This chapter describes issues associated with the upgrade and migration process of Oracle Identity and Access Management 11g Release 2 (11.1.2). It includes the following sections:
This section describes issues related to upgrading the following components:
Oracle Identity Manager 11g Release 1 (11.1.1.5.0) to Oracle Identity Manager 11g Release 2 (11.1.2)
Oracle Access Manager 11g Release 1 (11.1.1.5.0) to Oracle Access Management Access Manager 11g Release 2 (11.1.2)
Oracle Adaptive Access Manager 11g Release 1 (11.1.1.5.0) to Oracle Adaptive Access Manager 11g Release 2 (11.1.2)
Oracle Identity Navigator 11g Release 1 (11.1.1.5.0) to Oracle Identity Navigator 11g Release 2 (11.1.2)
Oracle Entitlements Server 11g Release 1 (11.1.1.5.0) to Oracle Entitlements Server 11g Release 2 (11.1.2)
Oracle Identity and Access Management 11g Release 1 (11.1.1.3.0) to Oracle Identity and Access Management 11g Release 2 (11.1.2)
Oracle Identity Manager 9.x to Oracle Identity Manager 11g Release 2 (11.1.2)
This section describes general issues and workarounds. It includes the following topics:
Section 3.1.1.1, "OIM-OAM-OAAM: 11.1.1.5.0 to 11.1.2: Error Reset Password in First Login"
Section 3.1.1.2, "Save Column with Multiple/Null Values to be Manually Updated for LookupByQuery"
Section 3.1.1.5, "Lookup Values Do Not Get Saved in the My Information Page"
Section 3.1.1.6, "Bulk User Modify Does Not Work After Upgrade"
Section 3.1.1.9, "Authorization Policies Containing No Resources Are Not Extracted"
Section 3.1.1.11, "OIM Upgrade: Access Policy Based Provisioning of EBS Resource Does Not Work"
Section 3.1.1.12, "TCORGANIZATIONNOTFOUNDEXCEPTION Error While Creating New Organizations"
Section 3.1.1.13, "Forgot User Login Flow Shows System Error"
Section 3.1.1.15, "Matching Rule is Lost During the OIM 11.1.1.5.0 Upgrade"
While upgrading an OAM-OIM-OAAM integrated 11g R1 (11.1.1.5.0) environment to 11g R2 (11.1.2), when the user tries to log in to http://bej301133.cn.oracle.com:7777/identity for the first time, the user is redirected to the password management page. However, when the user clicks Submit after editing the user profile, an error message pops up.
The workaround is as follows:
On UNIX:
Go to the following location:
IAM_ORACLE_HOME/server/apps
In this location, create a directory by using the following command:
mkdir temp
Copy the oracle.iam.console.identity.self-service.ear file to the temp folder that you created in step 2, by running the following command:
cp oracle.iam.console.identity.self-service.ear temp
Go to the temp folder that you created:
cd temp
Extract the contents of the oracle.iam.console.identity.self-service.ear file by running the following command:
jar -xvf oracle.iam.console.identity.self-service.ear
The folder META-INF/ is automatically created in the location.
Locate the weblogic-application.xml file in the folder META-INF, and edit the contents of the file by adding the following packages before the closing tag </weblogic-application>:
<prefer-application-packages>
  <package-name>oracle.iam.*</package-name>
  <package-name>oracle.security.am.common.nap.*</package-name>
  <package-name>oracle.security.am.common.aaaclient.*</package-name>
  <package-name>oracle.security.am.common.*</package-name>
</prefer-application-packages>
Save the changes made in the weblogic-application.xml file and exit.
Package the extracted contents back into the oracle.iam.console.identity.self-service.ear file by running the following command:
jar -cvf oracle.iam.console.identity.self-service.ear
Copy the contents of the temp folder to the original location IAM_ORACLE_HOME/server/apps.
Ensure that you take a backup of the files of the existing location, before you replace the content.
This bug is related to manual updates that a customer would need to perform as a post-upgrade step. This happens when there are multiple values specified for the Column Names attribute while defining lookupby in a 9.x environment.
If the OIM 9.x Role or User data model contains UDFs of type Lookup Query, then after upgrading, do the following:
For Role:
Start the Design Console.
Select Administration.
Select User Defined field and select Roles.
Ensure that the property for Column Names and Lookup Column Name is set to the desired column name for the Role Lookup Query UDF. If the value is not present, provide an appropriate value, and click Save.
This updates the MDS definitions. These fields are visible in the OIM 11.1.2 Administrator user interface.
For Users:
Start the Configuration Service user interface.
Select Administration.
Select User Defined field.
Open the User configuration service, open the UDFs which are of type Lookup By Query. Specify the required value in Column to Display and Column to save fields.
Click Save.
This will update the MDS definitions for the User Lookup Query UDFs. These fields are visible in the OIM 11.1.2 Administrator user interface.
Entitlements assigned to OIM 11g Release 1 (11.1.1.5.0) users are not shown in the Entitlement tab after upgrading to OIM 11g Release 2 (11.1.2).
Entitlement or child forms provisioned to OIM 11g Release 1 (11.1.1.5.0) users, according to access policy, are removed from OIM 11g Release 1 (11.1.1.5.0) users after upgrading to OIM 11g Release 2 (11.1.2). The resource is shown in Accounts in the provisioned state.
If you wish to integrate OIM 11g Release 2 (11.1.2) with OAM for single sign-on, then you must upgrade OAM 11g Release 1 (11.1.1.5.0) to OAM 11g Release 1 (11.1.1.5.2) or later. If you do not upgrade OAM 11g Release 1 (11.1.1.5.0) to OAM 11g Release 1 (11.1.1.5.2) or later, the auto-login functionality will not work.
The workaround for this issue is as follows:
For the auto-login functionality to work, upgrade OAM 11g Release 1 (11.1.1.5.0) to OAM 11g Release 1 (11.1.1.5.2) or later.
The Look Up values selected do not get saved in the My Information page. An error, like the following, is displayed:
JBO-27010: Attribute set with value Senior Member Technical Staff for L1__c @ in UserEO has invalid precision/scale
The workaround for this issue is as follows:
Create UDF as Drop Down rather than as Look Up.
In step 5, ensure that Searchable in Picklist is not selected. Save the form.
In step 12, add UDF on My Information Page as ADF Select One Choice.
Bulk User modify functionality does not work after upgrade.
The workaround for this issue is as follows:
Export the following artifact from MDS:
/metadata/iam-features-requestactions/model-data/ModifyUserDataset.xml
Change the flag available-in-bulk="true" for the following attributes:
User Type
Role
User Manager
Start Date
End Date
usr_timezone
FA Language
Change the length for attribute fax to 4000.
Import the ModifyUserDataset.xml into MDS.
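A scripted form of the edit made between the export and import steps, as an added example that is not Oracle's code. The element name AttributeReference, the namespace and the sample document are constructed assumptions; the function matches on the name attribute only and reports any listed attribute it did not find, so a silent miss does not reach MDS.

```python
import xml.etree.ElementTree as ET

# Attribute names exactly as listed in the workaround.
BULK_ATTRS = ["User Type", "Role", "User Manager", "Start Date",
              "End Date", "usr_timezone", "FA Language"]
FAX_LENGTH = "4000"

# Constructed sample; element name and namespace are assumptions.
SAMPLE = """<request-data-set xmlns="urn:example:dataset" name="ModifyUserDataset">
  <AttributeReference name="User Type" available-in-bulk="false" length="20"/>
  <AttributeReference name="Role" available-in-bulk="false" length="255"/>
  <AttributeReference name="Fax" available-in-bulk="true" length="20"/>
</request-data-set>"""


def patch_dataset(xml_text: str):
    """Apply the workaround's edits; return (new_xml, names_not_found)."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # Keep the document's default namespace instead of an ns0: prefix.
        ET.register_namespace("", root.tag[1:].split("}")[0])
    wanted = {n.casefold() for n in BULK_ATTRS}
    seen = set()
    for el in root.iter():
        name = (el.get("name") or "").casefold()
        if name in wanted:
            el.set("available-in-bulk", "true")
            seen.add(name)
        elif name == "fax":
            el.set("length", FAX_LENGTH)
            seen.add(name)
    missing = [n for n in BULK_ATTRS + ["fax"] if n.casefold() not in seen]
    return ET.tostring(root, encoding="unicode"), missing


if __name__ == "__main__":
    new_xml, missing = patch_dataset(SAMPLE)
    print(new_xml)
    print("not found in dataset:", missing)
```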
Upgrading OAM 11.1.1.5.0 to Access Manager 11.1.2 on the AIX platform fails. The upgrade appears complete and the first Access Manager Server starts up without any problem. However, subsequent servers fail to start up and show the following message:
<Warning> <Coherence> <BEA-000000> <Oracle Coherence GE 3.7.1.1 <Warning> (thread=Cluster, member=n/a): This Member(Id=0, Address=XX.XX.XX.XX:9097, MachineId=6803, Location=site:,machine:XXXXXX,process:3080574, Role=WeblogicServer) has been attempting to join the cluster using WKA list [XXXXXX/XX.XX.XX.XX:9095] for 30 seconds without success; this could indicate a mis-configured WKA, or it may simply be the result of a busy cluster or active failover.> <Warning> <Coherence> <BEA-000000> <Oracle Coherence GE 3.7.1.1 <Warning> thread=Cluster, member=n/a): Delaying formation of a new cluster; waiting for well-known nodes to respond>
Oracle Access Management Access Manager upgrade fails for Java version with the following artifacts:
java version "1.6.0" Java(TM) SE Runtime Environment (build pap6460sr10-20111208_01(SR10)) IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc64-64 jvmap6460sr10-20111207_96808 (JIT enabled, AOT enabled) J9VM - 20111207_096808 JIT - r9_20111107_21307ifx1 GC - 20110519_AA) JCL - 20111104_02
Oracle Access Management Access Manager requires IBM java version with the following artifacts, as a prerequisite:
java version "1.6.0" Java(TM) SE Runtime Environment (build pap6460sr9fp2-20110627_03(SR9 FP2)) IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc64-64 jvmap6460sr9-20110624_85526 (JIT enabled, AOT enabled) J9VM - 20110624_085526 JIT - r9_20101028_17488ifx17 GC - 20101027_AA) JCL - 20110530_01
In addition to the steps provided in "Upgrading Oracle Access Manager 11g Release 1 (11.1.1.5.0) Environments" in the Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management, complete the following task before starting the Access Manager domain after upgrading:
Go to the following directory:
On UNIX:
cd <OAM_DOMAIN_HOME>/bin
On Windows:
cd <OAM_DOMAIN_HOME>\bin
where <OAM_DOMAIN_HOME> is the complete path to the Access Manager domain home. The following example shows the complete path:
On UNIX, it is located in the <MW_HOME>/user_projects/domains/<oam_domain> directory.
On Windows, it is located in the <MW_HOME>\user_projects\domains\<oam_domain> directory.
Edit the setDomainEnv file by running the following command:
On UNIX:
vi setDomainEnv.sh
On Windows:
vi setDomainEnv.cmd
Search for EXTRA_JAVA_PROPERTIES and select the property that looks like the following:
EXTRA_JAVA_PROPERTIES="-DOAM_POLICY_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-policy.xml -DOAM_CONFIG_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-config.xml -DOAM_ORACLE_HOME=${OAM_ORACLE_HOME} -Doracle.security.am.SERVER_INSTNCE_NAME=${SERVER_NAME} -Does.jars.home=${OAM_ORACLE_HOME}/server/lib/oes-d8 -Does.integration.path=${OAM_ORACLE_HOME}/server/lib/oeslib/oes-integration.jar -Does.enabled=true -Djavax.xml.soap.SOAPConnectionFactory=weblogic.wsee.saaj.SOAPConnectionFactoryImpl -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Djavax.xml.soap.SOAPFactory=oracle.j2ee.ws.saaj.soap.SOAPFactoryImpl ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
Add the -Doam.oes.new=true property before -DOAM_POLICY_FILE. The file looks like the following after making the changes:
EXTRA_JAVA_PROPERTIES="-Doam.oes.new=true -DOAM_POLICY_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-policy.xml -DOAM_CONFIG_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-config.xml -DOAM_ORACLE_HOME=${OAM_ORACLE_HOME} -Doracle.security.am.SERVER_INSTNCE_NAME=${SERVER_NAME} -Does.jars.home=${OAM_ORACLE_HOME}/server/lib/oes-d8 -Does.integration.path=${OAM_ORACLE_HOME}/server/lib/oeslib/oes-integration.jar -Does.enabled=true -Djavax.xml.soap.SOAPConnectionFactory=weblogic.wsee.saaj.SOAPConnectionFactoryImpl -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Djavax.xml.soap.SOAPFactory=oracle.j2ee.ws.saaj.soap.SOAPFactoryImpl ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
This issue typically affects rolling upgrade customers, upgrading from OAM 11.1.1.3.0 to Oracle Access Management Access Manager 11.1.2. Application domains which have authorization policies that contain no resources are not extracted by the exportAccessData command during upgrade. This does not impact other application domain extraction. The following error message is shown:
SEVERE: Resource : not found
The workaround for this issue is to either remove all authorization policies that contain no resources before upgrading or manually configure them.
Known issue.
Test to Production (T2P) fails in an environment with OAM, OAAM, or OIN that is upgraded from 11.1.1.5.0 to 11.1.2.0.0.
Access based provisioning does not work for most of the resource objects created through connector import.
The workaround for this issue is as follows:
Before upgrading OIM schemas, do the following:
Log in to the OIM database schema.
Run the following SQL scripts:
BEGIN
  execute immediate 'ALTER table OBJ MODIFY OBJ_ALLOWALL default ''1''';
  execute immediate 'ALTER table OBJ MODIFY OBJ_ALLOW_MULTIPLE default ''1''';
  execute immediate 'ALTER table OBJ MODIFY OBJ_SELF_REQUEST_ALLOWED default ''1''';
  execute immediate 'ALTER table OBJ MODIFY OBJ_OBJADMINONLY default ''0''';
END;
In some specific environments, after upgrading OIM 11.1.1.5.0 to OIM 11.1.2, when you click on the Create Organization tab from the Identity Console, you may see this error:
TCORGANIZATIONNOTFOUNDEXCEPTION
To work around this, close the exception and create a new organization.
Forgot User Login feature does not work after upgrading to OIM 11.1.2.
The workaround for this issue is as follows:
Create a notification template manually with the following credentials:
Log in to the System Administration Console.
Select Notification.
In the search box, search for ForgottenUsernameNotification, PasswordExpiredNotification, and PasswordWarningNotification.
Do the following if you do not see any of them listed in the search results:
ForgottenUsernameNotification:
Select the Create Notification Template. It is located above the search results with a plus icon, next to the pencil icon. The Create Notification Template screen appears.
Enter the following details:
Template Name: ForgottenUsernameNotification
Available Event: ForgottenUsername
Encoding: UTF-8
Message Subject: Your User Login
Type: HTML
Short Message: User Login
Long Message:
<html><head></head> <body> <p> Your $tenantName user login - $userLoginId </p> </body> </html>
Click Save.
PasswordExpiredNotification:
Select the Create Notification Template. It is located above the search results with a plus icon, next to the pencil icon. The Create Notification Template screen appears.
Enter the following details:
Template Name: PasswordWarningNotification
Available Event: PasswordWarning
Encoding: UTF-8
Message Subject: Password Expiry Warning
Type: HTML
Short Message: Password Expiry
Long Message:
<html><head></head> <body> <![CDATA[ <p> Your Password is about to be Expired. Please reset your Password. </p><p> UserID: %1<br> </p><p> For any issues, please contact [admin email or phone] </p>]]> </body> </html>
Click Save.
PasswordExpiration:
Select the Create Notification Template. It is located above the search results with a plus icon, next to the pencil icon. The Create Notification Template screen appears.
Enter the following details:
Template Name: PasswordExpiredNotification
Available Event: PasswordExpiration
Encoding: UTF-8
Message Subject: Password Expired
Type: HTML
Short Message: Password Expired
Long Message:
<html><head></head> <body> <![CDATA[ <p> Your Password has Expired. Please reset your Password. </p><p> UserID: %1<br> </p><p> For any issues, please contact [admin email or phone] </p>]]> </body> </html>
Click Save.
This issue occurs if you upgrade the middle tier twice during the OIM 11.1.1.5.0 to 11.1.2 upgrade process. The middle tier upgrade patch domain report shows an error for Foreign JNDI Provider Creation, even though the parameter oim.domainextension.jndiprovider.patch is set to false in the oimupgrade.properties file.
The following is a sample patch domain report displayed when you perform the middle tier upgrade twice:
Domain Component                  Status
Foreign JNDI Provider Creation    Error
Ignore this error report for Foreign JNDI Provider Creation.
When you upgrade OIM 11.1.1.5.0 to 11.1.2, the customization made for the matching rule is lost.
The workaround for this issue is to redo the customization for the matching rule in OIM 11.1.2.
This section describes issues related to the following scenarios:
Migrating Oracle Access Manager 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2)
Migrating Oracle Adaptive Access Manager 10g to Oracle Adaptive Access Manager 11g Release 2 (11.1.2)
Migrating Oracle Single Sign-On 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2)
Migrating Sun OpenSSO Enterprise 8.0 to Oracle Access Management Access Manager 11g Release 2 (11.1.2)
Migrating Sun Java System Access Manager 7.1 to Oracle Access Management Access Manager 11g Release 2 (11.1.2)
Coexistence of Oracle Access Manager 10g with Oracle Access Management Access Manager 11g Release 2 (11.1.2)
Coexistence of Sun OpenSSO Enterprise 8.0 with Oracle Access Management Access Manager 11g Release 2 (11.1.2)
Coexistence of Sun Java System Access Manager 7.1 with Oracle Access Management Access Manager 11g Release 2 (11.1.2)
This section describes general issues and workarounds. It includes the following topics:
This issue occurs when you upgrade Oracle Single Sign-On 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2). If errors occur during the execution of the Upgrade Assistant which require you to re-run the process, there is a possibility that the required osso.conf files will not be generated in the location specified in the Upgrade Assistant Summary screen at the end of the process.
If this occurs, the osso.conf files needed to complete the upgrade can also be found in the following directory:
<MW_HOME>/user_projects/domains/<Domain_Home>/output/upgrade
Known issue.
The server logs and assessment report show only English messages when you migrate the following components to Oracle Access Management Access Manager 11g Release 2 (11.1.2):
Oracle Access Manager 10g
Sun OpenSSO Enterprise 8.0
Sun Java System Access Manager 7.1
Known issue.
Migration of the profile of J2EE Agent 2.2 from Sun Java System Access Manager 7.1 to Oracle Access Management Access Manager 11g Release 2 (11.1.2) is not supported, and therefore, the run-time verification support for the same is not available.
Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2) discusses how to upgrade or migrate various Single Sign-On and Access Management environments to Oracle Access Management 11g Release 2 (11.1.2.0.0). You should use this guide for information about upgrade, migration, and coexistence procedures.
If necessary, you can read the following support note for any late-breaking information and changes: