19 Oracle Adaptive Access Manager

This chapter describes issues associated with Oracle Adaptive Access Manager. It includes the following topics:

19.1 General User Interface

This section describes general user interface issues. It includes the following topics:

19.1.1 A Few Conditions in the Base Snapshot Are Not Translated

The following four conditions have not been translated for this release and display in English in non-English browsers:

  • Check to see if the ASN for the current IP address is (or is not) in the ASN group

  • Compare Transaction Counts across two different durations

  • Checks if user's OTP failure counter value over a specified value

  • IP is valid, unknown or private

19.1.2 Alert Trigger Sources Are Not Being Displayed in Session Details Page

In the Sessions Details page for sessions which contain alerts, the Trigger Source column is empty.

By default, the Session Details page does not display the trigger sources if the execution time for alerts is less than 2000 milliseconds (2000 ms), because detailed logging depends on the execution time.

The property that controls this threshold and logging is

# Int property determining minimum time required for detailed logging
vcrypt.tracker.rulelog.detailed.minMillis=2000

After changing the property, print vcrypt.tracker.rulelog.detailed.minMillis=<value>.

Note: Changing the property influences only new sessions.

19.2 Scheduler

This section describes scheduler issues and workarounds. It includes the following topics:

19.2.1 Job Queue Does Not Display Next Recurrence For Canceled Jobs

If the job is canceled, its next recurrence does not appear in the Job Queue.

19.2.2 Pause and Cancel Job Status Is Not Displayed in the Job Instance Tab

Pause and Cancel Job statuses do not display in the Job Instance tab when a job is canceled or paused. However, the Job Instance tab does show the status (record) at the next scheduled job instance.

19.2.3 Job Queue Process Start and End Time Does Not Follow the Browser Language Setting

In the Job Log tab of the Job Queue page, the Process Start Time and Process End Time columns display in the yyyy-mm-dd format even if the browser is not set to English.

19.2.4 Changing the Schedule Parameters Does Not Affect Next Recurrence

Changing the schedule parameters of a scheduled job does not affect the next recurrence of the job if the start date and time have not been changed. If a non-recurring job is changed to a recurring job, the scheduled recurrence does not occur if there is no change to the start date and time.

19.2.5 When Searching for an Online Job a Warning Might Appear in the Log

When a user clicks the Search button in the online Jobs page, a warning may appear in the log. There is no loss of functionality.

19.2.6 When the Create Job Dialog is Clicked an Error Might Display

When the user clicks the Create Job dialog, an error may result occasionally. To work around this issue, log out or close the browser and open a new browser to log back in.

19.2.7 Errors Are Seen When Creating a New Job

Errors occur when creating a new job in the OAAM Offline environment. The workaround is to close the browser and start the application again.

19.3 Policy Management

This section describes policy management issues and workarounds. It includes the following topics:

19.3.1 Some Attributes of Returned Rules Result Not Set

When using the processRules OAAM Server API, users should be aware that the rule result returned by the API call may have attributes empty or null.

The following attributes returned by processRules API are not set:

  • alertIdList

  • transactionLogId

  • runTimeType

  • session Id

19.3.2 Search with Rule Notes Keyword is Not Working Properly

In the rule listing, the search and sort may not work properly on the Notes column. The search result may include rows that do not contain the search keyword.

19.3.3 Database Error Occurs When Deleting an Action or Alert Group in a Policy Override

Groups used in Score Overrides and Action Overrides are deleted without a warning message.

19.3.4 Exclude IP List Parameter Was Added to the User and Device Velocity Rule Conditions

A parameter, Exclude IP List, was added to the following conditions:

  • Device: Velocity from last login

  • User: Velocity from last login

This parameter allows you to specify a list of IPs to ignore. If a user's IP is from that list, then this condition always evaluates to false. If the user's IP is not in that list or if the list is null or empty, then the condition evaluates the velocity of the user or the device from the last login and evaluates to true if the velocity exceeds the configured value.
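
The evaluation order described above, written out as an added example (this is not OAAM code). It assumes velocity means great-circle distance divided by elapsed time, in miles per hour; the function names, the record layout, and the sample logins are hypothetical and constructed for illustration.

```python
import ipaddress
import math
from datetime import datetime

EARTH_RADIUS_MILES = 3958.8

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def velocity_condition(current, last, max_mph, exclude_ips=None):
    """Return True when the speed implied by two logins exceeds max_mph.

    current/last: dicts with 'ip', 'time' (datetime) and 'geo' (lat, lon).
    exclude_ips: None, empty, or a list of IP address strings to ignore.
    """
    if exclude_ips:  # a null or empty list excludes nothing
        excluded = {ipaddress.ip_address(ip) for ip in exclude_ips}
        if ipaddress.ip_address(current["ip"]) in excluded:
            return False  # IP is on the list: condition always evaluates to false
    miles = miles_between(last["geo"], current["geo"])
    hours = (current["time"] - last["time"]).total_seconds() / 3600
    if hours <= 0:
        # Assumption: with no elapsed time, any change of location counts as exceeding.
        return miles > 0
    return miles / hours > max_mph

# Constructed sample logins: documentation-range IPs, approximate city coordinates.
LAST_LOGIN = {"ip": "198.51.100.7", "time": datetime(2024, 1, 1, 9, 0),
              "geo": (40.7128, -74.0060)}   # New York
THIS_LOGIN = {"ip": "203.0.113.10", "time": datetime(2024, 1, 1, 10, 0),
              "geo": (51.5074, -0.1278)}    # London, one hour later

if __name__ == "__main__":
    print(velocity_condition(THIS_LOGIN, LAST_LOGIN, 600))
    print(velocity_condition(THIS_LOGIN, LAST_LOGIN, 600, ["203.0.113.10"]))
```

Every address on the Exclude IP List is one for which this condition can never trigger, so the list is worth reviewing whenever the rule is audited.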

19.4 Transactions

This section describes Transaction API issues.

19.4.1 NullPointerException Occurs for UpdateTransaction and createTransaction APIs When Transaction is Null

A NullPointerException error on the client side occurs for the updateTransactions and createTransactions APIs when one of the transactions in the array is null. The server only returns success responses and the failed one is ignored.

19.5 OTP

This section describes an OTP issue.

19.5.1 java.lang.NullPointerException Occurs When GETOTPCODE Returns Error Response

A java.lang.NullPointerException occurs when a user tries to call toString on the returned response that contains an error.

19.6 Proxy

This section describes UIO Proxy issues and workarounds. It includes the following topics:

19.6.1 UIO ISA Proxy: Certain Filters Are Not Evaluating the Variable in Value

Filters are used in the proxy to modify HTTP request/response contents or modify the state information saved in the proxy (variables). The following filters are not evaluating variables in the value:

  • SetVariable

  • AddHeader

  • AddResponseCookie

  • AddRequestCookie

  • ReplaceText

19.6.2 UIO ISA Proxy: the Send-to-Server in Response Interceptor Fails Without Error Message

When the send-to-server action in the response interceptor is used without the display-url, the UIO ISA Proxy redirects the user to an incorrect location and does not display an error.

19.6.3 Warnings are Displayed in Memcached Environment During User Login

In an Apache Memcached environment, warnings are shown in the log during the user login flow. The functionality is not impacted.

19.7 Integration

This section describes an integration issue.

19.7.1 NameValueProfile APIs Return Empty Values

The following namevalueprofile APIs return empty values:

  • getNameValueProfile

  • saveNameValueProfile

  • refreshNameValueProfile

19.8 Reports

This section describes OAAM BI Publisher reports and Sessions issues and workarounds. It includes the following topics:

19.8.1 OAAM BI Publisher Reports Are Not Working in BI Publisher 11g

OAAM BI Publisher reports are not working on BI Publisher 11g.

19.8.2 Session Details Checkpoint Panel Order Sometimes Randomized

In the Session Details page, sometimes the checkpoint execution display order may not be the same as the execution order.

19.8.3 Alert Message Link in Session Details Page Does Not Open the Alert Details

When the user tries to access an alert details page from an alert message link in the Session Details page, the page fails to open.

To work around this issue, use the alert message link on the Session Search page.

19.9 Export

This section describes an issue with the Export function.

19.9.1 Export Session Is Not Exporting All Records

Export Sessions to Excel exports selected rows only in the current set of visible 25 rows.

19.10 Globalization

This section describes globalization issues and workarounds. It includes the following topics:

19.10.1 Localization Limitations

The following information is supported in English only in this release:

  • Alert messages in the standard policies packaged with Oracle Adaptive Access Manager

  • Action values in the RulesBreakdown and RecentLogin OAAM BI Publisher reports

  • Notes for Action Templates

19.10.2 Policy, Rule, and Action in the OAAM Dashboard Do Not Pick Up L10N Value

Policy, rule, and action are not displayed in their translated values in the Dashboard table. The issues are listed below:

  • Locations: The Actions table in the Location dashboard does not display the translated value for actions when non-English content is viewed.

  • Security: The Rules table in the Security dashboard does not display the Policy name, Rule name and Action in the browser's locale when non-English content is viewed.

  • Performance: The Rules table in the Performance dashboard does not display the translated value for policy names when non-English content is viewed.

19.10.3 NLS: Descriptions in Non-ASCII Characters Fails to Save Maximum Length

On a few OAAM Administration pages, for fields with tooltips that say "Enter between 0 and 4000 characters", OAAM accepts input of up to 4000 non-ASCII characters but cannot save the non-ASCII string (for example, Chinese) if it contains more than 4000 bytes.

With UTF-8 encoding, one non-ASCII character uses 1, 2, 3 or 4 byte(s) to store in the database, so 4000 non-ASCII characters require more than 4000 bytes, which is the maximum size of the VARCHAR2 type field.

19.10.4 XMLDOMException Occurs When Saving Searches

An XMLDOMException may occur while saving the search criteria if certain characters, such as fullwidth digits (Unicode U+FF10 through U+FF19) are used. To work around this issue, substitute the characters with more ordinary equivalents (for example, ASCII digits 0 through 9 instead of fullwidth digits).
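
A pre-submission check covering the two limitations in 19.10.3 and 19.10.4, as an added example (not part of OAAM or of the original release notes). It measures text in UTF-8 bytes against the 4000-byte limit and replaces fullwidth digits with ASCII digits; the function names are hypothetical.

```python
MAX_BYTES = 4000  # VARCHAR2 field size stated in 19.10.3

# U+FF10..U+FF19 (fullwidth digits) mapped to ASCII '0'..'9', per 19.10.4.
FULLWIDTH_DIGITS = {0xFF10 + d: ord("0") + d for d in range(10)}

def normalize_digits(text):
    """Replace fullwidth digits with their ASCII equivalents."""
    return text.translate(FULLWIDTH_DIGITS)

def utf8_len(text):
    """Number of bytes the text occupies once encoded as UTF-8."""
    return len(text.encode("utf-8"))

def fit_to_bytes(text, limit=MAX_BYTES):
    """Longest prefix of text that fits in limit bytes without splitting a character."""
    raw = text.encode("utf-8")
    if len(raw) <= limit:
        return text
    # Cutting at a byte offset can leave a partial multi-byte sequence at the
    # end; errors="ignore" drops only that incomplete trailing character.
    return raw[:limit].decode("utf-8", errors="ignore")

def precheck(text, limit=MAX_BYTES):
    """Summarize whether a field value can be saved, and what would fit."""
    cleaned = normalize_digits(text)
    size = utf8_len(cleaned)
    return {
        "text": cleaned,
        "chars": len(cleaned),
        "bytes": size,
        "fits": size <= limit,
        "max_safe": fit_to_bytes(cleaned, limit),
    }

if __name__ == "__main__":
    sample = "漢" * 4000  # constructed input: 4000 characters, 3 bytes each
    report = precheck(sample)
    print(report["chars"], report["bytes"], report["fits"], len(report["max_safe"]))
    print(normalize_digits("２０２４-01"))
```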

19.10.5 Date Format May Not Follow the Browser Language Setting in User Details

The Date of Last Online Action field uses the date format yyyy-mm-dd rather than the browser locale's date format. This occurs in the Registration Information panel on the Summary tab of the User Details page.

19.10.6 Sort for NLS String Might Not Work Properly for Out-of-the-Box Objects

With an 11.1.1.5.0 refresh installation and restore of pre-defined data from the oaam_base_snapshot.zip, sorting might not work properly for Group Name, Pattern Name, Entity Name and Description, Action Templates Name, KBA Validation Name and KBA Category Name in a non-English environment.

19.10.7 A Few Objects from the OAAM_BASE_SNAPSHOT.ZIP Appear in English Only

Some rules, groups, and other items are displayed in English when the 11.1.1.5.0 base snapshot is imported into the system.

19.11 Configuration Issues and Workarounds

This section describes the following configuration issue and its workaround:

19.11.1 Specifying Timeout Session Option in WebLogic Does Not Work for OAAM

The WebLogic Console provides an option to specify the session timeout for an application but changing this value does not work for OAAM Admin. The session timeout value should be configurable when OAAM is deployed.

The workaround to configure the session timeout value is to configure the web.xml session timeout in the WebLogic application server using the deployment plan feature. The steps are as follows:

  1. Generate deployment plan from the existing non-plan based deployment.

    The URL for a WebLogic deployment plan example is:

    http://www.slideshare.net/jambay/weblogic-deployment-plan-example

  2. Edit the plan.xml.

    1. Add a variable definition for the custom session timeout in minutes.

         ... 
         <variable-definition> 
           <variable> 
             <name>mySessionTimeOut</name> 
             <value>60</value> 
           </variable> 
         </variable-definition> 
         ... 
      
    2. Override the desired web application oaam_admin.war's web.xml as follows:

         <module-override>
           <module-name>oaam_admin.war</module-name>
           ...
           <module-descriptor external="false">
             <root-element>web-app</root-element>
             <uri>WEB-INF/web.xml</uri>
             <variable-assignment>
               <name>mySessionTimeOut</name>
               <xpath>/web-app/session-config/session-timeout</xpath>
             </variable-assignment>
           </module-descriptor>
           ...
         </module-override>
      
  3. Then, select the application oaam_admin.ear and click the Update button in the deployment list.

  4. Select the plan path and redeploy the application.

    Ignore any shared library warnings.

  5. Make sure your config-root is the application ear directory.

  6. Restart all the servers.
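
A check that can be run against an edited plan.xml before redeploying, as an added example (not Oracle tooling). It confirms that the session-timeout assignment for oaam_admin.war refers to a variable that is actually defined and reports the value in minutes. The sample plan is constructed, and it assumes the plan uses the standard WebLogic deployment-plan namespace.

```python
import xml.etree.ElementTree as ET

NS = {"dp": "http://xmlns.oracle.com/weblogic/deployment-plan"}
TIMEOUT_XPATH = "/web-app/session-config/session-timeout"

# Constructed sample plan, following the two fragments shown in step 2.
SAMPLE_PLAN = """<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan">
  <variable-definition>
    <variable>
      <name>mySessionTimeOut</name>
      <value>60</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>oaam_admin.war</module-name>
    <module-descriptor external="false">
      <root-element>web-app</root-element>
      <uri>WEB-INF/web.xml</uri>
      <variable-assignment>
        <name>mySessionTimeOut</name>
        <xpath>/web-app/session-config/session-timeout</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
"""

def session_timeout_minutes(plan_xml, module="oaam_admin.war"):
    """Return the timeout the plan applies to the module's web.xml, or raise ValueError."""
    root = ET.fromstring(plan_xml)
    defined = {v.findtext("dp:name", namespaces=NS): v.findtext("dp:value", namespaces=NS)
               for v in root.findall("dp:variable-definition/dp:variable", NS)}
    for mod in root.findall("dp:module-override", NS):
        if mod.findtext("dp:module-name", namespaces=NS) != module:
            continue
        for asg in mod.findall("dp:module-descriptor/dp:variable-assignment", NS):
            if (asg.findtext("dp:xpath", namespaces=NS) or "").strip() != TIMEOUT_XPATH:
                continue
            name = asg.findtext("dp:name", namespaces=NS)
            if name not in defined:
                raise ValueError(f"variable {name!r} is assigned but never defined")
            return int(defined[name])  # a non-numeric value also raises ValueError
    raise ValueError(f"no session-timeout assignment found for {module}")

if __name__ == "__main__":
    print(session_timeout_minutes(SAMPLE_PLAN))
```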

19.12 Documentation Errata

This section describes documentation errata for the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager, part number E14568, the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager, part number E15480, and the OAAM sections of the Oracle Fusion Middleware Installation Guide for Oracle Identity Management, part number E12002. It includes the following topics:

19.12.1 Incorrect File Location for sample.bharosa_location.properties

The procedure to load location data into the Oracle Adaptive Access Manager database is not correct in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management. The location of the sample.bharosa_location.properties file is documented as oaam/WEB-INF/classes. The correct location for sample.bharosa_location.properties is <ORACLE_MW_HOME>/<IAM_HOME>/oaam/cli.

The corrected text is provided below:

Load Location Data into the Oracle Adaptive Access Manager database as follows:

  1. Configure the IP Location Loader script, as described in the topics "OAAM Command Line Interface Scripts" and "Importing IP Location Data" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

  2. Make a copy of the sample.bharosa_location.properties file, which is located under the <ORACLE_MW_HOME>/<IAM_HOME>/oaam/cli directory. Enter location data details in the location.data properties, as in the following examples:

    location.data.provider=quova
    location.data.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.dat.gz
    location.data.ref.file=/tmp/quova/EDITION_Gold_2008-07-22_v374.ref.gz
    location.data.anonymizer.file=/tmp/quova/anonymizers_2008-07-09.dat.gz
    
  3. Run the loader on the command line as follows:

    On Windows: loadIPLocationData.bat

    On UNIX: ./loadIPLocationData.sh

    Note:

    If you wish to generate CSF keys or passwords manually, see the "Setting Up Encryption and Database Credentials for OAAM" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

19.12.2 A Separate Step to Import KBA Questions Is Redundant in OAAM Setup

In the Oracle Fusion Middleware Installation Guide for Oracle Identity Management, a separate step is given to import KBA questions after importing the snapshot. This step is redundant, because importing the snapshot imports KBA questions by default.

19.12.3 Rules Logging Property Setting for OAAM Offline Is Not Correct

The property for setting up rules logging in OAAM Offline is incorrect in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager. With the property vcrypt.tracker.rules.trace.policySet.min.ms = 100, rules logs are not processed. The value of vcrypt.tracker.rules.trace.policySet.min.ms must be changed to -1.

Rule logging for detailed information can be turned on by setting:

vcrypt.tracker.rules.trace.policySet=true
vcrypt.tracker.rules.trace.policySet.min.ms=-1