|Oracle® Fusion Middleware Release Notes
11g Release 1 (11.1.1) for IBM AIX on POWER Systems (64-Bit)
Part Number E14771-27
This chapter describes issues associated with Oracle Identity Manager. It includes the following topics:
This section describes patch requirements for Oracle Identity Manager 11g Release 1 (11.1.1). It includes the following sections:
To obtain a patch from My Oracle Support (formerly OracleMetaLink), go to following URL, click Patches and Updates, and search for the patch number:
Table 37-1 lists patches required for Oracle Identity Manager 11g Release 1 (11.1.1) configurations that use Oracle Database 11g (18.104.22.168). Before you configure Oracle Identity Manager 11g, be sure to apply the patches to your Oracle Database 11g (22.214.171.124) database.
Table 37-1 Required Patches for Oracle Database 11g (126.96.36.199)
|Platform||Patch Number and Description on My Oracle Support|
UNIX / Linux
7614692: BULK FEATURE WITH 'SAVE EXCEPTIONS' DOES NOT WORK IN ORACLE 11G
7000281: DIFFERENCE IN FORALL STATEMENT BEAHVIOUR IN 11G
8327137: WRONG RESULTS WITH INLINE VIEW AND AGGREGATION FUNCTION
8617824: MERGE LABEL REQUEST ON TOP OF 188.8.131.52 FOR BUGS 7628358 7598314
Windows 32 bit
8689191: ORACLE 11G 184.108.40.206 PATCH 16 BUG FOR WINDOWS 32 BIT
Windows 64 bit
8689199: ORACLE 11G 220.127.116.11 PATCH 16 BUG FOR WINDOWS (64-BIT AMD64 AND INTEL EM64T)
Table 37-2 lists patches that resolve known issues with Segregation of Duties (SoD) functionality:
Table 37-2 SoD Patches
|Patch Number / ID||Description and Purpose|
Patch number 9819201 on My Oracle Support
Apply this patch on the SOA Server to resolve the known issue described in "SoD Check During Request Provisioning Fails While Using SAML Token Client Policy When Default SoD Composite is Used".
The description of this patch on My Oracle Support is "ERROR WHILE USING SAML TOKEN CLIENT POLICY FOR CALLBACK."
Patch ID 3M68 using the Oracle Smart Update utility. Requires passcode: 6LUNDUC7.
Using the Oracle Smart Update utility, apply this patch on the Oracle WebLogic Server to resolve the known issue described in "SoD Check Fails While Using Client-Side Policy in Callback Invocation During Request Provisioning".
While applying the patch provided by Oracle Identity Manager, the following error is generated:
ApplySession failed: ApplySession failed to prepare the system.
OPatch version 18.104.22.168.1 must be upgraded to version 22.214.171.124.2 to meet the version requirement.
See "Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)" for information about downloading OPatch from My Oracle Support.
This section describes general issues and workarounds. It includes the following topics:
Currently, the Platform Archival Utility is not supported and should not be used.
To work around this issue, use the predefined scheduled task named Orchestration Process Cleanup Task to delete all completed orchestration processes and related data.
Oracle Identity Manager's SPML-DSML Service is currently unsupported in 11g Release 1 (11.1.1). However, you can manually deploy the spml-dsml.ear archive file for Microsoft Active Directory password synchronization.
If a resource object name is more than 100 characters, an error occurs in the database and the resource object is not imported. To work around this issue, change the resource object's name in the XML file so the name is less than 100 characters.
When creating or modifying a request template, you must use one of the following conditions for child table restrictions:
Ensure there is more than one possible value.
Ensure there are no restrictions placed on the child table.
You cannot create users in Disabled State. Users are always created in Active State.
The Create and Modify User APIs do not honor the Users.Disable User attribute value. If you pass a value to the Users.Disable User attribute when calling the Create API, Oracle Identity Manager ignores this value and the USR table is always populated with a value of 0, which indicates the user's state is Active.
Use the Disable API to disable a user.
When Oracle Access Manager locks a user account in an Oracle Identity Manager-Oracle Access Manager integration, it may take approximately five minutes, or the amount of time defined by the incremental reconciliation scheduled interval, for the status of the locked account to be reconciled and appear in Oracle Identity Manager. However, if a user account is locked or unlocked in Oracle Identity Manager, the status appears immediately.
The GenerateSnapshot.[sh|bat] option does not work correctly when invoked from the Bulkload utility. To work around this issue and generate a snapshot of the initial audit after bulk loading users or accounts, you must run GenerateSnapshot.[sh|bat] from the $OIM_HOME/bin/ directory.
The GenerateSnapshot and GenerateGPASnapshot utilities both require a JDBC URL to be passed as an argument. However, Oracle Identity Manager cannot display the usage if the server is SSL-enabled. The snapshot fails and an error results. Currently, no workaround exists for this issue.
Due to an ADF limitation, the browser timezone is currently not accessible to Oracle Identity Manager. Oracle Identity Manager bases the timezone information in all date values on the server's timezone. Consequently, end users will see timezone information in the date values, but the timezone value will display the server's timezone.
The date-time value that end users see in the Segregation of Duties (SoD) Check Timestamp field on the SoD Check page will always display as "YYYY-MM-DD hh:mm:ss" and this format cannot be localized.
To work around this localization issue, perform the following steps:
Open the "Oracle_eBusiness_User_Management_126.96.36.199.0/xml/Oracle-eBusinessSuite-TCA-Main-ConnectorConfig.xml" file.
In the EBS Connector import xml, locate the SoDCheckTimeStamp field for the Process Form. Change <SDC_FIELD_TYPE> to 'DateFieldDlg' and change <SDC_VARIANT_TYPE> to 'Date' as shown in the following example:
<FormField name = "UD_EBST_USR_SODCHECKTIMESTAMP"> <SDC_UPDATE>!Do not change this field!</SDC_UPDATE> <SDC_LABEL>SoDCheckTimestamp</SDC_LABEL> <SDC_VERSION>1</SDC_VERSION> <SDC_ORDER>23</SDC_ORDER> <SDC_FIELD_TYPE>DateFieldDlg</SDC_FIELD_TYPE> <SDC_DEFAULT>0</SDC_DEFAULT> <SDC_ENCRYPTED>0</SDC_ENCRYPTED> <!--SDC_SQL_LENGTH>50</SDC_SQL_LENGTH--> <SDC_VARIANT_TYPE>Date</SDC_VARIANT_TYPE> </FormField>
Import the Connector.
Enable SoD Check.
Provision the EBS Resource with entitlements to trigger an SoD Check.
Check the SoDCheckTimeStamp field in Process Form to confirm it is localized like the other date fields in the form.
Bulk loading a CSV file for which UTF-8 BOM (byte order mark) encoding is specified causes an error. However, bulk-loading UTF-8 encoded CSV files works as expected if you specify "no BOM" encoding.
To work around this issue,
If you want to load non-ASCII data, you must change your CSV file encoding to "UTF-8 no BOM" before loading the CSV file.
If your data is stored in CSV files with "UTF-8 BOM" encoding, you must change them to "UTF-8 no BOM" encoding before running the bulkload script.
The default Scheduler job, "Job History Archival," does not support date type attributes.
The "Archival Date" attribute parameter in "Job History Archival" only accepts string patterns such as "ddMMyyyy" and "MMM DD, yyyy."
When you run a Scheduler job, the code checks the date format. If you enter the wrong format, an error similar to the following example, displays in the execution status list and in the log console:
<IAM-1020063> <Incorrect format of Archival Date parameter. Archival Date is expected in DDMMYYYY or UI Date format.>
The job cannot run successfully until you input the correct Archival Date information.
On machines where the file limits are set too low, trying to create and compile an entity adapter causes a "Too many open files" error and the adapter will not compile.
To work around this issue, change the file limits on your machine to the following (located in /etc/security/limits.conf) and then restart the machine:
soft nofile 4096
hard nofile 4096
Currently, Oracle Identity Manager's Reconciliation Engine in 11g Release 1 (11.1.1) requires you to define a matching rule to identify the users for every connector in reconciliation. Errors will occur during reconciliation if you do not define a matching rule to identify users.
When any date, such as activeStartDate, hireDate, and so on, is specified in an incorrect format, the Web server does not pass those values to the SPML layer. Only valid dates are parsed and made available to SPML. Consequently, any SPML request that contains an invalid date format is ignored and not available for that operation. For example, if you specify the HireDate month as "8" instead of "08," the HireDate will not be populated after the Create request is completed and no error message is displayed.
The supported date format is:
No other date format is supported.
SoD functionality uses JMS-based processing. Oracle Identity Manager submits a message to the oimSODQueue for each SoD request. If for some reason an SoD message always results in an error, Oracle Identity Manager never processes the next message in the oimSODQueue. Oracle Identity Manager always picks the same error message for processing until you delete that message from the oimSODQueue.
To work around this issue, use the following steps to edit the queue properties and to delete the SoD message in oimSODQueue:
Log on to the Weblogic Admin Console at http://<hostname>:<port>/console
From the Console, select Services, Messaging, JMS Modules.
Click OIMJMSModule. All queues will be displayed.
Select the Configurations, Delivery Failure tabs.
Change the retry count so that the message can only be submitted a specified number of times.
Change the default Redelivery Limit value from -1 (which means infinite) to a specific value. For example, if you specify 1, the message will be submitted only once.
To review and delete the SoD error message, go to the Monitoring tab, select the message, and delete it.
If you are using the WeblogicImportMetadata.cmd utility to import data to MDS, then do not use a backslash (\) character in a path in the weblogic.properties file, or an exception will occur.
To work around this issue, you must use a double backslash (\\) or a forward slash (/) on Microsoft Windows. For example, change metadata_from_loc=C:\metadata\file to metadata_from_loc=C:\\metadata\\file in the weblogic.properties file.
When you are searching for a resource object, do not use an underscore character (_) in the resource name. The search feature ignores the underscore and consequently does not return the expected results.
Reconciliation does not support the Assign to Administrator Action rule.
To work around this issue, change the Assign to Administrator to
None in the connector XML before importing the connector. However, after changing the value to None, you cannot revert to Assign to Administrator.
If you are creating attestations in a Firefox Web browser and you click certain buttons, nothing happens.
To work around this issue, click the Refresh button to refresh the page.
WLS Security Realm has a default lock-out policy that locks out users for some time after several unsuccessful login attempts. This policy can interfere with the locking and unlocking functionality of Oracle Identity Manager.
To prevent the WLS Security Realm lock-out policy from affecting the lock/unlock functionality of Oracle Identity Manager, you must set the 'Lockout Threshold' value in the WLS 'User Lockout Policy' to at least 5 more than the value in Oracle Identity Manager. For example, if the value in Oracle Identity Manager is set to 10, you must set the WLS 'Lockout Threshold' value to 15.
To change the default values for the 'User lockout Policy,' perform the following steps:
Open the WebLogic Server Administrative Console.
Select Security Realms, REALM_NAME.
Select the User Lockout tab.
If configuration editing is not enabled, then click the Lock and Edit button to enable configuration editing.
Change the value of lockout threshold to the required value.
Click Save to save the changes.
Click Activate to activate your changes.
Restart all the servers in the domain.
When you set up Oracle Identity Manager-Oracle Access Manager Integration with a JAVA agent and log into the Admin Server Console, a "<User not found>" error message is displayed. This message displays even when the login is successful.
If you use the single quote character (') in a Reconciliation Matching rule (for example, 'B'1USER1'), reconciliation will fail with an exception.
Due to a limitation in the Oracle SOA Infrastructure, do not use special characters such as commas (,) in role names, group names, or container descriptions when reconciling roles from LDAP. Oracle Identity Manager's internal code uses special characters as delimiters. For example, Oracle Identity Manager uses commas (,) as approver delimiters and the SOA HWF-level global configuration uses commas as assignee delimiters.
SoD check fails and the following error is displayed on the SOA console when SoD check is performed during request provisioning only when the Default SoD Check composite is used:
SEVERE: FabricProviderServlet.handleException Error during retrieval of test page or composite resourcejavax.servlet.ServletException: java.lang.NullPointerException
This happens when Callback is made from OIM to SOA with the SoDCheck Results.
To resolve this issue, apply patch 9819201 on the SOA server. You can obtain patch 9819201 from My Oracle Support. The description of this patch on My Oracle Support is "ERROR WHILE USING SAML TOKEN CLIENT POLICY FOR CALLBACK."
For more information, refer to:
SoD check fails and following error is displayed on the Oracle Identity Manager Administrative and User Console when SoD check is performed during request provisioning only when the Default SoD Check composite is used:
<Error> <oracle.wsm.resources.policymanager><WSM-02264> <"/base_domain/oim_server1/oim/unknown/iam-ejb.jar/WEBSERVICECLIENTs/SoDCheckResultService/PORTs/ResultPort" is not a recognized resource pattern.> <Error> <oracle.iam.sod.impl> <IAM-4040002><Error getting Request Service : java.lang.IllegalArgumentException: WSM-02264 "/base_domain/oim_server1/oim/unknown/iam-ejb.jar/WEBSERVICECLIENTs/SoDCheckResultService/PORTs/ResultPort" is not a recognized resource pattern.>
To resolve this issue, use the Oracle Smart Update utility to apply patch ID 3M68, which requires passcode of 6LUNDUC7, on Oracle WebLogic Server. For more information, refer to:
On starting remote manager from
remote_manager by running the
remotemanager.sh script on AIX, it shows the following error:
Class/Method: RMISSLServerSocketFactory/createServerSocket Remote Manager server socket port is 12346 Exception in thread "main" java.lang.NoClassDefFoundError: com.sun.net.ssl.SSLContext
To work around this issue, perform the following steps after installing the remote manager:
Change the value for KeyManagerFactory from
On creating an IT Resource with Type chosen as Remote Manager by selecting the Create an IT Resource option in OIM application, the following error is seen:
<XELLERATE.WEBAPP> <BEA-000000> <Class/Method: tcAction/execute encounter some problems: javax.servlet.ServletException: java.lang.NoClassDefFoundError: com/sun/net/ssl/SSLContext>
To work around this issue, perform the following steps:
Login to Enterprise Manager:
Right-click on Domains, select Base domain, select cluster, and then select oim_server1.
Select system Mbean browser, select oracle.iam, select Server: oim_server1, select Application: oim, select XMLConfig, select Config, select XMLConfig.RemoteManager, and then select RemoteManager.
Change the value for KeyManagerFactory from
Restart the oim_server.
When using the generic technology connector framework uses SPML, during provisioning, the following error may appear:
<SPMLProvisioningFormatProvider.formatData :problem with Velocity Template Unable to find resource 'com/thortech/xl/gc/impl/prov/SpmlRequest.vm'>
If the error occurs, it blocks provisioning by using the predefined SPML GTC provisioning format provider. Restarting the Oracle Identity Manager server prevents the error from appearing again.
When using the Repository Creation Utility (RCU) to seed Schedule Jobs, the following exception may appear in the SeedSchedulerData.log file:
***** Seeding job and trigger Exception occurs during scheduling org.quartz.JobPersistenceException: Couldn't obtain triggers for job: oracle.iam.scheduler.vo.Trigger [See nested exception: java.lang.ClassNotFoundException: oracle.iam.scheduler.vo.Trigger]Exception: Couldn't obtain triggers for job: oracle.iam.scheduler.vo.Triggerorg.quartz.JobPersistenceException: Couldn't obtain triggers for job: oracle.iam.scheduler.vo.Trigger [See nested exception: java.lang.ClassNotFoundException: oracle.iam.scheduler.vo.Trigger]
This error is benign and can safely be ignored, as there is no loss of functionality.
After restarting the Oracle Identity Manager server, you cannot delete an existing Approval Policy—though you can delete Approval Policies that you add after restarting the server.
To work around this issue, after restarting the server, open the Approval Policy that you want to delete, make an inconsequential change to it, such as slightly changing the description, and save the updated Approval Policy. You can now delete the updated Approval policy.
When using the Mozilla Firefox browser, in certain situations, some buttons in the legacy user interface, also known as TransUI, cannot be clicked. This issue occurs intermittently and can be resolved by using Firefox's reload (refresh) function.
If an LDAP handler causes an exception when you create, modify, or delete a role, an invalid error message, such as
System Error or
Role does not exist, may appear.
To work around this issue, look in the log files, which will display the correct error message.
If a user's password is comprised of non-ASCII characters, and that user tries to reset the password from either the My Profile or initial login screens in the Oracle Identity Manager Self Service interface, the reset will fail with the following error message:
Failed to change password during the validation of the old password
Note:This error does not occur with user passwords comprised of only ASCII characters.
To work around this issue, perform the following steps:
Set the JVM file encoding to UTF8, for example:
Note:On Windows systems, this may cause the console output to appear distorted, though output in the log files appear correctly.
Restart the Oracle WebLogic Server.
When patches are applied to the Authorization Polices that are included with Oracle Identity manager and the JavaSE environment registers the Oracle JDBC driver,
java.security.AccessControlException is reported and the following error message appears:
Error while registering Oracle JDBC Diagnosability MBean
You can ignore this benign exception, as the Authorization Policies are seeded successfully, despite the exception and error messages.
When locale is set to th_TH in Microsoft Windows Internet Explorer Web browser, the datetime in Oracle Identity Manager follows the Thai Buddhist calendar. In the Create Attestation page of the Administrative and User Console, when you select a date for start time, the year is displayed according to the Thai Buddhist calendar, for example, 2553. After you click OK, the equivalent year according to the Gregorian calendar, which is 2010, is displayed in the start time field. But when you click Next to continue creating the attestation, an error message is displayed stating that the start time of the process must not belong to the past.
To workaround this issue, perform any one of the following:
Specify the datetime manually.
Use Mozilla Firefox Web browser, which uses the Gregorian calendar.
Request is raised for a beneficiary for whom the Design Console Access flag is ON. The privileges the user has with this flag ON is that of the End-User Administrator role.
To workaround this issue, while raising a request for such a user, make sure that you select or set the flag again so that the privileges are maintained. Otherwise, the Flag will be cleared off and another administrator user will have to grant the privileges back to the user.
OIM user without the ACCESS POLICY ADMINISTRATORS role cannot view data in the following reports:
Access Policy Details
Access Policy List by Role
To workaround this issue:
Assign the ACCESS POLICY ADMINISTRATORS role to an OIM user.
Create a BI Publisher user with the same username in Step 1. Assign appropriated BI Publisher role to view reports.
Login as the BI Publisher user mentioned in step 2. View the Access Policy Details and Access Policy List by Role reports. All access policies are displayed.
In case of empty date, archival utility throws an error message, but proceeds to archive data by mapping to the current date. Currently, no workaround exists for this issue.
TransUI closes while doing a direct provisioning if user defined field (UDF) is created with the default values. To work around this issue, you need to create a Lookup Code for the INTEGER/DOUBLE type UDF in the LKU/LKV table.
On AIX platform, when a required parameter is missing during the creation of a scheduler job, instead of throwing "RequiredParameterNotSetException" with the error message "The value is not set for required parameters of a scheduled task.", it throws "ParameterValueTypeNotSupportedException" with the error message "Parameter value is not set properly". Currently, no workaround exists for this issue.
New user attributes are added in Oracle Identity Manager 11g. Not all of them are available for Attestation while defining user-scope. However, Attestation has been enhanced to include the following user attributes:
Currently, no workaround exists for this issue.
Update fails in LDAP, if LDAP GUID is mapped to any field of trusted resource in LDAP-SYNC enabled installation. To work around this issue, Oracle does not recommend mapping for LDAP GUID field while creating reconciliation field mapping for a trusted resource.
When a Modify Request is raised, "End-User" and "End-User Administrator" values are displayed for the "Design Console Access" field. These values must be mapped to False/True while interpreting the user details.
If an approval policy rule contains non-ASCII characters, these characters might not be displayed correctly on the UI after the policy is exported with Deployment Manager.
Currently, no workaround exists for this issue.
If you try to create a user that contains an asterisk (*) after creating a user with a similar name, the attempt will fail. For example, if you create user test1test, followed by test*test, test*test will not be created.
It is recommended to not create users with asterisks in the User Login field.
The Status field on the Post Proxies page is blank. However, active proxies are displayed correctly on Current Proxies page.
Currently, no workaround exists for this issue.
The Password field is available to be mapped with a reconciliation profile, but it should not be used. Attempting to map this field will generate a reconciliation event that will not create users. (The event ends in "No Match Found State".) In addition, you will not be able to re-evaluate or manually link this event.
Although you can select the UID attribute from the Search Results Table Configuration list on the Search Configuration page of the Advanced Administration, the Advanced Search: Users results table displays the User Login field instead of the UID field.
After you delete an organization, the Browse trees for organizations and roles might not be displayed.
To work around this issue, click the Search Results tab, then click the Browse tab. The roles and organizations browse trees display correctly.
Entitlement (Child Table) selection during data gathering on the process form, for the "Depends On (Depended)" attribute is not optional. During data gathering, if dependent lookups are configured, then the user has to select the parent lookup value so that filtering happens on the child lookup and thus user gets a final list of entitlements to select . Currently, no workaround exists to directly filter the values based on the child lookup.
Generic exceptions are shown in server logs every time deployment manager import happens or profile changes manually or profile changes via design console. This is because "WLSINTERNAL" is not an authorized user of Oracle Identity Manager. "WLSINTERNAL" is an internal user of WebLogic Server, and MDS uses it to invoke MDS listeners if there is a change in XMLs stored in MDS. Currently, no workaround exists for this issue.
Create User API allows the user to set any value between 0 and 9 instead of 0 or 1 for "Users.Password Never Expires", "Users.Password Cannot Change" and "Users.Password Must Change" fields. However, any value other than 0 is considered as TRUE and 0 is considered as FALSE, and the flag is set accordingly for the user being created. Currently, no workaround exists for this issue.
If you are provisioning to two resources, and one of the resources is dependent on the other, the user must be approved and provisioned on the resource on which there is a dependency first. For example, if a user is to be provisioned to Microsoft Exchange and Active Directory, then the Active Directory user must be approved and provisioned first. Exchange requires data that are provided upon request, and the data is lost when approved before Active Directory.
To work around this situation, you must make another request for Exchange. This time, one request approval task will be raised for Exchange because the user already has Active Directory provisioned. After the request task is approved, Exchange provisioning will go through.
The User Type label on the JGraph screen is displayed incorrectly as Design Console Access. To display User Type, add the line
Xellerate_Type=User Type to the OIM_HOME/server/customResources/customResources.properties file.
When the workflow registration utility is run in a clustered deployment of Oracle Identity Manager, the following error is generated:
[java] oracle.iam.platform.utils.NoSuchServiceException: java.lang.reflect.InvocationTargetException
Ignore the error message.
For Oracle Identity Manager JVM install on a Solaris 64-bit computer, Oracle WebLogic log displays the following error:
Unable to load performance pack. Using Java I/O instead. Please ensure that a native performance library is in:
To workaround this issue, perform the following to ensure that JDK picks up the 64-bit native performance:
In a text editor, open the MIDDLEWARE_HOME/wlserver_10.3/common/bin/commEnv.sh file.
Replace the following:
Save and close the commEnv.sh file.
Restart the application server.
If you enter incorrect credentials for the database on the Create Generic Technology Connector wizard, a system error window is displayed. You must close this window and run the wizard again.
The DSML profile for the SPML Web service is not deployed by default with Oracle Identity Manager 11g Release 1 (11.1.1). SPML-DSML binaries are bundled with the Oracle Identity Manager installer to support Microsoft Active Directory Password Synchronization. You must deploy the spml-dsml.ear file manually.
When you add a new human task to an existing SOA composite, you must ensure that all the copy operations for the attributes in the original human task are added to the new human task. Otherwise, an error could be displayed on the View Task Details page.
A regular account cannot be changed to a service account, and similarly, a service account cannot be changed to a regular account through a Modify Provisioned Resource request.
In the Identity Administration console, when viewing role details from the Members tab, an erroneous icon with the "tooltip" (mouse-over text) of "Query By Example" appears. This "Query By Example" icon is non-functional and should be ignored.
The XL.ForcePasswordChangeAtFirstLogin system property is no longer used in Oracle Identity Manager 11g Release 1 (188.8.131.52). Therefore, forcing the user to change the password at first login cannot be configured. By default, the user must change the password:
When the new user is logging in to Oracle Identity Manager for the first time
When the user is logging in to Oracle Identity Manager for the first time after the password has been reset
The cExportOperationsIntf.findObjects(type,name) API accepts the asterisk (*) wildcard character only for the second parameter, which is name. For type, a catergory must be specified. For example, findObjects("Resource","*") is a valid call, but findObjects("*","*") is not valid.
In the Verify Information for this Access Policy page of the Create/Modify Access Policy wizards opened in Mozilla Firefox Web browser, you click Change for resource to be provisioned by the access policy, and then click Edit to edit the process form data for the resources to be provisioned. If you click the Close button on the Edit form, then the change links for any one of the access policy information sections, such as resources to be provisioned by the access policy, resources to be denied by the access policy, or roles for the access policy, do not work.
To workaround this issue, click Refresh. All the links in the Verify Information for this Access Policy page are enabled.
When you click the Edit link on the IT Resource form in the Advanced Administration, the following error message is logged:
<Error> <XELLERATE.APIS> <BEA-000000> <Class/Method: tcFormDefinitionOperationsBean/getFormFieldPropertyValue encounter some problems: Property 'Column Names' has not defined for the form field '-82'>
The error message is benign and can be ignored because there is no loss of functionality.
After reaching the maximum login attempts, a user is locked in Oracle Identity Manager. But in iPlanet DS/ODSEE, the user is not locked. The orclAccountLocked feature is not supported because the backend iPlanet DS/ODSEE does not support account unlock by setting the Operational attribute. Account is unlocked only with a password reset. The nsaccountlock attribute is available for administrative lockout. The password policies do not use this attribute, but you can use this attribute to independently lock an account. If the password policy locks the account, then nsaccountlock locks the user even after the password policy lockout is gone.
This section describes configuration issues and their workarounds. It includes the following topics:
A Microsoft Active Directory connector installation automatically creates a UDF: USR_UDF_OBGUID. When you add a new user-defined field (UDF), the "searchable" property will be false by default unless you provide a value for that property. After installing an Active Directory connector, you must perform the following steps to make the user-defined field searchable:
Using the Advanced Administration console (user interface), change the "searchable" UDF property to true by performing the following steps:
Click the Advanced tab.
Select User Configuration and then User Attributes.
Modify the USR_UDF_OBGUID attribute in the Custom Attributes section by changing the "searchable" property to true.
Using the Identity Administration console (user interface), create a new Oracle Entitlement Server policy that allows searching the UDF by performing the following steps:
Click the Administration tab and open the Create Authorization policy.
Enter a Policy Name, Description, and Entity Name as User Management.
Select Permission, then View User Details, and then Search User.
Edit the Attributes for View User Details and select all of the attributes.
Select the SYSTEM ADMINSTRATOR role name.
When LDAP synchronization is enabled and you attempt to create or modify a role, entering a role name comprised of approximately 1,000 characters prevents the role from being created or modified and causes a
Decoding Error to appear. To work around this issue, use role names comprised of fewer characters.
Due to an ADF issue, using the Oracle Identity Manager application with the Sun JDK causes a StringIndexOutOfBoundsException error. To work around this issue, add the following option to the DOMAIN_HOME/bin/setSOADomainEnv.sh or the setSOADomainEnv.cmd file:
Open the DOMAIN_HOME/bin/setSOADomainEnv.sh or setSOADomainEnv.cmd file.
Add the -XX:-UseSSE42Intrinsics line to the JVM options.
Save the setSOADomainEnv.sh or setSOADomainEnv.cmd file.
Note:This error does not occur when you use JRockit.
In an Oracle Identity Manager and Oracle Access Manager (OAM) integrated environment, when you login to the Oracle Identity Manager Administrative and User Console and click a link that opens the Nexaweb applet, the applet does not load.
To workaround this issue, configure loading of the NexaWeb Applet in an Oracle Identity Manager and OAM integrated environment. To do so:
Login to the Oracle Access Manager Console.
Create a new Webgate ID. To do so:
Click the System Configuration tab.
Click 10Webgates, and then click the Create icon.
Specify values for the following attributes:
Access Client Password: PASSWORD_FOR_ACCESSING_CLIENT
Host Identifier: IDMDomain
Edit the Webgate ID, as shown:
set 'Logout URL' = /oamsso/logout.html
Deselect the Deny On Not Protected checkbox.
Install a second Oracle HTTP Server (OHS) and Webgate. During Webgate configurations, when prompted for Webgate ID and password, use the Webgate ID name and password for the second Webgate that you provided in step 2c.
Login to the Oracle Access Manager Console. In the Policy Configuration tab, expand Application Domains, and open IdMDomainAgent.
Expand Authentication Policies, and open Public Policy. Remove the following URLs in the Resources tab:
Expand Authorization Policies, and open Protected Resource Policy. Remove the following URLs in the Resources tab:
Restart all the servers.
Update the obAccessClient.xml file in the second Webgate. To do so:
Create a backup of the SECOND_WEBGATE_HOME/access/oblix/lib/ObAccessClient.xml file.
Open the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file.
Note:Ensure that the DenyOnNotProtected parameter is set to 0.
Copy the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file to the SECOND_WEBGATE_HOME/access/oblix/lib/ directory.
Copy the mod_wls_ohs.conf from the FIRST_OHS_INSTANCE_HOME/config/OHS_NAME/directory to the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/ directory. Then, open the mod_wls_host.conf of the second OHS to ensure the WebLogicHost and WeblogicPort are still pointing to Oracle Identity Manager managed server host and port.
Remove or comment out the following lines in the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/httpd.conf file:
<LocationMatch "/oamsso/*"> Satisfy any </LocationMatch>
Copy the logout.html file from the FIRST_WEBGATE_HOME/access/oamsso/ directory to the SECOND_WEBGATE_HOME/access/oamsso/ directory. Then, open the logout.html file of the second Webgate to ensure that the host and port setting of the SERVER_LOGOUTURL variable are pointing to the correct OAM host and port.
Login to Oracle Access Manager Console. In the Policy Configuration tab, expand Host Identifiers, and open the host identifier that has the same name as the second Webgate ID name. In the Operations section, verify that the host and port for the second OHS are listed. If not, then click the add icon (+ sign) to add them. Then, click Apply.
Use the second OHS host and port in the URL for the OAM login page for Oracle Identity Manager. The URL must be in the following format:
When a domain is packed with the managed=false option and unpacked on the another computer, Oracle Identity Manager Authentication Provider is not recognized by WebLogic and basic administrator authentication fails when the Oracle Identity Manager managed server is started.
The following workaround can be applied for performing successful authentication via Oracle Identity Manager Authentication Provider:
Login in to the Oracle WebLogic Administrative Console by using the following URL:
Navigate to Security Realms, Realm(myrealm), and then to Providers.
Note:Make sure that you note the provider-specific details, such as the database URL, password, and driver, before deleting the provider.
Restart the WebLogic Administrative Server.
Navigate to Security Realms, Realm(myrealm), and then to Providers.
Create a new Authentication Provider of type OIMAuthenticationProvider.
Enter the provider specific details and mark the control flag as SUFFICIENT.
Restart the WebLogic Administrative Server.
Restart Oracle Identity Manager and other servers, if any.
While configuring Oracle Identity Manager Design Console, you cannot specify if Design Console is SSL-enabled.
To workaround this issue after installing Oracle Identity Manager Design Console, edit the OIM_HOME/designconsole/config/xlconfig.xml file to change the protocol in the Oracle Identity Manager URL from t3 to t3s.
Deployment Manager and Workflow Visualizer might not work if the client browser has JDK/JRE installed on it whose version is 1.6.0_20. To workaround this issue, uninstall the JDK/JRE version 1.6.0_20 from the client browser and reinstall the JDK/JRE version 1.6.0_15.
This section describes multi-language issues and limitations. It includes the following topics:
Oracle Identity Manager supports only the Display Name attribute for multi-language values. SPML specifies additional attributes, such as commonName and surname, as multi-language valued in the PSO schema. When multiple locale-values are specified in an SPML request for one of these attributes, only a single value is picked and passed to Oracle Identity Manager. The request will not fail and a warning message identifying the attributes and the value that was passed to Oracle Identity Manager is provided in the response.
In Oracle Identity Manager, the user login name is case-insensitive. When a user is created, the login name is converted to upper case and saved in the database. But the password is always case-sensitive. However, some special characters may encounter an error while registering to Oracle Identity Manager:
Both the Greek characters σ (sigma) and ς (final sigma) maps to the Σ character.
Both English character i and Turkish character ı maps to the I character.
Both German character ß and English string SS maps to the SS string.
This means that two user login names containing these special characters when the other characters in the login names are same cannot be created. For example, the user login names Johnß and JohnSS maps to the same user login name. If Johnß already exists, then creation of JohnSS is not allowed because both the ß character and the SS string maps to the SS string.
The Create Role, Modify Role, and Delete Role request templates are not available in the Request Templates list of the Create Request wizard. This is because request creation by using any request template that are based on the Create Role, Modify Role, and Delete Role request models are supported from the APIs, but not in the UI. However, you can search for these request templates in the Request Templates tab. In addition, the Create Role, Modify Role, and Delete Role request models can be used to create approval policies and new request templates.
In the Create Job page of Oracle Identity Manager Advanced Administration, the fields in the Parameter section and their values are not translated. The parameter field names and values are available only in English.
The following are known issues in the legacy user interface, also known as TransUI, contained in the xlWebApp war file:
Hebrew bidirectional is not supported
Workflow designer bidirectional is not supported for Arabic and Hebrew
Localization of role names, categories, and descriptions is not supported in this release.
All Task Name values in the Provisioning Task table list are hard-coded and these pre-defined process task names are not localized.
When you search Scheduler Tasks using a Simple or Advanced search, the search results are not localized.
On the Task Approval Search page, if you select "View Tasks Assigned To", then "Users You Manage", and then choose a user whose login name contains a Turkish Undotted "ı" or a Turkish dotted "İ" character, a User Not Found error will result.
Localizing Notification Template Available Data list values is not supported in this release. Oracle Identity Manager depends upon the Velocity framework to merge tokens with actual values, and Velocity framework does not allow a space in token names.
When you search for entity names containing the special German "ß" (beta) character from the Admin Console, the search fails in the following features:
In these features, the "ß" character matches to "ss" instead of itself. Consequently, the Search function cannot find entity names that contain the German beta character.
Although special characters are supported in Oracle Identity Manager, using the asterisk character (*) can cause some issues. You are advised not to use the asterisk character when creating or modifying user roles and organizations.
Oracle Identity Manager does not support custom resource bundles for Error Message display in user interfaces. Currently, there is no workaround for this issue.
Some of the table data strings on the Reconciliation Event Detail page are hard-coded, customized field names. These strings are not localized.
Included as per bug# 9539501
The password policy help description may run beyond the colored box in some languages and when the string is too long. Currently, there is no workaround for this issue.
When Job Detail page is opened in bi-directional languages, you cannot navigate away from this page because of "Date Format Validation Error". To work around this issue, select a value for the "Start Date" using the date-time control and then move to another page.
On the Japanese locale (LANG=ja_JP.UTF-8), "Fourth Wednesday" is mistranslated as "Fourth Friday" on the Create Job page when "Cron" is selected as the Schedule Type and "Monthly on given weekdays" is selected as the Recurring Interval.
When the server locale is set to ar_AE.utf8 and values for user.language and user.region system properties are ar and AE respectively, if you create a password expiration warning e-mail notification in the Design Console, the value AE is not available for selection in the Region field. As a result, the email notification message cannot be created.
To workaround this issue:
Open the Lookup Definitions form in the Design Console.
Search for 'Global.Lookup.Region'.
Add an entry with Code key and Decode value as 'AE'. You can now create an e-mail definition with language ar and region AE.
When an access policy with approval is created, it generates a resource provisioning request that is subject to approval. In the request details page in Self Service or Advanced Administration, the translated request justification according to the locale setting by the user is not displayed. The justification is displayed in the default server locale.
When you set the Oracle Identity Manager Administrative and User Console locale to French, select the Provisioning and Reconciliation checkboxes while creating a Generic Technology Connector (GTC), and map the reconciliation fields in the page for modifying mapping fields, a message is displayed with two single quotes. You can ignore the single quotes because this is benign and has no effect on functionality.
Documentation Errata: Currently, there are no documentation issues to note.