IBM Support

Supplementary release notes for IBM Security Privileged Identity Manager V2.0

News


Abstract

This document contains release information that was not documented in the published Release Notes.

Content


Overview

IBM Security Privileged Identity Manager, Version 2.0, is a virtual appliance for the IBM® Security Privileged Identity Manager solution. The virtual appliance simplifies deployment, administration, and configuration.



For more information about what's new, see New in 2.0.    

Installing

To download version 2.0, go to http://www.ibm.com/support/docview.wss?uid=swg24038026.

For more information about the IBM Security Privileged Identity Manager installation, see the following additional technotes:

 


If you are upgrading from earlier versions of IBM Security Privileged Identity Manager to Version 2.0, see the upgrade roadmap.    

Fix packs

IBM Security Privileged Identity Manager, Version 2.0, fix packs provide fixes to known problems, new functions, additional currency and application support, resiliency, and performance improvement.

Client

UPDATE for IBM Security Privileged Identity Manager only: Starting from August 2018, to obtain the latest fix packs and support for the AccessAgent client, download Privileged Access Agent 2.1.1. For more information, see the compatibility announcement.

Virtual appliance
You can download the fix pack installer from Fix Central, or click the fix pack link in the following table.

Fix Pack        Link to Fix Central
Fix Pack 3      2.0.0-ISS-ISPIM-VA-FP0003
Fix Pack 2      2.0.0-ISS-ISPIM-VA-FP0002
Interim Fix 1   2.0.0-ISS-ISPIM-VA-IF0001

Enhancements

Windows 8.1 support (with AccessAgent Fix Pack 10)


Credential check-out and check-in automation support is now available on Windows 8.1 with AccessAgent Fix Pack 10 (8.2.1-ISS-SAMESSO-AA-FP0010).

Issues and limitations



Integration with SoftLayer
Managing privileged credentials on SoftLayer is currently not supported. See announcement.

Shared access consoles
When the administrative console and the Service Center are open at the same time, logging in to the Service Center redirects the browser to the administrative console home page.

When connecting multiple credentials, View Requests does not show a value in the Requested For field.

When adding or editing credentials in the Service Center on Internet Explorer 10, you might have to click a text box (for example, the Login ID field) two or three times before it accepts input.

In the administrative console, expand Set System Security > Manage Views. The label Manage Password Providers should read Manage Identity Providers.

ID Feed Service will always use workflow for reconciliation. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21691715.

The Shared Access Bulk Load CSV format has no column header for the password interval, so end users cannot set the password interval (in days) for the credentials included in their CSV file.

The Privileged Identity Manager Service Center is not accessible.

The maximum check-out duration value does not change when you add a new credential by using default settings in the administrative console. (Manage Shared Access > Configure Credential Default Settings)

When performing an Advanced Search in the credential vault, you are unable to search for other Business Units when a Business Unit is already selected.
Workaround: Click Clear to remove the chosen Business Unit and search again to see all available Business Units.

When performing an Advanced Search in the credential vault, the label displays "User ID" instead of "Login ID".

A secondary organization cannot be deleted. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21690991.

The About page in the administrative console shows the wrong version number and maintenance level. The version number should be 2.0.0.0 and the Maintenance Level should be 0000. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21690989.

Embedded links for a credential in the administrative console or the Service Center redirect to the wrong page:
  1. When the credential is connected to an identity provider, the hyperlink in the Resource Name column opens the account form instead of the resource.
  2. When a credential is checked out, the hyperlink in the Check Out By column opens the Business Unit details page instead of the person form.

Identity Providers
The AIX identity provider is not working.
Workaround: Set up an external Directory Integrator component with the AIX adapter.

Upgrade issues with identity providers and adapters
For IBM Security Privileged Identity Manager deployments that have been upgraded:
  • New adapters are not shown in Manage Identity Providers in the Service Center.
  • Existing versions of adapters are not upgraded automatically.
Solution: You must upgrade each of the identity providers manually.
  1. In the administrative console, expand Configure System > Manage Service Types and click Import.
  2. Browse for the Service Definition File (a JAR file) for the new adapter.
For more information, see the related guides for the adapter in the IBM Security Identity Manager product documentation.


Session recording
  • In session recordings with IBM Personal Communications, the status-bar is not recorded.
  • The IBM Privileged Session Recorder configuration utility is available in English language only.
  • The IBM Privileged Session Recorder configuration utility cannot start when there are non-ASCII characters in the installation path.
  • For Arabic locales, the Privileged Session Recorder console does not use Arabic-Indic digits and does not use the correct date and time format.
  • On a monitored application, when you complete actions with modifier keys, for example Ctrl+A, the Privileged Session Recorder on the client computer logs the action as two separate events. For example: Ctrl and Ctrl+A.
  • The IBM Privileged Session Recorder ignores Microsoft Windows accessibility settings for StickyKeys, ToggleKeys, FilterKeys, and MouseKeys.
  • The IBM Security Privileged Identity Manager AccessAgent client cannot run multiple session recordings on Mozilla Firefox. Only one session recording can run on Mozilla Firefox at any one time, regardless of the number of windows or tabs that are open.
  • Session recording is not supported on the following versions of Internet Explorer:
    • Internet Explorer 8 or later when both the web browser Protected Mode and Windows 7 with User Account Control feature are enabled.
    • Internet Explorer 11 on Windows Server 2012, Windows 8.0, and Windows 8.1. For an updated list of web browsers and system requirements, see Detailed system requirements.
Automatic check-in and check-out
  • Issue: When the user simultaneously opens several instances of RDP, the Allow me to save credentials check box is not automatically selected. Check out of shared access credentials fails.
    Workaround: User must select the check box and click Connect to successfully check out the credential.
  • Issue: Credential injection fails when the user starts any of the applications, and at the time of injection the application is overlaid with another application, or with the lease expiry window.
    Workaround: Ensure that you place focus on the application until application logon is complete.
  • Issue: When using Remote Desktop Connection, AccessAgent offers to save the shared credentials after injecting the checked out user name and password. This issue occurs after the PIM_Profiles.eas AccessProfile is uploaded to the IMS Server.

    Workaround: Disable the sso_site_wnd_rdp6_with_options AccessProfile.
    1. Log in to AccessAgent as an ISAM ESSO administrator.
    2. Open AccessStudio.
    3. Choose File > Import data from local AccessAgent.
    4. From the list of AccessProfiles, select sso_site_wnd_rdp6_with_options.
    5. Select the General Properties tab.
    6. Under Signatures identifying web-page or exe where this AccessProfile is to be loaded, click Remove.
    7. Right-click sso_site_wnd_rdp6_with_options.
    8. Click Upload to IMS.
  • Issue: The password injection process does not start if you resize the PuTTY window to a width that is too small. This situation occurs if you resize the window to 24 columns wide, or to any width at which the user password prompt wraps onto a new line, as shown in the following example.
    login as: adminaccount
    adminaccount@192.0.2.24's password
    The password injection process with the bundled AccessProfile cannot find a match for the keyword password because the prompt, including the keyword, is split across separate lines. As a result, the password is not injected.
    Workaround: Resize the PuTTY window so that the line for the password does not split.
  • The bundled IBM Security Privileged Identity Manager AccessProfiles are not designed for Microsoft Remote Desktop Connection clients with versions 6.1.76xx.
  • The IBM Security Privileged Identity Manager AccessProfile for Microsoft Remote Desktop Connection RDP client does not support the injection of shared credentials at the RDP lock screen.
  • Check-out and check-in of shared credentials does not work for mainframe applications that run on z/OS® and i5 series and that use the following logon workflow:
    1. Inject user name.
    2. Press Tab.
    3. Inject password.
  • Multiple IBM Security Privileged Identity Manager credentials for one AccessAgent user are not supported.
  • When the user does not have an IBM Security Privileged Identity Manager credential in the user Wallet and simultaneously starts two applications, such as RDP and VMware vSphere Client, checking out shared credentials only works for one application where the user enters the IBM Security Privileged Identity Manager credentials when prompted by AccessAgent.
  • Shared access credential check-out in RDP only works when the General tab is selected.
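To illustrate the PuTTY wrapping failure described above, the following Python script (an added example, not IBM code) emulates a fixed-width terminal and a prompt signature that must match on a single rendered row. The regular expression is a hypothetical stand-in for the bundled AccessProfile signature, which the technote does not show, and the session lines are constructed from the example above.

```python
"""Why a single-row prompt signature stops matching once the terminal wraps
the login prompt (added example; the signature is a hypothetical stand-in)."""
import re

# Constructed sample session, modelled on the technote's example.
SESSION_LINES = [
    "login as: adminaccount",
    "adminaccount@192.0.2.24's password",
]

# Hypothetical signature for a "user@host's password" prompt. A real
# AccessProfile signature is not shown in the technote; this one only
# matches when the whole prompt appears on one rendered row.
PROMPT_SIGNATURE = re.compile(r"(?P<user>[^@\s]+)@(?P<host>[^\s']+)'s password")


def hard_wrap(line, width):
    """Emulate a terminal that breaks a line at exactly `width` columns."""
    if width < 1:
        raise ValueError("width must be at least 1 column")
    return [line[i:i + width] for i in range(0, len(line), width)] or [line]


def render(lines, width):
    """Rows as they would appear on a `width`-column terminal."""
    rows = []
    for line in lines:
        rows.extend(hard_wrap(line, width))
    return rows


def find_prompt(lines, width):
    """Return (user, host) if the prompt is intact on one row, else None."""
    for row in render(lines, width):
        match = PROMPT_SIGNATURE.search(row)
        if match:
            return match.group("user"), match.group("host")
    return None


def minimum_width(lines):
    """Narrowest terminal width at which the prompt still matches.

    This is the width the workaround (resizing the window) must exceed.
    """
    longest = max((len(line) for line in lines), default=0)
    for width in range(1, longest + 1):
        if find_prompt(lines, width) is not None:
            return width
    return None
```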

Archival

Exporting to a non-existent directory, or to a directory whose name contains spaces or special characters, fails with an error. The error occurs when you run sp_export_psr_partitionset:

Error Message : Unexpected error occurred : SQL0480N The procedure "SYSPROC.ADMIN_CMD " has not yet been called. SQLSTATE=51030

Virtual appliance

  • When the user accesses the monitoring URI for the Identity service, the response is displayed in the following format: service name, time taken in milliseconds, response code.
  • The message codes displayed during virtual appliance installation are not correct.
  • A translation error is displayed when you double-click Reconfigure.
  • Strings on the guided wizard exceed arrow indicator image size.
  • Topic: Setting up a stand-alone or primary node for IBM Security Privileged Identity Manager
    When you are specifying a custom root certificate in the Root CA Configuration page, the length of the Distinguished Name (DN) for the custom root certificate must not be longer than 128 characters. For example, CN=pim, OU=example, O=ibm, ST=cal, POSTALCODE=1067, C=US

Cognos reporting
When generating a Cognos-based report, if you require only the records for the current date, specify both the start date and the end date. Otherwise, records from previous dates are also included in the report.

Documentation updates


To download the latest PDF documentation, see http://www.ibm.com/support/docview.wss?uid=swg21689068.



The error message reference is available from the following technote.

The IBM Security Privileged Identity Manager Web Services reference is available from the following technote.

The page level help for the identity providers topic contains errors.

There is no page-level help for Enable password synchronization under Set Security Properties in the administrative console.

Page-level help is not found for Manage Applications in the Privileged Identity Manager Service Center.

In the administrative console, there is no help content for the Search for Access page.

The examples that are referred to in the Reference Guide are downloadable as an eAssembly.


Troubleshooting common issues



Problems with certificates.
Symptoms:
  • Check-in and check-out throw an error.
  • Check-in and check-out work, but nothing is recorded.
Causes:
  • Mismatched host name in the certificate.
  • DNS or the hosts file is not set up correctly to resolve the target URL.
Solution: Deploy the CA certificate with the AccessAgent installer. If AccessAgent is already installed, copy the certificate into the AccessAgent folder, and then restart.

Problem with certificates in a virtual appliance cluster.
Causes:
  • AccessAgent is not configured to communicate with the load balancer.
  • The load balancer's CA certificate is not imported properly.
  • The host name in the load balancer's certificate does not match.
Solution: Deploy the CA certificate with the AccessAgent installer. If AccessAgent is already installed, copy the certificate into the AccessAgent folder, and then restart. Check the host name in the certificate.

Virtual appliance is unstable.
Symptom: Some components do not start.
Causes:
  • The virtual appliance is deployed on an unsupported VMware platform or version.
  • Insufficient RAM.

Profile is loaded for application, but no check-in or check-out or recording occurs.
Cause: You are using a standard single sign-on profile, not one that is enhanced for check-in, check-out, and session recording.

Cannot log in to IBM Security Privileged Identity Manager components (for example, the administrative console or the self-service console).
Symptom: You repeatedly get a password invalid or password expired error.
Cause: Data tier was restarted while the virtual appliance was running.
Solution: Restart the virtual appliance.

AccessAgent throws a Privileged Credential Manager error about an invalid password during check-in and check-out.
Cause: IBM Security Privileged Identity Manager password has expired.
Solution: Reset the password in the Service Center.

Related Information


Document Information

Modified date:
31 August 2018

UID

swg21688678