Notes covering OpenIDM software requirements, fixes, known issues. The OpenIDM project offers flexible, open source services for automating management of the identity life cycle.

Chapter 1. What's New

OpenIDM 2.1.2 is a maintenance release that resolves a number of issues, including security issues in OpenIDM. It is strongly recommended that you update to this release to make your deployment more secure, and to take advantage of important functional fixes. ForgeRock customers can contact support for help and further information.

Before you install OpenIDM or update your existing OpenIDM installation, read these release notes. Then update or install OpenIDM.

For installation instructions and several samples to familiarize you with the features, see the Installation Guide.

For an architectural overview and high-level presentation of OpenIDM, see the Architectural Overview chapter in the Integrator's Guide.

1.1. New in 2.1.2

Compared to the OpenIDM 2.1.1 release, OpenIDM 2.1.2 fixes a number of issues and provides the following new features:

  • OPENIDM-957: Ability to launch startup.sh and cli.sh from any directory

  • OPENIDM-1764: New launcher.bat override, including install-service.bat

1.2. New in 2.1.0

OpenIDM 2.1.0 provides many new features, including the following:

  • Browser-based user interface

    Includes self service capabilities, a generic platform to expose and invoke workflows, and a notification service for tasks.

    For more information, see OpenIDM User Interface in the Integrator's Guide in the Integrator's Guide.

  • BPMN 2.0 workflow engine, embedded as an OSGi bundle and accessible over REST.

    For more information, see Integrating Business Processes and Workflows in the Integrator's Guide in the Integrator's Guide.

  • Configurable task scheduling service, including support for clustered schedules and scanning tasks.

    For more information, see Scheduling Tasks and Events in the Integrator's Guide in the Integrator's Guide.

  • Configurable policy service.

    For more information, see Using Policies to Validate Data in the Integrator's Guide in the Integrator's Guide.

  • Ability to perform batch scans to execute tasks

    For more information, see Scanning Data to Trigger Tasks in the Integrator's Guide in the Integrator's Guide.

  • Ability to create custom RESTful endpoints.

    For more information, see Adding Custom Endpoints in the Integrator's Guide in the Integrator's Guide.

  • Support for MS SQL JDBC as an internal repository.

    For more information, see Procedure 4.2, "To Set Up OpenIDM With MS SQL" in the Installation Guide.

  • Enhanced, multi-threaded reconciliation service, accessible over REST.

    For more information, see Configuring Synchronization in the Integrator's Guide in the Integrator's Guide.

  • Support for Powershell scripts on the Active Directory connector.

    For more information, see Using PowerShell Scripts With the Active Directory Connector in the Integrator's Guide in the Integrator's Guide.

  • Reusable server configuration and property value substitution in the configuration.

    For more information, see Using Property Value Substitution in the Configuration in the Integrator's Guide in the Integrator's Guide.

  • Support for calling LiveSync operations over REST, or using the resource API.

    For more information, see Triggering LiveSync Over REST in the Integrator's Guide in the Integrator's Guide.

For installation instructions and several samples to familiarize you with the features, see the Installation Guide in the Installation Guide.

For an architectural overview and high-level presentation of OpenIDM, see the Architectural Overview in the Integrator's Guide chapter in the Integrator's Guide.

Chapter 2. Before You Install OpenIDM Software

This chapter covers prerequisites for installing and running OpenIDM software.

For OpenIDM 2.1, the following configurations are supported for use in production.

Repository

The following JDBC repositories are supported for use in production:

  • MySQL 5.1 or 5.5 with Connector/J 5.1.18 or later

  • Microsoft SQL Server 2008 Express

  • Oracle Database 11g Enterprise Edition

OrientDB is provided for evaluation only.

Stand-alone installation

You must install OpenIDM as a stand-alone service, using Apache Felix and Jetty as provided. Alternate containers are not supported.

This OpenIDM release bundles Jetty version 7.6.2.v20120308.

Connectors

OpenIDM 2.1 comes packaged with these OpenICF connectors:

  • CSV File

  • LDAP

  • Scripted SQL

  • XML File

  • Database Table

ForgeRock provides additional connectors, as listed on the OpenICF project connectors site.

If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.

OpenIDM requires Java SE JDK 6 update 24 or later. When using the Oracle JDK, you also need Java Cryptography Extension (JCE) policy files.

On Windows systems, use Java SE JDK 7 update 6 or later, to take advantage of a recent JVM fix relating to non-blocking sockets with the default Jetty configuration.

You need 150 MB disk space and 1 GB memory for an evaluation installation. For a production installation, disk space and memory requirements will depend on the size of the repository, and on size of the audit and service log files that OpenIDM writes.

Chapter 3. OpenIDM Fixes, Limitations, & Known Issues

OpenIDM issues are tracked at https://bugster.forgerock.org/jira/browse/OPENIDM.

3.1. Fixes and Improvements

OpenIDM 2.1 includes the following major fixes and improvements.

  • OPENIDM-2776: Install path with space not handled correctly in shutdown.sh

  • OPENIDM-2500: properties set as encrypted in managed.json written in plain text in activity audit when new and old values are the same

  • OPENIDM-2480: Enable READ_COMITTED_SNAPSHOT isolation w/MSSQL

  • OPENIDM-2127: Switching existing schedule from persisted=false to persisted=true results in duplicate scheduled jobs.

  • OPENIDM-1915: Add ability to configure the HTTP session timeout for the OpenIDM UI

  • OPENIDM-1907: Recon failures as a result of policy violations do not indicate the cause of the violation in the recon audit log.

  • OPENIDM-1885: onUnlink trigger throws NPE if invoked for SOURCE_MISSING situation (action=UNLINK) during target reconciliation

  • OPENIDM-1755: Recon target phase is always single threaded regardless of the number of configured taskThreads

  • OPENIDM-1739: Changes made to target objects by onLink triggers should be persisted if the situation action is UPDATE

  • OPENIDM-1665: Startup failure when connectors directory contains arbitrary sub-directories

  • OPENIDM-1663: Deadlock within OpenIDM when updating managed users w/MSSQL as the repository

  • OPENIDM-1658: Hard-coded reference to database schema and table name in jdbc config files

  • OPENIDM-1655: External Rest Service erroneously sets the remote auth ChallengeScheme to HTTP_COOKIE instead of HTTP_BASIC

  • OPENIDM-1652: Policy violation doesn't prevent managed objects creation

  • OPENIDM-1647: LiveSync fails when using Generic LDAP Connector if readSchema=false

  • OPENIDM-1629: Policy cannot-contain-others raises an exception when one of the fields to check against is absent

  • OPENIDM-1624: Linux rc script generated by create-openidm-rc.sh fails to shutdown OpenIDM when installed to a directory other than 'openidm'

  • OPENIDM-1584: java.lang.OutOfMemoryError exception

  • OPENIDM-1583: OpenIDM should not enforce the REAUTH_REQUIRED policy for openidm-cert role.

  • OPENIDM-1563: Task scanner creates a new thread pool for each execution resulting in a thread leak.

  • OPENIDM-1433: OpenIDM renames entry on update (OpenIDM ICF glue code sets __NAME__ to __UID__)

  • OPENIDM-1416: Default onCreate script of UI sets the accountStatus to 'active', overrides the value of the managed user attribute

  • OPENIDM-1281: Query for "get-by-field-value" is incorrect

  • OPENIDM-1256: additionalPolicies option in policy.json not working

  • OPENIDM-1236: ScriptableList: cannot put 0 (zero) index element

  • OPENIDM-1170: Linux startup script generator is not working correctly

  • OPENIDM-1147: Install path with space not handled correctly in startup.sh

  • OPENIDM-969: Console login fails and leaves OpenIDM in unusable state

3.2. Limitations

OpenIDM 2.1 has the following known limitations:

  • A conditional GET request, with the If-None-Match request header, is not currently supported.

  • The keystore password, the truststore password and the secret key passwords must all be set to the same value. If you use different passwords, OpenIDM is unable to read the required keys and certificates.

  • Connectors generally use the global JVM settings for keystore and truststore, rather than the settings that are specified in the boot.properties file. You can work around this by specifying a path to the keystore or truststore in the conf/system.properties file. For example: 

    # Set the truststore
javax.net.ssl.trustStore=/path/to/openidm/security/truststore

3.3. Known Issues

OpenIDM 2.1 has the following known issues.

  • OPENIDM-2595: OpenIDM failed to start-up during installation

  • OPENIDM-2312: SmartEvent framework maintains a unbounded event name cache which consumes the entire heap

  • OPENIDM-2184: NPE thrown from within ObjectMapping$SyncOperation.isValidSource() during reconciliation.

  • OPENIDM-2078: PermGen leak in "source" scripts

  • OPENIDM-2034: Support arbitrary [commons] auth modules via className

  • OPENIDM-1946: Working location flag (-w) not working as documented

  • OPENIDM-1912: Exception from OpenIDMResolverFactory if used in a parallel execution workflow task

  • OPENIDM-1878: DELETE situation-actions on managed objects in bidirectional mappings result in incorrect LINK_ONLY

  • OPENIDM-1860: Null pointer exception when setting target attribute during onUnlink

  • OPENIDM-1823: getScriptBindings function of ServiceScript (ScriptRegistryImpl.java) slows down extremely when accessed paralell from multiple threads

  • OPENIDM-1770: CLI tool needs the ability to authenticate as a user other than openidm-admin w/default password

  • OPENIDM-1664: Memory usage of AD connector continue to increase.

  • OPENIDM-1637: Problem in UI when the username contains a space char.

  • OPENIDM-1632: create-openidm-logrotate.sh is not properly defined

  • OPENIDM-1619: OperationOptions specified within the provisioner configuration are not passed to connectors by OpenIDM

  • OPENIDM-1600: Cluster with Oracle DB backend

  • OPENIDM-1574: AD sync service might crash after applying latest Windows updates

  • OPENIDM-1564: __NAME__ attribute incorrectly required as part of object definition for a create action

  • OPENIDM-1562: Route to endpoint service not found if there is a resourcename after the name of the endpoint

  • OPENIDM-1560: when starting OpenIDM with -p option logging.properties file is not taken in project location

  • OPENIDM-1535: incomplete handleQuery implementation in ScriptedRequestHandler

  • OPENIDM-1530: OpenIDM self-signed certificates in keystore and truststore does not match

  • OPENIDM-1513: Inconsistency in script context: request object has different representations

  • OPENIDM-1511: Policy.java overwrites the action parameter of async recon

  • OPENIDM-1509: false 'validSource' entries still being evaluated, and returned correlation records are unexpectedly DELETEd

  • OPENIDM-1507: Logging level change to FINE causes NullPointerException in OrientDBRepoService

  • OPENIDM-1504: OpenICFProvisionerService handle method performs logger.isDebugEnabled() checks but logs at the error level

  • OPENIDM-1503: InvalidCredentialException thrown from OpenICFProvisionerService uses 500 HTTP error code

  • OPENIDM-1501: sync?_action=performAction with an action=DELETE results in a delete on the source rather than the target

  • OPENIDM-1489: Command line needs to allow supplying user/pwd

  • OPENIDM-1483: Pool size settings not effective for OrientDB repo

  • OPENIDM-1445: Provisioner service does not decrypt encrypted attributes before passing them to OpenICF framework

  • OPENIDM-1444: json schema package needs to specify export version and import version ranges

  • OPENIDM-1430: OpenIDM needs a restart after importing a new cert via REST API

  • OPENIDM-1417: Throwing 401 exception in augment security context javascript ends up being a 500 in the response

  • OPENIDM-1413: In async recon starter script (workflow.js) the query of the already running instances is executed before all it's parameters are set

  • OPENIDM-1412: Missing 'not undefined' check for sourceId and targetId in async recon workflow starter script (workflow.js)

  • OPENIDM-1411: Add not null check to async recon starter script (workflow.js) for sourceId query parameter, fill businessKey field of the workflow when starting a new workflow

  • OPENIDM-1390: Unable to parse boolean configuration values from custom OpenICF provisioner

  • OPENIDM-1380: opendj-accountchange-handler schema does not load schema provided after install

  • OPENIDM-1379: ADD operation failed for OpenDJ account notification handler

  • OPENIDM-1361: Exception from UI when a workflow started by scheduler has a user task in it

  • OPENIDM-1358: Connector test of LDAP fails

  • OPENIDM-1338: Validation for create without objectId is always true

  • OPENIDM-1329: OrientDB as repo does not initialize if there is no network connection

  • OPENIDM-1293: OpenIDMELResolver should use component.name to bind JavaDelegate implementations instead of component.id

  • OPENIDM-1269: some issues with Case Sensitivity options for Sync

  • OPENIDM-1267: Add Enum and DateFormType specific data to the taskdefinitions returned by Activiti

  • OPENIDM-1265: liveSync process should never get stuck because of exceptions with the synchronizationListener.

  • OPENIDM-1245: Align openidm and activiti contract on scripting(openidm.action() and openidm.patch() failed in a workflow on managed object.)

  • OPENIDM-1219: DB/Config bootstrapping should use IdentityServer support for getting properties, including boot prop

  • OPENIDM-1218: Audit filter on eventTypes for recon.csv does not work properly

  • OPENIDM-1210: Directly-assigned workflow tasks disappear when "Requeue" button is hit

  • OPENIDM-1190: Disable Quartz update check by default

  • OPENIDM-1186: PATCH with POST using MVCC are successful even if revision wrong

  • OPENIDM-1184: sample/sample3 and sample/provisioner use hardcoded path in provisioner configuration.

  • OPENIDM-1175: IE9 and below aggressively cache AJAX requests, causing the UI to behave strangely

  • OPENIDM-1174: Some UI Features are Indistinguishable From Plaintext

  • OPENIDM-1165: EXCEPTION action when doing liveSync stops the synctoken processing

  • OPENIDM-1162: With OrientDB, for a MISSING/CREATE situation/action, reconciliation creates a new link instead of using an existing link

  • OPENIDM-1142: Harmless error message may appear when starting OpenIDM

  • OPENIDM-1141: OrientDB config bootstrap repository does not use .json config file, only properties

  • OPENIDM-1133: Certain sample files contain unnecessary, unused entries

  • OPENIDM-1129: OpenIDM freezes when the connection to the repository is interrupted

  • OPENIDM-1117: Malformed content-type request header produces 500 error

  • OPENIDM-1115: When an LDAP user is created through the REST API, the _id that is returned is not normalized

  • OPENIDM-1098: onDelete script generates exception

  • OPENIDM-1096: A PUT command on a configuration object may return an incorrect value

  • OPENIDM-1094: Starting a second OpenIDM instance with a conflicting port causes the instance to freeze

  • OPENIDM-1093: A user's accountStatus (active or inactive) has no effect on the UI or the REST API

  • OPENIDM-1074: disabling automatic polling for changes of config file not possible on new install

  • OPENIDM-1021: Wrong starting arguments during start could throw an error or warning.

  • OPENIDM-964: An incorrect password in boot.properties causes OpenIDM to hang on startup

  • OPENIDM-848: Conflicting behavior might be observed between the default fields set by the onCreate script and policy enforcement

  • OPENIDM-470: OpenIDM cannot rename objects - if the identifier of the object changes, the associated link breaks

Chapter 4. OpenIDM Compatibility

This chapter covers both major changes to existing functionality, and also deprecated and removed functionality.

4.1. Major Changes to Existing Functionality

The following changes will have an impact on existing deployments. Read these changes carefully and adjust existing scripts and clients accordingly.

Changes to the scheduler configuration

The way in which scheduled tasks is configured has changed, as described in Scheduling Tasks and Events in the Integrator's Guide.

Schedules are now defined in files named openidm/conf/schedule-*.json. If you use the previous naming convention (scheduler-*.json), the schedules will not be launched.

Reconciliation now on recon service

In previous releases, reconciliation was called on the sync service. This API has been deprecated and reconciliation is now called on the recon service. For example, a reconciliation operation that previously targeted the following URL:

                        "http://localhost:8080/openidm/recon?_action=sync&mapping=systemLdapAccounts_managedUser"

would now use the following URL:

                        "http://localhost:8080/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"
Audit log changes

Timestamps now have milliseconds and are in UTC timezone.

The access log now has an additional field, userid, which is the OpenIDM ID for a managed or internal user who is logged in. For authentication via SSL mutual auth only, the userid is currently null because there is no direct associated user in OpenIDM.

Database schema changes

The reconID column has been removed from the links table.

The size of the linkType column in the links table has been reduced to 255 characters. This is because MySQL can only create unique indexes on that size for UTF-8 encoding.

The links table indexes have been changed to unique indexes to prevent duplication.

The auditactivity table contains two new columns - changedfields and passwordchanged, for additional auditing functionality.

Tables have been added for the scheduler configuration and for User Interface notifications.

The openidm user is created with all the required privileges to update the openidm database by default.

Changes to token definitions in OrientDB query definitions

Existing repo.orientdb.json query definitions with tokens like ${mytoken} must be reviewed and adjusted to match the new definition which aligns declarations for regular and prepared statement uses.

Existing ${token} tokens are now suitable for quoted strings by default. Prefixes such as unquoted: and dotnotation: allow you to use queries in contexts where the unquoted value or the JSON pointer converted to OrientDB dot notation should be inserted.

New queries in repo.*.json definitions

query-by-linkType

Security context changes

The request context now includes the security context of the user that is associated with the call.

The "user" property has been renamed "username", the name used to log in (for example, to authenticate against an access manager).

Name change for the query-id parameter

The query-id parameter has been renamed queryID for consistency across the API.

4.2. Minor Changes to Existing Functionality

The following changes should not have an impact on existing deployment configurations.

Connection pooling is on by default

For existing configurations, keep this setting off unless you explicitly require it to be changed.

Explicit definition of username, password, and role

The authentication configuration now explicitly defines which properties from the query represent the username, password, and role. Existing configurations rely on the logic of the query order to determine which property is which.

Prefetching of links during reconciliation operations

All links are now queried at the start of a correlation and the results of that query are used.

For more information, see Prefetching Links in the Integrator's Guide in the Integrator's Guide.

4.3. Deprecated Functionality

The following functionality is deprecated in OpenIDM 2.1.

  • Reconciliation is no longer called on the sync service. For more information, see the list of changes to existing functionality.

No additional functionality is planned to be deprecated at this time.

4.4. Removed Functionality

No functionality has been removed in OpenIDM 2.1.

No functionality is planned to be removed at this time.

4.5. Functionality That Will Change in the Future

These capabilities are expected to change in upcoming releases:

Chapter 5. How to Report Problems & Provide Feedback

If you have found issues or reproducible bugs within OpenIDM, report them in https://bugster.forgerock.org.

When requesting help with a problem, please include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation

  • Machine type, operating system version, Java version, and OpenIDM release version, including any patches or other software that might be affecting the problem

  • Steps to reproduce the problem

  • Any relevant access and error logs, stack traces, or core dumps

Chapter 6. Support

You can purchase OpenIDM support subscriptions and training courses from ForgeRock and from consulting partners around the world and in your area. To contact ForgeRock, send mail to info@forgerock.com. To find a partner in your area, see http://forgerock.com/partners/find-a-partner/.

Read a different version of :