This chapter describes issues associated with the installation and configuration process of Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0). It includes the following sections:
This section describes general issues and workarounds. It includes the following topics:
Section 2.1.2, "Error Displayed in the Oracle Access Management Managed Server Logs"
Section 2.1.3, "Mandatory Patches for Enabling SSL on Oracle HTTP Server"
Section 2.1.5, "Modifying the Server Side Property for Oracle Identity Manager"
On AIX, the Simple security mode does not work with Oracle Access Management Server 11.1.2.
Workaround: Use either the Open or Cert security mode.
When you try to edit a policy in the Oracle Access Management administration console, the following error is displayed in the Oracle Access Management managed server logs:
<oracle.jps.policymgmt> <JPS-10606> <Failed to distribute policy to PDP OracleIDM for catch exception oracle.security.jps.service.policystore.PolicyStoreException: JPS-04028: Application with name "cn=OAM11gApplication,cn=jpsXmlFarm,cn=JPSContext,cn=jpsXmlRoot" does not exist..>
This exception is displayed every ten minutes even when the server is idle.
Workaround:
After the installation with the -C option, remove the following properties from the pdp.service instance properties in the jps-config.xml file.
<property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/>
<property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
Add the following new property to the pdp.service instance properties:
<property name="oracle.security.jps.pd.client.PollingTimerInterval" value="10"/>
The value is in seconds; set the value required by Oracle Access Management. Make these changes only for Oracle Identity Management installations such as Oracle Identity Manager or Oracle Access Manager.
The following is an example of a pdp.service instance in the jps-config.xml file after running the configSecurityStore command.
<serviceInstance name="pdp.service" provider="pdp.service.provider">
  <description>Runtime PDP service instance</description>
  <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="mixed"/>
  <property name="oracle.security.jps.runtime.instance.name" value="OracleIDM"/>
  <property name="oracle.security.jps.runtime.pd.client.sm_name" value="OracleIDM"/>
  <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/>
  <property name="oracle.security.jps.policystore.refresh.enable" value="true"/>
  <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
</serviceInstance>
This section describes the mandatory patches to be downloaded and installed for enabling SSL on Oracle HTTP Server.
Platform | Patch |
---|---|
Solaris (64 bit) | 14264658 |
Microsoft Windows x64 (64 bit) | 14264658 |
Solaris x86-64 (64 bit) | 14264658 |
IBM AIX (64 bit) | 14264658 |
Linux x86-64 | 14264658 |
To download the patches, do the following:
Log in to My Oracle Support.
Click Patches & Updates.
Select Patch name or Number.
Enter the patch number.
Click Search.
Download and install the patch.
To change log levels to SEVERE, do the following:
Logging.xml must have level=SEVERE for all log handlers and loggers (OAM_Server1, OIM_Server1, SOA).
Log in to the Admin Console at http://Hostname:port/console.
Click Lock and Edit to unlock the domain.
Click the Servers link.
Click on the server you want to make changes to.
Click Logging.
Click Advanced.
Do the following to change the log levels in Message destination(s):
Message destinations | Severity Level Desired | Default Setting |
---|---|---|
Log File | warning | Trace |
Standard out | error | Notice |
Domain log broadcaster | error | Notice |
Memory Buffer Severity | error | Blank |
Click Save.
Click Activate Changes.
Restart the servers.
Repeat the process for all desired servers (OAM_Server1, OIM_Server1, SOA).
The scheduler.disabled system property is required if you want to control scheduler start or stop on a clustered setup. The scheduler.disabled system property must be set to true if you do not want to start the scheduler service on that node of the cluster, and to false otherwise.
Following are the steps to modify the scheduler.disabled system property using the WebLogic console:
Log in to the Oracle WebLogic Administration Console using the WebLogic administrator credentials.
Under Domain Structure, click Environment > Servers. The Summary of Servers page is displayed.
Click the Oracle Identity Manager server name (for example, oim_server1). The Settings for oim_server1 page is displayed.
Click Configuration > Server Start.
In the Arguments text box, change the existing scheduler.disabled property to true or false as required.
Click Save.
Click Activate Changes.
Restart the Oracle Identity Manager Managed Server.
Note:
After you modify the scheduler.disabled system property, you must start the Managed Server using the Node Manager.
This section describes installation issues and workarounds. It includes the following topics:
Section 2.2.1, "Error when Installing Oracle Identity Manager Design Console"
Section 2.2.2, "Mandatory Patches Required for Installing Oracle Identity Manager"
When you are trying to install Oracle Identity Manager Design Console on a Windows machine that has a firewall between the machine and the Oracle Identity Manager server, the following error message is displayed when you run the config.cmd command:
Error in validating the Hostname field value.Entered host is not up and running
To install Oracle Identity Manager Design Console, you must open port 7 in the firewall.
This section describes the necessary patches that you must apply for installing and configuring Oracle Identity Manager.
Note:
This section provides the mandatory patches that were available at the time of publishing the release notes. For late-breaking changes and additional patch requirements, see My Oracle Support document ID 1536894.1.
Table 2-1 provides information about the mandatory patches required for Oracle Identity Manager. These patches can be applied in any order.
Table 2-1 Patches Required to Fix Specific Issues with Oracle Identity Manager 11gR2 (11.1.2.1.0)
Oracle Fusion Middleware Product or Component | Patch Number | When to Apply? | Description |
---|---|---|---|
Oracle SOA Suite | 16702086 | After installing Oracle SOA Suite | This is a mandatory Oracle SOA Suite Bundle Patch 11.1.1.6.7 patch. Follow the |
Oracle SOA Suite | 17988119, 18486891, 13973356 | After installing Oracle SOA Suite Bundle Patch 11.1.1.6.7 | These mandatory Oracle SOA Suite patches need to be applied after Oracle SOA Suite has been upgraded to Bundle Patch 11.1.1.6.7 using patch 16702086. Choose the 11.1.1.6.7 version of these patches, and follow the |
Oracle User Messaging Service | 16366204 | After installing Oracle SOA Suite | This is an Oracle User Messaging Service (UMS) patch. Choose the 11.1.1.6.0 version of this patch, and follow the |
Oracle WebCenter Portal | 16472592 | After installing Oracle Identity Manager | This is an Oracle WebCenter Portal patch. Follow the |
Oracle Application Development Framework | 19976022 | After installing Oracle Identity and Access Management | This is an Oracle Application Development Framework (ADF) patch. Follow the |
Oracle Platform Security Services | 16400771 | After installing Oracle Identity Manager | This is an Oracle Platform Security Services (OPSS) patch. Follow the |
Oracle Virtual Directory - Identity Virtualization Library (libOVD) | 18919213 | After installing Oracle Identity and Access Management | This is a mandatory patch if you are using Identity Virtualization Library (libOVD). Note that this patch is classified as an Oracle Virtual Directory patch. Download the 11.1.1.6.0 version of this patch, and follow the |
Oracle Virtual Directory - Oracle Directory Server Enterprise Edition | 14016801 | After installing Oracle Directory Server Enterprise Edition | This is a mandatory patch if you are using Oracle Directory Server Enterprise Edition. Note that this patch is classified as an Oracle Virtual Directory patch. Download the 11.1.1.6.0 version of this patch, and follow the |
Oracle Unified Directory | 18489893 | After installing Oracle Unified Directory | This is a mandatory patch if you are using Oracle Unified Directory. Download the version of this patch that corresponds with the version of Oracle Unified Directory you installed. Follow the |
Oracle Access Manager | 16513008 | After installing Oracle Identity and Access Management | You must apply this patch if you plan to integrate Oracle Identity Manager with Oracle Access Manager. Follow the |
Oracle Business Intelligence Publisher | 14630670 | After installing Oracle Identity Manager | This is an Oracle Business Intelligence Publisher patch. Follow the |
Oracle IDM Tools | 17008132 | After installing Oracle Identity and Access Management | This is an Oracle IDM Tools patch. Follow the |
Oracle Business Intelligence Publisher | 14088000 | After installing Oracle Identity Manager | This is an Oracle Business Intelligence Publisher patch. Follow the |
Enterprise Manager for Fusion Middleware | 17375780 | After installing Oracle Identity and Access Management | This is an Enterprise Manager patch. Follow the |
To download the patches, do the following:
Log in to My Oracle Support.
Click Patches & Updates.
Select Patch name or Number.
Enter the patch number.
Click Search.
Download and install the patch.
If you are using Oracle WebLogic Server, the patching instructions are mentioned in the README.txt file that is provided with each patch.
If you are using IBM WebSphere, follow the instructions provided below:
Navigate to the Patch_Home directory where the patch is located.
Set the environment variable ORACLE_HOME to point to the SOA_HOME directory.
For example:
setenv ORACLE_HOME /mydirectory/myfolders/Oracle_SOA1
Set the environment variable PATH to include the OPatch directory.
For example:
setenv PATH /mydirectory/myfolders/Oracle_SOA1/OPatch:$PATH
Execute the opatch command, as follows:
opatch apply -jdk Path_To_IBM_jdk
For example:
opatch apply -jdk WAS_HOME/java
In a join-domain scenario between Oracle Identity Manager and Oracle Access Management, the keystore file configured in the Oracle Platform Security Services configuration does not exist, but the passwords are already available in the Credential Store Framework store from the Oracle Identity Manager installation. Hence, when the Oracle Access Management server tries to store the keystore file, it fails because the key already exists.
Workaround:
Before starting the Administration Server, copy the keystore file from the Oracle Identity Manager domain to the Oracle Access Management domain's keystore location.
For example: copy the default keystore (.jks) file from <OIM domain>/config/fmwconfig to <OAM domain>/config/fmwconfig.
Note:
This step should be performed after you have configured the Oracle Access Management domain using config.sh but before you start the Administration Server.
In the Oracle Identity Manager domain, look for the default context in jps-config.xml.
Under this context, locate the keystore service and the keystore file location.
Copy this keystore (.jks) file to the location defined for the Oracle Access Management domain keystore in the Oracle Platform Security Services (jps-config.xml) configuration.
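The lookup and copy just described can be scripted. The following Python script is an added example and not Oracle's code: it finds the keystore service instance referenced by the default jpsContext of the Oracle Identity Manager domain's jps-config.xml, resolves its location attribute relative to the config directory, and copies the file into the Oracle Access Management domain's fmwconfig directory, refusing to overwrite a keystore that already exists there. The jps-config.xml layout in the constructed sample (the jpsContexts default attribute, serviceInstanceRef ref, serviceProvider type="KEY_STORE", and the serviceInstance location attribute) is assumed from typical 11g files; check the attribute names against your own domain's file before relying on it.

```python
"""Copy the default-context OPSS keystore from one domain into another.

Added example, not Oracle's code. The jps-config.xml shape below is a
constructed sample that assumes the usual 11g layout.
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider type="KEY_STORE" name="keystore.provider" class="oracle.security.jps.internal.keystore.KeyStoreProvider"/>
    <serviceProvider type="CREDENTIAL_STORE" name="credstoressp" class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="credstore" provider="credstoressp" location="./"/>
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
      <property name="keystore.type" value="JKS"/>
    </serviceInstance>
    <serviceInstance name="keystore.alt" provider="keystore.provider" location="./other.jks"/>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="keystore"/>
    </jpsContext>
    <jpsContext name="other">
      <serviceInstanceRef ref="keystore.alt"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def _named(root, local_name):
    """All elements under root whose tag (namespace stripped) matches local_name."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == local_name]


def default_keystore_location(jps_config_path):
    """Absolute path of the keystore file used by the default jpsContext."""
    root = ET.parse(jps_config_path).getroot()
    contexts = _named(root, "jpsContexts")[0]
    default_name = contexts.get("default")
    ctx = next(c for c in _named(contexts, "jpsContext") if c.get("name") == default_name)
    refs = {r.get("ref") for r in _named(ctx, "serviceInstanceRef")}
    ks_providers = {p.get("name") for p in _named(root, "serviceProvider")
                    if p.get("type") == "KEY_STORE"}
    for inst in _named(root, "serviceInstance"):
        if inst.get("name") in refs and inst.get("provider") in ks_providers:
            location = inst.get("location")
            if not location:
                raise ValueError(f"keystore instance {inst.get('name')} has no location")
            base = os.path.dirname(os.path.abspath(jps_config_path))
            return os.path.normpath(os.path.join(base, location))
    raise ValueError("default jpsContext references no KEY_STORE service instance")


def copy_keystore(src_jps_config, dst_fmwconfig, overwrite=False):
    """Copy the source domain's default keystore into dst_fmwconfig; return the new path."""
    src = default_keystore_location(src_jps_config)
    dst = os.path.join(dst_fmwconfig, os.path.basename(src))
    if os.path.exists(dst) and not overwrite:
        raise FileExistsError(f"refusing to overwrite existing keystore {dst}")
    shutil.copy2(src, dst)  # copy2 keeps the file's timestamps and permission bits
    return dst


def demo():
    """Run the copy against constructed OIM and OAM domain trees in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        oim = os.path.join(tmp, "oim_domain", "config", "fmwconfig")
        oam = os.path.join(tmp, "oam_domain", "config", "fmwconfig")
        os.makedirs(oim)
        os.makedirs(oam)
        cfg = os.path.join(oim, "jps-config.xml")
        with open(cfg, "w", encoding="utf-8") as f:
            f.write(SAMPLE_JPS_CONFIG)
        # constructed stand-in for the .jks file: the JKS magic number plus filler
        with open(os.path.join(oim, "default-keystore.jks"), "wb") as f:
            f.write(b"\xfe\xed\xfe\xed" + b"constructed keystore bytes")
        dst = copy_keystore(cfg, oam)
        with open(dst, "rb") as f:
            copied = f.read()
        try:
            copy_keystore(cfg, oam)  # second run must refuse to clobber the copy
            refused = False
        except FileExistsError:
            refused = True
        return os.path.basename(dst), copied, refused


if __name__ == "__main__":
    print(demo())
```

Run it with the real paths in place of the temp directories built by demo(); the overwrite guard is deliberate, because a keystore already present in the target domain is exactly the state this workaround is meant to avoid creating by accident.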
This section describes configuration issues and their workarounds. It includes the following topics:
Section 2.3.2, "Launching Oracle Identity Manager Configuration Wizard on AIX with JDK7"
Section 2.3.3, "Unable to Add Weblogic Password in the Fusion Middleware Configuration Wizard"
Chapter 2, "Use Absolute Paths While Running configureSecurityStore.py With -m Join"
Section 2.3.7, "Weblogic Server Configuration Wizard does not support JDK6 on AIX7"
When you start the Oracle Fusion Middleware Configuration Wizard by running the config.cmd or the config.sh command, the following error message is displayed:
*sys-package-mgr*: can't create package cache dir
The error message indicates that the default cache directory is not valid. You can change the cache directory by including the -Dpython.cachedir=<valid_directory> option in the command line.
You cannot launch the Oracle Identity Manager Configuration Wizard on AIX with JDK7 when you run the script $<ORACLE_HOME>/bin/config.sh.
The Oracle Universal Installer window appears if you add the -jreLoc option to the command line: $<ORACLE_HOME>/bin/config.sh -jreLoc <JRE_HOME>
In the Fusion Middleware Configuration Wizard, you cannot add the WebLogic password in the Configure Administrator User Name and Password screen.
Workaround:
When you are prompted to enter the WebLogic user password, you may not be able to enter the password. Click Next to go to the next screen. An error is displayed: Password cannot be empty. Go back to the previous screen and type the password again.
Note:
Before running the Oracle Fusion Middleware Configuration Wizard, ensure that you have installed the following:
Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5)
Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)
Oracle Identity and Access Management 11g Release 2 (11.1.2)
The following are the steps that must be followed after installing Oracle Access Management 11g Release 2 (11.1.2) or Oracle Identity Manager 11g Release 2 (11.1.2):
Configure the domain.
Configure the security store (Configsecuritystore).
Copy the jps-config.xml file to jps-config.xml_old for recovery and reference.
Do the following to edit the jps-config.xml file:
Look for the XML element
<serviceInstance name="pdp.service" provider="pdp.service.provider">
Delete the following two entries:
<property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/>
<property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
After you delete these two properties, their default values are used. The default values are true and 600000 (10 minutes) respectively.
Add the following entry in the same section:
<property name="oracle.security.jps.pd.client.PollingTimerInterval" value="31536000"/>
The edited XML must look like the following:
<serviceInstance name="pdp.service" provider="pdp.service.provider">
  <description>Runtime PDP service instance</description>
  <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="mixed"/>
  <property name="oracle.security.jps.runtime.instance.name" value="OracleIDM"/>
  <property name="oracle.security.jps.runtime.pd.client.sm_name" value="OracleIDM"/>
  <property name="oracle.security.jps.policystore.refresh.enable" value="true"/>
  <property name="oracle.security.jps.pd.client.PollingTimerInterval" value="31536000"/>
</serviceInstance>
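The edit above, and the same edit with the 10-second value in the earlier Oracle Access Management managed-server log workaround, can be scripted instead of done by hand in an editor. The following Python script is an added example, not Oracle's code: it removes the two properties from every serviceInstance named pdp.service, adds or updates PollingTimerInterval, and for the file variant first copies the file to jps-config.xml_old as the steps direct. The serviceInstance body in the constructed sample is the one shown above; the enclosing jpsConfig and serviceInstances elements and the namespace URI are assumed.

```python
"""Script the pdp.service edit to an OPSS jps-config.xml.

Added example (not Oracle's code). Removes the two properties the release
notes say to delete, then adds or updates PollingTimerInterval.
"""
import shutil
import xml.etree.ElementTree as ET

REMOVE = (
    "oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled",
    "oracle.security.jps.ldap.policystore.refresh.interval",
)
POLLING = "oracle.security.jps.pd.client.PollingTimerInterval"

# Constructed sample: the pdp.service instance from the release notes, wrapped in
# the enclosing elements and namespace a jps-config.xml has (assumed here).
SAMPLE = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <description>Runtime PDP service instance</description>
      <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="mixed"/>
      <property name="oracle.security.jps.runtime.instance.name" value="OracleIDM"/>
      <property name="oracle.security.jps.runtime.pd.client.sm_name" value="OracleIDM"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/>
      <property name="oracle.security.jps.policystore.refresh.enable" value="true"/>
      <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _ns(tag):
    """Return the '{uri}' prefix of a tag, or '' if it has none."""
    return tag[: tag.index("}") + 1] if tag.startswith("{") else ""


def _register_default_ns(root):
    """Keep the document's default namespace unprefixed when serialising."""
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:root.tag.index("}")])


def fix_pdp_service(root, polling_seconds):
    """Apply the edit in place. Returns (removed property names, changed flag)."""
    instances = [e for e in root.iter()
                 if _local(e.tag) == "serviceInstance" and e.get("name") == "pdp.service"]
    if not instances:
        raise ValueError("no serviceInstance named pdp.service found")
    removed, changed = [], False
    for inst in instances:
        for prop in list(inst):  # iterate over a copy: the loop removes children
            if _local(prop.tag) == "property" and prop.get("name") in REMOVE:
                inst.remove(prop)
                removed.append(prop.get("name"))
                changed = True
        existing = [p for p in inst if _local(p.tag) == "property" and p.get("name") == POLLING]
        if existing:
            if existing[0].get("value") != str(polling_seconds):
                existing[0].set("value", str(polling_seconds))
                changed = True
        else:
            ET.SubElement(inst, _ns(inst.tag) + "property",
                          name=POLLING, value=str(polling_seconds))
            changed = True
    return removed, changed


def fix_pdp_service_text(xml_text, polling_seconds):
    """Same edit on an XML string; returns (new text, removed names, changed)."""
    root = ET.fromstring(xml_text)
    _register_default_ns(root)
    removed, changed = fix_pdp_service(root, polling_seconds)
    return ET.tostring(root, encoding="unicode"), removed, changed


def fix_pdp_service_file(path, polling_seconds):
    """Back the file up to <path>_old (as the steps direct), then edit it in place."""
    shutil.copy2(path, path + "_old")
    tree = ET.parse(path)
    _register_default_ns(tree.getroot())
    removed, changed = fix_pdp_service(tree.getroot(), polling_seconds)
    if changed:
        tree.write(path, encoding="UTF-8", xml_declaration=True)
    return removed, changed


def pdp_properties(xml_text):
    """Map of property name -> value for the pdp.service instance, for checking the result."""
    root = ET.fromstring(xml_text)
    inst = next(e for e in root.iter()
                if _local(e.tag) == "serviceInstance" and e.get("name") == "pdp.service")
    return {p.get("name"): p.get("value") for p in inst if _local(p.tag) == "property"}


if __name__ == "__main__":
    new_xml, removed, changed = fix_pdp_service_text(SAMPLE, 31536000)
    print("removed:", removed, "changed:", changed)
    print(new_xml)
```

The edit is idempotent: running it a second time reports no change, so it can sit in a post-configuration script without corrupting a file that was already fixed. Pass 10 instead of 31536000 for the managed-server log workaround earlier in this chapter.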
The Configure Security Store fails to create the policy store object when using variables such as ORACLE_HOME and MW_HOME while running configureSecurityStore.py with the -m join parameter. Specify absolute paths for ORACLE_HOME and MW_HOME while running the command with the -m join parameter.
On Windows, when you run the command configSecurityStore.py, the -m validate option succeeds, but the following error is reported towards the end of the command:
c:\Amy_OPAM\Oracle\Middleware\Oracle_RC3\common\bin>wlst.cmd ..\tools\configureSecurityStore.py -d c:\Amy_OPAM\Oracle\Middleware\user_projects\domains\OPAM_RC3_Domain2 -c IAM -m join -p welcome1 -k c:\Amy_OPAM\software\RC3\ -w welcome1
Error: Failed to join security store, unable to locate diagnostics data.
Error: Join operation has failed.
Workaround:
Ignore the error. Even though the error is reported, there is no functional impact because the newly created server with the join option can start successfully and continue to service requests.
Weblogic Server configuration wizard displays the warning CFGFWK-60895 for JDK 1.6.0.9.2 on AIX 7 for Oracle Access Management, Oracle Adaptive Access Manager, and Oracle Privileged Account Manager.
Workaround:
Install Weblogic Server.
Install SOA.
Install Oracle Identity and Access Management.
Run the configuration wizard.
Create an Oracle Identity Manager (OIM) domain.
Create domains for Oracle Access Management, Oracle Adaptive Access Manager, and Oracle Privileged Account Manager.
You get the warning CFGFWK-60895: The selected JDK version is lower than recommended minimum version.
Click Cancel and select a different JDK, or click OK to proceed with the same JDK.
Note:
Warning CFGFWK-60895 does not interfere with functionality.
When you select the Oracle Entitlements Server template for the Administration Server, by default Access Policy Manager is deployed to the Administration Server.
But when a cluster for any component is created with more than one server instance, APM is targeted to the clustered servers and not the Administration Server, which causes the servers within the cluster to come up in administration mode.
For example, if you have a domain with one instance each of Oracle Identity Manager, SOA, and Oracle Access Management, the Access Policy Manager is targeted to the Administration Server. However, if you create another instance of Oracle Identity Manager, so that it has two instances at the time of domain creation, then the Access Policy Manager is deployed to the clustered servers (in this case the Oracle Identity Manager servers) and not the Administration Server.
Workaround:
Log in to Weblogic administration console.
Click Deployments.
Click oracle.security.apm (11.1.1.3.0).
Click Targets.
Click Lock & Edit.
Select oracle.security.apm (11.1.1.3.0).
Click Change Targets.
Select AdminServer.
Click Yes.
Click Activate Changes and restart the administration server.
When you install Oracle Identity Manager on Weblogic Server (10.3.5.0), the request fails with the following exception:
Unable to instantiate the workflow process due to: Tasklist mapping failed for workflowdefinition: default/DefaultRequestApproval!1.0 due to oracle.bpel.services.workflow.query.ejb.TaskQueryService_oz1ipg_HomeImpl_1035_WLStub cannot be cast to oracle.bpel.services.workflow.query.ejb.TaskQueryServiceRemoteHome.
This happens when initiating the approvals for a request.
Workaround:
For Weblogic Server 10.3.5, you must download and install patch 12944361. Weblogic Server 10.3.6 does not require this patch.
configSecurityStore.py Command When Using Sun JDK 1.7
The command configSecurityStore.py fails to run when installing Oracle Identity and Access Management 11g Release 2 components on Solaris 10 SPARC or higher versions using JDK 1.7. This occurs because of the implementation of the PKCS11-Solaris security provider.
Workaround:
Back up the file $JAVA_HOME/jre/lib/security/java.security.
Open the file $JAVA_HOME/jre/lib/security/java.security in a text editor and modify the provider list.
Ensure that sun.security.pkcs11.SunPKCS11 is at the beginning of the provider list. Modify the provider list, as in the following example:
security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.2=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg
...
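The provider-list edit above can be checked and applied with a script rather than by hand. The following Python is an added example, not Oracle's code: it reads the security.provider.N lines of java.security, moves sun.security.pkcs11.SunPKCS11 to position 1, renumbers the remaining providers without gaps, and leaves every other line of the file untouched. It refuses to rewrite a file whose provider indices are not a contiguous 1..n sequence in file order, since renumbering such a file blindly would silently change which providers are consulted. The sample lines are constructed to resemble the Solaris JDK 7 file quoted above; the .bak backup name in the file variant is this example's choice.

```python
"""Move SunPKCS11 to the head of the java.security provider list.

Added example, not Oracle's code. The input is a constructed excerpt of a
Solaris JDK 7 java.security file.
"""
import re
import shutil

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(.*)$")
SUNPKCS11 = "sun.security.pkcs11.SunPKCS11"

SAMPLE_JAVA_SECURITY = """# constructed excerpt of $JAVA_HOME/jre/lib/security/java.security
security.provider.1=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg
security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.3=sun.security.provider.Sun
security.provider.4=sun.security.rsa.SunRsaSign
securerandom.source=file:/dev/urandom
"""


def provider_list(text):
    """Provider values in index order; fails if the indices are not 1..n in file order."""
    found = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2).strip()))
    indices = [i for i, _ in found]
    if indices != list(range(1, len(found) + 1)):
        raise ValueError(f"provider indices are not contiguous from 1 in file order: {indices}")
    return [value for _, value in found]


def reorder_providers(text, first=SUNPKCS11):
    """Return (new text, changed). The provider whose class is `first` becomes provider 1."""
    providers = provider_list(text)
    hits = [i for i, p in enumerate(providers) if p.split()[0] == first]
    if not hits:
        raise ValueError(f"{first} is not in the provider list")
    i = hits[0]
    new_order = [providers[i]] + providers[:i] + providers[i + 1:]
    if new_order == providers:
        return text, False
    out, n = [], 0
    for line in text.splitlines(keepends=True):
        if PROVIDER_RE.match(line.strip()):
            n += 1
            eol = line[len(line.rstrip("\r\n")):]  # keep the file's own line ending
            out.append(f"security.provider.{n}={new_order[n - 1]}{eol}")
        else:
            out.append(line)
    return "".join(out), True


def reorder_providers_file(path, first=SUNPKCS11):
    """Back up java.security to path + '.bak' (the workaround's first step), then rewrite it."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text, changed = reorder_providers(text, first)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return changed


if __name__ == "__main__":
    new_text, changed = reorder_providers(SAMPLE_JAVA_SECURITY)
    print("changed:", changed)
    print(new_text)
```

Because the function only renumbers lines that already match security.provider.N, comments, the securerandom.source setting and everything else in java.security come through byte for byte, which makes the resulting diff easy to review before the JDK is used for configSecurityStore.py.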
If you start the OES domain without running the configureSecurityStore.py script, the server fails to start with the following exception:
oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to perform cryptographic operation
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
Workaround:
Export the domain encryption key from a domain in the same logical Oracle Identity and Access Management deployment that is already configured to work with the database security store, and then run the configureSecurityStore.py script.
exportEncryptionKey(jpsConfigFile=jpsConfigFile_Loc,keyFilePath=keyFilePath,keyFilePassword=keyFilePassword)
where:
jpsConfigFile_Loc is the absolute location of the jps-config.xml file in the domain from which the encryption key is being exported.
keyFilePath is the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by keyFilePassword.
keyFilePassword is the password used to secure the file ewallet.p12; note that this same password must be used when importing that file.