32 Oracle Access Manager

This chapter describes issues associated with Oracle Access Manager 11g Release 1 (11.1.1). It includes the following topics:

32.1 Patch Requirements

This section describes patch requirements for Oracle Access Manager 11g Release 1 (11.1.1). It includes the following sections:

See Also:

The latest Oracle Access Manager 11g Release 1 (11.1.1) updates and related release notes on My Oracle Support at: 
https://support.oracle.com/

32.1.1 Plain Text Credentials Exposed in Diagnostic Logs when Creating an Identity Store

To work around this issue:

  1. Go to My Oracle Support at

    http://support.oracle.com

  2. Click the Patches & Updates tab, and search for bug 9824531.Download the associated patch and install it by following the instructions in the README file included with the patch.

  3. On the Patches & Updates tab, search for bug 9882205. Download the associated patch and install it by following the instructions in the README file included with the patch.

32.1.2 java.lang.NullPointerException: Cannot Set Value to Null at javax.naming.ldap.Rdn.<init>(Rdn.java:178)

If you encounter a java.lang.NullPointerException: Cannot set value to null at javax.naming.ldap.Rdn.<init>(Rdn.java:178) error in your WebLogic Server Administration Console or managed server logs, it is mostly likely caused by Oracle JRockit.

In certain cases involving try-catch-clauses, JRockit will apply an incorrect optimization such that a null check always returns false. To avoid this issue, ensure that you are running JVM version R28.0.1 or later.

R28.0.1 is available as patch 9847606, which you can download from My Oracle Support at:

http://support.oracle.com

32.2 General Issues and Workarounds

This section describes general issue and workarounds. It includes the following topic:

32.2.1 Replacing oamreg Scripts with Remote Registration Home

IM_ORACLE_HOME/oam/server/rreg/bin contains the scripts (oamreg.bat and oamreg.sh) for performing remote registration. Prior to execution, the scripts need to be edited to point the attribute OAM_REG_HOME to the absolute file location for RREG HOME.

RREG_HOME will be one directory above where the scripts exist.

For example,

If IM_ORACLE_HOME in a particular Linux environment is:

MW_HOME/Oracle_IDM

The entry for the attribute OAM_REG_HOME in oamreg.sh will be:

export OAM_REG_HOME=MW_HOME/Oracle_IDM/oam/server/rreg

32.2.2 Incorrect SSO Agent Date/Time Shown to User

The default start date on the Create OAM Agent page is based on the Oracle Access Manager server date/time. The date/time shown to the end user is based on the Oracle Access Manager server timezone rather than on the user's machine.

32.2.3 The oamreg.sh File Missing Execute Permission After Configuring

Out of the box, execute permissions are not set for the oamreg.sh and oamreg.bat files in the Oracle Access Manager install location. Before you perform remote registration (rreg), you need to set the execute permissions on the scripts by using the following commands:

chmod +x oamreg.sh   OR  chmod +x oamreg.bat

Then, you can proceed with the regular remote registration steps.

32.2.4 Initial Messages After WebGate Registration Are Not Shown in the User's Locale

After OAM Web Gate registration, the description fields in the initial messages for related components are not shown in the user's locale.

The description field does not support Multilingual Support (MLS).

32.2.5 Error While Browsing Resources Table in the ResourceType Tab

While browsing across the Resources table in the ResourceType tab, the following error message is displayed:

<Error> <oracle.adfinternal.view.faces.model.binding.CurrencyRowKeySet>
<BEA-000000> <ADFv: Rowkey does not have any primary key attributes. Rowkey:
oracle.jbo.Key[], table: model.ResTypeVOImpl@620289.>

This message is harmless and does not hinder any functionality.

32.2.6 Single-Click to Open Child Node is Not Supported in the Navigation Tree

Single-click to open a child node in the navigation tree is not supported, but double-click is supported.

32.2.7 User Credential for OAM Registration Tool Does Not Support Non-ASCII Characters on Native Server Locale

The user credential for the OAM registration tool oamreg.sh/oamreg.bat does not support non-ASCII characters on the Linux Non-UTF8 server locale and the Windows native server.

32.2.8 Turkish and Greek Character Issues on OAM Authentication Page

In some cases if a user has Turkish, German, or Greek special characters in the user name and the login name only differs in the special characters, he might pass authentication because of case mappings and case-insensitivity.

Some internationalization characters should have special capitalization rule so that characters do not convert back to the lower case.

For example, there is the case with SS and ß in German, where ß only exists as a lower case character. When performing "to Upper" against ß, ß will be changed to SS. And if the upper case text is then converted back to lower case, the SS becomes ss and not the original ß.

32.2.9 OAM Authentication Does Not Support Non-ASCII Passwords on Locales Other than UTF8

When the server locale is not UTF-8 and using WebLogic Server embedded LDAP as an identity store, the SSO Authentication page does not support Non-ASCII passwords.

32.2.10 Error Message of Create Agent Shows as Server Locale

When an administrator creates an agent with the same name as one that already exists, the language of the error message displayed is based on the server locale rather than on the browser locale.

32.2.11 Referrals in LDAP Searches

Oracle Access Manager 11g Release 1 (11.1.1) cannot operate directly with LDAP servers returning referrals.

The workaround is to use Oracle Virtual Directory.

32.2.12 Diagnostic Information Is Not Being Displayed on the Administration Console

Diagnostic information is not displayed in the Oracle Access Manager Administration Console for monitoring Agents when one or more nodes of the cluster are down.

This information can be retrieved using the Oracle Dynamic Monitoring Service (DMS). The steps are as follows:

  1. Using WebLogic credentials, log in to the DMS application

    http://<adminserver-host>:<adminserver-port>/dms

  2. On the navigation tree, click OAMS.OAM_Server.OAM_Agents under the DMS Metrics node.

32.2.13 Non-ASCII Resources Require OHS To Restart To Make Protection Take Effect

When you add a resource with a non-ASCII name to the protected authentication policy, it will require the 11g OHS Server to restart to make the protection take effect, whereas in adding resources with English characters, protection takes effect in real time without having to restarting the OHS Server.

32.2.14 Non-ASCII Characters on Success/Failure URL Results in Garbled Redirect URL

If an on success or on failure URL configured for an authentication policy contains non-ASCII characters in the URL specified, then the URL specified will be garbled when it is used during a user authentication. This will happen only when the authentication scheme is Basic Authentication and the end user's browser is the Simplified Chinese version of IE8 running on the Chinese version of Windows.

32.2.15 Resource with Non-ASCII Characters Cannot Be Protected by an OSSO Agent

The OSSO Agent cannot protect a resource because it does not encode the entire resource URL to UTF-8 format.

To work around this issue, use the WebGate Agent instead of the SSO Agent.

WebGate is able to convert the entire resource URL to UTF-8 format.

32.2.16 Error in Administration Server Log from Console Logins

If you log in to the OAM Administration Console as an administrator and then log in to the Console as an administrator in a new tab, the following error appears in the administration logs:

 ------------------------------------------------------------
 <May 20, 2010 10:12:47 AM PDT> <Error>
 <oracle.adfinternal.view.page.editor.utils.ReflectionUtility> <WCS-16178>
 <Error instantiating class -
 oracle.adfdtinternal.view.faces.portlet.PortletDefinitionDTFactory>
 ------------------------------------------------------------

The error message does not impact functionality.

32.2.17 Translation Packages Use the Term, Agents, Instead of WebGates

The term Agents has been changed to WebGates.

The issue is that because of this late change, the translation packages are not updated and will continue to use the term, Agents, instead of the preferred term, WebGates.

32.2.18 Special Character Limitations in Response Attribute Names

The ":" special character should not be used in response attribute names.

For example, "name=STAT_:HEADER1."

This is not supported in 11g Release 1 (11.1.1).

32.2.19 Application Domain Subtree in the Navigation Tree Is Not Rendered and Does Not Respond to User Actions

If the Application Domain subtree on the navigation tree does not render or respond to user interface actions over a period of time, it may be the result of multiple refreshes.

To work around these issues, restart the administration server and log in to the OAM Administration Console again.

32.2.20 Error in the "Evaluate Single Sign-On Requirements" Help Topic

In the help topic, "Evaluate Single Sign-On Requirements," "Configuring Single Logout for 10g WebGate with OAM 11g Servers" was listed twice under "Review steps to configure single sign-off."

The English version has been corrected to read:

"Step 7 Review steps to configure single sign-off

  • Configuring Single Logout for 10g WebGate with OAM 11g Servers. More.

  • Configuring Single Logout for 11g WebGate with OAM 11g Servers. More.

  • Configuring Single Logout for Oracle ADF Applications. More

The translated version will be fixed in a future release.

32.2.21 EDITWEBGATEAGENT Command Does Not Give An Error If Invalid Value is Entered

The WLST command editWebgateAgent does not give an error when a invalid value is entered for the state field in both online and offline mode. The OAM Administration Console does show the state field value as neither enabled nor disabled, though it is a mandatory field.

32.2.22 WLST Command DISPLAYWEBGATE11GAGENT In Offline Mode Displays the WebGate Agent Entry Twice

In the offline mode, the WLST command, displayWebgate11gAgent, displays the 11g WebGate Agent entry in the System Configuration tab twice.

32.2.23 Message Logged at Error Level Instead of at INFO When Servers in Cluster Start

When starting Oracle Access Manager servers in a cluster, the following message is displayed:

<Jun 22, 2010 3:59:41 AM PDT> <Error> <oracle.jps.authorization.provider.pd> 
<JPS-10774> <arme can not find state.chk file.>

The correct level of the message is INFO, rather than Error.

32.2.24 Help Is Not Available for WLST Command REGISTEROIFDAPPARTNER

The Help command is not available for the WLST command, registeroifdappartner.

The online and offline command registers Oracle Identity Federation as a Delegated Authentication Protocol (DAP) Partner.

For information, refer to "registerOIFDAPPartner" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

Syntax

registerOIFDAPPartner(keystoreLocation="/scratch/keystore"  
logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=
http://<oamhost>:< oam port>/ngam/server/pages/logout.jsp", 
rolloverTime="526")
Parameter Name Definition

keystoreLocation

Location of the Keystore file. The file generated at the OIF Server. (mandatory)

logoutURL

The OIF Server's logout URL. <mandatory>

rolloverInterval

The Rollover Interval for the keys used to enc/decrypt SASSO Tokens (optional)

Example

The following invocation illustrates use of all parameters.
 
registerOIFDAPPartner(keystoreLocation="/scratch/keystore", 
logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=http://<oamhost>: 
<oam port>/ngam/server/pages/logout.jsp", rolloverTime="526")

32.2.25 User Must Click Continue to Advance in Authentication Flow

In a native integration with Oracle Adaptive Access Manager, the resource is protected by an Oracle Access Manager policy that uses the Basic Oracle Adaptive Access Manager authentication scheme.

When a user tries to access a resource, he is presented with the username page.

After he enters his username, he must click Continue before he can proceed to the password page. He is not taken to this page automatically.

The workaround is for the user to click Continue, which might allow him to proceed to the password page.

32.2.26 Login Page Throws Exception in the OAM-SERVER1 Log After Restarting the Servers

In OAM out of the box, login failures might occur during failover mode or when the user tries to submit credentials to a login page before the OAM Servers were restarted.

To work around the issue, set the cache type as Cookie by executing the following online WLST command:

configRequestCacheType(type="COOKIE")

Then, restart the OAM managed servers if they had been running before the execution of the WLST command.

32.2.27 After RREG User Required to Click Refresh Domain Twice for Changes to Be Visible

After performing rreg (through the console/rreg scripts), the user must click the Refresh button twice on the Policy Configuration Console for any policy-related changes to be visible.

32.2.28 OCSP-Related Fields are Not Mandatory

In the X509 authentication modules, the following OCSP-related fields are no longer mandatory:

  • OCSP Server Alias

  • OCSP Responder URL

  • OCSP Responder Timeout

If OCSP is enabled

The OCSP-related fields should be filled in by the administrator. If they are not filled, there will not be an error from the Console side.

It is the responsibility of the administrator to provide these values.

If OCSP is not enabled

The OCSP-related fields need not be filled in this case. If there are values for these fields, they will be of no consequence/significance, as OCSP itself is not enabled.

In the default out of the box configuration, the OCSP responder URL is http://ocspresponderhost:port. If you make changes to other fields and leave this as is, you will see a validation error, since this value is still submitted to the back end and at the Console, the layer port should be a numeric field. You can either modify the field, with the port being a numeric field or delete the entire value.

32.2.29 Database Node is Non-Functional in the System Console

The Databases node under the Data Sources node of the System Configuration tab is not functional. It does not create datasource entries that are consumed by the OAM Runtime.

The OAM Data Source needs to be managed using the WebLogic Server Administration Console. Oracle Access Manager 11g includes a data source named oamDS which is configured against the database instance extended with the OAM Schema. To navigate to oamDS in the WebLogic Server Administration Console, go to domain_name, select Services, select JDBC, and select DataSources in the navigation tree.

32.2.30 Online Help Provided Might Not Be Up To Date

Online help is available in the console, but you should check OTN to ensure you have the latest information.

32.2.31 Agent Key Password Should Be Mandatory for Both the Console and Remote Registration Tool in Cert Mode

Providing the Agent Key Password during registration should be mandatory for both the OAM Console and the Remote Registration tool. Currently it is mandatory for one and not the other.

When registering the 11g WebGate in cert mode through the remote registration tool, the Agent Key Password must be provided. If it is not, the password for cert mode cannot be null. Please enter the valid password message is shown.

The Agent Key Password is not mandatory when registering the 11g WebGate in cert mode through the OAM Administration Console. The password.xml is generated regardless of whether the Agent Key Password is provided or not.

32.2.32 OAM Audit Report AUTHENTICATIONFROMIPBYUSER Throws a FROM Keyword Not Found Where Expected Error

The OAM audit report AuthenticationFromIPByUser uses an Oracle Database 11.2.0 feature and will not work with older versions of database. The following error is displayed if an older version is used:

ORA-00923: FROM keyword not found where expected

32.2.33 Custom Resource Types Should Not be Created

For OAM 11g, creating custom resource types should not be attempted even though the button to create/edit/delete resource types is not disabled.

32.2.34 Oracle Access Manager IDM Domain Agent Provides Single-Sign On

The domain consoles are the Oracle Identity Manager, Oracle Adaptive Access Manager and other Identity Management servers created during domain creation.

The Oracle Access Manager IDM Domain Agent provides Single-Sign On for the IDM domain consoles. It does not provide Single-Sign On protection for Fusion Middleware Control and the WebLogic Server Administration Console. Thus, policies configured for Fusion Middleware Control and the WebLogic Server Administration Console (provided for use in production deployments when using OAM WebGates) must be removed when using the IDM Domain Agent. Remove these policies as follows:

  1. Access the OAM Administration Console

  2. Navigate to Policy Configuration, select Application Domains, select IDMDomainAgent, select Authentication Policies, and select Protected Higher Level Policy.

  3. Open the policy and the list of resources for the policy will display on the right panel.

  4. Remove the following resources from the authentication policy:

    1. /console

    2. /console/.../*

    3. /em

    4. /em/.../*

  5. Click Apply.

  6. Navigate to Policy Configuration, select Application Domains, select IDMDomainAgent, select Authorization Policies, and select Protected Resource Policy.

  7. Open the policy and the list of resources for the policy will display on the right panel.

  8. Remove the following resources from the authorization policy:

    1. /console

    2. /console/.../*

    3. /em

    4. /em/.../*

  9. Click Apply.

Removing the actual "urls" from the Resources list is not necessary nor advised should you need to restore the policies.

To add these policies back should you later want Single-Sign On to protect Fusion Middleware Control and WebLogic Server Administration Console when using a WebGate:

  1. Navigate to Policy Configuration, select Application Domains, select IDMDomainAgent, select Authentication Policies, and select Protected Higher Level Policy.

  2. Open the policy and the list of resources for the policy will display on the right panel.

  3. Add the same resources (removed in Step 4 above) to the authentication policy.

  4. Click Apply.

  5. Navigate to Policy Configuration, select Application Domains, select IDMDomainAgent, select Authorization Policies, and select Protected Resource Policy.

  6. Open the policy and the list of resources for the policy will display on the right panel.

  7. Add the same resources (removed in Step 8 above) to the authorization policy.

  8. Click Apply.

32.2.35 Use of a Non-ASCII Name for a WebGate Might Impact SSO Redirection Flows

When using the OAM 11g server with WebGates and when the WebGate ID is registered with a non-ASCII name, the OAM server may reject that authentication redirect as an invalid request.

To work around this redirection issue, use an ASCII name for the WebGate.

Note:

Resources are protected and error messages do not occur when the administration server and oracle access servers are started on UTF-8 locales.

The redirection issue only occurs on native server locales (Windows and Non-UTF8 Linux server locales)

32.2.36 Authentication Module Lists Non-Primary Identity Stores

In the user interface under the Authentication Module, only the primary identity store should be selected in the dropdown since only primary identity stores can be used for authentication/authorization. Currently, the OAM Console allows you to select identity stores that are not primary.

32.2.37 Unable to Stop and Start OAM Server Through Identity and Access Node in Fusion Middleware Control

The following OAM operations are not supported through using the oam_server node under Identity and Access in Fusion Middleware Control:

  • Start up

  • Shut down

  • View Log Messages

However, these operations are supported per the Oracle Access Manager managed server instance through using the oam_server node (for the specific server) under Application Deployments in Fusion Middleware Control.

32.2.38 ADF Applications Using ADF Security Fail to Work in OAM 11g

Due to a bug, when accessing a protected resource (protected by 11g WebGate) with query parameters containing encoded URL strings, an error is displayed in browser:

Action failed. Please try again

32.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

32.3.1 For mod-osso Value for RedirectMethod Should be "POST"

For WebGate to support long URLs, the following code sample was added under oam-config.xml:

<Setting Name="AgentConfig" Type="htf:map">
   <Setting Name="OSSO" Type="htf:map">
        <Setting Name="RedirectMethod"Type="xsd:string">GET</Setting>
        <Setting Name="Delimiter" Type="xsd:string">AND</Setting>
   </Setting>

For mod-osso, the value for RedirectMethod should be POST, however, the values shipped out of the box is GET. Follow these steps to perform the modification, as this change needs to be performed manually and there is no user interface or WLST commands available to do so.

  1. Stop the OAM Administration Server and managed servers.

  2. Enter cd DOMAIN_HOME/config/fmwconfig

  3. Enter vi oam-config.xml

  4. Go to the following line in oam-config.xml:

    <Setting Name="AgentConfig" Type="htf:map">
   <Setting Name="OSSO" Type="htf:map">
        <Setting Name="RedirectMethod"Type="xsd:string">GET</Setting>

    Modify GET to POST as follows:

    <Setting Name="RedirectMethod"Type="xsd:string">POST</Setting>

  5. Save the changes and start the OAM Administration and managed servers.

32.3.2 User Wrongly Directed to the Self-User Login after Logging Out of the Oracle Identity Manager Administration Console

The user is directed to the self-user login after logging out of the Oracle Identity Manager Administration Console.

To be redirected correctly, the logout must work properly.

The workaround for logout with 10g WebGate is to:

  1. Copy logout.html (for example, from Oracle_IDM1/oam/server/oamsso/logout.html) to webgate_install_dir/oamsso.

  2. Update logout URL in the file to http://oam_server:oam_server/ngam/server/logout.

  3. If redirection to specific page has to occur after logout, change the logout URL to http://oam_server:oam_server/ngam/server/logout?doneURL=http://host:port/specifipage.html.

32.3.3 11g WebGate Fails to Install with Compact Configuration

A compact configuration is an installation with all identity management components on a machine with limited hardware capacity.

On trying to install the 11g WebGate with compact configuration, the following error occurs during the configure step:

Configuring WebGate... 
There is an error. Please try again. 
Preparing to connect to Access Server. Please wait. 
Client authentication failed, please verify your WebGate ID. 
cp: cannot stat 
`$ORACLE_HOME/ohs/conf/aaa_key.pem': 
No such file or directory 
cp: cannot stat 
`$ORACLE_HOME/ohs/conf/aaa_cert.pem': 
No such file or directory 
cp: cannot stat 
`$ORACLE_HOME/ohs/conf/aaa_chain.pem':

The error occurs because the following entries were not initialized in oam-config.xml during the installation:

<Setting Name="oamproxy" Type="htf:map">
<Setting Name="sslGlobalPassphrase" Type="xsd:string">changeit</Setting>
<Setting Name="SharedSecret" Type="xsd:string">1234567812345678</Setting>
</Setting>

To initialize oam-config.xml properly:

  1. Delete the OAM entry from CSF repository by performing the following steps:

    1. Start the WebLogic Scripting Tool:

      oracle_common/oracle_common/common/bin/wlst.sh

    2. In the WLST shell, enter the command to connect to the domain and then enter the requested information.

      A sample is given below.

      wls:/offline> connect () 
Please enter your username [weblogic] : 
Please enter your password [welcome1] : 
Please enter your server URL [t3://localhost:7001] : 
Connecting to t3://localhost:7001 with userid weblogic ... 
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'imdomain86'.

    3. Change to domainRuntime.

      A sample is given below.

      wls:/imdomain86/serverConfig> domainRuntime () 
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.

    4. Check whether an entry exists in the CSF repository with the map name as OAM and key as jks.

      A sample is given below.

      wls:/imdomain86/domainRuntime> listCred(map="OAM_STORE",key="jks") {map=OAM_STORE, key=jks} 
Already in Domain Runtime Tree 
. 
[Name : jks, Description : null, expiry Date : null] 
PASSWORD:1qaldrk3eoulhlcmfcqasufgj2 
.

    5. Delete the OAM map entry from the CSF repository.

      wls:/imdomain86/domainRuntime> deleteCred(map="OAM_STORE",key="jks") 
{map=OAM_STORE, key=jks} 
Already in Domain Runtime Tree 
.

    6. Exit from wlst shell.

      A sample is given below.

      wls:/imdomain86/domainRuntime> exit () 
. 
. 
.

  2. Go to DOMAIN_HOME/config/fmwconfig and delete the file .oamkeystore.

    A sample [on linux] is given below.

    [aime@pdrac09-5 fmwconfig]$ rm .oamkeystore 
.

  3. Stop the Managed Server and Admin Server.

  4. Start the Admin Server.

  5. Verify oam-config.xml.

  6. Start Managed Server.

Steps to verify oam-config.xml:

  1. Go to DOMAIN_HOME/config/fmwconfig/oam-config.xml.

  2. Verify that all the WebLogic Server server instances are configured under DeployedComponent > Server > NGAMServer > Instance

  3. Verify that the OAM Managed Server protocol, host and port are available at:

    DeployedComponent > Server > NGAMServer > Profile > OAMServerProfile > OAMSERVER

  4. Verify that the SSO CipherKey is generated and available at:

    DeployedComponent > Server > NGAMServer > Profile > ssoengine > CipherKey

  5. Verify that the oamproxy entries for SharedSecret and sslGlobalPassphrase is generated and available at:

    DeployedComponent > Server > NGAMServer > Profile > oamproxy

    SharedSecret should have a value different from 1234567812345678 and sslGlobalPassphrase different from changeit.

32.3.4 Auditing Does Not Capture the Information Related to Authentication Failures if a Resource is Protected Using Basic Authentication Scheme

Although a resource can be protected using the BASIC scheme, the WebLogic server has a feature by which it first authenticates the user and then sends it to the server.

If you add the following flag under <security-configuration> in config.xml and restart the server, you will be able to bypass WebLogic server's authentication <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>. Once the credentials are submitted back to the OAM server, it will be audited.

The WebLogic Server Administration Console does not display or log the enforce-valid-basic-auth-credentials setting. However, you can use WLST to check the value in a running server. You must modify this value by setting this in config.xml.

To do so, refer to the following documentation:

"Developing Secure Web Applications" at:

http://download.oracle.com/docs/cd/E13222_01/wls/docs103/security/thin_client.html#wp1037337

32.3.5 Unable to Access Partner Information on the Production Environment

After test-to-production migration, the following steps must be performed:

  1. Ensure that the production OAM managed server(s) are down when the policy is imported from the test system.

  2. Log in to the OAM Administration Console and modify the primary /secondary server list for all agents in the production system (including the IDMDomainAgent).

  3. Copy the generated artifacts for WebGate generated for each of the WebGate agents (excluding IDMDomain agent).

  4. Start the production OAM managed server(s).

  5. Restart all the WebGate agents' OHS.

In migrating partner information from a test environment to a production one, you will not be able to access partner information if

  • The migratePartnersToProd command was used. It is outdated. The following set of commands should be used instead:

    • exportPartners- This command is used to export the partners from the test environment. It needs to be run from the OAM server, from where the partners needs to be exported. This command takes the path to the temporary oam-partners file as a parameter.

      exportPartners(pathTempOAMPartnerFile=', <pathTempOAMPartnerFile>')

    • importPartners- This command is used to import the partners to the production environment. It needs to be run from the OAM server to which the partners needs to be imported. This command takes the path to the temporary oam-partners file as a parameter.

      importPartners(pathTempOAMPartnerFile=', <pathTempOAMPartnerFile>')

  • The agent profiles were not edited after the migration to match the production system.

    A WebGate Agent might be configured with a list of primary/secondary server hosts and nap ports available in the test system. The production system may not contain server instances with the same hosts and ports as configured in the test system. Since the SysConfig Agent Profile user interface obtains the server name by picking up the servers matching the host and port details of the primary/secondary server list, the server names may not be displayed in the user interface after migration. Since the primary/secondary server lists could be a subset of the list of available server instances in the production system, the agent profiles need to be edited after migration to match the production system.

32.3.6 WNA Authentication Does Not Function on Windows 2008

The default Kerberos encryption supported by Windows 2008 Server and Windows 2007 machines are "AES256-CTS-HMAC-SHA1-96", "AES128-CTS-HMAC-SHA1-96" and "RC4-HMAC".

If the clients are configured to use DES only encryption, users will not be able to access protected resources with Kerberos authentication. The error message, An incorrect username and password was specified might be displayed.

Because the initial Kerberos tokens are not present, the browser sends NTLM tokens, which the OAM 11g server does not recognize; therefore, the user authentication fails.

The workaround is to enable the encryption mechanisms, and follow the procedure mentioned in:

http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx

32.3.7 Incompatible Msvcirt.dll Files

When you install the Oracle Access Manager 10g WebGate, do not replace the current version of msvcirt.dll with a newer version when prompted. If you do so, there may be incompatibility issues. Later, when you try to install OSSO 10g (10.1.4.3), the opmn.exe command might fail to start and the OracleCSService might time out because the required .dll file is missing.

32.3.8 IPv6 Support

The supported topology for OAM 11g is shown below.

Supported Topology

  • WebGate10g or WebGate 11g and protected applications on IPv4 (Internet Protocol Version 4) protocol host

  • OHS (Oracle HTTP Server) reverse proxy on dual-stack host

  • Client on IPv6 (Internet Protocol Version 6) protocol host

Dual-stack is the presence of two Internet Protocol software implementations in an operating system, one for IPv4 and another for IPv6.

The IPv6 client can access WebGate (10g or 11g) through the reverse proxy on IPv4/IPv6 dual-stack.

32.3.9 What to Avoid or Note in OAM Configuration

This section contains scenarios and items to note in OAM Configuration

32.3.9.1 Unsupported Operations for WLST Scripts

WLST scripts for OAM 10g and OAM 11g WebGates do not support changing Agent security modes.

32.3.9.2 Unsupported Operations for OAM Administration Console and WLST

Unsupported operations for the OAM Administration Console and WLST are described in the following subsections.

32.3.9.2.1

OAM Server

Use Case: Concurrent Deletion and Updating

Description

  1. Open an OAM Server instance in edit mode in Browser 1.

  2. Using the OAM Administration Console in another browser (Browser 2) or using a WLST script, delete this server instance.

  3. Return to Browser 1 where the server instance is opened in edit mode.

  4. In Browser 1, click the Apply button.

Current Behavior

The OAM Administration Console displays the message, "Server instance server_name might be in use, are you sure you want to edit it?" along with the confirmation that the update succeeded.

This server instance node is removed from navigation tree.

The behavior is incorrect.

Use Case: Two OAM Server Instances with Same Host Cannot have the Same Proxy Port.

Description

For this use case, there are two instances of the OAM Server: oam_server1 and oam_server2.

  1. Open oam_server1 in edit mode and specify a host and OAM proxy port.

  2. Now open oam_server2 in edit mode and specify the same host and proxy port as oam_server1.

The changes are saved without any error message.

Current Behavior

The OAM Administration Console does not display any error and allows the update.

The behavior is incorrect.

Use Case: Log Statements Detailing the Server Instance Creation, Update and Delete are not Present on the OAM Administration Console

Description

If you create, edit, or delete an OAM Server instance from the OAM Administration Console, the log statements corresponding to create, edit and delete are not displayed by the Console.

32.3.9.2.2

LDAP Authentication Module:

Use Case: Concurrent Deletion/Creation of User Identity Store does not Reflect in the Dropdown of Identity Stores in the LDAP Authentication Module Create and Edit

Description

  1. Open create/ edit for the LDAP authentication module.

    A dropdown list displays the identity stores present in the system.

  2. Now create a user identity store using another tab.

  3. Return to the create/edit tab for the LDAP authentication module and check the dropdown list for user identity stores.

Current Behavior

The newly added user identity store entry is not added to the dropdown list.

The entry of the user identity store that was deleted appears on the list.

An error message is not displayed when you select the deleted user identity store in the dropdown list and click Apply.

The OAM Administration Console does not change and the configuration is not updated in back end.

32.3.9.2.3

LDAP, Kerberos and X509 Authentication Module

Use Case: Concurrent deletion and updating

Description

  1. Open an LDAP/Kerberos/X509 authentication module in edit mode in OAM Administration Console in Browser 1.

  2. Using OAM Administration Console in another browser (Browser 2) or using a WLST script, delete this authentication module.

  3. Now return to Browser 1 where the authentication module is opened in edit mode.

  4. Click the Apply button.

Current Behavior

The OAM Administration Console updates this authentication module configuration and writes it to back end.

The behavior is incorrect.

Use Case: Log Statements Detailing the Server Instance Creation, Update and Delete are Not present on OAM Administration Console side.

Description

When you create, edit or delete an authentication module from OAM Administration Console, the log statements corresponding to create, edit and delete are not written by the Console.

32.3.9.2.4

OAM 11G WebGate

Use Case: Concurrent Deletion and Update

Description

  1. Open an OAM 11g WebGate instance in edit mode in OAM Administration Console in Browser 1.

  2. Using the OAM Administration Console in another browser (Browser 2) or using a WLST script, delete this OAM 11g WebGate.

  3. Now return to the Browser1 where the server instance is opened in edit mode.

  4. Click on the Apply button.

Current Behavior

The OAM Administration Console for edit OAM11g WebGate does not change and the tab does not close.

A OAM11g WebGate configuration not found error dialog is displayed by the OAM Administration Console.

However, the navigation tree is blank and attempts to perform any operation results in a javax.faces.model.NoRowAvailableException".

The behavior is incorrect.

32.3.9.2.5

OSSO Agent

Use Case: Concurrent Deletion and Update

Description

  1. Open an OSSO Agent instance in edit mode in the OAM Administration Console in Browser 1.

  2. Using the OAM Administration Console in another browser (Browser 2) or using a WLST script, delete this OSSO Agent.

  3. Now return to the Browser 1 where the OSSO Agent instance is opened in edit mode.

  4. Click on Apply button.

Current Behavior

Editing the OSSO Agent in the OAM Administration Console results in a null pointer exception.

The behavior is incorrect.

32.3.10 OAM_REMOTE_USER Set to Value of USERPRINCIPALNAME and Not Value of CN

When using OAM 11g Native Windows Authentication support, the logged in userid that applications display may appear in a domain qualified format rather than a simple user name format. For example: myuid@MYDOMAN.

If your deployment makes use of both Windows Native Authentication and OAM form authentication, access to applications running on a WebLogic Server container authentication after a form based Single-Sign On may fail and thus not allow access. To correct this problem:

  1. Configure a second Active Directory Authenticator for your WebLogic Server domain.

    The configuration of the second Active Directory Authenticator will be identical to the first Active Directory Authenticator except the values of the UserFromNameFilter and UserNameAttribute configuration fields should be changed as follows:

    UserFromNameFilter:  (&(CN = %n)(objectclass=user)
UserNameAttribute: CN

  2. Order the second Active Directory Authenticator below the first authenticator and make sure that the JAAS flag for both is set to SUFFICIENT.

32.3.11 Install Guides Do Not Include Centralized Logout Configuration Steps

Single-Sign On is enabled after Oracle Access Manager is installed; to complete configuration of Single-Sign On out of the box, centralized log out must be configured post-install. Configure centralized log out by following direction from these sections:

32.3.12 Case Issue Between Host Identifier and Agent URL Prevents Recreation of WebGate Definition

When you try to recreate the WebGate definition and try to associate it with the same host identifier as before (with auto create policies unchecked), the creation is not successful because the Host Identifier fields are case sensitive whereas the WebGate base URL is case insensitive. The mismatch in case due to case sensitivity issue prevents the creation. Regardless of whether the definition was created or not, the OAM Administration Console will display a message that the operation was successful.

32.3.13 NULL Pointer Exception Shown in Administration Server Console During Upgrade

A NULL pointer exception occurs because of the configuration events trigger when the identity store shuts down. The upgrade is successful, however, and error messages are seen in administration server console. There is no loss of service.

If the NULL pointer is seen during upgrade, there is no loss of service, you can ignore the error.

If the NULL pointer is seen during WLST command execution, you must restart the administration server.

32.3.14 Using Access SDK Version 10.1.4.3.0 with OAM 11.1.1.3.0 Servers

In general, the Sun Microsystems JDK 1.4.x compiler is the JDK version used with the Java interfaces of Access SDK Version 10.1.4.3.0.

As an exception, the Java interfaces of the 64-bit Access SDK Version 10.1.4.3.0, specifically for the Linux operating system platform, requires the use of Sun Microsystems JDK 1.5.x compiler.

The new Session Management Engine capability within OAM 11.1.1.3.0 will create a session for every Access SDK version 10.1.4.3.0 call for authentication.

This may cause issues for customers that use Access SDK to programmatically authenticate an automated process. The issue is the number of sessions in the system that is generated within Access SDK will increase dramatically and cause high memory consumption.

32.4 Documentation Errata

This section describes documentation errata.

32.4.1 Correction for proxySSLHeaderVar Section of Administration Guide

The following corrected Header Variable, Default, Syntax will appear in Table 6-6, "Elements Common to Full Remote Registration Requests" of the "User Defined Parameters" section in the next release of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager:

proxySSLHeaderVar

.... The value of the header variable must be "ssl" or "nonssl". If the header variable is not set, the SSL state is decided by the SSL state of the current Web server.

Default: IS_SSL

<name>proxySSLHeaderVar</name>

<value>IS_SSL</value>

32.4.2 Steps for Configuring Logout for WebLogic Administration Console and Fusion Middleware Control (using an OAM 10g WebGate against an OAM 11g Server)

The WebLogic Administration Console and Fusion Middleware Control process logout in a way that requires the following workaround to ensure that when logout is selected that an SSO logout completes successfully.

Note:

This workaround will not clear the application session associated with the WebLogic Administration Console or Fusion Middleware Control. Despite the session not being cleared, any access attempt after logout will result in the user needing to reauthenticate. The application session will automatically time out after some time depending on the application's session configuration.

  1. Configure Rewrite URLs in the Web Server configured with 10g WebGate as below:

    Note:

    This step for configuring Rewrite URLs should be performed only if this Web server is to be configured with OAM WebGate. For example, if you later intend to configure OSSO Agent on this Web server, then you should remove these ReWriteRules.

    Edit the file under ohsinstance/config/OHS/ohs-inst-id/modules/admin.conf (or any other relevant file).

    RewriteRule ^/console/jsp/common/logout.jsp   /oamsso/logout.html 
RewriteRule ^/em/targetauth/emaslogout.jsp   /oamsso/logout.html

  2. Configure Logout URLs parameter for the 10g WebGate as below:

    1. Go to the OAM Administration Console.

      http://host:port/oamconsole

    2. Click the System Configuration tab.

    3. Click on the 10g WebGate profile (listed under Agents > 10g WebGates).

    4. Locate the List box titled Logout URL in the details page for the selected WebGate profile.

    5. Append (keep any existing values as it is) the following values to this list.

      Note that you have to enter each value in a new line:

      /console/jsp/common/logout.jsp 
/em/targetauth/emaslogout.jsp

    6. Click the Apply button in the top right.

    7. Restart the Web Server hosting this WebGate.

      This step is not mandatory. If not restarted, the WebGate configuration will take a few minutes to refresh.

Usage

  1. The WebLogic Administration Console and Fusion Middleware Control should always be accessed over a Web Server configured with an OAM WebGate.

  2. When you want to log out, click the logout link displayed by the Console or the Fusion Middleware Control applications.

32.4.3 Updated OAMCfgTool Requirements for Oracle Access Manager 10g (10.1.4.3)

OAMCfgTool can be used only if you are deploying the Oracle Access Manager 10g Identity Asserter for single sign-on, as described in the Oracle Fusion Middleware Security Guide.

OAMCfgTool launches a series of scripts to request information and set up the required profiles and policies in Oracle Access Manager 10g. In Validate mode, OAMCfgTool requires the ldap_base parameter be specified for all directory servers, including Oracle Internet Directory. This parameter species the base from which all LDAP searches are performed.

Although the ldap_base parameter parameter is required for Validate mode, the Oracle Fusion Middleware Security Guide lists this as an optional parameter in Table 16–6 OAMCfgTool VALIDATE Mode Parameters and Values.

32.4.4 Missing Requirement: Converting Oracle Access Manager Certificates to Java Keystore Format While Configuring SSO Solutions for Fusion Middleware

The topic "Converting Oracle Access Manager Certificates to Java Keystore Format" is missing and required to deploy the Oracle Access Manager 10g and 11g single sign-on solutions described in:

  • Oracle Fusion Middleware Security Guide E10043-05

  • Oracle Fusion Middleware Application Security Guide E10043-07

Following are the missing details, which will appear in the next release of the manual, immediately after:

  • Oracle Access Manager 10g Solution: Converting Oracle Access Manager certificates to Java Keystore format immediately follows "Installing Components and Files for Authentication Providers and OAM 10g" in the chapter "Configuring Single Sign-On Using Oracle Access Manager 10g".

  • Oracle Access Manager 11g Solution: Converting Oracle Access Manager certificates to Java Keystore format immediately follows "Installing the Authentication Provider with Oracle Access Manager 11g" in the chapter "Configuring Single Sign-On with Oracle Access Manager 11g".

32.4.4.1 Converting Oracle Access Manager Certificates to Java Keystore Format

Oracle recommends that all Java components and applications use JKS as the keystore format. This topic provides steps to convert Oracle Access Manager X.509 certificates to Java Keystore (JKS) format. These steps, when followed properly, generate the JKS stores that can be used while the Java NAP client wants to communicate with an Oracle Access Manager Access Server in Simple or Cert (certificate) mode.

When communicating in Simple or Cert mode, the Access Server uses a key, server certificate, and CA chain files:

  • aaa_key.pem: the random key information generated by the certificate-generating utilities while it sends a request to a Root CA. This is your private key. The certificate request for WebGate generates the certificate-request file aaa_req.pem. You must send this WebGate certificate request to a root CA that is trusted by the Access Server. The root CA returns the WebGate certificates, which can then be installed either during or after WebGate installation.

  • aaa_cert.pem: the actual certificate for the Access Server, signed by the Root CA.

  • aaa_chain.pem: the public certificate of the Root CA. This is used when peers communicating in Simple or Cert mode perform an SSL handshake and exchange their certificates for validity. In Simple Mode, the aaa_chain.pem is the OpenSSL certificate located inAccessServer_install_dir/access/oblix/tools/openssl/simpleCA/cacert.pem

Here, aaa is the name you specify for the file (applicable only to Cert and chain files).

You can edit an existing certificate with a text editing utility to remove all data except that which is contained within the CERTIFICATE blocks. You then convert the edited certificate to JKS format, and import it into the keystore. Java KeyTool does not allow you to import an existing Private Key for which you already have a certificate. You must convert the PEM format files to DER format files using the OpenSSL utility.

To convert an Oracle Access Manager certificate to JKS format and import it

  1. Install and configure Java 1.6 or the latest version.

  2. Copy the following files before editing to retain the originals:

    • aaa_chain.pem

    • aaa_cert.pem

    • cacert.pem, only if configuring for Simple mode

  3. Edit aaa_chain.pem using TextPad to remove all data except that which is contained within the CERTIFICATE blocks, and save the file in a new location to retain the original.

    -----BEGIN CERTIFICATE-----
...
CERTIFICATE
...
-----END CERTIFICATE-----

  4. Run the following command for the edited aaa_chain.pem:

    JDK_HOME\bin\keytool" -import -alias root_ca -file aaa_chain.pem -keystore 
rootcerts

    Here you are assigning an alias (short name) root_ca to the key. The input file aaa_chain.pem is the one that you manually edited in step 3. The keystore name is rootcerts.

    You must give a password to access the keys stored in the newly created keystore.

    Note:

    To ensure security, Oracle recommends that you allow the keytool to prompt you to enter the password. This prompt occurs automatically when the "-storepass" flag is omitted from the command line.

  5. Enter the keystore password, when asked. For example:

    Enter keystore password: <keystore_password>
Re-enter new keystore password: <keystore_password>

  6. Enter Yes when asked if you trust this tool:

    Trust this certificate? [no]: yes

  7. Confirm that the certificate has been imported to the JKS format by executing the following command and then the password.

    JDK_HOME\bin\keytool" -list -v -keystore "rootcerts"
Enter keystore password: <keystore_password>

  8. Look for a response like the following:

    Keystore type: JKS
Keystore provider: SUN
Your keystore contains n entries
Alias name: root_ca
Creation date: April 19, 2009
Entry type: trustedCertEntry

Owner: CN=NetPoint Simple Security CA - Not for General Use, OU=NetPoint, 
O="Oblix, Inc.", L=Cupertino, ST= California , C=US

Issuer: CN=NetPoint Simple Security CA - Not for General Use, OU=NetPoint, 
O="Oblix, Inc.", L=Cupertino, ST= California ,C=US

Serial number: x
Valid from: Tue Jul 25 23:33:57 GMT+05:30 2000 until: Sun Jul 25 23:33:57
GMT+05:30 2010

Certificate fingerprints
  MD5:  CE:45:3A:66:53:0F:FD:D6:93:AD:A7:01:F3:C6:3E:BC
  SHA1: D6:86:9E:83:CF:E7:24:C6:6C:E1:1A:20:28:63:FE:FE:43:7F:68:95
  Signature algorithm name: MD5withRSA
  Version: 1
*******************************************

  9. Repeat steps 3 through 7 for the other PEM files (except aaa_chain.pem unless there is a chain).

  10. Convert the aaa_key.pem file to DER format using the OpenSSL utility in the Access Server installation directory path. For example:

    AccessServer_install_dir\access\oblix\tools\openssl>openssl pkcs8 -topk8  
-nocrypt -in aaa_key.pem -inform PEM -out aaa_key.der –outform DER

    Here the input file is aaa_key.pem and the output file is aaa_key.der. Additional options include:

    Table 32-1 Options to Create DER Format Files from PEM

    Option Description

    -topk8

    Reads a traditional format private key and writes a PKCS#8 format key. This reverses the default situation where a PKCS#8 private key is expected on input and a traditional format private key is written.

    -nocrypt

    An unencrypted PrivateKeyInfo structure is expected for output.

    -inform

    Specifies the input format. If a PKCS#8 format key is expected on input, then either a DER or PEM encoded version of a PKCS#8 key is expected. Otherwise the DER or PEM format of the traditional format private key is used.

    -outform

    Specifies the output format. If a PKCS#8 format key is expected on output, then either a DER or PEM encoded version of a PKCS#8 key is expected. Otherwise the DER or PEM format of the traditional format private key is used.

  11. Simple or Cert Mode: In the PEM file (in this case, aaa_cert.pem), enter the pass phrase for the Oracle Access Manager Access Server if it is configured for Simple or Cert mode.

    Passphrase for the certificate

  12. Run the following command to convert the aaa_cert.pem file to DER format.

    AccessServer_install_dir\access\oblix\tools\openssl>openssl x509 -in  
aaa_cert.pem -inform PEM -out aaa_cert.der -outform DER

  13. Import the DER format files into a Java keystore using the ImportKey utility. For example:

    Java_install_dir\doc>java -Dkeystore=jkscerts ImportKey aaa_key.der   
aaa_cert.der

  14. Review the results in the window, which should look something like the following example:

    Using keystore-file : jkscerts
One certificate, no chain
Key and certificate stored
Alias:importkey  Password:your_password

  15. Proceed as described in the book

32.4.5 Missing: Oracle Access Manager 10g Authorization Rule Required for Authenticator When Configuring SSO Solution

The step to configure a default authorization rule for the Authenticator is missing and required to deploy the Oracle Access Manager 10g Authenticator function as described in:

  • Oracle Fusion Middleware Security Guide E10043-01 and E10043-05

  • Oracle Fusion Middleware Application Security Guide E10043-07

The following new Step 7 will appear in the next release of the manual in the procedure "To create a policy domain for the Oracle Access Manager Authenticator". See also the Oracle Access Manager Access Administration Guide, topic "Configuring Authorization Rules".

To create a policy domain for the Oracle Access Manager Authenticator

  1. Authorization Rule: Click the Authorization Rules tab, click Add and:

    1. Specify a rule name and, optionally, a brief description. For example:

      Name: Default rule for Authenticator.

      Description: Default rule enables Authenticator function for anyone.

    2. Select Yes from the Enabled list and then click Save.

    3. Click the rule, click the Allow Access tab, and then click Add.

    4. Under Role, select Anyone to allow anyone access to the protected resources.

    5. Click Save.

  2. ...

32.4.6 Missing: Configure mod_osso when Integrating with Oracle Identity Federation

A missing step must be added to the procedure for integrating Oracle Access Manager 11g with Oracle Identity Federation, as described in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager, part number E15740-02.

In Section 4.2, "Register Oracle HTTP Server with Oracle Access Manager", prior to executing Step 4 to copy the osso.conf file, you must configure mod_osso with static directives. The instructions for configuring mod_osso appear in Section 10.3.2.3.1, "Configuring mod_osso with Static Directives" of the Oracle Fusion Middleware Security Guide, part number E10043-04, at:

http://download.oracle.com/docs/cd/E15523_01/core.1111/e10043/osso.htm#JISEC4277