Novell Identity Manager 3 Readme

Last Updated April 12, 2006


1.0 eDirectory 8.8 upgrade issue

If you plan to upgrade from eDirectory™ version 8.7.3 to 8.8, we recommend that you upgrade eDirectory before installing Identity Manager 3. If you upgrade eDirectory after installing Identity Manager, the eDirectory installation program states, “Identity Manager 3 is not supported. Install anyway?”

You can proceed with the eDirectory 8.8 installation; however, you will need to re-install Identity Manager after the upgrade.

2.0 iManager plug-in error: The driver password could not be saved

This issue is fixed by upgrading to NMAS® 2.3.9.

3.0 iManager plug-in dependency for the NDS-to-NDS Driver Certificates wizard

If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Certificate Server.

4.0 Forgotten Password Summary page message is incorrect

When you edit a password policy and enable forgotten password, the summary message always states that forgotten password is not enabled, even when it is.

5.0 When SMTP e-mail server is configured to use authentication, password self-service cannot e-mail hint or notification

If your SMTP server is secured and requires authentication before sending e-mail, password self-service is unable to access the authentication information to connect to the SMTP server. If your SMTP server is secured, you must provide SMTP authentication information in policies. For more information, see “Providing SMTP Authentication Information in Driver Policies” in the Identity Manager Administration Guide.

6.0 Can’t log in as two different users in Firefox at the same time

In the user application, if you log in as User A using a Mozilla-family browser (Firefox*, Netscape*, or Mozilla*), then open another browser instance (of the same kind of browser) and log in as User B, you might see information for User B when going back to the first browser instance. This is because browser instances are sharing (and overwriting) the same cookie. This behavior is specific to Mozilla-family browsers; it does not occur with Internet Explorer.

7.0 Using Organization Chart HTMLEditor in Firefox causes exceptions

Exceptions may occur in Firefox on Cut, Paste, Copy operations when using the HTMLEditor within Orgchart preferences. Mozilla doesn’t allow scripts to access the clipboard for security reasons. Therefore, the cut, copy, and paste buttons aren’t available in Firefox.

In Firefox, you can download an extension named Allow Clipboard Helper via Tools > Extensions, which leads you to the extension download Web site.

After the download, you will see Allow Clipboard Helper in Firefox > tool.

Open it, and enter the server address you want to grant the clipboard access, then click Allow. You can add as many Web sites as you like. Shut down all the Firefox browsers, restart Firefox, and cut/copy/paste should be working in Firefox.

8.0 Users should have proper eDirectory rights to create users and groups

When logging into the IDM User Application, there is a link on left menu to create a user. In order to create users, you must have the necessary eDirectory rights to add entries to the directory. Because the IDM User Application has existing eDirectory users, those users should already have the necessary rights.

  1. In iManager, click View Objects.

  2. Browse to the object that contains your user container (for example, MySample.novell.) and click Modify Trustees.

  3. Add a trustee (for example, MySample.novell) and change the assigned rights.

  4. Under [Entry Rights], select Create. Leave other fields with the default values, then click Save.

Now all of the users in the users.MySample.novell container can create users or groups within that MySample entity.

9.0 LDAP port must be set in ForgotPasswordPortlet

On your User Application Server (JBoss* server), when using the User Application login page, if you click the Forgotten Password link and enter the user name, the portal might return the following error message on the JBoss console and not redirect:

08:59:17,962 ERROR [EboPortletProxyHelper] The portlet entity does not exist com.novell.afw.portal.aggregation.EboPortletInfoBean: id [portal-general] iid [-1] timeout [-1] multithread [false]

The error results from the ldap-sslport preference in the ForgotPasswordPortlet portlet using the standard default TLS (ldaps) port of 636 instead of the port configured for your LDAP server’s secure connection. The eDirectory administrator has probably changed the default secure LDAP port on the eDirectory instance to a non-standard port. eDirectory administrators commonly change the LDAP ports when running eDirectory on the same physical hardware as other LDAP-enabled systems such as Active Directory*.

If your secure LDAP (TLS) configuration uses a port other than 636, change the ldap-sslport preference in the ForgotPasswordPortlet to the port configured for your secure LDAP connections as follows:

  1. Open the User Application.

  2. Open Administration > Portlet Admin > ForgotPasswordPortlet > ForgotPasswordPortlet instance > Preferences.

  3. Change the value of ldap-sslport from the default port of 636 to the port configured for your LDAP server’s secure LDAP connections.

10.0 Parallel approvals don’t work when addressee for one step refers to another step

In a provisioning workflow that uses parallel processing, the addressee for one approval activity should not refer to the addressee for another approval activity in the flow. The reason for this is that the workflow engine does not have any way to know which step will be executed first, because the activities are being processed in parallel. Furthermore, the iManager plug-in for Provisioning Request Configuration is not able to determine which addressees should be allowed at any point in time. To restrict the list of possible addressees, the plug-in would need to be able to analyze the flow to get the list of upstream activities that have already been completed. This capability is not supported in the plug-in at this time.

11.0 JBoss directory browsing is enabled by default

By default, JBoss allows directory browsing. Therefore, if you type the URL http://server:8080/IDMProv/resources/, the list of resources under this URL is displayed.

If you do not want directory browsing to be enabled, go to jboss-4.0.2\server\<IDM-Application Context>\deploy\jbossweb-tomcat55.sar\conf, and edit the listings entry in the web.xml file:

<servlet>
   <servlet-name>default</servlet-name>
   <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
   <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
   </init-param>
   <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
   </init-param>
   <load-on-startup>1</load-on-startup>
</servlet>

To suppress the display of resources, change the listings value from true to false.

12.0 Session timeout should be tuned to improve server performance

By default, the session timeout for the server is 20 minutes. The session timeout should be tuned to match the server and usage environment in which the application will run. In general, it is advised that the session timeout be as small as practically possible. If business requirements can tolerate a 5 minute session timeout, this would allow the server to release unused resources sooner than the default, and make the server faster and more scalable.

  • Longer session timeouts could potentially cause the JBoss server to run out of memory if many users log in. This is true of any application server that has too many open sessions.
  • When a user logs in to the user application, an LDAP connection is created for the user, and bound to the session. Thus, if more sessions are open, more LDAP connections are held open and the longer the session timeout, the longer these connections are held open. Too many open connections to the LDAP server can cause system performance degradation, even if the connections are idle.
  • If the server starts experiencing OutOfMemoryErrors, and the JVM* heap and garbage collection tuning parameters have already been optimized for the server and usage environments, then you should consider lowering the session timeout.

The session timeout is set in the web.xml file.
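
A check for the two web.xml settings discussed in sections 11.0 and 12.0, as an added example (not Novell code): it reports whether the default servlet's listings parameter is enabled and whether the session timeout exceeds a chosen limit. The sample document is constructed, and the 5-minute limit is an assumption taken from the suggestion in section 12.0.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the servlet entry shown in section 11.0
# plus a session-config element carrying the 20-minute default.
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <session-config>
    <session-timeout>20</session-timeout>
  </session-config>
</web-app>
"""

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip an XML namespace: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_web_xml(xml_text, max_timeout_minutes=5):
    """Return the listings value, the session timeout and a list of findings."""
    root = ET.fromstring(xml_text)
    listings, timeout, findings = None, None, []

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "servlet" and _child_text(elem, "servlet-class") == DEFAULT_SERVLET:
            for param in elem:
                if (_local(param.tag) == "init-param"
                        and _child_text(param, "param-name") == "listings"):
                    listings = (_child_text(param, "param-value") or "").lower()
        elif tag == "session-timeout":
            try:
                timeout = int((elem.text or "").strip())
            except ValueError:
                findings.append("session-timeout is not a number: %r" % elem.text)

    if listings == "true":
        findings.append("directory listings are enabled for the default servlet")
    if timeout is not None:
        if timeout <= 0:
            # Servlet specification: zero or less means sessions never time out.
            findings.append("sessions never time out")
        elif timeout > max_timeout_minutes:
            findings.append("session timeout is %d minutes (limit %d)"
                            % (timeout, max_timeout_minutes))

    return {"listings": listings, "session_timeout": timeout, "findings": findings}


if __name__ == "__main__":
    report = audit_web_xml(SAMPLE_WEB_XML)
    print(report["listings"], report["session_timeout"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```
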

13.0 Locale must be set correctly to display localized characters on an English OS

If you run the User Application Configuration tool (for configuring LDAP settings) in a localized operating system environment, all the text input boxes are displayed correctly. For example, if there are any Chinese distinguished names in eDirectory, or you input any Chinese characters, these are displayed properly in a Chinese operating system environment. However, if you are in an English operating system environment, any Chinese characters entered or returned from eDirectory are displayed as non-readable characters (most likely squares). This is because the Locale is not properly set.

If you are in an English operating system environment and want to display localized characters, do the following:

- In a Windows 2000 environment, go to the Control Panel and select Regional Options. Under the General tab, set “Your Locale” to the local language (for example, Chinese (PRC)).

- In a Windows 2003 environment, go to the Control Panel and select Regional Options. Under the Regional Options tab, select “Chinese (PRC)” and apply the change.

- In a SUSE® Linux environment, set the environment variable LANG as follows: export LANG=zh_CN

The same basic procedure applies to all languages.

14.0 Service config.xml files contain outdated version numbers

The services for various subsystems within the user application might contain outdated version numbers. You do not need to modify these files to correct the versions.

For example, IDMfw.jar contains the FrameworkService-conf\config.xml file, which has the following entry for the version number:

<property>
   <key>FrameworkService.version</key>
   <value>040712, Version 5.2.1</value>
</property>

15.0 Workflow activity escalation policy might result in workflow failure and process termination

In the Provisioning Request Configuration plug-in to iManager, you can define an escalation policy that redirects a workflow activity to the manager of the original addressee.

If the original addressee is a task group that has more than one manager, the escalation fails. The Provisioning Request Configuration plug-in does not prevent you from defining this type of escalation, so you need to be careful to avoid this type of configuration.

16.0 Starting workflows with SOAP Web Service sometimes causes errors

On Linux*, the default open file limit is not sufficient to support a large number of requests initiated through the SOAP Web Service. The User Application Driver may reach this limit when using the Web Service endpoints to trigger workflows in response to directory events.

Linux has a default open file limit of 1024 for each process. If you start the JBoss server with the default setting, you might see errors when more than 40 or 45 requests are started sequentially through the SOAP Web Service interface. After reaching the limit, you may be unable to initiate any more requests for several minutes. In some cases, you might need to restart the JBoss server.

To work around this problem, you can increase the open file limit from 1024 to 4096.

If you’re using BASH, execute these commands to increase the open file limit:

su - root
ulimit -n 4096
su - <user>
start-jboss.sh

If you’re using C Shell, execute these commands to increase the open file limit:

su - root
limit descriptors 4096
su - <user>
start-jboss.sh

17.0 Separate user applications should not share a single instance of the User Application Driver

The User Application Driver stores various kinds of information (such as workflow configuration and cluster information) that is application-specific. Therefore, a single instance of the User Application Driver should not be shared among multiple applications.

The User Application stores application-specific data to control and configure the application's environment. This includes the JBoss Application Server cluster information and the workflow engine configuration. The only user applications that should share a single User Application Driver instance are those applications that are part of the same JBoss cluster. You should not configure a set of user applications to share a single driver unless they are part of the same JBoss cluster. Otherwise, your configuration could lead to ambiguity and misconfiguration for one or more of the components running inside the user application.

18.0 Root, user, and group container DNs do not support the root of the tree or allow multiple container DNs to be selected

In the install program for the Identity User Application, you can specify the Root Container DN, User Container DN, and Group Container DN for the application. In this release, you cannot specify the treeRoot in eDirectory as the root container. Also, you cannot specify more than one search root for any particular object type (container, user, or group). Instead, you must specify a single search scope.

An organization (o) could be contained in a Country (c) or locality (l), as shown below:

c=US
   o=novell-provo
   o=novell-waltham

This type of configuration works.

19.0 Resource requests are not supported for multiple users

In the user application, it is not currently possible to request a resource for a list of users. The Team Resource Request page includes text indicating that this might be supported. The text says “Select a user (or users, if the resource you selected was marked Multiple Recipients Allowed) for whom you are requesting a resource.” This capability is not supported in this release.

20.0 Transferring data from localhost... status message never goes away

In the user application, there may be times when the status bar message: “Transferring data from localhost...” does not go away or is not replaced with “Done.” This is a known problem with Internet Explorer and Mozilla-based browsers.

21.0 Separate instances of the User Application Driver should not share the same user container

If two separate instances of the User Application Driver point to the same user container, the availability settings (on the Edit Availability page of the user application) show availability entries from both applications.

Suppose Server 1 is configured to use one driver (such as driver1,o=novell), and server 2 is configured to use another (such as driver2,o=novell). Both servers are configured to use the same containers for users, groups, and root container (such as ou=users,o=novell, etc). A user on server 1 creates a delegate definition for a user and provisioning request definition. The user is then marked as unavailable for that request definition. Server 2 shows the user as unavailable, but it is unable to resolve the friendly name for the request definition. If the user’s delegate definitions on server 2 are examined, the definition from server 1 is not seen.

The reason for this behavior is that delegation information (created when users mark themselves available/unavailable) is stored on user records. This information includes the delegate/delegator information along with the provisioning request definition and start/stop time for delegation. The delegate definition, from which delegation information is derived, is stored in the driver, along with the provisioning request definition.

We recommend not configuring two separate driver instances to point to the same user container.

22.0 User Application logging configuration is not propagated to all servers in cluster

When you make changes to the logging configuration for a User Application server in a cluster, the changes are not propagated to the other servers in the cluster. For example, if you use the Logging administration page on a server in a cluster to set the logging level for com.novell.afw.portal.aggregation to Trace, this setting is not propagated to the other servers in the cluster. To work around this problem, you must individually configure the level of logging messages for each server in the cluster.

23.0 User Application driver must be restarted after creating a new provisioning request definition

The User Application driver reads the list of workflow attributes when the driver is started. If you create a new provisioning request definition, and if you immediately try to create a Schema Mapping policy, the attributes for the new provisioning request definition do not appear in the list of application attributes after you refresh the application schema. This is because the User Application driver needs to be restarted before the provisioning request definition is made available. After creating the new provisioning request definition, stop the user application driver, then restart before attempting to use the provisioning request definition in policies. Alternatively, in the Schema Mapping policy editor, simply refresh the application schema twice.

24.0 The display label for the departmentNumber attribute is misleading

The display label for the departmentNumber attribute is Department, not Department Number. To prevent any confusion, you can change the display label to Department Number using the directory abstraction layer editor. For more information, see the section on configuring the directory abstraction layer in the Identity Manager User Application: Administration Guide.

25.0 Workflow pattern information is not saved in a provisioning request

When you use the Provisioning Request Configuration plug-in to iManager to create a provisioning request definition, the workflow pattern selected (parallel/sequential) and timeout behavior (approve/deny) are not saved with the request definition.

Therefore, if you create many request definitions, and then need to modify them later, you might be confused about the design patterns used by the request definitions and not know which to edit.

To minimize confusion, you should always provide text in the Description for a new request definition that designates the template from which the request was created, or indicates the selected design pattern (such as “sequential approval timeout approves.”)

To see the workflow pattern and timeout behavior for an existing provisioning request definition:

  1. Select View Objects from the iManager toolbar and navigate the eDirectory tree to your defined workflows (such as RequestDefs.AppConfig.UserApplication.myDriverSet.myCompany).

  2. Select the workflow of interest, then select Modify object when the window menu appears.

  3. Edit the Valued Attribute named XmlData.

  4. Search for the <display-name> element. It should contain the original template name, such as Three Step Parallel Approval (Timeout Approves).

  5. Cancel out of the editor without making changes to the XmlData attribute.

NOTE: Be sure not to modify the XmlData attribute in any way.

26.0 EPM Migration Report utility available for download

Novell provides a reporting utility that offers assistance for those who need to migrate EPM applications to Identity Manager 3. This utility is available on the Innerforge EPM Products page for download by consultants.

EPM customers should contact Novell Sales or Consulting for help in migrating their EPM applications.

27.0 Installing to a cluster does not prompt for workflow engine ID

When running workflows in a cluster, each server’s workflow engine must have a unique ID. The engine ID is identified by passing -Dcom.novell.afw.wf.engine-id to the Java* VM. On Linux, the user needs to edit the jboss/bin/run.conf file and pass that property in the JAVA_OPTS line. For example:

if [ "x$JAVA_OPTS" = "x" ]; then
   JAVA_OPTS="-server -Xms800m -Xmx800m -Dcom.novell.afw.wf.engine-id=echo"
fi

The install program does not prompt you to specify the workflow engine ID. Therefore, you need to identify the engine by passing the JAVA_OPTS property, as shown above.

28.0 Provisioning request templates are not localized

The Provisioning Request Configuration plug-in has been localized, but the provisioning request templates that are installed with the User Application Driver are not localized.

NOTE: When you create a new provisioning request from a template, you can localize display names and descriptions to suit your application requirements.

29.0 GroupWise WebAccess portlet generates error on page in Internet Explorer

When using the GroupWise® WebAccess portlet and accessing a GroupWise 7.0 server, you receive an “Error on page” when you click the Calendar tab if you are using Internet Explorer 6.x. Firefox works without error. This error will be fixed in a future GroupWise release.

30.0 Workflow requests might cause MySQL to exceed its connection limit

By default, MySQL* sets the maximum number of connections to 100. This number might be too small to handle the workflow request load in a cluster. If the number is too small, you might see the following exception:

(java.sql.SQLException: Data source rejected establishment of connection, message from server: “Too many connections.”)

To increase the maximum number of connections, you need to set the max_connections variable in my.cnf.

31.0 Enabling e-mail notification for workflows without configuring the e-mail server results in memory consumption

If you enable e-mail notification in your provisioning request definitions, but you do not configure any e-mail servers, e-mail notifications pile up on the server and are never sent. This eventually uses up available memory.

If you turn on e-mail notification, be sure to configure the e-mail server so that the e-mails are actually sent. To configure the e-mail server, select Email Server Options under Workflow Administration in iManager.

32.0 Background image locations for themes disappear from view

Background image locations you specify for themes (whether manually or by performing a browse operation) disappear from view immediately after you enter them.

To reproduce:

  1. Go to Administration > Themes > Customize Branding (from any theme).

  2. Browse to a file for the Background Image Location or enter a file by typing the name.

  3. Select a jpg.

The file will flicker and disappear from the screen. The new theme is saved, but the field is empty.

33.0 Minor display problem may occur in Organization Chart on first access

On Novell Linux Desktop (NLD), you might see a minor cosmetic problem when you first display an organization chart. The first time you do a lookup for a user, you might see that the left root node icon is in the middle of the screen by itself and is not aligned with the user. On subsequent viewings, the icon lines up properly.

34.0 Server caching problem might occur with photos in the Detail portlet

If you change the way images are displayed in the Detail portlet header by specifying the $IMG: tag, you must flush the CompiledLayout cache for the changes to take effect. Follow these steps to flush the cache:

  1. Go to the Administration tab of the user application.

  2. Go to the Caching tab.

  3. Select CompiledLayout from the Flush Cache drop-down list.

  4. Click Flush Cache.

35.0 User allowed to add direct reports to the manager even if the direct report user has another manager assigned

In the Directory Abstraction Layer Editor, the assignment of direct reports is not editable. However, you can turn this editing on. If you do, you need to be aware of two things:

  • This might allow users to define multiple managers for an employee.
  • You might end up with a circular reporting structure.

This problem arises only when an administrator is logged in to the User Application. For other users, the directReport attribute is not viewable, and, therefore, does not show up on the Detail portlet in edit mode.

Steps to reproduce:

  1. Log in as an administrator.

  2. Select any manager and specify that you want to edit the information for that manager.

  3. Add a user who has another manager as the first manager’s direct report. For example, you might add ablake as a direct report to jmiller, even though ablake already reports to mmackenzie.

  4. Save your changes.

  5. Go to the Organization Chart view, or search for ablake and try to present information for this employee.

The following error displays:

Error getting object: cn=ablake,ou=users,ou=idmsample-polina,o=novell. The definition for attribute key manager is single-valued, and multiple values exist.

36.0 Expired Delegate and Proxy definitions are not automatically deleted, preventing new definitions with the same principals from being created

Identity Manager prevents the creation of new Delegate and Proxy definitions with principals that are identical to an existing Delegate or Proxy definition. This includes expired Delegate and Proxy definitions, which are not displayed in the User Application, and are not automatically deleted from the system. This can lead to a user attempting to create a new Delegate or Proxy definition with the same principals as an expired definition, which creates an error. The error message displayed in the User Application is similar to the following:

Failed to submit proxy assignment with id = [apwaNewDetailId].security violation: com.sssw.fw.exception.EboSecurityException:Invalid proxy definition. Proxy Definition: name: cn=726dbba6d8a049ebbd4782973dd4f417,cn=ProxyDefs,cn=AppConfig,cn=afdriver,cn=driverset,ou=idmsample,o=novell assign from users: cn=UserAppAdmin,o=novell assign from containers: o=novell assign to users: cn=mmackenzie,ou=users,ou=idmsample,o=novell expiration: 20051206172200Z A duplicate definition exists.

We recommend that, in this release, you do not use the Proxy or Delegate Assignment expiration feature (in other words, when you create a Proxy or Delegate assignment, select the “No Expiration” option). If you do use the expiration feature, change the expiration date in Proxy or Delegate Assignment before the assignment expires. If your assignment expires before you are able to change it, you can work around the problem by using an LDAP editor to delete the Proxy or Delegate Assignment definition.

  1. Navigate to your User Application driver object.

  2. Navigate to the AppConfig object in the User Application driver object.

  3. Navigate to the ProxyDefs or DelegateeDefs object in the AppConfig object.

  4. Locate the definition that you want to delete in the ProxyDefs or DelegateeDefs object. For help in locating the definition, check the values of the srvprvAssignToUser, srvprvAssignFromUser, and srvprvAssignExpiration attributes. The srvprvAssignExpiration attribute stores the expiration date of the definition in UTC (Coordinated Universal Time) format.

  5. Delete the Proxy or Delegate Assignment definition.
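
A read-only way to carry out step 4, as an added example (not a Novell tool): it scans an LDIF export of the ProxyDefs and DelegateeDefs containers and lists the definitions whose srvprvAssignExpiration lies in the past. The LDIF is constructed (the first entry reuses the values from the error message above); treating a missing srvprvAssignExpiration as "No Expiration", the cn= naming of the DelegateeDefs container and the naive comma split of DNs are assumptions.

```python
import base64
from datetime import datetime, timezone

# Constructed LDIF export. The first DN is folded, as LDIF tools often do.
SAMPLE_LDIF = """\
dn: cn=726dbba6d8a049ebbd4782973dd4f417,cn=ProxyDefs,cn=AppConfig,cn=afdriver,
 cn=driverset,ou=idmsample,o=novell
srvprvAssignFromUser: cn=UserAppAdmin,o=novell
srvprvAssignToUser: cn=mmackenzie,ou=users,ou=idmsample,o=novell
srvprvAssignExpiration: 20051206172200Z

dn: cn=constructed-0002,cn=ProxyDefs,cn=AppConfig,cn=afdriver,cn=driverset,ou=idmsample,o=novell
srvprvAssignFromUser: cn=UserAppAdmin,o=novell
srvprvAssignToUser: cn=ablake,ou=users,ou=idmsample,o=novell
srvprvAssignExpiration: 20991231000000Z

dn: cn=constructed-0003,cn=DelegateeDefs,cn=AppConfig,cn=afdriver,cn=driverset,ou=idmsample,o=novell
srvprvAssignFromUser: cn=jmiller,ou=users,ou=idmsample,o=novell
srvprvAssignToUser: cn=ablake,ou=users,ou=idmsample,o=novell
"""

CONTAINERS = ("cn=proxydefs", "cn=delegateedefs")


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lower case): [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def parse_expiration(value):
    """srvprvAssignExpiration is stored as UTC, e.g. 20051206172200Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expired_definitions(ldif_text, now):
    """Return Proxy/Delegate definitions whose expiration is at or before `now`."""
    hits = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        # Naive split: DNs with escaped commas are not handled (assumption).
        rdns = [rdn.strip().lower() for rdn in dn.split(",")]
        if len(rdns) < 2 or rdns[1] not in CONTAINERS:
            continue
        expiration = entry.get("srvprvassignexpiration")
        if not expiration:
            continue                      # assumed to mean "No Expiration"
        expires = parse_expiration(expiration[0])
        if expires <= now:
            hits.append({
                "dn": dn,
                "assign_from": entry.get("srvprvassignfromuser", [None])[0],
                "assign_to": entry.get("srvprvassigntouser", [None])[0],
                "expires": expires,
            })
    return hits


if __name__ == "__main__":
    for hit in expired_definitions(SAMPLE_LDIF, datetime.now(timezone.utc)):
        print(hit["expires"].isoformat(), hit["dn"])
```
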

37.0 NoClassDefFoundError might occur when application server is unable to connect to eDirectory server

If you start the application server without first having a network connection, you might see a NoClassDefFoundError in the stack trace and be unable to connect to the eDirectory server. After establishing a network connection, you might still be unable to connect to eDirectory. In this case, you need to restart the application server.

If you have a network connection when the server starts, the application server runs without errors, and is able to recover if you subsequently lose the network connection.

38.0 Selecting the Custom install set to use an existing database

If you want to use an existing database with the user application, you must select the Custom install set. After you have selected Custom and the IDM User Application, you are prompted to provide connection information about the existing database. See the section on installing the user application in the Identity Manager 3 Installation Guide.

39.0 The database name does not get updated in database-ds.xml for Custom install of user application

When you perform a Custom installation of the user application, the database name is not updated in the database-ds.xml file. To work around this problem:

  1. Shut down the JBoss server.

  2. Open the file %APPLICATION_NAME%-ds.xml under %INSTALL_DIR%/jboss/server/%APPLICATION_NAME%/deploy.

  3. In the <connection-url> tag, change the text "DatabaseName=IDM" to "DatabaseName=%your_database_name%".

  4. Save your modification.

  5. Start the JBoss server.

The following example shows the MyApp-ds.xml file. In this example, the database name is "mydatabase":

<datasources>
   <local-tx-datasource>
      <jndi-name>MyApp</jndi-name>
      <connection-url>jdbc:microsoft:sqlserver://Contusion:1433;DatabaseName=mydatabase</connection-url>
      <driver-class>com.microsoft.jdbc.sqlserver.SQLServerDriver</driver-class>
      <user-name>mydatabase</user-name>
      <password>mydatabase</password>
   </local-tx-datasource>
</datasources>

40.0 Localization Effort is Ongoing

There are some instances in the Identity Manager user application where the localization is not complete. Improvements in localization will continue over time, and will be made available in subsequent releases.

41.0 Portal Data Import utility fails to import pages without descriptions

The Portal Data Import utility (Administration > Tools > Portal Data Import) uses the shared-pages.xml and container-pages.xml in the Portal Data Export ZIP file to generate container and shared pages, and portlets. If the <description/> element is blank then pages cannot be imported.

To work around this, provide text for the <description/> element and perform the import again.

42.0 Additional documentation is available on JBoss setup

The Identity Manager User Application: Administration Guide contains some information on configuring JBoss. If you need further information on JBoss set up, look at the sources listed below:

43.0 IDM 3 Provisioning User Application Driver update needed

If you installed IDM3 before January 24, 2006, you must update the IDM 3 Provisioning User Application Driver. For download and installation instructions, see TID #10100283.

44.0 Required Attribute rights for Provisioning Request Objects

To use the iManager Provisioning Request Configuration plug-in, you must have read rights and write rights to the attributes associated with the Provisioning Request Objects.

45.0 Recommended JBoss settings for production environments

By default, the JBoss deployment scanner runs every five seconds. For a production server, this is typically not necessary and might impact performance. You should consider turning this off.

Please refer to the JBoss site for more information about tuning for production environments.

46.0 Recommended Workflow cleanup process settings

If you are completing a high volume of workflows each day, it is recommended that you adjust both the CPTIMEOUT and CLEANUP values in the AFENGINE table. (CPTIMEOUT is the number of days a completed entry is retained. CLEANUP is the interval (in milliseconds) that the CLEANUP task is run.)

The default setting for retaining completed workflow information for a request is 120 days. By default, a task to cleanup expired workflow information runs once every 12 hours. The cleanup task requires approximately 5k bytes per expired workflow that needs to be removed.

You need to use a tool provided by your database to update the AFENGINE settings. The SQL for each setting is:

update AFENGINE set CPTIMEOUT=<numberofdays>
update AFENGINE set CLEANUP=<milliseconds>

47.0 Character set encoding support and Tomcat

By default, the user application character encoding filter is set to enabled in the user application's web.xml. This setting typically does not require any specific configuration, but it might require changes if you have configured Tomcat for URI encoding. There are two attributes in the configuration of Tomcat http/https connector that affect charset encoding and filter configuration.

--URIEncoding

This entry specifies the character encoding used to decode the URI bytes, after %xx decoding the URL. If not specified, ISO-8859-1 is used. The requirements for this include:

Both http and https connectors have the same configuration.

The charset encoding filter should be modified to include the uri-encoding init parameter. The value of this parameter should be the same as the value of the URIEncoding attribute in the Tomcat connector configuration.

<filter>
  <filter-name>AggregationServletEncFilter</filter-name>
  <display-name>AggregationServletEncFilter</display-name>
  <filter-class>com.novell.afw.portal.l18n.CharacterEncodingFilter</filter-class>
  <init-param>
    <param-name>uri-encoding</param-name>
    <param-value>UTF-8</param-value>
  </init-param>
</filter>

--useBodyEncodingForURI

This entry specifies whether the encoding specified in contentType should be used for URI query parameters instead of using the URIEncoding. This setting is present for compatibility with Tomcat 4.1.x, where the encoding is specified in the contentType, or explicitly set using Request.setCharacterEncoding method for the parameters from the URL. The default value is false.

If useBodyEncodingForURI is set to true the filter configuration should include the use-body-encoding init parameter, for example:

<filter>
  <filter-name>AggregationServletEncFilter</filter-name>
  <display-name>AggregationServletEncFilter</display-name>
  <filter-class>com.novell.afw.portal.l18n.CharacterEncodingFilter</filter-class>
  <init-param>
    <param-name>use-body-encoding</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

For more details, see this Web site on Tomcat connector configuration information.
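The requirements in this section (identical http and https connector settings, a filter uri-encoding that matches URIEncoding, and use-body-encoding when useBodyEncodingForURI is true) can be checked mechanically so that the connector and the filter never decode the same request under different charsets. The following Python check is an added example, not part of the Novell readme or product; the sample server.xml and web.xml fragments are constructed, and treating a filter without uri-encoding as ISO-8859-1 is an assumption.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "com.novell.afw.portal.l18n.CharacterEncodingFilter"
DEFAULT_URI_ENCODING = "ISO-8859-1"  # Tomcat default stated in the readme
# Constructed sample inputs, not taken from a real deployment.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" URIEncoding="UTF-8"/>
  <Connector port="8443" scheme="https" useBodyEncodingForURI="true"/>
</Service></Server>"""
WEB_XML = """<web-app><filter>
  <filter-name>AggregationServletEncFilter</filter-name>
  <filter-class>com.novell.afw.portal.l18n.CharacterEncodingFilter</filter-class>
  <init-param><param-name>uri-encoding</param-name><param-value>ISO-8859-1</param-value></init-param>
</filter></web-app>"""

def local(tag):  # drop an XML namespace; web.xml may or may not declare one
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), None)

def filter_params(web_xml):
    """init-params of the character encoding filter, or None if undeclared."""
    for flt in ET.fromstring(web_xml).iter():
        if local(flt.tag) == "filter" and child_text(flt, "filter-class") == FILTER_CLASS:
            return {child_text(p, "param-name"): child_text(p, "param-value")
                    for p in flt if local(p.tag) == "init-param"}
    return None

def check(server_xml, web_xml):
    """Return findings for the http/https connectors; an empty list means the files agree."""
    conns = [c for c in ET.fromstring(server_xml).iter("Connector") if "AJP" not in c.get("protocol", "")]
    uri = {c.get("URIEncoding", DEFAULT_URI_ENCODING).upper() for c in conns}
    body = {c.get("useBodyEncodingForURI", "false").lower() for c in conns}
    findings = []
    if len(uri) > 1 or len(body) > 1:
        findings.append("http and https connectors are configured differently")
    params = filter_params(web_xml)
    if params is None:
        return findings + ["CharacterEncodingFilter is not declared in web.xml"]
    declared = params.get("uri-encoding")
    # Assumption: a filter without uri-encoding is compared against the Tomcat default.
    want = (declared or DEFAULT_URI_ENCODING).upper()
    for enc in sorted(uri - {want}):
        findings.append(f"connector URIEncoding={enc}, filter uri-encoding={declared or 'unset'}")
    if "true" in body and (params.get("use-body-encoding") or "").lower() != "true":
        findings.append("useBodyEncodingForURI=true, filter lacks use-body-encoding=true")
    return findings
```

Calling check(SERVER_XML, WEB_XML) on the constructed sample reports all three problems; pass it the contents of the real server.xml and the user application's web.xml to audit a deployment.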

48.0 User Application and cookie requirements

The User Application requires that you enable cookies in your browser settings.

49.0 Designer: Importing an extremely large project from the file system might cause problems

You might encounter problems with Designer if you import an extremely large project. To work around this problem, increase Designer's heap size. The heap size is specified using the -Xmx parameter at startup. A heap size of 512m is recommended.

To set heap size on Windows: Open the Designer for Identity Manager shortcut properties. Look in the Target field for the -Xmx startup parameter. Increase this value to increase Designer's heap size.

To set heap size on Linux: Open the StartDesigner.sh file in an editor and search for -Xmx. Increase this value to increase the Designer's heap size.

50.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

51.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

You may not use, export, or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

Copyright © 2005 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

eDirectory is a trademark of Novell, Inc.

GroupWise is a registered trademark of Novell, Inc., in the United States and other countries.

NMAS is a registered trademark of Novell, Inc., in the United States and other countries.

Novell is a registered trademark of Novell, Inc., in the United States and other countries.

NDS is a registered trademark of Novell, Inc., in the United States and other countries.

SUSE is a registered trademark of Novell, Inc. in the United States and other countries.

All third-party trademarks are the property of their respective owners.