Oracle® Application Server Release Notes
10g (10.1.4.0.1) for Solaris Operating System (SPARC 64-Bit)

Part Number B32089-06

5 Oracle Access Manager

This chapter provides information about known issues and workarounds for Oracle Access Manager. The following topics are included:

See Also:

The following documents for more information:

5.1 About Installation Packages, Patch Sets, Bundle Patches, and Newly Certified Agents

This section provides information and distinctions on the following Oracle Access Manager product packages:

5.1.1 Full Installer Packages

Oracle provides full installer packages for major Oracle Access Manager releases:

  • 10g (10.1.4.3)

  • 10g (10.1.4.0.1)

Note:

Oracle Access Manager 10g (10.1.4.2.0) was a patch set only.

Each full installer package provides the libraries and files that comprise a complete software distribution and implement all product functionality. Full installer packages are provided for every component on supported platforms. All of the components have been tested and are certified to work with one another across supported platforms.

Note:

You can use 10g (10.1.4.3) installers to create a fresh Oracle Access Manager installation only. You can apply the 10g (10.1.4.3) patch set to update 10g (10.1.4.2.0) components as described in Section 5.1.2.1, "Updating Oracle Access Manager 10g (10.1.4) with the Latest Patch Sets".

An Oracle Media Pack is an electronic version of Oracle software products on physical media (DVDs). Physical Oracle Media Packs are available to any customer working with a Sales Representative. In addition, you can order a physical Media Pack from the Oracle store. Shop online at: http://oracle.com.

Virtual DVDs and Media Packs are available as follows:

  • From Oracle Technology Network (OTN) at:

    http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html
    

    Use the following links to download Oracle Access Manager 10g (10.1.4.3):

    • Access Manager Core Components (10.1.4.3.0)

      See Also:

      Oracle Containers for J2EE Security Guide to implement SSO for Oracle Fusion Middleware 11g using the OAM Configuration tool (available with 10g (10.1.4.3) core components) and the OAM Identity Assertion Provider (available with 10g (10.1.4.3) WebGates for OHS 11g).

    • Access Manager WebGate (10.1.4.3.0)

    • Policy Manager and WebPass on Third Party and non-OHS 11g Web Servers

    • Access Manager Language Packages (10.1.4.3.0)

    • GCC Libraries

    Note:

    Get Oracle Access Manager 10g (10.1.4.3) WebGates for third-party and non-OHS 11g Web servers from:
    http://www.oracle.com/technology/software/products/ias/htdocs/101401.html
    
  • From Oracle edelivery at:

    http://edelivery.oracle.com/EPD/Search/get_form
    

    Oracle edelivery provides access to Oracle Fusion Middleware Media Packs that mirror the contents of the physical Media Pack bundle.

5.1.2 Patch Sets, Bundle Patches, and Patch Set Exceptions

Table 5-1 provides a brief overview of the differences between a standard patch set (10g (10.1.4.2.0), for instance), a bundle patch, and a patch set exception.

Table 5-1 Bundle Patches, Patch Sets, and Patch Set Exceptions

Mechanism Description

Patch Set

A patch set is a mechanism for delivering fully tested and integrated product fixes that can be applied to installed components of the same release. Each patch set provides the libraries and files that have been rebuilt to implement bug fixes (and new functions, if any). All of the fixes and functions in the patch set have been tested and are certified to work with one another on specified platforms.

Patch sets include all of the fixes available in previous bundle patches (or patch set exceptions) for the release. A patch set might not be a complete software distribution and might not include packages for every component on every platform.

See Also: Section 5.1.2.1, "Updating Oracle Access Manager 10g (10.1.4) with the Latest Patch Sets".

Bundle Patch

A bundle patch is an official Oracle patch for Oracle Access Manager components on baseline platforms. Bundle patches are released on a regular basis, after one product release and before the next.

Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes and functions. All of the fixes and functions in the bundle patch have been tested and are certified to work with one another. Regression testing has also been performed to ensure backward compatibility with all Oracle Access Manager components in the bundle patch, and with earlier WebGates.

Each bundle patch is cumulative: the latest bundle patch includes all fixes in earlier bundle patches for the same release and platform. Fixes delivered in bundle patches are rolled into the next release: all 10g (10.1.4.2.0) bundle patch fixes are included in Oracle Access Manager release 10g (10.1.4.3).

See Also: Section 5.1.2.2, "Retrieving the Latest Bundle Patch".

Patch Set Exception (PSE)

Each PSE was an official Oracle patch; however, a PSE was not a complete product distribution and did not include packages for every component on every platform.

Each PSE (also known as a one off or hot fix) addressed only one issue for a single component; typically (but not always) only for a single platform. A PSE included only the libraries and files that had been rebuilt to implement a specific fix for a specific component.

Each PSE was cumulative, but did not undergo extensive regression testing and certification by QA. Individual PSE releases were not tested to work together with other PSE releases.

Note: The bundle patch mechanism has replaced the patch set exception mechanism.


5.1.2.1 Updating Oracle Access Manager 10g (10.1.4) with the Latest Patch Sets

Your starting Oracle Access Manager release determines the patch sets you need, as described in Table 5-2.

Table 5-2 Updating Oracle Access Manager

If Your Starting Release Is ...     You Must ...

10g (10.1.4.0.1)

Perform both steps in the following procedure:

  1. Apply the 10g (10.1.4.2.0) patch.

  2. Apply the 10g (10.1.4.3) patch.

10g (10.1.4.2.0)

Skip Step 1 and apply only the 10g (10.1.4.3) patch.


Note:

See the patch set notes for 10g (10.1.4.2.0) and 10g (10.1.4.3) for details about enhancements and bug fixes available with each release, as well as any known issues.

To obtain the latest patch sets

  1. 10g (10.1.4.2.0) Patch:

    1. Go to My Oracle Support and log in as usual:

      https://support.oracle.com
      
    2. Click Patch ID or Number.

    3. In the empty field, enter 5957301, and then click Search.

    4. In the Patch Search Results table, click the number beside the item that corresponds to your platform.

    5. Readme: Click the View Readme button to display the Release Notes, which you can print.

    6. Download: Click the Download button to acquire the packages.

    7. Installation: See the Readme (oam_101420_readme.pdf) for all prerequisites, patch install, post-patching instructions, and more.

  2. 10g (10.1.4.3) Patch:

    1. Go to My Oracle Support and log in as usual:

      http://support.oracle.com
      
    2. Click Patch ID or Number.

    3. In the empty field, enter 8276055, and then click Search.

    4. In the Patch Search Results table, click the number beside the item that corresponds to your platform.

    5. Readme: Click the View Readme button to display the Release Notes, which you can print.

    6. Download: Click the Download button to acquire the packages.

    7. Installation: See the Readme (oam_101430_readme.pdf) for all prerequisites, patch install, post-patching instructions, and more.

5.1.2.2 Retrieving the Latest Bundle Patch

Oracle releases bundle patches to correct any reported issues in your deployment. Oracle recommends that you obtain and apply the latest bundle patch.

To download a 10g (10.1.4.3) bundle patch

  1. On the machine that will host the bundle patch files, create a temporary directory to contain the platform-specific bundles that you will download. For example:

     Unix: /home/10143BPnn/tmp
     Windows: C:\10143BPnn\tmp

  2. Go to My Oracle Support and log in as usual:

    http://support.oracle.com
    
  3. Click the Patches & Updates link.

  4. Click Product or Family (Advanced Search) and fill in the search criteria. For example:

    1. From the Product is list, click Oracle Oblix COREid.

    2. From the Release is list, click Oracle Access Manager 10.1.4.3.

    3. From the following list, select Platform.

    4. From the list of platforms, select all that apply.

    5. Click the Search button.

    6. In the Patch Search Results table: Locate the latest bundle patch (top of the list) and click the corresponding number.

  5. Readme: Click the View Readme button to display the Release Notes, which you can print.

  6. Download: Click the Download button to retrieve the packages.

  7. Installation: See the Readme (oam_101430_bpnn_doc.pdf) for all prerequisites, patch install, post-patching instructions, and more.

5.2 General Issues

This section describes some general issues and workarounds. It includes the following topics:

5.2.1 New Location for the Platform Support Matrix

Oracle continually certifies Oracle Access Manager support with various third-party platforms, Web server releases, directory server releases, and applications. For the latest support details, see the certification matrix that is available at:

http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access_manager_certification_10.1.4_r3_matrix.xls

5.2.2 Known Issue With JDK 1.1.7

There is a known limitation with Java applets in JDK 1.1.7. When used with this release of Oracle Access Manager, applets with non-ASCII data can only be displayed properly on computers with a native-encoded operating system. Setting browser encoding will not work.

If you intend to use non-ASCII data, run Oracle Access Manager on computers with a native-encoded operating system.

5.2.3 The Name "Query Builder" Is Not Always Translated

In this release, the name "Query Builder" has been translated for different language locales in some places, and not in others. The term "Selector" is translated into respective locales everywhere.

5.2.4 Users Can Access Resources After Password Reset Without Logging In

You can enable users to access resources without re-authenticating after resetting a password. This information was omitted from the documentation.

To log users in after changing their password, the change password redirect URL must include STLogin=%applySTLogin% as a parameter.

The following is an example of a change password redirect URL that logs the user in:

/http://machinename:portnumber/identity/oblix/apps/lost_password_mgmt/bin/lost_password_mgmt.cgi?program=redirectforchangepwd&login=%login%%userid%&backURL=%HostTarget%%RESOURCE%&STLogin=%applySTLogin%&target=top

To implement automatic login after password change with a form-based authentication scheme, you must configure the challenge parameter creds by supplying the user name credential parameter as the first token, the password credential parameter as the second token, then any other credential parameters.

5.2.5 Time Management and Daylight Savings Time

Time management includes changes for daylight savings time. In the United States, the Energy Policy Act of 2005 was signed into law to extend daylight saving time. In calendar year 2007, the effective dates for daylight savings are going to change. Under the new rules, DST in the U.S. will start on the second Sunday in March and end the first Sunday in November. In the past, daylight savings time started on the first Sunday in April and ended the last Sunday in October. This change also affects Canada.

USA 2007 Daylight Saving Time (DST) Compliance for Oracle Access Manager: No patches are required for the Identity Server or Access Server to accommodate daylight savings time changes. However, Oracle Access Manager interacts with other components that may be impacted by DST changes such as Web servers, applications servers, LDAP directories and databases. Check your vendor documentation and ensure that any required patches are applied to other affected components.

Follow the recommendations of Operating System vendors for any required DST changes. In addition, ensure that system clocks of computers hosting Oracle Access Manager components are synchronized as discussed in the Oracle Access Manager Installation Guide.

For more information about the impact of USA 2007 DST compliance for Oracle Database and Oracle Fusion Middleware products, see Note: 397281.1 on the My Oracle Support Web Site:

https://support.oracle.com

5.2.6 SSL Is Now Supported for Communication Between the Policy Manager and the Directory Server

On an NSAPI Policy Manager that runs on Solaris, you can now configure SSL between the Policy Manager and the Directory Server.

The Oracle Access Manager Installation Guide will be updated with this information in a future release.

5.2.7 Caveat to Create a Password Policy with Change on Reset Enabled

A caveat has been added to Oracle Access Manager Identity and Common Administration Guide, chapter on "Configuring Global Settings," in the section on "Creating Password Policies for a Specific Domain." See Step 16 of the procedure "To create a password policy" for the following new note.

16. Select Change on Reset if you want to force users to change the password the first time they log in to the system after an administrator resets the password. By default, the Change on Reset flag is not set. During self-registration, the Change on Reset flag is not set. This field is applicable to both the Identity and Access Systems. For the Access System only, you can also configure a redirect URL for password change. See "Configuring Password Redirect URLs" on page 7-66 for details.

Note:

Use of password policies in the Access System with change on reset functionality enabled and without specifying a Password Change Redirect URL will cause the login prompt to redisplay. This prevents users from changing passwords and ultimately logging in.

5.2.8 Login.html Not Found if Browser Language is Not Supported

Out of the box, Oracle Access Manager internationalized login pages support 27 languages. After customizing external pages, however, you might have only a subset of the 27 supported languages for your Oracle Fusion Applications. For instance, you might have added translation text to your HTML pages that can be translated to only a select few languages.

To avoid additional changes, you must remove support for the unsupported languages in three locations, as follows:

  1. Perl Script configuration (config.pl file): Update the Config.pl Language Mapping array to remove unsupported languages: simply comment out unsupported language lines.

    Note:

    Perl Script configuration refers to the config.pl file, which is copied to the Web server directory during installation.

  2. JavaScript configuration: Remove unsupported languages from Language Array to eliminate their display in Language Selection LOV: simply comment out the lines for unsupported languages.

  3. WebGate_install_dir: Manually remove (or simply move) directories containing unsupported languages. For example, if you have no support for Korean (and Greek), remove WebGate_install_dir/access/oblix/lang/ko-kr (and /lang/el-gr).
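The following shell script is an added example, not part of the release notes or of Oracle's product code, covering step 3 above for a UNIX WebGate: it moves every language directory that is not in a supported list out of the lang tree into a backup directory rather than deleting it, so a language can be restored later if its pages are translated. It assumes the directories live under WebGate_install_dir/access/oblix/lang as stated above and that en-us is the default language directory, which it never moves. Steps 1 and 2 (the config.pl mapping and the JavaScript language array) are edits to those files and are not covered here.

```shell
#!/bin/sh
# Added example (not Oracle's code): move unsupported language directories
# out of a WebGate's lang tree instead of deleting them, so they can be
# restored if the supported-language list changes later.
#
# Assumptions: the language directories live under
# <WebGate_install_dir>/access/oblix/lang (as the release note says) and the
# default directory is named en-us, which is never moved.

# Usage: prune_unsupported_langs <WebGate_install_dir> <backup_dir> <lang> [<lang> ...]
# Prints the name of each directory it moves, one per line, and returns 0.
prune_unsupported_langs() {
    install_dir=$1
    backup_dir=$2
    shift 2
    keep=" en-us $* "              # padded with spaces for whole-word matching
    lang_dir="$install_dir/access/oblix/lang"

    [ -d "$lang_dir" ] || { echo "no lang directory at $lang_dir" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1

    for d in "$lang_dir"/*/; do
        d=${d%/}                   # drop the trailing slash the glob adds
        [ -d "$d" ] || continue    # no match: the glob stayed literal
        name=$(basename "$d")
        case "$keep" in
            *" $name "*) ;;                                # supported: keep it
            *) mv "$d" "$backup_dir/$name" && echo "$name" ;;
        esac
    done
    return 0
}

# Lists the language directories that remain, space separated, for checking.
remaining_langs() {
    for d in "$1"/access/oblix/lang/*/; do
        [ -d "$d" ] && printf '%s ' "$(basename "$d")"
    done
    echo
}

# Example invocation (Korean and Greek not supported, Japanese kept):
#   prune_unsupported_langs /opt/oam/webgate /var/tmp/oam_lang_backup ja-jp
```

Restart the WebGate Web server after moving the directories, as you would after removing them by hand.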

5.3 Installation and Upgrade Issues and Workarounds

To ensure success when upgrading older releases to Oracle Access Manager 10g (10.1.4), you must complete all preparation tasks and meet all requirements described in the Oracle Access Manager Upgrade Guide. The guide also provides step-by-step instructions that you can follow as you upgrade from releases as early as 6.1.1.

This section describes the issues and workarounds for installation and upgrade:

5.3.1 Words are Garbled in the Japanese and Chinese Installation Programs

On Solaris, during installation of the Identity Server, Oracle HTTP Server, WebPass, Policy Manager, Access Server, and WebGate using the graphical user interface in Japanese, some words are garbled, as follows:

  • Language to Install page: All choices in the drop-down list titled "Please choose one of the languages as the default language"

  • Select Directory Server Type page: Some choices in the drop-down list titled "Directory Server Type"

These items have been left in English in the Japanese and Chinese versions of this release.

5.3.2 Issue with Shutting Down WebGates Before an Upgrade

On Solaris, an Access Server may occasionally not shut down completely. If this occurs, it can cause problems with upgrading an older WebGate to release 10g (10.1.4).

To ensure that all Access Server processes are completely shut down before an upgrade, issue the following at a shell prompt:

ps -ef | grep aaa

You can end any running Access Server processes using the kill -9 command.

If some Access Server processes are still running during the upgrade, a "Page not found" error can occur after the upgrade when users attempt to access WebGate-protected resources. To fix this problem, stop the associated Access Servers, terminate any running processes, and restart the Access Servers.
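As an added example (not from the release notes), the script below reads ps -ef output and picks out only processes whose command is the Access Server executable, so the grep command itself and unrelated command lines containing "aaa" are not mistaken for a running server. It assumes the executable is named aaa_server, which you can override through AAA_BIN; the sample ps output embedded in it is constructed. stop_remaining_aaa sends a TERM first and falls back to the kill -9 the note describes; it acts on the live system, so run it only on the host being upgraded.

```shell
#!/bin/sh
# Added example (not Oracle's code): find Access Server processes that are
# still running before an upgrade, without the false matches that a bare
# "ps -ef | grep aaa" gives (the grep itself, and any other command line that
# happens to contain "aaa").
#
# Assumption: the Access Server executable is named aaa_server; set AAA_BIN
# if your installation uses a different name.
AAA_BIN=${AAA_BIN:-aaa_server}

# Reads "ps -ef" output on stdin and prints the PID of every process whose
# command basename equals AAA_BIN, one per line.
aaa_pids() {
    awk -v bin="$AAA_BIN" '
        NR == 1 && $1 == "UID" { next }        # skip the ps header line
        {
            cmd = $8                            # CMD field of ps -ef
            sub(/.*\//, "", cmd)                # keep the basename only
            if (cmd == bin) print $2            # PID field
        }'
}

# Reads "ps -ef" output on stdin; returns 0 when no Access Server process
# remains, 1 otherwise.
aaa_stopped() {
    [ -z "$(aaa_pids)" ]
}

# Stops any remaining Access Server processes on the live system: a TERM
# first, then the kill -9 the release note describes for anything that
# survives.  Not exercised by the checks below.
stop_remaining_aaa() {
    pids=$(ps -ef | aaa_pids)
    [ -n "$pids" ] || { echo "no $AAA_BIN processes running"; return 0; }
    kill $pids 2>/dev/null
    sleep 5
    left=$(ps -ef | aaa_pids)
    [ -n "$left" ] && kill -9 $left 2>/dev/null
    return 0
}

# Constructed sample of "ps -ef" output (not captured from a real host).
# A naive "grep aaa" would report four lines here; only two are servers.
SAMPLE_PS='     UID   PID  PPID   C    STIME TTY         TIME CMD
    root     1     0   0   Jan01 ?        00:00:01 /sbin/init
  oracle  1724     1   0 10:01:02 ?        00:00:12 /opt/oam/access/oblix/apps/common/bin/aaa_server
  oracle  1725  1724   0 10:01:03 ?        00:00:03 /opt/oam/access/oblix/apps/common/bin/aaa_server
  oracle  2001   900   0 10:05:00 pts/1    00:00:00 grep aaa
  oracle  2002   900   0 10:05:10 pts/1    00:00:00 vi /tmp/aaa_notes.txt'

# Example check before starting the upgrade:
#   ps -ef | aaa_stopped || stop_remaining_aaa
```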

5.3.3 Issue with Exiting from Installation on Solaris

The installer may dump core when exiting. If it does, the following message appears:

@ SIGABRT 6 abort (generated by abort(3) routine) 
@     si_signo [6]: ABRT 
@     si_errno [0]: 
@     si_code [-1]: SI_LWP [pid: 1724, uid: 0] 
@         stackpointer=FFBFD7D0 
@ "process reaper" (TID:0x72d588, sys_thread_t:0x72d4c0, state:NS, thread_t: 
@ t@54, threadID:0x0, stack_bottom:0x0, stack_size:0x0) prio=5 
@ ... 
@ ------------------- 

This is only a problem with the installer. It has no impact on the functionality of the Oracle Access Manager component that you installed.

5.3.4 Change the Transport Security Mode During Installation

A transport security mode is a method of communication between two points, such as a client and a server. Oracle Access Manager offers the following transport security modes for communication between components, as discussed in the Oracle Access Manager Installation Guide:

  • Open: Communication is not encrypted.

  • Simple: Communication is encrypted with Oracle Access Manager's internal CA.

  • Cert: Communication is encrypted with an external CA. With Cert mode, communications are encrypted using TLS v1, and both client and server must present an X.509 certificate (in base64 format) when establishing a connection.

By default, an Oracle Access Manager installation uses Open mode. This applies to directory connections and communication between Oracle Access Manager components, for example, the WebPass and Identity Server. In Open mode, the communication channel is open to eavesdroppers. Oracle recommends that you secure your network using SSL communication with the directory and Certificate mode across Oracle Access Manager components.

The next release of the Oracle Access Manager Installation Guide will include the following recommendation for transport security:

"During installation, Oracle Access Manager components default to Open mode. However, this does not provide secure communication between components such as Identity Servers and WebPass nor Access Server and WebGate, nor for LDAP connections. In Open mode, the communication channel is susceptible to eavesdropping. To provide a secure deployment, Oracle recommends that you choose Certificate (Cert) mode for transport security between Oracle Access Manager components, and SSL-enabled security between Oracle Access Manager components and directory servers."

5.3.5 iPlanet Server Fails After Tuning

After tuning Oracle Access Manager from the iPlanet administration console, the server fails to work. For example, after changing the number of threads in the native thread pool, the server fails to restart.

Do not use the iPlanet console for tuning. This can cause the server to remove any existing Oracle Access Manager configuration information. Use the following file to load the Oracle Access Manager Web components and retain the tuning parameters: $Web_Server_home\config\magnus.conf

5.3.6 Oracle Internet Directory Servers Require Tuning After Installation

After installing Oracle Access Manager against an Oracle Internet Directory, you need to tune the directory to ensure adequate performance when processing search requests and other functions.

Use the following ldapmodify command to tune Oracle Internet Directory:

ldapmodify -D cn=orcladmin -w <adminPsswd> -h <host> -p <port> << eof
dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
changetype: modify
add: orclinmemfiltprocess
orclinmemfiltprocess: (|(obuseraccountcontrol=activated)(!(obuseraccountcontrol=*)))
orclinmemfiltprocess: (|(!(obuseraccountcontrol=*))(obuseraccountcontrol=activated))
eof

In the sample command, <host> and <port> refer to the Oracle Internet Directory installation host and port.

Note:

Be sure to include a space after the attribute orclinmemfiltprocess: and a single space at the start of each continuation line of the attribute value. Do not insert a blank line between the attribute orclinmemfiltprocess: and its continuation line. Repeat the above step for each additional Oracle Internet Directory Server that you install.

For more information, see the Oracle Access Manager Installation Guide.
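The script below is an added example, not Oracle's own, that writes the LDIF from the command above with the second filter value folded across two lines as the note describes, validates the folding (a continuation line starts with one space and directly follows a non-blank line), and unfolds it so you can see the exact filter strings the directory will store. apply_oid_tuning pipes the validated LDIF into ldapmodify with the same options as the command above; host, port and the orcladmin password are its arguments.

```shell
#!/bin/sh
# Added example (not Oracle's code): produce the Oracle Internet Directory
# tuning LDIF from the release note with the second filter value folded,
# check the folding against the LDIF rule the note describes, and show the
# values as the directory will see them once unfolded.

# The LDIF from the release note.  The second orclinmemfiltprocess value is
# deliberately folded: its continuation line begins with a single space.
oid_tuning_ldif() {
    cat <<'EOF'
dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
changetype: modify
add: orclinmemfiltprocess
orclinmemfiltprocess: (|(obuseraccountcontrol=activated)(!(obuseraccountcontrol=*)))
orclinmemfiltprocess: (|(!(obuseraccountcontrol=*))
 (obuseraccountcontrol=activated))
EOF
}

# Joins folded LDIF lines: a line starting with one space continues the
# previous line, with that space removed.
unfold_ldif() {
    awk '
        /^ /   { buf = buf substr($0, 2); next }
        NR > 1 { print buf }
               { buf = $0 }
        END    { print buf }'
}

# Returns 0 when every continuation line begins with a space (not a tab)
# and directly follows a non-blank line; 1 otherwise.
ldif_fold_ok() {
    awk '
        /^ / && (NR == 1 || prev == "") { bad = 1 }
        /^\t/                           { bad = 1 }
        { prev = $0 }
        END { exit bad ? 1 : 0 }'
}

# Number of orclinmemfiltprocess values once folding is undone.
oid_filter_count() {
    oid_tuning_ldif | unfold_ldif | grep -c '^orclinmemfiltprocess: '
}

# Applies the tuning to a live directory with the same ldapmodify options
# as the release note.  The password is passed on the command line exactly
# as in the note, so it is visible in process listings while the command
# runs; prefer your ldapmodify's password prompt where one is available.
apply_oid_tuning() {
    host=$1; port=$2; admin_pw=$3
    oid_tuning_ldif | ldif_fold_ok || { echo "LDIF folding is wrong" >&2; return 1; }
    oid_tuning_ldif | ldapmodify -D cn=orcladmin -w "$admin_pw" -h "$host" -p "$port"
}

# Example: apply_oid_tuning oid.example.com 389 "$ORCLADMIN_PW"
```

Run oid_tuning_ldif | unfold_ldif before applying the change on each Oracle Internet Directory server; the two filter lines it prints are the values the server will store.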

5.3.7 Support for DirX Has Been Deprecated

Support for the Siemens DirX directory server has been deprecated in this release. However, options to select and configure DirX appear on installation screens and on Identity System and Access System configuration pages in the System Console.

Ignore all Siemens DirX options in the product installer and configuration user interface.

5.3.8 "Enter Password" String Does Not Display Correctly During Installation

When running the installer in console mode using some language packs, the prompt for entering the LDAP password may be garbled.

The solution that works in most cases is to install all of the language support available on the computer where the Oracle Access Manager installation is being performed. Be sure all of the fonts that are required for the language are installed. Log in to the machine locally and choose the language to display on the login screen.

5.3.9 Uninstalling a Language Pack With a "2" Designation Causes an Error

You may be unable to remove (uninstall) a language pack with a designation 2. For example, you may not be able to uninstall using _uninstAccessLP_ko-kr2 after using _uninstAccessLP_ko-kr (and vice versa).

The following information is a workaround for this problem.

Complete the following steps. Korean (ko-kr) is used as the language in the following example; your environment will vary:

  1. Copy _jvmAccessLP_ko-kr to a backup folder.

  2. Run uninstaller.exe under _uninstAccessLP_ko-kr2.

    It should automatically remove both _jvmAccessLP_ko-kr and _uninstAccessLP_ko-kr2.

  3. Copy _jvmAccessLP_ko-kr back to the original Component_install_dir/WebComponent/access/ directory.

  4. Run uninstaller.exe under _uninstAccessLP_ko-kr.

    It should automatically remove _jvmAccessLP_ko-kr and _uninstAccessLP_ko-kr.

  5. Restart the Identity Server and Access Server and Web component Web servers.

5.3.10 Simple Mode Password File Not Converted During Upgrade

If the earlier Access Server is in Simple mode before the upgrade, during the upgrade the password.lst file might not be converted to password.xml. The result is that the Access Server cannot be started in the Services Window unless you use the command-line parameters to convey the passphrase on startup. Also, after upgrading a WebGate in Simple mode and starting the Web server, the following error may appear:

"Exception thrown during WebGate initialization" 
     Error^Oracle AccessGate API is not initialized.

The initial Access System page appears. However, clicking on any link results in a "Server error" in the browser (no error number) with the above error echoed to the console. The system cannot be accessed.

The upgraded area does not have the updated password.xml file.

Note:

In releases before 10g (10.1.4), the password file is named and formatted as password.lst. Starting with release 10g (10.1.4), the password file is named and formatted as password.xml.

The following information is a workaround for this problem when the same Simple mode password is being used in the Identity System. In this case, you can copy the password.xml file from the upgraded Identity Server to the upgraded Access Server and WebGate as described in the procedure "Workaround when the same Simple mode password is used in the Identity System". You will be asked about the password immediately after selecting Simple mode.

However, if the password is not the same on the Identity Server as it is on the Access Server, skip to the following procedures. Again, you will be asked about the password immediately after selecting Simple mode:

Workaround when the same Simple mode password is used in the Identity System

  1. If the same Simple mode password is being used in the Identity System, copy the password.xml file as follows:

     From: <upgraded_IdentityServer_install_dir>/oblix/config/password.xml
     To: <upgraded_AccessServer_install_dir>/oblix/config/password.xml
     and
     To: <upgraded_WebGate_install_dir>/oblix/config/password.xml

  2. Start the Access Server.

  3. Restart the WebGate Web server.
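The function below is an added example, not from the release notes, of the copy in step 1 with the checks an administrator would want: it refuses to proceed if the source file or a target oblix/config directory is missing, keeps any password.xml already present in the target as a timestamped backup, and leaves the copied file readable only by its owner. Pass the directory that contains oblix/config for each component; the paths are arguments and nothing here assumes your real install locations.

```shell
#!/bin/sh
# Added example (not Oracle's code): copy the Identity Server's Simple mode
# password.xml to an upgraded Access Server and WebGate, as the workaround
# describes, with the checks an administrator would want.
#
# Assumption: each argument is the directory that contains oblix/config for
# that component; nothing here knows your real install paths.

# Usage: copy_simple_password <upgraded_IdentityServer_install_dir> <target_install_dir> [<target_install_dir> ...]
# Prints the path of each file written, one per line, and returns 0; on the
# first problem it returns 1 without touching any further target.
copy_simple_password() {
    src="$1/oblix/config/password.xml"
    shift
    [ -f "$src" ] || { echo "missing source $src" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    for target_dir in "$@"; do
        cfg="$target_dir/oblix/config"
        [ -d "$cfg" ] || { echo "missing config directory $cfg" >&2; return 1; }
        dst="$cfg/password.xml"
        if [ -f "$dst" ]; then
            # keep whatever the upgrade left behind, in case it is needed
            cp -p "$dst" "$dst.bak.$stamp" || return 1
        fi
        cp "$src" "$dst" || return 1
        chmod 600 "$dst" || return 1     # the file carries the passphrase
        echo "$dst"
    done
    return 0
}

# Returns 0 when the password file in the target matches the source byte
# for byte, so a truncated or stale copy is caught before the restart.
password_file_matches() {
    cmp -s "$1/oblix/config/password.xml" "$2/oblix/config/password.xml"
}

# Example:
#   copy_simple_password /opt/oam/identity /opt/oam/access /opt/oam/webgate/access \
#       && password_file_matches /opt/oam/identity /opt/oam/access
```

After a successful copy, continue with steps 2 and 3 above (start the Access Server, then restart the WebGate Web server).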

If the Access System Simple mode password is not the same as the Identity System Simple mode password, you must change the password using the following tools and procedures.

<AccessServer_install_dir>/access/oblix/tools/configureAAAServer
<WebGate_install_dir>/access/oblix/tools/configureWebGate

Workaround when the Simple mode password is different on the Identity System and Access Server

  1. Go to the folder where configureAAAServer is located. For example:

    AccessServer_install_dir\access\oblix\tools\configureAAAServer
    
  2. Run the following executable:

    configureAAAServer chpasswd AccessServer_install_dir 
    
  3. Respond to prompts as directed on the screen.

  4. Restart the Access Server.

Workaround when the Simple mode password is different on the Identity System and WebGate

  1. Go to the directory:

    WebGate_install_dir\access\oblix\tools\configureWebGate
    

    where WebGate_install_dir is the directory in which WebGate is installed.

  2. Run the following command:

    configureWebGate -i WebGate_install_dir -t WebGate -k
    

    With the -k option, the tool prompts only for the Simple or Cert mode transport security password.

  3. Respond to prompts on the screen.

  4. Restart the WebGate Web server.

For more information about the configureAAAServer and configureWebGate tools, see the Oracle Access Manager Access Administration Guide.

5.3.11 Unnecessary Message Asks for SDK Migration Bundles During Upgrade

During an upgrade, the 10g (10.1.4.0.1) installer asks for migration bundles and instructs you to place these in a specific directory. The following information provides a workaround for this problem:

Ignore the following message, which will be removed from the Software Developer Kit (SDK) installer.

Please download and extract COREid 6.5 migration bundles

To ensure success when upgrading a COREid 6.5 installation, you 
need to perform the following steps before you continue. For 
information, see the Oracle Access Manager Upgrade Guide chapter
on preparing your environment.

1) Log in to the download Web site.

   http://www.oracle.com/support/contact.html

Retrieve appropriate _msg and _param files for the older version of this 
component.

For example: 
Netpoint_65_orig_en_<Component>_msg.zip
Netpoint_65_orig_<Component>_param.zip

Note: Retrieve only the files that are relevant to your older installation.
Files for version 6.5 include _65_ in their name; files for version 6.5.2 or
later include _652_ in their name.

Press ENTER to read the text [Type q to quit].

3) Extract or unzip these files in to your <Component Installation Directory>.

 For example:
 <Component Installation Directory>/identity
 <Component Installation Directory>/access

A directory named "orig" is created during this process. For example:

<Component Installation Directory>/identity/oblix/orig.
<Component Installation Directory>/access/oblix/orig.

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1] 

5.3.12 Unable to Locate Bundles Needed for COREid 6.x Upgrades

The Oracle Access Manager Upgrade Guide discussion on preparing release 6.x environments includes details about obtaining specific COREid 6.x bundles from the installation media before upgrading. However, the files are not available on the media.

The following information is a workaround for this problem. Before you upgrade from a COREid 6.x installation to 10g (10.1.4), you must perform the following steps to download the missing packages, which contain text files for use on any platform.

Note:

My Oracle Support was formerly MetaLink.

  1. In your browser, enter the My Oracle Support URL and log in:

    https://support.oracle.com
    
  2. Click Patches & Updates, then click Patch ID or Number.

  3. In the Patch ID or Number field, enter 5724938, then click the Search button.

    The results of your search for Patch 5724938 are displayed with the description: UNABLE TO LOCATE MIGRATION BUNDLE FOR 6.5-10.1.4 UPGRADE.

    Note:

    The Platform is automatically specified as Microsoft Windows 2000 because the bundles contain only text files that can be used on any platform; there are no binary files.

  4. Click the Download button and follow instructions on the screen.

  5. Before you continue upgrading, review the following discussions, then extract the files and finish preparing components as described in the Oracle Access Manager Upgrade Guide:

Note:

As described in "Ignore Bundles for Release 6.5 with Multi-language Capability", multi-language bundles are not needed and are not available.

Packages for Release 6.5.0.x

A new package has been added for release 6.5: Netpoint_65_orig_en_AccessServerSdk_msg.zip. Before you upgrade from Oracle Access Manager 6.5.0.x, you must download and add the following packages to your original Component_install_dir.

Extract 65-orig Packages to the Original Component_install_dir
Netpoint_65_orig_en_COREid_Server_msg.zip
Netpoint_65_orig_COREid_Server_param.zip
Netpoint_65_orig_en_Access_Manager_msg.zip
Netpoint_65_orig_Access_Manager_param.zip
Netpoint_65_orig_en_WebPass_msg.zip
Netpoint_65_orig_WebPass_param.zip
Netpoint_65_orig_en_Access_Server_msg.zip
Netpoint_65_orig_Access_Server_param.zip
Netpoint_65_orig_en_WebGate_msg.zip
Netpoint_65_orig_WebGate_param.zip
Netpoint_65_orig_en_AccessServerSdk_msg.zip

Packages for Release 6.5.2.x Patch

Two new packages have been added for 6.5.2: Netpoint_652_orig_AccessServerSdk_param.zip and Netpoint_652_orig_en_AccessServerSdk_msg.zip. If you originally installed release 6.5.0.x, then patched to 6.5.2.x, you must download and add the following packages to your original Component_install_dir before the upgrade.

Extract 652_orig Packages to the Original Component_install_dir
Netpoint_652_orig_en_COREid_Server_msg.zip
Netpoint_652_orig_COREid_Server_param.zip
Netpoint_652_orig_en_WebPass_msg.zip
Netpoint_652_orig_WebPass_param.zip
Netpoint_652_orig_en_Access_Manager_msg.zip
Netpoint_652_orig_Access_Manager_param.zip
Netpoint_652_orig_en_Access_Server_msg.zip
Netpoint_652_orig_Access_Server_param.zip
Netpoint_652_orig_en_WebGate_msg.zip
Netpoint_652_orig_WebGate_param.zip
Netpoint_652_orig_AccessServerSdk_param.zip
Netpoint_652_orig_en_AccessServerSdk_msg.zip

Ignore Bundles for Release 6.5 with Multi-language Capability

The Oracle Access Manager Upgrade Guide states that certain multi-language packages may be required for an upgrade from release 6.5 to 10g (10.1.4). However, multi-language bundles are not needed and are not available. Ignore information in the Oracle Access Manager Upgrade Guide on "Preparing Multi-Language Installations."

5.3.13 Problem with Automatic Directory Updates During Identity Server or Policy Manager Installation

When using Novell eDirectory, an error occurs during directory server updates for Identity Server installation. If you have a separate directory for policy data, this error also occurs during Policy Manager installation:

"Error 16: Unable to update Identity System Configuration - Unknown LDAP error occurred."

Despite the wording of the error message, the operation has not failed entirely: the indexes are applied with one exception, the obLPMname attribute, which is left unindexed.

The following is a workaround for this problem. For more information, see your Novell eDirectory documentation.

  1. Dismiss the error message.

  2. Using the Novell index management tool, manually index the obLPMname attribute for equality.

5.3.14 Challenge Parameter Rows Discarded During the Master Access Manager Upgrade

After you upgrade from Oracle Access Manager 7.0.4 to 10.1.4.0.1, any authentication scheme that contains multiple challenge parameter rows is truncated. Only the first challenge parameter row remains; the others are deleted.

Note:

This problem was fixed in release 10.1.4.2.0. After upgrading to 10.1.4.2.0, all challenge parameters are preserved.

5.3.15 Applying Release 10.1.4 Patch Set 1 (10.1.4.2.0) to Finish Upgrading With a Switch from Solaris to Linux

After installing Oracle Access Manager 10g (10.1.4.0.1) on Linux hosts, Oracle recommends that you apply Release 10.1.4 Patch Set 1 (10.1.4.2.0) to obtain the latest version of the obmigratenp utility. This tool is needed to finish the upgrade and switch from your original Solaris platform to Linux.

Note:

Oracle recommends that you apply Release 10.1.4 Patch Set 1 (10.1.4.2.0) before using the obmigratenp tool.

To obtain the Release 10.1.4 Patch Set 1 (10.1.4.2.0) obmigratenp utility

  1. Go to the My Oracle Support Web site and obtain Release 10.1.4 Patch Set 1 (10.1.4.2.0) (Patch ID 5957301), as described in Section 5.1.2.1, "Updating Oracle Access Manager 10g (10.1.4) with the Latest Patch Sets".

  2. Use instructions in the Oracle Access Manager Patchset Notes Release 10.1.4 Patchset 1 (10.1.4.2.0) For All Supported Operating Systems to apply Release 10.1.4 Patch Set 1 (10.1.4.2.0) to each 10g (10.1.4.0.1) component instance on the Linux host:

    • Identity Server instances

    • WebPass instances

    • Policy Manager instances

    • Access Server instances

    • WebGate instances

5.3.16 No Translation Support for the SNMP Agent Installshield

There is no translation support for the SNMP agent installshield wizard.

5.3.17 Installation of Identity Server 10.1.4.0.1 With Sun Java Directory Server 6.0

Problem

Installation of a 10g (10.1.4) Identity Server with Sun Java Directory Server 6.0 fails when you are defining directory details. The following error will occur if you specify Sun Directory Server 5.x, and you supply the Sun Directory Server 6 hostname, port number, and credentials, and choose Yes to automatically update the LDAP server schema configuration:

Error 32: LDAP Invalid credentials. Or invalid directory type supplied. Or no such object.

This can also occur when installing the Policy Manager with the Sun Directory Server 6.

Cause

Certification of the Sun Java Directory Server 6.0 with Oracle Access Manager 10g (10.1.4) occurred after 10g (10.1.4.0.1) was released. As a result, during Identity Server installation there is no option to select Sun Java Directory Server 6.0. If Sun Directory Server 5.x is selected, the configuration fails when performing an automatic schema update.

When installing with Sun Java Directory Server 6.0, the automatic schema update option cannot be used. The schema must be updated manually.

Solution

  1. Install Oracle Access Manager as described in the Oracle Access Manager Installation Guide, and choose the Sun Directory Server 5.x option.

  2. Provide the Sun Directory Server 6 hostname, port number, and credentials.

  3. Using either the Sun Java System Directory Server 6.0 Management Console, or ldapmodify command line, load the Oracle Access Manager schema and index files into Sun Java System Directory Server 6.0 using the following ldif files:

    LDAP server instance hosting user data only:

    IdentityServer_installdir/identity/oblix/data.ldap/common/iPlanet_user_schema_add.ldif
    IdentityServer_installdir/identity/oblix/data.ldap/common/iPlanet5_user_index_add.ldif
    

    LDAP server instance hosting user data and configuration data (or configuration data and policy data, or policy data only):

    installdir/identity|access/oblix/data.ldap/common/iPlanet_oblix_schema_add.ldif
    installdir/identity|access/oblix/data.ldap/common/iPlanet5_oblix_index_add.ldif
    

    In the previous path name, the pipe between identity|access indicates "or". If you are installing the Identity Server the path will be the IdentityServer_installdir/identity and if you are installing Policy Manager the path will be PolicyManager_installdir/access.

    Note:

    For an example of the ldapmodify command, see the Sun document at: http://docs.sun.com/app/docs/doc/819-0995/6n3cq3avf?a=view
  4. Proceed to Identity Server or Policy Manager setup, as usual.

    Note:

    Oracle Support strongly recommends that you apply the latest patch sets and bundle patch immediately after installation. For more information, see Section 5.1, "About Installation Packages, Patch Sets, Bundle Patches, and Newly Certified Agents".

5.4 Removal and Rollback Issues and Workarounds

This section describes removal issues and workarounds. It includes the following topic:

5.4.1 Removing Language Packs

You must stop and restart servers after uninstalling language packs. For example, suppose you have an Identity Server and a WebPass installed with a Korean Language Pack. After uninstalling the Korean language pack on each component host, you must stop and restart both the Identity Server Service and the WebPass Web server instance. This will re-initialize corresponding components with the proper language support.

For more information about installing and removing language packs, see the Oracle Access Manager Installation Guide.

5.4.2 Removing the Default Administrator Language

Removing (uninstalling) the language pack associated with the default Administrator language that was chosen during installation is not supported. An error occurs if you remove this language pack and you may not be able to gain access to the Identity and Access Systems.

To recover, see the discussion of language pack issues in the Troubleshooting chapter of the Oracle Access Manager Installation Guide.

5.4.3 Removing Components and Reinstalling

If a component installation terminates (or is terminated by you) after component files were extracted to the designated installation directory, you should run the Uninstaller for that component and then remove the installation directory before attempting to reinstall in the same location. If you simply delete the installation directory and attempt to reinstall the component in the same location, the vpd.properties file is left in an inconsistent state and reinstalling will not work.

For example, suppose you terminate a WebGate installation after component files were extracted, then you remove the installation directory manually rather than using the WebGate uninstaller. In this case, the extracted files are deleted but the vpd.properties file is not. This leaves the vpd.properties file in an inconsistent state that prevents successful installation.

For more information about uninstalling, see the Oracle Access Manager Installation Guide.

5.4.4 Rollback Issues After Upgrading to Oracle Access Manager 10g (10.1.4)

Changes in the way Oracle Access Manager 10g (10.1.4) uses the obVer attribute in oblixOrgPerson and oblixConfig may result in rollback issues following an upgrade from an earlier release to 10g (10.1.4). This will be documented in the next release of the Oracle Access Manager Upgrade Guide. For more information, see Section 5.9, "Documentation Issues".

The following workaround will solve the rollback issue and will be documented in the next release of the Oracle Access Manager Upgrade Guide.

5.4.4.1 Halting On-the-fly User Data Migration Phase 1

When you upgrade from an earlier release to Oracle Access Manager 10g (10.1.4), the configuration data stored in the oblix tree of the directory server is migrated automatically and the value of the obVer attribute is changed to 10.1.4.0. However, user data is not migrated until each user's first login following the upgrade. Until then, the obVer attribute value in user data (in the OblixOrgPerson class) remains less than 10.1.4.0.

Unless you temporarily halt the immediate (also known as on-the-fly) user data migration as described in the task overview, the first time a user logs in after the upgrade to 10g (10.1.4) that user's entry is migrated immediately: any existing challenge and response values for that user are encoded (@1# is appended to the end) and the obVer attribute value for that user is changed to 10.1.4.0 in the OblixOrgPerson class. The rollback process does not revert these changes. If you roll back to the previous release, the obVer value in the user's OblixOrgPerson entry remains 10.1.4.0 and the challenge and response values remain in encoded format.

Phase 1 must be performed after backing up data and before preparing host machines for the upgrade, as described in Chapter 5 of the Oracle Access Manager Upgrade Guide. Phase 1 includes setting the obVer attribute for the Master Administrator entry and then upgrading the schema and data to 10g (10.1.4). Phase 2 occurs after the schema and data upgrade. In Phase 2, you remove the Challenge and Response semantic types at both the tab level and the object class level.

Before performing the following Phase 1 procedure, there are several conditions to take into account:

  • If OblixOrgPerson does not exist in the objectclass list of the user entry, then you must first add it as described in step 1. Otherwise, start with step 2.

  • After performing the last step, the lost password management feature will not work.

    After temporarily halting on-the-fly migration of user data at first login, Oracle recommends that you stop processing or performing the following actions to ensure that user data will maintain backward compatibility:

    • Stop processing workflow tickets: for example, create user, change attributes, and the like.

    • Stop modifying Challenge and Response attributes from the Modify Profile page.

To temporarily stop the immediate migration of user data (Phase 1)

  1. Add OblixOrgPerson to the Master Administrator's user entry, if needed:

    ldapmodify.exe -h <Host> \
         -p <Port> \
         -D <Bind DN> \
         -w <Bind Password> \
         -f <ldif file containing attribute to be added>
    

    The format of the LDIF file to be created when adding OblixOrgPerson to the objectclass list is as follows. This example is for the Netscape Directory Server:

    dn: <Administrator DN>
    changetype: modify
    add: objectclass
    objectclass: OblixOrgPerson
    
  2. Set the obVer attribute for the Master Administrator entry in the LDAP directory server to 7.0.4 using the following command:

    ldapmodify.exe -h <Host> \
         -p <Port> \
         -D <Bind DN> \
         -w <Bind Password> \
         -f <ldif file containing attribute to be modified>
    

    The format of the LDIF file to be created is as follows. This example is for the Netscape Directory Server:

    dn: <Administrator DN>
    changetype: modify
    replace: obver
    obver: 7.0.4
    
  3. Finish the remaining preparation tasks as described in Chapter 5 of the Oracle Access Manager Upgrade Guide.

  4. Perform a schema and data upgrade for your deployment as described in Chapter 6 of the Oracle Access Manager Upgrade Guide, which includes instructions to perform Phase 2 of this procedure. For more information, see Section 5.4.4.2, "Halting On-the-fly Migration of User Data: Phase 2".

5.4.4.2 Halting On-the-fly Migration of User Data: Phase 2

Before you perform Phase 2, you must have completed all activities in Chapter 5 as well as the following tasks described in Chapter 6 of the Oracle Access Manager Upgrade Guide. Chapter 6 prerequisite tasks include:

  • Upgrading the Schema and Data with the Master Identity Server

  • Upgrading the Master WebPass

  • Verifying the Identity System Schema and Data Upgrade

  • Uploading Directory Server Index Files

  • Backing Up Upgraded Identity Data

Note:

You must perform Phase 2 before any administrator or user login, even if you have a joint Identity and Access System deployment.

During Phase 2 you must remove the Challenge and Response semantic types at both the tab level and the object class level.

Caution:

When you finish this Phase 2 procedure, lost password management will not work.

When you finish Phase 2, Oracle recommends that you stop processing or performing the following actions to ensure that user data will maintain its backward compatibility:

  • Stop processing workflow tickets: for example, create user, change attributes, and the like.

  • Stop modifying Challenge and Response attributes from the Modify Profile page.

To temporarily stop the immediate migration of user data (Phase 2)

  1. After upgrading the schema and data, change the value of obVer in the configuration base to 7.0.4 as follows:

    ldapmodify.exe -h <Host> \
         -p <Port> \
         -D <Bind DN> \
         -w <Bind Password> \
         -f <ldif file containing attribute to be modified>
    

    A bind DN for configuration data (also known as the configuration DN) is similar to the searchbase for user data. The configuration bind DN must be specified to identify the node in the DIT under which the Oracle Access Manager schema and all configuration data is stored for the Identity and Access Systems.

    The format of the LDIF file to be created is as follows. This example is for the Netscape Directory Server:

    dn: o=oblix,<configuration DN>
    changetype: modify
    replace: obver
    obver: 7.0.4
    
  2. Restart the master Identity Server.

  3. Go to the Identity System Console by specifying the URL for your environment, and then log in as the Master Administrator. For example:

    http://hostname:port/identity/oblix
    

    In the URL example, hostname refers to machine that hosts the WebPass Web server; port refers to the HTTP port number of the WebPass Web server instance; /identity/oblix connects to the Identity System Console.

  4. Tab Level: Remove the Challenge and Response semantic types at the tab level, as follows:

    1. Click Identity System Console, click User Manager Configuration, and then click Tabs.

    2. From the Existing Tabs listed on the page, select Employees to display information about this Person class tab on the View Tab page.

      Note:

      Object Classes on the View Tab page may include OblixOrgPerson and others (gensiteorgperson, for example). The obVer attribute is a member of only the OblixOrgPerson class. There is no impact to other object classes.
    3. On the View Tab page, click Modify Attributes to open the Modify Attributes page.

    4. From the Attribute list select the attribute that is configured with Challenge as the Semantic Type, set the Semantic Type to None and click Save.

    5. From the Attribute list select the attribute that is configured with Response as the Semantic Type, set the Semantic Type to None and click Save.

    6. Click Done.

  5. Object Class Level: Remove the Challenge and Response semantic types at the object class level, as follows:

    1. Click Identity System Console, click Common Configuration, and then click Object Classes.

    2. Select the person object class from the list, then click Modify Attributes to open the Modify Attributes page.

    3. From the Attribute list select the attribute that is configured with Challenge as the Semantic Type, set the Semantic Type to None and click Save.

    4. From the Attribute list select the attribute that is configured with Response as the Semantic Type, set the Semantic Type to None and click Save.

    5. Click Done.

For details about restarting user data migration after validating that your deployment is successfully upgraded, see Section 5.4.4.3, "Restarting On-the-fly User Data Migration".

5.4.4.3 Restarting On-the-fly User Data Migration

Before you perform this task, you must have performed all in-place upgrade tasks and validated that your entire upgraded deployment is operating as expected to ensure that no rollback is needed.

You use the procedure here to restart immediate (on-the-fly) user data migration:

  • When immediate (on-the-fly) user data migration was temporarily halted.

  • After validating that your upgraded deployment is operating as expected and that no rollback to the earlier release is needed

Note:

If you roll back to an earlier release after performing activities here, any user data that has been migrated will not be reverted.

In the following procedure you must reconfigure the attributes used for challenge and response at both the tab level and the object class level.

To restart on-the-fly user data migration

  1. Tab Level: Reconfigure the Challenge and Response semantic types at the tab level, as follows:

    1. Click Identity System Console, then click User Manager Configuration, click Tabs.

    2. Select Employees from the list, then click Modify Attributes to open the Modify Attributes page.

    3. From the Attribute list select the attribute that is used for Challenge, set the Semantic Type to Challenge and the Display Type to Single Line Text, then click Save.

    4. From the Attribute list select the attribute that is used for Response, set the Semantic Type to Response and the Display Type to Password, then click Save.

    5. Click Done.

  2. Object Class Level: Reconfigure the Challenge and Response semantic types at the object class level, as follows:

    1. Click Identity System Console, then click Common Configuration, click Object Classes.

    2. Select the person object class from the list, then click Modify Attributes to open the Modify Attributes page.

    3. From the Attribute list select the attribute that is used for Challenge, set the Semantic Type to Challenge and the Display Type to Single Line Text, then click Save.

    4. From the Attribute list select the attribute that is used for Response, set the Semantic Type to Response and the Display Type to Password, then click Save.

    5. Click Done.

  3. Set the obVer attribute for oblixConfig (the configuration data root node in the LDAP directory server) to 10.1.4.0 as follows:

    ldapmodify.exe -h <Host> \
         -p <Port> \
         -D <Bind DN> \
         -w <Bind Password> \
         -f <ldif file containing attribute to be modified>
    

    The format of the LDIF file to be created is as follows. This example is for the Netscape Directory Server:

    dn: o=oblix,<configuration DN>
    changetype: modify
    replace: obver
    obver: 10.1.4.0
    
  4. Restart all upgraded Identity Servers and Access Servers.
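Sections 5.4.4.1 through 5.4.4.3 above change a single obVer value with ldapmodify, and the note in Section 5.4.4.1 warns that a user entry migrated at first login is not reverted by a rollback. The following Python script is an added example, not Oracle's code or a tool shipped with the product: it scans an LDIF export of user entries (a constructed sample is embedded) for the two migration markers the release note describes, an obVer of 10.1.4.0 or a response value ending in @1#, so you can see which users are already past the point of rollback before deciding to roll back, and it generates the modify LDIF used in each phase. The attribute name obresponse is an assumption; substitute the attribute your tab maps to the Response semantic type.

```python
"""Added example, not Oracle's code: audit an LDIF export of user entries for
on-the-fly migration and emit the obVer LDIF changes used in Phases 1 and 2."""
import re

MIGRATED_OBVER = (10, 1, 4, 0)   # value written to migrated entries (release note)
ENCODED_SUFFIX = "@1#"            # appended to challenge/response values on migration


def parse_ldif(text):
    """Minimal LDIF reader: returns [(dn, {attr_lower: [values]})].
    Joins continuation lines (leading space), skips comments, no base64 (::)."""
    joined = []
    for raw in text.splitlines():
        if raw.startswith(" ") and joined:
            joined[-1] += raw[1:]
        else:
            joined.append(raw)
    entries, current = [], None
    for line in joined + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = None
        elif line.startswith("#"):
            continue
        else:
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                current = (value, {})
            elif current is not None:
                current[1].setdefault(attr, []).append(value)
    return entries


def version_tuple(s):
    """'10.1.4.0' -> (10, 1, 4, 0) so obVer values compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def migrated_users(entries, response_attr="obresponse"):
    """DNs of OblixOrgPerson entries already migrated at first login: obVer has
    reached 10.1.4.0 or a response value carries the @1# suffix. A rollback will
    not revert these. response_attr is an assumed name; use the attribute your
    Employees tab maps to the Response semantic type."""
    found = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "oblixorgperson" not in classes:
            continue
        obver = attrs.get("obver", [""])[0]
        by_version = bool(obver) and version_tuple(obver) >= MIGRATED_OBVER
        by_encoding = any(v.endswith(ENCODED_SUFFIX)
                          for v in attrs.get(response_attr.lower(), []))
        if by_version or by_encoding:
            found.append(dn)
    return found


def obver_ldif(dn, version):
    """Modify-LDIF setting obVer on one entry: Phase 1 uses 7.0.4 on the Master
    Administrator, Phase 2 uses 7.0.4 on o=oblix,<configuration DN>, and the
    restart procedure puts 10.1.4.0 back on the configuration root."""
    return f"dn: {dn}\nchangetype: modify\nreplace: obver\nobver: {version}\n"


def add_oblixorgperson_ldif(dn):
    """Modify-LDIF adding OblixOrgPerson to an entry's objectclass list (Phase 1, step 1)."""
    return f"dn: {dn}\nchangetype: modify\nadd: objectclass\nobjectclass: OblixOrgPerson\n"


# Constructed sample export (not real data): alice and carol are already migrated.
SAMPLE_EXPORT = """\
dn: cn=alice,ou=people,o=example
objectClass: inetOrgPerson
objectClass: OblixOrgPerson
obver: 10.1.4.0
obresponse: blue@1#

dn: cn=bob,ou=people,o=example
objectClass: inetOrgPerson
objectClass: OblixOrgPerson
obver: 7.0.4
obresponse: green

dn: cn=carol,ou=people,o=example
objectClass: inetOrgPerson
objectClass: OblixOrgPerson
obver: 7.0.4
obresponse: red@1#
"""

if __name__ == "__main__":
    for dn in migrated_users(parse_ldif(SAMPLE_EXPORT)):
        print("already migrated; rollback will not revert:", dn)
    print(obver_ldif("o=oblix,o=example", "7.0.4"))
```

Run it against an ldapsearch export of your user searchbase before a rollback decision; any DN it lists will keep its 10.1.4.0 obVer and encoded challenge/response values after the rollback.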

5.5 Access System Issues and Workarounds

This section describes issues and workarounds for the Access System. It includes the following topics:

5.5.1 Disabling the User Cache for the Access Server

As discussed in the Oracle Access Manager Access Administration Guide, you can configure a user cache for the Access Server. The guide omits the value you supply to disable this cache.

Provide a value of -1 in the Maximum Elements in User Cache field for the Access Server to disable the cache.

5.5.2 WebGate Diagnostics URL Incorrectly Reports the Access Server Is Down

As discussed in the Oracle Access Manager Access Administration Guide, the WebGate diagnostics URL reports the status of the Access Server or Servers to which the WebGate is connected. In some cases, the landing page for this URL can report that the Access Server or Servers are down when the servers actually are running.

This problem occurs when the number of Access Servers associated with a WebGate is higher than the value of the WebGate's Maximum Connections property. In this situation, the WebGate diagnostics page displays a status of Down for all Access Servers beyond the Maximum Connections value, irrespective of their actual status. For example, suppose that you set the Maximum Connections value for WebGate A to 1 and you associate three Access Servers with it, AAA1, AAA2, and AAA3. The diagnostics page will indicate that AAA1 is up and AAA2 and AAA3 are down. If AAA1 is down, the page will indicate that AAA2 is up and AAA3 is down.

To fix this problem, ensure that the Maximum Connections value for the WebGate is not lower than the number of Access Servers associated with it.

To configure the Maximum Connections field:

  1. In the Access System Console, click Access System Configuration, then click AccessGate Configuration.

    The Search for AccessGates page appears.

  2. Enter search criteria on this page, or click the All button.

  3. Click Go.

    AccessGates that match your search criteria are listed on this page.

  4. Click the link for a WebGate.

    The Details for AccessGate page appears.

  5. Click Modify.

    The Modify AccessGate page displays the settings for this WebGate.

5.5.3 WebGate Is Unable to Connect to Its Associated Access Server

If you have installed a WebPass or a WebGate on IIS 6 and enabled logging, the WebPass or WebGate may be unable to connect to its associated Identity or Access Server. In particular, this problem occurs when you send logs to an MPFileLogWriter. It does not occur when you send logs to a FileLogWriter.

The problem occurs with the MPFileLogWriter when there is no anonymous user with access to the directory that contains the log files. MPFileLogWriter uses a file named <logfile name>.lck to synchronize multiple processes that write to the corresponding log file. The MPFileLogWriter write-locks the .lck file before writing to the oblog.log file.

Configure an anonymous user with access to the directory that contains the log files. In some circumstances, the user context used to acquire the write-lock will be the IIS Anonymous web user. By default, this user is named IUSR_<computer name>, but you can configure any anonymous user for this purpose.

5.5.4 An Authentication Action for Form-Based Authentication Redirects to a Non-Secure Page

You can specify a redirection action for authentication or authorization success or failure. However, if you specify this action relative to the Web server, it may fail when the WebGate being used is installed on an Oracle HTTP Server version 2.

For example, you may be redirected using an HTTP redirect instead of HTTPS when you do the following:

  1. In the Policy Manager, create a policy to protect a resource.

  2. Protect the resource using a form-based authentication scheme.

  3. Specify a redirection action for authorization success.

  4. In a browser, enter the URL for the protected resource.

  5. Provide login credentials when presented with the login form.

To work around this problem, add the following lines in the Virtual host definition section of the ssl.conf file:

LoadModule certheaders_module modules/mod_certheaders.so
AddCertHeader HTTPS
AddCertHeader SSL_CLIENT_CERT
SimulateHttps On 

5.5.5 Access Server Memory Usage Rises After Configuring a Directory Server Profile

After configuring a directory server profile, the memory usage for the Access Server or Policy Manager becomes too high.

When you configure a directory server profile, you are prompted to provide a maximum session time. The default value for the session time is 0 (unlimited). This may cause a performance issue, because the size of the caches for LDAP connections to the Access Server and Policy Manager increases over time. Oracle Access Manager does not control these caches directly.

To prevent the cache size from causing a performance problem, set the value of the Maximum Session Time (Minutes) for the directory server profile to a finite value, for example, 10 hours, as follows:

  1. From the Identity System Console click System Configuration, then click Directory Profiles.

  2. Click the link for the profile that you want to modify.

  3. In the Max. Session Time (Min.) field, set the value to 600.

5.5.6 The Passthrough Challenge Parameter Does Not Work on a Domino Web Server

There is a problem with specifying the passthrough: challenge parameter in some form-based authentication schemes. In particular, this parameter does not work on a Domino Web server when using the POST method for form-based login.

There is no solution for this problem at this time.

5.5.7 Steps for Integrating the Access System with OracleAS Single Sign-On 10.1.2.0.2

The Oracle Access Manager Integration Guide provides a chapter on integrating the Access System's single sign-on with OracleAS Single Sign-On. In addition to following the information in the Oracle Access Manager Integration Guide, you must also complete the following procedure to integrate the Access System with OracleAS Single Sign-On 10.1.2.0.2.

To configure the integration:

  1. Follow the steps in the chapter on integrating the Access System's single sign-on with OracleAS Single Sign-On in the Oracle Access Manager Integration Guide.

  2. In the Access System Console, click System Configuration, then click Server Settings, and configure the following logout URL:

    http://[host.domain]:[port]/pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F[host.domain]%3A[port]
    

    URL-encode the p_done_url value.

    See the Oracle Application Server Single Sign-On Administrator's Guide for release 10.1.2.0.2 for details on configuring the logout link for single sign-on. A sample JSP that can be used for this purpose is included at the end of this release note.

  3. If you use the sample JSP, go to the Access System Console, click Access System Configuration, then click AccessGate Configuration, and include the following in the LogOutURLs parameter for every WebGate in your environment:

    /access/oblix/lang/en-us/style2/oblixlogo.gif
    

The following is a sample logout.jsp file:

<!-- Copyright (c) 1999, 2003, Oracle. All rights reserved. -->
<%@page autoFlush="true" session="false"%>
<%!
// HTML-escape request-supplied values before they are written into the page.
private static String esc(String s)
{
    if (s == null) return "";
    return s.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace("\"", "&quot;");
}
%>
<%
// Declare English Message Strings
String msg1 = "Single Sign-Off";
String msg2 = "Application Name";
String msg3 = "Logout Status";
String msg4 = "ERROR: The return URL value not found.";
String msg5 = "ERROR: Logout URL for partner applications not found.";
// Get the user language preference
String userLocaleParam = null;
java.util.Locale myLocale = null;
// Get the user locale preference sent by the SSO server
try
{
    userLocaleParam = request.getParameterValues("locale")[0];
}
catch(Exception e)
{
    userLocaleParam = null;
}
if( (userLocaleParam == null) || userLocaleParam.equals("") )
{
    myLocale = request.getLocale();
}
else
{
    if(userLocaleParam.indexOf("-") > 0 )
    {
        // SSO server sent the language and territory value (e.g. en-us)
        myLocale = new java.util.Locale(userLocaleParam.substring(0, 2),
                                        userLocaleParam.substring(3, 5));
    }
    else
    {
        // SSO server sent only the language value (e.g. en)
        myLocale = new java.util.Locale(userLocaleParam, "");
    }
}
// The following two lines will be used only for the Multilingual support with
// proper resource bundle class supplied
// java.util.ResourceBundle myMsgBundle
//     = java.util.ResourceBundle.getBundle("MyMsgBundleClassName", myLocale);
// Get the message string in the appropriate language using the message key.
// Use this string to display the message in this page.
// String mesg = myMsgBundle.getString("mesg_key");
%>
<html>
<body bgcolor="#FFFFFF">
<h1><%=msg1%></h1>
<%
String done_url = null;
int i = 0;
// Get the return URL value
try
{
    done_url = request.getParameterValues("p_done_url")[0];
}
catch(Exception e)
{
    done_url = "";
}
// Get the application name and logout URL for each partner application
try
{
%>
<b> <%=msg2%>   <%=msg3%> </b>
<br>
<!-- Substitute an actual host, domain, and port for myhost.us.mydomain.com:7777
     that points to the WebGate. -->
<img src="http://myhost.us.mydomain.com:7777/access/oblix/lang/en-us/style2/oblixlogo.gif">
<%
    // getParameterValues() returns null once p_app_nameN is missing; the
    // resulting exception is caught below and ends the list.
    for(;;)
    {
        i++;
        String app_name = request.getParameterValues("p_app_name"+i)[0];
        String url_name = request.getParameterValues("p_app_logout_url"+i)[0];
%>
<%=esc(app_name)%>
&nbsp;
<img src="<%=esc(url_name)%>">
<br>
<%
    }
}
catch(Exception e)
{
    // done_url is "" when p_done_url was absent from the request
    if(done_url == null || done_url.equals(""))
    {
%>
<%=msg4%> <br>
<%
    }
    if(i>1)
    {
%>
<br> <a href="<%=esc(done_url)%>">Return</a>
<%
    }
    else
    {
%>
<%=msg5%><br>
<%
    }
}
%>
</body>
</html>
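An added example, not Oracle's code and not part of the sample JSP: Python that builds the logout URL from step 2 with p_done_url encoded the way the release note shows (quote with safe='' so the colon and slashes become %3A%2F%2F; the default safe='/' would leave the slashes bare), and that walks the p_app_nameN/p_app_logout_urlN parameters the sample JSP reads, stopping at the first missing pair as the JSP's loop does and HTML-escaping the values before they are placed in the page. The host names and the sample query string are constructed.

```python
"""Added example, not Oracle's code: the OracleAS Single Sign-On logout URL with a
correctly encoded p_done_url, and the partner-application parameter walk the
sample logout.jsp performs, with output escaping."""
from html import escape
from urllib.parse import parse_qs, quote

LOGOUT_PATH = "/pls/orasso/ORASSO.wwsso_app_admin.ls_logout"


def orasso_logout_url(sso_host, sso_port, done_url, scheme="http"):
    """Build the Server Settings logout URL from step 2 of Section 5.5.7.
    quote(done_url, safe="") also encodes ':' and '/', producing the
    %3A%2F%2F form shown in the note; quote's default safe="/" would not."""
    return f"{scheme}://{sso_host}:{sso_port}{LOGOUT_PATH}?p_done_url={quote(done_url, safe='')}"


def partner_logouts(query):
    """Read p_done_url and the p_app_nameN / p_app_logout_urlN pairs the SSO
    server appends, stopping at the first missing pair exactly as the JSP's
    for(;;) loop does. Returns (done_url, [(name, url), ...]) with name and
    url HTML-escaped for safe use in element text and attributes."""
    params = parse_qs(query, keep_blank_values=True)
    done_url = params.get("p_done_url", [""])[0]
    pairs = []
    i = 1
    while f"p_app_name{i}" in params and f"p_app_logout_url{i}" in params:
        name = params[f"p_app_name{i}"][0]
        url = params[f"p_app_logout_url{i}"][0]
        pairs.append((escape(name, quote=True), escape(url, quote=True)))
        i += 1
    return done_url, pairs


def render_logout_page(query, webgate_logo_url):
    """Produce the same page structure as logout.jsp: a request for the WebGate
    logo (listed in LogOutURLs in step 3, so the WebGate treats it as a logout),
    one image request per partner logout URL, then a Return link, or the JSP's
    error messages when p_done_url or the partner URLs are missing."""
    done_url, pairs = partner_logouts(query)
    out = ["<h1>Single Sign-Off</h1>",
           "<b>Application Name   Logout Status</b><br>",
           f'<img src="{escape(webgate_logo_url, quote=True)}">']
    for name, url in pairs:
        out.append(f'{name} <img src="{url}"><br>')
    if not done_url:
        out.append("ERROR: The return URL value not found.<br>")
    if pairs:
        out.append(f'<a href="{escape(done_url, quote=True)}">Return</a>')
    else:
        out.append("ERROR: Logout URL for partner applications not found.<br>")
    return "\n".join(out)


# Constructed request from the SSO server (not captured traffic). There is no
# p_app_name3, so the walk stops after two partners and ignores p_app_name4.
SAMPLE_QUERY = (
    "p_done_url=http%3A%2F%2Fportal.example.com%3A7778"
    "&p_app_name1=Portal&p_app_logout_url1=http://portal.example.com:7778/logout?x=1%26y=2"
    "&p_app_name2=<b>Mail</b>&p_app_logout_url2=http://mail.example.com/logout"
    "&p_app_name4=Gap&p_app_logout_url4=http://gap.example.com/logout"
)

if __name__ == "__main__":
    print(orasso_logout_url("sso.example.com", 7777, "http://portal.example.com:7778"))
    print(render_logout_page(
        SAMPLE_QUERY,
        "http://myhost.us.mydomain.com:7777/access/oblix/lang/en-us/style2/oblixlogo.gif"))
```

The escaping matters because every value on this page arrives in the request from the SSO server's redirect; the JSP writes them into an attribute and into element text, so a crafted p_app_name or p_done_url would otherwise be rendered as markup.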

5.5.8 Return Type Parameters Are Case-Sensitive in This Release

In this release, certain authentication and authorization action parameters are case-sensitive. For example, in previous releases you could set up a policy domain in the Policy Manager and include an authentication or authorization action that uses the cookie parameter spelled in lowercase. In this release, if you do this, no cookie is set for the action. You can confirm this configuration issue by accessing the protected resource from a browser and monitoring the HTTP traffic to the browser. The workaround for this issue is to use the following action type parameters in policies, preserving the case:

  • Cookie

  • HeaderVar

5.5.9 Single Sign-On with Oracle Identity Management Fails

If you attempt to implement single sign-on between Oracle Identity Management 9.0.2 and Oracle Access Manager 10g (10.1.4), you may encounter a problem. If you configure authentication using HTTP headers instead of cookies, the headers are only supported if they use ASCII text. To integrate an HTTP header with non-ASCII data, you need to install a patch. Contact Oracle Support and ask for a patch for bug 5552617.

5.5.10 Policy Manager API Support Used Incorrectly in Help and Access System Console

The "AM Service State" in previous Access System Console pages was renamed to "Access Management Service". In 10.1.4 Access Server and AccessGate configuration pages, "Access Management Service" appears correctly.

However, the following product areas incorrectly refer to "Policy Manager API Support" rather than "Access Management Service":

  • Access Server Cluster configuration page

  • Help for Access Server and AccessGate configuration pages

5.5.11 webgate.so Not Found Error After Form-based Login

After successful authentication, if you click the Back button in the browser window, you might get an error for access/oblix/apps/webgate/bin/webgate.so.

When form-based authentication is used, Oracle Access Manager creates a form login cookie that holds information about the requested resource. On successful authentication, the state of the cookie changes. When the user clicks the Back button, the login form appears. When reposted, the form login cookie no longer holds redirection details.

The ObSSOCookie is also sent with the form login cookie. The ObSSOCookie is correctly checked. Because the state of the form login cookie has changed, form-based authentication does not occur and the form action is treated as a request for the resource.

5.6 Identity System Workarounds and Issues

This section describes issues and workarounds for the Identity System. It includes the following topics:

5.6.1 Identity System Deletes a User Entry When an RDN is Modified

The Identity System deletes user entries when you attempt to modify an RDN attribute value. The RDN is the left-most attribute in a DN. Typically, the RDN attribute is cn or Full Name.

This problem occurs when you use Oracle Internet Directory as the back-end repository. To fix this problem:

  1. Edit the file ldapreferentialintegrityparams.xml in the following directory:

    Identity_Server_installation_directory\identity\oblix\data\common
    
  2. Change the value of the parameter referential_integrity_using from oblix to ds, as follows:

    <NameValPair ParamName="referential_integrity_using" Value="ds"/>
    
  3. Save the file.

  4. Restart the Identity Server for the changes to take effect.

    You should be able to modify the RDN attribute value without any problem.

  5. If you have multiple instances of the Identity Server installed, make this change to every instance of the Identity Server.

5.6.2 Auditing for the Identity System Ceases to Work

When you have auditing configured for multiple Oracle Real Application Cluster (Oracle RAC) databases, auditing will work correctly for a while. However, after shutting down and restarting an Oracle RAC instance other than the one that was shut down the last time, auditing stops. To avoid this issue, restart the Identity Server.

5.6.3 Identity Server Crashes if It Cannot Find a Style Sheet

After you customize a style sheet, the Identity Server crashes or issues an error about a Win32 exception being caught.

If you have used backslash characters as path separators in your stylesheets in xsl:include constructs, replace the backslashes with forward slash characters. For example, you would want to change the following:

<xsl:include href=".\style.xsl" />

To this:

<xsl:include href="./style.xsl" />

5.6.4 WebPass Is Unable to Connect to Its Associated Identity Server

If you have installed a WebPass on IIS 6 and enabled logging, the WebPass may be unable to connect to its associated Identity Server. In particular, this problem occurs when you send logs to an MPFileLogWriter. It does not occur when you send logs to a FileLogWriter.

The problem occurs with the MPFileLogWriter when there is no anonymous user with access to the directory that contains the log files. MPFileLogWriter uses a file named <logfile name>.lck to synchronize multiple processes that write to the corresponding log file. The MPFileLogWriter write-locks the .lck file before writing to the oblog.log file.

Configure an anonymous user with access to the directory that contains the log files. In some circumstances, the user context used to acquire the write-lock will be the IIS Anonymous web user. By default, this user is named IUSR_<computer name>, but you can configure any anonymous user for this purpose.

5.6.5 Memory Usage Rises for an Identity Server After Configuring a Directory Server Profile

After configuring a directory server profile, the memory usage for the Identity Server becomes too high.

When you configure a directory server profile, you are prompted to provide a maximum session time. The default value for the session time is 0 (unlimited). This may cause a performance issue, because the size of the caches for LDAP connections to the Identity Server increases over time. Oracle Access Manager does not control these caches directly.

To prevent the cache size from causing a performance problem, set the value of the Maximum Session Time (Minutes) for the directory server profile to a finite value, for example, 10 hours, as follows:

  1. From the Identity System Console click System Configuration, then click Directory Profiles.

  2. Click the link for the profile that you want to modify.

  3. In the Max. Session Time (Min.) field, set the value to 600.

5.6.6 Errors Are Found in the HTTP Logs After Setting Up the Identity System

After completing the process described in the Oracle Access Manager Installation Guide chapter on setting up the Identity System, if you installed Japanese language packs you may see errors in the following log files:

ORACLE_OHS_HOME/Apache/Apache/logs/error_log.* 

Where ORACLE_OHS_HOME is the installation directory for the Oracle HTTP Server. These errors have a format similar to the following example:

[Sun Jun  4 16:31:06 2006] [error] [client 12.345.678.99] [ecid:
1149406266:12.345.678.82:28663:0:3,0] File does not exist:
/home/as1014/as1014coreid/COREid/webcomponent_3/identity/oblix//apps/admin/
bin/com/oblix/data/resource.class 

These errors have no impact, and can be ignored.

5.6.7 Reports With Non-ASCII Characters Are Not Imported Correctly in Excel

After modifying and exporting object class attributes, a report.csv file is created. In the Japanese Locale or Simplified Chinese Locale, there are encoding problems due to a Microsoft Excel limitation that cannot process CSV files containing data in UTF-8 encoding.

To process the exported report, complete the process below.

  1. Rename report.csv to report.txt.

  2. Open report.txt in Excel 2003 (Excel 2000 does not support UTF-8 encoding).

  3. In the text import wizard, choose UTF-8 as the encoding and comma as the field separator.

  4. Click Finish.

5.6.8 Translation of Tab Names May be Incomplete

In multi-language environments, Configuration tab names in the Identity System Console (User Manager Configuration, Group Manager Configuration, Org. Manager Configuration) may be only partially translated. Only the word "Configuration" may be translated, not the application name before it.

For example, when viewing the Identity System Console using a browser, the application name "User Manager" on the User Manager Configuration tab might not be translated.

There is no solution for this problem at this time.

5.6.9 Non-ASCII Values for Certain Display Types Are Corrupted in the Identity System Console

In the Identity System Console, the display names that appear as values for items in the list of display types (radio button, checkbox, and so on) may be corrupt due to a known limitation with Java Applets and internationalized characters. The browser's JVM displays only those characters that are in the current locale. Internationalized characters are displayed correctly in applets only if you have set the browser to the same locale.

Set the browser to the locale used when setting the display name value.

5.6.10 Data Is Lost When Saving an Object Profile in Org. Manager

When saving new or modified information in an object profile in the Org. Manager application, some of the data is lost. This problem occurs in Org. Manager tabs that do not contain any panels. To ensure that there is no loss of data when modifying object profiles in Org. Manager, you should configure at least one panel for the tab. This panel should contain the same attributes as the Header Panel for the tab.

For example, if the header panel contains two attributes named Location Title and Location Name, you would do the following:

  1. From the Identity System landing page, select the Identity System Console.

  2. Click Org. Manager Configuration.

  3. Click Tabs.

  4. Click the link for the tab where you want to add panels.

  5. Click View Object Profile.

  6. Click Configure Panels.

  7. Click Create.

  8. On the Create Panel page, provide a panel name and add the Location Title and Location Name attributes.

5.6.11 Incorrect Path Provided to the UDDI Files

The Oracle Access Manager Developer Guide states that sample UDDI registration programs in .NET and Java format are provided in the following locations:

webpass_install_dir\oblix\WebServices\UDDI\dotnet

and

webpass_install_dir\oblix\WebServices\UDDI\java

However, the actual paths are as follows:

webpass_install_dir\oblix\WebServices\samples\UDDI\dotnet

and

webpass_install_dir\oblix\WebServices\samples\UDDI\java

5.6.12 Incorrect Path Setting for Running Sample WSDL Code

The Oracle Access Manager Developer Guide section on "Invoking a WSDL-Based Web Service Using Java" states that when compiling and running the sample code, you set the path to your Access Manager SDK installation as follows:

set PATH=f:\temp\AccessServerSDK\oblix\lib;F:\j2sdk1.4.2_05\bin;path

However, you actually set the path to your Access Manager SDK installation as follows:

set PATH=AccessServerSDK_install_dir\oblix\lib;F:\j2sdk1.4.2_05\bin;%PATH%

Where AccessServerSDK_install_dir is the directory where the Access Server SDK was installed.

5.6.13 User Creation Might Fail When You Have Multi-byte Characters in the Password

Problem:

When you create a user with multi-byte characters in the password using a non-English keyboard, user creation might fail. You might see the error: Directory Server Password Policy violated.

Cause:

This problem will occur when you have the 7-bit check plug-in enabled for the "uid" and "userpassword" attributes. In this case, modifying a password for an existing user forces the "7-bit check" for the newly entered password. If the newly entered password contains multi-byte characters, then it does not qualify as "7-bit clean". The product is designed to function in this way.

For example, when creating a workflow, the values are stored under the "obcontainerId=workflowInstances,o=Oblix,o=company,c=us" node. The password value is stored as "obattrvals: <value>" and is encoded as "7-bit clean". When the Approver approves the workflow, the password value is decrypted and stored under the "userpassword" attribute.

Solution:

The following solution is now documented in the Oracle Access Manager Identity and Common Administration Guide, "Troubleshooting" section in Appendix F.

If you want "7-bit check" to be enabled for workflow steps you need to write your own plug-ins.

Note:

Your directory server might not support the 7-bit check. In any case, you must be able to create a user with multi-byte characters.

If you want a user password (or any other attribute) to contain multi-byte characters, you must disable the "7-bit check" for the specific attribute. The following procedure refers to steps for a Sun (formerly iPlanet) directory server. Your details and steps might be different. See your vendor documentation for more information.

To disable the 7-bit check

  1. Log in to your directory server as an administrator.

  2. Click your directory server instance under "Server Group".

  3. Go to the configuration tab for the directory server instance.

  4. Expand the "Plug-ins" node to display the list of plug-ins that are applied to your directory server instances.

  5. Click "7-bit check" to display the list of attributes that are acted upon by this plug-in.

  6. Remove the required attributes or disable the plug-in entirely, as follows:

    • Remove "obattrvals".

    • Disable the plug-in by clicking the Advanced button and setting "nsslapd-pluginenabled" to "off".

5.6.14 Modifying Challenge and Response Phrases for Lost Password Management from a Panel

A user can modify the challenge and response used for lost password management by modifying phrases in his own user profile. However, changing the Challenge/Response using a Selection box in a Panel results in an unexpected error:

Challenge phrase is blank. Provide values for all challenge phrases

Note:

Ignore this topic if you have a fresh installation of Oracle Access Manager 10g (10.1.4.3), which includes the latest changes to basic.xsl and misc.js. You have no previous customizations to update and need not perform any of the steps here.

To help resolve this issue, changes have been made to basic.xsl (a typical wrapper stylesheet) and misc.js (a system-level file used by many stylesheets). These updated files reside in LPMChallengeResponsePatch.zip and are available with bundle patch 10.1.4.2.0-BP04. These files and the changes they contain need to be introduced in your deployment.

LPMChallengeResponsePatch.zip is included in each platform zip file for the 10.1.4.2.0-BP04 bundle patch. You can obtain the patch and the LPMChallengeResponsePatch.zip as described in the following steps. However, you will not actually use any other bundle patch components.

To download Patch ID 7113405 in the 10.1.4.2.0-BP04 bundle patch

  1. On the machine that will host the bundle patch files, create a temporary directory to contain the platform-specific bundles that you will download. For example:

    Unix: /home/10142BP04/tmp
    Windows: C:\10142BP04\tmp

  2. Go to My Oracle Support and log in as usual:

    https://support.oracle.com 
    
  3. Follow instructions in Section 5.1.2.2, "Retrieving the Latest Bundle Patch" to retrieve Patch ID 7113405.

  4. In the temporary directory where you stored the downloaded zip file, unzip to extract component-specific bundles and LPMChallengeResponsePatch.zip.

  5. Refer to usage instructions in the topic "Details for Bug 6804657" in the companion Oracle Access Manager Bundle Patch Notes.

  6. For more information, see "Error When Resetting the LPM Challenge or Response Phrase" in the troubleshooting chapter of the Oracle Access Manager Identity and Common Administration Guide.

5.6.15 Workflow Buttons Might Appear Disabled with Firefox 3.5 on Linux

In the Workflow Definition applet, Defined Steps panel, the "Defined steps" buttons such as New, Modify, Delete Step, and Insert Step can appear disabled when using Firefox 3.5.x under Linux with newer JRE versions. However, these buttons still function.

5.7 Third-Party Integration Issues

This section describes issues and workarounds for third-party integrations. It includes the following topics:

5.7.1 Users Receive Errors When Accessing WebLogic Resources

Users can receive errors when using the WebLogic Application Server version 9.2 with the Oracle Access Manager 10.1.4 SSPI Connector.

Specifically, users can receive a "not authorized" error when accessing pages that they should be able to access according to the policies configured in Oracle Access Manager.

When you deploy an application on WebLogic 9.2, be sure that you deploy it with the appropriate deployment descriptors for Web applications. The deployment descriptors for Web applications are web.xml and weblogic.xml. Also be sure to deploy the application with deployment descriptors for EJB applications. The files ejb-jar.xml and weblogic-ejb-jar.xml are the deployment descriptors for EJB applications.

5.7.2 The Deploy Link on the WebLogic Console Does Not Respond to Users Without a Role

After configuring the WebLogic Server SSPI Connector, if a non-administrative user selects the Deploy link, the WebLogic Server Console may not respond. That is, the Deploy link no longer responds to users who are logged in without a role.

The problem manifests differently in different environments:

  • When the connector is deployed against a WebLogic Server instance running on RedHat Enterprise Linux AS4.0 or Solaris 10, if no application was previously deployed, the link does respond to users without a role.

  • When the connector is configured against a WebLogic Server instance running on Solaris 8, the link fails to respond whether or not an application had been previously deployed.

The error also differs slightly depending on your version of WebLogic Server. On WebLogic Server 8.1, the following WebLogic Console error message is shown: "User does not have access to this page." No WebLogic Console error message is displayed on WebLogic Server 9.2. Instead, the user receives the message "The page cannot be displayed."

There is no workaround at this time.

5.7.3 No Error Is Displayed When You Create a WebLogic Group that Already Exists

When using WebLogic Console for WebLogic Server 9.2 on Red Hat Enterprise Linux AS 4.0 and Solaris 10, if you create a group that already exists, the WebLogic Server Console does not display an error message. The group creation page appears without an error message. However, an exception stack trace is generated.

There is no known workaround at this time.

5.7.4 Double-Byte Language Packs Do Not Work with the WebLogic SSPI Connector

When you install the WebLogic SSPI connector, you are prompted to choose a language. If you select Japanese, Simplified Chinese, or Traditional Chinese, the installation appears to complete successfully. However, the files are not successfully extracted and no directory for the selected language is created in install_dir/connector/oblix/lang.

If you try to extract the language pack for a previously installed connector, an error message similar to the following is displayed, "Please specify existing Access installation directory for installing Oracle Access Manager 10.1.4.0.1 Access System Japanese Language Pack. Please specify a directory name or press Enter."

If you then try to specify the installation directory of the SSPI connector, you receive the following message, "This directory does not exist. Please enter a valid Oracle Access Manager installation location."

Without the language pack properly installed and the appropriate properties files extracted, the configureWebgate, configureAccessGate, and PolicyDeployer tools display characters incorrectly.

In this release, affected Japanese, Simplified Chinese, and Traditional Chinese characters are replaced with English characters.

5.7.5 Integrating with Oracle Application Server Single Sign-On

In the Oracle Access Manager Integration Guide, the chapter on "Configuring the Access System for OracleAS Single Sign-On 10.1.2.0.2" is incomplete. The following is the correct information on this topic.

  1. Follow the steps in the rest of the chapter on "Configuring the Access System for OracleAS Single Sign-On 10.1.2.0.2".

  2. In the Access System Console, click System Configuration, then click Server Settings, and configure the following logout URL:

    http://[host.domain]:[port]/pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F[host.domain]%3A[port]
    

    URL-encode the p_done_url value.

    See the Oracle Application Server Single Sign-On Administrator's Guide for release 10.1.2.0.2 for details on configuring the logout link for single sign-on. A sample JSP that can be used for this purpose is included at the end of this release note.

  3. If you use the following sample JSP, go to the Access System Console, click Access System Configuration, then click AccessGate Configuration, and include the following in the LogOutURLs parameter for every WebGate in your environment:

    /access/oblix/lang/en-us/style2/oblixlogo.gif
    

The following is a sample logout.jsp file:

<!-- Copyright (c) 1999, 2003, Oracle. All rights reserved. -->
<%@page autoFlush="true" session="false"%>
<%
    // Declare English message strings
    String msg1 = "Single Sign-Off";
    String msg2 = "Application Name";
    String msg3 = "Logout Status";
    String msg4 = "ERROR: The return URL value not found.";
    String msg5 = "ERROR: Logout URL for partner applications not found.";

    // Get the user locale preference sent by the SSO server
    String userLocaleParam = null;
    java.util.Locale myLocale = null;
    try
    {
        userLocaleParam = request.getParameterValues("locale")[0];
    }
    catch (Exception e)
    {
        // Parameter absent: getParameterValues() returns null
        userLocaleParam = null;
    }
    if ((userLocaleParam == null) || userLocaleParam.equals(""))
    {
        myLocale = request.getLocale();
    }
    else
    {
        if (userLocaleParam.indexOf("-") > 0)
        {
            // SSO server sent the language and territory value (e.g. en-us)
            myLocale = new java.util.Locale(userLocaleParam.substring(0, 2),
                                            userLocaleParam.substring(3, 5));
        }
        else
        {
            // SSO server sent only the language value (e.g. en)
            myLocale = new java.util.Locale(userLocaleParam, "");
        }
    }
    // The following two lines are used only for multilingual support, with a
    // proper resource bundle class supplied:
    // java.util.ResourceBundle myMsgBundle
    //     = java.util.ResourceBundle.getBundle("MyMsgBundleClassName", myLocale);
    // Get the message string in the appropriate language using the message key,
    // and use this string to display the message in this page:
    // String mesg = myMsgBundle.getString("mesg_key");
%>
<html>
<body bgcolor="#FFFFFF">
<h1><%=msg1%></h1>
<%
    String done_url = null;
    int i = 0;
    // Get the return URL value
    try
    {
        done_url = request.getParameterValues("p_done_url")[0];
    }
    catch (Exception e)
    {
        done_url = "";
    }
    // Get the application name and logout URL for each partner application.
    // Note: done_url, app_name and url_name all arrive as request parameters;
    // output-encode them before writing them into HTML in a production page.
    try
    {
%>
<b> <%=msg2%>   <%=msg3%> </b>
<br>
<%-- Substitute an actual host, domain, and port for myhost.us.mydomain.com:7777
     that points to the WebGate. --%>
<img src="http://myhost.us.mydomain.com:7777/access/oblix/lang/en-us/style2/oblixlogo.gif">
<%
        // The loop ends when getParameterValues() returns null for the next
        // index; the resulting NullPointerException is caught below.
        for (;;)
        {
            i++;
            String app_name = request.getParameterValues("p_app_name" + i)[0];
            String url_name = request.getParameterValues("p_app_logout_url" + i)[0];
%>
<%=app_name%>
 
<img src="<%=url_name%>">
<br>
<%
        }
    }
    catch (Exception e)
    {
        // done_url was set to "" above when p_done_url was absent,
        // so both null and empty mean "no return URL"
        if (done_url == null || done_url.length() == 0)
        {
%>
<%=msg4%> <br>
<%
        }
        if (i > 1)
        {
%>
<br> <a href="<%=done_url%>">Return</a>
<%
        }
        else
        {
%>
<%=msg5%><br>
<%
        }
    }
%>
</body>
</html>

5.7.6 File Needed for RegistryTester Not Bundled with IBM WebSphere Application Server 6.1

Before you enable the NetPointWASRegistry, you need to run the RegistryTester program to ensure that the NetPointWASRegistry is registered and can successfully connect to the Identity System. A file required to run RegistryTester was available in the WAS_install_dir. Today, however, the file is not bundled with the Oracle Access Manager Connector for WebSphere. As a result, you cannot run RegistryTester with the Oracle Access Manager Connector for WebSphere 6.1.

Workaround: Copy the com.ibm.ws.runtime_6.1.0.jar file, which is available in WAS_INSTALL_DIR\plugins, then set the classpath in the RegistryTester.bat or RegistryTester.sh file accordingly. For example:

# RegistryTester.sh (Bourne shell syntax; one jar per line for readability)
CLASSPATH=.:${CLASSPATH}:${INSTALL_DIR}/oblix/lib/NetPointWASRegistry.jar
CLASSPATH=${CLASSPATH}:${INSTALL_DIR}/oblix/lib/jobaccess.jar
CLASSPATH=${CLASSPATH}:${WAS_INSTALL_DIR}/lib/wssec.jar
CLASSPATH=${CLASSPATH}:${WAS_INSTALL_DIR}/lib/sas.jar
CLASSPATH=${CLASSPATH}:${WAS_INSTALL_DIR}/lib/j2ee.jar
CLASSPATH=${CLASSPATH}:${WAS_INSTALL_DIR}/java/jre/lib/security.jar
CLASSPATH=${CLASSPATH}:${WAS_INSTALL_DIR}/java/jre/lib/xml.jar
CLASSPATH=${CLASSPATH}:${WAS_INSTALL_DIR}/plugins/com.ibm.ws.runtime_6.1.0.jar
export CLASSPATH

rem RegistryTester.bat (Windows syntax; ';' separates entries)
set CLASSPATH=.;%CLASSPATH%;%INSTALL_DIR%\oblix\lib\NetPointWASRegistry.jar;%INSTALL_DIR%\oblix\lib\jobaccess.jar;%WAS_INSTALL_DIR%\lib\wssec.jar;%WAS_INSTALL_DIR%\lib\sas.jar;%WAS_INSTALL_DIR%\lib\j2ee.jar;%WAS_INSTALL_DIR%\java\jre\lib\security.jar;%WAS_INSTALL_DIR%\java\jre\lib\xml.jar;%WAS_INSTALL_DIR%\plugins\com.ibm.ws.runtime_6.1.0.jar

5.8 Directory Issues

This section describes issues and workarounds for the directory. It includes the following topics:

5.8.1 Error "There Is No Profile Configured for this Kind of Object"

In Oracle Internet Directory, the orcladmin user (dn: cn=orcladmin) can be thought of as a pseudo user with administrative privileges. There is no LDAP entry corresponding to this user in Oracle Internet Directory. This user is part of special groups that are created in Oracle Internet Directory. The Identity Server requires that every user exist as an independent entry in the directory. When these special groups are viewed or modified using Group Manager, you may see the following message: "There is no profile configured for this kind of object."

If you have this issue, view and update these special Oracle Internet Directory groups using the Oracle Directory Manager application.

Note that there are some special groups in Oracle Internet Directory that exhibit cyclic behavior. Using Oracle Directory Manager to manage these groups is recommended, not the Group Manager or the Identity Server.

5.8.2 Issues With the Display of Messages in Some Languages

There may be an issue with the display of messages for some installations of Oracle Access Manager with Oracle Internet Directory using a native character set. For some supported languages in these environments, messages in the Oracle Access Manager message catalog that are not compatible with the native character set are not displayed properly.

Use the AL32UTF8 character set for Oracle Internet Directory instead of the native character set for the language.

5.8.3 Support for eDirectory 8.7.3

When conducting searches using Novell eDirectory 8.7.3, attribute access controls and searchbase filters do not work as expected. For example, using eDirectory 8.7.3, you can configure filters to return organizational units (ou's) below the top node of the DIT, as follows:

(&(objectclass=*)(!(|(objectclass=oblixconfig)(objectclass=oblixlocation)(objectclass=genSiteOrgPerson)(objectclass=genSiteGroup)))(objectclass=*))

However, these searches return information that you were trying to exclude. For example, users may be returned.

To work around this issue, apply the eDirectory patch 8.7.3.7. See the following URL for details:

http://www.novell.com

5.9 Documentation Issues

This section describes issues and workarounds for documentation and online help. It includes the following topics:

5.9.1 Reference to Oracle Internet Directory Is Needed in Installation Preparation Checklist

In the next version of the Oracle Access Manager Installation Guide, Chapter 2, "Preparing for Installation" Table 2-3 will include Oracle Internet Directory in the Installation Preparation Checklists.

5.9.2 Help Mentions WebGateStatic.lst But No Such File Exists

Some language versions of the online help for the Access System contain an obsolete reference to a WebGateStatic.lst file, as follows:

"To ensure that the WebGate logs out users from Identity and Access applications when they click the Logout button, set the LogOutUrls parameter in WebGateStatic.lst to the same value as the SSO Logout URL. WebGateStatic.lst is located in

WebGate_install_dir/oblix/apps/Webgate/"

Beginning with 10g (10.1.4), the WebGateStatic.lst file is no longer present. Various parameters that were set in WebGateStatic.lst are now defined in the Access System Console.

The following procedure describes how to configure the LogOutURLs parameter. See the Oracle Access Manager Access Administration Guide for details.

To set the LogOutUrls parameter:

  1. Launch the Access System Console and click Access System Configuration.

  2. Click AccessGate Configuration in the left navigation pane.

  3. Conduct a search for existing AccessGates and click the link for the AccessGate that you want to modify.

  4. Modify the LogOutURLs parameter.

5.9.3 The obEnableCredentialCache Credential Mapping Parameter Is Misspelled

In the Oracle Access Manager Access Administration Guide chapter on configuring authentication, the obEnableCredentialCache parameter is misspelled as EnableCredentialCache.

Use the correct spelling, "obEnableCredentialCache" when configuring this parameter.

5.9.4 Warning Regarding Retrieving Authorization Data From an External Source

As described in the Oracle Access Manager Access Administration Guide, an authorization scheme can obtain data from an external source. This data is passed to a custom authorization plug-in. By obtaining external data (usually in the form of information about the user) authorization decisions can be made dynamically, based on user input.

For example, if a user goes to a form to purchase an item for $1000, this $1000 amount can be dynamically evaluated against a limit—perhaps stored in a database—to determine if the purchase is authorized.

The process of retrieving authorization data from an external source is sometimes known as a reverse action.

Note that when creating an authorization plug-in that uses a reverse action, the calls to retrieve reverse actions will not fail if no reverse actions are present. For example, the following returns NULL for a list if there is no user-agent value in RequestContext:

ObASPluginList_t list = pFnBlock->GetDataFn(pInfo->RequestContext, "user-agent");

Plug-ins should check if the data list returned for a reverse action (or anything else) is NULL before using it to retrieve individual data values. Even with a new Access Server, this situation could occur if the client did not specify a value for a reverse action.

This information will be added to the Authorization Plugin API documentation.

5.9.5 Active Directory MaxPageSize Parameter Stated as PageSize Parameter

The discussion on "Oracle Access Manager ADSI Configuration Files", in the Oracle Access Manager Identity and Common Administration Guide, Appendix B, Table B-2 Parameters and Values in adsi_params Files includes two pagesize parameter descriptions as follows:

  • pageSize: Page size of results that ADSI request from the server.

  • pageSize: Setting the pageSize value to a finite value (the default is 0) turns off LDAP referrals. This can improve performance when client applications perform directory searches.

Correction: The second pageSize parameter in the table will refer to the MaxPageSize parameter.

5.9.6 Missing Parameter in globalparams.xml Documentation

The following information has been added to the Oracle Access Manager Customization Guide, and related notes have been added to Oracle Access Manager Identity and Common Administration Guide.

The parameter excludeOCsForTreeInApplet specifies the list of object classes whose objects are excluded from display in the Identity System. For example, if you remove the group object class item from the list, the group objects will be visible in the Identity System applications.

By default, the Identity System does not display every object and attribute in the directory. This parameter enables you to expose object classes in the Identity System applications that would otherwise be hidden.

5.9.7 Incorrect obver Attribute Value Stated in Documentation

Procedures in the Oracle Access Manager Upgrade Guide to verify Identity and Access System schema upgrades instruct you to view the configuration node in the configuration directory server and confirm that the value of the obver attribute is 10.1.4.0.1. However, the actual attribute value is 10.1.4.0.

In the next release of the Oracle Access Manager Upgrade Guide, the following procedures will be corrected to reflect the actual attribute value of 10.1.4.0:

To verify the schema and data upgrade

  1. Check to ensure that the schema contains 10g (10.1.4) attributes obPolicyEnabled and objectclass oblixLPMPolicy.

  2. View the configuration node in the configuration directory server and confirm that the value of the obver attribute is 10.1.4.0.

To verify the Access System schema and data upgrade

  1. Using your directory administration console, confirm that the schema contains all the object classes and attributes as defined in the Oracle Access Manager Schema Description.

  2. Using your directory administration console, verify that all the indexes have been added.

  3. Different Directory Server Instances: Perform the steps in the following list to ensure that the schema was also updated:

    • View the configuration node in the configuration directory server and confirm that the value of the obver attribute is 10.1.4.0.

    • Check to ensure that the schema contains 10g (10.1.4) attributes obPolicyEnabled and objectclass oblixLPMPolicy.

5.9.8 Changes in System Behavior for obVer Missing in Manuals

Changes in system behavior for the obVer attribute were not noted in the Oracle Access Manager Schema Description and the Oracle Access Manager Upgrade Guide.

The following information will be added to the next release of the Oracle Access Manager Schema Description:

  • oblixConfig class: This value is used by the Identity and Access Servers with the Lost Password Management feature.

  • OblixOrgPerson class: A value of 10.1.4.0 or greater in oblixOrgPerson indicates that the challenge phrase and response attributes are encoded with a delimiter of @n# between multiple values. In the encoding, n is the number of the challenge or response.

    For more information about multiple challenge and response attributes, see the Oracle Access Manager Identity and Common Administration Guide. For implications when upgrading from an earlier release to Oracle Access Manager 10g (10.1.4), see the Oracle Access Manager Upgrade Guide.
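The @n# encoding described above (and illustrated with sample attribute values later in this section), as an added example that is not Oracle Access Manager code: a small Python encoder/decoder for multi-value challenge and response attributes, with the obVer test that decides whether a stored value is encoded at all. A missing obVer is treated as older than 10.1.4.0, as the note states; the code works on the plaintext response before encryption, and the sample entries are constructed from the values quoted in this section.

```python
"""Encode/decode Lost Password Management challenge and response values.

Added example, not Oracle Access Manager code. The format follows the
release note: from obVer 10.1.4.0 on, multiple values are stored as
value@1#value@2#...; an older (or absent) obVer means one raw value.
"""
import re
from typing import Dict, List, Optional, Tuple

# First release whose OblixOrgPerson entries use the @n# encoding.
ENCODING_VERSION: Tuple[int, ...] = (10, 1, 4, 0)

# One encoded item: the value, then "@", the 1-based index, then "#".
_ITEM = re.compile(r"(.*?)@(\d+)#", re.DOTALL)


def parse_obver(obver: Optional[str]) -> Tuple[int, ...]:
    """Turn an obVer string such as '10.1.4.0' into a comparable tuple.

    A missing obVer in a user entry is assumed to be older than 10.1.4.0
    (per the release note), so it maps to (0, 0, 0, 0). Shorter strings
    such as '10.1.4' are zero-padded so that '10.1.4' equals '10.1.4.0'.
    """
    if obver is None or not obver.strip():
        return (0, 0, 0, 0)
    parts = tuple(int(p) for p in obver.strip().split("."))
    if len(parts) < 4:
        parts = parts + (0,) * (4 - len(parts))
    return parts


def uses_multi_encoding(obver: Optional[str]) -> bool:
    """True when the entry's obVer says challenge/response values are encoded."""
    return parse_obver(obver) >= ENCODING_VERSION


def decode(value: str, obver: Optional[str]) -> List[str]:
    """Return the individual values of a stored attribute, in index order.

    Pre-10.1.4.0 entries hold one unencoded value and come back as a
    single-element list. Encoded values are validated strictly: every
    character must belong to some item and indices must run 1..n with no
    gaps or duplicates, so a truncated or hand-edited attribute is rejected
    instead of being silently mis-paired with its responses.
    """
    if not uses_multi_encoding(obver):
        return [value]
    items: Dict[int, str] = {}
    pos = 0
    for m in _ITEM.finditer(value):
        if m.start() != pos:
            raise ValueError("unexpected data at offset %d" % pos)
        index = int(m.group(2))
        if index in items:
            raise ValueError("duplicate item index %d" % index)
        items[index] = m.group(1)
        pos = m.end()
    if pos != len(value):
        raise ValueError("trailing data without an @n# terminator")
    expected = list(range(1, len(items) + 1))
    if sorted(items) != expected:
        raise ValueError("item indices are not contiguous from 1")
    return [items[n] for n in expected]


def encode(values: List[str]) -> str:
    """Build the @n# encoded attribute value for one or more values."""
    if not values:
        raise ValueError("at least one value is required")
    for v in values:
        if re.search(r"@\d+#", v):
            raise ValueError("a value may not contain the @n# delimiter")
    return "".join("%s@%d#" % (v, n) for n, v in enumerate(values, 1))


def reencode_single(value: str, obver: Optional[str]) -> Tuple[str, str]:
    """Illustration only (assumed, not the product's upgrade logic): what a
    pre-10.1.4.0 single value looks like once written in the new encoding.
    Returns (new_value, new_obver); already-encoded input passes through."""
    if uses_multi_encoding(obver):
        return value, obver
    return encode([value]), "10.1.4.0"


if __name__ == "__main__":
    # Constructed sample entries modelled on the release note's examples.
    new_entry = {
        "obVer": "10.1.4.0",
        "challenge": "what is your name?@1#what is your school name?@2#",
        "response_plaintext": "name@1#SGschool@2#",  # stored encrypted
    }
    old_entry = {"challenge": "what is your name?"}  # no obVer attribute
    questions = decode(new_entry["challenge"], new_entry["obVer"])
    answers = decode(new_entry["response_plaintext"], new_entry["obVer"])
    for n, (q, a) in enumerate(zip(questions, answers), 1):
        print("%d: %s -> %s" % (n, q, a))
    print(decode(old_entry["challenge"], old_entry.get("obVer")))
    print(reencode_single(old_entry["challenge"], old_entry.get("obVer")))
```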

The following information will be added to the next release of the Oracle Access Manager Upgrade Guide in the chapter that provides a summary of system behaviors.

The obVer attribute identifies the current Oracle Access Manager release and is one of several attributes in the class description of many Oracle Access Manager schema objects. For example, the obVer attribute is part of oblixPanel, oblixConfig, oblixLocation, oblixMetaAttribute, oblixEnum, and OblixOrgPerson to name only a few.

Until release 10g (10.1.4), the obVer attribute was purely informational. However starting with release 10g (10.1.4), the obVer attribute is used by the Identity and Access Servers to support encoding of multiple challenge phrase and response attributes for lost password management. In this case, Oracle Access Manager 10g (10.1.4) reads the obVer attribute in:

  • oblixConfig class: The structural class defines the container node for the Oracle Access Manager configuration data.

    In oblixConfig, the obVer attribute always exists and indicates the current product release.

  • OblixOrgPerson class: The auxiliary class used for associating Oracle Access Manager person information with the class configured as the structural person object class. The next release of the Oracle Access Manager Schema Description will include the following details:

    In OblixOrgPerson obVer may or may not exist. When obVer does not exist in a user entry, the value is assumed to be less than 10.1.4.0.

Oracle Access Manager 10g (10.1.4) uses the obVer value in the OblixOrgPerson class in the following ways:

  • An obVer value of less than 10.1.4.0 indicates that there is a single value for the challenge phrase and the response with no encoding. For example:

    ChallengeAttribute: what is your name?
    ResponseAttribute: xxxxxxxx (encrypted form of Ramakrishna)

  • An obVer value of 10.1.4.0 or greater indicates that the challenge phrase and response attributes are encoded (with @n# as a delimiter between multiple values, where n is the number of the challenge or response). For example:

    ChallengeAttribute: what is your name?@1#what is your school name?@2#
    ResponseAttribute: xxxxxxxx (where xxxxxxxx is the encrypted form of name@1#SGschool@2#)

    ChallengeAttribute: what is your name?@1#
    ResponseAttribute: xxxxxxxx (where xxxxxxxx is the encrypted form of name@1#)

When you upgrade from an earlier release to Oracle Access Manager 10g (10.1.4), configuration data stored in the oblix tree is migrated automatically and the value of the obVer attribute is changed to 10.1.4.0. However, user data is not migrated until the first login following the upgrade. This means that the obVer attribute value remains less than 10.1.4.0 in user data (in the OblixOrgPerson class). In this case, during the first login the user data is migrated and:

  • The existing challenge phrase and response values are encoded (@1# is appended to the existing values automatically).

  • The value of the obVer attribute in user data (the OblixOrgPerson class) is set to the value of the obVer attribute in migrated configuration data in the root node of the oblix tree (oblixConfig).

Caution:

The first time a user logs in after the upgrade, that user entry is migrated immediately. Any existing challenge and response values for that user are encoded (@1# is appended to the end) and the obVer attribute value is changed to 10.1.4.0. However, if you restore your earlier release, the rollback process does not revert these changes. If you roll back to your previous release, the obVer value in the user entry in the OblixOrgPerson class remains 10.1.4.0 and the challenge and response values remain in encoded format. To temporarily stop the immediate user data migration (also known as on-the-fly migration) and avoid possible rollback issues, see Section 5.4.4, "Rollback Issues After Upgrading to Oracle Access Manager 10g (10.1.4)".
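The @n# encoding and the first-login migration described above, worked through as an added Python example (not Oracle Access Manager code): plain strings stand in for the encrypted response values, a dict stands in for the LDAP user entry, and the two sample entries are constructed.

```python
import re

# obVer that the upgrade writes to the configuration node (oblixConfig) and
# that first-login migration then copies into the user entry (OblixOrgPerson).
MIGRATED_OBVER = "10.1.4.0"


def parse_obver(value):
    """Turn a release string such as '10.1.4.0' into a comparable 4-tuple.

    A missing obVer (None) is treated as older than 10.1.4.0, which is how
    an OblixOrgPerson entry without the attribute is interpreted."""
    if value is None:
        return (0, 0, 0, 0)
    parts = [int(p) for p in value.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def uses_encoding(obver):
    """True when an entry with this obVer stores @n#-delimited values."""
    return parse_obver(obver) >= parse_obver(MIGRATED_OBVER)


def encode_values(values):
    """Join challenge (or response) values with the @n# delimiter, n being the
    1-based number of the value: ['a', 'b'] -> 'a@1#b@2#'."""
    return "".join(f"{value}@{n}#" for n, value in enumerate(values, start=1))


# Shortest run of anything, followed by one @n# delimiter.
_TOKEN = re.compile(r"(.*?)@(\d+)#", re.DOTALL)


def decode_values(encoded):
    """Split an @n#-encoded string back into its ordered values.

    Numbering must start at 1 and be contiguous, and nothing may follow the
    last delimiter; anything else raises ValueError. A value that itself
    contains a literal '@<digits>#' cannot be told apart from a delimiter,
    which is a property of the format rather than of this parser."""
    values = []
    pos = 0
    for match in _TOKEN.finditer(encoded):
        n = int(match.group(2))
        if n != len(values) + 1:
            raise ValueError(f"expected @{len(values) + 1}#, found @{n}#")
        values.append(match.group(1))
        pos = match.end()
    if pos != len(encoded):
        raise ValueError(f"data after the last delimiter: {encoded[pos:]!r}")
    return values


def is_well_formed(encoded):
    """Predicate form of decode_values for callers that only need a yes/no."""
    try:
        decode_values(encoded)
    except ValueError:
        return False
    return True


def read_challenges(entry):
    """Interpret a user entry's ChallengeAttribute and ResponseAttribute
    according to its obVer; returns (challenges, responses) as lists."""
    challenge = entry["ChallengeAttribute"]
    response = entry["ResponseAttribute"]
    if uses_encoding(entry.get("obVer")):
        return decode_values(challenge), decode_values(response)
    return [challenge], [response]


def migrate_user_entry(entry, config_obver=MIGRATED_OBVER):
    """Model the on-the-fly migration at a user's first login after upgrade.

    A pre-10.1.4.0 entry gets '@1#' appended to its single challenge and
    response and its obVer set to the configuration node's obVer. An entry
    that already uses the encoding is returned as-is; as the Caution above
    notes, rolling the product back does not undo this either."""
    migrated = dict(entry)
    if uses_encoding(entry.get("obVer")):
        return migrated
    migrated["ChallengeAttribute"] = encode_values([entry["ChallengeAttribute"]])
    migrated["ResponseAttribute"] = encode_values([entry["ResponseAttribute"]])
    migrated["obVer"] = config_obver
    return migrated


# Constructed sample entries; "xxxxxxxx" stands in for an encrypted response.
PRE_UPGRADE_ENTRY = {
    "ChallengeAttribute": "what is your name?",
    "ResponseAttribute": "xxxxxxxx",
}
ENCODED_ENTRY = {
    "obVer": "10.1.4.0",
    "ChallengeAttribute": "what is your name?@1#what is your school name?@2#",
    "ResponseAttribute": "name@1#SGschool@2#",
}
```

Running `migrate_user_entry(PRE_UPGRADE_ENTRY)` twice returns the same result, which mirrors why a later rollback finds the entry already in the encoded form.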

5.9.9 Items Needed for WebLogic 9.2 Application Server Certification

With the latest support for the Security Provider for WebLogic SSPI on WebLogic 9.2, the Oracle Access Manager Integration Guide must include new details, specifically in the discussion on preparing the WebLogic environment in the chapter "Integrating the Security Provider for WebLogic SSPI."

The note beneath step 1 and the additions to subsections b and c beneath step 12 of the following procedure will appear in the Oracle Access Manager Integration Guide with Release 10.1.4 Patch Set 1 (10.1.4.2.0).

To prepare the environment

  1. Copy the mbean jar file from one of the following locations:

    From

    install_dir/oblix/lib/mbeantypes

    to

    WebLogic_Home/server/lib/mbeantypes

    Note:

    If you are using WebLogic 9.2, copy wl8NetPointSecurityProviders_Upgraded.jar. If you are using WebLogic 8.1, copy wl8NetPointSecurityProviders.jar. If you are using WebLogic 7.0 SP2 and later, copy wl7NetPointSecurityProviders.jar.
  2. Copy the following files from your Security_Provider_install_dir to your WebLogic domain folder:

    NetPointProvidersConfig.properties

    NetPointResourceMap.conf: only for the WebLogic Server domain

  3. Ensure that the following Admin credentials are set in clear text in the NetPointProvidersConfig.properties file:

    OB_AdminUserName=admin

    OB_AdminUserCreds=password

    If the NetPointProvidersConfig.properties file has a clear text password, the SSPI reads in the password, encrypts it, and rewrites the properties file with the encrypted password.

    Note:

    NetPointProvidersConfig.properties file formatting is lost when Oracle Access Manager rewrites the file with the encrypted password. You may want to save a copy of the NetPointProvidersConfig.properties file. Also, ensure that all parameters are correctly filled as mentioned in the Oracle Access Manager Integration Guide.

    Complete the next step only if the SSPI talks to a WebPass that is protected by a WebGate. Otherwise, skip to step 5.

  4. WebPass Protected by WebGate: Complete the following activities when the Oracle Access Manager SSPI talks to a WebPass protected by a WebGate:

    1. In the NetPointProvidersConfig.properties file, ensure that OB_WebPassIsProtected is set to true and that the OB_CookiePath and OB_CookieDomain parameters are configured correctly.

    2. From the Access System Console, click Access System Configuration, click AccessGate Configuration in the left navigation pane, click the link for the WebGate that protects the WebPass, and in the IPValidation field select the Off option.

      In Oracle Access Manager 10g (10.1.4), the WebGateStatic.lst file no longer exists. The options in this file have moved to the Access System Console. See Oracle Access Manager Access Administration Guide for details.

      Note:

      If you want to set IPValidation to True, configure the IPValidationExceptions parameter to contain the IP address.
    3. Restart the Web server.

      Note:

      Ensure that the security level in this authentication scheme is the same level as, or a lower level than, the one specified in the WebLogic authentication scheme.

      Next, you need to determine if the machine hosting WebPass is running SSL. If it is, complete step 5. Otherwise, skip to step 6.

  5. WebPass Host SSL-Enabled: Determine if the machine hosting WebPass is running SSL, and if so, complete the following steps:

    1. Open the NetPointProvidersConfig.properties file and set OB_WebPassSSLEnabled = True.

    2. Obtain the CA certificate from the certificate authority to which the Web server hosting the WebPass or WebGate running in SSL mode has registered, and place it in ca.cer file.

    3. Use the keytool in JAVA_HOME\bin or JAVA_HOME\jre\bin to add the CA certificate to the cacerts keystore in the JAVA_HOME\jre\lib\security folder of the WebLogic JDK:

      keytool -import -alias ca -file ca.cer -keystore JAVA_HOME\jre\lib\security\cacerts
      
  6. Add the following environment variables in the WebLogic Server startup script before the command that starts the server:

    Add the following to the CLASSPATH:

    /install_dir/oblix/lib/wlNetPoint.jar
    /install_dir/oblix/lib/bcprov-jdk14-125.jar
    /install_dir/oblix/lib/xerces.jar
    /install_dir/oblix/lib/jobaccess.jar
    
  7. Add the following environment variables in the WebLogic Server startup script before the command that starts the server:

    Solaris: Add the following to LD_LIBRARY_PATH:

    Portal Domain: The CLASSPATH and PATH variables should be added just after the SAVE_JAVA_OPTIONS environment variable in the startWebLogic.cmd script (On Unix, it is the startWebLogic.sh script).

  8. On Linux, set the LD_ASSUME_KERNEL environment variable to 2.4.19, as follows:

    LD_ASSUME_KERNEL=2.4.19
    export LD_ASSUME_KERNEL
    
  9. Remove the boot.properties file from the WebLogic domain directory.

    This will cause the startWebLogic script described in the next step to prompt for username and password.

  10. In the WebLogic domain directory, edit the appropriate startup script:

    Unix: The script is startWeblogic.sh

    Ensure the following paths are set in the script:

    /install_dir/oblix/lib/wlNetPoint.jar
    /install_dir/oblix/lib/bcprov-jdk14-125.jar
    /install_dir/oblix/lib/xerces.jar
    /install_dir/oblix/lib/jobaccess.jar
    
  11. In the WebLogic domain directory, start the WebLogic Server using the appropriate startup script:

    Unix: This command is startWeblogic.sh

    Using the WebLogic 8.1 Domain Configuration Wizard, you can create instances of a new WebLogic 8.1 domain, for example, mydomain, and a new WebLogic 8.1 server, for example, myserver. You can also create instances of a new WebLogic 8.1.3 Portal domain, for example, portalDomain, and a new WebLogic 8.1.3 portal, for example, portalServer.

  12. Set up a Realm that uses Oracle Access Manager security providers, as follows:

    1. Open a new console window and set the Weblogic environment by executing setEnv.cmd.

      Unix: Source the setEnv.sh script present in the server domain directory.

      Portal Domain: Use the setDomainEnv.cmd script (on Unix it is the setDomainEnv.sh script).

    2. Run the following script and ensure that it has the correct username, password, and URL values:

      Unix: install_dir/setupNetPointRealm.sh

      Note:

      To use policies based on roles for Web and EJB applications in WebLogic SSPI, run the setupNetPointRealm tool with the sspi_role parameter.

      For example:

      install_dir\setupNetPointRealm.cmd sspi_role
      

      Portal Domain: Run the script with parameter "portal".

      WebLogic Server 7.0: The script does not work and NetPointRealm must be set manually.

      WebLogic Application Server 9.2 on Unix: Set the domName variable in the install_dir/setupNetPointRealm.properties file. Then run the install_dir/setupNetPointRealm_wl92.sh script.

    3. Log in to the WebLogic Admin Console, navigate to Domain, Security, Realms and:

      • Verify that NetPointRealm is set as the default.

      • Verify that the security providers are set properly in NetPointRealm.

      Use the following steps for WebLogic Server 9.2:

      • Click Lock and Edit in the WebLogic Admin Console.

      • Navigate to NetpointRealm, Providers, Certification Path, WebLogicCertPathProvider. Select the Current Builder option to use the WebLogicCertPathProvider as the current builder. Click Activate Changes to activate all changes.

      • Set NetPointRealm as the default realm.

        In the left pane, select your domain to open the Settings page for your domain. Click the Security tab; click General; select NetPointRealm as the default security realm; click Save; click Activate Changes to activate all changes.

    4. Script Fails: If the script fails, you must manually add the Oracle Access Manager security realm (NetPointRealm):

      • Go to Domain, Security, Realms and select "Configure a new Realm".

      • For the option "Check Roles and Policies for", ensure that "All Web Applications and EJBs" is selected.

      • Navigate to Providers, Authentication, and configure a new Authenticator and Identity Asserter.

      • Identity Asserter: Select the Token Type ObSSOCookie and in the Details tab, uncheck "Base64Decoding Required".

      • Portal Domain: Set the control flag of Authenticator to OPTIONAL and also configure a Default Authenticator.

      • Navigate to Providers, Authorization and configure a new Authorizer (for the portal domain, only configure a Default Authorizer).

        For role based policies, you also need to configure a Default Authorization Provider. Navigate to Providers, Authorization and configure a Default Authorization Provider.

      • For role based policies, navigate to Providers, Adjudication and configure a new Adjudication Provider.

      • Navigate to Providers, Role Mapping and configure a new Role mapper (for the portal domain, only configure a Default Role mapper).

      • Navigate to Providers, Credential Mapping and configure a new Default Credential mapper.

      • Navigate to Domain, Security and select this realm as the default realm.

  13. Portal Server Domain: Complete the following steps to configure a WebLogic Portal domain:

    1. Restart the server using the same WebLogic credentials that were used earlier.

    2. In the WebLogic Server Console, navigate to Domain, Security, Realms, NetPointRealm, Providers, Authentication, and:

      • Remove the Default Authenticator.

      • Change the control flag for Authenticator to REQUIRED.

    3. Using the Group Manager, create a group in Oracle Access Manager that maps to the Admin role in the BEA WebLogic Server and contains all the administrators for the BEA Portal.

      For example:

      BEA_Administrators

    4. Create a user (portaladmin) and add it to the BEA_Administrators group; later you log in as this user (portaladmin) when restarting the server.

    5. In the WebLogic Server Admin Console, navigate to Security, Realms, NetPointRealm and:

      • Click Groups to display all Oracle Access Manager groups.

      • Search for the BEA Admin group that you created earlier in this procedure. You can use a wildcard in the search.

      • Copy the group name.

    6. Click Global Roles, Admin role, Conditions tab and:

      • Add a Role Condition where the caller is a member of the group.

      • Paste in the group name you copied.

    7. Change the role condition from "and" to "or", then click Apply.

    8. Repeat this procedure for the PortalSystemAdministrator role.

      Note:

      Other BEA roles can be mapped to Oracle Access Manager groups/users. When you restart the WebLogic Server, it is important that you are logged in as a user in the Oracle Access Manager group associated with the BEA Admin role.
  14. Restart the WebLogic Server.

    The next time you log in to the WebLogic console, provide Master Oracle Access Manager Administrator credentials. You will be authenticated using NetPointRealm.

  15. If you are using identity assertion as the authentication mechanism that protects Web applications:

    1. Install a WebGate on the proxy Web server. See the Oracle Access Manager Integration Guide for an illustration of this type of installation.

    2. Configure the Oracle Access Manager policies that protect the Web applications to use HTTP as the resource type instead of wl_url.

      Note:

      There is one exception to the resource type configuration. The WebLogic administration console always uses form login. The /console policy must use the resource type wl_url.
  16. If anything other than an Oracle Access Manager form-based authentication scheme protects the policies configured with the HTTP resource type, configure a challenge redirect parameter to redirect the user to another Web server that has WebGate installed.

    Note:

    If you do not complete this step, the user will have to refresh the browser to access the desired page because the ObSSOCookie set by the WebGate in the HTTP request has not yet been sent to the WebLogic server.
  17. Continue with the next procedure in the Oracle Access Manager Integration Guide as needed.
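A pre-flight check for the NetPointProvidersConfig.properties settings that steps 2 to 5 above call out, as an added Python example (not part of the Oracle Access Manager or WebLogic distribution): the parameter names are the ones the procedure uses, the sample file contents are constructed, and the `.orig` backup suffix is this example's own choice.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed sample contents for a NetPointProvidersConfig.properties file
# (not from a real deployment). SAMPLE_BAD omits the admin credential and the
# cookie domain that a WebGate-protected WebPass requires.
SAMPLE_OK = """\
# constructed sample
OB_AdminUserName=admin
OB_AdminUserCreds=password
OB_WebPassIsProtected=true
OB_CookiePath=/
OB_CookieDomain=.example.com
OB_WebPassSSLEnabled = True
"""
SAMPLE_BAD = """\
OB_AdminUserName=admin
OB_WebPassIsProtected=true
OB_CookiePath=/
"""


def parse_properties(text):
    """Minimal Java .properties reader: the separator is the first '=' or ':'
    on the line, '#' and '!' start comments, surrounding whitespace is
    trimmed, and a repeated key keeps its last value. Escapes and line
    continuations are not handled; the SSPI file does not need them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
            continue
        cut = min(seps)
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def is_true(value):
    """The procedure writes both 'true' and 'True'; accept either."""
    return value.strip().lower() == "true"


def check_sspi_properties(props):
    """Return the list of problems found against steps 3 and 4 of the
    procedure; an empty list means the file is consistent with them."""
    problems = []
    # Step 3: the admin credentials must be present (clear text on first use;
    # the SSPI then encrypts the password and rewrites the file).
    for key in ("OB_AdminUserName", "OB_AdminUserCreds"):
        if not props.get(key):
            problems.append(f"{key} is missing or empty")
    # Step 4: a WebPass behind a WebGate needs the cookie parameters as well.
    if is_true(props.get("OB_WebPassIsProtected", "")):
        for key in ("OB_CookiePath", "OB_CookieDomain"):
            if not props.get(key):
                problems.append(f"OB_WebPassIsProtected=true but {key} is not set")
    return problems


def backup_before_rewrite(path):
    """Copy the file to <name>.orig (suffix is this example's choice) before
    the SSPI first reads it, because the rewrite with the encrypted password
    loses the file's formatting (note under step 3). Returns the backup path."""
    src = Path(path)
    dst = src.with_name(src.name + ".orig")
    shutil.copy2(src, dst)
    return dst


def demo_backup():
    """Write SAMPLE_OK to a temporary directory, back it up, and return True
    when the backup is byte-identical to the original."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "NetPointProvidersConfig.properties"
        src.write_text(SAMPLE_OK)
        return backup_before_rewrite(src).read_text() == SAMPLE_OK
```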

5.9.10 Corrected Default Path Names in Oracle Access Manager Installation Guide

The Oracle Access Manager Installation Guide states incorrect default path names for components, as shown in Table 5-3.

Table 5-3 Erroneous Default Installation Path Names

Component Installation Directory

Identity Server

Windows: \Program Files\OracleAccessManager\identity

Unix: /opt/oracleaccessmanager/identity

In This Guide: \IdentityServer_install_dir\identity

WebPass

Windows: \Program Files\OracleAccessManager\WebComponent\identity

Unix: /opt/oracleaccessmanager/WebComponent/identity

In This Guide: \WebPass_install_dir\identity

Access Server

Windows: \Program Files\OracleAccessManager\access

Unix: /opt/oracleaccessmanager/access

In This Guide: \AccessServer_install_dir\access

Policy Manager

Windows: \Program Files\OracleAccessManager\WebComponent\access

Unix: /opt/oracleaccessmanager/WebComponent/access

In This Guide: \PolicyManager_install_dir\access

WebGate

Windows: \Program Files\OracleAccessManager\WebComponent\access

Unix: /opt/oracleaccessmanager/WebComponent/access

In This Guide: \WebGate_install_dir\access


In the next release of this manual, with Release 10.1.4 Patch Set 1 (10.1.4.2.0), the path names will be corrected as shown in Table 5-4.

Table 5-4 Correct Default Installation Path Names

Component Installation Directory

Identity Server

Windows: \Program Files\NetPoint\identity

Unix: /opt/NetPoint/identity

In This Guide: \IdentityServer_install_dir\identity

WebPass

Windows: \Program Files\NetPoint\WebComponent\identity

Unix: /opt/NetPoint/WebComponent/identity

In This Guide: \WebPass_install_dir\identity

Access Server

Windows: \Program Files\NetPoint\access

Unix: /opt/NetPoint/access

In This Guide: \AccessServer_install_dir\access

Policy Manager

Windows: \Program Files\NetPoint\WebComponent\access

Unix: /opt/NetPoint/WebComponent/access

In This Guide: \PolicyManager_install_dir\access

WebGate

The default WebGate installation directory path name varies depending upon your platform and Web server type. For example:

Win32 ISAPI WebGate: \Program Files\NetPoint\Webgate

Win32 OHS2 WebGate: \Program Files\NetPoint\WebComponent

Win32 NSAPI WebGate: \Program Files\NetPoint\WebGat

Linux Apache2 WebGate: /opt/netpoint/webgate

Linux OHS2 WebGates: /opt/netpoint/webgate

In This Guide: \WebGate_install_dir\access


5.9.11 OIS and Access Server Service Start is Automatic by Default

The Oracle Access Manager Installation Guide chapter "Installing the Identity Server" incorrectly states that the Identity Server and Access Server services are set to start manually by default in step 6 of the procedure that describes finishing the Identity Server installation:

  • Windows: Open the Services Window then locate and start the Identity Server service.

    By default, the Identity Server (also known as the Oracle Identity Server (OIS)) starts manually, but you can set its startup type to Automatic. See the Microsoft Windows Help for details.

  • Unix: Execute the following command:

    /IdentityServer_install_dir/identity/oblix/apps/common/bin/start_ois_server

To correct this statement, the Oracle Access Manager Installation Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0) will include the following updated information in step 6:

  • Windows: Open the Services Window and confirm that the Identity Server service is started.

    By default, the Identity Server (also known as the Oracle Identity Server (OIS)) starts automatically. To change the default to manual start, see the Microsoft Windows Help for details.

  • Unix: Execute the following command to start the Identity Server service:

    /IdentityServer_install_dir/identity/oblix/apps/common/bin/start_ois_server

Also, the procedure on finishing the Access Server installation in the chapter on "Installing the Access Server", includes similar information which is now corrected.

5.9.12 Certificate Utility Flags Incorrect for Oracle Virtual Directory SSL Listener

The Oracle Access Manager Installation Guide chapter on "Setting Up Oracle Access Manager with Oracle Virtual Directory", contains a procedure to configure the Oracle Virtual Directory SSL Listener. Step 8 of this procedure contains an incorrect command-line syntax.

The incorrect syntax line will be changed to the following and a new note will be added for clarification:

8. Import the root CA to the Identity Server using the following command:

certutil -d IdentityServer_install_dir\identity\oblix\config -A -n ldap -a -t "C,," -i root_ca_file

Note:

In the certutil command, the -t (trusted arguments) flag should be followed by the trust attributes that will be assigned to the certificate, enclosed in double-quotes.

5.9.13 Tuning Oracle Internet Directory for Oracle Access Manager

The Oracle Access Manager Installation Guide describes how to use the ldapmodify command to tune Oracle Internet Directory. However, if you tune Oracle Internet Directory 10.1.2 or earlier using the ldapmodify command as described in the chapter on installing the Identity Server, you will receive the following error message:

"Attribute orclinmemfiltprocess is not supported in schema."

The orclinmemfiltprocess attribute is not supported in the schema until Oracle Internet Directory 10.1.4. As a result, you cannot use the ldapmodify command to tune Oracle Internet Directory.

The next release of the Oracle Access Manager Installation Guide will make this clear.

5.9.14 Obtaining/Updating Sample Adapter and Mapping Templates for Oracle Virtual Directory

The chapter on integrating Oracle Virtual Directory with Oracle Access Manager in the Oracle Access Manager Installation Guide states that Oracle-provided sample adapter and mapping template files are available in the DNConversionToolkit and must be obtained and stored in the Oracle Virtual Directory Manager using the steps provided.

However, Oracle Virtual Directory 10.1.4 and later provides sample Oracle Access Manager templates and mappings out-of-the-box in Oracle Virtual Directory Manager. These sample adapter templates are available automatically in the Adapter Template list of Oracle Virtual Directory Manager.

The next release of the Oracle Access Manager Installation Guide will include the following information:

Oracle Virtual Directory 10.1.4 and later provides sample Oracle Access Manager templates and mappings out-of-the-box in Oracle Virtual Directory Manager. Depending on the Oracle Virtual Directory release you are using, proceed as follows:

  • Skip the topic "Obtaining/Updating Sample Adapter and Mapping Templates" if you are using Oracle Virtual Directory 10.1.4 and later, and instead proceed to the next applicable topic for your environment. Later in this chapter you will see how to use the adapter and mapping templates.

  • Continue with the information and steps in this topic if you are using a release of Oracle Virtual Directory before 10.1.4, or if you choose to use the sample adapter and mapping templates in the Oracle Access Manager distribution.

5.9.15 Typographical Error in the Solution for "The Login Form Appears Repeatedly"

The troubleshooting chapter of the Oracle Access Manager Access Administration Guide contains a typographical error in the solution for "The Login Form Appears Repeatedly." This will be corrected in the next release of the Oracle Access Manager Access Administration Guide.

Incorrect: To verify whether a user has a valid session, you can type the following in the browser's location:

javascript:altert(document.cookie)

Correct: To verify whether a user has a valid session, you can type the following in the browser's location:

javascript:alert(document.cookie)

5.9.16 Added Required Database User Privileges to Upload Schema in Oracle Access Manager Configuration Manager

The Oracle Access Manager Configuration Manager Installation and Administration Guide did not mention the privileges required by the database user to upload the Oracle Access Manager Configuration Manager schema after adding repository details.

The 10.1.4.2.0 version of the manual, available with Release 10.1.4 Patch Set 1 (10.1.4.2.0), will include the following information to correct this issue.

The Upload Schema button appears only when there is no Oracle Access Manager Configuration Manager schema present in the Oracle Database repository. For a successful schema upload, the database user needs the following system privileges: Create Table, Create Sequence, Create Trigger, and Create Procedure.

5.9.17 Added Audit File Renaming Steps to Oracle Access Manager Upgrade Guide

A new discussion is added to the release 10.1.4.2.0 Oracle Access Manager Upgrade Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0). The following new procedure describes how to rename audit file path names after upgrading multiple Identity Servers.

After upgrading Identity Servers from releases earlier than 7.0, you must perform this task to correct the path name of audit files. If you have upgraded from release 7.x, you can skip this activity.

When upgrading the master Identity Server and the schema and data from any release earlier than 7.0, the audit file name is changed by prefixing the path to the master Identity Server.

If your deployment includes multiple Identity Servers, the audit file name for each will be prefixed by the same Identity Server installation directory path as the Identity Server from which the data upgrade is performed. The result is that your original configuration is lost during the Identity Server upgrade. For example, suppose you have two Identity Server instances with audit files stored as follows:

D:\611\ois_one\identity\oblix\engine\auditfile_1.lst
D:\611\ois_two\identity\oblix\engine\auditfile_2.lst

After the upgrade, however, both audit files will be stored in the directory path of the master Identity Server (611\ois_one). For example:

D:\611\ois_one\identity\oblix\engine\auditfile_1.lst
D:\611\ois_one\identity\oblix\engine\auditfile_2.lst

To recover your audit files after upgrading multiple Identity Servers, you must perform the following task to change audit file paths to reflect the appropriate path to specific Identity Server instances.

To recover your original audit files after upgrading Identity Servers

  1. Go to the Identity System Console and log in as usual.

    http://hostname:port/identity/oblix
    

    where hostname refers to the machine that hosts the Web server; port refers to the HTTP port number of the WebPass Web server instance; and /identity/oblix connects to the Identity System Console.

  2. From the Identity System Console, click System Configuration, then click Identity Servers.

  3. Select the name of an upgraded Identity Server to display the information for this instance.

  4. Check the Audit File Name field, to see if the path name is correct.

    If the path name is correct, click Cancel and then repeat steps 3 and 4 to check the audit file path name for another instance. If the path name is not correct, proceed to step 5.

  5. Click the Modify button at the bottom of the page.

  6. On the Modify page, change the path name in the Audit File Name field to the correct path for this instance and then click Save. For example:

    From: D:\611\ois_one\identity\oblix\engine\auditfile_2.lst
    To: D:\611\ois_two\identity\oblix\engine\auditfile_2.lst

  7. Restart the Identity Server whose details you just updated.

  8. Repeat all steps in this procedure for each upgraded Identity Server instance.

5.9.18 Corrected Path Details for Oracle Virtual Directory Schema Files

The discussion on extending directory schemas in the Oracle Access Manager Installation Guide states the location of vde_user_schema_add.ldif and aduserschema.ldif files as being in the IdentityServer_install_dir\identity\oblix\tools\DNConversionToolkit\tools\DataAnyWhere\OblixUserSchema. The DNConversionToolkit was provided with release 10g (10.1.4.0.1). However, the following location is also available and was documented in a later version of the Oracle Access Manager Installation Guide:

IdentityServer_install_dir\identity\oblix\tools\DataAnyWhere\OblixUserSchema\vde_user_schema_add.ldif

IdentityServer_install_dir\identity\oblix\tools\DataAnyWhere\OblixUserSchema\aduserschema.ldif

5.9.19 Corrected LDAPModify Syntax for Oracle Virtual Directory

The discussion on extending directory schemas in the Oracle Access Manager Installation Guide omits the VDE_user_schema_add.ldif file name in the ldapmodify command syntax. The manual currently states the following syntax:

ldapmodify -h host -p port -D bind-dn -w password -a -f 

This syntax will be corrected as follows in the 10.1.4.2.0 version of the Oracle Access Manager Installation Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0):

ldapmodify -h host -p port -D bind-dn -w password -a -f VDE_user_schema_add.ldif

5.9.20 Added SSL Requirements When Upgrading Schema and Data with Master Access Manager

The Oracle Access Manager Upgrade Guide does not mention that SSL-enabled communication with the directory server might be a requirement for the master Access Manager component that is installed and used for the schema and data upgrade.

The following information is added to the chapter on preparing for schema and data upgrades in the release 10.1.4.2.0 Oracle Access Manager Upgrade Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0):

When your original Access Manager component is configured to use SSL-enabled communication with the directory server, the master that you add must also be configured to use SSL-enabled communication with the directory.

The following information is added to help you when troubleshooting data access issues in the release 10.1.4.2.0 Oracle Access Manager Upgrade Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0):

If you receive a "Cannot find <person> Object Class" error after upgrading the schema and data, the problem may be that the master Access Manager component used to upgrade the schema and data did not use the same transport security as the original component. When your original Access Manager component is configured to use SSL-enabled communication with the directory server, the master that you add must also be configured to use SSL-enabled communication with the directory.

5.9.21 Corrected Path Names for Schema Index Files in Oracle Access Manager Upgrade Guide

The Oracle Access Manager Upgrade Guide states an incorrect path when uploading the schema index files for Sun (formerly iPlanet) directory, Novell eDirectory (NDS), and Oracle Internet Directory after data migration. This will be corrected in the section on "Uploading Directory Server Index Files" in the 10.1.4.2.0 Oracle Access Manager Upgrade Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0).

The corrected paths are:

IdentityServer_install_dir/identity/oblix/data.ldap/common

PolicyManager_install_dir/access/oblix/data.ldap/common

5.9.22 Corrected Environment URL in Oracle Access Manager Configuration Manager Installation and Administration Guide

The description of the Environment URL in the chapter on migrating configuration data changes in the Oracle Access Manager Configuration Manager Installation and Administration Guide is incorrect and has been changed as described here.

Original Description

The Add Environment page provides fields where you can enter other information, including Environment Name, optional Description, Host Name and Port, Configuration DN, User DN, Password, and the URL for the LDAP Directory environment. When defining an environment name and description, you can use any combination of uppercase and lowercase alphanumeric characters, as well as spaces and punctuation.

Environment URL: The URL to the LDAP directory. For example:

http://141.144.74.35:3333/access/oblix/

Corrected Description

The Add Environment page provides fields where you can enter other information, including Environment Name, optional Description, Host Name and Port, Configuration DN, User DN, Password, and the (optional) URL for the relevant Oracle Access Manager deployment for this environment. When defining an environment name and description, you can use any combination of uppercase and lowercase alphanumeric characters, as well as spaces and punctuation.

Environment URL: The URL to the relevant Oracle Access Manager deployment for this environment. For example:

http://141.144.74.35:3333/access/oblix/

5.9.23 Missing Challenge Parameter "realmunique:yes"

After integrating Oracle Access Manager and Oracle SSO, and implementing global logout from Oracle SSO, logout does not remove the ObSSOCookie cookie. When the user clicks logout and then returns to the protected URL, the user is still logged in.

When using "Basic over LDAP" authentication, the browser will return the cached credential following a timeout. A new challenge parameter "realmunique:yes" was introduced in Oracle COREid 7.0.4.2 to correct the problem. However, the information is not described in recent manuals.

A future release of the Oracle Access Manager Integration Guide will include new information.

See Also:

Knowledge Base Note 443493.1

To access Knowledge Base Note 443493.1

  1. Go to My Oracle Support and log in as usual:

    https://support.oracle.com

  2. Click Knowledge (upper-left corner).

  3. In the Search Knowledge Base field (upper right corner), enter 443493.1.

  4. Click the title on the results page: After Integration of Oracle Access Manager and Oracle SSO Logout Does Not Rem...

  5. Review the article.

5.9.24 Misleading Title for Enabling Client Cert on IIS in Oracle Access Manager Installation Guide

The Oracle Access Manager Installation Guide provides a misleading title in the chapter on installing WebGate, Chapter 9.

Incorrect Title

Enabling SSL on the IIS Web Server

The correct title will appear in the 10.1.4.3.0 version of the book. The information has moved into a separate chapter on Installing Web Components with the IIS Web Server, Chapter 19.

Correct Title

Enabling Client Cert on the IIS Web Server

5.9.25 oblixCoreidServerDown has the Same Description as oblixCoreidServerFailure

The Oracle Access Manager Identity and Common Administration Guide chapter on SNMP Monitoring, provides the same description for both OBLIXCOREIDSERVERDOWN and OBLIXCOREIDSERVERFAILURE.

Incorrect

oblixCoreidServerDown

A trap generated when the SNMP Agent detects that the Identity Server is (potentially) Down. This trap contains the server ID, host name, and port.

oblixCoreidServerFailure

This trap is generated when the SNMP Agent detects that the Identity Server has failed. This trap contains the server ID, host name, and port.

Correct

oblixCoreidServerDown

A trap generated when the SNMP Agent detects that the Identity Server is (potentially) Down. This trap contains the server ID, host name, and port.

oblixCoreidServerFailure

This trap is generated when the SNMP Agent detects that the Identity Server has failed. This trap contains the server ID, host name, and port.

5.9.26 Syntax Correction in Oracle Access Manager Customization Guide

A syntax error has been corrected in Step 2 of the procedure "To import an Identity System XML file to work with its respective XSL stylesheet" in the Oracle Access Manager Customization Guide. $format=xmlnoxsy now reads &format=xmlnoxsl.

This information appears in the latest version of the book.

5.9.27 Clarification of unique_value_attrs in ldapreferentialintegrityparams.xml

The following additional information should appear in the description of unique_value_attrs in the table that describes ldapreferentialintegrityparams.xml in the Oracle Access Manager Customization Guide.

Note: Oracle Access Manager enforces uniqueness only for the attribute of Login semantic type. As a result, it appears that the product enforces uniqueness for the uid or samaccountname attribute.

The 'unique_value_attrs' parameter is only used in the context of Oracle Access Manager performing LDAP referential integrity. In certain referential integrity cases, Oracle Access Manager might need to delete and add the same entry with the updated DN. In such cases, unique_value_attrs identifies whether delete needs to happen first.

This information appears in the latest version of the book.

5.9.28 Clarification on Reconfiguring COREid Server and WebPass

The following additional step should be included in the Oracle Access Manager Deployment Guide chapter on "Migration". This new Step 4 in the procedure "To reconfigure COREid Server and WebPass" ensures that the COREid Server restarts after entries are deleted in the directory.

4. Locate and run setup_ois from the following file system directory path:

    IdentityServer_install_dir/identity/oblix/tools/start_setup_ois

    ./start_setup_ois -i IdentityServer_install_dir/identity/

This information appears in the latest version of the book.

5.9.29 Updating Novell eDirectory Schema Details

Information on updating the Novell eDirectory schema should appear in the Oracle COREid Access and Identity Installation Guide. The following information appears in the latest version of the book.

Details for Novell eDirectory

By default, the Oracle schema for Novell eDirectory does not support creating the oblix node (o=oblix,<config-dn>) under a domain node (for example, dc=us,dc=oracle,dc=com) during browser-based Identity System setup. This means that you cannot use a domain node as the configuration base during the browser-based Identity System setup. A workaround is provided in the Troubleshooting chapter, under "Novell eDirectory Issues" on page E-7.

When setting the searchbase to "dc=nc" during browser-based Identity System setup with Novell eDirectory, you must define the CONTAINMENT object under which the "o=Oblix" (oblixconfig) objectclass can exist. Within the schema for eDirectory, the oblixconfig objectclass can include "domain" as a possible CONTAINMENT object.

Workaround

The following workaround will appear in the "Troubleshooting" chapter of the 10.1.4.3 Oracle Access Manager Installation Guide:

During Identity Server installation, you are asked if you want to extend the directory server schema. At this point, you can browse the Identity Server's installation directory and locate the NDS_oblix_schema_add.ldif file. From a file editor, you can edit the CONTAINMENT for this objectclass to include "domain" using the following steps:

  1. When asked if you want to extend the directory schema during Identity Server installation, locate the NDS_oblix_schema_add.ldif file, as follows:

    IdentityServer_install_dir\identity\oblix\data.ldap\common\NDS_oblix_schema_add.ldif

  2. Open the NDS_oblix_schema_add.ldif in an editor and locate the 'oblixconfig' objectclass, which also defines the CONTAINMENT for this objectclass. For example:

    dn: cn=schema
    changetype: modify
    add: objectclasses
    objectclasses: ( 1.3.6.1.4.1.3831.0.1.2 NAME 'oblixconfig' SUP top
      STRUCTURAL MUST ( obpersonoc $ obsearchbase $ organizationName )
      MAY ( obsearchbasestr $ obgroupoc $ ... $ obver $ obduplicateAction )
      X-NDS_NAMING ( 'O' )
      X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit' 'country' 'locality' ) )

  3. Modify this entry to specify the 'domain' as one of the CONTAINMENT classes for the 'oblixconfig' objectclass. For example:

    dn: cn=schema
    changetype: modify
    add: objectclasses
    objectclasses: ( 1.3.6.1.4.1.3831.0.1.2 NAME 'oblixconfig' SUP top
      STRUCTURAL MUST ( obpersonoc $ obsearchbase $ organizationName )
      MAY ( obsearchbasestr $ obgroupoc $ ... $ obver $ obduplicateAction )
      X-NDS_NAMING ( 'O' )
      X-NDS_CONTAINMENT ( 'domain' 'organization' 'organizationalUnit' 'country' 'locality' ) )

  4. Save the modified schema file and continue with installation and browser-based setup.
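To make the Step 3 edit repeatable and checkable (for example, to confirm the file was patched before browser-based setup), here is an added Python helper that is not part of the Oracle guide. It assumes the LDIF folds long values with a leading-space continuation line, and it runs against a constructed, abbreviated copy of the oblixconfig entry rather than the real NDS_oblix_schema_add.ldif.

```python
import re

# Constructed sample, modelled on the oblixconfig entry shown in Step 2 above.
# The attribute lists are abbreviated; this is not the real NDS_oblix_schema_add.ldif.
SAMPLE_LDIF = """dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.3831.0.1.2 NAME 'oblixconfig' SUP top
  STRUCTURAL MUST ( obpersonoc $ obsearchbase $ organizationName )
  MAY ( obsearchbasestr $ obgroupoc $ obver $ obduplicateAction )
  X-NDS_NAMING ( 'O' )
  X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit' 'country' 'locality' ) )
"""

CONTAINMENT_RE = re.compile(r"X-NDS_CONTAINMENT\s*\(([^)]*)\)")


def unfold_ldif(text: str) -> str:
    """Join LDIF continuation lines (those starting with one space) onto the line above."""
    return text.replace("\n ", "")


def _objectclass_lines(ldif: str, name: str):
    """Yield (index, line) for every unfolded 'objectclasses:' line that defines NAME 'name'."""
    for idx, line in enumerate(unfold_ldif(ldif).splitlines()):
        if line.startswith("objectclasses:") and f"NAME '{name}'" in line:
            yield idx, line


def containment_classes(ldif: str, name: str = "oblixconfig") -> list[str]:
    """Return the X-NDS_CONTAINMENT class names for the objectclass, or [] if not found."""
    for _, line in _objectclass_lines(ldif, name):
        m = CONTAINMENT_RE.search(line)
        return re.findall(r"'([^']*)'", m.group(1)) if m else []
    return []


def add_containment(ldif: str, new_class: str = "domain", name: str = "oblixconfig") -> str:
    """Return the LDIF with new_class prepended to the objectclass's X-NDS_CONTAINMENT list.
    Idempotent: if the class is already listed, nothing changes. The output is unfolded
    (one physical line per objectclass definition), which is still valid LDIF."""
    lines = unfold_ldif(ldif).splitlines()
    for idx, line in _objectclass_lines(ldif, name):
        m = CONTAINMENT_RE.search(line)
        if m is None:
            raise ValueError(f"{name} has no X-NDS_CONTAINMENT clause")
        if new_class not in re.findall(r"'([^']*)'", m.group(1)):
            lines[idx] = (line[:m.start(1)] + f" '{new_class}'"
                          + m.group(1).rstrip() + " " + line[m.end(1):])
    return "\n".join(lines) + "\n"
```

Run containment_classes on the installed file after editing to verify that 'domain' is present before continuing with browser-based setup.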

5.9.30 Clarification in WebLogic Chapter of Oracle Access Manager Integration Guide

The following note is missing from the "Integration Architecture" section of the WebLogic chapter in the Oracle Access Manager Integration Guide.

Form-based authentication gives SSO between Oracle Access Manager and WebLogic applications. However, Basic Over LDAP authentication does not provide SSO.

The previous paragraph appears in the latest version of the book.

5.9.31 Policy Manager API Support Should Read Access Management Service

Oracle Access Manager manuals provide a table of product name changes in the "What's New" chapter. However, the chapter incorrectly states that the Access System Service (named AM Service State in Access System Console pages) was renamed to "Policy Manager API Support Mode". "Access System Service" was actually renamed to "Access Management Service". The latest Oracle Access Manager manuals contain the following correction in the "What's New" chapter.

Table 5-5 Product Name Changes

Item Was Is

Access System Service

AM Service State

Policy Manager API Support Mode

Access Management Service


The correction has also been made in the Oracle Access Manager Access Administration Guide, "Configuring WebGates and Access Servers" chapter as follows:

  • Access Server Configuration Parameters table

  • AccessGate Configuration Parameters table

5.9.32 Invalid URL Patterns in Policy

A URL pattern is an Access System-supported mechanism for identifying different resources of a certain type that are protected by a single policy. Patterns with the following attributes are invalid:

  • A '[' without a closing ']'

  • A '{' without a closing '}'

  • Unescaped '{' inside {}

  • Unescaped '/' inside [ ]

The following information has been added to the topic on "Invalid URL Patterns" in the chapter on protecting resources with policy domains in the Oracle Access Manager Access Administration Guide.

The following URL pattern is not recognized when it is included within {}:

{pattern_1, pattern_2, /.../cleanup.asp}

The URL pattern will only be recognized if it is used without {}:

/.../cleanup.asp

URL patterns within {} are designed for simple expressions such as the following:

a{ab,bc}b matches aabb and abcb
a{x*y,y?x}b matches axyb, axabayb, ayaxb, and so on

URL patterns within [] should not contain complex sub-expressions such as those starting with "/". For example:

[/.../cleanup.asp   OR    /c*/webservice/webservice.asp]

Instead, consider creating three separate policies:

  • /admin/*

  • /c*/webservice/webservice.asp

  • /.../cleanup.asp
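As an added illustration (not Oracle's own pattern parser), the following Python checker applies the four invalid-pattern rules listed above plus the note that an alternative starting with "/" inside {} is not recognized, and expands {} alternation the way the a{ab,bc}b example describes. Backslash escaping of the next character is an assumption, as is reporting the "/" inside {} case alongside the hard syntax errors.

```python
def pattern_errors(pattern: str) -> list[str]:
    """Check an Access System URL pattern against the invalid-pattern rules above.
    Returns the violations found; [] means the pattern is acceptable. A backslash
    (assumed escape) protects the next character, so '\\{' or '\\/' never trigger a rule."""
    errors: list[str] = []
    in_brace = in_bracket = False
    prev = ""                      # previous unescaped, non-blank character
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":              # escaped character: skip it entirely
            prev, i = "\\", i + 2
            continue
        if c == "{":
            if in_brace:
                errors.append(f"unescaped '{{' inside {{}} at offset {i}")
            in_brace = True
        elif c == "}":
            in_brace = False
        elif c == "[":
            in_bracket = True
        elif c == "]":
            in_bracket = False
        elif c == "/":
            if in_bracket:
                errors.append(f"unescaped '/' inside [] at offset {i}")
            elif in_brace and prev in ("{", ","):   # {a, /.../x.asp} is not recognized
                errors.append(f"alternative starting with '/' inside {{}} at offset {i}")
        if not c.isspace():
            prev = c
        i += 1
    if in_brace:
        errors.append("'{' without a closing '}'")
    if in_bracket:
        errors.append("'[' without a closing ']'")
    return errors


def expand_braces(pattern: str) -> list[str]:
    """Expand {a,b,...} alternation into the strings the pattern stands for, e.g.
    a{ab,bc}b -> ['aabb', 'abcb'] (the page's own example). Wildcards (* ?) are kept."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    end = pattern.find("}", start)
    if end == -1:
        raise ValueError("'{' without a closing '}'")
    alternatives = [a.strip() for a in pattern[start + 1:end].split(",")]
    return [pattern[:start] + alt + rest
            for alt in alternatives for rest in expand_braces(pattern[end + 1:])]
```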

5.9.33 Update for Apache v2 for WebGate on UNIX with the mpm_worker_module

The troubleshooting chapter of the Oracle Access Manager Installation Guide provides instructions to compile Apache v2.0 for WebGate on UNIX with the mpm_worker_module. This should be done only for the Apache 2.0 WebGate. During the update, you will modify the thread.c file from the Apache source for the UNIX environment.

The following note should be added.

Note:

Apache v2.1 on Linux does not support the ThreadStackSize directive.

See Also:

"Apache v2 on UNIX with the mpm_worker_module for WebGate" in the troubleshooting chapter of the latest Oracle Access Manager Installation Guide