14 Customizing Reconciliation Operations

Oracle Identity Manager provides connectors for reconciliation of users/accounts from various target systems, such as Microsoft Active Directory, Sun Java System Directory, Oracle Internet Directory, and Oracle E-Business Suite. For information about these connectors, see Oracle Identity Manager Connectors Documentation in the Oracle Technology Network (OTN) Web site at the following URL:

http://www.oracle.com/technetwork/indexes/documentation/index.html

However, to create a custom connector, you must develop a new scheduled task that performs the following:

1. Retrieve user/account information from the target system.

2. Use reconciliation APIs to create reconciliation events to submit event data.

3. Create events for creating, modifying, or deleting an entity.

See Also:

Chapter 6, "Developing Scheduled Tasks" for information about developing a scheduled task

14.1 Developing Reconciliation Scheduled Tasks

To connect to a specific target system, you must:

• Create a new IT resource type

• Define a new IT resource

• Use the IT resource as an input parameter for the scheduled task

See Also:

Oracle Fusion Middleware Java API Reference for Oracle Identity Manager for information about the APIs to lookup IT resource definition

In Oracle Identity Manager, a provisioning process and a process instance is associated with activities related to users or accounts. This provides a hook or point to add customizations upon various actions.

Changes to the user state or the account state can occur via direct APIs or reconciliation. The changes can be of many types, such as:

See Also:

"Understanding Reconciliation APIs" for information about the reconciliation APIs

• Data change in the user or account profile

• Status change, such as enable or disable

• Changes to user based on attestation processes

• Organization change

• Attribute propagation

• Password propagation

For each of these changes, the process definition provides a facility to add hooks to be run upon any of these changes. For reconciliation, the process definition provides the hooks in the form of the following conditional tasks:

• Reconciliation Insert Received: This conditional task is inserted when an account is created via reconciliation.

• Reconciliation Update Received: This conditional task is inserted when an existing account linked to a user is updated via reconciliation. Data in the process form or status of the account are updated.

• Reconciliation Delete Received: This conditional task is inserted when an existing account is revoked via reconciliation.

These tasks provide starting points for the workflows. You can create custom workflows in the provisioning process, and create a dependency between the reconciliation trigger tasks and the workflows. This causes the workflows to be run upon the respective triggers.

Every reconciliation event that is successfully linked to a user or an account inserts a single trigger from the conditional tasks. All the data in the user profile and the account profile is available as context-sensitive data for any adapter that is attached to one of these dependant tasks.

See Also:

Part V, "Requests and Approval Processes" and Part I, "Concepts" for details about creating conditional tasks, adapters, and dependencies

14.2 Understanding Reconciliation APIs

The reconciliation APIs are a set of published APIs that can be used to create reconciliation events with single-valued and multi-valued attribute data and other features.

Reconciliation connector developers must use these APIs to push data to the reconciliation event repository.

See Also:

Chapter 31, "Using APIs" for more information about using APIs in Oracle Identity Manager

Most of these APIs existed in earlier versions of Oracle Identity Manager. However, in 11g Release 1 (11.1.1), the implementation has changed and is based on the new reconciliation architecture introduced in the release.

Existing standard connectors also use these APIs; since the earlier APIs continue to be supported, no changes are necessary to those connectors.

callingEndOfJobAPI is the only new reconciliation API in 11g Release 1 (11.1.1).

Each run of a connector is known as a job. In 11g Release 1 (11.1.1), reconciliation events are submitted to the reconciliation engine in batches. At the end of a job, the scheduler (which executes the connector scheduled task) executes a listener, which in turn invokes the callingEndOfJOBAPI. This API submits any open batch for processing to the reconciliation engine.

The API calls are similar for Multilanguage Supported (MLS) and non-MLS data. The connector passes in data to be reconciled as a HashMap. The difference is that if an attribute is MLS-enabled, then the key is the attribute name, while the value is another HashMap of MLS data. The keys of this MLS-specific HashMap are language codes, and the values are the corresponding locale-specific data obtained from target system. If there is any MLS data that does not have a locale defined with it in the target system, that data is passed with key "base" in the MLS input data HashMap.

14.3 Postprocessing for Trusted Reconciliation

If the user login is not passed for trusted reconciliation, then the login handler generates the user login. The password is generated in postprocessing event handler. You can configure Oracle Identity Manager to send notification for the same.

Notification is sent only when the value of the Recon.SEND_NOTIFICATION system property is set to true. See "System Properties in Oracle Identity Manager" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about the Recon.SEND_NOTIFICATION system property.

In SSO disabled environment, for user creation via reconciliation, both the user login and password are generated in postprocess handlers and a single notification is sent for both user login and password.

In SSO enabled environment, because the password is not to be generated, if login is generated in postprocess handler, then notification is sent only for the user login.

14.4 Troubleshooting Reconciliation

Before troubleshooting issues related to reconciliation, change the reconciliation logging level to INFO. To do so, add the following line in the logging.xml file, and restart Oracle Identity Manager.

<LOGGER NAME="ORACLE.IAM.RECONCILIATION" LEVEL="INFO"/>

This section describes troubleshooting reconciliation issues in the following sections:

• Troubleshooting General Reconciliation Issues

• Troubleshooting Trusted Source Reconciliation

• Troubleshooting Target Resource Reconciliation

• Troubleshooting Database-Related Reconciliation Issues

14.4.1 Troubleshooting General Reconciliation Issues

Table 14-1 lists the troubleshooting steps that you can perform if you encounter reconciliation errors:

Table 14-1 Troubleshooting Reconciliation

Problem	Solution
Failure in processing events	The error details can be obtained from the reconciliation tables, such as: For batch processing, the exception is stored in RECON_BATCHES.RB_NOTE column For single event processing, the exception is stored in RECON_EVENTS.RE_NOTE column
Failure occurring in kernel orchestration handler	The orchestration ID can be tracked from the reconciliation table, which can further be used to check the status of related handlers, such as: For batch processing, the postprocess only orchestration ID can be read from the RECON_BATCHES.RB_NOTE column For single event processing, end-to-end orchestration ID can be read from the RECON_EVENTS.RE_NOTE column There is no UI that displays LDAP synchronization during reconciliation. Therefore, you can only track LDAP success or failure by checking the status of LDAP sync event handlers in orchestration based on the ID available in RB_NOTE/RE_NOTE columns.
After a job run, a lot of events are in Data Received status	Check if related batches are in Ready For Processing status by using the following statement: select rb_batch_status, rb_note from recon_batches where rb_batch_status = 'Ready For Processing' and rj_key = JOB_ID_ON_UI In addition, in the RECON_BATCHES.RB_NOTE, there is some generic exception, such as Connection issue. Fix the issue, and then perform any one of the following: If there is a lot of data, then rerun the reconciliation job. There is a scheduled task provided for manual retry of such failed batches Retry Reconciliation Batch. This can be used for retrying specific batches only. Multiple comma-separated batches are supported.There is no predefined job associated with this schedule task. A job can be created as required.
The following error is generated when performing user update for trusted source reconciliation: ORA Error Code =>ORA-00001: unique constraint (.) violated	For of trusted source reconciliation, if the matching rule is based on Usr_login, then the matching rule must not be case-sensitive. Otherwise, updating users work as creating users, and the error might be generated.

14.4.2 Troubleshooting Trusted Source Reconciliation

This section describes the following issues related to trusted source reconciliation:

No Reconciliation Profile

For missing reconciliation profile, the following error is logged:

[EXEC] ORACLE.IAM.RECONCILIATION.EXCEPTION.RECONCILIATIONEXCEPTION: EXCEPTION OCCURRED WHILE INSERTING DATA INTO TABLE RA_TESTRORECON7 DUE TO RA_TESTRORECON7 
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.RECONOPERATIONSSERVICEIMPL.RECONEVENT(RECONOPERATIONSSERVICEIMPL.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.RECONOPERATIONSSERVICEIMPL.CREATERECONCILIATIONEVENT(RECONOPERATIONSSERVICEIMPL.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.RECONOPERATIONSSERVICEIMPL.CREATERECONCILIATIONEVENT(RECONOPERATIONSSERVICEIMPL.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.RECONOPERATIONSSERVICEIMPL.CREATERECONCILIATIONEVENT(RECONOPERATIONSSERVICEIMPL.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.RECONOPERATIONSSERVICEIMPL.CREATERECONCILIATIONEVENT(RECONOPERATIONSSERVICEIMPL.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.API.RECONOPERATIONSSERVICEEJB.CREATERECONCILIATIONEVENTX(UNKNOWN SOURCE)
.....
.....
.....
[EXEC] CAUSED BY: ORACLE.IAM.PLATFORM.ENTITYMGR.NOSUCHENTITYEXCEPTION: RA_TESTRORECON7
[EXEC] AT ORACLE.IAM.PLATFORM.ENTITYMGR.IMPL.ENTITYMANAGERCONFIGIMPL.EXISTS(ENTITYMANAGERCONFIGIMPL.JAVA)
[EXEC] AT ORACLE.IAM.PLATFORM.ENTITYMGR.IMPL.ENTITYMANAGERCONFIGIMPL.GETDATAPROVIDER(ENTITYMANAGERCONFIGIMPL.JAVA)
[EXEC] AT ORACLE.IAM.PLATFORM.ENTITYMGR.IMPL.ENTITYMANAGERIMPL.GETENTITYCAPABILITY(ENTITYMANAGERIMPL.JAVA)
[EXEC] AT ORACLE.IAM.PLATFORM.ENTITYMGR.IMPL.ENTITYMANAGERIMPL.GETENTITYCAPABILITY(ENTITYMANAGERIMPL.JAVA)
[EXEC] AT ORACLE.IAM.PLATFORM.ENTITYMGR.IMPL.ENTITYMANAGERIMPL.CREATEENTITY(ENTITYMANAGERIMPL.JAVA)
[EXEC] AT ORACLE.IAM.PLATFORM.ENTITYMGR.IMPL.ENTITYMANAGERIMPL.CREATEENTITY(ENTITYMANAGERIMPL.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.RECONOPERATIONSSERVICEIMPL.RECONEVENT(RECONOPERATIONSSERVICEIMPL.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.RECONOPERATIONSSERVICEIMPL.CREATERECONCILIATIONEVENT(RECONOPERATIONSSERVICEIMPL.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.RECONOPERATIONSSERVICEIMPL.CREATERECONCILIATIONEVENT(RECONOPERATIONSSERVICEIMPL.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.RECONOPERATIONSSERVICEIMPL.CREATERECONCILIATIONEVENT(RECONOPERATIONSSERVICEIMPL.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.RECONOPERATIONSSERVICEIMPL.CREATERECONCILIATIONEVENT(RECONOPERATIONSSERVICEIMPL.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.API.RECONOPERATIONSSERVICEEJB.CREATERECONCILIATIONEVENTX(UNKNOWN SOURCE)
     .....
     .....
     .....

Missing Reconciliation Field Mapping or Inactive Owner Rule

The following error is logged when:

• There are no reconciliation fields defined.

• Reconciliation fields are added but no mapping is defined.

• There is no matching rule defined or the rule is inactive.

[EXEC] ORACLE.IAM.PLATFORM.UTILS.SUPERRUNTIMEEXCEPTION: -100: ERROR OCCURED IN XL_SP_RECONBLKUSRRQDCVALDNMTCH WHILE PROCESSING BATCH ID 4   ONE OR MORE INPUT PARAMETER PASSED AS NULL
[EXEC] AT ORACLE.IAM.RECONCILIATION.DAO.RECONACTIONDAO.EXECUTEBULKUSERMATCHCRUD(RECONACTIONDAO.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.USERHANDLER.EXECUTEBULKCUD(USERHANDLER.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.BASEENTITYTYPEHANDLER.PROCESS(BASEENTITYTYPEHANDLER.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONENGINE.PROCESSBATCH(ACTIONENGINE.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONENGINE.EXECUTE(ACTIONENGINE.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONTASK.EXECUTE(ACTIONTASK.JAVA)
[EXEC] AT ORACLE.IAM.PLATFORM.ASYNC.IMPL.TASKEXECUTOR.EXECUTEUNMANAGEDTASK(TASKEXECUTOR.JAVA)
[EXEC] AT ORACLE.IAM.PLATFORM.ASYNC.IMPL.TASKEXECUTOR.EXECUTE(TASKEXECUTOR.JAVA)
[EXEC] AT ORACLE.IAM.PLATFORM.ASYNC.MESSAGING.MESSAGERECEIVER.ONMESSAGE(MESSAGERECEIVER.JAVA)
.....
.....
.....
[EXEC] CAUSED BY: ORACLE.IAM.PLATFORM.UTILS.SUPERRUNTIMEEXCEPTION: -100: ERROR OCCURED IN XL_SP_RECONBLKUSRRQDCVALDNMTCH WHILE PROCESSING BATCH ID 4   ONE OR MORE INPUT PARAMETER PASSED AS NULL
[EXEC] AT ORACLE.IAM.RECONCILIATION.DAO.RECONACTIONDAO.EXECUTEBULKUSERMATCHCRUD(RECONACTIONDAO.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.USERHANDLER.EXECUTEBULKCUD(USERHANDLER.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.BASEENTITYTYPEHANDLER.PROCESS(BASEENTITYTYPEHANDLER.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONENGINE.PROCESSBATCH(ACTIONENGINE.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONENGINE.EXECUTE(ACTIONENGINE.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONTASK.EXECUTE(ACTIONTASK.JAVA)
[EXEC] AT ORACLE.IAM.PLATFORM.ASYNC.IMPL.TASKEXECUTOR.EXECUTEUNMANAGEDTASK(TASKEXECUTOR.JAVA)

Missing Reconciliation Action Rule

If proper reconciliation fields along with mapping are defined and the matching rule is also valid and active, but still the event status is No User Match Found, then probably there are no action rules defined. After you add the reconciliation action rule, the user is created successfully.

14.4.3 Troubleshooting Target Resource Reconciliation

This section the describes the following issues related to target resource reconciliation:

Missing Process Form

When you remove all process data fields mapping and regenerate the profile, the following error is logged:

[EXEC] <APR 19, 2011 11:13:48 PM PDT> <ERROR> <ORACLE.IAM.RECONCILIATION.IMPL> <IAM-5010000> <GENERIC INFORMATION: {0}
[EXEC] ORACLE.IAM.PLATFORM.UTILS.SUPERRUNTIMEEXCEPTION: -1: ERROR OCCURRED IN XL_SP_RECONINPUTPARAMSVALDN ORA-20001: COMMA-SEPARATED LIST INVALID NEAR D
[EXEC] AT ORACLE.IAM.RECONCILIATION.DAO.RECONACTIONDAO.EXECUTEBULKUSERMATCHCRUD(RECONACTIONDAO.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.USERHANDLER.EXECUTEBULKCUD(USERHANDLER.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.BASEENTITYTYPEHANDLER.PROCESS(BASEENTITYTYPEHANDLER.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONENGINE.PROCESSBATCH(ACTIONENGINE.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONENGINE.EXECUTE(ACTIONENGINE.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONTASK.EXECUTE(ACTIONTASK.JAVA)

The possible cause of this error is that the process form is missing.

Missing Process Form Mapping or Missing Where Clause Selection

When you remove all process data fields mapping, add process form, and regenerate the profile, the following error is logged:

[EXEC] <APR 19, 2011 11:25:31 PM PDT> <WARNING> <JNDI> <BEA-050007> <AN ATTEMPT WAS MADE TO LOOK UP NON-VERSIONED GLOBAL RESOURCE "QUEUE" FROM AN APPLICATION VERSION "OIM [VERSION=11.1.1.5.0]". THIS CAN POTENTIALLY CAUSE CONFLICT OF THE GLOBAL RESOURCE USAGES AMONG MULTIPLE APPLICATION VERSIONS.> 
[EXEC] <APR 19, 2011 11:25:31 PM PDT> <ERROR> <ORACLE.IAM.RECONCILIATION.IMPL> <IAM-5010000> <GENERIC INFORMATION: {0}
[EXEC] JAVA.LANG.NULLPOINTEREXCEPTION
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.CONFIG.PROFILE.GETACCOUNTMATCHINGRULESWHERECLAUSE(PROFILE.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.PROFILEDATA.GETACCOUNTMATCHINGRULES(PROFILEDATA.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.DAO.RECONACTIONDAO.EXECUTEBULKACCOUNTMATCHCRUD(RECONACTIONDAO.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACCOUNTHANDLER.EXECUTEBULKCUD(ACCOUNTHANDLER.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.BASEENTITYTYPEHANDLER.PROCESS(BASEENTITYTYPEHANDLER.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONENGINE.PROCESSBATCH(ACTIONENGINE.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONENGINE.EXECUTE(ACTIONENGINE.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONTASK.EXECUTE(ACTIONTASK.JAVA)

The possible causes of this error are missing process form mapping or missing where clause selection.

Missing Valid Action Rule

When you remove all process data fields mapping, add process form with mapping, add where clause selection, and regenerate the profile, the following error is logged:

[EXEC] <APR 19, 2011 11:36:20 PM PDT> <WARNING> <ORACLE.IAM.PLATFORM.ASYNC> <BEA-000000> <EXCEPTION FOR ABOVE MESSAGE I.E IAM-0050000
[EXEC] ORACLE.IAM.PLATFORM.UTILS.SUPERRUNTIMEEXCEPTION: ORACLE.IAM.PLATFORM.UTILS.SUPERRUNTIMEEXCEPTION: -15: ERROR IN  XL_SP_RECONBLKACNTRQDCMTCHCRUD WHILE PROCESSING BATCH ID 18 ERROR OCCURED IN XL_SP_RECONBLKCHILDMTHACNTCRUD WHILE PROCESSING BATCH ID - 18 ACTION RULE 'CREATE USER' FOR NO ENTITY MATCH FOUND IS INVALID.  YOU MUST PASS A VALID NO USER MATCH FOUND ACTION RULE. -20101 -ERROR- ORA-20101: 
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONENGINE.PROCESSBATCH(ACTIONENGINE.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONENGINE.EXECUTE(ACTIONENGINE.JAVA)
[EXEC] AT ORACLE.IAM.RECONCILIATION.IMPL.ACTIONTASK.EXECUTE(ACTIONTASK.JAVA)

The possible cause of this error is that a valid action rule has not been added. Figure 14-1 shows the Design Console screen with invalid action rule:

Figure 14-1 Invalid Action Rule

Description of "Figure 14-1 Invalid Action Rule"

When you add a valid action rule, the account is created successfully. Figure 14-2 shows the Design Console screen with valid action rule:

Figure 14-2 Valid Action Rule

Description of "Figure 14-2 Valid Action Rule"

Profile Not Generated

When you remove all process data fields mapping, add process form with mapping, add where clause selection, update the matching rule, and regenerate the profile, the profile is not generated and the same error as "Missing Valid Action Rule" is logged.

Matching Rule is NULL or Inactive

When the matching rule is NULL or inactive, the following error is logged:

Thor.API.Exceptions.tcAPIException:
oracle.iam.reconciliation.exception.ReconciliationException: Matching rule where clause is null

Update the profile XML file. If you manually update the profile XML file, use the following example XML for a well-defined and active matching rule in the profile:

<ReconUserMatchingRule repo-type="RDBMS" name="AS400TrustedUser Recon
Rule">
<RRL_UPDATE>1301687006000</RRL_UPDATE>
<RRL_VALID>1</RRL_VALID>
<RRL_OPERATOR>AND</RRL_OPERATOR>
<RRL_DESCRIPTION>AS400TrustedUser Recon Rule</RRL_DESCRIPTION>
<RRL_ACTIVE>1</RRL_ACTIVE>
<ReconRuleElement repo-type="RDBMS" id="RRE1">
<RRE_SEQUENCE>1</RRE_SEQUENCE>
<RRE_UPDATE>1301689575000</RRE_UPDATE>
<RRE_FIELDNAME>User Login</RRE_FIELDNAME>
<RRE_CASESENSITIVE>0</RRE_CASESENSITIVE>
<RRE_VALID>1</RRE_VALID>
<RRE_TRANSFORM>None</RRE_TRANSFORM>
<RRE_OPERATOR>Equals</RRE_OPERATOR>
<ORF_KEY Resource="AS400TrustedUser" ReconField="User Login"/>
</ReconRuleElement>
</ReconUserMatchingRule>

If changing through the Design Console, then update the rule and regenerate the profile.

Missing Child Data for an Event

No data is deleted when you do not pass any child data for an event, which happens with some connectors if all children are deleted on the target for an account.

Multiple Account Matches When Ad Hoc Linking an Account to a User

If you ad hoc link an account to a user, then based on the matching rule for account, there can be multiple account matches even though a particular user's account has been specified. This can be overcome by selecting an account from matched accounts list, and clicking LINK on the Administrative and User Console.

14.4.4 Troubleshooting Database-Related Reconciliation Issues

This section the describes the following database-related issues for reconciliation:

Missing Critical Oracle Database 11g Release 1 Interim Patches

When the RDBMS interim patch# 7614692 is missing, the following error is logged:

ORA-02291: INTEGRITY CONSTRAINT (FK_RECON_EVENTS_USR) VIOLATED - PARENT KEY NOT FOUND
[EXEC] ORA-06512: AT "OIM_SP_RECONBLKUSERCRUD"
[EXEC] ORA-06512: AT "OIM_SP_RECONBLKUSRMLSWRAPPER"
[EXEC] ORA-06512:

To resolve this issue, the following patches must be installed on Oracle Database 11g Release 1 (11.1.0.7.0):

• p7614692_111070

• p7000281_111070

• p8327137_111070

• p8617824_111070

Note:

You can download all interim patches from the following URL:

http://support.oracle.com

Missing Critical Oracle Database 11g Release 2 Interim Patches

Running some SQL scripts might generate incorrect or inconsistent results on Oracle Database 11g Release 2 (11.2.0.2.0), which do not cause problems in earlier release of Oracle Database.

To resolve this issue, patch# 10259620 for Oracle Database 11g Release 2 must be installed.

Slow Reconciliation and Similar Traces in Error Log

When the SQL scripts having matching rules involving large volume, the entity tables are slow probably because of FULL table scans or unoptimized SQL plans in the database.

Reconciliation can be slow when the matching rule columns are not properly indexed or schema statistics is outdated. The slowness results in error logs similar to the following:

oracle.iam.platform.utils.SuperRuntimeException: java.sql.SQLException:
ORA-01013: user requested cancel of current operation
ORA-06512: at "XL_SP_RECONBLKROLEMATCH"
ORA-06512: at "OIM_SP_RECONBLKROLEMLSWRAPPER"
ORA-06512:
 
at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkMana gerImpl.java)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java)
at weblogic.work.ExecuteThread.run(ExecuteThread.java)
Caused by: java.sql.SQLException: ORA-01013: user requested cancel of current operation
ORA-06512: at "XL_SP_RECONBLKROLEMATCH"
ORA-06512: at "OIM_SP_RECONBLKROLEMLSWRAPPER"
ORA-06512: 
.
at oracle.jdbc.driver.SQLStateMapping.newSQLException(SQLStateMapping.java)
at oracle.jdbc.driver.DatabaseError.newSQLException(DatabaseError.java)
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java)

To resolve this issue:

1. Verify that all the appropriate indexes are created over matching rule columns.

2. Verify that the database schema statistics are collected according to the guidelines.

   See Also:

   "Connector for Reconciliation" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about creating indexes for reconciliation and collecting database statistics