This chapter describes issues associated with the installation and configuration process of Oracle Identity and Access Management 11g Release 2 (11.1.2). It includes the following sections:
This section describes general issues and workarounds. It includes the following topics:
Section 2.1.2, "Launching Oracle Identity Manager Configuration Wizard on AIX with JDK7"
Section 2.1.4, "Unable to Add Weblogic Password in the Fusion Middleware Configuration Wizard"
When you try to install Oracle Identity Manager (OIM) Design Console on a Windows machine that has a firewall between it and the OIM server, running the config.cmd command displays the following error message:
Error in validating the Hostname field value.Entered host is not up and running
To install OIM Design Console, you must open port 7 in the firewall.
You cannot launch the Oracle Identity Manager Configuration Wizard on AIX with JDK7 when you run the script $<ORACLE_HOME>/bin/config.sh.
The Oracle Universal Installer window appears if you add the -jreLoc option on the command line: $<ORACLE_HOME>/bin/config.sh -jreLoc <JRE_HOME>
On AIX, the Simple security mode does not work with Oracle Access Management Server 11.1.2.
Workaround: Use either the Open or Cert security mode.
In the Fusion Middleware Configuration Wizard, you cannot add the WebLogic password in the Configure Administrator User Name and Password screen.
Workaround:
When you are prompted to enter the WebLogic user password, you may not be able to enter it. Click Next to go to the next screen. The error "Password cannot be empty" is displayed. Go back to the previous screen and type in the password again.
Note:
Before running the Oracle Fusion Middleware Configuration Wizard, ensure that you have installed the following:
Oracle WebLogic Server 11g Release 1 (10.3.6) or Oracle WebLogic Server 11g Release 1 (10.3.5)
Oracle SOA Suite 11.1.1.6.0 (Oracle Identity Manager Users Only)
Oracle Identity and Access Management 11g Release 2 (11.1.2)
In a join domain scenario between Oracle Identity Manager and Oracle Access Management, the keystore file configured in the Oracle Platform Security Services (OPSS) configuration does not exist, but passwords are already available in the Credential Store Framework (CSF) store from the OIM installation. Hence, when the Oracle Access Management Server tries to store the keystore file, it fails because the key already exists.
Workaround:
Before starting the Administration Server, copy the keystore file from the Oracle Identity Manager domain to the Oracle Access Management domain's keystore location.
For example: copy the default keystore (.jks) file from <OIM domain>/config/fmwconfig to <OAM domain>/config/fmwconfig.
Note:
This step should be performed after you have configured the Oracle Access Management domain using config.sh but before you start the Administration Server.
In the Oracle Identity Manager domain, look for the default context in jps-config.xml. Under this, locate the keystore service and the keystore file location.
Copy this keystore (.jks) file to the location defined in the Oracle Access Management domain keystore location under the OPSS (jps-config.xml) configuration.
This section describes configuration issues and their workarounds. It includes the following topics:
Section 2.2.1, "Apply Patches and Manually Copy OIM Adapter Template"
Section 2.2.4, "Use Absolute Paths While Running configureSecurityStore.py With -m Join"
Section 2.2.5, "Warning Messages from idmConfigTool -upgradeLDAPUsersForSSO are Safe to Ignore"
The patches and workaround described in this note are required only if you are integrating Oracle Access Manager or Oracle Identity Manager with Oracle Unified Directory, and Oracle Unified Directory is configured for High Availability in active-active mode.
After performing a fresh installation of Oracle Identity and Access Management, apply the patch for Oracle Identity Manager Bug 16390983 and also Patch 15894053.
Then manually copy the file adapter_template_oim.xml from ORACLE_COMMON_HOME/modules/oracle.ovd_11.1.1/templates/ to IAM_ORACLE_HOME/libovd/. For example:
cp ORACLE_COMMON_HOME/modules/oracle.ovd_11.1.1/templates/adapter_template_oim.xml IAM_ORACLE_HOME/libovd/
When you start the Oracle Fusion Middleware Configuration Wizard by running the config.cmd or the config.sh command, the following error message is displayed:
*sys-package-mgr*: can't create package cache dir
The error message indicates that the default cache directory is not valid. You can change the cache directory by including the -Dpython.cachedir=<valid_directory> option on the command line.
Follow these steps after installing Oracle Access Management (OAM) 11g Release 2 (11.1.2) or Oracle Identity Manager (OIM) 11g Release 2 (11.1.2):
Configure the domain.
Configure the Configsecuritystore.
Copy the jps-config.xml file to jps-config.xml_old for recovery and reference.
Edit the jps-config.xml file as follows:
Look for the XML element:
<serviceInstance name="pdp.service" provider="pdp.service.provider">
Delete the following two entries:
<property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/>
<property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
After you delete these two properties, their default values take effect. The defaults are true and 600000 (10 minutes), respectively.
Add the following entry in the same section:
<property name="oracle.security.jps.pd.client.PollingTimerInterval" value="31536000"/>
The edited XML must look like the following:
<serviceInstance name="pdp.service" provider="pdp.service.provider">
  <description>Runtime PDP service instance</description>
  <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="mixed"/>
  <property name="oracle.security.jps.runtime.instance.name" value="OracleIDM"/>
  <property name="oracle.security.jps.runtime.pd.client.sm_name" value="OracleIDM"/>
  <property name="oracle.security.jps.policystore.refresh.enable" value="true"/>
  <property name="oracle.security.jps.pd.client.PollingTimerInterval" value="31536000"/>
</serviceInstance>
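The same edit applied programmatically, as an added example that is not part of the release notes: it removes the two properties so their defaults apply and adds the polling interval, updating rather than duplicating it if the file has already been edited. It assumes the 11g jps-config.xml default namespace (JPS_NS) and uses the serviceInstance shown above, plus the two entries to delete, as constructed input.

```python
# Added example, not Oracle's code: apply the documented jps-config.xml edit to
# the pdp.service instance with ElementTree (drop two properties so their defaults
# apply, add the polling interval). Assumes the 11g default namespace JPS_NS.
import xml.etree.ElementTree as ET

JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
REMOVE = ("oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled",
          "oracle.security.jps.ldap.policystore.refresh.interval")
ADD = {"oracle.security.jps.pd.client.PollingTimerInterval": "31536000"}
_local = lambda tag: tag.rsplit("}", 1)[-1]  # local name, with or without the xmlns

def _find_pdp(root):
    for si in root.iter():
        if (_local(si.tag) == "serviceInstance" and si.get("name") == "pdp.service"
                and si.get("provider") == "pdp.service.provider"):
            return si
    raise ValueError("no pdp.service serviceInstance found")

def fix_pdp_service(xml_text):
    """Return (edited_xml, {property name: value}) for the pdp.service instance."""
    ET.register_namespace("", JPS_NS)  # keep the default xmlns on output
    root = ET.fromstring(xml_text)
    pdp = _find_pdp(root)
    ns = pdp.tag[:pdp.tag.index("}") + 1] if "}" in pdp.tag else ""
    props = [p for p in pdp if _local(p.tag) == "property"]
    for p in props:
        if p.get("name") in REMOVE:
            pdp.remove(p)  # defaults (true / 600000) now apply
    for name, value in ADD.items():
        existing = next((p for p in props if p.get("name") == name), None)
        if existing is not None:
            existing.set("value", value)  # idempotent: update, do not duplicate
        else:
            ET.SubElement(pdp, ns + "property", name=name, value=value)
    result = {p.get("name"): p.get("value") for p in pdp if _local(p.tag) == "property"}
    return ET.tostring(root, encoding="unicode"), result

# Constructed before-state: the serviceInstance shown above plus the two entries to delete.
SAMPLE = f"""<jpsConfig xmlns="{JPS_NS}"><serviceInstances>
<serviceInstance name="pdp.service" provider="pdp.service.provider">
  <description>Runtime PDP service instance</description>
  <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="mixed"/>
  <property name="oracle.security.jps.runtime.instance.name" value="OracleIDM"/>
  <property name="oracle.security.jps.runtime.pd.client.sm_name" value="OracleIDM"/>
  <property name="oracle.security.jps.policystore.refresh.enable" value="true"/>
  <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="false"/>
  <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="10000"/>
</serviceInstance></serviceInstances></jpsConfig>"""
```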
The Configure Security Store fails to create the policy store object when you use variables such as ORACLE_HOME and MW_HOME while running configureSecurityStore.py with the -m join parameter. Specify absolute paths for ORACLE_HOME and MW_HOME when running the command with the -m join parameter.
If you upgrade existing LDAP users using a command such as:
idmConfigTool.bat -upgradeLDAPUsersForSSO input_file=filename
you might see warning messages similar to these:
WARNING: Expiry date not present in cn=oamadmin,cn=Users, dc=us,dc=oracle,dc=com
WARNING: Expiry date not present in cn=weblogic_idm,cn=Users, dc=us,dc=oracle,dc=com
WARNING: Expiry date not present in cn=orcladmin, cn=Users, dc=us,dc=oracle,dc=com
These messages do not impact function and can be safely ignored.
This section describes the necessary patches that you must apply for installing and configuring Oracle Identity Manager.
Note:
This section provides the mandatory patches that were available at the time of publishing the release notes. For additional changes and revised patch requirements, see My Oracle Support document ID 1908280.1.
The patches must be downloaded only after you have installed Oracle Identity Manager using the Oracle Identity and Access Management 11g Release 2 (11.1.2) Installer and before starting the Oracle Identity Manager configuration.
Table 2-1 provides information about the mandatory patches required for Oracle Identity Manager. These patches can be applied in any order.
Table 2-1 Patches Required to Fix Specific Issues with Oracle Identity Manager 11g Release 2 (11.1.2)
Oracle Fusion Middleware Product or Component | Patch Number/Name | When to Apply? | Description |
---|---|---|---|
Oracle Application Access Controls Governor | 13931550 | After installing Oracle Identity and Access Management | This is a mandatory Oracle Application Access Controls Governor patch. Follow the |
Oracle Containers for J2EE | 14049150 | After installing Oracle Identity and Access Management | This is a mandatory Oracle Containers for J2EE patch. Follow the |
Oracle SOA Suite | 16702086 | After installing Oracle SOA Suite | This is a mandatory Oracle SOA Suite Bundle Patch 11.1.1.6.7 patch. Follow the |
Oracle SOA Suite | 17988119, 18486891, 13973356 | After installing Oracle SOA Suite Bundle Patch 11.1.1.6.7 | These mandatory Oracle SOA Suite patches need to be applied after Oracle SOA Suite has been upgraded to Bundle Patch 11.1.1.6.7 using patch 16702086. Select patch version 11.1.1.6.7, download the patches, and follow the |
Oracle User Messaging Service | 16366204 | After installing Oracle SOA Suite | This is an Oracle User Messaging Service (UMS) patch. Select patch version 11.1.1.6.0, download the patch, and follow the |
Oracle Application Development Framework | 19597633 | After installing Oracle Identity and Access Management | This is an Oracle Application Development Framework (ADF) patch. Follow the |
Oracle Virtual Directory | 14016801 | After installing Oracle Identity and Access Management | This is a mandatory Oracle Virtual Directory patch. Follow the |
Oracle Virtual Directory - Identity Virtualization Library (libOVD) | 18919213 | After installing Oracle Identity and Access Management | This is a mandatory patch if you are using Identity Virtualization Library (libOVD). Note that this patch is classified as an Oracle Virtual Directory patch. Select patch version 11.1.1.6.0, download the patch, and follow the |
Oracle Unified Directory | 18489893 | After installing Oracle Unified Directory | This is a mandatory patch if you are using Oracle Unified Directory. Download the version of this patch that corresponds with the version of Oracle Unified Directory you installed. Follow the |
To download the patches, do the following:
Log in to My Oracle Support.
Click Patches & Updates.
Select Patch name or Number.
Enter the patch number.
Click Search.
Download and install the patch.