This document contains the known issues for Novell Identity Manager 4.0.
The latest version of this Readme is available at the Novell Identity Manager documentation Web site.
This Readme contains the known issues for Identity Manager version 4.0. In addition to this Readme, separate Readmes are available for Designer 4.0 and Designer 3.5:
Additional documentation resources are also available for the following products:
The following sections provide information on known issues at the time of the product release.
You might encounter the following issues during the installation of the Identity Manager framework installer:
When you upgrade from an earlier version of Identity Manager on the Windows platform, you should use the same Administrator account that was used to install eDirectory. For example, if a domain Administrator account was used to install eDirectory, use the domain Administrator account again when installing Identity Manager. Do not use a local Administrator account.
If you do not use the same Administrator account, users’ answers for their Challenge Response questions are no longer accessible. This occurs because the tree key is re-created during the installation (because of the different Administrator accounts) and the new tree key does not provide the correct access to the stored answers. Users are prompted for new Challenge Response answers when they log in.
Identity Manager upgrade does not completely replace the older packages in the system. Having older packages in the system does not break functionality.
You can contact Novell technical support before attempting to remove these packages.
You cannot install the Linux/UNIX Bidirectional driver in a Solaris zone that contains a read-only/usr partition. If you select the driver for installation, the Identity Manager 4.0 framework installer reports an error.
On Linux, the Platform Agent is not upgraded when Identity Manager is upgraded by using the framework installer. On Windows and Solaris, the Platform Agent is automatically upgraded.
To work around this issue, manually install the Platform Agent RPM on Linux platforms.
NOTE:This issue is also observed when you upgrade through the integrated installer.
During the Identity Manager installation, if you return to the Installation Location page from the subsequent page, the Restore Default button does not work as expected.
Only 32-bit Identity Manager is installed.
You might encounter the following issues when you use the Identity Manager integrated installer:
The Identity Manager upgrade is not supported on Windows.
Use the individual component installers and follow the onscreen instructions to complete the Identity Manager upgrade on Windows. For more information on Identity Manager upgrade on Windows, refer to the Performing an Upgrade in the Identity Manager 4.0 Framework Installation Guide.
You cannot use UNC paths to install and configure when you use Identity Manager 4.0 integrated installer (for example: \\myserver\share\Identity_Manager_4.0_Windows_Enterprise).
To work around this issue, create an actual mapped drive.
During Identity Manager installation, specify an eDirectory admin password that does not contain the "$" special character twice.
For example, the schema extension fails if you specify the following as the eDirectory password:
n0v3$$
n^!123$$
Any string that has a single instance of the "$" special character works with any other combination. For example, the following string is appropriate:
n0v3ll$
NOTE:This issue does not occur if you install through the framework installer.
On Linux, the Platform Agent is not upgraded when Identity Manager is upgraded by using the integrated installer. On Windows and Solaris, the Platform Agent is automatically upgraded.
To work around this issue, manually install the Platform Agent RPM on Linux platforms.
NOTE:This issue is also observed with the framework installer.
The Identity Manager installation fails with an error message. Because the remote desktop connection is delayed in comparison to the actual/physical access, the install process fails to acquire the local referrals, resulting in a failed installation.
To work around this issue, install Identity Manager on an actual/physical connection of the server or by using the VNC connection.
The logevent.cfg is modified on both Windows and Linux platforms when either the Roles Based Provisioning Module or the Identity Reporting Module is configured. If the Roles Based Provisioning Module or the Identity Reporting Module is not configured, use the individual installers to enable the auditing of eDirectory, Identity Manager, and the Role Mapping Administrator. For more information, see Setting Up Logging in the Identity Manager Roles Based Provisioning Module 4.0 User Application: Administration Guide.
If you install Metadirectory before installing Remote Loader, the Install Complete page incorrectly displays that Metadirectory is not properly installed.
However, the Metadirectory is properly installed and works fine.
It is safe to ignore the message.
If Identity Vault is installed and configured by using the integrated installer, the Novell Client or User Application cannot authenticate to eDirectory because Challenge Response methods are not installed.
To work around this issue, after configuring the Identity Vault, install the Challenge Response methods on Linux and Solaris platforms by using the following command:
nmasinst -addmethod <admin.context> <treename> <iso>/products/eDirectory/x86/nmas/NmasMethods/Novell/ChallengeResponse/config.txt [-h hostname[:port]] [-w password]
For a 64-bit Linux platform, use the following command:
nmasinst -addmethod <admin.context> <treename> <iso>/products/eDirectory/x64/nmas/NmasMethods/Novell/ChallengeResponse/config.txt [-h hostname[:port]] [-w password]
For more information on installing NMAS methods, refer to the NMAS 3.3.3 Administration Guide.
You might encounter the following issues as you use the Remote Loader:
On Windows Server 2008 Core, when you click in the Remote Loader console, the corresponding help page is not displayed.
To work around this issue, install a browser (for example, Internet Explorer) on your machine and click in the Remote Loader console.
You might encounter the following issues as you use Identity Manager:
When you start Identity Manager 4.0 on Solaris 10, you might sporadically encounter an unsatisfied link error.
To work around this issue, go to /opt/novell/eDirectory/lib/ and manually delete the following zero-size files:
libjclnt.so
libjclnt.so.0
The issue is observed only on virtual machines.
To work around this issue:
Restart eDirectory.
Reduce the JVM minimum heap size if the failure repeats.
Restart eDirectory.
You might encounter the following issues as you use the Identity Manager drivers:
This issue has been reported only on MySQL. The upgrade operation fails when you upgrade the JDBC driver from a version earlier than 3.5.1 to version 3.5.1 or later.
The operation fails because of one of the following reasons:
The driver cannot read the metadata of tables by using the mysql-connector-java-3.1.11-bin.jar driver classes.
You cannot get the information from the state files because the serialVersionUID of the class JDBMKeyComparator has changed after the upgrade.
To work around this issue, use one of the following actions, which are based on the reasons for the upgrade failure:
Upgrade the third-party driver class from mysql-connector-java-3.1.11-bin.jar to mysql-connector-java-5.1.6-bin.jar.
Delete the state files and restart the driver.
At times, you cannot select drop-down options when creating or configuring a driver. To work around this issue:
Click the drop-down menu and continue to hold the left mouse button until the desired option is highlighted.
Release the left mouse button to select the option.
You might encounter the following issues as you use the Identity Reporting Module:
If you try to run a report (for example, Novell-Identity-Manager_Role-Assignments-by-Role_6.1r2), you might see the following error in the details:
An error was detected while running report 'Novell-Identity-Manager_Role-Assignments-by-Role_6.1r2': Could not initialize class net.sf.jasperreports.engine.util.JRStyledTextParser
To resolve this problem, you need to enable the headless option in the startup script for JBoss, as outlined below:
Stop JBoss by specifying the following command:
/etc/init.d/jboss_init stop
Open the start-jboss.sh file in /opt/novell/idm/rbpm/UserApplication.
In the JAVA_OPTS section, add the following entry:
-Djava.awt.headless=true
It now appears as:
JAVA_OPTS="-server -Xms512m -Xmx512m -XX:MaxPermSize=256m -Djava.awt.headless=true " export JAVA_OPTS
Save the file and exit.
Restart JBoss:
/etc/init.d/jboss_init start
To access the end points of a connected system, specify the correct IP address of the machine on which the integrated installer is installed in the section of the Managed System Gateway driver.
The integrated installer displays the following error if Identity Reporting Module and the Roles Based Provisioning Module are separately configured:
'Failed to load users/passwords/role files'
To work around this issue, either stop JBoss before installing the Identity Reporting Module or restart JBoss after installing the Identity Reporting Module.
When users assign roles, the request_date column in the idmrpt_idv_identity_trust table is not being populated with data.
If you remove an attribute that was added to the Data Collection Service driver filter policy, the attribute is not removed from the extended attributes tables (idmrpt_ext_attr, which tracks the attributes) and no data is removed from the idmrpt_ext_item_attr table.
On Firefox, when the are set to show 1 week on the Calendar page, if you click on the button, you do not see today’s schedule. Instead, you see a day one week ahead of today. To see today’s schedule in the Calendar page, press the up-arrow to go back one week. This problem does not occur on Internet Explorer.
You need to make sure your clock is set to the correct time before you run the Event Auditing Service (EAS) install program. If the clock is not set correctly, EAS cannot capture events.
The Identity Manager heap size should be increased to use a minimum of 128 MB and a maximum of 512 MB in order to support large data collection operations. If the heap size is not already within this range, you need to increase it. Refer to the Identity Manager documentation for information on how to increase the heap size.
Under the following circumstances, the logevent.conf is overwritten without prompting during the installation of the reporting module:
There is already a logevent.conf file in /etc/.
EAS is installed on the same machine.
During the reporting installation, you replace the value of localhost
and enter the machine's actual IP address for the EAS server.
To work around this issue, manually update the /etc/logevent.conf file after the installation is complete.
If EAS is installed remotely and you want to test the connection to EAS during the Identity Reporting Module installation, the parent directory of your chosen install directory must exist prior to running the installation. Without an existing parent directory, the installation directory cannot be created in order to write the JDBC JAR file used for testing the connection. For example, if you are installing the Identity Reporting Module to /opt/novell/IdentityReporting, you need to ensure that the directory /opt/novell exists before beginning the installation.
The Reporting WAR(s) require Internet access to hibernate.sourceforge.net. If this site cannot be accessed, you will see an error similar to the following when running reports:
ERROR [RPT] [com.novell.idm.rpt.core.server.events.rptdriver.ColumnAttributeMap:loadMappings] Unable to process mapping file: IdmrptIdvAcct.xml. This will prevent the processing of DCS driver events for this object/table. Reason: java.net.UnknownHostException:hibernate.sourceforge.net java.net.UnknownHostException: hibernate.sourceforge.net
If you cannot allow your server to access the Internet, you can perform the following steps:
Shut down the server where the User Application is running.
Edit the following WAR file:
Linux: /opt/novell/idm/rbpm/jboss/server/IDMProv/deploy/IDMRPT-CORE.war
Windows: c:\novell\idm\rbpm\jboss\server\IDMProv\deploy\IDMRPT-CORE.war
Open the WAR file with an archiving tool and extract this file to a test folder while maintaining the folder structure:
/WEB-INF/classes/com/novell/idm/rpt/core/server/events/rptdriver/IdmrptIdvAcct.xml
Open the IdmrptIdvAcct.xml file in a text editor and remove the following DOCTYPE tag:
<!DOCTYPE hibernate-mapping PUBLIC
"-//Hibernate/Hibernate Mapping DTD 3.0//EN"
"http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
Save the file.
The next step requires a JDK. Please confirm that the correct JDK is installed on the machine for the application server being used before proceeding.
NOTE:If you use any tool besides the jar command from a JDK, the WAR file can corrupt. You cannot use WinZip, WinRAR, or any other tool. Only the jar command from a JDK can be used to re-archive the WAR.
Issue the jar command and press Enter. If you do not see the Usage of Java' s jar command
message, the jar command is not in your path.
If jar is in your path, use the following command to re-archive the WAR:
Linux: jar -uf IDMRPT-CORE.war WEB-INF/classes/com/novell/idm/rpt/core/server/events/rptdriver/IdmrptIdvAcct.xml
Windows: jar -uf IDMRPT-CORE.war WEB-INF\classes\com\novell\idm\rpt\core\server\events\rptdriver\IdmrptIdvAcct.xml
If jar is not in your path, you must include the path to jar in the command above.
Deploy the modified WAR file.
For JBoss, copy the modified WAR file and paste it into the deploy directory. When prompted, specify that you want to overwrite the existing file.
For WebSphere and WebLogic, copy the modified WAR file and paste it into the directory that was created during the install. When prompted, specify that you want to overwrite the existing file. Then, deploy the WAR through the WebSphere or WebLogic Administration tool.
Restart the application server.
novellentry in /etc/passwd and /etc/group
On the Linux machine where EAS is installed, if the entry novell
is in /etc/passwd and /etc/group before you run the install program, EAS will not install correctly. This can happen whether you are running the installers separately or using the Integrated Installer.
EAS needs to be able to create the entry novell
in /etc/passwd and /etc/group as part of its installation. If the entry is already there, a conflict will occur and several problems will result:
Not all of the files needed for EAS will be installed.
In the terminal where the installer was launched, a prompt to supply the password for the dbauser
will appear.
In the server0.0.log file for EAS, the following error will appear:
SEVERE|Timer-2|esecurity.base.ccs.comp.dataobject.ConnectionManager.fetchConnection; Exception FATAL: password authentication failed for user "appuser" - SQLState : 28000 - ErrorCode : 0; esecurity.base.exceptions.DBConnectException; Caused by FATAL: password authentication failed for user "appuser"; org.postgresql.util.PSQLException;
This in turn will cause the following error to appear in the RPT_Install.log:
[com.novell.idm.install.rpt.ReceiveServerCerts] User did not accept Certificate. Error: [-5]
Some additional steps are required to take advantage of an Identity Manager 4.0 DNContainer form field enhancement. This enhancement allows you to display the container description instead of the container O/OU name.
To take advantage of the DNContainer enhancement, you need to manually update the Designer install to add properties to the DNContainer control. Then, you need to create a DAL entity corresponding to the container for which you want to display an attribute. Finally, you need to use the form editor to choose the entity and attribute.
Here are the detailed steps you need to follow:
Locate the following file in your Designer install:
/opt/novell/idm/Designer/plugins/com.novell.core.scriptengineshell_4.0.0.*/lib/UIRegistry.jar
Back it up first, then using a suitable jar/zip tool, modify the file within the jar:
com\novell\srvprv\impl\uictrl\UIControlRegistry.xml
Locate the <ctrl key="DNContainer" section and add the following properties at the end:
<prop name="display-entitydef" type="string" since="1.9">
<display-label rb-key="LAB_DIS_ENTITYDEF"/>
</prop>
<prop name="display-exp" type="expression" since="1.9">
<display-label rb-key="LAB_DIS_EXPRESSION"/>
</prop>
Put this file back into the JAR in its original location and start Designer.
In Designer, create a new DAL entry with an unused name, such as myDescriptionLookup
.
For the base class of this DAL entry, choose Organization
, and pick the attribute you want to show (for example Description
).
Once the DAL editor is open, change the LDAP name of the class to Top
. (This allows you to pick up the Description on Organizations, Organizational Units, and so forth.)
To use the new DAL entry, open a PRD and go to a form. Add or pick a dn/DNContainer field.
Fill in the two new fields (Entity key for DN expression lookup, Display expression) with the values specified above (myDescriptionLookup, Description).
Deploy the new DAL entry and the PRD.
On the User Application, clear the cache (or restart the server).
Test the new PRD to ensure that the descriptions are shown instead of the cn in the DNContainer control.
NOTE:Make sure the containers you are going to show have a Description value, otherwise cn is used. Containers, by default, leave this value blank.
When adding an application in the reporting module, you may notice that a valid certificate is not properly converted. Here are steps that may cause this problem to occur:
Login to the Identity Reporting Module with valid credentials.
Navigate to the Applications page and click on the button.
Fill in all the mandatory fields and browse for the certificate by checking the check box and .
In this case, the certificate should be converted, but this does not occur. This problem has only been observed on WebSphere.
To workaround this problem, you can simply copy and paste the content of the certificate into the text area on the form.
If you access the reporting module with an Internet Explorer browser in HTTPS, you will receive a pop-up message similar to the following:
Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.
If you select , the login screen for the reporting module will not appear. You must select . The behavior is seen because the download site for new reports only supports the HTTP protocol. The link to that site is constructed using http://. This behavior is not seen with FireFox.
The definition of the cat_item_type_id column in the idm_rpt_data.idmrpt_sod_violations_hist table needs to be changed to allow nulls.
To allow nulls in the cat_item_type_id column, perform these steps:
Launch pgAdminIII.
Connect to the PostgreSQL database server in EAS as the dbauser.
Press the plus sign next to Databases.
Select the Database.
Press the plus sign next to the Database.
Press the plus sign next to .
Press the plus sign next to .
Press the plus sign next to .
Press the plus sign next to the idmrpt_sod_violations_hist table.
Press the plus sign next to .
Select cat_item_type_id.
In the Properties Panel double click on .
Uncheck the checkbox next to .
Press the button.
You might encounter the following issues as you use the Roles Based Provisioning Module:
In Firefox, if you attempt to copy text in the Detail portlet, a misleading error message is displayed.
The following steps cause this message to appear:
Log in to the User application as administrator and go to the tab.
Click in Portlet Applications.
Click .
Click the icon and enter some sample text, such as “TEST”.
Select the text and click the icon.
If you follow these steps, you see the following error message:
“Exception... "Access to XPConnect service denied" code: "1011" nsresult: "0x805303f3 (NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED)" location: "http://172.16.1.99:8180/IDMProv/resource//portal-general/javascript/html_editor.js Line: 531" ” when clicked on Copy button.
You might also see this message when performing cut and paste operations.
This is a known issue with Dojo and Firefox.
The session-level failover does not function properly with software dispatchers. However, it works correctly with hardware dispatchers.Until further notice, the User Application only supports hardware dispatchers in a clustered environment.
You can add JavaScript to a workflow form to allow for printing. However, this technique does not produce expected results on Internet Explorer.
As described in the Designer documentation, you can add the following to the form onload event:
form.interceptAction("SubmitAction", "around",
function (invocation)
{var pf = new PrintForm("SubmitAction");
pf.printFormInterceptor(invocation);
} );
This action works correctly for both Internet Explorer and Firefox. However, the printed form output is not formatted correctly on Internet Explorer, although it is formatted correctly on Firefox.
Firefox supports automatic resizing of pages. It takes the entire page as a vector and resizes it, but Internet Explorer just changes the styles internally. For this reason, only Firefox can be used to resize the page appropriately for printing.
To work around this problem on Internet Explorer, determine which of the following possible solutions works best for you:
You can perform an Alt+Print Screen function in Internet Explorer that prints the content as it appears on the screen.
You can use the reference below, which might work for the workflows but might not print the form exactly the way you want it to print. This is a quick fix to print the form.
The reference looks like this:
<link rel="stylesheet" type="text/css" href="print.css" media="print" />
This can be added in the workflow forms (the Request_form, Approval_form, and so forth) under > . This improves the print formatting on Internet Explorer, but might not be totally correct.
You can create a CSS script specifically for each workflow that prints the output as you want it to appear. Each CSS script probably needs to be specific to a workflow and requires tweaking that could be time-consuming.
The references look like this:
document.writeln("<link rel=\"stylesheet\" type=\"text/css\" href=\"http://172.17.5.100:8280/externalFiles/css/jquery-ui-1.7.2.custom.css\"><\/script>");
This can be added in the workflow forms (Request_form, Approval_form, and so forth) under > .
You can create an external WAR file that stores all the CSS scripts and is referenced from the workflow. This allows changes to be made in one file rather than within each workflow.
For example, with document.writeln("<link rel=\"stylesheet\"type=\"text/css\"href=\"http://172.17.5.100:8280/externalFiles/css/jquery-ui-1.7.2.custom.css\"><\/script>");, you replace the href attribute with the link to your CSS script. You need to do it this way because the external script for a workflow form must be JavaScript. You need to use an inline script to load a reference to a CSS. The inline scripts go into a specific area on the form called and are executed when the form is first loaded. You need to put the scripts on all the forms (request forms and approval forms). This allows you to specify a style that works for the printer, without changing the style for the viewable form.
The Role Based Provisioning Module reports that were provided in previous releases of the product (available under on the tab) are being deprecated in this release. These reports will be removed in a future release.
Support for digital signatures has been removed in this release.
Support for accessory portlets has been removed in this release
On WebSphere, if you create a new user with special characters in the name, this user cannot log in to the User Application. For example, if you create a user as /Test//
from the page, an error page is displayed when the new user tries to log in to the application.
PostgreSQL requires several Microsoft VC++ libraries when running on Windows. If these libraries are not installed on the Windows server, then the PostgreSQL installer automatically installs them. When you run the JBossPostgreSQL installer in silent mode on Windows, a pop-up window appears for about 3 seconds while these libraries are being installed, if those libraries are not already installed on the machine.
At this time, the installer is not able to suppress this pop-up window on Windows.
If you redeploy the User Application Driver from Designer after running the integrated installer, the trustees for the Attestation Report provisioning request definitions are wiped out and no one can execute the report. The reason for this is that the trustees are added to the Attestation Report provisioning request definitions at User Application startup. Because Designer does not know about the trustees, an attempt to redeploy the User Application Driver from Designer removes the trustees. Therefore, you need to import these objects from eDirectory after User Application startup to synchronize the trustees.
In some situations, the integrated installer does not handle the Role Based Provisioning Module setup errors properly. This can happen when the Role Based Provisioning Module configuration fails because of a problem with the driver configuration process. In this case, the integrated installer configuration summary displays a message indicating that the Role Based Provisioning Module configuration passed, but the Role Based Provisioning Module configuration has setup errors.
If you create a role or resource assignment, and then remove it, you see a message indicating that the assignment has been removed, but the assignment is still listed. If you refresh the page, you probably see that the assignnent has been removed. This is caused by a caching issue.
The search feature in the Orch Chart Portlet does not work if the Entity type being displayed has a dash (-) in the name. At this time, the product does not support Entities with dashes in their names.
If you perform a default eDirectory installation and apply a password policy (that has email password to user action) to an existing user, then login as this user and perform a forgot password procedure, you may see a message that says after answering the challenge response questions.
To fix this issue, perform these two steps:
Add the following two lines to the pre_ndsd_start script located at /opt/novell/eDirectory/sbin (formerly in /etc/init.d):
NDSD_TRY_NMASLOGIN_FIRST=true export NDSD_TRY_NMASLOGIN_FIRST
This should be done on any server that may handle NMAS logins via LDAP.
Restart eDirectory to apply the change.
For more information, see “How to Make Your Password Case-Sensitive”.
Novell provides the JBossPostgreSQL utility as a convenience. If your company does not already provide an application server and a database server, you can use the JBossPostgreSQL utility to install an Open Source version of these components. By running this utility, you can install these components without having to download them separately. If you need support, go to the third party provider of the component. Novell does not provide updates for these components, or administration, configuration, or tuning information for these components, beyond what it is outlined in the RBPM documentation.
Values that are saved into the srvprvUserPrefs attribute are not fully removed when a user removes or change their filters or customization entries.
The attribute srvprvUserPrefs is a single values, synchronize immediately, string in eDirectory. It is limited to about 33,000 total characters. Once the attribute reaches the maximum size, users will not be able to save filter and customization entries into this attribute. To work around this issue, an Administrator would need to clean up the attribute manually with iManager or an LDAP Browser.
When using the Effective or Expiration dates for a role assignment in the User Application, you need to manually enter the date if the year you want to use is after 2030. For example, if you want to set the Effective Date for a role to be assigned on January 01, 2031, the Calendar picker will display it as 1/1/31. If you leave this as is, the role will be immediately assigned. You must make the year a four digit year if the year is greater than 2030. For this example, you would need to use 1/1/2031.
If a user has been assigned to multiple roles, and these roles are associated with a resource that is dynamically bound (meaning that the value for the entitlement is set at assignment time), the user may lose all of the resource assignments for these roles if only one of the roles is removed. This will only happen if the option (which maps to nrfAllowMulti) is not selected when mapping the entitlement to a resource.
For example, suppose you have a resource that is dynamically bound to an entitlement, and the resource is mapped to two different roles, and the option is not set for the resource. In this case, if a user has been assigned to both roles, and later is removed from one of the roles, the user will lose both resources. This behavior occurs because the option was not selected when the entitlement was mapped to the resource.
You might encounter the following issues as you use iManager:
When you are using iManager, particularly the Policy Builder, Internet Explorer 7 continually prompts you for access to the Clipboard. To disable prompting:
Click > .
Click the tab, then click .
Click > , then select .
After you restart Internet Explorer, the prompting stops.
If you want to use the NDS-to-NDS Driver Certificates Wizard, you must download and install the iManager plug-in for Novell Certificate Server.
You might encounter the following issues as you use the Identity Manager plug-ins:
The Identity Manager 4.0 plug-ins do not appear in iManager.
To work around this issue, use iManager from another host connecting to your tree.
or
Install iManager by using the integrated installer to install the Identity Manager 4.0 plug-ins.
The updated version of the Identity Manager plug-ins is available on the Novell downlaod Web site.
If you select Metadirectory Server and Identity Manager plug-ins in one operation from the Select Component page of the installation, the Identity Manager plug-ins are not installed. No errors are reported in the log file.
To work around the issue, select the Identity Manager plug-ins separately and not with the Metadirectory server.
If your Identity Manager system has multiple replicas of Identity Vault and the replicas are frequently updated, the operations performed on the Identity Vault are delayed.This is more evident during the driver creation process when a large number of objects is added to the Identity Vault. The delay increases with the addition of Identity Vault replicas.
The following issues exist in the Analyzer 1.2 environment:
To start the Analyzer, perform the following steps to change the XULRunner mapping:
As a root user, navigate to the /opt/novell/idm/Analyzer folder.
Open the Analyzer.ini file in the gedit editor.
Add the following line at the end of the list of the parameters given in the Analyzer.ini file:
-Dorg.eclipse.swt.browser.XULRunnerPath=/usr/lib/xulrunner-1.9/
The Analyzer.ini file should read as follows:
-vmargs -Xms256m -Xmx1024m -XX:MaxPermSize=128m -XX:+UseParallelGC -XX:ParallelGCThreads=20 -XX:+UseParallelOldGC -Dorg.eclipse.swt.browser.XULRunnerPath=/usr/lib/xulrunner-1.9/
Save the file and close it.
Over the course of its development, Analyzer has gone through some significant architectural and model changes. Because of this, projects created with pre-release versions of Analyzer might not work properly with the released Analyzer.
To avoid difficulty, specify a new workspace for the released Analyzer and do not mix old projects with new projects. When you use the internal Analyzer database, this ensures that you are not mixing pre-release data tables and formats with the released Analyzer data tables.
If you use an external MySQL database as your Analyzer database, clean out any pre-release data before using it with the released Analyzer. To do this, use your preferred database management tool to delete the following database tables before starting the released Analyzer for the first time:
DSTable_ver where ver is a version number
AnalysisTable_ver where ver is a version number
All tables with an enf_ prefix
Alternatively, you can create a new MySQL database for use with the released Analyzer.
Please note the following issues when using the Data Browser:
Limit Attributes in Data Set Definition: Novell recommends restricting data set definitions to fewer than 10 attributes for optimal Data Browser performance. Creating data set definitions with more than 10 attributes causes the Data Browser performance to deteriorate significantly.
Painting Issues: When you return from the Multi-Value Edit dialog box to a cell with multiple values, Analyzer does not repaint the table cursor correctly.
To correct the display, move to another cell with a click or an arrow key, then move back to the original cell.
Sorting Issues: Integer columns sort as strings instead of integers. For example, 100 sorts before 90. Also, sorting is case sensitive. For example, “Bob” sorts before “andy”.
Empty Column in Flat File Data Import: The field is always empty in a data set instance imported from a flat file. You can ignore it.
Windows Vista has implemented a new User Account Control feature that prevents applications from running as Administrator unless you specifically allow it.
To run Analyzer in Vista, right-click the Analyzer shortcut and choose the option to . You can also choose to disable .
If you quickly stop and restart Analyzer, the Analyzer Database might not reinitialize properly. To avoid this problem, wait approximately thirty seconds before restarting Analyzer.
If Analyzer starts and the Analyzer Database is not initialized correctly, select in the Project View to reinitialize the database.
Analyzer allows you to change its internal database from the default HSQLDB to a MySQL database. You can configure database settings in > > > . When you use an external MySQL database, be aware of the following issue:
Extended and Double-Byte Characters: The MySQL database uses the default character set from the operating system for encoding table fields. If an extended or double-byte character is not recognized by the default character set, Analyzer displays ??? in the Data Browser. To avoid this, set the operating system’s default character set to UTF-8, or to a character set that includes all the extended or double-byte characters that Analyzer might import.
To use the SAP user driver, you must install the sapjco.jar library in Analyzer, and install the librfc32.dll and sapjcorfc.dll into the Windows %systemroot% folder (typically C:\windows\system32).
Restart Analyzer after installing these files.
The Analyzer DB2 driver requires the following two libraries to function properly. You can download these libraries from IBM.
db2java.zip
db2jcc.jar
Analyzer does not prevent users from modifying anything in a data set. If a user with appropriate rights to the source application modifies a value, for example a GUID or DN, Analyzer does not attempt to determine if the modification causes a problem when written out to the source application.
To avoid causing unintended problems in the source application, users should be careful when modifying data and sending those modifications to the source application.
When you attempt to push updated data to the source application from Analyzer’s Data Browser (by clicking ), you might get an error indicating there was a problem with the update operation. However, the Data Browser’s modified data indicators in the data table change to indicate that the updates were successful.
If this occurs, the data updates might have been unsuccessful. Re-import the data from the source application to make sure you know the true state of the data before making any other data modifications.
Problems with the update operation occur primarily when adding a value to a multi-valued attribute.
The IDS Trace view consumes significant resources. You should only open the IDS Trace view when you need the information.
The IDS Trace level is set to 3 by default in order to track connection problems and errors. This trace level can cause performance issues with data browsing. You can modify this setting by clicking the button in the IDS Trace view.
The following issues can prevent Analyzer from displaying data set content in the Data Browser view:
Analyzer 1.2 does not support SQL reserved words as column names for data sets (For example, group or select.) If a column name is an SQL reserved word, no data displays in the Data Browser view. To avoid this, exclude the column (attribute) with a reserved-word name from the data set.
By default, Analyzer’s Subscriber channel is enabled so that you can perform data set queries. However, if a connection profile was synchronized from Designer with the Subscriber channel disabled, it remains disabled for Analyzer. If your data sets do not have any data, confirm that the connection profile’s Subscriber channel is enabled in Analyzer.
To do this, right-click the desired connection profile, then select . In the connection profile properties, select > > . Make sure that is set to (default).
The button in the Configuration Wizard dialog boxes is not functional. If you need to make a change to the connection profile on which you are working, either cancel the wizard and start over, or finish configuring the connection profile and make the change in the connection properties.
Analyzer performs its data analysis solely based on the attribute name, and does not take the class name into account. Therefore, if you map attributes from different classes to the same application attribute, the analysis tests only the first mapped attribute it encounters. For example, in the following schema map, Analyzer tests only the name attribute mapped to the Group class, and ignores the mapping in the User class.
Class = Group |___ Attribute = gname ---> name
Class = User |___ Attribute = uname ---> name
This issue might also exist with the preconfigured schema maps that Analyzer includes with its drivers. The mappings might be correct to the attribute name, but not the class name.
If you delete multiple Analyzer projects simultaneously, the error log might record several exception messages. These messages are benign and do not indicate any problem with Analyzer or with the delete operation.
The Pattern Frequency analysis metric does not work properly with data that includes the following characters. If you attempt to do a pattern frequency analysis on a data set that has values that contain any of these characters, the analysis fails and returns an empty result.
If you modify a data value in a data set instance so that it includes an apostrophe (‘), Analyzer generates a Java exception error when attempting to save the changes back to the application. This occurs when using either the HSQL database or an external MySQL database for Analyzer.
If connections do not import properly from Designer, the likely problem is that the server configuration associated with the driver set in Designer is incorrect or incomplete. For example, when you create a new driver set in Designer, the default server DN is server.context. If you attempt to import connection information that includes invalid information like this, the import fails.
Before importing connection information from Designer, make sure that the server information is valid.
On Linux systems with CUPS printers, the JasperReports framework is unable to print reports directly from the Report Viewer. However, you can save the report as a PDF file, then print it from a PDF reader.
When you import a large data set instance or run an SQL query on a large data set instance, clicking in the progress dialog box does not work. To cancel the operation, you can either let the operation complete or shut down and restart Analyzer.
The Connection Wizard uses some dynamic help pages from which Designer is unable to properly reference the Analyzer help pages. Because of this, when you click the button you get general Eclipse help rather than dialog-specific help for the Connection Wizard.
The first three pages and the final Summary page in the Connection Wizard are static pages that properly display the Analyzer help. Use the help from these pages to get all the help information for the Connection Wizard.
If you have deleted values in the Data Browser that have not been updated to the application, the deleted values are still considered when running a Matching Analysis.
The Identity Vault schema does not support multiple classes with the same name. Some application schemas, such as Notes, do support duplicate class names. If you want to import an application schema that includes duplicate class names, you should first consolidate the duplicate class names into a single class that contains the attributes from all duplicate classes.
If you cannot resolve the duplicate classes in the application schema, you can manually resolve the duplicate class names in Analyzer by doing the following:
WARNING:This procedure is not recommended and can cause inconsistencies in the Identity Vault schema. It should only be used if absolutely necessary.
Open the IDS Trace view ( > > ).
In the Project view, right-click the appropriate connection, then select .
This captures the application schema in the IDS Trace. If the IDS Trace does not capture the entire schema, increase the IDS Trace window size by clicking the icon, then increasing the setting.
Open the Navigator view ( > > ).
In the Navigator view, expand the appropriate project, then browse to > .
Double-click the appropriate schema file (*ShimConfig.xml) to open it in an XML editor.
If there are multiple shim config files, you can identify the application associated with each file by opening the file and looking at the contents of the <class-name>, <auth-id>, and <auth-context> tags.
In the XML editor, search for the following elements. If they do not exist, add them to the schema immediately above the closing </shim-config> tag.
<app-schema-def> <schema-def> ... </schema-def> <app-schema-def>
In IDS Trace, locate the <NDS> tag, then paste the contents of the <NDS> tag into the <schema-def> tag in the *ShimConfig.xml file.
Make sure you do not include the <NDS> as part of what you copy and paste into the *ShimConfig.xml.
Search for any duplicate <ClassDef> elements in the schema definition and consolidate all attribute definitions <attr-def> under a single <ClassDef> element.
Save the changes to the schema file (Ctrl+S), then restart Analyzer.
If you are using HSQL as the back end database for Analyzer, matching is case sensitive. If you are using MySQL, the back end database is case insensitive.
When Analyzer is installed on Windows and you have CM Synergy installed, browsing for files causes Analyzer to shut down. You cannot have CM Synergy and Analyzer installed on the same machine.
The CM Synergy install overwrites one of the Windows native libraries that Analyzer uses.
If the 32-bit version of XULRunner is installed on a 64-bit Linux distribution, the JVM might crash when you launch Analyzer, when the Welcome Page displays, or when you view a Help topic. To resolve this problem:
Open the Analyzer.ini file located in the Analyzer install directory.
Add the following line to the end of the Analyzer.ini file:
-Dorg.eclipse.swt.browser.XULRunnerPath=/usr/lib/xulrunner-1.9/
Save the Analyzer.ini file and launch Analyzer.
You might encounter the following issues during uninstallation of the Identity Manager Metadirectory engine and drivers.
The uninstall log files are created in the temp directory.
The jar files that reside in the lib directory are not removed.
The uninstaller uninstalls other installed components.
The installer detects if a reboot is needed during the uninstallation. It displays a warning in the GUI mode. In silent mode, it might reboot.
The Identity Vault uninstallation hangs when you run the nds-uninstall command.
For successfully uninstalling the Identity Vault,
Stop the DHost from the Task Manager.
Start the NDS service.
Start the uninstallation program.
For more information on uninstalling Roles Based Provisioning Module, refer to the Identity Manager Roles Based Provisioning Module 4.0 User Application: Installation Guide.
The following command might fail with an exit value of 1.
cmd /c copy "C:\Users\Administrator\AppData\Local\Temp\2\I1285831815\Windows\resource\jre\..\iawin64_x64.dll" "C:\Program Files (x86)\Novell\Identity Manager\Uninstall_Roles_Based_Provisioning_Module_for_Novell_Identity_Manager\resource\iawin64_x64.dll
The uninstaller does not remove the and the <system drive>\Novell\conf folders.
To work around this issue, manually remove these folders.
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.
The following sections discuss the third-party license information about Analyzer.
Analyzer includes software developed by IBM Corp. using the Eclipse platform (all rights reserved) and the Apache Software Foundation. Novell is an Eclipse Foundation Member.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE HYPERSONIC SQL GROUP, OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Hypersonic SQL Group.
Copyright© 2006, Sun Microsystems, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of the Sun Microsystems, Inc. nor the names of contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.