4 Oracle Fusion Middleware Administration

This chapter describes issues associated with general Oracle Fusion Middleware administration that involve Identity Management. It includes the following topics:

4.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

4.1.1 Problems Using Oracle Database 12.2 with This Release

When you use Oracle Database 12.2.*, you may run into the following issues:

  • When you create an MDS database schema using RCU or upgrade the MDS database schema using Patch Set Assistant against Oracle Database 12.2, the operation may fail.

    You may receive the error ORA-28104: input value for statement_types is not valid. This is because, as part of a security fix beginning with Oracle Database 12.2, for the DBMS_RLS.ADD_POLICY procedure, statement types of INSERT and UPDATE_CHECK with a value of FALSE (the default value) are no longer allowed. It results in an ORA-28104 error while registering Virtual Private Database policies.

    This error is returned to avoid giving the impression that Virtual Private Database policies are enforced for INSERT statements, which is not the case.

    To work around this, configure the system with "_allow_insert_with_update_check" set to TRUE by executing the following SQL command:

    ALTER SYSTEM SET "_allow_insert_with_update_check"=TRUE scope=spfile
    

    Then, re-run RCU or the Patch Set Assistant to create or upgrade the MDS database schema.

  • When you use Oracle Fusion Middleware with Oracle Database 12.2.*, you may encounter the following error:

    ORA-00932: inconsistent datatypes: expected SYS.AQ$_JMS_MESSAGE got SYS.AQ$_JMS_MESSAGE
    

    The error occurs because, during enqueue and dequeue of the AQ$_JMS_MESSAGE type, the version number sent to the database server may be inconsistent. This happens when the TOID (the type's unique identifier) for the AQ$_JMS_MESSAGE type in type$ is a user-defined TOID and not a fixed SYSTEM-defined TOID.

    To work around this error, install the following patch, which replaces the ojdbc6.jar file used by Oracle Fusion Middleware:

    https://updates.oracle.com/download/21663638.html
    

    For Oracle Fusion Middleware 11g, select Release 11.1.1.7.0.

  • When you install Oracle Fusion Middleware Release 11gR1 or Release 11gR2 products with Oracle Database 12.2.0.1, you may run into the following error:

    ORA-28040: No matching authentication protocol
    

    This occurs because there is no 11g verifier for the proxy user.

    Use the following workaround to create the 11g Verifier and allow the connection to the 12.2.0.1 Oracle Database from the Oracle Fusion Middleware installation to proceed:

    1. Set ORACLE_HOME to the Oracle Database 12.2.0.1 Oracle home.

    2. Add the following line to the sqlnet.ora file (in ORACLE_HOME/network/admin):

      SQLNET.ALLOWED_LOGON_VERSION=11
      
    3. Connect to the database as the SYS user with the SYSDBA role and execute the following SQL commands:

      ALTER SYSTEM set sec_case_sensitive_logon=FALSE scope=spfile;
      shutdown immediate;
      startup;
      alter user sys identified by sys_password;
      alter user system identified by sys_password;
      

    If you want to use the latest database security features, do not set SQLNET.ALLOWED_LOGON_VERSION=11. Instead, apply one of the following two workarounds.

    Workaround 1: If Oracle WebLogic Server is installed in MW_HOME, perform the following steps:

    1. Set RCU_HOME environment variable. For example:

      Unix: RCU_HOME=/stage/rcu/rcuHome; export RCU_HOME

      Windows: set RCU_HOME=\stage\rcu\rcuHome

    2. Make a copy of RCU_HOME/jdbc/lib/ojdbc6.jar.

    3. Replace RCU_HOME/jdbc/lib/ojdbc6.jar with the copy from WL_HOME:

      Unix: cp $WL_HOME/server/lib/ojdbc6.jar $RCU_HOME/jdbc/lib/

      Windows: copy %WL_HOME%\server\lib\ojdbc6.jar %RCU_HOME%\jdbc\lib

    Workaround 2: Patch RCU with the DBCPUjul2015 patch:

    1. Download the patch from the following location. It is in the form of a zip file. Unzip it.

      https://updates.oracle.com/download/20803573.html

    2. Because the patch is based on the Oracle Database 11.1.0.7 release, apply it on an 11.1.0.7.0 Oracle Database. In the directory in which you unzipped the patch, enter the following commands:

      setenv ORACLE_HOME oracle home of 11.1.0.7.0 db
      setenv PATH $ORACLE_HOME/OPatch:$PATH
      setenv PATH /usr/ccs/bin:$PATH
      
    3. From the directory in which you unzipped the patch, execute the following command to apply it:

      opatch napply -skip_subset -skip_duplicate
      
    4. After the patch is applied, copy the following files from the patched Oracle Database home to the specified locations in RCU_HOME:

      File to Copy from Patched Database    Copy to This Location
      ORACLE_HOME/jdbc/lib/ojdbc*.jar       RCU_HOME/jdbc/lib/ojdbc*.jar
      ORACLE_HOME/lib/libclntsh.so.11.1     Copy to the following locations, renaming the file:
                                              RCU_HOME/lib/libclntsh.so.11.1
                                              RCU_HOME/lib/libclntsh.so.10.1
                                              RCU_HOME/lib/libclntsh.so
      ORACLE_HOME/sqlplus/lib/*             Replace RCU_HOME/sqlplus/lib/*

      Now RCU is patched with the security patch and can be used to install Oracle Fusion Middleware schemas.
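The ORA-28104 item above says that Oracle Database 12.2 rejects a Virtual Private Database policy that lists INSERT while UPDATE_CHECK is FALSE, because such a policy never actually checks inserted rows. The following added example (not from this release note) shows the rejected registration beside the accepted one; the APP_OWNER schema, ORDERS table, REGION_PREDICATE function and APP_CTX context are constructed for illustration.

```sql
-- Added example (not part of the release note). Schema APP_OWNER, table ORDERS,
-- the policy function and the APP_CTX context are constructed for illustration.
CREATE TABLE app_owner.orders (
    order_id NUMBER PRIMARY KEY,
    region   VARCHAR2(10) NOT NULL,
    amount   NUMBER
);

-- Policy function: the predicate restricts rows to the caller's region, which an
-- application context (assumed: APP_CTX, attribute REGION) sets at login.
CREATE OR REPLACE FUNCTION app_owner.region_predicate (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
    RETURN 'region = SYS_CONTEXT(''APP_CTX'', ''REGION'')';
END region_predicate;
/

-- Variant 1: INSERT listed with UPDATE_CHECK left at its default of FALSE.
-- Before 12.2 this registered silently, yet the predicate was never evaluated
-- against inserted rows, so INSERT was not actually restricted. On 12.2 the
-- call itself fails with ORA-28104 (input value for statement_types is not valid).
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP_OWNER',
        object_name     => 'ORDERS',
        policy_name     => 'ORDERS_REGION_WEAK',
        function_schema => 'APP_OWNER',
        policy_function => 'REGION_PREDICATE',
        statement_types => 'INSERT,UPDATE',
        update_check    => FALSE);
END;
/

-- Variant 2: UPDATE_CHECK => TRUE. The predicate is now also applied to the row
-- after an INSERT or UPDATE, so a row for another region is rejected instead of
-- being silently accepted. This form is accepted on 12.2.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP_OWNER',
        object_name     => 'ORDERS',
        policy_name     => 'ORDERS_REGION',
        function_schema => 'APP_OWNER',
        policy_function => 'REGION_PREDICATE',
        statement_types => 'SELECT,INSERT,UPDATE,DELETE',
        update_check    => TRUE);
END;
/

-- With APP_CTX.REGION set to 'EMEA' for the session, the first insert succeeds
-- and the second is rejected with ORA-28115 (policy with check option violation).
INSERT INTO app_owner.orders VALUES (1, 'EMEA', 100);
INSERT INTO app_owner.orders VALUES (2, 'APAC', 100);
```

The "_allow_insert_with_update_check" setting from the workaround only restores the pre-12.2 registration behaviour for the MDS schema scripts; it does not make an UPDATE_CHECK => FALSE policy enforce INSERT.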
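The ORA-28040 item above traces the failure to an account that has no 11g password verifier. Before lowering SQLNET.ALLOWED_LOGON_VERSION for the whole database, a DBA can check which password-authenticated accounts, including the proxy accounts used by the Fusion Middleware schemas, actually lack an 11G or 12C verifier, and re-key only those. This is an added example, not from the release note; the PROXY_USERS and DBA_USERS views are standard data dictionary views.

```sql
-- Added example (not part of the release note): list password-authenticated
-- accounts and flag those whose stored verifiers cannot satisfy a 12.2 server
-- that requires at least an 11G verifier. Run as a DBA user.
SELECT u.username,
       u.account_status,
       u.password_versions,
       CASE
           WHEN u.password_versions LIKE '%12C%'
             OR u.password_versions LIKE '%11G%' THEN 'ok'
           ELSE 'regenerate verifier'
       END AS action
FROM   dba_users u
WHERE  u.authentication_type = 'PASSWORD'
ORDER  BY u.username;

-- Same check restricted to accounts that act as proxies (PROXY_USERS.PROXY),
-- which is where the release note locates the missing 11g verifier.
SELECT DISTINCT p.proxy,
       u.password_versions
FROM   proxy_users p
JOIN   dba_users   u ON u.username = p.proxy
WHERE  u.password_versions NOT LIKE '%11G%'
AND    u.password_versions NOT LIKE '%12C%';

-- Resetting the password regenerates the verifiers permitted by the current
-- logon-version setting; new_password is a placeholder.
-- ALTER USER <flagged_account> IDENTIFIED BY new_password;
```

Re-keying only the flagged accounts keeps the server's default minimum logon version in place, which is what the release note recommends when you want the latest database security features.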

4.1.2 Clarification About Path for OPMN

OPMN provides the opmnctl command. The executable file is located in the following directories:

  • ORACLE_HOME/opmn/bin/opmnctl: The opmnctl command from this location should be used only to create an Oracle instance or a component for an Oracle instance on the local system. Any opmnctl commands generated from this location should not be used to manage system processes or to start OPMN.

    On Windows, if you start OPMN using the opmnctl start command from this location, OPMN and its processes will terminate when the Windows user has logged out.

  • ORACLE_INSTANCE/bin/opmnctl: The opmnctl command from this location provides a per-Oracle-instance instantiation of opmnctl. Use opmnctl commands from this location to manage processes for this Oracle instance. You can also use this opmnctl to create components for the Oracle instance.

    On Windows, if you start OPMN using the opmnctl start command from this location, it starts OPMN as a Windows service. As a result, the OPMN parent process, and the processes which it manages, persist after the Windows user has logged out.

4.1.3 Fusion Middleware Control May Return Error in Mixed IPv6 and IPv4 Environment

If your environment contains both IPv6 and IPv4 network protocols, Fusion Middleware Control may return an error in certain circumstances.

If the browser that is accessing Fusion Middleware Control is on a host using the IPv4 protocol, and selects a control that accesses a host using the IPv6 protocol, Fusion Middleware Control will return an error. Similarly, if the browser that is accessing Fusion Middleware Control is on a host using the IPv6 protocol, and selects a control that accesses a host using the IPv4 protocol, Fusion Middleware Control will return an error.

For example, if you are using a browser that is on a host using the IPv4 protocol and you are using Fusion Middleware Control, Fusion Middleware Control returns an error when you navigate to an entity that is running on a host using the IPv6 protocol, such as in the following situations:

  • From the Oracle Internet Directory home page, you select Directory Services Manager from the Oracle Internet Directory menu. Oracle Directory Services Manager is running on a host using the IPv6 protocol.

  • From a Managed Server home page, you click the link for Oracle WebLogic Server Administration Console, which is running on IPv6.

  • You test Web Services endpoints, which are on a host using IPv6.

  • You click an application URL or Java application which is on a host using IPv6.

To work around this issue, you can add the following entry to the /etc/hosts file:

nnn.nn.nn.nn  myserver-ipv6 myserver-ipv6.example.com

In the example, nnn.nn.nn.nn is the IPv4 address of the Administration Server host, myserver.example.com.

4.1.4 Limitations in Moving from Test to Production

Note the following limitations and known problems in moving from a test to a production environment:

  • After you run the extractMovePlan script, the move plan version shows 11.1.1.9. This does not cause any problems.

  • If you upgraded Oracle Adaptive Access Manager 11g Release 1 (11.1.1.5.x or 11.1.1.7.x) to Adaptive Access Manager 11.1.2.3.0, the component versions of some packages still show 11.1.1.5.x or 11.1.1.7.x. Those packages are:

    oracle.dogwood.top
    oracle.idm.oinav
    oracle.sdp.client
    oracle.oaam.suite
    oracle.oaam.oaam_admin
    oracle.oaam.oaam_server
    oracle.oaam.oaam_offline

    To resolve this, you must run the domain updater utility (com.oracle.cie.domain-update_1.0.0.0.jar). This step updates domain-info.xml. To upgrade the necessary Oracle Adaptive Access Manager packages to 11.1.2.3.0, complete the following steps:

    1. Go to the directory ORACLE_HOME/oaam/upgrade. The domain updater utility com.oracle.cie.domain-update_1.0.0.0.jar file is located in this directory.

    2. Upgrade the packages listed from 11.1.1.5(7).x to 11.1.2.3.0 by running the following command:

      java -cp $MW_HOME/utils/config/10.3/config-launch.jar:./com.oracle.cie.domain-update_1.0.0.0.jar com.oracle.cie.external.domain.DomainUpdater DOMAIN_HOME
      PACKAGE_NAME:11.1.1.7.0,:11.1.2.3.0 
      

      For example:

      java -cp /scratch/Oracle/Middleware/utils/config/10.3/config-launch.jar:./com.oracle.cie.domain-update_1.0.0.0.jar com.oracle.cie.external.domain.DomainUpdater
      /scratch/Oracle/Middleware/user_projects/domains/OAAMDomain oracle.dogwood.top:11.1.1.7.0,:11.1.2.3.0
      
    3. Repeat the previous step for the other packages that show the version 11.1.1.5 or 11.1.1.7.

  • If you have an IDS store configured in the source environment, and you plan to retain the same ID store host and port in the target environment without moving it, the pasteConfig script returns the following error:

    Specified host already configured in adapter
    

    To work around the problem, in the generated moveplan.xml, under configGroup LIBOVD_ADAPTERS, look for the configProperty representing the Identity Store that you do not plan to move. Comment out the entire section corresponding to the configProperty for your Identity Store in the move plan before you run the pasteConfig script.

  • If your environment includes Oracle WebLogic Server which you have upgraded from one release to another (for example, from 10.3.4 to 10.3.5), the pasteConfig script fails with the following error:

    Oracle_common_home/bin/unpack.sh line29:
    WL_home/common/bin/unpack.sh No such file or directory
    

    To work around this issue, edit the following file:

    MW_HOME/utils/uninstall/WebLogic_Platform_10.3.5.0/WebLogic_Server_10.3.5.0_Core_Application_Server.txt
    

    Add the following entries:

    /wlserver_10.3/server/lib/unix/nodemanager.sh
    /wlserver_10.3/common/quickstart/quickstart.cmd
    /wlserver_10.3/common/quickstart/quickstart.sh
    /wlserver_10.3/uninstall/uninstall.cmd
    /wlserver_10.3/uninstall/uninstall.sh
    /utils/config/10.3/setHomeDirs.cmd
    /utils/config/10.3/setHomeDirs.sh
    
  • When you are moving Oracle Virtual Directory, the Oracle instance name in the target environment must be different from the Oracle instance name in the source environment.

  • After you move Oracle Virtual Directory from one host to another, you must add a self-signed certificate to the Oracle Virtual Directory keystore and the EM Agent wallet on the target host. Take the following steps:

    1. Set the ORACLE_HOME and JAVA_HOME environment variables.

    2. Delete the existing self-signed certificate:

      $JAVA_HOME/bin/keytool -delete -alias serverselfsigned
        -keystore ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/keys.jks
        -storepass OVD_Admin_password 
      
    3. Generate a key pair:

      $JAVA_HOME/bin/keytool -genkeypair
        -keystore ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/keys.jks
        -storepass OVD_Admin_password -keypass OVD_Admin_password -alias serverselfsigned
        -keyalg rsa -dname "CN=Fully_qualified_hostname,O=test" 
      
    4. Export the certificate:

      $JAVA_HOME/bin/keytool -exportcert
        -keystore ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/keys.jks
        -storepass OVD_Admin_password -rfc -alias serverselfsigned
        -file ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/ovdcert.txt 
      
    5. Add a wallet to the EM Agent:

      ORACLE_HOME/../oracle_common/bin/orapki wallet add
        -wallet ORACLE_INSTANCE/EMAGENT/EMAGENT/sysman/config/monwallet
        -pwd EM_Agent_Wallet_password -trusted_cert
        -cert ORACLE_INSTANCE/config/OVD/ovd_component_name/keystores/ovdcert.txt 
      
    6. Stop and start the Oracle Virtual Directory server.

    7. Stop and start the EM Agent.

  • When you are moving Oracle Platform Security and you are using an LDAP store, the LDAP store on the source environment must be running and it must be accessible from the target during the pasteConfig operation.

  • If you have configured WebGate with Oracle HTTP Server Release 11.1.1.6, you must apply the following patch to Oracle HTTP Server before you use the movement scripts:

    13897557
    
  • The movement scripts do not support moving any releases of Oracle Identity Manager prior to Release 11.1.2.1 to another environment, either through the movement scripts or manual steps. In addition, if any release of Oracle Identity Manager prior to Release 11.1.2.1 is part of the source environment of other components, the movement scripts for that environment will fail.

  • After you move Oracle Adaptive Access Manager, the database schema user name for Oracle Adaptive Access Manager will be changed only if OPSS data is not migrated as part of the copyConfig operation (specified using the opssdataexport parameter).

  • If you are moving an integrated Access Manager and Oracle Adaptive Access Manager environment, you may receive the following errors:

    ####<Mar 23, 2013 4:38:12 AM PDT> <Error> <Security> <slc01age> <AdminServer>
    <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
    (self-tuning)'> <<WLS Kernel>> <> <> <1332502692218> <BEA-090870> <The realm
    "myrealm" failed to be loaded:
    weblogic.security.service.SecurityServiceException: java.lang.AssertionError:
    java.lang.reflect.InvocationTargetException.
    weblogic.security.service.SecurityServiceException: java.lang.AssertionError:
    java.lang.reflect.InvocationTargetException
    

    In this case, take the following steps:

    1. Remove the access client password of the IAMSuiteAgent from the Access Manager console and the Oracle WebLogic Server Administration Console deployed on the source environment.

    2. Execute the copyConfig script on the source environment.

    3. Execute the pasteConfig script on the target environment.

  • When you execute the pasteConfig script and the archive contains Oracle Platform Security Services, the script may return the following errors:

    oracle.security.audit.util.StrictValidationEventHandler handleEvent
    WARNING: Failed to validate the xml content. Reason: cvc-complex-type.2.4.b:
    The content of element '' is not complete. One of
    '{"http://xmlns.oracle.com/ias/audit/audit-2.0.xsd":source}' is expected..
    Apr 24, 2013 6:28:29 AM
    oracle.security.audit.util.StrictValidationEventHandler handleEvent
    WARNING: Failed to validate the xml content. Reason: cvc-complex-type.2.4.b:
    The content of element '' is not complete. One of
    '{"http://xmlns.oracle.com/ias/audit/audit-2.0.xsd":source}' is expected..
    

    You can ignore these errors.

  • When you execute the pasteConfig script, you may see the following error messages in the pasteConfig logs:

    SEVERE: 2013-10-22 01:06:33.432/953.466 Oracle Coherence GE 3.7.1.1 <Error>
    (thread=Configuration Store Observer, member=n/a): Error while starting
     cluster: (Wrapped) java.io.FileNotFoundException:
     config/fmwconfig/.cohstore.jks (No such file or directory)
             at com.tangosol.util.Base.ensureRuntimeException(Base.java:288)
             at com.tangosol.util.Base.ensureRuntimeException(Base.java:269)
     at com.tangosol.net.ssl.SSLSocketProvider.setConfig(SSLSocketProvider.java:444)
      at com.tangosol.net.SocketProviderFactory.createProvider(SocketProviderFactory.java:77)       
     at com.tangosol.net.SocketProviderFactory.ensureProvider(SocketProviderFactory.java:152)    
     at com.tangosol.coherence.component.net.Cluster.configureSockets(Cluster.CDB:28)
    

    You can ignore these errors.

  • The copyConfig script may return the following warnings:

     =======================================================================
     WARNING: Unsupported configuration store version detected. Required
     "11.1.2.2.0" but found "11.1.2.1.0".
     Nov 03, 2013 10:16:41 PM
     oracle.security.am.admin.config.BasicFileConfigurationStore loadConfiguration
     WARNING: Unsupported configuration store version detected. Required
     "11.1.2.2.0" but found "11.1.2.1.0".
     Nov 03, 2013 10:16:42 PM
     oracle.security.am.admin.config.BasicFileConfigurationStore loadConfiguration
     WARNING: Unsupported configuration store version detected. Required
     "11.1.2.2.0" but found "11.1.2.1.0".
     =======================================================================
    

    You can ignore these warnings.

  • In an environment that contains Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager, the target environment may contain incorrect values for the following data source properties:

    portNumber
    SID
    serverName
    

    These are redundant properties, present in all data sources in the domain, and there is no functional loss from these properties carrying the wrong values.

  • When you execute the pasteConfig script on an environment containing Oracle Adaptive Access Manager and a valid domain does not exist, the pasteConfig steps are skipped and the script returns the following error:

    Not valid OAAM Domain. Skipping OAAM-specific copy configuration steps.
    

    The message should read:

    Not valid OAAM Domain. Skipping OAAM-specific paste configuration steps.
    
  • After you run the copyConfig script for a domain containing Access Manager and Oracle Adaptive Access Manager, you may receive the following error, which you can ignore:

    javax.management.InstanceNotFoundException: java.lang:type=Runtime
    at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
    at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:223)
    at javax.management.remote.rmi.RMIConnectionImpl_1036_WLStub.getAttribute(Unknown Source)
    
  • When you move a Web tier environment, the copyBinary script may return the following message:

    Warning Message  :1
      Nov 20, 2014 10:47:57 - WARNING - CLONE-20266   Unable to archive a file.
      Nov 20, 2014 10:47:57 - CAUSE - CLONE-20266   The file
    "/scratch/oracle/webtier6400/network/log/cgisock.9465" did not have
    sufficient permission to access.
      Nov 20, 2014 10:47:57 - ACTION - CLONE-20266   Correct the permission of
    above file and run copyBinary again. 
    

    You can safely ignore this message.

4.2 Configuration Issues and Workarounds

There are no known configuration issues at this time.

4.3 Documentation Errata

This section contains the following documentation errata for the Administrator's Guide and the Oracle Fusion Middleware High Availability Guide:

4.3.1 Documentation Errata for the Administrator's Guide

There are no documentation errata for the Administrator's Guide at this time.

4.3.2 Documentation Errata for the Oracle Fusion Middleware High Availability Guide

This section contains the following documentation errata for the Oracle Fusion Middleware High Availability Guide for 11g Release 2 (11.1.2.1.0), Part Number E28391-04:

4.3.2.1 JRockit SDK Not Certified for IDM

In Section 8.3.3.1.1, "Install Oracle WebLogic Server," step 5, which reads "On the Choose Products and Components screen, select only Oracle JRockit SDK and click Next," is incorrect. It should state: "On the Choose Products and Components screen, select a certified JDK. Refer to the Oracle certification matrix for the appropriate JDK to select. See http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls."