Sun Java™ System Identity Manager Release Notes
Version 7.1 Update 1
November 2007
Part Number 820-2952-10

These Release Notes contain important information available at the time of release of Sun Java System Identity Manager 7.1 Update 1. New features and enhancements, known issues and limitations, and other information are addressed here. Read this document before you begin using Identity Manager 7.1 Update 1.
Supported Software and Environments Introduction This section of the Identity Manager 7.
Operating Systems

This release of Identity Manager supports the following operating systems:
• AIX 4.3.3, 5.2, 5L v5.3
• HP-UX 11i v1, 11i v2
• Microsoft Windows 2000 SP3 or higher
• Microsoft Windows 2003
• Solaris 8, 9, 10 Sparc and x86
• Red Hat Linux Advanced Server 2.1
• Red Hat Linux Enterprise Server 3.0, 4.0
• Novell SuSE Linux Enterprise Server 9 SP1

Application Servers

The application server you use with Identity Manager must be Servlet 2.
Supported Software and Environments • Sun Java™ System Application Server Enterprise Edition 8.1, 8.2, 9.x • Sun Java™ System Application Server Standard Edition 8.2 NOTE • If your current application server does not support JDK 1.4.2 or higher, please check with your vendor to examine the implications of upgrading to one that does before installing Identity Manager 7.1 • You can run Identity Manager 7.1 and later on BEA WebLogic application servers with all WebLogic-supported 1.4.2 and 1.5 JVMs.
Supported Software and Environments Sun Identity Manager Gateway If you plan to set up Windows Active Directory, Novell NetWare, Remedy, Lotus Notes (Domino) or RSA ACE/Server resources, you should install the Sun Identity Manager Gateway. NOTE The Novell GroupWise adapter is deprecated, and will be discontinued in the next major Identity Manager release. However, the NetWare NDS adapter supports GroupWise accounts, and can be used instead.
Supported Software and Environments Databases • Generic database table • IBM® DB2® Universal Database for Linux, UNIX®, and Windows® 7.x, 8.1, 8.2 • Microsoft® Identity Integration Server (MIIS) 2003 • Microsoft SQL Server 2000, 2005 • MySQL™ 4.1.x, 5.x The MySQL™ 4.1.x database server is deprecated, and will be discontinued in the next major Identity Manager release. NOTE • Oracle Database 9i®, 10g Release 1®, 10g Release 2® • Sybase Adaptive Server® 12.
Supported Software and Environments Enterprise Resource Planning (ERP) • MySAP ERP 2005 (ECC 6.0) Kernel version 7.00 • Oracle E-Business Suite on Oracle Applications 11.5.9, 11.5.10, 12 • Peoplesoft® PeopleTools 8.1 through 8.4.2 • Peoplesoft PeopleTools HRMS 8.0 through 8.8, 9.0 • SAP® R/3 v4.5, v4.6 • SAP® R/3 Enterprise 4.7 (SAP BASIS 6.20) • SAP® NetWeaver Enterprise Portal 2004 (SAP BASIS 6.40) • SAP® NetWeaver Enterprise Portal 2004s (SAP BASIS 7.
Supported Software and Environments • Lotus Notes® (Domino) 5.0, 6.5, 7.0 • Microsoft® Exchange 2000, 2003 • Novell® GroupWise 6.0, 6.5, and 7.0 (using the Novell NDS adapter) NOTE • Microsoft Exchange 2000 and 2003 are managed through the Microsoft Windows Active Directory 2000 and 2003 resources. • The Novell GroupWise adapter is deprecated and will be discontinued in the next major Identity Manager release. However, the NetWare NDS adapter supports GroupWise accounts, and can be used instead.
Supported Software and Environments • Red Hat Linux Advanced Server 2.1 • Red Hat Linux Enterprise Server 3.0, 4.0 • Sun Solaris™ 8, 9, 10 • SuSE Enterprise 9 NOTE If you manage NIS accounts on Solaris, install patch 126632-01 on the resource to improve the performance of the logins command and the Solaris adapter. Role Management System • BridgeStream SmartRoles 2.7 Security Managers • ActivCard® 5.0 • eTrust CA-ACF2® Security • eTrust CA-Top Secret® Security 5.
Supported Software and Environments • Sun™ ONE Identity Server 6.0, 6.1, 6.2 • Sun Java™ System Identity Server 2004Q2 • Sun Java™ System Access Manager 6 2005Q1, 7 2005Q4 (Realms supported as of 2005Q4), 7.1 Web Servers NOTE Integration between an application server and Web server is not required for Identity Manager. You may choose to use a Web server for better load balancing and for increased security (through the https protocol). • Apache 1.3.19 • iPlanet 4.
Supported Software and Environments Discontinued Software Identity Manager will discontinue support for the following software packages that are used as application servers, database repositories and managed resources. Support will continue until the next major release of Identity Manager. Please contact your Customer Care representative or Customer Support if you have questions about moving to newer versions of these software packages. Software Category Software Package Operating Systems • IBM AIX 4.
Supported Software and Environments The following dependent software will no longer be supported in Identity Manager 7.1 or 7.1 Update 1: Software Category Software Package Repository Database Servers • Oracle 8i • IBM DB2 Universal Database for Linux, UNIX, and Windows 7.0 Operating Systems • Solaris 7, Microsoft Windows NT 4.0 Resources • Microsoft Exchange 5.5 • IBM DB2 7.0 • Novell® GroupWise 5.x API Support The Identity Manager 7.
Supported Software and Environments Task com.waveset.task.Executor com.waveset.task.TaskContext UI com.waveset.ui.FormUtil com.waveset.ui.util.RequestState com.waveset.ui.util.html.* Workflow com.waveset.provision.WorkflowServices com.waveset.session.WorkflowServices com.waveset.workflow.WorkflowApplication com.waveset.workflow.WorkflowContext Identity Manager SPE additionally includes the public classes listed in the following table. API Type Class Names SPE com.sun.idm.idmx.api.* com.sun.idm.
Upgrade Paths and End of Service Life

This section provides information about the upgrade paths you should follow when upgrading Identity Manager, and describes Identity Manager’s End of Service Life (EOSL) policy for the product's software support.

Identity Manager Upgrade Paths

Use the following to determine the upgrade path you must follow when upgrading to a newer version of Identity Manager. Current Identity Manager Version Waveset Lighthouse 4.
Upgrade Paths and End of Service Life NOTE • When upgrading Identity Manager, you do not have to install Updates (formerly called Service Packs or SPs) within a major release to upgrade to the next major release. For example, when upgrading from Identity Manager 5.0 to 6.0, you do not have to install any of the 5.0 Service Packs. • Updates for a major release are cumulative.
Redistributable Files Limited Support Phase During the Limited Support Phase, Sun Microsystems, Inc. provides software support in accordance with the customer's support contract with Sun (including the applicable Service Listing) as set forth at: http://www.sun.com/service/servicelist/ However, customers are not entitled to submit bugs or to receive new patches from Sun Microsystems, Inc.
How to Report Problems and Provide Feedback

If you have problems with Sun Java System Identity Manager, contact Sun customer support using one of the following mechanisms:
• Sun Software Support services online at http://www.sun.com/service/sunone/software
  This site has links to the Knowledge Base, Online Support Center, and ProductTracker, as well as to maintenance programs and support contact numbers.
Additional Sun Resources

Useful Sun Java System information can be found at the following Internet locations:
• Documentation for Sun Java™ System Identity Manager http://docs.sun.com/app/docs/prod/ident.mgr#hic
• Sun Java System Documentation http://docs.sun.com/prod/java.sys
• Sun Java System Professional Services http://www.sun.com/service/sunps/sunone
• Sun Java System Software Products and Service http://www.sun.
Copyright © 2007 Sun Microsystems, Inc. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries. SUN PROPRIETARY/CONFIDENTIAL.
Identity Manager 7.1 Update 1 Features

This section of the Identity Manager 7.1 Update 1 Release Notes provides information about:
• What’s New in This Release
• Bugs Fixed in This Release
• Known Issues

What’s New in This Release

This section provides additional information about the new features provided in Identity Manager 7.
What’s New in This Release • A Return to Main Menu button was added to the Launch Requests form to take users back to the Identity Manager Home page. (ID-15957) The Launch Requests form (EndUserRequestMenu) is preserved during an upgrade, so you must manually add this button to the End User interface by referring to the default UserForm object in sample/enduser.xml. • Identity Manager supports the Microsoft Internet Explorer 7 browser.
What’s New in This Release • The Netbeans embedded application server now automatically shuts down whenever you perform any of the following project operations (ID-16738): ❍ Clean Project ❍ Create Delta Distribution ❍ Create Jar ❍ Debug Project ❍ Manage Embedded Repository ❍ Profile Project ❍ Run Project • Identity Manager IDE’s Manage Embedded Repository feature can now import your customizations as well as default init.
❍ In the build-config.properties file, install.includes has been replaced by install.pattern.substitution.excludes and install.excludes.
❍ The ant property names were changed, and they now use the standard “.” ant convention instead of “-”. In addition, lighthouse* property names were changed to idm*.
❍ XML validation is now run both before and after pattern substitutions are applied.
❍ For Identity Manager 7.
Password Synchronization
• PasswordSync uses a newly created servlet to provide support for 64-bit Windows. This servlet goes into the web.xml file and should be configured as follows (ID-15660): PasswordSync com.waveset.rpc.
What’s New in This Release Resource Adapter Updates • MySQL resource adapter now supports account iteration. The adapter discards duplicate usernames and skips null usernames. (ID-6204) • The RACF adapter now allows you to control dataset rules directly, rather than have Identity Manager administer them. This feature enables you to create dataset rules different from the rules that are native to Identity Manager. (ID-10446) The following example after create rule creates a dataset rule of user id.test1.
What’s New in This Release In addition, the following attributes are available from the SAP Resource adapter: ❍ Use SAP Temporary Passwords ❍ Return SAP Temporary Passwords on Failure • The SAP Adapter now supports the Rename feature. For more information, see “Renaming Accounts” on page 104 in Documentation Additions and Corrections. (ID-15582) • The rethrowAllSQLExceptions parameter has been added to the Database Table adapter.
What’s New in This Release Security • Identity Manager now provides a new, built-in ObjectGroup/organization called End User that, initially, has no member objects. The End User ObjectGroup/organization enables users to view several types of objects, including tasks, rules, roles, and resources. This ObjectGroup/organization is implicitly assigned to all users. For more information, see “Chapter 5, Administration” in Documentation Additions and Corrections.
Bugs Fixed in This Release

This section describes the bugs fixed in Identity Manager 7.
Bugs Fixed in This Release • The Summary column on the Run Reports page now displays correctly localized text. (ID-12393) • The Resource List Group view on the Resource tab now displays the Resource Group list in the order that it was saved instead of sorting the list. (ID-14117) • The synchronization mechanism for the legacy role and current roles attribute can now clear the legacy role attribute when roles are removed.
Bugs Fixed in This Release • You can now edit and save current or previous workItem delegations. (ID-16564) • When delegating future work items for a user, if the user does not have an Identity Manager manager or cannot access any other users or DelegateWorkItemsRules, that user is no longer allowed to create new delegations, edit existing delegations, or edit previous delegations. (ID-16566) • TaskDefinitions containing ManualActions will now run correctly from the End User interface.
Auditing
• Now, when you launch a periodic access review and then go to the Access Reviews page, you no longer have to manually refresh the page to see your scan displayed in the list. (ID-14169, 16570)
• The Identity Manager Compliance features provide tasks, policies, and rules that you can use as is. (ID-16127, 16571) Identity Manager initially creates these objects in either the Top or All object groups as appropriate.
Bugs Fixed in This Release • Continuous compliance is now enforced on all subtabs on the User Edit page. (ID-16934) • When you end a delegation in the user interface and then run an Audit Log report, the changes are now captured in the audit report. (ID-17103) Installation and Upgrade • For an example of how to create the required database structure on SQL Server 2005 SP2, refer to the comments provided in the sample database creation script (sample/create_waveset_tables.sqlserver).
Bugs Fixed in This Release Password Synchronization • The Password Synchronization dll now shows the correct error messages for connection failures instead of the There was a soap client error: -2147467259 message. This change also fixes possible handle leaks during connection failures. (ID-15451) • Computer object changes in Active Directory no longer cause a handle leak in the PasswordSync dll.
Bugs Fixed in This Release • Identity Manager now supports the CLOB datatype for acctAttrChanges when using an Oracle database as the Identity Manager repository. (ID-15326) The advantage of using CLOB (instead of using the default VARCHAR(4000) datatype) is that it allows a much larger set of changes to be logged; however, it also makes this column more difficult to query, due to the proprietary nature of the CLOB access routines. To enable a larger set of changes, you must change the log.
Bugs Fixed in This Release • The Audit Log has been updated to more accurately reflect what has happened to resource attributes during the creation or modification of a resource account. (ID-15323) The log now contains three columns for resource account attributes: ❍ The first column (old value) shows the value before modification. ❍ The second column (attempted value) shows the requested change. ❍ The third column (new value) shows how the value was actually set.
• The attribute names on the left-hand side of the SAP adapter schema map have been changed as follows: (ID-16399)

  Old Name                New Name
  title                   titleP
  nameSupplement          titleSupplement
  communicationTypeCUA    communicationType
  personName              addressName
  personName2             addressName2
  personName3             addressName3
  personName4             addressName4
  cityPostalCode2         poBoxPostalCode
  cityPostalCode3         companyPostalCode
  poBoxCityNumber         poBoxCityCode
  streetCode              streetNumber

• The Oracle ERP adapter no
Bugs Fixed in This Release • When using Attachmate libraries to access a mainframe, Identity Manager uses the port specified in the resource instead of always using the default TCP port (23). (ID-17046) • The sample AccessEnforcerUserForm now handles cases where an Access Enforcer user’s role assignment only contains a single SAP role. (ID-17161) Roles • Rules used to calculate resource attributes from roles are no longer applied when a user logs in to the End User page.
Workflow
• You can no longer edit expired work items. Identity Manager now returns an error indicating the work item is invalid. (ID-15439)
• Configuring a large number of users with the same email address no longer causes an OutOfMemory error for a Notify action. (ID-16386)

Additional Defects Fixed

9940, 11690, 14489, 15073, 15906, 16382, 16395, 16500, 16536, 16560, 16586, 16596, 16610, 16656, 16680, 16770, 16870, 16930, 17044, 17055

Known Issues

This section of the Identity Manager 7.
• A regression causes Identity Manager password synchronization to fail when used with Sun Java™ System Directory Server Enterprise Edition 6.0, 6.1, and 6.2. The failure will be corrected in the Directory Server 6.3 release. If versions 6.0, 6.1, or 6.2 are required to work with Identity Manager, please request a Directory Server hotfix from Support, referencing Directory Server bug 6604342. (ID-14895)
• When you expand the resource objects of a Sun Java™ System Access Manager 7.
If you have a version of Oracle prior to 10g R2 and cannot upgrade Oracle to 10g R2, then configure the Identity Manager repository so that it connects to the Oracle database using Oracle's JDBC Driver Manager (and not a WebSphere data source). See the following URL for more information: http://www-1.ibm.com/support/docview.wss?uid=swg21225859
• Numbers display in the Priority and Severity columns of the Violation Summary Report instead of text descriptions.
• When installing Password Synchronization, be sure to use the binary that is appropriate for the operating system on which you are installing. The binary for 32-bit Windows is called IdmPwSync_x86.msi and the binary for 64-bit Windows is called IdmPwSync_x64.msi. If you install the wrong binary, it may appear to succeed, but Password Synchronization will not operate properly.
• When executing Load From Resource, and the resource supports ACCOUNT_CASE_INSENSITIVE_IDS, if the user's accountId differs in case from the accountId stored in Identity Manager’s ResourceInfo user object, a second ResourceInfo will be added to the user object with the accountId in the same case as reported by the resource.
  Workaround: Ensure that the accountId in the Identity Manager ResourceInfo object in the user object is the same case as that reported by the resource.
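The workaround above can be checked before running Load From Resource. The following is an added example, not code from Identity Manager or from these release notes: it compares the accountIds stored in Identity Manager with those the resource reports and lists links that differ only in case, plus users who already carry a duplicate link. The input shapes, resource names and account names are constructed assumptions, not an Identity Manager export format.

```python
"""Pre-check for the Load From Resource accountId case issue (added example).

All input shapes and sample values below are constructed for illustration;
they are not an Identity Manager export format.
"""
from collections import defaultdict


def find_case_mismatches(idm_links, resource_accounts, case_insensitive):
    """Return links whose stored accountId differs only in case from the resource.

    idm_links: iterable of (idm_user, resource, account_id) as stored in
        Identity Manager (one tuple per ResourceInfo).
    resource_accounts: {resource: iterable of accountIds as the resource reports them}.
    case_insensitive: set of resources that treat accountIds case-insensitively
        (those that support ACCOUNT_CASE_INSENSITIVE_IDS).
    Each finding is (idm_user, resource, stored_id, reported_id).
    """
    findings = []
    for resource in case_insensitive:
        # Index the resource's own spelling by its case-folded form.
        reported = {}
        for acct in resource_accounts.get(resource, ()):
            reported.setdefault(acct.casefold(), acct)
        for user, res, stored in idm_links:
            if res != resource:
                continue
            actual = reported.get(stored.casefold())
            if actual is not None and actual != stored:
                findings.append((user, resource, stored, actual))
    return sorted(findings)


def find_duplicate_links(idm_links, case_insensitive):
    """Return (idm_user, resource, [accountIds]) where a user already holds two
    or more links on one case-insensitive resource that differ only by case."""
    groups = defaultdict(set)
    for user, resource, stored in idm_links:
        if resource in case_insensitive:
            groups[(user, resource, stored.casefold())].add(stored)
    return sorted(
        (user, resource, sorted(ids))
        for (user, resource, _), ids in groups.items()
        if len(ids) > 1
    )


# Constructed sample data.
IDM_LINKS = [
    ("jsmith", "AD-Corp", "JSmith"),   # stored case differs from the resource
    ("mlee", "AD-Corp", "mlee"),       # original link
    ("mlee", "AD-Corp", "MLee"),       # second link added by an earlier load
    ("rroe", "AD-Corp", "rroe"),       # matches exactly
    ("akhan", "LDAP-Unix", "AKhan"),   # case-sensitive resource, out of scope
]
RESOURCE_ACCOUNTS = {
    "AD-Corp": ["jsmith", "MLee", "rroe"],
    "LDAP-Unix": ["akhan"],
}
CASE_INSENSITIVE = {"AD-Corp"}

if __name__ == "__main__":
    for user, res, stored, actual in find_case_mismatches(
        IDM_LINKS, RESOURCE_ACCOUNTS, CASE_INSENSITIVE
    ):
        print(f"{user}@{res}: stored {stored!r}, resource reports {actual!r}")
    for user, res, ids in find_duplicate_links(IDM_LINKS, CASE_INSENSITIVE):
        print(f"{user}@{res}: duplicate links {ids}")
```

Links reported by find_case_mismatches are the ones to correct before the load; entries from find_duplicate_links indicate the second ResourceInfo has already been created.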
Installation and Update Notes This section provides information related to installing or updating, and the information is organized as follows: • Installation Notes • Upgrade Notes A schema change occurs with most major Identity Manager releases. You must update your schema before upgrading to a new Identity Manager version. To upgrade to Identity Manager 7.
Installation Notes • Running the Sun Identity Manager Gateway on a Windows NT system requires the Microsoft Active Directory Client extension. The DSClient can be found at the following location: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q288358 NOTE • Refer to the Sun Java™ System Identity Manager Installation publication for detailed product installation instructions. On UNIX/Linux, there are two additional installation requirements (ID-8403): ❍ ❍ • For 5.0 - 5.
Upgrade Notes

This section summarizes the tasks you must perform to upgrade Identity Manager from version 6.0 or version 7.0 to version 7.1. (See “Identity Manager Upgrade Paths” on page 14 for information about which versions can be upgraded to Identity Manager 7.1.
Upgrade Notes • Identity Manager’s User Extended Attributes now fully supports multi-valued attributes. (ID-14863) NOTE You can add a multi-valued user extended attribute to the accounts list table, and it will render the list without error. However, attempting to sort on that column will yield the following error: java.lang.ClassCastException: java.util.
Upgrade Notes ❍ Using the Deferred Task Scanner. NOTE Before running the Deferred Task Scanner process, you must edit the System Configuration object using the Identity Manager Integrated Development Environment (Identity Manager IDE) or some other method. Search for 'refreshOfType' and remove the attributes for '2005Q4M3refreshOfTypeUserIsComplete' and '2005Q4M3refreshOfTypeUserUpperBound'. After editing the System Configuration object, you must import it to repository for your changes to be present.
Upgrade Notes • Table 1 If your installation contains a Remedy resource, you must place Remedy API libraries in the directory where the Gateway is installed. These libraries can be found on the Remedy server. Remedy API Libraries Remedy 4.x and 5.x Remedy 6.3 Remedy 7.0 • arapiXX.dll • arapi63.dll • arapi70.dll • arrpcXX.dll • arrpc63.dll • arrpc70.dll • arutlXX.dll • arutl63.dll • arutl70.dll • icudt20.dll • icudt32.dll • icuin20.dll • icuin32.dll • icuuc20.
Upgrade Notes Using the Identity Manager Upgrade Program This section describes the steps for upgrading Identity Manager using the Identity Manager installation and upgrade program. NOTES • A schema change occurs with most major Identity Manager releases. You must update your schema before upgrading to a new Identity Manager version. To upgrade to Identity Manager 7.
Upgrade Notes To upgrade Identity Manager: 1. Shut down the application server. 2. If you are upgrading to Identity Manager 6.0 or Identity Manager 7.0, you must upgrade the repository database schema, as follows: ❍ ❍ Identity Manager 6.0 introduces a schema change that provides new tables for tasks, groups, orgs, and the syslog table. You must create these new table structures and move your existing data. Identity Manager 6.0 stores user objects in two tables.
Upgrade Notes ❍ To activate the installer in nodisplay mode, change to the directory where the software is located, and enter the following command: install -nodisplay The installer displays the Welcome text, and then presents a list of questions to gather installation information in the same order as the GUI installer. NOTE • If no display is present, the installer defaults to the nodisplay option. • The installer will not install an older version of the software over a newer version.
Upgrade Notes f. Extract the new Gateway files. If you are installing the newly upgraded Gateway on a system that is not the Identity Manager server, then copy the gateway.zip file from the Identity Manager Installation CD. g. Unpack the gateway.zip file into the directory where Gateway was installed. h. Run the following command to install the Gateway service: gateway -i i.
4. Run pre-process:

    mkdir %TEMP%
    cd /d %TEMP%
    jar -xvf %ISPATH%\IDM.WAR WEB-INF\lib\idm.jar WEB-INF\lib\idmcommon.jar
    set TMPLIBPTH=%TEMP%\WEB-INF\lib
    set CLASSPATH=%TMPLIBPTH%\idm.jar;%TMPLIBPTH%\idmcommon.jar;
    java -classpath %CLASSPATH% -Dwaveset.home=%WSHOME% com.waveset.install.UpgradePreProcess

5. Install software:

    cd %WSHOME%
    jar -xvf %ISPATH%\IDM.WAR

6. Run post-process:

    java -classpath %CLASSPATH% -Dwaveset.home=%WSHOME% com.waveset.install.
On a UNIX Platform

Use the following steps to upgrade Identity Manager manually on a supported UNIX platform:

1. Stop the application server and Sun Identity Manager Gateway.
2. Update the Identity Manager database. (See Step 2 on page 52 for instructions.)
3. Enter the following commands to set your environment:

    export ISPATH=Path to Install Software
    export WSHOME=Path to Identity Manager Installation OR Staging Directory
    export TEMP=Path to Temporary Directory

4.
Upgrade Notes 7. Change directory to $WSHOME/bin/solaris or $WSHOME/bin/linux, and then set permissions on the files in the directory so that they are executable. 8. If you installed into a staging directory, create a .war file for deployment to your application server. 9. Remove the Identity Manager files from the application server work directory. 10.
Deprecated APIs This section lists all Identity Manager Application Programming Interfaces (APIs) deprecated since Identity Manager 6.0 2005Q4M3 and their replacements (if available). This information is organized into the following sections: • Deprecated Constructors and Classes • Deprecated Methods and Fields Deprecated Constructors and Classes The following table lists the deprecated constructors and classes and their replacements, when available. Deprecated Replacement com.sun.idm.idmx.
Deprecated Constructors and Classes Deprecated Replacement com.waveset.adapter.ResourceAdapterBase.SimpleAccount Iterator Users of this class should switch to using the supplier model for account iteration. A direct replacement for this class would be: new BufferedAccountQueue(new SimpleAccountSupplier(accounts)); com.waveset.adapter.SVIDResourceAdapter.BlockAcctIter References to this class should be replaced with an AccountIterator based on the Supplier model.
Deprecated Methods and Fields Deprecated Replacement com.waveset.security.authz.Right com.waveset.object.Right com.waveset.util.ConnectionPool.getConnection(String, String, String, String, String, boolean) getConnection(String driverClass, String driverPrefix, String url, String user, String password, boolean checkConnection, String validationSql) com.waveset.util.CSVParser com.waveset.util.ConfigurableDelimitedFileParser com.waveset.util.Debug com.sun.idm.logging.Trace com.waveset.util.
Deprecated Methods and Fields com.waveset.adapter.AccessManagerResourceAdapter Deprecated Method or Field Replacement handlePDException(Exception) handlePDException(PDException) com.waveset.adapter.ACF2ResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.ActiveSync Deprecated Method or Field Replacement RA_UPDATE_IF_DELETE com.waveset.adapter.ActiveSyncUtil Deprecated Method or Field Replacement getLogFileFullPath() com.waveset.adapter.
Deprecated Methods and Fields com.waveset.adapter.AgentResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.AuthSSOResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.ClearTrustResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.DatabaseTableResourceAdapter Deprecated Method or Field Replacement RA_PROCESS_NAME com.waveset.adapter.
Deprecated Methods and Fields com.waveset.adapter.DominoResourceAdapter Deprecated Method or Field Replacement buildEvent(UpdateRow) com.waveset.adapter.iapi.IAPIFactory#getIAPI(Map,Map,ResourceAdapterBase) RA_UPDATE_IF_DELETE com.waveset.adapter.ActiveSync#RA_DELETE_RULE com.waveset.adapter.DominoResourceAdapterBase Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.
com.waveset.adapter.HostConnectionPool

  Deprecated Method or Field        Replacement
  getConnection(HostAccessLogin)    com.waveset.adapter.HostConnPool#getAffinityConnection(HostAccessLogin)
  releaseConnection(HostAccess)     com.waveset.adapter.HostConnPool#releaseConnection(HostAccess)
  releaseConnection(IHostAccess)    com.waveset.adapter.HostConnPool#releaseConnection(IHostAccess)

com.waveset.adapter.
Deprecated Methods and Fields com.waveset.adapter.INISafeNexessResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.LDAPResourceAdapterBase Deprecated Method or Field Replacement addUserToGroup(LDAPObject,String,String) addUserToGroup(String,String,String) buildBaseUrl() buildBaseUrl(String) buildEvent(UpdateRow) getAccountAttributes(String) getBaseContextAttrName() com.waveset.adapter.
Deprecated Methods and Fields com.waveset.adapter.NaturalResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.NDSResourceAdapter Deprecated Method or Field Replacement buildEvent(UpdateRow) getBaseContextAttrName() com.waveset.adapter.ResourceAdapter#getBaseContexts() com.waveset.adapter.ONTDirectorySmartResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.
Deprecated Methods and Fields com.waveset.adapter.RACFResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.RASecureConnection Deprecated Method or Field Replacement ExchangeAuth(boolean) ExchangeAuth(boolean,byte[]) com.waveset.adapter.RequestResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.
Deprecated Methods and Fields com.waveset.adapter.ResourceAdapterBase Deprecated Method or Field Replacement getAccountAttributes(String) getAdapter(Resource,LighthouseContext) getAdapterProxy(Resource,LighthouseContext) getAdapter(Resource,ObjectCache,WSUser) getAdapterProxy(Resource,ObjectCache) getAdapter(Resource,ObjectCache) getAdapterProxy(Resource,LighthouseContext) getBaseContextAttrName() getBaseContexts() isExcludedAccount(String,Rule) com.waveset.adapter.
Deprecated Methods and Fields com.waveset.adapter.SAPResourceAdapter Deprecated Method or Field Replacement reverseMapMultiAttr(String, Object, WSUser) setUserField(JCO.Function, String) Function#setUserField(String) unexpirePassword(String,WavesetResult) unexpirePassword(String, String,String,WavesetResult) unexpirePassword(WSUser,WavesetResult) unexpirePassword(String, String,String,WavesetResult) com.waveset.adapter.
Deprecated Methods and Fields com.waveset.adapter.SMEResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.SQLServerResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.SunAccessManagerResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) getBaseContextAttrName() com.waveset.adapter.ResourceAdapter#getBaseContexts() com.waveset.adapter.
Deprecated Methods and Fields com.waveset.adapter.TopSecretResourceAdapter Deprecated Method or Field Replacement hasError(String,String) hasError(String,String,String) login(HostAccess hostAccess) login(HostAccess,ServerAffinity) login(IHostAccess hostAccess) #login(IHostAccess hostAccess, ServerAffinity affinity) com.waveset.adapter.VerityResourceAdapter Deprecated Method or Field Replacement getAccountAttributes(String) com.waveset.adapter.
Deprecated Methods and Fields com.waveset.object.Account Deprecated Method or Field Replacement getUnowned() hasOwner() setUnowned(boolean) setOwner(WSUser) com.waveset.object.AccountAttributeType Deprecated Method or Field Replacement getAttrType() getSyntax() setAttrType(String) setSyntax(String) setSyntax(Syntax) com.waveset.object.
Deprecated Methods and Fields com.waveset.object.AttributeDefinition Deprecated Method or Field Replacement AttributeDefinition(String,String) AttributeDefinition(String,Syntax) setAttrType(String) setSyntax(Syntax) com.waveset.object.
com.waveset.object.EmailTemplate

  Deprecated Method or Field    Replacement
  setToAddress(String)          setTo(String)
  getFromAddress()              getFrom()
  getToAddress()                getTo()
  setFromAddress(String)        setFrom(String)
  VAR_FROM_ADDRESS              VAR_FROM
  VAR_TO_ADDRESS                VAR_TO

com.waveset.object.Form

  Deprecated Method or Field    Replacement
  EL_HELP

com.waveset.object.
Deprecated Methods and Fields com.waveset.object.MessageUtil Deprecated Method or Field Replacement getActionDisplayKey(String) getEventParmDisplayKey(String) getResultDisplayKey(String) getTypeDisplayKey(String) com.waveset.ui.FormUtil#getTypeDisplayName(LighthouseContext,String) com.waveset.object.RepositoryResult Deprecated Method or Field Replacement get(int) getId(int) getName(int) getObject(int) getRowCount() getRows() seek(int) hasNext() next() sort() com.waveset.object.RepositoryResult.
Deprecated Methods and Fields com.waveset.object.TaskInstance Deprecated Method or Field Replacement DATE_FORMAT com.waveset.util.Util#stringToDate(String,String) com.waveset.util.Util#getCanonicalDate(Date) com.waveset.util.Util#getCanonicalDate(Date,TimeZone) com.waveset.util.Util#getCanonicalDate(long) VAR_RESULT_LIMIT setResultLimit(int) getResultLimit() VAR_TASK_STATUS com.waveset.object.
com.waveset.object.
com.waveset.session
Subclass Deprecated Method or Field Replacement
LocalSession getAdministrators(Map) com.waveset.view.WorkItemUtil#getAdministrators Session listApprovers() getAdministrators(Map) listControlledApprovers() getAdministrators(Map) listSimilarApprovers(String adminName) getAdministrators(Map) getApp(String) getLoginApp(String) getApps() getLoginApps() ARG_TASK_DATE com.waveset.object.Attribute#DATE SessionFactory WorkflowServices com.
Deprecated Method or Field | Replacement
getCapabilities(LighthouseContext,String,String) | getCapabilities(LighthouseContext,Map)
getCapabilities(LighthouseContext) | getCapabilities(LighthouseContext,Map)
getObjectNames(LighthouseContext,String,List,Map) | getObjectNames(LighthouseContext,String,Map)
getObjectNames(LighthouseContext,String,List) | getObjectNames(LighthouseContext,String,Map)
getObjectNames(LighthouseContext,String,String,String,List,Map) | getObjectNames(Lig
Deprecated Method or Field | Replacement
getUnassignedOrganizationsDisplayNames(LighthouseContext,Map) | getOrganizationsDisplayNames(LighthouseContext,Map)
getUnassignedOrganizationsDisplayNames(LighthouseContext) | getOrganizationsDisplayNames(LighthouseContext,Map)
getUnassignedOrganizationsDisplayNamesWithPrefixes(LighthouseContext,List) | getOrganizationsDisplayNames(LighthouseContext,Map)
getUnassignedOrganizationsDisplayNamesWithPrefixes(LighthouseContext) | getOrgan
com.waveset.util.PdfReportRenderer
Deprecated Method or Field | Replacement
render(Element,boolean,String,OutputStream) | render(Element,boolean,String,OutputStream,String,boolean)
render(Element,boolean,String) | render(Element,boolean,String,String,boolean)
render(Report,boolean,String,OutputStream) | render(Report,boolean,String,OutputStream,String,boolean)
render(Report,boolean,String) | render(String,boolean,String,String,boolean)

com.waveset.util.
com.waveset.util.Trace
Deprecated Method or Field | Replacement
data(long,Object,String,byte[]) | com.sun.idm.logging.trace.Trace#data(long,String,byte[])
entry(long,Object,String,Object[]) | com.sun.idm.logging.trace.Trace#entry(long,String,Object[])
entry(long,Object,String,String) | com.sun.idm.logging.trace.Trace#entry(long,String)
entry(long,Object,String) | com.sun.idm.logging.trace.Trace#entry(long,String)
exception(long,Object,String,t) | com.sun.idm.logging.trace.
com.waveset.util.Util
Deprecated Method or Field Replacement
DATE_FORMAT_CANONICAL stringToDate(String,String) getCanonicalDate(Date) getCanonicalDate(Date,TimeZone) getCanonicalDate(long) debug(Object) getCanonicalDateFormat() stringToDate(String,String) getCanonicalDate(Date) getCanonicalDate(Date,TimeZone) getCanonicalDate(long) getOldCanonicalDateString(Date,boolean) getCanonicalDateString(Date) rfc2396URLPieceEncode(String,String) com.waveset.util.
Documentation Additions and Corrections This section contains new and corrected information that was required after the Identity Manager 7.1 documentation set was published.
Identity Manager Upgrade • ❍ Step 3: Edit the server.policy File ❍ Step 4. Deploy Identity Manager into Sun ONE Application Server ❍ Step 5.
❍ Edit this file and change the value of the id attribute and the value of the name attribute to match the values from the OLD resource object saved in step 1. These attributes are in the tag.
❍ Save the changes to the file.
❍ Import the modified object back into Identity Manager using either the Configure->Import Exchange File page or the command line.
SnapShot copies the following, specific object types from your system for comparison: • AdminGroup • AdminRole • Configuration • EmailTemplate • Policy • ProvisionTask • RemedyConfig • ResourceAction • Resourceform • Role • Rule • TaskDefinition • TaskTemplate • UserForm You can then compare two snapshots to determine what changes have been made to certain system objects before and after upgrade.
Figure 1 SnapShot Management Page
2. Type a name for the snapshot in the Create text box, and then click the Create button. When Identity Manager adds the snapshot, the snapshot’s name displays in the Compare menu list and to the right of the Export label.
To compare two snapshots:
1. Select the snapshots from each of the two Compare menus (Figure 2).
Figure 2 SnapShot Management Page
2. Click the Compare button.
• If you are upgrading from a 6.x install to version 7.0 or 7.1, and you want to start using the new Identity Manager end-user pages, you must manually change the system configuration ui.web.user.showMenu to true for the horizontal navigation bar to display. (ID-14901)
• If you are upgrading from 6.0 or 7.0 to version 7.1, and using LocalFiles, you must export all of your data before upgrading and then re-import the data after doing a clean installation of 7.1.
NOTE Do not use trailing slashes (\) when specifying the path, even if the path contains no spaces.
set WSHOME=c:\Program Files\Apache Group\Tomcat 5.5\idm
or
set WSHOME=c:\Progra~1\Apache~1\Tomcat~1\idm
The following path will not work:
set WSHOME="c:\Program Files\Apache Group\Tomcat 5.5\idm"

Identity Manager Administration Guide
This section provides new information and documentation corrections for Sun Java™ System Identity Manager Administration.
Chapter 3, User and Account Management
• In the section titled Disable Users (User Actions, Organization Actions), the note has been amended.
Table 2 Authentication Question Policy options (Continued)
Option | Description
Random | This option allows the administrator to specify how many questions the user must answer. Identity Manager randomly selects and displays the specified number of questions from the list of questions defined in the policy as well as those the user has defined. The user must answer all questions displayed.
Any | Identity Manager displays all policy-defined and user-defined questions.
You can use the EndUserControlledOrganizations rule to define whatever logic is necessary to ensure the right set of users are available for delegating, based on your organizational needs.
• The following information should be added to the “Understanding and Managing Capabilities” section. (ID-14630, 15614)
Identity Manager provides a built-in ObjectGroup/organization called End User that, initially, has no member objects. The End User ObjectGroup/organization is implicitly assigned to all users, and enables them to view several types of objects, including tasks, rules, roles, and resources.
Chapter 8, Task Templates
• The following information should be added to this chapter, in the Configuring the Audit Tab section: (ID-16797)
The Audited Attribute Report can report attribute-level changes to Identity Manager users and accounts. However, standard audit logging does not generate enough audit log data to support a full query expression.
g. Click the Add Attribute button (located in the Audit Attributes section) to select the attributes you want to record for reporting purposes.
h. When the Select an attribute menu displays in the Audit Attributes table, select an attribute from the list. (For example: Select user.global.email from the drop-down menu).
i. Click Save.
j. You must now enable the configuration as follows:
I. Select Server Tasks > Configure Tasks.
II.
You can resolve this limitation by adding the capabilities to another organization. Identity Manager provides two utilities, located in the sample/scripts directory, to assist with this task.
1. Run the following command to list all capabilities (AdminGroups) and their associated organizations (object groups):
beanshell objectGroupUpdate.bsh -type AdminGroup -action list -csv
This command captures the output to a comma-separated value (CSV) file.
2.
Identity Manager Resources Reference
This section contains new information and documentation corrections for the Sun Java™ System Identity Manager Resources Reference:
General
• The Exchange 5.5 resource adapter is not supported. Ignore any references to this adapter.
Active Directory
The following information should be added to the Active Directory resource adapter documentation.
In an environment with multiple trusted domains and Active Directory forests, the authentication can fail using any of these configurations because the Global Catalog does not contain cross-forest information. If a user supplies a wrong password, it could also lead to account lockout in the user’s domain if the number of domains is greater than the lockout threshold.
Gateway Adapters
The Domino Gateway, Active Directory, Novell NetWare and other gateway adapters allow you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long before a request to the gateway times out and is considered hung. You must manually add this attribute to the Resource object as follows:
Remedy
You must place multiple Remedy API libraries in the directory where the Gateway is installed. These libraries can be found on the Remedy server.
Table 3 Remedy API Libraries
Remedy 4.x and 5.x Remedy 6.3 Remedy 7.0 • arapiXX.dll • arapi63.dll • arapi70.dll • arrpcXX.dll • arrpc63.dll • arrpc70.dll • arutlXX.dll • arutl63.dll • arutl70.dll • icudt20.dll • icudt32.dll • icuin20.dll • icuin32.dll • icuuc20.dll • icuuc32.
The SAP GUI uses a different method to perform the rename because it has access to non-public APIs and to the SAP kernel. The following steps provide a high-level description of how the adapter performs the rename operation:
1. Get the user information for the existing user.
2. Save the ALIAS attribute, if one exists.
3. Create the new user.
4. Set the Activity Groups on the new user. (If in CUA mode, get the old user's Activity Groups)
5.
6. When a new Select option displays next to the Assign Login Module option, select the appropriate resource.
7. When the Modify Login Module page displays, edit the displayed fields as needed, and then click Save. The Modify Login Module Group is displayed again.
8. Specify Sun Access Manager Login Module as the first resource in the module group, and then click Save.
7. After copying the files, you must add the Sun Java System Access Manager Realm resource to the Identity Manager resources list. Add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.SunAccessManagerRealmResourceAdapter

The procedure described in the “Policy Agent” section is outdated. Use the following procedure instead.
1. From the Identity Manager Administrator Interface menu bar, select Security.
Note the following documentation changes:
• In the procedure “Step 2: Enable Password Synchronization Features”, a new numbered step should be added between steps 6 and 7 that states you must select an option from the Directory Server version pull-down menu.
• The section titled “Installing the Password Capture Plugin” should be re-titled to “Installing and Configuring the Password Capture Plugin.
Identity Manager Technical Deployment Overview
This section contains new information and documentation corrections for Sun Java™ System Identity Manager Technical Deployment Overview:
• You can use CSS to set column widths in the User list and Resource list tables to a fixed pixel or percentage value. To do so, add the following style classes (commented out by default) to customStyle.css. You can then edit the values to meet the user's requirements.
You can also resize table columns by clicking and dragging the right border of the column header. If you mouse over the right border of the column header, the cursor changes to a horizontal resize arrow. Left-clicking and dragging the cursor resizes the column. (Resizing ends when you release the mouse button.
to maxAge 6M to limit reviews to the last 6 months. The same qualifiers as above apply. Each Periodic Access Review includes a set of UserEntitlement records that were created when the review was run. These records, which accumulate over time, provide valuable historical information about accounts. However, to conserve database space, consider deleting some records.
Code Example 5-4 Customizing Navigation Tabs (Continued)
  border-bottom:none;
}
/* LEVEL 2 TABS */
.TabLvl2Div {
  background-image:url(../images/other/dot.gif);
  background-repeat:repeat-x;
  background-position:left bottom;
  background-color:#9999CC;
  padding:6px 0px 0px 10px
}
a.TabLvl2Lnk:link, a.TabLvl2Lnk:visited{
  display:block;
  padding:3px 6px 2px;
  font: 0.8em sans-serif;
  color:#333;
  text-decoration:none;
  text-align:center;
}
table.TabLvl2Tbl div.
Code Example 5.5 should be as follows:
Code Example 5-5 Changing Tab Panel Tabs
table.Tab2TblNew td {background-image:url(../images/other/dot.gif);background-repeat:repeat-x;background-position:left top;background-color:#CCCCFF;border:solid 1px #8f989f}
table.Tab2TblNew td.Tab2TblSelTd {border-bottom:none;background-image:url(../images/other/dot.
The extends attribute allows for a hierarchy of work item types (workItem Types). When Identity Manager creates a work item, it delegates the work item to the specified users if its workItem type is:
❍ the type delegated
❍ one of the subordinate workItem types of the type being delegated.
2. Using the Identity Manager IDE, load the System Configuration object for editing. Add a new top-level attribute:
Name = customMessageCatalog
Type = string
Value = AltMsgCatalog
3. Open the ui.web Generic Object and look for the browserTitleProdNameOverride attribute. Set this value to true.
4. Save this change to the System Configuration object, and restart your application server.
• The discussion of how to customize the login pages in Chapter 5 “Private Labeling of Identity Manager” should include the following information about message keys. (ID-16702) JSP or Identity Manager Component Login Page TITLE Login Page SUBTITLE Interface Affected Message Key Administrator and User UI_LOGIN_TITLE_TO_RESOURCE Administrator and User Select a key depending on the login mode: Forgot Password, Forgot User ID, Login Challenge.
Identity Manager Workflows, Forms, and Views
This section contains new information and documentation corrections for Sun Java™ System Identity Manager Workflows, Forms, and Views.
• You can turn off policy checking in your user form by adding the following field to the form: (ID-13346)
Chapter 3, Identity Manager Forms
• This chapter now contains the following description of forms used in auditing and compliance procedures. (ID-15447, 16240)
Identity Manager auditing and compliance forms provide a feature unique among Identity Manager forms: You can assign a form on a per-user and per-organization basis. Forms assigned on a per-user basis can boost the efficiency of attestation and remediation processing.
Specifying User Forms
The Audit Policy List and Access Scan List forms support a fullView property that causes the form to display a significant amount of data about the elements in the list. Set this policy to false to improve the performance of the list viewer. The Access Approval List form has a similar property named includeUE, and the Remediation List form uses the includeCV property.
Table 2 Per-User Control Form Name Mapped Name General Purpose Violation Detail Form violationDetailForm Remediation List remediationList Audit Policy List auditPolicyList Show a list of audit policies Audit Policy Delete Confirmation Form auditPolicyDeleteConfirmation Confirm the deletion of an audit policy Conflict Violation Details Form conflictViolationDetailsForm Show the SOD violation matrix Compliance Violation Summary Form complianceVi
Scan Task Variables
The Audit Policy Scan Task and Access Scan Task task definitions both specify the forms to be used when initiating the task. These forms include fields that allow for most, but not all, of the scan task variables to be controlled.
Variable Name | Default Value | Purpose
maxThreads | 5 | Identifies the number of concurrent users to work at one time for a single scanner.
NOTE Although this example illustrates how to insert a Warning ErrorMessage object into a form, you can assign a different severity level.
1. Use the Identity Manager IDE to open the form to which you want to add the warning.
2. Add the to the main EditForm or HtmlPage display class.
3. Add the code block from the following sample code.
4.
To display a severity level other than warning, replace the warning in the preceding example with either of these two values:
❍ error -- Causes Identity Manager to render an InlineAlert with a red "error" icon.
❍ ok -- Results in an InlineAlert with a blue informational icon for messages that can indicate either success or another non-critical message.
Identity Manager renders this as an InlineAlert with a warning icon
3. Select the accounts[Lighthouse].adminRoles field within the AdministratorFields field.
4. Replace the entire accounts[Lighthouse].adminRoles with the following reference:
Process Name | Mapped Name | Description
Access Review | accessReview | Performs an access review
Access Scan | accessReviewScan | Performs an access scan
Access Review Rescan | accessReviewRescan | Performs an access rescan
Audit Policy Rescan | auditPolicyRescan | Performs an audit policy rescan
Abort Access Review | abortAccessReview | Terminates an access review
Delete Access Review | deleteAccessReview | Deletes an access review
Recover Access Review | recoverAccessReview | Re
Identity Manager Deployment Tools • Several files in the Identity Manager project were changed for 7.1 Update 1; and if you modified any of these files, you must manually merge the changes when you upgrade from the Identity Manager IDE plugin version 7.1 to version 7.1 Update 1. The following instructions describe the “best practices” for upgrading Identity Manager IDE Plugin version 7.1 projects to version 7.1 Update 1 (and later). (ID-16850) Upgrading Version 7.1 Projects to Version 7.
NOTE The procedures in this section describe how to upgrade the Identity Manager IDE Plugin version only. They do not explain how to upgrade Identity Manager, which is a much more involved process. For example, if you want to use a project created with the 7.1 version of the Identity Manager IDE plugin with the version 7.1 Update 1 plugin, use the following instructions. Your Identity Manager version will remain at 7.
NOTE For a complete list of the files that should be checked into source control, read the “CVS Best Practices” section provided in the README.txt.
Steps to be Performed by Other Deployment Team Members
After someone upgrades the new Identity Manager IDE 7.1 Update 1 plugin nbm file and merges the necessary project files, the remaining members of the deployment team should perform the following steps:
1. Perform a full source control update of the project.
2.
Using the Profiler to Troubleshoot Performance Problems
Identity Manager provides a Profiler utility to help you troubleshoot performance problems with forms, Java, rules, workflows, and XPRESS in your deployment. Forms, Java, rules, workflows, and XPRESS can all cause performance and scale problems.
❍ Hotspots view provides a flattened list of nodes that shows the aggregate call timings regardless of parent.
❍ Back Traces view provides an inverted call stack showing all the call chains from which that node (known as the root node) was called.
❍ Callees view provides an aggregate call tree of the root node, regardless of its parent chain.
TIP In Call Tree view or Hotspots view, you can double-click any node that corresponds to a Java method, workflow, form, rule, or XPRESS to view the source for that node.
For Forms, Rules, Workflows, and XPRESS Objects
When you take a snapshot with the Profiler, the server evaluates all of the profiling data and discovers on which sources the data depends.
Self Time Statistics
To compute a root node’s Self Time statistic, the Profiler subtracts the times of all children nodes from the root node’s total time. Consequently, an uninstrumented child node’s time is reflected in the root node’s self time. If a root node has a significant self time, you should certainly investigate why. You might not have the proper methods instrumented and so you are looking in the wrong place.
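The Self Time rule above, together with the Hotspots and Back Traces aggregations this section describes, worked through in Python as an added example (not Identity Manager code or Profiler output). The node names and millisecond timings are constructed, and summing self time per node name for the hotspot list is an assumption about what the Profiler aggregates.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Node:
    """One call-tree node: its total (inclusive) time and its instrumented children."""
    name: str
    total_ms: int
    invocations: int = 1
    children: list = field(default_factory=list)

    def self_ms(self):
        # Self time as defined above: total time minus the time of all child nodes.
        # Time spent in a callee that is NOT instrumented has no child node,
        # so it stays inside this node's self time.
        return self.total_ms - sum(c.total_ms for c in self.children)


def walk(node, chain=()):
    """Yield (node, tuple of ancestor names) for every node in the tree."""
    yield node, chain
    for child in node.children:
        yield from walk(child, chain + (node.name,))


def hotspots(root):
    """Flattened list: self time and invocations summed per name, regardless of parent."""
    agg = defaultdict(lambda: [0, 0])  # name -> [self_ms, invocations]
    for node, _ in walk(root):
        agg[node.name][0] += node.self_ms()
        agg[node.name][1] += node.invocations
    rows = [(name, s, n) for name, (s, n) in agg.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))  # slowest first


def back_traces(root, target):
    """Inverted view: time spent in `target` for each call chain that reaches it."""
    out = defaultdict(int)
    for node, chain in walk(root):
        if node.name == target:
            out[" <- ".join(reversed(chain))] += node.total_ms
    return dict(out)


def sample_tree(helper_instrumented):
    """Constructed snapshot: two workflow actions that each call one slow Java method.

    With helper_instrumented=False the method is filtered out of the profile,
    so its 2000 ms shows up as self time of the calling action instead.
    """
    def helper():
        return [Node("Example.slowCall()", 2000)] if helper_instrumented else []

    action1 = Node("action1", 2000, children=helper())
    action2 = Node("action2", 2050, children=helper())
    workflow = Node("workflow", 4050, children=[action1, action2])
    return Node("/idm/task/taskLaunch.jsp", 4100, children=[workflow])


if __name__ == "__main__":
    for instrumented in (True, False):
        tree = sample_tree(instrumented)
        print("helper instrumented:", instrumented)
        for name, self_ms, calls in hotspots(tree):
            print(f"  {self_ms:5d} ms  x{calls}  {name}")
        print("  back traces:", back_traces(tree, "Example.slowCall()"))
```

In the second run the two actions carry 2000 ms and 2050 ms of self time although neither does any work of its own, which is the signal that a callee is missing from the Java filters.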
class A {
    public A() { this(0); }
    public A(int i) { }
}

and:

class B {
    public static void test() { new A(); }
}

The call tree will look like this:
B.test()
-A.(int)
-A.()

Rather than this:
B.test()
-A.()
-A.(int)

Daemon Threads
Do not be misled by the seemingly large amount of time spent in a number of Identity Manager’s daemon threads, such as ReconTask.WorkerThread.run() or TaskThread.WorkerThread.run().
Getting Started
This section describes how to start the profiler and how to work with various features of the Profiler’s graphical user interface. This information is organized as follows:
• Before You Begin
• Starting the Profiler

Before You Begin
Because the Profiler is very memory intensive, you should significantly increase the memory for both your server and the Netbeans Java Virtual Machine (JVM).
• To increase your server’s memory, a.
• Select Window > IDM Profiler from the menu bar. The Identity Manager Profiler window appears in the Explorer. From this window, select an Identity Manager project from Current Project drop-down menu, and then click the Start Identity Manager Profiler icon located in the Controls section.
• Right-click a project in the Projects window, and then select Start Identity Manager Profiler from the pop-up menu.
Specifying the Profiler Options
The Profiler Options dialog consists of the following tabs:
• Mode
• IDM Object Filters
• Java Filters
• Miscellaneous
Use the options on these tabs to indicate which objects to profile and which elements to display in the profile. After specifying the Profiler options, click OK to start the Profiler.
IDM Object Filters
The IDM Object Filters tab provides the following options:
• Show IDM Object details:
❍ Select this box to include every executed form, workflow, and XPRESS element in the snapshot.
Java filters are given in terms of method patterns, and they are expressed in patterns that include or exclude based on canonical method name, where a canonical method name is:
fully-qualified-class-name.method-name(parameter-type-1, parameter-type-2, ...)
NOTE For constructors, method-name is .
Here are a few examples:
• To exclude all constructors, enable the Exclude box and add the following filter: *.
By default, the configuration includes all your custom classes and most Identity Manager classes. A number of Identity Manager classes are forcibly excluded — because enabling them would break the Profiler. For example, classes from the workflow, forms, and XPRESS engines are excluded or the Profiler would produce an unintelligible snapshot when profiling Java and Identity Manager objects.
❍ Disable this option only if you are profiling Identity Manager and have the complete Identity Manager source available. In this situation, you do not want to include the Identity Manager source because it can create extremely large snapshots. (See “How the Profiler Locates and Manages Source” on page 148 for more information.
Current Project Area
The Current Project area consists of a drop-down menu that lists all of your current projects. Use this menu to select the project you want to profile.

Controls Area
The Controls area contains four icons:
Table 4 Controls Area Icons
Icon | Purpose
Start Identity Manager Profiler | Starts the Profiler and opens the Profiler Options dialog.
Stop Identity Manager Profiler | Stops the Profiler.
Saved Snapshots Area
The Saved Snapshots area provides a list of all saved snapshots. In addition, you can use the following buttons to manage these snapshots:
• Open: Click to open saved snapshots in the Snapshot View window.
TIP You can also double-click a snapshot in the Saved Snapshots list to open that snapshot.
• Delete: Select a snapshot in the Saved Snapshots list, and then click this button to delete the selected snapshot.
A snapshot provides several views of your data, which are described in the following sections:
• Call Tree View
• Hotspots View
• Back Traces View
• Callees View

Call Tree View
Call Tree view (Figure 5) consists of a tree table showing the call timing and invocation counts throughout your system.
This tree table contains three columns:
• Call Tree column: Lists all nodes, where the top-level nodes are one of the following:
❍ Thread.run() methods for various background threads in the system. For example, if you enable Java profiling, you will see the ReconTask.WorkerThread.run() method.
❍ Request timings. For example, if you view the idm/login.jsp URL, you will see a top-level entry for idm/login.jsp.
You can access the Back Traces view from any of the other snapshot views by right-clicking a node (known as the root node) and selecting Show Back Traces from the pop-up menu.
NOTE The Time and Invocations data values mean something different in Back Traces view:
• Time: The values in this column represent the time spent in the root node when it is called from a given call chain.
Table 7 Profiler Pop-Up Menu Options (Continued)
Menu Options | Description
Find In Hotspots | Select this option to find a node in the Hotspots view. For detailed information about this view, see “Hotspots View” on page 162.
Saving a Snapshot
The Profiler provides several options for saving a snapshot. See Table 7 for a description of these options:
Table 8 Save Icons
Icon | Purpose
Save the Snapshot in the Project icon (located at the top of the Snapshot View window) | Saves the snapshot in the nbproject/private/idm-profiler directory of your project. Snapshots saved in your project are listed in the Saved Snapshots section of the Profiler view.
3. Complete the following fields on the Name and Location panel, and then click Next:
❍ Project Name: Enter Idm711 as the project name.
❍ Project Location: Use the default location or specify a different location.
❍ Project Folder: Use the default folder or specify a different folder.
4. When the Identity Manager WAR File Location panel displays, enter the location of the Identity Manager 7.1 Update 1 war file.
4. Continue to “Step 4: Setting the Profiler Options.”
Figure 9 Profiler Options Dialog

Step 4: Setting the Profiler Options
NOTE For detailed information about all of the different Profiler options, see “Specifying the Profiler Options” on page 154.
For the purposes of this tutorial, specify the following Profiler options:
1. On the Mode tab, select Java and IDM Objects to profile form, Java, rule, workflow, and XPRESS objects.
2.
5. When the Identity Manager window displays, log in.
NOTE Typically, you should log in to Identity Manager as a different user instead of logging in as configurator again. You are already logged into the Profiler as configurator, and the Identity Manager session pool only allows one entry per user.
c. When the Process Diagram displays, return to the Identity Manager IDE and click Take Snapshot in the Profiling Results section.
Figure 10
8. The Identity Manager IDE downloads your snapshot and displays the results on the right side of the window.
Figure 11 Call Tree Results
This area is the Call Tree view. At the top of the Call Tree, you should see a /idm/task/taskLaunch.jsp with a time listed in the Time column.
11. Expand activity2. Note that action1 took two seconds and action2 took two seconds.
12. Expand action1 and note that the also took two seconds.
13. Double-click the to open ProfilerTutorialWorkflow1.xml and highlight the following line:
You should see that a call to the ProfilerTutorialExample method took two seconds.
21. Click the Save the snapshot in the project icon to save your snapshot and close it. If you check the Saved Snapshots section on the IDM Profiler tab, you should see your snapshot. (You might have to scroll down.)
Figure 12 Saved Snapshots List
22. Select the saved snapshot, and then click Open to re-open it.
7. In the IDM Profiler view, click Take Snapshot. After a few seconds, a snapshot should display in the Call Tree area. You should see that /idm/task/workItemEdit.jsp took six+ seconds. (This result corresponds to the manual action in the workflow.)
8. Expand the /idm/task/workItemEdit.jsp node and note that running all Derivations in the ManualAction form took a total of six seconds.
9. Expand the Derivation, displayNameForm, variables.
Identity Manager IDE Frequently Asked Questions (FAQ)
This FAQ answers some commonly asked questions related to using the Identity Manager Integrated Development Environment (Identity Manager IDE).
Working with Projects
Q: Building and running a project is taking a very long time, and the Identity Manager IDE seems to be copying a lot of files. What could be causing this problem?
A: This problem can occur for the following reasons:
• You are using the Identity Manager IDE 7.0 or 7.1 plugin. Use the Identity Manager IDE 7.1 Update 1 plugin. Several adjustments were made to the Identity Manager IDE 7.
Refer to the “Working with the Repository” section in the Identity Manager IDE README.txt for more information.

Q: When are objects imported automatically?

A: You have to configure Identity Manager IDE to import objects automatically. The steps are as follows:

1. Select Repository > Manage Embedded Repository from the IdM menu.

2. Enable the Automatically Publish Identity Manager Objects option on the Manage Embedded Repository dialog.

NOTE

3.
Using the Identity Manager IDE Debugger

Q: The Identity Manager IDE Debugger is sluggish. What could be causing this problem?

A: To improve the Debugger’s performance:

• Always disable Tomcat's HTTP Monitor, as follows:

a. Select the Identity Manager IDE Runtime Tab.

b. Expand the Servers node and right-click Bundled Tomcat > Properties.

c. Disable the Enable HTTP Monitor option, and then close the dialog.
Q: I set a breakpoint in the Debugger and it is not suspending on the breakpoint. What could be causing this problem?

A: There are two things to check:

• Be sure the object name does not contain a CBE replacement string (%%). CBE replacement strings are not allowed in object names.

• Verify that the code you think is being executed is actually being executed. Try adding a trace and see if anything prints out.
Identity Manager Tuning, Troubleshooting, and Error Messages

This section provides new information and documentation corrections for Sun Java™ System Identity Manager Tuning, Troubleshooting, and Error Messages.

• Information about the size of repository objects (in characters) is now available. You can use this information to detect problematically large objects that might affect your system.
Identity Manager Service Provider Edition Deployment

Show Timings

The Show Timings page provides a list of methods and their aggregate call timer statistics (not broken down by caller) that can help you track bottlenecks to specific methods and invoked APIs.

NOTE Call timing statistics are only collected while trace is enabled.

You can use the options on this page to start timing and tracing, stop timing and tracing, clear the timing statistics, and import or export call timer metrics.
Link Confirmation Rule

A link confirmation rule eliminates any resource accounts from the list of potential accounts that the link correlation rule selects. Given the view of the user and the list of candidate resource accounts, a link confirmation rule selects at most one resource account from the candidate list. The view of the user is visible under the 'view' path, while the list of candidates is available under the 'candidates' path.
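The contract described above (user view in, at most one candidate out) can be modelled as follows. This is an added Python sketch, not Identity Manager code or XPRESS from the product; the function name confirm_link, the attribute names (email, employeeId, identity) and the choice to return nothing when several candidates still match are assumptions made for illustration.

```python
"""Model of a link confirmation rule: narrow correlation candidates to at most one."""


def _norm(value):
    # Compare identifiers case-insensitively and ignore surrounding whitespace.
    return str(value or "").strip().lower()


def confirm_link(context, match_attrs=("email", "employeeId")):
    """Return the single candidate that agrees with the user view, or None.

    context["view"]       -> attributes of the user (the 'view' path)
    context["candidates"] -> accounts chosen by the link correlation rule
    A candidate survives only if every attribute in match_attrs is present
    in the view and equal after normalisation. Zero or several survivors
    both yield None (an assumption of this sketch), so an ambiguous match
    is never linked automatically.
    """
    view = context.get("view", {})
    wanted = {attr: _norm(view.get(attr)) for attr in match_attrs}
    if not all(wanted.values()):
        return None  # the view lacks a confirming attribute
    survivors = [
        cand for cand in context.get("candidates", [])
        if all(_norm(cand.get(attr)) == val for attr, val in wanted.items())
    ]
    return survivors[0] if len(survivors) == 1 else None


# Constructed sample data; attribute names are hypothetical.
SAMPLE = {
    "view": {"accountId": "jdoe", "email": "J.Doe@example.com", "employeeId": "1001"},
    "candidates": [
        {"identity": "uid=jdoe,ou=people", "email": "j.doe@example.com", "employeeId": "1001"},
        {"identity": "uid=jdoe2,ou=people", "email": "j.doe@example.com", "employeeId": "2002"},
        {"identity": "uid=john,ou=people", "email": "john@example.com", "employeeId": "1001"},
    ],
}

if __name__ == "__main__":
    print(confirm_link(SAMPLE))
```

Confirming on a single weak attribute (for example only email) leaves two candidates in the sample data, and the sketch then links neither account.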
Localization Scope

Historically, Identity Manager does not localize resource objects and functions, primarily because they are mostly samples that get loaded (through init.xml) during initialization of Identity Manager, and because the attributes of object types can vary between actual customer deployments, depending on the level of customizations.
Using helpTool

With the Identity Manager 6.0 release, a new feature has been added that allows you to search the online help and documentation files, which are in HTML format. The search engine is based on the SunLabs “Nova” search engine technology.

There are two stages to using the Nova engine: indexing and retrieval. During the indexing stage, the input documents are analyzed and an index is created which is used during the retrieval stage.
3. Change your current working directory to the help/ directory.

NOTE It is important to run helpTool from this directory or the index will not build correctly.

4. Gather the following information for your command line arguments:

❍ Destination directory — html/help/en_US

NOTE Use the locale string appropriate for your installation.

❍ Input file — ../WEB-INF/lib/idm.jar

❍ Nova index directory — index/help

❍ Output file name — index_files_help.txt

NOTE

❍

5.
Rebuilding/Re-Creating the Documentation Index

Use the following procedure to rebuild or re-create the documentation index:

1. Unpack the helpTool distribution to a temporary directory. (Details TBD) In this example, we will extract the files to /tmp/helpTool.

2. In a UNIX shell or Windows command window, change directory to the location where the Identity Manager application was deployed to your web container.
5. Run the following command:

$ java -jar /tmp/helpTool/helpTool.jar -d html/docs -i ../doc/HTML/en_US -n index/docs -o help_files_docs.txt -p index/index.properties
Copied 84 files.
Copied 105 files.
Copied 1 files.
Copied 15 files.
Copied 1 files.
Copied 58 files.
Copied 134 files.
Copied 156 files.
Copied 116 files.
Copied 136 files.
Copied 21 files.
Copied 37 files.
Copied 1 files.
Copied 13 files.
Copied 2 files.
Copied 19 files.
Copied 20 files.
Copied 52 files.
Copied 3 files.