This chapter describes issues associated with the installation and configuration process of Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0). It includes the following sections:
This section describes general issues and workarounds. It includes the following topics:
Section 2.1.2, "Error Displayed in the Oracle Access Management Managed Server Logs"
Section 2.1.3, "Mandatory Patches for Enabling SSL on Oracle HTTP Server"
Section 2.1.5, "Modifying the Server Side Property for Oracle Identity Manager"
Section 2.1.7, "OAM Server Startup Fails After Applying WebLogic Server Patches"
Section 2.1.8, "Applications Will Not Start After WebLogic Server is Updated"
On AIX, the Simple security mode does not work with Oracle Access Management Server 11.1.2.
Workaround: Use either the Open or Cert security mode.
When you try to edit the policy in the Oracle Access Management administration console log, the following error is displayed in the Oracle Access Management managed server logs:
<oracle.jps.policymgmt> <JPS-10606> <Failed to distribute policy to PDP OracleIDM for catch exception oracle.security.jps.service.policystore.PolicyStoreException: JPS-04028: Application with name "cn=OAM11gApplication,cn=jpsXmlFarm,cn=JPSContext,cn=jpsXmlRoot" does not exist..>
This exception is displayed every ten minutes even when the server is idle.
Workaround:
Remove the following properties from the jps-config.xml file after the installation with -C option from pdp.service instance properties.
<property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/> <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
Add the following new property to pdp.service instance properties:
<property name="oracle.security.jps.pd.client.PollingTimerInterval" value="10"/>
The value is in seconds, set the appropriate value as required by Oracle Access Management. The changes must be made only for Oracle Identity Management installs like Oracle Identity Manager or Oracle Access Manager.
The following is an example of a pdp.service instance in the jps-config.xml file after running the configSecurityStore command.
<serviceInstance name="pdp.service" provider="pdp.service.provider"> <description>Runtime PDP service instance</description> <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="mixed"/> <property name="oracle.security.jps.runtime.instance.name" value="OracleIDM"/> <property name="oracle.security.jps.runtime.pd.client.sm_name" value="OracleIDM"/> <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/> <property name="oracle.security.jps.policystore.refresh.enable" value="true"/> <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/> </serviceInstance>
This section describes the mandatory patches to be downloaded and installed for enabling SSL on Oracle HTTP Server.
Note:
For information about any additional patches that you must apply, see Section 1.5, "Downloading and Applying Required Patches"| Platform | Patch |
|---|---|
| Solaris (64 bit) | 14264658 |
| Microsoft Windows x64 (64 bit) | 14264658 |
| Solaris x86-64 (64 bit) | 14264658 |
| IBM AIX (64 bit) | 14264658 |
| Linux x86-64 | 14264658 |
To download the patches, do the following:
Log in to My Oracle Support.
Click Patches & Updates.
Select Patch name or Number.
Enter the patch number.
Click Search.
Download and install the patch.
To change log levels to SEVERE, do the following:
Logging.xml must have level=SEVERE for all log handlers and loggers (OAM_Server1, OIM_Server1, SOA).
Log in to Admin Console http://Hostname:port/console.
Click Lock and Edit to unlock the domain.)
Click Servers link.
Click on the server you want to make changes to.
Click Logging.
Click Advanced.
Do the following to change the log levels in Message destination(s):
| Message destinations | Severity Level Desired | Default Setting |
|---|---|---|
| Log File | warning | Trace |
| Standard out | error | Notice |
| Domain log broadcaster | error | Notice |
| Memory Buffer Severity | error | Blank |
Click Save.
Click Activate Changes
Restart Servers
Repeat the process for all desired servers (OAM_Server1, OIM_Server1, SOA).
The scheduler.disabled system property is required if you want to control scheduler start or stop on a clustered setup.The scheduler.disabled system property must be set to true if you don't want to start scheduler service on that node of cluster and vice-versa.
Following are the steps to modify the scheduler.disabled system property using Weblogic console:
Log in to the Oracle WebLogic Administration Console using the WebLogic administrator credentials.
Under Domain Structure, click Environment > Servers. The Summary of Servers page is displayed.
Click on the Oracle Identity Manager server name (for example, oim_server1). The Settings for oim_server1 is displayed.
Click Configuration > Server Start.
In the Arguments text box, change the existing property scheduler.disabled = false/true.
Click Save.
Click Activate Changes.
Restart the Oracle Identity Manager Managed Server.
Note:
After you modify thescheduler.disabled system property, you must start the Managed Server using the Node Manager.When you install Oracle Identity and Access Management on Windows 2012, the Identity and Access link does not appear on the Enterprise Manager Console.
Workaround:
As a workaround, you must complete the following steps after configuring Oracle Identity Manager:
Copy the ORACLE_HOME\server\setup\templates\wls\oim-mbeans.xml file to the DOMAIN_HOME\config\fmwconfig\mbeans directory.
Create a new directory called oim at the following location:
DOMAIN_HOME\config\fmwconfig\mbeans
Copy the ORACLE_HOME\server\setup\templates\wls\oim-clustermbean.jar file to the DOMAIN_HOME\config\fmwconfig\mbeans\oim directory.
Restart the OIM server.
For releases 11.1.1.5 to 11.1.2.x, after applying WebLogic Server patches using the Patchset Assistant tool, if you try to create a new OAM domain, and try to start the OAM servers, the OAM Administration Server and OAM Managed Servers fails to start.The following error is displayed:
Patched WLS Will Break Access to OAM Policy Store - "OAMSSA-06252: The policy store is not available;"
Workaround:
As a workaround, complete the following steps:
Using a text editor, open the DOMAIN_HOME/bin/SetDomainEnv.cmd file (on Windows) or DOMAIN_HOME\bin\SetDomainEnv.sh (on UNIX), and add the following lines:
WLS_PATCHVERSION=WLS_version_no
export $WLS_PATCHVERSION
where WLS_version_no is wls_patch1035 if you are using Oracle WebLogic Server 10.3.5, or WLS_version_no is wls_patch1036 if you are using Oracle WebLogic Server 10.3.6.
Search for JAVA_PROPERTIES in the SetDomainEnv.cmd file (on Windows) or SetDomainEnv.sh (on UNIX), and add the following:
JAVA_PROPERTIES="-Dplatform.home=${WL_HOME} -Dwls.home=${WLS_HOME} -Dweblogic.home=${WLS_HOME} -Dwlspatch=${WLS_PATCHVERSION} "
Restart the OAM Administration Server and OAM Managed Servers.
After applying the latest patches to Oracle WebLogic Server, the WL_HOME/server/lib/weblogic.policy file must be edited to include the following entry in order for Middleware services such as Discoverer, Access Manager, and Identity Manager to start:
grant codeBase "file:MW_HOME/WLS/patch_jars/-" {
permission java.lang.RuntimePermission "oracle.*","read";
};
Replace MW_HOME with the location of your Middleware home directory.
Replace WLS with one of the following:
patch_wls1034 for WebLogic Server version 10.3.4
patch_wls1035 for WebLogic Server version 10.3.5
patch_wls1036 for WebLogic Server version 10.3.6
This section describes installation issues and workarounds. It includes the following topics:
Section 2.2.1, "Error when Installing Oracle Identity Manager Design Console"
Section 2.2.2, "Mandatory Patches Required for Installing Oracle Identity Manager"
Section 2.2.4, "Prerequisite Checks Fails When Installing SOA on Windows 2012"
Section 2.2.9, "SOA-INFRA Component Fails to Start up After Installing SOA in Silent Mode"
When you are trying to install Oracle Identity Manager Design Console on a Windows machine that has firewall between the machine and the Oracle Identity Manager server, the following error message is displayed when you run the config.cmd command:
Error in validating the Hostname field value.Entered host is not up and running
To install Oracle Identity Manager Design Console, you must open port 7 in the firewall.
This section describes the necessary patches that you must apply for installing and configuring Oracle Identity Manager.
Note:
This section provides the mandatory patches that were available at the time of publishing the release notes. For additional changes and revised patch requirements, see My Oracle Support Document ID 1600323.1.Table 2-1 provides information about the mandatory patches required for Oracle Identity Manager. Please note that these patches can be applied in any order.
For information about any additional patches that you must apply, see Section 1.5, "Downloading and Applying Required Patches"
Table 2-1 Patches Required to Fix Specific Issues with Oracle Identity Manager 11gR2 (11.1.2.2.0)
| Oracle Fusion Middleware Product or Component | Patch Number/Name | When to Apply? | Description |
|---|---|---|---|
|
Oracle WebLogic Server |
18398295 |
After installing Oracle Identity and Access Management |
This Oracle WebLogic Server patch is required only if you are using Multi Byte Character Set. Follow the |
|
Oracle WebLogic Server |
14404715 |
After installing Oracle Identity and Access Management |
This is a mandatory Oracle WebLogic Server patch. Follow the |
|
Oracle WebCenter Portal |
18334433 |
After installing Oracle Identity and Access Management |
This is a mandatory Oracle WebCenter Portal patch. Follow the |
|
Oracle Fusion Middleware - Dynamic Monitoring Service |
18748961 |
After installing Oracle Identity and Access Management |
This is a mandatory Dynamic Monitoring Service patch. Follow the |
|
Enterprise Manager for Fusion Middleware |
18334644 |
For IBM WebSphere, apply this patch before the cell creation for changes to take effect. |
This is a mandatory Enterprise Manager patch only if you are using IBM WebSphere. Follow the |
|
Oracle Business Process Management Suite |
19190139 |
After installing Oracle SOA Suite |
This is a mandatory Oracle Business Process Management Bundle Patch 11.1.1.7.5 patch. Follow the |
|
Oracle Business Process Management Suite |
17897950, 18244420, 19457718, 19471000, 18416233, 19702081, 16677877, 19926333 |
After installing Oracle SOA Suite |
These mandatory Oracle Business Process Management Suite patches need to be applied after Oracle Business Process Management has been upgraded to Bundle Patch 11.1.1.7.5 using patch 19190139. Select patch version 11.1.1.7.5, download the patches, and follow the |
|
Oracle Platform Security for Java |
19281598 |
After installing Oracle Identity and Access Management |
This is a mandatory Oracle Platform Security Services (OPSS) patch if you are using IBM WebSphere 7.0.0.33. Follow the |
|
Oracle Application Development Framework |
20265562 |
After installing Oracle Identity and Access Management |
This is a mandatory Oracle Application Development Framework patch. Follow the |
|
Oracle Application Development Framework |
18373763 |
After installing Oracle Identity and Access Management |
This Oracle Application Development Framework patch is required only for Oracle Identity Manager cluster upgrade on the IBM WebSphere platform. |
|
Oracle Business Intelligence Publisher |
16556157 |
After installing Oracle BI Publisher 11.1.1.7.0 |
This is an Oracle Business Intelligence Publisher patch. If you want to run Reports on Oracle Identity Manager 11.1.2.2.0, you must install Oracle BI Publisher 11.1.1.7.0, and then apply the patch number 16556157. Follow the |
|
Oracle Virtual Directory - Identity Virtualization Library (libOVD) |
19779563, 18762607 |
After installing Oracle Identity and Access Management |
These patches are mandatory Oracle Virtual Directory 11g Release 1 (11.1.1.7.0) patches if you are using Identity Virtualization Library (libOVD). Note that these patches are classified as Oracle Virtual Directory patches. Select patch version 11.1.1.7.0, download the patches, and follow the |
|
Oracle Virtual Directory |
17196811 |
After installing Oracle Identity and Access Management |
This is an Oracle Virtual Directory patch. Follow the |
|
Oracle Unified Directory |
19157573 |
After installing Oracle Unified Directory |
This is a mandatory patch for deployments where Oracle Identity Manager is configured to LDAPSync with Oracle Unified Directory 11g Release 2 (11.1.2.2) as the LDAP identity store. If you have Oracle Unified Directory patch 18461856 applied in your environment, then roll it back before applying patch 19157573. For patching instructions, refer to My Oracle Support Document ID 1905631.1, which is available from My Oracle Support. |
|
Silent Installation of Oracle Identity Manager |
18270453 |
This patch contains an archive of custom scripts and response files required for the end-to-end silent installation and configuration of Oracle Identity Manager. The archive contains scripts for silent installation on Oracle WebLogic Server and on IBM WebSphere. For more information, see "End-to-End Silent Installation and Configuration for Oracle Identity Manager" in the Oracle Fusion Middleware Installation Planning Guide. |
|
|
Oracle Identity Manager |
18494370 |
After Installing Oracle Identity and Access Management 11.1.2.2.0 |
This is a mandatory Oracle Identity Manager patch if you are upgrading to 11.1.2.2.0 on IBM WebSphere Platform. |
|
Oracle Service Delivery Platform |
17565911 |
After installing Oracle Identity and Access Management |
This is a mandatory Service Delivery Platform patch if you are upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.2). Follow the |
|
Repository Creation Utility (RCU) |
|
This is a mandatory Repository Creation Utility patch that must be applied if the following error is encountered when running Repository Creation Utility (RCU) during Oracle Identity Manager 11g Release 2 (11.1.2.2) installation:
Oracle Identity Manager Database schema creation fails in some 64-bit operating system environments because the existing SQLPlus shell binary might not be supported on these environments. To fix this issue, refer to My Oracle Support Document ID 1681410.1, which is available from My Oracle Support. This Support Note provides important information about this patch that must be applied to RCU. This patch consists of the |
To download the patches, do the following:
Log in to My Oracle Support.
Click Patches & Updates.
Select Patch name or Number.
Enter the patch number.
Click Search.
Download and install the patch.
If you are using Oracle WebLogic Server, the patching instructions are mentioned in the README.txt file that is provided with each patch.
If you are using IBM WebSphere, follow the instructions provided below:
Navigate to Patch_Home directory where the patch is located.
Set the environment variable ORACLE_HOME to point to the SOA_HOME directory.
For example:
setenv ORACLE_HOME /mydirectory/myfolders/Oracle_SOA1
Set the environment variable PATH to point to the OPatch directory.
For example:
setenv PATH /mydirectory/myfolders/Oracle_SOA1/OPatch:$PATH
Execute the opatch command, as follows:
opatch apply -jdk Path_To_IBM_jdk
For example:
opatch apply -jdk WAS_HOME/java
In a join domain scenario between Oracle Identity Manager and Oracle Access Management, the keystore file configured in Oracle Platform Security Services configuration does not exist but passwords are already available from OIM installation in the Credential Store Framework store. Hence, when Oracle Access Management Server tries to store the key store file, it fails as the key already exists.
Workaround:
Before starting the Administration server, copy the key store file from Oracle Identity Manager domain to Oracle Access Management domain's key store location.
For example: Copy the default keystore (.jks) file from <OIM domain>/config/fmwconfig to <OAM domain>/config/fmwconfig.
Note:
This step should be performed after you have configured the Oracle Access Management domain usingconfig.sh but before you start the Administration Server.In Oracle Identity Manager domain, look for default context in jps-config.xml.
Under this locate keystore service and keystore file location.
Copy this keystore (.jks) file to the location defined in Oracle Access Management domain key store location under Oracle Platform Security Services (jps-config.xml) configuration.
When you install SOA on Windows 2012, the prerequisite checks fails.
Workaround:
This error can be ignored by specifying -ignoreSysPrereqs when you start the Oracle SOA Suite installer.
At the end of the installation, the 11g Release 2 Oracle Universal Installer also applies the one-off patches using OPatch. When applying the patches, the installer does not use the specified JVM, but it uses the JVM that is present in the MW_HOME. The MW_HOME has a 32-bit JVM. This results in OPatch failure.
Workaround:
The Oracle Universal Installer successfully applies the one-off patches using OPatch, when the Oracle WebLogic Server is installed with a 64-bit JVM in the MW_HOME.
During the Oracle Identity and Access Management 11g Release 2 (11.1.2) installation, you may see Opatch errors when the installer applies one-off patches. The following errors are displayed in the logs:
OPatch failed with error code 39
]
stderr=[[ Error during Prerequisite for apply Phase]. Detail: OPatch
failed during prerequisite checks: Prerequisite check
"CheckPatchApplicableOnCurrentPlatform" failed.
Prerequisite check "CheckApplicable" failed.
]
Description and Workaround:
These are warning messages which can be ignored.
OPatch failed with error code 25
]
stderr=[[ Error during Oracle Home discovery Phase]. Detail: OPatch
failed: ApplySession failed to prepare the system.
To run in silent mode, OPatch requires a response file for Oracle
Configuration Manager (OCM).
Please run "/scratch/FMW_OAM/Oracle_OAM/OPatch/ocm/bin/emocmrsp" to generate
an OCM response file. The generated response file
can be reused on different platforms and in multiple OPatch silent installs.
To regenerate an OCM response file, Please rerun
"/scratch/FMW_OAM/Oracle_OAM/OPatch/ocm/bin/emocmrsp".
Description and Workaround:
This issue occurs if the OPatch version in the MW_HOME is 11.1.0.10.x. The workaround for this issue is to revert back to OPatch version 11.1.0.9.9 before applying one-off patches.
When you try to install Oracle Identity and Access Management on an Oracle Enterprise Linux 6 bare metal x64 machine, the prerequisite checks fails.
Workaround:
Start the installer using the -ignoreSysPrereq parameter.
./runInstaller -ignoreSysPrereq
When you try to install Oracle Identity and Access Management on Red Hat Enterprise Linux 6.x, the prerequisite checks fails.
Workaround:
This issue has two workarounds. You can choose to perform any of them. The workarounds are:
Install redhat-lsb-core-4.0-7.el6 for x86_64 package. For information about supported operating systems and version, see Oracle Fusion Middleware System Requirements and Specifications.
Apply Patch number 16963926. For information about downloading the patch and applying it, refer to the instructions described in Section 2.2.2, "Mandatory Patches Required for Installing Oracle Identity Manager".
Oracle Identity Manager requires Oracle SOA Suite. This issue occurs when you install and configure Oracle SOA Suite in silent mode. After installing and configuring Oracle SOA Suite in silent mode, when you start the soa-infra component, it fails with the following error message in the server log file (<domain home>/servers/soa_server1/logs/soa_server1.log):
java.lang.NoClassDefFoundError: weblogic/sca/api/ScaReferenceProcessor.
The workaround for this issue is described in the following support note:
This section describes configuration issues and their workarounds. It includes the following topics:
Section 2.3.2, "Launching Oracle Identity Manager Configuration Wizard on AIX with JDK7"
Section 2.3.3, "Unable to Add Weblogic Password in the Fusion Middleware Configuration Wizard"
Chapter 2, "Use Absolute Paths While Running configureSecurityStore.py With -m Join"
Section 2.3.7, "Weblogic Server Configuration Wizard does not support JDK6 on AIX7"
Section 2.3.12, "OES Configuration Using JBoss as a Security Module Throws Error on AIX"
Section 2.3.13, "Configuring Database Security Store Fails with JVM Error"
Section 2.3.14, "Configuring SSL When Configuring Database Security Store"
When you start the Oracle Fusion Middleware Configuration Wizard, by running the config.cmd or the config.sh command, the following error message is displayed:
*sys-package-mgr*: can't create package cache dir
The error message indicates that the default cache directory is not valid. You can change the cache directory by including the-Dpython.cachedir=<valid_directory> option in the command line.
You can not launch Oracle Identity Manager Configuration Wizard on AIX with JDK7, when you run the script $<ORACLE_HOME>/bin/config.sh
The Oracle Universal Installer window appears if you add the -jreLoc option in the command line: $<ORACLE_HOME>/bin/config.sh -jreLoc <JRE_HOME>
In the Fusion Middleware Configuration Wizard, you cannot add Weblogic password in the Configure Administrator User Name and Password screen.
Workaround:
When you are prompted to enter the Weblogic user password, you may not be able to enter the password. Click Next to go to the next screen. You will be prompted of an error: Password cannot be empty. Go back to the previous screen and type in the password again.
Note:
Before running the Oracle Fusion Middleware Configuration Wizard, ensure that you have installed the following:Oracle WebLogic Server
Oracle SOA Suite (Oracle Identity Manager Users Only)
Oracle Identity and Access Management
The following are the steps that must be followed after installing Oracle Access Management 11g Release 2 (11.1.2) or Oracle Identity Manager 11g Release 2 (11.1.2):
Ensure that the following pre-requisites are met, before moving to step 2:
Ensure that you have configured the domain using the IAM_ORACLE_HOME/common/bin/config.sh script.
Ensure that you have configured the Database Security Store using the following commands:
IAM_ORACLE_HOME/common/bin/wlst.sh IAM_ORACLE_HOME/common/tools/configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_password> -m [create/join]
Copy the jps-config.xml file to jps-config.xml_old for recovery and reference.
Do the following to edit the jps-config.xml file:
Look for the XML element
<serviceInstance name="pdp.service" provider="pdp.service.provider">
Delete the following two entries:
<property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/> <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
After you delete the first two properties their default values will be set. The default values are true and 600000 (10 minutes) respectively:
Add following entry in same section:
<property name="oracle.security.jps.pd.client.PollingTimerInterval" value="31536000"/>
The edited XML must look like the following:
<serviceInstance name="pdp.service" provider="pdp.service.provider">
<description>Runtime PDP service instance</description>
<property
name="oracle.security.jps.runtime.pd.client.policyDistributionMode"
value="mixed"/>
<property name="oracle.security.jps.runtime.instance.name"
value="OracleIDM"/>
<property name="oracle.security.jps.runtime.pd.client.sm_name"
value="OracleIDM"/>
<property name="oracle.security.jps.policystore.refresh.enable"
value="true"/>
<property
name="oracle.security.jps.pd.client.PollingTimerInterval" value="31536000"/>
</serviceInstance>
The Configure Security Store fails to create the policy store object when using variables such as ORACLE_HOME and MW_HOME while running configureSecurityStore.py with the -m join parameter. Specify absolute paths for ORACLE_HOME and MW_HOME while running the command with -m join parameter.
On Windows, when you run the command configSecurityStore.py, the -m validate option succeeds, but the following error gets reported towards the end of the command:
c:\Amy_OPAM\Oracle\Middleware\Oracle_RC3\common\bin>wlst.cmd ..\tools\configureSecurityStore.py -d c:\Amy_OPAM\Oracle\Middleware\user_projects\domains\OPAM_RC3_Domain2 -c IAM -m join -p welcome1 -k c:\Amy_OPAM\software\RC3\ -w welcome1 Error: Failed to join security store, unable to locate diagnostics data. Error: Join operation has failed.
Workaround:
Ignore the error. Even though the error gets reported there is no functional impact because the newly created server with the join option can start successfully and continue to service requests.
Weblogic Server configuration wizard displays the warning CFGFWK-60895 for 1.6.0.9.2 JDK on AIX 7 for Oracle Access Management, Oracle Adaptive Access Manager, and Oracle Privileged Account Manager.
Workaround:
Install Weblogic Server.
Install SOA.
Install Oracle Identity and Access Management.
Run the configuration wizard.
Create an Oracle Identity Manager (OIM) domain.
Create domain's for Oracle Access Management, Oracle Adaptive Access Manager, and Oracle Privileged Account Manager.
You get the warning CFGFWK-60895: The selected JDK version is lower than recommended minimum version.
Click Cancel and select a different JDK or Click OK to proceed with same.
Note:
WarningCFGFWK-60895 does not interfere with functionality.When you select the Oracle Entitlements Server template for Administration server, by default Access Policy Manager is deployed to the administration server.
But when a cluster for any component is created with > 1 server instance, then APM is targeted to the clustered servers and not the administration server, which causes the servers within the cluster to come up in administration mode.
For example, if you have a domain with one instance of Oracle Identity Manager, SOA and Oracle Access Management, the Access Policy Manager is targeted to the administration server. However, if you create another instance of Oracle Identity Manager, so that it has two instances at the time of domain creation, then the Access Policy Manager is deployed to the clustered servers (in this case Oracle Identity Manager server) and not administration server.
Workaround:
Log in to Weblogic administration console.
Click Deployments.
Click oracle.security.apm (11.1.1.3.0).
Click Targets.
Click Lock & Edit.
Select oracle.security.apm (11.1.1.3.0).
Click Change Targets.
Select AdminServer.
Click Yes.
Click Activate Changes and restart the administration server.
When you install Oracle Identity Manager on Weblogic Server (10.3.5.0), the request fails with the following exception:
Unable to instantiate the workflow process due to: Tasklist mapping failed for workflowdefinition: default/DefaultRequestApproval!1.0 due to oracle.bpel.services.workflow.query.ejb.TaskQueryService_oz1ipg_HomeImpl_1035_WLStub cannot be cast to oracle.bpel.services.workflow.query.ejb.TaskQueryServiceRemoteHome.
This happens when initiating the approvals for a request.
Workaround:
For Weblogic Server 10.3.5 you must download and install patch 12944361. Weblogic Server 10.3.6 do not require this patch
configSecurityStore.py Command When Using Sun JDK 1.7The command configSecurityStore.py fails to run when installing Oracle Identity and Access Management 11g Release 2 components on Solaris 10 SPARC or higher versions, using JDK 1.7. This occurs because of the implementation of PKCS11-Solaris security provider.
Workaround:
Back up the file $JAVA_HOME/jre/lib/security/java.security
Open the file $JAVA_HOME/jre/lib/security/java.security in a text editor and modify the provider list
Ensure that sun.security.pkcs11.SunPKCS11 is at the beginning of the provider list. Modify the provider list, as in the following example:
security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg security.provider.2=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg
...
If you start the OES domain without running the configureSecurityStore.py script, the server fails to start with following exception:
oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to perform cryptographic operation Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
Workaround:
The workaround is to export the domain encryption key from a domain in the same logical Oracle Identity and Access Management deployment already configured to work with the database security store, and then run the configureSecurityStore.py script.
exportEncryptionKey(jpsConfigFile=jpsConfigFile_Loc,keyFilePath=keyFilePath,keyFilePassword=keyFilePassword)
where:
jpsConfigFile_Loc - is the absolute location of the file jps-config.xml in the domain from which the encryption key is being exported.
keyFilePath - is the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by keyFilePassword.
keyFilePassword - is the password to secure the file ewallet.p12; note that this same password must be used when importing that file.
When you try to configure JBoss Security Module on an AIX operating system, it throws a java.lang.ClassNotFoundException error.
Workaround:
Complete the following steps:
Go to the following directory:
JAVA_HOME/jre/lib/security
Open the java.security file and search for policy.provider attribute. The value of the attribute policy.provider is set to org.apache.harmony.security.fortress.DefaultPolicy.
You must delete the existing value of the policy.provider attribute and change it to sun.security.provider.PolicyFile.
When you configure the Database Security Store using the following configureSecurityStore.py script,
oracle_common/common/bin/wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -d DOMAIN_HOME -c IAM -m create -p OPSS_SCHEMA_PASSWORD
the configuration fails with a JVM error. The following error is displayed:
JRE version:7.0_25 Java VM:OpenJDK 64-Bit Server VM(23.7-b01 mixed mode linux-amd64 compressed oops) Problematic frame: V [libjvm.so+0x773ec7] JVM_handle_linux_signal+0x54df7
Workaround:
The above error occurs because the JVM process tries to access a memory location that the operating system has not given access to.
As a workaround, re-configure the Database Security Store using the following command:
$JAVA_HOME/bin ./java -jar wls1036_generic.jar
To configure Database security store, you must run configureSecuritystore.py script. To configure SSL when running configureSecuritystore.py script, you must complete the following steps:
Note:
it is assumed that, at this point, Keystore and Truststore are already created using the commandkeytool.Update the Database URL in the JDBC configuration file opss-jdbc.xml by doing the following:
Open the file DOMAIN_HOME/config/jdbc/opss-jdbc.xml for editing.
Edit the Database URL on line 5 to change it from:
jdbc:oracle:thin:@<db_host>:<db_port>/<service_name>
to
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<db_host>)(PORT=<db_port>)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=<service_name>)))
Add the following properties:
<property> <name>javax.net.ssl.keyStore</name> <value>path_to_keystore</value> </property> <property> <name>javax.net.ssl.keyStorePassword</name> <value>keystore_password</value> </property> <property> <name>javax.net.ssl.trustStore</name> <value>path_to_truststore</value> </property> <property> <name>javax.net.ssl.trustStorePassword</name> <value>truststore_password</value> </property> <property> <name>oracle.net.ssl_version</name> <value>TLS_version</value> </property>
Where,
path_to_keystore refers to the absolute path to the keystore. For example, /scratch/certs/dbcerts/mycerts/keystore.jks.
keystore_password refers to the password of the key store.
path_to_truststore refers to the absolute path to the truststore. For example, /scratch/certs/dbcerts/mycerts/truststore.jks.
truststore_password refers to the password of the trust store.
TLS_version refers to the Transport Layer Security (TLS) version. If the Database server is configured to use the TLS version 1.0, you must specify 1.0.
Save the file and exit.
Edit the domain configuration file setDomainEnv.sh by doing the following:
Open the file $MW_HOME/ user_projects/domains/DOMAIN_HOME/bin/setDomainEnv.sh for editing.
Edit the line 368 to change it from:
EXTRA_JAVA_PROPERTIES=" -Dweblogic.security.IgnoreHostNameVerification=true -Dweblogic.security.SSL.ignoreHostnameVerification=true ${EXTRA_JAVA_PROPERTIES}"
to
EXTRA_JAVA_PROPERTIES=" -Dweblogic.security.IdentityKeyStore=CustomIdentity -Dweblogic.security.CustomIdentityKeyStoreFileName=<path_to_identity_keystore_file> -Dweblogic.security.CustomIdentityKeyStorePassPhrase=<identity_keystore_pass_phrase> -Dweblogic.security.Identity.KeyStoreType=<identity_keystore_type> -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=<path_to_trust_keystore_file> -Dweblogic.security.CustomTrustKeyStoreType=<trust_keystore_type> -Dweblogic.security.CustomTrustKeyStorePassPhrase=<trust_keystore_pass_phrase> -Dweblogic.security.IgnoreHostNameVerification=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.protocolVersion=TLS1 ${EXTRA_JAVA_PROPERTIES}"
For example:
EXTRA_JAVA_PROPERTIES=" -Dweblogic.security.IdentityKeyStore=CustomIdentity
-Dweblogic.security.CustomIdentityKeyStoreFileName=/scratch/certs/dbcerts/mycerts/keystore.jks -Dweblogic.security.CustomIdentityKeyStorePassPhrase=Password1
-Dweblogic.security.Identity.KeyStoreType=JKS
-Dweblogic.security.TrustKeyStore=CustomTrust
-Dweblogic.security.CustomTrustKeyStoreFileName=/scratch/certs/dbcerts/mycerts/truststore.jks
-Dweblogic.security.CustomTrustKeyStoreType=JKS
-Dweblogic.security.CustomTrustKeyStorePassPhrase=Password2
-Dweblogic.security.IgnoreHostNameVerification=true
-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.SSL.protocolVersion=TLS1 ${EXTRA_JAVA_PROPERTIES}"
Save the file and exit.
Edit the WLST script by doing the following:
Open the file $MW_HOME/wlserver_10.3/common/bin/wlst.sh for editing.
Update the following line:
JVM_ARGS="-Dprod.props.file='${WL_HOME}'/.product.properties ${WLST_PROPERTIES} ${JVM_D64} ${MEM_ARGS} ${CONFIG_JVM_ARGS}"
to change it to
JVM_ARGS="-Dprod.props.file='${WL_HOME}'/.product.properties ${WLST_PROPERTIES} ${JVM_D64} ${MEM_ARGS} ${CONFIG_JVM_ARGS} -Djavax.net.ssl.trustStorePassword=<trust_store_password> -Djavax.net.ssl.keyStorePassword=<key_store_password> -Djavax.net.ssl.keyStore=<path_to_keystore> -Djavax.net.ssl.trustStore=<path_to_truststore> -Doracle.net.ssl_version=<TLS_version>"
For example:
JVM_ARGS="-Dprod.props.file='${WL_HOME}'/.product.properties ${WLST_PROPERTIES} ${JVM_D64} ${MEM_ARGS} ${CONFIG_JVM_ARGS}
-Djavax.net.ssl.trustStorePassword=password1
-Djavax.net.ssl.keyStorePassword=password2
-Djavax.net.ssl.keyStore=/scratch/certs/dbcerts/mycerts/keystore.jks
-Djavax.net.ssl.trustStore=/scratch/certs/dbcerts/mycerts/truststore.jks
-Doracle.net.ssl_version=1.0"
In the above example, the property "-Doracle.net.ssl_version=1.0" represents that the Database server is configured to use the Transport Layer Security (TLS) version 1.0.
Save the file and exit.
Edit the configureSecurityStore.py script by doing the following:
Open the file $MW_HOME/IDM_HOME/common/tools/configureSecurityStore.py for editing.
Edit the line 241 to change it from:
full_command_parts = ("java -Doracle.security.jps.config=", jps_config_xml_path, " oracle.security.jps.internal.api.credstore.CredstoreUtil",
to
full_command_parts = ("java -Djavax.net.ssl.trustStorePassword=<truststore_password> -Djavax.net.ssl.keyStorePassword=<keystore_password> -Djavax.net.ssl.keyStore=<path_to_keystore> -Djavax.net.ssl.trustStore=<path_to_truststore> -Doracle.net.ssl_version=<TLS_version> -Doracle.security.jps.config=", jps_config_xml_path, " oracle.security.jps.internal.api.credstore.CredstoreUtil",
For example:
full_command_parts = ("java -Djavax.net.ssl.trustStorePassword=password1
-Djavax.net.ssl.keyStorePassword=password2
-Djavax.net.ssl.keyStore=/scratch/certs/dbcerts/mycerts/keystore.jks
-Djavax.net.ssl.trustStore=/scratch/certs/dbcerts/mycerts/truststore.jks
-Doracle.net.ssl_version=1.0
-Doracle.security.jps.config=", jps_config_xml_path, " oracle.security.jps.internal.api.credstore.CredstoreUtil",
Edit the line 282 to change it from:
full_command_parts = ("java -Doracle.security.jps.config=", jps_config_xml_path, " oracle.security.jps.internal.api.credstore.CredstoreUtil",
to
full_command_parts = ("java -Djavax.net.ssl.trustStorePassword=<truststore_password> -Djavax.net.ssl.keyStorePassword=<keystore_password> -Djavax.net.ssl.keyStore=<path_to_keystore> -Djavax.net.ssl.trustStore=<path_to_truststore> -Doracle.net.ssl_version=<TLS_version> -Doracle.security.jps.config=", jps_config_xml_path, " oracle.security.jps.internal.api.credstore.CredstoreUtil",
For example:
full_command_parts = ("java -Djavax.net.ssl.trustStorePassword=password1
-Djavax.net.ssl.keyStorePassword=password2
-Djavax.net.ssl.keyStore=/scratch/certs/dbcerts/mycerts/keystore.jks
-Djavax.net.ssl.trustStore=/scratch/certs/dbcerts/mycerts/truststore.jks
-Doracle.net.ssl_version=1.0
-Doracle.security.jps.config=", jps_config_xml_path, " oracle.security.jps.internal.api.credstore.CredstoreUtil",
Edit the line 734 to change it from:
= ("java -Xms512M -Xmx512M ", "oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler ", command)
to
= ("java -Xms512M -Xmx512M -Djavax.net.ssl.trustStorePassword=<truststore_password> -Djavax.net.ssl.keyStorePassword=<keystore_password> -Djavax.net.ssl.keyStore=<path_to_keystore> -Djavax.net.ssl.trustStore=<path_to_truststore> -Doracle.net.ssl_version=<TLS_version> ", "oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler ", command)
For example:
= ("java -Xms512M -Xmx512M -Djavax.net.ssl.trustStorePassword=password1
-Djavax.net.ssl.keyStorePassword=password2
-Djavax.net.ssl.keyStore=/scratch/certs/dbcerts/mycerts/keystore.jks
-Djavax.net.ssl.trustStore=/scratch/certs/dbcerts/mycerts/truststore.jks
-Doracle.net.ssl_version=1.0 ",
"oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler ", command)
Edit the line 774 to change it from:
full_command_parts = ("java -Xms512M -Xmx512M ", "oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler ", command)
to
full_command_parts = ("java -Xms512M -Xmx512M -Djavax.net.ssl.trustStorePassword=<truststore_password> -Djavax.net.ssl.keyStorePassword=<keystore_password> -Djavax.net.ssl.keyStore=<path_to_keystore> -Djavax.net.ssl.trustStore=<path_to_truststore> -Doracle.net.ssl_version=<TLS_version> ", "oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler ", command)
For example:
full_command_parts = ("java -Xms512M -Xmx512M
-Djavax.net.ssl.trustStorePassword=password1
-Djavax.net.ssl.keyStorePassword=password2
-Djavax.net.ssl.keyStore=/scratch/certs/dbcerts/mycerts/keystore.jks
-Djavax.net.ssl.trustStore=/scratch/certs/dbcerts/mycerts/truststore.jks
-Doracle.net.ssl_version=1.0 ",
"oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler ", command)
Save the configureSecurityStore.py script and exit.
Edit the startWebLogic script by doing the following:
Open the file DOMAIN_HOME/bin/startWebLogic.sh for editing.
Edit line 28 to change it from:
JAVA_OPTIONS="${JAVA_OPTIONS} -Dlaunch.main.class=${SERVER_CLASS} -Dlaunch.class.path="${CLASSPATH}" -Dlaunch.complete=weblogic.store.internal.LockManagerImpl -cp ${WL_HOME}/server/lib/pcl2.jar"
to
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStorePassword=<truststore_password> -Djavax.net.ssl.keyStorePassword=<keystore_password> -Djavax.net.ssl.keyStore=<path_to_keystore> -Djavax.net.ssl.trustStore=<path_to_truststore> -Doracle.net.ssl_version=<TLS_version> -Dlaunch.main.class=${SERVER_CLASS} -Dlaunch.class.path="${CLASSPATH}" -Dlaunch.complete=weblogic.store.internal.LockManagerImpl -cp ${WL_HOME}/server/lib/pcl2.jar"
For example:
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStorePassword=password1
-Djavax.net.ssl.keyStorePassword=password2
-Djavax.net.ssl.keyStore=/scratch/certs/dbcerts/mycerts/keystore.jks
-Djavax.net.ssl.trustStore=/scratch/certs/dbcerts/mycerts/truststore.jks
-Doracle.net.ssl_version=1.0 -Dlaunch.main.class=${SERVER_CLASS}
-Dlaunch.class.path="${CLASSPATH}"
-Dlaunch.complete=weblogic.store.internal.LockManagerImpl -cp ${WL_HOME}/server/lib/pcl2.jar"
Save the file and exit.
Note:
If you have Managed Server, you must update the scriptDOMAIN_HOME/bin/startManagedWebLogic.sh as described for startWebLogic.sh script.Configure the Database security store by running the configureSecurityStore.py script. For more information, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
After you configure the Database security store, start the domain. You can now verify that it uses DB SSL connection.