Oracle® Access Manager Identity and Common Administration Guide 10g (10.1.4.3) Part Number E12489-01
This appendix explains typical problems that you could encounter while running or restarting Oracle Access Manager and components. It contains these sections:
Enabling Case-Comparisons For Challenge and Response Attributes for LPM
Identity Server Logs Indicate that User Data Has Been Tampered With
Problem
The Access Server profile has the debug flag turned on. When the Access Server debug log reaches 2 GB in size, the Access Server stops and cannot be restarted.
Cause
If the Access Server debug option is used, the Access Server does not recycle (rotate) the debug log file. On some operating systems, the log file can grow to a size at which debug logging no longer succeeds. At this point, the Access Server might not function.
Solution
Either remove the debug log file or disable the debug flag in the Access Server profile.
Use debug logging only when diagnosing connection issues between the Access Server and WebGate. For longer-term logging, Oracle recommends trace-level logging rather than debug logging. For more information, see Chapter 10, "Logging".
Problem
Certain Identity System functions, for example, Query Builder or Derived Attributes, might not seem to work as expected. For instance, suppose you are using Group Manager, Modify Group, Build Filter. In the Query Builder, a query based on "car license" or "Department Number" might not seem to work as expected even though you have valid data for these attributes and expect the filter to show those users.
Cause
All attributes must be indexed (also known as cataloged) in the directory server used by Oracle Access Manager. Some attributes might need to be cataloged manually.
Solution
Confirm that the attribute is indexed and cataloged in the directory server. If it is not, manually index and catalog the attribute.
The steps to create a user identity depend on how the administrator defined the Create User workflow.
Problem
Clicking the Create User Identity tab in the User Manager results in a message saying that you do not have enough access rights.
Cause
If there is no Create User workflow defined, even an administrator can see a message saying they do not have enough access rights after clicking the Create User Identity tab.
Solution
Develop and enable a Create User workflow. For more information, see the following topics:
This section describes common problems and solutions for the directory and database. It contains the following topics:
Problem Setting up SSL Between the Identity Server and Active Directory
Error Message to Check if the Directory Server is Running or Responding
Active Directory: Adding Members Causes the Group Size to Shrink
When configuring SSL between the Identity Server and Active Directory, the Identity Server crashes.
Problem
Active Directory uses the Lightweight Directory Access Protocol (LDAP) for read and write operations. By default, LDAP traffic is sent in the clear over an open channel. You can enable a secure version of LDAP (LDAPS) using Secure Sockets Layer (SSL)/Transport Layer Security (TLS).
If you have not configured SSL, or if there is a problem with the configuration, the Identity Server crashes when establishing an SSL connection with an LDAPS-enabled Active Directory Server. The Event Viewer application log produces a report similar to the following:
Faulting application ois_server.exe, version 0.0.0.0, faulting module NSLDAPSSL32V41.dll, version 16512.0.0.10521, fault address 0x0004d3cd.
Solution
Install a valid certificate on a domain controller that enables the LDAP service to listen for, and automatically accept, SSL connections for LDAP and global catalog traffic.
For the component to establish an SSL connection to an LDAPS-enabled Active Directory server, the server certificate must contain the fully qualified domain name of the Active Directory domain controller, for example, server.domain.com. This information must appear in the Common Name (CN) of the Subject field.
After receiving the client certificate, the LDAP server determines whether the CA that issued the certificate is trusted. If the CA is trusted, the server uses the subject name in the certificate to determine whether the client has access rights to perform the requested operation.
During normal operations, you can receive an error indicating that the directory server may not be operational.
Problem
The Access Server or Policy Manager may issue one of the following error messages:
"Please verify that the Directory Server is running."
"Please verify that the Directory Server is responding."
These error messages are generated when the Oracle Access Manager component does not receive a response from the directory server within a user-configurable amount of time.
Solution
The following are possible solutions to the problem:
Check the value for the LDAPOperationTimeout parameter in globalparams.xml.
This parameter enables the Oracle Access Manager component to fail over to a secondary directory server when the primary one takes too long to respond. See the appendix on parameter files in the Oracle Access Manager Customization Guide for details.
Ensure that failover has been configured for this directory server.
See the information on configuring directory server profiles in the Oracle Access Manager Identity and Common Administration Guide. Also see the chapter on failover in the Oracle Access Manager Deployment Guide.
You might need to apply patches for access control and searchbase support on Novell eDirectory.
When conducting searches using Novell eDirectory 8.7.3, attribute access controls and searchbase filters do not work as expected. For example, using eDirectory 8.7.3, you can configure filters to return only the organizational units (OUs) below the top node of the DIT, as follows:
(&(objectclass=*)(!(|(objectclass=oblixconfig)(objectclass=oblixlocation)(objectclass=genSiteOrgPerson)(objectclass=genSiteGroup)))(objectclass=*))
However, these searches return information that you were trying to exclude. For example, users may be returned.
To work around this issue, apply the eDirectory patch 8.7.3.7. See the following URLs for details:
http://support.novell.com/servlet/downloadfile?file=/uns/ftf/edir8737ftf_1.exe
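As an added illustration (this is not code from the Oracle documentation or from Novell), the following Python evaluator implements the subset of LDAP search-filter syntax that the filter above uses: equality, the "=*" presence test, and the &, |, ! combinators. Running the filter over a constructed subtree shows which entries a correctly behaving directory should return, which gives a known-good answer to compare against the results of a server you suspect of the eDirectory 8.7.3 behaviour. The sample entries, DNs and object classes other than those named in the filter are constructed for this example.

```python
# Added example, not from the Oracle documentation: a small evaluator for the
# subset of RFC 4515 search-filter syntax used by the filter above (equality,
# the "=*" presence test, and the &, |, ! combinators).  Values containing
# ")" or escaped characters are not supported.

FILTER = ("(&(objectclass=*)(!(|(objectclass=oblixconfig)(objectclass=oblixlocation)"
          "(objectclass=genSiteOrgPerson)(objectclass=genSiteGroup)))(objectclass=*))")


def parse_filter(text):
    """Parse a filter into a tree of ('&'|'|'|'!', children) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            if not children:
                raise ValueError("'%s' needs at least one operand" % op)
            result = (op, children)
        else:
            end = text.index(")", pos)          # ValueError if no closing paren
            attr, sep, value = text[pos:end].partition("=")
            if not attr or not sep:
                raise ValueError("only attribute=value items are supported")
            result = ("=", attr.lower(), value)  # attribute names are case-insensitive
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict: lower-case attr -> list of values)."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                     # presence test
        return bool(values)
    # objectClass values use a case-insensitive matching rule
    return any(v.lower() == value.lower() for v in values)


def search(filter_text, entries):
    """Return the DNs a correctly behaving server should return for the filter."""
    tree = parse_filter(filter_text)
    return [dn for dn, attrs in entries if matches(tree, attrs)]


# Constructed sample subtree: two OUs, one user, one group and one config object.
SAMPLE_ENTRIES = [
    ("ou=People,o=Company", {"objectclass": ["top", "organizationalUnit"]}),
    ("ou=Groups,o=Company", {"objectclass": ["top", "organizationalUnit"]}),
    ("cn=jdoe,ou=People,o=Company", {"objectclass": ["top", "inetOrgPerson", "genSiteOrgPerson"]}),
    ("cn=admins,ou=Groups,o=Company", {"objectclass": ["top", "groupOfNames", "genSiteGroup"]}),
    ("cn=cfg,o=Company", {"objectclass": ["top", "oblixconfig"]}),
]

if __name__ == "__main__":
    # Only the two OUs should come back; users, groups and config objects are excluded.
    for dn in search(FILTER, SAMPLE_ENTRIES):
        print(dn)
```

If a directory returns the user or group entries for this filter, the server is not honouring the negated clause, which is the symptom the text describes.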
When saving a directory server profile for use by Identity System and Access System components, you may receive an error similar to the following: "Unable to save the Directory Server Profile. The applications require a Directory Server Profile to access Policy base with search, modify, and delete operations to function properly. This Directory Server Profile cannot load balance between its servers as well."
When you install the Access System (at least the Policy Manager), you are asked to identify a location in the directory for policy information. This branch in the directory may or may not be the same as the branch where the Identity System configuration data is stored. Also during Policy Manager installation, a directory profile is created that provides the Identity Servers rights over the policy branch. The Identity Servers require the ability to search, modify and delete objects in the Access System's policy branch to ensure referential integrity between the Identity and Access Systems. For example, suppose that you allow a user access to a particular resource in the Allow Access page of a policy in the Access System. If you delete the user from the Identity System, referential integrity ensures that the user is also deleted from the policies in the Access System.
If there is no directory profile that provides referential integrity between the Identity and Access Systems, you receive the "Unable to save..." error. If you receive this message, you have probably deleted or edited this profile.
Adding users to static groups works properly only up to a point.
Problem
Continuing to add members to static groups causes the group size to shrink.
Solution
Change the value for the parameter maxForRangedMemberRetrieval in globalparams.xml to a number higher than the desired group membership size:
If you are using Active Directory on Windows 2003, set the parameter maxForRangedMemberRetrieval in globalparams.xml to 1500.
If you are using Active Directory on Windows 2000, set it to 1000.
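The values above correspond to the largest slice of a multi-valued attribute that a domain controller returns per request (MaxValRange: 1000 on Windows 2000, 1500 on Windows 2003). The following Python simulation is an added example, not Oracle's or Microsoft's code, of Active Directory ranged retrieval: a client asks for member;range=low-high, the server answers with the slice it actually served, labelled member;range=low-high, and marks the final slice member;range=low-*. The FakeDomainController class, the fetch functions and the sample group are constructed here; the point is that a client has to advance by what the server returned rather than by the size it asked for, otherwise a large group appears to have fewer members than it really has.

```python
# Added example, not from the Oracle documentation: simulation of Active
# Directory ranged retrieval of the "member" attribute.  The server never
# returns more than max_val_range values per request (the MaxValRange figures
# the text gives: 1000 on Windows 2000, 1500 on Windows 2003).

import re

RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$")


class FakeDomainController:
    """Serves one group's member list the way a DC does, honouring MaxValRange."""

    def __init__(self, members, max_val_range):
        self.members = list(members)
        self.max_val_range = max_val_range

    def read_member_range(self, low, high):
        """Answer a request for member;range=low-high (high may be '*')."""
        total = len(self.members)
        if low >= total:
            return {}                              # nothing left: attribute not returned
        want = total if high == "*" else high + 1
        end = min(want, low + self.max_val_range, total)
        if end == total:
            label = "member;range=%d-*" % low      # '*' marks the last slice
        else:
            label = "member;range=%d-%d" % (low, end - 1)
        return {label: self.members[low:end]}


def fetch_all_members(dc, page_size):
    """Walk the ranges until the server signals the last slice with '*'.

    page_size plays the role of the client's preferred range width.  The loop
    advances by what the server actually returned, so it stays correct even
    when page_size is larger than the server's MaxValRange.
    """
    members = []
    low = 0
    while True:
        response = dc.read_member_range(low, low + page_size - 1)
        if not response:
            break
        label, values = next(iter(response.items()))
        m = RANGE_RE.match(label)
        if not m or int(m.group(1)) != low:
            raise ValueError("unexpected range label %r" % label)
        members.extend(values)
        if m.group(2) == "*":
            break
        low = int(m.group(2)) + 1
    return members


def fetch_first_slice_only(dc, page_size):
    """A client that trusts its own page size and reads one slice: it sees at
    most MaxValRange members however large the group really is."""
    response = dc.read_member_range(0, page_size - 1)
    return next(iter(response.values()), [])


# Constructed group with 3700 members, more than either MaxValRange value.
SAMPLE_GROUP = ["CN=user%05d,OU=People,DC=example,DC=com" % i for i in range(3700)]

if __name__ == "__main__":
    dc = FakeDomainController(SAMPLE_GROUP, max_val_range=1500)
    print(len(fetch_all_members(dc, 1500)))       # 3700
    print(len(fetch_first_slice_only(dc, 5000)))  # 1500
```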
When using Active Directory, you can use the Identity System Console to change the directory profile for user data from ADSI to LDAP or LDAP to ADSI. However, you cannot do this for configuration or policy data.
When you attempt to change the directory profile for policy or configuration data from the Identity System Console, you get an error. For example, suppose that you store user data in an Active Directory forest using LDAP, and you store configuration and policy data in a different Active Directory forest using ADSI. If you use the Identity System Console to change the ADSI flag in the configuration data database profile to LDAP, after restarting the Oracle Access Manager servers and services, the ADSI flag remains enabled and the following message appears:
"ADSI can be enabled for either user or configuration DB Profile if they are in a separate forest. ADSI Cannot be Enabled for this DB Profile."
Any attempts to modify the directory profile for configuration or policy data to ADSI produces an error because Oracle Access Manager recognizes the profile as ADSI-enabled.
To modify the directory profile for configuration and policy data, rerun the setup program. See "Rerunning Setup Manually" for details.
In the Identity System Console, when you attempt to save a new database instance for an RDBMS profile you may receive a "Database Validation failed" message.
This problem occurs when creating an RDBMS profile, as described in "Managing RDBMS Profiles". Usually, the problem arises because of an incorrect value for the SQLDBType parameter in the following file:
component_install_dir/identity/apps/common/bin/globalparams.xml
Where component_install_dir is the location where the Identity Server was installed.
Problem
When configuring the challenge and response attributes for lost password management, the "response" attribute is set to Case-Insensitive; however, when you enter the response, the comparison is case sensitive.
Solution
To make case comparisons configurable for lost password management, a new parameter, isLPMResponseCaseSensitive, can be added to the Identity Server globalparams.xml file. This parameter directs Oracle Access Manager behavior as follows:
true: The default value when the parameter is not in the globalparams.xml file. A value of true (or no parameter) triggers case sensitive comparisons of the LPM response.
false: Enter this value when the parameter is present and you want to disable case sensitive comparisons of the LPM response.
To enable or disable case comparisons
Locate the Identity Server globalparams.xml file, as follows:
IdentityServer_install_dir/identity/oblix/apps/common/bin/
Disable case sensitive comparisons for LPM responses:
<SimpleList> <NameValPair ParamName="isLPMResponseCaseSensitive" Value="false"></NameValPair> </SimpleList>
Enable case sensitive comparisons for LPM responses:
<SimpleList> <NameValPair ParamName="isLPMResponseCaseSensitive" Value="true"></NameValPair> </SimpleList>
Restart the Identity Server.
Repeat for each Identity Server in your deployment.
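Because the default applies whenever the parameter is absent, it is easy to believe a server is case-insensitive when it is not. The following Python check is an added example, not part of the Oracle documentation: it reads the NameValPair layout shown above from a globalparams.xml document, resolves the effective setting (true when the parameter is missing), and compares a stored and a typed response under that setting. The sample configurations are constructed; the assumption that any value other than false keeps comparisons case sensitive is this example's, not a documented rule.

```python
# Added example, not from the Oracle documentation: resolve the effective
# isLPMResponseCaseSensitive value from globalparams.xml and compare a
# lost-password response accordingly.

import xml.etree.ElementTree as ET


def read_param(xml_text, name):
    """Return the Value of the NameValPair called name, or None if absent."""
    root = ET.fromstring(xml_text)
    for pair in root.iter("NameValPair"):
        if pair.get("ParamName") == name:
            return pair.get("Value")
    return None


def lpm_response_case_sensitive(xml_text):
    """True when the parameter is absent (the documented default) or set to
    anything other than false; False only when it is present with value false
    (treating other spellings as true is an assumption of this example)."""
    value = read_param(xml_text, "isLPMResponseCaseSensitive")
    if value is None:
        return True
    return value.strip().lower() != "false"


def responses_match(stored, typed, xml_text):
    """Compare the stored LPM response with the one the user typed."""
    if lpm_response_case_sensitive(xml_text):
        return stored == typed
    return stored.casefold() == typed.casefold()


# Constructed sample documents (the real file has more entries around these).
CASE_INSENSITIVE_CFG = """<SimpleList>
  <NameValPair ParamName="isLPMResponseCaseSensitive" Value="false"></NameValPair>
</SimpleList>"""

CASE_SENSITIVE_CFG = """<SimpleList>
  <NameValPair ParamName="isLPMResponseCaseSensitive" Value="true"></NameValPair>
</SimpleList>"""

ABSENT_CFG = """<SimpleList>
  <NameValPair ParamName="someOtherParam" Value="x"></NameValPair>
</SimpleList>"""

if __name__ == "__main__":
    for label, cfg in (("false", CASE_INSENSITIVE_CFG), ("true", CASE_SENSITIVE_CFG), ("absent", ABSENT_CFG)):
        print(label, "case sensitive:", lpm_response_case_sensitive(cfg),
              "'Rover' vs 'rover' match:", responses_match("Rover", "rover", cfg))
```

Run the check against the globalparams.xml of every Identity Server, since each server reads its own copy and a server without the parameter silently falls back to case-sensitive comparison.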
Ignore this topic if you have a fresh installation of Oracle Access Manager 10g (10.1.4.3), which includes the latest changes to basic.xsl and misc.js. You have no previous customizations to update and need not perform any of the steps here.
Problem
An error might occur when a user attempts to reset the lost password management challenge or response phrase in their own user profile. For instance, when changing the Challenge or Response using a Selection box in a Panel, an unexpected error could appear:
Challenge phrase is blank. Provide values for all challenge phrases.
Note:
The LPM function does not require the Challenge and Response attributes to be modified simultaneously. For example, a delegated administrator might be allowed to set Challenge questions for a user, but not the responses. No error occurs if you change the Challenge phrase without changing the Response phrase.
Solution
To help resolve this issue, Oracle Access Manager bundle patch 10.1.4.2-BP04 delivered changes to basic.xsl and misc.js. The updated basic.xsl (a typical wrapper stylesheet) and misc.js (a system-level file used by many stylesheets) need to be introduced in your deployment.
The updated basic.xsl and misc.js files are available in a separate zip file with this bundle patch to avoid possible overwriting of any customizations that may have been done to these files in your environment.
The basic.xsl that is delivered in bundle patch 10.1.4.2-BP04 should replace the earlier version that resides in IdentityServer_install_dir\identity\oblix\lang\shared and WebPass_install_dir\identity\oblix\lang\shared. If your environment includes a custom-style directory, you must update your customized version of basic.xsl to include the changes delivered with this new basic.xsl file.
The misc.js file delivered with bundle patch 10.1.4.2-BP04 should replace the earlier version that resides in WebPass_install_dir\identity\oblix\lang\shared.
Note:
Oracle recommends that you retain Oracle-delivered stylesheets as is, and use Oracle guidelines to copy stylesheets to a new directory before customizing the copy. If your original stylesheets in the \shared directory were customized, you must perform extra steps to ensure that customizations are preserved while changes delivered with this patch are incorporated.
Your existing basic.xsl and misc.js files are stored as follows:
\shared\basic.xsl: IdentityServer_install_dir\identity\oblix\lang\shared
\shared contains default global stylesheets that are language-neutral. You can replace the existing \shared\basic.xsl with the new one delivered with this patch.
Note:
If your existing \shared\basic.xsl is customized and stored in a custom style directory, see \CustomStyle\basic.xsl.
\CustomStyle\basic.xsl: IdentityServer_install_dir\identity\oblix\lang\en-us\CustomStyle
If your environment includes a custom-style directory and stylesheets, you can update \CustomStyle\basic.xsl to include the changes delivered with this new basic.xsl file (differences between the original Oracle-provided version and the one delivered with this patch). You can lose any customizations if you replace the customized file with the new one.
\style0\basic.xsl: IdentityServer_install_dir\identity\oblix\lang\en-us\style0
This patch does not include a basic.xsl thin wrapper file. \style0 contains corresponding, language-specific, default thin wrapper files that differ from the default global stylesheet in \shared. You can have a language-specific \style0 directory for each installed language. Typically, these language-specific wrappers call the global stylesheet in \shared.
Note:
Do not replace \style0\basic.xsl with the file in this patch. However, if the basic.xsl thin wrapper in a language-specific \style0 has been customized and does not include the reference to \shared\basic.xsl, then you might have to apply the changes delivered with this new \shared\basic.xsl to basic.xsl in the language-specific \style0.
basic.xsl: WebPass_install_dir\identity\oblix\lang\shared
Replace the existing \shared\basic.xsl for WebPass with the new one delivered with this patch.
misc.js: WebPass_install_dir\identity\oblix\lang\shared
You can replace the existing \shared\misc.js with the new one delivered with this patch.
Note:
Oracle strongly recommends that you do not change misc.js. This system-level file is included by almost every stylesheet. Errors in this file affect almost every stylesheet that the system uses. Changing this file can cause hidden problems, or problems down the road.
For more information about these files, stylesheets, and customization, see the chapter on designing the GUI with PresentationXML in the Oracle Access Manager Customization Guide.
Note:
LPMChallengeResponsePatch.zip is included in each platform zip file. After downloading and unzipping the package, you can perform the following steps to obtain and use the latest basic.xsl and misc.js files.
To prepare and use the new basic.xsl and misc.js files in your environment
Create a temporary directory to hold the contents of LPMChallengeResponsePatch.zip.
temp\lpm_cr_patch
Unzip LPMChallengeResponsePatch.zip to extract the contents.
Within the temporary directory you created, locate the new files:
temp\lpm_cr_patch\basic.xsl
temp\lpm_cr_patch\misc.js
Back up your earlier \shared\basic.xsl and \shared\misc.js files.
Back up your earlier \CustomStyle\basic.xsl file, if your deployment includes a customized style directory containing customized stylesheets.
No Customizations: If your existing \shared\basic.xsl or \shared\misc.js files are pristine (not customized), replace existing versions with the new versions (overwrite the earlier versions).
basic.xsl: IdentityServer_install_dir\identity\oblix\lang\shared\basic.xsl
basic.xsl: WebPass_install_dir\identity\oblix\lang\shared\basic.xsl
misc.js: WebPass_install_dir\identity\oblix\lang\shared\misc.js
Customizations: Copy all changes from the basic.xsl or misc.js files delivered with this patch, into your customized versions (generally, only within a custom style directory).
basic.xsl: IdentityServer_install_dir\identity\oblix\lang\langtag\CustomStyle\
basic.xsl: IdentityServer_install_dir\identity\oblix\lang\shared
basic.xsl: WebPass_install_dir\identity\oblix\lang\shared\basic.xsl
misc.js: WebPass_install_dir\identity\oblix\lang\shared
You are ready to modify lost password management challenges and responses within the user profile panel, as usual. For example:
From the Identity System Console, click the User Manager tab and click the My Profile tab.
From the My Profile page, click the View Panel button.
On the Panel under which you have configured the Challenges and Responses, click the Modify button.
Change the challenge or response, and then click Save.
All command line utilities and tools must be run as the user who installed the product, as described in the Oracle Access Manager Installation Guide. Oracle recommends that you do not attempt to change ownership or permissions on files after installation.
Problem
Identity Server logs indicate that user data has been tampered with. This occurs after challenge and response attributes are set, and then you modify a user profile and save it without entering values for the challenge and response. The following message appears in the log.
"Delimiter not found. User data seems to be tampered."
This error is logged only once for any user profile that is modified.
Cause
This issue occurs only if you choose already available attributes (which may have some value) for the Challenge and Response phrase.
Solution
Follow the recommended way of configuring lost password management challenge and response-type attributes: in your directory, create two new, unused, empty attributes, one for the challenges that are presented to users and one for the responses that users provide to the challenges. Oracle recommends that you choose unused attributes, not attributes that already have a value assigned. For details about lost password management, see "Lost Password Management".
A new parameter, UseDefaultOptionsForAllMails, in the globalparams.xml file under the IdentityServer_install_dir path:
/apps/common/bin/globalparams.xml
enables you to configure an email ID to be used to send all email notifications.
If the parameter UseDefaultOptionsForAllMails is set to true, then for any email that is sent from the Identity Server:
The "Sender's Name" field gets the value from the sendMailFromName parameter defined in the globalparams.xml file.
The "Sender's Email" field gets the value from the sendMailFromEmail parameter defined in the globalparams.xml file.
Problem
An email notification is sent with the sendMailFromEmail parameter value in the Sender's Name field.
No email notification is sent. Instead, a message is sent to the user and an error is logged indicating that the notification email could not be sent.
Cause
UseDefaultOptionsForAllMails is true, but values are not defined in the globalparams.xml file, as follows:
sendMailFromName not defined: An email is sent with the sendMailFromEmail parameter's value in the Sender's Name field.
sendMailFromEmail not defined: If UseDefaultOptionsForAllMails is true and sendMailFromEmail is not defined, then no email is sent. Instead, an appropriate message is sent to the user and an error is logged indicating that the notification email could not be sent.
Solution
Set UseDefaultOptionsForAllMails to true and define values appropriately in the globalparams.xml file:
sendMailFromName
sendMailFromEmail
For more information, see "Descriptions of Step Actions" for information on UseDefaultOptionsForAllMails and the chapter on parameters in the Oracle Access Manager Customization Guide.
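The sender rules above, written out as a check you can run against a globalparams.xml before restarting the Identity Server. This is an added example, not Oracle's code: resolve_sender returns the (name, email) pair the notification would carry, falls back to the email address for the name when sendMailFromName is missing, and raises when sendMailFromEmail is missing, which is the case in which no notification is sent. Treating an empty Value the same as an absent parameter is an assumption of the example, and the sample configurations are constructed.

```python
# Added example, not from the Oracle documentation: apply the
# UseDefaultOptionsForAllMails / sendMailFromName / sendMailFromEmail rules
# to a globalparams.xml document.

import xml.etree.ElementTree as ET


def params_from_xml(xml_text):
    """Map ParamName -> Value for every NameValPair in the document."""
    root = ET.fromstring(xml_text)
    return {pair.get("ParamName"): pair.get("Value") for pair in root.iter("NameValPair")}


def resolve_sender(params):
    """Return (sender_name, sender_email) for a notification, or None when
    UseDefaultOptionsForAllMails is not true (per-notification settings then
    apply, which this example does not model).  Raises ValueError when the
    notification cannot be sent at all."""
    use_defaults = (params.get("UseDefaultOptionsForAllMails") or "").strip().lower() == "true"
    if not use_defaults:
        return None
    email = (params.get("sendMailFromEmail") or "").strip()   # empty treated as undefined (assumption)
    if not email:
        raise ValueError("notification email could not be sent: sendMailFromEmail is not defined")
    name = (params.get("sendMailFromName") or "").strip() or email   # documented fallback
    return name, email


# Constructed sample documents.
COMPLETE_CFG = """<SimpleList>
  <NameValPair ParamName="UseDefaultOptionsForAllMails" Value="true"></NameValPair>
  <NameValPair ParamName="sendMailFromName" Value="OAM Notifications"></NameValPair>
  <NameValPair ParamName="sendMailFromEmail" Value="oam-noreply@example.com"></NameValPair>
</SimpleList>"""

NO_NAME_CFG = """<SimpleList>
  <NameValPair ParamName="UseDefaultOptionsForAllMails" Value="true"></NameValPair>
  <NameValPair ParamName="sendMailFromEmail" Value="oam-noreply@example.com"></NameValPair>
</SimpleList>"""

NO_EMAIL_CFG = """<SimpleList>
  <NameValPair ParamName="UseDefaultOptionsForAllMails" Value="true"></NameValPair>
  <NameValPair ParamName="sendMailFromName" Value="OAM Notifications"></NameValPair>
</SimpleList>"""

DISABLED_CFG = """<SimpleList>
  <NameValPair ParamName="UseDefaultOptionsForAllMails" Value="false"></NameValPair>
</SimpleList>"""

if __name__ == "__main__":
    for label, cfg in (("complete", COMPLETE_CFG), ("no name", NO_NAME_CFG),
                       ("no email", NO_EMAIL_CFG), ("disabled", DISABLED_CFG)):
        try:
            print(label, "->", resolve_sender(params_from_xml(cfg)))
        except ValueError as err:
            print(label, "->", err)
```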
Earlier releases of Oracle Access Manager for Linux used the LinuxThreads library only. Using LinuxThreads required that you manually set the environment variable LD_ASSUME_KERNEL, which is used by the dynamic linker to decide what implementation of libraries is used. When you set LD_ASSUME_KERNEL to 2.4.19 the libraries in /lib/i686 are used dynamically.
Red Hat Linux v5 and later releases support only Native POSIX Thread Library (NPTL), not LinuxThreads. To accommodate this change, Oracle Access Manager is now compliant with NPTL specifications. However, LinuxThreads is used by default.
Oracle Access Manager uses either Native POSIX Thread Library (NPTL) or LinuxThreads. The default mode is LinuxThreads. To support the default, the start_ois_server and start_access_server scripts start in LinuxThreads mode. In this case, the variable LD_ASSUME_KERNEL is automatically set to 2.4.19. The message "Using Linux Threading Library." appears in the console and in the server's oblog file. However, if you start the server with the start_ois_server_nptl or start_access_server_nptl scripts, NPTL mode is used. You can also restart the server with the restart_ois_server_nptl or restart_access_server_nptl scripts. In this case, the message "Using NPTL Threading Library." appears in the console and in the server's oblog file.
When you use NPTL with Oracle Access Manager, there is no impact on custom plug-ins and APIs that you have created for Oracle Access Manager. When upgrading, you must still recompile custom plug-ins from Oracle Access Manager release 6.x using the GCC v3.3.2 C++ compiler. With NPTL, there is no requirement to set the environment variable LD_ASSUME_KERNEL to 2.4.19 when installing Web components or third-party connectors for use with Oracle Access Manager.
The NPTL-ready scripts include:
Identity Server: start_ois_server_nptl and restart_ois_server_nptl
Access Server: start_access_server_nptl and restart_access_server_nptl
Note:
Standard stop scripts and the following standard setup scripts operate successfully whether you use LinuxThreads or NPTL: start_setup_ois, start_setup_webpass, start_setup_access_manager, start_configureAAAServer, stop_snmp_agent, start_configureWebGate, and start_configureAccessGate.
The setup script for the SNMP agent, start_snmp_agent, includes an entry for LD_ASSUME_KERNEL. When using NPTL with Oracle Access Manager, you must remove or comment out the LD_ASSUME_KERNEL=2.4.19 environment variable from the following file:
SNMP Agent: start_snmp_agent
Note:
Oracle Access Manager servers can run using NPTL while Oracle Access Manager Web components use LinuxThreads (and vice versa). When installing Oracle Access Manager Web components or third-party connectors for use with NPTL, there is no need to set the environment variable LD_ASSUME_KERNEL to 2.4.19.
Use the following procedure as a guide when using or modifying scripts for NPTL and Oracle Access Manager.
To use NPTL with Oracle Access Manager
Use NPTL versions of start scripts for the Identity Server and Access Server stored in:
SNMP Agent: Perform the following steps to remove or comment out the LD_ASSUME_KERNEL=2.4.19 environment variable from the start_snmp_agent script.
Locate the start_snmp_agent script in the following path:
In a text editor, remove or comment out the following line:
LD_ASSUME_KERNEL=2.4.19
Save the file.
Repeat for each SNMP Agent in your deployment.
Use standard setup and stop scripts:
Web Components or Third-party Connectors Using NPTL: Do not set the environment variable LD_ASSUME_KERNEL to 2.4.19 when using NPTL with Oracle Access Manager.
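The SNMP agent step above is the one place in this procedure where a script has to be edited by hand, and on a host that only ships NPTL a forgotten LD_ASSUME_KERNEL line is the usual reason an agent fails to start. The following Python helper is an added example, not Oracle's code: it reports which start scripts still pin LD_ASSUME_KERNEL (and therefore run in LinuxThreads mode) and produces a copy of start_snmp_agent with that line commented out, without touching lines that are already comments. The script contents below are constructed stand-ins for the real files; only the LD_ASSUME_KERNEL=2.4.19 line comes from the text.

```python
# Added example, not from the Oracle documentation: find and comment out
# active LD_ASSUME_KERNEL assignments in Oracle Access Manager start scripts.

import re

# Matches an uncommented assignment such as
#   LD_ASSUME_KERNEL=2.4.19
#   export LD_ASSUME_KERNEL=2.4.19
#   LD_ASSUME_KERNEL=2.4.19; export LD_ASSUME_KERNEL
# Lines that begin with '#' (after indentation) do not match.
ASSIGN_RE = re.compile(r"^(\s*)((?:export\s+)?LD_ASSUME_KERNEL\s*=\s*([^\s;]+).*)$", re.MULTILINE)


def ld_assume_kernel_settings(script_text):
    """Return the values LD_ASSUME_KERNEL is set to on uncommented lines."""
    return [m.group(3) for m in ASSIGN_RE.finditer(script_text)]


def comment_out_ld_assume_kernel(script_text):
    """Return (new_text, number_of_lines_commented); idempotent on a fixed script."""
    return ASSIGN_RE.subn(lambda m: "%s# %s" % (m.group(1), m.group(2)), script_text)


def threading_mode(script_text):
    """'LinuxThreads' if the script pins LD_ASSUME_KERNEL, otherwise 'NPTL'."""
    return "LinuxThreads" if ld_assume_kernel_settings(script_text) else "NPTL"


def audit_scripts(scripts):
    """Map script name -> threading mode for a dict of name -> contents."""
    return {name: threading_mode(text) for name, text in scripts.items()}


# Constructed stand-ins for the real scripts.
SNMP_START = """#!/bin/sh
# constructed stand-in for start_snmp_agent
LD_ASSUME_KERNEL=2.4.19
export LD_ASSUME_KERNEL
cd "$(dirname "$0")" && ./snmp_agent "$@"
"""

NPTL_START = """#!/bin/sh
# constructed stand-in for start_ois_server_nptl (no LD_ASSUME_KERNEL)
cd "$(dirname "$0")" && ./ois_server "$@"
"""

if __name__ == "__main__":
    print(audit_scripts({"start_snmp_agent": SNMP_START, "start_ois_server_nptl": NPTL_START}))
    fixed, count = comment_out_ld_assume_kernel(SNMP_START)
    print("commented out %d line(s)" % count)
    print(fixed)
```

The bare `export LD_ASSUME_KERNEL` line that follows the assignment in the constructed script is left alone: exporting a variable that was never set has no effect on the dynamic linker.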
Problem
The username and password appear in clear text in the HTTP header.
Cause
The username and password are sent in HTTP POST data from the browser to the Web server. If the Web server does not have SSL-enabled, the username and password appear in clear text in the HTTP header.
Solution
A Web server that passes credentials (username and password) to an Oracle Access Manager Web component should have SSL enabled. With an SSL-enabled Web server, the data in the HTTP POST cannot be read by anyone sniffing the network. Other Web servers need not be SSL-enabled.
This section describes common problems and solutions for components other than the directory and database. It contains the following topics:
Identity System Deletes a User Entry When an RDN Is Modified
Memory Usage Rises for an Identity Server After Configuring a Directory Server Profile
Reports With Non-ASCII Characters Are Not Imported Correctly in Excel
User Creation Might Fail When You Have Multi-byte Characters in the Password
WebPass Is Unable to Connect to Its Associated Identity Server
When you configure auditing for multiple Real Application Clusters (RAC) databases, auditing may not work correctly for a while.
After you customize a stylesheet, the Identity Server crashes or issues an error about a Win32 exception being caught.
You may have used backslash characters as path separators in your stylesheets in xsl:include constructs.
If you have used backslash characters as path separators in your stylesheets in xsl:include constructs, replace the backslashes with forward slash characters. For example, you would want to change the following:
<xsl:include href=".\style.xsl" />
To this:
<xsl:include href="./style.xsl" />
The Identity System deletes user entries when you attempt to modify an RDN attribute value. The RDN is the leftmost attribute in a DN. Typically, the RDN attribute is cn or Full Name.
This problem occurs when you use Oracle Internet Directory as the back-end repository. A referential integrity setting has not been configured for the Identity Server.
To fix this problem:
Edit the file ldapreferentialintegrityparams.xml in the following directory:
Identity_Server_installation_directory\identity\oblix\data\common
Change the value of the parameter referential_integrity_using from oblix to ds, as follows:
<NameValPair ParamName="referential_integrity_using" Value="ds"/>
Save the file.
Restart the Identity Server for the changes to take effect.
You should be able to modify the RDN attribute value without any problem.
If you have multiple instances of the Identity Server installed, make this change to every instance of the Identity Server.
When attempting to modify a photo in an Identity application, JPEG photo images are not being updated.
This problem occurs when a user who has write permission to the Photo attribute does the following:
Open the User Manager.
View a user profile that contains a photo.
Select Panel View.
Try to upload a new photo.
Expected result: The photo is updated.
Actual result: The photo does not change.
After configuring a directory server profile, the memory usage for the Identity Server becomes too high. Note that this problem can also apply to an Access Server or Policy Manager.
When you configure a directory server profile, you are prompted to provide a maximum session time. The default value for the session time is 0 (unlimited). This may cause a performance issue, because the size of the caches for LDAP connections to the Identity Server increase over time. Oracle Access Manager does not control these caches directly.
To prevent the cache size from causing a performance problem, set the value of the Maximum Session Time (Minutes) for the directory server profile to a finite value, for example, 10 hours, as follows:
From the Identity System Console click System Configuration, then click Directory Profiles.
Click the link for the profile that you want to modify.
In the Max. Session Time (Min.) field, set the value to 600.
The performance of the system or a particular component can be slower than you think it should be.
You need to determine where to add servers or what component should be tuned for performance.
Use the information logs to identify components that are processing a heavier load or are taking a particularly long time to service requests. See "Logging" for details. In particular, you may want to focus on call processing times. See "Logging the Amount of Time to Process Requests" for details.
See Also:
Performance tuning tips in the Oracle Access Manager Deployment Guide
After modifying and exporting object class attributes, a report.csv file is created. In some languages, the report may have encoding problems.
The default value for the validity period of Simple transport security mode certificates is 365 days.
When you configure transport security among Oracle Access Manager components, you can choose between Open, Simple, and Cert modes. By default, Simple mode is only operational for one year.
See Also:
"Changing Transport Security Modes"
You can extend the life of the Simple mode certificate by updating related configuration files for all Identity Servers, WebPass instances, Policy Manager instances, Access Servers, and WebGates, and then using component-related utilities to implement the change:
Open the following files:
component_install_dir/identity/oblix/tools/openssl/openssl.cnf
component_install_dir/access/oblix/tools/openssl/openssl_silent.cnf
Where component_install_dir is the directory where the Identity or Access System components are installed. Identity components require openssl.cnf (Identity Server and WebPass instances). Access components require openssl_silent.cnf (Policy Manager instances, Access Servers, and WebGates).
In these files, look for the parameter named default_days.
By default, the value for this parameter is 365 days, as follows:
default_days = 365 # Duration to certify for
Extend the life of the certificate by increasing the number of default days available until expiration. For example, you can increase the life of the certificate to two years as follows:
default_days = 730 # Duration for the certificate
Note:
Update both files with the same value for default_days.
Perform the following tasks to regenerate Simple mode certificates with the duration you set in the openssl_silent.cnf and openssl.cnf files and restart the component:
Identity Server: Use the setup_ois.exe utility with the -i command and the openssl.cnf file.
File in IdentityServer_install_dir/oblix/tools/openssl/openssl.cnf
Run the setup_ois.exe utility on Windows (or start_setup_ois on UNIX):
IdentityServer_install_dir/oblix/tools/setup/setup_ois -i install_dir
WebPass: Use setup_webpass.exe with the -i option and the openssl.cnf file.
File in WebPass_install_dir/oblix/tools/openssl/openssl.cnf
Run the setup_webpass.exe utility on Windows (or start_setup_webpass on UNIX):
WebPass_install_dir/oblix/tools/setup/setupWebPass -i c:/OracleAccessManager/identity
For more information about Identity System utilities, see the Oracle Access Manager Identity and Common Administration Guide.
Policy Manager: Use the genCert utility with the -i, -m, and -p options and the openssl_silent.cnf file.
File in PolicyManager_install_dir/oblix/tools/openssl/openssl_silent.cnf
Run the genCert.exe utility:
PolicyManager_install_dir/oblix/tools/gencert/gencert -i install_dir -m simple -P password
Access Server: Use configureAAAServer with the -i option and the openssl_silent.cnf file.
File in AccessServer_install_dir/oblix/tools/openssl/openssl_silent.cnf
Run configureAAAServer on Windows (or start_configureAAAServer on UNIX):
AccessServer_install_dir/oblix/tools/configureAAAServer/configureAAAServer -i C:/OracleAccessManager/access
WebGate: Use configureWebGate with the -i option, the -t option, and the openssl_silent.cnf file.
File in WebGate_install_dir/oblix/tools/openssl/openssl_silent.cnf
Run configureWebGate on Windows (or start_configureWebGate on UNIX):
WebGate_install_dir/oblix/tools/configureAccessGate/configureWebGate -i C:/OracleAccessManager/access -t WebGate
For more information about Access System utilities, see the Oracle Access Manager Access Administration Guide.
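As an added example that is not part of Oracle Access Manager or its utilities, the following Python applies the default_days change from the first step of this procedure to both configuration files and checks that they agree, as the note requires. The two file fragments (including the [ CA_default ] section header) are constructed for the demonstration.

```python
"""Keep default_days in openssl.cnf and openssl_silent.cnf in step.

Added example, not Oracle's tooling. It assumes the line shape shown in the
procedure above ('default_days = 365 # Duration to certify for') and that both
files must carry the same value, as the note in the procedure requires.
"""
import re

# Matches 'default_days = NNN <optional comment>' and keeps the comment.
DEFAULT_DAYS_RE = re.compile(r"^(\s*default_days\s*=\s*)(\d+)(.*)$", re.MULTILINE)

# Constructed fragments standing in for the two configuration files.
OPENSSL_CNF = "[ CA_default ]\ndefault_days = 365 # Duration to certify for\n"
OPENSSL_SILENT_CNF = "[ CA_default ]\ndefault_days\t= 365\t# Duration to certify for\n"


def read_default_days(text):
    """Return the default_days value, or None if the file does not set it."""
    m = DEFAULT_DAYS_RE.search(text)
    return int(m.group(2)) if m else None


def set_default_days(text, days):
    """Return text with default_days set to days; the trailing comment is kept."""
    if not isinstance(days, int) or days <= 0:
        raise ValueError("days must be a positive integer")
    new_text, count = DEFAULT_DAYS_RE.subn(
        lambda m: f"{m.group(1)}{days}{m.group(3)}", text, count=1)
    if count == 0:
        raise ValueError("default_days not found in this file")
    return new_text


def consistent(*texts):
    """True when every file sets default_days and all of the values agree."""
    values = {read_default_days(t) for t in texts}
    return None not in values and len(values) == 1
```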
When you create or customize a stylesheet using Presentation XML, the stylesheet has compilation errors.
This problem occurs when you do the following:
Open a stylesheet in a text editor or (preferably) an XML editor.
Change some parameters in the file and save the changes.
Open an Identity application, for example, the User Manager, to see the changes.
Expected result: Changes appear as expected.
Actual result: The Identity System issues a bug report.
This problem can occur for a variety of reasons, but chances are good that there are errors in the way the stylesheet is coded.
Open the XSL file in an Internet Explorer window. If there is an error in the code, the browser shows the line number that contains the error. For more information on Presentation XML, see Oracle Access Manager Customization Guide.
Problem
When you create a user with multi-byte characters in the password using a non-English keyboard, user creation might fail. You might see an error about a directory server password policy violation.
Cause
This problem can occur when you have the 7-bit check plug-in enabled for the "uid" and "userpassword" attributes. In this case, modifying a password for an existing user forces the "7-bit check" for the newly entered password. If the newly entered password contains multi-byte characters, then it does not qualify as "7-bit clean". The product is designed to function in this way.
For example, when creating a workflow, the values are stored under the "obcontainerId=workflowInstances,o=Oblix,o=company,c=us" node. The password value is stored as "obattrvals: <value>" and is encoded as "7-bit clean". When the Approver approves the workflow, the password value is decrypted and stored under the "userpassword" attribute.
Solution
If you want "7-bit check" to be enabled for workflow steps you need to write your own plug-ins.
Note: Your directory server might not support the 7-bit check. In any case, you must be able to create a user with multi-byte characters.
If you want a user password (or any other attribute) to contain multi-byte characters, you must disable the "7-bit check" for the specific attribute. The following procedure refers to steps for a Sun (formerly iPlanet) directory server. Your details and steps might be different. See your vendor documentation for more information.
To disable the 7-bit check
Log in to your directory server as an administrator.
Click your directory server instance under "Server Group".
Go to the configuration tab for the directory server instance.
Expand the "Plug-ins" node to display the list of plug-ins that are applied to your directory server instances.
Click "7-bit check" to display the list of attributes that are acted upon by this plug-in.
Remove the required attributes or disable the plug-in entirely, as follows:
Remove "obattrvals".
Disable the plug-in by clicking the Advanced button and set "nsslapd-pluginenabled" to "off".
If you have installed a WebPass on IIS 6 and enabled logging, the WebPass may be unable to connect to its associated Identity Server.
This problem occurs when you send logs to an MPFileLogWriter. It does not occur when you send logs to a FileLogWriter.
The problem occurs with the MPFileLogWriter when there is no anonymous user with access to the directory that contains the log files. MPFileLogWriter uses a file named logfile_name.lck, where logfile_name is the name of the corresponding log file, to synchronize multiple processes that write to that log file. The MPFileLogWriter write-locks the .lck file before writing to the oblog.log file.
Configure an anonymous user with access to the directory that contains the log files. In some circumstances, the user context used to acquire the write-lock is the IIS Anonymous web user. By default, this user is named IUSR_<computer name>, but you can configure any anonymous user for this purpose.
The following are error messages and troubleshooting tips for handling them.
When running a workflow, a user may receive a 404 error that states "Cannot find xenroll.cab."
This problem occurs when a user runs a workflow in an Identity System application, for example:
Open the User Manager.
View a user profile.
Click a Modify button on the profile that invokes an Enroll Certificate Workflow.
In older versions of Oracle Access Manager, the file xenroll.cab was used for certificate enrollment workflows and certificate revocation workflows. However, Oracle has removed support for these workflows. This file is not used anymore.
You can safely remove the references to xenroll.cab from the stylesheet. The following is an example of this reference. See the Oracle Access Manager Customization Guide for details:
<head>
...
<object id="cenroll" classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1" codebase="/identity/oblix/apps/common/bin/xenroll.cab" />
...
<script src="http://km.oraclecorp.com/identity/oblix/apps/common/bin/installCert.vbx" language="VBScript" />
</head>
The workflow fails when a user runs it.
This problem occurs when a user runs a workflow in an Identity System application, for example:
Open the User Manager.
View a user profile.
Click a Modify button on the profile that invokes a Change Attribute Workflow.
Expected result: The workflow behaves as expected.
Actual result: The user receives an "Enabled failed" error.
There is no definitive solution to this problem, since workflow configuration can fail for a number of reasons. However, a likely candidate is selecting an invalid searchbase during workflow configuration. Delete the searchbase and re-configure the workflow. See "About the Searchbase" for details.
You may receive this error when managing administrators in an environment that uses Oracle Internet Directory.
In Oracle Internet Directory, the orcladmin user (dn: cn=orcladmin) can be thought of as a pseudo user with administrative privileges. There is no LDAP entry corresponding to this user in Oracle Internet Directory. This user is part of special groups that are created in Oracle Internet Directory. The Identity Server requires that every user exist as an independent entry in the directory. When these special groups are viewed or modified using Group Manager, you may see the message, "There is no profile configured for this kind of object."
If you have this issue, view and update these special Oracle Internet Directory groups using the Oracle Directory Manager application.
Note that there are some special groups in Oracle Internet Directory that exhibit cyclic behavior. Using Oracle Directory Manager to manage these groups is recommended, not the Group Manager or the Identity Server.
You may receive this error when clicking the Back button after conducting a search in an Identity System application.
By default, Identity System application pages are not cached as a security measure. Caching is disabled to prevent a user from clicking the Back button and seeing what the previously logged-in user was viewing. When caching is turned off, users receive a "page expired" error if they click the Back button from a search results page.
As of Oracle Access Manager 10.1.4.2, the Access Server and Identity Server provide diagnostic tools to help you work with an Oracle Technical Support representative to troubleshoot problems.
These tools are not for day-to-day administration. Their purpose is to help you investigate problems that require assistance from Oracle Technical Support.
The diagnostic tools enable you to do the following:
Obtain hard-to-locate information about component configuration and behavior.
For example, to investigate memory consumption or unresponsive servers, you can run diagnostics that provide information on caches and threads. This information can help you work with Oracle Technical Support on pinpointing the cause of the problem.
Automatically capture events that immediately precede a core dump.
Oracle Access Manager automatically writes stack traces of these events to the log files. You can send these log files to Oracle for analysis by the Technical Support team.
Manually capture a stack trace of any event in the Identity or Access System.
A diagnostic tool enables you to capture ad-hoc stack traces that you can forward to Oracle for analysis by the Technical Support team. For example, you can invoke a stack trace when a server crashes.
The rest of this section discusses the following topics:
You should only collect diagnostic data to analyze serious problems. In general, you would only run diagnostics when working with a Technical Support representative.
The diagnostic tools are installed with the Access Server and the Identity Server. The diagnostics can focus on caches and threads. The diagnostic tool displays the returned data on-screen and saves the data in a file.
As a best practice, you should run the same diagnostics a few times to determine if a problem is temporary or persistent. For example, you can compare diagnostic output to see if memory or cache size is increasing.
The following tools enable you to collect diagnostic data for the respective component (Access Server or Identity Server):
The tool aaa_mon.exe enables you to collect diagnostic data for the Access System.
The tool ois_mon.exe enables you to collect diagnostic data for the Identity System.
The following procedures describe how to use these tools. In the following procedures, a vertical bar ("|") represents a choice of options. For instance, in the install_dir path name, the choice is either "access" or "identity", or might refer to a specific tool name; in the transport security mode it is a choice of "open", "simple", or "cert".
Note: Running the diagnostic tool produces overhead and can affect system performance. The more detail you request when running a diagnostic tool, the more memory is consumed. For this reason, do not request detailed diagnostics for cache queries.
To view a list of supported diagnostic operations
Navigate to the following Access Server or Identity Server directory:
install_dir\identity|access\oblix\tools\ois_mon|aaa_mon
Where install_dir is the directory where the Identity Server or Access Server is installed.
Issue the following command:
aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir -m open|simple|cert -o optype=GetListofSupportedOperations
Where:
server is the name of the host computer where you want to collect the information.
port is the listen port for the host.
install_dir is the installation directory for the component being diagnosed.
On the -m parameter, specify open, simple, or cert for the transport security mode. See "Changing Transport Security Modes" for details. If you specify cert, you must also specify the following parameter:
-c path_for_certs
Where path_for_certs is the fully qualified path to the certificate files.
To retrieve the name of a diagnostic object
Navigate to the following directory:
install_dir\identity|access\oblix\tools\ois_mon|aaa_mon
Where install_dir is the directory where the Identity Server or Access Server is installed.
To retrieve the names of all objects of a particular type, issue the following command, using one of the options separated by a vertical bar:
aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir -m open|simple|cert -o optype=GetDiagnosticInformation,object=cache|thread,mode=list
Where:
server is the name of the host computer where you want to collect the information.
port is the listen port for the host.
install_dir is the installation directory for the component being diagnosed.
On the -m parameter, specify open, simple, or cert for the transport security mode. See "Changing Transport Security Modes" for details. If you specify cert, you must also specify the following parameter:
-c path_for_certs
Where path_for_certs is the fully qualified path to the certificate files.
The object parameter limits the results to a particular object type. By default, information is fetched for all diagnosable objects. The following are possible values:
cache: A cache can hold copies of recently accessed data in memory. A cache can also store data on disk to prevent the program from having to download the same information from the internet. Also see Table F-1 and Table F-2 for a list of cache names and a brief description of each cache.
thread: A program can split itself into two or more threads that run concurrently, each performing a different job.
To collect diagnostic information for a particular object
Navigate to the appropriate tool in the following directory path:
install_dir\identity|access\oblix\tools\ois_mon|aaa_mon
Where install_dir is the directory where the Identity Server or Access Server is installed.
Issue the following command:
aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir -m open|simple|cert -o optype=GetDiagnosticInformation[, object=cache|thread, mode=brief|detail|list|usage, name=name]
Where:
server is the name of the host computer where you want to collect the information.
port is the listen port for the host.
install_dir is the installation directory for the component being diagnosed.
On the -m parameter, specify open, simple, or cert for the transport security mode. See "Changing Transport Security Modes" for details. If you specify cert, you must also specify the following parameter:
-c path_for_certs
Where path_for_certs is the fully qualified path to the certificate files.
The optional object parameter for GetDiagnosticInformation limits the results to a particular object type. By default, information is fetched for all diagnosable objects. The following are possible values:
cache: A cache can hold copies of recently accessed data in memory. A cache can also store data on disk to prevent the program from having to download the same information from the internet.
thread: A program can split itself into two or more threads that run concurrently, each performing a different job.
The optional mode parameter for GetDiagnosticInformation determines the amount and type of detail returned. The following are possible values:
brief: Prints a summary of the diagnosable objects on the screen.
detail: Writes the current values of all diagnosable objects of the specified type to a file in the following directory:
install_dir\identity|access\oblix\tools\ois_mon|aaa_mon\OISDiag_datetime|AAADiag_datetime
Where install_dir is the directory where the Identity Server or Access Server is installed and datetime is the date and time when the file was created.
Do not specify detail mode for caches.
list: Shows a list of all diagnosable objects of the specified type.
usage: Displays help text for the diagnostics tool.
The optional name parameter for GetDiagnosticInformation limits the command output to a particular object.
You should only attempt to interpret diagnostic output when working with a Technical Support Representative. This section provides simple guidelines for how to read the diagnostic XML output file.
This section discusses the following topics:
Interpreting Diagnostic Output When the list Parameter Is Used
Interpreting Diagnostic Output When the detail Parameter Is Used
Interpreting Diagnostic Output When the list Parameter Is Used
When you use the list parameter on a diagnostic command, the output is written to the screen and to the log file. The most important information is returned in the Name element of the output file. Also see Table F-1 and Table F-2 for a list of cache names and a brief description of each cache.
The following command excerpt uses list mode to retrieve a list of cache names:
-o optype=GetDiagnosticInformation,mode=list,object=cache
Example F-1 shows the output for this diagnostic command excerpt.
Example F-1 Sample Output for a Diagnostic Command That Used list Mode
<?xml version="1.0" encoding="utf-8"?>
<DiagnosticReport>
  <Command>
    <CommandArg name="optype">
      <Value>GetDiagnosticInformation</Value>
    </CommandArg>
    <CommandArg name="mode">
      <Value>list</Value>
    </CommandArg>
    <CommandArg name="object">
      <Value>cache</Value>
    </CommandArg>
  </Command>
  <CommandOutput>
    <Objects>
      <Object type="cache">
        <Name>UidInfoCache</Name>
        <Name>PersonOOOIndicatorCache</Name>
        <Name>AuditCache</Name>
        <Name>AuditUserCache</Name>
        <Name>AuditMasterAuditPolicyCache</Name>
        <Name>AuditServerInfoCache</Name>
        <Name>WfDefCache</Name>
        <Name>WfDefSetCache</Name>
        <Name>xsllib_stylesheet</Name>
        <Name>PortalIdCache</Name>
      </Object>
    </Objects>
  </CommandOutput>
</DiagnosticReport>
Interpreting Diagnostic Output When the detail Parameter Is Used
When you use the detail parameter on the command to get diagnostic information, the output file contains information on the values set for the object, its current state, and multiple data points about its performance. Items of interest in the output file depend on the type of object. For example, with a cache object, you may be interested in the cache size and if the cache has been flushed.
parameter on the command to get diagnostic information, the output file contains information on the values set for the object, its current state, and multiple data points about its performance. Items of interest in the output file depend on the type of object. For example, with a cache object, you may be interested in the cache size and if the cache has been flushed.
In general, you should walk through detailed output with a support representative, who can interpret the meaning of the diagnostic.
Example F-2 shows the generic structure of an XML file that is generated using the list parameter:
Example F-2 Generic XML Output for a Diagnostic Using mode=detail or mode=brief
<?xml version="1.0" encoding="utf-8"?>
<DiagnosticReport>
  <Command type=CommandType1>
    <CommandArg name=Arg1>
      <Value>ArgValue1</Value>
    </CommandArg>
    <CommandArg name=Arg2>
      <Value>ArgValue2-1</Value>
      <Value>ArgValue2-2</Value>
    </CommandArg>
  </Command>
  <CommandOutput>
    <Objects>
      <Object type=ObjectType1 name=ObjectName1>
        <Attribute name=Attribute1>
          <Value>Value1</Value>
        </Attribute>
        <Attribute name=Attribute2>
          <Value>Value2-1</Value>
          <Value>Value2-2</Value>
          -----
        </Attribute>
      </Object>
      <Object type=ObjectType2 name=ObjectName2>
        <Attribute name=Attribute3>
          <Value>Value3</Value>
        </Attribute>
        -----
        -----
      </Object>
      -----
      -----
    </Objects>
  </CommandOutput>
</DiagnosticReport>
For example, the following is a command excerpt for generating detailed diagnostic data:
... -o optype=GetDiagnosticInformation,mode=detail,object=cache,name=XSLXDKCache
The previous command excerpt produces the output in Example F-3:
Example F-3 Output for a Diagnostic Command Using mode=detail
<?xml version="1.0" encoding="utf-8" ?>
<DiagnosticReport>
  <Command>
    <CommandArg name="optype">
      <Value>GetDiagnosticInformation</Value>
    </CommandArg>
    <CommandArg name="mode">
      <Value>detail</Value>
    </CommandArg>
    <CommandArg name="object">
      <Value>cache</Value>
    </CommandArg>
    <CommandArg name="name">
      <Value>XSLXDKCache</Value>
    </CommandArg>
  </Command>
  <CommandOutput>
    <Objects>
      <Object type="cache" name="XSLXDKCache">
        <Attribute name="state">
          <Value>active</Value>
        </Attribute>
        <Attribute name="Maximum Elements">
          <Value>200</Value>
        </Attribute>
        <Attribute name="Current Elements">
          <Value>11</Value>
        </Attribute>
        <Attribute name="Timeout">
          <Value>0</Value>
        </Attribute>
        <Attribute name="Hit Count">
          <Value>4</Value>
        </Attribute>
        <Attribute name="Miss Count">
          <Value>11</Value>
        </Attribute>
        <Attribute name="Expire Count">
          <Value>0</Value>
        </Attribute>
        <Attribute name="Flush Count">
          <Value>0</Value>
        </Attribute>
        <Attribute name="Memory footprint">
          <Value>945008</Value>
        </Attribute>
        <Attribute name="keys">
          <Value>../../../lang/en-us/style0/predefinedreports.xsl</Value>
          <Value>../../../lang/en-us/style0/reports.xsl</Value>
          <Value>../../../lang/en-us/style0/usc_admin_main.xsl</Value>
          <Value>../../../lang/en-us/style0/admin_wf_definition.xsl</Value>
          <Value>../../../lang/en-us/style0/wf_quickstart_report.xsl</Value>
          <Value>../../../lang/en-us/style0/reportresults.xsl</Value>
          <Value>../../../lang/en-us/style0/usc_searchresults.xsl</Value>
          <Value>../../../lang/en-us/style0/usc_profile.xsl</Value>
          <Value>../../../lang/en-us/style0/login.xsl</Value>
          <Value>../../../lang/en-us/style0/qbmodify.xsl</Value>
          <Value>../../../lang/en-us/style0/wf_quickstart.xsl</Value>
        </Attribute>
      </Object>
    </Objects>
  </CommandOutput>
</DiagnosticReport>
An Oracle Technical Support representative can help you interpret diagnostic data. If you are running diagnostics for a cache, Table F-1 and Table F-2 can help you understand the diagnostic output.
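As an added example that is not part of the product or this guide, the following Python parses the DiagnosticReport structure shown in Examples F-1 and F-3 and compares two detail snapshots of the same cache, which is how you would check whether memory or cache size is growing between runs as recommended earlier. The sample reports are constructed to match those examples: the first snapshot reuses the XSLXDKCache counters from Example F-3, the second is invented.

```python
"""Parse aaa_mon/ois_mon DiagnosticReport XML and compare two cache snapshots.

Added example, not Oracle's code. The reports below are constructed to follow
the structure of Examples F-1 (mode=list) and F-3 (mode=detail).
"""
import xml.etree.ElementTree as ET

# Constructed mode=list report (shape of Example F-1), trimmed to two caches.
LIST_REPORT = """<?xml version="1.0" encoding="utf-8"?>
<DiagnosticReport>
  <Command>
    <CommandArg name="optype"><Value>GetDiagnosticInformation</Value></CommandArg>
    <CommandArg name="mode"><Value>list</Value></CommandArg>
    <CommandArg name="object"><Value>cache</Value></CommandArg>
  </Command>
  <CommandOutput><Objects><Object type="cache">
    <Name>UidInfoCache</Name>
    <Name>XSLXDKCache</Name>
  </Object></Objects></CommandOutput>
</DiagnosticReport>"""


def detail_report(current, hits, misses, footprint, flushes=0):
    """Constructed mode=detail report for XSLXDKCache (shape of Example F-3)."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<DiagnosticReport>
  <Command>
    <CommandArg name="optype"><Value>GetDiagnosticInformation</Value></CommandArg>
    <CommandArg name="mode"><Value>detail</Value></CommandArg>
    <CommandArg name="object"><Value>cache</Value></CommandArg>
    <CommandArg name="name"><Value>XSLXDKCache</Value></CommandArg>
  </Command>
  <CommandOutput><Objects>
    <Object type="cache" name="XSLXDKCache">
      <Attribute name="state"><Value>active</Value></Attribute>
      <Attribute name="Maximum Elements"><Value>200</Value></Attribute>
      <Attribute name="Current Elements"><Value>{current}</Value></Attribute>
      <Attribute name="Hit Count"><Value>{hits}</Value></Attribute>
      <Attribute name="Miss Count"><Value>{misses}</Value></Attribute>
      <Attribute name="Flush Count"><Value>{flushes}</Value></Attribute>
      <Attribute name="Memory footprint"><Value>{footprint}</Value></Attribute>
    </Object>
  </Objects></CommandOutput>
</DiagnosticReport>"""


def parse_report(xml_text):
    """Return (command_args, objects): CommandArg name -> values, and either
    object type -> [names] (mode=list) or object name -> {attribute: [values]}
    (mode=brief or mode=detail)."""
    root = ET.fromstring(xml_text)
    args = {arg.get("name"): [v.text for v in arg.findall("Value")]
            for arg in root.findall("./Command/CommandArg")}
    objects = {}
    for obj in root.findall("./CommandOutput/Objects/Object"):
        names = [n.text for n in obj.findall("Name")]
        if names:  # list mode: the Object element only enumerates names
            objects[obj.get("type")] = names
            continue
        objects[obj.get("name")] = {
            a.get("name"): [v.text for v in a.findall("Value")]
            for a in obj.findall("Attribute")}
    return args, objects


def cache_stats(attrs):
    """Summarise the counters of one cache object from a detail report."""
    def num(key):
        return int(attrs[key][0])
    hits, misses = num("Hit Count"), num("Miss Count")
    lookups = hits + misses
    return {
        "current": num("Current Elements"),
        "maximum": num("Maximum Elements"),
        "hit_ratio": hits / lookups if lookups else 0.0,
        "footprint": num("Memory footprint"),
        "flushed": num("Flush Count") > 0,
    }


def compare_snapshots(earlier_xml, later_xml, name):
    """Compare two detail reports of the same cache taken some time apart,
    the 'run the same diagnostics a few times' practice from the text."""
    _, before = parse_report(earlier_xml)
    _, after = parse_report(later_xml)
    a, b = cache_stats(before[name]), cache_stats(after[name])
    return {
        "elements_delta": b["current"] - a["current"],
        "footprint_delta": b["footprint"] - a["footprint"],
        "at_capacity": b["current"] >= b["maximum"],
        "growing": b["footprint"] > a["footprint"],
    }
```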
Table F-1 Identity System Cache Names and Descriptions
Cache Name | Description
---|---
UidInfoCache | Stores information on the structural object class for each user.
PersonOOOIndicatorCache | Caches the out-of-office indicator of each user.
WfDefCache | A cache of all workflow definitions.
WfDefSetCache | A cache of all workflow definitions of a particular type, for example, the Create User workflow type.
xsllib_stylesheet | Not used in a production environment.
PortalIdCache | Not used in a production environment.
AuditCache | A cache of the auditing configuration information for the server.
AuditUserCache | A cache of the User Manager audit policy.
AuditMasterAuditPolicyCache | A cache of the master audit policy.
XMLStructureCache | A cache of the internal XML data structure that represents each page rendered in the browser.
XSLXDKCache | Contains the compiled form of each stylesheet (XSL) used in the Identity System.
Table F-2 Access System Cache Names and Descriptions
Cache Name | Description
---|---
UserAccessCache | Used during the authorization phase of evaluation. Holds a hash table of rules and groups that the user satisfies.
AAASyncRequestCache | Used to maintain cache coherency in the Access System and to provide updates to Access clients.
AAAUserCache | Holds the list of user profile attributes. Used in the Authenticate, IsAuthorized, and Audit Event phases of request evaluation.
AAAUserCredCache | Holds user passwords. Used in the authentication phase of request evaluation to validate passwords.
AuditPolicyCache | Used during processing of an IsResrcProtected event to retrieve the audit mask. Also used during an audit event. Stores audit policies.
AuthentPluginCache | A wrapper for a custom authentication plug-in. Used during authentication.
AuthentSchemeCache | Used during processing of an IsResrcProtected event and the authentication phase of a resource request. Stores authentication scheme details.
AuthzDSOCache | A wrapper for a custom authorization plug-in. Used when processing IsAuthorized events.
AuthzRuleCache | Used when processing an IsAuthorized event to evaluate a user's permissions to access a resource and get action information. Stores policy details.
AuthzSchemeCache | Holds custom authorization scheme information. Used in processing an IsAuthorized event.
ClientConfigCache | Used when processing UpdateConfiguration requests from Access clients.
DomainPasswdPolicyIDMapper | Holds password policy IDs. Used when processing Authenticate events to retrieve password policy information.
GrpQueryCache | Holds a list of groups that the user belongs to. Used during evaluation of ObMyGroups.
HostIdHashString | Used when processing an IsResrcProtected event to find the matching policy. Stores host identifiers.
LPMPolicyCache | Used during the authenticate phase of evaluation to retrieve Lost Password Management policy information.
PSCGrpDefnCache | Holds nested groups and rules for dynamic groups.
PSCUid2OcCache | Used in the authorization phase of evaluation. Contains a hash table of rules and groups that the user satisfies.
PasswdPolicyCache | Used in the authentication phase of evaluation to retrieve password policy information.
PasswdPolicyUserCache | Used in the authentication phase of evaluation to retrieve password policy information.
PolicyCache | Used during the IsAuthorized phase of processing to evaluate a user's access to a resource and retrieve action information. Stores policy rules.
SDCache | Used during the IsResrcProtected phase to find the matching policy and authentication scheme. Stores site domain objects.
SessionTokenCache | Stores the decrypted session token. Reduces the overhead of decrypting the session token.
URLPrefixCache | Used to find which policy domain the resource maps to. Stores policy domain IDs.
WRORCache | Used when processing an IsResrcProtected event to find the authentication challenge scheme and authentication specifics. Stores authentication scheme details.
jobstatuscache | Holds the status of reporting jobs.
If Oracle Access Manager experiences a core dump, you can write a stack trace of the core dump to a log file. The stack trace lists the functions that were called immediately before the dump. The information in the trace can help with troubleshooting. For example, a stack trace can show if a thread has been mired in a process and is not receiving a response from a directory server, or if a message reader thread is alive.
You must enable logging if you want stack traces to be written to a log file. Any logging level is permitted when writing a stack trace. See "Logging" for details.
You can send the log file that contains the stack trace to Oracle Technical Support to help with diagnosing the core dump. The first three entries of the stack trace are always the same. These entries belong to the stack trace functionality. The fourth entry is the function that failed in the case of a core dump, or it was the last function that was executed by the thread at the time that you initiated the stack trace.
This information should only be interpreted by an Oracle Technical Support representative.
For more information, see the following topics:
If Oracle Access Manager experiences a core dump in the Access Server or the Identity Server, you can write a stack trace to a log file. However, writing the stack trace might prevent the core dump from being written. You might need to disable the StackDumpEnabled parameter in globalparams.xml when pursuing diagnostic issues or when instructed by Oracle Support to re-create a core dump scenario. The parameter takes the following values:
0: Disables the function.
1: The default value; enables the function to write a stack trace to the log file if Oracle Access Manager experiences a core dump on the Access Server or Identity Server.
2: To manually request a stack trace, you must set the value of StackDumpEnabled to 2. For more information, see the following topic, "Manually Requesting a Stack Trace".
The following procedure describes how to set the StackDumpEnabled parameter value for the action you want to take. Perform only the relevant steps.
Note: A value of "0" or "2" is valid when attempting to collect core files. However, a value of "1" conflicts with core file generation.
To set the value of StackDumpEnabled
Locate the globalparams.xml file in the appropriate path for the Identity Server or Access Server:
install_dir/access|identity/oblix/apps/common/bin/globalparams.xml
Disable Stack Trace: Locate StackDumpEnabled and set the value to 0.
<SimpleList>
  <NameValPair ParamName="StackDumpEnabled" Value="0"></NameValPair>
</SimpleList>
Enable Stack Trace: Locate StackDumpEnabled and validate that the value is set to 1.
<SimpleList>
  <NameValPair ParamName="StackDumpEnabled" Value="1"></NameValPair>
</SimpleList>
Manually Request a Stack Trace: Locate StackDumpEnabled and set the value to 2.
<SimpleList>
  <NameValPair ParamName="StackDumpEnabled" Value="2"></NameValPair>
</SimpleList>
Save the file.
Proceed to "Manually Requesting a Stack Trace".
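As an added example, not Oracle's tooling, the following Python sets StackDumpEnabled in a globalparams.xml fragment and refuses the value 1 while core files are being collected, encoding the note in this procedure. The fragment and its SomeOtherParam entry are constructed, and the NameValPair attribute order (ParamName before Value) is assumed to be as shown above.

```python
"""Set StackDumpEnabled in an Oracle Access Manager globalparams.xml fragment.

Added example, not Oracle's tooling. It assumes the NameValPair shape shown
in the procedure above (ParamName before Value) and edits the text in place
so that the rest of the file, including any comments, is left untouched.
"""
import re

# Documented values for StackDumpEnabled and what each one means.
STACK_DUMP_VALUES = {
    "0": "disabled",
    "1": "write a stack trace to the log on core dump (default)",
    "2": "stack trace on request via -o optype=GenerateStackTrace",
}

# Assumption: the parameter appears exactly as shown in the procedure above.
PAIR_RE = re.compile(
    r'(<NameValPair\s+ParamName="StackDumpEnabled"\s+Value=")([^"]*)(")')

# Constructed fragment standing in for globalparams.xml.
SAMPLE_GLOBALPARAMS = """<SimpleList>
  <NameValPair ParamName="StackDumpEnabled" Value="1"></NameValPair>
  <NameValPair ParamName="SomeOtherParam" Value="abc"></NameValPair>
</SimpleList>
"""


def get_stack_dump_enabled(xml_text):
    """Return the current value, or None if the parameter is absent."""
    m = PAIR_RE.search(xml_text)
    return m.group(2) if m else None


def check_value(value, collecting_core_files=False):
    """Return an error message for an invalid request, or None if it is fine.

    Value 1 is rejected while core files are being collected because the
    note above says that it conflicts with core file generation.
    """
    value = str(value)
    if value not in STACK_DUMP_VALUES:
        return f"StackDumpEnabled must be one of {sorted(STACK_DUMP_VALUES)}"
    if collecting_core_files and value == "1":
        return "StackDumpEnabled=1 conflicts with core file generation; use 0 or 2"
    return None


def set_stack_dump_enabled(xml_text, value, collecting_core_files=False):
    """Return the fragment with StackDumpEnabled set to value."""
    error = check_value(value, collecting_core_files)
    if error:
        raise ValueError(error)
    value = str(value)
    new_text, count = PAIR_RE.subn(
        lambda m: m.group(1) + value + m.group(3), xml_text, count=1)
    if count == 0:
        # Parameter absent: add it explicitly before the closing tag.
        if "</SimpleList>" not in xml_text:
            raise ValueError("no <SimpleList> element found")
        pair = (f'  <NameValPair ParamName="StackDumpEnabled" '
                f'Value="{value}"></NameValPair>\n')
        new_text = xml_text.replace("</SimpleList>", pair + "</SimpleList>", 1)
    return new_text
```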
The following procedure describes how to manually request a stack trace while running the Access Server or Identity Server.
Note: In certain circumstances, Oracle recommends that you first follow the steps in the previous topic, "Enabling or Disabling a Stack Trace When Pursuing Diagnostic Issues or Recreating Crashes".
To manually request a stack trace
Navigate to the appropriate tool in the following path:
install_dir\identity|access\oblix\tools\ois_mon|aaa_mon
Where install_dir is the directory where the Identity Server or Access Server is installed.
Issue the following command:
aaa_mon.exe|ois_mon.exe -s server -p port -i install_dir -m open|simple|cert -o optype=GenerateStackTrace
Where a vertical bar ("|") represents a choice of commands, server is the name of the host computer where you want to collect the information, port is the listen port for the host, and install_dir is the installation directory for the component being diagnosed.
On the -m parameter, specify open, simple, or cert for the transport security mode. See "Changing Transport Security Modes" for details. If you specify cert, you must also specify the following parameter:
-c path_for_certs
Where path_for_certs is the fully qualified path to the certificate files.
To view the results, open the log file for the server where the trace was run.
See "Logging" for details.
You can find more solutions on Oracle Support (formerly MetaLink), http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.