This chapter describes issues associated with Oracle Adaptive Access Manager. It includes the following topics:
This section describes general user interface issues. It includes the following topics:
The following four conditions have not been translated for this release and display in English in non-English browsers:
Check to see if the ASN for the current IP address is (or is not) in the ASN group
Compare Transaction Counts across two different durations
Checks if user's OTP failure counter value over a specified value
IP is valid, unknown or private
In the Sessions Details page for sessions which contain alerts, the Trigger Source column is empty.
By default, the Session Details page does not display the trigger sources if the execution time for alerts is less than 2000 millisecond (2000 ms) since detailed logging is dependent on the execution time.
The property that controls this threshold and logging is
# Int property determining minimum time required for detailed logging vcrypt.tracker.rulelog.detailed.minMillis=2000
After changing the property, print
Note: Changing the property influences only new sessions.
This section describes scheduler issues and workarounds. It includes the following topics:
If the job is canceled, its next recurrence does not appear in the Job Queue.
Pause and Cancel Job statuses do not display in the Job Instance tab when a job is canceled or paused. However, the Job Instance tab does show the status (record) at the next scheduled job instance.
In the Job Log tab of the Job Queue page, the Process Start Time and Process End Time columns display in the
yyyy-mm-dd format even if the browser is not set to English.
Changing the schedule parameters of a scheduled job does not affect the next recurrence of the job if the start date and time have not been changed. If a non-recurring job is changed to a recurring job, the scheduled recurrence does not occur if there is no change to the start date and time.
When a user clicks the Search button in the online Jobs page, a warnings may appear in the log. There is no loss of functionality.
When the user clicks the Create Job dialog, an error may result occasionally. To work around this issue, log out or close the browser and open a new browser to log back in.
Errors occur when creating a new job in the OAAM Offline environment. The workaround is to close the browser and start the application again.
This section describes policy management issues and workarounds. It includes the following topics:
When using the
processRules OAAM Server API, users should be aware that the rule result returned by the API call may have attributes
The following attributes returned by
processRules API are not set:
In the rule listing, the search and sort may not work properly on the Notes column. The search result may include rows that do not contain the search keyword.
Groups used in Score Overrides and Action Overrides are deleted without a warning message.
Exclude IP List, was added to the following conditions:
Device: Velocity from last login
User: Velocity from last login
This parameter allows you to specify a list of IPs to ignore. If a user's IP is from that list, then this condition always evaluates to false. If the user's IP is not in that list or if the list is null or empty, then the condition evaluates the velocity of the user or the device from the last login and evaluates to true if the velocity exceeds the configured value.
This section describes Transaction API issues.
NullPointerException error on the client side occurs for the
createTransactions APIs when one of the transactions in the array is
null. The server only returns
success responses and the
failed one is ignored.
This section describes an OTP issue.
This section describes UIO Proxy issues and workarounds. It includes the following topics:
Filters are used in the proxy to modify
HTTP request/response contents or modify the state information saved in the proxy (variables). The following filters are not evaluating variables in the value:
send-to-server action in the response interceptor is used without the
display-url, the UIO ISA Proxy redirects the user to an incorrect location and does not display an error.
In an Apache Memcached environment, warnings are shown in the log during the user login flow. The functionality is not impacted.
This section describes an integration issue.
namevalueprofile APIs return empty values:
This section describes OAAM BI Publisher reports and Sessions issues and workarounds. It includes the following topics:
OAAM BI Publisher reports are not working on BI Publisher 11g.
In the Session Details page, sometimes the checkpoint execution display order may not be the same as the execution order.
When the user tries to access an alert details page from an alert message link in the Session Details page, the page fails to open.
To work around this issue, use the alert message link on the Session Search page.
This section describes an issue with the Export function.
This section describes globalization issues and workarounds. It includes the following topics:
The following information is supported in English only in this release:
Alert messages in the standard policies packaged with Oracle Adaptive Access Manager
Action values in the RulesBreakdown and RecentLogin OAAM BI Publisher reports
Notes for Action Templates
Policy, rule, and action are not displayed in their translated values in the Dashboard table. The issues are listed below:
Locations: The Actions table in the Location dashboard does not display the translated value for actions when non-English content is viewed.
Security: The Rules table in the Security dashboard does not display the Policy name, Rule name and Action in the browser's locale when non-English content is viewed.
Performance: The Rules table in the Performance dashboard does not display the translated value for policy names when non-English content is viewed.
On a few OAAM Administration pages, for fields with tooltips that say "Enter between 0 and 4000 characters", OAAM accepts input of up to 4000 non-ASCII characters but cannot save the non-ASCII string (for example, Chinese) if it contains more than 4000 bytes.
With UTF-8 encoding, one non-ASCII character uses 1, 2, 3 or 4 byte(s) to store in the database, so 4000 non-ASCII characters require more than 4000 bytes, which is the maximum size of the VARCHAR2 type field.
XMLDOMException may occur while saving the search criteria if certain characters, such as fullwidth digits (Unicode U+FF10 through U+FF19) are used. To work around this issue, substitute the characters with more ordinary equivalents (for example, ASCII digits 0 through 9 instead of fullwidth digits).
The Date of Last Online Action field uses the date format
yyyy-mm-dd rather than the browser locale's date format. This occurs in the Registration Information panel on the Summary tab of the User Details page.
With a 126.96.36.199.0 refresh installation and restore of pre-defined data from the
oaam_base_snapshot.zip, sorting might not work properly for Group Name, Pattern Name, Entity Name and Description, Action Templates Name, KBA Validation Name and KBA Category Name in a non-English environment.
Some rules, groups, and other items are displayed in English when the 188.8.131.52.0 base snapshot is imported into the system.
This section describes the following configuration issue and its workaround:
The WebLogic Console provides an option to specify the
session timeout for an application but changing this value does not work for OAAM Admin. The
session timeout value should be configurable when OAAM is deployed.
The workaround to configure the
session timeout value is to configure the
session timeout in the WebLogic application server using the deployment plan feature. The steps are as follows:
Generate deployment plan from the existing non-plan based deployment.
The URL for a WebLogic deployment plan example is:
Edit the plan.xml.
Add a variable definition for the custom
session timeout in minutes.
... <variable-definition> <variable> <name>mySessionTimeOut</name> <value>60</value> </variable> </variable-definition> ...
Override the desired web application
web.xml as follows:
<module-override> <module-name>oaam_admin.war</module-name> ... <module-descriptor external="false"> <root-element>web-app</root-element> <uri>WEB-INF/web.xml</uri> <variable-assignment> <name>mySessionTimeOut</name> <xpath>/web-app/session-config/session-timeout</xpath> </variable-assignment> </module-descriptor> ...
Then, select the application
oaam_admin.ear and click the Update button in the deployment list
Select the plan path and redeploy the application.
Ignore any shared library warnings.
Make sure your
config-root is the application
Restart all the servers.
This section describes documentation errata for the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager, part number E14568, the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager, part number E15480, and the OAAM sections of the Oracle Fusion Middleware Installation Guide for Oracle Identity Management, part number E12002. It includes the following topics:
The procedure to load location data into the Oracle Adaptive Access Manager database is not correct in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management. The location of the
sample.bharosa_location.properties file is documented as
oaam/WEB-INF/classes. The correct location for
The corrected text is provided below:
Load Location Data into the Oracle Adaptive Access Manager database as follows:
Configure the IP Location Loader script, as described in the topics "OAAM Command Line Interface Scripts" and "Importing IP Location Data" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
Make a copy of the
sample.bharosa_location.properties file, which is located under the
<ORACLE_MW_HOME>/<IAM_HOME>/oaam/cli directory. Enter location data details in the
location.data properties, as in the following examples:
location.data.provider=quova location.data.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.dat.gz location.data.ref.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.ref.gz location.data.anonymizer.file=/tmp/quova/anonymizers_2008-07-09.dat.gz
Run the loader on the command line as follows:
Note:If you wish to generate CSF keys or passwords manually, see the "Setting Up Encryption and Database Credentials for OAAM" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
In the Oracle Fusion Middleware Installation Guide for Oracle Identity Management, a separate step is given to import KBA questions after importing the snapshot. Importing KBA questions is duplication and redundant since importing the snapshot imports KBA questions by default.
The property for setting up rules logging in OAAM Offline is incorrect in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager. With property
vcrypt.tracker.rules.trace.policySet.min.ms = 100, rules logs are not processed. The value to
vcrypt.tracker.rules.trace.policySet.min.ms must be changed to
Rule logging for detailed information can be turned on by setting: