20 Oracle Entitlements Server

This chapter describes issues associated with Oracle Entitlements Server. It includes the following topics:

20.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topic:

20.1.1 Using Backslash on Oracle Internet Directory Policy Store

When a backslash (\) is used in a policy object name and the backslash is followed by either a pound sign (#) or two hex characters ([a-fA-f_0-9][a-fA-f_0-9]), searches for the object may not work as expected. The issue has been observed when either a Resource Type name, or a Resource name and action association, contains such a value, causing queries of permission sets by Resource Type, Resource name or action to fail.

WORKAROUND:

Avoid using these values in policy object names.
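As an added illustration (not part of the release note), the check below flags policy object names that contain the sequences described above, so they can be rejected before they reach the OID policy store; the `rfc4514_unescape` helper shows what an LDAP DN parser makes of such a name. The reading of the hex class as the digits 0-9, a-f, A-F, and the explanation that the mismatch comes from LDAP DN escaping, are assumptions of this example, not statements from the note.

```python
import re

# Sequences the release note identifies as unsafe in a policy object name on the
# OID policy store: a backslash followed by '#' or by two hex digits. (The note
# writes the hex class as [a-fA-f_0-9]; it is read here as 0-9, a-f, A-F.)
_UNSAFE_BACKSLASH = re.compile(r"\\(#|[0-9A-Fa-f]{2})")


def unsafe_backslash_sequences(name):
    """Return every unsafe backslash sequence found in a policy object name.
    An empty list means the name is safe to use for a Resource Type, Resource
    name or action on the OID policy store."""
    return [m.group(0) for m in _UNSAFE_BACKSLASH.finditer(name)]


def is_safe_policy_name(name):
    """True when the name contains none of the sequences the note warns about."""
    return not unsafe_backslash_sequences(name)


def rfc4514_unescape(value):
    """Decode a string the way an LDAP DN parser does (RFC 4514): '\\XX' is one
    hex-encoded byte and '\\c' is the literal character c. Assumption (not stated
    in the note): this is why such names are not found again, e.g. the stored
    name 'Res\\41Type' reads back as 'ResAType'."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))   # \XX -> the byte 0xXX
                i += 3
                continue
            out.extend(value[i + 1].encode("utf-8"))  # \c -> c ('\#' -> '#')
            i += 2
            continue
        out.extend(ch.encode("utf-8"))
        i += 1
    return out.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample names, not taken from any real policy store.
    for name in ["Sales\\#Reports", "Res\\41Type", "Res\\gType", "PlainName"]:
        print(f"{name!r:20} unsafe={unsafe_backslash_sequences(name)} "
              f"reads back as {rfc4514_unescape(name)!r}")
```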

20.1.2 Performance Tuning the Oracle Database Policy Store

The Oracle dbms_stats package can be used to improve data migration performance on an Oracle database policy store. The exact SQL command to be executed is:

  EXEC DBMS_STATS.gather_schema_stats('DEV_OPSS',DBMS_STATS.AUTO_SAMPLE_SIZE,no_invalidate=>FALSE);

where DEV_OPSS is the schema owner being used for the database policy store. You can use the other two parameters as illustrated.

WORKAROUND:

You can run this DBMS_STATS call periodically using either of the options below:

  • Use DBMS_JOB.

    1. Copy and paste the following code to a SQL script.

      In this example, the job will be executed every 10 minutes.

      -- Submit a DBMS_JOB that gathers DEV_OPSS schema statistics every 10 minutes
      variable jobno number;
      BEGIN
        DBMS_JOB.submit
          (job      => :jobno,
           what     => 'DBMS_STATS.gather_schema_stats(''DEV_OPSS'',DBMS_STATS.AUTO_SAMPLE_SIZE,no_invalidate=>FALSE);',
           interval => 'SYSDATE+(10/24/60)');
        COMMIT;
      END;
      /
      -- end of sql script
      
    2. Log in to SQL*Plus as the schema owner (for example, DEV_OPSS), not as a SYS user.

    3. Run the SQL script.

      To find the job ID of the job submitted by the script you ran, connect as SYSDBA (the dba_jobs view requires it) and execute the following:

      sqlplus '/as sysdba'
      SELECT job FROM dba_jobs
       WHERE schema_user = 'DEV_OPSS'
         AND what = 'DBMS_STATS.gather_schema_stats(''DEV_OPSS'',DBMS_STATS.AUTO_SAMPLE_SIZE,no_invalidate=>FALSE);';
      

      To remove the job, log in to SQL*Plus as the schema owner (for example, DEV_OPSS, not a SYS user) and run the following SQL command, where 27 is the job ID returned by the query above:

      EXEC DBMS_JOB.remove(27);
      
  • Use a cron job or a shell script to execute the SQL command.

    # run dbms_stats periodically
    ./runopssstats.sh

    # runopssstats.sh content is below (the #!/bin/sh line must be the first line of the file).
    # In this example, the command is executed every 10 minutes, 1000 times.
    #!/bin/sh
    # Note: a password given on the sqlplus command line is visible to other local
    # users in the process list (ps); a protected credential file avoids that.
    i=1
    while [ $i -le 1000 ]
    do
        echo $i
        sqlplus dev_opss/welcome1@inst1 @opssstats.sql
        sleep 600
        i=`expr $i + 1`
    done
    # end of sh

    -- opssstats.sql (EXEC is a SQL*Plus command, so it must stay on one line)
    EXEC DBMS_STATS.gather_schema_stats('DEV_OPSS',DBMS_STATS.AUTO_SAMPLE_SIZE,no_invalidate=>FALSE);
    QUIT;
    -- end of sql


20.1.3 Action Bar Disappears When Using Internet Explorer 7

If you are using Internet Explorer 7 and select a role or user from an Administrator Role under System Configuration -> System Administrators, the action bar disappears; as a result, External Role Mappings and External User Mappings cannot be deleted.

WORKAROUND:

This issue is specific to Internet Explorer 7. Use Firefox 3.

20.1.4 Re-created Application May Not Be Distributed in Controlled Mode

In some cases, when the PDP Service is running in controlled mode, if one Application object is deleted from the policy store and re-created using the same name, the change may not be distributed to the PDP Service. This is because the Application in the local cache has a higher version than the one in the policy store.

WORKAROUND:

Remove the local cache files for the PDP service and restart the PDP Service instance. The oracle.security.jps.runtime.pd.client.localpolicy.work_folder configuration parameter defines the path to the cache. The default value is <SM_INSTANCE>/config/work/.

20.1.5 Enterprise Manager Doesn't Pick Up Newly Added Audit Events

component_events.xml is the audit event definition file used by configuration tools (such as Enterprise Manager and the WebLogic Scripting Tool) and by the audit runtime and database loader. You need to modify the component_events.xml file to ensure that Enterprise Manager picks up all newly added events in the Low and Medium lists.

WORKAROUND:

  1. Log out of Enterprise Manager.

  2. Open the component_events.xml file.

    This file is located in the $IDM_OPSS_ORACLE_HOME/modules/oracle.iau_11.1.1/components/JPS/ directory.

  3. Search for <FilterPresetDefinition name="Low">.

  4. In the event list, change purgeDistributionStatus to PurgeDistributionStatus.

    Note the capitalization.

  5. Search for <FilterPresetDefinition name="Medium">.

  6. In the event list, change purgeDistributionStatus to PurgeDistributionStatus.

    Note the capitalization.

  7. Save the file and close it.

  8. Start Enterprise Manager.
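Steps 3 to 6 can be scripted so that the rename is applied only inside the Low and Medium preset definitions and the number of edits can be verified before the file is saved. The example below is added here and is not part of the release note or the product; the sample XML is constructed to have the shape the steps describe, and the real component_events.xml will differ in everything except the FilterPresetDefinition start tags the steps tell you to search for.

```python
import re

# Constructed sample in the shape the workaround describes (a real
# component_events.xml is much larger): preset definitions named Low, Medium and
# High, each holding an event list that names purgeDistributionStatus.
SAMPLE_COMPONENT_EVENTS = """<AuditConfig>
  <FilterPresetDefinition name="Low">
    <Events>
      <Event name="purgeDistributionStatus"/>
      <Event name="createApplication"/>
    </Events>
  </FilterPresetDefinition>
  <FilterPresetDefinition name="Medium">
    <Events>
      <Event name="purgeDistributionStatus"/>
    </Events>
  </FilterPresetDefinition>
  <FilterPresetDefinition name="High">
    <Events>
      <Event name="purgeDistributionStatus"/>
    </Events>
  </FilterPresetDefinition>
</AuditConfig>
"""

# Matches one complete Low or Medium preset block, start tag to end tag.
_PRESET = re.compile(
    r'(<FilterPresetDefinition name="(?:Low|Medium)">)(.*?)(</FilterPresetDefinition>)',
    re.DOTALL,
)


def fix_purge_event_name(xml_text):
    """Apply steps 3 to 6: rename purgeDistributionStatus to PurgeDistributionStatus
    inside the Low and Medium preset definitions only. Returns the edited text and
    the number of replacements, so the caller can confirm exactly two were made."""
    total = 0

    def _fix_block(match):
        nonlocal total
        body, n = re.subn(r"\bpurgeDistributionStatus\b",
                          "PurgeDistributionStatus", match.group(2))
        total += n
        return match.group(1) + body + match.group(3)

    return _PRESET.sub(_fix_block, xml_text), total


if __name__ == "__main__":
    fixed, count = fix_purge_event_name(SAMPLE_COMPONENT_EVENTS)
    print(f"{count} event name(s) corrected")  # 2; the High preset is untouched
    print(fixed)
```

Running it a second time over the corrected text makes no further changes, which is a quick way to confirm the file was already fixed.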

20.1.6 Attributes Passed to Authorization Request Are Treated as Case Sensitive

When using the PEP API, the names of the attributes passed in the authorization request must be in the same case as the names used in the policies.

20.1.7 Audit Schema Definitions are Incomplete

The IAUOES audit schema is not synchronized with Oracle Entitlements Server event definitions, so it does not contain the necessary columns for this component. Consequently, data cannot be stored in the appropriate columns and audit reports cannot be run against Oracle Entitlements Server data.

WORKAROUND - Option 1

Use this option if RCU has not yet been run. The steps are:

  1. Locate JPS.sql at this location:

    $RCU_HOME/rcu/integration/iauoes/scripts/JPS.sql
    

    Modify the file permission, making the file writable.

  2. Copy over the file:

    $IDM_OPSS_ORACLE_HOME/modules/oracle.iau_11.1.1/sql/scripts/JPS.sql
    

    to:

    $RCU_HOME/rcu/integration/iauoes/scripts/JPS.sql
    
  3. Run RCU to create the IAUOES schema.

WORKAROUND - Option 2

Use this option if RCU has already been run. The steps are:

  1. Copy over the file:

    $IDM_OPSS_ORACLE_HOME/modules/oracle.iau_11.1.1/sql/scripts/JPS.sql
    

    to the directory from which you run sqlplus.

  2. Connect to sqlplus as sysdba.

  3. Run the following commands at the SQL prompt:

    1. alter session set current_schema=audit_schema_user;

    2. drop table JPS;

    3. @@JPS.sql audit_schema_user audit_schema_user_Append audit_schema_user_Viewer;

    Replace audit_schema_user with the name of the IAUOES audit schema user.

20.1.8 Java Security Module on IPv6 Client Not Supported on Windows

Because of an issue with JDK 1.6, the Java Security Module is not supported when using a Windows IPv6 client. We are working with the JDK development team on a resolution.

20.1.9 WebLogic Security Module Policy Distribution Configuration Issue on Windows IPv6 Hosts

The Policy Distribution URL may not be correctly generated on some Windows IPv6 hosts. Specifically, in jps-config.xml you might see the following line:

<property value="https://127.0.0.1:8002/pd-client"
name="oracle.security.jps.runtime.pd.client.DistributionServiceURL"/>

WORKAROUND:

Edit jps-config.xml (located in <domain_home>/config/oeswlssmconfig/) so it contains the correct policy distribution client URL. In the following example, <WLS-SM-client-host> is the hostname on which the WebLogic Server Security Module is running and <Pd-client-port> is the port on which the client is listening for policy distribution.

<property value="https://<WLS-SM-client-host>:<Pd-client-port>/pd-client"
name="oracle.security.jps.runtime.pd.client.DistributionServiceURL"/>

20.1.10 Validating Attribute Names in Custom Functions

When using custom function implementations, if the attribute name is invalid, the result of the authorization request could be wrong. Thus, attribute names must be validated before retrieving their values.

WORKAROUND:

Use the following code in custom function implementations to validate attribute names.

// Accepts only identifier-style names: a letter or underscore followed by
// letters, digits or underscores. Call this before looking up an attribute value.
boolean isValidAttributeName(String name) {
    if (name == null) return false;
    return name.matches("[A-Za-z_][A-Za-z0-9_]*");
}

20.2 Configuration Issues and Workarounds

There are no configuration issues at this time.

20.3 Documentation Errata

There are no documentation errata at this time.