Novell Identity Manager 3.0.1 Readme

October 10, 2006

Table of Contents

12.0 Drivers

1.0 Documentation

The following sources provide information about Novell® Identity Manager:

2.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark

3.0 Fixes included in Identity Manager 3.0.1

For a list of defect fixes included in Identity Manager 3.0.1, see TID 3351724

4.0 System Requirements for Identity Manager 3.0.1

For the latest system requirements, see the Installation Guide section on System Requirements for Identity Manager.

5.0 eDirectory Considerations

5.1 NMAS installation Fails on eDirectory 8.7.3.x

As of eDirectory 8.7.3 SP8, the NMAS™ security updates are no longer included with the eDirectory patch. You need to download NMAS separately from Novell’s Download Web site.

If you are using eDirectory 8.7.3 SP8 or later and upgrade to Identity Manager 3.0.1, Challenge Response and other password functions do not work without the latest NMAS update.

5.2 Configuring eDirectory to enhance portal performance

In addition to using eDirectory 8.7.3 SP8 or later, you can make the following changes to your eDirectory system to avoid degradation of login response time (which sometimes occurs in environments that are under consistent load for an extended duration):

  • Set static cached with 50% block cache
  • In the _ndsdb.ini file, set preallocatecache=true
  • Specify a smaller cache amount

6.0 Identity Manager Installation

6.1 Upgrading the IDM 3.0 User Application to the IDM 3.0.1 User Application

Follow these tips to upgrade the Identity Manager 3.0 User Application to the Identity Manager 3.0.1 User Application:

  1. Before you begin:

    • Back up your existing User Application installation directory and database.
    • Back up any customized Identity Self-Service pages by using the Import/Export tools available through the User Application's Administration > Tools page.
    • Make note of your existing User Application Configuration settings (such as the eDirectory Connection Settings, eDirectory DNs and eDirectory Certificates). You will be required to re-enter this information during the installation procedure. You can obtain your current settings by running the configupdate utility, which is located in the User Application installation directory (for example, c:\novell\idm).
  2. Install the IDM 3.0.1 User Application using the Custom installation with the User Application and JBoss options selected.

  3. Empty the jboss/server/<ApplicationName>/work directory before starting JBoss server. See Readme item 8.5 for more information about upgrade issues associated with in-process resource requests.

6.2 Installing Identity Manager 3.0.1 on SLES 10 gives Errors while Loading Shared Libraries

You might see errors such as the following while installing Identity Manager3.0.1 on SLES 10:

awk: error while loading shared libraries: cannot open shared object file: No such file or directory 
grep: error while loading shared libraries: cannot open shared object file: No such file or directory

Novell provides a script to work around this problem. The script is installed at the same level as the IdmUserApp.bin file and is named The script takes the name of the installer binary file as an argument:

sh installer binary

For example if you unpacked the ISO distribution to /tmp/IDM301, run the following from the command line:

$ cd /tmp/IDM301

$ sh IdmUserApp.bin

The script comments out the setting of an environment variable in the IdmUserApp.bin file. This environment variable can cause the previously mentioned error on SLES 10. After making the modification, the script then launches the installer normally.

7.0 User Application: User Interface

7.1 Deleting and adding groups for a user profile through the Detail Page

In the Identity Manager User Application, under the Identity Self-Service tab, editing the group attribute to delete and add groups should be done as separate operations. If you remove and add groups as a one-step process, the deleted group name reappears when you click the + (add) button.

7.2 Support link in the Bookmark portlet does not work

The Support link in the Bookmark portlet does not work. The Novell Support Web site URL is

7.3 “Recipient” retains a previous value

In Request Team Resources in the Identity Manager user application, “Recipient” retains its previous value after you use the Back or Cancel button. To clear the current state so you can see the new value, return to the menu of actions on the left side of your tab page and click Request Team Resources.

7.4 Can’t log in as two different users in Firefox at the same time

In the User Application, if you log in as User A using a Mozilla-family browser (Firefox, Netscape, or Mozilla), then open another browser instance (of the same kind of browser) and log in as User B, you might see information for User B when going back to the first browser instance. This is because browser instances are sharing (and overwriting) the same cookie. This behavior is specific to Mozilla-family browsers; it does not occur with Internet Explorer.

7.5 Using the Organization Chart HTML Editor in Firefox causes exceptions

Exceptions can occur in Firefox on Cut, Paste, Copy operations when using the HTML Editor within Orgchart preferences. Mozilla doesn’t allow scripts to access the Clipboard for security reasons. Therefore, the Cut, Copy, and Paste buttons aren’t available in Firefox.

You can use the following procedure to enable cut, copy, and paste:

  1. In Firefox, you can download an extension named Allow Clipboard Helper via Tools > Extensions, which leads you to the extension download Web site

  2. After the download, you will see Allow Clipboard Helper in Firefox > Tools.

  3. Open it, and enter the server address where you want to grant the Clipboard access, then click Allow.

  4. You can add as many Web sites as you like. Shut down all the Firefox browsers, restart Firefox, and cut/copy/paste should be working in Firefox.

7.6 Users should have proper eDirectory rights to create users and groups

When you log into the IDM User Application, there is a link on left menu to create a user. In order to create users, you must have the necessary eDirectory rights to add entries to the directory. Because the IDM User Application has existing eDirectory users, those users should already have the necessary rights.

To give eDirectory rights to new users:

  1. In iManager, click View Objects.

  2. Browse to the object that contains your user container (for example, MySample.novell.) and click Modify Trustees.

  3. Add a trustee (for example, MySample.novell) and change the assigned rights.

  4. Under [Entry Rights], select Create. Leave other fields with the default values, then click Save.

Now all of the users in the users.MySample.novell container can now create users or groups within that MySample entity.

7.7 Resource requests are not supported for multiple users

In the User Application, it is not currently possible to request a resource for a list of users. The Team Resource Request page includes text indicating that this might be supported. The text says “Select a user (or users, if the resource you selected was marked Multiple Recipients Allowed) for whom you are requesting a resource.” This capability is not supported in this release.

7.8 GroupWise WebAccess portlet generates error on page in Internet Explorer

When using the GroupWise® WebAccess portlet and accessing a GroupWise 7.0 server, you receive an Error on Page message when you click the Calendar tab if you are using Internet Explorer 6.x. Firefox works without error. This error has been fixed in GroupWise 7.0.1.

7.9 Background image locations for themes disappear from view

Background image locations you specify for themes (whether manually or by performing a browse operation) disappear from view immediately after you enter them.

To reproduce:

  1. Go to Administration > Themes > Customize Branding (from any theme).

  2. Browse to a file for the Background Image Location or specify a file by typing the name.

  3. Select a JPG file.

The file will flicker and disappear from the screen. The new theme is saved, but the field is empty.

7.10 Minor display problem might occur in Organization Chart on first access

On Novell Linux Desktop (NLD), you might see a minor cosmetic problem when you first display an organization chart. The first time you do a lookup for a user, you might see the left root node icon in the middle of the screen by itself and not aligned with the user. On subsequent viewing, the icon lines up properly.

7.11 User Application and cookie requirements

The User Application requires that you enable cookies in your browser settings.

7.12 Special Characters in the User Application must be escaped

The User Application supports the same characters as iManager. For information on escaping special characters, refer to the iManager documentation on Special Characters.

7.13 Logging in without first logging out can cause failure of the login

When a user is logged into the user application, loads the login portlet or page from a Bookmark or History, and tries to log in again, the second login does not correctly set up the new portal session. This can cause the second login to fail.

8.0 User Application: Administration

8.1 Initial password expiration for new users or groups is now configurable

Administrators can now configure the initial password expiration for new users. To do so, edit the Create Portlet Preferences as documented in the Identity Manager User Application: Administration Guide.

Specify an Expire password on initial login preference.

  • True (default) expires the password upon the new user's first login.
  • False uses the eDirectory settings to determine when the password expires.

8.2 Using SOAP to override the default retention period for workflows

The default setting for retaining completed workflow information is 120 days. However, you can use the SOAP interface to the Workflow Engine to change this setting. To access the SOAP interface for the Workflow Engine, type the following URL in a browser:


When you see the page that lists the Workflow Engine methods you can call, select the setCompletedProcessTimeout method. The parameter you pass to this method changes the retention period. The value you specify must be in milliseconds.

8.3 Additional information on using iChain Simultaneous Logout

Note the following correction to the ICS Logout Page definition in the Identity Manager 3.0 Installation Guide, in section 5.4, “Installing the User Application:”

“The URL to the iChain® logout page” should be “The URL to the iChain logout page, where the URL is a hostname that iChain expects.”

Also note that to enable ICS Logout in the Identity Manager user application, you must turn on the Cookie Forward option in iChain, as follows:

  1. From the iChain Web management console, click Modify on the Accelerator in question.

  2. In the Web Server Accelerator window, click Authentication Options. This opens the Add Authentication Profiles window.

  3. Select Forward iChain Cookie to web server, then click OK. The presence of that cookie in the header tells Identity Manager to do the redirect with the URL that is in

8.4 A workflow fails to trigger from an eDirectory event

A single quote in a workflow Common Name (CN) prevents an eDirectory event from triggering that workflow. Avoid using a single quote in a workflow CN.

8.5 After migrating from IDM 3 to IDM 3.0.1, in process resource request tasks might fail to display

Unfinished tasks can fail to display after you upgrade from Identity Manager 3.0.0 to Identity Manager 3.0.1. To work around the problem, complete the following before installing IDM 3.0.1:

  1. Stop the jboss application server and delete the jboss/server/IDMProv/work directory.

  2. If you have already installed Identity Manager 3.0.1, stop the jboss server and then delete the jboss/server/IDMProv/work directory.

    The jboss server must not be running while you delete the work folder.

8.6 Coordinating Identity Manager user application passwords with iManager password policies

The Identity Manager User Application: Administration Guide is missing the following information to help you coordinate Identity Manager user application passwords with iManager password policies.

In Sections 19.3.1 and 19.7.1, add the following information describing the Universal Password requirement: “If Universal Password is enabled, open iManager and go to Passwords > Password Policies > Universal Password > Configuration Options. Make sure the following option is selected: ‘Verify whether existing passwords comply with the password policy (verification occurs on login).’”

In Section 16.2.1, add the following information describing the Container for Create property: “If you use the Create portlet to create users and want to assign the users to an iManager password policy, also assign the specified container to the same iManager password policy. This ensures that users created in the user application are automatically assigned to the default iManager password policy.”

8.7 Special characters in a password cause a schema extension problem during install

If your Identity Manager installation account password contains special characters, you might see the schema extension fail. You should install using a different account or change your password.

8.8 LDAP port must be set in the ForgotPasswordPortlet

On your User Application Server (JBoss server), when you use the User Application login page, if you click the Forgotten Password link and enter the user name, the portal might return the following error message on the JBoss console and not redirect:

08:59:17,962 ERROR [EboPortletProxyHelper] The portlet entity does not exist com.novell.afw.portal.aggregation.EboPortletInfoBean: id [portal-general] iid [-1] timeout [-1] multithread [false]

The error results from the ldap-sslport preference in the ForgotPasswordPortlet portlet using the standard default TLS (ldaps) port of 636 instead of the port configured for your LDAP server’s secure connection. The eDirectory administrator has probably changed the default secure LDAP port on the eDirectory instance to a non-standard port. eDirectory administrators commonly change the LDAP ports when running eDirectory on the same physical hardware as other LDAP-enabled systems such as Active Directory*.

If your secure LDAP (TLS) configuration uses a port other than 636, change the ldap-sslport preference in the ForgotPasswordPortlet to the port configured for your secure LDAP as follows:

  1. Open the User Application.

  2. Open Administration > Portlet Admin > ForgotPasswordPortlet > ForgotPasswordPortlet instance > Preferences.

  3. Change the value of ldap-sslport from the default port of 636 to the port configured for your LDAP server’s secure LDAP connections.

8.9 Parallel approvals don’t work when addressee for one step refers to another step

In a provisioning workflow that uses parallel processing, the addressee for one approval activity should not refer to the addressee for another approval activity in the flow. The reason for this is that the workflow engine does not have any way to know which step will be executed first, because the activities are being processed in parallel. In addition, the iManager plug-in for Provisioning Request Configuration is not able to determine which addressees should be allowed at any point in time. To restrict the list of possible addressees, the plug-in would need to analyze the flow to get the list of upstream activities that have already been completed. This capability is not supported in the plug-in at this time.

8.10 JBoss directory browsing is enabled by default

By default, JBoss allows directory browsing. Therefore, if you type the URL http://server:8080/IDMProv/resources/, the list of resources under this URL is displayed.

If you do not want directory browsing to be enabled, go to jboss-4.0.2\server\IDM-Application Context\deploy\jbossweb-tomcat55.sar\conf, and edit the listings entry in the web.xml file:


To suppress the display of resources, change the listings value from true to false.

8.11 Service config.xml files contain outdated version numbers

The services for various subsystems within the user application might contain outdated version numbers. You do not need to modify these files to correct the versions.

For example, IDMfw.jar contains the FrameworkService-conf\config.xml file, which has the following entry for the version number:

          <value>040712, Version 5.2.1</value>

8.12 The Workflow activity escalation policy might result in workflow failure and process termination

In the Provisioning Request Configuration plug-in to iManager, you can define an escalation policy that redirects a workflow activity to the manager of the original addressee.

If the original addressee is a task group that has more than one manager, the escalation fails. The Provisioning Request Configuration plug-in does not prevent you from defining this type of escalation, so you need to be careful to avoid it.

8.13 Starting workflows with the SOAP Web Service sometimes causes errors

On Linux, the default open limit is not sufficient to support a large number of requests initiated through the SOAP Web Service. The User Application Driver might reach this limit when using the Web Service endpoints to trigger workflows in response to directory events.

Linux has a default open file limit of 1024 for each process. If you start the JBoss server with the default setting, you might see errors when more than 40 or 45 requests are started sequentially through the SOAP Web Service interface. After reaching the limit, you might be unable to initiate any more requests for several minutes. In some cases, you might need to restart the JBoss server.

To work around this problem, you can increase the open file limit from 1024 to 4096.

If you’re using BASH, execute these commands to increase the open file limit:

su - root ulimit -n 4096 su - <user>

If you’re using C Shell, execute these commands to increase the open file limit:

su - root limit descriptors 4096 su - user

8.14 Separate user applications should not share a single instance of the User Application Driver

The User Application Driver stores various kinds of information (such as workflow configuration and cluster information) that is application-specific. Therefore, a single instance of the User Application Driver should be not shared among multiple applications.

The User Application stores application-specific data to control and configure the application environment. This includes the JBoss Application Server cluster information and the workflow engine configuration. The only user applications that should share a single User Application Driver instance are those applications that are part of the same JBoss cluster. You should not configure a set of user applications to share a single driver unless they are part of the same JBoss cluster. Otherwise, your configuration could lead to ambiguity and misconfiguration for one or more of the components running inside the user application.

8.15 Root, user, and group container DNs do not support the root of the tree or allow multiple container DNs to be selected

In the install program for the Identity User Application, you can specify the Root Container DN, User Container DN, and Group Container DN for the application. In this release, you cannot specify the treeRoot in eDirectory as the root container. Also, you cannot specify more than one search root for any particular object type (container, user, or group). Instead, you must specify a single search scope.

However, an organization (o) can be contained in a Country (c) or locality (l), as shown below:

c=US o=novell-provo o=novell-waltham

This type of configuration works.

8.16 Separate instances of the User Application Driver should not share the same user container

If two separate instances of the User Application Driver point to the same user container, the availability settings (on the Edit Availability page of the user application) show availability entries from both applications.

For example, Server 1 is configured to use one driver (such as driver1,o=novell), and Server 2 is configured to use another (such as driver2,o=novell). Both servers are configured to use the same containers for users, groups, and root container (such as ou=users,o=novell). A user on Server 1 creates a delegate definition for a user and provisioning request definition. The user is then marked as unavailable for that request definition. Server 2 shows the user as unavailable, but it is unable to resolve the friendly name for the request definition. If the user’s delegate definitions on Server 2 are examined, the definition from Server 1 is not seen.

The reason for this behavior is that delegation information (created when users mark themselves available or unavailable) is stored on user records. This information includes the delegate/delegator information along with the provisioning request definition and start/stop time for delegation. The delegate definition, from which delegation information is derived, is stored in the driver, along with the provisioning request definition.

We recommend not configuring two separate driver instances to point to the same user container.

8.17 User Application logging configuration is not propagated to all servers in a cluster

When you make changes to the logging configuration for a User Application server in a cluster, the changes are not propagated to the other servers in the cluster. For example, if you use the Logging administration page on a server in a cluster to set the logging level for com.novell.afw.portal.aggregation to Trace, this setting is not propagated to the other servers in the cluster. To work around this problem, you must individually configure the level of logging messages for each server in the cluster.

8.18 The User Application Driver must be restarted after creating a new provisioning request definition

The User Application Driver reads the list of workflow attributes when the driver is started. If you create a new provisioning request definition, and if you immediately try to create a Schema Mapping policy, the attributes for the new provisioning request definition do not appear in the list of application attributes after you refresh the application schema. This is because the User Application driver needs to be restarted before the provisioning request definition is made available. After creating the new provisioning request definition, stop the user application driver, then restart it before attempting to use the provisioning request definition in policies. Alternatively, in the Schema Mapping policy editor, simply refresh the application schema twice.

8.19 Installing to a cluster does not prompt for workflow engine ID

When running workflows in a cluster, each server’s workflow engine must have a unique ID. The engine ID is identified by passing to the Java VM. On Linux, the user needs to edit the jboss/bin/run.conf file and pass that property in the JAVA_OPTS line. For example:

if [ "x$JAVA_OPTS" = "x" ]; then JAVA_OPTS="-server -Xms800m -Xmx800m"

The install program does not prompt you to specify the workflow engine ID. Therefore, you need to identify the engine by passing the JAVA_OPTS property, as shown above.

8.20 Workflow requests might cause MySQL to exceed its connection limit

By default, MySQL sets the maximum number of connections to 100. This number might be too small to handle the workflow request load in a cluster. If the number is too small, you might see the following exception:

(java.sql.SQLException: Data source rejected establishment of connection, message from server: "Too many connections.")

To increase the maximum number of connections, set the max_connections variable in my.cnf.

8.21 Server caching problem might occur with photos in the Detail portlet

If you change the way images are displayed in the Detail portlet header by specifying the $IMG: tag, you must flush the CompiledLayout cache for the changes to take effect. Follow these steps to flush the cache:

  1. Go to the Administration tab of the user application.

  2. Go to the Caching tab.

  3. Select CompiledLayout from the Flush Cache drop-down list.

  4. Click Flush Cache.

8.22 A User is allowed to add direct reports to the manager even if the direct report user has another manager assigned

It is possible that a user who has access to the Edit User page of the Identity Self-Service tab can make changes that break the hierarchical reporting structure. For example, it is possible to change the reporting structure so that a manager reports to a person in his or her own organization.

8.23 Portal Data Import utility fails to import pages without descriptions

The Portal Data Import utility (Administration > Tools > Portal Data Import) uses the shared-pages.xml and container-pages.xml in the Portal Data Export ZIP file to generate container and shared pages, and portlets. If the <description/> element is blank, then pages cannot be imported.

To work around this, provide text for the <description/> element and perform the import again.

8.24 Additional documentation is available on JBoss setup

The Identity Manager User Application: Administration Guide contains some information on configuring JBoss. If you need further information on JBoss setup, see the following sources:

8.25 Required Attribute rights for Provisioning Request objects

To use the iManager Provisioning Request Configuration plug-in, you must have Read rights and Write rights to the attributes associated with the Provisioning Request objects.

8.26 Character set encoding support and Tomcat

By default, the user application character encoding filter is set to enabled in the user application's web.xml. This setting typically does not require any specific configuration, but it might require changes if you have configured Tomcat for URI encoding. There are two attributes in the configuration of Tomcat http/https connector that affect character set encoding and filter configuration: URIEncoding and useBodyEncodingForURI.


This entry specifies the character encoding used to decode the URI bytes, after %xx decoding the URL. If not specified, ISO-8859-1 is used. Both http and https connectors must have the same configuration, and the Charest encoding filter should be modified to include the uri-encoding init parameter. The value of this parameter should be the same as the value of the URIEncoding attribute in the tomcat connector configuration.



This entry specifies whether the encoding specified in contentType should be used for URI query parameters instead of using the URIEncoding. This setting is present for compatibility with Tomcat 4.1.x, where the encoding is specified in the contentType, or explicitly set using Request.setCharacterEncoding method for the parameters from the URL. The default value is false.

If useBodyEncodingForURI is set to true, the filter configuration should include the use-body-encoding init parameter, for example:



For more details, see the Web site on Tomcat connector configuration information.

8.27 Using a DNDisplay form control can result in provisioning application errors

The following error results when you use a DNDisplay form control to put data in the Pre-Activity Map for an Approval Form in a provisioning request:

Error Message:
Index:0, Size:0

If the problem persists, copy the error message and error log and send them to your system administrator. You can click the Error Log link to see the details of the IndexOutOfBoundsException that occurred.

The workaround is to use a DNLookup control instead. Set the following DNLookup properties to False:

  • Editable
  • Show object history button
  • Show object selector button
  • Show clear button

The two controls look different, but have the same function.

8.28 Change in behavior of the DirXML-EntitlementResult attribute

There has been a change to the way in which the DirXML-EntitlementResult multi-valued attribute is handled. Previously, entitlement results were not purged from this attribute. Now, the default behavior has been changed. Entitlement results are now purged after they are processed.

You can change the default behavior (specify whether entitlement results are purged or not, and how they are purged).

  1. In iManager, display the Identity Manager Driver Overview page for your user application driver.

  2. Click Event Transformation Policies.

  3. Click the Manage Modify policy for your user application driver, then click Edit.

  4. Click Set Entitlement Purge Type.

  5. In the Do append XML text action, type one of the following in the Enter String field:

    • current: After notifying the user application driver, delete the entitlement result that caused the event. This is the default behavior. It is also used if no entitlement purge type is set, or if an invalid entitlement purge type is set.

    • none: Do not purge the entitlement result.

    • previous: Delete any previous entitlement results without deleting the one that caused the event.

    • notnewer: Delete previous entitlement results including one that caused the event. This preserves any entitlement result that was created after the entitlement result that caused the event.

8.29 When defining a mandatory attribute in the directory abstraction layer editor, set it to Require

When you define directory abstraction layer entities that include auxiliary classes, be aware that all auxiliary class associations specified in the entity definition are added to the object instance when the entity is created or updated by the user application. If the auxiliary class that is included in the entity definition contains mandatory attributes, your users might encounter a schema violation. They will see this as a generic NDS exception in the user application (NDS error: missing mandatory (-609)).

You can avoid displaying the error message in the user application by making sure the attribute's Require property is selected. To set the property, edit the attribute in the directory abstraction layer editor.

9.0 User Application: Performance

9.1 Session timeout should be tuned to improve server performance

By default, the session timeout for the server is 20 minutes. The session timeout should be tuned to match the server and usage environment in which the application will run. In general, it is advised that the session timeout be as small as practically possible. If business requirements can tolerate a 5 minute session timeout, this allows the server to release unused resources sooner than the default, and make the server faster and more scalable.

However, keep in mind the following considerations:

  • Longer session timeouts might cause the JBoss server to run out of memory if many users log in. This is true of any application server that has too many open sessions.
  • When a user logs in to the user application, an LDAP connection is created for the user, and bound to the session. If more sessions are open, more LDAP connections are held open and the longer the session timeout, the longer these connections are held open. Too many open connections to the LDAP server can cause system performance degradation, even if the connections are idle.
  • If the server starts experiencing OutOfMemoryErrors, and the JVM* heap and garbage collection tuning parameters have already been optimized for the server and usage environments, then you should consider lowering the session timeout.

The session timeout is set in the web.xml file.

9.2 The timeout attribute can be an expression

If you edit the source specifying the timeout attribute for user activities, the value of this attribute can be either a number, in a unit that you specify, or an expression that resolves to a number of milliseconds. An expression must return an instance of java.lang.Number.


  • A constant value in milliseconds: timeout=“172800000”
  • A constant value in milliseconds: timeout=“172800000”

9.3 Enabling e-mail notification for workflows without configuring the e-mail server results in memory consumption

If you enable e-mail notification in your provisioning request definitions, but you do not configure any e-mail servers, e-mail notifications pile up on the server and are never sent. This eventually uses up available memory.

If you turn on e-mail notification, be sure to configure the e-mail server so that the e-mail messages are actually sent. To configure the e-mail server, select Email Server Options under Workflow Administration in iManager.

9.4 Recommended JBoss settings for production environments

By default, the JBoss deployment scanner runs every five seconds. For a production server, this is typically not necessary and might impact performance. You should consider turning this off.

Please refer to the JBoss site for more information about tuning for production environments.

10.0 Localization

10.1 E-mail Subject text display problem

The Windows GroupWise Mail and Outlook* Clients have a known bug when displaying the Subject text from an HTML “mailto:” command. This bug appears when the browser uses a double-byte character set language such as Chinese, Japanese, or Korean.

In this case, when you send identity information from the Detail page, the Subject line has invalid characters because these mail clients do not unescape the double-byte characters correctly.

10.2 A browser's locale overrides Identity Manager locale settings for portal artifacts and portlet preferences

As a result of this bug, you might see anomalies such as one part of the UI appearing in the localized language but other parts appearing in English.

The workaround is to match your browser language and Identity Manager preferred locale. In Firefox, set the highest-preference language. In Internet Explorer, set the highest-priority language. Change the preferred locale with either iManager or the Edit User feature in the Identity Manager User Application.

10.3 Possible issue with character set encoding

You should ensure that the input and output character encodings match those used by the source or destination application. Any characters that are not representable in the selected output are changed to question marks (?).

10.4 The locale must be set correctly to display localized characters on an English OS

If you run the User Application Configuration tool (for configuring LDAP settings) in a localized operating system environment, all the text input boxes are displayed correctly. For example, if there are any Chinese distinguished names in eDirectory, or you input any Chinese characters, these are displayed properly in a Chinese operating system environment. However, if you are in an English operating system environment, any Chinese characters entered or returned from eDirectory are displayed as non-readable characters (most likely squares). This is because the Locale is not properly set.

If you are in an English operating system environment and want to display localized characters, do the following:

- In a Windows 2000 environment, go to the Control Panel and select Regional Options. Under the General tab, set Your Locale to the local language (such as Chinese (PRC)).

- In a Windows 2003 environment, go to the Control Panel and select Regional Options. Under the Regional Options tab, select Chinese (PRC) and apply the change.

- In a SUSE Linux environment, set the environment variable LANG as follows: export LANG=zh_CN

The same basic procedure applies to all languages.

10.5 Some accessory portlets have not been localized

The Message, HTML, RSS News Feed, and Shortcut. accessory portlets have not been localized. In addition, the help section of the HTML Editor portlet has not been localized.

10.6 The portlet category description contains escape characters

The portlet category description on the Category tab in Portlet Administration contains escape characters (blackslashes that appear around the greater than and less than signs.) This problem exists in all localized languages.

10.7 The OK and Cancel buttons on Context Preferences dialog are not localized

In Portal Administration > Page Administration, the Content Preferences dialog box always displays the following text in English: “Changes have been made to your Selected Content. Click OK to save your changes or cancel to continue without saving.”

10.8 E-Mail has a problem displaying content in double-byte character-set languages

When Identity Manager sends an e-mail containing a double-byte character-set language such as Chinese or Japanese, the e-mail client has a problem reading it. Please contact Novell Technical Support if you encounter this problem.

11.0 iManager

11.1 Adding localized e-mail templates through iManager

To add localized e-mail templates through iManager:

  1. Log in to iManager.

  2. Under Roles and Tasks, expand Passwords or Workflow Administration.

  3. Click Edit Email Templates (under the Passwords plug-in) or Email Templates (under Workflow Administration).

  4. Identify the e-mail template (without any locale in the name) you want to copy. Write down the template name to use in step 5. Click the template subject to open the template and view its message subject, body, and Replacement Tags. Copy the message subject, body (to be translated) and replacement tags you want to use in your new template. Click Cancel.

  5. Click Create and specify the template name with a locale extension. For example, to create a Forgot Hint template in German, enter the name Forgot Hint_de, where _de signifies Deutsch (German). Click OK.

    If you use a two-letter language and two-letter country code, this works as expected. If you attempt to use a locale with a variant such as en_US_TX, only the variant and language are considered. Do not use locale variants when naming e-mail templates in this release.

  6. In the template list, click the newly created template, for example Forgot Hint_de, and enter the translated subject and message body, for example in German. Be sure to preserve the replacement tags surrounded by the dollar ($) sign in the message body.

  7. Click Add to enter or paste Replacement Tags, then click OK.

  8. Click Apply, then OK.

E-mail templates only send properly localized content if the preferred locale is set for the user to whom the mail is sent.

11.2 Saving edits to a work flow definition in iManager can generate a system error

You might receive a NullPointerReference exception when using iManager to edit and save edits to certain provisioning requests that were deployed by Designer for Identity Manager.

For workflows that have this problem, perform all configuration using Designer for Identity Manager.

11.3 iManager plug-in error: The driver password could not be saved

This issue is fixed by upgrading to NMAS 2.3.9.

11.4 iManager plug-in dependency for the NDS-to-NDS Driver Certificates wizard

If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Certificate Server.

12.0 Drivers

12.1 Character set encoding in the Delimited Text Driver must match character set encoding in applications

Ensure that the input and output character encodings configured in the Delimited Text Driver match those used by the source or destination application. Mismatches cause errors or corrupted data in the Identity Vault or the application. Characters that are not representable in the selected output are changed to question marks (?).

12.2 Using a non-Unicode MySQL database configuration causes parser errors

Using a non-Unicode MySQL database configuration causes parser errors under the following conditions:

  • The MySQL server is installed with non-Unicode encoding specified in its configuration file (for example latin-1), and
  • A MySQL database is created with the UTF-8 encoding required for the Identity Manager user application.

The JDBC* driver uses the MySQL server configuration file to determine the character set to use to transfer data to and from the user application/MySQL server. The MySQL database for Identity Manager user application must use UTF-8 encoding, and the MySQL server configuration should also specify UTF-8.

However, if you need to leave the MySQL server configuration as a different character set encoding than UTF-8, you must force the JDBC driver to use the correct encoding. Do so by adding connection parameters to the JDBC connection definition stored in the mysqlds.xml file deployed with the User Application.

  1. Create a database for the user application. Use a default character encoding of utf8 and default collation of utf8_bin:

    create database [database-name] character set utf8 collate utf8_bin;

    For more information on syntax, refer to

  2. Edit the <connection-url> element in the mysql-ds.xml file deployed with your IDMProv.war or IDM.war file (for example, you might find the file at jboss-4.0.3.SP1/server/idm/deploy/mysql-ds.xml).

    Change the following:


    To this new specification:


    Where [host] is your database server host and [database-name] is the name of your database.

MySQL connection parameters are documented in the MySQL 5.0 Reference Manual in Chapter 23, “Connectors.”The character-set and Unicode connection parameters are described in Section, “Using Character Sets and Unicode.”

13.0 Designer 1.2 Provisioning Request Definition Editor

13.1 Editing more than one Provisioning Request Definition at a time can result in changes entered in one to appear in another.

Editing more than one Provisioning Request Definition at a time can result in changes entered in one to appear in another. This occurs when using the DataItem Mapping or Email Notification views. To work around this issue, edit one Provisioning Request Definition at a time.

For other Designer issues, refer to the full Designer 1.2 Readme. The Readme is bundled with the Designer product and is also available at the Novell Designer for Identity Manager Web site.

14.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at and one or more additional patents or pending patent applications in the U.S. and in other countries

For Novell trademarks, see the Novell Trademark and Service Mark list.