Novell Identity Manager 3.0.1 Readme

October 10, 2006

1.0 Documentation

The following sources provide information about Novell® Identity Manager:

2.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

3.0 Fixes included in Identity Manager 3.0.1

For a list of defect fixes included in Identity Manager 3.0.1, see TID 3351724

4.0 System Requirements for Identity Manager 3.0.1

For the latest system requirements, see the Installation Guide section on System Requirements for Identity Manager.

5.0 eDirectory Considerations

5.1 NMAS Installation Fails on eDirectory 8.7.3.x

As of eDirectory 8.7.3 SP8, the NMAS™ security updates are no longer included with the eDirectory patch. You need to download NMAS separately from Novell’s Download Web site.

If you are using eDirectory 8.7.3 SP8 or later and upgrade to Identity Manager 3.0.1, Challenge Response and other password functions do not work without the latest NMAS update.

5.2 Configuring eDirectory to enhance portal performance

In addition to using eDirectory 8.7.3 SP8 or later, you can make the following changes to your eDirectory system to avoid degradation of login response time (which sometimes occurs in environments that are under consistent load for an extended duration):

  • Set a static cache with 50% block cache
  • In the _ndsdb.ini file, set preallocatecache=true
  • Specify a smaller cache amount

6.0 Identity Manager Installation

6.1 Upgrading the IDM 3.0 User Application to the IDM 3.0.1 User Application

Follow these tips to upgrade the Identity Manager 3.0 User Application to the Identity Manager 3.0.1 User Application:

  1. Before you begin:

    • Back up your existing User Application installation directory and database.
    • Back up any customized Identity Self-Service pages by using the Import/Export tools available through the User Application's Administration > Tools page.
    • Make note of your existing User Application Configuration settings (such as the eDirectory Connection Settings, eDirectory DNs and eDirectory Certificates). You will be required to re-enter this information during the installation procedure. You can obtain your current settings by running the configupdate utility, which is located in the User Application installation directory (for example, c:\novell\idm).
  2. Install the IDM 3.0.1 User Application using the Custom installation with the User Application and JBoss options selected.

  3. Empty the jboss/server/<ApplicationName>/work directory before starting the JBoss server. See Readme item 8.5 for more information about upgrade issues associated with in-process resource requests.

6.2 Installing Identity Manager 3.0.1 on SLES 10 gives Errors while Loading Shared Libraries

You might see errors such as the following while installing Identity Manager 3.0.1 on SLES 10:

awk: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory 
grep: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory

Novell provides a script to work around this problem. The script is installed at the same level as the IdmUserApp.bin file and is named SLES10-install.sh. The script takes the name of the installer binary file as an argument:

sh SLES10-install.sh <installer binary>

For example if you unpacked the ISO distribution to /tmp/IDM301, run the following from the command line:

$ cd /tmp/IDM301

$ sh SLES10-install.sh IdmUserApp.bin

The script comments out the setting of an environment variable in the IdmUserApp.bin file. This environment variable can cause the previously mentioned error on SLES 10. After making the modification, the script then launches the installer normally.

7.0 User Application: User Interface

7.1 Deleting and adding groups for a user profile through the Detail Page

In the Identity Manager User Application, under the Identity Self-Service tab, editing the group attribute to delete and add groups should be done as separate operations. If you remove and add groups as a one-step process, the deleted group name reappears when you click the + (add) button.

7.2 Support link in the Bookmark portlet does not work

The Support link in the Bookmark portlet does not work. The Novell Support Web site URL is http://www.novell.com/support.

7.3 “Recipient” retains a previous value

In Request Team Resources in the Identity Manager user application, “Recipient” retains its previous value after you use the Back or Cancel button. To clear the current state so you can see the new value, return to the menu of actions on the left side of your tab page and click Request Team Resources.

7.4 Can’t log in as two different users in Firefox at the same time

In the User Application, if you log in as User A using a Mozilla-family browser (Firefox, Netscape, or Mozilla), then open another browser instance (of the same kind of browser) and log in as User B, you might see information for User B when going back to the first browser instance. This is because browser instances are sharing (and overwriting) the same cookie. This behavior is specific to Mozilla-family browsers; it does not occur with Internet Explorer.

7.5 Using the Organization Chart HTML Editor in Firefox causes exceptions

Exceptions can occur in Firefox on Cut, Paste, Copy operations when using the HTML Editor within Orgchart preferences. Mozilla doesn’t allow scripts to access the Clipboard for security reasons. Therefore, the Cut, Copy, and Paste buttons aren’t available in Firefox.

You can use the following procedure to enable cut, copy, and paste:

  1. In Firefox, you can download an extension named Allow Clipboard Helper via Tools > Extensions, which leads you to the extension download Web site.

  2. After the download, you will see Allow Clipboard Helper in Firefox > Tools.

  3. Open it, and enter the server address where you want to grant the Clipboard access, then click Allow.

  4. You can add as many Web sites as you like, but grant clipboard access only to servers you trust (such as the User Application server), because the permission applies to every page served from that address. Shut down all the Firefox browsers, restart Firefox, and cut/copy/paste should be working in Firefox.

7.6 Users should have proper eDirectory rights to create users and groups

When you log into the IDM User Application, there is a link on the left menu to create a user. In order to create users, you must have the necessary eDirectory rights to add entries to the directory. Because the IDM User Application has existing eDirectory users, those users should already have the necessary rights.

To give eDirectory rights to new users:

  1. In iManager, click View Objects.

  2. Browse to the object that contains your user container (for example, MySample.novell) and click Modify Trustees.

  3. Add a trustee (for example, MySample.novell) and change the assigned rights.

  4. Under [Entry Rights], select Create. Leave other fields with the default values, then click Save.

All of the users in the users.MySample.novell container can now create users or groups within that MySample entity. Because a container trustee assignment applies to every object in that container, assign the trustee to the narrowest container (or group) whose members actually need to create objects.

7.7 Resource requests are not supported for multiple users

In the User Application, it is not currently possible to request a resource for a list of users. The Team Resource Request page includes text indicating that this might be supported. The text says “Select a user (or users, if the resource you selected was marked Multiple Recipients Allowed) for whom you are requesting a resource.” This capability is not supported in this release.

7.8 GroupWise WebAccess portlet generates error on page in Internet Explorer

When using the GroupWise® WebAccess portlet and accessing a GroupWise 7.0 server, you receive an Error on Page message when you click the Calendar tab if you are using Internet Explorer 6.x. Firefox works without error. This error has been fixed in GroupWise 7.0.1.

7.9 Background image locations for themes disappear from view

Background image locations you specify for themes (whether manually or by performing a browse operation) disappear from view immediately after you enter them.

To reproduce:

  1. Go to Administration > Themes > Customize Branding (from any theme).

  2. Browse to a file for the Background Image Location or specify a file by typing the name.

  3. Select a JPG file.

The file will flicker and disappear from the screen. The new theme is saved, but the field is empty.

7.10 Minor display problem might occur in Organization Chart on first access

On Novell Linux Desktop (NLD), you might see a minor cosmetic problem when you first display an organization chart. The first time you do a lookup for a user, you might see the left root node icon in the middle of the screen by itself and not aligned with the user. On subsequent viewing, the icon lines up properly.

7.11 User Application and cookie requirements

The User Application requires that you enable cookies in your browser settings.

7.12 Special Characters in the User Application must be escaped

The User Application supports the same characters as iManager. For information on escaping special characters, refer to the iManager documentation on Special Characters.

7.13 Logging in without first logging out can cause failure of the login

When a user is logged into the user application, loads the login portlet or page from a Bookmark or History, and tries to log in again, the second login does not correctly set up the new portal session. This can cause the second login to fail.

8.0 User Application: Administration

8.1 Initial password expiration for new users or groups is now configurable

Administrators can now configure the initial password expiration for new users. To do so, edit the Create Portlet Preferences as documented in the Identity Manager User Application: Administration Guide.

Specify an Expire password on initial login preference.

  • True (default) expires the password upon the new user's first login.
  • False uses the eDirectory settings to determine when the password expires.

8.2 Using SOAP to override the default retention period for workflows

The default setting for retaining completed workflow information is 120 days. However, you can use the SOAP interface to the Workflow Engine to change this setting. To access the SOAP interface for the Workflow Engine, type the following URL in a browser:

http://server:port/IDMProv/provisioning/service?test

When you see the page that lists the Workflow Engine methods you can call, select the setCompletedProcessTimeout method. The parameter you pass to this method changes the retention period. The value you specify must be in milliseconds (for example, 30 days is 2592000000 milliseconds).

8.3 Additional information on using iChain Simultaneous Logout

Note the following correction to the ICS Logout Page definition in the Identity Manager 3.0 Installation Guide, in section 5.4, “Installing the User Application:”

“The URL to the iChain® logout page” should be “The URL to the iChain logout page, where the URL is a hostname that iChain expects.”

Also note that to enable ICS Logout in the Identity Manager user application, you must turn on the Cookie Forward option in iChain, as follows:

  1. From the iChain Web management console, click Modify on the Accelerator in question.

  2. In the Web Server Accelerator window, click Authentication Options. This opens the Add Authentication Profiles window.

  3. Select Forward iChain Cookie to web server, then click OK. The presence of that cookie in the header tells Identity Manager to do the redirect with the URL that is in configupdate.sh.

8.4 A workflow fails to trigger from an eDirectory event

A single quote in a workflow Common Name (CN) prevents an eDirectory event from triggering that workflow. Avoid using a single quote in a workflow CN.

8.5 After migrating from IDM 3 to IDM 3.0.1, in process resource request tasks might fail to display

Unfinished tasks can fail to display after you upgrade from Identity Manager 3.0.0 to Identity Manager 3.0.1. To work around the problem:

  1. Before installing IDM 3.0.1, stop the JBoss application server and delete the jboss/server/IDMProv/work directory.

  2. If you have already installed Identity Manager 3.0.1, stop the JBoss server and then delete the jboss/server/IDMProv/work directory.

    The JBoss server must not be running while you delete the work directory.

8.6 Coordinating Identity Manager user application passwords with iManager password policies

The Identity Manager User Application: Administration Guide is missing the following information to help you coordinate Identity Manager user application passwords with iManager password policies.

In Sections 19.3.1 and 19.7.1, add the following information describing the Universal Password requirement: “If Universal Password is enabled, open iManager and go to Passwords > Password Policies > Universal Password > Configuration Options. Make sure the following option is selected: ‘Verify whether existing passwords comply with the password policy (verification occurs on login).’”

In Section 16.2.1, add the following information describing the Container for Create property: “If you use the Create portlet to create users and want to assign the users to an iManager password policy, also assign the specified container to the same iManager password policy. This ensures that users created in the user application are automatically assigned to the default iManager password policy.”

8.7 Special characters in a password cause a schema extension problem during install

If your Identity Manager installation account password contains special characters, you might see the schema extension fail. You should install using a different account or change your password.

8.8 LDAP port must be set in the ForgotPasswordPortlet

On your User Application Server (JBoss server), when you use the User Application login page, if you click the Forgotten Password link and enter the user name, the portal might return the following error message on the JBoss console and not redirect:

08:59:17,962 ERROR [EboPortletProxyHelper] The portlet entity does not exist com.novell.afw.portal.aggregation.EboPortletInfoBean: id [portal-general] iid [-1] timeout [-1] multithread [false]

The error results from the ldap-sslport preference in the ForgotPasswordPortlet portlet using the standard default TLS (ldaps) port of 636 instead of the port configured for your LDAP server’s secure connection. The eDirectory administrator has probably changed the default secure LDAP port on the eDirectory instance to a non-standard port. eDirectory administrators commonly change the LDAP ports when running eDirectory on the same physical hardware as other LDAP-enabled systems such as Active Directory*.

If your secure LDAP (TLS) configuration uses a port other than 636, change the ldap-sslport preference in the ForgotPasswordPortlet to the port configured for your secure LDAP as follows:

  1. Open the User Application.

  2. Open Administration > Portlet Admin > ForgotPasswordPortlet > ForgotPasswordPortlet instance > Preferences.

  3. Change the value of ldap-sslport from the default port of 636 to the port configured for your LDAP server’s secure LDAP connections.

8.9 Parallel approvals don’t work when addressee for one step refers to another step

In a provisioning workflow that uses parallel processing, the addressee for one approval activity should not refer to the addressee for another approval activity in the flow. The reason for this is that the workflow engine does not have any way to know which step will be executed first, because the activities are being processed in parallel. In addition, the iManager plug-in for Provisioning Request Configuration is not able to determine which addressees should be allowed at any point in time. To restrict the list of possible addressees, the plug-in would need to analyze the flow to get the list of upstream activities that have already been completed. This capability is not supported in the plug-in at this time.

8.10 JBoss directory browsing is enabled by default

By default, JBoss allows directory browsing. Therefore, if you type the URL http://server:8080/IDMProv/resources/, the list of resources under this URL is displayed.

If you do not want directory browsing to be enabled, go to jboss-4.0.2\server\IDM-Application Context\deploy\jbossweb-tomcat55.sar\conf, and edit the listings entry in the web.xml file:

<servlet>
   <servlet-name>default</servlet-name>
   <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
   <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
   </init-param>
   <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
   </init-param>
   <load-on-startup>1</load-on-startup>
</servlet>

To suppress the display of resources, change the listings value from true to false.

8.11 Service config.xml files contain outdated version numbers

The services for various subsystems within the user application might contain outdated version numbers. You do not need to modify these files to correct the versions.

For example, IDMfw.jar contains the FrameworkService-conf\config.xml file, which has the following entry for the version number:

<property>
   <key>FrameworkService.version</key>
   <value>040712, Version 5.2.1</value>
</property>

8.12 The Workflow activity escalation policy might result in workflow failure and process termination

In the Provisioning Request Configuration plug-in to iManager, you can define an escalation policy that redirects a workflow activity to the manager of the original addressee.

If the original addressee is a task group that has more than one manager, the escalation fails. The Provisioning Request Configuration plug-in does not prevent you from defining this type of escalation, so you need to be careful to avoid it.

8.13 Starting workflows with the SOAP Web Service sometimes causes errors

On Linux, the default open-file limit is not sufficient to support a large number of requests initiated through the SOAP Web Service. The User Application Driver might reach this limit when using the Web Service endpoints to trigger workflows in response to directory events.

Linux has a default open-file limit of 1024 for each process. If you start the JBoss server with the default setting, you might see errors when more than 40 or 45 requests are started sequentially through the SOAP Web Service interface. After reaching the limit, you might be unable to initiate any more requests for several minutes. In some cases, you might need to restart the JBoss server.

To work around this problem, you can increase the open-file limit from 1024 to 4096. The limit is inherited by child processes, so it must be raised in the shell that starts the JBoss server.

If you’re using BASH, execute these commands to increase the open-file limit:

su - root
ulimit -n 4096
su - <user>
start-jboss.sh

If you’re using C Shell, execute these commands to increase the open-file limit:

su - root
limit descriptors 4096
su - <user>
start-jboss.sh
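The following is an added example, not Novell's start-jboss.sh: a small launcher that reads the process's open-file limit, raises the soft limit to the 4096 the readme recommends where the hard limit allows it, and refuses to start the server otherwise instead of running into the "too many open files" condition minutes later. The start-jboss.sh script name is taken from the commands above; that it is on the PATH is an assumption.

```python
"""Check and raise RLIMIT_NOFILE before launching the application server.

Uses the readme's figures: Linux defaults to 1024 descriptors per process and
the workaround raises the limit to 4096. Child processes inherit the limit, so
raising it here covers the JVM that start-jboss.sh launches (assumed on PATH)."""
import resource
import subprocess

DEFAULT_REQUIRED = 4096  # the value the readme recommends


def nofile_limits():
    """Return (soft, hard) RLIMIT_NOFILE for the current process."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def nofile_limit_ok(required=DEFAULT_REQUIRED):
    """True if the soft limit already allows at least `required` open files."""
    soft, _ = nofile_limits()
    return soft == resource.RLIM_INFINITY or soft >= required


def raise_nofile_limit(required=DEFAULT_REQUIRED):
    """Raise the soft limit towards `required` and return the soft limit in effect.

    A non-root process can raise its soft limit only up to the hard limit; going
    beyond that needs root (ulimit -n as root, or /etc/security/limits.conf)."""
    soft, hard = nofile_limits()
    if nofile_limit_ok(required):
        return soft
    target = required if hard == resource.RLIM_INFINITY else min(required, hard)
    resource.setrlimit(resource.RLIMIT_NOFILE, (target, hard))
    return nofile_limits()[0]


def start_jboss(required=DEFAULT_REQUIRED, script="start-jboss.sh"):
    """Start JBoss only if the open-file limit could be raised far enough."""
    soft = raise_nofile_limit(required)
    if not nofile_limit_ok(required):
        raise SystemExit(
            f"open-file soft limit is {soft}, need {required}; raise the hard limit as root")
    return subprocess.call([script])


if __name__ == "__main__":
    print("RLIMIT_NOFILE soft/hard before:", nofile_limits())
    print("soft limit after raise:", raise_nofile_limit())
```

Run it as the user that starts JBoss; if the printed limit stays below 4096, the hard limit is the obstacle and has to be raised as root first, exactly as the su - root step above does.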

8.14 Separate user applications should not share a single instance of the User Application Driver

The User Application Driver stores various kinds of information (such as workflow configuration and cluster information) that is application-specific. Therefore, a single instance of the User Application Driver should not be shared among multiple applications.

The User Application stores application-specific data to control and configure the application environment. This includes the JBoss Application Server cluster information and the workflow engine configuration. The only user applications that should share a single User Application Driver instance are those applications that are part of the same JBoss cluster. You should not configure a set of user applications to share a single driver unless they are part of the same JBoss cluster. Otherwise, your configuration could lead to ambiguity and misconfiguration for one or more of the components running inside the user application.

8.15 Root, user, and group container DNs do not support the root of the tree or allow multiple container DNs to be selected

In the install program for the Identity Manager User Application, you can specify the Root Container DN, User Container DN, and Group Container DN for the application. In this release, you cannot specify the treeRoot in eDirectory as the root container. Also, you cannot specify more than one search root for any particular object type (container, user, or group). Instead, you must specify a single search scope.

However, an organization (o) can be contained in a Country (c) or locality (l), as shown below:

c=US
   o=novell-provo
   o=novell-waltham

This type of configuration works.

8.16 Separate instances of the User Application Driver should not share the same user container

If two separate instances of the User Application Driver point to the same user container, the availability settings (on the Edit Availability page of the user application) show availability entries from both applications.

For example, Server 1 is configured to use one driver (such as driver1,o=novell), and Server 2 is configured to use another (such as driver2,o=novell). Both servers are configured to use the same containers for users, groups, and root container (such as ou=users,o=novell). A user on Server 1 creates a delegate definition for a user and provisioning request definition. The user is then marked as unavailable for that request definition. Server 2 shows the user as unavailable, but it is unable to resolve the friendly name for the request definition. If the user’s delegate definitions on Server 2 are examined, the definition from Server 1 is not seen.

The reason for this behavior is that delegation information (created when users mark themselves available or unavailable) is stored on user records. This information includes the delegate/delegator information along with the provisioning request definition and start/stop time for delegation. The delegate definition, from which delegation information is derived, is stored in the driver, along with the provisioning request definition.

We recommend not configuring two separate driver instances to point to the same user container.

8.17 User Application logging configuration is not propagated to all servers in a cluster

When you make changes to the logging configuration for a User Application server in a cluster, the changes are not propagated to the other servers in the cluster. For example, if you use the Logging administration page on a server in a cluster to set the logging level for com.novell.afw.portal.aggregation to Trace, this setting is not propagated to the other servers in the cluster. To work around this problem, you must individually configure the level of logging messages for each server in the cluster.

8.18 The User Application Driver must be restarted after creating a new provisioning request definition

The User Application Driver reads the list of workflow attributes when the driver is started. If you create a new provisioning request definition, and if you immediately try to create a Schema Mapping policy, the attributes for the new provisioning request definition do not appear in the list of application attributes after you refresh the application schema. This is because the User Application driver needs to be restarted before the provisioning request definition is made available. After creating the new provisioning request definition, stop the user application driver, then restart it before attempting to use the provisioning request definition in policies. Alternatively, in the Schema Mapping policy editor, simply refresh the application schema twice.

8.19 Installing to a cluster does not prompt for workflow engine ID

When running workflows in a cluster, each server’s workflow engine must have a unique ID. The engine ID is set by passing -Dcom.novell.afw.wf.engine-id to the Java VM. On Linux, the user needs to edit the jboss/bin/run.conf file and pass that property in the JAVA_OPTS line. For example (here the engine ID is echo; use a different value on each node):

if [ "x$JAVA_OPTS" = "x" ]; then
   JAVA_OPTS="-server -Xms800m -Xmx800m -Dcom.novell.afw.wf.engine-id=echo"
fi

The install program does not prompt you to specify the workflow engine ID. Therefore, you need to identify the engine by passing the JAVA_OPTS property, as shown above.
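Because the installer never asks for the ID, a node cloned from another node's run.conf silently ends up with a duplicate. The following is an added example, not part of the readme or of Novell's installer: it pulls the engine ID out of each node's run.conf and reports nodes with no ID or with an ID another node already uses. The host names and run.conf contents are constructed for the example.

```python
"""Verify that every JBoss cluster node passes a unique -Dcom.novell.afw.wf.engine-id."""
import re
import shlex

ENGINE_ID_PROP = "com.novell.afw.wf.engine-id"


def engine_id_from_java_opts(java_opts):
    """Return the engine ID set in a JAVA_OPTS string, or None if it is absent.

    Tokenised shell-style so quoted values survive; the last occurrence wins,
    which matches how the JVM treats repeated -D flags."""
    engine_id = None
    for token in shlex.split(java_opts):
        m = re.fullmatch(r"-D" + re.escape(ENGINE_ID_PROP) + r"=(.*)", token)
        if m:
            engine_id = m.group(1)
    return engine_id


def engine_id_from_run_conf(text):
    """Pull the engine ID out of the contents of a run.conf file.

    Only the JAVA_OPTS="..." assignment is inspected; the rest is ignored."""
    m = re.search(r'^\s*JAVA_OPTS="([^"]*)"', text, re.MULTILINE)
    return engine_id_from_java_opts(m.group(1)) if m else None


def check_cluster_engine_ids(run_confs):
    """Map {host: run.conf text} to {"missing": [hosts], "duplicates": {id: [hosts]}}.

    Both conditions break workflow processing in a cluster: a node with no ID,
    and two nodes claiming the same ID."""
    missing, by_id = [], {}
    for host, text in run_confs.items():
        engine_id = engine_id_from_run_conf(text)
        if not engine_id:
            missing.append(host)
        else:
            by_id.setdefault(engine_id, []).append(host)
    duplicates = {eid: hosts for eid, hosts in by_id.items() if len(hosts) > 1}
    return {"missing": sorted(missing), "duplicates": duplicates}


# Constructed sample: node3 was cloned from node1 and node4 was never edited.
SAMPLE_RUN_CONFS = {
    "node1": 'if [ "x$JAVA_OPTS" = "x" ]; then\n   JAVA_OPTS="-server -Xms800m -Xmx800m -Dcom.novell.afw.wf.engine-id=engine1"\nfi\n',
    "node2": 'if [ "x$JAVA_OPTS" = "x" ]; then\n   JAVA_OPTS="-server -Xms800m -Xmx800m -Dcom.novell.afw.wf.engine-id=engine2"\nfi\n',
    "node3": 'if [ "x$JAVA_OPTS" = "x" ]; then\n   JAVA_OPTS="-server -Xms800m -Xmx800m -Dcom.novell.afw.wf.engine-id=engine1"\nfi\n',
    "node4": 'if [ "x$JAVA_OPTS" = "x" ]; then\n   JAVA_OPTS="-server -Xms800m -Xmx800m"\nfi\n',
}

if __name__ == "__main__":
    print(check_cluster_engine_ids(SAMPLE_RUN_CONFS))
```

In practice you would read each node's jboss/bin/run.conf (for example over scp) into the dictionary instead of the constructed strings; an empty "missing" list and an empty "duplicates" map is the pass condition.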

8.20 Workflow requests might cause MySQL to exceed its connection limit

By default, MySQL sets the maximum number of connections to 100. This number might be too small to handle the workflow request load in a cluster. If the number is too small, you might see the following exception:

(java.sql.SQLException: Data source rejected establishment of connection, message from server: "Too many connections.")

To increase the maximum number of connections, set the max_connections variable in the [mysqld] section of my.cnf, then restart MySQL.

8.21 Server caching problem might occur with photos in the Detail portlet

If you change the way images are displayed in the Detail portlet header by specifying the $IMG: tag, you must flush the CompiledLayout cache for the changes to take effect. Follow these steps to flush the cache:

  1. Go to the Administration tab of the user application.

  2. Go to the Caching tab.

  3. Select CompiledLayout from the Flush Cache drop-down list.

  4. Click Flush Cache.

8.22 A User is allowed to add direct reports to the manager even if the direct report user has another manager assigned

It is possible that a user who has access to the Edit User page of the Identity Self-Service tab can make changes that break the hierarchical reporting structure. For example, it is possible to change the reporting structure so that a manager reports to a person in his or her own organization.

8.23 Portal Data Import utility fails to import pages without descriptions

The Portal Data Import utility (Administration > Tools > Portal Data Import) uses the shared-pages.xml and container-pages.xml in the Portal Data Export ZIP file to generate container and shared pages, and portlets. If the <description/> element is blank, then pages cannot be imported.

To work around this, provide text for the <description/> element and perform the import again.

8.24 Additional documentation is available on JBoss setup

The Identity Manager User Application: Administration Guide contains some information on configuring JBoss. If you need further information on JBoss setup, see the following sources:

8.25 Required Attribute rights for Provisioning Request objects

To use the iManager Provisioning Request Configuration plug-in, you must have Read rights and Write rights to the attributes associated with the Provisioning Request objects.

8.26 Character set encoding support and Tomcat

By default, the user application character encoding filter is set to enabled in the user application's web.xml. This setting typically does not require any specific configuration, but it might require changes if you have configured Tomcat for URI encoding. There are two attributes in the configuration of Tomcat http/https connector that affect character set encoding and filter configuration: URIEncoding and useBodyEncodingForURI.

--URIEncoding

This entry specifies the character encoding used to decode the URI bytes, after %xx decoding the URL. If not specified, ISO-8859-1 is used. Both http and https connectors must have the same configuration, and the character encoding filter should be modified to include the uri-encoding init parameter. The value of this parameter should be the same as the value of the URIEncoding attribute in the Tomcat connector configuration.

<filter>
   <filter-name>AggregationServletEncFilter</filter-name>
   <display-name>AggregationServletEncFilter</display-name>
   <filter-class>com.novell.afw.portal.l18n.CharacterEncodingFilter</filter-class>
   <init-param>
      <param-name>uri-encoding</param-name>
      <param-value>UTF-8</param-value>
   </init-param>
</filter>

--useBodyEncodingForURI

This entry specifies whether the encoding specified in contentType should be used for URI query parameters instead of using the URIEncoding. This setting is present for compatibility with Tomcat 4.1.x, where the encoding is specified in the contentType, or explicitly set using Request.setCharacterEncoding method for the parameters from the URL. The default value is false.

If useBodyEncodingForURI is set to true, the filter configuration should include the use-body-encoding init parameter, for example:

<filter>
   <filter-name>AggregationServletEncFilter</filter-name>
   <display-name>AggregationServletEncFilter</display-name>
   <filter-class>com.novell.afw.portal.l18n.CharacterEncodingFilter</filter-class>
   <init-param>
      <param-name>use-body-encoding</param-name>
      <param-value>true</param-value>
   </init-param>
</filter>

For more details, see the Tomcat connector configuration documentation.
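To make the interaction of the two attributes concrete, the following is an added example, not part of the readme: a model of how the connector picks the charset for query parameters (URIEncoding, unless useBodyEncodingForURI is true and the request carries its own charset) and of the mojibake users see when the bytes of a UTF-8 URL are decoded as ISO-8859-1 because the filter and the connector disagree. The query strings are constructed; the parameter names are arbitrary.

```python
"""Model Tomcat's charset selection for query parameters and the effect of a mismatch.

The connector first turns %xx escapes into raw bytes and then decodes those bytes
with the chosen charset (ISO-8859-1 unless URIEncoding is set)."""
from urllib.parse import unquote_to_bytes


def query_charset(uri_encoding="iso-8859-1", use_body_encoding_for_uri=False,
                  request_charset=None):
    """Charset applied to the query parameters of one request.

    With useBodyEncodingForURI="true" the charset from the request's Content-Type
    (or Request.setCharacterEncoding) wins when one is present; otherwise the
    connector's URIEncoding is used. Defaults mirror Tomcat's: false, ISO-8859-1."""
    if use_body_encoding_for_uri and request_charset:
        return request_charset
    return uri_encoding


def decode_query(raw_query, charset="iso-8859-1"):
    """Decode a raw query string into {name: [values]} using `charset`.

    %xx sequences become bytes first, '+' becomes a space, then the bytes are
    decoded; undecodable bytes are replaced rather than raising."""
    decoded = {}
    for pair in raw_query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        key = unquote_to_bytes(name.replace("+", " ")).decode(charset, errors="replace")
        val = unquote_to_bytes(value.replace("+", " ")).decode(charset, errors="replace")
        decoded.setdefault(key, []).append(val)
    return decoded


def encoding_mismatch_demo(raw_query="q=caf%C3%A9"):
    """Decode a UTF-8-escaped query under the default charset and under UTF-8.

    Returns (value_as_iso_8859_1, value_as_utf_8); the first is what users see
    when the filter's uri-encoding does not match the connector's URIEncoding."""
    return (decode_query(raw_query, query_charset())["q"][0],
            decode_query(raw_query, query_charset(uri_encoding="utf-8"))["q"][0])


if __name__ == "__main__":
    wrong, right = encoding_mismatch_demo()
    print(f"ISO-8859-1: {wrong!r}")
    print(f"UTF-8:      {right!r}")
    # a request with Content-Type charset=UTF-8 and useBodyEncodingForURI="true"
    print("charset for query params:",
          query_charset(use_body_encoding_for_uri=True, request_charset="utf-8"))
```

The same two-step decode (bytes first, charset second) is why the http and https connectors must carry identical settings: a user whose request moves from one connector to the other would otherwise get different parameter values for the same URL.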

8.27 Using a DNDisplay form control can result in provisioning application errors

The following error results when you use a DNDisplay form control to put data in the Pre-Activity Map for an Approval Form in a provisioning request:

Error Message:
Index:0, Size:0

If the problem persists, copy the error message and error log and send them to your system administrator. You can click the Error Log link to see the details of the IndexOutOfBoundsException that occurred.

The workaround is to use a DNLookup control instead. Set the following DNLookup properties to False:

  • Editable
  • Show object history button
  • Show object selector button
  • Show clear button

The two controls look different, but have the same function.

8.28 Change in behavior of the DirXML-EntitlementResult attribute

There has been a change to the way in which the DirXML-EntitlementResult multi-valued attribute is handled. Previously, entitlement results were not purged from this attribute. Now, the default behavior has been changed. Entitlement results are now purged after they are processed.

You can change the default behavior (specify whether entitlement results are purged or not, and how they are purged).

  1. In iManager, display the Identity Manager Driver Overview page for your user application driver.

  2. Click Event Transformation Policies.

  3. Click the Manage Modify policy for your user application driver, then click Edit.

  4. Click Set Entitlement Purge Type.

  5. In the Do append XML text action, type one of the following in the Enter String field:

    • current: After notifying the user application driver, delete the entitlement result that caused the event. This is the default behavior. It is also used if no entitlement purge type is set, or if an invalid entitlement purge type is set.

    • none: Do not purge the entitlement result.

    • previous: Delete any previous entitlement results without deleting the one that caused the event.

    • notnewer: Delete previous entitlement results including one that caused the event. This preserves any entitlement result that was created after the entitlement result that caused the event.
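The four purge types differ only in which values survive relative to the result that fired the event. The following is an added example, not Novell's policy code, that models that behaviour so the choice can be checked before it is written into the Manage Modify policy. Each result is modelled as an ID plus a creation order; the real attribute values are XML documents, and the ordering field is an assumption for the example.

```python
"""Model the DirXML-EntitlementResult purge types: current, none, previous, notnewer."""
from dataclasses import dataclass

VALID_PURGE_TYPES = ("current", "none", "previous", "notnewer")


@dataclass(frozen=True)
class EntitlementResult:
    result_id: str
    timestamp: int  # creation order; higher is newer (assumed ordering field)


def results_after_purge(results, triggering_id, purge_type):
    """Return the results left on the attribute after the purge for `triggering_id`.

    Unknown or unset purge types fall back to "current", as the readme states."""
    if purge_type not in VALID_PURGE_TYPES:
        purge_type = "current"
    trigger = next(r for r in results if r.result_id == triggering_id)
    kept = []
    for r in results:
        if purge_type == "none":
            kept.append(r)
        elif purge_type == "current":
            # delete only the result that caused the event
            if r.result_id != trigger.result_id:
                kept.append(r)
        elif purge_type == "previous":
            # delete anything older than the trigger; keep the trigger and newer ones
            if r.timestamp >= trigger.timestamp:
                kept.append(r)
        elif purge_type == "notnewer":
            # delete the trigger and everything older; keep only newer ones
            if r.timestamp > trigger.timestamp:
                kept.append(r)
    return kept


def remaining_ids(results, triggering_id, purge_type):
    """Convenience wrapper returning just the surviving result IDs, in attribute order."""
    return [r.result_id for r in results_after_purge(results, triggering_id, purge_type)]


# Constructed sample attribute: three results already processed (r1..r3),
# the one that fired the event (r4), and one written after it (r5).
SAMPLE_RESULTS = [
    EntitlementResult("r1", 1), EntitlementResult("r2", 2), EntitlementResult("r3", 3),
    EntitlementResult("r4", 4), EntitlementResult("r5", 5),
]

if __name__ == "__main__":
    for purge_type in VALID_PURGE_TYPES + ("bogus",):
        print(f"{purge_type:9s} -> {remaining_ids(SAMPLE_RESULTS, 'r4', purge_type)}")
```

Note that "none" lets the attribute grow without bound, and "current" still leaves older, already-processed results in place; "notnewer" is the only type that clears the backlog while preserving results that arrived after the event.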

8.29 When defining a mandatory attribute in the directory abstraction layer editor, set it to Require

When you define directory abstraction layer entities that include auxiliary classes, be aware that all auxiliary class associations specified in the entity definition are added to the object instance when the entity is created or updated by the user application. If the auxiliary class that is included in the entity definition contains mandatory attributes, your users might encounter a schema violation. They will see this as a generic NDS exception in the user application (NDS error: missing mandatory (-609)).

You can avoid this error by making sure the attribute's Require property is selected, so that the user application always collects a value for it. To set the property, edit the attribute in the directory abstraction layer editor.

9.0 User Application: Performance

9.1 Session timeout should be tuned to improve server performance

By default, the server's session timeout is 20 minutes. Tune the session timeout to match the server and usage environment in which the application runs; in general, keep it as short as practically possible. If business requirements can tolerate a 5-minute session timeout, the server releases unused resources sooner than with the default, which makes it faster and more scalable. A shorter timeout also limits how long an unattended or hijacked session remains usable.

However, keep in mind the following considerations:

  • Longer session timeouts might cause the JBoss server to run out of memory if many users log in. This is true of any application server that has too many open sessions.
  • When a user logs in to the user application, an LDAP connection is created for the user, and bound to the session. If more sessions are open, more LDAP connections are held open and the longer the session timeout, the longer these connections are held open. Too many open connections to the LDAP server can cause system performance degradation, even if the connections are idle.
  • If the server starts experiencing OutOfMemoryErrors, and the JVM* heap and garbage collection tuning parameters have already been optimized for the server and usage environments, then you should consider lowering the session timeout.

The session timeout is set in the web.xml file, as the session-timeout element (a value in minutes) inside session-config.

9.2 The timeout attribute can be an expression

If you edit the source specifying the timeout attribute for user activities, the value of this attribute can be either a number, in a unit that you specify, or an expression that resolves to a number of milliseconds. An expression must return an instance of java.lang.Number.

Example:

  • A constant value in milliseconds: timeout=“172800000” (48 hours)

9.3 Enabling e-mail notification for workflows without configuring the e-mail server results in memory consumption

If you enable e-mail notification in your provisioning request definitions, but you do not configure any e-mail servers, e-mail notifications pile up on the server and are never sent. This eventually uses up available memory.

If you turn on e-mail notification, be sure to configure the e-mail server so that the e-mail messages are actually sent. To configure the e-mail server, select Email Server Options under Workflow Administration in iManager.

9.4 Recommended JBoss settings for production environments

By default, the JBoss deployment scanner (the URLDeploymentScanner MBean defined in the server configuration's conf/jboss-service.xml, whose ScanPeriod attribute is in milliseconds) runs every five seconds. For a production server this is typically not necessary and might impact performance, so consider turning it off.

Refer to the JBoss site for more information about tuning for production environments.

10.0 Localization

10.1 E-mail Subject text display problem

The Windows GroupWise Mail and Outlook* Clients have a known bug when displaying the Subject text from an HTML “mailto:” command. This bug appears when the browser uses a double-byte character set language such as Chinese, Japanese, or Korean.

In this case, when you send identity information from the Detail page, the Subject line has invalid characters because these mail clients do not unescape the double-byte characters correctly.

10.2 A browser's locale overrides Identity Manager locale settings for portal artifacts and portlet preferences

As a result of this bug, you might see anomalies such as one part of the UI appearing in the localized language but other parts appearing in English.

The workaround is to match your browser language and Identity Manager preferred locale. In Firefox, set the highest-preference language. In Internet Explorer, set the highest-priority language. Change the preferred locale with either iManager or the Edit User feature in the Identity Manager User Application.

10.3 Possible issue with character set encoding

You should ensure that the input and output character encodings match those used by the source or destination application. Any characters that are not representable in the selected output are changed to question marks (?).

10.4 The locale must be set correctly to display localized characters on an English OS

If you run the User Application Configuration tool (for configuring LDAP settings) in a localized operating system environment, all the text input boxes are displayed correctly. For example, if there are any Chinese distinguished names in eDirectory, or you input any Chinese characters, these are displayed properly in a Chinese operating system environment. However, if you are in an English operating system environment, any Chinese characters entered or returned from eDirectory are displayed as non-readable characters (most likely squares). This is because the Locale is not properly set.

If you are in an English operating system environment and want to display localized characters, do the following:

- In a Windows 2000 environment, go to the Control Panel and select Regional Options. Under the General tab, set Your Locale to the local language (such as Chinese (PRC)).

- In a Windows 2003 environment, go to the Control Panel and select Regional Options. Under the Regional Options tab, select Chinese (PRC) and apply the change.

- In a SUSE Linux environment, set the environment variable LANG as follows: export LANG=zh_CN

The same basic procedure applies to all languages.

10.5 Some accessory portlets have not been localized

The Message, HTML, RSS News Feed, and Shortcut accessory portlets have not been localized. In addition, the help section of the HTML Editor portlet has not been localized.

10.6 The portlet category description contains escape characters

The portlet category description on the Category tab in Portlet Administration contains escape characters (backslashes that appear around the greater-than and less-than signs). This problem exists in all localized languages.

10.7 The OK and Cancel buttons on the Content Preferences dialog are not localized

In Portal Administration > Page Administration, the Content Preferences dialog box always displays the following text in English: “Changes have been made to your Selected Content. Click OK to save your changes or cancel to continue without saving.”

10.8 E-Mail has a problem displaying content in double-byte character-set languages

When Identity Manager sends an e-mail containing a double-byte character-set language such as Chinese or Japanese, the e-mail client has a problem reading it. Please contact Novell Technical Support if you encounter this problem.

11.0 iManager

11.1 Adding localized e-mail templates through iManager

To add localized e-mail templates through iManager:

  1. Log in to iManager.

  2. Under Roles and Tasks, expand Passwords or Workflow Administration.

  3. Click Edit Email Templates (under the Passwords plug-in) or Email Templates (under Workflow Administration).

  4. Identify the e-mail template (without any locale in the name) you want to copy, and write down its name for use in step 5. Click the template subject to open the template and view its message subject, body, and Replacement Tags. Copy the message subject, the body (to be translated), and the replacement tags you want to use in your new template, then click Cancel.

  5. Click Create and specify the template name with a locale extension. For example, to create a Forgot Hint template in German, enter the name Forgot Hint_de, where _de signifies Deutsch (German). Click OK.

    If you use a two-letter language and two-letter country code, this works as expected. If you attempt to use a locale with a variant such as en_US_TX, only the variant and language are considered. Do not use locale variants when naming e-mail templates in this release.

  6. In the template list, click the newly created template, for example Forgot Hint_de, and enter the translated subject and message body, for example in German. Be sure to preserve the replacement tags surrounded by the dollar ($) sign in the message body.

  7. Click Add to enter or paste Replacement Tags, then click OK.

  8. Click Apply, then OK.

E-mail templates only send properly localized content if the preferred locale is set for the user to whom the mail is sent.
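The naming convention above (base name plus _language or _language_COUNTRY) and the requirement to preserve the $Tag$ replacement tags are both easy to get wrong by hand. The following is an added example, not Identity Manager code, that validates a locale suffix, resolves the most specific template name for a user's preferred locale, and reports replacement tags lost in translation. The fallback order (name_lang_COUNTRY, then name_lang, then the unsuffixed name) is an assumption patterned on java.util.ResourceBundle; the readme only states the naming convention. The template texts and tag names are constructed for the example.

```python
"""Localized e-mail template naming and a replacement-tag check.

Added example, not Identity Manager code. Assumptions: the fallback order
in candidate_names() (modelled on java.util.ResourceBundle), and the
constructed template bodies and tag names below.
"""
import re

# Two-letter language with an optional two-letter country; variants rejected.
LOCALE_SUFFIX = re.compile(r"^([a-z]{2})(?:_([A-Z]{2}))?$")
# Replacement tags are surrounded by dollar signs, e.g. $UserFullName$.
REPLACEMENT_TAG = re.compile(r"\$([A-Za-z0-9_]+)\$")

# Constructed template store keyed by the name as shown in iManager.
TEMPLATES = {
    "Forgot Hint": "Hello $UserFullName$, your password hint is: $Hint$",
    "Forgot Hint_de": "Hallo $UserFullName$, Ihr Passwort-Hinweis lautet: $Hint$",
    "Forgot Hint_pt_BR": "Ola $UserFullName$, sua dica de senha e: $Hint$",
    # Broken translation: a tag was translated and will never be substituted.
    "Forgot Hint_fr": "Bonjour $NomComplet$, votre indice est : $Hint$",
}


def split_locale(locale):
    """Accept 'de' or 'pt_BR'; reject variants such as 'en_US_TX' (see step 5)."""
    m = LOCALE_SUFFIX.match(locale)
    if not m:
        raise ValueError(f"unsupported locale suffix for a template name: {locale!r}")
    return m.group(1), m.group(2)


def candidate_names(base, locale):
    """Template names to try, most specific first (assumed fallback order)."""
    lang, country = split_locale(locale)
    names = [f"{base}_{lang}_{country}"] if country else []
    names.append(f"{base}_{lang}")
    names.append(base)
    return names


def resolve(base, locale, templates=TEMPLATES):
    """Name of the most specific existing template for the user's locale."""
    for name in candidate_names(base, locale):
        if name in templates:
            return name
    raise KeyError(base)


def tags(body):
    return set(REPLACEMENT_TAG.findall(body))


def missing_tags(base, localized, templates=TEMPLATES):
    """Replacement tags present in the source template but lost in translation."""
    return sorted(tags(templates[base]) - tags(templates[localized]))


if __name__ == "__main__":
    for loc in ("de", "de_DE", "pt_BR", "es"):
        print(loc, "->", resolve("Forgot Hint", loc))
    for name in TEMPLATES:
        if name != "Forgot Hint":
            print(name, "missing tags:", missing_tags("Forgot Hint", name))
```

Run missing_tags against every localized copy after translation; any non-empty result is a template that will be sent with literal text where a value should have been substituted.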

11.2 Saving edits to a workflow definition in iManager can generate a system error

You might receive a NullPointerException when using iManager to edit and save certain provisioning requests that were deployed by Designer for Identity Manager.

For workflows that have this problem, perform all configuration using Designer for Identity Manager.

11.3 iManager plug-in error: The driver password could not be saved

This issue is fixed by upgrading to NMAS 2.3.9.

11.4 iManager plug-in dependency for the NDS-to-NDS Driver Certificates wizard

If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Certificate Server.

12.0 Drivers

12.1 Character set encoding in the Delimited Text Driver must match character set encoding in applications

Ensure that the input and output character encodings configured in the Delimited Text Driver match those used by the source or destination application. Mismatches cause errors or corrupted data in the Identity Vault or the application. Characters that are not representable in the selected output are changed to question marks (?).

12.2 Using a non-Unicode MySQL database configuration causes parser errors

Using a non-Unicode MySQL database configuration causes parser errors under the following conditions:

  • The MySQL server is installed with non-Unicode encoding specified in its configuration file (for example latin-1), and
  • A MySQL database is created with the UTF-8 encoding required for the Identity Manager user application.

The JDBC* driver takes the character set used to transfer data between the user application and the MySQL server from the server's configured default. The MySQL database for the Identity Manager user application must use UTF-8 encoding, and the MySQL server configuration should also specify UTF-8.

However, if you need to leave the MySQL server configuration at a character set encoding other than UTF-8, you must force the JDBC driver to use the correct encoding. Do so by adding connection parameters to the JDBC connection definition stored in the mysql-ds.xml file deployed with the User Application.

  1. Create a database for the user application. Use a default character encoding of utf8 and default collation of utf8_bin:

    create database [database-name] character set utf8 collate utf8_bin;
    

    For more information on syntax, refer to http://dev.mysql.com/doc/refman/5.0/en/createdatabase.html.

  2. Edit the <connection-url> element in the mysql-ds.xml file deployed with your IDMProv.war or IDM.war file (for example, you might find the file at jboss-4.0.3.SP1/server/idm/deploy/mysql-ds.xml).

    Change the following:

    <connection-url>jdbc:mysql://[host]:3306/[database-name]</connection-url>
    

    To this new specification:

    <connection-url>jdbc:mysql://[host]:3306/[database-name]?useUnicode=true&amp;characterEncoding=utf8&amp;connectionCollation=utf8_bin</connection-url>
    

    Where [host] is your database server host and [database-name] is the name of your database. Because the URL sits inside an XML element, each ampersand separating the parameters must be written as &amp;, as shown.

MySQL connection parameters are documented in the MySQL 5.0 Reference Manual in Chapter 23, “Connectors.” The character-set and Unicode connection parameters are described in Section 23.3.4.4, “Using Character Sets and Unicode.”
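Editing the connection URL by hand invites two mistakes: dropping parameters that were already present, and writing a bare & inside the XML element. The following script, added here as an example and not Novell or JBoss code, merges the three parameters from step 2 into whatever query string the <connection-url> already carries and serializes the result through an XML writer, so the separators come out as &amp;. The datasource descriptor below is constructed for the example; the only layout it relies on is the JBoss 4 datasources / local-tx-datasource / connection-url nesting.

```python
"""Add the Unicode connection parameters to a JBoss mysql-ds.xml.

Added example, not Novell or JBoss code. SAMPLE_DS_XML is a constructed
descriptor; only the <datasources>/<local-tx-datasource>/<connection-url>
nesting is assumed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode

REQUIRED_PARAMS = {
    "useUnicode": "true",
    "characterEncoding": "utf8",
    "connectionCollation": "utf8_bin",
}

SAMPLE_DS_XML = """<datasources>
  <local-tx-datasource>
    <jndi-name>IDMDataSource</jndi-name>
    <connection-url>jdbc:mysql://dbhost:3306/idmuserapp</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <user-name>idmadmin</user-name>
    <password>change-me</password>
  </local-tx-datasource>
</datasources>
"""


def add_unicode_params(url):
    """Return `url` with the required parameters set, keeping any others."""
    base, _, query = url.partition("?")
    params = dict(parse_qsl(query, keep_blank_values=True))
    params.update(REQUIRED_PARAMS)  # overrides e.g. characterEncoding=latin1
    return f"{base}?{urlencode(params)}"


def fix_descriptor(xml_text):
    """Rewrite every MySQL <connection-url>; return (new xml text, [(old, new), ...])."""
    root = ET.fromstring(xml_text)
    changes = []
    for el in root.iter("connection-url"):
        old = (el.text or "").strip()
        if not old.startswith("jdbc:mysql:"):
            continue  # leave non-MySQL datasources alone
        new = add_unicode_params(old)
        if new != old:
            el.text = new
            changes.append((old, new))
    # ElementTree escapes '&' in element text as '&amp;' on output.
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    new_xml, changes = fix_descriptor(SAMPLE_DS_XML)
    for old, new in changes:
        print(f"{old}\n  -> {new}")
    print(new_xml)
```

Running fix_descriptor a second time on its own output reports no changes, so it is safe to rerun. ElementTree's default parser discards XML comments, so diff the output against the deployed file before replacing it.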

13.0 Designer 1.2 Provisioning Request Definition Editor

13.1 Editing more than one Provisioning Request Definition at a time can cause changes entered in one to appear in another

Editing more than one Provisioning Request Definition at a time can cause changes entered in one to appear in another. This occurs when using the DataItem Mapping or Email Notification views. To work around this issue, edit one Provisioning Request Definition at a time.

For other Designer issues, refer to the full Designer 1.2 Readme. The Readme is bundled with the Designer product and is also available at the Novell Designer for Identity Manager Web site.

14.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

For Novell trademarks, see the Novell Trademark and Service Mark list.