Skip Headers
Oracle® Fusion Middleware Identity Management Release Notes
11g Release 2 (11.1.2.1)

Part Number E39887-12
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

8 Oracle Privileged Account Manager

This chapter describes issues associated with Oracle Privileged Account Manager. It includes the following topics:

8.1 General Issues and Workarounds

This section describes general issue and workarounds. It includes the following topics:

8.1.1 No Translation (Messages or Help) Support for OPAM Command Line Tools

Oracle Privileged Account Manager command-line tool messages and help were not translated in the Oracle Privileged Account Manager 11.1.2.0.0 release.

Translation support for the Oracle Privileged Account Manager command-line tool messages and help will be provided after the 11.1.2.0.0 release.

8.1.2 Error in OPAM-OIM-WLS-OUD if Account Contains Single Quote

If you are setting up an Oracle Privileged Account Manager-Oracle Identity Manager-Oracle Unified Directory-WebLogic Server integration environment and run an OPAM Catalog Synchronization job using a privileged account name that contains a single quote character ('), an exception will occur.

Example trace from oim_server1-diagnostic.log:

oracle.iam.catalog.exception.CatalogException: Failed to update the Catalog items
with Entity name as 5~cn=testGroup,cn=OPAM,cn=components,cn=IDMRoles,cn=IDMSuite,
dc=example,dc=com at oracle.iam.catalog.repository.DBRepository.updateCatalogItems
(DBRepository.java:651) at oracle.iam.catalog.impl.CatalogServiceImpl.
updateCatalogItems(CatalogServiceImpl.java:84)

Or

[2013-03-14T19:28:40.270-07:00] [oim_server1] [ERROR] []
[oracle.iam.catalog.repository] [tid: OIMQuartzScheduler_Worker-10] 
[userId:oiminternal] [ecid: 0000JpfolZb0vlP5Ifs1yf1HGcF7000003,1:21679] 
[APP:oim#11.1.2.0.0] Invalid column index[[java.sql.SQLException: Invalid column index at oracle.jdbc.driver.OraclePreparedStatement.setTimestampInternal
(OraclePreparedStatement.java:9203)
at oracle.jdbc.driver.OraclePreparedStatement.setTimestamp
  (OraclePreparedStatement.java:9168)
at oracle.jdbc.driver.OraclePreparedStatementWrapper.setTimestamp
  (OraclePreparedStatementWrapper.java:334)
at weblogic.jdbc.wrapper.PreparedStatement.setTimestamp
  (PreparedStatement.java:1038)
at oracle.iam.catalog.repository.DBRepository$1.process(DBRepository.java:614)
at oracle.iam.catalog.repository.DBRepository$1.process(DBRepository.java:554)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction
  (OIMTransactionCallback.java:13)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction
  (OIMTransactionCallback.java:6)
at org.springframework.transaction.support.TransactionTemplate.execute
  (TransactionTemplate.java:128)
at oracle.iam.platform.tx.OIMTransactionManager.execute
  (OIMTransactionManager.java:22)
at oracle.iam.catalog.repository.DBRepository.updateCatalogItems
  (DBRepository.java:554)
at oracle.iam.catalog.impl.CatalogServiceImpl.updateCatalogItems
  (CatalogServiceImpl.java:84)

8.1.3 OPAM-OIM:OPAM Catalog Sync Job Fails if Group Name Contains Non-ASCII

If you are setting up an Oracle Privileged Account Manager-Oracle Identity Manager-Oracle Unified Directory-WebLogic integration environment and run an OPAM Catalog Synchronization job using a group name that contains non-ASCII characters, the job will fail with an error.

If you are setting up an Oracle Privileged Account Manager-Oracle Identity Manager-Oracle Unified Directory-IBM WebSphere integration environment and run an OPAM Catalog Synchronization job using a group name that contains a special German Eszett character (ß), the job will fail with an error.

8.1.4 idmconfigtool Does Not Create OPAM Admin Roles in Groups Container

When you execute the steps to create Oracle Privileged Account Manager Admin Roles, the roles are created under IDSTORE_SEARCHBASE instead of IDSTORE_GROUPSEARCHBASE in the properties file that is passed into the idmConfigTool. This result makes configuring an authenticator against that identity store more complex, and it diverges from the process that is documented in the "Preparing the Identity Store" section of the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

Workaround: To address this issue, apply BLR patch #16570348. You can download this patch from My Oracle Support at the following location:

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info

After applying this patch, the idmConfigTool will work as documented in the Administrator's Guide.

8.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topic:

8.2.1 Use Absolute Paths While Running configureSecurityStore.py With -m Join

The Config Security Store fails to create the policy store object when using variables such as ORACLE_HOME and MW_HOME while running wlst.sh using configureSecurityStore.py with -m join.

Always use absolute paths for ORACLE_HOME and MW_HOME while running the command for -m join.

8.2.2 Upgrade: CSF Mapping Does Not Get Imported

Oracle Privileged Account Manager privileged accounts can optionally contain CSF mappings to synchronize account credentials with the Oracle Credential Store Framework (see "Adding CSF Mappings" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager).

The Oracle Privileged Account Manager command line tool (CLI) export command does not export these optionally configured CSF mappings to the exported XML file. As a result, if you export Oracle Privileged Account Manager data to XML and import the data back from the exported XML, then the CSF mappings will be missing.

Workaround: You must manually update the CSF mappings as follows:

  1. Use the CLI retrieveaccount command to retrieve the account details, including the CSF mappings. (See "retrieveaccount Command" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.)

  2. Use the retrieveaccount command to fetch and save details about the relevant accounts.

  3. Export the data by using the export command.

  4. Import the data by using the import command.

  5. Use the saved account details to manually update the CSF mappings for relevant accounts. (See "Adding CSF Mappings" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager).

8.3 Documentation Errata

This section contains documentation errata for the following publications:

8.3.1 Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager

There are no documentation errata items for the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager 11g Release 2 (11.1.2.1.0), Part Number E27152-03.

8.3.2 Oracle Fusion Middleware High Availability Guide

This section contains documentation errata for the Oracle Fusion Middleware High Availability Guide.

In the Oracle Fusion Middleware High Availability Guide for 11g Release 2 (11.1.2.1.0), Part Number E28391-04, update the following:

  • In sections 9.8.5.3 and 9.8.5.4.1, the Installing and Configuring Oracle Identity and Access Management guide release number should read "11.1.2.1.0".

  • In section 9.8.5.4.1, Configuring Oracle Identity Management on OPAMHOST1, after Item 2 (Install the Oracle Identity and Access Management software), add the following step: "Optionally, Oracle Privileged Account Manager can operate with Oracle Database TDE (Transparent Data Encryption) mode. For more information, see Section 9.4, Optional: Enabling TDE in Oracle Privileged Account Manager Data Store in the guide Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  • At the end of section 9.8.5.4.5, Starting Oracle Privileged Account Manager on OPAMHOST1, add the following item: "For more information, see sections 9.9, Assigning the Application Configurator Role to a User and 9.10, Optional: Setting Up Non-TDE Mode in the guide Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. Section 9.10 Optional: Setting Up Non-TDE Mode is required only if you did not set up TDE as section 9.8.4.1 explains in the guide Installing and Configuring Oracle Identity and Access Management.

8.3.3 Oracle Fusion Middleware Patching Guide for Identity and Access Management

This section contains documentation errata for the Oracle Fusion Middleware Patching Guide for Identity and Access Management 11g Release 2 (11.1.2.1.0), Part Number E36789-02.

The order of sections provided for patching Oracle Privileged Account Manager in the Oracle Fusion Middleware Patching Guide for Identity and Access Management must be corrected. When patching Oracle Privileged Account Manager you must perform the steps in the following order:

  1. Enable TDE in Oracle Privileged Account Manager Data Store or
    Configure Non-TDE Mode

  2. Import Pre-Upgrade OPAM Data

Consequently, the sections provided in the Oracle Fusion Middleware Patching Guide for Identity and Access Management must be rearranged as follows:

  • 3.7.5 "Optional: Enabling TDE in Oracle Privileged Account Manager Data Store"

  • 3.7.6. "Optional: Configuring Non-TDE Mode"

  • 3.7.7 "Importing Pre-Upgrade OPAM Data"