• OpenIDM 5.0.1.1 is a maintenance release for OpenIDM 5 that provides important fixes to existing bugs. These fixes improve the functionality, performance and security of your OpenIDM deployment. No new features have been introduced.

  OpenIDM 5.0.1.1 is available for download from the ForgeRock BackStage website. To view the list of fixes, see "Issues Fixed in OpenIDM 5.0.1.1".

  Note

  The release can be deployed as an initial deployment or used to upgrade an existing version. You can upgrade from any version listed in "Supported Update Paths".

• This release includes the following new features:

  Registration With Social Identities

  Users can now register new accounts using information from social identity providers, including Google, Facebook, and LinkedIn. If you configure access through more than one social identity provider, users can select and manage the providers they use.

  For more information, see "Configuring Social ID Providers" in the Integrator's Guide.

  Integration Between Products Across the Platform

  It is now much easier to use OpenAM as the default authentication provider. This enhanced functionality is demonstrated in the new Full Stack Sample. For more information, see "Integrating OpenIDM With the ForgeRock Identity Platform" in the Samples Guide, which works with OpenIDM 5 and OpenAM 5.

  The old Full Stack sample is still available in the OpenIDM 4.5 Samples Guide

  Scripted JMS Message Handler

  A new scripted JMS Message Handler enables you to perform CRUDPAQ operations by subscribing to an ActiveMQ message queue.

  For more information, see "Scripted JMS Sample" in the Samples Guide.

  Enhanced Update Process

  The update process from OpenIDM 4.5 to OpenIDM 5 is simpler than in previous versions. For more information, see "Updating to OpenIDM 5" in the Installation Guide.

  New Audit Event Handlers

  The following new audit event handlers are supported:

  • JSON audit event handler, that logs audit data to a set of JSON files.

    Important

    This is the new default file-based audit event handler, and replaces the default CSV audit configuration. Auditing to CSV is still supported but must be configured on an OpenIDM 5 system.

    For more information, see "JSON Audit Event Handler" in the Integrator's Guide.

  • Splunk audit event handler, that supports logging to a Splunk system. For more information, see "Splunk Audit Event Handler" in the Integrator's Guide.

  • Syslog audit event handler, based on RFC 5424, The Syslog Protocol. For more information, see "Syslog Audit Event Handler" in the Integrator's Guide.

  New Authentication Modules

  OpenIDM 5 includes support for OpenID Connect and OAuth 2.0 authentication. For more information, see "Supported Authentication and Session Modules" in the Integrator's Guide

  A new SOCIAL_PROVIDERS authentication module allows you to configure additional OAuth 2.0 or OpenID Connect social identity providers. These providers must be entirely compliant with the OAuth 2.0 and OpenID Connect 1.0 standards. For more information, see "Configuring Social ID Providers" in the Integrator's Guide.

  Improved Cluster Service and Scheduled Job Management

  OpenIDM 5 provides simpler configuration and management of a clustered deployment, including improvements to how scheduled jobs across a cluster are managed. Support has been added for the following:

  • Removal of the keystore from the repository.

    The OpenIDM keystore is no longer persisted in the repository. In a clustered environment, you must copy the initialized keystore to each instance in the cluster, or point to a single, centralized keystore. For more information, see "Configuring an OpenIDM Instance as Part of a Cluster" in the Integrator's Guide.

  • Changes to the cluster configuration.

    It is no longer necessary to specify the openidm.instance.type of nodes in a cluster. This configuration property does not exist in OpenIDM 5 and all nodes are assumed to be of the same type. If you leave this property in your boot.properties file after an upgrade, it is simply ignored. For more information, see "Configuring an OpenIDM Instance as Part of a Cluster" in the Integrator's Guide.

  • Basic cluster monitoring in the Admin UI.

    For more information, see "Managing Nodes Through the Admin UI" in the Integrator's Guide.

  Support for Hardware Security Module (HSM) Devices

  OpenIDM 5 supports the configuration of an external PKCS #11 (HSM) device to manage the keys used to secure OpenIDM transactions. For more information, see "Configuring a Hardware Security Module (HSM) Device" in the Integrator's Guide.

  Changes to Supported Connectors and Connector Servers

  • New Marketo Connector

    Part of the Social Registration feature, the Marketo Connector is an example of how OpenIDM can be used to manage customer data. For more information, see "Marketo Connector" in the Connectors Guide.

  • Upgraded Remote Connector Servers

    OpenIDM 5 supports version 1.5.2.0 of the .NET and Java connector servers. The updated connector servers provide full support for the websocket protocol communication protocol and fix a number of issues. For more information, see "Accessing Remote Connectors" in the Integrator's Guide.

  • Updated LDAP Connector

    OpenIDM 5 bundles version 1.4.3.0 of the LDAP connector. The updated connector provides a number of enhancements, including:

    • A resetSyncToken flag to address possible inconsistencies between the syncToken value and the lastChangeNumber in the changelog (see OPENICF-601).

    • Better exception logging for failed updates (see OPENICF-593).

    • Detection of the Red Hat Directory Server server type and subsequent selection of the correct sync strategy (see OPENICF-539).

    • More efficient search filters (see OPENICF-505).

  • Updated Groovy Connector Toolkit

    OpenIDM 5 bundles version 1.4.3.0 of the Groovy connector toolkit.

  • SAP Connector Now Supports SNC

    Version 1.4.1.0 of the SAP connector supports an SNC (Secure Network Connection) configuration. For more information, see "Configuring the SAP Connector For SNC" in the Connectors Guide.

  Password Reset Capability for Administrators

  Administrators can now reset user passwords in a secure, configurable way, through the Admin UI. For more information, see "Resetting User Passwords" in the Integrator's Guide.

  API Explorer For Managed Objects

  The OpenIDM 5 UI includes an API Explorer that allows you to list the supported methods and actions on managed object endpoints. For more information, see "API Explorer" in the Integrator's Guide.

  JSON Configuration File to Protect the Felix Web Console

  OpenIDM 5 provides a new configuration file that enables you to protect access to the Felix Web Console, in the event that you cannot remove the console in production. For more information, see "Remove or Protect Development & Debug Tools" in the Integrator's Guide.

  For installation instructions, see "Preparing to Install and Run Servers" in the Installation Guide.

  Several samples are provided to familiarize you with the OpenIDM features. For more information, see "Overview of the Samples" in the Samples Guide.

  For an architectural overview and a high-level presentation of OpenIDM, see "Architectural Overview" in the Integrator's Guide.

The following JDBC repositories are supported for use in production:

• MySQL version 5.5, 5.6, and 5.7 with MySQL JDBC Driver Connector/J 5.1.18 or later

• Microsoft SQL Server 2012 and 2014

• Oracle Database 11gR2 and 12c

• PostgreSQL 9.3.10 and 9.4.5

• IBM DB2, 10.1, 10.5

OpenIDM bundles the following OpenICF connectors:

• CSV File Connector

• Database Table Connector

• Groovy Connector Toolkit

  This toolkit enables you to create scripted connectors to virtually any resource

• LDAP Connector

• XML File Connector

• Kerberos Connector

• Scripted SSH Connector

  Currently supported only as a prerequisite for the Kerberos Connector

• Google Apps Connector

• Salesforce Connector

ForgeRock has tested many browsers with the OpenIDM UI, including the following browsers:

• Chrome and Chromium, latest stable version

• Firefox, latest stable version

• Safari, latest stable version

• Internet Explorer 11 and later

OpenIDM software is supported on the following operating systems:

• Red Hat Enterprise Linux 6.x/7.x (CentOS Linux 6.x/7.x)

• Ubuntu Linux 16.04

• Windows 2008 R2, 2012 R2, 2016

OpenIDM 5.0.1.x has the following known limitations:

• Performance hit occurs when updating a role condition with membership of 5K or more.

  When creating a role condition that has a membership of 5K or more, OpenIDM exhibits a performance hit for versions 5.0.1.x. The workaround is to update to version OpenIDM 5.5.x or 6.0.0.x.

  For more information, see OPENIDM-11894: Performance issue updating conditional role membership on OpenIDM 5.0.1.x.

OpenIDM 5 has the following known limitations:

• Cannot modify CSV audit handler formatting fields using the OpenIDM Admin UI.

  Workaround: Do not use the UI to change any of the CSV Output Formatting parameters. If you need to change these parameters, change them directly in your project's conf/audit.json file.

• Undefined file occurs when downloading a repository update file during updates using the Admin UI.

  During an update to OpenIDM 5.0.1.1, there is an existing bug with the Download button when downloading the v6_add_primary_key_to_properties_tables.sql file. The downloaded file ends up with an undefined value.

  Workaround: If you have a MySQL, MSSQL, or DB2 database, manually copy the v6_add_primary_key_to_properties_tables.sql file from /path/to/openidm/db/repo_type/scripts/update to the openidm/update-scripts directory, then apply the script as shown in the next step.

  • For Oracle databases: use v7_add_primary_key_to_properties_tables.sql.

  • For PostgreSQL databases: use v9_add_primary_key_to_properties_tables.sql.

  For more information, see "Updating to Version 5.0.1.1 Using the Admin UI" in the Installation Guide.

• The automated update process is not currently supported on Windows platforms.

• When you add or edit a connector through the Admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST (see "Creating Default Connector Configurations" in the Integrator's Guide) or edit the connector configuration file (conf/provisioner.openicf-connector-type.json) directly.

• For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.

• A conditional GET request, with the If-Match request header, is not currently supported.

• OpenIDM provides an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.

• If you're using the OPENAM_SESSION module to help OpenIDM work with OpenAM software, modify the JWT_SESSION module to limit token lifetime to 5 seconds. For more information, see information on the OPENAM_SESSION Module in the Integrator's Guide and "Supported Session Module" in the Integrator's Guide.

• OPENIDM-9454: With an explicit mapping in a MySQL repo, cannot create a managed user with password longer than 13 characters

• OPENIDM-10919: JavaScript in Internet Explorer does not support includes method of String

• OPENIDM-11648: RuntimeException&Server Error is observed on full-stack example

• OPENIDM-11649: UI error: Service unavailable after changes in Authentication/Session

• OPENIDM-11894: Performance issue updating conditional role membership on OpenIDM 5.0.1.x.

• OPENIDM-11906: There are 2 files (third-party-copyrights.txt,ThirdPartyCopyright.txt) after update from 5.0.x.x to 5.0.1.1

• OPENIDM-11283: OpenIDM 5.0.1.0 sample and usecase samples have incorrect configuration by default after adding workflow switch

• OPENIDM-7984: Unable to edit ForgeRock Identity Provider in Admin UI

• OPENIDM-7982: Backport OPENIDM-7803: Audit activity occurs for update even when before/after show no differences

• OPENIDM-7978: Full Stack sample: unable to log in as a regular user after logging out as an admin

• OPENIDM-7968: amAdmin doesn't work with fullStack (or full-stack) sample

• OPENIDM-7803: Audit activity occurs for update even when before/after show no differences

• OPENIDM-7700: Core attributes can specify returnByDefault even though not applicable

• OPENIDM-7665: Admin UI mapping view returns HTTP 400 error

• OPENIDM-7659: Updating the CSV audit event handler using the Admin UI may disable the handler

• OPENIDM-7644: Admin UI should create schedule config instead of direct scheduler entries

• OPENIDM-7422: Apostrophe character is not displaying properly in the Provisioning Roles

• OPENIDM-7284: Create manager/reports relationship with POST or PUT work on managed/user/id/reports but fails on managed/user/id/manager

• OPENIDM-7223: Recon always detects manager field as modified

• OPENIDM-7054: Samples declare wrong type for ds-pwp-account-disabled in provisioner conf

• OPENIDM-6179: UI doesn't display error when Relationship Validation fails

• OPENIDM-6072: Multiple answers to the same security question are possible

• OPENIDM-5923: ScriptedSSH sample - group members create/update is not working

• OPENIDM-5914: Role is still showing as assigned in effectiveRoles attribute on query-all output if role is unassigned via the admin UI

• OPENIDM-5909: ScriptedSSH incorrect sample provisioner group members nativeName

• OPENIDM-5907: ScriptedSSH search script unsupported filter cause timeout exception

• OPENIDM-5905: Removing a workflow definition file from the filesystem does not delete it in the config

• OPENIDM-5900: ScriptedSSH ErrorCodes.groovy is not loaded

• OPENIDM-5893: Recon on AD LDAPS mapping (tap association) gives 500 Server Error

• OPENIDM-5791: JNDI Config for JMS Audit Handler not rendered correctly.

• OPENIDM-5465: Performance Issue updating conditional role memberships

• OPENIDM-5450: When Buffering is not enabled, related options should not be available

• OPENIDM-5399: Spaces in CSV field names result in an exception when creating a CSV connector

• OPENIDM-5166: Changing CSV audit event handler formatting fields causes an exception

• OPENIDM-4797: Connector info provider needs to be updated to connect to .NET server

• OPENIDM-4462: Delete request with HTTP "If-Match *" header does not work on repo endpoints

• OPENIDM-4227: Use value of managed object prior to save for sync events to use hashed values

• OPENIDM-4149: availableConnectors are not updated after remote ICF shut down

• OPENIDM-4127: Endpoint system/os returns cpu usage above available

• OPENIDM-3857: Cannot pass along custom context when making router requests from script

• OPENIDM-3199: When a mailtask can't be completed in an Activiti workflow, an exception is thrown

• OPENIDM-3197: '%' character in object id of openidm.read calls has to be encoded

• OPENIDM-3149: Custom Endpoint Example: object request.patchOperations is wrong for Groovy scripts

• OPENIDM-2016: Sync on unsupported object class with remote java connector returns 500 instead of 400

• OPENIDM-1898: Representation of request-object differs between code and json-representation

• OPENIDM-1488: XDate locales could not be initialized correctly

• OPENIDM-1445: Provisioner service does not decrypt encrypted attributes before passing them to OpenICF framework

• OPENIDM-1269: some issues with Case Sensitivity options for Sync

• OPENIDM-1165: EXCEPTION action when doing liveSync stops the synctoken processing

• OPENIDM-848: Conflicting behavior might be observed between the default fields set by the onCreate script and policy enforcement

• OPENIDM-470: OpenIDM cannot rename objects - if the identifier of the object changes, the associated link breaks

• Support for Java 7 is deprecated and will be removed in the next 5.5 release.

  When upgrading to the current release, also move to Java 8 in order to be prepared for pending removal of support for Java 7.

• Support for the TLSv1.1 protocol has been deprecated and will be removed in a future release. For more information, on the potential vulnerability, see CVE-2011-3389 from the National Vulnerability Database from the US National Institute of Standards and Technology.

  The default security protocol for OpenIDM is TLSv1.2. Do not downgrade this protocol to TLSv1.1 unless necessary. For more information, see "Setting the TLS Version" in the Integrator's Guide.

• When configuring connectors, (see "Configuring Connectors" in the Integrator's Guide), you can set up nativeType property level extensions. The JAVA_TYPE_DATE extension is deprecated.

• Support for a POST request with ?_action=patch is deprecated, when patching a specific resource. Support for a POST request with ?_action=patch is retained, when patching by query on a collection.

  Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead.

  For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe's entry:

  $ curl \
   --header "X-OpenIDM-Username: openidm-admin" \
   --header "X-OpenIDM-Password: openidm-admin" \
   --header "Content-Type: application/json" \
   --request POST \
   --header "X-HTTP-Method-Override: PATCH" \
   --data '[
      {
      "operation":"replace",
      "field":"/description",
      "value":"The new description for Jdoe"
      }
    ]' \
    "http://localhost:8080/openidm/managed/user/jdoe"

• The XML file connector is deprecated and support for its use in OpenIDM will be removed in a future release. This connector is really useful only in a demonstration context and should not be used in the general provisioning of XML data stores. In real deployments, if you need to connect to a custom XML data file, you should create your own scripted connector by using the Groovy connector toolkit.

ForgeRock publishes comprehensive documentation online:

• The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

  While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

• ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.