36 Oracle Identity Manager

This chapter describes issues associated with Oracle Identity Manager. It includes the following topics:

36.1 Patch Requirements

This section describes patch requirements for Oracle Identity Manager 11g Release 1 (11.1.1). It includes the following sections:

36.1.1 Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)

To obtain a patch from My Oracle Support (formerly OracleMetaLink), go to following URL, click Patches and Updates, and search for the patch number:

http://support.oracle.com/

36.1.2 Patch Requirements for Oracle Database 11g (11.1.0.7)

Table 36-1 lists patches required for Oracle Identity Manager 11g Release 1 (11.1.1) configurations that use Oracle Database 11g (11.1.0.7). Before you configure Oracle Identity Manager 11g, be sure to apply the patches to your Oracle Database 11g (11.1.0.7) database.

Table 36-1 Required Patches for Oracle Database 11g (11.1.0.7)

Platform Patch Number and Description on My Oracle Support

UNIX / Linux

7614692: BULK FEATURE WITH 'SAVE EXCEPTIONS' DOES NOT WORK IN ORACLE 11G

7000281: DIFFERENCE IN FORALL STATEMENT BEAHVIOUR IN 11G

8327137: WRONG RESULTS WITH INLINE VIEW AND AGGREGATION FUNCTION

8617824: MERGE LABEL REQUEST ON TOP OF 11.1.0.7 FOR BUGS 7628358 7598314

Windows 32 bit

8689191: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS 32 BIT

Windows 64 bit

8689199: ORACLE 11G 11.1.0.7 PATCH 16 BUG FOR WINDOWS (64-BIT AMD64 AND INTEL EM64T)


36.1.3 Patch Requirements for Segregation of Duties (SoD)

Table 36-2 lists patches that resolve known issues with Segregation of Duties (SoD) functionality:

Table 36-2 SoD Patches

Patch Number / ID Description and Purpose

Patch number 9819201 on My Oracle Support

Apply this patch on the SOA Server to resolve the known issue described in "SoD Check During Request Provisioning Fails While Using SAML Token Client Policy When Default SoD Composite is Used".

The description of this patch on My Oracle Support is "ERROR WHILE USING SAML TOKEN CLIENT POLICY FOR CALLBACK."

Patch ID 3M68 using the Oracle Smart Update utility. Requires passcode: 6LUNDUC7.

Using the Oracle Smart Update utility, apply this patch on the Oracle WebLogic Server to resolve the known issue described in "SoD Check Fails While Using Client-Side Policy in Callback Invocation During Request Provisioning".


36.1.4 Patch Upgrade Requirement

While applying the patch provided by Oracle Identity Manager, the following error is generated:

ApplySession failed: ApplySession failed to prepare the system.

OPatch version 11.1.0.8.1 must be upgraded to version 11.1.0.8.2 to meet the version requirement.

See "Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)" for information about downloading OPatch from My Oracle Support.

36.2 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

36.2.1 Do Not Use Platform Archival Utility

Currently, the Platform Archival Utility is not supported and should not be used.

To work around this issue, use the predefined scheduled task named Orchestration Process Cleanup Task to delete all completed orchestration processes and related data.

36.2.2 SPML-DSML Service is Unsupported

Oracle Identity Manager's SPML-DSML Service is currently unsupported in 11g Release 1 (11.1.1). However, you can manually deploy the spml-dsml.ear archive file for Microsoft Active Directory password synchronization.

36.2.3 Status of Users Created Through the Create and Modify User APIs

You cannot create users in Disabled State. Users are always created in Active State.

The Create and Modify User APIs do not honor the Users.Disable User attribute value. If you pass a value to the Users.Disable User attribute when calling the Create API, Oracle Identity Manager ignores this value and the USR table is always populated with a value of 0, which indicates the user's state is Active.

Use the Disable API to disable a user.

36.2.4 Status of Locked Users in Oracle Access Manager Integrations

When Oracle Access Manager locks a user account in an Oracle Identity Manager-Oracle Access Manager integration, it may take approximately five minutes, or the amount of time defined by the incremental reconciliation scheduled interval, for the status of the locked account to be reconciled and appear in Oracle Identity Manager. However, if a user account is locked or unlocked in Oracle Identity Manager, the status appears immediately.

36.2.5 Generating an Audit Snapshot after Bulk-Loading Users or Accounts

The GenerateSnapshot.[sh|bat] option does not work correctly when invoked from the Bulkload utility. To work around this issue and generate a snapshot of the initial audit after bulk loading users or accounts, you must run GenerateSnapshot.[sh|bat] from the $OIM_HOME/bin/ directory.

36.2.6 GenerateSnapshot and GenerateGPASnapshot Utilities Fail on SSL-enabled Systems

The GenerateSnapshot and GenerateGPASnapshot utilities both require a JDBC URL to be passed as an argument. However, Oracle Identity Manager cannot display the usage if the server is SSL-enabled. The snapshot fails and an error results. Currently, no workaround exists for this issue.

36.2.7 Browser Timezone Not Displayed

Due to an ADF limitation, the browser timezone is currently not accessible to Oracle Identity Manager. Oracle Identity Manager bases the timezone information in all date values on the server's timezone. Consequently, end users will see timezone information in the date values, but the timezone value will display the server's timezone.

36.2.8 Date Format Change in the SoD Timestamp Field Not Supported

The date-time value that end users see in the Segregation of Duties (SoD) Check Timestamp field on the SoD Check page will always display as "YYYY-MM-DD hh:mm:ss" and this format cannot be localized.

To work around this localization issue, perform the following steps:

  1. Open the "Oracle_eBusiness_User_Management_9.1.0.1.0/xml/Oracle-eBusinessSuite-TCA-Main-ConnectorConfig.xml" file.

  2. In the EBS Connector import xml, locate the SoDCheckTimeStamp field for the Process Form. Change <SDC_FIELD_TYPE> to 'DateFieldDlg' and change <SDC_VARIANT_TYPE> to 'Date' as shown in the following example:

    <FormField name = "UD_EBST_USR_SODCHECKTIMESTAMP">
                 <SDC_UPDATE>!Do not change this field!</SDC_UPDATE>
                 <SDC_LABEL>SoDCheckTimestamp</SDC_LABEL>
                 <SDC_VERSION>1</SDC_VERSION>
                 <SDC_ORDER>23</SDC_ORDER>
                 <SDC_FIELD_TYPE>DateFieldDlg</SDC_FIELD_TYPE>
                 <SDC_DEFAULT>0</SDC_DEFAULT>
                 <SDC_ENCRYPTED>0</SDC_ENCRYPTED>
                 <!--SDC_SQL_LENGTH>50</SDC_SQL_LENGTH-->
                 <SDC_VARIANT_TYPE>Date</SDC_VARIANT_TYPE>
             </FormField>
    
  3. Import the Connector.

  4. Enable SoD Check.

  5. Provision the EBS Resource with entitlements to trigger an SoD Check.

  6. Check the SoDCheckTimeStamp field in Process Form to confirm it is localized like the other date fields in the form.

36.2.9 Bulk Loading CSV Files with UTF-8 BOM Encoding Not Supported

Bulk loading a CSV file for which UTF-8 BOM (byte order mark) encoding is specified causes an error. However, bulk-loading UTF-8 encoded CSV files works as expected if you specify "no BOM" encoding.

To work around this issue,

  • If you want to load non-ASCII data, you must change your CSV file encoding to "UTF-8 no BOM" before loading the CSV file.

  • If your data is stored in CSV files with "UTF-8 BOM" encoding, you must change them to "UTF-8 no BOM" encoding before running the bulkload script.

36.2.10 Date Type Attributes are Not Supported for the Default Scheduler Job, "Job History Archival"

The default Scheduler job, "Job History Archival," does not support date type attributes.

The "Archival Date" attribute parameter in "Job History Archival" only accepts string patterns such as "ddMMyyyy" and "MMM DD, yyyy."

When you run a Scheduler job, the code checks the date format. If you enter the wrong format, an error similar to the following example, displays in the execution status list and in the log console:

<IAM-1020063> <Incorrect format of Archival Date parameter. Archival Date is expected in DDMMYYYY or UI Date format.>

The job cannot run successfully until you input the correct Archival Date information.

36.2.11 Low File Limits Prevent Adapters from Compiling

On machines where the file limits are set too low, trying to create and compile an entity adapter causes a "Too many open files" error and the adapter will not compile.

To work around this issue, change the file limits on your machine to the following (located in /etc/security/limits.conf) and then restart the machine:

  • soft nofile 4096

  • hard nofile 4096

36.2.12 Reconciliation Engine Requires Matching Rules

Currently, Oracle Identity Manager's Reconciliation Engine in 11g Release 1 (11.1.1) requires you to define a matching rule to identify the users for every connector in reconciliation. Errors will occur during reconciliation if you do not define a matching rule to identify users.

36.2.13 SPML Requests Do Not Report When Any Date is Specified in Wrong Format

When any date, such as activeStartDate, hireDate, and so on, is specified in an incorrect format, the Web server does not pass those values to the SPML layer. Only valid dates are parsed and made available to SPML. Consequently, any SPML request that contains an invalid date format is ignored and not available for that operation. For example, if you specify the HireDate month as "8" instead of "08," the HireDate will not be populated after the Create request is completed and no error message is displayed.

The supported date format is:

yyyy-MM-dd hh:mm:ss.fffffffff

No other date format is supported.

36.2.14 Logs Populated with SoD Exceptions When the SoD Message Fails and Gets Stuck in the Queue

SoD functionality uses JMS-based processing. Oracle Identity Manager submits a message to the oimSODQueue for each SoD request. If for some reason an SoD message always results in an error, Oracle Identity Manager never processes the next message in the oimSODQueue. Oracle Identity Manager always picks the same error message for processing until you delete that message from the oimSODQueue.

To work around this issue, use the following steps to edit the queue properties and to delete the SoD message in oimSODQueue:

  1. Log on to the Weblogic Admin Console at http://<hostname>:<port>/console

  2. From the Console, select Services, Messaging, JMS Modules.

  3. Click OIMJMSModule. All queues will be displayed.

  4. Click oimSODQueue.

  5. Select the Configurations, Delivery Failure tabs.

  6. Change the retry count so that the message can only be submitted a specified number of times.

  7. Change the default Redelivery Limit value from -1 (which means infinite) to a specific value. For example, if you specify 1, the message will be submitted only once.

  8. To review and delete the SoD error message, go to the Monitoring tab, select the message, and delete it.

36.2.15 Underscore Character Cannot Be Used When Searching for Resources

When you are searching for a resource object, do not use an underscore character (_) in the resource name. The search feature ignores the underscore and consequently does not return the expected results.

36.2.16 Assign to Administrator Action Rule is Not Supported by Reconciliation

Reconciliation does not support the Assign to Administrator Action rule.

To work around this issue, change the Assign to Administrator to None in the connector XML before importing the connector. However, after changing the value to None, you cannot revert to Assign to Administrator.

36.2.17 Some Buttons on Attestation Screens Do Not Work in Firefox

If you are creating attestations in a Firefox Web browser and you click certain buttons, nothing happens.

To work around this issue, click the Refresh button to refresh the page.

36.2.18 The maxloginattempts System Property Causes Autologin to Fail When User Tries to Unlock

WLS Security Realm has a default lock-out policy that locks out users for some time after several unsuccessful login attempts. This policy can interfere with the locking and unlocking functionality of Oracle Identity Manager.

To prevent the WLS Security Realm lock-out policy from affecting the lock/unlock functionality of Oracle Identity Manager, you must set the 'Lockout Threshold' value in the WLS 'User Lockout Policy' to at least 5 more than the value in Oracle Identity Manager. For example, if the value in Oracle Identity Manager is set to 10, you must set the WLS 'Lockout Threshold' value to 15.

To change the default values for the 'User lockout Policy,' perform the following steps:

  1. Open the WebLogic Server Administrative Console.

  2. Select Security Realms, REALM_NAME.

  3. Select the User Lockout tab.

  4. If configuration editing is not enabled, then click the Lock and Edit button to enable configuration editing.

  5. Change the value of lockout threshold to the required value.

  6. Click Save to save the changes.

  7. Click Activate to activate your changes.

  8. Restart all the servers in the domain.

36.2.19 "<User not found>" Error Message Appears in AdminServer Console While Setting-Up an Oracle Identity Manager-Oracle Access Manager Integration

When you set up Oracle Identity Manager-Oracle Access Manager Integration with a JAVA agent and log into the Admin Server Console, a "<User not found>" error message is displayed. This message displays even when the login is successful.

36.2.20 Do Not Use Single Quote Character in Reconciliation Matching Rule

If you use the single quote character (') in a Reconciliation Matching rule (for example, 'B'1USER1'), reconciliation will fail with an exception.

36.2.21 Do Not Use Special Characters When Reconciling Roles from LDAP

Due to a limitation in the Oracle SOA Infrastructure, do not use special characters such as commas (,) in role names, group names, or container descriptions when reconciling roles from LDAP. Oracle Identity Manager's internal code uses special characters as delimiters. For example, Oracle Identity Manager uses commas (,) as approver delimiters and the SOA HWF-level global configuration uses commas as assignee delimiters.

36.2.22 SoD Check During Request Provisioning Fails While Using SAML Token Client Policy When Default SoD Composite is Used

SoD check fails and the following error is displayed on the SOA console when SoD check is performed during request provisioning only when the Default SoD Check composite is used:

SEVERE: FabricProviderServlet.handleException Error during retrieval of test page or composite resourcejavax.servlet.ServletException: java.lang.NullPointerException

This happens when Callback is made from OIM to SOA with the SoDCheck Results.

To resolve this issue, apply patch 9819201 on the SOA server. You can obtain patch 9819201 from My Oracle Support. The description of this patch on My Oracle Support is "ERROR WHILE USING SAML TOKEN CLIENT POLICY FOR CALLBACK."

For more information, refer to:

36.2.23 SoD Check Fails While Using Client-Side Policy in Callback Invocation During Request Provisioning

SoD check fails and following error is displayed on the Oracle Identity Manager Administrative and User Console when SoD check is performed during request provisioning only when the Default SoD Check composite is used:

<Error> <oracle.wsm.resources.policymanager><WSM-02264> <"/base_domain/oim_server1/oim/unknown/iam-ejb.jar/WEBSERVICECLIENTs/SoDCheckResultService/PORTs/ResultPort" is not a recognized resource pattern.>
<Error> <oracle.iam.sod.impl> <IAM-4040002><Error getting Request Service : java.lang.IllegalArgumentException: WSM-02264 "/base_domain/oim_server1/oim/unknown/iam-ejb.jar/WEBSERVICECLIENTs/SoDCheckResultService/PORTs/ResultPort" is not a recognized resource pattern.>

To resolve this issue, use the Oracle Smart Update utility to apply patch ID 3M68, which requires passcode of 6LUNDUC7, on Oracle WebLogic Server. For more information, refer to:

36.2.24 Error May Appear During Provisioning when Generic Technology Connector Framework Uses SPML

When using the generic technology connector framework uses SPML, during provisioning, the following error may appear:

<SPMLProvisioningFormatProvider.formatData :problem with Velocity Template Unable
to find resource 'com/thortech/xl/gc/impl/prov/SpmlRequest.vm'>

If the error occurs, it blocks provisioning by using the predefined SPML GTC provisioning format provider. Restarting the Oracle Identity Manager server prevents the error from appearing again.

36.2.25 Benign Exception May Appear When Using Repository Creation Utility to Seed Schedule Jobs

When using the Repository Creation Utility (RCU) to seed Schedule Jobs, the following exception may appear in the SeedSchedulerData.log file:

***** Seeding job and trigger 
Exception occurs during scheduling 
org.quartz.JobPersistenceException: Couldn't obtain triggers for job: 
oracle.iam.scheduler.vo.Trigger [See nested exception: 
java.lang.ClassNotFoundException: 
oracle.iam.scheduler.vo.Trigger]Exception: Couldn't obtain triggers for job: 
oracle.iam.scheduler.vo.Triggerorg.quartz.JobPersistenceException: 
Couldn't obtain triggers for job: oracle.iam.scheduler.vo.Trigger [See nested 
exception: java.lang.ClassNotFoundException: oracle.iam.scheduler.vo.Trigger]

This error is benign and can safely be ignored, as there is no loss of functionality.

36.2.26 Cannot Delete Approval Policies After Restarting Server

After restarting the Oracle Identity Manager server, you cannot delete an existing Approval Policy—though you can delete Approval Policies that you add after restarting the server.

To work around this issue, after restarting the server, open the Approval Policy that you want to delete, make an inconsequential change to it, such as slightly changing the description, and save the updated Approval Policy. You can now delete the updated Approval policy.

36.2.27 Cannot Click Buttons in TransUI When Using Mozilla Firefox

When using the Mozilla Firefox browser, in certain situations, some buttons in the legacy user interface, also known as TransUI, cannot be clicked. This issue occurs intermittently and can be resolved by using Firefox's reload (refresh) function.

36.2.28 LDAP Handler May Cause Invalid Exception While Creating, Deleting, or Modifying a Role

If an LDAP handler causes an exception when you create, modify, or delete a role, an invalid error message, such as System Error or Role does not exist, may appear.

To work around this issue, look in the log files, which will display the correct error message.

36.2.29 Cannot Reset User Password Comprised of Non-ASCII Characters

If a user's password is comprised of non-ASCII characters, and that user tries to reset the password from either the My Profile or initial login screens in the Oracle Identity Manager Self Service interface, the reset will fail with the following error message:

Failed to change password during the validation of the old password

Note:

This error does not occur with user passwords comprised of only ASCII characters.

To work around this issue, perform the following steps:

  1. Set the JVM file encoding to UTF8, for example: -Dfile.encoding=UTF-8

    Note:

    On Windows systems, this may cause the console output to appear distorted, though output in the log files appear correctly.
  2. Restart the Oracle WebLogic Server.

36.2.30 Benign Exception and Error Message May Appear While Patching Authorization Policies

When patches are applied to the Authorization Polices that are included with Oracle Identity manager and the JavaSE environment registers the Oracle JDBC driver, java.security.AccessControlException is reported and the following error message appears:

Error while registering Oracle JDBC Diagnosability MBean

You can ignore this benign exception, as the Authorization Policies are seeded successfully, despite the exception and error messages.

36.2.31 The DateTime Pick in the Trans UI Does Not Work Correctly in the Thai Locale

When locale is set to th_TH in Microsoft Windows Internet Explorer Web browser, the datetime in Oracle Identity Manager follows the Thai Buddhist calendar. In the Create Attestation page of the Administrative and User Console, when you select a date for start time, the year is displayed according to the Thai Buddhist calendar, for example, 2553. After you click OK, the equivalent year according to the Gregorian calendar, which is 2010, is displayed in the start time field. But when you click Next to continue creating the attestation, an error message is displayed stating that the start time of the process must not belong to the past.

To workaround this issue, perform any one of the following:

  • Specify the datetime manually.

  • Use Mozilla Firefox Web browser, which uses the Gregorian calendar.

36.2.32 End-User Administrator Changes to End-User if Request Involving the Same User is Created

Request is raised for a beneficiary for whom the Design Console Access flag is ON. The privileges the user has with this flag ON is that of the End-User Administrator role.

To workaround this issue, while raising a request for such a user, make sure that you select or set the flag again so that the privileges are maintained. Otherwise, the Flag will be cleared off and another administrator user will have to grant the privileges back to the user.

36.2.33 User Without Access Policy Administrators Role Cannot View Data in Access Policy Reports

OIM user without the ACCESS POLICY ADMINISTRATORS role cannot view data in the following reports:

  • Access Policy Details

  • Access Policy List by Role

To workaround this issue:

  1. Assign the ACCESS POLICY ADMINISTRATORS role to an OIM user.

  2. Create a BI Publisher user with the same username in Step 1. Assign appropriated BI Publisher role to view reports.

  3. Login as the BI Publisher user mentioned in step 2. View the Access Policy Details and Access Policy List by Role reports. All access policies are displayed.

36.2.34 Archival Utility Throws an Error for Empty Date

In case of empty date, archival utility throws an error message, but proceeds to archive data by mapping to the current date. Currently, no workaround exists for this issue.

36.2.35 TransUI Closes with Direct Provisioning of a Resource

TransUI closes while doing a direct provisioning if user defined field (UDF) is created with the default values. To work around this issue, you need to create a Lookup Code for the INTEGER/DOUBLE type UDF in the LKU/LKV table.

36.2.36 Scheduler Throws "ParameterValueTypeNotSupportedException" Instead of "RequiredParameterNotSetException"

On AIX platform, when a required parameter is missing during the creation of a scheduler job, instead of throwing "RequiredParameterNotSetException" with the error message "The value is not set for required parameters of a scheduled task.", it throws "ParameterValueTypeNotSupportedException" with the error message "Parameter value is not set properly". Currently, no workaround exists for this issue.

36.2.37 All New User Attributes Are Not Supported for Attestation in Oracle Identity Manager 11g

New user attributes are added in Oracle Identity Manager 11g. Not all of them are available for Attestation while defining user-scope. However, Attestation has been enhanced to include the following user attributes:

  • USR_COUNTRY

  • USR_LDAP_ORGANIZATION

  • USR_LDAP_ORGANIZATION_UNIT

  • USR_LDAP_GUID

Currently, no workaround exists for this issue.

36.2.38 LDAP GUID Mapping to Any Field of Trusted Resource Not Supported

Update fails in LDAP, if LDAP GUID is mapped to any field of trusted resource in LDAP-SYNC enabled installation. To work around this issue, Oracle does not recommend mapping for LDAP GUID field while creating reconciliation field mapping for a trusted resource.

36.2.39 User Details for Design Console Access Field Must Be Mapped to Correct Values When Reading Modify Request Results

When a Modify Request is raised, "End-User" and "End-User Administrator" values are displayed for the "Design Console Access" field. These values must be mapped to False/True while interpreting the user details.

36.2.40 Non-ASCII Text in Approval Policy Rules Might Be Garbled

If an approval policy rule contains non-ASCII characters, these characters might not be displayed correctly on the UI after the policy is exported with Deployment Manager.

Currently, no workaround exists for this issue.

36.2.41 Cannot Create a User Containing Asterisks if a Similar User Exists

If you try to create a user that contains an asterisk (*) after creating a user with a similar name, the attempt will fail. For example, if you create user test1test, followed by test*test, test*test will not be created.

It is recommended to not create users with asterisks in the User Login field.

36.2.42 Blank Status Column Displayed for Past Proxies

The Status field on the Post Proxies page is blank. However, active proxies are displayed correctly on Current Proxies page.

Currently, no workaround exists for this issue.

36.2.43 Mapping the Password Field in a Reconciliation Profile Prevents Users from Being Created

The Password field is available to be mapped with a reconciliation profile, but it should not be used. Attempting to map this field will generate a reconciliation event that will not create users. (The event ends in "No Match Found State".) In addition, you will not be able to re-evaluate or manually link this event.

36.2.44 UID Displayed as User Login in User Search Results

Although you can select the UID attribute from the Search Results Table Configuration list on the Search Configuration page of the Advanced Administration, the Advanced Search: Users results table displays the User Login field instead of the UID field.

36.2.45 Roles/Organizations Browse Trees Disappear

After you delete an organization, the Browse trees for organizations and roles might not be displayed.

To work around this issue, click the Search Results tab, then click the Browse tab. The roles and organizations browse trees display correctly.

36.2.46 Entitlement Selection Is Not Optional for Data Gathering

Entitlement (Child Table) selection during data gathering on the process form, for the "Depends On (Depended)" attribute is not optional. During data gathering, if dependent lookups are configured, then the user has to select the parent lookup value so that filtering happens on the child lookup and thus user gets a final list of entitlements to select . Currently, no workaround exists to directly filter the values based on the child lookup.

36.2.47 Oracle Identity Manager Server Throws Generic Exception While Deploying a Connector

Generic exceptions are shown in server logs every time deployment manager import happens or profile changes manually or profile changes via design console. This is because "WLSINTERNAL" is not an authorized user of Oracle Identity Manager. "WLSINTERNAL" is an internal user of WebLogic Server, and MDS uses it to invoke MDS listeners if there is a change in XMLs stored in MDS. Currently, no workaround exists for this issue.

36.2.48 Create User API Allows Any Value for the "Users.Password Never Expires", "Users.Password Cannot Change", and "Users.Password Must Change" Fields

Create User API allows the user to set any value between 0 and 9 instead of 0 or 1 for "Users.Password Never Expires", "Users.Password Cannot Change" and "Users.Password Must Change" fields. However, any value other than 0 is considered as TRUE and 0 is considered as FALSE, and the flag is set accordingly for the user being created. Currently, no workaround exists for this issue.

36.2.49 Dependent Resources Must Be Approved and Provisioned Last

If you are provisioning to two resources, and one of the resources is dependent on the other, the user must be approved and provisioned on the resource on which there is a dependency first. For example, if a user is to be provisioned to Microsoft Exchange and Active Directory, then the Active Directory user must be approved and provisioned first. Exchange requires data that are provided upon request, and the data is lost when approved before Active Directory.

To work around this situation, you must make another request for Exchange. This time, one request approval task will be raised for Exchange because the user already has Active Directory provisioned. After the request task is approved, Exchange provisioning will go through.

36.2.50 Incorrect Label in JGraph Screen for the GTC

The User Type label on the JGraph screen is displayed incorrectly as Design Console Access. To display User Type, add the line Xellerate_Type=User Type to the OIM_HOME/server/customResources/customResources.properties file.

36.2.51 Running the Workflow Registration Utility Generates an Error

When the workflow registration utility is run in a clustered deployment of Oracle Identity Manager, the following error is generated:

[java] oracle.iam.platform.utils.NoSuchServiceException:
java.lang.reflect.InvocationTargetException

Ignore the error message.

36.2.52 Native Performance Pack is Not Enabled On Solaris 64-bit JVM Install

For Oracle Identity Manager JVM install on a Solaris 64-bit computer, Oracle WebLogic log displays the following error:

Unable to load performance pack. Using Java I/O instead. Please ensure that a native performance library is in:

To workaround this issue, perform the following to ensure that JDK picks up the 64-bit native performance:

  1. In a text editor, open the MIDDLEWARE_HOME/wlserver_10.3/common/bin/commEnv.sh file.

  2. Replace the following:

    SUN_ARCH_DATA_MODEL="32"
    

    With:

    SUN_ARCH_DATA_MODEL="64"
    
  3. Save and close the commEnv.sh file.

  4. Restart the application server.

36.2.53 Error in the Create Generic Technology Connector Wizard

If you enter incorrect credentials for the database on the Create Generic Technology Connector wizard, a system error window is displayed. You must close this window and run the wizard again.

36.2.54 DSML Profile for the SPML Web Service is Not Deployed With Oracle Identity Manager

The DSML profile for the SPML Web service is not deployed by default with Oracle Identity Manager 11g Release 1 (11.1.1). SPML-DSML binaries are bundled with the Oracle Identity Manager installer to support Microsoft Active Directory Password Synchronization. You must deploy the spml-dsml.ear file manually.

36.2.55 New Human Tasks Must Be Copied in SOA Composites

When you add a new human task to an existing SOA composite, you must ensure that all the copy operations for the attributes in the original human task are added to the new human task. Otherwise, an error could be displayed on the View Task Details page.

36.2.56 Modify Provisioned Resource Request Does Not Support Service Account Flag

A regular account cannot be changed to a service account, and similarly, a service account cannot be changed to a regular account through a Modify Provisioned Resource request.

36.2.57 Erroneous "Query by Example" Icon in Identity Administration Console

In the Identity Administration console, when viewing role details from the Members tab, an erroneous icon with the "tooltip" (mouse-over text) of "Query By Example" appears. This "Query By Example" icon is non-functional and should be ignored.

36.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

36.3.1 Configuring UDFs to be Serachable for Microsoft Active Directory Connectors

A Microsoft Active Directory connector installation automatically creates a UDF: USR_UDF_OBGUID. When you add a new user-defined field (UDF), the "searchable" property will be false by default unless you provide a value for that property. After installing an Active Directory connector, you must perform the following steps to make the user-defined field searchable:

  1. Using the Advanced Administration console (user interface), change the "searchable" UDF property to true by performing the following steps:

    1. Click the Advanced tab.

    2. Select User Configuration and then User Attributes.

    3. Modify the USR_UDF_OBGUID attribute in the Custom Attributes section by changing the "searchable" property to true.

  2. Using the Identity Administration console (user interface), create a new Oracle Entitlement Server policy that allows searching the UDF by performing the following steps:

    1. Click the Administration tab and open the Create Authorization policy.

    2. Enter a Policy Name, Description, and Entity Name as User Management.

    3. Select Permission, then View User Details, and then Search User.

    4. Edit the Attributes for View User Details and select all of the attributes.

    5. Select the SYSTEM ADMINSTRATOR role name.

    6. Click Finish.

36.3.2 Creating or Modifying Role Names When LDAP Synchronization is Enabled

When LDAP synchronization is enabled and you attempt to create or modify a role, entering a role name comprised of approximately 1,000 characters prevents the role from being created or modified and causes a Decoding Error to appear. To work around this issue, use role names comprised of fewer characters.

36.3.3 ADF Issue Causes Oracle Identity Manager to Fail on the Sun JDK

Due to an ADF issue, using the Oracle Identity Manager application with the Sun JDK causes a StringIndexOutOfBoundsException error. To work around this issue, add the following option to the DOMAIN_HOME/bin/setSOADomainEnv.sh or the setSOADomainEnv.cmd file:

  1. Open the DOMAIN_HOME/bin/setSOADomainEnv.sh or setSOADomainEnv.cmd file.

  2. Add the -XX:-UseSSE42Intrinsics line to the JVM options.

  3. Save the setSOADomainEnv.sh or setSOADomainEnv.cmd file.

    Note:

    This error does not occur when you use JRockit.

36.3.4 Nexaweb Applet Does Not Load In an Oracle Identity Manager and Oracle Access Manager Integrated Environment

In an Oracle Identity Manager and Oracle Access Manager (OAM) integrated environment, when you login to the Oracle Identity Manager Administrative and User Console and click a link that opens the Nexaweb applet, the applet does not load.

To workaround this issue, configure loading of the NexaWeb Applet in an Oracle Identity Manager and OAM integrated environment. To do so:

  1. Login to the Oracle Access Manager Console.

  2. Create a new Webgate ID. To do so:

    1. Click the System Configuration tab.

    2. Click 10Webgates, and then click the Create icon.

    3. Specify values for the following attributes:

      Name: NAME_OF_NEW_WEBGATE_ID

      Access Client Password: PASSWORD_FOR_ACCESSING_CLIENT

      Host Identifier: IDMDomain

    4. Click Apply.

    5. Edit the Webgate ID, as shown:

      set 'Logout URL' = /oamsso/logout.html

    6. Deselect the Deny On Not Protected checkbox.

  3. Install a second Oracle HTTP Server (OHS) and Webgate. During Webgate configurations, when prompted for Webgate ID and password, use the Webgate ID name and password for the second Webgate that you provided in step 2c.

  4. Login to the Oracle Access Manager Console. In the Policy Configuration tab, expand Application Domains, and open IdMDomainAgent.

  5. Expand Authentication Policies, and open Public Policy. Remove the following URLs in the Resources tab:

    /xlWebApp/.../*

    /xlWebApp

    /Nexaweb/.../*

    /Nexaweb

  6. Expand Authorization Policies, and open Protected Resource Policy. Remove the following URLs in the Resources tab:

    /xlWebApp/.../*

    /xlWebApp

    /Nexaweb/.../*

    /Nexaweb

  7. Restart all the servers.

  8. Update the obAccessClient.xml file in the second Webgate. To do so:

    1. Create a backup of the SECOND_WEBGATE_HOME/access/oblix/lib/ObAccessClient.xml file.

    2. Open the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file.

      Note:

      Ensure that the DenyOnNotProtected parameter is set to 0.
    3. Copy the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file to the SECOND_WEBGATE_HOME/access/oblix/lib/ directory.

  9. Copy the mod_wls_ohs.conf from the FIRST_OHS_INSTANCE_HOME/config/OHS_NAME/directory to the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/ directory. Then, open the mod_wls_host.conf of the second OHS to ensure the WebLogicHost and WeblogicPort are still pointing to Oracle Identity Manager managed server host and port.

  10. Remove or comment out the following lines in the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/httpd.conf file:

    <LocationMatch "/oamsso/*">
       Satisfy any
    </LocationMatch>
    
  11. Copy the logout.html file from the FIRST_WEBGATE_HOME/access/oamsso/ directory to the SECOND_WEBGATE_HOME/access/oamsso/ directory. Then, open the logout.html file of the second Webgate to ensure that the host and port setting of the SERVER_LOGOUTURL variable are pointing to the correct OAM host and port.

  12. Login to Oracle Access Manager Console. In the Policy Configuration tab, expand Host Identifiers, and open the host identifier that has the same name as the second Webgate ID name. In the Operations section, verify that the host and port for the second OHS are listed. If not, then click the add icon (+ sign) to add them. Then, click Apply.

  13. Use the second OHS host and port in the URL for the OAM login page for Oracle Identity Manager. The URL must be in the following format:

    http://SECOND_OHS_HOST:SECOND_OHS_PORT/admin/faces/pages/Admin.jspx

36.3.5 Packing a Domain With managed=false Option

When a domain is packed with the managed=false option and unpacked on the another computer, Oracle Identity Manager Authentication Provider is not recognized by WebLogic and basic administrator authentication fails when the Oracle Identity Manager managed server is started.

The following workaround can be applied for performing successful authentication via Oracle Identity Manager Authentication Provider:

  1. Login in to the Oracle WebLogic Administrative Console by using the following URL:

    http://HOST_NAME:ADMIN_PORT/console

  2. Navigate to Security Realms, Realm(myrealm), and then to Providers.

  3. Delete OIMAuthenticationProvider.

    Note:

    Make sure that you note the provider-specific details, such as the database URL, password, and driver, before deleting the provider.
  4. Restart the WebLogic Administrative Server.

  5. Navigate to Security Realms, Realm(myrealm), and then to Providers.

  6. Create a new Authentication Provider of type OIMAuthenticationProvider.

  7. Enter the provider specific details and mark the control flag as SUFFICIENT.

  8. Restart the WebLogic Administrative Server.

  9. Restart Oracle Identity Manager and other servers, if any.

36.3.6 Option Not Available to Specify if Design Console is SSL-Enabled

While configuring Oracle Identity Manager Design Console, you cannot specify if Design Console is SSL-enabled.

To workaround this issue after installing Oracle Identity Manager Design Console, edit the OIM_HOME/designconsole/config/xlconfig.xml file to change the protocol in the Oracle Identity Manager URL from t3 to t3s.

36.3.7 Nexaweb Applet Does Not Load in JDK 1.6.0_20

Deployment Manager and Workflow Visualizer might not work if the client browser has JDK/JRE installed on it whose version is 1.6.0_20. To workaround this issue, uninstall the JDK/JRE version 1.6.0_20 from the client browser and reinstall the JDK/JRE version 1.6.0_15.

36.4 Multi-Language Support Issues and Limitations

This section describes multi-language issues and limitations. It includes the following topics:

36.4.1 Multi-language Valued Attributes in SPML and Oracle Identity Manager Do Not Match

Oracle Identity Manager supports only the Display Name attribute for multi-language values. SPML specifies additional attributes, such as commonName and surname, as multi-language valued in the PSO schema. When multiple locale-values are specified in an SPML request for one of these attributes, only a single value is picked and passed to Oracle Identity Manager. The request will not fail and a warning message identifying the attributes and the value that was passed to Oracle Identity Manager is provided in the response.

36.4.2 Login Names with Some Special Characters May Fail to Register

In Oracle Identity Manager, the user login name is case-insensitive. When a user is created, the login name is converted to upper case and saved in the database. But the password is always case-sensitive. However, some special characters may encounter an error while registering to Oracle Identity Manager:

  • Both the Greek characters &#963; (sigma) and &#962; (final sigma) maps to the &#931; character.

  • Both English character i and Turkish character &#305; maps to the I character.

  • Both German character ß and English string SS maps to the SS string.

This means that two user login names containing these special characters when the other characters in the login names are same cannot be created. For example, the user login names Johnß and JohnSS maps to the same user login name. If Johnß already exists, then creation of JohnSS is not allowed because both the ß character and the SS string maps to the SS string.

36.4.3 The Create Role, Modify Role, and Delete Role Request Templates are Not Available for Selection in the Request Templates List

The Create Role, Modify Role, and Delete Role request templates are not available in the Request Templates list of the Create Request wizard. This is because request creation by using any request template that are based on the Create Role, Modify Role, and Delete Role request models are supported from the APIs, but not in the UI. However, you can search for these request templates in the Request Templates tab. In addition, the Create Role, Modify Role, and Delete Role request models can be used to create approval policies and new request templates.

36.4.4 Parameter Names and Values for Scheduled Jobs are Not Translated

In the Create Job page of Oracle Identity Manager Advanced Administration, the fields in the Parameter section and their values are not translated. The parameter field names and values are available only in English.

36.4.5 Bidirectional Issues for Legacy User Interface

The following are known issues in the legacy user interface, also known as TransUI, contained in the xlWebApp war file:

  • Hebrew bidirectional is not supported

  • Workflow designer bidirectional is not supported for Arabic and Hebrew

36.4.6 Localization of Role Names, Role Categories, and Role Descriptions Not Supported

Localization of role names, categories, and descriptions is not supported in this release.

36.4.7 Localization of Task Names in Provisioning Task Table Not Supported

All Task Name values in the Provisioning Task table list are hard-coded and these pre-defined process task names are not localized.

36.4.8 Localization of Search Results of Scheduled Tasks Not Supported

When you search Scheduler Tasks using a Simple or Advanced search, the search results are not localized.

36.4.9 Searching for User Login Names Containing Certain Turkish Characters Causes an Error

On the Task Approval Search page, if you select "View Tasks Assigned To", then "Users You Manage", and then choose a user whose login name contains a Turkish Undotted "&#305" or a Turkish dotted "&#304" character, a User Not Found error will result.

36.4.10 Localization of Notification Template List Values for Available Data Not Supported

Localizing Notification Template Available Data list values is not supported in this release. Oracle Identity Manager depends upon the Velocity framework to merge tokens with actual values, and Velocity framework does not allow a space in token names.

36.4.11 Searching for Entity Names Containing German "ß" (Beta) Character Fails in Some Features

When you search for entity names containing the special German "ß" (beta) character from the Admin Console, the search fails in the following features:

  • System Configuration

  • Request Template

  • Approve Policy

  • Notification

In these features, the "ß" character matches to "ss" instead of itself. Consequently, the Search function cannot find entity names that contain the German beta character.

36.4.12 Special Asterisk (*) Character Not Supported

Although special characters are supported in Oracle Identity Manager, using the asterisk character (*) can cause some issues. You are advised not to use the asterisk character when creating or modifying user roles and organizations.

36.4.13 Translated Error Messages Are Not Displayed in UI

Oracle Identity Manager does not support custom resource bundles for Error Message display in user interfaces. Currently, there is no workaround for this issue.

36.4.14 Reconciliation Table Data Strings are Hard-coded on Reconciliation Event Detail Page

Some of the table data strings on the Reconciliation Event Detail page are hard-coded, customized field names. These strings are not localized.

36.4.15 Translated Password Policy Strings May Exceed the Limit in the Background Pane

Included as per bug# 9539501

The password policy help description may run beyond the colored box in some languages and when the string is too long. Currently, there is no workaround for this issue.

36.4.16 Date Format Validation Error in Bi-Directional Languages

When Job Detail page is opened in bi-directional languages, you cannot navigate away from this page because of "Date Format Validation Error". To work around this issue, select a value for the "Start Date" using the date-time control and then move to another page.

36.4.17 Mistranslation on the Create Job page

On the Japanese locale (LANG=ja_JP.UTF-8), "Fourth Wednesday" is mistranslated as "Fourth Friday" on the Create Job page when "Cron" is selected as the Schedule Type and "Monthly on given weekdays" is selected as the Recurring Interval.

36.5 Documentation Errata

Documentation Errata: Currently, there are no documentation issues to note.