F Troubleshooting Oracle Access Manager

This appendix explains typical problems that you could encounter while running or restarting Oracle Access Manager and components. It contains these sections:

• Access Server Won't Start When the Debug Log Reaches 2GB

• Certain Identity Functions Don't Work as Expected

• Creating a User Identity

• Directory and Database Problems and Solutions

• Enabling Case-Comparisons For Challenge and Response Attributes for LPM

• Error When Resetting the LPM Challenge or Response Phrase

• File Ownership and Command Line Tools

• Identity Server Logs Indicate that User Data Has Been Tampered With

• Notifications

• NPTL Requirements and Post-Installation Tasks

• Username and Password Are in Clear Text in the HTTP Header

• Other Problems and Solutions

• Error Messages and Recommendations for Handling Them

• Capturing Diagnostic Information

• Need More Help?

F.1 Access Server Won't Start When the Debug Log Reaches 2GB

Problem

The Access Server profile has the debug flag turned on. When the Access Server debug log reaches 2 GB in size, the Access Server stops and cannot be restarted.

Cause

If the Access Server debug option is used, the Access Server does not recycle the debug log file. On some Operating Systems, the log file can grow to a size that prevents debug logging from being successful. At this point, the Access Server might not function.

Solution

Either remove the debug log file or disable the debug flag in the Access Server profile.

Use debugging only when diagnosing a problem related to connection issues between the Access Server and WebGate. For a longer period, Oracle recommends that you use trace level logging rather than debug logging. For more information, see Chapter 10, "Logging".

F.2 Certain Identity Functions Don't Work as Expected

Problem

Certain Identity System functions, for example, Query Builder or Derived Attributes, might not seem to work as expected. For instance, suppose you are using Group Manager, Modify Group, Build Filter. In the Query Builder, a query based on "car license" or "Department Number" might not seem to work as expected even though you have valid data for these attributes and expect the filter to show those users.

Cause

All attributes must be indexed (also known as cataloged) in the directory server used by Oracle Access Manager. Some attributes might need to be cataloged manually.

Solution

Confirm that the attribute is indexed and cataloged in the directory server. If it is not, manually index and catalog the attribute.

F.3 Creating a User Identity

The steps to create a user identity depend on how the administrator defined the Create User workflow.

Problem

Clicking the Create User Identity tab in the User Manager results in a message saying that you do not have enough access rights.

Cause

If there is no Create User workflow defined, even an administrator can see a message saying they do not have enough access rights after clicking the Create User Identity tab.

Solution

Develop and enable a Create User workflow. For more information, see the following topics:

• How Workflows Are Initiated

• Workflow Types

• Using the QuickStart Tool

• Starting a New Workflow Definition

• Creating a Self-Registration Workflow

• Defining an LDAP Target for Create Object Workflows

• Subscribing to Groups

F.4 Directory and Database Problems and Solutions

This section describes common problems and solutions for the directory and database. It contains the following topics:

• Problem Setting up SSL Between the Identity Server and Active Directory

• Error Message to Check if the Directory Server is Running or Responding

• Access Control and Searchbase Support for eDirectory 8.7.3

• Unable to Save a Directory Server Profile

• Active Directory: Adding Members Causes the Group Size to Shrink

• ADSI Cannot Be Enabled for a Directory Profile

• Database Validation Fails

F.4.1 Problem Setting up SSL Between the Identity Server and Active Directory

When configuring SSL between the Identity Server and Active Directory, the Identity Server crashes.

Problem

Active Directory uses the Lightweight Directory Access Protocol (LDAP) for read and write operations. By default, LDAP traffic is sent in the clear over an open channel. You can enable a secure version of LDAP using the Secure Sockets Layer (SSL) Transport Layer Security (TLS).

If you have not configured SSL, or if there is a problem with the configuration, the Identity Server crashes when establishing an SSL connection with an LDAPS-enabled Active Directory Server. The Event Viewer application log produces a report similar to the following:

Faulting application ois_server.exe, version 0.0.0.0, faulting module
NSLDAPSSL32V41.dll, version 16512.0.0.10521, fault address 0x0004d3cd. 

Solution

Install a valid certificate on a domain controller that enables the LDAP service to listen for, and automatically accept, SSL connections for LDAP and global catalog traffic.

For the component to establish an SSL connection to an LDAPS-enabled Active Directory server, the server certificate must contain the fully qualified domain name for the Acrive Directory domain controller, for example, server.domain.com. This informaiton must appear in the Common Name (CN) of the Subject field.

After receiving the client certificate the LDAP server determines if the CA who issued the certificate is trusted. If the CA is trusted, the server uses the subject name in the certificate to determine if the client has access rights to perform the requested operation.

F.4.2 Error Message to Check if the Directory Server is Running or Responding

During normal operations, you can receive an error indicating that the directory server may not be operational.

Problem

The Access Server or Policy Manager may issue one of the following error messages:

• "Please verify that the Directory Server is running."

• "Please verify that the Directory Server is responding."

These error messages are generated when the Oracle Access Manager component does not receive a response from the directory server within a user-configurable amount of time.

Solution

The following are possible solutions to the problem:

• Check the value for the LDAPOperationTimeout parameter in globalparams.xml.

  This parameter enables the Oracle Access Manager component to fail over to a secondary directory server when the primary one takes too long to respond. See the appendix on parameter files in the Oracle Access Manager Customization Guide for details.

• Ensure that failover has been configured for this directory server.

  See the information on configuring directory server profiles in the Oracle Access Manager Identity and Common Administration Guide. Also see the chapter on failover in the Oracle Access Manager Deployment Guide.

F.4.3 Access Control and Searchbase Support for eDirectory 8.7.3

You might need to apply patches for access control and searchbase support on Novell eDirectory.

F.4.3.1 Problem

When conducting searches using Novell eDirectory 8.7.3, attribute access controls and searchbase filters do not work as expected. For example, using eDirectory 8.7.3, you can configure filters to return organizational units (ou's) below the top node of the DIT, as follows:

(&(objectclass=*)(!(|(objectclass=oblixconfig)(objectclass=oblixlocation)(objectclass=genSiteOrgPerson)(objectclass=genSiteGroup)))(objectclass=*))

However, these searches return information that you were trying to exclude. For example, users may be returned.

F.4.3.2 Solution

To work around this issue, apply the eDirectory patch 8.7.3.7. See the following URLs for details:

http://www.novell.com

http://support.novell.com/servlet/downloadfile?file=/uns/ftf/edir8737ftf_1.exe

F.4.4 Unable to Save a Directory Server Profile

When saving a directory server profile for use by Identity System and Access System components, you may receive an error similar to the following:"Unable to save the Directory Server Profile. The applications require a Directory Server Profile to access Policy base with search, modify, and delete operations to function properly. This Directory Server Profile cannot load balance between its servers as well."

F.4.4.1 Problem

When you install the Access System (at least the Policy Manager), you are asked to identify a location in the directory for policy information. This branch in the directory may or may not be the same as the branch where the Identity System configuration data is stored. Also during Policy Manager installation, a directory profile is created that provides the Identity Servers rights over the policy branch. The Identity Servers require the ability to search, modify and delete objects in the Access System's policy branch to ensure referential integrity between the Identity and Access Systems. For example, suppose that you allow a user access to a particular resource in the Allow Access page of a policy in the Access System. If you delete the user from the Identity System, referential integrity ensures that the user is also deleted from the policies in the Access System.

If there is no directory profile that provides referential integrity between the Identity and Access Systems, you receive the "Unable to save. . ." error. If you receive this message, you have probably deleted or edited this profile.

F.4.4.2 Solution

Create another directory server profile with access to the policy branch of the directory.

F.4.5 Active Directory: Adding Members Causes the Group Size to Shrink

Adding users to static groups works properly only up to a point.

Problem

Continuing to add members to static groups causes the group size to shrink.

Solution

Change the value for the parameter maxForRangedMemberRetrieval in globalparams.xml to a number higher than the desired group membership size:

• If you are using Active Directory on Windows 2003, set the parameter maxForRangedMemberRetrieval in globalparams.xml to 1500.

• If you are using Active Directory on Windows 2000, set it to 1000.

F.4.6 ADSI Cannot Be Enabled for a Directory Profile

When using Active Directory, you can use the Identity System Console to change the directory profile for user data from ADSI to LDAP or LDAP to ADSI. However, you cannot do this for configuration or policy data.

F.4.6.1 Problem

When you attempt to change the directory profile for policy or configuration data from the Identity System Console, you get an error. For example, suppose that you store user data in an Active Directory forest using LDAP, and you store configuration and policy data in a different Active Directory forest using ADSI. If you use the Identity System Console to change the ADSI flag in the configuration data database profile to LDAP, after restarting the Oracle Access Manager servers and services, the ADSI flag remains enabled and the following message appears:

"ADSI can be enabled for either user or configuration DB Profile if they are in a separate forest. ADSI Cannot be Enabled for this DB Profile."

Any attempts to modify the directory profile for configuration or policy data to ADSI produces an error because Oracle Access Manager recognizes the profile as ADSI-enabled.

F.4.6.2 Solution

To modify the directory profile for configuration and policy data, rerun the setup program. See "Rerunning Setup Manually" for details.

F.4.7 Database Validation Fails

In the Identity System Console, when you attempt to save a new database instance for an RDBMS profile you may receive a "Database Validation failed" message.

F.4.7.1 Problem

This problem occurs when creating an RDBMS profile, as described in "Managing RDBMS Profiles". Usually, the problem arises because of an incorrect value for the SQLDBType parameter in the following file:

component_install_dir/identity/apps/common/bin/globalparams.xml

Where component_install_dir is the location where the Identity Server was installed.

F.4.7.2 Solution

Set the value for the SQLDBType parameter as follows:

• For an ODBC connection type, set the value to Oracle.

• For an OCI connection type, set the value to Oracle_OCI.

• For SQL Server database, set the value to SQLServer.

F.5 Enabling Case-Comparisons For Challenge and Response Attributes for LPM

Problem

When configuring the challenge and response attributes for lost password management, the "response" attribute is set to Case - Insensitive, however when you enter the response, it is case sensitive.

Solution

To make case comparisons configurable for lost password management, a new parameter, isLPMResponseCaseSensitive, can be added to the Identity Server globalparams.xml file. This parameter directs Oracle Access Manager behavior as follows:

• true: The default value when the parameter is not in the globalparams.xml file. A value of true (or no parameter) triggers case sensitive comparisons of the LPM response.

• false: Enter this value when the parameter is present and you want to disable case sensitive comparisons of the LPM response.

To enable or disable case comparisons

1. Locate the Identity Server globalparams.xml file, as follows:

   IdentityServer_install_dir/identity/oblix/apps/common/bin/

2. Disable case sensitive comparisons for LPM responses:

   <SimpleList>
     <NameValPair 
        ParamName="isLPMResponseCaseSensitive" 
        Value="false"></NameValPair>
   </SimpleList>
   

3. Enable case sensitive comparisons for LPM responses:

   <SimpleList>
     <NameValPair 
        ParamName="isLPMResponseCaseSensitive" 
        Value="true"></NameValPair>
   </SimpleList>
   

4. Restart the Identity Server.

5. Repeat for each Identity Server in your deployment.

F.6 Error When Resetting the LPM Challenge or Response Phrase

Ignore this topic if you have a fresh installation of Oracle Access Manager 10g (10.1.4.3), which includes the latest changes to basic.xsl and misc.js. You have no previous customizations to update and need not perform any of the steps here.

Problem

An error might occur when a user attempts to reset the lost password management challenge or response phrase in their own user profile. For instance, when changing the Challenge or Response using a Selection box in a Panel, an unexpected error could appear:

Challenge phrase is blank. Provide values for all challenge phrases.

Note:

The LPM function does not require the Challenge and Response attributes to be modified simultaneously. For example, a delegated administrator might be allowed to set Challenge questions for a user, but not the responses. No error occurs if you change the Challenge phrase without changing the Response phrase.

Solution

To help resolve this issue, Oracle Access Manager bundle patch 10.1.4.2-BP04 delivered changes to basic.xsl and misc.js. The updated basic.xsl (a typical wrapper stylesheet) and misc.js (a system-level file used by many stylesheets) need to be introduced in your deployment.

The updated basic.xsl and misc.js files are available in a separate zip file with this bundle patch to avoid possible overwriting of any customizations that may have been done to these files in your environment.

The basic.xsl that is delivered in bundle patch 10.1.4.2-BP04 should replace the earlier version that reside in IdentityServer_install_dir\identity\oblix\lang\shared and WebPass_install_dir\identity\oblix\lang\shared. If your environment includes a custom-style directory, you must update your customized version of basic.xsl to include the changes delivered with this new basic.xsl file.

The misc.js file delivered with bundle patch 10.1.4.2-BP04 should replace the earlier version that resides in WebPass_install_dir\identity\oblix\lang\shared.

Note:

Oracle recommends that you retain Oracle-delivered stylesheets as is, and use Oracle guidelines to copy stylesheets to a new directory before customizing the copy. If your original stylesheets in the \shared directory were customized, you must perform extra steps to ensure that customizations are preserved while changes delivered with this patch are incorporated.

Your existing basic.xsl and misc.js files are stored as follows:

• \shared\basic.xsl: IdentityServer_install_dir\identity\oblix\lang\shared

  \shared contains default global stylesheets that are language-neutral. You can replace the existing \shared\basic.xsl with the new one delivered with this patch.

  Note:

  If your existing \shared\basic.xsl is customized and stored in a custom style directory, see \CustomStyle\basic.xsl.

• \CustomStyle\basic.xsl: IdentityServer_install_dir\identity\oblix\lang\en-us\CustomStyle

  If your environment includes a custom-style directory and stylesheets, you can update \CustomStyle\basic.xsl to include the changes delivered with this new basic.xsl file (differences between the original Oracle-provided version and the one delivered with this patch). You can lose any customizations if you replace the customized file with the new one.

• \style0\basic.xsl: IdentityServer_install_dir\identity\oblix\lang\en-us\style0

  This patch does not include a basic.xsl thin wrapper file. \style0 contains corresponding, language-specific, default thin wrapper files that differ from the default global stylesheet in \shared. You can have a language-specific \style0 directory for each installed language. Typically, these language-specific wrappers call the global stylesheet in \shared.

  Note:

  Do not replace \style0\basic.xsl with the file in this patch. However, if the basic.xsl thin wrapper in a language-specific \style0 has been customized and does not include the reference to \shared\basic.xsl, then you might have to apply the changes delivered with this new shared\basic.xsl to basic.xsl in the language-specific \style0.

• basic.xsl: WebPass_install_dir\identity\oblix\lang\shared

  Replace the existing \shared\basic.xsl for WebPass with the new one delivered with this patch.

• misc.js: WebPass_install_dir\identity\oblix\lang\shared

  You can replace the existing \shared\misc.js with the new one delivered with this patch.

  Note:

  Oracle strongly recommends that you do not change mics.js. This system level file is contained in almost every stylesheet as an include file. Errors in this file affect most every stylesheet that the system uses. Changing this file can cause hidden problems, or problems down the road.

For more information about these files, stylesheets, and customization, see the chapter on designing the GUI with PresentationXML in the Oracle Access Manager Customization Guide.

Note:

LPMChallengeResponsePatch.zip is included in each platform zip file. After downloading and unzipping the package, you can perform the following steps to obtain and use the latest basic.xsl and mics.js files.

To prepare and use the new basic.xsl and mics.js files in your environment

1. Create a temporary directory to hold the contents of LPMChallengeResponsePatch.zip.

   temp\lpm_cr_patch

2. Unzip LPMChallengeResponsePatch.zip to extract the contents.

3. Within the temporary directory you created, locate the new files:

   • temp\lpm_cr_patch\basic.xsl

   • temp\lpm_cr_patch\mics.js

4. Back up your earlier \shared\basic.xsl and \shared\misc.js files.

5. Back up your earlier \CustomStyle\basic.xsl file, if your deployment includes a customized style directory containing customized stylesheets.

6. No Customizations: If your existing \shared\basic.xsl or \shared\misc.js files are pristine (not customized), replace existing versions with the new versions (overwrite the earlier versions).

   • basic.xsl: IdentityServer_install_dir\identity\oblix\lang\shared\basic.xsl

   • basic.xsl: WebPass_install_dir\identity\oblix\lang\shared\basic.xsl

   • misc.js: WebPass_install_dir\identity\oblix\lang\shared\misc.js

7. Customizations: Copy all changes from the basic.xsl or misc.js files delivered with this patch, into your customized versions (generally, only within a custom style directory).

   • basic.xsl: IdentityServer_install_dir\identity\oblix\lang\ langtag\CustomStyle\

   • basic.xsl: IdentityServer_install_dir\identity\oblix\lang\shared

   • basic.xsl: WebPass_install_dir\identity\oblix\lang\shared\basic.xsl

   • misc.js: WebPass_install_dir\identity\oblix\lang\shared

8. You are ready to modify lost password management challenges and responses within the user profile panel, as usual. For example:

   1. From the Identity System Console, click the User Manager tab and click the My Profile tab.

   2. From the My Profile page, click the View Panel button.

   3. On the Panel under which you have configured the Challenges and Responses, click the Modify button.

   4. Change the challenge or response, and then click Save.

F.7 File Ownership and Command Line Tools

All command line utilities and tools must be run as the user who installed the product, as described in the Oracle Access Manager Installation Guide. Oracle recommends that you do not attempt to change ownership or permissions on files after installation.

F.8 Identity Server Logs Indicate that User Data Has Been Tampered With

Problem

Identity Server logs indicate that user data has been tampered with. This occurs after challenge and response attributes are set, and then you modify a user profile and save it without entering values for the challenge and response. The following message appears in the log.

"Delimiter not found. User data seems to be tampered." 

This error is logged only once for any user profile that is modified.

Cause

This issue occurs only if you choose already available attributes (which may have some value) for the Challenge and Response phrase.

Solution

Follow the recommended way of configuring lost password management challenge and response-type attributes: In your directory, create two new attributes: one to be used for challenges that are presented to users, and one for responses that users provide to the challenges. Ensure that there are two unused, empty attributes in your directory to be used for user challenges and responses. Oracle recommends that you choose unused attributes, not attributes that already have a value assigned. For details about lost password management, see "Lost Password Management".

F.9 Notifications

A new parameter (UseDefaultOptionsForAllMails) in the globalparams.xml file in the IdentityServer_install_dir path:

/apps/common/bin/globalparams.xml

Enables you to configure an email ID to be used to send all email notifications.

If the parameter UseDefaultOptionsForAllMails is set to true, then for any email that is sent from the Identity Server the:

• "Sender's Name" field gets the value from the "sendMailFromName" parameter defined in the globalparams.xml file."Sender's Email" field gets the value from the "sendMailFromEmail" parameter defined in the globalparams.xml file.

Problem

An email notification is sent with the "sendMailFromEmail" parameter value in the Sender's Name field.

No email notification is sent. Instead, an message is sent to the user and an error is logged indicating that the notification email could not be sent.

Cause

UseDefaultOptionsForAllMails is true, but values are not defined in the globalparams.xml file, as follows:

• sendMailFromName not defined: An email is sent with the "sendMailFromEmail" parameter's value in the Sender's Name field.sendMailFromEmail not defined: If UseDefaultOptionsForAllMails is true and if sendMailFromEmail is not defined, then no email is sent. Instead, anappropriate message is sent to the user and an error is logged indicating that the notification email could not be sent.

Solution

Set UseDefaultOptionsForAllMails to true and define values appropriately in the globalparams.xml file:

• sendMailFromName not definedsendMailFromEmail not defined

For more information, see "Descriptions of Step Actions" for information on UseDefaultOptionsForAllMail and the chapter on parameters in the Oracle Access Manager Customization Guide.

F.10 NPTL Requirements and Post-Installation Tasks

Earlier releases of Oracle Access Manager for Linux used the LinuxThreads library only. Using LinuxThreads required that you manually set the environment variable LD_ASSUME_KERNEL, which is used by the dynamic linker to decide what implementation of libraries is used. When you set LD_ASSUME_KERNEL to 2.4.19 the libraries in /lib/i686 are used dynamically.

Red Hat Linux v5 and later releases support only Native POSIX Thread Library (NPTL), not LinuxThreads. To accommodate this change, Oracle Access Manager is now compliant with NPTL specifications. However, LinuxThreads is used by default.

Oracle Access Manager uses either Native POSIX Thread Library (NPTL) or LinuxThreads. The default mode is LinuxThreads. To support the default, the start_ois_server and start_access_server start sin LinuxThreads mode. In this case, the variable LD_ASSUME_KERNEL is automatically set to 2.4.19. The message "Using Linux Threading Library." appears in the console and in the server's oblog file. However, if you start the server with the start_ois_server_nptl or start_access_server_nptl scripts, NPTL mode is used. You can also restart the server with restart_ois_server_nptl or restart_access_server_nptl scripts. In this case, the message "Using NPTL Threading Library." appears in the console and in the server's oblog file.

When you use NPTL with Oracle Access Manager, there is no impact on custom plug-ins and APIs that you have created for Oracle Access Manager. When upgrading, you must still recompile custom plug-ins from Oracle Access Manager release 6.x using the GCC v3.3.2 C++ compiler. With NPTL, there is no requirement to set the environment variable LD_ASSUME_KERNEL to 2.4.19 when installing Web components or third-party connectors for use with Oracle Access Manager.

The NPTL-ready scripts include:

• Identity Server: start_ois_server_nptl and restart_ois_server_nptl

• Access Server: start_access_server_nptl and restart_access_server_nptl

Note:

Standard stop scripts and the following standard setup scripts operate successfully whether you use LinuxThreads or NPTL: start_setup_ois, start_setup_webpass, start_setup_access_manager, start_configureAAAServer, stop_snmp_agent, start_configureWebGate, and start_configureAccessGate.

The setup script for the SNMP agent, start_snmp_agent, includes an entry for LD_ASSUME_KERNEL. When using NPTL with Oracle Access Manager, you must remove or comment out the LD_ASSUME_KERNEL=2.4.19 environment variable from the following file:

SNMP Agent: start_snmp_agent

Note:

Oracle Access Manager servers can run using NPTL while Oracle Access Manager Web components use LinuxThreads (and vice versa). When installing Oracle Access Manager Web components or third-party connectors for use with NPTL, there is no need to set the environment variable LD_ASSUME_KERNEL to 2.4.19.

Use the following procedure as a guide when using or modifying scripts for NPTL and Oracle Access Manager.

To use NPTL with Oracle Access Manager

1. Use NPTL versions of start scripts for the Identity Server and Access Server stored in:

   
   IdentityServer_install_dir/identity/oblix/apps/common/bin/
   start_ois_server_nptl
   
   AccessServer_install_dir/access/oblix/apps/common/bin/
   start_access_server_nptl
   

2. SNMP Agent: Perform the following steps to remove or comment out the LD_ASSUME_KERNEL=2.4.19 environment variable from the start_snmp_agent script.

   1. Locate the start_snmp_agent script in the following path:

      
      SNMP_install_dir/oblix/apps/agent/bin/start_snmp_agent
      

   2. In a text editor, remove or comment out the following line:

      LD_ASSUME_KERNEL =2.4.19
      

   3. Save the file.

   4. Repeat for each SNMP Agent in your deployment.

3. Use standard setup and stop scripts:

   
   start_setup_ois
   start_setup_webpass
   start_setup_access_manager
   start_configureAAAServer
   start_configureWebGate
   start_configureAccessGate
   stop_ois_server
   stop_access_server
   stop_snmp_agent
   

4. Web Components or Third-party Connectors Using NPTL: Do not set the environment variable LD_ASSUME_KERNEL to 2.4.19 when using NPTL with Oracle Access Manager.

F.11 Username and Password Are in Clear Text in the HTTP Header

Problem

The username and password appear in clear text in the HTTP header.

Cause

The username and password are sent in HTTP POST data from the browser to the Web server. If the Web server does not have SSL-enabled, the username and password appear in clear text in the HTTP header.

Solution

A Web server that passes credentials (username and password) to an Oracle Access Manager Web component should have SSL enabled. With an SSL-enabled Web server, data in the HTTP POST cannot be sniffed. Other Web servers need not be SSL-enabled.

F.12 Other Problems and Solutions

This section describes common problems and solutions for components other than the directory and database. It contains the following topics:

• Auditing for the Identity System Ceases to Work

• Identity Server Crashes if It Cannot Find a Stylesheet

• Identity System Deletes a User Entry When an RDN Is Modified

• JPEG Photo Images Are Not Updated

• Memory Usage Rises for an Identity Server After Configuring a Directory Server Profile

• Performance of a Component is Slow

• Reports With Non-ASCII Characters Are Not Imported Correctly in Excel

• Simple Transport Security Mode Expires After One Year

• Stylesheet Validation Fails

• User Creation Might Fail When You Have Multi-byte Charcters in the Password

• WebPass Is Unable to Connect to Its Associated Identity Server

F.12.1 Auditing for the Identity System Ceases to Work

When you configure auditing for multiple Read Application Cluster (RAC) databases, auditing may not work correctly for a while.

F.12.1.1 Problem

After shutting down and restarting a RAC instance other than the one that was shut down the last time, auditing stops.

F.12.1.2 Solution

Restart the Identity Server.

F.12.2 Identity Server Crashes if It Cannot Find a Stylesheet

After you customize a stylesheet, the Identity Server crashes or issues an error about a Win32 exception being caught.

F.12.2.1 Problem

You may have used backslash characters as path separators in your stylesheets in xsl:include constructs.

F.12.2.2 Solution

If you have used backslash characters as path separators in your stylesheets in xsl:include constructs, replace the backslashes with forward slash characters. For example, you would want to change the following:

<xsl:include href=".\style.xsl" /> To this:

<xsl:include href="./style.xsl" />

F.12.3 Identity System Deletes a User Entry When an RDN Is Modified

The Identity System deletes user entries when you attempt to modify an RDN attribute value. The RDN is the leftmost attribute in a DN. Typically, the RDN attribute is cn or Full Name.

F.12.3.1 Problem

This problem occurs when you use Oracle Internet Directory as the back-end repository. A referential integrity setting has not been configured for the Identity Server.

F.12.3.2 Solution

To fix this problem:

1. Edit the file ldapreferentialintegrityparams.xml in the following directory:

   Identity_Server_installation_directory\identity\oblix\data\common

2. Change the value of the parameter referential_integrity_using from oblix to ds, as follows:

   <NameValPair ParamName="referential_integrity_using" Value="ds"/>
   

3. Save the file.

4. Restart the Identity Server for the changes to take effect.

   You should be able to modify the RDN attribute value without any problem.

5. If you have multiple instances of the Identity Server installed, make this change to every instance of the Identity Server.

F.12.4 JPEG Photo Images Are Not Updated

When attempting to modify a photo in an Identity application, JPEG photo images are not being updated.

F.12.4.1 Problem

This problem occurs when a user who has write permission to the Photo attribute does the following:

1. Open the User Manager.

2. View a user profile that contains a photo.

3. Select Panel View.

4. Try to upload a new photo.

Expected result: The photo is updated.

Actual result: The photo does not change.

F.12.4.2 Solution

Modify JPEG photo images in the page view.

F.12.5 Memory Usage Rises for an Identity Server After Configuring a Directory Server Profile

After configuring a directory server profile, the memory usage for the Identity Server becomes too high. Note that this problem can also apply to an Access Server or Policy Manager.

F.12.5.1 Problem

When you configure a directory server profile, you are prompted to provide a maximum session time. The default value for the session time is 0 (unlimited). This may cause a performance issue, because the size of the caches for LDAP connections to the Identity Server increase over time. Oracle Access Manager does not control these caches directly.

F.12.5.2 Solution

To prevent the cache size from causing a performance problem, set the value of the Maximum Session Time (Minutes) for the directory server profile to a finite value, for example, 10 hours, as follows:

1. From the Identity System Console click System Configuration, then click Directory Profiles.

2. Click the link for the profile that you want to modify.

3. In the Max. Session Time (Min.) field, set the value to 600.

F.12.6 Performance of a Component is Slow

The performance of the system or a particular component can be slower than you think it should be.

F.12.6.1 Problem

You need to determine where to add servers or what component should be tuned for performance.

F.12.6.2 Solution

Use the information logs to identify components that are processing a heavier load or are taking a particularly long time to service requests. See "Logging" for details. In particular, you may want to focus on call processing times. See "Logging the Amount of Time to Process Requests" for details.

See Also:

Performance tuning tips in the Oracle Access Manager Deployment Guide

F.12.7 Reports With Non-ASCII Characters Are Not Imported Correctly in Excel

After modifying and exporting object class attributes, a report.csv file is created. In some languages, the report may have encoding problems.

F.12.7.1 Problem

In the Japanese Locale or Simplified Chinese Locale, there are encoding problems due to a Microsoft Excel limitation that cannot process CSV files containing data in UTF-8 encoding.

F.12.7.2 Solution

To process the exported report, complete the process below.

1. Rename report.csv to report.txt.

2. Open report.txt Excel 2003 (Excel 2000 does not support UTF-8 encoding).

3. In the text import wizard, choose encoding as UTF- 8 and comma as the field separator.

4. Click Finish.

F.12.8 Simple Transport Security Mode Expires After One Year

The default value for the validity period of Simple transport security mode certificates is 365 days.

F.12.8.1 Problem

When you configure transport security among Oracle Access Manager components, you can choose between Open, Simple, and Cert modes. By default, Simple mode is only operational for one year.

See Also:

"Changing Transport Security Modes"

F.12.8.2 Solution

You can extend the life of the Simple mode certificate by updating related configuration files for all Identity Servers, WebPass instances, Policy Manager instances, Access Servers, and WebGates, and then using component-related utilities to implement the change:

1. Open the following files:

   component_install_dir/identity/oblix/tools/openssl/openssl.cnf

   component_install_dir/access/oblix/tools/openssl/openssl_silent.cnf

   Where component_install_dir is the directory where the Identity or Access System components are installed. Identity components require openssl.cnf (Identity Server and WebPass instances). Access components require openssl_silent.cnf (Policy Manager instances, Access Servers, and WebGates).

2. In these files, look for the parameter named default_days.

   By default, the value for this parameter is 365 days, as follows:

   default_days = 730 # Duration to certify for
   

3. Extend the life of the certificate by increasing the number of default days. available until expiration. For example, you can increase the life of the certificate to two years as follows:

   default_days = 730 # Duration for the certificate
   

   Note:

   Update both files with the same value for default days.

4. Perform the following tasks to regenerate simple mode certificates with the duration you set in the openssl_silent.cnf and openssl.cnf files and restart the component:

   • Identity Server: Use the setup_ois.exe utility with the -i command and the openssl.cnf file.

     File in IdentityServer_install_dir/oblix/tools/openssl/openssl.cnf

     Run the setup_ois.exe utility on Windows (or start_setup_ois on UNIX):

     IdentityServer_install_dir/oblix/tools/setup/setup_ois -i install_dir
     

   • WebPass: Use setup_webpass.exe with the -i option and the openssl.cnf file.

     File in WebPass_install_dir/oblix/tools/openssl/openssl.cnf

     Run the setup_webpass.exe utility on Windows (or start_setup_webpass on UNIX):

     WebPass_install_dir/oblix/tools/setup/setupWebPass -i  
     c:/OracleAccessManager/identity
     

     For more information about Identity System utilities, see the Oracle Access Manager Identity and Common Administration Guide.

   • Policy Manager: Use the genCert utility with the -i, -m, and -p options and the openssl_silent.cnf file.

     File in PolicyManager_install_dir/oblix/tools/openssl/openssl_silent.cnf

     Run the genCert.exe utility:

     PolicyManager_install_dir/oblix/tools/gencert/gencert -i install_dir
      -m simple -P password
     

   • Access Server: Use configureAAAServer with the -i option and the openssl_silent.cnf file.

     File in AccessServer_install_dir/oblix/tools/openssl/openssl_silent.cnf

     Run configureAAAServer on Windows (or start_configureAAAServer on UNIX):

     AccessServer_install_dir/oblix/tools/configureAAAServer/configureAAAServer 
     -i C:/OracleAccessManager/access
     

   • WebGate: Use configureWebGate with the -i option, the -t option, and the openssl_silent.cnf file.

     File in WebGate_install_dir/oblix/tools/openssl/openssl_silent.cnf

     Run configureWebGate on Windows (or start_configureWebGate on UNIX):

     WebGate_install_dir/oblix/tools/configureAccessGate/configureWebGate 
     -i C:/OracleAccessManager/access -t WebGate
     

     For more information about Access System utilities, see the Oracle Access Manager Access Administration Guide.

F.12.9 Stylesheet Validation Fails

When you create or customize a stylesheet using Presentation XML, the stylesheet has compilation errors.

F.12.9.1 Problem

This problem occurs when you do the following:

1. Open a stylesheet in a text editor or (preferably) an XML editor.

2. Change some parameters in the file and save the changes.

3. Open an Identity application, for example, the User Manager, to see the changes.

Expected result: Changes appear as expected.

Actual result: The Identity System issues a bug report.

F.12.9.2 Solution

This problem can occur for any variety of reasons, but chances are good that there are errors in the way the stylesheet is coded.

Open the XSL file in an Internet Explorer window. If there is an error in the code, the browser shows the line number that contains the error. For more information on Presentation XML, see Oracle Access Manager Customization Guide.

F.12.10 User Creation Might Fail When You Have Multi-byte Charcters in the Password

Problem:

When you create a user with multi-byte charcters in the password using a non-English keyboard, user creation might fail. You might see an error about a directory server password policy violation.

Cause

This problem can occur when you have the 7-bit check plug-in enabled for the "uid" and "userpassword" attributes. In this case, modifying a password for an existing user forces the "7-bit check" for the newly entered password. If the newly entered password contains multi-byte characters, then it does not qualify as "7-bit clean". The product is designed to function in this way.

For example, when creating a workflow, the values are stored under the "obcontainerId=workflowInstances,o=Oblix,o=company,c=us" node. The password value is stored as "obattrvals: <value>" and is encoded as "7-bit clean" . When the Approver approves the workflow, the password value is decrypted and stored under the "userpassword" attribute.

Solution

If you want "7-bit check" to be enabled for workflow steps you need to write your own plug-ins.

Note:

Your directory server might not support the 7-bit check. In any case, you must be able to create a user with multi-byte characters.

If you want a user password (or any other attribute) to contain multi-byte characters, you must disable the "7-bit check" for the specific attribute. The following procedure refers to steps for a Sun (formerly iPlanet) directory server. Your details and steps might be different. See your vendor documentation for more information.

To disable the 7-bit check

1. Log in to your directory server as an administrator.

2. Click your directory server instance under "Server Group".

3. Go to the configuration tab for the directory server instance.

4. Expand the "Plug-ins" node to display the list of plug-ins that are applied to your directory server instances.

5. Click "7-bit check" to display the list of attributes that are acted upon by this plug-in.

6. Remove the required attributes or disable the plug-in entirely, as follows:

   • Remove "obattrvals".

   • Disable the plug-in by clicking the Advanced button and set "nsslapd-pluginenabled" to "off".

F.12.11 WebPass Is Unable to Connect to Its Associated Identity Server

If you have installed a WebPass on IIS 6 and enabled logging, the WebPass may be unable to connect to its associated Identity Server.

F.12.11.1 Problem

This problem occurs when you send logs to an MPFileLogWriter. It does not occur when you send logs to a FileLogWriter.

The problem occurs with the MPFileLogWriter when there is no anonymous user with access to the directory that contains the log files. MPFileLogWriter uses a file namedlogfile name.lck to synchronize multiple processes that write to the corresponding log file. The MPFileLogWriter write-locks the .lck file before writing to the oblog.log file.

F.12.11.2 Solution

Configure an anonymous user with access to the directory that contains the log files. In some circumstances, the user context used to acquire the write-lock is the IIS Anonymous web user. By default, this user is named IUSR_<computer name>, but you can configure any anonymous user for this purpose.

F.13 Error Messages and Recommendations for Handling Them

The following are error messages and troubleshooting tips for handling them.

F.13.1 Cannot Find xenroll.cab Error Is Issued When Using a Workflow

When running a workflow, a user may receive a 404 error that states "Cannot find xenroll.cab."

F.13.1.1 Problem

This problem occurs when a user runs a workflow in an Identity System application, for example:

1. Open the User Manager.

2. View a user profile.

3. Click a Modify button on the profile that invokes an Enroll Certificate Workflow.

In older versions of Oracle Access Manager, the file xenroll.cab was used for certificate enrollment workflows and certificate revocation workflows. However, Oracle has removed support for these workflows. This file is not used anymore.

F.13.1.2 Solution

You can safely remove the references to xenroll.cab from the stylesheet. The following is an example of this reference. See the Oracle Access Manager Customization Guide for details:

<head>
... <object id="cenroll" classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
codebase="/identity/oblix/apps/common/bin/xenroll.cab" />
... <script src="http://km.oraclecorp.com/identity/oblix/apps/common/bin/installCert.vbx" language="VBScript" />
</head>

F.13.2 Enable Failed Error Is Issued When Using a Workflow

The workflow fails when a user runs it.

F.13.2.1 Problem

This problem occurs when a user runs a workflow in an Identity System application, for example:

1. Open the User Manager.

2. View a user profile.

3. Click a Modify button on the profile that invokes a Change Attribute Workflow.

Expected result: The workflow behaves as expected.

Actual result: The user receives an "Enabled failed" error.

F.13.2.2 Solution

There is no definitive solution to this problem, since workflow configuration can fail for a number of reasons. However, a likely candidate is selecting an invalid searchbase during workflow configuration. Delete the searchbase and re-configure the workflow. See "About the Searchbase" for details.

F.13.3 There is No Profile Configured for This Kind of Object" Error Is Issued

You may receive this error when managing administrators in an environment that uses Oracle Internet Directory.

F.13.3.1 Problem

In Oracle Internet Directory, the orcladmin user (dn: cn=orcladmin) can be thought of as a pseudo user with administrative privileges. There is no LDAP entry corresponding to this user in Oracle Internet Directory. This user is part of special groups that are created in Oracle Internet Directory. The Identity Server requires that every user exist as an independent entry in the directory. When these special groups are viewed or modified using Group Manager, you may see the message, "There is no profile configured for this kind of object."

F.13.3.2 Solution

If you have this issue, view and update these special Oracle Internet Directory groups using the Oracle Directory Manager application.

Note that there are some special groups in Oracle Internet Directory that exhibit cyclic behavior. Using Oracle Directory Manager to manage these groups is recommended, not the Group Manager or the Identity Server.

F.13.4 "Warning: Page Has Expired" Error Is Issued

You may receive this error when clicking the Back button after conducting a search in an Identity System application.

F.13.4.1 Problem

By default, Identity System application pages are not cached as a security measure. Caching is disabled to prevent a user from clicking the Back button and seeing what the previously logged-in user was viewing. When caching is turned off, users receive a "page expired" error if they click the Back button from a search results page.

F.13.4.2 Solution

To cache Identity System application pages, set the value of the parameter browserNoCache to false in the following file:

Identity_Server_install_dir/apps/common/bin/globalparams.xml

<SimpleList>
     <NameValPair ParamName="browserNoCache" Value="false"></NameValPair>
</SimpleList>

F.14 Capturing Diagnostic Information

As of Oracle Access Manager 10.1.4.2, the Access Server and Identity Server provide diagnostic tools to help you work with an Oracle Technical Support representative to troubleshoot problems.

These tools are not for day-to-day administration. Their purpose is to help you investigate problems that require assistance from Oracle Technical Support.

The diagnostic tools enable you to do the following:

• Obtain hard-to-locate information about component configuration and behavior.

  For example, to investigate memory consumption or unresponsive servers, you can run diagnostics that provide information on caches and threads. This information can help you work with Oracle Technical Support on pinpointing the cause of the problem.

• Automatically capture events that immediately precede a core dump.

  Oracle Access Manager automatically writes stack traces of these events to the log files. You can send these log files to Oracle for analysis by the Technical Support team.

• Manually capture a stack trace of any event in the Identity or Access System.

  A diagnotic tool enables you to capture ad-hoc stack traces that you can forward to Oracle for analysis by the Technical Support team. For example, you can invoke a stack trace when a server crashes.

The rest of this section discusses the following topics:

• About Oracle Access Manager Diagnostics

• Collecting Diagnostic Data

• Interpreting Diagnostic Output

• Automatically Writing Stack Traces to a Log File After a Core Dump

• Manually Requesting a Stack Trace

F.14.1 About Oracle Access Manager Diagnostics

You should only collect diagnostic data to analyze serious problems. In general, you would only run diagnostics when working with a Technical Support representative.

The diagnostic tools are installed with the Access Server and the Identity Server. The diagnostics can focus on caches and threads. The diagnostic tool displays the returned data on-screen and saves the data in a file.

As a best practice, you should run the same diagnostics a few times to determine if a problem is temporary or persistent. For example, you can compare diagnotic output to see if memory or cache size is increasing.

F.14.2 Collecting Diagnostic Data

The following tools enable you to collect diagnostic data for the respective component (Access Server or Identity Server):

• The tool aaa_mon.exe enables you to collect diagnostic data for the Access System.

• The tool ois_mon.exe enables you to collect diagnostic data for the Identity System.

The following procedures describe how to use these tools. In the following procedures, a vertical bar ("|") represents a choice of options. For instance, in the install_dir path name, the choice would be either "access" or "identity" or might refer to a specific tool name; in the transport security mode it would be a choice of either "open", or "simple:, or "cert".

Note:

Running the diagnostic tool produces overhead and can affect system performance. The more detail you request when running a diagnostic tool, the more memory is consumed.

For this reason, do not request detailed diagnostics for cache queries.

To view a list of supported diagnostic operations

1. Navigate to the following Access Server or Identity Server directory:

   install_dir\identity|access\oblix\tools\ois_mon|aaa_mon

   Where install_dir is the directory where the Identity Server or Access Server is installed.

2. Issue the following command:

   aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir -m mode open|simple|cert -o optype=GetListofSupportedOperations
   

   Where:

   • Server is the name of the host computer where you want to collect the information.

   • Port is the listen port for the host.

   • Install_dir is the installation directory for the component being diagnosed.

   • On the -m parameter, specify open, simple, or cert for the transport security mode.

     See "Changing Transport Security Modes" for details. If you specify cert you must also specify the following parameter:

     -c path_for_certs
     

     Where path_for_certs is the fully qualified path to the certificate files.

To retrieve the name of a diagnostic object

1. Navigate to the following directory:

   install_dir\identity|access\oblix\tools\ois_mon|aaa_mon

   Where install_dir is the directory where the Identity Server or Access Server is installed.

2. To retrieve the names of all objects of a particular type, issue the following command, using one of the options separated by a vertical bar:

   aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir -m open|simple|cert 
   -o optype=GetDiagnosticInformation,object=cache|thread,mode=list
   

   Where:

   • Server is the name of the host computer where you want to collect the information.

   • Port is the listen port for the host.

   • Install_dir is the installation directory for the component being diagnosed.

   • On the -m parameter, specify open, simple, or cert for the transport security mode.

     See "Changing Transport Security Modes" for details. If you specify cert you must also specify the following parameter:

     -c path_for_certs
     

     Where path_for_certs is the fully qualified path to the certificate files.

   • The object parameter limits the results to a particular object type.

     By default, information is fetched for all diagnosable objects. The following are possible values:

     • cache: A cache can hold copies of recently accessed data in memory. A cache can also store data on disk to prevent the program from having to download the same information from the internet. Also see Table F-1 and Table F-2 for a list of cache names and a brief description of each cache.

     • thread: A program can split itself into two or more simultaneously running threads that run concurrently, each performing a different job.

To collect diagnostic information for a particular object

1. Navigate to the appropriate tool in the following directory path:

   install_dir\identity|access\oblix\tools\ois_mon|aaa_mon

   Where install_dir is the directory where the Identity Server or Access Server is installed.

2. Issue the following command:

   aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir 
   -m open|simple|cert -o optype=GetDiagnosticInformation[, object=cache|thread, mode=brief|detail|list|usage, name=name]
   

   Where:

   • Server is the name of the host computer where you want to collect the information.

   • Port is the listen port for the host.

   • Install_dir is the installation directory for the component being diagnosed.

   • On the -m parameter, specify open, simple, or cert for the transport security mode.

     See "Changing Transport Security Modes" for details. If you specify cert you must also specify the following parameter:

     -c path_for_certs
     

     Where path_for_certs is the fully qualified path to the certificate files.

   • The optional object parameter for GetDiagnosticInformation limits the results to a particular object type.

     By default, information is fetched for all diagnosable objects. The following are possible values:

     • cache: A cache can hold copies of recently accessed data in memory. A cache can also store data on disk to prevent the program from having to download the same information from the internet.

     • thread: A program can split itself into two or more simultaneously running threads that run concurrently, each performing a different job.

   • The optional mode parameter for GetDiagnosticInformation determines the amount and type of detail returned.

     The following are possible values:

     • brief: Prints a summary of the diagnosable objects on the screen.

     • detail: Writes the current values of all diagnosable objects of the specified type to a file in the following directory:

       install_dir\identity|access\oblix\tools\ois_mon|aaa_mon\OISDiag_datetime|AAADiag_datetime

       Where install_dir is the directory where the Identity Server or Access Server is installed and datetime is the date and time when the file was created.

       Do not specify detail mode for caches.

     • list: Shows a list of all diagnosable objects of the specified type.

     • usage: Displays help text for the diagnostics tool.

   • The optional name parameter for GetDiagnosticInformation limits the command output to a particular object.

F.14.3 Interpreting Diagnostic Output

You should only attempt to interpret diagnostic output when working with a Technical Support Representative. This section provides simple guidelines for how to read the diagnostic XML output file.

This section discusses the following topics:

• Interpreting Diagnotic Output When the list Parameter Is Used

• Interpreting Diagnostic Output When the detail Parameter Is Used

• Interpreting the Diagnostic Data for Caches

F.14.3.1 Interpreting Diagnotic Output When the list Parameter Is Used

When you use the list parameter on a diagnostic command, the output is written to the screen and to the log file. The most important information is returned in the name element of the output file. Also see Table F-1 and Table F-2 for a list of cache names and a brief description of each cache.

The following command exerpt uses list mode to retrieve a list of cache names:

-o optype=GetDiagnosticInformation,mode=list,object=cache

Example F-1 shows output for the following diagnostic command excerpt.

Example F-1 Sample Output for a Diagnostic Command That Used list Mode

<?xml version="1.0" encoding="utf-8"?>
<DiagnosticReport>
    <Command>
        <CommandArg
            name="optype">
            <Value>GetDiagnosticInformation</Value>
        </CommandArg>
        <CommandArg
            name="mode">
            <Value>list</Value>
        </CommandArg>
        <CommandArg
            name="object">
            <Value>cache</Value>
        </CommandArg>
    </Command>
    <CommandOutput>
        <Objects>
            <Object
                type="cache">
                <Name>UidInfoCache</Name>
                <Name>PersonOOOIndicatorCache</Name>
                <Name>AuditCache</Name>
                <Name>AuditUserCache</Name>
                <Name>AuditMasterAuditPolicyCache</Name>
                <Name>AuditServerInfoCache</Name>
                <Name>WfDefCache</Name>
                <Name>WfDefSetCache</Name>
                <Name>xsllib_stylesheet</Name>
                <Name>PortalIdCache</Name>
            </Object>
        </Objects>
    </CommandOutput>
</DiagnosticReport>

F.14.3.2 Interpreting Diagnostic Output When the detail Parameter Is Used

When you use the detail parameter on the command to get diagnostic information, the output file contains information on the values set for the object, its current state, and multiple data points about its performance. Items of interest in the output file depend on the type of object. For example, with a cache object, you may be interested in the cache size and if the cache has been flushed.

In general, you should walk through detailed output with a support representative, who can interpret the meaning of the diagnostic.

Example F-2 shows the generic structure of an xml file that is generated using the list parameter:

Example F-2 Generic XML Output for a Diagnostic Using mode=detail or mode=brief

<?xml version="1.0" encoding="utf-8"?>
<DiagnosticReport>
  <Command type=CommandType1>
    <CommandArg name=Arg1>
      <Value>ArgValue1</Value>    
    </CommandArg>
    <CommandArg name=Arg2>
      <Value>ArgValue2-1</Value>
      <Value>ArgValue2-2</Value>
    </CommandArg>
  </Command>
  <CommandOutput>
    <Objects>
      <Object type=ObjectType1 name=ObjectName1>
        <Attribute name=Attribute1>
          <Value>Value1</Value> 
        </Attribute>
        <Attribute name=Arribute2>
          <Value> Value2-1</Value> 
          <Value> Value2-2</Value> 
          -----
        </Attribute>
      </Object>
      <Object type=ObjectType2 name=ObjectName2>
        <Attribute name=Attribute3>
          <Value>Value3</Value> 
        </Attribute>
        -----
        -----
      </Object>
      -----
      -----
    </Objects>
  <CommandOutput>
</DiagnosticReport>

For example, the following is a command excerpt for generating detailed diagnostic data:

. . . -o optype=GetDiagnosticInformation,mode=detail,object=cache,name=XSLXDKCache

The previous command excerpt produces the output in Example F-3:

Example F-3 Output for a Diagnostic Command Using mode=detail

<?xml version="1.0" encoding="utf-8" ?> 
<DiagnosticReport>
  <Command>
    <CommandArg name="optype">
      <Value>GetDiagnosticInformation</Value> 
    </CommandArg>
    <CommandArg name="mode">
      <Value>detail</Value> 
    </CommandArg>
    <CommandArg name="object">
      <Value>cache</Value> 
    </CommandArg>
    <CommandArg name="name">
      <Value>XSLXDKCache</Value> 
    </CommandArg>
  </Command>
  <CommandOutput>
    <Objects>
      <Object type="cache" name="XSLXDKCache">
        <Attribute name="state">
          <Value>active</Value> 
        </Attribute>
        <Attribute name="Maximum Elements">
          <Value>200</Value> 
        </Attribute>
        <Attribute name="Current Elements">
          <Value>11</Value> 
        </Attribute>
        <Attribute name="Timeout">
          <Value>0</Value> 
        </Attribute>
        <Attribute name="Hit Count">
          <Value>4</Value> 
        </Attribute>
        <Attribute name="Miss Count">
          <Value>11</Value> 
        </Attribute>
        <Attribute name="Expire Count">
          <Value>0</Value> 
        </Attribute>
        <Attribute name="Flush Count">
          <Value>0</Value> 
        </Attribute>
        <Attribute name="Memory footprint">
         <Value>945008</Value> 
        </Attribute>
        <Attribute name="keys">
          <Value>../../../lang/en-us/style0/predefinedreports.xsl</Value> 
          <Value>../../../lang/en-us/style0/reports.xsl</Value> 
          <Value>../../../lang/en-us/style0/usc_admin_main.xsl</Value> 
          <Value>../../../lang/en-us/style0/admin_wf_definition.xsl</Value> 
          <Value>../../../lang/en-us/style0/wf_quickstart_report.xsl</Value> 
          <Value>../../../lang/en-us/style0/reportresults.xsl</Value> 
          <Value>../../../lang/en-us/style0/usc_searchresults.xsl</Value> 
          <Value>../../../lang/en-us/style0/usc_profile.xsl</Value> 
          <Value>../../../lang/en-us/style0/login.xsl</Value> 
          <Value>../../../lang/en-us/style0/qbmodify.xsl</Value> 
          <Value>../../../lang/en-us/style0/wf_quickstart.xsl</Value> 
        </Attribute>
      </Object>
    </Objects>
  </CommandOutput>
</DiagnosticReport>

F.14.3.3 Interpreting the Diagnostic Data for Caches

An Oracle Technical Support representative can help you interpret diagnostic data. If you are running diagnostics for a cache, Table F-1 and Table F-2 can help you understand the diagnostic output.

Table F-1 Identity System Cache Names and Descriptions

Cache Name	Description
UidInfoCache	Stores information on the structural object class for each user
PersonOOOIndicatorCache	Caches the out-of-office indicator of each user.
WfDefCache	This is a cache of all workflow definitions.
WfDefSetCache	This is a cache of all workflow definition of a particular type, for example, the create user type of workflow.
xsllib_stylesheet	This is not used in production environment.
PortalIdCache	This is not used in production environment.
AuditCache	This is a cache of the auditing configuration information for the server.
AuditUserCache	This is a cache of the User Manager audit policy.
AuditMasterAuditPolicy Cache	This is a cache of the master audit policy.
XMLStructureCache	This is a cache of the internal XML data structure that represents each page rendered on the browser.
XSLXDKCache	This cache contains the compiled form of each stylesheet (XSL) used in the Identity system.

Table F-2 Access System Cache Names and Descriptions

Cache Name	Description
UserAccessCache	Used during the authorization phase of evaluation. Holds a hash table of rules and groups that the user satisfies.
AAASyncRequestCache	Used to maintain cache coherency in the Access System and to provide updates to Access clients.
AAAUserCache	Holds list of user profile attributes. Used in the Authenticate, IsAuthorized and Audit Event phases of request evaluation.
AAAUserCredCache	Holds user passwords. Used in the authentication phase of request evaluation to validate passwords.
AuditPolicyCache	Used during processing of an IsResrcProtected event to retrieve the audit mask. Also used during an audit event. Stores audit policies.
AuthentPluginCache	A wrapper for a custom authentication plug-in. Used during authentication.
AuthentSchemeCache	Used during processing of an IsResrcProtected event and the authentication phase of a resource request. Stores authentication scheme details.
AuthzDSOCache	A wrapper for a custom authorization plug-in. Used when processing IsAuthorized events.
AuthzRuleCache	Used when processing an IsAuthorized event to evaluate a user's permissions to access a resource and get action information. Stores policy details.
AuthzSchemeCache	Holds custom authorization scheme information. Used in processing an IsAuthorized event.
ClientConfigCache	Used when processing UpdateConfiguration requests from Access clients.
DomainPasswdPolicyID Mapper	Holds password policy IDs. Used when processing Authenticate events to retrieve password policy information.
GrpQueryCache	Holds a list of groups that the user belongs to. Used during evaluation of ObMyGroups.
HostIdHashString	Used when processing an IsResrcProtected event to find the matching policy. Stores host identifiers.
LPMPolicyCache	Used during the authenticate phase of evaluation to retrieve Lost Password Management policy information.
PSCGrpDefnCache	Holds nested groups and rules for dynamic groups.
PSCUid2OcCache	Used in the authorization phase of evaluation. Contains a hash table of rules and groups that the user satisfies.
PasswdPolicyCache	Used in the authentication phase of evaluation to retrieve password policy information.
PasswdPolicyUserCache	Used in the authentication phase of evaluation to retrieve password policy information.
PolicyCache	Used during the IsAuthorized phase of processing to evaluate access to a resource for user and retrieve action information. Stores policy rules.
SDCache	Used during the IsResrcProtected phase to find the matching policy and authentication scheme. Stores site domain objects.
SessionTokenCache	Stores the decrypted session token. Reduces overhead for decrypting the session token.
URLPrefixCache	Used to find which policy domain the resource maps to. Stores policy domain IDs.
WRORCache	Used when processing an IsResrcProtected event to find the authentication challenge scheme and authentication specifics. Stores authentication scheme details.
jobstatuscache	Holds the status of reporting jobs.

F.14.4 Automatically Writing Stack Traces to a Log File After a Core Dump

If Oracle Access Manager experiences a core dump, you can write a stack trace of the core dump to a log file. The stack trace lists the functions that were called immediately before the dump. The information in the trace can help with troubleshooting. For example, a stack trace can show if a thread has been mired in a process and is not receiving a response from a directory server, or if a message reader thread is alive.

You must enable logging if you want stack traces to be written to a log file. Any logging level is permitted when writing a stack trace. See "Logging" for details.

You can send the log file that contains the stack trace to Oracle Technical Support to help with diagnosing the core dump. The first three entries of the stack trace are always the same. These entries belong to the stack trace functionality. The fourth entry is the function that failed in the case of a core dump, or it was the last function that was executed by the thread at the time that you initiated the stack trace.

This information should only be interpreted by an Oracle Technical Support representative.

For more information, see the following topics:

• Enabling or Disabling a Stack Trace When Persuing Diagnostic Issues or Recreating Crashes

• Manually Requesting a Stack Trace

F.14.5 Enabling or Disabling a Stack Trace When Persuing Diagnostic Issues or Recreating Crashes

If Oracle Access Manager experiences a core dump in the Access Server or the Identity Server, you can write a stack trace to a log file. However, writing the stack trace might prevent the core dump from being written. You might need to disable the StackDumpEnabled parameter in globalparams.xml when pursuing diagnostic issues or when instructed by Oracle Support to re-create a core dump scenario.Here are the values:

• 0: Disable the function.

• 1: Default value enables the function to write a stack trace to the log file if Oracle Access Manager experiences a core dump on Access Server or Identity Server

• 2: To manually request a stack trace, you must set the value of StackDumpEnabled to 2. For more information, see the following topic, "Manually Requesting a Stack Trace".

The following procedure describes how to properly set the StackDumpEnabled parameter value for the action you want to take. Perform only relevant steps.

Note:

A value of "0" or "2" are valid when attempting to collect core files. However, a value of"1" conflicts with core file generation.

To set the value of StackDumpEnabled

1. Locate the globalparams.xml file in the appropriate path for the Identity Server or Access Server:

   install_dir/access|identity/oblix/apps/common/bin/globalparams.xml
   

2. Disable Stack Trace: Locate StackDumpEnabled and set the value to 0.

   <SimpleList>
        <NameValPair ParamName="StackDumpEnabled" Value="0"></NameValPair>
   </SimpleList>
   

3. Enable Stack Trace: Locate StackDumpEnabled and validate that the value is set to 1.

   <SimpleList>
        <NameValPair ParamName="StackDumpEnabled" Value="1"></NameValPair>
   </SimpleList>
   

4. Manually Request a Stack Trace: Locate StackDumpEnabled and set the value to 2.

   <SimpleList>
        <NameValPair ParamName="StackDumpEnabled" Value="2"></NameValPair>
   </SimpleList>
   

5. Save the file.

6. Proceed to "Manually Requesting a Stack Trace".

F.14.6 Manually Requesting a Stack Trace

The following procedure describes how to manually request a stack trace while running the Access Server or identity Server.

Note:

In certain circumstances, Oracle recommends that you first follow the steps in the previous topic, "Enabling or Disabling a Stack Trace When Persuing Diagnostic Issues or Recreating Crashes".

To manually request a stack trace

1. Navigate to the appropriate tool in the following path:

   install_dir\identity|access\oblix\tools\ois_mon|aaa_mon

   Where install_dir is the directory where the Identity Server or Access Server is installed.

2. Issue the following command:

   aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir -m open|simple|cert -o optype=GenerateStackTrace
   

   Where a vertical bar ("|") represents a choice of commands, server is the name of the host computer where you want to collect the information, port is the listen port for the host, and install_dir is the installation directory for the component being diagnosed.

   On the -m parameter, specify open, simple, or cert for the transport security mode. See "Changing Transport Security Modes" for details. If you specify cert you must also specify the following parameter:

   -c path_for_certs
   

   Where path_for_certs is the fully qualified path to the certificate files.

3. To view the results, open the log file for the server where the trace was run.

   See "Logging" for details.

F.15 Need More Help?

You can find more solutions on Oracle Support (formerly MetaLink), http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.