Known issues

This chapter contains a list of known issues and their possible solutions.

Unable to change the account’s login in LDAP_CAS

When an account's login is changed in CzechIdM, the corresponding account in the LDAP_CAS system cannot be renamed. This behavior can be remedied with the following configuration change.

  1. In the CzechIdM, open the detail of the LDAP_CAS system.

  2. In Schema, click the item __ACCOUNT__.

  3. Open the detail of the attribute uid.

  4. Uncheck the option Able to edit and save.

The CzechIdM service cannot be started

When using the container image bcv-czechidm:10.8.2-r1 or older, the following error can occur after 30/9/2021:

Oct  5 12:28:06 localhost czechidm[28113]: [/runscripts/runEvery.d/001_000-buildIdM.sh] Rebuilding CzechIdM...
Oct  5 12:28:06 localhost czechidm[28113]: sha256sum: node-v15.3.0-linux-x64.tar.gz: No such file or directory
Oct  5 12:28:06 localhost czechidm[28113]: [/runscripts/runEvery.d/001_000-buildIdM.sh] NodeJS 15.3.0 archive verification failed. Killing the rebuild...
Oct  5 12:28:06 localhost czechidm[28113]: tar (child): node-v15.3.0-linux-x64.tar.gz: Cannot open: No such file or directory
Oct  5 12:28:06 localhost czechidm[28113]: tar (child): Error is not recoverable: exiting now
Oct  5 12:28:06 localhost czechidm[28113]: tar: Child returned status 2
Oct  5 12:28:06 localhost czechidm[28113]: tar: Error is not recoverable: exiting now

This is caused by a certificate validation issue with the Let’s Encrypt certificate authority, whose original root certificate expired on 30/9/2021. To remedy the issue, use image version bcv-czechidm:10.8.2-r2 or higher. Container images for CzechIdM 11.x or higher are not affected by this issue.

  1. Edit the file /data/registry/node-active-config/docker-compose-czechidm.yml.

  2. Rewrite the value of the image setting to repo.iamappliance.com:8443/bcv-czechidm:10.8.2-r2 and save the file.

  3. Restart the CzechIdM service: systemctl restart iam-czechidm.

Log4j library vulnerability CVE-2021-44228

Some older container images of CzechIdM and CAS can be affected by this vulnerability. To mitigate it, change the parameters used to run the containerized applications.

Add a new environment property JAVA_OPTS_ADD to the compose file like this:

...
    environment:
...
      - JAVA_OPTS_ADD="-Dlog4j2.formatMsgNoLookups=true"
...

Make the change in files /data/registry/node-active-config/docker-compose-cas.yml and /data/registry/node-active-config/docker-compose-czechidm.yml, then restart the iam-cas and iam-czechidm services.

Spring Framework vulnerability CVE-2022-22965 (Spring4Shell)

The images of the CzechIdM and CAS applications are affected by this vulnerability. To mitigate it, update the affected containers to the following versions.

  • CzechIdM 10.x (LTS) - repo.iamappliance.com:8443/bcv-czechidm:10.8.5-r0 or any newer image of the 10.x line.

  • CzechIdM 11.x - repo.iamappliance.com:8443/bcv-czechidm:11.2.5-r0

    • Use this image only if you cannot upgrade your environment to the 12.x line image.

  • CzechIdM 12.x - repo.iamappliance.com:8443/bcv-czechidm:12.1.3-r0 or later.

  • CAS - repo.iamappliance.com:8443/bcv-cas:6.2.8.4-r1 or later.

Update the images by editing the image version (look for the line starting with image:) in the files /data/registry/node-active-config/docker-compose-czechidm.yml and docker-compose-cas.yml (located in the same directory). Then restart the iam-czechidm and iam-cas services.
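The following POSIX shell script is an added example, not part of this documentation or the appliance's own tooling. It audits a compose file for both mitigations described in the Log4j and Spring4Shell sections above: the image tag must be at least the fixed version listed for that image line, and an uncommented JAVA_OPTS_ADD entry must carry -Dlog4j2.formatMsgNoLookups=true. It assumes the list-form environment entries and the image line format shown on this page; the two sample compose files it writes are constructed for the demonstration (one in the weak form, one in the corrected form), and the rule that any newer tag within the same line carries the fix is an assumption for the 11.x line, for which the page lists a single version.

```shell
#!/bin/sh
# Added example, not part of the appliance documentation or its tooling. Audits a
# docker-compose file for the two mitigations described on this page: the image tag
# is at least the fixed version for CVE-2022-22965, and JAVA_OPTS_ADD carries
# -Dlog4j2.formatMsgNoLookups=true (CVE-2021-44228). Assumes the list-form
# "environment:" entries and "image:" lines shown on the page.

# Value of the first "image:" line in a compose file, without surrounding quotes.
compose_image_ref() {
    sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" | head -n 1 | tr -d "\"'"
}
# registry:port/name:tag -> name, and -> tag
image_name() { printf '%s\n' "$1" | sed 's/:[^:/]*$//; s#.*/##'; }
image_tag()  { printf '%s\n' "$1" | sed 's/.*://'; }

# version_ge A B: succeed when tag A is at least tag B. Tags look like
# MAJOR.MINOR.PATCH-rN; the "-r" build number is compared as one more dotted field.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/-r/, ".", a); gsub(/-r/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Minimum fixed tag per image name and major version, as listed on this page.
# Assumption: any newer tag within the same line carries the fix (the page says so
# for 10.x, 12.x and CAS; for 11.x it lists a single version).
min_fixed_tag() {
    case "$1:$2" in
        bcv-czechidm:10) echo 10.8.5-r0 ;;
        bcv-czechidm:11) echo 11.2.5-r0 ;;
        bcv-czechidm:12) echo 12.1.3-r0 ;;
        bcv-cas:*)       echo 6.2.8.4-r1 ;;
        *)               return 1 ;;
    esac
}

# Succeed when an uncommented list-form environment entry sets the Log4j property.
has_log4j_mitigation() {
    grep -q '^[[:space:]]*-[[:space:]]*JAVA_OPTS_ADD=.*-Dlog4j2\.formatMsgNoLookups=true' "$1"
}

# Report on one compose file; succeed only when both mitigations are present.
audit_compose_file() {
    file=$1
    ref=$(compose_image_ref "$file")
    name=$(image_name "$ref")
    tag=$(image_tag "$ref")
    status=0
    if min=$(min_fixed_tag "$name" "${tag%%.*}") && version_ge "$tag" "$min"; then
        echo "$file: image $name:$tag is at or above the fixed tag $min"
    else
        echo "$file: image $name:$tag is below the fixed tag (${min:-unknown for this line}), update required"
        status=1
    fi
    if has_log4j_mitigation "$file"; then
        echo "$file: JAVA_OPTS_ADD sets log4j2.formatMsgNoLookups=true"
    else
        echo "$file: JAVA_OPTS_ADD with -Dlog4j2.formatMsgNoLookups=true is missing"
        status=1
    fi
    return $status
}

# --- Constructed sample files for the demonstration, not the appliance's own files ---
DEMO_DIR=$(mktemp -d)
VULN_COMPOSE="$DEMO_DIR/docker-compose-czechidm.yml"   # weak: old image, no JAVA_OPTS_ADD
FIXED_COMPOSE="$DEMO_DIR/docker-compose-cas.yml"       # corrected form
cat > "$VULN_COMPOSE" <<'EOF'
services:
  czechidm:
    image: repo.iamappliance.com:8443/bcv-czechidm:10.8.2-r1
EOF
cat > "$FIXED_COMPOSE" <<'EOF'
services:
  cas:
    image: repo.iamappliance.com:8443/bcv-cas:6.2.8.4-r1
    environment:
      - JAVA_OPTS_ADD="-Dlog4j2.formatMsgNoLookups=true"
EOF

# On the appliance, run this against /data/registry/node-active-config/*.yml instead.
for f in "$VULN_COMPOSE" "$FIXED_COMPOSE"; do
    audit_compose_file "$f" || echo "$f: remediation needed before restarting the service"
done
```

The property check only proves the flag is written into the compose file; after restarting the iam-czechidm and iam-cas services, confirm it reached the running JVM as well (for example by inspecting the container's java process arguments), since the JAVA_OPTS_ADD flag is a mitigation applied at start-up rather than a patched library.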