Notes covering ForgeRock® Identity Management software requirements, fixes, and known issues. This software offers flexible services for automating management of the identity life cycle.

About ForgeRock Identity Management Software

ForgeRock Identity Platform™ is the only offering for access management, identity management, user-managed access, directory services, and an identity gateway, designed and built as a single, unified platform.

The platform includes the following components that extend what is available in open source projects to provide fully featured, enterprise-ready software:

The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.

ForgeRock Identity Management software provides centralized, simple management and synchronization of identities for users, devices and things.

ForgeRock Identity Management software is highly flexible and therefore able to fit almost any use case and workflow.

These release notes are written for anyone using the ForgeRock Identity Management 6 release. Read these notes before you install or upgrade ForgeRock Identity Management software.

These release notes cover the following topics:

  • A list of the major new features and functionality provided with this release

  • Hardware and software prerequisites for installing and upgrading ForgeRock Identity Management software

  • Compatibility with previous releases

  • Potential upcoming deprecation and removals that affect scripts and applications

  • Issues fixed since the previous release

  • Known issues open at the time of release

See the Installation Guide after you read these Release Notes. The Installation Guide covers installation and upgrade for ForgeRock Identity Management software.

Chapter 1. What's New

This chapter covers new capabilities in ForgeRock Identity Management.

1.1. Maintenance Releases

  • IDM 6.0.0.3 Maintenance Release

    ForgeRock periodically issues maintenances releases with important fixes to bugs. IDM 6.0.0.3 is the latest patch release targeted for IDM 6 deployments and can be downloaded from the ForgeRock Backstage website. To view the list of fixes in this release, see Key Fixes in IDM 6.0.0.3.

    Note

    ForgeRock patch releases are aimed as a fast-track method to provide fixes to existing bugs. These fixes improve the functionality, performance and security of your deployment. No new features have been introduced.

    The IDM 6.0.0.3 maintenance release is cumulative and contains all the fixes included in the previous releases (see Key Fixes in IDM 6.0.0.2, Key Fixes in IDM 6.0.0.1). The patch can be deployed as an initial deployment or used to upgrade from an existing IDM 6, IDM 6.0.0.1, and IDM 6.0.0.2 deployment (see "Supported Update Paths").

    IDM 6 is available for download at the ForgeRock Backstage website.

1.2. New Features

This release of ForgeRock Identity Management 6.0.0 software includes the following new features:

ForgeRock Directory Services (DS) as a supported repository

An external DS instance is now supported as a repository in production environments. For more information, see "Using an External DS Repository" in the Installation Guide.

Support for PostgreSQL 10 and DB2 11

IDM 6.0.0 supports PostgreSQL version 10 and DB2 version 11 as repositories. For a list of repositories that are supported in production, see "Supported Repositories".

Improved performance around relationships

The relationships mechanism has been refactored for substantial performance improvement. Much of this refactoring involves the notification process of relationship changes. For more information, see "Configuring Relationship Change Notification" in the Integrator's Guide.

Support for progressive profile completion

Progressive profile completion enables you to enhance the information you have about registered users. For more information, see "Progressive Profile Completion" in the Integrator's Guide.

Privacy and consent management

IDM now supports managing Privacy and Consent for users who self-register directly through IDM or through a social identity provider. For more information, see "Configuring Privacy & Consent" in the Integrator's Guide.

Enhancements to self-service processes

This release includes the following enhancements to the self-service functionality:

General enhancements to the Admin UI

Numerous improvements have been made to the Admin UI, including:

Property value substitution

This release provides improved support for property value substitution in the server configuration. For more information, see "Using Property Value Substitution" in the Integrator's Guide.

Support for monitoring using Prometheus

IDM now provides support for viewing metrics through external resources such as Prometheus and Grafana. For more information, see "Metrics and Monitoring" in the Integrator's Guide.

The lastChanged property has been removed from the schema

The lastChanged property, previously part of the managed object, is no longer stored within the object itself, but as metadata in a separate resource location. For more information, see "Tracking Metadata For Managed Objects" in the Integrator's Guide.

New connectors

IDM 6.0.0 bundles the following new connectors:

For installation instructions, see "Preparing to Install and Run Servers" in the Installation Guide.

Several samples are provided to familiarize you with the IDM features. For more information, see "Overview of the Samples" in the Samples Guide.

For an architectural overview and a high-level presentation of IDM, see "Architectural Overview" in the Integrator's Guide.

1.3. Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.

Chapter 2. Before You Install

This chapter covers requirements to consider before you run ForgeRock Identity Management software, especially before you run the software in your production environment.

If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.

2.1. Supported Repositories

The following repositories are supported for use in production:

  • ForgeRock Directory Services (DS) 6

    By default, IDM uses an embedded DS instance for testing purposes. The embedded instance is not supported in production. If you want to use DS as a repository in production, you must set up an external instance.

  • MySQL version 5.6 and 5.7 with MySQL JDBC Driver Connector/J 5.1.18 or later

  • MariaDB version 10.0, 10.1, and 10.2 with MySQL JDBC Driver Connector/J 5.1.18 or later

  • Microsoft SQL Server 2012, 2014, and 2016

  • Oracle Database 11gR2, 12c, and 12cR1 (12.1)

  • PostgreSQL 9.3.10, 9.4.5, 9.6, and 10

  • IBM DB2, 10.1, 10.5, 11

2.2. Containers

You must install IDM as a stand-alone service, using Apache Felix and Jetty, as provided. Alternate containers are not supported.

IDM bundles Jetty version 9.2.

2.3. Supported Connectors

IDM bundles the following connectors:

  • Adobe CM Connector

  • CSV File Connector

  • Database Table Connector

  • Google Apps Connector

  • Groovy Connector Toolkit

    This toolkit enables you to create scripted connectors to virtually any resource.

  • Kerberos Connector

  • LDAP Connector

  • Marketo Connector

  • MongoDB Connector

  • Salesforce Connector

  • SCIM Connector

  • Scripted CREST Connector

  • Scripted REST Connector

  • Scripted SQL Connector

  • ServiceNow Connector

  • Scripted SSH Connector

    Currently supported only as a prerequisite for the Kerberos Connector

  • Workday Connector

A PowerShell Connector Toolkit is available for download from ForgeRock's BackStage site. This Toolkit enables you to create scripted connectors to address the requirements of your Microsoft Windows ecosystem.

Additional connectors are available from ForgeRock's BackStage site.

Use of the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).

Windows 2012 R2 is supported as the remote system for connectors and password synchronization plugins.

The following table lists the supported connectors, connector servers, and password synchronization plugins for this IDM release.

Supported Connectors, Connector Servers, and Plugins
Connector/PluginSupported Version
Adobe CM Connector1.5.1.0
CSV File Connector1.5.3.0
Database Table Connector1.4.0.0
Google Apps Connector1.4.3.0
Groovy Connector Toolkit1.5.0.0
Kerberos Connector1.5.0.0
LDAP Connector1.4.7.0
Marketo Connector1.5.0.0
MongoDB Connector1.5.0.0
Powershell Connector Toolkit1.5.0.0
Salesforce Connector6.0.0
SAP Connector1.5.0.0
SCIM Connector1.4.1.0
Scripted CREST Connector1.5.0.0
Scripted REST Connector1.5.0.0
Scripted SQL Connector1.5.0.0
ServiceNow Connector1.5.0.0
Workday Connector1.4.0.0
Active Directory Connector1.4.0.0
Java Connector Server1.5.5.0, 1.5.2.0, 1.5.1.0, 1.5.0.0, 1.4.1.0
.NET Connector Server1.5.5.0, 1.5.2.0, 1.5.1.0, 1.5.0.0, 1.4.1.0
DS Password Synchronization Plugin

6.0.0, supported with DS 6.0.0

5.5.0, supported with DS 5.5.0

5.0.0, supported with DS 5.0.0

3.5.0, supported with OpenDJ 3.5.0

DS Password Sync plugins are not supported with DS OEM

Active Directory Password Synchronization Plugin1.1.0 and 1.2.0 supported on Windows 2008 R2 and Windows 2012 R2

You must use the supported versions of the .NET Connector Server, or the Java Connector Server. The 1.5.x Java Connector Server is backward compatible with the version 1.1.x connectors. The 1.5.x .NET Connector Server is compatible only with the 1.4.x and 1.5.x connectors.

The 1.5.5.0 .NET connector server requires the .NET framework (version 4.5 or later) and is supported on Windows Server 2008 R2 and 2012 R2.

Important

Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in the Samples Guide.

2.4. Choosing a Browser

ForgeRock has tested many browsers with the IDM UI, including the following browsers:

  • Chrome and Chromium, latest stable version

  • Firefox, latest stable version

  • Safari, latest stable version

  • Internet Explorer 11 and later

2.5. Choosing an Operating System

IDM is supported on the following operating systems:

  • Red Hat Enterprise Linux (and CentOS Linux) 6.5 and later, 7.x

  • Ubuntu Linux 16.04

  • Windows 2008 R2, 2012 R2, 2016

2.6. Preparing the Java Environment

IDM requires Java 8, specifically at least the Java Standard Edition runtime environment.

ForgeRock validates IDM software with Oracle JDK and OpenJDK, and does occasionally run sanity tests with other JDKs. Support for very specific Java and hardware combinations is best-effort. This means that if you encounter an issue when using a particular JVM/hardware combination, you must also demonstrate the problem on a system that is widespread and easily tested by any member of the community.

ForgeRock recommends that you keep your Java installation up to date with the latest security fixes.

Note

If you are using the Oracle JDK and you use 2048-bit SSL certificates, you must install the Unlimited JCE policy to enable IDM to use those certificates.

Download and install the Unlimited JCE Policy for Java 8 from the Oracle Technetwork site. Unzip the JCE zip file and install the JCE policy JAR files in the /lib/security folder of the JRE.

2.7. Fulfilling Memory and Disk Space Requirements

When you install IDM for evaluation, with the embedded DS repository, you need 256 MB memory (32-bit) or 1 GB memory (64-bit) available.

You also need 10 GB free disk space for the software and for sample data.

In production, disk space and memory requirements will depend on the size of your external repository, as well as the size of the audit and service log files that IDM creates.

2.8. Supported Update Paths

The following table contains information about the supported update paths to IDM 6.0.0.3:

Update Paths
VersionUpdate Supported to IDM 6.0.0.3[a]
Versions prior to IDM 6.0.0[b]
IDM 6.0.0
IDM 6.0.0.1
IDM 6.0.0.2

[a] You can deploy version 6.0.0.3 for initial deployments.

[b] Must first update to IDM 6.0.0, then to IDM 6.0.0.3.


Chapter 3. Fixes, Limitations, and Known Issues

This chapter covers the status of key issues and limitations for ForgeRock Identity Management. For details and information on other issues, see the IDM issue tracker.

3.1. Fixed Issues

The following important bugs were fixed in this release:

Key Fixes in IDM 6.0.0.3
  • OPENIDM-7687: Provide support for ClientHandlers to use a proxy server within OpenIDM

  • OPENIDM-11052: Admin UI Mappings page load delay on system?_action=test REST call

  • OPENIDM-11101: NPE when shutdown

  • OPENIDM-11195: script query result not converted to correct groovy type

  • OPENIDM-11244: Include milliseconds in IDM logs

  • OPENIDM-11446: Impossible to add optional field to selfservice registration

  • OPENIDM-11480: With Oracle repo, Create or Update Managed user via UI results in 500 error

  • OPENIDM-11597: IllegalArgumentException updating external account if trace is enabled

  • OPENIDM-11635: When using DB2 repo, read requests with relationship expansion and update requests are not working anymore

Key Fixes in IDM 6.0.0.2
  • OPENIDM-11269: process typeError is observed in UI for association tab in mapping details

  • OPENIDM-11603: Backport OPENIDM-11512: Integrating Social Authentication with Identity Management fails

Key Fixes in IDM 6.0.0.1
  • OPENIDM-10915: Backport OPENIDM-10887: expose isInitiator flag for IWA module

  • OPENIDM-10917: Backport OPENIDM-10542: IDM decryption fails with AES 256-bit key

  • OPENIDM-10968: Backport OPENIDM-10919: JavaScript in Internet Explorer does not support includes method of String

  • OPENIDM-10969: Backport OPENIDM-10948: OpenerHandler require does not work with Internet Explorer

  • OPENIDM-10971: Backport OPENIDM-6782: Password is re-encrypted during any managed object update/patch

  • OPENIDM-11087: Backport OPENIDM-11024: NPE can be thrown if the authentication service comes up before the identityService

  • OPENIDM-11160: Backport OPENIDM-8043: Unable to initialize keystore and truststore when passwords are different

  • OPENIDM-11167: Backport OPENIDM-5465: Performance Issue updating conditional role memberships

  • OPENIDM-11240: Backport OPENIDM-10758: openidm.read() returns different content if called from managed.json action or a custom endpoint

  • OPENIDM-11243: Backport OPENIDM-9783: Include thread id in all logging statements

  • OPENIDM-11245: Backport OPENIDM-11215: IDM hangs using IE11 with error "Promise is undefined" in ResourceQueryFilterEditor.js

  • OPENIDM-11354: Backport COMMONS-314 json-crypto: SimpleEncryptor symmetric no longer works with HSMs

  • OPENIDM-11421: Backport OPENIDM-11292: Registration autologin with full-stack not working

  • OPENIDM-11422: Session JWT key usage is not clear

Key Fixes in IDM 6.0.0
  • OPENIDM-10512: Mapping Scheduling Sync toggle has nothing to do with schedule or livesync

  • OPENIDM-10472: readSchema=false is added to config.properties by the admin UI for connectors

  • OPENIDM-10471: NPE X-OpenIDM-OAuth-Login: true without providing any token when invoking REST API

  • OPENIDM-10468: 500 internal error when Referer header not provided with OAuth

  • OPENIDM-10459: onCreateUser.js:emailUser assumes that a mail address has been configured for the created object

  • OPENIDM-10388: Managed object scripts are called with org.forgerock.http.routing.UriRouterContext when roles are added

  • OPENIDM-10340: NPE when performing GET with invalid arbitrary URL parameters

  • OPENIDM-10323: Sample JMS Consumer listening on incorrect JMS Topic

  • OPENIDM-10231: Unable to use read-only keystore

  • OPENIDM-10205: Entered text is lost when using the attribute selector for a role's condition

  • OPENIDM-10195: Relationship between a custom managed object and a default object can be created in both directions via the UI

  • OPENIDM-10152: Roles condition queryFilter builder does not show all properties on managed/user

  • OPENIDM-10145: Restart action in update does not work properly and should be removed

  • OPENIDM-10141: Adding an attribute to a 'The value for' condition causes it to be duplicated in the drop-down list

  • OPENIDM-10137: Unable to set manager property to nullable via UI

  • OPENIDM-10135: Manager field disappears when type is null

  • OPENIDM-10134: Self-service registration fails with cross-origin restrictions using Safari

  • OPENIDM-10126: A condition query on roles shows an incomplete list of role members

  • OPENIDM-9997: API Explorer should send OAuth headers when appropriate

  • OPENIDM-9976: Self Service email validation link for Registration leads to blank page in Safari

  • OPENIDM-9975: Startup.sh is setting PROJECT_HOME incorrectly when CDPATH is set

  • OPENIDM-9964: No content and NullPointerException returned when creating a relationship using the source managed object's attribute within the URI and specifying a _fields parameter

  • OPENIDM-9940: onRetrieve script executed for managed attributes not returned by fields

  • OPENIDM-9855: Trusted Attribute fails with multiple instances using different resources

  • OPENIDM-9819: GenericLDAP Connector setup does not read remote LDAP schema irrespective of readSchema setting

  • OPENIDM-9805: DJ Password Sync Plugin retry doesn't send any data to IDM

  • OPENIDM-9751: Authorize Apps shows "Invalid date" for expire value

  • OPENIDM-9719: CORS headers returned to client with repeated values

  • OPENIDM-9677: Instagram configuration within identityProviders.json contains incorrect attribute name for full_name

  • OPENIDM-9624: Conflict between OAuth Datastore token usage for authentication and binding

  • OPENIDM-9615: The conditionalRoles.js script should not create an empty roles array if no conditional roles are assigned

  • OPENIDM-9602: "watchedFields" and "passwordFields" can be added for audit event types other than Activity

  • OPENIDM-9601: "onSync" script for managed objects is not called for both vertices when a relationship is created between them

  • OPENIDM-9588: In the provisioning-with-workflow sample, you cannot view single record details in system/rolesFile

  • OPENIDM-9574: Custom Self-Service URL breaks social registration

  • OPENIDM-9572: Terms and Conditions acceptance not added to the profile when using Social Registration

  • OPENIDM-9568: NullPointerException when checking for updates in read-only file system

  • OPENIDM-9562: Enabling a persistent schedule multiple times through the config API runs a custom script multiple times

  • OPENIDM-9554: Workflow Processes Completed have "Not Found Error" for managed/user

  • OPENIDM-9549: "Current policy is read-only" notification shows after changing Mapping Detail policy

  • OPENIDM-9545: Unable to execute taskscanner via REST endpoint when schedule is not file-based

  • OPENIDM-9543: Patch/update requests of the _ref field against the relationship endpoint are not handled correctly

  • OPENIDM-9476: Editable row for Display/Search Properties in Identity Relationships widget settings not showing the correct value when in edit mode

  • OPENIDM-9458: Timezone is set incorrectly when a new schedule is created

  • OPENIDM-9454: With an explicit mapping in a MySQL repo, you cannot create a managed user with password longer than 13 characters

  • OPENIDM-9444: Patch Copy and Patch Move fail when the target property exists

  • OPENIDM-9409: stdDev has incorrect value 0 for all clustered recon metrics

  • OPENIDM-9390: Various problems configuring scheduled scripts in the UI

  • OPENIDM-9389: Scheduled scripts with file paths are saved incorrectly

  • OPENIDM-9387: Paged queries with query-all-ids don't work correctly for explicit mappings

  • OPENIDM-9363: Attributes are removed from the managed object configuration when edited in the UI, if they do not appear within an order array

  • OPENIDM-9362: Managed.json does not contain all attributes within the order array for default managed object types

  • OPENIDM-9335: Admin UI shows the password for CSV audit tamper prevention as a JSON string

  • OPENIDM-9328: Enabling CSV tamper prevention in the Admin UI dumps all config details to log file

  • OPENIDM-9286: install-service.bat has a broken classpath variable

  • OPENIDM-9217: Do not execute managed property's onRetrieve when returnByDefault is false

  • OPENIDM-9213: When all topics are removed from an audit handler, the Admin UI saves 'null' instead of an empty list

  • OPENIDM-9211: External REST service does not return error details from remote server

  • OPENIDM-9207: recon creates incorrect links when using linkQualifiers

  • OPENIDM-9201: Failure to send welcome email leads to user creation failure, inconsistent state

  • OPENIDM-9195: From address in Password Reset email template is ignored

  • OPENIDM-9170: A conditional role with assignments, created with single quotes over REST, does not display in the Admin UI

  • OPENIDM-9045: Performance problem getting triggers for a scheduler job

  • OPENIDM-8869: PagedResultsCookie response state in JDBCRepoService in violation of CREST Spec

  • OPENIDM-8839: enum values do not display in API Explorer

  • OPENIDM-8837: Deleting all KBA questions through the UI prevents user registration w/o visible Error Message

  • OPENIDM-8827: ScriptedCrest samples uses _id in sync.json which is forbidden

  • OPENIDM-8653: 'Unknown Error' when pasting a value into the username field when creating a managed user in IE 11

  • OPENIDM-8593: Lots of API Descriptor errors in the logs on startup

  • OPENIDM-8543: Patch remove on a field succeeds but is not propagated to the target

  • OPENIDM-8381: Recovery of scheduled jobs following cluster node failure does not work

  • OPENIDM-8045: Creating a new managed object with unsupported characters causes an exception

  • OPENIDM-7947: With DJ as a repo, OpenIDM fails to start when using HSM

  • OPENIDM-7536: Relationship fields are not returned on an "upsert" update

  • OPENIDM-7284: Create manager/reports relationship with POST or PUT work on managed/user/id/reports but fails on managed/user/id/manager

  • OPENIDM-6886: The Password Reset form applies policies from the 'password' field even if you are using a different field for the password

  • OPENIDM-5914: Role is still showing as assigned in effectiveRoles attribute on query-all output if role is unassigned via the admin UI

  • OPENIDM-5909: ScriptedSSH incorrect sample provisioner group members nativeName

  • OPENIDM-5907: ScriptedSSH search script unsupported filter cause timeout exception

  • OPENIDM-5227: LDAP Connector search filters are not persisted by the Admin UI

  • OPENIDM-4686: Neither empty _fields nor _fields=* on a system resource read return all fields

  • OPENIDM-3330: Inconsistent use of uidAttribute in LDAP Provisioner Config

3.2. Limitations

The following limitations exist in the following releases:

Limitations in IDM 6.0.0.3
  • There are no known limitations in IDM 6.0.0.3, other than those identified in past releases.

Limitations in IDM 6.0.0
  • The automated update process is not currently supported on Windows platforms.

  • When you add or edit a connector through the Admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST or by editing the provisioner file. For more information, see "Configuring Connectors" in the Integrator's Guide. directly.

  • For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.

  • A conditional GET request, with the If-Match request header, is not currently supported.

  • IDM provides an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.

3.3. Known Issues

The following important issues remained open at the time of this release:

Known Issues in IDM 6.0.0.3
  • OPENIDM-12033: proxySystem property in external.rest.json does nothing

  • OPENIDM-12055: NullPointerException when changing Authentication/Session

Known Issues in IDM 6.0.0.1
Known Issues in IDM 6.0.0
  • OPENIDM-10851: Cluster doesn't recognize forcibly killed node on windows

  • OPENIDM-10833: Cluster widget doesn't show shutdown time for killed node correctly

  • OPENIDM-10829: PUT modifications to workflow/taskInstance/[_id] return 'Task updated' even when no changes occur

  • OPENIDM-10828: MongoDB Connector UI configuration has an incorrect documentation link

  • OPENIDM-10823: UI intermittently doesn't work with the new REST context when using Firefox

  • OPENIDM-10800: Port does not display correctly in the UI if property substitution is used

  • OPENIDM-10793: Problems with propvalue column size in properties tables

  • OPENIDM-10780: IDM does not work with a Luna HSM keystore provider

  • OPENIDM-10773: IDM does not start up if the parent folder name includes ' -> '

  • OPENIDM-10761: Progressive Profiling scripted condition does not include user fields within "object" map

  • OPENIDM-10740: Sharing and Activity (UMA) sections in the Self-Service UI do not display thumbnails

  • OPENIDM-10736: Attribute substitution not supported for CSV connector filepath

  • OPENIDM-10733: Compensate hangs when downstream connector is offline

  • OPENIDM-10696: Full attribute details not available to policies when creating role via relationship collection

  • OPENIDM-10692: IDM startup can be very slow with a DB2 repo

    Workaround: After you have imported the IDM schema for DB2, either run the command db2 connect to dopenidm in a terminal or run CONNECT TO DOPENIDM in a DB2 iterative command session (as the DB2 instance owner) and keep the session. IDM should then start with low latency.

  • OPENIDM-10683: UMA: When a user shares a resource, the recipient doesn't see the share

  • OPENIDM-10673: The augmentSecurityContext script should still execute when runAs cannot find the user

  • OPENIDM-10660: User metadata is logged in the audit log when an object is changed

  • OPENIDM-10653: Password reset fails using explicit tables

  • OPENIDM-10623: With an embedded DS repo, PATCH remove on a null value does not delete the property

  • OPENIDM-10603: Unexpected "manager" property in the "before" of activity audit records when patching manager on a user

  • OPENIDM-10600: Internal error "no deployed process definition found" after deleting process definition

  • OPENIDM-10579: The policy.js script does not support conditions with type 'queryFilter'

  • OPENIDM-10578: Unable to specify the authenticationId within augmentSecurityContext script

  • OPENIDM-10542: IDM decryption fails with AES 256-bit key

  • OPENIDM-10537: Deleting a previously set field during profile completion does not work

  • OPENIDM-10455: Query and non-read operations not authorised for openidm-admin role with OAuth

  • OPENIDM-10400: When configuring a new LDAP Connector config for AD using the Admin UI, the groupMembership, groupType, and groupScope attributes in the user schema are not set up properly

  • OPENIDM-10286: Idle timeout for JWT authentication module is not working

  • OPENIDM-10263: Salesforce connector error while accessing data from User and Profile objects

  • OPENIDM-10072: Scheduler service registered too early by OSGi

  • OPENIDM-10039: Various Admin UI errors when accessing mappings or data tab using Salesforce sample

  • OPENIDM-9791: Error while generating process diagram, image will not be stored in repository

  • OPENIDM-9726: User List sort by Description shows only manually edited users

  • OPENIDM-9576: Records with missing _sortKeys are not returned in query results

  • OPENIDM-9521: Backport OPENIDM-6068: Target reconciliation does not finish for large datasets

  • OPENIDM-9520: Update via REST with PUT removes private fields which are not included in the request

  • OPENIDM-9517: Backport OPENIDM-5906: PATCH request with null rev invoked twice at the same time causes infinite loop

  • OPENIDM-9502: Backport OPENIDM-5150: JSON configuration files always reloaded at startup irrespective of modifications

  • OPENIDM-9446: Random startup failures when using DB2 as a repo

  • OPENIDM-9360: Align "returnByDefault" behavior between roles and effectiveRoles

  • OPENIDM-9353: IDM does not audit the http response headers in the access audit log

  • OPENIDM-9331: Enabling CSV tamper prevention through the Admin UI may fail with a keystore password error

  • OPENIDM-9138: Unable to create user with virtual attribute defined when using explicit mappings

  • OPENIDM-9081: WARNING about extensions directory not existing appears in felix console upon restart of IDM

  • OPENIDM-8659: Property onRetrieve hook returns null even though value is absent

  • OPENIDM-8518: Not Found error when accessing a process instance via Admin UI

  • OPENIDM-8295: Non-required single relationship properties should be nullable

  • OPENIDM-8122: OpenIDM Cluster incorrectly shows ready and running

  • OPENIDM-8052: Cannot create a remote (.NET) connector through the UI

  • OPENIDM-7665: Admin UI mapping view returns HTTP 400 error

  • OPENIDM-6514: JDBC repo errors on startup when using mysql

  • OPENIDM-6467: syslog audit event handler created although required property not set

  • OPENIDM-6032: In some situations, the Admin UI does not display the properties of a completed workflow

  • OPENIDM-5465: Performance Issue updating conditional role memberships

  • OPENIDM-4149: availableConnectors are not updated after remote ICF shut down

Chapter 4. Compatibility

This chapter covers major and minor changes to existing functionality, as well as deprecated and removed functionality. You must read this chapter before you start a migration from a previous release.

4.1. Important Changes to Existing Functionality

Take the following changes into account when you update to IDM 6.0.0. These changes will have an impact on existing deployments. Adjust existing scripts and clients accordingly:

Hostname now set by openidm.host property in boot.properties

By default, the hostname associated with IDM is localhost. This hostname is set in the openidm.host property in the resolver/boot.properties file. When you deploy IDM in production, you must set openidm.host to the URL of your deployment. If you do not do so, calls to the /admin endpoint are not redirected properly. For more information, see "Installing and Running Servers" in the Installation Guide.

Changes to selfservice-registration.json

Configuration options associated with security questions, as well as Terms & Conditions, have been moved to separate files:

  • The new selfservice.kba.json contains security questions. For more information, see "Configuring Security Questions" in the Integrator's Guide.

  • The new selfservice.terms.json file contains contains versions and wording related to Terms & Conditions. For more information, see "Adding Terms & Conditions" in the Integrator's Guide.

Changes to the authentication.json file

The queryOnResource entry has been changed from security/truststore to managed/user. For more information, see "Configuring Client Certificate Authentication" in the Integrator's Guide.

IDM 6 includes a second STATIC_USER authentication module at the end of the file for monitoring metrics, using Prometheus:

{
    "name" : "STATIC_USER",
    "properties" : {
        "queryOnResource" : "repo/internal/user",
        "username" : "&{openidm.prometheus.username}",
        "password" : "&{openidm.prometheus.password}",
        "defaultUserRoles" : [
            "openidm-prometheus"
        ]
    },
    "enabled" : true
}

For more information, see "Metrics and Monitoring" in the Integrator's Guide.

Change to the auditreport endpoint

The reporting service has been made more generic and supports the generation of reports on additional kinds of data. The reporting service is accessible on the openidm/report endpoint. For audit reports, you can access the openidm/report/audit endpoint.

For more information, see "Reporting and Monitoring" in the Integrator's Guide.

Change to the ?_action=authenticate REST call

IDM no longer supports input of user data as a parameter within the URI (system endpoints only).

The following excerpt shows how you can now include user data in a POST:

--data '{
      "username" : "bjensen",
      "password" : "Passw0rd"
      }'\ 

For more information, see "Running a script on a system object" in the Integrator's Guide.

Changes to relationship auditing in the activity log

The way in which relationship changes are audited has changed in this release, for improved performance.

Notification of connected managed objects is now optional when the relationship is created, deleted or changed. Because of this, what is audited is the relationship change itself, rather than the change to the connected managed object.

The audited entry is always relative to the managed object through which the modification took place (that is, the managed object specified in the URL). For example, if a modification to managed/user/psmith creates a relationship to managed/user/bjensen, the logged relationship change will have a _ref to managed/user/bjensen. In the following example, a manager relationship is created between psmith and bjensen with a REST call to managed/user/psmith. The resulting audit entry is as follows:

{
	"transactionId": "fa610b40-bd20-4d8d-9706-b80f81af7835-906",
	"timestamp": "2018-04-05T08:09:15.769Z",
	"eventName": "relationship_created",
	"userId": "openidm-admin",
	"runAs": "openidm-admin",
	"operation": "CREATE",
	"before": {},
	"after": {
		"_ref": "managed/user/bjensen",
		"_refResourceCollection": "managed/user",
		"_refResourceId": "bjensen",
		"_refProperties": {
			"_id": "7935501a-4414-495a-9807-3c124c25be83",
			"_rev": "00000000b0ab969d"
		}
	},
	"changedFields": [],
	"revision": null,
	"message": "Relationship originating from managed/user/psmith via the
      relationship field manager and referencing managed/user/bjensen was created.",
	"objectId": "managed/user/psmith/manager/7935501a-4414-495a-9807-3c124c25be83",
	"passwordChanged": false,
	"status": "SUCCESS",
	"_id": "fa610b40-bd20-4d8d-9706-b80f81af7835-912"
}

For more information on notification of relationship changes, see "Configuring Relationship Change Notification" in the Integrator's Guide.

Change to how relationships are queried

Previously, you could query an object's relationships using the _ref property, for example:

"http://localhost:8080/openidm/managed/user/bjensen/authzRoles?_queryFilter=_ref%20co%20%22openidm%22"

Relationships have now been broken out into a resourceCollection and resourceId. Query filters on _ref are no longer supported and queries must explicitly specify the resourceCollection and resourceId. The previous query would be adjusted as follows:

$ curl \
 --header "X-OpenIDM-Password: openidm-admin" \
 --header "X-OpenIDM-Username: openidm-admin"  \
 --request GET \
      "http://localhost:8080/openidm/managed/user/bjensen/authzRoles?_queryFilter=_refResourceCollection+eq+'repo%2Finternal%2Frole'+and+_refResourceId+co+'openidm'"
{
  "result": [
    {
      "_id": "3432ac47-9e4b-488d-8c4b-0db467e614aa",
      "_rev": "00000000b1eda159",
      "_ref": "repo/internal/role/openidm-authorized",
      "_refResourceCollection": "repo/internal/role",
      "_refResourceId": "openidm-authorized",
      "_refProperties": {
        "_id": "3432ac47-9e4b-488d-8c4b-0db467e614aa",
        "_rev": "00000000b1eda159"
      }
    }
  ],
  ...
}
New GUID format for AD objects created with the LDAP connector

The LDAP connector no longer appends <GUID= to the object GUID. The new GUID format is compatible with objects created using the AD Powershell Connector, for example e1418d64-096c-4cb0-b903-ebb66562d99d.

In existing deployments, this might mean that your links are incompatible with the new GUID format. To update links to the new format, run a reconciliation operation. To retain the legacy behavior, set "useOldADGUIDFormat" : true in your provisioner file.

Changes to the structure of the relationships table

The way in which relationships are stored in the relationships table has changed. This table now has explicit columns for the relationship properties. An update script is provided for each repository type to convert existing data to the new table structure (*_hybridize_relationships_table.sql).

For more information about the update scripts required for your repository, see "Repository Update Scripts" in the Installation Guide.

Changed parameter for reconciliation by ID

In previous releases, the reconById action took an ids parameter to specify the ID to be reconciled. This action now takes an id parameter instead. For more information, see "Restricting Reconciliation to a Specific ID" in the Integrator's Guide.

Changes to predefined queries

For improved relationship performance, a number of predefined queries for generic mappings have been modified. Any query that is run on a managed object endpoint now requires the objectid, rev and fullobject columns to be included in the select statement.

Similarly, predefined queries that are mapped to an explicit table and that return the full object must select ALL of the columns that are mapped to the object in the repo.jdbc.json file. No column changes are required for predefined queries that do not return full objects (for example, query-all-ids), or do not return relationship data.

If you have not customized the queries in your repository configuration (repo.jdbc.json) file, you have nothing to do—the affected queries are patched as part of the update process. If you have customized your predefined queries, update these queries to include the objectid and rev.

For example, the query-all query for a MySQL repository changes from:

"query-all" : "SELECT fullobject FROM (SELECT obj.fullobject, row_number() OVER (ORDER BY obj.id) AS row_next FROM ${_dbSchema}.${_mainTable} obj , ${_dbSchema}.objecttypes o WHERE obj.objecttypes_id = o.id AND o.objecttype = ${_resource}) AS query_all_id_temp WHERE row_next BETWEEN ${int:_pagedResultsOffset} + 1 AND ${int:_pagedResultsOffset} + ${int:_pageSize}",

to:

"query-all" : "SELECT obj.objectid, obj.rev, obj.fullobject FROM (SELECT obj.objectid, obj.rev, obj.fullobject, row_number() OVER (ORDER BY obj.id) AS row_next FROM ${_dbSchema}.${_mainTable} obj , ${_dbSchema}.objecttypes o WHERE obj.objecttypes_id = o.id AND o.objecttype = ${_resource}) AS query_all_id_temp WHERE row_next BETWEEN ${int:_pagedResultsOffset} + 1 AND ${int:_pagedResultsOffset} + ${int:_pageSize}",

For more information about these queries, see "Using Generic Mappings With a JDBC Repository" in the Integrator's Guide.

Changes to the VKontakte Social Identity Provider

To configure VKontakte as a social identity provider, you now need to include the applicable VKontakte API version. The authenticationIdKey has also changed from uid to id.

4.2. ICF and Connector Changes

The following ICF and connector changes will have an impact on existing IDM deployments that use those connectors:

LDAP Connector Change for Active Directory GUID (OPENICF-760)

Previous versions of the LDAP connector appended <GUID= to the GUID for Active Directory objects. This behavior ensured compatibility with the legacy .NET connector.

The LDAP connector no longer appends <GUID= to the object GUID. The new GUID format is compatible with objects created using the AD Powershell Connector, for example e1418d64-096c-4cb0-b903-ebb66562d99d. In existing deployments, this might mean that your links are incompatible with the new GUID format. To update links to the new format, run a reconciliation operation. To retain the legacy behavior, set "useOldADGUIDFormat" : true in your provisioner file.

4.3. Deprecated Functionality

The following functionality is deprecated in ForgeRock Identity Management 6.0.0 and is likely to be removed in a future release.

  • Support for the TLSv1.1 protocol has been deprecated and will be removed in a future release. For more information, on the potential vulnerability, see CVE-2011-3389 from the National Vulnerability Database from the US National Institute of Standards and Technology.

    The default security protocol for IDM is TLSv1.2. Do not downgrade this protocol to TLSv1.1 unless necessary. For more information, see "Setting the TLS Version" in the Integrator's Guide.

  • The ability to update servers by using the UI is deprecated and will be removed in the next release. You can still update from IDM 5.5 to IDM 6.0 through the UI, but UI update will no longer be available after this release.

  • In schedule configurations, setting a time zone using the timeZone field is deprecated. To specify a time zone for schedules, use the startTime and endTime fields, as described in "Configuring Schedules" in the Integrator's Guide.

  • Support for the MD5 and SHA-1 hash algorithms is deprecated and will be removed in a future release. You should use more secure algorithms in a production environment. For a list of supported hash algorithms, see "Encoding Attribute Values by Using Salted Hash Algorithms" in the Integrator's Guide.

  • boot.properties has moved. It was previously located in project-dir/conf/boot, and is now located in install-dir/resolver/.

  • The following directory variables have been deprecated and replaced:

    • &{launcher.working.location} is now &{idm.data.dir}

    • &{launcher.working.url} is now &{idm.data.url}

    • &{launcher.install.location} is now &{idm.install.dir}

    • &{launcher.install.url} is now &{idm.install.url}

    • &{launcher.project.location} is now &{idm.instance.dir}

    • &{launcher.project.url} is now &{idm.instance.url}

  • The Active Directory (AD) .NET Connector is deprecated and support for its use in IDM will be removed in a future release.

    For simple Active Directory (and Active Directory LDS) deployments, the Generic LDAP Connector works better than the Active Directory connector, in most circumstances. For more information, see "Generic LDAP Connector" in the Connector Reference.

    For more complex Active Directory deployments, use the PowerShell Connector Toolkit, as described in "PowerShell Connector Toolkit" in the Connector Reference.

    Note that deprecating the AD Connector has no impact on the PowerShell connector, or on the .NET Connector Server.

  • When configuring connectors, (see "Configuring Connectors" in the Integrator's Guide), you can set up nativeType property level extensions. The JAVA_TYPE_DATE extension is deprecated.

  • Support for a POST request with ?_action=patch is deprecated, when patching a specific resource. Support for a POST request with ?_action=patch is retained, when patching by query on a collection.

    Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead.

    For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe's entry:

    $ curl \
     --header "X-OpenIDM-Username: openidm-admin" \
     --header "X-OpenIDM-Password: openidm-admin" \
     --header "Content-Type: application/json" \
     --request POST \
     --header "X-HTTP-Method-Override: PATCH" \
     --data '[
        {
        "operation":"replace",
        "field":"/description",
        "value":"The new description for Jdoe"
        }
      ]' \
      "http://localhost:8080/openidm/managed/user/jdoe"

No additional functionality is deprecated at this time.

4.4. Removed Functionality

  • Support for the TLSv1.0 protocol has been removed. For more information, see the following PDF: Migrating from SSL and Early TLS from the PCI Security Standards Council.

    The default security protocol for IDM is TLSv1.2. Do not downgrade this protocol unless you have a specific need.

  • The ability to update IDM through the Admin UI has been removed from IDM 6.

    If you're updating IDM from version 5.5 to 6.0.0.3, you must first update from 5.5 to 6, then to 6.0.0.3.

  • The OPENAM_SESSION authentication module has been removed. If you are integrating IDM with ForgeRock Access Management (AM), you should use the OAUTH_CLIENT module instead. For an example, see "Integrating IDM With the ForgeRock Identity Platform" in the Samples Guide.

  • Support for the Security Management Service has been removed.

    As a part of this change, the securitykeys table has been removed from the database schema. If you are updating from a previous version of IDM, an update script is available in the openidm/db/repo/scripts/updates directory to delete this table from existing repositories. For more information about updating your IDM instance, see "Updating Servers" in the Installation Guide.

  • Support for a POST request with ?_action=sendEmail when sending an email with a REST call has been removed. Support for a POST request with ?_action=send is retained, on the /openidm/external/email endpoint. For an example of this REST call, see "Sending Mail Over REST" in the Integrator's Guide.

4.5. Functionality That Will Change in the Future

No major functionality is planned to change at this time.

Chapter 5. Documentation Updates

"Documentation Change Log" tracks important changes to the documentation:

Documentation Change Log
DateDescription
2018-11-05

Release of IDM 6.0.0.3 maintenance release.

2018-09-03

Release of IDM 6.0.0.2 patch release.

2018-08-13

Release of IDM 6.0.0.1 patch release.

2018-07-16

Added Oracle Database 12cR1 (12.1) to the list of supported repositories.

2018-06-20

Updated the instructions in "Configuring IDM For a Hardware Security Module (HSM) Device" in the Integrator's Guide to specify that symmetric keys must use an HMAC algorithm.


Chapter 6. How to Report Problems and Provide Feedback

If you have questions regarding ForgeRock Identity Management software that are not answered by the documentation, you can ask questions on the forum at https://forgerock.org/forum/fr-projects/openidm/.

When requesting help with a problem, include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation

  • Description of the environment, including the following information:

    • Machine type

    • Operating system and version

    • Repository type and version

    • Java version

    • IDM release version

    • Any patches or other software that might be affecting the problem

  • Steps to reproduce the problem

  • Any relevant access and error logs, stack traces, or core dumps

Appendix A. Release Levels and Interface Stability

This appendix includes ForgeRock definitions for product release levels and interface stability.

A.1. ForgeRock Product Release Levels

ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.

Release Level Definitions
Release LabelVersion NumbersCharacteristics

Major

Version: x[.0.0] (trailing 0s are optional)

  • Bring major new features, minor features, and bug fixes

  • Can include changes even to Stable interfaces

  • Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated

  • Include changes present in previous Minor and Maintenance releases

Minor

Version: x.y[.0] (trailing 0s are optional)

  • Bring minor features, and bug fixes

  • Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces

  • Can remove previously Deprecated functionality

  • Include changes present in previous Minor and Maintenance releases

Maintenance, Patch

Version: x.y.z[.p]

The optional .p reflects a Patch version.

  • Bring bug fixes

  • Are intended to be fully compatible with previous versions from the same Minor release


A.2. ForgeRock Product Interface Stability

ForgeRock products support many protocols, APIs, GUIs, and command-line interfaces. Some of these interfaces are standard and very stable. Others offer new functionality that is continuing to evolve.

ForgeRock acknowledges that you invest in these interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines interface stability labels and uses these definitions in ForgeRock products.

Interface Stability Definitions
Stability LabelDefinition

Stable

This documented interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect.

Evolving

This documented interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.

Deprecated

This interface is deprecated and likely to be removed in a future release. For previously stable interfaces, the change was likely announced in a previous release. Deprecated interfaces will be removed from ForgeRock products.

Removed

This interface was deprecated in a previous release and has now been removed from the product.

Technology Preview

Technology previews provide access to new features that are evolving new technology that are not yet supported. Technology preview features may be functionally incomplete and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums.

ForgeRock does not guarantee that a technology preview feature will be present in future releases, the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, said feature will become part of the ForgeRock platform. Technology previews are provided on an “AS-IS” basis for evaluation purposes only and ForgeRock accepts no liability or obligations for the use thereof.

Internal/Undocumented

Internal and undocumented interfaces can change without notice. If you depend on one of these interfaces, contact ForgeRock support or email info@forgerock.com to discuss your needs.


Appendix B. Getting Support

For more information and resources about IDM and ForgeRock support, see the following sections:

B.1. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

B.2. Using the ForgeRock.org Site

The ForgeRock.org site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.

If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.

B.3. Getting Support and Contacting ForgeRock

ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.forgerock.com.

ForgeRock has staff members around the globe who support our international customers and partners. For details, visit https://www.forgerock.com, or send an email to ForgeRock at info@forgerock.com.

Read a different version of :