Supplementary release notes for IBM Security Privileged Identity Manager V2.0.1
This document contains release information that was not documented in the published Release Notes.
IBM Security Privileged Identity Manager, Version 2.0.1, is a virtual appliance for the IBM® Security Privileged Identity Manager solution. The virtual appliance simplifies deployment, administration, and configuration.
For more information about what's new, see New in 2.0.1.
To download version 2.0.1, go to http://www.ibm.com/support/docview.wss?uid=swg24040010.
For more information about the IBM Security Privileged Identity Manager installation, see the following additional technotes:
- Preparing server SSL certificates for deploying on the AccessAgent client computers
- Changing the custom task URLs for the default tiles in Service Center
Important: If you are configuring IBM Security Privileged Identity Manager 2.0.1 with an LDAPS connection, you must apply fix pack 1 before you configure the data tier.
If you are upgrading from IBM Security Privileged Identity Manager 2.0 with an LDAPS connection, you must apply fix pack 1 after the upgrade process.
IBM Security Privileged Identity Manager, Version 2.0.1, fix packs provide fixes to known problems, new functions, additional currency and application support, resiliency, and performance improvements.
You can download fix packs from Fix Central.
| Fix Pack | Link to Fix Central |
| Fix Pack 2 | 2.0.1-ISS-ISPIM-VA-FP0002 |
| Fix Pack 1 | 2.0.1-ISS-ISPIM-VA-FP0001 |
Issues and limitations
Shared access consoles
- IBM Security Privileged Identity Manager runs into JMS issues after a database restart.
- Missing Resource Info and incomplete results in several PCM accounts and credential audit log events.
- Resource name is not displayed in View My Requests in self-service user interface.
- Cluster node shows incorrect dashboard status for 3-node cluster setup.
- Creating a user that includes the ampersand character (&) results in an ISAMESSO Account Warning.
- Unable to delete secondary organization. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21690991.
- When the administrative console and the Service Center are open at the same time, logging in to the Service Center redirects you to the administrative console home page.
- When connecting multiple credentials, View Requests does not show a value for Requested For.
- When adding or editing credentials in the Service Center on Internet Explorer 10, you might have to click a text box, for example the Login ID field, two or three times before it accepts your input.
- ID Feed Service will always use workflow for reconciliation. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21691715.
- There is no column header for password interval in "Shared Access Bulk Load" to allow end users to set the password interval (in days) for credentials included in their CSV file.
- The Privileged Identity Manager Service Center does not meet accessibility standards.
- The maximum check-out duration value does not change when you add a new credential by using default settings in the administrative console. (Manage Shared Access > Configure Credential Default Settings)
- Embedded links in the administrative console or the Service Center for a credential redirect to the wrong page. When the credential is connected to an identity provider, the hyperlink in the Resource Name column opens the account form instead of the resource. When a credential is checked out, the hyperlink in the Checked Out By column opens the Business Unit details page instead of the person form.
- In the administrative console, expand Set System Security > Manage Views. The label Manage Password Providers should read Manage Identity Providers.
- Issue: When performing an Advanced Search in the credential vault, you are unable to search for other Business Units when a Business Unit is already selected.
Workaround: Click Clear to remove the chosen Business Unit and search again to see all available Business Units.
- Issue: Manage Access Request Workflow: Notify Activity does not have any email templates to choose from.
Workaround: See a more complete list of templates in Configure System > Workflow notification properties.
- Issue: "Max number of incorrect login attempts" in "Set System Security" does not work as expected. Setting it locks the user account after the configured number of failed attempts, as described, but the console provides no explicit way to unlock the account again.
Workaround: Suspend the user account and then restore it.
- Managing privileged credentials on SoftLayer is currently not supported. See announcement.
- In session recordings with IBM Personal Communications, the status-bar is not recorded.
- The IBM Privileged Session Recorder configuration utility is available in English language only.
- The IBM Privileged Session Recorder configuration utility cannot start when there are non-ASCII characters in the installation path.
- For Arabic locales, the Privileged Session Recorder console does not use Arabic-Indic digits and does not use the correct date and time format.
- On a monitored application, when you complete actions with modifier keys, for example Ctrl+A, the Privileged Session Recorder on the client computer logs the action as two separate events. For example: Ctrl and Ctrl+A.
- The IBM Privileged Session Recorder ignores Microsoft Windows accessibility settings for StickyKeys, ToggleKeys, FilterKeys, and MouseKeys.
- Characters from other languages are not displayed during playback.
- In a multiple display or multiple monitor configuration, session recordings are only supported when the extended display or extended monitor is to the right or bottom of the main display.
- For applications that are designed with multiple tabs or multiple windows that run under a single process, session recordings are only supported when you launch only a single tab or window.
- Session recording is not supported on the following versions of Internet Explorer:
- Internet Explorer 8 or later on Windows 7 when both the browser Protected Mode and User Account Control are enabled.
- Internet Explorer 11 on Windows Server 2012, Windows 8.0, and Windows 8.1. For an updated list of web browsers and system requirements, see Detailed system requirements.
Automatic check-in and check-out
- Issue: When the user opens several instances of RDP at the same time, the Allow me to save credentials check box is not automatically selected, and check-out of shared access credentials fails.
Workaround: The user must select the check box and click Connect to check out the credential.
- Issue: Credential injection fails when the user starts an application and, at the time of injection, the application window is overlaid by another application or by the lease expiry window.
Workaround: Keep the focus on the application until application logon is complete.
- Issue: When using Remote Desktop Connection, AccessAgent offers to save the shared credentials after injecting the checked out user name and password. This issue occurs after the PIM_Profiles.eas AccessProfile is uploaded to the IMS Server.
Workaround: Disable the sso_site_wnd_rdp6_with_options AccessProfile.
1. Log in to AccessAgent as an ISAM ESSO administrator.
2. Open AccessStudio.
3. Choose File > Import data from local AccessAgent.
4. From the list of AccessProfiles, select sso_site_wnd_rdp6_with_options.
5. Select the General Properties tab.
6. Under Signatures identifying web-page or exe where this AccessProfile is to be loaded, click Remove.
7. Right-click sso_site_wnd_rdp6_with_options.
8. Click Upload to IMS.
- Issue: The password injection process does not start if you resize the PuTTY window to a width that is too small. This situation occurs if you resize the window to 24 columns wide, or to any width at which the password prompt wraps onto a new line, as in the following example.
login as: adminaccount
The password injection process with the bundled AccessProfile cannot find a match for the keyword password because the keyword is split across two lines. As a result, the password is not injected.
Workaround: Resize the PuTTY window so that the password prompt line does not wrap.
- The bundled IBM Security Privileged Identity Manager AccessProfiles are not designed for Microsoft Remote Desktop Connection clients with versions 6.1.76xx.
- The IBM Security Privileged Identity Manager AccessProfile for Microsoft Remote Desktop Connection RDP client does not support the injection of shared credentials at the RDP lock screen.
- Check-out and check-in of shared credentials does not work for mainframe applications that run on z/OS® and i5 series and that use the following logon sequence:
1. Inject user name.
2. Press Tab.
3. Inject password.
- Multiple IBM Security Privileged Identity Manager credentials for one AccessAgent user are not supported.
- When the user does not have an IBM Security Privileged Identity Manager credential in the user Wallet and starts two applications at the same time, such as RDP and VMware vSphere Client, checking out shared credentials works only for the one application in which the user enters the IBM Security Privileged Identity Manager credentials when prompted by AccessAgent.
- Shared access credential check-out in RDP only works when the General tab is selected.
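The PuTTY issue above comes down to matching a keyword against screen rows after the terminal has hard-wrapped the prompt. The following Python script is an added illustration, not code from this technote or from the AccessProfile: it wraps a constructed OpenSSH-style prompt (the page does not show the exact prompt line, so the host name and wording are assumptions) at a given column width, shows that a row-by-row match for the keyword fails at 24 columns and succeeds at 80, and shows a wrap-aware match that rejoins full-width rows before searching. The keyword pattern itself is also an assumption; the page only says the bundled profile looks for the word password.

```python
import re

# Constructed sample of the prompt an OpenSSH server prints after "login as:".
# Assumption: the page does not show this line, only that it wraps in a 24-column window.
PROMPT = "adminaccount@db01's password:"

# Keyword the bundled AccessProfile is described as matching; the exact pattern is an assumption.
KEYWORD = re.compile(r"password", re.IGNORECASE)


def wrap_terminal(text, columns):
    """Split text into screen rows the way a character-cell terminal does:
    a hard cut every `columns` characters, with no regard for word boundaries."""
    if columns < 1:
        raise ValueError("columns must be positive")
    return [text[i:i + columns] for i in range(0, len(text), columns)]


def row_by_row_match(rows):
    """Row-by-row keyword search: this is the behaviour described for the bundled
    profile, and it fails once wrapping has cut the keyword in two."""
    return any(KEYWORD.search(row) for row in rows)


def unwrap_rows(rows, columns):
    """Rejoin soft-wrapped rows. Heuristic: a row that fills the full terminal width
    continues on the next row; a shorter row ends a logical line."""
    logical, current = [], ""
    for row in rows:
        current += row
        if len(row) < columns:
            logical.append(current)
            current = ""
    if current:
        logical.append(current)
    return logical


def unwrapped_match(rows, columns):
    """Keyword search after rejoining wrapped rows, so a split keyword is still found."""
    return any(KEYWORD.search(line) for line in unwrap_rows(rows, columns))


def demo(columns):
    """Run both matchers against the sample prompt wrapped at the given width."""
    rows = wrap_terminal(PROMPT, columns)
    return {
        "columns": columns,
        "rows": rows,
        "row_by_row": row_by_row_match(rows),
        "unwrapped": unwrapped_match(rows, columns),
    }


if __name__ == "__main__":
    for width in (80, 24):
        print(demo(width))
```

At 24 columns the sample prompt is cut into "adminaccount@db01's pass" and "word:", so the row-by-row search never sees the whole keyword; the rejoining matcher does. The workaround in the technote (widen the window) is the only option with the bundled profile, since the profile's matching logic is not something you change from this script.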
- Issue: Exporting to a directory that does not exist, or to a directory whose name contains spaces or special characters, fails. The error occurs when you run sp_export_psr_partitionset:
Error Message: Unexpected error occurred : SQL0480N The procedure "SYSPROC.ADMIN_CMD " has not yet been called. SQLSTATE=51030
- When the user accesses the monitoring URI for the Identity service, the response is displayed in the following format: service name, time taken in milliseconds, response code.
- The message codes displayed during virtual appliance installation are not correct.
- A translation error is displayed when you double-click Reconfigure.
- Strings on the guided wizard exceed the size of the arrow indicator image.
- A warning message (mesa_cli) appears when you log in to the virtual appliance. This message can be ignored.
- Topic: Setting up a stand-alone or primary node for IBM Security Privileged Identity Manager
When you are specifying a custom root certificate in the Root CA Configuration page, the length of the Distinguished Name (DN) for the custom root certificate must not be longer than 128 characters. For example, CN=pim, OU=example, O=ibm, ST=cal, POSTALCODE=1067, C=US
When generating a Cognos-based report, if you require only the records for the current date, specify both the start date and the end date. Otherwise, data from earlier dates is also included in the report.
1. In the topic Managing the external user registry configuration, in the Before you begin section, the following restrictions must be highlighted:
- For the IBM Security Privileged Identity Manager system user, the following restrictions apply:
- For the bind user, the following restrictions apply:
- For the default pim manager user, the following restrictions apply:
For example, if the base DN that you are providing for the external registry configuration is cn=users,dc=example,dc=com, then the bind user, the pim manager, and the IBM Security Privileged Identity Manager system user must be defined in this base DN.
2. The Application Name filter is not applicable to the Application Instance Activity Audit Report.
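Two of the configuration limits stated above are easy to get wrong and are only reported after you submit the page: the 128-character limit on a custom root CA DN (Root CA Configuration topic) and the requirement that the bind user, the default pim manager, and the system user are all defined under the external registry base DN. The following Python script is an added example, not IBM's code, that checks both before you configure the appliance. It parses string DNs itself (honouring backslash-escaped commas) so it has no dependency on an LDAP library; the user DNs in the sample are constructed and are not IBM defaults, and the base DN is the one from the page's example.

```python
# Added example, not IBM's code: pre-flight checks for two DN rules stated in the technote.

MAX_ROOT_CA_DN_LENGTH = 128  # limit stated for a custom root CA DN in Root CA Configuration


def split_dn(dn):
    """Split an RFC 4514 string DN into its RDNs, honouring backslash-escaped commas
    (for example "CN=Smith\\, Jane,OU=users,DC=example,DC=com")."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            current += ch
            escaped = True
        elif ch == ",":
            rdns.append(current.strip())
            current = ""
        else:
            current += ch
    rdns.append(current.strip())
    return [r for r in rdns if r]


def normalize_rdn(rdn):
    """Case-fold the attribute type and value and drop whitespace around '='.
    Good enough for this comparison; full RFC 4517 matching rules are out of scope."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def is_under_base_dn(entry_dn, base_dn):
    """True when entry_dn is base_dn itself or lies below it, that is, the base DN's
    RDNs are a suffix of the entry's RDNs after normalisation."""
    entry = [normalize_rdn(r) for r in split_dn(entry_dn)]
    base = [normalize_rdn(r) for r in split_dn(base_dn)]
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def check_root_ca_dn(dn):
    """Return a list of problems with a custom root CA DN; an empty list means acceptable."""
    problems = []
    if len(dn) > MAX_ROOT_CA_DN_LENGTH:
        problems.append(f"DN is {len(dn)} characters; limit is {MAX_ROOT_CA_DN_LENGTH}")
    for rdn in split_dn(dn):
        if "=" not in rdn:
            problems.append(f"malformed RDN: {rdn!r}")
    return problems


def check_registry_users(base_dn, users):
    """users maps a role name to the DN configured for it. Returns the roles whose DN is
    not under base_dn, which the external registry configuration does not allow."""
    return [role for role, dn in users.items() if not is_under_base_dn(dn, base_dn)]


if __name__ == "__main__":
    base = "cn=users,dc=example,dc=com"  # base DN from the technote's example
    # Constructed user DNs; the names are assumptions, not IBM defaults.
    users = {
        "bind user": "cn=pimbind,cn=users,dc=example,dc=com",
        "pim manager": "CN=pim manager, CN=Users, DC=example, DC=com",
        "system user": "cn=pimsystem,ou=service,dc=example,dc=com",
    }
    print("roles outside the base DN:", check_registry_users(base, users))
    print("root CA DN problems:",
          check_root_ca_dn("CN=pim, OU=example, O=ibm, ST=cal, POSTALCODE=1067, C=US"))
```

In the sample the system user sits under ou=service rather than cn=users, so it is the one entry the external registry configuration would reject; the mixed-case pim manager DN passes because the comparison is case-insensitive, as LDAP DN matching is.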
- To download the documentation in the PDF format, see http://www.ibm.com/support/docview.wss?uid=swg21920390.
- Web Services API for IBM Security Privileged Identity Manager is available from the following technote.
- REST API developer reference for IBM Security Privileged Identity Manager is available from the following technote.
- In the administrative console, there is no help content for the Search for Access page.
- When adding resources, the resource alias that you define must be unique across IBM Security Privileged Identity Manager.
Troubleshooting common issues
Problems with certificates.
Symptom: Check-in and check-out throw an error, or check-in and check-out work but nothing is recorded.
Causes:
- The host name in the certificate does not match.
- DNS or the hosts file is not set up correctly to resolve the target URL.
Problems with certificates in a virtual appliance cluster.
Causes:
- AccessAgent is not configured to communicate with the load balancer.
- The load balancer's CA certificate is not imported properly.
- The host name in the load balancer's certificate does not match.
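The certificate causes listed above reduce to three checks: does the name resolve, does the server's chain validate against the CA you expect the client to trust, and does the name in the certificate match the name you connected to. The following Python script is an added diagnostic, not part of this technote or the product. It performs those checks with the standard library against a host you name (the port, CA bundle path, and host name are command-line arguments, and the defaults are assumptions), and maps the resulting exception to one of the causes above. The sample errors embedded in it are constructed from OpenSSL's wording as Python surfaces it, so the classification can be exercised without a network.

```python
import socket
import ssl
import sys

# Added diagnostic, not IBM's code. Assumptions: the endpoint speaks TLS on the given port,
# and the CA bundle you pass is the one AccessAgent is supposed to trust.


def classify_tls_error(exc):
    """Map an exception from name resolution, connect() or wrap_socket() to one of the
    causes listed in the technote. Matching is on the exception text (OpenSSL wording)."""
    if isinstance(exc, socket.gaierror):
        return "dns"  # DNS or hosts file does not resolve the target
    text = str(exc).lower()
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "hostname" in text and "match" in text:
            return "hostname-mismatch"  # certificate is for a different name
        if "local issuer" in text or "self signed" in text or "self-signed" in text:
            return "ca-not-trusted"  # issuing CA (for example the load balancer's) not imported
        return "verify-failed"
    if isinstance(exc, (ConnectionRefusedError, socket.timeout, TimeoutError)):
        return "unreachable"  # nothing listening, or the load balancer is not reachable
    return "other"


def diagnose(host, port=443, ca_file=None, timeout=5.0):
    """Resolve, connect, validate the chain and check the host name.
    Returns (status, detail); status is "ok" or a classify_tls_error() value."""
    try:
        addr = socket.gethostbyname(host)  # consults the hosts file as well as DNS
    except socket.gaierror as exc:
        return classify_tls_error(exc), str(exc)

    context = ssl.create_default_context(cafile=ca_file)  # verify chain and host name
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return classify_tls_error(exc), str(exc)
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return "ok", f"{host} -> {addr}; certificate DNS names: {sans}"


# Constructed sample failures, in OpenSSL's wording as Python surfaces it, so the mapping
# can be checked offline. Keys are the cause each sample is expected to map to.
SAMPLE_ERRORS = {
    "dns": socket.gaierror(-2, "Name or service not known"),
    "hostname-mismatch": ssl.SSLCertVerificationError(
        "certificate verify failed: Hostname mismatch, certificate is not valid for 'pim.example.com'"),
    "ca-not-trusted": ssl.SSLCertVerificationError(
        "certificate verify failed: unable to get local issuer certificate"),
    "unreachable": ConnectionRefusedError(111, "Connection refused"),
}


def self_check():
    """True when every constructed sample error is classified as its expected cause."""
    return all(classify_tls_error(exc) == expected for expected, exc in SAMPLE_ERRORS.items())


if __name__ == "__main__":
    # Usage: python check_tls.py <host> [port] [ca-bundle.pem]
    if len(sys.argv) < 2:
        print("self-check:", "ok" if self_check() else "FAILED")
    else:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        ca = sys.argv[3] if len(sys.argv) > 3 else None
        print(diagnose(host, port, ca))
```

Run it against the appliance (or, in a cluster, against the load balancer name that AccessAgent is configured to use) with the CA bundle the clients trust: a "hostname-mismatch" result points at the certificate's subject or SAN, "ca-not-trusted" at the CA import, and "dns" at name resolution on the client, which is the order in which the causes above are listed.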
Virtual appliance is unstable.
Symptom: Some components refuse to start.
Causes:
- The virtual appliance is deployed on an unsupported VMware platform or version.
- Insufficient RAM.
Profile is loaded for application, but no check-in or check-out or recording occurs.
Cause: You are using a standard single sign-on profile, not one that is enhanced for check-in, check-out, and session recording.
Cannot log in to IBM Security Privileged Identity Manager components (for example administrative console or self-service console).
Symptom: You repeatedly get a password invalid or password expired error.
Cause: Data tier was restarted while the virtual appliance was running.
Solution: Restart the virtual appliance.
AccessAgent throws a Privileged Credential Manager error about an invalid password during check-in and check-out.
Cause: IBM Security Privileged Identity Manager password has expired.
Solution: Reset the password in the Service Center.