36 Oracle Identity Manager

This chapter describes issues associated with Oracle Identity Manager. It includes the following topics:

36.1 Patch Requirements for Oracle Database 11g (11.1.0.7)

The following patches are required for Oracle Identity Manager 11g Release 1 (11.1.1) configurations that use Oracle Database 11g (11.1.0.7). Before you configure Oracle Identity Manager 11g, be sure to apply the patches described in Table 36-1 to your Oracle Database 11g (11.1.0.7) database.

Note:

On Windows, rather than applying the individual patches listed in Table 36-1, you can apply only Patch 8689199 to resolve all issues. The description of patch 8689199 on My Oracle Support is "ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS (64-BIT AMD64 AND INTEL EM64T)."

Table 36-1 Required Patches for Oracle Database 11g (11.1.0.7)

Patch Number on My Oracle Support    Description and Purpose

7614692    The description of this patch on My Oracle Support is "BULK FEATURE WITH 'SAVE EXCEPTIONS' DOES NOT WORK IN ORACLE 11G". The equivalent patch for the Windows platform is 8416539.

7000281    The description of this patch on My Oracle Support is "DIFFERENCE IN FORALL STATEMENT BEAHVIOUR IN 11G." The equivalent patch for the Windows platform is 7375105.

8327137    The description of this patch on My Oracle Support is "WRONG RESULTS WITH INLINE VIEW AND AGGREGATION FUNCTION." The equivalent patch for the Windows platform is 8451592.

8617824    The description of this patch on My Oracle Support is "MERGE LABEL REQUEST ON TOP OF 11.1.0.7 FOR BUGS 7628358 7598314." This patch includes patches 7598314 and 7628358, which were previously required for an Oracle Identity Manager database.


36.1.1 Obtaining Patches and Support Documents From My Oracle Support (Formerly OracleMetaLink)

To obtain a patch, log in to My Oracle Support (formerly OracleMetaLink) using the following URL, click Patches and Updates, and search for the patch number:

http://metalink.oracle.com/

To obtain a support note or document, log in to My Oracle Support and enter the support note number in the Quick Find search field at the top of the My Oracle Support window and search the Knowledge Base for the note number.

36.2 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

36.2.1 Browser Timezone Not Displayed

Due to an ADF limitation, the browser timezone is currently not accessible to Oracle Identity Manager. Oracle Identity Manager bases the timezone information in all date values on the server's timezone. Consequently, end users will see timezone information in the date values, but the timezone value will display the server's timezone.

36.2.2 Date Format Change in the SoD Timestamp Field Not Supported

The date-time value that end users see in the Segregation of Duties (SoD) Check Timestamp field on the SoD Check page will always display as "YYYY-MM-DD hh:mm:ss" and this format cannot be localized.

To work around this localization issue, perform the following steps:

  1. Open the "Oracle_eBusiness_User_Management_9.1.0.1.0/xml/Oracle-eBusinessSuite-TCA-Main-ConnectorConfig.xml" file.

  2. In the EBS Connector import XML, locate the SoDCheckTimeStamp field for the Process Form. Change <SDC_FIELD_TYPE> to 'DateFieldDlg' and change <SDC_VARIANT_TYPE> to 'Date' as shown in the following example:

     <FormField name="UD_EBST_USR_SODCHECKTIMESTAMP">
         <SDC_UPDATE>!Do not change this field!</SDC_UPDATE>
         <SDC_LABEL>SoDCheckTimestamp</SDC_LABEL>
         <SDC_VERSION>1</SDC_VERSION>
         <SDC_ORDER>23</SDC_ORDER>
         <SDC_FIELD_TYPE>DateFieldDlg</SDC_FIELD_TYPE>
         <SDC_DEFAULT>0</SDC_DEFAULT>
         <SDC_ENCRYPTED>0</SDC_ENCRYPTED>
         <!--SDC_SQL_LENGTH>50</SDC_SQL_LENGTH-->
         <SDC_VARIANT_TYPE>Date</SDC_VARIANT_TYPE>
     </FormField>

  3. Import the Connector.

  4. Enable SoD Check.

  5. Provision the EBS Resource with entitlements to trigger an SoD Check.

  6. Check the SoDCheckTimeStamp field in Process Form to confirm it is localized like the other date fields in the form.
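The following Python script is an added example and is not part of the connector, Oracle Identity Manager or its documentation. It applies the two changes from step 2 to a connector configuration file programmatically and reads the values back so the edit can be verified before the connector is imported. Only the FormField name and the two target values come from the workaround above; the <xl-ddm-data> root, the <Form> wrapper and the pre-change values TextField and String in the embedded sample are assumptions for this example. Comments are kept while parsing because the real file carries commented-out elements such as SDC_SQL_LENGTH that must survive the edit.

```python
import xml.etree.ElementTree as ET

TARGET_FIELD = "UD_EBST_USR_SODCHECKTIMESTAMP"
REQUIRED_VALUES = {"SDC_FIELD_TYPE": "DateFieldDlg", "SDC_VARIANT_TYPE": "Date"}

# Constructed sample standing in for the connector configuration file. The
# <xl-ddm-data> root, the <Form> wrapper and the pre-change values TextField
# and String are assumptions for this example; the FormField name and the
# two target values are the ones given in the workaround.
SAMPLE_CONFIG = """<xl-ddm-data>
  <Form name="UD_EBST_USR">
    <FormField name="UD_EBST_USR_SODCHECKTIMESTAMP">
      <SDC_UPDATE>!Do not change this field!</SDC_UPDATE>
      <SDC_LABEL>SoDCheckTimestamp</SDC_LABEL>
      <SDC_VERSION>1</SDC_VERSION>
      <SDC_ORDER>23</SDC_ORDER>
      <SDC_FIELD_TYPE>TextField</SDC_FIELD_TYPE>
      <SDC_DEFAULT>0</SDC_DEFAULT>
      <SDC_ENCRYPTED>0</SDC_ENCRYPTED>
      <!--SDC_SQL_LENGTH>50</SDC_SQL_LENGTH-->
      <SDC_VARIANT_TYPE>String</SDC_VARIANT_TYPE>
    </FormField>
  </Form>
</xl-ddm-data>
"""


def _parse(xml_text):
    # insert_comments=True keeps <!-- ... --> nodes; the default parser drops
    # them, which would silently remove the commented-out SDC_SQL_LENGTH.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _find_field(root):
    field = root.find(".//FormField[@name='%s']" % TARGET_FIELD)
    if field is None:
        raise ValueError("FormField %s not found" % TARGET_FIELD)
    return field


def localize_sod_timestamp(xml_text):
    """Return the configuration with the SoD timestamp field switched to a date type."""
    root = _parse(xml_text)
    field = _find_field(root)
    for tag, value in REQUIRED_VALUES.items():
        elem = field.find(tag)
        if elem is None:
            raise ValueError("%s has no %s element" % (TARGET_FIELD, tag))
        elem.text = value
    return ET.tostring(root, encoding="unicode")


def sod_timestamp_types(xml_text):
    """Return (SDC_FIELD_TYPE, SDC_VARIANT_TYPE) of the SoD timestamp field."""
    field = _find_field(_parse(xml_text))
    return field.findtext("SDC_FIELD_TYPE"), field.findtext("SDC_VARIANT_TYPE")


def is_localized(xml_text):
    """True when both fields already carry the values the workaround requires."""
    return sod_timestamp_types(xml_text) == (
        REQUIRED_VALUES["SDC_FIELD_TYPE"], REQUIRED_VALUES["SDC_VARIANT_TYPE"])


if __name__ == "__main__":
    updated = localize_sod_timestamp(SAMPLE_CONFIG)
    print("before:", sod_timestamp_types(SAMPLE_CONFIG), "localized:", is_localized(SAMPLE_CONFIG))
    print("after: ", sod_timestamp_types(updated), "localized:", is_localized(updated))
    # For the real file: read its text, pass it through localize_sod_timestamp,
    # and write the result back before importing the connector.
```

Run is_localized against the file after the edit; it returns False until both SDC_FIELD_TYPE and SDC_VARIANT_TYPE carry the required values, so a half-applied change is caught before import.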

36.2.3 Bulk Loading CSV Files with UTF-8 BOM Encoding Not Supported

Bulk loading a CSV file for which UTF-8 BOM (byte order mark) encoding is specified causes an error. However, bulk-loading UTF-8 encoded CSV files works as expected if you specify "no BOM" encoding.

To work around this issue:

  • If you want to load non-ASCII data, you must change your CSV file encoding to "UTF-8 no BOM" before loading the CSV file.

  • If your data is stored in CSV files with "UTF-8 BOM" encoding, you must change them to "UTF-8 no BOM" encoding before running the bulkload script.
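The following Python script is an added example, not part of the Bulkload utility or Oracle's documentation. It detects the UTF-8 byte order mark on a CSV file, shows why a file that carries one is not the same as a "UTF-8 no BOM" file even though the visible text is identical, and rewrites the file without the BOM before the bulkload script is run. The embedded CSV content is constructed for the example.

```python
import codecs
import csv
import io

UTF8_BOM = codecs.BOM_UTF8  # the three bytes EF BB BF

# Constructed sample: a small users CSV saved as "UTF-8 BOM". The header row
# and the single data row are made up for this example.
SAMPLE_CSV_WITH_BOM = UTF8_BOM + (
    "User Login,First Name,Last Name\n"
    "JDOE,José,Doe\n"
).encode("utf-8")


def has_utf8_bom(data):
    """True if the byte string starts with the UTF-8 byte order mark."""
    return data.startswith(UTF8_BOM)


def strip_utf8_bom(data):
    """Return the bytes as 'UTF-8 no BOM'; the record content is untouched."""
    return data[len(UTF8_BOM):] if has_utf8_bom(data) else data


def header_columns(data):
    """Decode the CSV as UTF-8 and return its header row.

    A BOM left in place decodes to the character U+FEFF glued to the first
    column name, so a consumer that matches columns by name sees a header
    that differs from 'User Login' even though it looks the same on screen."""
    reader = csv.reader(io.StringIO(data.decode("utf-8")))
    return next(reader)


def prepare_for_bulkload(src_path, dst_path):
    """Write src_path to dst_path as UTF-8 without BOM; return True if a BOM was removed."""
    with open(src_path, "rb") as src:
        data = src.read()
    with open(dst_path, "wb") as dst:
        dst.write(strip_utf8_bom(data))
    return has_utf8_bom(data)


if __name__ == "__main__":
    print("BOM present:", has_utf8_bom(SAMPLE_CSV_WITH_BOM))
    print("first header with BOM:   ", repr(header_columns(SAMPLE_CSV_WITH_BOM)[0]))
    print("first header without BOM:", repr(header_columns(strip_utf8_bom(SAMPLE_CSV_WITH_BOM))[0]))
```

Point prepare_for_bulkload at the CSV file and a new output path, then run the bulkload script against the output file; the non-ASCII data (here "José") is preserved byte for byte because only the three leading bytes are removed.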

36.2.4 Date Type Attributes are Not Supported for the Default Scheduler Job, "Job History Archival"

The default Scheduler job, "Job History Archival," does not support date type attributes.

The "Archival Date" attribute parameter in "Job History Archival" only accepts string patterns such as "ddMMyyyy" and "MMM DD, yyyy."

When you run a Scheduler job, the code checks the date format. If you enter the wrong format, an error similar to the following example displays in the execution status list and in the log console:

<IAM-1020063> <Incorrect format of Archival Date parameter. Archival Date is expected in DDMMYYYY or UI Date format.>

The job cannot run successfully until you input the correct Archival Date information.

36.2.5 Default Object Administrators Are Not Available for Imported Resource Objects

When you create a resource using the Design Console, Oracle Identity Manager adds approximately 23 default roles as "Administrators." However, when you import a resource, only the default "System Administrator" role is available.

Oracle Identity Manager only associates imported resources with the "System Administrator" role, so just the one relationship with the "System Administrator" role is imported with the resource.

To work around this issue, you (or a Resource Administrator) must manually add the additional roles based on your requirements.

36.2.6 How to Generate an Audit Snapshot after Bulk-Loading Users or Accounts

The GenerateSnapshot.[sh|bat] option does not work correctly when invoked from the Bulkload utility.

To work around this issue and generate a snapshot of the initial audit after bulk loading users or accounts, you must run GenerateSnapshot.[sh|bat] from the $OIM_HOME/bin/ directory.

36.2.7 Low File Limits Prevent Adapters from Compiling

On machines where the file limits are set too low, trying to create and compile an entity adapter causes a "Too many open files" error and the adapter will not compile.

To work around this issue, change the file limits on your machine to the following (located in /etc/security/limits.conf) and then restart the machine:

  • soft nofile 4096

  • hard nofile 4096
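The following Python script is an added example, not part of Oracle Identity Manager or its documentation. It parses the nofile entries of a limits.conf file, resolves the soft and hard limit that apply to a given user, checks them against the 4096 required above, and reports the limit the current process is actually running with. Note that each limits.conf line begins with a domain column (a user name, a group as @name, or * for everyone) ahead of the type, item and value; the embedded sample is constructed and shows an "oracle" user whose hard limit was raised while the soft limit is still inherited from the wildcard entry. The user name "oracle" is an assumption of the example.

```python
import resource

REQUIRED_NOFILE = 4096

# Constructed sample of /etc/security/limits.conf. The "oracle" user gets a
# raised hard limit but inherits the wildcard soft limit of 1024, which is
# the kind of half-done change that still produces "Too many open files".
SAMPLE_LIMITS_CONF = """# /etc/security/limits.conf
#<domain>      <type>  <item>         <value>
*               soft    nproc          2047
*               soft    nofile         1024
oracle          hard    nofile         4096
"""


def parse_nofile_limits(text):
    """Return {(domain, 'soft'|'hard'): value} for every nofile line.

    A type of '-' in limits.conf sets both the soft and the hard limit."""
    limits = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[2] != "nofile":
            continue
        domain, ltype, _item, value = parts
        types = ("soft", "hard") if ltype == "-" else (ltype,)
        for t in types:
            limits[(domain, t)] = value
    return limits


def effective_nofile(user, limits):
    """Resolve (soft, hard) for a user: a line for the user beats the '*' default.

    Group entries (@name) are not resolved here; add the user's groups to the
    lookup order if your file relies on them."""
    def pick(ltype):
        for domain in (user, "*"):
            if (domain, ltype) in limits:
                return limits[(domain, ltype)]
        return None
    return pick("soft"), pick("hard")


def meets_requirement(soft, hard, required=REQUIRED_NOFILE):
    """True only when both values are set and at least the required number."""
    return all(v is not None and v.isdigit() and int(v) >= required
               for v in (soft, hard))


def current_process_nofile():
    """(soft, hard) RLIMIT_NOFILE of this process, i.e. what a compile started
    from this shell inherits; compare it with REQUIRED_NOFILE on the OIM host."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


if __name__ == "__main__":
    parsed = parse_nofile_limits(SAMPLE_LIMITS_CONF)
    soft, hard = effective_nofile("oracle", parsed)
    print("oracle nofile: soft=%s hard=%s ok=%s" % (soft, hard, meets_requirement(soft, hard)))
    print("this process:", current_process_nofile())
```

Read the real file with open("/etc/security/limits.conf").read() in place of the sample. The check against the running process matters because limits.conf is applied at login through PAM, so a shell opened before the change, or a service not started through PAM, keeps the old limit until the machine is restarted as the workaround says.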

36.2.8 Reconciliation Engine Requires Matching Rules

Currently, Oracle Identity Manager's Reconciliation Engine in 11g Release 1 (11.1.1) requires you to define a matching rule to identify the users for every connector in reconciliation. Errors will occur during reconciliation if you do not define a matching rule to identify users.

36.2.9 SPML Requests Do Not Report When Any Date is Specified in Wrong Format

When any date, such as activeStartDate, hireDate, and so on, is specified in an incorrect format, the Web server does not pass those values to the SPML layer. Only valid dates are parsed and made available to SPML. Consequently, any date in an SPML request that is in an invalid format is ignored and is not available for that operation. For example, if you specify the HireDate month as "8" instead of "08," the HireDate will not be populated after the Create request is completed and no error message is displayed.

The supported date format is:

yyyy-MM-dd hh:mm:ss.fffffffff

No other date format is supported.
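Because a badly formatted date is dropped here without any error, and the Archival Date parameter in 36.2.4 is rejected with one, the safe habit is to validate date strings before they are submitted. The following Python script is an added example, not part of Oracle Identity Manager or its documentation; it validates the ddMMyyyy pattern of the Archival Date parameter and the yyyy-MM-dd hh:mm:ss.fffffffff format of SPML dates, and lists the date attributes of an SPML request that would be silently ignored. The SPML attribute values and the set of attribute names are constructed from the two examples on this page; treating "hh" as a 24-hour field is an assumption of the example.

```python
import re
from datetime import datetime

# Date attributes named in 36.2.9; extend the set with any other SPML date
# attribute your requests carry (the page says "and so on").
SPML_DATE_ATTRIBUTES = {"activeStartDate", "hireDate"}

# yyyy-MM-dd hh:mm:ss.fffffffff: one to nine fractional digits. Reading "hh"
# as a 00-23 hour field is an assumption of this example.
SPML_TIMESTAMP_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{1,9})$")

# Constructed SPML attribute set: the hireDate month is written "8" instead of
# "08", the exact case described in 36.2.9.
SAMPLE_SPML_ATTRIBUTES = {
    "hireDate": "2010-8-01 00:00:00.0",
    "activeStartDate": "2010-08-01 00:00:00.0",
    "surname": "Doe",
}


def valid_archival_date(value):
    """True if value is a calendar date in the ddMMyyyy pattern of 36.2.4, e.g. 31012010.

    The pattern is matched exactly (eight digits) and then checked as a real
    date, so '3112010' (day not zero-padded) and '29022010' (2010 is not a
    leap year) are both rejected. The "MMM DD, yyyy" pattern depends on the
    locale's month names and is not handled here."""
    if not re.fullmatch(r"\d{8}", value):
        return False
    try:
        datetime.strptime(value, "%d%m%Y")
    except ValueError:
        return False
    return True


def valid_spml_timestamp(value):
    """True if value matches yyyy-MM-dd hh:mm:ss.fffffffff and is a real instant."""
    m = SPML_TIMESTAMP_RE.match(value)
    if not m:
        return False
    year, month, day, hour, minute, second = (int(g) for g in m.groups()[:6])
    try:
        datetime(year, month, day, hour, minute, second)
    except ValueError:   # e.g. month 13, February 30, hour 24
        return False
    return True


def rejected_spml_dates(attributes):
    """Names of date attributes the SPML layer would drop without an error."""
    return [name for name, value in attributes.items()
            if name in SPML_DATE_ATTRIBUTES and not valid_spml_timestamp(value)]


if __name__ == "__main__":
    print("Archival Date 31012010:", valid_archival_date("31012010"))
    print("Archival Date 3112010: ", valid_archival_date("3112010"))
    print("dates the SPML layer would ignore:", rejected_spml_dates(SAMPLE_SPML_ATTRIBUTES))
```

Run rejected_spml_dates over the attribute map of each request before sending it; a non-empty result means the Create request would complete with those attributes left unpopulated and nothing in the response to say so.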

36.2.10 Logs Populated with SoD Exceptions When the SoD Message Fails and Gets Stuck in the Queue

SoD functionality uses JMS-based processing. Oracle Identity Manager submits a message to the oimSODQueue for each SoD request. If for some reason an SoD message always results in an error, Oracle Identity Manager never processes the next message in the oimSODQueue. Oracle Identity Manager always picks the same error message for processing until you delete that message from the oimSODQueue.

To work around this issue, use the following steps to edit the queue properties and to delete the SoD message in oimSODQueue:

  1. Log on to the WebLogic Admin Console at http://<hostname>:<port>/console

  2. From the Console, select Services, Messaging, JMS Modules.

  3. Click OIMJMSModule. All queues will be displayed.

  4. Click oimSODQueue.

  5. Select the Configurations, Delivery Failure tabs.

  6. Change the retry count so that the message can only be submitted a specified number of times.

  7. Change the default Redelivery Limit value from -1 (which means infinite) to a specific value. For example, if you specify 1, the message will be submitted only once.

  8. To review and delete the SoD error message, go to the Monitoring tab, select the message, and delete it.

36.2.11 SoD Check Field Values Do Not Get Mapped from Request Dataset to Process Form in SAP UM

SoD Check field values do not get mapped from the request dataset to the process form in the SAP Connector because the SoD Check fields defined in the common dataset expect different labels than those currently provided in the connector.

To work around this issue, you must change the Process Form field labels in the SAP Connector to the following values:

  • SoDCheckStatus

  • SoDCheckTrackingID

  • SoDCheckResult

  • SoDCheckTimestamp

  • SoDCheckEntitlementViolation

36.2.12 Underscore Character Cannot Be Used When Searching for Resources

When you are searching for a resource object, do not use an underscore character (_) in the resource name. The search feature ignores the underscore and consequently does not return the expected results.

36.2.13 Assign to Administrator Action Rule is Not Supported by Reconciliation

Reconciliation does not support the Assign to Administrator Action rule.

To work around this issue, change the Assign to Administrator to None in the connector XML before importing the connector. However, after changing the value to None, you cannot revert to Assign to Administrator.

36.2.14 Some Buttons on Attestation Screens Do Not Work in Firefox

If you are creating attestations in a Firefox Web browser and you click certain buttons, nothing happens.

To work around this issue, click the Refresh button to refresh the page.

36.2.15 The maxloginattempts System Property Causes Autologin to Fail When User Tries to Unlock

WLS Security Realm has a default lock-out policy that locks out users for some time after several unsuccessful login attempts. This policy can interfere with the locking and unlocking functionality of Oracle Identity Manager.

To prevent the WLS Security Realm lock-out policy from affecting the lock/unlock functionality of Oracle Identity Manager, you must set the 'Lockout Threshold' value in the WLS 'User Lockout Policy' to at least 5 more than the value in Oracle Identity Manager. For example, if the value in Oracle Identity Manager is set to 10, you must set the WLS 'Lockout Threshold' value to 15.

To change the default values for the 'User lockout Policy,' perform the following steps:

  1. Open the WebLogic Server Administrative Console.

  2. Select Security Realms, REALM_NAME.

  3. Select the User Lockout tab.

  4. If configuration editing is not enabled, then click the Lock and Edit button to enable configuration editing.

  5. Change the value of lockout threshold to the required value.

  6. Click Save to save the changes.

  7. Click Activate to activate your changes.

  8. Restart all the servers in the domain.

36.2.16 "<User not found>" Error Message Appears in AdminServer Console While Setting-Up an Oracle Identity Manager-Oracle Access Manager Integration

When you set up Oracle Identity Manager-Oracle Access Manager Integration with a JAVA agent and log into the Admin Server Console, a "<User not found>" error message is displayed. This message displays even when the login is successful.

36.2.17 Using a Single Quote in Request Matching Rule Causes Reconciliation to Fail

If you use single quotes in a Request Matching rule (for example, 'B'1USER1'), reconciliation will fail with an exception.

36.2.18 Do Not Use Roles with Special Characters in JDev

Due to a limitation in SOA Infrastructure, do not use special characters such as commas (,) in role names, group names, or container descriptions when reconciling roles from LDAP. Oracle Identity Manager's internal code uses special characters as delimiters. For example, Oracle Identity Manager uses commas (,) as approver delimiters and the SOA HWF-level global configuration uses commas as assignee delimiters.

36.2.19 SoD Check During Request Provisioning Fails While Using SAML Token Client Policy When Default SoD Composite is Used

When the Default SoD Check composite is used and an SoD check is performed during request provisioning, the check fails and the following error is displayed on the SOA console:

SEVERE: FabricProviderServlet.handleException Error during retrieval of test page or composite resourcejavax.servlet.ServletException: java.lang.NullPointerException

This happens when the callback carrying the SoD check results is made from OIM to SOA.

To resolve this issue, apply patch 9819201 on the SOA server. You can obtain patch 9819201 from My Oracle Support. The description of this patch on My Oracle Support is "ERROR WHILE USING SAML TOKEN CLIENT POLICY FOR CALLBACK."

For more information, refer to Obtaining Patches and Support Documents From My Oracle Support (Formerly OracleMetaLink).

36.2.20 Error While Starting Remote Manager on AIX

When you start Remote Manager on AIX by running the remotemanager.sh script from Oracle_IDM1/remote_manager, the following error is shown:

Class/Method: RMISSLServerSocketFactory/createServerSocket Remote Manager server socket port is 12346
Exception in thread "main" java.lang.NoClassDefFoundError: com.sun.net.ssl.SSLContext

To work around this issue, perform the following steps after installing the remote manager:

  1. Open Oracle_IDM1/remote_manager/config/xlconfig.xml.

  2. Change the value for KeyManagerFactory from SUNX509 to IBMX509.

When you create an IT Resource with the Type set to Remote Manager by selecting the Create an IT Resource option in the OIM application, the following error is seen:

<XELLERATE.WEBAPP> <BEA-000000> <Class/Method: tcAction/execute encounter some problems:
javax.servlet.ServletException: java.lang.NoClassDefFoundError: com/sun/net/ssl/SSLContext>

To work around this issue, perform the following steps:

  1. Log in to Enterprise Manager:

    http://adminhostname:adminport/em
    
  2. Right-click on Domains, select Base domain, select cluster, and then select oim_server1.

  3. Select System MBean Browser, select oracle.iam, select Server: oim_server1, select Application: oim, select XMLConfig, select Config, select XMLConfig.RemoteManager, and then select RemoteManager.

  4. Change the value for KeyManagerFactory from SUNX509 to IBMX509.

  5. Click Apply.

  6. Restart the oim_server.

36.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

36.3.1 ADF Issue Causes Oracle Identity Manager to Fail on the Sun JDK

Due to an ADF issue, using the Oracle Identity Manager application with the Sun JDK causes a StringIndexOutOfBoundsException error. To work around this issue, add the following option to the DOMAIN_HOME/bin/setSOADomainEnv.sh or the setSOADomainEnv.cmd file:

  1. Open the DOMAIN_HOME/bin/setSOADomainEnv.sh or setSOADomainEnv.cmd file.

  2. Add the -XX:-UseSSE42Intrinsics line to the JVM options.

  3. Save the setSOADomainEnv.sh or setSOADomainEnv.cmd file.

    Note:

    This error does not occur when you use JRockit.

36.4 Multi-Language Support Issues and Limitations

This section describes multi-language issues and limitations. It includes the following topics:

36.4.1 Multi-language Valued Attributes in SPML and Oracle Identity Manager Do Not Match

Oracle Identity Manager supports only the Display Name attribute for multi-language values. SPML specifies additional attributes, such as commonName and surname, as multi-language valued in the PSO schema. When multiple locale-values are specified in an SPML request for one of these attributes, only a single value is picked and passed to Oracle Identity Manager. The request will not fail and a warning message identifying the attributes and the value that was passed to Oracle Identity Manager is provided in the response.

36.4.2 Login Names with Some Special Characters May Fail to Register

In Oracle Identity Manager, the user login name is case-insensitive. When a user is created, the login name is converted to upper case and saved in the database. The password, however, is always case-sensitive. Login names containing some special characters may cause an error when they are registered in Oracle Identity Manager:

  • Both the Greek characters σ (sigma) and ς (final sigma) map to the Σ character.

  • Both the English character i and the Turkish character ı map to the I character.

  • Both the German character ß and the English string SS map to the SS string.

This means that two user login names that differ only in these special characters cannot both be created. For example, the user login names Johnß and JohnSS map to the same user login name. If Johnß already exists, then creation of JohnSS is not allowed because both the ß character and the SS string map to the SS string.
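The following Python script is an added example, not part of Oracle Identity Manager or its documentation. It reproduces the upper-casing described above with Python's str.upper(), which applies the same Unicode full case mapping (ß to SS, σ and ς to Σ, ı to I), and uses it to check a candidate login against existing ones before a create request is sent, so the collision is found by the caller rather than reported as an error by the server. The same folding is why a search that compares upper-cased values treats ß and ss as equal (see 36.4.11). The list of existing logins is constructed for the example.

```python
# Constructed directory of existing login names; the page's own example
# "Johnß" is among them.
EXISTING_LOGINS = ["Johnß", "maria.garcia", "Johnσ"]


def canonical_login(login):
    """Fold a login name the way 36.4.2 describes: converted to upper case.

    Python's str.upper() applies the Unicode full case mapping, so it
    reproduces all three collisions listed above: ß -> SS, σ and ς -> Σ,
    and ı -> I (alongside the ASCII i -> I)."""
    return login.upper()


def find_collision(new_login, existing_logins):
    """Return the existing login that folds to the same value as new_login, or None.

    The comparison is on the folded form, so the existing login may look
    nothing like the one being created (Johnß versus JohnSS)."""
    target = canonical_login(new_login)
    for existing in existing_logins:
        if canonical_login(existing) == target:
            return existing
    return None


def folded_length_grows(login):
    """True when folding lengthens the string (ß -> SS adds a character),
    which matters for length limits on the stored upper-cased login."""
    return len(canonical_login(login)) > len(login)


if __name__ == "__main__":
    for candidate in ("JohnSS", "Johnς", "johnı", "jsmith"):
        print(candidate, "->", canonical_login(candidate),
              "collides with:", find_collision(candidate, EXISTING_LOGINS))
```

Feed find_collision the list of existing login names from the directory being loaded (for example the User Login column of a bulkload CSV) to find these pairs before the load runs rather than one failed row at a time.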

36.4.3 The Create Role, Modify Role, and Delete Role Request Templates are Not Available for Selection in the Request Templates List

The Create Role, Modify Role, and Delete Role request templates are not available in the Request Templates list of the Create Request wizard. This is because request creation by using any request template that is based on the Create Role, Modify Role, or Delete Role request model is supported from the APIs, but not in the UI. However, you can search for these request templates in the Request Templates tab. In addition, the Create Role, Modify Role, and Delete Role request models can be used to create approval policies and new request templates.

36.4.4 Parameter Names and Values for Scheduled Jobs are Not Translated

In the Create Job page of Oracle Identity Manager Advanced Administration, the fields in the Parameter section and their values are not translated. The parameter field names and values are available only in English.

36.4.5 Bidirectional Issues for Legacy User Interface

The following are known issues in the legacy user interface, also known as TransUI, contained in the xlWebApp war file:

  • Hebrew bidirectional is not supported

  • Workflow designer bidirectional is not supported for Arabic and Hebrew

36.4.6 Localization of Role Names, Role Categories, and Role Descriptions Not Supported

Localization of role names, categories, and descriptions is not supported in this release.

36.4.7 Localization of Task Names in Provisioning Task Table Not Supported

All Task Name values in the Provisioning Task table list are hard-coded and these pre-defined process task names are not localized.

36.4.8 Localization of Search Results of Scheduled Tasks Not Supported

When you search Scheduler Tasks using a Simple or Advanced search, the search results are not localized.

36.4.9 Searching for User Login Names Containing Certain Turkish Characters Causes an Error

On the Task Approval Search page, if you select "View Tasks Assigned To", then "Users You Manage", and then choose a user whose login name contains a Turkish undotted "ı" or a Turkish dotted "İ" character, a User Not Found error will result.

36.4.10 Localization of Notification Template List Values for Available Data Not Supported

Localizing Notification Template Available Data list values is not supported in this release. Oracle Identity Manager depends upon the Velocity framework to merge tokens with actual values, and Velocity framework does not allow a space in token names.

36.4.11 Searching for Entity Names Containing German "ß" (Beta) Character Fails in Some Features

When you search for entity names containing the special German "ß" (beta) character from the Admin Console, the search fails in the following features:

  • System Configuration

  • Request Template

  • Approve Policy

  • Notification

In these features, the "ß" character matches "ss" instead of itself. Consequently, the Search function cannot find entity names that contain the German beta character.

36.4.12 Special Asterisk (*) Character Not Supported

Although special characters are supported in Oracle Identity Manager, using the asterisk character (*) can cause some issues. You are advised not to use the asterisk character when creating or modifying user roles and organizations.

36.4.13 Translated Error Messages Are Not Displayed in UI

Oracle Identity Manager does not support custom resource bundles for Error Message display in user interfaces. Currently, there is no workaround for this issue.

36.4.14 Reconciliation Table Data Strings are Hard-coded on Reconciliation Event Detail Page

Some of the table data strings on the Reconciliation Event Detail page are hard-coded, customized field names. These strings are not localized.

36.5 Documentation Errata

Currently, there are no documentation issues to note.