Identity Manager 14.3 CP2 - Fixed Defects

Tabulated below are the defects that are fixed in Identity Manager 14.3 CP2.
Identity Manager Server

Support Ticket 20271699 | Engineering Ticket DE447024 | Component: Security
Problem Summary: After logging out of Identity Manager and clicking Back in the browser, the user can still view the most recently visited page. Clicking anywhere on that page redirects the user to the login page.
Root Cause: An issue with JSP caching.
Behavioural Change: By default, browser Back button navigation continues to work as before. To disable Back button navigation, in the Identity Manager Management Console navigate to Home › Environments › identityEnv › Advanced Settings › Miscellaneous and set the "DisableBackButtonNavigation" property to "true".

Support Ticket 20091566 | Engineering Ticket DE439794 | Component: Security
Problem Summary: Security issues in the Identity Manager application.
Root Cause: -
Behavioural Change: -

Support Ticket 20098781 | Engineering Ticket DE439219 | Component: Security
Problem Summary: On the Forgot Password page of Identity Manager, the OTP option is not displayed if custom questions are configured.
Root Cause: The Question Display attribute overrides the Delivery Option attribute.
Behavioural Change: -

Support Ticket 31893495 | Engineering Ticket DE460926 | Component: Security
Problem Summary: Cross-Site Scripting (XSS) through the Date Picker attribute of the application.
Root Cause: The application skips validation of the Date Picker attribute.
Behavioural Change: The Date Picker attribute now undergoes the same validation as other fields.

Support Ticket 20061775 | Engineering Ticket DE434342 | Component: Database
Problem Summary: After upgrading Identity Manager from 14.0 to 14.2, the customer observed database-related errors during the schema upgrade.
Root Cause: An Object SQL query was placed in the Task Persistence database SQL script file.
Behavioural Change: -

Support Ticket 20303862 | Engineering Ticket DE449476 | Component: Database
Problem Summary: The Offline Endpoints Task Persistence upgrade does not create all the required tables.
Root Cause: The upgrade installer does not populate the database schema properly.
Behavioural Change: -

Support Ticket 20309517 | Engineering Ticket DE448380 | Component: Database
Problem Summary: The Oracle database treats the UserID attribute as case insensitive.
Root Cause: The Oracle database does not support case-sensitive attributes.
Behavioural Change: Case-sensitive attribute support on Oracle is offered without provisioning. For example, the usernames "Paul" and "paul" can be treated as separate entities. In the User Directory schema, a new attribute named casesensitive is added for the Oracle database.

Support Ticket 31718153 | Engineering Ticket DE453303 | Component: Database
Problem Summary: Deleting a task from a recurring task results in multiple task deletions. For example, deleting one task from a recurring task deletes two tasks.
Root Cause: The taskResults variable, which holds the list of tasks retrieved during the task search, is not reset.
Behavioural Change: -

Support Ticket 31816709 | Engineering Ticket DE453842 | Component: Database
Problem Summary: After upgrading Identity Manager from 12.6 to 14.2, the View User task accumulates a large number of rows in the task tables, filling up the database.
Root Cause: View entries are added to the task tables.
Behavioural Change: The fix disables persistence of any task launched through the UI or TEWS with action type View, which reduces Task Persistence traffic.

Support Ticket 20095233 | Engineering Ticket DE438129 | Component: Performance
Problem Summary: A single endpoint search searches all endpoints of the same type, causing a performance issue.
Root Cause: An unoptimized search caused the performance issue.
Behavioural Change: Improved performance when searching for accounts with the "Endpoint Name equal to" filter.

Support Ticket 20008742 | Engineering Ticket DE421771 | Component: Performance
Problem Summary: Users experienced significant performance issues while logging in and loading the access tree in Identity Portal.
Root Cause: The providers for the Identity Manager directory and environment were initialized on every request instead of being cached.
Behavioural Change: -

Support Ticket 20101864 | Engineering Ticket DE438846 | Component: Policy Xpress
Problem Summary: The Division operation in Policy Xpress throws an exception: "Non-terminating decimal expansion; no exact representable decimal result".
Root Cause: The decimal results are not rounded.
Behavioural Change: In Policy Xpress policies that include division operations, decimal results are now rounded to two decimal places. With this change, customers must adapt existing policies that rely on more than two decimal places.
Example:
Before fix: 1.21456
After fix: 1.21

Support Ticket 20117938 | Engineering Ticket DE446368 | Component: Policy Xpress
Problem Summary: A Policy Xpress policy does not properly update the provisioning user attributes if the Identity Manager screen field is set to read-only.
Root Cause: When a user is modified in the Identity Manager User Console, the modified user object is not used to perform provisioning activities.
Behavioural Change: -

Support Tickets 1011409, 1063686 | Engineering Tickets DE358814, DE359112 | Component: Policy Xpress
Problem Summary: When a SOAP call is issued via Policy Xpress, the SOAP call, including the plain-text password, is written to the log even when the log level is set to WARN or INFO.
Root Cause: Identity Manager supports plain-text passwords when using WSS security, so when the SOAP request is logged on the server the password is available to anyone who inspects the logs.
Behavioural Change: The WSSE Password element in the WSS header is now replaced with **** to mask the password. The fix also improves logging: the WARN messages for message elements are changed to DEBUG so that fewer messages are logged by default.

Support Ticket 20249702 | Engineering Ticket DE444816 | Component: Policy Xpress
Problem Summary: Policy Xpress task completion data elements retrieve the originally submitted value rather than the updated value set during a workflow approval.
Root Cause: Policy Xpress is unable to read and save the updated value of an attribute on the Approval Profile page.
Behavioural Change: -

Support Ticket 31791868 | Engineering Ticket DE451205 | Component: Management Console
Problem Summary: Importing an Identity Manager Environment Role XML does not preserve leading and trailing whitespace in Policy Xpress attribute values.
Root Cause: The Policy Xpress attribute values are trimmed.
Behavioural Change: -

Support Ticket 20157353 | Engineering Ticket DE450411 | Component: Environment Import and Export
Problem Summary: When comparing two environments using Config Xpress, the Policy Xpress data items are exported in a different order.
Root Cause: When the role definition is exported, the Policy Xpress data elements are not sorted.
Behavioural Change: Policy Xpress data elements are in sorted order when a role definition is exported.

Support Tickets 20256589, 20300403 | Engineering Tickets DE446787, DE447637 | Component: Workflow
Problem Summary: Approval notification emails are delayed by the workflow.
Root Cause: The condition check for the Modify User event fails.
Behavioural Change: -

Support Ticket 1291433 | Engineering Ticket DE404940 | Component: Workflow
Problem Summary: Unable to trigger a workflow on the Modify Active Directory Group task events.
Root Cause:
  • The framework descriptor is missing the event definition details.
  • Incorrect event generation model.
Behavioural Change: -

Support Ticket 20092136 | Engineering Ticket DE441255 | Component: Active Directory Authentication
Problem Summary: The Identity Manager user is disabled when the Active Directory account is locked.
Root Cause: When a user is locked out because of unsuccessful authentication against Active Directory (Active Directory Auth Module), the user is disabled in the corporate store.
Behavioural Change: Added a new property named "Disable IM User on Authentication Failure due to AD Account Locked Status" in the Management Console under Environments, <Environment>, User Console, Active Directory Authentication Module Properties. The property is set to true by default and lets an administrator choose whether the Identity Manager user is disabled when the Active Directory account is locked.

Support Ticket 31925697 | Engineering Ticket DE461663 | Component: View Submitted Task
Problem Summary: Unclear messages appear in View Submitted Tasks (VST) after adding a user or group as a member of another group in an endpoint.
Root Cause: The AddToEndpointGroupRelationShipEvent is executed when a user or group is added as a member of another group in an endpoint. The Description field of the View Submitted Task (VST) is updated before this event executes, which produces an unclear message.
Behavioural Change: -

Support Ticket 31883241 | Engineering Ticket DE45844 | Component: View Submitted Task
Problem Summary: An Oracle SQL query fills the logs with errors when it is run from View Submitted Task (VST).
Root Cause: The Oracle SQL query does not work with multiple ORDER BY clauses when the SELECT statement uses the * character.
Behavioural Change: -

Support Ticket 20312653 | Engineering Ticket DE460689 | Component: TEWS
Problem Summary: Unable to resubmit a failed event through a TEWS call by providing the event ID. The same failed event can be resubmitted from the button in the View Submitted Task user interface, and resubmitting the whole task by providing the task ID through a TEWS call also works.
Root Cause: Resubmit event does not work via TEWS.
Behavioural Change: -

Support Ticket 20091005 | Engineering Ticket DE444581 | Component: Identity Manager User Console - 508 Compliance
Problem Summary: Identity Manager does not comply with the Section 508 accessibility standards.
Root Cause: -
Behavioural Change: Introduced a new Identity Manager User Console URL (ui-508 skin) that caters to the needs of people with disabilities in accordance with the Section 508 Compliance guidelines. For more information, see Section 508 Compliance and Accessibility Features.

Support Ticket 31936093 | Engineering Ticket DE463499 | Component: Identity Manager User Console - Account Templates
Problem Summary: Scope is not enforced when the fast search option is used to search account templates.
Root Cause: The application skips scoping for the fast search of account templates.
Behavioural Change: -

Support Ticket 20304919 | Engineering Ticket DE449378 | Component: Identity Manager User Console - Groups
Problem Summary: In the Modify User task screen, the group search action fails with the following error: "findGroupsAdminCanManageInScope".
Root Cause: Improper exception handling.
Behavioural Change: -

Support Ticket 31908431 | Engineering Ticket DE461129 | Component: Identity Manager User Console - HR Feed
Problem Summary: Enhancement request to support a custom parser with more regex patterns, custom response groups, custom request criteria, and a custom unique disambiguation attribute other than %USER_ID%.
Root Cause: -
Behavioural Change: The Workday.xml file at ~iam_im.ear/custom/hrfeed/ ships with the standard out-of-the-box mappings, requests, response groups, and a custom unique attribute (other than %USER_ID%) to disambiguate the user in the environment. If the out-of-the-box settings do not meet your requirements, edit the respective sections of the file as needed. The Workday.xml file is self-explanatory and contains examples for each section.

Support Ticket 20302214 | Engineering Ticket DE446809 | Component: Identity Manager User Console
Problem Summary: Unable to view Active Directory group members from the Identity Manager User Console.
Root Cause: The multi-search screen is not added for the View AD Group Members task.
Behavioural Change: -

Support Ticket 20161244 | Engineering Ticket DE443445 | Component: Configuration
Problem Summary: An error occurs on clicking the "Test Connection" button in the Create or Modify HR Feed screen.
Root Cause: Workday credential validation for the test connection is missing.
Behavioural Change: The parser now supports an extra regex; the write-up is included in workday.xml itself.

Support Ticket 20318599 | Engineering Ticket DE448830 | Component: Connector - Active Directory
Problem Summary: The Identity Manager Explore Definition for an Active Directory endpoint does not include all attributes in Partial Explore filtering.
Root Cause: The custom attributes (1 to 15) are not included in the code for the Active Directory Partial Explore and Correlate definition.
Behavioural Change: Added custom attributes 1 to 15 to the Partial Explore and Correlate filter.

Support Ticket 20300404 | Engineering Ticket DE447671 | Component: Dynamic Connector
Problem Summary: Identity Manager throws a constraint violation error when editing a mandatory multivalued attribute of an account.
Root Cause: The Modify Account task does not support a delete followed by an add operation on a mandatory multivalued attribute for any dynamic connector.
Behavioural Change: -

Support Ticket 20310799 | Engineering Ticket DE451373 | Component: JIAM
Problem Summary: When two endpoints created in Identity Manager point to the same Active Directory, Identity Governance fails to correlate users from one endpoint with groups from the other endpoint.
Root Cause: When a user or group belongs to multiple endpoints, data is imported from the first searched endpoint to which the user or group belongs, without validating which endpoint the user or group belongs to.
Behavioural Change: -

Support Ticket 31817296 | Engineering Ticket DE453301 | Component: Reports
Problem Summary: Snapshots of old reports are retained even after a new Snapshot Definition is created.
Root Cause: The cleanup value of the snapshot definition is set to -1 instead of 1 in the snapshot_type table.
Behavioural Change: -

Support Ticket 01296416 | Engineering Ticket DE415976 | Component: Account Management
Problem Summary: Account Template search takes a long time.
Root Cause: The search slows down when it has to scan a huge list of account templates.
Behavioural Change: When dealing with a huge list of account templates, you can speed up the search by selecting the List Account Template Names Only (fast search) checkbox in the account templates search window.

Support Ticket 31955711 | Engineering Ticket DE467323 | Component: Provisioning Roles
Problem Summary: An invalid filter failure message appears when searching for Provisioning Roles whose names contain parentheses.
Root Cause: The LDAP command does not escape parentheses in the search filter values.
Behavioural Change: -
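The parenthesis defect above (DE467323) comes down to RFC 4515 escaping of assertion values. The following Python is an added example, not Identity Manager code: it builds a role lookup filter for a name such as "Admins (Finance)", shows that the unescaped form fails a filter syntax check (and that an unescaped value can also inject extra filter terms), and applies the escaping that keeps the value literal. The attribute name eTRoleName and the objectClass value eTRole are assumptions for the illustration.

```python
"""Escape LDAP filter values per RFC 4515 (added example, not Identity Manager code).

Names such as "Admins (Finance)" contain characters that are structural in a
filter; concatenated in unescaped they make the filter invalid, and a crafted
name can even add filter terms. The attribute eTRoleName and the objectClass
value eTRole below are assumptions for illustration.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}
_HEX = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """Return value with the RFC 4515 special characters hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def role_filter(role_name: str, escape: bool = True) -> str:
    """Build the filter that looks up one Provisioning Role by name.

    escape=False reproduces the defect: the raw name is concatenated in.
    """
    value = escape_filter_value(role_name) if escape else role_name
    return f"(&(objectClass=eTRole)(eTRoleName={value}))"


def filter_is_valid(ldap_filter: str) -> bool:
    """Minimal RFC 4515 syntax check: &, |, ! combinators and attr=value items.

    An assertion value may not contain an unescaped '(' and every '\\' must be
    followed by two hex digits. That is what the server rejects as an invalid
    filter when a name with parentheses is concatenated in unescaped.
    """
    end, ok = _parse_filter(ldap_filter, 0)
    return ok and end == len(ldap_filter)


def _parse_filter(s: str, i: int):
    """Parse one parenthesised filter starting at s[i]; return (next index, ok)."""
    if i >= len(s) or s[i] != "(":
        return i, False
    i += 1
    if i < len(s) and s[i] in "&|!":
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i, ok = _parse_filter(s, i)
            if not ok:
                return i, False
            count += 1
        if count == 0 or i >= len(s) or s[i] != ")":
            return i, False
        return i + 1, True
    eq = s.find("=", i)
    if eq <= i or "(" in s[i:eq] or ")" in s[i:eq]:
        return i, False
    i = eq + 1
    while i < len(s) and s[i] != ")":
        if s[i] == "(" or s[i] == "\x00":
            return i, False
        if s[i] == "\\":
            if len(s) < i + 3 or not set(s[i + 1:i + 3]) <= _HEX:
                return i, False
            i += 3
            continue
        i += 1
    if i >= len(s):
        return i, False
    return i + 1, True


if __name__ == "__main__":
    for name in ("Admins (Finance)", "*)(objectClass=*"):
        for escape in (False, True):
            f = role_filter(name, escape)
            print(f"escape={escape!s:5} valid={filter_is_valid(f)!s:5} {f}")
```

Note the second sample name: unescaped, it yields a syntactically valid filter with an extra (objectClass=*) term, which is the LDAP injection case rather than the error case; escaping handles both the same way, by making every structural character in the value literal.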
Provisioning Server

Support Ticket 20024290 | Engineering Ticket DE425728 | Component: Provisioning Server
Problem Summary: During an incremental Explore and Correlate, the explore and correlate steps work but the global users are not updated.
Root Cause: The LDAP filter for the Global User update operation does not include the incremental timestamp.
Behavioural Change: -

Support Ticket 20092242 | Engineering Ticket DE437151 | Component: Provisioning Server
Problem Summary: The Provisioning Server ran out of available threads.
Root Cause: Insufficient memory for the Provisioning Server service to run smoothly.
Behavioural Change: Increased the Provisioning Server service memory from 2 GB to 3 GB on Windows and 4 GB on Linux.

Support Ticket 20048348 | Engineering Ticket DE437299 | Component: Provisioning Server
Problem Summary: A user can retrieve the passwords of all provisioning global users in a non-FIPS installation.
Root Cause: The maintenance user (etaserver) has full rights to access every object in the database.
Behavioural Change: The maintenance account etaserver can be blocked from accessing the Provisioning Server service by setting the registry variable ETRUST_MAINTENANCEID_DISABLED to 'yes'.
Note: Before upgrading to subsequent releases or cumulative patches, ensure that the maintenance user (etaserver) is unblocked by setting the registry variable ETRUST_MAINTENANCEID_DISABLED to 'no'.

Support Tickets 20127890, 20046148 | Engineering Tickets DE441386, DE430030 | Component: Provisioning Server
Problem Summary: The Active Directory connector does not handle the latest list of ISO 3166 country codes.
Root Cause: Support for the latest list of ISO 3166 country codes was missing.
Behavioural Change: The Active Directory country code list is updated according to the ISO standard.

Support Ticket 20089846 | Engineering Ticket DE440657 | Component: Provisioning Server
Problem Summary: An error while assigning Provisioning Roles results in the deletion of dynamic accounts.
Root Cause: Provisioning Roles are deleted when the Account ID is null.
Behavioural Change: When multiple roles are assigned during account creation, the role synchronization process no longer stops when one of the account templates has an error; it checks the remaining account templates for success. As a result, all account templates are checked during role synchronization, whether the task is a create or a modify account task.

Support Ticket 20037733 | Engineering Ticket DE427767 | Component: Provisioning Server
Problem Summary: Enhancement request to increase the number of custom attributes for a dynamic endpoint from 800 to 1500.
Root Cause: -
Behavioural Change: -

Support Ticket 20295979 | Engineering Ticket DE446243 | Component: Provisioning Server
Problem Summary: A search loop keeps the C++ Connector Server busy and slows down performance.
Root Cause: The search goes into an infinite loop when it fails to meet the exit condition for a failed search operation.
Behavioural Change: -

Support Ticket 1372320 | Engineering Ticket DE420439 | Component: Provisioning Manager
Problem Summary: When a dynamic endpoint is removed from one of its associated account templates, it is removed from all associated account templates.
Root Cause: The Provisioning Server is unable to find the desired account template inclusion for the dynamic endpoint being removed, so the dynamic endpoint is removed from all associated account templates.
Behavioural Change: -

Support Ticket 20325607 | Engineering Ticket DE451076 | Component: Provisioning Manager
Problem Summary: Active Directory account operations such as Move Mailbox and Delete Mailbox do not work as expected from Provisioning Manager.
Root Cause: Provisioning Manager cannot distinguish a normal Active Directory account from an account with an Exchange mailbox because the homeMTA attribute is absent; the attribute is not mandatory in Exchange 2010 and later. The Move Mailbox and Delete Mailbox operations are therefore ignored.
Behavioural Change: -

Support Ticket 20103836 | Engineering Ticket DE438959 | Component: Provisioning Manager
Problem Summary: Provisioning Manager cannot handle more than 99 tabs (property pages) in a screen (property sheet).
Root Cause: The Windows API used is limited to displaying 99 tabs.
Behavioural Change: -

Support Ticket 20029325 | Engineering Ticket DE426978 | Component: Provisioning Manager
Problem Summary: Unable to log in to Provisioning Manager in FIPS mode.
Root Cause: Library loading conflict.
Behavioural Change: -

Support Ticket 20117127 | Engineering Ticket DE440946 | Component: C++ Connector Server (CCS)
Problem Summary: Active Directory account creation fails for users with an empty value in the "accountExpires" attribute.
Root Cause: Active Directory does not accept an empty value in the "accountExpires" attribute.
Behavioural Change: -

Support Ticket 20117009 | Engineering Ticket DE443224 | Component: C++ Connector Server (CCS)
Problem Summary: The Active Directory connector cannot perform Skype-related operations successfully.
Root Cause: A session affinity issue occurs when the remote PowerShell sessions are not routed to the same Skype server. The problem appears when a load balancer is placed between the Active Directory connector and the Skype servers.
Behavioural Change: -

Support Tickets 20105189, 31871372 | Engineering Tickets DE447045, DE459822 | Component: Connector - Active Directory
Problem Summary: The Active Directory connector cannot access Exchange attributes when the endpoint security mode is SASL and the user Distinguished Name is specified in "domain\username" notation.
Root Cause: The Active Directory connector does not work as expected in SASL mode because of bind problems (the user Distinguished Name is converted into a full Distinguished Name).
Behavioural Change: -

Support Ticket 31887475 | Engineering Ticket DE460486 | Component: Connector - Active Directory
Problem Summary: After upgrading to Identity Manager 14.3 CP1, Active Directory extension attributes cannot be provisioned with multiple values.
Root Cause: The updated buffer used to handle Unicode strings can hold only one value.
Behavioural Change: -

Support Ticket 20311916 | Engineering Ticket DE448334 | Component: Connector - Active Directory
Problem Summary: The Active Directory explore operation removed unreturned accounts from the Provisioning Directory.
Root Cause: In an Active Directory failover setup, if the primary server goes down in the middle of a large search operation, the Provisioning Server receives only a partial result set and therefore deletes accounts from the Provisioning Directory.
Behavioural Change: In an Active Directory failover setup, when the connection between the Active Directory connector and the primary Active Directory server breaks during a long Explore and Correlate operation, the connector falls back to the failover Active Directory server, which returns the partial result set with a success status; unwanted accounts are then deleted from the Provisioning Directory. With the fix, the Active Directory connector sends a failure message instead of returning the partial result set with success.

Support Ticket 20140501 | Engineering Ticket DE442252 | Component: Third-Party Libraries
Problem Summary: Inbound Synchronization does not work as expected because of SSL context issues.
Root Cause: An issue with the third-party library (libcurl) referenced by EtaNotifyTools.dll.
Behavioural Change: -
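The failover defect above (DE448334) is a general reconciliation hazard: a search that ends early must not be read as "these accounts no longer exist". The Python below is an added example, not Provisioning Server or connector code. It models a paged search that breaks part-way, the defective reconciliation that deletes every unreturned account, the fixed behaviour that reports failure instead, and a failover that restarts the search from the beginning rather than stitching pages from two servers together. The account names, page layout and function names are constructed for the illustration.

```python
"""Fail closed on a partial Explore result (added example, not Provisioning Server code).

Models the Explore and Correlate step that removes accounts the endpoint no
longer returns. If a paged search dies part-way and the partial set is taken
as complete, every account in the missing pages is deleted from the
Provisioning Directory. Account names and page layout are constructed.
"""

from dataclasses import dataclass
from typing import List, Optional, Set


class IncompleteSearch(Exception):
    """Raised where the fixed connector reports failure instead of partial success."""


@dataclass
class SearchResult:
    accounts: Set[str]
    complete: bool
    pages_received: int
    pages_expected: int


def paged_search(pages: List[Set[str]],
                 drop_after_page: Optional[int] = None) -> SearchResult:
    """Simulate a paged LDAP search; drop_after_page models the connection breaking."""
    seen: Set[str] = set()
    for number, page in enumerate(pages, start=1):
        seen |= page
        if drop_after_page is not None and number == drop_after_page:
            return SearchResult(seen, False, number, len(pages))
    return SearchResult(seen, True, len(pages), len(pages))


def reconcile(directory: Set[str], result: SearchResult,
              trust_partial: bool = False) -> Set[str]:
    """Return the accounts that stay in the Provisioning Directory.

    trust_partial=True is the defect: unreturned accounts are removed even when
    the search did not finish. The default refuses to act on a partial set.
    """
    if not result.complete and not trust_partial:
        raise IncompleteSearch(
            f"{result.pages_received} of {result.pages_expected} pages received; "
            "not removing unreturned accounts")
    return directory & result.accounts


def accounts_removed(directory: Set[str], result: SearchResult,
                     trust_partial: bool = False) -> Optional[Set[str]]:
    """Accounts reconcile() would delete, or None when it refuses to delete."""
    try:
        return directory - reconcile(directory, result, trust_partial)
    except IncompleteSearch:
        return None


def explore_with_failover(primary_pages: List[Set[str]],
                          failover_pages: List[Set[str]],
                          primary_drop_after: Optional[int] = None,
                          failover_drop_after: Optional[int] = None) -> SearchResult:
    """Restart the search from the beginning on the failover server.

    Pages from the two servers are never stitched together: the paging cookie
    from a broken primary search means nothing to the failover server, and a
    search that does not complete there either is reported as a failure.
    """
    result = paged_search(primary_pages, primary_drop_after)
    if result.complete:
        return result
    result = paged_search(failover_pages, failover_drop_after)
    if not result.complete:
        raise IncompleteSearch("search did not complete on the failover server")
    return result


if __name__ == "__main__":
    directory = {"alice", "bob", "carol", "dave"}      # constructed sample
    pages = [{"alice", "bob"}, {"carol", "dave"}]       # endpoint answers in two pages
    broken = paged_search(pages, drop_after_page=1)
    print("defect removes:", accounts_removed(directory, broken, trust_partial=True))
    print("fix removes:   ", accounts_removed(directory, broken))
    full = explore_with_failover(pages, pages, primary_drop_after=1)
    print("after failover:", accounts_removed(directory, full))
```

The same rule applies to any connector that reconciles by absence: only a result set the endpoint itself declared complete may drive deletions, and a failure is the safer answer than a short list.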
Connectors

Support Ticket 20136997 | Engineering Ticket DE436612 | Component: Security
Problem Summary: Port 20080, exposed by the Java Connector Server (JCS), allows anyone on the network to read web.xml without credentials.
Root Cause: Access to files is granted without any validation.
Behavioural Change: -

Support Ticket 20221897 | Engineering Ticket DE444427 | Component: Java Connector Server (JCS)
Problem Summary: A Connector Server error occurs when working with a PostgreSQL endpoint whose attribute data type is set to integer.
Root Cause: PostgreSQL expects integer/numeric and boolean values as Java objects.
Behavioural Change: -

Support Ticket 20028706 | Engineering Ticket DE426884 | Component: Connector - Azure API Gateway
Problem Summary: The Azure connector limits the number of user groups that can be retrieved while compiling a User Group Membership request.
Root Cause: Pagination issue.
Behavioural Change: Implemented paging to retrieve all members of a group and user.

Support Ticket 20020195 | Engineering Ticket DE426736 | Component: Connector - Azure API Gateway
Problem Summary: The Azure connector does not handle double-quote characters in user and group attribute values.
Root Cause: JSON parse error because the special characters are not escaped.
Behavioural Change: -

Support Ticket 20028706 | Engineering Ticket DE436363 | Component: Connector - Azure API Gateway
Problem Summary: Azure connector user group members have an extra "#" character when viewed in Provisioning Manager.
Root Cause: Unable to open the account properties from the Group Membership tab when the account name contains the "#" character.
Behavioural Change: -

Support Ticket 31808062 | Engineering Ticket DE452029 | Component: Connector - RACF v2
Problem Summary: When creating a RACF account using Provisioning Manager, a timeout warning appears, but the user is created in RACF after 3 or 4 minutes.
Root Cause: Creating a RACF account with a group takes around 3 to 4 minutes.
Behavioural Change: Optimized performance for creating a RACF user with a group that has a large number of member users (around 1400 users as members of a group).

Support Ticket 31875546 | Engineering Ticket DE458349 | Component: Connector - RACF v2
Problem Summary: Creating a RACF account with RACF Connect Groups takes more than 4 minutes.
Root Cause: The RACF connector makes an extra search call to retrieve all the properties of a group.
Behavioural Change: -

Support Ticket 31840385 | Engineering Ticket DE455145 | Component: Connector - Oracle
Problem Summary: The Java Connector Server log (jcs_daily.log) contains the Oracle user password when the out-of-the-box (OOTB) Oracle Server connector is used to change the Oracle user password.
Root Cause: The password is not masked in the log file.
Behavioural Change: -

Support Ticket 31797428 | Engineering Ticket DE460808 | Component: Connector - Top Secret v2
Problem Summary: The Provisioning Server is unaware of an account creation failure and reports a successful account creation.
Root Cause: The generated exception was not handled properly at the connector end.
Behavioural Change: -
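Two rows on this page are the same class of defect, a credential written to a log: the wsse:Password element logged from a Policy Xpress SOAP call (DE358814 and DE359112 in the Identity Manager Server table) and the Oracle password in jcs_daily.log (DE455145 above). The Python below is an added example, not Identity Manager or JCS code. It masks the WS-Security password element, falling back to a regex when the logged message is not well-formed XML (a truncated entry, for instance), and masks IDENTIFIED BY and password=... values in a connector log line. The sample envelope and log lines are constructed; the namespace URIs are the published SOAP 1.1 and OASIS WSS ones.

```python
"""Mask credentials before a message reaches a log (added example, not product code).

Covers the WS-Security password in a logged SOAP request and the Oracle
password inside an ALTER USER statement in a connector log. Sample data below
is constructed for the example.
"""

import re
import xml.etree.ElementTree as ET

NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
MASK = "****"

ET.register_namespace("soapenv", NS_SOAP)
ET.register_namespace("wsse", NS_WSSE)

# Fallback for entries that are not well-formed XML (truncated log lines).
_WSSE_PASSWORD_RE = re.compile(
    r"(<(?:\w+:)?Password\b[^>]*>)(.*?)(</(?:\w+:)?Password>)", re.DOTALL)
# Oracle: ALTER USER name IDENTIFIED BY "pw"  or  IDENTIFIED BY pw
_ORACLE_PW_RE = re.compile(r'(IDENTIFIED\s+BY\s+)("[^"]*"|\S+)', re.IGNORECASE)
# Generic key=value secrets in connector traces
_KV_SECRET_RE = re.compile(r"\b(password|passwd|pwd)(\s*=\s*)\S+", re.IGNORECASE)

# Constructed sample: a UsernameToken with a plain-text password.
SAMPLE_ENVELOPE = (
    f'<soapenv:Envelope xmlns:soapenv="{NS_SOAP}">'
    f'<soapenv:Header><wsse:Security xmlns:wsse="{NS_WSSE}">'
    '<wsse:UsernameToken><wsse:Username>svc-pxpress</wsse:Username>'
    f'<wsse:Password Type="{PASSWORD_TEXT}">Hunter2!</wsse:Password>'
    '</wsse:UsernameToken></wsse:Security></soapenv:Header>'
    '<soapenv:Body><getUser><id>u123</id></getUser></soapenv:Body>'
    '</soapenv:Envelope>'
)
# Constructed sample: the same header cut off by a log line limit.
TRUNCATED_ENTRY = (
    '<wsse:Security><wsse:UsernameToken><wsse:Username>svc-pxpress</wsse:Username>'
    '<wsse:Password Type="#PasswordText">Hunter2!</wsse:Password></wsse:UsernameTo'
)


def mask_wsse_password(message: str) -> str:
    """Replace the text of every wsse:Password element with the mask.

    Parses the message as XML so the element is found regardless of prefix;
    if the entry is not well-formed, a regex handles the common serialized form.
    """
    try:
        root = ET.fromstring(message)
    except ET.ParseError:
        return _WSSE_PASSWORD_RE.sub(lambda m: m.group(1) + MASK + m.group(3), message)
    for pw in root.iter(f"{{{NS_WSSE}}}Password"):
        pw.text = MASK
    return ET.tostring(root, encoding="unicode")


def mask_sql_password(line: str) -> str:
    """Mask Oracle IDENTIFIED BY values and key=value passwords in a log line."""
    line = _ORACLE_PW_RE.sub(lambda m: m.group(1) + MASK, line)
    return _KV_SECRET_RE.sub(lambda m: m.group(1) + m.group(2) + MASK, line)


def sanitize_for_log(message: str) -> str:
    """Apply every masker to a message before it is handed to the logger."""
    return mask_sql_password(mask_wsse_password(message))


if __name__ == "__main__":
    print(sanitize_for_log(SAMPLE_ENVELOPE))
    print(sanitize_for_log(TRUNCATED_ENTRY))
    print(sanitize_for_log('ALTER USER scott IDENTIFIED BY "Tiger123" ACCOUNT UNLOCK'))
```

Masking is applied to the message, not at the point where the secret is created, so it also covers messages assembled by third-party SOAP or JDBC layers; the DEBUG-level change noted in the Policy Xpress row reduces how often such messages are logged at all, which is the stronger control.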
Provisioning Components

Support Ticket 20257811 | Engineering Ticket DE446190 | Component: Credential Provider
Problem Summary: DLL errors in the Identity Manager Credential Provider for Windows x64 setup.
Root Cause: The Credential Provider installs files into the C:\Windows\System32 folder, where they are loaded by LogonUI.exe and cause DLL conflicts.
Behavioural Change: The Credential Provider now references its third-party libraries from its own path rather than from the Windows System32 folder.

Support Ticket 32007376 | Engineering Ticket DE465547 | Component: Password Synchronization Agent
Problem Summary: Enhancement request for the Password Synchronization Agent to support Local Security Authority Server Service (LSASS) protection mode.
Root Cause: -
Behavioural Change: The Password Synchronization Agent now works with Local Security Authority Server Service (LSASS) protection mode enabled on Active Directory and Windows NT endpoints.