5 Oracle Access Management

This chapter describes issues associated with Oracle Access Management. It includes the following topics:

5.1 General Issues and Workarounds

This section describes general issues and workarounds organized around specific services. To streamline your experience, only services with a general issue are included.

If you do not find a service-related topic (Security Token Service, for example), there are no general issues at this time.

The following topics are included:

5.1.1 General Issues and Workarounds: Access Manager

This topic describes general issues and workarounds for Oracle Access Management Access Manager (Access Manager). It includes the following topics:

5.1.1.1 Exception Regarding WebGate Profiles Is Expected

When validating a WebGate 11g profile using the OAM Test Tool, an exception may be displayed on the invoking screen when the test tool connects to the OAM server - even though the screen shows a successful connection. This is expected and can be ignored.

5.1.1.2 Unable to Access "/" Context Root if Protected by OSSO Agent for 11g OHS

mod_osso agents shipped with 11g OHS cannot be configured to protect the context root '/'.

5.1.1.3 Access Manager Server Start Causes Exception Error

When the Access Manager Server is started, an ArmeRUNTIME exception error is thrown.

The exception error does not cause any loss of functionality.

5.1.1.4 Starting Access Manager When Protected by Oracle Entitlements Server Throws Exception

You will get a runtime exception when starting an instance of Access Manager protected by Oracle Entitlements Server. The exception can be ignored.

5.1.1.5 Access Tester Does Not Work with Non-ASCII Agent Names

Register a Webgate with Access Manager using a non-ASCII name. In the Access Tester, enter the valid IP Address, Port, and Agent ID (non-ASCII name), then click Connect.

Connection testing fails.

5.1.1.6 Authentication Fails: WNA Challenge, Active Directory, Users with Non-ASCII Characters

Configure Access Manager to use Kerberos Authentication Scheme with WNA challenge method, and create a non-ASCII user in Microsoft Active Directory.

Problem

An exception occurs when trying to get user details to populate the subject with the user DN and GUID attributes. Authentication fails and an error is recorded in the OAM Server log when a non-ASCII user in Active Directory attempts to access an Access Manager-protected resource:

... Failure getting users by attribute : cn, value ....

Cause

The username in the attribute is passed without modification as a java string.

Solution

Non-ASCII users can access the resource protected by Kerberos WNA scheme by applying the following JVM system property in the startManagedWeblogic.sh script in $DOMAIN_HOME/bin:

-Dsun.security.krb5.msinterop.kstring=true

5.1.1.7 Simple Mode is Not Supported for JDK 1.6 and AIX

Simple mode is not supported with JDK 1.6 and on AIX platforms. Use Open or Cert mode instead.

5.1.1.8 User Might Need to Supply Credentials Twice with DCC-Enabled Webgate

Problem

When you have a Detached Credential Collector-enabled Webgate combined with a resource Webgate, the user might have to provide credentials twice. This can occur when login is triggered with a URL that results in an internal forward by Oracle HTTP Server.

Workaround

To resolve this issue, you can use following workaround:

  1. Edit the httpd.conf file to add rewrite rules that redirect the browser for directory access (place them before the Webgate configuration include). For example:

    RewriteEngine On
    RewriteRule     ^(.*)/$         "$1/welcome-index.html"      [R]
    
  2. SSL-enabled Web server: Repeat these rules under SSL configuration.

5.1.2 General Issues and Workarounds: Security Token Service

This topic describes general issues and workarounds for Oracle Access Management Security Token Service (Security Token Service). It includes the following topics:

5.1.2.1 Issues with Searches and Non-English Browser Settings

Security Token Service searches might not return the expected result when the browser language is set to a non-English language. For example, this occurs when setting the:

  • Requesters, Relying Parties and Issuing Authorities Partner Type field to Requester, Relying Party or Issuing Authority when the Oracle Access Management Console browser setting is non-English.

  • Token Issuance Templates Token Type to Username when the Oracle Directory Services Manager browser setting is non-English.

  • Token Validation Templates Token Type to Username when the Oracle Directory Services Manager browser setting is non-English.

When the browser language is English, the search returns expected results.

5.1.3 General Issues and Workarounds: Identity Federation

This topic describes general issues and workarounds for Oracle Access Management Identity Federation (Identity Federation). It includes the following topics:

5.1.3.1 Federation Metadata is not Accessible after Upgrade

After an upgrade from PS1 to R2, the new environment also contains Identity Federation. If you enable Identity Federation and try to access the federation metadata, an error occurs.

To work around this problem, issue the following WLST commands:

connect('<username>', '<password>', 't3://<host>:port')

domainRuntime()

putStringProperty('/stsglobal/jaxbcontextpath','oracle.security.fed.xml.soap.v11:oracle.security.fed.xml.soap.v12:oracle.security.fed.xml.security.dsig:oracle.security.fed.xml.security.enc:oracle.security.fed.xml.security.trust.v12:oracle.security.fed.xml.security.trust.v13:oracle.security.fed.xml.security.trust.v14:oracle.security.fed.xml.ws.addressing.v09:oracle.security.fed.xml.ws.addressing.v10:oracle.security.fed.xml.ws.policy.v12:oracle.security.fed.xml.security.wss.ext.v10:oracle.security.fed.xml.security.wss.ext.v11:oracle.security.fed.xml.security.wss.policy.v11:oracle.security.fed.xml.security.wss.policy.v12:oracle.security.fed.xml.security.wss.utility.v10:oracle.security.fed.xml.security.saml.v11.assertion:oracle.security.fed.xml.security.saml.v11.protocol:oracle.security.fed.xml.security.saml.v1x.assertion:oracle.security.fed.xml.security.saml.v1x.protocol:oracle.security.fed.xml.security.saml.v1x.metadata:oracle.security.fed.xml.security.saml.v20.assertion:oracle.security.fed.xml.security.saml.v20.protocol:oracle.security.fed.xml.security.saml.v20.metadata:oracle.security.fed.xml.security.identity.v10:oracle.security.fed.xml.security.openid.v20:oracle.security.fed.xml.security.openid.v20.xrd')

5.1.3.2 Federation Redirect URLs May be Overwritten in Concurrency Mode

In concurrency mode where several clients use the Access Manager server for Federation at the same time, the redirect URLs created by Access Manager and the Federation Plugin for a client may be overwritten with the redirect URL created for another client.

5.1.3.3 Errors when Webgate has Credential Collector Option Enabled

This problem is seen in the following situation:

  • Webgate fronts a resource.

  • The "Allow Credential Collector Operations" option is checked for that Webgate.

  • The resource is protected by a policy using FederationScheme.

Due to this issue, when access to the resource is requested, the server returns a 200 response containing a URL to which the browser then submits the request using POST, whereas the browser should have been redirected to that URL with a 302.

To resolve this issue, for Webgate agents fronting resources protected with the FederationScheme, disable the "Allow Credential Collector Operations" option.

5.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds organized around specific services. To streamline your experience, only services with an issue are included. For example, Identity Context has no known issues at this time and is not included. The following topics are included:

5.2.1 Configuration Issues and Workarounds: Access Manager

This topic describes configuration issues and workarounds for Oracle Access Management Access Manager (Access Manager). It includes the following topics:

5.2.1.1 Enabling OpenSSO Agent Configuration Hotswap

To enable OpenSSO Agent configuration hotswap, make sure the OpenSSO agents have the following properties in the Miscellaneous properties section of the agent's registration in the OpenSSO Proxy on OAM Server, and that the agent servers are restarted:

J2EE Agents:

com.sun.identity.client.notification.url=http://<AGENT_SERVER_HOST>:<AGENT_SERVER_PORT>/agentapp/notification

Web Agents:

com.sun.identity.client.notification.url=http://<AGENT_SERVER_HOST>:<AGENT_SERVER_PORT>/UpdateAgentCacheServlet?shortcircuit=false

Not supported for Web Agents:

com.sun.identity.agents.config.change.notification.enable=true

Restart the OAM Server hosting the agent.

5.2.2 Configuration Issues and Workarounds: Security Token Service

This topic describes configuration issues and their workarounds for Oracle Access Management Security Token Service (Security Token Service). It includes the following topics:

5.2.2.1 Create Like (Duplicate) Does Not Copy All Properties of Original Template

Security Token Service Create Like (duplicate) button does not copy some properties on the original Issuing Authority Profile template (the Security and Attribute Mapping sections, for instance).

The Administrator must manually enter the necessary configuration items into the newly created Issuing Authority Profile:

  1. From the Oracle Access Management Console System Configuration tab, Security Token Service section, go to Issuance Templates.

  2. Select an existing Issuance Template and click the Create Like (duplicate) button.

  3. Create the new copied Issuance Template and manually enter the necessary configuration items in the newly created Template.

5.2.2.2 Incorrect Value in the Kerberos Validation Template

In the Security Token Service Kerberos Validation template, the Kerberos Principal No Domain value in the drop-down list sets an incorrect value:

Incorrect Value: STS_KERBEROS_NODOMAIN

Correct Value: STS_KERBEROS_PRINCIPAL_NODOMAIN

To use the Kerberos Principal No Domain option, the Administrator must select a blank field in the drop-down list and manually set STS_KERBEROS_PRINCIPAL_NODOMAIN in the field next to the list.

  1. From the Oracle Access Management Console System Configuration tab, Security Token Service section, go to Token Validation Template:

  2. Click the Add button.

  3. Provide a name, select token type as Kerberos and enter other details.

  4. In the Token Mapping tab, select Map Token to User from the drop-down list and then enable Enable Simple User Mapping.

  5. From the User Token Attribute drop-down, select Kerberos Principal No Domain: select a blank field in the drop-down list and manually set STS_KERBEROS_PRINCIPAL_NODOMAIN in the field next to the list.

  6. Give a value for the Datastore Attribute and Save.

In oam-config.xml, the User Token Attribute should have STS_KERBEROS_PRINCIPAL_NODOMAIN as its value.

5.2.2.3 No Console Support Removing Partner Encryption or Signing Certificates

Oracle Access Management Console does not provide a way to remove a signing or encryption certificate that was set for a Security Token Service Partner.

The Administrator must manually delete these using the following WLST commands:

To delete the signing certificate of a Security Token Service Partner:

deletePartnerSigningCert 

To delete the encryption certificate of a Security Token Service Partner:

deletePartnerEncryptionCert 

5.2.2.4 Resource URLs Removed During Create Like (Duplicate) Operation

When using the Security Token Service Create Like (duplicate) button with existing Relying Parties, the URLs listed in the Resource URLs section of the original relying party are removed, although they should remain unchanged.

The Administrator must manually re-enter the necessary URLs, or not use the Create Like button when creating Relying Parties.

5.2.2.5 Error Sending USERNAME TOKEN with NONCE

The following error can be seen in Security Token Service logs when sending USERNAME TOKEN with NONCE:

<oracle.security.fed.model.util.rdbms.RDBMSBatchExecutor> <FEDSTS-11013> <SQL Error seen while interacting with the database:
java.sql.BatchUpdateException: ORA-12899: value too large for column "DEV_OAM"."ORAFEDBLOBSTORE"."BLOBID"

Have the client send a smaller nonce.
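As an added illustration of the client-side fix (not code from the release note or from Oracle), the following Python helper builds a WS-Security UsernameToken whose nonce is capped before the request is sent. The 16-byte cap is an assumption, since the note does not state the width of the BLOBID column; the digest follows the WSS UsernameToken profile, Base64(SHA-1(nonce + created + password)).

```python
import base64
import hashlib
import os
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Assumed client-side bound on the raw nonce size. The release note does not
# give the width of ORAFEDBLOBSTORE.BLOBID, so 16 random bytes (24 Base64
# characters) is chosen here as a compact, conventional nonce size.
MAX_NONCE_BYTES = 16

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def make_nonce(num_bytes=MAX_NONCE_BYTES):
    """Return a Base64-encoded random nonce no larger than the assumed bound."""
    if not 1 <= num_bytes <= MAX_NONCE_BYTES:
        raise ValueError("nonce must be between 1 and %d bytes" % MAX_NONCE_BYTES)
    return base64.b64encode(os.urandom(num_bytes)).decode("ascii")


def check_nonce_size(nonce_b64, max_bytes=MAX_NONCE_BYTES):
    """True if the decoded nonce fits the bound; run this before sending."""
    return len(base64.b64decode(nonce_b64)) <= max_bytes


def password_digest(nonce_b64, created, password):
    """PasswordDigest per the WSS UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def username_token(username, password, nonce_b64=None, created=None):
    """Build a wsse:UsernameToken with PasswordDigest, Nonce and Created elements."""
    nonce_b64 = nonce_b64 or make_nonce()
    if not check_nonce_size(nonce_b64):
        # Refuse locally rather than let the STS fail with ORA-12899 on insert.
        raise ValueError("nonce exceeds %d bytes" % MAX_NONCE_BYTES)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    digest = password_digest(nonce_b64, created, password)
    return (
        '<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s">'
        "<wsse:Username>%s</wsse:Username>"
        '<wsse:Password Type="%s">%s</wsse:Password>'
        '<wsse:Nonce EncodingType="%s">%s</wsse:Nonce>'
        "<wsu:Created>%s</wsu:Created>"
        "</wsse:UsernameToken>"
    ) % (WSSE_NS, WSU_NS, escape(username), DIGEST_TYPE, digest, B64_ENCODING, nonce_b64, created)


if __name__ == "__main__":
    # Constructed sample credentials, not values from any real deployment.
    print(username_token("sts-client", "example-password"))
```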

5.2.3 Configuration Issues and Workarounds: Identity Federation

This topic describes configuration issues and their workarounds for Oracle Access Management Identity Federation (Identity Federation). It includes the following topics:

5.2.3.1 Provider Search Text Fields do an Exact Match Search

Users should be aware that in the Oracle Access Management Console, the Identity Provider search screen does an exact match (==) for the ProviderId and Partner name fields, rather than a "contains" search.

5.2.3.2 Incorrect Error Message when an Invalid Signing Certificate is Uploaded

While creating/editing an IdP, if you upload an invalid file for a signing certificate, you will see a Null pointer exception error message instead of a proper message indicating that the file does not contain a certificate.

5.2.3.3 Data is Cached in the Keystore Templates Table upon Validation Error

When data entered in the keystore templates table in the Oracle Access Management Console is rejected due to a validation error, the error is shown and the invalid row of the table is not saved.

However, this invalid row is cached in the user interface and closing and reopening the Federation Setting tab does not refresh the data. You must log in again to refresh the data.

5.2.3.4 Cannot Specify Multiple Non-Proxy Hosts for Identity Federation

In the Federation Settings page of the Oracle Access Management Console, the non-proxy hosts field is meant to take a delimited list of non-proxy hosts using a semi-colon (;) separator.

However this field currently does not allow semi-colons (;) in the input characters.

If you need to specify more than one non-proxy host (for example host1 and host2), the workaround is to use WLST as follows:

connect('<adminuser>','<adminpassword>','t3://<HOST_NAME>:<WLS_ADMIN_PORT>')

domainRuntime()

putStringProperty("/fedserverconfig/nonproxyhosts", "host1;host2")

5.2.3.5 Invalid IdP is Created if Incorrect Metadata Imported

When creating an IdP with the Oracle Access Management Console, if you choose an invalid Metadata XML file (such as an SP metadata file), you get an error message indicating that the metadata is invalid. The message is as follows:

ADFC-10001: cannot instantiate class 'oracle.security.am.fed.oif.managedbeans.idp.EditIDProviderMB'

However if you still continue with the task and click Save, the IdP is created with the incorrect metadata file and there is an exception in the console, which makes the console unusable until you re-login.

5.2.3.6 WLST Commands for OpenID IdP Partner

The Federation WLST commands to add an OpenID IdP partner are not listed in the WLST Federation help.

The supported commands are:

  • addOpenID20IdPFederationPartner: Creates an OpenID 2.0 IdP Federation partner

  • addOpenID20GoogleIdPFederationPartner: Adds Google as an OpenID 2.0 IdP Partner

  • addOpenID20YahooIdPFederationPartner: Adds Yahoo as an OpenID 2.0 IdP Partner

addOpenID20IdPFederationPartner

The syntax is as follows:

addOpenID20IdPFederationPartner(partnerName, ssoURL, discoveryURL, description)

The parameters are as follows:

  • partnerName=The name of the partner to be created.

  • ssoURL=The endpoint URL of the IdP (OP).

  • discoveryURL=The discovery URL of the IdP (OP).

  • description=Description of the partner. This is optional.

addOpenID20GoogleIdPFederationPartner

The syntax is as follows:

addOpenID20GoogleIdPFederationPartner()

This command does not take any parameters.

addOpenID20YahooIdPFederationPartner

The syntax is as follows:

addOpenID20YahooIdPFederationPartner()

This command does not take any parameters.

5.2.3.7 No Console Support for Federation OpenID IdP Partner

The federation IdP partner page, accessed in the Oracle Access Management Console from the System Configuration tab, Identity Federation, Identity Providers, does not provide support for OpenID IdP/OP partners.

As a workaround, you can use the Federation OpenID WLST commands to add an OpenID IdP/OP partner. For details, see Section 5.2.3.6.

5.2.3.8 SSO Error when federationscheme for a Partner Protects a Resource

This issue is seen in the following scenario:

  • A Federation IdP partner has been added.

  • An Authentication Scheme and Module were created using the Oracle Access Management Console or WLST commands for that IdP partner.

  • An authentication policy is created using the newly created Authentication Scheme for that partner.

  • A resource is protected with this policy.

Due to an incorrect configuration in the newly created Authentication Module for that partner, an error is seen in the browser and in the logs.

The workaround is as follows:

  1. Log in to the Oracle Access Management Console.

  2. Click the System Configuration Tab.

  3. On left hand side, click Access Manager.

  4. Expand Authentication Modules.

  5. Expand Custom Authentication Module.

  6. Double-click on the new Federation authentication module (IdPNameFederationPlugin).

  7. Go to the Steps Orchestration tab in the right hand side.

  8. In the Initial Step drop-down, select FedAuthnRequestPlugin.

5.2.4 Configuration Issues and Workarounds: Mobile and Social

This topic describes configuration issues and their workarounds for Oracle Access Management Mobile and Social (Mobile and Social). It includes the following topics:

5.2.4.1 Once Set, Jail Breaking "Max OS Version" Setting Cannot be Empty

Once you assign a value to the Jail Breaking Detection Policy "Max OS Version" setting, you cannot remove the value and leave the field empty. Per the documentation, the Max OS Version field is used to configure the maximum iOS version to which the Jail Breaking policy applies. If the value is empty, a maximum iOS version number is not checked so the policy applies to any iOS version higher than the value specified for Min OS Version. Once set, however, the value cannot go back to being empty. To work around this issue, set a value for the Max OS Version field.

5.2.4.2 Additional Configuration Required After Running Test-to-Production Scripts

When moving Mobile and Social from a test environment to a production environment, complete the following configuration steps on each production machine after running the Test-to-Production scripts:

  1. Launch the Oracle Access Management Console.

  2. On the Policy Configuration tab, choose Shared Components > Authentication Schemes > OIC Scheme and click Open.

    The Authentication Schemes configuration page opens.

    Update the Challenge Redirect URL value to point to the production machine, not the test machine, then click Apply.

    For example: https://production_machine:port/oic_rp/login.jsp

  3. Update the Mobile and Social credential store framework (CSF) entry to point from the test machine to the production machine. To do this, run the following WLST command:

    createCred(map="OIC_MAP", key="https://<production machine host>:<production machine port>/oam/server/dap/cred_submit", user="<description>", password="DCC5332B4069BAB4E016C390432627ED", desc="<description>")

    For password, use the value from oam-config.xml, which is located in the domain home/config/fmwconfig directory on the production machine. Use the value from the RPPartner entry, TapCipherKey attribute.

  4. In the Oracle Access Management Console, do the following:

    1. Select the System Configuration tab.

    2. Choose Mobile and Social > Internet Identity Services.

    3. In the Application Profiles section, select OAMApplication and click Edit. (If using an application profile name other than OAMApplication, edit that instead.)

    4. Update the Registration URL field host name and port to point to the production machine, then click Apply.

5.3 Oracle Access Management Console Issues

This section documents issues that affect the Oracle Access Management Console. It includes the following topics:

5.3.1 Messages Sent From the Server to the Client Can Appear in a Foreign Language

If the OAM Server and the Oracle Access Management Console client are configured for different locales, the server will report error messages to the client in whichever language the server is configured for.

5.4 Documentation Errata

This section describes documentation errata for Oracle Access Management-specific manuals. It includes the following titles:

5.4.1 Oracle Fusion Middleware Administrator's Guide for Oracle Access Management

The description of the Max Session Time element in Chapter 13, Registering and Managing OAM 11g Agents has been updated.

5.4.2 Oracle Fusion Middleware Developer's Guide for Oracle Access Management

There are no documentation issues in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management.