Oracle® Access Manager Identity and Common Administration Guide
10g (10.1.4.0.1)

Part Number B25343-01

F Troubleshooting Oracle Access Manager

This appendix explains typical problems that you could encounter while running or installing Oracle Access Manager. It contains these sections:

F.1 Problems and Solutions

This section describes common Oracle Access Manager error messages, problems and solutions. It contains the following topics:

F.1.1 Memory Usage Rises for an Identity Server After Configuring a Directory Server Profile

After configuring a directory server profile, the memory usage for the Identity Server becomes too high. Note that this problem can also apply to an Access Server or Policy Manager.

F.1.1.1 Problem

When you configure a directory server profile, you are prompted to provide a maximum session time. The default value for the session time is 0 (unlimited). This may cause a performance issue, because the size of the caches for LDAP connections to the Identity Server increases over time. Oracle Access Manager does not control these caches directly.

F.1.1.2 Solution

To prevent the cache size from causing a performance problem, set the value of the Maximum Session Time (Minutes) for the directory server profile to a finite value, for example, 10 hours, as follows:

  1. From the Identity System Console, click System Configuration, then click Directory Profiles.

  2. Click the link for the profile that you want to modify.

  3. In the Max. Session Time (Min.) field, set the value to 600.

F.1.2 Unable to Save a Directory Server Profile

When saving a directory server profile for use by Identity System and Access System components, you may receive an error similar to the following: "Unable to save the Directory Server Profile. The applications require a Directory Server Profile to access Policy base with search, modify, and delete operations to function properly. This Directory Server Profile cannot load balance between its servers as well."

F.1.2.1 Problem

When you install the Access System (at least the Policy Manager), you are asked to identify a location in the directory for policy information. This branch in the directory may or may not be the same as the branch where the Identity System configuration data is stored. Also during Policy Manager installation, a directory profile is created that provides the Identity Servers rights over the policy branch. The Identity Servers require the ability to search, modify and delete objects in the Access System's policy branch to ensure referential integrity between the Identity and Access Systems. For example, suppose that you allow a user access to a particular resource in the Allow Access page of a policy in the Access System. If you delete the user from the Identity System, referential integrity ensures that the user is also deleted from the policies in the Access System.

If there is no directory profile that provides referential integrity between the Identity and Access Systems, you receive the "Unable to save. . ." error. If you receive this message, you have probably deleted or edited this profile.

F.1.2.2 Solution

Create another directory server profile with access to the policy branch of the directory.

F.1.3 Active Directory: Adding Members Causes the Group Size to Shrink

Adding users to static groups works properly only up to a point.

Problem

Continuing to add members to static groups causes the group size to shrink.

Solution

Change the value for the parameter maxForRangedMemberRetrieval in globalparams.xml to a number higher than the desired group membership size:

  • If you are using Active Directory on Windows 2003, set the parameter maxForRangedMemberRetrieval in globalparams.xml to 1500.

  • If you are using Active Directory on Windows 2000, set it to 1000.

F.1.4 ADSI Cannot Be Enabled for a Directory Profile

When using Active Directory, you can use the Identity System Console to change the directory profile for user data from ADSI to LDAP or LDAP to ADSI. However, you cannot do this for configuration or policy data.

F.1.4.1 Problem

When you attempt to change the directory profile for policy or configuration data from the Identity System Console, you get an error. For example, suppose that you store user data in an Active Directory forest using LDAP, and you store configuration and policy data in a different Active Directory forest using ADSI. If you use the Identity System Console to change the ADSI flag in the configuration data database profile to LDAP, after restarting the Oracle Access Manager servers and services, the ADSI flag remains enabled and the following message appears:

"ADSI can be enabled for either user or configuration DB Profile if they are in a separate forest. ADSI Cannot be Enabled for this DB Profile."

Any attempt to modify the directory profile for configuration or policy data to ADSI produces an error because Oracle Access Manager recognizes the profile as ADSI-enabled.

F.1.4.2 Solution

To modify the directory profile for configuration and policy data, rerun the setup program. See "Rerunning Setup Manually" for details.

F.1.5 Database Validation Fails

In the Identity System Console, when you attempt to save a new database instance for an RDBMS profile, you may receive a "Database Validation failed" message.

F.1.5.1 Problem

This problem occurs when creating an RDBMS profile, as described in "Managing RDBMS Profiles". Usually, the problem arises because of an incorrect value for the SQLDBType parameter in the following file:

component_install_dir/identity/apps/common/bin/globalparams.xml

Where component_install_dir is the location where the Identity Server was installed.

F.1.5.2 Solution

Set the value for the SQLDBType parameter as follows:

  • For an ODBC connection type, set the value to Oracle.

  • For an OCI connection type, set the value to Oracle_OCI.

  • For a SQL Server database, set the value to SQLServer.

F.1.6 Simple Transport Security Mode Expires After One Year

The default validity period for Simple transport security mode certificates is 365 days.

F.1.6.1 Problem

When you configure transport security among Oracle Access Manager components, you can choose between Open, Simple, and Cert modes. See "Changing Transport Security Modes" for details.

By default, Simple mode is only operational for one year.

F.1.6.2 Solution

You can extend the life of the Simple mode certificate as follows:

  1. Open the following file:

    component_install_dir/identity|access/oblix/tools/openssl/openssl_silent.cnf

    Where component_install_dir is the directory where the Access or Identity System component was installed.

  2. In this file, look for the parameter named default_days.

    By default, the value for this parameter is 365 days, as follows:

    default_days = 365 # Duration to certify for
    
    
  3. You can extend the life of the certificate by increasing the default days.

    For example, you increase the life of the certificate to two years as follows:

    default_days = 730 # Duration to certify for
    
    
  4. To regenerate the simple mode certificates with the duration you set in the openssl_silent.cnf file, reconfigure and restart the component using one of the following tools:

F.1.7 Style Sheet Validation Fails

When you create or customize a style sheet using Presentation XML, the style sheet has compilation errors.

F.1.7.1 Problem

This problem occurs when you do the following:

  1. Open a stylesheet in a text editor or (preferably) an XML editor.

  2. Change some parameters in the file and save the changes.

  3. Open an Identity application, for example, the User Manager, to see the changes.

Expected result: Changes appear as expected.

Actual result: The Identity System issues a bug report.

F.1.7.2 Solution

This problem can occur for a variety of reasons, but chances are good that there are errors in the way the style sheet is coded.

Open the XSL file in an Internet Explorer window. If there is an error in the code, the browser will show the line number that contains the error. For more information on Presentation XML, see Oracle Access Manager Customization Guide.

F.1.8 "Cannot Find xenroll.cab" Error Is Issued When Using a Workflow

When running a workflow, a user may receive a 404 error that states "Cannot find xenroll.cab."

F.1.8.1 Problem

This problem occurs when a user runs a workflow in an Identity System application, for example:

  1. Open the User Manager.

  2. View a user profile.

  3. Click a Modify button on the profile that invokes an Enroll Certificate Workflow.

In older versions of Oracle Access Manager, the file xenroll.cab was used for certificate enrollment workflows and certificate revocation workflows. However, Oracle has removed support for these workflows. This file is not used anymore.

F.1.8.2 Solution

You can safely remove the references to xenroll.cab from the stylesheet. See the Oracle Access Manager Customization Guide for details. The following is an example of this reference:

<head>
... <object id="cenroll" classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
codebase="/identity/oblix/apps/common/bin/xenroll.cab" />
... <script src="http://km.oraclecorp.com/identity/oblix/apps/common/bin/installCert.vbx" language="VBScript" />
</head>
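
One way to find and remove these references across a set of stylesheets, as an added example that is not part of the Oracle guide: it locates `<object>` elements whose codebase points at xenroll.cab, reports the line each starts on, and returns the stylesheet text without them. The function names, the sample stylesheet and the keep.cab reference in it are constructed for illustration.

```python
import re
from pathlib import Path

# An <object> element (self-closing or with a body) whose codebase attribute
# points at xenroll.cab. Attribute order, quoting and letter case may vary.
XENROLL_OBJECT = re.compile(
    r"""<object\b(?=[^>]*\bcodebase\s*=\s*["'][^"']*xenroll\.cab["'])"""
    r"""[^>]*?(?:/>|>.*?</object\s*>)""",
    re.IGNORECASE | re.DOTALL,
)

def find_xenroll_refs(text):
    """Return (line_number, element) for each xenroll.cab <object> element."""
    hits = []
    for m in XENROLL_OBJECT.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        hits.append((line, " ".join(m.group(0).split())))
    return hits

def strip_xenroll_refs(text):
    """Return the stylesheet text with the xenroll.cab <object> elements removed."""
    return XENROLL_OBJECT.sub("", text)

def audit_tree(root):
    """Scan every .xsl file under root; return {path: hits} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.xsl"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_xenroll_refs(text)
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample stylesheet: one stale reference, one unrelated object.
SAMPLE = """<xsl:template match="/" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<html>
<head>
<object id="cenroll" classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
codebase="/identity/oblix/apps/common/bin/xenroll.cab" />
<object id="other" codebase="/identity/oblix/apps/common/bin/keep.cab" />
</head>
</html>
</xsl:template>
"""

if __name__ == "__main__":
    for line, element in find_xenroll_refs(SAMPLE):
        print(f"line {line}: {element}")
```

Run `audit_tree` against a copy of the stylesheet directory first, and review the reported elements before writing the stripped text back.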

F.1.9 "Enable Failed" Error Is Issued When Using a Workflow

The workflow fails when a user runs it.

F.1.9.1 Problem

This problem occurs when a user runs a workflow in an Identity System application, for example:

  1. Open the User Manager.

  2. View a user profile.

  3. Click a Modify button on the profile that invokes a Change Attribute Workflow.

Expected result: The workflow behaves as expected.

Actual result: The user receives an "Enabled failed" error.

F.1.9.2 Solution

There is no definitive solution to this problem, since workflow configuration can fail for a number of reasons. However, a likely candidate is selecting an invalid searchbase during workflow configuration. Delete the searchbase and re-configure the workflow. See "About the Searchbase" for details.

F.1.10 JPEG Photo Images Are Not Updated

When attempting to modify a photo in an Identity application, JPEG photo images are not being updated.

F.1.10.1 Problem

This problem occurs when a user who has write permission to the Photo attribute does the following:

  1. Open the User Manager.

  2. View a user profile that contains a photo.

  3. Select Panel View.

  4. Try to upload a new photo.

Expected result: The photo is updated.

Actual result: The photo does not change.

F.1.10.2 Solution

Modify JPEG photo images in the page view.

F.2 Need More Help?

You can find more solutions on Oracle MetaLink, http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.