Notes covering ForgeRock® Identity Management software requirements, fixes, and known issues. This software offers flexible services for automating management of the identity life cycle.
About ForgeRock Identity Management Software
ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.
The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.
IDM software provides centralized, simple management and synchronization of identities for users, devices and things.
IDM software is highly flexible and therefore able to fit almost any use case and workflow.
These release notes are written for anyone using the IDM 6.0 release. Read these notes before you install or upgrade IDM software.
These release notes cover the following topics:
A list of the major new features and functionality provided with this release
Hardware and software prerequisites for installing and upgrading IDM software
Compatibility with previous releases
Potential upcoming deprecation and removals that affect scripts and applications
Issues fixed since the previous release
Known issues open at the time of release
See the Installation Guide after you read these Release Notes. The Installation Guide covers installation and upgrade for IDM software.
Chapter 1. What's New
This chapter covers new capabilities in IDM.
1.1. Patch Bundle Releases
ForgeRock patch bundle releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. For general information on ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.
IDM 6.0.0.7 is the latest patch bundle release targeted for IDM 6.0 deployments and can be downloaded from the ForgeRock Backstage website. To view the list of fixes in this release, see Fixed Issues in IDM 6.0.0.7.
The IDM 6.0.0.7 patch bundle release is cumulative and contains all the fixes included in the previous patch bundle releases.
The release can be deployed as an initial deployment or updated from an existing deployment. For more information on either update method, see "Updating Servers" in the Installation Guide.
1.2. New Features
The connectors bundled with IDM 6.0.0.7 have all been upgraded to version 1.5.20.0. For details of these connector versions, see the latest release of the Connector Release Notes.
No new features were introduced in this release, only bug fixes.
This release of IDM 6.0 software includes the following new features:
- ForgeRock Directory Services (DS) as a supported repository
An external DS instance is now supported as a repository in production environments. For more information, see "Using an External DS Repository" in the Installation Guide.
- Support for PostgreSQL 10 and DB2 11
IDM 6.0 supports PostgreSQL version 10 and DB2 version 11 as repositories. For a list of repositories that are supported in production, see "Supported Repositories".
- Improved performance around relationships
The relationships mechanism has been refactored for substantial performance improvement. Much of this refactoring involves the notification process of relationship changes. For more information, see "Configuring Relationship Change Notification" in the Integrator's Guide.
- Support for progressive profile completion
Progressive profile completion enables you to enhance the information you have about registered users. For more information, see "Progressive Profile Completion" in the Integrator's Guide.
- Privacy and consent management
IDM now supports managing Privacy and Consent for users who self-register directly through IDM or through a social identity provider. For more information, see "Configuring Privacy & Consent" in the Integrator's Guide.
- Enhancements to self-service processes
This release includes the following enhancements to the self-service functionality:
Improvements to knowledge-based authentication (see "Configuring Security Questions" in the Integrator's Guide).
New terms of service feature (see "Adding Terms & Conditions" in the Integrator's Guide).
Improved login and registration widgets
- General enhancements to the Admin UI
Numerous improvements have been made to the Admin UI, including:
Additional dashboards (see "Managing Dashboards" in the Integrator's Guide).
Enhanced schedule management (see "Managing Schedules Through the Admin UI" in the Integrator's Guide)
- Property value substitution
This release provides improved support for property value substitution in the server configuration. For more information, see "Using Property Value Substitution" in the Integrator's Guide.
- Support for monitoring using Prometheus
IDM now provides support for viewing metrics through external resources such as Prometheus and Grafana. For more information, see "Metrics and Monitoring" in the Integrator's Guide.
- The lastChanged property has been removed from the schema
The lastChanged property, previously part of the managed object, is no longer stored within the object itself, but as metadata in a separate resource location. For more information, see "Tracking Metadata For Managed Objects" in the Integrator's Guide.
- New connectors
IDM 6.0 bundles the following new connectors:
ServiceNow connector. See "ServiceNow Connector" in the Connector Reference.
Workday connector. See "Workday Connector" in the Connector Reference.
MongoDB connector. See "MongoDB Connector" in the Connector Reference.
For installation instructions, see "Preparing to Install and Run Servers" in the Installation Guide.
Several samples are provided to familiarize you with the IDM features. For more information, see "Overview of the Samples" in the Samples Guide.
For an architectural overview and a high-level presentation of IDM, see "Architectural Overview" in the Integrator's Guide.
1.3. Security Advisories
ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.
Chapter 2. Before You Install
This chapter covers requirements to consider before you run IDM software, especially before you run the software in your production environment.
If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.
2.1. Supported Repositories
The following repositories are supported for use in production:
ForgeRock Directory Services (DS) 6.0
By default, IDM uses an embedded DS instance for testing purposes. The embedded instance is not supported in production. If you want to use DS as a repository in production, you must set up an external instance.
MySQL version 5.6 and 5.7 with MySQL JDBC Driver Connector/J 5.1.18 or later
MariaDB version 10.0, 10.1, and 10.2 with MySQL JDBC Driver Connector/J 5.1.18 or later
Microsoft SQL Server 2012, 2014, and 2016
Oracle Database 11gR2, 12c, and 12cR1 (12.1)
PostgreSQL 9.3.10, 9.4.5, 9.6, and 10
IBM DB2 10.1, 10.5, and 11
2.2. Containers
You must install IDM as a stand-alone service, using Apache Felix and Jetty, as provided. Alternate containers are not supported.
IDM bundles Jetty version 9.2.
2.3. Supported Connectors
IDM bundles the following connectors:
Adobe CM Connector
CSV File Connector
Database Table Connector
Google Apps Connector
Groovy Connector Toolkit
This toolkit enables you to create scripted connectors to virtually any resource.
Kerberos Connector
LDAP Connector
Marketo Connector
MongoDB Connector
Salesforce Connector
SCIM Connector
Scripted REST Connector
Scripted SQL Connector
ServiceNow Connector
Scripted SSH Connector
Workday Connector
A PowerShell Connector Toolkit is available for download from ForgeRock's BackStage site. This Toolkit enables you to create scripted connectors to address the requirements of your Microsoft Windows ecosystem.
Additional connectors are available from ForgeRock's BackStage site.
Use of the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).
Windows 2012 R2 is supported as the remote system for connectors and password synchronization plugins.
The following table lists the supported connectors, connector servers, and password synchronization plugins for this IDM release.
Connector/Plugin | Supported Version |
---|---|
Adobe CM Connector | 1.5.20.0 |
CSV File Connector | 1.5.20.0 |
Database Table Connector | 1.5.20.0 |
Google Apps Connector | 1.5.20.0 |
Groovy Connector Toolkit | 1.5.20.0 |
Kerberos Connector | 1.5.20.0 |
LDAP Connector | 1.5.20.0 |
Marketo Connector | 1.5.20.0 |
MongoDB Connector | 1.5.20.0 |
Powershell Connector Toolkit | 1.5.20.0 |
Salesforce Connector | 6.0.0 |
SAP Connector | 1.5.0.0 |
SCIM Connector | 1.5.20.0 |
Scripted REST Connector | 1.5.20.0 |
Scripted SQL Connector | 1.5.20.0 |
ServiceNow Connector | 1.5.20.0 |
Workday Connector | 1.5.20.0 |
Active Directory Connector | 1.4.0.0 |
Java Connector Server | 1.5.20.0, 1.5.2.0, 1.5.1.0, 1.5.0.0, 1.4.1.0 |
.NET Connector Server | 1.5.20.0, 1.5.2.0, 1.5.1.0, 1.5.0.0, 1.4.1.0 |
DS Password Synchronization Plugin | 6.0.0 (supported with DS 6.0.0); 5.5.0 (supported with DS 5.5.0); 5.0.0 (supported with DS 5.0.0); 3.5.0 (supported with OpenDJ 3.5.0). DS Password Sync plugins are not supported with DS OEM. |
Active Directory Password Synchronization Plugin | 1.7.0, 1.5.0, 1.4.0, 1.3.0, 1.2.0, and 1.1.0, supported on Windows 2008 R2, Windows 2012 R2, and Windows 2016. Note: Because version 1.4.0 can fail to make a secure connection with certain Windows versions, ForgeRock recommends using a later version. |
You must use the supported versions of the .NET Connector Server, or the Java Connector Server. The 1.5.x Java Connector Server is backward compatible with the version 1.1.x connectors. The 1.5.x .NET Connector Server is compatible only with the 1.4.x and 1.5.x connectors.
The 1.5.20.0 .NET connector server requires the .NET framework (version 4.5 or later) and is supported on Windows Server 2008 R2 and 2012 R2.
Important
Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in the Samples Guide.
2.4. Choosing a Browser
ForgeRock has tested many browsers with the IDM UI, including the following browsers:
Chrome and Chromium, latest stable version
Firefox, latest stable version
Safari, latest stable version
Internet Explorer 11 and later
2.5. Choosing an Operating System
IDM is supported on the following operating systems:
Red Hat Enterprise Linux (and CentOS Linux) 6.5 and later, 7.x
Ubuntu Linux 16.04
Windows 2008 R2, 2012 R2, 2016
2.6. Preparing the Java Environment
IDM requires Java 8, specifically at least the Java Standard Edition runtime environment.
ForgeRock validates IDM software with Oracle JDK and OpenJDK, and does occasionally run sanity tests with other JDKs. Support for very specific Java and hardware combinations is best-effort. This means that if you encounter an issue when using a particular JVM/hardware combination, you must also demonstrate the problem on a system that is widespread and easily tested by any member of the community.
ForgeRock recommends that you keep your Java installation up to date with the latest security fixes.
Note
If you are using the Oracle JDK and you use 2048-bit SSL certificates, you must install the Unlimited JCE policy to enable IDM to use those certificates.
Download and install the Unlimited JCE Policy for Java 8 from the Oracle Technetwork site. Unzip the JCE zip file and install the JCE policy JAR files in the /lib/security folder of the JRE. Note that from Oracle JDK 8u161 onward the unlimited policy is the default (it is controlled by the crypto.policy security property in java.security, introduced in 8u151), so on a current Java 8 update no separate download is needed. Verify the active policy on the JRE that will actually run IDM rather than assuming it.
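The following small program is an added check and is not part of the release notes or of IDM itself. It reports whether the JRE's policy allows AES keys longer than 128 bits, which is exactly what the Unlimited JCE Policy unlocks, and then proves it by initializing a cipher with a 256-bit key (the fixed-issues list on this page mentions AES 256-bit keys, OPENIDM-10917, so that is the natural probe). The class name and the printed messages are illustrative choices, not anything IDM ships.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

/** Added example: checks whether the Unlimited JCE Policy is in effect for this JRE. */
public class JcePolicyCheck {

    /** Maximum AES key length (bits) the installed policy allows; Integer.MAX_VALUE means unlimited. */
    public static int maxAesKeyLength() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /**
     * Returns true if a 256-bit AES key can actually be used. Under the limited policy
     * Cipher.init throws InvalidKeyException ("Illegal key size") for anything above 128 bits.
     */
    public static boolean canUseAes256() {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            SecretKey key = kg.generateKey();
            // SunJCE generates a random IV itself when no IV is supplied in ENCRYPT_MODE.
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return true;
        } catch (InvalidKeyException e) {
            return false;
        } catch (GeneralSecurityException e) {
            // AES/CBC/PKCS5Padding is mandatory in every Java SE implementation, so this is unexpected.
            throw new IllegalStateException("AES provider unavailable", e);
        }
    }

    public static void main(String[] args) throws Exception {
        int max = maxAesKeyLength();
        System.out.println("java.version        : " + System.getProperty("java.version"));
        System.out.println("java.home           : " + System.getProperty("java.home"));
        System.out.println("max AES key length  : " + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        boolean ok = canUseAes256();
        System.out.println("AES-256 usable      : " + ok);
        if (!ok) {
            System.out.println("Limited policy active: install the Unlimited JCE Policy JARs in "
                    + System.getProperty("java.home") + "/lib/security, or set crypto.policy=unlimited "
                    + "in java.security (JDK 8u151 or later).");
        }
    }
}
```

Compile with javac JcePolicyCheck.java and run it with the same java binary that IDM's startup script will use (the one on PATH or under JAVA_HOME), since the policy is per JRE installation, not per machine.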
2.7. Fulfilling Memory and Disk Space Requirements
When you install IDM for evaluation, with the embedded DS repository, you need 256 MB memory (32-bit) or 1 GB memory (64-bit) available.
You also need 10 GB free disk space for the software and for sample data.
In production, disk space and memory requirements will depend on the size of your external repository, as well as the size of the audit and service log files that IDM creates.
2.8. Supported Upgrade Paths
The following table contains information about the supported upgrade paths to IDM 6.0.0.7:
Version | Update Supported to IDM 6.0.0.7 |
---|---|
IDM 6.0.0.5 | [a] |
IDM 6.0.0.4 | [a] |
IDM 6.0.0.3 | [a] |
IDM 6.0.0.2 | [a] |
IDM 6.0.0.1 | [a] |
IDM 6.0.0 | [a] |
Versions prior to IDM 6.0 | [b] |
[a] Updating from this release requires a pre-patch step, which must be applied prior to update to IDM 6.0.0.7. For more information, see "To Prepare Your Patch Bundle Release" in the Installation Guide.
[b] Must first update to IDM 6.0, then to IDM 6.0.0.7.
Chapter 3. Fixes, Limitations, and Known Issues
This chapter covers the status of key issues and limitations for IDM. For details and information on other issues, see the IDM issue tracker.
3.1. Fixed Issues
The following important bugs were fixed in this release:
OPENIDM-9710: With JDBC repo using explicit table for Managed User, integer properties are treated as string
OPENIDM-12778: Schedules to execute a file-based script are generated incorrectly via the Admin UI
OPENIDM-13095: DatabaseTable Connector sample: Update sample to not require __NAME__ on create
OPENIDM-13854: REST - Deleting user with a non existent relationship object returns 404
OPENIDM-14548: External REST: Calling endpoints which return a JSON array throws error
OPENIDM-14576: A workflow started in IDM 4.5 cannot be completed after upgrading to 6.0.0.5
OPENIDM-14768: Admin UI: Update Database Table Connector template
OPENIDM-15000: Rhino: Handlebars.js is not multithreaded
OPENIDM-15526: Opening link in new tab doesn't honour the link in IDM 6.0 UI fullstack setup
OPENIDM-15862: sustaining/6.5.x - sample for scriptedrest is not working with scriptedrest connector 1.5.19.1
OPENIDM-16197: Kerberos Connector NoClassDefFoundError: expect4j/Expect4j
OPENIDM-16686: sustaining/6.0.x - multiple passwords sample JsonValueException
OPENIDM-16745: sustaining/6.0.x - SSL errors on external/rest calls
OPENIDM-17053: Registration form is not loading
OPENIDM-11152: Unable to connect to External DS datastore via TLS/SSL
OPENIDM-12038: 'statusCode:null' logged in Audit for successful GET on managed objects
OPENIDM-12080: External Email connects to SMTP servers with TLSv1
OPENIDM-12207: UI login fails with non-ASCII username or password
OPENIDM-12208: Clustered reconciliation fails due to paging cookie from ldap AD
OPENIDM-12248: Data races in state shared across threads in recon
OPENIDM-12312: UNIQUE policy on properties other than userName not correctly check during self-registration
OPENIDM-12680: Reconciliation stuck in ACTIVE_QUERY_ENTRIES (or other ACTIVE_ state) and cannot be cancelled
OPENIDM-12897: Large integers not handled correctly in JavaScript
OPENIDM-13086: Do not cache Managed Roles and Assignments within ReconContext during reconciliation
OPENIDM-13111: !== in mergeWithTarget.js (and possibly other scripts) doesn't check if value is undefined only if value is null
OPENIDM-13160: PATCH may succeed although If-Match does not match _rev
OPENIDM-13162: ManagedObject UPSERT contract creates orphan meta object on update via PUT
OPENIDM-13261: Fix exception in PendingLinkAction.getPendingActionContext
OPENIDM-13292: IDM trying to initialize SSL Cert for the internal DJ even if it's not configured as the repo, Incompatible with HSM
OPENIDM-13411: identityServer.getProperty() returns null pointer if property isn't set rather than being handled gracefully
OPENIDM-13601: Add reuseConnections and pooledConnectionTTL options to SalesForce provisioner configuration
OPENIDM-13683: Using an expired token returns an HTTP 500 error
OPENIDM-14163: Workflow: Groovy classpath problem
OPENIDM-14202: SQL script provided with openidm to create the auditdb fails
OPENIDM-14266: Remove security/realm.properties
OPENIDM-14287: cli.sh keytool export and import causes IDM startup failure with 'Invalid AES key length' error
OPENIDM-14641: Small improvements for policy.js
OPENIDM-4377: Implement JDBC count support on queries with QueryFilter
OPENIDM-10708: ResourceException when external/rest receives HTTP 204 response
OPENIDM-10829: PUT modifications to workflow/taskInstance/[_id] return 'Task updated' even when no changes occur
OPENIDM-10987: Users have access to manager user data (no relationship filter policy)
OPENIDM-11494: When an internal user changes password in UI, the user's roles get removed
OPENIDM-11689: Specify Schema in External DJ Connection Factory
OPENIDM-11800: The handling of PreconditionFailedException could induce infinite loop
OPENIDM-12154: An attempt to use external DS with explicit tables as a repo fails on missing fr-idm-lastPasswordSet
OPENIDM-12190: Router authz fails in multiple-passwords sample
OPENIDM-12359: Changing "Identity Email Field" in "User Query Form" from "mail" to another managed object property throws an error
OPENIDM-12370: Enable HSM data decryption from IDM 3.1.0 instances
OPENIDM-12383: API descriptor not available after setting relationship-type property to nullable
OPENIDM-12413: Multi-nodes clustered recon may fail with wrong situation
OPENIDM-12528: IDM 6.0 with DS repo and explicit mapping, PATCH replace does nothing for case-insensitive attribute
OPENIDM-12664: Target phase run when reconById dispatched on mapping configured for clustered recon
OPENIDM-12796: jsonstorage "local" self-service with "uuid" option fails in multi-node cluster scenario
OPENIDM-12804: uuid token expiry doesn't work with jdbc repo
OPENIDM-12865: jwt token fails in multi-node cluster scenario
OPENIDM-12904: Sending mail with null "to" field causes IDM to hang
OPENIDM-13117: Harden upgrade to be resilient to transient errors due to router upgrade
OPENIDM-13135: Do not load JWT signing key if JWT session module is disabled
OPENIDM-10722: Investigate high CPU in sun.security.provider package for Create Managed User
OPENIDM-11174: Unable to resume scheduler jobs after successful pause
OPENIDM-11393: assigning a userTask to openidm-admin could cause null pointer exception
OPENIDM-11640: null exception in defaultMappings.json
OPENIDM-11852: clustered recon in multi-node environment may never complete
OPENIDM-11862: Setting a timeout on a uuid token via jsonstore.json has no effect
OPENIDM-12013: Cache CommonJS module exports globally and prevent re-execution of required scripts
OPENIDM-12017: IDM CAUD syslog product name (APP-NAME) is null
OPENIDM-12200: Uncaught TypeError in JavaScript console when saving reverse relationship
OPENIDM-7687: Provide support for ClientHandlers to use a proxy server within OpenIDM
OPENIDM-11052: Admin UI Mappings page load delay on system?_action=test REST call
OPENIDM-11101: NPE when shutdown
OPENIDM-11195: script query result not converted to correct groovy type
OPENIDM-11244: Include milliseconds in IDM logs
OPENIDM-11446: Impossible to add optional field to selfservice registration
OPENIDM-11480: With Oracle repo, Create or Update Managed user via UI results in 500 error
OPENIDM-11597: IllegalArgumentException updating external account if trace is enabled
OPENIDM-11635: When using DB2 repo, read requests with relationship expansion and update requests are not working anymore
OPENIDM-11269: process typeError is observed in UI for association tab in mapping details
OPENIDM-11603: Backport OPENIDM-11512: Integrating Social Authentication with Identity Management fails
OPENIDM-10915: Backport OPENIDM-10887: expose isInitiator flag for IWA module
OPENIDM-10917: Backport OPENIDM-10542: IDM decryption fails with AES 256-bit key
OPENIDM-10968: Backport OPENIDM-10919: JavaScript in Internet Explorer does not support includes method of String
OPENIDM-10969: Backport OPENIDM-10948: OpenerHandler require does not work with Internet Explorer
OPENIDM-10971: Backport OPENIDM-6782: Password is re-encrypted during any managed object update/patch
OPENIDM-11087: Backport OPENIDM-11024: NPE can be thrown if the authentication service comes up before the identityService
OPENIDM-11160: Backport OPENIDM-8043: Unable to initialize keystore and truststore when passwords are different
OPENIDM-11167: Backport OPENIDM-5465: Performance Issue updating conditional role memberships
OPENIDM-11240: Backport OPENIDM-10758: openidm.read() returns different content if called from managed.json action or a custom endpoint
OPENIDM-11243: Backport OPENIDM-9783: Include thread id in all logging statements
OPENIDM-11245: Backport OPENIDM-11215: IDM hangs using IE11 with error "Promise is undefined" in ResourceQueryFilterEditor.js
OPENIDM-11354: Backport COMMONS-314 json-crypto: SimpleEncryptor symmetric no longer works with HSMs
OPENIDM-11421: Backport OPENIDM-11292: Registration autologin with full-stack not working
OPENIDM-11422: Session JWT key usage is not clear
OPENIDM-10512: Mapping Scheduling Sync toggle has nothing to do with schedule or livesync
OPENIDM-10472: readSchema=false is added to config.properties by the admin UI for connectors
OPENIDM-10471: NPE X-OpenIDM-OAuth-Login: true without providing any token when invoking REST API
OPENIDM-10468: 500 internal error when Referer header not provided with OAuth
OPENIDM-10459: onCreateUser.js:emailUser assumes that a mail address has been configured for the created object
OPENIDM-10388: Managed object scripts are called with org.forgerock.http.routing.UriRouterContext when roles are added
OPENIDM-10340: NPE when performing GET with invalid arbitrary URL parameters
OPENIDM-10323: Sample JMS Consumer listening on incorrect JMS Topic
OPENIDM-10231: Unable to use read-only keystore
OPENIDM-10205: Entered text is lost when using the attribute selector for a role's condition
OPENIDM-10195: Relationship between a custom managed object and a default object can be created in both directions via the UI
OPENIDM-10152: Roles condition queryFilter builder does not show all properties on managed/user
OPENIDM-10145: Restart action in update does not work properly and should be removed
OPENIDM-10141: Adding an attribute to a 'The value for' condition causes it to be duplicated in the drop-down list
OPENIDM-10137: Unable to set manager property to nullable via UI
OPENIDM-10135: Manager field disappears when type is null
OPENIDM-10134: Self-service registration fails with cross-origin restrictions using Safari
OPENIDM-10126: A condition query on roles shows an incomplete list of role members
OPENIDM-9997: API Explorer should send OAuth headers when appropriate
OPENIDM-9976: Self Service email validation link for Registration leads to blank page in Safari
OPENIDM-9975: Startup.sh is setting PROJECT_HOME incorrectly when CDPATH is set
OPENIDM-9964: No content and NullPointerException returned when creating a relationship using the source managed object's attribute within the URI and specifying a _fields parameter
OPENIDM-9940: onRetrieve script executed for managed attributes not returned by fields
OPENIDM-9855: Trusted Attribute fails with multiple instances using different resources
OPENIDM-9819: GenericLDAP Connector setup does not read remote LDAP schema irrespective of readSchema setting
OPENIDM-9805: DJ Password Sync Plugin retry doesn't send any data to IDM
OPENIDM-9751: Authorize Apps shows "Invalid date" for expire value
OPENIDM-9719: CORS headers returned to client with repeated values
OPENIDM-9677: Instagram configuration within identityProviders.json contains incorrect attribute name for full_name
OPENIDM-9624: Conflict between OAuth Datastore token usage for authentication and binding
OPENIDM-9615: The conditionalRoles.js script should not create an empty roles array if no conditional roles are assigned
OPENIDM-9602: "watchedFields" and "passwordFields" can be added for audit event types other than Activity
OPENIDM-9601: "onSync" script for managed objects is not called for both vertices when a relationship is created between them
OPENIDM-9588: In the provisioning-with-workflow sample, you cannot view single record details in system/rolesFile
OPENIDM-9574: Custom Self-Service URL breaks social registration
OPENIDM-9572: Terms and Conditions acceptance not added to the profile when using Social Registration
OPENIDM-9568: NullPointerException when checking for updates in read-only file system
OPENIDM-9562: Enabling a persistent schedule multiple times through the config API runs a custom script multiple times
OPENIDM-9554: Workflow Processes Completed have "Not Found Error" for managed/user
OPENIDM-9549: "Current policy is read-only" notification shows after changing Mapping Detail policy
OPENIDM-9545: Unable to execute taskscanner via REST endpoint when schedule is not file-based
OPENIDM-9543: Patch/update requests of the _ref field against the relationship endpoint are not handled correctly
OPENIDM-9476: Editable row for Display/Search Properties in Identity Relationships widget settings not showing the correct value when in edit mode
OPENIDM-9458: Timezone is set incorrectly when a new schedule is created
OPENIDM-9454: With an explicit mapping in a MySQL repo, you cannot create a managed user with password longer than 13 characters
OPENIDM-9444: Patch Copy and Patch Move fail when the target property exists
OPENIDM-9409: stdDev has incorrect value 0 for all clustered recon metrics
OPENIDM-9390: Various problems configuring scheduled scripts in the UI
OPENIDM-9389: Scheduled scripts with file paths are saved incorrectly
OPENIDM-9387: Paged queries with query-all-ids don't work correctly for explicit mappings
OPENIDM-9363: Attributes are removed from the managed object configuration when edited in the UI, if they do not appear within an order array
OPENIDM-9362: Managed.json does not contain all attributes within the order array for default managed object types
OPENIDM-9335: Admin UI shows the password for CSV audit tamper prevention as a JSON string
OPENIDM-9328: Enabling CSV tamper prevention in the Admin UI dumps all config details to log file
OPENIDM-9286: install-service.bat has a broken classpath variable
OPENIDM-9217: Do not execute managed property's onRetrieve when returnByDefault is false
OPENIDM-9213: When all topics are removed from an audit handler, the Admin UI saves 'null' instead of an empty list
OPENIDM-9211: External REST service does not return error details from remote server
OPENIDM-9207: recon creates incorrect links when using linkQualifiers
OPENIDM-9201: Failure to send welcome email leads to user creation failure, inconsistent state
OPENIDM-9195: From address in Password Reset email template is ignored
OPENIDM-9170: A conditional role with assignments, created with single quotes over REST, does not display in the Admin UI
OPENIDM-9045: Performance problem getting triggers for a scheduler job
OPENIDM-8869: PagedResultsCookie response state in JDBCRepoService in violation of CREST Spec
OPENIDM-8839: enum values do not display in API Explorer
OPENIDM-8837: Deleting all KBA questions through the UI prevents user registration w/o visible Error Message
OPENIDM-8827: ScriptedCrest samples uses _id in sync.json which is forbidden
OPENIDM-8653: 'Unknown Error' when pasting a value into the username field when creating a managed user in IE 11
OPENIDM-8593: Lots of API Descriptor errors in the logs on startup
OPENIDM-8543: Patch remove on a field succeeds but is not propagated to the target
OPENIDM-8381: Recovery of scheduled jobs following cluster node failure does not work
OPENIDM-8045: Creating a new managed object with unsupported characters causes an exception
OPENIDM-7947: With DJ as a repo, OpenIDM fails to start when using HSM
OPENIDM-7536: Relationship fields are not returned on an "upsert" update
OPENIDM-7284: Create manager/reports relationship with POST or PUT work on managed/user/id/reports but fails on managed/user/id/manager
OPENIDM-6886: The Password Reset form applies policies from the 'password' field even if you are using a different field for the password
OPENIDM-5914: Role is still showing as assigned in effectiveRoles attribute on query-all output if role is unassigned via the admin UI
OPENIDM-5909: ScriptedSSH incorrect sample provisioner group members nativeName
OPENIDM-5907: ScriptedSSH search script unsupported filter cause timeout exception
OPENIDM-5227: LDAP Connector search filters are not persisted by the Admin UI
OPENIDM-4686: Neither empty _fields nor _fields=* on a system resource read return all fields
OPENIDM-3330: Inconsistent use of uidAttribute in LDAP Provisioner Config
3.2. Limitations
The following limitations exist in the following releases:
There are no known limitations in IDM 6.0.0.7, other than those identified in IDM 6.0.0.
There are no known limitations in IDM 6.0.0.6, other than those identified in IDM 6.0.0.
There are no known limitations in IDM 6.0.0.5, other than those identified in IDM 6.0.0.
There are no known limitations in IDM 6.0.0.4, other than those identified in IDM 6.0.0.
There are no known limitations in IDM 6.0.0.3, other than those identified in IDM 6.0.0.
The automated update process is not currently supported on Windows platforms.
When you add or edit a connector through the Admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST or by editing the provisioner file directly. For more information, see "Configuring Connectors" in the Integrator's Guide.
For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.
A conditional GET request, with the If-Match request header, is not currently supported.
IDM provides an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.
3.3. Known Issues
The following important issues remained open at the time of this release:
OPENIDM-11597: IllegalArgumentException updating external account if trace is enabled
OPENIDM-11704: UI: Can't edit validation policy without specifying a parameter
OPENIDM-11739: Concurrent recons could cause exception deleting interim state instance deleteInterimStateInstance
OPENIDM-11879: Workflow time zone handling is not consistent and leads to unexpected results
OPENIDM-12131: UI javascript errors when a property does not have a nativeType attribute in a provisioner config file
OPENIDM-12149: "/username: Expecting a value" exception when calling the authenticate function of connectors
OPENIDM-12161: IDM does not propagate CAUD transactionId to DS
OPENIDM-12200: Uncaught TypeError in JavaScript console when saving reverse relationship
OPENIDM-12208: Clustered reconciliation fails due to paging cookie from ldap AD
OPENIDM-12248: Data races in state shared across threads in recon
OPENIDM-12259: New assignment is not reflected in onSync script hook when a new role with its members and assignments is created in one REST call
OPENIDM-12283: correlateTreeToQueryFilter.js may be vulnerable to injection
OPENIDM-12319: Audit Event Handler Port only displays first number in UI
OPENIDM-12334: UI: IDM Recon result failure summary doesn't respond to click on "View Entries"
OPENIDM-12354: Admin UI "Change Source to Target Association" button doesn't respond to click
OPENIDM-12379: /openidm/recon endpoint fails on an upgraded repository
OPENIDM-12664: Target phase run when reconById dispatched on mapping configured for clustered recon
OPENIDM-12691: Scheduler performance in IDM 6.x
OPENIDM-12796: jsonstorage "local" self-service with "uuid" option fails in multi-node cluster scenario
OPENIDM-12804: uuid token expiry doesn't work with jdbc repo
OPENIDM-12814: Setting returnByDefault for a relationship property to true could cause reconciliation exception with DJ repo explicit mapping managed user
OPENIDM-12827: Setting returnByDefault to true on relationship properties in managed objects DJ repo could cause missing attributes in sync.json script hooks
OPENIDM-12833: Removing the preferences property causes admin UI mapping/association to stop responding properly
OPENIDM-12877: Exception caught signalling deletion of edge when removing a relationship
OPENIDM-12904: Sending mail with null "to" field causes IDM to hang
OPENIDM-13023: Include an out of the box Oracle specific bnd file in db/oracle/scripts
OPENIDM-13111: !== in mergeWithTarget.js (and possibly other scripts) doesn't check if value is undefined only if value is null
OPENIDM-13129: PATCH remove a field could result in 500 error: Can not add or remove a 'null' value
OPENIDM-13940: Query workflow via REST with non-string parameter
OPENIDM-14290: Internal Server Error reported when entering double quotes into username field
OPENIDM-14501: Reset selfservice stage is checking mail attribute and not identityEmailField
OPENIDM-14505: ManagedObjectSet handling of patch removal of singleton relationship field will prevent successful calculation of virtual properties based on this field
OPENIDM-14538: Exception 412 thrown when multiple updates occur on a single managed/user
OPENIDM-15016: OperationOptions specified within the provisioner configuration are not passed to connectors by OpenIDM
OPENIDM-11597: IllegalArgumentException updating external account if trace is enabled
OPENIDM-11704: UI: Can't edit validation policy without specifying a parameter
OPENIDM-11739: Concurrent recons could cause exception deleting interim state instance deleteInterimStateInstance
OPENIDM-11879: Workflow time zone handling is not consistent and leads to unexpected results
OPENIDM-12038: 'statusCode:null' logged in Audit for successful GET on managed objects
OPENIDM-12149: "/username: Expecting a value" exception when calling the authenticate function of connectors
OPENIDM-12161: IDM does not propagate CAUD transactionId to DS
OPENIDM-12200: Uncaught TypeError in JavaScript console when saving reverse relationship
OPENIDM-12207: UI login fails with non-ASCII username or password
OPENIDM-12208: Clustered reconciliation fails due to paging cookie from ldap AD
OPENIDM-12248: Data races in state shared across threads in recon
OPENIDM-12249: Backport OPENIDM-12248: Data races in state shared across threads in recon
OPENIDM-12259: New assignment is not reflected in onSync script hook when a new role with its members and assignments is created in one REST call
OPENIDM-12283: correlateTreeToQueryFilter.js may be vulnerable to injection
OPENIDM-12319: Audit Event Handler Port only displays first number in UI
OPENIDM-12334: UI: IDM Recon result failure summary doesn't respond to click on "View Entries"
OPENIDM-12354: Admin UI "Change Source to Target Association" button doesn't respond to click
OPENIDM-12379: /openidm/recon endpoint fails on an upgraded repository
OPENIDM-12664: Target phase run when reconById dispatched on mapping configured for clustered recon
OPENIDM-12691: Scheduler performance in IDM 6.x
OPENIDM-12796: jsonstorage "local" self-service with "uuid" option fails in multi-node cluster scenario
OPENIDM-12804: uuid token expiry doesn't work with jdbc repo
OPENIDM-12814: Setting returnByDefault for a relationship property to true could cause reconciliation exception with DJ repo explicit mapping managed user
OPENIDM-12827: Setting returnByDefault to true on relationship properties in managed objects DJ repo could cause missing attributes in sync.json script hooks
OPENIDM-12833: Removing the preferences property causes admin UI mapping/association to stop responding properly
OPENIDM-12877: Exception caught signalling deletion of edge when removing a relationship
OPENIDM-12904: Sending mail with null "to" field causes IDM to hang
OPENIDM-13023: Include an out of the box Oracle specific bnd file in db/oracle/scripts
OPENIDM-13111: !== in mergeWithTarget.js (and possibly other scripts) doesn't check if value is undefined only if value is null
OPENIDM-13124: Backport OPENIDM-13111: !== in mergeWithTarget.js (and possibly other scripts) doesn't check if value is undefined only if value is null
OPENIDM-13129: PATCH remove a field could result in 500 error: Can not add or remove a 'null' value
OPENIDM-13292: IDM trying to initialize SSL Cert for the internal DJ even if it's not configured as the repo, Incompatible with HSM
OPENIDM-13403: Backport OPENIDM-13261: Fix exception in PendingLinkAction.getPendingActionContext
OPENIDM-13683: Using an expired token returns an HTTP 500 error
OPENIDM-13895: Backport OPENIDM-12208: Clustered reconciliation fails due to paging cookie from ldap AD
OPENIDM-13940: Query workflow via REST with non-string parameter
OPENIDM-14163: Workflow: Groovy classpath problem
OPENIDM-14202: SQL script provided with openidm to create the auditdb fails
OPENIDM-14287: cli.sh keytool export and import causes IDM startup failure with 'Invalid AES key length' error
OPENIDM-14501: Reset selfservice stage is checking mail attribute and not identityEmailField
OPENIDM-8052: Cannot create a remote (.NET) connector through the UI
OPENIDM-8122: OpenIDM Cluster incorrectly shows ready and running
OPENIDM-8295: Non-required single relationship properties should be nullable
OPENIDM-8518: Not Found error when accessing a process instance via Admin UI
OPENIDM-9081: WARNING about extensions directory not existing appears in felix console upon restart of IDM
OPENIDM-9339: Clustered recon update may abort due to a Rhino NPE
OPENIDM-9353: IDM does not audit the http response headers in the access audit log
OPENIDM-9791: Error while generating process diagram, image will not be stored in repository
OPENIDM-9828: Performance bottleneck when adding user to role members
OPENIDM-9966: NullPointerException returned when creating a relationship using the source managed object's attribute within the URI and specifying a _fields parameter
OPENIDM-10208: Setting an attribute's minLength applies as a string via Admin UI
OPENIDM-10455: Query and non-read operations not authorised for openidm-admin role with OAuth
OPENIDM-10660: User metadata is logged in the audit log when an object is changed
OPENIDM-10761: Progressive Profiling scripted condition does not include user fields within "object" map
OPENIDM-11050: Mutual SSL authentication failure with external REST
OPENIDM-11370: Activiti workflow mail task goes to default localhost:25
OPENIDM-11536: Cannot set user password for user created through full-stack social registration
OPENIDM-12080: External Email connects to SMTP servers with TLSv1
OPENIDM-12142: Progressive profile page fails to load if attribute wasn't added to the form
OPENIDM-12312: UNIQUE policy on properties other than userName not correctly check during self-registration
OPENIDM-12540: Unable to change openidm-admin password via self service UI
OPENIDM-12591: authzMembers can have duplicate entries when added using openidm.create() in scripts
OPENIDM-12709: Workflow Processes Completed have "Not Found Error" for managed/user
OPENIDM-12778: Schedules to execute a file-based script are generated incorrectly via the Admin UI
OPENIDM-13153: Create a pre-patch for update to 6.0.0.5
OPENIDM-12363: After update NoClassDefFoundError: org/forgerock/openidm/core/MapPropertyResolver
OPENIDM-12379: /openidm/recon endpoint fails on an upgraded repository
Note: OPENIDM-12379 has a workaround where you must run a Groovy script after your update process. Review the issue for background on the problem. To view the script, see "To Apply the 6.0.0.7 Patch Bundle Release" in the Installation Guide.
OPENIDM-12033: proxySystem property in external.rest.json does nothing
OPENIDM-12055: NullPointerException when changing Authentication/Session
OPENIDM-11265: Unable to pause scheduler jobs with REST call
OPENIDM-11370: Activiti workflow mail task goes to default localhost:25
Workaround: Use the external email service described in "Configuring Outbound Email" in the Integrator's Guide.
OPENIDM-10851: Cluster doesn't recognize forcibly killed node on windows
OPENIDM-10833: Cluster widget doesn't show shutdown time for killed node correctly
OPENIDM-10829: PUT modifications to workflow/taskInstance/[_id] return 'Task updated' even when no changes occur
OPENIDM-10828: MongoDB Connector UI configuration has an incorrect documentation link
OPENIDM-10823: UI intermittently doesn't work with the new REST context when using Firefox
OPENIDM-10800: Port does not display correctly in the UI if property substitution is used
OPENIDM-10793: Problems with propvalue column size in properties tables
OPENIDM-10780: IDM does not work with a Luna HSM keystore provider
OPENIDM-10773: IDM does not start up if the parent folder name includes ' -> '
OPENIDM-10761: Progressive Profiling scripted condition does not include user fields within "object" map
OPENIDM-10740: Sharing and Activity (UMA) sections in the Self-Service UI do not display thumbnails
OPENIDM-10736: Attribute substitution not supported for CSV connector filepath
OPENIDM-10733: Compensate hangs when downstream connector is offline
OPENIDM-10696: Full attribute details not available to policies when creating role via relationship collection
OPENIDM-10692: IDM startup can be very slow with a DB2 repo
Workaround: After you have imported the IDM schema for DB2, either run the command db2 connect to dopenidm in a terminal, or run CONNECT TO DOPENIDM in a DB2 interactive command session (as the DB2 instance owner), and keep the session open. IDM should then start with low latency.
OPENIDM-10683: UMA: When a user shares a resource, the recipient doesn't see the share
OPENIDM-10673: The augmentSecurityContext script should still execute when runAs cannot find the user
OPENIDM-10660: User metadata is logged in the audit log when an object is changed
OPENIDM-10653: Password reset fails using explicit tables
OPENIDM-10623: With an embedded DS repo, PATCH remove on a null value does not delete the property
OPENIDM-10603: Unexpected "manager" property in the "before" of activity audit records when patching manager on a user
OPENIDM-10600: Internal error "no deployed process definition found" after deleting process definition
OPENIDM-10579: The policy.js script does not support conditions with type 'queryFilter'
OPENIDM-10578: Unable to specify the authenticationId within augmentSecurityContext script
OPENIDM-10542: IDM decryption fails with AES 256-bit key
OPENIDM-10537: Deleting a previously set field during profile completion does not work
OPENIDM-10455: Query and non-read operations not authorised for openidm-admin role with OAuth
OPENIDM-10400: When configuring a new LDAP Connector config for AD using the Admin UI, the groupMembership, groupType, and groupScope attributes in the user schema are not set up properly
OPENIDM-10286: Idle timeout for JWT authentication module is not working
OPENIDM-10263: Salesforce connector error while accessing data from User and Profile objects
OPENIDM-10072: Scheduler service registered too early by OSGi
OPENIDM-10039: Various Admin UI errors when accessing mappings or data tab using Salesforce sample
OPENIDM-9791: Error while generating process diagram, image will not be stored in repository
OPENIDM-9726: User List sort by Description shows only manually edited users
OPENIDM-9576: Records with missing _sortKeys are not returned in query results
OPENIDM-9521: Backport OPENIDM-6068: Target reconciliation does not finish for large datasets
OPENIDM-9520: Update via REST with PUT removes private fields which are not included in the request
OPENIDM-9517: Backport OPENIDM-5906: PATCH request with null rev invoked twice at the same time causes infinite loop
OPENIDM-9502: Backport OPENIDM-5150: JSON configuration files always reloaded at startup irrespective of modifications
OPENIDM-9446: Random startup failures when using DB2 as a repo
OPENIDM-9360: Align "returnByDefault" behavior between roles and effectiveRoles
OPENIDM-9353: IDM does not audit the http response headers in the access audit log
OPENIDM-9331: Enabling CSV tamper prevention through the Admin UI may fail with a keystore password error
OPENIDM-9138: Unable to create user with virtual attribute defined when using explicit mappings
OPENIDM-9081: WARNING about extensions directory not existing appears in felix console upon restart of IDM
OPENIDM-8659: Property onRetrieve hook returns null even though value is absent
OPENIDM-8518: Not Found error when accessing a process instance via Admin UI
OPENIDM-8295: Non-required single relationship properties should be nullable
OPENIDM-8122: OpenIDM Cluster incorrectly shows ready and running
OPENIDM-8052: Cannot create a remote (.NET) connector through the UI
OPENIDM-7665: Admin UI mapping view returns HTTP 400 error
OPENIDM-6514: JDBC repo errors on startup when using mysql
OPENIDM-6467: syslog audit event handler created although required property not set
OPENIDM-6032: In some situations, the Admin UI does not display the properties of a completed workflow
OPENIDM-5465: Performance Issue updating conditional role memberships
OPENIDM-4149: availableConnectors are not updated after remote ICF shut down
Chapter 4. Compatibility
This chapter covers major and minor changes to existing functionality, as well as deprecated and removed functionality. You must read this chapter before you start a migration from a previous release.
4.1. Important Changes to Existing Functionality
Take the following changes into account when you update to IDM 6.0. These changes will have an impact on existing deployments. Adjust existing scripts and clients accordingly:
There are no important functionality changes in this release.
There are no important functionality changes in this release, other than those listed in IDM 6.0.0.4.
There are no important functionality changes in this release, other than those listed in IDM 6.0.0.4.
- Manual Removal of Old openidm-repo-opendj Bundle during Update
The update process has added an extra manual step to remove any old DS repository openidm-repo-opendj bundle files after updating to IDM 6.0.0.4. Whether this step is required depends on whether the repository you are updating from is JDBC-based or DS-based.
If your repository from a current or previous deployment is JDBC-based, the DS repo bundle (openidm-repo-opendj) is not active and therefore not detected during the update process, so the update process does not remove any older openidm-repo-opendj files. In this case, you must manually remove any older version of the openidm-repo-opendj files, as they will conflict with the newer version of the file that comes with the 6.0.0.4 update.
If your deployment uses the DS repo, there is nothing to do, as the update will successfully perform the replacement.
For more information, see "To Apply the 6.0.0.7 Patch Bundle Release" in the Installation Guide.
- Hostname now set by openidm.host property in boot.properties
By default, the hostname associated with IDM is localhost. This hostname is set in the openidm.host property in the resolver/boot.properties file. When you deploy IDM in production, you must set openidm.host to the URL of your deployment. If you do not do so, calls to the /admin endpoint are not redirected properly. For more information, see "Installing and Running Servers" in the Installation Guide.
- Changes to selfservice-registration.json
Self-registration and auto-login must be configured using the "All-In-One Registration", "IDM User Details Stage", and "Self-Registration Stage" stages.
Configuration options associated with security questions, and Terms & Conditions, have been moved to separate files:
The new selfservice.kba.json file contains security questions. For more information, see "Configuring Security Questions" in the Integrator's Guide.
The new selfservice.terms.json file contains versions and wording related to Terms & Conditions. For more information, see "Adding Terms & Conditions" in the Integrator's Guide.
- Changes to the authentication.json file
The queryOnResource entry has been changed from security/truststore to managed/user. For more information, see "Configuring Client Certificate Authentication" in the Integrator's Guide.
IDM 6.0 includes a second STATIC_USER authentication module at the end of the file for monitoring metrics, using Prometheus:
{
    "name" : "STATIC_USER",
    "properties" : {
        "queryOnResource" : "repo/internal/user",
        "username" : "&{openidm.prometheus.username}",
        "password" : "&{openidm.prometheus.password}",
        "defaultUserRoles" : [ "openidm-prometheus" ]
    },
    "enabled" : true
}
For more information, see "Metrics and Monitoring" in the Integrator's Guide.
- Change to the auditreport endpoint
The reporting service has been made more generic and supports the generation of reports on additional kinds of data. The reporting service is accessible on the openidm/report endpoint. For audit reports, you can access the openidm/report/audit endpoint. For more information, see "Reporting and Monitoring" in the Integrator's Guide.
- Change to the ?_action=authenticate REST call
IDM no longer supports input of user data as a parameter within the URI (system endpoints only).
The following excerpt shows how you can now include user data in a POST:
--data '{ "username" : "bjensen", "password" : "Passw0rd" }' \
For more information, see "Running a script on a system object" in the Integrator's Guide.
- Changes to relationship auditing in the activity log
The way in which relationship changes are audited has changed in this release, for improved performance.
Notification of connected managed objects is now optional when the relationship is created, deleted or changed. Because of this, what is audited is the relationship change itself, rather than the change to the connected managed object.
The audited entry is always relative to the managed object through which the modification took place (that is, the managed object specified in the URL). For example, if a modification to managed/user/psmith creates a relationship to managed/user/bjensen, the logged relationship change will have a _ref to managed/user/bjensen. In the following example, a manager relationship is created between psmith and bjensen with a REST call to managed/user/psmith. The resulting audit entry is as follows:
{
  "transactionId": "fa610b40-bd20-4d8d-9706-b80f81af7835-906",
  "timestamp": "2018-04-05T08:09:15.769Z",
  "eventName": "relationship_created",
  "userId": "openidm-admin",
  "runAs": "openidm-admin",
  "operation": "CREATE",
  "before": {},
  "after": {
    "_ref": "managed/user/bjensen",
    "_refResourceCollection": "managed/user",
    "_refResourceId": "bjensen",
    "_refProperties": {
      "_id": "7935501a-4414-495a-9807-3c124c25be83",
      "_rev": "00000000b0ab969d"
    }
  },
  "changedFields": [],
  "revision": null,
  "message": "Relationship originating from managed/user/psmith via the relationship field manager and referencing managed/user/bjensen was created.",
  "objectId": "managed/user/psmith/manager/7935501a-4414-495a-9807-3c124c25be83",
  "passwordChanged": false,
  "status": "SUCCESS",
  "_id": "fa610b40-bd20-4d8d-9706-b80f81af7835-912"
}
For more information on notification of relationship changes, see "Configuring Relationship Change Notification" in the Integrator's Guide.
- Change to how relationships are queried
Previously, you could query an object's relationships using the _ref property, for example:
"http://localhost:8080/openidm/managed/user/bjensen/authzRoles?_queryFilter=_ref%20co%20%22openidm%22"
Relationships have now been broken out into a resourceCollection and resourceId. Query filters on _ref are no longer supported and queries must explicitly specify the resourceCollection and resourceId. The previous query would be adjusted as follows:
$ curl \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "X-OpenIDM-Username: openidm-admin" \
  --request GET \
  "http://localhost:8080/openidm/managed/user/bjensen/authzRoles?_queryFilter=_refResourceCollection+eq+'repo%2Finternal%2Frole'+and+_refResourceId+co+'openidm'"
{
  "result": [
    {
      "_id": "3432ac47-9e4b-488d-8c4b-0db467e614aa",
      "_rev": "00000000b1eda159",
      "_ref": "repo/internal/role/openidm-authorized",
      "_refResourceCollection": "repo/internal/role",
      "_refResourceId": "openidm-authorized",
      "_refProperties": {
        "_id": "3432ac47-9e4b-488d-8c4b-0db467e614aa",
        "_rev": "00000000b1eda159"
      }
    }
  ],
  ...
}
- New GUID format for AD objects created with the LDAP connector
The LDAP connector no longer appends <GUID= to the object GUID. The new GUID format is compatible with objects created using the AD Powershell Connector, for example e1418d64-096c-4cb0-b903-ebb66562d99d. In existing deployments, this might mean that your links are incompatible with the new GUID format. To update links to the new format, run a reconciliation operation. To retain the legacy behavior, set "useOldADGUIDFormat" : true in your provisioner file.
- Changes to the structure of the relationships table
The way in which relationships are stored in the relationships table has changed. This table now has explicit columns for the relationship properties. An update script is provided for each repository type to convert existing data to the new table structure (*_hybridize_relationships_table.sql). For more information about the update scripts required for your repository, see "Repository Update Scripts" in the Installation Guide.
- Changed parameter for reconciliation by ID
In previous releases, the reconById action took an ids parameter to specify the ID to be reconciled. This action now takes an id parameter instead. For more information, see "Restricting Reconciliation to a Specific ID" in the Integrator's Guide.
- Changes to predefined queries
For improved relationship performance, a number of predefined queries for generic mappings have been modified. Any query that is run on a managed object endpoint now requires the objectid, rev and fullobject columns to be included in the select statement.
Similarly, predefined queries that are mapped to an explicit table and that return the full object must select ALL of the columns that are mapped to the object in the repo.jdbc.json file. No column changes are required for predefined queries that do not return full objects (for example, query-all-ids), or that do not return relationship data.
If you have not customized the queries in your repository configuration file (repo.jdbc.json), you have nothing to do; the affected queries are patched as part of the update process. If you have customized your predefined queries, update these queries to include the objectid and rev columns.
For example, the query-all query for a MySQL repository changes from:
"query-all" : "SELECT fullobject FROM (SELECT obj.fullobject, row_number() OVER (ORDER BY obj.id) AS row_next FROM ${_dbSchema}.${_mainTable} obj , ${_dbSchema}.objecttypes o WHERE obj.objecttypes_id = o.id AND o.objecttype = ${_resource}) AS query_all_id_temp WHERE row_next BETWEEN ${int:_pagedResultsOffset} + 1 AND ${int:_pagedResultsOffset} + ${int:_pageSize}",
to:
"query-all" : "SELECT obj.objectid, obj.rev, obj.fullobject FROM (SELECT obj.objectid, obj.rev, obj.fullobject, row_number() OVER (ORDER BY obj.id) AS row_next FROM ${_dbSchema}.${_mainTable} obj , ${_dbSchema}.objecttypes o WHERE obj.objecttypes_id = o.id AND o.objecttype = ${_resource}) AS query_all_id_temp WHERE row_next BETWEEN ${int:_pagedResultsOffset} + 1 AND ${int:_pagedResultsOffset} + ${int:_pageSize}",
For more information about these queries, see "Using Generic Mappings With a JDBC Repository" in the Integrator's Guide.
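Customized predefined queries are easy to overlook during the update, and a query that silently drops objectid or rev only fails once a relationship is read. The following added example (not ForgeRock code) applies the rule stated above to the SQL strings of a repo.jdbc.json "queries" section: it extracts the column list of the outermost SELECT and reports which of objectid, rev and fullobject are missing. The caller says which queries return full objects, because the notes exempt id-only and relationship-free queries; the two query-all strings are the ones quoted above, and the id-only query is constructed for the example.

```python
"""Check that predefined repository queries select the columns IDM 6.0
requires. Added example, not ForgeRock code: it applies the rule from the
release notes (queries returning full managed objects from generic tables
must select objectid, rev and fullobject) to the SQL strings of a
repo.jdbc.json "queries" section.
"""
import re

REQUIRED_COLUMNS = ("objectid", "rev", "fullobject")


def outer_select_columns(sql):
    """Column expressions of the outermost SELECT: the text between the first
    SELECT and the FROM at parenthesis depth 0, split on depth-0 commas.
    Sufficient for the predefined queries; not a general SQL parser."""
    start = re.search(r"\bSELECT\b", sql, re.I)
    if not start:
        raise ValueError("no SELECT in query")
    pos = start.end()
    depth, segment_start, columns = 0, pos, []
    for token in re.finditer(r"\(|\)|,|\bFROM\b", sql[pos:], re.I):
        text = token.group(0)
        if text == "(":
            depth += 1
        elif text == ")":
            depth -= 1
        elif depth == 0:  # a top-level comma, or the FROM that ends the list
            columns.append(sql[segment_start:pos + token.start()].strip())
            if text.upper() == "FROM":
                return [c for c in columns if c]
            segment_start = pos + token.end()
    raise ValueError("no top-level FROM in query")


def column_name(expression):
    """'obj.rev AS rev' -> 'rev'; 'obj.fullobject' -> 'fullobject'."""
    alias = re.search(r"\bAS\s+(\w+)\s*$", expression, re.I)
    if alias:
        return alias.group(1).lower()
    return expression.rsplit(".", 1)[-1].strip().lower()


def missing_columns(sql, required=REQUIRED_COLUMNS):
    """Required columns absent from the outer SELECT, as a tuple."""
    names = {column_name(c) for c in outer_select_columns(sql)}
    if "*" in names:
        return ()
    return tuple(c for c in required if c not in names)


def audit_predefined_queries(queries, full_object_queries):
    """queries: {name: sql}. Returns {name: missing columns} for each listed
    full-object query that would break after the update."""
    report = {}
    for name in full_object_queries:
        missing = missing_columns(queries[name])
        if missing:
            report[name] = missing
    return report


# The two query-all forms are the ones quoted in the notes (MySQL); the
# id-only query is constructed for this example.
SAMPLE_QUERIES = {
    "query-all-legacy": "SELECT fullobject FROM (SELECT obj.fullobject, row_number() OVER (ORDER BY obj.id) AS row_next FROM ${_dbSchema}.${_mainTable} obj , ${_dbSchema}.objecttypes o WHERE obj.objecttypes_id = o.id AND o.objecttype = ${_resource}) AS query_all_id_temp WHERE row_next BETWEEN ${int:_pagedResultsOffset} + 1 AND ${int:_pagedResultsOffset} + ${int:_pageSize}",
    "query-all": "SELECT obj.objectid, obj.rev, obj.fullobject FROM (SELECT obj.objectid, obj.rev, obj.fullobject, row_number() OVER (ORDER BY obj.id) AS row_next FROM ${_dbSchema}.${_mainTable} obj , ${_dbSchema}.objecttypes o WHERE obj.objecttypes_id = o.id AND o.objecttype = ${_resource}) AS query_all_id_temp WHERE row_next BETWEEN ${int:_pagedResultsOffset} + 1 AND ${int:_pagedResultsOffset} + ${int:_pageSize}",
    "query-all-ids": "SELECT obj.objectid FROM ${_dbSchema}.${_mainTable} obj, ${_dbSchema}.objecttypes o WHERE obj.objecttypes_id = o.id AND o.objecttype = ${_resource}",
}

if __name__ == "__main__":
    print(audit_predefined_queries(SAMPLE_QUERIES, ["query-all-legacy", "query-all"]))
```

Run it against the "queries" section of your own repo.jdbc.json, listing the names of every customized query that returns full objects; an empty report means the column requirement is met.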
- Change to proxy configuration for external REST service
In previous releases, configuring a proxy for the external REST service was achieved by setting the proxySystem property in the external.rest.json configuration file. There is now a system-wide HTTP client configuration that includes proxy settings. For more information, see "Configuring HTTP Clients" in the Integrator's Guide.
4.2. ICF and Connector Changes
The following ICF and connector changes appeared in IDM 6.0.0 and will have an impact on existing IDM deployments that use those connectors:
- LDAP Connector Change for Active Directory GUID (OPENICF-760)
Previous versions of the LDAP connector appended <GUID= to the GUID for Active Directory objects. This behavior ensured compatibility with the legacy .NET connector.
The LDAP connector no longer appends <GUID= to the object GUID. The new GUID format is compatible with objects created using the AD Powershell Connector, for example e1418d64-096c-4cb0-b903-ebb66562d99d. In existing deployments, this might mean that your links are incompatible with the new GUID format. To update links to the new format, run a reconciliation operation. To retain the legacy behavior, set "useOldADGUIDFormat" : true in your provisioner file.
- Refactored Groovy Connector
The Groovy connector that is bundled with this IDM release has been refactored. Custom connectors that depend on the Groovy connector need to be updated.
Check the dependencies in the new Groovy connector (version 1.5.20.0) and rebuild your custom connector with the updated dependencies. You might also need to adapt some of the imports in your Groovy scripts.
A temporary workaround to avoid rebuilding the custom connector is to use the previous version of the Groovy connector from your IDM 5.5 installation:
In your IDM 6.0 installation, delete the bundled Groovy connector:
cd /path/to/openidm
rm lib/groovy-connector-1.5.20.0.jar
Copy the connector that is bundled with IDM 5.5 to your version 6.0 lib directory:
cp /path/to/openidm-55/lib/groovy-connector-1.4.4.0.jar lib/
Test that IDM starts and that your connector works as expected.
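The Active Directory GUID change in this section (OPENICF-760, also listed under Important Changes to Existing Functionality) means that links written before the update carry the GUID in the old wrapped form while the connector now returns the plain dashed form. The following added example (not ForgeRock or ICF code) normalises both forms to one canonical value, so that you can compare stored link targets with live connector output and find the links a reconciliation will need to rewrite before switching useOldADGUIDFormat off. It assumes the legacy value closed with ">" and accepts the hex digits with or without dashes; the sample links are constructed.

```python
"""Normalise Active Directory object GUIDs across the IDM 6.0 LDAP connector
change (OPENICF-760). Added example, not ForgeRock or ICF code.

The notes state that older LDAP connector versions prefixed the GUID with
<GUID= and that the new format is the plain dashed form, for example
e1418d64-096c-4cb0-b903-ebb66562d99d. Assumption: the legacy value closed
with ">" and may carry the hex digits with or without dashes.
"""
import re
import uuid

LEGACY_GUID = re.compile(r"^<GUID=([0-9a-fA-F-]+)>?$")
HEX_32 = re.compile(r"^[0-9a-fA-F]{32}$")


def is_legacy_format(value):
    """True for a GUID still wrapped in the pre-6.0 <GUID=...> form."""
    return LEGACY_GUID.match(value.strip()) is not None


def normalize_ad_guid(value):
    """Canonical lower-case dashed GUID for either format; raises on anything
    that is not 32 hex digits once the wrapper and dashes are removed."""
    value = value.strip()
    match = LEGACY_GUID.match(value)
    digits = (match.group(1) if match else value).replace("-", "")
    if not HEX_32.match(digits):
        raise ValueError("not an AD object GUID: %r" % value)
    return str(uuid.UUID(hex=digits))


def same_object(a, b):
    """Whether two GUID strings, in either format, name the same AD object."""
    return normalize_ad_guid(a) == normalize_ad_guid(b)


def find_stale_links(links):
    """links: iterable of (link id, stored AD-side id) pairs, constructed here
    rather than read from the repository. Returns the link ids whose stored
    id is still in the legacy format; after the update these no longer match
    what the connector returns until a reconciliation relinks them."""
    return [link_id for link_id, stored in links if is_legacy_format(stored)]


# Constructed sample: one link written before and one after the change.
SAMPLE_LINKS = [
    ("link-1", "<GUID=e1418d64-096c-4cb0-b903-ebb66562d99d>"),
    ("link-2", "0f2f7d5c-3c61-4a3e-9f0e-2b6d1c0a9e11"),
]

if __name__ == "__main__":
    print(find_stale_links(SAMPLE_LINKS))  # ['link-1']
```

Comparing through normalize_ad_guid() rather than by string equality is what lets a migration check run while both formats are still present in the repository.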
4.3. Deprecated Functionality
The following functionality is deprecated in IDM 6.0 and is likely to be removed in a future release.
Support for the TLSv1.1 protocol has been deprecated and will be removed in a future release. For more information on the potential vulnerability, see CVE-2011-3389 in the National Vulnerability Database from the US National Institute of Standards and Technology.
The default security protocol for IDM is TLSv1.2. Do not downgrade this protocol to TLSv1.1 unless necessary. For more information, see "Setting the TLS Version" in the Integrator's Guide.
The ability to update servers by using the UI is deprecated and will be removed in the next release. You can still update from IDM 5.5 to IDM 6.0 through the UI, but UI update will no longer be available after this release.
In schedule configurations, setting a time zone using the timeZone field is deprecated. To specify a time zone for schedules, use the startTime and endTime fields, as described in "Configuring Schedules" in the Integrator's Guide.
Support for the MD5 and SHA-1 hash algorithms is deprecated and will be removed in a future release. You should use more secure algorithms in a production environment. For a list of supported hash algorithms, see "Encoding Attribute Values by Using Salted Hash Algorithms" in the Integrator's Guide.
boot.properties has moved. It was previously located in project-dir/conf/boot, and is now located in install-dir/resolver/.
The following directory variables have been deprecated and replaced:
&{launcher.working.location} is now &{idm.data.dir}
&{launcher.working.url} is now &{idm.data.url}
&{launcher.install.location} is now &{idm.install.dir}
&{launcher.install.url} is now &{idm.install.url}
&{launcher.project.location} is now &{idm.instance.dir}
&{launcher.project.url} is now &{idm.instance.url}
The Active Directory (AD) .NET Connector is deprecated and support for its use in IDM will be removed in a future release.
For simple Active Directory (and Active Directory LDS) deployments, the Generic LDAP Connector works better than the Active Directory connector, in most circumstances. For more information, see "Generic LDAP Connector" in the Connector Reference.
For more complex Active Directory deployments, use the PowerShell Connector Toolkit, as described in "PowerShell Connector Toolkit" in the Connector Reference.
Note that deprecating the AD Connector has no impact on the PowerShell connector, or on the .NET Connector Server.
When configuring connectors (see "Configuring Connectors" in the Integrator's Guide), you can set up nativeType property level extensions. The JAVA_TYPE_DATE extension is deprecated.
Support for a POST request with ?_action=patch is deprecated when patching a specific resource. Support for a POST request with ?_action=patch is retained when patching by query on a collection.
Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead. For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe's entry:
$ curl \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "Content-Type: application/json" \
  --request POST \
  --header "X-HTTP-Method-Override: PATCH" \
  --data '[ { "operation":"replace", "field":"/description", "value":"The new description for Jdoe" } ]' \
  "http://localhost:8080/openidm/managed/user/jdoe"
No additional functionality is deprecated at this time.
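Several of the deprecations in this section are settings that sit quietly in JSON configuration files until a later release removes them: the launcher.* directory variables, the schedule timeZone field, MD5 or SHA-1 hash algorithms, the JAVA_TYPE_DATE nativeType extension, and an explicit TLSv1.1 selection. The following added example (not ForgeRock code) walks parsed configuration files and reports each occurrence with its JSON path and the replacement named above. It assumes that schedule files are named schedule-*.json and that a hash algorithm is configured under a key named "algorithm"; the sample files are constructed for the example.

```python
"""Scan IDM 6.0 configuration for settings deprecated in these release notes.

Added example, not ForgeRock code. Deprecated items and replacements come
from the notes. Assumptions of this example: schedules live in files named
schedule-*.json, the hash algorithm sits under a key named "algorithm", and
the sample configuration below is constructed, not from a real deployment.
"""

LAUNCHER_VARIABLES = {  # old variable -> replacement, from the notes
    "&{launcher.working.location}": "&{idm.data.dir}",
    "&{launcher.working.url}": "&{idm.data.url}",
    "&{launcher.install.location}": "&{idm.install.dir}",
    "&{launcher.install.url}": "&{idm.install.url}",
    "&{launcher.project.location}": "&{idm.instance.dir}",
    "&{launcher.project.url}": "&{idm.instance.url}",
}
DEPRECATED_HASHES = ("MD5", "SHA-1")


def scan(config, path="$", is_schedule=False):
    """Walk a parsed JSON config; return (json path, message) findings."""
    findings = []
    if isinstance(config, dict):
        for key, value in config.items():
            here = "%s.%s" % (path, key)
            if is_schedule and key == "timeZone":
                findings.append((here, "schedule timeZone is deprecated; "
                                 "set the zone in startTime and endTime"))
            if key == "algorithm" and str(value).upper() in DEPRECATED_HASHES:
                findings.append((here, "%s hashing is deprecated; use a "
                                 "stronger salted hash algorithm" % value))
            if key == "nativeType" and value == "JAVA_TYPE_DATE":
                findings.append((here, "JAVA_TYPE_DATE nativeType extension "
                                 "is deprecated"))
            findings.extend(scan(value, here, is_schedule))
    elif isinstance(config, list):
        for index, item in enumerate(config):
            findings.extend(scan(item, "%s[%d]" % (path, index), is_schedule))
    elif isinstance(config, str):
        for old, new in LAUNCHER_VARIABLES.items():
            if old in config:
                findings.append((path, "%s is deprecated; use %s" % (old, new)))
        if config == "TLSv1.1":
            findings.append((path, "TLSv1.1 is deprecated; keep the default TLSv1.2"))
    return findings


def scan_files(files):
    """files: {file name: parsed JSON}. Returns (file, path, message) triples."""
    results = []
    for name, config in sorted(files.items()):
        for path, message in scan(config, is_schedule=name.startswith("schedule-")):
            results.append((name, path, message))
    return results


# Constructed sample configuration, one deprecated setting per concern.
SAMPLE_FILES = {
    "schedule-recon.json": {
        "enabled": True, "type": "cron", "schedule": "0 0 * * * ?",
        "timeZone": "Europe/Paris",
        "invokeService": "sync",
        "invokeContext": {"action": "reconcile",
                          "mapping": "systemCsvAccounts_managedUser"},
    },
    "managed.json": {"objects": [{"name": "user", "schema": {"properties": {
        "password": {"type": "string", "secureHash": {"algorithm": "SHA-1"}}}}}]},
    "provisioner.openicf-csv.json": {
        "configurationProperties": {
            "csvFile": "&{launcher.project.location}/data/hr.csv"},
        "objectTypes": {"account": {"properties": {
            "lastLogin": {"type": "string", "nativeType": "JAVA_TYPE_DATE"}}}},
    },
}

if __name__ == "__main__":
    for name, path, message in scan_files(SAMPLE_FILES):
        print("%s %s: %s" % (name, path, message))
```

Point scan_files() at the parsed contents of a project's conf directory; each finding names the file and JSON path, so the replacement can be made before the next update rather than after a removal breaks startup.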
4.4. Removed Functionality
The following functionality was removed in IDM 6.0.0:
Support for the TLSv1.0 protocol has been removed. For more information, see the following PDF: Migrating from SSL and Early TLS from the PCI Security Standards Council.
The default security protocol for IDM is TLSv1.2. Do not downgrade this protocol unless you have a specific need.
The ability to update IDM through the Admin UI has been removed from IDM 6.
If you're updating IDM from version 5.5 to 6.0.0.7, you must first update from 5.5 to 6, then to 6.0.0.7.
The OPENAM_SESSION authentication module has been removed. If you are integrating IDM with ForgeRock Access Management (AM), you should use the OAUTH_CLIENT module instead. For an example, see "Integrating IDM With the ForgeRock Identity Platform" in the Samples Guide.
Support for the Security Management Service has been removed. As a part of this change, the securitykeys table has been removed from the database schema. If you are updating from a previous version of IDM, an update script is available in the openidm/db/repo/scripts/updates directory to delete this table from existing repositories. For more information about updating your IDM instance, see "Updating Servers" in the Installation Guide.
Support for a POST request with ?_action=sendEmail when sending an email with a REST call has been removed. Support for a POST request with ?_action=send is retained, on the /openidm/external/email endpoint. For an example of this REST call, see "Sending Mail Over REST" in the Integrator's Guide.
4.5. Functionality That Will Change in the Future
No major functionality is planned to change at this time.
Chapter 5. Documentation Updates
"Documentation Change Log" tracks important changes to the documentation:
Date | Description |
---|---|
2021-12-07 | |
2021-05-10 | |
2021-03-11 | |
2020-07-18 | Added a description for the maxTokenSize property of the IWA authentication module. |
2020-06-04 | Initial release of IDM 6.0.0.6. The following items were added: |
2020-05-14 | Added missing |
2020-04-08 | Updated the PostgreSQL repository instructions to indicate that index tuning is required. |
2020-03-20 | Fixed outdated Bootstrap version references in the Integrator's Guide. |
TBD - Add date before republishing | |
2019-09-10 | Revised the logging documentation to include security advice on logging levels. See "Specifying the Logging Level" in the Integrator's Guide and "Updating |
2019-08-19 | Added information on restricting the maximum payload size in HTTP requests ("Restricting the HTTP Payload Size" in the Integrator's Guide). |
2021-12-07 | Initial release of IDM 6.0.0.5. |
2019-02-11 | Release of the IDM 6.0.0.4 maintenance release. |
2018-11-05 | Release of the IDM 6.0.0.3 maintenance release. |
2018-09-03 | Release of the IDM 6.0.0.2 patch release. |
2018-08-13 | Release of the IDM 6.0.0.1 patch release. |
2018-07-16 | Added Oracle Database 12cR1 (12.1) to the list of supported repositories. |
2018-06-20 | Updated the instructions in "Configuring IDM For a Hardware Security Module (HSM) Device" in the Integrator's Guide to specify that symmetric keys must use an HMAC algorithm. |
Chapter 6. How to Report Problems and Provide Feedback
If you have questions regarding IDM software that are not answered by the documentation, you can ask questions on the forum at https://forgerock.org/forum/fr-projects/openidm/.
When requesting help with a problem, include the following information:
Description of the problem, including when the problem occurs and its impact on your operation
Description of the environment, including the following information:
Machine type
Operating system and version
Repository type and version
Java version
IDM release version
Any patches or other software that might be affecting the problem
Steps to reproduce the problem
Any relevant access and error logs, stack traces, or core dumps
Appendix A. Release Levels and Interface Stability
This appendix includes ForgeRock definitions for product release levels and interface stability.
A.1. ForgeRock Product Release Levels
ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.
Release Label | Version Numbers | Characteristics |
---|---|---|
Major | Version: x[.0.0] (trailing 0s are optional) | |
Minor | Version: x.y[.0] (trailing 0s are optional) | |
Maintenance, Patch | Version: x.y.z[.p] The optional | |
A.2. ForgeRock Product Interface Stability
ForgeRock products support many protocols, APIs, GUIs, and command-line interfaces. Some of these interfaces are standard and very stable. Others offer new functionality that is continuing to evolve.
ForgeRock acknowledges that you invest in these interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines interface stability labels and uses these definitions in ForgeRock products.
Stability Label | Definition |
---|---|
Stable | This documented interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect. |
Evolving | This documented interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release. While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality. |
Deprecated | This interface is deprecated and likely to be removed in a future release. For previously stable interfaces, the change was likely announced in a previous release. Deprecated interfaces will be removed from ForgeRock products. |
Removed | This interface was deprecated in a previous release and has now been removed from the product. |
Technology Preview | Technology previews provide early access to new features built on evolving technology that is not yet supported. Technology preview features may be functionally incomplete, and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT. Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums. ForgeRock does not guarantee that a technology preview feature will be present in future releases; the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, that feature becomes part of the ForgeRock platform. Technology previews are provided on an "AS-IS" basis for evaluation purposes only, and ForgeRock accepts no liability or obligations for the use thereof. |
Internal/Undocumented | Internal and undocumented interfaces can change without notice. If you depend on one of these interfaces, contact ForgeRock support or email info@forgerock.com to discuss your needs. |
Appendix B. Getting Support
For more information and resources about IDM and ForgeRock support, see the following sections:
B.1. Accessing Documentation Online
ForgeRock publishes comprehensive documentation online:
The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.
While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.
ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.
B.2. Using the ForgeRock.org Site
The ForgeRock.org site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.
If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.
B.3. Getting Support and Contacting ForgeRock
ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.forgerock.com.
ForgeRock has staff members around the globe who support our international customers and partners. For details on ForgeRock's support offering, including support plans and service level agreements (SLAs), visit https://www.forgerock.com/support.