Novell Identity Manager 4.0.2 Readme

November 2013

This document contains the known issues for Novell Identity Manager 4.0.2.

1.0 Known Issues

The following sections provide information on known issues at the time of the product release.

1.1 Identity Manager Framework Installer Issues

You might encounter the following issues during the installation of the Identity Manager framework installer:

1.1.1 On Windows, the Identity Manager framework installer does not place the installation files in the specified location if the path contains spaces

Ensure that the specified path doesn’t contain any spaces.

1.1.2 The Linux/UNIX Bidirectional driver cannot be installed in a Solaris zone that contains a read-only /usr partition

You cannot install the Linux/UNIX Bidirectional driver in a Solaris zone that contains a read-only /usr partition. If you select the driver for installation, the Identity Manager framework installer reports an error.

1.1.3 The Identity Manager installer downgrades the Platform Agent if the existing version of Platform Agent is higher than 2.02-62

If Platform Agent is already installed on a computer where you are installing Identity Manager, the Identity Manager installer replaces it. However, if the Platform Agent version installed on the computer is higher than 2.02-62, it is downgraded to version 2.02-62.

To work around this issue, reinstall the latest version of Platform Agent after the Identity Manager installation is complete.

1.1.4 Valid version of NMAS is not found during Identity Manager installation

If you install Identity Manager 4.0.2 on a computer running eDirectory 8.8 SP8, the installer displays the following error:

Valid version of NMAS not found

The error message states NMAS 8.8.8 is not a valid version and asks if you want to proceed with the installation process. Ignore the error, and proceed with the installation. The installation completes successfully.

1.1.5 Solaris is not supported for User Application for Identity Manager 4.0.2

Though Identity_Manager_4.0.2_Solaris_Advanced.iso includes User Application, Novell does not support installing it on Solaris.

1.2 Identity Manager Integrated Installer Issues

You might encounter the following issues when you use the Identity Manager integrated installer:

1.2.1 The Identity Manager integrated installer fails to install on Windows when you use UNC paths

You cannot use UNC paths for installation and configuration when you use the Identity Manager integrated installer (for example, \\myserver\share\Identity_Manager_4.0.2_Windows_Enterprise).

To work around this issue, create an actual mapped drive.

1.2.2 No server health check before secondary server addition

The integrated installer does not perform a health check before the secondary server addition.

You must run the ndscheck command if you are adding a secondary server through the integrated installer. On Windows, run the ndscheck command from the <install location>\NDS folder. On Linux/Solaris, run it from the /opt/novell/eDirectory/bin/ndscheck directory. Specify the mandatory parameters and run the command as follows:

ndscheck [-h <hostname port>] [-a <admin FDN>] [-w <password>]

NOTE: Running the ndscheck command on Windows causes eMbox warnings to display on the screen. Don't treat these warnings as an eDirectory health check failure. It is safe to ignore them.

1.2.3 The RBPM and Identity Reporting Module configuration fails on RHEL 5.7 or later

The configuration fails with an exit value of 13. For a successful configuration of RBPM and Identity Reporting Module, ensure that the number of open connections for the server is increased from a default value of 1024 before configuration is started.

To increase the open connections up to 4096, execute the ulimit -n 4096 command in the terminal where configuration is invoked. Ensure that your console terminal shows open files (-n) 4096 when you run the ulimit -n command.

1.2.4 The authsamlProviderID attribute is not created for the SAML authorization object on Windows

This attribute is not listed under Valued Attributes in iManager. To work around this issue, perform the following steps:

  1. Select authsamlProviderID in the Unvalued Attributes list and move it to the Valued Attributes list by clicking on the left arrow.

  2. In the input field, enter a value in the following format:

    cn=<Name of the SAML Object>
    

    For example:

    cn=SCCp16ouo,cn=nids,ou=accessManagerContainer,o=novell
    

This behavior occurs only on the Windows server platform when Access Manager creates the SAML authorization object.

1.2.5 A warning is displayed when installation, configuration, or uninstallation is invoked on Solaris

This warning is displayed only on Solaris. It is safe to ignore the warning and continue with the installation.

1.3 Driver Issues

You might encounter the following issue as you use the Identity Manager drivers:

1.3.1 Cannot select options when creating or configuring a driver in Designer on Linux

At times, you cannot select drop-down options when creating or configuring a driver. To work around this issue:

  1. Click the drop-down menu and continue to hold the left mouse button until the desired option is highlighted.

  2. Release the left mouse button to select the option.

1.3.2 Cannot configure the Role-Based Entitlements Driver on Identity Manager with eDirectory 8.8 SP8

You cannot create an entitlement policy in Identity Manager with eDirectory 8.8 SP8.

To work around this issue, go to LDAP Server > Connections > LDAP Interfaces and change the existing values of the port to ldap://IP:389 and ldaps://IP:636. Note that IP is appended to the existing port values.

1.3.3 Office 365 driver does not start after applying Novell Identity Manager 4.0.2 Patch 4

After applying Novell Identity Manager 4.0.2 Patch 4, the Office 365 driver does not start.

To work around this issue, change the order of the supportedRuntime versions (specify the lower version before the higher version) in the RemoteLoader.exe.config and RemoteLoaderSvc.exe.config files, as shown in the following code snippet:


<?xml version="1.0"?>
<configuration>
  <runtime>
    <NetFx40_LegacySecurityPolicy enabled="true"/>
  </runtime>
  <startup>
    <supportedRuntime version="v2.0.50727"/>
    <supportedRuntime version="v4.0.30319"/>
  </startup>
</configuration>

1.4 Identity Reporting Module Issues

You might encounter the following issues when you use the Identity Reporting Module:

1.4.1 Removal of extended attributes does not reflect in the extended attributes table

If you remove an attribute that was added to the Data Collection Service driver filter policy, the attribute is not removed from the extended attributes tables (idmrpt_ext_attr, which tracks the attributes) and no data is removed from the idmrpt_ext_item_attr table.

1.4.2 You cannot navigate to Today in the Calendar when the display option is set to 1 week

In Firefox, if the Display Options on the Calendar page are set to show 1 week, clicking Today displays a day one week ahead of today.

To see today’s schedule in the Calendar page, press the up-arrow to go back one week. This issue does not occur in Internet Explorer.

1.4.3 The Reporting Module installation sometimes overwrites the logevent.conf file

Under the following circumstances, the logevent.conf is overwritten without prompting during the installation of the reporting module:

  1. There is already a logevent.conf file in /etc/ directory.

  2. EAS is installed on the same machine.

  3. During the reporting installation, you replace the value of localhost and enter the machine's actual IP address for the EAS server.

To work around this issue, manually update the /etc/logevent.conf file after the installation is complete.

1.4.4 The Reporting Module installation does not write the PostgreSQL JDBC JAR successfully when EAS is remotely installed

If EAS is remotely installed and you want to test the connection to EAS during the Identity Reporting Module installation, the parent directory of your chosen install directory must exist prior to running the installation. Without an existing parent directory, the installation directory cannot be created in order to write the JDBC JAR file used for testing the connection. For example, if you are installing the Identity Reporting Module to /opt/novell/IdentityReporting, ensure that the /opt/novell directory exists before beginning the installation.

1.4.5 A valid certificate is not converted when an application is added to the Reporting Module

This problem has only been observed on WebSphere.

When you add an application in the Reporting Module, you might notice that a valid certificate is not properly converted. The following actions might cause this problem to occur:

  1. Log in to the Identity Reporting Module with valid credentials.

  2. Navigate to the Applications page and click the Add Application button.

  3. Fill in all the mandatory fields and browse for the certificate by selecting the SSL check-box and clicking Test.

The certificate should be converted, but this does not occur.

To work around this issue, copy and paste the content of the certificate into the text area on the form.

1.4.6 Frequency cannot be modified in a schedule

You cannot modify the frequency of a schedule. To change the frequency (from week to month, for example), delete the schedule and create a new one.

1.4.7 Downloading an RPZ file by using Internet Explorer might change the file extension to ZIP

In the Identity Reporting Module, if an .rpz file is downloaded by using the Internet Explorer browser, the file extension might change from .rpz to .zip. This change does not cause any issues. The Reporting Module correctly handles the upload and import of the reports with the .zip file extension. This issue is not reported on Firefox.

1.4.8 Internet Explorer displays a warning when accessing reporting in HTTPS

If you use Internet Explorer browser in HTTPS to access the Reporting Module, the following pop-up message is displayed:

Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.

If you select Yes, the login screen for the Reporting Module does not appear. You must select No. The behavior is observed because the download site for the new reports only supports the HTTP protocol. The link to that site is constructed if you use http://. This behavior is not observed with Firefox.

1.5 Roles Based Provisioning Module Issues

You might encounter the following issues when you use the Roles Based Provisioning Module:

1.5.1 Copying text in the Detail portlet displays an error message

In Firefox or Dojo, if you attempt to copy text in the Detail portlet, an error message is displayed.

The following actions cause this message to appear:

  1. Log in to the User application as administrator and go to the Administration tab.

  2. Click Portlet Admin > Detail Portlet in Portlet Applications.

  3. Click Preferences > View/Edit custom Preferences > continue.

  4. Click the HTML Layout edit icon and enter some sample text, such as “TEST”.

  5. Select the text and click the Copy icon.

If you follow these steps, you see the following error message:

“Exception... "Access to XPConnect service
denied"  code: "1011" nsresult: "0x805303f3
(NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED)"  location:
"http://172.16.1.99:8180/IDMProv/resource//portal-general/javascript/html_editor.js
Line: 531" ” when clicked on Copy button.

You might also see this message when performing cut and paste operations.

1.5.2 RBPM reports have been deprecated

The Roles Based Provisioning Module reports provided under Reports on the Roles and Resources tab have been deprecated from Identity Manager 4.0 onwards. These reports will be removed in a future release.

1.5.3 A newly created user with slashes in the name cannot log in to the User Application on WebSphere

On WebSphere, if you create a new user with a slash (/) or backslash (\) in the name, the user cannot log in to the User Application. For example, if you create a user as /Test// from the Create Users and Groups page, an error is displayed when the new user tries to log in to the User Application.

1.5.4 Content for the User Application driver is missing trustees for Attestation Reports

If you redeploy the User Application driver from Designer after running the integrated installer, the trustees for the Attestation Report provisioning request definitions are deleted and no one can execute the report. This is because the trustees are added to the Attestation Report provisioning request definitions when the User Application starts. Because Designer does not know about the trustees, an attempt to redeploy the User Application driver from Designer removes the trustees. Therefore, you need to import these objects from eDirectory after User Application startup to synchronize the trustees.

1.5.5 PostgreSQL does not support number format of Simplified Chinese

If you install PostgreSQL on a server that is set up with Simplified Chinese as the number format (by using Control Panel -> Clock, Language, and Region -> Region and Language -> Formats tab -> Format -> Chinese, Simplified, PRC), PostgreSQL does not install successfully. Ensure that the Simplified Chinese Number format is changed on the server where you are installing PostgreSQL.

1.5.6 Association Description is required for the default language when assigning resources to roles

When the User Application is accessed in a language other than the default language (for example, accessing in Spanish while the default language is set to English), if a resource is added to a role, ensure that a value is supplied for the default language in the Association Description field. To do this, press the Localization button after the Association Description field and enter a value in the language that is marked with the * (the default language). If a value is not entered for the default language, you get an error and you cannot add the resource to the role.

1.5.7 A role request can be approved or denied after the role has been deleted

If an administrator deletes a role that requires a workflow after a user has made a role request, the workflow addressee for the role request still sees the workflow in the Task List and is able to approve or deny the request.

1.5.8 Accessing Web service links throws a null pointer exception on WebSphere 7

When the User Application is deployed on WebSphere 7, if you access a Web Service home page either directly or from the Administration page, you see a broken image on the page. It also throws a java.lang.NullPointerException in the SystemOut.log file. However, there is no loss of functionality. You can still download the WSDL file and use the Web Services.

1.5.9 Database schema is updated every time the User Application starts up

If you create the tables for the User Application during installation, you might still see messages in the log that indicate that the database is being updated at start-up time when you start the User Application. This is caused by a limitation in Liquibase 2.0.1.

To work around this issue, set the create-db-on-startup parameter to false in the web.xml file, as shown below:

<init-param>
  <param-name>create-db-on-startup</param-name>
  <param-value>false</param-value>
</init-param>

1.5.10 Novell does not provide support for the components installed by the JBossPostgreSQL utility

Novell provides the JBossPostgreSQL utility as a convenience. If your company does not already provide an application server and a database server, you can use the JBossPostgreSQL utility to install an Open Source version of these components. By running this utility, you can install these components without having to download them separately. If you need support, go to the third-party provider of the component. Novell does not provide updates for these components, or administration, configuration, or tuning information for these components, beyond what is outlined in the RBPM documentation.

1.6 Role Mapping Administrator Module Issues

You might encounter the following issue as you use Role Mapping Administrator.

1.6.1 Authorizations are lost when changes are made to the active profile

When you make changes to the active profile in the Role Mapping Administrator configuration page, all the cached authorizations are cleared from the database. You must reload the authorizations after changes are made to the active profile. For more information, see loading authorizations in the Identity Manager Role Mapping Administrator 4.0.2 User Guide.

1.7 Internet Explorer 10 displays an error message when invoked through the Client Login Extension

A Stack Overflow message is displayed if you enter a wrong password on the SSPR Web page when SSPR is invoked using the Client Login Extension.

You can simply click OK and continue working. It is safe to ignore the message.

1.8 Identity Manager Framework Uninstallation Issues

You might encounter the following issues during uninstallation of the Identity Manager engine and drivers.

1.8.1 Identity Manager framework uninstallation does not remove all the folders from the installation directory

On Windows, the jar files from the lib directory are not removed. On Solaris, the DXMLnotes.pkg is not removed. You need to remove them manually.

1.9 Localization Issues

1.9.1 On Windows, the Identity Manager installers contain corrupt characters in the Console Mode

If you select Brazilian Portuguese, Danish, Dutch, English, French, German, Italian, Swedish, Spanish, or Russian as your choice of language for installing Identity Manager, the installer displays corrupt characters during installation.

If you select English, the installer contains a corrupt character on the Select Language page of the installation program. However, the characters display correctly for the Asian languages when the installer is run on Asian Windows.

For the characters to display correctly, ensure that you change the default font of your Windows machine to Lucida Console by using the following steps before installing Identity Manager:

  1. Go to Start > Run > Regedit > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage and change the OEMCP value from 850 to 1252.

    For Russian, change the OEMCP value from 866 to 1251 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage directory.

  2. Go to Start > Run, type cmd in the Open text box, then press Enter to launch the command prompt.

  3. Right-click the title bar of the cmd window to open the pop-up menu.

  4. Scroll down in the pop-up menu and select the Defaults option to open the Console Windows Properties dialog box.

  5. Click the Font tab and change the default font from Raster to Lucida Console (TrueType).

  6. Click OK.

  7. Restart the machine.

1.9.2 Error message displays when Identity Manager is installed on Russian Windows 2008 SP2

A Microsoft Visual C++ 2005 Redistributable error message displays when Identity Manager is installed on Russian Windows 2008 SP2. When you click OK in the error message, the installation completes successfully.

To avoid this error, visit the Microsoft support site and run the steps specified in the Let me fix it myself section of the online page.

1.10 RHEL 6.0 Issues

1.10.1 Identity Manager installation fails on RHEL 6.0

Ensure that you install the following libraries before installing Identity Manager on RHEL 6.0:

  • For GUI Install: Before invoking the Identity Manager installer, manually install the dependent libraries.

    • For a 64-bit RHEL: Install the following libraries in the same order:

      1. libXau-1.0.5-1.el6.i686.rpm

      2. libxcb-1.5-1.el6.i686.rpm

      3. libX11-1.3-2.el6.i686.rpm

      4. libXext-1.1-3.el6.i686.rpm

      5. libXi-1.3-3.el6.i686.rpm

      6. libXtst-1.0.99.2-3.el6.i686.rpm

      7. glibc-2.12-1.7.el6.i686.rpm

      8. libstdc++-4.4.4-13.el6.i686.rpm

      9. libgcc-4.4.4-13.el6.i686.rpm

      10. compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm

      11. compat-libstdc++-33-3.2.3-69.el6.i686.rpm

    • For a 32-bit RHEL: Install the following library:

      • compat-libstdc++-33-3.2.3-69.el6.i686.rpm

  • For Package Install on RHEL 6.x: Before invoking the Identity Manager installer, you must manually set up a repository for the installation media.

    1. (Conditional) If you are copying the ISO to the server, run the following command:

      # mount -o loop <path to iso> /mnt/rhes62
      
    2. (Conditional) If you are copying to a CD or a DVD, and to the server, run the following command:

      # mount /dev/cdrom /mnt/rhes62
      
    3. (Conditional) If you have mounted the ISO, create a repository file in the /etc/yum.repos.d location and perform the following configuration steps:

      # vi /etc/yum.repos.d/rhes.repo
        [redhat-enterprise]
        name=RedHat Enterprise  $releasever - $basearch
        baseurl=file:///mnt/rhes62/
        enabled=1      
      
    4. (Optional) If you are using an installation server, configure the following in vi /etc/yum.repos.d/rhes.repo:

      [redhat-enterprise]
      name=RedHat Enterprise  $releasever - $basearch
      baseurl=<url to the installation source>
      enabled=1
      
    5. Run the following commands after setting up the repository:

      # yum clean all
      # yum repolist
      # yum makecache
      
    6. To install the 32-bit packages, change “exactarch=1” to “exactarch=0” in the /etc/yum.conf file.

    7. Install the GPG key by using the rpm --import command with the path or URL to RPM-GPG-KEY-redhat-release:

      # rpm --import /mnt/rhes62/RPM-GPG-KEY-redhat-release 
      

      or

      # rpm --import http://<url>/RPM-GPG-KEY-redhat-release
      
    8. (Optional) To install the required packages for Identity Manager 4.x, execute the following script:

      #!/bin/bash
      
      PKGS="libXau.i686 libxcb.i686 libX11.i686 libXext.i686  libXi.i686 libXtst.i686
      glibc.i686 libstdc++.i686 libgcc.i686  compat-libstdc++-33.i686
      compat-libstdc++-33.x86_64"
      for PKG in $PKGS ; do
          yum -y install "$PKG"
      done
      

      NOTE: The script cannot locate the compat-libstdc++-33.x86_64 library in the 32-bit repository unless you have modified the 64-bit repository and installed the RPM separately.

  • For Non-GUI Install: Before invoking the Identity Manager installer, manually install the dependent libraries.

    • For a 64-bit RHEL: Install the following libraries in the same order:

      1. glibc-2.12-1.7.el6.i686.rpm

      2. libstdc++-4.4.4-13.el6.i686.rpm

      3. libgcc-4.4.4-13.el6.i686.rpm

      4. compat-libstdc++-33-3.2.3-69.el6.x86_64.rpm

      5. compat-libstdc++-33-3.2.3-69.el6.i686.rpm

    • For a 32-bit RHEL: Install the following library:

      • compat-libstdc++-33-3.2.3-69.el6.i686.rpm

NOTE: Ensure that the unzip rpm is installed before installing Identity Manager. This applies to all Linux platforms.
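The repository stanza in the Package Install steps sets no gpgcheck value, so whether the key imported in step 7 is actually enforced depends on the [main] section of /etc/yum.conf. The following check is an added example, not part of Novell's readme; the function names, the second repository, and the sample yum.conf contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the readme): report whether yum will verify package
# signatures for each repository defined in a .repo file.

# effective_gpgcheck YUM_CONF REPO_FILE
# Prints "<repo-id> on|off" for every section in REPO_FILE. A repo's own
# gpgcheck value wins; otherwise it inherits the value from [main] in
# YUM_CONF; if neither sets it, signature checking is off.
effective_gpgcheck() {
    awk -v repofile="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function onoff(v) {
            v = tolower(v)
            return (v == "1" || v == "yes" || v == "true") ? "on" : "off"
        }
        FNR == 1 { sect = "" }            # new file: forget previous section
        /^[ \t]*[#;]/ { next }            # skip comment lines
        /^[ \t]*\[/ {                     # section header, e.g. [main]
            sect = $0
            sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
            if (FILENAME == repofile && !(sect in seen)) {
                seen[sect] = 1; order[++n] = sect
            }
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            if (trim(substr($0, 1, eq - 1)) != "gpgcheck") next
            val = trim(substr($0, eq + 1))
            if (FILENAME == repofile) own[sect] = val
            else if (sect == "main") main = val
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                print s, onoff((s in own) ? own[s] : main)
            }
        }
    ' "$1" "$2"
}

# Constructed sample input: a yum.conf with gpgcheck=1 in [main], the stanza
# from step 3, and a hypothetical second repo that disables checking.
demo_repo_audit() {
    tmp=$(mktemp -d)
    printf '%s\n' '[main]' 'exactarch=0' 'gpgcheck=1' > "$tmp/yum.conf"
    printf '%s\n' \
        '[redhat-enterprise]' \
        'name=RedHat Enterprise  $releasever - $basearch' \
        'baseurl=file:///mnt/rhes62/' \
        'enabled=1' \
        '' \
        '[local-extras]' \
        'baseurl=file:///srv/extras/' \
        'gpgcheck=0' > "$tmp/rhes.repo"
    effective_gpgcheck "$tmp/yum.conf" "$tmp/rhes.repo"
    rm -rf "$tmp"
}

demo_repo_audit
```

On a real server, call effective_gpgcheck /etc/yum.conf /etc/yum.repos.d/rhes.repo before running the package install script; any repository reported as off installs packages without signature verification.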

1.10.2 After Identity Manager installation, JBoss does not automatically start when the system is rebooted

To work around this issue, manually start JBoss after system reboot.

1.10.3 After Identity Manager installation, the Role Mapping Administrator service does not automatically start

To work around this issue, manually start the Role Mapping Administrator service after completing the Identity Manager installation.

1.11 Identity Manager Upgrade Issues

1.11.1 Upgrading from Identity Manager 4.0.1 to 4.0.2 deletes CA certificates

The upgrade replaces the JRE folder but deletes all custom certificates from it. For example, the certificates are placed in the /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts directory on 64-bit Linux platforms.

To work around this issue:

  1. Save the CA certificates in a custom location.

  2. Upgrade Identity Manager 4.0.1 to 4.0.2.

  3. Copy the certificates back to the JRE directory depending on your platform.

After the upgrade, verify the JRE version is 1.6.0_31.
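
One way to carry out steps 1 and 3 on Linux is to compare the trust store's aliases before and after the upgrade and re-import only the entries that went missing, instead of overwriting the new JRE's cacerts file. This is an added example, not part of Novell's readme; the function names and the sample aliases are constructed, and it assumes keytool is on the PATH and the store uses the stock changeit password unless STOREPASS is set.

```sh
#!/bin/sh
# Added example (not from the readme): find and restore trust-store entries
# that the 4.0.1 -> 4.0.2 upgrade removed from the JRE cacerts file.

STOREPASS="${STOREPASS:-changeit}"   # stock JRE cacerts password; override if changed

# parse_aliases: read `keytool -list -v` output on stdin, print sorted aliases.
parse_aliases() {
    sed -n 's/^Alias name: //p' | LC_ALL=C sort -u
}

# list_aliases KEYSTORE: aliases currently in KEYSTORE (requires keytool).
# The -J option forces English labels so parse_aliases can match them.
list_aliases() {
    keytool -J-Duser.language=en -list -v \
        -keystore "$1" -storepass "$STOREPASS" | parse_aliases
}

# lost_aliases BEFORE AFTER: aliases present in BEFORE but absent from AFTER.
# Both files must come from parse_aliases (sorted in the C locale).
lost_aliases() {
    LC_ALL=C comm -23 "$1" "$2"
}

# restore_lost BACKUP_KS LIVE_KS LOST_LIST: copy each alias named in LOST_LIST
# from the pre-upgrade backup into the live store, leaving other entries alone.
restore_lost() {
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        keytool -importkeystore -noprompt \
            -srckeystore "$1" -srcstorepass "$STOREPASS" \
            -destkeystore "$2" -deststorepass "$STOREPASS" \
            -srcalias "$entry" < /dev/null
    done < "$3"
}

# Constructed demo: two custom CAs exist before the upgrade and are gone
# afterwards. The keytool output below is sample text, not a real listing.
demo_lost() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'Alias name: verisignroot' 'Entry type: trustedCertEntry' '' \
        'Alias name: idm-audit-ca' 'Entry type: trustedCertEntry' '' \
        'Alias name: corp-ldap-ca' 'Entry type: trustedCertEntry' \
        | parse_aliases > "$tmp/before"
    printf '%s\n' 'Alias name: verisignroot' 'Entry type: trustedCertEntry' \
        | parse_aliases > "$tmp/after"
    lost_aliases "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

demo_lost

# Typical use on 64-bit Linux (backup path is a placeholder):
#   JKS=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts
#   cp -p "$JKS" /root/cacerts.pre-upgrade; list_aliases "$JKS" > before.txt
#   ... upgrade to 4.0.2 ...
#   list_aliases "$JKS" > after.txt; lost_aliases before.txt after.txt > lost.txt
#   restore_lost /root/cacerts.pre-upgrade "$JKS" lost.txt
```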