Novell Identity Manager 4.0 Readme

February 10, 2012

This document contains the known issues for Novell Identity Manager 4.0.

1.0 Readme Information

The latest version of this Readme is available at the Novell Identity Manager documentation Web site.

2.0 Documentation

This Readme contains the known issues for Identity Manager version 4.0. In addition to this Readme, separate Readmes are available for Designer 4.0 and Designer 3.5:

Additional documentation resources are also available for the following products:

3.0 Known Issues

The following sections provide information on known issues at the time of the product release.

3.1 Identity Manager 4.0 Framework Installer Issues

You might encounter the following issues when you use the Identity Manager framework installer:

Upgrading Identity Manager requires the correct Administrator account to avoid losing Challenge Response answers

When you upgrade from an earlier version of Identity Manager on the Windows platform, you should use the same Administrator account that was used to install eDirectory. For example, if a domain Administrator account was used to install eDirectory, use the domain Administrator account again when installing Identity Manager. Do not use a local Administrator account.

If you do not use the same Administrator account, users’ answers for their Challenge Response questions are no longer accessible. This occurs because the tree key is re-created during the installation (because of the different Administrator accounts) and the new tree key does not provide the correct access to the stored answers. Users are prompted for new Challenge Response answers when they log in.

Upgrading Identity Manager from 3.6.1 to 4.0 does not remove all Identity Manager 3.6.1 RPMs on 64-bit machines

The Identity Manager upgrade does not completely replace the older packages on the system. Having the older packages on the system does not break functionality.

You can contact Novell technical support before attempting to remove these packages.

Upgrading Identity Manager from 3.5.1 to 4.0 on Windows does not remove the Novell Identity Manager Connected System of Identity Manager 3.5.1 entry from Add or Remove Programs

On Windows, the Identity Manager 4.0 framework installer does not place the installation files in the specified location if the path contains spaces

The Linux/UNIX Bidirectional driver cannot be installed in a Solaris zone that contains a read-only /usr partition

You cannot install the Linux/UNIX Bidirectional driver in a Solaris zone that contains a read-only /usr partition. If you select the driver for installation, the Identity Manager 4.0 framework installer reports an error.

On Linux, the Platform Agent is not upgraded to the latest version

On Linux, the Platform Agent is not upgraded when Identity Manager is upgraded by using the framework installer. On Windows and Solaris, the Platform Agent is automatically upgraded.

To work around this issue, manually install the Platform Agent RPM on Linux platforms.

NOTE: This issue is also observed when you upgrade through the integrated installer.

The Restore default button does not work during Identity Manager installation

During the Identity Manager installation, if you return to the Installation Location page from the subsequent page, the Restore Default button does not work as expected.

On Linux, the Identity Manager non-root installer does not install the 64-bit version of Identity Manager

Only the 32-bit version of Identity Manager is installed.

3.2 Identity Manager 4.0 Integrated Installer Issues

You might encounter the following issues when you use the Identity Manager integrated installer:

The integrated installer does not upgrade Identity Manager on Windows

Upgrading Identity Manager with the integrated installer is not supported on Windows.

Use the individual component installers and follow the onscreen instructions to complete the Identity Manager upgrade on Windows. For more information, refer to Performing an Upgrade in the Identity Manager 4.0 Framework Installation Guide.

The Identity Manager 4.0 integrated installer fails to install on Windows when you use UNC paths

You cannot use UNC paths (for example, \\myserver\share\Identity_Manager_4.0_Windows_Enterprise) to install and configure with the Identity Manager 4.0 integrated installer.

To work around this issue, create an actual mapped drive.

The schema extension fails when the eDirectory password contains more than one "$" special character

During Identity Manager installation, specify an eDirectory admin password that does not contain the "$" special character twice.

For example, the schema extension fails if you specify the following as the eDirectory password:

  • n0v3$$

  • n^!123$$

A password that contains a single "$" character works in combination with any other characters. For example, the following password is acceptable:

  • n0v3ll$

NOTE: This issue does not occur if you install through the framework installer.

On Linux, the Platform Agent is not upgraded to the latest version

On Linux, the Platform Agent is not upgraded when Identity Manager is upgraded by using the integrated installer. On Windows and Solaris, the Platform Agent is automatically upgraded.

To work around this issue, manually install the Platform Agent RPM on Linux platforms.

NOTE: This issue is also observed with the framework installer.

The remote desktop installation of Identity Manager might randomly fail

The Identity Manager installation fails with an error message. Because the remote desktop connection is delayed in comparison to the actual/physical access, the install process fails to acquire the local referrals, resulting in a failed installation.

To work around this issue, install Identity Manager on an actual/physical connection of the server or by using the VNC connection.

The integrated installer does not add the logging server to the logevent.cfg file

The logevent.cfg is modified on both Windows and Linux platforms when either the Roles Based Provisioning Module or the Identity Reporting Module is configured. If the Roles Based Provisioning Module or the Identity Reporting Module is not configured, use the individual installers to enable the auditing of eDirectory, Identity Manager, and the Role Mapping Administrator. For more information, see Setting Up Logging in the Identity Manager Roles Based Provisioning Module 4.0 User Application: Administration Guide.

On Solaris 10, an incorrect error message is displayed if Metadirectory is installed before installing the Remote Loader

If you install Metadirectory before installing Remote Loader, the Install Complete page incorrectly displays that Metadirectory is not properly installed.

However, the Metadirectory is properly installed and works fine.

It is safe to ignore the message.

The Challenge Response NMAS Methods are not installed through integrated installer

If the Identity Vault is installed and configured by using the integrated installer, the Novell Client or the User Application cannot authenticate to eDirectory because the Challenge Response methods are not installed.

To work around this issue, after configuring the Identity Vault, install the Challenge Response methods on Linux and Solaris platforms by using the following command (entered on one line):

nmasinst -addmethod <admin.context> <treename> <iso>/products/eDirectory/x86/nmas/NmasMethods/Novell/ChallengeResponse/config.txt [-h hostname[:port]] [-w password]

For a 64-bit Linux platform, use the following command:

nmasinst -addmethod <admin.context> <treename> <iso>/products/eDirectory/x64/nmas/NmasMethods/Novell/ChallengeResponse/config.txt [-h hostname[:port]] [-w password]

If you omit -w, nmasinst prompts for the admin password, which keeps the password out of the process list and the shell history.

For more information on installing NMAS methods, refer to the NMAS 3.3.3 Administration Guide.

3.3 Remote Loader

You might encounter the following issues as you use the Remote Loader:

The Remote Loader console help page is not displayed on Windows Server 2008 Core

On Windows Server 2008 Core, when you click Help in the Remote Loader console, the corresponding help page is not displayed.

To work around this issue, install a browser (for example, Internet Explorer) on your machine and click Help in the Remote Loader console.

3.4 Engine

You might encounter the following issues as you use Identity Manager:

Identity Manager 4.0 might sporadically report an unsatisfied link error on Solaris 10

When you start Identity Manager 4.0 on Solaris 10, you might sporadically encounter an unsatisfied link error.

To work around this issue, go to /opt/novell/eDirectory/lib/ and manually delete the following zero-size files:

  • libjclnt.so

  • libjclnt.so.0
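
The following shell script is an added example, not part of the Novell readme: it removes only the zero-size libjclnt.so and libjclnt.so.0 stubs that trigger the error and leaves a non-empty library in place, so it is safe to run again after a correct installation. It assumes the library directory is /opt/novell/eDirectory/lib as stated above (pass another directory as the first argument); the scratch directory at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Novell readme): remove the zero-size libjclnt
# stubs behind the "unsatisfied link error" on Solaris 10, but never a real
# (non-empty) library. Assumption: the default directory is the readme's
# /opt/novell/eDirectory/lib.

# Print the zero-size libjclnt files in $1, one per line (nothing if none).
find_empty_jclnt() {
    dir=${1:-/opt/novell/eDirectory/lib}
    for f in "$dir/libjclnt.so" "$dir/libjclnt.so.0"; do
        # -f: a regular file exists; ! -s: its size is zero
        if [ -f "$f" ] && [ ! -s "$f" ]; then
            echo "$f"
        fi
    done
}

# Delete the stubs found by find_empty_jclnt and print how many were removed.
clean_empty_jclnt() {
    dir=${1:-/opt/novell/eDirectory/lib}
    n=0
    # The eDirectory path contains no whitespace, so word splitting is safe here.
    for f in $(find_empty_jclnt "$dir"); do
        rm -f "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demo on a constructed scratch directory, not a real eDirectory tree.
demo_dir=$(mktemp -d)
: > "$demo_dir/libjclnt.so"                 # zero-size stub: must be removed
printf 'ELF' > "$demo_dir/libjclnt.so.0"    # non-empty: must survive
echo "removed $(clean_empty_jclnt "$demo_dir") file(s); remaining:"
ls "$demo_dir"
rm -rf "$demo_dir"
```

Run it as root on the affected server with no argument, then start Identity Manager again; the library must be re-created by a proper eDirectory/Identity Manager installation if it was genuinely missing rather than an empty stub.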

On virtual machines, when you start eDirectory, the Identity Manager Engine might fail to load due to an error from JNI_CreateJavaVM

The issue is observed only on virtual machines.

To work around this issue:

  1. Restart eDirectory.

  2. Reduce the JVM minimum heap size if the failure repeats.

  3. Restart eDirectory.

3.5 Drivers

You might encounter the following issues as you use the Identity Manager drivers:

The JDBC driver upgrade from a version earlier than 3.5.1 to version 3.5.1 or later fails

This issue has been reported only on MySQL. The upgrade operation fails when you upgrade the JDBC driver from a version earlier than 3.5.1 to version 3.5.1 or later.

The operation fails because of one of the following reasons:

  • The driver cannot read the metadata of tables by using the mysql-connector-java-3.1.11-bin.jar driver classes.

  • The driver cannot read its state files because the serialVersionUID of the JDBMKeyComparator class changed in the upgrade.

To work around this issue, use one of the following actions, which are based on the reasons for the upgrade failure:

  • Upgrade the third-party driver class from mysql-connector-java-3.1.11-bin.jar to mysql-connector-java-5.1.6-bin.jar.

  • Delete the state files and restart the driver.

Cannot select options when creating or configuring a driver on Linux in Designer

At times, you cannot select drop-down options when creating or configuring a driver. To work around this issue:

  1. Click the drop-down menu and continue to hold the left mouse button until the desired option is highlighted.

  2. Release the left mouse button to select the option.

3.6 Identity Reporting Module

You might encounter the following issues as you use the Identity Reporting Module:

Reports do not run unless the headless option is enabled

If you try to run a report (for example, Novell-Identity-Manager_Role-Assignments-by-Role_6.1r2), you might see the following error in the details:

An error was detected while running report 'Novell-Identity-Manager_Role-Assignments-by-Role_6.1r2': Could not initialize class net.sf.jasperreports.engine.util.JRStyledTextParser

To resolve this problem, you need to enable the headless option in the startup script for JBoss, as outlined below:

  1. Stop JBoss by specifying the following command:

    /etc/init.d/jboss_init stop
    
  2. Open the start-jboss.sh file in /opt/novell/idm/rbpm/UserApplication.

  3. In the JAVA_OPTS section, add the following entry:

    -Djava.awt.headless=true
    

    It now appears as:

    JAVA_OPTS="-server -Xms512m -Xmx512m -XX:MaxPermSize=256m -Djava.awt.headless=true "
    export JAVA_OPTS
    
  4. Save the file and exit.

  5. Restart JBoss:

    /etc/init.d/jboss_init start
    

Connected system endpoints are not accessible if the IP address is not changed for the Managed System Gateway driver

To access the endpoints of a connected system, specify the correct IP address of the machine on which the integrated installer was run in the Driver Configuration > Connection Parameters section of the Managed System Gateway driver.

Error displayed if Identity Reporting Module and RBPM are separately configured

The integrated installer displays the following error if Identity Reporting Module and the Roles Based Provisioning Module are separately configured:

'Failed to load users/passwords/role files'

To work around this issue, either stop JBoss before installing the Identity Reporting Module or restart JBoss after installing the Identity Reporting Module.

The request_date column is not populated during role assignments

When users assign roles, the request_date column in the idmrpt_idv_identity_trust table is not populated with data.

Removal of extended attributes is not reflected in the extended attributes table

If you remove an attribute that was added to the Data Collection Service driver filter policy, the attribute is not removed from the extended attributes tables (idmrpt_ext_attr, which tracks the attributes) and no data is removed from the idmrpt_ext_item_attr table.

The Calendar does not navigate to Today when the display option is set to 1 week

On Firefox, when the Display Options are set to show 1 week on the Calendar page, if you click on the Today button, you do not see today’s schedule. Instead, you see a day one week ahead of today. To see today’s schedule in the Calendar page, press the up-arrow to go back one week. This problem does not occur on Internet Explorer.

The clock must be set correctly before you run the EAS install

You need to make sure your clock is set to the correct time before you run the Event Auditing Service (EAS) install program. If the clock is not set correctly, EAS cannot capture events.

The heap size should be increased for reporting

The Identity Manager heap size should be increased to use a minimum of 128 MB and a maximum of 512 MB in order to support large data collection operations. If the heap size is not already within this range, you need to increase it. Refer to the Identity Manager documentation for information on how to increase the heap size.

The Reporting Module installation sometimes overwrites the logevent.conf file

The logevent.conf file is overwritten without prompting during the installation of the reporting module when all of the following are true:

  • A logevent.conf file already exists in /etc/.

  • EAS is installed on the same machine.

  • During the reporting installation, you replace the value localhost with the machine's actual IP address for the EAS server.

To work around this issue, manually update the /etc/logevent.conf file after the installation is complete.

The Reporting Module installation does not write the PostgreSQL JDBC JAR successfully when EAS is remote

If EAS is installed remotely and you want to test the connection to EAS during the Identity Reporting Module installation, the parent directory of your chosen install directory must exist prior to running the installation. Without an existing parent directory, the installation directory cannot be created in order to write the JDBC JAR file used for testing the connection. For example, if you are installing the Identity Reporting Module to /opt/novell/IdentityReporting, you need to ensure that the directory /opt/novell exists before beginning the installation.

Reporting requires an Internet connection

The Reporting WAR(s) require Internet access to hibernate.sourceforge.net. If this site cannot be accessed, you will see an error similar to the following when running reports:

ERROR [RPT]
[com.novell.idm.rpt.core.server.events.rptdriver.ColumnAttributeMap:loadMappings]
Unable to process mapping file: IdmrptIdvAcct.xml. This will prevent the
processing of DCS driver events for this object/table. Reason:
java.net.UnknownHostException:hibernate.sourceforge.net
java.net.UnknownHostException: hibernate.sourceforge.net

If you cannot allow your server to access the Internet, you can perform the following steps:

  1. Shut down the server where the User Application is running.

  2. Edit the following WAR file:

    Linux: /opt/novell/idm/rbpm/jboss/server/IDMProv/deploy/IDMRPT-CORE.war

    Windows: c:\novell\idm\rbpm\jboss\server\IDMProv\deploy\IDMRPT-CORE.war

  3. Open the WAR file with an archiving tool and extract this file to a test folder while maintaining the folder structure:

    /WEB-INF/classes/com/novell/idm/rpt/core/server/events/rptdriver/IdmrptIdvAcct.xml

    Open the IdmrptIdvAcct.xml file in a text editor and remove the following DOCTYPE tag:

    <!DOCTYPE hibernate-mapping PUBLIC
            "-//Hibernate/Hibernate Mapping DTD 3.0//EN"
            "http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
    

    Save the file.

  4. The next step requires a JDK. Please confirm that the correct JDK is installed on the machine for the application server being used before proceeding.

    NOTE: If you use any tool other than the jar command from a JDK, the WAR file can become corrupted. Do not use WinZip, WinRAR, or any other tool; only the jar command from a JDK can be used to re-archive the WAR.

  5. Run the jar command with no arguments and press Enter. If you do not see the usage message of Java's jar command, the jar command is not in your path.

    If jar is in your path, use the following command to re-archive the WAR:

    Linux: jar -uf IDMRPT-CORE.war WEB-INF/classes/com/novell/idm/rpt/core/server/events/rptdriver/IdmrptIdvAcct.xml

    Windows: jar -uf IDMRPT-CORE.war WEB-INF\classes\com\novell\idm\rpt\core\server\events\rptdriver\IdmrptIdvAcct.xml

    If jar is not in your path, you must include the path to jar in the command above.

  6. Deploy the modified WAR file.

    For JBoss, copy the modified WAR file and paste it into the deploy directory. When prompted, specify that you want to overwrite the existing file.

    For WebSphere and WebLogic, copy the modified WAR file and paste it into the directory that was created during the install. When prompted, specify that you want to overwrite the existing file. Then, deploy the WAR through the WebSphere or WebLogic Administration tool.

  7. Restart the application server.
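
The shell script below is an added example and not Novell's own tooling: it performs the DOCTYPE removal from steps 3 to 5 in a scriptable, repeatable way. The error above is the XML parser resolving the DOCTYPE's external DTD over the network, so the script deletes the whole declaration (which may span one or several lines, as in the listing above) and then checks that no reference to hibernate.sourceforge.net remains before the file goes back into the WAR with the JDK jar tool. It assumes the entry path and WAR locations the readme lists and that a JDK jar is on the PATH where update_war_entry is run; the mapping file in the demo is constructed and is not the shipped IdmrptIdvAcct.xml.

```shell
#!/bin/sh
# Added example (not from the Novell readme): strip the <!DOCTYPE ...>
# declaration from a Hibernate mapping file so no DTD is fetched from
# hibernate.sourceforge.net, verify it, and re-archive with the JDK jar tool.
# Assumptions: the entry path below is the readme's; "jar" (JDK) is on PATH
# on the machine where update_war_entry runs.

ENTRY=WEB-INF/classes/com/novell/idm/rpt/core/server/events/rptdriver/IdmrptIdvAcct.xml

# Remove every line from the one containing "<!DOCTYPE" up to and including
# the line that closes the declaration with ">" (handles single- and multi-line
# declarations). The file is rewritten in place, keeping its owner and mode.
strip_hibernate_doctype() {
    file=$1
    tmp=$(mktemp)
    awk '
        /<!DOCTYPE/ { skipping = 1 }           # start of the declaration
        skipping && />/ { skipping = 0; next } # closing line: drop it too
        skipping { next }                      # interior lines: drop
        { print }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# True (exit 0) if the file still points at the external DTD host.
references_external_dtd() {
    grep -q 'hibernate.sourceforge.net' "$1"
}

# Put ENTRY back into the WAR. Only the JDK jar tool is used, as the readme
# requires; $1 must be an absolute path because of the cd.
update_war_entry() {
    war=$1; workdir=$2
    ( cd "$workdir" && jar -uf "$war" "$ENTRY" )
}

# Stand-alone demo on a constructed mapping file (not the shipped one).
work=$(mktemp -d)
mkdir -p "$work/$(dirname "$ENTRY")"
cat > "$work/$ENTRY" <<'EOF'
<?xml version="1.0"?>
<!DOCTYPE hibernate-mapping PUBLIC
        "-//Hibernate/Hibernate Mapping DTD 3.0//EN"
        "http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
<hibernate-mapping>
  <class name="IdmrptIdvAcct" table="idmrpt_idv_acct"/>
</hibernate-mapping>
EOF
strip_hibernate_doctype "$work/$ENTRY"
if references_external_dtd "$work/$ENTRY"; then
    echo "DTD reference still present" >&2
else
    echo "DTD reference removed:"; cat "$work/$ENTRY"
fi
# Real run (after 'jar xf' of the WAR into $work, and with JBoss stopped):
# update_war_entry /opt/novell/idm/rbpm/jboss/server/IDMProv/deploy/IDMRPT-CORE.war "$work"
rm -rf "$work"
```

Removing the declaration also turns off DTD validation of that one mapping file; Hibernate still parses it, but a typo in the mapping will now surface at deployment rather than from the validator.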

EAS and Identity Reporting Module do not install correctly if there is a novell entry in /etc/passwd and /etc/group

On the Linux machine where EAS is installed, if the entry novell is in /etc/passwd and /etc/group before you run the install program, EAS will not install correctly. This can happen whether you are running the installers separately or using the Integrated Installer.

EAS needs to be able to create the entry novell in /etc/passwd and /etc/group as part of its installation. If the entry is already there, a conflict will occur and several problems will result:

  • Not all of the files needed for EAS will be installed.

  • In the terminal where the installer was launched, a prompt to supply the password for the dbauser will appear.

  • In the server0.0.log file for EAS, the following error will appear:

    SEVERE|Timer-2|esecurity.base.ccs.comp.dataobject.ConnectionManager.fetchConnection; 
    Exception FATAL: password authentication failed for user "appuser" -
    SQLState : 28000 - ErrorCode : 0; esecurity.base.exceptions.DBConnectException;
    Caused by FATAL: password authentication failed for user "appuser";
    org.postgresql.util.PSQLException;
    

    This in turn will cause the following error to appear in the RPT_Install.log:

    [com.novell.idm.install.rpt.ReceiveServerCerts] User did not accept
    Certificate. Error: [-5]
    

Steps are required to take advantage of DNContainer enhancement

Some additional steps are required to take advantage of an Identity Manager 4.0 DNContainer form field enhancement. This enhancement allows you to display the container description instead of the container O/OU name.

To take advantage of the DNContainer enhancement, you need to manually update the Designer install to add properties to the DNContainer control. Then, you need to create a DAL entity corresponding to the container for which you want to display an attribute. Finally, you need to use the form editor to choose the entity and attribute.

Here are the detailed steps you need to follow:

  1. Locate the following file in your Designer install:

    /opt/novell/idm/Designer/plugins/com.novell.core.scriptengineshell_4.0.0.*/lib/UIRegistry.jar

  2. Back it up first, then using a suitable jar/zip tool, modify the file within the jar:

    com\novell\srvprv\impl\uictrl\UIControlRegistry.xml

  3. Locate the <ctrl key="DNContainer" section and add the following properties at the end:

    <prop name="display-entitydef" type="string" since="1.9">
         <display-label rb-key="LAB_DIS_ENTITYDEF"/>
    </prop>
    <prop name="display-exp" type="expression" since="1.9">
          <display-label rb-key="LAB_DIS_EXPRESSION"/>
    </prop>
    
  4. Put this file back into the JAR in its original location and start Designer.

  5. In Designer, create a new DAL entry with an unused name, such as myDescriptionLookup.

  6. For the base class of this DAL entry, choose Organization, and pick the attribute you want to show (for example Description).

  7. Once the DAL editor is open, change the LDAP name of the class to Top. (This allows you to pick up the Description on Organizations, Organizational Units, and so forth.)

  8. To use the new DAL entry, open a PRD and go to a form. Add or pick a dn/DNContainer field.

  9. Fill in the two new fields (Entity key for DN expression lookup, Display expression) with the values specified above (myDescriptionLookup, Description).

  10. Deploy the new DAL entry and the PRD.

  11. On the User Application, clear the cache (or restart the server).

  12. Test the new PRD to ensure that the descriptions are shown instead of the cn in the DNContainer control.

    NOTE: Make sure the containers you are going to show have a Description value; otherwise the cn is used. By default, containers leave this value blank.

Conversion of certificate is not done for valid certificate

When adding an application in the reporting module, you may notice that a valid certificate is not properly converted. Here are steps that may cause this problem to occur:

  1. Login to the Identity Reporting Module with valid credentials.

  2. Navigate to the Applications page and click on the Add Application button.

  3. Fill in all the mandatory fields and browse for the certificate by checking the SSL check box and Test.

In this case, the certificate should be converted, but this does not occur. This problem has only been observed on WebSphere.

To work around this problem, copy and paste the content of the certificate into the text area on the form.

Internet Explorer displays a warning when accessing reporting in HTTPS

If you access the reporting module with an Internet Explorer browser in HTTPS, you will receive a pop-up message similar to the following:

Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.

If you select Yes, the login screen for the reporting module does not appear. You must select No. This happens because the download site for new reports supports only the HTTP protocol, so the link to that site is constructed with http:// and counts as mixed content on an HTTPS page. This behavior is not seen with Firefox.

Need to change the definition for the cat_item_type_id column in the idm_rpt_data.idmrpt_sod_violations_hist table

The definition of the cat_item_type_id column in the idm_rpt_data.idmrpt_sod_violations_hist table needs to be changed to allow nulls.

To allow nulls in the cat_item_type_id column, perform these steps:

  1. Launch pgAdminIII.

  2. Connect to the PostgreSQL database server in EAS as the dbauser.

  3. Press the plus sign + next to Databases.

  4. Select the SIEM Database.

  5. Press the plus sign + next to the SIEM Database.

  6. Press the plus sign + next to Schemas.

  7. Press the plus sign + next to idm_rpt_data.

  8. Press the plus sign + next to Tables.

  9. Press the plus sign + next to the idmrpt_sod_violations_hist table.

  10. Press the plus sign + next to Columns.

  11. Select cat_item_type_id.

  12. In the Properties Panel double click on Not Null?.

  13. Uncheck the checkbox next to Not Null.

  14. Press the OK button.
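
The following shell script is an added example, not Novell's own procedure: it makes the same change as the pgAdminIII steps above from the command line with psql, checks the column's current nullability in the catalog first so that re-running it is harmless, and reads the nullability back afterwards. It assumes the EAS PostgreSQL database is named SIEM, that the dbauser role may alter tables in the idm_rpt_data schema, and that psql's host and port defaults (or PGHOST/PGPORT) point at the EAS server; none of these names beyond the schema, table and column come from the readme.

```shell
#!/bin/sh
# Added example (not from the Novell readme): allow NULL in
# idm_rpt_data.idmrpt_sod_violations_hist.cat_item_type_id with psql instead of
# pgAdminIII. Assumptions: database "SIEM", role "dbauser" (as in the steps
# above); connection settings come from PGHOST/PGPORT/PGPASSWORD or .pgpass.

SCHEMA=idm_rpt_data
TABLE=idmrpt_sod_violations_hist
COLUMN=cat_item_type_id

# The DDL: dropping the NOT NULL constraint is exactly "unchecking Not Null?".
allow_null_sql() {
    echo "ALTER TABLE $1.$2 ALTER COLUMN $3 DROP NOT NULL;"
}

# Catalog query returning YES or NO for the column's nullability.
nullable_sql() {
    echo "SELECT is_nullable FROM information_schema.columns WHERE table_schema = '$1' AND table_name = '$2' AND column_name = '$3';"
}

# Run one statement as dbauser against SIEM. -v ON_ERROR_STOP=1 makes psql
# exit non-zero on SQL errors; -tA prints bare values without headers.
run_sql() {
    psql -v ON_ERROR_STOP=1 -tA -U dbauser -d SIEM -c "$1"
}

# Change the column only if it is still NOT NULL, then print the new state.
allow_null_in_sod_hist() {
    state=$(run_sql "$(nullable_sql "$SCHEMA" "$TABLE" "$COLUMN")")
    case "$state" in
        YES) echo "$SCHEMA.$TABLE.$COLUMN already allows NULL" ;;
        NO)  run_sql "$(allow_null_sql "$SCHEMA" "$TABLE" "$COLUMN")"
             echo "is_nullable now: $(run_sql "$(nullable_sql "$SCHEMA" "$TABLE" "$COLUMN")")" ;;
        *)   echo "column $SCHEMA.$TABLE.$COLUMN not found" >&2; return 1 ;;
    esac
}

# Stand-alone: show the statements that would run; pass "apply" to execute them.
allow_null_sql "$SCHEMA" "$TABLE" "$COLUMN"
nullable_sql "$SCHEMA" "$TABLE" "$COLUMN"
if [ "${1:-}" = apply ]; then
    allow_null_in_sod_hist
fi
```

Keep the dbauser credentials in a .pgpass file with mode 0600 or in PGPASSWORD for the session rather than on the command line, for the same reason as with nmasinst -w above.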

3.7 Roles Based Provisioning Module

You might encounter the following issues as you use the Roles Based Provisioning Module:

A misleading error message is displayed for the Copy function in the Detail portlet

In Firefox, if you attempt to copy text in the Detail portlet, a misleading error message is displayed.

The following steps cause this message to appear:

  1. Log in to the User application as administrator and go to the Administration tab.

  2. Click Portlet Admin > Detail Portlet in Portlet Applications.

  3. Click Preferences > View/Edit custom Preferences > continue.

  4. Click the HTML Layout edit icon and enter some sample text, such as “TEST”.

  5. Select the text and click the Copy icon.

If you follow these steps, you see the following error message:

“Exception... "Access to XPConnect service
denied"  code: "1011" nsresult: "0x805303f3
(NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED)"  location:
"http://172.16.1.99:8180/IDMProv/resource//portal-general/javascript/html_editor.js
Line: 531" ” when clicked on Copy button.

You might also see this message when performing cut and paste operations.

This is a known issue with Dojo and Firefox.

Session-level failover does not work with software dispatchers

Session-level failover does not function properly with software dispatchers. It works correctly with hardware dispatchers. Until further notice, the User Application supports only hardware dispatchers in a clustered environment.

Forms do not print correctly on Internet Explorer

You can add JavaScript to a workflow form to allow for printing. However, this technique does not produce expected results on Internet Explorer.

As described in the Designer documentation, you can add the following to the form onload event:

form.interceptAction("SubmitAction", "around",
    function (invocation) {
        var pf = new PrintForm("SubmitAction");
        pf.printFormInterceptor(invocation);
    });

This action works correctly for both Internet Explorer and Firefox. However, the printed form output is not formatted correctly on Internet Explorer, although it is formatted correctly on Firefox.

Firefox supports automatic resizing of pages. It takes the entire page as a vector and resizes it, but Internet Explorer just changes the styles internally. For this reason, only Firefox can be used to resize the page appropriately for printing.

To work around this problem on Internet Explorer, determine which of the following possible solutions works best for you:

  • You can press Alt+Print Screen in Internet Explorer to capture the content as it appears on the screen, and then print the capture.

  • You can use the reference below, which might work for the workflows but might not print the form exactly the way you want it to print. This is a quick fix to print the form.

    The reference looks like this:

    <link rel="stylesheet" type="text/css" href="print.css" media="print" />
    

    This can be added in the workflow forms (the Request_form, Approval_form, and so forth) under Scripts > URL/Inline Script. This improves the print formatting on Internet Explorer, but might not be totally correct.

  • You can create a CSS script specifically for each workflow that prints the output as you want it to appear. Each CSS script probably needs to be specific to a workflow and requires tweaking that could be time-consuming.

    The references look like this:

    document.writeln("<link rel=\"stylesheet\" type=\"text/css\" href=\"http://172.17.5.100:8280/externalFiles/css/jquery-ui-1.7.2.custom.css\">");
    

    This can be added in the workflow forms (Request_form, Approval_form, and so forth) under Scripts > URL/Inline Script.

  • You can create an external WAR file that stores all the CSS scripts and is referenced from the workflow. This allows changes to be made in one file rather than within each workflow.

    For example, with document.writeln("<link rel=\"stylesheet\" type=\"text/css\" href=\"http://172.17.5.100:8280/externalFiles/css/jquery-ui-1.7.2.custom.css\">");, you replace the href attribute with the link to your CSS script. You need to do it this way because the external script for a workflow form must be JavaScript, so an inline script is used to write the reference to the CSS. The inline scripts go into the Scripts area of the form and are executed when the form is first loaded. Put the scripts on all the forms (request forms and approval forms). This allows you to specify a style that works for the printer without changing the style for the viewable form. If the User Application is served over HTTPS, reference the CSS with an https:// URL as well; an http:// stylesheet in an HTTPS page is mixed content and triggers the same Internet Explorer warning described under the Identity Reporting Module issues.

RBPM reports have been deprecated

The Role Based Provisioning Module reports that were provided in previous releases of the product (available under Reports on the Roles and Resources tab) are being deprecated in this release. These reports will be removed in a future release.

Digital signatures are not supported

Support for digital signatures has been removed in this release.

Accessory portlets are not supported

Support for accessory portlets has been removed in this release.

New user with special characters cannot log in to the User Application

On WebSphere, if you create a new user with special characters in the name, this user cannot log in to the User Application. For example, if you create a user as /Test// from the Create Users and Groups page, an error page is displayed when the new user tries to log in to the application.

The JBossPostgreSQL installer might display a pop-up in silent mode on Windows

PostgreSQL requires several Microsoft VC++ libraries when running on Windows. If these libraries are not installed on the Windows server, then the PostgreSQL installer automatically installs them. When you run the JBossPostgreSQL installer in silent mode on Windows, a pop-up window appears for about 3 seconds while these libraries are being installed, if those libraries are not already installed on the machine.

At this time, the installer is not able to suppress this pop-up window on Windows.

Content for User Application Driver is missing trustees for Attestation Reports

If you redeploy the User Application Driver from Designer after running the integrated installer, the trustees for the Attestation Report provisioning request definitions are wiped out and no one can execute the report. The reason for this is that the trustees are added to the Attestation Report provisioning request definitions at User Application startup. Because Designer does not know about the trustees, an attempt to redeploy the User Application Driver from Designer removes the trustees. Therefore, you need to import these objects from eDirectory after User Application startup to synchronize the trustees.

The integrated installer is not handling RBPM error codes properly

In some situations, the integrated installer does not handle the Role Based Provisioning Module setup errors properly. This can happen when the Role Based Provisioning Module configuration fails because of a problem with the driver configuration process. In this case, the integrated installer configuration summary displays a message indicating that the Role Based Provisioning Module configuration passed, but the Role Based Provisioning Module configuration has setup errors.

Caching issue with newly removed assignments

If you create a role or resource assignment and then remove it, you see a message indicating that the assignment has been removed, but the assignment is still listed. If you refresh the page, the assignment is shown as removed. This is caused by a caching issue.

Entity names with a dash are not supported in a search within the Org Chart portlet

The search feature in the Org Chart portlet does not work if the Entity type being displayed has a dash (-) in its name. At this time, the product does not support Entities with dashes in their names.

Need to set NDSD_TRY_NMASLOGIN_FIRST to true on eDirectory

If you perform a default eDirectory installation and apply a password policy (one that has the email-password-to-user action) to an existing user, then log in as this user and perform a forgot-password procedure, you may see a message that says Universal Password is not set after answering the challenge response questions.

To fix this issue, perform these two steps:

  1. Add the following two lines to the pre_ndsd_start script located at /opt/novell/eDirectory/sbin (formerly in /etc/init.d):

    NDSD_TRY_NMASLOGIN_FIRST=true
    export NDSD_TRY_NMASLOGIN_FIRST
    

    This should be done on any server that may handle NMAS logins via LDAP.

  2. Restart eDirectory to apply the change.

For more information, see “How to Make Your Password Case-Sensitive”.

Novell does not provide support for the components installed by the JBossPostgreSQL utility

Novell provides the JBossPostgreSQL utility as a convenience. If your company does not already provide an application server and a database server, you can use the JBossPostgreSQL utility to install an Open Source version of these components. By running this utility, you can install these components without having to download them separately. If you need support, go to the third-party provider of the component. Novell does not provide updates for these components, or administration, configuration, or tuning information for these components, beyond what is outlined in the RBPM documentation.

srvprvUserPrefs attribute must be cleaned up manually

Values that are saved into the srvprvUserPrefs attribute are not fully removed when a user removes or changes their filters or customization entries.

The srvprvUserPrefs attribute is a single-valued, synchronize-immediately string attribute in eDirectory. It is limited to about 33,000 total characters. Once the attribute reaches the maximum size, users can no longer save filter and customization entries into it. To work around this issue, an Administrator needs to clean up the attribute manually with iManager or an LDAP browser.
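Because the attribute fills up silently, it is worth auditing its size before users hit the limit. The following is an added example, not part of this Readme: it parses an LDIF export of the user container (a constructed sample is embedded; in practice the output of an LDAP browser or ldapsearch) and reports every user whose srvprvUserPrefs value is approaching or past the 33,000-character limit.

```python
"""Audit srvprvUserPrefs sizes in an LDIF export of the Identity Vault.

Added example, not part of the Novell Readme. It parses an LDIF export
(constructed here; in practice the output of an LDAP browser or
ldapsearch) and reports users whose single-valued srvprvUserPrefs
attribute is approaching the roughly 33,000-character limit, so an
administrator can clean it up before users can no longer save filters.
"""
import base64

LIMIT = 33_000            # approximate maximum quoted in the Readme
ATTR = "srvprvUserPrefs"


def parse_ldif(text):
    """Minimal LDIF parser: unfolds continuation lines (leading space),
    decodes '::' base64 values and returns [(dn, {attr: [values]})]."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:            # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries


def audit_prefs(ldif_text, limit=LIMIT, warn_ratio=0.8):
    """Return [(dn, size, status)] for each entry carrying srvprvUserPrefs;
    status is "ok", "warning" (>= warn_ratio * limit) or "full" (>= limit)."""
    report = []
    for dn, attrs in parse_ldif(ldif_text):
        if ATTR not in attrs:
            continue
        size = len(attrs[ATTR][0])         # single-valued attribute
        if size >= limit:
            status = "full"
        elif size >= limit * warn_ratio:
            status = "warning"
        else:
            status = "ok"
        report.append((dn, size, status))
    return report


def fold(line, width=76):
    """Fold a long LDIF line the way exporters do (continuation lines
    start with one space); used only to build the constructed sample."""
    parts = [line[:width]]
    parts += [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n".join(parts)


# Constructed sample export: a small value, a 30,000-character folded value
# and a base64-encoded value that already exceeds the limit.
SAMPLE_LDIF = "\n".join([
    "version: 1",
    "dn: cn=alice,ou=users,o=novell",
    "objectClass: inetOrgPerson",
    "srvprvUserPrefs: <filters><filter name='mine'/></filters>",
    "",
    "dn: cn=bob,ou=users,o=novell",
    fold("srvprvUserPrefs: " + "x" * 30_000),
    "",
    "dn: cn=carol,ou=users,o=novell",
    "srvprvUserPrefs:: " + base64.b64encode(("y" * 33_100).encode()).decode(),
    "",
])

if __name__ == "__main__":
    for dn, size, status in audit_prefs(SAMPLE_LDIF):
        print(f"{status:8} {size:6} {dn}")
```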

Need to manually enter a four-digit year when using a year past 2030

When using the Effective or Expiration dates for a role assignment in the User Application, you need to manually enter the date if the year you want to use is after 2030. For example, if you want to set the Effective Date for a role to be assigned on January 01, 2031, the Calendar picker will display it as 1/1/31. If you leave this as is, the role will be immediately assigned. You must make the year a four-digit year if the year is greater than 2030. For this example, you would need to use 1/1/2031.

A resource might be removed unexpectedly when an associated role is removed

If a user has been assigned to multiple roles, and these roles are associated with a resource that is dynamically bound (meaning that the value for the entitlement is set at assignment time), the user may lose all of the resource assignments for these roles if only one of the roles is removed. This will only happen if the option Allow user to request multiple assignments by selecting more than one value (which maps to nrfAllowMulti) is not selected when mapping the entitlement to a resource.

For example, suppose you have a resource that is dynamically bound to an entitlement, and the resource is mapped to two different roles, and the option Allow user to request multiple assignments by selecting more than one value is not set for the resource. In this case, if a user has been assigned to both roles, and later is removed from one of the roles, the user will lose both resources. This behavior occurs because the option Allow user to request multiple assignments by selecting more than one value was not selected when the entitlement was mapped to the resource.

3.8 iManager

You might encounter the following issues as you use iManager:

Internet Explorer 7 prompts continually for access to the Clipboard

When you are using iManager, particularly the Policy Builder, Internet Explorer 7 continually prompts you for access to the Clipboard. To disable prompting:

  1. Click Tools > Internet Options.

  2. Click the Security tab, then click Custom Level.

  3. Click Scripting > Allow programmatic clipboard access, then select Enable.

    After you restart Internet Explorer, the prompting stops.

iManager plug-in dependency for the NDS-to-NDS Driver Certificates Wizard

If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Novell Certificate Server.

3.9 Identity Manager Plug-ins

You might encounter the following issues as you use the Identity Manager plug-ins:

On SLES 11, the Identity Manager 4.0 Plug-Ins selected during the Identity Manager 4.0 framework installation do not appear in iManager

The Identity Manager 4.0 plug-ins do not appear in iManager.

To work around this issue, do one of the following:

  • Use iManager from another host connecting to your tree.

  • Install iManager by using the integrated installer to install the Identity Manager 4.0 plug-ins.

The updated version of the Identity Manager plug-ins is available on the Novell download Web site.

Identity Manager 4.0 plug-ins are not installed when the Metadirectory is selected

If you select Metadirectory Server and Identity Manager plug-ins in one operation from the Select Component page of the installation, the Identity Manager plug-ins are not installed. No errors are reported in the log file.

To work around the issue, select the Identity Manager plug-ins separately and not with the Metadirectory server.

Identity Manager 4.0 plug-in performance

If your Identity Manager system has multiple replicas of the Identity Vault and the replicas are frequently updated, the operations performed on the Identity Vault are delayed. This is more evident during the driver creation process, when a large number of objects is added to the Identity Vault. The delay increases with the addition of Identity Vault replicas.

3.10 Analyzer

The following issues exist in the Analyzer 1.2 environment:

Analyzer fails to start after being installed through the integrated installer

To start the Analyzer, perform the following steps to change the XULRunner mapping:

  1. As the root user, navigate to the /opt/novell/idm/Analyzer folder.

  2. Open the Analyzer.ini file in the gedit editor.

  3. Add the following line at the end of the list of the parameters given in the Analyzer.ini file:

    -Dorg.eclipse.swt.browser.XULRunnerPath=/usr/lib/xulrunner-1.9/
    

    The Analyzer.ini file should read as follows:

    -vmargs
    -Xms256m
    -Xmx1024m
    -XX:MaxPermSize=128m
    -XX:+UseParallelGC
    -XX:ParallelGCThreads=20
    -XX:+UseParallelOldGC
    -Dorg.eclipse.swt.browser.XULRunnerPath=/usr/lib/xulrunner-1.9/
    
  4. Save the file and close it.

Avoiding projects created with pre-release versions of Analyzer

Over the course of its development, Analyzer has gone through some significant architectural and model changes. Because of this, projects created with pre-release versions of Analyzer might not work properly with the released Analyzer.

To avoid difficulty, specify a new workspace for the released Analyzer and do not mix old projects with new projects. When you use the internal Analyzer database, this ensures that you are not mixing pre-release data tables and formats with the released Analyzer data tables.

If you use an external MySQL database as your Analyzer database, clean out any pre-release data before using it with the released Analyzer. To do this, use your preferred database management tool to delete the following database tables before starting the released Analyzer for the first time:

  • DSTable_ver where ver is a version number

  • AnalysisTable_ver where ver is a version number

  • All tables with an enf_ prefix

Alternatively, you can create a new MySQL database for use with the released Analyzer.

Data browser issues

Please note the following issues when using the Data Browser:

Limit Attributes in Data Set Definition: Novell recommends restricting data set definitions to fewer than 10 attributes for optimal Data Browser performance. Creating data set definitions with more than 10 attributes causes the Data Browser performance to deteriorate significantly.

Painting Issues: When you return from the Multi-Value Edit dialog box to a cell with multiple values, Analyzer does not repaint the table cursor correctly.

To correct the display, move to another cell with a click or an arrow key, then move back to the original cell.

Sorting Issues: Integer columns sort as strings instead of integers. For example, 100 sorts before 90. Also, sorting is case sensitive. For example, “Bob” sorts before “andy”.

Empty Column in Flat File Data Import: The Source-DN field is always empty in a data set instance imported from a flat file. You can ignore it.

Analyzer does not start after installing on Windows Vista

Windows Vista has implemented a new User Account Control feature that prevents applications from running as Administrator unless you specifically allow it.

To run Analyzer in Vista, right-click the Analyzer shortcut and choose the option to Run as Administrator. You can also choose to disable User Account Control.

Analyzer database does not initialize after restart

If you quickly stop and restart Analyzer, the Analyzer Database might not reinitialize properly. To avoid this problem, wait approximately thirty seconds before restarting Analyzer.

If Analyzer starts and the Analyzer Database is not initialized correctly, select Refresh View in the Project View to reinitialize the database.

Using a MySQL external database with Analyzer

Analyzer allows you to change its internal database from the default HSQLDB to a MySQL database. You can configure database settings in Window > Preferences > Analyzer > Database Settings. When you use an external MySQL database, be aware of the following issue:

Extended and Double-Byte Characters: The MySQL database uses the default character set from the operating system for encoding table fields. If an extended or double-byte character is not recognized by the default character set, Analyzer displays ??? in the Data Browser. To avoid this, set the operating system’s default character set to UTF-8, or to a character set that includes all the extended or double-byte characters that Analyzer might import.

SAP User driver requires additional files

To use the SAP user driver, you must install the sapjco.jar library in Analyzer, and install the librfc32.dll and sapjcorfc.dll into the Windows %systemroot% folder (typically C:\windows\system32).

Restart Analyzer after installing these files.

DB2 driver requires additional libraries

The Analyzer DB2 driver requires the following two libraries to function properly. You can download these libraries from IBM.

  • db2java.zip

  • db2jcc.jar

Warning about modifying data

Analyzer does not prevent users from modifying anything in a data set. If a user with appropriate rights to the source application modifies a value, for example a GUID or DN, Analyzer does not attempt to determine if the modification causes a problem when written out to the source application.

To avoid causing unintended problems in the source application, users should be careful when modifying data and sending those modifications to the source application.

Errors when sending updated data to an application

When you attempt to push updated data to the source application from Analyzer’s Data Browser (by clicking Save to Application), you might get an error indicating there was a problem with the update operation. However, the Data Browser’s modified data indicators in the data table change to indicate that the updates were successful.

If this occurs, the data updates might have been unsuccessful. Re-import the data from the source application to make sure you know the true state of the data before making any other data modifications.

Problems with the update operation occur primarily when adding a value to a multi-valued attribute.

IDS trace level

The IDS Trace view consumes significant resources. You should only open the IDS Trace view when you need the information.

The IDS Trace level is set to 3 by default in order to track connection problems and errors. This trace level can cause performance issues with data browsing. You can modify this setting by clicking the Preferences button in the IDS Trace view.

Importing does not return data from the application

The following issues can prevent Analyzer from displaying data set content in the Data Browser view:

SQL reserved word used as a column name

Analyzer 1.2 does not support SQL reserved words as column names for data sets (for example, group or select). If a column name is an SQL reserved word, no data displays in the Data Browser view. To avoid this, exclude the column (attribute) with a reserved-word name from the data set.

Subscriber is disabled for the selected connection

By default, Analyzer’s Subscriber channel is enabled so that you can perform data set queries. However, if a connection profile was synchronized from Designer with the Subscriber channel disabled, it remains disabled for Analyzer. If your data sets do not have any data, confirm that the connection profile’s Subscriber channel is enabled in Analyzer.

To do this, right-click the desired connection profile, then select Properties. In the connection profile properties, select IDS Configuration > Parameters > Subscriber Options. Make sure that Disable subscriber is set to No (default).

Back button does not work in the configuration wizard

The Back button in the Configuration Wizard dialog boxes is not functional. If you need to make a change to the connection profile on which you are working, either cancel the wizard and start over, or finish configuring the connection profile and make the change in the connection properties.

Analysis does not consider the class name

Analyzer performs its data analysis solely based on the attribute name, and does not take the class name into account. Therefore, if you map attributes from different classes to the same application attribute, the analysis tests only the first mapped attribute it encounters. For example, in the following schema map, Analyzer tests only the name attribute mapped to the Group class, and ignores the mapping in the User class.

Class = Group
  |___ Attribute = gname ---> name
Class = User
  |___ Attribute = uname ---> name

This issue might also exist with the preconfigured schema maps that Analyzer includes with its drivers. The mappings might be correct to the attribute name, but not the class name.

Deleting multiple projects generates exceptions

If you delete multiple Analyzer projects simultaneously, the error log might record several exception messages. These messages are benign and do not indicate any problem with Analyzer or with the delete operation.

Some characters cause problems with pattern frequency analysis

The Pattern Frequency analysis metric does not work properly with data that includes the following characters. If you attempt to do a pattern frequency analysis on a data set that has values that contain any of these characters, the analysis fails and returns an empty result.

Character   Description
+           Plus (addition) symbol
*           Asterisk
.           Period
'           Apostrophe
?           Question mark
|           Pipe symbol
\           Backslash symbol
( )         Left or right parentheses
[ ]         Left or right bracket
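Since the analysis fails outright rather than skipping the offending values, a quick scan of the data set before running the metric saves a wasted run. The following is an added example, not Analyzer's own code: it reads a CSV export (a constructed sample is embedded) and reports which columns contain any of the characters listed above, so those attributes can be left out of the data set definition.

```python
"""Pre-check data set values for characters that break Analyzer's Pattern
Frequency metric. Added example, not from the Readme or Analyzer; it reads
a constructed CSV export and reports which columns contain any of the
listed characters, so they can be excluded before the analysis is run."""
import csv
import io

# The characters the Readme lists as unsupported by Pattern Frequency analysis.
UNSUPPORTED = set("+*.'?|\\()[]")


def find_unsupported(rows, columns=None):
    """rows: iterable of dicts (one per record); columns: optional subset.
    Returns {column: sorted list of unsupported characters found}, listing
    only the columns on which the analysis would fail."""
    hits = {}
    for row in rows:
        for col, value in row.items():
            if columns is not None and col not in columns:
                continue
            if value is None:
                continue
            bad = UNSUPPORTED.intersection(str(value))   # set of offending chars
            if bad:
                hits.setdefault(col, set()).update(bad)
    return {col: sorted(chars) for col, chars in hits.items()}


def safe_columns(rows, columns):
    """The subset of `columns` that can be analysed without modification."""
    hits = find_unsupported(rows, columns)
    return [c for c in columns if c not in hits]


def load_rows(csv_text):
    """Parse a CSV export (header row first) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


# Constructed sample data set; the mail column alone is enough to fail the metric.
SAMPLE_CSV = """\
cn,telephoneNumber,mail,description
alice,+1 555 0100,alice@example.com,Sales (EMEA)
bob,555-0101,bob@example.com,Engineering
carol,555-0102,carol@example.com,O'Brien's team
"""

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for col, chars in find_unsupported(rows).items():
        print(f"{col}: contains {' '.join(chars)}")
    print("analysable as-is:", safe_columns(rows, list(rows[0])))
```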

Apostrophe in a value causes a problem with saving to an application

If you modify a data value in a data set instance so that it includes an apostrophe ('), Analyzer generates a Java exception error when attempting to save the changes back to the application. This occurs when using either the HSQL database or an external MySQL database for Analyzer.

Unable to import connections from Designer

If connections do not import properly from Designer, the likely problem is that the server configuration associated with the driver set in Designer is incorrect or incomplete. For example, when you create a new driver set in Designer, the default server DN is server.context. If you attempt to import connection information that includes invalid information like this, the import fails.

Before importing connection information from Designer, make sure that the server information is valid.

Errors when printing reports

On Linux systems with CUPS printers, the JasperReports framework is unable to print reports directly from the Report Viewer. However, you can save the report as a PDF file, then print it from a PDF reader.

Unable to cancel large data operations

When you import a large data set instance or run an SQL query on a large data set instance, clicking Cancel in the progress dialog box does not work. To cancel the operation, you can either let the operation complete or shut down and restart Analyzer.

Connection wizard help pages

The Connection Wizard uses some dynamic help pages from which Designer is unable to properly reference the Analyzer help pages. Because of this, when you click the Help button you get general Eclipse help rather than dialog-specific help for the Connection Wizard.

The first three pages and the final Summary page in the Connection Wizard are static pages that properly display the Analyzer help. Use the help from these pages to get all the help information for the Connection Wizard.

Matching analysis does not exclude deleted values

If you have deleted values in the Data Browser that have not been updated to the application, the deleted values are still considered when running a Matching Analysis.

Application schema import fails

The Identity Vault schema does not support multiple classes with the same name. Some application schemas, such as Notes, do support duplicate class names. If you want to import an application schema that includes duplicate class names, you should first consolidate the duplicate class names into a single class that contains the attributes from all duplicate classes.

If you cannot resolve the duplicate classes in the application schema, you can manually resolve the duplicate class names in Analyzer by doing the following:

WARNING: This procedure is not recommended and can cause inconsistencies in the Identity Vault schema. It should only be used if absolutely necessary.

  1. Open the IDS Trace view (Window > Show View > IDS Trace).

  2. In the Project view, right-click the appropriate connection, then select Refresh Schema.

    This captures the application schema in the IDS Trace. If the IDS Trace does not capture the entire schema, increase the IDS Trace window size by clicking the Preferences icon, then increasing the Maximum lines to retain setting.

  3. Open the Navigator view (Window > Show View > Navigator).

  4. In the Navigator view, expand the appropriate project, then browse to Model > Analyzer.

  5. Double-click the appropriate schema file (*ShimConfig.xml) to open it in an XML editor.

    If there are multiple shim config files, you can identify the application associated with each file by opening the file and looking at the contents of the <class-name>, <auth-id>, and <auth-context> tags.

  6. In the XML editor, search for the following elements. If they do not exist, add them to the schema immediately above the closing </shim-config> tag.

    <app-schema-def>
       <schema-def>
    ...
       </schema-def>
    </app-schema-def>
    
  7. In IDS Trace, locate the <NDS> tag, then paste the contents of the <NDS> tag into the <schema-def> tag in the *ShimConfig.xml file.

    Make sure you do not include the <NDS> as part of what you copy and paste into the *ShimConfig.xml.

  8. Search for any duplicate <ClassDef> elements in the schema definition and consolidate all attribute definitions <attr-def> under a single <ClassDef> element.

  9. Save the changes to the schema file (Ctrl+S), then restart Analyzer.
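Step 8 is the error-prone part when a schema has many duplicate classes. The following is an added example, not Analyzer's own code, that performs that consolidation on a *ShimConfig.xml file: every repeated class definition is folded into its first occurrence and the attribute definitions are merged without duplicates. It assumes the class element is named ClassDef with a class-name attribute and each attribute definition is an attr-def element with an attr-name attribute (the keyword parameters let you adjust this), and it runs here against a constructed sample rather than a real file.

```python
"""Consolidate duplicate class definitions in an Analyzer *ShimConfig.xml
schema definition (step 8 above). Added example, not Analyzer's own code.
Assumed layout: the class element is <ClassDef> carrying a class-name
attribute, and each attribute definition is an <attr-def> child carrying
an attr-name attribute; adjust the keyword parameters if your file differs."""
import xml.etree.ElementTree as ET


def consolidate_classes(xml_text, class_tag="ClassDef", class_key="class-name",
                        attr_tag="attr-def", attr_key="attr-name"):
    """Merge every repeated class into its first occurrence, copying over the
    attribute definitions the first occurrence lacks (duplicates by name are
    dropped). Returns (new_xml_text, {class name: duplicates removed})."""
    root = ET.fromstring(xml_text)
    schema = root.find(".//schema-def")
    if schema is None:
        raise ValueError("no <schema-def> element in the shim config")
    first, merged = {}, {}
    for cls in list(schema.findall(class_tag)):      # copy: schema is mutated below
        name = cls.get(class_key)
        if name not in first:
            first[name] = cls
            continue
        keep = first[name]
        have = {a.get(attr_key) for a in keep.findall(attr_tag)}
        for attr in cls.findall(attr_tag):
            if attr.get(attr_key) not in have:
                keep.append(attr)
                have.add(attr.get(attr_key))
        schema.remove(cls)
        merged[name] = merged.get(name, 0) + 1
    return ET.tostring(root, encoding="unicode"), merged


def class_attrs(xml_text, class_tag="ClassDef", class_key="class-name",
                attr_tag="attr-def", attr_key="attr-name"):
    """{class name: [attribute names in document order]} across all
    occurrences of the class; handy for checking a file before and after."""
    result = {}
    for cls in ET.fromstring(xml_text).iter(class_tag):
        result.setdefault(cls.get(class_key), []).extend(
            a.get(attr_key) for a in cls.findall(attr_tag))
    return result


def consolidate_file(path):
    """Rewrite the shim config in place; returns the merge summary."""
    with open(path, encoding="utf-8") as fh:
        new_text, merged = consolidate_classes(fh.read())
    if merged:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return merged


# Constructed sample: "Person" is defined twice, as a Notes-style schema might be.
SAMPLE = """<shim-config>
  <app-schema-def>
    <schema-def>
      <ClassDef class-name="Person">
        <attr-def attr-name="FirstName"/>
        <attr-def attr-name="LastName"/>
      </ClassDef>
      <ClassDef class-name="Group">
        <attr-def attr-name="Members"/>
      </ClassDef>
      <ClassDef class-name="Person">
        <attr-def attr-name="LastName"/>
        <attr-def attr-name="MailAddress"/>
      </ClassDef>
    </schema-def>
  </app-schema-def>
</shim-config>
"""

if __name__ == "__main__":
    new_text, merged = consolidate_classes(SAMPLE)
    print("merged:", merged)
    print(class_attrs(new_text))
```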

Matching is case sensitive when using HSQL

If you are using HSQL as the back end database for Analyzer, matching is case sensitive. If you are using MySQL, the back end database is case insensitive.

Analyzer crashes on Windows if CM Synergy is installed

When Analyzer is installed on Windows and you have CM Synergy installed, browsing for files causes Analyzer to shut down. You cannot have CM Synergy and Analyzer installed on the same machine.

The CM Synergy install overwrites one of the Windows native libraries that Analyzer uses.

JVM crashes when launching Analyzer, the Welcome Page, or opening Help on 64-bit Linux

If the 32-bit version of XULRunner is installed on a 64-bit Linux distribution, the JVM might crash when you launch Analyzer, when the Welcome Page displays, or when you view a Help topic. To resolve this problem:

  1. Open the Analyzer.ini file located in the Analyzer install directory.

  2. Add the following line to the end of the Analyzer.ini file:

    -Dorg.eclipse.swt.browser.XULRunnerPath=/usr/lib/xulrunner-1.9/

  3. Save the Analyzer.ini file and launch Analyzer.
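The pre_ndsd_start edit (the NDSD_TRY_NMASLOGIN_FIRST lines) and the Analyzer.ini edit (the XULRunnerPath line, in both Analyzer procedures) are the same operation: append a setting only if it is not already in effect. The following is an added example, not from this Readme, of a small helper that does this idempotently and ignores commented-out copies; it is demonstrated on constructed temporary copies of the two files rather than the real ones.

```python
"""Idempotently append required settings to a configuration file. Added
example, not part of the Readme. It serves the file edits the Readme
describes: the NDSD_TRY_NMASLOGIN_FIRST lines in pre_ndsd_start and the
XULRunnerPath line in Analyzer.ini. Lines already present (ignoring
surrounding whitespace) are not duplicated; commented-out copies do not count."""
import os
import tempfile

NDSD_LINES = ["NDSD_TRY_NMASLOGIN_FIRST=true", "export NDSD_TRY_NMASLOGIN_FIRST"]
XULRUNNER_LINE = "-Dorg.eclipse.swt.browser.XULRunnerPath=/usr/lib/xulrunner-1.9/"


def active_lines(text):
    """Non-comment, non-blank lines with surrounding whitespace removed."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def ensure_lines(path, lines):
    """Append each of `lines` not already active in `path`, in order.
    Returns the list of lines added; touches the file only when needed."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""
    present = set(active_lines(text))
    missing = [l for l in lines if l not in present]
    if missing:
        with open(path, "a", encoding="utf-8") as fh:
            if text and not text.endswith("\n"):
                fh.write("\n")            # never glue onto an unterminated last line
            fh.write("\n".join(missing) + "\n")
    return missing


def demo():
    """Apply both edits to constructed temporary copies of the two files and
    report what each call added; a second call must add nothing."""
    tmp = tempfile.mkdtemp()
    ini = os.path.join(tmp, "Analyzer.ini")
    with open(ini, "w", encoding="utf-8") as fh:
        fh.write("-vmargs\n-Xms256m\n-Xmx1024m\n")
    start = os.path.join(tmp, "pre_ndsd_start")
    with open(start, "w", encoding="utf-8") as fh:
        fh.write("#!/bin/sh\n#NDSD_TRY_NMASLOGIN_FIRST=true\n")   # commented out: not active
    result = {
        "ini_first": ensure_lines(ini, [XULRUNNER_LINE]),
        "ini_second": ensure_lines(ini, [XULRUNNER_LINE]),
        "ndsd_first": ensure_lines(start, NDSD_LINES),
        "ndsd_second": ensure_lines(start, NDSD_LINES),
    }
    with open(start, encoding="utf-8") as fh:
        result["ndsd_active"] = active_lines(fh.read())
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```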

3.11 Identity Manager 4.0 Framework Uninstallation

You might encounter the following issues during uninstallation of the Identity Manager Metadirectory engine and drivers.

Identity Manager 4.0 framework uninstallation does not remove DXMLnotes.pkg on Solaris 10

On Windows, Identity Manager 4.0 framework uninstallation log files are not created under the Uninstall folder

The uninstall log files are created in the temp directory.

On Windows, the Metadirectory server uninstallation does not remove the lib directory

The jar files that reside in the lib directory are not removed.

The uninstaller uninstalls other installed components.

3.12 Identity Manager 4.0 Integrated Uninstallation

Windows might reboot after an integrated installer uninstalls

The installer detects if a reboot is needed during the uninstallation. It displays a warning in the GUI mode. In silent mode, it might reboot.

On Windows, the Identity Vault uninstallation hangs in silent mode

The Identity Vault uninstallation hangs when you run the nds-uninstall command.

To successfully uninstall the Identity Vault:

  1. Stop the DHost from the Task Manager.

  2. Start the NDS service.

  3. Start the uninstallation program.

The integrated uninstaller does not remove JBoss and PostgreSQL

For more information on uninstalling Roles Based Provisioning Module, refer to the Identity Manager Roles Based Provisioning Module 4.0 User Application: Installation Guide.

On Windows, the integrated uninstaller does not completely clean the installation folder

The following command might fail with an exit value of 1.

cmd /c copy "C:\Users\Administrator\AppData\Local\Temp\2\I1285831815\Windows\resource\jre\..\iawin64_x64.dll" "C:\Program Files (x86)\Novell\Identity Manager\Uninstall_Roles_Based_Provisioning_Module_for_Novell_Identity_Manager\resource\iawin64_x64.dll"

The uninstaller does not remove the <Install> and the <system drive>\Novell\conf folders.

To work around this issue, manually remove these folders.

4.0 Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

For Novell trademarks, see the Novell Trademark and Service Mark list.

All third-party trademarks are the property of their respective owners.

Third-Party License Information for Analyzer

The following sections discuss the third-party license information about Analyzer.

Analyzer includes software developed by IBM Corp. using the Eclipse platform (all rights reserved) and the Apache Software Foundation. Novell is an Eclipse Foundation Member.

HSQLDB License

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE HYPERSONIC SQL GROUP, OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Hypersonic SQL Group.

Jython License

Copyright © 2006, Sun Microsystems, Inc.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  • Neither the name of the Sun Microsystems, Inc. nor the names of contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.