Release Notes
General
This Readme file contains information about changes and enhancements of DirX Identity 9.0.0 (build 29615), in addition to the standard product documentation.
This release of DirX Identity provides installation packages for Windows and Linux that contain a license as a text file, the ReleaseNotes, and the HistoryOfChanges, in addition to all user manuals and use case documents of this release in PDF format.
For any other documentation or files, please have a look at the released DirX Identity 9.0 iso-image, which can be downloaded from the DirX support portal.
This version of DirX Identity can be installed without any DirX Identity installed beforehand, but it can also be installed as a patch for any previously installed DirX Identity V8.9 or 8.10 instance, including the SP variants.
For a standard installation (initial or patch) on Windows, just start the dirxidty.exe in a graphical environment.
For a standard installation (initial or patch) on Linux, run the following command in a graphical environment: chmod 700 dirxidty.bin; ./dirxidty.bin -i GUI
For detailed installation instructions and advanced scenarios, please refer to the DirX Identity Installation Guide.
The installation of DirX Identity 9.0.0 requires a Java Runtime Environment 21.
Licenses
The End User License Agreement must be accepted to use the DirX Identity software products. Please refer to the file license.txt on Windows systems, or read the license agreement file with page or more on Linux systems.
DirX Identity Highlights
General Features
DirX Identity provides a comprehensive, process-driven, customizable, cloud-ready, scalable, and highly available identity management solution for enterprises and organizations. It delivers risk-based identity and access governance functionality seamlessly integrated with automated provisioning. Features include life-cycle management for users and roles, cross-platform and rule-based provisioning in real-time, Web-based user self-service and delegated administration, request workflows, access certification, password management, metadirectory and auditing and reporting.
DirX Identity is available with two options for the base license: Business Suite and Pro Suite. The Pro Upgrade option allows a customer to extend the Business Suite license to a Pro Suite license. The base licenses can be extended by the following add-on license options: Connectivity Packages, Password Management Option and High Availability Option.
The Business Suite comprises these features:
- Powerful applications to create identities from various sources
- DirX Identity Business User Access – various user interfaces
- Self-service capability for group assignments
- Access policies for delegated administration
- Maintenance applications for consistency checking and/or automatic repair of detected problems
- Policy-based automatic provisioning for groups
- Automatic inheritance of groups from business objects
- Real-time and scheduled target system synchronization and validation/reconciliation for accounts and groups
- Event-based change notification to trigger real-time provisioning
- Identity Manager administrator interface
- DirX Identity Servers for Java-based and C/C++-based connectivity to target systems
- Support for monitoring DirX Identity Servers with Nagios
- DirX Identity Framework for Java and C/C++ to build customer specific connectivity to target systems
- DirX Identity Web and REST services to handle most of DirX Identity’s functionality
- Status reports for basic auditing (also available through the Web Center)
- A basic connectivity package that comprises file-based, LDAP-based, SPML, and DirX Access connectivity
The Pro Suite includes the Business Suite and the following features:
- Risk management
- Additional privilege structures (roles and permissions) including parameters and hierarchies
- Policy-based provisioning for roles and permissions
- Automatic inheritance of roles and permissions from business objects
- Support for personas, user facets and functional users
- Hierarchical segregation of duty (SoD)
- Additional functionality within the Web Center
- Graphically configurable request workflows for creation, modification and approval of objects and assignments
- Access certification campaigns to verify periodically that roles are assigned to users in compliance
- Re-approval workflows to renew approvals for critical assignments before they expire
- Enhanced access policy functionality
- Comprehensive password management functionality
- Management of passwords for privileged (often called shared) accounts
- Configurable audit trail with optional system and client signature
The DirX Identity Business Access provides different user interfaces for administering the business features of DirX Identity:
- DirX Identity Business User Interface
- DirX Identity Web Center interface available as stand-alone and SAP NetWeaver version
- DirX Identity Web Admin to monitor and control DirX Identity Servers
Connectivity packages are available for:
- Microsoft applications
- Databases
- Cloud systems
- Proxies
- SAP applications
- IBM applications
- HCL applications
- Communication applications
- Health care applications
- Enterprise single sign-on systems
The Password Management Option includes the following features:
- Password policies
- Password change by end user via Web Center
- Password change by end user for a subset of their accounts
- Display the password change status
- Challenge/response to reset forgotten passwords (self-service)
- Challenge/response to reset forgotten passwords (via admin)
- Administrative password reset
- DirX Password Reset client
New Features of DirX Identity 9.0.0
- SCIM v2 Provisioning Workflows for User and Group management
- Enhanced support of Microsoft Entra as a target system
  - Microsoft 365 groups
    - Public, Private, HiddenMembership
  - Microsoft 365 teams groups
    - Public, Private, Security groups
  - ADS Agent supports UTF-8 encoding
- New HCL Domino REST Connector
- New Identity Manager design
  - New look and feel
    - Modernized page layout and restructured menus
    - Light and dark theme
  - Customizable
    - Create themes
    - SVG icons and fonts can be colorized and resized
  - Support of DirX Directory 9.1 Temporary One-Time Password (OTP) feature for user authentication
- New User Resolution Implementation
  - Deploy integrated or as separate service for better performance and scalability
- Support for multiple TSAccount configurations in the same target system configuration
- Replaced outdated Rhino JavaScript engine with GraalVM for better performance and support of modern JavaScript features
- Added Timezone Support for Java-based Servers and corrected timezone differences between Java-based Servers, C++-based Server and LDAP GeneralizedTime.
- Support for Java SE 21
For more details refer to the History of Changes document.
Information about Discontinued Features
Server Admin web application was removed in DirX Identity 9.0. Please use Web Admin instead.
DirX Identity 9.0 or newer no longer supports these features:
- Support of Microsoft Lync 2013
- Connectivity package for Imprivata OneSign
- Connectivity package for HiPath 4000
- Connectivity package for SiPass
- Connectivity package for ODBC Agent
- Reapproval Workflows (use Certification campaigns)
- Boston Workstation Connectivity (connector)
- XSLT-based Reports
- Server Admin web application
- Microsoft Windows Server 2016 (x86-64 Intel architecture)
- Linux Kernel v3 as used in Red Hat 7
- Linux Red Hat Enterprise Linux 7 (x86-64 Intel architecture)
DirX Identity 9.0 is the last version that supports the following features:
- DirX Identity for Password Management
  - DirX Password Reset Client
  - Web Center for Password Management
- Web Center for SAP NetWeaver
Releases overview
DirX Identity releases:
| Release | Build | Date | Note |
|---|---|---|---|
| DirX Identity 8.10.14 | (build 1858) | Feb. 24, 2026 | *) |
| DirX Identity 8.10.13 | (build 1711) | Oct. 27, 2025 | *) |
| DirX Identity 8.10.12 | (build 1638) | Aug. 25, 2025 | *) |
| DirX Identity 8.10.11 | (build 1589) | Jul. 15, 2025 | *) |
| DirX Identity 8.10.10 | (build 1514) | May. 18, 2025 | *) |
| DirX Identity 8.10.9.a | (build 1483) | May. 09, 2025 | *) |
| DirX Identity 8.10.9 | (build 1474) | Apr. 13, 2025 | *) |
| DirX Identity 8.10.8 | (build 1432) | Mar. 25, 2025 | *) |
| DirX Identity 8.10.7 | (build 1360) | Feb. 12, 2025 | *) |
| DirX Identity 8.10.6 | (build 344932) | Jan. 8, 2025 | *) |
| DirX Identity 8.10.5 | (build 344643) | Dec. 2, 2024 | *) |
| DirX Identity 8.10.4 | (build 344084) | Nov. 8, 2024 | *) |
| DirX Identity 8.10.3 | (build 343905) | Sep. 25, 2024 | *) |
| DirX Identity V8.10 SP2 | (build 112) | Jun. 28, 2024 | *) |
| DirX Identity V8.10 SP1 | (build 34) | Dec. 16, 2022 | *) |
| DirX Identity V8.10 | (build 33) | Feb. 7, 2022 | *) |
| DirX Identity V8.9 SP3 | | Apr. 13, 2022 | *) |
| DirX Identity V8.9 SP2 | | Feb. 25, 2021 | *) |
| DirX Identity V8.9 SP1 | | Jul. 13, 2020 | *) |
| DirX Identity V8.9 | (build 22) | Jul. 31, 2019 | *) |
| DirX Identity V8.7 SP4 | | Nov. 30, 2019 | *) |
| DirX Identity V8.7 SP3 | | Nov. 30, 2018 | *) |
| DirX Identity V8.7 SP2 | | Jun. 29, 2018 | *) |
| DirX Identity V8.7 SP1 | | Apr. 30, 2018 | *) |
| DirX Identity V8.7 | (build 15) | Dec. 21, 2017 | *) |
*) See the history-of-changes.pdf file for a history of changes of these DirX Identity releases.
Supported Platforms
DirX Identity Version 9.0 or newer is available on the following platforms:
| Platform | Supported versions |
|---|---|
| Windows | Microsoft Windows Server 2019 (x86-64 Intel architecture; with Desktop Experience) |
| | Microsoft Windows Server 2022 (x86-64 Intel architecture; with Desktop Experience) |
| | Microsoft Windows Server 2025 (x86-64 Intel architecture; with Desktop Experience) |
The DirX Identity Manager client also runs on Microsoft Windows 10 / Windows 11.
You can install DirX Identity completely on Microsoft Windows 10 or 11 for non-productive use (demos or POCs). Do not use this configuration for productive use.
| Platform | Supported versions |
|---|---|
| Linux | Red Hat Enterprise Linux 8 (x86-64 Intel architecture) |
| | Red Hat Enterprise Linux 9 (x86-64 Intel architecture) |
| | SUSE Linux Enterprise Server 12 (x86-64 Intel architecture) |
| | SUSE Linux Enterprise Server 15 (x86-64 Intel architecture) |
Additional remarks for using Linux platforms:
32-bit libraries are not installed by default on Red Hat Enterprise Linux.
To run DirX Identity successfully for Red Hat Enterprise Linux, you need to install at least the following 32- and 64-bit library packages:
- yum install ksh
- yum install xinetd
- yum install glibc.i686
- yum install libXext.i686
- yum install libXtst.i686
- yum install libuuid.i686
- yum install libgcc.i686
- yum install libnsl.i686
- yum install cyrus-sasl-lib.i686
- yum install libstdc++.i686
- yum install zlib.i686
- yum install libXrender.i686
- yum install chkconfig (only for Red Hat 9)
- yum install initscripts (only for Red Hat 9)
Don’t forget to add the 32-bit library path /lib to your LD_LIBRARY_PATH environment variable.
Soft links
Additionally, for Red Hat you need libsasl2.so.2, which is missing. To overcome this issue for DirX Identity, create the following soft links, if not already done:
- /lib/libsasl2.so.2, which points to /lib/libsasl2.so.3
- /usr/lib64/libsasl2.so.2, which points to /usr/lib64/libsasl2.so.3
Additionally, for Red Hat 9, create a link libcrypt.so.1 that points to libcrypt.so.2:
cd /lib
ln -s libcrypt.so.2 libcrypt.so.1
For SUSE Linux, the above-mentioned library packages might need to be installed, especially if your operating system installation is not a default installation. The list of required 32- and 64-bit libraries for SUSE Linux is like the one for Red Hat, except that package names might be slightly different and a different installation utility is used (yast instead of yum). This is the related search pattern list for verifying their presence when using the graphical interface (yast → Software Manager):
- ksh
- xinetd
- glibc
- libXext
- libuuid
- libgcc
- libnsl
- cyrus-sasl
- libstdc++
- zlib.i686
- libXrender
- libcrypt1-32bit
- insserv-compat
Additionally, for SUSE Linux you need libsasl2.so.2, which is missing. To overcome this issue for DirX Identity, create the following soft links, if not already done:
- /lib/libsasl2.so.2, which points to /lib/libsasl2.so.3
- /usr/lib64/libsasl2.so.2, which points to /usr/lib64/libsasl2.so.3
Support of virtual machines:
VMWare ESXi, in combination with guest operating systems listed above that are supported by VMWare ESXi.
Support of hardware cluster configurations is available on request.
Microsoft Hyper-V has not been tested thoroughly, but occasional use suggests that it might work as well.
Java Requirements for DirX Identity
DirX Identity requires a customer-supplied Java SE installation. No embedded Java environment comes with DirX Identity. It is the customer’s responsibility to download and install any Java SE security patches in time.
As described in the DirX Identity Installation Guide these are the options regarding the Java environment:
- The product must be an implementation of the Java Platform, Standard Edition (Java SE).
- The related version number must be 21.0.xx.
- It must be a 64-bit distribution.
- The distribution must be TCK tested (Technology Compatibility Kit for Java).
Tested and considered working Java distributions are:
- Oracle Java SE 21 (LTS)
- Adoptium Eclipse Temurin JDK-21
For details regarding said installation options, see the chapter “Installation” and “The Java for DirX Identity” in the DirX Identity Installation Guide.
Supported Apache Tomcat Installations
DirX Identity Web Center / Web Center for Password Management / Business User Interface / REST service / Provisioning web service support these Apache Tomcat versions (running with a Java SE 21):
- Tomcat 11
Use an installed Java SE 21 version with the latest security patches installed. It is the customer’s responsibility to download and install any Java SE security patches in time.
Please also consider additional steps to secure Tomcat beyond the default installation. As the Tomcat installation comes with a default username / password for the Tomcat administrator, we strongly recommend additional measures to secure the Tomcat web container by following the guidelines in https://tomcat.apache.org/tomcat-11.0-doc/security-howto.html.
Supported Directories
| Product | Version |
|---|---|
| DirX Directory | 9.0 or higher |
Patch level 9.4.454 or higher is preferred because of support of new LDAP controls that increase the performance of the LDAP lock feature.
Please note that all components of DirX Identity must work with the master directory server of DirX Directory or with a synchronous DirX Directory shadow server. It cannot work with asynchronous shadow servers due to the delay that occurs after a write operation on the shadow until the information is provided via chaining from the master again. Using asynchronous shadow servers is only allowed for pure read applications. For best performance, the master directory server should be used.
Supported JMS Messaging Servers
DirX Identity supports the following JMS messaging server:
- Apache ActiveMQ message broker (included in the installation)
Delivery Packages
This section provides information about DirX Identity 9.0 or newer delivery packages on the supported platforms.
Windows Platforms
For Windows platforms, a single installation package is provided that installs the following DirX Identity components:
- Connectivity - LDAP Schema and Configuration Data
- Provisioning - LDAP Schema and Configuration Data
- ActiveMQ Message Broker
- Identity Server (C++-based)
- Identity Server (Java-based)
- Manager
- Web Center
- Web Center for SAP NetWeaver
- Web Center for Password Management
- Business User Interface
- Provisioning Web service
- REST service
It also includes these connectivity packages:
- Default: LDAP, Files, SPML
- Microsoft: Entra (including Exchange), SharePoint, Teams
- Database: JDBC
- SAP: SAP ERP HR UniCode (former SAP R/3), SAP ECC UM (former SAP R/3), SAP NetWeaver (former EP) UM
- IBM: RACF
- HCL: Notes
- Communication: Unify Office
- HealthCare: Medico//s
- ESSO: Evidian ESSO
- Cloud Systems: Google Apps, Citrix ShareFile, Microsoft Office 365, Salesforce
- Proxy: Remote Upload Connector, OpenICF Proxy Connector
The Business package can be upgraded with a special license (Pro Suite Upgrade) to obtain additional powerful functionality.
For a detailed description of the installation prerequisite and procedure see the DirX Identity Installation Guide.
Linux Platforms
For Linux platforms, a single installation package is provided that installs all DirX Identity components as for Windows, but without the connectivity packages for:
- Microsoft: Entra (agent only, connector is running)
- HCL: Notes
Distribution Media
Software packages for all platforms are usually distributed on DVDs. All platforms are delivered together on one DVD.
The cumulative patch 9.0.0 is delivered in two zip-archives:
- The zip-archive (DirX_Identity_9.0.0-Windows.zip) contains the Windows installation package available in the sub folder 'Windows-Installer'.
- The zip-archive (DirX_Identity_9.0.0-Linux.zip) contains the Linux installation package available in the sub folder 'linux-installer'.
They can be downloaded from the DirX support portal (https://support.dirx.solutions/).
In addition to the distribution medium, you must purchase separate product licenses to use the software packages.
Please contact your local sales representative for details on product licenses.
Resources
Each DVD or zip-archive ships with modified sources of the:
- Mozilla LDAP Java SDK (see also: https://www.mozilla.org). You can find them - along with a brief documentation of the modifications - in the folder Resources of the DVD.
- Genivia gSOAP C++ SOAP Server (see also: https://www.genivia.com/dev.html). You can find them - along with a brief documentation of the modifications - in the folder Resources of the DVD.
User Documentation
DirX Identity User Manuals
The following manuals are available in Adobe PDF format:
- DirX Identity 9.0 Introduction (introduction.pdf)
- DirX Identity 9.0 Tutorial (tutorial.pdf)
- DirX Identity 9.0 Provisioning Administration Guide (prov-admin-guide.pdf)
- DirX Identity 9.0 Connectivity Administration Guide (conn-admin-guide.pdf)
- DirX Identity 9.0 User Interface Guide (bui-user-guide.pdf)
- DirX Identity 9.0 Application Development Guide (appl-dev-guide.pdf)
- DirX Identity 9.0 Customization Guide (custom-guide.pdf)
- DirX Identity 9.0 Integration Framework Guide (integration-framework.pdf)
- DirX Identity 9.0 Connectivity Meta Controller Reference (metacp-ref.pdf)
- DirX Identity 9.0 Connectivity Reference (conn-ref.pdf)
- DirX Identity 9.0 Web Center Reference (web-center-ref.pdf)
- DirX Identity 9.0 Web Center Customization Guide (web-center-custom-guide.pdf)
- DirX Identity 9.0 Troubleshooting Guide (troubleshooting-guide.pdf)
- DirX Identity 9.0 Installation Guide (install-guide.pdf)
- DirX Identity 9.0 Migration Guide (migration-guide.pdf)
The DVD may optionally contain the migration guides of previous DirX Identity versions.
Additionally, a set of Use Case documents is available:
- Creating a Custom Target System Type (creating-custom-targetSystemType.pdf)
- Java Programming in DirX Identity (java-programming)
- Service Management (service-management.pdf)
- Using Domains (using-domains.pdf)
- Using Segregation of Duties (using-segregation-of-duties.pdf)
- Password Management (password-management.pdf)
- High Availability (high-availability.pdf)
- Realtime Synchronization within an Identity Domain (realtime-synchronization.pdf)
- Enabling Smart Card Login for Identity Manager (smart-card-login-manager.pdf)
- Monitoring DirX Identity Servers with Nagios (nagios-support.pdf)
- User specific Proposal Lists for Role Parameters (user-specific-proposals-for-roleParameters.pdf)
- Certification Campaigns (certification-campaign.pdf)
- Configuring the Maintenance Workflows for User Facets (userFacet-maintenance.pdf)
- Web Center File Upload (webCenter-file-upload.pdf)
- Atos Password Reset Client Installation Guide (password-reset-client-installation.pdf)
- Atos Password Reset Client User Interface Guide (password-reset-client-gui.pdf)
- Business User Interface User Guide (bui-user-guide.pdf)
- Business User Interface Configuration Guide (bui-config-guide.pdf)
- Jaspersoft Reports (jaspersoft-reports.pdf)
You need Adobe Acrobat Reader to view PDF files. For a free copy of Adobe Acrobat Reader please refer to
DirX Identity Online Help
All manuals are also available online at https://docs.dirx.solutions/. Also, all manuals except the guides for Installation, Migration and Web Center as well as the Use Case documents are also available in the DirX Identity Manager using the help button.
DirX Support Notes
Please refer to the DirX Identity Support Notes in the IAM Support Portal for more information about important warnings, known problems and their solutions.
Hardware Requirements
This section provides information about hardware requirements.
Software Requirements
DirX Identity 9.0 or newer requires:
- An installation of one of the supported directory servers (see section above).
- One of the supported operating systems (see section above).
- A supported Apache Tomcat installation (see section above).
The DirX Identity Web Center supports these types of browsers:
- Mozilla Firefox 78 or newer
- Google Chrome 96 or newer (Request signing via Java applet is not supported)
- Microsoft Edge 96 or newer (Request signing via Java applet is not supported)
The DirX Identity Web Center for Password Management supports these types of browsers:
- Mozilla Firefox 147 or newer
- Google Chrome 142 or newer
- Microsoft Edge 142 or newer
The DirX Identity Web Admin supports these types of browsers:
- Mozilla Firefox 147 or newer
- Google Chrome 142 or newer
- Microsoft Edge 142 or newer
The Business User Interface application supports these types of browsers:
- Mozilla Firefox 147 or newer
- Google Chrome 142 or newer
- Microsoft Edge 142 or newer
Make sure that the browsers allow the application to store information into its local session storage.
Included 3rd party software:
(for exact version information, refer to the Software Bill of Material (SBOM) files in your installation folder.)
- Apache ActiveMQ message broker (included in the installation)
  If you consider upgrading the message broker, please contact the DirX support unit.
- Apache Embedded Tomcat (included in the installation)
  If you consider upgrading the embedded Tomcat, please contact the DirX support unit.
- On Windows: Microsoft Visual C++ Redistributables for x86 and x64. If newer redistributables are installed, then the installer does not install an older version (included in the installation)
- Tanuki Java Service Wrapper Standard Edition for starting Apache ActiveMQ as a service (included in the installation)
The HCL Notes Agent requires an installation of Notes Client 8.5 or higher. Ideally, the version number of the Notes Client should be equal to or greater than the version number of the Notes / Domino server.
The ODBC Agent requires an installation of an ODBC driver. Note: ODBC drivers are not part of the DirX Identity delivery.
The JDBC Agent/Connector requires an installation of a JDBC driver. Note: JDBC drivers are not part of the DirX Identity delivery – see the related Workflow description for more information.
The SAP ECC UM Agent/Connector supports ECC 6.0, SAP S/4HANA (1709 FPS1 or higher) on-premise and higher and runs with all NetWeaver (ABAP stack) platforms that are supported by the SAP Java Connector and by DirX Identity. For more details see the Connectivity Reference Guide, Chapter 3.10.
The SAP ECC UM Agent requires an installation of SAP JCo (Java Connector) Version 3.1.7 or higher. The 64 bit JCo is required.
For the DirX Identity backup functionality, gzip is required on all platforms.
For Linux, gzip is a part of the operating system and must be installed. The minimum version required is gzip 1.3.5. The installed gzip version is displayed by the command gzip -V.
For Windows, the gzip program must be downloaded. The minimum version required is gzip 1.14.
A suitable gzip program is available from https://www.gnu.org, for example. The gzip program “gzip.exe” must be found via the PATH environment variable.
Changed Configuration Files
The following configuration files have changed. The base for this list is 9.0. Any changes that were done before an upgrade or update installation are overwritten:
- The configuration files idmsvc.ini/runServer.bat/sh for a Java-based server were changed.
- The configuration file dxmmsssvr.ini for a C++-based server was changed.
- Configuration files for Apache ActiveMQ were changed (activemq.xml, wrapper.conf).
- Configuration files for Apache Log4j were changed from version 1.x to 2.x.
- For changes to Web Center or Web Center for Password Management, see the extra text files.
- For changes to SPML Provisioning Web Services, see the extra text files.
- For changes to the REST Services, see the extra text files.
Installation
The installable components, installation and migration configurations and procedures are described in the Installation Guide and the Migration Guide.
Documentation Extensions
The default pathname on Windows platforms has changed starting with 8.10 SP2. The notation convention install_path on Windows systems is C:\Program Files\DirX\Identity.
- Meta Controller Reference, chapter 6.3 Certification Administration – correct link:
  For complete documentation of the certutil command line tool, see the project’s page: https://firefox-source-docs.mozilla.org/security/nss/
  Use the option -d dbm:<directory> for the legacy database cert8.db.
- Use Case document Monitoring DirX Identity Servers with Nagios, chapter 2.3.8:
  To obtain the JMX port for a Java-based Server, examine the following parameter in the INI file <DXI_INSTALL_PATH>/ids-j-<DOMAIN>-S<N>/bin/idmsvc.ini:
  16=-Dcom.sun.management.jmxremote.port=40005
  The leading number might differ. Do not confuse that with the second parameter (-Dcom.sun.management.jmxremote.rmi.port=40006).
- Enabling Smart Card Login for DirX Identity Manager - Configuring DirX Identity: the ordering of the tasks must be changed. "Setting up the request workflow service for SASL authentication" is the first task, not the last.
  The corrected paragraphs:

  2.1.4 Configuring DirX Identity
  Configuring DirX Identity for smart card login in the recommended scenario consists of the following tasks:
  - Setting up the request workflow service for SASL authentication.
  - Creating the personalized DomainAdmin in the Provisioning view.
  - Storing the smart card certificate in the personalized DomainAdmin.
  - Adding the personalized DomainAdmin to DirXmetahub read and write groups in the Connectivity view.

  Set up Request Workflow Service SASL Authentication
  To set up request workflow service authentication:
  - Navigate to the utils/ssl subdirectory in the directory of the Java-based Server that runs the request workflows; for example, for Sample domain, <DXI_INSTALL_PATH>/ids-j-My-Company-S1/utils/ssl.
  - Edit the following genManager.bat (or .sh) script parameters to your requirements:
    set dname - specifies the host name
    set alias - specifies the keystore alias
    set keystorePassword - specifies the keystore password.
    set truststorePassword - specifies the truststore password.
  - Run the genManager.bat (or .sh) script.
  - Copy the generated keystore file to <DXI_INSTALL_PATH>/gui/bin on the machine that hosts DirX Identity Manager.
  - In <DXI_INSTALL_PATH>/gui/bin, edit the dxi.cfg property file: uncomment the following lines and then set the keystoreName and keystoreAlias values:
    #keystoreName=manager-keystore-<alias>
    #keystoreAlias=<alias>
    For example:
    keystoreName=manager-keystore-AN_ALIAS
    keystoreAlias=AN_ALIAS
- Description of the custom field validation for Business User Interface:
  To add support for field validation in a form (e.g., in the “My profile” page), a script must be modified. This script file is called validator.js and is available in the extern folder. It provides a function validate, which is called when a field (control) is modified in the form.
  To validate a field, the following actions must be executed:
  - Extract the Formly key of the control (Formly does not provide direct access to this field; it must be extracted from the _fields attribute).
  - Check whether the acquired key is the current target to be validated (e.g., the key has the value ‘mobile’). Available key values are set in the JSON files in the forms folder (e.g., my-profile.json).
  - Extract the field value and check whether it passes the validation criteria.
  - Return null if the value is valid; otherwise return an object with the key for the invalid value (e.g., { mobile: true }). See the file extern/validator.js for more implementation details.
  Formly is a dynamic form library for Angular and is used by the Business User Interface (see https://formly.dev/).
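The four validation steps above, written out as an added example; this is not the validator.js shipped with the product. It assumes that validate receives the form control as its only argument and that Formly's field configuration is reachable as control._fields[0]; the phone-number rule, the helper formlyKeyOf and the sample controls are constructed for illustration.

```javascript
// Added example, not the validator.js shipped with DirX Identity.
// Assumptions: validate() receives the form control as its only argument and
// Formly's field configuration is reachable as control._fields[0].

const MAX_INPUT_LENGTH = 32; // reject oversized input before running the regex

// Validation rules per Formly key. Keys must match those set in the JSON
// files of the forms folder (e.g. my-profile.json). The rule is illustrative.
const RULES = new Map([
  ['mobile', (value) => {
    if (typeof value !== 'string' || value.length > MAX_INPUT_LENGTH) return false;
    // Ignore common separators, then require an optional '+' and 6 to 15 digits.
    const compact = value.replace(/[\s().\/-]/g, '');
    return /^\+?[0-9]{6,15}$/.test(compact);
  }],
]);

// Step 1: extract the Formly key from the _fields attribute of the control.
function formlyKeyOf(control) {
  const fields = control ? control._fields : null;
  if (!Array.isArray(fields) || fields.length === 0) return null;
  let key = fields[0] ? fields[0].key : null;
  // A Formly key can be a path (array or dotted string); the last segment
  // names the field.
  if (Array.isArray(key)) key = key[key.length - 1];
  if (key === null || key === undefined) return null;
  return String(key).split('.').pop();
}

function validate(control) {
  const key = formlyKeyOf(control);
  // Step 2: only keys that have a rule are validated. A Map lookup cannot be
  // satisfied by inherited names such as 'constructor'.
  const rule = key === null ? undefined : RULES.get(key);
  if (!rule) return null;
  // Step 3: extract the value. In this example empty fields are left to the
  // form's own "required" handling.
  const value = control.value;
  if (value === null || value === undefined || value === '') return null;
  // Step 4: null means valid, otherwise an object keyed by the field.
  return rule(value) ? null : { [key]: true };
}

// Constructed sample controls (not taken from the product).
const SAMPLE_CONTROLS = [
  { value: '+49 (89) 123-4567', _fields: [{ key: 'mobile' }] },
  { value: '12345', _fields: [{ key: 'mobile' }] },
  { value: '+49 89 <script>alert(1)</script>', _fields: [{ key: 'mobile' }] },
  { value: 'Smith', _fields: [{ key: 'sn' }] },
  { value: '0891234567', _fields: [{ key: ['contact', 'mobile'] }] },
];

function runSamples() {
  return SAMPLE_CONTROLS.map((control) => validate(control));
}

console.log(JSON.stringify(runSamples()));
```

Checks in validator.js run in the browser and give the user feedback while editing; the same constraints still need to be enforced where the value is written.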
Known Restrictions
Client Signature with Java Applets
The solution is not supported anymore.
Java deployment technologies were deprecated in Java 9 and removed in Java SE 11. Java applet and Web Start functionality, including the Java plug-in, the Java Applet Viewer, Java Control Panel, and Java Web Start, along with javaws tool, have been removed in Java SE 11.
Known Issues
Release Notes – Important Information for Version 9.0.0
Mass provisioning tests with a huge number of entries (>200.000) show some LDAP connection closures and reconnects while the policy agent is in use, which leads to reduced performance. The issue is under investigation and will be resolved as soon as possible in a patch release.
Zipping More Than 100 C++-based Server LOG Files With Dirx Diag Tool
If you have more than 100 LOG* files in the server\log folder and call dirxdiag_cserver.bat/sh to collect diagnosis files into a zip file, the tool will hang.
In this case, delete or archive older files and rerun the command.
Missing MS Access Bridge Support with Oracle JRE
Starting with Oracle JRE 8, there is no JDBC ODBC Bridge for MS Access support any longer.
Use another driver instead. An example is the UCanAccess driver. Find a sample configuration in the Connectivity View: Connected Directories – Default - Source Scheduled - HR-JDBC CD.
Migrating of ActiveMQ messaging server
In some cases, the migration of the repository (file-based database kahadb) from a former ActiveMQ version to the version that comes with DirX Identity 9.0 does not work.
For that reason, we strongly recommend verifying that all message queues in ActiveMQ are empty before upgrading (enqueued and dequeued counters are equal in the ActiveMQ Web Console). In rare cases, ActiveMQ doesn’t start correctly after migration because of kahadb issues (the repository). In that case, the only possibility is to delete the kahadb completely.
Message RPC741 and Rule AssocAccount2User
Message RPC741 is now logged as an informational message from the Policy Execution. If you have a rule that associates accounts to users and the association fails, this is no longer logged as a warning. It is recommended to check the unassigned accounts with a QueryFolder (in the TS View of the Identity Manager) instead of checking in the monitor area.
Warning about SOAP MetaFactory
With the introduction of modules, Java for example logs the following warning:
“WARNING: Using deprecated META-INF/services mechanism with non-standard property: javax.xml.soap.MetaFactory….”.
In order to suppress it, you have to set the full classname of a SOAP MetaFactory implementation in a system property when starting the JVM:
-Djavax.xml.soap.SAAJMetaFactory=com.sun.xml.messaging.saaj.soap.SAAJMetaFactoryImpl
For the Java VM used by the Tomcat container hosting Web Center or any other Identity service, you must do that manually. See the Tomcat documentation for configuring the setup under https://tomcat.apache.org/tomcat-11.0-doc/setup.html.
Warnings in the Java-based Server Log Files at Startup
During startup of the Java server several warnings are written like
24.11.2021 16:45:00.468 [Main-S1] [ ] *** WARNING ***
Called from org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom()
Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [141] milliseconds.
24.11.2021 16:45:04.455 [Main-S1] [ ] *** WARNING ***
Called from org.jboss.weld.bootstrap.events.BeforeBeanDiscoveryImpl.addAnnotatedType()
WELD-000146: BeforeBeanDiscovery.addAnnotatedType(AnnotatedType<?>) used for {0} is deprecated from CDI 1.1!
-------------------------------------------------------------------------------
The first warning is from Apache Tomcat and is related to the session ID creation process. It is a diagnostic message that can be ignored unless the given millisecond time is very high (more than several seconds).
Permission Parameters and Attribute Indexes
Starting with DirX Identity V8.9 the algorithm for calculating the matching groups of a permission has changed. Depending on the definition of the role match rules (namely the match expression refers to a “Group” definition with operator “=”) the matching groups are searched via an LDAP search. For better performance the permission parameters should be indexed.
DirX Identity provides an attribute index for dxrRPvalues, but not for all the other attributes defined in the Permission Parameter tab. The default permission parameters departmentnumber, dxrProject, employeetype, l and manager are not indexed, whereas the permission parameters c and ou are indexed.
If you plan to use these standard attributes in a productive environment, you should consider creating an attribute index for them. The same also applies if you defined your own attributes as permission parameters.