Oracle® Identity Management Guide to Delegated Administration
10g (10.1.4.0.1)

Part Number B15996-01

B Troubleshooting Oracle Delegated Administration Services

This appendix describes common problems that you might encounter when using Oracle Delegated Administration Services and explains how to solve them.


Note:

You can also use Web browser diagnostics to identify basic problems with your Oracle Delegated Administration Services deployment, including whether the IP address and host name are valid or if a firewall is properly forwarding requests and responses. For more information, see the documentation for the Web browsers you plan to support in your Oracle Delegated Administration Services deployment.

Analyzing Log Files

If you encounter problems when deploying or running Oracle Delegated Administration Services, you should first examine the log files that are generated by Oracle Delegated Administration Services and by the components that it requires.

Oracle Delegated Administration Services Logs

Oracle Delegated Administration Services logs most errors in the following log file:

$ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1

This is the file you should check first when troubleshooting problems with Oracle Delegated Administration Services. Debugging must be enabled before Oracle Delegated Administration Services writes any information to the log file. To enable debugging, follow the instructions in "Enabling Debugging".


See Also:

"Viewing and Configuring Session-Level Diagnostic Settings" for information on how to view and configure diagnostic settings for Oracle Delegated Administration Services

Oracle Containers for J2EE Logs

Oracle Containers for J2EE is the servlet engine that receives Oracle Delegated Administration Services page requests. You can examine the servlet access log, named default-web-access.log, in the $ORACLE_HOME/j2ee/OC4J_SECURITY/log/OC4J_SECURITY_default_island_1 directory. You can also examine the application.log file, which contains run-time application errors, in the $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/oiddas/OC4J_SECURITY_default_island_1 directory.

Oracle HTTP Server Logs

Oracle HTTP Server receives requests for Oracle Delegated Administration Services pages and forwards each request to the appropriate component for further processing. For problems that may be related to Oracle HTTP Server, you can examine the log files located in the $ORACLE_HOME/Apache/Apache/logs directory. Specifically, you should examine the access_log and error_log files.


Note:

If Oracle HTTP Server is configured to rotate its log files, it appends a timestamp extension to the access_log and error_log files. Use the timestamp extension to find the most recent files.

OPMN Logs

Errors that occur when Oracle Delegated Administration Services first starts are recorded in the $ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1 file, which is generated by Oracle Containers for J2EE. Check this file for error messages if the opmnctl utility hangs or generates command-line errors when attempting to start Oracle Delegated Administration Services.

The $ORACLE_HOME/opmn/logs/ipm.log file also contains basic information regarding the OC4J_SECURITY process, which can be helpful in determining the overall health of your Oracle Delegated Administration Services implementation. Search the ipm.log file for "OC4J_SECURITY" and review any errors you find. The log file typically contains the following messages for OC4J_SECURITY:

Starting Process: OC4J~OC4J_SECURITY~default_island~1
Process Alive: OC4J~OC4J_SECURITY~default_island~1
Stopping Process: OC4J~OC4J_SECURITY~default_island~1
Process Stopped: OC4J~OC4J_SECURITY~default_island~1
Restarting Process: OC4J~OC4J_SECURITY~default_island~1

The ipm.log file also contains messages describing any problems that may have occurred with the OC4J_SECURITY process. For example, the log file will contain the following message if OPMN encounters any problems while starting the OC4J_SECURITY process:

Infra.us.oracle.com~OC4J~OC4J_SECURITY~default_island~1952317603:0
  Status: NONE
  Operation: internal (oid dependency failed)
  ErrFile: 
  String: OID
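The ipm.log review described above can be scripted. The following Python sketch is an added example, not part of the Oracle documentation or product; it assumes the lifecycle messages and the Status/Operation/ErrFile/String report look as shown above, and the sample log text, including the timestamps, is constructed.

```python
import re

PROC = "OC4J~OC4J_SECURITY~default_island~1"
# Lifecycle messages listed in this appendix for OC4J_SECURITY.
EVENT_RE = re.compile(
    r"(Starting Process|Process Alive|Stopping Process|Process Stopped"
    r"|Restarting Process): " + re.escape(PROC) + r"(?!\d)")
# First line of a problem report: <instance>~OC4J~OC4J_SECURITY~default_island~<id>:<n>
REPORT_RE = re.compile(r"\S+~OC4J~OC4J_SECURITY~default_island~\d+:\d+\s*$")
FIELD_RE = re.compile(r"^\s+(Status|Operation|ErrFile|String):\s*(.*)$")

# Constructed sample; the timestamps and their layout are assumptions.
SAMPLE = """\
06/01/15 10:02:11 Starting Process: OC4J~OC4J_SECURITY~default_island~1
Infra.us.oracle.com~OC4J~OC4J_SECURITY~default_island~1952317603:0
  Status: NONE
  Operation: internal (oid dependency failed)
  ErrFile:
  String: OID
06/01/15 10:09:40 Restarting Process: OC4J~OC4J_SECURITY~default_island~1
06/01/15 10:10:02 Process Alive: OC4J~OC4J_SECURITY~default_island~1
"""

def summarize_ipm_log(text):
    """Return (lifecycle events in order, problem reports as dicts)."""
    events, reports, current = [], [], None
    for line in text.splitlines():
        event = EVENT_RE.search(line)
        field = FIELD_RE.match(line)
        if event:
            events.append(event.group(1))
            current = None
        elif REPORT_RE.search(line):
            current = {"header": line.strip()}
            reports.append(current)
        elif field and current is not None:
            current[field.group(1)] = field.group(2).strip()
        else:
            current = None  # any other line ends the current report
    return events, reports

def is_alive(events):
    """True when the most recent lifecycle message is 'Process Alive'."""
    return bool(events) and events[-1] == "Process Alive"

if __name__ == "__main__":
    events, reports = summarize_ipm_log(SAMPLE)
    print("events:", events, "alive:", is_alive(events))
    for r in reports:
        print("problem:", r.get("Operation"), "->", r.get("String"))
```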

Enabling Debugging

To enable or disable debugging for Oracle Delegated Administration Services, you modify the DEBUG and DEBUG_LEVEL flags in the $ORACLE_HOME/ldap/das/das.properties file. Table B-1 describes each flag.

Table B-1 Debugging Flags in the das.properties File

| Flag | Description | Values | Default Value |
|---|---|---|---|
| DEBUG | Determines whether debugging is enabled | true; false | false |
| DEBUG_LEVEL | Specifies the debugging level | error (logs all errors); schema (logs errors related to Oracle Internet Directory schema operations); tracing (logs detailed tracing information for various operations); session (logs information on operations involving the Oracle Delegated Administration Services connection pool or connection retrieval and release) | none |


The DEBUG_LEVEL flag is interpreted only if the DEBUG flag is assigned a value of true. Separate each flag from its value with a vertical bar (|). For example, the following statements assign a value of true to the DEBUG flag and a value of tracing to the DEBUG_LEVEL flag:

DEBUG|true
DEBUG_LEVEL|tracing
 

After modifying the das.properties file, you must restart the Oracle Delegated Administration Services instance. Before restarting Oracle Delegated Administration Services, you may want to consider deleting the existing ipm.log file in order to create a fresh log file that does not contain any messages from previous Oracle Delegated Administration Services instances.
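The flag format above can be checked before the restart, and again after troubleshooting to confirm that debugging was returned to its default. The following Python sketch is an added example, not part of the Oracle documentation or product; the sample content is constructed, and accepting none as a DEBUG_LEVEL value is an assumption based on its listing as the default in Table B-1.

```python
import re

# Values from Table B-1; "none" is the documented default for DEBUG_LEVEL
# and is accepted here as an assumption.
ALLOWED = {
    "DEBUG": {"true", "false"},
    "DEBUG_LEVEL": {"error", "schema", "tracing", "session", "none"},
}
DEFAULTS = {"DEBUG": "false", "DEBUG_LEVEL": "none"}
# Also match '=' and ':' so a wrong separator is reported, not silently ignored.
FLAG_RE = re.compile(r"^\s*(DEBUG_LEVEL|DEBUG)\s*([|=:])\s*(.*?)\s*$")

# Constructed sample with two deliberate mistakes (lines 2 and 3).
SAMPLE = """\
DEBUG|true
DEBUG_LEVEL=tracing
DEBUG_LEVEL|verbose
DEBUG_LEVEL|session
"""

def audit_das_properties(text):
    """Return (flags, problems) for the debugging flags in das.properties text."""
    flags, problems = dict(DEFAULTS), []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FLAG_RE.match(line)
        if not m:
            continue  # unrelated property
        name, sep, value = m.groups()
        if sep != "|":
            problems.append(f"line {lineno}: {name} uses '{sep}', expected '|'")
        elif value not in ALLOWED[name]:
            problems.append(f"line {lineno}: {name} value '{value}' is not in Table B-1")
        else:
            flags[name] = value  # a later valid line overrides an earlier one
    return flags, problems

def effective_level(flags):
    """DEBUG_LEVEL is interpreted only when DEBUG is true; None means no debug logging."""
    return flags["DEBUG_LEVEL"] if flags["DEBUG"] == "true" else None

if __name__ == "__main__":
    flags, problems = audit_das_properties(SAMPLE)
    print("flags:", flags, "effective level:", effective_level(flags))
    for p in problems:
        print("problem:", p)
```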

Diagnosing Self-Service Console Problems

This section describes how to troubleshoot problems with the Self-Service Console.

You can use the diagnostic settings in Oracle Delegated Administration Services to debug your implementation without having to examine the log files. If you have configuration privileges, then you can also change the runtime logging levels without restarting Oracle Delegated Administration Services.

Viewing and Configuring Application Diagnostic and Logging Settings

You can view and configure application level diagnostic settings for all user sessions and all units in an Oracle Delegated Administration Services application. Diagnostic settings can be turned on or off. If an application-level diagnostic setting is turned on, diagnostics will display, unless overridden by session-level or unit-level diagnostic settings. If an application-level diagnostic setting is turned off, diagnostics will not display, unless overridden by session-level or unit-level diagnostic settings.

To view and configure application-level diagnostic settings:

  1. Enter the following URL in a Web browser to open the Application-Level Diagnostic Settings window:

    http://host_name:port_number/oiddas/ui/oracle/ldap/das/pages/Application
    
    

    This window is described in "Application-Level Diagnostic Settings".

  2. Basic application-level configuration settings display in the Information section and connection pool settings and statistics display in the Connection Pool section.

    To display diagnostic information:

    1. In the Configuration section, change the Value field to On.

    2. Select Update. Scroll to the bottom of the Web page to view the diagnostic information.

    To change logging levels:

    1. In the Logging section, click the check boxes of the logging levels you want to change.

    2. Select a desired value from the Change log level to box.

    3. Select Update.

Viewing and Configuring Session-Level Diagnostic Settings

You can view and configure session-level diagnostic settings for the current user session and for all units in an Oracle Delegated Administration Services application. Diagnostic settings can be turned on or off or can inherit application-level diagnostic settings. If a session-level diagnostic setting is turned on, diagnostics will display, unless overridden by a unit-level diagnostic setting. If a session-level diagnostic setting is turned off, diagnostics will not display, unless overridden by a unit-level diagnostic setting. If a particular diagnostic setting is set to "inherit", then the application-level diagnostic setting applies.

To view and configure session-level diagnostic settings:

  1. Enter the following URL in a Web browser to open the Session Level Diagnostic Settings window:

    http://host_name:port_number/oiddas/ui/oracle/ldap/das/pages/Session
    
    

    This window is described in "Session Level Diagnostic Settings".

  2. Basic session-level configuration settings display in the Information section and console navigation settings display in the Navigation section.

    To change session-level diagnostic settings:

    1. In the Configuration section, select a desired value in the Value field for the diagnostic setting you want to change.

    2. Select Update.

Setting Unit-Level Diagnostic Settings

Unit-level diagnostic settings control the display of diagnostics for the current user session in a given unit. Applicable values for a diagnostic setting at the unit level are "on", "off", and "inherit". If a unit-level diagnostic setting is turned on, diagnostics will display for the specified unit. If a unit-level diagnostic setting is turned off, diagnostics will not display for the specified unit. If a value of "inherit" is applied to a diagnostic setting, then the session-level diagnostic setting applies.

To enable or disable diagnostics for the current user session and a specific unit, append a question mark and "diagnostic=on", or "diagnostic=off", or "diagnostic=inherit" to the URL of the desired unit. For example, the following URL enables diagnostics for the current user session with the user search unit:

http://host_name:port_number/oiddas/ui/oracle/ldap/das/pages/UserSearch?diagnostic=on
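Because diagnostics are reached and overridden by URL, the Oracle HTTP Server access_log records which clients requested the diagnostic pages or a unit-level override. The following Python sketch is an added example, not part of the Oracle documentation or product; it assumes access_log uses the Apache Common Log Format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed Common Log Format: host ident user [time] "METHOD target PROTO" status
CLF_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
PAGES = "/oiddas/ui/oracle/ldap/das/pages/"

# Constructed sample lines (documentation address range).
SAMPLE = [
    '192.0.2.10 - - [15/Jan/2006:10:12:01 -0800] "GET /oiddas/ui/oracle/ldap/das/pages/UserSearch?diagnostic=on HTTP/1.1" 200 5120',
    '192.0.2.10 - - [15/Jan/2006:10:12:30 -0800] "GET /oiddas/ui/oracle/ldap/das/pages/UserSearch HTTP/1.1" 200 4096',
    '192.0.2.44 - - [15/Jan/2006:10:15:09 -0800] "GET /oiddas/ui/oracle/ldap/das/pages/Application HTTP/1.1" 200 9000',
    '192.0.2.44 - - [15/Jan/2006:10:15:40 -0800] "POST /oiddas/ui/oracle/ldap/das/pages/Session HTTP/1.1" 302 0',
]

def diagnostic_requests(lines):
    """Return one dict per request that touches DAS diagnostic settings."""
    found = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a Common Log Format line
        host, user, when, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.startswith(PAGES):
            continue
        unit = url.path[len(PAGES):]
        value = parse_qs(url.query).get("diagnostic", [None])[-1]
        if unit == "Application":
            scope = "application"   # application-level settings window
        elif unit == "Session":
            scope = "session"       # session-level settings window
        elif value is not None:
            scope = "unit"          # ?diagnostic=on|off|inherit on a unit URL
        else:
            continue                # ordinary unit request
        found.append({"host": host, "user": user, "time": when, "method": method,
                      "scope": scope, "unit": unit, "value": value,
                      "status": int(status)})
    return found

if __name__ == "__main__":
    for event in diagnostic_requests(SAMPLE):
        print(event["time"], event["host"], event["method"], event["scope"],
              event["unit"], event["value"], event["status"])
```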

Diagnosing Login Problems

For problems logging in, examine the $ORACLE_HOME/ldap/log/das.log file. Also, verify the following:

  • The URL contains the correct infrastructure host name and HTTP server port.

  • You are using the correct redirection URL.

  • You can successfully execute ping and nslookup commands from the Web client server to the infrastructure server.

  • You can execute ldapbind commands from both administrative and user accounts.

  • Whether a specific set of users is failing to log in.

  • Whether any user accounts are locked.


    See Also:

    Oracle Internet Directory Administrator's Guide for information on password policies in Oracle Internet Directory

Also, verify that the following properties are correctly set in the $ORACLE_HOME/config/ias.properties file:

  • DAS.LaunchSuccess

  • IASname

  • InfrastructureUse

  • OIDhost

  • OIDport

  • OIDsslport

  • VirtualHostName

  • InfrastructureDBCommonName

Finally, ensure that the OC4J_SECURITY information in the $ORACLE_HOME/opmn/conf/opmn.xml file is set correctly. The OC4J_SECURITY information is located in the following elements in the opmn.xml file:

<process-type id="OC4J_SECURITY" module-id="OC4J">
  <environment>
    <variable id="DISPLAY" value="Infrahost.us.oracle.com:0.0"/>
    <variable id="LD_LIBRARY_PATH" value="/app/oracle/product/10g/infra/lib"/>
  </environment>
  <module-data>
    <category id="start-parameters">
      <data id="java-options" value="-Djava.security.policy=/app/oracle/product/10g/infra/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true -Xmx512m -Djava.awt.headless=true "/>
      <data id="oc4j-options" value="-properties"/>
    </category>
    <category id="stop-parameters">
      <data id="java-options" value="-Djava.security.policy=/app/oracle/product/10g/infra/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true"/>
    </category>
  </module-data>
  <start timeout="900" retry="2"/>
  <stop timeout="120"/>
  <restart timeout="720" retry="2"/>
  <port id="ajp" range="3301-3400"/>
  <port id="rmi" range="3201-3300"/>
  <port id="jms" range="3701-3800"/>
  <process-set id="default_island" numprocs="1"/>
</process-type>

See Also:

Oracle Application Server Single Sign-On Administrator's Guide for additional information on how to resolve login problems

Users Prompted to Change Password Multiple Times

Oracle Internet Directory enables you to establish a password policy in which users are prompted to change their passwords after initial login. Users must change their passwords by using the Oracle Internet Directory Self-Service Console Password Change screen. Using other mechanisms may not satisfy the password change requirement, and users may be prompted to change their password again the next time they log in.


See Also:

Oracle Internet Directory Administrator's Guide for information on password policies in Oracle Internet Directory

Missing User Entries

User entries in Oracle Internet Directory that do not belong to the inetOrgPerson object class will not appear in the Self-Service Console. You can assign user entries to an object class by using Oracle Directory Manager or the ldapmodify command.


See Also:

The Oracle Internet Directory Administrator's Guide for information on how to use Oracle Directory Manager and the ldapmodify command

Interpreting Error Messages

This section describes the error messages you may encounter with the Self-Service Console.

500 Internal Server Error

Cause: Usually indicates that Oracle Delegated Administration Services has not been started correctly.
Action: Follow the instructions in "Installing and Configuring Oracle Delegated Administration Services" to determine whether Oracle Delegated Administration Services is running. Also, examine the $ORACLE_HOME/ldap/log/das.log file to determine what is causing the error.

Warning: Page has Expired

Cause: Some Oracle Delegated Administration Services pages use the POST method to submit HTTP requests. Clicking the Back button to view a page that has been submitted with the POST method usually results in a warning message from the Web browser that the page has expired. In general, use of the Back button on DAS pages is discouraged.
Action: Avoid using the Web browser's Back button. Instead, use the Go Back button or other navigation buttons and links that appear in the Self-Service Console.

Error: Cannot proceed. Please contact your Administrator to have your password reset!

Cause: This error occurs if a user attempts to reset their password before specifying a password hint.
Action: An administrator must reset the user's password by following the instructions in "Changing the Password of a User". To prevent this error from occurring again, the user must then specify a password hint by following the instructions in "Changing Your Own Password and Password Hint".

Diagnosing Service Unit Problems

Oracle Delegated Administration Services consists of a set of pre-defined, Web-based service units for performing directory operations on behalf of users. These units enable directory users to update their own information.


See Also:

Oracle Identity Management Application Developer's Guide for additional information on how to write custom applications to resolve the issues discussed in this section

Handling Pop-Up Window Blocking

When an Oracle Delegated Administration Services service unit tries to open a new Web browser window, the new window may not open if pop-up window blocking is enabled on a client's Web browser. To avoid pop-up window blocking, you need to write a custom application that opens a new window on a local application server, and then immediately redirects the page to the Oracle Delegated Administration Services service unit.

Handling Cross-Domain Invocation Issues

Oracle Delegated Administration Services service units that need to return parameters to a calling page may fail due to cross-domain JavaScript security restrictions. To avoid such problems, you must write a custom Oracle Internet Directory application.

Troubleshooting SSO Login Issues

When logging in to the Self-Service Console, the Web browser displays an error message that the server cannot be found. This occurs if the SSO service is down or if the mod_osso service is not configured properly. To resolve this issue, restart the SSO service or reconfigure the mod_osso service. For more information, refer to the Oracle Application Server Single Sign-On Administrator's Guide.

Need More Help?

In case the information in the previous sections was not sufficient, you can find more solutions on OracleMetaLink, http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.

