Notes covering ForgeRock® Identity Management software requirements, fixes, and known issues. This software offers flexible services for automating management of the identity life cycle.

About ForgeRock Identity Management Software

ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.

The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.

IDM software provides centralized, simple management and synchronization of identities for users, devices and things.

IDM software is highly flexible and therefore able to fit almost any use case and workflow.

These release notes are written for anyone using the IDM 6.0 release. Read these notes before you install or upgrade IDM software.

These release notes cover the following topics:

  • A list of the major new features and functionality provided with this release

  • Hardware and software prerequisites for installing and upgrading IDM software

  • Compatibility with previous releases

  • Potential upcoming deprecation and removals that affect scripts and applications

  • Issues fixed since the previous release

  • Known issues open at the time of release

See the Installation Guide after you read these Release Notes. The Installation Guide covers installation and upgrade for IDM software.

Chapter 1. What's New

This chapter covers new capabilities in IDM.

1.1. Patch Bundle Releases

ForgeRock patch bundle releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. For general information on ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.

IDM 6.0.0.7
  • IDM 6.0.0.7 is the latest patch bundle release targeted for IDM 6.0 deployments and can be downloaded from the ForgeRock Backstage website. To view the list of fixes in this release, see Fixed Issues in IDM 6.0.0.7.

    The IDM 6.0.0.7 patch bundle release is cumulative and contains all the fixes included in the previous patch bundle releases.

    The release can be deployed as an initial deployment or updated from an existing deployment. For more information on either update method, see "Updating Servers" in the Installation Guide.

1.2. New Features

What's New in IDM 6.0.0.7
  • The connectors bundled with IDM 6.0.0.7 have all been upgraded to version 1.5.20.0. For details of these connector versions, see the latest release of the Connector Release Notes.

What's New in IDM 6.0.0.6
  • No new features were introduced in this release, only bug fixes.

What's New in IDM 6.0.0.5
  • No new features were introduced in this release, only bug fixes.

What's New in IDM 6.0.0.4
  • No new features were introduced in this release, only bug fixes.

What's New in IDM 6.0.0.3
  • No new features were introduced in this release, only bug fixes.

What's New in IDM 6.0.0.2
  • No new features were introduced in this release, only bug fixes.

What's New in IDM 6.0.0.1
  • No new features were introduced in this release, only bug fixes.

What's New in IDM 6.0.0

This release of IDM 6.0 software includes the following new features:

ForgeRock Directory Services (DS) as a supported repository

An external DS instance is now supported as a repository in production environments. For more information, see "Using an External DS Repository" in the Installation Guide.

Support for PostgreSQL 10 and DB2 11

IDM 6.0 supports PostgreSQL version 10 and DB2 version 11 as repositories. For a list of repositories that are supported in production, see "Supported Repositories".

Improved performance around relationships

The relationships mechanism has been refactored for substantial performance improvement. Much of this refactoring involves the notification process of relationship changes. For more information, see "Configuring Relationship Change Notification" in the Integrator's Guide.

Support for progressive profile completion

Progressive profile completion enables you to enhance the information you have about registered users. For more information, see "Progressive Profile Completion" in the Integrator's Guide.

Privacy and consent management

IDM now supports managing Privacy and Consent for users who self-register directly through IDM or through a social identity provider. For more information, see "Configuring Privacy & Consent" in the Integrator's Guide.

Enhancements to self-service processes

This release includes the following enhancements to the self-service functionality:

General enhancements to the Admin UI

Numerous improvements have been made to the Admin UI, including:

Property value substitution

This release provides improved support for property value substitution in the server configuration. For more information, see "Using Property Value Substitution" in the Integrator's Guide.

Support for monitoring using Prometheus

IDM now provides support for viewing metrics through external resources such as Prometheus and Grafana. For more information, see "Metrics and Monitoring" in the Integrator's Guide.

The lastChanged property has been removed from the schema

The lastChanged property, previously part of the managed object, is no longer stored within the object itself, but as metadata in a separate resource location. For more information, see "Tracking Metadata For Managed Objects" in the Integrator's Guide.

New connectors

IDM 6.0 bundles the following new connectors:

For installation instructions, see "Preparing to Install and Run Servers" in the Installation Guide.

Several samples are provided to familiarize you with the IDM features. For more information, see "Overview of the Samples" in the Samples Guide.

For an architectural overview and a high-level presentation of IDM, see "Architectural Overview" in the Integrator's Guide.

1.3. Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.

Chapter 2. Before You Install

This chapter covers requirements to consider before you run IDM software, especially before you run the software in your production environment.

If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.

2.1. Supported Repositories

The following repositories are supported for use in production:

  • ForgeRock Directory Services (DS) 6.0

    By default, IDM uses an embedded DS instance for testing purposes. The embedded instance is not supported in production. If you want to use DS as a repository in production, you must set up an external instance.

  • MySQL version 5.6 and 5.7 with MySQL JDBC Driver Connector/J 5.1.18 or later

  • MariaDB version 10.0, 10.1, and 10.2 with MySQL JDBC Driver Connector/J 5.1.18 or later

  • Microsoft SQL Server 2012, 2014, and 2016

  • Oracle Database 11gR2, 12c, and 12cR1 (12.1)

  • PostgreSQL 9.3.10, 9.4.5, 9.6, and 10

  • IBM DB2 10.1, 10.5, and 11

2.2. Containers

You must install IDM as a stand-alone service, using Apache Felix and Jetty, as provided. Alternate containers are not supported.

IDM bundles Jetty version 9.2.

2.3. Supported Connectors

IDM bundles the following connectors:

  • Adobe CM Connector

  • CSV File Connector

  • Database Table Connector

  • Google Apps Connector

  • Groovy Connector Toolkit

    This toolkit enables you to create scripted connectors to virtually any resource.

  • Kerberos Connector

  • LDAP Connector

  • Marketo Connector

  • MongoDB Connector

  • Salesforce Connector

  • SCIM Connector

  • Scripted REST Connector

  • Scripted SQL Connector

  • ServiceNow Connector

  • Scripted SSH Connector

  • Workday Connector

A PowerShell Connector Toolkit is available for download from ForgeRock's BackStage site. This Toolkit enables you to create scripted connectors to address the requirements of your Microsoft Windows ecosystem.

Additional connectors are available from ForgeRock's BackStage site.

Use of the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).

Windows 2012 R2 is supported as the remote system for connectors and password synchronization plugins.

The following table lists the supported connectors, connector servers, and password synchronization plugins for this IDM release.

Supported Connectors, Connector Servers, and Plugins (Connector/Plugin: Supported Version)

  • Adobe CM Connector: 1.5.20.0

  • CSV File Connector: 1.5.20.0

  • Database Table Connector: 1.5.20.0

  • Google Apps Connector: 1.5.20.0

  • Groovy Connector Toolkit: 1.5.20.0

  • Kerberos Connector: 1.5.20.0

  • LDAP Connector: 1.5.20.0

  • Marketo Connector: 1.5.20.0

  • MongoDB Connector: 1.5.20.0

  • PowerShell Connector Toolkit: 1.5.20.0

  • Salesforce Connector: 6.0.0

  • SAP Connector: 1.5.0.0

  • SCIM Connector: 1.5.20.0

  • Scripted REST Connector: 1.5.20.0

  • Scripted SQL Connector: 1.5.20.0

  • ServiceNow Connector: 1.5.20.0

  • Workday Connector: 1.5.20.0

  • Active Directory Connector: 1.4.0.0

  • Java Connector Server: 1.5.20.0, 1.5.2.0, 1.5.1.0, 1.5.0.0, 1.4.1.0

  • .NET Connector Server: 1.5.20.0, 1.5.2.0, 1.5.1.0, 1.5.0.0, 1.4.1.0

  • DS Password Synchronization Plugin: 6.0.0 (supported with DS 6.0.0); 5.5.0 (supported with DS 5.5.0); 5.0.0 (supported with DS 5.0.0); 3.5.0 (supported with OpenDJ 3.5.0). DS Password Sync plugins are not supported with DS OEM.

  • Active Directory Password Synchronization Plugin: 1.7.0, 1.5.0, 1.4.0, 1.3.0, 1.2.0, and 1.1.0, supported on Windows 2008 R2, Windows 2012 R2, and Windows 2016

Note

Because version 1.4.0 can fail to make a secure connection with certain Windows versions, ForgeRock recommends using a later version.


You must use the supported versions of the .NET Connector Server, or the Java Connector Server. The 1.5.x Java Connector Server is backward compatible with the version 1.1.x connectors. The 1.5.x .NET Connector Server is compatible only with the 1.4.x and 1.5.x connectors.

The 1.5.20.0 .NET connector server requires the .NET framework (version 4.5 or later) and is supported on Windows Server 2008 R2 and 2012 R2.

Important

Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in the Samples Guide.

2.4. Choosing a Browser

ForgeRock has tested many browsers with the IDM UI, including the following browsers:

  • Chrome and Chromium, latest stable version

  • Firefox, latest stable version

  • Safari, latest stable version

  • Internet Explorer 11 and later

2.5. Choosing an Operating System

IDM is supported on the following operating systems:

  • Red Hat Enterprise Linux (and CentOS Linux) 6.5 and later, 7.x

  • Ubuntu Linux 16.04

  • Windows 2008 R2, 2012 R2, 2016

2.6. Preparing the Java Environment

IDM requires Java 8; at a minimum, the Java Standard Edition runtime environment (JRE) must be installed.

ForgeRock validates IDM software with Oracle JDK and OpenJDK, and does occasionally run sanity tests with other JDKs. Support for very specific Java and hardware combinations is best-effort. This means that if you encounter an issue when using a particular JVM/hardware combination, you must also demonstrate the problem on a system that is widespread and easily tested by any member of the community.

ForgeRock recommends that you keep your Java installation up to date with the latest security fixes.

Note

If you are using the Oracle JDK and you use 2048-bit SSL certificates, you must install the Unlimited JCE policy to enable IDM to use those certificates.

Download and install the Unlimited JCE Policy for Java 8 from the Oracle Technetwork site. Unzip the JCE zip file and install the JCE policy JAR files in the /lib/security folder of the JRE.
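A quick way to confirm that the policy files were picked up by the JRE that actually starts IDM is to ask the JCE framework for the maximum key length it permits. The following check is an added example, not part of the ForgeRock release notes or the IDM code base; it uses only the standard javax.crypto.Cipher.getMaxAllowedKeyLength API. With the limited policy in effect, the JRE reports 128 for AES; with the Unlimited JCE policy installed, it reports Integer.MAX_VALUE.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;

// Added check (not from the release notes): report whether the running JRE has
// unlimited-strength cryptography enabled, and which installation's
// lib/security folder the policy JAR files belong in if it does not.
public class JcePolicyCheck {

    // Returns true when the unlimited-strength JCE policy is in effect.
    // Under the limited policy, getMaxAllowedKeyLength("AES") returns 128.
    public static boolean unlimitedStrengthAvailable() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String javaHome = System.getProperty("java.home");
        int maxAesBits = Cipher.getMaxAllowedKeyLength("AES");

        System.out.println("java.home        = " + javaHome);
        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("max AES key bits = " + maxAesBits);

        if (unlimitedStrengthAvailable()) {
            System.out.println("Unlimited-strength JCE policy is active.");
        } else {
            // Point at the exact folder the release notes refer to for this JRE.
            System.out.println("Limited JCE policy detected: install the Unlimited JCE policy "
                    + "JAR files under " + javaHome + "/lib/security and re-run this check.");
            System.exit(1);
        }
    }
}
```

Compile and run it with the same java binary that launches IDM (for example, the one on the PATH used by startup.sh), because java.home in the output identifies which installation's lib/security folder the policy files must go into; installing them into a different JRE has no effect on IDM. Note that Oracle JDK 8u161 and later ship with the unlimited policy enabled by default, so the check also tells you whether the installation step is needed at all.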

2.7. Fulfilling Memory and Disk Space Requirements

When you install IDM for evaluation, with the embedded DS repository, you need 256 MB memory (32-bit) or 1 GB memory (64-bit) available.

You also need 10 GB free disk space for the software and for sample data.

In production, disk space and memory requirements will depend on the size of your external repository, as well as the size of the audit and service log files that IDM creates.

2.8. Supported Upgrade Paths

The following table contains information about the supported upgrade paths to IDM 6.0.0.7[1]:

Update Paths (update to IDM 6.0.0.7 supported from the listed version)

  • IDM 6.0.0.5 [a]

  • IDM 6.0.0.4 [a]

  • IDM 6.0.0.3 [a]

  • IDM 6.0.0.2 [a]

  • IDM 6.0.0.1 [a]

  • IDM 6.0.0 [a]

  • Versions prior to IDM 6.0 [b]

[a] Updating from this release requires a pre-patch step, which must be applied prior to update to IDM 6.0.0.7. For more information, see "To Prepare Your Patch Bundle Release" in the Installation Guide.

[b] Must first update to IDM 6.0, then to IDM 6.0.0.7.

[1] You can deploy version 6.0.0.7 for initial deployments.

Chapter 3. Fixes, Limitations, and Known Issues

This chapter covers the status of key issues and limitations for IDM. For details and information on other issues, see the IDM issue tracker.

3.1. Fixed Issues

The following important bugs were fixed in this release:

Fixed Issues in IDM 6.0.0.7
  • OPENIDM-9710: With JDBC repo using explicit table for Managed User, integer properties are treated as string

  • OPENIDM-12778: Schedules to execute a file-based script are generated incorrectly via the Admin UI

  • OPENIDM-13095: DatabaseTable Connector sample: Update sample to not require __NAME__ on create

  • OPENIDM-13854: REST - Deleting user with a non existent relationship object returns 404

  • OPENIDM-14548: External REST: Calling endpoints which return a JSON array throws error

  • OPENIDM-14576: A workflow started in IDM 4.5 cannot be completed after upgrading to 6.0.0.5

  • OPENIDM-14768: Admin UI: Update Database Table Connector template

  • OPENIDM-15000: Rhino: Handlebars.js is not multithreaded

  • OPENIDM-15526: Opening link in new tab doesn't honour the link in IDM 6.0 UI fullstack setup

  • OPENIDM-15862: sustaining/6.5.x - sample for scriptedrest is not working with scriptedrest connector 1.5.19.1

  • OPENIDM-16197: Kerberos Connector NoClassDefFoundError: expect4j/Expect4j

  • OPENIDM-16686: sustaining/6.0.x - multiple passwords sample JsonValueException

  • OPENIDM-16745: sustaining/6.0.x - SSL errors on external/rest calls

  • OPENIDM-17053: Registration form is not loading

Fixed Issues in IDM 6.0.0.6
  • OPENIDM-11152: Unable to connect to External DS datastore via TLS/SSL

  • OPENIDM-12038: 'statusCode:null' logged in Audit for successful GET on managed objects

  • OPENIDM-12080: External Email connects to SMTP servers with TLSv1

  • OPENIDM-12207: UI login fails with non-ASCII username or password

  • OPENIDM-12208: Clustered reconciliation fails due to paging cookie from ldap AD

  • OPENIDM-12248: Data races in state shared across threads in recon

  • OPENIDM-12312: UNIQUE policy on properties other than userName not correctly check during self-registration

  • OPENIDM-12680: Reconciliation stuck in ACTIVE_QUERY_ENTRIES (or other ACTIVE_ state) and cannot be cancelled

  • OPENIDM-12897: Large integers not handled correctly in JavaScript

  • OPENIDM-13086: Do not cache Managed Roles and Assignments within ReconContext during reconciliation

  • OPENIDM-13111: !== in mergeWithTarget.js (and possibly other scripts) doesn't check if value is undefined only if value is null

  • OPENIDM-13160: PATCH may succeed although If-Match does not match _rev

  • OPENIDM-13162: ManagedObject UPSERT contract creates orphan meta object on update via PUT

  • OPENIDM-13261: Fix exception in PendingLinkAction.getPendingActionContext

  • OPENIDM-13292: IDM trying to initialize SSL Cert for the internal DJ even if it's not configured as the repo, Incompatible with HSM

  • OPENIDM-13411: identityServer.getProperty() returns null pointer if property isn't set rather than being handled gracefully

  • OPENIDM-13601: Add reuseConnections and pooledConnectionTTL options to SalesForce provisioner configuration

  • OPENIDM-13683: Using an expired token returns an HTTP 500 error

  • OPENIDM-14163: Workflow: Groovy classpath problem

  • OPENIDM-14202: SQL script provided with openidm to create the auditdb fails

  • OPENIDM-14266: Remove security/realm.properties

  • OPENIDM-14287: cli.sh keytool export and import causes IDM startup failure with 'Invalid AES key length' error

  • OPENIDM-14641: Small improvements for policy.js

Fixed Issues in IDM 6.0.0.5
  • OPENIDM-4377: Implement JDBC count support on queries with QueryFilter

  • OPENIDM-10708: ResourceException when external/rest receives HTTP 204 response

  • OPENIDM-10829: PUT modifications to workflow/taskInstance/[_id] return 'Task updated' even when no changes occur

  • OPENIDM-10987: Users have access to manager user data (no relationship filter policy)

  • OPENIDM-11494: When an internal user changes password in UI, the user's roles get removed

  • OPENIDM-11689: Specify Schema in External DJ Connection Factory

  • OPENIDM-11800: The handling of PreconditionFailedException could induce infinite loop

  • OPENIDM-12154: An attempt to use external DS with explicit tables as a repo fails on missing fr-idm-lastPasswordSet

  • OPENIDM-12190: Router authz fails in multiple-passwords sample

  • OPENIDM-12359: Changing "Identity Email Field" in "User Query Form" from "mail" to another managed object property throws an error

  • OPENIDM-12370: Enable HSM data decryption from IDM 3.1.0 instances

  • OPENIDM-12383: API descriptor not available after setting relationship-type property to nullable

  • OPENIDM-12413: Multi-nodes clustered recon may fail with wrong situation

  • OPENIDM-12528: IDM 6.0 with DS repo and explicit mapping, PATCH replace does nothing for case-insensitive attribute

  • OPENIDM-12664: Target phase run when reconById dispatched on mapping configured for clustered recon

  • OPENIDM-12796: jsonstorage "local" self-service with "uuid" option fails in multi-node cluster scenario

  • OPENIDM-12804: uuid token expiry doesn't work with jdbc repo

  • OPENIDM-12865: jwt token fails in multi-node cluster scenario

  • OPENIDM-12904: Sending mail with null "to" field causes IDM to hang

  • OPENIDM-13117: Harden upgrade to be resilient to transient errors due to router upgrade

  • OPENIDM-13135: Do not load JWT signing key if JWT session module is disabled

Fixed Issues in IDM 6.0.0.4
  • OPENIDM-10722: Investigate high CPU in sun.security.provider package for Create Managed User

  • OPENIDM-11174: Unable to resume scheduler jobs after successful pause

  • OPENIDM-11393: assigning a userTask to openidm-admin could cause null pointer exception

  • OPENIDM-11640: null exception in defaultMappings.json

  • OPENIDM-11852: clustered recon in multi-node environment may never complete

  • OPENIDM-11862: Setting a timeout on a uuid token via jsonstore.json has no effect

  • OPENIDM-12013: Cache CommonJS module exports globally and prevent re-execution of required scripts

  • OPENIDM-12017: IDM CAUD syslog product name (APP-NAME) is null

  • OPENIDM-12200: Uncaught TypeError in JavaScript console when saving reverse relationship

Fixed Issues in IDM 6.0.0.3
  • OPENIDM-7687: Provide support for ClientHandlers to use a proxy server within OpenIDM

  • OPENIDM-11052: Admin UI Mappings page load delay on system?_action=test REST call

  • OPENIDM-11101: NPE when shutdown

  • OPENIDM-11195: script query result not converted to correct groovy type

  • OPENIDM-11244: Include milliseconds in IDM logs

  • OPENIDM-11446: Impossible to add optional field to selfservice registration

  • OPENIDM-11480: With Oracle repo, Create or Update Managed user via UI results in 500 error

  • OPENIDM-11597: IllegalArgumentException updating external account if trace is enabled

  • OPENIDM-11635: When using DB2 repo, read requests with relationship expansion and update requests are not working anymore

Fixed Issues in IDM 6.0.0.2
  • OPENIDM-11269: process typeError is observed in UI for association tab in mapping details

  • OPENIDM-11603: Backport OPENIDM-11512: Integrating Social Authentication with Identity Management fails

Fixed Issues in IDM 6.0.0.1
  • OPENIDM-10915: Backport OPENIDM-10887: expose isInitiator flag for IWA module

  • OPENIDM-10917: Backport OPENIDM-10542: IDM decryption fails with AES 256-bit key

  • OPENIDM-10968: Backport OPENIDM-10919: JavaScript in Internet Explorer does not support includes method of String

  • OPENIDM-10969: Backport OPENIDM-10948: OpenerHandler require does not work with Internet Explorer

  • OPENIDM-10971: Backport OPENIDM-6782: Password is re-encrypted during any managed object update/patch

  • OPENIDM-11087: Backport OPENIDM-11024: NPE can be thrown if the authentication service comes up before the identityService

  • OPENIDM-11160: Backport OPENIDM-8043: Unable to initialize keystore and truststore when passwords are different

  • OPENIDM-11167: Backport OPENIDM-5465: Performance Issue updating conditional role memberships

  • OPENIDM-11240: Backport OPENIDM-10758: openidm.read() returns different content if called from managed.json action or a custom endpoint

  • OPENIDM-11243: Backport OPENIDM-9783: Include thread id in all logging statements

  • OPENIDM-11245: Backport OPENIDM-11215: IDM hangs using IE11 with error "Promise is undefined" in ResourceQueryFilterEditor.js

  • OPENIDM-11354: Backport COMMONS-314 json-crypto: SimpleEncryptor symmetric no longer works with HSMs

  • OPENIDM-11421: Backport OPENIDM-11292: Registration autologin with full-stack not working

  • OPENIDM-11422: Session JWT key usage is not clear

Fixed Issues in IDM 6.0.0
  • OPENIDM-10512: Mapping Scheduling Sync toggle has nothing to do with schedule or livesync

  • OPENIDM-10472: readSchema=false is added to config.properties by the admin UI for connectors

  • OPENIDM-10471: NPE X-OpenIDM-OAuth-Login: true without providing any token when invoking REST API

  • OPENIDM-10468: 500 internal error when Referer header not provided with OAuth

  • OPENIDM-10459: onCreateUser.js:emailUser assumes that a mail address has been configured for the created object

  • OPENIDM-10388: Managed object scripts are called with org.forgerock.http.routing.UriRouterContext when roles are added

  • OPENIDM-10340: NPE when performing GET with invalid arbitrary URL parameters

  • OPENIDM-10323: Sample JMS Consumer listening on incorrect JMS Topic

  • OPENIDM-10231: Unable to use read-only keystore

  • OPENIDM-10205: Entered text is lost when using the attribute selector for a role's condition

  • OPENIDM-10195: Relationship between a custom managed object and a default object can be created in both directions via the UI

  • OPENIDM-10152: Roles condition queryFilter builder does not show all properties on managed/user

  • OPENIDM-10145: Restart action in update does not work properly and should be removed

  • OPENIDM-10141: Adding an attribute to a 'The value for' condition causes it to be duplicated in the drop-down list

  • OPENIDM-10137: Unable to set manager property to nullable via UI

  • OPENIDM-10135: Manager field disappears when type is null

  • OPENIDM-10134: Self-service registration fails with cross-origin restrictions using Safari

  • OPENIDM-10126: A condition query on roles shows an incomplete list of role members

  • OPENIDM-9997: API Explorer should send OAuth headers when appropriate

  • OPENIDM-9976: Self Service email validation link for Registration leads to blank page in Safari

  • OPENIDM-9975: Startup.sh is setting PROJECT_HOME incorrectly when CDPATH is set

  • OPENIDM-9964: No content and NullPointerException returned when creating a relationship using the source managed object's attribute within the URI and specifying a _fields parameter

  • OPENIDM-9940: onRetrieve script executed for managed attributes not returned by fields

  • OPENIDM-9855: Trusted Attribute fails with multiple instances using different resources

  • OPENIDM-9819: GenericLDAP Connector setup does not read remote LDAP schema irrespective of readSchema setting

  • OPENIDM-9805: DJ Password Sync Plugin retry doesn't send any data to IDM

  • OPENIDM-9751: Authorize Apps shows "Invalid date" for expire value

  • OPENIDM-9719: CORS headers returned to client with repeated values

  • OPENIDM-9677: Instagram configuration within identityProviders.json contains incorrect attribute name for full_name

  • OPENIDM-9624: Conflict between OAuth Datastore token usage for authentication and binding

  • OPENIDM-9615: The conditionalRoles.js script should not create an empty roles array if no conditional roles are assigned

  • OPENIDM-9602: "watchedFields" and "passwordFields" can be added for audit event types other than Activity

  • OPENIDM-9601: "onSync" script for managed objects is not called for both vertices when a relationship is created between them

  • OPENIDM-9588: In the provisioning-with-workflow sample, you cannot view single record details in system/rolesFile

  • OPENIDM-9574: Custom Self-Service URL breaks social registration

  • OPENIDM-9572: Terms and Conditions acceptance not added to the profile when using Social Registration

  • OPENIDM-9568: NullPointerException when checking for updates in read-only file system

  • OPENIDM-9562: Enabling a persistent schedule multiple times through the config API runs a custom script multiple times

  • OPENIDM-9554: Workflow Processes Completed have "Not Found Error" for managed/user

  • OPENIDM-9549: "Current policy is read-only" notification shows after changing Mapping Detail policy

  • OPENIDM-9545: Unable to execute taskscanner via REST endpoint when schedule is not file-based

  • OPENIDM-9543: Patch/update requests of the _ref field against the relationship endpoint are not handled correctly

  • OPENIDM-9476: Editable row for Display/Search Properties in Identity Relationships widget settings not showing the correct value when in edit mode

  • OPENIDM-9458: Timezone is set incorrectly when a new schedule is created

  • OPENIDM-9454: With an explicit mapping in a MySQL repo, you cannot create a managed user with password longer than 13 characters

  • OPENIDM-9444: Patch Copy and Patch Move fail when the target property exists

  • OPENIDM-9409: stdDev has incorrect value 0 for all clustered recon metrics

  • OPENIDM-9390: Various problems configuring scheduled scripts in the UI

  • OPENIDM-9389: Scheduled scripts with file paths are saved incorrectly

  • OPENIDM-9387: Paged queries with query-all-ids don't work correctly for explicit mappings

  • OPENIDM-9363: Attributes are removed from the managed object configuration when edited in the UI, if they do not appear within an order array

  • OPENIDM-9362: Managed.json does not contain all attributes within the order array for default managed object types

  • OPENIDM-9335: Admin UI shows the password for CSV audit tamper prevention as a JSON string

  • OPENIDM-9328: Enabling CSV tamper prevention in the Admin UI dumps all config details to log file

  • OPENIDM-9286: install-service.bat has a broken classpath variable

  • OPENIDM-9217: Do not execute managed property's onRetrieve when returnByDefault is false

  • OPENIDM-9213: When all topics are removed from an audit handler, the Admin UI saves 'null' instead of an empty list

  • OPENIDM-9211: External REST service does not return error details from remote server

  • OPENIDM-9207: recon creates incorrect links when using linkQualifiers

  • OPENIDM-9201: Failure to send welcome email leads to user creation failure, inconsistent state

  • OPENIDM-9195: From address in Password Reset email template is ignored

  • OPENIDM-9170: A conditional role with assignments, created with single quotes over REST, does not display in the Admin UI

  • OPENIDM-9045: Performance problem getting triggers for a scheduler job

  • OPENIDM-8869: PagedResultsCookie response state in JDBCRepoService in violation of CREST Spec

  • OPENIDM-8839: enum values do not display in API Explorer

  • OPENIDM-8837: Deleting all KBA questions through the UI prevents user registration w/o visible Error Message

  • OPENIDM-8827: ScriptedCrest samples uses _id in sync.json which is forbidden

  • OPENIDM-8653: 'Unknown Error' when pasting a value into the username field when creating a managed user in IE 11

  • OPENIDM-8593: Lots of API Descriptor errors in the logs on startup

  • OPENIDM-8543: Patch remove on a field succeeds but is not propagated to the target

  • OPENIDM-8381: Recovery of scheduled jobs following cluster node failure does not work

  • OPENIDM-8045: Creating a new managed object with unsupported characters causes an exception

  • OPENIDM-7947: With DJ as a repo, OpenIDM fails to start when using HSM

  • OPENIDM-7536: Relationship fields are not returned on an "upsert" update

  • OPENIDM-7284: Create manager/reports relationship with POST or PUT work on managed/user/id/reports but fails on managed/user/id/manager

  • OPENIDM-6886: The Password Reset form applies policies from the 'password' field even if you are using a different field for the password

  • OPENIDM-5914: Role is still showing as assigned in effectiveRoles attribute on query-all output if role is unassigned via the admin UI

  • OPENIDM-5909: ScriptedSSH incorrect sample provisioner group members nativeName

  • OPENIDM-5907: ScriptedSSH search script unsupported filter cause timeout exception

  • OPENIDM-5227: LDAP Connector search filters are not persisted by the Admin UI

  • OPENIDM-4686: Neither empty _fields nor _fields=* on a system resource read return all fields

  • OPENIDM-3330: Inconsistent use of uidAttribute in LDAP Provisioner Config

3.2. Limitations

The following limitations exist in these releases:

IDM 6.0.0.7
  • There are no known limitations in IDM 6.0.0.7, other than those identified in IDM 6.0.0.

IDM 6.0.0.6
  • There are no known limitations in IDM 6.0.0.6, other than those identified in IDM 6.0.0.

IDM 6.0.0.5
  • There are no known limitations in IDM 6.0.0.5, other than those identified in IDM 6.0.0.

IDM 6.0.0.4
  • There are no known limitations in IDM 6.0.0.4, other than those identified in IDM 6.0.0.

IDM 6.0.0.3
  • There are no known limitations in IDM 6.0.0.3, other than those identified in IDM 6.0.0.

IDM 6.0.0
  • The automated update process is not currently supported on Windows platforms.

  • When you add or edit a connector through the Admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST or by editing the provisioner file directly. For more information, see "Configuring Connectors" in the Integrator's Guide.

  • For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.

  • A conditional GET request, with the If-Match request header, is not currently supported.

  • IDM provides an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.

3.3. Known Issues

The following important issues remained open at the time of this release:

IDM 6.0.0.7
  • OPENIDM-11597: IllegalArgumentException updating external account if trace is enabled

  • OPENIDM-11704: UI: Can't edit validation policy without specifying a parameter

  • OPENIDM-11739: Concurrent recons could cause exception deleting interim state instance deleteInterimStateInstance

  • OPENIDM-11879: Workflow time zone handling is not consistent and leads to unexpected results

  • OPENIDM-12131: UI javascript errors when a property does not have a nativeType attribute in a provisioner config file

  • OPENIDM-12149: "/username: Expecting a value" exception when calling the authenticate function of connectors

  • OPENIDM-12161: IDM does not propagate CAUD transactionId to DS

  • OPENIDM-12200: Uncaught TypeError in JavaScript console when saving reverse relationship

  • OPENIDM-12208: Clustered reconciliation fails due to paging cookie from ldap AD

  • OPENIDM-12248: Data races in state shared across threads in recon

  • OPENIDM-12259: New assignment is not reflected in onSync script hook when a new role with its members and assignments is created in one REST call

  • OPENIDM-12283: correlateTreeToQueryFilter.js may be vulnerable to injection

  • OPENIDM-12319: Audit Event Handler Port only displays first number in UI

  • OPENIDM-12334: UI: IDM Recon result failure summary doesn't respond to click on "View Entries"

  • OPENIDM-12354: Admin UI "Change Source to Target Association" button doesn't respond to click

  • OPENIDM-12379: /openidm/recon endpoint fails on an upgraded repository

  • OPENIDM-12664: Target phase run when reconById dispatched on mapping configured for clustered recon

  • OPENIDM-12691: Scheduler performance in IDM 6.x

  • OPENIDM-12796: jsonstorage "local" self-service with "uuid" option fails in multi-node cluster scenario

  • OPENIDM-12804: uuid token expiry doesn't work with jdbc repo

  • OPENIDM-12814: Setting returnByDefault for a relationship property to true could cause reconciliation exception with DJ repo explicit mapping managed user

  • OPENIDM-12827: Setting returnByDefault to true on relationship properties in managed objects DJ repo could cause missing attributes in sync.json script hooks

  • OPENIDM-12833: Removing the preferences property causes admin UI mapping/association to stop responding properly

  • OPENIDM-12877: Exception caught signalling deletion of edge when removing a relationship

  • OPENIDM-12904: Sending mail with null "to" field causes IDM to hang

  • OPENIDM-13023: Include an out of the box Oracle specific bnd file in db/oracle/scripts

  • OPENIDM-13111: !== in mergeWithTarget.js (and possibly other scripts) doesn't check if value is undefined only if value is null

  • OPENIDM-13129: PATCH remove a field could result in 500 error: Can not add or remove a 'null' value

  • OPENIDM-13940: Query workflow via REST with non-string parameter

  • OPENIDM-14290: Internal Server Error reported when entering double quotes into username field

  • OPENIDM-14501: Reset selfservice stage is checking mail attribute and not identityEmailField

  • OPENIDM-14505: ManagedObjectSet handling of patch removal of singleton relationship field will prevent successful calculation of virtual properties based on this field

  • OPENIDM-14538: Exception 412 thrown when multiple updates occur on a single managed/user

  • OPENIDM-15016: OperationOptions specified within the provisioner configuration are not passed to connectors by OpenIDM

IDM 6.0.0.6
  • OPENIDM-11597: IllegalArgumentException updating external account if trace is enabled

  • OPENIDM-11704: UI: Can't edit validation policy without specifying a parameter

  • OPENIDM-11739: Concurrent recons could cause exception deleting interim state instance deleteInterimStateInstance

  • OPENIDM-11879: Workflow time zone handling is not consistent and leads to unexpected results

  • OPENIDM-12038: 'statusCode:null' logged in Audit for successful GET on managed objects

  • OPENIDM-12149: "/username: Expecting a value" exception when calling the authenticate function of connectors

  • OPENIDM-12161: IDM does not propagate CAUD transactionId to DS

  • OPENIDM-12200: Uncaught TypeError in JavaScript console when saving reverse relationship

  • OPENIDM-12207: UI login fails with non-ASCII username or password

  • OPENIDM-12208: Clustered reconciliation fails due to paging cookie from ldap AD

  • OPENIDM-12248: Data races in state shared across threads in recon

  • OPENIDM-12249: Backport OPENIDM-12248: Data races in state shared across threads in recon

  • OPENIDM-12259: New assignment is not reflected in onSync script hook when a new role with its members and assignments is created in one REST call

  • OPENIDM-12283: correlateTreeToQueryFilter.js may be vulnerable to injection

  • OPENIDM-12319: Audit Event Handler Port only displays first number in UI

  • OPENIDM-12334: UI: IDM Recon result failure summary doesn't respond to click on "View Entries"

  • OPENIDM-12354: Admin UI "Change Source to Target Association" button doesn't respond to click

  • OPENIDM-12379: /openidm/recon endpoint fails on an upgraded repository

  • OPENIDM-12664: Target phase run when reconById dispatched on mapping configured for clustered recon

  • OPENIDM-12691: Scheduler performance in IDM 6.x

  • OPENIDM-12796: jsonstorage "local" self-service with "uuid" option fails in multi-node cluster scenario

  • OPENIDM-12804: uuid token expiry doesn't work with jdbc repo

  • OPENIDM-12814: Setting returnByDefault for a relationship property to true could cause reconciliation exception with DJ repo explicit mapping managed user

  • OPENIDM-12827: Setting returnByDefault to true on relationship properties in managed objects DJ repo could cause missing attributes in sync.json script hooks

  • OPENIDM-12833: Removing the preferences property causes admin UI mapping/association to stop responding properly

  • OPENIDM-12877: Exception caught signalling deletion of edge when removing a relationship

  • OPENIDM-12904: Sending mail with null "to" field causes IDM to hang

  • OPENIDM-13023: Include an out of the box Oracle specific bnd file in db/oracle/scripts

  • OPENIDM-13111: !== in mergeWithTarget.js (and possibly other scripts) doesn't check if value is undefined only if value is null

  • OPENIDM-13124: Backport OPENIDM-13111: !== in mergeWithTarget.js (and possibly other scripts) doesn't check if value is undefined only if value is null

  • OPENIDM-13129: PATCH remove a field could result in 500 error: Can not add or remove a 'null' value

  • OPENIDM-13292: IDM trying to initialize SSL Cert for the internal DJ even if it's not configured as the repo, Incompatible with HSM

  • OPENIDM-13403: Backport OPENIDM-13261: Fix exception in PendingLinkAction.getPendingActionContext

  • OPENIDM-13683: Using an expired token returns an HTTP 500 error

  • OPENIDM-13895: Backport OPENIDM-12208: Clustered reconciliation fails due to paging cookie from ldap AD

  • OPENIDM-13940: Query workflow via REST with non-string parameter

  • OPENIDM-14163: Workflow: Groovy classpath problem

  • OPENIDM-14202: SQL script provided with openidm to create the auditdb fails

  • OPENIDM-14287: cli.sh keytool export and import causes IDM startup failure with 'Invalid AES key length' error

  • OPENIDM-14501: Reset selfservice stage is checking mail attribute and not identityEmailField

IDM 6.0.0.5
  • OPENIDM-8052: Cannot create a remote (.NET) connector through the UI

  • OPENIDM-8122: OpenIDM Cluster incorrectly shows ready and running

  • OPENIDM-8295: Non-required single relationship properties should be nullable

  • OPENIDM-8518: Not Found error when accessing a process instance via Admin UI

  • OPENIDM-9081: WARNING about extensions directory not existing appears in felix console upon restart of IDM

  • OPENIDM-9339: Clustered recon update may abort due to a Rhino NPE

  • OPENIDM-9353: IDM does not audit the http response headers in the access audit log

  • OPENIDM-9791: Error while generating process diagram, image will not be stored in repository

  • OPENIDM-9828: Performance bottleneck when adding user to role members

  • OPENIDM-9966: NullPointerException returned when creating a relationship using the source managed object's attribute within the URI and specifying a _fields parameter

  • OPENIDM-10208: Setting an attribute's minLength applies as a string via Admin UI

  • OPENIDM-10455: Query and non-read operations not authorised for openidm-admin role with OAuth

  • OPENIDM-10660: User metadata is logged in the audit log when an object is changed

  • OPENIDM-10761: Progressive Profiling scripted condition does not include user fields within "object" map

  • OPENIDM-11050: Mutual SSL authentication failure with external REST

  • OPENIDM-11370: Activiti workflow mail task goes to default localhost:25

  • OPENIDM-11536: Cannot set user password for user created through full-stack social registration

  • OPENIDM-12080: External Email connects to SMTP servers with TLSv1

  • OPENIDM-12142: Progressive profile page fails to load if attribute wasn't added to the form

  • OPENIDM-12312: UNIQUE policy on properties other than userName not correctly check during self-registration

  • OPENIDM-12540: Unable to change openidm-admin password via self service UI

  • OPENIDM-12591: authzMembers can have duplicate entries when added using openidm.create() in scripts

  • OPENIDM-12709: Workflow Processes Completed have "Not Found Error" for managed/user

  • OPENIDM-12778: Schedules to execute a file-based script are generated incorrectly via the Admin UI

  • OPENIDM-13153: Create a pre-patch for update to 6.0.0.5

IDM 6.0.0.4
IDM 6.0.0.3
  • OPENIDM-12033: proxySystem property in external.rest.json does nothing

  • OPENIDM-12055: NullPointerException when changing Authentication/Session

IDM 6.0.0.1
IDM 6.0.0
  • OPENIDM-11370: Activiti workflow mail task goes to default localhost:25

    Workaround: Use the external email service described in "Configuring Outbound Email" in the Integrator's Guide.

  • OPENIDM-10851: Cluster doesn't recognize forcibly killed node on windows

  • OPENIDM-10833: Cluster widget doesn't show shutdown time for killed node correctly

  • OPENIDM-10829: PUT modifications to workflow/taskInstance/[_id] return 'Task updated' even when no changes occur

  • OPENIDM-10828: MongoDB Connector UI configuration has an incorrect documentation link

  • OPENIDM-10823: UI intermittently doesn't work with the new REST context when using Firefox

  • OPENIDM-10800: Port does not display correctly in the UI if property substitution is used

  • OPENIDM-10793: Problems with propvalue column size in properties tables

  • OPENIDM-10780: IDM does not work with a Luna HSM keystore provider

  • OPENIDM-10773: IDM does not start up if the parent folder name includes ' -> '

  • OPENIDM-10761: Progressive Profiling scripted condition does not include user fields within "object" map

  • OPENIDM-10740: Sharing and Activity (UMA) sections in the Self-Service UI do not display thumbnails

  • OPENIDM-10736: Attribute substitution not supported for CSV connector filepath

  • OPENIDM-10733: Compensate hangs when downstream connector is offline

  • OPENIDM-10696: Full attribute details not available to policies when creating role via relationship collection

  • OPENIDM-10692: IDM startup can be very slow with a DB2 repo

    Workaround: After you have imported the IDM schema for DB2, either run the command db2 connect to dopenidm in a terminal or run CONNECT TO DOPENIDM in a DB2 iterative command session (as the DB2 instance owner) and keep the session. IDM should then start with low latency.

  • OPENIDM-10683: UMA: When a user shares a resource, the recipient doesn't see the share

  • OPENIDM-10673: The augmentSecurityContext script should still execute when runAs cannot find the user

  • OPENIDM-10660: User metadata is logged in the audit log when an object is changed

  • OPENIDM-10653: Password reset fails using explicit tables

  • OPENIDM-10623: With an embedded DS repo, PATCH remove on a null value does not delete the property

  • OPENIDM-10603: Unexpected "manager" property in the "before" of activity audit records when patching manager on a user

  • OPENIDM-10600: Internal error "no deployed process definition found" after deleting process definition

  • OPENIDM-10579: The policy.js script does not support conditions with type 'queryFilter'

  • OPENIDM-10578: Unable to specify the authenticationId within augmentSecurityContext script

  • OPENIDM-10542: IDM decryption fails with AES 256-bit key

  • OPENIDM-10537: Deleting a previously set field during profile completion does not work

  • OPENIDM-10455: Query and non-read operations not authorised for openidm-admin role with OAuth

  • OPENIDM-10400: When configuring a new LDAP Connector config for AD using the Admin UI, the groupMembership, groupType, and groupScope attributes in the user schema are not set up properly

  • OPENIDM-10286: Idle timeout for JWT authentication module is not working

  • OPENIDM-10263: Salesforce connector error while accessing data from User and Profile objects

  • OPENIDM-10072: Scheduler service registered too early by OSGi

  • OPENIDM-10039: Various Admin UI errors when accessing mappings or data tab using Salesforce sample

  • OPENIDM-9791: Error while generating process diagram, image will not be stored in repository

  • OPENIDM-9726: User List sort by Description shows only manually edited users

  • OPENIDM-9576: Records with missing _sortKeys are not returned in query results

  • OPENIDM-9521: Backport OPENIDM-6068: Target reconciliation does not finish for large datasets

  • OPENIDM-9520: Update via REST with PUT removes private fields which are not included in the request

  • OPENIDM-9517: Backport OPENIDM-5906: PATCH request with null rev invoked twice at the same time causes infinite loop

  • OPENIDM-9502: Backport OPENIDM-5150: JSON configuration files always reloaded at startup irrespective of modifications

  • OPENIDM-9446: Random startup failures when using DB2 as a repo

  • OPENIDM-9360: Align "returnByDefault" behavior between roles and effectiveRoles

  • OPENIDM-9353: IDM does not audit the http response headers in the access audit log

  • OPENIDM-9331: Enabling CSV tamper prevention through the Admin UI may fail with a keystore password error

  • OPENIDM-9138: Unable to create user with virtual attribute defined when using explicit mappings

  • OPENIDM-9081: WARNING about extensions directory not existing appears in felix console upon restart of IDM

  • OPENIDM-8659: Property onRetrieve hook returns null even though value is absent

  • OPENIDM-8518: Not Found error when accessing a process instance via Admin UI

  • OPENIDM-8295: Non-required single relationship properties should be nullable

  • OPENIDM-8122: OpenIDM Cluster incorrectly shows ready and running

  • OPENIDM-8052: Cannot create a remote (.NET) connector through the UI

  • OPENIDM-7665: Admin UI mapping view returns HTTP 400 error

  • OPENIDM-6514: JDBC repo errors on startup when using mysql

  • OPENIDM-6467: syslog audit event handler created although required property not set

  • OPENIDM-6032: In some situations, the Admin UI does not display the properties of a completed workflow

  • OPENIDM-5465: Performance Issue updating conditional role memberships

  • OPENIDM-4149: availableConnectors are not updated after remote ICF shut down

Chapter 4. Compatibility

This chapter covers major and minor changes to existing functionality, as well as deprecated and removed functionality. You must read this chapter before you start a migration from a previous release.

4.1. Important Changes to Existing Functionality

Take the following changes into account when you update to IDM 6.0. These changes will have an impact on existing deployments. Adjust existing scripts and clients accordingly:

IDM 6.0.0.7

There are no important functionality changes in this release.

IDM 6.0.0.6

There are no important functionality changes in this release, other than those listed in IDM 6.0.0.4.

IDM 6.0.0.5

There are no important functionality changes in this release, other than those listed in IDM 6.0.0.4.

IDM 6.0.0.4
Manual Removal of Old openidm-repo-opendj Bundle during Update

The update process includes an extra manual step: after updating to IDM 6.0.0.4, remove any old DS repository (openidm-repo-opendj) bundle files. Whether this step is required depends on whether the repository you are updating from is JDBC-based or DS-based.

If your repository (from the current or a previous deployment) is JDBC-based, the DS repository bundle, openidm-repo-opendj, is not active and is therefore not detected during the update process, so the update does not remove older openidm-repo-opendj files. In this case, you must manually remove any older version of the openidm-repo-opendj files, because it conflicts with the newer version of the file that comes with the 6.0.0.4 update.

If your deployment uses the DS repo, there is nothing to do as the update will successfully perform the replacement.

For more information, see "To Apply the 6.0.0.7 Patch Bundle Release" in the Installation Guide.

IDM 6.0.0
Hostname now set by openidm.host property in boot.properties

By default, the hostname associated with IDM is localhost. This hostname is set in the openidm.host property in the resolver/boot.properties file. When you deploy IDM in production, you must set openidm.host to the URL of your deployment. If you do not do so, calls to the /admin endpoint are not redirected properly. For more information, see "Installing and Running Servers" in the Installation Guide.

Changes to selfservice-registration.json

Self-registration and auto-login must be configured using the "All-In-One Registration", "IDM User Details Stage", and "Self-Registration Stage" stages.

Configuration options associated with security questions, and Terms & Conditions, have been moved to separate files:

  • The new selfservice.kba.json contains security questions. For more information, see "Configuring Security Questions" in the Integrator's Guide.

  • The new selfservice.terms.json file contains versions and wording related to Terms & Conditions. For more information, see "Adding Terms & Conditions" in the Integrator's Guide.

Changes to the authentication.json file

The queryOnResource entry has been changed from security/truststore to managed/user. For more information, see "Configuring Client Certificate Authentication" in the Integrator's Guide.

IDM 6.0 includes a second STATIC_USER authentication module at the end of the file for monitoring metrics, using Prometheus:

{
    "name" : "STATIC_USER",
    "properties" : {
        "queryOnResource" : "repo/internal/user",
        "username" : "&{openidm.prometheus.username}",
        "password" : "&{openidm.prometheus.password}",
        "defaultUserRoles" : [
            "openidm-prometheus"
        ]
    },
    "enabled" : true
}

For more information, see "Metrics and Monitoring" in the Integrator's Guide.
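The monitoring module above relies on property substitution (&{...}) for its credentials and grants only the openidm-prometheus role. The following review script is an added example, not ForgeRock code or a ForgeRock rule: it reads an authentication.json and flags enabled STATIC_USER modules whose username or password is written literally into the file, or whose defaultUserRoles go beyond what a metrics scraper needs. The serverAuthContext/authModules layout is assumed, and the second module in the sample is constructed to show what the check reports.

```python
import json
import re

# A value of the form &{...} is resolved from boot.properties or system
# properties at start-up rather than written literally into the file.
_SUBSTITUTED = re.compile(r"^&\{[^}]+\}$")

# Constructed authentication.json fragment. The first module is the Prometheus
# STATIC_USER module from the release notes; the second is constructed to show
# what the review flags. The serverAuthContext/authModules layout is assumed.
SAMPLE_AUTHENTICATION_JSON = json.dumps({
    "serverAuthContext": {
        "authModules": [
            {
                "name": "STATIC_USER",
                "properties": {
                    "queryOnResource": "repo/internal/user",
                    "username": "&{openidm.prometheus.username}",
                    "password": "&{openidm.prometheus.password}",
                    "defaultUserRoles": ["openidm-prometheus"]
                },
                "enabled": True
            },
            {
                "name": "STATIC_USER",
                "properties": {
                    "queryOnResource": "repo/internal/user",
                    "username": "monitor",
                    "password": "example-literal-password",
                    "defaultUserRoles": ["openidm-prometheus", "openidm-admin"]
                },
                "enabled": True
            }
        ]
    }
})


def review_static_user_modules(auth_json: str,
                               allowed_roles=frozenset({"openidm-prometheus"})) -> list:
    """Return (module index, finding) pairs for enabled STATIC_USER modules whose
    credentials are literal values or whose roles exceed allowed_roles.
    The criteria are this example's own, not a ForgeRock requirement."""
    modules = json.loads(auth_json)["serverAuthContext"]["authModules"]
    findings = []
    for index, module in enumerate(modules):
        if module.get("name") != "STATIC_USER" or not module.get("enabled", False):
            continue
        props = module.get("properties", {})
        for key in ("username", "password"):
            if not _SUBSTITUTED.match(str(props.get(key, ""))):
                findings.append((index, f"{key} is a literal value, not a &{{...}} property reference"))
        extra = set(props.get("defaultUserRoles", [])) - set(allowed_roles)
        if extra:
            findings.append((index, f"roles beyond {sorted(allowed_roles)}: {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for index, finding in review_static_user_modules(SAMPLE_AUTHENTICATION_JSON):
        print(f"authModules[{index}]: {finding}")
```

Run against the sample, the first module passes and the second produces three findings (literal username, literal password, an extra openidm-admin role). Pass a different allowed_roles set when reviewing a STATIC_USER module that serves another purpose.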

Change to the auditreport endpoint

The reporting service has been made more generic and supports the generation of reports on additional kinds of data. The reporting service is accessible on the openidm/report endpoint. For audit reports, you can access the openidm/report/audit endpoint.

For more information, see "Reporting and Monitoring" in the Integrator's Guide.

Change to the ?_action=authenticate REST call

IDM no longer supports input of user data as a parameter within the URI (system endpoints only).

The following excerpt shows how you can now include user data in a POST:

--data '{
    "username" : "bjensen",
    "password" : "Passw0rd"
}' \

For more information, see "Running a script on a system object" in the Integrator's Guide.

Changes to relationship auditing in the activity log

The way in which relationship changes are audited has changed in this release, for improved performance.

Notification of connected managed objects is now optional when the relationship is created, deleted or changed. Because of this, what is audited is the relationship change itself, rather than the change to the connected managed object.

The audited entry is always relative to the managed object through which the modification took place (that is, the managed object specified in the URL). For example, if a modification to managed/user/psmith creates a relationship to managed/user/bjensen, the logged relationship change will have a _ref to managed/user/bjensen. In the following example, a manager relationship is created between psmith and bjensen with a REST call to managed/user/psmith. The resulting audit entry is as follows:

{
    "transactionId": "fa610b40-bd20-4d8d-9706-b80f81af7835-906",
    "timestamp": "2018-04-05T08:09:15.769Z",
    "eventName": "relationship_created",
    "userId": "openidm-admin",
    "runAs": "openidm-admin",
    "operation": "CREATE",
    "before": {},
    "after": {
        "_ref": "managed/user/bjensen",
        "_refResourceCollection": "managed/user",
        "_refResourceId": "bjensen",
        "_refProperties": {
            "_id": "7935501a-4414-495a-9807-3c124c25be83",
            "_rev": "00000000b0ab969d"
        }
    },
    "changedFields": [],
    "revision": null,
    "message": "Relationship originating from managed/user/psmith via the relationship field manager and referencing managed/user/bjensen was created.",
    "objectId": "managed/user/psmith/manager/7935501a-4414-495a-9807-3c124c25be83",
    "passwordChanged": false,
    "status": "SUCCESS",
    "_id": "fa610b40-bd20-4d8d-9706-b80f81af7835-912"
}

For more information on notification of relationship changes, see "Configuring Relationship Change Notification" in the Integrator's Guide.
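Because the audited entry is relative to the object named in the URL, anyone reviewing the activity log for relationship changes (for example, who was added to which internal role) has to combine objectId with the _ref properties in "after" or "before". The following parser is an added example, not ForgeRock code. It takes the entry above plus two constructed lines as newline-delimited JSON, splits objectId into origin object, relationship field and relationship id (a layout inferred from the example entry), cross-checks it against the _ref* properties, and filters for changes that target repo/internal/role. The eventName "relationship_deleted" used for the constructed deletion line is an assumption.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed newline-delimited audit log: line 1 is the relationship_created
# entry from the release notes (trimmed to the fields used here), line 2 is a
# constructed deletion event (the eventName "relationship_deleted" is assumed),
# line 3 is an unrelated activity event that the filter must skip.
SAMPLE_AUDIT_LINES = """\
{"eventName": "relationship_created", "operation": "CREATE", "userId": "openidm-admin", "before": {}, "after": {"_ref": "managed/user/bjensen", "_refResourceCollection": "managed/user", "_refResourceId": "bjensen", "_refProperties": {"_id": "7935501a-4414-495a-9807-3c124c25be83", "_rev": "00000000b0ab969d"}}, "objectId": "managed/user/psmith/manager/7935501a-4414-495a-9807-3c124c25be83", "status": "SUCCESS"}
{"eventName": "relationship_deleted", "operation": "DELETE", "userId": "openidm-admin", "before": {"_ref": "repo/internal/role/openidm-admin", "_refResourceCollection": "repo/internal/role", "_refResourceId": "openidm-admin", "_refProperties": {"_id": "aaaaaaaa-0000-4000-8000-000000000001", "_rev": "00000000ffffffff"}}, "after": {}, "objectId": "managed/user/bjensen/authzRoles/aaaaaaaa-0000-4000-8000-000000000001", "status": "SUCCESS"}
{"eventName": "activity", "operation": "UPDATE", "userId": "openidm-admin", "objectId": "managed/user/bjensen", "status": "SUCCESS"}
"""


@dataclass
class RelationshipChange:
    event: str             # eventName, e.g. relationship_created
    actor: str             # userId that made the request
    origin: str            # object named in the request URL, e.g. managed/user/psmith
    field: str             # relationship field on that object, e.g. manager
    relationship_id: str   # _id of the relationship itself
    target: Optional[str]  # _ref of the connected object


def parse_relationship_event(record: dict) -> RelationshipChange:
    """Split objectId "<origin>/<field>/<relationshipId>" and cross-check it
    against the _ref* properties carried in "after" (create) or "before" (delete)."""
    parts = record["objectId"].split("/")
    if len(parts) < 4:
        raise ValueError(f"objectId does not name a relationship: {record['objectId']!r}")
    origin, field, rel_id = "/".join(parts[:-2]), parts[-2], parts[-1]

    # A create carries the link in "after", a delete in "before"; use whichever is populated.
    link = record.get("after") or record.get("before") or {}
    target = link.get("_ref")
    if target is not None:
        rebuilt = f"{link['_refResourceCollection']}/{link['_refResourceId']}"
        if rebuilt != target:
            raise ValueError(f"_ref {target!r} disagrees with collection/id {rebuilt!r}")
        if link["_refProperties"]["_id"] != rel_id:
            raise ValueError("relationship _id in objectId and _refProperties differ")
    return RelationshipChange(record["eventName"], record.get("userId", ""),
                              origin, field, rel_id, target)


def relationship_changes(lines: Iterable[str]) -> List[RelationshipChange]:
    """Parse every relationship_* event from newline-delimited audit JSON."""
    changes = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("eventName", "").startswith("relationship_"):
            changes.append(parse_relationship_event(record))
    return changes


def role_changes(changes: Iterable[RelationshipChange],
                 role_collection: str = "repo/internal/role") -> List[RelationshipChange]:
    """Changes whose target is an internal role: who gained or lost which
    authorization role, through which object, and by whose request."""
    return [c for c in changes if c.target and c.target.startswith(role_collection + "/")]


if __name__ == "__main__":
    for change in relationship_changes(SAMPLE_AUDIT_LINES.splitlines()):
        print(f"{change.event}: {change.origin}.{change.field} -> {change.target} (by {change.actor})")
```

The cross-checks matter because the origin comes only from objectId while the target comes only from the _ref properties; an entry in which the two disagree is worth a closer look rather than silent acceptance.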

Change to how relationships are queried

Previously, you could query an object's relationships using the _ref property, for example:

"http://localhost:8080/openidm/managed/user/bjensen/authzRoles?_queryFilter=_ref%20co%20%22openidm%22"

Relationships have now been broken out into a resourceCollection and resourceId. Query filters on _ref are no longer supported and queries must explicitly specify the resourceCollection and resourceId. The previous query would be adjusted as follows:

$ curl \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --request GET \
    "http://localhost:8080/openidm/managed/user/bjensen/authzRoles?_queryFilter=_refResourceCollection+eq+'repo%2Finternal%2Frole'+and+_refResourceId+co+'openidm'"
{
  "result": [
    {
      "_id": "3432ac47-9e4b-488d-8c4b-0db467e614aa",
      "_rev": "00000000b1eda159",
      "_ref": "repo/internal/role/openidm-authorized",
      "_refResourceCollection": "repo/internal/role",
      "_refResourceId": "openidm-authorized",
      "_refProperties": {
        "_id": "3432ac47-9e4b-488d-8c4b-0db467e614aa",
        "_rev": "00000000b1eda159"
      }
    }
  ],
  ...
}
    
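Clients that used to build a filter on _ref now have to split a reference into its collection and id and quote each as its own string literal. The helper below is an added example, not ForgeRock code: it splits a _ref, builds the _refResourceCollection/_refResourceId filter, URL-encodes it into the request URL used in the example above, and refuses values containing quote characters, since a quote inside a filter literal would end the literal early and the release notes do not document an escape syntax for this grammar. The base URL, object path and field names are the ones from the example; the set of id operators offered is this example's choice.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Operators this helper accepts on _refResourceId: eq for an exact match,
# co/sw for substring and prefix matches (as used in the release-notes example).
ID_OPERATORS = {"eq", "co", "sw"}


def split_ref(ref: str):
    """'repo/internal/role/openidm-authorized' -> ('repo/internal/role', 'openidm-authorized')."""
    collection, sep, resource_id = ref.rpartition("/")
    if not sep or not collection or not resource_id:
        raise ValueError(f"not a resource reference: {ref!r}")
    return collection, resource_id


def is_safe_literal(value: str) -> bool:
    """Values are interpolated into a quoted string literal of the query filter.
    A quote in the value would terminate the literal and let the remainder be
    parsed as further filter terms, so such values are rejected outright rather
    than escaped with a syntax this example cannot vouch for."""
    return "'" not in value and '"' not in value


def quoted(value: str) -> str:
    if not is_safe_literal(value):
        raise ValueError(f"quote characters not allowed in filter value: {value!r}")
    return f"'{value}'"


def relationship_filter(collection: str, resource_id: str, id_op: str = "eq") -> str:
    """Build the _queryFilter string that replaces a filter on _ref."""
    if id_op not in ID_OPERATORS:
        raise ValueError(f"unsupported operator {id_op!r}")
    return (f"_refResourceCollection eq {quoted(collection)} "
            f"and _refResourceId {id_op} {quoted(resource_id)}")


def relationship_query_url(base_url: str, object_path: str, field: str,
                           collection: str, resource_id: str, id_op: str = "eq") -> str:
    """URL for GET <base>/<object>/<field>?_queryFilter=... with the filter URL-encoded."""
    query = urlencode({"_queryFilter": relationship_filter(collection, resource_id, id_op)})
    return f"{base_url.rstrip('/')}/{object_path}/{field}?{query}"


def filter_from_url(url: str) -> str:
    """Decode the _queryFilter parameter back out of a URL (round-trip check)."""
    return parse_qs(urlparse(url).query)["_queryFilter"][0]


if __name__ == "__main__":
    collection, _ = split_ref("repo/internal/role/openidm-authorized")
    print(relationship_query_url("http://localhost:8080/openidm", "managed/user/bjensen",
                                 "authzRoles", collection, "openidm", "co"))
```

Note that the old _ref co "openidm" filter matched a substring anywhere in the full reference; with the new form you must decide whether the substring applies to the collection or to the id, which is why the helper takes the two separately.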
New GUID format for AD objects created with the LDAP connector

The LDAP connector no longer appends <GUID= to the object GUID. The new GUID format is compatible with objects created using the AD Powershell Connector, for example e1418d64-096c-4cb0-b903-ebb66562d99d.

In existing deployments, this might mean that your links are incompatible with the new GUID format. To update links to the new format, run a reconciliation operation. To retain the legacy behavior, set "useOldADGUIDFormat" : true in your provisioner file.

Changes to the structure of the relationships table

The way in which relationships are stored in the relationships table has changed. This table now has explicit columns for the relationship properties. An update script is provided for each repository type to convert existing data to the new table structure (*_hybridize_relationships_table.sql).

For more information about the update scripts required for your repository, see "Repository Update Scripts" in the Installation Guide.

Changed parameter for reconciliation by ID

In previous releases, the reconById action took an ids parameter to specify the ID to be reconciled. This action now takes an id parameter instead. For more information, see "Restricting Reconciliation to a Specific ID" in the Integrator's Guide.

Changes to predefined queries

For improved relationship performance, a number of predefined queries for generic mappings have been modified. Any query that is run on a managed object endpoint now requires the objectid, rev and fullobject columns to be included in the select statement.

Similarly, predefined queries that are mapped to an explicit table and that return the full object must select ALL of the columns that are mapped to the object in the repo.jdbc.json file. No column changes are required for predefined queries that do not return full objects (for example, query-all-ids), or do not return relationship data.

If you have not customized the queries in your repository configuration (repo.jdbc.json) file, no action is required: the affected queries are patched as part of the update process. If you have customized your predefined queries, update these queries to include the objectid and rev columns.

For example, the query-all query for a MySQL repository changes from:

"query-all" : "SELECT fullobject FROM (SELECT obj.fullobject, row_number() OVER (ORDER BY obj.id) AS row_next FROM ${_dbSchema}.${_mainTable} obj , ${_dbSchema}.objecttypes o WHERE obj.objecttypes_id = o.id AND o.objecttype = ${_resource}) AS query_all_id_temp WHERE row_next BETWEEN ${int:_pagedResultsOffset} + 1 AND ${int:_pagedResultsOffset} + ${int:_pageSize}",

to:

"query-all" : "SELECT obj.objectid, obj.rev, obj.fullobject FROM (SELECT obj.objectid, obj.rev, obj.fullobject, row_number() OVER (ORDER BY obj.id) AS row_next FROM ${_dbSchema}.${_mainTable} obj , ${_dbSchema}.objecttypes o WHERE obj.objecttypes_id = o.id AND o.objecttype = ${_resource}) AS query_all_id_temp WHERE row_next BETWEEN ${int:_pagedResultsOffset} + 1 AND ${int:_pagedResultsOffset} + ${int:_pageSize}",

For more information about these queries, see "Using Generic Mappings With a JDBC Repository" in the Integrator's Guide.
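A customized repo.jdbc.json is easy to miss during an update, and a query-all that still selects only fullobject fails in a way that only shows up at query time. The checker below is an added example, not ForgeRock code: it extracts the outer SELECT list of each generic-table query and reports which of objectid, rev and fullobject are missing, using the two MySQL query-all strings from this section as input. The "queries" -> "genericTables" layout of the sample configuration is assumed, the query-all-ids entry is constructed to stand in for a query that returns identifiers only, and the -ids naming rule used to exempt such queries is this example's heuristic.

```python
import json
import re

REQUIRED_COLUMNS = {"objectid", "rev", "fullobject"}

# Outer SELECT list of a statement: everything between the first SELECT and the
# first FROM. Nested selects live inside that FROM clause, so they are not matched.
_SELECT_LIST = re.compile(r"^\s*SELECT\s+(.*?)\s+FROM\b", re.IGNORECASE | re.DOTALL)
_ALIAS = re.compile(r"^(.+?)\s+AS\s+(\w+)$", re.IGNORECASE)

# The two MySQL query-all strings from the release notes (before and after 6.0).
OLD_QUERY_ALL = (
    "SELECT fullobject FROM (SELECT obj.fullobject, row_number() OVER (ORDER BY obj.id) AS row_next "
    "FROM ${_dbSchema}.${_mainTable} obj , ${_dbSchema}.objecttypes o "
    "WHERE obj.objecttypes_id = o.id AND o.objecttype = ${_resource}) AS query_all_id_temp "
    "WHERE row_next BETWEEN ${int:_pagedResultsOffset} + 1 AND ${int:_pagedResultsOffset} + ${int:_pageSize}")
NEW_QUERY_ALL = (
    "SELECT obj.objectid, obj.rev, obj.fullobject FROM (SELECT obj.objectid, obj.rev, obj.fullobject, "
    "row_number() OVER (ORDER BY obj.id) AS row_next "
    "FROM ${_dbSchema}.${_mainTable} obj , ${_dbSchema}.objecttypes o "
    "WHERE obj.objecttypes_id = o.id AND o.objecttype = ${_resource}) AS query_all_id_temp "
    "WHERE row_next BETWEEN ${int:_pagedResultsOffset} + 1 AND ${int:_pagedResultsOffset} + ${int:_pageSize}")

# Constructed repo.jdbc.json fragment; the queries -> genericTables layout is assumed
# and query-all-ids is a constructed stand-in for a query that returns IDs only.
SAMPLE_REPO_CONFIG = json.dumps({
    "queries": {
        "genericTables": {
            "query-all-ids": "SELECT obj.objectid FROM ${_dbSchema}.${_mainTable} obj, "
                             "${_dbSchema}.objecttypes o WHERE obj.objecttypes_id = o.id "
                             "AND o.objecttype = ${_resource}",
            "query-all": OLD_QUERY_ALL,
        }
    }
})


def selected_columns(sql: str) -> set:
    """Names the outer SELECT returns, lower-cased, with table prefixes stripped and
    AS aliases resolved. Adequate for the predefined queries; a function call with
    commas in the outer select list would need a real SQL parser."""
    match = _SELECT_LIST.match(sql)
    if not match:
        raise ValueError("not a SELECT statement")
    columns = set()
    for item in match.group(1).split(","):
        item = item.strip()
        alias = _ALIAS.match(item)
        name = alias.group(2) if alias else item.rpartition(".")[2]
        columns.add(name.lower())
    return columns


def missing_columns(sql: str) -> set:
    """Required columns that the query's outer SELECT does not return."""
    return REQUIRED_COLUMNS - selected_columns(sql)


def check_generic_queries(repo_json: str, exempt_suffix: str = "-ids") -> dict:
    """{query name: missing columns} for each generic-table query that returns full
    objects. Queries whose name ends in exempt_suffix return identifiers only and
    are not subject to the new requirement (this example's heuristic)."""
    config = json.loads(repo_json)
    findings = {}
    for name, sql in config.get("queries", {}).get("genericTables", {}).items():
        if name.endswith(exempt_suffix):
            continue
        missing = missing_columns(sql)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for name, missing in check_generic_queries(SAMPLE_REPO_CONFIG).items():
        print(f"{name}: add {sorted(missing)} to the outer SELECT")
```

Explicit-table queries that return full objects need a different check (every column mapped in repo.jdbc.json), so they are deliberately outside this helper's scope.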

Change to proxy configuration for external REST service

In previous releases, configuring a proxy for the external REST service was achieved by setting the proxySystem property in the external.rest.json configuration file. There is now a system-wide HTTP client configuration that includes proxy settings. For more information, see "Configuring HTTP Clients" in the Integrator's Guide.

4.2. ICF and Connector Changes

The following ICF and connector changes appeared in IDM 6.0.0 and will have an impact on existing IDM deployments that use those connectors:

LDAP Connector Change for Active Directory GUID (OPENICF-760)

Previous versions of the LDAP connector appended <GUID= to the GUID for Active Directory objects. This behavior ensured compatibility with the legacy .NET connector.

The LDAP connector no longer appends <GUID= to the object GUID. The new GUID format is compatible with objects created using the AD Powershell Connector, for example e1418d64-096c-4cb0-b903-ebb66562d99d. In existing deployments, this might mean that your links are incompatible with the new GUID format. To update links to the new format, run a reconciliation operation. To retain the legacy behavior, set "useOldADGUIDFormat" : true in your provisioner file.

Refactored Groovy Connector

The Groovy connector that is bundled with this IDM release has been refactored. Custom connectors that depend on the Groovy connector need to be updated.

Check the dependencies in the new Groovy connector (version 1.5.20.0) and rebuild your custom connector with the updated dependencies. You might also need to adapt some of the imports in your Groovy scripts.

A temporary workaround to avoid rebuilding the custom connector is to use the previous version of the Groovy connector from your IDM 5.5 installation:

In your IDM 6.0 installation, delete the bundled Groovy connector:

cd /path/to/openidm
rm lib/groovy-connector-1.5.20.0.jar

Copy the connector that is bundled with IDM 5.5 to your version 6.0 lib directory:

cp /path/to/openidm-55/lib/groovy-connector-1.4.4.0.jar lib/

Test that IDM starts and that your connector works as expected.

4.3. Deprecated Functionality

The following functionality is deprecated in IDM 6.0 and is likely to be removed in a future release.

  • Support for the TLSv1.1 protocol has been deprecated and will be removed in a future release. For more information on the potential vulnerability, see CVE-2011-3389 in the National Vulnerability Database of the US National Institute of Standards and Technology.

    The default security protocol for IDM is TLSv1.2. Do not downgrade this protocol to TLSv1.1 unless necessary. For more information, see "Setting the TLS Version" in the Integrator's Guide.

  • The ability to update servers by using the UI is deprecated and will be removed in the next release. You can still update from IDM 5.5 to IDM 6.0 through the UI, but UI update will no longer be available after this release.

  • In schedule configurations, setting a time zone using the timeZone field is deprecated. To specify a time zone for schedules, use the startTime and endTime fields, as described in "Configuring Schedules" in the Integrator's Guide.

  • Support for the MD5 and SHA-1 hash algorithms is deprecated and will be removed in a future release. You should use more secure algorithms in a production environment. For a list of supported hash algorithms, see "Encoding Attribute Values by Using Salted Hash Algorithms" in the Integrator's Guide.

  • boot.properties has moved. It was previously located in project-dir/conf/boot, and is now located in install-dir/resolver/.

  • The following directory variables have been deprecated and replaced:

    • &{launcher.working.location} is now &{idm.data.dir}

    • &{launcher.working.url} is now &{idm.data.url}

    • &{launcher.install.location} is now &{idm.install.dir}

    • &{launcher.install.url} is now &{idm.install.url}

    • &{launcher.project.location} is now &{idm.instance.dir}

    • &{launcher.project.url} is now &{idm.instance.url}

  • The Active Directory (AD) .NET Connector is deprecated and support for its use in IDM will be removed in a future release.

    For simple Active Directory (and Active Directory LDS) deployments, the Generic LDAP Connector works better than the Active Directory connector, in most circumstances. For more information, see "Generic LDAP Connector" in the Connector Reference.

    For more complex Active Directory deployments, use the PowerShell Connector Toolkit, as described in "PowerShell Connector Toolkit" in the Connector Reference.

    Note that deprecating the AD Connector has no impact on the PowerShell connector, or on the .NET Connector Server.

  • When configuring connectors, (see "Configuring Connectors" in the Integrator's Guide), you can set up nativeType property level extensions. The JAVA_TYPE_DATE extension is deprecated.

  • Support for a POST request with ?_action=patch is deprecated, when patching a specific resource. Support for a POST request with ?_action=patch is retained, when patching by query on a collection.

    Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead.

    For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe's entry:

    $ curl \
     --header "X-OpenIDM-Username: openidm-admin" \
     --header "X-OpenIDM-Password: openidm-admin" \
     --header "Content-Type: application/json" \
     --request POST \
     --header "X-HTTP-Method-Override: PATCH" \
     --data '[
       {
         "operation":"replace",
         "field":"/description",
         "value":"The new description for Jdoe"
       }
     ]' \
     "http://localhost:8080/openidm/managed/user/jdoe"

No additional functionality is deprecated at this time.

4.4. Removed Functionality

The following functionality was removed in IDM 6.0.0:

  • Support for the TLSv1.0 protocol has been removed. For more information, see the following PDF: Migrating from SSL and Early TLS from the PCI Security Standards Council.

    The default security protocol for IDM is TLSv1.2. Do not downgrade this protocol unless you have a specific need.

  • The ability to update IDM through the Admin UI has been removed from IDM 6.

    If you're updating IDM from version 5.5 to 6.0.0.7, you must first update from 5.5 to 6, then to 6.0.0.7.

  • The OPENAM_SESSION authentication module has been removed. If you are integrating IDM with ForgeRock Access Management (AM), you should use the OAUTH_CLIENT module instead. For an example, see "Integrating IDM With the ForgeRock Identity Platform" in the Samples Guide.

  • Support for the Security Management Service has been removed.

    As a part of this change, the securitykeys table has been removed from the database schema. If you are updating from a previous version of IDM, an update script is available in the openidm/db/repo/scripts/updates directory to delete this table from existing repositories. For more information about updating your IDM instance, see "Updating Servers" in the Installation Guide.

  • Support for a POST request with ?_action=sendEmail when sending an email with a REST call has been removed. Support for a POST request with ?_action=send is retained, on the /openidm/external/email endpoint. For an example of this REST call, see "Sending Mail Over REST" in the Integrator's Guide.
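To locate clients that still send the deprecated single-resource POST ?_action=patch form (described under "Deprecated Functionality" above), or the removed ?_action=sendEmail form, the following scanner is an added example; it is not part of these release notes or of IDM. It reads constructed access-log lines in an assumed "METHOD target STATUS" format (a real IDM access log is shaped differently, so adapt LOG_RE), and it treats a POST ?_action=patch request that carries _queryFilter or _queryId as the retained patch-by-query form on a collection; any other ?_action=patch POST is reported as the deprecated specific-resource form.

```python
"""Flag IDM REST calls that use the deprecated or removed ?_action forms.

Added example, not ForgeRock code. The log line shape below is an assumption
made for this example: "<METHOD> <path?query> <status>" per line.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log line shape (constructed for this example, not IDM's real access log).
LOG_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})\s*$")

EMAIL_ENDPOINT = "/openidm/external/email"


def classify(method, target):
    """Return None if the request form is fine, otherwise a finding string."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    action = query.get("_action", [None])[0]
    if method != "POST" or action is None:
        return None  # only POST ?_action=... forms are affected
    path = parts.path.rstrip("/")
    if action == "patch":
        # Patch by query on a collection is retained; a query parameter is the
        # (assumed) signal that the request is that form.
        if "_queryFilter" in query or "_queryId" in query:
            return None
        return ("deprecated: POST ?_action=patch on %s; use PATCH, or POST with "
                "X-HTTP-Method-Override: PATCH" % path)
    if action == "sendEmail" and path == EMAIL_ENDPOINT:
        return "removed: ?_action=sendEmail on %s; use ?_action=send" % path
    return None


def scan_log(text):
    """Return [(line_number, finding)] for every affected request in the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than guess
        finding = classify(match.group("method"), match.group("target"))
        if finding:
            findings.append((lineno, finding))
    return findings


# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
POST /openidm/managed/user/jdoe?_action=patch 200
POST /openidm/managed/user?_action=patch&_queryFilter=userName+eq+%22jdoe%22 200
PATCH /openidm/managed/user/jdoe 200
POST /openidm/external/email?_action=sendEmail 200
POST /openidm/external/email?_action=send 200
this line is not in the expected format
POST /openidm/managed/user?_action=create 201
"""

if __name__ == "__main__":
    # Lines 1 and 4 of the sample are reported; the rest pass.
    for lineno, finding in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (lineno, finding))
```

Run the file as-is to see the two findings from the sample; point scan_log at your own log text once LOG_RE matches its format. Requests already sent with the PATCH verb, or with POST plus X-HTTP-Method-Override: PATCH and no _action parameter, are never flagged, which is the target state after migrating.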

4.5. Functionality That Will Change in the Future

No major functionality is planned to change at this time.

Chapter 5. Documentation Updates

"Documentation Change Log" tracks important changes to the documentation:

Documentation Change Log
Date          Description
2021-12-07
  • Release of IDM 6.0.0.7.

  • Updated ICF connectors to 1.5.20.0.

  • Removed all reference to the Scripted CREST connector from the documentation, as this connector has been removed from the release and is no longer supported.

  • The latest version of the Active Directory password synchronization plugin uses UTC timestamps for logs.

2021-05-10
  • Added a caution regarding the BouncyCastle dump utility.

  • Updated the default datasource.jdbc-default.json file configuration for workflow in the Integrator's Guide.

  • The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure the maximum retry attempts for password changes. For more information, see the registry key, maxFileRetry in the Password Synchronization Plugin Guide.

  • The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure a search filter to omit users/groups from password syncing. For more information, see the registry key, userSearchFilterStrict in the Password Synchronization Plugin Guide.

2021-03-11
  • integer is a supported managed object type.

  • Added a restriction warning on the production use of the embedded workflow H2 database in the Integrator's Guide.

  • Removed the restriction on support for the SSH connector in the Connector Reference. This connector is fully supported.

  • The latest version of the Active Directory Password Synchronization Plugin supports a new registry key that helps prevent infinite password update loops. For more information, see the registry key, pwdChangeInterval in the Password Synchronization Plugin Guide.

2020-07-18

Added a description for the maxTokenSize property of the IWA authentication module.

2020-06-04

Initial release of IDM 6.0.0.6.

The following items were added:

2020-05-14

Added missing TOKEN authentication method and miscellaneous improvements to "SCIM Connector" in the Connector Reference.

2020-04-08

Update PostgreSQL repository instructions to indicate that index tuning is required.

2020-03-20

Fixed outdated Bootstrap version references in the Integrator's Guide

2019-09-10

Revised the logging documentation to include security advice on logging levels. See "Specifying the Logging Level" in the Integrator's Guide and "Updating logging.properties" in the Installation Guide.

2019-08-19

Added information on restricting the maximum payload size in HTTP requests ("Restricting the HTTP Payload Size" in the Integrator's Guide).

2021-12-07

Initial release of IDM 6.0.0.5.

2019-02-11

Release of IDM 6.0.0.4 maintenance release.

  • The Customizing the Landing Page section has been removed in the section, "Customizing the Self-Service UI" in the Integrator's Guide.

  • The line "context: Represents the associated context" has been removed in the section, "Variables Available to Scripts" in the Integrator's Guide.

  • Added a scripting step to clear the reconprogressstate column from the genericobjects table in the repository after the update process. For more information, see "To Apply the 6.0.0.7 Patch Bundle Release" in the Installation Guide.

  • The section describing the configuration of workflows has been changed ("Enabling Workflows" in the Integrator's Guide). The mail parameter of the Activiti engine is currently not supported (see OPENIDM-11370).

2018-11-05

Release of IDM 6.0.0.3 maintenance release.

2018-09-03

Release of IDM 6.0.0.2 patch release.

2018-08-13

Release of IDM 6.0.0.1 patch release.

2018-07-16

Added Oracle Database 12cR1 (12.1) to the list of supported repositories.

2018-06-20

Updated the instructions in "Configuring IDM For a Hardware Security Module (HSM) Device" in the Integrator's Guide to specify that symmetric keys must use an HMAC algorithm.


Chapter 6. How to Report Problems and Provide Feedback

If you have questions regarding IDM software that are not answered by the documentation, you can ask questions on the forum at https://forgerock.org/forum/fr-projects/openidm/.

When requesting help with a problem, include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation

  • Description of the environment, including the following information:

    • Machine type

    • Operating system and version

    • Repository type and version

    • Java version

    • IDM release version

    • Any patches or other software that might be affecting the problem

  • Steps to reproduce the problem

  • Any relevant access and error logs, stack traces, or core dumps

Appendix A. Release Levels and Interface Stability

This appendix includes ForgeRock definitions for product release levels and interface stability.

A.1. ForgeRock Product Release Levels

ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.

Release Level Definitions
Release Label          Version Numbers          Characteristics

Major

Version: x[.0.0] (trailing 0s are optional)

  • Bring major new features, minor features, and bug fixes

  • Can include changes even to Stable interfaces

  • Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated

  • Include changes present in previous Minor and Maintenance releases

Minor

Version: x.y[.0] (trailing 0s are optional)

  • Bring minor features, and bug fixes

  • Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces

  • Can remove previously Deprecated functionality

  • Include changes present in previous Minor and Maintenance releases

Maintenance, Patch

Version: x.y.z[.p]

The optional .p reflects a Patch version.

  • Bring bug fixes

  • Are intended to be fully compatible with previous versions from the same Minor release


A.2. ForgeRock Product Interface Stability

ForgeRock products support many protocols, APIs, GUIs, and command-line interfaces. Some of these interfaces are standard and very stable. Others offer new functionality that is continuing to evolve.

ForgeRock acknowledges that you invest in these interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines interface stability labels and uses these definitions in ForgeRock products.

Interface Stability Definitions
Stability Label          Definition

Stable

This documented interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect.

Evolving

This documented interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.

Deprecated

This interface is deprecated and likely to be removed in a future release. For previously stable interfaces, the change was likely announced in a previous release. Deprecated interfaces will be removed from ForgeRock products.

Removed

This interface was deprecated in a previous release and has now been removed from the product.

Technology Preview

Technology previews provide early access to new features, built on evolving technology, that are not yet supported. Technology preview features may be functionally incomplete, and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums.

ForgeRock does not guarantee that a technology preview feature will be present in future releases, and the final, complete version of the feature is liable to change between the preview and the final version. Once a technology preview moves into the completed version, that feature becomes part of the ForgeRock platform. Technology previews are provided on an “AS-IS” basis for evaluation purposes only, and ForgeRock accepts no liability or obligations for the use thereof.

Internal/Undocumented

Internal and undocumented interfaces can change without notice. If you depend on one of these interfaces, contact ForgeRock support or email info@forgerock.com to discuss your needs.


Appendix B. Getting Support

For more information and resources about IDM and ForgeRock support, see the following sections:

B.1. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

B.2. Using the ForgeRock.org Site

The ForgeRock.org site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.

If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.

B.3. Getting Support and Contacting ForgeRock

ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.forgerock.com.

ForgeRock has staff members around the globe who support our international customers and partners. For details on ForgeRock's support offering, including support plans and service level agreements (SLAs), visit https://www.forgerock.com/support.
