10 Oracle Identity Manager

This chapter describes the issues associated with Oracle Identity Manager. It includes the following topics:

10.1 Patch Requirements

This section describes patch requirements for Oracle Identity Manager 11g Release 2 (11.1.2.3). It includes the following sections:

Note:

For information about any additional patches that you must apply, see "Downloading and Applying Required Patches".

10.1.1 Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)

To obtain a patch from My Oracle Support (formerly OracleMetaLink), go to the following URL, click Patches and Updates, and search for the patch number:

https://support.oracle.com/

10.1.2 Patch Requirements for Oracle Database 11g (11.1.0.7)

Table 10-1 lists patches required for Oracle Identity Manager 11g Release 2 (11.1.2) configurations that use Oracle Database 11g (11.1.0.7). Before you configure Oracle Identity Manager 11g, be sure to apply the patches to your Oracle Database 11g (11.1.0.7).

Table 10-1 Required Patches for Oracle Database 11g (11.1.0.7)

Platform                          Patch Number and Description on My Oracle Support
UNIX / Linux                      7614692: BULK FEATURE WITH 'SAVE EXCEPTIONS' DOES NOT WORK IN ORACLE 11G
                                  7000281: DIFFERENCE IN FOR ALL STATEMENT BEHAVIOR IN 11G
                                  8327137: WRONG RESULTS WITH INLINE VIEW AND AGGREGATION FUNCTION
                                  8617824: MERGE LABEL REQUEST ON TOP OF 11.1.0.7 FOR BUGS 7628358 7598314
                                  8545377: ORA-1780 RAISED WHEN CURSOR_SHARING=FORCE
Windows 32 bit                    8689191: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS 32 BIT
Windows 64 bit                    8689199: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS (64-BIT AMD64 AND INTEL EM64T)
Oracle Solaris on SPARC 64-bit    8545377: ORA-1780 RAISED WHEN CURSOR_SHARING=FORCE


Note:

The patches listed for UNIX/Linux in Table 10-1 are also available by the same names for Solaris SPARC 64 bit.

10.1.3 Patch Requirements for Oracle Database 11g (11.2.0.1.0)

Table 10-2 lists the required patch for Oracle Identity Manager 11g Release 2 (11.1.2.3) configurations that use Oracle Database 11g (11.2.0.1.0).

Table 10-2 Required Patch for Oracle Database 11g (11.2.0.1.0)

Platform                          Patch Number and Description on My Oracle Support
Linux x86 64-bit                  8545377: ORA-1780 RAISED WHEN CURSOR_SHARING=FORCE


10.1.4 Patch Requirements for Oracle Database 11g (11.2.0.2.0)

If you are using Oracle Database 11g (11.2.0.2.0), make sure that you download and install the version of RDBMS Patch 9776940 that is appropriate for your platform. This is a prerequisite for installing the Oracle Identity Manager schemas.

Table 10-3 lists the patches required for Oracle Identity Manager 11g Release 2 (11.1.2) configurations that use Oracle Database 11g Release 2 (11.2.0.2.0). Make sure that you download and install the following patches before creating Oracle Identity Manager schemas.

Table 10-3 Required Patches for Oracle Database 11g (11.2.0.2.0)

Platform                          Patch Number and Description on My Oracle Support
Linux x86 (32-bit)                RDBMS Patch#13004894.
Linux x86 (64-bit)                RDBMS Patch#13004894.
Oracle Solaris on SPARC (64-bit)  RDBMS Patch#13004894.
Oracle Solaris on x86-64 (64-bit) RDBMS Patch#13004894.
Microsoft Windows x86 (32-bit)    Bundle Patch 2 [Patch#11669994] or later. The latest Bundle Patch is 4 [Patch# 11896290].
Microsoft Windows x86 (64-bit)    Bundle Patch 2 [Patch# 11669995] or later. The latest Bundle Patch is 4 [Patch# 11896292].
All platforms                     Patch 12419331: Database PSU 11.2.0.2.3 on top of 11.2.0.2.0 Base Release.


If this patch is not applied, then problems might occur in user and role search and in manager lookup. In addition, searches might return empty results.

10.1.5 Patch Requirements for Oracle Database 11g (11.2.0.3.0)

Table 10-4 lists the patches required for Oracle Identity Manager 11g Release 2 (11.1.2.3) configurations that use Oracle Database 11g (11.2.0.3.0).

Table 10-4 Required Patches for Oracle Database 11g (11.2.0.3.0)

Platform                          Patch Number and Description on My Oracle Support
Linux x86 64-bit                  14019600: MERGE REQUEST ON TOP OF 11.2.0.3.0 FOR BUGS 13004894 13370330 13743357
Solaris, HP-UX, IBM AIX           14019600: MERGE REQUEST ON TOP OF 11.2.0.3.0 FOR BUGS 13004894 13370330 13743357
Microsoft Windows 32-bit          13783452: ORACLE 11G 11.2.0.3 PATCH 4 BUG FOR WINDOWS 32 BIT
Microsoft Windows 64-bit          13783453: ORACLE 11G 11.2.0.3 PATCH 4 BUG FOR WINDOWS (64-BIT AMD64 AND INTEL EM64)


10.1.6 Patch Requirements for Oracle Database 11g (11.2.0.4.0)

Table 10-5 lists the patch required for Oracle Identity Manager 11g Release 2 (11.1.2.3) configurations that use Oracle Database 11g (11.2.0.4.0).

Table 10-5 Required Patch for Oracle Database 11g (11.2.0.4.0)

Platform                          Patch Number and Description on My Oracle Support
All platforms                     17501296: UNABLE TO DELETE ROWS FROM TABLE WITH TEXT INDEX AFTER UPGRADE TO 11.2.0.4


10.1.7 Patch Requirements for Oracle Database 10g (10.2.0.4)

In Oracle Database 10g, problems are encountered when creating a materialized view that uses the CONNECT_BY_ROOT clause. This is because the CONNECT_BY_ROOT operator is not available in Oracle Database 10g (10.2).

To resolve this issue, use the patches listed in Table 10-6:

Table 10-6 Required Patches for Oracle Database 10g (10.2.0.4)

Oracle Database Release           Patch Number and Description on My Oracle Support
10.2.0.4                          8239552: BLR BACKPORT OF BUG 6908967 ON TOP OF 10.2.0.4.0 (BLR #113173)
10.2.0.4                          8545377: ORA-1780 RAISED WHEN CURSOR_SHARING=FORCE


10.1.8 Patch Upgrade Requirement

While applying the patch provided by Oracle Identity Manager, the following error is generated:

ApplySession failed: ApplySession failed to prepare the system.

OPatch version 11.1.0.8.1 must be upgraded to version 11.1.0.8.2 to meet the version requirement.

See "Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)" for information about downloading OPatch from My Oracle Support.

10.1.9 Patch Requirement for BI Publisher 11.1.1.9.0

For information about the patch requirement for BI Publisher 11.1.1.9.0, see Section 1.6.1, "Mandatory Patches Required for Installing Oracle Identity Manager."

10.1.10 Patch Requirement for SOA 11.1.1.9.0

For information about the patch requirement for SOA 11.1.1.9.0, see Section 1.6.1, "Mandatory Patches Required for Installing Oracle Identity Manager."

10.1.11 Patch Requirement for SSL with JDK 7u40 or Later

In an Oracle Identity Manager environment in which SSL is enabled, JDK 7u40 or later is used, and SSL is configured by using the default setting as described in section "Enabling SSL for Oracle Identity Manager By Using Default Setting" of Administering Oracle Identity Manager, apply Oracle WebLogic Server patch 13964737.

10.1.12 Obtaining the Latest Bundle Patch

You must download and apply the latest Bundle Patch for Oracle Identity Manager 11g Release 2 (11.1.2.3). To do so:

  1. Log in to My Oracle Support web site at the following URL:

    https://support.oracle.com

  2. Click the Knowledge tab.

  3. Search for the article titled Master Note on Fusion Middleware Proactive Patching - Patch Set Updates (PSUs) and Bundle Patches (BPs) (Doc ID 1494151.1).

  4. Download and apply the appropriate Bundle Patch by following the instructions in the article. The row for 'Oracle Identity Manager (OIM) 11gR2' in the Proactive Patch Table provides information about the Bundle Patches for the current release of Oracle Identity Manager.

10.2 What's New in Oracle Identity Manager 11g Release 2 (11.1.2.3.0)

Oracle Identity Manager 11g Release 2 (11.1.2.3.0) has the following key new features:

10.2.1 Improved Self Service UI

The simplified tiled user interface of Oracle Identity Manager presents end-users with quick access to the self service functions they need to do their jobs. Users can see what access they have, manage their information, and reset their passwords without having to do unnecessary navigation. Managers and empowered users can access their work items easily, with the ubiquitous notification icons providing them a clear picture of their work.

10.2.2 Access Catalog with Guided Navigation

The access request feature has been further simplified to enable end-users to get the access they need to do their jobs in a simple and user-friendly manner. Users are guided through the access request process and are presented with the relevant access in an easy to understand manner via the access catalog. The guided navigation and intelligent forms ensure that end-users are able to browse and, if required, search for access using keyword search. The access catalog presents end-users with relevant business information that helps them make a decision about the access they need.

10.2.3 Temporal Grants for New and Existing Access

As part of requesting for new access (or modifications to existing access), users can set start and end dates so that access is granted at the right time and revoked when the requirement is over. Empowered users can modify the grant duration for pending as well as provisioned access.

10.2.4 Self Capabilities

Administrators have a requirement to control the actions that end-users can perform in Oracle Identity Manager, either on themselves or on others. In earlier releases, an administrator had no direct way to control end-user actions, because this function was handled by a combination of admin roles and approval policies.

In this release, administrators can make use of the self capabilities feature and specify rules that determine which action users can perform on themselves. To control the actions that users can perform on others, administrators can leverage the custom admin roles feature.

10.2.5 Simplified Admin Roles

Oracle Identity Manager allows you to define custom admin roles. As part of creating these admin roles, you can assign functional capabilities to the admin role, specify members and membership rules, and organizations that the admin role members can manage. The system-defined admin roles of 11g Release 2 (11.1.2.2.0) are present for backward compatibility only and should be considered deprecated. It is recommended to move to the new admin role model as soon as possible. To make use of the new admin role functionality, you must also enable the workflow policies feature.

With the introduction of this feature, Oracle Identity Manager no longer requires the use of Authorization Policy Manager (APM) and does not support policy customizations based on Oracle Entitlement Server (OES).

10.2.6 Role Lifecycle Management

Oracle Identity Manager allows empowered users to create, modify, approve, and certify business roles. Users composing new business roles or modifying existing roles can define business-friendly metadata, control membership, and specify which organizations have access to the role. They can also associate one or more access policies, which are collections of application entitlements, with the role. Access policies abstract out the complexities associated with application entitlements from business users, simplifying the role modeling and composition process. The application-specific access policy model also encourages reuse across roles simplifying the overall process.

As part of role composition or approval, users can see the impact of their actions, including potential compliance violations in a simple graphical manner. They can see which users will be impacted, whether there are other roles similar to the one being worked on, and whether any compliance policies are violated.

The use of this feature requires you to be licensed for its use.

10.2.7 Identity Audit Policy Management

Ensuring compliance with security controls across applications, and enforcing those controls, is a key part of regulatory compliance. This requires you to define access controls that span applications and to enforce them both in real time, when access is being granted or modified, and in a detective manner, for access that has already been granted. Oracle Identity Manager makes it possible for organizations to meet their compliance objectives by allowing business users to define audit policies. Audit policies specify what type of access a user may or may not have. For example, a user who has access to both Accounts Payables and Accounts Receivables is violating Sarbanes-Oxley guidelines. This is known as a Segregation of Duties (SoD) violation. Oracle Identity Manager allows organizations to define SoD policies that can be enforced during access request and can also be used to scan existing access to identify toxic combinations of access privileges, known as policy violations. Oracle Identity Manager identifies the violations and initiates a workflow allowing remediators, who could be business managers or administrators, to fix these violations. This process is known as remediation. All actions taken by remediators are recorded and a comprehensive audit trail is maintained.

The use of this feature requires you to be licensed for its use.

10.2.8 Enhanced Auditing

This release of Oracle Identity Manager introduces a lightweight auditing engine which is used by user, role, and organization management, and other components excluding provisioning. Unlike the existing audit engine, it does not depend on audit snapshots and JMS and is synchronous in operation. This audit engine is the strategic choice, and the current audit engine will be deprecated in the next release of the product.

10.2.9 Enhanced Password Policy Management

This release of Oracle Identity Manager provides a common password policy management framework between Oracle Identity Manager and Oracle Access Manager (OAM). It also introduces the concept of a challenge policy, which allows you to specify whether challenge questions are system-defined or end-user defined (or a combination of both). You can specify different password policies for different organizations, allowing granular control of passwords and challenge questions.

10.2.10 SCIM-Based REST Services

Representational State Transfer (REST) services are the standard approach for creating scalable web services over HTTP. System for Cross-Domain Identity Management (SCIM) is the standard used to represent users and groups, and it provides a REST API for all necessary CRUD operations. This release of Oracle Identity Manager exposes several services as SCIM-based REST services. The SPML XSD-based SOAP web service is deprecated in favor of SCIM-based REST services. It is recommended to move to the new REST services as soon as possible.

10.2.11 Simplified Workflow Policies

Approval policies are used in Oracle Identity Manager to determine the approval workflow to be launched for a particular action. This feature has been deprecated in favor of workflow policies. Functionally, workflow policies are equivalent to approval policies but perform better, expose additional configuration options, and conform to the UI of this release. You can continue using approval policies if you are upgrading to this release of Oracle Identity Manager. However, you cannot leverage the simplified admin roles capabilities. You must work with workflow policies only for a fresh deployment of Oracle Identity Manager.

If you are upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.3), then it is recommended that you convert the approval policies to workflow policies as soon as possible.

10.2.12 Simplified SSO Integration

The recommended approach of Oracle Identity Manager to Single Sign On (SSO) is to use WebLogic plug-ins (Identity Asserters or Authenticators). These plug-ins are provided by Web Access Management solutions, such as OAM or SiteMinder. This release of Oracle Identity Manager supports a simplified single sign on integration by using HTTP header variables. This approach requires you to configure an HTTP server, such as Oracle HTTP Server or Apache HTTP Server, as a reverse proxy for Oracle Identity Manager, and to install and configure the vendor-provided web server plug-in.

10.3 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

10.3.1 Background Color of Buttons Not Showing in Internet Explorer 9

If you are using Microsoft Internet Explorer 9, then the green background color of some action buttons in Oracle Identity Self Service is not displayed correctly.

To work around this issue, upgrade to Internet Explorer 10 or higher. Otherwise, use Mozilla Firefox or Google Chrome.

10.3.2 Status Attribute Cannot be Included in the Denied Attributes List

If Identity Status is included in the list of Denied Attributes, then the functional capabilities added to an admin role do not work as expected. Identity Status cannot be included in the list of Denied Attributes.

This is a known issue, and a workaround for this is not available.

10.3.3 Advanced Search Parameters Do Not Reset After Switching to Basic Search

When you switch from basic to advanced search and fill in search criteria and then switch back to basic search again, the basic search still has the criteria from the advanced search. It is now no longer a basic search. However, this is not apparent to the user because all the parameters from the advanced search are not displayed.

10.3.4 Error While Using Notification

The UMS client object is pooled in Oracle Identity Manager. The following exception can be logged while using notification:

Class/Method: UCPPool/returnConnectionToPool encounter some problems: Failed to release connection back to the UCP Pool, pooledconnection is null.

This exception can be safely ignored because it does not result in any notification message loss.

10.3.5 Form Data Not Displayed in Email Notifications

When an account or entitlement is requested, an email notification is sent to the approver. The task details embedded in the email do not display the form data of the application instance or entitlement.

This is a known issue, and a workaround for this is not available.

10.3.6 Export/Import of Roles with UDF Values Does Not Work

When you export and import the roles consisting of role UDFs and catalog UDFs by using the Deployment Manager, the catalog UDFs are imported with values but the role UDF values are not imported properly.

To work around this issue, manually update the role after import.

10.3.7 Export/Import of Role with History Does Not Work

When you export and import a role by using the Deployment Manager, the role history is not imported properly. Fresh role history is created in the imported environment and is displayed for the Attributes and Membership Rules subtabs. But new history is not displayed for the following subtabs:

  • Hierarchy

  • Access Policy

  • Organizations

  • Role Membership

  • Certification

This is a known issue, and a workaround for this is not available.

10.3.8 Export/Import of Roles with Parent Roles Does Not Work

When you export and import a role with parent and child roles by using the Deployment Manager, the child roles are displayed in the Inherited By subtab of the Hierarchy tab. But the parent roles are not displayed in the Inherits From subtab. In addition, parent roles cannot be selected as dependency during the export.

This is a known issue, and a workaround for this is not available.

10.3.9 Modifying Display Name of Default Roles Not Supported

Modifying the values of the Display Name attribute for default roles, for example OPERATORS, ALL USERS, and SELF OPERATORS, is not supported.

In addition, if any client, such as API Client, UI, or the Deployment Manager, passes the display name attribute in the Role VO to the role modification API, then the operation fails even if the display name passed is same as the display name of the role in the system. As a result, import of exported default roles via the Deployment Manager fails because of this limitation, and the following error is logged:

Caused by: oracle.iam.platform.kernel.ValidationFailedException:
IAM-3056150:Cannot change the base value for the display name of an Oracle
Identity Manager system role.:
at oracle.iam.identity.utils.Utils.createValidationFailedException(Utils.java:1066)
at oracle.iam.identity.utils.Utils.createValidationFailedException(Utils.java:1049)
at oracle.iam.identity.rolemgmt.utils.RoleManagerUtils.createValidationFailedException(RoleManagerUtils.java:3242)
at oracle.iam.identity.rolemgmt.utils.RoleManagerUtils.createValidationFailedException(RoleManagerUtils.java:3251)
at oracle.iam.identity.rolemgmt.impl.handlers.role.RoleValidationHandler.validateOOTBRoles(RoleValidationHandler.java:731)
at oracle.iam.identity.rolemgmt.impl.handlers.role.RoleValidationHandler.validate(RoleValidationHandler.java:441)
at oracle.iam.identity.rolemgmt.impl.handlers.role.RoleValidationHandler.validate(RoleValidationHandler.java:285)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.validate(OrchestrationEngineImpl.java:307)
at oracle.iam.request.impl.RequestEngine.triggerOperation(RequestEngine.java:4783)
at oracle.iam.request.impl.RequestEngine.doOperation(RequestEngine.java:4472)
at oracle.iam.impl.OIMServiceImpl.doOperation(OIMServiceImpl.java:43)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:35)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy355.doOperation(Unknown Source)
at oracle.iam.identity.utils.Utils.invokeUnifiedService(Utils.java:3831)
at oracle.iam.identity.rolemgmt.impl.RoleManagerImpl.modify(RoleManagerImpl.java:4196)

To work around this issue, right-click the default role in the import selection summary screen of the Deployment Manager, and click Remove to remove the specific role from the import selection. Then, import the rest of the artifacts.

10.3.10 Approval Tasks Cannot Be Signed Using Some Web Browsers

Approval tasks cannot be digitally signed when the Google Chrome, Microsoft Internet Explorer, or Mozilla Firefox web browsers are used. With Firefox, this issue is encountered only with recent versions of the browser.

Only the Firefox web browser is supported for digitally signing tasks. To sign with Firefox, configure the browser as follows:

  1. Navigate to the following URL:

    https://addons.mozilla.org/en-US/firefox/addon/signtextjs/

  2. Click Add to Firefox to install the add-on for electronic signing.

  3. Restart the browser.

10.3.11 Filtering By Organization Name Not Supported

Sorting or filtering by the Organization Name column in the Available Roles tab of role details is not supported.

10.3.12 Cannot Filter By Attribute ID

Using the SCIM REST service, filtering on the attribute ID is not supported for root search.

10.3.13 Cannot Filter By Meta.ResourceType

Using the SCIM REST service, filtering on the attribute meta.resourceType is not supported.

10.3.14 Cannot Sort By Password Policies

When using the SCIM REST API to retrieve password policies, the returned resources cannot be sorted.

10.3.15 Incorrect Error Codes for Some Operations

For some operations, the HTTP error code returned in a SCIM response is not the same as the one defined by the SCIM specification, for example:

  • POST operation on user that already exists returns HTTP error code 400 instead of 409.

  • Deleting an organization that is already deleted returns HTTP error code 400 instead of 404.

  • Request with no authorization returns HTTP error code 500 instead of 401.

  • POST, PATCH, and PUT operations on password policies with no authorization return error code 500 instead of 401.

  • PUT operation on unknown password policy returns incorrect error code 500.

  • PATCH operation on read-only attributes returns incorrect error code.

  • Unsupported operation for ServiceProviderConfigs returns incorrect error code instead of 403.

  • Disabling and enabling a user with no authorization returns incorrect error code instead of 401.

  • GET operation on attribute that is not searchable returns incorrect error code.

  • PATCH replace a read-only attribute returns incorrect error code.

  • DELETE operations on unknown notification templates and system properties return incorrect error codes.

  • PUT operation on a group whose owner is unknown returns an incorrect error code.

10.3.16 Root Search on meta.resourceType Fails

Root search with a filter on meta.resourceType using the SCIM REST service fails, and error code 500 is returned.

10.3.17 Root Search with No Resource Fails

Root search with no resource specified using the SCIM REST service fails, and error code 500 is returned.

10.3.18 Error Thrown on Sorting by Description Column on Lookup Type

When you click the Description column in the search results of the Lookup Type form to sort by description, the sorted result is not displayed, and the following error is displayed in Oracle Identity Manager server locale:

ORA-00932: inconsistent datatypes: expected - got CLOB

10.3.19 More Link in Auto-suggest for Catalog Advanced Search Does Not Work

In catalog advanced search, when you select the entity type as entitlement, you can select the application instance from the Application combo box. Alternatively, if you type the first few characters of the application instance name in the Application combo box, application instance names that match the characters are displayed along with a More link. However, clicking the More link has no effect.

10.3.20 Error While Customizing the Summary Page of the Create Role Wizard

The following error is thrown while customizing a catalog UDF added as read-only attribute in the Summary page of the Create Role wizard, when the Catalog Attributes section is expanded:

OracleJSP error: java.io.FileNotFoundException:

Note:

Set the init-param debug mode to true to see the complete exception message.

To work around this issue, collapse the Catalog Attributes section of the Summary page in the Create Role wizard, and then click Customize.

The Summary page of the Create Role wizard displays the attributes that have already been added while creating the role. Therefore, you cannot add to the Summary page any extra catalog attribute that is not present in the Catalog Attributes section of the Attributes page. If you want to add the read-only label for the catalog UDF, then add the UDF in the Catalog Attributes section of the Attributes page, go to the Display Options of that UDF, and set the Read Only property by using the Expression Builder. To do so, use the following expression:

 #{!pageFlowScope.editable}

The same UDF is displayed in the Summary page as read-only, and there is no need to add the extra read-only attribute on the summary page for the UDF.

10.3.21 Error While Provisioning Application Instance with New Field

When you create a new field in the application instance form and, in the same session, try to provision the application instance to any user by using Identity Self Service, an error page is displayed.

To work around this issue, log out of Identity Self Service and log in again.

10.3.22 Risk Levels Cannot Be Customized

In this release of Oracle Identity Manager, risk levels cannot be customized.

10.3.23 Delay in Displaying Pending Approvals Count

Display of the pending approvals count on the Self Service home page in Oracle Identity Self Service is delayed when a large number of tasks (approximately 34000) are waiting for approval.

To resolve this issue:

  1. Create the index in the SOA schema by running the following SQL statement:

    CREATE INDEX WFTASKSTATENSPC ON
     WFTASK("STATE","IDENTITYCONTEXT","TASKNAMESPACE",
     "ACQUIREDBY","AGGREGATIONTASKID");
    
  2. Collect the statistics from all database schemas.

  3. Restart all servers.

10.3.24 Loading of Technical Glossary Does Not Work With Oracle Database 11.2.0.1.0

With Oracle Database version 11.2.0.1.0, loading of the Technical Glossary does not work as expected. The following internal ORA-00600 error is logged when trying to seed hierarchical entitlement data into the Oracle Identity Manager database:

ORA-00600: internal error code, arguments: [kzxcInitLoadLocal-7], [64131],
[ORA-64131: XMLIndex Metadata: failure during the looking up of the dictionary
ORA-30966: error detected in the XML Index layer
ORA-31011: XML parsing failed], [], [], [], [], [], [], [], [], []

To work around this issue:

  1. Log in to the database as the SYS user, and run the following statements:

    DROP INDEX XDB.PRIN_XIDX;
    DROP INDEX XDB.SC_XIDX;
    
  2. Seed hierarchical entitlement data into Oracle Identity Manager database.

  3. Run the following query as the Oracle Identity Manager schema user to check whether the seeded data has entered the catalog hierarchical table:

    SELECT COUNT(1) FROM CATALOG_HIERARCHICAL_ATTR;
    

    The query returns the number of rows seeded into the CATALOG_HIERARCHICAL_ATTR table.

10.3.25 Error Thrown While Setting Challenge Questions for the First Time

When you log in to Oracle Identity Self Service for the first time and, while setting the challenge questions and answers, try to set a question longer than 55 characters, the following error is displayed:

Error
Unexpected exception caught: {0}, msg={1}
 Error
JTA transaction unexpectedly rolled back (maybe due to a timeout); nested exception is weblogic.transaction.RollbackException: setRollbackOnly called on transaction
 Error
setRollbackOnly called on transaction

This issue is applicable for administrator-defined challenge questions as well as challenge questions defined by the password policy. In addition, the same error is displayed when you try to set challenge questions and answers from the My Information page of Identity Self Service.

10.3.26 SCIM OIM Webapp Does Not Support Some Characters in UDF Names

The SCIM OIM webapp accepts UDF names that consist only of alphanumeric characters. If a UDF is created with an underscore (_) or dash (-) character in its name, then the SCIM OIM webapp does not work after the UDF is created.

To work around this issue, the UDF definition in the Oracle Identity Manager metadata must be fixed, as follows:

  1. Export OIM metadata, as described in "Migrating User Modifiable Metadata Files" in Developing and Customizing Applications for Oracle Identity Manager.

    Specify the export directory in toLocation: /tmp/mds, and the metadata documents to export in docs: /file/User.xml,/db/identity/entity-definition/Role.xml,/db/identity/entity-definition/Organization.xml.

  2. Depending on the UDF you created, edit the User.xml, Role.xml, or Organization.xml file, and look for the SCIM definition of the UDF, which is similar to the following:

    <metadata>
      <name>scim</name>
      <value>UDF_NAME</value>
      <category>properties</category>
    </metadata>
    
  3. In the sample, remove the underscore (_) or dash (-) character from the UDF name (UDF_NAME).

    The new UDF name must be unique in the metadata file to avoid name conflict. For example, if you want to replace MY_UDF_NAME with MYUDFNAME, then make sure that MYUDFNAME is not already defined in the metadata as a SCIM attribute (UDF or not). If it is already defined, then find a unique name, such as MYUDFNAMEUNIQUE.

  4. Import the modified XML file, as described in "Migrating User Modifiable Metadata Files" in Developing and Customizing Applications for Oracle Identity Manager.

    Specify the import directory in fromLocation: /tmp/mds, and the metadata documents to import in docs: /file/User.xml,/db/identity/entity-definition/Role.xml,/db/identity/entity-definition/Organization.xml.

  5. Restart Oracle Identity Manager.
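Steps 2 and 3 can be applied mechanically to an exported metadata file. The following script is an added example written for these release notes, not Oracle's own tooling: it finds every <metadata> block whose <name> is scim, strips underscores and dashes from the <value>, and applies the uniqueness rule from step 3 (append UNIQUE, then a counter, when the stripped name already exists as a SCIM attribute). The enclosing <entity-definition> element in the sample is an assumption made so the constructed sample is well-formed; the real exported User.xml, Role.xml, or Organization.xml may differ in its outer layout and may use XML namespaces, which the tag matching tolerates.

```python
"""Rename SCIM UDF attributes that contain '_' or '-' in an exported OIM
metadata file, keeping every new name unique among existing SCIM values.
Added example for the workaround above; not Oracle's code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of an exported User.xml. Only the
# <metadata> blocks matter; the <entity-definition> wrapper is an assumption.
SAMPLE_USER_XML = """<entity-definition>
  <metadata>
    <name>scim</name>
    <value>MY_UDF_NAME</value>
    <category>properties</category>
  </metadata>
  <metadata>
    <name>scim</name>
    <value>MYUDFNAME</value>
    <category>properties</category>
  </metadata>
  <metadata>
    <name>scim</name>
    <value>cost-center</value>
    <category>properties</category>
  </metadata>
  <metadata>
    <name>other</name>
    <value>NOT_SCIM</value>
    <category>properties</category>
  </metadata>
</entity-definition>
"""

BAD_CHARS = re.compile(r"[_-]")


def _local(tag):
    """Strip a namespace prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child(el, name):
    """Return the first direct child with the given local tag name, or None."""
    for child in el:
        if _local(child.tag) == name:
            return child
    return None


def scim_values(root):
    """Yield the <value> element of every <metadata> whose <name> is scim."""
    for md in root.iter():
        if _local(md.tag) != "metadata":
            continue
        name_el = _child(md, "name")
        value_el = _child(md, "value")
        if name_el is None or value_el is None:
            continue
        if (name_el.text or "").strip() == "scim":
            yield value_el


def fix_scim_udf_names(xml_text):
    """Return (fixed_xml, renames) where renames maps old -> new SCIM value."""
    root = ET.fromstring(xml_text)
    values = list(scim_values(root))
    taken = {(v.text or "").strip() for v in values}   # all existing SCIM names
    renames = {}
    for value_el in values:
        old = (value_el.text or "").strip()
        if not BAD_CHARS.search(old):
            continue
        stripped = BAD_CHARS.sub("", old)
        candidate = stripped
        # Uniqueness rule from step 3: MY_UDF_NAME -> MYUDFNAME, but if
        # MYUDFNAME already exists use MYUDFNAMEUNIQUE (then a counter).
        if candidate in taken:
            candidate = stripped + "UNIQUE"
        n = 2
        while candidate in taken:
            candidate = stripped + "UNIQUE%d" % n
            n += 1
        taken.discard(old)
        taken.add(candidate)
        renames[old] = candidate
        value_el.text = candidate
    return ET.tostring(root, encoding="unicode"), renames


if __name__ == "__main__":
    fixed_xml, changes = fix_scim_udf_names(SAMPLE_USER_XML)
    for old_name, new_name in changes.items():
        print("%s -> %s" % (old_name, new_name))
```

Review the printed renames before importing the file in step 4: the SCIM attribute name is the identifier SCIM clients use, so any client that references the old name must be updated to the new one.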

10.3.27 Local Part of Email Must Be Less Than Or Equal To 64 Characters

During user creation from Identity Self Service, the local part of the email ID must be 64 characters or fewer. In an address of the form localpart@domain.com, the local part is the portion before the @ sign.

If the local part of the email ID consists of more than 64 characters, then user creation fails with the following error:

****attribute mail is not valid.
Please enter valid value for attribute mail
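The same limit appears in RFC 5321 (section 4.5.3.1.1, 64 octets for the local part), so a client that creates users through the API can reject such values before the request is sent. The following validator is an added example, not Oracle's code; it splits the address on the last @ sign and reports the problem. It goes slightly beyond the page by also checking the domain part against the 255-octet limit that RFC 5321 section 4.5.3.1.2 specifies.

```python
"""Pre-check an e-mail ID against the 64-character local-part limit that
Identity Self Service enforces. Added example, not Oracle's code."""

MAX_LOCAL_PART = 64   # limit stated on the page (RFC 5321 section 4.5.3.1.1)
MAX_DOMAIN = 255      # RFC 5321 section 4.5.3.1.2; beyond what the page states


def split_email(address):
    """Split 'localpart@domain' on the last '@' (a quoted local part may itself
    contain '@'). Raise ValueError when either side is missing."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not of the form localpart@domain: %r" % address)
    return local, domain


def email_length_problems(address):
    """Return a list of problem descriptions; an empty list means the address
    passes the length checks. Lengths are counted in characters, as the page
    states; SMTP itself counts octets, which only matters for non-ASCII."""
    try:
        local, domain = split_email(address)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if len(local) > MAX_LOCAL_PART:
        problems.append("local part is %d characters, limit is %d"
                        % (len(local), MAX_LOCAL_PART))
    if len(domain) > MAX_DOMAIN:
        problems.append("domain is %d characters, limit is %d"
                        % (len(domain), MAX_DOMAIN))
    return problems


def is_valid_email_length(address):
    """Convenience wrapper: True when no length problem was found."""
    return not email_length_problems(address)


if __name__ == "__main__":
    # Constructed sample inputs: exactly at the limit, and one over it.
    for sample in ("a" * 64 + "@example.com", "a" * 65 + "@example.com"):
        print(sample[:20] + "...", email_length_problems(sample) or "ok")
```

Running this check in the client gives a clearer message than the generic "attribute mail is not valid" error shown above.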

10.3.28 Inbox View Names Not Displayed Correctly

In an upgraded deployment of Oracle Identity Manager, the Inbox view names are not displayed correctly. For example, the view names are displayed as MANUAL_PROVISIONING_VIEW, PENDING_APPROVALS_VIEW, PENDING_CERTIFICATIONS_VIEW, and PENDING_VOILATIONS_VIEW instead of Manual Provisioning, Pending Approvals, Pending Certifications, and Pending Violations respectively.

To display the Inbox view names correctly, set the value of the WorkflowCustomClasspathURL attribute, as follows:

  1. Log in to Oracle Enterprise Manager.

  2. Expand Weblogic Domain, DOMAIN_NAME.

  3. Right-click the domain name, and select System MBean Browser.

  4. Go to Application Defined MBeans, oracle.as.soainfra.config, server:SOA_SERVER, WorkflowConfig, human-workflow.

  5. Check the value of the WorkflowCustomClasspathURL attribute. Verify that the path to the adflibPendingApprovalsUI.jar file is correct. If the path is not correct, then correct it.

  6. Save the changes.

10.3.29 Error on Opening Deployment Manager in Chrome Version 42

When you use Google Chrome Version 42, the Deployment Manager window does not open and displays the following error:

"This Plugin is not supported".

To work around this issue:

  1. In the address bar of the Google Chrome browser, enter chrome://flags.

  2. In the page that loads, search for #enable-npapi.

    Alternatively, you can enter chrome://flags/#enable-npapi in the address bar to load the page directly.

  3. Click the Enable link under Enable NPAPI.

  4. Restart the browser.

10.3.30 Approvals Via Actionable Email Not Processed After Upgrade

After upgrading Oracle Identity Manager to 11g Release 2 (11.1.2.3.0), approvals performed through actionable e-mails are not processed because of the following error:

"Overlapping access point specification".

To fix this issue, remove access points from the database. To do so:

  1. Log in to Oracle Enterprise Manager.

  2. On the left pane, expand User Messaging Service.

  3. Right-click usermessagingserver, and select Messaging Client Applications.

    The table that is displayed contains an entry with the SOA domain under the Name column. All the access points are listed in the Access Point column. Note how many access points are registered and which ones.

  4. To deregister an access point, select the row, and then click De-register.

  5. Restart SOA Managed Server, which will register the access point again.

10.3.31 System Properties Replaced with Password Policy Fields

In this release of Oracle Identity Manager, the XL.MAXLOGINATTEMPTS and XL.MAXPASSWORDRESETATTEMPTS system properties have been removed.

The function of the XL.MAXLOGINATTEMPTS system property has been replaced with the Maximum Incorrect Login attempts counter field in the password policy details page.

The function of the XL.MAXPASSWORDRESETATTEMPTS system property has been replaced with the Lock User After Attempts field in the Challenge Options section of the password policy details page.

For information about these fields, see "Managing Password Policies" in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager.

10.3.32 Task Flows Created on Oracle Identity Manager 11g Release 2 (11.1.2.2) Not Applicable to Oracle Identity Manager 11g Release 2 (11.1.2.3)

If you have upgraded from Oracle Identity Manager 11g Release 2 (11.1.2.2) to Oracle Identity Manager 11g Release 2 (11.1.2.3), then the existing task flows cannot be used on Oracle Identity Manager 11g Release 2 (11.1.2.3). Because the UI of Oracle Identity Manager 11g Release 2 (11.1.2.3) has changed, the existing task flows are outdated.

You must rewrite your task flows to use them in 11g Release 2 (11.1.2.3). For information about creating task flows, see Developing and Customizing Applications for Oracle Identity Manager.

10.3.33 Scope of Immediate Attribute Limited to the Specific Actions

When the Justification field is customized to be required and no value is set for it, other UI pages cannot be displayed because a validation error is raised for the empty Justification field.

The problem can be resolved by disabling the ADF attribute Immediate of the Justification field. The scope of the ADF attribute Immediate is limited to specific actions, such as Submit or Next.

10.3.34 Unauthenticated SSL Not Supported by OWSM Policy

When the OWSM multi_token_noauth_over_ssl_rest_service_policy is configured, all access is expected to be over SSL. However, the Oracle REST Self Service APIs allow unauthenticated access over plain HTTP even though the multi_token_noauth_over_ssl_rest_service_policy is configured.
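Because the policy does not enforce the SSL requirement on this path, the transport requirement has to be enforced elsewhere (for example by redirecting plain HTTP to HTTPS at the front end, or by not exposing a plain HTTP listen port at all) and then verified. The following script is an added verification check for your own deployment, not Oracle's code: it sends one unauthenticated GET over plain HTTP, does not follow redirects, and reports whether the first hop refused the request (401/403) or redirected it to an https:// URL. The endpoint URL is a placeholder; the REST path must come from your deployment.

```python
"""Verify that unauthenticated plain-HTTP access to a REST endpoint is refused
or redirected to HTTPS, as multi_token_noauth_over_ssl_rest_service_policy
intends. Added example for checking your own deployment; not Oracle's code."""
import urllib.error
import urllib.request

# Placeholder (assumption): the plain-HTTP URL of an OIM REST self-service
# endpoint in your deployment. The release notes do not give this path.
PLAIN_HTTP_URL = "http://oim-host.example.com:14000/PLACEHOLDER/rest/path"


def assess_plain_http_response(status, headers):
    """Classify the response an unauthenticated plain-HTTP GET received.

    Returns (ok, reason). ok is True only when the request was refused
    (401/403) or redirected to an https:// URL. A 2xx means the resource was
    served without authentication over plain HTTP, so the SSL requirement
    is not being enforced on this path.
    """
    location = ""
    for key, value in headers.items():
        if key.lower() == "location":
            location = value
    if status in (401, 403):
        return True, "unauthenticated request refused with HTTP %d" % status
    if 300 <= status < 400:
        if location.lower().startswith("https://"):
            return True, "redirected to HTTPS: %s" % location
        return False, "redirected, but not to HTTPS: %r" % location
    if 200 <= status < 300:
        return False, ("HTTP %d: resource served without authentication "
                       "over plain HTTP" % status)
    return False, "unexpected HTTP %d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop is inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_endpoint(url=PLAIN_HTTP_URL, timeout=10):
    """Send one unauthenticated GET to url and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return assess_plain_http_response(resp.getcode(), dict(resp.headers))
    except urllib.error.HTTPError as err:
        # 3xx (because redirects are not followed), 401, 403, 5xx land here.
        return assess_plain_http_response(err.code, dict(err.headers))


if __name__ == "__main__":
    ok, reason = check_endpoint()
    print("PASS" if ok else "FAIL", "-", reason)
```

Run it against each plain-HTTP entry point (managed server port and any front-end host) after configuring the redirect or disabling the port; a FAIL with a 2xx status means the gap described above is still reachable.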

10.3.35 Deployment Manager Import/Export Not Supported on Edge and Safari Browsers

Import or export by using the Deployment Manager is not supported on the Edge and Safari browsers. This is because Edge and Safari do not support the Java plug-in or any other plug-ins, and the Java plug-in is required for Deployment Manager import/export to work. This is also stated in the following FAQ:

https://www.java.com/en/download/faq/win10_faq.xml

Therefore, use Internet Explorer or another supported browser for Deployment Manager import/export.

10.3.36 Connector Upgrade Not Supported on Edge and Safari Browsers

Upgrading any connector is not supported on the Edge and Safari browsers because of the plug-in issue described in Section 10.3.35, "Deployment Manager Import/Export Not Supported on Edge and Safari Browsers".

Therefore, use Internet Explorer or another supported browser for connector upgrade.

10.3.37 oimclient.jar Needs Update and ipf.jar for Some passwordmgmt VOs

Custom client applications that use the previous version of oimclient.jar fail with an error similar to the following:

"oracle.iam.passwordmgmt.vo.Challenge; local class incompatible:
stream classdesc serialVersionUID = 7026677945288353246, local class 
serialVersionUID = -5258470952025280257"

To resolve this issue, update the client application to use the new version of the oimclient.jar included with this release in OIM_ORACLE_HOME/server/client/oimclient.zip, and include the additional OIM_ORACLE_HOME/modules/oracle.idm.ipf_11.1.2/ipf.jar in the lib/classpath.

10.4 Configuration Issues and Workarounds

Currently, there are no configuration issues to note.

10.5 Multi-Language Support Issues and Limitations

This section describes multi-language issues and limitations. It includes the following topics:

10.5.1 SOA-Based Notification Fails for Non-ASCII Administrator User

SOA-based notification fails when a notification is sent to a user whose name contains non-ASCII characters. The notification e-mail body contains the following:

Error 500--Internal Server Error
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.5.1 500 Internal Server Error 

The following error is logged:

Caused By: javax.security.auth.login.FailedLoginException:
[Security:090304]Authentication Failed: User 0318~A~A~Y~A
javax.security.auth.login.FailedLoginException:
[Security:090302]Authentication Failed: User 0318~A~A~Y~A denied
        at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
        at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
        at sun.reflect.GeneratedMethodAccessor1382.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

To resolve this issue:

  1. Go to the My Oracle Support web site at:

    https://support.oracle.com/

  2. Search for and apply patch 18398295.

  3. Restart all servers.

10.5.2 Oracle Identity Manager Help Displayed in Browser Language

If you set different languages as the browser language and as the value of the ORA_FUSION_PREFS cookie, then Oracle Identity Manager UI is displayed in the language set by the ORA_FUSION_PREFS cookie, but Oracle Identity Manager Help is displayed in the browser language.

For example, if you set the browser language as Japanese, and set ORA_FUSION_PREFS=German, then Oracle Identity Manager UI is displayed in German, but Oracle Identity Manager Help is displayed in Japanese.

10.5.3 Values for Organization Type and Status Displayed in English

The values in the Organization Type or Status lists in some pages are displayed in English although the browser is set to a non-English locale. For example:

  • The values in the Organization Type or Status lists in the Admin Roles tab of the My Access page in Oracle Identity Self Service.

  • The values in the Organization Type or Status lists for any selected admin role in the Admin Roles tab of User Details page in Oracle Identity Self Service.

  • The values in the Organization Type or Status lists for any selected suborganization in the Children tab of Organization Details page in Oracle Identity Self Service.

This is a known issue, and a workaround is currently not available.

10.5.4 Task Status Option Values Not Displayed Per Browser Language Setting

The following Task Status option values are displayed in English on the Provisioning Tasks page instead of the browser language setting:

  • Pending

  • Rejected

10.5.5 Data Populated By Default Not Translatable

Data that is populated by default in Oracle Identity Self Service is not translated. For example, the name of the default password policy, Default Password Policy, displayed in the Password Policies page of Identity Self Service is in English irrespective of the browser language setting.

10.5.6 Locale Drop Down is Not Displayed in Browser Language

When you set the browser language to any one of the following, the Locale drop down in either My Information or Preferences in Identity Self Service is displayed in English and not according to the browser language setting:

  • Arabic (ar)

  • Czech (cs)

  • Danish (da)

  • Dutch (nl)

  • Hebrew (he)

  • Hungarian (hu)

  • Norwegian (no)

  • Romanian (ro)

  • Slovak (sk)

  • Turkish (tr)

10.6 Documentation Errata

Currently, there are no documentation issues to note.