30 Oracle Platform Security Services

This chapter describes issues and workarounds associated with Oracle Platform Security Services (OPSS), in the following sections:

The following documents are relevant to topics included in this chapter:

30.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topic:

30.1.1 Issues with Audit Reports

The following issue has been observed with the Common Audit Framework reports available in Oracle Business Intelligence Publisher.

Issue with % sign embedded in Hyperlinks in Audit Reports

Navigate to Common Reports, then User Activities, then Dashboard. The following issue is observed:

  • For hyperlinks corresponding to certain data strings, the event is not displayed correctly. For example, if the data contains a percent sign, such as cn=%host%.us.oracle.com, clicking the corresponding event hyperlink does not display the event correctly on the resulting report, because the percent sign is not processed correctly. A similar issue may occur if the string contains embedded spaces.

Solution

Apply the one-off patch for Bug 8524140.

EventDetails Report Requires the PS1 Schema

The Event Details report requires the PS1 (Release 11.1.1.2.0) schema.

30.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

30.2.1 Oracle Fusion Middleware Audit Framework

This section describes configuration issues for the Oracle Fusion Middleware Audit Framework. It contains these topics:

30.2.1.1 Configuring Auditing for Oracle Access Manager

Although Oracle Access Manager appears as a component in Oracle Enterprise Manager Fusion Middleware Control, you cannot configure auditing for Oracle Access Manager using Fusion Middleware Control.

30.2.1.2 Audit Reports do not Display Translated Text in Certain Locales

The standard audit reports packaged with Oracle Business Intelligence Publisher support a number of languages for administrators. Oracle Business Intelligence Publisher can start in different locales; at start-up, the administrator can specify the language of choice by setting the preferred locale in Preferences.

Because of a bug, if Oracle Business Intelligence Publisher is started in any of these three locales:

  • zh_CN (Simplified Chinese)

  • zh_TW (Traditional Chinese)

  • pt_BR (Brazilian Portuguese)

then users cannot see the report in that locale: the entire report, including labels, headers, titles and so on, appears in English, while the other locales display the translated text as expected. For example, when Oracle Business Intelligence Publisher is started in zh_CN, the text is not shown in zh_CN even though the preferred locale is set to zh_CN; the information is displayed in English.

This issue will be fixed in a future release of Oracle Business Intelligence Publisher.

30.2.1.3 Audit Reports Always Display in English

The standard audit reports packaged with Oracle Business Intelligence Publisher support a number of languages.

Because of a bug, report titles and descriptions are displayed in English even when translations for them exist.

This issue will be fixed in a future release of Oracle Business Intelligence Publisher.

30.2.2 User and Role API Customization

Oracle Fusion Middleware supports providers that enable the User and Role API to interact with custom identity stores.

For details about creating a custom User and Role provider, see the OPSS page in Oracle Technology Network at:

http://www.oracle.com/technology/products/id_mgmt/opss/index.html

30.2.3 Trailing '\n' Character in Bootstrap Key

In 11gR1, the process that reassociates XML stores to LDAP stores creates a bootstrap key with a trailing newline character '\n' (written in XML as the character reference '&#xA;'). This key value is written to the file jps-config.xml and stored in the wallet; in both places the value contains the trailing '\n'.

When that same wallet is reused in 11gR1 PS1, the system trims the trailing '\n' when it retrieves the bootstrap key, but the value stored in the wallet still contains it. The requested and stored key values therefore no longer match, which leads to errors.

To resolve this issue, proceed as follows:

  1. Use the WLST command modifyBootStrapCredential to reprovision wallet credentials without trailing '\n'. For details on the command usage, see section 9.5.2.5 in the Oracle Fusion Middleware Security Guide.

  2. Manually edit the file jps-config.xml and remove the trailing '&#xA;' from the value of any bootstrap key.

This problem arises only in the scenario above, that is, when an 11gR1 wallet is reused in 11gR1 PS1. In particular, reassociating in an 11gR1 PS1 environment does not produce the trailing character.
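The check and the jps-config.xml half of the fix (step 2 above) can be scripted. The following is an added example for this note, not Oracle's code: it assumes the 11g jps-config.xml layout in which each LDAP-backed serviceInstance carries a bootstrap.security.principal.key property; the namespace URI, the key values and the sample file itself are assumptions constructed for the example.

```python
"""Detect and strip the trailing newline in OPSS bootstrap keys in jps-config.xml.

Added example, not Oracle's code. Assumes the 11g jps-config.xml layout
(namespace URI assumed; the sample document is constructed).
"""
import xml.etree.ElementTree as ET

JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"  # assumed
BOOTSTRAP_KEY_PROP = "bootstrap.security.principal.key"
ET.register_namespace("", JPS_NS)  # keep the default namespace when re-serialising

# Constructed sample: credstore.ldap was reassociated under 11gR1 and carries
# the trailing &#xA; the note describes; policystore.ldap is clean.
SAMPLE_JPS_CONFIG = f"""<jpsConfig xmlns="{JPS_NS}">
  <serviceInstances>
    <serviceInstance name="credstore.ldap" provider="ldap.credentialstore.provider">
      <property name="bootstrap.security.principal.map" value="BOOTSTRAP_JPS"/>
      <property name="bootstrap.security.principal.key" value="bootstrap_12ab34cd&#xA;"/>
    </serviceInstance>
    <serviceInstance name="policystore.ldap" provider="ldap.policystore.provider">
      <property name="bootstrap.security.principal.map" value="BOOTSTRAP_JPS"/>
      <property name="bootstrap.security.principal.key" value="bootstrap_12ab34cd"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _bootstrap_key_props(root):
    """Yield (serviceInstance name, property element) for every bootstrap key."""
    for inst in root.iter():
        if _local(inst.tag) != "serviceInstance":
            continue
        for prop in inst:
            if _local(prop.tag) == "property" and prop.get("name") == BOOTSTRAP_KEY_PROP:
                yield inst.get("name"), prop


def bootstrap_keys(xml_text):
    """Map service instance name -> key value; the parser has already decoded &#xA; to a newline."""
    root = ET.fromstring(xml_text)
    return {name: prop.get("value", "") for name, prop in _bootstrap_key_props(root)}


def keys_with_trailing_newline(xml_text):
    """Names of the service instances whose bootstrap key ends in a newline."""
    return sorted(n for n, v in bootstrap_keys(xml_text).items() if v.endswith("\n"))


def strip_trailing_newlines(xml_text):
    """Return the document with the trailing newline removed from every bootstrap key."""
    root = ET.fromstring(xml_text)
    for _, prop in list(_bootstrap_key_props(root)):
        prop.set("value", prop.get("value", "").rstrip("\n"))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("instances with a trailing newline:", keys_with_trailing_newline(SAMPLE_JPS_CONFIG))
    print(strip_trailing_newlines(SAMPLE_JPS_CONFIG))
```

Because the comparison is made on the parsed attribute value, the check catches the newline whether the file spells it '&#xA;' or '&#10;'. Rewriting jps-config.xml is only half of the fix: the wallet still has to be reprovisioned with modifyBootStrapCredential (step 1), and the server restarted, before the two values match again.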

30.2.4 Unable to Connect to LDAP Authenticator

The connections that client applications use to query an LDAP authenticator through the User and Role API are held in a connection pool. Out of the box this pool is the JNDI pool, as specified in the file jps-config.xml.

If the number of open connections in the pool exceeds the maximum allowed by the LDAP service, client applications cannot connect to the service or, if already connected, receive a "socket closed" exception. In this case the server log indicates that the number of concurrent connections allowed has been exceeded.

To avoid hitting this limit, adjust the maximum number of concurrent connections allowed by the LDAP service to the application's needs. The value needs careful tuning: too small a maximum causes the exception above; too large a maximum lets a single runaway or malicious client exhaust the LDAP service's connections, a denial of service (DoS) risk. The correct maximum depends on your application and on the particular LDAP service it uses.

There are two alternative workarounds that resolve this issue:

  • Increase the maximum number of concurrent connections allowed by the authenticator:

    • If the authenticator your application is using is the WebLogic Embedded LDAP authenticator, then edit the file DomainName/servers/MyServerName/data/ldap/conf/vde.prop, and increase the value of the property vde.quota.max.conpersubject from the default 100 to, for example, 200, or any other larger value.

    • Otherwise, if your application is using any other authenticator, consult the authenticator's documentation to learn how to modify the maximum.

  • Edit the file DomainName/config/fmwconfig/jps-config.xml and remove the property CONNECTION_POOL_CLASS from the authenticator server instance (by default, this property has the value oracle.security.idm.providers.stdldap.JNDIPool).

Note that (a) these workarounds do not exclude each other, that is, you can carry out both of them; and (b) in any case, you must restart the server for the changes to take effect.
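Both workarounds are edits to text files and can be made, and checked, from a script. The following is an added example for this note, not Oracle's code: it treats vde.prop as a Java properties file and jps-config.xml in its 11g layout; the namespace URI and both sample documents are assumptions constructed for the example, and the paths are the ones named above (DomainName/servers/MyServerName/data/ldap/conf/vde.prop and DomainName/config/fmwconfig/jps-config.xml).

```python
"""Apply and verify the two LDAP connection-limit workarounds.

Added example, not Oracle's code. vde.prop is handled as a Java properties
file; jps-config.xml in its 11g layout (namespace URI assumed; samples constructed).
"""
import xml.etree.ElementTree as ET

QUOTA_PROP = "vde.quota.max.conpersubject"
QUOTA_DEFAULT = 100                      # embedded LDAP default named in the note
POOL_PROP = "CONNECTION_POOL_CLASS"
JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"  # assumed
ET.register_namespace("", JPS_NS)        # keep the default namespace when re-serialising

SAMPLE_VDE_PROP = """# constructed sample of the embedded LDAP server settings
vde.quota.max.conpersubject=100
"""

# Constructed sample of the identity store instance with the default JNDI pool.
SAMPLE_JPS_CONFIG = f"""<jpsConfig xmlns="{JPS_NS}">
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
                value="oracle.security.jps.idstore.provider.IdStoreConfigProvider"/>
      <property name="CONNECTION_POOL_CLASS"
                value="oracle.security.idm.providers.stdldap.JNDIPool"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def embedded_ldap_quota(vde_prop_text):
    """Current value of vde.quota.max.conpersubject, or the default when it is absent."""
    for line in vde_prop_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):   # properties-file comments
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == QUOTA_PROP:
            return int(value.strip())
    return QUOTA_DEFAULT


def raise_quota(vde_prop_text, new_max):
    """Workaround 1: set the quota, rewriting the existing line or appending one."""
    if new_max <= 0:
        raise ValueError("quota must be positive")
    lines, done = [], False
    for line in vde_prop_text.splitlines():
        key, sep, _ = line.partition("=")
        is_comment = line.lstrip().startswith(("#", "!"))
        if sep and key.strip() == QUOTA_PROP and not is_comment:
            lines.append(f"{QUOTA_PROP}={new_max}")
            done = True
        else:
            lines.append(line)
    if not done:
        lines.append(f"{QUOTA_PROP}={new_max}")
    return "\n".join(lines) + "\n"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def remove_connection_pool_class(xml_text):
    """Workaround 2: drop CONNECTION_POOL_CLASS from every serviceInstance.

    Returns (new document, number of properties removed).
    """
    root = ET.fromstring(xml_text)
    instances = [e for e in root.iter() if _local(e.tag) == "serviceInstance"]
    removed = 0
    for inst in instances:
        for prop in list(inst):          # copy: we mutate the children while looping
            if _local(prop.tag) == "property" and prop.get("name") == POOL_PROP:
                inst.remove(prop)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("quota now:", embedded_ldap_quota(SAMPLE_VDE_PROP))
    print(raise_quota(SAMPLE_VDE_PROP, 200))
    doc, n = remove_connection_pool_class(SAMPLE_JPS_CONFIG)
    print(f"removed {n} pool property:\n{doc}")
```

raise_quota only accepts a positive value; pick the new maximum from the application's measured concurrency rather than an arbitrary large number, for the DoS reason given above. A restart is still required after either file is changed.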

30.3 Documentation Errata

This section describes documentation errata. It contains these topics:

30.3.1 Developing with the Credential Store Framework

This section specifies corrections to Chapter 17, Developing with the Credential Store Framework, of the Oracle Fusion Middleware Security Guide.

30.3.1.1 Updates to Example 1: JavaSE Application with Wallet Store

In section 17.7.2, "Example 1: JavaSE Application with Wallet Store", in the example jazn-data.xml, change the name elements as follows:

Change:

<name>*context=SYSTEM,mapName=pc_map,keyName=**</name>

to:

<name>context=SYSTEM,mapName=pc_map,keyName=*</name>

Change:

<name>*context=SYSTEM,mapName=gc_map,keyName=gc_key*</name>

to:

<name>context=SYSTEM,mapName=gc_map,keyName=gc_key</name>

30.3.1.2 Updates to Example 2: JavaEE Application with Wallet Store

In section 17.7.3, "Example 2: JavaEE Application with Wallet Store", in the example jazn-data.xml, change the codesource element to include the deployed application name, so that the grant applies only to that application rather than to everything deployed under _WL_user, as follows:

Change:

<codesource>
   <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/-</url>
</codesource>

to:

<codesource>
   <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/myTestApp/-</url>
</codesource>
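The erratum above is an instance of a general least-privilege check: a codesource URL ending in _WL_user/- matches every application the server has deployed, so a credential permission granted to it is granted to all of them. The following added example (not Oracle's code, and not part of the Security Guide) finds such grants in a jazn-data.xml and narrows them to one application; the grant layout follows the 11g jazn-data.xml format, the application name myTestApp and the sample document are constructed for the example.

```python
"""Find credential grants scoped to all of _WL_user and narrow them to one application.

Added example, not Oracle's code. Sample jazn-data.xml below is constructed.
"""
import xml.etree.ElementTree as ET

SERVER_WIDE_SUFFIX = "/_WL_user/-"   # matches every deployed application

# Constructed sample: the first grant is scoped server-wide (the form the
# erratum corrects), the second is already limited to myTestApp.
SAMPLE_JAZN_DATA = """<jazn-data>
  <policy-store>
    <applications>
      <application>
        <name>myTestApp</name>
        <jazn-policy>
          <grant>
            <grantee>
              <codesource>
                <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/-</url>
              </codesource>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                <name>context=SYSTEM,mapName=gc_map,keyName=gc_key</name>
                <actions>read,write</actions>
              </permission>
            </permissions>
          </grant>
          <grant>
            <grantee>
              <codesource>
                <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/myTestApp/-</url>
              </codesource>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                <name>context=SYSTEM,mapName=pc_map,keyName=*</name>
                <actions>read,write</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
"""


def grant_scopes(xml_text):
    """Return (codesource url, [permission names]) for every grant that names a codesource."""
    root = ET.fromstring(xml_text)
    scopes = []
    for grant in root.iter("grant"):
        url = grant.find("grantee/codesource/url")
        if url is None or not url.text:
            continue
        names = []
        for perm in grant.iter("permission"):
            name = perm.find("name")
            if name is not None and name.text:
                names.append(name.text.strip())
        scopes.append((url.text.strip(), names))
    return scopes


def is_server_wide(url):
    """True when the codesource covers every application under _WL_user."""
    return url.endswith(SERVER_WIDE_SUFFIX)


def find_server_wide_grants(xml_text):
    """The grants a reviewer should flag: permissions handed to all deployed applications."""
    return [(url, names) for url, names in grant_scopes(xml_text) if is_server_wide(url)]


def scope_codesource(url, app_name):
    """Narrow a server-wide codesource to one deployed application; other URLs are unchanged."""
    if not is_server_wide(url):
        return url
    return url[:-len("-")] + app_name + "/-"


if __name__ == "__main__":
    for url, names in find_server_wide_grants(SAMPLE_JAZN_DATA):
        print("server-wide grant:", url, names)
        print("  should be:", scope_codesource(url, "myTestApp"))
```

The same check applies to any permission class, not only CredentialAccessPermission; the wider the codesource, the more code can read or write the credentials the grant names.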

30.3.2 Developing with the User and Role API

This section specifies corrections to Chapter 19, Developing with the User and Role API, of the Oracle Fusion Middleware Security Guide.

30.3.2.1 ECID Propagation

By default, ECID support is disabled in the User and Role API.

When initializing the API, set the ST_ECID_ENABLED property to true for ECID support. For example:

factEnv.put(OVDIdentityStoreFactory.ST_ECID_ENABLED, "true");

Note:

This action is necessary only if either Oracle Internet Directory or Oracle Virtual Directory is used as the back-end identity store. It is not necessary if you use other repositories like Microsoft Active Directory or Novell eDirectory.