Identity Manager - Post Upgrade Designer Steps

  • 7024865
  • 14-Oct-2020
  • 15-Oct-2020

Environment

Identity Manager Engine, Designer and RBPM 4.7
Identity Manager Engine, Designer and RBPM 4.8

Situation

Many IDM upgrade issues stem from steps being missed entirely or performed in the wrong order. This often results in Designer holding incorrect version information in the project while updates are being pushed to the IDM Engine. The UserApp and Role and Resource Service Driver updates are documented here. The Designer package upgrade steps are outlined in section 6.2.3 of this document. A full Live -> Deploy is required after the IDM Engine(s) is upgraded, so that the new driver packages and eDirectory schema are loaded into the Identity Vault. Do not perform a Compare -> Reconcile when upgrading; if you do, the custom attributes and schema mentioned here will not be installed properly.

When upgrading the Identity Vault and Engine, and importing a fresh project into Designer is not an option, it is very important to perform the following steps so that the version information of the project is updated. This has to happen in a particular order, before the updated project is deployed back into the Identity Vault. Once the following sections are updated to the correct eDirectory, IDM and driver versions, the latest packages become available for each driver in the project and the new schema for User Application (including the UAD) is installed.

Resolution

This document can help correct failed upgrades, or be used to ensure the required Designer updates are not missed in the first place. The Identity Applications upgrade scripts (from 4.7 on) allow you to point the configuration to the existing Identity Applications drivers, but that requires the upgraded IDM Engine (best practice is to upgrade, then patch eDirectory and the IDM Engine to the latest available SP for the major release) and the following Designer updates to have been pushed out first.

Often, the missed or out-of-order Designer steps are caused by reusing existing projects whose following sections were never updated. When using an existing project, MANUALLY confirm the Identity Vault Properties -> Server List -> Edit

Settings to confirm in Designer, in this order:

  • Vault Properties
  • Server List
  • Vault Versions
  • User Application Driver - Version Info
  • User Application Driver Packages tab
  • Preferred Server (optional)

You need to run the IDM upgrade media on the Engine, and then perform the updates in Designer. This needs to happen before any additional applications and services receive their updates. Designer should be at the latest available version (it can be newer than the Engine, i.e. Designer 4.8.x can administer a 4.7.4 environment) and updated immediately after the IDM Engine is upgraded. The eDirectory schema and IDM packages are pushed out at this point and need to be in place PRIOR to upgrading the other pieces.

When upgrading from one major version to the next, this has to happen on all IDM Engines. You can remove servers at older versions from the Designer project or disassociate them from the Driver Set, but do not upgrade a single IDM Engine and then deploy and update the other IDM components before also updating any additional Identity Vaults. The 'Troubleshooting Designer' section discusses one such problem with mixed versions of IDM Engine. There are others as well, including older servers losing their association to the Driver Set and not being able to be added back until the upgrade is completed.

Additional Information

Error caused by UAD packages not being upgraded and/or not fully deployed to the Identity Vault:
com.sssw.fw.exception.EboDataException: User application driver (UAD) is not compatible with User Application version 4.8. Please upgrade your UAD using Designer for Identity Manager.
Errors encountered creating roles after upgrade to 4.7 or 4.8, due to the nrfRoleLevels attribute values of the cn=configuration object being either missing or incorrectly set to the User Application Driver DN rather than the correct role level container. With the UA driver DN entered, a "DAL Communication error" is seen in catalina.out during role creation.

Incorrect values for nrfRoleLevels on the cn=configuration object:
        "cn=configuration,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system"

        cn=UserApplication,cn=DriverSet,o=system#10#
        cn=UserApplication,cn=DriverSet,o=system#20#
        cn=UserApplication,cn=DriverSet,o=system#30#

        Should be:
        cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system#10#
        cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system#20#
        cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system#30#
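The nrfRoleLevels check above can be automated before anyone tries to create a role. The script below is an added example, not part of this article or of the Identity Manager product: it takes the LDIF text of the cn=configuration entry (as produced by an ldapsearch export of that object, which is an assumption about how you obtain it), derives the User Application driver DN from the entry's own DN, and reports every nrfRoleLevels value that does not point at the matching cn=LevelNN,cn=RoleDefs,cn=RoleConfig,cn=AppConfig container. The two LDIF samples are constructed from the incorrect and correct values listed above, one of them folded across lines the way ldapsearch wraps long values.

```python
"""Validate nrfRoleLevels on the RBPM cn=configuration object.

Each value must have the form  <DN>#<level>#  where <DN> is the role level
container  cn=Level<level>,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,<UAD DN>.
After a failed upgrade the values may instead point at the User Application
driver DN itself.  Added example; sample LDIF below is constructed.
"""
import base64
import re

# Constructed sample: values point at the driver DN (the broken state).
SAMPLE_BAD_LDIF = """\
dn: cn=configuration,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system
nrfRoleLevels: cn=UserApplication,cn=DriverSet,o=system#10#
nrfRoleLevels: cn=UserApplication,cn=DriverSet,o=system#20#
nrfRoleLevels: cn=UserApplication,cn=DriverSet,o=system#30#
"""

# Constructed sample: correct values; the last one is folded onto a
# continuation line (leading space) as ldapsearch does for long values.
SAMPLE_GOOD_LDIF = """\
dn: cn=configuration,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system
nrfRoleLevels: cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system#10#
nrfRoleLevels: cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system#20#
nrfRoleLevels: cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplic
 ation,cn=DriverSet,o=system#30#
"""

VALUE_RE = re.compile(r"^(?P<dn>.+?)#(?P<level>\d+)#$")


def parse_ldif_entry(text):
    """Return (dn, {attr: [values]}) for a single LDIF entry.

    Continuation lines (leading space) are unfolded and '::' base64 values
    are decoded; comments and blank lines are skipped.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line.strip() and not line.startswith("#"):
            unfolded.append(line)
    dn, attrs = None, {}
    for line in unfolded:
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("LDIF text has no dn: line")
    return dn, attrs


def split_rdns(dn):
    """Split a DN on unescaped commas into its RDNs."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def norm_dn(dn):
    """Case-insensitive, whitespace-insensitive DN form for comparison."""
    return ",".join(p.lower() for p in split_rdns(dn))


def check_role_levels(ldif_text):
    """Return a list of finding strings; an empty list means all values are correct."""
    dn, attrs = parse_ldif_entry(ldif_text)
    rdns = split_rdns(dn)
    head = [r.lower() for r in rdns[:3]]
    if head != ["cn=configuration", "cn=roleconfig", "cn=appconfig"]:
        raise ValueError("not a cn=configuration,cn=RoleConfig,cn=AppConfig entry: " + dn)
    uad_dn = ",".join(rdns[3:])  # everything after the three fixed RDNs
    findings = []
    values = attrs.get("nrfRoleLevels", [])
    if not values:
        findings.append("nrfRoleLevels is missing on " + dn)
    seen = set()
    for value in values:
        m = VALUE_RE.match(value)
        if not m:
            findings.append("malformed nrfRoleLevels value: " + value)
            continue
        level, actual = m.group("level"), m.group("dn")
        if level in seen:
            findings.append("duplicate level " + level)
        seen.add(level)
        expected = f"cn=Level{level},cn=RoleDefs,cn=RoleConfig,cn=AppConfig,{uad_dn}"
        if norm_dn(actual) != norm_dn(expected):
            findings.append(f"level {level}: {actual} should be {expected}")
    return findings


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD_LDIF), ("good", SAMPLE_GOOD_LDIF)):
        result = check_role_levels(sample)
        print(label, "->", "OK" if not result else "")
        for finding in result:
            print("  ", finding)
```

Running the script against the constructed samples prints three findings for the broken entry (one per level, each naming the expected cn=LevelNN container) and OK for the correct one. Against a real export, pipe the cn=configuration entry into check_role_levels; any finding means the role level containers must be corrected before roles are created, otherwise the "DAL Communication error" described above is the likely result.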
Error encountered after upgrade because the UA driver package was not updated: the IDM Engine version had not been updated in the existing project, which prevented Designer from detecting the correct package version after the upgrade:
        In browser:
        “Identity authentication is not correctly configured or Identity Manager to eDirectory SAML is not functioning correctly.
        Please contact an administrator to correct the problem”
        catalina.out:
        2019-07-25 21:30:56,397 [ERROR] AuthorizationManagerService [RBPM] [Create_Domain_Administrator_Failure] Initiated by com.novell.idm.security.authorization.service.AuthorizationManagerService; Domain Administrator DN: cn=userappadm,ou=Sa,o=system; Error Message: Role with DN = [cn=secAdmin,cn=System,cn=Level20,cn=UserApplication,cn=DriverSet,ou=IDM,ou=Services,o=system ] does not exist.
        com.novell.idm.nrf.exception.NrfException: Role with DN = [cn=secAdmin,cn=System,cn=Level20,cn=UserApplication,cn=DriverSet,ou=IDM,ou=Services,o=system ] does not exist.