NetIQ Identity Manager 4.5 Standard Edition Release Notes

February 2015

Identity Manager 4.5 Standard Edition includes new features and enhancements, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Identity Manager Community Forums, our community Web site that also includes product notifications, blogs, and product user groups.

The documentation for this product and the latest release notes are available on the NetIQ Web site on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Identity Manager Documentation Web site.

To download this product, see the Identity Manager Product Web site.

1.0 What’s New and Changed?

1.1 New Features

The Identity Manager 4.5 Standard Edition includes support for the following new features:

Self Service Password Reset as the Password Management Program

Identity Manager 4.5 includes NetIQ Self Service Password Reset (SSPR) to help users reset their passwords without administrative intervention. In a new installation of Identity Manager 4.5, SSPR uses a proprietary protocol for managing authentication methods. When you upgrade Identity Manager to version 4.5, you can instruct SSPR to use the NetIQ Modular Authentication Services (NMAS) that Identity Manager has traditionally used for its legacy password management program.

For more information about SSPR, see the NetIQ Identity Manager Setup Guide.

Single Sign-on Access with One SSO Provider Support for REST APIs and Identity Reporting

To provide single sign-on access to Identity Reporting, Identity Manager uses NetIQ One SSO Provider (OSP). When a user logs in to the Reporting portal, OSP verifies the user’s credentials with the authentication server. OSP can work with more than one authentication source if the source uses the OAuth protocol, for example, the Identity Vault, Kerberos, or SAML.

For more information about OSP, see the NetIQ Identity Manager Setup Guide.

Apache Tomcat Support for Reporting

For your convenience, the Identity Manager 4.5 .iso includes an installation program for the PostgreSQL database and the Apache Tomcat application server. You must install Tomcat to provide the default framework for Identity Reporting.

For more information, see the NetIQ Identity Manager Setup Guide.

Identity Manager Engine Enhancements

Out of Band Sync

Identity Manager 4.5 includes a new feature, Out of Band Sync. The Identity Manager drivers process events in the order they occur, which guarantees that all changes required for an event to successfully process are already applied. However, there are instances when you want a certain event to take precedence over others. For example, events that involve password changes, locking an account, or disabling an account should take precedence over other events. The Identity Manager Out of Band Sync feature allows you to assign a higher priority to these events, so that they are processed before other events in the queue.

For more information about this feature, see Enabling Out of Band Sync in the NetIQ Identity Manager Common Driver Administration Guide.

No Reference Association for Drivers

Identity Manager 4.5 includes a new feature called No Reference Association for Identity Manager drivers. You can use this feature along with the legacy association for an Identity Manager driver.

Identity Manager uses associations for identifying objects to which changes can be applied and maintains this information in an eDirectory attribute named DirXML-Associations. Using associations also results in a reference check when an object is updated, which can impact performance in large deployments. To improve performance in large deployments, a new feature, No-Reference Association, has been introduced in Identity Manager. For more information, see Managing Associations between Drivers and Objects in the NetIQ Identity Manager Common Driver Administration Guide.

Relocating the Event Cache File

Every driver that is configured in Identity Manager has an associated event cache file. Events are cached in the TAO file before the driver processes them. By default, the TAO files are located in the dib directory.

Identity Manager 4.5 allows you to place the TAO files anywhere in the file system. Distributing the file I/O across multiple file systems improves the I/O throughput. Each driver can have an optional single-valued, server readable attribute DirXML-CacheLocation. The value of this attribute is an absolute path to the directory in the file system where the TAO files are created. When the engine is restarted, it looks for this attribute and the TAO files in the specified location.

For more information about relocating the event cache file, refer to Relocating the Event Cache File in the NetIQ Identity Manager Common Driver Administration Guide.

The Cache Flush Parameter

Identity Manager 4.5 provides an option to turn off the file system flush for each disk write. If you disable cache writes, they are not flushed immediately and instead, the underlying operating system takes care of the file system writes.

For more information about the cache flush parameter, refer to The Cache Flush Parameter in the NetIQ Identity Manager Common Driver Administration Guide.

For information about the new features in NetIQ Identity Manager Designer, see the NetIQ Designer 4.5 Release Notes. There are no new features for NetIQ Identity Manager Analyzer 4.5.

For more information about NetIQ Identity Manager Analyzer, refer to the NetIQ Analyzer 4.5 Release Notes.

1.2 What’s Changed?

To streamline functionality, several items have changed or are no longer supported with Identity Manager 4.5 Standard Edition. In many cases, alternative functionality replaces the items that are no longer supported. The following sections outline the key features and functions that have changed or have been removed from the product:

Some Log Events Have Changed

The changes to the log messages that Identity Manager generates for successful and failed login/logout attempts are as follows:

Event behavior before this release

Event | Behavior
0031700 Create Auth Token | Successful login to Identity Reporting
0031701 Create Auth Token Failure | Failed login attempt to Identity Reporting
0031702 Auth Token Revoked | Successful logout of Identity Reporting

Event behavior with this release

In this release, some events have been removed for Identity Reporting. Instead, OSP generates a single event for both successful and failed attempts. XDAS taxonomy then interprets the OSP event either as a successful login/logout or a SOAP call or as “other than success.”

Event | Behavior
003E0204 | OSP event for successful or failed login to the Identity Reporting; OSP event for successful or failed SOAP call login to the Identity Reporting
003E0201 | OSP event for successful or failed logout from the Identity Reporting; OSP event for successful or failed SOAP call logout of the Identity Reporting

Review your custom reports to ensure that they include the appropriate event codes. For more information about OSP, see the NetIQ Identity Manager Setup Guide.
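
One way to carry out the review of custom reports for the event-code change described above, as an added example (not NetIQ code and not part of the original release notes). It assumes the report queries have been exported as text files into one directory; the sample queries and their column names are constructed.

```shell
#!/bin/sh
# Added example: find report definitions that still reference the pre-4.5
# Identity Reporting authentication event IDs.

LEGACY_IDS='0031700|0031701|0031702'

# Replacement per the two event tables in the release notes. Because OSP emits
# one event for both outcomes, a report that used to key on a dedicated
# success or failure ID must now also filter on the event outcome.
replacement_for() {
    case "$1" in
        0031700) echo "003E0204 + outcome: success" ;;
        0031701) echo "003E0204 + outcome: other than success" ;;
        0031702) echo "003E0201 + outcome: success" ;;
        *) return 1 ;;
    esac
}

# Usage: audit_report_event_codes DIR
# Prints "<file>:<line>: <legacy id> -> <replacement>" for every hit.
# Returns 0 if no legacy ID is left, 1 if any was found, 2 on error.
audit_report_event_codes() {
    ar_dir=$1
    [ -d "$ar_dir" ] || { echo "not a directory: $ar_dir" >&2; return 2; }
    ar_tmp=$(mktemp) || return 2
    ar_hits=0
    # -w: whole-token match, so 0031700 inside a longer number is ignored.
    # -o: one output line per occurrence, even with several IDs on one line.
    # -I: skip binary files. File names containing ':' are not supported.
    grep -rHInowE "$LEGACY_IDS" "$ar_dir" > "$ar_tmp" 2>/dev/null || true
    while IFS=: read -r ar_file ar_line ar_id; do
        printf '%s:%s: %s -> %s\n' "$ar_file" "$ar_line" "$ar_id" \
            "$(replacement_for "$ar_id")"
        ar_hits=$((ar_hits + 1))
    done < "$ar_tmp"
    rm -f "$ar_tmp"
    [ "$ar_hits" -eq 0 ]
}

# Demo on constructed sample queries (table and column names are made up).
demo_audit() {
    da=$(mktemp -d) || return 1
    printf '%s\n' "SELECT usr FROM evt WHERE id IN ('0031700','0031702')" \
        > "$da/logins.sql"
    printf '%s\n' "SELECT usr FROM evt WHERE id = '003E0204'" \
        > "$da/migrated.sql"
    audit_report_event_codes "$da" || echo "legacy event IDs still referenced"
    rm -rf "$da"
}

# With a directory argument, audit it; with none, run the demo.
if [ "$#" -gt 0 ]; then audit_report_event_codes "$1"; else demo_audit; fi
```

A failed-login report is the case to check first: one that still keys on 0031701 will silently return no rows after the upgrade.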

Access to Identity Reporting

The Identity Reporting application can be used only by the Report Administrator. When you log in to the Identity Reporting application, the OSP OAuth process takes care of authenticating the user. For more information about OSP, see the NetIQ Identity Manager Setup Guide.

Updates to Password Self-Service and Forgot Password Features

Identity Manager 4.5 includes NetIQ Self Service Password Reset (SSPR) to help users reset their passwords without administrative intervention. For more information, see Self Service Password Reset as the Password Management Program.

Support for Reports

The Identity Manager 4.5 Standard Edition provides support for the following reports:

  • Authentication by user

  • Authentication by server

  • Database statistics

  • Self-password changes

  • Password resets

  • Identity Vault Driver Associations Report Current State

  • Identity Vault User Report Current State

  • User Password Change Events Summary

    For more information, see Using Identity Manager Reports.

    IMPORTANT: To use the reports, import the report definitions into Identity Reporting. Log in to the Reporting application and use the Download page within the application to download the reports.

Discontinued Functionality or Features

Identity Manager 4.5 Standard Edition does not include the following functionality:

  • User Application

    This version provides alternate functionality for password management and access to Identity Reporting as discussed in Section 1.1, New Features. The other functionality that User Application provides, such as User Self-service and Org Chart, continues to be available as part of Identity Manager 4.5 Advanced Edition.

    In addition to password management, SSPR provides several other features such as enabling users to view and update their profile attributes and search for their colleagues’ information. For more information, see the SSPR Administration Guide.

  • Identity Manager driver for Avaya PBX and RSA SecurID

  • Telemetry job

    Ensure that you remove this predefined job before upgrading Identity Manager. For more information, see the NetIQ Identity Manager Setup Guide.

  • WebLogic, JBoss Enterprise Application Platform (EAP), JBoss Community Edition, WebSphere, MySQL, and DB2

    This version of Identity Manager does not include support for these applications. The .iso file includes an installation program for Tomcat instead of JBoss Community Edition.

NetIQ Corporation Does Not Provide Support for the Components in the PostgreSQL and Tomcat Installation

NetIQ Corporation provides the PostgreSQL and Tomcat installation as a convenience. If your company does not already provide an application server and a database server, you can install and use these components. If you need support, go to the provider of the component. NetIQ does not provide updates, administration, configuration, or tuning information for these components, beyond what is outlined in the NetIQ Identity Manager Setup Guide.

End User License Agreement Is Not Available in All Supported Languages

Each installation program includes an End User License Agreement. Although the installation programs support multiple languages, the license agreement is not available in the following languages:

  • Danish

  • Dutch

  • Russian

  • Swedish

Instead, the installation program displays the license agreement in English. For more information, see “Understanding Language Support” in the Identity Manager Setup Guide. (Bug 896299)

The Setup Guide Provides Examples and Directory Paths for Advanced Edition Instead of Standard Edition

The paths provided in the Setup Guide are for the Advanced Edition. If you are installing the Standard Edition, ensure that you use the correct paths. For example, when you install the Standard Edition on Linux, the configupdate.sh file is located in the /opt/netiq/idm/apps/IdentityReporting/bin/lib directory. For the Advanced Edition, this utility is located in the installation directory for the User Application: /opt/netiq/idm/apps/UserApplication. For more information, see Section 4.1, Locating the Installation Paths.

2.0 System Requirements

You can install Identity Manager components on a variety of operating system platforms. For specific information about which component can be installed on which operating system, see Selecting an Operating System Platform for Identity Manager in the NetIQ Identity Manager Setup Guide. For information about prerequisites, computer requirements, installation, upgrade or migration, see Considerations and Prerequisites for Installation in the NetIQ Identity Manager Setup Guide.

3.0 Identity Manager Component Versions

Identity Manager 4.5 Standard Edition bundles the following components:

  • NetIQ eDirectory 8.8.8 Patch 3

  • NetIQ iManager 2.7.7 Patch 2

  • NetIQ Identity Manager Designer 4.5

  • NetIQ Identity Manager Analyzer 4.5

  • NetIQ Identity Manager Engine 4.5

  • NetIQ Identity Manager Remote Loader 4.5

  • NetIQ Identity Manager Self Service Password Reset 3.2

  • NetIQ Identity Manager Client Login Extension 3.8

  • NetIQ Identity Manager Reporting Module 4.5

  • For event auditing, one of the following:

    • NetIQ Event Auditing Service 6.1

      The installation package includes Event Auditing Service.

    • NetIQ Sentinel 7.0 and above

      This is available only for Identity Tracking. The Identity Manager installation package does not include Sentinel. You must install Sentinel separately.

  • NetIQ Identity Manager drivers:

    • Active Directory Driver 4.0.0.4

    • Bidirectional eDirectory Driver 4.0.1.2

    • Blackboard Driver 4.0.2.0

    • Delimited Text Driver 4.0.0.3

    • Drivers for Linux and UNIX

      • Bidirectional 4.0.2.0

      • FanOut Driver 4.0.2.0

    • Drivers for Linux and UNIX Settings 4.0.2.0 (These drivers are available in a separate .iso file.)

    • Drivers for Mainframe (These drivers are available in a separate .iso file.)

      • ACF2 Driver 4.0.2.0

      • RACF Driver 4.0.2.0

      • Top Secret Driver 4.0.2.0

    • Drivers for Midrange (These drivers are available in a separate .iso file.)

      • i5os Driver 3.6.1.5

    • JDBC Driver 4.0.0.2

    • JMS Driver 4.0.0.2

    • eDirectory Driver 4.5.0.0

    • Entitlements Service Driver 4.0.0.0

    • Ellucian Banner Driver 4.0.2.2

    • GoogleApps Driver 4.0.2.2

    • GroupWise Driver 3.5.4

    • ID Provider Driver 4.0.0.0

    • Identity Tracking Driver for Sentinel 4.0.0.0

    • LDAP Driver 4.0.0.5

    • Lotus Notes Driver 4.0.0.2

    • Manual Task Service Driver 4.0.0.0

    • Null and Loopback Services 4.5.0.0

    • Oracle E-Business Suite HR Driver 4.0.0.2

    • Oracle E-Business Suite TCA Driver 4.0.0.2

    • Oracle E-Business Suite User Management Driver 4.0.0.2

    • Peoplesoft 5.2 Driver 5.2.3.7

    • Privileged User Management (PUM) Driver 4.0.2.1

    • Remedy Action Request System (ARS) Driver 4.0.2.0

    • SalesForce Driver 4.0.0.1

    • SAP HR Driver 4.0.0.1

    • SAP Portal Driver 4.0.0.0

    • SAP User Management Driver 4.0.0.2 (The User Management Fan-out driver uses the same shim.)

    • SharePoint Driver 4.0.0.0

    • SOAP Driver 4.0.0.2

    • WorkOrder Driver 4.0.0.0

4.0 Installing NetIQ Identity Manager 4.5 Standard Edition

The following .iso files contain the DVD image for installing the Identity Manager components for Standard Edition:

  • Identity_Manager_4.5_Linux_Standard.iso

  • Identity_Manager_4.5_Windows_Standard.iso

To download the Identity Manager installation files:

  1. Go to the NetIQ Downloads website.

  2. In the Product or Technology menu, select Identity Manager, then click Search.

  3. On the NetIQ Identity Manager Downloads page, click the Download button next to the ISO file that you want to download.

  4. Follow the on‐screen prompts to download the file to a directory on your computer.

  5. Either mount the downloaded .iso file as a volume, or use the .iso file to create a DVD of the software.

4.1 Locating the Installation Paths

Table 1 lists the default installation paths for the Identity Manager components.

Table 1 Default Installation Locations

Identity Manager Component | Linux | Windows
Identity Vault (eDirectory) | /opt/novell/eDirectory | C:\Novell\NDS
iManager | /opt/novell/iManager/ | C:\Program Files (x86)\Novell
Identity Manager Engine | /opt/netiq | C:\netiq
Event Auditing Service (EAS) | /opt/novell/sentinel_eas | EAS installation is not supported on Windows
Tomcat (supported application server) | /opt/netiq/idm/apps/tomcat | C:\netiq\idm\apps\tomcat
Single Sign-on (One SSO) and Self Service Password Reset (SSPR) | /opt/netiq/idm/apps/osp_sspr | C:\netiq\idm\apps\osp_sspr
Identity Reporting | /opt/netiq/idm/apps/IdentityReporting | C:\netiq\idm\apps\IdentityReporting
Designer | /root/designer | C:\netiq\idm\apps\Designer
Analyzer | /root/analyzer | C:\netiq\idm\apps\Analyzer

4.2 Installation Prerequisites

The following considerations apply when you install this version:

  • NetIQ does not support the integrated installation process for installing Identity Manager 4.5 Standard Edition.

  • To perform a standalone component installation, install the components in the following order:

    1. eDirectory

    2. iManager

    3. Identity Manager Engine

    4. Designer

    5. Analyzer

    6. Event Auditing Service (EAS)

    7. Tomcat (supported application server)

    8. Single Sign-on and Password Management Components (OSP and SSPR)

    9. Identity Reporting

    For information about which component can be installed on which operating system, see Selecting an Operating System Platform for Identity Manager in the NetIQ Identity Manager Setup Guide.

  • You can install the components interactively or silently. For more information about the guidelines for installing the Identity Manager components, see Installing Identity Manager 4.5 Standard Edition in the NetIQ Identity Manager Standard Edition Quick Start Guide. The detailed instructions for installing the components are included in the NetIQ Identity Manager Setup Guide.

  • NetIQ supports Identity Reporting installation only on Tomcat. Other application servers are not supported in this version.

  • Ensure that the container where the reportAdmin role resides does not include any object with the same name.

5.0 Upgrading to Identity Manager 4.5 Standard Edition

You can upgrade to Identity Manager 4.5 Standard Edition from Identity Manager 4.0.2 Standard Edition or perform a new installation. You can also upgrade from Identity Manager 4.5 Standard Edition to Identity Manager 4.5 Advanced Edition.

For more information, see Upgrading Identity Manager in the NetIQ Identity Manager Standard Edition Quick Start Guide. To download the installation kits, see the NetIQ Downloads Web site.

5.1 Upgrade Prerequisites

The following considerations apply when you upgrade from a previous version of Identity Manager Standard Edition.

  • When upgrading Identity Manager 4.0.2 Standard Edition to Identity Manager 4.5 Standard Edition on SLES 11 SP3, migrate the Identity Reporting application server from Websphere to Tomcat.

  • When upgrading Identity Manager 4.0.2 Standard Edition to Identity Manager 4.5 Standard Edition on Windows 2012 R2 (where the Identity Manager 4.0.2 engine is installed on the Windows 2012 R2 server), migrate the Identity Reporting application server from JBoss to Tomcat.

  • When upgrading Identity Manager 4.5 Standard Edition to Identity Manager 4.5 Advanced Edition on SLES 11 SP3, migrate the Identity Reporting application server from Tomcat to WebSphere.

5.2 Post-Installation Tasks

After upgrading to this version, ensure that you perform the actions listed in the following sections:

Delete Old .rpm Files

The upgrade process leaves some .rpm files on the server where you upgrade the Identity Manager engine and Remote Loader. NetIQ Corporation recommends that you remove the files that are no longer required.

Linux:

  • novell-DXMLRSA-4.0.1-20120224

  • novell-DXMLavpbx-3.5.4-20120601

  • novell-DXMLnxdrv-4.0-0

  • novell-DXMLnxpam-4.0-0

  • novell-DXMLremedy-1.0.0.4-1

  • novell-DXMLremedy71-1.0.0.3-1

  • novell-DXMLsentl-3.6.1-20090721

Windows (32-bit .NET Remote Loader):

  • dhutilj.dll

  • dxevent.dll

  • dxldap.dll

  • jntls.dll

  • novlactj.dll

6.0 Known Issues

NetIQ strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

6.1 Installation Issues

Error While Accessing An SSPR Application Directly

Issue: If you download SSPR 3.2 and configure it to work with OSP, OSP generates an SSPR 5071 error code when you try to directly access an SSPR application. (Bug 916183)

Workaround: To access the application, shorten the URL back to the application you want to access. For example, http://localhost:<port>/sspr

Relogin to SSPR Fails when It Is Installed with Identity Manager 4.5 Standard Edition and OSP

Issue: If you attempt to log in again after logging out of SSPR, the login fails. (Bug 916849)

Workaround: Close the browser and relaunch SSPR by using http://server:port/sspr.

Launching the ConfigUpdate Utility from the OSP SSPR Installation Directory Displays Information for the Advanced Edition Components

Issue: The ConfigUpdate utility displays parameters for the Advanced Edition components, such as RBPM, Catalog Administrator, and Home and Provisioning Dashboard. This does not allow you to submit the changes made in the configuration tool. (Bug 917589)

Workaround: To display the correct information in the configuration tool, perform the following actions. This workaround uses the default installation paths created by the Identity Manager component installers on Linux.

  1. Copy the ldapconfig_support.jar file from the /opt/netiq/idm/apps/IdentityReporting/bin/lib directory to the /opt/netiq/idm/apps/osp_sspr/bin/lib directory.

  2. In the configupdate.sh.properties file located in the /opt/netiq/idm/apps/osp_sspr/bin/ directory, set is_prov to false.

  3. Launch the ConfigUpdate utility.
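
Steps 1 and 2 of this workaround as a script with preflight checks and a backup of the properties file, added here as an example (not NetIQ code and not part of the original release notes). It assumes configupdate.sh.properties holds one key=value pair per line, with or without double quotes around the value; the rehearsal tree and its file contents are constructed.

```shell
#!/bin/sh
# Added example: steps 1 and 2 of the Bug 917589 workaround.
# Default paths are the Linux paths given in the workaround text.

JAR=ldapconfig_support.jar

# Print the current value of is_prov (quotes stripped); empty if absent.
is_prov_value() {
    sed -nE 's/^[[:space:]]*is_prov[[:space:]]*=[[:space:]]*"?([^"[:space:]]*).*/\1/p' "$1" |
        tail -n 1
}

# Usage: apply_configupdate_workaround [REPORTING_LIB_DIR [OSP_SSPR_BIN_DIR]]
# The optional arguments allow a rehearsal on a copy of the directories.
apply_configupdate_workaround() {
    cw_src=${1:-/opt/netiq/idm/apps/IdentityReporting/bin/lib}
    cw_bin=${2:-/opt/netiq/idm/apps/osp_sspr/bin}
    cw_props=$cw_bin/configupdate.sh.properties

    # Preflight: change nothing unless both steps can be completed.
    [ -r "$cw_src/$JAR" ] || { echo "missing $cw_src/$JAR" >&2; return 1; }
    [ -d "$cw_bin/lib" ] || { echo "missing $cw_bin/lib" >&2; return 1; }
    [ -w "$cw_props" ] || { echo "cannot write $cw_props" >&2; return 1; }
    grep -Eq '^[[:space:]]*is_prov[[:space:]]*=' "$cw_props" ||
        { echo "no is_prov line in $cw_props" >&2; return 1; }

    # Step 1: copy the jar, keeping its mode and timestamps.
    cp -p "$cw_src/$JAR" "$cw_bin/lib/$JAR" || return 1

    # Step 2: set is_prov to false. The original file is kept as .bak, and
    # the rewrite goes through redirection so owner and mode stay unchanged.
    # Quoting around the value (assumed optional) is preserved as found.
    cp -p "$cw_props" "$cw_props.bak" || return 1
    sed -E 's/^([[:space:]]*is_prov[[:space:]]*=[[:space:]]*)("?)[^"[:space:]]*("?)/\1\2false\3/' \
        "$cw_props.bak" > "$cw_props" || return 1

    # Confirm the result before the operator launches ConfigUpdate (step 3).
    [ "$(is_prov_value "$cw_props")" = "false" ]
}

# Rehearsal on a constructed directory tree (not a real installation).
rehearse_workaround() {
    rw=$(mktemp -d) || return 1
    mkdir -p "$rw/rpt/lib" "$rw/osp/lib"
    echo "constructed placeholder jar" > "$rw/rpt/lib/$JAR"
    printf 'edit_admin="true"\nis_prov="true"\n' \
        > "$rw/osp/configupdate.sh.properties"
    apply_configupdate_workaround "$rw/rpt/lib" "$rw/osp" &&
        echo "is_prov is now: $(is_prov_value "$rw/osp/configupdate.sh.properties")"
    rw_rc=$?
    rm -rf "$rw"
    return "$rw_rc"
}

# "apply" changes the default installation paths; anything else rehearses.
case "${1:-rehearse}" in
    apply) apply_configupdate_workaround ;;
    *) rehearse_workaround ;;
esac
```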

Cannot Specify Installation Paths on Windows that Include Spaces

The standalone installation programs for Identity Manager might not place the installation files in the specified location if the path contains spaces. Ensure that the specified path does not contain any spaces. (Bug 620797)

A Copy of ConfigUpdate Utility Is Created with a Standalone Installation of Self Service Password Reset

Issue: If you run the OSP SSPR installation program and choose to install only SSPR, the installer places the ConfigUpdate utility and a few other files and folders in the OSP installation directory. For example, /opt/netiq/idm/apps/osp. (Bug 901293)

Workaround: Ignore the ConfigUpdate utility in the OSP installation directory because SSPR does not use it.

Error Occurs when Installing Event Auditing Service on a Linux Server Set to Dutch

Issue: The Event Auditing Service standalone installation program reports errors on a Linux server with the locale set to Dutch. (Bug 896927)

Workaround: Change the following settings for locale:

  • LANG=

  • LC_ALL=

Do not include a value after the equal sign (=). This modification sets the type to POSIX instead of UTF-8 encoding.

Incorrect Message Is Displayed During Uninstallation

Issue: During uninstallation, the program displays the message, "InstallAnywhere is preparing to install...", while the program is actually uninstalling.

Workaround: There is no workaround at this time.

Installation Programs Provide Examples for Linux Instead of Windows

Issue: The installation programs provide examples for most settings that you are required to specify. Some of the examples might be for a Linux platform, even when you install on a Windows server. Ensure that you specify values that work for Windows. (Bug 896265)

Workaround: There is no workaround at this time.

Navigation Panel Is Truncated in Identity Reporting Installer

Issue: In some languages, the navigation panel that appears on the left-side of the installer for Identity Reporting appears truncated. You might not be able to see all of the Navigation panel names in the installer. (Bug 899888)

Workaround: You can safely ignore the truncated navigation panel and continue with the installation.

A Pop-up Window Is Displayed during Framework Silent Installation

Issue: The Identity Manager Framework silent installation program displays a pop-up window while installing the platform agent components. (Bug 900781)

Workaround: This does not cause any impact on the installation.

6.2 Remote Loader Issues

Cannot Generate Audit Events for 32-Bit and 64-Bit Remote Loaders on the Same Server

Issue: Although you can install both a 32-bit and a 64-bit Remote Loader on the same computer, the lcache files for these versions cannot work concurrently. The audit events are logged to the lcache file for the version that you installed first. The log file for the other version displays the message: Agent already running error. (Bug 676310)

Workaround: Do not install both versions on the same computer.

A Few Packages Remain Uncleaned after Upgrading a 32-Bit Remote Loader to 64-Bit Remote Loader

Issue: When a 32-bit Remote Loader 4.0.2 is upgraded to a 64-bit Remote Loader 4.5, the upgrade process does not clean the following 32-bit 4.0.2 packages:

  • novell-DXMLbase-4.0.0-20100929

  • novell-DXMLedir-4.0.0-20100929

  • novell-DXMLgw-3.5.3-20100405

  • novell-DXMLrdxml-4.0.0-20100929

  • novell-edirectory-expat-32bit-8.8.6-8

  • novell-edirectory-xdaslog-32bit-8.8.6-8

  • novell-NOVLjvml-4.0.0-20100929

Workaround: There is no workaround at this time.

Default Installation Directory for The Remote Loader

Issue: On Windows, the installer installs the Remote Loader in the c:\novell directory. This issue causes the driver shim to fail. (Bug 908466)

Workaround: In the Remote Loader console, manually change the default installation path of the Remote Loader from c:\novell to c:\netiq.

6.3 Driver Issues

You might encounter the following issues when you use the Identity Manager drivers:

The Delimited Text Driver Loops Endlessly on a Publisher Channel Event When Permission Collection and Reconciliation Service Is Enabled

Issue: The Permission Collection and Reconciliation Service (PCRS) functionality is not supported in the Standard Edition. This issue might occur in Standard Edition when PCRS is enabled. When there is a change in an event in the Publisher channel, it causes a change in one or more permission attributes defined in the custom entitlements (.csv file). The driver keeps checking for the creation of the resources and loops endlessly. (Bug 907031)

Workaround: Disable PCRS.

Cannot Configure the Role-Based Entitlements Driver on Identity Manager with eDirectory 8.8 SP8

Issue: You cannot create an entitlement policy in Identity Manager with eDirectory 8.8 SP8. (Bug 847632)

Workaround: Go to LDAP Server > Connections > LDAP Interfaces and change the existing values of the port to ldap://IP:389 and ldaps://IP:636. Note that IP is appended to the existing port values.

InitiatorUserDomain Is Set Incorrectly for Identity Manager Events

Issue: Identity tracking does not work properly if InitiatorUserDomain is not set correctly. (Bug 819675)

Workaround: To ensure that identity tracking works correctly, do the following:

  • For eDirectory drivers: Ensure that the Sentinel driver is installed on both Identity Manager servers.

  • For Bidirectional eDirectory drivers: Use NOVLEDIR2ATR_2.2.0 or higher version for identity tracking.

TAO Files Are Generated on the Cloned Server when Dibclone Is Used

Issue: When the Dibclone utility is used on an Identity Manager server to clone another server, unnecessary TAO files are generated on the cloned server. (Bug 876418)

Workaround: Do not use the Dibclone utility on an Identity Manager server.

Statistics Report Shows Zero for Role and License Values for an Office 365 Driver

Issue: The Statistics report for the Office 365 driver shows zero for Role and License values in the Assigned Entitlements Per Type section because of a limitation in the Office 365 driver. (Bug 893248)

Workaround: There is no workaround at this time.

Links in Emails Might Not Work in Manual Task Driver

Issue: A conflict in the javax.servlet.http.HttpServletRequest class in the j2eevalidate.jar file affects links in emails for the Manual Task driver. (Bug 897240)

Workaround: Remove j2eevalidate.jar from the classpath if you do not require the User Application driver. Before removing it, ensure that the Manual Task driver and the User Application driver are not running on the same computer.

The Remote Loader Instance of the SharePoint Driver Might Fail to Start If the Default Width of Windows Command Prompt Window Is Changed

Issue: If you change the width of the Windows command prompt window from the default value, the SharePoint driver instance might fail to start and it does not record any trace information. (Bug 854488)

Workaround: Reset the width of the Windows command prompt window to the default value of 80.

6.4 Identity Reporting Issues

You might encounter the following issues when you use Identity Reporting:

Cannot Navigate to Today in the Calendar when the Display Option Is Set to 1 Week

Issue: In Firefox, if the Display Options on the Calendar page are set to show 1 week, clicking Today displays a day one week ahead of today. This issue does not occur in Internet Explorer. (Bug 635107)

Workaround: To see today’s schedule in the Calendar page, press the up-arrow to go back one week.

Installing Identity Reporting Might Overwrite the logevent.conf File

Issue: The Identity Reporting installation program overwrites logevent.conf without prompting under the following circumstances:

  1. A logevent.conf file already exists in the /etc/ directory.

  2. EAS is installed on the same computer.

  3. During the reporting installation, you replace the value of localhost and enter the computer’s actual IP address for the EAS server.

(Bug 642093)

Workaround: After the installation is complete, manually update the /etc/logevent.conf file.

The Identity Reporting Installation Does Not Write the PostgreSQL JDBC JAR if EAS Is Remotely Installed

Issue: If EAS is remotely installed and you want to test the connection to EAS during the Identity Reporting installation, the parent directory of your chosen installation directory must exist before you run the installation. Without an existing parent directory, the installation directory cannot be created in order to write the JDBC JAR file used for testing the connection. For example, if you are installing the Identity Reporting Module to /opt/novell/IdentityReporting, ensure that the /opt/novell directory exists before beginning the installation. (Bug 642331)

Workaround: Before running the installation, ensure that the parent directory of your chosen installation directory is present.

Identity Reporting Does Not Convert a Valid Certificate when You Add an Application

Issue: When you add an application in Identity Reporting that runs on IBM WebSphere, you might notice that a valid certificate is not properly converted. The following sequence of events might cause this problem to occur:

  1. Log in to Identity Reporting with valid credentials.

  2. On the Applications page, click Add Application and specify values for all mandatory fields.

  3. To browse for the certificate, SSL and then click Test.

The certificate does not get converted. This issue occurs when you install Identity Reporting on an IBM WebSphere application server. (Bug 677645)

Workaround: Copy and paste the content of the certificate into the text area on the form.

Cannot Modify the Frequency of a Schedule

Issue: You cannot change the frequency (for example, from week to month) of a schedule. (Bug 677430)

Workaround: To change the frequency, delete the schedule and create a new one.

Downloading an RPZ File with Internet Explorer Might Change the File Extension to ZIP

Issue: When you access Identity Reporting in an Internet Explorer browser and download an .rpz file, the file extension might change from .rpz to .zip.

This issue does not occur with Firefox. (Bug 677436)

Workaround: There is no workaround needed because the file extension change does not cause any issues. The Reporting Module correctly handles the upload and import of the reports with the .zip file extension.

Internet Explorer Displays a Warning when Accessing Identity Reporting in HTTPS

Issue: If you use Internet Explorer in HTTPS to access Identity Reporting, the browser displays the following message:

Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.

If you select Yes, the browser does not display the login screen for Identity Reporting. This issue occurs because the download site for the new reports supports the HTTP protocol only. The link to that site is constructed if you use http://. This issue does not occur with Firefox. (Bug 685490)

Workaround: Select No.

Identity Reporting Leaves Entries in .xml Files for Tomcat after Uninstalling

Issue: When you uninstall Identity Reporting on Tomcat, the process leaves some entries in the Tomcat server.xml and context.xml files. You cannot reinstall Identity Reporting because the files contain duplicate entries for the connection pools. The entries might also expect different passwords than the ones that you specify in the second installation. (Bug 897505)

Workaround: After uninstalling Identity Reporting, manually remove the entries from the server.xml and context.xml files.

In the server.xml file, remove entries that resemble the following entries:

<Resource auth="Container" driverClassName="org.postgresql.Driver"
factory="com.netiq.iac.jdbc.pool.IacCustomDataSourceFactory" initialSize="10"
maxActive="50" maxIdle="10" maxWait="30000" minIdle="10"
name="shared/IDMRPTDataSource" password="" testOnBorrow="true"
type="javax.sql.DataSource" url="jdbc:postgresql://localhost:15432/SIEM"
username="idmrptsrv" validationInterval="120000" validationQuery="SELECT 1"/>
<Resource auth="Container" driverClassName="org.postgresql.Driver"
factory="com.netiq.iac.jdbc.pool.IacCustomDataSourceFactory" initialSize="10"
maxActive="50" maxIdle="10" maxWait="30000" minIdle="10"
name="shared/IDMRPTCfgDataSource" password="" testOnBorrow="true"
type="javax.sql.DataSource" url="jdbc:postgresql://localhost:15432/SIEM"
username="idmrptuser" validationInterval="120000" validationQuery="SELECT 1"/>

In the context.xml file, remove entries that resemble the following entries:

<ResourceLink global="shared/IDMRPTCfgDataSource"
name="jdbc/IDMRPTCfgDataSource" type="javax.sql.DataSource"/>
<ResourceLink global="shared/IDMRPTDataSource" name="jdbc/IDMRPTDataSource"
type="javax.sql.DataSource"/>
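
The manual cleanup described above can be scripted. The following is an added example, not part of the NetIQ release notes or product: it assumes that each leftover element starts on its own line and is self-closing, as in the entries shown above, and the function names and the sample file are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not NetIQ code): find and strip the leftover Identity
# Reporting data source entries from Tomcat's server.xml and context.xml.

# Resource names as they appear in the entries shown on this page.
PATTERN='"shared/IDMRPT(Cfg)?DataSource"'

# count_idmrpt_entries FILE -> number of lines naming a leftover data source
count_idmrpt_entries() {
    grep -Ec "$PATTERN" "$1" || true
}

# strip_idmrpt_entries FILE -> FILE on stdout without the leftover
# <Resource .../> and <ResourceLink .../> elements. Assumes each element
# starts on its own line and is self-closing, as in the entries shown above.
strip_idmrpt_entries() {
    awk '
    !inel && ($0 ~ /<Resource(Link)?[ \t]/ || $0 ~ /<Resource(Link)?$/) {
        inel = 1; buf = ""
    }
    inel {
        buf = buf $0 "\n"
        if ($0 ~ /\/>/) {
            if (buf !~ /"shared\/IDMRPT(Cfg)?DataSource"/) printf "%s", buf
            inel = 0
        }
        next
    }
    { print }
    END { if (inel) printf "%s", buf }  # never drop an unterminated element
    ' "$1"
}

# clean_tomcat_file FILE -> keeps FILE.orig, then rewrites FILE in place so
# that its owner and mode (the file can hold database passwords) are unchanged.
clean_tomcat_file() {
    tmp=$(mktemp) || return 1
    cp -p "$1" "$1.orig" && strip_idmrpt_entries "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: shortened forms of the two entries from this page plus
# Tomcat's stock UserDatabase resource, which must survive the cleanup.
write_sample_server_xml() {
    cat > "$1" <<'EOF'
<GlobalNamingResources>
  <Resource name="UserDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase" pathname="conf/tomcat-users.xml"/>
  <Resource auth="Container" driverClassName="org.postgresql.Driver"
            name="shared/IDMRPTDataSource" password="" username="idmrptsrv"/>
  <Resource auth="Container" driverClassName="org.postgresql.Driver"
            name="shared/IDMRPTCfgDataSource" password="" username="idmrptuser"/>
</GlobalNamingResources>
EOF
}

# Usage: sh cleanup.sh /path/to/server.xml /path/to/context.xml
for f in "$@"; do
    echo "$f: $(count_idmrpt_entries "$f") leftover entries"
    clean_tomcat_file "$f"
done
```

Run it while Tomcat is stopped, and compare each file with its .orig copy before restarting.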

Console Mode Does Not Report a Successful Connection to the Database

Issue: When you install Identity Reporting, you can test the settings that you specify for the database. However, if you use the console mode for installation, the process does not report a successful connection. The process does report an error if the test connection fails. (Bug 899383)

Workaround: There is no workaround at this time.

6.5 iManager Issues

You might encounter the following issues as you use iManager:

iManager Plug-in Dependency for the NDS-to-NDS Driver Certificates Wizard

Issue: iManager needs the NDS-to-NDS Driver Certificates Wizard for proper functioning.

Workaround: To use the NDS-to-NDS Driver Certificates Wizard, download and install the iManager plug-in for NetIQ Certificate Server.

Certificate Created During Identity Manager Installation is Invalid with Firefox 31

Issue: The certificate created during Identity Manager installation is invalid with Firefox 31. (Bug 896637)

Workaround: Change the Keytool self-signed certificate to an OpenSSL self-signed certificate in iManager.

  1. Generate a private key for the host by running the following command:

    # openssl genrsa -out HOSTNAME-private.pem 2048
    

    Set HOSTNAME to the appropriate server name.

  2. Use OpenSSL to derive the public key by running the following command:

    # openssl rsa -in HOSTNAME-private.pem -pubout > HOSTNAME-public.pem
    
  3. Create a self-signed x509 certificate by running the following command:

    # openssl req -new -x509 -key HOSTNAME-private.pem -out HOSTNAME-certificate.pem -days 365
    
  4. Convert the self-signed x509 certificate to the PKCS12 format by running the following command:

    # openssl pkcs12 -export -inkey HOSTNAME-private.pem -in HOSTNAME-certificate.pem -out HOSTNAME-certificate.p12 -name "iManager"
    
    1. Enter the export password, when prompted.

    2. Enter the export password again, when prompted for verifying.

    IMPORTANT: You must remember this password, because it is required later.

  5. Copy the file to /var/opt/novell/novlwww by running the following command:

    # cp HOSTNAME-certificate.p12 /var/opt/novell/novlwww 
    
  6. Stop Tomcat by running the following command:

    # /etc/init.d/novell-tomcat5 stop
    
  7. Edit the Tomcat configuration file, server.xml, from the /etc/opt/novell/tomcat<5,6,7> location.

    Replace:

    <!-- Define a SSL HTTP/1.1 Connector on port -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" maxHttpHeaderSize="8192" minSpareThreads="25"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLSv1.2"/>
    

    with:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" maxHttpHeaderSize="8192" minSpareThreads="25"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        clientAuth="false"
        sslProtocol="TLS"
        keystoreFile="/var/opt/novell/novlwww/HOSTNAME-certificate.p12"
        keystorePass="<password from command in Step 4>"
        keystoreType="PKCS12"/>
    

    NOTE: You must specify the entire path when the keystore type is changed to PKCS12, because Tomcat no longer points to the default Tomcat home path.

  8. Change the PKCS12 file ownership to novlwww and permissions to user=rw, group=rx, and others=r by running the following commands:

    # chown novlwww:novlwww /var/opt/novell/novlwww/HOSTNAME-certificate.p12 
    
    # chmod 654 /var/opt/novell/novlwww/HOSTNAME-certificate.p12 
    
  9. Remove the existing keytool self-signed certificate by running the following command:

    # mv /var/opt/novell/novlwww/.keystore /var/opt/novell/novlwww/orig.keystore
    
  10. Restart Tomcat by running the following command:

    # /etc/init.d/novell-tomcat<5,6,7> start
    
  11. Open a Web browser and launch iManager.
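
Before Tomcat is stopped in step 6, it helps to confirm that the files produced in steps 1 through 4 belong together and that the keystore opens with the export password. The following script is an added example, not NetIQ code: the function names, the P12_PASS environment variable, and the host.example.com sample name are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not NetIQ code): sanity-check the files from steps 1-4
# before Tomcat is pointed at the PKCS12 keystore.
# The export password is read from the exported P12_PASS environment variable
# so that it does not appear in the process list.

# SHA-256 of the public key, computed from each of the three files.
key_pub_hash()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'; }
cert_pub_hash() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }
p12_pub_hash() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# check_keystore KEY.pem CERT.pem KEYSTORE.p12 -> 0 if all three are consistent
check_keystore() {
    openssl pkcs12 -in "$3" -passin env:P12_PASS -noout 2>/dev/null ||
        { echo "FAIL: $3 does not open with the password in P12_PASS"; return 1; }
    k=$(key_pub_hash "$1" 2>/dev/null)
    c=$(cert_pub_hash "$2" 2>/dev/null)
    p=$(p12_pub_hash "$3")
    [ "$k" = "$c" ] || { echo "FAIL: $2 was not issued for the key in $1"; return 1; }
    [ "$c" = "$p" ] || { echo "FAIL: $3 holds a different certificate than $2"; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: $2 has expired"; return 1; }
    echo "OK: key, certificate and keystore match; $(openssl x509 -in "$2" -noout -enddate)"
}

# Constructed sample for a dry run: the commands from steps 1, 3 and 4 with
# -subj and -passout added so that they run without prompts.
# "host.example.com" is a placeholder host name.
make_sample() {   # make_sample DIR
    h="$1/host.example.com"
    openssl genrsa -out "$h-private.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$h-private.pem" -out "$h-certificate.pem" \
        -days 365 -subj "/CN=host.example.com" &&
    openssl pkcs12 -export -inkey "$h-private.pem" -in "$h-certificate.pem" \
        -out "$h-certificate.p12" -name "iManager" -passout env:P12_PASS
}

# Usage: export P12_PASS, then run
#   sh check.sh HOSTNAME-private.pem HOSTNAME-certificate.pem HOSTNAME-certificate.p12
if [ "$#" -eq 3 ]; then
    check_keystore "$1" "$2" "$3"
fi
```

Step 8's mode 654 leaves the keystore readable by every local account, so the export password from step 4 is what protects the private key stored in it.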

iManager Does Not Send Audit Events to EAS

Issue: iManager does not send audit events to EAS even though a connection exists between EAS and iManager. (Bug 900283)

Workaround: Uncomment the following line from the /var/opt/novell/iManager/nps/WEB-INF/imanager_logging.xml file, and then restart Tomcat.

<appender-ref ref="NAUDIT_APPENDER"/>

6.6 RHEL 6.5 Issues

Identity Manager Installation Fails on RHEL 6.5

Issue: Identity Manager is not successfully installed on RHEL 6.5 because of the absence of some dependent libraries. (Bug 693334)

Workaround: Ensure that you install the dependent libraries before starting the Identity Manager installer on RHEL 6.5:

  • For GUI Install: Manually install the dependent libraries.

    • For a 64-bit RHEL: Install the following libraries in the same order:

      1. libXau-1.0.6-4.el6.i686.rpm

      2. libxcb-1.8.1-1.el6.i686.rpm

      3. libX11-1.5.0-4.el6.i686.rpm

      4. libXext-1.3.1-2.el6.i686.rpm

      5. libXi-1.6.1-3.el6.i686.rpm

      6. libXtst-1.2.1-2.el6.i686.rpm

      7. glibc-2.12-1.132.el6.i686.rpm

      8. libstdc++-4.4.7-4.el6.i686.rpm

      9. libgcc-4.4.7-4.el6.x86_64.rpm

      10. compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm

      11. compat-libstdc++-33-3.2.3-69.el6.i686.rpm

      12. libXrender-0.9.7-2.el6.i686.rpm

    • For a 32-bit RHEL: Install the following library:

      • compat-libstdc++-33-3.2.3-69.el6.i686.rpm

  • For Package Install on RHEL 6.x: Manually set up a repository for the installation media.

    1. (Conditional) If you are copying the ISO to the server, run the following command:

      # mount -o loop <path to iso> /mnt/rhes65
      
    2. (Conditional) If you are copying to a CD or a DVD, and to the server, run the following command:

      # mount /dev/cdrom /mnt/rhes65
      
    3. (Conditional) If you have mounted the ISO, create a repository file in the /etc/yum.repos.d location and perform the following configuration steps:

      # vi /etc/yum.repos.d/rhes.repo
        [redhat-enterprise]
        name=RedHat Enterprise  $releasever - $basearch
        baseurl=file:///mnt/rhes65/
        enabled=1      
      
    4. (Optional) If you are using an installation server, configure the following in vi /etc/yum.repos.d/rhes.repo:

      [redhat-enterprise]
      name=RedHat Enterprise  $releasever - $basearch
      baseurl=<url to the installation source>
      enabled=1
      
    5. Run the following commands after setting up the repository:

      # yum clean all
      # yum repolist
      # yum makecache
      
    6. To install the 32-bit packages, change “exactarch=1” to “exactarch=0” in the /etc/yum.conf file.

    7. Install the GPG key by using the rpm --import <path or URL to RPM-GPG-KEY-redhat-release> command:

      # rpm --import /mnt/rhes65/RPM-GPG-KEY-redhat-release 
      

      or

      # rpm --import http://<url>/RPM-GPG-KEY-redhat-release
      
    8. (Optional) To install the required packages for Identity Manager 4.x, execute the following script:

      #!/bin/bash
      
      PKGS="libXau.i686 libxcb.i686 libX11.i686 libXext.i686  libXi.i686 libXtst.i686
      glibc.i686 libstdc++.i686 libgcc.i686  compat-libstdc++-33.i686
      compat-libstdc++-33.x86_64"
      for PKG in $PKGS ; do
          yum -y install "$PKG"
      done
      

      NOTE: The script cannot locate the compat-libstdc++-33.x86_64 library in the 32-bit repository unless you have modified the 64-bit repository and installed the RPM separately.

  • For Non-GUI Install: Manually install the dependent libraries.

    • For a 64-bit RHEL: Install the following libraries in the same order:

      1. glibc-2.12-1.7.el6.i686.rpm

      2. libstdc++-4.4.4-13.el6.i686.rpm

      3. libgcc-4.4.4-13.el6.i686.rpm

      4. compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm

      5. compat-libstdc++-33-3.2.3-69.el6.i686.rpm

    • For a 32-bit RHEL: Install the following library:

      • compat-libstdc++-33-3.2.3-69.el6.i686.rpm

NOTE: Ensure that the unzip rpm is installed before installing Identity Manager. This applies to all Linux platforms.

6.7 Identity Manager Upgrade Issues

Upgrading Identity Manager 4.0.2 Standard Edition To 4.5 Standard Edition On Windows Does Not Remove the jersey-bundle-1.1.5.1.jar File

Issue: The upgrade process does not remove the jersey-bundle-1.1.5.1.jar file and the jersey-bundle-1.18.jar file from the C:\Novell\NDS\lib\ location. This results in an exception in the eDirectory trace. (Bug 916174)

Workaround: On a successful upgrade, remove the jersey-bundle-1.1.5.1.jar file from the C:\Novell\NDS\lib\ location and restart eDirectory.

Some RPM Versions are Downgraded when Upgrading from Identity Manager 4.5 Standard Edition to Identity Manager 4.5 Advanced Edition

Issue: The upgrade program downgrades the versions of the RPMs listed in the following table. (Bug 908539)

| Versions Before Upgrade | Versions After Upgrade |
|---|---|
| novell-DXMLRsrcProv-4.5.1-0 | novell-DXMLRsrcProv-4.5.0-0 |
| novell-DXMLsch-4.5.0.0-20141114 | novell-DXMLsch-4.5.0.0-20140930 |

Workaround: There is no workaround at this time.

Upgrading from Identity Manager 4.0.2 to 4.5 Deletes CA Certificates

Issue: The upgrade program replaces the old JRE folder but deletes all custom certificates from it. For example, the certificates are placed in the /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts directory on 64-bit Linux platforms. (Bug 794590)

Workaround: Complete the following steps:

  1. Save the CA certificates in a custom location.

  2. Upgrade Identity Manager 4.0.2 to 4.5.

  3. Copy the certificates back to the JRE directory depending on your platform.

After the upgrade, verify the JRE version is 1.7.0_65.

6.8 Localization Issues

Identity Manager Fails to Install Specific Drivers in Non-English Locales

Issue: When you install selected drivers by using the Customize the Selected Components option in non-English locales, installation fails. (Bug 926490)

Workaround: Perform any one of the following actions:

  • Select English as language for installing Identity Manager instead of non-English languages.

  • On Windows, copy the necessary jar files from the installation media to the Identity Manager installation folder. On Linux, browse to products/IDM/linux/setup/packages in the installation media and run the following command:

    New installation: rpm -ivf <file name>

    Upgrade: rpm -Uvf <file name>

The Identity Manager Installers Contain Corrupt Characters in the Console Mode On Windows

Issue: If you select Brazilian Portuguese, Danish, Dutch, English, French, German, Italian, Swedish, Spanish, or Russian as your choice of language for installing Identity Manager, the installer displays corrupt characters during installation.

If you select English, the installer contains a corrupt character on the Select Language page of the installation program. However, the characters display correctly for the Asian languages when the installer is run on Asian Windows. (Bug 672070)

Workaround: For the characters to display correctly, ensure that you change the default font of your Windows computer to Lucida Console by using the following steps before installing Identity Manager:

  1. Go to Start > Run > Regedit > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage and change the value of OEMCP from 850 to 1252.

    For Russian, change the value of OEMCP from 866 to 1251 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage directory.

  2. Go to Start > Run and type cmd in the Open text box, then press Enter to launch the command prompt.

  3. Right-click the title bar of the Command Prompt window to open the pop-up menu.

  4. Scroll down in the pop-up menu and select the Defaults option to open the Console Windows Properties dialog box.

  5. Click the Font tab and change the default font from Raster to Lucida Console (TrueType).

  6. Click OK.

  7. Restart the computer.

Error Message Displays when Identity Manager is Installed on Russian Windows 2008 SP2

Issue: A Microsoft Visual C++ 2005 Redistributable error message displays when Identity Manager is installed on Russian Windows 2008 SP2. When you click OK in the error message, the installation completes successfully. (Bug 750992)

Workaround: To avoid this error, visit the Microsoft support site and run the steps specified in the Let me fix it myself section of the online page.

6.9 Miscellaneous

Manually Remove Old RPM Files After Upgrading to Identity Manager 4.5

Issue: When you upgrade to Identity Manager 4.5 from Identity Manager 4.0.2, the old RPM files for some drivers still exist. You must manually remove them. (Bug 888108)

Workaround: Manually remove the files listed in Table 2:

Table 2 Drivers and the RPM Files that Must be Removed

RSA

  • Linux:

    • novell-DXMLRSA-4.0.1-20120224

  • Windows:

    • ACEShim.jar, hsqldb.jar, and jace.jar located in the IDM_ENGINE_DIR\lib and IDM_REMOTELOADER_DIR\lib folders

    • jace_api.dll located in the IDM_ENGINE_DIR\ and IDM_REMOTELOADER_DIR\ folders

Remedy

  • Linux:

    • novell-DXMLremedy-1.0.0.4-1

    • novell-DXMLremedy71-1.0.0.3-1

  • Windows:

    • ARSDriver.jar and ARSDriver71.jar located in the IDM_REMOTELOADER_DIR\lib folder

    • IDM_Notifier.xml and IDM_Notifier71.xml located in the IDM_REMOTELOADER_DIR\drivers\remedy\tools folder

Avaya

  • Linux:

    • novell-DXMLavpbx-3.5.4-20120601

  • Windows:

    • AvayaShim.jar and jta20.jar located in IDM_ENGINE_DIR\lib

    • AvayaShim.jar and jta20.jar located in IDM_REMOTELOADER_DIR\lib

Identity Reporting Might Not Automatically Reconnect to the EAS Server

Issue: Sometimes Identity Reporting does not automatically reconnect to the EAS server. (Bug 900258)

Workaround: Stop the application server where you deployed Identity Reporting and then start it again.

Internet Explorer 10 Displays an Error Message when Started Using Client Login Extension

Issue: A Stack Overflow message is displayed if you enter a wrong password on the SSPR Web page when you start SSPR (Self Service Password Reset) using Client Login Extension.

Workaround: Click OK and continue working. It is safe to ignore the message. (Bug 833663)

6.10 Uninstallation Issues

Identity Manager Framework Uninstallation Issues

Identity Manager Framework Uninstallation Does Not Remove all of the Folders from the Installation Directory

Issue: On Windows, the jar files from the lib directory are not removed. (Bug 643077)

Workaround: Manually remove the jar files from the lib directory.

On Windows, Identity Manager Framework Uninstallation Log Files Are Not Created in the Uninstallation Folder

Issue: The uninstallation log files are created in the temp directory. (Bug 613225)

Workaround: There is no functionality loss. You can ignore the issue.

Uninstall the Identity Manager Entry from the Control Panel after Identity Manager Engine Upgrade on Windows

Issue: After upgrading the Identity Manager engine to version 4.5, if you run the uninstallation program from the Control Panel, it successfully removes the necessary Identity Manager files except a specific registry key that leads to the Identity Manager entry being displayed in the Control Panel even after running the uninstallation. (Bug 901219)

Workaround: Delete the registry key from the following registry path when you run the uninstallation:

  • For 32-bit computers: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Identity Manager

  • For 64-bit computers: \HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Identity Manager

7.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.