Skip Headers
Oracle® Access Manager Installation Guide
10g (10.1.4.3)

Part Number E12493-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

E Troubleshooting Installation Issues

This chapter describes common troubleshooting issues and tips to resolve them. This chapter covers the following topics:

E.1 Browser Issues

The following issues are browser specific:

E.1.1 Character Display Issues

When using Apache-based Web servers (including Apache, Oracle HTTP Server, and IBM HTTP Server (IHS)), Oracle Access Manager HTML pages may appear garbled.

Oracle Access Manager HTML pages use UTF-8 encoding. Apache-based Web servers allow administrators to specify a default character set for HTML pages using the AddDefaultCharset directive. If the AddDefaultCharset directive enables a character set other than UTF-8, Oracle Access Manager HTML pages are garbled.

Oracle recommends that you disable the AddDefaultCharset directive in the Web server configuration file (httpd.conf) as follows to ensure the correct display of Oracle Access Manager HTML pages:

AddDefaultCharset Off

E.1.2 Microsoft Internet Explorer 6 with Sun VM v1.4.2_04

With this configuration, when you create a container limits policy and specify a user to receive notification for a containment limit event then click Done in the Person Selector you may notice that the Save, Cancel, and Reset buttons do not appear and the policy cannot be saved.

To work around this problem

  1. Open the oblixbaseparams.xml file:

    IdentityServer_install_dir\identity\oblix\apps\common\bin\oblixbaseparams.xml
    
  2. Locate the section, applet_customizations and find the subsection for the applet where the problem is observed. For example, containmentlimit_applet subsection.

  3. Adjust the width and height parameters suitably for this applet to resolve the issue. For example, modify the applet_dimension_height parameter to a value of 530.

  4. Restart the Identity Server.

  5. Open a new browser window and view the same applet.

E.1.3 Unable to Authenticate Resource on Internet Explorer

Previous releases of Oracle Access Manager supported only Latin-1 encoding. However, Oracle Access Manager 10.1.4 supports UTF-8 encoding. This problem should no longer occur.

Symptom: You receive Unable to Authenticate Resource errors on Internet Explorer.

Cause: Internet Explorer provides the advanced option to always convert UTF characters in URLs. Oracle Access Manager automatically does this as well. Having both enabled causes authentication errors.

Solution: Complete the steps that follow to remedy "Unable to Authenticate Resource" errors on IE.

To remedy this

  1. Open the globalparams.xml file in a text editor. This file is stored in two locations, and both must be edited:

    • \IdentityServer_install_dir\identity\oblix\apps\common\bin\globalparams.xml

    • \AccessServer_install_dir\access\oblix\apps\common\bin\globalparams.xml

  2. Set the doUtfConversion parameter to NO and save your changes.

    Note:

    If you set this after importing the UTF-8 data, restart the Web server, close all browsers, and open a new browser window.
  3. In Microsoft Internet Explorer, select Internet Options from the Tools menu.

  4. In the Internet Options dialog box, select the Advanced tab.

  5. Under Browsing, deselect the Always send URLs as UTF-8 check box.

E.2 Directory Server Issues

The following discussions identify several directory server issues:

See also "Issues with Oracle Virtual Directory Implementations".

E.2.1 Active Directory Issues

Active Directory 2000 does not support concurrent bind requests coming from different Oracle Access Manager threads on the same LDAP connection. Oracle Access Manager servers are multi-threaded and maintain a pool multiple LDAP connections to the directory server. Several Oracle Access Manager threads may share the LDAP connection for efficient processing of requests. However, Active Directory 2000 does not support concurrent binds requests coming from different Oracle Access Manager threads on the same LDAP connection. This may cause spurious authentication failures.

To avoid this situation

  1. On the Access Server, locate the globalparams.lst file and open this in an editor.

  2. Add a new flag called exclusiveAuthnConnection and set it to true.

    This forces Oracle Access Manager threads to use separate LDAP connections for bind requests being sent to the directory server.

For additional information, see:

E.2.1.1 Active Directory Search Halts

Symptom: 400 policy domains were created in Oracle Access Manager, each with 10 resources and 10 policies. The limitAMPolicyDomainResourceDisplay is set to true in the Policy Manager globalparams.xml file. When the Search icon is selected an error page appears stating "The following messages were produced by the product. Please contact your webmaster to fix the problem."

Cause: The number of policy domains exceeds the current limit.

Solution: Do not exceed 350 policy domains with Active Directory.

E.2.1.2 ADSI Cannot Be Enabled for this DB Profile (Active Directory)

Oracle Access Manager supports changing the user data DB profile between ADSI and LDAP using the Identity System Console. However, Oracle Access Manager does not support changing the configuration or policy DB profile between ADSI and LDAP using the System Console.

Symptom: Suppose you have user data stored in an Active Directory forest using LDAP and configuration and policy data stored in another Active Directory forest using ADSI. When you change the ADSI flag in the configuration data DB profile to LDAP using the Identity System Console and restart Oracle Access Manager servers and services, the ADSI flag remains enabled and the following message appears:

"ADSI can be enabled for either User or Configuration DB Profile if they are in a separate forest. ADSI Cannot be Enabled for this DB Profile."

Further, attempting to modify the user data DB profile to ADSI produces an error because Oracle Access Manager recognizes the DB profile for configuration and policy data as ADSI enabled.

Solution: Rerun the setup program to modify the DB profile for configuration and policy data.

E.2.1.3 Dynamically-Linked Auxiliary Classes for Active Directory

If you installed Active Directory with Windows Server 2003 and experience difficulty with dynamically-linked auxiliary classes, ensure that you have completed all items that follow.

To enable dynamically-linked auxiliary classes for Active Directory

  1. Before Oracle Access Manager installation, you must ensure that the Active Directory domain and forest functionality are operating at a Windows 2003 Server level.

    You must raise both the domain and the forest to a Windows 2003 Server level, as described in the Microsoft documentation.

  2. During Identity System installation and set up, you must specify dynamically-linked auxiliary classes when asked.

  3. During Policy Manager installation and set up, you must specify dynamically-linked auxiliary classes when asked.

  4. During Access Server installation, you must specify dynamically-linked auxiliary classes when asked.

  5. After setup, it's a good idea to verify that the dynamicAuxiliary flag is set to true in the following files:

    • \IdentityServer_install_dir\identity\oblix\data.ldap\common\ldapconfigdbparams.xml

    • \PolicyManager_install_dir\access\oblix\data.ldap\common\ldapconfigdbparams.lxml

    • \AccessServer_install_dir\access\oblix\data.ldap\common\ldapconfigdbparams.xml

    NameValPair ParamName= "dynamicAuxiliary" Value= "true"
    

    Oracle Access Manager also sets a dynamicAuxiliary tag to true in the following file:

    • \IdentityServer_install_dir\identity\oblix\config\setup.xml

    Note:

    The directory is the best place to look for any static associations.
  6. Configure Oracle Access Manager for dynamically-linked auxiliary class support, as described in the Oracle Access Manager Identity and Common Administration Guide.

E.2.2 ADAM Issues

For more information, see Appendix B, "Installing Oracle Access Manager with ADAM".

E.2.2.1 ADAM: Cannot find the Config DN or Searchbase

Please make sure the configuration DN or searchbase exist.

This error message may also indicate that you are not using ous for the configuration and policy DNs.

E.2.2.2 ADAM Directory Server Security

The ADAM schema must be updated through an open port. For details, see "ADAM Schema Updates".

Password changes can be made only through an SSL-enabled port. For details, see "ADAM Password Changes".

E.2.2.3 ADAM Object Classes

ADAM describes the user object class differently than Active Directory. samaccountname, which is required with Active Directory, does not exist in ADAM. grouptype is still required with ADAM. Oracle Access Manager configures a grouptype attribute when you automatically configure attributes during setup.

Keep the following in mind with manual schema updates when you don't plan to use dynamic auxiliary classes:

  • Update the schema manually using IdentityServer_install_dir\identity\oblix\data.ldap\common\ADAM_oblix_schema_add.ldif, as described in "Installing and Setting the Identity System with ADAM".

  • Use the ldifde command to import the Oracle Access Manager schema file ADAMAuxSchema.ldif from the IdentityServer_install_dir\identity\oblix\data.ldap\common directory.

  • Ensure that the object classes "oblixorgperson" and "oblixgroup" are explicitly attached as auxiliary classes to the Person and Group object classes, respectively.

E.2.2.4 ADAM Password Changes

Password changes require SSL. If you have a problem changing a password, the directory server may have a native password policy that is not being honored.

When creating a user, ensure the user has a password. If you activate a user and the operation fails, the user may not have a password.

Users must be enabled within ADAM. If you search for a user in the Oracle Access Manager User Manager, and the user does not appear as the result of the search, check the msDS-UserAccountDisabled= user attribute in the object class to see if it is disabled or enabled.

E.2.2.5 ADAM Schema Updates

When you install Oracle Access Manager, you must manually update the ADAM schema.

If the user data directory instance is separate from the configuration and policy data directory instance, you must manually upload the ADAM_user_schema_add.ldif file.

On the configuration data directory instance, you must manually upload the ADAM_oblix_schema_add.ldif file. When using static auxiliary classes, you must manually upload the ADAMAuxSchema.ldif file.

If the policy data directory instance is separate from the configuration data directory instance, you must manually upload the ADAM_oblix_schema_add.ldif file. When using static auxiliary classes, you must manually upload the ADAMAuxSchema.ldif file.

Currently ldifde, which is used to extend the ADAM schema, does not support binding to an SSL port. If you are having trouble updating the schema, ensure that you specified the open ADAM port during Identity Server installation. You may still install certificates and specify SSL during Identity Server installation.

E.2.3 Novell eDirectory Issues

Problem

By default, the Oracle schema for Novell eDirectory does not support creating the oblix node (o=oblix,<config-dn>) under a domain node (for example, dc=us,dc=oracle,dc=com) during browser-based Identity System setup. This means that you cannot use a domain node as the configuration base during the browser-based Identity System setup.

When setting the searchbase to "dc=nc" during browser-based Identity System setup with Novell eDirectory, you must define the CONTAINMENT object under which the "o=Oblix" (oblixconfig) objectclass can exist. Within the schema for eDirectory, the oblixconfig objectclass can include "domain" as a possible CONTAINMENT object.

Solution

During the installation of the Identity Server, you asked if you want to extend the Directory Server schema. At this point, you can browse the Identity Server's installation directory and locate the NDS_oblix_schema_add.ldif file. From a file editor, you can edit the CONTAINMENT for this objectclass to include "domain" using the following steps.

  1. When asked if you want to extend the directory schema during Identity Server installation, locate the NDS_oblix_schema_add.ldif file, as follows:

    IdentityServer_install_dir\identity\oblix\data.ldap\common\'NDS_oblix_schema_
    add.ldif 
    
  2. Open the NDS_oblix_schema_add.ldif in an editor and locate the 'oblixconfig' objectclass, which also defines the CONTAINMENT for this objectclass. For example:

    dn: cn=schema 
    changetype: modify 
    add: objectclasses 
    objectclasses: ( 1.3.6.1.4.1.3831.0.1.2 NAME 'oblixconfig' SUP top STRUCTURAL  
    MUST ( obpersonoc $ 
    obsearchbase $ organizationName )  MAY ( obsearchbasestr $ obgroupoc $  
    ………………………………..$ obver $
    obduplicateAction )  X-NDS_NAMING ( 'O' )  X-NDS_CONTAINMENT ( 'organization'  
    'organizationalUnit'  'country' 'locality' ) ) 
    
  3. Modify this entry to specify the 'domain' as one of the CONTAINMENT classes for the 'oblixconfig' objectclass. For example:

    dn: cn=schema 
    changetype: modify 
    add: objectclasses 
    objectclasses: ( 1.3.6.1.4.1.3831.0.1.2 NAME 'oblixconfig' SUP top STRUCTURAL MUST ( obpersonoc $ 
    obsearchbase $ organizationName )  MAY ( obsearchbasestr $ obgroupoc $  ………………………………..$ obver $ 
    obduplicateAction )  X-NDS_NAMING ( 'O' )  X-NDS_CONTAINMENT ( 'domain'    
    'organization' 'organizationalUnit'  'country' 'locality' ) ) 
    
  4. Save the modified schema file and continue with the installation and browser-based setup.

E.2.4 Oracle Internet Directory Schema

Oracle Internet Directory schema for the orclrole objectclass does not follow RFC 2256. As a result, when Oracle Access Manager is configured with Oracle Internet Directory, this schema discrepancy in Oracle Internet Directory causes issues in the objectclass configuration of Oracle Access Manager.

For instance, the Object Class list on the Add Object Class page of the Identity System Console will list all object classes available for configuration. However, when configured with Oracle Internet Directory, the orclrole object class definition appears instead of the object class name. This does not cause any issues with Oracle Access Manager unless the object class is configured for use with Oracle Access Manager. However it does result in distortion of the Object Class list.

To configure this object class for use with Oracle Access Manager or to fix the distortion, you must modify the definition of orclrole as follows.

Note:

The LDAP tools have been modified to disable the options -w password and -P password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to TRUE or 1. If you use -q or -Q, respectively, the command will prompt you for the user password or wallet password. Set this environment variable whenever possible.

To fix distortion or configure orclrole for use with Oracle Access Manager

  1. Prepare an LDIF file (ModifiedSchema_orclrole.ldif) with following entries:

    Note:

    These are sample LDIF entries. The actual schema definition for orclrole in Oracle Internet Directory should be used to update these entries.
    dn: cn=subSchemaSubentry 
    changetype: modify 
    delete: objectclasses 
    objectclasses: ( 2.16.840.1.113894.1.2.43 NAME orclrole SUP top STRUCTURAL 
    MUST ( cn ) MAY ( uniquemember $ orclassignedpermissions $ orclassignedroles 
    $ owner $ description $ displayname ) )
    
    dn: cn=subSchemaSubentry 
    changetype: modify 
    add: objectclasses 
    objectclasses: ( 2.16.840.1.113894.1.2.43 NAME 'orclrole' SUP top 
    STRUCTURAL MUST ( cn ) MAY ( uniquemember $ orclassignedpermissions $ 
    orclassignedroles $ owner $ description $ displayname ) ) 
    
  2. Set the environment variable LDAP_PASSWORD_PROMPTONLY to TRUE or 1 so that you can use -q or -Q to prompt you for the password during the next step.

  3. Upload this LDIF to Oracle Internet Directory using ldap_add as follows:

    >ldapadd.exe -h hostname -p port -D "cn=orcladmin" -f   
    ModifiedSchema_orclrole.ldif -q
    

E.2.5 Oracle Internet Directory Tuning for Oracle Access Manager

If you tune Oracle Internet Directory 10.1.2 or earlier using the ldapmodify command described in "Tuning for Oracle Internet Directory", you will receive the following error message:

"Attribute orclinmemfiltprocess is not supported in schema."

The orclinmemfiltprocess attribute is not supported in the schema until Oracle Internet Directory 10.1.4. As a result, you cannot perform "Tuning for Oracle Internet Directory" if you have installed Oracle Internet Directory 10.1.4 or earlier.

E.2.6 Sun Java System Directory Server 6.0 and Installation of Identity Server

Problem

This problem can occur on any platform. Installing the Identity Server (or Policy Manager) with Sun Java Directory Server 6.0 fails when you are defining directory details. The following error will occur if you specify Sun Directory Server 5.x, and you supply the Sun Directory Server 6 hostname, port number, and credentials, and choose Yes to automatically update the LDAP server schema configuration:

Error 32: LDAP Invalid credentials. Or invalid directory type supplied. Or no such 
object.

Cause

Certification of the Sun Java Directory Server 6.0 with Oracle Access Manager occurred after 10g (10.1.4.0.1) was released. As a result, during Identity Server installation there is no option to select Sun Java Directory Server 6.0. If Sun Directory Server 5.x is selected, the configuration fails when performing an automatic schema update.

When installing with Sun Java Directory Server 6.0, the automatic schema update option cannot be used. The schema must be updated manually.

Solution

  1. Choose the Sun Directory Server 5.x option when you install the Identity Server (or Policy Manager).

  2. Provide the Sun Directory Server 6 hostname, port number, and credentials.

  3. Using either the Sun Java System Directory Server 6.0 Management Console, or ldapmodify command line, load the Oracle Access Manager schema and index files into Sun Java System Directory Server 6.0 using the following ldif files:

    LDAP server instance hosting user data only:

    IdentityServer/identity/oblix/data.ldap/common/iPlanet_user_schema_add.ldif
    IdentityServer_installdir/identity/oblix/data.ldap/common/iPlanet5_user_index_add.ldif
    

    LDAP server instance hosting user data and configuration data (or configuration data and policy data, or policy data only):

    installdir/identity|access/oblix/data.ldap/common/iPlanet_oblix_schema_add.ldif
    installdir/identity|access/oblix/data.ldap/common/iPlanet5_oblix_index_add.ldif
                       
    

    In the previous path name, the pipe between identity|access indicates "or". If you are installing the Identity Server the path will be the IdentityServer_installdir/identity and if you are installing Policy Manager the path will be PolicyManager_installdir/access.

    Note:

    For an example of the ldapmodify command, see the Sun document at: http://docs.sun.com/app/docs/doc/819-0995/6n3cq3avf?a=view
  4. Proceed to Identity Server or Policy Manager setup, as usual.

E.2.7 Sun One Directory Server v5 Issue

Problem

After creating a derived attribute that has any negatively-listed attribute as a match or lookup attribute, if you access the user profile the product stops working. The Sun One Directory Server v5 might crash and cause the Identity Server to crash. The following error will be displayed.

sldap.exe application error

Solution

Apply patch 6 (patch id 117667-06) to Sun One Directory Server 5.2.

E.2.8 Sun One Directory Server v5 SSL Issues

Problem

Oracle Access Manager servers might not be able to fulfill requests when Sun One Directory Server v5.1 and v5.2 are SSL-enabled.

Cause

The Sun One Directory Server v5.1 and v5.2 hang when there are more than 60 open SSL connections.

Solution

Apply patches to the Sun One Directory Server, as follows:

  • Sun One Directory Server 5.2: Apply patch 6 (patch id 117667-06)

  • Sun One Directory Server 5.1: Apply Service Pack 4

E.2.9 Sun One Directory Server 6.3: No such object error

Problem

When you attempt to load the iPlanet5_oblix_index_add.ldif to a Sun One directory server version 6.3:

IdentityServer_install_dir /oblix/data/common/iPlanet5_oblix_index_add.ldif

The following errors occurs:

No such object

Cause

In versions of the Sun One directory server before v6.3, the node under which Oracle Access Manager adds the user index is as follows:

cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

iPlanet5_oblix_index_add.ldif continues to use the earlier node structure for this directory server. However with Sun One directory server v6.3, the structure of the node has changed to create a node under:

cn=ldbm database,cn=plugins,cn=config

The name of this node is derived from the suffix node of the directory instance being used during this setup. For example, if the suffix node of the instance used in Oracle Access Manager is:

o=company,c=us

the Sun One directory server creates the following node:

cn=company,cn=ldbm database,cn=plugins,cn=config

To confirm the node where the user index should be loaded, check the value of its attribute:

nsslapd-suffix

The result should be same as the suffix node of the directory instance being used, with the cn=index node included:

cn=index,cn=company,cn=ldbm database,cn=plugins,cn=config

This is the node under which the index should be loaded.

Solution

  1. During Identity Server Installation with a Sun One v6.3 directory server, decline the automatic schema update.

  2. Following Identity Server installation, modify the iPlanet5_oblix_index_add.ldif file as follows:

    1. Locate iPlanet5_oblix_index_add.ldif in:

      IdentityServer_install_dir\identity\oblix\data.ldap\common\iPlanet5_oblix_
      index_add.ldif
      
    2. Replace the earlier node in iPlanet5_oblix_index_add.ldif:

      cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
      

      with the index node of your 6.3 directory instance; for example (using the example presented earlier):

      cn=index,cn=company,cn=ldbm database,cn=plugins,cn=config
      
  3. Use the Sun One directory server administration console (or any LDAP client) to manually upload the following schema ldif:

    IdentityServer_install_dir\identity\oblix\data.ldap\common\iPlanet_oblix_
    schema_add.ldif
    
  4. Upload the modified iPlanet5_oblix_index_add.ldif:

    IdentityServer_install_dir\identity\oblix\data.ldap\common\Planet5_oblix_
    index_add.ldif
    

E.3 File Ownership and Command Line Tools

All command line utilities and tools must be run as the user who installed the product, as described in the Oracle Access Manager Installation Guide. Oracle recommends that you do not attempt to change ownership or permissions on files after installation.

E.4 Identity System Issues

This discussion covers the following Identity Server issues that may arise:

E.4.1 Application Has Not Been Set Up

Under certain circumstances, you may want to reuse an existing Identity Server name. For example, you may want to use an existing Identity Server name if you need to remove an Identity Server instance from one computer and reinstall it on another computer.

If you do not delete the original Identity Server name from the System Console, a login following the set up of a new instance may result in the message "Application has not been set up". Special steps must be taken to ensure you can set up the application and login when recycling an Identity Server name.

For more information, see "Recycling an Identity Server Instance Name".

E.4.2 Cannot Set Up Identity System

When the Identity Server and WebPass are installed in Cert mode using certificates issued by a subordinate CA, you may see a blank page when you click the Identity System Console link to start Identity System setup. The event viewer may show a Oracle Access Manager error without specifying any cause.

When using certificates generated by a subordinate CA, the root CA's certificate must be present in the xxx_chain.pem along with the subordinate CA certificate. Both certificates must be present to ensure appropriate verification and successful Identity System setup.

See Also:

Information on transport security modes in the Oracle Access Manager Identity and Common Administration Guide.

E.4.3 Checking Access Server or Identity Server Availability

To see if Access Server is running, Telnet to it using the port it is listening to. The following is a Telnet session to an Access Server running on a server named myserver.mycompany.com running on Port 6021:

myserver% telnet myserver.mycompany.com 6021
Trying 192.168.5.18. . .
Connected to myserver.mycompany.com.
Escape character is '^]'.
^]
telnet> q
Connection closed.
myserver%

In the preceding example, the system's response:

Connected to myserver.mycompany.com.
Escape character is '^]'.

indicates that the Access Server accepted the Telnet request and is operational. If you cannot connect to the server on the port it was installed to listen on, there is a problem with the Access Server. Possible problems include:

  • The connection is blocked by a firewall

  • The server is not running

Check the firewall to see if the connection is open. Check the Access Server process to see if it is running. At the Access System server, you can use the netstat command to verify that the server is communicating through the ports you specified when you installed the Access Server.

E.4.4 Could Not Get Any DB Profile

Symptom: You receive a message "Could Not Get any DB Profile used by Identity2 during initialization of DBManager. Please verify that there exists enabled DB profile for Identity2".

Cause: This can occur when you:

  • Install a second (or later) Identity Server

  • Answer Yes during installation when asked if this is "the first Identity Server in the network for this LDAP directory server".

  • Restart the Identity Servers and Web servers.

Solution: Uninstall the Identity Server, then reinstall the Identity Server and answer No when asked if this is "the first Identity Server in the network for this LDAP directory server.

E.4.5 Identity Server Does Not Start

Symptom: During Identity System setup you are asked to restart the Identity Server and Web servers. After a long wait, the browser returns a message, "The page cannot be displayed".

Cause: Your Web browser may time out waiting for a Identity Server response after specifying directory server details and automatically configuring user object classes, and Group object classes because the schema update may exceed the browser's timeout.

Solution: Wait for a minute or so and refresh the browser to continue.

If the Identity Server does not start, there are three items you can check that may cause the issue.

To troubleshoot the Identity Server

  1. Ensure that the LDAP directory is clean. For example:

    • Is the configuration branch empty?

    • Does the configuration branch have the right data?

    • Does the configuration branch have data from a previous install with a different Identity Server entry?

  2. Confirm that the following files are correct and in the correct folder:

    • \IdentityServer_install_dir\identity\oblix\config\configinfo.xml

    • \IdentityServer_install_dir\identity\oblix\config\ois_server_config.xml

    • \IdentityServer_install_dir\identity\oblix\config\setup.xml

  3. Verify that the port chosen for the Identity Server is not already in use by another application.

E.4.6 IdentityXML Calls Fail After WebGate Install

IdentityXML calls require authentication credentials. If there is no WebGate protecting WebPass, then the basic credential mechanism is used. This takes the form of username and password embedded in the SOAP request itself. However, when a WebGate is installed later, then the IdentityXML calls must be changed to use a SSO token-based authentication.

The IdentityXML calls need to be changed to first obtain an OBSSOCookie, and then pass that token into all the subsequent calls. An example of how to do this is shown in the Oracle Access Manager Developer Guide. Look for details on code examples of deployed IdentityXML functions, and the ObSSOCookie Example.

E.4.7 WebPass Identifier Not Available After Setup

The Identity Server identifier that you enter during installation must be unique and must differ from the WebPass identifier that you enter during WebPass installation.

If the WebPass identifier you enter during installation matches the Identity Server identifier entered during the Identity Server installation, the WebPass identifier is not created and will not be available in the Identity System Console after setup.

To reconfigure the WebPass

Use the following steps to reconfigure the WebPass:

  1. Locate the setup_webpass utility. For example:

    WebPass_install_dir\identity\oblix\tools\setup\setup_webpass.exe
    

    where WebPass_install_dir is the directory where you installed the WebPass (c:\OracleAccessManager\identity, for instance).

  2. Run the setup_webpass utility with the following options:

    setup_webpass -i <WebPass_install_dir> [-q] [-n <WebPass ID>][-h <OIS hostname>] [-p <OIS port #>] [-s <open|simple|cert>][-P <simple|cert mode password>] [-c (request|install)][-W iis]
    

To change the WebPass password for simple/cert mode

Use the following steps to change the WebPass password for simple/cert mode:

  1. Locate the setup_webpass utility. For example:

    WebPass_install_dir\identity\oblix\tools\setup\setup_webpass.exe
    
  2. Run the setup_webpass utility with the following options:

    setup_webpass -i <WebPass_install_dir> -k
    

To reconfigure Webpass mode

Use the following steps to reconfigure Webpass mode:

  1. Locate the setup_webpass utility. For example:

    WebPass_install_dir\identity\oblix\tools\setup\setup_webpass.exe
    
  2. Run the setup_webpass utility with the following options:

    setup_webpass -i <WebPass_install_dir> -m
    

E.5 IIS and Windows Issues

Following are some general guidelines to follow when installing Oracle Access Manager Web components with IIS Web servers.

Account Privileges: The account that performs Oracle Access Manager installation must have administration privileges. The user account that is used to run the Identity Server and Access Server services must have the "Log on as a service" right, which can be set by selecting Administrative Tools, Local Security Policy, Local Policies, User Rights Assignments, Log on as a service.

IIS 6 Web Servers: You must run the WWW service in IIS 5.0 isolation mode. This is required by the ISAPI postgate filter. During Oracle Access Manager installation, this is usually set automatically. If it is not, you must set it manually for the Default Web site.

WebGate: When installing IIS WebGates, setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. For example, suppose you install the ISAPI WebGate in Simple or Cert mode on a Windows 2000 computer running the FAT32 file system. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored.

When installing WebGates for IIS and you want to enable form-based authentication and single-sign on (SSO), ensure that you install the WebGate in the same directory as the Policy Manager component. For example:


Default WebPass Directory: c:\Program Files\NetPoint\WebComponent\identity
Policy Manager or WebGate Directory:
c:\Program Files\NetPoint\WebComponent\access

E.6 Issues with Oracle Virtual Directory Implementations

You should be aware of several conditions that might affect your implementation with Oracle Virtual Directory:

For more information, see Chapter 10, "Setting Up Oracle Access Manager with Oracle Virtual Directory".

E.6.1 Directory Server Problems

Active Directory or ADAM Search Problem: With Oracle Virtual Directory and Active Directory or ADAM directory servers, you cannot search with the "That Sounds Like" operator.

Cause: Active Directory or ADAM directory servers do not support the "That Sounds Like" search.

Workaround: Do not use the "That Sounds Like" search with Active Directory or ADAM directory servers.

E.6.2 Error Accessing Policy Manager When Searchbases Differ in User Data Directory Profiles

Problem

An administrator cannot access the Policy Manager after entering valid credentials when multiple directory profiles use different searchbases.

For example, suppose the Identity Server connector is directly connected with the Oracle Internet Directory LDAP directory server and uses the direct searchbase. However, the Access System is connected to an adapter that interfaces with a load balancer that front ends the same LDAP directory server with a different searchbase:


Identity Server:
User Data Directory Profile Name: default_id1
Host:Port: stade65:7052
Identity Server contacts Oracle Virtual Directory for user data using OVD1 adapter.
Searchbase: cn=users,dc=us,dc=myco,dc=com

Policy Manager
Policy Manager User Data Directory Profile: setup_user_data
Policy Manager contacts Oracle Virtual Directory for user data using OID-LBR adapter.
Searchbase: cn=users,dc=us,dc=oidlbr,dc=com

Access Server
Access Server User Data Directory Profile: default_user_data
Access Server contacts Oracle Virtual Directory for user data using OID-LBR adapter.
Searchbase: cn=users,dc=us,dc=oidlbr,dc=com

Cause

The searchbase in each directory server profile must be the same.

Solution

Ensure that the searchbase in each directory server profile is the same.Ttake care to ensure that any directory server information provided in profiles is reachable and allows viewing of the Oblix tree.

E.6.3 Multi-Value Attribute Problems

You cannot modify multi-value attributes through a Change Attribute workflow.

Cause: The default Oracle Virtual Directory schema includes multi-valued attributes, as does the Sun Directory Server schema. The attribute syntax on Active Directory sometimes may not match. For example, the mail address in Active Directory is single-valued but on a Sun Directory Server and Oracle Virtual Directory this is multi-valued.

For example, when Oracle Virtual Directory is communicating with Active Directory and a Sun directory server if you create a Change Attribute workflow and try to change a multi-valued attribute (such as an mail address) for a user on the Sun Directory Server, the attribute is changed but on Active Directory the commit step fails and the attribute does not get changed.

Workaround: Do not change multi-valued attributes.

E.6.4 Oracle Virtual Directory SSL Listener Certificate Utility Flags

The Oracle Access Manager Installation Guide chapter on "Setting Up Oracle Access Manager with Oracle Virtual Directory", contains a procedure to configure the Oracle Virtual Directory SSL Listener. Step 8 of this procedure must contain the correct command-line syntax, as shown in the following example.

8. Import the root CA to the Identity Server using the following command:

certutil -d IdentityServer_install_dir\identity\oblix\config -A -n ldap -a 
-t "C,," -i root_ca_file

Note:

In the certutil command, the -t (trusted arguments) flag should be followed by the trust attributes that will be assigned to the certificate, enclosed in double-quotes.

E.6.5 Secondary Data Store Problems

  1. Sub-tree Search: With a database split profile, you cannot derive an attribute from an attribute that is present in the secondary table.

    Cause: Oracle Access Manager cannot perform a sub-tree search on an attribute from a secondary data store.

    Suppose, for example, if you used the mapping template CustomOracleDBMapping_mpy.xml and defined a derived attribute for InetOrgPerson as follows:

    • Attribute Name: MyAttr

    • Display Name: MyAttr

    • Match Attribute: employeenumber

    • Lookup Attribute: employeenumber

    • Object class: InetOrgPerson

    When you search for a user (Rohit for example) and view his profile, you can see the value for the employeenumber attribute but the myAttr value is blank.

    In the following example, there is a database and a split profile and the following adapter templates:

    CustomOracleAdaptorSplitPrimary_adapter_template.xml

    CustomOracleAdaptorSplitSecondary1-1_adapter_template.xml

    CustomOracleAdaptorSplitSecondary1-M_adapter_template.xml

    CustomAdapterJoinView_adapter_template.xml

    Workaround: Do not configure attributes from a secondary data store

  2. Create User Workflow: When defining a Create User workflow, Oracle Access Manager enables you to select attributes from the Oracle Virtual Directory secondary view. At run time, the user entries are created in the primary view; however, the workflow fails and these entries cannot be used by Oracle Access Manager.

    Cause: Oracle Access Manager gets all the attributes from Oracle Virtual Directory and therefore has no knowledge about which attributes are obtained from the primary data store, rather than the secondary data store.

    Workaround: Do not configure attributes from a secondary data store.

E.6.6 Unexpected Group Deletion Problem

When you set up Oracle Access Manager with a Oracle Virtual Directory virtual directory that federates at least one LDAP directory and at least one database table, then you try to remove a member from a group in the LDAP directory, the entire group is removed from that directory.

Cause: For performance reasons, Oracle Virtual Directory returns to Oracle Access Manager only the member you specify for deletion. By contrast, a "standard" LDAP directory server would return all the members in the group.

This non-standard Oracle Virtual Directory behavior has consequences when you try to use Identity System to delete a member from a group. Because a "standard" LDAP directory server returns all members of the group, Oracle Access Manager stills "sees" the rest of the members of the group after the one member has been deleted. But since Oracle Virtual Directory has returned to Oracle Access Manager only the single member of the group designated for deletion, Oracle Access Manager does not "see" any other group members after it deletes the returned member, so it assumes that the group is now empty and it deletes the group and all its members.

Important:

This is generic to all DN attributes, not just uniqueMember of a group. The workaround must be applied to all DN attributes where multiple values are a possibility.

Work Around: See the customized file shown in "Customized Mapping Script for Oracle Database" and pay attention to the following details to prevent the Identity System from writing dummy user to backend database:

Workaround to prevent COREid from writing dummy user to backend database
if haveAttributeValue('uniqueMember','cn=Dummy User'):
#removeAttributeValue('uniqueMember','cn=Dummy User')
if operation != 'modify':
removeAttributeValue('uniqueMember','cn=Dummy User')
else:
change = removeAttribute('uniqueMember')[0]
change.values.remove(DistinguishedName('cn=Dummy User'))
addEntryChange(change)

E.7 Installation Issues

The following issues arise during or immediately after installation:

E.7.1 Access Server Installation Halts

Symptom: The Access Server installation halts with a message explaining that there is no DB profile for this server.

Solution: Perform these steps:

  1. Navigate to the Access System Console from your browser by specifying the URL of the WebPass instance for the Policy Manager. For example:

    http://hostname:port/access/oblix
    

    where hostname refers to Web server host of the WebPass instance; port refers to the HTTP port number of the WebPass Web server instance; /access/oblix targets the Access System Console.

  2. Select the Access System Console link, then log in as a user with Master Administrator privileges.

  3. Select the Access System Configuration tab, Access Server Configuration in the left column, and AccessServer_Link.

  4. Click the Associate DB Profiles button at the bottom of the details page.

  5. Click the AccessServer_default_user_profile link at the bottom of the page.

  6. Confirm that AAA Servers is checked, with either All Servers or the appropriate servers identified.

  7. Confirm that the profile is enabled, at the bottom of the page.

  8. Click Save.

  9. Log out and continue the Access Server installation.

E.7.2 CGI Programs Do not Run After Installation

Symptom: Your Web server's CGI programs do not run after you install Oracle Access Manager.

Solution: Perform these steps:

  1. In the ../https:server name/config directory obj.conf file, add this line before the other Oracle Access Manager Init functions:

    Init fn="Init-cgi" timeout-300 LateInit="yes"
    

    Type the line exactly as shown.

  2. Restart your Web server.

E.7.3 File Replace Warning When Installing on Windows

Symptom: When installing a Identity Server on a new computer, sometimes the installer attempts to replace the winnt/system32/Msvcrt.dll file with an updated one. Because this file is locked by Windows, you get "File is locked cannot replace" message.

Cause: The installer sometimes attempts to replace a file that is locked by the Windows operating system.

Solution: Click Restart in the warning box to replace the DLL.

E.7.4 GUI Mode Issues

Problem

During the installation the Identity Server configuration screen asks to specify whether or not this is the first Identity Server for this LDAP directory server. However, the page seems to be missing the whole text.

Workaround

Resize the installer window slightly to force a redraw and refresh the content.

E.7.5 Installation Fails with a "bad credentials error (49)"

Symptom: Identity Server installation in GUI mode may fail with a "bad credentials error (49)", though the credentials are valid.

Cause: Known problems with third-party Installshield's ISMP framework. If any inputs supplied during installation contain the character $, the installer might interpret it unpredictably. For example, if the bind password supplied during the schema update for the first Identity Server is Admin$$, ISMP interprets this as Admin$ while invoking the schema update tool and the update fails citing a "bad credentials error(49)".

Suggested Workaround: If this problem is observed during invocation of a particular tool, you may run that tool from the command line.

Note:

Every Oracle Access Manager installer that uses the same password may also fail with a credential problem of some type.

E.7.6 Installer Hangs on Linux

Problem

Identity Server and WebPass installers for Red Hat Linux AS 3.0 hang after launching the installer, supplying the installation path, and pressing <Enter>, but before the installer sets up.

Solution

  1. Before you start the installation, paste the following into a shell window

    cd /tmp
       mkdir bin.$$
       cd bin.$$
       cat > mount <<EOF
       #! /bin/sh
       exec /bin/true
       EOF
       chmod 755 mount
    @    export PATH=`pwd`:$PATH
    
  2. Run your installation.

  3. When the installer is finished running, you may run the following command to clean the temporary directory:

    rm -r /tmp/bin.$$
    

E.7.7 Installer Prompts to Replace DLL Files

Symptom: During a subsequent Oracle Access Manager component installation on the same computer, or when installing a second instance of a component on the same computer, the user is prompted to replace one or more of the following DLL files even if the files had been updated during a previous installation:

  • messagedll.dll

  • mtl70mt.dll

Cause: The preceding DLLs are not Oracle Access Manager DLLs. Because these DLLs do not contain version information, Oracle Access Manager uses a DLL's data stamp to evaluate whether the file needs to be replaced. Upon subsequent installations, the user is prompted to replace the file because the date stamp is older.

Solution: Click OK to replace the DLLs.

E.7.8 Issue with Early Exit from Installation on Solaris

You may experience an issue when exiting from Oracle Access Manager component installation on Solaris before the installation completes. Early termination of the installer on Solaris may result in a core dump. In this case, the following message appears:

SIGABRT 6 abort (generated by abort(3) routine)
      si_signo [6]: ABRT
      si_errno [0]:
      si_code [-1]: SI_LWP [pid: 1724, uid: 0]
      stackpointer=FFBFD7D0
     "process reaper" (TID:0x72d588, sys_thread_t:0x72d4c0, state:NS, thread_t:
            t@54, threadID:0x0, stack_bottom:0x0, stack_size:0x0) prio=5
         ...

This is only a problem with the installer. It has no impact on the functionality of the Oracle Access Manager component that you installed.

E.7.9 Performing UNIX Installation in GUI Mode

Symptom: When starting a GUI installation on UNIX, you may receive a warning regarding fonts and scroll bars.

Solution: These warnings can be ignored. They indicate a change in the appearance of the installation wizard GUI.

E.7.10 Quitting a Windows Installation

Symptom: If you terminate the Windows installation wizard abnormally (such as by hitting Control + C or terminating it from the Task Manager), the wizard is not able to properly clean up its files and leaves a large amount of data in the TEMP directory.

Solution: Delete these files manually.

E.7.11 Running as Non-Root User When Installing on AIX

To run Install Shield as a non-root user on AIX, set the environment variable as:

AIX_ISMP_SUPPORT=NONROOT

E.7.12 Specifying Installation Directories

Install Oracle Access Manager components in directories that have only standard alphanumeric characters in their path name. Be sure that all file and path names include only English language characters. In file and path names, no international characters are allowed.

E.7.13 Testing Your Installation

Once you finish installing Oracle Access Manager, test your installation.

To test Oracle Access Manager installation

Use the following steps to test an Oracle Access Manager installation:

  1. Close all browsers.

  2. Shut down your Access Server.

  3. Try to open a page protected by Oracle Access Manager.

    You should receive an Oracle Access Manager operation error indicating it was unable to authenticate your login.

  4. Restart the Access Server and the Web server.

  5. Attempt to connect to the same page as in Step 3. The page you specified should open.

E.7.14 Unable to Leave Person Object Class Page

Symptom: You cannot get past the Person object class page during installation and setup.

Cause: Your directory schema is probably invalid.

Solution: Review the changes you made to the directory schema to see if you have done them correctly.

E.7.15 WebGate Installation with Apache Web Server on AIX

Symptom: You install WebGate on an Apache Web server running on AIX in SSL mode. You make changes to httpd.conf file from the sample.obj.conf file. The Apache Web server fails to start after changing the httpd.conf file. You may receive this message:

"Name of server certificate chain file is hardcoded as ca.cert in the httpd.conf file."

Solution: Change the Server-Certificate-Chain-filename to match the actual name of the server certificate chain file for the user.

E.8 Language Issues

Following are solutions to problems you may experience:

E.8.1 Garbled Password Message

Problem: When running the installer using the Console method with some language packs, the "Enter Password" string does not display correctly. The prompt asking you to enter the LDAP password may be garbled.

Solution: The solution that works in most cases is to install all of the language support available on the computer where the Oracle Access Manager installation is being performed. Be sure all of the fonts that are required for the language are installed. Log in to the computer locally and choose the language to display on the login screen.

E.8.2 Installing Additional Administrator Language Packs

Symptom: If you install additional Administrator Language Packs for Access System components (after installing the same Language Packs for the Identity System), you may not be able to view new Administrator languages in the Policy Manager.

Solution: Use the procedure that follows to enable new Administrator languages.

To enable additional Administrator languages for the Access System

  1. Install new Administrator languages for all Identity System components.

  2. Install new Administrator languages for Access System components.

  3. Use the Identity System Console to enable the Administrator languages as follows:

    • Disable the Administrator language, if previously enabled.

    • Enable the Administrator language (now installed on both the Identity and Access System components).

  4. Restart the appropriate Oracle Access Manager server services (Identity and Access Server services for example) and Web component (WebPass, Policy Manager, and WebGate) Web servers (Apache, IIS, or Sun ONE for example).

E.8.3 Installing Language Packs for Policy Manager and WebGate in Same Directory

Symptom: WebGate is not using the installed Administrator language when the installation sequence is Policy Manager, Language Pack, then WebGate in the same directory.

Cause: If you install the Policy Manager then a Language Pack then a WebGate in the same directory, the language is installed for the Policy Manager only. In this case, both the Policy Manager and WebGate share a common obnls.xml file.

Soution: Install the same Language Pack for the WebGate.

Symptom: Policy Manager is not using the installed language when the installation sequence is Policy Manager, Language Pack, then WebGate in the same directory.

Cause: During WebGate installation you may be asked if you want to overwrite the obnls.xml in the Policy Manager installation directory. Selecting "Yes" replaces the Policy Manager's obnls.xml file (which contains additional Language Pack entries) with a fresh obnls.xml file (which will not include listings for all installed languages). As a result, the Policy Manager will not be available in the additional Administrator language.

Solution: If you are asked during WebGate installation to overwrite obnls.xml in the Policy Manager installation directory, be sure to select "No". If you select "Yes", you must install all the same languages for the WebGate as you did for the Policy Manager.

E.8.4 Removing the Default Administrator Language Pack

Removing the Language Pack associated with the default Administrator language that was selected during installation is not supported.

If you accidentally uninstall the default Administrator language, you should be able to recover using the following procedure:

To restore the default Administrator language

  1. Create one options file, (options.txt, for example) with the following content for the default Administrator language you removed:

    -W ObPropBean.defaultLocale="ko-kr"
    

    where the value of ObPropBean.defaultLocale, "ko-kr" (Korean) in the preceding example, is the locale of the default Administrator language selected for this installation.

  2. Reinstall the default Administrator Language Pack for each component, as shown in the following example:

    Identity System:

    Oracle_Access_Manager10_1_4_3_0_KO_Win32_LP_Identity_System.exe
        -options options.txt
    

    Access System:

    Oracle_Access_Manager10_1_4_3_0_KO_Win32_LP_Access_System.exe 
        -options options.txt
    
  3. After reinstalling the default Administrator Language Pack for each component, restart the server services (Identity Server and Access Server) and Web servers Oracle HTTP Server or IIS for WebPass, Policy Manager, and WebGate.

E.9 Login Issues

This discussion covers the following issues that may arise during login:

E.9.1 Identity Server Logged You In, Access System Logged You Out

The message "Identity Server Logged You In, Access System Logged You Out" could be triggered by one or more events. For example:

  • You did not restart the Identity Servers after setting up Access System components.

  • The Identity and Access Servers are running on different computers and the clock is set to a different time.

    In this case, change the login slack parameter or synchronize system clocks.

  • You have protected the Identity System with a policy domain but not the Access System, or vice versa.

    Both systems must be protected.

  • The shared secret needs to be regenerated.

To regenerate a shared secret

  1. Delete the shared secret from the directory server.

  2. Log in to the Access System Console.

  3. Select Access System Configuration, Common Information Configuration, Shared Secret.

  4. Generate a new shared secret.

E.9.2 Windows 2000 Users Cannot Log in After Installation

Symptom: Users are unable to log in after Oracle Access Manager installation.

Cause: When you import user data into Active Directory, all passwords are cleared. This is a security feature of Active Directory.

Solution: In the Active Directory User and Computer MMC, be sure the Change password on next login check box is not selected. Have your users change their passwords.

In the Policy Manager, enable access control for the Password attribute. This forces users to create a service ticket to change their passwords.

E.9.3 Receiving Repeated Login Prompts

Symptom: Users receive repeated login prompts.

Cause: This can occur when you install Oracle Access Manager on a Web server that has security policies enforced through a Web browser.

Solution: Enable Oracle Access Manager security and disable the browser's security.

E.9.4 Unable to log in to Oracle Access Manager on IIS

Symptom: Users may experience unpredictable behavior when they attempt to browse the /identity or /access directory or click the System Console and Policy Manager links (such as receiving File Download dialog boxes).

Cause: This can occur when you install Oracle Access Manager on a Web server that has security policies enforced through a Web browser. When the Oracle Virtual Directory has "Scripts only" permission, users are unable to log in to either the Access System Console or Policy Manager.

Solution: Change the Oracle virtual directory's permissions from "Scripts only" to "Scripts and Executables".

To change permissions for the Oracle virtual directory

  1. Select the computer configured for Oracle Access Manager.

  2. Expand the Default Web Site.

  3. Right-click either identity or access (the virtual directory you created during Identity System or Access System install).

  4. Select Properties and select Scripts and Executables.

E.9.5 Restricting Access to Oracle Access Manager

Symptom: After installation, while Oracle Access Manager is protecting access to your resources, access to Oracle Access Manager itself is still unrestricted.

Solution: Use the Policy Manager to restrict access to Oracle Access Manager.

E.10 NPTL Requirements and Post-Installation Tasks

Earlier releases of Oracle Access Manager for Linux used the LinuxThreads library only. Using LinuxThreads required that you manually set the environment variable LD_ASSUME_KERNEL, which is used by the dynamic linker to decide what implementation of libraries is used. When you set LD_ASSUME_KERNEL to 2.4.19 the libraries in /lib/i686 are used dynamically.

Red Hat Linux v5 and later releases support only Native POSIX Thread Library (NPTL), not LinuxThreads. To accommodate this change, Oracle Access Manager is now compliant with NPTL specifications. However, LinuxThreads is used by default.

Oracle Access Manager uses either Native POSIX Thread Library (NPTL) or LinuxThreads. The default mode is LinuxThreads. To support the default, the start_ois_server and start_access_server will start in LinuxThreads mode. In this case, the variable LD_ASSUME_KERNEL is automatically set to 2.4.19. The message "Using Linux Threading Library." appears in the console and in the server's oblog file. However, if you start a server with the start_ois_server_nptl (or restart_ois_server_nptl) or start_access_server_nptl (or restart_access_server_nptl) scripts, NPTL mode is used. In this case, the message "Using NPTL Threading Library." appears in the console and in the server's oblog file.

Note:

On Linux, Oracle Access Manager Web components for Oracle HTTP Server 11g use only NPTL; you cannot use the LinuxThreads library. In this case, do not set the environment variable LD_ASSUME_KERNEL to 2.4.19.

When you use NPTL with Oracle Access Manager, there is no impact on custom plug-ins and APIs that you have created for Oracle Access Manager. When upgrading, you must still recompile custom plug-ins from Oracle Access Manager release 6.x using the GCC v3.3.2 C++ compiler. With NPTL, there is no requirement to set the environment variable LD_ASSUME_KERNEL to 2.4.19 when installing Web components or third-party connectors for use with Oracle Access Manager.

The NPTL-ready scripts include:

Note:

Standard stop scripts and the following standard setup scripts will operate successfully whether you use LinuxThreads or NPTL: start_setup_ois, start_setup_webpass, start_setup_access_manager, start_configureAAAServer, stop_snmp_agent, start_configureWebGate, and start_configureAccessGate.

The setup script for the SNMP agent, start_snmp_agent, includes an entry for LD_ASSUME_KERNEL. When using NPTL with Oracle Access Manager, you must remove or comment out the LD_ASSUME_KERNEL=2.4.19 environment variable from the following file:

SNMP Agent: start_snmp_agent

Note:

Oracle Access Manager servers can run using NPTL while Oracle Access Manager Web components use LinuxThreads (and vice versa). When installing Oracle Access Manager Web components or third-party connectors for use with NPTL, there is no need to set the environment variable LD_ASSUME_KERNEL to 2.4.19.

Use the following procedure as a guide when using or modifying scripts for NPTL and Oracle Access Manager.

To use NPTL with Oracle Access Manager

  1. Use NPTL versions of start scripts for the Identity Server and Access Server stored in:


    IdentityServer_install_dir/identity/oblix/apps/common/bin/
    start_ois_server_nptl

    AccessServer_install_dir/access/oblix/apps/common/bin/
    start_access_server_nptl
  2. SNMP Agent: Perform the following steps to remove or comment out the LD_ASSUME_KERNEL=2.4.19 environment variable from the start_snmp_agent script.

    1. Locate the start_snmp_agent script in the following path:


      SNMP_install_dir/oblix/apps/agent/bin/start_snmp_agent
    2. In a text editor, remove or comment out the following line:

      LD_ASSUME_KERNEL =2.4.19
      
    3. Save the file.

    4. Repeat for each SNMP Agent in your deployment.

  3. Use standard setup and stop scripts:


    start_setup_ois
    start_setup_webpass
    start_setup_access_manager
    start_configureAAAServer
    start_configureWebGate
    start_configureAccessGate
    stop_ois_server
    stop_access_server
    stop_snmp_agent
  4. Web Components or Third-party Connectors Using NPTL: Do not set the environment variable LD_ASSUME_KERNEL to 2.4.19 when using NPTL with Oracle Access Manager.

Known Issues: File Not Found Exceptions

You might see the following exceptions in the WebGate oblog.log file. There is no adverse impact on WebGate functionality:

Using NPTL Threading Library. 
2009/02/26@05:27:44.030874      24287   24321   INIT    ERROR   0x000003B6 
  ../oblistrwutil.cpp:192 "Could not read file"
  ../oblog_config.xml
Using NPTL Threading Library. 
2009/02/26@05:27:44.042332      24287   24321   INIT    ERROR   0x000003B6
  ../oblistrwutil.cpp:192 "Could not read file" 
  ..netlibmsg.xml

E.11 Platform-Specific Issues

The following topics describe platform-specific issues:

E.11.1 SELinux Issues

Delivered with Oracle Enterprise Linux, SELinux modifications provide a variety of security policies through the use of Linux Security Modules (LSM) within the Linux kernel.

SELinux requires performing additional steps after installing Oracle Access Manager Web components and before starting the associated Web server.

Problem

The following errors could be reported in WebServer logs/console when starting a Web server on Linux distributions that have more strict SELinux policies in place (after installing an Oracle Access Manager Web component):

$WPINSTALLDIR/identity/oblix/apps/webpass/bin/libwebpass.so: cannot restore 
segment prot after reloc: Permission denied. 

Cause

These errors are reported due to Secure Linux security context policies on files.

Solution

To avoid these errors and start the Web server, run following chcon commands to change the security context on files after installing each Oracle Access Manager Web component and before restarting the associated Web server. For more information on the chcon command, see your Linux documentation.

  1. All Web Components: Run chcon -t texrel_shlib_t PATH_TO_LIBWEBCOMPONENT.SO. For example:

    chcon -t texrel_shlib_t /WebPass_install_dir/identity/oblix/apps/webpass/ 
    bin/*.so 
    
  2. All Web Components: Run chcon -t texrel_shlib_t PATH_TO_LIBWEBPLUGINS.SO. For example:

    chcon -t texrel_shlib_t  /WebPass_install_dir/identity/oblix/lib/*.so 
    
  3. WebGates: Run chcon -t texrel_shlib_t PATH_TO_LIBWEBGATE.SO. For example:

    chcon -t texrel_shlib_t  /WebGate_install_dir/WebGate/access/oblix/apps/
    webgate/*.so 
    

E.11.2 Oracle Access Manager Components and Command-line Tools Might Fail with LinuxThreads

Symptom: Identity System components on Red Hat Linux v4 may fail with the new NPTL-based runtime libraries when "MAX_ROTATION_SIZE" is reduced to 10000 kb in the oblog_config.xml file.

Solution: Set the LD_ASSUME_KERNEL environment variable before starting the Web server and WebLogic and WebSphere components that integrate with the 10.1.4 Software Developer Kit and Oracle Access Manager Web components (WebPass, WebGate, and Access Manager). For example:

# export LD_ASSUME_KERNEL=2.4.19

This causes the Linux dynamic linker to use the old runtime libraries.

Note:

When running Oracle Access Manager, LinuxThreads is used by default. This requires setting the environment variable LD_ASSUME_KERNEL to 2.4.19. If you are using NPTL with Oracle Access Manager, you do not set LD_ASSUME_KERNEL to 2.4.19. For more information, see "NPTL Requirements and Post-Installation Tasks".

Symptom: Oracle Access Manager command-line tools on Linux platforms might crash.

Solution: To run Oracle Access Manager command-line tools on Linux v4 platforms, the LD_ASSUME_KERNEL environment variable must be set to a value of =2.4.19 at runtime because the older Linux threading model is supported (not the native posix thread library (NPTL)). If you are running a bash shell, the exact specification is as follows:

# export LD_ASSUME_KERNEL=2.4.19

The exact command might differ if you are using a different shell.

E.12 Policy Manager Issues

You need to set the TEMP environment variable to point to a valid directory. Oracle recommends that you do this for the entire system, as shown in Figure E-1. However, you can also set the TEMP variable for the IIS user.

Figure E-1 Setting the TEMP Environment Variable

Description of Figure E-1 follows
Description of "Figure E-1 Setting the TEMP Environment Variable"

Without this variable, the Policy Manager attempts to create temporary intermediate files in the root directory and if IIS doesn't have permission to create the files at that level, you may see an error in the following circumstances. For example:

E.12.1 Cannot Delete Policy Manager Policy Profile

Symptom: You receive the message, "You cannot delete the Directory Server Profile that accesses the Policy base." after uninstalling the optional Policy Manager and deleting the setup* and config* files in PolicyManager_install_dir. You may be able to delete the Policy Manager profile for user and configuration data from the Identity System Console, but not the profile for policy data.

Solution: After uninstalling the optional Policy Manager, you need to complete the steps that follow before you can remove remaining Policy Manager policy profiles.

To delete a leftover Policy Manager policy profile

To delete a leftover Policy Manager policy profile, use the following steps:

  1. Uninstall the Policy Manager.

  2. In the directory server, remove all oblix-related entries and be sure to delete the obpolicybase attribute from the top node. For example,

    o=Oblix,o=oblixdata,c=uk
    
  3. Restart the Identity Server.

  4. In the Identity System Console, delete the Policy Manager policy profile.

E.13 Reinstalling Oracle Access Manager with Oracle Internet Directory

If Oracle Access Manager will be removed and reinstalled with the same directory instance, only the Oracle Access Manager configuration tree(s) need be deleted. In this case, there is no need to remove the Oracle Access Manager schema from the directory instance. When reinstalling the Identity Server, select ÒNoÓ when asked if you want to update the schema (which is already present). Selecting ÒYesÓ results in an error message "schema already exists".

You remove the Oracle Access Manager configuration tree from the directory server instance using tools and instructions from your directory vendor. For Oracle Internet Directory, for example, you may use the Oracle Internet Directory Administration Console. However, you cannot simply delete the parent object because there are dependencies and recursive deletes are not possible.

Oracle recommends that you do not remove the Oracle Access Manager schema from Oracle Internet Directory using the Console. Instead, Oracle recommends that you use the LDIF files in component_install_dir\identity\access\oblix\data.ldap\common. For example:

When user data and configuration data reside in the same directory instance, only the OID_oblix_schema_delete.ldif needs to be used with the because it will also remove the user schema objects. However, when a separate directory instance hosts only user data the OID_user_schema_delete.ldif should be used. In either case, however, you must use the OID_oblix_schema_delete.ldif to remove the attribute index.

For steps, see Chapter 22, "Removing Oracle Access Manager".

E.14 Removal Issues

If a component installation terminates (or is terminated by you) after component files were extracted to the designated installation directory, you should run the Uninstaller for that component and then remove the installation directory before attempting to reinstall in the same location. If you simply delete the installation directory and attempt to reinstall the component in the same location, the vpd.properties file is left in an inconsistent state and reinstalling will not work.

For example, suppose you terminate a WebGate installation after component files were extracted, then you remove the installation directory manually rather than using the WebGate uninstaller. In this case, the extracted files are deleted but the vpd.properties file is not. This leaves the vpd.properties file in an inconsistent state that prevents successful installation.

The preferred method to avoid removal and reinstall issues is to run the component Uninstaller program, then remove the installation directory and then attempt to reinstall the component. However, you may manually remove the component installation directory (without running the Uninstaller) then back up and delete the vpd.properties, begin installing the component, then restore the vpd.properties file.

For more information, see Chapter 22, "Removing Oracle Access Manager".

E.15 Transport Security Mode Issues

Oracle Access Manager supports three different transport security modes: (Open, Simple, or Cert). While Open is initially easier to implement, it is not secure.

Rather than starting with open and changing later, Oracle recommends you install Oracle Access Manager with the desired transport security mode in place. Changing the transport security mode is outlined in the discussion that follows. For details, see the Oracle Access Manager Identity and Common Administration Guide.

To change transport security modes on the Identity System

  1. For each Identity Server, run the Identity Server certutil program located at IdentityServer_install_dir/identity/oblix/tools/certutil.

    You must configure the Identity Server before the WebPass. You do not need to use the same password and PEM keys for all Identity System components.

  2. For each WebPass, run the WebPass gencert program located at WebPass_install_dir/identity/oblix/tools/gencert.

To change transport security modes on the Access System

  1. For each Access Server, run the configureAAAServer program located at AccessServer_install_dir/access/oblix/tools/configureAAAServer.

    You must configure the Access Server before the WebGate. Use the same password and PEM keys for all Access System components.

  2. For each WebGate, run the configureWebGate program located at WebGate_install_dir/access/oblix/tools/configureWebGate.

E.16 User Directory Issues

The following issues pertain to directories.

E.16.1 Adding User to Replicated Directory

If you replicate your Sun directory server and make a change to a user, you are notified that the write will be delayed. However, you are not notified during new user creation.

New users appear in the Identity System pages that are configured against consumers the next time synchronization occurs between the supplier and its consumers.

Synchronization can either occur immediately or at scheduled times, depending on the replication agreement.

E.16.2 Data Corruption

Symptom: While using features in the System Console or in one of the Applications, Oracle Access Manager begins to display bug reports or error messages. This may occur because of corrupt data. Data corruption can be difficult to diagnose. Though data may appear to be valid as displayed in the directory interface tools, the actual data files may be corrupt. One way to verify this is to perform the same search using another tool such as ldapsearch. If the expected data is not returned, then the data is corrupt.

Solution: Consult with your directory vendor to determine the most appropriate solution. If possible, export the directory data to an LDIF and examine the LDIF for errors. If the data has obvious errors, correct these errors as appropriate and then import the corrected data.

E.17 Web Server Issues

The following issues with Web servers may arise:

E.17.1 Access Server Fails on an Apache Web Server

Symptom: You are running an Apache Web server, and an Access Server fails, displaying the following message:

libthread panic: cannot create new lwp
(PID: 9035 LWP 2). stackrace:
ff3424cc
0

This symptom may be caused by the Apache Web server launching more instances of itself. This can happen when the server determines that more instances are needed to service the number of connections between one or more WebGates and the Access Server.

The additional instances create even more connections, which exceed the number of connections by the Access Server.

Solution: Reduce the number of MinSpareServers, MaxSpareServers, StartServers, and MaxClients parameters.

Go to the Access Server's configuration directory and open the http.d configuration file.

Recommended parameter settings:

  • MinSpareServers 1

  • MaxSpareServers 5

  • StartServers 3

  • MaxClients 5

E.17.2 Apache v2 on HP-UX

When running Apache v2 on HP-UX, do not use nobody for User or Group, because shared memory may not work. Instead, use your login name as User Name with a group Group as "Oblix" (or "www" as User Name and "others" as Group Name). On HP-UX, "www" is equivalent to "nobody" on Solaris.

When running Apache v2 on HPUX 11.11, ensure that the AcceptMutex directive in the Apache httpd.conf file is set to "fcntl". If the directive is not present, add it to the httpd.conf file (AcceptMutex fcntl). For more information, see:

http://issues.apache.org/bugzilla/show_bug.cgi?id=22484

E.17.3 Apache v2 Bundled with Red Hat Enterprise Linux 4

After installing a WebPass or WebGate on vendor-bundled Apache, the Web server may give the following error upon startup:

Error: Cannot load libgcc_s.so.1 library - Permission denied. 

Solution: Change the Security-Enhanced Linux (SELinux) policy rules for Oracle Access Manager Web components as described in "Tuning Apache/IHS v2 for Oracle Access Manager Web Components".

E.17.4 Apache v2 Bundled with Security-Enhanced Linux

Errors might be reported in WebServer logs/console when starting a Web server on Linux distributions, which have stricter SELinux policies in place, after installing an Oracle Access Manager Web component. You can avoid these errors by running appropriate chcon commands for the installed Web component before restarting the Web server.

See Also:

"SELinux Issues"

E.17.5 Apache v2 on UNIX with the mpm_worker_module for WebGate

The following item is required only if you compile Apache v2 for WebGate on UNIX with the mpm_worker_module. In this case, you need to modify the thread.c file from the Apache source for the UNIX environment. Making this change ensures that the default pthread stacksize for WebGate produces optimal performance during multithreaded server implementation. If this change is not made, the default pthread stack size would not be sufficient for WebGate and could result in a crash.

Apache 2.0 does not support the ThreadStackSize option. Therefore:

  • With UNIX-based Apache v2.1 and later you must use the ThreadStackSize directive to set the size of the stack (for autodata) of threads that handle client connections and call modules to help process those connections.

  • With UNIX-based Apache 2, it is best to use the compilable source while adding the mpm_worker_module and changing the thread.c file to avoid a stack overflow.

The following procedure shows how to modify the Apache v2.0 thread.c file to provide the default pthread stacksize needed by WebGate for optimal performance during multi-threaded server implementation. For details about the Apache v2.1+ ThreadStackSize directive, see http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadstacksize.

Note:

The following procedure should be performed only for the Apache 2.0 WebGate. Otherwise, the default pthread stack size is not sufficient for the WebGate and could result in a crash.

To modify the Apache v2.0 thread.c file for WebGate in a UNIX environment

  1. Locate the thread.c file. For example:

    APACHE 2.0.52 source/srclib/apr/threadproc/unix/thread.c
    
  2. Locate the function named apr_threadattr_create(apr_threadattr_t **new,apr_pool_t *pool) in the following code segment:

    **new,apr_pool_t *pool) in the following code segment:
    1-----> apr_status_t stat; 
    2 
    3-----> (*new) = (apr_threadattr_t *)apr_pcalloc(pool, sizeof(apr_threadattr_t)); 
    4-----> (*new)->attr = (pthread_attr_t *)apr_pcalloc(pool, sizeof(pthread_attr_t)); 
    5 
    6-----> if ((*new) == NULL || (*new)->attr == NULL) { 
    7----->              return APR_ENOMEM; 
    8-----> } 
    9 
    10----->(*new)->pool = pool; 
    11----->stat = pthread_attr_init((*new)->attr); 
    12 
    13-----> if (stat == 0) { 
    14----->            return APR_SUCCESS; 
    15-----> } 
    16----->#ifdef PTHREAD_SETS_ERRNO 
    17----->stat = errno; 
    18----->#endif 
    19 
    20----->return stat; 
    21 
    
  3. Add the following code before line 13 shown earlier.

    int stacksize = 1 << 20; 
    pthread_attr_setstacksize(&(*new)->attr, stacksize);
    
  4. Run configure, make, and make install to set up the Apache Web server with the mpm_worker_module.

E.17.6 Domino Web Server Issues

Failure Authentication Event: For Domino Web servers, the redirection of a URL through Oracle Access Manager may not work if the authentication type is set as Basic Over LDAP and the URL to be redirected is mentioned as one of the following:

Either a relative path present on the same Web server
Or the Full path URL on the same Web server containing a computer name defined in the host identifier string combinations.

To overcome a failure authentication event, you must set the redirected URL with a computer name that is not defined under the host identifier group. For example, the IP address of the computer.

This problem does not occur with a form-based authentication type.

Header Variables: It may not be possible to pass header variables other than REMOTE_USER to WebGates installed on Lotus Notes Domino Web servers when using Client Certificate authentication scheme.

For example, header variables cannot be set on the one request where Client Certificate authentication occurs. However, all other requests do allow header variables to be set.

For more information, see Chapter 18, "Setting Up Lotus Domino Web Servers for WebGates".

E.17.7 Errors, Loss of Access, and Unpredictable Behavior

Symptom: If you installed Oracle Access Manager on UNIX under a different user ID than you used to create your Web server instance, Oracle Access Manager can become unstable. Users may experience behavior such as:

  • Random bug report pages

  • Failure to write to log file errors

  • Loss of access to Web pages

Solution: Change file permissions using the chown command. Change the Oracle Access Manager directory to the same user ID that you used to create your Web server instance.

E.17.8 Oracle HTTP Server Fails to Start with LinuxThreads

After installing a WebPass, WebGate, or Policy Manager instance on an Oracle HTTP Server, the server does not start up. This occurs because Oracle Access Manager uses an older Linux threading model.

Note:

When running Oracle Access Manager, LinuxThreads is used by default. This requires setting the environment variable LD_ASSUME_KERNEL to 2.4.19. If you are using NPTL with Oracle Access Manager, you do not set LD_ASSUME_KERNEL to 2.4.19. For more information, see "NPTL Requirements and Post-Installation Tasks".

Solution: When using LinuxThreads mode, comment out the Perl module in the httpd.conf file, update the LD_ASSUME_KERNEL environment variable, and restart, as described in the following procedure.

To resolve the failure to start Oracle HTTP Server in LinuxThreads mode

  1. Comment out the Perl module in the httpd.conf file in the following location:

    Oracle HTTP Server 11g: ORACLE_INSTANCE/config/OHS/<ohs_name>/httpd.conf

    Oracle HTTP Server v2: OH$/ohs/conf/httpd.conf

    Oracle HTTP Server v1.3: OH$/Apache/Apache/conf/httpd.conf

  2. To update the LD_ASSUME_KERNEL value, open the following file in a text editor:

    OH$/opmn/conf/opm.xml
    
  3. Find the following line:

    <process-type id="HTTP_Server" module-id="OHS">
    
  4. 
    

    Add the following information under the line you found in the previous step:

    <environment>
    <variable id="LD_ASSUME_KERNEL" value="2.4.19" />
    </environment>
    
  5. Save this file.

  6. Run the following commands to implement your changes:

    opmnctl stopall
    opmnctl startall
    

E.17.9 Oracle HTTP Server WebGate Fails to Initialize On Linux Red Hat 4

This situation might arise whether you are using Oracle Access Manager with LinuxThreads or NPTL

Symptom: WebGate fails to initialize when installed on an Oracle HTTP Server running Red Hat Enterprise Server version 4.0 with a kernel version lower than 2.6.9-34.EL. Version 2.6.9-34.EL is supplied with the Red Hat version 4, update 3.

Solution: To prevent this problem, you must upgrade to Red Hat version 4, update 3 or higher.

E.17.10 Oracle HTTP Server Web Server Configuration File Issue

Problem

With Oracle Application Server 10.1.x, OC4J, when the httpd.conf file is modified automatically during WebGate installation, it can be corrupted.

Solution

Before installing WebGate, run the following command to prevent the httpd.conf file from being overwritten.

$ORACLE_HOME/dcm/bin/dcmctl updateConfig -ct ohs 

E.17.11 Issues with IIS v6 Web Servers

On IIS 6 Web servers only, you must run the WWW service in IIS 5.0 isolation mode, which is a requirement of the ISAPI postgate filter. This scenario will work if you have 32-bit Oracle Access Manager binaries running on a 32-bit Windows operating system. However, there is an issue if you attempt to run a 32-bit postgate.dll on a 64-bit Windows machine with IIS running in 32-bit mode.

Problem

When running IIS in IIS5.0 isolation mode, you see the following message:

"ISAPI Filter 'C:\webgate\access\oblix\apps\webgate\bin\webgate.dll' could not be loaded due to a configuration problem.

Cause

The current configuration only supports loading images built for an AMD 64-bit processor architecture. The data field contains the error number.

Solution

To learn more about this issue, including how to troubleshoot this kind of processor architecture mismatch error, see the following Web site:

http://go.microsoft.com/fwlink/?LinkId=29349

For more information, see Help and Support Center at:

http://go.microsoft.com/fwlink/events.asp

Problem

IIS5 never existed as 64-bit. However, IIS v6's IIS5 Compatibility Mode on 64-bit Windows computers only runs as 64-bit.

Cause

It is architecturally impossible run IIS5 Isolation Mode 32- bit on 64-bit Windows, as described in documentation available through the following URLs:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.pu
blic.inetserver.iis&tid=5dd07102-8896-40cc-86cb-809060fa9426&cat=en_US_
02ceb021-bb43-476d-8f8f-6c00a363ccf5&lang=en&cr=US&p=1
http://blogs.msdn.com/david.wang/archive/2005/12/14/HOWTO-Diagnose-one-cause-of-W3
SVC-failing-to-start-with-Win32-Error-193-on-64bit-Windows.aspx

E.17.12 PCLOSE Error When Starting Sun Web Server

Symptom: When attempting to start the Sun Web server, you get an error like the following:

Unable to start, PCLOSE

Solution: A number of problems can cause this error:

  • A syntax error in your obj.conf file

  • Leading spaces in your obj.conf file

  • Installing Oracle Access Manager as a different user ID than what you used to create your Web server instance

  • A carriage return at the end of the obj.conf file

E.17.13 Removing and Reinstalling IIS DLLs

When Oracle Access Manager is running with Microsoft's IIS Web server, you must manually uninstall and reinstall the following ISAPI filters when reinstalling Oracle Access Manager.

  • tranfilter.dll

  • oblixlock.dll (if you installed WebGate)

  • webgate.dll (if you installed WebGate)

To remove and reinstall IIS DLLs

  1. Uninstall Oracle Access Manager.

  2. Manually uninstall the preceding DLLs.

  3. Reinstall Oracle Access Manager.Active Directory.

  4. Manually reinstall the DLLs.

Note:

These filters can change depending on the version of IIS you are using. If these filters do not exist or there are others present, contact Oracle to determine if the filters that are present need to be removed.

E.18 WebGate Issues

The following issues may arise with WebGate:

E.18.1 Access Server and WebGate Naming

Access Servers and WebGates cannot be named using non-English keyboard characters.

Descriptions on the Modify AccessGate page of the Access System Console are case insensitive. For example, if you change capitalization of the description but do not alter any other details, you will see no change after the save. To work around this problem, add or alter other information so that the change is recognized.

To change capitalization in an AccessGate description

  1. Navigate to the Access System Console, Access System Configuration, AccessGate Configuration.

  2. Search for a particular AccessGate or just select the Go button to display a list of all AccessGates.

  3. Double-click the link to the WebGate you want to change.

  4. Click Modify at the bottom of the page.

  5. Enter a new description with the capitalization you would like some new information. For example:

    From: webgate

    To: WebGate with IIS 6.0

E.18.2 Enabling WebGate Diagnostics

After WebGate installation and configuration, point your browser to the following URL for WebGate diagnostics:

http(s)://host:port/access/oblix/apps/webgate/bin/webgate.cgi?progid=1

Host and port are the WebGate's hostname and Web server instance port number. If the diagnostics page does not open, the WebGate was installed improperly.

E.18.3 Error Messages After Installing WebGate

Symptom: If you are running an Access Server with debugging enabled on a Solaris computer, then install a WebGate on a Windows server that uses that Access Server, you will probably see messages like the following in the Access Server's debug log:

Got a client!
SSL handshake failed:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Solution: These messages are harmless and may be ignored.

E.18.4 Installing WebGate and an Identity Server in Same Directory

To provide maximum protection for the Identity System, install the WebGate and Identity System in the same directory.

E.18.5 Receiving Access Server Down Errors

Symptom: When attempting to connect, you receive errors indicating that your Access Server is down.

Solution: The clocks of computers hosting various Oracle Access Manager components must be synchronized to within 75 or fewer seconds of each other. If the clocks are out-of-sync by more than 75 seconds, installation will fail.

E.18.6 WebGate Cannot Connect to Access Server

Symptom: You get the following error when you attempt to start the Identity System:

Access Server error
WebGate cannot connect to Access Server

Cause: When configuring a WebGate in the System Console, you must link each WebGate with at least one Access Server.

Solution: In Policy Manager, associate your WebGate with an Access Server. Then configure WebGate.

E.18.7 Oracle HTTP Server WebGate Fails to Initialize On Linux Red Hat 4

Symptom: WebGate fails to initialize when installed on an Oracle HTTP Server running Red Hat Enterprise Server version 4.0 with a kernel version lower than 2.6.9-34.EL. Version 2.6.9-34.EL is supplied with the Red Hat version 4, update 3.

Solution: To prevent this problem, you must upgrade Red Hat version 4 to update 3 or higher.

Note:

When running Oracle Access Manager, LinuxThreads is used by default. This requires setting the environment variable LD_ASSUME_KERNEL to 2.4.19. If you are using NPTL with Oracle Access Manager, you do not set LD_ASSUME_KERNEL to 2.4.19. For more information, see "NPTL Requirements and Post-Installation Tasks".

E.18.8 Logout Not Working with Client Certificate Authentication

Problem

The logout mechanism kills/removes the ObSSOCookie. After logout, access in the same browser session to the original resource protected with client certificate authentication will not result in a re-challenge for authentication.

Cause

With client certificate authentication, the browser the certificates used for authentication by the Access Server with each request. Using these certificates, the Access Server authenticates the previously logged in user without prompting for authentication (user certificates). This creates a new ObSSOCookie.

Solution

Close the browser window after logout.

E.19 Miscellaneous Issues

The following are miscellaneous issues:

E.19.1 Unable to Flush the Cache

Symptom: If the Policy Manager uses Simple or Cert transport security mode, flushing the cache from Policy Manager requires certificates. If your Policy Manager is protected by a WebGate that was installed in Simple or Cert mode, the certificates exist and there is no problem. However, if you did not install WebGate in Simple or Cert Mode, you cannot update Access System caches because the Policy Manager will not be able to communicate with the Access Servers.

Solution: For an installation that has no WebGate, use the GenCert tool to generate the certificates. This tool is stored at IdentityServer_install_dir/identity/oblix/tools, where IdentityServer_install_dir is your Identity Server installation directory.

To generate certificates for cache flushing, type

genCert install_dir

IdentityServer_install_dir is your Identity Server installation directory. You must be the user with the permissions to write files into the installation directory.

E.19.2 Giving View Rights to the Master Administrator

The Master Administrator is specified during Oracle Access Manager installation and setup. Even though this is the highest-ranking Master Administrator, this role does not have view rights for attributes until this right is specifically assigned to it.

The administrator must have permission to view the cn attribute (usually configured as Full Name) at the top level of the directory tree. Then the administrator can configure Access Control for attributes for others.

See Also:

Refer to the Oracle Access Manager Identity and Common Administration Guide for instructions on completing this task

E.19.3 Idle Session Time, Maximum Cookie Session Time

Symptom: When using either Simple or Cert transport security mode, the user's browser caches the credentials and automatically resends them when a WebGate session times out.This causes the illusion that the timeout settings are not working when in fact a new authentication exchange is taking place without any action on the user's part.

Solution: Use form-based authentication. The browser does not cache form-based authentication information.

E.19.4 Loading the Directory in Secure Mode

Loading your directory can take much longer when SSL is activated. You can load your directory, then activate SSL on the Web server and directory server.

E.19.5 Peer Does Not Use Oracle Access Protocol

Symptom: When a non-Oracle Access Manager program that is set to an incorrect TCP port tries to communicate with your Access Server, you receive an error in your Access Server's debug output. Your Access Server's debug output displays the following error:

Peer does not use NetPoint Access Protocol. Connection dropped.

Other than the message in your Access Server's debug output, there probably is no impact to your Oracle Access Manager installation. However, the non-Oracle Access Manager peer attempting to communicate with the Access Server will probably fail.

Solution: Check your TCP port numbers. Something is connecting to the wrong thing.

E.19.6 Receiving Bug Report After Replication Attempt

Oracle Access Manager does not support replication with Sun by default.

Symptom: After making a write to a Sun consumer/slave, you get a bug report form.

Solution: To update the enableLDAPReferral parameter:

  1. Open the ldapconfigdbparams.xml file in a text editor. This file is stored in two locations, and both must be edited:

    • IdentityServer_install_dir/identity/oblix/data/common/ldapconfigdbparams.xml

    • Access_Server_install_dir/access/oblix/data/common/ldapconfigdbparams.xml

  2. Change the enableLDAPReferral parameter to true.

  3. Save your changes.

  4. Restart the consumer/slave's Web server.

E.19.7 Search and Query Error Message (Defect 4547)

Symptom: When performing a search or a query, you receive a "Bad request" message.

Cause: Your search or query string is too long for your browser. Browsers handle search and query strings as URLs. They generate an error if the string exceeds the maximum URL length.

Solution: Shorten the search or query string.

E.19.8 Identity Server Logged You in but Access System Logged You Out

Symptom: You receive the message "Identity Server logged you in but Access System (Policy Manager or System Console) logged you out." This occurs when the Access Domain policy is disabled and the Identity Domain policy is enabled when logging into the Policy Manager as a valid user.

Solution: For security reasons, both the Policy Manager (/access) policy and Identity Domain (/identity) policy must be enabled and protected when logging in to the Policy Manager.

To make FrontPage work correctly with Oracle Access Manager, the settings for IIS must be set up to allow Oracle Access Manager to do all of the authentication and authorization.

To allow Oracle Access Manager to do all authentication and authorization

  1. The Web server needs to run as a user that has full control of all directories containing Web content.

  2. Use the Web server MMC and click the directory security tab.

  3. Click the anonymous user and authentication Edit button.

    Make sure that only the allow anonymous users check box is checked. Un-check the other two (basic authentication and nlm authentication)

  4. Add the Web server process user (such as IUSR_OBLIX) to the FrontPage admins by using the FrontPage server admin tools (these are different for every version of FrontPage.