SecurID^® Governance & Lifecycle Product Documentation

Remote AFX and agents do not work after upgrading Java 1.8 JDK to u241 or higher. This patch updates the generation of the self-signed certificates for RSA Identity Governance and Lifecycle.

If you have applied this patch and upgraded to Java version JDK 8u241 or higher, you must download or regenerate the self-signed certificates for RSA Identity Governance and Lifecycle into your environment and restart the server.

1. Log in to RSA Identity Governance and Lifecycle, and go to Admin > System > Security. In a clustered environment, perform this step on the single system operations node (SON).
2. Click Change Certificate Store, and click OK to change the root certificate and CA.
3. Click Download and save the server.keystore file to a location on your computer.
4. Go to AFX > Servers, click Change Certificate Store, and click OK to change the client certificate.
5. Click Download and save the client.keystore file to a location on your computer.
6. Stop the ACM and AFX servers.
7. Copy the new server.keystore file to the location on the server where your web server reads the keystore. For example, $AVEKSA_HOME/keystore.
8. Copy the new client.keystore file to the AFX server under <AFX-server-root>/esb/conf.
9. Update the client.keystore files from the remote agents after you download the corresponding client.keystore from RSA Identity Governance and Lifecycle.
10. Restart the ACM and AFX servers and verify connectivity with the endpoints.

The following improvements have been made to the process of uploading additional JAR files to connect to other databases using a generic database.

• The driver field is now editable to support the addition of a new path and selecting the existing driver path from the list for the Generic Type Connector.
• Under Generic Type Connector > File Content, add and delete options have been added for custom driver JARs.
• Handled the upload and removal of custom drivers to and from AFX/esb/apps/connectorname/lib, where connectorname is the name of the connector.

Memory management in ActiveMQ has been updated to handle bulk change request items. You may need to modify the following ActiveMQ settings.

1. The queue can handle messages for a change request with about 500 change request items for an AFX connector. To handle a larger number of items than this default, update the settings as follows.

   1. Edit AFX\activemq\conf\activemq.xml.

   2. Find the policyEntry tag and modify the memoryLimit attribute value based on the requirement, as shown below, then save the changes.

      <policyEntry queue=">" producerFlowControl="true" useCache="false" memoryLimit="5mb">

2. The queue can handle approximately 50 AFX connectors for provisioning the change request items in parallel with the default settings. To configure a larger number of connectors than default allows, based on the requirement modify memoryUsage value accordingly.

   Example:
   Memory usage for an AFX connector needs approximately 5 MB. 5MB multiplied by 50 connectors is a total of 250 MB, which is the default.
   The memory usage is calculated based on the memoryLimit values in point 1.

   1. Edit AFX\activemq\conf\activemq.xml.

   2. Find the memoryUsage tag and modify the limit attribute value based on the requirement.

      <memoryUsage>
      <memoryUsage limit="256 mb"/>
      </memoryUsage

   3. Find the tempUsage tag and modify the limit attribute value same as memoryUsage value.

      <tempUsage>
      <tempUsage limit="256 mb"/>
      </tempUsage>

   4. Find the storeUsage tag and modify the limit based on changes of memoryUsage value.

      <storeUsage>
      <storeUsage limit="1 gb"/>
      </storeUsage>

   5. Save changes.

3. Based on the requirements and memory configuration changes, the ActiveMQ heap size must be updated. The recommended heap size is between 2 and 4 GB.

   1. Edit the AFX/bin/afx.sh script.

   2. Update the ACTIVEMQ_OPTS Xms and Xmx values.

   3. Edit the AFX/activemq/bin/activemq.sh script.

   4. Update the ACTIVEMQ_OPTS Xms and Xmx values.

RSA Identity Governance and Lifecycle previously defined orphan accounts as accounts with no mapping regardless of the account status.

This patch introduces an additional scenario for orphan accounts. After creating a pending account with a pending mapping, if you collect just the account, the mapping remains pending. Pending mappings are not a trusted source, and therefore the account is listed as an orphan account even though its pending mapping is visible in the RSA Identity Governance and Lifecycle user interface. This account is listed in the orphan view of the accounts tab as well as in an orphan report. An icon is displayed next to the user component of the mapping to indicate that the mapping is pending.

To resolve an orphan account resulting from a pending mapping, perform one of the following actions:

• Properly collect the user mapping to the account.
• Manually unmap the pending account mapping, and manually map it to the appropriate user.

After the account is removed from its orphan status, all entitlements collected for the account appear under the mapped user.

The following changes have been made in roles:

• In the Members tab, Missing Direct Entitlements has been changed to Missing Direct Entitlements (Active).
• In the Entitlements tab, Direct Members Missing has been changed to Direct Active Members Missing.
• In the Analytics tab, Missing Entitlements has been changed to Missing Entitlements for Active Members.
• In the Analytics tab, the new metric Number of Users (Terminated) has been added.

In WildFly ACM installations with a remote database and configured failover options, a new, optional ACM configuration property, REMOTE_ORACLE_JDCB_URL, has been added to Aveksa_system.cfg. This property is to be used by AveksaCli only to connect to the target database. Use it only if the default connection URL is not sufficient. When configured, the provided value should match the connection URL of the AVDB data source in aveksa-standalone-full.xml or domain.xml.

Single-line example:

REMOTE_ORACLE_JDBC_URL=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=DB_PRIMARY_HOST)(PORT=DB_port))(ADDRESS=(PROTOCOL=TCP)(HOST=DB_SECONDARY_HOST)(PORT=DB_port)))(CONNECT_DATA=(SERVICE_NAME=avdb)(SERVER=DEDICATED)))

REMOTE_ORACLE_JDBC_URL=jdbc:oracle:thin:@(DESCRIPTION_LIST=(LOAD_BALANCE=off)(FAILOVER=on)(DESCRIPTION=(CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node1)(PORT=1555)))(CONNECT_DATA=(SERVICE_NAME=avdb)))(DESCRIPTION=(CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node2)(PORT=1555)))(CONNECT_DATA=(SERVICE_NAME=avdb))))

Multiple-line example:

REMOTE_ORACLE_JDBC_URL=jdbc:oracle:thin:@(DESCRIPTION_LIST=(LOAD_BALANCE=off) (FAILOVER=on) \

(DESCRIPTION= \

(CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3) \

(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node1)(PORT=1555))) \

(CONNECT_DATA=(SERVICE_NAME=avdb))) \

(DESCRIPTION= \

(CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3) \

(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node2)(PORT=1555))) \

(CONNECT_DATA=(SERVICE_NAME=avdb))) \

)

For references and additional examples, see the Oracle Database JDBC Developer's Guide and Database Net Services Reference on the Oracle website.

The Aveksa Statistics Report (ASR) has the following new column for the Unified Users section:

• terminatedUser.count — The total number of terminated users.
• deletedUsers.total — The total number of deleted users.
• user.total — The total number of users.

Change request approval and fulfillment processing has been enhanced to enforce uniqueness of account names with regard to both active and deleted accounts. Because all active accounts within a business source must have unique names, but deleted accounts within the same business source are not limited to unique names, these changes prevent a reactivated or pending account from having the same name as another active account. The behavior is as follows:

• During Pending account creation, the system checks the account name for uniqueness within the business source in the following order:
  • If the name is already in use by an active account within the business source, the change request creation action does not proceed until the name is changed.
  • If the name is used by one of the deleted accounts within the business source, the most recently deleted account with that name is reactivated into a pending account and the change request preserves its history.
  • If the name is not used by any active or deleted accounts within the business source, a change request is created with that account name.
• During the fulfillment phase, if a pending account is renamed, the system performs the following checks:
  • If the name is already in use by an active account in the same business source, the fulfillment does not proceed and the following exception occurs in the aveksaServer.log log file: “java.lang.IllegalArgumentException: Could not rename the Account due to a conflict.”
  • If the new name for this pending account (Account A) is used by a deleted account within the business source, the most recently deleted account with that name (Account B) is converted into a pending account. The old account (Account A) is replaced by the reactivated pending account (Account B) in the change request. The change request item (Account B) waits for verification and the old pending account for Account A reverts to its previous state by being removed from the system or reverted into a deleted account.
  • If the new name is not used by any active or deleted account within the business source, a new pending account with the new name is created and placed into the change request instead of the previous name, and the old account is either removed or reverted into a deleted account if it had been converted into a pending account.
• When a pending account is waiting for verification, the first account collectors to collect it takes control of the account and marks it as verified.

The following changes were made to how RSA Identity Governance and Lifecycle handles report file names:

• If invalid characters are detected the report file name, the detected characters are replaced with an underscore.
• Consecutive strings of invalid characters are replaced with a single underscore.
• The user interface allows characters not valid for the file name.
  • Invalid characters for Windows filenames are (separated by commas): ",\,/,:,*,?,<,>,|," "
  • Invalid characters for Unix filenames are (separated by commas): ",\,[,],{,},(,),',+,-,=,!,@,#,$,%,^,&,;,” "

Updated Segregation-of-Duty (SOD) rules and policy language, which includes additional analysis and detection capabilities to identify complex cross-application violations and reduce potential false positives.

For information about the new SOD rules functionality, see "Using a Correlation Specification with a Segregation of Duties Rule" in the Online Help.

SOD and user access violations can now be remediated using violation remediation reviews, which allow users to review violations and perform remediation actions directly through the reviewer user interface.

The violation remediation reviewer experience uses the same user interface as the new user access reviewer experience, which provides advanced features such as Analysis and Guidance, a review progress monitor, advanced filtering, and the ability to manage multiple violations at the same time.

This feature uses both an SOD or User Access Rule definition and a User Access Violation Remediation Review definition and seamlessly manages their association within the system. For more information, see "About the Violation Remediation Review Experience" in the Online Help.

Added automated log artifact collection and bundling capabilities to collect and send logs for support cases.

This feature is available by going to Admin > Diagnostics and clicking the Log Artifact tab. For more information, see "Collect Logs to Review Artifacts" in the Online Help.

System usage data, diagnostics, and heuristics information is collected and available through newly provided reports and through a downloadable JSON file for offline analysis and troubleshooting.

You can configure this feature by going to Admin > Diagnostics and clicking the Diagnostics and System Data tab. For more information, see "Diagnostics and System Data" in the Online Help.

The following changes have been made for Access Certification:

• User reviews now leverage business calendars to determine when the completion due date is calculated and displayed.
• The confirmation dialog for enabling or disabling an email template is now presented in a pop-up.
• When a Maintain with Expiration action is performed on a review item, the expiration date details are now included in the Comments and History section.

The following changes have been made in Change Requests and Workflow:

• The number of work items retained in the workflow history is now limited to reduce the amount of data loaded.
• The protocol for the URL specified in workpoint-client properties is now a variable and can be configured along with the URL and port.

Introduced IBM Security Identity Manager 6.0 connector template for provisioning requests on ISIM.

The following changes have been made for custom attributes:

• Custom attributes now have a reference name column, which stores an attribute name that unique across all attributes of the same type. The reference name cannot contain spaces, and any spaces detected are converted into underscores. In a new custom attribute, the reference name is automatically populated with the Attribute Name in which the spaces are replaced by underscores. This value is available for mapping in both Account Templates and AFX Connector Capabilities. This value is stored in the T_AV_CUSTOM_ATTRIBUTES table.
• When upgrading or patching from a previous version, the Attribute Name values for a custom attribute are migrated. The Reference Name column is populated with the values of the Attribute Name with spaces replaced by underscores.
• The Reference Name can only be modified during the creation of a new custom attribute.

New custom attributes for strings and user data are available for resource objects:

• CAS11 and CAS12 (varchar2), limit 4000
• CAS13 to CAS25 (varchar2), limit 256
• cau1 to cau5 (int)
• cau1_name to cau5_name (varchar2), limit 512

For more information, see "Creating and Managing Attributes for RSA Identity Governance and Lifecycle" in the Administrator's Guide and the online Help.

The following changes have been made for request forms:

• The Entitlement Table, Entitlement Table with Action, and Entitlement Table (non-visual) request form controls can now filter entitlements by entitlement types: entitlements, groups, roles, and application roles. This allows a finer scope and improved performance for the request form controls when only specific entitlement types are needed.
• The way in which request forms for applications prompt for account information from end users has been improved. Users with only one account are not prompted to select an account. Users with multiple accounts are prompted to select an account as the first step, before the rest of the form is displayed. All aspects of the displayed application request form take the selected account into consideration, eliminating the need to select an account after selecting entitlements.

32-bit installation of the AD Password Capture tool has been deprecated.

Hardware appliance operations, such as edit, restart, reboot, and shutdown, can no longer be performed through the RSA Identity Governance and Lifecycle user interface. To perform these operations, use OS access level commands.

The following changes were made to how RSA Identity Governance and Lifecycle handles report file names:

• If invalid characters are detected the report file name, the detected characters are replaced with an underscore.
• Strings of invalid characters are replaced with a single underscore. o
• The user interface allows characters not valid for the file name.
  • Invalid characters for Windows filenames are: " \ / : * ? < > | "
  • Invalid characters for Unix filenames are: " \ [ ] { } ( ) ' + - = ! @ # $ % ^ & ; ”

The JavaScript block form control no longer allows Display conditions. The Display tab for this form control displays a message for the restriction.

When Enable conditions are set, the JavaScript block entered is executed only when the conditions are satisfied.

If there are no conditions set, then the JavaScript block is executed whenever the form runs.

The "Role Missing Entitlement Rule" email notification now adds group entitlements collected from the ADC.

Rules are now processed one at a time to avoid a system error. The monitoring page relays this new process as follows:

Currently Processing Rule (X out of Y)
Steps 1-3

The JRE has been upgraded to Java 8.

By default, Java 8 enforces endpoint identification on LDAPS connections to improve the robustness of the connections. After upgrading, Active Directory collectors that use SSL that were previously able to connect might be unable to connect. View the aveksaServer.log for details about connection failures. If this occurs, ensure that the certificate of the host configured in the collector settings has the correct subject alternative name attributes available that match the hostname.