Identity Manager 14.3 CP1 - Fixed Defects

Tabulated below are the defects that are fixed in Identity Manager 14.3 CP1.
CA Identity Manager Server

| Support Ticket | Engineering Ticket | Problem Summary | Root Cause and Additional Instructions | Risk |
|---|---|---|---|---|
| 1300960 | DE406839 | Nested Group scoping does not work for roles and policy sets. | Implementation issue. | HIGH |
| 1315103 | DE410555 | The "Audit Reset Password" report shows wrong data. | The query used to extract the audit records caused the issue. | HIGH |
| 1342662 | DE413829 | Post upgrade of Identity Manager, the application server fails to start. | The Audit Database Cleanup schema for Microsoft SQL and Oracle is not updated with the latest schema changes. | HIGH |
| 1300960 | DE412655 | The Membership tab under the Group screen contains blank entries. | Implementation bug due to which the group information is also displayed in the Membership tab. | HIGH |
| 2001346, 20012947 | DE422300 | SOAP queries from Policy Xpress Action elements fail with a NullPointerException after upgrading Identity Manager. | SOAP HTTP Header caused the issue. | HIGH |
| 20021961 | DE424201 | Inbound notification filtering issue. | Missing inbound notification filter caused the issue. | HIGH |
| 1304437 | DE415777 | Sensitive user data is exposed in the View Submitted Task (VST). | The metadata attribute "vst_hide", which controls the visibility of a property, is disabled. | HIGH |
| 20032048 | DE426426 | Database session is blocked. | The taskNumber sequence is not cached. | HIGH |
| 20022743 | DE423881 | Linking errors in the custom Java code. | Identity Manager sources too many libraries; now it is limited to specific libraries. | HIGH |
| 1259283 | DE430745 | Suboptimal query filter caused CPU starvation. | Regression of DE294526. | HIGH |
| 1371067 | DE419908 | Identity Manager does not function properly as the majority of the tasks are stuck in the In-progress status until the Identity Manager server restarts. | Implementation bug. | HIGH |
| 1192626 | DE401856 | Create or modify user task failed while evaluating the configured policies. | Issue with the Status attribute setting. | HIGH |
| 1312267 | DE411784 | A few Policy Xpress policies fail with a null pointer exception. | A null pointer exception is triggered because a few attribute values are not saved in a task session. | MEDIUM |
| 1294359 | DE413038 | Actions related to "SynchronizeUserProvisioningRolesAddAccountsEvent" are failing. | Regression issue due to the removal of the "SynchronizeUserProvisioningRolesAddAccountsEvent" event. | MEDIUM |
| 1309929 | DE408149 | On submission of the Modify User task, the Policy Xpress Policy of Type=UI does not perform Outbound Sync to the Provisioning Server. | When the password attribute is changed, the "Modify User" task sends Account Sync twice and behaves inappropriately. | MEDIUM |
| 1372243, 20017692 | DE422629 | The following error occurs while viewing the Logical Attribute Handler definitions in the Management Console: "Can't find resource for bundle java.util.PropertyResourceBundle, key logicalattr.com.netegrity.ims.adapters.ConfirmPasswordHandler.sensitiveattributes". | The exception occurred because a few classes are not defined for Resource Bundles. | MEDIUM |
| 1371557 | DE421561 | Policy Xpress SOAP Query results in an error: "Execute SOAP Query: Generated By Policy Xpress: Failed to execute ExecuteSoapWebserviceEvent. ERROR MESSAGE: NullPointerException:null" | DE400864 caused a regression issue. | MEDIUM |
| 1336542 | DE417024 | Search for SAP Accounts in the Provisioning Manager retrieves all the SAP roles (including Compound roles) but the search fails from the Identity Manager User Console interface. | Implementation bug. | MEDIUM |
| 20034492 | DE427034 | Identity Manager Management Console is vulnerable to user enumeration. | - | MEDIUM |
| 1317563 | DE409290 | Identity Manager performance degrades with group management. | Group evaluation for administrative groups (groups administering other groups) is not optimally returning Boolean evaluation (true or false), and is not leveraging the GROUP_ADMIN_GROUP property. | MEDIUM |
| 20041089 | DE427444 | The LDAP error 53 sent as a response in the TEWS call made to Identity Manager contains an invalid character that invalidates the XML and blocks the service that made the SOAP call. | The TEWS response XML cannot be parsed because it contains a {nul} character. | MEDIUM |
| 20052127 | DE429142 | Policy Xpress Policy SOAP Query failed with the following error: "Failed running web service" which was caused by "Could not send Message.;HTTP response '403: Forbidden' when communicating with http://hostname/iam/im/TEWS6/env?wsdl". | Basic authentication included extra checks which resulted in the error. | MEDIUM |
| 20019079 | DE423354 | Cross Site Scripting (XSS) attack on the bulk load tasks in Identity Manager. | Missing input validation and data encoding before displaying the data on the screen caused the XSS attack. | MEDIUM |
| 1318280 | DE409313 | Identity Manager does not render HTML tags properly. | An XSS issue caused the problem. Unescaping the HTML encoding solves the issue. | MEDIUM |
| 20066284 | DE432004 | On navigating directly to some of the JSP files, the detailed technical information is exposed to the end user. | Exception is not handled properly. | MEDIUM |
| 20024621 | DE424535 | Accept-Language value is ignored when using xx-XX syntax (for example: fr-FR for French). In the Identity Manager User Console login page, French is not shown in the language drop-down. | Regression of DE349415. | MEDIUM |
| 20071627 | DE434550 | Table Fragmentation in Oracle Database. | Error while processing an update event with BLOB data type. | MEDIUM |
| 1322762 | DE409655 | In the Role Definitions XML file, a few well-known strings are misspelled. | Misspelled well-known strings need to be corrected. | LOW |
| 1207758 | DE400864 | TEWS requests submitted via Policy Xpress policy actions are failing when Identity Manager is integrated with Single Sign-On. | Identity Manager is unable to parse the Set-Cookie value from the response header. | LOW |
| 1332650 | DE411802 | Provisioning Server / Connector Server hangs and slows down the application server resulting in continuous server restart. | Enhancement to allow Runtime Status Detail Service to skip JMS and talk to database directly. | LOW |
| 1296416 | DE415976 | Long response time when searching for an Account Template. | Enhancement to speed up the search time for the account templates. | LOW |
| 1278810 | DE408197 | A user who is disabled after the configured number of failed login attempts is able to access Identity Manager after providing correct login credentials in the next attempt. | GET request is not handled properly in frameworkloginfilter. | LOW |
| 1296852 | DE420500 | A few system tasks caused Identity Manager performance degradation. | Enhancement to improve the performance of Identity Manager. | LOW |
| 20045033 | DE428239 | REST services called via a policy do not accept the Date Time Stamp in the header. | Header value is not retrieved in a proper order. | LOW |
| 1304437 | DE408963 | When updating an Active Directory Account template for Logical attributes, passwords are recorded in plain text in View Submitted Task (VST). | There is no provision for Logical attributes to carry a Data Classification flag which indicates whether the data type is sensitive or not. Additional Instructions: Perform the following steps after applying Identity Manager 14.3 CP1 patch: 1. In the Identity Manager Management Console, navigate to Environments, <YourEnvironment>, Advanced Settings. 2. Click Import and select the EnvironmentSettings.xml file. 3. Click Finish. Ignore warnings, if any. 4. Click Continue and then click Restart Environment. 5. To confirm that the fix is applied successfully, check if the new handler with name HideScreenLogicalAttributes is present at Home, Environments, <YourEnvironment>, Advanced Settings, Logical Attribute Handlers. | LOW |
| 20020798 | DE428104 | Post upgrade of Identity Manager, the Explore and Correlate functionality does not work. | Account container is not defined for the Explore and Correlate definition. | LOW |
| 20063058 | DE434635 | When searching for <Attribute Field>= *, the fields with empty values are part of the search results. | Implementation issue. | LOW |
| 1291433 | DE404940 | Unable to trigger workflow on the Modify Active Directory Group task events. | Implementation bug. | LOW |
| 1317569 | DE409365 | In a Bulk Task operation, the "Dates Filter" field does not function correctly. | The Date attribute value comparison is done as a string. | LOW |

Provisioning Server

| Support Ticket | Engineering Ticket | Problem Summary | Root Cause and Additional Instructions | Risk |
|---|---|---|---|---|
| 1291085 | DE404413 | The Active Directory connector logs messages without adhering to the endpoint logging configuration. | Improper implementation of Endpoint logging configuration. | HIGH |
| 1351534 | DE419346 | Enable support for ACF2 Passphrase. | The attribute eTACFPasswordPhrase is marked with isHidden true. Hence the attribute is hidden in the Account Attribute field of the Attribute Mapping tab. | HIGH |
| 1362475 | DE417705 | Provisioning Server ran out of available threads. | Insufficient memory for the Provisioning Server (IMPS) service to run smoothly. | HIGH |
| 1327076 | DE410537 | Suppression hotfix is not available in the Identity Manager patch. | - | HIGH |
| 1347296 | DE415665 | The im_ps service on the Provisioning Server crashed unexpectedly. | An attempt to access invalid memory caused the issue. | MEDIUM |
| 716430 | DE286441 | Active Directory connector performance is degrading. | The fix provided for DE224320 has degraded the performance of an Active Directory connector. As a fix to DE224320, timeouts between Lync Operations at Connector were introduced. | MEDIUM |
| 20009154 | DE421424 | Provisioning Server crashes. | Provisioning Server tries to use an invalid connection and crashes. | MEDIUM |
| 1347256 | DE415589 | CA TopSecret V2 connector is unable to update account profiles. | Incorrect account profiles synchronization logic. | MEDIUM |
| 1363897 | DE418312 | Oracle Application responsibilities are not end dated. | On deleting the last Account Template for an account, the respective Oracle Application responsibilities are not end dated. Additional Instructions: To end date all existing Oracle responsibilities on account deletion, set the environment variable ENDDATE_RESP_ON_DELETEACCOUNT to 1 in the C++ Connector Server. Next, start the server. | LOW |
| 1214849 | DE402848 | Connection error while creating a Home Drive on a File/Print server for a new user. | Retrial of API "WNetAddConnection2" fixed the customer issue. | LOW |
| 1342920 | DE421604 | In a situation where C++ Connector Server crashes more often, the following error might occur: When an endpoint is explored and the Provisioning Server cannot access the endpoint, it generates a Child Delete action. | Since C++ Connector Server is crashing more often, it confuses Provisioning Server to believe that an endpoint does not exist. | LOW |
| 20024234 | DE424462 | Account creation fails when Unicode characters are present in the custom attributes. | Incorrect handling of Unicode characters in the codebase. | LOW |
| 20050348 | DE428962 | Unable to delete Inclusion (relationship) between User and Account by using etautil. | etautil ran into a deadlock state on deleting an inclusion (relationship). | LOW |

Java Connector Server (JCS)

| Support Ticket | Engineering Ticket | Problem Summary | Root Cause and Additional Instructions | Risk |
|---|---|---|---|---|
| 1302374 | DE406342 | Exception is thrown when a parameter is declared as "IN OUT" in a stored procedure for any JDBC dynamic connector. | JDBC connector does not support "IN OUT" for a parameter. | HIGH |
| 1279957 | DE404268 | Identity Manager does not honour Unix v2 connector password algorithms. | Unix v2 connector code uses fixed algorithm to encrypt account passwords. | HIGH |
| 20016139 | DE422987 | AIX account password appears as plain text in the Korn Shell history. | Regression of DE404268. | HIGH |
| 20063307 | DE432748 | OS400 connector ignores password policy rules defined on the endpoint. | Regression of CQ (133504). | HIGH |
| 1321843 | DE409536 | Connector Server does not update Oracle account password even though it says success. | The correct authentication type is not passed in the method argument. | MEDIUM |
| 1230790 | DE396742 | LDAP DYN connector fails to delete endpoint accounts with the following error: "javax.naming.NamingException DELETE operation skipped java.lang.ArrayIndexOutOfBoundsException: 1" | LDAP DYN connector fails to synchronize accounts with ArrayIndexOutOfBounds exception. | MEDIUM |
| 1299628 | DE407210 | An account is created on the UNIX v2 endpoint with no password but shows account creation as failed in Identity Manager. | Account creation on UNIX V2 endpoint fails if the parent directory of the specified home directory does not exist. | MEDIUM |
| 1351913 | DE416392 | When HP-UX account is locked due to many failed login attempts, the account status still remains 'Active'. | The account status is not shown correctly after maximum tries. | LOW |

CA Identity Manager Connector Xpress

| Support Ticket | Engineering Ticket | Problem Summary | Root Cause and Additional Instructions | Risk |
|---|---|---|---|---|
| 1340417 | DE413353 | The fix provided as part of DE404442 did not completely fix the issue. | As part of DE404442, the limit of eTDYN-str-multi-xx was increased from 500 to 800. The same limit has to be applied for Connector Xpress. | HIGH |
| 20073615 | DE434302 | Test connection between Connector Xpress and SCIM 1.1 endpoint fails with a null pointer exception. | Connector Xpress accepts canonicalValues ONLY in the format "canonicalValues": [{"value":"mr"},{"value":"ms"}] but not "canonicalValues": [ "mr","ms"] | MEDIUM |