Oracle® Application Server Release Notes 10g (10.1.4.0.1) for HP-UX Itanium, Part Number B32101-06
This chapter provides information about known issues and workarounds for Oracle Access Manager. The following topics are included:
Section 5.1, "About Installation Packages, Patch Sets, Bundle Patches, and Newly Certified Agents"
Section 5.3, "Installation and Upgrade Issues and Workarounds"
See Also:
The following documents for more information:
Oracle Access Manager Release Notes 10g (10.1.4.3.0) for All Supported Operating Systems, E12496-02, for known issues with the full-installer release
Oracle Access Manager Patch Set Notes, Release 10.1.4 Patch Set 2 (10.1.4.3.0) for All Supported Platforms, for enhancements, bug fixes, and known issues with the patch set: oam_101430_readme.pdf
Oracle Access Manager Patch Set Notes, Release 10.1.4 Patch Set 1 (10.1.4.2.0) for All Supported Platforms, for enhancements and bug fixes available with this patch set: oam_101420_readme.pdf
5.1 About Installation Packages, Patch Sets, Bundle Patches, and Newly Certified Agents
This section provides information and distinctions on the following Oracle Access Manager product packages:
Oracle provides full installer packages for major Oracle Access Manager releases:
10g (10.1.4.3)
10g (10.1.4.0.1)
Note:
Oracle Access Manager 10g (10.1.4.2.0) was a patch set only.
Each full installer package provides the libraries and files that comprise a complete software distribution and implement all product functionality. Full installer packages are provided for every component on supported platforms. All of the components have been tested and are certified to work with one another across supported platforms.
Note:
You can use 10g (10.1.4.3) installers to create a fresh Oracle Access Manager installation only. You can apply the 10g (10.1.4.3) patch set to update 10g (10.1.4.2.0) components as described in Section 5.1.2.1, "Updating Oracle Access Manager 10g (10.1.4) with the Latest Patch Sets".
An Oracle Media Pack is an electronic version of Oracle software products on physical media (DVDs). Physical Oracle Media Packs are available to any customer working with a Sales Representative. In addition, you can order a physical Media Pack from the Oracle store. Shop online at:
http://oracle.com
Virtual DVDs and Media Packs are available as follows:
From Oracle Technology Network (OTN) at:
http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html
Use the following links to download Oracle Access Manager 10g (10.1.4.3):
Access Manager Core Components (10.1.4.3.0)
See Also:
Oracle Containers for J2EE Security Guide to implement SSO for Oracle Fusion Middleware 11g using the OAM Configuration tool (available with 10g (10.1.4.3) core components) and the OAM Identity Assertion Provider (available with 10g (10.1.4.3) WebGates for OHS 11g).
Access Manager WebGate (10.1.4.3.0)
Policy Manager and WebPass on Third Party and non-OHS 11g Web Servers
Access Manager Language Packages (10.1.4.3.0)
GCC Libraries
Note:
Get Oracle Access Manager 10g (10.1.4.3) WebGates for third-party and non-OHS 11g Web servers from:
http://www.oracle.com/technology/software/products/ias/htdocs/101401.html
From Oracle edelivery at:
http://edelivery.oracle.com/EPD/Search/get_form
Oracle edelivery provides access to Oracle Fusion Middleware Media Packs that mirror the contents of the physical Media Pack bundle.
Table 5-1 provides a brief overview of the differences between a standard patch set (10g (10.1.4.2.0), for instance), a bundle patch, and a patch set exception.
Table 5-1 Bundle Patches, Patch Sets, and Patch Set Exceptions
Mechanism | Description |
---|---|
Patch Set | A patch set is a mechanism for delivering fully tested and integrated product fixes that can be applied to installed components of the same release. Each patch set provides the libraries and files that have been rebuilt to implement bug fixes (and new functions, if any). All of the fixes and functions in the patch set have been tested and are certified to work with one another on specified platforms. Patch sets include all of the fixes available in previous bundle patches (or patch set exceptions) for the release. A patch set might not be a complete software distribution and might not include packages for every component on every platform. See Also: Section 5.1.2.1, "Updating Oracle Access Manager 10g (10.1.4) with the Latest Patch Sets". |
Bundle Patch | A bundle patch is an official Oracle patch for Oracle Access Manager components on baseline platforms. Bundle patches are released on a regular basis, after one product release and before the next. Each bundle patch includes the libraries and files that have been rebuilt to implement one or more fixes and functions. All of the fixes and functions in the bundle patch have been tested and are certified to work with one another. Regression testing has also been performed to ensure backward compatibility with all Oracle Access Manager components in the bundle patch, and with earlier WebGates. Each bundle patch is cumulative: the latest bundle patch includes all fixes in earlier bundle patches for the same release and platform. Fixes delivered in bundle patches are rolled into the next release: all 10g (10.1.4.2.0) bundle patch fixes are included in Oracle Access Manager release 10g (10.1.4.3). See Also: Section 5.1.2.2, "Retrieving the Latest Bundle Patch". |
Patch Set Exception (PSE) | Each PSE was an official Oracle patch; however, a PSE was not a complete product distribution and did not include packages for every component on every platform. Each PSE (also known as a one-off or hot fix) addressed only one issue for a single component; typically (but not always) only for a single platform. A PSE included only the libraries and files that had been rebuilt to implement a specific fix for a specific component. Each PSE was cumulative, but did not undergo extensive regression testing and certification by QA. Individual PSE releases were not tested to work together with other PSE releases. Note: The bundle patch mechanism has replaced the patch set exception mechanism. |
5.1.2.1 Updating Oracle Access Manager 10g (10.1.4) with the Latest Patch Sets
Your starting Oracle Access Manager release determines the patch sets you need, as described in Table 5-2.
Table 5-2 Updating Oracle Access Manager
If Your Starting Release is ... | You Must ... |
---|---|
10g (10.1.4.0.1) | Perform both steps in the following procedure to: |
10g (10.1.4.2.0) | Skip Step 1 and apply only the 10g (10.1.4.3) patch |
Note:
See the patch set notes for 10g (10.1.4.2.0) and 10g (10.1.4.3) for details about enhancements and bug fixes available with each release, as well as any known issues.
To obtain the latest patch sets
10g (10.1.4.2.0) Patch:
1. Go to My Oracle Support and log in as usual:
   https://support.oracle.com
2. Click Patch ID or Number.
3. In the empty field, enter 5957301, and then click Search.
4. In the Patch Search Results table, click the number beside the item that corresponds to your platform.
5. Readme: Click the View Readme button to display the Release Notes, which you can print.
6. Download: Click the Download button to acquire the packages.
7. Installation: See the Readme (oam_101420_readme.pdf) for all prerequisites, patch install, post-patching instructions, and more.
10g (10.1.4.3) Patch:
1. Go to My Oracle Support and log in as usual:
   http://support.oracle.com
2. Click Patch ID or Number.
3. In the empty field, enter 8276055, and then click Search.
4. In the Patch Search Results table, click the number beside the item that corresponds to your platform.
5. Readme: Click the View Readme button to display the Release Notes, which you can print.
6. Download: Click the Download button to acquire the packages.
7. Installation: See the Readme (oam_101430_readme.pdf) for all prerequisites, patch install, post-patching instructions, and more.
5.1.2.2 Retrieving the Latest Bundle Patch
Oracle releases bundle patches to correct any reported issues in your deployment. Oracle recommends that you obtain and apply the latest bundle patch.
To download a 10g (10.1.4.3) bundle patch
1. On the machine that will host the bundle patch files, create a temporary directory to contain the platform-specific bundles that you will download. For example:
2. Go to My Oracle Support and log in as usual:
   http://support.oracle.com
3. Click the Patches & Updates link.
4. Click Product or Family (Advanced Search) and fill in the search criteria. For example:
   From the Product is list, click Oracle Oblix COREid.
   From the Release is list, click Oracle Access Manager 10.1.4.3.
   From the following list, select Platform.
   From the list of platforms, select all that apply.
5. Click the Search button.
6. In the Patch Search Results table, locate the latest bundle patch (top of the list) and click the corresponding number.
7. Readme: Click the View Readme button to display the Release Notes, which you can print.
8. Download: Click the Download button to retrieve the packages.
9. Installation: See the Readme (oam_101430_bpnn_doc.pdf) for all prerequisites, patch install, post-patching instructions, and more.
This section describes some general issues and workarounds. It includes the following topics:
Section 5.2.1, "New Location for the Platform Support Matrix"
Section 5.2.3, "The Name "Query Builder" Is Not Always Translated"
Section 5.2.4, "Users Can Access Resources After Password Reset Without Logging In"
Section 5.2.6, "Caveat to Create a Password Policy with Change on Reset Enabled"
Section 5.2.7, "Login.html Not Found if Browser Language is Not Supported"
5.2.1 New Location for the Platform Support Matrix
Oracle continually certifies Oracle Access Manager support with various third-party platforms, Web server releases, directory server releases, and applications. For the latest support details, see the certification matrix that is available at:
http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access_manager_certification_10.1.4_r3_matrix.xls
There is a known limitation with Java applets in JDK 1.1.7. When used with this release of Oracle Access Manager, applets with non-ASCII data can only be displayed properly on computers with a native-encoded operating system. Setting browser encoding will not work.
If you intend to use non-ASCII data, run Oracle Access Manager on computers with a native-encoded operating system.
5.2.3 The Name "Query Builder" Is Not Always Translated
In this release, the name "Query Builder" has been translated for different language locales in some places, and not in others. The term "Selector" is translated into the respective locales everywhere.
5.2.4 Users Can Access Resources After Password Reset Without Logging In
You can enable users to access resources without re-authenticating after resetting a password. This information was omitted from the documentation.
To log users in after changing their password, the change password redirect URL must include STLogin=%applySTLogin% as a parameter.
The following is an example of a change password redirect URL that logs the user in:
    /http://machinename:portnumber/identity/oblix/apps/lost_password_mgmt/bin/lost_password_mgmt.cgi?program=redirectforchangepwd&login=%login%%userid%&backURL=%HostTarget%%RESOURCE%&STLogin=%applySTLogin%&target=top
To implement automatic login after password change with a form-based authentication scheme, you must configure the challenge parameter creds by supplying the user name credential parameter as the first token, the password credential parameter as the second token, then any other credential parameters.
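The two settings above are easy to get wrong silently: a redirect URL without the STLogin parameter simply sends the user back to the login prompt, and a creds parameter with the password listed first fails the automatic login. The following POSIX shell functions are an added example (not from the release notes) that check both before a change is rolled out. The sample URL, and the credential parameter names userid and password, are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the release notes: pre-flight checks for the
# automatic login after a password change.  The sample URL and the
# credential names "userid" and "password" are constructed for this example.

# has_stlogin_param <url>
# Returns 0 when the change password redirect URL carries the
# STLogin=%applySTLogin% parameter that triggers the login.
has_stlogin_param() {
    case "$1" in
        *'STLogin=%applySTLogin%'*) return 0 ;;
        *) return 1 ;;
    esac
}

# creds_order_ok <creds value> <user name credential> <password credential>
# The creds challenge parameter of a form-based scheme is a whitespace
# separated list of credential parameters; the user name must be the
# first token and the password the second for the automatic login to work.
creds_order_ok() {
    _user=$2
    _pass=$3
    set -- $1                        # split the creds value on whitespace
    [ "$#" -ge 2 ] && [ "$1" = "$_user" ] && [ "$2" = "$_pass" ]
}

# audit_auto_login <url> <creds value> <user credential> <password credential>
# Prints one line per finding; returns 0 only when both checks pass.
audit_auto_login() {
    _rc=0
    if has_stlogin_param "$1"; then
        echo "ok: redirect URL carries STLogin=%applySTLogin%"
    else
        echo "missing: redirect URL lacks STLogin=%applySTLogin%; users will not be logged in after the change"
        _rc=1
    fi
    if creds_order_ok "$2" "$3" "$4"; then
        echo "ok: creds lists $3 then $4"
    else
        echo "wrong order: creds must list $3 first and $4 second (got: $2)"
        _rc=1
    fi
    return $_rc
}

# Constructed sample values for a stand-alone run.
SAMPLE_URL='http://machinename:portnumber/identity/oblix/apps/lost_password_mgmt/bin/lost_password_mgmt.cgi?program=redirectforchangepwd&login=%login%%userid%&backURL=%HostTarget%%RESOURCE%&STLogin=%applySTLogin%&target=top'
audit_auto_login "$SAMPLE_URL" 'userid password' userid password
```

Run it with the redirect URL and creds value taken from your own scheme; a non-zero exit means one of the two prerequisites is missing.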
Time management includes changes for daylight savings time. In the United States, the Energy Policy Act of 2005 was signed into law to extend daylight saving time. In calendar year 2007, the effective dates for daylight savings are going to change. Under the new rules, DST in the U.S. will start on the second Sunday in March and end the first Sunday in November. In the past, daylight savings time started on the first Sunday in April and ended the last Sunday in October. This change also affects Canada.
USA 2007 Daylight Saving Time (DST) Compliance for Oracle Access Manager: No patches are required for the Identity Server or Access Server to accommodate daylight savings time changes. However, Oracle Access Manager interacts with other components that may be impacted by DST changes such as Web servers, applications servers, LDAP directories and databases. Check your vendor documentation and ensure that any required patches are applied to other affected components.
Follow the recommendations of Operating System vendors for any required DST changes. In addition, ensure that system clocks of computers hosting Oracle Access Manager components are synchronized as discussed in the Oracle Access Manager Installation Guide.
For more information about the impact of USA 2007 DST compliance for Oracle Database and Oracle Fusion Middleware products, see Note: 397281.1 on the My Oracle Support Web Site:
https://support.oracle.com
5.2.6 Caveat to Create a Password Policy with Change on Reset Enabled
A caveat has been added to the Oracle Access Manager Identity and Common Administration Guide, chapter on "Configuring Global Settings," in the section on "Creating Password Policies for a Specific Domain." See Step 16 of the procedure "To create a password policy" for the following new note.
16. Select Change on Reset if you want to force users to change the password the first time they log in to the system after an administrator resets the password. By default, the Change on Reset flag is not set. During self-registration, the Change on Reset flag is not set. This field is applicable to both the Identity and Access Systems. For the Access System only, you can also configure a redirect URL for password change. See "Configuring Password Redirect URLs" on page 7-66 for details.
Note:
Use of password policies in the Access System with change on reset functionality enabled and without specifying a Password Change Redirect URL will cause the login prompt to redisplay. This prevents users from changing passwords and ultimately logging in.
5.2.7 Login.html Not Found if Browser Language is Not Supported
Out of the box, Oracle Access Manager internationalized login pages support 27 languages. After customizing external pages, however, you might have only a subset of the 27 supported languages for your Oracle Fusion Applications. For instance, you might have added translation text to your HTML pages that can be translated to only a select few languages.
To avoid additional changes, you must remove support for the unsupported languages in three locations, as follows:
1. Perl Script configuration (config.pl file): Update the config.pl Language Mapping array to remove unsupported languages: simply comment out the unsupported language lines.
   Note:
   Perl Script configuration refers to the config.pl file, which is copied to the Web server directory during installation.
2. JavaScript configuration: Remove unsupported languages from the Language Array to eliminate their display in the Language Selection LOV: simply comment out the lines for unsupported languages.
3. WebGate_install_dir: Manually remove (or simply move) the directories containing unsupported languages. For example, if you have no support for Korean (and Greek), remove WebGate_install_dir/access/oblix/lang/ko-kr (and /lang/el-gr).
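The third location is the one most easily done by script, since it is a plain directory move. The following POSIX shell function is an added example (not from the release notes or the product) that moves every locale directory not on a keep list out of the WebGate language tree into a backup directory, so the change can be reversed. It assumes the layout named in the text, WebGate_install_dir/access/oblix/lang/<locale>, and that locale directories are named xx-yy; anything else under lang (for instance a shared resources directory) is left untouched. The config.pl and JavaScript arrays still need their entries commented out by hand.

```sh
#!/bin/sh
# Added example, not part of the release notes: moves the locale directories
# that your customized pages do not support out of the WebGate language tree
# (location 3 in the list above).  It assumes the layout named in the text,
# WebGate_install_dir/access/oblix/lang/<locale>, and leaves anything that is
# not a locale directory (for example a shared resources directory) untouched.
# The config.pl and JavaScript language arrays (locations 1 and 2) still need
# their entries commented out by hand.

# prune_langs <lang_dir> <backup_dir> <locale to keep> [<locale to keep> ...]
# Moves every <xx-yy> locale directory under <lang_dir> that is not in the
# keep list into <backup_dir> and prints the locales moved, space separated.
prune_langs() {
    _lang_dir=$1
    _backup_dir=$2
    shift 2
    _keep=" $* "
    _moved=""
    mkdir -p "$_backup_dir" || return 1
    for _d in "$_lang_dir"/*; do
        [ -d "$_d" ] || continue
        _loc=${_d##*/}
        case "$_loc" in
            [a-z][a-z]-[a-z][a-z]) ;;        # locale directory such as ko-kr
            *) continue ;;                    # not a locale: leave it alone
        esac
        case "$_keep" in
            *" $_loc "*) continue ;;          # supported locale: keep
        esac
        mv "$_d" "$_backup_dir/$_loc" || return 1
        _moved="$_moved $_loc"
    done
    echo "${_moved# }"
}

# Stand-alone demonstration on a constructed directory tree: only en-us is
# kept, ko-kr and el-gr are moved aside, and "shared" is not a locale.
_demo=$(mktemp -d)
mkdir -p "$_demo/lang/en-us" "$_demo/lang/ko-kr" "$_demo/lang/el-gr" "$_demo/lang/shared"
echo "moved: $(prune_langs "$_demo/lang" "$_demo/lang_removed" en-us)"
ls "$_demo/lang"
rm -rf "$_demo"
```

On a real WebGate you would call it as prune_langs WebGate_install_dir/access/oblix/lang /some/backup/dir en-us fr-fr with your own keep list, then restart the WebGate Web server; the backup directory lets you put a locale back by moving it into place again.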
5.3 Installation and Upgrade Issues and Workarounds
To ensure success when upgrading older releases to Oracle Access Manager 10g (10.1.4), you must complete all preparation tasks and meet all requirements described in the Oracle Access Manager Upgrade Guide. The guide also provides step-by-step instructions that you can follow as you upgrade from releases as early as 6.1.1.
This section describes the issues and workarounds for installation and upgrade:
Section 5.3.1, "Change the Transport Security Mode During Installation"
Section 5.3.3, "Oracle Internet Directory Servers Require Tuning After Installation"
Section 5.3.5, ""Enter Password" String Does Not Display Correctly During Installation"
Section 5.3.6, "Uninstalling a Language Pack With a "2" Designation Causes an Error"
Section 5.3.7, "Simple Mode Password File Not Converted During Upgrade"
Section 5.3.8, "Unnecessary Message Asks for SDK Migration Bundles During Upgrade"
Section 5.3.9, "Unable to Locate Bundles Needed for COREid 6.x Upgrades"
Section 5.3.11, "Challenge Parameter Rows Discarded During the Master Access Manager Upgrade"
Section 5.3.12, "No Translation Support for the SNMP Agent Installshield"
Section 5.3.13, "Installation of Identity Server 10.1.4.0.1 With Sun Java Directory Server 6.0"
5.3.1 Change the Transport Security Mode During Installation
A transport security mode is a method of communication between two points, such as a client and a server. Oracle Access Manager offers the following transport security modes for communication between components, as discussed in the Oracle Access Manager Installation Guide:
Open: Communication is not encrypted.
Simple: Communication is encrypted with Oracle Access Manager's internal CA.
Cert: Communication is encrypted with an external CA. With Cert mode, communications are encrypted using TLS v1, and both client and server must present an X.509 certificate (in base64 format) when establishing a connection.
By default, an Oracle Access Manager installation uses Open mode. This applies to directory connections and communication between Oracle Access Manager components, for example, the WebPass and Identity Server. In Open mode, the communication channel is open to eavesdroppers. Oracle recommends that you secure your network using SSL communication with the directory and Certificate mode across Oracle Access Manager components.
The next release of the Oracle Access Manager Installation Guide will include the following recommendation for transport security:
"During installation, Oracle Access Manager components default to Open mode. However, this does not provide secure communication between components such as Identity Servers and WebPass nor Access Server and WebGate, nor for LDAP connections. In Open mode, the communication channel is susceptible to eavesdropping. To provide a secure deployment, Oracle recommends that you choose Certificate (Cert) mode for transport security between Oracle Access Manager components, and SSL-enabled security between Oracle Access Manager components and directory servers."
After tuning Oracle Access Manager from the iPlanet administration console, the server fails to work. For example, after changing the number of threads in the native thread pool, the server fails to restart.
Do not use the iPlanet console for tuning. This can cause the server to remove any existing Oracle Access Manager configuration information. Use the following file to load the Oracle Access Manager Web components and retain the tuning parameters:
    $Web_Server_home\config\magnus.conf
5.3.3 Oracle Internet Directory Servers Require Tuning After Installation
After installing Oracle Access Manager against an Oracle Internet Directory, you need to tune the directory to ensure adequate performance when processing search requests and other functions.
Use the following ldapmodify command to tune Oracle Internet Directory:

    ldapmodify -D cn=orcladmin -w <adminPsswd> -h <host> -p <port> << eof
    dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
    changetype: modify
    add: orclinmemfiltprocess
    orclinmemfiltprocess: (|(obuseraccountcontrol=activated)(!(obuseraccountcontrol=*)))
    orclinmemfiltprocess: (|(!(obuseraccountcontrol=*))(obuseraccountcontrol=activated))
    eof

In the sample command, <host> and <port> refer to the Oracle Internet Directory installation host and port.
Note:
Be sure to include a space after the attribute name orclinmemfiltprocess: and at the start of each continuation line of the attribute value. There is no line break between the attribute orclinmemfiltprocess: and the continuation line. Repeat this step for each additional Oracle Internet Directory Server that you install. For more information, see the Oracle Access Manager Installation Guide.
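The note above is about LDIF line folding: a value that is too long for one line is continued on a following line that begins with a single space, and the reader joins the pieces back together. A stray line break without that space, or a missing space after the attribute name, produces a different (and silently ineffective) filter. The following POSIX shell script is an added example, not the release notes' own command: it generates the modify request with folded values, proves that the folded text unfolds back to exactly the two filters from the text, and only then hands it to ldapmodify. The DN, attribute and filter values are the ones in the release notes; the fold width and the ldapsearch read-back are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the release notes' own command: builds the LDIF for the
# orclinmemfiltprocess tuning of Oracle Internet Directory, folds the long
# values the way LDIF requires (a continuation line starts with a single
# space), and verifies that the folded text unfolds back to the two intended
# filters before it is handed to ldapmodify.  The DN, attribute and filter
# values come from the release notes; the fold width and the ldapsearch
# verification are assumptions of this example.

FILTER1='(|(obuseraccountcontrol=activated)(!(obuseraccountcontrol=*)))'
FILTER2='(|(!(obuseraccountcontrol=*))(obuseraccountcontrol=activated))'

# fold_ldif_attr <attribute> <value> [<width>]
# Prints "attribute: value" folded at <width> columns (default 60); every
# continuation line begins with one space, which the LDIF reader strips.
fold_ldif_attr() {
    _line="$1: $2"
    _w=${3:-60}
    while [ ${#_line} -gt "$_w" ]; do
        printf '%s\n' "$(printf '%s' "$_line" | cut -c1-"$_w")"
        _line=" $(printf '%s' "$_line" | cut -c$((_w + 1))-)"
    done
    printf '%s\n' "$_line"
}

# oid_tuning_ldif: the modify request for the dsaconfig entry.
oid_tuning_ldif() {
    printf '%s\n' 'dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory'
    printf '%s\n' 'changetype: modify'
    printf '%s\n' 'add: orclinmemfiltprocess'
    fold_ldif_attr orclinmemfiltprocess "$FILTER1"
    fold_ldif_attr orclinmemfiltprocess "$FILTER2"
}

# unfold_values: reads LDIF on stdin, joins continuation lines back onto the
# line they belong to, and prints the orclinmemfiltprocess values one per line.
unfold_values() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    sed -n 's/^orclinmemfiltprocess: //p'
}

# apply_oid_tuning <host> <port> <orcladmin password>
# Refuses to run unless the folded LDIF round-trips, then applies it.
apply_oid_tuning() {
    _vals=$(oid_tuning_ldif | unfold_values)
    [ "$_vals" = "$(printf '%s\n%s' "$FILTER1" "$FILTER2")" ] || {
        echo "LDIF folding check failed; not applying" >&2
        return 1
    }
    oid_tuning_ldif | ldapmodify -D cn=orcladmin -w "$3" -h "$1" -p "$2"
}

# verify_oid_tuning <host> <port> <orcladmin password>
# Reads the attribute back from the dsaconfig entry (assumed ldapsearch syntax
# of the Oracle Internet Directory client) so you can compare the stored values.
verify_oid_tuning() {
    ldapsearch -D cn=orcladmin -w "$3" -h "$1" -p "$2" \
        -b 'cn=dsaconfig,cn=configsets,cn=oracle internet directory' \
        -s base 'objectclass=*' orclinmemfiltprocess
}

# Stand-alone run: show the folded LDIF and the values it unfolds to.
oid_tuning_ldif
echo '--- unfolded values ---'
oid_tuning_ldif | unfold_values
```

Call apply_oid_tuning once per Oracle Internet Directory Server, then verify_oid_tuning on the same server; the two values read back should match FILTER1 and FILTER2 character for character.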
Support for the Siemens DirX directory server has been deprecated in this release. However, options to select and configure DirX appear on installation screens and on Identity System and Access System configuration pages in the System Console.
Ignore all Siemens DirX options in the product installer and configuration user interface.
5.3.5 "Enter Password" String Does Not Display Correctly During Installation
When running the installer in console mode using some language packs, the prompt for entering the LDAP password may be garbled.
The solution that works in most cases is to install all of the language support available on the computer where the Oracle Access Manager installation is being performed. Be sure all of the fonts that are required for the language are installed. Log in to the machine locally and choose the language to display on the login screen.
5.3.6 Uninstalling a Language Pack With a "2" Designation Causes an Error
You may be unable to remove (uninstall) a language pack with a designation 2. For example, you may not be able to uninstall using _uninstAccessLP_ko-kr2 after using _uninstAccessLP_ko-kr (and vice versa).
The following information is a workaround for this problem.
Complete the following steps. Korean (ko-kr) is used as the language in the following example; your environment will vary:
1. Copy _jvmAccessLP_ko-kr to a backup folder.
2. Run uninstaller.exe under _uninstAccessLP_ko-kr2. It should automatically remove both _jvmAccessLP_ko-kr and _uninstAccessLP_ko-kr2.
3. Copy _jvmAccessLP_ko-kr back to the original Component_install_dir/WebComponent/access/ directory.
4. Run uninstaller.exe under _uninstAccessLP_ko-kr. It should automatically remove _jvmAccessLP_ko-kr and _uninstAccessLP_ko-kr.
5. Restart the Identity Server, the Access Server, and the Web component Web servers.
5.3.7 Simple Mode Password File Not Converted During Upgrade
If the earlier Access Server is in Simple mode before the upgrade, during the upgrade the password.lst file might not be converted to password.xml. The result is that the Access Server cannot be started in the Services Window unless you use the command-line parameters to convey the passphrase on startup. Also, after upgrading a WebGate in Simple mode and starting the Web server, the following error may appear:
"Exception thrown during WebGate initialization" Error^Oracle AccessGate API is not initialized.
The initial Access System page appears. However, clicking on any link results in a "Server error" in the browser (no error number) with the above error echoed to the console. The system cannot be accessed.
The upgraded area does not have the updated password.xml file.
Note:
In releases before 10g (10.1.4), the password file is named and formatted as password.lst. Starting with release 10g (10.1.4), the password file is named and formatted as password.xml.
The following information is a workaround for this problem when the same Simple mode password is being used in the Identity System. In this case, you can copy the password.xml file from the upgraded Identity Server to the upgraded Access Server and WebGate as described in the procedure "Workaround when the same Simple mode password is used in the Identity System". You will be asked about the password immediately after selecting Simple mode.
However, if the password is not the same on the Identity Server as it is on the Access Server, skip to the following procedures. Again, you will be asked about the password immediately after selecting Simple mode:
Workaround when the Simple mode password is different on the Identity System and Access Server
Workaround when the Simple mode password is different on the Identity System and WebGate
Workaround when the same Simple mode password is used in the Identity System
If the same Simple mode password is being used in the Identity System, copy the password.xml file as follows:
1. Start the Access Server.
2. Restart the WebGate Web server.
If the Access System Simple mode password is not the same as the Identity System Simple mode password, you must change the password using the following tools and procedures.
Workaround when the Simple mode password is different on the Identity System and Access Server
1. Go to the folder where configureAAAServer is located. For example:
   AccessServer_install_dir\access\oblix\tools\configureAAAServer
2. Run the following executable:
   configureAAAServer chpasswd AccessServer_install_dir
3. Respond to prompts as directed on the screen.
4. Restart the Access Server.
Workaround when the Simple mode password is different on the Identity System and WebGate
1. Go to the directory:
   WebGate_install_dir\access\oblix\tools\configureWebGate
   where WebGate_install_dir is the directory in which WebGate is installed.
2. Run the following command:
   configureWebGate -i WebGate_install_dir -t WebGate -k
   The -k option results in prompts only for the password for Simple or Cert mode transport security.
3. Respond to prompts on the screen.
4. Restart the WebGate Web server.
For more information about the configureAAAServer and configureWebGate tools, see the Oracle Access Manager Access Administration Guide.
5.3.8 Unnecessary Message Asks for SDK Migration Bundles During Upgrade
During an upgrade, the 10g (10.1.4.0.1) installer asks for migration bundles and instructs you to place these in a specific directory. The following information provides a workaround for this problem:
Ignore the following message, which will be removed from the Software Developer Kit (SDK) installer.
    Please download and extract COREid 6.5 migration bundles
    To ensure success when upgrading a COREid 6.5 installation, you need to perform the following steps before you continue. For information, see the Oracle Access Manager Upgrade Guide chapter on preparing your environment.
    1) Log in to the download Web site.
    http://www.oracle.com/support/contact.html
    Retrieve appropriate _msg and _param files for the older version of this component. For example:
    Netpoint_65_orig_en_<Component>_msg.zip
    Netpoint_65_orig_<Component>_param.zip
    Note: Retrieve only the files that are relevant to your older installation. Files for version 6.5 include _65_ in their name; files for version 6.5.2 or later include _652_ in their name.
    Press ENTER to read the text [Type q to quit].
    3) Extract or unzip these files in to your <Component Installation Directory>. For example:
    <Component Installation Directory>/identity
    <Component Installation Directory>/access
    A directory named "orig" is created during this process. For example:
    <Component Installation Directory>/identity/oblix/orig.
    <Component Installation Directory>/access/oblix/orig.
    Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]
5.3.9 Unable to Locate Bundles Needed for COREid 6.x Upgrades
The Oracle Access Manager Upgrade Guide discussion on preparing release 6.x environments includes details about obtaining specific COREid 6.x bundles from the installation media before upgrading. However, the files are not available on the media.
The following information is a workaround for this problem. Before you upgrade from a COREid 6.x installation to 10g (10.1.4), you must perform the following steps to download the missing packages, which contain text files for use on any platform.
Note:
My Oracle Support was formerly MetaLink.
1. In your browser, enter the My Oracle Support URL and log in:
   https://support.oracle.com
2. Click Patches & Updates, then click Patch ID or Number.
3. In the Patch ID or Number field, enter 5724938, then click the Search button.
   The results of your search for Patch 5724938 are displayed with the description: UNABLE TO LOCATE MIGRATION BUNDLE FOR 6.5-10.1.4 UPGRADE.
   Note:
   The Platform is automatically specified as Microsoft Windows 2000 because the bundles contain only text files that can be used on any platform; there are no binary files.
4. Click the Download button and follow the instructions on the screen.
5. Before you continue upgrading, review the following discussions, then extract the files and finish preparing components as described in the Oracle Access Manager Upgrade Guide:
   Note:
   As described in "Ignore Bundles for Release 6.5 with Multi-language Capability", multi-language bundles are not needed and are not available.
Packages for Release 6.5.0.x
A new package has been added for release 6.5: Netpoint_65_orig_en_AccessServerSdk_msg.zip. Before you upgrade from Oracle Access Manager 6.5.0.x, you must download and add the following packages to your original Component_install_dir.
Extract 65-orig Packages to the Original Component_install_dir |
---|
Netpoint_65_orig_en_COREid_Server_msg.zip |
Netpoint_65_orig_COREid_Server_param.zip |
Netpoint_65_orig_en_Access_Manager_msg.zip |
Netpoint_65_orig_Access_Manager_param.zip |
Netpoint_65_orig_en_WebPass_msg.zip |
Netpoint_65_orig_WebPass_param.zip |
Netpoint_65_orig_en_Access_Server_msg.zip |
Netpoint_65_orig_Access_Server_param.zip |
Netpoint_65_orig_en_WebGate_msg.zip |
Netpoint_65_orig_WebGate_param.zip |
Netpoint_65_orig_en_AccessServerSdk_msg.zip |
Packages for Release 6.5.2.x Patch
Two new packages have been added for 6.5.2: Netpoint_652_orig_AccessServerSdk_param.zip and Netpoint_652_orig_en_AccessServerSdk_msg.zip. If you originally installed release 6.5.0.x, then patched to 6.5.2.x, you must download and add the following packages to your original Component_install_dir before the upgrade.
Extract 652_orig Packages to the Original Component_install_dir |
---|
Netpoint_652_orig_en_COREid_Server_msg.zip |
Netpoint_652_orig_COREid_Server_param.zip |
Netpoint_652_orig_en_WebPass_msg.zip |
Netpoint_652_orig_WebPass_param.zip |
Netpoint_652_orig_en_Access_Manager_msg.zip |
Netpoint_652_orig_Access_Manager_param.zip |
Netpoint_652_orig_en_Access_Server_msg.zip |
Netpoint_652_orig_Access_Server_param.zip |
Netpoint_652_orig_en_WebGate_msg.zip |
Netpoint_652_orig_WebGate_param.zip |
Netpoint_652_orig_AccessServerSdk_param.zip |
Netpoint_652_orig_en_AccessServerSdk_msg.zip |
Ignore Bundles for Release 6.5 with Multi-language Capability
The Oracle Access Manager Upgrade Guide states that certain multi-language packages may be required for an upgrade from release 6.5 to 10g (10.1.4). However, multi-language bundles are not needed and are not available. Ignore information in the Oracle Access Manager Upgrade Guide on "Preparing Multi-Language Installations."
When using Novell eDirectory, an error occurs during directory server updates for Identity Server installation. If you have a separate directory for policy data, this error also occurs during Policy Manager installation:
"Error 16: Unable to update Identity System Configuration - Unknown LDAP error occurred."
The index is applied with one exception for the obLPMname attribute, even though the error message may give the impression that the entire operation has failed.
The following is a workaround for this problem. For more information, see your Novell eDirectory documentation.
1. Dismiss the error message.
2. Using the Novell index management tool, manually index the obLPMname attribute for equality.
5.3.11 Challenge Parameter Rows Discarded During the Master Access Manager Upgrade
After you upgrade from Oracle Access Manager 7.0.4 to 10.1.4.0.1, any authentication scheme that contains multiple challenge parameter rows is truncated. Only the first challenge parameter row remains. The others are deleted.
Note:
This problem was fixed in release 10.1.4.2.0. After upgrading to 10.1.4.2.0, all challenge parameters are preserved.
5.3.12 No Translation Support for the SNMP Agent Installshield
There is no translation support for the SNMP agent installshield wizard.
5.3.13 Installation of Identity Server 10.1.4.0.1 With Sun Java Directory Server 6.0
Problem
Installation of a 10g (10.1.4) Identity Server with Sun Java Directory Server 6.0 fails when you are defining directory details. The following error will occur if you specify Sun Directory Server 5.x, and you supply the Sun Directory Server 6 hostname, port number, and credentials, and choose Yes to automatically update the LDAP server schema configuration:
Error 32: LDAP Invalid credentials. Or invalid directory type supplied. Or no such object.
This can also occur when installing the Policy Manager with the Sun Directory Server 6.
Cause
Certification of the Sun Java Directory Server 6.0 with Oracle Access Manager 10g (10.1.4) occurred after 10g (10.1.4.0.1) was released. As a result, during Identity Server installation there is no option to select Sun Java Directory Server 6.0. If Sun Directory Server 5.x is selected, the configuration fails when performing an automatic schema update.
When installing with Sun Java Directory Server 6.0, the automatic schema update option cannot be used. The schema must be updated manually.
Solution
Install Oracle Access Manager as described in the Oracle Access Manager Installation Guide, and choose the Sun Directory Server 5.x option.
Provide the Sun Directory Server 6 hostname, port number, and credentials.
Using either the Sun Java System Directory Server 6.0 Management Console, or ldapmodify command line, load the Oracle Access Manager schema and index files into Sun Java System Directory Server 6.0 using the following ldif files:
LDAP server instance hosting user data only:
IdentityServer_installdir/identity/oblix/data.ldap/common/iPlanet_user_schema_add.ldif
IdentityServer_installdir/identity/oblix/data.ldap/common/iPlanet5_user_index_add.ldif
LDAP server instance hosting user data and configuration data (or configuration data and policy data, or policy data only):
installdir/identity|access/oblix/data.ldap/common/iPlanet_oblix_schema_add.ldif
installdir/identity|access/oblix/data.ldap/common/iPlanet5_oblix_index_add.ldif
In the preceding path names, the pipe in identity|access means "or": if you are installing the Identity Server the path is IdentityServer_installdir/identity, and if you are installing the Policy Manager the path is PolicyManager_installdir/access.
Note:
For an example of the ldapmodify command, see the Sun document at: http://docs.sun.com/app/docs/doc/819-0995/6n3cq3avf?a=view
Proceed to Identity Server or Policy Manager setup, as usual.
Note:
Oracle Support strongly recommends that you apply the latest patch sets and bundle patch immediately after installation. For more information, see Section 5.1, "About Installation Packages, Patch Sets, Bundle Patches, and Newly Certified Agents".
This section describes removal issues and workarounds. It includes the following topics:
Section 5.4.2, "Removing the Default Administrator Language"
Section 5.4.3, "Rollback Issues After Upgrading to Oracle Access Manager 10g (10.1.4)"
You must stop and restart servers after uninstalling language packs. For example, suppose you have an Identity Server and a WebPass installed with a Korean Language Pack. After uninstalling the Korean language pack on each component host, you must stop and restart both the Identity Server Service and the WebPass Web server instance. This will re-initialize corresponding components with the proper language support.
For more information about installing and removing language packs, see the Oracle Access Manager Installation Guide.
Removing (uninstalling) the language pack associated with the default Administrator language that was chosen during installation is not supported. An error occurs if you remove this language pack and you may not be able to gain access to the Identity and Access Systems.
To recover, see the discussion of language pack issues in the Troubleshooting chapter of the Oracle Access Manager Installation Guide.
Changes in the way Oracle Access Manager 10g (10.1.4) uses the obVer attribute in oblixOrgPerson and oblixConfig may result in rollback issues following an upgrade from an earlier release to 10g (10.1.4). This will be documented in the next release of the Oracle Access Manager Upgrade Guide. For more information, see Section 5.9, "Documentation Issues".
The following workaround will solve the rollback issue and will be documented in the next release of the Oracle Access Manager Upgrade Guide.
Section 5.4.3.1, "Halting On-the-fly User Data Migration Phase 1"
Section 5.4.3.2, "Halting On-the-fly Migration of User Data: Phase 2"
Section 5.4.3.3, "Restarting On-the-fly User Data Migration"
When you upgrade from an earlier release to Oracle Access Manager 10g (10.1.4), the configuration data stored in the oblix tree of the directory server is migrated automatically and the value of the obVer attribute is changed to 10.1.4.0. However, user data is not migrated until the first login following the upgrade. This means that the obVer attribute value remains less than 10.1.4.0 in user data (in the OblixOrgPerson class).
Unless you temporarily halt the immediate (also known as on-the-fly) user data migration as described in the task overview, the first time a user logs in after the upgrade to 10g (10.1.4) that user's entry is migrated immediately: any existing challenge and response values for that user are encoded (@1# is appended to the end) and the obVer attribute value for that user is changed to 10.1.4.0 in the OblixOrgPerson class. The rollback process does not revert these changes. If you roll back to the previous release, the obVer value in the user's OblixOrgPerson entry remains 10.1.4.0 and the challenge and response values remain in encoded format.
Phase 1 must be performed after backing up data and before preparing host machines for the upgrade, as described in Chapter 5 of the Oracle Access Manager Upgrade Guide. Phase 1 includes setting the obVer attribute for the Master Administrator entry and then upgrading the schema and data to 10g (10.1.4). Phase 2 occurs after the schema and data upgrade. In Phase 2, you remove the Challenge and Response semantic types at both the tab level and the object class level.
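As an added example (not code from the release notes), the following Python script reads an LDIF export of user entries and reports which OblixOrgPerson entries on-the-fly migration has already touched, so that you know before a rollback which entries it will not revert; the challenge and response attribute names (obpasswordchallenge, obpasswordresponse) and the sample export are assumptions constructed for the example.

```python
# Added example, not code from the Oracle release notes: scan an LDIF export of
# user entries and report which OblixOrgPerson entries on-the-fly migration has
# already touched (obVer 10.1.4.0, challenge/response suffixed "@1#"), since a
# rollback does not revert them. The attribute names obpasswordchallenge and
# obpasswordresponse and the sample export are constructed assumptions.
import base64

MIGRATED_VERSION = "10.1.4.0"   # value written by the 10g (10.1.4) upgrade
ENCODED_SUFFIX = "@1#"          # appended to challenge/response at first login


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attribute: [values]}); handles folded
    continuation lines, base64 values ("::") and comment lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, dn, attrs = [], None, {}
    for line in logical + [""]:             # sentinel flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def classify_entry(attrs, challenge_attr, response_attr):
    """'not-oblix', 'not-migrated', 'migrated', or 'partial' when obVer and the
    challenge/response encoding disagree (check these by hand before rollback)."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "oblixorgperson" not in classes:
        return "not-oblix"
    version_new = attrs.get("obver", [""])[0] == MIGRATED_VERSION
    encoded = [v.endswith(ENCODED_SUFFIX)
               for a in (challenge_attr, response_attr)
               for v in attrs.get(a.lower(), [])]
    if version_new and all(encoded):
        return "migrated"
    if version_new or any(encoded):
        return "partial"
    return "not-migrated"


def find_migrated_users(ldif_text, challenge_attr="obpasswordchallenge",
                        response_attr="obpasswordresponse"):
    """Map every DN in the export to its migration state."""
    return {dn: classify_entry(attrs, challenge_attr, response_attr)
            for dn, attrs in parse_ldif(ldif_text)}


def obver_modify_ldif(dn, version):
    """LDIF change record of the form the release note uses to set obver."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: obver", f"obver: {version}", ""])


# Constructed sample export (not real data).
SAMPLE_EXPORT = """\
dn: cn=Master Admin,ou=People,o=company,c=us
objectclass: top
objectclass: OblixOrgPerson
cn: Master Admin
obver: 7.0.4
obpasswordchallenge: first pet
obpasswordresponse: rex

dn: cn=jdoe,ou=People,o=company,c=us
objectclass: top
objectclass: OblixOrgPerson
cn: jdoe
obver: 10.1.4.0
description: migrated on-the-fly at first login after the upgra
 de to 10.1.4
obpasswordchallenge: mother's maiden name@1#
obpasswordresponse:: c21pdGhAMSM=

dn: cn=svc-ldap,ou=People,o=company,c=us
objectclass: top
cn: svc-ldap
"""
```

Run find_migrated_users over an ldapsearch export of your user searchbase; every entry reported as migrated or partial keeps its 10.1.4.0 obVer and encoded values after a rollback.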
Before performing the following Phase 1 procedure, there are several conditions to take into account:
If OblixOrgPerson does not exist in the objectclass list of the user entry, then you must first add it as described in step 1. Otherwise, start with step 2.
After performing the last step, the lost password management feature will not work.
After temporarily halting on-the-fly migration of user data at first login, Oracle recommends that you stop processing or performing the following actions to ensure that user data will maintain backward compatibility:
Stop processing workflow tickets: for example, create user, change attributes, and the like.
Stop modifying Challenge and Response attributes from the Modify Profile page.
To temporarily stop the immediate migration of user data (Phase 1)
Add OblixOrgPerson to the Master Administrator's user entry, if needed:
ldapmodify.exe -h <Host> \
  -p <Port> -D <Bind DN> -w <Bind Password> \
  -f <ldif file containing attribute to be added>
The format of LDIF file to be created when adding OblixOrgPerson to the objectclass list is as follows. This example is for the Netscape Directory Server:
dn: <Administrator DN>
changetype: modify
add: objectclass
objectclass: OblixOrgPerson
Set the obVer attribute for the Master Administrator entry in the LDAP directory server to 7.0.4 using the following command:
ldapmodify.exe -h <Host> \
  -p <Port> -D <Bind DN> -w <Bind Password> \
  -f <ldif file containing attribute to be modified>
The format of LDIF file to be created is as follows. This example is for the Netscape Directory Server:
dn: <Administrator DN>
changetype: modify
replace: obver
obver: 7.0.4
Finish the remaining preparation tasks as described in Chapter 5 of the Oracle Access Manager Upgrade Guide.
Perform a schema and data upgrade for your deployment as described in Chapter 6 of the Oracle Access Manager Upgrade Guide, which includes instructions to perform Phase 2 of this procedure. For more information, see Section 5.4.3.2, "Halting On-the-fly Migration of User Data: Phase 2".
Before you perform Phase 2, you must have completed all activities in Chapter 5 as well as the following tasks described in Chapter 6 of the Oracle Access Manager Upgrade Guide. Chapter 6 prerequisite tasks include:
Upgrading the Schema and Data with the Master Identity Server
Upgrading the Master WebPass
Verifying the Identity System Schema and Data Upgrade
Uploading Directory Server Index Files
Backing Up Upgraded Identity Data
Note:
You must perform Phase 2 before any administrator or user login, even if you have a joint Identity and Access System deployment.
During Phase 2 you must remove the Challenge and Response semantic types at both the tab level and the object class level.
Caution:
When you finish this Phase 2 procedure, lost password management will not work.
When you finish Phase 2, Oracle recommends that you stop processing or performing the following actions to ensure that user data will maintain its backward compatibility:
Stop processing workflow tickets: for example, create user, change attributes, and the like.
Stop modifying Challenge and Response attributes from the Modify Profile page.
To temporarily stop the immediate migration of user data (Phase 2)
After upgrading the schema and data, change the value of obVer in the configuration base to 7.0.4 as follows:
ldapmodify.exe -h <Host> \
  -p <Port> -D <Bind DN> -w <Bind Password> \
  -f <ldif file containing attribute to be modified>
A bind DN for configuration data (also known as the configuration DN) is similar to the searchbase for user data. The configuration bind DN must be specified to identify the node in the DIT under which the Oracle Access Manager schema and all configuration data is stored for the Identity and Access Systems.
The format of LDIF file to be created is as follows. This example is for the Netscape Directory Server:
dn: o=oblix,<configuration DN>
changetype: modify
replace: obver
obver: 7.0.4
Restart the master Identity Server.
Go to the Identity System Console by specifying the URL for your environment, and then log in as the Master Administrator. For example:
http://hostname:port/identity/oblix
In the URL example, hostname refers to the machine that hosts the WebPass Web server, port refers to the HTTP port number of the WebPass Web server instance, and /identity/oblix connects to the Identity System Console.
Tab Level: Remove the Challenge and Response semantic types at the tab level, as follows:
Click Identity System Console, click User Manager Configuration, and then click Tabs.
From the Existing Tabs listed on the page, select Employees to display information about this Person class tab on the View Tab page.
Note:
Object Classes on the View Tab page may include OblixOrgPerson and others (gensiteorgperson, for example). The obVer attribute is a member of only the OblixOrgPerson class. There is no impact to other object classes.
On the View Tab page, click Modify Attributes to open the Modify Attributes page.
From the Attribute list select the attribute that is configured with Challenge as the Semantic Type, set the Semantic Type to None and click Save.
From the Attribute list select the attribute that is configured with Response as the Semantic Type, set the Semantic Type to None and click Save.
Click Done.
Object Class Level: Remove the Challenge and Response semantic types at the object class level, as follows:
Click Identity System Console, click Common Configuration, and then click Object Classes.
Select the person object class from the list, then click Modify Attributes to open the Modify Attributes page.
From the Attribute list select the attribute that is configured with Challenge as the Semantic Type, set the Semantic Type to None and click Save.
From the Attribute list select the attribute that is configured with Response as the Semantic Type, set the Semantic Type to None and click Save.
Click Done.
For details about restarting user data migration after validating that your deployment is successfully upgraded, see Section 5.4.3.3, "Restarting On-the-fly User Data Migration".
Before you perform this task, you must have performed all in-place upgrade tasks and validated that your entire upgraded deployment is operating as expected to ensure that no rollback is needed.
You use the procedure here to restart immediate (on-the-fly) user data migration:
When immediate (on-the-fly) user data migration was temporarily halted.
After validating that your upgraded deployment is operating as expected and that no rollback to the earlier release is needed
Note:
If you roll back to an earlier release after performing activities here, any user data that has been migrated will not be reverted.
In the following procedure you must reconfigure the attributes used for challenge and response at both the tab level and the object class level.
To restart on-the-fly user data migration
Tab Level: Reconfigure the Challenge and Response semantic types at the tab level, as follows:
Click Identity System Console, then click User Manager Configuration, click Tabs.
Select Employees from the list, then click Modify Attributes to open the Modify Attributes page.
From the Attribute list select the attribute that is used for Challenge, set the Semantic Type to Challenge and the Display Type to Single Line Text, then click Save.
From the Attribute list select the attribute that is used for Response, set the Semantic Type to Response and the Display Type to Password, then click Save.
Click Done.
Object Class Level: Reconfigure the Challenge and Response semantic types at the object class level, as follows:
Click Identity System Console, then click Common Configuration, click Object Classes.
Select the person object class from the list, then click Modify Attributes to open the Modify Attributes page.
From the Attribute list select the attribute that is used for Challenge, set the Semantic Type to Challenge and the Display Type to Single Line Text, then click Save.
From the Attribute list select the attribute that is used for Response, set the Semantic Type to Response and the Display Type to Password, then click Save.
Click Done.
Set the obVer attribute for oblixConfig (the configuration data root node in the LDAP directory server) to 10.1.4.0 as follows:
ldapmodify.exe -h <Host> \
  -p <Port> -D <Bind DN> -w <Bind Password> \
  -f <ldif file containing attribute to be modified>
The format of LDIF file to be created is as follows. This example is for the Netscape Directory Server:
dn: o=oblix,<configuration DN>
changetype: modify
replace: obver
obver: 10.1.4.0
Restart all upgraded Identity Servers and Access Servers.
This section describes issues and workarounds for the Access System. It includes the following topics:
Section 5.5.1, "Disabling the User Cache for the Access Server"
Section 5.5.2, "WebGate Diagnostics URL Incorrectly Report the Access Server Is Down"
Section 5.5.3, "WebGate Is Unable to Connect to Its Associated Access Server"
Section 5.5.5, "Access Server Memory Usage Rises After Configuring a Directory Server Profile"
Section 5.5.6, "The Passthrough Challenge Parameter Does Not Work on a Domino Web Server"
Section 5.5.7, "Steps for Integrating the Access System with OracleAS Single Sign-On 10.1.2.0.2"
Section 5.5.8, "Return Type Parameters Are Case-Sensitive in This Release"
Section 5.5.9, "Single Sign-On with Oracle Identity Management Fails"
Section 5.5.10, "Policy Manager API Support Used Incorrectly in Help and Access System Console"
Section 5.5.11, "webgate.so Not Found Error After Form-based Login"
As discussed in the Oracle Access Manager Access Administration Guide, you can configure a user cache for the Access Server. The guide omits the value you supply to disable this cache.
Provide a value of -1 in the Maximum Elements in User Cache field for the Access Server to disable the cache.
As discussed in the Oracle Access Manager Access Administration Guide, the WebGate diagnostics URL reports the status of the Access Server or Servers to which the WebGate is connected. In some cases, the landing page for this URL can report that the Access Server or Servers are down when the servers are actually running.
This problem occurs when the number of Access Servers that are associated with a WebGate is higher than the value of the WebGate's Maximum Connections property. In this type of situation, the WebGate diagnostics page displays a status of Down for all Access Servers that exceed the Maximum Connections, irrespective of their status.
For example, suppose that you set the Maximum Connections value for WebGate A to 1 and you associate three Access Servers with it, AAA1, AAA2, and AAA3. The diagnostics page will indicate that AAA1 is up and AAA2 and AAA3 are down. If AAA1 is down, the page will indicate that AAA2 is up and AAA3 is down.
To fix this problem, ensure that there are more connections configured between the WebGate and the Access Servers than there are Access Servers.
To configure the Maximum Connections field:
In the Access System Console, click Access System Configuration, then click AccessGate Configuration.
The Search for AccessGates page appears.
Enter search criteria on this page, or click the All button.
Click Go.
AccessGates that match your search criteria are listed on this page.
Click the link for a WebGate.
The Details for AccessGate page appears.
Click Modify.
The Modify AccessGate page displays the settings for this WebGate.
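The following Python model of the misreport described above is an added example, not code from the release notes; the server names AAA1 to AAA3 are the note's own, and the rule that running servers receive the connections in configured order is this example's reading of the behaviour the note describes.

```python
# Added example, not part of the release notes: model how the WebGate diagnostics
# page reports Access Server status when Maximum Connections is lower than the
# number of associated Access Servers, and flag that configuration. The ordering
# rule (running servers take the connections in configured order) is an
# assumption drawn from the note's AAA1/AAA2/AAA3 example.

def reported_status(max_connections, servers):
    """servers: list of (name, actually_running). Return {name: 'Up'|'Down'}
    as the diagnostics page shows it: only servers that receive one of the
    max_connections connections are reported Up; every other server shows
    Down regardless of its real state."""
    report, remaining = {}, max_connections
    for name, running in servers:
        if running and remaining > 0:
            report[name] = "Up"
            remaining -= 1
        else:
            report[name] = "Down"
    return report


def false_downs(max_connections, servers):
    """Names of servers that are running but reported Down."""
    report = reported_status(max_connections, servers)
    return [name for name, running in servers if running and report[name] == "Down"]


def check_webgate(max_connections, servers):
    """Return None when the diagnostics page is trustworthy, or a one-line
    finding when the WebGate has more associated Access Servers than
    connections (the condition under which the page misreports). The note's
    fix is to configure more connections than Access Servers."""
    if len(servers) > max_connections:
        return (f"{len(servers)} Access Servers but Maximum Connections="
                f"{max_connections}: diagnostics will show Down for running "
                f"servers {false_downs(max_connections, servers)}")
    return None


if __name__ == "__main__":
    # The release note's scenario: WebGate A, Maximum Connections 1, three servers.
    all_up = [("AAA1", True), ("AAA2", True), ("AAA3", True)]
    print(reported_status(1, all_up))                           # AAA1 Up, AAA2/AAA3 Down
    print(reported_status(1, [("AAA1", False)] + all_up[1:]))   # AAA2 Up, AAA3 Down
    print(check_webgate(4, all_up))                             # None: enough connections
```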
If you have installed a WebPass or a WebGate on IIS 6 and enabled logging, the WebPass or WebGate may be unable to connect to its associated Identity or Access Server. In particular, this problem occurs when you send logs to an MPFileLogWriter. It does not occur when you send logs to a FileLogWriter.
The problem occurs with the MPFileLogWriter when there is no anonymous user with access to the directory that contains the log files. MPFileLogWriter uses a file named <logfile name>.lck to synchronize multiple processes that write to the corresponding log file. The MPFileLogWriter write-locks the .lck file before writing to the oblog.log file.
Configure an anonymous user with access to the directory that contains the log files. In some circumstances, the user context used to acquire the write-lock will be the IIS Anonymous web user. By default, this user is named IUSR_<computer name>, but you can configure any anonymous user for this purpose.
You can specify a redirection action for authentication or authorization success or failure. However, if you specify this action relative to the Web server, it may fail when the WebGate being used is installed on an Oracle HTTP Server version 2.
For example, you may be redirected using an HTTP redirect instead of HTTPS when you do the following:
In the Policy Manager, create a policy to protect a resource.
Protect the resource using a form-based authentication scheme.
Specify a redirection action for authorization success.
In a browser, enter the URL for the protected resource.
Provide login credentials when presented with the login form.
To work around this problem, add the following lines in the Virtual host definition section of the ssl.conf file:
LoadModule certheaders_module modules/mod_certheaders.so
AddCertHeader HTTPS
AddCertHeader SSL_CLIENT_CERT
SimulateHttps On
After configuring a directory server profile, the memory usage for the Access Server or Policy Manager becomes too high.
When you configure a directory server profile, you are prompted to provide a maximum session time. The default value for the session time is 0 (unlimited). This may cause a performance issue, because the size of the caches for LDAP connections to the Access Server and Policy Manager increase over time. Oracle Access Manager does not control these caches directly.
To prevent the cache size from causing a performance problem, set the value of the Maximum Session Time (Minutes) for the directory server profile to a finite value, for example, 10 hours, as follows:
From the Identity System Console click System Configuration, then click Directory Profiles.
Click the link for the profile that you want to modify.
In the Max. Session Time (Min.) field, set the value to 600.
There is a problem with specifying the passthrough: challenge parameter in some form-based authentication schemes. In particular, this parameter does not work on a Domino Web server when using the POST method for form-based login.
There is no solution for this problem at this time.
The Oracle Access Manager Integration Guide provides a chapter on integrating the Access System's single sign-on with OracleAS Single Sign-On. In addition to following the information in the Oracle Access Manager Integration Guide, you must also complete the following procedure to integrate the Access System with OracleAS Single Sign-On 10.1.2.0.2.
To configure the integration:
Follow the steps in the chapter on integrating the Access System's single sign-on with OracleAS Single Sign-On in the Oracle Access Manager Integration Guide.
In the Access System Console, click System Configuration, then click Server Settings, and configure the following logout URL:
http://[host.domain]:[port]/pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F[host.domain]%3A[port]
URL-encode the p_done_url value.
See the Oracle Application Server Single Sign-On Administrator's Guide for release 10.1.2.0.2 for details on configuring the logout link for single sign-on. A sample JSP that can be used for this purpose is included at the end of this release note.
If you use the sample JSP, go to the Access System Console, click Access System Configuration, then click AccessGate Configuration, and include the following in the LogOutURLs parameter for every WebGate in your environment:
/access/oblix/lang/en-us/style2/oblixlogo.gif
The following is a sample logout.jsp file:
<!-- Copyright (c) 1999, 2003, Oracle. All rights reserved. -->
<%@page autoFlush="true" session="false"%>
<%
// Declare English Message Strings
String msg1 = "Single Sign-Off";
String msg2 = "Application Name";
String msg3 = "Logout Status";
String msg4 = "ERROR: The return URL value not found.";
String msg5 = "ERROR: Logout URL for partner applications not found.";

// Get the user language preference
String userLocaleParam = null;
java.util.Locale myLocale = null;

// Get the user locale preference sent by the SSO server
try {
    userLocaleParam = request.getParameterValues("locale")[0];
} catch(Exception e) {
    userLocaleParam = null;
}

if( (userLocaleParam == null) || userLocaleParam.equals("") ) {
    myLocale = request.getLocale();
} else {
    if(userLocaleParam.indexOf("-") > 0 ) {
        // SSO server sent the language and territory value (e.g. en-us)
        myLocale = new java.util.Locale(userLocaleParam.substring(0, 2),
                                        userLocaleParam.substring(3, 5));
    } else {
        // SSO server sent only the language value (e.g. en)
        myLocale = new java.util.Locale(userLocaleParam, "");
    }
}

// The following two lines will be used only for the Multilingual support with
// proper resource bundle class supplied
// java.util.ResourceBundle myMsgBundle
//     = java.util.ResourceBundle.getBundle("MyMsgBundleClassName", myLocale);

// Get the message string in the appropriate language using the message key.
// Use this string to display the message in this page.
// String mesg = myMsgBundle.getString("mesg_key");
%>
<html>
<body bgcolor="#FFFFFF">
<h1><%=msg1%></h1>
<%
String done_url = null;
int i = 0;

// Get the return URL value
try {
    done_url = request.getParameterValues("p_done_url")[0];
} catch(Exception e) {
    done_url = "";
}

// Get the application name and logout URL for each partner application
try {
%>
<b> <%=msg2%> <%=msg3%> </b> <br>
<!-- Substitute an actual host, domain, and port for myhost.us.mydomain.com:7777
     that points to the WebGate. -->
<img src="http://myhost.us.mydomain.com:7777/access/oblix/lang/en-us/style2/oblixlogo.gif">
<%
    for(;;) {
        i++;
        String app_name = request.getParameterValues("p_app_name"+i)[0];
        String url_name = request.getParameterValues("p_app_logout_url"+i)[0];
%>
<%=app_name%> <img src="<%=url_name%>"> <br>
<%
    }
} catch(Exception e) {
    // done_url is set to "" above when p_done_url is absent, so check both
    if(done_url == null || done_url.equals("")) {
%>
<%=msg4%> <br>
<%
    }
    if(i>1) {
%>
<br> <a href="<%=done_url%>">Return</a>
<%
    } else {
%>
<%=msg5%><br>
<%
    }
}
%>
</body>
</html>
In this release, certain authentication and authorization action parameters are case-sensitive. For example, in previous releases you could set up a policy domain in the Policy Manager and include an authentication or authorization action that uses the cookie parameter. In this release, if you do this a cookie will not be set for the action. You can test this configuration issue by accessing the protected resource from a browser and monitoring the HTTP traffic to the browser.
The workaround for this issue is to use the following action type parameters in policies, preserving the case:
Cookie
HeaderVar
If you attempt to implement single sign-on between Oracle Identity Management 9.0.2 and Oracle Access Manager 10g (10.1.4), you may encounter a problem. If you configure authentication using HTTP headers instead of cookies, the headers are only supported if they use ASCII text. To integrate an HTTP header with non-ASCII data, you need to install a patch. Contact Oracle Support and ask for a patch for bug 5552617.
The "AM Service State" in previous Access System Console pages was renamed to "Access Management Service". In 10.1.4 Access Server and AccessGate configuration pages, "Access Management Service" appears correctly.
However, the following product areas incorrectly refer to "Policy Manager API Support" rather than "Access Management Service":
Access Server Cluster configuration page
Help for Access Server and AccessGate configuration pages
After successful authentication, if you click the Back button in the browser window, you might get an error for access/oblix/apps/webgate/bin/webgate.so.
When form-based authentication is used, Oracle Access Manager creates a form login cookie that holds information about the requested resource. On successful authentication, the state of the cookie changes. When the user clicks the Back button, the login form appears. When reposted, the form login cookie no longer holds redirection details.
The ObSSOCookie is also sent with the form login cookie. The ObSSOCookie is correctly checked. As the form login cookie state changes, the form-based authentication does not occur and the form action is considered as a request for the resource.
This section describes issues and workarounds for the Identity System. It includes the following topics:
Section 5.6.2, "Auditing for the Identity System Ceases to Work"
Section 5.6.3, "Identity Server Crashes if It Cannot Find a Style Sheet"
Section 5.6.4, "WebPass Is Unable to Connect to Its Associated Identity Server"
Section 5.6.6, "Errors Are Found in the HTTP Logs After Setting Up the Identity System"
Section 5.6.7, "Reports With Non-ASCII Characters Are Not Imported Correctly in Excel"
Section 5.6.10, "Data Is Lost When Saving an Object Profile in Org. Manager"
Section 5.6.12, "Incorrect Path Setting for Running Sample WSDL Code"
Section 5.6.13, "User Creation Might Fail When You Have Multi-byte Characters in the Password"
Section 5.6.14, "Modifying Challenge and Response Phrases for Lost Password Management from a Panel"
Section 5.6.15, "Workflow Buttons Might Appear Disabled with Firefox 3.5 on Linux"
The Identity System deletes user entries when you attempt to modify an RDN attribute value. The RDN is the left-most attribute in a DN. Typically, the RDN attribute is cn or Full Name.
This problem occurs when you use Oracle Internet Directory as the back-end repository.
To fix this problem:
Edit the file ldapreferentialintegrityparams.xml in the following directory:
Identity_Server_installation_directory\identity\oblix\data\common
Change the value of the parameter referential_integrity_using from oblix to ds, as follows:
<NameValPair ParamName="referential_integrity_using" Value="ds"/>
Save the file.
Restart the Identity Server for the changes to take effect.
You should be able to modify the RDN attribute value without any problem.
If you have multiple instances of the Identity Server installed, make this change to every instance of the Identity Server.
When you have auditing configured for multiple Oracle Real Application Cluster (Oracle RAC) databases, auditing will work correctly for a while. However, after shutting down and restarting an Oracle RAC instance other than the one that was shut down the last time, auditing stops.
To avoid this issue, restart the Identity Server.
After you customize a style sheet, the Identity Server crashes or issues an error about a Win32 exception being caught.
If you have used backslash characters as path separators in your stylesheets in xsl:include constructs, replace the backslashes with forward slash characters. For example, you would want to change the following:
<xsl:include href=".\style.xsl" />
To this:
<xsl:include href="./style.xsl" />
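As an added example (not from the release notes), the following Python script finds xsl:include hrefs that use backslash separators in a stylesheet tree and rewrites them with forward slashes, leaving backslashes elsewhere in the stylesheet untouched; the sample stylesheet text is constructed.

```python
# Added example, not from the release notes: locate xsl:include hrefs written
# with backslash separators (the pattern behind the Identity Server crash) and
# rewrite them with forward slashes. The sample stylesheet is constructed.
import os
import re

# href attribute of an <xsl:include ...> element, single- or double-quoted.
XSL_INCLUDE_HREF = re.compile(
    r'(<xsl:include\b[^>]*?\bhref\s*=\s*)(["\'])([^"\']*)\2')


def fix_include_separators(xsl_text):
    """Return (rewritten_text, count) where count is the number of xsl:include
    hrefs that contained a backslash. Backslashes outside those hrefs (for
    example in select expressions) are left alone."""
    changed = 0

    def repl(match):
        nonlocal changed
        prefix, quote, href = match.groups()
        fixed = href.replace("\\", "/")
        if fixed != href:
            changed += 1
        return f"{prefix}{quote}{fixed}{quote}"

    return XSL_INCLUDE_HREF.sub(repl, xsl_text), changed


def fix_stylesheet_tree(root_dir, dry_run=True):
    """Walk root_dir for .xsl files and return {path: count of hrefs fixed};
    the files are rewritten in place only when dry_run is False."""
    findings = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if not fn.lower().endswith(".xsl"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
            new_text, count = fix_include_separators(text)
            if count:
                findings[path] = count
                if not dry_run:
                    with open(path, "w", encoding="utf-8") as fh:
                        fh.write(new_text)
    return findings


# Constructed sample: two bad includes, one correct one, one unrelated backslash.
SAMPLE_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:include href=".\\style.xsl" />
  <xsl:include href='..\\common\\header.xsl'/>
  <xsl:include href="./footer.xsl" />
  <xsl:variable name="sep" select="'\\'"/>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    fixed_text, n = fix_include_separators(SAMPLE_XSL)
    print(f"{n} xsl:include href(s) rewritten")
    print(fixed_text)
```

Run fix_stylesheet_tree against the Identity Server's stylesheet directory with dry_run=True first to see which files would change.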
If you have installed a WebPass on IIS 6 and enabled logging, the WebPass may be unable to connect to its associated Identity Server. In particular, this problem occurs when you send logs to an MPFileLogWriter. It does not occur when you send logs to a FileLogWriter.
The problem occurs with the MPFileLogWriter when there is no anonymous user with access to the directory that contains the log files. MPFileLogWriter uses a file named <logfile name>.lck to synchronize multiple processes that write to the corresponding log file. The MPFileLogWriter write-locks the .lck file before writing to the oblog.log file.
Configure an anonymous user with access to the directory that contains the log files. In some circumstances, the user context used to acquire the write-lock will be the IIS Anonymous web user. By default, this user is named IUSR_<computer name>, but you can configure any anonymous user for this purpose.
After configuring a directory server profile, the memory usage for the Identity Server becomes too high.
When you configure a directory server profile, you are prompted to provide a maximum session time. The default value for the session time is 0 (unlimited). This may cause a performance issue, because the size of the caches for LDAP connections to the Identity Server increase over time. Oracle Access Manager does not control these caches directly.
To prevent the cache size from causing a performance problem, set the value of the Maximum Session Time (Minutes) for the directory server profile to a finite value, for example, 10 hours, as follows:
From the Identity System Console click System Configuration, then click Directory Profiles.
Click the link for the profile that you want to modify.
In the Max. Session Time (Min.) field, set the value to 600.
After completing the process described in the Oracle Access Manager Installation Guide chapter on setting up the Identity System, if you installed Japanese language packs you may see errors in the following log files:
ORACLE_OHS_HOME/Apache/Apache/logs/error_log.*
Where ORACLE_OHS_HOME is the installation directory for the Oracle HTTP Server. These errors have a format similar to the following example:
[Sun Jun 4 16:31:06 2006] [error] [client 12.345.678.99] [ecid: 1149406266:12.345.678.82:28663:0:3,0] File does not exist: /home/as1014/as1014coreid/COREid/webcomponent_3/identity/oblix//apps/admin/bin/com/oblix/data/resource.class
These errors have no impact, and can be ignored.
After modifying and exporting object class attributes, a report.csv file is created. In the Japanese Locale or Simplified Chinese Locale, there are encoding problems due to a Microsoft Excel limitation that cannot process CSV files containing data in UTF-8 encoding.
To process the exported report, complete the process below.
Rename report.csv to report.txt.
Open report.txt in Excel 2003 (Excel 2000 does not support UTF-8 encoding).
In the text import wizard, choose UTF-8 as the encoding and comma as the field separator.
Click Finish.
In multi-language environments, Configuration tab names in the Identity System Console (User Manager Configuration, Group Manager Configuration, Org. Manager Configuration) may be only partially translated. Only the word "Configuration" may be translated, not the application name before it.
For example, when viewing the Identity System Console using a browser, the application name "User Manager" on the User Manager Configuration tab might not be translated.
There is no solution for this problem at this time.
In the Identity System Console, the display names that appear as values for items in the list of display types (radio button, checkbox, and so on) may be corrupt due to a known limitation with Java Applets and internationalized characters. The browser's JVM displays only those characters that are in the current locale. Internationalized characters are displayed correctly in applets only if you have set the browser to the same locale.
Set the browser to the locale used when setting the display name value.
When saving new or modified information in an object profile in the Org. Manager application, some of the data is lost. This problem occurs in Org. Manager tabs that do not contain any panels.
To ensure that there is no loss of data when modifying object profiles in Org. Manager, you should configure at least one panel for the tab. This panel should contain the same attributes as the Header Panel for the tab.
For example, if the header panel contains two attributes named Location Title and Location Name, you would do the following:
From the Identity System landing page, select the Identity System Console.
Click Org. Manager Configuration.
Click Tabs.
Click the link for the tab where you want to add panels.
Click View Object Profile.
Click Configure Panels.
Click Create.
On the Create Panel page, provide a panel name and add the Location Title and Location Name attributes.
The Oracle Access Manager Developer Guide states that sample UDDI registration programs in .NET and Java format are provided in the following locations:
webpass_install_dir\oblix\WebServices\UDDI\dotnet
webpass_install_dir\oblix\WebServices\UDDI\java
However, the actual paths are as follows:
webpass_install_dir\oblix\WebServices\samples\UDDI\dotnet
webpass_install_dir\oblix\WebServices\samples\UDDI\java
The Oracle Access Manager Developer Guide section on "Invoking a WSDL-Based Web Service Using Java" states that when compiling and running the sample code, you set the path to your Access Manager SDK installation as follows:
set PATH=f:\temp\AccessServerSDK\oblix\lib;F:\j2sdk1.4.2_05\bin;path
However, you actually set the path to your Access Manager SDK installation as follows:
set PATH=AccessServerSDK_install_dir\oblix\lib;F:\j2sdk1.4.2_05\bin;%PATH%
Where AccessServerSDK_install_dir is the directory where the Access Manager SDK was installed.
Problem:
When you create a user with multi-byte characters in the password using a non-English keyboard, user creation might fail. You might see the error: Directory Server Password Policy violated.
Cause
This problem will occur when you have the 7-bit check plug-in enabled for the "uid" and "userpassword" attributes. In this case, modifying a password for an existing user forces the "7-bit check" for the newly entered password. If the newly entered password contains multi-byte characters, then it does not qualify as "7-bit clean". The product is designed to function in this way.
For example, when creating a workflow, the values are stored under the "obcontainerId=workflowInstances,o=Oblix,o=company,c=us" node. The password value is stored as "obattrvals: <value>" and is encoded as "7-bit clean". When the Approver approves the workflow, the password value is decrypted and stored under the "userpassword" attribute.
Solution
The following solution is now documented in the Oracle Access Manager Identity and Common Administration Guide, "Troubleshooting" section in Appendix F.
If you want "7-bit check" to be enabled for workflow steps you need to write your own plug-ins.
Note:
Your directory server might not support the 7-bit check. In any case, you must be able to create a user with multi-byte characters.
If you want a user password (or any other attribute) to contain multi-byte characters, you must disable the "7-bit check" for the specific attribute. The following procedure refers to steps for a Sun (formerly iPlanet) directory server. Your details and steps might be different. See your vendor documentation for more information.
To disable the 7-bit check
Log in to your directory server as an administrator.
Click your directory server instance under "Server Group".
Go to the configuration tab for the directory server instance.
Expand the "Plug-ins" node to display the list of plug-ins that are applied to your directory server instances.
Click "7-bit check" to display the list of attributes that are acted upon by this plug-in.
Remove the required attributes or disable the plug-in entirely, as follows:
Remove "obattrvals".
Disable the plug-in by clicking the Advanced button and set "nsslapd-pluginenabled" to "off".
A user can modify the challenge and response used for lost password management by modifying phrases in his own user profile. However, changing the Challenge/Response using a Selection box in a Panel results in an unexpected error:
Challenge phrase is blank. Provide values for all challenge phrases
Note:
Ignore this topic if you have a fresh installation of Oracle Access Manager 10g (10.1.4.3), which includes the latest changes to basic.xsl and misc.js. You have no previous customizations to update and need not perform any of the steps here.
To help resolve this issue, changes have been made to basic.xsl (a typical wrapper stylesheet) and misc.js (a system-level file used by many stylesheets). These updated files reside in LPMChallengeResponsePatch.zip and are available with bundle patch 10.1.4.2.0-BP04. These files and the changes they contain need to be introduced in your deployment.
LPMChallengeResponsePatch.zip is included in each platform zip file for the 10.1.4.2.0-BP04 bundle patch. You can obtain the patch and the LPMChallengeResponsePatch.zip as described in following steps. However, you will not actually use any other bundle patch components.
To download Patch ID 7113405 in the 10.1.4.2.0-BP04 bundle patch
On the machine that will host the bundle patch files, create a temporary directory to contain the platform-specific bundles that you will download. For example:
Go to My Oracle Support and login as usual:
https://support.oracle.com
Follow instructions in Section 5.1.2.2, "Retrieving the Latest Bundle Patch" to retrieve Patch ID 7113405.
In the temporary directory where you stored the downloaded zip file, unzip to extract component-specific bundles and LPMChallengeResponsePatch.zip.
Refer to usage instructions in the topic "Details for Bug 6804657" in the companion Oracle Access Manager Bundle Patch Notes.
For more information, see "Error When Resetting the LPM Challenge or Response Phrase" in the troubleshooting chapter of the Oracle Access Manager Identity and Common Administration Guide.
In the Workflow Definition applet, Defined Steps panel, “Defined steps” buttons such as New, Modify, Delete Step, and Insert Step, can appear disabled when using Firefox 3.5.x under Linux with newer JRE versions. However these buttons are functionally working.
This section describes issues and workarounds for third-party integrations. It includes the following topics:
Section 5.7.1, "Users Receive Errors When Accessing WebLogic Resources"
Section 5.7.2, "The Deploy Link on the WebLogic Console Does Not Respond to Users Without a Role"
Section 5.7.3, "No Error Is Displayed When You Create a WebLogic Group that Already Exists"
Section 5.7.4, "Double-Byte Language Packs Do Not Work with the WebLogic SSPI Connector"
Section 5.7.5, "Integrating with Oracle Application Server Single Sign-On"
Users can receive errors when using the WebLogic Application Server version 9.2 with the Oracle Access Manager 10.1.4 SSPI Connector.
Specifically, users can receive a "not authorized" error when accessing pages that they should be able to according to the policies configured in Oracle Access Manager.
When you deploy an application on WebLogic 9.2, be sure that you deploy it with the appropriate deployment descriptors for Web applications. The deployment descriptors for Web applications are web.xml and weblogic.xml. Also be sure to deploy the application with deployment descriptors for EJB applications. The files ejb-jar.xml and weblogic-ejb-jar.xml are the deployment descriptors for EJB applications.
After configuring the WebLogic Server SSPI Connector, if a non-administrative user selects the Deploy link, the WebLogic Server Console may not respond. That is, the Deploy link no longer responds to users who are logged in without a role.
The problem manifests differently in different environments:
When the connector is deployed against a WebLogic Server instance running on RedHat Enterprise Linux AS4.0 or Solaris 10, if no application was previously deployed, the link does respond to users without a role.
When the connector is configured against a WebLogic Server instance running on Solaris 8, the link fails to respond whether or not an application had been previously deployed.
The error also differs slightly depending on your version of WebLogic Server. On WebLogic Server 8.1, the following WebLogic Console error message is shown: "User does not have access to this page." No WebLogic Console error message is displayed on WebLogic Server 9.2. Instead, the user receives the message "The page cannot be displayed."
There is no workaround at this time.
When using WebLogic Console for WebLogic Server 9.2 on Red Hat Enterprise Linux AS 4.0 and Solaris 10, if you create a group that already exists, the WebLogic Server Console does not display an error message. The group creation page appears without an error message. However, an exception stack trace is generated.
There is no known workaround at this time.
When you install the WebLogic SSPI connector, you are prompted to choose a language. If you select Japanese, Simplified Chinese, or Traditional Chinese, the installation appears to complete successfully. However, the files are not successfully extracted and no directory for the selected language is created in install_dir/connector/oblix/lang.
If you try to extract the language pack for a previously installed connector, an error message similar to the following is displayed, "Please specify existing Access installation directory for installing Oracle Access Manager 10.1.4.0.1 Access System Japanese Language Pack. Please specify a directory name or press Enter."
If you then try to specify the installation directory of the SSPI connector, you receive the following message, "This directory does not exist. Please enter a valid Oracle Access Manager installation location."
Without the language pack properly installed and the appropriate properties files extracted, the configureWebgate, configureAccessGate, and PolicyDeployer tools display characters incorrectly.
In this release, affected Japanese, Simplified Chinese, and Traditional Chinese characters are replaced with English characters.
In the Oracle Access Manager Integration Guide, the chapter on "Configuring the Access System for OracleAS Single Sign-On 10.1.2.0.2" is incomplete. The following is correct information on this topic.
Follow the steps in the rest of the chapter on "Configuring the Access System for OracleAS Single Sign-On 10.1.2.0.2".
In the Access System Console, click System Configuration, then click Server Settings, and configure the following logout URL:
http://[host.domain]:[port]/pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F[host.domain]%3A[port]
URL-encode the p_done_url value.
See the Oracle Application Server Single Sign-On Administrator's Guide for release 10.1.2.0.2 for details on configuring the logout link for single sign-on. A sample JSP that can be used for this purpose is included at the end of this release note.
If you use the following sample JSP, go to the Access System Console, click Access System Configuration, then click AccessGate Configuration, and include the following in the LogOutURLs parameter for every WebGate in your environment:
/access/oblix/lang/en-us/style2/oblixlogo.gif
The following is a sample logout.jsp file:
<!-- Copyright (c) 1999, 2003, Oracle. All rights reserved. -->
<%@page autoFlush="true" session="false"%>
<%!
// HTML-escaping helper: the request parameters below are reflected into
// the page, so they are escaped before being written out.
private static String esc(String s) {
    if (s == null) return "";
    StringBuffer sb = new StringBuffer();
    for (int k = 0; k < s.length(); k++) {
        char c = s.charAt(k);
        if (c == '<') sb.append("&lt;");
        else if (c == '>') sb.append("&gt;");
        else if (c == '&') sb.append("&amp;");
        else if (c == '"') sb.append("&quot;");
        else sb.append(c);
    }
    return sb.toString();
}
%>
<%
// Declare English Message Strings
String msg1 = "Single Sign-Off";
String msg2 = "Application Name";
String msg3 = "Logout Status";
String msg4 = "ERROR: The return URL value not found.";
String msg5 = "ERROR: Logout URL for partner applications not found.";

// Get the user language preference
String userLocaleParam = null;
java.util.Locale myLocale = null;

// Get the user locale preference sent by the SSO server
try {
    userLocaleParam = request.getParameterValues("locale")[0];
} catch(Exception e) {
    userLocaleParam = null;
}
if( (userLocaleParam == null) || userLocaleParam.equals("") ) {
    myLocale = request.getLocale();
} else {
    if(userLocaleParam.indexOf("-") > 0 ) {
        // SSO server sent the language and territory value (e.g. en-us)
        myLocale = new java.util.Locale(userLocaleParam.substring(0, 2),
                                        userLocaleParam.substring(3, 5));
    } else {
        // SSO server sent only the language value (e.g. en)
        myLocale = new java.util.Locale(userLocaleParam, "");
    }
}

// The following two lines will be used only for the Multilingual support with
// proper resource bundle class supplied
// java.util.ResourceBundle myMsgBundle
//     = java.util.ResourceBundle.getBundle("MyMsgBundleClassName", myLocale);
// Get the message string in the appropriate language using the message key.
// Use this string to display the message in this page.
// String mesg = myMsgBundle.getString("mesg_key");
%>
<html>
<body bgcolor="#FFFFFF">
<h1><%=msg1%></h1>
<%
String done_url = null;
int i = 0;

// Get the return URL value; leave it null when absent so that msg4 is shown
try {
    done_url = request.getParameterValues("p_done_url")[0];
} catch(Exception e) {
    done_url = null;
}

// Get the application name and logout URL for each partner application.
// The loop ends when p_app_name<i> is absent: getParameterValues() returns
// null, the [0] dereference throws, and control reaches the catch block.
try {
%>
<b> <%=msg2%> <%=msg3%> </b> <br>
<!-- Substitute an actual host, domain, and port for myhost.us.mydomain.com:7777
     that points to the WebGate. -->
<img src="http://myhost.us.mydomain.com:7777/access/oblix/lang/en-us/style2/oblixlogo.gif">
<%
    for(;;) {
        i++;
        String app_name = request.getParameterValues("p_app_name"+i)[0];
        String url_name = request.getParameterValues("p_app_logout_url"+i)[0];
%>
<%=esc(app_name)%> <img src="<%=esc(url_name)%>"> <br>
<%
    }
} catch(Exception e) {
    if(done_url == null) {
%>
<%=msg4%> <br>
<%
    }
    if(i>1) {
%>
<br> <a href="<%=esc(done_url)%>">Return</a>
<%
    } else {
%>
<%=msg5%><br>
<%
    }
}
%>
</body>
</html>
Before you enable the NetPointWASRegistry, you need to run the registryTester program to ensure that the NetPointWASRegistry is registered and can successfully connect to the Identity System. A file required to run the registrytester was available in the WAS_install_dir. Today, however, the file is not bundled with the Oracle Access Manager Connector for WebSphere. As a result, you cannot run the registrytester with the Oracle Access Manager Connector for WebSphere 6.1.
Workaround: Copy the com.ibm.ws.runtime_6.1.0.jar file, which is available in WAS_INSTALL_DIR\plugins, then set the classpath in the RegistryTester.bat or RegistryTester.sh file accordingly. For example, in RegistryTester.sh:
CLASSPATH=.:${CLASSPATH}:${INSTALL_DIR}/oblix/lib/NetPointWASRegistry.jar\
:${INSTALL_DIR}/oblix/lib/jobaccess.jar\
:${WAS_INSTALL_DIR}/lib/wssec.jar\
:${WAS_INSTALL_DIR}/lib/sas.jar\
:${WAS_INSTALL_DIR}/lib/j2ee.jar\
:${WAS_INSTALL_DIR}/java/jre/lib/security.jar\
:${WAS_INSTALL_DIR}/java/jre/lib/xml.jar\
:${WAS_INSTALL_DIR}/plugins/com.ibm.ws.runtime_6.1.0.jar
export CLASSPATH
This section describes issues and workarounds for the directory. It includes the following topics:
Section 5.8.1, "Error "There Is No Profile Configured for this Kind of Object""
Section 5.8.2, "Issues With the Display of Messages in Some Languages"
In Oracle Internet Directory, the orcladmin user (dn: cn=orcladmin) can be thought of as a pseudo user with administrative privileges. There is no LDAP entry corresponding to this user in Oracle Internet Directory. This user is part of special groups that are created in Oracle Internet Directory. The Identity Server requires that every user exist as an independent entry in the directory. When these special groups are viewed or modified using Group Manager, you may see the following message: "There is no profile configured for this kind of object."
If you have this issue, view and update these special Oracle Internet Directory groups using the Oracle Directory Manager application.
Note that there are some special groups in Oracle Internet Directory that exhibit cyclic behavior. Using Oracle Directory Manager to manage these groups is recommended, not the Group Manager or the Identity Server.
There may be an issue with the display of messages for some installations of Oracle Access Manager with Oracle Internet Directory using a native character set. For some supported languages in these environments, messages in the Oracle Access Manager message catalog that are not compatible with the native character set are not displayed properly.
Use the AL32UTF8 character set for Oracle Internet Directory instead of the native character set for the language.
When conducting searches using Novell eDirectory 8.7.3, attribute access controls and searchbase filters do not work as expected. For example, using eDirectory 8.7.3, you can configure filters to return organizational units (OUs) below the top node of the DIT, as follows:
(&(objectclass=*)(!(|(objectclass=oblixconfig)(objectclass=oblixlocation)(objectclass=genSiteOrgPerson)(objectclass=genSiteGroup)))(objectclass=*))
However, these searches return information that you were trying to exclude. For example, users may be returned.
To work around this issue, apply the eDirectory patch 8.7.3.7. See the following URL for details:
This section describes issues and workarounds for documentation and online help. It includes the following topics:
Section 5.9.2, "Help Mentions WebGateStatic.lst But No Such File Exists"
Section 5.9.3, "The obEnableCredentialCache Credential Mapping Parameter Is Misspelled"
Section 5.9.4, "Warning Regarding Retrieving Authorization Data From an External Source"
Section 5.9.5, "Active Directory MaxPageSize Parameter Stated as PageSize Parameter"
Section 5.9.6, "Missing Parameter in globalparams.xml Documentation"
Section 5.9.7, "Incorrect obver Attribute Value Stated in Documentation"
Section 5.9.8, "Changes in System Behavior for obVer Missing in Manuals"
Section 5.9.9, "Items Needed for WebLogic 9.2 Application Server Certification"
Section 5.9.10, "Corrected Default Path Names in Oracle Access Manager Installation Guide"
Section 5.9.11, "OIS and Access Server Service Start is Automatic by Default"
Section 5.9.12, "Certificate Utility Flags Incorrect for Oracle Virtual Directory SSL Listener"
Section 5.9.13, "Tuning Oracle Internet Directory for Oracle Access Manager"
Section 5.9.15, "Typographical Error in the Solution for "The Login Form Appears Repeatedly""
Section 5.9.17, "Added Audit File Renaming Steps to Oracle Access Manager Upgrade Guide"
Section 5.9.18, "Corrected Path Details for Oracle Virtual Directory Schema Files"
Section 5.9.19, "Corrected LDAPModify Syntax for Oracle Virtual Directory"
Section 5.9.20, "Added SSL Requirements When Upgrading Schema and Data with Master Access Manager"
Section 5.9.21, "Corrected Path Names for Schema Index Files in Oracle Access Manager Upgrade Guide"
Section 5.9.23, "Missing Challenge Parameter "realmunique:yes""
Section 5.9.25, "oblixCoreidServerDown has the Same Description as oblixCoreidServerFailure"
Section 5.9.26, "Syntax Correction in Oracle Access Manager Customization Guide"
Section 5.9.27, "Clarification of unique_value_attrs in ldapreferentialintegrityparams.xml"
Section 5.9.28, "Clarification on Reconfiguring COREid Server and WebPass"
Section 5.9.30, "Clarification in WebLogic Chapter of Oracle Access Manager Integration Guide"
Section 5.9.31, "Policy Manager API Support Should Read Access Management Service"
Section 5.9.33, "Update for Apache v2 for WebGate on UNIX with the mpm_worker_module"
In the next version of the Oracle Access Manager Installation Guide, Chapter 2, "Preparing for Installation" Table 2-3 will include Oracle Internet Directory in the Installation Preparation Checklists.
Some language versions of the online help for the Access System contain an obsolete reference to a WebGateStatic.lst file, as follows:
"To ensure that the WebGate logs out users from Identity and Access applications when they click the Logout button, set the LogOutUrls parameter in WebGateStatic.lst to the same value as the SSO Logout URL. WebGateStatic.lst is located in WebGate_install_dir/oblix/apps/Webgate/"
Beginning with 10g (10.1.4), the WebGateStatic.lst file is no longer present. Various parameters that were set in WebGateStatic.lst are now defined in the Access System Console.
The following procedure describes how to configure the LogOutURLs parameter. See the Oracle Access Manager Access Administration Guide for details.
To set the LogOutUrls parameter:
Launch the Access System Console and click Access System Configuration.
Click AccessGate Configuration in the left navigation pane.
Conduct a search for existing AccessGates and click the link for the AccessGate that you want to modify.
Modify the LogOutURLs parameter.
In the Oracle Access Manager Access Administration Guide chapter on configuring authentication, the obEnableCredentialCache parameter is misspelled as EnableCredentialCache.
Use the correct spelling, "obEnableCredentialCache", when configuring this parameter.
As described in the Oracle Access Manager Access Administration Guide, an authorization scheme can obtain data from an external source. This data is passed to a custom authorization plug-in. By obtaining external data (usually in the form of information about the user) authorization decisions can be made dynamically, based on user input.
For example, if a user goes to a form to purchase an item for $1000, this $1000 amount can be dynamically evaluated against a limit—perhaps stored in a database—to determine if the purchase is authorized.
The process of retrieving authorization data from an external source is sometimes known as a reverse action.
Note that when creating an authorization plug-in that uses a reverse action, the calls to retrieve reverse actions will not fail if no reverse actions are present. For example, the following returns NULL for a list if there is no user-agent value in RequestContext:
ObASPluginList_t list = pFnBlock->GetDataFn(pInfo->RequestContext, "user-agent");
Plug-ins should check whether the data list returned for a reverse action (or anything else) is NULL before using it to retrieve individual data values. Even with a new Access Server, this situation could occur if the client did not specify a value for a reverse action.
This information will be added to the Authorization Plugin API documentation.
The discussion on "Oracle Access Manager ADSI Configuration Files", in the Oracle Access Manager Identity and Common Administration Guide, Appendix B, Table B-2 Parameters and Values in adsi_params Files includes two pagesize parameter descriptions as follows:
pageSize: Page size of results that ADSI requests from the server.
pageSize: Setting the pageSize value to a finite value (the default is 0) turns off LDAP referrals. This can improve performance when client applications perform directory searches.
Correction: The second pageSize parameter in the table will refer to the MaxPageSize parameter.
The following information has been added to the Oracle Access Manager Customization Guide, and related notes have been added to Oracle Access Manager Identity and Common Administration Guide.
The parameter excludeOCsForTreeInApplet specifies the list of object classes whose objects are excluded from display in the Identity System. For example, if you remove the group object class item from the list, the group objects will be visible in the Identity System applications.
By default, the Identity System does not display every object and attribute in the directory. This parameter enables you to expose object classes in the Identity System applications that would otherwise be hidden.
Procedures in the Oracle Access Manager Upgrade Guide to verify Identity and Access System schema upgrades instruct you to view the configuration node in the configuration directory server and confirm that the value of the obver attribute is 10.1.4.0.1. However, the actual attribute value is 10.1.4.0.
In the next release of the Oracle Access Manager Upgrade Guide, the following procedures will be corrected to reflect the actual attribute value of 10.1.4.0:
To verify the schema and data upgrade
Check to ensure that the schema contains the 10g (10.1.4) attribute obPolicyEnabled and object class oblixLPMPolicy.
View the configuration node in the configuration directory server and confirm that the value of the obver attribute is 10.1.4.0.
To verify the Access System schema and data upgrade
Using your directory administration console, confirm that the schema contains all the object classes and attributes as defined in the Oracle Access Manager Schema Description.
Using your directory administration console, verify that all the indexes have been added.
Different Directory Server Instances: Perform the steps in the following list to ensure that the schema was also updated:
View the configuration node in the configuration directory server and confirm that the value of the obver attribute is 10.1.4.0.
Check to ensure that the schema contains the 10g (10.1.4) attribute obPolicyEnabled and object class oblixLPMPolicy.
Changes in system behavior for the obVer attribute were not noted in the Oracle Access Manager Schema Description and the Oracle Access Manager Upgrade Guide.
The following information will be added to the next release of the Oracle Access Manager Schema Description:
oblixConfig class: This value is used by the Identity and Access Servers with the Lost Password Management feature.
OblixOrgPerson class: A value of 10.1.4.0 or greater in oblixOrgPerson indicates that the challenge phrase and response attributes are encoded with a delimiter of @n# between multiple values. In the encoding, n is the number of the challenge or response.
For more information about multiple challenge and response attributes, see the Oracle Access Manager Identity and Common Administration Guide. For implications when upgrading from an earlier release to Oracle Access Manager 10g (10.1.4), see the Oracle Access Manager Upgrade Guide.
The following information will be added to the next release of the Oracle Access Manager Upgrade Guide in the chapter that provides a summary of system behaviors.
The obVer attribute identifies the current Oracle Access Manager release and is one of several attributes in the class description of many Oracle Access Manager schema objects. For example, the obVer attribute is part of oblixPanel, oblixConfig, oblixLocation, oblixMetaAttribute, oblixEnum, and OblixOrgPerson to name only a few.
Until release 10g (10.1.4), the obVer attribute was purely informational. However starting with release 10g (10.1.4), the obVer attribute is used by the Identity and Access Servers to support encoding of multiple challenge phrase and response attributes for lost password management. In this case, Oracle Access Manager 10g (10.1.4) reads the obVer attribute in:
oblixConfig class: The structural class defines the container node for the Oracle Access Manager configuration data.
In oblixConfig, the obVer attribute always exists and indicates the current product release.
OblixOrgPerson class: The auxiliary class used for associating Oracle Access Manager person information with the class configured as the structural person object class. The next release of the Oracle Access Manager Schema Description will include the following details:
In OblixOrgPerson obVer may or may not exist. When obVer does not exist in a user entry, the value is assumed to be less than 10.1.4.0.
Oracle Access Manager 10g (10.1.4) uses the obVer value in the OblixOrgPerson class in the following ways:
An obVer value of less than 10.1.4.0 indicates that there is a single value for the challenge phrase and the response with no encoding. For example:
ChallengeAttribute: what is your name?
ResponseAttribute: xxxxxxxx (encrypted form of Ramakrishna)
An obVer value of 10.1.4.0 or greater indicates that the challenge phrase and response attributes are encoded (with @n# as a delimiter between multiple values, where n is the number of the challenge or response). For example:
ChallengeAttribute: what is your name?@1#what is your school name?@2#
ResponseAttribute: xxxxxxxx (where xxxxxxxx is the encrypted form of the name@1#SGschool@2#)
ChallengeAttribute: what is your name?@1#
ResponseAttribute: xxxxxxxx (where xxxxxxxx is the encrypted form of the name@1#)
When you upgrade from an earlier release to Oracle Access Manager 10g (10.1.4), configuration data stored in the oblix tree is migrated automatically and the value of the obVer attribute is changed to 10.1.4.0. However, user data is not migrated until the first login following the upgrade. This means that the obVer attribute value remains less than 10.1.4.0 in user data (in the OblixOrgPerson class). In this case, during the first login the user data is migrated and:
The existing challenge phrase and response values are encoded (@1# is appended to the existing values automatically).
The value of the obVer attribute in user data (the OblixOrgPerson class) is set to the value of the obVer attribute in migrated configuration data in the root node of the oblix tree (oblixConfig).
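The obVer-dependent encoding and the first-login migration described above, as an added example that is not Oracle code: a small Python helper that interprets obVer, splits and joins @n#-delimited challenge and response values, and migrates a pre-10.1.4.0 user entry the way the first login does. The entry dictionaries and the attribute names ChallengeAttribute and ResponseAttribute are constructed for illustration; in a real entry the response value is stored encrypted, and the @n# encoding is applied to the plaintext before encryption.

```python
"""Challenge/response encoding selected by the obVer attribute (added example)."""
import re

# obVer value from which challenge/response attributes are @n#-encoded.
ENCODING_THRESHOLD = (10, 1, 4, 0)

# One encoded item: the value, then "@", the item number, then "#".
_ITEM_RE = re.compile(r"(.*?)@(\d+)#")


def parse_obver(value):
    """Turn an obVer string such as '10.1.4.0' into a comparable tuple.

    A user entry may have no obVer at all; the release notes state that a
    missing value is treated as older than 10.1.4.0, so return (0,) for it.
    """
    if not value:
        return (0,)
    return tuple(int(part) for part in value.split("."))


def is_encoded(obver):
    """True when an entry with this obVer stores @n#-encoded values."""
    return parse_obver(obver) >= ENCODING_THRESHOLD


def encode_values(values):
    """Join several values into 'first@1#second@2#...'."""
    return "".join("%s@%d#" % (v, n) for n, v in enumerate(values, start=1))


def decode_values(encoded):
    """Split 'first@1#second@2#' into ['first', 'second'].

    Numbering must be sequential from 1 and the string must end with a
    delimiter; anything else is rejected instead of silently dropped.
    """
    items = []
    pos = 0
    for match in _ITEM_RE.finditer(encoded):
        if match.start() != pos:
            raise ValueError("unexpected text at offset %d" % pos)
        number = int(match.group(2))
        if number != len(items) + 1:
            raise ValueError("non-sequential item number %d" % number)
        items.append(match.group(1))
        pos = match.end()
    if pos != len(encoded):
        raise ValueError("trailing text without an @n# delimiter")
    return items


def read_challenges(entry):
    """Return the challenge phrases of a user entry (a dict of attributes),
    reading the attribute as a single value or as an encoded list according
    to the entry's obVer."""
    raw = entry.get("ChallengeAttribute", "")
    if is_encoded(entry.get("obVer")):
        return decode_values(raw)
    return [raw] if raw else []


def migrate_entry(entry, config_obver):
    """Apply the on-the-fly migration performed at first login after upgrade.

    For an entry older than 10.1.4.0: append @1# to the existing challenge and
    response values and set obVer to the value of the oblixConfig node
    (config_obver). An already migrated entry is returned unchanged. A new
    dict is returned; the input is not modified.
    """
    if is_encoded(entry.get("obVer")):
        return dict(entry)
    migrated = dict(entry)
    for attr in ("ChallengeAttribute", "ResponseAttribute"):
        if migrated.get(attr):
            migrated[attr] = encode_values([migrated[attr]])
    migrated["obVer"] = config_obver
    return migrated


if __name__ == "__main__":
    # Constructed pre-upgrade entry: no obVer, single unencoded values.
    old = {"ChallengeAttribute": "what is your name?",
           "ResponseAttribute": "xxxxxxxx"}
    new = migrate_entry(old, "10.1.4.0")
    print(new)                    # ChallengeAttribute ends with @1#, obVer set
    print(read_challenges(new))   # ['what is your name?']
```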
Caution:
The first time a user logs in after the upgrade, that user entry is migrated immediately. Any existing challenge and response values for that user are encoded (@1# is appended to the end) and the obVer attribute value is changed to 10.1.4.0. However, if you restore your earlier release, the rollback process does not revert these changes. If you roll back to your previous release, the obVer value in the user entry in the OblixOrgPerson class remains 10.1.4.0 and the challenge and response values remain in encoded format. To temporarily stop the immediate user data migration (also known as on-the-fly migration) and avoid possible rollback issues, see Section 5.4.3, "Rollback Issues After Upgrading to Oracle Access Manager 10g (10.1.4)".
With the latest support for the Security Provider for WebLogic SSPI on WebLogic 9.2, the Oracle Access Manager Integration Guide must include new details, specifically in the discussion on preparing the WebLogic environment in the chapter on "Integrating the Security Provider for WebLogic SSPI."
The note beneath step 1 and the additions to subsections b and c beneath step 12 of the following procedure will appear in the Oracle Access Manager Integration Guide with Release 10.1.4 Patch Set 1 (10.1.4.2.0).
Copy the mbean jar file from install_dir/oblix/lib/mbeantypes to WebLogic_Home/server/lib/mbeantypes.
Note:
If you are using WebLogic 9.2, copy wl8NetPointSecurityProviders_Upgraded.jar. If you are using WebLogic 8.1, copy wl8NetPointSecurityProviders.jar. If you are using WebLogic 7.0 SP2 and later, copy wl7NetPointSecurityProviders.jar.
Copy the following files from your Security_Provider_install_dir to your WebLogic domain folder:
NetPointProvidersConfig.properties
NetPointResourceMap.conf: only for the WebLogic Server domain
Ensure that the following Admin credentials are set in clear text in the NetPointProvidersConfig.properties file:
OB_AdminUserName=admin
OB_AdminUserCreds=password
If the NetPointProvidersConfig.properties file has a clear text password, the SSPI reads in the password, encrypts it, and rewrites the properties file with the encrypted password.
Note:
NetPointProvidersConfig.properties file formatting is lost when Oracle Access Manager rewrites the file with the encrypted password. You may want to save a copy of the NetPointProvidersConfig.properties file. Also, ensure that all parameters are correctly filled in as described in the Oracle Access Manager Integration Guide.
Complete the next step if the SSPI talks to a WebPass that is protected by a WebGate. Otherwise, skip to step 5.
WebPass Protected by WebGate: Complete the following activities when the Oracle Access Manager SSPI talks to a WebPass protected by a WebGate:
In the NetPointProvidersConfig.properties file, ensure that OB_WebPassIsProtected is set to true. The OB_CookiePath and OB_CookieDomain parameters are configured correctly.
From the Access System Console, click Access System Configuration, click AccessGate Configuration in the left navigation pane, click the link for the WebGate that protects the WebPass, and in the IPValidation field select the Off option.
In Oracle Access Manager 10g (10.1.4), the WebGateStatic.lst file no longer exists. The options in this file have moved to the Access System Console. See Oracle Access Manager Access Administration Guide for details.
Note:
If you want to keep IPValidation set to true, configure the IPValidationExceptions parameter to contain the IP address that must be exempted from the check. Leaving IPValidation on is preferable: with it off, the WebGate no longer verifies that the ObSSOCookie is presented from the client IP address for which it was issued.
Restart the Web server.
Note:
Ensure that the security level in this authentication scheme is the same level or a lower level than the one specified in the WebLogic authentication scheme.
Next, you need to determine if the machine hosting WebPass is running SSL. If it is, complete step 5. Otherwise, skip to step 6.
WebPass Host SSL-Enabled: Determine if the machine hosting WebPass is running SSL, and if so, complete the following steps:
Open the NetPointProvidersConfig.properties file and set OB_WebPassSSLEnabled = True.
Obtain the CA certificate from the certificate authority to which the Web server hosting the WebPass or WebGate running in SSL mode has registered, and place it in ca.cer file.
Use the keytool in JAVA_HOME\bin or JAVA_HOME\jre\bin to import the CA certificate into the cacerts keystore in the JAVA_HOME\jre\lib\security folder of the JDK that WebLogic uses:
keytool -import -alias ca -file ca.cer -keystore JAVA_HOME\jre\lib\security\cacerts
keytool prompts for the keystore password (the JDK ships cacerts with the default password changeit) and asks you to confirm the certificate. Compare the displayed fingerprint with the one published by your certificate authority before answering yes, and confirm the import afterwards with keytool -list -alias ca -keystore JAVA_HOME\jre\lib\security\cacerts.
Add the following environment variables in the WebLogic Server startup script before the command that starts the server:
Add the following to the CLASSPATH:
/install_dir/oblix/lib/wlNetPoint.jar
/install_dir/oblix/lib/bcprov-jdk14-125.jar
/install_dir/oblix/lib/xerces.jar
/install_dir/oblix/lib/jobaccess.jar
HP-UX: Add the following to SHLIB_PATH:
install_dir/oblix/lib
Portal Domain: The CLASSPATH and PATH variables should be added just after the SAVE_JAVA_OPTIONS environment variable in the startWebLogic.cmd script (On Unix, it is the startWebLogic.sh script).
On Linux, set the LD_ASSUME_KERNEL environment variable to 2.4.19, as follows:
LD_ASSUME_KERNEL=2.4.19
export LD_ASSUME_KERNEL
Remove the boot.properties file from the WebLogic domain directory.
This will cause the startWebLogic script described in the next step to prompt for username and password.
In the WebLogic domain directory, edit the appropriate startup script:
Unix: The script is startWeblogic.sh
Ensure the following paths are set in the script:
/install_dir/oblix/lib/wlNetPoint.jar
/install_dir/oblix/lib/bcprov-jdk14-125.jar
/install_dir/oblix/lib/xerces.jar
/install_dir/oblix/lib/jobaccess.jar
In the WebLogic domain directory, start the WebLogic Server using the appropriate startup script:
Unix: This command is startWeblogic.sh
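The properties-file steps above (Admin credentials, OB_WebPassIsProtected together with OB_CookiePath and OB_CookieDomain, OB_WebPassSSLEnabled) can be checked before the first server start. The following Python script is an added example, not Oracle code and not from this page: it parses NetPointProvidersConfig.properties and reports the inconsistencies those steps describe. The sample file contents are constructed, and the file-permission check is an added hardening assumption rather than an Oracle requirement (the file holds the Admin password in clear text until the SSPI rewrites it).

```python
"""Pre-flight check of NetPointProvidersConfig.properties for the WebLogic SSPI.

Added example; not part of the Oracle documentation or product. It encodes the
dependencies stated in the steps above (Admin credentials present;
OB_WebPassIsProtected=true needs OB_CookiePath and OB_CookieDomain; an
SSL-enabled WebPass needs OB_WebPassSSLEnabled=True). The file-mode check is an
added hardening assumption, not an Oracle requirement: the file holds the Admin
password in clear text until the SSPI rewrites it.
"""
import os
import stat


def parse_properties(text):
    """Minimal Java .properties parser: '#' or '!' comment lines, '=', ':' or
    whitespace as key/value separator, backslash line continuations.
    Escape sequences inside keys are not handled."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        key_end = next((i for i, c in enumerate(line) if c in "=: \t"), len(line))
        value = line[key_end:].lstrip(" \t").lstrip("=:").strip()
        props[line[:key_end]] = value
    return props


def check_config(props, webpass_behind_webgate=False, webpass_ssl=False):
    """Return a list of findings; an empty list means the file is consistent
    with the deployment described by the two flags."""
    findings = []
    for key in ("OB_AdminUserName", "OB_AdminUserCreds"):
        if not props.get(key):
            findings.append(f"{key} is missing or empty")
    protected = props.get("OB_WebPassIsProtected", "").lower() == "true"
    if webpass_behind_webgate and not protected:
        findings.append("WebPass is protected by a WebGate but OB_WebPassIsProtected is not true")
    if protected:
        for key in ("OB_CookiePath", "OB_CookieDomain"):
            if not props.get(key):
                findings.append(f"OB_WebPassIsProtected=true but {key} is not set")
    ssl_enabled = props.get("OB_WebPassSSLEnabled", "").lower() == "true"
    if webpass_ssl and not ssl_enabled:
        findings.append("WebPass host runs SSL but OB_WebPassSSLEnabled is not True")
    return findings


def file_is_owner_only(path):
    """True when the file grants no group or other permissions (added check)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


# Constructed sample, as the file looks before the SSPI encrypts the password.
SAMPLE = """\
# NetPointProvidersConfig.properties (constructed sample)
OB_AdminUserName=admin
OB_AdminUserCreds=password
OB_WebPassIsProtected=true
OB_CookiePath=/
OB_WebPassSSLEnabled = True
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for finding in check_config(props, webpass_behind_webgate=True, webpass_ssl=True):
        print("FINDING:", finding)
```

Run it against the real file with parse_properties(open(path).read()) and set webpass_behind_webgate and webpass_ssl according to your deployment; an empty findings list, with file_is_owner_only(path) returning True, is the state you want before starting the server. On the constructed sample the only finding is the missing OB_CookieDomain.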
Using the WebLogic 8.1 Domain Configuration Wizard, you can create instances of a new WebLogic 8.1 domain, for example, mydomain, and a new WebLogic 8.1 server, for example, myserver. You can also create instances of a new WebLogic 8.1.3 Portal domain, for example, portalDomain, and a new WebLogic 8.1.3 portal, for example, portalServer.
Set up a Realm that uses Oracle Access Manager security providers, as follows:
Open a new console window and set the WebLogic environment by executing setEnv.cmd.
Unix: Source the setEnv.sh script present in the server domain directory.
Portal Domain: Use the setDomainEnv.cmd script (on Unix it is the setDomainEnv.sh script).
Run the following script and ensure that it has the correct username, password, and URL values:
Unix: install_dir/setupNetPointRealm.sh
Note:
To use policies based on roles for Web and EJB applications in WebLogic SSPI, run the setupNetPointRealm tool with the sspi_role parameter. For example:
install_dir\setupNetPointRealm.cmd sspi_role
Portal Domain: Run the script with parameter "portal".
WebLogic Server 7.0: The script does not work and NetPointRealm must be set manually.
WebLogic Application Server 9.2 on Unix: Set the domName variable in the install_dir/setupNetPointRealm.properties file. Then run the install_dir/setupNetPointRealm_wl92.sh script.
Log in to the WebLogic Admin Console, navigate to Domain, Security, Realms and:
Verify that NetPointRealm is set as the default.
Verify that the security providers are set properly in NetPointRealm.
Use the following steps for WebLogic Server 9.2:
Click Lock and Edit in the WebLogic Admin Console.
Navigate to NetPointRealm, Providers, Certification Path, WebLogicCertPathProvider. Select the Current Builder option to use the WebLogicCertPathProvider as the current builder. Click Activate Changes to activate all changes.
Set NetPointRealm as the default realm.
In the left pane, select your domain to open the Settings page for your domain. Click the Security tab; click General; select NetPointRealm as the default security realm; click Save; click Activate Changes to activate all changes.
Script Fails: If the script fails, you must manually add the Oracle Access Manager security realm (NetPointRealm):
Go to Domain, Security, Realms and select "Configure a new Realm".
For the option "Check Roles and Policies for", ensure that "All Web Applications and EJBs" is selected.
Navigate to Providers, Authentication, and configure a new Authenticator and Identity Asserter.
Identity Asserter: Select the Token Type ObSSOCookie and in the Details tab, uncheck "Base64Decoding Required".
Portal Domain: Set the control flag of Authenticator to OPTIONAL and also configure a Default Authenticator.
Navigate to Providers, Authorization and configure a new Authorizer (for the portal domain, only configure a Default Authorizer).
For role based policies, you also need to configure a Default Authorization Provider. Navigate to Providers, Authorization and configure a Default Authorization Provider.
For role based policies, navigate to Providers, Adjudication and configure a new Adjudication Provider.
Navigate to Providers, Role Mapping and configure a new Role mapper (for the portal domain, only configure a Default Role mapper).
Navigate to Providers, Credential Mapping and configure a new Default Credential mapper.
Navigate to Domain, Security and select this realm as the default realm.
Portal Server Domain: Complete the following steps to configure a WebLogic Portal domain:
Restart the server using the same WebLogic credentials that were used earlier.
In the WebLogic Server Console, navigate to Domain, Security, Realms, NetPointRealm, Providers, Authentication, and:
Remove the Default Authenticator.
Change the control flag for Authenticator to REQUIRED.
Using the Group Manager, create a group in Oracle Access Manager that maps to the Admin role in the BEA WebLogic Server and contains all the administrators for the BEA Portal.
For example:
BEA_Administrators
Create a user (portaladmin) and add it to the BEA_Administrators group; later you login as this user (portaladmin) when restarting the server.
In the WebLogic Server Console Admin Console, navigate to Security, Realms, NetPointRealm and:
Click Groups to display all Oracle Access Manager groups.
Search for the BEA Admin group that was created in this step. You can use a wild card in the search.
Copy the group name.
Click Global Roles, Admin role, Conditions tab and:
Add a Role Condition where the caller is a member of the group.
Paste in the group name you copied.
Change the role condition from "and" to "or", then click Apply.
Repeat this procedure for the PortalSystemAdministrator role.
Note:
Other BEA roles can be mapped to Oracle Access Manager groups/users. When you restart the WebLogic Server, it is important that you are logged in as a user in the Oracle Access Manager group associated with the BEA Admin role.
Restart the WebLogic Server.
The next time you log in to the WebLogic console, provide Master Oracle Access Manager Administrator credentials. You will be authenticated using NetPointRealm.
If you are using identity assertion as the authentication mechanism that protects Web applications:
Install a WebGate on the proxy Web server. See the Oracle Access Manager Integration Guide for an illustration of this type of installation.
Configure the Oracle Access Manager policies that protect the Web applications to use HTTP as the resource type instead of wl_url.
Note:
There is one exception to the resource type configuration. The WebLogic administration console always uses form login. The /console policy must use the resource type wl_url.
If anything other than an Oracle Access Manager form-based authentication scheme protects the policies configured with the HTTP resource type, configure a challenge redirect parameter to redirect the user to another Web server that has WebGate installed.
Note:
If you do not complete this step, the user will have to refresh the browser to access the desired page because the ObSSOCookie set by the WebGate in the HTTP request has not yet been sent to the WebLogic server.
Continue with the following procedure in the Oracle Access Manager Integration Guide as needed.
The Oracle Access Manager Installation Guide states incorrect default path names for components, as shown in Table 5-3.
Table 5-3 Erroneous Default Installation Path Names
Component | Installation Directory |
---|---|
Identity Server | Windows: \Program Files\OracleAccessManager\identity; Unix: /opt/oracleaccessmanager/identity; In This Guide: \IdentityServer_install_dir\identity |
WebPass | Windows: \Program Files\OracleAccessManager\WebComponent\identity; Unix: /opt/oracleaccessmanager/WebComponent/identity; In This Guide: \WebPass_install_dir\identity |
Access Server | Windows: \Program Files\OracleAccessManager\access; Unix: /opt/oracleaccessmanager/access; In This Guide: \AccessServer_install_dir\access |
Policy Manager | Windows: \Program Files\OracleAccessManager\WebComponent\access; Unix: /opt/oracleaccessmanager/WebComponent/access; In This Guide: \PolicyManager_install_dir\access |
WebGate | Windows: \Program Files\OracleAccessManager\WebComponent\access; Unix: /opt/oracleaccessmanager/WebComponent/access; In This Guide: \WebGate_install_dir\access |
In the next release of this manual, with Release 10.1.4 Patch Set 1 (10.1.4.2.0), the path names will be corrected as shown in Table 5-4.
Table 5-4 Correct Default Installation Path Names
Component | Installation Directory |
---|---|
Identity Server | Windows: \Program Files\NetPoint\identity; Unix: /opt/NetPoint/identity; In This Guide: \IdentityServer_install_dir\identity |
WebPass | Windows: \Program Files\NetPoint\WebComponent\identity; Unix: /opt/NetPoint/WebComponent/identity; In This Guide: \WebPass_install_dir\identity |
Access Server | Windows: \Program Files\NetPoint\access; Unix: /opt/NetPoint/access; In This Guide: \AccessServer_install_dir\access |
Policy Manager | Windows: \Program Files\NetPoint\WebComponent\access; Unix: /opt/NetPoint/WebComponent/access; In This Guide: \PolicyManager_install_dir\access |
WebGate | The default WebGate installation directory path name varies depending upon your platform and Web server type. For example: Win32 ISAPI WebGate: \Program Files\NetPoint\Webgate; Win32 OHS2 WebGate: \Program Files\NetPoint\WebComponent; Win32 NSAPI WebGate: \Program Files\NetPoint\WebGat; Linux Apache2 WebGate: /opt/netpoint/webgate; Linux OHS2 WebGates: /opt/netpoint/webgate; In This Guide: \WebGate_install_dir\access |
The Oracle Access Manager Installation Guide chapter "Installing the Identity Server" incorrectly states that the Identity Server and Access Server services are set to start manually by default in step 6 of the procedure that describes finishing the Identity Server installation:
Windows: Open the Services Window then locate and start the Identity Server service.
By default, the Identity Server (also known as the Oracle Identity Server (OIS)) starts manually, but you can set its startup type to Automatic. See the Microsoft Windows Help for details.
Unix: Execute the following command:
/IdentityServer_install_dir/identity/oblix/apps/common/bin/start_ois_server
To correct this statement, the Oracle Access Manager Installation Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0) will include the following updated information in step 6:
Windows: Open the Services Window and confirm that the Identity Server service is started.
By default, the Identity Server (also known as the Oracle Identity Server (OIS)) starts automatically. To change the default to manual start, see the Microsoft Windows Help for details.
Unix: Execute the following command to start the Identity Server service:
/IdentityServer_install_dir/identity/oblix/apps/common/bin/start_ois_server
Also, the procedure on finishing the Access Server installation in the chapter on "Installing the Access Server", includes similar information which is now corrected.
The Oracle Access Manager Installation Guide chapter on "Setting Up Oracle Access Manager with Oracle Virtual Directory", contains a procedure to configure the Oracle Virtual Directory SSL Listener. Step 8 of this procedure contains an incorrect command-line syntax.
The incorrect syntax line will be changed to the following and a new note will be added for clarification:
8. Import the root CA to the Identity Server using the following command:
certutil -d IdentityServer_install_dir\identity\oblix\config -A -n ldap -a -t "C,," -i root_ca_file
Note:
In the certutil command, the -t (trust arguments) flag must be followed by the trust attributes to assign to the certificate, enclosed in double quotes. The three comma-separated positions are SSL, e-mail and object-signing trust; "C,," marks the certificate as a trusted CA for SSL server certificates and leaves the other two positions empty.
The Oracle Access Manager Installation Guide describes how to use the ldapmodify command to tune Oracle Internet Directory. However, if you tune Oracle Internet Directory 10.1.2 or earlier using the ldapmodify command as described in the chapter on installing the Identity Server, you will receive the following error message:
"Attribute orclinmemfiltprocess is not supported in schema."
The orclinmemfiltprocess attribute is not supported in the schema until Oracle Internet Directory 10.1.4. As a result, you cannot use the ldapmodify command to tune Oracle Internet Directory 10.1.2 or earlier.
The next release of the Oracle Access Manager Installation Guide will make this clear.
The chapter on integrating Oracle Virtual Directory with Oracle Access Manager in the Oracle Access Manager Installation Guide states that Oracle-provided sample adapter and mapping template files are available in the DNConversionToolkit and must be obtained and stored in the Oracle Virtual Directory Manager using the steps provided.
However, Oracle Virtual Directory 10.1.4 and later provides sample Oracle Access Manager templates and mappings out-of-the-box in Oracle Virtual Directory Manager. These sample adapter templates are available automatically in the Adapter Template list of Oracle Virtual Directory Manager.
The next release of the Oracle Access Manager Installation Guide will include the following information:
Oracle Virtual Directory 10.1.4 and later provides sample Oracle Access Manager templates and mappings out-of-the-box in Oracle Virtual Directory Manager. Depending on the Oracle Virtual Directory release you are using, proceed as follows:
Skip the topic "Obtaining/Updating Sample Adapter and Mapping Templates" if you are using Oracle Virtual Directory 10.1.4 and later, and instead proceed to the next applicable topic for your environment. Later in this chapter you will see how to use the adapter and mapping templates.
Continue with the information and steps in this topic if you are using a release of Oracle Virtual Directory before 10.1.4, or if you choose to use the sample adapter and mapping templates in the Oracle Access Manager distribution.
The troubleshooting chapter of the Oracle Access Manager Access Administration Guide contains a typographical error in the solution for "The Login Form Appears Repeatedly." This will be corrected in the next release of the Oracle Access Manager Access Administration Guide.
Incorrect: To verify whether a user has a valid session, you can type the following in the browser's location:
javascript:altert(document.cookie)
Correct: To verify whether a user has a valid session, you can type the following in the browser's location:
javascript:alert(document.cookie)
Note that this shows only cookies readable by script: a cookie flagged HttpOnly is not included in document.cookie.
The Oracle Access Manager Configuration Manager Installation and Administration Guide did not mention the privileges required by the database user to upload the Oracle Access Manager Configuration Manager schema after adding repository details.
The 10.1.4.2.0 version of the manual, available with Release 10.1.4 Patch Set 1 (10.1.4.2.0), will include the following information to correct this issue.
Upload Schema Button appears only when there is no Oracle Access Manager Configuration Manager schema present in the Oracle Database repository. For a successful schema upload, the database user needs the following system privileges: Create Table, Create Sequence, Create Trigger, and Create Procedure.
A new discussion is added to the release 10.1.4.2.0 Oracle Access Manager Upgrade Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0). The following new procedure describes how to rename audit file path names after upgrading multiple Identity Servers.
After upgrading Identity Servers from releases earlier than 7.0, you must perform this task to correct the path name of audit files. If you have upgraded from release 7.x, you can skip this activity.
When upgrading the master Identity Server and the schema and data from any release earlier than 7.0, the audit file name is changed by prefixing the path to the master Identity Server.
If your deployment includes multiple Identity Servers, the audit file name for each will be prefixed by the same Identity Server installation directory path as the Identity Server from which the data upgrade is performed. The result is that your original configuration is lost during the Identity Server upgrade. For example, suppose you have two Identity Server instances with audit files stored as follows:
After the upgrade, however, both audit files will be stored in the directory path of the master Identity Server (611\ois_one). For example:
To recover your audit files after upgrading multiple Identity Servers, you must perform the following task to change audit file paths to reflect the appropriate path to specific Identity Server instances.
To recover your original audit files after upgrading Identity Servers
Go to the Identity System Console and log in as usual.
http://hostname:port/identity/oblix
where hostname refers to machine that hosts the Web server; port refers to the HTTP port number of the WebPass Web server instance; and /identity/oblix connects to the Identity System Console.
From the Identity System Console, click System Configuration, then click Identity Servers.
Select the name of an upgraded Identity Server to display the information for this instance.
Check the Audit File Name field, to see if the path name is correct.
If the path name is correct, click Cancel and then repeat steps 3 and 4 to check the audit file path name for another instance. If the path name is not correct, proceed to step 5.
Click the Modify button at the bottom of the page.
On the Modify page, change the path name in the Audit File Name field to the correct path for this instance and then click Save. For example:
Restart the Identity Server whose details you just updated.
Repeat all steps in this procedure for each upgraded Identity Server instance.
The discussion on extending directory schemas in the Oracle Access Manager Installation Guide states the location of vde_user_schema_add.ldif and aduserschema.ldif files as being in the IdentityServer_install_dir\identity\oblix\tools\DNConversionToolkit\tools\DataAnyWhere\OblixUserSchema. The DNConversionToolkit was provided with release 10g (10.1.4.0.1). However, the following location is also available and was documented in a later version of the Oracle Access Manager Installation Guide:
The discussion on extending directory schemas in the Oracle Access Manager Installation Guide omits the VDE_user_schema_add.ldif file name in the ldapmodify command syntax. The manual currently states the following syntax:
ldapmodify -h host -p port -D bind-dn -w password -a -f
This syntax will be corrected as follows in the 10.1.4.2.0 version of the Oracle Access Manager Installation Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0):
ldapmodify -h host -p port -D bind-dn -w password -a -f VDE_user_schema_add.ldif
The Oracle Access Manager Upgrade Guide does not mention that SSL-enabled communication with the directory server might be a requirement for the master Access Manager component that is installed and used for the schema and data upgrade.
The following information is added to the chapter on preparing for schema and data upgrades in the release 10.1.4.2.0 Oracle Access Manager Upgrade Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0):
When your original Access Manager component is configured to use SSL-enabled communication with the directory server, the master that you add must also be configured to use SSL-enabled communication with the directory.
The following information is added to help you when troubleshooting data access issues in the release 10.1.4.2.0 Oracle Access Manager Upgrade Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0):
If you receive a "Cannot find <person> Object Class" error after upgrading the schema and data, the problem may be that the master Access Manager component used to upgrade the schema and data did not use the same transport security as the original component. When your original Access Manager component is configured to use SSL-enabled communication with the directory server, the master that you add must also be configured to use SSL-enabled communication with the directory.
The Oracle Access Manager Upgrade Guide states an incorrect path when uploading the schema index files for Sun (formerly iPlanet) directory, Novell eDirectory (NDS), and Oracle Internet Directory after data migration. This will be corrected in the section on "Uploading Directory Server Index Files” in the 10.1.4.2.0 Oracle Access Manager Upgrade Guide that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0).
The corrected paths are:
IdentityServer_install_dir/identity/oblix/data.ldap/common
PolicyManager_install_dir/access/oblix/data.ldap/common
The description of the Environment URL in the chapter on migrating configuration data changes in the Oracle Access Manager Configuration Manager Installation and Administration Guide is incorrect and has been changed as described here.
Original Description
The Add Environment page provides fields where you can enter other information, including Environment Name, optional Description, Host Name and Port, Configuration DN, User DN, Password, and the URL for the LDAP Directory environment. When defining an environment name and description, you can use any combination of uppercase and lowercase alphanumeric characters, as well as spaces and punctuation.
Environment URL: The URL to the LDAP directory. For example:
http://141.144.74.35:3333/access/oblix/
Corrected Description
The Add Environment page provides fields where you can enter other information, including Environment Name, optional Description, Host Name and Port, Configuration DN, User DN, Password, and the (optional) URL for the relevant Oracle Access Manager deployment for this environment. When defining an environment name and description, you can use any combination of uppercase and lowercase alphanumeric characters, as well as spaces and punctuation.
Environment URL: The URL to the relevant Oracle Access Manager deployment for this environment. For example:
http://141.144.74.35:3333/access/oblix/
"realmunique:yes"
After integrating Oracle Access Manager and Oracle SSO, and implementing global logout from Oracle SSO, logout does not remove the ObSSOCookie cookie. When the user clicks logout and tries to go back to the protected URL, the user is the still logged in.
When using "Basic over LDAP" authentication, the browser will return the cached credential following a timeout (browsers cache HTTP Basic credentials per realm and resend them automatically, so a logout is not effective until the browser is challenged for a realm it holds no credentials for). A new challenge parameter "realmunique:yes" was introduced in Oracle COREid 7.0.4.2 to correct the problem. However, the information is not described in recent manuals.
A future release of the Oracle Access Manager Integration Guide will include new information.
See Also:
Knowledge Base Note 443493.1
To access Knowledge Base Note 443493.1
Go to My Oracle Support and login as usual:
https://support.oracle.com
Click Knowledge (upper-left corner).
In the Search Knowledge Base field (upper right corner), enter 443493.1.
Click the title on the results page: After Integration of Oracle Access Manager and Oracle SSO Logout Does Not Rem...
Review the article.
The Oracle Access Manager Installation Guide provides a misleading title in the chapter on installing WebGate, Chapter 9.
Incorrect Title
Enabling SSL on the IIS Web Server
The correct title will appear in the 10.1.4.3.0 version of the book. The information has moved into a separate chapter on Installing Web Components with the IIS Web Server, Chapter 19.
Correct Title
Enabling Client Cert on the IIS Web Server
The Oracle Access Manager Identity and Common Administration Guide chapter on SNMP Monitoring, provides the same description for both OBLIXCOREIDSERVERDOWN and OBLIXCOREIDSERVERFAILURE.
Incorrect
oblixCoreidServerDown
A trap generated when the SNMP Agent detects that the Identity Server is (potentially) Down. This trap contains the server ID, host name, and port.
oblixCoreidServerFailure
This trap is generated when the SNMP Agent detects that the Identity Server has failed. This trap contains the server ID, host name, and port.
Correct
oblixCoreidServerDown
A trap generated when the SNMP Agent detects that the Identity Server is (potentially) Down. This trap contains the server ID, host name, and port.
oblixCoreidServerFailure
This trap is generated when the SNMP Agent detects that the Identity Server has failed. This trap contains the server ID, host name, and port.
A syntax error has been corrected in Step 2 of the procedure "To import an Identity System XML file to work with its respective XSL stylesheet" in the Oracle Access Manager Customization Guide. $format=xmlnoxsy now reads &format=xmlnoxsl.
This information appears in the latest version of the book.
unique_value_attrs in ldapreferentialintegrityparams.xml
The following additional information should appear in the description of unique_value_attrs in the table that describes ldapreferentialintegrityparams.xml in the Oracle Access Manager Customization Guide.
Note: Oracle Access Manager enforces uniqueness only for the attribute of Login semantic type. As a result, it appears that the product enforces uniqueness for uid or samaccountname attribute.
The 'unique_value_attrs' parameter is only used in the context of Oracle Access Manager performing LDAP referential integrity. In certain referential integrity cases, Oracle Access Manager might need to delete and add the same entry with the updated DN. In such cases, unique_value_attrs identifies whether delete needs to happen first.
This information appears in the latest version of the book.
The following additional step should be included in the Oracle Access Manager Deployment Guide chapter on "Migration". This new Step 4 in the procedure "To reconfigure COREid Server and WebPass" will ensure that the COREid Server will restart after deleting entries in the directory.
4. Locate and run setup_ois from the following file system directory path:
./start_setup_ois -i IdentityServer_install_dir/identity/
This information appears in the latest version of the book.
Information on updating the Novell eDirectory schema should appear in the Oracle COREid Access and Identity Installation Guide. The following information appears in the latest version of the book.
Details for Novell eDirectory
By default, the Oracle schema for Novell eDirectory does not support creating the oblix node (o=oblix,<config-dn>) under a domain node (for example, dc=us,dc=oracle,dc=com) during browser-based Identity System setup. This means that you cannot use a domain node as the configuration base during the browser-based Identity System setup. A workaround is provided in the Troubleshooting chapter, under "Novell eDirectory Issues" on page E-7.
When setting the searchbase to "dc=nc" during browser-based Identity System setup with Novell eDirectory, you must define the CONTAINMENT object under which the "o=Oblix" (oblixconfig) objectclass can exist. Within the schema for eDirectory, the oblixconfig objectclass can include "domain" as a possible CONTAINMENT object.
Workaround
The following workaround will appear in the "Troubleshooting" chapter of the 10.1.4.3 Oracle Access Manager Installation Guide:
During Identity Server installation, you are asked if you want to extend the directory server schema. At this point, you can browse the Identity Server's installation directory and locate the NDS_oblix_schema_add.ldif file. From a file editor, you can edit the CONTAINMENT for this objectclass to include "domain" using the following steps:
When asked if you want to extend the directory schema during Identity Server installation, locate the NDS_oblix_schema_add.ldif file, as follows:
IdentityServer_install_dir\identity\oblix\data.ldap\common\NDS_oblix_schema_add.ldif
Open the NDS_oblix_schema_add.ldif in an editor and locate the 'oblixconfig' objectclass, which also defines the CONTAINMENT for this objectclass. For example:
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.3831.0.1.2 NAME 'oblixconfig' SUP top STRUCTURAL MUST ( obpersonoc $ obsearchbase $ organizationName ) MAY ( obsearchbasestr $ obgroupoc $ ………………………………..$ obver $ obduplicateAction ) X-NDS_NAMING ( 'O' ) X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit' 'country' 'locality' ) )
Modify this entry to specify the 'domain' as one of the CONTAINMENT classes for the 'oblixconfig' objectclass. For example:
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.3831.0.1.2 NAME 'oblixconfig' SUP top STRUCTURAL MUST ( obpersonoc $ obsearchbase $ organizationName ) MAY ( obsearchbasestr $ obgroupoc $ ………………………………..$ obver $ obduplicateAction ) X-NDS_NAMING ( 'O' ) X-NDS_CONTAINMENT ( 'domain' 'organization' 'organizationalUnit' 'country' 'locality' ) )
Save the modified schema file and continue with installation and browser-based setup.
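The edit described above can be applied mechanically, which also avoids the schema load quietly proceeding without the change. The following Python function is an added example, not an Oracle tool and not code from this page: it unfolds the LDIF, finds the objectclasses definition named oblixconfig, and inserts 'domain' at the head of its X-NDS_CONTAINMENT list if it is not already there, raising an error if the definition cannot be found. The sample LDIF is constructed with a shortened MAY list.

```python
"""Add 'domain' to the X-NDS_CONTAINMENT list of the oblixconfig objectclass
in NDS_oblix_schema_add.ldif. Added example, not an Oracle tool. The sample
LDIF below is constructed: it uses the OID and attribute names shown above
but a shortened MAY list, folded across lines as LDIF allows."""
import re

CONTAINMENT = re.compile(r"(X-NDS_CONTAINMENT\s*\(\s*)([^)]*)(\))")


def unfold_ldif(text):
    """Join LDIF continuation lines (a line beginning with one space continues
    the previous line) so that each attribute value sits on a single line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def add_containment(text, objectclass="oblixconfig", container="domain"):
    """Return (new_text, changed). Inserts `container` first in the
    X-NDS_CONTAINMENT list of `objectclass` unless it is already listed.
    Raises ValueError when the objectclass definition or its containment
    clause cannot be found, so a silent no-op cannot pass for success."""
    out, changed, found = [], False, False
    needle = f"NAME '{objectclass}'"
    for line in unfold_ldif(text):
        if line.startswith("objectclasses:") and needle in line:
            found = True
            m = CONTAINMENT.search(line)
            if m is None:
                raise ValueError(f"{objectclass} has no X-NDS_CONTAINMENT clause")
            classes = re.findall(r"'([^']*)'", m.group(2))
            if container not in classes:
                quoted = " ".join(f"'{c}'" for c in [container] + classes)
                line = f"{line[:m.start()]}{m.group(1)}{quoted} ){line[m.end():]}"
                changed = True
        out.append(line)
    if not found:
        raise ValueError(f"objectclass {objectclass} not found")
    return "\n".join(out) + "\n", changed


# Constructed sample (shortened MAY list), not the shipped schema file.
SAMPLE_LDIF = """\
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.3831.0.1.2 NAME 'oblixconfig' SUP top STRUCTURAL
  MUST ( obpersonoc $ obsearchbase $ organizationName ) MAY ( obsearchbasestr
  $ obgroupoc $ obver $ obduplicateAction ) X-NDS_NAMING ( 'O' )
  X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit' 'country' 'locality' ) )
"""

if __name__ == "__main__":
    updated, changed = add_containment(SAMPLE_LDIF)
    print(updated if changed else "already contains 'domain'")
```

Applying the function twice yields the same text with changed set to False the second time, so it can be run safely against a file that was already edited by hand.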
The following note is missing from the "Integration Architecture" section of the WebLogic chapter in the Oracle Access Manager Integration Guide.
Form-based authentication gives SSO between Oracle Access Manager and WebLogic applications. However, Basic Over LDAP authentication does not provide SSO.
The previous paragraph appears in the latest version of the book.
Oracle Access Manager manuals provide a table of product name changes in the "What's New" chapter. However, the chapter incorrectly states that the Access System Service (named AM Service State in Access System Console pages) was renamed to "Policy Manager API Support Mode". "Access System Service" was actually renamed as "Access Management Service". The latest Oracle Access Manager manuals contain the following correction in the "What's New" chapter.
Table 5-5 Product Name Changes
Item | Was | Is |
---|---|---|
Access System Service (AM Service State) | Policy Manager API Support Mode | Access Management Service |
The correction has also been made in the Oracle Access Manager Access Administration Guide, "Configuring WebGates and Access Servers" chapter as follows:
Access Server Configuration Parameters table
AccessGate Configuration Parameters table
A URL pattern is an Access System-supported mechanism for identifying different resources of a certain type that are protected by a single policy. Patterns with the following attributes are invalid:
A '[' without a closing ']'
A '{' without a closing '}'
Unescaped '{' inside {}
Unescaped '/' inside [ ]
The following information has been added to the topic on "Invalid URL Patterns" in the chapter on protecting resources with policy domains in the Oracle Access Manager Access Administration Guide.
The following URL pattern is not recognized when it is included within {}:
{pattern_1, pattern_2, /.../cleanup.asp}
The URL pattern will only be recognized if it is used without {}:
/.../cleanup.asp
URL patterns within {} are designed for simple expressions such as the following:
a{ab,bc}b matches aabb and abcb
a{x*y,y?x}b matches axyb, axabayb, ayaxb, etc.
URL patterns within [] should not contain complex sub-expressions such as those starting with "/". For example:
[/.../cleanup.asp OR /c*/webservice/webservice.asp]
Instead, consider creating three separate policies:
/admin/*
/c*/webservice/webservice.asp
/.../cleanup.asp
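The pattern rules above can be checked mechanically before a policy is saved, which matters because a pattern the Access System does not recognize leaves the resources it was meant to cover outside the policy. The following Python module is an added example, not Oracle's implementation and not code from this page: validate() encodes the four invalid forms listed above plus the '/ inside {}' case from the added note, and to_regex()/matches() translate a pattern to a regular expression using assumed semantics that this page does not define ('*' any run of characters, '?' one character, '/.../' zero or more directory levels, '{a,b}' alternatives, '[...]' a character class, and a backslash escaping the next character); check those assumptions against the Access Administration Guide before relying on them.

```python
"""Validator and matcher for Access System URL patterns. Added example, not
Oracle's implementation: validate() encodes the invalid forms listed above,
to_regex()/matches() use assumed semantics (see the lead-in)."""
import re

ESC = "\\"   # assumed escape character: the character after it is literal


def validate(pattern):
    """Return the list of problems found (empty list: pattern is acceptable)."""
    problems, depth, in_bracket, i = [], 0, False, 0

    def note(msg):
        if msg not in problems:
            problems.append(msg)

    while i < len(pattern):
        ch = pattern[i]
        if ch == ESC:                        # escaped character: skip it
            i += 2
            continue
        if in_bracket:
            if ch == "]":
                in_bracket = False
            elif ch == "/":
                note("unescaped '/' inside []")
        elif depth:
            if ch == "{":
                note("unescaped '{' inside {}")
                depth += 1
            elif ch == "}":
                depth -= 1
            elif ch == "[":
                in_bracket = True
            elif ch == "/":
                note("'/' inside {} is not recognized; use that path as its own pattern")
        elif ch == "{":
            depth += 1
        elif ch == "[":
            in_bracket = True
        i += 1
    if in_bracket:
        note("'[' without a closing ']'")
    if depth:
        note("'{' without a closing '}'")
    return problems


def _find_close(pattern, start, close):
    """Index of the first unescaped `close` character at or after `start`."""
    i = start
    while i < len(pattern):
        if pattern[i] == ESC:
            i += 2
        elif pattern[i] == close:
            return i
        else:
            i += 1
    raise ValueError(f"missing '{close}' in {pattern!r}")


def to_regex(pattern):
    """Translate a pattern that passed validate() into a Python regex.
    Assumed semantics: '*' any run of characters, '?' one character,
    '/.../' zero or more directory levels, '{a,b}' alternatives,
    '[...]' a character class (passed through unchanged)."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == ESC and i + 1 < n:
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif pattern.startswith("...", i):
            out.append(r"(?:[^/]+/)*")
            i += 3
            if i < n and pattern[i] == "/":  # the '/' closing '/.../'
                i += 1
        elif ch == "{":
            j = _find_close(pattern, i + 1, "}")
            alts = re.split(r"(?<!\\),", pattern[i + 1:j])
            out.append("(?:" + "|".join(to_regex(a) for a in alts) + ")")
            i = j + 1
        elif ch == "[":
            j = _find_close(pattern, i + 1, "]")
            out.append("[" + pattern[i + 1:j] + "]")
            i = j + 1
        else:
            out.append({"*": ".*", "?": "."}.get(ch, re.escape(ch)))
            i += 1
    return "".join(out)


def matches(pattern, url):
    """True when the whole URL path matches the pattern."""
    return re.fullmatch(to_regex(pattern), url) is not None
```

With the examples from this section, validate("{pattern_1, pattern_2, /.../cleanup.asp}") and validate("[/.../cleanup.asp OR /c*/webservice/webservice.asp]") each report a problem while validate("/.../cleanup.asp") reports none, and matches() reproduces the a{ab,bc}b and a{x*y,y?x}b results listed above.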
The troubleshooting chapter of the Oracle Access Manager Installation Guide provides instructions to compile Apache v2.0 for WebGate on UNIX with the mpm_worker_module. This should be done only for the Apache 2.0 WebGate. During the update, you will modify the thread.c file from the Apache source for the UNIX environment.
The following note should be added.
Note:
Apache v2.1 on Linux does not support the ThreadStackSize directive.
See Also:
"Apache v2 on UNIX with the mpm_worker_module for WebGate" in the troubleshooting chapter of the latest Oracle Access Manager Installation Guide