Notes covering OpenIDM software requirements, fixes, known issues. The OpenIDM project offers flexible, open source services for automating management of the identity life cycle.

Chapter 1. What's New in OpenIDM 4

OpenIDM 4 provides many new features and product enhancements. The following list describes the main new features affecting an end user.

Getting Started Guide

If you are new to OpenIDM, you can now start exploring OpenIDM with the following document: Getting Started.

Samples Guide

To test OpenIDM in a variety of configurations, read the Samples Guide. This document replaces the samples that were previously described in the Installation Guide.

Enhanced Administrative UI

You can configure more OpenIDM features from the Administrative User Interface, also known as the Admin UI. For example, you can manage:

  • Audit Event Handlers and Event Topics

  • Outbound Email (SMTP) Service

  • User Self-service (Self-registration and Password Reset)

  • Managed Roles and Assignments

  • Workflow Tasks and Processes

We have highlighted most of these features elsewhere in these Release Notes, with links to appropriate documentation.

Of course, you can still administer these features from appropriate configuration files.

The new Web UI includes three additional components: the Bootstrap front-end framework, a Font Awesome font, and an associated CSS toolkit. You can now customize the OpenIDM UIs with the Bootstrap themes and Font Awesome icons. For information about the new customization process, see "Customizing the UI" in the Integrator's Guide. Given the availability and flexibility of Bootstrap, ForgeRock does not support upgrades of custom UI themes from earlier versions of OpenIDM.

New User Self-Service UI

OpenIDM 4 includes a new system for user self-service that is common across ForgeRock's Identity Platform. The current implementation includes user self-registration, password reset, and knowledge-based authentication. You can configure user self-registration and password reset from the Admin UI, and see the results in the Self-Service UI login screen. For more information, see "Configuring User Self-Service" in the Integrator's Guide.

Multi-Account Linking

OpenIDM 4 supports the correlation of a single source entry with multiple target entries. For more information, see "Correlating Multiple Target Objects" in the Integrator's Guide and "The Multi-Account Linking Sample" in the Samples Guide.

Automated Updates

OpenIDM 4 supports automated updates. If you need to migrate from or install a patch for OpenIDM 4, read "Updating OpenIDM" in the Installation Guide.

Relationships as a Resource

OpenIDM 4 supports managed relationship objects. For example, you can have an object for relationships between a manager and an employee. For more information, see "Managing Relationships Between Objects" in the Integrator's Guide.

Also, see the following JIRA issues:

  • OPENIDM-3507: Provide mechanism to store relationships with arbitrary metadata

  • OPENIDM-3896: Update the managed object parent schema to reflect the relationship resource representation

  • OPENIDM-4043: Add support for bidirectional relationships

  • OPENIDM-4042: Verify relationship reference objects

  • OPENIDM-4040: Implement PATCH support on relationship objects

  • OPENIDM-4134: Move relationships to generic object

OpenIDM 4 includes two different types of roles: provisioning roles that specify how objects are provisioned to an external system, and authorization roles that specify the authorization rights of a managed object, internal to OpenIDM. You may still associate provisioning roles with the roles property.

In contrast, authorization roles are now stored in the authzRoles property for that object. For more information, see "Working With Managed Roles" in the Integrator's Guide.

Integration of a Common Audit Facility

OpenIDM 4 incorporates a new audit facility that is common across ForgeRock's Identity Platform. The audit facility now logs authentication and configuration events by default, and supports the addition of custom audit event handlers.

For information about the common audit facility, see "Using Audit Logs" in the Integrator's Guide.

For details about changes required for existing OpenIDM deployments, see "Major Changes to Existing Functionality".

IBM DB2 Database Support

OpenIDM 4 supports the use of the IBM DB2 Database as an internal repository. For more information, see "To Set Up OpenIDM With IBM DB2" in the Installation Guide.

Support for Oracle 12c as a Repository

See OPENIDM-3514: Support Oracle 12C as a Repo.

Scripted Password Generation for Users

For more information, see "Managing Passwords" in the Integrator's Guide.

Support for Java 8

For information about supported systems, see "Before You Install OpenIDM Software".

Read-Only Installation

You can now configure OpenIDM on a Linux/UNIX read-only volume. For guidance, see "Installing OpenIDM on a Read-Only Volume" in the Installation Guide.

Improved Performance for Queries

For more information, see OPENIDM-2413: Support for paging and sorting results with queryFilter against repo-based endpoints.

For installation instructions and several samples to familiarize you with the OpenIDM features, see "Installing OpenIDM Services" in the Installation Guide.

For an architectural overview and high-level presentation of OpenIDM, see "Architectural Overview" in the Integrator's Guide.

1.1. Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.

Chapter 2. Before You Install OpenIDM Software

This chapter covers prerequisites for installing and running OpenIDM software.

For OpenIDM 4, the following configurations are supported for use in production.

Repository

The following JDBC repositories are supported for use in production:

  • MySQL version 5.x with MySQL JDBC Driver Connector/J 5.1.18 or later

  • Microsoft SQL Server 2012, 2014

  • Oracle Database 11gR2, 12c

  • PostgreSQL 9.3 and above

  • IBM DB2, 10.x

OrientDB is provided for evaluation only.

Stand-alone installation

You must install OpenIDM as a stand-alone service, using Apache Felix and Jetty, as provided. Alternate containers are not supported.

OpenIDM 4 bundles Jetty version 9.2.

Connectors

OpenIDM 4 comes packaged with these OpenICF connectors:

  • CSV File Connector

  • Database Table Connector

  • Generic LDAP Connector

  • XML File Connector

  • Groovy Connector Toolkit

    This toolkit enables you to create scripted connectors to virtually any resource

A corresponding PowerShell Connector Toolkit is available for download from ForgeRock Backstage, and enables you to create scripted connectors to address the requirements of your Microsoft Windows ecosystem.

The following connectors are bundled only with the OpenIDM Enterprise release:

  • Google Apps Connector

  • Salesforce Connector

ForgeRock provides additional connectors, as listed on the OpenICF project connectors site.

When using the LDAP connector to provision to Active Directory, OpenIDM 4 supports Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).

OpenIDM 4 also provides support for Windows 2012 R2 as the remote system for connectors and password synchronization plugins.

The following table lists the supported connector, connector server, and password synchronization plugins for this OpenIDM release.

Supported Connectors, Connector Servers, and Plugins
ConnectorVersion
CSV File Connector1.5.0.0
Database Table Connector1.1.0.1
Google Apps Connector1.4.1.0
Generic LDAP Connector1.4.1.0
XML Connector1.1.0.2
Active Directory Connector1.4.0.0
Java Connector Server1.5.0.0, 1.4.1.0
.NET Connector Server1.5.0.0, 1.4.1.0
OpenDJ Password Synchronization Plugin1.1.1, supported with OpenDJ version 3.0.0
OpenDJ Password Synchronization Plugin1.0.3, supported with OpenDJ version 2.6.x
Active Directory Password Synchronization Plugin1.1.0, supported on Windows 2008 R2 and Windows 2012 R2

OpenIDM 4 supports version 1.5.0.0 of the OpenICF Framework. Therefore, you must use version 1.5.0.0 of the .NET Connector Server, or the Java Connector Server. The 1.5.0.0 Java Connector Server is backward compatible with the version 1.1.x connectors. The 1.5.0.0 .NET Connector Server is compatible only with the 1.4.x and 1.5.x connectors.

The 1.5.0.0 .NET connector server requires the .NET framework (version 4.5 or later) and is supported on Windows Server 2008 R2 and 2012 R2.

While the following connector toolkits are also supported, any connectors that you build with these toolkits are not supported. However, we do provide examples for how you can build connectors with these toolkits in "Samples That Use the Groovy Connector Toolkit to Create Scripted Connectors" in the Samples Guide and "Samples That Use the PowerShell Connector Toolkit to Create Scripted Connectors" in the Samples Guide.

Included Connector Toolkits
ConnectorVersion
Scripted Groovy Connector Toolkit1.4.2.0
PowerShell Connector Toolkit1.4.2.0

Browsers

ForgeRock has tested many browsers with the OpenIDM UI, including the following browsers.

  • Chrome and Chromium, latest stable version

  • Firefox, latest stable version

  • Safari, latest stable version

  • Internet Explorer 9 and later

Operating Systems

ForgeRock supports the use of OpenIDM 4 on the following operating systems:

  • Red Hat Enterprise Linux 6.x/7.x (CentOS Linux 6.x/7.x)

  • Ubuntu Linux 14.04

  • Windows 2008 R2

  • Windows 2012 R2

Java Environment

OpenIDM requires Java 7 or Java 8, specifically at least the Java Standard Edition runtime environment. ForgeRock has performed most testing with Oracle Java Platform, Standard Edition.

ForgeRock recommends that you keep your Java installation up to date with the latest security fixes.

When using the Oracle JDK, you also need the Java Cryptography Extension (JCE) policy files.

On Windows systems, use Java SE JDK 7 update 6 or later, to take advantage of the JVM fix relating to non-blocking sockets with the default Jetty configuration.

OpenIDM 4 also supports OpenJDK 1.7 and OpenJDK 1.8.

If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.

You need 250 MB disk space and 1 GB memory for an evaluation installation. For a production installation, disk space and memory requirements will depend on the size of any internal and external repositories, as well as the size of the audit and service log files that OpenIDM creates.

Chapter 3. OpenIDM Fixes, Limitations, & Known Issues

This chapter covers the status of key issues and limitations for OpenIDM 4. For details and information on other issues, see the OpenIDM issue tracker.

3.1. Fixed Issues

OpenIDM 4 includes fixes to the following major issues:

  • OPENIDM-4768: Index for links table (Oracle) should be unique

  • OPENIDM-4766: Reduce default logging in IDM log files

  • OPENIDM-4678: Recon may fail if source object is deleted during recon and a correlation query is defined

  • OPENIDM-4584: Infinite loop while attempting to create default config/sync object from within mappingDetails endpoint

  • OPENIDM-4542: Incorrect conversion of CREST QueryFilters to ICF Filters by the OpenIDM ICF Provisioner Service

  • OPENIDM-4497: Column definitions for postgresql auditaccess table have wrong length

  • OPENIDM-4471: openidm.patch returns null when a no effect patch is called

  • OPENIDM-4121: Audit sample does not support sorting, page sizes, or paged results

  • OPENIDM-4083: ReconciliationService unable to query audit data from remote SQL server

  • OPENIDM-4078: '400 Bad Request error' can occur when try to display Mapping page in UI with audit-sample

  • OPENIDM-3980: Duplicate source IDs with source system break reconciliation

  • OPENIDM-3914: Mishandling system object identifiers with slash character

  • OPENIDM-3611: Action dropdown on connector detail page renders outside of browser pane

  • OPENIDM-3512: ICF Provisioner Service needs to support system objects with path expression as ID

  • OPENIDM-3338: workflow.json configuration without a mail username and password throws a NPE

  • OPENIDM-2427: Pagination on managed users not working with MS-SQL, DB2 and Oracle as repo

3.2. Limitations

OpenIDM 4 has the following known limitations:

  • Asynchronous reconciliation does not work on Linux with Java 8. (OPENIDM-3076)

  • When you add or edit a connector through the Admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST (see "Creating Default Connector Configurations" in the Integrator's Guide) or edit the connector configuration file (conf/provisioner.openicf-connector-type.json) directly.

  • For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.

  • A conditional GET request, with the If-Match request header, is not currently supported.

  • OpenIDM provides an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.

  • For updates and patches from OpenIDM 4, you can use the CLI, and any supported browser listed in "Before You Install OpenIDM Software", except Internet Explorer 9.

3.3. Known Issues

OpenIDM 4 has the following known issues.

  • OPENIDM-6509: JMX enable prevents GC of discarded BoneCPDataSource objects

  • OPENIDM-6481: OpenIDM creates redundant BoneCPDataSource

  • OPENIDM-5033: No validation is done when using the Admin UI to configure an LDAP connector

  • OPENIDM-5032: Workflow sample: unable to complete manager task, due to startup issues

    Workaround: Disable and re-enable Password Reset. For more information, see "Configuring User Self-Service" in the Integrator's Guide.

  • OPENIDM-4969: Admin UI, Bad Link when reconciling an XML file resource

  • OPENIDM-4961: enableFilteredResultsHandler:true causes NPEs when using queryFilter=true

  • OPENIDM-4957: OpenAM Auth Module, UI doesn't reflect change in Require OpenAM Authentication setting, after saving (refresh required)

  • OPENIDM-4954: In Admin UI, Audit Event config, "passed variables" added to the script are not saved

    Workaround: Edit the corresponding JSON file directly.

  • OPENIDM-4946: Admin UI -- CSV Audit Handler: if tamper-evident security is disabled and signature interval is blank, other security entries lead to audit service failure

    Workaround: Open the audit.json file for your project and remove the "signatureInterval" entry in the security section, or change it to a formatted string of appropriate duration.

  • OPENIDM-4945: Newline character was not saved correctly when configured through UI and caused only one line in csv audit files

    Workaround: Open the audit.json file for your project, and change "endOfLineSymbols" : "\\n" to "endOfLineSymbols" : "\n".

  • OPENIDM-4933: Tamper-evident audit logs: Verification command does not give meaningful results

  • OPENIDM-4926: Scriptedcrest2Dj and Scriptedrest2Dj samples do not work with OpenDJ 3.0.0

  • OPENIDM-4919: Script eval action doesn't handle ResourceExceptions thrown by scripts

  • OPENIDM-4918: Attempt by openidm-admin to add Security Questions leads to Problem During Profile Update error

  • OPENIDM-4917: Scripted CREST Sample - UI connector template is missing descriptions

  • OPENIDM-4914: In Admin UI, deleting connector for sample5 fails with internal error

  • OPENIDM-4913: TaskScanner not working when using Oracle as a repo

  • OPENIDM-4908: KBA settings can cause Password Reset to fail with a 500 Internal Server Error: "Exception intercepted"

  • OPENIDM-4879: Workflow sample usecase specific repo config file is missing for Oracle and postgreSQL

  • OPENIDM-4856: Role edit page doesn't load when openidm-authorized, Basic minimum user clicked

  • OPENIDM-4855: Clicking disabled Save button on Role edit page takes you to Dashboard

  • OPENIDM-4830: Admin UI, double conflicting pop-up windows are possible

  • OPENIDM-4829: Admin UI, Audit, CSV Handler configuration, fails without proper signatureInterval entry

  • OPENIDM-4828: CSV Connector does not handle multi-line attributes

  • OPENIDM-4812: Admin UI: 500 error from Invalid Search in Mapping Detail Properties attribute grid text box

  • OPENIDM-4799: with OrientDB repo, reading managed user with encoded quote in ID is failing with server error on policy

  • OPENIDM-4798: Command to create a managed user with encoded percentage in ID fails with server error on policy

  • OPENIDM-4797: Connector info provider needs to be updated to connect to .NET server

    Workaround: Add a space or a line to the provisioner.openicf.connectorinfoprovider.json file, which reloads the associated bundle.

  • OPENIDM-4792: When a sync mapping references source or target routes other than "managed" or "system", the Mapping UI won't render

  • OPENIDM-4777: A patch on one cluster system is not replicated on the other members of the cluster

  • OPENIDM-4693: Creating a Managed Object with a semicolon leads to an error

  • OPENIDM-4692: ALL_GONE situation for deleted entries leads to NPE in JS

  • OPENIDM-4624: MS SQL database script creates the openidm user with the wrong password

    Workaround: In /path/to/openidm/db/mssql/scripts/openidm.sql, change PASSWORD=N'Passw0rd' to PASSWORD=N'openidm'.

  • OPENIDM-4549: Warnings when importing MS-SQL schema

  • OPENIDM-4521: Custom attributes submitted in request to store in jdbc repo are not stored but the request returns them.

  • OPENIDM-4473: Activiti does not pick up DataSource configuration changes.

  • OPENIDM-4462: Delete request with HTTP "If-Match *" header does not work on repo endpoints

  • OPENIDM-4388: repo/scheduler not found exception, when Oracle DB is the repo

  • OPENIDM-4386: Update process: cli.sh should include info on new / updated / backed up files in update.log

  • OPENIDM-4369: Viewing data for an LDAP/Group in the UI throws an error

  • OPENIDM-4321: Unable to use cli.sh for remote administration over a secure port

  • OPENIDM-4315: Unable to run queries on managed/user using CLIENT_CERT module with openidm-admin role

  • OPENIDM-4261: Setting relationship properties to empty string throws NPE

  • OPENIDM-4227: Use value of managed object prior to save for sync events to use hashed values

  • OPENIDM-4149: availableConnectors are not updated after remote ICF shut down

  • OPENIDM-4127: Endpoint system/os returns cpu usage above available

  • OPENIDM-4110: Multiple servlets map to path stacktraces on startup with MySQL/DB2/MSSQL as repo

    Workaround: If you observe this error, restart OpenIDM. The error should not reoccur after a restart.

  • OPENIDM-4080: Deleting a custom Certificate in Trustore via REST now returns a broken response

  • OPENIDM-4049: User list doesn't filter as input is typed into the filter fields

  • OPENIDM-4020: "My group's tasks" not showing tasks from different processes

  • OPENIDM-3983: Target reconciliation broken when _targetQuery results contain full objects

  • OPENIDM-3974: Unable to update/add a property in response.content object in Javascript script (launched from router onResponse hook)

  • OPENIDM-3972: Sync Failure handling calls to onSyncFailure.js-deadLetterQueue do not work

  • OPENIDM-3969: Response size of POST is limited to 1MB

  • OPENIDM-3941: PATCH via REST with operation increment with invalid value returns 500 instead of 400

  • OPENIDM-3937: RESTful calls, HEAD method no longer works (OpenIDM/CREST 3)

  • OPENIDM-3857: Cannot pass along custom context when making router requests from script

  • OPENIDM-3745: UI doesn't display msg related to failedPolicyRequirements when attempting to add new process

  • OPENIDM-3667: openidm/managed/user/openidm-admin 404 (Not Found) when selecting process instance created by openidm-admin

  • OPENIDM-3613: BoneCP: unexplained connections getting created

  • OPENIDM-3525: Endpoint reconResults not working with MS-SQL/DB2 as repo (internal error 500)

  • OPENIDM-3450: CLI.SH configimport does not work with the --replaceAll option

  • OPENIDM-3357: In Admin UI / Edit XML Connector, LiveSync schedule is not saved properly

  • OPENIDM-3199: When a mailtask can't be completed in an Activiti workflow, an exception is thrown

  • OPENIDM-3197: '%' character in object id of openidm.read calls has to be encoded

  • OPENIDM-3187: Custom authentication headers cannot handle Unicode characters

  • OPENIDM-3149: Custom Endpoint Example: object request.patchOperations is wrong for Groovy scripts

  • OPENIDM-2348: Implement external webapp for the remote Activiti server

  • OPENIDM-2028: The .NET Connector Server Exception displays an incorrect connector error

  • OPENIDM-2016: Sync on unsupported object class with remote java connector returns 500 instead of 400

  • OPENIDM-1898: Representation of request-object differs between code and json-representation

  • OPENIDM-1823: getScriptBindings function of ServiceScript (ScriptRegistryImpl.java) slows down extremely when accessed in parallel from multiple threads

  • OPENIDM-1664: Memory usage of AD connector continue to increase.

  • OPENIDM-1488: XDate locales could not be initialized correctly

  • OPENIDM-1445: Provisioner service does not decrypt encrypted attributes before passing them to OpenICF framework

  • OPENIDM-1430: OpenIDM needs a restart after importing a new cert via REST API

  • OPENIDM-1269: some issues with Case Sensitivity options for Sync

  • OPENIDM-1165: EXCEPTION action when doing liveSync stops the synctoken processing

  • OPENIDM-1074: Disabling automatic polling for changes of config file not possible on new install

  • OPENIDM-848: Conflicting behavior might be observed between the default fields set by the onCreate script and policy enforcement

  • OPENIDM-470: OpenIDM cannot rename objects - if the identifier of the object changes, the associated link breaks

Chapter 4. OpenIDM Compatibility

This chapter covers major and minor changes to existing functionality, as well as deprecated and removed functionality in this release of OpenIDM. You must read this chapter before commencing a migration from a previous OpenIDM release.

4.1. Major Changes to Existing Functionality

The following changes will have an impact on existing deployments. Read these changes carefully and adjust existing scripts and clients accordingly.

Bootstrap-based UI

To simplify the customization of UI themes, OpenIDM 4 uses the Bootstrap front-end framework and a Font Awesome font. As you can now more easily customize the OpenIDM UI, we have not retained any of the features associated with the OpenIDM-3.1 UI.

Changes to the audit facility

OpenIDM 4 replaces the existing audit facility with a new facility that is common across ForgeRock's Identity Platform. This change has the following effect on the JDBC schema of existing OpenIDM deployments:

  • New auditauthentication and auditconfig tables for the authentication log.

  • Changes to the object to column mapping for the auditaccess, auditactivity, auditrecon, and auditsync tables.

You can review the new mapping in the configuration file for your JDBC repository, typically repo.jdbc.json. The mappings have changed significantly relative to OpenIDM-3.1.

For more information, see "Using Audit Logs" in the Integrator's Guide.

Changes to the JDBC Repository Configuration

The way in which you configure a JDBC database as the OpenIDM repository has changed. This change separates the connection configuration from the database (table) configuration. Previously, both the connection configuration and the database table configuration were located in the file repo.jdbc.json. Now, the connection configuration is in the file datasource.jdbc-default.json and the database table configuration in the file repo.jdbc.json. For more information, see "Installing a Repository For Production" in the Installation Guide.

Changes to user self-service

OpenIDM 4 incorporates a system for user self-registration and password reset that is common for ForgeRock products, known as Commons User Self-Service.

Updated REST API

OpenIDM has migrated to an updated version of the ForgeRock Common REST API. This update entails the following migration requirements for existing deployments.

  • The resourceName object has been renamed to resourcePath. Custom scripts that request this object must be updated accordingly, for example request.resourceName must be replaced with request.resourcePath.

    Implementations that use a scripted CREST connector must also update their scripts with this change. For example, note the change to the following line in the UpdateScript.groovy script, provided in the scriptedcrest2dj sample.

    UpdateRequest updateRequest = Requests.newUpdateRequest(request.resourcePath, resource.content)
  • The way in which context IDs are constructed has changed. OpenIDM now concatenates a 36-character UUID with a 64-bit sequence number. The context ID is therefore of variable length (37-56 characters). This will impact existing implementations where the transactionId and reconId are stored in a database column that uses a fixed schema. Corresponding column sizes will need to be increased.

    In addition, the reconId of a reconciliation operation is now constructed from the root context ID of the invocation.

    For details of the updated schema definitions, see the schema definition script for your repository (/path/to/openidm/db/repo-name/scripts/openidm.sql).

  • The paging implementation has changed to improve the performance when counting results. Previously, the default behavior was to return the number of remaining results, which necessitated a time-consuming calculation for every request. In OpenIDM 4, the default behavior is to return the total results. Any clients that rely on remaining results must be updated accordingly.

    The updated REST API implementation includes a configurable count policy, that can be set per request.

For more information about the paging implementation in OpenIDM 4, see "Paging and Counting Query Results" in the Integrator's Guide.

Changes to the Scripted Groovy Connector

OpenIDM 4 bundles a new version of the scripted Groovy connector (1.4.2.0). In terms of the OpenIDM configuration, any connector configuration files for the Groovy connector must now use the "scriptRoots" property and not the "classpath" property to specify the location or locations of the Groovy scripts used by the connector.

For example, an old provisioner.openicf-scriptedsql.json would have the following line:

"classpath" : ["&{launcher.project.location}/tools"],

In OpenIDM 4, that line should be:

"scriptRoots" : ["&{launcher.project.location}/tools"],
Changes to Roles

OpenIDM 4 now includes two different role types: authorization roles and provisioning roles. Authorization roles are assigned to managed user objects, as values of the "authzRoles" property for that object.

Changes to the Security Context

The access control element of the security context is now denoted by the attribute named authorization, rather than authorizationId. This means that any scripts that called the authorizationId attribute must be changed to call the authorization attribute.

For more information, see "Roles, Authentication, and the Security Context" in the Integrator's Guide.

Changes to the PowerShell Connector

The previous version of the PowerShell connector (1.4.1.0) sent passwords to the Authenticate action script in clear text. The PowerShell connector version 1.4.2.0 sends passwords as a GuardedString.

Change to sourceCondition property in a mapping

The sourceCondition property in a mapping must now take a queryFilter string, or a script configuration, as a value.

For more information, see "Filtering Synchronized Objects" in the Integrator's Guide.

4.2. Minor Changes to Existing Functionality

The following changes should not have an impact on existing deployment configurations.

Addition of an explicit internal role for repositories

Now that OpenIDM includes separate provisioning and authorization roles, each supported repository now includes an explicit mapping to internal/roles.

Removal of predefined queries for audits

As the functionality exists with queryFilter, the following pre-defined queries have been removed from the default configuration: audit-last-recon-for-mapping, audit-by-recon-id-situations-latest, and audit-by-recon-id-situations-latest-filtered.

Changes to the database schema

A new column, linkQualifier, has been added to the links table. This column enables correlation between a single source object and multiple target objects. Predefined queries on the links table have been adjusted accordingly.

Changes to Logging Output

The reconciliation and synchronization logs now include an additional linkQualifier field, which is used in the context of mapping a single source object to multiple target objects.

4.3. Changes in Database Schema

For users who are updating from OpenIDM 3.1 to OpenIDM 4, "Differences Between Data Definition Language (DDL) Scripts" details the differences in the respective internal repositories. It does not address any changes that you've made in your production repository.

You can also examine "Comparing Repositories", which compares the differences between the OpenIDM 3.1 and OpenIDM 4 repositories in the repo.jdbc.json file in your /path/to/openidm/db/repo/conf directory.

For the procedure to upgrade from OpenIDM 3.1 to OpenIDM 4, see "Migrating from OpenIDM 3.1 to OpenIDM 4" in the Installation Guide.

4.3.1. Differences Between Data Definition Language (DDL) Scripts

For each supported repository, OpenIDM includes a DDL script in the openidm/db/repo/scripts directory. Each DDL script is named either openidm.sql or openidm.pgsql. This section is subdivided by supported repository:

IBM DB2 is not included in this list, as it is new for OpenIDM 4.

4.3.1.1. MSSQL DDL Scripts

The following table enumerates the differences between the MSSQL instance of openidm.sql for OpenIDM 3.1 and OpenIDM 4.

Changes in openidm.sql for MSSQL
SubjectOpenIDM 3.1OpenIDM 4Explanation
openidm_proxy, second user for DB-only accessIncluded entries to create an openidm_proxy userRemoved for OpenIDM 4No longer used
propkey, propvalue, in the following tables: genericobjectproperties, managedobjectproperties, configobjectproperties, relationshipproperties, schedulerobjectproperties, clusterobjectproperties, updateobjectpropertiespropkey, propvalue combined in an indexpropkey, propvalue in separate indexesEnables independent use by the query engine for searchable properties, where propkey is the name, and propvalue is the value
Relationship metadataNot availablerelationship table, new for OpenIDM 4Metadata supports relationship features such as temporal constraints
Relationship metadataNot availablerelationshipproperties table, new for OpenIDM 4Metadata supports relationship features such as temporal constraints
links tableUNIQUE INDEX with linktypeAdded linkqualifierSupports correlation queries per link
auditrecon tableReconciliation tableReconciliation table, extensively revisedSupports common transaction ID with other audit data
auditsync tableSynchronization tableSynchronization table, extensively revisedSupports common transaction ID with other audit data
auditconfig tableNot availableNew for OpenIDM 4Logs configuration changes
auditactivity tableAudit Activity tableAudit Activity table, extensively revisedLogs OpenIDM activity
auditaccess tableAudit Access tableAudit Access table, extensively revisedSupports common transaction ID with other audit data
auditauthentication tableNot availableNew for OpenIDM 4Logs authentication attempts
internalrole tableNot availableNew for OpenIDM 4Table for internal roles, as described in "Roles and Authentication" in the Integrator's Guide.
updateobjects tableNot availableNew for OpenIDM 4Supports update features
updateobjectproperties tableNot availableNew for OpenIDM 4Supports update features

4.3.1.2. MySQL DDL Scripts

The following table enumerates the differences between the MySQL instance of openidm.sql for OpenIDM 3.1 and OpenIDM 4.

Changes in openidm.sql for MYSQL
SubjectOpenIDM 3.1OpenIDM 4Explanation
propkey, propvalue, in the following tables: genericobjectproperties, managedobjectproperties, configobjectproperties, relationshipproperties, schedulerobjectproperties, clusterobjectproperties, updateobjectproperties propkey, propvalue combined in an indexpropkey, propvalue in separate indexesEnables independent use by the query engine for searchable propeties, where propkey is the name, and propvalue is the value
Relationship metadataNot availablerelationship table, new for OpenIDM 4Metadata supports relationship features such as temporal constraints
Relationship metadataNot availablerelationshipproperties table, new for OpenIDM 4Metadata supports relationship features such as temporal constraints
links tableUNIQUE INDEX with linktypeAdded linkqualifierSupports correlation queries per link
auditauthentication tableNot availableNew for OpenIDM 4Logs authentication attempts
auditrecon tableReconciliation tableReconciliation table, extensively revisedSupports common transaction ID with other audit data
auditsync tableSynchronization tableSynchronization table, extensively revisedSupports common transaction ID with other audit data
auditconfig tableNot availableNew for OpenIDM 4Logs configuration changes
auditactivity tableAudit Activity tableAudit Activity table, extensively revisedLogs OpenIDM activity
auditaccess tableAudit Access tableAudit Access table, extensively revisedSupports common transaction ID with other audit data
internalrole tableNot availableNew for OpenIDM 4Table for internal roles, as described in "Roles and Authentication" in the Integrator's Guide.
updateobjects tableNot availableNew for OpenIDM 4Supports update features
updateobjectproperties tableNot availableNew for OpenIDM 4Supports update features
Data for internaluser tableIncludes openidm-admin, openidm-authorized usersUpdated with references for internal rolesIncludes references for internal roles

4.3.1.3. Oracle DDL Scripts

The following table enumerates the differences between the Oracle instance of openidm.sql for OpenIDM 3.1 and OpenIDM 4.

Changes in openidm.sql for Oracle DB
SubjectOpenIDM 3.1OpenIDM 4Explanation
Relationship metadataNot availablerelationship table, new for OpenIDM 4Metadata supports relationship features such as temporal constraints
Relationship metadataNot availablerelationshipproperties table, new for OpenIDM 4Metadata supports relationship features such as temporal constraints
updateobjects tableNot availableNew for OpenIDM 4Supports update features
updateobjectproperties tableNot availableNew for OpenIDM 4Supports update features
auditaccess tableAudit Access tableAudit Access table, extensively revisedSupports common transaction ID with other audit data
auditauthentication tableNot availableNew for OpenIDM 4Logs authentication attempts
auditconfig tableNot availableNew for OpenIDM 4Logs configuration changes
auditactivity tableAudit Activity tableAudit Activity table, extensively revisedLogs OpenIDM activity
auditrecon tableReconciliation tableReconciliation table, extensively revisedSupports common transaction ID with other audit data
auditsync tableSynchronization tableSynchronization table, extensively revisedSupports common transaction ID with other audit data
propkey, propvalue, in the following tables: genericobjectproperties, managedobjectproperties, configobjectproperties, relationshipproperties, schedulerobjectproperties, clusterobjectproperties, updateobjectproperties propkey, propvalue combined in an indexpropkey, propvalue in separate indexesEnables independent use by the query engine, for generic, managed, and config object properties
internalrole tableNot availableNew for OpenIDM 4Table for internal roles, as described in "Roles and Authentication" in the Integrator's Guide.
links tableIncludes linktypeAdded linkqualifierSupports correlation queries per link

4.3.1.4. PostgreSQL DDL Scripts

The following table enumerates the differences between the PostgreSQL instance of openidm.pgsql for OpenIDM 3.1 and OpenIDM 4.

Changes in openidm.sql for PostgreSQL
SubjectOpenIDM 3.1OpenIDM 4Explanation
Clear existing schemaCommented out: --DROP SCHEMA IF EXISTS openidm CASCADE;Active: DROP SCHEMA IF EXISTS openidm CASCADE;Remove schema from database, then create it
Relationship metadataNot availablerelationship table, new for OpenIDM 4Metadata supports relationship features such as temporal constraints
Relationship metadataNot availablerelationshipproperties table, new for OpenIDM 4Metadata supports relationship features such as temporal constraints
links tableUNIQUE INDEX with linktypeAdded linkqualifierSupports correlation queries per link
auditauthentication tableNot availableNew for OpenIDM 4Logs authentication attempts
auditaccess tableAudit Access tableAudit Access table, extensively revisedSupports common transaction ID with other audit data
auditconfig tableNot availableNew for OpenIDM 4Logs configuration changes
auditactivity tableAudit Activity tableAudit Activity table, extensively revisedLogs OpenIDM activity
auditrecon tableReconciliation tableReconciliation table, extensively revisedSupports common transaction ID with other audit data
auditsync tableSynchronization tableSynchronization table, extensively revisedSupports common transaction ID with other audit data
internalrole tableNot availableNew for OpenIDM 4Table for internal roles, as described in "Roles and Authentication" in the Integrator's Guide.
updateobjects tableNot availableNew for OpenIDM 4Supports update features
updateobjectproperties tableNot availableNew for OpenIDM 4Supports update features

4.3.2. Comparing Repositories

The following tables include a generic comparison between the repo.jdbc.json files, between OpenIDM 3.1 and OpenIDM 4. The tables cover the databases that have changed between those two releases: MSSQL, MySQL, Oracle SQL, and PostgreSQL. When the changes do not affect all repositories, the difference is shown in the notes.

The following tables detail those differences, specifically:

Changes in Query IDs, Generic Tables
Query IDStatusExplanation
get-users-of-direct-roleRemoved for OpenIDM 4Info available via queryFilter
get-managed-usersRemoved for OpenIDM 4Used in OpenIDM 3.1 only for the UI
get-managed-users-filteredRemoved for OpenIDM 4Used in OpenIDM 3.1 only for the UI
get-managed-users-countRemoved for OpenIDM 4Used in OpenIDM 3.1 only for the UI
get-managed-users-filtered-countRemoved for OpenIDM 4Used in OpenIDM 3.1 only for the UI
query-allUpdated for OpenIDM 4 (MySQL only)Added pagination
query-all-idsUpdated for OpenIDM 4 (MSSQL only)Added pagination
find-relationships-for-resourceAdded for OpenIDM 4Added relationships search on two repositories

Changes in Query IDs, Explicit Tables
Query IDStatusExplanation
audit-by-mappingRemoved for OpenIDM 4 (MySQL and Oracle)Functionality available in queryFilter, as described in "Constructing Queries" in the Integrator's Guide
audit-by-recon-idRemoved for OpenIDM 4 (MySQL and Oracle)Functionality available in queryFilter, as described in "Constructing Queries" in the Integrator's Guide
audit-by-recon-id-typeRemoved for OpenIDM 4 (MySQL and Oracle)Functionality available in queryFilter, as described in "Constructing Queries" in the Integrator's Guide
audit-by-recon-id-situationRemoved for OpenIDM 4 (MySQL and Oracle)Functionality available in queryFilter, as described in "Constructing Queries" in the Integrator's Guide
audit-by-activity-parent-actionRemoved for OpenIDM 4 (MySQL and Oracle)Functionality available in queryFilter, as described in "Constructing Queries" in the Integrator's Guide
audit-last-recon-for-mappingRemoved for OpenIDM 4Functionality available in queryFilter, as described in "Constructing Queries" in the Integrator's Guide
audit-by-recon-id-situations-latestRemoved for OpenIDM 4Functionality available in queryFilter, as described in "Constructing Queries" in the Integrator's Guide
audit-by-recon-id-situations-latest-filteredRemoved for OpenIDM 4Functionality available in queryFilter, as described in "Constructing Queries" in the Integrator's Guide

New Tables
TableStatusExplanation
updateobjectsNew for OpenIDM 4A genericMapping table for updates
relationshipsNew for OpenIDM 4A genericMapping table for relationships
auditauthenticationNew for OpenIDM 4Table for authentication attempts; for an overview, see "OpenIDM Audit Event Topics" in the Integrator's Guide.
auditconfigNew for OpenIDM 4Table for configuration changes; for an overview, see "OpenIDM Audit Event Topics" in the Integrator's Guide.
auditactivityExtensively revised for OpenIDM 4Table for operations on internal and external objects; for an overview, see "OpenIDM Audit Event Topics" in the Integrator's Guide.
auditreconExtensively revised for OpenIDM 4Table for reconciliations; for an overview, see "OpenIDM Audit Event Topics" in the Integrator's Guide.
auditsyncExtensively revised for OpenIDM 4Table for synchronizations; for an overview, see "OpenIDM Audit Event Topics" in the Integrator's Guide.
auditaccessExtensively revised for OpenIDM 4Table for access requests; for an overview, see "OpenIDM Audit Event Topics" in the Integrator's Guide.

Data Schema Changes
SchemaStatusExplanation
linkQualifier in the links tableAdded for OpenIDM 4New column; if migrating from OpenIDM 3.1, include default as a value for that entry.
roles in the internaluser tableChanged for OpenIDM 4Revised column; now supports an array

If you're using OrientDB, which is not supported in production, the names for the audit tables are listed in "Repository Audit Event Handler" in the Integrator's Guide.

4.4. Deprecated Functionality

The following functionality has been deprecated in OpenIDM 4 and is likely to be removed in a future release.

  • When configuring connectors, (see "Configuring Connectors" in the Integrator's Guide), you can set up nativeType property level extensions. The JAVA_TYPE_DATE extension is deprecated.

  • Support for a POST request with ?_action=patch is deprecated. Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead.

    For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe's entry:

    $ curl \
     --cacert self-signed.crt \
     --header "X-OpenIDM-Username: openidm-admin" \
     --header "X-OpenIDM-Password: openidm-admin" \
     --header "Content-Type: application/json" \
     --request POST \
     --header "X-HTTP-Method-Override: PATCH" \
     --data '[
        {
        "operation":"replace",
        "field":"/description",
        "value":"The new description for Jdoe"
        }
      ]' \
      "https://localhost:8443/openidm/managed/user/jdoe"

No additional functionality is deprecated at this time.

4.5. Removed Functionality

UI Themes from OpenIDM 3.1

As OpenIDM 4 now supports only the Bootstrap front-end framework, the "look and feel" of the UI will change. If you had customized the UI for previous versions of OpenIDM, we are confident that it will take less effort to customize the UI for OpenIDM 4 within the Bootstrap framework.

User Self-Service Features from OpenIDM 3.1

OpenIDM 4 replaces the user self-service features from OpenIDM 3.1, as described in "Working With the Self-Service UI" in the Integrator's Guide.

4.6. Functionality That Will Change in the Future

The Active Directory (AD) .NET Connector will be deprecated in a future OpenICF release, and, ultimately, support for its use with OpenIDM will be discontinued. For more information, see "Active Directory Connector" in the Integrator's Guide.

For simple Active Directory (and Active Directory LDS) deployments, examine "Generic LDAP Connector" in the Integrator's Guide. In most circumstances, it works better than the Active Directory connector.

For more complex Active Directory deployments, examine the option described in "PowerShell Connector Toolkit" in the Integrator's Guide.

4.7. Added and Deleted Samples

For OpenIDM 4.0, we have organized our sample configuration documentation into a single document: Samples Guide.

As the capabilities of OpenIDM evolve, we have added and removed samples relative to the previous release.

The new samples include:

Full Stack Sample

You can integrate OpenIDM with two other components of the ForgeRock identity platform: OpenAM and OpenDJ. With the OpenAM Session authentication module, you can route authentication and authorization requests to OpenAM, protect managed users in OpenIDM, based on a data store of users in OpenDJ. For more information, see "Full Stack Sample - Using OpenIDM in the ForgeRock Identity Platform" in the Samples Guide.

This replaces the OpenAM sample included with OpenIDM 3.1.

Multiaccount Relationships

OpenIDM 4 supports links from a single account in one resource to multiple accounts in a second resource, based on roles. For example, you can link one user account to two roles such as an insurance agent and a customer. For more information, see "Managing Users, Groups, Roles and Relationships" in the Integrator's Guide.

To see how this works, follow the instructions in: "The Multi-Account Linking Sample" in the Samples Guide.

Linking Historical Accounts

OpenIDM 4 supports links from a single account to inactive (historical) LDAP accounts, based on relationships to past and current LDAP accounts. For more information about relationship objects, see "Managing Relationships Between Objects" in the Integrator's Guide.

To see how this works, follow the instructions in the following sample: "Linking Historical Accounts" in the Samples Guide.

Multiple Passwords

OpenIDM 4 supports the configuration of separate passwords per external resource. This means that you can configure different rules for password complexity and history, depending on the resource to which you are connecting. For more information, see "Storing Multiple Passwords For Managed Users" in the Samples Guide.

Trusted Filter Servlet Sample

You can integrate OpenIDM with other authentication services, with the help of the trusted request attribute authentication module. For an excerpt of the configuration, see "Supported Session Module" in the Integrator's Guide.

For an example of how this works, see "The Trusted Servlet Filter Sample" in the Samples Guide.

The deleted samples include:

OpenAM

The functionality of the OpenAM sample for OpenIDM 3.1 has been replaced by "Full Stack Sample - Using OpenIDM in the ForgeRock Identity Platform" in the Samples Guide.

Sample 7

OpenIDM documentation no longer includes Sample 7, which demonstrated how you can use OpenIDM to expose user data with schema associated with the System for Cross-Domain Identity Management: Core Schema 1.1 (SCIM). That standard is being superseded by SCIM 2.0.

Scripted Azure

OpenIDM no longer includes a dedicated provisioner for Microsoft Azure AD. For OpenIDM 4, we suggest that you start with the "PowerShell Connector Toolkit" in the Integrator's Guide.

Usecase 5

OpenIDM no longer includes a certification workflow for users. The certification workflow usecase sample has been removed pending improvements to our workflow implementation.

Chapter 5. Documentation Updates

The following table tracks changes to the documentation set following the release of OpenIDM ${serverDocTargetVersion}:

Documentation Change Log
DateDescription
2021-03-11

integer is a supported managed object type.

2019-09-10

Revised the logging documentation to include security advice on logging levels. See "Specifying the Logging Level" in the Integrator's Guide and Step 5 in the Installation Guide.

2019-08-19

Added information on restricting the maximum payload size in HTTP requests ("Restrict the HTTP Payload Size" in the Integrator's Guide).

2017-10-10

Refreshed formatting.

2016-09-01

Added OPENIDM-6481 and OPENDIM-6509 to "Known Issues".

2016-03-14
  • The list of "Limitations" in the OpenIDM Release Notes was not complete. This section has been updated.

  • The procedure to change the password of the default OpenIDM administrative user had errors, and has been updated ("Change the Default Administrator Password" in the Integrator's Guide).


Chapter 6. How to Report Problems & Provide Feedback

If you have questions regarding OpenIDM software that are not answered by the documentation, you can ask questions on the forum at https://forgerock.org/forum/fr-projects/openidm/.

If you have found issues or reproducible bugs within OpenIDM 4, report them in https://bugster.forgerock.org.

When requesting help with a problem, please include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation

  • Machine type, operating system version, Java version, and OpenIDM release version, including any patches or other software that might be affecting the problem

  • Steps to reproduce the problem

  • Any relevant access and error logs, stack traces, or core dumps

Chapter 7. Support

You can purchase OpenIDM support subscriptions and training courses from ForgeRock and from consulting partners around the world and in your area. To contact ForgeRock, send mail to info@forgerock.com. To find a partner in your area, use the ForgeRock website.

Read a different version of :