t l identity...
TRANSCRIPT
Tivoli® Identity Manager
Release Notes
Version 4.6
GI11-4212-05
���
Tivoli® Identity Manager
Release Notes
Version 4.6
GI11-4212-05
���
Note:
Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 67.
Fourth Edition (April 2007)
This edition applies to version 4.6 of Tivoli Identity Manager (product number 5724-C34) and to all subsequent
releases and modifications until otherwise indicated in new editions.
This edition replaces GI11-4212-04 and previous editions.
This product includes Adaptx, a free XSLT Processor. (C) 1998-2002 Keith Visco and Contributors.
© Copyright International Business Machines Corporation 2003, 2007. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Chapter 1. About this release . . . . . 1
Release Notes revision history . . . . . . . . 1
What is changed in this publication . . . . . . . 1
What is new in this release . . . . . . . . . 1
Server function that is deprecated in this release . . 3
Adapters that are deprecated, replaced, or obsolete . 4
APARs for problems not fixed at general availability 6
Publications and related information . . . . . . 6
Tivoli Identity Manager library . . . . . . . 7
Prerequisite product publications . . . . . . 9
Related publications . . . . . . . . . . 10
Accessing publications online . . . . . . . 10
Chapter 2. Hardware and software
requirements . . . . . . . . . . . . 13
Functions or components for which support is
discontinued . . . . . . . . . . . . . . 13
Java Runtime Environment (JRE) and IBM
Development Kit for Java requirements . . . . . 14
UNIX requirements . . . . . . . . . . . . 14
AIX requirements . . . . . . . . . . . 14
Solaris requirements . . . . . . . . . . 15
Linux requirements . . . . . . . . . . . 16
Windows requirements . . . . . . . . . . 16
Database requirements . . . . . . . . . . . 17
Directory server requirements . . . . . . . . 18
WebSphere Application Server base and deployment
manager requirements . . . . . . . . . . . 19
IBM Tivoli Directory Integrator requirements . . . 20
Supported Web Browsers . . . . . . . . . . 22
Crystal Report products . . . . . . . . . . 22
Supported adapter levels . . . . . . . . . . 22
Chapter 3. Known limitations,
problems, and workarounds . . . . . 23
Product installation, upgrade, and removal
problems and workarounds . . . . . . . . . 23
Tivoli Identity Manager limitations . . . . . . 24
Operating system problems and workarounds . . . 25
IBM Tivoli Directory Integrator problems and
workarounds . . . . . . . . . . . . . . 26
WebSphere MQ problems and workarounds . . . 27
Adapter and service problems and workarounds . . 28
Data and naming problems and workarounds . . . 30
Browser problems and workarounds . . . . . . 32
Report problems and workarounds . . . . . . 32
Tivoli Identity Manager user interface problems and
workarounds . . . . . . . . . . . . . . 33
Policy problems and workarounds . . . . . . . 35
Permissions problems and workarounds . . . . . 36
Directory server problems and workarounds . . . 37
Other problems and workarounds . . . . . . . 38
Chapter 4. Documentation Updates . . 41
Publication Title Changes . . . . . . . . . . 41
Installation and configuration guide problems and
workarounds . . . . . . . . . . . . . . 41
Message and e-mail problems and solutions . . . 42
Information center problems and solutions . . . . 43
Internationalization problems and solutions . . . 58
Adobe Acrobat Reader Requirements . . . . . . 59
Chapter 5. Installation images and fix
packs . . . . . . . . . . . . . . . 61
Installation images . . . . . . . . . . . . 61
Verifying the fix pack level . . . . . . . . . 61
Obtaining fix packs . . . . . . . . . . . . 62
Appendix A. Support information . . . 63
Searching knowledge bases . . . . . . . . . 63
Search the information center on your local
system or network . . . . . . . . . . . 63
Search the Internet . . . . . . . . . . . 63
Obtaining fixes . . . . . . . . . . . . . 64
Contacting IBM Software Support . . . . . . . 64
Determine the business impact of your problem 65
Describe your problem and gather background
information . . . . . . . . . . . . . 65
Submit your problem to IBM Software Support 66
Appendix B. Notices . . . . . . . . . 67
Trademarks . . . . . . . . . . . . . . 68
© Copyright IBM Corp. 2003, 2007 iii
|||
iv IBM Tivoli Identity Manager: Release Notes
Chapter 1. About this release
Welcome to the IBM® Tivoli® Identity Manager Release Notes. This release notes
document contains technical information for this release of Tivoli Identity Manager,
including late-breaking information, such as problems and workarounds, and patch
availability.
Note: The information in this publication takes precedence over information in
other publications or online help for this product.
Release Notes revision history
The following revision history table lists all changes made to this Release Notes
edition:
Table 1. Revision history
Date Topic
June 2005 Second edition published
July 2005 Re-issue this publication. For more
information, see “What is changed in this
publication.”
January 2007 Re-issue this publication. For more
information, see “What is changed in this
publication.”
April 2007 Re-issue this publication. For more
information, see “What is changed in this
publication.”
What is changed in this publication
The following revision history table lists all changes made to this Release Notes
edition:
v Described the supported upgrade sequence using version 4.5.1 and Fix Packs.
For more information, see “Product installation, upgrade, and removal problems
and workarounds” on page 23.
v Provided a workaround for an ldapUpgrade problem after a Tivoli Identity
Manager upgrade from Version 4.5.1 to 4.6 fails when a large amount of data is
being upgraded. Additionally, there is a workaround for a problem in failure to
complete any running workflows, including split/join points started before the
upgrade. For more information, see “Product installation, upgrade, and removal
problems and workarounds” on page 23.
What is new in this release
The following are new or changed functions in this release:
v Provisioning policy simulation
Provides an option to view account changes caused by a policy change, before
the change is actually submitted.
v Export-import
© Copyright IBM Corp. 2003, 2007 1
|||
||||||
Moves information between Tivoli Identity Manager test and production
environments, including information for life cycle operations and rules,
workflow processes, services, policies, owner discovery scripts, and
organizational roles.
v Life cycle rules
Allows administrators to trigger events automatically, and also automates
commonly reoccurring events or compliancy checks. Life cycle rules allow
administrators to associate rules with life cycle operations that run as a result of
a Tivoli Identity Manager event.
v Workflow enhancements
Adds workflow-based policy enforcement, invoking a custom workflow for tasks
such as direct account manipulation, policy change, reconciliation, or identity
changes. E-mail templates allow increased levels of customization, localization,
and disablement. Workflow prioritization allows daily changes such as password
requests to occur with higher priorities than long-running processes.
v To-do tasks
Added the following functions:
– Customized approval and request for information (RFI) nodes to reflect the
supported business process
– Multiple to-do items and grouping of to-do items
– To-do reminders
– Forwarding to-do items to another person
– Locking a to-do item to prevent access by others
– Enabling a work order recipient to indicate whether the work order was
completed successfully
– Enabling compliance alerts to appear as to-do itemsv Account adoption
A JavaScript script can be specified to identify the owner of an account during
account reconciliation.
v E-mail post office
A post office function combines similar e-mail notifications into a single
notification, forwarding the consolidated notification to a user at a specified time
interval.
v Additional default reports
Additional reports provide information on non-workflow activities, including
accounts and people, policies, entitlements, provisioning actions, approvals and
rejections, services, access control items, and reconciliation statistics.
v Scalability improvements in identity feeds, workflow, and other functions.
v Other features, including auditing of administrator actions, ability to log
authentication attempts, and two-way secure sockets layer (SSL) authentication
between the Tivoli Identity Manager Server and adapters.
v Changes in installation support on additional platforms and prerequisite
applications, described in the following:
– “Functions or components for which support is discontinued” on page 13
– Chapter 2, “Hardware and software requirements,” on page 13v Other changes throughout the library to improve the organization and technical
accuracy of the information.
2 IBM Tivoli Identity Manager: Release Notes
Server function that is deprecated in this release
These functions are deprecated. There may be additional deprecated function that
is not listed here. For more information, refer to the IBM Tivoli Identity Manager
Information Center and also the deprecated_list.html file in the /extensions/API
directory.
v The use of the CA_CERT_DIR property is deprecated. Examples in the IBM
Tivoli Identity Manager Information Center and online help that use this property
are in error.
This is an example statement that uses the deprecated property:
env.put("com.ibm.daml.jndi.DAMLContext.CA_CERT_DIR", certDirLocation);
To correct the use of the deprecated property, complete these tasks:
1. Remove the line which has the first parameter equal to the CA_CERT_DIR
string. For example, remove the highlighted line:
Hashtable env = new Hashtable();
env.put (Context.INITIAL_CONTEXT_FACTORY,
"com.ibm.daml.jndi.DAMLContextFactory");
env.put(Context.SECURITY_PRINCIPAL, serviceUserName);
env.put(Context.SECURITY_CREDENTIALS, servicePassword);
env.put("com.ibm.daml.jndi.DAMLContext.CA_CERT_DIR", certDirLocation);
env.put(Context.PROVIDER_URL, providerURL);
env.put("com.ibm.daml.jndi.DAMLContext.URL_TARGET_DN", serviceDN);
DirContext damlContext = new InitialDirContext (env);
2. To deploy secure communication when using a Java Naming Directory
Interface (JNDI) Identity Feed program, ensure that the issuer (signer)
certificate of the authority that issued the adapter’s certificate is installed in
the trust store of the Java Virtual Machine (VM) that the JNDI program uses.
This is not the Java VM that the WebSphere Application Server uses,
although both VMs may be the same. The default trust store path name is
JRE\lib\security\cacerts, where JRE is the location of the Java Runtime
Environment being used (for example, WAS_HOME\java\jre). This can be
done by using the WebSphere Application Server IBM Key Management
utility (ikeyman) GUI tool, or the Java Secure Socket Extension (JSSE) keytool
utility (keytool). For more information, refer to the IBM Tivoli Identity
Manager Information Center.v The label ″Access Control Information (ACI)″ has been changed to ″Access
Control Item (ACI)″.
v Context JavaScript Extensions
The context JavaScript extension is provided to support previous versions of
Tivoli Identity Manager and should be used only for entitlement workflows.
Some account-specific functions of the context JavaScript extension, including
getService(), isAccountDataChanged(), and getAccountParameter() cannot be
applicable to operation workflows that are not account related. The context
JavaScript extension might be deprecated in future releases.
v E-mail template customization
E-mail template customization is considered a deprecated method of
customizing notification templates. For more information on customizing IBM
Tivoli Identity Manager notification templates using the graphical user interface
(GUI), refer to the IBM Tivoli Identity Manager Information Center.
v Resource bundle as a work order dynamic content tag
Use of the resource bundle is deprecated as a work order dynamic content tag.
v enRole2ldif.properties file
Chapter 1. About this release 3
Use of this properties file is deprecated. It was used for migration from enRole
3.x to 4.4.
v Certain JavaScript extension references
– Context object type
As a JavaScript extension, this object type is deprecated. New JavaScript
extensions such as Process and Activity, and Relevant Data JavaScript should
be used. The context JavaScript extension is not recommended for use in
custom workflows.
– Enrole.getAttributeValue()v The Service.createEntity() method will not work when deployed on a remote
client. Avoid using these methods on a remote client. Both of the createEntity
methods of class Service have been marked as deprecated in the API help.
v The signIn method is deprecated. There is no replacement method. The
ExternalLogonServlet class calls the signIn method from the LogonMediator.
The signIn method needs the getLogonInfo method from the Home bean, which
is now also deprecated.
Adapters that are deprecated, replaced, or obsolete
The Tivoli Identity Manager adapters in Table 2 are deprecated, or are replaced for
certain versions of a product. Some adapters are supported for a later version of
the product. This list was current at the time these release notes were published.
The current list of adapters might be different.
The Tivoli Identity Manager Server technical documentation library includes
documentation for the adapter components of a Tivoli Identity Manager
implementation. Locate adapter documentation on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list, and then, click the IBM Tivoli
Identity Manager link.
Locate Tivoli Identity Manager adapters on the Web at:
http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home
Table 2. Deprecated or replaced adapters
Adapter for product
Deprecated target system
version
Supported target system
version
ACF2 6.3 6.4, available as a Services
engagement only.
Cisco ACS — 3.2
Clarify 8 12
CLI-X All versions None. You must create your
integration using the
connectors that the IBM
Tivoli Directory Integrator
product provides.
Documentum — 4.2
Entrust — 6, 7
4 IBM Tivoli Identity Manager: Release Notes
Table 2. Deprecated or replaced adapters (continued)
Adapter for product
Deprecated target system
version
Supported target system
version
GroupWise — 6.5
HP-UX 10.20, 11.0 11i, 11i Version 2
HP-UX NIS 10.20, 11.0 11i, 11i Version 2
IBM AIX 4.3, 5.0 5.1, 5.2, 5.3
IBM OS/400 V4 V5
IBM DB2 UDB 7.x 8.1
IBM Informix® 7.3 9.2
IBM Lotus Domino (Windows) 4.x, 5.x 6.0, 6.5
IBM Lotus Domino (AIX) All versions Support is discontinued for
the AIX version of the
adapter.
IBM RACF (z/OS) OS/390 2.9, 2.10 and zOS
1.1, 1.2, 1.3
1.4, 1.5, 1.6
IBM Tivoli Access Manager — 4.1, 5.1
IBM VMS 5.x, 6.x, 7.0, 7.1 7.2, 7.3
LDAP-X All versions None. You must create your
integration using the LDAP
connector that the IBM
Tivoli Directory Integrator
product provides.
Linux (x86) RedHat 7, 8, 9 and SuSE 7,
8, 9
RHEL 2.1, 3.0 and SLES 9
Microsoft Exchange 5.5 2000 and 2003, supported
by Windows AD adapter
Microsoft SQL Server 6.5, 7.0 2000
Microsoft Windows 2000 and 2003 Replaced by Windows AD
adapter
Microsoft Windows AD — 2000, 2003. Supported by
the Windows AD adapter.
Support is discontinued for
the Windows 2000 adapter.
Windows Local — 2000, 2003, XP. Replaces the
use of the Windows NT
agent for local account
management.
Microsoft Windows NT 4.0 None. Support is
discontinued.
Novell NDS eDirectory — 8.7
Oracle Database 7.x, 8.x 9i, 10g
Oracle ERP — 11i
PeopleTools — 8.18, 8.19, 8.43, 8.45
RDBMS-X All versions None. You must create your
integration using the
database connector that the
IBM Tivoli Directory
Integrator product provides.
Chapter 1. About this release 5
Table 2. Deprecated or replaced adapters (continued)
Adapter for product
Deprecated target system
version
Supported target system
version
Remedy — 5.1
RSA ACE/Server 3.x, 4.x, 5.0, 5.1 5.2
SAP R/3 — 4.6c, 4.6d, 6.10, 6.20
SAP Enterprise Portal — 6
Siebel 7.5 None. You must create your
integration using the Siebel
Web Services connector that
the IBM Tivoli Directory
Integrator product provides.
Sun Solaris 6, 7 8, 9
Sun Solaris NIS All versions None. Support is
discontinued.
Sybase 10, 11 12
Teradata Database All versions None. Support is
discontinued.
Top Secret 5.1 5.2, available as a Services
engagement only.
Tru64 UNIX — 5.1a
UPA — MAPI, Notes 6, 6.5. Use of
Tivoli Identity Manager
Work Order features is
preferred.
APARs for problems not fixed at general availability
The following Authorized Program Analysis Reports (APARs) describe problems
that were not fixed at the time of general availability:
APAR Description
IY71026 When you use an English Windows client to log on to a Tivoli Identity
Manager Server with the Japanese language pack, this error message
incorrectly appears in Japanese:
You are not authorized to perform this operation.
IY71972 Windows 2000 Group Names are displayed incorrectly in an account
form when the value is missing in the Search Filter for Group field.
IY71238 Binary Attributes should be included in the Attributes list in the search
interface.
Publications and related information
Read the descriptions of the Tivoli Identity Manager library. To determine which
additional publications you might find helpful, read the “Prerequisite product
publications” on page 9 and the “Related publications” on page 10. After you
determine the publications you need, refer to the instructions in “Accessing
publications online” on page 10.
6 IBM Tivoli Identity Manager: Release Notes
Tivoli Identity Manager library
The publications in the Tivoli Identity Manager technical documentation library are
organized into the following categories:
v Release information
v Planning for installation, configuration, and customization
v Online user assistance
v Server installation and configuration
v Problem determination
v Technical supplements
v Adapter installation and configuration
Release Information:
v IBM Tivoli Identity Manager Release Notes
Provides software and hardware requirements for Tivoli Identity Manager, and
additional fix, patch, and other support information.
v IBM Tivoli Identity Manager Documentation Read This First Card
Lists the Tivoli Identity Manager publications.
Planning for installation, configuration, and customization:
IBM Tivoli Identity Manager Planning for Deployment Guide describes the
components, functions, and capabilities of the product, explains how the product
can impact the infrastructure of an organization, recommends guidelines for
managing the implementation of the product, and recommends strategies for
integrating identity management capabilities into a production environment.
Online user assistance:
Provides online help topics and an information center for all Tivoli Identity
Manager administrative tasks. The information center includes information that
was previously provided in the IBM Tivoli Identity Manager Configuration Guide and
the IBM Tivoli Identity Manager Policy and Organization Administration Guide.
Server installation and configuration:
IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere
Environments provides installation and configuration information for Tivoli Identity
Manager.
Configuration information that was previously provided in the IBM Tivoli Identity
Manager Configuration Guide is now included in either the installation guide or in
the IBM Tivoli Identity Manager Information Center.
Problem determination:
IBM Tivoli Identity Manager Problem Determination Guide provides problem
determination, logging, and message information for the Tivoli Identity Manager
product.
Technical supplements:
The following technical supplements are provided by developers or by other
groups who are interested in this product:
Chapter 1. About this release 7
v IBM Tivoli Identity Manager Performance Tuning Guide
Provides information needed to tune Tivoli Identity Manager Server for a
production environment. It is available on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list, and then, click the IBM Tivoli
Identity Manager link. Browse the information center for the Technical
Supplements section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web site:
http://www.ibm.com/developerworks/
Adapter installation and configuration:
The Tivoli Identity Manager Server technical documentation library includes
documentation for the adapter components of a Tivoli Identity Manager
implementation. Locate adapter documentation on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list, and then, click the IBM Tivoli
Identity Manager link.
Locate Tivoli Identity Manager adapters on the Web at:
http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home
Skills and training:
Education solutions for Tivoli Identity Manager cover these topics:
v Planning
v Basic and Advanced Administration
v Installation and Configuration
v Workflows
You also have the option of requesting custom training that is tailored to your
needs. For more information, road maps, and schedules, access this IBM Tivoli
Education Web site:
http://www.ibm.com/software/tivoli/education
You can also e-mail these education delivery addresses:
v Americas: [email protected]
8 IBM Tivoli Identity Manager: Release Notes
v Asia Pacific: [email protected]
v Europe, the Middle East, and Africa (EMEA): [email protected]
Additional skills and technical training information might be available at these
Web sites
v IBM Professional Certification
http://www.ibm.com/certify/
Search on ″identity manager″ to locate available classes and certification
offerings.
v Virtual Skills Center for Tivoli Software on the Web at:
http://www.cgselearning.com/tivoliskills/
v Tivoli Technical Exchange on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html
Prerequisite product publications
To use the information in this book effectively, you must have knowledge of the
products that are prerequisites for Tivoli Identity Manager Server. Publications are
available from the following locations:
v Operating systems
– IBM AIX®
http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
– Sun Solaris
http://docs.sun.com/db?q=solaris+9
– Red Hat Linux™
http://www.redhat.com/docs/
– Microsoft® Windows Server™ 2003
http://www.microsoft.com/windowsserver2003/proddoc/default.mspxv Database servers
– IBM DB2 Universal Database™
- Support: http://www.ibm.com/software/data/db2/udb/support.html
- Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
- Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
- DB2® product family: http://www.ibm.com/software/data/db2
- Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
- System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
– Oracle
http://www.oracle.com/technology/documentation/index.html
http://otn.oracle.com/tech/index.html
http://otn.oracle.com/tech/linux/index.html
– Microsoft SQL Server 2000
http://www.msdn.com/library/
http://www.microsoft.com/sql/
Chapter 1. About this release 9
v Directory server applications
– IBM Tivoli Directory Server Version 5.2: http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm Version 6.0: http://publib.boulder.ibm.com/infocenter/tiv2help/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
– Sun ONE Directory Server
http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52v IBM WebSphere® Application Server
Additional information is available in the product directory or Web sites. http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp http://www.redbooks.ibm.com/
v WebSphere embedded messaging
http://www.ibm.com/software/integration/wmq/
v IBM HTTP Server
http://www.ibm.com/software/webservers/httpservers/library.html
v Web Proxy Server
– IBM HTTP Server
http://www.ibm.com/software/webservers/httpservers/library.html
– Microsoft IIS HTTP Server
http://www.microsoft.com/technet/prodtechnol/iis/default.asp
– Apache HTTP Server
http://httpd.apache.org/docs-project
Related publications
Information that is related to Tivoli Identity Manager Server is available in the
following publications:
v The Tivoli Software Library provides a variety of Tivoli publications such as
white papers, datasheets, demonstrations, redbooks, and announcement letters.
The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/literature/
v The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available from the
Glossary link of the Tivoli Software Library Web page at:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli software information center
Web site. Access the Tivoli software information center at the following Web
address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z list, and then click the IBM Tivoli Identity
Manager link to access the product library.
10 IBM Tivoli Identity Manager: Release Notes
Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe Reader to print letter-sized
pages on your local paper.
Chapter 1. About this release 11
12 IBM Tivoli Identity Manager: Release Notes
Chapter 2. Hardware and software requirements
This section describes software and hardware requirements for Tivoli Identity
Manager Server running on WebSphere Application Server. In a clustered
environment, install WebSphere Application Server and its prerequisites before you
install Tivoli Identity Manager Server. For more information, refer to the IBM Tivoli
Identity Manager Server Installation and Configuration Guide for WebSphere
Environments.
Minimum values are listed for hardware and software prerequisites. These values
enable a very basic use of Tivoli Identity Manager. You need to use larger values
that are appropriate for your production environment. For more information, refer
to the IBM Tivoli Identity Manager Planning for Deployment Guide and the IBM Tivoli
Identity Manager Performance Tuning Guide technical supplement.
Requirements that are stated in this publication take precedence over any other
mention in the Tivoli Identity Manager publications. The requirements were
current as this publication went to production. For possible updates to this
information, contact your customer support representative.
Functions or components for which support is discontinued
This release of Tivoli Identity Manager discontinues support for these functions or
software and operating system components, which were previously supported:
v Operating systems
– AIX Version 4.3.3, 5.1
– Solaris Version 8
– Windows 2000 Advanced Server
– Red Hat Linux Enterprise for Intel (x86) AS 2.1 (kernel 2.4 only)v Web application servers
– WebSphere Application Server Version 5.0.x When you uninstall WebSphere Application Server Version 5.0.2 on AIX, not
all components are fully removed. IBM Support provides the aixclean.sh and
odmcleanup.sh scripts to complete the removal. In addition, you must
manually delete the /usr/WebSphere directory before you install WebSphere
Application Server Version 5.1. For additional information on contacting IBM
Support, see Appendix A, “Support information,” on page 63. For additional information on migrating the WebSphere Application Server
and WebSphere MQ environments, including back up and restore, refer to the
WebSphere Application Server information center.
– WebSphere Application Server functional clusters are not supported.
– WebLogic Server Version 7.0.3.0v Databases
– DB2 Universal Database Version 7.2 and Version 8.1 prior to Fix Pack 8.
However, DB2 UDB Version 8.1 with Fix Pack 8 is supported, and is the
equivalent of DB2 UDB Version 8.2.1. For more information, see “Database
requirements” on page 17.
– Oracle Version 8iv Directory servers
© Copyright IBM Corp. 2003, 2007 13
– IBM Tivoli Directory Server Version 4.1, 5.1
– Sun ONE Directory Server Version 5.1v Browsers
– Netscape, any previously-supported versionv Tivoli Identity Manager agents prior to version 4.5 of these agents. Agents are
now called adapters in Tivoli Identity Manager release 4.6. For more information,
see “Supported adapter levels” on page 22.
Java Runtime Environment (JRE) and IBM Development Kit for Java
requirements
Tivoli Identity Manager requires Java Runtime Environment version 1.4. For more
information on workflow, policy, or form designer applets that require the Java
Plug-in, refer to the IBM Tivoli Identity Manager Information Center.
Tivoli Identity Manager, Version 4.6 uses IBM Development Kit for Java 1.4.2,
which is bundled by the WebSphere Application Server, Version 5.1 in the
WAS_HOME/java directory.
UNIX requirements
The following tables identify the UNIX operating system, patches, and minimum
hardware requirements for installation. These values do not include additional
runtime requirements. Running more than one server type, such as an application
server and database server on a single computer, will require additional hardware
resources (more RAM) for that computer.
AIX requirements
Table 3 identifies the IBM AIX operating system, patches, and minimum hardware
requirements for installation.
Table 3. AIX operating system and minimum hardware requirements for Tivoli Identity Manager during installation on
WebSphere Application Server
Operating System Patch or maintenance level
requirements
Minimum hardware requirements
AIX 5.2, 5.3 Maintenance level 3
See notes 1 through 4 below.
v RAM: 2 GB
v Processor: IBM 604e processor, 375 MHz or faster
v Free disk space:
– /tmp - 512 MB
– ITIM_HOME - 500 MB
14 IBM Tivoli Identity Manager: Release Notes
Table 3. AIX operating system and minimum hardware requirements for Tivoli Identity Manager during installation on
WebSphere Application Server (continued)
Operating System Patch or maintenance level
requirements
Minimum hardware requirements
1. Migrating from AIX Version 5.1 to AIX Version 5.2 can remove symbolic links from the DB2 Version 8.1 product
directory, such as a link to libdb2.a. You must back up the DB2 database for Tivoli Identity Manager, uninstall
DB2, upgrade AIX Version 5.1 to Version 5.2, reinstall DB2, and then restore the DB2 database.
2. To determine the maintenance level, type this command:
bash-2.05a# oslevel -r
The result is a statement similar to this one, which indicates that the maintenance level is 03:
5200-03
3. Before you install AIX Version 5.3, you might need to upgrade the firmware on your computer to the latest level.
For more information, access these Web sites:
http://www.ibm.com/servers/eserver/support/pseries/news/2004/08/53installtips.html
http://techsupport.services.ibm.com/server/mdownload
4. The WebSphere Application Server administrative host uses the default port 9090. The AIX wsmserver process
might use port 9090 for Web-based System Manager servers. For more information on steps to resolve this
conflict, refer to the IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere
Environments.
For additional information on requirements, refer to these Web sites:
v Fixes
http://www.ibm.com/servers/eserver/support/pseries/aixfixes.html
v Documentation
http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
http://publib.boulder.ibm.com/infocenter/pseries/index.jsp
Solaris requirements
Table 4 identifies the Sun Solaris operating system, patches, and minimum
hardware requirements for installation.
Table 4. Solaris operating system and minimum hardware requirements for Tivoli Identity Manager during installation
on WebSphere Application Server
Operating System Patch or maintenance level
requirements
Minimum hardware requirements
Solaris 9
See note 1 below.
WebSphere Application
Server Version 5.1.1
recommended patch cluster
of November, 2003
v RAM: 2 GB
v Processor: Solaris Sparc processor, 440 MHz or faster
v Free disk space:
– /tmp - 512 MB
– ITIM_HOME - 500 MB
1. Tivoli Identity Manager has prerequisites for WebSphere Application Server and WebSphere embedded
messaging that require additional kernel settings. On Solaris 9, for files and additional processes that ensure
prerequisite checking, refer to this Web site:
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/relnotes/relnotes_aes.html
2. For more information on WebSphere Application Server prerequisites, access this Web site:
http://www.ibm.com/software/webservers/appserv/doc/v51/prereqs/was_v511.htm
Chapter 2. Hardware and software requirements 15
For additional information on requirements, refer to these Web sites:
v Hardware and software requirements, described in installation documentation
http://docs.sun.com/db?q=solaris+9
v Patches
http://sunsolve.sun.com/private-cgi/show.pl?target=patches/patch-access
Linux requirements
Table 5 identifies the RedHat Linux operating system, patches, and minimum
hardware requirements for installation:
Table 5. Linux operating system and minimum hardware requirements for Tivoli Identity Manager during installation
on WebSphere Application Server
Operating System Patch or maintenance level
requirements
Minimum hardware requirements
RedHat Linux
Enterprise for Intel
(x86) 3.0 for IA32
Update 3. For additional
prerequisite tasks, see note 1
below.
v RAM: 2 GB
v Processor: Intel processor, 500 MHz or faster
v Free disk space:
– /tmp - 512 MB
– ITIM_HOME - 500 MB
1. Ensure that you provide the additional prerequisites that are described in the Technote titled ″Preparing Red Hat
Enterprise Linux 3 (RHEL 3) to run WebSphere Application Server V5.1 products.″ For more information, access
this Web address:
http://www-1.ibm.com/support/docview.wss?uid=swg21164634
For additional information on requirements, refer to this Web site:
http://www.redhat.com/docs/
Windows requirements
Table 6 identifies the Microsoft Windows operating system, patches, and minimum
hardware requirements for installation. These values do not include additional
run-time requirements. Running more than one server type, such as an application
server and database server on a single computer, will require additional hardware
resources (more RAM) for that computer.
Table 6. Windows operating system and minimum hardware requirements for Tivoli Identity Manager during
installation on WebSphere Application Server
Operating System Patch or maintenance level requirements Minimum hardware requirements
Windows Server 2003
Standard Edition
None v RAM: 2 GB of memory
v Processor: Intel Pentium class, 1 GHz or
faster
v Free disk space:
– /tmp - 512 MB
– ITIM_HOME - 500 MB
Windows Server 2003,
Enterprise Edition
For additional information on requirements, refer to these Web sites:
v Support
http://www.microsoft.com/windowsserver2003/support/default.mspx
16 IBM Tivoli Identity Manager: Release Notes
v Documentation
http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
Database requirements
Table 7 lists databases that are supported for Tivoli Identity Manager Server
running on WebSphere Application Server. The version, fix pack, or patch are
specified for a given database. The database is supported on the platforms for
which a check mark (U) appears. A JDBC driver is required in some cases. For
more information on configuring servers and JDBC drivers, refer to the IBM Tivoli
Identity Manager Server Installation and Configuration Guide for WebSphere
Environments.
Table 7. Databases available for Tivoli Identity Manager Server running on WebSphere Application Server
Database Fix pack, patch,
and maintenance
level
requirements
AIX 5.2, 5.3 Solaris 9 RedHat
Linux
Windows
Server 2003
Standard
Edition
Windows Server
2003, Enterprise
Edition
DB2 Universal
Database
Enterprise Edition
server Version 8.2
See note 1 below.
Fix Pack 1 U
See notes 2
through 4,
and note 6
below.
U U U U
Oracle Version 9i
See note 5 below.
Release 2 (9.2.0.5) U U U U U
Microsoft SQL
Server 2000
Service Pack 3a U U
1. DB2 UDB Version 8.2.1 is the equivalent of DB2 UDB Version 8.1 with Fix Pack 8.
2. Migrating from AIX Version 5.1 to AIX Version 5.2 can remove symbolic links from the DB2 Version 8.1 product
directory, such as a link to libdb2.a. You must back up the DB2 database for Tivoli Identity Manager, uninstall
DB2, upgrade AIX Version 5.1 to Version 5.2, reinstall DB2, and then restore the DB2 database.
3. If DB2 UDB is selected, the Tivoli Identity Manager installation program pre-allocates 1 GB database table space
on the computer on which the DB2 server resides. Ensure that this free disk space is available on the DB2 server.
For more information on database table space, refer to the IBM Tivoli Identity Manager Performance Tuning Guide
technical supplement.
4. A JDBC driver provides connectivity to a database on a remote computer. The DB2 UDB product provides a type
2 Java Database Connectivity driver, referred to as a DB2 UDB runtime client. The SQL Server 2000 JDBC driver
is JNetDirect JSQLConnect Version 3.3.0, which is provided during the Tivoli Identity Manager installation
process. The Oracle 9i Release 2 product uses the Version 9.2.0.5 JDBC driver (ojdbc14.jar), which is not provided
in the Tivoli Identity Manager product packaging.
Before you install the Tivoli Identity Manager Server, obtain this JDBC driver (ojdbc14.jar) from your Oracle
Database Server installation in the ORACLE_HOME/ora92/jdbc/lib/ directory. Alternatively, you can download
the driver from this Web site:
http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html
5. Oracle installation requires a minimum of 512 MB of RAM and disk space equal to the system’s physical
memory, or 1 GB, whichever is greater. The installer requires up to 400 MB of space in the /tmp directory. For
more information on additional disk space requirements, special operating system requirements, and patches,
refer to the installation documentation that Oracle provides.
6. IBM Tivoli Directory Integrator Version 6.0 and IBM Tivoli Directory Server Version 5.2 require either DB2
Universal Database Version 8.1 with Fix Pack 8 or Version 8.2 with Fix Pack 1.
For more information on database requirements, refer to these Web sites:
Chapter 2. Hardware and software requirements 17
v IBM DB2 Universal Database
http://www.ibm.com/software/data/db2/udb/support.html
http://publib.boulder.ibm.com/infocenter/db2help/index.jsp (Information
center)
http://www.ibm.com/software/data/db2
http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
http://www.ibm.com/software/data/db2/udb/sysreqs.html (Operating system
prerequisites)
http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
v Oracle
http://www.oracle.com/technology/documentation/index.html
http://otn.oracle.com/tech/index.html
http://otn.oracle.com/tech/linux/index.html
v Microsoft SQL Server 2000
http://www.msdn.com/library/
http://www.microsoft.com/sql/
Directory server requirements
Table 8 lists directory servers available for Tivoli Identity Manager Server running
on WebSphere Application Server. The version, fix pack, or patch are specified for
a given directory server. The directory server is supported on the platforms for
which a check mark (U) appears.
Table 8. Directory servers available for Tivoli Identity Manager Server running on WebSphere Application Server
Directory
server
Fix pack,
patch, and
maintenance
level
requirements
AIX 5.2, 5.3 Solaris 9 Redhat Linux Windows Server
2003, Standard
Edition
Windows Server
2003, Enterprise
Edition
IBM Tivoli
Directory
Server Version
5.2
See note 1
below.
Fix Pack 2 U
See note 2.
U U
See note 3.
U U
IBM Tivoli
Directory
Server Version
6.0
U U U U U
Sun ONE
Directory
Server Version
5.2
U See note 4. U U
18 IBM Tivoli Identity Manager: Release Notes
Table 8. Directory servers available for Tivoli Identity Manager Server running on WebSphere Application
Server (continued)
Directory
server
Fix pack,
patch, and
maintenance
level
requirements
AIX 5.2, 5.3 Solaris 9 Redhat Linux Windows Server
2003, Standard
Edition
Windows Server
2003, Enterprise
Edition
1. IBM Tivoli Directory Server Version 5.2 requires either DB2 Universal Database Universal Database Version 8.1
with Fix Pack 8 or Version 8.2 with Fix Pack 1. Additionally, ensure that you obtain the most current referential
integrity file libdelref.a.
2. IBM Tivoli Directory Server Version 6.0 requires AIX 5.2 maintenance level 5.
If you are required to install Tivoli Identity Manager on one computer at AIX 5.2, maintenance level 3, you must
install IBM Tivoli Directory Server Version 6.0 on a different computer at AIX 5.2 maintenance level 5.
3. RedHat Linux Enterprise Version 3.0 only.
4. Sun ONE Directory Server Version 5.2 does not support RedHat Linux Enterprise for Intel (x86) 3.0 for IA32. For
more information, refer to the following Web site:
http://www.sun.com/software/products/directory_srvr/home_directory.xml
http://www.sun.com/software/products/directory_srvr/home_directory.xml
For more information on requirements, refer to these Web sites:
v IBM Tivoli Directory Server
– Hardware and software requirements, and documentation Version 5.2: http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm Version 6.0: http://publib.boulder.ibm.com/infocenter/tiv2help/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
– Fixes
http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html
v Sun ONE Directory Server
– Usage and maintenance
http://www.sun.com/software/products/directory_srvr_ee/index.html
http://www.sun.com/download/index.jsp
– Documentation
http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
WebSphere Application Server base and deployment manager
requirements
Tivoli Identity Manager, Version 4.6 uses IBM Development Kit for Java 1.4.2,
which is bundled by the WebSphere Application Server, Version 5.1 in the
WAS_HOME/java directory.
Use of an independently installed development kit for Java, from IBM or other
vendors, is not supported.
Table 9 on page 20 lists the Tivoli Identity Manager Server prerequisites for the
WebSphere Application Server base and WebSphere Application Server Network
Deployment products:
Chapter 2. Hardware and software requirements 19
Table 9. Tivoli Identity Manager Server prerequisites for WebSphere Application Server
Application server Fix pack requirements Cumulative fix Additional APARs
WebSphere Application
Server base product
Version 5.1
Fix Pack 1 3
See note 1 below.
PK00346, PK02976,
PK02640
See note 2.
The deployment
manager part of the
WebSphere Application
Server Network
Deployment product
Version 5.1. See note 3.
PK00346, PK02976
See note 2.
1. Apply cumulative fix 3, and then apply the APARs.
2. Apply this APAR using the same update tool that applies WebSphere cumulative fixes.
3. The term deployment manager in lowercase is used to indicate that the Tivoli Identity Manager product package
contains the deployment manager, but not other parts, of the WebSphere Application Server Network
Deployment product.
4. When you uninstall WebSphere Application Server Version 5.0.2 on AIX, not all components are fully removed.
IBM Support provides the aixclean.sh and odmcleanup.sh scripts to complete the removal. In addition, you must
manually delete the /usr/WebSphere directory before you install WebSphere Application Server Version 5.1. For
additional information on contacting IBM Support, see Appendix A, “Support information,” on page 63.
For additional information on migrating the WebSphere Application Server and WebSphere MQ environments,
including back up and restore, refer to the WebSphere Application Server information center.
For more information on requirements, refer to these Web sites:
v Hardware and software requirements
http://www.ibm.com/software/webservers/appserv/doc/latest/prereq.html
http://www.ibm.com/software/webservers/appserv/doc/v51/prereqs/was_v511.htm
v Fixes
http://www.ibm.com/software/webservers/appserv/was/support/
v Documentation http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp http://www.redbooks.ibm.com/
IBM Tivoli Directory Integrator requirements
Table 10 on page 21 lists the IBM Tivoli Directory Integrator version that Tivoli
Identity Manager supports.
20 IBM Tivoli Identity Manager: Release Notes
Table 10. Tivoli Identity Manager Server prerequisites for IBM Tivoli Directory Integrator
Directory
integrator
Fix pack,
patch, and
maintenance
level
requirements
AIX 5.2, 5.3 Solaris 9 Redhat Linux Windows Server
2003, Standard
Edition
Windows
Server 2003,
Enterprise
Edition
IBM Tivoli
Directory
Integrator
Version 6.1
IBM Tivoli
Directory
Integrator Fix
Pack 1 (see
note 1 below)
and Tivoli
Identity
Manager
interim fix 28
(see note 2
below)
U U U
Redhat
Enterprise
Linux- see note
3 below.
U U
IBM Tivoli
Directory
Integrator
Version 6.0
See note 4
below.
Fix Pack 1
and interim
fix 4
U U U U U
1. The following IBM Tivoli Directory Integrator Version 6.1 fixes are required to support Tivoli Identity Manager
Version 4.6:
v IBM Tivoli Directory Integrator v6.1 Fixpack 1(6.1.0-TIV-TDI-FP0001) is available at: http://www-1.ibm.com/support/docview.wss?rs=697&context=SSCQGF&dc=D400&uid=swg24013626&loc=en_US&cs=utf-8&lang=en
v IBM Tivoli Directory Integrator Version 6.1, Interim Fix 2 6.1.0-TIV-TDI-IF0002 is available at:
http://www-1.ibm.com/support/docview.wss?rs=697&context=SSCQGF&dc=D400&uid=swg24014199&loc=en_US&cs=utf-8&lang=en
2. Tivoli Identity Manager Interim Fix 4.6.0-TIV-TIM-IF0028 is available at: http://www-1.ibm.com/support/docview.wss?rs=644&context=SSTFWV&dc=D400&uid=swg24014062&loc=en_US&cs=utf-8&lang=en
3. IBM Tivoli Directory Integrator supported platforms are described at:
v http://www-1.ibm.com/support/docview.wss?uid=swg27007848&aid=1
v http://www-1.ibm.com/support/docview.wss?rs=697&context=SSCQGF&dc=DB520&uid=swg21222477&loc=en_US&cs=utf-8&lang=en
4. IBM Tivoli Directory Integrator Version 6.0 requires either DB2 Universal Database Universal Database Version
8.1 with Fix Pack 8 or Version 8.2 with Fix Pack 1.
For more information on requirements, refer to these Web sites:
Version 5.2: http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
Version 6.0: http://publib.boulder.ibm.com/infocenter/tiv2help/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
Chapter 2. Hardware and software requirements 21
Supported Web Browsers
The following Web browsers are supported:
Table 11. Tivoli Identity Manager Server prerequisites for Web browsers
Browser
Name
Version AIX 5.2, 5.3 Solaris 9 RedHat
Linux 3.0
Windows
Mozilla 1.7 U U U U
Internet
Explorer
6.0 with
Service Pack 1
U
1. Cookies must be enabled.
2. Do not log on to the Tivoli Identity Manager Server from two browsers on the same
client machine, because only one session ID is created, and this may result in problems
with data.
Crystal Report products
You can integrate a custom Crystal Report template into the Tivoli Identity
Manager environment. Tivoli Identity Manager supports Crystal Report 10
Standard Edition with Crystal Enterprise 10 Professional Edition on Windows
systems. Running the Tivoli Identity Manager Server and Crystal Enterprise 10
Professional Edition client on Unix and Linux using the Crystal Enterprise 10
Professional Edition server on Windows systems is also supported.
Supported adapter levels
A Tivoli Identity Manager agent at version 4.5 will continue to operate successfully
after you upgrade the Tivoli Identity Manager Server to server version 4.6. IBM
will support the version 4.5 agents for upgrade clients, but encourages the clients
to upgrade to Tivoli Identity Manager version 4.6 adapters. New clients installing
Tivoli Identity Manager Server at version 4.6 should install only the Tivoli Identity
Manager version 4.6 adapters. Adapters were called agents in previous releases of
the Tivoli Identity Manager product.
22 IBM Tivoli Identity Manager: Release Notes
Chapter 3. Known limitations, problems, and workarounds
This section describes known software limitations, problems, and workarounds.
Product installation, upgrade, and removal problems and workarounds
You might encounter these Tivoli Identity Manager Server installation, upgrade, or
product removal problems, and use these workarounds:
v Problem: A custom report using the DN attribute of an entity does not show the
correct data after upgrading the Tivoli Identity Manager from Version 4.5.1 to
4.6.
Workaround: The supported route to upgrade reports from Version 4.5.1 to 4.6 is
by applying Fixpack 4.5.1-TIV-TIM-FP0050 or later to Tivoli Identity Manager
Version 4.5.1, followed by applying Interim Fix 4.5.1-TIV-TIM-IF0053 or later.
New report templates that are designed after applying Interim Fix 53 can be
upgraded without problem to Version 4.6.
If you have designed reports before applying 4.5.1-TIV-TIM-IF0053, redesign
them after applying 4.5.1-TIV-TIM-IF0053, and then upgrade Tivoli Identity
Manager to Version 4.6.
For each custom report that uses the DN attribute in the filter section of the
report, do the following:
1. Remove the filter from the custom report and save the report.
2. Open the same report and add the filter again.
3. Save the report.
Report templates using policy tables cannot be upgraded from Version 4.5.1 to
4.6 because there a substantial database schema change for these reports.
v Problem: A Tivoli Identity Manager upgrade from Version 4.5.1 to 4.6 fails when
a large amount of data is being upgraded. The ldapUpgrade fails when
migrating approximately 100,000 or more person objects that include
erpersonstatus. The upgrade continues to work, even though the ldapUpgrade
has failed with an OutOfMemory error.
Workaround: When you upgrade Tivoli Identity Manager from Version 4.5.1, use
the Tivoli Identity Manager Version 4.6 Fixpack 4.6.0-TIV-TIM-FP0033 or later as
the upgrade vehicle. When the upgrade has completed, obtain Tivoli Identity
Manager Version 4.6 Interim Fix 4.6.0-TIV-TIM0-IF0044, which includes APARs
IY96157 and IY96322. APAR IY96157 adds new tables that are required prior to
running Tivoli Identity Manager. APAR IY96157 is only needed after you
upgrade Tivoli Identity Manager from Version 4.5.1 to Version 4.6 if you have
synchpoints used in workflows. APAR IY96157 corrects a problem in failure to
complete any running workflows, including split/join points started before the
upgrade.
v Problem: If the database is Oracle, additional permissions are required to enable
recovery of Oracle database transactions.
Workaround: Create these permissions after you create the user enrole, and
before you install Tivoli Identity Manager. To create the permissions, run the
following commands as user SYS on the computer on which the Oracle database
server is installed:
© Copyright IBM Corp. 2003, 2007 23
|
|||
|||||
|||
||
|
|
|
||
|||||
||||||||||
grant select on pending_trans$ to public;
grant select on dba_2pc_pending to public;
grant select on dba_pending_transactions to public;
grant execute on dbms_system to <user>;
The value of user is the user enrole.
v Problem: On a Windows system, when the Tivoli Identity Manager installation
process installs Tivoli Identity Manager on a disk drive other than the C drive,
the installation process might create a \temp directory at the root of the disk
drive if the \temp directory does not exist. The \temp directory is not deleted
when the Tivoli Identity Manager installation completes.
Workaround: Manually delete the \temp directory.
v Problem: In rare occurrences during product testing, uninstalling Tivoli Identity
Manager on Linux deleted the /tmp directory, causing other applications and
the operating system to fail to function correctly.
Workaround: Before uninstalling Tivoli Identity Manager, back up the /tmp
directory. If removing Tivoli Identity Manager deletes the /tmp directory, take
these steps to recreate the /tmp directory and set its permissions:
1. Log on as root.
2. Enter these commands:
$ mkdir /tmp
$ chmod 777 /tmp
v Problem: In a cluster environment, a java.lang exception occurs when you install
Tivoli Identity Manager on a Windows Server 2003 Standard Edition system on
the deployment manager or on a Tivoli Identity Manager cluster member. For
example, part of the exception includes this line:
## ZGGfxUtil.loadImage: image loading failed for:
com/zerog/ia/installer/images/introImage.png
Workaround: Ignore the exception, which does not affect the Tivoli Identity
Manager installation or subsequent use.
Tivoli Identity Manager limitations
These are Tivoli Identity Manager limitations:
v Problem: Data synchronization might fail with an OutOfMemoryError. This
problem might occur if the user has many objects of any single entity type, and
data synchronization is performed after mapping attributes of this entity, or after
mapping attributes of the entity category.
Limitation: Data synchronization has been successfully tested for 300K Person
entities in a single container, when each entity object has 15 attributes in LDAP.
Data synchronization has also been performed successfully for 110K AD Account
entities with over 100 attributes per object in LDAP. All tests have been
performed with 1.2 GB maximum JVM heap size setting, and with a minimum
load on the Tivoli Identity Manager Server.
v Problem: Creating or modifying a workflow design, a form, or a policy might
take longer than the session timeout interval. To avoid interruption, the timeout
value in web.xml is ignored and the session never times out while the Workflow
Designer, Form Designer, or Policy applet is running.
Workaround: Ensure that you complete each activity to create or modify a
workflow design, a form, or a policy.
v Problem: Tivoli Identity Manager does not provide a method to create an outer
join in the custom report designer.
Workaround: None.
24 IBM Tivoli Identity Manager: Release Notes
v Problem: A workflow UNTIL loop behaves like a DO...WHILE loop. Although
the loop should continue until a specified loop condition is met, the loop
continues until a specified condition fails.
Workaround: Restate the condition as the negative of the specified loop
condition. For example, this condition requires restating:
a<b
This is the restated condition:
a>=b
Operating system problems and workarounds
You might encounter these operating system problems, and use these
workarounds:
v Problem: On Linux, the setting for the default maximum number of open files
might be too low. For example, an error message occurs such as:
Too many open files.
Workaround: The WebSphere recommendation is to increase the default
maximum open files to a value of 8000. Complete these steps:
1. Edit the /etc/security/limit.conf file.
2. Change the statement that specifies the value of nofiles to a value of 8000.
3. Optionally, to cause the change to take effect in the current session, type this
command:
ulimit -n 8000
v Problem: On RedHat Linux Enterprise for Intel (x86) 3.0 for IA32 with Update 3,
the Red Hat Package Manager (RPM) database can become corrupt, causing
package name loss, or preventing any subsequent RPM installations. The
migration of bad cache data into the main RPM database corrupts the main RPM
database. However, existing user applications and existing data are not affected.
RPM database corruption might occur during these activities:
– Immediately after installing WebSphere Application Server Version 5.1.x
– After every installation of a service pack, Java Software Development Kit, or
Application Server Service Pack
– After an installation sequence that completes these tasks:
1. Installing any RPM with LD_ASSUME_KERNEL set to a value that
indicates LinuxThreads, such as 2.2.5 or 2.4.19.
2. Installing another RPM with no value set for LD_ASSUME_KERNEL.
Workaround: Immediately after any activity that is subject to RPM database
corruption, complete these tasks:
1. Delete these cache data files from the /var/lib/rpm directory on the system:
– db.001
– db.002
– db.0032. Validate the integrity of the RPM database. Enter this command:
rpm -qa ’ > /dev/null
An example error message indicates that there are segment size errors:
error: rpmdbNextIterator: skipping h#684 blob size(1568):
BAD, 8 + 16 + il(41) + dl(916)
3. If you continue to receive errors, contact Red Hat support for more
information on repairing a damaged RPM database.
Chapter 3. Known limitations, problems, and workarounds 25
IBM Tivoli Directory Integrator problems and workarounds
You might encounter these IBM Tivoli Directory Integrator problems, and use these
workarounds:
v Problem: There are potential socket errors and lockups with IBM Tivoli
Directory Integrator Version 6.0. The Java Virtual Machine (JVM) included with
the AIX version of IBM IBM Tivoli Directory Integrator Version has a problem
that can lead to socket errors and lockups during large account provisions using
IBM Tivoli Directory Integrator. As a result, specific account creations can fail
and provisioning activities may hang indefinitely.
Workaround: IBM Tivoli Directory Integrator APAR #IO01620 resolves this issue.
For more information, refer to this Web site:
http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryIntegrator.html
v Problem: A TBSFException may occur within IBM Tivoli Directory Integrator
Version 6.0 on all operating systems. Account provisioning and management
actions through IBM Tivoli Directory Integrator may occasionally fail due to a
BSFException within IBM Tivoli Directory Integrator. The BSFException occurs
within the Rhino javascript engine that IBM Tivoli Directory Integrator uses.
Workaround: The problem can be resolved by upgrading IBM Tivoli Directory
Integrator to the 1.5R4.1 release of the Rhino engine. IBM Tivoli Directory
Integrator Version 6.0 currently ships with the 1.5R2 release of the Rhino engine,
but the 1.5R4.1 release is also supported. It is recommended that you upgrade to
the 1.5R4.1 release of the Rhino engine.
To perform the upgrade, complete these steps:
1. Download the zip file for the 1.5R4.1 release of the Rhino engine from the
Rhino download site:
http://www.mozilla.org/rhino/download.html
2. Extract the js.jar file from the zip file that you download.
3. Replace the js.jar file in the ITDI_HOME/jars directory with the js.jar file
from the zip file.v Problem: IBM Tivoli Directory Integrator Version 6.0 may encounter
OutOfMemory errors on all operating systems.
IBM Tivoli Directory Integrator may encounter an OutOfMemoryError error
during very large account reconciliations (approximately 50,000 accounts or
greater on a computer with 1 GB of RAM). The OutOfMemoryError will cause
the Tivoli Identity Manager reconciliation process to fail and the IBM Tivoli
Directory Integrator application may become unusable.
Workaround: IBM Tivoli Directory Integrator APAR IO01580 resolves this issue
and will be in Fix Pack 2 for IBM Tivoli Directory Integrator 6.0. For more
information, refer to the IBM Tivoli Directory Integrator support site:
http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryIntegrator.html
v Problem: Two-way-SSL support not yet available for IBM Tivoli Directory
Integrator Version 6.0.
The readme file in the ITIM_HOME/extensions/examples/idi_integration
directory contains a section describing two-way, or mutual, SSL authentication
between Tivoli Identity Manager and IBM Tivoli Directory Integrator Version 6.0.
However, the DSMLv2EventHandler event handler included with IBM Tivoli
Directory Integrator Version 6.0 currently only supports one-way SSL
authentication.
26 IBM Tivoli Identity Manager: Release Notes
Workaround: IBM Tivoli Directory Integrator APAR IO01580 resolves this issue
and will be in Fix Pack 2 for IBM Tivoli Directory Integrator 6.0. For more
information, refer to the IBM Tivoli Directory Integrator support site:
http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryIntegrator.html
WebSphere MQ problems and workarounds
You might encounter these WebSphere MQ problems, and use these workarounds:
v Problem: JMS message send errors occur with WebSphere global security
enabled on AIX.
An issue has been identified with the Java Virtual Machine (JVM) bundled with
WebSphere Application Server Version 5.1.1 for AIX systems that causes socket
errors on the network connection used to secure access to embedded messaging
queues. This can cause JMS message sends to fail with an error similar to the
following error in the WebSphere logs:
MQJMS2008: failed to open MQ queue WQ_itim_wf
The following error will also be present in the WebSphere jmsserver logs:
MSGS0504E: An JMS Server security service thread experienced a socket exception:
java.net.SocketException: Socket closed
Workaround: It is recommended that all Tivoli Identity Manager applications
running on AIX systems should install WebSphere APAR PK07924, which
corrects the issue in the JVM. Apply this APAR after installing Fix Pack 1 for
WebSphere Application Server Version 5.1, which also updates the WebSphere
Application Server JVM. APAR PK07924 is available on the WebSphere
Application Server support site:
http://www.ibm.com/software/webservers/appserv/was/support/
v Problem: On a Windows system, during DSML feed activity with Tivoli Identity
Manager account provisioning enabled, the WebSphere embedded messaging
fails. Error messages describe failure to open a queue, a lack of permission to
access a resource, or Java Message Service errors. You might see a WebSphere
embedded messaging error similar to this message:
AMQ9181 The response set by the exit is not valid.
Workaround: On all cluster members, set the ephemeral port range to the
maximum value of 65534. For more information on problems connecting to
TCP/IP ports above 5000, refer to the following Web site:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;196271
v Problem: When you install Tivoli Identity Manager on Windows Server 2003, the
WebSphere Embedded Messaging Publish and Subscribe service is not started.
Attempting to start it manually causes an error and the following message:
Could not start the Websphere Embedded Messaging Publish and
Subscribe WAS__server1 service on Local Computer.
Error 1075: The dependency service does not exist or has been
marked for deletion
Workaround: Ignore the message and continue. Tivoli Identity Manager does not
require the Websphere Embedded Messaging Publish and Subscribe service. Do
not attempt to start the service.
v Problem: An error occurs creating the queue manager. The error in the
Amqerr*.log file is the following:
AMQ9213: A communications error for TCP/IP occurred.
EXPLANATION:
An unexpected error occurred in communications.
Chapter 3. Known limitations, problems, and workarounds 27
ACTION:
The return code from the TCP/IP (ioctlsocket) call was 10038 (X’2736’). Record
these values and tell the systems administrator.
Workaround: The 10038 return code indicates that the WebSphere MQ listener
pool has had trouble passing the initial socket from the listener to the pool. This
is rather common in environments that have a firewall. To work around the
problem, disable the pool with the following environment variable:
set MQNOREMPOOL=1
Adapter and service problems and workarounds
You might encounter these Tivoli Identity Manager adapter problems, and use
these workarounds:
v Problem: On the Tivoli Identity Manager Server, the remove_service_profiles.sh
command does not remove the service profile. For example, from the
/usr/IBM/itim/bin/unix directory, run the ./remove_service_profiles.sh
ServiceProfile command. The service profile is not removed, and an erroneous
message appears:
Configuring remote services.
Workaround: Perform this workaround with caution, and only after all account
and all service instances of the Service Profile being removed have been
removed from Tivoli Identity Manager.
Log on to the IBM Tivoli Directory Server admin console or the iPlanet Console
or any LDAP client that lets you remove entries (such as an, LDAP browser) and
take these steps to manually remove the service profile:
1. Expand ou=serviceProfile. For example, if the Tivoli Identity Manager suffix
is ’dc=com’ and the tenant id is ’IBM’, expand the tree from
ou=serviceProfile,ou=itim,ou=IBM,dc=com.
2. Remove two entries beneath ou=serviceProfile that represent the Account
and the Service Profiles. For example, to remove the Account profile entry
for Notes, remove the erobjectprofilename=NotesAccount entry beneath
ou=serviceProfile,ou=itim,ou=IBM,dc=com. To remove the Service profile
entry for Notes, remove the erobjectprofilename=NotesProfile entry beneath
ou=serviceProfile,ou=itim,ou=IBM,dc=com.
3. Expand ou=formTemplates. For example, if the Tivoli Identity Manager suffix
is ’dc=com’ and the tenant id is ’IBM’, expand the tree from
ou=formTemplates,ou=itim,ou=IBM,dc=com.
4. Remove the two entries beneath ou=formTemplates that represent the
Account and the Service form templates. For example, to remove the Account
form template for Notes, remove erformname=erNotesAccount entry beneath
ou=formTemplates,ou=itim,ou=IBM,dc=com. To remove the Service form
template for Notes, remove erformname=erNotesDAMLService entry beneath
ou=formTemplates,ou=itim,ou=IBM,dc=com.
5. Restart Tivoli Identity Manager, if applicable.v Problem: Although the service test is successful, the DSMLv2 service provider
erroneously displays this error message when the test completes:
Invalid format
Workaround: Take these steps:
– In the adapter’s test reply DSML message, add a searchResultEntry entry
containing the attribute namingContexts with the value AGENT_CONTEXT.
For example:
28 IBM Tivoli Identity Manager: Release Notes
<?xml version=’1.0’?>
<batchResponse xmlns=’urn:oasis:names:tc:DSML:2:0:core’>
<searchResponse>
<searchResultEntry dn="" xmlns="urn:oasis:names:tc:DSML:2:0:core">
<attr name="namingContexts">
<value>AGENT_CONTEXT</value>
</attr>
</searchResultEntry>
<searchResultDone xmlns="urn:oasis:names:tc:DSML:2:0:core">
<resultCode code="0" />
</searchResultDone>
</searchResponse>
</batchResponse>
– Define the namingContexts property in the resource.def file of the adapter for
which the DSMLv2 service test is run. For example, define this property:
<BehaviorProperties>
<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.SERVICE_PROVIDER_FACTORY"
Value = "com.ibm.itim.remoteservices.provider.dsml2.DSML2ServiceProviderFactory"/>
<Property Name = "namingContexts"
Value = "AGENT_CONTEXT" />
</BehaviorProperties>
v Problem: The Tivoli Identity Manager Active Directory Adapter uses the ergroup
attribute, which is represented by a string of hexadecimal digits that identifies
the Active Directory group uniquely across the Active Directory forest. This
value must be used within Tivoli Identity Manager in provisioning policies and
scripts to add or remove groups on an account. Since people know these groups
by their names and not their unique identifiers, developers and system
administrators must look up the unique identifiers for use in policies and
scripts.
Workarounds: Take these steps:
– Developers and system administrators may perform an LDAP search for the
group under the associated service item in the Tivoli Identity Manager
repository. The group name can be used to perform the search and then the
unique identifier can be read from the returned group object.
– For provisioning policies, groups can be searched for using the standard
entitlement parameters view. Once the group has been found, a system
administrator may switch to the advanced parameters view and perform any
advanced configuration required.v Problem: You might need to bypass the password validation on an orphan
account when a request is submitted from an adapter.
Workaround: The enRole.properties file contains the following property to
bypass the password validation on an orphan account when a request is
submitted from an agent. Set this value to true to bypass the password
validation process:
reversePasswordSynch.bypassPwdValidationOnOrphanAccount
v Problem: You might need to add a new description to the service form of a
service. To preserve compatibility with legacy agents, this description attribute is
not included on service forms by default.
Workaround: Use the form designer to manually add the description attribute
on a service form for a service.
v Problem: The DSMLProvider is now sending modify requests as ADD |
DELETE operations. This will break existing customer DSML code expecting the
REPLACE operation.
Workaround: In the enRole.properties file, ensure that you correctly set the
value of the following property for your customized code:
Chapter 3. Known limitations, problems, and workarounds 29
##########################################################
## Remote Services: DSMLv2 provider’s mode of sending modify request
## for attributes. Property value: true | false.
## true= REPLACE operation and false= ADD, DELETE operation
###########################################################
com.ibm.itim.remoteservices.DSML2ServiceProvider.modifyAsREPLACE=true
The values are:
true or not specified
Default. If this value is true, or the value is not specified, Tivoli Identity
Manager sends all DSMLv2 modify requests with the REPLACE
operation.
false Tivoli Identity Manager sends modify requests as ADD | Delete and
REPLACE operations.
Data and naming problems and workarounds
You might encounter these Tivoli Identity Manager data or naming problems, and
use these workarounds:
v Problem: Using LDAP Data Interchange Format (LDIF) files to import back up
directory information can experience problems if the system is not stopped, or
workflows are incomplete.
Workaround: When you use LDIF files to import back up directory information,
make sure that the application servers have been stopped. If the LDIF import
will modify workflows or operations, ensure that all workflows are complete
before you perform an LDIF import. For more information about importing
LDIF files, refer to your directory server documentation.
v Problem: In account management, you can create a Tivoli Identity Manager
account name using special characters, but you cannot subsequently modify an
account name to include or remove special characters.
Workaround: Avoid using special characters to create or modify a Tivoli Identity
Manager account name.
v Problem: You cannot include a special character, such as a comma, in a
Distinguished Name (DN) entity definition. The LdapUtil.explodeDN() method
does not support a double quoted value with a special character, especially a
comma within the quoted value. For example, the comma in this definition
causes an error:
entry dn="uid=\"My Name\"\,1"
Workaround: Avoid using special characters such as a comma in the definition
of a DN.
v Problem: A DB2Exception error occurs if you create a custom entity with a name
that exceeds 100 characters.
Workaround: When you create a custom entity, avoid entering a value for an
entity name that exceeds 100 characters.
v Problem: Using Oracle, a database error occurs when you create a second Tivoli
Identity Manager database with a different name, and then attempt to re-install
Tivoli Identity Manager, or run the DBConfig command. The error indicates that
Oracle did not create an enrole_data_001.dbf file.
This sequence of tasks has the error:
1. Create an initial Tivoli Identity Manager database using Oracle.
2. Install and configure Tivoli Identity Manager.
3. Uninstall Tivoli Identity Manager.
30 IBM Tivoli Identity Manager: Release Notes
4. Create another Tivoli Identity Manager database using Oracle, specifying a
different database name than the previous database name.
5. Do either of these tasks:
– Install and attempt to configure Tivoli Identity Manager.
– Run the DBConfig command.
Workaround: To configure multiple Tivoli Identity Manager databases on the
same Oracle database server, manually update the enrole_admin.sql file to
change the datafile names.
v Problem: Only one access control item (ACI) is staged into the ACI table if you
define more than one ACI on the same target and at the same organizational
level, and the first 255 characters of every ACI name are identical. Reporting
ignores the remainder of the ACIs. An ACI report shows only one ACI and this
error appears in the trace.log file:
com.ibm.websphere.ce.cm.DuplicateKeyException: ORA-00001: unique constraint
(ENROLE.SYS_C003110) violated
Workaround: When you define an ACI, avoid entering a value for an ACI name
that exceeds 255 characters. Also try to avoid defining multiple ACIs with the
same name on the same target and at the same organizational level.
v Problem: By default, Tivoli Identity Manager provides a date range of only
1990-2010.
Workaround: Use an LDAP browser or another LDAP utility to expand the year
range. For example, update the ersapdateuntil attribute on the SAP Account
form.
Note: Any customizations done through the Tivoli Identity Manager UI (the
Form Editor applet) must be done prior to adding any manual date
attribute modifications. The Form Editor UI is not equipped to handle
these additional customizations available on date attributes, and when
edited, the Form Editor UI will write out standard Date attributes,
regardless of any manual modification that was previously added.
Complete these tasks:
1. In LDAP, bring up the dn:
erformname=erSAPAccount,ou=formTemplates,ou=itim,ou=tenant,dc=com
2. Edit the erXML attribute.
3. Look for a line similar to this example:
<formElement name="data.ersapdateuntil" label="$ersapdateuntil">
The next line beneath might look like <dateInput/> or <optDateInput/>.
Additionally, the line may have other attributes such as
hoursAndMinutes="false".
4. To set the highest year value, add the attribute maxYear. For example, type
the following:
<dateInput maxYear="9999"/>
If you want to include years earlier than 1990, additionally use the ″minYear″
attribute. This example specifies the year 1974:
<dateInput minYear="1974"/>
5. To specify that the years between 2010 and maxYear are filled in, add the
attribute spanYearRange:
<dateInput maxYear="2099" spanYearRange="yes"/>
Chapter 3. Known limitations, problems, and workarounds 31
Note: Do not combine spanYearRange and a maxYear of 9999 because this
combination significantly increases the amount of data that must be
sent to the browser, and will degrade performance.
6. Save the XML file. The next time you access the SAP account form, the
ersapdateuntil widget should now contain all the values from 1990 to 2099.
Browser problems and workarounds
You might encounter these browser problems, and use these workarounds:
v Problem: If the Mozilla browser is used, clicking the Back button during data
entry on GUI panels might cause loss of the data that you enter.
For example, when you add a Person to an Organization and fill in data in the
Person record, clicking the Back and then the Forward button causes the data
that you entered in the fields to be lost. In general, clicking Back causes loss of
data or other problems.
Workaround: Avoid using the Back button during data entry using the Mozilla
browser.
Report problems and workarounds
You might encounter these Tivoli Identity Manager report problems, and use these
workarounds:
v Problem: You may encounter slow performance or transaction timeouts during
report generation for certain reports against large data sets.
Workaround: Refer to the IBM Tivoli Identity Manager Performance Tuning Guide
technical supplement for recommended indices to set on columns in Report DB
tables, to improve performance and reduce timeouts.
v Problem: Generating a Portable Document Format (PDF) report encounters an
OutOfMemory error.
Workaround: Increase the JVM heap size in the WebSphere Application Server.
Then, restart the WebSphere Application Server and run the PDF report again.
Alternatively, change the user inputs from default values to specific values, to
limit the number of records in the PDF report output. If these workarounds do
not succeed, generate the report in CSV format from the user input screen.
v Problem: You cannot determine if data synchronization is running or determine
the status of the last synchronization.
Workaround: Status is displayed in the Data Validity field located on the
Schedule List page. Possible values are:
– No Data synchronized
– In progress
– Invalid
– Date and time when last synchronization completedv Problem: If you generate a report output file as a Portable Document Format
(PDF) file, and then minimize the displayed information or otherwise leave the
file open, you cannot generate another report until the active report file is
closed.
Workaround: Close any previous report, and then generate another report.
v Problem: The report feature uses a deprecated label called Access Control
Information. The new label is Access Control Item (ACI). You might see the
deprecated label if you view the Access Control Information {ACIs} report
builder or on the Reports tab if you click Run report –> Access Reports –>
Access Control Information {ACIs}.
32 IBM Tivoli Identity Manager: Release Notes
Workaround: Edit the ITIM_HOME/data/reportingLabels.properties file, and
manually change the label value for the key accessControlInformation.
– Deprecated: accessControlInformation=Access Control Information {ACIs}
– New: accessControlInformation=Access Control Item {ACIs}v Problem: The font that is displayed in the report is too small to read.
Workaround: Save the report in PDF format or in CSV format and print the
report. To save the report, select Save As from the File menu option in the
report output window. Browse to the required directory and enter a valid file
name and save the document. Both the PDF and CSV format reports can be
printed. PDF reports can be printed in portrait or landscape modes. CSV reports
enable users to print reports which do not fit on a single page horizontally.
To print a CSV report:
– Select the CSV report format while generating the report.
– Select the Save As option in the dialog box.
– Provide a valid location and file name for saving the report.
– Open the report using Microsoft Excel or any other CSV file reader.
– Use the print option to print the document.
Tivoli Identity Manager user interface problems and workarounds
You might encounter these Tivoli Identity Manager user interface problems, and
use these workarounds:
v Problem: If there are existing instances of person records, when you modify a
person class to have a Date field using the Alternative option, the value for this
new field for existing persons becomes null. However, the definition of an
Alternative Date field specifies that the value cannot be null.
Workaround: Either change the widget type from Alternative Date Control to
Default Date control type, or create a new ACI and grant write permission to the
new Alternative Date Control Widget attribute in this ACI.
v Problem: Adding the owner attribute on an account form will cause a
java.lang.UnsupportedOperationException error. The message is:
CTGIMO002E. An unhandled exception occurred.
Error: java.lang.UnsupportedOperationException: the owner and (or) service
or an account can NOT be changed.
Workaround: Do not use the Form Designer to add the owner attribute to an
account form. Use the account adopt and orphan operations that Tivoli Identity
Manager provides to set or clear the owner of an account.
v Problem: The Organizational Unit Name cannot exceed a length greater than 100
characters or the name is not created. A long name within the 100-character limit
will not wrap when displayed.
Workaround: Do not enter a value for the Organizational Unit Name that is
greater than 100 characters.
v Problem: For business reasons, you might need to change the labels on the
Approve and Reject buttons in the Approval to-do-list item. For example, you
might change the label on the Approve button to Recertify, and change the label
on the Reject button to Decline.
Workaround: Complete these tasks:
1. Edit the CustomLabels.properties file, and add new Recertify and Reject
button labels:
RAA=Recertify
RAR=Decline
Chapter 3. Known limitations, problems, and workarounds 33
Do not change the values of the existing Approval labels AA and AR, which
are needed for Approval use.
2. Change the Approval node Action text Approval code to read RAA and the
Rejection code to read RAR.
3. Change (double click) the transition lines that exit the Approval node. Ensure
that the transition lines have these values:
– Recertify path
activity.resultSummary == "RAA"
– Reject path
activity.resultSummary == "RAR"
v Problem: A number of attributes are missing labels in the ITIM_HOME\data\CustomLabels.properties file. For example, the Provisioning Policy category is
missing a label for the erProvisioningPolicy attribute.
Workaround: You must manually add the missing labels to attributes in the
ITIM_HOME\data\CustomLabels.properties file. Otherwise, the user interface
displays the value of the attribute. Add these labels:
erProvisioningPolicy=Provisioning Policy
erWorkflowDefinition=Workflow Definition
erSystemRole=ITIM Group
erIdentityPolicy=Identity Policy
erPasswordPolicy=Password Policy
erHostSelectionPolicy=Host Selection Policy
erBPOrg=Business Partner Organization
v Problem: The access control item for a Category Provisioning Policy has
attribute permissions that display eroriginalpolicydn and erdraft as the attribute
names, rather than using their labels.
Workaround: The access control item does not apply to attributes that are
hidden. Manually add the following labels to the attributes in the
ITIM_HOME\data\enroleHiddenAttributes.properties file:
eroriginalpolicydn=eroriginalpolicydn
erdraft=erdraft
v Problem: The following attributes should be included in the searchable
attributes menu:
erpersonstatus
eraccountstatus
erorgstatus
erbporgstatus
eraccountcompliance
Workaround: Attributes that are hidden (and therefore, are not searchable) are
specified in the enRoleHiddenAttributes.properties file. To make these
attributes searchable, manually remove the attributes from the
enRoleHiddenAttributes.properties file.
Many hidden attributes are system-managed attributes that users should not
modify. Use caution in making a previously-hidden attribute visible to Tivoli
Identity Manager users.
v Problem: If the dateinput mode is in read-only mode, the user sees the time
displayed in 12-hour format, and no indicator of morning (a.m.) or afternoon
(p.m.) time is provided.
Workaround: Set the dateinput mode field to read/write mode. The time is
displayed in 24-hour format and is correctly understood. As administrator, do
the following:
34 IBM Tivoli Identity Manager: Release Notes
– Select Configuration –> User Interface Customization.
– Select Identity Manager User in the left column and then select
ITIMAccount.
– Select erpswdlastchanged on the panel.
– In the format tab of the Properties section, ensure that the field is in
read/write mode. That is, the field is not checked for Read-only on Modify.
Save the changes.
If the dateinput field is in Read-only mode, modify the following line in the
Labels.properties file in the ITIM_HOME\data directory:
readOnlyDateFormat=MMM dd, yyyy hh:mm:ss z
To read as follows:
readOnlyDateFormat=MMM dd, yyyy hh:mm:ss a z
v Problem: The Requestee column displays an unexpected value of the
CommonName in a Person during self registration.
Workaround: Modify the selfRegister operation of the Person entity. Do the
following:
Note: The value of Name Attribute in Configuration –> Entities tab –> Person
must be set to sn. If the value of Name Attribute is changed back to cn,
remove the script node.
1. Log on as ITIM manager.
2. Click Configuration.
3. Click Entity Type.
4. Select Person in the drop-down menu.
5. Click selfRegister as the operation.
6. On the selfRegister workflow, insert a uniquely-named script node between
the Start and the selfRegister Approval nodes.
7. Double-click the new script node.
The Properties: Script Node window appears.
8. In the Properties window, enter the following Java script:
var personData = person.get();
var snValue = personData.getProperty("sn")[0];
process.setRequesteeData(snValue);
9. Click OK. Save the operation.
Policy problems and workarounds
You might encounter these policy problems, and use these workarounds:
v Problem: When a non-administrative user previews a list of available accounts,
an erroneous Disallowed label appears for accounts that are valid for use. For
example, a non-privileged ITIM user takes these steps:
1. Log on as an ITIM user
2. Click Provisioning -> Define Provisioning Policy.
3. Click Available Provisioning Policy -> Preview.
4. Select Enforcement as ″Entire Policy″ and click Continue.
In error, a Disallowed label then identifies accounts that are actually valid for
use by the ITIM user.
Workaround: Have an administrative user grant Read permission to allow view
access to all provisioning policy attributes to the non-privileged ITIM user. This
workaround avoids an error condition, in which a search API returns an
Chapter 3. Known limitations, problems, and workarounds 35
incomplete policy object. If a user performing the search does not have the
appropriate permissions, such object might be stripped of erEntitlement and
other important attributes.
Grant the Read permission to these attributes:
erPolicyItemName
erLabel
erKeywords
description
erEnabled
erScope
erPolicyTarget
erReqPolicyTarget
erEntitlements
erPriority
erPolicyMembership
erDraft
erOriginalPolicyDN
erGlobalId
erLastModifiedTime
erAcl
erAuthorizationOwner
erParent
erIsDeleted
erLifecycleEnable
v Problem: A user who tries to modify an existing policy discovers that clicking
Submit, and then clicking Reset, does not reset the modified fields.
Workaround: Click Reset first. Do not click Submit, and then click Reset.
v Problem: It is possible (but will create an error condition) to import into the
server a new identity policy which has the same specification for user class and
service as a currently active identity policy.
Workaround: Before importing a new identity policy, examine and compare the
class and service of the active identity policy with the class and service of the
identity policy that will be imported. Avoid importing a new identity policy that
has the same specification for user class and service as a currently active identity
policy.
Permissions problems and workarounds
You might encounter these permissions problems, and use these workarounds:
v Problem: An ITIM user who attempts to modify personal information such as an
e-mail address sees an ignorable error message. The ITIM user has no READ
access to the role attribute but has READ/WRITE access to any other attributes
of the Person form.
v For example, the ITIM user takes these steps:
1. Log on with a valid account.
2. In the organization tree, select a location such as My_Location_A.
3. Click My Organization -> Manage People.
4. Select the ITIM user’s ID, such as Pat.
5. Click Access Personal Information. Then, select the Communication
Information tab.
6. Enter an e-mail ID such as [email protected] and click Submit.
An erroneous message appears:
Removal of dynamic role from people
is not allowed by the system. The change will be ignored.
Please press submit to schedule changes.
36 IBM Tivoli Identity Manager: Release Notes
Workaround: Ignore the message. The e-mail ID is successfully submitted.
v Problem: After a user is authenticated using the challenge/response
authentication system, the only API that can be called with the authenticated
token is SelfPasswordManager.resetPassword(), if the system configuration
property Lost password question behavior is set to Reset Password.
Workaround: If the system configuration property Lost password question
behavior is set to Direct Entry, then the authenticated token can be used to call
any API. Do either one of these tasks after upgrading to Tivoli Identity Manager
Version 4.6:
– Use only SelfPasswordManager.resetPassword() to reset a password after
authentication using the challenge/response authentication system.
– Allow any API call to be valid by changing the system configuration property
Lost password question behavior to Direct Entry.v Problem: Tivoli Identity Manager forms throw a authorization exception when a
drop-down list box or plain list box is used and the user does not have attribute
level permission to read or write the associated field. When the field value is not
set, the form viewer will set the value to the first item in the list. Because the
user does not have write permission, an authorization exception is thrown.
Workaround: Do one of the following:
– Have a user with the appropriate attribute level permission set the value of
the problem field. Once the field has been set to any value, the user without
read and write permissions can modify the entity without authorization
violations.
– Add a blank value to the top of the list. If the form viewer selects the blank
value, no authorization violation occurs because a blank value and no
selection are treated as the same condition. Also, try checking the Use Blank
Row check box on all drop down lists that use Form Customization.
– Give both read and write permissions for this attribute to the user without
the read or write attribute permissions. This workaround is acceptable only if
the data is not sensitive.
Directory server problems and workarounds
You might encounter these directory server problems, and use these workarounds:
v Problem: After an initial installation that uses the Sun ONE Directory Server,
changing to another LDAP server causes the loss of certain indexes.
Workaround: Add the missing indexes manually to the new LDAP server from
the er-indexes.conf file on the initial LDAP server. Complete these tasks using
the Sun ONE Directory Server administrative console:
1. Navigate to Data=itim_suffix. For example, itim_suffix is a value such as
dc=com.
2. Click the Add attributes button.
3. Add the following attributes:
index erparent eq
index erroles eq
index erservice eq
index ersupervisor eq
index ersponsor eq
index erhost eq
index erauthorizationowner eq
index erprerequisite eq
index erenabled eq
index errolename pres,eq
index eraliases eq,sub
Chapter 3. Known limitations, problems, and workarounds 37
index erservicename pres,eq,sub
index erobjectprofilename pres,eq
index ercustomclass eq
index eroid eq
index erisdeleted pres
index erpolicyitemname pres,eq,sub
index erlabel eq,sub
index erkeywords eq,sub
index erpolicytarget eq,sub
index erreqpolicytarget eq,sub
index erpolicymembership eq,sub
index eroverride eq
index eruserclass eq
index erprocessname pres,eq
index eracl pres
index eruid eq,sub
4. Save the attributes. Then, add the rules that are specified next to the attribute
name.
5. Navigate to Data=itim_suffix and right-click itim_suffix.
6. Select the Re-index option.
Other problems and workarounds
You might encounter these additional problems, and use these workarounds:
v Problem: There is insufficient information when errors occur during work on
notification templates.
Workaround: Enable tracing. If errors occur, examine the trace.log file for
additional information, which is in English.
v Problem: If you initiate a search for a service immediately after you log on, the
search fails. The exception message reads:
Remote Exception occurred in server thread; nested Exception is:
java.rmi.RemoteException; nested exception is:
java.lang.IllegalArgumentException: com.ibm.itim.dataservices.INVALID_ARGUMENT
Workaround: After you log on, perform an initial activity such as browsing the
organization tree. Then, search for a service.
v Problem: After you create an AIX adapter profile and service, and exception
occurs when you create a policy and then attempt to add the password attribute
using the advanced option.
Workaround: The exception occurs when a user switches from the standard
attribute view to the advanced attribute view, and then adds the password
attribute. When you define entitlement in a provisioning policy, navigate first to
the advanced attribute view to add a password attribute. Then, return to the
standard attribute view.
v Problem: When you concurrently make more than one modification to a Tivoli
Identity Manager object, there might be an unexpected outcome or failure with
warning messages. This problem is most likely to happen when using the Tivoli
Identity Manager APIs, such as submitting multiple requests to modify the same
object in a while/for loop. A concurrent operation on the same object causes a
race condition that makes the outcome unpredictable.
Workaround: To ensure that all pending actions complete successfully, pause for
an interval, such as a minute, before you make a second modification to the
same Tivoli Identity Manager object. Alternatively, collect all desired attribute
changes on the same object and submit the changes as a single modify request.
When using the Tivoli Identity Manager APIs, consider collecting all your
attribute changes to the object in the while/for loop and submitting the changes
as a single modify request.
38 IBM Tivoli Identity Manager: Release Notes
v Problem: Using LDAP Version 3 filters causes inconsistent results from an
adapter, or may not be accepted by the adapter as input. Using more than two
arguments in a reconciliation filter might cause an error, unless multiple
operators are used. For example, the following filter causes a FilterException
error:
(&(eruid=a*)(ersql2000defdatabase=i*)(ersql2000deflanguage-E*))
Workaround: Use filters that are compliant with LDAP Version 2.
(&(eruid=a*)(ersql2000defdatabase=i*)(ersql2000deflanguage-E*))
v Problem: Under a rare combination of the following conditions, Tivoli Identity
Manager can fail due to an out of memory condition:
– A large number of concurrent users quit Tivoli Identity Manager without
properly logging out within a 10 minute window. For example, this condition
can occur if all the concurrent users close their browsers by clicking X (the
Close icon) while they remain logged onto Tivoli Identity Manager.
– The Tivoli Identity Manager Server’s physical memory and Java heap size
settings are not high enough. An out of memory condition occurs when the
memory used by the total number of sessions exceeds the amount of memory
allocated for the server.
Workaround: Tune one or more of the following:
– Limit the number of in-memory sessions that the WebSphere Application
Server provides by completing these tasks on the WebSphere administrative
console:
1. Click Applications –> Enterprise Applications –> enRole –> Web
Module –> app_web.war –> Session Management.
2. Select Overwrite Session Management.
3. Deselect Overflow.
4. Reduce the value in the Maximum in memory session count field.
The value sets a limit on the maximum number of live browser sessions
that can be open on Tivoli Identity Manager at one time. Set this number
to a value that depends on the amount of memory allocated to your
servers, and the amount of WebSphere clustered nodes that Tivoli Identity
Manager uses.
5. Click OK and save the changes to the master configuration.– Reduce the session inactivity time to a value that is less than 10 minutes by
completing this combination of steps:
1. Locate the WAS_HOME/installedApps/nodename/enRole.ear/app_web.war/WEB-INF/web.xml file.
2. Edit the web.xml file to change the value of the session-time parameter
from 10 minutes to a smaller value such as 5 minutes.
3. Save the web.xml file.
4. On the WebSphere administrative console, stop and restart the enRole.ear
Enterprise Application.
Chapter 3. Known limitations, problems, and workarounds 39
40 IBM Tivoli Identity Manager: Release Notes
Chapter 4. Documentation Updates
This section describes problems and workarounds for the product documentation.
Publication Title Changes
The following publication title changes were made:
Previous Title New Title
The IBM Tivoli Identity Manager
Information Center obsoletes the following
titles:
v IBM Tivoli Identity Manager Policy and
Organization Administration Guide is now
in the information center.
v IBM Tivoli Identity Manager Server
Configuration Guide
v IBM Tivoli Identity Manager End User Guide
The IBM Tivoli Identity Manager Information
Center now contains administrative and
configuration information, available as
online assistance with the product.
Configuration information that is related to
installation is in the IBM Tivoli Identity
Manager Server Installation and Configuration
Guide for WebSphere Environments.
Installation and configuration guide problems and workarounds
This section describes installation and configuration problems and workarounds:
Problem: Steps to optionally import an adapter language pack are missing in the
IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere
Environments.
Additional text: To optionally import an adapter language pack on the Tivoli
Identity Manager Server, additionally complete these steps on the computer that
has the Tivoli Identity Manager Server:
1. Obtain the Tivoli Identity Manager language support CD. Then, locate the
itimlp_agents_setup.jar file.
2. Use command line mode to install the language pack. For example, enter this
language pack command at a command prompt:
java –jar itimlp_agents_setup.jar
The Tivoli Identity Manager language pack setup program starts. To complete
the language pack installation, follow the instructions that appear in the setup
program windows.
3. Next, log on to the Tivoli Identity Manager.
4. Using the Tivoli Identity Manager GUI, click Configuration -> Import/Export
-> Import.
5. On the Import/Export window, browse to the ITIM_HOME/timpla/AllAgents.jar file.
6. Click the Import data into Identity Manager link.
7. When the language pack installation is complete, click Continue.
Problem: There are no instructions on uninstalling a server or an adapter language
pack in the IBM Tivoli Identity Manager Server Installation and Configuration Guide for
WebSphere Environments.
© Copyright IBM Corp. 2003, 2007 41
Additional text: To uninstall a language pack, complete these steps on the
computer that has the Tivoli Identity Manager Server:
1. Use command line mode to uninstall the language pack.
v Server language pack
a. Change to this directory:
ITIM_HOME/itimlp/lp_uninst
b. Locate the tidlp_uninstall.jar file.
c. Start the uninstallation program. For example, enter this language pack
command at a command prompt:
java –jar tidlp_uninstall.jar
v Adapter language pack:
a. Change to this directory:
ITIM_HOME/itimlpa/lpa_uninst
b. Locate the tidlpa_uninstall.jar file.
c. Start the uninstallation program. For example, enter this language pack
command at a command prompt:
java –jar tidlpa_uninstall.jar
2. The Tivoli Identity Manager language pack uninstallation program starts. To
complete the language pack removal, follow the instructions that appear in the
program windows.
Message and e-mail problems and solutions
This section describes message and e-mail problems and solutions:
Problem: Message number CTGIMA616E has no text that displays.
Workaround: The text for messageCTGIMA616E reads:
Modify or create an account to a noncompliant state is not allowed.
Explanation:
An attempt to create a noncompliant account on a service that
has enforcement level correct/suspend/alert failed. OR
an attempt to modify an account to become noncompliant on
a service that has enforcement level correct/suspend/alert failed.
Administrator response:
The service that the account is related to has a enforcement setting
that prevent any account modification or creation such that the outcome
will be a noncompliant account. Check your compliance setting,
change it to MARK if you want to allow noncompliant account.
Problem: After upgrading Tivoli Identity Manager Version 4.5.1 to Version 4.6,
e-mail notifications that are delivered by Lotus® Notes continue to display the
Tivoli Identity Manager Version 4.5.1 logo. The e-mail notifications that use other
browsers use the correct, upgraded logo.
Workaround: Ignore the Tivoli Identity Manager Version 4.5.1 logo provided by
e-mail notifications using Lotus Notes.
Problem: A message that can appear during data import requires clarification:
Existing text: A conflict between data to be imported and data already existing in
the data has been detected. Please choose which data should take precedence.
42 IBM Tivoli Identity Manager: Release Notes
Correction: A conflict between data to be imported and data that already exists on
the target system has been detected. Please choose which data should take
precedence.
Problem: A more accurate message needs to describe the user’s corrective action
more exactly in requesting reports for accounts that have been dormant for a very
long time.
For reporting purposes, Tivoli Identity Manager sets a limit on the span of dates
for a dormant account. A request for a report on dormant accounts for an interval
greater than this number is an error.
Existing message: A pop-up window states, ″Please enter valid user input value.″
New message: You cannot request a report for a dormant account for a time
interval (the maximum integer limit, which is 2147483647) that is greater than the
difference between January 1, 1951 and the current date. Please enter a shorter
dormant interval.
Information center problems and solutions
Note the following changes to the IBM Tivoli Identity Manager Information Center:
v In the section titled ″People management″, the following text requires additional
information:
Existing text: A person can be located using the organization tree or by using
the search page located under the Search tab. The default search attribute is set
at cn for a person. The search tab is only visible to users that have been
explicitly granted access to the search feature by an ACI.
Text addition: Access to the organization tree is also granted through Group
membership.
v In the subsection titled ″Deleting a person″, the following text requires
clarification:
Existing text: Step 4: From the Manage People page, select the check boxes next
to the people you want to delete and click Delete.
Text addition: Deleting a person is only available to users that have been
explicitly granted access to the delete feature by an ACI.
v In the section titled ″Managing access″ in the subsection titled ″Deleting
organizational roles″, the following text requires correction:
Existing text: Before you can delete an organizational role, you must confirm
that the organizational role contains no people in the user list, and that the role
is not a member of a provisioning policy. If either of those conditions is true, the
Tivoli Identity Manager Server will not allow you to delete the organizational
role. The system will display an error message notifying you that the
organizational role you are attempting to delete cannot be deleted until the
condition is corrected.
Correction: These conditions are required to delete a role:
– Dynamic role
A dynamic role must not be a member of a provisioning policy. However, you
can delete a dynamic organizational role that contains people in the user list.
– Static role
A static role must not be a member of a provisioning policy. Additionally, you
cannot delete a static organizational role that contains people in the user list.
Chapter 4. Documentation Updates 43
Before you can delete a static organizational role, you must confirm that the
organizational role is not a member of a provisioning policy and the role
must not contain people in the user list. If either condition is true, the Tivoli
Identity Manager Server will not allow you to delete the organizational role.
The system will display an error message notifying you that the
organizational role you are attempting to delete cannot be deleted until the
condition is corrected.v In the section titled ″Customizing IBM Tivoli Identity Manager notifications″ in
the subsection ″Required Escape Characters and JavaScript″, additional
information is needed on how to specify control characters.
Existing text: The following characters need to be escaped (using the appropriate
HTML entity form - &entity;) to ensure that the notification template XML is
well formed.
Additional text: Character references cannot be properly unescaped when
creating the output from the template. Refrain from using these character
references in text templates unless the unescaped character reference is what you
want to appear in output. An example of a character reference is & which
refers to the special character &, which has the entity form of &.
v In the section titled ″Customizing IBM Tivoli Identity Manager notifications″ in
the subsection ″Dynamic content tags for notifications″, additional text should be
added to describe a known problem with Lotus Notes Version 5.0 rendering the
XHTML e-mail part with the XHTML header <?xml version=″1.0″
encoding=″UTF-8″?>.
Existing text: The notification fields (subject, text, XHTML) are XML based;
therefore they must conform to XML constraints and well-formed rules
(http://www.w3.org/XML/).
Additional text as workaround: Use only text templates with Lotus Notes
Version 5.0, which has a problem rendering the XHTML e-mail part with the
XHTML header <?xml version=″1.0″ encoding=″UTF-8″?>.
v In the section titled ″Reporting identity management data″ in the subsection
″Custom report configuration files″, there is a need for additional information.
Existing text: You can modify properties files in order to change settings that are
related to custom reports and to add user-defined functions to the custom
reports tasks.
Changed text: You can modify these properties files in the ITIM_HOME/data
directory in order to change settings that are related to custom reports and to
add user-defined functions to the custom reports tasks:
Additionally, in the subsection ″Staging data for custom reports″, there is a need
for additional information.
Existing text: You do not need to perform a data synchronization task when you
modify a report. However, if you change the report schema, reporting ACIs, or
the entity data (for example, if you add a person to the system and want that
person’s name to appear in a report), you must perform a data synchronization
for the changes to take effect.
Additional text: Reports are not available during the interval in which the data
synchronization occurs.
v In the section titled ″Reporting identity management data″ in the subsection
″Report filters: sample JOIN conditions for built-in report designer″, these
corrections are needed in table entries:
– Serial number 2 Filters column
Existing text: Person.Organization Roles = Organization Role.DN
Correction: Person.Organization Roles = Role.DN
44 IBM Tivoli Identity Manager: Release Notes
– Serial number 7 Filters column
Existing text: Business Partner Person.Organization Roles = Organization
Role.DN
Correction: BPPerson.Organization Roles = Organization Role.DN
– Serial number 22 Entities column
Existing text: ACI, Organizational Uni
Correction: ACI, Organizational Unitv In the section titled ″Using Crystal Reports with IBM Tivoli Identity Manager″,
make these changes in these subsections:
– ″Installing and configuring Crystal Enterprise on a Windows system″
Existing text: Replace the second paragraph, which reads:
First, perform a full installation of Crystal Enterprise using the instructions
provided with the software. Crystal Enterprise software can reside on the
same Windows machine as the IBM Tivoli Identity Manager application
server or on a separate Windows machine. Before configuring Crystal
Enterprise, ensure that you have setup the Crystal Management Console
(CMC). Refer to the appropriate product documentation for setting up the
CMC.
Changed text: Before configuring Crystal Enterprise
1. Obtain the hostname of the computer on which the Crystal Enterprise
server is installed and ensure that you can connect to this computer by
using its hostname. For example, if the fully qualified name is
server1.ibm.com, ensure that you can connect using only the hostname
server1. You may need to add an entry to the hosts file. To test
connectivity, enter this command from the computer on which Tivoli
Identity Manager is installed:
ping server1
2. Ensure that you have setup the Crystal Management Console (CMC).
Refer to the appropriate product documentation for setting up the CMC.– ″Configuring IBM Tivoli Identity Manager to use Crystal Reports (WebSphere
Application Server on Windows)″
Existing text: 3. Update the following properties in the ITIM_HOME\data\crystal.properties file:
(Not all items and definitions are shown if changes are not required.)
cmsHost
Set this value to the host name of the machine on which Crystal
Enterprise is installed.Changed text:
cmsHost
Set this value to the host name of the machine on which Crystal
Enterprise is installed. Do not set the IP address or fully qualified
machine name (that is, server1.ibm.com) as the value. If the Crystal
Enterprise Management Server is configured for a non-default port,
this value should be hostname:port. The default port is 6400.v ″Configuring Tivoli Identity Manager (WebSphere Application Server on UNIX)″
Existing text: 3. Update the following properties in the ITIM_HOME
/data/crystal.properties file:
(Not all items and definitions are shown if changes are not required.)
cmsHost
Set this value to the host name of the machine on which Crystal
Chapter 4. Documentation Updates 45
Enterprise is installed. If the Crystal Enterprise Management Server is
configured for a non-default port (the default port is 6400), the value
should be set as hostname:port.Changed text:
cmsHost
Set this value to the host name of the machine on which Crystal
Enterprise exists. Do not set the IP address or fully qualified machine
name (that is, server1.ibm.com) as the value. If the Crystal Enterprise
Management Server is configured for a non-default port, this value
should be hostname:port. The default port is 6400.v In the section titled ″Running reports: user input values and filters″ in table 38
titled ″User input filters″, add a number of corrections, which are shown in
Table 12:
Table 12. User input filters
Report name User input Default value Designer report filter Crystal Reports filter
Account Service Any Service.DN = _USERINPUT_ Service.DN = &ParamField
Business
Unit
Any OrganizationalContainer.DN =
_USERINPUT_
OrganizationalConto.DN =
&ParamField ()
Dormant
Accounts
Service Any Service.DN = _USERINPUT_ Service.DN = &ParamField ()
Dormant
Period
14 Last Accessed Date =
_USERINPUT_
Account.erLastAccess Date =
&ParamField ()
Operation Requester Any Process.REQUESTER =
_USERINPUT_
Process.REQUESTER =
&ParamField ()
Requestee Any Process.REQUESTEE =
_USERINPUT_
Process.REQUESTEE =
&ParamField ()
Operations AccountAdd
(as specified in
the properties
file
Process.Type = _USERINPUT Process.Type = &ParamField ()
Start Date Thirty days
before the
current date
Process.Completed >
_USERINPUT_ AND
Process.Completed <
_USERINPUT_
Process.Completed >
&ParamField1 () AND
Process.Completed <
&ParamField2 () End Date Current date
Rejected Requester Any Process.REQUESTER =
_USERINPUT_ (Any)
Process.REQUESTER =
&ParamField ()
Requestee Any Process.REQUESTEE =
_USERINPUT_ (Any)
Process.REQUESTEE =
&ParamField ()
Start Date Thirty days
before the
current date
Process.Completed >
_USERINPUT_ AND
Process.Completed <
_USERINPUT_
Process.Completed >
&ParamField1 () AND
Process.Completed <
&ParamField2 () End Date Current date
User Requester Any Process.REQUESTER =
_USERINPUT_ (Any)
Process.REQUESTER =
&ParamField ()
Requestee Any Process.REQUESTEE =
_USERINPUT_ (Any)
Process.REQUESTEE =
&ParamField ()
Start Date Thirty days
before the
current date
Process.Completed >
_USERINPUT_ AND
Process.Completed <
_USERINPUT_
Process.Completed >
&ParamField1 () AND
Process.Completed <
&ParamField2 () End Date Current date
46 IBM Tivoli Identity Manager: Release Notes
Table 12. User input filters (continued)
Report name User input Default value Designer report filter Crystal Reports filter
Individuals’
Accounts
Person Any Person.Dn = _USERINPUT_ Person.DN = &ParamField ()
Business
Unit
Any OrganizationalContainer.DN =
_USERINPUT_
OrganizationalConto.DN =
&ParamField ()
Individuals’
Accounts by
Role
Role None (no role
specified)
Organization Role.DN =
_USERINPUT_
Role.DN = &ParamField (Edit
Mask)
Business
Unit
Any Organization Container.DN =
_USERINPUT_
OrganizationalConto.DN =
&ParamField ()
Summary of
Accounts on
Service
Service Any Service.DN = _USERINPUT_ Service.DN = &ParamField ()
Account
Status
Any (as
specified in the
properties file)
Account.Account Status =
_USERINPUT_
Account.eraccountstatus =
&ParamField ()
Policies
Governing a
Role
Role Any Organization Role.DN =
_USERINPUT_
Role.DN = &ParamField
Services
Granted to an
Individual
Person Any Person.DN = _USERINPUT_ Person.DN = &ParamField ()
Account
Operations
Root
Process
Any Process.Type = _USERINPUT_ RootProcessView.Type =
&ParamField ()
Account
Operation
Any Activity.Type = USERINPUT_ SubProcessView.Type =
&ParamField ()
Start Date Thirty days
before current
date
Process.Completed >
_USERINPUT_ AND
Process.Completed <
_USERINPUT_
SubProcessView.Completed >
&ParamField1 () AND
Process.Completed <
&ParamField2 ( End Date Current date
Service
Type
Any Service.servicetype =
_USERINPUT_
service.servicetype =
&ParamField ()
Service Any Service.DN = _USERINPUT_ Service.DN = &ParamField ()
User ID Any Activity.Subject = _USERINPUT_ SubProcessView.subject =
&ParamField ()
Status Any Activity.Result_ Summary =
_USERINPUT_ (Any)
SubProcessView.RESULT_SUMMARY =
&ParamField ()
Chapter 4. Documentation Updates 47
Table 12. User input filters (continued)
Report name User input Default value Designer report filter Crystal Reports filter
Account
Operations
Performed by
an Individual
Submitted
by
Any Process.REQUESTER =
_USERINPUT_
person.DN= &ParamField ()
Account
Operation
Any Activity.Type = USERINPUT_ SubProcessView.Type =
&ParamField ()
Start Date Thirty days
before current
date
Process.Completed >
_USERINPUT_ AND
Process.Completed <
_USERINPUT_
SubProcessView.Completed >
&ParamField1 () AND
Process.Completed <
&ParamField2 () End Date Current date
Service
Type
Any Service.servicetype =
_USERINPUT_
Service.erservicetype =
&ParamField ()
Service Any Service.DN = _USERINPUT_ service.servicetype =
&ParamField ()
User ID * Activity.Subject = _USERINPUT_ SubProcessView.subject =
&ParamField ()
Status Any Activity.Result_ Summary =
_USERINPUT_
SubProcessView.RESULT_
SUMMARY = &ParamField ()
Approvals
and
Rejections
Approver Any PERSON.DN like _USERINPUT_
AND PERSON.CN =
PROCESSLOG.REQUESTOR
PERSON.DN like &ParamField1
() AND PERSON.CN =
PROCESSLOG.REQUESTOR
Start Date Thirty days
before current
date
Process.Completed >
_USERINPUT_ AND
Process.Completed <
_USERINPUT_
Process.Completed >
&ParamField1 () AND
Process.Completed <
&ParamField2 () End Date Current date
Service
Type
Any Service.servicetype =
_USERINPUT_
service.servicetype =
&ParamField ()
Service Any Service.DN = _USERINPUT_ Service.DN = &ParamField ()
User ID * Process.Subject = _USERINPUT_ Process.Subject = &ParamField
()
Status * PROCESS.RESULT_ SUMMARY
like _USERINPUT_
PROCESS.RESULT_ SUMMARY
like &ParamField ()
Approval
Activity
ACTIVITY. DEFINITION_ID like
_USERINPUT_
ACTIVITY. DEFINITION_ID
like &ParamField ()
Suspended
Accounts
Account Any Account.DN = _USERINPUT_ account.eruid = &ParamField ()
Person Any Person.DN = _USERINPUT_ Person.DN = &ParamField ()
Service
Type
Any Service.servicetype =
_USERINPUT_
service.servicetype =
&ParamField ()
Service Any Service.DN = _USERINPUT_ Service.DN = &ParamField ()
Suspended
Date
Current date Process.Completed <
_USERINPUT_
Process.Completed <
&ParamField1 ()
Suspended
Individuals
Person Any Person.DN = _USERINPUT_ Person.DN = &ParamField ()
Business
Unit
Any OrganizationalContainer.DN =
_USERINPUT_
OrganizationalConto.DN =
&ParamField ()
Suspended
Before
Current date Process.Completed <
_USERINPUT_
Process.Completed <
&ParamField1 ()
48 IBM Tivoli Identity Manager: Release Notes
Table 12. User input filters (continued)
Report name User input Default value Designer report filter Crystal Reports filter
Services Service Any Service.DN = _USERINPUT_ Service.DN = &ParamField ()
Service
Type
Any Service.servicetype =
_USERINPUT_
Service.erservicetype =
&ParamField ()
Owner Any Peson.DN = _USERINPUT_ Peson.DN = &ParamField ()
Business
Unit
Any OrganizationalContainer.DN =
_USERINPUT_
OrganizationalConto.DN =
&ParamField ()
Policy Provisioning
Policy
Name
Any ProvisioningPolicy.PolicyName =
_USERINPUT_
ProvisioningPolicy.DN=
&ParamField ()
Access
Control Item
ACI Name Any ACI.name = _USERINPUT_ ACI.name = &ParamField ()
ACI
Context
Any ACI.category = _USERINPUT_ ACI.category = &ParamField ()
Object Type Any ACI.Target = _USERINPUT_ ACI.target = &ParamField ()
ACI Scope Any ACI.scope = _USERINPUT_ ACI.scope = &ParamField ()
Business
Unit
Any OrganizationalContainer.DN =
_USERINPUT_
OrganizationalConto.DN =
&ParamField ()
Reconciliation
Statistics
Service None (input
required)
Service.DN = _USERINPUT_ Service.DN = &ParamField (Edit
Mask)
v The help for Individual Accounts for Role does not indicate that a role must be
selected.
Existing text: The help reads: ″Click Search to locate and specify the role to
which you want to limit report entries. If you do not specify a role, all roles that
meet the other specified criteria are included in the report.″ To locate this help,
complete these tasks:
1. Log on as itim manager.
2. Click Reports in the main menu navigation bar.
3. Click Run Report on the task bar.
4. Select Individual Reports as the report type.
5. Select the submenu for Individual Accounts for Role.
6. Click the ? icon for help.
Changed text: Click Search to locate and specify the role to which you want to
limit report entries. A role must be selected to run this report.
v In the section titled ″Installing and using the Incremental Data Synchronizer″,
the subsection titled ″Changelogs″ has a note that requires additional
information.
Existing text: Note: For IBM Directory Server, increase the default Application
Heap Size of the DB2 database to a large number, such as 4096. This setting is
used by the IBM Directory Server to store the changelog entries. Refer to the
DB2 manuals for modifying the application heap size.
Additional text: There are no additional steps required for Oracle or SQL Server
2000.
v In the section titled ″Installing and using the Incremental Data Synchronizer″,
the subsection titled ″Installing the Incremental Data Synchronizer on a separate
system″ has a note that requires additional information.
Chapter 4. Documentation Updates 49
Existing text: Note: synchronizer_computer is the computer where the Incremental
Data Synchronizer is installed. itim_computer is the computer where Tivoli
Identity Manager is installed.
Additional text: In a Tivoli Identity Manager cluster configuration, itim_computer
is any managed node.
v In the section titled ″Installing and using the Incremental Data Synchronizer ″,
the subsection titled ″Fine-tuning the Incremental Data Synchronizer ″ needs to
specify recommended default values.
Existing text:
– changeLogFetchSize
– maximumChangeLogsToSynchronize
– changeLogsToAnalyzeBeforeSynchronization
Changed text:
Use these recommended default values:
– changeLogFetchSize=200
– maximumChangeLogsToSynchronize=10000
– changeLogsToAnalyzeBeforeSynchronization=5000
The default value of time delay is 30 seconds.
v In the section titled ″Configuring system properties″, add a new key to the
enRole.properties file to configure reverse password synchronization.
Existing text: None.
Additional text: Reverse Password Synchronization Configuration
# This is the configuration flag to bypass the password
# validation on the orphan account when the request is
# submitted from the agent.
reversePasswordSynch.bypassPwdValidationOnOrphanAccount=false
If this key is set to ″true″ and the source account that triggered password
synchronization is an orphaned account, the password validation is bypassed.
v In the section titled ″Running reports: user input values and filters″ in table 37,
titled ″User input values″, these changes are needed:
– The ACI Name row should show a value of ″Any″ rather than ″*, indicating
any value″ in the column that is labeled ″Default value used if no input is
specified″.
– The Approval Activity row entry should be Approval Activity Name.
– The Dormant Period row entry should be Dormant Period (No of Days).
– The Organization Unit row entry should be Business Unit.
– The Operations row should show a value of ″Account add″ rather than ″Any″
in the column that is labeled ″Default value used if no input is specified″.v In the section titled ″Installing and using the Incremental Data Synchronizer″, a
property is mentioned that does not exist.
Existing text: In ″Installing the Incremental Data Synchronizer on a separate
system″, several step 15 reads:
15. Modify the enRoleLogging.properties file in the ITIM_HOME/data directory
on the synchronizer_computer as follows:
– Set the jlog.logCmdPort property to a value other than 9992. Port 9992 is used
by the IBM Tivoli Identity Manager Server, therefore the Incremental Data
Synchronizer cannot start the logger using port 9992.
50 IBM Tivoli Identity Manager: Release Notes
Correction: Remove (ignore) any text describing the jlog.logCmdPort property.
The property does not exist.
v In the section titled ″Configuring account information″, an item in a list requires
correction.
Existing text: The Properties tab on the Configuration page allows you to set the
following password, logon management, and default workflow escalation
options:
– System-wide workflow escalation and item reminders configuration
Corrected text: This list item should read ″Workflow Notification″.v In the section titled ″Customizing IBM Tivoli Identity Manager notifications″ in
the subsection ″New account template″, the following statements occur:
Existing text:
EmailContext =
com.ibm.itim.mail.workflow.TemplateWorkflowNewAccountContext
Corrected text:
EmailContext =
com.ibm.itim.workflow.notification.TemplateNewAccountNotification
Existing text: In the subsection titled ″New password template″, the following
statement occurs:
EmailContext =
com.ibm.itim.mail.workflow.TemplateWorkflowNewPasswordContext
Corrected text:
EmailContext =
com.ibm.itim.workflow.notification.TemplateNewPasswordNotification
Existing text: In the subsection titled ″Change account template″, the following
statement occurs:
EmailContext =
com.ibm.itim.mail.workflow.TemplateWorkflowNewAccountContext
Corrected text:
EmailContext =
com.ibm.itim.workflow.notification.TemplateNewAccountNotification
Existing text: In the subsection titled ″Suspend account template″, the following
statement occurs:
EmailContext = com.ibm.itim.mail.workflow.TemplateWorkflowDeProvisionContext
Corrected text:
EmailContext = com.ibm.itim.workflow.notification.TemplateDeprovisionNotification
v In the section titled ″JavaScript extension reference″ in the subsection
″Activity.description″, the activity description requires additional information.
Existing text: This read only field is a String describes the purpose of the
activity given when defined in the workflow designer.
Additional text: For manual activities (approvals, RFIs, and work orders), this
read only field is a String which represents the Action Text Template defined in
the workflow designer. For all other activities, this read only field is a String
which describes the purpose of the activity given when defined in the workflow
designer.
v In the subsection titled ″Using Crystal Reports with IBM Tivoli Identity
Manager″, additional information is needed.
Existing text: In the subsubsection ″Configuring IBM Tivoli Identity Manager to
use Crystal Reports (WebSphere Application Server on Windows)″, and also in
the subsection ″Configuring IBM Tivoli Identity Manager (WebSphere
Application Server on UNIX)″, step 1 reads:
Chapter 4. Documentation Updates 51
If Crystal Enterprise is installed on the same machine as the Tivoli Identity
Manager, skip this step and go to step 2. Otherwise, perform a custom
installation of Crystal Enterprise on the machine where the Tivoli Identity
Manager is installed.
Addition: In a cluster deployment of the IBM Tivoli Identity Manager, perform
the configuration steps for Crystal Reports on each managed node of the cluster.
v In the section titled ″Using Crystal Reports with IBM Tivoli Identity Manager″,
additional information is needed.
Existing text: In the subsection ″Configuring IBM Tivoli Identity Manager to use
Crystal Reports (WebSphere Application Server on Windows)″, and also in the
subsection ″Configuring IBM Tivoli Identity Manager (WebSphere Application
Server on UNIX)″, step 3 reads:
3. Update the following properties in the ITIM_HOME\data\crystal.properties
file: (only the changed item is shown below)
database
Set this value to the database used by IBM Tivoli Identity Manager. For
DB2 database configurations, if the database resides on a machine other
than the Crystal Enterprise machine, specify the database alias that
points to the actual database being used by IBM Tivoli Identity Manager.Addition: For Oracle, if the database resides on a machine other than the Crystal
Enterprise machine, specify the TNS Service Name of the actual database being
used by IBM Tivoli Identity Manager. For MS-SQL Server, specify the actual
name of the database used by IBM Tivoli Identity Manager.
v In the section titled ″Using Crystal Reports with IBM Tivoli Identity Manager″,
additional information is needed.
Existing text: In the subsection ″Configuring standard report templates for
Crystal Reports″, step 2 reads:
2. For DB2, copy the db2jcc.jar and db2java.zip files from the SQLLIB/java
directory to the ITIM_HOME/lib directory. For Oracle, copy ojdbc14.jar from the
Oracle installation area to the ITIM_HOME/lib directory.
Addition: For MS-SQL Server, there is no action required for this step.
v In the section titled ″Setting up identity feeds and migrating data″, in the
subsection ″Determining the placement of the person″, the JavaScript example
incorrectly uses a lowercase letter ″o″ instead of the integer zero.
Existing text: The following JavaScript code can be used for the placement rule
to make this conversion:
return "ou=" + entry.dept[o] + ",ou=" + entry.bu[o] + ",ou=" + entry.dw[o];
Correction:
return "ou=" + entry.dept[0] + ",ou=" + entry.bu[0] + ",ou=" + entry.dw[0];
v In the section titled ″Reporting identity management data″, additional
information is needed to describe object filters.
Additional text: After the subsection ″Regular expression notation″, add another
section titled ″ACI Object Filter usage in Reporting″, containing this information:
Object Filters defined in ACIs are used by the Reporting Engine to staging data
and ACI information in the database. The Reporting Engine requires object
filters that meet these conventions:
– The supported filters for LDAP to SQL conversion is a subset of filters
mentioned in RFC 2254 for LDAP Filter Specification.
– Matching rules, soundex filters and approximation operators are not
supported.
– In regular expressions, only the * (asterisk) wildcard character is supported.
52 IBM Tivoli Identity Manager: Release Notes
– Only the following special characters are allowed in LDAP filters:
- $ (dollar sign)
- @ (at sign)
- _ (underscore)
- * (asterisk)
- ? (question mark)
- / (forward slash)
- \ (backward slash)
- . (period)
- : (colon)
- space
- tab
The following characters are not supported in LDAP filters. If you use these
characters in an object filter, the reporting engine does not consider the
characters for ACI information staging:
- { open curly brace
- } close curly brace
- [ open box bracket
- ] close box bracket
- % (percent sign)
- & (ampersand)
- , (comma)v As specified within RFC 2254, these special characters can be used as normal
characters in attribute values:
– \2a to use * as a normal character, not as a wildcard
– \28 to use ( as a left parenthesis character
– \29 to use ) as a right parenthesis character
– \5c to use \ as a backslash characterv In the section titled ″Configuring account information″, in the subsection
″Password synchronization″, the Sync Password Enabled option should instead
be named the Enable Password Synchronization option.
Existing text: The Sync Password Enabled option on the Properties tab of the
Configuration page allows an administrator to synchronize passwords.
Correction: The Enable Password Synchronization option on the Properties tab
of the Configuration page allows an administrator to synchronize passwords.
v In the section titled ″Configuring account information″, in the subsection
″Password challenge/response″, there should be a space in the name of the tab.
Existing text: CHALLENGERESPONSE tab of the Configuration page
Correction: CHALLENGE RESPONSE tab of the Configuration page.
v In the section titled ″Configuring account information″, in the subsection
″ADMIN-DEFINED challenge modes″:
Existing text: The ADMIN-DEFINED Challenge Mode challenge questions are
defined and modified in a window that appears when the CLICK HERE TO
DEFINE CHALLENGES link is selected.
Correction: The ADMIN-DEFINED Challenge Mode challenge questions are
defined and modified in a window that appears when the CLICK HERE TO
DEFINE ADMIN CHALLENGES link is selected.
Chapter 4. Documentation Updates 53
In this section, there is an additional instance of the same error:
Existing text: 4. Click the CLICK HERE TO DEFINE CHALLENGES link and
define the Password Challenge/Response questions.
Correction: 4. Click the CLICK HERE TO DEFINE ADMIN CHALLENGES
link and define the Password Challenge/Response questions.
v In the section titled ″Configuring account information″, in the subsection
″Defining challenge questions″, there is a missing space.
Existing text: OPTIONAL: Select a locale for the challenge question from the
Language list (default locale is optional). Refer to ″Locale specific challenges″ on
page 350 for more information.
Correction: OPTIONAL: Select a locale for the challenge question from the
Language list (default locale is optional). Refer to ″Locale specific challenges″ on
page 350 for more information.
v In the section titled ″Customizing IBM Tivoli Identity Manager notifications″, in
the subsection ″Post office″, there is a typographic error in ″-email″.
Existing text: When that interval expires, post office will aggregate all
notifications that have the same Group Email Topic and aggregate them using
the post office template using the post office template into one -email for each
e-mail recipient.
Correction: When that interval expires, post office will aggregate all notifications
that have the same Group Email Topic and aggregate them using the post office
template using the post office template into one e-mail for each e-mail recipient.
v In the section titled ″Customizing IBM Tivoli Identity Manager notifications″, in
the subsections ″Specifying general post office properties″, and ″Testing the post
office template″, HTML is used when XHTML should be used.
Existing text: In the HTML body field, type the text that is displayed in the
e-mail as well as any JavaScript code or dynamic content.
Correction: In the XHTML body field, type the text that is displayed in the
e-mail as well as any JavaScript code or dynamic content.
v In the section titled ″Customizing IBM Tivoli Identity Manager notifications″, in
the subsection ″Post office dynamic content custom tags″, the word ″newline″ is
used when ″new line″ should be used.
Existing text: Returns a string containing the text body of each of the original
notifications separated by a newline.
Correction: Returns a string containing the text body of each of the original
notifications separated by a new line.
v In the section titled ″Customizing IBM Tivoli Identity Manager notifications″, in
the subsection ″Post office label properties″, the label
POST_OFFICE_TEST_ALT=Test post office template is listed, but is not a valid
label.
Existing text: The labels for post office configuration GUI elements can be
customized by editing the following properties contained in the
Labels.properties file:
– POST_OFFICE_TEST_ALT=Test post office template
Correction: Ignore this list item, which is not a valid label:
– POST_OFFICE_TEST_ALT=Test post office templatev In the section titled ″Customizing IBM Tivoli Identity Manager notifications″, in
the subsection ″Default dynamic content tags″, text in example in table 27 runs
beyond the bottom of the page. The text reads in part, ″<RE
key=″readOnlyDateFormat″>″.
54 IBM Tivoli Identity Manager: Release Notes
v In the section titled ″Customizing IBM Tivoli Identity Manager notifications″, in
the subsection ″System notifications″, there is a missing space in Activity timeout
template, Process timeout template, and Process completion template
subsections.
Existing text: Refer to ″Context JavaScript Extensions″ on page 256 for more
information.
Correction: Refer to ″Context JavaScript Extensions″ on page 256 for more
information.
v In the section titled ″Configuring the IBM Tivoli Identity Manager environment″,
in the subsection ″One-way SSL authentication″, the same link appears twice to
Overview of SSL and digital certificates.
Correction: Ignore the duplicate link.
v In the section titled ″Customizing IBM Tivoli Identity Manager interface″, in the
subsection ″Opening form templates″, a step references a tab with an incorrect
title.
Existing text: Click the User Interface Customization tab.
Correction: Click the Form Customization tab.
v In the section titled ″Customizing IBM Tivoli Identity Manager interface″, in the
subsection ″Configuring a custom logo″, the step to copy a GIF version of the
company logo has an incorrect path.
Existing text: WAS_HOME/installedApps/enrole.ear/enrole.war/images
Correction: WAS_HOME/installedApps/cell_name/enRole.ear/app_web.war/images
v In the section titled ″Types of reports″, in the subsection ″Individual Reports″,
these problems occur:
Existing text: Individuals’ Accounts
Correction: Individual Accounts
Existing text: Individuals’ Accounts by Role
Correction: Individual Operation Report
Existing text: Entitlements Granted to an Individual
Correction: Report Entitlements Granted to an Individual
Additionally, in the subsection ″Access Reports″, this problem occurs:
Existing text: Dormant Accounts is not the last report in the Access Reports list.
Correction: Move Dormant Accounts to the last position in the Access Reports
list.
v In the section titled, "Configuring SSL authentication for the Tivoli Identity
Manager Server," in the subsection titled "Configuring the Tivoli Identity
Manager Server to use self-signed certificates," the second paragraph is amended
to include an additional procedure:
Existing text: If you are using self-signed certificates for two-way SSL
authentication between the Tivoli Identity Manager Server and one or more
adapters, complete the procedure for configuring one-way SSL authentication,
use a key management utility to create a self-signed certificate and private key
for the server, then extract the certificate (not the private key) and install the
same extracted certificate into the trusted CA (certificate issuer) list on each
adapter.
Additional text: You must also install the extracted self-signed certificate as a
"Signer Certificate" in the truststore (or keystore) on the Tivoli Identity Manager
Server where the other CA certificates are installed. For example, if you are
using the same truststore (or keystore) for certificates and CA certificates, add
Chapter 4. Documentation Updates 55
the extracted self-signed certificate (as a "Signer Certificate") to the same
keystore in which you created the self-signed certificate. If you are using
separate keystores to separate your certificates and CA certificates, install the
extracted self-signed certificate in the keystore where the CA certificates are
defined.
Note: This additional step is required because the JSSE provider used by the
Tivoli Identity Manager Server requires the CA certificate (signer
certificate) to be present in the truststore (or keystore) on the machine
where its corresponding certificate is installed.
v In the section titled, "Configuring SSL authentication for the Tivoli Identity
Manager Server," in the subsection titled "Sample scenario: configuring the Tivoli
Identity Manager Server and an ADK-based adapter for two-way SSL in a test
environment" the procedure in this section is amended to include and additional
step after step 5:
Existing text:
1. Start the IBM Key Management utility:
...
2. Open the default truststore where you intend to create the self-signed
certificate:
...
3. Change the drop-down title above the main display area to Personal
Certificates. This option causes the installed certificates, if any, to be
displayed.
4. Create the self-signed certificate:
...
5. Extract the self-signed certificate only (but not the private key that is
associated with the certificate):
a. Under Personal Certificates, select Extract Certificate.
b. Ensure that Binary DER data is shown in the Data type field.
c. In the Certificate file name field, enter the name that you want to assign
to the extracted certificate, in this example enter cacert_selfsigned.der.
d. In the Location field, enter the file path where you want to place the
extracted certificate file, in this example enter WAS_HOME\AppServer\java\jre\bin\. Click OK.
6. Exit iKeyman.
Additional text (add the following step 6 after step 5 above):
– 6. Add the extracted self-signed certificate (as a CA certificate) to the
truststore used by the Tivoli Identity Manager Server:
- a. Change the drop-down title above the main display area to Signer
Certificates. This option causes the installed CA certificates to be displayed.
- b. Click Add.
- c. Change type Data type to Binary DER data.
- d. Click Browse and navigate to the WAS_HOME\AppServer\java\jre\bin\
directory.
- e. Select the cacert_selfsigned file and click Open.
- f. Enter a short descriptive name when you are prompted to enter a label,
such as, cacert_ITIMserver_selfsigned.v In the section titled ″Excluding accounts from reconciliation″, the LDIF file
example is incorrect.
56 IBM Tivoli Identity Manager: Release Notes
Existing text: The accounts to exclude from reconciliations are specified in an
LDIF file. The following is an example of entries in an LDIF file:
dn: ou=excludeAccounts, ou=ITIM, ou=ITIM, dc=com
ou: excludeAccounts
objectClass: top
objectClass: organizationalunit
dn: cn=SolarisProfile, ou=excludeAccounts, ou=ITIM, ou=ITIM, dc=com
erObjectProfileName: SolarisProfile
objectClass: top
objectClass: eridentityexclusion
cn: SolarisProfile
erAccountID: root
erAccountID: admin
Corrected text: The accounts to exclude from reconciliations are specified in an
LDIF file. The following is an example of entries in an LDIF file. In this example,
the value ibm in ou=ibm is the default organization short name or tenant ID that
you configured in the LDAP directory for Tivoli Identity Manager.
dn: ou=excludeAccounts, ou=itim, ou=ibm, dc=com
ou: excludeAccounts
objectClass: top
objectClass: organizationalunit
dn: cn=SolarisProfile, ou=excludeAccounts, ou=itim, ou=ibm, dc=com
erObjectProfileName: SolarisProfile
objectClass: top
objectClass: eridentityexclusion
cn: SolarisProfile
erAccountID: root
erAccountID: admin
v In the section titled ″Using Crystal Reports with IBM Tivoli Identity Manager″,
in the subsection ″Configuring IBM Tivoli Identity Manager (WebSphere
Application Server on Windows)″, the following information requires changes:
Existing text: Step 2 requires the following correction:
These .jar files are typically located in the following directory:
C:\Program Files\Common Files\Crystal Decisions\2.5\java\lib
Corrected text: These .jar files are typically located in the following directories:
C:\Program Files\Common Files\Crystal Decisions\2.5\java\lib
C:\Program Files\Common Files\Crystal Decisions\2.5\java\lib\external
The lib\external directory has the log4j.jar file.
v In the section titled ″Using Crystal Reports with IBM Tivoli Identity Manager″,
in the subsection ″Configuring IBM Tivoli Identity Manager (WebSphere
Application Server on UNIX)″, the following information requires changes:
Existing text: 1. If Crystal Enterprise is installed on the same machine as the
Tivoli Identity Manager, skip this step and go to step 2. Otherwise, perform a
custom installation of Crystal Enterprise on the machine where the Tivoli
Identity Manager is installed. Using the Crystal Enterprise installer, install the
following two components onto the target machine:
– Crystal Publishing Wizard
– Crystal Enterprise Java SDK
Corrected text: 1. If Crystal Enterprise is installed on the same machine as the
Tivoli Identity Manager, skip this step and go to step 2. Otherwise, install the
webtier components of Crystal Enterprise on the machine where the Tivoli
Identity Manager is installed. Typically, this can be achieved by executing the
install_webtier.sh script that is included with the Crystal installation package.
Chapter 4. Documentation Updates 57
Notes:
1. Installation of the Crystal webtier components must be performed by the
UNIX user who actually runs the WebSphere Application Server and the
Tivoli Identity Manager Server scripts. This Crystal installation must be used
exclusively for Tivoli Identity Manager. If another user requires access to the
Crystal webtier components, a separate installation must be performed for
that user. Do not share the same Crystal webtier component installation between
multiple UNIX users.
2. Ensure that the following entry is present in the /etc/hosts file on the Tivoli
Identity Manager Server computer:
ip_address host
The value of ip_address is the actual IP address of the Crystal Enterprise
server computer. The value of host is the host name (without the domain) of
the Crystal Enterprise server computer. To ensure that the Crystal server is
accessible by its host name after adding this entry to the /etc/hosts file, type
this command:
ping host
3. Linux only: Verify that there is no entry in /etc/hosts file that maps the host
name of the local machine to the loopback IP address. For example, this
entry maps the host name to the loopback IP address:
127.0.0.1 host localhost.localdomain localhost
The following entry prevents the problem:
127.0.0.1 localhost
IPaddress_server1 host
The value of IPaddress_server1 is the IP address of server1. The value of host
is the host name of the Tivoli Identity Manager Server computer.
Existing text: Step 2 requires the following correction:
These .jar files are typically located in the following directory:
CRYSTAL_HOME/java/lib
Corrected text: These .jar files are typically located in the following directories:
CRYSTAL_HOME/java/lib
CRYSTAL_HOME/java/lib/external (has log4j.jar)
Internationalization problems and solutions
This section describes translated documentation problems and solutions:
v Problem: In Japanese, the subject is unreadable in mail notification from Tivoli
Identity Manager on Microsoft Outlook Express.
Workaround: Open the message list. The subject is readable in the message list.
Additionally, you can click the message in message list to obtain a readable
subject in a separate window.
v Problem: In German, the ″Tivoli Identity Manager deinstallieren″ window has a
grammatical error in this statement:
Bitte warten Sie während des Deinstallers von InstallAnywhere die folgenden
Funktionen entfernt...
Workaround: The corrected statement reads:
Bitte warten Sie während der Deinstaller von InstallAnywhere die folgenden
Funktionen entfernt...
v Problem: Tivoli Identity Manager installation in Spanish uses servidor1 as the
WebSphere Application Server name, which must be specified as server1.
58 IBM Tivoli Identity Manager: Release Notes
Solution: Do not use servidor1 as the name of the WebSphere Application
Server. Use the name server1.
Adobe Acrobat Reader Requirements
For the best results, use Adobe Acrobat Reader, version 4.05 or higher, to view and
access Tivoli Identity Manager documents. Adobe Acrobat Reader is available at
the following Web site:
http://www.adobe.com/products/acrobat/readstep2.html
Chapter 4. Documentation Updates 59
60 IBM Tivoli Identity Manager: Release Notes
Chapter 5. Installation images and fix packs
This section itemizes the installation images, and provides a Web address for the
product fix packs.
Installation images
The base CD for each operating system contains a list of the installation files that
Tivoli Identity Manager provides.
Locate the installation image file that is appropriate for your operating system:
v itim-4.6-cd-images-linux.txt
v itim-4.6-cd-images-aix.txt
v itim-4.6-cd-images-sun.txt
v itim-4.6-cd-images-windows.txt
For example, to locate all the files provided for the Tivoli Identity Manager
installation on the AIX operating system, open the itim-4.6-cd-images-aix.txt file on
the AIX base CD.
For more information on all supported platforms and their prerequisite
applications, refer to the IBM Tivoli Identity Manager Release Notes.
Verifying the fix pack level
Verify that the WebSphere Application Server Fix Pack is at the correct level. Enter
one of these commands:
v Windows:
– Single server or cluster member
WAS_HOME\bin\versionInfo.bat
– Deployment manager
WAS_NDM_HOME\bin\versionInfo.bat
v UNIX:
– Single server or cluster member
WAS_HOME/bin/versionInfo.sh
– Deployment manager
WAS_NDM_HOME/bin/versionInfo.sh
For example, the version is similar to the following output:
v WebSphere Application Server base
Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server
Version 5.1.1.3
ID BASE
v Deployment manager
© Copyright IBM Corp. 2003, 2007 61
Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server for Network Deployment
Version 5.1.1.3
ID ND
Obtaining fix packs
A fix pack file for Tivoli Identity Manager has a name similar to the following:
4.6.0-TIV-TIM-platform-WAS-000n.zip
where platform is a value such as AIX and n is an integer such as 1.
Tivoli Identity Manager fixes are available at this Web site:
http://www-1.ibm.com/support/dlsearch.wss?rs=644&q=&tc=SSTFWV&dc=D420&loc=en_US&cs=utf-8&lang=en&sort=desc&rankfile=8&p=1
For more information on registering your personal IBM online ID and alternatives
in obtaining fix packs, see “Obtaining fixes” on page 64.
62 IBM Tivoli Identity Manager: Release Notes
Appendix A. Support information
This section describes the following options for obtaining support for IBM
products:
v “Searching knowledge bases”
v “Obtaining fixes” on page 64
v “Contacting IBM Software Support” on page 64
Searching knowledge bases
If you have a problem with your IBM software, you want it resolved quickly. Begin
by searching the available knowledge bases to determine whether the resolution to
your problem is already documented.
Search the information center on your local system or
network
IBM provides extensive documentation that can be installed on your local
computer or on an intranet server. You can use the search function of this
information center to query conceptual information, instructions for completing
tasks, reference information, and support documents.
Search the Internet
If you cannot find an answer to your question in the information center, search the
Internet for the latest, most complete information that might help you resolve your
problem. To locate Internet resources for your product, open one of the following
Web sites:
v IBM Tivoli Identity Manager Performance Tuning Guide
Provides information needed to tune Tivoli Identity Manager Server for a
production environment. It is available on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list, and then, click the IBM Tivoli
Identity Manager link. Browse the information center for the Technical
Supplements section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web site:
http://www.ibm.com/developerworks/
© Copyright IBM Corp. 2003, 2007 63
Obtaining fixes
A product fix might be available to resolve your problem. You can determine what
fixes are available for your IBM software product by checking the product support
Web site:
1. Go to the IBM Software Support Web site (http://www.ibm.com/software/support).
2. Under Products support pages A to Z, select the letter for your product name.
3. In the list of specific products, click IBM Tivoli Identity Manager.
4. Under Self help, you find a list of fixes, fix packs, and other service updates
for your product.
5. Click the name of a fix to read the description and optionally download the fix.
To receive weekly e-mail notifications about fixes and other news about IBM
products, follow these steps:
1. From the support page for any IBM product, click My support in the upper-left
corner of the page.
2. If you have already registered, skip to the next step. If you have not registered,
click register in the upper-right corner of the support page to establish your
user ID and password.
3. Sign in to My support.
4. On the My support page, click Edit profiles in the left navigation pane, and
scroll to Select Mail Preferences. Select a product family and check the
appropriate boxes for the type of information you want.
5. Click Submit.
6. For e-mail notification for other products, repeat Steps 4 and 5.
For more information about types of fixes, see the Software Support Handbook
(http://techsupport.services.ibm.com/guides/handbook.html).
Contacting IBM Software Support
IBM Software Support provides assistance with product defects.
Before contacting IBM Software Support, your company must have an active IBM
software maintenance contract, and you must be authorized to submit problems to
IBM. The type of software maintenance contract that you need depends on the
type of product you have:
v For IBM distributed software products (including, but not limited to, Tivoli,
Lotus, and Rational products, as well as DB2 and WebSphere products that run
on Windows or UNIX operating systems), enroll in Passport Advantage in one
of the following ways:
– Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/ Passport_Advantage_Home) and click How
to Enroll
– By phone: For the phone number to call in your country, go to the IBM
Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
v For IBM eServer software products (including, but not limited to, DB2 and
WebSphere products that run in zSeries, pSeries, and iSeries environments), you
can purchase a software maintenance agreement by working directly with an
IBM sales representative or an IBM Business Partner. For more information
64 IBM Tivoli Identity Manager: Release Notes
about support for eServer software products, go to the IBM Technical Support
Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).
If you are not sure what type of software maintenance contract you need, call
1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to
the contacts page of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of
your geographic region for phone numbers of people who provide support for
your location.
Follow the steps in this topic to contact IBM Software Support:
1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.
Determine the business impact of your problem
When you report a problem to IBM, you are asked to supply a severity level.
Therefore, you need to understand and assess the business impact of the problem
you are reporting. Use the following criteria:
Severity 1 Critical business impact: You are unable to use the program,
resulting in a critical impact on operations. This condition
requires an immediate solution.
Severity 2 Significant business impact: The program is usable but is
severely limited.
Severity 3 Some business impact: The program is usable with less
significant features (not critical to operations) unavailable.
Severity 4 Minimal business impact: The problem causes little impact on
operations, or a reasonable circumvention to the problem has
been implemented.
Describe your problem and gather background information
When explaining a problem to IBM, be as specific as possible. Include all relevant
background information so that IBM Software Support specialists can help you
solve the problem efficiently. To save time, know the answers to these questions:
v What software versions were you running when the problem occurred?
v Do you have logs, traces, and messages that are related to the problem
symptoms? IBM Software Support is likely to ask for this information.
v Can the problem be re-created? If so, what steps led to the failure?
v Have any changes been made to the system? (For example, hardware, operating
system, networking software, and so on.)
v Are you currently using a workaround for this problem? If so, please be
prepared to explain it when you report the problem.
The Tivoli Identity Manager serviceability tool assists in gathering information for
working with an IBM Software Support representative. The tool collects Tivoli
Identity Manager related log files, performs a check of the product JAR files,
gathers some limited configuration details, and creates a compressed file that
contains this information. The compressed file can then be transferred or e-mailed
to a support representative.
Appendix A. Support information 65
Use this tool only when directed to by your support representative. For more
information, refer to the IBM Tivoli Identity Manager Problem Determination Guide.
Submit your problem to IBM Software Support
You can submit your problem in one of two ways:
v Online: Go to the ″Submit and track problems″ page on the IBM Software
Support site (http://www.ibm.com/software/support/probsub.html). Enter
your information into the appropriate problem submission tool.
v By phone: For the phone number to call in your country, go to the contacts page
of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your
geographic region.
If the problem you submit is for a software defect or for missing or inaccurate
documentation, IBM Software Support creates an Authorized Program Analysis
Report (APAR). The APAR describes the problem in detail. Whenever possible,
IBM Software Support provides a workaround for you to implement until the
APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the
IBM product support Web pages daily, so that other users who experience the
same problem can benefit from the same resolutions.
For more information about problem resolution, see “Searching knowledge bases”
on page 63 and “Obtaining fixes” on page 64.
66 IBM Tivoli Identity Manager: Release Notes
Appendix B. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
© Copyright IBM Corp. 2003, 2007 67
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both: IBM,
IBM logo, AIX, DB2, Domino, Lotus, SecureWay, Tivoli, Tivoli logo, Universal
Database, WebSphere.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation
in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
68 IBM Tivoli Identity Manager: Release Notes
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
Java and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or
both.
Other company, product, and service names may be trademarks or service marks
of others.
Appendix B. Notices 69
70 IBM Tivoli Identity Manager: Release Notes
����
Program Number: 5724–C34
Printed in USA
GI11-4212-05