This chapter describes issues associated with the installation and configuration process of Oracle Identity and Access Management 11g Release 2 (11.1.2). It includes the following sections:
This section describes general issues and workarounds. It includes the following topics:
When you try to install Oracle Identity Manager (OIM) Design Console on a Windows machine that has a firewall between the machine and the OIM server, the following error message is displayed when you run the
Error in validating the Hostname field value.Entered host is not up and running
To install OIM Design Console, you must open port 7 in the firewall.
You cannot launch Oracle Identity Manager Configuration Wizard on AIX with JDK7 when you run the script
The Oracle Universal Installer window appears if you add the -jreLoc option in the command line:
$<ORACLE_HOME>/bin/config.sh -jreLoc <JRE_HOME>
On AIX, the Simple security mode does not work with Oracle Access Management Server 11.1.2.
Workaround: Use either the
Cert security mode.
In the Fusion Middleware Configuration Wizard, you cannot add the WebLogic password in the Configure Administrator User Name and Password screen.
When you are prompted to enter the WebLogic user password, you may not be able to enter the password. Click Next to go to the next screen. An error is displayed: Password cannot be empty. Go back to the previous screen and type in the password again.
Before running the Oracle Fusion Middleware Configuration Wizard, ensure that you have installed the following:
Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5)
Oracle SOA Suite 188.8.131.52.0 (Oracle Identity Manager Users Only)
Oracle Identity and Access Management 11g Release 2 (11.1.2)
In a join domain scenario between Oracle Identity Manager and Oracle Access Management, the keystore file configured in the Oracle Platform Security Services (OPSS) configuration does not exist, but the passwords are already available in the Credential Store Framework (CSF) store from the OIM installation. Hence, when Oracle Access Management Server tries to store the keystore file, it fails because the key already exists.
Before starting the Administration Server, copy the keystore file from the Oracle Identity Manager domain to the Oracle Access Management domain's keystore location.
For example: Copy the default keystore (.jks) file from <OIM domain>/config/fmwconfig to
This step should be performed after you have configured the Oracle Access Management domain using config.sh but before you start the Administration Server.
In Oracle Identity Manager domain, look for default context in
Under this locate keystore service and keystore file location.
Copy this keystore (.jks) file to the location defined in Oracle Access Management domain key store location under OPSS (
This section describes configuration issues and their workarounds. It includes the following topics:
The patches and workaround described in this note are required only if you are integrating Oracle Access Manager or Oracle Identity Manager with Oracle Unified Directory, and Oracle Unified Directory is configured for High Availability in active-active mode.
After performing a fresh installation of Oracle Identity and Access Management, apply the patch for Oracle Identity Manager Bug 16390983 and also Patch 15894053.
Then manually copy the file
/libovd/. For example:
cp ORACLE_COMMON_HOME/modules/oracle.ovd_11.1.1/templates/adapter_template_oim.xml IAM_ORACLE_HOME/libovd/
When you start the Oracle Fusion Middleware Configuration Wizard by running the config.cmd or the config.sh command, the following error message is displayed:
*sys-package-mgr*: can't create package cache dir
The error message indicates that the default cache directory is not valid. You can change the cache directory by including the -Dpython.cachedir=<valid_directory> option in the command line.
The following are the steps that must be followed after installing Oracle Access Management (OAM) 11g Release 2 (11.1.2) or Oracle Identity Manager (OIM) 11g Release 2 (11.1.2):
jps-config.xml file to jps-config.xml_old for recovery and reference
Do the following to edit the
Look for the XML element
<serviceInstance name="pdp.service" provider="pdp.service.provider">
Delete the following two entries:
<property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/>
<property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
After you delete the first two properties their default values will be set. The default values are
600000 (10 minutes) respectively:
Add the following entry in the same section:
<property name="oracle.security.jps.pd.client.PollingTimerInterval" value="31536000"/>
The edited XML must look like the following:
<serviceInstance name="pdp.service" provider="pdp.service.provider">
  <description>Runtime PDP service instance</description>
  <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="mixed"/>
  <property name="oracle.security.jps.runtime.instance.name" value="OracleIDM"/>
  <property name="oracle.security.jps.runtime.pd.client.sm_name" value="OracleIDM"/>
  <property name="oracle.security.jps.policystore.refresh.enable" value="true"/>
  <property name="oracle.security.jps.pd.client.PollingTimerInterval" value="31536000"/>
</serviceInstance>
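The edit described in the steps above can be scripted so that it is repeatable and safe to run twice. The following Python example is added here and is not Oracle's code: the property names and the value come from this section, while the SAMPLE document and the function names local and fix_pdp_service are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Property names and the value are the ones given in the steps above.
REMOVE = {
    "oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled",
    "oracle.security.jps.ldap.policystore.refresh.interval",
}
ADD_NAME = "oracle.security.jps.pd.client.PollingTimerInterval"
ADD_VALUE = "31536000"

# Constructed sample: a pre-edit pdp.service instance, not copied from a real domain.
SAMPLE = """<jpsConfig><serviceInstances>
<serviceInstance name="pdp.service" provider="pdp.service.provider">
  <description>Runtime PDP service instance</description>
  <property name="oracle.security.jps.runtime.instance.name" value="OracleIDM"/>
  <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/>
  <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
</serviceInstance>
</serviceInstances></jpsConfig>"""

def local(tag):
    """Drop a '{namespace}' prefix so matching works with or without a default xmlns."""
    return tag.rsplit("}", 1)[-1]

def fix_pdp_service(root):
    """Edit every pdp.service instance in place; return the list of changes made."""
    changes = []
    for inst in root.iter():
        if local(inst.tag) != "serviceInstance" or inst.get("name") != "pdp.service":
            continue
        props = [c for c in inst if local(c.tag) == "property"]
        for prop in props:
            if prop.get("name") in REMOVE:
                inst.remove(prop)
                changes.append("removed " + prop.get("name"))
        timer = [p for p in props if p.get("name") == ADD_NAME]
        if not timer:
            # Reuse the parent's tag prefix so the new element stays in its namespace.
            tag = inst.tag[: -len("serviceInstance")] + "property"
            ET.SubElement(inst, tag, {"name": ADD_NAME, "value": ADD_VALUE})
            changes.append("added " + ADD_NAME)
        elif timer[0].get("value") != ADD_VALUE:
            timer[0].set("value", ADD_VALUE)
            changes.append("set " + ADD_NAME)
    return changes

if __name__ == "__main__":
    root = ET.fromstring(SAMPLE)
    print(fix_pdp_service(root), ET.tostring(root, encoding="unicode"), sep="\n")
```

ElementTree drops XML comments when parsing and may re-prefix namespaces when writing, so compare any file written this way against jps-config.xml_old before relying on it.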
The Configure Security Store fails to create the policy store object when using variables such as MW_HOME while running configureSecurityStore.py with the -m join parameter. Specify absolute paths for MW_HOME while running the command with the -m join parameter.
If you upgrade existing LDAP users using a command such as:
idmConfigTool.bat -upgradeLDAPUsersForSSO input_file=filename
you might see warning messages similar to these:
WARNING: Expiry date not present in cn=oamadmin,cn=Users, dc=us,dc=oracle,dc=com
WARNING: Expiry date not present in cn=weblogic_idm,cn=Users, dc=us,dc=oracle,dc=com
WARNING: Expiry date not present in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com
These messages do not impact function and can be safely ignored.
This section describes the mandatory patches to be downloaded to install Oracle Identity Manager.
This section provides the mandatory patches that were available at the time of publishing the release notes. For additional changes and revised patch requirements, see My Oracle Support document ID 1908280.1.
The patches must be downloaded only after you have installed Oracle Identity Manager using the Oracle Identity and Access Management 11g Release 2 (11.1.2) Installer and before starting the Oracle Identity Manager configuration.
Table 2-1 lists the patches that need to be downloaded and installed:
|Patch Number||Product Name|
Oracle Virtual Directory
Oracle Application Access Controls Governor
Oracle SOA Suite
Oracle Business Process Management Suite
Oracle Containers for J2EE
To download the patches, do the following:
Log in to My Oracle Support.
Click Patches & Updates.
Select Patch name or Number.
Enter the patch number.
Download and install the patch.