| Oracle® Application Server Release Notes 10g (10.1.4.0.1) for Microsoft Windows (64-Bit) on Intel Itanium Part Number B32107-06 |
|
|
View PDF |
| Oracle® Application Server Release Notes 10g (10.1.4.0.1) for Microsoft Windows (64-Bit) on Intel Itanium Part Number B32107-06 |
|
|
View PDF |
This chapter introduces Oracle Role Manager Release Notes, 10g (10.1.4.2). It includes the following topics:
This document is accurate at the time of publication. Oracle will update the release notes periodically after the software release. You can access the latest information and additions to these release notes on the Oracle Technology Network at:
http://www.oracle.com/technology/documentation/
The following sections discuss what's new in Oracle Role Manager release 10.1.4.2:
This section discusses the following new certifications:
Note:
For a complete list of certified components, visit the official platform certification Web site at:Oracle Role Manager is now certified to run on the following operating systems:
Oracle Enterprise Linux 4 (64-bit)
Oracle Enterprise Linux 5 (64-bit)
Microsoft Windows 2008 (64-bit)
Microsoft Windows 2008 (32-bit and 64-bit)
Red Hat Enterprise Linux AS Release 4 (64-bit)
Red Hat Enterprise Linux AS Release 5 (64-bit)
SUSE 10 (32 bit)
Solaris 10 (64 bit)
Oracle Role Manager and Oracle Role Manager Integration Library are now certified to run in clustered environments with JBoss and IBM WebSphere.
Oracle Role Manager Integration Library is supported only with Oracle Identity Manager 9.1.0.2. For more information, see Oracle Role Manager Integration Guide.
This section discusses the following new features and enhancements:
This release includes many usability enhancements to the Oracle Role Manager user interface for an improved end-user experience. These include the following:
Audit history details now display workflow events as well as dynamic role membership audit events.
The Outbox now displays workflow events.
The system now detects whether the Integration Library is installed and the user experience is affected as follows:
Entitlement data from Oracle Identity Manager now displays if the Integration Library is installed. If the Integration Library is not installed, no entitlement data from Oracle Identity Manager is displayed.
Person fields and entitlement fields display as read-only if the Integration Library is installed, so that Oracle Identity Manager remains the system of record for person and entitlement data. If the Integration Library is not installed, person fields and entitlement fields are editable fields.
The Oracle Role Manager installation now includes the Oracle Role Manager Integration Library software for easier deployments. In addition, for deployments of the Integration Library on Oracle WebLogic Server, a new tool is provided in this release for facilitate easier configuration.
The Integration Library has been enhanced with new functionality supporting role grant approval workflow and reconciliation of entitlements and IT Roles (as access policies in Oracle Identity Manager). Additionally, there are now new scheduled tasks for one-time import of entitlements, user groups, and access policies. See Oracle Role Manager Integration Guide for details.
This release now supports upgrade from Oracle Role Manager 10.1.4.1 and Oracle Role Manager 10.1.4.1.1.
This release contains changes to the application data model as described in the following table.
Table 15-1 Application Data Model Changes
| Model | Description of Change |
|---|---|
|
primordial.xml |
The |
|
The |
|
|
The |
|
|
The word "privilege" in all titles and messages, when referring to IT privileges, has been changed to "entitlement." |
|
|
standard.xml |
The |
|
The |
|
|
The |
|
|
A new reference attribute (relationship path) that relates approver to approver business roles has been added to the |
|
|
oim_integration.xml |
The |
|
The |
|
|
The |
|
|
A uniqueness constraint has been added to the |
This section discusses the following changes to the Oracle Role Manager Java API related to the new features and enhancements for this release:
No public classes have been added in this release.
The methods listed in this section have been added to the classes specified below. See Oracle Role Manager Java API Reference for full descriptions of each method.
This section identifies components certified with Oracle Role Manager release 10.1.4.2 and contains the following topics:
Oracle Role Manager release 10.1.4.2 is certified for the following operating systems:
Microsoft Windows Server 2003 Standard Edition with SP1 (32-bit and 64-bit)
Microsoft Windows 2008 (32-bit and 64-bit)
Oracle Enterprise Linux 4 (32-bit and 64-bit)
Oracle Enterprise Linux 5 (32-bit and 64-bit)
Red Hat Enterprise Linux AS Release 4 (32-bit and 64-bit)
Red Hat Enterprise Linux AS Release 5 (32-bit and 64-bit)
SUSE 10 (32 bit)
Solaris 10 (64 bit)
Oracle Role Manager release 10.1.4.2 is certified for the following application servers:
WebLogic Server 10.3 (on clustered and nonclustered environments)
IBM WebSphere Application Server 6.1.0.21 (on clustered and nonclustered environments)
JBoss Application Server 4.2.3 (on clustered and nonclustered environments)
Oracle Role Manager release 10.1.4.2 is certified for the following databases:
Oracle Database Deployment
Oracle Database 10g Enterprise Edition release 10.2.0.4 to 10.2.x
Oracle Database 10g Standard Edition release 10.2.0.4 to 10.2.x
Oracle Database 11g Standard Edition release 11.1.0.6 to 11.1.0.x
Oracle Database 11g Enterprise Edition release 11.1.0.6 to 11.1.0.x
Oracle RAC Deployment (general purpose operation)
Oracle Database 10g Enterprise Edition release 10.2.0.4 to 10.2.x
Oracle Database 11g Enterprise Edition release 11.1.0.6 to 11.1.0.x
For each certified application server, Oracle Role Manager release 10.1.4.2 is certified for the JDKs listed in Table 15-3.
Table 15-3 Certified JDKs
| Application Server | Certified JDK |
|---|---|
|
Oracle WebLogic Server |
Oracle JRockit 6.0 (R27.6.0-50) Note: For 64-bit systems, the JDK must be the 64-bit version of JRockit, not the version that is installed with WebLogic Server. For information about installing the 64-bit JDK, refer to WebLogic Server 10.3 Installation Guide. |
|
IBM WebSphere Application Server |
IBM JDK 1.5 |
|
JBoss Application Server |
Sun Java 2 JDK 1.6 |
Oracle Role Manager release 10.1.4.2 supports the configurations listed in Table 15-4.
Table 15-4 Supported Configurations
| Operating System | Hardware | Application Server | Database |
|---|---|---|---|
|
Oracle Enterprise Linux 4 and 5 (32-bit) |
Intel x86 |
WebLogic 10.3 |
Oracle Database (see Section 15.3.3) |
|
JBoss 4.2.3 |
Oracle Database (see Section 15.3.3) |
||
|
WebSphere 6.1.0.21 |
Oracle Database (see Section 15.3.3) |
||
|
Oracle Enterprise Linux 4 and 5 (64-bit) |
Intel EM64T or AMD64 |
WebLogic 10.3 |
Oracle Database (see Section 15.3.3) |
|
JBoss 4.2.3 |
Oracle Database (see Section 15.3.3) |
||
|
WebSphere 6.1.0.21 |
Oracle Database (see Section 15.3.3) |
||
|
RedHat AS ES4 and ES5 (32-bit) |
Intel x86 |
WebLogic 10.3 |
Oracle Database (see Section 15.3.3) |
|
JBoss 4.2.3 |
Oracle Database (see Section 15.3.3) |
||
|
WebSphere 6.1.0.21 |
Oracle Database (see Section 15.3.3) |
||
|
RedHat AS ES4 and ES5 (64-bit) |
Intel EM64T or AMD64 |
WebLogic 10.3 |
Oracle Database (see Section 15.3.3) |
|
JBoss 4.2.3 |
Oracle Database (see Section 15.3.3) |
||
|
WebSphere 6.1.0.21 |
Oracle Database (see Section 15.3.3) |
||
|
Windows Server 2003 SP1 or Windows 2008 (32-bit) |
Intel x86 |
WebLogic 10.3 |
Oracle Database (see Section 15.3.3) |
|
JBoss 4.2.3 |
Oracle Database (see Section 15.3.3) |
||
|
WebSphere 6.1.0.21 |
Oracle Database (see Section 15.3.3) |
||
|
Windows Server 2003 SP1 or Windows 2008 (64-bit) |
Intel EM64T or AMD64 |
WebLogic 10.3 |
Oracle Database (see Section 15.3.3) |
|
JBoss 4.2.3 |
Oracle Database (see Section 15.3.3) |
||
|
WebSphere 6.1.0.21 |
Oracle Database (see Section 15.3.3) |
||
|
Windows XP Professional SP2 (32-bit development environments only) |
Intel x86 |
WebLogic 10.3 |
Oracle Database (see Section 15.3.3) |
|
JBoss 4.2.3 |
Oracle Database (see Section 15.3.3) |
||
|
WebSphere 6.1.0.21 |
Oracle Database (see Section 15.3.3) |
Oracle Role Manager release 10.1.4.2 is certified for Single Sign-On with the following component:
Oracle Access Manager 10.1.4.0.1 (formerly known as Oracle COREid) using both ASCII and non-ASCII character logins.
Note:
Single Sign-On with Oracle Access Manager 10.1.4.0.1 for non-ASCII character logins requires an Oracle Access Manager patch.Oracle Role Manager release 10.1.4.2 is certified for the following language:
English (en_US locale only)
Oracle Role Manager release 10.1.4.2 is certified for the following Web browsers:
Microsoft Internet Explorer 6.0 (SP2)
Microsoft Internet Explorer 7.0
Oracle Role Manager release 10.1.4.2 resolves the known bugs from previous releases listed in the following table.
Table 15-5 Bugs Resolved by 10.1.4.2
| Bug # | Description |
|---|---|
|
6949154 |
Auditing: Dynamic membership updates are not audited. Changes to a user's memberships based on dynamic roles (resolved by membership rules or grant policies) are not stored with audit data. |
|
6949255 |
System Messages: System should provide useful warning for syntactically incorrect XML rule. The system does not issue a user-friendly message if a syntactically incorrect membership rule is given in the role grant policy or membership rule. Instead, a generic "setMembershipRule failed" error displays. |
|
7043245 |
Integration Library: Exception in Oracle Identity Manager server console when creating user. The message can be ignored. User creation is successful, both in Oracle Identity Manager and in Oracle Role Manager |
|
7529678 |
Search: SELECT query returns deleted objects. A SELECT query run on the database using the Oracle Role Manager tjdbc driver returns deleted objects. This can affect reports but has no affect on the Oracle Role Manager user interface. |
|
7718897 |
Server: CSV file parsing errors during data load. The strings defined as field delimiters in the load script for different object types are inconsistent. All objects types use the carat (^) as a delimiter except |
|
8226900 |
Integration Library: Exception "ERROR [ACCOUNTMANAGEMENT] Class/Method: Authenticate/connect encounter some problems" intermittently displays in Oracle Identity Manager application server console on JBoss. This message is harmless and can be ignored. |
|
8235658 |
Integration Library: Deploying on UNIX-based systems requires renaming of directory to ensure successful role reconciliation. Role reconciliation fails on case-sensitive UNIX-based systems because the message from Integration Library is looking for the pluginConfigDir directory instead of the pluginConfigdir directory (note the lowercase d). |
This section describes known problems for Oracle Role Manager release 10.1.4.x. If a suitable workaround exists for a known problem, it is listed with the description of the bug to provide a temporary solution.
This section contains the following topics:
This section describes known bugs related to the auditing component and contains the following topics:
System displays misleading information for create transactions
Duplicate audit messages are displayed in the transaction details
Some audit and validation messages displayed to the end user are unclear or contain incorrect references.
System displays the transaction as an update action in the Outbox even when the user has performed a create transaction.
If a user updates any attribute and navigates to any other tab before clicking the Submit button, duplicate entries are displayed in the transaction details in the Outbox.
This section describes general user interface bugs and contains the following topics.
User has no indication why the Delete option is disabled for organizations with child entities
Context menu continues to display when a user selects another transaction
Hierarchy bread crumbs update only on submit and reload of the page
Timestamp value does not always match user's locale in role mapping details
Submit button appears functional to users without appropriate sphere of control to edit role
Cannot change sphere of control while creating a new role if user switches tab focus
The relationship between organization type objects and their child entities (other organization types, roles, and people) is restrictive, which means if the organization has active relationships with child entities, the organization cannot be deleted. Therefore, the Delete option on the context menu is disabled but the user is given no indication about why it is disabled.
System fails to wrap data with a large number of characters in multiple places in the application.
System displays the context menu in left hand pane even when the user has selected to perform another transaction, until the user either clicks another primary or secondary menu item or refreshes the context menu.
In resolution 1600 x 1200 or smaller, the horizontal scroll bar always appears for all the tabs at the bottom content frame (Attributes, Members, Privileges, Mappings and History).
When a person's location in any of the hierarchies changes, the hierarchy path bread crumb does not change unless submit and reload actions are performed.
The user must refresh the tree after performing a transaction that creates or updates tree members to reflect those changes in the tree view. This is only an issue if a node is created directly under the root node or for operations performed in other user sessions.
When viewing role mapping details, the user may see local time in some and GMT in others. The timestamp format should always match the user's locale.
When a user is granted a system role with system privilege, "All for System Role Objects," where the role grant sphere of control is set to ORG_A, but that system role is defined with sphere of control set to ORG_B, if the user navigates to roles in ORG_B, edits appear to be allowed. However, when the user clicks the Submit button and then returns to the "edited" role, no changes have been made.
While creating a system role, if the user navigates to another tab in the application, when returning to the Attributes tab and sets sphere of control, the error "Cannot change the SOC hierarchy type of a role" displays. The workaround is to cancel the operation and start over, setting sphere of control before navigating to another tab.
This section describes known bugs related to installation and contains the following topics.
Configuration Assistant fails on retry after database connection
Installer intermittently skips screens when the user goes back to previous screen
Oracle Role Manager runInstaller fails to install on SUSE 10
System fails to roll back the previous configuration and displays an exception on retrying the configuration. The workaround is to exit and restart the installer and uninstall the recent installation home, drop and re-create the users/schemas for Oracle Role Manager, then run the installer to install and configure Oracle Role Manager.
If this occurs, the workaround is to navigate all the way back to the File Location Page, which forces the installer to restart the interview phase and display all screens.
While running the installer in silent mode, the file copy progress is displayed as 92% instead of 100%.
When attempting to start the managed server for Oracle Role Manager, the following exception message displays in the application server console:
SEVERE: Failure disabling delivery of messages to BtFinisherMessageEJB weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[ormserver, Deployers], on ResourceType: MessageDrivenEJBRuntime
This occurs because a permission is missing from the template file used to configure WebLogic for Oracle Role Manager in clustered environments. The workaround is to assign the ormserver user to the Administrators group using the WebLogic Administrative Console, and then restart all servers.
To install Oracle Role Manager successfully on SUSE 10, run the installer with the option to ignore pre-reqs:
./runInstaller -ignoreSysPrereqs
This section describes known bugs of the Oracle Role Manager Integration Library with Oracle Identity Manager and contains the following topic:
Static business roles with the same name not created properly in Oracle Identity Manager
OIM-setup.sh and ORM-setup.sh scripts does not run on SUSE 10 machine
Suppose the person records of a user and the user's manager are created in Oracle Role Manager during reconciliation with Oracle Identity Manager. You then delete the manager's person record through the Oracle Role Manager user interface. During the scheduled user reconciliation (Quick or Full) after the manager's person record is deleted, although the manager's person record is re-created in Oracle Role Manager, the manager's person record might not be associated with the user's person record. By the end of the next scheduled user reconciliation (Quick or Full), the manager's person record is associated with the user's reconciliation run.
The following error might display on the application server console for Oracle Identity Manager when the RoleManagerUserGroupsCleanup scheduled task is run:
ERROR,19 Apr 2009 00:28:17,080,[XELLERATE.SERVER],Class/Method: QuartzWrapper/run encounter some problems: Exhausted Resultset java.sql.SQLException: Exhausted Resultset
The recommended workaround is to use the Resource Management component of the Oracle Administrative and User Console to create and then run a scheduled task with a task name of RoleManagerUserGroupsCleanup1 and class name of oracle.iam.rm.imframework.scheduledTasks.ScheduledUserGroupsCleanup.
If more than one static business role share the same name and are sent to Oracle Identity Manager during in the same run of the BusinessRolePublishing process, the Integration Library creates the first user group of that name, but fails to create the others. In this case, the Integration Library throws the error "duplication user group" in the Oracle Identity Manager application server console.
The workaround is to run the BusinessRolePublishing process again to create the second user group of that name (ORM_BR_name~1), and again for the third (ORM_BR_name~2), and so forth.
To execute OIM-setup.sh successfully, you must ensure that the following prerequisites are met:
For Oracle Identity Manager:
Remove ^M character in:
ORMINT_HOME/tools/WebLogic_Automation/oim-setup.sh
and
ORMINT_HOME/tools/WebLogicAutomation/properties/OIMConfig.properties.This is done by executing either dos2unix, for example, dos2unix oim-setup.sh or the following shell commands:
sed 's/^M//g' oim-setup.sh > oim-setup-temp.sh
mv oim-setup-temp.sh oim-setup.sh
Note:
Character '^M' is entered as 'ctl-V' and 'ctl-M'.
Execute Step 1 and Step 2 for OIMConfig.properties file.
For Oracle Role Manager:
Remove ^M character in:
ORMINT_HOME/tools/WebLogic_Automation/orm-setup.sh
and
ORMINT_HOME/tools/WebLogicAutomation/properties/ORMConfig.properties.This is done by executing either dos2unix, for example, dos2unix oim-setup.sh or the following shell commands:
sed 's/^M//g' oim-setup.sh > orm-setup-temp.sh
mv orm-setup-temp.sh orm-setup.sh
Note:
Characters '^M' is entered as 'ctl-V' and 'ctl-M'.
Execute Step 1and Step 2 for ORMConfig.properties file.
This section describes known bugs around the search functionality and behavior and contains the following topics:
Searchable attributes/operators should be sorted alphabetically
Search operator should be retained when selecting a different search attribute.
Sorting of search results should not be case sensitive throughout the application.
System fails to refresh the search results and displays the previous search results in the pop-up window.
Search attributes and operators appear to be sorted in random order in the search menu on search pages. Sort order should be alphabetical and non-case-insensitive.
When the user searches by first name using the begins with operator and later searches by a different attribute, the operator refreshes to contains, the default operator.
When the user searches on a blank value, the message "Full wildcard search is not supported" displays, which is a misleading statement. Full wildcard searches can be performed by entering the percent symbol (%) in the field to search.
This section describes known server bugs and contains the following topics:
Data load fails when data contains the specified field delimiter
System allows the System Administrator system role to be deleted or made inactive
Oracle RAC support lacks certification for high availability scenarios
Deploy tool fails to deploy when CAR file contains unchanged XML
Web sessions on clustered JBoss environments may not failover where messages are waiting to display
Problems when the database server and the application server are set to different times
JMSContainerInvoker exception displays in console on clustered JBoss environments
When the specified field delimiter character is present in the data to be loaded, the data loader fails. There is not currently a means by which an escape character can be provided to allow the special character to be treated as "loadable" data.
The recommendation is to make sure the field delimiter for all object types is a character that is not contained in your data set. The delimiter is set in the file parsing scripts. For information about the file parsing scripts see Oracle Role Manager Administrator's Guide.
Important grants are allowed to be removed. The recommended workaround is to use the procedures described in the Oracle Role Manager Administrator's Guide to restore the System Administrator system user.
EJB method invocation has a timeout associated with it so that no matter how many retries might take place, the batch role membership does not complete.
For JBoss, in the jboss.xml file, add configuration of the following to the TimerCommandEJB configuration:
<method-attributes>
<method>
<method-name>execute</method-name>
<transaction-timeout>3600</transaction-timeout><!-- Maximum 1 hour per batch
resolution process -->
</method>
</method-attributes>
For WebSphere, in the server.jar file, add a META-INF/ibm-ejb-jar-ext.xmi file with the following contents:
<?xml version="1.0" encoding="UTF-8"?> <ejbext:EJBJarExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:ejbext="ejbext.xmi" xmlns:ejb="ejb.xmi" xmi:id="ejb-jar_ID_Ext"> <ejbExtensions xmi:type="ejbext:SessionExtension" xmi:id="SessionExtension_1" timeout="3600"> <enterpriseBean xmi:type="ejb:Session" href="META-INF/ejb-jar.xml#Session_1183672362012"/> </ejbExtensions> <ejbJar href="META-INF/ejb-jar.xml#EJBJar_1183672362010"/> </ejbext:EJBJarExtension>
The Oracle Role Manager supports Oracle RAC database environments for general purpose operation only. High-availability scenarios, such as load balancing and failover, are not officially supported.
When deploying large data sets on Oracle Role Manager configured with the Sun JDK, the error "java.lang.OutOfMemoryError: Java heap space" might display. This is caused by either not enough JVM memory set in JAVA_OPTIONS, not enough physical memory on the host, or both.
For more information about increasing the JVM memory settings, see Oracle Role Manager Installation Guide.
If a customized CAR bundle contains already deployed but unchanged versioned XML files, the CAR file cannot be deployed. One workaround is to make sure that customizations are bundled separately, for example, the CAR file to deploy contains only the changed XML files.
Another workaround is to separate the versioned files (standard.xml, standard_permissions.xml, oim_integration.xml in oracle.iam.rm.temporal, and any XML that contains customized application data model extensions) from the component configuration XML files. This workaround allows redeploy of configuration without having to create separate CAR files. Note that redeploying the versioned files requires incrementing the version each time the CAR is changed and redeployed.
Due to a Java Server Faces bug, there is a small chance that a user session might be lost when replicating a user session during an application server failover event. This issue only occurs when a user performs create, delete, or update actions in the Web application and a message instance inside the session is not yet visible in the user interface. In this rare situation, a JBossCacheService exception (java.io.NotSerializableException) displays in the log file and can be ignored.
When the database server and the application server are set to different times, there can be problems deploying the Oracle Role Manager server to the application server. There can also be problems related to setting transaction time for operations submitted from the Oracle Role Manager Web application.
When starting the primary node on JBoss, some WARN exceptions display in the application server console. This is because JBoss happens to load the finalization-server.ear before its dependencies, such as the JMS resources and the server.ear EJBs. These error conditions recover when the dependencies are subsequently loaded, so the exception messages can be ignored.
This section describes bugs relating to messages generated by the system that display to the end user. This section contains the following topics:
System fails to display a warning dialog when canceling or navigating away from a create process
No warning message when delegating a Business Role twice to the same person
The system does not display a dialog with a meaningful message and successfully allows the user to navigate away from the create page. The user is not warned that he may lose data already entered.
When delegating a Business Role twice to the same person, the system successfully prevents repeat delegation, but no message displays to inform the user that the person already has been delegated that role.
The latest certification information for Oracle Role Manager 10g (10.1.4.2) is available at:
http://www.oracle.com/technology/software/products/ias/files/idm_certification_101401.html
|
 Copyright © 2006, 2010, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|