Oracle® Identity Management Guide to Delegated Administration 10g (10.1.4.0.1) Part Number B15996-01 |
|
|
View PDF |
This appendix describes common problems that you might encounter when using Oracle Delegated Administration Services and explains how to solve them. It contains these topics:
Note: You can also use Web browser diagnostics to identify basic problems with your Oracle Delegated Administration Services deployment, including whether the IP address and host name are valid or if a firewall is properly forwarding requests and responses. For more information, see the documentation for the Web browsers you plan to support in your Oracle Delegated Administration Services deployment. |
If you encounter problems when deploying or running Oracle Delegated Administration Services, you should first examine the various log files that are generated by Oracle Delegated Administration Services and the various components that it requires. This section contains the following topics:
Oracle Delegated Administration Services logs most errors in the following log file:
$ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1
This is the file you should check first when troubleshooting problems with Oracle Delegated Administration Services. Debugging must be enabled before Oracle Delegated Administration Services writes any information to the log file. To enable debugging, follow the instructions in "Enabling Debugging".
See Also: "Viewing and Configuring Session-Level Diagnostic Settings" for information on how to view and configure diagnostic settings for Oracle Delegated Administration Services |
Oracle Containers for J2EE is the servlet engine that receives Oracle Delegated Administration Services page requests. You can examine the servlet access log, named default-web-access.log, in the $ORACLE_HOME/j2ee/OC4J_SECURITY/log/OC4J_SECURITY_default_island_1 directory. You can also examine the application.log file, which contains run-time application errors, in the $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/oiddas/OC4J_SECURITY_default_island_1 directory.
Oracle HTTP Server receives requests for Oracle Delegated Administration Services pages and forwards each request to the appropriate component for further processing. For problems that may be related to Oracle HTTP Server, you can examine the log files located in the $ORACLE_HOME/Apache/Apache/logs directory. Specifically, you should examine the access_log and error_log files.
Note: If Oracle HTTP Server is configured to rotate its log files, it appends a timestamp extension to theaccess_log and error_log files. Use the timestamp extension to find the most recent files. |
Errors that occur when Oracle Delegated Administration Services first starts are recorded in the $ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1 file, which is generated by Oracle Containers for J2EE. Check this file for error messages if the opmnctl
utility hangs or generates command-line errors when attempting to start Oracle Delegated Administration Services.
The $ORACLE_HOME/opmn/logs/ipm.log file also contains basic information regarding the OC4J_SECURITY process, which can be helpful in determining the overall health of your Oracle Delegated Administration Services implementation. Search the ipm.log file for "OC4J_SECURITY" and review any errors you find. The log file typically contains the following messages for OC4J_SECURITY:
Starting Process: OC4J~OC4J_SECURITY~default_island~1 Process Alive: OC4J~OC4J_SECURITY~default_island~1 Stopping Process: OC4J~OC4J_SECURITY~default_island~1 Process Stopped: OC4J~OC4J_SECURITY~default_island~1 Restarting Process: OC4J~OC4J_SECURITY~default_island~1
The ipm.log file also contains messages describing any problems that may have occurred with the OC4J_SECURITY process. For example, the log file will contain the following message if OPMN encounters any problems while starting the OC4J_SECURITY process:
Infra.us.oracle.com~OC4J~OC4J_SECURITY~default_island~1952317603:0 Status: NONE Operation: internal (oid dependency failed) ErrFile: String: OID
To enable or disable debugging for Oracle Delegated Administration Services, you modify the DEBUG
and DEBUG_LEVEL
flags in the $ORACLE_HOME/ldap/das/das.properties file. Table B-1 describes each flag.
Table B-1 Debugging Flags in the das.properties File
Flag | Description | Values | Default Value |
---|---|---|---|
|
Determines whether debugging is enabled |
|
|
|
Specifies the debugging level |
|
none |
The DEBUG_LEVEL
flag is only interpreted if the DEBUG
flag is assigned a value of true. Separate the value assigned to each flag with a vertical bar (|). For example, the following statements assign a value of true
to the DEBUG
flag and a value of tracing
to the DEBUG_LEVEL
flag:
DEBUG|true DEBUG_LEVEL|tracing
After modifying the das.properties file, you must restart the Oracle Delegated Administration Services instance. Before restarting Oracle Delegated Administration Services, you may want to consider deleting the existing ipm.log file in order to create a fresh log file that does not contain any messages from previous Oracle Delegated Administration Services instances.
This section describes how to troubleshoot problems with the Self-Service Console. It contains these topics:
You can use the diagnostic settings in Oracle Delegated Administration Services to debug your implementation without having to examine the log files. If you have configuration privileges, then you can also change the runtime logging levels without restarting Oracle Delegated Administration Services.
You can view and configure application level diagnostic settings for all user sessions and all units in an Oracle Delegated Administration Services application. Diagnostic settings can be turned on or off. If an application-level diagnostic setting is turned on, diagnostics will display, unless overridden by session-level or unit-level diagnostic settings. If an application-level diagnostic setting is turned off, diagnostics will not display, unless overridden by session-level or unit-level diagnostic settings.
To view and configure application-level diagnostic settings:
Enter the following URL in a Web browser to open the Application-Level Diagnostic Settings window:
http://host_name:port_number/oiddas/ui/oracle/ldap/das/pages/Application
This window is described in "Application-Level Diagnostic Settings"
Basic application-level configuration settings display in the Information section and connection pool settings and statistics display in the Connection Pool section.
To display diagnostic information:
In the Configuration section, change the Value field to On.
Select Update. Scroll to the bottom of the Web page to view the diagnostic information.
To change logging levels:
In the Logging section, click the check boxes of the logging levels you want to change.
Select a desired value from the Change log level to box.
Select Update.
You can view and configure session-level diagnostic settings for the current user session and for all units in an Oracle Delegated Administration Services application. Diagnostic settings can be turned on or off or can inherit application-level diagnostic settings. If a session-level diagnostic setting is turned on, diagnostics will display, unless overridden by a unit-level diagnostic setting. If a session-level diagnostic setting is turned off, diagnostics will not display, unless overridden by a unit-level diagnostic setting. If a particular diagnostic setting is set to "inherit", then the application-level diagnostic setting applies.
To view and configure session-level diagnostic settings:
Enter the following URL in a Web browser to open the Session Level Diagnostic Settings window:
http://host_name:port_number/oiddas/ui/oracle/ldap/das/pages/Session
This window is described in Session Level Diagnostic Settings
Basic session-level configuration settings display in the Information section and console navigation settings display in the Navigation section.
To change session-level diagnostic settings:
In the Configuration section, select a desired value in the Value field for the diagnostic setting you want to change.
Select Update.
Unit-level diagnostic settings control the display of diagnostics for the current user session in a given unit. Applicable values for a diagnostic setting at the unit level are "on", "off", and "inherit". If a unit-level diagnostic setting is turned on, diagnostics will display for the specified unit. If a unit-level diagnostic setting is turned off, diagnostics will not display for the specified unit. If a value of "inherit" is applied to a diagnostic setting, then the session-level diagnostic setting applies.
To enable or disable diagnostics for the current user session and a specific unit, append a question mark and "diagnostic=on", or "diagnostic=off", or "diagnostic=inherit" to the URL of the desired unit. For example, the following URL enables diagnostics for the current user session with the user search unit:
http://host_name:port_number/oiddas/ui/oracle/ldap/das/ pages/UserSearch?diagnostic=on
For problems logging in, examine the $ORACLE_HOME/ldap/log/das.log file. Also, verify the following:
The URL contains the correct infrastructure host name and HTTP server port.
You are using the correct redirection URL.
You can successfully execute ping
and nslookup
commands from the Web client server to the infrastructure server.
You can execute ldapbind
commands from both administrative and user accounts.
Whether a specific set of users is failing to log in.
If any user accounts are locked.
See Also: Oracle Internet Directory Administrator's Guide for information on password policies in Oracle Internet Directory |
Also, verify that the following properties are correctly set in the $ORACLE_HOME/config/ias.properties file:
DAS.LaunchSuccess
IASname
InfrastructureUse
OIDhost
OIDport
OIDsslport
VirtualHostName
InfrastructureDBCommonName
Finally, ensure that the OC4J_SECURITY information in $ORACLE_HOME/opmn/conf/opmn.xml file is set correctly. The OC4J_SECURITY information is located in the following elements in the opmn.xml file:
<process-type id="OC4J_SECURITY" module-id="OC4J"> <environment> <variable id="DISPLAY" value="Infrahost.us.oracle.com:0.0"/> <variable id="LD_LIBRARY_PATH" value="/app/oracle/product/10g/infra/lib"/> </environment> <module-data> <category id="start-parameters"> <data id="java-options" value="-Djava.security.policy=/app/oracle/product /10g/infra/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true -Xmx512m -Djava.awt.headless=true "/> <data id="oc4j-options" value="-properties"/> </category> <category id="stop-parameters"> <data id="java-options" value="-Djava.security.policy=/app/oracle/product/ 10g/infra/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true"/> </category> </module-data> <start timeout="900" retry="2"/> <stop timeout="120"/> <restart timeout="720" retry="2"/> <port id="ajp" range="3301-3400"/> <port id="rmi" range="3201-3300"/> <port id="jms" range="3701-3800"/> <process-set id="default_island" numprocs="1"/> </process-type>
See Also: Oracle Application Server Single Sign-On Administrator's Guide for additional information on how to resolve login problems |
Oracle Internet Directory enables you to establish a password policy in which users are prompted to change their passwords after initial login. Users must change their passwords by using the Oracle Internet Directory Self-Service Console Password Change screen. Using other mechanisms may not satisfy the password change requirement, and users may be prompted to change their password again the next time they log in.
See Also: Oracle Internet Directory Administrator's Guide for information on password policies in Oracle Internet Directory |
User entries in Oracle Internet Directory that do not belong to the inetOrgPerson
object class will not appear in the Self-Service Console. You can assign user entries to an object class by using Oracle Directory Manager or the ldapmodify
command.
See Also: The Oracle Internet Directory Administrator's Guide for information on how to use Oracle Directory Manager and theldapmodify command |
This section describes the error messages you may encounter with the Self-Service Console.
Oracle Delegated Administration Services consists of a set of pre-defined, Web-based service units for performing directory operations on behalf of users. These units enable directory users to update their own information. This section contains these topics:
See Also: Oracle Identity Management Application Developer's Guide for additional information on how to write custom applications to resolve the issues discussed in this section |
When an Oracle Delegated Administration Services service unit tries to open a new Web browser window, the new window may not open if pop-up window blocking is enabled on a client's Web browser. To avoid pop-up window blocking, you need to write a custom application that opens a new window on a local application server, and then immediately redirects the page to the Oracle Delegated Administration Services service unit.
Oracle Delegated Administration Services service units that need to return parameters to a calling page may fail due to cross-domain JavaScript security restrictions. To avoid such problems, you must write a custom Oracle Internet Directory application.
When logging in to the Self-Service Console, the Web browser displays an error message that the server cannot be found. This occurs if the SSO service is down or if the mod_osso
service is not configured properly. To resolve this issue, restart the SSO service or reconfigure the mod_osso
service. For more information, refer to the Oracle Application Server Single Sign-On Administrator's Guide.
In case the information in the previous sections was not sufficient, you can find more solutions on OracleMetaLink, http://metalink.oracle.com
. If you do not find a solution for your problem, log a service request.
See Also:
|