Skip Headers
Oracle® Fusion Middleware Identity Management Release Notes
11g Release 2 (11.1.2.2)

Part Number E39887-13
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

10 Oracle Identity Manager

This chapter describes issues associated with Oracle Identity Manager. It includes the following topics:

10.1 Patch Requirements

This section describes patch requirements for Oracle Identity Manager 11g Release 2 (11.1.2.2). It includes the following sections:

Note:

For information about the mandatory patches that you must apply for installing and configuring Oracle Identity Manager, see Section 2.2.2, "Mandatory Patches Required for Installing Oracle Identity Manager".

10.1.1 Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)

To obtain a patch from My Oracle Support (formerly OracleMetaLink), go to following URL, click Patches and Updates, and search for the patch number:

https://support.oracle.com/

10.1.2 Patch Requirements for Oracle Database 11g (11.1.0.7)

Table 10-1 lists patches required for Oracle Identity Manager 11g Release 2 (11.1.2) configurations that use Oracle Database 11g (11.1.0.7). Before you configure Oracle Identity Manager 11g, be sure to apply the patches to your Oracle Database 11g (11.1.0.7) database.

Table 10-1 Required Patches for Oracle Database 11g (11.1.0.7)

Platform Patch Number and Description on My Oracle Support

UNIX / Linux

7614692: BULK FEATURE WITH 'SAVE EXCEPTIONS' DOES NOT WORK IN ORACLE 11G

 

7000281: DIFFERENCE IN FOR ALL STATEMENT BEHAVIOR IN 11G

 

8327137: WRONG RESULTS WITH INLINE VIEW AND AGGREGATION FUNCTION

 

8617824: MERGE LABEL REQUEST ON TOP OF 11.1.0.7 FOR BUGS 7628358 7598314

Linux x86 64-bit

8545377: ORA-1780 RAISED WHEN CURSOR_SHARING=FORCE

Windows 32 bit

8689191: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS 32 BIT

Windows 64 bit

8689199: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS (64-BIT AMD64 AND INTEL EM64T)

Oracle Solaris on SPARC 64-bit

8545377: ORA-1780 RAISED WHEN CURSOR_SHARING=FORCE


Note:

The patches listed for UNIX/Linux in Table 10-1 are also available by the same names for Solaris SPARC 64 bit.

10.1.3 Patch Requirements for Oracle Database 11g (11.2.0.1.0)

Table 10-2 lists the required patch for Oracle Identity Manager 11g Release 2 (11.1.2.2) configurations that use Oracle Database 11g (11.2.0.1.0).

Table 10-2 Required Patch for Oracle Database 11g (11.2.0.1.0)

Platform Patch Number and Description on My Oracle Support

Linux x86 64-bit

8545377: ORA-1780 RAISED WHEN CURSOR_SHARING=FORCE


10.1.4 Patch Requirements for Oracle Database 11g (11.2.0.2.0)

If you are using Oracle Database 11g (11.2.0.2.0), make sure that you download and install the appropriate version (based on the platform) for the RDBMS Patch Number 9776940. This is a prerequisite for installing the Oracle Identity Manager schemas.

Table 10-3 lists the patches required for Oracle Identity Manager 11g Release 2 (11.1.2) configurations that use Oracle Database 11g Release 2 (11.2.0.2.0). Make sure that you download and install the following patches before creating Oracle Identity Manager schemas.

Table 10-3 Required Patches for Oracle Database 11g (11.2.0.2.0)

Platform Patch Number and Description on My Oracle Support

Linux x86 (32-bit)

Linux x86 (64-bit)

Oracle Solaris on SPARC (64-bit)

Oracle Solaris on x86-64 (64-bit)

RDBMS Patch#13004894.

Microsoft Windows x86 (32-bit)

Bundle Patch 2 [Patch#11669994] or later. The latest Bundle Patch is 4 [Patch# 11896290].

Microsoft Windows x86 (64-bit)

Bundle Patch 2 [Patch# 11669995] or later. The latest Bundle Patch is 4 [Patch# 11896292].

All platforms

Patch 12419331: Database PSU 11.2.0.2.3 on top of 11.2.0.2.0 Base Release.


If this patch is not applied, then problems might occur in user and role search and manager lookup. In addition, search results might return empty result.

10.1.5 Patch Requirements for Oracle Database 11g (11.2.0.3.0)

Table 10-4 lists the patches required for Oracle Identity Manager 11g Release 2 (11.1.2.2) configurations that use Oracle Database 11g (11.2.0.3.0).

Table 10-4 Required Patches for Oracle Database 11g (11.2.0.3.0)

Platform Patch Number and Description on My Oracle Support

Linux x86, 32-bit, and 64-bit

14019600: MERGE REQUEST ON TOP OF 11.2.0.3.0 FOR BUGS 13004894 13370330 13743357

Solaris, HP-UX, IBM AIX:

14019600: MERGE REQUEST ON TOP OF 11.2.0.3.0 FOR BUGS 13004894 13370330 13743357

Microsoft Windows 32-bit

13783452: ORACLE 11G 11.2.0.3 PATCH 4 BUG FOR WINDOWS 32 BIT

Microsoft Windows 64-bit

13783453: ORACLE 11G 11.2.0.3 PATCH 4 BUG FOR WINDOWS (64-BIT AMD64 AND INTEL EM64)


10.1.6 Patch Requirements for Oracle Database 11g (11.2.0.4.0)

Table 10-5 lists the patch required for Oracle Identity Manager 11g Release 2 (11.1.2.2) configurations that use Oracle Database 11g (11.2.0.4.0).

Table 10-5 Required Patch for Oracle Database 11g (11.2.0.4.0)

Platform Patch Number and Description on My Oracle Support

All platforms

17501296: UNABLE TO DELETE ROWS FROM TABLE WITH TEXT INDEX AFTER UPGRADE TO 11.2.0.4


10.1.7 Patch Requirements for Oracle Database 10g (10.2.0.3, 10.2.0.4, and 10.2.0.5)

In Oracle Database 10g, problems are encountered when creating materialized view using CONNECT_BY_ROOT clause. This is because the CONNECT_BY_ROOT operator is not available in Oracle Database 10g (10.2).

To resolve this issue, use the patches listed in Table 10-6:

Table 10-6 Required Patches for Oracle Database 10g (10.2.0.3 and 10.2.0.4)

Oracle Database Release Patch Number and Description on My Oracle Support

10.2.0.3.0

7012065: BLR BACKPORT OF BUG 6908967 ON TOP OF VERSION 10.2.0.3.0 (BLR #81973)

10.2.0.4.0

8239552: BLR BACKPORT OF BUG 6908967 ON TOP OF 10.2.0.4.0 (BLR #113173)

10.2.0.4 and 10.2.0.5

8545377: ORA-1780 RAISED WHEN CURSOR_SHARING=FORCE


10.1.8 Patch Upgrade Requirement

While applying the patch provided by Oracle Identity Manager, the following error is generated:

ApplySession failed: ApplySession failed to prepare the system.

OPatch version 11.1.0.8.1 must be upgraded to version 11.1.0.8.2 to meet the version requirement.

See "Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)" for information about downloading OPatch from My Oracle Support.

10.1.9 Patch Requirement for BI Publisher 11.1.1.7.1

For information about patch requirement for BI Publisher 11.1.1.7.1, see Section 2.2.2, "Mandatory Patches Required for Installing Oracle Identity Manager".

10.1.10 Patch Requirement for SOA 11.1.1.7.0

For information about patch requirement for SOA 11.1.1.7.0, see Section 2.2.2, "Mandatory Patches Required for Installing Oracle Identity Manager".

10.1.11 Patch Requirement for SSL with JDK 7u40 or Later

In an Oracle Identity Manager environment in which SSL is enabled, JDK 7u40 or later is used, and SSL is configured by using the default setting as described in section "Enabling SSL for Oracle Identity Manager By Using Default Setting" of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager, apply Oracle WebLogic Server patch 13964737.

10.1.12 Obtaining the Latest Bundle Patch

You must download and apply the latest Bundle Patch for Oracle Identity Manager 11g Release 2 (11.1.2.2). To do so:

  1. Log in to My Oracle Support web site at the following URL:

    https://support.oracle.com

  2. Click the Knowledge tab.

  3. Search the article titled Master Note on Fusion Middleware Proactive Patching - Patch Set Updates (PSUs) and Bundle Patches (BPs) (Doc ID 1494151.1).

  4. Download and apply the appropriate Bundle Patch by following the instructions in the article. The row for 'Oracle Identity Manager (OIM) 11gR2' in the Proactive Patch Table provides information about the Bundle Patches for the current release of Oracle Identity Manager.

10.2 What's New in Oracle Identity Manager 11g Release 2 (11.1.2.2)

Oracle Identity Manager 11g Release 2 (11.1.2.2) has the following key new features:

10.2.1 Access Policy Harvesting for Reconciled Accounts

Oracle Identity Manager enables you to link the reconciled and bulk loaded accounts to pre-existing access policies by running the 'Evaluate User Policies' scheduled task, and therefore, such reconciled and bulk loaded accounts can be managed via access policies. The linking of access policies to reconciled or bulk loaded accounts is also referred to as access policy harvesting.

Only reconciled and bulk loaded accounts are linked with access policy, which means that the direct or request-based provisioned accounts are not considered for access policy harvesting.

10.2.2 Dynamic Organization Membership

A user is associated to the home organization, but can require membership to other organizations to perform related functions. For example, a global help desk user who belongs to the Support organization would require access to view and perform certain functions, such as password reset, on other organizations, say Finance or Sales. Oracle Identity Manager has the capability to manually assign the help desk user to an Organization Viewer admin role, which is restrictive and more applicable to permission grants. Dynamic organization membership provides a way to specify a rule that drives the membership of the user to one or more organizations based on their user attributes. The feature introduces the ability to specify a membership rule for organizations similar to how roles are handled. When the user is dynamically associated to other organizations, the user gets implicit viewer privileges to view users, roles, and privileges made available to those organizations as well. If certain users are required to perform certain functions, such as viewing and performing certain functions on other organizations, the users can still be associated to the corresponding admin role manually. Note that this is dynamic rule-based organization membership, and not virtual organization that must be associated with a physical organization in Oracle Identity Manager.

10.2.3 Hierarchical Entitlements

Business users, requesters, approvers, or access certifiers, require detailed information on what a particular entitlement maps to in the target system. For example, granting an e-Business role or responsibility would grant a user a set of menu/button privileges. Oracle Identity Manager supports such critical hierarchical entitlement metadata to be imported and made available during request, approval, and certification processes.

Users typically have more than one account in a target system. In addition to supporting multiple accounts to be associated with a user, Oracle Identity Manager supports specifying to which account a specific entitlement in a request needs to be associated with during the request checkout process.

10.2.4 Catalog Auditing

Catalog auditing maintains a footprint of changes in the access request catalog. By enabling the catalog auditing feature of Oracle Identity Manager, you can track who changes what and when in the access request catalog through the UI.

10.2.5 Archiving/Purge Support for Entities

The application capabilities in Oracle Identity Manager generate a large volume of data. To meet the standards of performance and scalability, maintaining the data generated for the life cycle management of Oracle Identity Manager entities is a challenge. Oracle Identity Manager meets this challenge by providing a real-time and continuous data purge solution. Request, Reconciliation, Task, and Orchestration entity data can be continuously purged through this based on the options or choices made. The configuration is one time and the purge solution works automatically without any intervention from the administrator.

10.2.6 Draft Request Support

Oracle Identity Manager enables requesters to save the request cart enabling them to validate and submit requests at a later time.

10.2.7 Additional Information in Requests

In many instances, requesters are required to provide additional information during access request for each requested item. For example, in a request that involves multiple entitlements, the requester might be required to specify the start date and end date for each of the entitlements requested. Oracle Identity Manager enables requesters to provide such information during request that can be carried all the way to approval and provisioning processes. Oracle Identity Manager also provides a scheduled task for entitlement grant and revoke based on the start and end dates specified.

10.2.8 Account and Entitlement Dependency Handling

Oracle Identity Manager provides a request catalog to request account entitlements. However, it requires the business user to know any entitlement-related dependencies. For example, the user must know that an e-Business account is required before the user can request for an entitlement that grants privileges to raise a purchase order in e-Business. Oracle Identity Manager can now automatically request the account for a user when a related entitlement is requested, thereby reducing the burden of the business users to know the account-entitlement relationship.

10.2.9 Entitlement Form Support

Oracle Identity Manager enables you to associate a new form with complex entitlements. A complex entitlement is represented by child object having at least two attributes, one of them marked as Entitlement attribute. Using this form, users can provide additional information that might help an approver during the approval process.

10.2.10 Sunrise/Sunset of Accounts and Entitlements

Oracle Identity Manager supports temporal grant of accounts and entitlements, which refers to provisioning accounts or entitlements between a specific start or sunrise date and end or sunset date. You can specify start and end dates for accounts and entitlements in various instances, for example:

  • Employee on boarding on a future start date

  • Contractor on boarding from a future start date to a specific end date

  • Employee termination on a specific end date

  • Temporal accounts, which can be requested to be active between a specific start date and end date

  • Temporal entitlements, which can be requested to be active between a specific start and end date

10.2.11 Flexible Certification

Oracle Identity Manager introduces the capability of specifying additional levels of reviews in the certification workflow process. For example, Oracle Identity Manager can launch a certification review process whereby the business manager reviews the users that report to the manager, but is then followed by the managers' manager also reviewing the same access rights, while viewing the decisions made by their subordinates.

10.2.12 Improved Diagnostic Console via Oracle Enterprise Manager

Oracle Identity Manager introduces a new operational console in Oracle Enterprise Manager that provides administrators a complete view of all the defined Oracle Identity Manager operations, default and custom event handlers, child processes, workflow processes, and state and error information, without requiring to look into different server logs. This tool does not replace the larger Identity and Access Management pack in Enterprise Manager that provides a suite-wide monitoring capability, but serves as a useful diagnostic tool specifically for Oracle Identity Manager.

10.2.13 Enable Taskflows for Customization

Oracle Identity Manager provides default taskflows for using them in the customized pages of Oracle Identity Self Service and to invoke other taskflows. For example, you can customize the user details page so that the user details of the manager will be displayed if you click the manager login name in the user details page. The default or predefined taskflows are called public taskflows.

10.2.14 FVC Utility Enhancements

The Form Version Control (FVC) Utility facilitates the management of form data changes after a form upgrade operation. Oracle Identity Manager enables you to upgrade the form version and data by using any one of the following:

  • The Form Upgrade Job scheduled task: Updates the form version to the latest active version and the form data to the value specified during the field's creation for all accounts.

  • The command-line FVC Utility: Supports field mapping and data updates on a provisioning process form and its associated child forms.

10.2.15 BI Publisher Certification for IBM WebSphere Application Server

Oracle Identity Manager is certified to use BI Publisher reports on IBM WebSphere Application Server.

10.3 General Issues and Workarounds

This section describes general issue and workarounds. It includes the following topic:

10.3.1 Auto-Logged In User is Logged Out After the Cookie Expiry Interval of 120 Seconds

In an Oracle Identity Manager deployment integrated with Oracle Access Manager (OAM), when you log in to Oracle Identity Self Service for the first time, you are redirected to reset the password and answer challenge questions. After successfully resetting the password and answering challenge questions, you are automatically logged in to the Oracle Identity Self Service without requiring to authenticate again. However, the login session ends in 120 seconds and you are redirected to the login page.

To workaround this issue, the cookieExpiryInterval configuration property of the ssoConfig tag in the oim-config.xml file must be set as -1.

Note:

The oim-config.xml file is stored in MDS. To edit this file, you can either use WebLogic export/import utilities, or use MBeans from the Enterprise Manager console.

10.3.2 Localized Display Name Not Reconciled in Oracle Identity Manager Via User/Role Incremental Reconciliation

When a user attribute with subtype, such as displayname;lang-jp, is modified in iPlanet DS/ODSEE, then reconciliation does not bring that change into Oracle Identity Manager. Unlike other directory servers, such as OID or AD, which bring in all subtype attributes (displayname, displayname;lang-jp, ...), iPlanet DS/ODSEE only logs the updated subtype attribute. Because of this iPlanet DS/ODSEE limitation, the subtype update is not reconciled.

The workaround is to update all the other subtype attributes with existing values, in addition to the subtype being updated in a single modify command. For example, if you have displayName;lang-zh-tw, ;lang-fr, and ;lang-ja, then to update displayName;lang-ja, the ldif shown in Example 10-1 must be used.

Example 10-1 Sample ldif File

dn: cn=Role 001,cn=Groups,dc=example,dc=com
changetype: modify
replace: displayName
displayName: Roles 001
-
replace: displayName;lang-zh-tw
displayName;lang-zh-tw: Roles 001-Chinese
-
replace: displayName;lang-fr
displayName;lang-fr: Roles 001-French
-
replace: displayName;lang-ja
displayName;lang-ja: Roles 001-Japanese_update1

10.3.3 Organizations Not Created Because of AD Organization Reconciliation Run

When the scheduled job for AD organization reconciliation is run, AD organizations are not created in Oracle Identity Manager.

To workaround this issue:

  1. Create a reconciliation rule for the Xellerate Organization resource object by using the Design Console. To do so:

    1. In the Design Console, open the Reconciliation Rules form.

    2. In the Name field, enter AD Organization Recon Rule.

    3. In the Object field, select Xellerate Organization.

    4. In the Description field, enter AD Organization Recon Rule.

    5. Save the reconciliation rule.

    6. Click Add Rule Element. The Add Rule Element dialog box is displayed.

    7. In the Rule Elements tab, select the following:

      - For Organization Data, select Organization Name.- For operator, select Equals.- For attribute, select Organization.Organzation Name.- For transform, select none.

    8. Click Save, and then close the dialog box.

    9. In the Reconciliation Rules form, select Active.

    10. Click Save.

  2. Create a reconciliation profile for the Xellerate Organization resource object. To do so:

    1. In the Resource Objects form, search and select Xellerate Organization.

    2. In the Object Reconciliation tab, click Create Reconciliation Profile.

  3. Run the AD Organization Recon scheduler to create AD organizations as OIM Organizations.

10.3.4 The SodCheckViolation Field of the Process Form is Not Updated for Request Provisioning

For request provisioning of the PSFT resource with conflicting entitlements, the SodCheckViolation field in the process form is not updated. The entitlement violation is mapped to the field with the SoDCheckEntitlementViolation label, while the PSFT resource has the field with the SoDCheckViolation label. Therefore, the mapping does not occur. Direct provisioning and provisioning through access policy successfully takes place with the SoDCheckViolation field label.

To workaround this issue for request provisioning, change the SoDCheckViolation field label to SoDCheckEntitlementViolation in the PSFT form by using the Design Console.

10.3.5 Blank Page Displayed for Approval Details

Blank page is displayed for approval details when the host and port to access identity application and the host and port to access task details are different.

The task details URL configuration can be checked from Oracle Enterprise Manager in the following way:

  1. Login to Oracle Enterprise Manager by using WebLogic administrator username and password.

  2. On the left navigation menu, click SOA. Expand soa-infra, default.

  3. Click the required SOA composite under the default menu.

  4. On the right pane, click the approval task in the Component Metrics section.

  5. Click the Administration tab.

    The host and port used to access identity and task details must match for task details to work.

Notice that host and port has been set by using OIMExternalFrontEndURL in the DiscoveryConfigMBean. If OIMExternalFrontEndURL is empty, then OIMFrontEndURL can be used. If there has been a change in frontend host or port, then correct it or perform the steps described in "Oracle Identity Manager Host and Port Changes" of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

10.3.6 Modification of Disabled Account and Requesting Entitlement for the Account is Allowed

Oracle Identity Manager allows modification of an account and requesting of its entitlement, although the account is in disabled state.

This is a known issue, and a workaround is currently not available.

10.3.7 The Refresh Button is Truncated in Some Pages of the Oracle Identity Self Service

When you open Oracle Identity Self Service by using Google Chrome 15.0.x web browser, the Refresh button on the toolbar is displayed as truncated in some pages.

To workaround this issue, upgrade Google Chrome 15.0.x to Google Chrome 18.0.1025.162 or higher version.

10.3.8 Provisioning of Application Instance with AD User Resource Object Does not Work

When you create an application instance for AD with appropriate details and request to provision the application instance as System Administrator, the resource is in provisioning state, and the following message is logged:

<Warning> <XELLERATE.SERVER> <BEA-000000> <No fields having ITResouce property found in form with sdk_key=11>
<Warning> <XELLERATE.SERVER> <BEA-000000> <More than fields of type ITResourceLookupField found on form with sdk_key=11>
<Warning> <XELLERATE.SERVER> <BEA-000000>
<Cannot figure out the ITResource field uniquely>

To workaround this issue, add the ITResource=true property for AD Server process form field in the process form.

10.3.9 Some Attestation Pages Do Not Work in Mozilla Firefox and Google Chrome

In Oracle Identity Manager User and Administrative Console, some pages related to attestation do not work when you use Mozilla Firefox or Google Chrome web browsers. These include pages for creating attestation processes and submitting attestation requests.

To workaround this problem, use Microsoft Internet Explorer web browser.

10.3.10 Custom Scheduled Jobs Fail Because of Dependency on Legacy APIs

Custom scheduled jobs, which use APIs available in legacy versions of Oracle Identity Manager but is not available in the current release, fail at run time. For example, a custom scheduled job, which calls com.thortech.xl.client.mail.tcSendMail to send emails, fails with the java.lang.NoClassDefFoundError error message. This is because com.thortech.xl.client.mail.tcSendMail is available in Oracle Identity Manager release 9.x and earlier releases, but is not available in 11g releases.

To avoid this issue, use only APIs published with the current release instead of using individual unsupported APIs, such as tcAdapterUtilities or tcClient. In addition, you must migrate any custom code to use the new APIs if the old APIs have been deprecated. For information about APIs in Oracle Identity Manager 11g Release 2 (11.1.2.0), see Oracle Fusion Middleware Java API Reference for Oracle Identity Manager.

10.3.11 Catalog Tag Cannot Store More Than 256 Characters

When you create a role, entitlement, or application instance with maximum possible values for name, display name, and description attributes, only the first 256 characters of the entity are displayed in the request catalog. For example, when you create a role with name=2000 characters, role display name=3000 characters, and description=1024 characters, and search for the role in the request catalog, the first 256 characters of the corresponding entry for the role is displayed. The user must search for the entity in the catalog by using the words present in the first 256 characters of the entity name, display name, or description.

This is a known issue, and a workaround is currently not available.

10.3.12 Self Registration Request Fails After Request Approval

When the task assignee of Self registration request tries to approve the task from the pending approvals page, the task is approved but the request moves to Request Failed status.

For self registration requests, Organization is a mandatory attribute that must be provided by the approver before approving the task. If the task is approved from the pending approvals page, the task is completed but since approver has not updated the Organization for the user, the request fails. The following workaround is available for the approver:

  1. Provide a value for the Organization attribute for the user in the task details page.

  2. Update the user information by clicking Update in the task details page.

  3. Approve the task from the task details page.

Oracle Identity Manager validates if mandatory attribute values are provided in the task details page and that all the changes to the page are saved before approving the task.

10.3.13 Soft-Deleted Entitlement is Provisioned by Access Policy-Based Provisioning

When performing access policy-based entitlement provisioning where the entitlement is already soft-deleted, the entitlement can still be provisioned to the user.

This a known issue, and a workaround is currently not available.

10.3.14 Interrupted Scheduled Job Run Fails on Restarting

When a scheduled job runs for a considerable time and the job is interrupted by clicking the stop button, the job status changes to Interrupted, and a message is displayed stating that the job is stopped.

However, depending on the implementation of stop check on the execute methods of the individual scheduled jobs, the processing is made to stop with due checking only after a specified time. If the checking is delayed, then there is a similar delay in the actual stopping of the job in the backend. Till the execute method of the job verifies that the job is stopped, the status of the job continues to show as Interrupted and not Stopped. After the result of the verification is returned, the job status changes to Stopped. Only after this change in status of the job, the next run of the job can be rescheduled.

10.3.15 Bulk Request for Multiple Entities Fails After Approval

When a request for multiple entities, such as application instance, roles, or entitlements, is created for a user who does not have the viewer admin role for the entities, no error is generated during request submission. However, the request fails after approval. This is because bulk request checks only the requester's permissions. The beneficiary permissions are used to determine the child requests to be created after request-level approval is done.

This is a known issue, and a workaround is currently not available.

10.3.16 Import of Disconnected Application Instance Fails

When you export an application instance, the Deployment Manager shows the IT Resource and Resource as dependent objects in the Select Dependencies window. In the final export window at the end of all the dependency selection, Deployment Manager shows IT Resource Defn in the Unselected Dependencies list. To avoid import failure, add the dependency for IT Resource Def from the Unselected Dependencies list.

10.3.17 Existing Data for Administrators Role Grant Does Not Sync After Applying Patch 14591093

In an environment, in which the Administrators role has already been granted to the system administrator or any user before applying patch 14591093, this role grant is not reflected in LDAP after applying the patch. The patch takes care of new grants made to the users for the Administrators role.

To workaround this issue, perform any one of the following:

  • Retry the role grant with a newly created user or a user who does not have Administrators role granted through the Oracle Identity Manager User and Administrative Console.

  • Include the user's DN in the Administrators unique member in Oracle Directory Services Manager (ODSM). To do so:

    1. Login to ODSM.

    2. Find the 'cn=Administrators,cn=Groups,dc=us,dc=example,dc=com' role.

    3. Add the uniquemember field.

    4. Specify the DN of the user. For example, for the oim_admin user, the dn is 'cn=oim_admin,cn=Users,dc=us,dc=example,dc=com'.

    5. Click Save/Apply.

    6. Retry the role grant.

10.3.18 The Reset Button in the Resource Object Lookup Redirects to Basic Search

In the Create Application Instance page, when you search for a resource object by using Advance Search, if you click on the Reset button, then instead of resetting the values in the same page, the search is redirected to Basic Search. This is because the Reset button resets the QueryDescriptor object in Application Development Framework (ADF), which defines the Simple or Advanced display mode. For details about the QueryDescriptor object, refer to ADF documentation.

10.3.19 IT Resource Definition Not Displayed in Dependency List

When exporting an application instance by using the Deployment Manager, IT resource definition is not displayed the dependency selection list. This is because the Deployment Manager shows only one level of dependencies in the Select Dependency page of the Export wizard. Other dependent objects are displayed in the Unselected Dependencies pane in the Export wizard before the export. To avoid missing dependencies at the time of import, select the dependency object from the Unselected Dependencies pane.

10.3.20 Error in Entitlement Provisioning for Manually Created Resource Object

When you create a resource object by using the Design Console, create the provisioning process, parent and child forms with entitlement, change the lookup code with the correct ITResource key, populate the ent-list table, and then try to provision the entitlement, the following error is generated:

IAM-4060021 : An error occurred while validating whether entitlement with key 2151 is already provisioned to user with key 31 and the cause of error is oracle.iam.provisioning.exception.GenericProvisioningException: Entitlement attribute not marked as key in reconciliation field mapping for UD_TESTC.

This means that the key attribute in reconciliation field mapping is not defined for the child form attribute. Here, in the UD_TESTC child form, the value of the entitlement property is set to true in the UD_TESTC_LKP child form attribute, but reconciliation mapping is not defined.

To workaround this issue, define the reconciliation field mapping. See "Reconciliation Field Mappings Tab" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about reconciliation field mapping.

10.3.21 QBE Returns No Result When User Has No Permission on Organization of the Requester

User is allowed to search for a request in the Track Requests page even though the user does not have permissions on the requester's organization. But when the user filters the records for the requester in the Track Requests page by using Query By Example (QBE) without permissions on the requester's organization, no results are returned.

This is a known issue, and a workaround is currently not available.

10.3.22 Checkbox UDF Displayed as Boolean Field

When you create a UDF of type checkbox in the User form, customize the Create User, Modify User, and User Details pages to add the UDF, and then create a user by selecting the checkbox, it is displayed as a Boolean field with values as true and false.

To workaround this issue, add the field on the User Details pages as a check box, and mark the field as read-only.

10.3.23 Lookup for Entitlements Must Be Searchable and Searchable Lookup

When creating a child table with a lookup field for entitlement, the following options must be selected so that the Entitlement=true property is set and the field type is lookup:

  • Searchable

  • Entitlement

  • Searchable Picklist

There is scope for error when you do not select the Searchable option in the Constraints section and/or the Searchable Picklist from the Advanced section. As a result, the field type of the form field will be a Combo box instead of a LookupField.

To workaround this issue, perform any one of the following:

  • If the Searchable option in the Constraints section is not selected, then open the form attribute again, and select the Searchable option to mark the attribute to be of searchable type. Then, create a new form for the application instance or select Regenerate View in the parent form view.

  • If the Searchable Picklist option in the Advanced section is not selected, then a Combo box type field is created. There is no way to edit the Searchable Picklist option. There are two ways to fix this. The first method is:

    1. Open the Form Designer form in the Design Console, and open the child form.

    2. Create a new version of the child form, and change the field type from ComboBox to LookupField. Then, activate the child form.

    3. Create a new version of the parent form, associate the new version of the child form, and then activate the parent form.

    4. Create a new form for the application instance or regenerate the view of the existing parent form.

    Otherwise, create another form field attribute with the correct options selected. Then, customize the parent form page, and hide the form field with the incorrect attribute values.

10.3.24 Dependent Lookup Does Not Work With Pick List Component

When you have a dependent lookup with a pick list (a lookup with glass icon to search for the values) and select a value in the parent lookup, the correct values in the dependent combo box are not displayed. This is because Oracle Identity Manager does not support dependent lookup for the pick list component.

This is a known issue, and a workaround is currently not available.

10.3.25 Cascading Lookups Display Limited Number of Values

When you create a cascading lookup as a LOV or as a combo box, only 25 values are displayed in the lookup search irrespective of the number of values.

To workaround this issue:

  • Do not use cascading lookup as a combo box, and instruct users to narrow the searches.

  • Implement cascading lookups by using the Managed Bean approach, as described in "Implementing Custom Cascading LOVs" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

10.3.26 Catalog Search With Special Characters Fail

If catalog search contains special characters, the search fails with error that has IAM-7130125 and DRG code in the message, such as:

IAM-7130125 : Search token caused Oracle text DRG issue, DB exception is :ORA-20000: Oracle Text error: DRG-50943: query token too long on line 1 on column 40 20000
IAM-7130125 : Search token caused Oracle text DRG issue, DB exception is :ORA-20000: Oracle Text error: DRG-50901: text query parser syntax error on line 1, column 5 20000

In the request catalog, search keywords that include all the commonly used special characters, such as #, $, and -, in requestable entities work correctly and return desired results. However, search keywords with few special characters, such as double quote ("), colon (:), or brackets do not return the desired results.

To avoid the issue, escape the special characters with the back slash character (\) in the search query string. For example, replace special characters (, ), and " with \(, \) and \" respectively.

10.3.27 Lookup Search Does Not Support Asterisk Wildcard Character

Searching for lookup definitions with the asterisk character (*). For example, searching lookup definitions with * or (a*) do not return any result.

To workaround this issue, search the percentage character, % or (a%).

10.3.28 Errors Not Displayed in Form Designer

When you add a UDF to a form by using the Form Designer, if you mark the UDF as Searchable and Encrypted at the same time, then no error message is displayed although this combination in not valid.

This is a known issue, and a workaround is currently not available.

10.3.29 User Creation Fails if Default Password Policy is Removed

User creation depends on default password policy. User creation fails if there is no default password policy. Therefore, default password policy must not be deleted.

To avoid failure of user creation because of default password policy removal, Oracle recommends the following:

  • Default password policy is the only one used for user creation and is not recommended to be deleted.

  • The default password policy constraints can be modified if the password is expected to meet different criteria.

  • If the default policy is deleted or a different password policy is required to be considered as the default password policy, which would be used for user creation, then the desired default policy must be associated with the TOP organization.

10.3.30 Exception Displayed Intermittently

The following error message might be displayed intermittently:

too many objects match the primary key oracle.jbo.key[ua0902 ]. with npe

For example, when you try to reassign a task in Oracle Identity Self Service, this error message might be displayed intermittently.

Whenever this error message is displayed, log out of Oracle Identity Self Service and log in again.

10.3.31 Benign unknownplatformexception Error

When logging in by using any client in Oracle Identity Manager, for example while logging in to the Design Console, the logging is successful. However, some times a benign unknownplatformexception error is displayed.

This does not result in any loss of functionality.

10.3.32 Error in Searching for Data Components

When you search for data controls from the catalog in the Data Components dialog box, the search is only performed for the data controls at the top level and not for the fields. An error is logged when you search for the fields in the Data Components dialog box for customization purpose, and the search does not return any result.

This is a known issue, and a workaround is currently not available.

10.3.33 Retry Provisioning Task Fails

When a provisioning task is assigned to a role and the role member is able to view the task, and when the role member tries to retry the provisioning task, the following error message is displayed:

Error JBO-29000: Unexpected exception caught: Thor.API.Exceptions.tcBulkException, msg=null
Error Localized message not available. Error returned is: null

To workaround this issue, assign the provisioning task to the System Administrator role.

10.3.34 Multiple Entries Displayed for the Same Provisioning Task

When a user opens the Provisioning Tasks page in Oracle Identity Self Service and clicks Search, multiple entries for the same provisioning task that is assigned to the user are displayed.

To workaround this issue, close the Open Tasks page and reopen it.

10.3.35 Length of Attribute Value Changes on Updating the Form Field

The following issues are encountered if you update a field in an existing form:

  • If you update the Organization Name existing field in the AD User form, save and close the form, regenerate view, and provision and provide the lookup value for the Organization Name in the Catalog, the following error message is displayed:

    IAM-2050099 : The length of the attribute value Organization Name is greater than the maximum allowed length 40.
    

    Even if you try to provision for single user and select the Organization Name, the same error is displayed.

    To workaround this issue, create a new form for AD User and attach it to the application instance.

  • For child table, if you edit the existing lookup field, for example the GroupName field in AD User form, add Entitlement and Searchable option, and view the child form in the Design Console, one more field adds with entitlement = true, and the length of the field changes.

    To workaround this issue, perform the changes from the Design Console when configuring resources for entitlement for the first time.

10.3.36 Input Data Lost in Request Catalog

When you add an application instance in the request catalog, enter some data in the parent form, remove the user, and then add another user, the data entered to the parent form is lost.

This is a known issue, and a workaround is currently not available.

10.3.37 Error on Publishing Sandbox

If two users log in to Oracle Identity Self Service by using the same System Administrator login credentials, perform some operations on sandbox by using the same sandbox, and try to publish the sandbox, then the following error is displayed and the sandbox does not get published:

Publish Sandbox Failed
oracle.mds.sandbox.RefreshFailedException: MDS-00001: exception in Metadata
Services layer MDS-00165: metadata Object
"/persdef/oracle/iam/ui/catalog/model/am/CatalogAM.xml" has changed
MDS-00164: There is a concurrent "UPDATE" operation on the document
"/persdef/oracle/iam/ui/catalog/model/am/mdssys/cust/site/site/CatalogAM.xml.x
ml". MDS-00165: metadata Object
"/persdef/oracle/iam/ui/catalog/model/am/CatalogAM.xml" has changed
MDS-00164: There is a concurrent "CREATE" operation on the document
"/persdef/oracle/iam/ui/catalog/model/am/mdssys/cust/site/site/CatalogAM.xml.x
ml". MDS-00165: metadata Object
"/persdef/oracle/iam/ui/catalog/model/am/CatalogAM.xml" has changed
MDS-00164: There is a concurrent "UPDATE" operation on the document
"/persdef/oracle/iam/ui/catalog/model/am/mdssys/cust/site/site/CatalogAM.xml.x
ml". MDS-00165: metadata Object
"/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" has changed
MDS-00164: There is a concurrent "UPDATE" operation on the document 

This is a known issue, and a workaround is currently not available.

10.3.38 Import/Export of Organization and Role Without UDFs

Organization and role entities are imported and exported via the Deployment Manager without any related UDFs and UDF values. The related UDFs are imported and exported separately via the Deployment Manager because Role Metadata and Organization Metadata options are available under the drop-down list of exportable entities in the Deployment Manager.

Only default value of UDFs are imported and exported. The value assigned to UDFs at creation of Organization and Role entities are not import and exported.

10.3.39 Possible Suboptimal SQL in Target Resource Reconciliation Run

When you add a resource object and run target resource reconciliation for bulk accounts using DBUM connector, the following SQL might report suboptimal performance:

Note:

  • The exact SQL structure may vary because of matching rule predicates in an environment.

  • This SQL may show suboptimal performance in very few environments. It may function properly in almost all environments. All setups have their own uniqueness in terms of data volume, distribution, and selectivity.

INSERT
INTO    RECON_ACCOUNT_MATCH
(
   RE_KEY  ,
   ORC_KEY ,
   SDK_KEY ,
   RAM_ROWVER
)
 
(
   SELECT re.re_key           ,
          ud_db_ora_u.orc_key ,
          :"sys_b_0"          ,
          :"sys_b_1"
   FROM   UD_DB_ORA_U UD_DB_ORA_U                        ,
          ra_oracledbuser725eedcb ra_oracledbuser725eedcb,
          ost ost                                        ,
          oiu oiu                                        ,
          recon_events re
   WHERE  re.rb_key =:"SYS_B_2"
          AND re.re_status = :"SYS_B_3"
          AND re.re_key = ra_oracledbuser725eedcb.re_key
          AND
          (
            ud_db_ora_u.ud_db_ora_u_itres=ra_oracledbuser725eedcb.ra_itresource15641f83
            AND
            ud_db_ora_u.ud_db_ora_u_username=ra_oracledbuser725eedcb.ra_username8825b9c0
          )
 
          AND oiu.orc_key = ud_db_ora_u.orc_key
          AND ost.ost_key = OIU.ost_key
          AND ost.ost_status <> :"SYS_B_4"
)

To workaround this issue, use the Plan Stability feature of the Oracle Database for this rare behavior of this particular SQL. Oracle Database as a RDBMS feature provides for SQL Plan stability via Stored Outlines. It can be used by DBAs to prevent certain database environment changes from affecting the performance characteristics of applications. This feature helps optimize database performance when the optimizer, in normal mode, does not pick up an execution plan that is tuned for performance. Therefore, the SQL Profiles feature can be used to potentially lock a better SQL plan for this SQL in the Oracle Identity Manager database environment (by using the SQL Tuning Advisor and subsequent usage of SQL Profiles, or any suitable mechanism of choice by the DBAs).More on this feature usage as a workaround for this or similar situations can be found in section "Using Plan Stability" of the Oracle Performance Tuning Guide.

10.3.40 Multiple Child Tables Cannot Be Used in Requests

Although a connector has more than one child table, only one child table can be used in requests.

To workaround this issue, use entitlement requests.

10.3.41 Session Failover Issues

Active-Active session fail over does not work properly with Oracle Identity Manager. These issues are mostly displayed in Oracle Identity System Administration.

This is a known issue, and a workaround is currently not available.

10.3.42 Error in Adding Data for Process Instance to Child Form

When a new UDF is added to the application instance form and the UDF is updated for already provisioned users, it is not displayed in the UI but is available in the database.

If there are any changes to the application instances form, such as adding new fields, adding new children forms, or adding fields to children forms, then the form versions of all existing users must be updated to the latest version by using the Form Version Control Utility. This utility is available in the design console directory. Update the properties file as follows, and execute the utility:

  • Resource Object Name: roname

  • Process Form Name: UD_PFORM

  • From Version: <fromversion>

  • To Version: <toversion>

10.3.43 Last Entitlement Not Removed

Oracle Identity Manager does not remove the last entitlement during a modify account request.

To workaround this issue, remove the existing entitlement by using a revoke entitlement request instead of a modify account request.

10.3.44 Manual Fulfillment Task Not Initiated for Entitlement Provisioning

An entitlement request for a disconnected resource does not initiate the manual fulfillment task but marks the request as completed.

To workaround this issue, using the Design Console, open the corresponding provisioning process for the disconnected application and add a manual provisioning task for entitlement provisioning so that this manual task gets initiated after the approval is complete.

10.3.45 Form Fields Displayed For Disable/Enable/Revoke Manual Provisioning Task

The form associated to a disconnected application instance is displayed even when the request type is disable, enable, or revoke. There is no functionality loss in displaying the form during the disable, enable, or revoke requests. Ignore the form field display and submit the request.

10.3.46 Duplicate Rows in Request Tracking

Request tracking might display duplicate rows for the same request when searching by beneficiary. Ignore the duplicate rows.

10.3.47 Help Desk Cannot Use Request Tracking

Request tracking for help desk role mandates to specify the beneficiary of the request, even when searching by request ID.

To workaround this issue, issue a full search of the request without specifying any search filters.

10.3.48 Use Request Details to Approve Requests That Require Mandatory Information

For requests that require mandatory additional information to be provided, such as Organization, when approving a self-registration request, do not act upon the request directly from the Pending task list. Open the request, provide the required information in the Request Details page, and then approve the request. This is a SOA tasklist limitation.

10.3.49 Benign Error Messages

Although Oracle Identity Manager handles all validations, some of the error messages are not detailed enough. Benign exceptions and error messages might be displayed in the server logs during server startup, which can be ignored as long as the system is up and running.

10.3.50 Accessibility Compliance

Currently, the system is not compliant completely with Accessibility guidelines and the Accessibility link provided does not function.

10.3.51 Password Policy Not Enforced

Password policy attached to a resource does not get enforced properly during request to a connected resource. However, when you try to change the password of a provisioned resource from the My Information page, the policy is enforced.

10.3.52 Form Designer Failure Not Displayed

Form designer failure in the backend is not displayed in the UI. If the change you are expecting is not successful, then abandon the sandbox. Oracle recommends creating and using short-lived sandboxes (for example separate sandbox with a detailed description for UI customization, form creation, and UDF addition) so that conflicts can be avoided.

10.3.53 Request for Application Instance Fails If Related Sandbox is Not Published

If the sandbox, in which an application instance is created, is not published, then the request for that application instance will fail during request checkout process. Best practice is to create a sandbox for an application instance and immediately publish it.

10.3.54 Application Instance Administrator Cannot Create Forms

Only System Administrators or System Configurators can create forms and attach it to application instances.

10.3.55 Delete Reconciliation Does Not Work With libOVD and ODSEE

Delete reconciliation does not work with libOVD and ODSEE combination.

This is a known issue, and a workaround is currently not available.

10.3.56 Lookup Values Not Saved on the My Information Page

Oracle Identity Manager does not support a UDF of type Lookup to be created for the My Information page.

10.3.57 Benign Error for Missing Matching Rule Data

When running reconciliation, matching rule transformation fails with the following error message if all the fields that are part of the matching rule are not provided as input while invoking the ignoreEvent API:

<BEA-000000> <Generic Information: {0}
oracle.iam.reconciliation.exception.DBAccessException: Failed SQL:: select
USR_KEY from usr where USR_FIRST_NAME=? and USR_LAST_NAME=? and USR_LOGIN=?
and USR_TYPE is null and USR_EMAIL is null and USR_MIDDLE_NAME is null and  
USR.USR_STATUS != 'Deleted' AND ((UPPER(USR.USR_LOGIN)=UPPER(?)) OR
(UPPER(USR.USR_UDF_OBGUID)=UPPER(RA_EZCUSERTRUSTED49EC4A54.RA_OBJECTGUID)))
=>PARAMS:: [John, Doe, J.DOE, J.DOE]
Caused By: java.sql.SQLSyntaxErrorException: ORA-00904:
"RA_EZCUSERTRUSTED49EC4A54"."RA_OBJECTGUID": invalid identifier

This is a benign error, and there is no functional loss because of this. The event is not ignored. It is created and processed normally without causing any data corruption.

10.3.58 User Type Attribute Value Not Populated

When you perform customization on the User Type attribute in the My Information page, for example display the User Type attribute as read-only, then the value in the User Type attribute does not populate.

Here, the attribute name is User Type in the My Information page, but from customization VO, you must select role to populate the correct values in the User Type attribute. Therefore, to workaround this issue:

  1. In customization mode, select the Panel Form Layout Component.

  2. Open the Resource Catalog.

  3. Select Data Component, My Information, UserVO1, and then select role.

  4. Drop the field with Output Text with a label.

10.3.59 Approval Page Customization Not Supported

Approval page customization is not supported through WebCenter Composer.

To customize the approval details page, see "Developing Workflows: Vision Request Tutorial" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

10.3.60 Enable, Sequence, and Description for Lookup Values Not Supported

The Enable, Sequence, and Description attributes are not supported for lookup values. Therefore, do not include a value in the Description field for searching lookups. Also, the Enabled, Sequence, and Description columns are displayed without any values.

10.3.61 Cannot Add Radio Button

When you try to add a radio button to a form, for example organization form, a forward-only range paging error is generated. This is because adding a radio button through drop handlers is not supported. However, radio buttons can be added to forms through view layer customization with custom code.

10.3.62 Indirect Role Membership Error

Clicking the Roles tab in the My Access section or the Users section of the Oracle Identity Self Service generates an error when the logged-in user has indirect role relationship.

10.3.63 Created UDFs Not Listed in Customization View

When you create a UDF in an active sandbox, the UDF is not listed in the customization view (catalog of the Data Component).

To avoid this issue, create the UDF, and then create the sandbox and activate it. Newly created UDFs are displayed in customization view in the sandboxes created after the UDF creation.

10.3.64 Attributes Cannot Be Marked Required Using Form Designer

Attributes cannot be marked as required or mandatory from the Form Designer. However, mandatory attributes can be specified by customizing the page by using Oracle Web Center.

10.3.65 Cascading LOV Not Working

When you setup cascading LOVs, the values in the dependent LOV are not displayed based on the selection of the parent LOV.

To workaround this issue:

  1. Set up the cascading LOV by using two UDFs.

  2. Add both the Select One Choice components.

  3. Setup the partial rendering of the component.

10.3.66 Number Type Lookup Code Not Supported

Oracle Identity Manager does not support number type lookup code in this release.

10.3.67 Customizing the Self Registration Page Does Not Work

When you try to customize the self registration page of Oracle Identity Manager by selecting View, Source, validation error messages are displayed stating that input for the form fields are missing.

To avoid this issue, provide values for the input fields in the self registration page. The complete steps to customize the self registration page are the following:

  1. Login to Oracle Identity Self Service.

  2. Activate a sandbox.

  3. Click Customize.

  4. Navigate to the Oracle Identity Manager login page, and click New User Registration. Alternatively, navigate to /identity/faces/register directly.

  5. Enter values for the required input fields.

  6. Select View, Source.

  7. Customize the page.

10.3.68 Some Help Links Do Not Work

When you access Help Topics for Oracle Identity Manager from Oracle Identity Self Service and Oracle Identity System Administration, some links do not work. The following are the navigation paths where the links are not active:

From Oracle Identity System Administration:

  • Help link from Identity System Administration, Using Oracle Identity System Administration, Lookups

  • Help link from Identity System Administration, Using Oracle Identity Self Service, Approval Details, Request for Information

From Oracle Identity Self Service:

  • Help link from Identity Self Service, Using Oracle Identity Self Service, Approval Details, Request for Information

  • Help link from Identity Self Service, Using Oracle Identity Self Service, Manage Sandboxes

  • Help link from Identity Self Service, Using Oracle Identity Self Service, Customize Oracle Identity Self Service

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Manage Reconciliation Events

  • Help link from Identity Self Service, Using Oracle Identity System Administration - Manage Policies:

    - Create Access Policies

    - Manage Access Policies

    - Create Attestation Configuration

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Approval Policies

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Manage Attestation Configuration

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Password Policy

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Perform Configuration Tasks: Create IT Resource

    - Manage IT Resource

    - Create Generic Connector

    - Manage Generic Connector

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Form Designer

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Application Instances:

    - Search Application Instances

    - Create Application Instances

    - Delete Application Instances

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Modify Application Instances, The How links

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Lookups

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Perform System Management Tasks:

    - Import

    - Export

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Scheduler

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Notification

  • Help link from Identity Self Service, Using Oracle Identity System Administration, System Management

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Manage Connector

  • Help link from Identity Self Service, Using Oracle Identity System Administration, Manage Sandboxes

View the Help topics from the relevant section of the interface. For example, to view the Help topic for System Management or Sandboxes, navigate to the Help topics from Identity System Administration. For any topic that is not displayed, refer to Oracle Fusion Middleware Identity Management 11g Release 2 (11.1.2) Documentation Library.

10.3.69 Unpublished Entities Provisioned Via Access Policies

Entitlements and accounts can be granted via access policies. When entitlements and accounts are granted via access policies, organization scoping does not apply, and therefore, the entitlements and accounts that are not published to the target user's organization are also provisioned.

Although an entitlement is not published to an organization, an access policy can still provision the entitlement to the user of that organization. This is because access policies are not aware of the publishing and scoping security model of Oracle Identity Manager.

This is a known issue, and a workaround is currently not available.

10.3.70 Certificate-Based Digital Signatures Not Supported

For task approvals, Oracle Identity Manager does not support digital signatures based on certificates. However, Oracle Identity Manager supports password-based digital signatures. See "How to Specify a Workflow Digital Signature Policy" in the Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite.

10.3.71 Entitlements Provisioned to Users Not Displayed After Upgrade

In an upgraded deployment of Oracle Identity Manager 11g Release 2 (11.1.2.2), the entitlements provisioned to the users before the upgrade are not displayed in the Entitlements tab.

To display the entitlements in the Entitlements tab after the upgrade, login to Oracle Identity System Administration, and run the Entitlement Assignments scheduled job.

10.3.72 Labels in Query Panel Cannot be Customized

By default, labels in query panels are not customizable. For example, the Beneficiary label in the Track Requests search page cannot be customized, but the column names in the Track Requests search results table can be changed.

10.3.73 UMS Fails to Send Notification While Provisioning Account

Notification in provisioning workflow does not use the notification model in Oracle Identity Manager 11g. Therefore, if UMS notification provider is configured and notification is assigned to a provisioning task, then while provisioning an account for OIM user, a notification message is not sent. In addition, a NullPointerException error message is logged.

To configure and use notification in provisioning workflow, see "Specifying the E-Mail Server" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

10.3.74 Error on Creating Subtask

When the requester tries to create a subtask by selecting Create Subtask from the Actions menu in the Inbox, NullPointerException is generated. Creating subtasks is not supported for certification tasks.

10.3.75 Running the pasteConfig Script Displays Incorrect Error Message

While running the pasteConfig script in the target host, if the jdk location specified does not exist, then an incorrect error message is displayed, as shown:

The JDK wasn't found in directory /scratch/aime1/jrockit-jdk1.6.0_37-R28.2.5-4.1.0.
Please edit the startWebLogic.sh script so that the JAVA_HOME variable points to the location of your JDK.

You can ignore this error message because it does not result in any loss of functionality.

Note:

If the source Middleware home uses a JDK that is external to the Middleware home, then the pasteBinary operation must also use an external JDK. The JDK provided to run FMW T2P utility must be accessible to the source as well as target.

10.3.76 Error Logged While Exporting Metadata of oracle.security.apm Application

The following error is logged on running the FMW T2P copyConfig utility in the source computer:

Exporting metadata of application -  oracle.security.apm
.
Metadata transfer operation started
Exporting metadata from repository . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Metadata tranfer operation failed
.
Cause: main.WLSTException : MDS-00503: The metadata path "../mds" does not contain any valid directories.MDS-91009: Operation "exportMetadata" failure.
Use dumpStack() to view the full stacktrace. 
.
Unable to export Application data from Oracle Metadata Repository. The Application "oracle.security.apm" may not have any data in Oracle Metadata Repository or it may not be in "ACTIVE" state.

This is a benign error and can be ignored because it does not cause any loss of functionality in Oracle Identity Manager.

10.3.77 Error Logged While Exporting Metadata of oim Application

The following error is logged on running the FMW T2P copyConfig utility in the source computer:

Exporting metadata of application -  oim
.
.
Cause: main.WLSTException : MDSAppRuntimeMBean is not available for oracle.mds.lcm:name=MDSAppRuntime,type=MDSAppRuntime,Application=oim,Location=oim_server1,*MDS-91009: Operation "exportMetadata" failure. Use dumpStack() to view the full stacktrace.
.
.
Unable to export Application data from Oracle Metadata Repository. The Application "oim" may not have any data in Oracle Metadata Repository or it may not be in "ACTIVE" state.

This is a benign error and can be ignored because it does not cause any loss of functionality in Oracle Identity Manager.

10.3.78 Benign ApplicationDB Connection Pool Errors

Errors related to the ApplicationDB data source connection pool might be logged. This data source is used internally by ADF for reading MDS artifacts for Oracle Identity Self Service. These errors cause no functional loss. Frequency of these exceptions can be reduced by tuning the Data Source Inactive Connection Timeout property and JVM parameters, such as jbo.ampool.timetolive and jbo.ampool.maxinactiveage.

The following exception might be logged:

<Warning> <JDBC> <BEA-001153>
<Forcibly releasing inactive/harvested connection
weblogic.jdbc.wrapper.PoolConnection_oracle_jdbc_driver_T4CConnection back
into the data source connection pool "ApplicationDB"

Immediately followed by:

java.sql.SQLException: Connection has already been closed.

10.3.79 Reconciliation Archival Utility Throws Errors

When you install an Active Directory Release 9.x connector and run the reconciliation archival utility, then uninstall AD 9x connector and install AD 11g connector, and try to run reconciliation archival utility, errors are generated and the utility does not run. The following is a sample error message:

ERROR ==> Error/warning occurred while executing ./oim_create_recon_arch_tables.sql
For Details check log file ./logs/oim_create_recon_arch_tables.log
Exiting Utility

The errors are generated because old Reconciliation Archival tables related to the uninstalled connector still exist in the database. Therefore, to avoid this issue, after uninstalling a connector, drop the RA tables related to the connector.

10.3.80 Latency in Auto Closing the Tab After Acting on the Task

When you act on a task from the details page, the tab closes automatically, but after a delay of few seconds. This is a known issue, and there is no workaround for this.

10.3.81 Filters on Some Columns Not Supported

Oracle Identity Manager does not support filters or Query by Example (QBE) on some columns in the search result table. Examples of such columns are Date Added and Hierarchy Aware.

10.3.82 Disconnected Resource Child Table Tasks Not Autocreated

Disconnected resource child table insert/delete trigger tasks are not autocreated when the child table with an Entitlement field is created by using the Design Console.

10.3.83 Field Added to a Page Might Not Be Displayed

During UI customization, when you try to add a field to a page for the first time, the field might not be displayed on the page. The field is displayed on the page when you retry to add the field by clicking the Add action.

10.3.84 Auto-Unlock Feature Does Not Work

The auto-unlock feature between Oracle Identity Manager and Oracle Access Manager (OAM) does not work. User is not unlocked on running the Automatically Unlock User scheduled task.

Working of the auto-unlock feature between Oracle Identity Manager and OAM is dependent on the fixes of the following bugs on top of Oracle Virtual Directory 11g Release 1 (11.1.1) Patch Set 5:

  • Bug# 13503440: OVD: REDUCE TRANSACTION SEND TO BACKEND WHEN USING USERMANAGEMENT PLUGIN

  • Bug# 14464394: NEW MAPPING FOR ORCLUSERLOCKEDON FOR CHANGELOG AND USERMANAGEMENT PLUGIN

10.3.85 Self Registration Request Fails

In an Oracle Identity Manager deployment on Microsoft Windows with OUD as the LDAP server, self registration request fails. Successful self registration request is dependent of the fix of the following libOVD bug:

Bug# 16523164: OIM/LIBOVD SHOULD REQUEST 'MODIFIERSNAME' WHEN SEARCHING IN CN=CHANGELOG

10.3.86 Catalog Synchronization Job Overrides Certifier/Approver/Fulfillment User

For role processing, run the Catalog Synchronization scheduled job one time in Full mode, and run it in Incremental mode from the next time onward. If the job is run again in Full mode, it overrides the current values for certifier, approver, and fulfillment user, and sets them to Role Owner.

10.3.87 Certification Creation Fails With Incorrect SSL Configuration

If SSL is not configured correctly, then certification creation might fail and the following error is displayed in the scheduler page for certification creation:

org.springframework.transaction.TransactionSystemException: JTA failure on commit;
nested exception is javax.transaction.SystemException: Could not contact coordinator at
soa_server1+[2606:b400:2010:4049:216:3eff:fe52:65ba]:8002+RRC4SN130321+t3s+
        at
org.springframework.transaction.jta.JtaTransactionManager.doCommit(JtaTransactionManager.java:1044)
        at

To avoid this issue, SOA clear port must be opened when starting Oracle Identity Manager. If Oracle Identity Manager has been started with the clear SOA port closed, then re-open it and restart SOA and Oracle Identity Manager.

After the servers are started with clear port open, you can close the clear port. It is only required to be opened for starting the servers.

10.3.88 Role Certification Creation Fails With Only Certify Policy Option Selected

Role certification for only policies does not create certifications. While creating a role certification with content selected to certify only policies, the scheduler jobs fail with the following error:

java.lang.Exception: Role certification creation succeeded but with the following errors: {0}. Role certification creation failed with the following error: null.

10.3.89 Duplicate Attribute Labels Displayed

While adding a custom attribute by using the Form Designer, the Add Content dialog box incorrectly displays two labels for the same custom attribute. For example, for the custom attribute Att1, labels Att1 and Att1_C are displayed. The correct label is Att1. If Att1_C is added, then it corrupts the sandbox, and the following error is generated:

JBO-25058: Definition Att1__c of type Attribute is not found in UserEO.

If the corrupted sandbox is published, then the customized screen is corrupted and does not open for any user. The only solution then is to rollback the sandbox. For information about rolling back the sandbox, search and see the technote "OIM 11gR2: How to Roll back A Published Sandbox" (ID 1496179.1) by navigating to the following URL:

https://support.oracle.com

10.3.90 Error in Clone Log During PasteConfig Operation

During pasteConfig operation, if the specified target OPSS datasource URL is different than the source OPSS datasource URL, then clone log will have some SQL errors. However, the pasteConfig operation completes successfully. This error can be ignored.

Error in logs:

INFO: Found persistence provider
"org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
INFO: Found persistence provider
"org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
[EL Severe]: --ServerSession(515759393)--Exception
[EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243):
org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-01017: invalid
username/password; logon denied

Error Code: 1017
oracle.security.jps.internal.credstore.ldap.LdapCredentialStore <init>
WARNING: Could not create credential store instance. Reason
oracle.security.jps.service.policystore.PolicyStoreException:
javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse
Persistence Services - 2.3.1.v20111018-r10243):
org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: ORA-01017: invalid
username/password; logon denied

Error Code: 1017
opss-DBDS:oracle.jdbc.OracleDriver:t2pp_
OPSS:jdbc:oracle:thin:@example.com:1521/orcl.example.com

10.3.91 Slow Database Connection

You may encounter the following error message due to slow database connection:

<Error> <oracle.iam.oimdataproviders.impl>
<BEA-000000> <java.sql.SQLException: Internal error: Cannot obtain
XAConnection weblogic.common.resourcepool.ResourceDisabledException: Pool
oimOperationsDB is Suspended, cannot allocate resources to applications..
oracle.iam.platform.entitymgr.vo.ConnectivityException:

If you come across such error messages, perform the following steps:

  1. Open the DOMAIN_HOME\bin\setSOADomainEnv.cmd file.

  2. Uncomment the following lines:

    EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES}
    -Dweblogic.resourcepool.max_test_wait_secs=30"
    export EXTRA_JAVA_PROPERTIES
    
  3. Save your changes and restart the Oracle Identity Manager managed Oracle WebLogic Server.

10.3.92 Scheduled Job Does Not Run

If any scheduled job does not run as scheduled, then perform any of the following:

  • Restart Oracle Identity Manager server.

  • Manually run the scheduled job from the UI by clicking Run Now.

10.3.93 QBE and User Membership Rule Work for Lookup Fields Only for Encoded Values

User membership rule for organizations and Query by example (QBE) work for custom lookup fields if the encoded lookup values are used instead of the display strings. For example, Account Status is a lookup with display values 'Locked' and 'Unlocked', but QBE and user membership rule work with Account Status if their encoded values are used, which are 1 and 0 respectively.

To workaround this issue, use simple or advanced search for searching custom lookup fields.

10.3.94 Role Name Displayed as Null

When creating a role certification with reviewer as Role Certifier, if a role has no certifier, then the certification job shows the following warning message:

java.lang.Exception: Role certification creation succeeded but with the following errors: Role certification will not contain role "null": Role has no role owner assigned to it.

The role name is displayed as 'null' in the warning message if the role does not contain a description.

10.3.95 Empty Results Displayed in the Organization Hierarchy and Management Hierarchy Tabs

If a user certification reviewer is in a different organization from the certifier, then empty results for the certifier are displayed in the organization hierarchy and management hierarchy tabs. This is because a reviewer cannot view the direct reports and organization hierarchy details of the certifier if the reviewer and certifier are members of different organizations, and are not related through the management hierarchy.

10.3.96 Request Approval Tasks Not Displayed in the Inbox With SSL Enabled

In a SSL-enabled Oracle Identity Manager setup with JDK 7u40 or later, request approval tasks are not displayed, and the following exception might be found in SOA logs:

Unable to invoke endpoint URI "https://oimhost:oimport/workflowservice/CallbackService" successfully due to: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send
failed:
sun.security.validator.ValidatorException: PKIX path validation failed:           java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA

To workaround this issue, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager, and validate if the SSL setup has been configured correctly:

10.3.97 Error Logged for Some OUD Operations When LDAP Synchronization is Enabled

In an environment in which LDAP synchronization is enabled, certain operations against OUD fail with one of the following errors in OUD logs:

The request control with Object Identifier (OID) "1.2.840.113556.1.4.319" cannot be used due to insufficient access rights

OR:

The request control with Object Identifier (OID) "1.3.6.1.4.1.26027.1.5.4" cannot be used due to insufficient access rights

To workaround this issue:

  1. Change the ACIs on control 1.2.840.113556.1.4.319 from ldap://all to ldap://anyone in OUD config file OUD_INSTANCE/config/config.ldif file, as shown:

    Change:

    ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
    

    To:

    ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31 || 1.2.840.113556.1.4.319" ||1.3.6.1.4.1.26027.1.5.4 ) (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
    
  2. Restart OUD and Oracle Identity Manager servers.

10.3.98 Error Thrown When Oracle Identity Manager Uses Database in Oracle Enterprise Linux 6

When Oracle Identity Manager instance points to the database, which is running on Oracle Enterprise Linux 6, OutOfMemoryError might be thrown.

To avoid this issue, perform the following steps in Oracle Enterprise Linux 6 host on which the database is installed:

  1. To fix any memory issue while starting database instances, add the following in the /etc/sysctl.conf file:

    kernel.shmmax = 12737418240 / kernel.shmall = 3109721
    
  2. To fix any java.lang.OutOfMemoryError while starting Oracle Identity Manager Managed Servers:

    1. Check ulimit -u or sudo cat /proc/PROCESS_ID/limits.

    2. Change soft and hard limit in the /etc/security/limits.conf file to 327680.

    3. Change soft limit in the /etc/security/limits.d/90-nproc.conf file to 327680.

10.3.99 The Design Console Hangs Intermittently

When Oracle Identity Manager is deployed on Microsoft Windows 2008 or 2012, the Design Console hangs intermittently while creating an adapter. After it hangs, there is no other way to kill the process and start a new session.

10.3.100 Lookup UDF Created with Maximum Length of 4000 Characters

New lookup UDFs are created with maximum length of 4000 characters although the default value is 100. Only the EO attribute (UI artifact) has the length constraint of 4000; backend database column has the correct length.

To workaround this issue, edit the UDF, set the correct length, and save the UDF.

10.3.101 UDF Not Removed From the Add Fields List

If a UDF is searchable, then it is displayed in the Add Fields drop down on the Search Users page. If you later mark the UDF as non-searchable by editing the UDF properties in the Form Designer, then the UDF is not automatically removed from the Add Fields drop down on the Search Users page.

To workaround this issue:

  1. Extract the sandbox ZIP file that was used for editing the attributes to make the UDF non-searchable.

  2. In a text editor, open the /persdef/oracle/iam/ui/common/model/user/view/mdssys/cust/site/site/UserVO.xml file.

  3. For all such attributes that did not get removed from Add Fields drop down, add the IsQueriable="false" attribute in the corresponding <ViewAttribute Name="attrName"> tag. For example:

    <ViewAttribute Name="UserTextUDF__c" EntityUsage="UserEO" EntityAttrName="UserTextUDF__c" AliasName="UserTextUDF__c" IsPersistent="false" xmlns="http://xmlns.oracle.com/bc4j" IsQueriable="false">
    
  4. Save, re-zip, and import the sandbox. Test the changes in activated sandbox state. Publish the sandbox.

10.3.102 Deployment Manager Does Not Open After Updating to Java 7 Update 51

The Deployment Manager does not open after updating to Java 7 update 51 because of security-related attribute permission not being present in the JAR manifest, which can be bypassed by updating the security information in the Java Console. To do so:

  1. Open the Java Console.

  2. Click the Security tab.

  3. Add the site name, which is in the following format:

    http://HOST:PORT/xlWebApp/DeploymentManager/loadDU.do
    

10.3.103 Periodic Scheduled Job Throws NullPointerException

While running any periodic scheduled job, a NullPointerException is thrown. This is because the job parameter key is null during job creation.

To workaround this issue, delete the scheduled job, create a similar job as non-periodic, and then change it to a periodic job.

10.3.104 Notification Sent Although Notification Template Status is Disabled

If an end user, who does not have the System Configuration Administrator admin role in Top organization, is used to send notification, then the notification is sent although the status of the notification template is Disabled.

To workaround this issue, provide the System Configuration Administrator admin role in the Top organization to the user.

10.3.105 OUD Changlelogs Purged Before Incremental Reconciliation Runs

In an integrated deployment of Oracle Unified Directory (OUD) and Oracle Identity Manager, OUD changelogs might be purged before the Oracle Identity Manager incremental reconciliation runs. This can cause the following error:

Caused By: oracle.ods.virtualization.service.VirtualizationException:
oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 53 :
[LDAP: error code 53 - Full resync required. Reason: The provided cookie is older than the start of historical in the server for the replicated domain : dc=hsgbu,dc=oracle,dc=com]

The cause of this error is that OUD purges its replication store according to the interval specified by OUD's replication-purge-delay. This resets OUD's external changelog cookie. The cookie contains the value used by Oracle Identity Manager when comparing against its own stored last changelog number. Consequently, if the value is reset before Oracle Identity Manager can reset it by processing new changelog events, then the last changelog number for Oracle Identity Manager will be out of date, and the error will be generated.

To workaround this issue, re-synchronize the integration between OUD and Oracle Identity Manager. To do so:

  1. Increase the changelog retention period in OUD as follows:

    1. (Optional) Display the current value of the replication purge delay by running the following command:

      $ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
        get-replication-server-prop \
        --provider-name "Multimaster Synchronization" --advanced \
        --property replication-purge-delay
      
    2. Change the purge delay by running the following sample command that changes the purge delay to one week:

      $ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
        set-replication-server-prop \
        --provider-name "Multimaster Synchronization" --set replication-purge-delay:1w
      
  2. Disable all the incremental jobs, if not already disabled. There is a total of six incremental jobs.

  3. Run the following full reconciliation jobs:

    • LDAP Role Delete Full Reconciliation

    • LDAP User Delete Full Reconciliation

    • LDAP Role Create and Update Full Reconciliation

    • LDAP Role Hierarchy Full Reconciliation

    • LDAP User Create and Update Full Reconciliation

    • LDAP Role Membership Full Reconciliation

  4. Get the latest changelog from OUD by running the following command:

    ldapsearch -h OUD_HOST -p OUD_PORT -D "cn=Directory Manager" -w PASSWORD -b "" -s base "objectclass=*" lastExternalChangelogCookie
    
  5. Update all six incremental jobs with the value obtained in step 4, and enable the incremental jobs.

10.3.106 Icon Not Displayed in Internet Explorer 11

When you open the Expression Builder to add or edit a rule in the Members tab for roles or organizations using Windows Internet Explorer 11, the icons to select AND, OR, and Remove are not displayed properly.

10.3.107 Offline Certification Not Supported in Internet Explorer 11

User certification in offline mode is not supported when Windows Internet Explorer 11 web browser is used.

10.3.108 Deployment Manager Fails to Import or Export

While using the Deployment Manager to import/export, the XML file generated while exporting cannot be saved, and the XML file cannot be read while importing. No error message is logged for this issue, but it is displayed that Java 1.3 or 1.4 is not letting I/O operations.

To grant permissions for I/O operations, add the following to the JRE/lib/security/java.policy:

grant {
    permission java.io.FilePermission "<<ALL FILES>>", "write";
};

This issue can occur with any Oracle Identity Manager version or Java version. Therefore, Java settings must be verified if Deployment Manager is throwing an error in reading the XML file during import when it prompts to select the XML file in the final step of exporting the file.

10.4 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

10.4.1 Benign Connection Error From OIA For SoD Check

A connection error stating Argument(s) "type" can't be null is displayed intermittently when Oracle Identity Analytics (OIA) is configured for SoD Check, and an SoD Check is initiated. The error is as shown:

Caused By: oracle.iam.grc.sod.exception.SILServiceComponentException:  
oracle.iam.grc.sod.scomp.impl.oia.analysis.SoDAnalysisExecutionOperOIA :
initializeUnable to connect to OIA Server : Argument(s) "type" can't be null.

This is a benign error and causes no functional loss.

10.4.2 Use Absolute Paths While Running configureSecurityStore.py With -m Join

The Config Security Store fails to create the policy store object when using variables, such as ORACLE_HOME and MW_HOME, while running wlst.sh using configureSecurityStore.py with -m join. Always use absolute paths for ORACLE_HOME and MW_HOME while running the command for -m join.

10.4.3 Oracle Identity Manager Fails to Find orclPwdExpirationDate

When OAM integration is enabled in Oracle Identity Manager that is configured with libOVD/OID, ODSEE, OUD, or AD, Oracle Identity Manager reset user password fails, and the Attribute orclpwdexpirationdate is not supported in schema error message is generated.

To workaround this issue, change the backend IDStore schema. To do so:

  1. Create new attributetypes: ( 2.16.840.1.113894.200.1.7 NAME 'orclPwdExpirationDate' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE USAGE userApplications ).

  2. Modify the orclIDXPerson objectclass to include orclPwdExpirationDate as an optional attribute.

10.4.4 Design Console Login Failure With SSL Enabled

If SSL is enabled on the Design Console, then login to the Design Console might fail with the following 'Invalid Login' error:

Error Keyword: DAE.LOGON_DENIED
Description: Invalid Login.
Remedy: Contact your system administrator.
Action: E
Severity: H
Help URL:
Detail:
javax.security.auth.login.LoginException: java.lang.NoClassDefFoundError:
com/rsa/jsafe/JSAFE_InvalidUseException
    at
weblogic.security.SSL.SSLClientInfo.getSSLSocketFactory(SSLClientInfo.java:101
)
    at
weblogic.socket.ChannelSSLSocketFactory.getSocketFactory(ChannelSSLSocketFactory.java:185)

To workaround this issue, copy the MIDDLEWARE_HOME/modules/cryptoj.jar file to $OIM_HOME/designconsole/ext/ directory and login again.

10.4.5 Create User Event Fails in Integrated Environment

In an integrated environment of Oracle Access Manager, Oracle Identity Manager, and libOVD, for the Oracle Identity Manager create user event, the oblockedon attribute is not populated with the current date and time when orclAccountlocked=true. The attribute is populated with 0 value when orclAccountLocked=false.

To workaround this issue, apply the patch for the following OVD bug:

Bug# 16482350: OIM-OAM-LIBOVD:OUD: IAM-205024 FOR CREATING OIM USER

10.4.6 Insufficient Memory Causes Server Startup Failure

If Oracle Identity Manager server fails to start because of insufficient native memory for Java, then make sure to set memory settings to accommodate heap size.

When Oracle Identity Manager is installed on Microsoft Windows with Jrocket Java (for example jrockit-jdk1.6.0_37-R28.2.5-4.1.0), Java/JVM gets terminated when servers are started. This is caused by the -Xmx2048m memory settings for the CUSTOM_MEM_ARGS_64BIT environment variable in the setDomainEnv script. To avoid this issue, this memory setting must be changed to the recommended value. Here setting it to a value of -Xmx1538m resolves the issue. To do so:

  1. In a text editor, open the $DOMAIN_HOME/bin/setDomainEnv.cmd file.

  2. In the following snippet:

    if "%JAVA_VENDOR%"=="Oracle" (
    set CUSTOM_MEM_ARGS_64BIT=-Xms1024m -Xmx2048m -XX:PermSize=512m -XX:MaxPermSize=1024m
    set CUSTOM_MEM_ARGS_32BIT=-Xms1024m -Xmx2048m -XX:PermSize=512m -XX:MaxPermSize=1024m
    ) else (
    set CUSTOM_MEM_ARGS_64BIT=-Xms1024m -Xmx2048m -XX:PermSize=512m -XX:MaxPermSize=1024m -XX:ReservedCodeCacheSize=256m
    set CUSTOM_MEM_ARGS_32BIT=-Xms1024m -Xmx2048m -XX:PermSize=512m -XX:MaxPermSize=1024m -XX:ReservedCodeCacheSize=256m
    )
    

    Modify the lines with CUSTOM_MEM_ARGS_64BIT within the If condition to the following for 64-bit host. Otherwise, modify CUSTOM_MEM_ARGS_32BIT.

    set CUSTOM_MEM_ARGS_64BIT=-Xms1024m -Xmx1538m -XX:PermSize=512m -XX:MaxPermSize=1024m
    
  3. Save the setDomainEnv.cmd file and restart the servers.

10.4.7 OIMSignatureAuthenticator Not Configured for Oracle Identity Manager Domain Security Realm

In a Oracle Identity Manager deployment that is integrated with Access Manager (OAM), OIMSignatureAuthenticator is not configured in the Oracle Identity Manager domain's security realm. As a result, the following error can occur on the Oracle Identity Manager server:

<Error> <XELLERATE.ACCOUNTMANAGEMENT> <BEA-000000> <Class/Method: tcUtilityFactory/tcUtilityFactory(Hashtable env, tcSignatureMessage poUserIDMessage) encounter some problems: javax.security.auth.login.LoginException: java.lang.SecurityException: [Security:090304]Authentication Failed: User xelsysadm javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xelsysadm denied
javax.security.auth.login.LoginException: javax.security.auth.login.LoginException: java.lang.SecurityException: [Security:090304]Authentication Failed: User xelsysadm javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xelsysadm denied
        at weblogic.security.auth.login.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:199)

This exception can occur in any one of the following scenarios:

  • You are using a 9.x connector, which performs signature-based login to Oracle Identity Manager. To perform signature-based client login in an Oracle Identity Manager deployment integrated with OAM, the following configuration must be performed:

    1. Login to the WebLogic Administrative Console.

    2. Go to Security realms, myrealm, Providers, Authentication.

    3. Click New, add OIMSignatureAuthenticator, and provide a name, such as OIMSignatureAuthenticator.

    4. Click OIMSignatureAuthenticator that you added in step 3, and set the control flag as SUFFICIENT from the drop down. Save the changes.

    5. Click Reorder, and re-order the existing authentication providers as follows:

      • OAMIDAsserter

      • OIMSignatureAuthenticator

      • LDAPAuthenticator (such as OID/OUD, depending on the directory type)

      • DefaultAuthenticator

      • DefaultIdentityAsserter

    6. Save and activate the changes done so far.

    7. Restart all the servers running in the Oracle Identity Manager WebLogic domain.

  • You have custom Oracle Identity Manager client code, which performs signature-based login by using the tcUtilityFactory or OIMClient APIs. For this scenario, resolve the issue by referring to "Using OIMClient and tcUtilityFactory in Integrated Deployments" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

10.5 Multi-Language Support Issues and Limitations

This section describes multi-language issues and limitations. It includes the following topics:

10.5.1 UI Components are Displayed in English on non-English Web Browsers

On the Lookups or Form Details pages in Oracle Identity System Administration, UI components are displayed in English on non-English web browsers.

This is known issue, and a workaround is currently not available.

10.5.2 BI Publisher 11g Reports Displayed in English Although Translation Files Are Available

Oracle Identity Manager 11g Release 2(11.1.2) supports BI Publisher 11g for Oracle Identity Manager reports. The translations for these Oracle Identity Manager reports must be manually imported. Oracle Identity Manager has centralized translations, each locale has a XLIFF (.xlf) file for all the Oracle Identity Manager reports.

By default, all BI Publisher 11g reports are displayed in English. Import the translations files to BI Publisher.

To import a XLIFF file:

  1. In Oracle BI Publisher Enterprise, select the Oracle Identity Manager folder in the catalog.

  2. Click the Translation toolbar button, and then select Import XLIFF.

  3. Click Browse to locate the translated file, and then select the appropriate locale from the list.

  4. Click Upload.

First, upload all the transaction files in the catalog for each report. Select the report, and then change the report locale and UI language locale to run the report in different locale.

10.5.3 Date Format in BI Publisher Report Not Displayed Per Report Locale Setting

The date format in the content and footer of the BI Publisher report is not displayed according to the value specified in Report Locale setting for the logged-in user.

This is a known issue, and a workaround is currently not available.

10.5.4 Translated Values Not Displayed for User Type and Locale

In the Create User and Modify pages, values of the following attributes are displayed in English irrespective of the browser language setting:

  • User Type, in the Basic Information section

  • Locale, in the Preferences section

This is a known issue, and a workaround is currently not available.

10.5.5 Catalog Search With Special Non-ASCII Characters Do Not Work Correctly

If catalog items, such as roles, application instances, and entitlements, contain special non-ASCII characters, such as some German, Greek, or Turkish characters, then the search pattern with these characters do not return correct results.

This is a known issue, and a workaround is currently not available.

10.5.6 Polish Translation of BI Publisher Files Do Not Work

BI Publisher 11.1.1.6.0 and 11.1.1.7.0 cannot handle the string colon(:). Therefore, Polish translation of BI Publisher files do not work correctly.

This is a known issue, and a workaround is currently not available.

10.5.7 Localized String for Cart is Truncated in the Catalog Search Results Page

In the Catalog Search Results page, the localized string for Cart on the top right of the page is displayed as truncated text.

This is a known issue, and a workaround is currently not available.

10.5.8 Values Not Displayed Per Browser Language Setting

Some fields with drop-down list are displayed in English instead of the browser language setting. For example:

  • The following option values of the SortBy list on the Catalog Search page:

    • Type

    • Display Name

  • The following option values of the Risk Level list on the Detailed Information panel of the Catalog search result page:

    • High Risk

    • Medium Risk

    • Low Risk

  • The following Task Status option values in the Search panel, and values under Task Status column of Search Results table on the Provisioning Tasks page:

    • Pending

    • Rejected

  • Values in the Type list on the Form Designer page.

This is a known issue, and a workaround is currently not available.

10.5.9 Challenge Questions and Password Policy Messages Displayed in Server Locale

After restarting Oracle Identity Manager and navigating to the self registration or Forgot Password pages when no user is logged in, the Challenge Questions and Password Policy messages are intermittently displayed in server locale instead of browser locale.

To workaround this issue, login to Oracle Identity Self Service by using any available user login credentials after Oracle Identity Manager is started or restarted.

10.5.10 Values for Organization Type and Status Displayed in English

The values in the Organization Type or Status lists in some pages are displayed in English although the browser is set with a non-English locale. For example:

  • The values in the Organization Type or Status lists in the Admin Roles tab of the My Access page in Oracle Identity Self Service.

  • The values in the Organization Type or Status lists for any selected admin role in the Admin Roles tab of User Details page in Oracle Identity Self Service.

  • The values in the Organization Type or Status lists in the Organizations tab of Role Details page in Oracle Identity Self Service.

  • The values in the Organization Type or Status lists for any selected suborganization in the Children tab of Organization Details page in Oracle Identity Self Service.

  • The values in the Organization Type or Status lists in the Search Parent Organization dialog box when creating new organization in Oracle Identity Self Service.

  • The Type column of the Organizations tab of the Application Instances page in Oracle Identity System Administration.

This is a known issue, and a workaround is currently not available.

10.5.11 MLS and MR Support Not Available

Multi-Language Support (MLS) and Multi-Representation (MR) support are not available for Role Display Name and User Display Name in Oracle Identity Self Service.

10.5.12 Error Displayed If User Login Contains Special Character

If user login name contains a special character, such as German Esszet character or Turkish dotted I character, then the following error message is displayed on clicking Inbox on the left navigation pane in Oracle Identity Self Service:

An internal error has occurred. Please contact the administrator or Oracle support for help

10.5.13 Task Stage Name and Task Assignee Label Displayed in English

When you open the request details in the Track Requests page and navigate to the History Panel in the Approval Details tab, the task stage name and task assignee label are displayed in English instead of the translated language.

10.5.14 Escalating Request Displayed Warning in Server Locale

If a request assignee has no manager, then escalating this request displays a warning message. The warning message is displayed in server locale instead of browser locale.

10.5.15 Some Predefined View Names Cannot Be Translated

The following predefined view names in the Inbox are hard coded in English and cannot be translated:

  • Pending Approvals

  • Pending Certifications

  • Manual Provisioning

10.5.16 Request Task Details Displayed in Server Locale

From the Home page or Inbox in Oracle Identity Self Service, when you open a task, the task detail is displayed in server locale instead of browser locale.

To workaround this issue:

  1. Navigate to the Inbox in Oracle Identity Self Service.

  2. Click the Edit User Preferences icon on the Worklist Views section toolbar. The Edit User Preferences dialog box is displayed.

  3. For Use language settings of, select the Browser option.

  4. Click OK.

10.5.17 Oracle Identity Manager Operation Names Not Translated in Enterprise Manager

In Oracle Identity Manger Administration pages of Oracle Enterprise Manager that provides business operation diagnostic capabilities, there is no translation for the operation names. The following operation names are not translated:

  • Modify an Account by Access Policy

  • Revoke an Account by Access Policy

  • Disable an Account by Access Policy

  • Enable an Account by Access Policy

  • Provision an Account by Access Policy

  • Modify Account

  • Revoke Entitlement

  • Assign Role Membership

  • Delete Role Membership

  • Create User

  • Change Password

  • Reset Password

  • Enable User

  • Disable User

  • Delete User

  • Modify User

  • Modify Role Membership

  • Lock User

  • Unlock User

  • Add Proxy

  • Update Proxy

  • Remove Proxy

  • Remove All Proxies

  • Set Challenge Question Answers

  • Password Expired

  • Provision Account

  • Grant Entitlement

  • Modify Entitlement

  • Disable Account

  • Enable Account

  • Revoke Account

  • Change Account Password

  • Evaluate Policies

  • Bulk Request

  • Associate Application Instance with reconciled account

  • Update Application Instance with reconciled account

  • Delete Application Instance with reconciled account

  • Create Role

  • Modify Role

  • Delete Role

  • Modify Role Auto group membership rule

10.5.18 Display Label Not Shown Correctly When Browser Language is Switched

When the resource type form, such as form for AD User, is created with browser language XX-YY, Display Label is shown correctly in the browser language XX-YY. However, when the browser language is switched to others, for example XX or MM-NN, and the same form is opened, Display Label is shown incorrectly as UD_XXXXX similar to the Name value.

To workaround this issue:

  1. Create the resource type form with browser language as XX.

  2. Apply the new create resource type form to application instance. Then, you can view the form with the correct browser language XX and XX-NN.

For example, for Japanese language, create the resource type form with browser language ja. Then, the form is displayed correctly with browser language of both ja and ja-JP.

10.5.19 User Type Values Not Translated

The following values of the User Type list are displayed in English on the Create User page irrespective of the browser language setting:

  • Employee

  • Contingent Worker

  • Non Worker

  • Other

To workaround this issue:

  1. Navigate to the $ORACLE_HOME/server/apps/oim.ear/APP-INF/classes/ directory.

  2. Open the xlWebAdmin_LANG.properties file for your locale. For example, open the xlWebAdmin_ja.properties file for Japanese language.

  3. Add following lines with unicode text and save the file.

    global.Lookup.Users.Role.EMP=\u5F93\u696D\u54E1
    global.Lookup.Users.Role.CWK=\u6D3E\u9063\u5C31\u696D\u8005
    global.Lookup.Users.Role.NONW=\u975E\u5C31\u52B4\u8005
    global.Lookup.Users.Role.OTHER=\u305D\u306E\u4ED6
    

    The lines of code are translations for Employee, Contingent Worker, Non Worker, and Other respectively.

  4. Restart Oracle Identity Manager.

10.5.20 Online Help Translated in Nine Languages

Oracle Identity Manager online help is not translated in all supported languages. It is translated in the following languages:

  • Brazilian Portuguese

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Simplified Chinese

  • Spanish

  • Traditional Chinese

10.6 Documentation Errata

Currently, there are no documentation issues to note.