Notes covering OpenIDM software requirements, fixes, and known issues. This software offers flexible services for automating management of the identity life cycle.
About OpenIDM Software
ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.
OpenIDM software provides centralized, simple management and synchronization of identities for users, devices and things.
OpenIDM software is highly flexible and therefore able to fit almost any use case and workflow.
These release notes are written for anyone using the OpenIDM 5 release. Read these notes before you install or upgrade OpenIDM software.
These release notes cover the following topics:
A list of the major new features and functionality provided with this release
Hardware and software prerequisites for installing and upgrading OpenIDM software
Compatibility with previous releases
Potential upcoming deprecation and removals that affect scripts and applications
Issues fixed since the previous release
Known issues open at the time of release
See the Installation Guide after you read these Release Notes. The Installation Guide covers installation and upgrade for OpenIDM software.
Chapter 1. What's New
This chapter covers new capabilities in OpenIDM 5.
1.1. New Releases
OpenIDM 5.0.1.1 is a maintenance release for OpenIDM 5 that provides important fixes to existing bugs. These fixes improve the functionality, performance and security of your OpenIDM deployment. No new features have been introduced.
OpenIDM 5.0.1.1 is available for download from the ForgeRock BackStage website. To view the list of fixes, see "Issues Fixed in OpenIDM 5.0.1.1".
Note
The release can be deployed as an initial deployment or used to upgrade an existing version. You can upgrade from any version listed in "Supported Update Paths".
1.2. Core Releases
This release includes the following new features:
- Registration With Social Identities
Users can now register new accounts using information from social identity providers, including Google, Facebook, and LinkedIn. If you configure access through more than one social identity provider, users can select and manage the providers they use.
For more information, see "Configuring Social ID Providers" in the Integrator's Guide.
- Integration Between Products Across the Platform
It is now much easier to use OpenAM as the default authentication provider. This enhanced functionality is demonstrated in the new Full Stack Sample. For more information, see "Integrating OpenIDM With the ForgeRock Identity Platform" in the Samples Guide, which works with OpenIDM 5 and OpenAM 5.
The old Full Stack sample is still available in the OpenIDM 4.5 Samples Guide.
- Scripted JMS Message Handler
A new scripted JMS Message Handler enables you to perform CRUDPAQ operations by subscribing to an ActiveMQ message queue.
For more information, see "Scripted JMS Sample" in the Samples Guide.
- Enhanced Update Process
The update process from OpenIDM 4.5 to OpenIDM 5 is simpler than in previous versions. For more information, see "Updating to OpenIDM 5" in the Installation Guide.
- New Audit Event Handlers
The following new audit event handlers are supported:
JSON audit event handler, which logs audit data to a set of JSON files.
Important
This is the new default file-based audit event handler, and replaces the default CSV audit configuration. Auditing to CSV is still supported but must be configured on an OpenIDM 5 system.
For more information, see "JSON Audit Event Handler" in the Integrator's Guide.
Splunk audit event handler, which supports logging to a Splunk system. For more information, see "Splunk Audit Event Handler" in the Integrator's Guide.
Syslog audit event handler, based on RFC 5424, The Syslog Protocol. For more information, see "Syslog Audit Event Handler" in the Integrator's Guide.
- New Authentication Modules
OpenIDM 5 includes support for OpenID Connect and OAuth 2.0 authentication. For more information, see "Supported Authentication and Session Modules" in the Integrator's Guide.
A new SOCIAL_PROVIDERS authentication module allows you to configure additional OAuth 2.0 or OpenID Connect social identity providers. These providers must be entirely compliant with the OAuth 2.0 and OpenID Connect 1.0 standards. For more information, see "Configuring Social ID Providers" in the Integrator's Guide.
- Improved Cluster Service and Scheduled Job Management
OpenIDM 5 provides simpler configuration and management of a clustered deployment, including improvements to how scheduled jobs across a cluster are managed. Support has been added for the following:
Removal of the keystore from the repository.
The OpenIDM keystore is no longer persisted in the repository. In a clustered environment, you must copy the initialized keystore to each instance in the cluster, or point to a single, centralized keystore. For more information, see "Configuring an OpenIDM Instance as Part of a Cluster" in the Integrator's Guide.
Changes to the cluster configuration.
It is no longer necessary to specify the openidm.instance.type of nodes in a cluster. This configuration property does not exist in OpenIDM 5 and all nodes are assumed to be of the same type. If you leave this property in your boot.properties file after an upgrade, it is simply ignored. For more information, see "Configuring an OpenIDM Instance as Part of a Cluster" in the Integrator's Guide.
Basic cluster monitoring in the Admin UI.
For more information, see "Managing Nodes Through the Admin UI" in the Integrator's Guide.
- Support for Hardware Security Module (HSM) Devices
OpenIDM 5 supports the configuration of an external PKCS #11 (HSM) device to manage the keys used to secure OpenIDM transactions. For more information, see "Configuring a Hardware Security Module (HSM) Device" in the Integrator's Guide.
- Changes to Supported Connectors and Connector Servers
New Marketo Connector
Part of the Social Registration feature, the Marketo Connector is an example of how OpenIDM can be used to manage customer data. For more information, see "Marketo Connector" in the Connectors Guide.
Upgraded Remote Connector Servers
OpenIDM 5 supports version 1.5.2.0 of the .NET and Java connector servers. The updated connector servers provide full support for the websocket communication protocol and fix a number of issues. For more information, see "Accessing Remote Connectors" in the Integrator's Guide.
Updated LDAP Connector
OpenIDM 5 bundles version 1.4.3.0 of the LDAP connector. The updated connector provides a number of enhancements, including:
A resetSyncToken flag to address possible inconsistencies between the syncToken value and the lastChangeNumber in the changelog (see OPENICF-601).
Better exception logging for failed updates (see OPENICF-593).
Detection of the Red Hat Directory Server server type and subsequent selection of the correct sync strategy (see OPENICF-539).
More efficient search filters (see OPENICF-505).
Updated Groovy Connector Toolkit
OpenIDM 5 bundles version 1.4.3.0 of the Groovy connector toolkit.
SAP Connector Now Supports SNC
Version 1.4.1.0 of the SAP connector supports an SNC (Secure Network Connection) configuration. For more information, see "Configuring the SAP Connector For SNC" in the Connectors Guide.
- Password Reset Capability for Administrators
Administrators can now reset user passwords in a secure, configurable way, through the Admin UI. For more information, see "Resetting User Passwords" in the Integrator's Guide.
- API Explorer For Managed Objects
The OpenIDM 5 UI includes an API Explorer that allows you to list the supported methods and actions on managed object endpoints. For more information, see "API Explorer" in the Integrator's Guide.
- JSON Configuration File to Protect the Felix Web Console
OpenIDM 5 provides a new configuration file that enables you to protect access to the Felix Web Console, in the event that you cannot remove the console in production. For more information, see "Remove or Protect Development & Debug Tools" in the Integrator's Guide.
For installation instructions, see "Preparing to Install and Run Servers" in the Installation Guide.
Several samples are provided to familiarize you with the OpenIDM features. For more information, see "Overview of the Samples" in the Samples Guide.
For an architectural overview and a high-level presentation of OpenIDM, see "Architectural Overview" in the Integrator's Guide.
1.3. Security Advisories
ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.
Chapter 2. Before You Install
This chapter covers requirements to consider before you run OpenIDM software, especially before you run the software in your production environment.
If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.
2.1. Supported Repositories
The following JDBC repositories are supported for use in production:
MySQL version 5.5, 5.6, and 5.7 with MySQL JDBC Driver Connector/J 5.1.18 or later
Microsoft SQL Server 2012 and 2014
Oracle Database 11gR2 and 12c
PostgreSQL 9.3.10 and 9.4.5
IBM DB2, 10.1, 10.5
OrientDB is provided for evaluation only.
2.2. Containers
You must install OpenIDM as a stand-alone service, using Apache Felix and Jetty, as provided. Alternate containers are not supported.
OpenIDM bundles Jetty version 9.2.
2.3. Connectors
OpenIDM bundles the following OpenICF connectors:
CSV File Connector
Database Table Connector
Groovy Connector Toolkit
This toolkit enables you to create scripted connectors to virtually any resource
LDAP Connector
XML File Connector
Kerberos Connector
Scripted SSH Connector
Currently supported only as a prerequisite for the Kerberos Connector
Google Apps Connector
Salesforce Connector
A PowerShell Connector Toolkit is available for download from ForgeRock's BackStage site. This Toolkit enables you to create scripted connectors to address the requirements of your Microsoft Windows ecosystem.
Additional connectors are available from ForgeRock's BackStage site.
Use of the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).
Windows 2012 R2 is supported as the remote system for connectors and password synchronization plugins.
The following table lists the supported connectors, connector servers, and password synchronization plugins for this OpenIDM release.
Connector/Plugin | Supported Version |
---|---|
CSV File Connector | 1.5.1.4 |
Database Table Connector | 1.1.0.2 |
Google Apps Connector | 1.4.1.0 |
Groovy Connector Toolkit | 1.4.3.0 |
Kerberos Connector | 1.4.2.0 |
LDAP Connector | 1.4.3.0 |
Powershell Connector Toolkit | 1.4.3.0 |
RACF Connector | 1.1.0.0 |
Salesforce Connector | 2.0.29.4 |
SAP Connector | 1.4.1.0 |
XML Connector | 1.1.0.3 |
Active Directory Connector | 1.4.0.0 |
Java Connector Server | 1.5.2.0, 1.5.1.0, 1.5.0.0, 1.4.1.0 |
.NET Connector Server | 1.5.2.0, 1.5.1.0, 1.5.0.0, 1.4.1.0 |
OpenDJ Password Synchronization Plugin | 3.5.0, supported with OpenDJ 3.5.0; 5, supported with OpenDJ 5. OpenDJ Password Sync plugins are not supported with OpenDJ OEM |
Active Directory Password Synchronization Plugin | 1.1.0, supported on Windows 2008 R2 and Windows 2012 R2 |
OpenIDM 4.0 and upwards supports a revised version of the OpenICF Framework. You must use the supported versions of the .NET Connector Server, or the Java Connector Server. The 1.5.x Java Connector Server is backward compatible with the version 1.1.x connectors. The 1.5.x .NET Connector Server is compatible only with the 1.4.x and 1.5.x connectors.
The 1.5.2.0 .NET connector server requires the .NET framework (version 4.5 or later) and is supported on Windows Server 2008 R2 and 2012 R2.
Important
Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in "Samples That Use the Groovy Connector Toolkit to Create Scripted Connectors" in the Samples Guide and "Samples That Use the PowerShell Connector Toolkit to Create Scripted Connectors" in the Samples Guide.
2.4. Browsers
ForgeRock has tested many browsers with the OpenIDM UI, including the following browsers:
Chrome and Chromium, latest stable version
Firefox, latest stable version
Safari, latest stable version
Internet Explorer 11 and later
2.5. Operating Systems
OpenIDM software is supported on the following operating systems:
Red Hat Enterprise Linux 6.x/7.x (CentOS Linux 6.x/7.x)
Ubuntu Linux 16.04
Windows 2008 R2, 2012 R2, 2016
2.6. Java Environment
OpenIDM requires Java 7 or Java 8, specifically at least the Java Standard Edition runtime environment. ForgeRock has performed most testing with Oracle Java Platform 8, Standard Edition.
ForgeRock recommends that you keep your Java installation up to date with the latest security fixes.
When using the Oracle JDK, you also need the Java Cryptography Extension (JCE) policy files.
On Windows systems, you must use at least Java SE JDK 7 update 6 to take advantage of the JVM fix relating to non-blocking sockets with the default Jetty configuration.
OpenJDK 1.7 and OpenJDK 1.8 are also supported.
2.7. Memory
You need 250 MB disk space and 1 GB memory for an evaluation installation. For a production installation, disk space and memory requirements will depend on the size of any internal and external repositories, as well as the size of the audit and service log files that OpenIDM creates.
2.8. Supported Update Paths
The following table contains information about the supported update paths to OpenIDM 5.0.1.1:
Note
OpenIDM 5.0.1.1 can also be deployed as-is for initial deployments.
Chapter 3. Fixes, Limitations, and Known Issues
This chapter covers the status of key issues and limitations for OpenIDM 5. For details and information on other issues, see the OpenIDM issue tracker.
3.1. Key Fixes in OpenIDM 5
This section covers key bug fixes in the current and previous releases.
Note
OpenIDM releases are cumulative. There is no need to install any previous patch. You only need to download and install the latest distribution. For example, openidm-5.0.1.1.zip includes the fixes in Patch Releases 5.0.0.1, 5.0.0.2, 5.0.0.3, and 5.0.1.0.
3.1.1. Issues Fixed in OpenIDM 5.0.1.1
The following important bugs were fixed in the OpenIDM 5.0.1.1 release:
COMMONS-314: json-crypto: SimpleEncryptor symmetric no longer works with HSMs
OPENIDM-5465: Performance Issue updating conditional role memberships
OPENIDM-9783: Include thread id in all logging statements
OPENIDM-10542: IDM decryption fails with AES 256-bit key
OPENIDM-10758: openidm.read() returns different content if called from managed.json action or a custom endpoint
OPENIDM-10887: expose isInitiator flag for IWA module
OPENIDM-11283: OpenIDM 5.0.1.0 sample9 and usecase samples have incorrect configuration by default after adding workflow switch.
3.1.2. Issues Fixed in OpenIDM 5.0.1.0
The following important bugs were fixed in the OpenIDM 5.0.1.0 release:
OPENIDM-2728: Database creation scripts missing primary and foreign keys on some tables
OPENIDM-9880: User object relationships lost when using compensate script to handle failed delete
OPENIDM-6156: multi-valued mail attribute causes reconciliation to abort without accurately auditing the failure cause
OPENIDM-6782: Password is re-encrypted during any managed object update/patch
OPENIDM-7223: recon always detects manager field as modified
OPENIDM-7422: Apostrophe character is not displaying properly in the Provisioning Roles
OPENIDM-7803: Audit activity occurs for update even when before/after show no differences
OPENIDM-8287: Deleting a schedule leaves data in schedulerobjectproperties table (oracle repo)
OPENIDM-8810: Scheduler objects persisted across both schedulerobjects and genericobjects repo tables
OPENIDM-8834: SQL exception when running oracle script for repo
OPENIDM-8856: Role grant conditions do not work on properties of any type other than string
OPENIDM-9198: Improve workflow switch in admin to handle situation where workflow.json file is not available
OPENIDM-9219: Workflow service randomly not starting properly
OPENIDM-9274: Disable Activiti Workflow service by default unless specifically required by a sample
OPENIDM-9554: Workflow Processes Completed have "Not Found Error" for managed/user
OPENIDM-9738: selecting tasks assigned to manager1 results in 404
OPENIDM-9643: Separate the logic out for storing the 'lastSync' property out of the all-inclusive ManagedObjectSet#update
OPENIDM-9796: Add backend support to pass the task assignee _id to workflow/taskinstance/ endpoint
OPENIDM-9797: Self-signed certificate used for HTTPS not in OpenIDM trust store anymore
OPENIDM-10286: Idle timeout for JWT authentication module is not working
OPENIDM-10733: Compensate hangs when downstream connector is offline
OPENIDM-10790: Backport OPENIDM-9102: Add workflow switch to system preferences
3.1.3. Issues Fixed in OpenIDM 5
The following important bugs were fixed in the OpenIDM 5 release:
OPENIDM-7349: LDAP Group assignment removal fails due to case mismatch
OPENIDM-7286: GET on manager/user/user_id/reports/relation_id and managed/user/user_id/manager/relation_id are giving wrong results on user with a manager
OPENIDM-7199: Policies not executed for multiple type attributes
OPENIDM-7108: Password Reset Token issued by one process cannot be validated by a different process
OPENIDM-7028: Audit schema missing db index
OPENIDM-7025: Setting the authzRoles 's attribute Return by Default to true, triggers the error "Changes pending - Authorization Roles"
OPENIDM-7014: SQLException thrown during GenericTableHandler.readForUpdate() is masked by failure to close the Statement associated with the ResultSet
OPENIDM-6973: AD Powershell samples: __ENABLE__ used in README but not in provisioner and create script
OPENIDM-6966: credential-query is inconsistent across repo config and needs to include status = 'active'
OPENIDM-6954: NullPointerException thrown during LiveSync when connectivity to Remote Connector Server has been lost
OPENIDM-6818: OpenIDM ICF Provisioner 'runAs' use-case is broken when integrating with OpenDJ
OPENIDM-6783: Unable to set managed object attribute type within UI to multiple values
OPENIDM-6742: ["relationship","null"] on 'manager' in managed.json causes tabs to disappear in the UI
OPENIDM-6723: Policy failure during forgotten password reset causes redirect to Login Page and obscures the failure cause
OPENIDM-6710: index and constraints on relationshipproperties table not properly configured in schemas
OPENIDM-6700: Self Service Dashboard displays task names incorrectly
OPENIDM-6641: cannot-contains-others policy is broken and does not correctly detect values which do not meet the policy requirements
OPENIDM-6619: "After" object missing from activity log when removing an authzRole
OPENIDM-6559: Patch ADD operation on system adds value to single-valued attribute
OPENIDM-6508: CountPolicy does not work because -count queryIds are missing
OPENIDM-6504: recon status may have incorrect data with recon after update
OPENIDM-6481: OpenIDM creates redundant BoneCPDataSource
OPENIDM-6457: CREATE request with _fields for relationships are not returned in the response
OPENIDM-6385: sample2d 'group' entry in managed.json causes UI issue
OPENIDM-6348: mapping properties page doesn't display completely if error occurs in script evaluation
OPENIDM-6313: Editing managed user schema from admin-ui corrupts lastSync and kbaInfo property definitions
OPENIDM-6291: '/_id: Expecting a value' warning when adding a Role with an On Assignment script
OPENIDM-6230: IDM hangs in shutdown waiting on promise.PromiseImpl.await
OPENIDM-6215: With non-local project, after update to 4.5.0 OpenIDM startup fails to activate crypto module
OPENIDM-6207: Excessive DB lock contention resulting from readForUpdateQueryStr execution in GenericTableHandler
OPENIDM-6200: conf/logging.properties not managed by update tool
OPENIDM-6196: With a non-local project, update is not updating default OpenIDM project directory
OPENIDM-6193: JobEntity was updated by another transaction concurrently
OPENIDM-6192: Update CLI causes OpenIDM to restart when previewing repo updates
OPENIDM-6170: Update process creates erroneous new keystore and truststore files that should be removed
OPENIDM-6169: unAssignment script undetected by defaultMapping.js
OPENIDM-6145: Admin UI incorrectly changes Managed User schema
OPENIDM-6086: Deleting attributes in the LDAP Connector via the Admin UI creates empty strings
OPENIDM-6083: Sample 2d -- Admin UI rendering of group recon is illegible in the UI
OPENIDM-6071: OpenIDM changes port from 389 to 1389 when configuring LDAP connector through the UI
OPENIDM-6068: Target reconciliation does not finish for large datasets
OPENIDM-6067: When a mapping is deleted through the Admin UI, links associated with the mapping are not deleted
OPENIDM-6051: Entire source object is returned when an attribute in sample data is null
OPENIDM-6044: When boolean or number property is updated on managed user in Admin UI the Save button remains grayed out
OPENIDM-6043: ScriptedREST and ScriptedCREST samples do not work with OpenDJ 3.5.0
OPENIDM-6031: Some workflow use cases show the wrong property name (_body instead of body)
OPENIDM-6025: "Filter Actions" message for "authentication" and "access" event is not correct
OPENIDM-6015: Clicking the '-' button next to 'The Value for' Reconciliation Query Filters in the Admin UI throws JavaScript errors in the console
OPENIDM-5997: Invalid "lastSync" JSON schema syntax in managed.json
OPENIDM-5986: cli.sh configimport returns success when errors occur
OPENIDM-5963: Connector schema data preview can fail depending on the order of automatically generated schema fields
OPENIDM-5962: Managed User Edit page displays changes pending warning
OPENIDM-5960: EmailClient requires username/password when auth is disabled
OPENIDM-5906: PATCH request with null rev invoked twice at the same time causes infinite loop
OPENIDM-5904: Incorrect "Missing source/target" text in Admin UI
OPENIDM-5896: A single role can be assigned multiple times to the same user
OPENIDM-5887: SyncResult always specifies default situation action and not the actual action determined during synchronization
OPENIDM-5878: Newly added Object type doesn't appear in mappings
OPENIDM-5851: Backgrid: Clicking on filter reset button sorts the column
OPENIDM-5850: groupRoleMapping in passthrough authentication not working with LDAP
OPENIDM-5796: Change Association Dialog not working for ambiguous values
OPENIDM-5772: Identity Relationship graph in widget isn't responsive
OPENIDM-5754: onUpdate trigger on managed user called twice with a patch operation
OPENIDM-5731: In Usecase 2 date validation in the Admin UI does not reject an invalid date
OPENIDM-5724: unAssignment event not executing inline script
OPENIDM-5721: Admin UI does not respond after setting connector nativeType to array
OPENIDM-5705: Removal of multiple elements of an array in a single patch set produces incorrect results
OPENIDM-5697: Cluster state failure yields permanent persistent schedule failure in cluster when a cluster node is shutdown
OPENIDM-5622: Update of bundle file on Windows fails with "Could not remove temporary directory" error
OPENIDM-5579: Unable to download Update Report using Safari
OPENIDM-5541: Configuring LDAP connector with incorrect DN and trying to view the data causes the UI to fail
OPENIDM-5504: Unable to use cli.sh for administration over a secure port
OPENIDM-5486: Via REST API it is possible to create an assignment with an invalid mappingName
OPENIDM-5472: OpenAM fullStack sample: session timeout option not available
OPENIDM-5459: targetIdsCaseSensitive not honored when "links" set in mapping
OPENIDM-5454: User profile page does not support boolean attributes on managed objects
OPENIDM-5416: PUT REST call to AD with LDAP adapter is interpreted as create instead of update
OPENIDM-5361: Mapping source property cannot be empty
OPENIDM-5345: Connector names need to be validated as alpha-numeric
OPENIDM-5297: Property substitution is lost when saving from REST
OPENIDM-5235: Sample configuration for explicit mapping for managed user table is missing description
OPENIDM-5107: PUT with no "If-Match" header fails to update an object with the Google Apps Connector
OPENIDM-5091: CORS servlet filter should read https port from boot.properties
OPENIDM-5086: Illegal State Exception REST with invalid credentials and Accept header
OPENIDM-5038: Creating connector with underscore in its name fails with exception
OPENIDM-5033: No validation is done when using the Admin UI to configure an LDAP connector
OPENIDM-4918: Attempt by openidm-admin to add Security Questions leads to Problem During Profile Update error
OPENIDM-4905: Querying info/ping returns 503 UnavailableException: Servlet not initialized
OPENIDM-4829: Admin UI, Audit, CSV Handler configuration, fails without proper signatureInterval entry
OPENIDM-4777: Support PATCH cluster event on ConfigObjectService
OPENIDM-4693: Creating a Managed Object with a semicolon leads to an error
OPENIDM-4692: ALL_GONE situation for deleted entries leads to NPE in JS
OPENIDM-4521: Custom attributes submitted in request to store in jdbc repo are not stored but the request returns them.
OPENIDM-4185: Command-line hashing of JSON objects provided interactively returns an exception
OPENIDM-4076: TaskScanner dates not using ISO 8601 standard
OPENIDM-3187: Custom authentication headers cannot handle Unicode characters
OPENIDM-3039: Mapping page not displaying if connector with mapping is removed
OPENIDM-2722: several samples are not working properly with sample configuration for MySQL explicit mapping
OPENIDM-2718: Creating a user in DJ via LDAP connector with different ID in URL and payload leads to 500 but user is created anyway
3.1.4. Patch Releases
ForgeRock periodically issues patch releases containing important fixes to bugs.
Patch releases are cumulative. There is no need to install any previous patch. For example, you only need to download and install the latest patch, OpenIDM-5.0.0.3-patch.zip, which contains the fixes from previous patch releases, OpenIDM-5.0.0.2 and OpenIDM-5.0.0.1.
You can download the latest patch release distribution from the ForgeRock BackStage web site.
OPENIDM-7236: Update AD Powershell samples with new scripts
OPENIDM-7726: Unable to filter by '_id' attribute on Managed Objects in the UI
OPENIDM-8420: Self-Service page fails to load if no security questions are configured
OPENIDM-9819: GenericLDAP Connector setup does not read remote LDAP schema irrespective of readSchema setting
OPENIDM-9940: onRetrieve script executed for managed attributes not returned by fields
OPENIDM-9966: NullPointerException returned when creating a relationship using the source managed object's attribute within the URI and specifying a _fields parameter
OPENIDM-10135: manager field disappears when type is null
OPENIDM-10365: Temporal constraints on roles are not working anymore
OPENIDM-5227: LDAP Connector search filters not persisted by the Admin UI
OPENIDM-7315: Requests on relationship endpoints should not double-log managed object
OPENIDM-8201: Schedule is not saved when configured through the UI
OPENIDM-8418: Some variables are not available to some managed script handlers
OPENIDM-8571: Provisioner should be able to retry connector that fails the startup "test"
OPENIDM-9045: Performance problem getting triggers for a scheduler job
OPENIDM-9094: Workflow task submission allows arbitrary content with no scoping protection
OPENIDM-9217: Do not execute managed property's onRetrieve when returnByDefault is false
OPENIDM-9412: In LDAP connector config page, not possible to remove Update User Filter
OPENIDM-9855: Trusted Attribute fails with multiple instances using different resources
OPENIDM-9863: Additional jackson-databind vulnerability updates
OPENIDM-9976: Self Service email validation link for Registration leads to blank page in Safari
OPENIDM-10126: Incomplete list of role members after condition query.
OPENIDM-10134: self service registration fails with cross-origin restrictions using safari
OPENIDM-7669: When defining an array type in configuration, the type specified for the items is ignored
OPENIDM-7726: Unable to filter by '_id' attribute on Managed Objects in the UI
OPENIDM-7894: Clustered recon may fail
OPENIDM-8042: scheduler throws NullPointerException at startup
OPENIDM-8043: Unable to initialize keystore and truststore when passwords are different
OPENIDM-8049: Self-signed cert not stored in truststore during initialization
OPENIDM-8050: External IDM endpoint does not return response codes and errors
OPENIDM-8154: The splunk, elastic search, and jdbc audit config have sensitive fields that need to be encrypted in the audit json config
OPENIDM-8276: ReconContext should generate its own Id and not inherit the RootContext Id
OPENIDM-8275: new managed user boolean property not getting saved via Admin UI
OPENIDM-8288: scheduler: getting resource NotFoundException
OPENIDM-8527: Persistent schedules do not failover if recovery initiated by a node with execute.persistent.schedules=false
OPENIDM-9107: NullPointerException in AbstractScheduler calling trigger.getFireTimeAfter
OPENIDM-9207: recon creates incorrect links when using linkQualifiers
OPENIDM-9211: External REST service does not return error details from remote server
OPENIDM-9707: Update related fixes from 5.5.0 to 5.0.x maintenance branch
3.2. Limitations
OpenIDM 5.0.1.x has the following known limitations:
Performance hit occurs when updating a role condition with membership of 5K or more.
When creating a role condition that has a membership of 5K or more, OpenIDM exhibits a performance hit for versions 5.0.1.x. The workaround is to update to OpenIDM 5.5.x or 6.0.0.x.
For more information, see OPENIDM-11894: Performance issue updating conditional role membership on OpenIDM 5.0.1.x.
OpenIDM 5 has the following known limitations:
Cannot modify CSV audit handler formatting fields using the OpenIDM Admin UI.
Workaround: Do not use the UI to change any of the CSV Output Formatting parameters. If you need to change these parameters, change them directly in your project's conf/audit.json file.
Undefined file occurs when downloading a repository update file during updates using the Admin UI.
During an update to OpenIDM 5.0.1.1, there is an existing bug with the Download button when downloading the v6_add_primary_key_to_properties_tables.sql file. The downloaded file ends up with an undefined value.
Workaround: If you have a MySQL, MSSQL, or DB2 database, manually copy the v6_add_primary_key_to_properties_tables.sql file from /path/to/openidm/db/repo_type/scripts/update to the openidm/update-scripts directory, then apply the script as shown in the next step.
For Oracle databases: use v7_add_primary_key_to_properties_tables.sql.
For PostgreSQL databases: use v9_add_primary_key_to_properties_tables.sql.
For more information, see "Updating to Version 5.0.1.1 Using the Admin UI" in the Installation Guide.
The automated update process is not currently supported on Windows platforms.
When you add or edit a connector through the Admin UI, the list of required
Base Connector Details
is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST (see "Creating Default Connector Configurations" in the Integrator's Guide) or edit the connector configuration file (conf/provisioner.openicf-connector-type.json
) directly.For OracleDB repositories, queries that use the
queryFilter
syntax do not work on CLOB columns in explicit tables.A conditional GET request, with the
If-Match
request header, is not currently supported.OpenIDM provides an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.
If you're using the
OPENAM_SESSION
module to help OpenIDM work with OpenAM software, modify theJWT_SESSION
module to limit token lifetime to 5 seconds. For more information, see information on the OPENAM_SESSION Module in the Integrator's Guide and "Supported Session Module" in the Integrator's Guide.
3.3. Known Issues
The following important issues remained open at the time of this release:
OPENIDM-9454: With an explicit mapping in a MySQL repo, cannot create a managed user with password longer than 13 characters
OPENIDM-10919: JavaScript in Internet Explorer does not support includes method of String
OPENIDM-11648: RuntimeException&Server Error is observed on full-stack example
OPENIDM-11649: UI error: Service unavailable after changes in Authentication/Session
OPENIDM-11894: Performance issue updating conditional role membership on OpenIDM 5.0.1.x.
OPENIDM-11906: There are 2 files (third-party-copyrights.txt,ThirdPartyCopyright.txt) after update from 5.0.x.x to 5.0.1.1
OPENIDM-11283: OpenIDM 5.0.1.0 sample and usecase samples have incorrect configuration by default after adding workflow switch
OPENIDM-7984: Unable to edit ForgeRock Identity Provider in Admin UI
OPENIDM-7982: Backport OPENIDM-7803: Audit activity occurs for update even when before/after show no differences
OPENIDM-7978: Full Stack sample: unable to log in as a regular user after logging out as an admin
OPENIDM-7968: amAdmin doesn't work with fullStack (or full-stack) sample
OPENIDM-7803: Audit activity occurs for update even when before/after show no differences
OPENIDM-7700: Core attributes can specify returnByDefault even though not applicable
OPENIDM-7665: Admin UI mapping view returns HTTP 400 error
OPENIDM-7659: Updating the CSV audit event handler using the Admin UI may disable the handler
OPENIDM-7644: Admin UI should create schedule config instead of direct scheduler entries
OPENIDM-7422: Apostrophe character is not displaying properly in the Provisioning Roles
OPENIDM-7284: Create manager/reports relationship with POST or PUT work on managed/user/id/reports but fails on managed/user/id/manager
OPENIDM-7223: Recon always detects manager field as modified
OPENIDM-7054: Samples declare wrong type for ds-pwp-account-disabled in provisioner conf
OPENIDM-6179: UI doesn't display error when Relationship Validation fails
OPENIDM-6072: Multiple answers to the same security question are possible
OPENIDM-5923: ScriptedSSH sample - group members create/update is not working
OPENIDM-5914: Role is still showing as assigned in effectiveRoles attribute on query-all output if role is unassigned via the admin UI
OPENIDM-5909: ScriptedSSH incorrect sample provisioner group members nativeName
OPENIDM-5907: ScriptedSSH search script unsupported filter cause timeout exception
OPENIDM-5905: Removing a workflow definition file from the filesystem does not delete it in the config
OPENIDM-5900: ScriptedSSH ErrorCodes.groovy is not loaded
OPENIDM-5893: Recon on AD LDAPS mapping (tap association) gives 500 Server Error
OPENIDM-5791: JNDI Config for JMS Audit Handler not rendered correctly.
OPENIDM-5465: Performance Issue updating conditional role memberships
OPENIDM-5450: When Buffering is not enabled, related options should not be available
OPENIDM-5399: Spaces in CSV field names result in an exception when creating a CSV connector
OPENIDM-5166: Changing CSV audit event handler formatting fields causes an exception
OPENIDM-4797: Connector info provider needs to be updated to connect to .NET server
OPENIDM-4462: Delete request with HTTP "If-Match *" header does not work on repo endpoints
OPENIDM-4227: Use value of managed object prior to save for sync events to use hashed values
OPENIDM-4149: availableConnectors are not updated after remote ICF shut down
OPENIDM-4127: Endpoint system/os returns cpu usage above available
OPENIDM-3857: Cannot pass along custom context when making router requests from script
OPENIDM-3199: When a mailtask can't be completed in an Activiti workflow, an exception is thrown
OPENIDM-3197: '%' character in object id of openidm.read calls has to be encoded
OPENIDM-3149: Custom Endpoint Example: object request.patchOperations is wrong for Groovy scripts
OPENIDM-2016: Sync on unsupported object class with remote java connector returns 500 instead of 400
OPENIDM-1898: Representation of request-object differs between code and json-representation
OPENIDM-1488: XDate locales could not be initialized correctly
OPENIDM-1445: Provisioner service does not decrypt encrypted attributes before passing them to OpenICF framework
OPENIDM-1269: some issues with Case Sensitivity options for Sync
OPENIDM-1165: EXCEPTION action when doing liveSync stops the synctoken processing
OPENIDM-848: Conflicting behavior might be observed between the default fields set by the onCreate script and policy enforcement
OPENIDM-470: OpenIDM cannot rename objects - if the identifier of the object changes, the associated link breaks
Chapter 4. Compatibility
This chapter covers major and minor changes to existing functionality, as well as deprecated and removed functionality. You must read this chapter before you start a migration from a previous release.
4.1. Important Changes to Existing Functionality
Take the following changes into account when updating to OpenIDM. These changes will have an impact on existing deployments. Adjust existing scripts and clients accordingly:
4.1.1. Changes to Existing Functionality in OpenIDM 5.0.1.0
- Changed path for external.rest.json
  The path for the properties file for the sample configuration has changed to /path/to/openidm/samples/misc/external.rest.json. For more information, see "Configuring the External REST Service" in the Integrator's Guide.
4.1.2. Changes to Existing Functionality in OpenIDM 5
- Hikari is the default connection pool library
  In OpenIDM 5, the default connection pool library is Hikari, and not BoneCP. If you use the update mechanism to move from a previous release, your existing JDBC connection configuration will not be changed to use the new default. To use the Hikari connection pool library in an updated deployment, change your datasource.jdbc-default.json file, as described in "Understanding the JDBC Connection Configuration File" in the Integrator's Guide.
- JSON is the default file-based audit event handler
  In OpenIDM 5, the default file-based audit event handler is JSON, and not CSV. If you use the update mechanism to move from a previous release, your existing audit configuration will not be changed to use the new default. To use the JSON audit event handler in an updated deployment, enable it, as described in "JSON Audit Event Handler" in the Integrator's Guide.
- Changes in database schema
  The database schema of the supported JDBC repositories has changed slightly in OpenIDM 5. When you update, the repository update scripts located in the /path/to/openidm/db/repo/script/update directory will implement the changes for your database. To understand what has changed, you can review the update scripts for your specific repository.
- Changes to how the search filter is constructed with the LDAP connector
  The LDAP connector version 1.4.3.0 constructs the LDAP search filter in a different way to previous versions. Previously, the filter was built as follows:
    (& (object class filter) (native filter) (user filter) )
  Now the filter is built as follows:
    (& (native filter) (user filter) (object class filter) )
  The user filter and object class filter are now mutually exclusive. The user filter takes precedence and the object class filter is used only if a user filter is not defined. Consider the following excerpt of a connector configuration:
    "configurationProperties" : {
        ...
        "accountSearchFilter" : "(uid = bjensen)",
        "accountObjectClasses" : [
            "top",
            "person",
            "organizationalPerson",
            "inetOrgPerson"
        ]
        ...
  With connector versions prior to 1.4.3.0, the LDAP filter would be constructed as follows:
    "(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(uid=bjensen))"
  With connector versions from 1.4.3.0 onwards, the LDAP filter would be constructed as follows:
    "(uid=bjensen)"
  If your existing connector configuration defines a filter using either the accountSearchFilter or groupSearchFilter properties, you must update that filter to include all requirements, including any object class requirements that would otherwise have been pulled in from the accountObjectClasses property. For example:
    "accountSearchFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))",
  must be changed to:
    "accountSearchFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=User))",
  For more information, see "Constructing the LDAP Search Filter" in the Connectors Guide.
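To make the filter change concrete, here is an added Python model of the two filter-construction rules, together with a simple pre-upgrade check for existing accountSearchFilter and groupSearchFilter values. It is not OpenICF connector code: the function names, the simplified whitespace handling, and the objectClass heuristic are assumptions made for illustration, and the sample filters are the ones quoted above.

```python
import re

# Added example (not OpenICF connector code): models how the LDAP connector
# combines the object class filter, the native filter and the user-supplied
# accountSearchFilter/groupSearchFilter before and from version 1.4.3.0, and
# adds a pre-upgrade lint for user filters. Function names and the whitespace
# handling are assumptions made for illustration.


def _normalize(ldap_filter):
    """Assumed normalisation: the release notes show "(uid = bjensen)" becoming
    "(uid=bjensen)", so whitespace around '=' is dropped here."""
    return re.sub(r"\s*=\s*", "=", ldap_filter.strip())


def _and(parts):
    """AND the filter parts together; a single part needs no (&...) wrapper."""
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def object_class_filter(object_classes):
    """Filter the connector derives from accountObjectClasses / groupObjectClasses."""
    return _and([f"(objectClass={oc})" for oc in object_classes])


def build_filter_pre_1_4_3(object_classes, user_filter=None, native_filter=None):
    """Connector < 1.4.3.0: (& (object class filter) (native filter) (user filter)).
    The object class filter is always present, so a user filter only narrows it."""
    parts = [object_class_filter(object_classes)]
    if native_filter:
        parts.append(_normalize(native_filter))
    if user_filter:
        parts.append(_normalize(user_filter))
    return _and(parts)


def build_filter_1_4_3(object_classes, user_filter=None, native_filter=None):
    """Connector >= 1.4.3.0: (& (native filter) (user filter) (object class filter)),
    where the user filter and the object class filter are mutually exclusive and
    the user filter wins. A user filter with no objectClass term therefore no
    longer restricts the entry type at all."""
    parts = []
    if native_filter:
        parts.append(_normalize(native_filter))
    parts.append(_normalize(user_filter) if user_filter else object_class_filter(object_classes))
    return _and(parts)


_OBJECT_CLASS = re.compile(r"\(objectClass=[^()]+\)", re.IGNORECASE)


def has_positive_object_class(user_filter):
    """Heuristic pre-upgrade check (assumed, not a connector feature): True if the
    filter asserts at least one objectClass that is not directly negated, i.e. not
    written as (!(objectClass=...)). A False result means the filter relied on the
    accountObjectClasses/groupObjectClasses property and must be extended before
    moving to connector 1.4.3.0."""
    compact = _normalize(user_filter).replace(" ", "")
    for match in _OBJECT_CLASS.finditer(compact):
        if not compact[:match.start()].endswith("(!"):
            return True
    return False


if __name__ == "__main__":
    classes = ["top", "person", "organizationalPerson", "inetOrgPerson"]
    print(build_filter_pre_1_4_3(classes, user_filter="(uid = bjensen)"))
    print(build_filter_1_4_3(classes, user_filter="(uid = bjensen)"))
    # The two accountSearchFilter values from the example above.
    old = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))"
    new = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=User))"
    print(has_positive_object_class(old), has_positive_object_class(new))
```

Running has_positive_object_class over every accountSearchFilter and groupSearchFilter in your provisioner configuration files before the connector upgrade flags the filters that silently lose their object class restriction; the check is a heuristic on the filter text, so review its results rather than treating them as proof.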
4.2. Deprecated Functionality
The following functionality is deprecated in OpenIDM 5 and is likely to be removed in a future release.
- Support for Java 7 is deprecated and will be removed in the next 5.5 release. When upgrading to the current release, also move to Java 8 in order to be prepared for the pending removal of support for Java 7.
- Support for the TLSv1.1 protocol has been deprecated and will be removed in a future release. For more information on the potential vulnerability, see CVE-2011-3389 from the National Vulnerability Database of the US National Institute of Standards and Technology. The default security protocol for OpenIDM is TLSv1.2. Do not downgrade this protocol to TLSv1.1 unless necessary. For more information, see "Setting the TLS Version" in the Integrator's Guide.
- When configuring connectors (see "Configuring Connectors" in the Integrator's Guide), you can set up nativeType property level extensions. The JAVA_TYPE_DATE extension is deprecated.
- Support for a POST request with ?_action=patch is deprecated when patching a specific resource. Support for a POST request with ?_action=patch is retained when patching by query on a collection. Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead. For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe's entry:
    $ curl \
      --header "X-OpenIDM-Username: openidm-admin" \
      --header "X-OpenIDM-Password: openidm-admin" \
      --header "Content-Type: application/json" \
      --request POST \
      --header "X-HTTP-Method-Override: PATCH" \
      --data '[
        {
          "operation":"replace",
          "field":"/description",
          "value":"The new description for Jdoe"
        }
      ]' \
      "http://localhost:8080/openidm/managed/user/jdoe"
- The XML file connector is deprecated and support for its use in OpenIDM will be removed in a future release. This connector is really useful only in a demonstration context and should not be used in the general provisioning of XML data stores. In real deployments, if you need to connect to a custom XML data file, you should create your own scripted connector by using the Groovy connector toolkit.
No additional functionality is deprecated at this time.
4.3. Removed Functionality
The following functionality has been removed in OpenIDM 5.
- Support for TLSv1.0 has been removed
  Support for the TLSv1.0 protocol has been removed. For more information, see the PDF Migrating from SSL and Early TLS from the PCI Security Standards Council. The default security protocol for OpenIDM is TLSv1.2. Do not downgrade this protocol unless you have a specific need.
- Support for creating system objects with a client-assigned ID
  The ability to specify the ID of an object when it is created is not supported across all system resources. Because the OpenICF framework cannot assess whether the resource supports a client-assigned ID, this functionality is generally no longer supported for any system object.
- Ability to retrieve private keys over REST
  The ability to read a private key from the /security/keystore/privatekey endpoint has been removed. A read on that endpoint now returns a "not supported" exception. The ability to obtain a private key when generating a certificate or a certificate signing request has also been removed.
4.4. Functionality That Will Change in the Future
The Active Directory (AD) .NET Connector will be deprecated in a future OpenICF release, and, ultimately, support for its use with OpenIDM will be discontinued.
For simple Active Directory (and Active Directory LDS) deployments, the Generic LDAP Connector works better than the Active Directory connector, in most circumstances. For more information, see "Generic LDAP Connector" in the Connectors Guide.
For more complex Active Directory deployments, use the PowerShell Connector Toolkit, as described in "PowerShell Connector Toolkit" in the Connectors Guide.
Note that deprecating the AD Connector has no impact on the PowerShell connector, or on the .NET Connector Server.
Chapter 5. Documentation Updates
"Documentation Change Log" tracks important changes to the documentation:
Date | Description |
---|---|
2021-03-11 | |
2020-07-18 | Added a description for the maxTokenSize property of the IWA authentication module. |
2020-03-20 | Fixed outdated Bootstrap version references in the Integrator's Guide. |
2020-03-16 | Revised the sync documentation to clarify how to remove links to target objects that no longer exist. See "How OpenIDM Assesses Synchronization Situations" in the Integrator's Guide. |
2019-09-10 | Revised the logging documentation to include security advice on logging levels. See "Specifying the Logging Level" in the Integrator's Guide and "Updating |
2019-08-19 | Added information on restricting the maximum payload size in HTTP requests ("Restrict the HTTP Payload Size" in the Integrator's Guide). |
2018-10-26 | Release of 5.0.1.1 maintenance release. For more information, see "Issues Fixed in OpenIDM 5.0.1.1". |
2018-07-16 | Release of 5.0.1.0 maintenance release. For more information, see "Issues Fixed in OpenIDM 5.0.1.0". The following documentation updates were made in this release: |
2018-04-16 | Updated "Variables Available to Scripts" in the Integrator's Guide to clarify the variables available to scripts (OPENIDM-8418). |
2018-04-06 | Release of 5.0.0.3 patch release. For more information, see Key Fixes in OpenIDM 5.0.0.3. |
2018-03-09 | Release of 5.0.0.2 patch release. For more information, see Key Fixes in OpenIDM 5.0.0.2. |
2017-12-17 | Release of 5.0.0.1 patch release. For more information, see Key Fixes in OpenIDM 5.0.0.1. Updated the section on the external REST service for new configuration options (OPENIDM-9664). See "Configuring the External REST Service" in the Integrator's Guide. |
2017-11-10 | Added a workaround for the problem related to Quartz schedules and daylight savings time ("Schedules and Daylight Savings Time" in the Integrator's Guide). |
2017-10-10 | Refreshed formatting. |
2017-04-20 | Added a note to "Types of Synchronization" in the Integrator's Guide to indicate the required permissions for the LDAP user when configuring liveSync with OpenDJ. |
2017-03-29 | Initial release of OpenIDM 5. |
Chapter 6. Getting Support
This chapter offers information and resources about OpenIDM and ForgeRock support.
6.1. Accessing Documentation Online
ForgeRock publishes comprehensive documentation online:
The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.
While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.
ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.
6.2. Using the ForgeRock.org Site
The ForgeRock.org site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.
If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.
6.3. Getting Support and Contacting ForgeRock
ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.forgerock.com.
ForgeRock has staff members around the globe who support our international customers and partners. For details, visit https://www.forgerock.com, or send an email to ForgeRock at info@forgerock.com.