This chapter describes issues associated with Oracle Access Management. It includes the following topics:
Note:For late-breaking changes and information, see My Oracle Support document ID 1537796.1.
This section describes general issues and workarounds organized around specific services. To streamline your experience, only services with a general issue are included. If you do not find a service-related topic (Security Token Service, for example), there are no general issues at this time.
The following topics are included:
This topic describes general issues and workarounds for Oracle Access Management Access Manager (Access Manager). It includes the following topics:
Support for WebGate agents using the Apache 2.2 server on AIX 5.3, 6.1 and 7.1 has been added. The Apache Server will not start or work (with AIX 6.1 and 7.1) unless the LDR_PRELOAD64 flag is set using the following command:
The 11gR2 PS1 ASDK has incorrect version details:
getSDKVersion() API returns a 220.127.116.11.0 value instead of a 18.104.22.168.0 value.
The name of the
ofm_oam_sdk_generic_22.214.171.124.0_disk1_1of1.zip disk might be
The following benign exception might be seen on the Administration and Managed servers. It can be ignored.
java.lang.NoClassDefFoundError: oracle/security/am/engines/rreg/common/RegistrationRequest at java.lang.Class.getDeclaredMethods0(Native Method) at java.lang.Class.privateGetDeclaredMethods(Class.java:2427) at java.lang.Class.privateGetPublicMethods(Class.java:2547) at java.lang.Class.getMethods(Class.java:1410) at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap. isBootstrapCandidate (AMBootstrap.java:191) at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap. invokeBootstrapMethods(AMBootstrap.java:146) at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap. doServerBootstrap(AMBootstrap.java:106) at oracle.security.am.admin.config.mgmt.beanimpl.AMBootstrap load(AMBootstrap.java:247)
The following benign exception is seen in the AdminServer-diagnostic.log file. It does not impact the Administration Console functionality and can be ignored.
oracle.mds.exception.ReadOnlyStoreException: MDS-01273: The operation on the resource /oracle/oam/ui/adfm/DataBindings.cpx failed because source metadata store mapped to the namespace / DEFAULT is read only. at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(MDSSession.java:2495) at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(MDSSession.java:2548) at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:3493) at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:1660) at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:1546) at oracle.adfdt.model.mds.MDSApplicationService.findApplication (MDSApplicationService.java:57) at oracle.adfdt.model.mds.MDSModelDesignTimeContext.initServices (MDSModelDesignTimeContext.java:232) at oracle.adfdt.model.mds.MDSModelDesignTimeContext.<init> (MDSModelDesignTimeContext.java:82) at oracle.adfdt.mds.MDSDesignTimeContext.<init> (MDSDesignTimeContext.java:66) at oracle.adf.view.rich.dt.DtAtRtContext.<init> (DtAtRtContext.java:22) at oracle.adf.view.rich.dt.Page.<init>(Page.java:535) at oracle.adf.view.rich.dt.Page.getInstance(Page.java:80) at oracle.adf.view.page.editor.customize.ComposerPageResolver.getPageObject (ComposerPageResolver.java:200) at oracle.adfinternal.view.page.editor.contextual.event.ContextualResolver. getPageDefinition(ContextualResolver.java:1229) at oracle.adfinternal.view.page.editor.contextual.event.ContextualResolver. <init>(ContextualResolver.java:129)
WLST commands cannot be used for adding, editing or deleting the federated SSO password policy profile until the following modifications have been made to the oam-config.xml file manually.
Back up the existing oam-config.xml file.
Find Setting Name="UserProfileInstance" in the file and add the following entry as a child of the "UserProfileInstance" setting.
<Setting Name=""NEW_PROFILE" Type="htf:map"> <Setting Name="PasswordPolicyAttributes" Type="htf:map"> <Setting Name="FORCED_PASSWORD_CHANGE" Type="xsd:boolean">true</Setting> <Setting Name="USER_ACCOUNT_DISABLED" Type="xsd:boolean">true</Setting> <Setting Name="PASSWORD_EXPIRED" Type="xsd:boolean">true</Setting> <Setting Name="TENANT_DISABLED" Type="xsd:boolean">true</Setting> <Setting Name="USER_ACCOUNT_LOCKED" Type="xsd:boolean">true</Setting> </Setting> </Setting>
For edit and delete, the changes should be made on the existing profile entry in oam-config.xml.
Increment the oam-config.xml "Version" setting and persist the changes.
A CertPathValidatorException is seen in the Access Manager diagnostic log when accessing a Resource. For example:
[2013-03-12T21:39:09.281-07:00] [oam_server1] [ERROR] [OAMSSA-12117] [oracle.oam.engine.authn] [tid: WebContainer : 3] [ecid: disabled,0] [APP: oam_server_126.96.36.199.0] Cannot validate the user certificate.[[ java.security.cert.CertPathValidatorException: The certificate issued by O=My Company Ltd, L=Newbury, ST=Berkshire, C=GB is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111) at
The static getSessionAttributes() method does not retrieve all Session attributes for a user - only those which have been set using the ASDK.
FORM Cache Mode should be used to support multi-tab browser behavior. By default, it is set to COOKIE Mode.
The following items are unsupported in the Access Manager WebSphere Trust Association Interceptor (TAI) when compared to the Access Manager WebLogic Server Id Asserter.
Access Manager WAS TAI does not support SAML assertions based on the OAM_IDENTITY_ASSERTION header.
OAM WAS TAI does not support the Identity Context. Identity Context is supported based on the OAM_IDENTITY_ASSERTION header by Access Manager WebLogic Server Identity Asserter.
idmConfigTool.sh -configOAM, two WebGate profiles are created: Webgate_IDM and Webgate_IDM_11g; both are 11g. When validating each Access Manager server configuration using the
oamtest tool, the Administration Console displays the connection status correctly but a long error/exception for each Webgate is logged. This error log is expected and can be ignored.
When performing a fresh incremental migration or a delta incremental migration after a complete migration, Simple Policy are not migrated. This issue is due to a Maximum Session Time lapse. Either restart the Administration Server or change the value of Maximum Session Time to more than 120 minutes.
When accessing the OAM Administration Console localized for
jp using Internet Explorer 9, double-clicking the Available Services text will not open the related page. Clicking the folder icon as opposed to the text will work. Or use Internet Explorer 8 or Firefox to workaround. If it works when using Internet Explorer 7, you can force OAM to run in Explorer 7 compatibility mode. See the PDF called Run ADF Faces applications with IE 9 in IE 8 compatibility mode at Oracle Technology Network.
The RSA plugin has been removed as a system plugin. The functionality can still be accessed by installing and using a custom RSA plugin. These steps should be followed to run a custom RSA plug-in, located in <ORACLE_HOME>/oam/custom_plugins/rsa/RSAPlugin.jar.
Download the RSA dependent libraries named
cryptoj.jar libraries to <DOMAIN_HOME>/config/fmwconfig/oam/plugin-lib.
Get the custom RSAPlugin.jar file from it's directory and import the plugin to add it to the list of custom plugins.
Once successfully imported, distribute and activate the plug-in.
Activation will fail the first time. When it does, restart the server and activate again. After activation, use the plugin to specify the necessary orchestration steps.
If extending the Oracle Identity Manager domain by adding Oracle Access Management Access Manager, the 'OIMAuthenticationProvider' will be deleted. When integrating OIM and OAM using idmConfigTool -configOIM, providers are automatically reordered as required. If not using idmConfigTool -configOIM, the provider needs to be created manually.
mod_osso agents shipped with 11g OHS cannot be configured to protect the @ context root '/'.
You will get a runtime exception when starting an instance of Access Manager protected by Oracle Entitlements Server. The exception can be ignored.
Register a Webgate with Access Manager using a non-ASCII name. In the Access Tester, enter the valid IP Address, Port, and Agent ID (non-ASCII name), then click Connect.
Connection testing fails.
Configure Access Manager to use Kerberos Authentication Scheme with WNA challenge method, and create a non-ASCII user in Microsoft Active Directory.
An exception occurs when trying to get user details to populate the subject with the user DN and GUID attributes. Authentication fails and an error is recorded in the OAM Server log when a non-ASCII user in Active Directory attempts to access an Access Manager-protected resource:
... Failure getting users by attribute : cn, value ....
The username in the attribute is passed without modification as a java string.
Non-ASCII users can access the resource protected by Kerberos WNA scheme by applying the following JVM system property in the startManagedWeblogic.sh script in $DOMAIN_HOME/bin:
Simple mode is not supported with JDK 1.6 and on AIX platforms. Use Open or Cert mode instead.
When you have a Detached Credential Collector-enabled Webgate combined with a resource Webgate, the user might have to provide credentials twice. This can occur when login is triggered with a URL that results in an internal forward by Oracle HTTP Server.
To resolve this issue, you can use following workaround:
Edit the httpd.conf file to add rewrite rules that redirect the browser for directory access (before Webgate configuration include) For example:
RewriteEngine On RewriteRule ^(.*)/$ "$1/welcome-index.html" [R]
SSL-enabled Web server: Repeat these rules under SSL configuration.
This topic describes general issues and workarounds for Oracle Access Management Security Token Service (Security Token Service). It includes the following topics:
Security Token Service does not process the Lifetime sent in the WS-Trust RequestSecurityToken message. Rather, the WS-Trust RequestSecurityTokenResponse contains the Lifetime per the configured token validity time in the Oracle Security Token Service Issuance Template.
When adding a new Attribute Name Mapping during the creation of a New Requester Profile in the Security Token Service section of the Access Manager Administration Console, an error message indicating an Unsupported Operation Exception can be displayed when clicking twice on a column titled Row No.
Security Token Service searches might not return the expected result when the browser language is set to a non-English language. For example, this occurs when setting the:
Partner Type field to
Relying Party or
Issuing Authority in the Requesters, Relying Party or Issuing Authorities screens
Token Type to
Username on the Token Issuance Templates screen when the Oracle Access Manager Administration Console browser setting is non-English
Token Type to
Username on the Token Validation Templates screen when the Oracle Access Manager Administration Console browser setting is non-English
When the browser language is English, the search returns expected results.
This topic describes general issues and workarounds for Oracle Access Management Identity Federation (Identity Federation). It includes the following topic:
This problem is seen in the following situation:
Webgate fronts a resource.
The "Allow Credential Collector Operations" option is checked for that Webgate.
The resource is protected by a policy using FederationScheme.
Due to this issue, when requesting access to the resource, the server returns a 200 with a URL where the browser will post the request to that URL using the POST, while the browser should have been redirected through a 302.
To resolve this issue, for Webgate agents fronting resources protected with the FederationScheme, disable the "Allow Credential Collector Operations" option.
This topic describes general issue and workarounds for Oracle Access Management Mobile and Social. It includes the following topics:
Mobile and Social supports the Mozilla Firefox and Google Chrome browsers on Android devices. The following issues are known to occur if the native Android OS browser is used.
The login web page rendered by the native browser does not allow the user to enter a username or password.
Internet Explorer users who do not enable Protected Mode cannot sign in with an Internet Identity Provider. Instead, an empty page will display.
To work around this issue in Internet Explorer versions 8 and 9, enable Protected Mode:
From the Internet Explorer menu choose Tools > Internet Options > Security.
Select Enable Protected Mode and restart the browser.
If a user who signs in with Google selects a different language from the on-screen menu, Google redirects the page request outside of the request flow managed by Mobile and Social. Consequently, the log-in pages that Google generates may be in a different language than the pages generated by Mobile and Social. Mobile and Social provides translated pages based on the browser's language settings. To avoid having pages display in different languages, users should only use their browser's preferred language settings to make changes.
In the Oracle Access Management console, when viewing the "Mobile and Social Settings" tree in the navigation pane, it is possible to click and drag the contents of this pane out of view.
To workaround this issue refresh the page or logout and login again.
This section describes configuration issues and their workarounds organized around specific services. To streamline your experience, only services with an issue are included. For example, Identity Context has no known issues at this time and is not included. The following topics are included:
This topic describes configuration issues and workarounds for Oracle Access Management Access Manager (Access Manager). It includes the following topics:
If the OAM 10g environment that is being migrated to 11g has multiple database instances configured in a Directory Server Profile and some of them share the same
displayName value, the migration process does not convert all of the database instances in Data Sources to the new environment. To workaround, rename the 10g environment database instances such that no two instances in the Directory Server Profile have the same
After upgrading Access Manager to version 11gR2 PS1, the Password Validation Scheme is not set to the Password Policy Validation Module. Use the Console to set the Password Validation Scheme to the Password Policy Validation Module.
Communication between the IBM HTTP Server (IHS) and WebSphere Application Server (WAS) is made possible by installing and configuring plugins that are available with IHS. The following steps describe the installation and configuration process.
During IHS installation, install the out-of-the-box plugin.
After installation, navigate to the IHS plugin directory at (for example,
\Plugins\config\webserver1) and verify that the
plugin-cfg.xml configuration file is available.
plugin-cfg.xml as follows and save the file.
Add the virtual host ports from which IHS can be accessed.
<VirtualHostGroup Name="default_host"> <!-- Include active IHS port details required for connecting to OAM on WAS --> <!-- <VirtualHost Name="*:9004"/> --> <VirtualHost Name="*:8080"/> <VirtualHost Name="*:17777"/> </VirtualHostGroup>
Add <ServerCluster> with the appropriate details comprising of the respective server entries where the resource is deployed.
Add <UriGroup> tag for the respective serverclusters.
<UriGroup Name="oamserver1_Cluster_URIs"> <Uri Name="/oam/*"/> </UriGroup>
Add the corresponding <Route> tag for the respective <UriGroup> tag.
<Route ServerCluster="oamserver1_Cluster" UriGroup="oamserver1_Cluster_URIs" VirtualHostGroup="default_host"/>
Add the respective VirtualHost entries in WebSphere by navigating to Environment ->Virtual Hosts -> default_hosts -> Host Alias using the IBM console.
Using an ObAccessClient (created with the 188.8.131.52.0 Access Manager Console) to create the AccessClient for the 11g ASDK (184.108.40.206.0, 220.127.116.11.0 and above) results in the following error because the older
ObAccessClient.xml file has Boolean settings expressed as
true/false rather than numeric:
oracle.security.am.asdk.AccessClient initialize SEVERE: Oracle Access SDK initialization failed.
To workaround, copy the original (older)
AGENT_NAME to the ASDK configuration directory (configLocation). You may also manually edit the newer
ObAccessClient.xml to change the Boolean values ("true/false") to numeric values (0/1).
There is only one
oamtai.xml file for a single WebSphere instance. In a case where the deployment contains multiple WebGate profiles protecting applications deployed on the same WebSphere application server - for example, a mix of 10g and 11g WebGates - the OAM Trust Association Interceptor is required to be configured as below.
Irrespective of the number of Webgates in the deployment, the agent profile defined in the file should be an OAM10g type.
The assertion type should be defined as HeaderBasedAssertion.
After upgrading Access Manager from 11gR2 to 11gR2 PS1, the
obLockedOn attribute will be missing from the Oracle Internet Directory. Use the following steps to add this attribute back to the OID.
Manually add the obLockedOn attribute to the schema.
Import the LDIF to OID using the ldapmodify command.
oam_user_write_acl_users_oblockedon_template.ldif to give oamSoftwareUser permission to modify obLockedOn.
Replace %s_UsersContainerDN% with User Search Base and replace %s_GroupsContainerDN% with Group Search Base.
Import the modified
When Oracle Access Manager 10g Webgates are used with Oracle Access Management 11g, the
To enable OpenSSO Agent configuration hotswap, make sure the opensso agents have the following properties in the
Miscellaneous properties section of the agent's registration in the OpenSSO Proxy on OAM Server, and the agent servers are restarted:
Not Supported for Web Agents:
Restart the OAM Server hosting the agent.
This topic describes configuration issues and their workarounds for Oracle Access Management Security Token Service (Security Token Service). It includes the following topics:
Security Token Service Create Like (duplicate) button does not copy some properties on the original Issuing Authority Profile template (the Security and Attribute Mapping sections, for instance).
The Administrator must manually enter the necessary configuration items into the newly created Issuing Authority Profile:
From the Oracle Access Management Console System Configuration tab, Security Token Service section, go to Issuance Templates.
Select an existing Issuance Template Click the Create Like (duplicate) button.
Create the new copied Issuance Template and manually enter the necessary configuration items in the newly created Template.
Oracle Access Management Console does not provide a way to remove a signing or encryption certificate that was set for an Security Token Service Partner.
The Administrator must manually delete these using the following WLST commands:
To delete the signing certificate of an Security Token Service Partner
To delete the encryption certificate of an Security Token Service Partner
This topic describes configuration issues and their workarounds for Oracle Access Management Identity Federation (Identity Federation). It includes the following topics:
Users should be aware that in the Oracle Access Management Console, the Identity Provider search screen does an exact match (==) for the ProviderId and Partner name fields, rather than a "contains" search.
Although it is an exact match, the user can employ "*" as a wild card in searches.
While creating/editing an IdP, if you upload an invalid file for a signing certificate, you will see a
Null pointer exception error message instead of a proper message indicating that the file does not contain a certificate.
This topic describes configuration issues and their workarounds for Oracle Access Management Mobile and Social (Mobile and Social). It includes the following topics:
The following steps describe how to copy Mobile and Social from a test environment to a production environment.
Important:Complete these steps after you finish moving Access Manager from the test environment to the production environment. For more information, see "Moving Access Manager From a Test to Production Environment on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide.
oam-config.xml in the production environment with the
secretKey value from the test environment.
In the test environment, use a text editor to open
oam-config.xml in the
fmwconfig directory and, for object
accessgate-oic, copy the value of the
<Setting Name="accessgate-oic" Type="htf:map"> <Setting Name="ConfigurationProfile" Type="xsd:string">DefaultProfile</Setting> <Setting Name="aaaTimeoutThreshold" Type="xsd:string">-1</Setting>
<Setting Name="secretKey" Type="xsd:string">A686408D1020B93EAA8B411EE0137847FD2968D1285A2A37BB0BE0B00238F50464E9C01EB3E5319AED6D7CAC81BD9FF7</Setting>
In the production environment, use a text editor to open
oam-config.xml in the
fmwconfig directory and, for object
accessgate-oic, replace the value of the attribute
secretKey with the value from the test host.
oic_rp.xml files from the test environment
fmwconfig directory to the production environment
In the production environment, edit the host and port information as appropriate in
Search for the name of the test host and replace it with the name of the production host. Verify that the port number is correct for the host URL.
Stop the node manager.
Synchronize the node and start the node manager.
Restart the oam_server1 and OracleAdminServer applications.
Because of a design change, attribute names on the Register page are in English and are not localized to other languages. To translate this page, use the following steps to modify the attribute name values using the Oracle Access Management console.
In the Oracle Access Management console, open the Application Profile under Internet Identity Services, for example OAMApplication.
Go to the User Attribute Display Name list in the Registration Service Details with Application User Attribute Mapping section.
Replace the values in English with localized values.
Save your changes by clicking Apply on the OAMApplication page.
Open the Register page and confirm that the page shows the correct localized values.
The Mobile and Social server sends error messages to the mobile clients in the language that is configured in the server locale language settings. The mobile clients cannot translate server error messages to a different language.
The Yahoo Internet identity provider does not return
lastname values following user authentication. To work around this issue, change the following Mobile and Social mappings in the Oracle Access Management console:
Open the Application Profile for editing.
Click Next until the Internet Identity Provider configuration page opens.
Open the Application User Attribute Vs Internet Identity Provider User Attributes Mapping section.
In the Attribute Mapping section, click Yahoo to select it in the Internet Identity Provider list.
Configure the values as follows:
Locate firstname in the Application User Attribute column and in the corresponding Internet Identity Provider User Attributes column, choose nickname.
Locate lastname in the Application User Attribute column and in the corresponding Internet Identity Provider User Attributes column, choose fullname.
Save the Application Profile.
Once you assign a value to the Jail Breaking Detection Policy "Max OS Version" setting, you cannot remove the value and leave the field empty. Per the documentation, the Max OS Version field is used to configure the maximum iOS version to which the Jail Breaking policy applies. If the value is empty, a maximum iOS version number is not checked so the policy applies to any iOS version higher than the value specified for Min OS Version. Once set, however, the value cannot go back to being empty. To work around this issue, set a value for the Max OS Version field.
When moving Mobile and Social from a test environment to a production environment, complete the following configuration steps on each production machine after running the Test-to-Production scripts:
Launch the Oracle Access Management Console.
On the Policy Configuration tab, choose Shared Components > Authentication Schemes > OIC Scheme and click Open.
The Authentication Schemes configuration page opens.
Update the Challenge Redirect URL value to point to the production machine, not the test machine, then click Apply.
Update the Mobile and Social credential store framework (CSF) entry to point from the test machine to the production machine. To do this, run the following WLST command:
createCred(map="OIC_MAP", key=" https://<production machine host>:<production machine port>/oam/server/dap/cred_submit ", user="="<description>", password=" DCC5332B4069BAB4E016C390432627ED", desc="<description>");
password, use the value from
oam-config.xml, which is located in the domain home
/config/fmwconfig directory on the production machine. Use the value from the
In the Oracle Access Management Console, do the following:
Select the System Configuration tab.
Choose Mobile and Social > Internet Identity Services.
In the Application Profiles section, select OAMApplicaton and click Edit. (If using an application profile name other than OAMApplication, edit that instead.)
Update the Registration URL field host name and port to point to the production machine.
This section documents issues that affect the Oracle Access Management Console. It includes the following topics:
If the OAM Server and the Oracle Access Management Console client are configured for different locales, the server will report error messages to the client in whichever language the server is configured for.
Oracle manuals describing and showing Oracle Access Management 11.1.2 and related services, including these Release Notes, incorrectly refer to the OAM Server (the former name of the Access Manager Server). However, in the next release of Oracle 11.1.2 books, the term OAM Server will be replaced by AM Server (Access Manager Server).
This section describes documentation errata for Oracle Access Management-specific manuals. It includes the following titles:
Documentation errata for Oracle Fusion Middleware Administrator's Guide for Oracle Access Management is organized into the following topics:
The description of the Max Session Time element in Chapter 14 Registering and Managing OAM 11g Agents has been updated.
Format of creds= challenge parameter lists 10g format (
creds:source$name) in an 11g book. The 10g format was removed and text added to explain 11g format.
Replaced the incorrect configuration directory path WebTier_Middleware_Home/Oracle_WT1/instances1/config/OHS/ohs1/config/ with the correct one: PolicyAgent-base/AgentInstance-Dir/config
There are no documentation errata for Oracle Fusion Middleware Developer's Guide for Oracle Access Management.