Skip Headers
Oracle® Fusion Middleware Release Notes
11g Release 1 (11.1.1) for IBM AIX on POWER Systems (64-Bit)

Part Number E14771-27
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

33 Oracle Adaptive Access Manager

This chapter describes issues associated with Oracle Adaptive Access Manager. It includes the following topics:

33.1 Patch Requirements

This section describes patch requirements for Oracle Adaptive Access Manager 11g Release 1 (11.1.1). It includes the following sections:

33.1.1 Obtaining Patches from My Oracle Support

To obtain a patch, log in to My Oracle Support (formerly OracleMetaLink) using the following URL, click Patches & Updates, and search for the patch number:

http://support.oracle.com

Install the patch by following the instructions in the README file included with the patch.

33.1.2 Critical Patches to Install After the Oracle Identity and Access Management Installation (11.1.1.3.0)

High Availability: JBOSERIALIZATIONEXCEPTION Results When Switch Dynamic Tab Failover Occurs

After installing Oracle Identity and Access Management (11.1.1.3.0) and before running the domain configuration tool, you must install the patches for bugs 9817469 and 9882205.

The patches are not optional but critical for running the OAAM Admin console in the high availability clustered environment, which is the only supported deployment.

Table 33-1 lists patches that resolve the known issue.

Table 33-1 OAAM Patches

Patch Number / ID Description and Purpose

9817469

The description of this patch on My Oracle Support is "SWITCHING TASKFLOWS WITH DATA-SCOPE ISOLATED THROWS EXCEPTION WITH AMPOOLING=FAL."

9882205.

The description of this patch on My Oracle Support is "ADFC: CREATING AN IDSTORE IN CONSOLE EXPOSES CREDENTIALS IN PLAIN TEXT IN LOGS."


33.2 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

33.2.1 General User Interface

This section describes general user interface issues.

33.2.1.1 Browser Back Button May Clear Tabs

In the OAAM Fraud Prevention Page, navigation using the browser's Back button and then the Forward button might cause all open tabs to close.

Avoid using the browser's Back button for navigation.

33.2.1.2 Add Condition Menus Do Not Render Properly

The dropdown lists in the Add Condition dialog box do not render properly in Internet Explorer 7 (IE7), but they are still usable

33.2.2 Policy Management

This section describes issues with policy, rule, and group features.

33.2.2.1 Error Message Not Displayed Creating Group with Existing Group Name

An error message is not displayed when you try to create a group with an existing group name. The group with the duplicate name is not created, but you will not see an error message.

33.2.2.2 Add Button in the Group Add Members Dialog is Disabled for Specific Scenarios

The Add button in the Add Members dialog box becomes disabled for the following scenario:

  1. Open an existing group.

  2. In the Members tab, click the Add button.

    The Add Members dialog box appears and the Search Results table is empty.

  3. In the Add Members dialog box, choose the option to search and select from the existing elements.

  4. Click the Search button.

    A list of elements appear in the Search Results table.

  5. From Search Results table, select the first element and then click the Add button.

  6. To delete the member you just added, select the member in the Members tab and then click Delete.

  7. Repeat Steps 2 through 4.

    When the list of elements appears in the Search Results table, the element you deleted previously is already selected and the Add button is disabled.

    To enable the Add button, you will have to select another element and then go back and select the original element.

    If only one element exists to choose from, you will not be able to enable the Add button and add that element to the group.

As a workaround, if there is only one element to choose from:

  1. Select the Create New option in the Add Members dialog box. The Search Results table disappears.

  2. Now, choose the option to search and select. When the Search Results table reappears, the Add button is enabled. You will be able to select the element and Add it to the group.

As a workaround, if there are more than one element to choose from, click another element and then go back to the original and then add it.

33.2.2.3 Pattern Attribute Cannot Be Used if Set to Deleted

If you set the status of an attribute to Deleted in a pattern, the attribute will not appear in the user interface and you will not be able to reuse it.

If you do not want to use the attribute, set the status to Inactive instead of Deleted.

33.2.2.4 Instructions are Incorrect in the Add User Name to Group Dialog Box

Although the instructions on the Add User name to group dialog box state that "You can either create new User name or search and select existing User name to add to the group," only Add is supported.

33.2.3 Knowledge-Base Authentication

This section describes a Knowledge-Based Authentication feature issue.

33.2.3.1 Duplicate Name for KBA Categories Can Be Given When Editing the Category

Care should be exercised when editing the name of a category. There is no validation to prevent the user from entering a KBA category name that already exists.

33.2.4 Transactions

This section describes a Transaction issue.

33.2.4.1 Cannot Delete Transaction Data in Certain Scenarios

For the Transaction Definition, in the Transaction tab, if you try to delete a row, but click Cancel in the Delete Row confirmation dialog in the Source or Data tabs, you will not be able to delete that row again.

The warning message, "No Data Elements are selected for delete," is shown even if you select the row.

33.2.5 Import, Export, and Snapshot

This section describes issues dealing with import, export, and snapshots.

33.2.5.1 Import Dialog Box is Unusable if Incorrect Path Entered

If you type in an incorrect file path for any import file dialog box in Internet Explorer 7 (IE7), the import file dialog box becomes unusable and you cannot close it.

As a workaround, log out of the application and log back in.

33.2.5.2 Validation Check Occurs in Snapshot Restore Even If User Does Not Want to Take Current Snapshot

When you are restoring a snapshot from a file, a validation check is run when you click Continue. You are then asked to enter a name and notes even if you do not want to take a current snapshot.

As a workaround, you should select Back Up Current System, enter your name and notes, deselect Back Up Current System, and click Continue to bypass the validation check.

33.2.5.3 Import of Existing Property in Java Format Fails

When you try to import an existing property with the same value in Java format, the following error occurs:

Failed to Import Properties.Imported file is empty or invalid. 

33.2.6 Audit, Logs, and Performance

This section describes issues pertaining to audit, log, and performance.

33.2.6.1 Execution and Processing Terms Used in Oracle Enterprise Manager are Different from the Ones Used in the Oracle Adaptive Access Manager Dashboard

The execution and processing labels used in Oracle Enterprise Manager are different from the ones used in the Oracle Adaptive Access Manager Dashboard.

The mappings are as follows:

Report Fusion Middleware Control Oracle Adaptive Access Manager Dashboard
Policy Execution Summary Average Execution Time Average Policy Process Time
Rules Execution Summary Average Execution Time Average Rule Process time
Rules Processing Summary Average Execution Time RulesAPI.processRules

33.2.6.2 Audit Record Uses the Term Override and Not Trigger Combination

The Add, Update, Delete Overrides audit events use the deprecated term "Override" instead of "Trigger Combination." The audit events are also not captured in the audit.log.

33.2.6.3 Performance Issues Exist When Performing Bulk Actions

The response time is slow for Select All and Bulk actions in tables. This occurs mainly for KBA and group elements.

For example, response time is slow for activating all KBA questions or deleting all group members.

33.2.6.4 Extra Audit Events are Generated for All Subcomponents When Another Subcomponent is Changed

The Update Rule Param Value audit event is triggered:

  • Whenever a condition is selected and the condition details are displayed. The rule condition value in the rule has not changed.

  • When a user make changes to rules (for example, rule name)

When you make a change to the rule and click the Apply button, the Update Rule Param Value audit event is triggered. Even though there had been only one modification, the following three audit events are also triggered:

  • UpdateRuleInPolicy

  • UpdateRulesOrderInPolicy

  • UpdateRuleParamValuesInPolicy

The extra events are triggered because Apply and Revert are global actions; therefore the entire state is saved. On the other hand, Save and Cancel are detail level actions.

33.2.6.5 Error and Warning Messages When No Issues

Certain error and warning messages appear in log files even when there are no issues with the user interface. Table 33-2 lists error/warnings that can be ignored.

'....' indicates additional contextual text

Table 33-2 Oracle Adaptive Access Manager Messages to Ignore

#
Error Message Description / Comments

1

Couldn't load properties file bharosauio_client.properties

This message may occur during server startup when an attempt is made to load the file. The file is not a requirement; therefore this message can be ignored.

2

The DocumentChange is not configured to be allowed for the component: .....

This message is from the ADF Filtered Change Persistence Manager. It can be ignored.

3

shadow[some text]: No shadow row found for ....

The message is generated when a history row is not found in the database for some server artifacts, when the row is inserted for the first time for that artifact. Since the history rows are rebuilt if they are not found, this message can be ignored.

4

Element for value= -1 not found for enum ....

This message is generated when the default value of the enumeration is used to convey an unused or unselected item from the enumerated lists in the server or user interface. Since the (-1) is interpreted as an unused value, this message can be ignored.

5

Could not find selected item matching value "0" in RichSelectOneChoice ....

The message is generated from the user interface classes when attempts are made to match selected values with choices. In some cases, the selected value of 0 may not have attached a choice and that is when this message is generated. This message can be ignored.

6

DocumentChange will not be persisted because the target component of DocumentChange is a stamped component or is in the subtree of a stamped component. Target component reference....

The message is informational and from the ADF MDS Filtered Change Persistence Manager. It can be ignored.

7

Error instantiating class - oracle.adfdtinternal.view.faces.portlet.PortletDefinitionDTFactory

The message is generated by the user interface code when attempts are made to upload portlets. Since the Oracle Adaptive Access Manager implementation does not use this class, this message can be ignored.

8

Could not find saved view state for token ....

This message is from the ADF view layer and occurs if the user cut and pasted the OAAM Admin URL.

9

ADFv: Unable to find matching JSP Document Node for: ....

This message is from ADF view layer.


33.2.7 Globalization

This section describes globalization issues.

33.2.7.1 Timestamp Criteria Input Field Has a Fixed Format

In any of the search panels, the timestamp criteria input field uses a fixed format rather than a format based per the locale.

As a workaround, use the date-picker to select the timestamp instead of manually entering it.

33.2.7.2 Command-Line Interface Tools Are Not Globalized

Command-Line Interface tools are not globalized for Oracle Adaptive Access Manager 11g Release 1 (11.1.1).

33.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

33.3.1 Unused Rule.Action.Enum Actions are Disabled Out of the Box.

The values for the Rule.Action.Enum Action fields like ChallengeSMSTextPad, ChallengeSMSPinPad, and others, are not specified for the From Action and To Action fields in the Policy Set.

The workaround is to set the value of these properties to true using the Properties Editor:

rule.action.enum.ChallengeSMSTextPad.enabled
rule.action.enum.ChallengeSMSPinPad.enabled
rule.action.enum.ChallengeEmailTextPad.enabled
rule.action.enum.ChallengeEmailPinPad.enabled
rule.action.enum.SmsChallenge.enabled
rule.action.enum.EmailChallenge.enabled
rule.action.enum.NextQuestion.enabled
rule.action.enum.RegisterImageTextPad.enabled
rule.action.enum.RegisterImagePinPad.enabled
rule.action.enum.RegisterImageKeyPadFull.enabled
rule.action.enum.RegisterImageKeyPadAlpha.enabled
rule.action.enum.RegisterImageKeyPadAlphaTurk.enabled
rule.action.enum.RegisterImageQuestionPad.enabled
rule.action.enum.Token.enabled
rule.action.enum.OTPChallengeEmail.enabled
rule.action.enum.OTPChallengeSMS.enabled
rule.action.enum.OTPRegister.enabled
rule.action.enum.OTPBlock.enabled

33.3.2 Oracle Adaptive Access Manager Servers Can Run on IPv6 Enabled Dual Stack Machines

The OAAM Servers function on IPv6 enabled dual stack servers with reduced functionality. End user IP addresses in IPv4 format are used in fraud policies and rules management. This may not be an issue as IPv4 format is used across networks and OAAM Server obtains IPv4 based IP address. When end user IP addresses are in IPv6 form, rules evaluating user, device, application data (transactions/events) and other contextual data will function as expected. However, location rules will evaluate against a private dummy IP (127.0.0.99) in place of the actual v6 form IP. The OAAM Admin console will display private dummy IP (127.0.0.99) in place of the actual v6 form IP. To support location-based rules a change in database schema and an application change to support Groups, Ranges, Listing and Details pages are required. In addition, IPv6 support from geolocation data vendors is needed for advanced location rules-based on geolocation, velocity, connection settings, and others.

33.3.3 Non-ASCII Username/Password Fails to go through Authentication

In an Oracle Access Manager and Oracle Adaptive Access Manager integration deployment, if an end user enters a non-ASCII username or non-ASCII password to authenticate himself, an error occurs with the following message:

Sorry,  the identification you entered was not recognized. Please try again

To work around this issue, perform the following steps for the OAAM Server-related Manager Server:

  1. Set PRE_CLASSPATH to ORACLE_HOME/common/lib/nap-api.jar.

    For C shell:

    setenv  ORACLE_HOME "IDM_ORACLE_HOME"
    setenv PRE_CLASSPATH " $ORACLE_HOME/common/lib/nap-api.jar" 
    

    For bash/ksh Shell:

    export ORACLE_HOME= IDM_ORACLE_HOME
    export PRE_CLASSPATH="$ORACLE_HOME common/lib/nap-api.jar"
    
  2. Start OAAM Server related Manager Server.

33.3.4 InstantiationException May Appear When Create Case Failover Occurs

If both Oracle IDM 11gR1 home and Oracle Identity and Access Management (11.1.1.3.0) home are installed, then during case creation, if a server failover occurs, a java.lang.InstantiationException error may appear in the logs.

There is no loss of functionality as the case is created successfully.

33.4 Documentation Errata

This section describes documentation errata. It includes the following topic:

33.4.1 Documentation to Customize Abbreviation and Equivalences is Incorrect

The following sections on customizing abbreviations and equivalences are incorrect in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager (Part Number E14568-01).

  • 6.9.2.1 Common Abbreviations

    "The list can be customized by adding or updating properties file, client_resource_<locale>.properties, created by the administrator."

  • F.8 Adding to the Abbreviation File

    "Add as many abbreviations and equivalences as you want to client_resource_<locale>.properties."

A revised section is provided in the Release Notes.

Customizing English Abbreviations and Equivalences

Answer Logic checks if the answer provided by the user matches closely to the ones provided during registration.

Answer Logic, in part, relies on pre-configured sets of word equivalents, commonly known as abbreviations.

Although there are several thousand English abbreviations and equivalences in the English version of Oracle Adaptive Access Manager, customers can perform customizations per their business requirements.

For example, the customer might want the following to be considered a match.

Registered Answer Given Answer
nineteen hundred ninety nine 1999

The out of the box English abbreviations and equivalences are in a file named, bharosa_auth_abbreviation_config.properties. Changes cannot be made to this file.

To customize abbreviations, a new file must be created with a new set of abbreviations. This file takes precedence over the original file and all abbreviations in the original file are ignored.

To customize abbreviations:

  1. Create a new abbreviation file, custom_auth_abbreviation_config.properties, and save it in the IDM_ORACLE_HOME/oaam/conf directory.

    If the conf folder does not exist, create one.

  2. Add abbreviations and equivalences to custom_auth_abbreviation_config.properties.

    There are two different formats to use:

    Word=equivalent1
    Word=equivalent2
    

    or

    Word=equivalent1,equivalent2, equivalent3
    

    For example, in English, some equivalence for James are:

    Jim=James,\Jamie,\Jimmy
    

    With the addition of the equivalences, if a user were to enter a response as Jim, but had originally entered James, Jim would be accepted.

    Another example is that St may be equivalent to Street.

    Note:

    Retrieval of abbreviation values is not based on the browser language; values are retrieved from the properties files.
  3. Using the Properties Editor, change the property, bharosa.authenticator.AbbreviationFileName, to point to the complete path to custom_auth_abbreviation_config.properties.

    The default value for the property bharosa.authenticator.AbbreviationFileName is bharosa_auth_abbreviation_config.properties.

    Create the bharosa.authenticator.AbbreviationFileName property if it does not already exist.

    Restarting the system is not necessary for the change to take effect.

    For information on using the Properties Editor, refer to "Using the Properties Editor" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

  4. Configure the Answer Logic by following the instructions in "Configuring the Answer Logic" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

If you want to revert to the original out of the box abbreviations, set bharosa.authenticator.AbbreviationFileName back to bharosa_auth_abbreviation_config.properties.

Customizing Abbreviations and Equivalences for Locales

Translated files are shipped for different locales. These files are named bharosa_auth_abbreviation_config_<locale>.properties where <locale> is the locale string. For example, the Spanish version of the file is bharosa_auth_abbreviation_config_es.properties.

If you want to localize for one locale (for example, for Japanese only) you can create one file and set the value of property bharosa.authenticator.AbbreviationFileName to that file's absolute path.

If you want customize for multiple locales you need to perform the following steps:

  1. Create the files specific to those locales with the same prefix.

    For example,

    /mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations_es.properties for Spanish

    /mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations_ja.properties for Japanese

  2. Set the property bharosa.authenticator.AbbreviationFileName to /mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations.properties.

    Note that the locale prefix is absent in the value of the property.

    Oracle Adaptive Access Manager uses the locale specific suffixes to the base file name and calculates the file name for that locale at runtime. You only have to specify the base name of the file, independent of locale, as the property value, and Oracle Adaptive Access Manager calculates the locale specific value automatically at runtime based on that property value.

33.4.2 The Pattern Statuses are Incorrectly Documented in the Administrator's Guide

The Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager (Part Number E14568-01) states that there are three states for the pattern, but lists five in Table 14.1 and four in Section 14.9.5, "Changing the Status of the Pattern."

The statuses to choose from are:

  • Active

    If data must be collected, the pattern must be in the Active state.

  • Inactive

    If the pattern definition is complete, but you do not want to collect data, select Inactive.

  • Incomplete

    If pattern creation has started, but you need to save it for completion later, select Incomplete. Data is not collected for this state.

  • Invalid

    If there is a problem with the pattern, you can mark the pattern as Invalid to signal other operators. No autolearning data analysis will performed for a pattern in this state.

  • Deleted

    The pattern has been deleted, but the system must keep this record to maintain data integrity. No autolearning data analysis will be performed for pattern in this state.

33.4.3 Name and Location of Purging Scripts Package Not Provided in Documentation

The name and location of the purging scripts package is not provided in Appendix G, "Setting Up Archive and Purge Procedures" of the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager (Part Number E14568-01).

The Oracle Adaptive Access Manager-related purging scripts are in the oaam_db_purging_scripts.zip file located under IDM_ORACLE_HOME/oaam/oaam_db_scripts.

33.4.4 Corrections and Additions to Appendix F, Globalization Support

Additions and corrections to Appendix F, "Globalization Support," in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager (Part Number E14568-01) are listed in this section.

Introduction: The first sentence of the introduction should be changed to "Oracle Adaptive Access Manager 11g is translated into 9 Admin languages for OAAM Admin and 26 languages for OAAM Server."

In the fourth paragraph, the introduction states that "When one of the non-Admin locale languages is set in the browser (for example Arabic), OAAM Server uses the default locale, English." This should be modified to "When one of the non-Admin locale languages is set in the browser (for example Arabic), OAAM Admin uses the default locale, English. When one of the non-Std_Runtime locale languages is set in the browser, OAAM Server uses the default locale, English."

Section F.3, "Configuring Language Defaults for Oracle Adaptive Access Manager should include the following note:

Note:

The only locales supported are the ones listed in enums.

Section F.7, "Adding Registration Questions,"Step 4, states that "By default, the Locale menu displays English and 27 other default locale languages." This is incorrect. It should say, "By default, the Locale menu displays English and 26 other default locale languages."

Section F.8, "Adding to the Abbreviation File" has been updated in the Release Notes. For updated information, refer to Section 33.4.1.