This chapter describes issues associated with Oracle Access Manager. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Section 31.1.1, "Incorrect SSO Agent Date/Time Shown to User"
Section 31.1.2, "Oamreg.sh Missing Execute Permission After Configuring"
Section 31.1.3, "Initial Messages After WebGate Registration Are Not Shown in the User's Locale"
Section 31.1.4, "Error While Browsing Resources Table in the ResourceType Tab"
Section 31.1.5, "Single Click to Open Child Node is Not Supported in Navigation Tree"
Section 31.1.7, "Turkish and Greek Character Issues on OAM Authentication Page"
Section 31.1.8, "OAM Authentication Does Not Support Non-ASCII Passwords on Locales other than UTF8"
Section 31.1.9, "Error Message of Create Agent Shows as Server Locale"
Section 31.1.11, "Diagnostic Information Is Not Being Displayed on the Administration Console"
Section 31.1.12, "Non-ASCII Resources Require OHS To Restart To Make Protection Take Effect"
Section 31.1.13, "Non-ASCII Characters On Success/Failure URL Results in Garbled Redirect URL"
Section 31.1.14, "Resource with Non-ASCII Characters Cannot Be Protected by an OSSO Agent"
Section 31.1.15, "Translation Packages Use "Agents" Term instead of "WebGates""
Section 31.1.16, "Error in Administration Server Log from Console Logins"
Section 31.1.17, "Special Character Limitations in Response Attribute Names"
Section 31.1.18, "Error in the "Evaluate Single Sign-On Requirements" Help Topic"
Section 31.1.19, "EDITWEBGATEAGENT Command Should Give An Error If Invalid Value is Entered"
Section 31.1.21, "Message Logged at Error Level Instead of at INFO When Servers in Cluster Start"
Section 31.1.22, "Help Is Not Available for WLST Command REGISTEROIFDAPPARTNER"
Section 31.1.23, "User Must Click Continue to Advance in Authentication Flow"
Section 31.1.24, "Plain Text Credentials Exposed in Diagnostic Logs when Creating an ID Store"
Section 31.1.26, "Database Node is Non-Function in the System Console"
Section 31.1.27, "Online Help Provided Might Not Be Up To Date"
Section 31.1.28, "Custom Resource Types Should Not be Created"
Section 31.1.29, "Use of a Non-ASCII Name for an Agent May Impact SSO Redirection Flows"
The default start date on the Create OAM Agent page is based on the Oracle Access Manager server date/time. The date/time shown to the end user is based on the Oracle Access Manager server timezone rather than on the user's machine.
Out of the box, execute permissions are not set for the oamreg.sh and oamreg.bat files in the OAM shiphome location. Hence, before you perform remote registration (rreg), you need to set the execute permissions on the scripts by using the following commands:
chmod +x oamreg.sh or chmod +x oamreg.bat
Then you can proceed with the regular remote registration steps.
After OAM WebGate registration, the description fields in the initial messages for related components are not shown in the user's locale. The description field does not support Multilingual Support (MLS).
While browsing across the Resources table in the ResourceType tab, the following error message is displayed:
<Error> <oracle.adfinternal.view.faces.model.binding.CurrencyRowKeySet> <BEA-000000> <ADFv: Rowkey does not have any primary key attributes. Rowkey: oracle.jbo.Key[], table: model.ResTypeVOImpl@620289.>
This message is harmless and does not hinder any functionality.
Single-click to open a child node in the navigation tree is not supported, but double-click is supported.
The user credential for the OAM registration tool oamreg.sh/oamreg.bat does not support non-ASCII characters on the Linux non-UTF8 server locale and the Windows native server.
In some cases, if a user name contains Turkish, German, or Greek special characters and another login name differs from it only in those special characters, the user might pass authentication because of case mappings and case-insensitive comparison.
Some internationalized characters need special capitalization rules, because converting them to upper case and back does not return the original lower-case character.
For example, consider SS and ß in German, where ß exists only as a lower-case character. Converting ß to upper case yields SS, and converting that upper-case text back to lower case yields ss rather than the original ß.
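As an added example (not part of these release notes or of Oracle's code), the following Python script audits a constructed list of user names for exactly this effect: distinct names that become identical once a comparison upper-cases them, and names that do not survive an upper/lower round trip. It generalizes the German ß case above to the Turkish dotless i and the Greek final sigma that this section also names, so an administrator can find such account pairs before they are confused with each other.

```python
"""Audit a user directory for case-mapping collisions.

Added example; not from the Oracle release notes or product code. A
case-insensitive comparison built on upper-casing makes distinct user
names collide when they contain German ß, Turkish dotless i, or Greek
final sigma. The user names below are constructed samples.
"""
from collections import defaultdict

# Constructed sample directory; each pair differs only in a special character.
SAMPLE_USER_NAMES = [
    "strasse", "straße",        # German: ß upper-cases to SS
    "ismail", "ısmail",         # Turkish: dotless ı upper-cases to plain I
    "οδυσσευς", "οδυσσευσ",     # Greek: final ς and medial σ both upper-case to Σ
    "alice", "bob",             # unaffected ASCII names
]


def naive_equal(a, b):
    """The comparison under scrutiny: equality after upper-casing both names."""
    return a.upper() == b.upper()


def find_case_collisions(names, key=str.upper):
    """Group distinct names that become identical under `key`.

    Returns {folded_form: [original names, ...]} for every group of size > 1,
    that is, every set of accounts a naive case-insensitive lookup cannot
    tell apart.
    """
    groups = defaultdict(list)
    for name in names:
        groups[key(name)].append(name)
    return {folded: members for folded, members in groups.items() if len(members) > 1}


def round_trip_losses(names):
    """Map each name that does not survive upper() followed by lower() to its degraded form."""
    return {n: n.upper().lower() for n in names if n.upper().lower() != n}


if __name__ == "__main__":
    for folded, members in find_case_collisions(SAMPLE_USER_NAMES).items():
        print(f"{folded}: {members} collide under upper-casing")
    for original, degraded in round_trip_losses(SAMPLE_USER_NAMES).items():
        print(f"{original!r} -> upper -> lower -> {degraded!r}")
```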
When the server locale is not UTF-8 and using WebLogic Server embedded LDAP as an identity store, the SSO Authentication page does not support Non-ASCII passwords.
When an administrator creates an agent with the same name as one that already exists, the language of the error message displayed is based on the server locale rather than on the browser locale.
OAM 11g Release 1 (11.1.1) cannot operate directly with LDAP servers returning referrals.
The workaround is to use Oracle Virtual Directory.
Diagnostic information is not displayed in the Oracle Access Manager Administration Console for monitoring Agents when one or more nodes of the cluster are down.
This information can be retrieved using the Oracle Dynamic Monitoring Service (DMS). The steps are as follows:
Using WebLogic credentials, log in to the DMS application, http://<adminserver-host>:<adminserver-port>/dms
On the navigation tree, click OAMS.OAM_Server.OAM_Agents under the DMS Metrics node.
When you add a resource with a non-ASCII name to a protected authentication policy, the OHS 11g server must be restarted before the protection takes effect. Resources with English (ASCII) names are protected in real time, without restarting the OHS 11g server.
If an on-success or on-failure URL configured for an authentication policy contains non-ASCII characters, the URL is garbled when it is used during user authentication. This happens only when the authentication scheme is Basic Authentication and the end user's browser is the Simplified Chinese version of IE8 running on the Chinese version of Windows.
When trying to protect a resource, mod_osso only converts Unicode characters in the URL, whereas WebGate is able to convert the entire resource URL to UTF-8 format. If you need this capability, use mod_webgate instead of mod_osso.
The term "Agents" has been changed to "WebGates." Because of this late change, the translation packages cannot be updated for this. The packages will continue to use "Agents" instead of the preferred term, "WebGates."
If you log in to the OAM Administration Console as an administrator and then log in to the Console as an administrator in a new tab, the following error appears in the administration logs:
------------------------------------------------------------ <May 20, 2010 10:12:47 AM PDT> <Error> <oracle.adfinternal.view.page.editor.utils.ReflectionUtility> <WCS-16178> <Error instantiating class - oracle.adfdtinternal.view.faces.portlet.PortletDefinitionDTFactory> ------------------------------------------------------------
The error message does not impact functionality.
The ":" special character should not be used in response attribute names. For example, "name=STAT_:HEADER1". This is not supported in 11g Release 1 (11.1.1).
In the help topic, "Evaluate Single Sign-On Requirements," "Configuring Single Logout for 10g WebGate with OAM 11g Servers" was listed twice under "Review steps to configure single sign-off."
The English version has been corrected to read:
"Step 7 Review steps to configure single sign-off
Configuring Single Logout for 10g WebGate with OAM 11g Servers. More.
Configuring Single Logout for 11g WebGate with OAM 11g Servers. More.
Configuring Single Logout for Oracle ADF Applications. More."
The translated version will be fixed in a future release.
The WLST command editWebgateAgent does not give an error when an invalid value is entered for the state field, in either online or offline mode. The OAM Administration Console then shows the state field value as neither enabled nor disabled, even though it is a mandatory field.
In offline mode, the WLST command displayWebgate11gAgent displays the 11g WebGate Agent entry in the System Configuration tab twice.
When starting Oracle Access Manager servers in a cluster, the following message is displayed:
<Jun 22, 2010 3:59:41 AM PDT> <Error> <oracle.jps.authorization.provider.pd> <JPS-10774> <arme can not find state.chk file.>
The correct level of the message is INFO, rather than Error.
The Help command is not available for the WLST command registeroifdappartner.
In both online and offline mode, the command registers Oracle Identity Federation as a Delegated Authentication Protocol (DAP) Partner.
For information, refer to "registerOIFDAPPartner" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
registerOIFDAPPartner(keystoreLocation="/scratch/keystore", logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=http://<oamhost>:<oamport>/ngam/server/pages/logout.jsp", rolloverTime="526")
Parameter Name | Definition
---|---
keystoreLocation | Location of the keystore file generated at the OIF Server. (mandatory)
logoutURL | The OIF Server's logout URL. (mandatory)
rolloverTime | The rollover interval for the keys used to encrypt/decrypt SASSO tokens. (optional)
The following invocation illustrates use of all parameters:
registerOIFDAPPartner(keystoreLocation="/scratch/keystore", logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=http://<oamhost>:<oamport>/ngam/server/pages/logout.jsp", rolloverTime="526")
In a native integration with Oracle Adaptive Access Manager, the resource is protected by an Oracle Access Manager policy that uses the Basic Oracle Adaptive Access Manager authentication scheme.
When a user tries to access a resource, the user is presented with the username page.
After entering the username, the user must click Continue before proceeding to the password page; the user is not taken to this page automatically.
The workaround is for the user to click Continue, which might allow the user to proceed to the password page.
To work around this issue:
Go to My Oracle Support at
Click the Patches & Updates tab, and search for bug 9824531. Download the associated patch and install it by following the instructions in the README file included with the patch.
On the Patches & Updates tab, search for bug 9882205. Download the associated patch and install it by following the instructions in the README file included with the patch.
In the X509 authentication modules, the following OCSP-related fields are no longer mandatory:
OCSP Server Alias
OCSP Responder URL
OCSP Responder Timeout
If OCSP is enabled
The OCSP-related fields should be filled in by the administrator. If they are not filled, there will not be an error from the Console side.
It is the responsibility of the administrator to provide these values.
If OCSP is not enabled
The OCSP-related fields need not be filled in this case. If these fields contain values, the values have no effect, because OCSP itself is not enabled.
In the default out-of-the-box configuration, the OCSP responder URL is http://ocspresponderhost:port. If you change other fields and leave this value as is, you will see a validation error, because the value is still submitted to the back end and the Console requires the port portion to be numeric. Either modify the field so that the port is numeric, or delete the entire value.
The Databases node available in OAM System Configuration under System Configuration > DataSources > Databases is not functional. It does not create datasource entries that are consumed by the OAM Runtime.
The OAM Data Source needs to be managed using the WebLogic Server Administration Console. Oracle Access Manager 11g includes a data source named oamDS which is configured against the database instance extended with the OAM Schema. To navigate to oamDS in the WebLogic Server Administration Console, go to <domain_name> > Services > JDBC > DataSources in the navigation tree.
Online help is available in the console, but you should check OTN to ensure you have the latest information.
For OAM 11g, creating custom resource types should not be attempted even though the button to create/edit/delete resource types is not disabled.
When using the OAM 11g server with WebGates and when the WebGate ID is registered with a non-ASCII name, the OAM server may reject that authentication redirect as an invalid request. The workaround is to utilize an ASCII name for the WebGate.
This section describes configuration issues and their workarounds. It includes the following topics:
Section 31.2.1, "For mod-osso Value for RedirectMethod Should be "POST""
Section 31.2.5, "WNA Authentication Does Not Function on Windows 2008"
Section 31.2.9, "What to Avoid or Note in OAM Configuration"
Section 31.2.10, "Install Guides Do Not Include Centralized Logout Configuration Steps"
For agents to be capable of supporting long URLs, the following code sample was added under oam-config.xml:
<Setting Name="AgentConfig" Type="htf:map">
  <Setting Name="OSSO" Type="htf:map">
    <Setting Name="RedirectMethod" Type="xsd:string">GET</Setting>
    <Setting Name="Delimiter" Type="xsd:string">AND</Setting>
  </Setting>
For mod_osso, the value for RedirectMethod should be POST; however, the value shipped out of the box is GET. Follow these steps to make the change manually, because there is no user interface or WLST command available to do so.
Stop the OAM Administration Server and managed servers.
Enter cd DOMAIN_HOME/config/fmwconfig
Enter vi oam-config.xml
Go to the following line in oam-config.xml:
<Setting Name="AgentConfig" Type="htf:map"> <Setting Name="OSSO" Type="htf:map"> <Setting Name="RedirectMethod" Type="xsd:string">GET</Setting>
Modify GET to POST as follows:
<Setting Name="RedirectMethod" Type="xsd:string">POST</Setting>
Save the changes and start the OAM Administration and managed servers.
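As an added example (not Oracle's tooling; the page states that no console page or WLST command exists for this edit), the Python script below performs the same oam-config.xml change idempotently and refuses to write if the AgentConfig/OSSO/RedirectMethod structure it expects is not found. It assumes the element nesting quoted above, and it must be run only while the Administration Server and managed servers are stopped; back up the file first, since ElementTree rewrites it without comments or the XML declaration.

```python
"""Set the OSSO RedirectMethod to POST in oam-config.xml.

Added example, not part of Oracle Access Manager. It automates the manual
edit described on the page: AgentConfig -> OSSO -> RedirectMethod, GET -> POST.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring only the structure quoted on the page;
# the real oam-config.xml is far larger.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="AgentConfig" Type="htf:map">
    <Setting Name="OSSO" Type="htf:map">
      <Setting Name="RedirectMethod" Type="xsd:string">GET</Setting>
      <Setting Name="Delimiter" Type="xsd:string">AND</Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def _local(tag):
    """Strip any XML namespace prefix so matching works with or without one."""
    return tag.rsplit("}", 1)[-1]


def _child_setting(parent, name):
    """Return the direct child <Setting Name="..."> of parent, or None."""
    for child in parent:
        if _local(child.tag) == "Setting" and child.get("Name") == name:
            return child
    return None


def find_redirect_method(root):
    """Locate AgentConfig/OSSO/RedirectMethod anywhere under root, or None."""
    for elem in root.iter():
        if _local(elem.tag) == "Setting" and elem.get("Name") == "AgentConfig":
            osso = _child_setting(elem, "OSSO")
            if osso is not None:
                return _child_setting(osso, "RedirectMethod")
    return None


def current_redirect_method(xml_text):
    """Return the current RedirectMethod value, or None if the structure is absent."""
    elem = find_redirect_method(ET.fromstring(xml_text))
    return None if elem is None else (elem.text or "").strip()


def set_osso_redirect_method(xml_text, method="POST"):
    """Return (new_xml_text, previous_value); raise if the structure is missing."""
    root = ET.fromstring(xml_text)
    elem = find_redirect_method(root)
    if elem is None:
        raise ValueError("AgentConfig/OSSO/RedirectMethod not found; file left untouched")
    previous = (elem.text or "").strip()
    elem.text = method
    return ET.tostring(root, encoding="unicode"), previous


def main(path):
    """Rewrite the file at path only when a change is actually needed."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text, previous = set_osso_redirect_method(text)
    if previous == "POST":
        print("RedirectMethod is already POST; nothing to do")
        return
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    print(f"RedirectMethod changed from {previous} to POST")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        main(sys.argv[1])  # e.g. DOMAIN_HOME/config/fmwconfig/oam-config.xml
    else:
        new_text, previous = set_osso_redirect_method(SAMPLE_OAM_CONFIG)
        print(previous, "->", current_redirect_method(new_text))
```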
If you encounter a java.lang.NullPointerException: Cannot set value to null at javax.naming.ldap.Rdn.<init>(Rdn.java:178) error in your WebLogic Administration Console or managed server logs, it is most likely caused by JRockit.
In certain cases involving try-catch clauses, JRockit applies an incorrect optimization such that a null check always returns false. To avoid this issue, ensure that you are running JVM version R28.0.1 or later.
R28.0.1 is available as patch 9847606, which you can download from My Oracle Support at:
http://support.oracle.com
The user is directed to the self-user login after logging out of the Oracle Identity Manager Administration Console.
To be redirected correctly, the logout must work properly.
The workaround for logout with 10g WebGate is to:
Copy logout.html (for example, from Oracle_IDM1/oam/server/oamsso/logout.html) to webgate_install_dir/oamsso.
Update the logout URL in the file to http://oam_server:oam_server/ngam/server/logout.
If redirection to a specific page has to occur after logout, change the logout URL to http://oam_server:oam_server/ngam/server/logout?doneURL=http://host:port/specifipage.html.
Although a resource can be protected using the BASIC scheme, WebLogic Server has a feature by which it first authenticates the user itself and only then passes the request on to the server.
If you add the following flag under <security-configuration> in config.xml and restart the server, WebLogic Server's own authentication is bypassed:
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
Once the credentials are submitted to the OAM server, they are audited there.
The WebLogic Administration Console does not display or log the enforce-valid-basic-auth-credentials setting. However, you can use WLST to check the value in a running server. To modify the value, you must set it in config.xml.
To do so, refer to the following documentation:
"Developing Secure Web Applications" at:
http://download.oracle.com/docs/cd/E13222_01/wls/docs103/security/thin_client.html#wp1037337
The default Kerberos encryption types supported by Windows 2008 Server and Windows 2007 machines are "AES256-CTS-HMAC-SHA1-96", "AES128-CTS-HMAC-SHA1-96" and "RC4-HMAC".
If the clients are configured to use DES-only encryption, users will not be able to access protected resources with Kerberos authentication. The error message "An incorrect username and password was specified" might be displayed.
Because the initial Kerberos tokens are not present, the browser sends NTLM tokens, which the OAM 11g server does not recognize; therefore, the user authentication fails.
The workaround is to enable the encryption mechanisms, and follow the procedure mentioned in:
http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx
When you install the Oracle Access Manager 10g WebGate, do not replace the current version of msvcirt.dll with a newer version when prompted. If you do so, there may be incompatibility issues. Later, when you try to install OSSO 10g (10.1.4.3), the opmn.exe command might fail to start and the OracleCSService might time out because the required .dll file is missing.
The supported topology for OAM 11g is shown below.
Oracle Database on IPv4 protocol host
OAM Administration Console on dual-stack host
Clients on IPv4 protocol host
Clients on IPv6 protocol host
OAM Administration Console on IPv4/IPv6 dual-stack can be accessed from both IPv4 and IPv6 client.
WebGate 10g or WebGate 11g on IPv4 protocol host
OAM Server in IPv4 on dual-stack host
WebGate 10g and WebGate 11g on IPv4 can work with OAM server on IPv4/IPv6 dual-stack.
WebGate10g or WebGate 11g +protected applications on IPv4 protocol host
OHS reverse proxy on dual-stack host
Client on IPv6 protocol host
IPv6 client can access WebGate10g or WebGate11g through OHS reverse proxy.
When the OAM server is not running, login to WebLogic Administration Console is successful, but when OAM server is running, login to the WebLogic Administration Console is redirected to the OAM server and authentication fails because the Identity Store fails to initialize.
IPV6 for IDSTORE will be supported in a later release.
This section contains scenarios and items to note in OAM configuration.
WLST scripts for OAM 10g and OAM 11g WebGates do not support changing Agent security modes.
Unsupported operations for the OAM Administration Console and WLST are described in the following subsections.
OAM Server
Use Case: Concurrent Deletion and Updating
Description
Open an OAM Server instance in edit mode in Browser 1.
Using the OAM Administration Console in another browser (Browser 2) or using a WLST script, delete this server instance.
Return to Browser 1 where the server instance is opened in edit mode.
In Browser 1, click the Apply button.
Current Behavior
The OAM Administration Console displays the message, "Server instance server_name might be in use, are you sure you want to edit it?" along with the confirmation that the update succeeded.
This server instance node is removed from navigation tree.
The behavior is incorrect.
Use Case: Two OAM Server Instances with Same Host Cannot have the Same Proxy Port.
Description
For this use case, there are two instances of the OAM Server: oam_server1 and oam_server2.
Open oam_server1 in edit mode and specify a host and OAM proxy port.
Now open oam_server2 in edit mode and specify the same host and proxy port as oam_server1.
The changes are saved without any error message.
Current Behavior
The OAM Administration Console does not display any error and allows the update.
The behavior is incorrect.
Use Case: Log Statements Detailing the Server Instance Creation, Update and Delete are not Present on the OAM Administration Console
Description
If you create, edit, or delete an OAM Server instance from the OAM Administration Console, the log statements corresponding to create, edit and delete are not displayed by the Console.
LDAP Authentication Module
Use Case: Concurrent Deletion/Creation of User Identity Store does not Reflect in the Dropdown of Identity Stores in the LDAP Authentication Module Create and Edit
Description
Open create/ edit for the LDAP authentication module.
A dropdown list displays the identity stores present in the system.
Now create a user identity store using another tab.
Return to the create/edit tab for the LDAP authentication module and check the dropdown list for user identity stores.
Current Behavior
The newly added user identity store entry is not added to the dropdown list.
The entry of the user identity store that was deleted appears on the list.
An error message is not displayed when you select the deleted user identity store in the dropdown list and click Apply.
The OAM Administration Console does not change and the configuration is not updated in back end.
LDAP, Kerberos and X509 Authentication Module
Use Case: Concurrent deletion and updating
Description
Open an LDAP/Kerberos/X509 authentication module in edit mode in OAM Administration Console in Browser 1.
Using OAM Administration Console in another browser (Browser 2) or using a WLST script, delete this authentication module.
Now return to Browser 1 where the authentication module is opened in edit mode.
Click the Apply button.
Current Behavior
The OAM Administration Console updates this authentication module configuration and writes it to back end.
The behavior is incorrect.
Use Case: Log Statements Detailing the Server Instance Creation, Update and Delete are Not present on OAM Administration Console side.
Description
When you create, edit or delete an authentication module from OAM Administration Console, the log statements corresponding to create, edit and delete are not written by the Console.
OAM 11G WebGate
Use Case: Concurrent Deletion and Update
Description
Open an OAM 11g WebGate instance in edit mode in OAM Administration Console in Browser 1.
Using the OAM Administration Console in another browser (Browser 2) or using a WLST script, delete this OAM 11g WebGate.
Now return to Browser 1, where the WebGate instance is opened in edit mode.
Click the Apply button.
Current Behavior
The OAM Administration Console page for editing the OAM 11g WebGate does not change and the tab does not close.
An "OAM 11g WebGate configuration not found" error dialog is displayed by the OAM Administration Console.
However, the navigation tree is blank, and any attempt to perform an operation results in a javax.faces.model.NoRowAvailableException.
The behavior is incorrect.
OSSO Agent
Use Case: Concurrent Deletion and Update
Description
Open an OSSO Agent instance in edit mode in the OAM Administration Console in Browser 1.
Using the OAM Administration Console in another browser (Browser 2) or using a WLST script, delete this OSSO Agent.
Now return to the Browser 1 where the OSSO Agent instance is opened in edit mode.
Click on Apply button.
Current Behavior
Editing the OSSO Agent in the OAM Administration Console results in a null pointer exception.
The behavior is incorrect.
Single Sign-On is enabled after Oracle Access Manager is installed; to complete the out-of-the-box Single Sign-On configuration, centralized logout must be configured post-install. Configure centralized logout by following the directions in these sections:
Configuring Centralized Logout for ADF-Coded Applications with OAM 11g
http://fmwdocs.us.oracle.com/doclibs/fmw/E15482_01/doc.1111/e15478/logout.htm#CIHFDDGF
Configuring Centralized Logout for the IDM Domain Agent
http://fmwdocs.us.oracle.com/doclibs/fmw/E15482_01/doc.1111/e15478/logout.htm#CIHDEIGJ
Update instructions are provided in this section.
In the "Provisioning a 10g WebGate for Use with OAM 11g" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager, the following information must be added for Windows specific environments:
In a Windows environment, you must update the file:
<MiddlewareHome>\Oracle_IDM1\oam\server\rreg\oamreg.bat
Update the line that sets OAM_REG_HOME:
set OAM_REG_HOME="D:\Remote Registration\RREG client kit\rreg"
by replacing the value with:
set OAM_REG_HOME=<MiddlewareHome>\Oracle_IDM1\oam\server\rreg
Note: Ensure that the two quotation marks (") are removed.