Novell Identity Manager 3.5 Readme

Last updated July 10, 2007


1.0 Documentation

This document contains the known issues for Identity Manager version 3.5.

These additional documentation resources are currently available:

2.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

3.0 System Requirements for Identity Manager 3.5

This section describes system requirements for Identity Manager 3.5:

3.1 Supported Server Operating Systems

Identity Manager 3.5 supports the server operating systems listed in Table 1.

Table 1 Identity Manager 3.5: Supported Server Operating Systems

Server OS             | 32-Bit OS on 32-Bit Processor | 32-Bit OS on 64-Bit Processor | 64-Bit OS on 64-Bit Processor
----------------------|-------------------------------|-------------------------------|------------------------------
NetWare 6.5 SP6       |                               |                               |
OES 1.0 NetWare       |                               |                               |
Windows NT            |                               |                               |
Windows 2000 Server   |                               |                               |
Windows Server 2003   |                               |                               |
Red Hat Linux AS 3.0  |                               |                               |
Red Hat Linux AS 4.0  |                               |                               |
OES 1.0 Linux         |                               |                               |
Solaris 9             |                               |                               |
Solaris 10            |                               |                               |
AIX 5.2L              |                               |                               |
AIX 5.3               |                               |                               |

Windows Server 2003: Password Sync is supported, but other components, including the Metadirectory Engine, are not, in this release.
32-bit processors for Linux (Red Hat and SLES), NetWare, and Windows operating systems are:

  • Intel x86-32

  • AMD x86-32

64-bit processors for Linux (Red Hat and SLES), NetWare, and Windows operating systems are:

  • Intel EM64T

  • AMD Athlon64

  • AMD Opteron

3.2 Metadirectory Engine Platforms

Identity Manager 3.5 supports the following Metadirectory engine platforms:

  • NetWare 6.5 with the latest SP (with eDirectory 8.7.3 or 8.8.1)

  • OES 1.0 NetWare SP2 (with eDirectory 8.7.3 or 8.8.1)

  • Windows NT (with eDirectory 8.7.3, 8.8 SP2, or Remote Loader)

  • Windows 2000 Server SP (with eDirectory 8.7.3, 8.8.1, or Remote Loader)

  • Windows Server 2003 SP (with eDirectory 8.7.3, 8.8.1, or Remote Loader)

  • Red Hat Linux AS 3.0 (with eDirectory 8.7.3, 8.8, or Remote Loader)

  • Red Hat Linux AS 4.0 - 64-bit edition (with eDirectory 8.7.3, 8.8.1, or Remote Loader)

  • SLES 8 (with eDirectory 8.7.3 or Remote Loader)

  • SLES 9 (with eDirectory 8.7.3, 8.8.1, or Remote Loader)

  • SLES 10 (with eDirectory 8.8.1 or Remote Loader) (XEN virtualization is not available.)

  • OES 1.0 Linux (with eDirectory 8.7.3, 8.8.1, or Remote Loader)

  • Solaris 8 (with eDirectory 8.7.3 or Remote Loader) (eDirectory 8.8.x is not supported on Solaris 8)

  • Solaris 9 (with eDirectory 8.7.3, 8.8.1, or Remote Loader)

  • Solaris 10 (with eDirectory 8.8.1 or Remote Loader)

  • AIX 5.2L (with eDirectory 8.7.3, 8.8.1, or Remote Loader)

  • AIX 5.3 (with eDirectory 8.8.1 or Remote Loader) Delayed support: IDM 3.5 will be validated on AIX 5.3 after eDirectory 8.8.2 ships.

Additional conditions on support are:

  1. IDM 3.5 supports two eDirectory 8.8.x features:

    • Multi-instance

    • Encrypted attributes

  2. IDM 3.5 does not support instances of eDirectory installed through the non-root installation mechanism.

3.3 User Application

The Identity Manager 3.5 Metadirectory engine requires the Identity Manager 3.5 User Application. The Identity Manager 3.0 User Application and the Identity Manager 3.0.1 User Application do not work with the Identity Manager 3.5 Metadirectory. See also Section 5.0, Migrating from Previous Versions of Identity Manager.

3.4 Java

Identity Manager 3.5 uses these Java versions:

  • The User Application requires Java 5.0.10 to support Digital signing and Cryptovision.

  • The iManager afadmin.jar file is built separately without Java 5 features.

  • The Metadirectory Engine uses Java 1.4.x to ensure compatibility with NetWare. (Java 5 is not available on NetWare.)

The Java 5 runtime is shipped with the Metadirectory Engine on all platforms except NetWare.

3.5 Administration Server Platforms

The administration server, iManager 2.6, requires one of the following platforms:

  • NetWare 6.5

  • OES 1.0 SP2 on NetWare

  • Windows 2000 Server SP4

  • Windows Server 2003

  • Windows XP Professional SP2 (iManager workstation only)

  • Red Hat Linux AS 3.0

  • Red Hat Linux AS 4.0 - 64-bit edition (eDirectory 8.8.1 supports 64-bit Red Hat Linux AS 4.0)

  • Red Hat Enterprise Linux Workstation (iManager workstation only)

  • SLES 8 SP4 (support dropped)

  • SLES 9 SP2

  • SLES 10 (Code 10) (iManager 2.5 is not supported on SLES 10.)

  • SUSE Linux 9.1 (iManager workstation only)

  • SUSE Linux 9.3 (iManager workstation only)

  • OES 1.0 SP2 on Linux

  • Solaris 9

  • Solaris 10

3.6 Novell Audit

Identity Manager 3.5 supports Novell Audit 2.0.2.

3.7 Supported Browsers

The following browsers are supported by the Identity Manager 3.5 versions of iManager and the User Application:

  • Internet Explorer 6 SP 1

  • Internet Explorer 7 on Vista

  • Firefox 2

3.8 Application Server Platforms

Supported platforms for application servers include:

  • SLES 9

  • SLES 10

  • Windows 2000 Server

  • Windows Server 2003

  • Solaris 10

3.9 Database Platforms

Supported databases include:

  • MySQL 5.0.x

  • Oracle 9i

  • Oracle 10g

  • MS SQL 2005

3.9.1 Hibernate Exception

Using the Oracle 9i driver creates the following exception: org.hibernate.exception.GenericJDBCException: could not insert: []

To avoid this problem, use the Oracle 10g drivers: ojdbc14.jar and orai18n.jar. These drivers are backward compatible to Oracle 9i.

4.0 Identity Manager Installation

The following section describes installation bugs and workarounds if available.

4.1 GUI Install fails on Solaris 9 and 10 when using eDirectory 8.8.1

The GUI install fails on Solaris 9 and 10 when using eDirectory 8.8.1. Workarounds:

  • Run the text-based installation program.

  • Use eDirectory 8.8.2, which will contain the fix for this issue.

4.2 Configupdate Script Fails After Adding Files to the WAR

The script fails after you manually add custom files to an IDM.war, if the WAR was created with the jar binary in /usr/bin/jar distributed in SLES 9. The error is:

DEBUG===WAR invalid entry compressed size (expected 16176 but got 16177 bytes) at Source) at Source)

To solve or prevent the problem, use a newer version of jar to create the WAR, as in this example:

  /usr/lib/java/bin/jar -cvf IDM.war *
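The "invalid entry compressed size (expected N but got N+1 bytes)" message comes from java.util.zip when an entry's declared compressed size does not match what is actually in the archive. As an added example (not Novell's tooling or part of this readme), the Python script below catches the common form of that damage, a local file header whose size or CRC fields disagree with the central directory, and also reads every entry so CRC and deflate errors surface before configupdate or deployment. The WAR it builds is a constructed sample; build_sample_war(corrupt=True) patches one local header so the compressed size is off by one byte, reproducing the symptom.

```python
import io
import struct
import zipfile
import zlib

# Layout of a ZIP local file header (PKZIP APPNOTE 4.3.7): signature, version,
# flags, method, mod time, mod date, CRC-32, compressed size, uncompressed
# size, file-name length, extra-field length: 30 bytes in total.
LOCAL_HEADER = struct.Struct('<4sHHHHHIIIHH')
COMPRESSED_SIZE_OFFSET = 18      # byte offset of the compressed-size field


def local_header(data, info):
    """Return (flags, crc, compressed, uncompressed) from the local header
    that the central-directory entry `info` points at."""
    fields = LOCAL_HEADER.unpack_from(data, info.header_offset)
    sig, flags, crc, csize, usize = fields[0], fields[2], fields[6], fields[7], fields[8]
    if sig != b'PK\x03\x04':
        raise ValueError('%s: bad local header signature' % info.filename)
    return flags, crc, csize, usize


def check_war(data):
    """Compare every central-directory entry with its local header, then read
    the entry. Returns a list of (filename, field, central_value, local_value)
    mismatches; an empty list means the archive is internally consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            flags, crc, csize, usize = local_header(data, info)
            if not flags & 0x0008:
                # Bit 3 set means sizes/CRC live in a trailing data descriptor
                # and the local header may legitimately hold zeros.
                for field, central, local in (
                    ('compressed size', info.compress_size, csize),
                    ('uncompressed size', info.file_size, usize),
                    ('crc', info.CRC, crc),
                ):
                    if central != local:
                        problems.append((info.filename, field, central, local))
            try:
                zf.read(info)            # verifies CRC and the deflate stream
            except (zipfile.BadZipFile, zlib.error) as exc:
                problems.append((info.filename, 'content', str(exc), None))
    return problems


def build_sample_war(corrupt=False):
    """Constructed sample WAR (not a real IDM.war). With corrupt=True the
    local header of index.html is patched so its compressed size is one
    byte larger than the central directory says."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('WEB-INF/web.xml', '<web-app/>\n' * 40)
        zf.writestr('index.html', '<html>hello</html>\n' * 50)
    data = bytearray(buf.getvalue())
    if corrupt:
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            info = zf.getinfo('index.html')
        struct.pack_into('<I', data, info.header_offset + COMPRESSED_SIZE_OFFSET,
                         info.compress_size + 1)
    return bytes(data)


if __name__ == '__main__':
    for label, war in (('clean', build_sample_war()), ('corrupt', build_sample_war(True))):
        print(label, check_war(war) or 'OK')
```

To check a real archive, pass the bytes of IDM.war to check_war(); a non-empty result means the WAR should be rebuilt with a working jar before it is handed to configupdate.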

4.3 Failed to Set Up Clustering

The following warning message can appear when you start the User Application using the default JBoss server configuration:

WARN [TomcatDeployer] Failed to setup clustering, clustering disabled. NoClassDefFoundError: org/jboss/cache/CacheException

If you chose the default configuration (single-node) during the user application installation, you can disregard this message. This message comes from the JBoss application server. It indicates that although the Identity Manager User Application can support clustering, your chosen application server configuration does not support clustering.

4.4 Assigning Administrator Roles

The first time you assign the User Application Administrator and the Provisioning Administrator roles, in the user application configuration file, IDM writes the assignments into the WAR. When you deploy the User Application, the assignment is written into your database. Thereafter, to change this assignment, use the Administration > Security pages within the User Application.

4.5 Special characters in password cause schema extension problem during install

If your Identity Manager installation account password contains special characters, you might see the schema extension fail. You should install using a different account or change your password.

4.6 User Application & Access Manager Simultaneous Logout

The most recent versions of Access Manager might not support the default URL path for the ICS Logout Page, found under iChain Settings on the Show Advanced Options page when you configure the User Application. If the default URL path of https://yourIChainServer/cmd/ICSLogout does not work, try https://yourAccessManagerServer/AGLogout.

5.0 Migrating from Previous Versions of Identity Manager

This section describes the process of migrating from Identity Manager 3.0 or 3.0.1 to Identity Manager 3.5.

5.1 Overview

The migration process is performed in a number of steps, using several installers and utilities. The migration process consists of the following steps, in the order given. Each of these steps is described in greater detail in the following paragraphs.

  1. Install Identity Manager.

  2. Migrate the user application drivers

  3. Create Team Definitions

  4. Install the user application

NOTE: Before beginning the migration process, make directory and database backups of your Identity Manager system.

5.2 Install Identity Manager

The first step of the migration process is to install Identity Manager 3.5. Before installing Identity Manager 3.5, ensure that your system configuration meets the requirements for Identity Manager 3.5 (see “Identity Manager System Components and Requirements” in the Identity Manager 3.5 Installation Guide). During the installation, the Identity Manager 3.5 installer makes the schema changes necessary to support the Identity Manager 3.5 user application.

NOTE: The Metadirectory and the Administration server must be installed separately, or the installation will hang. Install the Metadirectory first by unchecking Identity Manager Web Components and Utilities in the components selection panel in the Identity Manager installation program. When the installation is complete, run the installation program again; this time uncheck Novell Identity Manager Metadirectory Server and check both Identity Manager Web Components and Utilities.

5.3 Migrate User Application Drivers

Any user application drivers that you want to use in Identity Manager 3.5 must be migrated. To migrate a user application driver:

  1. Install Identity Manager Designer Version 2.0 M5 or later.

  2. Create a new provisioning project, which will be used to store the local representations of the artifacts that are located on your Metadirectory server (see “Setting up a Provisioning Project” in the Identity Manager User Application: Design Guide).

  3. Import the Driver set that contains the user application drivers that you want to migrate (see “Importing Provisioning Objects” in the Identity Manager User Application: Design Guide).

  4. Make a backup copy of the new provisioning project as follows:

    1. Right-click the name of the project in Project view, then select Copy Project.

    2. In the Copy Project dialog box, type a new Project Name (or accept the default name), then click OK.

  5. Click the name of the project that you want to migrate, then click the Provisioning View tab.

  6. Click the plus (+) sign next to the name of the project to show the list of user application drivers in the project.

  7. Right-click the name of the driver that you want to migrate and select Migrate from the context menu.

    This will migrate the local definition of the driver, found in the IDM Designer workspace. These changes will not be reflected on the Metadirectory server until a later step when you deploy the changes.

  8. When the migration is completed, a dialog box is displayed that lists all migrated objects and any errors encountered during the migration. You can perform several operations using this dialog box:

    • To revert to the original user application configuration (for example, if errors occurred during the migration) click the Undo Migration button.

    • To save the contents of the dialog box in a migration log file, click the floppy disk icon in the upper right corner of the dialog box.

    • To deploy the migrated configuration directly from the Migration dialog box, select Deploy Migrated User Application Configuration.

      If you select this option, the migrated driver is validated before it is deployed. If you don’t select this option, you should run the Project Checker on the migrated driver.

    Select the desired options in the Migration dialog box, then click OK.

  9. If you do not deploy directly from the migration dialog box, run the Project Checker on migrated objects (see “Validating Objects” in the Identity Manager User Application: Design Guide).

    If validation errors exist for the configuration, you are informed of the errors, which must be corrected before the driver can be deployed.

  10. If you do not deploy directly from the migration dialog box, deploy the driver by right-clicking the name of the driver and selecting Deploy.

    After the migration, the project is in a state in which only the entire migrated configuration can be deployed. You also cannot import any definitions into the migrated configuration. Once the entire migrated configuration has been deployed, this restriction is lifted and you can deploy individual objects and import definitions.

  11. Repeat these steps for each user application driver in the driver set that you want to use in Identity Manager 3.5.

5.4 Create Team Definitions

Identity Manager 3.5 provides new features for defining teams. If you have no teams defined, the team portions of the user application are not displayed, and team managers cannot perform team-based tasks or make delegation or proxy assignments for their teams. Teams can be defined at any time, but you may want to define them during the migration so that the transition to Identity Manager 3.5 is consistent. You define teams with the Provisioning Teams iManager plug-in, found in iManager under Roles and Tasks > Provisioning Configuration > Provisioning Teams.

NOTE: If you want team membership to be based on a directory relationship, use Designer to add a relationship (see “Working with Relationships” in the Identity Manager User Application: Design Guide). On the details page for the relationship, select the Used by Team Management option.

5.5 Install the User Application

The user application installer upgrades your user application and migrates data from the Version 3.0 or 3.0.1 database to the database used for Version 3.5. The user application installer makes a backup copy of your user application war file, installs the new user application war file, and migrates data from your user application database to XML files. The data is loaded from the XML files to your new user application database the first time that you start the Version 3.5 user application, completing the data migration.

Before you upgrade the user application, make sure that all prerequisites to installing the Identity Manager 3.5 user application have been completed (see “Installing the User Application” in the Identity Manager 3.5 Installation Guide).

The following installation steps are specific to installations in which you are migrating data from Identity Manager 3.0 or 3.0.1 user application databases.

  1. Make sure that the database server for the Version 3.0/3.0.1 user application is running, and that the Version 3.0/3.0.1 user application is not running.

  2. Start the Version 3.5 user application installation program (see the Identity Manager 3.5 Installation Guide).

    When the user application installation program starts, it displays a screen that asks you if you would like to migrate your database data from a previous installation.

  3. Select the Yes option.

  4. Use the Choose button to navigate to the file in the IDM 3.0/3.0.1 user application installation directory.

    Specifying the location of the file from your previous installation reduces the number of items that you have to specify in the following screens.

  5. Click Next to proceed with the installation.

    The rest of the installation proceeds as described in the Identity Manager 3.5 Installation Guide.

    The installation program exports data from your version 3.0 or 3.0.1 database, and stores the data in XML files. When you start the Version 3.5 user application for the first time, the data extracted from your version 3.0 or 3.0.1 database is imported into your version 3.5 database.

6.0 User Application: User Interface

6.1 Backslashes in Entity Names Are Multiplied

If you create an entity such as a user in the User Application and include a backslash in the name, the backslash is multiplied in the full DN; for example, myusername\ becomes myusername\\\. This is a known bug. To work around it, avoid using backslashes in entity names.

6.2 Tip for deleting and adding groups for a user profile through the Detail Page

In the Identity Manager User Application, under the Identity Self-Service tab, delete and add groups on the group attribute as separate operations. If you remove one group and add another in a single operation, the deleted group name reappears when you click the + (add) button.

6.3 Can’t log in as two different users in Firefox at the same time

In the user application, if you log in as User A using a Mozilla-family browser (Firefox*, Netscape*, or Mozilla*), then open another browser instance (of the same kind of browser) and log in as User B, you might see information for User B when going back to the first browser instance. This is because browser instances are sharing (and overwriting) the same cookie. This behavior is specific to Mozilla-family browsers; it does not occur with Internet Explorer.

6.4 Using Organization Chart HTMLEditor in Firefox causes exceptions

Exceptions may occur in Firefox on Cut, Paste, Copy operations when using the HTMLEditor within Orgchart preferences. Mozilla doesn’t allow scripts to access the clipboard for security reasons. Therefore, the cut, copy, and paste buttons aren’t available in Firefox.

In Firefox, you can download an extension named Allow Clipboard Helper via Tools > Extensions, which leads you to the extension download Web site.

After the download, Allow Clipboard Helper appears under the Firefox Tools menu.

Open it, enter the server address that you want to grant clipboard access, then click Allow. You can add as many Web sites as you like. Grant this access only to the User Application server's address, because any site on the list can read whatever is on the clipboard. Close all Firefox windows and restart Firefox; cut, copy, and paste should then work in Firefox.

6.5 Users should have proper eDirectory rights to create users and groups

When logging into the IDM User Application, there is a link on left menu to create a user. In order to create users, you must have the necessary eDirectory rights to add entries to the directory. Because the IDM User Application has existing eDirectory users, those users should already have the necessary rights.

  1. In iManager, click View Objects.

  2. Browse to the object that contains your user container (for example, MySample.novell) and click Modify Trustees.

  3. Add a trustee (for example, MySample.novell) and change the assigned rights.

  4. Under [Entry Rights], select Create. Leave the other fields at their default values, then click Save.

Now all of the users in the users.MySample.novell container can create users or groups within MySample. Grant this right to the narrowest trustee that needs it: making a whole container the trustee gives every user in it the ability to create objects there.

6.6 Special Characters in the User Application must be escaped

The User Application supports the same characters as iManager. For information on escaping special characters, refer to the iManager 2.6 Administration Guide, Chapter 3 "Navigating the iManager Interface," Section 3.2, “Special Characters,” on page 20.
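Both the multiplied backslash in Section 6.1 and the escaping rule in Section 6.6 come down to how DN attribute values are escaped. As an added example, not Novell's code and not the iManager rule set itself (this follows the LDAP rules of RFC 4514, which is what eDirectory's LDAP interface speaks; iManager's documented character list may differ in detail), the Python below escapes a raw value for use in an RDN, reverses the escaping, and shows how escaping a value that is already escaped produces the doubled backslashes described above. The user names are constructed.

```python
import re

# Characters that must be escaped inside a DN attribute value (RFC 4514, 2.4).
SPECIAL = set(',+"\\<>;')
HEX_PAIR = re.compile(r'\\([0-9A-Fa-f]{2})')


def escape_dn_value(value):
    """Escape one *raw* attribute value for use in an RDN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')          # a leading '#' would start a hex string
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')          # leading/trailing space is significant
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def unescape_dn_value(value):
    """Inverse of escape_dn_value: handles both '\\c' and '\\XX' (UTF-8 byte) forms."""
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            m = HEX_PAIR.match(value, i)
            if m:
                buf.append(int(m.group(1), 16))
                i += 3
            else:
                buf.extend(value[i + 1].encode('utf-8'))
                i += 2
        else:
            buf.extend(value[i].encode('utf-8'))
            i += 1
    return buf.decode('utf-8')


def build_dn(attr, raw_value, parent_dn):
    """Build an RDN from a raw (unescaped) value and prepend it to parent_dn."""
    return '%s=%s,%s' % (attr, escape_dn_value(raw_value), parent_dn)


def demonstrate_double_escape(raw):
    """Return (escaped once, escaped twice). The second form is what the
    'backslashes are multiplied' symptom looks like: a layer that receives an
    already-escaped value and escapes it again."""
    once = escape_dn_value(raw)
    return once, escape_dn_value(once)


if __name__ == '__main__':
    once, twice = demonstrate_double_escape('myusername\\')   # constructed name
    print(once, twice, unescape_dn_value(twice) == once)
    print(build_dn('cn', 'Smith, John', 'ou=users,o=novell'))
```

The practical rule the example encodes: escape exactly once, at the point where a raw value is turned into a DN, and never hand an already-escaped value to code that escapes again.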

6.7 Logging in without first logging out can cause failure of the login

When a user who is already logged in to the user application loads the login portlet or page from a bookmark or the browser history and tries to log in again, the second login does not set up the new portal session correctly and can fail. To work around this issue, always use the logout link before logging in again.

7.0 User Application: Administration

7.1 Limit the Rights of Accounts

For security, it is advisable to limit the administrator and LDAP guest accounts to the minimum set of rights required to fulfill the intended roles. When assigning the following roles in the User Application (during installation, or with the configupdate utility after installation), specify a separate physical Identity Vault user account for each:

  • LDAP Administrator

  • LDAP Guest (if used)

  • User Application Administrator

  • Provisioning Application Administrator

7.2 Password Policies Are Not Inheritable

Password policies are not inheritable. The User Application Administrator must explicitly apply the password policy to a container in which users are created. Failure to do so can yield this error:

Invalid Secure Password Manager (SPM) request. If the problem persists, contact your System Administrator.

7.3 Setting SSL Configuration Parameters

Setting the Secure Administration Connection and the Secure User Connection parameters in the configupdate utility allows operations that don't need SSL to operate without SSL. Operations that require SSL, such as password functionality, still use SSL.

7.4 Redirected User Can Bypass Authentication Checks

If a user is redirected after login to change the password or challenge response hint, the user can type a URL of the portal and bypass the authentication checks until next login. This is a known bug without a workaround at this time.

7.5 Browse Button Crashes configupdate Utility on Windows

The File Browse button in the configupdate utility sometimes crashes JVM on Windows XP SP2. To work around this problem, type the full file pathname rather than using the File Browse button.

7.6 User Application Driver Requires Activation

When the Application Server is down and you restart the activated User Application driver, the driver activation status can display as requiring activation even though the activation credentials have been loaded against the driver. This is a known bug. To avoid or resolve this problem, start the User Application driver after the User Application server is started and available.

7.7 JGroups problem requires upgrade to JGroups 2.4.x

There is a problem in the version of JGroups (Version 2.2.7) that is included in JBoss 4.0.5 GA that can cause performance problems in a clustered environment. For details about the problem, see Deadlock - JIRA. The issue is resolved in JGroups 2.4. We recommend upgrading to JGroups 2.4 or higher to avoid the problem described in JGRP-292.

Before upgrading to JGroups 2.4.x (or before upgrading any other component in the JBoss install), consult the compatibility list provided by the JBoss Application Server, JBossCache and JGroups Compatibility Matrix.

For downloads and information about JGroups see JGroups - The JGroups Project.

7.8 java.util.NoSuchElementException Exception

A java.util.NoSuchElementException exception can occur while the User Application is running in a cluster. This exception is a known issue in JBoss and has been fixed in a higher release. Refer to the JBoss Web site for more information.

Here is an example of the stack trace that occurs for this issue:

2007-02-06 14:23:58,231 ERROR [org.jboss.web.tomcat.tc5.session.JBossCacheManager:processExpires] processExpires: failed with exception: java.util.NoSuchElementException
java.util.NoSuchElementException
        at EDU.oswego.cs.dl.util.concurrent.ConcurrentHashMap$
        at java.util.AbstractCollection.toArray(
        at org.jboss.web.tomcat.tc5.session.JBossCacheManager.findLocalSessions(
        at org.jboss.web.tomcat.tc5.session.JBossCacheManager.processExpires(
        at org.jboss.web.tomcat.tc5.session.JBossManager.backgroundProcess(
        at org.apache.catalina.core.ContainerBase.backgroundProcess(
        at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(
        at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(
        at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(
        at org.apache.catalina.core.ContainerBase$
        at

7.9 Sensitive Data in User Session is not Encrypted

Sensitive data (for example, a login-password for single sign-on) in the user session is not encrypted in this release. This may expose sensitive data to network sniffers. To protect sensitive data that is temporarily stored in the user session and that may be transmitted over the network during session replication in a clustered environment, you need to perform one of the following:

  • Enable encryption for JGroups. For information about enabling JGroups encryption, see JGroups Encrypt.

  • Make sure that the cluster is behind a firewall.

7.10 Initial password expiration for new users or groups is now configurable

Administrators can now configure the initial password expiration for new users. To do so, edit the Create Portlet Preferences as documented in the Identity Manager User Application: Administration Guide.

Specify an Expire password on initial login preference.

  • True expires the password upon the new user's first login.

  • False (the default) uses the eDirectory settings to determine when the password expires.

7.11 Using SOAP to override the default retention period for workflows

The default setting for retaining completed workflow information is 120 days. However, you can use the SOAP interface to the Workflow Engine to change this setting. To access the SOAP interface for the Workflow Engine, type this URL in a browser:


When you see the page that lists the Workflow Engine methods you can call, select the setCompletedProcessTimeout method. The parameter you pass to this method changes the retention period. The value you specify must be in milliseconds.

7.12 A workflow fails to trigger from an eDirectory event

A single quote in a workflow CN prevents an eDirectory event from triggering that workflow. Avoid using a single quote in a workflow Common Name (CN).

7.13 Coordinate Identity Manager user application passwords with iManager password policies

The Identity Manager User Application: Administration Guide is missing the following information to help you coordinate Identity Manager user application passwords with iManager password policies.

Sections 19.3.1 and 19.7.1 describing the Universal Password requirement: “If Universal Password is enabled, open iManager and go to Passwords > Password Policies > Universal Password > Configuration Options. Make sure the following option is checked: Verify whether existing passwords comply with the password policy (verification occurs on login).”

Section 16.2.1 describing the Container for Create property: “If you use the Create portlet to create users and want to assign the users to an iManager password policy, also assign the specified container to the same iManager password policy. This ensures that users created in the user application are automatically assigned to the default iManager password policy.”

7.14 LDAP port must be set in ForgotPasswordPortlet

On your User Application Server (JBoss server), when using the User Application login page, if you click the Forgotten Password link and enter the user name, the portal might return the following error message on the JBoss console and not redirect:

08:59:17,962 ERROR [EboPortletProxyHelper] The portlet entity does not exist com.novell.afw.portal.aggregation.EboPortletInfoBean: id [portal-general] iid [-1] timeout [-1] multithread [false]

The error results from the ldap-sslport preference in the ForgotPasswordPortlet portlet using the standard default TLS (ldaps) port of 636 instead of the port configured for your LDAP server’s secure connection. The eDirectory administrator has probably changed the default secure LDAP port on the eDirectory instance to a non-standard port. eDirectory administrators commonly change the LDAP ports when running eDirectory on the same physical hardware as other LDAP-enabled systems such as Active Directory*.

If your secure LDAP (TLS) configuration uses a port other than 636, change the ldap-sslport preference in the ForgotPasswordPortlet to the port configured for your secure ldap as follows:

  1. Open the User Application.

  2. Open Administration > Portlet Admin > ForgotPasswordPortlet > ForgotPasswordPortlet instance > Preferences.

  3. Change the value of ldap-sslport from the default port of 636 to the port configured for your LDAP server’s secure LDAP connections.

7.15 Parallel approvals don’t work when addressee for one step refers to another step

In a provisioning workflow that uses parallel processing, the addressee for one approval activity should not refer to the addressee for another approval activity in the flow. The reason for this is that the workflow engine does not have any way to know which step will be executed first, because the activities are being processed in parallel. Furthermore, the iManager plug-in for Provisioning Request Configuration is not able to determine which addressees should be allowed at any point in time. To restrict the list of possible addressees, the plug-in would need to be able to analyze the flow to get the list of upstream activities that have already been completed. This capability is not supported in the plug-in at this time.

7.16 JBoss directory browsing is enabled by default

By default, JBoss allows directory browsing. Therefore, if you type the URL http://server:8080/IDMProv/resources/, the list of resources under this URL is displayed.

If you do not want directory browsing to be enabled, go to jboss-4.0.2\server\<IDM-Application Context>\deploy\jbossweb-tomcat55.sar\conf, and edit the listings entry in the web.xml file:


To suppress the display of resources, change the listings value from true to false.
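As an added example, not code from Identity Manager or JBoss, the Python script below reports whether a Tomcat 5.5-style web.xml has listings enabled on the DefaultServlet and rewrites it to false, adding the init-param explicitly if it is absent so the setting does not depend on the servlet's built-in default. The embedded web.xml is a constructed sample that follows the DefaultServlet init-param layout; to check the real file, read jbossweb-tomcat55.sar/conf/web.xml and pass its text to the same functions.

```python
import xml.etree.ElementTree as ET

J2EE_NS = 'http://java.sun.com/xml/ns/j2ee'

# Constructed sample shaped like the DefaultServlet entry in a Tomcat 5.5
# conf/web.xml; the real file is much longer.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit('}', 1)[-1]


def _find_listings(root):
    """Return (servlet_element, param_value_element_or_None) for the
    DefaultServlet, or (None, None) if no DefaultServlet is declared."""
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        cls = ''.join((c.text or '') for c in servlet if _local(c.tag) == 'servlet-class')
        if not cls.strip().endswith('DefaultServlet'):
            continue
        for param in servlet:
            if _local(param.tag) != 'init-param':
                continue
            name, value = None, None
            for child in param:
                if _local(child.tag) == 'param-name':
                    name = (child.text or '').strip()
                elif _local(child.tag) == 'param-value':
                    value = child
            if name == 'listings':
                return servlet, value
        return servlet, None
    return None, None


def listings_enabled(xml_text):
    """True if the DefaultServlet explicitly has listings=true."""
    _, value = _find_listings(ET.fromstring(xml_text))
    return value is not None and (value.text or '').strip().lower() == 'true'


def disable_listings(xml_text):
    """Return web.xml text with listings set to false on the DefaultServlet,
    adding the init-param if it is missing so the setting is explicit."""
    ET.register_namespace('', J2EE_NS)
    root = ET.fromstring(xml_text)
    servlet, value = _find_listings(root)
    if servlet is None:
        raise ValueError('no DefaultServlet declared in this web.xml')
    if value is not None:
        value.text = 'false'
    else:
        ns = servlet.tag[:servlet.tag.index('}') + 1] if servlet.tag.startswith('{') else ''
        param = ET.Element(ns + 'init-param')
        ET.SubElement(param, ns + 'param-name').text = 'listings'
        ET.SubElement(param, ns + 'param-value').text = 'false'
        # Keep schema order: init-param entries precede load-on-startup.
        index = len(servlet)
        for i, child in enumerate(servlet):
            if _local(child.tag) in ('load-on-startup', 'run-as', 'security-role-ref'):
                index = i
                break
        servlet.insert(index, param)
    return ET.tostring(root, encoding='unicode')


if __name__ == '__main__':
    print('listings enabled:', listings_enabled(SAMPLE_WEB_XML))
    print(disable_listings(SAMPLE_WEB_XML))
```

After writing the corrected file back, restart JBoss and request http://server:8080/IDMProv/resources/ again; a 404 instead of a listing confirms the change took effect.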

7.17 Service config.xml files contain outdated version numbers

The services for various subsystems within the user application might contain outdated version numbers. You do not need to modify these files to correct the versions.

For example, IDMfw.jar contains the FrameworkService-conf\config.xml file, which has the following entry for the version number:

          <value>040712, Version 5.2.1</value>

7.18 Workflow activity escalation policy might result in workflow failure and process termination

In the Provisioning Request Configuration plug-in to iManager, you can define an escalation policy that redirects a workflow activity to the manager of the original addressee.

If the original addressee is a task group that has more than one manager, the escalation fails. The Provisioning Request Configuration plug-in does not prevent you from defining this type of escalation, so you need to be careful to avoid this type of configuration.

7.19 Starting workflows with SOAP Web Service sometimes causes errors

On Linux*, the default open file limit is not sufficient to support a large number of requests initiated through the SOAP Web Service. The User Application Driver may reach this limit when it uses the Web Service endpoints to trigger workflows in response to directory events.

Linux has a default open file limit of 1024 for each process. If you start the JBoss server with the default setting, you might see errors when more than 40 or 45 requests are started sequentially through the SOAP Web Service interface. After reaching the limit, you may be unable to initiate any more requests for several minutes. In some cases, you might need to restart the JBoss server.

To work around this problem, you can increase the open file limit from 1024 to 4096.

If you’re using BASH, execute these commands to increase the open file limit:

  su - root
  ulimit -n 4096
  su - <user>

If you’re using C Shell, execute these commands to increase the open file limit:

  su - root
  limit descriptors 4096
  su - <user>
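The same adjustment done from Python before launching JBoss, as an added example that is not Novell's code, with the one check the commands above skip: an unprivileged account can raise its soft limit only up to its hard limit, and the hard limit has to be raised as root or through the PAM limits configuration (/etc/security/limits.conf on most Linux distributions; which file applies is an assumption about the host). Processes started after the call, such as JBoss's run.sh, inherit the new soft limit.

```python
import resource


def current_nofile():
    """(soft, hard) open-file limits of this process; -1 means unlimited."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def ensure_nofile(minimum=4096):
    """Raise the soft open-file limit to at least `minimum`, never above the
    hard limit, and return the soft limit now in effect."""
    soft, hard = current_nofile()
    if soft == resource.RLIM_INFINITY or soft >= minimum:
        return soft                      # nothing to do
    if hard != resource.RLIM_INFINITY and hard < minimum:
        # Cannot exceed the hard limit from an unprivileged account; the
        # caller must raise it as root or in the PAM limits configuration.
        target = hard
    else:
        target = minimum
    if target > soft:
        resource.setrlimit(resource.RLIMIT_NOFILE, (target, hard))
    return max(soft, target)


if __name__ == '__main__':
    soft_before, hard = current_nofile()
    soft_after = ensure_nofile(4096)
    print('soft open-file limit %d -> %d (hard %d)' % (soft_before, soft_after, hard))
    if soft_after < 4096:
        print('hard limit too low; raise it before starting JBoss')
```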

7.20 Separate user applications should not share a single instance of the User Application Driver

The User Application Driver stores various kinds of information (such as workflow configuration and cluster information) that is application-specific. Therefore, a single instance of the User Application Driver should be not shared among multiple applications.

The User Application stores application-specific data to control and configure the application environment, including the JBoss Application Server cluster information and the workflow engine configuration. The only user applications that should share a single User Application Driver instance are those that are part of the same JBoss cluster. Otherwise, the configuration can lead to ambiguity and misconfiguration for one or more of the components running inside the user application.

7.21 Root, user, and group container DNs do not support the root of the tree or allow multiple container DNs to be selected

In the install program for the Identity User Application, you can specify the Root Container DN, User Container DN, and Group Container DN for the application. In this release, you cannot specify the treeRoot in eDirectory as the root container. Also, you cannot specify more than one search root for any particular object type (container, user, or group). Instead, you must specify a single search scope.

An organization (o) could be contained in a Country (c) or locality (l), as shown below:

c=US
    o=novell-provo
    o=novell-waltham

This type of configuration works.

7.22 Separate instances of the User Application Driver should not share the same user container

If two separate instances of the User Application Driver point to the same user container, the availability settings (on the Edit Availability page of the user application) show availability entries from both applications.

Suppose Server 1 is configured to use one driver (such as driver1,o=novell), and Server 2 is configured to use another (such as driver2,o=novell). Both servers are configured to use the same containers for users, groups, and the root container (such as ou=users,o=novell). A user on Server 1 creates a delegate definition for a user and a provisioning request definition. The user is then marked as unavailable for that request definition. Server 2 shows the user as unavailable, but it is unable to resolve the friendly name for the request definition. If the user’s delegate definitions on Server 2 are examined, the definition from Server 1 is not seen.

The reason for this behavior is that delegation information (created when users mark themselves available/unavailable) is stored on user records. This information includes the delegate/delegator information along with the provisioning request definition and the start/stop time for delegation. The delegate definition, from which the delegation information is derived, is stored in the driver, along with the provisioning request definition.

We recommend not configuring two separate driver instances to point to the same user container.

7.23 User Application driver must be restarted after creating a new provisioning request definition

The User Application driver reads the list of workflow attributes when the driver is started. If you create a new provisioning request definition and immediately try to create a Schema Mapping policy, the attributes for the new provisioning request definition do not appear in the list of application attributes after you refresh the application schema. This is because the User Application driver must be restarted before the new provisioning request definition is made available. After creating the new provisioning request definition, stop the User Application driver, then restart it before using the provisioning request definition in policies. Alternatively, in the Schema Mapping policy editor, simply refresh the application schema twice.

7.24 Installing to a cluster does not prompt for workflow engine ID

When running workflows in a cluster, each server’s workflow engine must have a unique ID. The engine ID is set by passing a property to the Java VM. On Linux, edit the jboss/bin/run.conf file and add that property to the JAVA_OPTS line. For example:

if [ "x$JAVA_OPTS" = "x" ]; then
    JAVA_OPTS="-server -Xms800m -Xmx800m"
fi

The install program does not prompt you to specify the workflow engine ID. Therefore, you need to identify the engine by passing the JAVA_OPTS property, as shown above.

7.25 Server caching problem might occur with photos in the Detail portlet

If you change the way images are displayed in the Detail portlet header by specifying the $IMG: tag, you must flush the CompiledLayout cache for the changes to take effect. Follow these steps to flush the cache:

  1. Go to the Administration tab of the user application.

  2. Go to the Caching tab.

  3. Select CompiledLayout from the Flush Cache drop-down list.

  4. Click Flush Cache.

7.26 Portal Data Import utility fails to import pages without descriptions

The Portal Data Import utility (Administration > Tools > Portal Data Import) uses the shared-pages.xml and container-pages.xml files in the Portal Data Export ZIP file to generate container pages, shared pages, and portlets. If the <description/> element is blank, the pages cannot be imported.

To work around this, provide text for the <description/> element and perform the import again.
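A pre-flight check for the export ZIP, as an added example that is not Novell's code: it opens the Portal Data Export ZIP, reads shared-pages.xml and container-pages.xml, and lists every element whose <description> is empty (or whitespace-only, a conservative extension of the readme's "blank") so the text can be supplied before the import is attempted. The sample ZIP, its element layout (<pages>/<page name=...>) and the name/id attributes used to identify a page are constructed stand-ins, since this readme does not document the export schema.

```python
"""Added example (not Novell's code): pre-flight a Portal Data Export ZIP for
blank <description/> elements before running Portal Data Import."""
import io
import zipfile
import xml.etree.ElementTree as ET

# File names the import utility reads from the export ZIP (from the readme).
PAGE_FILES = ("shared-pages.xml", "container-pages.xml")


def blank_descriptions(xml_bytes):
    """Return identifiers of elements whose direct <description> child is blank.

    The surrounding element names are not assumed: any parent with an empty or
    whitespace-only <description> is reported, identified by its name or id
    attribute (assumed attribute names) or, failing that, by its tag.
    """
    root = ET.fromstring(xml_bytes)
    problems = []
    for parent in root.iter():
        for child in parent:
            if child.tag == "description" and not (child.text or "").strip():
                problems.append(parent.get("name") or parent.get("id") or parent.tag)
    return problems


def check_export_zip(zip_source):
    """Map each page file found in the ZIP to its list of blank-description pages."""
    results = {}
    with zipfile.ZipFile(zip_source) as zf:
        for member in zf.namelist():
            base = member.rsplit("/", 1)[-1]      # the files may sit in a subfolder
            if base in PAGE_FILES:
                results[base] = blank_descriptions(zf.read(member))
    return results


def build_sample_zip():
    """Constructed export ZIP; the element layout is a stand-in, not Novell's schema."""
    shared = b"""<?xml version="1.0" encoding="UTF-8"?>
<pages>
  <page name="MyProfile"><description>Self-service profile page</description></page>
  <page name="Directory"><description/></page>
  <page name="Requests"><description>   </description></page>
</pages>"""
    container = b"""<?xml version="1.0" encoding="UTF-8"?>
<pages>
  <page name="DefaultContainerPage"><description>Default container</description></page>
</pages>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("shared-pages.xml", shared)
        zf.writestr("container-pages.xml", container)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass a path to a real export ZIP instead of build_sample_zip() in practice.
    for fname, pages in check_export_zip(build_sample_zip()).items():
        status = "ok" if not pages else "blank description: " + ", ".join(pages)
        print(f"{fname}: {status}")
```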

7.27 Additional documentation is available on JBoss setup

The Identity Manager User Application: Administration Guide contains some information on configuring JBoss. If you need further information on JBoss setup, look at the sources listed below:

7.28 Required Attribute rights for Provisioning Request Objects

To use the iManager Provisioning Request Configuration plug-in, you must have read rights and write rights to the attributes associated with the Provisioning Request Objects.

7.29 Character set encoding support and Tomcat

By default, the user application character encoding filter is set to enabled in the user application's web.xml. This setting typically does not require any specific configuration, but it might require changes if you have configured Tomcat for URI encoding. There are two attributes in the configuration of Tomcat http/https connector that affect character set encoding and filter configuration.


URIEncoding

This entry specifies the character encoding used to decode the URI bytes, after %xx decoding the URL. If not specified, ISO-8859-1 is used. The requirements for this include:

  • Both http and https connectors have the same configuration.

  • The character encoding filter should be modified to include the uri-encoding init parameter. The value of this parameter should be the same as the value of the URIEncoding attribute in the Tomcat connector configuration, for example:

<filter>
  <filter-name>AggregationServletEncFilter</filter-name>
  <display-name>AggregationServletEncFilter</display-name>
  <filter-class>com.novell.afw.portal.l18n.CharacterEncodingFilter</filter-class>
  <init-param>
    <param-name>uri-encoding</param-name>
    <param-value>UTF-8</param-value>
  </init-param>
</filter>


useBodyEncodingForURI

This entry specifies whether the encoding specified in contentType should be used for URI query parameters instead of the URIEncoding. This setting is present for compatibility with Tomcat 4.1.x, where the encoding is specified in the contentType, or explicitly set using the Request.setCharacterEncoding method, for the parameters from the URL. The default value is false.

If useBodyEncodingForURI is set to true the filter configuration should include the use-body-encoding init parameter, for example:

<filter>
  <filter-name>AggregationServletEncFilter</filter-name>
  <display-name>AggregationServletEncFilter</display-name>
  <filter-class>com.novell.afw.portal.l18n.CharacterEncodingFilter</filter-class>
  <init-param>
    <param-name>use-body-encoding</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

For more details, see this Web site on Tomcat connector configuration information.
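The following Python script is an added example, not code from Novell or Tomcat, that checks the two rules above: every <Connector> in server.xml carries the same URIEncoding, and the AggregationServletEncFilter init-params match it (uri-encoding, plus use-body-encoding=true when a connector sets useBodyEncodingForURI). It also shows what a mismatch does to a percent-encoded UTF-8 value when the connector decodes it with the ISO-8859-1 default. The server.xml and web.xml fragments are constructed samples; the function names are this example's own.

```python
"""Added example, not from the Novell readme or Tomcat: check that the Tomcat
connectors and the user application's CharacterEncodingFilter agree on URI
encoding, and show what a mismatch does to a non-ASCII query value."""
import xml.etree.ElementTree as ET
from urllib.parse import unquote_to_bytes

FILTER_NAME = "AggregationServletEncFilter"   # filter name from web.xml on this page
TOMCAT_DEFAULT_URI_ENCODING = "ISO-8859-1"     # used when URIEncoding is not set


def _local(tag):
    """Strip an XML namespace prefix ({uri}name -> name); web.xml usually has one."""
    return tag.rsplit("}", 1)[-1]


def filter_init_params(web_xml, filter_name=FILTER_NAME):
    """Return {param-name: param-value} for the named <filter>, or None if absent."""
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) != "filter":
            continue
        names = [(c.text or "").strip() for c in flt if _local(c.tag) == "filter-name"]
        if filter_name not in names:
            continue
        params = {}
        for ip in (c for c in flt if _local(c.tag) == "init-param"):
            name = value = None
            for c in ip:
                if _local(c.tag) == "param-name":
                    name = (c.text or "").strip()
                elif _local(c.tag) == "param-value":
                    value = (c.text or "").strip()
            if name:
                params[name] = value
        return params
    return None


def connector_settings(server_xml):
    """Per-<Connector> URIEncoding / useBodyEncodingForURI from Tomcat's server.xml."""
    out = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        out.append({
            "port": conn.get("port"),
            "URIEncoding": conn.get("URIEncoding"),          # None when not set
            "useBodyEncodingForURI": conn.get("useBodyEncodingForURI", "false").lower() == "true",
        })
    return out


def check_consistency(server_xml, web_xml):
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems = []
    conns = connector_settings(server_xml)
    params = filter_init_params(web_xml) or {}
    encodings = {c["URIEncoding"] or TOMCAT_DEFAULT_URI_ENCODING for c in conns}
    if len(encodings) > 1:
        problems.append("connectors disagree on URIEncoding: " + ", ".join(sorted(encodings)))
    elif conns and any(c["URIEncoding"] for c in conns):
        enc = encodings.pop()
        if params.get("uri-encoding") != enc:
            problems.append(f"filter uri-encoding {params.get('uri-encoding')!r} "
                            f"does not match connector URIEncoding {enc!r}")
    if any(c["useBodyEncodingForURI"] for c in conns) and params.get("use-body-encoding") != "true":
        problems.append("useBodyEncodingForURI is set but the filter lacks use-body-encoding=true")
    return problems


def decode_query_value(raw, uri_encoding=TOMCAT_DEFAULT_URI_ENCODING):
    """Percent-decode a query value, then decode the bytes as the connector would."""
    return unquote_to_bytes(raw).decode(uri_encoding, errors="replace")


# Constructed configuration fragments (not copied from a real server).
SERVER_XML_MISMATCH = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
</Service></Server>"""
SERVER_XML_OK = SERVER_XML_MISMATCH.replace('SSLEnabled="true"', 'SSLEnabled="true" URIEncoding="UTF-8"')
WEB_XML_OK = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter>
    <filter-name>AggregationServletEncFilter</filter-name>
    <filter-class>com.novell.afw.portal.l18n.CharacterEncodingFilter</filter-class>
    <init-param><param-name>uri-encoding</param-name><param-value>UTF-8</param-value></init-param>
  </filter>
</web-app>"""
WEB_XML_NO_PARAM = WEB_XML_OK.replace(
    "<init-param><param-name>uri-encoding</param-name><param-value>UTF-8</param-value></init-param>", "")

if __name__ == "__main__":
    print(check_consistency(SERVER_XML_MISMATCH, WEB_XML_OK))   # https connector left at default
    print(check_consistency(SERVER_XML_OK, WEB_XML_NO_PARAM))   # filter lacks uri-encoding
    print(decode_query_value("M%C3%BCller"), decode_query_value("M%C3%BCller", "UTF-8"))
```

The decode demonstration is the reason the two settings must agree: the same bytes M%C3%BCller come out as "Müller" under UTF-8 and as mojibake under the ISO-8859-1 default, and a filter configured for one encoding cannot repair parameters the connector already decoded with the other.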

7.30 Using a DNDisplay form control can result in provisioning application errors

The following error results when you use a DNDisplay form control to put data in the Pre-Activity Map for an Approval Form in a provisioning request:

Error Message:
Index:0, Size:0

If the problem persists, copy the error message and error log and send them to your system administrator. You can click the Error Log link to see the details of the IndexOutOfBoundsException that occurred.

The workaround is to use a DNLookup control instead. Set the following DNLookup properties to False.

  • Editable

  • Show object history button

  • Show object selector button

  • Show clear button

The two controls look different, but function the same.

7.31 Change in behavior of DirXML-EntitlementResult attribute

There has been a change to the way in which the DirXML-EntitlementResult multi-valued attribute is handled. Previously, entitlement results were not purged from this attribute. Now, the default behavior has been changed. Entitlement results are now purged after they are processed.

You can change the default behavior (specify whether entitlement results are purged or not, and how they are purged). To set the entitlement purge type:

  1. In iManager, display the Identity Manager Driver Overview page for your user application driver.

  2. Click Event Transformation Policies.

  3. Click the Manage Modify policy for your user application driver, then click Edit.

  4. Click Set Entitlement Purge Type.

  5. In the "Do append XML text" action, type one of the following in the Enter String field:

    • current: After notifying the user application driver, delete the entitlement result that caused the event. This is the default behavior. It is also used if no entitlement purge type is set, or if an invalid entitlement purge type is set.

    • none: Do not purge the entitlement result.

    • previous: Delete any previous entitlement results without deleting the one that caused the event.

    • notnewer: Delete previous entitlement results including one that caused the event. This preserves any entitlement result that was created after the entitlement result that caused the event.
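To make the four purge types concrete, the following Python function is an added example (not Novell's driver code) that applies each type to a list of entitlement results and returns what remains. It assumes the list is ordered from oldest to newest so that "previous" and "newer" can be decided by position, and treats an unset or invalid type as "current" as described above; the sample values are constructed.

```python
"""Added example (not Novell's code): a model of the four entitlement purge
types from this section, applied to a list of DirXML-EntitlementResult values."""

PURGE_TYPES = ("current", "none", "previous", "notnewer")


def purge_entitlement_results(results, trigger_index, purge_type):
    """Return the results that remain after the driver processes one of them.

    results       -- values ordered from oldest to newest (an assumption of this
                     model; the attribute itself is multi-valued)
    trigger_index -- position of the result whose arrival caused the event
    purge_type    -- string from the 'Do append XML text' action; an unset or
                     invalid value behaves as 'current', as the readme states
    """
    ptype = (purge_type or "").strip().lower()
    if ptype not in PURGE_TYPES:
        ptype = "current"
    if not 0 <= trigger_index < len(results):
        raise IndexError("trigger_index outside results")

    def keep(i):
        if ptype == "none":
            return True                  # never purge
        if ptype == "current":
            return i != trigger_index    # only the triggering result goes
        if ptype == "previous":
            return i >= trigger_index    # older ones go; trigger and newer stay
        return i > trigger_index         # notnewer: older and trigger go; newer stay

    return [r for i, r in enumerate(results) if keep(i)]


# Constructed sample: four results, the third (index 2) caused the event.
SAMPLE_RESULTS = ["res-2007-01", "res-2007-02", "res-2007-03 (trigger)", "res-2007-04"]

if __name__ == "__main__":
    for ptype in PURGE_TYPES + ("bogus",):
        print(f"{ptype:9s} -> {purge_entitlement_results(SAMPLE_RESULTS, 2, ptype)}")
```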

7.32 Network File Accessory Portlet has New Preference

The Network File accessory portlet has the following additional, new Preference: ShortcutsUseFullyQualifiedPath. If True, any shortcuts you specify in the Shortcuts preference must have fully qualified paths. If False, any shortcuts you specify in the Shortcuts preference must have paths relative to the InitialDirectory. Check False only if users will navigate only to subdirectories within the path.

7.33 Configuring the Network File Portlet for RMI access to NetWare

With the current release of JBoss, configuring the Network File Portlet for accessing a NetWare server via RMI has changed.

Currently the documentation states to copy njclv2r.jar from sys:\java\njclv2r\lib on the NetWare/RMI server to the $JAVA_HOME$/jre/lib/ext directory on your portal platform.

With the current release of JBoss, you must copy njclv2r.jar to the .../jboss/server/IDM/lib directory where your User Application was initially deployed. Then, restart JBoss.

7.34 Exiting Your Netstorage Accessory Portlet Session

To end your NetStorage session and close access to the files you used, click the logout button in the NetStorage web interface.

7.35 Enabling Single Sign-On in Accessory Portlets

For IDM 3.5, in the Accessory Portlets Guide, replace each description of how to enable portlet SSO with this procedure:

To enable portlet Single Sign On, do the following:

  1. In the User Application, open the Administration tab and choose Application Configuration.

  2. Select Password Module Setup > Login.

  3. Click the radio button that enables SSO.

7.36 Log File Name Changes

The log file jboss/server/IDM/conf/extendlogging.xml name has changed to jboss/server/IDM/conf/idmuserapp_logging.xml. The new log file name is used in Section 7.2.4 of Administering the User Application, in the subsection “Persisting Your Logging Settings.”

7.37 Logging Configuration Does Not Allow Removing a Package

When you add a package to the log list, it immediately shows up in the Logging Configuration Screen. To remove a package from the log list:

Do not click “Persist the logging changes.” The new package will disappear from the log list the next time you start the server.

If you clicked “Persist the logging changes,” you must manually remove the package from the idmuserapp_logging.xml file located in the $JBOSS/servers/$seafang/conf directory.

7.38 PermGen Space Error

You might encounter the following error if you redeploy the User Application often, for instance during development:

11:32:20,194 ERROR [[PortalAggregator]] Servlet.service() for servletPortalAggregator threw exceptionjava.lang.OutOfMemoryError: PermGen space

To avoid this error, either

  • Restart the JBoss server

  • Or, increase the PermGen space by passing -XX:MaxPermSize to the Java virtual machine through JAVA_OPTS in the start-jboss script, for example JAVA_OPTS="-server -Xms256M -Xmx256M -XX:MaxPermSize=256m".

7.39 Forgot Password

7.40 How to Reassign a Workflow Process from One Workflow Engine to Another in a Cluster

Workflow engines in a cluster now detect when a workflow engine in the cluster has failed, and automatically reassign any processes running on the failed workflow engine to another workflow engine.

However, there may be occasions when you want to manually reassign a workflow process from one workflow engine to another (for example, to distribute processes back to a failed workflow engine when it is brought back online). To do so, you use the iManager Workflow Administration plug-in, as follows:

  1. Select the Workflow Administration category in Roles and Tasks in iManager.

  2. Select Workflows.

  3. If you have not yet accessed a workflow server, specify the driver name in the User Application Driver field and click OK.

    iManager fills in the remaining fields on the screen for you.

  4. (Optional) Override the user name in the User field and the password in the Password field.

    The user must be the user application administrator (Provisioning Administrator). By default, the user name is set to the user who is currently logged in to iManager. If this user is not the user application administrator, you need to change the user name.

  5. Click Login.

    The Workflow Administration plug-in displays a page that allows you to specify a filter for finding workflows.

  6. Click Show all Workflows, then click OK.

    iManager displays the workflow processes running on the specified user application driver. The Engine column lists the engine ID of a workflow engine.

  7. To reassign a workflow process from one engine to another, select the workflow in the Workflows panel by clicking the checkbox next to the workflow name, then click Actions > Reassign.

8.0 User Application: Performance

8.1 Session timeout should be tuned to improve server performance

By default, the session timeout for the server is 20 minutes. The session timeout should be tuned to match the server and usage environment in which the application will run. In general, it is advised that the session timeout be as small as practically possible. If business requirements can tolerate a 5 minute session timeout, this would allow the server to release unused resources sooner than the default, and make the server faster and more scalable.

  • Longer session timeouts could potentially cause the JBoss server to run out of memory if many users log in. This is true of any application server that has too many open sessions.

  • When a user logs in to the user application, an LDAP connection is created for the user, and bound to the session. Thus, if more sessions are open, more LDAP connections are held open and the longer the session timeout, the longer these connections are held open. Too many open connections to the LDAP server can cause system performance degradation, even if the connections are idle.

  • If the server starts experiencing OutOfMemoryErrors, and the JVM* heap and garbage collection tuning parameters have already been optimized for the server and usage environments, then you should consider lowering the session timeout.

The session timeout is set in the web.xml file.
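As an added example that is not part of this readme, the following Python script reads the session-timeout value from web.xml (the standard servlet <session-config> element, which is where this setting lives) and applies Little's law to estimate how many idle sessions, each pinning one LDAP connection as described above, a given timeout keeps alive at a given login rate. The web.xml fragment and the login rate are constructed; the function names are this example's own.

```python
"""Added example (not Novell's code): read the servlet session timeout from
web.xml and estimate how many idle sessions, and therefore bound LDAP
connections, a given timeout keeps alive."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix ({uri}name -> name); web.xml usually has one."""
    return tag.rsplit("}", 1)[-1]


def read_session_timeout(web_xml, default_minutes=20):
    """Return <session-config><session-timeout> in minutes, or the default if absent."""
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) == "session-timeout" and (elem.text or "").strip():
            return int(elem.text.strip())
    return default_minutes


def estimate_idle_sessions(logins_per_minute, timeout_minutes):
    """Sessions held open at steady state if users walk away without logging out.

    Little's law: items in the system = arrival rate x time each item stays.
    Each session also holds one LDAP connection (per the readme), so the
    figure is also the number of idle LDAP connections kept open.
    """
    return logins_per_minute * timeout_minutes


def timeout_comparison(web_xml, logins_per_minute, candidate_minutes=(5,)):
    """Map each timeout (the configured one plus candidates) to idle sessions."""
    configured = read_session_timeout(web_xml)
    return {m: estimate_idle_sessions(logins_per_minute, m)
            for m in (configured,) + tuple(candidate_minutes)}


# Constructed web.xml fragment with the 20-minute default; real files carry more.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <session-config><session-timeout>20</session-timeout></session-config>
</web-app>"""

if __name__ == "__main__":
    # 30 logins per minute is a constructed load figure, not a measurement.
    for minutes, sessions in timeout_comparison(WEB_XML, 30).items():
        print(f"timeout {minutes:2d} min at 30 logins/min -> {sessions} idle sessions")
```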

8.2 Enabling e-mail notification for workflows without configuring the e-mail server results in memory consumption

If you enable e-mail notification in your provisioning request definitions, but you do not configure any e-mail servers, e-mail notifications pile up on the server and are never sent. This eventually uses up available memory.

If you turn on e-mail notification, be sure to configure the e-mail server so that the e-mails are actually sent. To configure the e-mail server, select Email Server Options under Workflow Administration in iManager.

9.0 Localization

9.1 E-mail Subject text display problem

The Windows GroupWise Mail and Outlook Clients have a known bug when displaying the Subject text from an HTML 'mailto:' command. This bug appears when the browser uses a double-byte character set language such as Chinese, Japanese, or Korean.

In this case, when you send identity information from the Detail page, the Subject line has invalid characters because these mail clients do not unescape the double-byte characters correctly.

9.2 Possible issue with character set encoding

You should ensure that the input and output character encodings match those used by the source or destination application. Any characters that are not representable in the selected output are changed to question marks (“?”).

9.3 Locale must be set correctly to display localized characters on an English OS

If you run the User Application Configuration tool (for configuring LDAP settings) in a localized operating system environment, all the text input boxes are displayed correctly. For example, if there are any Chinese distinguished names in eDirectory, or you input any Chinese characters, these are displayed properly in a Chinese operating system environment. However, if you are in an English operating system environment, any Chinese characters entered or returned from eDirectory are displayed as non-readable characters (most likely squares). This is because the Locale is not properly set.

If you are in an English operating system environment and want to display localized characters, do the following:

- In a Windows 2000 environment, go to the Control Panel and select Regional Options. Under the General tab, set “Your Locale” to the local language (for example, Chinese (PRC)).

- In a Windows 2003 environment, go to the Control Panel and select Regional Options. Under the Regional Options tab, select “Chinese (PRC)” and apply the change.

- In a SUSE® Linux environment, set the environment variable LANG as follows: export LANG=zh_CN

The same basic procedure applies to all languages.

9.4 The Message accessory portlet has not been localized

The Message accessory portlet has not been localized.

9.5 OK and Cancel buttons on Context Preferences dialog are not localized

In Portal Administration > Page Administration, the Content Preferences dialog always displays the following text in English: “Changes have been made to your Selected Content. Click OK to save your changes or cancel to continue without saving.”

9.6 E-Mail has a problem displaying content in double-byte character-set languages

When Identity Manager sends an e-mail containing a double-byte character-set language such as Chinese or Japanese, the e-mail client has a problem reading it. Please contact Novell Technical Support if you encounter this problem.

10.0 iManager

10.1 Internet Explorer 7 prompts continually for access to the clipboard

When in iManager, particularly the Policy Builder, Internet Explorer 7 continually prompts you for access to the clipboard. To disable prompting:

  1. Click Tools > Internet Options.

  2. Select the Security tab, then click Custom Level.

  3. Locate Scripting > Allow programmatic clipboard access, then select Enable.

    After you restart Internet Explorer, the prompting stops.

10.2 Adding localized e-mail templates through iManager

To add localized e-mail templates through iManager:

  1. Log in to iManager.

  2. Under Roles and Tasks, expand Passwords or Workflow Administration.

  3. Click Edit Email Templates (under Passwords plug-in) or Email Templates (under Workflow Administration).

  4. Identify the e-mail template (without any locale in the name) you want to copy. Write down the template name to use in step 5. Click the template subject to open the template and view its message subject, body, and Replacement Tags. Copy the message subject, body (to be translated) and replacement tags you want to use in your new template. Click Cancel.

  5. Click Create and enter the template name with a locale extension. For example, to create a Forgot Hint template in German, enter the name Forgot Hint_de, where _de signifies Deutsch (German). Click OK.

    NOTE: If you use a two-letter language and two-letter country code, this works fine. If you attempt to use a locale with a variant such as en_US_TX, only the variant and language are considered. Do not use locale variants when naming e-mail templates in this release.

  6. In the template list, click the newly created template, for example Forgot Hint_de, and enter the translated subject and message body, for example in German. Be sure to preserve the replacement tags surrounded by the dollar ($) sign in the message body.

  7. Click Add to enter or paste Replacement Tags, then click OK.

  8. Click Apply, then OK.

E-mail templates only send properly localized content if the preferred locale is set for the user (to whom the mail is sent).

10.3 iManager plug-in error: The driver password could not be saved

This issue is fixed by upgrading to NMAS® 2.3.9.

10.4 iManager plug-in dependency for the NDS-to-NDS Driver Certificates wizard

If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Certificate Server.

10.5 Problem creating a new password policy based on the default settings in Mobile iManager 2.6

When using the Identity Manager 3.5 plug-ins and Mobile iManager 2.6, iManager might quit unexpectedly when you select the task Create a new Password Policy based on default settings. This issue occurs because of an error in the JavaScript handler of the embedded Mozilla browser that’s delivered with Mobile iManager on Linux.

To work around this issue:

  1. Start Mobile iManager, then minimize it.

  2. Open your preferred browser, then access iManager at the following address: http://localhost:48080/nps/iManager.html.

11.0 Drivers

11.1 Character set encoding in the delimited text driver must match character set encoding in applications

Ensure that the input and output character encodings configured in the delimited text driver match those used by the source or destination application. Mismatches cause errors or corrupted data in the Identity Vault or the application. Characters that are not representable in the selected output are changed to question marks (?).
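Both this section and Section 9.2 describe the same failure: a character with no representation in the output encoding is silently written as "?". The following Python script is an added example, not the delimited text driver's code, that finds such characters per field before a record is exported, and shows what the record would look like after replacement. The sample records, field names and encodings are constructed; the function names are this example's own.

```python
"""Added example (not Novell's or the driver's code): find characters in a
record that the configured output encoding cannot represent, before they
become "?" in the delimited text file or the Identity Vault."""


def unrepresentable(text, encoding):
    """Return the distinct characters of text that encoding cannot represent."""
    bad = []
    for ch in text:
        try:
            ch.encode(encoding)
        except UnicodeEncodeError:
            if ch not in bad:
                bad.append(ch)
    return bad


def check_record(record, encoding):
    """Map field name -> unrepresentable characters, for fields that have any."""
    problems = {}
    for field, value in record.items():
        chars = unrepresentable(value, encoding)
        if chars:
            problems[field] = chars
    return problems


def as_driver_would_write(text, encoding):
    """The text after encoding with replacement, i.e. what the readme describes."""
    return text.encode(encoding, errors="replace").decode(encoding)


# Constructed sample records (not real directory data).
SAMPLE_RECORDS = [
    {"cn": "jsmith", "fullName": "John Smith", "city": "Provo"},
    {"cn": "kmueller", "fullName": "Katrin Müller", "city": "Düsseldorf"},
    {"cn": "tyamada", "fullName": "山田 太郎", "city": "東京"},
]

if __name__ == "__main__":
    # Compare candidate output encodings; only UTF-8 keeps every sample intact.
    for encoding in ("ascii", "iso-8859-1", "utf-8"):
        print(f"--- output encoding {encoding}")
        for rec in SAMPLE_RECORDS:
            problems = check_record(rec, encoding)
            if problems:
                print(f"{rec['cn']}: {problems} -> "
                      f"{as_driver_would_write(rec['fullName'], encoding)!r}")
```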

12.0 Password Management

12.1 Limited support of multi-language challenge sets

The User Application included with Identity Manager 3.5 supports the full use of multi-language challenge sets. You can configure this functionality through iManager when setting password policies.

If you are using the Novell Client 4.9.1 or older, or Password Management for Novell eDirectory, this multi-language feature is not yet supported. You should not assign password policies to users if you have defined challenge sets in more than one language. For example, you can define challenge sets for French, but not French and German.

12.2 Challenge set fails if no random questions are assigned

A new challenge set fails when no random questions are assigned.

For example, suppose you create a challenge set in the Create Password Policy Wizard in iManager, do not select any random questions, and save the challenge set. The nsimNumberRandomQuestions attribute on the challenge set is erroneously set to 1 (one random question). If you then assign this policy to a user, enter your challenge responses in IDM, access Forgot Password, enter the user name, and select Submit, you receive a “challenge set failed” message without getting a chance to answer the challenge questions.

The workaround is to edit the challenge set before assigning the password policy to users. Modify the challenge set with Apply, and then redefine the challenge set in iManager. This sets the nsimNumberRandomQuestions attribute to 0 and eliminates the need to have the user resave responses.

13.0 Security

Downloads of Identity Manager 3.5 prior to April 9, 2007 contained a security issue. Under certain conditions, the iManager plug-ins were showing administrative users the values of hidden attributes. A fix has been made to an iManager plug-in to disallow the display of hidden attributes that have been synchronized by Identity Manager drivers. Since drivers often synchronize sensitive information, administrative rights to these drivers should be limited to prevent unauthorized access.

The CRC's of the original affected media are:

You can obtain the latest patches from Novell’s Download Web site.

14.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell is a registered trademark of Novell, Inc. in the United States and other countries.

SUSE is a registered trademark of Novell, Inc., in the United States and other countries.

All third-party trademarks are the property of their respective owners.