle-1.1.5.1.jar file from the C:\Novell\NDS\lib\ location and restart eDirectory.
Issue: The upgrade program downgrades the versions of the RPMs listed in the following table. (Bug 908539)
Versions Before Upgrade | Versions After Upgrade |
---|---|
novell-DXMLRsrcProv-4.5.1-0 | novell-DXMLRsrcProv-4.5.0-0 |
novell-DXMLsch-4.5.0.0-20141114 | novell-DXMLsch-4.5.0.0-20140930 |
Workaround: There is no workaround at this time.
Issue: The upgrade program replaces the old JRE folder but deletes all custom certificates from it. For example, the certificates are placed in the /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts directory on 64-bit Linux platforms. (Bug 794590)
Workaround: Complete the following steps:
Save the CA certificates in a custom location.
Upgrade Identity Manager 4.0.2 to 4.5.
Copy the certificates back to the JRE directory depending on your platform.
After the upgrade, verify the JRE version is 1.7.0_65.
Issue: When you install selected drivers by using the Customize the Selected Components option in non-English locales, installation fails. (Bug 926490)
Workaround: Perform any one of the following actions:
Select English as language for installing Identity Manager instead of non-English languages.
On Windows, copy the necessary jar files from the installation media to the Identity Manager installation folder. On Linux, browse to products/IDM/linux/setup/packages in the installation media and run the following command:
New installation: rpm -ivf <file name>
Upgrade: rpm -Uvf <file name>
Issue: If you select Brazilian Portuguese, Danish, Dutch, English, French, German, Italian, Swedish, Spanish, or Russian as your choice of language for installing Identity Manager, the installer displays corrupt characters during installation.
If you select English, the installer contains a corrupt character on the Select Language page of the installation program. However, the characters display correctly for the Asian languages when the installer is run on Asian Windows. (Bug 672070)
Workaround: For the characters to display correctly, ensure that you change the default font of your Windows computer to Lucida Console by using the following steps before installing Identity Manager:
Go to Start > Run > Regedit > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage and change the value of OEMCP from 850 to 1252.
For Russian, change the value of OEMCP from 866 to 1251 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage directory.
Go to Start > Run and type cmd in the Open text box, then click Enter to launch the command prompt.
Right-click the title bar of the Command Prompt window to open the pop-up menu.
Scroll down in the pop-up menu and select the Defaults option to open the Console Windows Properties dialog box.
Click the Font tab and change the default font from Raster to Lucida Console (TrueType).
Click OK.
Restart the computer.
Issue: A Microsoft Visual C++ 2005 Redistributable error message displays when Identity Manager is installed on Russian Windows 2008 SP2. When you click OK in the error message, the installation completes successfully. (Bug 750992)
Workaround: To avoid this error, visit the Microsoft support site and run the steps specified in the Let me fix it myself section of the online page.
Issue: When you upgrade to Identity Manager 4.5 from Identity Manager 4.0.2, the old RPM files for some drivers still exist. You must manually remove them. (Bug 888108)
Workaround: Manually remove the files listed in Table 2:
Table 2 Drivers and the RPM Files that Must be Removed
Drivers | Linux | Windows |
---|---|---|
RSA | | |
Remedy | | |
Avaya | | |
Issue: Sometimes Identity Reporting does not automatically reconnect to the EAS server. (Bug 900258)
Workaround: Stop the application server where you deployed Identity Reporting and then start it again.
Issue: A Stack Overflow message is displayed if you enter a wrong password on the SSPR Web page when you start SSPR (Self Service Password Reset) using Client Login Extension.
Workaround: Click OK and continue working. It is safe to ignore the message. (Bug 833663)
Issue: On Windows, the jar files from the lib directory are not removed. (Bug 643077)
Workaround: Manually remove the jar files from the lib directory.
Issue: The uninstallation log files are created in the temp directory. (Bug 613225)
Workaround: There is no functionality loss. You can ignore the issue.
Issue: After upgrading the Identity Manager engine to version 4.5, if you run the uninstallation program from the Control Panel, it successfully removes the necessary Identity Manager files except a specific registry key that leads to the Identity Manager entry being displayed in the Control Panel even after running the uninstallation. (Bug 901219)
Workaround: Delete the registry key from the following registry path when you run the uninstallation:
For 32-bit computers: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Identity Manager
For 64-bit computers: \HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Identity Manager
© 2015 NetIQ Corporation. All Rights Reserved.
For information about NetIQ trademarks, see http://www.netiq.com/company/legal/.