Notes covering OpenIDM software requirements, fixes, known issues. The OpenIDM project offers flexible, open source services for automating management of the identity life cycle.
Chapter 1. What's New in OpenIDM 3.1
OpenIDM 3.1 provides many new features and product enhancements. The following list describes the main new features affecting an end user.
- Administration User Interface
The new web-based Admin UI enables you to configure connectors, customize managed objects, set up attribute mappings between resources, configure reconciliation and synchronization rules, and more. For more information, see Section 4.1, "Configuring OpenIDM from the Admin UI" in the Integrator's Guide.
- Addition of an aggregated view to the User View UI
The User View UI now includes a read-only view of the user account in each of the external resources to which it is linked. For more information, see Procedure 4.6, "To View a User's Account in External Resources" in the Integrator's Guide.
- Reconciliation Performance Improvements
To improve reconciliation query performance on slower systems, you can now preload the entire result set into memory on the source or target system, or on both systems. For more information, see Section 12.5.1, "Improving Reconciliation Query Performance" in the Integrator's Guide.
- Updated Connectors, New Connectors and Samples
Several of the connectors bundled with OpenIDM have been updated. For details of the latest versions, see Section 11.5, "Connectors Supported With OpenIDM 3.1" in the Integrator's Guide.
OpenIDM Enterprise bundles two new connectors, and corresponding sample configurations - a Google Apps Connector and a Salesforce connector. For more information, see Section 3.19, "Sample - Connecting to Salesforce With the Salesforce Connector" in the Installation Guide and Section 3.18, "Sample - Connecting to Google With the Google Apps Connector" in the Installation Guide.
- Support for PostgreSQL
OpenIDM 3.1 supports PostgreSQL, 9.3 or higher, as an internal repository. For information on configuring OpenIDM with a PostgreSQL repository, see Section 4.4, "To Set Up OpenIDM With PostgreSQL" in the Installation Guide.
- Improvements to the Audit Facility
Audit logs for synchronization operations
The reconciliation audit facility has been extended to LiveSync and implicit sync operations. For more information, see Section 12.9, "Querying the Synchronization Audit Log" in the Integrator's Guide.
Ability to purge audit logs
OpenIDM 3.1 provides the ability to purge audit logs at a scheduled interval, or when the logs reach a certain size. For more information, see Section 18.6, "Purging Obsolete Audit Information" in the Integrator's Guide.
Ability to filter audit logs
The audit facility provides a new mechanism that enables you to filter audit data, thereby reducing the volume of data that is logged. For more information, see Section 18.5, "Filtering Data for Audits" in the Integrator's Guide.
For installation instructions and several samples to familiarize you with the OpenIDM features, see Chapter 1, "Installing OpenIDM Services" in the Installation Guide.
For an architectural overview and high-level presentation of OpenIDM, see Chapter 1, "Architectural Overview" in the Integrator's Guide.
1.1. Security Advisories
ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.
Chapter 2. Before You Install OpenIDM Software
This chapter covers prerequisites for installing and running OpenIDM software.
For OpenIDM 3.1, the following configurations are supported for use in production.
The following JDBC repositories are supported for use in production:
MySQL 5.1 or 5.5 with Connector/J 5.1.18 or later
Microsoft SQL Server 2008
Oracle Database 11g
PostgreSQL 9.3 or higher
OrientDB is provided for evaluation only.
- Stand-alone installation
You must install OpenIDM as a stand-alone service, using Apache Felix and Jetty, as provided. Alternate containers are not supported.
OpenIDM 3.1 bundles Jetty version 8.1.9.v20130131.
OpenIDM 3.1 comes packaged with these OpenICF connectors:
CSV File Connector
Database Table Connector
Generic LDAP Connector
XML File Connector
Groovy Connector Toolkit
This toolkit enables you to create scripted connectors to virtually any resource
A corresponding PowerShell Connector Toolkit is available for download from ForgeRock Backstage, and enables you to create scripted connectors to address the requirements of your Microsoft Windows ecosystem.
The following connectors are available only with the OpenIDM Enterprise release:
Google Apps Connector
ForgeRock provides additional connectors, as listed on the OpenICF project connectors site.
When using the LDAP connector to provision to Active Directory, OpenIDM 3.1 supports Active Directory Domain Controllers and Active Directory Global Catalogues. This release also provides support for Active Directory Lightweight Directory Services (LDS).
OpenIDM 3.1 also provides support for Windows 2012 R2 as the remote system for connectors and password synchronization plugins.
ForgeRock has tested many browsers with the OpenIDM UI, including the following browsers.
Chrome and Chromium, latest stable version
Firefox, latest stable version
Safari, latest stable version
Internet Explorer 9 and later
- Operating Systems
OpenIDM 3.1 is supported on CentOS Linux 6.5 and on Windows 2008 R2 and Windows 2012 R2. It has been tested on most variations of Linux.
If you have a special request to support a component or combination not listed here, contact ForgeRock at email@example.com.
OpenIDM requires Java SE JDK 6 update 24 or later. When using the Oracle JDK, you also need Java Cryptography Extension (JCE) policy files.
On Windows systems, use Java SE JDK 7 update 6 or later, to take advantage of a recent JVM fix relating to non-blocking sockets with the default Jetty configuration.
OpenIDM 3.1 also supports OpenJDK 1.7.
You need 150 MB disk space and 1 GB memory for an evaluation installation. For a production installation, disk space and memory requirements will depend on the size of the repository, and on size of the audit and service log files that OpenIDM writes.
Chapter 3. OpenIDM Fixes, Limitations, & Known Issues
OpenIDM issues are tracked at https://bugster.forgerock.org/jira/browse/OPENIDM.
3.1. Fixes and Improvements
OpenIDM 3.1 includes the following major fixes and improvements.
OPENIDM-2611: review queries using QueryFilter with explicit tables in Oracle referring to CLOB field
OPENIDM-2610: QueryFilter used with explicitTables not working with Oracle or MS SQL Server
OPENIDM-2605: Missing queries from Oracle repo.jdbc.json
OPENIDM-2589: provisioner files in sample2x do not have enableFilteredResultsHandler set to false
OPENIDM-2549: unexpected results for queryFilters on integer properties when using JDBC repo
OPENIDM-2547: Base64 encoded attributes are not properly decoded to byte
OPENIDM-2538: Unable to login after changing the Session timeout setting via the UI
OPENIDM-2531: QueryFilter-generated SQL for OrientDB for sw "" is incorrect
OPENIDM-2529: searchBases in powershell2AD sample are not aligned among the scripts
OPENIDM-2526: Repo README.txt files need to be updated
OPENIDM-2525: QueryFilter-generated SQL for OrientDB does not parse
OPENIDM-2500: properties set as encrypted in managed.json written in plain text in activity audit when new and old values are the same
OPENIDM-2497: Query queryId=audit-by-recon-id not working on MS-SQL
OPENIDM-2489: Task scanner does not work using MS-SQL repository
OPENIDM-2485: Country Empty, but State is filled in
OPENIDM-2484: Multiple provisioner instances created for the same name
OPENIDM-2481: PostgreSQL query using wrong value
OPENIDM-2480: Enable READ_COMITTED_SNAPSHOT isolation w/MSSQL
OPENIDM-2456: Workflow Sample not working with MS-SQL as repo
OPENIDM-2446: The exception attribute in the audit sync entries is not being pre-formatted before the entry is created.
OPENIDM-2437: TaskScannerContext should store the ScriptEntry
OPENIDM-2429: disabled connectors returned from system?action=test need to return connectorRef details
OPENIDM-2425: Query with queryFilter on managed users fails when using MS-SQL as repo
OPENIDM-2424: The __ALL__ object class should use a default object class endpoint if it is not defined in the provisioner config.
OPENIDM-2421: Consider making the ObjectType properties value in provisioner configs not required or allow it to be empty.
OPENIDM-2406: Update UID and DN of an ldap entry returns status 500 and Internal Server Error
OPENIDM-2394: Cannot REST query with a single quote in parameter value
OPENIDM-2386: Service creation scripts hard-code memory options to 1024m
OPENIDM-2385: queryFilter support for _id fields
OPENIDM-2381: condition on route config entries are ignored
OPENIDM-2375: obsolete router.json file in samples/misc and openidm-api-servlet/src/tests
OPENIDM-2364: update main samples README with last additions/modifications
OPENIDM-2355: Update linkedView to use queryFilter
OPENIDM-2344: OpenAM sample UI is not working
OPENIDM-2330: system?action=test disabled connectors need to return with the same details as an broken/active connector.
OPENIDM-2324: ScriptedRest connector 1.4 sample scripts exceptions are not properly thrown
OPENIDM-2323: ScriptedRest connector 1.4 - GET_LATEST_SYNC_TOKEN throws exception - /changelog doesn't support paged search
OPENIDM-2321: external/rest calls to SSL endpoints result in jetty exception
OPENIDM-2315: linkedView throws null exception when there is no sync defined
OPENIDM-2314: Script launched from router.json by onResponse hook is unable to update response data
OPENIDM-2312: SmartEvent framework maintains a unbounded event name cache which consumes the entire heap
OPENIDM-2288: Single Quote character in managed object causes OrientDB error
OPENIDM-2283: A node in a cluster doesn't currently listen for configuration changes
OPENIDM-2269: unable to use a ScriptTaskListener
OPENIDM-2240: Recon with situation MISSING and action CREATE behave differently in MySQL and PostgreSQL
OPENIDM-2238: Sync Audit Log record storage in PostgreSQL fails with error 'column "rev" of relation "auditsync" does not exist'
OPENIDM-2237: Create default connector configuration for Scripted SQL connector version 22.214.171.124 raises a 500 error
OPENIDM-2233: ScriptedSQL sample3 - liveSync doesn't work
OPENIDM-2224: Enhance recon service to return a result indicating the status of the request reconciliation run
OPENIDM-2223: Update of connector info provider causes all remote connectors unavailable.
OPENIDM-2203: Pagination on managed users not working with PostgreSQL as repo
OPENIDM-2202: TaskScanner not working with PostgreSQL as repo
OPENIDM-2201: In Recon Summary the situation FOUND_ALREADY_LINKED is missing
OPENIDM-2200: Failure on writing sync audit log when action is exception with MySQL as repo
OPENIDM-2190: With PostgreSQL as repo, creating same user twice gets a 500 instead of 412
OPENIDM-2189: With PostgreSQL as repo, DELETE on managed user is not working
OPENIDM-2184: NPE thrown from within ObjectMapping$SyncOperation.isValidSource() during reconciliation.
OPENIDM-2180: Repo command action should be disallowed via HTTP
OPENIDM-2179: Sample 6 : The sample LDIF file provided is not valid
OPENIDM-2165: sourceCondition must work with maps
OPENIDM-2154: Use effectiveRoles of managed user instead of roles attribute in UI workflow scripts
OPENIDM-2153: Column name mismatch for notification tables when using SQLServer repository
OPENIDM-2134: only the last role was applied when multiple replaceTarget roles with the same property name were assigned to a user
OPENIDM-2127: Switching existing schedule from persisted=false to persisted=true results in duplicate scheduled jobs.
OPENIDM-2116: mergeWithTarget and replaceTarget on role definition fails if using Dynamic Assignment
OPENIDM-2106: Audit filter assumes action is a RequestType and improperly filters recon entries
OPENIDM-2089: Remove the need to store certificates in the default java keystore when doing ssl over jdbc.
OPENIDM-2087: Enabled:false needs to not return an error state for provisioners
OPENIDM-2079: Cannot PATCH managed user when ID contains special characters.
OPENIDM-2078: PermGen leak in "source" scripts
OPENIDM-2074: When the workflow module is disabled, shutdown errors are displayed on the console
OPENIDM-2067: For an MS SQL repository, queries in the repo config file containing concatenation functions do not work
OPENIDM-2062: openidm/system/NAME?_action=createFullConfig does not properly handle encrypted values causing the tests to fail.
OPENIDM-2061: Recon Fails to create users from AD "REV" : invalid identifier [Oracle]
OPENIDM-2058: Issues on status code and response content for REST API of Configuration with put and delete
OPENIDM-2057: Issues on status code and response content for REST API of System with post, and delete
OPENIDM-2056: Recon audit log entry formatting has issues (missing entries and extra entries)
OPENIDM-2055: Issues on status code and response content for REST API of Scheduler with query, put, and delete
OPENIDM-2046: Failed to start user onboarding workflow in usercase2 when external repo(MSSQL) was used.
OPENIDM-2021: If a query is made on an attribute that is not part of the object schema, OpenIDM returns an inaccurate message
OPENIDM-2002: Failed to Decrypt Jwt errors (badPaddingException)
OPENIDM-1990: OpenIDM ignoring min/max pool sizes in orient repo config
OPENIDM-1988: Scripted SQL 1.4 unable to find jdbc driver
OPENIDM-1959: cli.bat fails to export configuration when we give an absolute path in argument on Windows
OPENIDM-1954: Enabling the OrientDB Studio UI doesn't take effect until the second restart of OpenIDM
OPENIDM-1949: Update managed user with patch by query in POST should return modified object instead of null
OPENIDM-1946: Working location flag (-w) not working as documented
OPENIDM-1935: The ICF 1.4's RetryableException is wrapped incorrectly by IDM.
OPENIDM-1889: UI failed to recover from password changing failure
OPENIDM-1866: Delete of workflow definitions and instances via REST should return the deleted object
OPENIDM-1784: OpenIDM doesn't throw error on startup for provisioner's incorrect connectorRef
OPENIDM-1756: Cancelling "completed" taskscanner task sets its state to "cancelled" whereas it should have no effect
OPENIDM-1658: Hard-coded reference to database schema and table name in jdbc config files
OPENIDM-1560: when starting OpenIDM with -p option logging.properties file is not taken in project location
OPENIDM-1409: The query-all and get-users-of-direct-role queries are not consistent across different repos
OPENIDM-1365: Recon Audit Log Entries Should Contain "messageDetails" for ScriptExceptions During Reconciliation
OPENIDM-1354: Recon Log Entries Missing "messageDetail" From Errors During Recon
OPENIDM-1337: Recon.csv and recon detail over REST are not aligned.
OPENIDM-1252: Unable to perform search queries with AND or OR operators in where clause for ScriptedSQL.
OPENIDM-1101: Inform administrator when property specified in sync.json as a target is missing from provisioner conf
OPENIDM-746: CLI.SH command "validate" does not detect an extra bracket that makes a JSON file not valid
OPENIDM-469: The ObjectMapping can change the _id and then the OpenIDM can not find the original target object any more
OpenIDM 3.1 has the following known limitations:
When you add or edit a connector through the Admin UI, the list of required
Base Connector Detailsis not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you need to create your connector configuration file over REST (see Section 11.6, "Creating Default Connector Configurations" in the Integrator's Guide) or edit the connector configuration file (
For OracleDB repositories, queries that use the
queryFiltersyntax do not work on CLOB columns in explicit tables.
A conditional GET request, with the
If-Matchrequest header, is not currently supported.
OpenIDM provides an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.
The OpenIDM implementation of roles does not enforce referential integrity. In other words, you can set up users with a hypothetical role x, before you create that referential role x. Conversely, if you delete an existing referential role y, users with that role will retain that role.
When dynamically assigned roles are added, OpenIDM does not set up provisioning for previously existing users. Any updates to dynamically assigned roles will not update users assigned with those roles.
3.3. Known Issues
OpenIDM 3.1 has the following known issues.
OPENIDM-2637: OpenID Connect Auth Module is shown in the Admin UI, but is not supported
OPENIDM-2627: Connectors with an underscore in the ID cannot be edited via Admin UI
OPENIDM-2626: On IE11 update of a users profile throws Unknown error
OPENIDM-2622: For JDBC repos, accessing the audit log over REST shows incorrect "userid" and "roles" attribute values
OPENIDM-2621: Attempting to read a non-existent audit record over REST raises an exception in the console
OPENIDM-2612: queryFilter command in sample3 fails with status 500
OPENIDM-2607: Validating the connector configuration from the UI fails for Sample 3
OPENIDM-2604: For the ScriptedCREST sample, the connection to OpenDJ occasionally times out
OPENIDM-2593: RuntimeException using OSGI Service for datasource
OPENIDM-2590: Missing records in LDAP cause Data Association Management grid to fail
OPENIDM-2580: Workflow can not be started by key by a non-admin user
OPENIDM-2569: When OpenIDM is started with a provisioner.openicf.connectorinfoprovider.json file, the required bundle is not loaded correctly
Workaround : Add a space or a line to the
provisioner.openicf.connectorinfoprovider.jsonfile, which reloads the associated bundle.
OPENIDM-2568: Reconcile Duration counter remains at 0:00 until reconciliation is complete
OPENIDM-2560: Required script file fields for Scripted Groovy Connector configuration preventing validation
OPENIDM-2502: Instructions associated with RC init creation script are incomplete
OPENIDM-2496: When SSL is enabled on LDAP connector with right CA certificate, validation failed on UI
OPENIDM-2460: JAVA_TYPE_DATE nativeType not supported
OPENIDM-2454: REST errors (4xx and 5xx) interfere with CORS response headers
OPENIDM-2349: Implement openidm.xx() method resolution running in the remote Activiti engine
OPENIDM-2348: Implement external webapp for the remote Activiti server
OPENIDM-2347: Implement OpenIDM -> external resource communication
OPENIDM-2265: Got "ORA-01843: not a valid month" while trying to liveSync from Oracle database
OPENIDM-2260: Inconsistencies in encoding/decoding the IDs used of managed users
OPENIDM-2244: AD PW Sync Setup script wizard fails when browsing for a PKCS12 format certificate file
OPENIDM-2141: When creating a provisioner with CREST no errors are thrown when a provisioner already exists
OPENIDM-2107: Deleting managed/user via REST or UI leaves links records behind
OPENIDM-2034: Support arbitrary [commons] auth modules via className
OPENIDM-2028: The .NET Connector Server Exception displays an incorrect connector error
OPENIDM-2016: sync on unsupported object class with remote java connector returns 500 instead of 400
OPENIDM-2005: OpenICF query filter does not support literal expressions
OPENIDM-2004: NPE in OpenICF Provisioner query w/o filter
OPENIDM-1991: IDM blocked accessing Orientdb ReadWriteDiskCache
OPENIDM-1981: Importing all config files with CLI configimport fails with Java 8
OPENIDM-1948: Creating managed user with PUT on managed/user// endpoint is accepted whereas it should be refused
OPENIDM-1941: "pattern" property in access.js rules does not work when used on system endpoints
OPENIDM-1907: Recon failures as a result of policy violations do not indicate the cause of the violation in the recon audit log.
OPENIDM-1898: Representation of request-object differs between code and json-representation
OPENIDM-1860: Null pointer exception when setting target attribute during onUnlink
OPENIDM-1823: getScriptBindings function of ServiceScript (ScriptRegistryImpl.java) slows down extremely when accessed paralell from multiple threads
OPENIDM-1742: Launching a recon by ID on a non-existent ID is not handled correctly
OPENIDM-1664: Memory usage of AD connector continue to increase.
OPENIDM-1654: No sync/ service is registered if a sync.json file is not present in the configuration
OPENIDM-1632: create-openidm-logrotate.sh is not properly defined
OPENIDM-1619: OperationOptions specified within the provisioner configuration are not passed to connectors by OpenIDM
OPENIDM-1600: Cluster with Oracle DB backend
OPENIDM-1564: __NAME__ attribute incorrectly required as part of object definition for a create action
OPENIDM-1562: Route to endpoint service not found if there is a resourcename after the name of the endpoint
OPENIDM-1530: OpenIDM self-signed certificates in keystore and truststore does not match
OPENIDM-1504: OpenICFProvisionerService handle method performs logger.isDebugEnabled() checks but logs at the error level
OPENIDM-1501: sync?_action=performAction with an action=DELETE results in a delete on the source rather than the target
OPENIDM-1488: XDate locales could not be initialized correctly
OPENIDM-1465: cannot access Remote Activiti engine - http://localhost:9090/openidm-workflow-remote-2.1.0-SNAPSHOT/, because of 500 - Internal server error
OPENIDM-1452: Incorrect bundleVersion in provisioner config yields confusing error
OPENIDM-1445: Provisioner service does not decrypt encrypted attributes before passing them to OpenICF framework
OPENIDM-1430: OpenIDM needs a restart after importing a new cert via REST API
OPENIDM-1269: some issues with Case Sensitivity options for Sync
OPENIDM-1219: DB/Config bootstrapping should use IdentityServer support for getting properties, including boot prop
OPENIDM-1186: PATCH with POST using MVCC are successful even if revision wrong
OPENIDM-1165: EXCEPTION action when doing liveSync stops the synctoken processing
OPENIDM-1074: disabling automatic polling for changes of config file not possible on new install
OPENIDM-848: Conflicting behavior might be observed between the default fields set by the onCreate script and policy enforcement
OPENIDM-662: query-all-ids always returns the revision as 0, even after the object has been updated to a newer revision
OPENIDM-470: OpenIDM cannot rename objects - if the identifier of the object changes, the associated link breaks
Chapter 4. OpenIDM Compatibility
This chapter covers major and minor changes to existing functionality, as well as deprecated and removed functionality in this release of OpenIDM. You must read this chapter before commencing a migration from a previous OpenIDM release.
4.1. Major Changes to Existing Functionality
The following changes will have an impact on existing deployments. Read these changes carefully and adjust existing scripts and clients accordingly.
- Changes to indexing for JDBC repositories
To improve indexing across the various supported JDBC repositories, a change has been made for all generic object mappings. The size of the
propvaluecolumn in the
objectpropertiestables (used for searches) is now limited to 2000 characters for all repositories other than MS SQL. Longer values are truncated. For MS SQL repositories, the
propvaluecolumn is restricted to 195 characters.
Incoming searches are trimmed accordingly, so that search filters such as
equalsdo not break for the truncated column values.
4.2. Minor Changes to Existing Functionality
The following changes should not have an impact on existing deployment configurations.
- Change to roles assignment operation scripts
The scripts that specify how role values are assigned (
mergeWithTarget.js) now pass back a map containing the new value for the target object field and, optionally, an updated
attributesInfoobject. Previously, these scripts simply returned the new value of the target object field.
- Changes to connector configuration creation
The way in which you generate connector configurations for access to external resources has changed. There are now three separate actions involved in creating the connector configuration. For more information, see Section 11.6, "Creating Default Connector Configurations" in the Integrator's Guide.
The previous method of creating a connector configuration is retained in this release, for compatibility.
- New location for sample JDBC repository configurations
The sample JDBC repository configurations, previously located at
openidm/samples/misc/repo.jdbc-repo-type.json, are now located at
openidm/db/repo-type/conf/repo.jdbc.json. The files no longer need to be renamed before being copied to your project's
4.3. Deprecated Functionality
No functionality has been deprecated in OpenIDM 3.1.
No additional functionality is planned to be deprecated at this time.
4.4. Removed Functionality
No functionality has been removed in OpenIDM 3.1.
No functionality is planned to be removed at this time.
4.5. Functionality That Will Change in the Future
No major functionality is planned to change at this time.
Chapter 5. How to Report Problems & Provide Feedback
If you have questions regarding OpenIDM which are not answered by the documentation, there is a mailing list which can be found at https://lists.forgerock.org/mailman/listinfo/openidm where you are likely to find an answer.
If you have found issues or reproducible bugs within OpenIDM 3.1, report them in https://bugster.forgerock.org.
When requesting help with a problem, please include the following information:
Description of the problem, including when the problem occurs and its impact on your operation
Machine type, operating system version, Java version, and OpenIDM release version, including any patches or other software that might be affecting the problem
Steps to reproduce the problem
Any relevant access and error logs, stack traces, or core dumps
Chapter 6. Support
You can purchase OpenIDM support subscriptions and training courses from ForgeRock and from consulting partners around the world and in your area. To contact ForgeRock, send mail to firstname.lastname@example.org. To find a partner in your area, see http://forgerock.com/partners/find-a-partner/.