Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager
11g Release 2 (11.1.2)

Part Number E27152-02
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

C Troubleshooting Oracle Privileged Account Manager

This appendix describes how to diagnose and solve common problems that you might encounter when using Oracle Privileged Account Manager.

The information in this appendix is organized into the following sections:

C.1 Common Problems and Solutions

This section describes some common problems and provides information to help you resolve those problems.

The topics include:

C.1.1 Console Cannot Connect to Oracle Privileged Account Manager Server

Oracle Privileged Account Manager Console cannot connect to the Oracle Privileged Account Manager server.

Reason

If the Console is not connecting to the Oracle Privileged Account Manager server, then you might have a configuration problem with the Console or with Oracle Platform Security Services Trust.

Solution

C.1.2 Console Changes Are Not Reflected in Other, Open Pages

When you have multiple browser windows or Console tabs open against the same Oracle Privileged Account Manager Console, updates made in one window or tab are not immediately reflected in the other windows or tabs.

Reason

The Oracle Privileged Account Manager Console does not proactively push updates to the browser.

Solution:

Refresh the browser window or tab.

C.1.3 Cannot Access Targets or Accounts

Your attempts to access targets and privileged accounts are failing. You cannot check-out, check-in, or test.

Reason

The ICF connector being used by Oracle Privileged Account Manager is having issues interacting with the target system.

Solution:

  • Verify that the target system is up, and that the privileged account of interest exists.

  • Increase Oracle Privileged Account Manager's logging level to TRACE:32 (its finest level) and review the trace logs to determine where the failure occurs.

    Problems are often caused by environmental issues that can be identified using the trace logs and remedied by fixing the configuration on the target system. Refer to Chapter 6, "Managing Oracle Privileged Account Manager Auditing and Logging" for more information.

  • You might have a connector issue. Submit a bug that includes a reproducible test case, target system details, and trace logs.

C.1.4 Cannot Add Database Targets

This section describes issues that can prevent you from adding database targets:

C.1.4.1 Cannot Connect to Oracle Database with sysdba Role

Your attempts to connect to Oracle Database using the sysdba role are failing with the following error message:

Invalid Connection Details, see server log for details.

Reason

To connect to Oracle Database as a user with sysdba role, you must configure the Advanced Properties option with the value, internal_logon=sysdba.

You must also specify this setting for the Oracle Database SYS account, which must connect with the sysdba role. The Oracle Database SYS user is a special account and if you do not use this role, then the connection might fail. However, it is a better practice to create an Oracle Privileged Account Manager service account instead of using SYS.

Solution:

Perform the following steps to connect to Oracle Database as a user with the sysdba role:

Note:

These configuration steps are not necessary if you are connecting as a normal user.

  1. Open the target's General tab and expand Advanced Configuration to view the configuration options.

  2. Enter the internal_logon=sysdba value into the Connection Properties field.

  3. Click Test to retest the connection.

  4. Save your changes.

C.1.4.2 Cannot Find Special Options for Adding a Database Target

You cannot find configuration options for connecting to database targets such as Oracle RAC Database or for using Secure Socket Layer (SSL).

Reason

Oracle Privileged Account Manager uses a Generic Database connector where special configuration options for specific database target systems are not exposed in a clean or intuitive manner.

Solution:

Define special connectivity options for database targets by modifying the Database Connection URL and Connection Properties parameter values.

Note:

C.1.5 Cannot Add an Active Directory LDAP Target

An LDAP target using Microsoft Active Directory fails when you test the connection, search for accounts, or check out passwords.

Reason

Active Directory defaults require specific configuration, so you must change the generic default values for the LDAP target. Oracle Privileged Account Manager uses a Generic LDAP connector where special or custom configuration options for specific LDAP target systems are not obvious. (Usually, only Active Directory LDAP targets cause issues.)

Solution:

When adding the LDAP target, you must

  • Use SSL to communicate with Active Directory.

  • Specify the following Advanced Configuration parameters (see Table 5-3):

    • Set Password Attribute to unicodepwd

    • Set Advanced Configuration > Account Object Classes to top|person|organizationalPerson|user.

  • Specify an attribute that is suitable for data in Active Directory, such as uid or samaccountname, for the Account User Name Attribute, Uid Attribute, and LDAP Filter for Retrieving Accounts configuration parameters (described in Table 5-2 and Table 5-3).

C.1.6 Grantee Cannot Perform a Checkout

A grantee's attempt to checkout an account is failing with an Insufficient Privileges error.

Reason

The username is case-sensitive for Oracle Privileged Account Manager grants, but not always for WebLogic authentication.

Solution:

Ensure that you enable the Use Retrieved User Name As Principal option for the authenticator being used for your production ID Store. Refer to Section 4.3.1, "Configuring the External Identity Store" for more information.

C.1.7 Cannot View Roles from the Configured Remote ID Store

When you try to grant to a user or group, you cannot view all roles from the configured remote ID Store.

Reason

You logged into Oracle Privileged Account Manager with a user ID that has been retrieved from a user, on an authenticator that is not pointing to your ID Store. The culprit is usually the DefaultAuthenticator.

Solution:

Perform the following actions:

  • Set the Control Flag for all authenticators to SUFFICIENT.

  • Verify that the user who is logging in exists on the remote ID store.

  • Verify that the user has the relevant Oracle Privileged Account ManagerAdmin Roles. (Refer to Section 2.3.1, "Administration Role Types" for more information.)

  • Ensure those Oracle Privileged Account ManagerAdmin Roles exist on the remote ID Store.

C.1.8 Group Membership Changes Are Not Immediately Reflected in Oracle Privileged Account Manager

You have an indirect grant through group membership and updates to that group membership are not immediately reflected in Oracle Privileged Account Manager.

For example, if you assign a user to a Oracle Privileged Account Manager administration role or to a group granted with a Oracle Privileged Account Manager privileged account, you may not be able to view these changes right away.

Reason

WebLogic caches group memberships from Identity Store providers by default.

Solution:

Modify the caching settings in your WebLogic Authenticator and Asserter configuration to suit your requirements.

C.1.9 Cannot Use Larger Key Sizes for Export/Import

You are unable to use key sizes larger than 128-bits for export or import operations.

Reason

The default JRE installation does not contain the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6.

Solution:

Apply the JCE patch, available for download from http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

C.2 Diagnosing Oracle Privileged Account Manager Problems

This section provides information about how to diagnose Oracle Privileged Account Manager problems.

The topics include:

C.2.1 Increase the Log Level

When an Oracle Privileged Account Manager error occurs, you can gather more information about what caused the error by generating complete logs that include debug information and connector logging. the following steps:

  1. Set the Oracle Privileged Account Manager logging level to the finest level, which is TRACE:32.

    Note:

  2. Repeat the task or procedure where you originally encountered the error.

  3. Examine the log information generated using the DEBUG level.

C.2.2 Examine Exceptions in the Logs

Examining the exceptions logged to the Oracle Privileged Account Manager log file can help you identify various problems.

You can access Oracle Privileged Account Manager's diagnostic log in the following directories:

DOMAIN_HOME/servers/Adminserver/logs
DOMAIN_HOME/servers/opamserver/logs

C.3 Need More Help?

You can find more solutions on My Oracle Support (formerly MetaLink) at http://support.oracle.com. If you do not find a solution for your problem, log a service request.