After you upgrade to VMware Identity Manager 2.7, configure these settings.

If you have set up a VMware Identity Manager cluster for failover, updating it to three nodes is recommended. This is because of a limitation of Elasticsearch, a search and analytics engine embedded in the VMware Identity Manager appliance. You may continue to use two nodes but you should be aware of a few limitations related to Elasticsearch. See "Configuring Failure and Redundancy" in Installing and Configuring VMware Identity Manager for more information.

Enable the new portal user interface.

a. In the administration console, click the arrow on the Catalog tab and select Settings.
b. Select New End User Portal UI in the left pane and click Enable New Portal UI.

If you use ThinApps, Kerberos authentication, or Active Directory (Integrated Windows Authentication) directories, you must leave the domain and then rejoin it. This is required for all the virtual appliances in your deployment.

a. Click the Identity & Access Management tab.
b. Click Setup.
c. In the Connectors page, for each connector that is being used for ThinApps integration, Kerberos authentication, or an Active Directory (Integrated Windows Authentication) directory, click Leave Domain.
d. Click Join Domain to join the domain again.

   To join the domain, you need Active Directory credentials with the privileges to join the domain. See "Integrating with Active Directory" in Installing and Configuring VMware Identity Manager for more information about joining a domain.

e. If you are using Kerberos authentication, enable the Kerberos authentication adapter again. To access the Auth Adapters page, in the Connectors page click the appropriate link in the Worker column and select the Auth Adapters tab.
f. Verify that the other authentication adapters you are using are enabled.

If you are using Active Directory (Integrated Windows Authentication), or Active Directory over LDAP with the This Directory supports DNS Service Location option enabled, save the directory's Domains page.

a. Click the Identity & Access Management tab.
b. In the Directories page, click the directory.
c. Provide the password for the Bind DN user and click Save.
d. Click Sync Settings on the left of the page and select the Domains tab.
e. Click Save.

Note: Beginning with VMware Identity Manager 2.6, a domain_krb.properties file is automatically created and auto-populated with domain controllers when a directory with DNS Service Location enabled is created. When you save the Domains page after upgrade, if you had a domain_krb.properties file in your original deployment, the file is updated with domains that you may have added subsequently and that were not in the file. If you did not have a domain_krb.properties file in your original deployment, the file is created and auto-populated with domain controllers. See "Integrating with Active Directory" in Installing and Configuring VMware Identity Manager for more information about the domain_krb.properties file.

Beginning with version 2.6, you can sync users and groups that have the same username or group name across multiple Active Directory domains. The uniqueness rule was updated to be a combination of username or group name and domain. For example, the username Administrator can belong to Active Directory accounts in multiple Active Directory domains as well as to a local user account in the VMware Identity Manager service. When you upgrade, this feature is not enabled. Contact support for information about how to enable the username and group name uniqueness rule.

Transport Layer Security (TLS) protocol 1.0 is disabled by default beginning with VMware Identity Manager 2.6. TLS 1.1 and 1.2 are supported. During upgrade to 2.6 or 2.7, TLS 1.0 is disabled.

External product issues are known to occur when TLS 1.0 is disabled. Updating your other product configurations to use TLS 1.1 or 1.2 is recommended. However, if your versions of products such as Horizon, Horizon Air, Citrix, or load balancers depend on TLS 1.0, you can enable TLS 1.0 in VMware Identity Manager after upgrade by following the instructions in Knowledge Base article 2144805.
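A check for the TLS change described above, as an added example that is not part of the original VMware documentation: it attempts one handshake per protocol version against an endpoint (the appliance, a dependent product, or a load balancer) and reports any deviation from the state the page describes. The function names are assumptions, and a result of "not testable" means the local OpenSSL build could not offer that version.

```python
import socket
import ssl

# Expected state after upgrade, from the page: TLS 1.0 refused, 1.1 and 1.2 accepted.
EXPECTED = {"TLSv1": False, "TLSv1_1": True, "TLSv1_2": True}


def probe(host, port, version_name, timeout=5.0):
    """Handshake pinned to one version: True=accepted, False=refused,
    None=this client cannot offer the version. Network errors propagate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol probe only, no data is sent
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 hides TLS 1.0/1.1 otherwise
    except ssl.SSLError:
        pass  # OpenSSL builds without security levels
    try:
        ctx.minimum_version = ssl.TLSVersion[version_name]
        ctx.maximum_version = ssl.TLSVersion[version_name]
    except ValueError:
        return None  # version compiled out of the local OpenSSL
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError) as exc:
        # Best effort: a local policy that blocks the version is not a server refusal.
        if getattr(exc, "reason", None) == "NO_PROTOCOLS_AVAILABLE":
            return None
        return False


def evaluate(results, expected=EXPECTED):
    """Compare probe results with the expected state and return the deviations."""
    word = {True: "accepted", False: "refused"}
    findings = []
    for name, want in expected.items():
        got = results.get(name)
        if got is None:
            findings.append(f"{name}: not testable from this client")
        elif got != want:
            findings.append(f"{name}: {word[got]}, expected {word[want]}")
    return findings


def check_endpoint(host, port=443, probe_fn=probe):
    """Probe every version in EXPECTED and return the list of deviations."""
    return evaluate({name: probe_fn(host, port, name) for name in EXPECTED})
```

Call `check_endpoint("idm.example.test")` with your own endpoint's FQDN (the hostname here is a placeholder); an empty list means the endpoint matches the expected state.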