SecurID^® Governance & Lifecycle Product Documentation

When Collect Data (all) is selected from  Collectors > Multi-App Collectors, the All Multi-App Account Collectors setting is now enabled by default.

Remote AFX and agents do not work after upgrading Java 1.8 JDK to u241 or higher. This patch updates the generation of the self-signed certificates for RSA Identity Governance and Lifecycle.

If you have applied this patch and upgraded to Java version JDK 8u241 or higher, you must download or regenerate the self-signed certificates for RSA Identity Governance and Lifecycle into your environment and restart the server.

1. Log in to RSA Identity Governance and Lifecycle, and go to Admin > System > Security. In a clustered environment, perform this step on the single system operations node (SON).
2. Click Change Certificate Store, and click OK to change the root certificate and CA.
3. Click Download and save the server.keystore file to a location on your computer.
4. Go to AFX > Servers, click Change Certificate Store, and click OK to change the client certificate.
5. Click Download and save the client.keystore file to a location on your computer.
6. Stop the ACM and AFX servers.
7. Copy the new server.keystore file to the location on the server where your web server reads the keystore. For example, $AVEKSA_HOME/keystore.
8. Copy the new client.keystore file to the AFX server under <AFX-server-root>/esb/conf.
9. Update the client.keystore files from the remote agents after you download the corresponding client.keystore from RSA Identity Governance and Lifecycle.
10. Restart the ACM and AFX servers and verify connectivity with the endpoints.

The following improvements have been made to the process of uploading additional JAR files to connect to other databases using a generic database.

• The driver field is now editable to support the addition of a new path and selecting the existing driver path from the list for the Generic Type Connector.
• Under Generic Type Connector > File Content, add and delete options have been added for custom driver JARs.
• Handled the upload and removal of custom drivers to and from AFX/esb/apps/connectorname/lib, where connectorname is the name of the connector.

Memory management in ActiveMQ has been updated to handle bulk change request items. You may need to modify the following ActiveMQ settings.

1. The queue can handle messages for a change request with about 500 change request items for an AFX connector. To handle a larger number of items than this default, update the settings as follows.

   1. Edit AFX\activemq\conf\activemq.xml.

   2. Find the policyEntry tag and modify the memoryLimit attribute value based on the requirement, as shown below, then save the changes.

      <policyEntry queue=">" producerFlowControl="true" useCache="false" memoryLimit="5mb">

2. The queue can handle approximately 50 AFX connectors for provisioning the change request items in parallel with the default settings. To configure a larger number of connectors than default allows, based on the requirement modify memoryUsage value accordingly.

   Example:
   Memory usage for an AFX connector needs approximately 5 MB. 5MB multiplied by 50 connectors is a total of 250 MB, which is the default.
   The memory usage is calculated based on the memoryLimit values in point 1.

   1. Edit AFX\activemq\conf\activemq.xml.

   2. Find the memoryUsage tag and modify the limit attribute value based on the requirement.

      <memoryUsage>
      <memoryUsage limit="256 mb"/>
      </memoryUsage

   3. Find the tempUsage tag and modify the limit attribute value same as memoryUsage value.

      <tempUsage>
      <tempUsage limit="256 mb"/>
      </tempUsage>

   4. Find the storeUsage tag and modify the limit based on changes of memoryUsage value.

      <storeUsage>
      <storeUsage limit="1 gb"/>
      </storeUsage>

   5. Save changes.

3. Based on the requirements and memory configuration changes, the ActiveMQ heap size must be updated. The recommended heap size is between 2 and 4 GB.

   1. Edit the AFX/bin/afx.sh script.

   2. Update the ACTIVEMQ_OPTS Xms and Xmx values.

   3. Edit the AFX/activemq/bin/activemq.sh script.

   4. Update the ACTIVEMQ_OPTS Xms and Xmx values.

The following dashboard components have been created for the System Admin Dashboard:

• System Admin: System Information
• System Admin: Enabled Modules
• System Admin: Collections Status
• System Admin: Workflow Jobs Status
• System Admin: Admin Errors
• System Admin: User Sessions

The following changes have been made in roles:

• In the Members tab, Missing Direct Entitlements has been changed to Missing Direct Entitlements (Active).
• In the Entitlements tab, Direct Members Missing has been changed to Direct Active Members Missing.
• In the Analytics tab, Missing Entitlements has been changed to Missing Entitlements for Active Members.
• In the Analytics tab, the new metric Number of Users (Terminated) has been added.

Diagnostic and system data information is collected either on demand or on a scheduled basis to use in dashboard and custom reports that show system details and trends. The data can also be shared with RSA to provide details on your environment and usage. These details provide RSA with insight that facilitates decisions such as providing extended support and deprecating certain versions, as well as what new features and enhancements to prioritize in upcoming releases.

Administrators can change these settings in Admin > Diagnostics > Diagnostics and System Data.

There are several improvements to the RSA Identity Governance and Lifecycle installation process:

• The installation process has been improved to allow installation using either the root user or oracle user, depending on the specific environment and requirements.

  Installation as the root user is required for deployments in which you use an RSA-supplied database or in which you want to run RSA Identity Governance and Lifecycle as a service. Root user installation is required for any deployment in which sudo functionality is needed.

  Installation as the oracle user is an option for environments that use a remote database and do not require the use of services or sudo functionality.

  For instructions for each of these installation options, see the RSA Identity Governance and Lifecycle Installation Guide.

• The installation script now prompts users to confirm passwords entered when configuring a remote database.

Several improvements were made to web services:

• All available commands are now organized across several tabs labeled by category. The Settings tab, which is the first tab the user sees, provides a high-level ability to toggle web services on and off, allows the user to specify a list of IP addresses that can be used for commands, and the import directory where some commands may look for content. Those commands will indicate in their details that they use the import directory.
• The user interface that lists all commands has been redesigned to display the commands in a table format. A user can click the Click for Details link for a particular command to expand a command's row and view details about using the command. The new table includes a security column that uses icons to represent the current settings for the command, and a Configure button to change the security.
• Security settings are now configured at the command-level. A user can only change the security for a particular command to be stronger than the default, out-of-the-box security setting.
• Added the deleteCollector web service, which allows users with appropriate privileges to delete a collector from the system.
• Added support for using a bearer token in request headers instead of passing the token in the URL.

This release introduces many improvements to the user interface to provide a cleaner, faster, and more consistent user experience. These changes include:

• An improved notification panel with notifications grouped by date.
• Redesigned UI components, such as dialogs, buttons, and navigation.
• Card-based component layout.
• New icon set for high-resolution displays.
• Charts now have a modern theme and layout with improved animation. You can now download charts.
• Added auto-refresh functionality to the pages at Admin > Diagnostics > General and Admin > Diagnostics > Logs.
• Added support to upload JavaScript files in the Files tab under Admin > User Interface, which may be used to perform custom validation for request forms or may be referenced from JSP pages. Consult Professional Services before using this feature.

The following improvements have been made in access certification:

• The display names for the Review and Revoke buttons for roles in fine-grained role reviews and for groups in group reviews are now specified within the review definition using two new text fields. Previously, the display names for these buttons were configured using the global resources strings RoleReview_Maintain, RoleReview_Revoke, GroupReview_Maintain, and GroupReview_Revoke.

• When the Allow expiration option is selected for the Maintain state in a review definition, the Display Name text field now appears, allowing users to enter a display name for this state.

• In a review, the Expiration date field displayed in the flyout for the Maintain with Expiration state, which indicates the date on which the exceptional access expires, has been renamed to Expires on, to avoid confusion with other fields.
• You can now limit the maximum number of days in the future that a reviewer can set as the expiration date when choosing the Maintain with Expiration state for a review item. The Default and Maximum Expiration Days setting can be configured under both Reviews > Configuration and Rules > Configuration.

• When determining unchanged items, RSA Identity Governance and Lifecycle considers only reviews generated in the past 365 days instead of all reviews. An item for a reviewer is tagged as unchanged when he or she has last reviewed it with the Maintain state in a review that was generated in the last 365 days, and none of the attributes of the reviewed entitlement have changed.

• The Expiring Soon tooltip now includes the expiration date.

• The order of categories for Review Analysis and Guidance in the review and review definition have been reordered to prioritize.

The Aveksa Statistics Report (ASR) has the following new columns for the Unified Users section:

• terminatedUser.count — The total number of terminated users.
• deletedUsers.total — The total number of deleted users.
• user.total — The total number of users.

The following changes have been made in Change Requests and Workflow:

• The Workflow Architect has a new “Auto Complete Category” option when grouping by category that indicates whether the Category Manager automatically completes all other work items in a category. By default, this option is selected.

• The Processing Workflow link in change requests is now visible to users with the Access Request Admin: Administrator entitlement.

Multi-app collectors now provide the option to collect Account Disabled Status and Account Lock Status in the collector configuration.

SUSE Linux Enterprise Server (SLES) 11 and Red Hat Enterprise Linux (RHEL) 6 have been deprecated.

In hardware appliance and software bundle deployments, use the RSA Identity Governance and Lifecycle Appliance Updater to upgrade the operating system.

The following views and associated reports have been deprecated:

Saved results from previous reports are still accessible.

Fixed the failure of roles explosion from change requests when duplicate roles are found in system. This addresses the issue of user entitlement discrepancies due to explosion failures. Additionally, multiple issues with roles import were addressed. During import, the system reuses the existing members and entitlements when overwriting a local role instead of fully deleting them and creating new entries. When importing roles, the system now looks only for active roles with similar names so that deleted roles are not reactivated. This change will avoid the creation of multiple active roles with role name. If a role being imported matches an existing active collected role, the system throws an exception instead of overwriting the role. Collected roles are not overwritten at any point.