37 Oracle Identity Manager

This chapter describes issues associated with Oracle Identity Manager. It includes the following topics:

37.1 Patch Requirements

This section describes patch requirements for Oracle Identity Manager 11g Release 1 (11.1.1). It includes the following sections:

37.1.1 Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)

To obtain a patch from My Oracle Support (formerly OracleMetaLink), go to following URL, click Patches and Updates, and search for the patch number:


37.1.2 Patch Requirements for Oracle Database 11g (

Table 37-1 lists patches required for Oracle Identity Manager 11g Release 1 (11.1.1) configurations that use Oracle Database 11g ( Before you configure Oracle Identity Manager 11g, be sure to apply the patches to your Oracle Database 11g ( database.

Table 37-1 Required Patches for Oracle Database 11g (

Platform Patch Number and Description on My Oracle Support

UNIX / Linux







8617824: MERGE LABEL REQUEST ON TOP OF FOR BUGS 7628358 7598314

Windows 32 bit


Windows 64 bit


37.1.3 Patch Requirements for Segregation of Duties (SoD)

Table 37-2 lists patches that resolve known issues with Segregation of Duties (SoD) functionality:

Table 37-2 SoD Patches

Patch Number / ID Description and Purpose

Patch number 9819201 on My Oracle Support

Apply this patch on the SOA Server to resolve the known issue described in "SoD Check During Request Provisioning Fails While Using SAML Token Client Policy When Default SoD Composite is Used".

The description of this patch on My Oracle Support is "ERROR WHILE USING SAML TOKEN CLIENT POLICY FOR CALLBACK."

Patch ID 3M68 using the Oracle Smart Update utility. Requires passcode: 6LUNDUC7.

Using the Oracle Smart Update utility, apply this patch on the Oracle WebLogic Server to resolve the known issue described in "SoD Check Fails While Using Client-Side Policy in Callback Invocation During Request Provisioning".

37.1.4 Patch Upgrade Requirement

While applying the patch provided by Oracle Identity Manager, the following error is generated:

ApplySession failed: ApplySession failed to prepare the system.

OPatch version must be upgraded to version to meet the version requirement.

See "Obtaining Patches From My Oracle Support (Formerly OracleMetaLink)" for information about downloading OPatch from My Oracle Support.

37.2 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

37.2.1 Do Not Use Platform Archival Utility

Currently, the Platform Archival Utility is not supported and should not be used.

To work around this issue, use the predefined scheduled task named Orchestration Process Cleanup Task to delete all completed orchestration processes and related data.

37.2.2 SPML-DSML Service is Unsupported

Oracle Identity Manager's SPML-DSML Service is currently unsupported in 11g Release 1 (11.1.1). However, you can manually deploy the spml-dsml.ear archive file for Microsoft Active Directory password synchronization.

37.2.3 Resource Object Names Longer than 100 Characters Cause Import Failure

If a resource object name is more than 100 characters, an error occurs in the database and the resource object is not imported. To work around this issue, change the resource object's name in the XML file so the name is less than 100 characters.

37.2.4 Limitations for Child Table Restrictions in Request Templates

When creating or modifying a request template, you must use one of the following conditions for child table restrictions:

  • Ensure there is more than one possible value.

  • Ensure there are no restrictions placed on the child table.

37.2.5 Status of Users Created Through the Create and Modify User APIs

You cannot create users in Disabled State. Users are always created in Active State.

The Create and Modify User APIs do not honor the Users.Disable User attribute value. If you pass a value to the Users.Disable User attribute when calling the Create API, Oracle Identity Manager ignores this value and the USR table is always populated with a value of 0, which indicates the user's state is Active.

Use the Disable API to disable a user.

37.2.6 Status of Locked Users in Oracle Access Manager Integrations

When Oracle Access Manager locks a user account in an Oracle Identity Manager-Oracle Access Manager integration, it may take approximately five minutes, or the amount of time defined by the incremental reconciliation scheduled interval, for the status of the locked account to be reconciled and appear in Oracle Identity Manager. However, if a user account is locked or unlocked in Oracle Identity Manager, the status appears immediately.

37.2.7 Generating an Audit Snapshot after Bulk-Loading Users or Accounts

The GenerateSnapshot.[sh|bat] option does not work correctly when invoked from the Bulkload utility. To work around this issue and generate a snapshot of the initial audit after bulk loading users or accounts, you must run GenerateSnapshot.[sh|bat] from the $OIM_HOME/bin/ directory.

37.2.8 GenerateSnapshot and GenerateGPASnapshot Utilities Fail on SSL-enabled Systems

The GenerateSnapshot and GenerateGPASnapshot utilities both require a JDBC URL to be passed as an argument. However, Oracle Identity Manager cannot display the usage if the server is SSL-enabled. The snapshot fails and an error results. Currently, no workaround exists for this issue.

37.2.9 Browser Timezone Not Displayed

Due to an ADF limitation, the browser timezone is currently not accessible to Oracle Identity Manager. Oracle Identity Manager bases the timezone information in all date values on the server's timezone. Consequently, end users will see timezone information in the date values, but the timezone value will display the server's timezone.

37.2.10 Date Format Change in the SoD Timestamp Field Not Supported

The date-time value that end users see in the Segregation of Duties (SoD) Check Timestamp field on the SoD Check page will always display as "YYYY-MM-DD hh:mm:ss" and this format cannot be localized.

To work around this localization issue, perform the following steps:

  1. Open the "Oracle_eBusiness_User_Management_9." file.

  2. In the EBS Connector import xml, locate the SoDCheckTimeStamp field for the Process Form. Change <SDC_FIELD_TYPE> to 'DateFieldDlg' and change <SDC_VARIANT_TYPE> to 'Date' as shown in the following example:

                 <SDC_UPDATE>!Do not change this field!</SDC_UPDATE>
  3. Import the Connector.

  4. Enable SoD Check.

  5. Provision the EBS Resource with entitlements to trigger an SoD Check.

  6. Check the SoDCheckTimeStamp field in Process Form to confirm it is localized like the other date fields in the form.

37.2.11 Bulk Loading CSV Files with UTF-8 BOM Encoding Not Supported

Bulk loading a CSV file for which UTF-8 BOM (byte order mark) encoding is specified causes an error. However, bulk-loading UTF-8 encoded CSV files works as expected if you specify "no BOM" encoding.

To work around this issue,

  • If you want to load non-ASCII data, you must change your CSV file encoding to "UTF-8 no BOM" before loading the CSV file.

  • If your data is stored in CSV files with "UTF-8 BOM" encoding, you must change them to "UTF-8 no BOM" encoding before running the bulkload script.

37.2.12 Date Type Attributes are Not Supported for the Default Scheduler Job, "Job History Archival"

The default Scheduler job, "Job History Archival," does not support date type attributes.

The "Archival Date" attribute parameter in "Job History Archival" only accepts string patterns such as "ddMMyyyy" and "MMM DD, yyyy."

When you run a Scheduler job, the code checks the date format. If you enter the wrong format, an error similar to the following example, displays in the execution status list and in the log console:

<IAM-1020063> <Incorrect format of Archival Date parameter. Archival Date is expected in DDMMYYYY or UI Date format.>

The job cannot run successfully until you input the correct Archival Date information.

37.2.13 Low File Limits Prevent Adapters from Compiling

On machines where the file limits are set too low, trying to create and compile an entity adapter causes a "Too many open files" error and the adapter will not compile.

To work around this issue, change the file limits on your machine to the following (located in /etc/security/limits.conf) and then restart the machine:

  • soft nofile 4096

  • hard nofile 4096

37.2.14 Reconciliation Engine Requires Matching Rules

Currently, Oracle Identity Manager's Reconciliation Engine in 11g Release 1 (11.1.1) requires you to define a matching rule to identify the users for every connector in reconciliation. Errors will occur during reconciliation if you do not define a matching rule to identify users.

37.2.15 SPML Requests Do Not Report When Any Date is Specified in Wrong Format

When any date, such as activeStartDate, hireDate, and so on, is specified in an incorrect format, the Web server does not pass those values to the SPML layer. Only valid dates are parsed and made available to SPML. Consequently, any SPML request that contains an invalid date format is ignored and not available for that operation. For example, if you specify the HireDate month as "8" instead of "08," the HireDate will not be populated after the Create request is completed and no error message is displayed.

The supported date format is:

yyyy-MM-dd hh:mm:ss.fffffffff

No other date format is supported.

37.2.16 Logs Populated with SoD Exceptions When the SoD Message Fails and Gets Stuck in the Queue

SoD functionality uses JMS-based processing. Oracle Identity Manager submits a message to the oimSODQueue for each SoD request. If for some reason an SoD message always results in an error, Oracle Identity Manager never processes the next message in the oimSODQueue. Oracle Identity Manager always picks the same error message for processing until you delete that message from the oimSODQueue.

To work around this issue, use the following steps to edit the queue properties and to delete the SoD message in oimSODQueue:

  1. Log on to the Weblogic Admin Console at http://<hostname>:<port>/console

  2. From the Console, select Services, Messaging, JMS Modules.

  3. Click OIMJMSModule. All queues will be displayed.

  4. Click oimSODQueue.

  5. Select the Configurations, Delivery Failure tabs.

  6. Change the retry count so that the message can only be submitted a specified number of times.

  7. Change the default Redelivery Limit value from -1 (which means infinite) to a specific value. For example, if you specify 1, the message will be submitted only once.

  8. To review and delete the SoD error message, go to the Monitoring tab, select the message, and delete it.

37.2.17 A Backslash (\) Cannot Be Used in a weblogic.properties File

If you are using the WeblogicImportMetadata.cmd utility to import data to MDS, then do not use a backslash (\) character in a path in the weblogic.properties file, or an exception will occur.

To work around this issue, you must use a double backslash (\\) or a forward slash (/) on Microsoft Windows. For example, change metadata_from_loc=C:\metadata\file to metadata_from_loc=C:\\metadata\\file in the weblogic.properties file.

37.2.18 Underscore Character Cannot Be Used When Searching for Resources

When you are searching for a resource object, do not use an underscore character (_) in the resource name. The search feature ignores the underscore and consequently does not return the expected results.

37.2.19 Assign to Administrator Action Rule is Not Supported by Reconciliation

Reconciliation does not support the Assign to Administrator Action rule.

To work around this issue, change the Assign to Administrator to None in the connector XML before importing the connector. However, after changing the value to None, you cannot revert to Assign to Administrator.

37.2.20 Some Buttons on Attestation Screens Do Not Work in Firefox

If you are creating attestations in a Firefox Web browser and you click certain buttons, nothing happens.

To work around this issue, click the Refresh button to refresh the page.

37.2.21 The maxloginattempts System Property Causes Autologin to Fail When User Tries to Unlock

WLS Security Realm has a default lock-out policy that locks out users for some time after several unsuccessful login attempts. This policy can interfere with the locking and unlocking functionality of Oracle Identity Manager.

To prevent the WLS Security Realm lock-out policy from affecting the lock/unlock functionality of Oracle Identity Manager, you must set the 'Lockout Threshold' value in the WLS 'User Lockout Policy' to at least 5 more than the value in Oracle Identity Manager. For example, if the value in Oracle Identity Manager is set to 10, you must set the WLS 'Lockout Threshold' value to 15.

To change the default values for the 'User lockout Policy,' perform the following steps:

  1. Open the WebLogic Server Administrative Console.

  2. Select Security Realms, REALM_NAME.

  3. Select the User Lockout tab.

  4. If configuration editing is not enabled, then click the Lock and Edit button to enable configuration editing.

  5. Change the value of lockout threshold to the required value.

  6. Click Save to save the changes.

  7. Click Activate to activate your changes.

  8. Restart all the servers in the domain.

37.2.22 "<User not found>" Error Message Appears in AdminServer Console While Setting-Up an Oracle Identity Manager-Oracle Access Manager Integration

When you set up Oracle Identity Manager-Oracle Access Manager Integration with a JAVA agent and log into the Admin Server Console, a "<User not found>" error message is displayed. This message displays even when the login is successful.

37.2.23 Do Not Use Single Quote Character in Reconciliation Matching Rule

If you use the single quote character (') in a Reconciliation Matching rule (for example, 'B'1USER1'), reconciliation will fail with an exception.

37.2.24 Do Not Use Special Characters When Reconciling Roles from LDAP

Due to a limitation in the Oracle SOA Infrastructure, do not use special characters such as commas (,) in role names, group names, or container descriptions when reconciling roles from LDAP. Oracle Identity Manager's internal code uses special characters as delimiters. For example, Oracle Identity Manager uses commas (,) as approver delimiters and the SOA HWF-level global configuration uses commas as assignee delimiters.

37.2.25 SoD Check During Request Provisioning Fails While Using SAML Token Client Policy When Default SoD Composite is Used

SoD check fails and the following error is displayed on the SOA console when SoD check is performed during request provisioning only when the Default SoD Check composite is used:

SEVERE: FabricProviderServlet.handleException Error during retrieval of test page or composite resourcejavax.servlet.ServletException: java.lang.NullPointerException

This happens when Callback is made from OIM to SOA with the SoDCheck Results.

To resolve this issue, apply patch 9819201 on the SOA server. You can obtain patch 9819201 from My Oracle Support. The description of this patch on My Oracle Support is "ERROR WHILE USING SAML TOKEN CLIENT POLICY FOR CALLBACK."

For more information, refer to:

37.2.26 SoD Check Fails While Using Client-Side Policy in Callback Invocation During Request Provisioning

SoD check fails and following error is displayed on the Oracle Identity Manager Administrative and User Console when SoD check is performed during request provisioning only when the Default SoD Check composite is used:

<Error> <oracle.wsm.resources.policymanager><WSM-02264> <"/base_domain/oim_server1/oim/unknown/iam-ejb.jar/WEBSERVICECLIENTs/SoDCheckResultService/PORTs/ResultPort" is not a recognized resource pattern.>
<Error> <oracle.iam.sod.impl> <IAM-4040002><Error getting Request Service : java.lang.IllegalArgumentException: WSM-02264 "/base_domain/oim_server1/oim/unknown/iam-ejb.jar/WEBSERVICECLIENTs/SoDCheckResultService/PORTs/ResultPort" is not a recognized resource pattern.>

To resolve this issue, use the Oracle Smart Update utility to apply patch ID 3M68, which requires passcode of 6LUNDUC7, on Oracle WebLogic Server. For more information, refer to:

37.2.27 Error While Starting Remote Manager on AIX

On starting remote manager from Oracle_IDM1/remote_manager by running the remotemanager.sh script on AIX, it shows the following error:

Class/Method: RMISSLServerSocketFactory/createServerSocket Remote Manager server socket port is 12346
Exception in thread "main" java.lang.NoClassDefFoundError: com.sun.net.ssl.SSLContext

To work around this issue, perform the following steps after installing the remote manager:

  1. Open Oracle_IDM1/remote_manager/config/xlconfig.xml.

  2. Change the value for KeyManagerFactory from SUNX509 to IBMX509.

On creating an IT Resource with Type chosen as Remote Manager by selecting the Create an IT Resource option in OIM application, the following error is seen:

<XELLERATE.WEBAPP> <BEA-000000> <Class/Method: tcAction/execute encounter some problems:
javax.servlet.ServletException: java.lang.NoClassDefFoundError: com/sun/net/ssl/SSLContext>

To work around this issue, perform the following steps:

  1. Login to Enterprise Manager:

  2. Right-click on Domains, select Base domain, select cluster, and then select oim_server1.

  3. Select system Mbean browser, select oracle.iam, select Server: oim_server1, select Application: oim, select XMLConfig, select Config, select XMLConfig.RemoteManager, and then select RemoteManager.

  4. Change the value for KeyManagerFactory from SUNX509 to IBMX509.

  5. Click Apply.

  6. Restart the oim_server.

37.2.28 Error May Appear During Provisioning when Generic Technology Connector Framework Uses SPML

When using the generic technology connector framework uses SPML, during provisioning, the following error may appear:

<SPMLProvisioningFormatProvider.formatData :problem with Velocity Template Unable
to find resource 'com/thortech/xl/gc/impl/prov/SpmlRequest.vm'>

If the error occurs, it blocks provisioning by using the predefined SPML GTC provisioning format provider. Restarting the Oracle Identity Manager server prevents the error from appearing again.

37.2.29 Benign Exception May Appear When Using Repository Creation Utility to Seed Schedule Jobs

When using the Repository Creation Utility (RCU) to seed Schedule Jobs, the following exception may appear in the SeedSchedulerData.log file:

***** Seeding job and trigger 
Exception occurs during scheduling 
org.quartz.JobPersistenceException: Couldn't obtain triggers for job: 
oracle.iam.scheduler.vo.Trigger [See nested exception: 
oracle.iam.scheduler.vo.Trigger]Exception: Couldn't obtain triggers for job: 
Couldn't obtain triggers for job: oracle.iam.scheduler.vo.Trigger [See nested 
exception: java.lang.ClassNotFoundException: oracle.iam.scheduler.vo.Trigger]

This error is benign and can safely be ignored, as there is no loss of functionality.

37.2.30 Cannot Delete Approval Policies After Restarting Server

After restarting the Oracle Identity Manager server, you cannot delete an existing Approval Policy—though you can delete Approval Policies that you add after restarting the server.

To work around this issue, after restarting the server, open the Approval Policy that you want to delete, make an inconsequential change to it, such as slightly changing the description, and save the updated Approval Policy. You can now delete the updated Approval policy.

37.2.31 Cannot Click Buttons in TransUI When Using Mozilla Firefox

When using the Mozilla Firefox browser, in certain situations, some buttons in the legacy user interface, also known as TransUI, cannot be clicked. This issue occurs intermittently and can be resolved by using Firefox's reload (refresh) function.

37.2.32 LDAP Handler May Cause Invalid Exception While Creating, Deleting, or Modifying a Role

If an LDAP handler causes an exception when you create, modify, or delete a role, an invalid error message, such as System Error or Role does not exist, may appear.

To work around this issue, look in the log files, which will display the correct error message.

37.2.33 Cannot Reset User Password Comprised of Non-ASCII Characters

If a user's password is comprised of non-ASCII characters, and that user tries to reset the password from either the My Profile or initial login screens in the Oracle Identity Manager Self Service interface, the reset will fail with the following error message:

Failed to change password during the validation of the old password


This error does not occur with user passwords comprised of only ASCII characters.

To work around this issue, perform the following steps:

  1. Set the JVM file encoding to UTF8, for example: -Dfile.encoding=UTF-8


    On Windows systems, this may cause the console output to appear distorted, though output in the log files appear correctly.
  2. Restart the Oracle WebLogic Server.

37.2.34 Benign Exception and Error Message May Appear While Patching Authorization Policies

When patches are applied to the Authorization Polices that are included with Oracle Identity manager and the JavaSE environment registers the Oracle JDBC driver, java.security.AccessControlException is reported and the following error message appears:

Error while registering Oracle JDBC Diagnosability MBean

You can ignore this benign exception, as the Authorization Policies are seeded successfully, despite the exception and error messages.

37.2.35 The DateTime Pick in the Trans UI Does Not Work Correctly in the Thai Locale

When locale is set to th_TH in Microsoft Windows Internet Explorer Web browser, the datetime in Oracle Identity Manager follows the Thai Buddhist calendar. In the Create Attestation page of the Administrative and User Console, when you select a date for start time, the year is displayed according to the Thai Buddhist calendar, for example, 2553. After you click OK, the equivalent year according to the Gregorian calendar, which is 2010, is displayed in the start time field. But when you click Next to continue creating the attestation, an error message is displayed stating that the start time of the process must not belong to the past.

To workaround this issue, perform any one of the following:

  • Specify the datetime manually.

  • Use Mozilla Firefox Web browser, which uses the Gregorian calendar.

37.2.36 End-User Administrator Changes to End-User if Request Involving the Same User is Created

Request is raised for a beneficiary for whom the Design Console Access flag is ON. The privileges the user has with this flag ON is that of the End-User Administrator role.

To workaround this issue, while raising a request for such a user, make sure that you select or set the flag again so that the privileges are maintained. Otherwise, the Flag will be cleared off and another administrator user will have to grant the privileges back to the user.

37.2.37 User Without Access Policy Administrators Role Cannot View Data in Access Policy Reports

OIM user without the ACCESS POLICY ADMINISTRATORS role cannot view data in the following reports:

  • Access Policy Details

  • Access Policy List by Role

To workaround this issue:

  1. Assign the ACCESS POLICY ADMINISTRATORS role to an OIM user.

  2. Create a BI Publisher user with the same username in Step 1. Assign appropriated BI Publisher role to view reports.

  3. Login as the BI Publisher user mentioned in step 2. View the Access Policy Details and Access Policy List by Role reports. All access policies are displayed.

37.2.38 Archival Utility Throws an Error for Empty Date

In case of empty date, archival utility throws an error message, but proceeds to archive data by mapping to the current date. Currently, no workaround exists for this issue.

37.2.39 TransUI Closes with Direct Provisioning of a Resource

TransUI closes while doing a direct provisioning if user defined field (UDF) is created with the default values. To work around this issue, you need to create a Lookup Code for the INTEGER/DOUBLE type UDF in the LKU/LKV table.

37.2.40 Scheduler Throws "ParameterValueTypeNotSupportedException" Instead of "RequiredParameterNotSetException"

On AIX platform, when a required parameter is missing during the creation of a scheduler job, instead of throwing "RequiredParameterNotSetException" with the error message "The value is not set for required parameters of a scheduled task.", it throws "ParameterValueTypeNotSupportedException" with the error message "Parameter value is not set properly". Currently, no workaround exists for this issue.

37.2.41 All New User Attributes Are Not Supported for Attestation in Oracle Identity Manager 11g

New user attributes are added in Oracle Identity Manager 11g. Not all of them are available for Attestation while defining user-scope. However, Attestation has been enhanced to include the following user attributes:





Currently, no workaround exists for this issue.

37.2.42 LDAP GUID Mapping to Any Field of Trusted Resource Not Supported

Update fails in LDAP, if LDAP GUID is mapped to any field of trusted resource in LDAP-SYNC enabled installation. To work around this issue, Oracle does not recommend mapping for LDAP GUID field while creating reconciliation field mapping for a trusted resource.

37.2.43 User Details for Design Console Access Field Must Be Mapped to Correct Values When Reading Modify Request Results

When a Modify Request is raised, "End-User" and "End-User Administrator" values are displayed for the "Design Console Access" field. These values must be mapped to False/True while interpreting the user details.

37.2.44 Non-ASCII Text in Approval Policy Rules Might Be Garbled

If an approval policy rule contains non-ASCII characters, these characters might not be displayed correctly on the UI after the policy is exported with Deployment Manager.

Currently, no workaround exists for this issue.

37.2.45 Cannot Create a User Containing Asterisks if a Similar User Exists

If you try to create a user that contains an asterisk (*) after creating a user with a similar name, the attempt will fail. For example, if you create user test1test, followed by test*test, test*test will not be created.

It is recommended to not create users with asterisks in the User Login field.

37.2.46 Blank Status Column Displayed for Past Proxies

The Status field on the Post Proxies page is blank. However, active proxies are displayed correctly on Current Proxies page.

Currently, no workaround exists for this issue.

37.2.47 Mapping the Password Field in a Reconciliation Profile Prevents Users from Being Created

The Password field is available to be mapped with a reconciliation profile, but it should not be used. Attempting to map this field will generate a reconciliation event that will not create users. (The event ends in "No Match Found State".) In addition, you will not be able to re-evaluate or manually link this event.

37.2.48 UID Displayed as User Login in User Search Results

Although you can select the UID attribute from the Search Results Table Configuration list on the Search Configuration page of the Advanced Administration, the Advanced Search: Users results table displays the User Login field instead of the UID field.

37.2.49 Roles/Organizations Browse Trees Disappear

After you delete an organization, the Browse trees for organizations and roles might not be displayed.

To work around this issue, click the Search Results tab, then click the Browse tab. The roles and organizations browse trees display correctly.

37.2.50 Entitlement Selection Is Not Optional for Data Gathering

Entitlement (Child Table) selection during data gathering on the process form, for the "Depends On (Depended)" attribute is not optional. During data gathering, if dependent lookups are configured, then the user has to select the parent lookup value so that filtering happens on the child lookup and thus user gets a final list of entitlements to select . Currently, no workaround exists to directly filter the values based on the child lookup.

37.2.51 Oracle Identity Manager Server Throws Generic Exception While Deploying a Connector

Generic exceptions are shown in server logs every time deployment manager import happens or profile changes manually or profile changes via design console. This is because "WLSINTERNAL" is not an authorized user of Oracle Identity Manager. "WLSINTERNAL" is an internal user of WebLogic Server, and MDS uses it to invoke MDS listeners if there is a change in XMLs stored in MDS. Currently, no workaround exists for this issue.

37.2.52 Create User API Allows Any Value for the "Users.Password Never Expires", "Users.Password Cannot Change", and "Users.Password Must Change" Fields

Create User API allows the user to set any value between 0 and 9 instead of 0 or 1 for "Users.Password Never Expires", "Users.Password Cannot Change" and "Users.Password Must Change" fields. However, any value other than 0 is considered as TRUE and 0 is considered as FALSE, and the flag is set accordingly for the user being created. Currently, no workaround exists for this issue.

37.2.53 Dependent Resources Must Be Approved and Provisioned Last

If you are provisioning to two resources, and one of the resources is dependent on the other, the user must be approved and provisioned on the resource on which there is a dependency first. For example, if a user is to be provisioned to Microsoft Exchange and Active Directory, then the Active Directory user must be approved and provisioned first. Exchange requires data that are provided upon request, and the data is lost when approved before Active Directory.

To work around this situation, you must make another request for Exchange. This time, one request approval task will be raised for Exchange because the user already has Active Directory provisioned. After the request task is approved, Exchange provisioning will go through.

37.2.54 Incorrect Label in JGraph Screen for the GTC

The User Type label on the JGraph screen is displayed incorrectly as Design Console Access. To display User Type, add the line Xellerate_Type=User Type to the OIM_HOME/server/customResources/customResources.properties file.

37.2.55 Running the Workflow Registration Utility Generates an Error

When the workflow registration utility is run in a clustered deployment of Oracle Identity Manager, the following error is generated:

[java] oracle.iam.platform.utils.NoSuchServiceException:

Ignore the error message.

37.2.56 Native Performance Pack is Not Enabled On Solaris 64-bit JVM Install

For Oracle Identity Manager JVM install on a Solaris 64-bit computer, Oracle WebLogic log displays the following error:

Unable to load performance pack. Using Java I/O instead. Please ensure that a native performance library is in:

To workaround this issue, perform the following to ensure that JDK picks up the 64-bit native performance:

  1. In a text editor, open the MIDDLEWARE_HOME/wlserver_10.3/common/bin/commEnv.sh file.

  2. Replace the following:



  3. Save and close the commEnv.sh file.

  4. Restart the application server.

37.2.57 Error in the Create Generic Technology Connector Wizard

If you enter incorrect credentials for the database on the Create Generic Technology Connector wizard, a system error window is displayed. You must close this window and run the wizard again.

37.2.58 DSML Profile for the SPML Web Service is Not Deployed With Oracle Identity Manager

The DSML profile for the SPML Web service is not deployed by default with Oracle Identity Manager 11g Release 1 (11.1.1). SPML-DSML binaries are bundled with the Oracle Identity Manager installer to support Microsoft Active Directory Password Synchronization. You must deploy the spml-dsml.ear file manually.

37.2.59 New Human Tasks Must Be Copied in SOA Composites

When you add a new human task to an existing SOA composite, you must ensure that all the copy operations for the attributes in the original human task are added to the new human task. Otherwise, an error could be displayed on the View Task Details page.

37.2.60 Modify Provisioned Resource Request Does Not Support Service Account Flag

A regular account cannot be changed to a service account, and similarly, a service account cannot be changed to a regular account through a Modify Provisioned Resource request.

37.2.61 Erroneous "Query by Example" Icon in Identity Administration Console

In the Identity Administration console, when viewing role details from the Members tab, an erroneous icon with the "tooltip" (mouse-over text) of "Query By Example" appears. This "Query By Example" icon is non-functional and should be ignored.

37.2.62 The XL.ForcePasswordChangeAtFirstLogin System Property Is No Longer Used

The XL.ForcePasswordChangeAtFirstLogin system property is no longer used in Oracle Identity Manager 11g Release 1 ( Therefore, forcing the user to change the password at first login cannot be configured. By default, the user must change the password:

  • When the new user is logging in to Oracle Identity Manager for the first time

  • When the user is logging in to Oracle Identity Manager for the first time after the password has been reset

37.2.63 The cExportOperationsIntf.findObjects(type,name) API Does Not Accept the Asterisk (*) Wilcard Character in Both Parameters

The cExportOperationsIntf.findObjects(type,name) API accepts the asterisk (*) wildcard character only for the second parameter, which is name. For type, a catergory must be specified. For example, findObjects("Resource","*") is a valid call, but findObjects("*","*") is not valid.

37.2.64 Disabled Links on the Access Policy Summary Page Opened in Mozilla FireFox

In the Verify Information for this Access Policy page of the Create/Modify Access Policy wizards opened in Mozilla Firefox Web browser, you click Change for resource to be provisioned by the access policy, and then click Edit to edit the process form data for the resources to be provisioned. If you click the Close button on the Edit form, then the change links for any one of the access policy information sections, such as resources to be provisioned by the access policy, resources to be denied by the access policy, or roles for the access policy, do not work.

To workaround this issue, click Refresh. All the links in the Verify Information for this Access Policy page are enabled.

37.2.65 Benign Error is Generated on Editing the IT Resource Form in Advanced Administration

When you click the Edit link on the IT Resource form in the Advanced Administration, the following error message is logged:

<Error> <XELLERATE.APIS> <BEA-000000>
<Class/Method: tcFormDefinitionOperationsBean/getFormFieldPropertyValue encounter some problems: Property 'Column Names' has not defined for the form field '-82'> 

The error message is benign and can be ignored because there is no loss of functionality.

37.2.66 User Account is Not Locked in iPlanet Directory Server After it is Locked in Oracle Identity Manager

After reaching the maximum login attempts, a user is locked in Oracle Identity Manager. But in iPlanet DS/ODSEE, the user is not locked. The orclAccountLocked feature is not supported because the backend iPlanet DS/ODSEE does not support account unlock by setting the Operational attribute. Account is unlocked only with a password reset. The nsaccountlock attribute is available for administrative lockout. The password policies do not use this attribute, but you can use this attribute to independently lock an account. If the password policy locks the account, then nsaccountlock locks the user even after the password policy lockout is gone.

37.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

37.3.1 Configuring UDFs to be Searchable for Microsoft Active Directory Connectors

A Microsoft Active Directory connector installation automatically creates a UDF: USR_UDF_OBGUID. When you add a new user-defined field (UDF), the "searchable" property will be false by default unless you provide a value for that property. After installing an Active Directory connector, you must perform the following steps to make the user-defined field searchable:

  1. Using the Advanced Administration console (user interface), change the "searchable" UDF property to true by performing the following steps:

    1. Click the Advanced tab.

    2. Select User Configuration and then User Attributes.

    3. Modify the USR_UDF_OBGUID attribute in the Custom Attributes section by changing the "searchable" property to true.

  2. Using the Identity Administration console (user interface), create a new Oracle Entitlement Server policy that allows searching the UDF by performing the following steps:

    1. Click the Administration tab and open the Create Authorization policy.

    2. Enter a Policy Name, Description, and Entity Name as User Management.

    3. Select Permission, then View User Details, and then Search User.

    4. Edit the Attributes for View User Details and select all of the attributes.

    5. Select the SYSTEM ADMINSTRATOR role name.

    6. Click Finish.

37.3.2 Creating or Modifying Role Names When LDAP Synchronization is Enabled

When LDAP synchronization is enabled and you attempt to create or modify a role, entering a role name comprised of approximately 1,000 characters prevents the role from being created or modified and causes a Decoding Error to appear. To work around this issue, use role names comprised of fewer characters.

37.3.3 ADF Issue Causes Oracle Identity Manager to Fail on the Sun JDK

Due to an ADF issue, using the Oracle Identity Manager application with the Sun JDK causes a StringIndexOutOfBoundsException error. To work around this issue, add the following option to the DOMAIN_HOME/bin/setSOADomainEnv.sh or the setSOADomainEnv.cmd file:

  1. Open the DOMAIN_HOME/bin/setSOADomainEnv.sh or setSOADomainEnv.cmd file.

  2. Add the -XX:-UseSSE42Intrinsics line to the JVM options.

  3. Save the setSOADomainEnv.sh or setSOADomainEnv.cmd file.


    This error does not occur when you use JRockit.

37.3.4 Nexaweb Applet Does Not Load In an Oracle Identity Manager and Oracle Access Manager Integrated Environment

In an Oracle Identity Manager and Oracle Access Manager (OAM) integrated environment, when you login to the Oracle Identity Manager Administrative and User Console and click a link that opens the Nexaweb applet, the applet does not load.

To workaround this issue, configure loading of the NexaWeb Applet in an Oracle Identity Manager and OAM integrated environment. To do so:

  1. Login to the Oracle Access Manager Console.

  2. Create a new Webgate ID. To do so:

    1. Click the System Configuration tab.

    2. Click 10Webgates, and then click the Create icon.

    3. Specify values for the following attributes:


      Access Client Password: PASSWORD_FOR_ACCESSING_CLIENT

      Host Identifier: IDMDomain

    4. Click Apply.

    5. Edit the Webgate ID, as shown:

      set 'Logout URL' = /oamsso/logout.html

    6. Deselect the Deny On Not Protected checkbox.

  3. Install a second Oracle HTTP Server (OHS) and Webgate. During Webgate configurations, when prompted for Webgate ID and password, use the Webgate ID name and password for the second Webgate that you provided in step 2c.

  4. Login to the Oracle Access Manager Console. In the Policy Configuration tab, expand Application Domains, and open IdMDomainAgent.

  5. Expand Authentication Policies, and open Public Policy. Remove the following URLs in the Resources tab:





  6. Expand Authorization Policies, and open Protected Resource Policy. Remove the following URLs in the Resources tab:





  7. Restart all the servers.

  8. Update the obAccessClient.xml file in the second Webgate. To do so:

    1. Create a backup of the SECOND_WEBGATE_HOME/access/oblix/lib/ObAccessClient.xml file.

    2. Open the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file.


      Ensure that the DenyOnNotProtected parameter is set to 0.
    3. Copy the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file to the SECOND_WEBGATE_HOME/access/oblix/lib/ directory.

  9. Copy the mod_wls_ohs.conf from the FIRST_OHS_INSTANCE_HOME/config/OHS_NAME/directory to the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/ directory. Then, open the mod_wls_host.conf of the second OHS to ensure the WebLogicHost and WeblogicPort are still pointing to Oracle Identity Manager managed server host and port.

  10. Remove or comment out the following lines in the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/httpd.conf file:

    <LocationMatch "/oamsso/*">
       Satisfy any
  11. Copy the logout.html file from the FIRST_WEBGATE_HOME/access/oamsso/ directory to the SECOND_WEBGATE_HOME/access/oamsso/ directory. Then, open the logout.html file of the second Webgate to ensure that the host and port setting of the SERVER_LOGOUTURL variable are pointing to the correct OAM host and port.

  12. Login to Oracle Access Manager Console. In the Policy Configuration tab, expand Host Identifiers, and open the host identifier that has the same name as the second Webgate ID name. In the Operations section, verify that the host and port for the second OHS are listed. If not, then click the add icon (+ sign) to add them. Then, click Apply.

  13. Use the second OHS host and port in the URL for the OAM login page for Oracle Identity Manager. The URL must be in the following format:


37.3.5 Packing a Domain With managed=false Option

When a domain is packed with the managed=false option and unpacked on the another computer, Oracle Identity Manager Authentication Provider is not recognized by WebLogic and basic administrator authentication fails when the Oracle Identity Manager managed server is started.

The following workaround can be applied for performing successful authentication via Oracle Identity Manager Authentication Provider:

  1. Login in to the Oracle WebLogic Administrative Console by using the following URL:


  2. Navigate to Security Realms, Realm(myrealm), and then to Providers.

  3. Delete OIMAuthenticationProvider.


    Make sure that you note the provider-specific details, such as the database URL, password, and driver, before deleting the provider.
  4. Restart the WebLogic Administrative Server.

  5. Navigate to Security Realms, Realm(myrealm), and then to Providers.

  6. Create a new Authentication Provider of type OIMAuthenticationProvider.

  7. Enter the provider specific details and mark the control flag as SUFFICIENT.

  8. Restart the WebLogic Administrative Server.

  9. Restart Oracle Identity Manager and other servers, if any.

37.3.6 Option Not Available to Specify if Design Console is SSL-Enabled

While configuring Oracle Identity Manager Design Console, you cannot specify if Design Console is SSL-enabled.

To workaround this issue after installing Oracle Identity Manager Design Console, edit the OIM_HOME/designconsole/config/xlconfig.xml file to change the protocol in the Oracle Identity Manager URL from t3 to t3s.

37.3.7 Nexaweb Applet Does Not Load in JDK 1.6.0_20

Deployment Manager and Workflow Visualizer might not work if the client browser has JDK/JRE installed on it whose version is 1.6.0_20. To workaround this issue, uninstall the JDK/JRE version 1.6.0_20 from the client browser and reinstall the JDK/JRE version 1.6.0_15.

37.4 Multi-Language Support Issues and Limitations

This section describes multi-language issues and limitations. It includes the following topics:

37.4.1 Multi-language Valued Attributes in SPML and Oracle Identity Manager Do Not Match

Oracle Identity Manager supports only the Display Name attribute for multi-language values. SPML specifies additional attributes, such as commonName and surname, as multi-language valued in the PSO schema. When multiple locale-values are specified in an SPML request for one of these attributes, only a single value is picked and passed to Oracle Identity Manager. The request will not fail and a warning message identifying the attributes and the value that was passed to Oracle Identity Manager is provided in the response.

37.4.2 Login Names with Some Special Characters May Fail to Register

In Oracle Identity Manager, the user login name is case-insensitive. When a user is created, the login name is converted to upper case and saved in the database. But the password is always case-sensitive. However, some special characters may encounter an error while registering to Oracle Identity Manager:

  • Both the Greek characters &#963; (sigma) and &#962; (final sigma) maps to the &#931; character.

  • Both English character i and Turkish character &#305; maps to the I character.

  • Both German character ß and English string SS maps to the SS string.

This means that two user login names containing these special characters when the other characters in the login names are same cannot be created. For example, the user login names Johnß and JohnSS maps to the same user login name. If Johnß already exists, then creation of JohnSS is not allowed because both the ß character and the SS string maps to the SS string.

37.4.3 The Create Role, Modify Role, and Delete Role Request Templates are Not Available for Selection in the Request Templates List

The Create Role, Modify Role, and Delete Role request templates are not available in the Request Templates list of the Create Request wizard. This is because request creation by using any request template that are based on the Create Role, Modify Role, and Delete Role request models are supported from the APIs, but not in the UI. However, you can search for these request templates in the Request Templates tab. In addition, the Create Role, Modify Role, and Delete Role request models can be used to create approval policies and new request templates.

37.4.4 Parameter Names and Values for Scheduled Jobs are Not Translated

In the Create Job page of Oracle Identity Manager Advanced Administration, the fields in the Parameter section and their values are not translated. The parameter field names and values are available only in English.

37.4.5 Bidirectional Issues for Legacy User Interface

The following are known issues in the legacy user interface, also known as TransUI, contained in the xlWebApp war file:

  • Hebrew bidirectional is not supported

  • Workflow designer bidirectional is not supported for Arabic and Hebrew

37.4.6 Localization of Role Names, Role Categories, and Role Descriptions Not Supported

Localization of role names, categories, and descriptions is not supported in this release.

37.4.7 Localization of Task Names in Provisioning Task Table Not Supported

All Task Name values in the Provisioning Task table list are hard-coded and these pre-defined process task names are not localized.

37.4.8 Localization of Search Results of Scheduled Tasks Not Supported

When you search Scheduler Tasks using a Simple or Advanced search, the search results are not localized.

37.4.9 Searching for User Login Names Containing Certain Turkish Characters Causes an Error

On the Task Approval Search page, if you select "View Tasks Assigned To", then "Users You Manage", and then choose a user whose login name contains a Turkish Undotted "&#305" or a Turkish dotted "&#304" character, a User Not Found error will result.

37.4.10 Localization of Notification Template List Values for Available Data Not Supported

Localizing Notification Template Available Data list values is not supported in this release. Oracle Identity Manager depends upon the Velocity framework to merge tokens with actual values, and Velocity framework does not allow a space in token names.

37.4.11 Searching for Entity Names Containing German "ß" (Beta) Character Fails in Some Features

When you search for entity names containing the special German "ß" (beta) character from the Admin Console, the search fails in the following features:

  • System Configuration

  • Request Template

  • Approve Policy

  • Notification

In these features, the "ß" character matches to "ss" instead of itself. Consequently, the Search function cannot find entity names that contain the German beta character.

37.4.12 Special Asterisk (*) Character Not Supported

Although special characters are supported in Oracle Identity Manager, using the asterisk character (*) can cause some issues. You are advised not to use the asterisk character when creating or modifying user roles and organizations.

37.4.13 Translated Error Messages Are Not Displayed in UI

Oracle Identity Manager does not support custom resource bundles for Error Message display in user interfaces. Currently, there is no workaround for this issue.

37.4.14 Reconciliation Table Data Strings are Hard-coded on Reconciliation Event Detail Page

Some of the table data strings on the Reconciliation Event Detail page are hard-coded, customized field names. These strings are not localized.

37.4.15 Translated Password Policy Strings May Exceed the Limit in the Background Pane

Included as per bug# 9539501

The password policy help description may run beyond the colored box in some languages and when the string is too long. Currently, there is no workaround for this issue.

37.4.16 Date Format Validation Error in Bi-Directional Languages

When Job Detail page is opened in bi-directional languages, you cannot navigate away from this page because of "Date Format Validation Error". To work around this issue, select a value for the "Start Date" using the date-time control and then move to another page.

37.4.17 Mistranslation on the Create Job page

On the Japanese locale (LANG=ja_JP.UTF-8), "Fourth Wednesday" is mistranslated as "Fourth Friday" on the Create Job page when "Cron" is selected as the Schedule Type and "Monthly on given weekdays" is selected as the Recurring Interval.

37.4.18 E-mail Notification for Password Expiration Cannot Be Created With Arabic Language Setting

When the server locale is set to ar_AE.utf8 and values for user.language and user.region system properties are ar and AE respectively, if you create a password expiration warning e-mail notification in the Design Console, the value AE is not available for selection in the Region field. As a result, the email notification message cannot be created.

To workaround this issue:

  1. Open the Lookup Definitions form in the Design Console.

  2. Search for 'Global.Lookup.Region'.

  3. Add an entry with Code key and Decode value as 'AE'. You can now create an e-mail definition with language ar and region AE.

37.4.19 Translated Justification is Not Displayed in Access Policy-Based Resource Provisioning Request Detail

When an access policy with approval is created, it generates a resource provisioning request that is subject to approval. In the request details page in Self Service or Advanced Administration, the translated request justification according to the locale setting by the user is not displayed. The justification is displayed in the default server locale.

37.4.20 Additional Single Quotes Displayed in GTC Reconciliation Mapping Page for French UI

When you set the Oracle Identity Manager Administrative and User Console locale to French, select the Provisioning and Reconciliation checkboxes while creating a Generic Technology Connector (GTC), and map the reconciliation fields in the page for modifying mapping fields, a message is displayed with two single quotes. You can ignore the single quotes because this is benign and has no effect on functionality.

37.5 Documentation Errata

Documentation Errata: Currently, there are no documentation issues to note.