Novell Identity Manager Roles Based Provisioning Module 3.6.1 Readme

February 9, 2011

This document contains the known issues for the Identity Manager Roles Based Provisioning Module, Version 3.6.1. See Section 2.0, Issues Fixed in 3.6.1 for a list of the IDM Roles Based Provisioning Module 3.6 issues that were fixed in this release. See the Read Me for Version 3.6 for a list of known issues for the 3.6 release. You can find the 3.6 Read Me at the Novell Identity Manager 3.6 Product Documentation Web site.

The documentation resources are refreshed regularly. Corrections and enhancements are made as needed. Please check Novell Identity Manager 3.6.1 Product Documentation Web site for updates.

1.0 Known Issues in 3.6.1

The following sections describe known issues in Version 3.6.1 of the Roles Based Provisioning Module:

1.1 Database Platform Issues

1.1.1 Database Must Use a Character Set with Unicode Encoding

The User Application requires that the database character set use Unicode encoding. For example, UTF-8 is an example of a character set that uses Unicode encoding, but Latin1 does not. Before installing the User Application, verify that your database is configured with a character set that has Unicode encoding.

1.1.2 Setting up a MySQL database for the User Application

Install your MySQL server. Optionally, set the UTF-8 character set for the whole server. Create your database and set the character set. Edit the MySQL configuration file (my.ini on Windows, or my.cnf on Linux) and set the following values:

character_set_server=utf8

default-table-type=innodb

Create a user to log into the MySQL server and grant privileges to the user, for example

GRANT ALL PRIVILEGES ON <dbname>.* TO '<username>'@'<host>' IDENTIFIED BY 'password';

The minimum set of privileges is CREATE, INDEX, INSERT, UPDATE, DELETE, and LOCK TABLES. For documentation on the GRANT command, see http://www.mysql.org/doc/refman/5.0/en/grant.html.

1.1.3 Setting up an Oracle database for the User Application

Create your Oracle server and use AL32UTF8 to specify a Unicode-encoded character set. (See the Oracle documentation for AL32UTF8.)

Create a user. (This automatically creates a database.) Issue the following statements using the SQL Plus utility. These statements create the user and set the user's privileges. Grant the user CONNECT and RESOURCE privileges, for example

CREATE USER idmuser IDENTIFIED BY password;

GRANT CONNECT, RESOURCE TO idmuser;

1.1.4 Setting up an MS SQL Server database for the User Application

Set up your MS SQL Server database as follows:

  1. Install the MS SQL server.

  2. Connect to the server and open an application for creating the database and database user (typically the SQL Server Management Studio application).

  3. Create a database. SQL Server does not allow users to select the character set for databases. The IDM User Application stores SQL Server character data in a NCHAR column type, which supports UTF-8.

  4. Create a login.

  5. Add the login as a user of the database.

  6. Grant these privileges to the login: CREATE TABLE, CREATE INDEX, SELECT, INSERT, UPDATE, and DELETE.

The User Application requires version 1.0.809.102 of the Microsoft SQL Server 2005 JDBC Driver. Note that only the Sun Solaris, Red Hat Linux, and Windows 2000 or later operating systems are officially supported with this JDBC driver.

1.1.5 Tuning DB2 Databases to Prevent Deadlocks and Timeouts

When using DB2, if you see the error "The current transaction has been rolled back because of a deadlock or timeout," the problem may be caused by a high level of user and database concurrency.

DB2 provides many techniques for resolving lock conflicts, including tuning of the cost-based optimizer. The Performance Guide included in the DB2 Administration documentation covers tuning in depth.

There are no prescribed tuning values that can be used for all installations since the level of concurrency and size of data varies. However, here are some DB2 tuning tips that may be relevant for your installation:

  • The reorgchk update statistics command will update the statistics used by the optimizer. Periodic updates of these statistics may be enough to alleviate the problem.

  • Use of the DB2 registry parameter DB2_RR_TO_RS can improve concurrency by not locking the next key of the row that was inserted or updated.

  • Increase the MAXLOCKS and LOCKLIST parameters on the database.

  • Increase the currentLockTimeout property on the database connection pool.

  • Use the Database Configuration Advisor and optimize for faster transactions.

  • Alter all the User Application tables to be VOLATILE to indicate to the optimizer that cardinality of the table will vary significantly. For example, to make the AFACTIVITY table VOLATILE, you might issue the command: ALTER TABLE AFACTIVITY VOLATILE

    The ALTER TABLE commands need to be run after the User Application has been started once and the database tables have been created. Refer to the ALTER TABLE documentation for more information on this statement. Here are the SQL statements for all the User Application tables:

    ALTER TABLE AFACTIVITY VOLATILE
    ALTER TABLE AFACTIVITYTIMERTASKS VOLATILE
    ALTER TABLE AFBRANCH VOLATILE
    ALTER TABLE AFCOMMENT VOLATILE
    ALTER TABLE AFDOCUMENT VOLATILE
    ALTER TABLE AFENGINE VOLATILE
    ALTER TABLE AFENGINESTATE VOLATILE
    ALTER TABLE AFMODEL VOLATILE
    ALTER TABLE AFPROCESS VOLATILE
    ALTER TABLE AFPROVISIONINGSTATUS VOLATILE
    ALTER TABLE AFQUORUM VOLATILE
    ALTER TABLE AFRESOURCEREQUESTINFO VOLATILE
    ALTER TABLE AFWORKTASK VOLATILE
    ALTER TABLE AUTHPROPS VOLATILE
    ALTER TABLE DSS_APPLET_BROWSER_TYPES VOLATILE
    ALTER TABLE DSS_APPLET_CFG VOLATILE
    ALTER TABLE DSS_APPLET_CFG_MAP VOLATILE
    ALTER TABLE DSS_BROWSER_TYPE VOLATILE
    ALTER TABLE DSS_CONFIG VOLATILE
    ALTER TABLE DSS_EXT_KEY_USAGE_RESTRICTION VOLATILE
    ALTER TABLE DSS_USR_POLICY_SET VOLATILE
    ALTER TABLE PORTALCATEGORY VOLATILE
    ALTER TABLE PORTALPORTLETHANDLES VOLATILE
    ALTER TABLE PORTALPORTLETSETTINGS VOLATILE
    ALTER TABLE PORTALPRODUCERREGISTRY VOLATILE
    ALTER TABLE PORTALPRODUCERS VOLATILE
    ALTER TABLE PORTALREGISTRY VOLATILE
    ALTER TABLE PROFILEGROUPPREFERENCES VOLATILE
    ALTER TABLE PROFILEUSERPREFERENCES VOLATILE
    ALTER TABLE SCHEMAVERSION VOLATILE
    ALTER TABLE SECURITYACCESSRIGHTS VOLATILE
    ALTER TABLE SECURITYPERMISSIONMETA VOLATILE
    ALTER TABLE SECURITYPERMISSIONS VOLATILE
    ALTER TABLE SEC_DELPROXY_CFG VOLATILE
    ALTER TABLE SEC_DELPROXY_SRV_CFG VOLATILE
    ALTER TABLE SEC_SYNC_CLEANUP_QUEUE VOLATILE
    

1.1.6 Hibernate Exception

Using the Oracle* 9i driver creates the following exception: org.hibernate.exception.GenericJDBCException: could not insert: [com.sssw.fw.security.persist.EboPermissionMeta]

To avoid this problem, use the Oracle 10g drivers, ojdbc14.jar and orai18n.jar. These drivers are backward compatible to Oracle 9i.

1.2 Cryptovision Installer Refers to Incorrect Version of User Application

The cryptovision installer refers to Novell IDM 3.5 User Application. This message can be ignored, since the installer will work with Version 3.6.1.

1.3 Grace Login Counter Is Incorrect with Auth Headers for SSO

If Access Gateway is placed in front of the User Application and SSO is enabled, the available grace login amount might decrease by 2 for each login (instead of by 1 without Access Gateway). This is a limitation of NMAS. In the event that a password expires for a user, the user interface prompts the user to change the password. The user should follow the instructions presented and change the password accordingly.

1.4 Team Tasks in HTTPS Mode with IE Presents Pop-Up

If you're running in HTTPS mode on Internet Explorer 6 or 7, you will see a pop-up warning message when viewing the team task list with the Exhibit Display format. This warning does not appear when viewing the team task list with the Template Display format. The warning message indicates that the page contains mixed content. The pop-up asks if you want to display the nonsecure items. Click Yes to view the task list.

1.5 Roles Pending Activation Are Not Displayed in Role Assignments and My Roles Pages

The Pending Activation status is in a sub-category under Approved in the View Request Status page (because the request has been approved). In areas where you are viewing the assignments, the Pending Activation icon is used to differentiate approved requests that are active from approved requests that are pending future activation.

The Pending Activation icon and roles pending activation do not currently appear in the Role Assignments page or the My Roles page. Due to this restriction, the User Application currently shows only active assignments. The pending role assignments will be added to the Role Assignments page and the My Roles page in a future release.

1.6 Association Report Is Not Working for Team Managers

The Association report page works only for administrators and typical users. It does not work for team managers. If the administrator configures the Association Report page security settings and opens it to public access, a typical user can log in and view his or her association report without a problem. However, when a team manager logs in, this user cannot use the lookup icon to search for a team member and view the team member's association report.

1.7 Greater Than and Less Than Symbols Are Not Supported in User CNs

The User Application does not support using the < and > symbols in a user's CN (or any other login attribute, such as workforceID) in this release. Using the < or > symbols will cause the password self-service feature to work incorrectly.

1.8 Attribute Rights are Required for Attributes Used in Role Searches

The Browse right setting for entry rights is required for authorization to make role assignments. The Read right on attributes is required for attributes that are used in role searches. If you notice an inconsistency between the behavior for role assignments and role searches in the User Application, check your trustee rights. The behavior may result from different settings for the entry and attribute rights.

1.9 Server Start Fails if OpenXDAS is Enabled and xdasd is Not Started

If the User Application is configured for Audit logging using OpenXDAS, the application will not deploy properly if the xdasd process is not running. The error message will appear in the server console and log as shown below:

2008-05-03 13:46:48,308 ERROR [com.sssw.fw.servlet.Boot:contextInitialized]
Un>com.novell.srvprv.spi.util.servlet.LogConfiguratorException: Error
Initialize >        at
com.novell.srvprv.spi.util.servlet.LogConfigurator.init(LogConfigur>        at
com.sssw.fw.servlet.InitListener.contextInitialized(InitListener.ja>        at
org.apache.catalina.core.StandardContext.listenerStart(StandardCont>        at
org.apache.catalina.core.StandardContext.start(StandardContext.java>        at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBa>        at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:>        at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:55>        at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMB

Then hundreds of:

2008-05-03 13:46:53,072 WARN  [com.novell.soa.af.impl.core.EngineImpl:run]
Fai>java.lang.NullPointerException
        at com.novell.soa.af.impl.persist.EngineStateDAO.updateHeartbeat(Engin>
        at com.novell.soa.af.impl.core.EngineImpl$HeartbeatTimer.run(EngineImp>
        at java.lang.Thread.run(Unknown Source)
2008-05-03 13:46:53,072 INFO  [STDOUT:warn] XDas was not enabled

There may also be an infinite loop caused by the Workflow heartbeat thread throwing a null pointer exception.

On WebSphere, the User Application will start even if OpenXDAS throws an exception.

To work around this problem, perform either of these steps:

  • Start the xdasd process and restart the application server.

  • Remove the OpenXDAS appender-ref from idmuserapp_logging.xml (<appender-ref ref="OpenXDas"/>).

1.10 Text Following Less-Than Symbol is Truncated in a Shared or Container Page Name

The user interface does not restrict the use of the less-than symbol (<). However, if a page name includes the < character, the page name does not display properly in the Page Administration console. The name of the page in the page list and in the page name field will be truncated at the < character. For example, the name <Page displays an empty row in the page list and nothing in the page name field. The name Pa<ge displays Pa in the page list and Pa in the page name field.

The page name does display properly in the navigation portlet.

1.11 Special Characters in a Role Name Produce a Blank Role Report

When running role reports, if you use the Select a Role control to filter the report based on a particular role, and the selected entity has Asian characters in it, the role report will not run properly. (If you run role reports with All Roles selected, the entities with Asian characters will display correctly.)

The fix depends on which application server you are using. Apply the configuration option for your application server, as described below:

  • For the JBoss Application Server, add URIEncoding="UTF-8" to the http/https connector definitions in Tomcat's server.xml (see the JBoss documentation for details). For example:

    <Connector port="9000" address="${jboss.bind.address}"
       maxThreads="250" maxHttpHeaderSize="8192"
       emptySessionPath="true" protocol="HTTP/1.1"
       enableLookups="false" redirectPort="9443" acceptCount="100"
       connectionTimeout="20000" disableUploadTimeout="true"
       URIEncoding="UTF-8"/>
    
  • For the WebSphere Application Server, add -Dclient.encoding.override=UTF-8 as the JVM property to use when the application is started.

    For more information, see the following page:

    http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/trun_svr_utf.html
    
  • For the WebLogic Application Server, you need to add the following entry in the weblogic.xml inside the User Application WAR:

    <charset-params>
        <input-charset>
            <resource-path>/runreport</resource-path>
            <java-charset-name>UTF-8</java-charset-name>
        </input-charset>
        <input-charset>
            <resource-path>/run_sod_list_report</resource-path>
            <java-charset-name>UTF-8</java-charset-name>
        </input-charset>
        <input-charset>
            <resource-path>/run_sod_violation_report</resource-path>
            <java-charset-name>UTF-8</java-charset-name>
        </input-charset>
        <input-charset>
            <resource-path>/run_user_roles_report</resource-path>
            <java-charset-name>UTF-8</java-charset-name>
        </input-charset>
        <input-charset>
            <resource-path>/run_entitlement_report</resource-path>
            <java-charset-name>UTF-8</java-charset-name>
        </input-charset>
    </charset-params>
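
The root cause is how the connector decodes the percent-encoded query string that carries the selected role name. The following Python is an added illustration, not code from the readme or the product: it decodes the same UTF-8 bytes under the ISO-8859-1 connector default (Tomcat's default before URIEncoding is set) and under UTF-8, and shows that only the latter reproduces the stored role name, so the report's role lookup succeeds. The role name is a constructed sample.

```python
from urllib.parse import quote, unquote

# Constructed sample: a role name containing Asian characters. It is not
# taken from the readme; any name outside Latin-1 shows the same effect.
ROLE_NAME = "管理者"

# How the browser sends the Select a Role value with the report request:
# the UTF-8 bytes of the name, percent-encoded in the query string.
ENCODED_ROLE = quote(ROLE_NAME)   # '%E7%AE%A1%E7%90%86%E8%80%85'


def decode_query_value(encoded, uri_encoding):
    """Decode a percent-encoded query value the way a servlet container
    does for the given connector URIEncoding. Tomcat defaulted to
    ISO-8859-1 unless URIEncoding="UTF-8" was configured."""
    return unquote(encoded, encoding=uri_encoding, errors="replace")


def role_filter_matches(encoded, uri_encoding, stored_name=ROLE_NAME):
    """True when the decoded filter value equals the stored role name,
    i.e. when the report's role lookup would actually find the role."""
    return decode_query_value(encoded, uri_encoding) == stored_name


if __name__ == "__main__":
    for enc in ("iso-8859-1", "utf-8"):
        decoded = decode_query_value(ENCODED_ROLE, enc)
        print(f"{enc:11} -> {decoded!r}  "
              f"match={role_filter_matches(ENCODED_ROLE, enc)}")
```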
    

1.12 XSS Error Messages are Not Informative

The User Application supports the concept of XSS (Cross-Site Scripting) blacklists to allow you to prevent scripting attacks. The XSS blacklists prevent XSS injection in the free text input fields within the Detail portlet, approval flow, and role assignments pages within the application.

The User Application handles XSS blacklists correctly. However, the error messages displayed when a user enters a character on a blacklist are not very informative.
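
As an added illustration (not the User Application's own validation code), the following Python shows a blacklist check that produces the kind of informative message this issue asks for, naming the field, the rejected sequence and its position, next to the output-encoding step that protects a page regardless of what the blacklist happens to list. The blacklist contents, field name and sample inputs are assumptions.

```python
import html

# Constructed blacklist for this illustration. The User Application's real
# XSS blacklist is not reproduced in the readme, so this set is an
# assumption, not the product's configuration.
XSS_BLACKLIST = ("<", ">", "javascript:", "onerror=", "onload=")


def check_free_text(field_name, value, blacklist=XSS_BLACKLIST):
    """Validate one free-text field against the blacklist.

    Returns None when the value is acceptable. Otherwise returns a message
    naming the field, the rejected sequence and its offset, which is what
    a user needs in order to correct the input.
    """
    lowered = value.lower()
    for token in blacklist:
        offset = lowered.find(token)
        if offset != -1:
            return (f"{field_name}: the sequence {token!r} at position "
                    f"{offset} is not allowed in this field")
    return None


def render_for_html(value):
    """Escape a stored value before it is written into an HTML page.

    A blacklist only rejects what it lists; encoding every HTML
    metacharacter on output keeps the page safe whatever the blacklist
    missed, so both layers belong in the application.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs for an approval-flow comment field.
    for sample in ("Approved, please provision by Monday.",
                   "See <b>attached</b> justification"):
        print(check_free_text("Comment", sample))
    print(render_for_html('O\'Brien & "Co" <admin>'))
```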

1.13 Protected Mode Must Be Disabled on Internet Explorer 7.0 for Digital Signature Support

If you are running the digital signature applet with the Windows Vista version of Internet Explorer 7.0, you may see the following error message:

"The application's Digital Signature has an Error. Do you want to run the Application?" 

To fix this problem, you need to turn off Protected Mode in Internet Explorer.

1.14 Accessing External Password WAR Causes Exception When log4j.jar Is Not Included

When configuring the external password WAR without using the User Application installer, you must ensure that log4j.jar is on the External WAR server classpath or in the External WAR file's WEB-INF/lib folder. If you do not, you will likely see a "NoClassDefFoundError" when accessing the external WAR.

1.15 View Attestation Request Status Shows Null Values for Role Name and Category When Role is Unassigned

If a role attestation request is initiated for a role that has no assignments, the role name and role category fields display as "null" on the View Attestation Request Status page details report.

1.16 User Application on WebSphere Cannot Find Trusted Store Path

This release supports only the JKS key store type for trusted anchor storage. To enable digital signature support to work on WebSphere, you need to use the keytool utility from the IBM Java environment to import the trusted anchor certificate into the JKS key store.

Here is an example of the keytool command you should use:

If you do not use the IBM keytool utility to import the certificate, the User Application on WebSphere will not be able to find the trusted store path and digital signature verification will fail with the following messages:

sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
        at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:215)
        at
com.cryptovision.SAfX.Verifier.validateCertificate(Verifier.java:477)
        at com.cryptovision.SAfX.Verifier.verify(Verifier.java:622)
        at com.cryptovision.SAfX.Verifier.verify(Verifier.java:614)
        at com.cryptovision.SAfX.Verifier.verify(Verifier.java:607)
        at
com.novell.srvprv.impl.dss.dsvp.CryptoDSVPProvider.verifyXMLSignature(CryptoDSVPProvider.java:83)
        ... 

1.17 Digital Signature Verification Fails When Using xmlsigner 1.4

When using xmlsigner 1.4 with WebLogic, you need to be sure to download the commons-logging.jar file and copy it to the same location where other cryptovision libraries are placed. If you do not do this, the digital signature verification process will fail.

You can download the commons-logging.jar from this location:

http://commons.apache.org/downloads/download_logging.cgi. 

1.18 Entity Names with a Dash Are Not Supported in Search within Org Chart

The search feature of the Org Chart Portlet will not work if the Entity type being displayed has a dash (-) in the name. At this time, the product does not support Entities with dashes in their names.

2.0 Issues Fixed in 3.6.1

This section includes the list of issues described in the IDM 3.6 Roles Based Provisioning Module Readme that were fixed in the IDM 3.6.1 Roles Based Provisioning Module.

  • 2.3 Assigning an Organization Unit (OU) to a Role But the Role is Not Applied

  • 2.7 Roles User Interface Sometimes Shows Inconsistent Effective Dates

  • 4.1 SessionWarning Text and Simplified Chinese

  • 4.2 Problems with Role and SoD Constraint Name and Description in Chinese

3.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, ™, etc.) denotes a Novell® trademark; an asterisk (*) denotes a third-party trademark.

4.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.

For Novell trademarks, see the Novell Trademark and Service Mark list.

All third-party trademarks are the property of their respective owners.