HP OpenView Select Identity 3.3.1 Patch 8 Release

September 08, 2006

This document provides an overview of HP OpenView Select Identity (OVSI) 3.3.1 Patch 8.  It contains important information not included in the manuals or in online help.


In This Version

This Patch 8 release includes a number of defect fixes for HP OpenView Select Identity 3.3.1.

 


Installation Notes

Please refer to the HP OpenView Select Identity Installation Guide for details describing the steps necessary to install HP OpenView Select Identity, including software platform and third-party application requirements.

Installation of OVSI 3.3.1 Patch 8

1.       Backup the Original OVSI Database

2.       Extract the SI331Patch8.zip. The patch contains the following directories:

 

o        SI331Patch8\application\WebLogic – WebLogic ear file

o        SI331Patch8\library – ovsii18n.jar

o        SI331Patch8\properties

3.       Un-deploy the old lmz.ear

4.       Rename the old lmz.ear and replace it with the new lmz.ear

5.       Rename the old ovsii18n.jar and replace it with the new ovsii18n.jar

6.       Deploy the new lmz.ear.

7.       Access the AppServer.


Enhancements and Fixes

New Features

The OVSI 3.3.1 patch 8 of HP OpenView Select Identity include some new features and enhanced capabilities.

·         Password expiration operation can show SI password only. (QXCR1000310823)

·         Forget password operation can show SI password only. (QXCM1000289108/ QXCR1000359263)

·         Check box to select/unselect all passwords for delegate reset password and self change password. (QXCR1000363402)

The OVSI 3.3.1 patch 7 of HP OpenView Select Identity does not include any new features.

The OVSI 3.3.1 patch 6 of HP OpenView Select Identity does not include any new features.

The OVSI 3.3.1 patch 5 of HP OpenView Select Identity does not include any new features.

The OVSI 3.3.1 patch 4 of HP OpenView Select Identity introduces a new feature that provides enhanced capabilities.  The release includes:

Password History and validation supports when the PasswordHistoryValidation and Password History And Dictionary external calls are set on the Password attribute.  This feature provides validation against any password stored in history to prevent duplication.

The OVSI 3.3.1 patch 3 of HP OpenView Select Identity introduces some new features and enhanced capabilities.  The release includes:

·         Password Dictionary support.

·         When authenticating the user, HP OpenView Select Identity will now use the password verification function first (if it exists) before checking the OVSI database for the password.

·         Support has been added to allow SHA256 for one-way encryption and AES for two-way encryption/decryption.

·         OVSI now supports Hardware Security Module (HSM) to store encryption keys.

The OVSI 3.3.1 patch 2 of HP OpenView Select Identity introduces some new features and enhanced capabilities.  New features and enhancements of the release include:

·         Multi-value attribute support in Recon has been updated to include regular multi-value attributes, not just entitlements.

·         Ability to view existing request.

·         Approval for Reconciliation Requests when a rule selects one or more services in the Add2Service block is now allowed.

·         Multiple i18n issues are now resolved.

 

 

 

Software Fixes

HP OpenView Select Identity OVSI 3.3.1 Patch 8 release includes the following software fix:

·         Out of memory issues. (QXCR1000310993)

HP OpenView Select Identity OVSI 3.3.1 Patch 7 release includes the following software fix:

·         Disables logging of sensitive information in the log files.

·         Fixes an issue where there are constraint violation errors (ORA02292) when trying to delete the service membership of certain users after a “reconciliation modify” request (QXCR1000329393).

·         Fixes an issue that prevented the submission of requests that add or modify admin users with All Contexts/All Services (QXCR1000330266).

·         Fixes an issue where SI was not creating a user attribute correctly in the database when the connector sets its value and sends it back to SI (QXCR1000328980).

·         Fixes an issue where SI calls getEntitlements with a null filter during Reconciliation (QXCR1000331043).

The HP OpenView Select Identity OVSI 3.3.1 Patch 6 release includes the following software fixes:

·         Added missing screen_ja.properites and two related entries in the mappings.xml to support the Japanese locale.

·         Resolves an issue that caused imports and exports to fail when a large number of attributes were exported concurrently by preventing OVSI from dropping attributes during export.

·         Fixes a WfWaitBlock Table Constraint Violation error and allows the workflow to proceed.

·         Includes the image files login_headgrad_ja.gif and selectall_ja.gif in the lmz.war files allowing the OVSI 3.3.1 user interface to show these images in the Japanese environment.  (Resolves issue QXCM1000298643.)

·         Resolves an issue in the Search filter which prevented values from being returned when searching in an attribute-level constraint list. (Resolves issue QXCR1000287131.)

·         Fixes an issue preventing successful searches in User Management by Administrators.  (Resolves issue QXCR1000310990.)

·         Ends the need to change passwords if a user’s password expires in OVSI.  (Resolves issue QXCR1000310823.)

·         Allows long entitlement names to display properly.  (Resolves issue QXCR1000313419)

·         Adds the ability to export and import configurations that have i18n characters included.  (Resolves issue QXCR1000312957.)

·         Resolves an issue preventing requests from being terminated when the IE language setting is in simplified Chinese.  (Resolves issue QXCR1000306707.)

·         Fixes an issue with the Oracle 10g Thin Driver causing OVSI report generation to fail during Service Assignment.  (Resolves issue QXCR1000309041.)

·         Removes memory and JMS connection leaks in the Workflow engine.  (Resolves issue QXCR1000304053,)

·         Changes the default contact_help desk message in the TruAcess.properties file by removing the generic help desk phone number.  (Resolves issue QXCR1000316669.)

·         Works with the Oracle 11i connector to make sure the Date attribute is modified correctly when a Modify request is submitted from Web Services.  (Resolves issue QXCR1000319829.)

·         Removes a hard-coded UserName in the ReconPollingChangeLogHandler.  (Resolves issue QXCR1000314654.)

·         Prevents taUserName from being used in the ReconPollingChangeLogHandler to avoid issues when resources are not assigned a taUserName.  (Resolves issue QXCR1000314654.)

·         Fixes an issue causing reconciliation to fail when one or more resources used by a service was down. (Resolves issue QXCR1000317800.)

·         Allows user to be added to services per a defined rule.  (Resolves issue QXCR1000317791.)

·         Prevents requests from periodically going into a pending state without cause.  (Resolves issue QXCR1000317120.)

·         Honors the selected search filter preventing the Service Assignment Service Attribute Constraint Value search from returning all entitlements.  (Resolves issue QXCR1000316145)

·         Allows administrators imported into OVSI through the User Import function to successfully search for users in the User Management module. (Resolves issue QXCR1000311935.)

·         Corrects Post Provisioning activity in WorkFlow ReconciliationDefaultProcessMove WorkFlow. Resolves issue QXCR1000317800.) The Application Invocation in the PostProvisioning block should be changed from “Post Provision in Bulk to save date” to “Post Provision in reconciliation to save data.” If the ReconcilitionDefaultProcessMove has not been customized, the file exportcfg_ ReconciliationDefaultProcessMove_workflow.xml may be imported to implement the change.

·         Adds a new workflow called ReconciliationDefaultProcessMoveRetry_workflow.xml that works similarly to ReconciliationDefaultProcessMove_workflow.xml except that it adds an additional retry block to automatically retry requests that fail.  (Resolves issue QXCR1000317800.)

The HP OpenView Select Identity OVSI 3.3.1 Patch 5 release includes the following software fixes:

·         Provides a TruAccess.properties specifiable list of Workflow templates that OVSI provisions synchronously resulting in performance improvements.

·         Resolves an issue that caused attributes with double quotes (“”) to display incorrectly.

·         Updates password security functionality to prevent users with expired passwords from logging into OVSI.  (Resolves issue QXCM1000300601.)

The HP OpenView Select Identity OVSI 3.3.1 Patch 4 release includes the following software fixes:

·         Fixes a possible memory leak by clearing out a cache in the Request component.

·         Schedules Workflow invocations using JMS queues so that OVSI is no longer using application-spawned threads

·         Resolves an issue that prevented WebService from displaying the Date attribute value when retrieving a user record. (Resolves issue QXCR100029344.)

·         Updates the mapping file changes of existing attributes in the Modify Resources module now. (Resolves issue QXCR1000290020.)

·         Provides a solution to the issue that prevented the proper deployment of a resource in some circumstances. (Resolves issue QXCR1000292408).

·         Implements changes that allow OVSI to automatically retry password change operations if the first attempt fails.

·         Provides caching of the ConnectorParamFactory designed to improve performance.

The HP OpenView Select Identity OVSI 3.3.1 Patch 3 release includes the following software fixes:

·         Changes that result in the reduction of the time it takes to retrieve and process resource entitlements improve performance.

·         Ignores constraint value validation for empty attributes and retrieves entitlements correctly when there is a pipe “|” character in the entitlement string.

·         Updates to the Single Sign On (SSO) token lookup order making sure that OVSI now checks the TruAccess.properties file first and the generic remote_user variable second.

·         Attempts to encrypt/decrypt null or empty attribute strings no longer happen.

·         Sends a valid response to a Web Service Request that returns foreign language characters.

·         Changes resolved multiple i18n issues.

·         Modifications corrected the problem of unlinked entitlements reappearing during post provisioning.

The HP Open Select Identity OVSI 3.3.1 Patch 2 release includes the following fix:

·         BR4732: 3.3.1 Migration: Cannot view existing request

 

 

Property File Changes

The HP OpenView Select Identity OVSI 3.3.1 Patch 8 release includes the following new properties file settings:

# show all password or only SI password for password expiration and forgot password

# default is true

com.hp.ovsi.passwordexpire.showallpassword

 

# these properties are used to tune the caching of objects and reporting

si.cache.attribute.mappedresattr - defaults to true
si.cache.bulkmove.brattr - defaults to true
si.cache.serviceassingment - defaults to true
si.cache.spml.resattr - defaults to true
si.cache.service.attrvalconstr - defaults to true
si.cache.service.threadlocal - defaults to true
si.cache.requestbroker.requestevent - defaults to true

si.cache.attribute.mappedresattr.size = defaults to 1000

si.cache.attribute.mappedresattr.timeout - defaults to 10

 

# following options can be used to include the headers only in the automatic reports:

si.report.userdiscovery.headeronly - defaults to false
si.report.bulk.headeronly - defaults to false
si.report.reconciliation.headeronly - defaults to false
si.report.serviceassignment.headeronly - defaults to false

 

 

The HP OpenView Select Identity OVSI 3.3.1 Patch 7 release does not include any new properties file settings.

 

The HP OpenView Select Identity OVSI 3.3.1 Patch 6 release does not include any new properties file settings.

 

The HP OpenView Select Identity OVSI 3.3.1 Patch 5 release includes the following new properties file settings:

# comma-separated list of Workflow templates that will be provision synchronously

#com.hp.ovsi.synchronous.provision.templates=SI\ Provisioning\ Only\ Bulk , ReconciliationDefaultProcess

 

The HP OpenView Select Identity OVSI 3.3.1 Patch 4 release includes the following new properties file settings:

# the number of times the operation is attempted in case of failure - default is 3 com.ovsi.passwordoperation.retrycount

# the number of milliseconds SI waits between retry attempts - default is 100 com.ovsi.passwordoperation.retrydelay

 

The HP OpenView Select Identity OVSI 3.3.1 Patch 3 release includes the following new properties file settings:

 

# The cipher algorithm used to encrypt and decrypt two-way passwords in OVSI.

#com.hp.ovsi.encryptdecrypt.algorithm=AES/CBC/PKCS5Padding

 

# HSM provider - Eracom

#com.hp.ovsi.encryptdecrypt.algorithm=DESede/ECB/PKCS5Padding

# HSM provider - Ncipher

#com.hp.ovsi.encryptdecrypt.algorithm=AES/ECB/PKCS5Padding

Note: For a migrated database, you must comment out the following setting:

# The cipher algorithm used for encrypting one-way encrypted attributes and passwords

com.hp.ovsi.messagedigest.algorithm=SHA-256

 

# Location of the keystore parameter file generated via the script ks_gen.bat (or ks_gen.sh)

#si.keystore.paramfile=location_of_the_keystore_properties_file

 

# The provider properties used to look up the private key from the SI keystore

com.hp.ovsi.keypair.provider.classname=com.sun.crypto.provider.SunJCE

com.hp.ovsi.keypair.provider.position=1

com.hp.ovsi.keypair.keystoretype=JCEKS

 

 

# EncryptionKey Provider Details if the provider is external (Hardware Security Module)

#com.hp.ovsi.encryptionkey.provider.classname=au.com.eracom.crypto.provider.ERACOMProvider

#com.hp.ovsi.encryptionkey.provider.position=2

#com.hp.ovsi.encryptionkey.keystoretype=CRYPTOKI

 

#com.hp.ovsi.encryptionkey.provider.classname=com.ncipher.provider.km.nCipherKM

#com.hp.ovsi.encryptionkey.provider.position=2

#com.hp.ovsi.encryptionkey.keystoretype=nCipher.sworld

 

 

Known Problems, Limitations, and Workarounds

Known Problems and Limitations

Refer to HP Open View Select Identity 3.3.1 Release Notes

 


Support

Please visit the HP OpenView web site at: http://managementsoftware.hp.com/.