What's new in IDM 4.5 - Part 1

over 6 years ago
I like writing about the new features in IDM releases. I happen to be a very curious person, so I generally look for that reason. Usually I find something I did not know about, so I find I learn useful things for myself. Plus everyone gets to see what I found, so it seems like a good plan. I have done a number of these style articles before for earlier releases of IDM, and in fact already for Designer in IDM 4.5.

Here are some I have done in the past.

Older IDM:

IDM 4.x things:

IDM 4.5:

With the release of IDM 4.5 (and the upcoming release of IDM 4.5 Patch 1) I wanted to do the same for the 4.5 release. I found this neat TID, https://www.novell.com/support/kb/doc.php?id=7016414 which lists all the bugs involved. I went through to find ones I found interesting and worth calling out. There are many bugs listed, but I figured I would call out ones I knew what was going on, and where it would be interesting for others. With the imminent release of IDM 4.5.1 I am hoping to find a similar TID to work from for that release.

The very first one was possibly the most interesting! How lucky is that! Gold on the first try. I should buy a lottery ticket, right?

862460 AD Password Sync-Password Agent ENH: Include the password sync troubleshooting tool as part of Pegasus

This is a new tool added in 4.5, based on work done at NTS (Novell Technical Services) for troubleshooting such issues. You can find it on the install media in the path:

products/IDM/linux (or windows)/utilities/PassSyncTroubleshootingTool/x64

It is a standalone EXE file. Run it on a member of your domain, or on the DC itself. A small window with 4 options appears.


The Trace File is a bit confusing, as I assumed it meant pass in a AD driver or maybe Remote Loader trace file for parsing, but really it means a path to write out the results as a file.

Domain name is needed to know where to look, so DNS format for your AD domain. Then Check Driver Machine, Advanced, and Check Domain Controllers are your other options.

It seems like this does DNS tests, RPC tests, Registry settings on the various DC tests and so on, to validate that everything for password sync is working. Overall this is a great addition, since checking all these things individually is possible but something of a pain. I love seeing the Support guys build a tool for their convenience that makes our lives easier.

The docs for this are mostly non-existent at this point. You can find the reference here in the AD driver documentation.

For me, just finding this means I win on writing this article, since I probably would never have noticed it otherwise. I have some sample output that I will probably discuss in a standalone article just about this tool later. For now, if you are having trouble with Password Sync on Active Directory, there is actually a useful tool for debugging the issues.

887665 Builds To include JRE version 1.7u65 in IDM 4.5

A new JRE is important. There are so many bugs being found in SSL, Java, etc these days that staying up to date is really important. Yes, IDM does not usually face externally, so firewalls should protect you from the outside world, but lots of people attack from inside the firewall.

Remember that the IDM engine is pretty much entirely Java that runs in the memory space of the eDirectory instance.

It is work mentioning how many JVM's are potentially involved in an IDM system.

  1. Installer - Did you know, that the Install Anywhere tool used to install on Windows and Linux includes a JVM. Interestingly it is a 32 bit JVM, which is why on Red Hat, the needed packages to install, are actually the 32 bit versions, not the 64 bit ones. This bit me a number of times. I would install the packages they wanted, but of course, on a 64 bit platform I would install the 64 bit packages. Nope, you actually need the 32 bit versions. Who knew? (Maybe nice if that was documented better?)

    Now this one is not that important since it extracts to a temp directory and deletes itself when done.

  • The system level JVM. The OS you are running on probably has its own JVM. This is not really used by IDM unless you want it to.

  • The eDirectory instance's JVM. This is in the /opt/novell/eDirectory/lib64/nds-modules/jre directory on Linux, and somewhere on Windows. (Seriously, friends don't let friends run IDM on Windows). This specific bug is referring to this JVM I think.

  • The JVM used by the Identity Apps. You can use the system one, or install via the installer, in which case it would reside at:
    /opt/netiq/idm/apps/jre by default. This would be used by Tomcat or Jboss, to run OSP, CA, UA, HPD, Reporting, and Access Review.

  • Designer and Analyzer each include their own JVM.

  • Validator comes in versions with and without a bundled JVM.

Why this matters, is that often the trusted root certificates you need to add to the Java keystore need to be added to all of them. Or just one. But when you do a JVM update, you may lose your cacerts file. So anytime you see there is a JVM update, think about your cacerts file, and consider checking to see if your Tree CA and other trusted CA's are still in it after the upgrade.

That is a lot of JVMs isn't it? Anyone remember the days when the Timezone changes were happening and we had to go to every workstation and update the TZ info for all JVM's installed? I remember finding a tool that searched the filesystem, and then patched every JVM. That was at least 5-6 years ago, and I remember then being astonished at how many JVM's there were. This is a server, not a workstation!

888682 Builds Soap driver is not starting with https configured with KMO

This is an annoying bug when doing web services via IDM. The SOAP driver can use a Certificate for its https service a number of different ways. You can provide a private key in a standalone JKS (Java Keystore) keystore. This is the sort of thing you need to do with OSP and Tomcat to get SSL working. You get to use the keytool program, which I am becoming quite comfortable with these days. I used to prefer a GUI version, but honestly I have gotten so familiar with the commands I just type them freehand now.

The other option was to use a KMO (Key Material Object) in eDirectory as the source of the certficates private key. This is how the Remote Loader SSL works, and others in IDM so it makes sense. Looks like there was an issue when running in this mode. It is a nice choice, since you can make the certificate in eDirectory, manage it there, and not bother with a file system representation of it. Glad to see this resolved.

890134 Builds Incorporate new metamap replacement to generate HRMD files

This bug has me confused. If you have read my series on the SAP HR drivers which are really cool, but very complicated you will know that the SAP HR schema is provided as a default in a file with the driver. But if your SAP team has added custom extensions, you can add them by hand (I would copy a block and modify personally) or you could run the metamap.exe tool to connect to SAP and pull back the schema. It looks like this tool is broken with later SAP HR releases, and the short term fix is to use a Delimited Text driver that can parse a text file version to the format needed. When all you have is a hammer, everything looks like a nail? Sure you could write a custome app to do this, but just read the file in a driver and reformat it there. I personally have done this many times. In fact, I often use Simulator to take the input data (paste it in) and then run it through a policy that fixes and reformats my data, and then copy out the results.

It looks like the replaced the metamap.exe file with a XML file of a driver. Look on the DVD ISO at the path:


That looks a Driver export of a Delimited text driver. Hmm, that looks like another article to dissect that included driver! My favorite thing to do! Also, the consultant who wrote it, is one of my favorite guys at NetIQ. He is a master of SAP to a level that is scary. I had him do a session for my IDM User group on just one of his drivers. Thus I expect this will be a very clever tool I will learn much from.

Gold again, man this is working out really well for me so far!

616471 Documentation update DTD documentation

This is a bug I may be responsible for, at least in one of its iterations. In XML you have a DTD (Data Type Declaration?) that defines what is legal in the XML. There are tools that require the DTD since they wish to validate any XML strictly.

It is very helpful sometimes to know what the options are in the XML since it gives you ideas and hints for things that could be done, that the documentation may not address. However, the DTD by itself only talks about elements and attributes, it does not discuss the specific values that those attributes and elements can hold. Thus the need for documentation of the DTD.

I was specifically nagging them about the EntitlementConfiguration DTD since that was pretty poorly covered in the past, and it is critical to understand if you are building your own custom entitlements. (Which I have been doing lately! Lots of fun! Clever things you can do with them!) I am not sure I am happy with the quality of the documentation on the DTD's since if you know me, you will know I always want more details. But this is a step forward.

881776 Driver-Delimited Text Bug fix in 667863 changes header on XML output docuement causing rejection by receiving app

This is interesting as it fixed a problem that another fix created. When you look at XML you often see an XML header that declares the format and type of the document. Like:

$lt;?xml version="1.0" encoding="UTF-8"?>

That tells you a version and encoding. Some applications that recieve XML are very strict and require it. Thus when writing out via a Delimited Text driver, the ability to add such a line is important for those applications. You could of course reprocess the file and add them in a script but it would be nice to have the driver provide it.

Thus it was added as a default. So of course some other application decided to be very strict and fail if it is there. This bug just tells us that a configuration option was added to enable or disable this feature, which of course was the right way to do it. The downside is that often a driver will fail to start if you are missing a configuration value. Therefore you need to update the XML configuration of a driver, when updating to the latest shim. (The JDBC Database driver was a good example of this). However, it is better to leave this as a feature we can control than not, so I will accept the pain involved. Also, when you get that error it tells you the name of the configuration value it is missing.).

Well that is about all the room I have for this at the moment, more to come in later articles. I am still working through the TID looking for interesting bugs to discuss.


How To-Best Practice
Comment List
Related Discussions