This chapter describes issues associated with Oracle Adaptive Access Manager. It includes the following topics:
This section describes patch requirements for Oracle Adaptive Access Manager 11g Release 1 (11.1.1). It includes the following sections:
To obtain a patch, log in to My Oracle Support (formerly OracleMetaLink) using the following URL, click Patches & Updates, and search for the patch number:
Install the patch by following the instructions in the README file included with the patch.
After installing Oracle Identity and Access Management (126.96.36.199.0) and before running the domain configuration tool, you must install the patches for bugs 9817469 and 9882205.
The patches are not optional but critical for running the OAAM Admin console in the high availability clustered environment, which is the only supported deployment.
Table 33-1 lists patches that resolve the known issue.
|Patch Number / ID||Description and Purpose|
The description of this patch on My Oracle Support is "SWITCHING TASKFLOWS WITH DATA-SCOPE ISOLATED THROWS EXCEPTION WITH AMPOOLING=FAL."
The description of this patch on My Oracle Support is "ADFC: CREATING AN IDSTORE IN CONSOLE EXPOSES CREDENTIALS IN PLAIN TEXT IN LOGS."
This section describes general issues and workarounds. It includes the following topics:
This section describes general user interface issues.
In the OAAM Fraud Prevention Page, navigation using the browser's Back button and then the Forward button might cause all open tabs to close.
Avoid using the browser's Back button for navigation.
This section describes issues with policy, rule, and group features.
An error message is not displayed when you try to create a group with an existing group name. The group with the duplicate name is not created, but you will not see an error message.
The Add button in the Add Members dialog box becomes disabled for the following scenario:
Open an existing group.
The Add Members dialog box appears and the Search Results table is empty.
In the Add Members dialog box, choose the option to search and select from the existing elements.
A list of elements appear in the Search Results table.
From Search Results table, select the first element and then click the Add button.
To delete the member you just added, select the member in the Members tab and then click Delete.
When the list of elements appears in the Search Results table, the element you deleted previously is already selected and the Add button is disabled.
To enable the Add button, you will have to select another element and then go back and select the original element.
If only one element exists to choose from, you will not be able to enable the Add button and add that element to the group.
As a workaround, if there is only one element to choose from:
Select the Create New option in the Add Members dialog box. The Search Results table disappears.
Now, choose the option to search and select. When the Search Results table reappears, the Add button is enabled. You will be able to select the element and Add it to the group.
As a workaround, if there are more than one element to choose from, click another element and then go back to the original and then add it.
If you set the status of an attribute to Deleted in a pattern, the attribute will not appear in the user interface and you will not be able to reuse it.
If you do not want to use the attribute, set the status to Inactive instead of Deleted.
This section describes a Knowledge-Based Authentication feature issue.
This section describes a Transaction issue.
For the Transaction Definition, in the Transaction tab, if you try to delete a row, but click Cancel in the Delete Row confirmation dialog in the Source or Data tabs, you will not be able to delete that row again.
The warning message, "No Data Elements are selected for delete," is shown even if you select the row.
This section describes issues dealing with import, export, and snapshots.
If you type in an incorrect file path for any import file dialog box in Internet Explorer 7 (IE7), the import file dialog box becomes unusable and you cannot close it.
As a workaround, log out of the application and log back in.
When you are restoring a snapshot from a file, a validation check is run when you click Continue. You are then asked to enter a name and notes even if you do not want to take a current snapshot.
As a workaround, you should select Back Up Current System, enter your name and notes, deselect Back Up Current System, and click Continue to bypass the validation check.
This section describes issues pertaining to audit, log, and performance.
The execution and processing labels used in Oracle Enterprise Manager are different from the ones used in the Oracle Adaptive Access Manager Dashboard.
The mappings are as follows:
|Report||Fusion Middleware Control||Oracle Adaptive Access Manager Dashboard|
|Policy Execution Summary||Average Execution Time||Average Policy Process Time|
|Rules Execution Summary||Average Execution Time||Average Rule Process time|
|Rules Processing Summary||Average Execution Time||RulesAPI.processRules|
The Add, Update, Delete Overrides audit events use the deprecated term "Override" instead of "Trigger Combination." The audit events are also not captured in the audit.log.
The response time is slow for Select All and Bulk actions in tables. This occurs mainly for KBA and group elements.
For example, response time is slow for activating all KBA questions or deleting all group members.
The Update Rule Param Value audit event is triggered:
Whenever a condition is selected and the condition details are displayed. The rule condition value in the rule has not changed.
When a user make changes to rules (for example, rule name)
When you make a change to the rule and click the Apply button, the Update Rule Param Value audit event is triggered. Even though there had been only one modification, the following three audit events are also triggered:
The extra events are triggered because Apply and Revert are global actions; therefore the entire state is saved. On the other hand, Save and Cancel are detail level actions.
Certain error and warning messages appear in log files even when there are no issues with the user interface. Table 33-2 lists error/warnings that can be ignored.
'....' indicates additional contextual text
||Error Message||Description / Comments|
Couldn't load properties file bharosauio_client.properties
This message may occur during server startup when an attempt is made to load the file. The file is not a requirement; therefore this message can be ignored.
The DocumentChange is not configured to be allowed for the component: .....
This message is from the ADF Filtered Change Persistence Manager. It can be ignored.
shadow[some text]: No shadow row found for ....
The message is generated when a history row is not found in the database for some server artifacts, when the row is inserted for the first time for that artifact. Since the history rows are rebuilt if they are not found, this message can be ignored.
Element for value= -1 not found for enum ....
This message is generated when the default value of the enumeration is used to convey an unused or unselected item from the enumerated lists in the server or user interface. Since the (-1) is interpreted as an unused value, this message can be ignored.
Could not find selected item matching value "0" in RichSelectOneChoice ....
The message is generated from the user interface classes when attempts are made to match selected values with choices. In some cases, the selected value of 0 may not have attached a choice and that is when this message is generated. This message can be ignored.
DocumentChange will not be persisted because the target component of DocumentChange is a stamped component or is in the subtree of a stamped component. Target component reference....
The message is informational and from the ADF MDS Filtered Change Persistence Manager. It can be ignored.
Error instantiating class - oracle.adfdtinternal.view.faces.portlet.PortletDefinitionDTFactory
The message is generated by the user interface code when attempts are made to upload portlets. Since the Oracle Adaptive Access Manager implementation does not use this class, this message can be ignored.
Could not find saved view state for token ....
This message is from the ADF view layer and occurs if the user cut and pasted the OAAM Admin URL.
ADFv: Unable to find matching JSP Document Node for: ....
This message is from ADF view layer.
This section describes globalization issues.
In any of the search panels, the timestamp criteria input field uses a fixed format rather than a format based per the locale.
As a workaround, use the date-picker to select the timestamp instead of manually entering it.
This section describes configuration issues and their workarounds. It includes the following topics:
The values for the
Rule.Action.Enum Action fields like ChallengeSMSTextPad, ChallengeSMSPinPad, and others, are not specified for the From Action and To Action fields in the Policy Set.
The workaround is to set the value of these properties to true using the Properties Editor:
rule.action.enum.ChallengeSMSTextPad.enabled rule.action.enum.ChallengeSMSPinPad.enabled rule.action.enum.ChallengeEmailTextPad.enabled rule.action.enum.ChallengeEmailPinPad.enabled rule.action.enum.SmsChallenge.enabled rule.action.enum.EmailChallenge.enabled rule.action.enum.NextQuestion.enabled rule.action.enum.RegisterImageTextPad.enabled rule.action.enum.RegisterImagePinPad.enabled rule.action.enum.RegisterImageKeyPadFull.enabled rule.action.enum.RegisterImageKeyPadAlpha.enabled rule.action.enum.RegisterImageKeyPadAlphaTurk.enabled rule.action.enum.RegisterImageQuestionPad.enabled rule.action.enum.Token.enabled rule.action.enum.OTPChallengeEmail.enabled rule.action.enum.OTPChallengeSMS.enabled rule.action.enum.OTPRegister.enabled rule.action.enum.OTPBlock.enabled
The OAAM Servers function on IPv6 enabled dual stack servers with reduced functionality. End user IP addresses in IPv4 format are used in fraud policies and rules management. This may not be an issue as IPv4 format is used across networks and OAAM Server obtains IPv4 based IP address. When end user IP addresses are in IPv6 form, rules evaluating user, device, application data (transactions/events) and other contextual data will function as expected. However, location rules will evaluate against a private dummy IP (127.0.0.99) in place of the actual v6 form IP. The OAAM Admin console will display private dummy IP (127.0.0.99) in place of the actual v6 form IP. To support location-based rules a change in database schema and an application change to support Groups, Ranges, Listing and Details pages are required. In addition, IPv6 support from geolocation data vendors is needed for advanced location rules-based on geolocation, velocity, connection settings, and others.
In an Oracle Access Manager and Oracle Adaptive Access Manager integration deployment, if an end user enters a non-ASCII username or non-ASCII password to authenticate himself, an error occurs with the following message:
Sorry, the identification you entered was not recognized. Please try again
To work around this issue, perform the following steps for the OAAM Server-related Manager Server:
PRE_CLASSPATH to ORACLE_HOME/common/lib/nap-api.jar.
For C shell:
setenv ORACLE_HOME "IDM_ORACLE_HOME" setenv PRE_CLASSPATH " $ORACLE_HOME/common/lib/nap-api.jar"
For bash/ksh Shell:
export ORACLE_HOME= IDM_ORACLE_HOME export PRE_CLASSPATH="$ORACLE_HOME common/lib/nap-api.jar"
Start OAAM Server related Manager Server.
If both Oracle IDM 11gR1 home and Oracle Identity and Access Management (188.8.131.52.0) home are installed, then during case creation, if a server failover occurs, a
java.lang.InstantiationException error may appear in the logs.
There is no loss of functionality as the case is created successfully.
This section describes documentation errata. It includes the following topic:
The following sections on customizing abbreviations and equivalences are incorrect in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager (Part Number E14568-01).
184.108.40.206 Common Abbreviations
"The list can be customized by adding or updating properties file,
client_resource_<locale>.properties, created by the administrator."
F.8 Adding to the Abbreviation File
"Add as many abbreviations and equivalences as you want to
A revised section is provided in the Release Notes.
Answer Logic checks if the answer provided by the user matches closely to the ones provided during registration.
Answer Logic, in part, relies on pre-configured sets of word equivalents, commonly known as abbreviations.
Although there are several thousand English abbreviations and equivalences in the English version of Oracle Adaptive Access Manager, customers can perform customizations per their business requirements.
For example, the customer might want the following to be considered a match.
|Registered Answer||Given Answer|
|nineteen hundred ninety nine||1999|
The out of the box English abbreviations and equivalences are in a file named,
bharosa_auth_abbreviation_config.properties. Changes cannot be made to this file.
To customize abbreviations, a new file must be created with a new set of abbreviations. This file takes precedence over the original file and all abbreviations in the original file are ignored.
To customize abbreviations:
Create a new abbreviation file,
custom_auth_abbreviation_config.properties, and save it in the IDM_ORACLE_HOME/oaam/conf directory.
conf folder does not exist, create one.
Add abbreviations and equivalences to
There are two different formats to use:
For example, in English, some equivalence for James are:
With the addition of the equivalences, if a user were to enter a response as
Jim, but had originally entered
Jim would be accepted.
Another example is that
St may be equivalent to
Note:Retrieval of abbreviation values is not based on the browser language; values are retrieved from the properties files.
Using the Properties Editor, change the property,
bharosa.authenticator.AbbreviationFileName, to point to the complete path to
The default value for the property
bharosa.authenticator.AbbreviationFileName property if it does not already exist.
Restarting the system is not necessary for the change to take effect.
For information on using the Properties Editor, refer to "Using the Properties Editor" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
Configure the Answer Logic by following the instructions in "Configuring the Answer Logic" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
If you want to revert to the original out of the box abbreviations, set
bharosa.authenticator.AbbreviationFileName back to
Translated files are shipped for different locales. These files are named
<locale> is the locale string. For example, the Spanish version of the file is
If you want to localize for one locale (for example, for Japanese only) you can create one file and set the value of property
bharosa.authenticator.AbbreviationFileName to that file's absolute path.
If you want customize for multiple locales you need to perform the following steps:
Create the files specific to those locales with the same prefix.
/mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations_es.properties for Spanish
/mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations_ja.properties for Japanese
Set the property
Note that the locale prefix is absent in the value of the property.
Oracle Adaptive Access Manager uses the locale specific suffixes to the base file name and calculates the file name for that locale at runtime. You only have to specify the base name of the file, independent of locale, as the property value, and Oracle Adaptive Access Manager calculates the locale specific value automatically at runtime based on that property value.
The Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager (Part Number E14568-01) states that there are three states for the pattern, but lists five in Table 14.1 and four in Section 14.9.5, "Changing the Status of the Pattern."
The statuses to choose from are:
If data must be collected, the pattern must be in the Active state.
If the pattern definition is complete, but you do not want to collect data, select Inactive.
If pattern creation has started, but you need to save it for completion later, select Incomplete. Data is not collected for this state.
If there is a problem with the pattern, you can mark the pattern as Invalid to signal other operators. No autolearning data analysis will performed for a pattern in this state.
The pattern has been deleted, but the system must keep this record to maintain data integrity. No autolearning data analysis will be performed for pattern in this state.
The name and location of the purging scripts package is not provided in Appendix G, "Setting Up Archive and Purge Procedures" of the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager (Part Number E14568-01).
The Oracle Adaptive Access Manager-related purging scripts are in the
oaam_db_purging_scripts.zip file located under IDM_ORACLE_HOME/oaam/oaam_db_scripts.
Additions and corrections to Appendix F, "Globalization Support," in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager (Part Number E14568-01) are listed in this section.
Introduction: The first sentence of the introduction should be changed to "Oracle Adaptive Access Manager 11g is translated into 9 Admin languages for OAAM Admin and 26 languages for OAAM Server."
In the fourth paragraph, the introduction states that "When one of the non-Admin locale languages is set in the browser (for example Arabic), OAAM Server uses the default locale, English." This should be modified to "When one of the non-Admin locale languages is set in the browser (for example Arabic), OAAM Admin uses the default locale, English. When one of the non-Std_Runtime locale languages is set in the browser, OAAM Server uses the default locale, English."
Section F.3, "Configuring Language Defaults for Oracle Adaptive Access Manager should include the following note:
Note:The only locales supported are the ones listed in enums.
Section F.7, "Adding Registration Questions,"Step 4, states that "By default, the Locale menu displays English and 27 other default locale languages." This is incorrect. It should say, "By default, the Locale menu displays English and 26 other default locale languages."
Section F.8, "Adding to the Abbreviation File" has been updated in the Release Notes. For updated information, refer to Section 33.4.1.