Skip Headers
Oracle® Fusion Middleware Release Notes
11g Release 2 (11.1.2)

Part Number E35820-07
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

5 Oracle Access Management

This chapter describes issues associated with Oracle Access Management. It includes the following topics:

5.1 General Issues and Workarounds

This section describes general issue and workarounds organized around specific services. To streamline your experience, only services with a a general issue are included.

If you do not find a service-related topic (Security Token Service, for example), there are no general issues at this time.

The following topics are included:

5.1.1 General Issues and Workarounds: Access Manager

This topic describes general issue and workarounds for Oracle Access Management Access Manager (Access Manager). It includes the following topics:

5.1.1.1 Exception Regarding WebGate Profiles Is Expected

When validating a WebGate 11g profile using the OAM Test Tool, an exception may be displayed on the invoking screen when the test tool connects to the OAM server - even though the screen shows a successful connection. This is expected and can be ignored.

5.1.1.2 Unable to Access "/" Context Root if Protected by OSSO Agent for 11g OHS

mod_osso agents shipped with 11g OHS cannot be configured to protect the @ context root '/'.

5.1.1.3 Access Manager Server Start Causes Exception Error

When the Access Manger Server is started, an ArmeRUNTIME exception error is thrown.

The exception error does not cause any loss of functionality.

5.1.1.4 Starting Access Manager When Protected by Oracle Entitlements Server Throws Exception

You will get a runtime exception when starting an instance of Access Manager protected by Oracle Entitlements Server. The exception can be ignored.

5.1.1.5 Access Tester Does Not Work with Non-ASCII Agent Names

Register a Webgate with Access Manager using a non-ASCII name. In the Access Tester, enter the valid IP Address, Port, and Agent ID (non-ASCII name), then click Connect.

Connection testing fails.

5.1.1.6 Authentication Fails: WNA Challenge, Active Directory, Users with Non-ASCII Characters

Configure Access Manager to use Kerberos Authentication Scheme with WNA challenge method, and create a non-ASCII user in Microsoft Active Directory.

Problem

An exception occurs when trying to get user details to populate the subject with the user DN and GUID attributes. Authentication fails and an error is recorded in the OAM Server log when a non-ASCII user in Active Directory attempts to access an Access Manager-protected resource:

... Failure getting users by attribute : cn, value ....

Cause

The username in the attribute is passed without modification as a java string.

Solution

Non-ASCII users can access the resource protected by Kerberos WNA scheme by applying the following JVM system property in the startManagedWeblogic.sh script in $DOMAIN_HOME/bin:

-Dsun.security.krb5.msinterop.kstring=true

5.1.1.7 Simple Mode is Not Supported for JDK 1.6 and AIX

Simple mode is not supported with JDK 1.6 and on AIX platforms. Use Open or Cert mode instead.

5.1.1.8 User Might Need to Supply Credentials Twice with DCC-Enabled Webgate

Problem

When you have a Detached Credential Collector-enabled Webgate combined with a resource Webgate, the user might have to provide credentials twice. This can occur when login is triggered with a URL that results in an internal forward by Oracle HTTP Server.

Workaround

To resolve this issue, you can use following workaround:

  1. Edit the httpd.conf file to add rewrite rules that redirect the browser for directory access (before Webgate configuration include) For example:

    RewriteEngine On
    RewriteRule     ^(.*)/$         "$1/welcome-index.html"      [R]
    
  2. SSL-enabled Web server: Repeat these rules under SSL configuration.

5.1.2 General Issues and Workarounds: Security Token Service

This topic describes general issues and workarounds for Oracle Access Management Security Token Service (Security Token Service). It includes the following topics:

5.1.2.1 Issues with Searches and Non-English Browser Settings

Security Token Service searches might not return the expected result when the browser language is set to a non-English language. For example, this occurs when setting the:

  • Requesters, Relying Parties and Issuing Authorities Partner Type field to Requester, Relying Party or Issuing Authority when the Oracle Access Management Console browser setting is non-English.

  • Token Issuance Templates Token Type to Username when the Oracle Directory Services Manager browser setting is non-English

  • Token Validation Templates Token Type to Username when the Oracle Directory Services Manager browser setting is non-English

When the browser language is English, the search returns expected results.

5.1.3 General Issues and Workarounds: Identity Federation

This topic describes general issue and workarounds for Oracle Access Management Identity Federation (Identity Federation). It includes the following topic:

5.1.3.1 Federation Metadata is not Accessible after Upgrade

After upgrade from PS1 to R2 the new environment also contains identity federation. If you enable identity federation and try to access the federation metadata there is an error.

To work around this problem, issue the following WLST commands:

connect('<username>', '<password>', 't3://<host>:port')

domainRuntime()

putStringProperty('/stsglobal/jaxbcontextpath','oracle.security.fed.xml.soap.v
11:oracle.security.fed.xml.soap.v12:oracle.security.fed.xml.security.dsig:orac
le.security.fed.xml.security.enc:oracle.security.fed.xml.security.trust.v12:or
acle.security.fed.xml.security.trust.v13:oracle.security.fed.xml.security.trus
t.v14:oracle.security.fed.xml.ws.addressing.v09:oracle.security.fed.xml.ws.add
ressing.v10:oracle.security.fed.xml.ws.policy.v12:oracle.security.fed.xml.secu
rity.wss.ext.v10:oracle.security.fed.xml.security.wss.ext.v11:oracle.security.
fed.xml.security.wss.policy.v11:oracle.security.fed.xml.security.wss.policy.v1
2:oracle.security.fed.xml.security.wss.utility.v10:oracle.security.fed.xml.sec
urity.saml.v11.assertion:oracle.security.fed.xml.security.saml.v11.protocol:or
acle.security.fed.xml.security.saml.v1x.assertion:oracle.security.fed.xml.secu
rity.saml.v1x.protocol:oracle.security.fed.xml.security.saml.v1x.metadata:orac
le.security.fed.xml.security.saml.v20.assertion:oracle.security.fed.xml.securi
ty.saml.v20.protocol:oracle.security.fed.xml.security.saml.v20.metadata:oracle
.security.fed.xml.security.identity.v10:oracle.security.fed.xml.security.openi
d.v20:oracle.security.fed.xml.security.openid.v20.xrd') 

5.1.3.2 Federation Redirect URLs May be Overwritten in Concurrency Mode

In concurrency mode where several clients use the Access Manager server for Federation at the same time, the redirect URLs created by Access Manager and the Federation Plugin for a client may be overwritten with the redirect URL created for another client.

5.1.3.3 Errors when Webgate has Credential Collector Option Enabled

This problem is seen in the following situation:

  • Webgate fronts a resource.

  • The "Allow Credential Collector Operations" option is checked for that Webgate.

  • The resource is protected by a policy using FederationScheme.

Due to this issue, when requesting access to the resource, the server returns a 200 with a URL where the browser will post the request to that URL using the POST, while the browser should have been redirected through a 302.

To resolve this issue, for Webgate agents fronting resources protected with the FederationScheme, disable the "Allow Credential Collector Operations" option.

5.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds organized around specific services. To streamline your experience, only services with an issue are included. For example, Identity Context has no known issues at this time and is not included. The following topics are included:

5.2.1 Configuration Issues and Workarounds: Access Manager

This topic describes configuration issues and orkarounds for Oracle Access Management Access Manager (Access Manager). It includes the following topics:

5.2.1.1 Enabling OpenSSO Agent Configuration Hotswap

To enable OpenSSO Agent configuration hotswap, make sure the opensso agents have the following properties in the Miscellaneous properties section of the agent's registration in the OpenSSO Proxy on OAM Server, and the agent servers are restarted:

J2ee Agents: com.sun.identity.client.notification.url =http://<AGENT_SERVER_HOST>:<AGENT_SERVER_PORT>/agentapp/notification

Web Agents:

com.sun.identity.client.notification.url=http://<AGENT_SERVER_HOST>:<AGENT_SERVER_PORT>/UpdateAgentCacheServlet?shortcircuit=false

Not Supported for Web Agents: com.sun.identity.agents.config.change.notification.enable=true

Restart the OAM Server hosting the agent.

5.2.2 Configuration Issues and Workarounds: Security Token Service

This topic describes configuration issues and their workarounds for Oracle Access Management Security Token Service (Security Token Service). It includes the following topics:

5.2.2.1 Create Like (Duplicate) Does Not Copy All Properties of Original Template

Security Token Service Create Like (duplicate) button does not copy some properties on the original Issuing Authority Profile template (the Security and Attribute Mapping sections, for instance).

The Administrator must manually enter the necessary configuration items into the newly created Issuing Authority Profile:

  1. From the Oracle Access Management Console System Configuration tab, Security Token Service section, go to Issuance Templates.

  2. Select an existing Issuance Template Click the Create Like (duplicate) button.

  3. Create the new copied Issuance Template and manually enter the necessary configuration items in the newly created Template.

5.2.2.2 Incorrect Value in the Kerberos Validation Template

In the Security Token Service Kerberos Validation template, the Kerberos Principal No Domain value in the drop down list sets an incorrect value:

Incorrect Value: STS_KERBEROS_NODOMAIN

Correct Value: STS_KERBEROS_PRINCIPAL_NODOMAIN

To use the Kerberos Principal No Domain option the Administrator must select a blank field in drop down list and manually set STS_KERBEROS_PRINCIPAL_NODOMAIN in the field near the list.

  1. From the Oracle Access Management Console System Configuration tab, Security Token Service section, go to Token Validation Template:

  2. Click the Add button.

  3. Provide a name, select token type as Kerberos and enter other details.

  4. In the Token Mapping tab, select Map Token to User from the down list and then enable Enable Simple User Mapping.

  5. From User Token Attribute drop down, select Kerberos Principal No Domain: select a blank field in drop down list and manually set STS_KERBEROS_PRINCIPAL_NODOMAIN in the field near the list.

  6. Give a value for the Datastore Attribute and Save.

In oam-config.xml, the User Token Attribute should set STS_KERBEROS_PRINCIPAL_NODOMAIN as the value.

5.2.2.3 No Console Support Removing Partner Encryption or Signing Certificates

Oracle Access Management Console does not provide a way to remove a signing or encryption certificate that was set for an Security Token Service Partner.

The Administrator must manually delete these using the following WLST commands:

To delete the signing certificate of an Security Token Service Partner

deletePartnerSigningCert 

To delete the encryption certificate of an Security Token Service Partner

deletePartnerEncryptionCert 

5.2.2.4 Resource URLs Removed During Create Like (Duplicate) Operation

When using the Security Token Service Create Like (duplicate) button with existing Relying Parties, the URLs listed in the Resource URLs section of the original relying party are removed (but should not be modified).

The Administrator must manually re-enter the necessary URLs, or not use the Create Like button when creating Relying Parties.

5.2.2.5 Error Sending USERNAME TOKEN with NONCE

The following error can be seen in Security Token Service logs when sending USERNAME TOKEN with NONCE:

<oracle.security.fed.model.util.rdbms.RDBMSBatchExecutor> <FEDSTS-11013> <SQL 

Error seen while interacting with the database:

java.sql.BatchUpdateException: ORA-12899: value too large for column
"DEV_OAM"."ORAFEDBLOBSTORE"."BLOBID"

Have the client send a smaller nonce.

5.2.3 Configuration Issues and Workarounds: Identity Federation

This topic describes configuration issues and their workarounds for Oracle Access Management Identity Federation (Identity Federation). It includes the following topics:

5.2.3.1 Provider Search Text Fields do an Exact Match Search

Users should be aware that in the Oracle Access Management Console, the Identity Provider search screen does an exact match (==) for the ProviderId and Partner name fields, rather than a "contains" search.

5.2.3.2 Incorrect Error Message when an Invalid Signing Certificate is Uploaded

While creating/editing an IdP, if you upload an invalid file for a signing certificate, you will see a Null pointer exception error message instead of a proper message indicating that the file does not contain a certificate.

5.2.3.3 Data is Cached in the Keystore Templates Table upon Validation Error

When data entered in the keystore templates table in the Oracle Access Management Console is rejected due to a validation error, the error is shown and the invalid row of the table is not saved.

However, this invalid row is cached in the user interface and closing and reopening the Federation Setting tab does not refresh the data. You must log in again to refresh the data.

5.2.3.4 Cannot Specify Multiple Non-Proxy Hosts for Identity Federation

In the Federation Settings page of the Oracle Access Management Console, the non-proxy hosts field is meant to take a delimited list of non-proxy hosts using a semi-colon (;) separator.

However this field currently does not allow semi-colons (;) in the input characters.

If you need to specify more than one non-proxy host (for example host1 and host2), the workaround is to use WLST as follows:

connect(<adminuser>,<adminpassword>,'t3://<HOST_NAME>:<WLS_ADMIN_PORT>')
 
domainRuntime()
 
putStringProperty("/fedserverconfig/nonproxyhosts", "host1;host2") 

5.2.3.5 Invalid IdP is Created if Incorrect Metadata Imported

When creating an IdP with the Oracle Access Management Console, if you choose an invalid Metadata XML file (such as an SP metadata file), you get an error message indicating that the metadata is invalid. The message is as follows:

ADFC-10001: cannot instantiate class

'oracle.security.am.fed.oif.managedbeans.idp.EditIDProviderMB' 

However if you still continue with the task and click Save, the IdP is created with the incorrect metadata file and there is an exception in the console, which makes the console unusable until you re-login.

5.2.3.6 WLST Commands for OpenID IdP Partner

The Federation WLST commands to add an OpenID IdP partner are not listed in the WLST Federation help.

The supported commands are:

  • addOpenID20IdPFederationPartner: Creates an OpenID 2.0 IdP Federation partner

  • addOpenID20GoogleIdPFederationPartner: Adds Google as an OpenID 2.0 IdP Partner

  • addOpenID20YahooIdPFederationPartner: Adds Yahoo as an OpenID 2.0 IdP Partner

addOpenID20IdPFederationPartner

The syntax is as follows:

addOpenID20IdPFederationPartner(partnerName, ssoURL, discoveryURL,
description)

The parameters are as follows:

  • partnerName=The name of the partner to be created.

  • ssoURL=The endpoint URL of the IdP (OP).

  • discoveryURL=The discovery URL of the IdP (OP).

  • description=Description of the partner. This is optional.

addOpenID20GoogleIdPFederationPartner

The syntax is as follows:

addOpenID20GoogleIdPFederationPartner()

This command does not take any parameters.

addOpenID20YahooIdPFederationPartner

The syntax is as follows:

addOpenID20YahooIdPFederationPartner()

This command does not take any parameters.

5.2.3.7 No Console Support for Federation OpenID IdP Partner

The federation IdP partner page, accessed in the Oracle Access Management Console from the System Configuration tab, Identity Federation, Identity Providers, does not provide support for OpenID IdP/OP partners.

As a workaround, you can use the Federation OpenID WLST commands to add an OpenID IdP/OP partner. For details, see Section 5.2.3.6.

5.2.3.8 SSO Error when federationscheme for a Partner Protects a Resource

This issue is seen in the following scenario:

  • A Federation IdP partner has been added.

  • An Authentication Scheme and Module were created using the Oracle Access Management Console or WLST commands for that IdP partner.

  • An authentication policy is created using the newly created Authentication Scheme for that partner.

  • A resource is protected with this policy.

Due an incorrect configuration in the newly created Authentication Module for that partner, an error will be seen in the browser and logs.

The workaround is as follows:

  1. Log in to the Oracle Access Management Console.

  2. Click the System Configuration Tab.

  3. On left hand side, click Access Manager.

  4. Expand Authentication Modules.

  5. Expand Custom Authentication Module.

  6. Double-click on the new Federation authentication module (IdPNameFederationPlugin).

  7. Go to the Steps Orchestration tab in the right hand side.

  8. For the drop-down called Initial Step, change that to FedAuthnRequestPlugin.

5.2.4 Configuration Issues and Workarounds: Mobile and Social

This topic describes configuration issues and their workarounds for Oracle Access Management Mobile and Social (Mobile and Social). It includes the following topics:

5.2.4.1 Once Set, Jail Breaking "Max OS Version" Setting Cannot be Empty

Once you assign a value to the Jail Breaking Detection Policy "Max OS Version" setting, you cannot remove the value and leave the field empty. Per the documentation, the Max OS Version field is used to configure the maximum iOS version to which the Jail Breaking policy applies. If the value is empty, a maximum iOS version number is not checked so the policy applies to any iOS version higher than the value specified for Min OS Version. Once set, however, the value cannot go back to being empty. To work around this issue, set a value for the Max OS Version field.

5.2.4.2 Additional Configuration Required After Running Test-to-Production Scripts

When moving Mobile and Social from a test environment to a production environment, complete the following configuration steps on each production machine after running the Test-to-Production scripts:

  1. Launch the Oracle Access Management Console.

  2. On the Policy Configuration tab, choose Shared Components > Authentication Schemes > OIC Scheme and click Open.

    The Authentication Schemes configuration page opens.

    Update the Challenge Redirect URL value to point to the production machine, not the test machine, then click Apply.

    For example: https://production_machine:port/oic_rp/login.jsp

  3. Update the Mobile and Social credential store framework (CSF) entry to point from the test machine to the production machine. To do this, run the following WLST command:

    createCred(map="OIC_MAP", key=" https://<production machine host>:<production machine port>/oam/server/dap/cred_submit ", user="="<description>", password=" DCC5332B4069BAB4E016C390432627ED", desc="<description>");
    

    For password, use the value from oam-config.xml, which is located in the domain home/config/fmwconfig directory on the production machine. Use the value from the RPPartner entry, TapCipherKey attribute.

  4. In the Oracle Access Management Console, do the following:

    1. Select the System Configuration tab.

    2. Choose Mobile and Social > Internet Identity Services.

    3. In the Application Profiles section, select OAMApplicaton and click Edit. (If using an application profile name other than OAMApplication, edit that instead.)

    4. Update the Registration URL field host name and port to point to the production machine.

      Click Apply.

5.3 Oracle Access Management Console Issues

This section documents issues that affect the Oracle Access Management Console. It includes the following topics:

5.3.1 Messages Sent From the Server to the Client Can Appear in a Foreign Language

If the OAM Server and the Oracle Access Management Console client are configured for different locales, the server will report error messages to the client in whichever language the server is configured for.

5.4 Documentation Errata

There are no documentation issues for the following books: