Skip Headers
Oracle® Fusion Middleware Release Notes
11g Release 1 (11.1.1) for Microsoft Windows (64-Bit)

Part Number E14774-58
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

28 Oracle Adaptive Access Manager

This chapter describes issues associated with Oracle Adaptive Access Manager. It includes the following topics:

28.1 General Issues and Workarounds

This section describes general issues. It includes the following topics:

28.1.1 OAAM Sessions is Not Recorded When IP Address from Header is an Invalid IP Address

OAAM sessions were not recorded for some header-based IP addresses.

Header based IP addresses are not accepted by default. To enabled the reading of IP addresses from the header, set vcrypt.tracker.ip.detectProxiedIP to true. When header IP addresses are enabled, only valid IP addresses are used. If the header contains an invalid IP address, the actual request IP address is used.

28.1.2 Checkpoint Boxes in Session are Displayed with Same Timestamp

The same timestamp is displayed in Checkpoint boxes in the Session Details page when multiple transactions are triggered in the same session. This bug has been fixed for OAAM Online.

28.1.3 Autogenerated Agent Cases Display User Specific Data

When an OAAM Agent Case is autogenerated from a Configurable Action, the User Details pane is populated with details of the user for the session where the case was created. An autogenerated Agent case should not contain user-specific data. Only Escalated Agent cases should display user details since they are the only cases specific to a single end user.

28.2 Policy Management Issues and Workarounds

This section describes policy management issues and workarounds. It includes the following topics:

28.2.1 Rule Condition Check Current Transaction Using the Filter Conditions Cannot Be Configured for Corresponding Attributes of Two Entity Instances

When two instances of an entity are associated to an OAAM Transaction and a filter condition is set up to compare an attribute of one entity instance with the corresponding attribute of the other entity instance, the OAAM Administration Console can only configure a comparison between the same attribute instead of a comparison between the different attributes.

For example:

Two instances of the Address entity are associated with a Transaction, one with the instance name BillingAddr and another with the instance name ShippingAddr. If the user configures Check Current Transaction using the filter condition to compare Billing.line1 with ShippingAddr.line1, after saving the rule, the OAAM Administration Console always shows the instance --- line1 of BillingAddr in the dropdown for the attribute the user wants to compare and the dropdown for the attribute the user is comparing to.

28.2.2 Rule Condition to Check Consecutive Transactions Fails Entity Check

The rule condition TRANSACTION: Check if consecutive Transactions in given duration satisfies the filter conditions does not trigger. The condition returns False and the entity check fails with exceptions in the debug log.

28.2.3 Exclude IP List Parameter for User and Device Velocity Rule Conditions

The Exclude IP List parameter was added to the following conditions:

  • Device: Velocity from last login

  • User: Velocity from last login

This parameter allows you to specify a list of IP addresses to ignore. If the user's IP address belongs to that list, then this condition always evaluates to false and no action and/or alert is triggered. If the user's IP address is not in that list or if the list is null or empty, then the condition evaluates the velocity of the user or the device from the last login. If the velocity of the user or the device from the last login is more than the configured value in the rule, the condition evaluates to true and the condition is triggered.

28.2.4 OAAM Offline Displays Only the Last Rule Executed Overwriting Previous

When multiple transactions are run in the same session, only the rule triggered for the last transaction is displayed in OAAM offline. The rules from the previous transactions are overwritten. To fix this bug, you must apply the patch and update the database schema.

28.2.5 User: Check First Login Time Rule Condition Always Triggers

The User: Check first login time condition returned the same value regardless of when the user logged in.

28.3 Transaction Issues and Workarounds

This section describes OAAM Transaction issues. It includes the following topics:

28.3.1 OAAM Displays Only the Last Rule Executed and Overwrites Previous Rules

When multiple transactions are triggered in the same session which result in multiple alerts and policies execution, OAAM displays only the most recent alerts and policies triggered and overwrites the alerts and policies from previous transactions.

28.3.2 OAAM Shows Only 25 Transactions in Session Details

When there are more than 25 data elements configured for a transaction, the Session Details displays only transaction details for the first 25 items. The page has no scroll bars for scrolling.

28.3.3 Alerts Are Not Displayed Beyond 25 Transactions

Alerts are not visible for transactions beyond the 25th. If there are more than 25 checkpoint boxes containing alerts, they are not visible in the Session Details, although the data is seen in the database.

28.3.4 OAAM Transaction Cannot Be Created with Numeric Parameter of More than 16 Digits

If a user defines any numeric value more than 16 digits in a transaction field, the transaction creation fails with the error on the server of ORA-01438: value larger than specified precision allowed for this column.

28.3.5 Transactions in Session Details Duplicated After 25

Transactions listed in Session Transactions section of Session Details are duplicated after 25 transactions in a session.

28.3.6 Transaction ID Association with Alert Does Not Work

Transaction ID association with Alert is not working even after passing transactionId in processRules API. The bug has been fixed for the server-side.

28.3.7 OAAM Console Does Not Display Transaction Status

Transaction status needs to be displayed in the Transaction Details page so that the Fraud team will be able to see if a transaction was attempted but did not complete. This provides information on both the behavior of customers and fraudsters and also of the functioning of the rules. The Fraud team does not believe they can do their job effectively if they cannot tell the transaction status. The workaround is to display the status value for each transaction on the Session Transactions panel along with Name, Transaction Id, Description, and Timestamp. The value displayed would be mapped from the property tracker.transaction.status.enum (e.g. 1=Success, 99=Pending).

28.3.8 Transaction Mapping Substring Error for First Character Value

When the user performs a transaction mapping of the type SubString, the first character of the value is missing from the mapping result because the oaam.transaction.mapping.startindex.min property was set to 1. Setting the property to 1 starts the substring operation from the second character of the string. A fix has been made so that this property is assigned to 0 so that the substring operation starts from the first character of the string.

28.3.9 Update Time for Entity Is Updated Without Any Change in Entity Data

When using an entity that is mapped to a Transaction Definition in a transaction, the entity's update time is updated by the OAAM Server even if no changes were made to the entity data (other fields are not updated). Database performance is impacted when this occurs.

28.4 Knowledge-Based Authentication Issues and Workarounds

This section describes Knowledge-Based Authentication issues. It includes the following topics:

28.4.1 Registration Logic Page Does Not Display KBA Logic

The KBA Registration Logic page does not display KBA Logic (Question per menu, Categories per menu, Number of questions the user will register) because the previous out of the box snapshot did not contain the properties for the KBA Registration Logic page. The patch fixes this problem. To effect this fix, the new out of the box snapshot file (oaam_base_snapshot.zip) needs to be imported. Note that importing this file will overwrite the existing content in the server.

If you do not want to import the snapshot file, but want to fix the registration logic related issue, you can create the following properties (with default values as shown):

challenge.question.registration.groups.categories.count=5
challenge.question.registration.groups.count=3
challenge.question.registration.groups.minimum.questions.per.category.count=1
challenge.question.registration.groups.questions.count=5

The patch also fixes the policy overrides in such a way that when the user fails the OTP challenge, the challenge does use KBA as a fallback. If you do not want to overwrite the contents but just import the newer policies, you can import oaam_policies.zip as a policies import. Importing the policies does not fix the registration logic related bug.

28.4.2 Answer Logic Abbreviation Resource Was Not Used

Answer Logic checks if the answer provided by the user matches closely to the ones provided during registration. Answer Logic relies abbreviations.

An updated Answer Logic abbreviations resource bundle is available in OAAM 11.1.1.5. In the new resource bundle, the following are considered a match:

Registered Answer Given Answer

Missus

Mrs

Mister

Mr

Sergeant

Sgt

Mrs

Missus

Mr

Mister

Sgt

Sergeant


28.4.3 Update KBA for FFIEC Compliance

The following KBA questions from previous releases were deleted from the kba_questions.zip (English) file and oaam_base_snapshot.zip file for Federal Financial Institutions Examination Council (FFIEC) compliance:

Children Category

Delete or deactivate the following 10 questions:

  • What year was your oldest child born?

  • What year did your oldest child start school?

  • What year did your youngest child start school?

  • What is your eldest child's middle name?

  • What is the first name of your youngest child?

  • What year was your youngest child born?

  • What is the first name of your oldest child?

  • What is your youngest child's birthday?

  • What is your youngest child's middle name?

  • What is your oldest child's birthday?

Education Category

Delete or deactivate the following 18 questions:

  • What year did you graduate from high school?

  • What year did you graduate from junior high school?

  • What city was your high school in?

  • What were your college colors?

  • What year did you graduate from grade school?

  • What was the mascot of your college?

  • What were your high school colors?

  • What was the mascot of your high school?

  • What is the name of a college you applied to but did not attend?

  • In what city was your first elementary school?

  • What year did you start high school?

  • What year did you start junior high school?

  • What year did you start grade school?

  • What year did you graduate from college?

  • What year did you start college?

  • What was your major in college?

  • What was the first school you ever attended?

  • What city was your college in?

Miscellaneous Category

Delete or deactivate the following 2 questions:

  • What is the first name of your closest childhood friend?

  • What is your height?

Parents, Grandparents, Siblings Category

Delete or deactivate the following 17 questions:

  • What year was your father born?

  • What is your father's birthday?

  • What is your oldest sibling's nickname?

  • In which city was your father born?

  • In which city was your mother born?

  • What is your parent's current street address number?

  • What is your parent's current street name?

  • What is your youngest sibling's nickname?

  • What is your parent's current ZIP code?

  • What year was your mother born?

  • What are the last 4 digits of your parent's phone number?

  • What is your maternal grandmother's first name?

  • What is your paternal grandmother's first name?

  • What is the first name of your youngest sibling?

  • What is your paternal grandfather's first name?

  • What is your mother's birthday?

  • What is the first name of your eldest sibling?

Significant Other Category

Delete or deactivate the following 18 questions:

  • Where did you go on your honeymoon?

  • What year did you get married?

  • What year was your significant other born?

  • What is your significant other's birthday?

  • What date is your wedding anniversary?

  • In what city did you meet your spouse for the first time?

  • What city was your significant other born in?

  • What is the first name of your significant other's mother?

  • What is the first name of your significant other's father?

  • What is the last name of your significant other's eldest sibling?

  • What is the first name of your significant other's youngest sibling?

  • What high school did your significant other attend?

  • What was the last name of your best man or maid of honor?

  • What was the first name of your best man or maid of honor?

  • Name of the place where your wedding reception was held.

  • What is your spouse's nickname?

  • What state was your significant other born in?

  • What is the last name of your significant other's youngest sibling?

Sports Category

Delete or deactivate the following 4 questions:

  • What is the mascot of your favorite sports team?

  • What are the colors of your favorite sports team?

  • What team is the biggest rival of your favorite sports team?

  • What is your all time favorite sports team?

Your Birth Category

Delete or deactivate the following 9 questions:

  • What is the ZIP code where you grew up?

  • Who was the US President when you were born?

  • How old was your father when you were born?

  • How old was your mother when you were born?

  • What is the name of the hospital you were born in?

  • What is the ZIP code of your birthplace?

  • What is the holiday closest to your birthday?

  • What state were you born in?

  • What city were you born in?

28.4.4 Closing Browser on Image and Security Phrase Registration Page

If the user tries to register his security image and phrase for the first time and during the process, he closes his browser window on the registration and user preferences pages or returns to the login page, the last image and phrase presented are accepted as the default even if he has not explicitly chosen them by clicking the Continue button.

A fix has been made so that the image and phrase registration only saves the image and phrase after the user clicks Continue on the registration and user preferences pages.

28.4.5 OAAM Change Password Does Not Display Any Validation for Password Fields

The OAAM Change Password page in an OAAM and OIM integration does not display any validation for the Password field. The issues are as follows:

  • If the user does not enter a password, but clicks Submit, there is no validation that the fields are empty

  • If the user enters a new password and then the confirmation password, the password is accepted regardless of whether they are the same or different

  • If the user changes his password, the old password is not validated to confirm that it is correct

28.4.6 ORA-01722 Occurs During KBA Update

An ORA-01722 error can occur when adding a new challenge question.

28.4.7 Registered Questions Are Deleted and Subsequent Challenge Does Not Succeed

If a user's question set contains a deleted question and/or if a user's registered questions contain a deleted question and/or if the KBA registration logic is out of alignment with the user's registered questions and question set (the number of questions/categories and so on), when the user tries to update his question set but cancels or closes the browser window or the session times out without saving, that user's existing questions are deleted from the database. The subsequent challenge does not succeed as the existing questions have been deleted.

This issue has been fixed so that now if a user's registered questions have been deleted in the process of resetting the questions, the user will be asked to re-register new ones on the next login.

28.5 Integration Issues and Workarounds

This section describes OAAM integration issues. It includes the following topics:

28.5.1 setupOAMTapIntegration.sh Does Not Set oaam.uio.oam.secondary.host.port

The setupOAMTapIntegration.sh script does not set the secondary OAM host information (oaam.uio.oam.secondary.host.port value) during the configuration of Oracle Adaptive Access Manager for the Oracle Access Manager and Oracle Adaptive Access Manager integration. The workaround is to set the property value through the property editor.

28.5.2 OAAM Does Not Support Juniper Single Sign-On for Authentication and Forgot Password Flow

The OAAM Authentication flow is not invoked when integrated with Juniper SSL. With invoking OAAM, the integration can detect fraud and determine risk during the authentication flow and accordingly strongly authenticate the user using OAAM capabilities like Challenge, Block, and other actions. The Juniper SSL and OAAM integration flow should be as follows:

  1. The user tries to access a web application or URL that is secured by Juniper SSL, and Juniper SSL detects whether the user is authenticated or not.

  2. If the user is authenticated then he is allowed to proceed to the web application.

  3. If the user is not authenticated, he is redirected to the OAAM Server. The OAAM Server displays the User ID page and prompts the user to enter his User ID. Once the user enters his User ID, OAAM evaluates the Pre-Authentication checkpoint policies and checks to see if the user has to be blocked.

  4. OAAM then checks to see if the user has registered for an Authentication Pad. If so, it displays the registered Authentication Pad, otherwise it displays a generic text pad.

  5. OAAM Server displays the Password page with the Authentication Pad and prompts the user to enter his password. Once the password is entered, it is validated against the user store (the user store can be LDAP, Active Directory, or any active user store). It also identifies the device by running the device identification process.

  6. If the credentials are incorrect then OAAM displays an error page and asks the user to enter his credentials again.

  7. If the credentials are correct then OAAM evaluates Post-Authentication checkpoint policies. Based on the outcome of the policy OAAM might challenge or block the user.

  8. If the outcome of Post-Authentication is ALLOW then OAAM determines if the user has to be registered. Based on the types of registration, OAAM takes the user through registration pages.

  9. If the outcome of Post-Authentication is CHALLENGE and if the user is already registered for at least one of the challenge mechanisms, OAAM challenges the user. If the user is able to answer the challenge then he would be allowed to continue to the next step. As the next step OAAM fetches the user attributes from the user store and then creates the SAML response, signs it and then it posts to the Juniper SSL redirection URL. Juniper SSL then takes control, validates the SAML payload, and lets the user access the web application.

  10. If the outcome of Post-Authentication is BLOCK then user would be blocked and he would not be able to access the web application.

28.5.3 Step Up Authentication Changes

The Step Up Authentication feature is available with OAAM. Step Up Authentication allows users who have been authenticated by OAM at a lower level to access resources protected by OAAMTAPScheme configured at a relatively higher authentication level. When the user tries to access a protected resource that is configured at a higher level, OAAM runs policies to determine how to further authenticate the user so as to gain the required level of authentication needed for access to the protected resource. The user is not taken to the normal login flow since he is already authenticated.

The property to disable/enable Step Up Authentication mode in TAP Integration: By default the Step Up Authentication mode is enabled. However if you want to disable this feature, then set property oaam.uio.oam.integration.stepup.enabled as false.

Change in behavior for the end user: For an end user using the Access Manager-OAAM TAP Integration, the change in behavior is as follows:

If a user has already been authenticated by Access Manager and he tries to access a resource protected under TAPScheme with OAAM as the TAP partner, the user is not taken to the OAAM login flow (since the user is already authenticated). However, OAAM runs its fraud detection policies and might ask challenge questions or block the user depending on the risk evaluated by the policies.

28.5.4 TAP: Incorrect Error Message

In Access Manager-OAAM TAP integration, when an incorrect user name or password is supplied, OAAM shows following error:

There was some technical error processing your request.   Please try again

The patch fixes this problem: the error message now indicates an invalid user name or password error instead of a technical error.

28.5.5 OAAM 11g SOAP Timeout Exception Handling

The client calling Web services is not getting exceptions for timeouts. As a result the client cannot handle SOAP timeouts in a proper way because it cannot determine whether the exception is a SOAP timeout or any other faults. A fix has been implemented so that a specific error code for timeouts is passed to the client. The client can therefore handle the fault per the information contained in the exception.

The method handleException() has introduced a class VCryptSOAPGenericImpl which can be overridden to include more error codes based on business requirements. Currently it has been set for soaptimeout errors:

protected String handleException(String requestName, Exception ex, String resultXml) {

28.5.6 OAAM Should Call UserManager.Unlock() in the Forgot Password Workflow

In the Forgot Password flow executed by OAAM in an Oracle Identity Manager and Access Manager integration, the user is not unlocked when he changes his password. When OAAM executes the changePassword() API, Oracle Identity Manager does not automatically unlock the user.

The following steps are needed to enable automatic unlocking of the user on the Oracle Identity Manager side when OAAM executes the changePassword () API during the Forgot Password flow:

  1. Log in to the OAAM Administration Console.

  2. In the navigation pane, click Environment and double-click Properties. The Properties search page is displayed.

  3. Set oaam.oim.passwordflow.unlockuser to true.

    By default this property value is set to false. By setting this property to true OAAM will call the unlock API of Oracle Identity Manager in the Change Password task flow.

28.6 Reporting Issues and Workarounds

This section describes OAAM BI Publisher reports and Sessions issues and workarounds. It includes the following topics:

28.6.1 Alert Message Link in Session Details Page Does Not Open the Alert Details

When the user tries to access an alert details page from an alert message link in the Session Details page, the page fails to open.

To work around this issue, use the alert message link on the Session Search page.

28.6.2 OAAM Rules Breakdown Report Does Not Provide Correct Information

The BI Publisher Rules Breakdown report does not give a summary of the rules which have been triggered by the checkpoint and policy. The values given are not complete or accurate.

For the report to work, run the following script:

create or replace view OAAM_FIRED_RULES_VIEW as (

select actionMap.create_time, ruleMaps.rule_map_id, actionMap.request_id,

actionMap.runtime_type,

sessions.user_id, sessions.node_id, actionMap.action_list

from (select substr(attr_name, 7) ruleInstanceId, case when

length(trim(translate(attr_value, '+-.0123456789', ' '))) is null then

CAST(attr_value AS NUMBER(16)) else null end rule_map_id, fprint_id from

v_fp_map where attr_name like 'RLD_ID%') ruleMaps

inner join vt_session_action_map actionMap on actionMap.rule_trace_fp_id =

ruleMaps.fprint_id

inner join vcrypt_tracker_usernode_logs sessions on sessions.request_id =

actionMap.request_id

inner join (select substr(attr_name, 11) ruleInstanceId, case when

length(trim(translate(attr_value, '+-.0123456789', ' '))) is null then

CAST(attr_value AS NUMBER(16)) else null end attr_value, fprint_id from

v_fp_map where attr_name like 'RLD_STATUS%') ruleStatus

on ruleStatus.ruleInstanceId = ruleMaps.ruleInstanceId and

ruleStatus.fprint_id = ruleMaps.fprint_id

where ruleStatus.attr_value=1

union select ruleLogs.create_time, ruleLogs.rule_map_id,

policySetLogs.request_id, policySetLogs.runtime_type,

userNodeLogs.user_id, userNodeLogs.node_id, ruleLogs.action_list

from VR_RULE_LOGS ruleLogs

inner join VR_MODEL_LOGS modelLogs on ruleLogs.MODEL_LOG_ID =

modelLogs.MODEL_LOG_ID

inner join VR_POLICY_LOGS policyLogs on modelLogs.POLICY_LOG_ID =

policyLogs.POLICY_LOG_ID

inner join VR_POLICYSET_LOGS policySetLogs on policyLogs.POLICYSET_LOG_ID =

policySetLogs.POLICYSET_LOG_ID

inner join VCRYPT_TRACKER_USERNODE_LOGS userNodeLogs on

policySetLogs.REQUEST_ID = userNodeLogs.REQUEST_ID

where ruleLogs.status=1);

commit;

28.7 Configuration Issues and Workarounds

This section describes the following configuration issues and workarounds:

28.7.1 Oracle Linux 6 (OEL6) with the Unbreakable Enterprise Kernel (UEK), Oracle Linux 6 (OEL6) with the Red Hat Compatible Kernel, and Red Hat Enterprise Linux 6 (RHEL6) Certification

OAAM is certified on Oracle Linux 6 (OEL6) with the Unbreakable Enterprise Kernel (UEK), Oracle Linux 6 (OEL6) with the Red Hat Compatible Kernel, and Red Hat Enterprise Linux 6 (RHEL6). Note that OAAM 11g is certified on Oracle Linux 6 but during the installation of Oracle Identity Management (Oracle IdM), the user will see an alert message during the pre-requisite check. This error does not impact the installation and can be ignored. The user can click OK to continue the installation.

Bug 15833450 OAAM 11.1.1.5 is certified on Oracle Linux 6 (OEL6) with the Unbreakable Enterprise Kernel (UEK), Oracle Linux 6 (OEL6) with the Red Hat Compatible Kernel, and Red Hat Enterprise Linux 6 (RHEL6).

28.7.2 Database Archive and Purge Scripts Missing from Installation

Case and monitor data purge scripts are missing from the oaam_db_purging_scripts.zip file.

For purging case data, the following scripts need to be included:

  • create_case_purge_proc.sql

    The create_case_purge_proc.sql script is required to set up the archive and purge routines for the Oracle database.

  • exec_sp_purge_case_data.sql

    The exec_sp_purge_case_data.sql is required to perform the archive and purge of case data.

For purging monitor data, the following scripts need to be included:

  • drop_monitor_partition.sql

    Customers who are using the Oracle table partitioning option and have no reporting database should run the drop_monitor_partition.sql script before setting up purging routine for monitor data.

  • exec_v_monitor_purge_proc.sql

    The exec_v_monitor_purge_proc.sql script calls the stored procedures to archive and purge data from device fingerprinting tables.

  • create_v_monitor_purge_proc.sql

    The create_v_monitor_purge_proc.sql script creates the V_MONITOR_DATA_PURGE table and the stored procedure SP_V_MON_DATA_PURGE_PROC to archive and purge data from the transaction table.

28.7.3 Juniper Login Fails Due to Incorrect CN Value and No UID Attribute in SAML Response

After successful authentication, OAAM obtains the user attributes from the user store and sends user attributes in a SAML assertion to Juniper. Juniper is set up to look for attributes to read from the SAML assertion to match the user in its repository. Then it logs the user in to the requested target page or web application.

In this bug, the user is unable to log in to Juniper via OAAM because Juniper fails to identify the user. OAAM did not fetch the correct cn (common name) value and it did not set the uid (User ID) attribute in the SAML response.

28.8 Customer Care Issues and Workarounds

This section describes customer care and investigation issues. It includes the following topics:

28.8.1 Investigator Role Overrides CSR Role When Both Roles Are Given to a User

When a user is given both the Investigator and CSR Access roles, the former overrides the access permissions of the latter and the user has only Investigator access and no CSR access. Expected behavior is that a user having both Investigator and CSR access, should be able to perform Investigator and CSR tasks.

28.8.2 Scroll Bars Missing from Some Case Management Screens

Users with low resolution monitors are not able to see details in full in the Case Details page. Details refer to those available based on a user's role. The Case Details page required scroll bars so that a users with low resolution monitors can see all details.

28.8.3 Case Search and Case Details Do Not Display Case Disposition

After an OAAM Agent case is closed with a disposition of Confirmed Fraud, the agent can locate the case by searching by deposition but Confirmed Fraud is not displayed in the Case search page even after adding Disposition as a column to display. When the Case Details page of the same case is opened, the field is empty for Disposition.

28.8.4 Wrong User Attributed for Last Notes Added If Two Users Concurrently Update Case Notes

OAAM allows two agents to concurrently access a case, but if the two agents add notes to the case, OAAM saves both agents' notes; however, the second agent's notes are displayed as having been added by the first agent. Concurrent write access to cases is supported: if two agents are accessing the case at the same time, the second agent is made aware that the case is being worked on by another agent with a warning message. When the second agent continues, he is made the owner of the case. Notes are attributed to the correct agent.

28.8.5 Manually Created OAAM Agent Cases Cannot Be Searched by Username or User ID

When an OAAM Agent Case is autogenerated from the Configurable Action, the User Details panel is populated with user details for the session for which the case was created. When manually creating a case and linking to a session, user details are not populated. Subsequent searches of cases by Username or User ID only locate automatically created cases.

An enhancement has been made so that the Agent case creation page can optionally accept entry of a valid Username and/or User ID if the oaam.customercare.agent.case.allow.userinfo property is set to true. If a Username and/or User ID is entered it is mapped to the Agent case. Agent cases with a mapped Username and/or User ID are searchable by Username and/or User ID. These cases display the mapped user identifier in the Username and/or User ID column on the Cases search page. Only an Agent case that has been escalated from a CSR case displays the User Details section under the Case Details Summary tab.

28.8.6 OAAM Allows Case Ownership Change and Add Notes Actions to Closed Case

After an Agent case is closed, case ownership can still change when accessed by another user. The case owner is changed to the user who accessed the case. OAAM also allows the adding and editing of notes after a case is closed. After an Agent case is closed, no changes should be allowed.

28.8.7 Create Agent Case Configurable Action Displays Wrong Name for Action

When a Configurable Action triggers the Create Agent Case action, it is displayed as Add to IP Watch list for both the Name and Description of the action when it is added to an Action group.

28.8.8 KBA and OTP Failure Counter Reset and Unlock

Challenge failure counters are not displayed on the CSR Case Details as in the details pages. Failure counters should be displayed for KBA and OTP as well as for new or custom challenge processors. Also, the Reset action does not reset all the counters. An Unlock action should reset all counters (KBA and OTP). The following should occur for counters when the Unlock action is performed:

  • Unlocking KBA resets the KBA and OTP failure counters to 0

  • Unlocking OTP resets the KBA and OTP failure counters to 0

The following actions should occur for failure counters when the Reset action is performed:

  • Resetting KBA resets KBA and OTP failure counters to 0. The user will be required to register challenge questions again

  • Resetting CSR KBA resets KBA and OTP failure counters to 0. The user will be required to register challenge questions again

  • Resetting OTP resets KBA and OTP failure counters to 0. The user will be required to register OTP again

The following enhancements have been made:

  • OAAM Admin Console Case detail and details pages display failure counter, registration, and other information for KBA, OTP, and other custom challenge mechanisms

  • OTP failure counters from different channels consolidate failures. For example, if multiple channels are used, the OTP status displays Locked if the combined OTP counters are above the threshold. So, if the user fails SMS twice and Email once and threshold is 3, they are locked using the consolidated OTP counter

  • The Reset action resets all challenge failure counters

  • The Unlock action is consolidated into an Unlock User action instead of separate actions for unlocking KBA and OTP. The Unlock User action resets all failure counters

  • User name is displayed on the Case Details tab instead of or along with Case ID

  • The Threshold value for failure counter can be set in the rule condition, User: Challenge Channel Failure.

28.9 Performance Issues and Workarounds

This section describes performance issues. It includes the following topic:

28.9.1 Out of Memory Error Occurs Scrolling through Sessions Search in OAAM Admin

Scrolling up and down on the Session search page may pass an empty or null input list, which may result in retrieving millions of rows from the database, causing the error, java.lang.OutOfMemoryError:GC overhead limit exceeded.

28.10 Device Fingerprinting Issues and Workarounds

This section describes device fingerprinting issues. It includes the following topic:

28.10.1 Errors Occur When Custom Locale is Used in OAAM .NET

When the .Net API is used to generate a browser fingerprint that uses a custom locale as part of the login flow, an error occurs: Culture ID 4096 (0x1000) is not a supported culture.\r\nParameter name: culture. The issue occurs when the application is using a custom culture because locale is registered with the Microsoft .NET framework and when the OAAM .NET API classes try to construct the CultureInfo from the LCID that came into the HttpSession, an exception occurs because of the Microsoft .NET framework. The workaround is to change the oaam/src/dotNET/Bharosa/vCrypt/Common/Util/HttpUtil.cs line 162 from CultureInfo ci = new CultureInfo(context.Session.LCID); to CultureInfo ci = new CultureInfo(context.Current.Request.UserLanguages[0]);

This causes .NET to look up the locale by the name of the locale instead of by the LCID.

28.11 Geolocation Data Loader Issues and Workarounds

This section describes geolocation loader issues. It includes the following topics:

28.11.1 Upload of Geolocation Data Causes Unique Constraint Violation

When reloading the same location data file, or loading an updated location data file, the data would be loaded correctly, but the log file would show numerous warnings about unique constraint violations which degrades performance.

28.11.2 IP Location Data Loader Fails If There is a Blank Line in the File

The OAAM data loader fails to load IP location data if a blank line is in the data file and does not report the line number. The expected result is for the OAAM data loader to skip the blank line and display a warning message that include the line number.

You can work around this issue by opening the IP location data file, removing the blank line, and saving the file. This issue will be fixed in a future release.

28.12 Multi-Language Support Issues and Workarounds

This section describes multi-language support issues and limitations. It includes the following topics:

28.12.1 Session or Cases Page Cannot Open if Browser Language is Italian

When the browser language is set to Italian, the user cannot open pages with calendars in the OAAM Administration Console, such as the Session or Cases page. A pop-up window with the following error message is displayed:

java.lang.IllegalArgumentException:
Illegal pattern character 'g'

28.12.2 Session Search and Case Search By Date Range Does Not Work in OAAM Admin Console When Browser Language is Brazilian Portuguese or Spanish

Searching sessions and cases by date range does not work in the OAAM Administration Console when the browser language is set to Brazilian Portuguese or Spanish. When the user opens the calendar in the Session or Cases page in the Spanish or Brazilian Portuguese locale, the year value is always shown as 1970 and cannot be modified to the correct year. As a result, the search does not work and the expected data cannot be returned in the search results.