A Troubleshooting

This appendix contains the following topics:

Log Files
Error Messages and Other Problems
Increasing the Debug Level
Enabling the Debug Option in the Single Sign-On Database
Enabling LDAP Tracing for UI Operations
Managing Single Sign-On Audit Records
Refreshing the LDAP Connection Cache
Restarting OC4J After Modifying Oracle Internet Directory
Troubleshooting Replication
A Word About Non-GET Authentication
Need More Help?

A.1 Log Files

These OracleAS log files record data about single sign-on operations.

General log file for the single sign-on server:
```
ORACLE_HOME/sso/log/ssoServer.log
```
Usage Notes:

The single sign-on server writes all errors to this file. You can change the default location by editing ORACLE_HOME/sso/conf/policy.properties. You can also use this file to change the logging level.
Startup error log for single sign-on server:
```
ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1
```
Usage Notes:

This OC4J-generated file reports any errors that occur when the single sign-on server is started. Check the file for error messages if the opmnctl command hangs or if it reports errors on the command line when the OC4J_SECURITY instance is started.

Web application log:

ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/OC4J_SECURITY_default_island_1/application.log

Usage Notes:

This file reports run-time errors for OC4J applications.

OC4J servlet access log:
```
ORACLE_HOME/j2ee/OC4J_SECURITY/log/OC4J_SECURITY_default_island_1/default-web-access.log
```
Usage Notes:

Another OC4J-generated file. The file contains the servlet access logs for single sign-on. Check the file to determine whether the authentication request was received by the authentication servlet.
Error log for Oracle HTTP Server:
```
ORACLE_HOME/Apache/Apache/logs/error_log
```
Usage Notes:

If the Oracle HTTP Server is configured to rotate its log files, it appends a timestamp to these files. Use this timestamp to find the latest file.
Access log for Oracle HTTP Server:
```
ORACLE_HOME/Apache/Apache/logs/access_log
```
Usage Notes:

If the Oracle HTTP Server is configured to rotate its log files, it appends a timestamp to these files. Use this timestamp to find the latest file.

A.2 Error Messages and Other Problems

This section explains how to address error messages and other problems. It devotes sections to the following:

Basic Error Messages and Problems
Certificate Authentication
Password Policies
Type 41400 Errors

A.2.1 Basic Error Messages and Problems

Internal Server Error. Please contact administrator.

Cause: This error message usually appears when the single sign-on server is started incorrectly.

Action: Use the following sequence to solve the problem:

Verify that the single sign server was started correctly. To do this, examine the startup log file for errors.
If the file reports errors for the database or for Oracle Internet Directory, make sure that both are up and running before starting the single sign-on server. If you see the message SSOLoginServlet.init: SSO server started, the server has been started correctly.
Next, check ssoServer.log, the log file for the single sign-on server.
If the log file contains the error message NumberFormatException or a specific configuration parameter not found, check policy.properties for blank spaces. Remove spaces that occur at the end of the line containing the questionable configuration; then restart the OC4J_SECURITY instance:
```
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
```
If the file ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1 reports the error message Orion Launcher SSO Server initialization failed, do the following:
- Make sure that the database is available; then restart the single sign-on server:
```
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
```
- If the database is available, the problem may be the directory connection. Check the opmn log. If you see the error message that follows, run ssooconf.sql to ensure that directory access is properly configured in the single sign-on database.
```
java.lang.NumberFormatException: null
  at java.lang.Integer.parseInt(Integer.java:442)
  at java.lang.Integer.parseInt(Integer.java:524)
  at oracle.security.sso.server.conf.DatabaseConfigReader.
  setSSOServerConfig(DatabaseConfigReader.java:322)
```
To learn how to run ssooconf.sql, see "Changing Single Sign-On Server Settings for Directory Access" in Chapter 3.

Internal Server Error. Please try the operation later.: Cause: This error message appears when either the infrastructure database or Oracle Internet Directory is unavailable or is down.; Action: Check ssoServer.log for a detailed description of the message; then try restarting the database or the directory, depending upon what you find.

Unexpected Error. Please Contact Administrator.

Cause: This message may indicate a server-side error. The policy.properties file may be misconfigured, or Java classes may not be loaded. Another cause may be that the partner application is registered incorrectly.

Action: In the first case, check ssoServer.log for the actual error message. If this file does not contain the message, check the Oracle HTTP Server error log. In the second case, try to log in to the administration pages:

http://single_sign-on_host:single_sign-on_port/pls/orasso

Be sure to log in as orcladmin, not as cn=orcladmin. If you are able to log in, the problem is not with the server, but with the partner application registration or with the application itself.

File not found.

Cause: This message may appear when you try to access the single sign-on server.

Action: Perform two checks:

Check the Oracle HTTP Server error log.

If you find the message file not found, Apache is not delegating the authentication request to OC4J.

Check mod_oc4j.conf for single sign-on application mappings. The mount configuration Oc4jMount/sso OC4J_SECURITY should be present.
Check default-web-access.log to determine whether the authentication request was received by the servlet.

Forbidden. You don't have permission to access /pls/orasso/orasso.home on this server.

Cause: This message may appear when you try to access the single sign-on administration URL. Perhaps the password for the ORASSO schema was changed in the database, but not in the dads.conf file.

Action: Perform these steps:

Update ORACLE_HOME/Apache/modplsql/conf/dads.conf.

Restart the Oracle HTTP Server:

ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server

If the schema password is correct to begin with, check the Oracle HTTP Server error log for error messages.

Audit log insertion exception: ORA-00018: maximum number of sessions exceeded.: Cause: This message appears when the load on the single sign-on server is heavy. The number of database sessions required has exceeded the number specified in the init.ora file.; Action: Change the properties of the identity management infrastructure database. Specifically, increase the processes and sessions parameters to match anticipated load. Use a database-specific configuration file such as init.ora to make the change. init.ora is found at ORACLE_HOME/dbs.

Connection limit exceeded.: Cause: This is a variation of the message immediately preceding.; Action: The end user should retry the operation. Or the administrator can increase the connection limit.

Single Sign-On Administration UI is not working. The administrator sees a white page when clicking Login

Cause: This problem has three possible explanations:

Case 1: The PUBLIC user entry is missing from Oracle Internet Directory. Either that or the user nickname attribute was changed in the directory, but the new attribute was not added to the PUBLIC entry.
Case 2: The single sign-on server is configured with the wrong information for the directory.
Case 3: There may be installation problems, namely, a missing Enabler entry or faulty SSL registration.
Case 4: The directory DIT has changed and the single sign-on server has not been updated with the changes.

Action:

Case 1: Add the PUBLIC user entry under the user search base in the directory. If, instead, the user nickname attribute was changed, add the attribute to the PUBLIC user entry.
Case 2: Run ssooconf.sql to configure the single sign-on server with the correct directory information. To learn how to run the script, see "Changing Single Sign-On Server Settings for Directory Access" in Chapter 3.
Case 3: Run ssooconf.sql to update the single sign-on server with the enabler entry or to modify single sign-on URLs for SSL.
Case 4: Run ssoreoid.sql to update the single sign-on server with directory DIT changes.

Authentication Failed.

Cause: The user's password is incorrect, or the server does not have the permissions necessary to authenticate the user.

Action:

Try binding to the directory as the user, making sure that the user DN corresponds to the appropriate realm:
```
ORACLE_HOME/bin/ldapbind 
-h directory_server
-p directory_ssl_port
-D user_dn
-w user_password
-u 1
```
If the bind fails, the user's password is incorrect. Reset the password. If the bind succeeds, proceed to step 2.
Try binding to the directory as the single sign-on server:
```
ORACLE_HOME/bin/ldapbind 
-h directory_server
-p directory_ssl_port
-D orclApplicationCommonName=ORASSO_ 
 SSOSERVER,cn=SSO,cn=Products,cn=OracleContext
-w single_sign-on_server_password
```
If the bind fails, the server password that you are trying to bind with may be incorrect. To set the correct password, run ssooconf.sql as explained in "Changing Single Sign-On Server Settings for Directory Access" in Chapter 3. If the bind succeeds, proceed to step 3.
Check whether the single sign-on application is a member of the SecurityAdmins group. If it is not a member of this group, it cannot authenticate the user:
```
ORACLE_HOME/bin/ldapcompare 
-h directory_host
-p directory_ssl_port
-D orclApplicationCommonName=ORASSO_
 SSOSERVER,cn=SSO,cn=Products,cn=OracleContext
-w orasso_password
-b "cn=user_dn,cn=users,realm_dn"
-a userpassword
-v user_password
```
If the application is not a member, add it to the SecurityAdmins group (cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext) and have the user reauthenticate. If the application is a member, the problem may be directory based.

Administrator does not see administration pages when logging in to /pls/orasso.

Cause: The administrator is not a member of the iASAdmins group:

cn=iASAdmin,cn=Groups,cn=OracleContext,realm_dn

Action: Check the uniquemember attribute of the iASAdmins entry in the directory:

ldapsearch -h directory_host
           -p directory_port
           -D orclApplicationCommonName=ORASSO_
              SSOSERVER,cn=SSO,cn=Products,cn=OracleContext
           -w orasso_password
           -b "cn=iasadmins,cn=groups,cn=oraclecontext,realm_dn"  
              "uniquemember=cn=user,cn=users,realm_dn"

If the user in the command is not a unique member of iASAdmins, follow the instructions in "Granting Administrative Privileges" in Chapter 2.

The user name submitted for authentication does not match the user name present in the existing single sign-on session.: Cause: Users encounter this error only during a forced authentication request. They see the error because they fail to enter the same user ID and, optionally, realm that they entered when they first authenticated.; Action: The user ID and, optionally, realm entered during forced authentication must match the user ID and realm in the current single sign-on session. Users who want to use different credentials to log in must log out of the current session first.

The SSO Server Administration link is missing from the administration page

Cause: Only administrators see this link. The user who is missing the link is logged in as an end user.

Action: Make sure that the user is a member of the iASAdmins group:

cn=iASAdmins,cn=Groups,cn=OracleContext,dc=default_identity_management_realm

If you have changed the SSO administration group, make sure that the user is a member of this group.

A.2.2 Certificate Authentication

This section explains how to debug certificate authentication; then it explains how to interpret error messages.

A.2.2.1 Debugging Certificate Sign-On

Set the debug level in policy.properties to DEBUG; then restart the single sign-on middle tier:

ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY

To view browser certificate information while debugging, extract the file certinfo.jsp file from ORACLE_HOME/sso/lib/ipassample.jar.
Place the file into ORACLE_HOME/j2ee/applications/sso/web/jsp.
View the file at this URL:
```
https://host:port/sso/certinfo.jsp
```

A.2.2.2 Error Messages

Network Error: Connection Refused.: Cause: This message appears when the user tries to access a partner application over SSL. The parameter SSLEngine on may be missing from httpd.conf or may not have been entered correctly.; Action: Add the missing parameter as specified in "Setting SSL Parameters" in Chapter 7. If the parameter is present and is entered correctly, the Oracle HTTP Server log file may identify the problem.

The single sign-on server fails to prompt the user for a certificate.: Cause: The optional parameter SSLVerifyClient is missing from httpd.conf or has not been entered correctly.; Action: Add the missing parameter as specified in "Setting SSL Parameters" in Chapter 7. If the parameter is present and is entered correctly, the Oracle HTTP Server log file may identify the problem.

Certificate authentication fails to work, and the user is presented with the login page.: Cause: The user's certificate is missing from the directory or has been entered incorrectly. Check ssoServer.log for details.; Action: Reenter the user's certificate in the directory. See the instructions in "Oracle Internet Directory" in Chapter 7.

User's browser certificate not found.

Cause: This problem has two possible causes:

Case 1: The user's certificate is not in the browser.
Case 2: The SSL wallet on the Oracle HTTP Server may not contain the trusted certificate of the CA that issued the client certificate.

Action:

Case 1: Install a valid certificate.
Case 2: Use Oracle Wallet Manager to determine whether the SSL wallet contains the trusted certificate. To learn how to use the tool, see the chapter about managing wallets and certificates in Oracle Application Server Administrator's Guide.

Mapping Module class name not found.: Cause: The class name for the mapping module is missing from x509CertAuth.properties or is incorrect.; Action: Make sure that a value is assigned to the parameter CertificateMappingModule. If it is assigned, check that this value is correct.

Mapping module instance creation failed.: Cause: The customized mapping module has been incorrectly implemented.; Action: Ensure that the custom module has a default constructor.

Cannot create the mapping module object.: Cause: The customized mapping module has been incorrectly implemented.; Action: Ensure that the customized module implements the interface prescribed in "Customize the User Name Mapping Module (Optional)" in Chapter 7.

Exception in creating mapping module.: Cause: The customized mapping module has been incorrectly implemented.; Action: Ensure that the customized module implements the interface prescribed in "Customize the User Name Mapping Module (Optional)" in Chapter 7.

Certificate match failed.: Cause: The user's certificate is missing from the directory or has been entered incorrectly. Check ssoServer.log for details.; Action: Reenter the user's certificate in the directory. See the instructions in "Oracle Internet Directory" in Chapter 7.

A.2.3 Password Policies

The administrator disabled a user using the orclIsEnabled attribute in Oracle Internet Directory, but the user can still log in.: Cause: The orclIsEnabled attribute is incorrect.; Action: Execute ldapbind from the command line as the user. If this act invokes an "account disabled error," reenter the attribute value.

The administrator disabled a user using the orclIsEnabled attribute in Oracle Internet Directory, but the user receives an "authentication failed error" instead of an "account disabled" error.: Cause: This is expected behavior. If the user's account is disabled, she receives an "authentication failed error."; Action: None.

The user receives a password expiry message when trying to log in.: Cause: The user's password has expired.; Action: The administrator has to reset the password. He or she can enable password expiry warnings in the directory. These warnings prompt users to change their passwords before they expire.

The user logs in to the single sign-on server and is told that her password is about to expire and is prompted to change it. When, however, she does a command-line bind, the message does not appear, and the bind succeeds.: Cause: Certain extended directory messages are not visible through the command-line tools. These messages are visible only through the LDAP client-side APIs.; Action: None.

A.2.4 Type 41400 Errors

When a user sees a WWC-41400 error, it usually means that the single sign-on server is configured incorrectly. The most common errors involve mod_osso-protected sites that have been reconfigured. Either the site2pstoretoken parameter is invalid or the site_id parameter is missing from the ORASSO.WWSSO_PAPP_CONFIGURATION_INFO$ table. Use the following steps to check these parameters:

Try to log in to a protected application. Make a note of any URLs that you use.
Display and save the HTTP page source of the single sign-on login page.
In the page source, search for the text site2pstoretoken. If the parameter is present, it should consist of three elements separated by the tilde character. The middle element in site2pstoretoken is the site ID. Here are two examples:
- Release 9.0.2:
```
"v1.2~1321~C4C41209C8E4F0E3E8D.........."
```
- Release 9.0.4 or 10.1.2
```
"v1.4~2F02C369~121CBBEE9920CDB.........."
```
If any one of these elements is missing, site2pstoretoken is invalid.
If site2pstoretoken is valid, determine whether the site ID is missing from single sign-on configuration tables. Log in to the single sign-on schema as orasso; then use SQL*Plus to search for site_id in the ORASSO.WWSSO_PAPP_CONFIGURATION_INFO$ table. See Appendix B to obtain the schema password.

WWC-41400 errors may be generated under the following conditions:

The site2pstoretoken value is missing.: Cause: The deployment-specific login page does not accept site2pstoretoken. Users see a WWC-41400 error after presenting their credentials.; Action: Rewrite the login page to accept site2pstoretoken and pass it back to the single sign-on server.

The site2pstoretoken value is blank ("").: Cause: The user has accessed the single sign-on login URL directly from the browser.; Action: The user must first access an application protected by mod_osso or an application integrated with the now-deprecated single sign-on SDK.

Login parameters are lost during redirection to a third-party server.: Cause: The user has used the POST method to access the single sign-on server. During login a third-party URL is invoked. In release 9.0.2, POST parameters are lost during redirection to the third-party server. This problem does not arise in release 9.0.4 and release 10.1.2 because mod_osso uses the GET method.; Action: Use an extra page that uses GET to pass login parameters to the single sign-on server.

The site2pstoretoken has an incorrect site ID.: Cause: The partner application has been deleted from single sign-on configuration tables.; Action: Reregister the partner application. See "Registering mod_osso" in Chapter 4.

The site ID is obsolete.: Cause: The registration that generated the ID may have been removed because it was obsolete.; Action: Determine whether the correct version of the osso.conf file is referenced in the OssoConfigFile directive of the mod_osso.conf file. This file is found at ORACLE_HOME/Apache/Apache/conf. It may have been overwritten accidently. If you determine that the osso.conf file is incorrect, reregister the partner application. See "Registering mod_osso" in Chapter 4.

The site2pstoretoken has a correct site ID.: Cause: In this case an error is thrown because an incorrectly configured virtual host is being used to access the single sign-on server. The VirtualHost container of the httpd.conf file—or the ssl.conf file if an HTTPS virtual host is defined—is missing the directives RewriteEngine On and RewriteOptions inherit. Invalid directives may be present as well.; Action: Add the missing directives to httpd.conf or ssl.conf. Check for invalid ones. Both files are found at ORACLE_HOME/Apache/Apache/conf.

A.3 Increasing the Debug Level

OracleAS Single Sign-On provides four levels of debugging. They are listed here in ascending order of detail provided.

ERROR—log errors only
WARN—log both errors and warning messages
INFO—log informational messages—current date and time, for instance—as well as errors and warnings
DEBUG—log details about program execution as well as errors, warnings, and informational messages

In the course of debugging, you may have to increase the level of debugging to, say, DEBUG. You do this by modifying the file ORACLE_HOME/sso/conf/policy.properties.

After changing the debug level, restart the OC4J_SECURITY instance:

ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY

A.4 Enabling the Debug Option in the Single Sign-On Database

Occasionally you may need to debug the mod_plsql code used to access external applications. This task requires that you enable debugging on the single sign-on database and then view detail logs. Note that this procedure does not apply to the debugging of partner applications. Debugging information for these applications is stored only in ORACLE_HOME/sso/log/ssoServer.log.

To turn on mod_plsql debugging, log in to the ORASSO schema and run the ssolsdbg.sql script. See Appendix B to obtain the schema password. Be sure to uncomment the commented lines in the script before running it. A copy of the script is located at ORACLE_HOME/sso/admin/plsql/sso.

Here is the script:

set scan off;
set feedback ON;
set verify ON;
set pages 50000;
set serveroutput ON;

CREATE OR replace PROCEDURE debug_print (str VARCHAR2) AS
BEGIN


   INSERT INTO wwsso_log$ VALUES (wwsso_log_pk_seq.nextval,
      substr(str, 1, 1000),
      sysdate, dbms_session.unique_session_id);

   commit;


END debug_print;
/

show errors;

To query the debug logs, issue this command:

SELECT * FROM WWSSO_LOG$ ORDER BY ID;

To turn off debugging, log in to the ORASSO schema and create the PL/SQL script that follows. Be sure to include this step when you finish debugging. If you skip it, superfluous records are created in the database table. See Appendix B to obtain the schema password.

set scan off;
set feedback ON;
set verify ON;
set pages 50000;
set serveroutput ON;


CREATE OR replace PROCEDURE debug_print (str VARCHAR2) AS
--  PRAGMA autonomous_transaction;
BEGIN

    null;

END debug_print;
/

show errors;

A.5 Enabling LDAP Tracing for UI Operations

The administration pages for single sign-on use the DBMS_LDAP package to perform directory operations. You can obtain details about these operations in the debug logs for the single sign-on database. To pinpoint the error though, you must enable client-side LDAP tracing. In trying, for example, to determine why an administrator cannot see administration links on the single sign-on home page, you can determine the exact point at which an error is being returned by the LDAP client-side APIs. You can then find the trace results in the RDBMS trace files.

Follow these steps to perform client-side tracing:

Enable tracing by loading the debugonldap.sql package into the ORASSO schema:
```
SQL> connect orasso/password
```
See Appendix B to obtain the schema password.

Run the script:

SQL> @debugonldap.sql

debugonldap.sql looks like this:

set scan off;
set feedback ON;
set verify ON;
set pages 50000;
set serveroutput ON;

CREATE OR replace PROCEDURE debug_print (str VARCHAR2) AS
BEGIN

   dbms_ldap.set_trace_level(65535);

   INSERT INTO wwsso_log$ VALUES
     (wwsso_log_pk_seq.nextval, substr(str, 1, 1000), sysdate,
     dbms_session.unique_session_id);

    commit;


END debug_print;
/

show errors;

Perform a single sign-on operation that raised an error or that requires debugging—logging in to the home page as an administrator, for instance.
Examine the LDAP client logs in the RDBMS trace directory. You can determine the location of this directory by connecting as SYS to the identity management infrastructure database and then issuing this command:
```
SQL> show parameter user_dump_dest
```
The value returned is the directory where trace files are written. Once in the directory, examine the file timestamps to find the relevant file.

If the client-side trace files fail to reveal the problem, enable server-side tracing, but perform client-side tracing first. To enable server-side tracing, see the chapter about logging, auditing, and monitoring in Oracle Internet Directory Administrator's Guide.

To disable tracing, load and run this package:

set scan OFF;
set feedback ON;
set verify ON;
set pages 50000;
set serveroutput ON;

CREATE OR replace PROCEDURE debug_print (str VARCHAR2) AS BEGIN
null;
END debug_print;
/
show errors;

A.6 Managing Single Sign-On Audit Records

The single sign-on server records authentication failures and successes in the Oracle Identity Management database. In time, the audit table, ORASSO.WWSSO_AUDIT_LOG_TABLE_T, runs out of space. When this happens, this error message appears in database alert logs:

ORA-1654: unable to extend index ORASSO.AUDIT_INDEX1 by 128 in tablespace IAS_META

In addition, further authentication requests fail.

Be sure to monitor ORASSO.WWSSO_AUDIT_LOG_TABLE_T regularly. When it becomes full, either back up the table and free up space or add space. Note that this is an internal, product-specific table. This means that you can use SQL*Plus to clean up the table, but you cannot use this tool or any other tool to build reporting or monitoring scripts based on the table.

A.7 Refreshing the LDAP Connection Cache

For performance reasons, the single sign-on server caches connections to Oracle Internet Directory. If the directory server has a scheduled or unscheduled outage, the single sign-on server is left holding bad directory connections, and users may encounter directory setup errors when they try to access external applications. If the LDAP connection cache is invalid, the Oracle HTTP Server must be restarted:

ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server

Use the following steps to determine whether the LDAP connection cache must be refreshed:

Connect to the single sign-on schema. See Appendix B to obtain the schema password.
Issue the following command:
```
SELECT * FROM WWSSO_LOG$
```
Restart the HTTP server if you see the following error in the log:
```
'INVALID LDAP CONNECTION CACHE: RESTART ORACLE HTTP SERVER'
```
Delete the error message from WWSSO_LOG$.

A.8 Restarting OC4J After Modifying Oracle Internet Directory

If you change values in Oracle Internet Directory, you must update the single sign-on server with the changes. If, for example, you change a user, subscriber, or group search base in the directory and fail to "notify" the single sign-on server, users under the modified container are unable to log in. The ssoreoid.sql script updates the single sign-on server with directory changes. To learn how to run the script, see "Updating the Single Sign-On Server with Directory Changes" in Chapter 3.

After running the script, make sure that you restart the single sign-on server:

ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY

A.9 Troubleshooting Replication

Deploying geographically distributed single sign-on instances requires, among other things, that you replicate the identity management infrastructure database. Each time you replicate the database, you should validate the replication process on each replicated node and correct errors that you find. Use the Replication Environment Management Tool (remtool) to complete both tasks.

remtool is run on the master definition site. You can find the tool at ORACLE_HOME/ldap/bin. It can be executed in two modes as the sections that follow explain.

A.9.1 Verifying Oracle9i Advanced Replication Configuration

To verify that the directory replication group has been successfully configured, issue the following command:

remtool -asrverify

The command option -asverify instructs the tool to report on the verification as it progresses, but not to rectify problems.

A.9.2 Verifying and Rectifying Oracle9i Advanced Replication Configuration

To verify that a directory replication group has been successfully configured and to rectify problems, execute the following command:

remtool -asrrectify -v -connect repadmin/repadmin_password@net_service_name

The command option -asrectify instructs the tool to report on the verification as it progresses and to rectify problems. Table A-1 defines the two other command parameters.

Table A-1 Parameters for the Replication Environment Management Tool

Parameter	Description
-v	Verbose mode. Specifying this option not only shows the progress of `remtool`, it also logs all actions of the tool in `remtool.log`. This file is found at `ORACLE_HOME/ldap/log`.
-connect	Connect string of the database for the remote master site. As the command syntax shows, this string has three components: `repadmin`—Name of the replication administrator `repadmin_password`—Password of the replication administrator `net_service_name`—Network service name of the RMS database.

For an in-depth look at the Replication Environment Management Tool, see the syntax chapter in Oracle Internet Directory Administrator's Guide.

A.10 A Word About Non-GET Authentication

The first page of a mod_osso-protected application must be a URL that uses the GET authentication method . If the POST method is used, the data that the user provides when logging in is lost during redirection to the single sign-on server. When deciding whether to enable the global user inactivity timeout, note that users are redirected after timing out and logging in again.

A.11 Need More Help?

You can find more solutions on Oracle MetaLink, http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.