This chapter describes issues associated with Oracle Directory Integration Platform. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
If the source directory is heavily-loaded, a race condition may occur where database commits cannot keep pace with updates to the lastchangenumber. If this race condition occurs, Oracle Directory Integration Platform may not be able to synchronize some of the changes.
To work around this issue, perform the following steps to enable database commits to keep pace with the lastchangenumber:
Increase the value of the synchronization profile's Scheduling Interval.
Control the number of times the search is performed on the source directory during a synchronization cycle by setting the searchDeltaSize parameter in the profile. Oracle suggests starting with a value of 10, then adjusting the value as needed.
When a synchronization profile is initialized, the debugging log level for the Oracle Directory Integration Platform application is set to the debugging log level configured for that synchronization profile. If you have synchronization profiles configured with different debugging log levels, you may see various levels of information in the Oracle Directory Integration Platform application's logs.
To work around this issue, set the debugging log level in all synchronization profiles to the same level.
If you stop the Oracle Directory Integration Platform application during synchronization, the synchronization process that the Quartz scheduler started will continue to run.
To work around this issue, restart the Oracle WebLogic Managed Server hosting Oracle Directory Integration Platform or redeploy the Oracle Directory Integration Platform application.
When synchronizing from Sun Java System Directory Server (iPlanet) or IBM Tivoli Directory Server, if the change log is not enabled in these third-party directory servers, the manageSyncProfiles utility may fail to register synchronization profiles and the
Profile Initialization Failure message may appear.
If you encounter this issue while attempting to update or register synchronization profiles for Sun Java System Directory Server (iPlanet) or IBM Tivoli Directory Server, ensure the change log is enabled in the third-party directory server.
syncProfileBootstrap utility, which performs the initial migration of data between a connected target directory and Oracle Internet Directory based on a synchronization profile or LDIF file, is not supported for SSL mode 2 (Server-Only Authentication).
syncProfileBootstrap utility is supported only for SSL mode 0 (No SSL) and SSL mode 1 (No Authentication).
At the time of publication of these Release Notes, the DIP Tester utility is not supported for Oracle Directory Integration Platform 11g Release 1 (11.1.1).
Monitor My Oracle Support (formerly MetaLink) for updates regarding DIP Tester support for Oracle Directory Integration Platform 11g Release 1 (11.1.1). You can access My Oracle Support at
While the DIP Tester utility is not currently supported for Oracle Directory Integration Platform 11g Release 1 (11.1.1), you can use the manageSyncProfiles command and its testProfile operation to test a disabled synchronization profile to ensure it will successfully perform synchronization. Refer to the "Managing Synchronization Profiles Using manageSyncProfiles" section in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management for more information about the testProfile operation.
If the Oracle Directory Integration Platform (DIP) server is configured with Sun JDK version 1.6.0_16+ or BEA JRockit version 1.6.0_14+, you may see the following PKCS11 exceptions intermittently in the
wls_ods1.out log files under DIP server logs directory:
Exception in thread "Thread-236" java.security.ProviderException: doFinal() failed at sun.security.pkcs11.P11Cipher.implDoFinal(P11Cipher.java:720) at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:488) Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OPERATION_NOT_INITIALIZED at sun.security.pkcs11.wrapper.PKCS11.C_DecryptFinal(Native Method) at sun.security.pkcs11.P11Cipher.implDoFinal(P11Cipher.java:713) Exception in thread "Thread-88" java.security.ProviderException: update() failed at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:548) at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:448) Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OPERATION_NOT_INITIALIZED at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method) at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:501)
You can safely ignore these exception messages. They do not affect any functionality.
This section describes configuration issues and their workarounds. It includes the following topics:
When configuring Oracle Directory Integration Platform against an existing Oracle Internet Directory—using either the installer's Install and Configure installation option or the Oracle Identity Management 11g Release 1 (11.1.1) Configuration Wizard—you must specify the hostname for Oracle Internet Directory using only its fully qualified domain name (such as myhost.example.com). Do not use
localhost as the Oracle Internet Directory hostname even if Oracle Directory Integration Platform and Oracle Internet Directory are collocated on the same host.
If you use
localhost as the Oracle Internet Directory hostname, you will not be able to start the Oracle WebLogic Managed Server hosting Oracle Directory Integration Platform.
The foreign security principal file for Microsoft Active Directory, activeimp.cfg.fsp, that was included in Oracle Directory Integration Platform Release 10g, is not included in 11g Release 1 (11.1.1). This file is required if you are synchronizing entries from multiple domain controllers and also global groups involving foreign security principals as members. The activeimp.cfg.fsp should be in the $ORACLE_HOME/ldap/odi/conf/ directory.
To work around this issue, create the activeimp.cfg.fsp file by opening a text file and entering the following information
Note:In the following example, DOMAIN_B and DOMAIN_C represent the trusted domains for DOMAIN_A. PROFILE_NAME_FOR_DOMAIN_B and PROFILE_NAME_FOR_DOMAIN_C represent the profiles used to synchronized domains B and C respectively.
[INTERFACEDETAILS] Reader: oracle.ldap.odip.gsi.ActiveReader [TRUSTEDPROFILES] prof1: PROFILE_NAME_FOR_DOMAIN_B prof2: PROFILE_NAME_FOR_DOMAIN_C [FSPMAXSIZE] val: 1000 *
There are no known documentation issues at this time.