8 Oracle Privileged Account Manager

This chapter describes issues associated with Oracle Privileged Account Manager. It includes the following topics:

8.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

8.1.1 No Translation (Messages or Help) Support for OPAM Command Line Tools

Oracle Privileged Account Manager command-line tool messages and help were not translated in the Oracle Privileged Account Manager 11.1.2.0.0 release.

Translation support for the Oracle Privileged Account Manager command-line tool messages and help will be provided after the 11.1.2.0.0 release.

8.1.2 Error in OPAM-OIM-WLS-OUD if Account Contains Single Quote

If you are setting up an Oracle Privileged Account Manager-Oracle Identity Manager-Oracle Unified Directory-WebLogic Server integration environment and run an OPAM Catalog Synchronization job using a privileged account name that contains a single quote character ('), an exception will occur.

Example trace from oim_server1-diagnostic.log:

oracle.iam.catalog.exception.CatalogException: Failed to update the Catalog items
with Entity name as 5~cn=testGroup,cn=OPAM,cn=components,cn=IDMRoles,cn=IDMSuite,
dc=example,dc=com at oracle.iam.catalog.repository.DBRepository.updateCatalogItems
(DBRepository.java:651) at oracle.iam.catalog.impl.CatalogServiceImpl.
updateCatalogItems(CatalogServiceImpl.java:84)

Or

[2013-03-14T19:28:40.270-07:00] [oim_server1] [ERROR] []
[oracle.iam.catalog.repository] [tid: OIMQuartzScheduler_Worker-10] 
[userId:oiminternal] [ecid: 0000JpfolZb0vlP5Ifs1yf1HGcF7000003,1:21679] 
[APP:oim#11.1.2.0.0] Invalid column index[[java.sql.SQLException: Invalid column index at oracle.jdbc.driver.OraclePreparedStatement.setTimestampInternal
(OraclePreparedStatement.java:9203)
at oracle.jdbc.driver.OraclePreparedStatement.setTimestamp
  (OraclePreparedStatement.java:9168)
at oracle.jdbc.driver.OraclePreparedStatementWrapper.setTimestamp
  (OraclePreparedStatementWrapper.java:334)
at weblogic.jdbc.wrapper.PreparedStatement.setTimestamp
  (PreparedStatement.java:1038)
at oracle.iam.catalog.repository.DBRepository$1.process(DBRepository.java:614)
at oracle.iam.catalog.repository.DBRepository$1.process(DBRepository.java:554)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction
  (OIMTransactionCallback.java:13)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction
  (OIMTransactionCallback.java:6)
at org.springframework.transaction.support.TransactionTemplate.execute
  (TransactionTemplate.java:128)
at oracle.iam.platform.tx.OIMTransactionManager.execute
  (OIMTransactionManager.java:22)
at oracle.iam.catalog.repository.DBRepository.updateCatalogItems
  (DBRepository.java:554)
at oracle.iam.catalog.impl.CatalogServiceImpl.updateCatalogItems
  (CatalogServiceImpl.java:84)

8.1.3 OPAM-OIM: OPAM Catalog Sync Job Fails if Group Name Contains Non-ASCII

If you are setting up an Oracle Privileged Account Manager-Oracle Identity Manager-Oracle Unified Directory-WebLogic integration environment and run an OPAM Catalog Synchronization job using a group name that contains non-ASCII characters, the job will fail with an error.

If you are setting up an Oracle Privileged Account Manager-Oracle Identity Manager-Oracle Unified Directory-IBM WebSphere integration environment and run an OPAM Catalog Synchronization job using a group name that contains a special German Eszett character (ß), the job will fail with an error.
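A pre-flight check for the two catalog sync failure modes described in 8.1.2 and 8.1.3, so that offending account and group names are found before the job runs. This is an added example, not Oracle code; the (kind, name) entry format and the sample names are constructed assumptions.

```python
"""Pre-flight check for the documented OPAM Catalog Synchronization failures:
a single quote in a privileged account name, and non-ASCII characters in a
group name. Added example, not Oracle code; entry format is an assumption."""
from typing import List, Tuple

# Constructed sample input: (entry kind, name) pairs as the sync job would
# see them. Not real OPAM data.
SAMPLE_ENTRIES = [
    ("account", "oracle_dba"),
    ("account", "o'connor_admin"),   # single quote: fails on every target
    ("group", "testGroup"),
    ("group", "Straße_Admins"),      # Eszett: documented failure on WLS and WAS
    ("group", "équipe_réseau"),      # non-ASCII without ß: documented WLS failure
]


def sync_risks(entries, app_server="weblogic") -> List[Tuple[str, str, str]]:
    """Return [(kind, name, reason)] for entries that would trip the
    documented catalog sync bugs on the given application server
    ("weblogic" or "websphere")."""
    risks: List[Tuple[str, str, str]] = []
    for kind, name in entries:
        if kind == "account" and "'" in name:
            risks.append((kind, name, "single quote in account name"))
        elif kind == "group":
            non_ascii = any(ord(c) > 127 for c in name)
            # WebLogic: any non-ASCII group name fails (8.1.3, first paragraph).
            if app_server == "weblogic" and non_ascii:
                risks.append((kind, name, "non-ASCII characters in group name"))
            # WebSphere: the page documents only the Eszett case (8.1.3, second
            # paragraph), so only that character is flagged here.
            elif app_server == "websphere" and "ß" in name:
                risks.append((kind, name, "Eszett (ß) in group name"))
    return risks


if __name__ == "__main__":
    for target in ("weblogic", "websphere"):
        for kind, name, reason in sync_risks(SAMPLE_ENTRIES, target):
            print(f"{target}: {kind} '{name}': {reason}")
```

Run it against the real account and group names before starting the OPAM Catalog Synchronization job and rename or skip any entry it reports.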

8.1.4 idmconfigtool Does Not Create OPAM Admin Roles in Groups Container

When you execute the steps to create Oracle Privileged Account Manager Admin Roles, the roles are created under the IDSTORE_SEARCHBASE location instead of the IDSTORE_GROUPSEARCHBASE location specified in the properties file that is passed to idmConfigTool. This makes configuring an authenticator against that identity store more complex, and it diverges from the process documented in the "Preparing the Identity Store" section of the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

Workaround: To address this issue, apply BLR patch #16570348. You can download this patch from My Oracle Support at the following location:

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info

After applying this patch, the idmConfigTool will work as documented in the Administrator's Guide.

8.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topic:

8.2.1 Use Absolute Paths While Running configureSecurityStore.py With -m Join

The Config Security Store fails to create the policy store object when ORACLE_HOME and MW_HOME are supplied as variables (rather than as literal paths) while running wlst.sh with configureSecurityStore.py and -m join.

Always use absolute paths for ORACLE_HOME and MW_HOME while running the command for -m join.

8.2.2 Upgrade: CSF Mapping Does Not Get Imported

Oracle Privileged Account Manager privileged accounts can optionally contain CSF mappings to synchronize account credentials with the Oracle Credential Store Framework (see "Adding CSF Mappings" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager).

The Oracle Privileged Account Manager command line tool (CLI) export command does not export these optionally configured CSF mappings to the exported XML file. As a result, if you export Oracle Privileged Account Manager data to XML and import the data back from the exported XML, then the CSF mappings will be missing.

Workaround: You must manually update the CSF mappings as follows:

  1. Use the CLI retrieveaccount command to retrieve the account details, including the CSF mappings. (See "retrieveaccount Command" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.)

  2. Use the retrieveaccount command to fetch and save details about the relevant accounts.

  3. Export the data by using the export command.

  4. Import the data by using the import command.

  5. Use the saved account details to manually update the CSF mappings for the relevant accounts. (See "Adding CSF Mappings" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.)

8.3 Documentation Errata

This section contains documentation errata for the following publications:

8.3.1 Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager

There are no documentation errata items for the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager 11g Release 2 (11.1.2.1.0), Part Number E27152-03.

8.3.2 Oracle Fusion Middleware High Availability Guide

This section contains documentation errata for the Oracle Fusion Middleware High Availability Guide.

In the Oracle Fusion Middleware High Availability Guide for 11g Release 2 (11.1.2.1.0), Part Number E28391-04, update the following:

  • In sections 9.8.5.3 and 9.8.5.4.1, the Installing and Configuring Oracle Identity and Access Management guide release number should read "11.1.2.1.0".

  • In section 9.8.5.4.1, Configuring Oracle Identity Management on OPAMHOST1, after Item 2 (Install the Oracle Identity and Access Management software), add the following step: "Optionally, Oracle Privileged Account Manager can operate with Oracle Database TDE (Transparent Data Encryption) mode. For more information, see Section 9.4, Optional: Enabling TDE in Oracle Privileged Account Manager Data Store in the guide Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management."

  • At the end of section 9.8.5.4.5, Starting Oracle Privileged Account Manager on OPAMHOST1, add the following item: "For more information, see sections 9.9, Assigning the Application Configurator Role to a User and 9.10, Optional: Setting Up Non-TDE Mode in the guide Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. Section 9.10 Optional: Setting Up Non-TDE Mode is required only if you did not set up TDE as section 9.8.4.1 explains in the guide Installing and Configuring Oracle Identity and Access Management."

8.3.3 Oracle Fusion Middleware Patching Guide for Identity and Access Management

This section contains documentation errata for the Oracle Fusion Middleware Patching Guide for Identity and Access Management 11g Release 2 (11.1.2.1.0), Part Number E36789-02.

The order of sections provided for patching Oracle Privileged Account Manager in the Oracle Fusion Middleware Patching Guide for Identity and Access Management must be corrected. When patching Oracle Privileged Account Manager you must perform the steps in the following order:

  1. Enable TDE in Oracle Privileged Account Manager Data Store or Configure Non-TDE Mode

  2. Import Pre-Upgrade OPAM Data

Consequently, the sections provided in the Oracle Fusion Middleware Patching Guide for Identity and Access Management must be rearranged as follows:

  • 3.7.5 "Optional: Enabling TDE in Oracle Privileged Account Manager Data Store"

  • 3.7.6 "Optional: Configuring Non-TDE Mode"

  • 3.7.7 "Importing Pre-Upgrade OPAM Data"