Oracle® Access Manager Installation Guide 10g (10.1.4.2.0) Part Number B32412-01 |
|
|
View PDF |
This chapter describes common troubleshooting issues and tips to resolve them. This chapter covers the following topics:
Oracle Virtual Directory SSL Listener Certificate Utility Flags
Reinstalling Oracle Access Manager with Oracle Internet Directory
Note:
Oracle Access Manager Release 10g (10.1.4.2.0) is a patch set. After installing 10g (10.1.4.0.1), you can apply Release 10.1.4 Patch Set 1 (10.1.4.2.0) to installed components. You cannot install 10g (10.1.4.2.0) directly.The following issues are browser specific:
When using Apache-based Web servers (including Apache, Oracle HTTP Server (OHS), and IBM HTTP Server (IHS)), Oracle Access Manager HTML pages may appear garbled.
Oracle Access Manager 10g (10.1.4.0.1) HTML pages use UTF-8 encoding. Apache-based Web servers allow administrators to specify a default character set for HTML pages using the AddDefaultCharset directive. If the AddDefaultCharset directive enables a character set other than UTF-8, Oracle Access Manager HTML pages are garbled.
Oracle recommends that you disable the AddDefaultCharset directive in the Web server configuration file (httpd.conf) as follows to ensure the correct display of Oracle Access Manager 10g (10.1.4.0.1) HTML pages:
AddDefaultCharset Off
With this configuration, when you create a container limits policy and specify a user to receive notification for a containment limit event then click Done in the Person Selector you may notice that the Save, Cancel, and Reset buttons do not appear and the policy cannot be saved.
To work around this problem
Open the oblixbaseparams.xml
file:
IdentityServer_install_dir\identity\oblix\apps\common\bin\oblixbaseparams.xml
Locate the section, applet_customizations
and find the subsection for the applet where the problem is observed. For example, containmentlimit_applet
subsection.
Adjust the width and height parameters suitably for this applet to resolve the issue. For example, modify the applet_dimension_height
parameter to a value of 530.
Restart the Identity Server.
Open a new browser window and view the same applet.
Previous releases of Oracle Access Manager supported only Latin-1 encoding. 10g (10.1.4.0.1), however, supports UTF-8 encoding. This problem should no longer occur.
Symptom: You receive Unable to Authenticate Resource errors on Internet Explorer.
Cause: Internet Explorer provides the advanced option to always convert UTF characters in URLs. Oracle Access Manager automatically does this as well. Having both enabled causes authentication errors.
Solution: Complete the steps that follow to remedy "Unable to Authenticate Resource" errors on IE.
To remedy this
Open the globalparams.xml
file in a text editor. This file is stored in two locations, and both must be edited:
\IdentityServer_install_dir\identity\oblix\apps\common\bin\globalparams.xml
\AccessServer_install_dir\access\oblix\apps\common\bin\globalparams.xml
Set the doUtfConversion
parameter to NO and save your changes.
Note:
If you set this after importing the UTF-8 data, restart the Web server, close all browsers, and open a new browser window.In Microsoft Internet Explorer, select Internet Options from the Tools menu.
In the Internet Options dialog box, select the Advanced tab.
Under Browsing, deselect the Always send URLs as UTF-8 check box.
The following discussions identify several directory server issues:
See also "Issues with Oracle Virtual Directory Implementations".
Active Directory 2000 does not support concurrent bind requests coming from different Oracle Access Manager threads on the same LDAP connection. Oracle Access Manager servers are multi-threaded and maintain a pool multiple LDAP connections to the directory server. Several Oracle Access Manager threads may share the LDAP connection for efficient processing of requests. However, Active Directory 2000 does not support concurrent binds requests coming from different Oracle Access Manager threads on the same LDAP connection. This may cause spurious authentication failures.
To avoid this situation
On the Access Server, locate the globalparams.lst file and open this in an editor.
Add a new flag called exclusiveAuthnConnection and set it to true.
This forces Oracle Access Manager threads to use separate LDAP connections for bind requests being sent to the directory server.
For additional information, see:
ADSI Cannot Be Enabled for this DB Profile (Active Directory)
Appendix A, "Installing Oracle Access Manager with Active Directory"
Symptom: 400 policy domains were created in Oracle Access Manager, each with 10 resources and 10 policies. The limitAMPolicyDomainResourceDisplay
is set to true
in the Policy Manager globalparams.xml file. When the Search icon is selected an error page appears stating "The following messages were produced by the product. Please contact your webmaster to fix the problem."
Cause: The number of policy domains exceeds the current limit.
Solution: Do not exceed 350 policy domains with Active Directory.
Oracle Access Manager supports changing the user data DB profile between ADSI and LDAP using the Identity System Console. However, Oracle Access Manager does not support changing the configuration or policy DB profile between ADSI and LDAP using the System Console.
Symptom: Suppose you have user data stored in an Active Directory forest using LDAP and configuration and policy data stored in another Active Directory forest using ADSI. When you change the ADSI flag in the configuration data DB profile to LDAP using the Identity System Console and restart Oracle Access Manager servers and services, the ADSI flag remains enabled and the following message appears:
"ADSI can be enabled for either User or Configuration DB Profile if they are in a separate forest. ADSI Cannot be Enabled for this DB Profile."
Further, attempting to modify the user data DB profile to ADSI produces an error because Oracle Access Manager recognizes the DB profile for configuration and policy data as ADSI enabled.
Solution: Rerun the setup program to modify the DB profile for configuration and policy data.
If you installed Active Directory with Windows Server 2003 and experience difficulty with dynamically-linked auxiliary classes, ensure that you have completed all items that follow.
See Also:
For more information, see Chapter A, "Installing Oracle Access Manager with Active Directory".To enable dynamically-linked auxiliary classes for Active Directory
Before Oracle Access Manager installation, you must ensure that the Active Directory domain and forest functionality are operating at a Windows 2003 Server level.
You must raise both the domain and the forest to a Windows 2003 Server level, as described in the Microsoft documentation.
During Identity System installation and set up, you must specify dynamically-linked auxiliary classes when asked.
During Policy Manager installation and set up, you must specify dynamically-linked auxiliary classes when asked.
During Access Server installation, you must specify dynamically-linked auxiliary classes when asked.
After setup, it's a good idea to verify that the dynamicAuxiliary
flag is set to true in the following files:
\IdentityServer_install_dir\identity\oblix\data.ldap\common\ldapconfigdbparams.xml
\PolicyManager_install_dir\access\oblix\data.ldap\common\ldapconfigdbparams.lxml
\AccessServer_install_dir\access\oblix\data.ldap\common\ldapconfigdbparams.xml
NameValPair ParamName= "dynamicAuxiliary" Value= "true"
Oracle Access Manager also sets a dynamicAuxiliary
tag to true in the following file:
\IdentityServer_install_dir\identity\oblix\config\setup.xml
Note:
The directory is the best place to look for any static associations.Configure Oracle Access Manager for dynamically-linked auxiliary class support, as described in the Oracle Access Manager Identity and Common Administration Guide.
For more information, see Appendix B, "Installing Oracle Access Manager with ADAM".
Please make sure the configuration DN or searchbase exist.
This error message may also indicate that you are not using ous for the configuration and policy DNs.
The ADAM schema must be updated through an open port. For details, see "ADAM Schema Updates".
Password changes can be made only through an SSL-enabled port. For details, see "ADAM Password Changes".
ADAM describes the user object class differently than Active Directory. samaccountname, which is required with Active Directory, does not exist in ADAM. grouptype is still required with ADAM. Oracle Access Manager configures a grouptype attribute when you automatically configure attributes during setup.
Keep the following in mind with manual schema updates when you don't plan to use dynamic auxiliary classes:
Update the schema manually using IdentityServer_install_dir\identity\oblix\data.ldap\common\ADAM_oblix_schema_add.ldif, as described in "Installing and Setting the Identity System with ADAM".
Use the ldifde command to import the Oracle Access Manager schema file ADAMAuxSchema.ldif from the IdentityServer_install_dir\identity\oblix\data.ldap\common directory.
Ensure that the object classes "oblixorgperson" and "oblixgroup" are explicitly attached as auxiliary classes to the Person and Group object classes, respectively.
Password changes require SSL. If you have a problem changing a password, the directory server may have a native password policy that is not being honored.
When creating a user, ensure the user has a password. If you activate a user and the operation fails, the user may not have a password.
Users must be enabled within ADAM. If you search for a user in the Oracle Access Manager User Manager, and the user does not appear as the result of the search, check the msDS-UserAccountDisabled= user attribute in the object class to see if it is disabled or enabled.
When you install Oracle Access Manager, you must manually update the ADAM schema.
If the user data directory instance is separate from the configuration and policy data directory instance, you must manually upload the ADAM_user_schema_add.ldif file.
On the configuration data directory instance, you must manually upload the ADAM_oblix_schema_add.ldif file. When using static auxiliary classes, you must manually upload the ADAMAuxSchema.ldif file.
If the policy data directory instance is separate from the configuration data directory instance, you must manually upload the ADAM_oblix_schema_add.ldif file. When using static auxiliary classes, you must manually upload the ADAMAuxSchema.ldif file.
Currently ldifde, which is used to extend the ADAM schema, does not support binding to an SSL port. If you are having trouble updating the schema, ensure that you specified the open ADAM port during Identity Server installation. You may still install certificates and specify SSL during Identity Server installation.
If you tune Oracle Internet Directory 10.1.2 or earlier using the ldapmodify
command described in "Tuning for Oracle Internet Directory", you will receive the following error message:
"Attribute orclinmemfiltprocess is not supported in schema."
The orclinmemfiltprocess
attribute is not supported in the schema until Oracle Internet Directory 10.1.4. As a result, you cannot perform "Tuning for Oracle Internet Directory" if you have installed Oracle Internet Directory 10.1.2 or earlier.
This discussion covers the following Identity Server issues that may arise:
Under certain circumstances, you may want to reuse an existing Identity Server name. For example, you may want to use an existing Identity Server name if you need to remove an Identity Server instance from one computer and reinstall it on another computer.
If you do not delete the original Identity Server name from the System Console, a login following the set up of a new instance may result in the message "Application has not been set up". Special steps must be taken to ensure you can set up the application and login when recycling an Identity Server name.
For more information, see "Recycling an Identity Server Instance Name".
When the Identity Server and WebPass are installed in Cert mode using certificates issued by a subordinate CA, you may see a blank page when you click the Identity System Console link to start Identity System setup. The event viewer may show a Oracle Access Manager error without specifying any cause.
When using certificates generated by a subordinate CA, the root CA's certificate must be present in the xxx_chain.pem
along with the subordinate CA certificate. Both certificates must be present to ensure appropriate verification and successful Identity System setup.
See Also:
Information on transport security modes in the Oracle Access Manager Identity and Common Administration Guide.To see if Access Server is running, Telnet to it using the port it is listening to. The following is a Telnet session to an Access Server running on a server named myserver.mycompany.com
running on Port 6021:
myserver% telnet myserver.mycompany.com 6021 Trying 192.168.5.18. . . Connected to myserver.mycompany.com. Escape character is '^]'. ^] telnet> q Connection closed. myserver%
In the preceding example, the system's response:
Connected to myserver.mycompany.com. Escape character is '^]'.
indicates that the Access Server accepted the Telnet request and is operational. If you cannot connect to the server on the port it was installed to listen on, there is a problem with the Access Server. Possible problems include:
The connection is blocked by a firewall
The server is not running
Check the firewall to see if the connection is open. Check the Access Server process to see if it is running. At the Access System server, you can use the netstat
command to verify that the server is communicating through the ports you specified when you installed the Access Server.
Symptom: You receive a message "Could Not Get any DB Profile used by Identity2 during initialization of DBManager. Please verify that there exists enabled DB profile for Identity2".
Cause: This can occur when you:
Install a second (or later) Identity Server
Answer Yes during installation when asked if this is "the first Identity Server in the network for this LDAP directory server".
Restart the Identity Servers and Web servers.
Solution: Uninstall the Identity Server, then reinstall the Identity Server and answer No when asked if this is "the first Identity Server in the network for this LDAP directory server.
Symptom: During Identity System setup you are asked to restart the Identity Server and Web servers. After a long wait, the browser returns a message, "The page cannot be displayed".
Cause: Your Web browser may time out waiting for a Identity Server response after specifying directory server details and automatically configuring user object classes, and Group object classes because the schema update may exceed the browser's timeout.
Solution: Wait for a minute or so and refresh the browser to continue.
If the Identity Server does not start, there are three items you can check that may cause the issue.
To troubleshoot the Identity Server
Ensure that the LDAP directory is clean. For example:
Is the configuration branch empty?
Does the configuration branch have the right data?
Does the configuration branch have data from a previous install with a different Identity Server entry?
Confirm that the following files are correct and in the correct folder:
\IdentityServer_install_dir\identity\oblix\config\configinfo.xml
\IdentityServer_install_dir\identity\oblix\config\ois_server_config.xml
\IdentityServer_install_dir\identity\oblix\config\setup.xml
Verify that the port chosen for the Identity Server is not already in use by another application.
Symptom: Identity System components on RedHat Linux may fail with the new NPTL-based runtime libraries when "MAX_ROTATION_SIZE" is reduced to 10000 kb in the oblog_config.xml file.
Solution: Set the LD_ASSUME_KERNEL environment variable before starting the Web server and WebLogic and WebSphere components that integrate with the 10g (10.1.4.0.1) Software Developer Kit and Oracle Access Manager Web components (WebPass, WebGate, and Access Manager). For example:
# export LD_ASSUME_KERNEL=2.4.19
This causes the Linux dynamic linker to use the old runtime libraries.
IdentityXML calls require authentication credentials. If there is no WebGate protecting WebPass, thenthe basic credential mechanism is used. This takes the form of username and password embedded in the SOAP request itself. However, when a WebGate is installed later, then the IdentityXML calls must be changed to use a SSO toekn-based authentication.
The IdentityXML calls need to be changed to first obtain an OBSSOCookie, and then pass that token into all the subsequent calls. An example of how to do this is shown in the Oracle Access Manager Developer Guide. Look for details on code examples of deployed IdentityXML functions, and the ObSSOCookie Example.
The Identity Server identifier that you enter during installation must be unique and must differ from the WebPass identifier that you enter during WebPass installation.
If the WebPass identifier you enter during installation matches the Identity Server identifier entered during the Identity Server installation, the WebPass identifier is not created and will not be available in the Identity System Console after setup.
Use the following steps to reconfigure the WebPass:
Locate the setup_webpass
utility. For example:
WebPass_install_dir\identity\oblix\tools\setup\setup_webpass.exe
where WebPass_install_dir is the directory where you installed the WebPass (c:\OracleAccessManager\identity
, for instance).
Run the setup_webpass
utility with the following options:
setup_webpass -i <WebPass_install_dir> [-q] [-n <WebPass ID>][-h <OIS hostname>] [-p <OIS port #>] [-s <open|simple|cert>][-P <simple|cert mode password>] [-c (request|install)][-W iis]
To change the WebPass password for simple/cert mode
Use the following steps to change the WebPass password for simple/cert mode:
Locate the setup_webpass
utility. For example:
WebPass_install_dir\identity\oblix\tools\setup\setup_webpass.exe
Run the setup_webpass
utility with the following options:
setup_webpass -i <WebPass_install_dir> -k
Use the following steps to reconfigure Webpass mode:
Locate the setup_webpass
utility. For example:
WebPass_install_dir\identity\oblix\tools\setup\setup_webpass.exe
Run the setup_webpass
utility with the following options:
setup_webpass -i <WebPass_install_dir> -m
Following are some general guidelines to follow when installing Oracle Access Manager Web components with IIS Web servers.
Account Privileges: The account that performs Oracle Access Manager installation must have administration privileges. The user account that is used to run the Identity Server and Access Server services must have the "Log on as a service" right, which can be set by selecting Administrative Tools, Local Security Policy, Local Policies, User Rights Assignements, Log on as a service.
IIS 6 Web Servers: You must run the WWW service in IIS 5.0 isolation mode. This is required by the ISAPI postgate filter. During Oracle Access Manager installation, this is usually set automatically. If it is not, you must set it manually for the Default Web site.
WebGate: When installing IIS WebGates, setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS . For example, suppose you install the ISAPI WebGate in Simple or Cert mode on a Windows 2000 computer running the FAT32 file system. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored.
When installing WebGates for IIS and you want to enable form-based authentication and single-sign on (SSO), ensure that you install the WebGate in the same directory as the Policy Manager component. For example:
Failure During Automatic Web Server Configuration Updates on Windows 2003 Server Platforms Localized for Brazilian Portuguese and French Languages: An error may occur during automatic Web server configuration updates when installing Policy Manager or WebGate. For example:
Failure of the definition of the rights of access on the C:\ProgramFiles\NetPoint\WebComponent\access file
The 10g (10.1.4.0.1) setNTAcl tool failed to retrieve or set the access permissions while processing user names with non-ASCII Latin-1 characters. The function expects UTF-8 characters.
To resolve this issue, the following steps are recommended by Oracle to obtain and use the setNTAcl tool that is available with Release 10.1.4 Patch Set 1 (10.1.4.2.0). To summarize this task, you start a 10g (10.1.4.0.1) Policy Manager installation and then exit after product files are extracted into the designated installation directory. The Policy Manager must be installed at the same directory level as WebPass and must ultimately be configured to work with the same Web server instance as WebPass. For example:
Note:
Both the Policy Manager and WebGate must be installed in the same directory to perform SSO form-based login. This does not occur by default.Next you apply Release 10.1.4 Patch Set 1 (10.1.4.2.0), and then extract and back up the 10.1.4.2.0 setNTAcl.exe tool for use later. You delete the original Policy Manager installation directory, start new 10g (10.1.4.0.1) Policy Manager installation and use the Release 10.1.4 Patch Set 1 (10.1.4.2.0) setNTAcl.exe tool as described in the following procedure. To finish, you reinstate the 10g (10.1.4.0.1) setNTAcl.exe tool.
Note:
You perform steps 1 through 3 once only to obtain the Release 10.1.4 Patch Set 1 (10.1.4.2.0) setNTAcl.exe tool. Remaining steps must be performed for each Policy Manager and WebGate instance.To use the patch set 1 (10.1.4.2.0) setNTAcl.exe tool with Web components for IIS
Start a 10g (10.1.4.0.1) Policy Manager installation for IIS as follows:
Launch the 10g (10.1.4.0.1) Policy Manager installer and specify a directory at the same level as an existing WebPass. For example:
Proceed until product packages are extracted and you see the Configure Directory Server for Policy Data screen, then click Cancel to exit the installer.
Apply Release 10.1.4 Patch Set 1 (10.1.4.2.0) to the Policy Manager you just installed to obtain a copy of the 10.1.4.2.0 setntacl tool, as follows:
Using instructions in the Oracle Access Manager Patchset Notes Release 10.1.4 Patchset 1 (10.1.4.2.0) For All Supported Operating Systems, download and apply Release 10.1.4 Patch Set 1 (10.1.4.2.0) to the Policy Manager you just installed.
Note:
The new Release 10.1.4 Patch Set 1 (10.1.4.2.0) setNTAcl.exe tool is the same for both the Policy Manager and WebGate.Create a backup copy of the Release 10.1.4 Patch Set 1 (10.1.4.2.0) setntacl tool and store it in a new directory for later use. For example:
Delete the Policy Manager installation directory you started in step 1.
Perform a new 10g (10.1.4.0.1) Policy Manager for IIS installation as follows:
Specify a new Policy Manager and WebGate installation directory. For example:
c:\101401\Web_component\access
After file extraction, when the Configure Directory Server screen appears, create a backup copy of the 10g (10.1.4.0.1) setntacl tool that was just installed for Policy Manager and store it in a different location for later retrieval. For example:
From: 101401\Web_component\access\oblix\tools\setNTAcl
To: backup_101401_NTtool\setNTAcl
Use a copy of the Release 10.1.4 Patch Set 1 (10.1.4.2.0) setntacl tool to replace the 10g (10.1.4.0.1) setntacl tool in the new Policy Manager installation. For example:
Finish the 10g (10.1.4.0.1) Policy Manager installation as usual; you should see no errors.
Use a copy of the 10g (10.1.4.0.1) setntacl tool backup to replace the Release 10.1.4 Patch Set 1 (10.1.4.2.0) setNTAcl tool in the new installation directory to preserve the exact 10g (10.1.4.0.1) installation configuration.
Optional: Apply the Release 10.1.4 Patch Set 1 (10.1.4.2.0) to the Policy Manager using instructions in the Oracle Access Manager Patchset Notes Release 10.1.4 Patchset 1 (10.1.4.2.0) For All Supported Operating Systems.
Repeat these steps for each Policy Manager instance.
Install WebGate in the same directory as the Policy Manager, as follows:
Choose the same installation directory for WebGate as the Policy Manager you just installed.
101401\Web_component\access
When the Configure WebGate screen appears after file extraction, create a backup copy of the 10g (10.1.4.0.1) setntacl tool that was just installed for WebGate and store it in a different location for later retrieval. For example:
From: 101401\Web_component\access\oblix\tools\setNTAcl
To: backup_101401_NTtool\setNTAcl
Copy the Release 10.1.4 Patch Set 1 (10.1.4.2.0) setntacl tool for WebGate and use it to replace the 10g (10.1.4.0.1) setntacl tool. For example:
Finish the 10g (10.1.4.0.1) WebGate installation as usual; you should see no errors.
Retrieve the backup copy of the 10g (10.1.4.0.1) setntacl tool, and use it to replace the Release 10.1.4 Patch Set 1 (10.1.4.2.0) setNTAcl tool in the WebGate installation directory to preserve the exact 10g (10.1.4.0.1) installation configuration.
Optional: Apply Release 10.1.4 Patch Set 1 (10.1.4.2.0) to the WebGate using instructions in the Oracle Access Manager Patchset Notes Release 10.1.4 Patchset 1 (10.1.4.2.0) For All Supported Operating Systems.
Repeat these steps for each WebGate instance.
You should be aware of several conditions that might affect your implementation with Oracle Virtual Directory:
For more information, see Chapter 10, "Setting Up Oracle Access Manager with Oracle Virtual Directory".
Active Directory or ADAM Search Problem: With Oracle Virtual Directory and Active Directory or ADAM directory servers, you cannot search with the "That Sounds Like" operator.
Cause: Active Directory or ADAM directory servers do not support the "That Sounds Like" search.
Workaround: Do not use the "That Sounds Like" search with Active Directory or ADAM directory servers.
You cannot modify multi-value attributes through a Change Attribute workflow.
Cause: The default Oracle Virtual Directory schema includes multi-valued attributes, as does the Sun Directory Server schema. The attribute syntax on Active Directory sometimes may not match. For example, the mail address in Active Directory is single-valued but on a Sun Directory Server and Oracle Virtual Directory this is multi-valued.
For example, when Oracle Virtual Directory is communicating with Active Directory and a Sun directory server if you create a Change Attribute workflow and try to change a multi-valued attribute (such as an mail address) for a user on the Sun Directory Server, the attribute is changed but on Active Directory the commit step fails and the attribute does not get changed.
Workaround: Do not change multi-valued attributes.
Sub-tree Search: With a database split profile, you cannot derive an attribute from an attribute that is present in the secondary table.
Cause: Oracle Access Manager cannot perform a sub-tree search on an attribute from a secondary data store.
Suppose, for example, if you used the mapping template CustomOracleDBMapping_mpy.xml and defined a derived attribute for InetOrgPerson as follows:
Attribute Name: MyAttr
Display Name: MyAttr
Match Attribute: employeenumber
Lookup Attribute: employeenumber
Object class: InetOrgPerson
When you search for a user (Rohit for example) and view his profile, you can see the value for the employeenumber attribute but the myAttr value is blank.
In the following example, there is a database and a split profile and the following adapter templates:
CustomOracleAdaptorSplitPrimary_adapter_template.xml
CustomOracleAdaptorSplitSecondary1-1_adapter_template.xml
CustomOracleAdaptorSplitSecondary1-M_adapter_template.xml
CustomAdapterJoinView_adapter_template.xml
Workaround: Do not configure attributes from a secondary data store
Create User Workflow: When defining a Create User workflow, Oracle Access Manager enables you to select attributes from the Oracle Virtual Directory secondary view. At run time, the user entries are created in the primary view; however, the workflow fails and these entries cannot be used by Oracle Access Manager.
Cause: Oracle Access Manager gets all the attributes from Oracle Virtual Directory and therefore has no knowledge about which attributes are obtained from the primary data store, rather than the secondary data store.
Workaround: Do not configure attributes from a secondary data store.
When you set up Oracle Access Manager with a Oracle Virtual Directory virtual directory that federates at least one LDAP directory and at least one database table, then you try to remove a member from a group in the LDAP directory, the entire group is removed from that directory.
Cause: For performance reasons, Oracle Virtual Directory returns to Oracle Access Manager only the member you specify for deletion. By contrast, a "standard" LDAP directory server would return all the members in the group.
This non-standard Oracle Virtual Directory behavior has consequences when you try to use Identity System to delete a member from a group. Because a "standard" LDAP directory server returns all members of the group, Oracle Access Manager stills "sees" the rest of the members of the group after the one member has been deleted. But since Oracle Virtual Directory has returned to Oracle Access Manager only the single member of the group designated for deletion, Oracle Access Manager does not "see" any other group members after it deletes the returned member, so it assumes that the group is now empty and it deletes the group and all its members.
Important:
This is generic to all DN attributes, not just uniqueMember of a group. The workaround must be applied to all DN attributes where multiple values are a possibility.Work Around: See the customized file shown in "Customized Mapping Script for Oracle Database" and pay attention to the following details to prevent the Identity System from writing dummy user to backend database:
Workaround to prevent COREid from writing dummy user to backend database if haveAttributeValue('uniqueMember','cn=Dummy User'): #removeAttributeValue('uniqueMember','cn=Dummy User') if operation != 'modify': removeAttributeValue('uniqueMember','cn=Dummy User') else: change = removeAttribute('uniqueMember')[0] change.values.remove(DistinguishedName('cn=Dummy User')) addEntryChange(change)
The following issues arise during or immediately after installation:
Symptom: The Access Server installation halts with a message explaining that there is no DB profile for this server.
Solution: Perform these steps:
Navigate to the Access System Console from your browser by specifying the URL of the WebPass instance for the Policy Manager. For example:
http://hostname:port/access/oblix
where hostname
refers to Web server host of the WebPass instance; port
refers to the HTTP port number of the WebPass Web server instance; /access/oblix
targets the Access System Console.
Select the Access System Console link, then log in as a user with Master Administrator privileges.
Select the Access System Configuration tab, Access Server Configurataion in the left column, and AccessServer_Link.
Click the Associate DB Profiles button at the bottom of the details page.
Click the AccessServer_default_user_profile link at the bottom of the page.
Confirm that AAA Servers is checked, with either All Servers or the appopriate servers identified.
Confirm that the profile is enabled, at the bottom of the page.
Click Save.
Log out and continue the Access Server installation.
Symptom: Your Web server's CGI programs do not run after you install Oracle Access Manager.
Solution: Perform these steps:
In the ../https:server name/config directory obj.conf
file, add this line before the other Oracle Access Manager Init functions:
Init fn="Init-cgi" timeout-300 LateInit="yes"
Type the line exactly as shown.
Restart your Web server.
Symptom: When installing a Identity Server on a new computer, sometimes the installer attempts to replace the winnt/system32/Msvcrt.dll
file with an updated one. Because this file is locked by Windows, you get "File is locked cannot replace" message.
Cause: The installer sometimes attempts to replace a file that is locked by the Windows operating system.
Solution: Click Restart in the warning box to replace the DLL.
Symptom: Identity Server installation in GUI mode may fail with a "bad credentials error (49)", though the credentials are valid.
Cause: Known problems with third-party Installshield's ISMP framework. If any inputs supplied during installation contain the character $, the installer might interpret it unpredictably. For example, if the bind password supplied during the schema update for the first Identity Server is Admin$$
, ISMP interprets this as Admin$
while invoking the schema update tool and the update fails citing a "bad credentials error(49)".
Suggested Workaround: If this problem is observed during invocation of a particular tool, you may run that tool from the command line.
Note:
Every Oracle Access Manager installer that uses the same password may also fail with a credential problem of some type.Symptom: During a subsequent Oracle Access Manager component installation on the same computer, or when installing a second instance of a component on the same computer, the user is prompted to replace one or more of the following DLL files even if the files had been updated during a previous installation:
messagedll.dll
mtl70mt.dll
Cause: The preceding DLLs are not Oracle Access Manager DLLs. Because these DLLs do not contain version information, Oracle Access Manager uses a DLL's data stamp to evaluate whether the file needs to be replaced. Upon subsequent installations, the user is prompted to replace the file because the date stamp is older.
Solution: Click OK to replace the DLLs.
You may experience an issue when exiting from Oracle Access Manager component installation on Solaris before the installation completes. Early termination of the installer on Solaris may result in a core dump. In this case, the following message appears:
SIGABRT 6 abort (generated by abort(3) routine) si_signo [6]: ABRT si_errno [0]: si_code [-1]: SI_LWP [pid: 1724, uid: 0] stackpointer=FFBFD7D0 "process reaper" (TID:0x72d588, sys_thread_t:0x72d4c0, state:NS, thread_t: t@54, threadID:0x0, stack_bottom:0x0, stack_size:0x0) prio=5 ...
This is only a problem with the installer. It has no impact on the functionality of the Oracle Access Manager component that you installed.
Symptom: When starting a GUI installation on Unix, you may receive a warning regarding fonts and scroll bars.
Solution: These warnings can be ignored. They indicate a change in the appearance of the installation wizard GUI.
Symptom: If you terminate the Windows installation wizard abnormally (such as by hitting Control + C or terminating it from the Task Manager), the wizard is not able to properly clean up its files and leaves a large amount of data in the TEMP
directory.
Solution: Delete these files manually.
To run Install Shield as a non-root user on AIX, set the environment variable as:
AIX_ISMP_SUPPORT=NONROOT
Install Oracle Access Manager components in directories that have only standard alphanumeric characters in their path name. Be sure that all file and path names include only English language characters. In file and path names, no international characters are allowed.
Once you finish installing Oracle Access Manager, test your installation.
To test Oracle Access Manager installation
Use the following steps to test an Oracle Access Manager installation:
Close all browsers.
Shut down your Access Server.
Try to open a page protected by Oracle Access Manager.
You should receive an Oracle Access Manager operation error indicating it was unable to authenticate your login.
Restart the Access Server and the Web server.
Attempt to connect to the same page as in Step 3. The page you specified should open.
Symptom: You cannot get past the Person object class page during installation and setup.
Cause: Your directory schema is probably invalid.
Solution: Review the changes you made to the directory schema to see if you have done them correctly.
Symptom: You install WebGate on an Apache Web server running on AIX in SSL mode. You make changes to httpd.conf
file from the sample.obj.conf
file. The Apache Web server fails to start after changing the httpd.conf
file. You may receive this message:
"Name of server certificate chain file is hardcoded as ca.cert in the httpd.conf file."
Solution: Change the Server-Certificate-Chain-filename to match the actual name of the server certificate chain file for the user.
Following are solutions to problems you may experience:
Problem: When running the installer using the Console method with some language packs, the "Enter Password" string does not display correctly. The prompt asking you to enter the LDAP password may be garbled.
Solution: The solution that works in most cases is to install all of the language support available on the computer where the Oracle Access Manager installation is being performed. Be sure all of the fonts that are required for the language are installed. Log in to the computer locally and choose the language to display on the login screen.
Symptom: If you install additional Administrator Language Packs for Access System components (after installing the same Language Packs for the Identity System), you may not be able to view new Administrator languages in the Policy Manager.
Solution: Use the procedure that follows to enable new Administrator languages.
To enable additional Administrator languages for the Access System
Install new Administrator languages for all Identity System components.
Install new Administrator languages for Access System components.
Use the Identity System Console to enable the Administrator languages as follows:
Disable the Administrator language, if previously enabled.
Enable the Administrator language (now installed on both the Identity and Access System components).
Restart the appropriate Oracle Access Manager server services (Identity and Access Server services for example) and Web component (WebPass, Policy Manager, and WebGate) Web servers (Apache, IIS, or Sun ONE for example).
Symptom: WebGate is not using the installed Administrator language when the installation sequence is Policy Manager, Language Pack, then WebGate in the same directory.
Cause: If you install the Policy Manager then a Language Pack then a WebGate in the same directory, the language is installed for the Policy Manager only. In this case, both the Policy Manager and WebGate share a common obnls.xml file.
Soution: Install the same Language Pack for the WebGate.
Symptom: Policy Manager is not using the installed language when the installation sequence is Policy Manager, Language Pack, then WebGate in the same directory.
Cause: During WebGate installation you may be asked if you want to overwrite the obnls.xml in the Policy Manager installation directory. Selecting "Yes" replaces the Policy Manager's obnls.xml file (which contains additional Language Pack entries) with a fresh obnls.xml file (which will not include listings for all installed languages). As a result, the Policy Manager will not be available in the additional Administrator language.
Solution: If you are asked during WebGate installation to overwrite obnls.xml in the Policy Manager installation directory, be sure to select "No". If you select "Yes", you must install all the same languages for the WebGate as you did for the Policy Manager.
Removing the Language Pack associated with the default Administrator language that was selected during installation is not supported.
If you accidentally uninstall the default Administrator language, you should be able to recover using the following procedure:
To restore the default Administrator language
Create one options file, (options.txt, for example) with the following content for the default Administrator language you removed:
-W ObPropBean.defaultLocale="ko-kr"
where the value of ObPropBean.defaultLocale, "ko-kr" (Korean) in the preceding example, is the locale of the default Administrator language selected for this installation.
Reinstall the default Administrator Language Pack for each component, as shown in the following example:
Identity System:
Oracle_Access_Manager10_1_4_0_1_KO_Win32_LP_Identity_System.exe -options options.txt
Access System:
Oracle_Access_Manager10_1_4_0_1_KO_Win32_LP_Access_System.exe -options options.txt
After reinstalling the default Administrator Language Pack for each component, restart the server services (Identity Server and Access Server) and Web servers OHS or IIS for WebPass, Policy Manager, and WebGate.
This discussion covers the following issues that may arise during login:
The message "Identity Server Logged You In, Access System Logged You Out" could be triggered by one or more events. For example:
You did not restart the Identity Servers after setting up Access System components.
The Identity and Access Servers are running on different computers and the clock is set to a different time.
In this case, change the login slack parameter or synchronize system clocks.
You have protected the Identity System with a policy domain but not the Access System, or vice versa.
Both systems must be protected.
The shared secret needs to be regenerated.
Delete the shared secret from the directory server.
Log in to the Access System Console.
Select Access System Configuration, Common Information Configuration, Shared Secret.
Generate a new shared secret.
Symptom: Users are unable to log in after Oracle Access Manager installation.
Cause: When you import user data into Active Directory, all passwords are cleared. This is a security feature of Active Directory.
Solution: In the Active Directory User and Computer MMC, be sure the Change password on next login check box is not selected. Have your users change their passwords.
In the Policy Manager, enable access control for the Password attribute. This forces users to create a service ticket to change their passwords.
Symptom: Users receive repeated login prompts.
Cause: This can occur when you install Oracle Access Manager on a Web server that has security policies enforced through a Web browser.
Solution: Enable Oracle Access Manager security and disable the browser's security.
Symptom: Users may experience unpredictable behavior when they attempt to browse the /identity or /access directory or click the System Console and Policy Manager links (such as receiving File Download dialog boxes).
Cause: This can occur when you install Oracle Access Manager on a Web server that has security policies enforced through a Web browser. When the Oracle Virtual Directory has "Scripts only" permission, users are unable to log in to either the Access System Console or Policy Manager.
Solution: Change the Oracle virtual directory's permissions from "Scripts only" to "Scripts and Executables".
To change permissions for the Oracle virtual directory
Select the computer configured for Oracle Access Manager.
Expand the Default Web Site.
Right-click either identity or access (the virtual directory you created during Identity System or Access System install).
Select Properties and select Scripts and Executables.
The Oracle Access Manager Installation Guide chapter on "Setting Up Oracle Access Manager with Oracle Virtual Directory", contains a procedure to configure the Oracle Virtual Directory SSL Listener. Step 8 of this procedure must contain the correct command-line syntax, as shown in the following example.
8. Import the root CA to the Identity Server using the following command:
certutil -d IdentityServer_install_dir\identity\oblix\config -A -n ldap -a -t "C,," -i root_ca_file
Note:
In the certutil command, the -t (trusted arguments) flag should be followed by the trust attributes that will be assigned to the certificate, enclosed in double-quotes.You need to set the TEMP
environment variable to point to a valid directory. Oracle recommends that you do this for the entire system, as shown in Figure E-1. However, you can also set the TEMP
variable for the IIS user.
Figure E-1 Setting the TEMP Environment Variable
Without this variable, the Policy Manager attempts to create temporary intermediate files in the root directory and if IIS doesn't have permission to create the files at that level, you may see an error in the following circumstances. For example:
When setting up the Policy Manager
When selecting either the Policy Manager or Access System Console link from the Access System Console main page
In this case, you may see an error message on setup pages warning about not being able to locate the TEMP
directory.
Symptom: You receive the message, "You cannot delete the Directory Server Profile that accesses the Policy base." after uninstalling the optional Policy Manager and deleting the setup* and config* files in PolicyManager_install_dir. You may be able to delete the Policy Manager profile for user and configuration data from the Identity System Console, but not the profile for policy data.
Solution: After uninstalling the optional Policy Manager, you need to complete the steps that follow before you can remove remaining Policy Manager policy profiles.
To delete a leftover Policy Manager policy profile
To delete a leftover Policy Manager policy profile, use the following steps:
Uninstall the Policy Manager.
In the directory server, remove all oblix-related entries and be sure to delete the obpolicybase
attribute from the top node. For example,
o=Oblix,o=oblixdata,c=uk
Restart the Identity Server.
In the Identity System Console, delete the Policy Manager policy profile.
See Also:
See the following topics for more information about issues that may affect the Policy Manager:If Oracle Access Manager will be removed and reinstalled with the same directory instance, only the Oracle Access Manager configuration tree(s) need be deleted. In this case, there is no need to remove the Oracle Access Manager schema from the directory instance. When reinstalling the Identity Server, select ÒNoÓ when asked if you want to update the schema (which is already present). Selecting ÒYesÓ results in an an error message "schema already exists".
You remove the Oracle Access Manager configuration tree from the directory server instance using tools and instructions from your directory vendor. For Oracle Internet Directory, for example, you may use the Oracle Internet Directory Administration Console. However, you cannot simply delete the parent object because there are dependencies and recursive deletes are not possible.
Oracle recommends that you do not remove the Oracle Access Manager schema from Oracle Internet Directory using the Console. Instead, Oracle recommends that you use the LDIF files in Component_install_dir\identity\access\oblix\data.ldap\common. For example:
OID_oblix_schema_index_delete.ldif : Oracle Access Manager attrbitue index cleanup file drops the Oracle Access Manager indexes before or after you clean up the schema.
OID_user_schema_delete.ldif—Oracle Access Manager user data cleanup file for Oracle Internet Directory—removes user data that resides on a separate directory instance from configuration data
OID_oblix_schema_delete.ldif—Oracle Access Manager configuration data cleanup file for Oracle Internet Directory—removes both user and configuration data when both reside on the same directory instance
When user data and configuration data reside in the same directory instance, only the OID_oblix_schema_delete.ldif needs to be used with the because it will also remove the user schema objects. However, when a separate directory instance hosts only user data the OID_user_schema_delete.ldif should be used. In either case, however, you must use the OID_oblix_schema_delete.ldif to remove the attribute index.
For steps, see Chapter 21, "Removing Oracle Access Manager".
If a component installation terminates (or is terminated by you) after component files were extracted to the designated installation directory, you should run the Uninstaller for that component and then remove the installation directory before attempting to reinstall in the same location. If you simply delete the installation directory and attempt to reinstall the component in the same location, the vpd.properties file is left in an inconsistent state and reinstalling will not work.
For example, suppose you terminate a WebGate installation after component files were extracted, then you remove the installation directory manually rather than using the WebGate uninstaller. In this case, the extracted files are deleted but the vpd.properties file is not. This leaves the vpd.properties file in an inconsistent state that prevents successful installation.
The preferred method to avoid removal and reinstall issues is to run the component Uninstaller program, then remove the installation directory and then attempt to reinstall the component. However, you may manually remove the component installation directory (without running the Uninstaller) then back up and delete the vpd.properties, begin installing the component, then restore the vpd.properties file.
For more information, see Chapter 21, "Removing Oracle Access Manager".
Oracle Access Manager supports three different transport security modes: (Open, Simple, or Cert). While Open is initially easier to implement, it is not secure.
Rather than starting with open and changing later, Oracle recommends you install Oracle Access Manager with the desired transport security mode in place. Changing the transport security mode is outlined in the discussion that follows. For details, see the Oracle Access Manager Identity and Common Administration Guide.
To change transport security modes on the Identity System
For each Identity Server, run the Identity Server certutil program located at IdentityServer_install_dir/identity/oblix/tools/certutil.
You must configure the Identity Server before the WebPass. You do not need to use the same password and PEM keys for all Identity System components.
For each WebPass, run the WebPass gencert
program located at WebPass_install_dir/identity/oblix/tools/gencert.
To change transport security modes on the Access System
For each Access Server, run the configureAAAServer program located at AccessServer_install_dir/access/oblix/tools/configureAAAServer.
You must configure the Access Server before the WebGate. Use the same password and PEM keys for all Access System components.
For each WebGate, run the configureWebGate program located at WebGate_install_dir/access/oblix/tools/configureWebGate.
The following issues pertain to directories.
If you replicate your Sun directory server and make a change to a user, you are notified that the write will be delayed. However, you are not notified during new user creation.
New users appear in the Identity System pages that are configured against consumers the next time synchronization occurs between the supplier and its consumers.
Synchronization can either occur immediately or at scheduled times, depending on the replication agreement.
Symptom: While using features in the System Console or in one of the Applications, Oracle Access Manager begins to display bug reports or error messages. This may occur because of corrupt data. Data corruption can be difficult to diagnose. Though data may appear to be valid as displayed in the directory interface tools, the actual data files may be corrupt. One way to verify this is to perform the same search using another tool such as ldapsearch. If the expected data is not returned, then the data is corrupt.
Solution: Consult with your directory vendor to determine the most appropriate solution. If possible, export the directory data to an LDIF and examine the LDIF for errors. If the data has obvious errors, correct these errors as appropriate and then import the corrected data.
The following issues with Web servers may arise:
Symptom: You are running an Apache Web server, and an Access Server fails, displaying the following message:
libthread panic: cannot create new lwp (PID: 9035 LWP 2). stackrace: ff3424cc 0
This symptom may be caused by the Apache Web server launching more instances of itself. This can happen when the server determines that more instances are needed to service the number of connections between one or more WebGates and the Access Server.
The additional instances create even more connections, which exceed the number of connections by the Access Server.
Solution: Reduce the number of MinSpareServers
, MaxSpareServers
, StartServers
, and MaxClients
parameters.
Go to the Access Server's configuration directory and open the http.d
configuration file.
Recommended parameter settings:
MinSpareServers
1
MaxSpareServers
5
StartServers
3
MaxClients
5
Failure Authentication Event: For Domino Web servers, the redirection of a URL through Oracle Access Manager may not work if the authentication type is set as Basic Over LDAP and the URL to be redirected is mentioned as one of the following:
To overcome a failure authentication event, you must set the redirected URL with a computer name that is not defined under the host identifier group. For example, the IP address of the computer.
This problem does not occur with a form-based authentication type.
Header Variables: It may not be possible to pass header variables other than REMOTE_USER to WebGates installed on Lotus Notes Domino Web servers when using Client Certificate authentication scheme.
For example, header variables cannot be set on the one request where Client Certificate authentication occurs. However, all other requests do allow header variables to be set.
For more information, see Chapter 18, "Setting Up Lotus Domino Web Servers for WebGates".
Symptom: If you installed Oracle Access Manager on Unix under a different user ID than you used to create your Web server instance, Oracle Access Manager can become unstable. Users may experience behavior such as:
Solution: Change file permissions using the chown command. Change the Oracle Access Manager directory to the same user ID that you used to create your Web server instance.
After installing a WebPass, WebGate, or Policy Manager instance on an Oracle HTTP Server (OHS), the server does not start up. This occurs because Oracle Access Manager uses an older Linux threading model.
Solution: Comment out the perl module in the httpd.conf file, update the LD_ASSUME_KERNEL environment variable, and restart, as described in the following paragraphs.
To resolve the failure to start OHS
Comment out the perl module in the httpd.conf file in the following location:
For OHS v1.3: OH$
/Apache/Apache/conf/httpd.conf
For OHS v2: OH$
/ohs/conf/httpd.conf
To update the LD_ASSUME_KERNEL value, open the following file in a text editor:
OH$/opmn/conf/opm.xml
Find the following line:
<process-type id="HTTP_Server" module-id="OHS">
Add the following information under the line you found in the previous step:
<environment> <variable id="LD_ASSUME_KERNEL" value="2.4.19" /> </environment>
Save this file.
Run the following commands to implement your changes:
opmnctl stopall opmnctl startall
Symptom: WebGate fails to initialize when installed on an Oracle HTTP Server running RedHat Enterprise Server version 4.0 with a kernel version lower than 2.6.9-34.EL. Version 2.6.9-34.EL is supplied with the RedHat version 4, update 3.
Solution: To prevent this problem, you must upgrade RedHat version 4 must be to update 3 or higher.
Symptom: When attempting to start the Sun Web server, you get an error like the following:
Unable to start, PCLOSE
Solution: A number of problems can cause this error:
A syntax error in your obj.conf
file
Leading spaces in your obj.conf
file
Installing Oracle Access Manager as a different user ID than what you used to create your Web server instance
A carriage return at the end of the obj.conf
file
When Oracle Access Manager is running with Microsoft's IIS Web server, you must manually uninstall and reinstall the following ISAPI filters when reinstalling Oracle Access Manager.
tranfilter.dll
oblixlock.dll
(if you installed WebGate)
webgate.dll
(if you installed WebGate)
To remove and reinstall IIS DLLs
Uninstall Oracle Access Manager.
Manually uninstall the preceding DLLs.
Reinstall Oracle Access Manager.Active Directory.
Manually reinstall the DLLs.
Note:
These filters can change depending on the version of IIS you are using. If these filters do not exist or there are others present, contact Oracle to determine if the filters that are present need to be removed.The following issues may arise with WebGate:
Access Servers and WebGates cannot be named using non-English keyboard characters.
Descriptions on the Modify AccessGate page of the Access System Console are case insensitive. For example, if you change capitalization of the description but do not alter any other details, you will see no change after the save. To work around this problem, add or alter other information so that the change is recognized.
To change capitalization in an AccessGate description
Navigate to the Access System Console, Access System Configuration, AccessGate Configuration.
Search for a particular AccessGate or just select the Go button to display a list of all AccessGates.
Double-click the link to the WebGate you want to change.
Click Modify at the bottom of the page.
Enter a new description with the capitalization you would like some new information. For example:
From: webgate
To: WebGate with IIS 6.0
After WebGate installation and configuration, point your browser to the following URL for WebGate diagnostics:
http(s)://host:port/access/oblix/apps/webgate/bin/webgate.cgi?progid=1
Host
and port
are the WebGate's hostname and Web server instance port number. If the diagnostics page does not open, the WebGate was installed improperly.
Symptom: If you are running an Access Server with debugging enabled on a Solaris computer, then install a WebGate on a Windows server that uses that Access Server, you will probably see messages like the following in the Access Server's debug log:
Got a client! SSL handshake failed: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Solution: These messages are harmless and may be ignored.
To provide maximum protection for the Identity System, install the WebGate and Identity System in the same directory.
Symptom: When attempting to connect, you receive errors indicating that your Access Server is down.
Solution: The clocks of computers hosting various Oracle Access Manager components must be synchronized to within 75 or fewer seconds of each other. If the clocks are out-of-sync by more than 75 seconds, installation will fail.
Symptom: You get the following error when you attempt to start the Identity System:
Access Server error WebGate cannot connect to Access Server
Cause: When configuring a WebGate in the System Console, you must link each WebGate with at least one Access Server.
Solution: In Policy Manager, associate your WebGate with an Access Server. Then configure WebGate.
Symptom: WebGate fails to initialize when installed on an Oracle HTTP Server running RedHat Enterprise Server version 4.0 with a kernel version lower than 2.6.9-34.EL. Version 2.6.9-34.EL is supplied with the RedHat version 4, update 3.
Solution: To prevent this problem, you must upgrade RedHat version 4 must be to update 3 or higher.
The following are miscellaneous issues:
Symptom: If the Policy Manager uses Simple or Cert transport security mode, flushing the cache from Policy Manager requires certificates. If your Policy Manager is protected by a WebGate that was installed in Simple or Cert mode, the certificates exist and there is no problem. However, if you did not install WebGate in Simple or Cert Mode, you cannot update Access System caches because the Policy Manager will not be able to communicate with the Access Servers.
Solution: For an installation that has no WebGate, use the GenCert tool to generate the certificates. This tool is stored at IdentityServer_install_dir/identity/oblix/tools, where IdentityServer_install_dir is your Identity Server installation directory.
To generate certificates for cache flushing, type
genCert install_dir
IdentityServer_install_dir is your Identity Server installation directory. You must be the user with the permissions to write files into the installation directory.
The Master Administrator is specified during Oracle Access Manager installation and setup. Even though this is the highest-ranking Master Administrator, this role does not have view rights for attributes until this right is specifically assigned to it.
The administrator must have permission to view the cn attribute (usually configured as Full Name) at the top level of the directory tree. Then the administrator can configure Access Control for attributes for others.
See Also:
Refer to the Oracle Access Manager Identity and Common Administration Guide for instructions on completing this taskSymptom: When using either Simple or Cert transport security mode, the user's browser caches the credentials and automatically resends them when a WebGate session times out.This causes the illusion that the timeout settings are not working when in fact a new authentication exchange is taking place without any action on the user's part.
Solution: Use form-based authentication. The browser does not cache form-based authentication information.
Loading your directory can take much longer when SSL is activated. You can load your directory, then activate SSL on the Web server and directory server.
Symptom: When a non-Oracle Access Manager program that is set to an incorrect TCP port tries to communicate with your Access Server, you receive an error in your Access Server's debug output. Your Access Server's debug output displays the following error:
Peer does not use NetPoint Access Protocol. Connection dropped.
Other than the message in your Access Server's debug output, there probably is no impact to your Oracle Access Manager installation. However, the non-Oracle Access Manager peer attempting to communicate with the Access Server will probably fail.
Solution: Check your TCP port numbers. Something is connecting to the wrong thing.
Oracle Access Manager does not support replication with Sun by default.
Symptom: After making a write to a Sun consumer/slave, you get a bug report form.
Solution: To update the enableLDAPReferral
parameter:
Open the ldapconfigdbparams.xml
file in a text editor. This file is stored in two locations, and both must be edited:
IdentityServer_install_dir/identity/oblix/data/common/ldapconfigdbparams.xml
Access_Server_install_dir/access/oblix/data/common/ldapconfigdbparams.xml
Change the enableLDAPReferral
parameter to true.
Save your changes.
Restart the consumer/slave's Web server.
Symptom: When performing a search or a query, you receive a "Bad request" message.
Cause: Your search or query string is too long for your browser. Browsers handle search and query strings as URLs. They generate an error if the string exceeds the maximum URL length.
Solution: Shorten the search or query string.
Symptom: You receive the message "Identity Server logged you in but Access System (Policy Manager or System Console) logged you out." This occurs when the Access Domain policy is disabled and the Identity Domain policy is enabled when logging into the Policy Manager as a valid user.
Solution: For security reasons, both the Policy Manager (/access) policy and Identity Domain (/identity) policy must be enabled and protected when logging in to the Policy Manager.
To make FrontPage work correctly with Oracle Access Manager, the settings for IIS must be set up to allow Oracle Access Manager to do all of the authentication and authorization.
To allow Oracle Access Manager to do all authentication and authorization
The Web server needs to run as a user that has full control of all directories containing Web content.
Use the Web server MMC and click the directory security tab.
Click the anonymous user and authentication Edit button.
Make sure that only the allow anonymous users check box is checked. Un-check the other two (basic authentication and nlm authentication)
Add the Web server process user (such as IUSR_OBLIX) to the FrontPage admins by using the FrontPage server admin tools (these are different for every version of FrontPage.