Showing posts with label Sun Identity Manager Issues.

Thursday, July 27, 2006

Password Sync/History and other issues in IDM 6.0

1. CONFIGURATOR CAPABILITIES: Creating a new user with Configurator capabilities is possible, but the Bulk Account Administrator capability, along with several others, vanishes once the password has been reset, the expiry date has been removed from the user object and the user has logged in. Until the user logs in, the account stays in the expired state, which can cause problems during a major migration.
 
2. PASSWORD SYNC THRESHOLD: The new JMS-based password sync process has trouble syncing the password immediately. The "passwordsyncthreshold" variable is the important setting here: the default is 30 seconds, but 10 seconds is advised for the time being.
 
3. PASSWORD HISTORY ISSUES: Listed below are the major issues with password sync and password history between IDM and AD:
 
(a). Password history in IDM is not case-sensitive by default, i.e., all passwords in the history are stored in uppercase, whereas password history in AD is case-sensitive. This causes the two password histories to go out of sync. Hotfix provided by Sun.
 
(b). Resetting a password in IDM does not put the new password into the history, unlike a password change, whereas in AD any change or reset is recorded in the history. This again causes the histories to go out of sync. Still looking for a solution.
 
(c). A password change in AD triggers a recursive password change between IDM and AD: the message is placed on the JMS queue twice, and only then does it stop. This happens even if the AD resource is listed in passwordsyncexcluderesourcelist and passwordsyncthreshold is set to more than 10 seconds. It may be caused by the two workflows that come into play when a password changes, the ChangeUserPassword workflow and the SynchronizeUserPassword workflow.
 
4. AUDIX AND MAINFRAME ISSUES: The Audix and Mainframe adapters are not fully functional in the new IDM 6.0 release. Hotfix provided by Sun.
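To make issues 3(a) and 3(b) concrete, here is a small model of the two history policies, added here as an example (it is not Sun IdM or AD code). It reproduces the two behaviours reported above: the IDM default folds passwords to uppercase and does not record resets, while AD keeps exact case and records both changes and resets. History entries are salted PBKDF2 digests rather than cleartext, as any real history store should be; the iteration count is kept low only so the demo runs quickly (an assumption, not a production setting). The event sequence and candidate passwords are constructed for the demo.

```python
"""Model of the IDM-vs-AD password-history mismatch (added example)."""
import hashlib
import hmac
import os


def _digest(password, salt):
    # Low iteration count for demo speed only (assumption, not a production value).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 1000)


class PasswordHistory:
    """Fixed-depth password history with the two behaviours the post describes."""

    def __init__(self, depth=5, fold_case=False, record_resets=True):
        self.depth = depth
        self.fold_case = fold_case          # True mimics IDM's default (uppercases)
        self.record_resets = record_resets  # False mimics IDM (resets not recorded)
        self._entries = []                  # (salt, digest) pairs, oldest first

    def _normalise(self, password):
        return password.upper() if self.fold_case else password

    def record(self, password, event):
        """event is 'change' (user-initiated) or 'reset' (administrative)."""
        if event not in ("change", "reset"):
            raise ValueError(f"unknown event {event!r}")
        if event == "reset" and not self.record_resets:
            return
        salt = os.urandom(16)
        self._entries.append((salt, _digest(self._normalise(password), salt)))
        del self._entries[:-self.depth]     # keep only the newest `depth` entries

    def contains(self, candidate):
        """True if the candidate would be rejected as a reused password."""
        c = self._normalise(candidate)
        return any(hmac.compare_digest(_digest(c, salt), d) for salt, d in self._entries)


# The three policies discussed above.
IDM_DEFAULT = dict(fold_case=True, record_resets=False)
IDM_WITH_HOTFIX = dict(fold_case=False, record_resets=False)  # (a) fixed, (b) still open
AD = dict(fold_case=False, record_resets=True)


def replay(events, depth=5, **policy):
    history = PasswordHistory(depth, **policy)
    for event, password in events:
        history.record(password, event)
    return history


def disagreements(events, candidates, depth=5, policy_a=IDM_DEFAULT, policy_b=AD):
    """Candidates on which the two histories give different reuse verdicts."""
    a = replay(events, depth, **policy_a)
    b = replay(events, depth, **policy_b)
    return [pw for pw in candidates if a.contains(pw) != b.contains(pw)]


# Constructed sequence: one user-initiated change, then an administrative reset.
SAMPLE_EVENTS = [("change", "Winter2006!"), ("reset", "Tmp-Reset-1")]
SAMPLE_CANDIDATES = ["Winter2006!", "winter2006!", "Tmp-Reset-1", "Spring2006!"]

if __name__ == "__main__":
    print(disagreements(SAMPLE_EVENTS, SAMPLE_CANDIDATES))
    print(disagreements(SAMPLE_EVENTS, SAMPLE_CANDIDATES, policy_a=IDM_WITH_HOTFIX))
```

With the sample events, the default IDM history and the AD history disagree on two candidates: "winter2006!" is rejected by IDM (it folds to the stored value) but accepted by AD, and "Tmp-Reset-1" is accepted by IDM (the reset was never recorded) but rejected by AD, which is exactly the situation in which a password IDM accepts fails to sync to AD. Applying the case-sensitivity hotfix removes the first disagreement but not the second.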

Thursday, June 29, 2006

Limitation to the number of Roles in Sun IdM

When roles are added to a particular user one after another, at some point even changing the password or the authentication answers and saving the account through the Sun IdM administrator interface will fail. This is because the maximum allowed length of the text in the user object is 256 characters. This limit is removed (set to unlimited) in IdM Version 6 SP1.

Wednesday, May 24, 2006

Remote login to Sun/Unix boxes from Windows/Unix systems and other general commands

Listed below are a few generic things one needs to keep in mind:

1. Use Exceed to rlogin to a remote UNIX/Sun box. With this set-up you can open the BPE on your local Windows system by logging into the remote Sun box.

2. Use the command ./lh setRepo -c to check which database the IdM repository points to.

3. If you want to open the BPE on your local Sun box, you need to set the environment so that it can display the GUI. Use setenv DISPLAY ipaddress:0.0 (csh syntax; export DISPLAY=ipaddress:0.0 in sh/bash) or refer to http://scv.bu.edu/Graphics/xstuff.html.

Monday, May 15, 2006

Auditing Authentication Answers modification in Sun IdM

Whenever a user's answers to the authentication questions are modified in Lighthouse/Sun IdM, the event is not audited.

Thursday, April 20, 2006

Server not booting after a restart

Sometimes the application server where the IdM application is deployed does not come back up as expected after a maintenance restart. This can be due to a hung Source Adapter Task. To overcome the problem, delete the "Source Adapter Task" TaskInstance if it shows up on the list.
 
Run the following commands from the lh console:
 
listO TaskInstance
(if Source Adapter Task shows up on the list, then delete it)
delete TaskInstance "Source Adapter Task"
delete TaskSchedule SourceAdapterTask
 
Now, restarting the server should work smoothly.

Friday, March 03, 2006

Encryption change in Sun IdM Version 6.0

The encryption format has changed in Sun Identity Manager 6.0. Encrypted passwords/messages from the older version can still be decrypted in the new version, but everything newly encrypted appears in a different format.
Ex: A password that was encrypted in the older version as JAjgwZAUisg= is encrypted in the new version 6.0 as B0730A11D031F50F:1EF3212:10945F4D81C:-7FFE|BOTAoKL58Zp=
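During an upgrade it is useful to know which stored values still carry the old encoding. The following parser is an added example, not Sun IdM code; it only uses the two values quoted above. It assumes (the post does not say so) that the text before "|" in the 6.0 format identifies the key the value was encrypted with, and that the text after it is base64 ciphertext just like the legacy value. The sample attribute map is constructed for the demo and does not reflect the real repository schema.

```python
"""Parse legacy and 6.0-style Sun IdM ciphertext strings (added example)."""
import base64
import binascii
from typing import NamedTuple, Optional


class EncryptedValue(NamedTuple):
    fmt: str                 # "legacy" (bare base64) or "v6" (<key id>|<base64>)
    key_id: Optional[str]    # assumed to be a key identifier; None for legacy values
    ciphertext: bytes


def parse(value):
    """Split a stored value into format, key id and raw ciphertext bytes."""
    value = value.strip()
    if value.count("|") > 1:
        raise ValueError(f"unexpected separator count in {value!r}")
    key_id, sep, b64 = value.rpartition("|")   # no '|' -> key_id == '' and b64 == value
    if sep and not key_id:
        raise ValueError(f"empty key id in {value!r}")
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 in {value!r}: {exc}") from exc
    if not raw:
        raise ValueError(f"empty ciphertext in {value!r}")
    return EncryptedValue("v6" if sep else "legacy", key_id if sep else None, raw)


def audit(values):
    """Given {attribute name: stored value}, report values still in the legacy
    encoding (no key id), the key ids in use, and values that parse as neither,
    so an upgrade can find objects that still need re-encryption."""
    legacy, key_ids, invalid = [], {}, []
    for name, value in values.items():
        try:
            ev = parse(value)
        except ValueError:
            invalid.append(name)
            continue
        if ev.fmt == "legacy":
            legacy.append(name)
        else:
            key_ids.setdefault(ev.key_id, []).append(name)
    return {"legacy": sorted(legacy), "key_ids": key_ids, "invalid": sorted(invalid)}


# Constructed sample: the two values quoted in the post plus one corrupt entry.
SAMPLE = {
    "alice.password": "JAjgwZAUisg=",
    "bob.password": "B0730A11D031F50F:1EF3212:10945F4D81C:-7FFE|BOTAoKL58Zp=",
    "carol.password": "not base64!",
}

if __name__ == "__main__":
    for name, value in SAMPLE.items():
        try:
            print(name, parse(value))
        except ValueError as exc:
            print(name, "INVALID:", exc)
    print(audit(SAMPLE))
```

Both quoted values decode to 8 bytes of ciphertext; only the prefix differs, so the key id is the thing to look for when checking whether an object has been re-encrypted under the new scheme.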

Friday, January 27, 2006

Enabling a Locked User on the Native Resource

The problem here was to enable (or unlock) an account on an Oracle resource through a form. Setting 'view.accounts[$(Resource)].enable' to 'true' wouldn't work, and the Sun IdM documentation (IDM_Technical_Deployment) says that the "supportsAccountDisable" method in the custom adapter should override the corresponding method in "ResourceAdapterBase.class" so that it returns true, for the ACCOUNT_ENABLE function to work properly. Later, found that this was already done in the custom adapter. In the end, setting
'view.accounts[$(Resource)].disable' to 'false' worked. The button incorporated into the form is given below:
 
<Field name='view.accounts[$(Resource)].disable'>
  <Display class='Button' action='true'>
    <Property name='noNewRow' value='false'/>
    <Property name='label' value='Enable KCS User'/>
    <Property name='value' value='false'/>
  </Display>
</Field>

Tuesday, January 10, 2006

Changing Page Title and Subtitle in Sun Identity Manager

To modify the default page title and subtitle, or to customize the end-user pages completely, refer to the "Private Labeling of Identity Manager" section of the IDM_Technical_Deployment manual. In brief, you can change the default messages by editing the "WPMessages_en.properties" file: extract it from WEB-INF/lib/idmcommon.jar into the config directory, edit the required message and restart the application server.

Modifying authentication questions in a policy

Changes to the authentication questions in a LH Policy had to be made, and modifying the .xml and re-importing the new XML file did not reflect the changes in the user interface immediately. If the changes are made directly in the debug page, however, they show up immediately in the end-user interface. Avoid making the changes from the admin interface (i.e., from Configure->Policies->), because the "id" assigned to the question will change and will not propagate to all the user objects linked to it.

Wednesday, December 28, 2005

ERROR:null in the Task Tab

When "ERROR:null" is displayed after clicking the All Tasks tab, one or more task instances are stuck in the executing state. You can still search for tasks by going to the Find Tasks tab, checking only the "is Finished/Executing/Ready" option and clicking Search. Delete the executing or hung tasks through the debug page->Task Instances; there may be more than one such task instance. A small Java program can also clean up such instances. This occurred when XML parse exceptions were encountered.

Wednesday, December 21, 2005

Active-Sync Fine Tuning

Active Sync (real-time) running against LDAP slows down the server and sometimes crashes it. The Active Sync process was fine-tuned to process only those changes that are necessary for Lighthouse user identity management rather than processing all the data for every record in LDAP. In this case LDAP gets its feed from PeopleSoft HR. The proposed work-around was to host the Lighthouse Active Sync process and the user interface on different servers pointing to the same LH repository. This can be done by changing "sources.hosts=localhost" under "UI Options" in the waveset.properties file to "sources.ldap.host = {ip address of the hosting location}".

Tuesday, December 13, 2005

Some minor issues encountered in Sun IdM

(1) Switching on the personal firewall in the local setup breaks the link between Identity Manager and the local database (MySQL) and throws an exception on the login page. To get it working again, switch off the personal firewall (or, better, add a rule allowing the local MySQL port, 3306 by default, rather than disabling the firewall entirely).
(2) Trying to stop the Active Sync process (which may be running for a large number of users) may fail. To stop it, set the Active Sync start-up mode to manual and restart the server.

Tuesday, November 15, 2005

Rewriting import declarations when migrating from Lighthouse to Sun IdM

One problem that occurred while setting up a build process for an IdM project (which previously existed in Lighthouse Version 4.1 SP2) on Sun IdM (Version 5.0 SP5) was that the compiler continuously complained about the "EncryptedData" class, which was used extensively in the project. The reason is that the EncryptedData class, which lived in lighthouse.jar, has moved to the "com.waveset.util" package in the idmcommon.jar shipped with Identity Manager. So, when migrating from the older Lighthouse to Sun IdM, one needs to rewrite all the import declarations in the resource adapters to reflect this change.