Novell Identity Manager 4.0.1 Readme

April 15, 2011

This document contains the known issues for Novell Identity Manager 4.0.1.

1.0 Readme Information

The latest version of this Readme is available at the Novell Identity Manager documentation Web site.

2.0 Documentation

This Readme contains the known issues for Identity Manager 4.0.1. In addition to this Readme, separate Readmes are available for Designer 4.0.1 and Analyzer 4.0.1:

Additional documentation resources are also available for the following products:

3.0 Known Issues

The following sections provide information on known issues at the time of the product release.

3.1 Identity Manager 4.0.1 Framework Installer Issues

You might encounter the following issues during the installation of the Identity Manager framework installer:

3.1.1 On Windows, the Identity Manager 4.0.1 framework installer does not place the installation files in the specified location if the path contains spaces

Ensure that the specified path doesn’t contain any spaces.

3.1.2 The Linux/UNIX Bidirectional driver cannot be installed in a Solaris zone that contains a read-only /usr partition

You cannot install the Linux/UNIX Bidirectional driver in a Solaris zone that contains a read-only /usr partition. If you select the driver for installation, the Identity Manager 4.0.1 framework installer reports an error.

3.1.3 The Restore Default button does not work during Identity Manager installation

During the Identity Manager installation, if you return to the Installation Location page from the subsequent page, the Restore Default button does not work as expected.

3.1.4 The Add or Remove Programs list shows an incorrect Identity Manager version

After Identity Manager 4.0.1 is installed on your Windows machine, if you click the Click here for support information link under the Identity Manager entry in the Add or Remove Programs list, it displays Identity Manager 4.0.

To find the correct Identity Manager version that has been deployed on your machine, run the DxCMD command.

3.2 Identity Manager 4.0.1 Integrated Installer Issues

You might encounter the following issues when you use the Identity Manager integrated installer:

3.2.1 The secondary server addition might fail if the primary server is installed on Windows 2k3 and the secondary server is installed on Linux

The primary server might stop working just before you start the Metadirectory server configuration after the Identity Vault configuration is completed.

If the primary server stops working, follow these steps to resume the configuration from the current state:

  1. Start Identity Vault on the primary server.

  2. On the Linux machine, create the /root/idm/Uninstall_Identity_Manager/idmconfigure_state.conf file. The idmconfigure_state.conf file should contain only a false entry.

  3. Make sure that the IA_RESULT_IDM_FRAMEWORK_CONFIGURED entry in the /etc/opt/novell/idm/install/state/conf/install_state.conf file does not have a true value.

  4. Rerun the configuration.

3.2.2 The Identity Manager components do not launch after a successful installation on 64-bit systems

If you are installing Identity Manager through the integrated installer on a 64-bit system, make sure that the libgthread-2_0-0-32bit-2.17.2+2.17.3+20080708+r7171-3.1.x86_64.rpm compat library is installed before starting the Identity Manager installation.

3.2.3 The Identity Manager 4.0.1 integrated installer fails to install on Windows when you use UNC paths

You cannot use UNC paths for installation and configuration when you use the Identity Manager 4.0.1 integrated installer (for example, \\myserver\share\Identity_Manager_4.0.1_Windows_Enterprise).

To work around this issue, create an actual mapped drive.

3.2.4 The remote desktop installation of Identity Manager might randomly fail

The Identity Manager installation might fail with an error message if you are installing from a remote desktop. Because the remote desktop connection is delayed in comparison to the actual/physical access, the install process fails to acquire the local referrals, resulting in a failed installation.

To work around this issue, install Identity Manager on an actual/physical connection of the server or by using a VNC connection.

3.2.5 No Server health check before secondary server addition

The integrated installer does not perform a health check before the secondary server addition.

You must run ndscheck if you are adding a secondary server through the integrated installer. On Windows, run ndscheck from the <install location>\NDS location. On Linux/Solaris, run it from the /opt/novell/eDirectory/bin/ndscheck directory. Specify the mandatory parameters and run the command as follows:

ndscheck [-h <hostname port>] [-a <admin FDN>] [-w <password>]

NOTE: Running ndscheck on Windows causes eMbox warnings to display on the screen. Do not treat these warnings as a health check failure. It is safe to ignore them.

3.3 Remote Loader

You might encounter the following issues as you use the Remote Loader:

3.3.1 The Remote Loader console help page is not displayed on Windows Server 2008 Core

On Windows Server 2008 Core, when you click Help in the Remote Loader console, the corresponding help page is not displayed.

To work around this issue, install a browser (for example, Internet Explorer) on your machine and click Help in the Remote Loader console.

3.3.2 Audit events are not generated if 32-Bit and 64-Bit Remote Loaders coexist

If you choose to have both a 32-bit and a 64-bit Remote Loader on the same machine, the audit events are generated only with the 64-bit Remote Loader. Events are not logged to the lcache file with the 32-bit Remote Loader.

When 32-bit and 64-bit Remote Loaders are installed together, the events are logged to the 64-bit lcache and the 32-bit Remote Loader fails to log audit events. It displays the "Agent already running error" error message.

However, if a 64-bit Remote Loader is installed before installing a 32-bit Remote Loader, the events are logged to the 32-bit lcache, which prevents 64-bit Remote Loader from logging events. The 32-bit and 64-bit lcaches don’t work on the same machine.

To work around this issue, don't install both 32-bit and 64-bit Remote Loaders on the same machine.

3.4 Engine

You might encounter the following issues as you use Identity Manager:

3.4.1 When you start eDirectory on virtual machines, the Identity Manager engine might fail to load because of an error from JNI_CreateJavaVM

This issue is observed only on virtual machines.

To work around this issue:

  1. Restart eDirectory.

  2. Reduce the JVM minimum heap size if the failure repeats.

  3. Restart eDirectory.

3.4.2 Enabling or disabling a telemetry job fails on a different server in a driver set

To enable or disable a telemetry job, connect iManager to the server where the job is configured to run.

If you enable or disable it from a different server than the server it is configured to run on, it might not be enabled/disabled. It might also continue to run even if it is disabled on the other server.

3.5 Drivers

You might encounter the following issues as you use the Identity Manager drivers:

3.5.1 The JDBC driver upgrade from a version earlier than 3.5.1 to version 3.5.1 or later fails

This issue has been reported only on MySQL. The upgrade operation fails when you upgrade the JDBC driver from a version earlier than 3.5.1 to version 3.5.1 or later.

The operation fails because of one of the following reasons:

  • The driver cannot use the mysql-connector-java-3.1.11-bin.jar driver classes to read the metadata of tables.

  • You cannot get the information from the state files because the serialVersionUID of the class JDBMKeyComparator has changed after the upgrade.

To work around this issue, use one of the following actions:

  • Upgrade the third-party driver class from mysql-connector-java-3.1.11-bin.jar to mysql-connector-java-5.1.6-bin.jar.

  • Delete the state files and restart the driver.

3.5.2 Cannot select options when creating or configuring a driver on Linux in Designer

At times, you cannot select drop-down options when creating or configuring a driver. To work around this issue:

  1. Click the drop-down menu and continue to hold the left mouse button until the desired option is highlighted.

  2. Release the left mouse button to select the option.

3.6 Identity Reporting Module

You might encounter the following issues as you use the Identity Reporting Module:

3.6.1 Connected system end points are not accessible if the IP address is not changed for the Managed System Gateway driver

If you use the loopback address of 127.0.0.1 as the IP address for the Managed System Gateway driver when configuring with the integrated installer, that is valid and will work correctly. However, when you use the endpoints, having the IP address be the loopback (127.0.0.1) will not work. In this case, you need to specify the correct IP address in the Driver Configuration > Connection Parameters section of the Managed System Gateway driver.

3.6.2 Error displayed if the Identity Reporting Module and RBPM are separately configured

The integrated installer displays the following error if Identity Reporting Module and the Roles Based Provisioning Module are separately configured:

'Failed to load users/passwords/role files'

To work around this issue, either stop JBoss before installing the Identity Reporting Module or restart JBoss after installing the Identity Reporting Module.

3.6.3 Database column is not populated during role assignments

When users assign roles, the request_date column in the idmrpt_idv_identity_trust table is not being populated with data. The defect number is 633206.

3.6.4 Removal of extended attributes is not reflected in the extended attributes table

If you remove an attribute that was added to the Data Collection Service driver filter policy, the attribute is not removed from the extended attributes tables (idmrpt_ext_attr, which tracks the attributes) and no data is removed from the idmrpt_ext_item_attr table. The defect number is 633209.

3.6.5 The Calendar does not navigate to Today when the display option is set to 1 week

On Firefox, when the Display Options are set to show 1 week on the Calendar page, you do not see today’s schedule if you click the Today button. Instead, you see a day one week ahead of today. To see today’s schedule in the Calendar page, press the up-arrow to go back one week. This problem does not occur on Internet Explorer.

3.6.6 The clock must be set correctly before you run the EAS install

If the times of your machines are not in synchronization when you install the Event Auditing Service (EAS), there may be problems with your configuration. You cannot install EAS on Windows. It must be installed on Linux. Therefore, the Linux server where EAS is installed must be synchronized with the machine where you are installing the rest of your components.

3.6.7 The Reporting Module installation sometimes overwrites the logevent.conf file

Under the following circumstances, the logevent.conf is overwritten without prompting during the installation of the reporting module:

  1. There is already a logevent.conf file in /etc/.

  2. EAS is installed on the same machine.

  3. During the reporting installation, you replace the value of localhost and enter the machine's actual IP address for the EAS server.

To work around this issue, manually update the /etc/logevent.conf file after the installation is complete.

3.6.8 The Reporting Module installation does not write the PostgreSQL JDBC JAR successfully when EAS is remote

If EAS is installed remotely and you want to test the connection to EAS during the Identity Reporting Module installation, the parent directory of your chosen install directory must exist prior to running the installation. Without an existing parent directory, the installation directory cannot be created in order to write the JDBC JAR file used for testing the connection. For example, if you are installing the Identity Reporting Module to /opt/novell/IdentityReporting, you need to ensure that the /opt/novell directory exists before beginning the installation.

3.6.9 The collection state of the Managed System Gateway driver is active in SE

If RBPM and the Identity Reporting Module are configured from an AE .iso file, and the tree to which they are connected is an SE tree, the collection state of the Managed System Gateway driver is active when it should not be. This bug occurs only in the following mixed mode scenario:

  1. The Metadirectory server is installed from an SE .iso file on one machine.

  2. RBPM and Reporting are configured from an AE .iso file on another machine (RemoteIDVault scenario) that tries to connect to the SE tree installed earlier.

Because the reporting module is configured from an AE .iso file, it tries to configure the Managed System Gateway driver, and the Managed System Gateway driver registration parameter is set to Yes in the Data Collection Service driver.

3.6.10 IDMRPT_CORE war deployment might fail on JBoss

The IDMRPT_CORE war deployment sometimes fails on the JBoss application server because of memory issues. Look for the following error messages in the server console:

***********Server Error Log******************
16:45:02,440 INFO  [[/IDMRPT-CORE]] Marking servlet OsgiBridge as unavailable
16:45:02,441 ERROR [[/IDMRPT-CORE]] Servlet /IDMRPT-CORE threw load() exception
java.lang.OutOfMemoryError: Java heap space

...

*******************************************

There are two different memory issues and the solutions are different:

3.6.10.1 ZipFile out-of-memory issue

Unfortunately, Novell is unable to correct this problem.

In this situation, you might see an error similar to the following, most of the time followed by a JVM crash:

java.lang.OutOfMemoryError
    at java.util.zip.ZipFile.open(Native Method)
    at java.util.zip.ZipFile.<init>(Unknown Source)
    at java.util.zip.ZipFile.<init>(Unknown Source)
    at org.jboss.virtual.plugins.context.zip.ZipFileWrapper.ensureZipFile(ZipFileWrapper.java:175)
    at org.jboss.virtual.plugins.context.zip.ZipFileWrapper.openStream(ZipFileWrapper.java:213)
    at org.jboss.virtual.plugins.context.zip.ZipEntryContext.openStream(ZipEntryContext.java:1082)
    at org.jboss.virtual.plugins.context.zip.ZipEntryHandler.openStream(ZipEntryHandler.java:153)
    at org.jboss.virtual.VirtualFile.openStream(VirtualFile.java:230)
    at org.jboss.classloading.spi.vfs.policy.VFSClassLoaderPolicy.getResourceAsStream(VFSClassLoaderPolicy.java:483)

This indicates that the available system memory on your machine is not sufficient for running our product. Either increase your memory, or stop some unnecessary services from running. Increasing the Java heap size with -Xmx for your application server does not help.

3.6.10.2 Java heap out-of-memory issue

If you use your own JBoss, you need to use the following procedure to upgrade Hibernate before you can use the product:

  1. Stop JBoss.

  2. Back up the Hibernate jars.

    Go to the <jboss>/common/lib folder and move all jars beginning with hibernate to a backup location outside the <jboss> folder.

  3. Go to the Hibernate Web site and follow its instructions to download Hibernate 3.6.1.

  4. Unzip Hibernate and copy the hibernate3.jar file into <jboss>/common/lib.

  5. Start JBoss.

NOTE: If you do not upgrade Hibernate, the reporting module might not start properly. Also, remember that upgrading Hibernate affects non-Identity Manager applications running on the same JBoss.

3.6.11 A valid certificate is not converted

This problem has only been observed on WebSphere.

When you add an application in the reporting module, you might notice that a valid certificate is not properly converted. The following actions might cause this problem to occur:

  1. You log in to the Identity Reporting Module with valid credentials.

  2. You navigate to the Applications page and click the Add Application button.

  3. You fill in all the mandatory fields and browse for the certificate by selecting the SSL check box and clicking Test.

The certificate should be converted, but this does not occur.

To work around this problem, you can simply copy and paste the content of the certificate into the text area on the form.

3.6.12 Reports might be empty when users are added in both RBPM and iManager and the server times are not synchronized

When users are added in both RBPM and iManager, these users are updated in the database in the idmrpt_idv_acct table. However, the following reports might be empty when executed if the time between the servers is not synchronized:

  • IDV User report

  • IDV user status

  • IDV password

This happens only for new users when the time between the servers is out of synchronization. If a user is added and then modified, the reports are populated with data.

If the MetaDirectory and Reporting servers are running on different machines, and the timestamp value of the MetaDirectory server is ahead compared to the reporting server, this issue will occur. The timestamp value of the user account (valid time) will update with MetaDirectory timestamp. Until the reporting server time meets the user account valid time, you cannot fetch the data into reports. The fix for this issue is to ensure that all servers have the same time.

3.6.13 Frequency cannot be modified in a schedule

Currently, in release 4.0.1 of the Identity Reporting Module, it is not possible to modify the frequency of a schedule. If you need to change the frequency (from week to month, for example), you need to delete the schedule and create a new one.

3.6.14 Download of an RPZ may change to a ZIP with Internet Explorer

Currently, when using the Download page in Identity Reporting Module with an Internet Explorer browser, the file may change its extension from .rpz to .zip. This change does not cause any problems. The reporting module will handle the upload and import the report correctly if the extension is .zip. With a Firefox browser, the extension always will be .rpz.

3.6.15 Upgrade to the Identity Reporting Module may not immediately show the Advanced Version

If you change from the Standard Version to the Advanced Edition, the version change for the reporting module will occur after the next batch of events is processed.

3.6.16 Startup process requires extra time before reports can be generated

When you first start the Identity Reporting Module, wait 5 minutes before running a report. The startup process consumes a lot of memory, leaving less memory for the report generation. If you do not wait 5 minutes, you may encounter memory errors.

3.6.17 Reporting does not start on Windows 2008 if the JRE is 64-bit

When using the standalone installers for RBPM and the Identity Reporting Module, you may see configuration errors on Windows 2008 if you install both components and switch from a 32-bit JRE to a 64-bit JRE.

The Identity Reporting Module is installed with a 32-bit JRE. Preferences are set under this JRE environment.

If you install a 64-bit Java on Windows 2008, it becomes the default Java on your system. When JBoss starts up, it reads the environment variable JAVA_HOME, and uses the Java that JAVA_HOME points to. If JAVA_HOME points to the 64-bit Java, then you will see errors in the JBoss server log when starting the reporting module (IDMRPT, IDMRPT-AUTH, IDMRPT-CORE) indicating that the configuration is not correct. This is because it is reading the preferences under the 64-bit Java and not the 32-bit Java.

To work around this issue, open the start-jboss.bat file and edit the JAVA_HOME and PATH entries to point to the 32-bit Java. This will typically be in your JBoss directory. Alternatively, if you are aware of this issue before installing RBPM, you can point to the 32-bit Java when the installer asks which Java you want to use.

If you install RBPM alone (and do not install the Identity Reporting Module), you can use 64-bit Java.

3.7 Roles Based Provisioning Module

You might encounter the following issues as you use the Roles Based Provisioning Module:

3.7.1 An error message is displayed for the Copy function in the Detail portlet

In Firefox, if you attempt to copy text in the Detail portlet, an error message is displayed.

The following actions cause this message to appear:

  1. You log in to the User application as administrator and go to the Administration tab.

  2. You click Portlet Admin > Detail Portlet in Portlet Applications.

  3. You click Preferences > View/Edit custom Preferences > continue.

  4. You click the HTML Layout edit icon and enter some sample text, such as “TEST”.

  5. You select the text and click the Copy icon.

If you follow these steps, you see the following error message:

“Exception... "Access to XPConnect service
denied"  code: "1011" nsresult: "0x805303f3
(NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED)"  location:
"http://172.16.1.99:8180/IDMProv/resource//portal-general/javascript/html_editor.js
Line: 531" ” when clicked on Copy button.

You might also see this message when performing cut and paste operations.

This is a known issue with Dojo and Firefox.

3.7.2 Session-level failover does not work with software dispatchers

The session-level failover does not function properly with software dispatchers. However, it works correctly with hardware dispatchers. Until further notice, the User Application supports only hardware dispatchers in a clustered environment.

3.7.3 Forms do not print correctly on Internet Explorer

You can add JavaScript to a workflow form to allow for printing. However, this technique does not produce expected results on Internet Explorer.

As described in the Designer documentation, you can add the following to the form onload event:

// Run PrintForm's interceptor around the form's SubmitAction.
form.interceptAction("SubmitAction", "around",
    function (invocation) {
        var pf = new PrintForm("SubmitAction");
        pf.printFormInterceptor(invocation);
    });

This action works correctly for both Internet Explorer and Firefox. However, the printed form output is not formatted correctly on Internet Explorer, although it is formatted correctly on Firefox.

Firefox supports automatic resizing of pages. It takes the entire page as a vector and resizes it, but Internet Explorer just changes the styles internally. For this reason, only Firefox can be used to resize the page appropriately for printing.

To work around this problem on Internet Explorer, determine which of the following possible solutions works best for you:

  • You can perform an Alt+Print Screen function in Internet Explorer that prints the content as it appears on the screen.

  • You can use the reference below, which might work for the workflows but might not print the form exactly the way you want it to print. This is a quick fix to print the form.

    <link rel="stylesheet" type="text/css" href="print.css" media="print" />
    

    This can be added in the workflow forms (the Request_form, Approval_form, and so forth) under Scripts > URL/Inline Script. This improves the print formatting on Internet Explorer, but might not be totally correct.

  • You can create a CSS script specifically for each workflow to print the output as you want it to appear. Each CSS script probably needs to be specific to a workflow and requires tweaking that could be time-consuming.

    The references look like this:

    document.writeln("<link rel=\"stylesheet\" type=\"text/css\" href=\"http://172.17.5.100:8280/externalFiles/css/jquery-ui-1.7.2.custom.css\"><\/script>");
    

    This can be added in the workflow forms (Request_form, Approval_form, and so forth) under Scripts > URL/Inline Script.

  • You can create an external WAR file that stores all the CSS scripts and is referenced from the workflow. This allows changes to be made in one file rather than within each workflow.

    For example, with document.writeln("<link rel=\"stylesheet\" type=\"text/css\" href=\"http://172.17.5.100:8280/externalFiles/css/jquery-ui-1.7.2.custom.css\"><\/script>");, you replace the href attribute with the link to your CSS script. You need to do it this way because the external script for a workflow form must be JavaScript, so you use an inline script to load a reference to a CSS file. The inline scripts go into a specific area on the form called scripts and are executed when the form is first loaded. You need to put the scripts on all the forms (request forms and approval forms). This allows you to specify a style that works for the printer, without changing the style for the viewable form.

3.7.4 RBPM reports have been deprecated

The Roles Based Provisioning Module reports that were provided in previous releases of the product (available under Reports on the Roles and Resources tab) are being deprecated in this release. These reports will be removed in a future release.

3.7.5 Digital signatures are not supported

Support for digital signatures has been removed in this release.

3.7.6 Accessory portlets are not supported

Support for accessory portlets has been removed in this release.

3.7.7 A new user with special characters in the name cannot log in to the User Application

On WebSphere, if you create a new user with special characters in the name, the user cannot log in to the User Application. For example, if you create a user as /Test// from the Create Users and Groups page, an error page is displayed when the new user tries to log in to the application.

3.7.8 The JBossPostgreSQL installer might display a pop-up in silent mode on Windows

PostgreSQL requires several Microsoft VC++ libraries when running on Windows. If these libraries are not installed on the Windows server, the PostgreSQL installer automatically installs them. When you run the JBossPostgreSQL installer in silent mode on Windows, a pop-up window appears for about three seconds while these libraries are being installed, if those libraries are not already installed on the machine.

At this time, the installer is not able to suppress this pop-up window on Windows.

3.7.9 Content for the User Application driver is missing trustees for Attestation Reports

If you redeploy the User Application driver from Designer after running the integrated installer, the trustees for the Attestation Report provisioning request definitions are deleted and no one can execute the report. The reason for this is that the trustees are added to the Attestation Report provisioning request definitions at User Application startup. Because Designer does not know about the trustees, an attempt to redeploy the User Application driver from Designer removes the trustees. Therefore, you need to import these objects from eDirectory after User Application startup to synchronize the trustees.

3.7.10 The integrated installer is not properly handling RBPM error codes

In some situations, the integrated installer does not properly handle the Roles Based Provisioning Module setup errors. This can happen when the Roles Based Provisioning Module configuration fails because of a problem with the driver configuration process. In this case, the integrated installer configuration summary displays a message indicating that the Roles Based Provisioning Module configuration passed, but the Roles Based Provisioning Module configuration has setup errors. The defect number is 641557.

3.7.11 Caching issue with newly removed assignments

If you create a role or resource assignment, and then remove it, you see a message indicating that the assignment has been removed, but the assignment is still listed. If you refresh the page, you see that the assignment has been removed. This is caused by a caching issue.

3.7.12 Entity names with a dash are not supported in a search within the Org Chart portlet

The search feature in the Org Chart portlet does not work if the Entity type being displayed has a dash (-) in the name. At this time, the product does not support Entities with dashes in their names.

3.7.13 Deploying RBPM on JBoss 5.1.0 EAP throws warnings and errors at startup

If you deploy the Roles Based Provisioning Module on JBoss 5.1.0 Enterprise Application Platform (EAP), you might see multiple warnings and errors in the startup log.

The problem is that the RBPM installer uses the community version of the messaging-jboss-beans.xml file as a template to generate its own version of the file. Unfortunately, the EAP version is very different in many aspects, including the definitions of QueueMODefinition and TopicMODefinition.

The workaround for this issue is to replace the messaging-jboss-beans.xml file you have with the modified XML file shown below. The file needs to be in the IDMProv/deploy/messaging folder.

<?xml version="1.0" encoding="UTF-8"?>

<!--
 ========================================================================

 Copyright (c) 2009 Novell, Inc. All Rights Reserved.

 THIS WORK IS SUBJECT TO U.S. AND INTERNATIONAL COPYRIGHT LAWS AND TREATIES
 NO PART OF THIS WORK MAY BE USED, PRACTICED, PERFORMED COPIED, DISTRIBUTED,
 REVISED, MODIFIED, TRANSLATED, ABRIDGED, CONDENSED, EXPANDED, COLLECTED,
 COMPILED, LINKED, RECAST, TRANSFORMED OR ADAPTED WITHOUT THE PRIOR WRITTEN
 CONSENT OF NOVELL, INC. ANY USE OR EXPLOITATION OF THIS WORK WITHOUT
 AUTHORIZATION COULD SUBJECT THE PERPETRATOR TO CRIMINAL AND CIVIL
 LIABILITY.

 ========================================================================
-->

<!--
    Messaging beans
    $Id: messaging-jboss-beans.xml 88672 2009-05-11 20:49:47Z anil.saldhana@jboss.com $
-->
<deployment xmlns="urn:jboss:bean-deployer:2.0">

   <!-- messaging application-policy definition -->
   <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="dsJndiName">java:/IDMUADataSource</module-option>
            <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
            <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
         </login-module>
      </authentication>
   </application-policy>

   <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
      <!-- default security configuration -->
      <property name="defaultSecurityConfig">
         <![CDATA[
            <security>
               <role name="guest" read="true" write="true" create="true"/>
            </security>
         ]]>
      </property>
      <property name="suckerPassword">changeit</property>
      <property name="securityDomain">messaging</property>
      <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
      <!-- @JMX annotation to export the management view of this bean -->
      <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.messaging:service=SecurityStore",exposedInterface=org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStoreMBean.class)</annotation>
      <!-- Password Annotation to inject the password from the common password utility
       <annotation>@org.jboss.security.integration.password.Password(securityDomain="messaging",methodName="setSuckerPassword")</annotation>
       -->
   </bean>

   <bean name="MessagingDeploymentTemplateInfoFactory"
      class="org.jboss.managed.plugins.factory.DeploymentTemplateInfoFactory"/>

   <bean name="QueueTemplate" class="org.jboss.profileservice.management.templates.JmsDestinationTemplate">
      <property name="info"><inject bean="QueueTemplateInfo"/></property>
   </bean>
   <bean name="QueueTemplateInfo"
      class="org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo">
      <constructor factoryMethod="createTemplateInfo">
         <factory bean="DSDeploymentTemplateInfoFactory"/>
         <parameter class="java.lang.Class">org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo</parameter>
         <parameter class="java.lang.Class">org.jboss.jms.server.destination.QueueServiceMO</parameter>
         <parameter class="java.lang.String">QueueTemplate</parameter>
         <parameter class="java.lang.String">A template for JMS queue *-service.xml deployments</parameter>
      </constructor>
      <property name="destinationType">QueueTemplate</property>
   </bean>

   <bean name="TopicTemplate" class="org.jboss.profileservice.management.templates.JmsDestinationTemplate">
      <property name="info"><inject bean="TopicTemplateInfo"/></property>
   </bean>
   <bean name="TopicTemplateInfo"
      class="org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo">
      <constructor factoryMethod="createTemplateInfo">
         <factory bean="DSDeploymentTemplateInfoFactory"/>
         <parameter class="java.lang.Class">org.jboss.profileservice.management.templates.JmsDestinationTemplateInfo</parameter>
         <parameter class="java.lang.Class">org.jboss.jms.server.destination.TopicServiceMO</parameter>
         <parameter class="java.lang.String">TopicTemplate</parameter>
         <parameter class="java.lang.String">A template for JMS topic *-service.xml deployments</parameter>
      </constructor>
      <property name="destinationType">TopicTemplate</property>
   </bean>

</deployment>
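The SecurityStore bean in the listing above carries a `suckerPassword` that is printed in this Readme and a default `guest` role with write and create rights. The following is an added example, not part of the Readme or of any Novell or JBoss code: a small audit that reports both settings in a beans file. The XML inside it is a constructed excerpt modelled on the listing, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on the SecurityStore bean in the listing above.
SAMPLE_BEANS_XML = """<deployment xmlns="urn:jboss:bean-deployer:2.0">
   <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
      <property name="defaultSecurityConfig">
         <![CDATA[
            <security>
               <role name="guest" read="true" write="true" create="true"/>
            </security>
         ]]>
      </property>
      <property name="suckerPassword">changeit</property>
   </bean>
</deployment>"""

PUBLISHED_PASSWORDS = {"changeit"}  # the value printed in the Readme listing


def local(tag):
    # Drop a namespace prefix such as {urn:jboss:bean-deployer:2.0}.
    return tag.rsplit("}", 1)[-1]


def audit_security_store(xml_text, published=PUBLISHED_PASSWORDS):
    """Return findings for the SecurityStore bean of a beans file."""
    findings = []
    for bean in ET.fromstring(xml_text).iter():
        if local(bean.tag) != "bean" or bean.get("name") != "SecurityStore":
            continue
        for prop in bean:
            if local(prop.tag) != "property":
                continue
            name, value = prop.get("name"), (prop.text or "").strip()
            if name == "suckerPassword" and value in published:
                findings.append("suckerPassword is a published value")
            elif name == "defaultSecurityConfig" and value:
                # The CDATA body is itself a small XML document.
                for role in ET.fromstring(value).iter("role"):
                    grants = [p for p in ("write", "create")
                              if role.get(p, "false").lower() == "true"]
                    if grants:
                        findings.append("default role %r grants %s"
                                        % (role.get("name"), "+".join(grants)))
    return findings


if __name__ == "__main__":
    print("\n".join(audit_security_store(SAMPLE_BEANS_XML)))
```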

3.7.14 Workflow engine displays a java.lang.StackOverflowError in a looping workflow

If you have workflows that are recursive in nature (that execute loops), you might see a StackOverflowError at execution time. Java does not handle the stack space for recursive functions effectively. Therefore, for recursive workflows, you need to increase the stack size for the JVM. The JVM defaults to 512K. You might want to increase the stack size to 1M.

To increase the stack size, include the -Xss1M setting in JAVA_OPTS in your JBoss start script file:

JAVA_OPTS="-server -Xss1M -Xms512M -Xmx512M -XX:MaxPermSize=512m"

3.7.15 Setting NDSD_TRY_NMASLOGIN_FIRST to true on eDirectory

If you perform a default eDirectory installation and apply a password policy that has an Email Password to User action to an existing user, then log in as this user and perform a forgotten password procedure, you might see a message that says Universal Password is not set after answering the challenge response questions.

To fix this issue:

  1. Add the following two lines to the pre_ndsd_start script located at /opt/novell/eDirectory/sbin (formerly in /etc/init.d):

    NDSD_TRY_NMASLOGIN_FIRST=true
    export NDSD_TRY_NMASLOGIN_FIRST
    

    This should be done on any server that might handle NMAS logins via LDAP.

  2. Restart eDirectory to apply the change.

For more information, see “How to Make Your Password Case-Sensitive” in the Novell eDirectory 8.8 What’s New Guide.

3.7.16 PostgreSQL does not support number format of Simplified Chinese

If your server is set up with Simplified Chinese as the number format (by using Control Panel -> Clock, Language, and Region -> Region and Language -> Formats tab -> Format -> Chinese (Simplified, PRC)), PostgreSQL will not install successfully. Do not use the Simplified Chinese number format on the server where PostgreSQL will be installed.

3.8 iManager

You might encounter the following issues as you use iManager:

3.8.1 Internet Explorer 7 continually prompts for access to the Clipboard

When you are using iManager, particularly the Policy Builder, Internet Explorer 7 continually prompts you for access to the Clipboard. To disable prompting:

  1. Click Tools > Internet Options.

  2. Click the Security tab, then click Custom Level.

  3. Click Scripting > Allow programmatic clipboard access, then select Enable.

    After you restart Internet Explorer, the prompting stops.

3.8.2 iManager plug-in dependency for the NDS-to-NDS Driver Certificates Wizard

If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Novell Certificate Server.

3.9 Identity Manager 4.0.1 Framework Uninstallation

You might encounter the following issues during uninstallation of the Identity Manager Metadirectory engine and drivers.

3.9.1 Identity Manager 4.0.1 framework uninstallation does not remove DXMLnotes.pkg on Solaris 10

Manually remove the DXMLnotes.pkg package.

3.9.2 On Windows, Identity Manager 4.0.1 framework uninstallation log files are not created in the Uninstall folder

The uninstall log files are created in the temp directory.

3.9.3 On Windows, the Metadirectory server uninstallation does not remove the lib directory

The jar files that reside in the lib directory are not removed.

The uninstaller uninstalls other installed components.

3.10 Identity Manager 4.0.1 Integrated Uninstallation

3.10.1 On Windows, the Identity Vault uninstallation hangs in silent mode

The Identity Vault uninstallation hangs when you run the nds-uninstall command.

To successfully uninstall the Identity Vault:

  1. Stop the DHost from the Task Manager.

  2. Start the NDS service.

  3. Start the uninstallation program.

3.10.2 The integrated uninstaller does not remove JBoss and PostgreSQL

For more information on uninstalling the Roles Based Provisioning Module, refer to uninstallation details in the Identity Manager Roles Based Provisioning Module 4.0.1 User Application: Installation Guide.

3.10.3 On Windows, the integrated uninstaller does not completely clean the installation folder

The following command might fail with an exit value of 1:

cmd /c copy "C:\Users\Administrator\AppData\Local\Temp\2\I1285831815\Windows\resource\jre\..\iawin64_x64.dll" "C:\Program Files (x86)\Novell\Identity Manager\Uninstall_Roles_Based_Provisioning_Module_for_Novell_Identity_Manager\resource\iawin64_x64.dll"

The uninstaller does not remove the <Install> and the <system drive>\Novell\conf folders.

To work around this issue, manually remove these folders.

3.11 Localization

3.11.1 On Windows, the Identity Manager 4.0.1 installers contain corrupt characters in the Console Mode

If you select Brazilian Portuguese, Danish, Dutch, English, French, German, Italian, Swedish, Spanish, or Russian as your choice of language for installing Identity Manager 4.0.1, the installer displays corrupt characters during installation.

If you select English, the installer contains a corrupt character on the Select Language page of the installation program. However, the characters display correctly for the Asian languages when the installer is run on Asian Windows.

For the characters to display correctly, ensure that you change the default font of your Windows machine to Lucida Console by using the following steps before installing Identity Manager:

  1. Go to Start > Run > Regedit > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage and change the OEMCP value from 850 to 1252.

    For Russian, change the OEMCP value from 866 to 1251 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage key.

  2. Go to Start > Run, type cmd in the Open text box, then press Enter to launch the command prompt.

  3. Right-click the title bar of the cmd window to open the pop-up menu.

  4. Scroll down in the pop-up menu and select the Defaults option to open the Console Windows Properties dialog box.

  5. Click the Font tab and change the default font from Raster to Lucida Console (TrueType).

  6. Click OK.

  7. Restart the machine.

4.0 Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2011 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

For Novell trademarks, see the Novell Trademark and Service Mark list.

All third-party trademarks are the property of their respective owners.