32 Oracle Identity Manager

This chapter describes issues associated with Oracle Identity Manager. It includes the following topics:

32.1 Patch Requirements

This section describes patch requirements for Oracle Identity Manager 11g Release 1 (11.1.1). It includes the following sections:

32.1.1 Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)

To obtain a patch from My Oracle Support (formerly OracleMetaLink), go to the following URL, click Patches and Updates, and search for the patch number:

https://support.oracle.com/

32.1.2 Patch Requirements for Oracle Database 11g (11.1.0.7)

Table 32-1 lists patches required for Oracle Identity Manager 11g Release 1 (11.1.1) configurations that use Oracle Database 11g (11.1.0.7). Before you configure Oracle Identity Manager 11g, be sure to apply the patches to your Oracle Database 11g (11.1.0.7) database.

Table 32-1 Required Patches for Oracle Database 11g (11.1.0.7)

Platform: Patch Number and Description on My Oracle Support

UNIX / Linux:

  • 7614692: BULK FEATURE WITH 'SAVE EXCEPTIONS' DOES NOT WORK IN ORACLE 11G

  • 7000281: DIFFERENCE IN FORALL STATEMENT BEHAVIOR IN 11G

  • 8327137: WRONG RESULTS WITH INLINE VIEW AND AGGREGATION FUNCTION

  • 8617824: MERGE LABEL REQUEST ON TOP OF 11.1.0.7 FOR BUGS 7628358 7598314

Windows 32 bit:

  • 8689191: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS 32 BIT

Windows 64 bit:

  • 8689199: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS (64-BIT AMD64 AND INTEL EM64T)


Note:

The patches listed for UNIX/Linux in Table 32-1 are also available by the same names for Solaris SPARC 64 bit.

32.1.3 Patch Requirements for Oracle Database 11g (11.2.0.2.0)

If you are using Oracle Database 11g (11.2.0.2.0), make sure that you download and install the appropriate version (based on the platform) for the RDBMS Patch Number 9776940. This is a prerequisite for installing the Oracle Identity Manager schemas.

Table 32-2 lists the patches required for Oracle Identity Manager 11g Release 1 (11.1.1) configurations that use Oracle Database 11g Release 2 (11.2.0.2.0). Make sure that you download and install the following patches before creating Oracle Identity Manager schemas.

Table 32-2 Required Patches for Oracle Database 11g (11.2.0.2.0)

Platform: Patch Number and Description on My Oracle Support

Linux x86 (32-bit), Linux x86 (64-bit), Oracle Solaris on SPARC (64-bit), Oracle Solaris on x86-64 (64-bit):

  • RDBMS Interim Patch#9776940.

Microsoft Windows x86 (32-bit):

  • Bundle Patch 2 [Patch#11669994] or later. The latest Bundle Patch is 4 [Patch# 11896290].

Microsoft Windows x86 (64-bit):

  • Bundle Patch 2 [Patch# 11669995] or later. The latest Bundle Patch is 4 [Patch# 11896292].


If this patch is not applied, then problems might occur in user and role search and manager lookup. In addition, searches might return empty results.

Note:

  • Apply this patch in ONLINE mode. Refer to the readme.txt file bundled with the patch for the steps to be followed.

  • In some environments, the RDBMS Interim Patch has been unable to resolve the issue, but the published workaround works. Refer to the metalink note "Wrong Results on 11.2.0.2 with Function-Based Index and OR Expansion due to fix for Bug:8352378 [Metalink Note ID 1264550.1]" for the workaround. This note can be followed to set the parameters accordingly with the only exception that they need to be altered at the Database Instance level by using ALTER SYSTEM SET <param>=<value> scope=<memory> or <both>.

32.1.4 Patch Requirements for Segregation of Duties (SoD)

Table 32-3 lists patches that resolve known issues with Segregation of Duties (SoD) functionality:

Table 32-3 SoD Patches

Patch Number / ID: Description and Purpose

Patch number 9819201 on My Oracle Support:

  • Apply this patch on the SOA Server to resolve the known issue described in "SoD Check During Request Provisioning Fails While Using SAML Token Client Policy When Default SoD Composite is Used".

  • The description of this patch on My Oracle Support is "ERROR WHILE USING SAML TOKEN CLIENT POLICY FOR CALLBACK."

Patch ID 3M68 using the Oracle Smart Update utility. Requires passcode: 6LUNDUC7:

  • Using the Oracle Smart Update utility, apply this patch on the Oracle WebLogic Server to resolve the known issue described in "SoD Check Fails While Using Client-Side Policy in Callback Invocation During Request Provisioning".


Note:

The SoD patches are required to resolve the known issues in Oracle Identity Manager 11g Release 1 (11.1.1.3), but these patches are not required in 11g Release 1 (11.1.1.5).

32.1.5 Patch Upgrade Requirement

While applying the patch provided by Oracle Identity Manager, the following error is generated:

ApplySession failed: ApplySession failed to prepare the system.

OPatch version 11.1.0.8.1 must be upgraded to version 11.1.0.8.2 to meet the version requirement.

See "Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)" for information about downloading OPatch from My Oracle Support.

32.2 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

32.2.1 Do Not Use Platform Archival Utility

Currently, the Platform Archival Utility is not supported and should not be used.

To work around this issue, use the predefined scheduled task named Orchestration Process Cleanup Task to delete all completed orchestration processes and related data.

32.2.2 SPML-DSML Service is Unsupported

Oracle Identity Manager's SPML-DSML Service is currently unsupported in 11g Release 1 (11.1.1). However, you can manually deploy the spml-dsml.ear archive file for Microsoft Active Directory password synchronization.

32.2.3 Resource Object Names Longer than 100 Characters Cause Import Failure

If a resource object name is more than 100 characters, an error occurs in the database and the resource object is not imported. To work around this issue, change the resource object's name in the XML file so the name is less than 100 characters.

32.2.4 Status of Users Created Through the Create and Modify User APIs

You cannot create users in Disabled State. Users are always created in Active State.

The Create and Modify User APIs do not honor the Users.Disable User attribute value. If you pass a value to the Users.Disable User attribute when calling the Create API, Oracle Identity Manager ignores this value and the USR table is always populated with a value of 0, which indicates the user's state is Active.

Use the Disable API to disable a user.

32.2.5 Status of Locked Users in Oracle Access Manager Integrations

When Oracle Access Manager locks a user account in an Oracle Identity Manager-Oracle Access Manager integration, it may take approximately five minutes, or the amount of time defined by the incremental reconciliation scheduled interval, for the status of the locked account to be reconciled and appear in Oracle Identity Manager. However, if a user account is locked or unlocked in Oracle Identity Manager, the status appears immediately.

32.2.6 Generating an Audit Snapshot after Bulk-Loading Users or Accounts

The GenerateSnapshot.[sh|bat] option does not work correctly when invoked from the Bulk Load utility. To work around this issue and generate a snapshot of the initial audit after bulk loading users or accounts, you must run GenerateSnapshot.[sh|bat] from the $OIM_HOME/bin/ directory.

32.2.7 Browser Timezone Not Displayed

Due to an ADF limitation, the browser timezone is currently not accessible to Oracle Identity Manager. Oracle Identity Manager bases the timezone information in all date values on the server's timezone. Consequently, end users will see timezone information in the date values, but the timezone value will display the server's timezone.

32.2.8 Date Format Change in the SoD Timestamp Field Not Supported

The date-time value that end users see in the Segregation of Duties (SoD) Check Timestamp field on the SoD Check page will always display as "YYYY-MM-DD hh:mm:ss" and this format cannot be localized.

To work around this localization issue, perform the following steps:

  1. Open the "Oracle_eBusiness_User_Management_9.1.0.1.0/xml/Oracle-eBusinessSuite-TCA-Main-ConnectorConfig.xml" file.

  2. In the EBS Connector import XML, locate the SoDCheckTimeStamp field for the Process Form. Change <SDC_FIELD_TYPE> to 'DateFieldDlg' and change <SDC_VARIANT_TYPE> to 'Date' as shown in the following example:

    <FormField name = "UD_EBST_USR_SODCHECKTIMESTAMP">
        <SDC_UPDATE>!Do not change this field!</SDC_UPDATE>
        <SDC_LABEL>SoDCheckTimestamp</SDC_LABEL>
        <SDC_VERSION>1</SDC_VERSION>
        <SDC_ORDER>23</SDC_ORDER>
        <SDC_FIELD_TYPE>DateFieldDlg</SDC_FIELD_TYPE>
        <SDC_DEFAULT>0</SDC_DEFAULT>
        <SDC_ENCRYPTED>0</SDC_ENCRYPTED>
        <!--SDC_SQL_LENGTH>50</SDC_SQL_LENGTH-->
        <SDC_VARIANT_TYPE>Date</SDC_VARIANT_TYPE>
    </FormField>
    
  3. Import the Connector.

  4. Enable SoD Check.

  5. Provision the EBS Resource with entitlements to trigger an SoD Check.

  6. Check the SoDCheckTimeStamp field in Process Form to confirm it is localized like the other date fields in the form.

32.2.9 Bulk Loading CSV Files with UTF-8 BOM Encoding Not Supported

Bulk loading a CSV file for which UTF-8 BOM (byte order mark) encoding is specified causes an error. However, bulk-loading UTF-8 encoded CSV files works as expected if you specify "no BOM" encoding.

To work around this issue:

  • If you want to load non-ASCII data, you must change your CSV file encoding to "UTF-8 no BOM" before loading the CSV file.

  • If your data is stored in CSV files with "UTF-8 BOM" encoding, you must change them to "UTF-8 no BOM" encoding before running the bulkload script.
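One way to detect and remove the byte order mark before running the bulkload script, shown as an added example that is not part of the Oracle documentation or tooling. The file name and CSV column headings in the demo are constructed sample data.

```python
import os
import tempfile

UTF8_BOM = b"\xef\xbb\xbf"  # the three-byte UTF-8 byte order mark


def classify_csv_bytes(data: bytes) -> str:
    """Return 'utf-8-bom', 'utf-8' or 'not-utf-8' for the raw bytes of a CSV file."""
    has_bom = data.startswith(UTF8_BOM)
    body = data[len(UTF8_BOM):] if has_bom else data
    try:
        body.decode("utf-8")
    except UnicodeDecodeError:
        # Stripping a BOM would not help here; the file needs re-exporting as UTF-8.
        return "not-utf-8"
    return "utf-8-bom" if has_bom else "utf-8"


def strip_utf8_bom(data: bytes) -> bytes:
    """Remove one leading UTF-8 BOM and leave every other byte untouched."""
    return data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data


def convert_file_to_no_bom(path: str) -> bool:
    """Rewrite path as 'UTF-8 no BOM'. Returns True if the file was changed."""
    with open(path, "rb") as fh:
        data = fh.read()
    kind = classify_csv_bytes(data)
    if kind == "not-utf-8":
        raise ValueError(f"{path}: not valid UTF-8, re-export it before loading")
    if kind == "utf-8":
        return False  # already in the encoding the bulk load accepts
    # Write beside the original, then swap, so a failure never leaves a
    # half-written CSV in place.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".nobom")
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(strip_utf8_bom(data))
        os.replace(tmp_path, path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return True


def demo() -> dict:
    """Run the conversion on a constructed CSV that contains non-ASCII data."""
    sample = UTF8_BOM + "User Login,First Name\njdoe,Jos\u00e9\n".encode("utf-8")
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "users.csv")
        with open(path, "wb") as fh:
            fh.write(sample)
        changed = convert_file_to_no_bom(path)
        with open(path, "rb") as fh:
            after = fh.read()
        return {
            "before": classify_csv_bytes(sample),
            "changed": changed,
            "after": classify_csv_bytes(after),
            "second_pass_changed": convert_file_to_no_bom(path),
        }


if __name__ == "__main__":
    print(demo())
```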

32.2.10 Date Type Attributes are Not Supported for the Default Scheduler Job, "Job History Archival"

The default Scheduler job, "Job History Archival," does not support date type attributes.

The "Archival Date" attribute parameter in "Job History Archival" only accepts string patterns such as "ddMMyyyy" and "MMM DD, yyyy."

When you run a Scheduler job, the code checks the date format. If you enter the wrong format, an error similar to the following example is displayed in the execution status list and in the log console:

<IAM-1020063> <Incorrect format of Archival Date parameter. Archival Date is expected in DDMMYYYY or UI Date format.>

The job cannot run successfully until you input the correct Archival Date information.

32.2.11 Low File Limits Prevent Adapters from Compiling

On machines where the file limits are set too low, trying to create and compile an entity adapter causes a "Too many open files" error and the adapter will not compile.

To work around this issue, change the file limits on your machine to the following (located in /etc/security/limits.conf) and then restart the machine:

  • soft nofile 4096

  • hard nofile 4096

32.2.12 Reconciliation Engine Requires Matching Rules

Currently, Oracle Identity Manager's Reconciliation Engine in 11g Release 1 (11.1.1) requires you to define a matching rule to identify the users for every connector in reconciliation. Errors will occur during reconciliation if you do not define a matching rule to identify users.

32.2.13 SPML Requests Do Not Report When Any Date is Specified in Wrong Format

When any date, such as activeStartDate, hireDate, and so on, is specified in an incorrect format, the Web server does not pass those values to the SPML layer. Only valid dates are parsed and made available to SPML. Consequently, when an SPML request contains a date in an invalid format, that date is ignored and is not available for the operation. For example, if you specify the HireDate month as "8" instead of "08," the HireDate will not be populated after the Create request is completed and no error message is displayed.

The supported date format is:

yyyy-MM-dd hh:mm:ss.fffffffff

No other date format is supported.
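Because a malformed date is dropped without an error, a client can check its values before sending the request. The following is an added example, not Oracle code: it assumes the pattern means zero-padded fields, a 24-hour hour field, and exactly nine fractional digits, which is a conservative reading of the format string above. The request dictionary is constructed sample data.

```python
import re
from datetime import datetime

# yyyy-MM-dd hh:mm:ss.fffffffff with every field zero-padded (assumed strict reading)
_SPML_DATE = re.compile(
    r"([0-9]{4})-([0-9]{2})-([0-9]{2}) ([0-9]{2}):([0-9]{2}):([0-9]{2})\.([0-9]{9})"
)


def to_spml_date(value: datetime) -> str:
    """Format a datetime in the supported pattern, padding the fraction to nine digits."""
    nanos = value.microsecond * 1000
    return value.strftime("%Y-%m-%d %H:%M:%S.") + f"{nanos:09d}"


def is_supported_date(text: str) -> bool:
    """True only if text matches the pattern and names a real calendar date and time."""
    match = _SPML_DATE.fullmatch(text)
    if match is None:
        return False
    year, month, day, hour, minute, second = (int(g) for g in match.groups()[:6])
    try:
        datetime(year, month, day, hour, minute, second)
    except ValueError:
        return False  # for example month 13 or 30 February
    return True


def find_dropped_dates(attributes: dict, date_fields: set) -> list:
    """Names of date attributes whose values would be ignored without an error."""
    return sorted(
        name
        for name in date_fields
        if name in attributes and not is_supported_date(attributes[name])
    )


# Constructed sample request attributes; hireDate repeats the page's "8" vs "08" case.
DATE_FIELDS = {"activeStartDate", "hireDate"}
SAMPLE_REQUEST = {
    "lastName": "Doe",
    "activeStartDate": "2011-08-01 00:00:00.000000000",
    "hireDate": "2011-8-01 00:00:00.000000000",
}

if __name__ == "__main__":
    for field in find_dropped_dates(SAMPLE_REQUEST, DATE_FIELDS):
        print(f"{field}: {SAMPLE_REQUEST[field]!r} is not in the supported format")
    print("corrected:", to_spml_date(datetime(2011, 8, 1)))
```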

32.2.14 Logs Populated with SoD Exceptions When the SoD Message Fails and Gets Stuck in the Queue

SoD functionality uses JMS-based processing. Oracle Identity Manager submits a message to the oimSODQueue for each SoD request. If for some reason an SoD message always results in an error, Oracle Identity Manager never processes the next message in the oimSODQueue. Oracle Identity Manager always picks the same error message for processing until you delete that message from the oimSODQueue.

To work around this issue, use the following steps to edit the queue properties and to delete the SoD message in oimSODQueue:

  1. Log on to the WebLogic Admin Console at http://<hostname>:<port>/console

  2. From the Console, select Services, Messaging, JMS Modules.

  3. Click OIMJMSModule. All queues will be displayed.

  4. Click oimSODQueue.

  5. Select the Configurations, Delivery Failure tabs.

  6. Change the retry count so that the message can only be submitted a specified number of times.

  7. Change the default Redelivery Limit value from -1 (which means infinite) to a specific value. For example, if you specify 1, the message will be submitted only once.

  8. To review and delete the SoD error message, go to the Monitoring tab, select the message, and delete it.

32.2.15 A Backslash (\) Cannot Be Used in a weblogic.properties File

If you are using the WeblogicImportMetadata.cmd utility to import data to MDS, then do not use a backslash (\) character in a path in the weblogic.properties file, or an exception will occur.

To work around this issue, you must use a double backslash (\\) or a forward slash (/) on Microsoft Windows. For example, change metadata_from_loc=C:\metadata\file to metadata_from_loc=C:\\metadata\\file in the weblogic.properties file.
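A check for this condition before running the import utility, shown as an added example that is not part of the Oracle tooling. Only metadata_from_loc comes from this page; the key example_escaped_loc and the sample file content are constructed for illustration.

```python
import re

_BACKSLASH_RUN = re.compile(r"\\+")


def lone_backslash_lines(properties_text: str) -> list:
    """Return (line_number, key) for entries whose value holds an unpaired backslash."""
    hits = []
    for number, line in enumerate(properties_text.splitlines(), start=1):
        stripped = line.strip()
        # Skip blanks, comments and lines that are not key=value entries.
        if not stripped or stripped.startswith(("#", "!")) or "=" not in stripped:
            continue
        key, value = stripped.split("=", 1)
        # A run of odd length contains a backslash that is not part of a "\\" pair.
        if any(len(m.group()) % 2 for m in _BACKSLASH_RUN.finditer(value)):
            hits.append((number, key.strip()))
    return hits


def use_forward_slashes(properties_text: str) -> str:
    """Rewrite only the flagged values with forward slashes, the other allowed form."""
    flagged = {number for number, _ in lone_backslash_lines(properties_text)}
    fixed = []
    for number, line in enumerate(properties_text.splitlines(), start=1):
        if number in flagged:
            key, value = line.split("=", 1)
            line = key + "=" + _BACKSLASH_RUN.sub("/", value)
        fixed.append(line)
    return "\n".join(fixed) + "\n"


# Constructed sample weblogic.properties content.
SAMPLE = "\n".join(
    [
        "# constructed sample",
        r"metadata_from_loc=C:\metadata\file",
        r"example_escaped_loc=C:\\export\\file",
    ]
) + "\n"

if __name__ == "__main__":
    for number, key in lone_backslash_lines(SAMPLE):
        print(f"line {number}: {key} contains a single backslash")
    print(use_forward_slashes(SAMPLE), end="")
```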

32.2.16 Underscore Character Cannot Be Used When Searching for Resources

When you are searching for a resource object, do not use an underscore character (_) in the resource name. The search feature ignores the underscore and consequently does not return the expected results.

32.2.17 Assign to Administrator Action Rule is Not Supported by Reconciliation

Reconciliation does not support the Assign to Administrator Action rule.

To work around this issue, change the Assign to Administrator to None in the connector XML before importing the connector. However, after changing the value to None, you cannot revert to Assign to Administrator.

32.2.18 Some Buttons on Attestation Screens Do Not Work in Mozilla Firefox

If you are creating attestations in a Mozilla Firefox Web browser and you click certain buttons, nothing happens.

To work around this issue, click the Refresh button to refresh the page.

32.2.19 The maxloginattempts System Property Causes Autologin to Fail When User Tries to Unlock

WLS Security Realm has a default lock-out policy that locks out users for some time after several unsuccessful login attempts. This policy can interfere with the locking and unlocking functionality of Oracle Identity Manager.

To prevent the WLS Security Realm lock-out policy from affecting the lock/unlock functionality of Oracle Identity Manager, you must set the 'Lockout Threshold' value in the WLS 'User Lockout Policy' to at least 5 more than the value in Oracle Identity Manager. For example, if the value in Oracle Identity Manager is set to 10, you must set the WLS 'Lockout Threshold' value to 15.

To change the default values for the 'User lockout Policy,' perform the following steps:

  1. Open the WebLogic Server Administrative Console.

  2. Select Security Realms, REALM_NAME.

  3. Select the User Lockout tab.

  4. If configuration editing is not enabled, then click the Lock and Edit button to enable configuration editing.

  5. Change the value of lockout threshold to the required value.

  6. Click Save to save the changes.

  7. Click Activate to activate your changes.

  8. Restart all the servers in the domain.

32.2.20 "<User not found>" Error Message Appears in AdminServer Console While Setting-Up an Oracle Identity Manager-Oracle Access Manager Integration

When you set up Oracle Identity Manager-Oracle Access Manager Integration with a JAVA agent and log into the Admin Server Console, a "<User not found>" error message is displayed. This message displays even when the login is successful.

32.2.21 Do Not Use Single Quote Character in Reconciliation Matching Rule

If the single quote character (') is used in reconciliation data (for example, 'B'1USER1'), then target reconciliation will fail with an exception.

32.2.22 Do Not Use Special Characters When Reconciling Roles from LDAP

Due to a limitation in the Oracle SOA Infrastructure, do not use special characters such as commas (,) in role names, group names, or container descriptions when reconciling roles from LDAP. Oracle Identity Manager's internal code uses special characters as delimiters. For example, Oracle Identity Manager uses commas (,) as approver delimiters and the SOA HWF-level global configuration uses commas as assignee delimiters.

32.2.23 SoD Check During Request Provisioning Fails While Using SAML Token Client Policy When Default SoD Composite is Used

SoD check fails and the following error is displayed on the SOA console when SoD check is performed during request provisioning only when the Default SoD Check composite is used:

SEVERE: FabricProviderServlet.handleException Error during retrieval of test page or composite resourcejavax.servlet.ServletException: java.lang.NullPointerException

This happens when Callback is made from Oracle Identity Manager to SOA with the SoDCheck Results.

To resolve this issue, apply patch 9819201 on the SOA server. You can obtain patch 9819201 from My Oracle Support. The description of this patch on My Oracle Support is "ERROR WHILE USING SAML TOKEN CLIENT POLICY FOR CALLBACK."

For more information, refer to:

32.2.24 SoD Check Fails While Using Client-Side Policy in Callback Invocation During Request Provisioning

SoD check fails and the following error is displayed on the Oracle Identity Manager Administrative and User Console when SoD check is performed during request provisioning only when the Default SoD Check composite is used:

<Error> <oracle.wsm.resources.policymanager><WSM-02264> <"/base_domain/oim_server1/oim/unknown/iam-ejb.jar/WEBSERVICECLIENTs/SoDCheckResultService/PORTs/ResultPort" is not a recognized resource pattern.>
<Error> <oracle.iam.sod.impl> <IAM-4040002><Error getting Request Service : java.lang.IllegalArgumentException: WSM-02264 "/base_domain/oim_server1/oim/unknown/iam-ejb.jar/WEBSERVICECLIENTs/SoDCheckResultService/PORTs/ResultPort" is not a recognized resource pattern.>

To resolve this issue, use the Oracle Smart Update utility to apply patch ID 3M68, which requires passcode 6LUNDUC7, on Oracle WebLogic Server. For more information, refer to:

32.2.25 Error May Appear During Provisioning when Generic Technology Connector Framework Uses SPML

When the generic technology connector framework uses SPML, the following error may appear during provisioning:

<SPMLProvisioningFormatProvider.formatData :problem with Velocity Template Unable
to find resource 'com/thortech/xl/gc/impl/prov/SpmlRequest.vm'>

If the error occurs, it blocks provisioning by using the predefined SPML GTC provisioning format provider. Restarting the Oracle Identity Manager server prevents the error from appearing again.

32.2.26 Cannot Click Buttons in TransUI When Using Mozilla Firefox

When using the Mozilla Firefox browser, in certain situations, some buttons in the legacy user interface, also known as TransUI, cannot be clicked. This issue occurs intermittently and can be resolved by using Firefox's reload (refresh) function.

32.2.27 LDAP Handler May Cause Invalid Exception While Creating, Deleting, or Modifying a Role

If an LDAP handler causes an exception when you create, modify, or delete a role, an invalid error message, such as System Error or Role does not exist, may appear.

To work around this issue, look in the log files, which will display the correct error message.

32.2.28 Cannot Reset User Password Comprised of Non-ASCII Characters

If a user's password is comprised of non-ASCII characters, and that user tries to reset the password from either the My Profile or initial login screens in the Oracle Identity Manager Self Service interface, the reset will fail with the following error message:

Failed to change password during the validation of the old password

Note:

This error does not occur with user passwords comprised of only ASCII characters.

To work around this issue, perform the following steps:

  1. Set the JVM file encoding to UTF8, for example: -Dfile.encoding=UTF-8

    Note:

    On Windows systems, this may cause the console output to appear distorted, though output in the log files appears correctly.

  2. Restart the Oracle WebLogic Server.

32.2.29 Benign Exception and Error Message May Appear While Patching Authorization Policies

When patches are applied to the Authorization Policies that are included with Oracle Identity Manager and the JavaSE environment registers the Oracle JDBC driver, java.security.AccessControlException is reported and the following error message appears:

Error while registering Oracle JDBC Diagnosability MBean

You can ignore this benign exception, as the Authorization Policies are seeded successfully, despite the exception and error messages.

32.2.30 The DateTime Pick in the Trans UI Does Not Work Correctly in the Thai Locale

When locale is set to th_TH in Microsoft Windows Internet Explorer Web browser, the datetime in Oracle Identity Manager follows the Thai Buddhist calendar. In the Create Attestation page of the Administrative and User Console, when you select a date for start time, the year is displayed according to the Thai Buddhist calendar, for example, 2553. After you click OK, the equivalent year according to the Gregorian calendar, which is 2010, is displayed in the start time field. But when you click Next to continue creating the attestation, an error message is displayed stating that the start time of the process must not belong to the past.

To work around this issue, perform any one of the following:

  • Specify the datetime manually.

  • Use Mozilla Firefox Web browser, which uses the Gregorian calendar.

32.2.31 User Without Access Policy Administrators Role Cannot View Data in Access Policy Reports

An OIM user without the ACCESS POLICY ADMINISTRATORS role cannot view data in the following reports:

  • Access Policy Details

  • Access Policy List by Role

To work around this issue:

  1. Assign the ACCESS POLICY ADMINISTRATORS role to an OIM user.

  2. Create a BI Publisher user with the same username as in step 1. Assign the appropriate BI Publisher role to view reports.

  3. Log in as the BI Publisher user mentioned in step 2. View the Access Policy Details and Access Policy List by Role reports. All access policies are displayed.

32.2.32 Archival Utility Throws an Error for Empty Date

If the date is empty, the archival utility throws an error message but proceeds to archive data by mapping the empty date to the current date. Currently, no workaround exists for this issue.

32.2.33 TransUI Closes with Direct Provisioning of a Resource

TransUI closes during direct provisioning if a user-defined field (UDF) is created with the default values. To work around this issue, create a Lookup Code for the INTEGER/DOUBLE type UDF in the LKU/LKV table.

32.2.34 Scheduler Throws "ParameterValueTypeNotSupportedException" Instead of "RequiredParameterNotSetException"

On the AIX platform, when a required parameter is missing during the creation of a scheduler job, the scheduler throws "ParameterValueTypeNotSupportedException" with the error message "Parameter value is not set properly" instead of "RequiredParameterNotSetException" with the error message "The value is not set for required parameters of a scheduled task.". Currently, no workaround exists for this issue.

32.2.35 All New User Attributes Are Not Supported for Attestation in Oracle Identity Manager 11g

New user attributes are added in Oracle Identity Manager 11g. Not all of them are available for Attestation while defining user-scope. However, Attestation has been enhanced to include the following user attributes:

  • USR_COUNTRY

  • USR_LDAP_ORGANIZATION

  • USR_LDAP_ORGANIZATION_UNIT

  • USR_LDAP_GUID

Currently, no workaround exists for this issue.

32.2.36 LDAP GUID Mapping to Any Field of Trusted Resource Not Supported

An update fails in LDAP if the LDAP GUID is mapped to any field of a trusted resource in an LDAP-SYNC enabled installation. Oracle does not recommend mapping the LDAP GUID field when you create a reconciliation field mapping for a trusted resource, so omit that mapping to work around this issue.

32.2.37 User Details for Design Console Access Field Must Be Mapped to Correct Values When Reading Modify Request Results

When a Modify Request is raised, "End-User" and "End-User Administrator" values are displayed for the "Design Console Access" field. These values must be mapped to False/True while interpreting the user details.

32.2.38 Cannot Create a User Containing Asterisks if a Similar User Exists

If you try to create a user that contains an asterisk (*) after creating a user with a similar name, the attempt will fail. For example, if you create user test1test, followed by test*test, test*test will not be created.

It is recommended to not create users with asterisks in the User Login field.

32.2.39 Blank Status Column Displayed for Past Proxies

The Status field on the Past Proxies page is blank. However, active proxies are displayed correctly on the Current Proxies page.

Currently, no workaround exists for this issue.

32.2.40 Mapping the Password Field in a Reconciliation Profile Prevents Users from Being Created

The Password field is available to be mapped with a reconciliation profile, but it should not be used. Attempting to map this field will generate a reconciliation event that will not create users. (The event ends in "No Match Found State".) In addition, you will not be able to re-evaluate or manually link this event.

32.2.41 UID Displayed as User Login in User Search Results

Although you can select the UID attribute from the Search Results Table Configuration list on the Search Configuration page of the Advanced Administration, the search results table for advanced search for users displays the User Login field instead of the UID field.

32.2.42 Roles/Organizations Browse Trees Disappear

After you delete an organization, the Browse trees for organizations and roles might not be displayed.

To work around this issue, click the Search Results tab, then click the Browse tab. The roles and organizations browse trees display correctly.

32.2.43 Entitlement Selection Is Not Optional for Data Gathering

Entitlement (Child Table) selection during data gathering on the process form is not optional for the "Depends On (Depended)" attribute. During data gathering, if dependent lookups are configured, then the user has to select the parent lookup value so that filtering happens on the child lookup and the user gets a final list of entitlements to select. Currently, no workaround exists to directly filter the values based on the child lookup.

32.2.44 Oracle Identity Manager Server Throws Generic Exception While Deploying a Connector

Generic exceptions are shown in the server logs every time a Deployment Manager import happens or a profile is changed, either manually or through the Design Console. This is because "WLSINTERNAL" is not an authorized user of Oracle Identity Manager. "WLSINTERNAL" is an internal user of WebLogic Server, and MDS uses it to invoke MDS listeners if there is a change in the XML files stored in MDS. Currently, no workaround exists for this issue.

32.2.45 Create User API Allows Any Value for the "Users.Password Never Expires", "Users.Password Cannot Change", and "Users.Password Must Change" Fields

The Create User API allows the user to set any value between 0 and 9 instead of 0 or 1 for the "Users.Password Never Expires", "Users.Password Cannot Change" and "Users.Password Must Change" fields. However, any value other than 0 is considered as TRUE and 0 is considered as FALSE, and the flag is set accordingly for the user being created. Currently, no workaround exists for this issue.

32.2.46 Incorrect Label in JGraph Screen for the GTC

The User Type label on the JGraph screen is displayed incorrectly as Design Console Access. To display User Type, add the line Xellerate_Type=User Type to the OIM_HOME/server/customResources/customResources.properties file.

32.2.47 Running the Workflow Registration Utility Generates an Error

When the workflow registration utility is run in a clustered deployment of Oracle Identity Manager, the following error is generated:

[java] oracle.iam.platform.utils.NoSuchServiceException:
java.lang.reflect.InvocationTargetException

Ignore the error message.

32.2.48 Native Performance Pack is Not Enabled On Solaris 64-bit JVM Install

For Oracle Identity Manager JVM install on a Solaris 64-bit computer, Oracle WebLogic log displays the following error:

Unable to load performance pack. Using Java I/O instead. Please ensure that a native performance library is in:

To work around this issue, perform the following steps to ensure that the JDK picks up the 64-bit native performance pack:

  1. In a text editor, open the MIDDLEWARE_HOME/wlserver_10.3/common/bin/commEnv.sh file.

  2. Replace the following:

    SUN_ARCH_DATA_MODEL="32"

    With:

    SUN_ARCH_DATA_MODEL="64"

  3. Save and close the commEnv.sh file.

  4. Restart the application server.

32.2.49 Error in the Create Generic Technology Connector Wizard

If you enter incorrect credentials for the database on the Create Generic Technology Connector wizard, a system error window is displayed. You must close this window and run the wizard again.

32.2.50 DSML Profile for the SPML Web Service is Not Deployed With Oracle Identity Manager

The DSML profile for the SPML Web service is not deployed by default with Oracle Identity Manager 11g Release 1 (11.1.1). SPML-DSML binaries are bundled with the Oracle Identity Manager installer to support Microsoft Active Directory Password Synchronization. You must deploy the spml-dsml.ear file manually.

32.2.51 New Human Tasks Must Be Copied in SOA Composites

When you add a new human task to an existing SOA composite, you must ensure that all the copy operations for the attributes in the original human task are added to the new human task. Otherwise, an error could be displayed on the View Task Details page.

32.2.52 Modify Provisioned Resource Request Does Not Support Service Account Flag

A regular account cannot be changed to a service account, and similarly, a service account cannot be changed to a regular account through a Modify Provisioned Resource request.

32.2.53 Erroneous "Query by Example" Icon in Identity Administration Console

In the Identity Administration console, when viewing role details from the Members tab, an erroneous icon with the "tooltip" (mouse-over text) of "Query By Example" appears. This "Query By Example" icon is non-functional and should be ignored.

32.2.54 The XL.ForcePasswordChangeAtFirstLogin System Property Is No Longer Used

The XL.ForcePasswordChangeAtFirstLogin system property is no longer used in Oracle Identity Manager 11g Release 1 (11.1.1.1). Therefore, forcing the user to change the password at first login cannot be configured. By default, the user must change the password:

  • When the new user, other than self-registered users, is logging in to Oracle Identity Manager for the first time

  • When the user is logging in to Oracle Identity Manager for the first time after the password has been reset

32.2.55 The tcExportOperationsIntf.findObjects(type,name) API Does Not Accept the Asterisk (*) Wildcard Character in Both Parameters

The tcExportOperationsIntf.findObjects(type,name) API accepts the asterisk (*) wildcard character only for the second parameter, which is name. For type, a category must be specified. For example, findObjects("Resource","*") is a valid call, but findObjects("*","*") is not valid.

32.2.56 Disabled Links on the Access Policy Summary Page Opened in Mozilla Firefox

On the Verify Information for this Access Policy page of the Create/Modify Access Policy wizards opened in the Mozilla Firefox Web browser, suppose you click Change for the resource to be provisioned by the access policy, and then click Edit to edit the process form data for the resources to be provisioned. If you click the Close button on the Edit form, then the Change links for any one of the access policy information sections, such as resources to be provisioned by the access policy, resources to be denied by the access policy, or roles for the access policy, do not work.

To work around this issue, click Refresh. All the links on the Verify Information for this Access Policy page are then enabled.

32.2.57 Benign Error is Generated on Editing the IT Resource Form in Advanced Administration

When you click the Edit link on the IT Resource form in the Advanced Administration, the following error message is logged:

<Error> <XELLERATE.APIS> <BEA-000000>
<Class/Method: tcFormDefinitionOperationsBean/getFormFieldPropertyValue encounter some problems: Property 'Column Names' has not defined for the form field '-82'> 

The error message is benign and can be ignored because there is no loss of functionality.

32.2.58 User Account is Not Locked in iPlanet Directory Server After it is Locked in Oracle Identity Manager

After reaching the maximum number of login attempts, a user is locked in Oracle Identity Manager. But in iPlanet DS/ODSEE, the user is not locked. The orclAccountLocked feature is not supported because the backend iPlanet DS/ODSEE does not support account unlock by setting the operational attribute. The account is unlocked only with a password reset. The nsaccountlock attribute is available for administrative lockout. The password policies do not use this attribute, but you can use this attribute to independently lock an account. If the password policy locks the account, then nsaccountlock locks the user even after the password policy lockout is gone.

32.2.59 Oracle Identity Manager Does Not Support Autologin With JavaAgent

In an Oracle Access Manager (OAM) integrated deployment of Oracle Identity Manager with JavaAgent, when a user created in Oracle Identity Manager tries to log in to the Oracle Identity Manager Administrative and User Console for the first time, the user is forced to reset the password and set challenge questions. After this, the user is not logged in to Oracle Identity Manager automatically, but is redirected to the OAM login page. This is because Oracle Identity Manager does not support autologin when JavaAgent is used.

32.2.60 Benign Error Logged on Opening Access Policies, Resources, or Attestation Processes

As a delegated administrator, when you open the page to display the details of an access policy, resource, or attestation process, the following error is logged:

Error> <org.apache.struts.tiles.taglib.InsertTag> <BEA-000000>
<Can't insert page '/gc/EmptyTiles.jsp' : Write failed: Broken pipe  java.net.SocketException: Write failed: Broken pipe

The error is benign and can be ignored because there is no loss of functionality.

32.2.61 User Locked in Oracle Identity Manager But Not in LDAP

In an LDAP-enabled deployment of Oracle Identity Manager in which the directory servers are Microsoft Active Directory (AD) or Oracle Internet Directory (OID), when a user is manually locked in Oracle Identity Manager by the administrator, the user is not locked in LDAP if a password policy is not configured in LDAP. The configurable password policy in LDAP can either be the default password policy that is applicable to all the LDAP users, or it can be a user-specific Password Setting Object (PSO).

32.2.62 Reconciliation Profile Must Not Be Regenerated Via Design Console for Xellerate Organization Resource Object

By default, the Xellerate Organization resource object does not have reconciliation to Oracle Identity Manager field mappings or any matching/action rule information. As a result, when the reconciliation profile for the Xellerate Organization resource object is updated via the Design Console, the update corrupts the existing reconciliation configuration for that resource object, and reconciliation fails with empty status.

To work around this issue, do not generate the reconciliation profile/configuration via the Design Console. Instead, export the Xellerate Organization profile from Meta Data Store (MDS), edit it manually, and import it back into Oracle Identity Manager. If the profile changes include modification of the reconciliation fields, then the corresponding changes must be made in the horizontal table schema and its entity definition as well.

32.2.63 Benign Error Logged on Clicking Administration After Upgrade

After upgrading Oracle Identity Manager from Release 9.1.0.1 to 11g Release 1 (11.1.1), on clicking the Administration link on the Administrative and User Console, the following error is logged:

<Error> <oracle.adfinternal.view.page.editor.utils.ReflectionUtility>
<WCS-16178> <Error instantiating class - oracle.adfdtinternal.view.faces.portlet.PortletDefinitionDTFactory>

This error is benign and can be ignored because there is no loss of functionality.

32.2.64 Provisioning Fails Through Access Policy for Provisioned User

When a user is already provisioned and you try to assign a role to the user that triggers provisioning to the target domain, the provisioning is not started. However, if the user is not provisioned already and you assign a role to the user, then the provisioning occurs successfully.

To work around this issue:

  1. Open the connector-specific user form in the Design Console.

  2. Create a new version of the connector, and select Edit.

  3. Click the Properties tab, and then click server (ITResourceLookupField). Click Add Property.

  4. Add Required for the property and specify true. Click Make Version Active, and then click Save.

  5. Log in to Oracle Identity Manager Administrative and User Console.

  6. Navigate to System Property. Search for the 'Allows access policy based provisioning of multiple instances of a resource' system property. Change the value of this property to TRUE.

  7. Restart Oracle Identity Manager.

Then provision an already provisioned user through an access policy of the same IT Resource Type. The provisioning is successful.

32.2.65 Benign Warning Messages Displayed During Oracle Identity Manager Managed Server Startup

Several messages resembling the following are logged during Oracle Identity Manager managed server startup:

<Mar 30, 2011 6:51:01 PM PDT> <Warning> <oracle.iam.platform.kernel.impl>
<IAM-0080071> 
<Preview stage is not supported in kernel and found an event handler with name ProvisionAccountPreviewHandler implemented by the class oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountPreviewHandlerfor this stage. It will be ignored.>

These warning messages are benign and can be ignored because there is no loss of functionality.

32.2.66 Benign Message Displayed When Running the Deployment Manager

When running the Deployment Manager, a message with the header 'XUL SYNTAX: ID Conflict' is displayed.

This message is benign and can be ignored because there is no loss of functionality. Close the message and continue.

32.2.67 Deployment Manager Export Fails When Started Using Microsoft Internet Explorer 7 With JRE Plugin 1.6_23

After upgrading Oracle Identity Manager from an earlier release to 11g Release 1 (11.1.1), when you use the Microsoft Internet Explorer 7 Web browser with JRE plugin 1.6_23 to open the Administrative and User Console and try to export files by using the Deployment Manager, an error is generated and you cannot proceed with the export.

To work around this issue, use a combination of the following Web browsers and plugins:

  • Mozilla Firefox 3.6 and JRE version 1.6_23 on 64-bit computer

  • Microsoft Internet Explorer 7 and JRE version 1.5

  • Microsoft Internet Explorer 8 and JRE version 1.6_18

  • Microsoft Internet Explorer 7 and JRE version 1.6_24

32.2.68 User Creation Fails in Microsoft Active Directory When Value of Country Attribute Exceeds Two Characters

In an LDAP-enabled deployment of Oracle Identity Manager, user creation fails in the Microsoft Active Directory (AD) server if the value of the Country attribute exceeds two characters. AD mandates two characters for the Country attribute, for example US, based on the ISO 3166 standards.

32.2.69 Deployment Manager Import Fails if Scheduled Job Entries Are Present Prior To Scheduled Task Entries in the XML File

In Oracle Identity Manager 11g Release 1 (11.1.1), a scheduled job has a dependency on a scheduled task. Therefore, the scheduled task must be imported prior to the scheduled job.

As a result, if an XML file has scheduled job entries prior to scheduled task entries, then importing the XML file using Deployment Manager fails with the following error message:

[exec] Caused By: oracle.iam.scheduler.exception.SchedulerException: Invalid ScheduleTask definition
[exec] com.thortech.xl.ddm.exception.DDMException

To work around this issue, open the XML file and move all scheduled task entries above the scheduled job entries.

32.2.70 Permission on Target User Required to Revoke Resource

When you log in to the Administrative and User Console with the Identity User Administrators and Resource Administrators roles, direct provision a resource to a user, and attempt to revoke the resource from the user, an error message is displayed.

To work around this issue, you (the logged-in user) must have the write permission on the target user (such as user1). To achieve this:

  1. Create a role, such as role1, and assign self to this role.

  2. Create an organization, such as org1, and assign role1 as administrative group.

  3. Modify the user user1 and change its organization to org1. You can now revoke the resource from user1.

32.2.71 Reconciliation Event Fails for Trusted Source Reconciliation Because of Missing Reconciliation Rule in Upgraded Version of Oracle Identity Manager

When Oracle Identity Manager is upgraded from an earlier release to 11g Release 1 (11.1.1), for trusted source reconciliation, such as trusted source reconciliation using GTC, the reconciliation event fails with the following error message because of a missing reconciliation rule:

<Mar 31, 2011 6:27:41 PM CDT> <Info> <oracle.iam.reconciliation.impl>
<IAM-5010006> <The following exception occurred: {0}
oracle.iam.platform.utils.SuperRuntimeException:
Error occurred in XL_SP_RECONEVALUATEUSER while processing Event No 3
Error occurred in XL_SP_RECONUSERMATCH while processing Event No 3
One or more input parameter passed as null

To work around this issue:

  1. Create a reconciliation rule for the resource object.

  2. In the Resource Object form of the Design Console, click Create Reconciliation Profile.

32.2.72 XML Validation Error on Oracle Identity Manager Managed Server Startup

The following error message is logged at the time of Oracle Identity Manager Managed Server startup:

<Mar 29, 2011 2:49:31 PM PDT> <Error> <oracle.iam.platform.kernel.impl>
<IAM-0080075> <XML schema validation failed for XML/metadata/iam-features-callbacks/event_configuration/EventHandlers.xml and it will not be loaded by kernel. >

<Mar 29, 2011 2:49:32 PM PDT> <Error> <oracle.iam.platform.kernel.impl>
<IAM-0080075> <XML schema validation failed for XML/metadata/iam-features-OIMMigration/EventHandlers.xml and it will not be loaded by kernel. >

This error message is benign and can be ignored because there is no loss of functionality.

32.2.73 Cannot View or Edit Adapter Mapping in the Data Object Manager Form of the Design Console

When you click Map on the Map Adapters tab in the Data Object Manager form of the Design Console, a dialog box is displayed that allows you to edit the individual entity adapter mappings. But the list with fields on the user object to map is displayed as empty. As a result, you cannot view or edit the individual entity adapter mappings.

Use of entity adapters is deprecated in Oracle Identity Manager 11g Release 1 (11.1.1), although limited support is still provided for backward compatibility only. Event handlers must be used for all new or changed scenarios.

32.2.74 Role Memberships for Assign or Revoke Operations Not Updated on Enabling or Disabling Referential Integrity Plug-in

In a multi-directory deployment, the secondary server must be OID. The primary server can be OID or AD. For example, users can be stored in the OID or AD primary server, and roles can be stored in the OID secondary server. Enabling or disabling the referential integrity plug-in does not update the role memberships for assign or revoke operations.

32.2.75 Deployment Manager Import Fails if Data Level for Rules is Set to 1

An entry in the Oracle Identity Manager database cannot be updated if data level is set to 1. When you try to import a Deployment Manager XML, the following error is displayed:

Class/Method: tcTableDataObj/updateImplementation Error :The row cannot be updated.
[2011-04-06T07:25:36.583-05:00] [oim_server1] [ERROR] []
[XELLERATE.DDM.IMPORT] [tid: [ACTIVE].ExecuteThread: '6' for queue:
'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid:
cad00d8aeed4d8fc:-67a4db1a:12f2abbac4b:-8000-000000000000018e,0] [APP:
oim#11.1.1.3.0] The security level for this data item indicates that it cannot be updated.

To work around this issue, open the XML file and change the data level for rules from 1 to 0, as shown:

<RUL_DATA_LEVEL>0</RUL_DATA_LEVEL>

32.2.76 Reconciliation Data Displays Attributes That Are Not Modified

In an Oracle Identity Manager deployment with LDAP synchronization enabled and Microsoft Active Directory (AD) as the directory server, the Reconciliation Data tab of the Event Management page in the Administrative and User Console displays all the attributes of the reconciled user instead of displaying only the modified attributes. This is because of the way AD changelogs are processed, in which the entire entry is marked as updated when any attribute is changed. Therefore, Oracle Virtual Directory (OVD) returns the full entry. There is no way to figure out which attribute has been modified as a result of reconciliation.

32.2.77 Benign Errors Displayed on Starting the Scheduler Service When There are Scheduled Jobs to be Recovered

When the Scheduler service is started and there are some scheduled jobs that have not been recovered, the following error might be logged in the oim_diagnostic log:

Caused by: java.lang.NullPointerException
at org.quartz.SimpleTrigger.computeNumTimesFiredBetween(SimpleTrigger.java:800)
at org.quartz.SimpleTrigger.updateAfterMisfire(SimpleTrigger.java:514)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.doUpdateOfMisfiredTrigger(JobStoreSupport.java:944)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.recoverMisfiredJobs(JobStoreSupport.java:898)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.recoverJobs(JobStoreSupport.java:780)
at org.quartz.impl.jdbcjobstore.JobStoreSupport$2.execute(JobStoreSupport.java:752)
at org.quartz.impl.jdbcjobstore.JobStoreSupport$40.execute(JobStoreSupport.java:3628)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.executeInNonManagedTXLock(JobStoreSupport.java:3662)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.executeInNonManagedTXLock(JobStoreSupport.java:3624)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.recoverJobs(JobStoreSupport.java:748)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.schedulerStarted(JobStoreSupport.java:573)

This error is benign and can be ignored because there is no loss of functionality.

In an upgrade environment, the next time when some scheduled jobs will be triggered is not defined. This results in a null input for Quartz code, which is not handled gracefully in earlier versions of Quartz. This has been fixed in Quartz version 1.6.3, and therefore, this error is not generated when you upgrade to that version of Quartz.

32.2.78 Trusted Source GTC Reconciliation Mapping Cannot Display Complete Attribute Names

When creating a trusted GTC (for example, flat file), the right-hand column under OIM User is not wide enough to display the complete names for many attributes. For example, two entries are displayed as 'LDAP Organizati', whereas the attribute names are 'LDAP Organization' and 'LDAP Organization Unit'.

To work around this issue, click the Mapping button for the attribute. The Provide Field Information dialog box is displayed with the complete attribute name.

32.2.79 Benign Error Logged for Database Connectivity Test

When running the database connectivity test in XIMDD, the following error is logged multiple times:

<Apr 10, 2011 7:45:20 PM PDT> <Error> <Default> <J2EE JMX-46335> <MBean attribute access denied.
   MBean: oracle.logging:type=LogRegistration
   Getter for attribute Application
   Detail: Access denied. Required roles: Admin, Operator, Monitor, executing
subject: principals=[REQUEST TEMPLATE ADMINISTRATORS, SYSTEM ADMINISTRATORS, APPROVAL POLICY ADMINISTRATORS, oimusers, xelsysadm, PLUGIN ADMINISTRATORS]
java.lang.SecurityException: Access denied. Required roles: Admin, Operator, Monitor, executing subject: principals=[REQUEST TEMPLATE ADMINISTRATORS, SYSTEM ADMINISTRATORS, APPROVAL POLICY ADMINISTRATORS, oim users, xelsysadm, PLUGIN ADMINISTRATORS]

Each time the error occurs in the log, the name of the bean is different, but the error is the same. In spite of these errors, the test passes. These errors are benign and can be ignored because there is no loss of functionality.

32.2.80 MDS Validation Error When Importing GTC Provider Through the Deployment Manager

An MDS validation error is generated when you import the GTC provider by using the Deployment Manager.

To work around this issue, do not import the GTC provider through the Deployment Manager. If the Deployment Manager XML file contains tags for the GTC provider, then remove them and import the rest of the XML by using the Deployment Manager. Import the XML file with the GTC provider tags separately by using the MDS import utility. To do so:

  1. If the XML file being imported through the Deployment Manager contains <GTCProvider> tags, then remove these tags along with everything under them.

    The following is an example of the original XML file to be imported:

    <?xml version = '1.0' encoding = 'UTF-8'?>
    <xl-ddm-data version="2.0.1.0" user="XELSYSADM"
    database="jdbc:oracle:thin:@localhost:5521:myps12"
    exported-date="1302888552341" description="sampleGTC"><GTCProvider
    repo-type="MDS" name="InsertIntoTargetList"
    mds-path="/db/GTC/ProviderDefinitions"
    mds-file="InsertIntoTargetListProvTransport.xml"><completeXml><Provider><Provider>
       <Provisioning>
          <ProvTransportProvider
    class="provisioningTransportProvider.InsertIntoTargetList"
    name="InsertIntoTargetList">
             <Configuration>
                <Parameter datatype="String" name="targetServerName"
    type="Runtime" encrypted="NO" required="YES"/>
                <Response code="FUNCTIONALITY_NOT_SUPPORTED"
    description="Functionality not supported"/>
                <Response code="TARGET_SERVER_NAME_MISSING" description="Target
    server name is missing"/>
                <Response code="TARGET_SERVER_NAME_STARTSWITH_A"
    description="Target server name starts with A, from XML"/>
                <Response code="PROBLEM_WHILE_INITIALIZAING" description="Problem
    occured while intializing Provider instance"/>
             </Configuration>
          </ProvTransportProvider>
       </Provisioning>
    </Provider></Provider></completeXml></GTCProvider><GTCProvider
    repo-type="MDS" name="PrepareDataHMap" mds-path="/db/GTC/ProviderDefinitions"
    mds-file="PrepareDataHMapProvFormat.xml"><completeXml><Provider><Provider>
       <Provisioning>
          <ProvFormatProvider class="provisioningFormatProvider.PrepareDataHMap"
    name="PrepareDataHMap">
             <Configuration>
                <DefaultAttribute datatype="String" name="testField" size="40"
    encrypted="NO"/>
                <Response code="INCORRECT_PROCESS_DATA" description="Incorrect
    process data received from GTC provisioning framework"/>
                <Response code="PROCESSING_ISSUE" description="Processing issue
    in Preparing provisioning input, check logs"/>
             </Configuration>
          </ProvFormatProvider>
       </Provisioning>
    </Provider></Provider></completeXml></GTCProvider><GTCProvider
    repo-type="MDS" name="IsValidOrgInOIM" mds-path="/db/GTC/ProviderDefinitions"
    mds-file="IsValidOrgInOIM.xml"><completeXml><Provider><Provider>
       <Validation>
          <ValidationProvider class="validationProvider.IsValidOrgInOIM"
    name="IsValidOrgInOIM">
             <Configuration>
                <Parameter datatype="String" name="maxOrgSize"/>
             </Configuration>
          </ValidationProvider>
       </Validation>
    </Provider></Provider></completeXml></GTCProvider><GTCProvider
    repo-type="MDS" name="ConvertToUpperCase"
    mds-path="/db/GTC/ProviderDefinitions"
    mds-file="ConvertToUpperCase.xml"><completeXml><Provider><Provider>
       <Transformation>
          <TransformationProvider
    class="transformationProvider.ConvertToUpperCase" name="ConvertToUpperCase">
             <Configuration>
                <Parameter type="Runtime" datatype="String" required="YES"
    encrypted="NO" name="Input"/>
                <Response code="errorRespNullInput" description="Input String is
    Missing"/>
             </Configuration>
          </TransformationProvider>
       </Transformation>
    </Provider></Provider></completeXml></GTCProvider><Resource repo-type="RDBMS"
    name="SAMPLEGTC_GTC">....</Resource><Process repo-type="RDBMS"
    name="SAMPLEGTC_GTC">
    ...........
    </Process><Form repo-type="RDBMS" name="UD_SAMPLEGT" subtype="Process
    Form">.....
    </Form>....</xl-ddm-data>
    
  2. Import the rest of the XML file through the Deployment Manager.

    The following is the XML file after removing the <GTCProvider> tags from the original XML file. Import this XML file by using the Deployment Manager.

    <?xml version = '1.0' encoding = 'UTF-8'?>
    <xl-ddm-data version="2.0.1.0" user="XELSYSADM"
    database="jdbc:oracle:thin:@localhost:5521:myps12"
    exported-date="1302888552341" description="sampleGTC"><Resource
    repo-type="RDBMS" name="SAMPLEGTC_GTC">....</Resource><Process
    repo-type="RDBMS" name="SAMPLEGTC_GTC">
    ...........
    </Process><Form repo-type="RDBMS" name="UD_SAMPLEGT" subtype="Process
    Form">.....
    </Form>....</xl-ddm-data>
    

    The following is the removed XML content:

    <GTCProvider
    repo-type="MDS" name="InsertIntoTargetList"
    mds-path="/db/GTC/ProviderDefinitions"
    mds-file="InsertIntoTargetListProvTransport.xml"><completeXml><Provider><Provider>
       <Provisioning>
          <ProvTransportProvider
    class="provisioningTransportProvider.InsertIntoTargetList"
    name="InsertIntoTargetList">
             <Configuration>
                <Parameter datatype="String" name="targetServerName"
    type="Runtime" encrypted="NO" required="YES"/>
                <Response code="FUNCTIONALITY_NOT_SUPPORTED"
    description="Functionality not supported"/>
                <Response code="TARGET_SERVER_NAME_MISSING" description="Target
    server name is missing"/>
                <Response code="TARGET_SERVER_NAME_STARTSWITH_A"
    description="Target server name starts with A, from XML"/>
                <Response code="PROBLEM_WHILE_INITIALIZAING" description="Problem
    occured while intializing Provider instance"/>
             </Configuration>
          </ProvTransportProvider>
       </Provisioning>
    </Provider></Provider></completeXml></GTCProvider>
     
    <GTCProvider
    repo-type="MDS" name="PrepareDataHMap" mds-path="/db/GTC/ProviderDefinitions"
    mds-file="PrepareDataHMapProvFormat.xml"><completeXml><Provider><Provider>
       <Provisioning>
          <ProvFormatProvider class="provisioningFormatProvider.PrepareDataHMap"
    name="PrepareDataHMap">
             <Configuration>
                <DefaultAttribute datatype="String" name="testField" size="40"
    encrypted="NO"/>
                <Response code="INCORRECT_PROCESS_DATA" description="Incorrect
    process data received from GTC provisioning framework"/>
                <Response code="PROCESSING_ISSUE" description="Processing issue
    in Preparing provisioning input, check logs"/>
             </Configuration>
          </ProvFormatProvider>
       </Provisioning>
    </Provider></Provider></completeXml></GTCProvider>
     
    <GTCProvider
    repo-type="MDS" name="IsValidOrgInOIM" mds-path="/db/GTC/ProviderDefinitions"
    mds-file="IsValidOrgInOIM.xml"><completeXml><Provider><Provider>
       <Validation>
          <ValidationProvider class="validationProvider.IsValidOrgInOIM"
    name="IsValidOrgInOIM">
             <Configuration>
                <Parameter datatype="String" name="maxOrgSize"/>
             </Configuration>
          </ValidationProvider>
       </Validation>
    </Provider></Provider></completeXml></GTCProvider>
     
    <GTCProvider
    repo-type="MDS" name="ConvertToUpperCase"
    mds-path="/db/GTC/ProviderDefinitions"
    mds-file="ConvertToUpperCase.xml"><completeXml><Provider><Provider>
       <Transformation>
          <TransformationProvider
    class="transformationProvider.ConvertToUpperCase" name="ConvertToUpperCase">
             <Configuration>
                <Parameter type="Runtime" datatype="String" required="YES"
    encrypted="NO" name="Input"/>
                <Response code="errorRespNullInput" description="Input String is
    Missing"/>
             </Configuration>
          </TransformationProvider>
       </Transformation>
    </Provider></Provider></completeXml></GTCProvider>
    
  3. Separate the removed XML content based on the <GTCProvider> tags. The following is an example of the first <GTCProvider> tag:

    <GTCProvider repo-type="MDS" name="InsertIntoTargetList"
    mds-path="/db/GTC/ProviderDefinitions"
    mds-file="InsertIntoTargetListProvTransport.xml"><completeXml><Provider><Provider>
       <Provisioning>
          <ProvTransportProvider
    class="provisioningTransportProvider.InsertIntoTargetList"
    name="InsertIntoTargetList">
             <Configuration>
                <Parameter datatype="String" name="targetServerName"
    type="Runtime" encrypted="NO" required="YES"/>
                <Response code="FUNCTIONALITY_NOT_SUPPORTED"
    description="Functionality not supported"/>
                <Response code="TARGET_SERVER_NAME_MISSING" description="Target
    server name is missing"/>
                <Response code="TARGET_SERVER_NAME_STARTSWITH_A"
    description="Target server name starts with A, from XML"/>
                <Response code="PROBLEM_WHILE_INITIALIZAING" description="Problem
    occured while intializing Provider instance"/>
             </Configuration>
          </ProvTransportProvider>
       </Provisioning>
    </Provider></Provider></completeXml></GTCProvider>
    
  4. From the removed <GTCProvider> tags, remove everything surrounding the inner <Provider> tag. In other words, keep the content inside the inner <Provider> tag. For each <Provider> tag, create a separate XML file. This results in multiple XML files with each <Provider> tag as the root element.

    The following is the resultant XML content after removal of tags surrounding the inner <Provider> tag:

    <Provider>
       <Provisioning>
          <ProvTransportProvider
    class="provisioningTransportProvider.InsertIntoTargetList" name="InsertIntoTargetList">
             <Configuration>
                <Parameter datatype="String" name="targetServerName" type="Runtime" encrypted="NO" required="YES"/>
                <Response code="FUNCTIONALITY_NOT_SUPPORTED" description="Functionality not supported"/>
                <Response code="TARGET_SERVER_NAME_MISSING" description="Target server name is missing"/>
                <Response code="TARGET_SERVER_NAME_STARTSWITH_A" description="Target server name starts with A, from XML"/>
                <Response code="PROBLEM_WHILE_INITIALIZAING" description="Problem occured while intializing Provider instance"/>
             </Configuration>
          </ProvTransportProvider>
       </Provisioning>
    </Provider>
    
  5. Name the resultant XML files, which have the <Provider> tag as the root element, with the mds-file attribute value from the <GTCProvider> tag. For example, name the first XML file with the first <GTCProvider> tag as InsertIntoTargetListProvTransport.xml. The file name must be the value of the mds-file attribute.

  6. Similarly, create other GTC provider XML files. There must be one XML file for each <GTCProvider> tag.

  7. Import the GTC Provider XML files by using the MDS utility.
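Steps 1 through 6 can be scripted instead of edited by hand. The following Python script is an added example, not Oracle code: the function names and the dm_without_gtc.xml output name are assumptions, the embedded export is a constructed sample shortened from the one in step 1, and it assumes the importers accept the re-serialized XML. It also refuses an mds-file value that is not a bare .xml file name, so a crafted export cannot direct a write outside the output directory.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample, shortened from the export shown in step 1.
SAMPLE_EXPORT = b"""<?xml version = '1.0' encoding = 'UTF-8'?>
<xl-ddm-data version="2.0.1.0" user="XELSYSADM" description="sampleGTC"><GTCProvider
repo-type="MDS" name="InsertIntoTargetList" mds-path="/db/GTC/ProviderDefinitions"
mds-file="InsertIntoTargetListProvTransport.xml"><completeXml><Provider><Provider>
   <Provisioning>
      <ProvTransportProvider class="provisioningTransportProvider.InsertIntoTargetList"
name="InsertIntoTargetList">
         <Configuration>
            <Parameter datatype="String" name="targetServerName" type="Runtime"
encrypted="NO" required="YES"/>
         </Configuration>
      </ProvTransportProvider>
   </Provisioning>
</Provider></Provider></completeXml></GTCProvider><GTCProvider repo-type="MDS"
name="IsValidOrgInOIM" mds-path="/db/GTC/ProviderDefinitions"
mds-file="IsValidOrgInOIM.xml"><completeXml><Provider><Provider>
   <Validation>
      <ValidationProvider class="validationProvider.IsValidOrgInOIM" name="IsValidOrgInOIM">
         <Configuration>
            <Parameter datatype="String" name="maxOrgSize"/>
         </Configuration>
      </ValidationProvider>
   </Validation>
</Provider></Provider></completeXml></GTCProvider><Resource repo-type="RDBMS"
name="SAMPLEGTC_GTC"/><Form repo-type="RDBMS" name="UD_SAMPLEGT"
subtype="Process Form"/></xl-ddm-data>"""

XML_HEADER = "<?xml version = '1.0' encoding = 'UTF-8'?>\n"


def is_safe_mds_file_name(name):
    """Accept only a bare *.xml file name (no directories, no leading dot)."""
    return (bool(name) and name.endswith(".xml") and not name.startswith(".")
            and "/" not in name and "\\" not in name
            and name == os.path.basename(name))


def split_gtc_providers(export_bytes):
    """Return (export without <GTCProvider>, {mds-file: inner <Provider> XML})."""
    root = ET.fromstring(export_bytes)
    provider_files = {}
    for gtc in root.findall("GTCProvider"):        # findall returns a list copy
        file_name = gtc.get("mds-file", "")
        if not is_safe_mds_file_name(file_name):
            raise ValueError("unsafe mds-file value: %r" % file_name)
        if file_name in provider_files:
            raise ValueError("duplicate mds-file value: %r" % file_name)
        # Step 4: keep only the inner <Provider> and drop everything around it.
        inner = gtc.find("completeXml/Provider/Provider")
        if inner is None:
            raise ValueError("no inner <Provider> for %r" % file_name)
        inner.tail = None                          # do not carry trailing text
        provider_files[file_name] = ET.tostring(inner, encoding="unicode")
        root.remove(gtc)                           # steps 1 and 2
    return ET.tostring(root, encoding="unicode"), provider_files


def write_outputs(remaining, provider_files, out_dir, dm_name="dm_without_gtc.xml"):
    """Write the Deployment Manager file and one file per provider (steps 5, 6)."""
    if dm_name in provider_files:
        raise ValueError("output name collides with a provider file")
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for name, body in [(dm_name, remaining)] + sorted(provider_files.items()):
        path = os.path.join(out_dir, name)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(XML_HEADER + body + "\n")
        written.append(path)
    return written


if __name__ == "__main__":
    import tempfile
    rest, providers = split_gtc_providers(SAMPLE_EXPORT)
    for out_path in write_outputs(rest, providers, tempfile.mkdtemp()):
        print(out_path)
```

Import dm_without_gtc.xml with the Deployment Manager and the per-provider files with the MDS utility, as in steps 2 and 7.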

32.2.81 Encrypted User-Defined Field (UDF) Cannot be Stored with Size of 4000 Characters or More

An encrypted UDF cannot be stored with size of 4000 characters or more. This is because encryption automatically increases the column width by 1.5 times approximately, and the size of the attribute exceeds the maximum allowable width of 4000. As a result, the UDF is automatically type-promoted to a CLOB data type. Oracle Identity Manager 11g Release 1 (11.1.1) does not intercept this as an exception and might subsequently show errors. This is likely to be addressed in the next patch release.

However, an encrypted attribute that does not exceed the final width of 4000 characters can be stored. The specified width must factor in the increment of 1.5 times, which means that it must not exceed approximately 2500 characters.

32.2.82 Request Approval Fails With Callback Service Failure

In an environment where SSL is enabled in the OAAM server but not in Oracle Identity Manager and SOA server, when you create a request, the request-level approval is successful on the SOA side, but the operational-level approval is not displayed anywhere in the UI. When the SOA composite that provides approval workflow for the Oracle Identity Manager request tries to invoke the request callback Web service to indicate whether the workflow is approved or rejected, the Web service invocation fails with the following error:

Unable to dispatch request to
http://slc402354.mycompany.com:14000/workflowservice/CallbackService due to exception[[
javax.xml.ws.WebServiceException:
oracle.fabric.common.PolicyEnforcementException: PolicySet Invalid: WSM-06162
PolicyReference The policy referenced by URI
"oracle/wss11_saml_token_with_message_protection_client_policy" could not be
retrieved as connection to Policy Manager cannot be established at
"t3s://slc402354:14301" due to invalid configuration or inactive state.

The error indicates that OWSM is not able to connect to the Policy Manager on the specified port. This port is for the OAAM server in SSL mode, which is shut down. The issue occurs because SSL is enabled in the OAAM server but not on Oracle Identity Manager and SOA server, and the Policy Manager is also targeted on that server. If there is an SSL-enabled Policy Manager, then OWSM does not use the non-SSL ports anymore. In this setup, SSL is enabled only for OAAM and not for others. Therefore, the only usable WSM Policy Manager is on OAAM. Because the OAAM server is down, the connection to the Policy Manager is not established, and as a result, the call fails.

To work around this issue, start the OAAM server and then create the request.

Note:

This issue does not occur if:

  • OAAM server is not SSL-enabled.

  • SSL is enabled on any other server that is up and running, such as Oracle Identity Manager or SOA server.

32.2.83 Localized Display Name is Not Reconciled Via User/Role Incremental Reconciliation with iPlanet Directory Server

In an Oracle Identity Manager deployment with LDAP synchronization enabled in which iPlanet is the directory server, the following issues occur:

  • The localized Display Name is not reconciled into Oracle Identity Manager via user/role incremental reconciliation.

  • The localized value of the Display Name attribute is returned to Oracle Identity Manager, but the original base value of Display Name is lost and is replaced by the localized value that is received from iPlanet.

32.2.84 LDAP Role Hierarchy and Role Membership Reconciliation With Non-ASCII Characters Does Not Reconcile Changes in Oracle Identity Manager

LDAP role hierarchy and role membership reconciliation jobs with non-ASCII characters do not bring in role hierarchy and role membership changes into Oracle Identity Manager. This issue is applicable to incremental reconciliation only.

32.2.85 Import of Objects Fails When All Objects Are Selected for Export

In an upgraded environment of Oracle Identity Manager 11g Release 1 (11.1.1), the import of objects can fail when you select the Select All option to export the objects. When you select all the objects to be exported, the corresponding XML file grows in size. If it exceeds 2.5 million records, then it does not remain valid. As a result, the import fails. However, selecting all objects works if the data is small and the generated XML file does not exceed 2.5 million records.

To work around this issue, select the objects to be exported in smaller logical units. For example, if there are 20 resource objects in the system, then select four or five resource objects with all dependencies and child objects in an XML file, and export. Then select another five resource objects into a new XML file. Similarly, for all other objects, such as GTC or adapters, export in small logical units in separate XML files. Examples of logical unit grouping are:

  • Resource objects, process definition forms, adapters, IT resources, lookup definitions, and roles

  • Organizations, attestation, and password policies

  • Access policies and rules

  • GTC and resource objects

32.2.86 Benign Audit Errors Logged After Upgrade

After upgrading from Oracle Identity Manager Release 9.1.0 to 11g Release 1 (11.1.1), audit errors are logged. An example of such an audit error is:

IAM-0050001
oracle.iam.platform.async.TaskExecutionException: java.lang.Exception: Audit
handler failed
at com.thortech.xl.audit.engine.jms.XLAuditMessage.execute(XLAuditMessage.java:59)

These errors are benign and can be ignored because there is no loss of functionality.

32.2.87 Connector Upgrade Fails if Existing Data is Bigger in Size Than New Column Length

In the current release of some connectors, the sizes of some process form fields have been reduced. For example, the length of the UD_ADUSER_MNAME field in the Microsoft Active Directory connector release 9.1.1.5 has been reduced to 6 characters from 80 characters in release 9.0.4.16 of the connector. If the existing data in these columns or fields is already longer than the new column length, the connector upgrade fails, and the following error is logged:

<Apr 16, 2011 4:52:37 PM GMT+05:30> <Error> <XELLERATE.DATABASE> <BEA-000000>
<ALTER TABLE UD_ADUSER MODIFY UD_ADUSER_MNAME VARCHAR2(6) java.sql.SQLException: ORA-01441: cannot decrease column length because some value is too big

To work around this issue:

  1. Make sure that you create a backup of the database.

  2. Restore the backed up database.

  3. Check the logs to locate the 'ORA-01441: cannot decrease column length because some value is too big' exception. Note the form field name, such as UD_ADUSER_MNAME.

  4. Open the Deployment Manager XML file that you are using for upgrade. Search for the form field in the <SDC_SQL_LENGTH> tag, and change the length to the base version length. You can get the base version length in the Deployment Manager XML of the base connector.

  5. Retry the upgrade.
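Steps 3 and 4 of this workaround can be scripted. The following Python sketch is an added example, not Oracle-supplied code: it pulls the failing columns out of ORA-01441 log records and restores their <SDC_SQL_LENGTH> values from the base connector XML. The log and XML samples are constructed, and the <FormField name="..."> wrapper around <SDC_SQL_LENGTH> is an assumed layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log: the error record shown above plus one unrelated record.
SAMPLE_LOG = """\
<Apr 16, 2011 4:52:30 PM GMT+05:30> <Info> <XELLERATE.DATABASE> <BEA-000000> <unrelated message>
<Apr 16, 2011 4:52:37 PM GMT+05:30> <Error> <XELLERATE.DATABASE> <BEA-000000>
<ALTER TABLE UD_ADUSER MODIFY UD_ADUSER_MNAME VARCHAR2(6) java.sql.SQLException: ORA-01441: cannot decrease column length because some value is too big
"""

# Constructed Deployment Manager fragments. The <FormField name="..."> wrapper is an
# assumed layout; only the <SDC_SQL_LENGTH> tag is named in the text above.
UPGRADE_XML = """<Form name="UD_ADUSER">
  <FormField name="UD_ADUSER_FNAME"><SDC_SQL_LENGTH>80</SDC_SQL_LENGTH></FormField>
  <FormField name="UD_ADUSER_MNAME"><SDC_SQL_LENGTH>6</SDC_SQL_LENGTH></FormField>
</Form>"""
BASE_XML = UPGRADE_XML.replace(">6<", ">80<")

# The ALTER TABLE statement and the ORA-01441 text belong to the same record;
# [^<] stops the match from running into the next "<timestamp>" record.
ORA_01441 = re.compile(
    r"ALTER\s+TABLE\s+(\w+)\s+MODIFY\s+(\w+)\s+\w+\((\d+)\)[^<]*?ORA-01441")


def find_shrink_failures(log_text):
    """Return (table, column, rejected_length) for each ORA-01441 record."""
    return [(t, c, int(n)) for t, c, n in ORA_01441.findall(log_text)]


def field_lengths(xml_text):
    """Parse the XML and map field name -> its <SDC_SQL_LENGTH> element."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        length = el.find("SDC_SQL_LENGTH")
        if el.get("name") and length is not None:
            found[el.get("name")] = length
    return root, found


def restore_base_lengths(log_text, upgrade_xml, base_xml):
    """Reset each failing field in the upgrade XML to the base version length.

    Returns (patched_xml, changes) where changes lists (column, old, new).
    A field missing from either file is reported with new=None and left alone.
    """
    root, upgrade = field_lengths(upgrade_xml)
    _, base = field_lengths(base_xml)
    changes, seen = [], set()
    for _table, column, rejected in find_shrink_failures(log_text):
        if column in seen:
            continue
        seen.add(column)
        if column not in upgrade or column not in base:
            changes.append((column, rejected, None))
            continue
        old, new = int(upgrade[column].text), int(base[column].text)
        if new > old:  # never shrink a field further
            upgrade[column].text = str(new)
        changes.append((column, old, new))
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    patched, changes = restore_base_lengths(SAMPLE_LOG, UPGRADE_XML, BASE_XML)
    for column, old, new in changes:
        print(f"{column}: SDC_SQL_LENGTH {old} -> {new}")
    print(patched)
```

Run it against copies of the real files and review the patched XML before retrying the upgrade.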

32.2.88 Connector Artifacts Count Increases in the Deployment Manager When File is Not Imported

When you upgrade a connector, map the connector artifacts between the base and latest versions, select the connector objects to be upgraded, and exit the upgrade without importing the objects by using the Deployment Manager, the connector artifacts count in the left panel displays more than the actual count. When this process is repeated, the artifacts count continues increasing. This is a known issue, and there is no loss of functionality.

32.2.89 Uploading JAR Files By Using the Upload JAR Utility Fails

When SSL is enabled for Oracle Identity Manager, uploading the JAR files by using the Upload JAR utility fails with the following error:

Error occurred in performing the operation:
Exception in thread "main" java.lang.NullPointerException at oracle.iam.platformservice.utils.JarUploadUtility.main(JarUploadUtility.java:229)

With SSL enabled in Oracle Identity Manager, the server URL must contain the exact host name or IP address. If localhost is used as the host name, then the error is generated.

To work around this issue, use the exact server URL.

32.2.90 Oracle Identity Manager Data and MT Upgrade Fails Because Change of Database User Password

If you are NOT upgrading the original Oracle Identity Manager Release 9.x database, but choose to export/import to a new database, then you must make sure that the database connection setting, schema name, and password in the OIM_HOME/xellerate/config/xlconfig.xml file used for the upgrade are correct.

To work around this issue, change the Oracle Identity Manager database information in the xlconfig.xml file. You must create a backup of this file before updating it. To update the file with the new database information, modify the information of the location where the database has been imported in the <url>, <username>, and <password ...> tags, as shown:

<DirectDB>
    <driver>oracle.jdbc.driver.OracleDriver</driver>
    <url>jdbc:oracle:thin:@localhost:1522:oimdb</url>
    <username>oimadm</username>
    <password encrypted="false"><NEW_PASSWORD_FOR_OIM_DB_USER></password>
    <maxconnections>5</maxconnections>
    <idletimeout>360</idletimeout>
    <checkouttimeout>1200</checkouttimeout>
    <maxcheckout>1000</maxcheckout>
</DirectDB>

32.2.91 Reverting Unsaved UDFs Are Not Supported in the Administration Details Page for Roles and Organizations

The Administration Details pages for roles and organizations in the Administrative and User Console do not support reverting unsaved UDF attribute values. Therefore, if you modify the UDF attribute values for a role or organization and then do not want to save the changes to these attributes, then perform one of the following:

  • Close the tab with the modified role or organization. A warning message is displayed asking if you want to continue. Clicking Yes cancels all unsaved changes.

  • You can manually edit the modified attributes to their original state. Saving the entity applies any other desired changes made.

32.2.92 Resources Provisioned to User Without Checking Changes in User Status After Request is Submitted

After submission of a request, if the user associated with the request, such as beneficiary, requester, or approver, is disabled or deleted, then the resources are provisioned to the user without checking for user status, such as Disabled or Deleted, after the request is approved.

32.2.93 Starting UCP Connection Pool Fails When Trying to Create User on 64-Bit Microsoft Windows With JDK 6

CRUD operations on the Microsoft Windows 64-bit platform using JDK 6 fail in Non Input Output (NIO) mode. This is because of a limitation in JDK 6 to support IPv6 stack in Microsoft Windows Vista 2008. This support is added in JDK 7 since Build b36. With JDK 7, it works in OVD NIO mode.

To work around this issue:

  1. In the OVD server, turn off NIO mode. To do so:

    1. Open the OracleInstance/config/OVD/ovd1/listeners.os_xml file.

    2. Add <useNIO>false</useNIO> at the following location:

      <ldap id="LDAP Endpoint" version="0">
          <port>6501</port>
          ...
          <socketOptions>
              ...
          </socketOptions>
          <useNIO>false</useNIO>
      </ldap>
      
    3. Save the listeners.os_xml file.

  2. Restart the OVD server.

32.2.94 Config.sh Command Fails When JRockit is Installed With Data Samples and Source

When you install jrockit-jdk1.6.0_24-R28.1.3-4.0.1-linux-x64.bin with demo samples and source, and install Oracle WebLogic Server using wls1035_generic.jar on a Linux 64-bit computer, and run Oracle Identity Manager configuration wizard by running the config.sh command from the $ORACLE_HOME/bin/ directory, the Oracle universal installer does not start and the following error message is displayed:

config.sh: line 162:  9855 Segmentation fault $INSTALLER_DIR/runInstaller-weblogicConfig ORACLE_HOME="$ORACLE_HOME" -invPtrLoc$ORACLE_HOME/oraInst.loc -oneclick $COMMANDLINE -Doracle.config.mode=true

32.2.95 Unexpected Memory Usage in Oracle Identity Manager 11g Release 1 (11.1.1)

On running scheduled tasks that perform user orchestration in bulk, such as EndDateSchedulerTask and StartDateSchedulerTask, Oracle Identity Manager 11g Release 1 (11.1.1) might consume large memory space. This can cause Out of Memory issues.

This is a known issue, and a workaround is not available for this in the current release.

32.2.96 Reports Link No Longer Exists in the Administrative and User Console

Under the Administration tab of the Advanced Administration in the Administrative and User Console, the Reports link to generate BI Publisher Reports has been removed, even though BIP has been selected while installing Oracle Identity Manager.

32.2.97 Not Allowing to Delete a Role Whose Assigned User Members are Deleted

If the user members of a role have been deleted before revoking the role memberships, then the role cannot be deleted. Therefore, you must revoke the user role memberships that have been explicitly assigned before deleting the user.

32.2.98 Roles and Organizations Do Not Support String UDFs of Password Type

Creating a String UDF of password type for roles and organizations is not supported. If you try to create such a UDF, then the Administrative and User Console does not allow you to create roles and organizations.

32.2.99 Error on Importing Connector By Using the Deployment Manager

If you export a connector from an Oracle Identity Manager deployment to another deployment by using the Deployment Manager, then an error similar to the following might be generated:

[ERROR] [] [XELLERATE.WEBAPP]
[tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: xelsysadm] [ecid:
f9e72ab2a292a346:-421e2bf0:12f77f65b9a:-8000-0000000000000174,0] [APP:
oim#11.1.1.3.0] Class/Method: LoadDeploymentUtility/importSelected encounter
some problems: oracle.iam.reconciliation.exception.ConfigException: Profile
:AD User Trusted InvalidAttributes : [ObjectGUID][[
com.thortech.xl.ddm.exception.DDMException:
oracle.iam.reconciliation.exception.ConfigException: Profile :AD User Trusted
InvalidAttributes : [ObjectGUID]
at com.thortech.xl.ejb.beansimpl.tcImportOperationsBean.performImport(tcImportOperationsBean.java:1199)

This problem is because of the missing dependencies of UDFs created on the user entity. To avoid this problem, perform any one of the following:

  • Manually create the UDFs in the system before importing the connector XMLs.

  • Export the user metadata through the Deployment Manager and import it in the target environment. This brings in all the UDFs created on the user entity. However, if the requirement is confined to some specific UDFs or if it is not desirable to have all the UDFs in the target system, then create the required UDFs manually.

32.2.100 Manage Localizations Dialog Box Does Not Open After Modifying Roles

After a role is modified, the Manage Localizations dialog box does not open when you click the Manage Localizations button in the role details page.

To open the Manage Localizations dialog box after modifying a role, close the role details page and open it again.

32.2.101 Not Allowing to Create User With Language-Specific Display Name Values

In an Oracle Identity Manager deployment with Microsoft Active Directory (AD) as the LDAP server, localized display name values are supported when you specify the oimLanguage parameter values in the UserManagement plugin adapter for AD via OVD. However, a user cannot be created when a language-specific value for the Display Name attribute is specified in Canadian French or Latin American Spanish, even if these languages have been specified in oimLanguage. In addition, when you create a user without language-specific Display Name, and then modify the user to add Canadian French or Latin American Spanish Display Name values, the same issue persists.

32.2.102 SoD Check Results Not Displayed for Requests Created by Users for the PeopleSoft Resource

SoD check results are not displayed for the requests created by users for the PeopleSoft (PSFT) resource.

To work around this issue:

  1. Open the PSFT connector XML file.

  2. Under the <ITResource name = "PSFT Server"> tag, add the following:

    <ITResourceAdministrator>
        <SUG_READ>1</SUG_READ>
        <SUG_UPDATE>1296129050000</SUG_UPDATE>
        <UGP_KEY UserGroup = "ALL USERS"/>
    </ITResourceAdministrator>
    
  3. Save the PSFT connector XML file.

  4. Manually add or assign the ALL USERS role with Read permission to the PSFT Server IT resource.

32.2.103 The XL.UnlockAfter System Property and the Automatically Unlock User Scheduled Job Do Not Take Effect

The XL.UnlockAfter system property determines the unlock time for the locked user accounts after the specified time. If the user account is locked because of the maximum login attempt failure with invalid credentials, then the account is automatically unlocked after the time (in minutes) as configured in the XL.UnlockAfter system property. By default, the value of this system property is 0, which implies that the locked user is never unlocked automatically.

The Automatically Unlock User scheduled job is responsible for unlocking such users. This scheduled job is configured to run after every 24 hours (1 day).

Therefore, even after the maximum time of Oracle WebLogic lockout threshold and expiry of the time specified for the XL.UnlockAfter system property, the locked users might not be able to log in unless the Automatically Unlock User scheduled job is run.

If you are changing the default value of the XL.UnlockAfter system property, then it is recommended that you change the frequency of the Automatically Unlock User scheduled task so that both the values are in sync. This ensures that the scheduled task gets triggered at the appropriate interval, and the users are unlocked successfully and are able to log in to Oracle Identity Manager.
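The effect of leaving the two values out of sync can be quantified. The following Python model is an added example, not Oracle code; it assumes that the scheduled job runs at fixed intervals starting at minute 0 and unlocks every account whose lock is at least XL.UnlockAfter minutes old at that moment.

```python
def wait_until_unlocked(locked_at_min, unlock_after_min, job_interval_min):
    """Minutes a user stays locked out, or None if never unlocked automatically.

    Assumed model: the Automatically Unlock User job runs at minute 0,
    interval, 2*interval, ... and unlocks an account only when the lock is
    at least XL.UnlockAfter minutes old at the time of the run.
    """
    if unlock_after_min == 0:          # default value: never auto-unlock
        return None
    eligible = locked_at_min + unlock_after_min
    runs = -(-eligible // job_interval_min)   # ceiling division: first run at or after 'eligible'
    return runs * job_interval_min - locked_at_min


def lockout_range(unlock_after_min, job_interval_min):
    """(shortest, longest) lockout in minutes over every lock time in one job cycle."""
    waits = [wait_until_unlocked(m, unlock_after_min, job_interval_min)
             for m in range(job_interval_min)]
    if waits[0] is None:
        return None
    return min(waits), max(waits)


if __name__ == "__main__":
    # XL.UnlockAfter = 30 minutes in each case; only the job frequency changes.
    for interval in (1440, 60, 30):
        shortest, longest = lockout_range(30, interval)
        print(f"job every {interval:>4} min: locked for {shortest} to {longest} min")
```

With the job left at its 24-hour frequency, an XL.UnlockAfter of 30 minutes can still keep a user locked out for more than a day; running the job as often as the XL.UnlockAfter value brings the longest lockout under twice that value.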

32.2.104 Resetting Password on Account Lockout Does Not Unlock User

In an Oracle Identity Manager deployment with LDAP synchronization enabled and integrated with Oracle Access Manager (OAM), a user is locked after entering an incorrect password more times than the maximum allowed limit. However, the user cannot unlock the account by resetting the password until after reconciliation is run.

32.2.105 Starting Oracle Identity Manager and SOA Server on Some 64-bit Microsoft Windows Computers for the First Time Takes Time

On some Microsoft Windows 64-bit computers, it is observed that Oracle Identity Manager and SOA Server take more than an hour to start for the first time. However, do not stop the managed servers while this process is going on. After the first start, subsequent restarts do not take the extended time.

32.2.106 Incremental and Full Reconciliation Jobs Cannot Be Run Together

Incremental and full reconciliation jobs cannot be run at the same time. Incremental reconciliation jobs are enabled and run in periodic intervals of 5 minutes. If a full reconciliation job is run at the same time, an error is generated.

To work around this issue, if full reconciliation needs to be run, then disable the incremental reconciliation jobs before running the full reconciliation jobs. After full reconciliation completes successfully, re-enable the incremental reconciliation jobs.

32.2.107 Incorrect Content in the ScheduleTask Jars Loaded and Third Party Jars Tables in the MT Upgrade Report

When Oracle Identity Manager release 9.1.x is upgraded to Oracle Identity Manager 11g Release 1 (11.1.1), the contents of the ScheduleTask Jars Loaded and Third Party Jars tables in the CRBUpgradeReport.html page generated by MT upgrade are not correct. The original scheduled task JARs are not displayed in the ScheduleTask Jars Loaded table. Therefore, you must run the SQL query to know the scheduled task JARs. In addition, the third-party JARs are incorrectly placed in the ScheduleTask Jars Loaded table.

However, this does not result in any loss of functionality.

32.2.108 Scroll Bar Not Available on the Select Connector Objects to Be Upgraded Page of the Connector Management - Upgrading Wizard

If the Connector Management - Upgrading wizard is opened by using Microsoft Internet Explorer, then all the fields and buttons on the Step 13: Select Connector Objects to Be Upgraded page might not be visible. There is no scroll bar available in this page. Therefore, maximize the window to display all the controls in the page.

32.2.109 Adapter Import Might Display Adapter Logic if Compilation Fails Because of Incorrect Data

If you import a process task adapter by using the Design Console and the adapter compilation fails because of incorrect data, then the error displays the entire code for the adapter.

This is a known issue, and a workaround is not available for this in the current release.

32.2.110 XIMDD Tests Fail in Oracle Identity Manager

After you deploy the Diagnostic Dashboard in Oracle Identity Manager, failures are encountered when you perform the following tests:

  • Test OWSM setup by submitting a request with OWSM header information

  • Test SPML to Oracle Identity Manager request invocation

The failures might occur because the Diagnostic Dashboard is not capable of performing tests when the wss1_saml_or_username_token_policy is attached to the SPML XSD Web services.

To work around this issue, set the Web service to use the XIMDD supported policy. To configure the policies for the SPML XSD Web service:

  1. Log in to Fusion Middleware Control.

  2. Navigate to Application Deployments, spml-xsd.

  3. For a clustered deployment of Oracle Identity Manager, expand and select a node.

  4. From the Application Deployment menu, select Web Services.

  5. Click the Web Service Endpoint tab, and then click the SPMLServiceProviderSOAP link.

  6. Click the Policies tab, and then click Attach/Detach.

  7. Detach the default policy: oracle/wss11_saml_or_username_token_with_message_protection_service_policy.

  8. Under Available Policies, select oracle/wss_username_token_service_policy. Otherwise, select the SSL version of the same policy if SSL is in use.

  9. Click Attach, and then click OK.

  10. For a clustered deployment of Oracle Identity Manager, repeat step 3 through step 9 for each managed node listed for SPML XSD.

  11. Restart the application servers.

32.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

32.3.1 Configuring UDFs to be Searchable for Microsoft Active Directory Connectors

A Microsoft Active Directory connector installation automatically creates a UDF: USR_UDF_OBGUID. When you add a new user-defined field (UDF), the "searchable" property will be false by default unless you provide a value for that property. After installing an Active Directory connector, you must perform the following steps to make the user-defined field searchable:

  1. Using the Advanced Administration console (user interface), change the "searchable" UDF property to true by performing the following steps:

    1. Click the Advanced tab.

    2. Select User Configuration and then User Attributes.

    3. Modify the USR_UDF_OBGUID attribute in the Custom Attributes section by changing the "searchable" property to true.

  2. Using the Identity Administration console (user interface), create a new Oracle Entitlement Server policy that allows searching the UDF by performing the following steps:

    1. Click the Administration tab and open the Create Authorization policy.

    2. Enter a Policy Name, Description, and Entity Name as User Management.

    3. Select Permission, then View User Details, and then Search User.

    4. Edit the Attributes for View User Details and select all of the attributes.

    5. Select the SYSTEM ADMINISTRATOR role name.

    6. Click Finish.

32.3.2 Creating or Modifying Role Names When LDAP Synchronization is Enabled

When LDAP synchronization is enabled and you attempt to create or modify a role, entering a role name comprised of approximately 1,000 characters prevents the role from being created or modified and causes a Decoding Error to appear. To work around this issue, use role names comprised of fewer characters.

32.3.3 ADF Issue Causes Oracle Identity Manager to Fail on the Sun JDK

Due to an ADF issue, using the Oracle Identity Manager application with the Sun JDK causes a StringIndexOutOfBoundsException error. To work around this issue, add the following option to the DOMAIN_HOME/bin/setSOADomainEnv.sh or the setSOADomainEnv.cmd file:

  1. Open the DOMAIN_HOME/bin/setSOADomainEnv.sh or setSOADomainEnv.cmd file.

  2. Add the -XX:-UseSSE42Intrinsics line to the JVM options.

  3. Save the setSOADomainEnv.sh or setSOADomainEnv.cmd file.

    Note:

    This error does not occur when you use JRockit.

32.3.4 Nexaweb Applet Does Not Load In an Oracle Identity Manager and Oracle Access Manager Integrated Environment

In an Oracle Identity Manager and Oracle Access Manager (OAM) integrated environment, when you log in to the Oracle Identity Manager Administrative and User Console and click a link that opens the Nexaweb applet, the applet does not load.

To work around this issue, configure loading of the Nexaweb applet in an Oracle Identity Manager and OAM integrated environment. To do so:

  1. Log in to the Oracle Access Manager Console.

  2. Create a new Webgate ID. To do so:

    1. Click the System Configuration tab.

    2. Click 10Webgates, and then click the Create icon.

    3. Specify values for the following attributes:

      Name: NAME_OF_NEW_WEBGATE_ID

      Access Client Password: PASSWORD_FOR_ACCESSING_CLIENT

      Host Identifier: IDMDomain

    4. Click Apply.

    5. Edit the Webgate ID, as shown:

      set 'Logout URL' = /oamsso/logout.html

    6. Deselect the Deny On Not Protected checkbox.

  3. Install a second Oracle HTTP Server (OHS) and Webgate. During Webgate configurations, when prompted for Webgate ID and password, use the Webgate ID name and password for the second Webgate that you provided in step 2c.

  4. Log in to the Oracle Access Manager Console. In the Policy Configuration tab, expand Application Domains, and open IdMDomainAgent.

  5. Expand Authentication Policies, and open Public Policy. Remove the following URLs in the Resources tab:

    /xlWebApp/.../*

    /xlWebApp

    /Nexaweb/.../*

    /Nexaweb

  6. Expand Authorization Policies, and open Protected Resource Policy. Remove the following URLs in the Resources tab:

    /xlWebApp/.../*

    /xlWebApp

    /Nexaweb/.../*

    /Nexaweb

  7. Restart all the servers.

  8. Update the ObAccessClient.xml file in the second Webgate. To do so:

    1. Create a backup of the SECOND_WEBGATE_HOME/access/oblix/lib/ObAccessClient.xml file.

    2. Open the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file.

      Note:

      Ensure that the DenyOnNotProtected parameter is set to 0.

    3. Copy the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file to the SECOND_WEBGATE_HOME/access/oblix/lib/ directory.

  9. Copy the mod_wls_ohs.conf file from the FIRST_OHS_INSTANCE_HOME/config/OHS_NAME/ directory to the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/ directory. Then, open the mod_wls_ohs.conf file of the second OHS to ensure that WebLogicHost and WebLogicPort are still pointing to the Oracle Identity Manager managed server host and port.

  10. Remove or comment out the following lines in the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/httpd.conf file:

    <LocationMatch "/oamsso/*">
       Satisfy any
    </LocationMatch>
    
  11. Copy the logout.html file from the FIRST_WEBGATE_HOME/access/oamsso/ directory to the SECOND_WEBGATE_HOME/access/oamsso/ directory. Then, open the logout.html file of the second Webgate to ensure that the host and port setting of the SERVER_LOGOUTURL variable are pointing to the correct OAM host and port.

  12. Log in to the Oracle Access Manager Console. In the Policy Configuration tab, expand Host Identifiers, and open the host identifier that has the same name as the second Webgate ID name. In the Operations section, verify that the host and port for the second OHS are listed. If not, then click the add icon (+ sign) to add them. Then, click Apply.

  13. Use the second OHS host and port in the URL for the OAM login page for Oracle Identity Manager. The URL must be in the following format:

    http://SECOND_OHS_HOST:SECOND_OHS_PORT/admin/faces/pages/Admin.jspx

32.3.5 Packing a Domain With managed=false Option

When a domain is packed with the managed=false option and unpacked on another computer, Oracle Identity Manager Authentication Provider is not recognized by WebLogic and basic administrator authentication fails when the Oracle Identity Manager managed server is started.

The following workaround can be applied for performing successful authentication via Oracle Identity Manager Authentication Provider:

  1. Log in to the Oracle WebLogic Administrative Console by using the following URL:

    http://HOST_NAME:ADMIN_PORT/console

  2. Navigate to Security Realms, Realm(myrealm), and then to Providers.

  3. Delete OIMAuthenticationProvider.

    Note:

    Make sure that you note the provider-specific details, such as the database URL, password, and driver, before deleting the provider.

  4. Restart the WebLogic Administrative Server.

  5. Navigate to Security Realms, Realm(myrealm), and then to Providers.

  6. Create a new Authentication Provider of type OIMAuthenticationProvider.

  7. Enter the provider-specific details and mark the control flag as SUFFICIENT.

  8. Restart the WebLogic Administrative Server.

  9. Restart Oracle Identity Manager and other servers, if any.

32.3.6 Option Not Available to Specify if Design Console is SSL-Enabled

While configuring Oracle Identity Manager Design Console, you cannot specify if Design Console is SSL-enabled.

To work around this issue after installing Oracle Identity Manager Design Console, edit the OIM_HOME/designconsole/config/xlconfig.xml file to change the protocol in the Oracle Identity Manager URL from t3 to t3s.

32.3.7 Nexaweb Applet Does Not Load in JDK 1.6.0_20

Deployment Manager and Workflow Visualizer might not work if the JDK/JRE installed for the client browser is version 1.6.0_20. To work around this issue, uninstall JDK/JRE version 1.6.0_20 from the client browser and reinstall JDK/JRE version 1.6.0_15.

32.3.8 Error is Generated on Starting Servers With Sun JDK 160_24 (32-bit) on Microsoft Windows 2008

When you install Oracle WebLogic Server (64-bit), Oracle Identity Manager, and SOA Server, and select Sun JDK 160_24 (32-bit) on Microsoft Windows 2008, an out-of-memory error is generated on starting the SOA Server and Oracle Identity Manager.

To work around this issue, add the -XX:-DoEscapeAnalysis option. For example:

set USER_MEM_ARGS=-Xms512m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -XX:-DoEscapeAnalysis

32.3.9 Oracle Identity Manager and Design Console Must be Installed in Different Directory Paths

Oracle recommends that you install Oracle Identity Manager and the Design Console in different directory paths.

32.3.10 Error on Adding Organization to User in Windows Explorer 8

In Microsoft Windows Internet Explorer 8 web browser, when you find and select an organization in the popup window from the Create User page, clicking the Add button displays the following error:

popup is null or not an object

To work around this issue, make sure that the Display a notification about every script error option is not selected in the Advanced tab of the Internet Options dialog box.

32.4 Multi-Language Support Issues and Limitations

This section describes multi-language issues and limitations. It includes the following topics:

32.4.1 Multi-language Valued Attributes in SPML and Oracle Identity Manager Do Not Match

Oracle Identity Manager supports only the Display Name attribute for multi-language values. SPML specifies additional attributes, such as commonName and surname, as multi-language valued in the PSO schema. When multiple locale-values are specified in an SPML request for one of these attributes, only a single value is picked and passed to Oracle Identity Manager. The request will not fail and a warning message identifying the attributes and the value that was passed to Oracle Identity Manager is provided in the response.

32.4.2 Login Names with Some Special Characters May Fail to Register

In Oracle Identity Manager, the user login name is case-insensitive. When a user is created, the login name is converted to upper case and saved in the database. The password, however, is always case-sensitive. Login names that contain some special characters may fail to register in Oracle Identity Manager because of this conversion:

  • Both the Greek characters σ (sigma) and ς (final sigma) map to the Σ character.

  • Both the English character i and the Turkish character ı map to the I character.

  • Both the German character ß and the English string SS map to the SS string.

This means that two user login names that differ only in these special characters cannot both be created. For example, the user login names Johnß and JohnSS map to the same user login name. If Johnß already exists, then creation of JohnSS is not allowed because both the ß character and the SS string map to the SS string.
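The collisions described above can be checked before user data is loaded. The following Python sketch is an added example, not Oracle code; it assumes that the stored form of a login name is its locale-independent Unicode upper-case mapping, and the sample login names are constructed.

```python
import unicodedata
from collections import defaultdict


def stored_login(login):
    """Approximate the stored form of a login name.

    Assumption: the conversion is a locale-independent Unicode upper-casing,
    which maps ß to SS, both σ and ς to Σ, and both i and ı to I.
    """
    return unicodedata.normalize("NFC", login).upper()


def find_collisions(logins):
    """Group login names that end up with the same stored form."""
    groups = defaultdict(list)
    for name in logins:
        groups[stored_login(name)].append(name)
    return {key: names for key, names in groups.items() if len(set(names)) > 1}


def can_register(candidate, existing):
    """Return (True, None), or (False, existing_login_that_blocks_the_candidate)."""
    key = stored_login(candidate)
    for name in existing:
        if stored_login(name) == key:
            return False, name
    return True, None


def lossy_chars(login):
    """Characters whose upper-case mapping cannot be reversed.

    A character is flagged when upper-casing and then lower-casing it does not
    give back its own lower-case form; these are the characters that can make
    two visibly different login names collide.
    """
    return [ch for ch in login if ch.upper().lower() != ch.lower()]


if __name__ == "__main__":
    # Constructed sample login names.
    candidates = ["Johnß", "JohnSS", "Nikoσ", "Nikoς", "emin", "emın", "alice"]
    for key, names in find_collisions(candidates).items():
        print(f"{key}: {names}")
    for name in candidates:
        flagged = lossy_chars(name)
        if flagged:
            print(f"{name}: review characters {flagged}")
```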

32.4.3 The Create Role, Modify Role, and Delete Role Request Templates are Not Available for Selection in the Request Templates List

The Create Role, Modify Role, and Delete Role request templates are not available in the Request Templates list of the Create Request wizard. This is because request creation by using any request template that is based on the Create Role, Modify Role, and Delete Role request models is supported from the APIs, but not in the UI. However, you can search for these request templates in the Request Templates tab. In addition, the Create Role, Modify Role, and Delete Role request models can be used to create approval policies and new request templates.

32.4.4 Parameter Names and Values for Scheduled Jobs are Not Translated

In the Create Job page of Oracle Identity Manager Advanced Administration, the fields in the Parameter section and their values are not translated. The parameter field names and values are available only in English.

32.4.5 Bidirectional Issues for Legacy User Interface

The following are known issues in the legacy user interface, also known as TransUI, contained in the xlWebApp war file:

  • Hebrew bidirectional is not supported

  • Workflow designer bidirectional is not supported for Arabic and Hebrew

32.4.6 Localization of Role Names, Role Categories, and Role Descriptions Not Supported

Localization of role names, categories, and descriptions is not supported in this release.

32.4.7 Localization of Task Names in Provisioning Task Table Not Supported

All Task Name values in the Provisioning Task table list are hard-coded and these pre-defined process task names are not localized.

32.4.8 Localization of Search Results of Scheduled Tasks Not Supported

When you search Scheduler Tasks using a Simple or Advanced search, the search results are not localized.

32.4.9 Searching for User Login Names Containing Certain Turkish Characters Causes an Error

On the Task Approval Search page, if you select "View Tasks Assigned To", then "Users You Manage", and then choose a user whose login name contains a Turkish undotted "ı" or a Turkish dotted "İ" character, a User Not Found error results.

32.4.10 Localization of Notification Template List Values for Available Data Not Supported

Localizing Notification Template Available Data list values is not supported in this release. Oracle Identity Manager depends upon the Velocity framework to merge tokens with actual values, and the Velocity framework does not allow a space in token names.

32.4.11 Searching for Entity Names Containing German "ß" (Beta) Character Fails in Some Features

When you search for entity names containing the special German "ß" (beta) character from the Admin Console, the search fails in the following features:

  • System Configuration

  • Request Template

  • Approve Policy

  • Notification

In these features, the "ß" character is matched to "ss" instead of to itself. Consequently, the Search function cannot find entity names that contain the German beta character.

32.4.12 Special Asterisk (*) Character Not Supported

Although special characters are supported in Oracle Identity Manager, using the asterisk character (*) can cause some issues. You are advised not to use the asterisk character when creating or modifying user roles and organizations.

32.4.13 Translated Error Messages Are Not Displayed in UI

Oracle Identity Manager does not support custom resource bundles for Error Message display in user interfaces. Currently, there is no workaround for this issue.

32.4.14 Reconciliation Table Data Strings are Hard-coded on Reconciliation Event Detail Page

Some of the table data strings on the Reconciliation Event Detail page are hard-coded, customized field names. These strings are not localized.

32.4.15 Translated Password Policy Strings May Exceed the Limit in the Background Pane

Included as per bug# 9539501

The password policy help description may run beyond the colored box in some languages and when the string is too long. Currently, there is no workaround for this issue.

32.4.16 Date Format Validation Error in Bi-Directional Languages

When the Job Detail page is opened in bi-directional languages, you cannot navigate away from this page because of a "Date Format Validation Error". To work around this issue, select a value for the "Start Date" using the date-time control and then move to another page.

32.4.17 Mistranslation on the Create Job page

On the Japanese locale (LANG=ja_JP.UTF-8), "Fourth Wednesday" is mistranslated as "Fourth Friday" on the Create Job page when "Cron" is selected as the Schedule Type and "Monthly on given weekdays" is selected as the Recurring Interval.

32.4.18 E-mail Notification for Password Expiration Cannot Be Created With Arabic Language Setting

When the server locale is set to ar_AE.utf8 and values for user.language and user.region system properties are ar and AE respectively, if you create a password expiration warning e-mail notification in the Design Console, the value AE is not available for selection in the Region field. As a result, the email notification message cannot be created.

To work around this issue:

  1. Open the Lookup Definitions form in the Design Console.

  2. Search for 'Global.Lookup.Region'.

  3. Add an entry with Code key and Decode value as 'AE'. You can now create an e-mail definition with language ar and region AE.

32.4.19 Translated Justification is Not Displayed in Access Policy-Based Resource Provisioning Request Detail

When an access policy with approval is created, it generates a resource provisioning request that is subject to approval. In the request details page in Self Service or Advanced Administration, the request justification is not displayed translated according to the user's locale setting. The justification is displayed in the default server locale.

32.4.20 Additional Single Quotes Displayed in GTC Reconciliation Mapping Page for French UI

When you set the Oracle Identity Manager Administrative and User Console locale to French, select the Provisioning and Reconciliation checkboxes while creating a Generic Technology Connector (GTC), and map the reconciliation fields in the page for modifying mapping fields, a message is displayed with two single quotes. You can ignore the single quotes because this is benign and has no effect on functionality.

32.4.21 Cannot Enter Design Console Password When Server Locale is Set to Simplified Chinese, Traditional Chinese, Japanese, or Korean

When you set the server locale to Simplified Chinese, Traditional Chinese, Japanese, or Korean, and start the Design Console, you are not allowed to enter the password to log in to the Design Console.

To work around this issue:

  1. Kill all scim processes. To do so, run the following command:

    kill `pgrep scim`
    
  2. Edit the scim config file. To do so:

    1. Search for the following line:

      /FrontEnd/X11/Dynamic = ......

    2. Enter true as the value, as shown:

      /FrontEnd/X11/Dynamic = true

      Note:

      If this line does not exist, then enter:

      /FrontEnd/X11/Dynamic = true

    3. Save the file.

  3. Log out of the VNC viewer.

  4. Restart the VNC server and log in again. You can now enter the password for the Design Console.

32.4.22 Bidirectional Text Not Supported in Nexaweb Pages

The Nexaweb pages that open from the Oracle Identity Manager Administrative and User Console do not support bidirectional text. For example, when you select any of the languages that are written from right to left, such as Arabic or Hebrew, and click Install Connector on the Welcome page, search for a connector, click Upgrade, and then proceed to step 13 of the Connector Upgrade wizard, the text in the page is not displayed from right to left.

32.4.23 Do Not Modify Oracle Identity Manager Predefined System Properties in Non-English Locale

When the user preference language for the Administrative and User Console is not English, and you update the value of a predefined system property in Oracle Identity Manager, the translated property name and keyword are written to the PTY table. Therefore, when you search for system properties in the Administrative and User Console, this system property is not found.

32.4.24 Error Generated When Translated String for System Property Name Exceeds Maximum Allowed Length in PTY_NAME Column

When you try to set the value of a system property in a Western language UI, such as French, and if the translation string length exceeds the maximum allowed length, which is 80 characters, in the PTY_NAME column of the PTY table, then an error is generated.

32.4.25 Password Notification is Not Sent if User Login Contains Special Characters

For a user entity created with a valid e-mail address in LDAP, if the User Login contains the German beta character, then the notification message is not sent on running LDAP user create/update full reconciliation.

32.4.26 Reset Password Fails if User Login Contains Lowercase Special Characters

In an Oracle Identity Manager deployment with LDAP synchronization enabled, if the User Login contains special characters such as Turkish dotted I, dotless i, German beta, and Greek sigma in lowercase format, then the reset password does not work.

To work around this issue, use the uppercase User Login to reset the password, because User Login is not case-sensitive in Oracle Identity Manager.

32.4.27 Email Notification Not Sent Per Preferred Locale

When provisioning a resource to a user, the provisioned user and the user's manager receive the email notification in the locale as specified for user.language and user.country instead of their preferred locale.

32.4.28 Help Contents Displayed in English on Non-English Browsers

On non-English Web browsers, clicking the Help link on the top-right corner of the Oracle Identity Manager Self Service, Identity Administration, or Advanced Administration opens the help window, but always displays the on-line help contents in English.

32.5 Documentation Errata

Documentation Errata: Currently, there are no documentation issues to note.