New IDM Release - 24.4 which is also known as IDM 4.10, eDir 9.3, IDConsole 1.9

The next IDM release is out today. They moved to the OpenText model of naming, so technically it is 24.4, and maybe we will see quarterly releases (we shall see). It consists of IDM 4.10 and eDir 9.3.

Biggest single feature is the change to OpenSSL 3.0 so we get TLS 1.3 support but alas, that breaks lots of compatibility.

You need the matching eDir, IDM and IDConsole to work because of the TLS 1.3 change.  But it is a change we had to have so might as well bite it all off.

Interestingly, Designer needs an update as well.  From the Readme:

IMPORTANT: You must install Designer 24.4 (v4.10) with OpenText Identity Manager 24.4 (v4.10). Previous Designer versions are not compatible. However, Designer 24.4 (v4.10) can be used with Identity Manager 4.8.x and 4.9.

Downloads are at sld.microfocus.com and docs are at: https://www.netiq.com/documentation/identity-manager-4.10/

More details to come!

  • 0

    Should I be worried about replication between two (old and new) eDir replicas due to the TLS 1.3? I do not think it will be a problem. So far it has never been.

    ...We're just about to migrate IDM from 4.8.6 to 4.10. We were just waiting for it. The plan is to install the new IDM on new server connected to the same NDS tree and then move everything and decommission old servers afterwards. 

  • 0   in reply to 

    Sorry, let me clarify.  EBA, enhanced background authentication, authenticates NCP traffic.  This uses a CA on the EBA-CA server to mint certs for every server.  And talks TLS in the background I think.

    THAT has compatibility issues.  They have a patch for eDir 9.2.7 and higher I think, so those servers with EBA turned on can work with it till they get upgraded.

    PS: You cannot really turn off EBA once it is enabled.  (As far as I know.  If you know how, please let me know. You can turn it off easily, however eDir will break over time if you do that).

  • 0   in reply to   

    Patch is for 9.28 or 9.29.  Included in the eDir distro. ONLY needed if you have EBA enabled in the tree.

    Bridge Patch: If you have a multi-server environment and if EBA is enabled in any or all of the servers, then before upgrading to OpenText eDirectory 9.3.0, it is mandatory to upgrade all OpenText eDirectory Servers to latest OpenText eDirectory 9.2.8 or 9.2.9 versions. Post Successful Upgrade, user must apply the EBA bridge patch to all the replica servers where EBA is enabled. EBA bridge patch is available with OpenText eDirectory.
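The bridge-patch rule quoted above can be checked against a server inventory before anyone starts the 9.3.0 upgrade. This is an added example, not OpenText tooling or code from the thread: the `Server` fields (including the operator-recorded `bridge_patched` flag), the server names and the sample inventory are constructed, and every listed server is assumed to hold a replica.

```python
from dataclasses import dataclass

# Versions named in the quoted release note as the required baseline.
BRIDGE_BASELINES = {(9, 2, 8), (9, 2, 9)}
TARGET = (9, 3, 0)

@dataclass
class Server:
    name: str
    version: str                  # eDirectory version as "x.y.z"
    eba_enabled: bool
    bridge_patched: bool = False  # hypothetical field, recorded by the operator

def parse_version(text):
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected x.y.z, got {text!r}")
    return parts

def plan(servers):
    """Return {server name: [outstanding actions]} before upgrading to 9.3.0."""
    # The rule only applies when EBA is enabled somewhere in the tree.
    eba_in_tree = any(s.eba_enabled for s in servers)
    actions = {}
    for s in servers:
        todo = []
        version = parse_version(s.version)
        if version < TARGET and eba_in_tree:
            if version not in BRIDGE_BASELINES:
                todo.append("upgrade to 9.2.8 or 9.2.9")
            if s.eba_enabled and not s.bridge_patched:
                todo.append("apply EBA bridge patch")
        actions[s.name] = todo
    return actions

def ready_for_93(servers):
    return all(not todo for todo in plan(servers).values())

# Constructed sample inventory (not real servers).
SAMPLE = [
    Server("edir-a", "9.2.9", eba_enabled=True, bridge_patched=True),
    Server("edir-b", "9.2.7", eba_enabled=True),
    Server("edir-c", "9.2.6", eba_enabled=False),
]

if __name__ == "__main__":
    for name, todo in plan(SAMPLE).items():
        print(name, "->", todo or ["ready"])
    print("tree ready for 9.3.0:", ready_for_93(SAMPLE))
```
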

  • 0  

    Just reading IDM 4.10 release notes, specifically Resolved Issues section and I'd like to know more about OCTCR56A585485:

    When a role is revoked, the Role and Resource Service Driver recalculates roles for all users in a container, including inherited ones, which leads to performance issues.

    Does that mean when role is revoked from user? From group? Container?

    I am also a bit confused with "Note" section:

    NOTE: To ensure that the performance of RRSD is not affected when revoking a role, create a custom Event Transformation policy and set the skip-processing attribute to true. This will disable recalculation operations during role revoke or assign actions. However, skipping recalculations may result in the role not being fully revoked, leaving its status as running. Be sure to set skip-processing back to false after the revocation.

    I assume we should create ETP policy for setting skip-processing attribute in RRSD, right? When/for which classes should this policy be enabled? All classes and all the time?

    And where/in which policy should we set skip-processing back to false (ref. Be sure to set skip-processing back to false after the revocation.)

    Kind regards,

    Sebastijan


  • 0   in reply to   

    I agree that the note is not very helpful.  My guess is that RRSD is a strange IDM driver, and does 'commands' vs events. Basically events come in, and the Sub-ETP policy remaps it to nrf:Identity or nrf:Role 'commands'. Those make it into the shim, which then treats the object referenced as a 'reprocess the whole thing'.  In the case of a Role revoke, which I guess would come into the Sub-ETP as a nrfAssignedRoles remove value, then <modify> event is changed to an <nrf:Identity> event (I forget the exact class, but watch trace, you will see what I mean) and append an XML attribute of skip-processing='true' .  So this is probably for a User object.  So the <nrf:Identity skip-process="true"> might be the outcome.

    What confuses me is the line "Be sure to set skip-processing back to false after the revocation." It would seem this is a one event only change...  And that sentence leaves me with no context.  Let me see if I can get more info from that bug.

  • 0  

    Heads up:  I was browsing through the Windows ISO, 5 GB (!!!!) in size and wondering why it was so large.

    First crazy file I found was in common\IDConsole\Resources\app.asar at 797 MB in size!!!

    But if you look at the Workstation version of IDConsole, it is 780 Megs or so, so this strangely enough makes some sense.  Crazy size but likely normal.

    Then I was looking at Readme's and license files.

    common\license\IdentityManager-3rdParty-license.txt  This is 7,7Megs of text.  Yes, it is a 1 million line license file.  It looks like they included every single license from every single JAR they use, and all the versions of them.  So who reads license files? Million line files?

    Then we have:

    ReleaseNotes\LEGAL-AE.TXT

    ReleaseNotes\LEGAL-SE.TXT

       These are both 7.7 megs, and the same as above,  1 million + line file of every license ever.

    I think they have beat that dead horse to the point of stupidity.  What value is a 1 million line license file?

    I seriously thought they had a virus infecting the distro file, but a walk through calmed me down...  Still odd, but hopefully next person who finds it will find this and not be concerned.

  • 0   in reply to   

    What stands out for me is the "This will disable recalculation operations during role revoke or assign actions. ", if that is what happens then it would leave the role model and assignments in an inconsistent state.

    More information is required as there is probably a reason for implementing this, but I doubt it should be without knowing the ramification.

  • 0   in reply to   

    They are using electron (https://www.electronjs.org/) to build these applications, which is why they are that large. It also causes applications to be device and not desktop centered.

  • 0   in reply to   

    Other companies have managed to use Electron without ending up with a bloated and horrible product.
    VSCode is maybe the best example of this.

    It takes effort and care to make a good Electron app
    There are a lot more horrible Electron apps out there.

    Problem is that most developers choose Electron because they just don't care and Electron seemed like an easy option when a product manager asked them to turn their web app into a desktop app.

  • 0   in reply to   

    Do hope that the wording is clarified somewhat, what is currently mentioned there makes zero sense to me.

    It also would help greatly if the actual reference ID for the issue was able to be looked up in the Knowledge Base (and actually contained useful information).