B Troubleshooting Oracle Delegated Administration Services

This appendix describes common problems that you might encounter when using Oracle Delegated Administration Services and explains how to solve them. It contains these topics:

• Analyzing Log Files

• Enabling Debugging

• Diagnosing Self-Service Console Problems

• Diagnosing Service Unit Problems

• Need More Help?

Note: You can also use Web browser diagnostics to identify basic problems with your Oracle Delegated Administration Services deployment, including whether the IP address and host name are valid or if a firewall is properly forwarding requests and responses. For more information, see the documentation for the Web browsers you plan to support in your Oracle Delegated Administration Services deployment.

B.1 Analyzing Log Files

If you encounter problems when deploying or running Oracle Delegated Administration Services, you should first examine the various log files that are generated by Oracle Delegated Administration Services and the various components that it requires. This section contains the following topics:

• Oracle Delegated Administration Services Logs

• Oracle Application Server Containers for J2EE Logs

• Oracle HTTP Server Logs

• OPMN Logs

B.1.1 Oracle Delegated Administration Services Logs

Oracle Delegated Administration Services logs most errors in the following log file:

$ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1

This is the file you should check first when troubleshooting problems with Oracle Delegated Administration Services. Debugging must be enabled before Oracle Delegated Administration Services writes any information to the log file. To enable debugging, follow the instructions in "Enabling Debugging".

See Also: "Managing Diagnostic Settings" for information on how to view and configure diagnostic settings for Oracle Delegated Administration Services

B.1.2 Oracle Application Server Containers for J2EE Logs

Oracle Application Server Containers for J2EE is the servlet engine that receives Oracle Delegated Administration Services page requests. You can examine the servlet access log, named default-web-access.log, in the $ORACLE_HOME/j2ee/OC4J_SECURITY/log/OC4J_SECURITY_default_island_1 directory. You can also examine the application.log file, which contains run-time application errors, in the $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/oiddas/OC4J_SECURITY_default_island_1 directory.

B.1.3 Oracle HTTP Server Logs

Oracle HTTP Server receives requests for Oracle Delegated Administration Services pages and forwards each request to the appropriate component for further processing. For problems that may be related to Oracle HTTP Server, you can examine the log files located in the $ORACLE_HOME/Apache/Apache/logs directory. Specifically, you should examine the access_log and error_log files.

Note: If Oracle HTTP Server is configured to rotate its log files, it appends a timestamp extension to the access_log and error_log files. Use the timestamp extension to find the most recent files.

B.1.4 OPMN Logs

Errors that occur when Oracle Delegated Administration Services first starts are recorded in the $ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1 file, which is generated by Oracle Application Server Containers for J2EE. Check this file for error messages if the opmnctl utility hangs or generates command-line errors when attempting to start Oracle Delegated Administration Services.

The $ORACLE_HOME/opmn/logs/ipm.log file also contains basic information regarding the OC4J_SECURITY process, which can be helpful in determining the overall health of your Oracle Delegated Administration Services implementation. Search the ipm.log file for "OC4J_SECURITY" and review any errors you find. The log file typically contains the following messages for OC4J_SECURITY:

Starting Process: OC4J~OC4J_SECURITY~default_island~1
Process Alive: OC4J~OC4J_SECURITY~default_island~1
Stopping Process: OC4J~OC4J_SECURITY~default_island~1
Process Stopped: OC4J~OC4J_SECURITY~default_island~1
Restarting Process: OC4J~OC4J_SECURITY~default_island~1

The ipm.log file also contains messages describing any problems that may have occurred with the OC4J_SECURITY process. For example, the log file will contain the following message if OPMN encounters any problems while starting the OC4J_SECURITY process:

Infra.us.oracle.com~OC4J~OC4J_SECURITY~default_island~1952317603:0
  Status: NONE
  Operation: internal (oid dependency failed)
  ErrFile: 
  String: OID

B.2 Enabling Debugging

To enable or disable debugging for Oracle Delegated Administration Services, you modify the DEBUG and DEBUG_LEVEL flags in the $ORACLE_HOME/ldap/das/das.properties file. Table B-1 describes each flag.

Table B-1 Debugging Flags in the das.properties File

Flag	Description	Values	Default Value
DEBUG	Determines whether debugging is enabled	true false	false
DEBUG_LEVEL	Specifies the debugging level	error (logs all errors) schema (logs errors related to Oracle Internet Directory schema operations) tracing (logs detailed tracing information for various operations) session (logs information on operations involving the Oracle Delegated Administration Services connection pool or connection retrieval and release)	none

The DEBUG_LEVEL flag is only interpreted if the DEBUG flag is assigned a value of true. Separate the value assigned to each flag with a vertical bar (|). For example, the following statements assign a value of true to the DEBUG flag and a value of tracing to the DEBUG_LEVEL flag:

DEBUG|true
DEBUG_LEVEL|tracing
 

After modifying the das.properties file, you must restart the Oracle Delegated Administration Services instance. Before restarting Oracle Delegated Administration Services, you may want to consider deleting the existing das.log file in order to create a fresh log file that does not contain any messages from previous Oracle Delegated Administration Services instances.

See Also: "Starting and Stopping Oracle Delegated Administration Services"

B.3 Diagnosing Self-Service Console Problems

This section describes how to troubleshoot problems with the Self-Service Console. It contains these topics:

• Viewing Diagnostic Settings

• Diagnosing Login Problems

• Users Prompted to Change Password Multiple Times

• Missing User Entries

• Interpreting Error Messages

B.3.1 Viewing Diagnostic Settings

You can use the diagnostic settings in Oracle Delegated Administration Services to debug your implementation without having to examine the log files. If you have configuration privileges, then you can also change the runtime logging levels without restarting Oracle Delegated Administration Services. For more information, see"Managing Diagnostic Settings".

B.3.2 Diagnosing Login Problems

For problems logging in, examine the $ORACLE_HOME/ldap/log/das.log file. Also, verify the following:

• The URL contains the correct infrastructure host name and HTTP server port

• You are using the correct redirection URL

• You can successfully execute ping and nslookup commands from the Web client server to the infrastructure server

• You can execute ldapbind commands from both administrative and user accounts

• Whether a specific set of users is failing to log in

• If any user accounts are locked

  
  

  See Also: Oracle Internet Directory Administrator's Guide for information on password policies in Oracle Internet Directory

  
  

Also, verify that the following properties are correctly set in the $ORACLE_HOME/config/ias.properties file:

• DAS.LaunchSuccess

• IASname

• InfrastructureUse

• OIDhost

• OIDport

• OIDsslport

• VirtualHostName

• InfrastructureDBCommonName

Finally, ensure that the OC4J_SECURITY information in $ORACLE_HOME/opmn/conf/opmn.xml file is set correctly. The OC4J_SECURITY information is located in the following elements in the opmn.xml file:

<process-type id="OC4J_SECURITY" module-id="OC4J">
  <environment>
    <variable id="DISPLAY" value="Infrahost.us.oracle.com:0.0"/>
    <variable id="LD_LIBRARY_PATH" value="/app/oracle/product/10g/infra/lib"/>
  </environment>
  <module-data>
    <category id="start-parameters">
      <data id="java-options" value="-Djava.security.policy=/app/oracle/product
        /10g/infra/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true
        -Xmx512m -Djava.awt.headless=true "/>
      <data id="oc4j-options" value="-properties"/>
    </category>
    <category id="stop-parameters">
      <data id="java-options" value="-Djava.security.policy=/app/oracle/product/
        10g/infra/j2ee/OC4J_SECURITY/config/java2.policy
        -Djava.awt.headless=true"/>
    </category>
  </module-data>
  <start timeout="900" retry="2"/>
  <stop timeout="120"/>
  <restart timeout="720" retry="2"/>
  <port id="ajp" range="3301-3400"/>
  <port id="rmi" range="3201-3300"/>
  <port id="jms" range="3701-3800"/>
  <process-set id="default_island" numprocs="1"/>
</process-type>

See Also: Oracle Application Server Single Sign-On Administrator's Guide for additional information on how to resolve login problems

B.3.3 Users Prompted to Change Password Multiple Times

Oracle Internet Directory enables you to establish a password policy in which users are prompted to change their passwords after initial login. Users must change their passwords by using the Oracle Internet Directory Self-Service Console Password Change screen. Using other mechanisms may not satisfy the password change requirement, and users may be prompted to change their password again the next time they log in.

See Also: Oracle Internet Directory Administrator's Guide for information on password policies in Oracle Internet Directory

B.3.4 Missing User Entries

User entries in Oracle Internet Directory that do not belong to the inetOrgPerson object class will not appear in the Self-Service Console. You can assign user entries to an object class by using Oracle Directory Manager or the ldapmodify command.

See Also: The Oracle Internet Directory Administrator's Guide for information on how to use Oracle Directory Manager and the ldapmodify command

B.3.5 Interpreting Error Messages

This section describes the error messages you may encounter with the Self-Service Console.

500 Internal Server Error

Cause: Usually indicates that Oracle Delegated Administration Services has not been started correctly.

Action: Follow the instructions in "Installing and Configuring Oracle Delegated Administration Services" to determine whether Oracle Delegated Administration Services is running. Also, examine the $ORACLE_HOME/ldap/log/das.log file to determine what is causing the error.

Warning: Page has Expired

Cause: Some Oracle Delegated Administration Services pages use the POST method to submit HTTP requests. Clicking the Back button to view a page that has been submitted with the POST method usually results in a warning message from the Web browser that the page has expired. In general, use of the back button on DAS pages is discouraged.

Action: Avoid using the Web browser's Back button. Instead, use the Go Back button or other navigation buttons and links that appear in the Self-Service Console.

Error: Cannot proceed. Please contact your Administrator to have your password reset!

Cause: This error occurs if a user attempts to reset their password before specifying a password hint.

Action: An administrator must reset the user's password by following the instructions in "Changing the Password of a User". To prevent this error from occurring again, the user must then specify a password hint by following the instructions in "Changing Your Own Password and Password Hint".

B.4 Diagnosing Service Unit Problems

Oracle Delegated Administration Services consists of a set of pre-defined, Web-based service units for performing directory operations on behalf of users. These units enable directory users to update their own information. This section contains these topics:

• Dealing with Pop-Up Window Blocking

• Handling Cross-Domain Invocation Issues

See Also: Oracle Identity Management Application Developer's Guide for additional information on how to write custom applications to resolve the issues discussed in this section

B.4.1 Dealing with Pop-Up Window Blocking

When an Oracle Delegated Administration Services service unit tries to open a new Web browser window, the new window may not open if pop-up window blocking is enabled on a client's Web browser. To avoid pop-up window blocking, you need to write a custom application that opens a new window on a local application server, and then immediately redirects the page to the Oracle Delegated Administration Services service unit.

B.4.2 Handling Cross-Domain Invocation Issues

Oracle Delegated Administration Services service units that need to return parameters to a calling page may fail due to cross-domain JavaScript security restrictions. To avoid such problems, you must write a custom Oracle Internet Directory application.

B.5 Need More Help?

In case the information in the previous sections was not sufficient, you can find more solutions on Oracle MetaLink, http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.

See Also: Oracle Application Server Release Notes, available on the Oracle Technology Network: http://www.oracle.com/technology/documentation/index.html