12 Oracle Fusion Middleware on IBM WebSphere

This chapter describes issues you might encounter when you install and configure supported Oracle Fusion Middleware products on IBM WebSphere.

12.1 General Issues and Workarounds

This section describes general issues and workarounds.

12.1.1 Additional Debug/TRACE Details in Exception Message

If a runtime exception is thrown by an EJB, IBM WebSphere appends additional debug details to the exception message. The extra text can surface as incorrect error messages in the user interface.

To fix the issue:

  1. Add the com.ibm.CORBA.ShortExceptionDetails JVM property to the Oracle Identity Manager server by using the WebSphere Console, and set its value to true.

  2. Set the com.ibm.CORBA.ShortExceptionDetails system property to true on all relevant application servers, save the configuration, and restart all the relevant servers.

For information about adding the JVM property, refer to IBM WebSphere Application Server documentation by navigating to the following URL:

http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.nd.multiplatform.doc%2Finfo%2Fae%2Fae%2Fxrun_jvm.html

12.1.2 Cell Creation Fails When Multiple Templates are Selected With Oracle Identity Manager in the Same Session

As part of Oracle Identity Manager cell creation using was_config.sh or was_config.bat, if you select additional templates in the same session, such as the Oracle Entitlements Server (OES) template, then cell creation fails.

To avoid this issue, first create the cell with Oracle Identity Manager template only, and then extend the cell with additional templates as required.

12.1.3 Opening Identity Directory Service Profile Displays Warning Popup in Oracle Entitlements Server

When you open the Identity Directory Service Profile in the Oracle Entitlements Server Administration Console (System Configuration tab > IDS Profile > Open), a warning popup may be displayed, for example: Cannot acquire a read-write connection; using a read-only connection instead.

This can occur when Identity Directory Service attempts to connect to the MBean server and the connection throws an exception indicating that the attempt to create a listener failed. In that case, check the standard output (for example, SystemOut.log) of the corresponding server. The cause of the failure is recorded immediately before the exception stack trace. For example:

[9/17/12 4:58:16:286 PDT] 00000020 ORBRas        E com.ibm.ws.orbimpl.transport.WSTransport createServerSocket WebContainer : 0 
ORBX0390E: Cannot create listener thread. Exception=[ org.omg.CORBA.INTERNAL: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_SERVER_SOCKET, 
Exception=org.omg.CORBA.INTERNAL: UNABLE_TO_CREATE_SSL_SERVER_SOCKET Exception=java.net.BindException: Address already in use  
vmcid: 0x49421000  minor code: 76  completed: No  vmcid: 0x49421000  minor code: 77  completed: No 
- received while attempting to open server socket on port 9404 ]

The problem is a port conflict: the server is trying to open a socket on a port (9404 in this example) that is already in use. For more information about this issue, see the IBM technical note at http://www-01.ibm.com/support/docview.wss?uid=swg21248645.

To work around this issue, change the affected endpoint to a dynamic port (by specifying port="0" for that endpoint in serverindex.xml), as discussed in the IBM technical note. Before editing, confirm which endpoint in serverindex.xml owns the port and which process is already listening on it.
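To find the conflicting endpoint before editing serverindex.xml, the following shell script is an added example; it is not from the Oracle or IBM documentation. It reads the ORBX0390E detail from a SystemOut.log, lists the endpoints in a serverindex.xml that are bound to that port, and writes a copy of the file with the named endpoint set to port="0". The sample log and serverindex.xml it creates are constructed; the specialEndpoints/endPoint element layout follows a WebSphere serverindex.xml but should be checked against your own file, and the endpoint name used for port 9404 is an assumption.

```shell
#!/bin/sh
# Added example, not from the Oracle or IBM documentation. Triages an
# ORBX0390E port conflict: log -> port -> endpoint -> rewritten serverindex.xml.
# The sample SystemOut.log and serverindex.xml below are constructed.

# Print the first port named in a "received while attempting to open server
# socket on port N" message (the ORBX0390E detail), or nothing if absent.
orb_conflict_port() {
    sed -n 's/.*attempting to open server socket on port \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print "endPointName port" for every endpoint in serverindex.xml ($1) bound
# to port $2. Assumes the usual layout: a <specialEndpoints endPointName=...>
# element wrapping one <endPoint ... port=...> element.
endpoints_on_port() {
    awk -v want="$2" '
        /<specialEndpoints/ {
            match($0, /endPointName="[^"]*"/)
            name = substr($0, RSTART + 14, RLENGTH - 15)
        }
        /<endPoint / {
            match($0, /port="[^"]*"/)
            port = substr($0, RSTART + 6, RLENGTH - 7)
            if (port == want) print name, port
        }
    ' "$1"
}

# Write a copy of serverindex.xml ($1) to $3 in which the endPoint of the
# named endpoint ($2) is changed to port="0" (dynamic). The original file is
# left untouched so it can be diffed and backed up before the change is applied.
make_port_dynamic() {
    awk -v name="$2" '
        /<specialEndpoints/ { hit = index($0, "endPointName=\"" name "\"") > 0 }
        hit && /<endPoint / { sub(/port="[^"]*"/, "port=\"0\""); hit = 0 }
        { print }
    ' "$1" > "$3"
}

# --- constructed sample input (removed again on exit) -----------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/SystemOut.log" <<'EOF'
[9/17/12 4:58:16:286 PDT] 00000020 ORBRas        E com.ibm.ws.orbimpl.transport.WSTransport createServerSocket WebContainer : 0 ORBX0390E: Cannot create listener thread. Exception=[ org.omg.CORBA.INTERNAL: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_SERVER_SOCKET, Exception=org.omg.CORBA.INTERNAL: UNABLE_TO_CREATE_SSL_SERVER_SOCKET Exception=java.net.BindException: Address already in use vmcid: 0x49421000  minor code: 76  completed: No  vmcid: 0x49421000  minor code: 77  completed: No - received while attempting to open server socket on port 9404 ]
EOF
cat > "$SAMPLE_DIR/serverindex.xml" <<'EOF'
<serverEntries xmi:id="ServerEntry_1" serverName="oes_server1">
  <specialEndpoints xmi:id="NamedEndPoint_1" endPointName="BOOTSTRAP_ADDRESS">
    <endPoint xmi:id="EndPoint_1" host="localhost" port="2809"/>
  </specialEndpoints>
  <specialEndpoints xmi:id="NamedEndPoint_2" endPointName="CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS">
    <endPoint xmi:id="EndPoint_2" host="localhost" port="9404"/>
  </specialEndpoints>
</serverEntries>
EOF

# Usage: triage the sample, then produce the rewritten file for review.
PORT=$(orb_conflict_port "$SAMPLE_DIR/SystemOut.log")
echo "conflicting port: $PORT"
endpoints_on_port "$SAMPLE_DIR/serverindex.xml" "$PORT"
make_port_dynamic "$SAMPLE_DIR/serverindex.xml" CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS "$SAMPLE_DIR/serverindex.new.xml"
grep 'port="0"' "$SAMPLE_DIR/serverindex.new.xml"
```

Apply the rewritten file only after diffing it against the original and after checking what else is listening on the port (netstat -an or equivalent): a dynamic port only helps if the other listener is not itself a WebSphere endpoint that needs that fixed port. Edit the copy under the Deployment Manager, synchronize the node, and restart the server.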

12.1.4 Cannot Create CSF Mapping in IBM WebSphere with Target Domain in WebLogic Server

When Oracle Privileged Account Manager is running on IBM WebSphere, you cannot add CSF mappings corresponding to an Oracle WebLogic Server domain.

Similarly, when Oracle Privileged Account Manager is running on Oracle WebLogic Server, you cannot add CSF mappings corresponding to an IBM WebSphere cell.

12.1.5 OIMAdmin Keys Credential Might Be Lost

In an Oracle Identity Manager 11g Release 2 (11.1.2.1.0) deployment that has been upgraded from Release 9.x, the OIMAdmin key credential might be lost. The symptom is SOA authentication errors in the logs. These errors can occur if, in the first run, the user did not set .xldatabasekey, which is a prerequisite for running MT in PRE_CONFIG_MODE.

The following is an example of logged error:

[oim_server1] [ERROR] [] [oracle.soa.services.workflow.worklist] [tid:
WebContainer : 5] [ecid: disabled,0] [APP:
oracle.iam.console.identity.self-service.ear] <Fatal Error occurred while
authenticating with EJB identity propagation. Unable to get the workflow
context using authenticate.getWorkflowContextFromSession>
oracle.bpel.worklistapp.util.WorklistUtil

To work around this issue:

  1. Log in to Oracle Enterprise Manager.

  2. Right-click Cell_Websphere, and select Security, then Credentials.

  3. Expand oracle.wsm.security.

  4. Select the OIMAdmin key, and click Edit. If the OIMAdmin key does not exist, create it by clicking Create Key in the oracle.wsm.security map.

  5. In the Edit Key dialog box, enter the xelsysadm credentials.

  6. Stop the Oracle Identity Manager server, the SOA server, and the Admin Server, in that order. Then stop the node agent and the Deployment Manager.

  7. Start the Deployment Manager, synchronize the node, and start the node agent. Then start the Admin Server, the SOA server, and the Oracle Identity Manager server, in that order.

12.1.6 Warnings, Errors and Stack Traces Appear in oaam_admin Log File of OAAM Configured on IBM WebSphere

The following warnings, errors, and stack traces often appear in the oaam_admin log of OAAM on IBM WebSphere Application Servers, but do not have any effect on functionality:

  • Failed to register connection type (WARNING)

  • Could not load properties file bharosa_server.properties (ERROR)

  • Could not load properties file oaam_custom.properties (ERROR)

  • Unable to customize Oracle, OAAM, view, or DataBindings.cpx. Empty or null value for tip customization layer user (stack trace)

  • The operation on the resource, pages, or loginPageDef.xml failed because the source metadata store mapped to the namespace or BASE DEFAULT is read only (stack trace)

  • Exception while querying the ExalogicOptimizationsEnabled attribute (WARNING)

12.1.7 Task Details Page Might Throw ADFC-12000 Errors

In an Oracle Identity Manager deployment on IBM WebSphere Application Server, performing any action on the Task Details page of the Inbox might throw ADFC-12000 errors.

To work around this issue, close the browser session, and open the Task Details page in a new session.

12.1.8 Some Approval Policies Not Deleted After Upgrade

In an Oracle Identity Manager 11g Release 2 (11.1.2.1.0) deployment on IBM WebSphere Application Server that has been upgraded from Release 9.x, some approval policies are not deleted.

To delete the policies, run the following PL/SQL block against the Oracle Identity Manager database. It deletes rows by policy name, so first confirm the rows it will remove with a SELECT on the same predicate, and back up the table before running it:

DECLARE
BEGIN
  DELETE FROM REQUEST_APPROVAL_POLICIES
  WHERE RAP_POLICY_NAME IN (
    'AssignRolesWithCallbackRL',
    'AssignRolesWithCallbackOL',
    'CreateRoleWithCallbackRL',
    'CreateUserWithCallbackRL',
    'CreateUserWithCallbackOL',
    'DeleteRoleWithCallbackRL',
    'DeleteUserWithCallbackRL',
    'DeleteUserWithCallbackOL',
    'DisableUserWithCallbackOL',
    'DisableUserWithCallbackRL',
    'EnableUserWithCallbackRL',
    'EnableUserWithCallbackOL',
    'ModifyRoleWithCallbackRL',
    'ModifyUserWithCallbackRL',
    'ModifyUserWithCallbackOL',
    'RemovefromRolesWithCallbackRL',
    'RemovefromRolesWithCallbackOL');
  COMMIT;
END;
/

12.1.9 Oracle Identity Federation Audit Records Not Moved to Database

Problem

When you configure the audit service to move audit records to the database, the Oracle Identity Federation bus-stop file at %DOMAIN_HOME%/servers/%INSTANCE_NAME%/logs/auditlogs/OIF is updated, but these audit records are not populated in the database.

Workaround

To resolve this, enter the wsadmin scripting environment and run the following command:

wsadmin>sts_commands.putStringProperty("/notifierconfig/CommonAuditListenerConfig/auditbusstop","%DOMAIN_HOME%/logs/%INSTANCE_NAME%/auditlogs")

This action should result in a "Command was successful." message.

12.1.10 Not All Channels Can Be SSL-Enabled Between OIM and the Database Server on WebSphere

Not all channels between OIM and the database server can be SSL-enabled on WebSphere.

The OIM application has three different channels to the database:

  • Data sources

  • Direct DB for DDL operations

  • Custom registry

Workaround:

Only the data source channel can be SSL-enabled. To enable it, add the following custom property to each data source:

Name: connectionProperties

Value: javax.net.ssl.trustStore=TRUST_STORE_LOCATION;javax.net.ssl.trustStoreType=JKS;javax.net.ssl.trustStorePassword=TRUST_STORE_PASSWORD;oracle.net.ssl_version=3.0

Replace TRUST_STORE_LOCATION and TRUST_STORE_PASSWORD with appropriate values. Note that the trust store password is stored in clear text in the cell configuration, so restrict access to the configuration repository accordingly. Note also that oracle.net.ssl_version=3.0 selects SSLv3; if the JDK or the database listener has SSLv3 disabled, set the TLS version that both sides support instead.

12.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds.

12.2.1 SSLHandshakeException Error for Google and Yahoo IdP Partners

When you integrate Access Manager with Identity Federation, and configure a Google or Yahoo IdP partner for federated SSO on IBM WebSphere application server through the OpenID protocol, you may see an SSLHandshakeException error when you attempt to access the resource.

For a Google partner, the error is as follows:

oracle.security.fed.controller.library.LibraryException:
oracle.security.fed.controller.frontend.action.exceptions.ResponseHandlerExcep
tion: oracle.security.fed.util.http.HttpException:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building
failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl
could not build a valid CertPath.; internal cause is:
        java.security.cert.CertPathValidatorException: The certificate issued
by OU=XXX Secure Certificate Authority, O=XXX, C=US is not trusted;
...

For a Yahoo partner, the error is as follows:

[2013-02-15T15:18:58.747-08:00] [oam_server1] [WARNING] [OAM-12001]
[oracle.oam.audit] [tid: WebContainer : 5] [ecid: disabled,0] [APP:
oam_server_11.1.2.0.0] Cannot load audit configuration.
[2013-02-15T15:18:58.749-08:00] [oam_server1] [WARNING] [OAM-12001]
[oracle.oam.audit] [tid: WebContainer : 5] [ecid: disabled,0] [APP:
oam_server_11.1.2.0.0] Cannot load audit configuration.
[2013-02-15T15:18:58.750-08:00] [oam_server1] [WARNING] [OAM-12001]
[oracle.oam.audit] [tid: WebContainer : 5] [ecid: disabled,0] [APP:
oam_server_11.1.2.0.0] Cannot load audit configuration.
[2013-02-15T15:18:59.136-08:00] [oam_server1] [ERROR] [FEDSTS-12078]
[oracle.security.fed.controller.library.api.FedEngineInstance] [tid:
WebContainer : 5] [ecid: disabled,0] [APP: oam_server_11.1.2.0.0] Library
Exception: {0}[[
oracle.security.fed.controller.library.LibraryException:
oracle.security.fed.controller.frontend.action.exceptions.ResponseHandlerExcep
tion: oracle.security.fed.util.http.HttpException:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building
failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl
could not build a valid CertPath.; internal cause is:
        java.security.cert.CertPathValidatorException: The certificate issued
by CN=XXX Root, OU="XXX, Inc.", O=XXX Corporation, C=US is not trusted; 
...

This error occurs because the CA certificate that issued the Yahoo/Google server certificate (the issuer named in the stack trace) is not in the IBM JSSE trust store, so the PKIX path cannot be built.

Solution

You need to import the Yahoo/Google SSL certificates (the issuing CA certificate is what the validator is missing) into the IBM JSSE trusted keystore (cacerts).

First obtain the SSL certificates.

  1. Using the Firefox browser, go to the https URL that is being accessed.

  2. After the page has loaded, right-click the page, then select View Page Info, then Details (Security), then View Certificate, then the Details tab.

  3. Click Export, then Save.

Next, import the certificates into the keystore using the instructions provided in the following IBM Technote:

http://www-01.ibm.com/support/docview.wss?uid=swg21588087

Note: When executing the keytool command in Step 6 of the Technote:

  • The alias is whatever string you want to use to reference that certificate afterwards.

  • If you are not sure which cacerts file the server JVM uses, import the certificates into all of the cacerts keystores. Each import extends trust for every application running on that JVM, so import only the CA certificate that the stack trace names as untrusted, and compare its fingerprint with the value the CA publishes before importing it.

Note: You may also need the Equifax root certificate, which can be downloaded from:

http://www.geotrust.com/resources/root-certificates/index.html

Under Root Certificates, download Root1 - Equifax Secure Certificate Authority (.pem file), and import it using the steps described above.

12.2.2 Controlled-Push Policy Distribution Fails on Oracle Entitlements Server Administration Server

In an Oracle Entitlements Server on IBM WebSphere environment, controlled-push policy distribution fails if the oracle.security.jps.config parameter is not set. This parameter must point to the location of the jps-config.xml file; policy distribution cannot succeed without it.

12.2.3 Shell Syntax Error Seen When Configuring Fusion Middleware Products on IBM Websphere Application Server on Solaris SPARC64 5.10 Machines

When you run the ORACLE_HOME/common/bin/wsadmin.sh script on Solaris SPARC64 5.10 machines to configure Fusion Middleware products in a cell on IBM WebSphere Application Server, the following error is displayed:

./wsadmin.sh: test: argument expected

Workaround:

Replace the following line in the ORACLE_HOME/common/bin/setWsadminEnv.sh file:

if [ ! $WSADMIN_SCRIPT_LIBRARIES ]; then 

with

if [ ! "${WSADMIN_SCRIPT_LIBRARIES}" ]; then 

The unquoted expansion leaves test with no operand when the variable is empty (and with several operands when the value contains whitespace); quoting it passes exactly one operand in every case.

After making this change, re-run the ORACLE_HOME/common/bin/wsadmin.sh script to complete the configuration.
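The following shell script is an added example, not part of the Oracle scripts, that shows what the quoting change does: it runs the original unquoted test and the quoted replacement against an empty value, a plain path and a path containing a space, and reports the exit status of test(1) for each. The library paths it uses are constructed values.

```shell
#!/bin/sh
# Added example, not from setWsadminEnv.sh. Compares the original unquoted
# test with the quoted form on constructed values of WSADMIN_SCRIPT_LIBRARIES.

# The original check, verbatim. The unquoted expansion is subject to word
# splitting and pathname expansion, so test(1) receives a varying number of
# operands: none when the value is empty (Solaris /bin/sh reports "argument
# expected"; bash accepts the lone "!"), one for a plain path, several for a
# path containing whitespace. Echoes the exit status of test(1):
# 0 = no libraries set, 1 = libraries set, 2 = test usage error.
check_unquoted() {
    WSADMIN_SCRIPT_LIBRARIES=$1
    rc=0
    [ ! $WSADMIN_SCRIPT_LIBRARIES ] 2>/dev/null || rc=$?
    echo "$rc"
}

# The corrected check from the workaround: quoting yields exactly one
# operand whatever the value, so test(1) never sees a malformed expression.
check_quoted() {
    WSADMIN_SCRIPT_LIBRARIES=$1
    rc=0
    [ ! "${WSADMIN_SCRIPT_LIBRARIES}" ] 2>/dev/null || rc=$?
    echo "$rc"
}

# The idiomatic form: -z states the intent (is the value empty?) and behaves
# exactly like the quoted negation above.
libs_missing() {
    [ -z "${WSADMIN_SCRIPT_LIBRARIES}" ]
}

# Usage: show the three cases side by side.
for v in "" "/opt/oracle/wsadmin/lib" "/opt/oracle/my lib"; do
    printf 'value=%-28s unquoted=%s quoted=%s\n' "'$v'" \
        "$(check_unquoted "$v")" "$(check_quoted "$v")"
done
```

The plain path gives 1 from both forms, but the path with a space makes the unquoted test fail with a usage error (status 2), which inside an if statement is silently treated as "false"; the quoted form returns 1 as intended. The same rule applies to every variable test in these scripts: quote the expansion, or use -z and -n.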

12.2.4 Error Displayed When Accessing DMS Spy for Oracle Access Manager on IBM Websphere

If you have not configured an external LDAP such as OID or OVD, and you try to access the DMS Spy servlet for Oracle Access Manager on IBM WebSphere, the following error is displayed:

Error 403: AuthorizationFailed

If you have not created a user with the Admin role in an external LDAP, the wasadmin user is not allowed to log in to DMS Spy by default. You must manually map the wasadmin user to the Admin role to be able to log in.

Workaround:

Complete the following steps:

  1. Log in to the IBM Console.

  2. On the left pane, go to Applications > Application Types > WebSphere enterprise applications.

  3. On the right pane, click on Dmgr DMS Application_11.1.1.1.0.

  4. Click on Security role to user/group mapping.

  5. Select Admin role and click on Map Users... button.

  6. Type wasadmin in the search string and click on Search button.

  7. Select wasadmin in the Available box and click on --> arrow.

  8. Click OK to return to the previous page.

  9. Click OK again.

  10. Click Save directly to the master configuration.

  11. Start Dmgr DMS Application_11.1.1.1.0.

  12. Repeat the above steps for DMS Application_11.1.1.1.0.

12.2.5 oaam_offline_was.ear File Missing antlr-2.7.6.jar File in IBM WebSphere Environment

OAAM Offline does not load the correct number of records, and rules are not processed. The offline logs show the following error:

java.lang.NoClassDefFoundError: antlr.TokenStream

The offline environment cannot process rules because the antlr-2.7.6.jar file is missing from the oaam_offline_was.ear file.

As a workaround, run the following commands before running was_config.sh, with IDM_ORACLE_HOME set to the absolute path of the Identity and Access Management Oracle home:

cd ${IDM_ORACLE_HOME}/oaam/oaam_offline/ear
# keep the original EAR; the renamed copy is the source for the repackaging below
mv oaam_offline_was.ear oaam_offline_was.ear.bak
mkdir temp
cd temp
jar xf ../oaam_offline_was.ear.bak
mkdir war_tmp
cd war_tmp
# unpack the WAR, add the missing jar, and repack the WAR in place
jar xf ../oaam_offline.war
cp ${IDM_ORACLE_HOME}/oaam/oaam_libs/was_native_jar/antlr-2.7.6.jar ./WEB-INF/lib
jar -cfm ../oaam_offline.war META-INF/MANIFEST.MF *
cd ..
rm -rf war_tmp
# repack the EAR, now containing the updated WAR, under the original name
jar -cfm ../oaam_offline_was.ear META-INF/MANIFEST.MF *
cd ..
rm -rf temp

12.2.6 Use Custom Certificate to Configure SSL for Oracle Entitlements Administration on IBM Websphere

When an Oracle Entitlements Server domain on IBM WebSphere is created (by applying the OES WAS template), SSL is configured by default with the demo trust and identity keystores, whose certificates are signed by the demo CA (CertGenCA). The demo keystores and their passwords ship with every installation, so they provide no real trust. In a production environment, Oracle recommends that you replace this default with a custom trust keystore and identity keystore.

12.2.7 Oracle Identity Manager Server Configuration on IBM WebSphere Fails If Sun JDK is Used During Installation

If you provide a Sun JDK as the value for the -jreLoc parameter when installing Oracle Identity and Access Management components on IBM WebSphere, the installation is successful. However, when you try to configure Oracle Identity Manager Server, Design Console, and Remote Manager using the Oracle Universal Installer Configuration Assistant, the configuration fails.

Workaround:

  1. Open the oraparam.ini file located in the Oracle_Home/oui directory.

  2. Search for JRE_LOCATION.

  3. Change the value of the JRE_LOCATION to point to an IBM JDK.

  4. Save the oraparam.ini file.

  5. Start the Oracle Universal Installer Configuration Assistant by running the config.sh file (on UNIX) or config.bat file (on Windows), located in the OIM_HOME/bin directory.

12.2.8 Error Generated When Extending an OAAM WebSphere Cell to Include OIM Template

When you run the was_config command to extend an Oracle Adaptive Access Manager cell to include the Oracle Identity Manager template, you may see the following message:

Conflict detected
CFGFWK -42001: The following duplicate elements exists in a configuration, discarding new elements from a incomming template 

You can safely ignore this message.

12.3 Documentation Errata

This section describes documentation errata.

12.3.1 Adding Targets to Oracle Privileged Account Manager

The following section should be added to the "Managing Oracle Privileged Account Manager on IBM WebSphere" chapter in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.

12.3.1.1 Differences When Adding Targets to Oracle Privileged Account Manager on IBM WebSphere

The procedure for adding targets to Oracle Privileged Account Manager is described in "Adding Targets to Oracle Privileged Account Manager" of the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager. However, the process for configuring an Oracle database target is slightly different if you are using Oracle Privileged Account Manager on IBM WebSphere:

If you select an Oracle database target, no driver jar is required. For other target systems, you must add one of the following third-party jars to the connector bundle:

  • For MSSQL: Copy the sqljdbc4.jar.

  • For MySQL: Copy the mysql-connector-java-5.1.20-bin.jar.

  • For Sybase: Copy the jconn4.jar.

You can update the connector bundle to include these third-party jars as follows:

  1. Make a back-up copy of the DBUM connector bundle, which is available in

    ORACLE_HOME/connectors/dbum/bundle/org.identityconnectors.dbum-1.0.1116.jar
    
  2. Create a temporary directory containing a lib folder, and put the third-party jar in that lib folder.

  3. From the temporary directory, update the bundle (give its full path if it is not in the current directory) with the third-party jar:

    jar -uvf org.identityconnectors.dbum-1.0.1116.jar lib/JAR_NAME
    
  4. Remove the temporary directory.

  5. Restart all Oracle Privileged Account Manager processes for the change to take effect.

For more information, refer to "Installing the Connector on the Connector Server" in the Oracle Identity Manager Connector Guide for Database User Management.

12.3.2 Differences When Integrating Oracle Privileged Account Manager with Oracle Identity Manager

The following information should be added to the "Managing Oracle Privileged Account Manager on IBM WebSphere" chapter of the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.

12.3.2.1 Differences When Running the opamSetup Script

The basic procedure for running the Oracle Privileged Account Manager-Oracle Identity Manager integration setup script (opamSetup) is described in "Running the opamSetup Script" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

However, if you are running this script on an IBM WebSphere server, there is a minor difference in the description of the ctxFactory option. The usual context factory name (noted parenthetically in the table) is different for IBM WebSphere:

Option: -ctxFactory <Initial context factory>
Description: Provide the name of the initial context factory (on IBM WebSphere, usually com.ibm.websphere.naming.WsnInitialContextFactory).

12.3.3 Online Help for IBM WebSphere Options in the Oracle Identity Manager Configuration Assistant

When using the Oracle Identity Manager Configuration Assistant, the online help for the configuration screens does not describe the IBM WebSphere-specific options. For more information about the IBM WebSphere options, see "Configuring Oracle Identity Manager for Single-Node Setup" in the chapter, "Managing Oracle Identity Manager on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.