VMware Identity Manager 3.3.4 | February 2021 | Build 17498518
VMware Identity Manager (Windows) 3.3.4 | February 2021 | Build VMware Identity Manager Connector Installer.exe
Release date: February 2021
Updated: December 17, 2021
12/17/2021 This release has been determined to be impacted by CVE-2021-44228 and CVE-2021-45046. Fixes and workarounds are available to address these vulnerabilities. For more information, see VMware Security Advisory VMSA-2021-0028.
12/17/2021 This release is also impacted by CVE-2021-22056. Fixes and workarounds are available to address this vulnerability. For more information, see VMware Security Advisory VMSA-2021-0030.
What's in the Release Notes
Release notes cover the following topics.
- Products that can upgrade to VMware Identity Manager 3.3.4
- What's New in 3.3.4
- Compatibility, Installation, and Upgrade
- Known Issues
- VMware vRealize Products such as vRealize Automation, vRealize Suite Lifecycle Manager (vRSLCM), vRealize Operations, vRealize Business, vRealize Log Insight, and vRealize Network Insight for Authentication and SSO
  - vRealize products that are deployed and managed through vRealize Suite Lifecycle Manager only can consume VMware Identity Manager 3.3.1, 3.3.2, 3.3.3, or 3.3.4.
  - vRealize Suite Lifecycle Manager can now handle a brand-new installation of VMware Identity Manager 3.3.4, or an upgrade to 3.3.4 from VMware Identity Manager 3.3.1, 3.3.2, or 3.3.3.
- VMware NSX-T Data Center for Authentication and SSO
  - NSX-T can be deployed with VMware Identity Manager 3.3.4 or an upgrade to 3.3.4 from VMware Identity Manager 3.3.1, 3.3.2, or 3.3.3.
Support of Active Directory over Integrated Windows Authentication (IWA) and Kerberos with embedded connector
VMware Identity Manager 3.3.4 brings back support for Active Directory over IWA and the Kerberos authentication adapter with the embedded connector. All customers using LDAP or using IWA with an external Windows connector can update to VMware Identity Manager 3.3.4. For upgrade and migration information, see Upgrading to VMware Identity Manager 3.3.4 (Linux).
VMware Identity Manager 3.3 is available in the following languages.
- Simplified Chinese
- Traditional Chinese
- Portuguese (Brazil)
VMware vCenter™ and VMware ESXi™ Compatibility
VMware Identity Manager appliance supports the following versions of vSphere and ESXi.
- 6.5 U3, 6.7 U2, 6.7 U3, 7
Windows Server Supported
- Windows Server 2012 R2
- Windows Server 2016
Web Browser Supported
- Mozilla Firefox, latest version
- Google Chrome 42.0 or later
- Internet Explorer 11
- Safari 6.2.8 or later
- Microsoft Edge, latest version
- Postgres 9.6.19
- MS SQL 2012, 2014, and 2016
Directory Server Supported
- Active Directory on Windows Server 2012 R2, 2016, and 2019 with a Domain functional level and Forest functional level of Windows 2003 and later.
- OpenLDAP - 2.4.42
- Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (184.108.40.206.0)
- IBM Tivoli LDAP - IBM Security Directory Server 6.3.1
Update: Component Versions No Longer Supported
- Windows Server 2008 R2
- Windows Server 2012
This impacts Workspace ONE Access Connectors or databases that might be installed on these versions of Windows Server. This also impacts Active Directory if it is running on these older versions of Windows Server.
VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components.
For other system requirements, see the VMware Identity Manager Installation guides for 3.3 on the VMware Workspace ONE Access Documentation center.
Default Deployment Configuration
Different sizing options for CPU and memory are available to choose at the time of deployment based on the requirements.
- 100 GB hard disk
- 8 GB RAM
- 4 vCPUs
- Extra Small: 4CPU/8 GB Memory
- Small: 6CPU/10 GB Memory
- Medium: 8CPU/16 GB Memory
- Large: 10CPU/16 GB Memory
- Extra Large: 12CPU/32 GB Memory
- Extra Extra Large: 14CPU/48 GB Memory
Upgrading to VMware Identity Manager 3.3.4
- To access the Appliance Settings page in the Workspace ONE Access console, make sure that you are assigned the Operator role for the default tenant.
- To configure the SMTP settings, you must be logged in as the operator user of the default tenant from the system domain, not as the admin tenant.
- Tenant admins of non-default tenants are not authorized to configure SMTP settings.
- Migrate VMware vRealize Automation 7.5 or 7.6 Business Groups to vRealize Version 8.3
To upgrade to VMware Identity Manager 3.3.4, see Upgrading VMware Identity Manager 3.3.4 on the VMware Workspace ONE Access Documentation center. During the upgrade, all services are stopped, so if only one connector is configured, plan the upgrade with the expected downtime in mind.
You can upgrade VMware Identity Manager from version 3.3.1, 3.3.2, or 3.3.3 directly to 3.3.4. To upgrade from earlier versions, upgrade to 3.3.1 first, then upgrade 3.3.1 to 3.3.4.
Note: When you upgrade to VMware Identity Manager 3.3.4 for Linux, if you see the following error message and the upgrade is aborted, follow these steps to update the certificate. After the certificate is updated, restart the upgrade.
"Certificate auth configuration update required for tenant <tenantName> prior to upgrade. Pre-update check failed, aborting upgrade."
- Log in to the VMware Identity Manager console.
- Navigate to Identity & Access Management > Setup.
- In the Connectors page, click the link in the Worker column.
- Click the Auth Adapters tab, then click CertificateAuthAdapter.
- In the Uploaded CA Certificates section, click the red X next to the certificate to remove it.
- In the Root and intermediate CA Certificates section, click Select File to re-add the certificate.
- Click Save.
Migrate VMware vRealize Automation 7.5 or 7.6 Business Groups to vRealize Version 8.3
To migrate the business groups from VMware vRealize Automation 7.5 or 7.6 to version 8.3, you must migrate one tenant at a time from the embedded VMware Identity Manager 3.1 service to the external VMware Identity Manager 3.3.4 service as described in the following procedure.
- VMware Identity Manager is an embedded service in vRealize Automation 7.5 and 7.6.
- Starting with vRealize Automation 8.0, VMware Identity Manager became an external service.
- vRealize Automation 8.0 and 8.1 only support fresh installations.
- vRealize Automation 8.3 supports Business Groups Migration from vRealize Automation 7.5 or 7.6. To achieve business group migration, VMware Identity Manager 3.3.4 migrates each tenant from VMware Identity Manager on vRA to 3.3.4.
- A valid email address must be set for all local users of the vRealize Automation 7.5 or 7.6 tenant that is to be migrated.
- Enable remote connection to the vRA database, only from the VIDM machine, so that user IDs can be read for custom group migration.
- The SMTP server information of the tenant being migrated must be configured in the VMware Identity Manager service. This information is required to receive email instructions to reset the password for all local users.
You perform tenant by tenant migration in VMware Identity Manager 3.3.4 using vRealize Lifecycle Manager. vRealize Lifecycle Manager provides the user interface to leverage the VMware Identity Manager 3.3.4 Tenant Migration REST APIs for tenant by tenant migration. See Migrating Tenants Using vRealize Suite Lifecycle Manager.
The VMware Identity Manager 3.3.4 Tenant Migration REST APIs take care of migrating the following configurations from vRealize Automation 7.5 or 7.6 to VMware Identity Manager 3.3.4.
- Tenant configuration
- User attribute mapping configuration
- Directory configuration, such as local, LDAP, IWA, OpenLDAP, and JIT
- By default, the bind user is listed as a read-only admin in the migrated tenants.
- Third-party identity provider configuration
- Access policy and network range configuration
- Custom groups configuration
- Role and rule set configuration
Tenant Migration Limitations in VMware Identity Manager 3.3.4
- Authentication Adapters: The tenant migration process only migrates PasswordIdpAdapter. If other authentication adapters were configured in vRealize Automation 7.5 or 7.6, you must configure them manually in VMware Identity Manager 3.3.4.
- Third-Party Identity Provider Migration: The tenant migration process migrates third-party identity provider configurations. After the migration, you must copy the VMware Identity Manager service provider metadata manually to the external third-party identity provider.
VMware Identity Manager Connector 3.3.4 (Windows)
If you installed the VMware Identity Manager Connector for Windows 3.3.1 and 3.3.2 with vRealize Suite Lifecycle Manager, you cannot upgrade to 3.3.4. You must install the new 3.3.4 version of the connector.
If you installed the VMware Identity Manager Connector for Windows 3.3.1, 3.3.2, or 3.3.3 using the .exe installer, you can upgrade your connector to 3.3.4.
The VMware Identity Manager 3.3 documentation is in the VMware Workspace ONE Access Documentation center. The 3.3.4 upgrade guide can be found under VMware Identity Manager 3.3 in the Installation & Architecture section.