20 Troubleshoot Oracle Identity Management

This section describes common problems that might be encountered in the Oracle Identity Management and security integration layer, and it explains how to solve them.


Some procedures in this section reference topics in Oracle Fusion Middleware guides where the use of Fusion Middleware Control is explained; those topics also apply to Fusion Applications Control.

In addition to this section, review the Oracle Fusion Middleware Error Messages Guide for information about the error messages that might be encountered.

20.1 Introduction to Troubleshooting Oracle Identity Management

Oracle Identity Management (IDM), a member of the Oracle Fusion Middleware family of products, is a complete and integrated identity management platform that provides scalability; enables organizations to achieve rapid compliance with regulatory mandates; and secures sensitive applications and data regardless of whether they are hosted on-premises or in a cloud. The suite of IDM solutions includes:

  • Access Management, which secures applications, data, and Web services.

  • Identity Governance, which simplifies account administration of identities.

  • Directory Services, which delivers an integrated directory service, including identity virtualization, storage, and synchronization services.

The following guidelines and process for using the information in this section will help you minimize the time you spend solving problems.

Guidelines:

When using the information in this section, Oracle recommends the following:

  • After performing any of the solution procedures in this section, immediately retrying the failed task that led you to this troubleshooting information. If the task still fails when retrying it, perform a different solution procedure written in this section and then try the failed task again. Repeat this process until you resolve the problem.

  • Making notes about the solution procedures performed, the symptoms seen, and the data collected while troubleshooting. If it is not possible to resolve the problem using the information in this section and a service request must be logged, these notes will expedite the process of solving the problem.

Process:

Follow the process outlined in Table 20-1 when using the information in this section. If the information in a particular section does not resolve your problem, proceed to the next step in this process.

Table 20-1 Process for Using the Information in this Section

Step 1
  Section to use: Get Started with Troubleshooting Oracle Identity Management
  Purpose: Get started troubleshooting Oracle Identity Management. The procedures in this section quickly address a wide variety of problems.

Step 2
  Section to use: Problems and Solutions for Missing or Incorrect Data through Problems and Solutions for Logging in to Secured Resources
  Purpose: Perform problem-specific troubleshooting procedures. These sections describe:
    • Symptoms of specific Oracle Fusion Applications runtime problems that may have originated in the Oracle Identity Management and security integration layer
    • Possible causes of the problems
    • Solution procedures corresponding to each of the possible causes

Step 3
  Section to use: Additional Information for Troubleshooting Oracle Identity Management
  Purpose: Get Oracle Identity Management component-specific troubleshooting information. Use this section if the problem has been isolated to a specific Oracle Identity Management component or you want to learn more about a component.

20.2 Get Started with Troubleshooting Oracle Identity Management

Start troubleshooting by performing the procedures described in this section, as they quickly address a wide variety of problems. If the procedures in this section do not resolve your problem, proceed to Problems and Solutions for Missing or Incorrect Data through Problems and Solutions for Logging in to Secured Resources.


20.2.1 Verify the Security Providers in the Oracle WebLogic Server Domain

Small configuration errors in the security providers for the Oracle WebLogic Server domain, such as in the Identity Asserters and Authenticators, frequently are the cause of runtime problems. Use the information in this section to quickly verify a few key security provider settings, including:

  • The order of providers, which determines the authentication sequence.

  • JAAS Control Flags, which determine how the authentication sequence uses the providers.

  • Connection, cache, and user and group lookup settings for the identity store's LDAP Authenticator.

To verify configuration settings for the security providers in the Oracle WebLogic Server domain, perform the following steps:

  1. Log in to the Oracle WebLogic Server Administration Console as follows:

    1. Log in to Oracle Enterprise Manager Cloud Control.

    2. From the Targets drop-down, select Middleware, to display the Middleware page.

    3. From the Middleware Features drop-down, select Identity and Access, to get to the Identity and Access Dashboard.

    4. Select an OID instance from the Oracle Internet Directory table, to get to the appropriate OID instance page.

    5. In the OID instance page, from the Oracle Internet Directory pull-down select WebLogic Server Administration Console.

    6. Log in to the console.

  2. Click Security Realms in the Domain Structure area on the left side of the Administration Console Home Page. The Summary of Security Realms screen appears.

  3. Click the name of the appropriate security realm in the Realms table. The Settings for REALM_NAME screen appears.

  4. Click the Providers, then Authentication tabs. The configured providers appear in the Authentication Providers table.

20.2.1.1 Verify the Order of Providers

The security providers must be configured in the following order, where number 1 in the following list is at the top of the Authentication Providers table:

  1. Oracle Access Manager Identity Asserter

  2. LDAP Authenticator for the identity store: Either the Oracle Internet Directory Authenticator or Oracle Virtual Directory Authenticator, depending on the LDAP server used as the identity store.

If needed, it is possible to reorder the security providers by performing the following steps from the Settings for REALM_NAME screen:

  1. Click Reorder.
  2. Select a provider and use the arrow buttons to move it up or down in the order.
  3. Click OK.

20.2.1.2 Verify JAAS Control Flags

The JAAS Control Flags for the security providers must be set as shown in Table 20-2. Perform the following steps to view, and if needed, edit the JAAS Control Flags.

From the Settings for REALM_NAME screen:

  1. Click the provider name in the Authentication Providers table.
  2. Click the Configuration and the Common tabs.
  3. Examine the Control Flag setting and adjust it as needed.
  4. Click Save.

Table 20-2 Required JAAS Control Flags for Security Providers

  • Oracle Access Manager Identity Asserter: Required

  • LDAP Authenticator for the identity store (Oracle Internet Directory Authenticator or Oracle Virtual Directory Authenticator): Sufficient

20.2.1.3 Verify Settings for the Identity Store's LDAP Authenticator

Table 20-3 lists the settings for the identity store's LDAP Authenticator that should be verified. Perform the following steps on either the Oracle Internet Directory Authenticator or the Oracle Virtual Directory Authenticator, depending on the LDAP server being used for the identity store.

From the Settings for REALM_NAME screen, perform the following steps:

  1. Click the appropriate authenticator in the Authentication Providers table.
  2. Click the Configuration and the Provider Specific tabs.
  3. Examine the settings and adjust as needed.
  4. Click Save.

Get more information about each of the settings listed in Table 20-3 by clicking More Info... next to each setting in the Oracle WebLogic Server Administration Console.

Table 20-3 Settings to Verify in the Identity Store's LDAP Authenticator

  • Connection settings: Double-check all to ensure accuracy. Pay particular attention to the Host value, which can contain misspelled strings.

  • User Name Attribute: Regardless of which attribute is set, the same attribute must be used to specify the user name in the All Users Filter and User From Name Filter settings.

  • All Users Filter and User From Name Filter: The user name attribute used in both of these settings must be the attribute configured for the User Name Attribute setting.

  • Use Retrieved User Name as Principal: Must be enabled (checked).

  • Static Group Name Attribute: Regardless of which attribute is set, the same attribute must be used to specify the group name in the All Groups Filter and Group From Name Filter settings.

  • All Groups Filter and Group From Name Filter: The attribute used to specify the group name in these two settings must be the same attribute configured for the Static Group Name Attribute setting.

  • Cache Enabled: If enabled, examine the value of the Cache TTL setting.

  • Cache TTL: Examine to ensure an appropriate value is set. If performing an operation that fails, wait for the amount of time specified by the Cache TTL to elapse and then retry the failed operation. This will ensure the authenticator's cache has been refreshed and any recent configuration changes have been activated.
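The checks in 20.2.1.1 through 20.2.1.3 can also be run against a copy of the realm configuration rather than clicked through in the console. The following is an added example, not Oracle's code or tooling: it parses a constructed realm fragment shaped like the realm element of DOMAIN_HOME/config/config.xml and reports every deviation from the provider order, control flag, and LDAP Authenticator rules above. The element names (sec:control-flag, wls:user-name-attribute, and so on) are assumed to follow WebLogic's hyphenated naming of the console attributes; confirm them against your own config.xml before relying on the script.

```python
"""Added example (not Oracle's code): check a WebLogic realm's authentication
providers against the rules in Tables 20-2 and 20-3."""
import re
import xml.etree.ElementTree as ET

NS = {
    "sec": "http://xmlns.oracle.com/weblogic/security",
    "wls": "http://xmlns.oracle.com/weblogic/security/wls",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample shaped like the <realm> element of DOMAIN_HOME/config/config.xml.
# Assumption: element names are the console attribute names, hyphenated and lower-case.
GOOD_REALM = """<realm xmlns:sec="http://xmlns.oracle.com/weblogic/security"
   xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sec:authentication-provider xsi:type="wls:oam-identity-asserterType">
    <sec:name>OAMIdentityAsserter</sec:name>
    <sec:control-flag>REQUIRED</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:oracle-internet-directory-authenticatorType">
    <sec:name>OIDAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:host>oid.example.com</wls:host>
    <wls:port>3060</wls:port>
    <wls:user-name-attribute>uid</wls:user-name-attribute>
    <wls:all-users-filter>(&amp;(uid=*)(objectclass=person))</wls:all-users-filter>
    <wls:user-from-name-filter>(&amp;(uid=%u)(objectclass=person))</wls:user-from-name-filter>
    <wls:use-retrieved-user-name-as-principal>true</wls:use-retrieved-user-name-as-principal>
    <wls:static-group-name-attribute>cn</wls:static-group-name-attribute>
    <wls:all-groups-filter>(&amp;(cn=*)(objectclass=groupofuniquenames))</wls:all-groups-filter>
    <wls:group-from-name-filter>(&amp;(cn=%g)(objectclass=groupofuniquenames))</wls:group-from-name-filter>
    <wls:cache-enabled>true</wls:cache-enabled>
    <wls:cache-ttl>60</wls:cache-ttl>
  </sec:authentication-provider>
</realm>"""

# The same realm with four of the mistakes this section tells you to look for.
BAD_REALM = (GOOD_REALM
             .replace("<sec:control-flag>SUFFICIENT", "<sec:control-flag>OPTIONAL")
             .replace("oid.example.com<", "oid.example.com <")  # stray whitespace in Host
             .replace("(uid=%u)", "(cn=%u)")  # filter attribute differs from User Name Attribute
             .replace("as-principal>true", "as-principal>false"))

# Attribute whose value is the name placeholder (%u / %g) or the wildcard in a filter.
FILTER_ATTR = re.compile(r"\(([A-Za-z][\w.;-]*)=(?:\*|%[ug])\)")


def filter_attribute(ldap_filter):
    """Return the attribute that carries the user or group name in an LDAP filter."""
    m = FILTER_ATTR.search(ldap_filter)
    return m.group(1) if m else None


def load_providers(xml_text):
    """Return providers in table order: name, xsi:type, control flag, wls:* settings."""
    providers = []
    for p in ET.fromstring(xml_text).findall("sec:authentication-provider", NS):
        settings = {}
        for child in p:
            if child.tag.startswith("{%s}" % NS["wls"]):
                settings[child.tag.split("}", 1)[1]] = child.text or ""
        providers.append({"name": p.findtext("sec:name", "", NS),
                          "type": p.get(XSI_TYPE, ""),
                          "flag": p.findtext("sec:control-flag", "", NS),
                          "settings": settings})
    return providers


def check_realm(xml_text):
    """Return a list of findings; an empty list means the realm passes every check."""
    findings = []
    providers = load_providers(xml_text)
    if len(providers) < 2:
        return ["fewer than two authentication providers are configured"]
    asserter, ldap = providers[0], providers[1]
    if "identity-asserter" not in asserter["type"]:
        findings.append("provider 1 (%s) is not an identity asserter" % asserter["name"])
    elif asserter["flag"] != "REQUIRED":
        findings.append("identity asserter flag is %s, must be REQUIRED" % asserter["flag"])
    if not any(t in ldap["type"] for t in ("internet-directory-authenticator",
                                           "virtual-directory-authenticator")):
        findings.append("provider 2 (%s) is not the OID or OVD authenticator" % ldap["name"])
        return findings
    if ldap["flag"] != "SUFFICIENT":
        findings.append("LDAP authenticator flag is %s, must be SUFFICIENT" % ldap["flag"])
    s = ldap["settings"]
    host = s.get("host", "")
    if not host or host != host.strip():
        findings.append("Host is empty or has surrounding whitespace: %r" % host)
    # Table 20-3: the name attribute must be the one used inside the paired filters.
    for attr, filters in (("user-name-attribute", ("all-users-filter", "user-from-name-filter")),
                          ("static-group-name-attribute", ("all-groups-filter", "group-from-name-filter"))):
        for f in filters:
            used = filter_attribute(s.get(f, ""))
            if used != s.get(attr):
                findings.append("%s uses %r but %s is %r" % (f, used, attr, s.get(attr)))
    if s.get("use-retrieved-user-name-as-principal") != "true":
        findings.append("Use Retrieved User Name as Principal must be enabled")
    if s.get("cache-enabled") == "true" and not s.get("cache-ttl", "").strip().isdigit():
        findings.append("Cache TTL %r is not a number of seconds" % s.get("cache-ttl"))
    return findings


if __name__ == "__main__":
    for label, realm in (("good", GOOD_REALM), ("bad", BAD_REALM)):
        print(label, check_realm(realm) or "OK")
```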

20.2.2 Use Selective Tracing to Troubleshoot Inaccessible Functionality

When Oracle Fusion Applications users cannot access a particular functionality, for example, they attempt to log in to an application and are denied access or see an unexpected view of the application, often it is because they are not authorized to access that functionality. In these situations, use the Selective Tracing feature in Fusion Applications Control to collect data specific to the user and request, then collaborate with the security administrator to compare it against the configured authorizations.

To use Selective Tracing to troubleshoot inaccessible functionality, perform the following steps:

  1. Update the domain's environment setup script by performing one of the following steps that is appropriate to your environment:

    On UNIX systems, add the text shown in the following example to the bottom of the DOMAIN_HOME/bin/setDomainEnv.sh file:

    JAVA_OPTIONS="-Djava.util.logging.manager=oracle.core.ojdl.logging.ODLLogManager ${JAVA_OPTIONS}"
    export JAVA_OPTIONS
    FMWCONFIG_CLASSPATH=${FMWCONFIG_CLASSPATH}${CLASSPATHSEP}${ORACLE_COMMON_HOME}/modules/oracle.odl_11.1.1/ojdl.jar
    export FMWCONFIG_CLASSPATH
    
  2. Log in to Fusion Applications Control as follows:
    1. Log in to Oracle Enterprise Manager Cloud Control.
    2. From the Targets drop-down, select Middleware, to display the Middleware page.
    3. From the Middleware Features drop-down, select Identity and Access to get to the Identity and Access Dashboard.
    4. Select an OID instance from the Oracle Internet Directory table, to get to the appropriate OID instance page.
    5. In the OID instance page, from the Oracle Internet Directory pull-down select Fusion Middleware Control.
    6. Log in to the control.
  3. Navigate to the appropriate domain, then select Logs and Selective Tracing from the domain menu. The Selective Tracing page appears.
  4. Click the Tracing Options tab, configure the following settings, and click Start Tracing to generate the selective trace:
    1. Option Name: Select User Name from the list and enter the name of the user that cannot access functionality.

      While this procedure describes troubleshooting inaccessible functionality by selective tracing on a user name, it is also possible to use the other options in the Option Names list for troubleshooting purposes.

    2. Level: Select TRACE:32 (FINEST).
    3. Description: Enter a description that will help you identify the trace results, such as: USER_NAME cannot access functionality.
    4. Duration: Enter the number of minutes the selective trace will run.
    5. Trace ID: Select Generate a New Unique Trace ID. Optionally, you can select Use a Custom Trace ID and enter an ID, but note that Fusion Middleware Control does not verify the uniqueness of Custom Trace ID strings.
    6. Loggers: Oracle recommends enabling the following loggers for troubleshooting inaccessible functionality:

      To quickly locate a specific logger, enter the logger name or a string in the logger name in the field above the list of loggers and press return.

      • oracle.jps.authorization

      • oracle.jps.common

      • oracle.security.jps.az.internal.runtime.policy.AbstractPolicyImpl

      • oracle.security.jps.internal.policystore.JavaPolicyProvider

      • oracle.security.jps.internal.policystore.ldap.BulkAuthorizer

      • oracle.security.jps.trace.logger

      • oracle.security.jps.util.JpsAuth

      Refer to the Debugging the Authorization Process section in the Oracle Fusion Middleware Applications Security Guide for information about system properties you can enable for extremely fine grained authorization debugging.

  5. Instruct the user that cannot access functionality to try and access it again. Now that Selective Tracing has been enabled for that user, data specific to that user and the request will be collected.
  6. Access the results from the selective trace by clicking the Active Traces And Tracing History tab and selecting the trace from either the Active Traces or Tracing History table. If the number of minutes specified in the Duration option has elapsed, the trace will be in the Tracing History table. If a description for the selective trace was provided, look for it in the Description column.
  7. Provide the trace results to the Security Administrator.

    Typically, the Security Administrator performs the remaining steps in this procedure.

  8. Locate the Failed ProtectionDomain string and its corresponding resourceName=, resourceType=, and Principal= strings in the trace results. These strings will provide information about the user and the inaccessible resource. As shown in the following example, the user named user1 was denied access to the resource named ResourceNameX:
    PolicyContext: [JeeScenarioApp]
    Resource/Target: [resourceType=TaskFlowResourceType,resourceName=ResourceNameX]
    Action:[read]
    Permission Class: [oracle.security.jps.ResourcePermission]
    Result:            [FAILED]
    Evaluator:         [ACC]
    FailedProtectionDomain:ClassLoader=weblogic.utils.classloaders.ChangeAwareClassLoader@c7cee9finder:weblogic.utils.classloaders.CodeGenClassFinder@a05da2 annotation: JeeScenarioApp@jeescenario
      CodeSource=file:/somepath/wls-jrfServer/servers/jrfServer_admin/tmp/_WL_user/JeeScenarioApp/gw8m4w/war/WEB-INF/lib/_wl_cls_gen.jar
      Principals=total 5 of principals(
        1. weblogic.security.principal.WLSUserImpl "user1"
        2. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl "authenticated-role" GUID=null DN=null
        3. JpsPrincipal: oracle.security.jps.service.policystore.ApplicationRole "basic_role1" GUID=734342D04A2811E0AF671B4A95E1598C DN=cn=basic_role1,cn=Roles,cn=JeeScenarioApp,cn=testfarm_wilu_mlr6,cn=JPSContext,cn=jpsroot
        4. JpsPrincipal: oracle.security.jps.service.policystore.ApplicationRole "myrole2" GUID=738C80D04A2811E0AF671B4A95E1598C DN=cn=myrole2,cn=Roles,cn=JeeScenarioApp,cn=testfarm_wilu_mlr6,cn=JPSContext,cn=jpsroot
        5. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl "anonymous-role" GUID=null DN=null)
      Permissions=(
        (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=default,keyName=* read,write)
        (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:SYSTEM Context Name:null Actions:getConfiguredApplications)
        (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:* Actions:getApplicationPolicy)
        (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:SYSTEM Context Name:null Actions:*)
        (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:* Actions:*)
        (java.io.FilePermission file2.txt read)
        (java.io.FilePermission file2.txt write)
        (java.io.FilePermission file1.txt read)
        (java.util.PropertyPermission line.separator read)
        (java.util.PropertyPermission java.vm.specification.version read)
        (java.util.PropertyPermission java.vm.version read)
        (java.util.PropertyPermission java.vendor.url read)
        (java.util.PropertyPermission java.vm.specification.vendor read)
        (java.util.PropertyPermission java.vm.name read)
        (java.util.PropertyPermission os.name read)
        (java.util.PropertyPermission java.vm.vendor read)
        (java.util.PropertyPermission path.separator read)
        (java.util.PropertyPermission os.version read)
        (java.util.PropertyPermission java.specification.name read)
        (java.util.PropertyPermission os.arch read)
        (java.util.PropertyPermission java.version read)
        (java.util.PropertyPermission java.class.version read)
        (java.util.PropertyPermission java.vendor read)

  9. Use Oracle Authorization Policy Manager to search for configured security policies that contain the resource and resource type listed in the trace results (look for resourceName= and resourceType=). In the example shown in Step 8, you would search for configured security policies that contain the resource named ResourceNameX that is of the type TaskFlowResourceType.

    After identifying the relevant security policies using the "Finding Application Policies that Match Entitlements or Resources" procedure, it will be possible to identify the principals and actions granted in each of those configured security policies.

  10. Compare the security policies identified by the search in Step 9 against the relevant Failed ProtectionDomain strings in the trace results. Specifically, for each of the security policies, compare the granted actions and principals as follows:
    1. Ensure the action granted in the security policies is the same action listed for the Failed ProtectionDomain string in the trace results. In the example shown in Step 8, you would ensure the security policy is granting the read action (identified by Action:[read] in the trace).

      If the action for the Failed ProtectionDomain string is granted in the configured security policy, proceed to Step 10.b.

      If the action for the Failed ProtectionDomain string is not granted in the security policy, compare the action against all security policies identified by the search in Step 9.

    2. Ensure the principals granted in the security policies are the same principals listed for the Failed ProtectionDomain string (identified by Principals=).

      If the principals configured in the security policy are application roles or external roles and they are not listed in the Failed ProtectionDomain string, use Oracle Authorization Policy Manager to determine if the roles are mapped to the relevant user.

    Be sure to consult your organization's security policies and the Oracle Fusion Applications security reference manuals before altering any aspect of the configured security policies, as it is possible the user is intentionally unauthorized to access the particular functionality.

    Access the Oracle Fusion Applications security reference manuals in the Oracle Fusion Applications Technology Documentation Library.

    If both the actions and principals granted in the security policies are consistent with the authorization request (as identified in the trace), examine Oracle Platform Security Services' cache refresh setting by referring to the problem and solution described in the Inappropriate User Access After Enterprise Role Membership Removal: Check Refresh Intervals section.
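Steps 8 through 10 can be scripted so that the comparison of actions and principals is repeatable across traces. The following is an added example, not Oracle's code: it parses an abridged copy of the Step 8 trace and compares the failed request with a constructed list of grants standing in for the Step 9 search results (GRANTS and the role name admin_role in it are assumptions), reporting whether the action, the principals, or neither explains the denial.

```python
"""Added example (not Oracle's code): extract the failed authorization request
from a Selective Tracing result and compare it with policy grants the way
Steps 8 to 10 describe (action first, then principals)."""
import re

# Abridged copy of the Step 8 trace excerpt (GUID, DN and most permission lines trimmed).
TRACE = """PolicyContext: [JeeScenarioApp]
Resource/Target: [resourceType=TaskFlowResourceType,resourceName=ResourceNameX]
Action:[read]
Permission Class: [oracle.security.jps.ResourcePermission]
            Result:            [FAILED]
            Evaluator:         [ACC]
            FailedProtectionDomain:ClassLoader=weblogic.utils.classloaders.ChangeAwareClassLoader
                              Principals=total 5 of principals(
                               1. weblogic.security.principal.WLSUserImpl "user1"
                               2. JpsPrincipal:
oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl "authenticated-role"
                               3. JpsPrincipal:
oracle.security.jps.service.policystore.ApplicationRole "basic_role1"
                               4. JpsPrincipal:
oracle.security.jps.service.policystore.ApplicationRole "myrole2"
                               5. JpsPrincipal:
oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl "anonymous-role")
                              Permissions=(
                               (java.io.FilePermission file1.txt read))
"""

# Constructed stand-in for what an Authorization Policy Manager search (Step 9)
# would list for the resource: which principals are granted which actions.
GRANTS = [
    {"resource_type": "TaskFlowResourceType", "resource_name": "ResourceNameX",
     "actions": {"write"}, "principals": {"basic_role1"}},
    {"resource_type": "TaskFlowResourceType", "resource_name": "ResourceNameX",
     "actions": {"read"}, "principals": {"admin_role"}},
]

# A principal entry is a fully qualified class name followed by the quoted name.
PRINCIPAL = re.compile(r'([\w.]+)\s+"([^"]+)"')


def parse_failed_request(trace):
    """Pull resource, action, result and the principal set out of one trace entry."""
    target = re.search(r"resourceType=([^,\]]+),resourceName=([^\]]+)\]", trace)
    action = re.search(r"Action:\s*\[([^\]]+)\]", trace)
    result = re.search(r"Result:\s*\[(\w+)\]", trace)
    if not (target and action and result):
        raise ValueError("trace entry lacks Resource/Target, Action or Result")
    block = ""
    if "Principals=" in trace:
        block = trace.split("Principals=", 1)[1].split("Permissions=", 1)[0]
    return {"resource_type": target.group(1), "resource_name": target.group(2),
            "action": action.group(1), "result": result.group(1),
            "principals": {name: cls for cls, name in PRINCIPAL.findall(block)}}


def explain_denial(req, grants):
    """Step 10: for each grant on the resource, compare the action, then the principals."""
    if req["result"] != "FAILED":
        return {"verdict": "not-a-denial", "details": []}
    relevant = [g for g in grants if (g["resource_type"], g["resource_name"])
                == (req["resource_type"], req["resource_name"])]
    if not relevant:
        return {"verdict": "no-policy", "details": [
            "no policy grants any action on %s/%s" % (req["resource_type"], req["resource_name"])]}
    verdict, details = "action-mismatch", []
    for g in relevant:
        who = ", ".join(sorted(g["principals"]))
        if req["action"] not in g["actions"]:  # Step 10.a
            details.append("grant to %s allows %s, not %s (Step 10.a)"
                           % (who, ", ".join(sorted(g["actions"])), req["action"]))
            continue
        held = g["principals"] & set(req["principals"])  # Step 10.b
        if held:
            details.append("grant to %s allows %s and the request carries %s; policy is "
                           "consistent, check the policy store cache refresh"
                           % (who, req["action"], ", ".join(sorted(held))))
            verdict = "consistent-check-cache"
        else:
            details.append("grant allows %s but only to %s, none of which the request carries; "
                           "check the role mapping for the user (Step 10.b)" % (req["action"], who))
            if verdict == "action-mismatch":
                verdict = "principal-mismatch"
    return {"verdict": verdict, "details": details}


if __name__ == "__main__":
    request = parse_failed_request(TRACE)
    for line in explain_denial(request, GRANTS)["details"]:
        print(line)
```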

20.2.3 Edit Logging Level

One way to change the log level is to edit the logging.xml file in each server directory of the Oracle Identity Management domain, such as OAM_Server1, OIM_Server1, and SOA, and set level='SEVERE' (or whichever level you want) for all log_handlers and loggers. The path to each logging.xml file will resemble:
DOMAIN_HOME/config/fmwconfig/<servername>

20.3 Problems and Solutions for Missing or Incorrect Data

This section describes problems and solutions related to missing or incorrect data.

20.3.1 Data is Missing After Migrating or Patching the Policy Store: Use DSDataMigrator to Reconcile GUIDs

Problem

After migrating or patching the Oracle Platform Security Services policy store, data that was once available is now missing. This issue may be encountered after the policy store is:

  • Migrated from the baseline ("out-of-the-box") jazn-data.xml file policy store to an Oracle Internet Directory instance.

  • Migrated from one environment to another, such as moving from a test environment to a production environment.

  • Patched using Oracle Authorization Policy Manager.

The problem may be that the application role GUIDs in the Oracle Fusion Data Security repository are not identical to their corresponding application role GUIDs in the Oracle Platform Security Services policy store.

Solution

Run the oracle.apps.fnd.applcore.dataSecurity.util.DSDataMigrator java program to reconcile the application role GUIDs from the Oracle Platform Security Services policy store (which is the "source of truth" repository) to the Oracle Fusion Data Security repository.

20.3.1.1 Back Up the fnd_grants Table in Oracle Fusion Data Security Repository

The DSDataMigrator program modifies only the fnd_grants table, which is Virtual Private Database (VPD) enabled. Before running the program, as sys user, back up the existing fnd_grants table in the Oracle Fusion Data Security repository. For example:

$sqlplus sys as sysdba
 create table FUSION.FND_GRANTS_OLD as select * from FUSION.FND_GRANTS;

20.3.1.2 Run the DSDataMigrator Program

To run the oracle.apps.fnd.applcore.dataSecurity.util.DSDataMigrator java program, the following JAR files must be added to the classpath:

MW_HOME/ATGPF_HOME/atgpf/modules/oracle.applcore.model_11.1.1/Common-Model.jar
MW_HOME/ATGPF_HOME/atgpf/modules/oracle.applcore.model_11.1.1/DataSecurity-Model.jar
MW_HOME/oracle_common/modules/oracle.adf.model_11.1.1/adfm.jar
MW_HOME/oracle_common/modules/oracle.adf.share.ca_11.1.1/adf-share-ca.jar
MW_HOME/oracle_common/modules/oracle.adf.share.ca_11.1.1/adf-share-base.jar
MW_HOME/oracle_common/modules/oracle.adf.share_11.1.1/jsp-el-api.jar
MW_HOME/oracle_common/modules/oracle.adf.businesseditor_11.1.1/adf-businesseditor.jar
MW_HOME/oracle_common/modules/oracle.adf.share_11.1.1/adflogginghandler.jar
MW_HOME/oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar
MW_HOME/modules/javax.jsp_1.2.0.0_2-1.jar
MW_HOME/oracle_common/modules/oracle.mds_11.1.1/mdsrt.jar
MW_HOME/oracle_common/modules/oracle.javatools_11.1.1/resourcebundle.jar
MW_HOME/oracle_common/modules/oracle.javatools_11.1.1/javatools-nodeps.jar
MW_HOME/wlserver_10.3/server/ext/jdbc/oracle/11g/ojdbc5.jar

If the classpath is set in the shell, it is possible to run the program from the command line using only the necessary arguments.

The syntax to run the DSDataMigrator java program is:

java -classpath $CLASSPATH \
-Doracle.security.jps.config=Path_to_jps-config-jse.xml_file \
oracle.apps.fnd.applcore.dataSecurity.util.DSDataMigrator \
-dsdburl URL_to_Oracle_Fusion_Data_Security_repository \
-dsdbuser user_name_for_Oracle_Fusion_Data_Security_repository \
-silentMode [true | false] -forceProcessAllRows [true | false] \
-policyStripe [crm | fscm | hcm]

To see usage instructions, execute the following command:

java oracle.apps.fnd.applcore.dataSecurity.util.DSDataMigrator

Parameters:

The DSDataMigrator program supports the following parameters:

  • oracle.security.jps.config: Identifies the path to the jps-config-jse.xml file that the DSDataMigrator program will use. For example:

    COMMON_DOMAIN/config/fmwconfig/jps-config-jse.xml

    The jps-config-jse.xml file must have credentials for both the identity store and policy store—not just the policy store.

  • FND_DS_GUID_RECON_LOG_DIR: Identifies the output directory for the program's log. For example: -DFND_DS_GUID_RECON_LOG_DIR=/tmp

Arguments:

The DSDataMigrator program supports the following arguments:

  • silentMode: Set to true if you do not want exceptions to be raised when an entry is not found in the Oracle Platform Security Services policy store.

  • forceProcessAllRows: Set to true if you want to process all the rows in the policies table. By default, only rows where compile_flag=Y are processed.

  • policyStripe: Identifies the policy stripe to process. Valid values are: crm, fscm, and hcm. If the policyStripe argument is not specified, all policy stripes and identity store data security role policies are processed.

  • idStoreOnly: Set to true if you want to process only data security policies made to enterprise roles. If idStoreOnly is set to true, the policyStripe argument is ignored.

20.3.2 Administrator Search for Database Resources Returns No Results: Check Roles and Policies

A user with administrator privileges uses Oracle Authorization Policy Manager to search for database resources, but the search does not find any.

The problem may be that the data security policies that govern data security administration do not exist in the Oracle Fusion Data Security repository.

To troubleshoot this issue:

  1. Use Oracle Authorization Policy Manager to verify that the application roles listed below are mapped to the external roles of the user performing the search. For details, search the Oracle Applications Help for Managing Policy Objects.

    • APM_CRM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_HCM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_FSCM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_FND_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    If the application roles are mapped to the external roles of the user performing the search, go to Step 2.

    If the application roles are not mapped to the external roles of the user performing the search, use Oracle Authorization Policy Manager to map them to the user's external roles and then go to Step 2.
  2. Determine whether data security policies that govern data security administration exist in the Oracle Fusion Data Security repository. Log in to Oracle Authorization Policy Manager as a user with the Application Developer external role and search for the following roles. Ensure that data security policies for the roles exist on the FND_OBJECTS object and that the policies have not expired.

    • APM_CRM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_HCM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_FSCM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_FND_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    If the policies do not exist in the Oracle Fusion Data Security repository, use Oracle Fusion Functional Setup Manager to upload the Applications Core data security seed data to the Oracle Fusion Data Security repository.

20.3.3 Data is Missing or Incorrect in a Portlet: Check User Sessions

Problem

After logging in to an Oracle Fusion Applications portlet, the data the user expects to see is missing or incorrect.

The problem may be the following:

  • The application user session was not propagated to the portlet.

  • The application user session was not created using the portlet's application stripe and Applications Core did not compute the application roles for the portlet's application stripe.

Solution

To troubleshoot this situation, perform the following steps:

  1. Log out of the portlet, and then log in again.
  2. Execute the following diagnostic tests:
    • Data Security Configuration

    • Data Security Configuration with Application User Session Prerequisite

    • Data Security Run Time

    • Data Security Run Time with Application User Session Prerequisite

20.4 Problems and Solutions for Accessing Functionality

This section describes problems and solutions related to accessing functionality.

20.4.1 Inappropriate User Access After Enterprise Role Membership Removal: Check Refresh Intervals

Problem

After removing an enterprise role's membership to an application role using Oracle Authorization Policy Manager, access to the application is still being granted.

Oracle Platform Security Services optimizes the authorization process by caching security artifacts. When an application policy (or some other security artifact) is modified, when the change becomes effective depends on where the application and the tool used to modify the artifact (Oracle Authorization Policy Manager in this case) are running.

If the application and the tool (Oracle Authorization Policy Manager) are running on different hosts or in different domains, the change becomes effective after the policy store cache is refreshed. The frequency of the cache refresh is determined by the value of the Refresh Polling Time (secs) parameter in Fusion Middleware Control.

Depending on the configuration, access to the application may have been granted (despite the removal of the enterprise role membership to the application role) because the Oracle Platform Security Services cache was not refreshed before the application was accessed.

Refer to the Caching and Refreshing the Cache section in the Oracle Fusion Middleware Applications Security Guide for more information about authorization behavior relating to the Oracle Platform Security Services cache.

Solution

To examine the refresh interval for Oracle Platform Security Services' cache, perform the following steps:

  1. Log in to Fusion Applications Control as follows:

    1. Log in to Oracle Enterprise Manager Cloud Control.

    2. From the Targets drop-down, select Middleware, to display the Middleware page.

    3. From the Middleware Features drop-down, select Identity and Access, to get to the Identity and Access Dashboard.

    4. Select an OID instance from the Oracle Internet Directory table, to get to the appropriate OID instance page.

    5. In the OID instance page, from the Oracle Internet Directory pull-down select Fusion Middleware Control.

    6. Log in to the control.

  2. Click the name of the appropriate domain in the target navigation pane on the left side of the screen.

  3. Select Security and Security Provider Configuration from the domain menu at the top of the screen. The Security Provider Configuration screen appears.

  4. Select the Policy Store Credential Store Keystore entry in the Security Stores table and click Edit. The Edit Security Provider Configuration screen appears.

  5. Examine the value set for the Refresh Polling Time (secs) parameter.

  6. Wait for the amount of time specified by the Refresh Polling Time (secs) parameter to elapse, then retry the use case. This will ensure that the policy store cache has been refreshed and any recent changes to policies are effective.

20.4.2 Newly Created User Does Not Have Correct Access to Oracle Fusion Applications: Check Various Causes and Solutions

After creating a new user and external role using Oracle Fusion Human Capital Management, then granting duty roles to that user using Oracle Authorization Policy Manager, the user cannot log in and perform its granted duties.

The problem may be:

20.4.2.1 User Does Not Exist: Verify if User is in the Identity Store

To verify the user exists in the identity store, use Oracle Directory Services Manager to examine the container in the identity store where users are stored, such as cn=users,dc=us,dc=oracle,dc=com. Refer to the following for more information about examining identity store containers.

If Oracle Internet Directory is the identity store, refer to the following sections in the Oracle Internet Directory Administrator's Guide using this sequence:

  1. Invoking Oracle Directory Services Manager

  2. Connecting to the Server from Oracle Directory Services Manager

  3. Displaying Entries by Using Oracle Directory Services Manager

If Oracle Virtual Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory using this sequence:

  1. Invoking Oracle Directory Services Manager

  2. Connecting to the Server from Oracle Directory Services Manager

  3. Viewing Oracle Virtual Directory Entries

20.4.2.2 A Cache Has Not Been Refreshed: Check Caches

To troubleshoot the Oracle Internet Directory Authenticator's cache and Oracle Platform Security Services' cache, perform the following steps:

  1. Examine the Oracle Internet Directory Authenticator's cache settings by referring to Verify the Security Providers in the Oracle WebLogic Server Domain.

  2. Examine Oracle Platform Security Services' cache refresh setting by referring to the problem and solution described in Inappropriate User Access After Enterprise Role Membership Removal: Check Refresh Intervals.

Wait for the caches to be refreshed before retrying any failed task or operation.

20.4.3 After Logging Out, Access to a Secured Resource is Granted Without Logging in: Check Various Causes and Solutions

After logging out of a resource secured by Oracle Access Manager and then attempting to access a different secured resource, access is granted without a login page appearing.

Oracle Platform Security Services manages logouts for Oracle Fusion Applications by providing the configured logout URL (typically the Oracle Access Manager logout URL) to Oracle Application Development Framework for redirection. Oracle Access Manager then sets the session status to logged out.

The problem may be:

20.4.3.1 User Session Was Not Removed During Logout: Check Cookies and Session Management

Perform either of the following steps to determine whether Oracle Access Manager's user session was removed during logout:

  • Examine the cookies in the user's browser. Oracle Access Manager's OAM_ID session cookie should not be present, as it gets deleted from the browser upon logout.

  • Use the Oracle Access Manager Administration Console's Session Management functionality to examine the active sessions. Search on the user to see if any of its sessions are active.

    Refer to the Logging In to the Oracle Access Manager Console and Managing Active User Sessions sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

20.4.3.2 Oracle Platform Security Services Not Configured with Correct URL: Verify Settings

To verify Oracle Platform Security Services is configured with the correct Oracle Access Manager logout URL:

  1. Log in to Fusion Applications Control as follows:

    1. Log in to Oracle Enterprise Manager Cloud Control.

    2. From the Targets drop-down, select Middleware, to display the Middleware page.

    3. From the Middleware Features drop-down, select Identity and Access, to get to the Identity and Access Dashboard.

    4. Select an OID instance from the Oracle Internet Directory table, to get to the appropriate OID instance page.

    5. In the OID instance page, from the Oracle Internet Directory pull-down select Fusion Middleware Control.

    6. Log in to the control.

  2. Select the appropriate domain from the target navigation pane or the content pane.

  3. Select Security > Security Provider Configuration from the domain menu. The Security Provider Configuration page appears.

  4. Expand the Single Sign-On Provider area if it is not already expanded and click the Configure button. The Single Sign-On Provider page appears.

  5. Select the Configure Single Sign-on option. All settings on the Single Sign-On Provider page are invisible until you select the Configure Single Sign-on option.

  6. Examine the value set in the Logout URL field.

20.4.4 Authenticated User Gets Unexpected Page when Accessing a Different Secured Resource: Check Cookies

After successfully logging in to and working on a resource secured by Oracle Access Manager and then attempting to access a different secured resource, an unexpected page, such as Not Authorized, blank (empty), corrupted, or 500 error, appears.

The problem may be that Oracle Access Manager's OAMAuthnCookie_<host:port>_<random number> and OAM_ID cookies are not in the user's browser. Both are encrypted, session-based single sign-on cookies generated by the Oracle Access Manager Access Server when a user authenticates successfully.

20.4.4.1 Verify Cookies in User's Browser

To verify Oracle Access Manager's OAMAuthnCookie_<host:port>_<random number> and OAM_ID cookies are in your browser:

  1. Display the cookies in your browser.
  2. Locate Oracle Access Manager's OAMAuthnCookie_<host:port>_<random number> and OAM_ID session cookies.

If the OAMAuthnCookie_<host:port>_<random number> and OAM_ID cookies are not in the user's browser:

  • Examine the browser's security settings, as they may be restrictive enough to prevent cookies from being accepted.

  • Add the Oracle Fusion application's domain to the browser's exception list.

20.4.5 Support Representative Cannot Impersonate an Oracle Fusion Applications User: Check Privileges

If a Support representative attempts to log in to a resource secured by Oracle Access Manager and impersonate an Oracle Fusion Applications user but cannot do so, the problem may be that the user to be impersonated has not granted the privilege to be impersonated, or that the privilege has expired.

To verify that the user has granted the privilege to be impersonated and that the privilege is active:

  1. Use Oracle Directory Services Manager to locate the account of the user to be impersonated in the identity store. Look in the container where users are stored, such as cn=users,dc=us,dc=oracle,dc=com.

    Refer to the following for more information about examining identity store containers.

    If Oracle Internet Directory is the identity store, refer to the following sections in the Oracle Internet Directory Administrator's Guide using this sequence:

    1. Invoking Oracle Directory Services Manager

    2. Connecting to the Server from Oracle Directory Services Manager

    3. Displaying Entries by Using Oracle Directory Services Manager

    If Oracle Virtual Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory using this sequence:

    1. Invoking Oracle Directory Services Manager

    2. Connecting to the Server from Oracle Directory Services Manager

    3. Viewing Oracle Virtual Directory Entries

  2. Verify the user has granted the privilege to be impersonated by examining the user's account for the orclImpersonationGrantee attribute.

    • If the user's account does not have the orclImpersonationGrantee attribute, the user has not granted the privilege to be impersonated.

    • If the user's account has the orclImpersonationGrantee attribute, ensure the privilege has not expired. The orclImpersonationGrantee attribute will be in a format such as:

      EEA958988E344BF49740CF00DF9B0421|20110124170000Z|20110124180000Z
      
      • EEA958988E344BF49740CF00DF9B0421 is the GUID of the impersonator.

      • 20110124170000Z is the time at which impersonation can begin.

      • 20110124180000Z is the time at which the impersonation privilege expires.

      The date strings in the orclImpersonationGrantee attribute use the Coordinated Universal Time (UTC) standard and are of the form: yyyyMMddHHmmss'Z'
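The following Python is an added example (not Oracle's code) that parses an orclImpersonationGrantee value in the layout shown above and reports whether a given impersonator's grant is active at a given instant. It assumes only the GUID|start|end layout and the yyyyMMddHHmmss'Z' UTC timestamps described in this section; treating the attribute as possibly multi-valued and the end timestamp as exclusive are assumptions of the example, and the sample value is the one printed above.

```python
"""Evaluate orclImpersonationGrantee values (added example, not Oracle's code).

Assumes the documented layout: <impersonator GUID>|<start>|<end>, with both
timestamps in UTC as yyyyMMddHHmmss'Z'. Treating the attribute as possibly
multi-valued, and the end timestamp as exclusive, are assumptions here.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

GUID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
TIME_FMT = "%Y%m%d%H%M%SZ"          # literal 'Z' suffix; the value is UTC


@dataclass(frozen=True)
class ImpersonationGrant:
    impersonator_guid: str
    not_before: datetime
    not_after: datetime


def parse_utc(stamp: str) -> datetime:
    """Parse yyyyMMddHHmmssZ into an aware UTC datetime; ValueError if malformed."""
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_grant(value: str) -> ImpersonationGrant:
    """Split one attribute value into its three fields and validate each."""
    fields = value.strip().split("|")
    if len(fields) != 3:
        raise ValueError(f"expected 3 '|'-separated fields, got {len(fields)}: {value!r}")
    guid, start, end = fields
    if not GUID_RE.match(guid):
        raise ValueError(f"impersonator GUID is not 32 hex digits: {guid!r}")
    not_before, not_after = parse_utc(start), parse_utc(end)
    if not_after <= not_before:
        raise ValueError(f"expiration {end} is not after start {start}")
    return ImpersonationGrant(guid.upper(), not_before, not_after)


def grant_status(grant: ImpersonationGrant, impersonator_guid: str, now: datetime) -> str:
    """Classify one grant for one impersonator at instant 'now' (tz-aware)."""
    if grant.impersonator_guid != impersonator_guid.upper():
        return "wrong-impersonator"
    if now < grant.not_before:
        return "not-yet-active"
    if now >= grant.not_after:          # end timestamp treated as exclusive
        return "expired"
    return "active"


def check_entry(attribute_values, impersonator_guid: str, now: datetime) -> str:
    """Evaluate every orclImpersonationGrantee value read from a user entry.

    Returns "no-grant" when the attribute is absent. Otherwise any active grant
    wins; failing that, the most actionable status is reported in the order
    not-yet-active, expired, wrong-impersonator, malformed.
    """
    if not attribute_values:
        return "no-grant"
    statuses = []
    for value in attribute_values:
        try:
            statuses.append(grant_status(parse_grant(value), impersonator_guid, now))
        except ValueError:
            statuses.append("malformed")
    for status in ("active", "not-yet-active", "expired", "wrong-impersonator", "malformed"):
        if status in statuses:
            return status
    return "no-grant"


# Sample value from this section; the first field is the Support representative's GUID.
SAMPLE_VALUE = "EEA958988E344BF49740CF00DF9B0421|20110124170000Z|20110124180000Z"
SUPPORT_GUID = "EEA958988E344BF49740CF00DF9B0421"

if __name__ == "__main__":
    for when in ("20110124163000Z", "20110124173000Z", "20110124180000Z"):
        print(when, check_entry([SAMPLE_VALUE], SUPPORT_GUID, parse_utc(when)))
```

Feed check_entry the values read from the user's entry with Oracle Directory Services Manager (or an LDAP client) together with the Support representative's GUID; a result other than "active" names the reason impersonation is refused. Comparing against an aware UTC "now" rather than local time avoids a whole class of false "expired" results around time-zone boundaries.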

20.4.6 Unauthenticated User Gets Error Page when Accessing a Secured Resource: Check Various Causes and Solutions

While attempting to access a resource secured by Oracle Access Manager, an unauthenticated user gets an error page instead of the login page.

The problem may be:

20.4.6.1 Oracle HTTP Server Web Servers Not Running: Verify Status

To verify the Oracle HTTP Server Web servers front-ending the Oracle Fusion application are running, perform the following steps:

  1. Connect to a page provided by Oracle Identity Manager. If Oracle Identity Manager is front-ended by Oracle HTTP Server or a load balancer, use the following URL:
    http(s)://FRONTEND_HOST:FRONTEND_PORT/admin/faces/pages/accountlocked.jspx
    

    If Oracle Identity Manager is not front-ended by Oracle HTTP Server or a load balancer, use the following URL:

    http(s)://OIM_MANAGED_SERVER_HOST:PORT/admin/faces/pages/accountlocked.jspx
    
  2. Connect to any public page provided by an Oracle Fusion application through Oracle HTTP Server. For example:
    http(s)://ORACLE_HTTP_SERVER_FRONTEND_HOST:PORT/fa/app/index.jsp
    

If you cannot access a page in an Oracle HTTP Server front-ending configuration, use Fusion Applications Control to examine the WebLogic Host and WebLogic Port settings for the Oracle HTTP Server's mod_wl_ohs module. Refer to the Configuring the mod_wl_ohs Module section in the Administrator's Guide for Oracle HTTP Server for more information.

20.4.6.2 Managed Servers or Oracle Access Manager Services Not Running: Verify Status

To verify the Managed Servers where Oracle Access Manager is deployed and the requisite Oracle Access Manager services are running, perform the following steps:

  1. Verify the Managed Servers where Oracle Access Manager is deployed are running by performing the following steps:

    1. Log in to the Oracle WebLogic Server Administration Console by referring to the Starting the Administration Console section in the Oracle Fusion Middleware Introduction to Oracle WebLogic Server document.

    2. Click Servers in the Environment section on the Home page. The Summary of Servers page appears.

    3. Click the Configuration tab. A table containing a summary of each server in the domain appears.

    4. Examine the State and Health columns for the Managed Servers where Oracle Access Manager is deployed.

  2. Verify the HTTP port is open by attempting to connect to it. If Oracle Access Manager is front-ended by Oracle HTTP Server or a load balancer, enter the following URL into a web browser:

    http://ORACLE_HTTP_SERVER-or-LOAD_BALANCER_HOST:PORT/oam/pages/logout.jsp
    

    If Oracle Access Manager is not front-ended, enter the following URL into a web browser:

    http://MANAGED_SERVER_HOST:PORT/oam/pages/logout.jsp
    
  3. Verify Oracle Access Manager authentication is functioning properly by accessing any resource secured by Oracle Access Manager. For example, log in to the Oracle Access Manager Administration Console by referring to the Logging In to the Oracle Access Manager Console section in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
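The checks in 20.4.6.1 and 20.4.6.2 can be scripted. The Python below is an added example, not Oracle's code: it probes a public page through the front end, the OAM logout page, and one protected resource, and classifies each answer without following redirects, because a redirect to the login page is itself the evidence that OAM is intercepting the request. It assumes the URL paths shown in this section, that an OAM-protected resource answers an unauthenticated request with a 3xx redirect, and that a 5xx from the front end with a dead back end points at mod_wl_ohs; host names are placeholders, and the local server in run_local_demo() is a constructed stand-in so the example runs offline.

```python
"""HTTP-level checks for the verifications in 20.4.6 (added example, not Oracle's code).

Assumptions: the URL paths are the ones shown in this section; an OAM-protected
resource answers an unauthenticated request with a redirect (3xx) to the login
page; host names are placeholders. The local server in run_local_demo() is a
constructed stand-in so the example runs offline.
"""
import http.server
import socket
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ProbeResult:
    url: str
    outcome: str            # "ok" | "redirect" | "http-error" | "unreachable"
    status: Optional[int]
    detail: str             # reason phrase, Location header, or socket error


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the OAM login page is the evidence we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 5.0) -> ProbeResult:
    """GET url once and classify the result without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ProbeResult(url, "ok", resp.status, resp.reason)
    except urllib.error.HTTPError as err:            # 3xx and 4xx/5xx both land here
        if 300 <= err.code < 400:
            return ProbeResult(url, "redirect", err.code, err.headers.get("Location", ""))
        return ProbeResult(url, "http-error", err.code, err.reason)
    except (urllib.error.URLError, OSError) as err:  # refused, DNS failure, timeout
        return ProbeResult(url, "unreachable", None, str(getattr(err, "reason", err)))


def findings(public_page: ProbeResult, oam_logout: ProbeResult, protected: ProbeResult):
    """Map the three probes onto the checks of 20.4.6.1 and 20.4.6.2."""
    notes = []
    if public_page.outcome == "unreachable":
        notes.append("front end unreachable: verify Oracle HTTP Server is running (20.4.6.1)")
    elif public_page.outcome == "http-error":
        # OHS answering 5xx while WebLogic is unreachable is the mod_wl_ohs symptom (assumption).
        notes.append(f"front end answered {public_page.status}: check mod_wl_ohs WebLogic Host/Port (20.4.6.1)")
    if oam_logout.outcome != "ok":
        notes.append("/oam/pages/logout.jsp not served: verify the OAM Managed Servers (20.4.6.2)")
    if protected.outcome == "ok":
        notes.append("protected resource served without a login redirect: OAM is not protecting it")
    elif protected.outcome != "redirect":
        notes.append(f"protected resource returned {protected.outcome}: authentication path is broken")
    return notes


class _FakeFrontEnd(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for OHS + OAM: a public page, the OAM logout page, one protected path."""
    def do_GET(self):
        if self.path in ("/fa/app/index.jsp", "/oam/pages/logout.jsp"):
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/protected/":
            self.send_response(302)
            self.send_header("Location", "/oam/login")   # constructed login URL
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):      # keep the demo quiet
        pass


def run_local_demo() -> Dict[str, ProbeResult]:
    """Run the probes against the fake front end and against a closed port."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeFrontEnd)
    base = f"http://127.0.0.1:{server.server_address[1]}"
    threading.Thread(target=server.serve_forever, daemon=True).start()
    with socket.socket() as s:         # find a port nobody listens on: a stopped OHS
        s.bind(("127.0.0.1", 0))
        dead_port = s.getsockname()[1]
    try:
        return {
            "public_page": probe(base + "/fa/app/index.jsp"),
            "oam_logout": probe(base + "/oam/pages/logout.jsp"),
            "protected": probe(base + "/protected/"),
            "ohs_down": probe(f"http://127.0.0.1:{dead_port}/fa/app/index.jsp", timeout=2),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    results = run_local_demo()
    for name, r in results.items():
        print(f"{name:12} {r.outcome:12} {r.status} {r.detail}")
    print(findings(results["ohs_down"], results["oam_logout"], results["protected"]))
```

Against a real environment, call probe() with the front-end, OAM and protected-resource URLs from steps 1 through 3 and pass the three results to findings(). The distinction the example preserves, a refused connection versus an HTTP error versus a redirect, is exactly the one that separates "OHS is down" from "OHS is up but cannot reach WebLogic" from "everything is up and OAM is doing its job".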

20.5 Problems and Solutions for Managing Users

This section describes problems and solutions related to managing users. This section contains the following topic:

20.5.1 Oracle Fusion Human Capital Management Requests to Assign Roles to Users Fail: Verify User in Internet Directory Store

If Oracle Fusion Human Capital Management makes a request to assign a role to a user, but the role assignment fails, the problem may be the user exists in Oracle Identity Manager, but does not exist in the Oracle Internet Directory identity store.

To troubleshoot this situation, perform the following step:

  1. Verify the user does not exist in Oracle Internet Directory by using Oracle Directory Services Manager to examine the container where users are stored, such as cn=users,dc=us,dc=oracle,dc=com.

    Refer to the Displaying Entries by Using Oracle Directory Services Manager or the Searching for Entries by Using Oracle Directory Services Manager sections in the Oracle Internet Directory Administrator's Guide for more information.

20.6 Problems and Solutions for Managing Roles

This section describes problems and solutions related to managing roles. This section contains the following topics:

20.6.1 Cannot See the Function Security Policies for an External Role: Check Various Causes and Solutions

The function security policies for a particular external role cannot be seen using Oracle Authorization Policy Manager.

The problem may be:

20.6.1.1 Oracle Internet Directory Not Indexing displayName Attribute: Verify Configuration

If Oracle Internet Directory is being used as the identity store, it may not be configured to index the displayName attribute. If Oracle Internet Directory is not indexing the displayName attribute, Oracle Authorization Policy Manager cannot retrieve the role during a search.

Verify that the Oracle Internet Directory identity store is configured to index the displayName attribute.

20.6.1.2 Oracle Internet Directory Authenticator Not Configured Correctly: Verify Connection Settings

The Oracle Internet Directory Authenticator in the Oracle WebLogic Server domain may not be configured with the correct connection settings for the Oracle Internet Directory instance. To verify them, refer to Verify the Security Providers in the Oracle WebLogic Server Domain.

20.6.1.3 External Role Not Provisioned: Examine Identity Store Containers to Verify

To verify the external role was provisioned into the identity store, use Oracle Directory Services Manager to examine the container in the identity store where external roles are stored, such as: cn=groups,dc=mycompany,dc=com.

  • If the external role does not exist in the identity store, use Oracle Fusion Human Capital Management to add it to the identity store.

  • If the external role exists in the identity store, verify the security providers in the Oracle WebLogic Server domain are configured in the correct order and with the correct JAAS Control Flags by referring to Verify the Security Providers in the Oracle WebLogic Server Domain.

Refer to the following for more information about examining identity store containers.

If Oracle Internet Directory is the identity store, refer to the following sections in the Oracle Internet Directory Administrator's Guide using the following sequence:

  1. Invoking Oracle Directory Services Manager

  2. Connecting to the Server from Oracle Directory Services Manager

  3. Displaying Entries by Using Oracle Directory Services Manager

If Oracle Virtual Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory using this sequence:

  1. Invoking Oracle Directory Services Manager

  2. Connecting to the Server from Oracle Directory Services Manager

  3. Viewing Oracle Virtual Directory Entries

20.6.1.4 Administrator Does Not Have Access: Check Settings for Delegated Administrator Role

If the administrator attempting to identify the function security policies is configured as a Delegated Administrator, verify the Delegated Administrator role has access to the appropriate application stripe.

20.6.1.5 Policy Store Does Not Have Correct Application Stripes: Verify Policy Stripes

The policy store may not have the correct application stripes. To verify whether it does:

  1. Identify the application stripes that were loaded into the policy store after the Oracle Fusion Applications environment was provisioned by referring to the Oracle Fusion Applications security reference manuals. You can access the Oracle Fusion Applications security reference manuals in the Oracle Fusion Applications Technology Documentation Library.

  2. Verify the application stripes identified in Step 1 exist in the policy store by performing the following steps:

    1. Log in to Oracle Authorization Policy Manager as a security administrator with the APMAdmin application role, which will allow you to see all application stripes in the policy store.

    2. Examine the Browse tab of the Navigation Panel, which lists all policy stripes in the policy store (because you are logged in as a security administrator with the APMAdmin application role).

20.6.1.6 External Role is Not Mapped to Correct Application Roles: Verify Mapping

To verify the external role is mapped to the correct application roles:

  1. Verify the application stripe that the application role is expected to be in exists in the policy store by performing the following steps:

    1. Determine which application stripe the application role is expected to be in by referring to the Oracle Fusion Applications security reference manuals. You can access the Oracle Fusion Applications security reference manuals in the Oracle Fusion Applications Technology Documentation Library.

    2. Log in to Oracle Authorization Policy Manager as a security administrator with the APMAdmin application role, which will allow you to see all application stripes in the policy store.

    3. Examine the Browse tab of the Navigation Panel, which lists all policy stripes in the policy store (because you are logged in as a security administrator with the APMAdmin application role). Verify the application stripe identified in Step 1.a exists in the policy store.

  2. Use Oracle Authorization Policy Manager to identify the application roles currently mapped to the external role. For details, search the Oracle Applications Help for Managing Policy Objects.

  3. Compare the application roles identified in Step 2 to the application roles listed for the external role in the Oracle Fusion Applications security reference manuals.

    If any application roles listed in the Oracle Fusion Applications security reference manuals are not mapped to the external role, use Oracle Authorization Policy Manager to see if they exist in the policy store.

    If the application roles exist in the policy store, use Oracle Authorization Policy Manager to map them to the external role.

    If the application roles do not exist in the policy store, use Oracle Authorization Policy Manager to create them. For details, search the Oracle Applications Help for Managing Application Roles.

20.6.1.7 Application Role Has No Policy Attached: Verify Policies

Verify the external role is mapped to an application role that has policy attached to it.

20.6.2 Cannot See the Data Security Policies for a Data Role: Check Various Causes and Solutions

Data security policies for a particular data role cannot be seen in Oracle Authorization Policy Manager.

The problem may be:

20.6.2.1 Oracle Internet Directory Not Indexing displayName Attribute: Verify Configuration

If Oracle Internet Directory is being used as the identity store, it may not be configured to index the displayName attribute. If Oracle Internet Directory is not indexing the displayName attribute, Oracle Authorization Policy Manager cannot retrieve the role during a search.

Verify that the Oracle Internet Directory identity store is configured to index the displayName attribute.

20.6.2.2 Oracle Internet Directory Authenticator Not Configured Correctly: Verify Connection Settings

To verify the Oracle Internet Directory Authenticator in the Oracle WebLogic Server domain is configured with the correct connection settings to the Oracle Internet Directory instance, refer to Verify the Security Providers in the Oracle WebLogic Server Domain.

20.6.2.3 User Searching for Data Security Policies Does Not Have Privileges to Do So: Verify

To verify the user searching for the data security policies has the privileges to do so, perform the solution described in Administrator Search for Database Resources Returns No Results: Check Roles and Policies.

20.6.2.4 Data Role Does Not Exist in Identity Store: Examine Identity Store Container to Verify

To verify the data role exists in the identity store, use Oracle Directory Services Manager to examine the container in the identity store where data roles are stored, such as cn=groups,dc=mycompany,dc=com. If the role does not exist in the identity store, an administrator should add it.

Refer to the following for more information about examining identity store containers.

If Oracle Internet Directory is the identity store, refer to the following sections in the Oracle Internet Directory Administrator's Guide using this sequence:

  1. Invoking Oracle Directory Services Manager

  2. Connecting to the Server from Oracle Directory Services Manager

  3. Displaying Entries by Using Oracle Directory Services Manager

If Oracle Virtual Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory using this sequence:

  1. Invoking Oracle Directory Services Manager

  2. Connecting to the Server from Oracle Directory Services Manager

  3. Viewing Oracle Virtual Directory Entries

20.6.2.5 Data Role Templates Did Not Create Policies for the Data Role: Verify

Data role templates may not have created data security policies for the data role. To verify whether they did:

  1. Use Oracle Authorization Policy Manager to perform a simple search for the data role using External Role as the object type.

  2. Select the data role in the search results and click the View button. Details about the data role appear.

  3. Click the Find Global Policies button. The Data Security Policies table appears and lists the data security policies attached to the data role. Examine the entries in the table to ensure the data role template created the appropriate data security policies.

20.6.2.6 Security Role GUIDs Not Synchronized: Use DSDataMigrator to Reconcile

The data security role GUIDs in the Oracle Fusion Data Security repository and the Oracle Platform Security Services policy store may not be synchronized.

To reconcile the data security role GUIDs in the Oracle Fusion Data Security repository and the Oracle Platform Security Services policy store, run the oracle.apps.fnd.applcore.dataSecurity.util.DSDataMigrator java program to reconcile the GUIDs. Refer to the solution in Data is Missing After Migrating or Patching the Policy Store: Use DSDataMigrator to Reconcile GUIDs for information about using this program.

20.6.3 Problems Mapping an Application Role to an External Role

While attempting to map an application role to an external role using Oracle Authorization Policy Manager, issues such as the following are encountered:

  • Either the external role or application role cannot be seen in Oracle Authorization Policy Manager.

  • The mapping succeeds in Oracle Authorization Policy Manager, but is activated after a delay.

The problem may be:

20.6.3.1 Oracle Internet Directory Not Indexing displayName Attribute: Verify

If Oracle Internet Directory is being used as the identity store, it may not be configured to index the displayName attribute. If Oracle Internet Directory is not indexing the displayName attribute, Oracle Authorization Policy Manager cannot retrieve the role during a search.

Verify that the Oracle Internet Directory identity store is configured to index the displayName attribute.

20.6.3.2 Configuration of Security Providers Is Incorrect: Verify

The security providers for the Oracle WebLogic Server domain may be configured incorrectly. Specifically, the order of providers, JAAS Control Flags, or connection settings to the Oracle Internet Directory instance may be incorrect. To troubleshoot the configuration of the security providers for the Oracle WebLogic Server domain, perform the steps in Verify the Security Providers in the Oracle WebLogic Server Domain and examine the:

  • Order of providers

  • JAAS Control Flags

  • Connection settings to the Oracle Internet Directory instance

20.6.3.3 Mapping Activated After a Delay: Consider Adjusting Cache Settings

If the mapping succeeds in Oracle Authorization Policy Manager but is activated only after a delay, the cache refresh settings for the Oracle Internet Directory Authenticator or for Oracle Platform Security Services may need to be adjusted. To troubleshoot those settings:

  1. Examine the Oracle Internet Directory Authenticator's cache settings by referring to Verify the Security Providers in the Oracle WebLogic Server Domain.

  2. Examine Oracle Platform Security Services' cache refresh setting by referring to the problem and solution described in Inappropriate User Access After Enterprise Role Membership Removal: Check Refresh Intervals of this section.

Wait for the caches to be refreshed before reattempting a failed task or operation.

20.6.4 Cannot See Application Role Hierarchies

Attempts to view application role hierarchies using Oracle Authorization Policy Manager fail.

The problem may be:

20.6.4.1 LDAP Authenticator Configured to Use Wrong Identity Store: Verify

To verify the identity store's LDAP Authenticator in the Oracle WebLogic Server domain is configured to use the correct identity store, refer to Verify the Security Providers in the Oracle WebLogic Server Domain and examine the connection settings configured for the identity store's LDAP Authenticator.

20.6.4.2 Administrator Trying to View Role Hierarchy from Wrong Role in the Interface: Verify

The administrator may be attempting to view the application role hierarchy from the wrong application role in the Oracle Authorization Policy Manager interface. Application roles frequently have similar names, such as roles that are qualified by region. Double-check that the intended application role is the one being used to display the role hierarchy.

20.6.4.3 Role Hierarchies Are Not Defined: Verify

Use Authorization Policy Manager to verify role hierarchies are defined.

20.6.5 Attempts to Add an Application Role to a Hierarchy Appear to Have No Effect

After using Oracle Authorization Policy Manager to add an application role to a hierarchy, no changes can be seen in the hierarchy.

The problem may be:

  • The application role already exists as a member of the hierarchy.

  • The incorrect application role was added to the hierarchy, or the correct application role was added to the incorrect hierarchy.

To verify the application role hierarchy:

  1. Use Authorization Policy Manager to display the application role hierarchy the role was intended for.

  2. Ensure that the application role does not already exist in the hierarchy.

  3. Ensure that when the application role was added to the hierarchy, the intended application role and the intended hierarchy were used. It is possible the intended application role was added to the incorrect hierarchy, or the incorrect application role was added to the intended hierarchy.

Refer to the Permission Inheritance and the Role Hierarchy section in the Oracle Fusion Middleware Applications Security Guide for information about rules for application role hierarchies.

20.6.6 Cannot Create Valid Data Roles Using Data Role Template

While attempting to create a data role using a data role template in Oracle Authorization Policy Manager, issues such as the following are encountered:

  • The data role is not created

  • The data role is created with a null displayName and description

The problem may be:

20.6.6.1 SQL Query in Dimensions Tab is Invalid: Troubleshoot

If the SQL query used in the Dimension tab of the template is invalid or returns no records, troubleshoot as follows:

  1. Review the SQL query and ensure the intended string was entered correctly.
  2. Review the SQL query and ensure it does not contain special characters, such as "," (comma), that are unsupported by the identity store. Role names must consist only of alphanumeric characters.
  3. Verify the database table referenced in the SQL query contains data (is not empty).

20.6.6.2 Oracle Authorization Policy Manager Application ID Lacks Privileges: Troubleshoot

The Oracle Authorization Policy Manager application ID used by the data role template may not have sufficient privileges to create the data role in the intended identity store container. To troubleshoot its privileges, perform the following steps on the identity store:

  1. Verify the cn=fusion_apps_apm_rgx_appid user exists in the cn=appidusers container.

    Refer to the following for more information about examining identity store containers.

    If Oracle Internet Directory is the identity store, refer to the following sections in the Oracle Internet Directory Administrator's Guide using this sequence:

    1. Invoking Oracle Directory Services Manager

    2. Connecting to the Server from Oracle Directory Services Manager

    3. Displaying Entries by Using Oracle Directory Services Manager

    If Oracle Virtual Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory using this sequence:

    1. Invoking Oracle Directory Services Manager

    2. Connecting to the Server from Oracle Directory Services Manager

    3. Viewing Oracle Virtual Directory Entries

  2. Verify the cn=fusion_apps_apm_rgx_appid group exists in the cn=appidgroups container.

  3. Identify all groups that the fusion_apps_apm_rgx_appid group is a member of, and then verify those groups have write permission to the container where enterprise roles are stored, such as cn=groups.

    If using Oracle Virtual Directory as the identity store, you must verify the groups' permissions in both Oracle Virtual Directory and the back-end (source) repositories.

  4. If using Oracle Virtual Directory as the identity store, verify that the ACLs for Oracle Virtual Directory and its back-end (source) data repositories are configured correctly.

    To focus the ACL verification, perform the following steps:

    1. Temporarily disable access control checking in Oracle Virtual Directory using Fusion Middleware Control. To disable access control checking, deselect (disable) the Enable Access Control Check option on Oracle Virtual Directory's Server Properties page.

      Refer to the Configuring Oracle Virtual Directory Server Properties Using Fusion Middleware Control section in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory for more information.

    2. Perform the steps to create the data role using a data role template.

      • If you can create the data role when Oracle Virtual Directory access control checking is disabled, the Oracle Virtual Directory ACLs are configured incorrectly.

        To isolate the error in the Oracle Virtual Directory ACLs, re-enable access control checking in Oracle Virtual Directory, set its logging to TRACE message type at level 32, try creating the data role using a data role template, and then examine Oracle Virtual Directory's log, which will now contain the result of each ACL test.

        Refer to the Setting the Level of Information Written to Log Files section and the Managing Log Files and Diagnostic Data section in the Administering Oracle Fusion Middleware for more information about Oracle Virtual Directory logging.

      • If it is not possible to create the data role when Oracle Virtual Directory access control checking is disabled, the error is not in the Oracle Virtual Directory ACLs and you should examine the ACLs in the back-end (source) data repositories by referring to their documentation.
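Step 3 above asks for every group that the application identity group belongs to, and a directory export is the easiest place to answer that reliably. The following Python script is an added example, not Oracle's code: it parses an LDIF export of the groups container and returns the groups whose membership lists a given DN. The suffix dc=example,dc=com, the group names and the LDIF text are constructed placeholders, and groups are assumed to record members in the uniquemember or member attribute.

```python
"""Added example, not Oracle's code: from an LDIF export of the groups
container, list the groups that the application identity group is a member
of (step 3 above), so their write permission on that container can then be
checked. The suffix dc=example,dc=com, the group names and the LDIF are
constructed placeholders; groups are assumed to hold members in the
uniquemember or member attribute."""
import base64

APPID_DN = "cn=fusion_apps_apm_rgx_appid,cn=appidgroups,dc=example,dc=com"

# Constructed LDIF, shaped like the output of an ldapsearch over
# cn=groups,dc=example,dc=com. It includes a base64-encoded value (::) and a
# folded line (continuation line starting with one space), both of which an
# LDAP server may emit and a naive line-by-line grep would miss.
SAMPLE_LDIF = f"""\
dn: cn=groups,dc=example,dc=com
objectclass: orclContainer

dn: cn=FusionRoleAdmins,cn=groups,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: {APPID_DN}
uniquemember: cn=orcladmin,cn=users,dc=example,dc=com

dn: cn=Auditors,cn=groups,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember:: {base64.b64encode(APPID_DN.encode()).decode()}

dn: cn=Readers,cn=groups,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=someone,cn=users,
 dc=example,dc=com
"""


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) entries. Folded lines and
    base64 values are handled; LDIF change records and URL (:<) values are not."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():               # a blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Comparison form: RDNs trimmed and lower-cased (escaped commas inside
    attribute values are not handled; the application identity DNs have none)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_containing(ldif_text, member_dn):
    """DNs of entries whose uniquemember or member attribute lists member_dn."""
    target = normalize_dn(member_dn)
    groups = []
    for dn, attrs in parse_ldif(ldif_text):
        members = attrs.get("uniquemember", []) + attrs.get("member", [])
        if any(normalize_dn(m) == target for m in members):
            groups.append(dn)
    return groups


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for group in groups_containing(source, APPID_DN):
        print(group)
```

Against a live directory, produce the input with an LDAP search over the groups container that returns only the membership attributes (for example, with the OpenLDAP client, `ldapsearch -x -H ldap://oidhost:3060 -D cn=orcladmin -W -b cn=groups,dc=example,dc=com "(objectclass=*)" uniquemember member > groups.ldif`; host, port and bind DN are assumptions) and pass the file as the first argument. The script answers only the membership half of step 3; whether each returned group has write permission on the container is then read from the directory's ACLs (in Oracle Internet Directory, the orclaci and orclentrylevelaci attributes of the container).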

20.6.6.3 Identity Store Problems: Troubleshoot

To troubleshoot the identity store, perform the following steps:

  • If using Oracle Internet Directory as the identity store:

    1. Verify Oracle Internet Directory is running.

      You can view the status of Oracle Internet Directory using Fusion Applications Control. After logging in to Fusion Applications Control, navigate to the Farm home page and examine the Identity and Access components within the Fusion Middleware section of the content pane.

      Refer to the Navigating within Fusion Applications Control section in the Oracle Fusion Applications Administrator's Guide for more information.

    2. Verify that the Oracle Internet Directory is configured to index the displayName attribute.

  • If using Oracle Virtual Directory as the identity store:

    1. Verify Oracle Virtual Directory is running.

      It is possible to view the status of Oracle Virtual Directory using Fusion Applications Control. After logging in to Fusion Applications Control, navigate to the Farm home page and view the Identity and Access components within the Fusion Middleware section of the content pane.

      Refer to the Navigating within Fusion Applications Control section in the Oracle Fusion Applications Administrator's Guide for more information.

    2. Verify the connectivity between Oracle Virtual Directory and its back-end (source) data repositories. Use Oracle Directory Services Manager's Client View Data Browser to view the directory tree. If Oracle Virtual Directory is not connected to a back-end repository, a message appears when the Data Browser attempts to connect to it.

      Refer to the following sections (in the listed sequence) in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory for more information about using Oracle Directory Services Manager's Client View Data Browser:

      1. Invoking Oracle Directory Services Manager

      2. Connecting to the Server from Oracle Directory Services Manager

      3. Viewing Oracle Virtual Directory Entries

20.7 Problems and Solutions for Managing Keystores and Certificates

This section describes problems and solutions for managing keystores and certificates. This section contains the following topics:

20.7.1 Key or Credential Store Error After an Application Invokes Web Service

After an Oracle Fusion application invokes a web service, a key store or credential store error such as the following appears:

  • WSM-00056: The key orakey is not retrieved

  • WSM-00256: The property "Keystore Sign Alias" is not set

The problem may be one of the following:

  • The alias for the signature key or encryption key in the Oracle WSM keystore configuration does not exist in the Oracle WSM keystore file.

  • The signature key, encryption key, or Oracle WSM keystore file password is not synchronized in the keystore file and the keystore configuration for Oracle WSM. That is, at least one of the passwords does not have identical values in both locations.

To resolve, perform the following:

20.7.1.1 Check if the Key Alias Exists in the Keystore File

To verify the alias for the signature key and encryption key in the Oracle WSM keystore configuration exist in the Oracle WSM keystore file, perform the following steps:

  1. Use Fusion Middleware Control to identify the alias for the signature key and encryption key in the Oracle WSM keystore configuration. Perform the procedure in the Configuring Keystores for Message Protection section in the Administering Web Services.

    To log in to Fusion Middleware Control, proceed as follows:

    1. Log in to Oracle Enterprise Manager Cloud Control.

    2. From the Targets drop-down, select Middleware, to display the Middleware page.

    3. From the Middleware Features drop-down, select Identity and Access, to get to the Identity and Access Dashboard.

    4. Select an OID instance from the Oracle Internet Directory table, to get to the appropriate OID instance page.

    5. In the OID instance page, from the Oracle Internet Directory pull-down select Fusion Middleware Control.

    6. Log in to the control.

  2. Verify the aliases identified in Step 1 exist in the Oracle WSM keystore file. Use the keytool -list command on the Oracle WSM keystore file to view its aliases. Refer to the keytool - Key and Certificate Management Tool document on the Java SE Technical Documentation Web site for more information about using keytool. You can access this document by searching for it on the Search Java SE Technical Documentation Web page at:

    http://download.oracle.com/javase/search.html

    • Ensure each alias is synchronized in both locations. If they are not, you can edit the alias in the Oracle WSM keystore configuration by performing the procedure in the Configuring Keystores for Message Protection section in the Administering Web Services. You can edit the alias in the Oracle WSM keystore file using the keytool -changealias command.

      Before editing an alias, be sure that doing so will not affect any other web service.

    • If the alias for the signature key or encryption key does not exist in the Oracle WSM keystore file, add it by referring to the Generating Private Keys and Creating the Java Keystore section in the Administering Web Services.

20.7.1.2 Check if Key Passwords are Synchronized

To ensure that the signature key, encryption key, and Oracle WSM keystore file passwords are each synchronized in the keystore file and the keystore configuration for Oracle WSM, perform the following steps:

  1. Use keytool to reset the passwords in the Oracle WSM keystore file. Because the passwords are not visible, resetting them is the only method to ensure that they have identical respective values in both locations.

    • Use the keytool -storepasswd command to reset the Oracle WSM keystore file password.

    • Use the keytool -keypasswd command to reset the signature key password and encryption key password.

  2. Use Fusion Middleware Control to reset the passwords in the Oracle WSM keystore configuration to the same respective values set in Step 1. Refer to the Configuring Keystores for Message Protection section in the Administering Web Services for more information.

    To log in to Fusion Middleware Control, proceed as follows:

    1. Log in to Oracle Enterprise Manager Cloud Control.

    2. From the Targets drop-down, select Middleware, to display the Middleware page.

    3. From the Middleware Features drop-down, select Identity and Access, to get to the Identity and Access Dashboard.

    4. Select an OID instance from the Oracle Internet Directory table, to get to the appropriate OID instance page.

    5. In the OID instance page, from the Oracle Internet Directory pull-down select Fusion Middleware Control.

    6. Log in to the control.

20.7.2 Trust Certificate Error After Application Invokes Web Service: Verify Trust Settings

After an Oracle Fusion application invokes a web service, a trust certificate error such as the following appears:

WSM-00138: The path to the certificate is invalid due to exception

The problem may be that the client is not configured correctly to trust the certificate that the web service advertises in its Web Services Description Language (WSDL), or that certificate's issuer.

To verify the client is configured to trust the web service's certificate advertised in the WSDL or its issuer:

  1. Verify the client keystore has either the public certificate of the web service or the public certificate of its issuer. Use the keytool -list command to identify the certificates in the client keystore. If either of the public certificates is missing from the client keystore, use the keytool -importcert command to add it.

    Refer to the keytool - Key and Certificate Management Tool document on the Java SE Technical Documentation Web site for more information about using keytool. You can access this document by searching for it on the Search Java SE Technical Documentation Web page at:

    http://download.oracle.com/javase/search.html

  2. Verify the value for the keystore.recipient.alias override property of the client Oracle WSM policy is identical to the alias of the trusted public certificate in the Oracle WSM keystore file. Refer to the Attaching Web Service Policies Permitting Overrides section of the Administering Web Services for more information.
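Sections 20.7.1.1, 20.7.1.2 and 20.7.2 all come down to the same two questions about the Oracle WSM keystore file: does each configured alias exist there with the right kind of entry, and have the passwords been reset so that they can be re-entered identically in the keystore configuration? The following Python script is an added example, not Oracle's or the JDK's own code: it parses the text that `keytool -list` prints, reports on the sign, encrypt and recipient aliases, and builds the keytool commands that reset the passwords. The keystore path, the environment variable name, the alias names and the sample listing are constructed placeholders.

```python
"""Added example, not Oracle's or the JDK's own code: reconcile the aliases
configured for Oracle WSM (sign alias, encrypt alias, keystore.recipient.alias)
with the entries actually present in a keystore file, using the text that
`keytool -list` prints (sections 20.7.1.1 and 20.7.2), and build the keytool
commands that reset the passwords for section 20.7.1.2. Keystore path,
environment variable name and alias names are placeholders."""
import subprocess

# Constructed sample of non-verbose `keytool -list` output; each entry is one
# "<alias>, <date>, <EntryType>," line followed by a fingerprint line. The
# date format varies with the JDK version and locale, hence the three forms.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

orakey, Jan 10, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:22:33
orasign, 10 Jan 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 44:55:66
payablesca, 10-Jan-2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 77:88:99
"""


def parse_keytool_list(output):
    """Map each alias (lower-cased: JKS aliases are case-insensitive) to its
    entry type. The date field may itself contain a comma, so the alias is
    taken as the first field and the entry type as the last."""
    entries = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.endswith("Entry,"):
            continue
        fields = [f.strip() for f in line.rstrip(",").split(",")]
        entries[fields[0].lower()] = fields[-1]
    return entries


def check_aliases(configured, listing_output, expected_type="PrivateKeyEntry"):
    """Return {alias: status}. Signing and decryption need the private key, so
    the sign and encrypt aliases must be PrivateKeyEntry; pass expected_type=None
    to accept any entry type (for example for keystore.recipient.alias)."""
    present = parse_keytool_list(listing_output)
    report = {}
    for alias in configured:
        kind = present.get(alias.lower())
        if kind is None:
            report[alias] = "missing"
        elif expected_type is not None and kind != expected_type:
            report[alias] = f"present but {kind}, expected {expected_type}"
        else:
            report[alias] = "ok"
    return report


def list_keystore(keystore_path, storepass_env="OWSM_STOREPASS"):
    """Run keytool -list, reading the store password from an environment
    variable (keytool's -storepass:env form) so it never appears in `ps`."""
    cmd = ["keytool", "-list", "-keystore", keystore_path,
           "-storepass:env", storepass_env]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def reset_password_commands(keystore_path, key_aliases):
    """keytool commands for section 20.7.1.2, in order: the store password
    first, then each key password. No password options are given, so keytool
    prompts for the old and new values instead of taking them from the command
    line; the same new values are then entered in Fusion Middleware Control."""
    cmds = [["keytool", "-storepasswd", "-keystore", keystore_path]]
    for alias in key_aliases:
        cmds.append(["keytool", "-keypasswd", "-alias", alias,
                     "-keystore", keystore_path])
    return cmds


if __name__ == "__main__":
    # Offline demonstration on the constructed listing; replace SAMPLE_LISTING
    # with list_keystore("/path/to/default-keystore.jks") against a real file.
    for alias, status in check_aliases(["orakey", "orasign", "orakey_enc"],
                                       SAMPLE_LISTING).items():
        print(f"{alias}: {status}")
    print(check_aliases(["payablesca"], SAMPLE_LISTING, expected_type=None))
    for cmd in reset_password_commands("/path/to/default-keystore.jks", ["orakey"]):
        print(" ".join(cmd))
```

The alias check goes one step beyond the text: an alias that exists only as a trustedCertEntry satisfies `keytool -list` but cannot sign or decrypt, so the sign and encrypt aliases are required to be private key entries while the recipient alias only has to be present. The password reset deliberately lets keytool prompt rather than passing old and new passwords as arguments, which would leave them in shell history and process listings.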

20.8 Problems and Solutions for Identity Propagation Using SAML

After an Oracle Fusion application attempts to propagate a user's identity by calling a different Oracle Fusion application using Oracle SOA, errors related to InvalidSecurityToken, FailedAuthentication, or the SAML assertion issuer appear.

The problem may be:

  • The SAML issuer name for the SAML token is not configured or is configured incorrectly.

  • The subject.precedence configuration override is set incorrectly.

20.8.1 Troubleshoot SAML Issuer Name Configuration

To troubleshoot the SAML issuer name configuration, verify the SAML Issuer Name the client is using is among the issuers configured on the Oracle WebLogic Server domain by performing the steps in the Adding an Additional SAML Assertion Issuer Name section of the Administering Web Services.

If the SAML Issuer Name that the client is using is not configured as an issuer in the Oracle WebLogic Server domain, Oracle recommends changing the issuer name on the client by updating its saml.issuer.name override to one of the issuers configured on the Oracle WebLogic Server domain.

If you cannot change the issuer name on the client, you can add its issuer name to the Oracle WebLogic Server domain by performing the steps in the Adding an Additional SAML Assertion Issuer Name section of the Administering Web Services.

20.8.2 Troubleshoot Subject Precedence Configuration Override

To troubleshoot the subject.precedence configuration override, perform the following steps:

  1. Set the subject.precedence override value in your current client policy to false to change the identity to a different user. By default, the subject.precedence override is set to true.

  2. Set the appropriate Credential Store Framework key override on the client policy that contains the user name and password of the user you want to send to the service. If an entry for this user does not exist in the Credential Store Framework, you must add it. Refer to the Adding Keys and User Credentials to the Credential Store section in the Administering Web Services for more information.

  3. Ensure the appropriate Web Services Identity Permission is set for the client application by performing the steps in the Configuring SAML Web Service Clients for Identity Switching section of the Administering Web Services.

20.9 Problems and Solutions for Logging in to Secured Resources

This section describes problems and solutions for logging in to secured resources. This section contains the following topics:

20.9.1 Incorrect Language Appears After Logging in to a Secured Resource: Check Cookies

While attempting to access a resource secured by Oracle Access Manager, a user changes the language preference on the login page. After logging in successfully, the secured resource appears in a language different from what the user selected on the login page.

The problem may be Oracle Access Manager's ORA_FUSION_PREFS cookie is not in the user's browser. The ORA_FUSION_PREFS cookie determines which language the secured resource appears in. After the user chooses a language preference on the login page and gets authenticated, Oracle Access Manager sends the ORA_FUSION_PREFS cookie to the user's browser.

Examine the cookies in the user's browser and try to locate the ORA_FUSION_PREFS cookie. If the ORA_FUSION_PREFS cookie is not in the user's browser:

  • Examine the browser's security settings; if they are set too high, they may be preventing cookies from being accepted.

  • Add the Oracle Fusion application's domain to the browser's exception list.

20.9.2 Login Page Unexpectedly Reappears (No Single Sign-On): Check Various Solutions

After successfully logging in to a resource secured by Oracle Access Manager, a login page unexpectedly reappears. Regardless if the reappearing login page is for Oracle Access Manager or Oracle Fusion Applications, a user may not expect to see it in a single sign-on environment.

The problem may be:

  • If the login page reappeared after attempting to access a different secured resource, the authentication level of the authentication scheme securing the subsequently accessed resource is greater (higher) than the authentication level of the authentication scheme securing the resource that was accessed first. In this situation, the reappearing login page is expected behavior.

  • The Oracle Access Manager server's Idle Timeout or Session Lifetime configuration parameters are set to a value that is too small. The Idle Timeout parameter specifies the amount of time, in minutes, that a user's authentication session remains valid without accessing a resource secured by Oracle Access Manager. The Session Lifetime parameter specifies the amount of time, in minutes, that a user's authentication session remains valid. For both parameters, the smaller the value, the more frequently users must re-authenticate.

  • Oracle Access Manager's ObSSOCookie and OAM_ID cookies are not in the user's browser. The ObSSOCookie and OAM_ID cookies are encrypted, single sign-on, session-based cookies generated by the Oracle Access Manager Access Server when a user authenticates successfully.

20.9.2.1 No SSO: Check Authentication Levels

To examine the authentication levels of the authentication schemes securing the resources, perform the following steps:

  1. Log in to the Oracle Access Manager Administration Console by referring to the Logging In to the Oracle Access Manager Console section in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  2. Identify the authentication policies securing the resources and the authentication schemes configured for those policies. You can reduce the number of policies to examine by first looking at the policies for the Host Identifier that the Webgate is using.

    Refer to the Searching for an Authentication Policy and Viewing or Editing an Authentication Policy sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management for more information.

  3. Identify the authentication level of each authentication scheme. Refer to the Viewing or Editing an Authentication Scheme section in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

    If the authentication level for the subsequently accessed resource is greater than that of the first accessed resource, the reappearing login page is the expected behavior.

20.9.2.2 No SSO: Check Idle Timeout and Session Lifetime Parameters

To verify the settings for the Idle Timeout and Session Lifetime configuration parameters, perform the following steps:

  1. Log in to the Oracle Access Manager Administration Console by referring to the Logging In to the Oracle Access Manager Console section in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  2. Verify the values configured for the Idle Timeout and Session Lifetime configuration parameters by referring to the Configuring User Session Lifecycle Settings section in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

20.9.2.3 No SSO: Check Cookies

To verify Oracle Access Manager's ObSSOCookie and OAM_ID cookies are in the user's browser:

  1. Display the cookies in the user's browser.

  2. Locate Oracle Access Manager's ObSSOCookie and OAM_ID session cookies.

If the ObSSOCookie and OAM_ID cookies are not in the user's browser:

  • Examine the browser's security settings; if they are set too high, they may be preventing cookies from being accepted.

  • Add the Oracle Fusion application's domain to the browser's exception list.

20.9.3 Cannot Access Forgotten Password Functionality from Login Page: Check Various Solutions

While attempting to access a resource secured by Oracle Access Manager, the Forgotten Password feature is inaccessible from the login page.

The problem may be:

  • Network issues are preventing a connection to Oracle Identity Manager.

  • Oracle Access Manager's configuration to Oracle Identity Manager's lost password functionality is incorrect.

20.9.3.1 Login Functionality: Ping the System

To test connectivity to Oracle Identity Manager, from the system hosting the Administration Server where Oracle Access Manager is deployed, ping the system hosting the Managed Server where Oracle Identity Manager is deployed.

20.9.3.2 Login Functionality: Verify Configurations

To verify Oracle Access Manager's configuration to Oracle Identity Manager's lost password functionality:

  1. Use a text editor to open the following file on the Administration Server for the domain where Oracle Access Manager is deployed:

    DOMAIN_HOME/config/fmwconfig/oam-config.xml

  2. Locate the <Setting Name="IdentityManagement" Type="htf:map"> entry.

  3. Examine the ServerConfiguration settings similar to those shown in Example 20-1 and verify the following values:

    • OIM-SERVER-1: Must be identical to the value of the same setting in the IdentityServiceProviderConfiguration entry described in Step 4.

    • If Oracle Identity Manager is front-ended by Oracle HTTP Server or a load balancer:

      • OIM_HOST: Fully-qualified host name of Oracle HTTP Server or load balancer.

      • OIM_PORT: The port for the Oracle HTTP Server or load balancer.

      • SecureMode: Set to true for connecting to Oracle Identity Manager over HTTPS, set to false for connecting over HTTP.

    • If Oracle Identity Manager is not front-ended:

      • OIM_HOST: Fully-qualified host name of the Managed Server where Oracle Identity Manager is deployed.

      • OIM_PORT: The port for the Managed Server where Oracle Identity Manager is deployed.

      • SecureMode: Set to true for connecting to Oracle Identity Manager over HTTPS, set to false for connecting over HTTP.

  4. Examine the IdentityServiceProviderConfiguration settings similar to those shown in Example 20-2 and verify the following values:

    • OIM-SERVER-1: Must be identical to the value of the same setting in the ServerConfiguration entry described in Step 3.

    • Confirm the following URL Settings are configured with the values shown in Example 20-2:

      • PasswordExpiredURL

      • ChallengeSetupNotDoneURL

      • ForcedPasswordChangeURL

      • AccountLockedURL

Example 20-1 ServerConfiguration Settings Within IdentityManagement Entry

<Setting Name="ServerConfiguration" Type="htf:map">
  <Setting Name="OIM-SERVER-1" Type="htf:map">
    <Setting Name="Host" Type="xsd:string">OIM_HOST</Setting>
    <Setting Name="Port" Type="xsd:integer">OIM_PORT</Setting>
    <Setting Name="SecureMode" Type="xsd:boolean">true|false</Setting>
  </Setting>
</Setting>

Example 20-2 IdentityServiceProviderConfiguration Settings Within IdentityManagement Entry

<Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
  <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
  <Setting Name="DateFormatPattern" Type="xsd:string">yyyy-MM-dd'T'HH:mm:ss'Z'</Setting>
  <Setting Name="PasswordExpiredURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
  <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
  <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
  <Setting Name="AccountLockedURL" Type="xsd:string">/admin/faces/pages/accountlocked.jspx</Setting>
</Setting>
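Steps 3 and 4 of section 20.9.3.2 are a cross-check between the two maps shown in Example 20-1 and Example 20-2, which is easy to get wrong by eye in a large oam-config.xml. The following Python script is an added example, not Oracle's code: it locates the IdentityManagement entry by the Name attribute of its Setting elements (so nothing is assumed about the nesting above it), confirms that IdentityManagementServer names a server defined under ServerConfiguration, validates that server's Host, Port and SecureMode values, and compares the four password-management URLs with Example 20-2. The sample XML, host name and port are constructed placeholders.

```python
"""Added example, not Oracle's code: consistency checks for the
IdentityManagement entry of oam-config.xml (steps 3 and 4 of section
20.9.3.2). Setting elements are found by their Name attribute, so the nesting
above that entry is not assumed; the sample XML, host name and port are
constructed placeholders."""
import sys
import xml.etree.ElementTree as ET

# URL settings that step 4 expects, taken from Example 20-2.
EXPECTED_URLS = {
    "PasswordExpiredURL": "/admin/faces/pages/pwdmgmt.jspx",
    "ChallengeSetupNotDoneURL": "/admin/faces/pages/pwdmgmt.jspx",
    "ForcedPasswordChangeURL": "/admin/faces/pages/pwdmgmt.jspx",
    "AccountLockedURL": "/admin/faces/pages/accountlocked.jspx",
}

# Constructed fragment shaped like Examples 20-1 and 20-2; the <Configuration>
# wrapper stands in for the rest of the file.
SAMPLE_OK = """<Configuration>
 <Setting Name="IdentityManagement" Type="htf:map">
  <Setting Name="ServerConfiguration" Type="htf:map">
   <Setting Name="OIM-SERVER-1" Type="htf:map">
    <Setting Name="Host" Type="xsd:string">oim.example.com</Setting>
    <Setting Name="Port" Type="xsd:integer">14000</Setting>
    <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
   </Setting>
  </Setting>
  <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
   <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
   <Setting Name="DateFormatPattern" Type="xsd:string">yyyy-MM-dd'T'HH:mm:ss'Z'</Setting>
   <Setting Name="PasswordExpiredURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
   <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
   <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
   <Setting Name="AccountLockedURL" Type="xsd:string">/admin/faces/pages/accountlocked.jspx</Setting>
  </Setting>
 </Setting>
</Configuration>
"""

# The same fragment with the two defects the steps are looking for: a server
# name that is not defined, and a wrong AccountLockedURL.
SAMPLE_BAD = SAMPLE_OK.replace(
    ">OIM-SERVER-1</Setting>", ">OIM-SERVER-2</Setting>").replace(
    "accountlocked.jspx", "pwdmgmt.jspx")


def setting(parent, name):
    """First <Setting> below parent with the given Name attribute, or None."""
    for elem in parent.iter("Setting"):
        if elem.get("Name") == name:
            return elem
    return None


def text_of(parent, name):
    elem = setting(parent, name)
    return elem.text.strip() if elem is not None and elem.text else None


def check_identity_management(xml_text, expected_host=None, expected_port=None):
    """Return a list of findings; an empty list means the entry passed."""
    findings = []
    root = ET.fromstring(xml_text)
    idm = setting(root, "IdentityManagement")
    if idm is None:
        return ["IdentityManagement entry not found"]
    servers = setting(idm, "ServerConfiguration")
    provider = setting(idm, "IdentityServiceProviderConfiguration")
    if servers is None or provider is None:
        return ["ServerConfiguration or IdentityServiceProviderConfiguration entry missing"]

    # Steps 3 and 4: the server the provider points at must be defined.
    defined = [s.get("Name") for s in servers.findall("Setting")]
    target = text_of(provider, "IdentityManagementServer")
    if target not in defined:
        findings.append(f"IdentityManagementServer {target!r} is not one of {defined}")
    else:
        server = setting(servers, target)
        host, port, secure = (text_of(server, n) for n in ("Host", "Port", "SecureMode"))
        if not host:
            findings.append(f"{target}: Host is empty")
        elif expected_host and host.lower() != expected_host.lower():
            findings.append(f"{target}: Host is {host!r}, expected {expected_host!r}")
        if not port or not port.isdigit():
            findings.append(f"{target}: Port {port!r} is not an integer")
        elif expected_port is not None and int(port) != expected_port:
            findings.append(f"{target}: Port is {port}, expected {expected_port}")
        if secure not in ("true", "false"):
            findings.append(f"{target}: SecureMode must be true or false, got {secure!r}")

    # Step 4: the password-management URLs must match Example 20-2.
    for name, expected in EXPECTED_URLS.items():
        actual = text_of(provider, name)
        if actual != expected:
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    # Pass the path to oam-config.xml as the first argument; with no argument
    # the defective constructed sample is checked instead.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    for finding in check_identity_management(source) or ["no findings"]:
        print(finding)
```

Pass expected_host and expected_port as the Oracle HTTP Server or load balancer values (front-ended) or the Oracle Identity Manager Managed Server values (not front-ended) from step 3 to have them compared as well; SecureMode is only checked for being a well-formed boolean, since whether it should be true depends on whether that endpoint is reached over HTTPS.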

20.10 Additional Information for Troubleshooting Oracle Identity Management

The following is a list of Oracle Identity Management documents that provide additional information and will help you troubleshoot IDM problems. Use these documents if you have isolated your problem to a specific Oracle Identity Management component or to learn more about a specific component.

A few of the documents in the following list do not contain explicit troubleshooting information, but are a source of information that will help during troubleshooting:

  • Troubleshooting Oracle Fusion Middleware appendix of the Administering Oracle Fusion Middleware

  • Troubleshooting Security in Oracle Fusion Middleware appendix in the Oracle Fusion Middleware Applications Security Guide

  • Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)

  • Troubleshooting Oracle Internet Directory appendix of the Oracle Internet Directory Administrator's Guide

  • Troubleshooting Oracle Virtual Directory appendix of the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

  • Troubleshooting appendix in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management

  • Oracle Fusion Middleware Administering Oracle Identity Manager

  • Oracle Fusion Middleware Administering Web Services