Select Identity v4.01.000 includes support for the following WebLogic 8.1 SP5 platform combinations:

• Oracle 9i, Windows 2003
• Oracle 10g, RH Linux AS 3.0
• MS SQL 2000, Windows 2003

• Oracle 9i, HP UX 11i
• Oracle 9i, RH-Linux AS 3.0 
• Oracle 9i, Solaris 9

Select Identity v4.01.000 includes support for the following WebSphere 5.1.1.7 platform combinations:

• Oracle 9i, HP UX 11i
• Oracle 9i, Windows 2003

We are making further changes to the OVSI Migration tool. If you are migrating to OVSI v4.01.000 from a 3.3.1 or 4.0 version then please contact OVSI customer support and they will provide you with an updated version of the Migrator tool as soon as it is available.

Platform updates and additional migration scripts may occur at other times. Check with your HP representative for the latest list of supported platforms.

This release provides an upgrade to HP OpenView Select Identity (OVSI) that includes a number of enhancements, new functionality, and defect fixes to the previous release.

New Features

HP OpenView Select Identity 4.01.000 Commercial Release introduces some new features and enhanced capabilities.  New features and enhancements in the release include:

·    Ease of Use

The User Interface has been redesigned. Improvements include:

o        Landing pages are presented to the user at login.

o        Multiple approval requests may be approved at once in a new one-shot approval process.  

o        Attributes with a size greater that 1K are now supported.

o        User management displays pending approval requests.

o        Attribute management now allows authoritative assignment from multiple resources

o        Enhanced search capabilities include:

§         Case insensitive search for users

§         Wild card searches ‘begins with,’ ‘ends with,’ and ‘contains’ added.

·    Audit

Improvements include:

o        Audits configuration changes for all objects. This feature includes audit of both old and new value information.

o        Supports external audit event notifications.

·    Service Management

Provisioning / de-provisioning is available during reconciliation for all service users when a resource is added to or removed from a service.

·    Workflow

Approvals can be escalated to a new approver after a specified time when the workflow is set up accordingly based on new workflow functionality.

·    Reconciliation

The following enhancements are now available:

o        Makes available configurable options to control the reconciliation process based on source resource and event.

o        Provides enriched reconciliation rule actions.

o        Offers flexible options to handle resource attribute updates.

·    Web Service Commands

Enhancements include the following:

o        Batch operations now support the Add, Modify, and Delete commands.

o        The OVSI Connector interface now supports fine control over attribute modifications, batch updates for entitlements, etc.

·  Reports

Enhancements include the ability to report:

o        Users with access to a given resource with specified entitlements.

o        Resources and entitlements for specified users.

o        Reports may now include the state of the servers when OVSI is installed in a clustered server environment

·    Performance

Improvements include:

o        Improves throughput for User Import, Service Assignment, Reconciliation, and Self Registration.

o        Enhances service and attribute caching.

o        Enhances request queue management.

o        Provides distributed workflow execution.

o        Allows caching of entitlements for slow resources.

·    Sensitive Attributes

Select Identity provides the capability to:

o        Process encrypted attributes in SPML requests.

o        Suppress SPML encrypted attributes in HTML reports.

o        Encrypt OVSI Sensitive attributes in XML reports.

o        Suppress OVSI Sensitive attributes in HTML reports.

Software Fixes

HP OpenView Select Identity 4.01.000 Commercial Release corrects problems which were present in the 4.00.000 Commercial release. Fixes include:

·         Move User is now successful for a User on Services with different Context attributes.

·         WebServices Get has been corrected to return only the requested user and process Date attributes.

·         Password changes received from connectors in the form of attribute modifications are now converted to reset password requests so all connectors can process the request.

·         Entitlements can now be deleted during reconciliation when a null list of entitlements for a user is received from a connector.

·         Request Status List sorting is now by Started time instead of Request ID. This presents a more logical sort for clustered environments.

·         Resource attribute information now displays when Select Identity attributes contain null values.

·         Home page User Management search now works for all attributes: User Name, First Name, Last Name, and Email.

·         User Searches now use the UserName Display Name instead of Attribute Name.

·         The Request Worklist now displays the Parent Request ID instead of Sub Task ID. Inside the Workflow Detail, the Sub Task ID still displays.

·         Corrected the problem of connector required attributes not being pushed to the resource during reconciliation. With this change, all attributes identified as required in the mapping file will be sent to the resource regardless of the Sync Out setting on the Resource Attribute Mapping page. Note that Select Identity will not push unchanged resource required attributes that are one-way encrypted. This prevents the corruption of data on the resource.

·         Select Identity now invalidates the web session on Sign Out for Single SignOn mode.

·         Navigation off the Resource Access Information page on resources which contain required Password fields is now allowed. Note that changes will be lost if the Apply or OK button is not used to persist the changes before moving off the page.

·         Scheduled Reports for 12:00 and 12:30 PM are now saved with the correct time.

·         The Resource Reconciliation Report path name now displays correctly when the report is generated.

·         The migration script has been corrected to:

o        Convert “In Process” Reconciliation and Service Assignment jobs

o        Display old Requests

·         Reconciliation add user is now successful if containing null value in the SPML file

HP OpenView Select Identity 4.00.000 Commercial Release corrected problems which were present in the Controlled release. Fixes include:

·         Entitlements are no longer removed from the user if an approver modifies the request during approval.

·         Administrators on roles other than “Concero Sys Admin” no longer lose Reconciliation and User Import privileges after Approvals are generated.

·         Select Identity now reports detailed Connector Interface exceptions.

·         “Terminate and Retry” functionality has been added to Server Management.

·         Reset password of a user on multiple resources (three or more) now works correctly.

·         Modification of a service workflow when pending requests exist on the old workflow is now handled correctly; requests can be viewed and completed.

·         Resource copy now copies all attribute mappings.

·         Adding an Administrative Service to an existing user already on a Business Service now displays the user’s existing Business Service in the manageable services list.

·         The resource Single Sign On (SSO) attribute has been renamed. In addition, corrections have been made so that SI validation is no longer used if SSO is used.

·         Corrected the intermittent problem of reset user password from Modify User->Actions->Reset Password not working.

·         Buttons are no longer visible when permissions are removed from a Role.

·         Oracle occasionally throws error ORA-22922 when updates to BLOB data are made. SI now handles the error by performing a select query and retrying the update when this error occurs.

·         SI now enforces minimum attribute length requirements when processing Web Service requests.

·         Corrected the problem of workflow hanging when an external call is called outside a block activity.

·         SI workflow now reports external call updates when 'ExternalCall' is specified in a block other than the predefined Approval, Provisioning, Post Provisioning, etc.

·         The logout URL defined in the properties file is now being correctly used.  This ensures the OVSI session is closed properly when using a SSO to protect OVSI.

·         Server Management Terminate and Retry Request operations are now operational.  It is no longer necessary to retry failed requests by terminating the request from Server Management and then retrying the request using Request Status.

·         If a Reconciliation request fails before a workflow is created (attribute generation external call or resource down), the request now correctly shows the failure.

·         The link to create a Certificate from the "Verisign Cert. Issue" notification template no longer hangs. 

·         The Reconciliation Task List now lists new "Status" values to indicate user processing status allowing an administrator to immediately identify reconciliation tasks that had some failures.

·         Extremely large Service Assignment reports are now split and zipped before emailing ensuring that the reports can be opened. The size of other reports (Bulk, User Import, and Reconciliation) is controlled by limiting the size of the upload file.

·         All Bulk User operations are now working including:

o        Add service to existing user.

o        Add user to all services.

o        File without Operational Services are working.

·         Date attribute values can now be deleted when modifying a user.

·         Shared entitlements are now correctly removed when simultaneously disabling or deleting seven (7) or more services.

·         The HP OpenView Select Identity Installer no longer requires that you set the “SetBigStringTryClob = true” property manually.

·         Service Names can now be created with special characters

The HP OpenView Select Identity 4.0 Controlled Release corrected problems which were present in prior releases. Fixes include:

·         Modification of a resource after changing the resource mapping file to remove attributes mapped to OVSI no longer fails with the error “Application cannot be modified at this time.” Therefore, it is no longer necessary to remove OVSI mapping prior to modifying the resource.

·         High volume reconciliation tasks no longer cause memory leaks.

·         Single value attributes can now be deleted from the user. This is controlled by the properties setting: truaccess.singlevalue.attribute.delete

Known Problems and Limitations

The following limitations existed prior to the 4.0 Controlled Release and have not been resolved:

·      You must select a workflow when mapping the View Service Membership event in a Service Role.  The workflow is ignored but is needed to view users in the service.

·      Modifying a user through the use of a Web Service does not use the view associated with a Modify event.   Instead, it uses the Add User view.

·      Create User will not be rolled back in OVSI when the user is added in the resource if the entitlements are not created successfully for the associated user.

·      Search response time within OVSI may be negatively impacted if a large number of values are entered for the context attribute in a service.

·      When defining a parent Service Role, you may assign multiple workflows for a single event for the purposes of passing those workflows down to other child Service Roles.  However, if you attempt to add, modify, or delete a user that references a context with multiple templates assigned to an event, the action will fail.

The following limitations existed in the 4.0 Controlled Release and have not been resolved:

·          3.3.1 Workflow configurations imported to 4.0 will not operate properly.

·          The following attributes should not be imported to avoid issues:

o        <Resource>_ENTITLEMENTS

o        <Resource>_KEY

o        SIAdminRole

o        SIService

·         Some pages contain multiple vertical scroll bars.

·         Service Reconciliation jobs do not appear in the Reconciliation Job List.

·         When modifying an Administrator, there is no “Add” button to enter context values. As the “mouse over” instruction indicates, press the “Enter” key to add a value.

·      HP Open View Select Identity does not recover all tasks in process after a catastrophic failure (system or database crash):

o        After a restart or database loss, some requests will not resume processing and complete.

o        When the database goes off-line the messages are still being retrieved from the JMS queues and ignored. The requests affected by these missed messages remain in the pending state forever. In most cases there is no UI screen to re-process them.

These losses should be limited to less than ten (10) requests and the recovery procedure is documented in the Administrator Guide.

·      Not all drop-down lists are sorted.

·      Unconstrained context attributes do not always return values when context is searched:

o        Move User with a wild card context on the Service.

o        Creating specific Admin with specific Context.

Note: To ensure proper results, use attribute constraints to limit wild card scope.

·      User Names should not be created with double quotes (“).

·      If Service Reconciliation is not done after adding or removing resources or fixed entitlements, users will not display the current resource and entitlement information correctly even after the modify action is done

·      The HP OpenView Select Identity Installer still requires that you set the “JTA Timeout Seconds = 300” (set under domain -->Services -->JTA in the WebLogic console)

·      The “Results per Page” dropdown used to select the number of items displayed is working correctly on all screens except User Import -> Service Assignment.

The following problems and limitations exist in the 4.01.000 Commercial Release:

·         The Resource Reconciliation Report will not run using the Run Now or Add and Run Now buttons. This report should be scheduled because it can take a long time to generate and should be emailed rather than placed on the server. These buttons will be removed in a future patch release.

·         Approver comments for migrated requests cannot be viewed.

·         In Workflow Approval blocks the Create work flow approver task must come before the Notify approvers task. In 3.3.1 the order did not matter. Default workflows are correct, but manual update of migrated workflows is required.

·         When scheduling reconciliation or bulk tasks, use 24 hours instead of 1 day if creating a job to run daily. Otherwise, the task will run at midnight instead of the scheduled time.

·         Using the Resource “Edit” button to open the Attribute Mapper for database connectors opens a new window with an error. On the new window, select the connector, enter the resource access information, and click “Connect”. The Attribute Mapper page then correctly displays.

·         When generating the User Configuration Detail Report, a context must be selected.

·         Profile attributes must be constrained at the Attribute level instead of the Service level or the constrained values are not enforced when modifying the attribute from the User Profile.

·         When importing a changed Workflow Application Definition file, the modifications aren't visible in other members of the cluster until a restart is performed.

·         If SI is doing its’ own authentication, only the standard Password attribute should be used. 2 way password attributes can be used as long as SI is not authenticating the user.

·         CSV Report format is not available for the User Configuration Detail Report.

·         Specific Service Admins can only manage the users on their specific service. Therefore, a Specific Service Admin cannot add their managed service to a new user.

·         When an Admin user is added to the specific Service he manages, the Admin role is lost. After adding the user to the business service, modify the administrators’ role to a temporary role, and then modify the administrator back to the original administrator role.

·         Approval cannot be used when moving an Admin User on all Services.

·         If all components are not completely installed during Installation, uninstall will display the error “Error During Uninstall”. This simply means that the uninstall program could not find all components to uninstall.

·         A problem exists when adding service to an existing user. If the administrator does not have the Add New User role, then Subscribe to Service fails with error "Requestor not authorized for current operation".

·         JMS expired message redirection function is not supported in WebSphere. When the system is working on the heavy workload, some low priority messages might not be picked up in a short time.

·         WebSphere platform customers please note:  It is possible that there may be some conflict between some of the connectors released with the 4.01.000 version of SI with any of the connectors released with SI v4.0 or SI v3.3.1. This is due to potential class loading conflicts on WebSphere which may result in incorrect behavior at deployment time or runtime. If you experience these problems please contact HP Support for help to work around them.

·         Due to time constraints, the following instructions regarding the deployment of online help files on WebSphere has not been added to the installation guide.

The help file is a .war (Web Application Archive) file, located in the same directory as the websphere_lmz.ear file deployed to activate Select Identity. This is the only .war file in that director. The precise name of this file varies according to the localized version of Select Identity that you are using.

To deploy this file, perform the following steps:

1. Locate the OVSI .war file, which is stored on the HP OpenView Select Identity product CD, in the application directory with the websphere_lmz.ear application file.

2. Copy the .war file into the <OVSI_INSTALL_DIR>/deploy directory.

3. Use the instructions provided in Deploying Select Identity on the installation guide (Chapter5, Installing Select Identity on IBM WebSphere, Page 124), to locate and deploy the help files in the same way as you did for websphere_lmz.ear. On this occasion, however, you must deploy the help files as a Web Application module, by first navigating to Applications> Install New Application. Please make sure that the Context Root should be set as the name of the help war file without the “.war” file type. For example, for the ovsil10n_help_enUS.war, the relative Context Root should be ovsil10n_help_en_US.

·         The following Sensitive Attributes imitations exist:

o        The sensitivity of UserIDAndDomainName and PrimaryAcctValue are not incorporated in this release. Values for above fields will not be encrypted if they are unmapped and/or sensitive.

o        Bulk-Add requests are grouped into sub-batches before processing. If a SPML request within a bulk-add sub-batch fails with a decryption failure the corresponding sub-batch is not processed.

o        If an attribute within a bulk-add request is not found in SI, the whole batch is not processed.

o        If the encrypted XML value contains escape characters like "<" ">" the XML parser will throw an exception unless it is enclosed in a CDATA section.