This chapter describes issues associated with general Oracle Fusion Middleware administration issues involving Identity Management. It includes the following topics:
This section describes general issue and workarounds. It includes the following topics:
Section 4.1.2, "Fusion Middleware Control May Return Error in Mixed IPv6 and IPv4 Environment"
Section 4.1.3, "Limitations in Moving from Test to Production"
Section 4.2.1, "Configuring Fusion Middleware Control for Windows Native Authentication"
OPMN provides the opmnctl command. The executable file is located in the following directories:
ORACLE_HOME/opmn/bin/opmnctl: The opmnctl command from this location should be used only to create an Oracle instance or a component for an Oracle instance on the local system. Any opmnctl commands generated from this location should not be used to manage system processes or to start OPMN.
On Windows, if you start OPMN using the opmnctl start command from this location, OPMN and its processes will terminate when the Windows user has logged out.
ORACLE_INSTANCE/bin/opmnctl: The opmnctl command from this location provides a per Oracle instance instantiation of opmnctl. Use opmnctl commands from this location to manage processes for this Oracle instance. You can also use this opmnctl to create components for the Oracle instance.
On Windows, if you start OPMN using the opmnctl start command from this location, it starts OPMN as a Windows service. As a result, the OPMN parent process, and the processes which it manages, persist after the MS Windows user has logged out.
If your environment contains both IPv6 and IPv4 network protocols, Fusion Middleware Control may return an error in certain circumstances.
If the browser that is accessing Fusion Middleware Control is on a host using the IPv4 protocol, and selects a control that accesses a host using the IPv6 protocol, Fusion Middleware Control will return an error. Similarly, if the browser that is accessing Fusion Middleware Control is on a host using the IPv6 protocol, and selects a control that accesses a host using the IPv4 protocol, Fusion Middleware Control will return an error.
For example, if you are using a browser that is on a host using the IPv4 protocol and you are using Fusion Middleware Control, Fusion Middleware Control returns an error when you navigate to an entity that is running on a host using the IPv6 protocol, such as in the following situations:
From the Oracle Internet Directory home page, you select Directory Services Manager from the Oracle Internet Directory menu. Oracle Directory Services Manager is running on a host using the IPv6 protocol.
From a Managed Server home page, you click the link for Oracle WebLogic Server Administration Console, which is running on IPv6.
You test Web Services endpoints, which are on a host using IPv6.
You click an application URL or Java application which is on a host using IPv6.
To work around this issue, you can add the following entry to the /etc/hosts file:
nnn.nn.nn.nn myserver-ipv6 myserver-ipv6.example.com
In the example, nnn.nn.nn.nn is the IPv4 address of the Administration Server host, myserver.example.com.
Note the following limitations in moving from test to production:
If your environment includes Oracle WebLogic Server which you have upgraded from one release to another (for example from 10.3.4 to 10.3.5), the pasteConfig scripts fails with the following error:
Oracle_common_home/bin/unpack.sh line29: WL_home/common/bin/unpack.sh No such file or directory
To work around this issue, edit the following file:
MW_HOME/utils/uninstall/WebLogic_Platform_10.3.5.0/WebLogic_Server_10.3.5.0_Core_Application_Server.txt file
Add the following entries:
/wlserver_10.3/server/lib/unix/nodemanager.sh /wlserver_10.3/common/quickstart/quickstart.cmd /wlserver_10.3/common/quickstart/quickstart.sh /wlserver_10.3/uninstall/uninstall.cmd /wlserver_10.3/uninstall/uninstall.sh /utils/config/10.3/setHomeDirs.cmd /utils/config/10.3/setHomeDirs.sh
When you are moving Oracle Virtual Directory, the Oracle instance name in the source environment cannot be the same as the Oracle instance name in the target environment. The Oracle instance name in the target must be different than the name in the source.
After you move Oracle Virtual Directory from one host to another, you must add a self-signed certificate to the Oracle Virtual Directory keystore and EM Agent wallet on Host B. Take the following steps:
Set the ORACLE_HOME and JAVA_HOME environment variables.
Delete the existing self-signed certificate:
$JAVA_HOME/bin/keytool -delete -alias serverselfsigned -keystore ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/keys.jks -storepass OVD_Admin_password
Generate a key pair:
$JAVA_HOME/bin/keytool -genkeypair -keystore ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/keys.jks -storepass OVD_Admin_password -keypass OVD_Admin_password -alias serverselfsigned -keyalg rsa -dname "CN=Fully_qualified_hostname,O=test"
Export the certificate:
$JAVA_HOME/bin/keytool -exportcert -keystore ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/keys.jks -storepass OVD_Admin_password -rfc -alias serverselfsigned -file ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/ovdcert.txt
Add a wallet to the EM Agent:
ORACLE_HOME/../oracle_common/bin/orapki wallet add -wallet ORACLE_INSTANCE/EMAGENT/EMAGENT/sysman/config/monwallet -pwd EM_Agent_Wallet_password -trusted_cert -cert ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/ovdcert.txt
Stop and start the Oracle Virtual Directory server.
Stop and start the EM Agent.
The copyConfig operation fails if you are using IPv6 and the Managed Server listen address is not set.
To work around this problem, set the Listen Address for the Managed Server in the Oracle WebLogic Server Administration Console. Navigate to the server. Then, on the Settings for server page, enter the Listen Address. Restart the Managed Servers.
When you are moving Oracle Platform Security and you are using an LDAP store, the LDAP store on the source environment must be running and it must be accessible from the target during the pasteConfig operation.
If you have configured WebGate with Oracle HTTP Server Release 11.1.1.6, you must apply the following patch to Oracle HTTP Server before you use the movement scripts:
13897557
For Oracle Identity Manager, Release 11.1.2.1, note the following when you move your environment:
If you are using a different database in the target, update the information in the DATASOURCE configGroup, along with any other information that needs to change.
In the SERVER_CONFIG configGroup, when you update the Listen Address property, specify the name of the host containing the Oracle SOA Suite server and the Oracle Identity Manager server. Do not specify All Local Addresses.
When you are using the pasteConfig script with Oracle Identity Manager, you might encounter the following error:
SEVERE : [PLUGIN][OIM] ERROR - CLONE-71000 configuration Failed. Exiting configuration due to data validation failure. SEVERE : [PLUGIN][OIM] CAUSE - CLONE-71000 [VALIDATION] [ERROR]:INST-6109: Unable to connect to the Database with the given credentials. Invalid service name
To correct the problem, take the following steps:
Update the move plan. In the move plan, for Oracle Identity Manager specific data sources, the value of the property Url might have SID pattern rather than service name pattern. Correct the move plan, using the service name pattern in the URL property of the DataSource configGroup instead of the SID.
Use the following format:
<value>jdbc:oracle:thin:@hostname:13477/servicename</value>
For example:
<value>jdbc:oracle:thin:@example.com:13477/MySID.example.com</value>
Do not use the following formats:
<value>jdbc:oracle:thin:@hostname:13477:sid</value> <value>jdbc:oracle:thin:@hostname:13477:servicename</value>
Run the pasteConfig script again.
If you are using a different database in the target, update the information in the DATASOURCE configGroup, along with any other information that needs to change.
In the SERVER_CONFIG configGroup, when you update the Listen Address property, specify the name of the host containing the Oracle SOA Suite server and the Oracle Identity Manager server.
If you have a source environment that contains Oracle Identity Manager Release 11.1.2.1, and Oracle SOA Suite, Release 11.1.1.*, you must install the following patch before you run the copyConfig script:
Patch14501468
The movement scripts do not support moving Oracle Identity Manager Release 11.1.1.* to another environment, either through the movement scripts or manual steps. In addition, if Oracle Identity Manager Release 11.1.1.* is part of the source environment of other components, the movement scripts for that environment will fail.
When you are moving Oracle Entitlements Server from a source to a target environment, the copyConfig step may fail and display an exception similar to the following in the log file:
javax.management.InstanceNotFoundException: java.lang:type=Runtime at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:223)
Before running copyConfig on the source environment, you must first set the env variable in the shell and restart the source environment. Set the env variable as follows, for example:
setenv JAVA_OPTIONS -Djavax.management.builder.initial=weblogic.management.jmx.mbeanserver.WLSMBean ServerBuilder
If the copyConfig operation fails for a domain involving Oracle Identity Manager with the following exception trace, there is a problem that the script encountered in getting MBean server connection for the Oracle Identity Manager Managed Server using the hostname as localhost:
INFO : [PLUGIN][OIM] Mar 22, 2013 7:45:23 AM - CLONE-71019 Executing
Mbean:MBean
Name:oracle.iam:type=IAMAppRuntimeMBean,name=IDStoreConfigMBean,Application=oi
m,ApplicationVersion=11.1.2.0.0.
INFO : [PLUGIN][OIM] null
oracle.as.t2p.exceptions.FMWT2PCopyConfigException: java.lang.Exception
at
oracle.iam.t2p.OIMT2PCopyConfig.doCopyConfig(OIMT2PCopyConfig.java:87)
at
oracle.as.clone.cloner.component.J2EEComponentCreateCloner.getMovableCompsFrom
PluginImpl(J2EEComponentCreateCloner.java:796)
.
.
.
In this situation, analyze and correct the network configuration on the machine. Also check the file /etc/hosts for this network configuration.
This section describes configuration issues and their workarounds. It includes the following topics:
To use Windows Native Authentication (WNA) as the single sign-on mechanism between Fusion Middleware Control and Oracle WebLogic Server Administration Console, you must make changes to the following files:
web.xml
weblogic.xml
These files are located in the em.ear file. You must explode the em.ear file, edit the files, then rearchive the em.ear file. Take the following steps (which assume that while the front end is on Windows, the em.ear file is on UNIX):
Set the JAVA_HOME environment variable. For example:
setenv JAVA_HOME /scratch/Oracle/Middleware/jrockit_160_05_R27.6.2-20
Change to the directory containing the em.ear, and explode the file. For example:
cd /scratch/Oracle/Middleware/user_projects/applications/domain_name JAVA_HOME/bin/jar xvf em.ear em.war JAVA_HOME/bin/jar xvf em.war WEB-INF/web.xml JAVA_HOME/bin/jar xvf em.war WEB-INF/weblogic.xml
Edit web.xml, commenting out the first login-config block and uncommenting the login-config block for WNA. (The file contains information about which block to comment and uncomment.) When you have done this, the portion of the file will appear as in the following example:
<!--<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
-->
<!--
the following block is for Windows Native Authentication, if you are using
WNA, do the following:
1. uncomment the following block
2. comment out the previous <login-config> section.
3. you also need to uncomment a block in weblogic.xml
-->
<login-config>
<auth-method>CLIENT-CERT,FORM</auth-method>
<form-login-config>
<form-login-page>/faces/targetauth/emasLogin</form-login-page>
<form-error-page>/login/LoginError.jsp</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
.
.
.
<security-role>
<role-name>Monitor</role-name>
</security-role>
Edit weblogic.xml, uncommenting the following block. (The file contains information about which block to uncomment.) When you have done this, the portion of the file will appear as in the following example:
<!--
the following block is for Windows Native Authentication, if you are using
WNA, uncomment the following block.
-->
<security-role-assignment>
<role-name>Admin</role-name>
<externally-defined/>
</security-role-assignment>
.
.
.
<security-role-assignment>
<role-name>Deployer</role-name>
<externally-defined/>
</security-role-assignment>
Rearchive the em.ear file. For example:
JAVA_HOME/bin/jar uvf em.war WEB-INF/web.xml JAVA_HOME/bin/jar uvf em.war WEB-INF/weblogic.xml JAVA_HOME/bin/jar uvf em.ear em.war
This section contains the following documentation errata for the Oracle Fusion Middleware Administrator's Guide and the Oracle Fusion Middleware High Availability Guide:
Section 4.3.1, "Documentation Errata for the Oracle Fusion Middleware Administrator's Guide"
Section 4.3.2, "Documentation Errata for the Oracle Fusion Middleware High Availability Guide"
This section contains the following documentation errata for the Oracle Fusion Middleware Administrator's Guide:
Section 4.3.1.1, "Combining All Oracle Homes in a Single Inventory File"
Section 4.3.1.2, "Correction in Moving Oracle Platform Security Services"
Section 4.3.1.3, "Correction to Link About Supported Databases for MDS"
All Oracle homes in the Middleware home on the source environment must be registered in the same Oracle inventory. If you have installed multiple components under the same Middleware home, but used different Oracle inventory locations, the scripts are not able to detect all of the Oracle homes.
To work around this issue, take the following steps:
Create a new oraInst.loc pointing to the inventory to which you want to register, using the following commands:
cat oraInst.loc
inventory_loc=new_oraInst_loc_location
inst_group=g900
Detach the Oracle Home from its current inventory:
cd ORACLE_HOME/oui/bin ./detachHome.sh -invPtrLoc ORACLE_HOME/oraInst.loc
Attach the Oracle Home to the new inventory by passing new oraInst.loc created in step 1:
./attachHome.sh -invPtrLoc new_oraInst_loc_location
Do this for every Oracle home in the Middleware home.
Set the necessary dependencies between Oracle homes if required (for example most Oracle homes depend on oracle_common). The dependencies are required when you uninstall. You can check the existing dependencies from the old inventory by checking the file oraInventory/ContentsXML/inventory.xml. The following shows an example of the file:
<?xml version="1.0" standalone="yes" ?>
<!-- Copyright (c) 1999, 2010, Oracle. All rights reserved. -->
<!-- Do not modify the contents of this file by hand. -->
<VERSION_INFO>
<SAVED_WITH>11.1.0.9.0</SAVED_WITH>
<MINIMUM_VER>2.1.0.6.0</MINIMUM_VER>
</VERSION_INFO>
<HOME_LIST>
<HOME NAME="OH339778486" LOC="/scratch/oracle/11gMW/oracle_common" TYPE="O" IDX="1">
<REFHOMELIST>
<REFHOME LOC="/scratch/oracle/11gMW/Oracle_WT1"/>
</REFHOMELIST>
</HOME>
<HOME NAME="OH299443989" LOC="/scratch/oracle/11gMW/Oracle_WT1" TYPE="O"
IDX="2">
<DEPHOMELIST>
<DEPHOME LOC="/scratch/oracle/11gMW/oracle_common"/>
</DEPHOMELIST>
</HOME>
</HOME_LIST>
<COMPOSITEHOME_LIST>
</COMPOSITEHOME_LIST>
</INVENTORY>
Run the following command to set up dependencies. Note that this is not mandatory for the movement scripts to work, but is needed when you uninstall.
./runInstaller -updateHomeDeps
"HOME_DEPENDENCY_LIST={/scratch/oracle/11gMW/Oracle_WT1:/scratch/oracle/11gMW/
oracle_common}" -invPtrLoc ~/oraInst.loc
The procedure for moving Oracle Platform Security Services to a new target environment the data is in a database is missing a step. The complete procedure is:
Set the environment variables and change to the Oracle home directory:
setenv ORACLE_HOME ORACLE_HOME setenv ORACLE_SID ORACLE_SID cd $ORACLE_HOME/bin
Export the data from the source schema:
expdp "sys/password@connect_id as sysdba" DIRECTORY=DATA_PUMP_DIR SCHEMAS=OPSS_schema_name DUMPFILE=export.dmp PARALLEL=2 LOGFILE=export.log
Create a directory, for example DATA_PUMP_DIR2 and copy the .dmp file to that directory in the target environment.
Connect to the database as a user with the sysdba role and execute the following command:
CREATE DIRECTORY DATA_PUMP_DIR2 as '/scratch/oracle/product/11.2.0/dbhome_1/opss_dump';
Import the data into the target schema:
impdp "sys/password@connect_id as sysdba" DIRECTORY=DATA_PUMP_DIR2 DUMPFILE=export.dmp PARALLEL=2 LOGFILE=import.log remap_schema=test_env_schema_name:prod_env_schema_name remap_tablespace=test_env_tablespace:prod_env_tablespace TABLE_EXISTS_ACTION=REPLACE
Note that the import command generates "Job "SYS"."SYS_IMPORT_FULL_01" completed with 6 errors." You can ignore the errors.
The section "Databases Supported by MDS" in the Oracle Fusion Middleware Administrator's Guide contains an incorrect link toOracle Fusion Middleware System Requirements and Specifications. The correct link is:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-requirements-100147.html
This section contains the following documentation errata for the Oracle Fusion Middleware High Availability Guide for 11g Release 2 (11.1.2.1.0), Part Number E28391-04:
In section 8.3.3.1.1, "Install Oracle WebLogic Server", step 5., On the Choose Products and Components screen, select only Oracle JRockit SDK and click Next, is incorrect. It should state "On the Choose Products and Components screen, select a certified JDK. Refer to the Oracle certification matrix for the appropriate JDK to select. See http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls
In section 9.2.3.12.1, "Update Oracle HTTP Server Configuration," lines in the example file do not have the correct formatting; they are split between two lines but should be one line.
To fix this issue, replace:
oamhost1.mycompany.com:14100,oamhost2.mycompany.com:14100 WebLogicCluster
and
WebLogicCluster oamhost1.mycompany.com:14100,oamhost2.mycompany.com:14100
with the following line:
WebLogicCluster oamhost1.mycompany.com:14100,oamhost2.mycompany.com:14100