C Troubleshooting Oracle Privileged Account Manager

This appendix describes common problems that you might encounter when using Oracle Privileged Account Manager and explains how to solve them.

In addition to this appendix, review the Oracle Fusion Middleware Error Messages Reference for information about the error messages you may encounter.

C.1 Introduction to Troubleshooting Oracle Privileged Account Manager

This section provides guidelines and a process for using the information in this chapter. Using the following guidelines and process will focus and minimize the time you spend resolving problems.

Guidelines

When using the information in this chapter, Oracle recommends:

  • After performing any of the solution procedures in this chapter, immediately retrying the failed task that led you to this troubleshooting information. If the task still fails when you retry it, perform a different solution procedure in this chapter and then try the failed task again. Repeat this process until you resolve the problem.

  • Making notes about the solution procedures you perform, symptoms you see, and data you collect while troubleshooting. If you cannot resolve the problem using the information in this chapter and you must log a service request, the notes you make will expedite the process of solving the problem.

Process

Follow the process outlined in Table C-1 when using the information in this chapter. If the information in a particular section does not resolve your problem, proceed to the next step in this process.

Table C-1 Process for Using the Information in this Chapter

Step | Section to Use | Purpose
-----|----------------|--------
1    | Section C.2    | Get started troubleshooting Oracle Privileged Account Manager. The procedures in this section quickly address a wide variety of problems.
2    | Section C.3    | Perform problem-specific troubleshooting procedures for Oracle Privileged Account Manager. This section describes the possible causes of the problems and the solution procedures corresponding to each of the possible causes.
3    | Section C.4    | Use My Oracle Support to get additional troubleshooting information about Oracle Fusion Applications or Oracle BI. My Oracle Support provides access to several useful troubleshooting resources, including Knowledge Base articles and Community Forums and Discussions.
4    | Section C.4    | Log a service request if the information in this chapter and My Oracle Support does not resolve your problem. You can log a service request using My Oracle Support at https://support.oracle.com.


C.2 Getting Started with Troubleshooting and Logging Basics for Oracle Privileged Account Manager

This section provides information about how to diagnose Oracle Privileged Account Manager problems.

C.2.1 Increasing the Log Level

When an Oracle Privileged Account Manager error occurs, you can gather more information about what caused the error by generating complete logs that include debug information and connector logging. Use the following steps:

  1. Set the Oracle Privileged Account Manager logging level to the finest level, which is TRACE:32.

  2. Repeat the task or procedure where you originally encountered the error.

  3. Examine the log information generated using the DEBUG level.

C.2.2 Examining Exceptions in the Logs

Examining the exceptions logged to the Oracle Privileged Account Manager log file can help you identify various problems.

You can access Oracle Privileged Account Manager's diagnostic log in the following directories:

DOMAIN_HOME/servers/Adminserver/logs
DOMAIN_HOME/servers/opamserver/logs

C.3 Resolving Common Problems and Solutions

This section describes common problems and their solutions.

C.3.1 Console Cannot Connect to Oracle Privileged Account Manager Server

Oracle Privileged Account Manager Console cannot connect to the Oracle Privileged Account Manager server.

Cause

If the Console cannot connect to the Oracle Privileged Account Manager server, then you might have a configuration problem with the Console or with Oracle Platform Security Services Trust.

Solution

To resolve this problem:

  1. Verify that your host and port information is correct.

  2. Confirm that the generated URL displayed on the Console is responsive.

  3. Ensure that you correctly completed all of the configuration steps described in "Post-Installation Tasks" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note:

If you have configured a high availability instance, ensure that you correctly completed all of the Oracle Privileged Account Manager configuration steps described in the Oracle Fusion Middleware High Availability Guide.

C.3.2 Console Changes Are Not Reflected in Other, Open Pages

When you have multiple browser windows or Console tabs open against the same Oracle Privileged Account Manager Console, updates made in one window or tab are not immediately reflected in the other windows or tabs.

Cause

The Oracle Privileged Account Manager Console does not proactively push updates to the browser.

Solution

To resolve this problem, refresh the browser window or tab.

C.3.3 Cannot Access Targets or Accounts

Your attempts to access targets and privileged accounts are failing. You cannot check out, check in, or test.

Cause 1

The ICF connector being used by Oracle Privileged Account Manager is having issues interacting with the target system.

Solution 1

To resolve this problem:

  1. Verify that the target system is up, and that the privileged account of interest exists.

  2. Increase Oracle Privileged Account Manager's logging level to TRACE:32 (its finest level) and review the trace logs to determine where the failure occurs.

    Problems are often caused by environmental issues that can be identified using the trace logs and remedied by fixing the configuration on the target system. Refer to Chapter 14, "Managing Oracle Privileged Account Manager Auditing and Logging" for more information.

  3. If the preceding steps do not identify the cause, you might have a connector issue. Submit a bug that includes a reproducible test case, target system details, and trace logs.

Cause 2

A user changed the target's service account password out of band from Oracle Privileged Account Manager. For example, if the user changed the password by using the DB host or by using a different Oracle Privileged Account Manager instance in a different domain, the Show Password feature for the original Oracle Privileged Account Manager server does not reflect that change and any attempt to connect to that target will fail.

Solution 2

To resolve this problem, enter the new password by editing the target through the Oracle Privileged Account Manager Console or the command line. Refer to Section 8.8, "Managing Privileged Account Passwords" or to Section A.5.8, "resetpassword Command" for more information.

C.3.4 Cannot Add Database Targets

This section describes issues that can prevent you from adding database targets.

C.3.4.1 Cannot Connect to Oracle Database with sysdba Role

Your attempts to connect to Oracle Database using the sysdba role are failing with the following error message:

Invalid Connection Details, see server log for details.

Cause

To connect to Oracle Database as a user with the sysdba role, you must set the Advanced Properties option to the value internal_logon=sysdba.

You must also specify this setting for the Oracle Database SYS account, which must connect with the sysdba role. The Oracle Database SYS user is a special account and if you do not use this role, then the connection might fail. However, it is a better practice to create a service account instead of using SYS.

Solution

To resolve this problem:

  1. Connect to Oracle Database as a user with the sysdba role.

    Note:

    These configuration steps are not necessary if you are connecting as a normal user.

  2. Open the target's General tab and expand Advanced Configuration to view the configuration options.

  3. Enter the internal_logon=sysdba value into the Connection Properties field.

  4. Click Test to retest the connection.

  5. Save your changes.

C.3.4.2 Cannot Find Special Options for Adding a Database Target

You cannot find configuration options for connecting to database targets such as Oracle RAC Database or for using Secure Socket Layer (SSL).

Cause

Oracle Privileged Account Manager uses a Generic Database connector where special configuration options for specific database target systems are not exposed in a clean or intuitive manner.

Solution

To resolve this problem, define special connectivity options for database targets by modifying the Database Connection URL and Connection Properties parameter values.

C.3.5 Cannot Add an Active Directory LDAP Target

An LDAP target using Microsoft Active Directory fails when you test the connection, search for accounts, or check out passwords.

Cause

Active Directory defaults require specific configuration, so you must change the generic default values for the LDAP target. Oracle Privileged Account Manager uses a Generic LDAP connector where special or custom configuration options for specific LDAP target systems are not obvious. (Usually, only Active Directory LDAP targets cause issues.)

Solution

To resolve this problem, ensure the following when you add an LDAP target:

  1. Use SSL to communicate with Active Directory.

  2. Specify the following Advanced Configuration parameters:

    • Set Password Attribute to unicodepwd

    • Set Advanced Configuration > Account Object Classes to top|person|organizationalPerson|user.

  3. Specify an attribute that is suitable for data in Active Directory, such as uid or samaccountname, for the Account User Name Attribute, Uid Attribute, and LDAP Filter for Retrieving Accounts configuration parameters.

Note:

For more information about setting any of these parameters, refer to Section 6.2.2, "ldap Target Type Parameters."

C.3.6 Grantee Cannot Perform a Checkout

A grantee's attempt to checkout an account is failing with an Insufficient Privileges error.

Cause

The username is case-sensitive for Oracle Privileged Account Manager grants, but not always for WebLogic authentication.

Solution

To resolve this problem, be sure to enable the Use Retrieved User Name As Principal option for the authenticator being used for your production identity store. Refer to Section 3.3.2, "Configuring an External Identity Store for Oracle Privileged Account Manager" for more information.

C.3.7 Cannot View Users or Roles from the Configured Remote Identity Store

When you try to grant access to a user or group, you cannot view all users and roles from the configured remote identity store.

Cause 1

The Control flag of the authenticator that corresponds to the identity store containing the user or role is not set to SUFFICIENT.

Cause 2

The user or role that you are searching for is not present in the first authenticator listed in the providers list.

Solution

To resolve this problem:

  1. Set the Control flag for all necessary authenticators to SUFFICIENT.

  2. By default, Oracle Privileged Account Manager searches for users and groups in the first authenticator in the Providers list. However, if you set the virtualize property in jps-config.xml to true, Oracle Privileged Account Manager fetches the entities from all LDAP authenticators. For example,

    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
                value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="CONNECTION_POOL_CLASS"
                value="oracle.security.idm.providers.stdldap.JNDIPool"/>
      <property name="virtualize" value="true"/>
    </serviceInstance>


    In WebLogic, the jps-config.xml file is located in:

     DOMAIN_HOME/config/fmwconfig
    

C.3.8 Group Membership Changes Are Not Immediately Reflected in Oracle Privileged Account Manager

You have an indirect grant through group membership and updates to that group membership are not immediately reflected in Oracle Privileged Account Manager.

For example, if you assign a user to an Oracle Privileged Account Manager administration role or to a group granted with an Oracle Privileged Account Manager privileged account, you may not be able to view these changes right away.

Cause

WebLogic caches group memberships and identity assertions by default. Therefore, changes in the source location will not be reflected in Oracle Privileged Account Manager until the cache entries are recomputed.

Solution

To resolve this problem, modify the caching settings in your WebLogic Authenticator and Asserter configuration to suit your requirements.

C.3.9 Cannot Use Larger Key Sizes for Export/Import

You are unable to use key sizes larger than 128 bits for export or import operations.

Cause

The default JRE installation does not contain the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6.

Solution

To resolve this problem, apply the JCE patch, available for download from http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

C.3.10 Oracle Privileged Account Manager End Users Gain Privileges They Were Not Explicitly Granted

An Oracle Privileged Account Manager end user can access all of the groups associated with a user, but was not explicitly granted access to those groups.

Cause 1

You granted an Oracle Privileged Account Manager end user access through an LDAP group that has multiple values for its naming attribute.

For example, assume you configured an environment that uses CN as its naming attribute and that it contains two groups, A and B. Group A has only one CN value, cn=GroupA and group B has two CN values, cn=GroupA and cn=GroupB.

The Oracle Privileged Account Manager host container (WebLogic or WebSphere) will assert that actual members of GroupA are members of GroupA. However, the host container will also assert that the actual members of GroupB are also members of GroupA, which means that the members of GroupB will inadvertently get the privileges associated with GroupA.

Cause 2

You used nested group memberships.

If group B is a member of group A, and you grant group A access to an Oracle Privileged Account Manager resource, then you implicitly grant this privilege to group B.

Solution

To resolve this problem, you must ensure that group entries in LDAP have only a single value for the naming attribute being used.
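The following script is an added example and is not part of the Oracle documentation. It audits LDAP group entries for the two causes described above (a group whose naming attribute carries more than one value, and nested group membership) and computes who a container would treat as a member of a given group name. The LDIF is constructed for the example, and the attribute names cn and uniqueMember are assumptions (groupOfUniqueNames-style groups).

```python
"""Added example (not Oracle's code): audit LDAP groups for multi-valued
naming attributes and nested membership. Sample LDIF is constructed."""

from collections import defaultdict

# Constructed sample: GroupB also carries cn=GroupA, and GroupC nests GroupB.
SAMPLE_LDIF = """\
dn: cn=GroupA,ou=groups,dc=example,dc=com
cn: GroupA
uniqueMember: uid=alice,ou=people,dc=example,dc=com

dn: cn=GroupB,ou=groups,dc=example,dc=com
cn: GroupB
cn: GroupA
uniqueMember: uid=bob,ou=people,dc=example,dc=com

dn: cn=GroupC,ou=groups,dc=example,dc=com
cn: GroupC
uniqueMember: cn=GroupB,ou=groups,dc=example,dc=com
uniqueMember: uid=carol,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """LDIF -> {dn: {attr: [values]}}; attr names lowercased, folded lines joined."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
        elif lines:                                 # blank line ends an entry
            attrs = defaultdict(list)
            for key, _, value in (ln.partition(":") for ln in lines):
                attrs[key.strip().lower()].append(value.strip())
            entries[attrs.pop("dn")[0]] = dict(attrs)
            lines = []
    return entries


def multivalued_naming(entries, naming_attr="cn"):
    """Cause 1: groups with more than one value for the naming attribute."""
    return {dn: a[naming_attr] for dn, a in entries.items()
            if len(a.get(naming_attr, [])) > 1}


def nested_groups(entries, member_attr="uniquemember"):
    """Cause 2: groups whose members include other group entries."""
    found = {dn: [m for m in a.get(member_attr, []) if m in entries]
             for dn, a in entries.items()}
    return {dn: nested for dn, nested in found.items() if nested}


def effective_members(entries, dn, member_attr="uniquemember", seen=None):
    """User DNs that end up inside a group once nesting is followed."""
    seen = set() if seen is None else seen
    users = set()
    for m in entries.get(dn, {}).get(member_attr, []):
        if m not in entries:
            users.add(m)
        elif m not in seen:
            seen.add(m)
            users |= effective_members(entries, m, member_attr, seen)
    return users


def asserted_members(entries, group_name, naming_attr="cn"):
    """Everyone the container would assert as a member of group_name: each entry
    carrying that name among its naming values contributes its effective members."""
    users = set()
    for dn, a in entries.items():
        if group_name.lower() in (v.lower() for v in a.get(naming_attr, [])):
            users |= effective_members(entries, dn)
    return users
```

Run against an export of your group subtree; any group reported by multivalued_naming or nested_groups is one whose members may hold privileges that were granted to a different group name.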

C.3.11 Cannot Access MSSQL Server Targets and Accounts

Your attempts to access the MSSQL server database target and accounts are failing. You cannot test, check out, or check in. There are two reasons why this problem might occur:

Cause 1

The MSSQL driver sqljdbc4.jar is missing.

Cause 2

You might be facing Java bug 7105007, which affects Java versions 1.6.0_26 and 1.6.0_29. Refer to http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7105007.

Solution

To resolve this problem:

  1. Ensure that the MSSQL driver is available for the server as described by the note in the Database Type description in Table 6-0, "database Target Type Parameters".

  2. Use Java version 1.6.0_30 or higher to avoid encountering the referenced Java bug.

C.3.12 Troubleshooting Issues with Using Oracle Database TDE

This section describes issues you might encounter when you are attempting to set up or to operate Oracle Privileged Account Manager in Oracle Database Transparent Data Encryption (TDE) mode.

C.3.12.1 TDE Wallet Errors

After enabling TDE mode, you see one of the following error messages:

  • No TDE wallet found

  • TDE wallet is closed

  • TDE wallet is undefined

  • TDE wallet is open but has no master key

  • Columns are encrypted but TDE wallet is not open

Cause

The expected TDE wallet status is open.

Solution

To resolve a problem with the TDE wallet, refer to "Enabling Transparent Data Encryption" in the Oracle Database Advanced Security Administrator's Guide.

C.3.12.2 The TDE Wallet is Open, but Columns Are Not Encrypted

After setting up TDE, you notice that the TDE wallet is open, but the columns are not encrypted.

Cause

The secure Oracle Privileged Account Manager columns are not encrypted.

Solution

To resolve this problem, perform the steps described in "Configuring Oracle Privileged Account Manager" of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

For example:

sqlplus DEV_OPAM/welcome1 @IAM_HOME/opam/sql/opamxencrypt.sql

C.3.13 Cannot Open Session Recordings

This section describes issues you might encounter when you are attempting to view session recording transcripts.

C.3.13.1 Cannot Access Recordings In Internet Explorer Browser

You used Internet Explorer to log in to the Oracle Privileged Account Manager Console, but when you tried viewing the Recording transcript from an account's Checkout History page, the following message displayed:

There is a problem with this website's security certificate.

You cannot open the recording even after selecting the Continue to this website (not recommended) option.

Cause

Internet Explorer mandates key sizes that are greater than 1024 bits, but the out-of-the-box DemoCA and certificates that are generated by Oracle WebLogic Server are 512 bits.

Solution

To work around this issue, you must generate a self-signed certificate with a key size that is greater than 1024 bits. Use the following steps:

  1. Generate a self-signed certificate with a key size of 2048 bits.

    java utils.CertGen -keyfilepass <CAPassword> -certfile <hostname>-cert \
      -keyfile <hostname>-key -cn <fully qualified hostname> -strength 2048 \
      -selfsigned -keyusagecritical false \
      -keyusage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign

    For example:

    java utils.CertGen -keyfilepass Welcome123 -certfile adc2120745-cert \
      -keyfile adc2120745-key -cn adc2120745.mycompany.com -strength 2048 \
      -selfsigned -keyusagecritical false \
      -keyusage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign

  2. Move the key with the demoidentity alias to demoidentityold.

    cd MW_HOME/wlserver/server/lib

    keytool -list -keystore DemoIdentity.jks \
      -storepass DemoIdentityKeyStorePassPhrase

    keytool -changealias -alias demoidentity -destalias demoidentityold \
      -keypass DemoIdentityPassPhrase -keystore DemoIdentity.jks \
      -storepass DemoIdentityKeyStorePassPhrase

    keytool -list -keystore DemoIdentity.jks \
      -storepass DemoIdentityKeyStorePassPhrase

  3. Update the DemoIdentityStore with the certificate and key that you generated in Step 1.

    Note:

    Refer to "Using the Oracle WebLogic Server Java Utilities" in the Oracle Fusion Middleware Command Reference for Oracle WebLogic Server for more information.

    cd MW_HOME/wlserver/server/lib

    java utils.ImportPrivateKey -keystore DemoIdentity.jks \
      -storepass DemoIdentityKeyStorePassPhrase -keyfile <hostname>-key.pem \
      -keyfilepass <CAPassword> -certfile <hostname>-cert.pem -alias demoidentity \
      -keypass DemoIdentityPassPhrase

  4. Import the certificate that you generated in Step 1 into the DemoTrust.jks file.

    keytool -importcert -v -trustcacerts -file <hostname>-cert.pem \
      -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase \
      -alias <hostname>

  5. Restart the Oracle WebLogic Server Domain.

    Note:

    For an environment hosted on multiple servers, you must repeat this step for each server. Most importantly, you must copy or duplicate the updates you performed on one server (in MW_HOME/wlserver/server/lib) on to the other servers.

C.3.13.2 Cannot Access Recordings in Any Browser

When you try to view a session recording, the error message "This web page is not available" displays and you are redirected to a URL that uses localhost as the host name.

Cause

The Oracle Privileged Account Manager server URL that was configured under the Oracle Privileged Account Manager Server Configuration has localhost defined in the URL. This host name is unresolvable from external hosts.

Solution

Use the Server Configuration page to change the Oracle Privileged Account Manager server URL to reflect the fully qualified host name for the Oracle Privileged Account Manager server.

C.3.14 Session Checkout Does Not Work, Even After Granting the Account

An end user has been granted access to an account. However, when that user tries to connect as that account through the Oracle Privileged Session Manager the connection is disallowed.

Cause

Although the end user has been granted access to the account, the effective Usage Policy does not include session as the Allowed checkout type. You must explicitly grant session access in the Usage Policy.

Solution

Modify the effective Usage Policy to also grant session access.

C.3.15 OPAM Console Login Does Not Work in Internet Explorer 11 Browser

You tried to log into Oracle Privileged Account Manager by using the Console in an Internet Explorer 11 browser. No error messages were reported, but the login did not go through.

Cause

The Oracle Privileged Account Manager Login does not work in an Internet Explorer 11 browser.

Workaround

Use an earlier version of Internet Explorer or another browser.

Solution

Apply the Oracle Universal Installer (OUI) patch for bug number 18071063 as described in the downloaded patch Readme.

To download this patch, log in to https://support.oracle.com. Select the Patches and Updates tab and search for patch number 18071063.

C.4 Using My Oracle Support for Additional Troubleshooting Information

You can use My Oracle Support (formerly MetaLink) to help resolve Oracle Fusion Middleware problems. My Oracle Support contains several useful troubleshooting resources, such as:

  • Knowledge base articles

  • Community forums and discussions

  • Patches and upgrades

  • Certification information

Note:

You can also use My Oracle Support to log a service request.

You can access My Oracle Support at https://support.oracle.com.