Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
Release 11g (11.1.1)
Part Number E14568-02
This chapter describes common troubleshooting issues and tips to resolve them.
Importing large policy ZIP files
Question/Problem: I tried to import a large policy ZIP file that contains many policies (the file size is larger than 1MB), but the import failed. The log file does not show any errors. How can I import this file?
Answer/Solution: If OAAM Admin is installed on the Windows platform, you must create a \tmp folder in the drive where you have installed WebLogic.
For example, if the WebLogic domain is on the C drive, you must create a
This folder will be used as a temporary folder for uploading large files into OAAM Admin.
OAAM Admin failed to import policy, rule condition, and challenge questions ZIP files.
Question/Problem: OAAM Admin failed to import policy, rule condition, and challenge questions ZIP files.
Answer/Solution: This is an issue with Mozilla Firefox MIME type mapping. If the environment does not have any application mapped to the ZIP extension, Mozilla maps the incorrect content type. One workaround is to add a file type mapping in Firefox Preferences.
Browser does not recognize the files which are being uploaded
Question/Problem: When I try to import my Oracle Adaptive Access Manager files, my browser does not recognize them.
Answer/Solution: When the MIME entry for Firefox is not present in the operating system on which it is installed, the browser fails to recognize the correct file types.
A MIME entry must be added for all the types of files, namely doc, txt, zip, and others, under the /etc/mime.types file of the operating system to enable browsers to recognize the files which are being uploaded. Once this entry is present, the browser recognizes the files successfully.
There is no issue if the MIME entry is already present in operating system.
Group of floating point numbers
Question/Problem: I want to see if the transaction amount is one of a specific value - like $999.99. Is there a way to model this? "Generic Integer" and "Generic Long" are available, but they do not take floating point numbers.
Answer/Solution: Where decimals are needed, model by changing the unit. For example, instead of 99.99, use 9999. Care should be taken to use the unit (for example cents instead of dollars) consistently in all the rules and groups.
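Added example, not from the original page: converting amounts to the integer unit (cents) before comparing them with a "Generic Integer" group, and why the conversion must not go through float multiplication. The group name and its members are constructed.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed example of a "Generic Integer" group holding flagged amounts that are
# already modelled in cents (999.99 dollars -> 99999). The group name is hypothetical.
FLAGGED_AMOUNTS_CENTS = {99999, 100000, 500000}

def to_cents(amount) -> int:
    """Convert a dollar amount (str, int, Decimal or float) to whole cents.

    The conversion goes through Decimal rather than multiplying a float by 100,
    because binary floats do not hold decimal cents exactly: 0.29 * 100 evaluates
    to 28.999999999999996, and int() truncates that to 28 cents.
    """
    if isinstance(amount, float):
        amount = repr(amount)  # shortest repr that round-trips: 0.29 -> "0.29"
    try:
        dollars = Decimal(str(amount))
    except InvalidOperation as exc:
        raise ValueError(f"not a monetary amount: {amount!r}") from exc
    return int((dollars * 100).quantize(Decimal("1"), rounding=ROUND_HALF_UP))

def naive_cents(amount: float) -> int:
    """The float shortcut the advice above steers you away from."""
    return int(amount * 100)

def is_flagged_amount(amount) -> bool:
    """Group membership test done in the same unit (cents) as the group itself."""
    return to_cents(amount) in FLAGGED_AMOUNTS_CENTS
```

The same unit must be used when the group is populated and when the rule condition compares against it; mixing dollars in one place and cents in another silently matches nothing.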
Exclude certain entities
Question/Problem: How do we exclude certain entities - like merchants or accounts? For example, merchants and accounts are modeled as entities and Oracle Adaptive Access Manager does not have a "group of entities" option.
Answer/Solution: Group the entities using their "primary key" (like a generic strings group).
Characterset in database for Oracle Adaptive Access Manager
Question/Problem: A client already has a database with no UTF8 support, and he wants to keep it that way as it is a shared database and ignore browser locale preferences.
Answer/Solution: Since browser preferences cannot be controlled, the server should ignore the locale preference or always use English.
Notes in log appear in English
Question/Problem: The notes in the Logs tab appear in English.
Answer/Solution: The values for the Notes column in the Logs tab for notes that are not added by the user will appear in English by default.
The notes are taken from the action enum's "note" field (property). The value of that property is saved into the database (as notes). After being saved, users cannot change that data.
Implementations can customize the "note" in the enum property to the localized value.
"Access case" is inside the oaam_resources.properties file:
Case creation / access logic will use that string for the creating records after that point.
Common problems and activities in customer services
Question/Problem: What are common problems and activities in customer services?
Answer/Solution: Common problems and actions are listed in this table.
|Problem|Possible Reason|Action to Perform|
|---|---|---|
|Customer cannot log in|Customer forgot challenge question answers|Reset challenge questions|
|Customer cannot log in|Customer did not register|Inform customer that registration is required at the next login.|
|Customer cannot log in|Customer is traveling and attempting to log in from a blacklisted country, and the system has blocked him.|Grant temporary allow|
|Customer locked out of the system|"Locked" is the status that Oracle Adaptive Access Manager sets if the user fails a challenge. The "Locked" status is only used if the KBA or One Time Password (OTP) facility is in use.|Reset the status to "Unlocked" before the account can be used to enter the system. Refer to Section 4.10.7, "Unlock OTP."|
|Customer blocked from performing transactions|A customer might be in a restricted users group that is intended for users who have had high risk activity. If the user has not performed any high risk activity recently, the security team might want to remove this user from the restricted users group.|Remove from restricted group|
|Customer calls with a new problem||Open case. Refer to Section 4.8, "Creating a CSR Case."|
|Customer does not like the virtual device personalization registered||Reset the image and phrase.|
|Customer does not like the virtual authentication device he has registered||Reset virtual authentication device.|
|Customer forgot the answers to the registered questions||Reset questions|
|Customer does not want his device to be flagged as "safe."|Customer no longer uses the device|Unregister device|
Why was I challenged with a question I did not register for?
Question/Problem: A user states that he was challenged with a question he did not register for. How can this happen?
Answer/Solution: There are a few possible reasons:
The user may have forgotten the challenge questions since registration. Often this is because the user has not been challenged for an extended period.
The challenge questions may have been reset by another party in a joint account (husband, wife, significant other).
The user's questions should be reset, allowing him to register new challenge questions.
Should I increase the number of questions for user registration?
Question/Problem: How do I decide if I should increase the number of questions for registration?
Answer/Solution: Whether to increase the number of questions depends on the business use case.
If the number of questions is increased to five and the user has three questions registered:
If the system is using all five questions, you do not need to ask the user to re-register questions. No change is required in this case. Existing users continue to use their questions until the questions are reset.
If all five questions are required, you can have your users register:
An additional two questions, which means you must make changes in the policy and add a new rule
All five questions, which means you must use a batch job
Why is the Question Statistics in the Details Page not displaying the Percentage of Challenges for a Question?
Question/Problem: Why are the statistics not updated for "Percentage of Challenges for a Question" immediately after the user answers a question?
Answer/Solution: The thread which updates the question statistics runs every hour. Updated statistics are not available immediately after a user answers a question; they are updated after one hour.
Level of Answer Logic
Question/Problem: What is the difference between Off, Low, Medium, High?
Answer/Solution: Answer Logic is a set of advanced matching algorithms used by the system to find out whether the answers provided by the user in the challenge response process match closely to the ones provided during registration. The algorithms and the level of Answer Logic are factors in evaluating answers.
The levels of Answer Logic, the intensity or strength of algorithms, used to evaluate answers are:
Off – No Answer Logic is used; answers must exactly match those previously registered by the user.
Low – Less Answer Logic; answers provided by the user must be a match or near-match to the answers that were provided at the time of registration
Medium – More Answer Logic; the user is given some leeway for the answers that are provided. For example, St. might be accepted for Street.
High – Highest level of Answer Logic. The constraints are not strict for matching.
Decryption of user's registered questions and answers
Question/Problem: Can a customer decrypt a user's registered questions and answers if needed?
Answer/Solution: Decryption of registered questions and answers is not supported for a number of reasons. Primarily this is a security concern. If it were supported, it would be possible for an insider to discover the questions and answers for all users. Challenge questions are used to protect applications in times of high risk. These questions in the wrong hands can be used to perpetrate fraud. As well, some KBA answers could contain personally identifiable information which requires a very high level of protection. In addition to security concerns there are privacy concerns as well.
Are KBA answers case-sensitive?
Question/Problem: Are KBA answers case-sensitive?
Answer/Solution: KBA answers are not case-sensitive for usability reasons. Since a user will only be challenged with a challenge question when there is a medium level of threat, most users will not be challenged on a regular basis, because most users follow regular patterns while conducting their business. If users are not challenged regularly, they may remember the answers to their challenge questions when and if they receive a challenge but may not remember the exact spelling or capitalization. Because of this, KBA includes the use of fuzzy logic to interpret user answers. Common misspellings and abbreviations, for example, can be accepted if the basic information of the answer is correct. This greatly increases the effectiveness of the solution overall, since a challenge question is not useful if a user fails to answer correctly because he forgot to capitalize the name of the street he grew up on.
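Added example illustrating the Answer Logic levels described above (exact match at Off, case-insensitive and near-match at Low, abbreviations such as St. for Street from Medium, looser matching at High). This is illustrative code, not Oracle Adaptive Access Manager's matching algorithm; the abbreviation table and the per-level thresholds are constructed.

```python
import re
from difflib import SequenceMatcher

# Constructed abbreviation table for illustration only.
ABBREVIATIONS = {"st": "street", "ave": "avenue", "rd": "road", "blvd": "boulevard"}

# Minimum similarity (0..1) a given answer needs at each level; constructed values
# that loosen as the level rises. Off is handled separately as an exact match.
THRESHOLDS = {"low": 0.95, "medium": 0.85, "high": 0.70}

def normalize(answer: str, level: str) -> str:
    """Canonical form of an answer for the given Answer Logic level."""
    text = answer.strip()
    if level == "off":
        return text                      # exact match: no normalization at all
    text = text.lower()                  # answers are not case-sensitive above Off
    text = re.sub(r"[^\w\s]", "", text)  # drop punctuation: "St." -> "st"
    words = text.split()
    if level in ("medium", "high"):      # abbreviations accepted from Medium upward
        words = [ABBREVIATIONS.get(w, w) for w in words]
    return " ".join(words)

def similarity(registered: str, given: str, level: str) -> float:
    """Similarity ratio between the normalized answers (1.0 means identical)."""
    level = level.lower()
    return SequenceMatcher(None, normalize(registered, level),
                           normalize(given, level)).ratio()

def answers_match(registered: str, given: str, level: str) -> bool:
    """Decide whether the given answer is accepted at the configured level."""
    level = level.lower()
    if level == "off":
        return normalize(registered, level) == normalize(given, level)
    return similarity(registered, given, level) >= THRESHOLDS[level]
```

Raising the level trades a lower false-reject rate for a higher chance that a wrong but similar answer is accepted, which is the trade-off the levels above expose.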
RCU schema load for Oracle Adaptive Access Manager partition does not create tablespace with prefix
Question/Problem: Loading the Oracle Adaptive Access Manager partition schema through RCU does not create tablespaces for the partition using the prefix used in RCU.
Answer/Solution: RCU supports only 5 additional tablespaces, and 30+ tablespaces are needed for the Oracle Adaptive Access Manager partition-based schema. Prefixes cannot be used for tablespace names.
Turn on/off localization
Question/Problem: How do I turn off localization?
Answer/Solution: There is no flag to turn off localization, but there is a user-defined enum that captures the locales supported by the deployment. The enum can be used to enable only one locale.
You would change the locale.enum.XXX.enabled properties to false for each unwanted locale.
Language setting on a per user basis?
Question/Problem: Does Oracle Adaptive Access Manager support language setting on a per user basis?
Answer/Solution: Usually, Web applications take the language setting of the browser.
For example, a user registers his virtual authentication device and KBA questions using a Spanish browser. If he logs in using an English browser, his phrase will be in Spanish and answers to any KBA questions presented will be expected in Spanish. The KBA question presented to him however will be in English as is expected with most Web application content.
In Oracle Adaptive Access Manager 10.1.4.5 the end-user facing Web application used in proxy type deployments has globalization support. The end user's browser language/locale setting tells the application what language to display the screens in, including KBA questions and the personalization of the virtual authentication devices (phrase). The APIs for KBA and the virtual devices accept locale as a parameter.
However, if the deployment is using native application integration, the functionality would need to be developed in the custom end user facing Web application being built. This application would probably use resource bundles. It would also need to call the KBA and the virtual authentication device APIs while passing a supported locale as a parameter.
No results were found after policy execution
Question/Problem: I imported the policy and expected to see the results from the execution, but no results were found. How can I find out what happened?
Answer/Solution: To debug the problem:
Check the Session details page to verify if that policy executed in that session.
Make sure that "vcrypt.tracker.rules.trace.policySet.XXXXXX" is set to true for that checkpoint. (XXXX corresponds to that checkpoint)
Verify the configuration of the policy.
Is the policy active?
Is the policy linked to that user group to which this user belongs?
For a policy to execute in a session, it should either be linked to "All Users" or to one of the groups the user is a member of. Verify whether the policy is linked appropriately.
Verify that enough time was given for the cache to refresh.
If group linking is changed recently, make sure to wait more than 30 seconds for the cache to refresh.
Alerts and/or action did not generate for a rule
Question/Problem: The policy executed but alerts and actions were not generated.
Answer/Solution: When a rule triggers, the alerts set up in the rule will trigger. However, the action configured in a rule can be overridden in different levels, like trigger combination, policy set override. Look at these for possible override of the action triggered by the rule.
Verify the configuration of actions and alerts.
Verify that the alerts and actions have been set up in the rule. Then verify that the rule was indeed triggered in the session.
Verify if there are other trigger combinations in the policy that match this specific set of conditions.
Trigger combinations are evaluated in sequential order, as shown in the UI, until all conditions match for a combination. After a matching combination is found, the rest of the combinations are not evaluated. It is possible that multiple combinations match a specific set of conditions; however, only the first one to match will trigger.
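Added example (not from the original page) of the first-match evaluation order described above, plus a configuration check for combinations that can never be reached because an earlier combination matches whenever they do. The policy, rule names and override fields are constructed and do not reflect OAAM's internal schema.

```python
# Constructed policy with three trigger combinations, listed in the order the UI
# shows them. Each combination names the rule outcomes it requires (True =
# triggered, False = not triggered) and the override it applies when it matches.
COMBINATIONS = [
    {"name": "Block on blacklist and new device",
     "rules": {"Blacklisted country": True, "New device": True},
     "action": "Block", "score": 1000},
    {"name": "Challenge on blacklist",
     "rules": {"Blacklisted country": True},
     "action": "Challenge", "score": 700},
    {"name": "Challenge on new device",
     "rules": {"New device": True},
     "action": "Challenge", "score": 500},
]

def combination_matches(combo: dict, outcomes: dict) -> bool:
    """True when every rule the combination names has the required outcome.

    A rule absent from the session outcomes is treated as not triggered.
    """
    return all(outcomes.get(rule, False) == required
               for rule, required in combo["rules"].items())

def evaluate_trigger_combinations(combos: list, outcomes: dict) -> tuple:
    """Sequential, first-match evaluation as the text describes.

    Returns (winning combination or None, names of every combination that
    matched). Only the winner's action/score apply; the rest are never reached.
    """
    matching = [c for c in combos if combination_matches(c, outcomes)]
    winner = matching[0] if matching else None
    return winner, [c["name"] for c in matching]

def shadowed_combinations(combos: list) -> list:
    """Configuration check: (combination, earlier combination) pairs where the
    earlier one requires a subset of the later one's conditions, so the later
    one can never be the first match and its override will never apply."""
    shadowed = []
    for i, later in enumerate(combos):
        for earlier in combos[:i]:
            if all(later["rules"].get(r) == v for r, v in earlier["rules"].items()):
                shadowed.append((later["name"], earlier["name"]))
                break
    return shadowed
```

If the more specific "Block" combination were moved below the generic "Challenge on new device" one, it would still match but never win, which is exactly the symptom of an action that "did not generate".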
Action element or action member does not appear in the action group in rules
Question/Problem: An action element or an action member was added, but it does not appear in the action group in rules.
Answer/Solution: For the action to appear, you must restart the server because action members are enumerations.
Unable to delete all the groups
Question/Problem: The user is not able to delete all the groups that were selected for deletion.
Answer/Solution: If a group is used in other instances within the application, the user will not be able to delete the group.
Delete all the members in a group
Question/Problem: What happens if I delete all the members in a group?
Answer/Solution: If the group is linked to any rules or patterns, the rules or patterns will not function as expected.
Difference between a user ID and a Username group
Question/Problem: What is the difference between a user ID and a Username group?
Answer/Solution: The Username is set up by the user. For example, "Bob" is the login and the user ID is "xyz123". The User ID is the scheme a customer uses to uniquely identify users.
Question/Problem: What are groups used for?
Answer/Solution: To simplify the configuration for rule conditions and rule results, groups are created.
For example, to create a rule "Restricted IPs," you must add a condition to find out if the logged in user IP is in the list of restricted IPs configured. The restricted IPs are grouped together as RestrictedIPSGroup of type IP and the rule condition will use this group.
Add/remove group members based on a rule triggering
Question/Problem: Can I automatically add/remove members to a group based on a rule triggering? How?
Answer/Solution: To add members to a group or remove members from a group, create a new trigger action enumeration named "add member to group" or "remove member from group" and an action group for it. In the group add an action. Configure a configurable action to trigger on "add member to group" or "remove member from group" which will add or remove the member.
Question/Problem: How can I exclude some users from being affected by a rule?
Answer/Solution: Create a group which contains the users. Then specify in the Rule's Pre-Condition tab to exclude the group.
What is a Cache Policy?
Question/Problem: What does Cache Policy do?
Answer/Solution: The Cache Policy determines if the application uses data stored in the cache or re-fetches original data from the server.
How does Cache Policy affect performance
Question/Problem: How does Cache Policy affect performance?
Answer/Solution: Performance is impacted if the application has to consult the server every time the information must be accessed. With cached data, the information is already stored for rapid access. Performance is impacted if you cache data and large changes are made since caching uses server space.
Not caching a group
Question/Problem: In what situations should I not cache a group?
Answer/Solution: You should not cache a group if you have a long list of elements since groups are re-cached if there are any changes to the group.
Group inside a group
Question/Problem: Can I have a group inside another group?
Answer/Solution: No. The only exception is geographic nesting: a city group can be in a state group, which can be in a country group.
View group linking
Question/Problem: How can I see if a group is linked to something else?
Answer/Solution: The Policy Tree shows the linking of User ID groups to policies.
Custom action not available
Question/Problem: A custom action was created, but it is not available in the user interface.
Answer/Solution: Ensure that the Java class is in the right directory and that it is in the right package.
Multiple cases were generated because of configurable action
Question/Problem: Multiple cases are generated when create cases was defined as a configurable action.
Answer/Solution: If the pre-condition is an action that can occur frequently, a case is created every time the action occurs. For example, actions such as "challenge" can occur more than once in a session (OTP challenge, KBA challenge, and so on).
Question/Problem: Synchronous actions are executed in ascending order of their priority. For example, if you want to create a CSR case and then send an email with the case ID, you would choose synchronous actions. Synchronous actions will trigger/execute immediately.
What happens if the first action fails? Will the email still be sent?
Answer/Solution: The execution of a configurable action is not dependent on the execution of other configurable actions. However, custom code can check data in the context that is shared across actions and perform logic based on the context data.
Question/Problem: Asynchronous actions are queued for execution and will be executed based on their priority but not in any particular sequence. For example, if you want to send an email or perform some action and do not care about executing it immediately and are not interested in any order of execution, you would choose asynchronous actions.
Are asynchronous actions guaranteed to execute? What happens if the server stops running?
Answer/Solution: If the server stops running, then any pending configurable actions will not be executed.
Question/Problem: Trigger criteria enables you to choose when you want to trigger the action in the session.
The trigger criteria can be a score, an action, or both. These are compared against the values from the Rule Engine for the selected checkpoint while defining the configurable action.
What happens if both action and score are specified and only one is matched? What is the priority?
Answer/Solution: When both action and score are specified, the configurable action is executed only if both of criteria match with the outcome from the Rules Engine.
Action Priority in Asynchronous Actions
Question/Problem: How is action priority used in asynchronous actions?
Answer/Solution: Actions are aligned in different queues based on the action priority. When it is time to execute the next action from the queue, the highest-priority action is executed first.
Verify that autolearning is functional
Question/Problem: I enabled autolearning and configured the policies. How do I verify that autolearning is running?
Answer/Solution: To verify if autolearning is turned on and working:
Log in to the system.
Run a few logins.
To find out whether autolearning data of a session has been processed, go to the Session Details page of that session and view the Processing Status field in the Login Details section.
If autolearning has not been set up correctly, data will not have been processed.
Entity not available
Question/Problem: A user creates an entity, but it is not available in the Transactions Page Entities list.
Answer/Solution: The user has forgotten to activate his entity.
Refer to Section 16.9, "Activating Entities."
Data element not available for evaluation
Question/Problem: The Data element is not available for evaluation in the condition.
Answer/Solution: The Data element may be encrypted.
Add multiple entity instances
Question/Problem: Can a user add multiple instances of the entity to a Transaction?
Entity change affects instances of the entity
Question/Problem: If a user changed the entity definition, are all the instances of the entity affected?
Answer/Solution: Yes, the definition is a template.
Refer to Section 16.6, "Editing the Entity."
Not able to delete an entity
Question/Problem: The user is not able to delete an entity. The user has removed that instance from the Transaction already.
Answer/Solution: The entity is also used in other transactions, patterns, and so on.
Refer to Section 16.11, "Deleting Entities."
Not able to delete the entity even when transactions are not using them
Question/Problem: The user does not have any Transaction that uses the entity, but is still not able to delete the entity.
Answer/Solution: There might be historical Transaction data using the entity.
Time zone management
Question/Problem: Do rules that evaluate time use one time zone for all sessions or does it use the time zone from the customer browser/OS? For example, if I set up a rule to KBA challenge if a user logs in outside of office hours (not 8:00 am - 6:00 pm) is this evaluated based on the time zone from the customer browser/OS?
The relevant time zone property:
|Name|Type|Value|
|---|---|---|
|user.timezone|System|PST8PDT|
user.timezone = PST8PDT
oaam.adf.timezone = user.timezone
The Date and Time used for rule execution (pattern or non-pattern) comes in from "request_time." This is the same date / time that any request based rules will use.
For on-line it is the OAAM Admin server time.
For off-line: it is the time specified in the off line data for that request.
KBA Challenge and Challenge Statistics Do Not Match in Sessions for Time Range
Question/Problem: The Summary Dashboard statistics for KBA challenges do not match the Challenge statistics on the Sessions Search page for the same time range.
Answer/Solution: The counts are two different metrics. The Challenge statistics are a count of the number of sessions that were challenged. The KBA Challenge statistics are a count of the number of times a user answered a challenge question.
For example, if a user logs in, is challenged, answers the question incorrectly once and then answers the question correctly, there will be one session on the Sessions Search page related to this login, but the KBA Challenges count on the dashboard will increase by 2.
The Count of Unsuccessful Challenges is Incorrect in the Summary Logins Report
Question/Problem: A high-risk user logs in to OAAM Server and he is challenged. He enters incorrect answers for the challenge questions. The CSR checks the Oracle Adaptive Access Manager Login Summary Report and looks at the unsuccessful challenges. The count is higher than the actual number of challenges.
Answer/Solution: The totals shown in Successful Challenges and Unsuccessful Challenges are the number of times a challenge question was answered successfully or unsuccessfully.
Average Processing Time for Rules and Policies Does Not Match with Reports
Question/Problem: The CSR captures the rules processing times from session details for a user and runs a SQL query to gather the statistics from the database. The report and SQL query numbers are different than those displayed by the dashboard.
The average processing times in session details and the database are different from the numbers displayed in the performance dashboard. They do not match exactly.
Execution counts shown in the Dashboard vary from the Security RulesBreakdown report. Additional rules are displayed in the dashboard. (Session details and the Security RulesBreakdown report show fewer rules.)
Answer/Solution: The reasons for the mismatch are listed as follows:
The execution counts shown in the Dashboard and in the Security RulesBreakdown report vary because the dashboard displays the number of times the rule was processed, whether or not it triggered, but the Security RulesBreakdown report displays the number of times the rule returned true. The values in the dashboard and the values returned by that SQL query are different measurements, so the values should not be expected to match.
The average processing times in session details and the database are different from the numbers displayed in the performance dashboard. They do not match exactly because the monitor data calculates the processing time differently from the report and query. The report and query include setup code and other processing times not included in the monitor data number. The monitor data contains the rules processing time and the time spent for fact assertions into the working memory.
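Added example, not from the original page, computing the metrics the three preceding questions compare (sessions challenged vs. KBA challenge answers, successful vs. unsuccessful answers, and rules processed vs. rules that returned true) over constructed session records, so the expected gaps can be checked rather than reported as bugs. The record layout is invented for the illustration and is not OAAM's schema.

```python
from collections import Counter

# Constructed session records: each holds the KBA answer attempts made in the
# session and the outcome of every rule evaluated in it.
SESSIONS = [
    {"id": "s1", "answers": ["wrong", "right"],           # challenged, answered twice
     "rules": {"Blacklisted country": True, "New device": False, "Velocity": False}},
    {"id": "s2", "answers": [],                           # never challenged
     "rules": {"Blacklisted country": False, "New device": False, "Velocity": False}},
    {"id": "s3", "answers": ["wrong", "wrong", "wrong"],  # failed the challenge
     "rules": {"Blacklisted country": False, "New device": True, "Velocity": False}},
]

def challenge_metrics(sessions: list) -> dict:
    """Sessions Search counts sessions that were challenged; the dashboard and the
    Login Summary report count individual answers, so one session can add several."""
    answers = [a for s in sessions for a in s["answers"]]
    return {
        "sessions_challenged": sum(1 for s in sessions if s["answers"]),
        "kba_challenges": len(answers),
        "successful_challenges": answers.count("right"),
        "unsuccessful_challenges": answers.count("wrong"),
    }

def rule_metrics(sessions: list) -> dict:
    """Per rule: 'processed' counts every evaluation (the dashboard's execution
    count); 'triggered' counts only evaluations that returned true (RulesBreakdown)."""
    processed, triggered = Counter(), Counter()
    for s in sessions:
        for rule, outcome in s["rules"].items():
            processed[rule] += 1
            if outcome:
                triggered[rule] += 1
    return {r: {"processed": processed[r], "triggered": triggered[r]} for r in processed}

def rules_only_on_dashboard(sessions: list) -> list:
    """Rules processed but never triggered: shown in the dashboard, absent from the
    RulesBreakdown report. This is the expected difference, not a missing rule."""
    return sorted(r for r, m in rule_metrics(sessions).items() if m["triggered"] == 0)
```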
Question/Problem: How do I troubleshoot command-line errors?
Answer/Solution: Here are the steps to troubleshoot command-line errors:
Check the Java version. Make sure it is the recommended version, for example JDK 1.6.
Make sure the jars are in the class path (jps*.jars).
Define credentials in the Credential Store. The Credential Store is similar to sessions.xml, but the definition is in Enterprise Manager for the OAAM domain instead of a file.
Make sure the SID is correct.
Question/Problem: Can I write a CRON job to schedule policy, group, and rule exports?
Answer/Solution: The steps to create a scheduled job are:
Create a script using the CLI to export the required data. Test for accuracy of the data.
Refer to Chapter 23, "Oracle Adaptive Access Manager Command-Line Interface Scripts" for information on exporting policies and groups.
Create a cron job to periodically run the script.
For information on creating a cron job, refer to
Ensure that you:
Encrypt the database password. Refer to Chapter 23, "Oracle Adaptive Access Manager Command-Line Interface Scripts."
Do not overwrite files: devise a unique naming convention.
Monitor the backup process: set up email and notification.
Monitor disk space and performance: include only required data in the backup, look for groups with many elements, and so on.
Characters added during transfer of files
Question/Problem: During the transfer/ftp of files, characters such as carriage return "\r" are added.
Answer/Solution: To resolve the issue, run dos2unix against the files. When you are running the .sh file, use either dos2unix <filename> or dos2unix . *.* .
"TNS:no appropriate service handler found" error
Question/Problem: I get the following error when I load data:
TNS:no appropriate service handler found
Answer/Solution: It may be that the number of processes in your database is set to a minimal value.
Use the following commands to check the number of processes set in the database and to raise it:
SQL> show parameter process
SQL> alter system set processes=100 scope=spfile;
How many keystores are there?
Question/Problem: How many keystores are there? And which one is used for what?
Answer/Solution: There are 3 keystores:
System Keystore: Used for encrypting properties and other non database-related data
Database: Columns in the database, mostly password, PIN, and Transaction data (such as credit card numbers).
SOAP/WebServices: On the client side to authenticate Web Services request
What tables and columns are encrypted
Question/Problem: If the database is encrypted with these keystores which database tables, or columns, or both are encrypted?
Answer/Solution: VCryptPassword and Transaction tables.
Question/Problem: Do we need to decrypt the data? When do we need to do this?
Answer/Solution: Data is decrypted by the application as and when required. There are no external tools available to decrypt this data.
Question/Problem: Can we omit the encryption?
Answer/Solution: SOAP is optional. Database and System are mandatory.
Monitoring Performance through Fusion Middleware Control
Select OAAM under Identity and Access to go to the home page.
On the home page, you can view a performance overview for Oracle Adaptive Access Manager.
Select Performance Summary from the Oracle Adaptive Access Manager menu in the upper left hand side of the home page to view performance metrics.
Monitoring the Security Effectiveness of Oracle Adaptive Access Manager
Oracle Adaptive Access Manager contains a real-time dashboard of metrics including security actions taken.
For information, see Chapter 18, "Using the Dashboard."
OAAM Admin also allows visibility into activity down to the object level details and relationships.
For information, see Chapter 3, "Oracle Adaptive Access Manager Navigation."
Oracle Adaptive Access Manager ships with an extensive package of reporting templates for Oracle Business Intelligence Publisher.
For information, see Appendix C, "Oracle Adaptive Access Manager Reports Reference."
Question/Problem: If I want to query / audit data, it will have to be via the production instance of OAAM using OAAM Admin. This might affect the performance of OAAM Server, since query and audit activities tend to perform many sequential reads / table scans on the production index/tablespaces. How might I lessen the performance impact?
Answer/Solution: You might consider maintaining a logical standby database using DataGuard where you can have an option to query / audit / perform reporting using the logical standby database. The logical standby database would have all the data as production, except for the last one hour. The production database instance can just be used to perform its inserts, updates, and so on, and also for active monitoring and alerts.