ca identity manager™ identity manager 12 6 5-enu...ca cloudminder™ identity management ......
TRANSCRIPT
Release Notes 12.6.5
CA Identity Manager™
This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the “Documentation”), is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is CA.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.
Copyright © 2015 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
CA Technologies Product References
This document references the following CA Technologies products:
■ CA CloudMinder™ Identity Management
■ CA Directory
■ CA Identity Manager ™
■ CA Identity Governance (formerly CA GovernanceMinder)
■ CA SiteMinder®
■ CA User Activity Reporting
■ CA AuthMinder ™
Contact CA Technologies
Contact CA Support
For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
■ Online and telephone contact information for technical assistance and customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product
Providing Feedback About Product Documentation
If you have comments or questions about CA Technologies product documentation, you can send a message to [email protected].
To provide feedback about CA Technologies product documentation, complete our short customer survey which is available on the CA Support website at http://ca.com/docs.
Contents 5
Contents
Chapter 1: New Features 11
12.6.5.......................................................................................................................................................................... 11
New Certifications ............................................................................................................................................... 11
Enhanced Provisioning using CSV Files with Connector Xpress .......................................................................... 12
Increased Performance Running Tasks ............................................................................................................... 12
Enhanced Record Collection from SCIM Endpoints with Pagination Support .................................................... 12
Service Desk Integration for CA Identity Manager .............................................................................................. 13
Box CA API Gateway Connector .......................................................................................................................... 13
Google Apps CA API Gateway Connector ............................................................................................................ 13
Support for Managing and Synching Active Directory Users by Custom Active Directory Attributes ................ 14
Manage Universal Active Directory Groups from the User Console ................................................................... 14
Support for Cross-Reference Roles with ACF2 Java Connector .......................................................................... 14
Informative Error Messages for CA Single-Sign On Integration .......................................................................... 14
Reduced Exposure to OpenSSL Vulnerabilities ................................................................................................... 15
Different Administrator Email Address for Each Environment ........................................................................... 15
Reduce Permissions to the Oracle Connector ..................................................................................................... 15
Consistent Security Validation across the Web User Interface ........................................................................... 15
12.6.4.......................................................................................................................................................................... 15
Changes to Existing Features .............................................................................................................................. 15
CA Identity Manager Supports New Version of CABI .......................................................................................... 15
New Certifications ............................................................................................................................................... 16
Top Secret V2 Connector Enhanced to Support Additional Objects/Attributes ................................................. 17
Mobile Application Password Change Enhancements ........................................................................................ 17
Enhancements to the Bulk Load Client ............................................................................................................... 17
Mobile Application Support for Android OS ....................................................................................................... 17
Connector Xpress Support Customization of SCIM and Web Services Connector .............................................. 17
Policy XPress Supports SOAP and REST Web Services ........................................................................................ 17
View My Work List task Search Screen ............................................................................................................... 18
12.6.3.......................................................................................................................................................................... 18
New Certifications ............................................................................................................................................... 19
Unicast Support for JBoss 6.1 EAP ...................................................................................................................... 20
New Events Generate Emails and Audit Data ..................................................................................................... 20
Support of ID Vault in Lotus Notes Domino ........................................................................................................ 20
HTTP Header Information Capture ..................................................................................................................... 21
Service Object Enhancements............................................................................................................................. 21
12.6.2.......................................................................................................................................................................... 22
New Certifications ............................................................................................................................................... 23
6 Release Notes
Mobile App Support ............................................................................................................................................ 24
Synchronization/Remove Account Template Values From Accounts ................................................................. 24
Enhanced Configurations for the LND Connector ............................................................................................... 25
Task Persistence Database Schema .................................................................................................................... 25
Support for Deactivating SAP Account Password ............................................................................................... 25
Two Modes for Connecting to Exchange: Agentless and Agent.......................................................................... 26
Support for Exchange Data Access Groups (DAG)............................................................................................... 26
Support for Automatic Mailbox Distribution in Exchange 2010 ......................................................................... 26
Connect to SQL Server When the Database is Offline ........................................................................................ 26
Task to Create a Snapshot Definition for Reports ............................................................................................... 27
12.6.1.......................................................................................................................................................................... 27
New Certifications ............................................................................................................................................... 27
SSL-Enabled JNDI User Store ............................................................................................................................... 28
Encrypted Password Support in Management Console Bootstrap Directory ..................................................... 28
12.6............................................................................................................................................................................. 28
New Name and Appearance ............................................................................................................................... 29
Simplified User Experience ................................................................................................................................. 29
Provisioning Enhancements ................................................................................................................................ 29
Connector Enhancements ................................................................................................................................... 30
Performance Enhancements ............................................................................................................................... 31
Policy Xpress Enhancements ............................................................................................................................... 32
Secure Management Console ............................................................................................................................. 33
Basic Access Requests ......................................................................................................................................... 33
New Documentation for Config Xpress ............................................................................................................... 35
Native CA Identity Manager Replacement for SiteMinder Advanced Password Services .................................. 36
Dynamic Keys for Encrypting Data ...................................................................................................................... 37
Active Directory Server Synchronization............................................................................................................. 37
Auditing Login and Logout Events ....................................................................................................................... 37
SHA-2 Support ..................................................................................................................................................... 38
Chapter 2: Installation Considerations 39
Verify WebSphere Configuration ............................................................................................................................... 39
Enable Policy Xpress Support for Web Services SOAP and REST................................................................................ 40
Supported Platforms and Versions ............................................................................................................................ 40
Deprecated and Dropped Components ..................................................................................................................... 40
Co-installation of Unix Remote Agents with Additional CA Products ........................................................................ 41
Passwords Not Encrypted .......................................................................................................................................... 41
Oracle 11g R2 RAC as User Store and Object Store.................................................................................................... 41
Oracle 12c RDB as User Store and Object Store ......................................................................................................... 41
AD LDS as a User Store ............................................................................................................................................... 42
Non-ASCII Character Causes Installation Failure on Non-English Systems................................................................. 42
Contents 7
Work Around Firewall on Windows 2008 SP2............................................................................................................ 42
Deploy JSP Pages for Administrator Actions .............................................................................................................. 43
Linux: Provisioning Directory Installation................................................................................................................... 43
Linux: JDK Requirement for Installation ..................................................................................................................... 43
Linux 64-bit: SiteMinder Connectivity Errors ............................................................................................................. 44
Improve Performance on WebSphere and AIX .......................................................................................................... 45
Ignore WebSphere 7/Oracle Error ............................................................................................................................. 45
Chapter 3: Upgrade Considerations 47
Supported Upgrade Paths .......................................................................................................................................... 47
Application Server Support ........................................................................................................................................ 47
System Manager Role Needs Admin Roles Scope After Upgrade from 12.6 ............................................................. 48
New Scripts to Update the Task Persistence and Archive Schemas........................................................................... 48
New JCO Files for SAP R3............................................................................................................................................ 48
New Active Directory Role Definition File .................................................................................................................. 48
Update to jboss.xml File ............................................................................................................................................. 49
Upgrade from r12 (CR6 or later) Fails on Some Clusters............................................................................................ 49
Workflow Error after Upgrade from pre-r12.5 SP7 .................................................................................................... 50
Environment Migration Error ..................................................................................................................................... 50
Credential Provider Upgrade Error............................................................................................................................. 51
Credential Provider Internal Error .............................................................................................................................. 51
No Search Screen with Explore and Correlate Task ................................................................................................... 51
Non-Fatal Error after Upgrading Provisioning Manager from r12 ............................................................................. 52
Rename ACF2, RACFand TSS Endpoints Before Upgrade ........................................................................................... 52
Run the SQL Upgrade Script ....................................................................................................................................... 52
Chapter 4: Known Issues 55
General ....................................................................................................................................................................... 55
Service Desk Integration REST API Doc Task Fails in IE10 ................................................................................... 55
Status for Box Endpoint Users may Vary From Privileges Set in an Account Template ...................................... 55
Formatting Issues While Switching Between HTML and Text Views .................................................................. 56
Configuration Xpress has Limitations When Migrating Objects from One Environment to Another Environment........................................................................................................................................................ 56
QnA as "Reset password behavior" Fails with Default Question and Answer Configuration Setting ................. 57
Reset Password Fails After Upgrading IdentityMinder from r12.6 SP2, SP3 to SP4 ........................................... 58
Error When Exposing Many Services .................................................................................................................. 59
Password Stored in Clear Text ............................................................................................................................ 60
Too Many Approvers in ApproversList ................................................................................................................ 60
Unable to connect to "Forgot Password" and "Unlock account" pages through Credential Provider in Windows 2012 and Windows 8 platforms .......................................................................................................... 61
404 after password reset confirmation due to missing pws.fcc ......................................................................... 61
8 Release Notes
Adding Custom E-mail Templates for Service Objects ........................................................................................ 61
Error When Installing CA Identity Manager with UTF-8 Characters in Installation Path or Database Details in Any Non-English Language .................................................................................................................. 62
Connection Errors After CA IdentityMinder Server Upgrade .............................................................................. 62
Warning Message When Running an OOTB Snapshot DDL Script ...................................................................... 63
Non-Context Sensitive Help for Mobile App ....................................................................................................... 64
Provisioning Directory Fails to Create through Management Console ............................................................... 64
AttributeLevelEncryption for User Passwords .................................................................................................... 65
Specifying LDAP DN When Using TEWS .............................................................................................................. 66
setpasswd Fails on 64-bit Linux Systems............................................................................................................. 66
Password Policy Issue When Using a Combined User Store and Provisioning Directory.................................... 67
Cannot Connect to the CA IdentityMinder server when configuring the 64-bit Active Directory Password Synchronization Agent ........................................................................................................................ 68
Workflow Participant Resolver Fails for EnableUserEventRoles ......................................................................... 69
Duplicate name in View Submitted Tasks ........................................................................................................... 69
Not Found Error When Creating a New Environment ........................................................................................ 69
Modifying Single Valued Compound Attributes in CA Identity Manager............................................................ 70
Limitations of Bulk loader in Relationship Attribute Level .................................................................................. 71
Error Creating Provisioning-Enabled Environment using Tokenized Template .................................................. 71
Oracle Applications Prerequisite ......................................................................................................................... 71
Oracle 11gR2 RAC User Store: Search is Case-Sensitive...................................................................................... 71
CA Identity Manager on JBoss does not Reconnect to Oracle ............................................................................ 72
Skip to Main Content Fails in Mozilla Firefox ...................................................................................................... 72
Concurrent Changes to a User Fails .................................................................................................................... 72
Change to Policy Xpress Syntax ........................................................................................................................... 73
Update to SAP Help Topic ................................................................................................................................... 73
Enable the Fix for Oracle Bug 6376915 ............................................................................................................... 74
Failed to Execute the RequestUserToService Task ............................................................................................. 75
Reporting .................................................................................................................................................................... 75
Audit-Assign Revoke Provisioning Roles Report ................................................................................................. 76
User Filter Search is Case Sensitive in the User Accounts and the Endpoint Accounts Custom Snapshots XML Files ............................................................................................................................................ 76
Satisfy=All Not Working Properly in XML File ..................................................................................................... 77
Issue While Using Multiple Filter With Endpoint Object..................................................................................... 77
Snapshot is not Capturing Group Object Data .................................................................................................... 77
General Provisioning .................................................................................................................................................. 77
Renaming Provisioning Roles not Supported ...................................................................................................... 77
Solaris ECS Logging Above INFO Level Can Affect the Performance of the Provisioning Server ........................ 78
Multi-Valued Custom Fields for Provisioning Roles ............................................................................................ 78
Already Exists Error When Adding an Endpoint .................................................................................................. 78
Correlation of a Microsoft SQL Endpoint Fails .................................................................................................... 79
CA SiteMinder® Login Name Restriction for Global User Name ......................................................................... 79
Contents 9
CA IAM CS and Connector Xpress............................................................................................................................... 79
JNDI Account Management Screens – Creating Accounts with Multiple Structural objectclasses Fails............. 80
Endpoint Types ........................................................................................................................................................... 80
General ................................................................................................................................................................ 80
CA Access Control ............................................................................................................................................... 83
CA Arcot .............................................................................................................................................................. 85
CA SSO Connector for Advanced Policy Server ................................................................................................... 85
DB2 and DB2 for z/OS ......................................................................................................................................... 85
Google Apps ........................................................................................................................................................ 86
Microsoft Active Directory and Exchange ........................................................................................................... 88
PeopleSoft ........................................................................................................................................................... 88
SAP ...................................................................................................................................................................... 88
Siebel ................................................................................................................................................................... 89
Unix v2 ................................................................................................................................................................ 89
Chapter 5: Fixed Issues 91
12.6.5.......................................................................................................................................................................... 91
12.6.4.......................................................................................................................................................................... 95
12.6.3.......................................................................................................................................................................... 98
12.6.2........................................................................................................................................................................ 101
12.6.1........................................................................................................................................................................ 102
Chapter 6: Documentation 105
Bookshelf .................................................................................................................................................................. 105
Known Issues ............................................................................................................................................................ 105
CA Identity Manager and CA Identity Governance Integration Release Notes ........................................................ 106
Appendix A: Accessibility Features 107
508 Compliance ........................................................................................................................................................ 107
Product Enhancements ............................................................................................................................................ 107
Chapter 1: New Features 11
Chapter 1: New Features
This section contains the following topics:
12.6.5 (see page 11) 12.6.4 (see page 15) 12.6.3 (see page 18) 12.6.2 (see page 22) 12.6.1 (see page 27) 12.6 (see page 28)
12.6.5
New Certifications
The following new platforms are certified with CA Identity Manager r12.6.5:
Endpoints
■ RSA 8.x
■ Lotus Notes Domino 9.x
■ Oracle eBusiness 12.2.x
Operating Systems
■ RedHat Linux 7
■ Solaris 11 (CES 77673 – Fujitsu)
■ Windows 2012 R2
Application Server
■ JBoss 6.3 EAP
Repositories
■ CA Directory 12.0 SP14
■ SQL 2012 SP2 (user store, object store)
12.6.5
12 Release Notes
Enhanced Provisioning using CSV Files with Connector Xpress
This version supports creating data sources and provisioning endpoints with CSV files. The Connector Xpress flat-file functionality can load CSVs locally or with FTP, HTTP, and Samba protocols. CSV files can be exported to support provisioning to endpoints as well. Specifically, administrators can define a location, enter credentials, define a schedule, and output delta changes from CA Identity Manager to endpoints. Administrators can alternatively also configure email notifications of the output delta changes to an endpoint admin who can then use the endpoint management console to fulfil the provisioning requests manually. An Explore and Correlate will subsequently refresh the information in CA Identity Manager with the latest state of the endpoint.
The data exported to CSV can be processed in the two ways described here.
Provisioning to an endpoint with an SDK or API
Endpoint systems for which CA Identity Manager does not provide a connector, but for which the endpoint system does provide a user provisioning SDK or API, could support a third-party development. The delta file CSV output is read from a directory or folder and then the endpoint user provisioning SDK or API is used to modify the endpoint. An explore and correlate is required to refresh the CA Identity Manager environment.
Provisioning to an endpoint without an SDK or API
CA Identity Manager emails the endpoint system admin the delta of changes between two different times. The admin can then manually make the changes to the endpoint. An explore and correlate is required to refresh the CA Identity Manager environment.
Increased Performance Running Tasks
You can now run tasks, such as bulk load, and explore and correlate faster. The performance increase applies to all tasks. CA Identity Manager has been optimized to use one database connection instead of two for processing tasks.
Enhanced Record Collection from SCIM Endpoints with Pagination Support
When connecting SCIM endpoints to Identity Manager, you can configure pagination settings. Pagination allows you to retrieve all the endpoint records during explore and correlate. Previously, the SCIM connector would retrieve only the number of records specified by the endpoint API. Additionally, SCIM endpoints that support pagination are not required to send all the records at one request. Instead, they can be provided page by page for better performance.
For SCIM documentation and downloads, see https://wiki.ca.com/display/IMGC10/SCIM.
12.6.5
Chapter 1: New Features 13
Service Desk Integration for CA Identity Manager
Normalized Integration Management Service Management (NIM SM) integration enables you to integrate CA Identity Manager with a number of service desk products through a single normalized RESTful API. NIM provides a fully embedded web service that exposes this RESTful API and internally translates all requests into native service desk format based on a set of configurable mappings.
By using Policy Xpress and its web services actions you can automatically create service desk tickets based on Task and Event state within CA Identity Manager.
For more information, see the Configuration Guide.
Box CA API Gateway Connector
This version includes a Box CA API Gateway Connector. Your connector administrator can download the documentation and attribute list from https://wiki.ca.com/display/IMGC10/Box+CA+API+Gateway. CA Support Credentials are required for access.
Google Apps CA API Gateway Connector
This version includes the Google Apps API Gateway Connector. The attribute list and the documentation are available at https://wiki.ca.com/display/IMGC10/Google+Apps. CA Support Credentials are required for access.
This version of the connector automatically transfers files from deleted users to administrators. See the documentation Introduction for additional information on features and updates.
12.6.5
14 Release Notes
Support for Managing and Synching Active Directory Users by Custom Active Directory Attributes
Administrators can add custom Active Directory attributes to their account templates allowing them to:
■ Add, modify, delete and view custom active directory attributes
■ Enter values for custom attributes
■ Map single and multi-valued attributes
The administrator needs to download the Attribute list from the Downloads Section of the Microsoft Active Directory Connector documentation at https://wiki.ca.com/display/IMGC10/Microsoft+Active+Directory%2C+Microsoft+Exchange%2C+and+Microsoft+Lync .
Following configuration, a Custom tab is available to the administrator.
Manage Universal Active Directory Groups from the User Console
Administrators can build templates to set users in one Active Directory domain as a member of a universal group created in a different Active Directory domain with the option Universal Groups Only.To use this option, save the account template as a Universal Group Only template. A Universal Group Only template is only for Universal Group membership assignment. All other fields on the template are unused and are applied to accounts.
Support for Cross-Reference Roles with ACF2 Java Connector
ACF2 roles are available for account templates to load users and role assignments between CA Identity Manager and a CA ACF2 endpoint. This feature is available by default with this version of CA Identity Manager. It can also be added to previous implementations by installing the connector module and following the configuration steps packaged with the readme. For the ACF2 documentation and downloads, see https://wiki.ca.com/display/IMGC10/CA+ACF2.
Informative Error Messages for CA Single-Sign On Integration
Informative error messages are provided for problematic integrations with CA Single Sign-On. These messages help deployment and integration teams quickly identify problems and complete problematic integrations in less time.
12.6.4
Chapter 1: New Features 15
Reduced Exposure to OpenSSL Vulnerabilities
Updated CA Identity Manager to CAPKI 4.x from CAPKI 3.x. This reduces the exposure to known OpenSSL vulnerabilities.
Different Administrator Email Address for Each Environment
Previous versions allowed one administrator email address in the CA Identity Manager Management Console for all environments in the deployment. You can now specify an administrator email address for each environment.
Reduce Permissions to the Oracle Connector
This version supports customizing and reducing permissions for users to the Oracle connector. For information and instructions, please see the the Oracle connector documentation at https://wiki.ca.com/display/IMGC10/Oracle+Applications+Connector.
Consistent Security Validation across the Web User Interface
When using TEWS, security validation was inconsistent across the web user interface. This version adds consistent security validation across the web user interface. This improvement also increases security for CA Single Sign-On integrations.
12.6.4
Changes to Existing Features
CA Identity Manager Supports New Version of CABI
With this release, the CA Identity Manager supports only CA Business Intelligence (CABI) version 3.3 SP1. The CA Identity Manager installation kit provides CABI 3.3 and CABI 3.3 SP1 installers. You must install CABI 3.3 and then install CABI 3.3 SP1.
12.6.4
16 Release Notes
New Certifications
The following new platforms are certified with CA Identity Manager r12.6.4:
Endpoints
■ CA Control Minder r12.8 as an endpoint
■ Microsoft Windows 2012 R2 Active Directory as an endpoint
■ Oracle 12c Database as an endpoint
■ Microsoft Lync Server 2010 and 2013 as an endpoint
■ PeopleSoft Financials 9.2 as an endpoint
■ System for Cross-domain Identity Management (SCIM) as an endpoint
■ Lotus Notes Domino 9.x as an endpoint
Web Services (Layer7) Endpoints
■ Service Now
■ Microsoft Azure
■ Zendesk
Application Server
■ JBoss 6.2.0 EAP
CA Identity Manager User Store
■ Oracle 12c
■ Microsoft Windows 2012 R2 Active Directory
CA Identity Manager Object Store
■ Oracle 12c
Credential Provider
■ Microsoft Windows 8
■ Microsoft Windows 8.1
Additional Support
■ Password Synchronization agent support on Windows Active Directory 2012 R2
■ Integration with CA SiteMinder r12.52 CR1, r12.52 SP1, and r12.51 CR3
■ Browsers support for IE 11.x
■ Browsers support for Firefox 29.x
12.6.4
Chapter 1: New Features 17
Top Secret V2 Connector Enhanced to Support Additional Objects/Attributes
Top Secret V2 Connector has been enhanced to expose Resources, Facilities, Segments and all other attributes in the Mainframe.
Mobile Application Password Change Enhancements
The Mobile App has additional levels of security when resetting the Password that involves both the PIN and Q&A flow. For more information, refer to the Administration Guide.
Enhancements to the Bulk Load Client
The Bulk Load Client has been enhanced to support Kettle Transform as a data source and a secondary action, similar to what is in the Bulk Task user interface.
Mobile Application Support for Android OS
The mobile application now supports mobile devices that use the Android operating system.
Connector Xpress Support Customization of SCIM and Web Services Connector
The Connector Xpress is enhanced to support the customization of SCIM and Web Services Connector metadata for
■ Service Now
■ Azure
■ Zendesk
Policy XPress Supports SOAP and REST Web Services
Policy XPress is enhanced to support Web Services SOAP (with basic authentication method) and REST (with basic authentication, proxy authentication, and OAuth authentication methods) such that it can be integrated with external applications that provide a web service interface.
12.6.3
18 Release Notes
View My Work List task Search Screen
A new search screen was added to the View My Work List task that allows you to search either by the user Id of the workflow subject, or by the initiator of the task to filter the workitems.
12.6.3
New Certifications (see page 19)
Unicast Support for JBoss 6.1 EAP (see page 20)
New Events Generate Emails and Audit Data (see page 20)
Support of ID Vault in Lotus Notes Domino (see page 20)
HTTP Header Information Capture (see page 21)
Service Object Enhancements (see page 21)
12.6.3
Chapter 1: New Features 19
New Certifications
The following new platforms are certified with CA Identity Manager r12.6.3:
Endpoints
■ Microsoft AD Exchange Server 2013 as an endpoint
■ Salesforce v24 as an endpoint
■ Solaris 11.1 as an endpoint
■ SUSE 11 SP3 as an endpoint
■ CA Directory r12.0 SP12 GA as a Connector Xpress JNDI endpoint
■ CA ACF2 LDAP r15.1 as an endpoint
■ CA RACF LDAP r15.1 as an endpoint
■ CA TSS LDAP r15.1 as an endpoint
Server Operating System
■ Windows 2012 Essentials
Server Client Operating System
■ Windows 2012 Essentials
■ Windows 8
Application Server
■ JBoss 6.1.1 EAP
CA Identity Manager User Store
■ CA Directory r12.0 SP12 GA
■ Microsoft Active Directory 2012 Essentials
■ Microsoft ADAM 2012 Essentials
Additional Support
■ Password Synchronization agent support on Active Directory 2012 Essentials
■ Internet Explorer 10.x
■ Google chrome 28.x
■ Integration with CA SiteMinder r12.5 CR3, r12.51 CR1
■ Unix Agentless support on RHEL, SUSE, Solaris, AIX and HPUX
■ Support of Unicast and Multicast with JBoss 6.1.0 EAP
■ Support of CAM 1.14 with Remote Agents of this release
12.6.3
20 Release Notes
■ Support of AXIS2 1.6.2 with this release
Unicast Support for JBoss 6.1 EAP
For customers who install CA Identity Manager on JBoss 6.1 EAP, unicast is an alternative messaging protocol to multicast. We recommend testing both protocols to determine the best choice for your organization.
For details on using either protocol, see the JBoss version of the Upgrade Guide.
New Events Generate Emails and Audit Data
You can enable email notifications and audit data for two new events:
■ ForgottenPasswordAuditEventQnAInitiated
The Forgotten Password Public Task generates this event when a user sees the Question and Answer page during a password reset attempt.
■ ForgottenPasswordAuditEventQnALocked
The Forgotten Password Public Task generates this event when the Question and Answer page is locked due to unsuccessful attempts to answer security questions.
You configure email notifications and auditing from the Management Console.
Note: For information about how to configure email notifications, see the Administration Guide. For information about how to configuration auditing, see the Configuration Guide.
Support of ID Vault in Lotus Notes Domino
Lotus Notes Domino's ID Vault feature is now supported from this release. This feature allows you to natively and securely recover and reset passwords, recover lost IDs, rename users and so on.
12.6.3
Chapter 1: New Features 21
HTTP Header Information Capture
New servlet filter : ClientExtractFilter has been added in this release. This servlet filter will be a central place to extract all the information related to the web client environment. This filter extract information from HTTP headers. Currently only client IP address is being extracted. We however ensure that this information is extracted only once, for any given request.
This servlet filter is executed for each request as suggested by URL pattern:/* in web.xml.
The WebClientInformation utility class has been added which acts as a placeholder for web client information extracted in filter. This class currently holds only IP address however may be enhanced in future.
Then this WebClientInformation is put into the TaskSession as an attribute identified by key: WebClientInfo. So any event, task , UI or workflow created as result of request will have client information where this request generated.
Service Object Enhancements
A new checkbox option "Revoke services for users" to determine if service needs to be revoked before deletion or not has been added in Delete User task.
“Request and View access” task filtering support is added such that the user will get search section for Admin and owner search options.
Service Request specific information like Service Request Duration, user data is made visible in the Service Request approval workflow item. This information is also sent in Email notification when there is global policy based workflow configured on event 'AddServiceToUserEvent'.
12.6.2
22 Release Notes
12.6.2
New Certifications (see page 23)
Mobile App Support (see page 24)
Synchronization/Remove Account Template Values From Accounts (see page 24)
Enhanced Configuration for the LND Connector (see page 25)
Task Persistence Database Schema (see page 25)
Support for Deactivating SAP Account Password (see page 25)
Two Modes for Connecting to Exchange: Agentless and Agent (see page 26)
Support for Exchange Data Access Groups (DAG) (see page 26)
Support for Automatic Mailbox Distribution in Exchange 2010 (see page 26)
Connect to SQL Server When the Database is Offline (see page 26)
Task to Create a Snapshot Definition for Reports (see page 27)
12.6.2
Chapter 1: New Features 23
New Certifications
The following new platforms are certified with CA Identity Manager r12.6.2:
Endpoints
■ CA ControlMinder r12.6 SP2 as an endpoint
■ CA ControlMinder r12.7 as an endpoint
■ Windows Server 2012 as an NT endpoint
■ Windows Server 2012 (ADAM) as a JNDI endpoint
■ CA Directory r12.0 SP11 as a JNDI endpoint
■ Windows Server 2012 Active Directory as an endpoint
■ Java Mainframe Connector as an endpoint
■ Microsoft AD Exchange Server 2010 SP3 as an endpoint
■ Microsoft Office 365 as an endpoint
■ SAPJCO V.3 as an endpoint
Application Servers
■ JBoss 6.1 EAP
■ WebSphere Application Server (WAS) 8.0
■ WebSphere Application Server (WAS) 8.5
CA Identity Manager User Store
■ CA Directory r12.0 SP11 GA
CA Identity Manager User Store and Object Store
■ Microsoft SQL Server 2008 R2 SP2
■ Microsoft SQL Server 2012 SP1
Note: JBoss has not announced support for Microsoft SQL Server 2012.
Additional Support
■ Java JDK 1.7.x
■ Microsoft SQL Server 2012 SP1 user-defined roles and user-defined Server Roles
■ Mozilla Firefox 18.x
■ Business Objects Report Server XI 3.1 SP6 (CABI 3.3 SP1)
■ Integration with CA SiteMinder r12.5 CR1, r12.5 CR2, r12.5.1, r12.0 SP3 CR12 and r6 SP6 CR10
12.6.2
24 Release Notes
■ Integration with CA Identity Manager with CA Identity Governance r12.5 SP8 and CA Identity Governance r12.6 SP1
■ Mobile App support
■ Support for Workpoint designer version 3.4.2.20080602-33
■ Support for Microsoft ADS/Exchange Agentless mode, DAG, and Automatic Mailbox Distribution
■ CA AuthMinder v7.1 support
Mobile App Support
The CA Identity Manager mobile app enables you to leverage your existing CA Identity Manager infrastructure to allow users to complete the following tasks in a mobile device, such as an iPhone or iPad:
■ Reset a forgotten password
Note: When you enable mobile users to reset a forgotten password from their device, CA Identity Manager relies on the device security, instead of security questions. Consider requiring more device security, such as a passcode before you enable password reset functionality.
■ Change a password
■ Respond to approval requests
■ View manager details
This feature allows users who approve workflow requests to view information about a user's manager.
Note: CA Identity Manager 12.6.5 does not support version 1.0 of the mobile app. Download the latest version from the Apple store.
For more information about the mobile app, see the Administration Guide.
Synchronization/Remove Account Template Values From Accounts
You can now use the Synchronization/Remove Account Template Values From Accounts feature on the Responsibilities List attribute of Oracle Applications Account Template, to expire a responsibility entry on the Oracle Applications account.
Additionally, this release includes improvements to responsibility calculations to prevent "out of sync" errors.
For more information about the feature, see the CA Identity Management and Governance Connectors wiki.
12.6.2
Chapter 1: New Features 25
Enhanced Configurations for the LND Connector
To improve the performance of LND Connector during Explore and Correlate operations, the following configurable settings are now available:
■ readExpirationDateInSearch
■ readOuFromPrimaryAddressBookOnly
■ readAcctFromPrimaryAddressBookOnly
■ enableUouDetection
Note: You can change the values of the above attributes in the following file:
CA\Identity Manager\Connector Server\conf\override\lnd\connector.xml
Task Persistence Database Schema
This release includes improvements to the SQL scripts that update the Task Persistence DB schema. The scripts set the correct column size and insert the Runtime Status Detail stored procedure.
In this update, there are no size discrepancies between the runtimeStatusDetail12 table and the corresponding archive_runtimeStatusDetail12 table for new or upgraded systems. This update eliminates the failures with the Cleanup Submitted Tasks task.
Support for Deactivating SAP Account Password
In this release, the Password Deactivated attribute is now available on the Account tab. Using this attribute, you can create an SAP account with a deactivated password. You can also deactivate the password of an existing SAP account. To reactivate, reset the password.
12.6.2
26 Release Notes
Two Modes for Connecting to Exchange: Agentless and Agent
With this release, you can connect to Exchange 2007 and Exchange 2010 endpoints without using an agent. We recommend that you use the agentless mode for new connections to these endpoints.
However, agentless mode does not work with Exchange 2003 and you must connect using the remote agent.
The following table lists the supported versions of Exchange for Agent and Agentless modes:
Endpoint Versions Agent Agentless
Exchange 2003 Yes No
Exchange 2007 Yes Yes
Exchange 2003 and Exchange 2007 Yes No
Exchange 2010 Yes Yes
Exchange 2007 and Exchange 2010 Yes Yes
Support for Exchange Data Access Groups (DAG)
In this release, Exchange 2010 can use Data Access Groups (DAGs) to ensure the high availability. You can connect to a DAG to ensure that the connection to the endpoint survives a failover.
Support for Automatic Mailbox Distribution in Exchange 2010
In this release, the Active Directory (AD) Exchange connector can handle an automatic mailbox distribution in Exchange 2010.
When you create or move a mailbox or mailenable an existing user, the mailbox must be stored in a mailbox database. Earlier Exchange Servers required you to specify the mailbox database for performing one of the above operations. Exchange Server 2010 selects the Exchange select the database using automatic mailbox distribution.
Connect to SQL Server When the Database is Offline
You can now explore and correlate an SQL Server endpoint when its database is offline.
12.6.1
Chapter 1: New Features 27
Task to Create a Snapshot Definition for Reports
We now recommend that you use the Create Snapshot Definition task to create a snapshot for the data needed to build a report. The default snapshot XML parameter files are being phased out. For details, see the Administration Guide.
12.6.1
New Certifications (see page 27)
SSL-Enabled JNDI User Store (see page 28)
Encrypted Password Support in Management Console Bootstrap Directory (see page 28)
New Certifications
The following new platforms are certified with CA Identity Manager r12.6.1:
Endpoints
■ Microsoft SQL 2012 as a static and dynamic endpoint
■ CA Directory r12 SP10 CR2 as a JNDI endpoint
■ CA Embedded Entitlements Manager (EEM) - supported by Provisioning Manager
CA Identity Manager User Store
■ CA Directory r12 SP10 CR2
CA Identity Manager User Store and Runtime Store
■ Microsoft SQL Server 2012 SP1
Additional Support
■ Mozilla Firefox 14.x
■ Business Objects Report Server XI 3.1 SP5 (CA Business Intelligence 3.3)
This version matches the version supported by CA CA SiteMinder®
■ Support of the Report Server in a high availability configuration
■ Support of CA Identity Manager with CA Identity Governance r12.6
■ Support of CA Identity Manager with CA SiteMinder r12.0 SP3 CR11
12.6
28 Release Notes
SSL-Enabled JNDI User Store
Peer certificate verification is now enforced. The feature requires that you add the user store SSL server certificate into the CA Identity Manager JRE default trusted keystore. The keystore is the cacerts or jssecacerts file in this location:
JAVA_HOME\jre\lib\
Use the JDK's utility keytool to add the certificate.
Encrypted Password Support in Management Console Bootstrap Directory
If you secure the Management Console using the bootstrap directory, called the AuthenticationDirectory, you can now encrypt the password for the Management Console administrator.
12.6
New Name and Appearance (see page 29)
Simplified User Experience (see page 29)
Provisioning Enhancements (see page 29)
Connector Enhancements (see page 30)
Performance Enhancements (see page 31)
Policy Xpress Enhancements (see page 32)
Secure Management Console (see page 33)
Basic Access Requests (see page 33)
New Documentation for Config Xpress (see page 35)
Native CA Identity Manager Replacement for SiteMinder Advanced Password Services (see page 36)
Dynamic Keys for Encrypting Data (see page 37)
Active Directory Server Synchronization (see page 37)
Auditing User Login and Logout Events (see page 37)
SHA-2 Support (see page 38)
12.6
Chapter 1: New Features 29
New Name and Appearance
The default User Console has been updated to reflect new CA styles and colors.
Java Connector Server (Java CS or JCS) has been renamed to CA IAM Connector Server (CA IAM CS).
Simplified User Experience
This release includes the following user experience improvements:
■ Updated self-service task screens
The following screens are updated to improve usability:
– Portal look and feel for the Login screen
– Self registration/Creation of identity
– Change My Password
– Forgotten Password Reset
– Forgotten User ID
■ Certain admin tasks use Web 2.0 controls.
Provisioning Enhancements
CA Identity Manager 12.6 includes the following new features and changes to improve provisioning.
Provisioning Server on Linux
The Provisioning Server can now be installed on Red Hat Linux as an alternative to Solaris.
Provisioning Manager Features in the User Console
Several features of the Provisioning Manager are now supported in the User Console:
■ Synchronization of users, roles, endpoint accounts, and account templates
The integration of endpoints and accounts in CA Identity Manager can result in lost synchronization. For example, the provisioning roles that are assigned to a user can differ from the actual accounts that are possessed by that user. Synchronization tasks correct this problem.
■ Correlation rules control the mapping of endpoint account attributes to user attributes in the User Console. For example, Access Control has an attribute called AccountName. You can create a rule to map it to FullName in the User Console.
12.6
30 Release Notes
Connector Enhancements
CA Identity Manager 12.6 includes the following new features and changes to simplify building and deploying new connectors.
Hot Deployment – Install a New Connector without Restarting CA IAM CS
CA IAM Connector Server (CA IAM CS) is the new name for Java Connector Server (or Java CS or JCS).
CA IAM CS now supports hot deployment. Hot deployment is the process of adding, removing or updating a component without restarting CA IAM CS. You can now do the following tasks:
■ Install, uninstall, or upgrade a connector without restarting CA IAM CS
You can deploy a new or updated connector and install it without restarting CA IAM CS or logging in to its host. Contact CA Support for the latest connector versions.
■ Deploy third-party libraries without restarting CA IAM CS
Some connectors require libraries that we cannot ship with CA IAM CS. Previously, you would have to deploy these libraries and then restart CA IAM CS. Now, you can deploy these libraries while the connector server is running.
CA IAM CS includes a core set of third-party libraries, and any connector can use any of these libraries. A connector can also include any other third-party library that it requires.
Note: Hot deployment does not work for C++ connectors.
Bundle Builder – New Tool for Creating Connectors
CA IAM CS requires that connectors be supplied as an Open Services Gateway initiative bundle. The OSGi framework is a module system and service platform for the Java programming language that implements a complete and dynamic component model. The SDK for the Connector Server now includes a Bundle Builder tool, which helps you wrap your connector in a bundle.
Logging for Connectors and CA IAM CS
You can now log in to CA IAM CS to see recent log messages for CA IAM CS and its connectors. You can still use log files to see all log messages.
Certificates for Connectors and CA IAM CS
You can now log in to CA IAM CS to view and manage certificates for CA IAM CS and its connectors.
12.6
Chapter 1: New Features 31
Use Connector Xpress to Map Custom Attributes and Custom Capability Attributes
Use Connector Xpress to map custom attributes and custom capability attributes. Using the XML file <jcs-home>/conf/override/lnd/lnd_custom_metatdata.xml to map attributes is no longer available.
CA IAM CS Is a Proxy for CCS
CA Identity Manager now uses CA IAM CS as a proxy for C++ Connector Server (CCS). CA Identity Manager no longer communicates with CCS directly.
Performance Enhancements
CA Identity Manager 12.6 includes performance improvements in the following areas of the product.
Bulk Loader Performance Improvements
In this release, the performance of the bulk loader is improved. The improvements include the following changes:
■ Higher submission rate of tasks through the parent Bulk Loader (Feeder) task; more tasks execute in parallel.
■ Optimizations in database connection reuse; managed object attribute definition caching resulting in faster execution of each task from start to end.
■ Improvements to some plug-ins and listeners to speed up processing of the events that are generated during task execution.
To improve performance further, we recommend that you make these change for the duration of the bulk load operation:
■ Disable any unwanted Policy Xpress policies, Business Logic Task Handlers and synchronization flags at the task level.
■ Run the Bulk Loader (Feeder) task as a dedicated user with the fewest possible admin roles and admin tasks in scope.
Note: For more information about additional performance improvements, see the section on the bulk loader in the Administration Guide.
12.6
32 Release Notes
Improved Snapshot Export Performance
In this release, the process of exporting snapshot data for reports has been refactored to improve performance and usability. Using the Snapshot definition wizard, you can define or customize rules to load users, endpoints, admin roles, provisioning roles, groups, and organizations.
Using this feature, you can use a User Console task to select and export only the desired attributes for a particular snapshot instance. In previous releases, users had to edit an XML file manually.
Note: You can still use and customize the default XML files for capturing snapshots.
For more information about creating snapshot definitions, see the Administration Guide.
Policy Xpress Enhancements
This release contains the following enhancements to Policy Xpress:
■ Attribute plug-ins for Managed Objects
The following Managed Object Attribute plugins have been added to Policy Xpress:
■ Object Attribute—allows you to extract the value of any managed object attribute
■ Has the Object Attribute Value Changed/Attribute of a Specific Object—same as 'Has the User attribute changed' and 'Attribute of a Specific User', but they work with any type of managed object
■ Set Object Attribute—allows you to modify the attribute of managed objects
■ Trim Function
The Trim function allows you to remove unwanted leading and trailing spaces from any data element or string.
■ Support for More Action Rules
Previously, when trying to add more than 60-70 action rules to a policy, Policy Xpress would not add the policy. In this case, no errors or exceptions were reported in the logs. Now, Policy Xpress policies can support up to 500 action rules.
■ Policy Xpress Wiki
The Policy Xpress documentation has been updated and now resides on a Wiki in the CA Security Global User Community.
12.6
Chapter 1: New Features 33
Secure Management Console
The Management Console enables administrators to create and manage CA Identity Manager directories and environments.
The CA Identity Manager installation now includes an option, which is selected by default, to secure the Management Console. During the installation, you create an account that can access the Management Console in a predefined directory.
After installation, you can add additional administrators who need access to the Management Console.
Note: For more information, see the Configuration Guide.
Basic Access Requests
CA Identity Manager users can request access to services that they need to perform their job functions.
A service bundles together all the entitlements - tasks, roles, groups, and attributes - a user needs for a given business role. Services are available to the user through access request tasks in the CA Identity Manager User Console. Access request tasks enable a user or administrator to request, assign, revoke and renew a service.
Services allow an administrator to combine user entitlements into a single package, which are managed as a set. For example, all new Sales employees need access to a defined set of tasks and accounts on specific endpoint systems. They also need specific information added to their user account profiles. An administrator creates a service named Sales Administration, containing all the required tasks, roles, groups, and profile attribute information for a new Sales employee. When an administrator assigns the Sales Administration service to a user, that user receives the entire set of roles, tasks, groups and account attributes that are defined by the service.
12.6
34 Release Notes
Another way users can access services is to request access themselves. In the User Console, each user has a list of services available for their request. This list is populated with services marked as "Self Subscribing" by an administrator with the appropriate privileges, typically during service creation. From the list of available services, users can request access to the services they need. When the user requests access to a service, the request is fulfilled automatically, and the associated entitlements are assigned to the user immediately. An administrator with the appropriate privileges can also configure service fulfillment to require workflow approval, or to generate email notifications.
Note: This initial release supports basic access request capabilities. Access request functionality enables end users to request entitlements (managed and un-managed by CA Identity Manager), define approval flows, and use fulfillment flows.
This initial release does not provide support for advanced access request capabilities such as
■ Bulk definition of access request services objects
■ Integration with CA Identity Governance (formerly called CA GovernanceMinder)
■ Granular filtering and searching
This initial release does not support the following capabilities:
■ Bulk definition of services objects
■ Granular filtering
■ Searches
■ Integration with other fulfillment mechanisms
For more information about services, see the Administration Guide.
12.6
Chapter 1: New Features 35
New Documentation for Config Xpress
Config Xpress is a tool that is included with CA Identity Manager. You can use this tool to analyze and work with the configurations of your CA Identity Manager environments.
Config Xpress allows you to do these tasks:
■ Move components between environments.
The tool automatically detects any other required components, and prompts you move them too. This can save you a lot of work.
■ Publish a report of the system components in a PDF file.
■ Publish the XML configuration for a particular component.
For more information about importing configuration, see Manage Configuration in the Configuration Guide.
12.6
36 Release Notes
Native CA Identity Manager Replacement for SiteMinder Advanced Password Services
In addition to basic password policies, CA Identity Manager provides the following additional password settings now decoupled from SiteMinder:
■ Password expiration:
– Track failed or successful logins - When enabled, tracking information for successful or failed login attempts is written to the password data attribute of the relevant user in the user store.
– Authenticate on login tracking failure - If disabled, users are not able to log in when CA Identity Manager cannot write tracking information to the user store.
– Password expiration if not changed - Configures expiration behavior. If a password has not changed after a specified number of days, users are disabled or forced to change their password. Also allows expiration warnings to be sent for a specified number of days.
– Password inactivity - Configures inactive user behavior. If the user has not made a successful login attempt after a specified number of days the user is disabled or forced to change their password.
– Incorrect password - Configures the number of failed logins that are allowed before the user is disabled.
– Multiple regular expressions - Specifies regular expressions that passwords must or must not match. CA Identity Manager password policies support a single expression of each type.
■ Password restrictions:
– Minimum days before reuse
– Minimum number of passwords before reuse
– Percent different from last password
– Ignore sequence when checking for differences - Ignore position of characters when calculating the percentage difference.
Note: This release does not support historical password data from a CA Identity Manager deployment that uses CA SiteMinder password services (password history) to a deployment that includes only CA Identity Manager r12.6 password services.
12.6
Chapter 1: New Features 37
Dynamic Keys for Encrypting Data
In an environment, you can create dynamic keys that encrypt or decrypt data. If you suspect that a user gained unauthorized access to a key, you can change the password for the keystore. The keystore is the database that stores secret keys. Once you change this password, CA Identity Manager re-encrypts the values of the keys.
The Manage Secret Keys section of the Administration Guide provides details.
Active Directory Server Synchronization
CA IAM CS can be configured to let users with Active Directory Server (ADS), synchronize local identity information with cloud-based endpoint information. For example, you could set up your ADS to synchronize with a cloud-based SalesForce installation. Additions or changes to a synchronized local user group are then propagated to the SalesForce environment.
This feature requires CA IAM CS, a supported endpoint, and the appropriate connector.
Note the following about the Active Directory synchronization feature:
■ This feature supports only Active Directory. Other LDAP directories are not supported for use with this feature in this release.
■ This feature supports only cloud-based endpoints that have an existing connector. In this release, supported applications include Google Apps and SalesForce.
For more information about this feature, see the CA Identity Management and Governance Connectors wiki.
Auditing Login and Logout Events
To improve monitoring of user access in CA Identity Manager environment, you can configure CA Identity Manager to audit the user login and logout events in an environment. You can view these logged events in the default Audit Details report.
Note: User login and logout events cannot be logged for CA SiteMinder.
You can configure these settings in the Audit Settings file. For more information about configuring login and logout events, see the Chapter "Auditing" in the Configuration Guide.
12.6
38 Release Notes
SHA-2 Support
SHA-2 SSL certificate hashing is a cryptographic algorithm developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). SHA2 certificates are more secure than all previous algorithms. In CA Identity Manager, you can configure SHA-2 signed SSL certificates in place of certificates that are signed with the SHA-1 hash function.
Chapter 2: Installation Considerations 39
Chapter 2: Installation Considerations
This section contains the following topics:
Verify WebSphere Configuration (see page 39) Enable Policy Xpress Support for Web Services SOAP and REST (see page 40) Supported Platforms and Versions (see page 40) Deprecated and Dropped Components (see page 40) Co-installation of Unix Remote Agents with Additional CA Products (see page 41) Passwords Not Encrypted (see page 41) Oracle 11g R2 RAC as User Store and Object Store (see page 41) Oracle 12c RDB as User Store and Object Store (see page 41) AD LDS as a User Store (see page 42) Non-ASCII Character Causes Installation Failure on Non-English Systems (see page 42) Work Around Firewall on Windows 2008 SP2 (see page 42) Deploy JSP Pages for Administrator Actions (see page 43) Linux: Provisioning Directory Installation (see page 43) Linux: JDK Requirement for Installation (see page 43) Linux 64-bit: SiteMinder Connectivity Errors (see page 44) Improve Performance on WebSphere and AIX (see page 45) Ignore WebSphere 7/Oracle Error (see page 45)
Verify WebSphere Configuration
WebSphere must be configured to use the Sun Reference Implementation as the JSF implementation container. This configuration should be set before you install CA Identity Manager. If you have already installed CA Identity Manager, do not open the CA Identity Manager user interface. Return to the WebSphere management console and update the configuration, and restart WebSphere for the changes to take effect. You can then return to the CA Identity Manager user console.
For detailed instructions, see the WebSphere section of the Installation Guide.
Enable Policy Xpress Support for Web Services SOAP and REST
40 Release Notes
Enable Policy Xpress Support for Web Services SOAP and REST
Policy XPress is enhanced to support Web Services SOAP (with basic authentication method) and REST (with basic authentication, proxy authentication, and OAuth authentication methods) such that it can be integrated with external applications that provide a web service interface. To use the Policy XPress web services (SOAP and REST) with JBoss 5.1 community edition, copy the following jars into your JBoss 5.1 community edition "\lib\endorsed" directory from the "client" directory, and then restart the application server:
■ jbossws-native-jaxrpc.jar
■ jbossws-native-jaxws.jar
■ jbossws-native-jaxws-ext.jar
■ jbossws-native-saaj.jar
Note: You do not need to consider copying these files for the EAP versions.
Supported Platforms and Versions
At each release of CA Identity Manager, specific versions of application servers, directories, databases, and endpoints are supported.
Note: For a complete list of supported platforms and versions, see the CA Identity Manager support matrix on CA Support.
Deprecated and Dropped Components
Certain components are being deprecated, which means they will not be supported in future releases. Other components are dropped, meaning they are no longer shipped with the product or no longer tested with the product. These components are listed in the CA Identity Manager Deprecation Policy on CA Support.
Co-installation of Unix Remote Agents with Additional CA Products
Chapter 2: Installation Considerations 41
Co-installation of Unix Remote Agents with Additional CA Products
In this release, the UNIX Remote Agents (except for TRU64 platforms) are now installed such that the installed software tracks the dependent software components, such as CA ITCM.
If you want to upgrade the UNIX Remote Agent, the new tracking method does not update the reference counts of dependent software components. If you want to uninstall the product after this upgrade, use the following de-install file:
<install-dir>/scripts/uninstall-force.sh
Note: Ensure that the uninstall-force.sh is not used on hosts that have additional CA software installed. The products may depend on the same software packages which this script removes.
Passwords Not Encrypted
New installations do not encrypt user passwords by default. Also, when CA SiteMinder® is integrated with CA Identity Manager, you cannot enable password encryption by using AttributeLevelEncrypt. This attribute only works when CA SiteMinder® is not installed.
This issue will be corrected at a future release.
Oracle 11g R2 RAC as User Store and Object Store
When using Oracle 11g R2 RAC as a User store and a Runtime store, perform the following to use the Cluster capabilities of an Oracle database cluster:
■ Use SCAN (Single Client Access Name) while you install CA Identity Manager with Oracle 11g R2 RAC.
■ Create the database tablespace on the shared disk group while creating a tablespace.
Oracle 12c RDB as User Store and Object Store
When using Oracle 12c RDB as a User store and a Runtime store, use only non-Container DB mode. The Oracle 12c “Container” DB (multi-tenancy) RDBMS option is excluded for the enterprise product.
AD LDS as a User Store
42 Release Notes
AD LDS as a User Store
If you use AD LDS on Windows 2008 as the CA Identity Manager user store and you integrate CA Identity Manager with SiteMinder, SiteMinder r6.0 SP6/r6.x QMR6 is required.
Non-ASCII Character Causes Installation Failure on Non-English Systems
During CA Identity Manager installation, the installer extracts files to a Temp directory. On some localized systems, the default path to the Temp directory contains non-ASCII characters. For example, the default path to the Temp directory on a Spanish Windows system is the following:
C:\Documents and Settings\Administrador\Configuración local\Temp
The non-ASCII characters cause the installer to display a blank Pre-Installation Summary page, and then cause the installation to fail.
Workaround
Change the tmp environment variable to point to a folder that contains only ASCII characters.
Work Around Firewall on Windows 2008 SP2
During installation in Windows 2008 SP2 deployments, communication to CA Identity Manager components, such as the Provisioning Server, Java Connector Server, and the C++ Connector Server, is blocked by the firewall.
To work around this problem, add port exceptions or disable the Windows firewall to access distributed CA Identity Manager components in Windows 2008 SP2 deployments.
Deploy JSP Pages for Administrator Actions
Chapter 2: Installation Considerations 43
Deploy JSP Pages for Administrator Actions
The CA Identity Manager Server includes sample JSP pages for performing the following actions:
■ Ping the application server
■ List deployed BLTHs
■ List information about object types and managed object providers
■ List plugin information
■ Change logging levels
The JSP pages are installed in this location:
admin_tools\samples\admin
The folder contains a readme.txt file with instructions for using the JSP pages.
Note: You will see a 404 error if you use these JSP pages without following the instructions in the readme.txt file.
Linux: Provisioning Directory Installation
If you install the Provisioning Directory on a Linux system, the system automatically uses IPv6 addresses even if you intend to use IPv4 on this system. All DSAs appear to be running, but when you attempt to connect to the DSAs via JXplorer or install the Provisioning Server, a connection refused error may appear.
To disable IPv6 on Linux
1. Before Provisioning Directory installation, follow the steps in the Red Hat Knowledge base article to Disable IPv6 on Linux.
2. Make sure that /etc/hosts has no entry for this address:
127.0.0.1 hostname
Linux: JDK Requirement for Installation
CA Identity Manager 12.6.5 requires Oracle JDK 1.6.
RedHat 6.x includes OpenJDK 1.6, which can cause the CA Identity Manager installer to hang indefinitely. Be sure to use the required Sun JDK version, as specified in the CA Identity Manager Support Matrix.
Linux 64-bit: SiteMinder Connectivity Errors
44 Release Notes
Linux 64-bit: SiteMinder Connectivity Errors
Symptom:
The CA Identity Manager installer reports errors on Linux 64 bit when you select Connect to SiteMinder. The required agent configuration is not correct in SiteMinder.
Solution:
Perform these steps before deploying any directory or environment.
1. Remember the Agent name and password you provided during the installation. Alternately you can read the value for "AgentName" property from the following:
\iam_im.ear\policyserver.rar\META-INF\ra.xml
2. Open the SiteMinder User Interface and create an agent with the Agent name. Verify that you select the "4.x agent" check box.
3. Start the application server and verify that no policy server connectivity issues appear. For example, look for a line such as following with no exceptions:
13:40:43,156 WARN [default] * Startup Step 2 : Attempting to start
PolicyServerService
Improve Performance on WebSphere and AIX
Chapter 2: Installation Considerations 45
Improve Performance on WebSphere and AIX
For a WebSphere installation on AIX, you can achieve better performance in the User Console by setting the maximum heap size.
Follow these steps:
1. Locate the server.xml in the following location:
WAS_HOME/profiles/Profile/config/cells/Cell/nodes/Node/servers/
Server
2. Add maximumHeapSize="1000" to the jvmEntries element.
You can use a higher value if necessary. For example, to set maximumHeapSize to 2 GB (2048 MB), you add it as shown in bold in the following excerpt from this file:
<jvmEntries xmi:id="JavaVirtualMachine_1183122130078"
verboseModeClass="false"
verboseModeGarbageCollection="false" maximumHeapSize="2048"
verboseModeJNI="false" runHProf="false" hprofArguments=""
debugMode="false"
debugArgs="-agentlib:jdwp=transport=dt_socket,server=y,suspend=
n,address=7777" genericJvmArguments="">
<systemProperties xmi:id="Property_1"
name="com.ibm.security.jgss.debug" value="off"
required="false"/>
<systemProperties xmi:id="Property_2"
name="com.ibm.security.krb5.Krb5Debug" value="off"
required="false"/>
</jvmEntries>
Ignore WebSphere 7/Oracle Error
When CA Identity Manager is installed using an Oracle runtime store and the WebSphere 7 default JRE, the following error appears in the CA Identity Manager logs.
Oracle does not support the use of version 10 of their JDBC driver with the version of the Java runtime environment that is used by the application server.
This error can be ignored.
Chapter 3: Upgrade Considerations 47
Chapter 3: Upgrade Considerations
This section contains the following topics:
Supported Upgrade Paths (see page 47) Application Server Support (see page 47) System Manager Role Needs Admin Roles Scope After Upgrade from 12.6 (see page 48) New Scripts to Update the Task Persistence and Archive Schemas (see page 48) New JCO Files for SAP R3 (see page 48) New Active Directory Role Definition File (see page 48) Update to jboss.xml File (see page 49) Upgrade from r12 (CR6 or later) Fails on Some Clusters (see page 49) Workflow Error after Upgrade from pre-r12.5 SP7 (see page 50) Environment Migration Error (see page 50) Credential Provider Upgrade Error (see page 51) Credential Provider Internal Error (see page 51) No Search Screen with Explore and Correlate Task (see page 51) Non-Fatal Error after Upgrading Provisioning Manager from r12 (see page 52) Rename ACF2, RACFand TSS Endpoints Before Upgrade (see page 52) Run the SQL Upgrade Script (see page 52)
Supported Upgrade Paths
You can upgrade to CA Identity Manager 12.6.5 from the following versions:
■ CA Identity Manager r12
■ CA Identity Manager r12.5 or 12.5 SPx
■ CA Identity Manager r12.6 or 12.6 SPx
If you have a pre-r12 version of CA Identity Manager, first upgrade to r12, r12.5, or r12.5 SP1 to SP6. These versions include the imsconfig tool, which is required to upgrade a pre-r12 version. Then you can upgrade to CA Identity Manager 12.6.5.
Application Server Support
CA Identity Manager 12.6.5 supports the following application server versions:
■ JBoss 6.2 and 6.3 Enterprise Application Platform (EAP)
■ Oracle WebLogic 11g (10.3.5) and 12c
■ IBM WebSphere 8.5.x
See the Upgrade Guide for full details on upgrading on your application server.
System Manager Role Needs Admin Roles Scope After Upgrade from 12.6
48 Release Notes
System Manager Role Needs Admin Roles Scope After Upgrade from 12.6
When upgrading from CA Identity Manager version 12.6 or later, the System Manager role needs to be given the Admin Roles scope.
Note: If this is not done, then the Admin role searches may not return results.
Follow either of these steps:
■ In the Management Console, click System Manager, and then choose the user.
■ Alternatively, you can add the Admin Role scope to the System Manager role itself using Modify Admin Role, System Manager.
New Scripts to Update the Task Persistence and Archive Schemas
This release includes new scripts to update the Task Persistence and Archive schemas. The update runs automatically when you start CA Identity Manager first time after an upgrade. For more information about the new scripts, see the Installation Guide.
New JCO Files for SAP R3
If you plan to use the new connector for SAP R3, you need to update the JCO files. See the endpoint guide for the SAP R3 connector for more details.
New Active Directory Role Definition File
Be sure that you import the new role definition file for Active Directory into each environment. The current CA Identity Manager environment may have an earlier release of the Active Directory Role definition file. So import the file to upgrade the role definitions to 1.08. For details about importing role definition files, follow the procedures in the Upgrade Guide.
Update to jboss.xml File
Chapter 3: Upgrade Considerations 49
Update to jboss.xml File
During a JBoss restart or CA Identity Manager initialization, many errors messages are logged to the CA Identity Manager server.log file. These messages are related to events managed by JMX, but the receiving message bean is not yet initialized. To correct this problem, the following file now includes a depends clause:
iam_im.ear\iam_im_identityminder_ejb.jar\META-INF\jboss.xml
The depends clause is included in this section:
<message-driven>
<ejb-name>SubscriberMessageEJB</ejb-name>
<destination-jndi-name>queue/iam/im/jms/queue/com.netegrity.ims.ms
g.queue
</destination-jndi-name>
<depends>jboss.web.deployment:war=/iam/im</depends>
</message-driven>
Be sure to include this section in your jboss.xml file. The result is the receiving message bean is initialized before JMX starts to process the event queue.
Upgrade from r12 (CR6 or later) Fails on Some Clusters
Symptom:
If you upgrade a cluster from CA Identity Manager r12 CR6 or later, the upgrade may fail due to some cluster properties in the installation file being cleared.
Solution:
Verify that the following properties are populated in the im-installer.properties file before the upgrade:
■ WebSphere: Check if the cluster name is populated in DEFAULT_WAS_CLUSTER. If it is not, add it back manually.
■ WebLogic: Check if the cluster name is populated in DEFAULT_BEA_CLUSTER. If it is not, add it back manually.
Note: This issue does not affect a JBoss cluster.
By default, the installation file is found in the following locations:
■ Windows: C:\Program Files\CA\CA Identity Manager\install_config_info\im-installer.properties
■ UNIX: /opt/CA/CA_Identity_Manager/install_config_info/im-installer.properties
Workflow Error after Upgrade from pre-r12.5 SP7
50 Release Notes
Workflow Error after Upgrade from pre-r12.5 SP7
Symptom:
If you upgrade from a pre-r12.5 SP7 system on the WebLogic application server, you see this error on workflow startup:
WARN [ims.default] * Startup Step 25 : Attempting to start SchedulerService
ERROR [ims.bootstrap.Main] The IAM FW Startup was not successful
ERROR [ims.bootstrap.Main] org.quartz.SchedulerException: JobStore class
'org.quartz.impl.jdbcjobstore.JobStoreCMT' props could not be configured.
[See nested exception: java.lang.NoSuchMethodException: No setter for
property 'lockHandler.class']
Solution:
1. Stop WebLogic.
2. Go to the <IAM-EAR>/APP-INF/lib folder.
3. Remove the following files:
■ common-pool-1.3.jar
■ annotations.jar
■ eurekifyclient.jar
■ quartz-all-1.5.2.jar
4. Start the application server.
5. The workflow startup error no longer appears.
Environment Migration Error
Symptom:
If you are upgrading from CA Identity Manager r12 CR1, CR2, or CR3, you may see the following error when importing your environments:
Attribute "accumulateroleeventsenabled" is not allowed to appear in element "Provisioning".
Solution:
Open the envsettings.xml file in the exported Env.zip, and update the accumulateroleeventsenabled to acumulateroleeventsenabled (remove the second 'c' in accumulate).
Credential Provider Upgrade Error
Chapter 3: Upgrade Considerations 51
Credential Provider Upgrade Error
After you upgrade the CA Identity Manager r12 Credential Provider on a 32 bit Windows platform, the Disable Microsoft Password Credential Provider checkbox in the CAIMCredProvConfig application is unchecked.
Workaround
Open the CAIMCredProvConfig application and select the check box.
Credential Provider Internal Error
Symptom:
When I upgrade CA Identity Manager Credential Provider on 64-bit Windows platforms, I receive the error message Internal Error 2324.2.
Solution:
No action is required. If no other errors were issued, the upgrade process completed successfully.
No Search Screen with Explore and Correlate Task
If you upgraded from CA Identity Manager r12 or if you upgraded from CA Identity Manager r12.5 and migrated the Explore and Correlate task to the new recurrence model, the Browse button in the Explore and Correlate task does not work correctly.
Workaround
Configure a search screen for the task so that the new Browse button brings up a search screen when clicked.
Non-Fatal Error after Upgrading Provisioning Manager from r12
52 Release Notes
Non-Fatal Error after Upgrading Provisioning Manager from r12
Symptom:
After upgrading Provisioning Manager from CA Identity Manager r12 CRx, the installer displays the following message:
The installation wizard has finished upgrading CA Identity Manager but
non fatal errors or warnings occurred during the upgrade. For details
please see the installation log under C:\Program Files\CA\CA Identity
Manager.
Warning/Errors were reported related to the following components
The CA Identity Manager installation log contains the following entry:
Install, com.installshield.product.actions.Files, err,
ServiceException: (error code = -30016; message = "The process cannot
access the file because it is being used by another process.”
Solution:
The error occurs because the installer cannot create a directory that exists. However, the installation has completed successfully, and the Provisioning Manager is fully functional.
Rename ACF2, RACFand TSS Endpoints Before Upgrade
Spaces in endpoint names are no longer supported. If you created endpoints with spaces in the name in a previous release, remove the spaces before upgrading to 12.6.
Run the SQL Upgrade Script
After the upgrade, the first time you start the CA Identity Manager server, a script executes. It updates the Task Persistence table runtimeStatusDetail12 Description column size to 2000 characters.
Run the SQL Upgrade Script
Chapter 3: Upgrade Considerations 53
If the script fails to run, follow these steps:
1. Do one of the following:
■ Microsoft SQL Server: Open the Query Analyzer tool and select the script you need.
■ Oracle: Open the SQL prompt for the script you need.
2. Select one of the following scripts:
– Microsoft SQL Server: C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\db\taskpersistence\sqlserver\archive_db_sqlserver_upgrade_to126sp2.sql
– Oracle on Windows: C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\db\taskpersistence\oracle9i\archive_db_oracle_upgrade_to126sp2.sql
– Oracle on UNIX: /opt/CA/IdentityManager/IAM_Suite/Identity_Manager/tools/db/taskpersistence/oracle9i/archive_db_derby_upgrade_to126sp2.sql
3. Run the script file.
4. Verify that no errors appeared when you ran the script.
Chapter 4: Known Issues 55
Chapter 4: Known Issues
This chapter lists the issues that are known to exist in CA Identity Manager 12.6.5. All Fixed Issues are in a separate chapter.
This section contains the following topics:
General (see page 55) Reporting (see page 75) General Provisioning (see page 77) CA IAM CS and Connector Xpress (see page 79) Endpoint Types (see page 80)
General
The following are general known issues in CA Identity Manager 12.6.5.
Service Desk Integration REST API Doc Task Fails in IE10
The Service Desk Integration REST API Doc task does not work in Internet Explorer 10.
To workaround this issue, use a compatible browser such as Internet Explorer 11, Chrome or Firefox.
Status for Box Endpoint Users may Vary From Privileges Set in an Account Template
Symptom:
When a Box account is Enabled from a Disabled state or Resumed from a Suspended state, the account state is set to Active even if the state set in the Account Template is different. This is from the difference between the binary value of the account in IM, Enabled/Disabled, and the multi-valued account status on Box.
Solution:
Administrators can perform the task Check Account Template Synchronization and synchronize an account with the Account Template.
General
56 Release Notes
Formatting Issues While Switching Between HTML and Text Views
Symptom:
When you create or modify an email in the HTML editor and switch between HTML and text views, there may be formatting issues, such as table colors being changed or the table being moved. These issues have been observed in Internet Explorer 9 running on Windows 7.
Solution:
Use other supported browsers. For more information on supported browsers, see CA Identity Manager r12.6 SP4 Platform Support Matrix.
Configuration Xpress has Limitations When Migrating Objects from One Environment to Another Environment
Symptom
Some objects, such as Workflow Mappings, can not promote to another environment using Config Xpress.
Solution
1. Log in to the User Console, and browse to Systems, Configure Global Policy Based Workflow for Events.
Note: You can also go to Management Console, Advance Settings, Workflow.
2. Map an event to a non-template workflow.
Note: This event should not be from the OOTB mapping list.
For example, added and mapped AssignAccessRoleEvent to, ModifyAccessRoleMembershipApproveProcess.
3. Export the Environmentsetting.xml from Advance Setting in the Management Console.
4. Delete the newly added mapping from step2.
5. Import the Environmentsetting.xml file of step3.
The mapping created in step 2 should be present after import.
General
Chapter 4: Known Issues 57
QnA as "Reset password behavior" Fails with Default Question and Answer Configuration Setting
QnA as "Reset password behavior" fails using the default Question and Answer Configuration setting, under the environment administrator of IdentityMinder Tasks.
Symptom
Upon selecting the QnA as "Reset password behavior" with default Question and Answer configuration settings, the reset password fails to with the following error message:
"ERROR [im.webservices.QuestionAndAnswerResource] (http-/0.0.0.0:8443-1) Failed to process get user credential questions. Message:java.lang.NullPointerException in the server log file"
Solution:
Perform the following steps to make reset password work with the QnA as Reset password behavior:
Follow these steps:
1. Login to Identity Minder as SuperAdmin.
2. Navigate to Tasks, Environment Administrator, and then select 'Question and Answer Configuration'.
3. Click the Submit button.
Note: Even the default values of 'Enable' option and 'Number of Authentication questions' apply only after performing this step.
General
58 Release Notes
Reset Password Fails After Upgrading IdentityMinder from r12.6 SP2, SP3 to SP4
Symptom:
After the upgrading from either CA IdentityMinder r12.6 SP2 or SP3 to 12.6 SP4, 'Reset password' fails to work as the “Password Reset Behavior” option is not set in the Mobile Configuration.
Solution:
To manually select the “Password Reset Behavior” option,complete the following steps.
1. Login to Identity Minder as SuperAdmin.
2. Navigate to Tasks, System, Mobile Configuration and Click on "Modiy Mobile Configuration".
3. Select the mobile configuration, navigate to 'Features' tab.
4. Manually select one of the available 'Password Reset Behavior' options.
5. Submit the task.
General
Chapter 4: Known Issues 59
Error When Exposing Many Services
Symptom:
When many services is exposed from CA Identity Manager, Axis2 generates large stub class violating the JVM compilation rule and it returns the following error:
error: code too large for try statement
Solution:
When you receive such compilation error, perform the following steps to resolve:
1. Open the generated Stub class file from the following samples directory:
<samples_dir>\wsdl2java\src\tew6\wsdl
Axis2 generates the stub class in the following format:
<Service_name>Stub.java
Note: Retrieve the service name from WSDL.
2. In the stub class file, split the fromOM and populateFaults methods. The following script is an example of fromOM method from the stub class file:
public org.apache.xmlbeans.Xmlobject fromOM (
org.apache.axiom.om.OMElement param,
java.lang.Class type,
java.util.Map extraNamespaces) throws
org.apache.axis2.AxisFault {
try {
.......
.......
.......
}catch (java.lang.Exception e) {
throw org.apache.axis2.AxisFault.makeFault(e);
}
return null;
}
3. Split the method script into two halves and name the other half, for instance, fromOMExtended.
4. Call the newly created method from the fromOM method. The following script is an example of the modified fromOM method:
public org.apache.xmlbeans.Xmlobject fromOM (
org.apache.axiom.om.OMElement param,
java.lang.Class type,
java.util.Map extraNamespaces) throws
org.apache.axis2.AxisFault {
try {
.......
.......
.......
}catch (java.lang.Exception e) {
General
60 Release Notes
throw org.apache.axis2.AxisFault.makeFault(e);
}
//invoking the new method
return this. fromOMExtended(param, type, extraNamespaces);
}
5. Repeat the steps 3 and 4 for populateFaults method.
6. Save the changes and run the following command from the samples directory location for compiling the changes:
sample_dir_location> ant -Dnowsdlgen=true
The compilation returns no error.
Password Stored in Clear Text
Symptom:
The password for the secure management console bootstrap user is stored in the clear text.
Solution:
Use password tool bundled with the installation pacakge to encrypt the password with the –JSAFE option. For more information, see The Password Tool in the Configuration Guide.
Too Many Approvers in ApproversList
Symptom:
Too many Approvers in ApproversList returns the following error:
ORA-12899: Value too large for column error
The task fails and the workflow does not continue.
Solution:
Run the following SQL commands in the Oracle database where report database (object store) is stored.
ALTER TABLE WP_ACT_DATA MODIFY (VAR_VALUE NVARCHAR2(2000));
ALTER TABLE WP_ACTI_DATA MODIFY (VAR_VALUE NVARCHAR2(2000));
ALTER TABLE WP_PROC_DATA MODIFY (VAR_VALUE NVARCHAR2(2000));
ALTER TABLE WP_PROCI_DATA MODIFY (VAR_VALUE NVARCHAR2(2000));
General
Chapter 4: Known Issues 61
Unable to connect to "Forgot Password" and "Unlock account" pages through Credential Provider in Windows 2012 and Windows 8 platforms
Windows 2012 on the lines of Windows 8 does not work with the Credential Provider as Microsoft has changed their interface
404 after password reset confirmation due to missing pws.fcc
Symptom:
When using a public IM task called CPSChangeMyPassword in which the user enters its old password, new password and the confirmation. Once he clicks Submit and then confirms with OK in the subsequent IM confirmation page we receive a 404 File Cannot Be Found.
Solution:
The SiteMinder 12.5 IIS Web Agent does not contain the PWS.fcc file in the IIS virtual directory forms. Copy the PWS.fcc file from the earlier version of the CA Identity Manager.
Adding Custom E-mail Templates for Service Objects
In Service Objects, to receive e-mail notifications and expiration of the service, you must create a custom email template.
Follow these steps:
1. Navigate to the following path:
%JBOSS_HOME%\server\default\deploy\iam_im.ear\custom\emailTemplates\default.
2. Create an custom email template with name “AddServiceToUserEvent.tmpl” in the following folder:
iam_im.ear\custom\emailTemplates\default\service_status_folder
3. If the Service is completed, or pending, change the Status on line 38 accordingly.
4. Verify whether the notification and expiration are updated in the generated e-mail.
General
62 Release Notes
Error When Installing CA Identity Manager with UTF-8 Characters in Installation Path or Database Details in Any Non-English Language
Symptom:
When attempting to perform the CA Identity Manager 12.6 SP3 installation with UTF-8 characters in Installation path or Database details like (DB Name, DB Username and DB Password) in any non-English language, the following error occurs in the installation logs and the installation fails:
C:\Users\Administrator\AppData\Local\Temp\1\598343.tmp\installFrag
ments\dataSource.xml:329: Invalid byte 2 of 4-byte UTF-8 sequence.
Solution:
Use Non UTF-8 characters (English text) in Installation path or Database details like (DB Name, DB Username and DB Password) and proceed with the installation on the following supported foreign non-English languages i.e. French, Italian, German, Spanish, Japanese, Brazilian Portuguese, Simplified Chinese, Korean, Finnish, Norwegian, Swedish, Danish, and Polish.
Connection Errors After CA IdentityMinder Server Upgrade
Symptom:
Connect error when accessing CA Identity Governance from CA Identity Manager after upgrade of an existing installation.
Solution:
After CA Identity Manager server upgrade more configuration is required.
Follow these steps:
1. In the CA Identity Manager User Console, go to System, Web Services, Delete Web Services Configuration, Search.
2. Delete the IMRCM configuration.
3. Log in to the CA Identity Governance web portal.
4. Go to Administration, Universes and select the universe configured to integrate with CA Identity Manager.
5. Go to Connectivity tab and select the CA Identity Manager connector.
Click Test and confirm that the connection is successful.
General
Chapter 4: Known Issues 63
Warning Message When Running an OOTB Snapshot DDL Script
Symptom:
The following sql script produces an invalid index when run on a Microsoft SQL database:
IdentityManager/IAM_Suite/IdentityManager/tools/imrexport/db/SqlServer/ims_mssql_report.sql
The script returns with the following warning message:
Warning! The maximum key length is 900 bytes. The index 'imruser6_index_3' has maximum length of 1260 bytes. For some combination of large values, the insert/update operation will fail.
Solution:
Follow these steps:
1. Use the following code to create a stored procedure:
CREATE PROCEDURE sp_imruser6_index_3_exists
AS
BEGIN
DECLARE @MAX_LEN integer
DECLARE @sql_cmd nvarchar(255)
DECLARE @stmt nvarchar(255)
SET @MAX_LEN = (SELECT SUM(max_length)AS TotalIndexKeySize
FROM sys.columns WHERE name IN (N'imr_userdn', N'imr_reportid')
AND object_id = OBJECT_ID(N'imruser6'))
IF EXISTS (SELECT name FROM sysindexes WHERE name =
'imruser6_index_3') DROP INDEX imruser6_index_3 on imruser6
IF (@MAX_LEN > 900)
CREATE INDEX imruser6_index_3 ON imruser6 (imr_reportid)
INCLUDE(imr_userdn)
ELSE
CREATE INDEX imruser6_index_3 ON imruser6 (imr_reportid,
imr_userdn)
END
GO
Stored procedure is now created.
2. Use the following command to run the stored procedure:
EXEC sp_imruser6_index_3_exists
After successfully executing the stored procedure, the column imr_userdn under imruser6_index_3 becomes as included column.
General
64 Release Notes
Non-Context Sensitive Help for Mobile App
Symptom:
When a user clicks the help icon while performing mobile app tasks, unrelated help displays.
Solution:
Browse for mobile app help in the table of contents or by searching the help.
Provisioning Directory Fails to Create through Management Console
When creating a Provisioning Directory through Management Console, the Provisioning Server domain name field does not allow foreign language characters as the domain name. You may see the following error message:
“could not connect to the LDAP server machinename:20389 with userDN etGlobalUserName=admin,eTGlobalUserContainerName:GlobalUsers,eTNamespacename=CommonObjects,dc=foreignChars, dc=eta and specified password.”
General
Chapter 4: Known Issues 65
AttributeLevelEncryption for User Passwords
When you specify the AttributeLevelEncryption data classification for attributes in the directory configuration file (directory.xml), CA Identity Manager encrypts the attribute value in the user store. In the User Console, the value appears in clear text.
The following attribute description shows the AttributeLevelEncryption data classification:
<ImsManagedObjectAttr physicalname="title" description="Title"
displayname="Title" valuetype="String" maxlength="0"
searchable="false">
<DataClassification name="AttributeLevelEncrypt"/>
</ImsManagedObjectAttr>
In environments with the following configuration, enabling attribute level encryption for passwords prevents users from logging in:
■ CA Identity Manager integrates with CA SiteMinder, and
■ The user store is a relational database
In this release, the AttributeLevelEncryption data classification is removed from the password attribute in the following directory configuration (directory.xml) files:
■ DirectoryTemplates/RelationalDatabase.xml
■ fwSampleRDB.xml
■ Samples/NeteAutoRDB/NoOrganization.xml
■ Samples/NeteAutoRDB/Organization.xml
These files are located in the admin_tools directory.
Note: For more information on managing sensitive attributes, see the Configuration Guide.
General
66 Release Notes
Specifying LDAP DN When Using TEWS
Symptom:
When using TEWS to call the task "CreateOracleServerAccountTemplate" you can get back the following error message:
Error Message: <code>500</code>
<description>Failed to execute CreateOracleServerAccountTemplate. ERROR
MESSAGE: com.ca.iam.model.IAMParseException: Not a valid IAM handle:
'UHGUSERS' ProcessStep::Unknown TabName: null ERRORLEVEL::Fatal</description>
The problem is that the DN TEWS is expecting is not what is in the Provisioning Directory.
This example did not work:
eTORADirectoryName=WSDLOracle4,eTNamespaceName=Oracle Server,dc=im,dc=eta
This example is the DN that did work:
EndPoint=WSDLOracle4,Namespace=Oracle Server,Domain=im,Server=Server
Solution:
To find the mapping make sure the application server log levels are set to verbose. Execute the Identity Manager tasks for which you need the data/paths. The paths will be in the log file. Searching on "<" and "insert into IM_" can be helpful for finding the paths as well as attribute values being passed by the tasks.
setpasswd Fails on 64-bit Linux Systems
Symptom:
On Linux 64-bit and Solaris systems, setpasswd fails with this error:
"/opt/CA/SharedComponents/csutils/bin/expect: error while loading shared libraries:
libtcl8.4.so: cannot open shared object file: No such file or directory"
Solution:
Set LD_LIBRARY_PATH to the following value:
/opt/CA/SharedComponents/csutils/lib/tcl8.4
setpasswd no longer generates this error.
General
Chapter 4: Known Issues 67
Password Policy Issue When Using a Combined User Store and Provisioning Directory
Symptom:
CA Identity Manager does not apply certain password policies in deployments that use a combined user store and provisioning directory. This issue occurs with password policies that include the following rules and restrictions:
■ Password expiration:
– Track failed logins or successful logins.
– Authenticate a login.
– Password expiration if not changed
– Password inactivity
– Incorrect password
– Multiple regular expressions
■ Password restrictions:
– Minimum days before reuse
– Minimum number of passwords before reuse
– Percent different from last password
– Ignore sequence when checking for differences.
This issue occurs because %PASSWORD_DATA% is mapped to a binary attribute instead of a string attribute by default.
Solution:
In the Management Console, map %PASSWORD_DATA% to any eTCustomField attribute that is not mapped to another attribute. For example, eTCustomField99.
After you update the mapping, restart the environment.
Note: For more information about updating an existing CA Identity Manager directory, see the Configuration Guide.
General
68 Release Notes
Cannot Connect to the CA IdentityMinder server when configuring the 64-bit Active Directory Password Synchronization Agent
Symptom:
When configuring the 64-bit Password Synchronization Agent (PSA), I am unable to connect to the CA Identity Manager server to retrieve the list of available Active Directory endpoints.
Solution:
You can configure only the ciphers that the CA IAM CS uses. Add the three new SSL FIPS ciphers to the cipher suite that CA IAM CS uses.
Follow these steps:
1. Open the following configuration file in a text editor:
cs_home\jcs\conf\server_osgi_shared.xml
2. Locate the defaultCipherSuite property in the file. The following example code in the file:
<property
name="defaultCipherSuite"><value>FIPS_TLS_PLUS_SSL_Ciphers</value></property>
<property name="cipherSuites">
<map>
<entry key="FIPS_TLS_PLUS_SSL_Ciphers">
<list>
<value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
<value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>
<value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>
</list>
In this example, FIPS_TLS_PLUS_SSL_Ciphers is the default suite that corresponds to the list of ciphers under cipherSuites property.
3. Add the following entries to the list:
<value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>
<value>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
<value>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>
4. Click Save.
5. Restart the CA IAM CS service.
The 64-bit active directory PSA now connects without an error.
General
Chapter 4: Known Issues 69
Workflow Participant Resolver Fails for EnableUserEventRoles
Symptom:
When you attempt to change workflow settings for the task, you may see this message:
Cannot set "Primary object of this task" in the {0} Resolver Description section for
the multi select task".
Solution:
Go to the workflow page and change the approver to "Object associated with the event."
Duplicate name in View Submitted Tasks
Symptom:
In some heavy-load high availability environment, the CA Identity Manager server may send concurrent requests to the Provisioning Server and introduce race conditions in the Provisioning Server when handling parallel modification requests on same Global User.
Solution:
Change the following Provisioning Manager setting to No and restart the Provisioning Server.
Identity Manager Server/Allow Concurrent Modification on Same Global User
Note: If there is Program Exit accessing Global Users, leave this parameter set to Yes.
Not Found Error When Creating a New Environment
If CA Identity Manager integrates with CA SiteMinder 6.0.5 CR 31 or later, an "Error 404 - Not found" message maybe displayed when users try to browse to a new Environment URL.
This issue is due to a caching issue in the Policy Server.
General
70 Release Notes
Workaround
To resolve this issue, complete the following steps:
For Windows:
1. Add a keyword to the SiteMinder registry as follows:
a. Navigate to \\HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\Siteminder\CurrentVersion\ObjectStore
b. Add the "ServerCmdMsec" key with the following settings:
■ Type: DWORD
■ Value: 1
c. Restart Policy Server
2. Restart the application server.
3. Close all browser instances. Then, use a new browser instance to access the Environment URL.
For Solaris:
1. Add a line to the <CA_HOME folder>/netegrity/siteminder/registry/sm.registry file ServerCmdMsec= 0x1 REG_DWORD
2. Restart the Policy Server.
3. Restart the application server.
4. Close all browser instances. Then, use a new browser instance to access the Environment URL.
Modifying Single Valued Compound Attributes in CA Identity Manager
If you modify a single valued compound attribute in CA Identity Manager for a dynamic endpoint, specify only a single value. If you specify multiple values, the existing value is cleared and the attribute is not given a value. The problem does not occur in the Provisioning Manager.
General
Chapter 4: Known Issues 71
Limitations of Bulk loader in Relationship Attribute Level
Bulk loader cannot update the task operations on the user objects in the relationship attribute level.
■ Relationship attributes that are not updated by Bulk Loader are Users Access roles, Users admin roles, Users Provisioning Roles, Users group membership, and Groups group.
■ Relationship attributes that would get overwritten when you replace old attribute values with new attribute values from the bulk loader file are Groups Administrators, and Custom or default Multi-valued attribute.
Error Creating Provisioning-Enabled Environment using Tokenized Template
In this case, CA Identity Manager cannot assign the Provisioning Synchronization Manager role to the inbound administrator defined in the Environment creation wizard.
If the environment template has tokens or translated strings for the Provisioning Synchronization Manager role name, the search fails and a NoSuchObjectException is thrown.
Oracle Applications Prerequisite
You must set the NLS_LANG as a system environment variable, with .UTF8 as the value.
Note: There must be a period (.) before UTF8 on the system where the Connector Server is installed.
Oracle 11gR2 RAC User Store: Search is Case-Sensitive
Symptom:
When Oracle 11gR2 RAC is the user store, searching for users, groups, or organizations sometimes provides no results although the objects exist.
Solution:
For this user store, the search is case sensitive. For example, searching for smith yields no results if the user was created as Smith in the database. Use the same case as was used when the object was created in the database.
General
72 Release Notes
CA Identity Manager on JBoss does not Reconnect to Oracle
Symptom:
When using JBoss 5.x with an Oracle Database datasource and upgrading CA Identity Manager from an r12.5 release, an application outage occurs if the database server is restarted. The outage is caused by JBoss replacing the property background-validation-minutes with background-validation-millis.
Solution:
To resolve this issue, perform the following steps:
1. Stop the application server.
2. Open the data source files located in /jboss folder/server/default [or server name in cluster]/deploy and delete the following line:
<background-validation-minutes> </background-validation-minutes>
3. Add the following line:
<background-validation-millis>120000</background-validation-millis>
Note: 120000 is the equivalent of 2 minutes previously specified by default for background-validation-minutes. Configure the value according to the business requirements.
4. Restart the application server.
Note: The issue does not affect a new installation of CA Identity Manager.
Skip to Main Content Fails in Mozilla Firefox
Symptom:
At the top of the User Console, you see a Skip to main content link. This link moves the main frame of the page to the top. However, this link fails in Mozilla Firefox.
Solution:
Use Microsoft Internet Explorer 8 or higher with JAWS to support this feature.
Concurrent Changes to a User Fails
A modify user task fails in these situations:
■ If you try to disable a user while modifying that user, the task fails.
■ If you add the forcePasswordChange attribute to the User Profile screen while modifying a user, the task fails.
General
Chapter 4: Known Issues 73
Change to Policy Xpress Syntax
Symptom:
Due to a change to Policy Xpress syntax, an error can occur. It occurs if the policy uses string parsing for the account identifier and the user has multiple accounts on a flat endpoint. Endpoints such as Oracle, OS400, and Microsoft SQL have accounts as a virtual container, which sit below the endpoint name. Starting at 12.6.1, the syntax of account identifier is as follows:
■ For flat connectors, EndpointName: EndpointName:AccountName
■ For hierarchical connectors, EndpointName:AccountContainerPath:AccountName
Solution:
Locate Policy Xpress policies that use string parsing for the account identifier. Update those policies to conform to the new syntax.
Update to SAP Help Topic
The help for the defaults tab related to SAP r3 accounts should have this definition for Decimal Notation.
■ Specifies the different ways to represent decimal notations.
■ You can choose from the following:
1.234.567,89
1,234,567.89
1 234567,89
General
74 Release Notes
Enable the Fix for Oracle Bug 6376915
The Oracle bug 6376915 causes high water (HW) enqueue contention when the database is busy handling large objects (LOB) and the database is configured to use automatic segments space management (ASSM).
This bug causes performance and scalability problems with CA software, including CA Identity Manager and CA CloudMinder.
The fix for this problem introduces a mandatory event. Set this new event to make the ASSM architecture allocate LOB chunks more efficiently.
This bug was introduced in Oracle 10.2.0.3. It was fixed in both Oracle 10.2.0.4 and Oracle 11.1.0.7. However, the fix is not enabled by default.
The steps in this procedure assume that spfile is used for configuration.
Follow these steps:
1. Enter the following command:
ALTER SYSTEM SET EVENT='44951 TRACE NAME CONTEXT FOREVER, LEVEL
1024' scope=spfile;
2. Restart the database.
3. To test the fix, use the following measures:
■ Use Bulk Loader to measure the task throughput in CA Identity Manager and CA CloudMinder.
■ Measure the wait time for HW enqueue contention.
Reporting
Chapter 4: Known Issues 75
Failed to Execute the RequestUserToService Task
Symptom:
When Oracle 12c is used as Objectstore with Jboss 6.x as Application server Error message "Failed to execute RequestUserToService. ERROR MESSAGE: SmApiWrappedExceptionRA-01843: not a valid month" is displayed in the UI when a user is requesting for a Service.
Solution:
1. Stop the Jboss 6.x Application server.
2. Edit the file named Standalone-full.xml, available at <Jboss installed location>\Standalone\Configuration.
3. Search for the following text :
jndi-name="java:/iam/im/jdbc/jdbc/objectstore".
4. Add the highlighted line shown below:
<datasource jta="false"
jndi-name="java:/iam/im/jdbc/jdbc/objectstore"
pool-name="iam_im-imobjectstoredb-ds" enabled="true"
use-java-context="true">
<connection-url>jdbc:sqlserver://<hostname>:1433;selectMethod=c
ursor;DatabaseName=<ora_dbname></connection-url>
<driver>sqljdbc</driver>
<new-connection-sql>alter session set
NLS_DATE_FORMAT='YYYY-MM-DD' NLS_TIMESTAMP_FORMAT='YYYY-MM-DD
HH24:MI:SS.FF3'</new-connection-sql>
5. Add the highlighted line shown below in the same file and save it.
<datasource jta="false"
jndi-name="java:/iam/im/jdbc/jdbc/reportsnapshot"
pool-name="iam_im-imreportsnapshotdb-ds" enabled="true"
use-java-context="true">
<connection-url>jdbc:sqlserver://<hostname>:1433;selectMethod=c
ursor;DatabaseName=<ora_dbname></connection-url>
<driver>sqljdbc</driver>
<new-connection-sql>alter session set
NLS_DATE_FORMAT='YYYY-MM-DD' NLS_TIMESTAMP_FORMAT='YYYY-MM-DD
HH24:MI:SS.FF3'</new-connection-sql>
6. Start the Application server.
Reporting
The following issues are related to reporting in CA Identity Manager 12.6.5.
Reporting
76 Release Notes
Audit-Assign Revoke Provisioning Roles Report
Symptom:
Audit-Assign Revoke Provisioning Roles Report is generated without data when Windows AD 2012 R2 is used as User store.
Solution:
1. Log into the IdentityMinder Management console.
2. Click on Environments link, and then click your <AD Environment>.
3. Click on Advance Settings, Auditing,
4. Click the Export button.
5. Save the Audit Settings xml file.
6. Open the Audit Settings xml file, and then add the following lines at the end of the file:
<AuditEvent name="RevokeProvisioningRoleEvent" enabled="true"
auditlevel="BOTHCHANGED">
<AuditProfile objecttype="USER" auditlevel="BOTHCHANGED"/>
<EventState name="COMPLETE" severity="NONE"/>
<EventState name="INVALID" severity="CRITICAL"/>
</AuditEvent>
7. Save the file.
8. Repeat steps 1, 2 and 3.
9. Click the Import button, browse to and select the updated Audit Settings xml file, and then click on Finish.
10. Click Restart Environment.
11. Generate the Report to get an Audit-Assign Revoke Provisioning Roles Report with data.
User Filter Search is Case Sensitive in the User Accounts and the Endpoint Accounts Custom Snapshots XML Files
Symptom:
When creating a filter on %USER_ID% in both the useraccounts export elements in UserAccounts and Endpoint Accounts custom snapshots xml file, the report does not display the results although the user exists.
Solution:
The filter search is case sensitive.
General Provisioning
Chapter 4: Known Issues 77
Satisfy=All Not Working Properly in XML File
In a Snapshot Parameters XML file, satisfy=all and satisfy=any are both behaving as satisfy=any (similar to an OR operator).
Issue While Using Multiple Filter With Endpoint Object
Symptom:
When a snapshot definition is created with Endpoint object using Multiple Filter, none of the endpoint data is captured.
Solution:
In the Snapshot Policies Tab, in place of selecting multiple endpoint objects, specify '*' asterisk to select multiple endpoint objects.
Snapshot is not Capturing Group Object Data
Symptom:
When a snapshot definition is created with a Group object using "org-filter", none of the group data is captured.
Solution:
In the Snapshot Policies Tab, in place of selecting org-filter from the drop-down, select "(all)".
General Provisioning
The following issues are general provisioning issues in CA Identity Manager 12.6.5.
Renaming Provisioning Roles not Supported
The renaming of provisioning roles after they are created is not supported.
General Provisioning
78 Release Notes
Solaris ECS Logging Above INFO Level Can Affect the Performance of the Provisioning Server
Enabling ECS logging above INFO level causes logs to be written before you receive a response. This causes your request to be delayed while the log is being written.
Workaround
Turn ECS logging off if you are experiencing poor Provisioning Server performance.
Multi-Valued Custom Fields for Provisioning Roles
The CA Identity Manager Provisioning Manger supports multi-valued, custom attributes in Provisioning Roles. However, the CA Identity Manager User Console only supports single valued custom attributes in Provisioning Roles. If CA Identity Manager Provisioning Manger is used to edit Provisioning Role custom attributes, the notification to CA Identity Manager will not include any custom attribute changes. CA recommends you use the IM Modify Provisioning Role task to edit Provisioning Role custom attributes. Do not use CA Identity Manager. It is also advised that only single-valued, custom attributes be used in Provisioning Roles.
Already Exists Error When Adding an Endpoint
If you delete and re-add an endpoint with exactly the same name, sometimes the Provisioning Server reports a failure claiming the endpoint of that name already exists. This can occur when you have configured multiple connector servers to manage that endpoint. The failure results from a problem during endpoint deletion, where not all connector servers are notified of the deletion.
Workaround
Restart all connector servers that are configured to manage the endpoint.
CA IAM CS and Connector Xpress
Chapter 4: Known Issues 79
Correlation of a Microsoft SQL Endpoint Fails
Symptom:
The correlation of a Microsoft SQL endpoint fails with the following message:
Object MS SQL Logins global users creation failed. Unable to determine object class
from distinguished name.
This error occurs when all containers are selected for a Microsoft SQL endpoint, not just the container with accounts.
Solution:
1. Create an Explore and Correlate definition and search for a Microsoft SQL endpoint.
2. Search for all containers but select only the endpoint-name as a container.
3. Select explore and correlate attributes.
4. Execute the Explore and Correlate definition.
CA SiteMinder® Login Name Restriction for Global User Name
If a user is required to log in to the CA SiteMinder® Policy Server, the following characters or character strings cannot be part of a global user name:
&
*
:
()
Workaround
Avoid using these characters in the global user name.
CA IAM CS and Connector Xpress
The following issues are related to CA IAM Connector Server (CA IAM CS) and Connector Xpress.
Note: In CA Identity Manager 12.6, Java Connector Server (Java CS or JCS) has been renamed to CA IAM Connector Server (CA IAM CS).
Endpoint Types
80 Release Notes
JNDI Account Management Screens – Creating Accounts with Multiple Structural objectclasses Fails
You cannot create accounts with multiple structural object classes.
Endpoint Types
The following issues are related to managing endpoint types in CA Identity Manager 12.6.5.
General
The following sections describe the known issues for the various connectors:
Account Status of Non-Existent Account is not Displayed Correctly in the CA Identity Manager User Console
In the CA Identity Manager user console, account status of a natively deleted account is not displayed correctly. A success message is displayed when suspending an endpoint that does not exist.
Endpoints with Retry Autolock must be Configured with a Generous Retry Limit
This section applies to all of the TSS connectors.
Consider an endpoint that has 'N' retry autolock behavior. The account that is used to connect to the endpoint using CA IAM CS should be configured to have a generous (or unlimited) “N” due to attempts to connect being used up quickly by CA IAM CS.
When the account is natively locked due to "N" being exceeded, it may be necessary to use native tools to unlock the account before the endpoint is acquired again. This situation depends on the exact native "locked" behavior of the endpoint.
Endpoint Types
Chapter 4: Known Issues 81
Error in Endpoint Search Screens after Upgrading from CA Identity Manager r12.5 SP6 or Earlier
This section applies to all of the TSS connectors.
Symptom:
An error that resembles the following message occurs when you import endpoint role definitions files from r12.5 SP6 or earlier into r12.5 SP7 or later:
"Error in screen definition "Default Endpoint Type Primary Group Endpoint Capability Search" with tag "DefaultActiveDirectoryPrimaryGroupEndpointCapabilitySearch" Error: The type "UNKNOWN" is not a valid object type."
In CA Identity Manager r12.5 SP7, certain objects were renamed. These objects are referenced in endpoint capability search screens. After upgrading to r12.5 SP7 or later, an error can occur when you import role definitions files that include screens referring to the old object names.
This issue is identified in Active Directory and CA Access Control endpoints.
Solution:
Consider deleting screen definitions that reference the old object name before importing a role definitions file.
The following case is an example of an Active Directory endpoint:
In CA Identity Manager r12.5 SP6, the Active Directory endpoint capability search screen name referenced the object ACTIVEDIRECTORY_ADUNIXPRIMARYGROUP'.
The object name appears in the following screen definition:
<Screen name="Default Active Directory Primary Group Endpoint
Capability Search"
tag="DefaultActiveDirectoryPrimaryGroupEndpointCapabilitySearch"
screendefinition="EndpointCapabilitySearch"
Object="ACTIVEDIRECTORY_ADUNIXPRIMARYGROUP">
Endpoint Types
82 Release Notes
In CA Identity Manager r12.5 SP7, the object name was changed to 'ACTIVEDIRECTORY_ETADSGROUP'.
The new object name appears in the following screen definition:
<Screen name="Default Active Directory Group Endpoint Capability
Search"
tag="DefaultActiveDirectoryGroupEndpointCapabilitySearch"
screendefinition="EndpointCapabilitySearch"
object="ACTIVEDIRECTORY_ETADSGROUP">
Account Templates are not Synchronized with Accounts on a Create or Modify Task in the User Console
Symptom:
Using the User Console, explicit account synchronization is not supported.
Solution:
Use Provisioning Manager to synchronize accounts with account templates.
Modifying Endpoint Directly Causes Failure when Importing Between Endpoint and Provisioning Server.
This section applies to all of the TSS connectors.
When the endpoint is modified directly (not using the Provisioning Server), a failure is returned when importing. This failure is because of inconsistent data between the endpoint and Provisioning Server. Two examples include:
■ Someone removed tables from the MSSQL endpoint using native tools which resulted in some users getting resources that no longer exist.
To resolve the failure, reexplore the endpoint using the Provisioning Server.
■ Someone deleted some server roles on the endpoint. The account templates that still had those server roles assigned received extra roles that do not exist on the endpoint any more.
To resolve this failure, manually remove those "removed" server roles from the account templates.
Endpoint Types
Chapter 4: Known Issues 83
Restriction on the Endpoint Name for ACF2 ACFESAGE, RACF IRRDBU00, and TSSCFILE Connectors
Symptom:
Attempting to create an endpoint with an endpoint name such as “user test”, “user-test”, and “_usertest” on dumpfile connectors causes endpoint creation to fail with the message: 'Cannot create pool able connection factory'.
Solution:
Space characters are no longer allowed in endpoint names for the ACF2 ACFESAGE, TSSCFILE, or RACF IRRDBU00 connectors. The endpoint name for these connectors also has the following restrictions:
■ Must be between 1 and 30 characters in length
■ Starts with the alphanumeric characters
■ Contains only alphanumeric and/or "_" character only.
Before you upgrade to this version, delete the existing mainframe dumpfile endpoints which are not according to the given restrictions.
CA Access Control
Text for Calender Window Buttons are Shown in English
When creating an account template in the CA access control endpoint, the OK and CANCEL buttons in the calender window appear in English under the Login tab.
Endpoint Types
84 Release Notes
Removing Groups from an Access Control Account
Symptom:
When you remove a native group from a native user account that the Access Control Connector provisioned, the native groups are removed in a two-step process. The two-step process removes all existing group memberships and then adds back all required group memberships. This results in the correct group membership for the account, but can cause operational concerns for some customers.
Solution:
If you do not want to use the two-step process, you can use Connector XPress to create a C++ Connector Server (CCS) definition. The CCS definition can connect to the Provisioning Server directly, instead of routing through the CA IAM CS. This workaround results in one-step group modification for ACC accounts. However, you cannot use the User Console to manage ACC account group membership. To manage ACC account group membership, use the Provisioning Manager.
Note: For information about using Connector Xpress to create a C++ Connector Server definition, see How you Set a Managing Connector Server in the Connector Xpress Guide.
Endpoint Types
Chapter 4: Known Issues 85
CA Arcot
Protecting ArcotID Tasks When CA SiteMinder® Protects CA Identity Manager
If CA SiteMinder® protects CA Identity Manager using a CA AuthMinder authentication scheme, the following tasks are disabled in CA Identity Manager:
■ Create/Reset My ArcotID
■ Download My ArcotID
This is because CA SiteMinder® defines one authentication scheme for a protected resource. All CA Identity Manager-protected tasks have the same URL, which is protected by one CA SiteMinder® authentication scheme. As a result, the same authentication scheme covers all CA Identity Manager tasks.
When ArcotID authentication protects the CA Identity Manager URL, users have to provide an ArcotID to access tasks. Users who access the tasks listed above do not have an ArcotID yet, so they cannot provide it to access the tasks.
To prevent this issue, use an authentication scheme other than CA AuthMinder when CA SiteMinder® protects CA Identity Manager tasks. Examples: Active Directory or LDAP.
Note: Create/Reset My ArcotID or Download My ArcotID are sensitive tasks. CA Technologies strongly recommends that you configure these tasks as protected tasks. If you configure these tasks as public tasks, users can access them without providing credentials. For more information about public tasks, see Self-Service Tasks in the User Console Design Guide.
CA SSO Connector for Advanced Policy Server
The following sections describe the known issues for the CA SSO Connector for Advanced Policy Server:
PLS Connector Cannot Add More than 2000 Accounts to Applications
You cannot add more than 2000 PLS accounts to an application at one time. If you have more than 2000 PLS accounts to add, you must split the accounts into multiple operations.
DB2 and DB2 for z/OS
The following sections describe the known issues for the DB2 and DB2 for z/OS connectors:
Endpoint Types
86 Release Notes
Unable to Save a Date Datatype due to Data Type Mismatch
Symptom:
When I set date type attribute on a DB2 endpoint (JDBC DB2 for IBM i), the following error is displayed:
Bad SQL Grammar: Data type mismatch. (YYYY-MM-DD)
Solution:
Edit the Connection URI on the endpoint page in Provisioning Manager and add date format=iso. The final URI appear as:jdbc:as400://<host>:CA Portal/<db>;prompt=false;date format=iso;. Note the spacing between date and format.
Google Apps
The following sections describe the known issues for the Google Apps Connector.
Google Apps—Error Message When Creating Google Apps Accounts
Symptom:
When I create a Google Apps account, I receive the error message Failed to Execute CreateGoogleAppsUser Google Apps account has been created, but some additional operation failed
The account is created in CA Identity Manager and on the Google Apps endpoint, but it is not visible in the CA Identity Manager User Console because it is not associated with the global user.
Solution:
The error occurs when you try to create an account using the same nickname and username.
To fix the problem, do an explore and correlate on the Google Apps endpoint.
The account you created is associated with the global user in CA Identity Manager and is now visible.
Google Apps—Multiple Google Apps Endpoints on the Same Connector Server
Google Apps Connector proxy settings are system-wide properties. If you create two or more Google Apps endpoints on the same CA IAM CS, use the same proxy server, port, user name, and password for all the Google Apps endpoints on the same CA IAM CS.
Endpoint Types
Chapter 4: Known Issues 87
Google Apps—Error Message HTTP 403: Forbidden Received When Using NTLM Authentication
Symptom:
When I try to use NTLM authentication I receive the error HTTP 403: Forbidden from the proxy server and the Google Apps domain is not acquired.
Solution:
The error occurs because on a Windows computer, CA IAM CS is installed as a Windows Service and runs as Local System by default.
If CA IAM CS is running on a Windows computer and NTLM is the strongest authentication scheme supported by the HTTP proxy, the Google Apps connector attempts to use NTLM authentication with the HTTP proxy.
If your HTTP proxy server uses NTLM authentication, configure CA IAM CS to run under a Windows domain account or a Windows local account.
To configure NTLM authentication
Do either of the following:
■ Run CA IAM CS with a Windows account that can be authenticated with the HTTP proxy server without providing a user name and password for proxy authentication when creating the endpoint.
■ Run CA IAM CS with a Windows account that cannot be authenticated with the HTTP proxy server, and provide a HTTP user name and password that can be authenticated with the proxy when creating the endpoint.
Note: If you use a Windows domain user for HTTP proxy authentication, prefix the HTTP proxy user name with the Windows domain that the user is in. For example, DOMAIN\ProxyUserAccountName.
Account search failure from Google Apps
Symptom:
Searching for a Google Apps account based on the first or last name fails.
Solution:
Updates to a user's first name or last name may take up to 30 minutes to be processed by Google Apps. Therefore, searching for the new name in CA Identity Manager fails. Wait 30 minutes after a name change before using the new name in the search.
Endpoint Types
88 Release Notes
Microsoft Active Directory and Exchange
The known issues for Active Directory and Exchange are now in the Endpoint Guide for Active Directory and Exchange. You can download this guide from CA Support.
PeopleSoft
The following sections describe the known issues for the PeopleSoft connector.
Searches May Fail in Provisioning Manager
When you use the Provisioning Manager to search for a PeopleSoft endpoint with PeopleTools 8.49, the search for PPS Users for assignment to the "Alternate User ID", "Supervising User ID" and "Reassign Work To" fields does not return results in some cases.
There are two workarounds for this issue:
■ Use the User Console to manage PeopleSoft endpoints (preferred)
■ Enter the value in the Provisioning Manager fields without performing any searches. The value is still be subject to validation, such that if the entered value is not a PPS User, the assignment will fail upon clicking the “Apply” button.
SAP
The following sections describe the known issues for the SAP connector
Assigning SAP Contractual User Types
When assigning a contractual user type to a user on the License Data tab, the change can only be applied to the Master system, not any child system.
Workaround
You can change the contractual license types for the children natively.
Endpoint Types
Chapter 4: Known Issues 89
SAP Endpoint is not Pre-Populated from the SAPlogon.ini File
When the Provisioning Manager is running on Windows 2008, the endpoint details for SAP are not being pre-populated from the SAPlogon.ini file.
Note: This problem is specific to the Provisioning Manager running on Windows 2008 only.
Workaround
You must manually enter the contents of the SAPlogon.ini file into the Provisioning Manager.
Mandatory Fields in the SAP Contractual User Type Attribute
The Contractual User Type that can be specified on the account's License Data tab cannot have mandatory fields other than the LIC_TYPE field. For example, if you have to specify the name of a SAP R3 System (SYSID) to use a Contractual User Type, the assignment will fail and you will get an error saying that there is a missing value for the Name of the SAP R3 System.
The Contractual User Type Attribute in the Account License Data Tab does not Work for all License Types
When a User type is selected from the available list, only some user types work. Some license types produce an error 'BAPI' function call error. The reason is some User types contain extra fields that are not recognized.
Siebel
The following sections describe the known issues for the Siebel connector
SBL Error when Creating Account on Multiple Endpoints
An account template that lists multiple endpoints can only list Siebel groups that exist on all endpoints.
Unix v2
Reset User Password Tasks Works Differently for Various Platforms
When a Reset User Password task is performed in Suse and HPUX endpoints, the user account gets enabled from the suspended state. But, in the case of RHEL, Solaris, and AIX endpoints, the user account remains in suspended state.
Chapter 5: Fixed Issues 91
Chapter 5: Fixed Issues
This section contains the following topics:
12.6.5 (see page 91) 12.6.4 (see page 95) 12.6.3 (see page 98) 12.6.2 (see page 101) 12.6.1 (see page 102)
12.6.5
The following issues are fixed in CA Identity Manager 12.6.5:
Support Ticket Problem Reported
21945012-01
21930288-01 Update Known Issues section: Regular Expression Not Process
21790011-01 System Emails get mangled under windows 7 and IE
21960749-01 Adding BulkLoaderThreads details to the documentation
21457224-01 IDM siteminder integration steps missing in Docs
21400889-01 Documentation changes needed for resolution of defect PROD00171267.
21921090-01 IM r12.6 SP4 docs for Configuration guide refers to a non-existent directory template.
21801163-01 Documentation changes needed for resolution of defect PROD00185352.
21592314-01 Oracle endpoint requires OEM_MONITOR role for the proxy user to manage the accounts
21974806-01 Custom Authentication Schemes documentation specifies incorrect location
21611356-01 Documentation for forgotten password reset. Number of verification questions needs clarification.
21925818-01
[Merge Up for 126778]Values of [Connector Map To] attribute in [Attribute Details] screen continue to increase by changing screen between [Map Attributes] screen and [Attribute
Details] screen.
21848425-01 Email Addresses tab on Create Active dir account
21933212-01 Merge # 127690 : Policy Xpress execution flow not well sorted within "Task/Event History" section
21848425-01 Email Addresses tab on Create Active dir account
21932260-01 Doc missing Reporting steps required for upgrade
21868294-01 Work List Search Screen throws exception error when running View My Worklist
12.6.5
92 Release Notes
21992845-01 ConnXP JNDI DYN With Auxillary Class Mapped Not Return Attribute Data
21879262-01 Need documentation regarding domain admin privileges required for service account
21712517-01 RACF Guide list RACF V2 connector SSL feature as 'no'. It should be 'yes'
21564487-01 Documentation required for work item:111574-How to use the ACC connector against SSL enabled AC clients
Internal Ticket Problem Reported
142910 Export CSV log feature is not working as expected
138153 Update OS400 PSA documentation
134638 Capture two screens needed for the documentation
115810 Need to manually add JARs for JBoss 5.1 community to get PX web service support
128989 Missing Browse Button while adding the members to the Web Service Configuration via Search and select a user option
70758 No information is documented for Question and Answer Configuration under Environment Administration of User Console.
72652 IM<->SM Integration - Validate SM Headers when TEWS is being used (CQ # 185545)
142899 IDM deployments on Weblogic do not provide explicit specification of certain packages required by IDM - log4j in particular.
139355 Manage Users workitems is loading indefinitely to display the workitems of an user if the User Search filter returns a single user
144091 Role not getting added after account sync to the account
142911 Disabling Export CSV log file option throws exception
127815 On Service Revocation,the corresponding user is not getting removed from the group.
141910 IDM deployments on Weblogic do not provide explicit specification of certain packages required by IDM - log4j in particular.
143273 When Modify User admin task is assigned with a event level policy based workflow,modify user
task execution is failing.
134918 L10N:Highlighted text has to be fixed
134923 L10N issue: linguistic failures for main page in Japanese OS.
125049 LLSDK BulkImportTest has been running forever for SQL and AD Platforms
142537 Endpoint creation is failing when cron expression is specified
142838 Modifying the existing project in connector xpress throws Nullpointer exception
137247 Branding logo dimension details should be update in the documentation.
140568 IMPM is getting hanged when clicked on the few tabs present for endpoint window for RSA.
12.6.5
Chapter 5: Fixed Issues 93
136761 Failed to Acquire WinNT, Access Control, AD, ACF as the corresponding DLLs and plugins were failing to load
142707 Multiple file entries are shown in Connector Map To file name drop down
144530
Unable to set BulkLoaderNotification Manager - Error: [Loader Notification Details] The out of the box workflow process definition BulkLoaderNotificationProcess was either missing or not
imported
143092 Provisioning Server installation is failing in RHEL 7.
136754 Unable to Launch Provisioning Manager
129032 Enhancement for generation of Osgi bundles for RSA
144032 The option of ‘System’ menu item is appearing twice in the Tasks Menu
136619 policy based workflow approval policies causing incorrect policies to be evaluated
126663 IM Server failed to start in Post Migration setup. (Could not establish connection with Object
Store)
144160 Modifying database type after creating users and exporting csv files has partial data
142536 Unable to disable Export CSV file checkbox
134920 Linguistic failures for login page in japanese OS
119354 Wrong error message when wrong activation code is entered
64345 Custom logo failed to update for initial mobile client Splash screen.
142378 Merge-up ConfigXpress requires an active internet connection for first run
144344 Log from and Log to date/time feature is not working as expected
137008 Paging needs to be supported for more than 500 accounts
127775 OOTB endpoint dropdown should be RSA SecurID
142456 IM Deployment is failing on IMR12.6 SP5 line on JBoss EAP 6.3
70735 Mobile application behaves inappropriate when moving too and forth within the available questions for user validation to perform reset password.
144163 Multiple deleted users information is written to the log file repeatedly
141974 Group membership details are not displayed for Box User account in IMUI
142687 Sync operation with Manager attribute is not working.
142372 Sync operation is not working when the status is changed in the account template
142692 "java.util.NoSuchElementException: Attribute customProperties has no value" is displayed when try to delete the TransferToUser custom attribute
142688 Able to add the account as manager to himself and able to delete the account without errors (with files attached to the user)
143298 Files are missing on account deletion when acc1 is manager of acc2 and acc2 is manager of acc1
12.6.5
94 Release Notes
142153 Universal Groups are not listed when account template has multiple endpoints
144184 Capture snapshot for "Non-Standards Accounts Report" or "User Accounts Report" taking more than 5 hours for Box-WSL7 and GoogleApps-WSL7 endpoints
142689 No Validation of Manager user specified like email format or the account exists on the endpoint.
142269 ???key: transfertouser.multipleparams??? message is displayed for Box endpoint is having multiple TransferToUser parameters
142134 The account is not getting added as a member of Universal group from other domain
142533 Sort Order it not working in custom attribute tab.
142235 "TransferToUser" parameter validation is getting failed when creating Box-WSL7 endpoint.
142690 Files of deleted user is not moved to Google admin when manager is not specified for the account.
142437 "Invalid JSON data" error message is displayed for Box endpoint is having empty custom
parameters
140716 Active Directory Universal groups are not listed in IMr12.6SP5
142162 Restrict external collaboration checkbox is displayed as unchecked in IMUI.
142532 Disable pagination on endpoint profile screen of SCIM and after executing E&C, Orphan
accounts are not listed as expected.
144155 Start Date Time displaying as blank in snapshot reports
142691 The references of deleted manager is still displayed for the user account in the Manager field.
142158 ???key: transfertouser.invalidemail??? message is displayed for Box endpoint TransferToUser validation
143629 "Status" attribute is displayed TWICE in the Out-Of-Sync attributes.
120195 Package the Box connector
72659 Upgrade to latest CAPKI 4.3 to address OpenSSL vulnerabilities
141297 Task Persistence Database Improvement: Reduce number of database connections.
136473 Certify Oracle eBusiness Suite 12.2.x
121339 Expose X-ROL object
134786 Documentation of IM RSA 8.1 Capabilities and upload documentation to Connector page
126605 Certify Cumulative Update1 of SQL 2012 SP2
107086 Support ACF2 Roles for the Java ACF2 connector (CES # 76560 - Erie)
121348 Extend account template to support role membership
137748 Certify JBoss 6.3 EAP
136547 Support Pin Propagation
61368 Lotus Notes 9 Connector Support (CES # 75706 - TATA)
12.6.4
Chapter 5: Fixed Issues 95
141543 Weblogic, Websphere and Encryption support
139159 Merge back the Flat File Connector capabilities from Wasbi to 12.6 code line
134778 Windows - Install, Upgrade test fix for non-fips and FIPS mode
70785 Rebranding CA IdentityMinder to CA Identity Manager
134782 Support for Extending Filter for RSA 7
139186 Upgrade of CAPKI Libraries for Agents
121344 Extend account object to support role membership
124604 Search functionality for hierarchical objects (domain, account, token, group, trusted group, agent)
135410 Merge back the ADS Custom Tab in IM Web UI from Wasabi (CES # 76469 - SOCIETA' GESTIONE SERVIZI BP SCPA)
140482 Update CA Directory bundle version to SP14 CR2 for IM 12.6 SP5
124768 Package CA Normalized Integration Management for Service Management (CA NIM SM)
120194 Package the GoogleApps V2 connector
136554 Package of RSA and verification of bundles with JCS versions
70432 IM<->SM Integration - Generic or poor/legacy error messages
137628 Certify IM with Solaris 11.x (CES # 77673 - Fujitsu)
135411 Merge back the Universal Active Directory Groups Support in IM Web UI from Wasabi (CES #
75039 - AstraZeneca)
111580 LND connector requirements need to say http port anonymous setting must be set to yes if you do not specify the DIIOP port
72674 Allow specific Admin email Address for each environment that is configured (CES 76155 - First Data)
116751 Certify IM with RSA 8.1 (TIAA of America)
12.6.4
The following issues are fixed in CA Identity Manager 12.6.4:
Support Ticket Problem Reported
20957471/07 Need fix delivered for CQ 170096 on IM 12.6 SP2
21517465/01 Admin role scoping in the search screen.
21536689/01 IM Directory creation keeps bad password
21539813/01 Failed to update quotas and threshold for LND accounts if Mail File ACL set to Manager
12.6.4
96 Release Notes
21538682/01
In a "tokenized" IME when a date picker field is in error then the returned error message shows the Key ID instead of the pair value
from the resource bundle.
21521403/04 Modify of a Service object causes the category to change from Service
21547136/01
On Oracle Applications accounts, the From date on a responsibilityList item is not visible on new accounts in Provisioning Manager until the endpoint is re-explored, if the account is created using a template without any From date set.
21558292/01 MULTIPLE 508 NON-COMPLIANCES
20957471/09
Reverse Sync approvals are generated to remove responsibilities from an Oracle Apps account when an explore is peformed after new accounts were created via IM with responsibilities already assigned.
21551822/01 erroneous object selector results
21567422/01 value for Organization mapping missing in GM after import from IM
20957471/11 Reverse Sync Modified Account policies are not behaving as expected for Oracle Server
21576029/01 Description for Windows NT endpoint does not get displayed in IM user console
21559775/01 Roles import fails with invalid XML character (Unicode: 0x1f) generated by object selector in access role task
21593378/01 Live notification's manager information incorrect
21590547/01 IM 12.6 SP2: AD- A Blank UserPrincipalName attribute causes out of sync errors for AD accounts
21588715/01 When a Showing Rule is defined into an Admin Role Search screen then the search filter does no more work.
21590303/01
Running new bulk loader client in IM r12.6 SP2, the bulk loader opens all of its tasks as in progress and hogs the JVM leaving other requests stuck in queue.
21594906/01 IM 12.6 SP1 - Audit level BOTH on the attribute not taking effect
21574514/02 IM 12.6 SP2:Tassk stuck in progres with PX triggered on event level
workflow
21606642/02 slow performances with "Modify Group Members" task when group contains 38K users
21557047/01 Incorrect attribute mappings in Office 365 connector ?
12345678/01 Need new SM Web Agent API on IM 12.6 SP4.
21604197/01 Role Def Import stops on Prov Role with name containing "\00"
21604199/01 Fail to search Prov Roles on "\" in combination with wildcard "*".
12.6.4
Chapter 5: Fixed Issues 97
21609415/01 Google connector error due to deprecated (?) API
21626365/01 Script Error trying to view page 2 of Provisioning Manager op details
21613942/01 Modify Account Container Filter
21419884/02 ridiculously filtered snapshot takes excessive time to complete
21592259/01 Password filter not working as expected for password validation
21640856/01
When an approval generated by reverse sync for adding a responsibility to an Oracle Apps account is rejected, the responsibility is not expired even though it shows in VST as having been revoked.
21633958/01 DUPLICATE PROV ROLES(PX)
21641737/01 Win2012 ADS functionality levels reported as Win2008R2
21643258/01 Same as CQ176812 but this one is related to "read order"
21575724/01
User scoping rule on Admin policies of Admin roles results in members/administrators of a role not being visible after a restart of
JBoss
21584724/01 Additional logging for the SAP connector
21500603/01 CA Identity Manager and SiteMinder integration fails
21639644/01 Oracle Account Template Export
21657577/01 JCS no longer referencing the Apache CCPP causing failures when JavaScript is used in custom CXP connector.
21636774/01
FND Accounts getting Responsibilities End Dated to Current Date and ORA/01422: exact fetch returns more than requested number of rows
ORA-06512: at "APPS_APPLSYS3.FND_USER_PKG"
21641383/01 Task "Enable/Disable User" getting stucked "In Progress" if PolXpress email is configured.
21646678/01 Ant utility fails trying to tokenize roles if property 'Title' is added to search screens.
21657600/01 IM failed to import the custom fields values on Provisioning Role
21687010/01 Unable to launch some ELM reports.
21668810/01 Problem with deleting users assigned to dynamic groups.
21699782/01 WORK ITEM LIST - LIMITATION. This CQ covers the work needed to make inclusion of worklist items on logon/welcome page optional.
21650405/01 Config Xpress tool not loading policy based workflows
21539813/01 Documentation changes needed for resolution of defect PROD00176400.
12.6.3
98 Release Notes
21712883/01 IM 12.6 SP2 - Active Direcotry account attributes for date/time are not showing up in local timezone in the IM User Console
21669984/01 Can use a private (not public) task called on the public alias using TEWS when IDM and SM are integrated.
21711390/01
IM 12.6 - Security vulnerability- The URL to request an image page allows contentType to be defined by an attacker, allowing code execution in the
browser of an authenticated user who visits the URL
21713498/01 Task status shows complete while events still show in progress
21699782/01 Add initiator and userid search on User's worklist
21704767/01 Java AXIS sample for ModifyGroupMembership.java isn't working with
12.6 (any service pack) - Possible regression used to work with 12.5
21651991/01 Add configuration option to suppress PROVISIONING SERVER Modify_Account_Password notifications to IM
21730035/02
IM12.6 SP2: AD endpoint:Setting 'User must change password after password reset flag' on Configuration tab of endpoint does not update provisioning
21730581/01 Inconsistence in Certifier Type between Provisioning Server and LND endpoint
21746621/01 Unable to Explore/Correlate accounts under OU with name containing "&"
21764131/01
The Office365 single attribute for Block Credential is mapped to eTDYN-str-multi-c/023 instead of to a single-valued DYN attribute which causes errors when trying to do an account sync with a WEAK SYNC Account Template.
12.6.3
The following issues are fixed in CA Identity Manager 12.6.3:
Support Ticket Problem Reported
21088049/02 Workflow job is not responding in "active" state.
21227662/05 Once an ACF2 endpoint is explored with the logged in user, you cannot change to use the proxy admin user.
21240169/01 StringIndexOutOfBoundsException when exporting CA Identity Manager environment.
21298884/01 Assign/Remove Service To/From User not writing to UserStore or Triggering PX to accounts.
12.6.3
Chapter 5: Fixed Issues 99
Support Ticket Problem Reported
21325322/03 Bulk suspensions fail to suspend all LND accounts or add all accounts to the Deny Access Group (Suspended 0)
21329912/02 Account synchronization is not working in CA Identity Manager 12.6.
21347968/01
21358148/01
Policy server crashed when CA Identity Manager access role assigned/removedto/ from a user.
21366658/01 Creating user through bulk loader task is returning null pointer exception when CA SiteMinder is integrated.
21378657/01 OOTB Escalation Workflow prematurely escalates if defined using the "COnfigure Global Policy Based Workflow for Events" task.
21378803/01 Error "Previous password cannot be reused." occurs and fails the task.
21385464/01 NullPointerException when identity policy configured with MemberRule-Groups Where-Attribute Expression.
21387236/01 Create user from Copy is not copying the organization attribute.
21389685/01 Login time exceeds when integrated with CA SiteMinder.
21393295/01 Provisioning role missing from CA Identity Manager user's list of provisioning roles.
21395953/01 Policy Xpress sends e-mail loops.
21417960/01
21417960/03
Modify provisioning role returns null pointer.
21424762/02 Forbidden user error.
21430655/01 Global Policy based workflow events defers to escalation approver.
21430868/02 Unable to remove the middle initial when renaming LND accounts.
21438148/03 The root LND organization is not explored and no accounts are retrieved.
21438256/01 Sample java script does not work with Self Registration task.
21438937/01 Odd special character ends up in task persistence "Old Value" and in auditing.
21439600/01 Customer finds blank windows when they login using password expired user.
21441213/01 Management task imported from CA Identity Manager r12.5 environment returns java.lang.ClassCastException error.
21447986/01 When a Policy Xpress policy is triggered and logged in using Norwegian language, it returns java.lang.IllegalArgumentException: Unmatched braces in the pattern.
21450831/01 When opening a new template using Connector Xpress, it is not showing the Operation Bindings dialog.
21468616/01 Middle initial attribute length.
21470755/01 In Mobile Application, contact card's manager card is not functioning properly.
12.6.3
100 Release Notes
Support Ticket Problem Reported
21470794/01 In Mobile Application, all password reset errors report back as complexity issues even if you submit the incorrect current password.
21473825/01 In CA Identity Manager Mobile application, login fails after resetting a password from inside the mobile application.
21475033/01 In CA Identity Manager Mobile application, Forgotten Password Reset can only be used once.
21478278/01 A CAPTCHA field in CA Identity Manager screen is not displayed again when validation phase rejects some other fields.
21480621/01 Installing CA Identity Manager r12.6 SP2 on JBoss EAP 6 fails to install the iam_im_compile_jsp.* and the build.xml.
21481343/01 No active slots available as they are blocked indefinitely.
21486937/01 When "Wait" flag is checked for an action rule in Policy Xpress to "Execute a function" (not main) as "External Code" category and "Execute Java Code" Type; The JavaActionWaitEvent
is generated by Policy Xpress and status remains "In progress".
21488801/01 Configuring password policy which require punctuation character results in incorrect password.
21497995/01 Bulk operations returns an error when selecting one (out of multiple) delegation worklist items.
21520525/01 <ETAHOME>\bin\ADSLDAPDiag.exe fails with "Error 10054 reading data from server", when attempting manual connection to an Active Directory server 2012.
21522674/01 Connection reset error at startup step 5.
21535004/01 Unable to add SAP role using TEWS.
21537907/01 ConfigXpress is not working in the CA Identity Manager r12.6 SP2 installation.
21539251/01 Error occurs when creating a copy or modifying the Admin Task "View Access History".
215544431/01 Global Workflow policy creation fails.
21558358/01 Agentless exchange agent is looking for CA CloudMinder/CAFT
21568224/01 ConfigXpress.air is not working- returns an error on CA Identity Manager r12.6 SP2 installation.
21572374/01 In CA Identity Manager mobile application, quick approval is not working.
21585328/01 ConfigXpress.air fails to install on CA Identity Manager r12.6 SP2.
12.6.2
Chapter 5: Fixed Issues 101
12.6.2
The following issues are fixed in CA Identity Manager 12.6.2:
Support Ticket Problem Reported
21198613/01 Password set by PX is not synchronized to global user and accounts.
21230281/01 Unable to import Logical Attribute Handlers in the Management Console.
21263275/01 Issues with Arcot Password policy.
21269108/02 Issues with installation of CA Identity Manager r12.6 Password Synchronization agent.
21264877/01 Admin DN is getting appended to the External URL.
21275958/01 Null Pointer Exception while acquiring SAP endpoint.
21272983/01 Errors while reading CA Access Control endpoint with multiple Policy Model Databases (PMDBs) defined.
21173122/01 Imported rolesDef is not displayed.
21270763/01 Error occurs when a provision directory is created using wizard.
21280342/01 DoSynchUserRoles is not enabling the checkboxes for "add missing accounts" and "remove extra accounts" to the CA Identity Manager Task Execution Web Service (TEWS) Web Services Description Language (WSDL).
21285651/01 'Synchronize Accounts with Account Template' task compatibility with TEWS.
21295778/01 "Error instantiating Policy Xpress plugin" error occurs when trying to create or modify any Policy Xpress policies.
21304316/01 Performance issue while adding groups to a user using create or modify user task.
21304316/02 Performance issue when adding groups to user, using Add Groups button on Modify User
task.
21306987/01 NoClassDefFoundError error occurs when running highavailability.bat.
21307126/01 RSA Secure ID 7 - Cannot acquire endpoint due to issues with the script to create Open Service Gateway Initiative (OSGi) bundle.
21315277/04 C++ Connector Server crashes when searching for moved or renamed Active Directory (AD) user accounts.
21319140/01 The imported SQL based dir.xml data is in upper case.
21322022/01 CA Identity Manager Logins are slower over a period of time.
21325322/01 "Session closed due to communications failure" on LND when modifying accounts.
21331632/01 Warning message when revoking service does not include the user name parameter.
21335464/01 Provisioning manager script error when viewing an operation that spans multiple pages.
12.6.1
102 Release Notes
Support Ticket Problem Reported
21351855/01 CA Identity Manager fails to create environment when no provisioning and system manager role only chosen.
21361599/01
21383034/01
The following error appears when Modify User task is used:
Task failed Fatal: Failed to execute SynchronizeAttributesWithAccountEvent:
ERRORMESSAGE: For input string
21393461/01 Exception while updating Enable/Disable user or any other user attribute.
12.6.1
The following issues are fixed in CA Identity Manager 12.6.1:
Support Ticket
Problem Reported
20576709/02 Need to support sharing of common Business Objects Report Server for both CA Identity Manager and SiteMinder
20576725/02 Need to support Business Objects Report Server in a high availability
Configuration
20583665/02 Need to support Business Objects Report Server XI 3.1 SP5 (CABI 3.3)
20774861/02 Unable to include Secondary Object data in Policy Xpress
20777137/02 Enhancement is made to the policy based workflow to get the secondary objects (user objects) which are needed for the primary
objects
20888199/01 DN naming convention for account templates for TEWS not documented
21073146/01 "Synchronize accounts with account template" does not synchronize
21086870/01 Standalone JCS installer does not prompt for FIPS key, causing encryption related problems
21108813/01 CA Identity Manager 12.6 does not provide the expected role definitions
21111634/01 JCS endpoint logs are not created
21131768/01 Global Policy Workflow attribute issue (Event definitions were missing secondary object type)
21135604/01 View Logical Attribute Handlers task fails with a NullPointer Error
21136454/01 SQL Injection security vulnerability has been fixed in this release
12.6.1
Chapter 5: Fixed Issues 103
Support Ticket
Problem Reported
21136456/01 Security vulnerability
21136499/01 Select Box Data is not working with a Profile screen that is attached to a Service in CA Identity Manager 12.6
21137701/01 An exception "PxEnvironmentException" is received when Policy Xpress policy calls external Java code
21140501-1 Support for cloud deployments (tenant management)
21146621/01 Global Attribute Validation in directory.xml
21156269/01 Differences between the DB schemas generated by the installer and the individual database scripts in the tools folder
21156269/01 More scripts needed for manual database creation
21162602/01 Custom correlation for TSS does not work on Unix
21170706/01 View Submitted Task results are incorrectly sorted when regional settings are set to Danish
21175201/01 Account synchronization initiated by inbound notification does not occur when Provisioning Roles are assigned using Policy Xpress
policies
21181592/01 Failed to load CA Identity Manager r12.6 with an error of the invalid class-path
21183366/01 Wrong username used with datasources
21187385/01 CA Identity Manager crashes intermittently
21188814/01 CA SiteMinder® r12 SP3 CR11 policy server crashes while accessing CA Identity Manager policy
21190699/01 Unable to get secondary object information from Policy Xpress on either event or task based policies. Also original attribute value info is
returned even when Policy Xpress fires after task completion.
21190873/01 508 compliance issue - Tool Tip of checkboxes are not meaningful.
21193837/01 Create&delete Managed Objects
21194712-1 Policy Xpress with iterator breaks when a triggered access role assignment is rejected by Workflow
21200396/01 508 Compliance Issue: "Skip to main content" link problems
21200412/01 508 Compliance Issue: Warning and Error messages are not read properly by assisting software to disabled users.
12.6.1
104 Release Notes
Support Ticket
Problem Reported
21213029-1 The password services variables stored in the JSession cache are not cleared (on logout) and subsequent requests get redirected to the
pws.fcc page
Chapter 6: Documentation 105
Chapter 6: Documentation
This section contains the following topics:
Bookshelf (see page 105) Known Issues (see page 105) CA Identity Manager and CA Identity Governance Integration Release Notes (see page 106)
Bookshelf
The Bookshelf provides access to all CA Identity Manager documentation from a single interface. It includes the following:
■ Expandable list of contents for all guides in HTML format
■ Full text search across all guides with ranked search results and search terms highlighted in the content
■ Breadcrumbs that link you to higher level topics
■ Single HTML index to topics in all guides
■ Links to PDF versions of guides for printing
To use the Bookshelf
1. Download the bookshelf from the CA Support Site.
2. Extract the contents of the bookshelf ZIP file.
Note: For best performance, when you install the bookshelf on a remote system, make the bookshelf accessible from a web server.
3. Open the Bookshelf.html file.
Note: If you access the bookshelf from a local drive and are using Microsoft Internet Explorer, a warning appears about active content. To work around this problem, install the bookshelf on a remote system or use a different browser.
The Bookshelf requires Internet Explorer 7 or 8 or Mozilla Firefox 2 or higher. For links to PDF guides, Adobe Reader 7 or higher is required. You can download Adobe Reader at www.adobe.com.
Known Issues
All known issues related to CA Identity Manager are found on the CA support site.
CA Identity Manager and CA Identity Governance Integration Release Notes
106 Release Notes
CA Identity Manager and CA Identity Governance Integration Release Notes
All release notes related to the integration between CA Identity Manager and CA Identity Governance are located in the CA Identity Governance Release Notes. You can access the CA Identity Governance bookshelf from CA Support.
Appendix A: Accessibility Features 107
Appendix A: Accessibility Features
CA Technologies is committed to ensuring that all customers, regardless of ability, can successfully use its products and supporting documentation to accomplish vital business tasks. This section outlines the accessibility features that are part of CA Identity Manager.
508 Compliance
CA Identity Manager complies with Section 508 of the US Rehabilitation Act and the Web Content Accessibility Guidelines (WCAG2.0) at the AA level. The Product Enhancements (see page 107) topic provides more details. You can also ask your account manager for a copy of CA Technology's Voluntary Product Accessibility Template (VPAT).
Product Enhancements
CA Identity Manager offers accessibility enhancements in the following areas:
■ Display
■ Sound
■ Keyboard
■ Mouse
Note: The following information applies to Windows-based and Macintosh-based applications. Java applications run on many host operating systems, some of which already have assistive technologies available to them. For these existing assistive technologies to provide access to programs written in JPL, they need a bridge between themselves in their native environments and the Java Accessibility support that is available from within the Java virtual machine (or Java VM). This bridge has one end in the Java VM and the other on the native platform, so it will be slightly different for each platform it bridges to. Sun is currently developing both the JPL and the Win32 sides of this bridge.
Product Enhancements
108 Release Notes
Display
To increase visibility on your computer display, you can adjust the following options:
Font style, color, and size of items
Lets you choose font color, size, and other visual combinations.
Screen resolution
Lets you change the pixel count to enlarge objects on the screen.
Cursor width and blink rate
Lets you make the cursor easier to find or minimize its blinking.
Icon size
Lets you make icons larger for visibility or smaller for increased screen space.
High contrast schemes
Lets you select color combinations that are easier to see.
Sound
Use sound as a visual alternative or to make computer sounds easier to hear or distinguish by adjusting the following options:
Volume
Lets you turn the computer sound up or down.
Text-to-Speech
Lets you hear command options and text read aloud.
Warnings
Lets you display visual warnings.
Notices
Gives you aural or visual cues when accessibility features are turned on or off.
Schemes
Lets you associate computer sounds with specific system events.
Captions
Lets you display captions for speech and sounds.
Note: If you are using a screen reader, we recommend that you install the latest version of the screen reader tool for better interpretation.
Product Enhancements
Appendix A: Accessibility Features 109
Keyboard
You can make the following keyboard adjustments:
Repeat Rate
Lets you set how quickly a character repeats when a key is struck.
Tones
Lets you hear tones when pressing certain keys.
Sticky Keys
Lets those who type with one hand or finger choose alternative keyboard layouts.
Skip Link
Lets you use the Skip to main content link for a quick navigation to the main content.
Mouse
You can use the following options to make your mouse faster and easier to use:
Click Speed
Lets you choose how fast to click the mouse button to make a selection.
Click Lock
Lets you highlight or drag without holding down the mouse button.
Reverse Action
Lets you reverse the functions controlled by the left and right mouse keys.
Blink Rate
Lets you choose how fast the cursor blinks or if it blinks at all.
Pointer Options
Let you do the following:
■ Hide the pointer while typing
■ Show the location of the pointer
■ Set the speed that the pointer moves on the screen
■ Choose the pointer's size and color for increased visibility
■ Move the pointer to a default location in a dialog box
Product Enhancements
110 Release Notes
Mozilla Firefox Exceptions
We recommend that keyboard users and JAWS users use Internet Explorer 8 for the following reasons:
■ In Firefox, dialogs do not receive the in/out focus.
■ In Firefox, the skip to main content link is not always read first by screen reader.
Keyboard Shortcuts
The following table lists the keyboard shortcuts that CA Identity Manager supports:
Keyboard Description
Ctrl+X Cut
Ctrl+C Copy
Ctrl+K Find Next
Ctrl+F Find and Replace
Ctrl+V Paste
Ctrl+S Save
Ctrl+Shift+S Save All
Ctrl+D Delete Line
Ctrl+Right Next Word
Ctrl+Down Scroll Line Down
End Line End