VMware Identity Manager 3.3.3 | October 2020 | Build 17121420

VMware Identity Manager (Windows) 3.3.3 | October 2020 | Build VMware Identity Manager Connector Installer.exe

Release date: November 2020

Updated:

December 8, 2020       This release has been determined to be impacted by CVE-2020-4006. Fixes and workarounds are available to address this vulnerability. For more information, see VMSA-2020-0027.

What's in the Release Notes

Release notes cover the following topics.

VMware Products that can upgrade to VMware Identity Manager 3.3.3

  • VMware vRealize Products such as vRealize Automation, vRealize Suite Lifecycle Manager (vRSLCM), vRealize Operations, vRealize Business, vRealize Log insight, and vRealize Network Insight for Authentication and SSO

    • vRealize products that are deployed and managed through vRealize Suite Lifecycle Manager only can consume VMware Identity Manager 3.3.1, 3.3.2 or 3.3.3.

    • vRealize Suite Lifecycle Manager can now handle a brand-new installation of VMware Identity Manager 3.3.3, or an upgrade to 3.3.3 from VMware Identity Manager 3.3.1 or 3.3.2.

  • VMware NSX-T Data Center for Authentication and SSO
    • NSX-T can be deployed with VMware Identity Manager
    • 3.3.3 or an upgrade to 3.3.3 from VMware Identity Manager 3.3.1 or 3.3.2.

What's New for VMware Identity Manager 3.3.3

  • Photon OS Migration

    In VMware Identity Manager 3.3.3, the underlying operating system has been migrated from SUSE Linux 11 SP4 to VMware Photon 3.0. Photon 3.0 addresses known security vulnerabilities and is an updated software stack. 

  • Tenant migration support from vRA 7.5/vRA 7.6 to VMware Identity Manager
  • Default Deployment Configuration Changes

    Different sizing options for CPU and memory are available to choose at the time of deployment based on the requirements

    • 100 GB hard disk
    • 8 GB RAM
    • 4 vCPUs
    • Extra Small: 4CPU/8 GB Memory
    • Small: 6CPU/10 GB Memory
    • Medium: 8CPU/16 GB Memory
    • Large: 10CPU/16 GB Memory
    • Extra Large: 12CPU/32 GB Memory
    • Extra Extra Large: 12CPU/48 GB Memory
  • Support of 4096 key certificates

    We now support 4096-bit key SSL certificates for the service and connector. With this implementation, we bring increased encryption strength to the SSL certificates.

  • Embedded to external connector migration for IWA/Kerberos use cases

New December 18, 2020      VMware Identity Manager 3.3.3 does not support IWA (Integrated Windows Authentication) with the embedded Linux connector. vRA 8.x customers using LDAP or IWA with the external Windows connector are not impacted. For more details refer to https://kb.vmware.com/s/article/82013.

  • Operator can reset the console password (or operator password) using hznAdminTool command:
     /usr/sbin/hznAdminTool setOperatorPassword

Internationalization

VMware Identity Manager 3.3 is available in the following languages.

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Traditional Chinese
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager appliance supports the following versions of vSphere and ESXi.

  • 6.5 U3, 6.7 U2, 6.7 U3, 7

Component Compatibility

Windows Server Supported

  • Windows Server 2012 R2
  • Windows Server 2016

Web Browser Supported

  • Mozilla Firefox, latest version
  • Google Chrome 42.0 or later
  • Internet Explorer 11
  • Safari 6.2.8 or later
  • Microsoft Edge, latest version

Database Supported

  • Postgres 9.6.19
  • MS SQL 2012, 2014, and 2016

Directory Server Supported

  • Active Directory on Windows Server 2012 R2, 2016, and 2019 with a Domain functional level and Forest functional level of Windows 2003 and later.
  • OpenLDAP - 2.4.42
  • Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (11.1.1.7.0)
  • IBM Tivoli LDAP - IBM Security Directory Server 6.3.1

Update: Component Versions No Longer Supported

  • Windows Server 2008 R2
  • Windows Server 2012

This impacts Workspace ONE Access Connectors or database that might be installed on these versions of the Windows server. This impacts Active Directory if it is running on these older versions of a Windows server.

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components,

For other system requirements, see the VMware Identity Manager Installation guides for 3.3 on the VMware Workspace ONE Access Documentation center.

Upgrading to VMware Identity Manager 3.3.3

Note:

  • To access the Appliance Settings page in the Workspace ONE Access console, make sure that you are assigned the Operator role for the default tenant.
  • To configure the SMTP settings, you must be logged in as operator user of the default tenant from system domain, not as the admin tenant.
    • Tenant admins of non-default tenants are not authorized to configure SMTP settings.
  • Migrate VMware vRealize Automation 7.5 or 7.6 Business Groups to vRealize Version 8.2

To upgrade to VMware Identity Manager 3.3.3, see Upgrading VMware Identity Manager 3.3.3 on the VMware Workspace ONE Access Documentation center. During the upgrade, all services are stopped, so if only one connector is configured plan the upgrade with the expected downtime in mind.

You can upgrade VMware Identity Manager from version 3.3.1 or 3.3.2 directly to 3.3.3. To upgrade from earlier versions, upgrade to 3.3.1 first, then upgrade 3.3.1 to 3.3.3.

Note: When you upgrade to VMware Identity Manager 3.3.2 for Linux, if you see the following error message and the upgrade is aborted, follow these steps to update the certificate. After the certificate is updated, restart the upgrade.

"Certificate auth configuration update required for tenant <tenantName> prior to upgrade. Pre-update check failed, aborting upgrade."
  1. Log in to the VMware Identity Manager console.
  2. Navigate to Identity & Access Management > Setup.
  3. In the Connectors page, click the link in the Worker column
  4. Click the Auth Adapters tab, then click CertificateAuthAdapter.
  5. In the Uploaded CA Certificates section, click the red X next to the certificate to remove it.
  6. In the Root and intermediate CA Certificates section, click Select File to re-add the certificate.
  7. Click Save.

Migrate VMware vRealize Automation 7.5 or 7.6 Business Groups to vRealize Version 8.2

To migrate the business groups from VMware vRealize Automation 7.5 or 7.6 to version 8.2, you must migrate one tenant at a time from the embedded VMware Identity Manager 3.1 service to the external VMware Identity Manager 3.3.3 service as described in the following procedure.
Background

  • VMware Identity Manager is an embedded service in vRealize Automation 7.5 and 7.6
  • Starting with vRealize Automation 8.0, VMware Identity Manager became an external service
  • vRealize Automation 8.0 and 8.1 only support fresh installations
  • vRealize Automation 8.2 supports Business Groups Migration from vRealize Automation 7.5 or 7.6. To achieve business group migration, VMware Identity Manager 3.3.3 migrates each tenant from VMware Identity Manager on vRA to the 3.3.3

Prerequisite

  • Valid email needs to be set for all local users of  vRealize Automation 7.5 and 7.6 Tenant which needs to be migrated
  •  Enable Remote Connection to vRA Database to access it. ONLY from VIDM Machine to read User Ids for Custom Group Migration
  • The SMTP server information of the tenant being migrated must be configured in the VMware Identity Manager service. This information is required to receive email instructions to reset the password for all local users.

Procedure

You perform tenant by tenant migration in VMware Identity Manager 3.3.3 using vRealize Lifecycle Manager. vRealize Lifecycle Manager provides the user interface to leverage the VMware Identity Manager 3.3.3 Tenant Migration REST APIs for tenant by tenant migration. See Migrating Tenants Using vRealize Suite Lifecycle Manager.

The VMware Identity Manager 3.3.3 Tenant Migration REST APIs take care of migrating the following configurations from vRealize Automation 7.5 or 7.6. to VMware Identity Manager 3.3.3.

  • Tenant configuration
  • User attribute mapping configuration
  • Directory configuration, such as local, LDAP, IWA, OpenLDAP, and JIT
  • By default, bind user will be listed as a read-only admin in the migrated tenants
  • Third-party identity provider configuration
  • Access policy and network range configuration
  • Custom groups configuration
  • Role and rule set configuration

Tenant Migration Limitations in VMware Identity Manager 3.3.3

  • Authentication Adapters: The tenant migration process only migrates PasswordIdpAdapter. If other authentication adapters were configured in vRealize Automation 7.5 or 7.6, you must configure them manually in VMware Identity Manager 3.3.3.
  • Third-Party Identity Provider Migration: The tenant migration process migrates third-party identity provider configurations. After the migration, you must copy the VMware Identity Manager service provider metadata manually to the external third-party identity provider.

VMware Identity Manager Connector 3.3.3 (Windows)

If you installed the VMware Identity Manager Connector for Windows 3.3.1 and 3.3.2 with vRealize Suite Lifecycle Manager, you cannot upgrade to 3.3.3.  You must install the new 3.3.3 version of the connector.

If you installed the VMware Identity Manager Connector for Windows 3.3.1 or 3.3.2 using the .exe installer, you can upgrade your connector to 3.3.3.

Documentation

The VMware Identity Manager 3.3 documentation is in the VMware Workspace ONE Access Documentation center. The 3.3.3 upgrade guide can be found under VMware Identity Manager 3.3 in the Installation & Architecture section.

Known Issues

  • Identity Provider configuration cannot be saved in VMware Identity Manager 3.3.3 multi-site environments with embedded connectors from secondary site

    When using an embedded connector with VMware Identity Manager service in a multi-site environment, you cannot save the identity provider configuration in the secondary site if using an embedded connector.

    Workaround: Use an external connector for the secondary site.

  • Sync fails after upgrading to VMware Identity Manager 3.3.3

    After upgrade from VMware Identity Manager 3.3.2 to 3.3.3, if the embedded connector is being used with Active Directory over IWA, users can log in, but the directory sync will fail until the embedded connector is migrated to a VMware Identity Manager external connector on a Windows server.

    Workaround. No workaround. You must migrate the directory from the embedded connector to an external VMware Identity Manager connector.

check-circle-line exclamation-circle-line close-line
Scroll to top icon