C Troubleshooting Oracle Privileged Account Manager

This appendix describes how to diagnose and solve common problems that you might encounter when using Oracle Privileged Account Manager.

The information in this appendix is organized into the following sections:

  • Section C.1, "Common Problems and Solutions"

  • Section C.2, "Diagnosing Oracle Privileged Account Manager Problems"

  • Section C.3, "Need More Help?"

C.1 Common Problems and Solutions

This section describes some common problems and provides information to help you resolve those problems.

The topics include:

  • Section C.1.1, "Console Cannot Connect to Oracle Privileged Account Manager Server"

  • Section C.1.2, "Console Changes Are Not Reflected in Other, Open Pages"

  • Section C.1.3, "Cannot Access Targets or Accounts"

  • Section C.1.4, "Cannot Add Database Targets"

  • Section C.1.5, "Cannot Add an Active Directory LDAP Target"

  • Section C.1.6, "Grantee Cannot Perform a Checkout"

  • Section C.1.7, "Cannot View Roles from the Configured Remote ID Store"

  • Section C.1.8, "Group Membership Changes Are Not Immediately Reflected in Oracle Privileged Account Manager"

  • Section C.1.9, "Cannot Use Larger Key Sizes for Export/Import"

C.1.1 Console Cannot Connect to Oracle Privileged Account Manager Server

Oracle Privileged Account Manager Console cannot connect to the Oracle Privileged Account Manager server.

Reason

If the Console is not connecting to the Oracle Privileged Account Manager server, then you might have a configuration problem with the Console or with Oracle Platform Security Services Trust.

Solution:

C.1.2 Console Changes Are Not Reflected in Other, Open Pages

When you have multiple browser windows or Console tabs open against the same Oracle Privileged Account Manager Console, updates made in one window or tab are not immediately reflected in the other windows or tabs.

Reason

The Oracle Privileged Account Manager Console does not proactively push updates to the browser.

Solution:

Refresh the browser window or tab.

C.1.3 Cannot Access Targets or Accounts

Your attempts to access targets and privileged accounts are failing. You cannot check out, check in, or test.

Reason

The ICF connector being used by Oracle Privileged Account Manager is having issues interacting with the target system.

Solution:

  • Verify that the target system is up, and that the privileged account of interest exists.

  • Increase Oracle Privileged Account Manager's logging level to TRACE:32 (its finest level) and review the trace logs to determine where the failure occurs.

    Problems are often caused by environmental issues that can be identified using the trace logs and remedied by fixing the configuration on the target system. Refer to Chapter 6, "Managing Oracle Privileged Account Manager Auditing and Logging" for more information.

  • You might have a connector issue. Submit a bug that includes a reproducible test case, target system details, and trace logs.

C.1.4 Cannot Add Database Targets

This section describes issues that can prevent you from adding database targets:

C.1.4.1 Cannot Connect to Oracle Database with sysdba Role

Your attempts to connect to Oracle Database using the sysdba role are failing with the following error message:

Invalid Connection Details, see server log for details.

Reason

To connect to Oracle Database as a user with the sysdba role, you must configure the Advanced Properties option with the value internal_logon=sysdba.

You must also specify this setting for the Oracle Database SYS account, which must connect with the sysdba role. The Oracle Database SYS user is a special account and if you do not use this role, then the connection might fail. However, it is a better practice to create an Oracle Privileged Account Manager service account instead of using SYS.

Solution:

Perform the following steps to connect to Oracle Database as a user with the sysdba role:

Note:

These configuration steps are not necessary if you are connecting as a normal user.

  1. Open the target's General tab and expand Advanced Configuration to view the configuration options.

  2. Enter the internal_logon=sysdba value into the Connection Properties field.

  3. Click Test to retest the connection.

  4. Save your changes.

C.1.4.2 Cannot Find Special Options for Adding a Database Target

You cannot find configuration options for connecting to database targets such as Oracle RAC Database or for using Secure Socket Layer (SSL).

Reason

Oracle Privileged Account Manager uses a Generic Database connector where special configuration options for specific database target systems are not exposed in a clean or intuitive manner.

Solution:

Define special connectivity options for database targets by modifying the Database Connection URL and Connection Properties parameter values.


C.1.5 Cannot Add an Active Directory LDAP Target

An LDAP target using Microsoft Active Directory fails when you test the connection, search for accounts, or check out passwords.

Reason

Active Directory defaults require specific configuration, so you must change the generic default values for the LDAP target. Oracle Privileged Account Manager uses a Generic LDAP connector where special or custom configuration options for specific LDAP target systems are not obvious. (Usually, only Active Directory LDAP targets cause issues.)

Solution:

When adding the LDAP target, you must:

  • Use SSL to communicate with Active Directory.

  • Specify the following Advanced Configuration parameters (see Table 5-3):

    • Set Password Attribute to unicodepwd

    • Set Advanced Configuration > Account Object Classes to top|person|organizationalPerson|user.

  • Specify an attribute that is suitable for data in Active Directory, such as uid or samaccountname, for the Account User Name Attribute, Uid Attribute, and LDAP Filter for Retrieving Accounts configuration parameters (described in Table 5-2 and Table 5-3).
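The following is an added example, not part of the Oracle documentation or the connector's own code. It shows what the Active Directory settings above amount to at the LDAP level: the account-retrieval filter built from the Account Object Classes and Uid Attribute values, and the unicodePwd value format that Active Directory only accepts over an SSL/TLS connection. The account name and DN are constructed sample values.

```python
# Added example (not from the Oracle documentation); standard library only.

def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def account_filter(object_classes: str, uid_attribute: str, uid_value: str) -> str:
    """Build the filter that retrieves one account from the pipe-separated
    Account Object Classes value (top|person|organizationalPerson|user) and
    the Uid Attribute (for example sAMAccountName), as the text requires."""
    classes = [c.strip() for c in object_classes.split("|") if c.strip()]
    clauses = "".join(f"(objectClass={c})" for c in classes)
    return f"(&{clauses}({uid_attribute}={ldap_filter_escape(uid_value)}))"


def encode_unicode_pwd(password: str) -> bytes:
    """Active Directory accepts a password for the unicodePwd attribute only
    as the password wrapped in double quotes and encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def password_modify(dn: str, password: str, connection_is_tls: bool) -> dict:
    """Return the modify operation a connector would send to set a new
    password. Active Directory refuses unicodePwd changes on a cleartext
    connection, which is why the target must be configured to use SSL."""
    if not connection_is_tls:
        raise ValueError("unicodePwd can only be replaced over an SSL/TLS connection")
    return {"dn": dn, "mod": ("replace", "unicodePwd", [encode_unicode_pwd(password)])}


if __name__ == "__main__":
    # Constructed sample values, not from any real directory.
    print(account_filter("top|person|organizationalPerson|user", "sAMAccountName", "svc-example"))
    print(password_modify("CN=svc-example,OU=Service,DC=example,DC=com", "N3w-P4ss", True))
```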

C.1.6 Grantee Cannot Perform a Checkout

A grantee's attempt to check out an account is failing with an Insufficient Privileges error.

Reason

The username is case-sensitive for Oracle Privileged Account Manager grants, but not always for WebLogic authentication.

Solution:

Ensure that you enable the Use Retrieved User Name As Principal option for the authenticator being used for your production ID Store. Refer to Section 4.3.1, "Configuring the External Identity Store" for more information.

C.1.7 Cannot View Roles from the Configured Remote ID Store

When you try to grant to a user or group, you cannot view all roles from the configured remote ID Store.

Reason

You logged in to Oracle Privileged Account Manager with a user ID that was retrieved by an authenticator that does not point to your ID Store. The culprit is usually the DefaultAuthenticator.

Solution:

Perform the following actions:

  • Set the Control Flag for all authenticators to SUFFICIENT.

  • Verify that the user who is logging in exists on the remote ID store.

  • Verify that the user has the relevant Oracle Privileged Account Manager Admin Roles. (Refer to Section 2.3.1, "Administration Role Types" for more information.)

  • Ensure those Oracle Privileged Account Manager Admin Roles exist on the remote ID Store.

C.1.8 Group Membership Changes Are Not Immediately Reflected in Oracle Privileged Account Manager

You have an indirect grant through group membership and updates to that group membership are not immediately reflected in Oracle Privileged Account Manager.

For example, if you assign a user to an Oracle Privileged Account Manager administration role or to a group granted an Oracle Privileged Account Manager privileged account, you may not be able to view these changes right away.

Reason

WebLogic caches group memberships from Identity Store providers by default.

Solution:

Modify the caching settings in your WebLogic Authenticator and Asserter configuration to suit your requirements.

C.1.9 Cannot Use Larger Key Sizes for Export/Import

You are unable to use key sizes larger than 128-bits for export or import operations.

Reason

The default JRE installation does not contain the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6.

Solution:

Apply the JCE patch, available for download from http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

C.2 Diagnosing Oracle Privileged Account Manager Problems

This section provides information about how to diagnose Oracle Privileged Account Manager problems.

The topics include:

  • Section C.2.1, "Increase the Log Level"

  • Section C.2.2, "Examine Exceptions in the Logs"

C.2.1 Increase the Log Level

When an Oracle Privileged Account Manager error occurs, you can gather more information about what caused the error by generating complete logs that include debug information and connector logging. Perform the following steps:

  1. Set the Oracle Privileged Account Manager logging level to the finest level, which is TRACE:32.


  2. Repeat the task or procedure where you originally encountered the error.

  3. Examine the log information generated using the DEBUG level.

C.2.2 Examine Exceptions in the Logs

Examining the exceptions logged to the Oracle Privileged Account Manager log file can help you identify various problems.

You can access Oracle Privileged Account Manager's diagnostic log in the following directories:

DOMAIN_HOME/servers/Adminserver/logs
DOMAIN_HOME/servers/opamserver/logs
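The following is an added example, not part of the Oracle documentation: a small scanner for the diagnostic logs in the directories above, useful once the log level has been raised to TRACE:32 and ERROR records are buried in trace output. It assumes the Oracle Diagnostic Logging (ODL) text format, in which each record starts with a bracketed timestamp and multi-line detail such as a stack trace is enclosed in [[ ... ]]. The log lines are constructed samples; the message ID and Java class name are placeholders, not real Oracle Privileged Account Manager identifiers.

```python
# Added example (not from the Oracle documentation); standard library only.
import re

# One ODL record header: [timestamp] [server] [level] ...
RECORD_START = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T[^\]]+)\] \[(?P<server>[^\]]*)\] \[(?P<level>[A-Z:0-9]+)\]"
)

# Constructed sample log; OPAM-PLACEHOLDER and com.example.* are placeholders.
SAMPLE_LOG = """\
[2013-01-15T10:02:11.345-08:00] [opam_server1] [TRACE:32] [] [oracle.idm.opam] checking out account for target db1
[2013-01-15T10:02:12.001-08:00] [opam_server1] [ERROR] [OPAM-PLACEHOLDER] [oracle.idm.opam] Test connection failed for target db1[[
java.sql.SQLException: ORA-01017: invalid username/password; logon denied
\tat com.example.connector.DbConnector.connect(DbConnector.java:42)
]]
[2013-01-15T10:02:12.100-08:00] [opam_server1] [NOTIFICATION] [] [oracle.idm.opam] request finished
"""


def parse_records(text: str) -> list:
    """Split ODL text into records: one dict per record holding the
    timestamp, level, header line and any continuation (detail) lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append({"ts": m["ts"], "level": m["level"], "head": line, "detail": []})
        elif records:
            records[-1]["detail"].append(line)  # stack trace or [[ ]] body
    return records


def find_exceptions(text: str) -> list:
    """Return (timestamp, level, exception line) for each record whose
    detail carries a Java exception, ignoring the 'at ...' frame lines."""
    hits = []
    for rec in parse_records(text):
        for line in rec["detail"]:
            if "Exception" in line and not line.startswith("\t"):
                hits.append((rec["ts"], rec["level"], line.strip()))
                break
    return hits


if __name__ == "__main__":
    for ts, level, exc in find_exceptions(SAMPLE_LOG):
        print(f"{ts} [{level}] {exc}")
```

To scan a real file, read it and pass its text to find_exceptions instead of SAMPLE_LOG.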

C.3 Need More Help?

You can find more solutions on My Oracle Support (formerly MetaLink) at http://support.oracle.com. If you do not find a solution for your problem, log a service request.