Oracle® Fusion Applications Administrator's Troubleshooting Guide
11g Release 1 (11.1.4)

Part Number E25450-03

7 Troubleshooting Oracle Identity Management

Use this chapter to troubleshoot runtime Oracle Fusion Applications problems that may have originated in the Oracle Identity Management and security integration layer. That is: Your Oracle Fusion Applications deployment was operating properly, but stopped doing so, and the cause appears to be related to identity or security integration.

This chapter contains the following topics:

Some procedures in this chapter reference content in the Oracle Fusion Middleware guides. Those guides describe Fusion Middleware Control; the same procedures also apply to Fusion Applications Control.

In addition to this chapter, review the Oracle Fusion Middleware Error Messages Reference for information about the error messages you may encounter.

7.1 Introduction to Troubleshooting Oracle Identity Management

This section provides guidelines and a process for using the information in this chapter. Following them will focus your troubleshooting and minimize the time you spend resolving problems.

Guidelines

When using the information in this chapter, Oracle recommends:

Process

Follow the process outlined in Table 7-1 when using the information in this chapter. If the information in a particular section does not resolve your problem, proceed to the next step in this process.

Table 7-1 Process for Using the Information in this Chapter

Step 1 (Section 7.2): Get started troubleshooting Oracle Identity Management. The procedures in this section quickly address a wide variety of problems.

Step 2 (Section 7.3): Perform problem-specific troubleshooting procedures. This section describes:

  • Symptoms of specific Oracle Fusion Applications runtime problems that may have originated in the Oracle Identity Management and security integration layer

  • Possible causes of the problems

  • Solution procedures corresponding to each of the possible causes

Step 3 (Section 7.4): Get Oracle Identity Management component-specific troubleshooting information. Use this section if you have isolated your problem to a specific Oracle Identity Management component or want to learn more about a component.

Step 4 (Section 13.1): Use My Oracle Support to get additional troubleshooting information about Oracle Fusion Applications or Oracle Identity Management. My Oracle Support provides access to several useful troubleshooting resources, including Knowledge Base articles and Community Forums and Discussions.

Step 5 (Section 13.1): Log a service request if the information in this chapter and My Oracle Support does not resolve your problem. You can log a service request using My Oracle Support at https://support.oracle.com.


7.2 Getting Started with Troubleshooting Oracle Identity Management

Start troubleshooting by performing the procedures in this section, as they quickly address a wide variety of problems. If the procedures in this section do not resolve your problem, proceed to Section 7.3.

This section contains the following topics:

7.2.1 Verifying Oracle Internet Directory Identity Stores Can Perform Look Ups

When using Oracle Internet Directory as the identity store, it must be configured to index the displayName attribute. If Oracle Internet Directory is not configured to index the displayName attribute, operations that require looking up users and roles in the identity store will fail.

To verify an Oracle Internet Directory identity store is configured to index the displayName attribute:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory identity store instance. Refer to the "Invoking Oracle Directory Services Manager" and "Connecting to the Server from Oracle Directory Services Manager" sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for more information.

  2. Click Schema on the Oracle Directory Services Manager task selection bar.

  3. Expand the Attributes area of the navigation panel, enter displayName in the search field, and click the Go (>) button to search for the displayName attribute.

  4. Click the displayName attribute in the search results. The configuration details for the displayName attribute appear in the main screen.

  5. Verify the Indexed option is selected (checked) in the configuration details.

    If the Indexed option is not selected, click the button labeled "attribute will be cataloged/decataloged" below the search field in the navigation tree to index the attribute.

    Refer to the "Adding an Index to an Existing Attribute by Using Oracle Directory Services Manager" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for more information.
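The same check can be scripted against an LDIF export of the directory's catalog entry, which is useful when several Oracle Internet Directory instances must be verified. The following Python is an added example, not part of this guide or of Oracle Internet Directory. It assumes that Oracle Internet Directory lists its indexed attributes as values of orclindexedattribute on the cn=catalogs entry (an assumption to confirm against your own export), and the LDIF below is constructed.

```python
import base64
import re

# Constructed sample of what an LDIF export of the OID catalog entry is assumed
# to look like: indexed attributes as values of orclindexedattribute on
# cn=catalogs (assumption; compare with your own export). displayName is
# deliberately missing from the first sample.
SAMPLE_CATALOG_LDIF_MISSING = """\
dn: cn=catalogs
objectclass: top
objectclass: orclcatalog
orclindexedattribute: cn
orclindexedattribute: uid
orclindexedattribute: mail
orclindexedattribute: orclguid
"""

SAMPLE_CATALOG_LDIF_OK = SAMPLE_CATALOG_LDIF_MISSING + "orclindexedattribute: displayName\n"


def ldif_attribute_values(ldif_text, attribute):
    """Return every value of `attribute` found in the LDIF text.

    Handles LDIF line folding (a continuation line starts with a single space)
    and base64-encoded values written as `attr:: <base64>`. Attribute names are
    compared case-insensitively, as LDAP itself does.
    """
    # Unfold: a newline followed by one space continues the previous line.
    unfolded = re.sub(r"\n ", "", ldif_text)
    values = []
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != attribute.lower():
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        values.append(value.strip())
    return values


def is_indexed(ldif_text, attribute_name):
    """True if `attribute_name` is listed among the cataloged (indexed) attributes."""
    indexed = {v.lower() for v in ldif_attribute_values(ldif_text, "orclindexedattribute")}
    return attribute_name.lower() in indexed


if __name__ == "__main__":
    for label, ldif in (("missing", SAMPLE_CATALOG_LDIF_MISSING), ("ok", SAMPLE_CATALOG_LDIF_OK)):
        print(label, "displayName indexed:", is_indexed(ldif, "displayName"))
```

Feed it the output of an ldapsearch against base cn=catalogs with base scope, requesting orclindexedattribute. The comparison is case-insensitive because LDAP attribute names are, so an entry written as displayname is accepted.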

7.2.2 Verifying the Security Providers in the Oracle WebLogic Server Domain

Small configuration errors in the security providers for the Oracle WebLogic Server domain, such as in the Identity Asserters and Authenticators, are frequently the cause of runtime problems. Use the information in this section to quickly verify a few key security provider settings:

  • The order of providers, which determines the authentication sequence.

  • JAAS Control Flags, which determine how the authentication sequence uses the providers.

  • Connection, cache, and user and group lookup settings for the identity store's LDAP Authenticator.

To verify configuration settings for the security providers in the Oracle WebLogic Server domain:

  1. Log in to the Oracle WebLogic Server Administration Console by referring to the "Starting the Administration Console" section in the Oracle Fusion Middleware Introduction to Oracle WebLogic Server document.

  2. Click Security Realms in the Domain Structure area on the left side of the Administration Console Home Page. The Summary of Security Realms screen appears.

  3. Click the name of the appropriate security realm in the Realms table. The Settings for REALM_NAME screen appears.

  4. Click the Providers > Authentication tabs. The configured providers appear in the Authentication Providers table.

Verifying the Order of Providers

The security providers must be configured in the following order, where number 1 in the following list is at the top of the Authentication Providers table:

  1. Oracle Access Manager Identity Asserter

  2. LDAP Authenticator for the identity store: Either the Oracle Internet Directory Authenticator or Oracle Virtual Directory Authenticator, depending on the LDAP server used as the identity store.

If needed, you can reorder the security providers by performing the following steps from the Settings for REALM_NAME screen:

  1. Click Reorder.

  2. Select a provider and use the arrow buttons to move it up or down in the order.

  3. Click OK.

Verifying JAAS Control Flags

The JAAS Control Flags for the security providers must be set as shown in Table 7-2. Perform the following steps to view, and if needed, edit the JAAS Control Flags.

From the Settings for REALM_NAME screen:

  1. Click the provider name in the Authentication Providers table.

  2. Click the Configuration > Common tabs.

  3. Examine the Control Flag setting and adjust it as needed.

  4. Click Save.

Table 7-2 Required JAAS Control Flags for Security Providers

  • Oracle Access Manager Identity Asserter: Required

  • LDAP Authenticator for the identity store (Oracle Internet Directory Authenticator or Oracle Virtual Directory Authenticator): Sufficient


Verifying Settings for the Identity Store's LDAP Authenticator

Table 7-3 lists settings for the identity store's LDAP Authenticator that you should verify. Perform the following steps on either the Oracle Internet Directory Authenticator or the Oracle Virtual Directory Authenticator, depending on the LDAP server you are using for the identity store.

From the Settings for REALM_NAME screen:

  1. Click the appropriate authenticator in the Authentication Providers table.

  2. Click the Configuration > Provider Specific tabs.

  3. Examine the settings and adjust as needed.

  4. Click Save.

Note:

You can get more information about each of the settings listed in Table 7-3 by clicking More Info... next to each setting in the Oracle WebLogic Server Administration Console.

Table 7-3 Settings to Verify in the Identity Store's LDAP Authenticator

  • Connection settings: Double-check all of them for accuracy. Pay particular attention to the Host value, where a misspelled host name is a common mistake.

  • User Name Attribute: Whichever attribute is set, the same attribute must be used to specify the user name in the All Users Filter and User From Name Filter settings.

  • All Users Filter and User From Name Filter: The user name attribute used in both of these filters must be the attribute configured for the User Name Attribute setting.

  • Use Retrieved User Name as Principal: Must be enabled (checked).

  • Static Group Name Attribute: Whichever attribute is set, the same attribute must be used to specify the group name in the All Groups Filter and Group From Name Filter settings.

  • All Groups Filter and Group From Name Filter: The attribute used to specify the group name in these two filters must be the attribute configured for the Static Group Name Attribute setting.

  • Cache Enabled: If enabled, examine the value of the Cache TTL setting.

  • Cache TTL: Examine to ensure an appropriate value is set. If an operation fails, wait for the Cache TTL to elapse and then retry it; this ensures the authenticator's cache has been refreshed and any recent configuration changes are in effect.
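Where many domains are involved, the checks in this section (provider order, control flags, and the attribute and filter consistency of the LDAP Authenticator) can be run against a copy of the domain's config.xml instead of clicked through. The following Python is an added example, not part of this guide or of Oracle WebLogic Server. The XML fragments are constructed, and the element names (user-name-attribute, all-users-filter, and so on) are assumed to mirror the console settings named in Table 7-3, so compare them with your own config.xml before relying on it. The deliberately broken fragment shows the kind of errors the checks report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragments of the <realm> section of a domain config.xml. Element
# names are ASSUMED to mirror the Administration Console settings in Table 7-3;
# the checks themselves ignore XML namespaces and match on local names only.
AUTHENTICATOR = """\
  <sec:authentication-provider xsi:type="wls:oracle-internet-directory-authenticatorType">
    <sec:name>OIDAuthenticator</sec:name>
    <sec:control-flag>{flag}</sec:control-flag>
    <wls:host>oid.example.com</wls:host>
    <wls:user-name-attribute>uid</wls:user-name-attribute>
    <wls:all-users-filter>(&amp;({ua}=*)(objectclass=person))</wls:all-users-filter>
    <wls:user-from-name-filter>(&amp;({ua}=%u)(objectclass=person))</wls:user-from-name-filter>
    <wls:use-retrieved-user-name-as-principal>{retrieved}</wls:use-retrieved-user-name-as-principal>
    <wls:static-group-name-attribute>cn</wls:static-group-name-attribute>
    <wls:all-groups-filter>(&amp;(cn=*)(objectclass=groupofuniquenames))</wls:all-groups-filter>
    <wls:group-from-name-filter>(&amp;(cn=%g)(objectclass=groupofuniquenames))</wls:group-from-name-filter>
  </sec:authentication-provider>
"""
ASSERTER = """\
  <sec:authentication-provider xsi:type="wls:oam-identity-asserterType">
    <sec:name>OAMIdentityAsserter</sec:name>
    <sec:control-flag>REQUIRED</sec:control-flag>
  </sec:authentication-provider>
"""

def realm(*provider_fragments):
    """Wrap provider fragments in a <realm> element, in the order given."""
    return ('<realm xmlns:sec="urn:example:sec" xmlns:wls="urn:example:wls" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">\n'
            + "".join(provider_fragments) + "</realm>\n")

# Deliberately wrong: authenticator listed first, OPTIONAL flag, user filters
# test cn while User Name Attribute is uid, retrieved name not used as principal.
BAD_REALM_XML = realm(AUTHENTICATOR.format(flag="OPTIONAL", ua="cn", retrieved="false"), ASSERTER)
GOOD_REALM_XML = realm(ASSERTER, AUTHENTICATOR.format(flag="SUFFICIENT", ua="uid", retrieved="true"))

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
LDAP_AUTHENTICATORS = ("oracle-internet-directory-authenticator",
                       "oracle-virtual-directory-authenticator")

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def child_text(elem, local_name):
    """Text of the first direct child with this local name, or None if absent."""
    for child in elem:
        if _local(child.tag) == local_name:
            return (child.text or "").strip()
    return None

def filter_uses_attribute(ldap_filter, attr):
    """True if the LDAP filter tests `attr` anywhere, e.g. '(uid=%u)' for uid."""
    return bool(attr) and re.search(r"\(" + re.escape(attr) + r"=", ldap_filter or "", re.I) is not None

def providers(realm_xml):
    """(type, element) for each authentication provider, in configured order."""
    root = ET.fromstring(realm_xml)
    return [(elem.get(XSI_TYPE, "").split(":", 1)[-1], elem)
            for elem in root.iter() if _local(elem.tag) == "authentication-provider"]

def check_realm(realm_xml):
    """Apply the Section 7.2.2 checks; an empty list means everything verified."""
    findings = []
    provs = providers(realm_xml)
    types = [t for t, _ in provs]
    if not types or "oam-identity-asserter" not in types[0]:
        findings.append("order: Oracle Access Manager Identity Asserter must be provider 1")
    if len(types) < 2 or not any(k in types[1] for k in LDAP_AUTHENTICATORS):
        findings.append("order: the OID or OVD authenticator must be provider 2")
    for ptype, elem in provs:
        name = child_text(elem, "name") or ptype
        flag = (child_text(elem, "control-flag") or "").upper()
        if "oam-identity-asserter" in ptype and flag != "REQUIRED":
            findings.append(f"{name}: control flag {flag or 'unset'}, expected REQUIRED")
        if any(k in ptype for k in LDAP_AUTHENTICATORS):
            if flag != "SUFFICIENT":
                findings.append(f"{name}: control flag {flag or 'unset'}, expected SUFFICIENT")
            ua = child_text(elem, "user-name-attribute")
            for f in ("all-users-filter", "user-from-name-filter"):
                if not filter_uses_attribute(child_text(elem, f), ua):
                    findings.append(f"{name}: {f} does not use user-name-attribute '{ua}'")
            ga = child_text(elem, "static-group-name-attribute")
            for f in ("all-groups-filter", "group-from-name-filter"):
                if not filter_uses_attribute(child_text(elem, f), ga):
                    findings.append(f"{name}: {f} does not use static-group-name-attribute '{ga}'")
            if (child_text(elem, "use-retrieved-user-name-as-principal") or "").lower() != "true":
                findings.append(f"{name}: use-retrieved-user-name-as-principal must be true")
    return findings

if __name__ == "__main__":
    for label, xml_text in (("bad", BAD_REALM_XML), ("good", GOOD_REALM_XML)):
        print(label, check_realm(xml_text) or "OK")
```

The order check reads the providers as they appear in the file, which is the order the console shows in the Authentication Providers table. A filter that tests objectclass first but still contains (uid=%u) passes the attribute check, which is what Table 7-3 requires: the user name attribute must appear in the filter, not necessarily first. Remember that after correcting any of these settings the authenticator's cache (Cache TTL) must expire before a retried operation reflects the change.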


7.2.3 Using Selective Tracing to Troubleshoot Inaccessible Functionality

When Oracle Fusion Applications users cannot access a particular piece of functionality (for example, they attempt to log in to an application and are denied access, or they see an unexpected view of the application), the usual cause is that they are not authorized to access it. In these situations, you can use the Selective Tracing feature in Fusion Applications Control to collect data specific to the user and request, then collaborate with the security administrator to compare it against the configured authorizations.

To use Selective Tracing to troubleshoot inaccessible functionality:

  1. Update the domain's environment setup script by performing one of the following steps that is appropriate to your environment:

    On Linux/UNIX systems, add the text shown in Example 7-1 to the bottom of the DOMAIN_HOME/bin/setDomainEnv.sh file:

    Example 7-1 Updating the Domain's Environment Setup Script on Linux/UNIX Systems

    JAVA_OPTIONS="-Djava.util.logging.manager=oracle.core.ojdl.logging.ODLLogManager ${JAVA_OPTIONS}"
    export JAVA_OPTIONS
    FMWCONFIG_CLASSPATH=${FMWCONFIG_CLASSPATH}${CLASSPATHSEP}${ORACLE_COMMON_HOME}/modules/oracle.odl_11.1.1/ojdl.jar
    export FMWCONFIG_CLASSPATH
    

    On Windows systems, add the text shown in Example 7-2 to the bottom of the DOMAIN_HOME\bin\setDomainEnv.cmd file:

    Example 7-2 Updating the Domain's Environment Setup Script on Windows Systems

    set JAVA_OPTIONS=-Djava.util.logging.manager=oracle.core.ojdl.logging.ODLLogManager %JAVA_OPTIONS%
    set FMWCONFIG_CLASSPATH=%FMWCONFIG_CLASSPATH%;%ORACLE_COMMON_HOME%\modules\oracle.odl_11.1.1\ojdl.jar
    
  2. Log in to Fusion Applications Control by referring to the "Starting Fusion Applications Control" section in the Oracle Fusion Applications Administrator's Guide for more information.

  3. Navigate to the appropriate domain, then select Logs > Selective Tracing from the domain menu. The Selective Tracing page appears.

  4. Click the Tracing Options tab, configure the following settings, and click Start Tracing to generate the selective trace:

    • Option Name: Select User Name from the list and enter the name of the user that cannot access functionality.

      Note:

      While this procedure describes troubleshooting inaccessible functionality by selective tracing on a user name, you can also use the other options in the Option Names list for troubleshooting purposes.

    • Level: Select TRACE:32 (FINEST).

    • Description: Enter a description that will help you identify the trace results, such as: USER_NAME cannot access functionality.

    • Duration: Enter the number of minutes the selective trace will run.

    • Trace ID: Select Generate a New Unique Trace ID. Optionally, you can select Use a Custom Trace ID and enter an ID, but note that Fusion Middleware Control does not verify the uniqueness of Custom Trace ID strings.

    • Loggers: Oracle recommends enabling the following loggers for troubleshooting inaccessible functionality:

      Note:

      To quickly locate a specific logger, enter the logger name or a string in the logger name in the field above the list of loggers and press return.

      • oracle.jps.authorization

      • oracle.jps.common

      • oracle.security.jps.az.internal.runtime.policy.AbstractPolicyImpl

      • oracle.security.jps.internal.policystore.JavaPolicyProvider

      • oracle.security.jps.internal.policystore.ldap.BulkAuthorizer

      • oracle.security.jps.trace.logger

      • oracle.security.jps.util.JpsAuth

      Note:

      Refer to the "Debugging the Authorization Process" section in the Oracle Fusion Middleware Application Security Guide for information about system properties you can enable for extremely fine grained authorization debugging.

  5. Instruct the user who cannot access the functionality to try to access it again. Now that Selective Tracing is enabled for that user, data specific to that user and request will be collected.

  6. Access the results from the selective trace by clicking the Active Traces And Tracing History tab and selecting the trace from either the Active Traces or Tracing History table. If the number of minutes that you specified in the Duration option has elapsed, the trace will be in the Tracing History table. If you provided a description for the selective trace, look for it in the Description column.

  7. Provide the trace results to the Security Administrator.

    Note:

    Typically, the Security Administrator performs the remaining steps in this procedure.

  8. Locate the Failed ProtectionDomain string and its corresponding resourceName=, resourceType=, and Principal= strings in the trace results. These strings will provide information about the user and the inaccessible resource. As shown in Example 7-3, the user named user1 was denied access to the resource named ResourceNameX:

    Example 7-3 Failed ProtectionDomain String in Sample Selective Tracing Results

    PolicyContext: [JeeScenarioApp]
    Resource/Target: [resourceType=TaskFlowResourceType,resourceName=ResourceNameX]
    Action:[read]
    Permission Class: [oracle.security.jps.ResourcePermission]
    Result:    [FAILED]
    Evaluator: [ACC]
    FailedProtectionDomain:ClassLoader=weblogic.utils.classloaders.ChangeAwareClassLoader@c7cee9finder:weblogic.utils.classloaders.CodeGenClassFinder@a05da2 annotation: JeeScenarioApp@jeescenario
      CodeSource=file:/somepath/wls-jrfServer/servers/jrfServer_admin/tmp/_WL_user/JeeScenarioApp/gw8m4w/war/WEB-INF/lib/_wl_cls_gen.jar
      Principals=total 5 of principals(
        1. weblogic.security.principal.WLSUserImpl "user1"
        2. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl "authenticated-role" GUID=null DN=null
        3. JpsPrincipal: oracle.security.jps.service.policystore.ApplicationRole "basic_role1" GUID=734342D04A2811E0AF671B4A95E1598C DN=cn=basic_role1,cn=Roles,cn=JeeScenarioApp,cn=testfarm_wilu_mlr6,cn=JPSContext,cn=jpsroot
        4. JpsPrincipal: oracle.security.jps.service.policystore.ApplicationRole "myrole2" GUID=738C80D04A2811E0AF671B4A95E1598C DN=cn=myrole2,cn=Roles,cn=JeeScenarioApp,cn=testfarm_wilu_mlr6,cn=JPSContext,cn=jpsroot
        5. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl "anonymous-role" GUID=null DN=null)
      Permissions=(
        (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=default,keyName=* read,write)
        (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:SYSTEM Context Name:null Actions:getConfiguredApplications)
        (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:* Actions:getApplicationPolicy)
        (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:SYSTEM Context Name:null Actions:*)
        (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:* Actions:*)
        (java.io.FilePermission file2.txt read)
        (java.io.FilePermission file2.txt write)
        (java.io.FilePermission file1.txt read)
        (java.util.PropertyPermission line.separator read)
        (java.util.PropertyPermission java.vm.specification.version read)
        (java.util.PropertyPermission java.vm.version read)
        (java.util.PropertyPermission java.vendor.url read)
        (java.util.PropertyPermission java.vm.specification.vendor read)
        (java.util.PropertyPermission java.vm.name read)
        (java.util.PropertyPermission os.name read)
        (java.util.PropertyPermission java.vm.vendor read)
        (java.util.PropertyPermission path.separator read)
        (java.util.PropertyPermission os.version read)
        (java.util.PropertyPermission java.specification.name read)
        (java.util.PropertyPermission os.arch read)
        (java.util.PropertyPermission java.version read)
        (java.util.PropertyPermission java.class.version read)
        (java.util.PropertyPermission java.vendor read)
    
  9. Use Oracle Authorization Policy Manager to search for configured security policies that contain the resource and resource type listed in the trace results (look for resourceName= and resourceType=). In Example 7-3, you would search for configured security policies that contain the resource named ResourceNameX that is of the type TaskFlowResourceType.

    Refer to "Searching for Security Objects" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition) for more information on how to use Oracle Authorization Policy Manager to search for policies based on resources.

    Note:

    After identifying the relevant security policies using the "Finding Application Policies that Match Entitlements or Resources" procedure, you will be able to identify the principals and actions granted in each of those configured security policies.

  10. Compare the security policies identified by the search in Step 9 against the relevant Failed ProtectionDomain strings in the trace results. Specifically, for each of the security policies, compare the granted actions and principals as follows:

    a. Ensure the action granted in the security policies is the same action listed for the Failed ProtectionDomain string in the trace results. In Example 7-3, you would ensure the security policy is granting the read action (identified by Action:[read] in the trace).

      If the action for the Failed ProtectionDomain string is granted in the configured security policy, proceed to Step b.

      If the action for the Failed ProtectionDomain string is not granted in the security policy, compare the action against all security policies identified by the search in Step 9.

    b. Ensure the principals granted in the security policies are the same principals listed for the Failed ProtectionDomain string (identified by Principals=).

      If the principals configured in the security policy are application roles or external roles and they are not listed in the Failed ProtectionDomain string, use Oracle Authorization Policy Manager to determine if the roles are mapped to the relevant user.

    Note:

    Be sure to consult your organization's security policies and the Oracle Fusion Applications security reference manuals before altering any aspect of the configured security policies, as it is possible the user is intentionally unauthorized to access the particular functionality.

    You can access the Oracle Fusion Applications security reference manuals in the Oracle Fusion Applications Technology Documentation Library.

    If both the actions and principals granted in the security policies are consistent with the authorization request (as identified in the trace), examine Oracle Platform Security Services' cache refresh setting by referring to the problem and solution described in Section 7.3.2.1 of this chapter.
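Steps 8 through 10 can be scripted when a trace runs to many pages. The following Python is an added example, not part of this guide or of Oracle Platform Security Services. It parses this page's Example 7-3 (trimmed, with each principal joined onto one line) to recover the failed check, then compares it with constructed grant records that stand in for what a policy search in Oracle Authorization Policy Manager would show; the grants are not from the page.

```python
import re

# Trimmed from Example 7-3 above (the page's own sample trace): principals are
# joined onto one line each and the permission list is shortened.
SAMPLE_TRACE = """\
PolicyContext: [JeeScenarioApp]
Resource/Target: [resourceType=TaskFlowResourceType,resourceName=ResourceNameX]
Action:[read]
Permission Class: [oracle.security.jps.ResourcePermission]
Result:            [FAILED]
Evaluator:         [ACC]
FailedProtectionDomain:ClassLoader=weblogic.utils.classloaders.ChangeAwareClassLoader@c7cee9finder:weblogic.utils.classloaders.CodeGenClassFinder@a05da2 annotation: JeeScenarioApp@jeescenario
  Principals=total 5 of principals(
    1. weblogic.security.principal.WLSUserImpl "user1"
    2. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl "authenticated-role" GUID=null DN=null
    3. JpsPrincipal: oracle.security.jps.service.policystore.ApplicationRole "basic_role1" GUID=734342D04A2811E0AF671B4A95E1598C DN=cn=basic_role1,cn=Roles,cn=JeeScenarioApp,cn=testfarm_wilu_mlr6,cn=JPSContext,cn=jpsroot
    4. JpsPrincipal: oracle.security.jps.service.policystore.ApplicationRole "myrole2" GUID=738C80D04A2811E0AF671B4A95E1598C DN=cn=myrole2,cn=Roles,cn=JeeScenarioApp,cn=testfarm_wilu_mlr6,cn=JPSContext,cn=jpsroot
    5. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl "anonymous-role" GUID=null DN=null)
  Permissions=(
    (java.io.FilePermission file1.txt read)
"""

# Constructed grants standing in for Authorization Policy Manager search results
# for ResourceNameX (not from the page).
GRANT_OK = {"resource_type": "TaskFlowResourceType", "resource_name": "ResourceNameX",
            "actions": {"read"}, "principals": {"basic_role1"}}
GRANT_WRONG_ACTION = dict(GRANT_OK, actions={"view"})
GRANT_OTHER_ROLE = dict(GRANT_OK, principals={"myrole3"})


def parse_failed_check(trace_text):
    """Step 8: extract the failed authorization check from a selective trace.

    Returns policy_context, resource_type, resource_name, action, result and the
    principals as (class, name) pairs from the Failed ProtectionDomain block.
    """
    def grab(pattern):
        m = re.search(pattern, trace_text)
        return m.group(1).strip() if m else None

    # Limit the principal scan to the Principals=( ... ) segment so quoted
    # strings elsewhere in a long trace are not mistaken for principals.
    seg = re.search(r"Principals=.*?\((.*?)\)\s*Permissions=", trace_text, re.DOTALL)
    principal_text = seg.group(1) if seg else trace_text
    principals = re.findall(
        r'^\s*(?:\d+\.\s+)?(?:JpsPrincipal:\s*)?([\w.]+)\s+"([^"]+)"',
        principal_text, re.MULTILINE)
    return {
        "policy_context": grab(r"PolicyContext:\s*\[([^\]]*)\]"),
        "resource_type": grab(r"resourceType=([^,\]]+)"),
        "resource_name": grab(r"resourceName=([^,\]]+)"),
        "action": grab(r"Action:\s*\[([^\]]*)\]"),
        "result": grab(r"Result:\s*\[([^\]]*)\]"),
        "principals": principals,
    }


def compare_with_grant(check, grant):
    """Step 10: list the reasons a grant does NOT cover the failed check.

    An empty list means resource, action and principals all match, which is the
    point at which the policy store cache refresh (Section 7.3.2.1) becomes the
    suspect rather than the policy itself.
    """
    reasons = []
    if (grant["resource_type"], grant["resource_name"]) != (check["resource_type"], check["resource_name"]):
        reasons.append("resource: grant is for a different resource")
    if check["action"] not in grant["actions"]:
        reasons.append(f"action: '{check['action']}' is not granted (granted: {sorted(grant['actions'])})")
    request_principals = {name for _, name in check["principals"]}
    if not request_principals & set(grant["principals"]):
        reasons.append("principals: none of the request's principals is in the grant; check in "
                       "Authorization Policy Manager whether " + ", ".join(sorted(grant["principals"]))
                       + " maps to the user")
    return reasons


if __name__ == "__main__":
    failed = parse_failed_check(SAMPLE_TRACE)
    print(failed["resource_type"], failed["resource_name"], failed["action"], failed["result"])
    for label, grant in (("ok", GRANT_OK), ("wrong action", GRANT_WRONG_ACTION), ("other role", GRANT_OTHER_ROLE)):
        print(label, compare_with_grant(failed, grant) or "grant covers the request")
```

A principals mismatch is the cue for the follow-up the text describes: the granted role (myrole3 in the constructed case) may still be correct if Authorization Policy Manager shows it mapped to user1 through an external role, so the mapping is what to check next, not the policy text.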

7.3 Problems and Solutions

Use the information in this section if the solution procedures in Section 7.2 did not resolve your problem. This section describes symptoms of specific Oracle Fusion Applications runtime problems that may have originated in the Oracle Identity Management and security integration layer, possible causes of the problems, and solution procedures corresponding to each of the possible causes.

For problems that contain multiple possible causes, the most probable cause and its corresponding solution are listed first. If multiple possible causes are listed, perform the first solution procedure and then retry the failed task. If the problem persists after retrying the failed task, perform the second solution procedure in the topic and then try the failed task again. Repeat this process while proceeding down the list of solution procedures until the problem is resolved.

This section contains the following topics:

Notes:

When looking in this section for the problem you encountered, be sure to examine all topics, as many problems fit into multiple topics. For example, while the problem of not being able to see application role hierarchies resides in the topic about managing roles, it could also reside in the topic about missing or incorrect data.

7.3.1 Problems and Solutions for Missing or Incorrect Data

This section describes problems and solutions related to missing or incorrect data. This section contains the following topics:

7.3.1.1 LDAP Changes Not Reconciled in Oracle Identity Manager

LDAP changes to an Oracle Internet Directory identity store are not getting reconciled into Oracle Identity Manager.

Problem

The problem may be the Oracle Internet Directory identity store is not configured to generate change logs.

Solution

To verify change log generation is enabled for an Oracle Internet Directory identity store:

Note:

If you have multiple Oracle Internet Directory identity store instances, perform this procedure on all of them.

  1. Log in to Fusion Applications Control by referring to the "Starting Fusion Applications Control" section in the Oracle Fusion Applications Administrator's Guide for more information.

  2. Navigate to the appropriate Oracle Internet Directory instance. In the Target Navigation Pane, expand the Domain > Identity and Access entries. Alternatively, from the domain home page, expand the Fusion Middleware > Identity and Access entries. Oracle Internet Directory instances are listed in both locations. To view the full name of an instance, move the mouse over the instance name.

  3. Verify change log generation is enabled. If change log generation is disabled, you must enable it. Refer to the "Enabling or Disabling Change Log Generation by Using Fusion Middleware Control" section of the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

7.3.1.2 Data is Missing After Migrating or Patching the Policy Store

After migrating or patching the Oracle Platform Security Services policy store, data that was once available is now missing. This issue may be encountered after the policy store is:

  • Migrated from the baseline ("out-of-the-box") jazn-data.xml file policy store to an Oracle Internet Directory instance.

  • Migrated from one environment to another, such as moving from a test environment to a production environment.

  • Patched using Oracle Authorization Policy Manager.

Problem

The problem may be the application role GUIDs in the Oracle Fusion Data Security repository are not identical to their corresponding application role GUIDs in the Oracle Platform Security Services policy store.

Solution

Run the oracle.apps.fnd.applcore.dataSecurity.util.DSDataMigrator java program to reconcile the application role GUIDs from the Oracle Platform Security Services policy store (which is the "source of truth" repository) to the Oracle Fusion Data Security repository.

Backing Up the fnd_grants Table in the Oracle Fusion Data Security Repository

The DSDataMigrator program modifies only the fnd_grants table, which is Virtual Private Database (VPD) enabled. Before running the program, as sys user, back up the existing fnd_grants table in the Oracle Fusion Data Security repository. For example:

$sqlplus sys as sysdba
 create table FUSION.FND_GRANTS_OLD as select * from FUSION.FND_GRANTS;

Running the DSDataMigrator Program

To run the oracle.apps.fnd.applcore.dataSecurity.util.DSDataMigrator java program, the following JAR files must be added to the classpath:

MW_HOME/ATGPF_HOME/atgpf/modules/oracle.applcore.model_11.1.1/Common-Model.jar
MW_HOME/ATGPF_HOME/atgpf/modules/oracle.applcore.model_11.1.1/DataSecurity-Model.jar
MW_HOME/oracle_common/modules/oracle.adf.model_11.1.1/adfm.jar
MW_HOME/oracle_common/modules/oracle.adf.share.ca_11.1.1/adf-share-ca.jar
MW_HOME/oracle_common/modules/oracle.adf.share.ca_11.1.1/adf-share-base.jar
MW_HOME/oracle_common/modules/oracle.adf.share_11.1.1/jsp-el-api.jar
MW_HOME/oracle_common/modules/oracle.adf.businesseditor_11.1.1/adf-businesseditor.jar
MW_HOME/oracle_common/modules/oracle.adf.share_11.1.1/adflogginghandler.jar
MW_HOME/oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar
MW_HOME/modules/javax.jsp_1.2.0.0_2-1.jar
MW_HOME/oracle_common/modules/oracle.mds_11.1.1/mdsrt.jar
MW_HOME/oracle_common/modules/oracle.javatools_11.1.1/resourcebundle.jar
MW_HOME/oracle_common/modules/oracle.javatools_11.1.1/javatools-nodeps.jar
MW_HOME/wlserver_10.3/server/ext/jdbc/oracle/11g/ojdbc5.jar

Note:

If the classpath is set in the shell, you can run the program from the command line using only the necessary arguments.

The syntax to run the DSDataMigrator java program is:

java -classpath $CLASSPATH \
-Doracle.security.jps.config=Path_to_jps-config-jse.xml_file \
[-DFND_DS_GUID_RECON_LOG_DIR=log_directory] \
oracle.apps.fnd.applcore.dataSecurity.util.DSDataMigrator \
-dsdburl URL_to_Oracle_Fusion_Data_Security_repository \
-dsdbuser user_name_for_Oracle_Fusion_Data_Security_repository \
-silentMode [true | false] -forceProcessAllRows [true | false] \
-policyStripe [crm | fscm | hcm] [-idStoreOnly [true | false]]

Note:

To see usage instructions, execute the following command:

java oracle.apps.fnd.applcore.dataSecurity.util.DSDataMigrator

Parameters

The DSDataMigrator program supports the following parameters:

  • oracle.security.jps.config: Identifies the path to the jps-config-jse.xml file that the DSDataMigrator program will use. For example:

    COMMON_DOMAIN/config/fmwconfig/jps-config-jse.xml

    Note:

    The jps-config-jse.xml file must have credentials for both the identity store and policy store—not just the policy store.

  • FND_DS_GUID_RECON_LOG_DIR: Identifies the output directory for the program's log. For example: -DFND_DS_GUID_RECON_LOG_DIR=/tmp

Arguments

The DSDataMigrator program supports the following arguments:

  • silentMode: Set to true if you do not want exceptions to be raised when an entry is not found in the Oracle Platform Security Services policy store.

  • forceProcessAllRows: Set to true if you want to process all the rows in the policies table. By default, only rows where compile_flag=Y are processed.

  • policyStripe: Identifies the policy stripe to process. Valid values are: crm, fscm, and hcm. If the policyStripe argument is not specified, all policy stripes and identity store data security role policies are processed.

  • idStoreOnly: Set to true if you want to process only data security policies made to enterprise roles. If idStoreOnly is set to true, the policyStripe argument is ignored.

7.3.1.3 Administrator Search for Database Resources Returns No Results

A user with administrator privileges uses Oracle Authorization Policy Manager to search for database resources, but the search does not find any.

Problem

The problem may be data security policies that govern data security administration do not exist in the Oracle Fusion Data Security repository.

Solution

To troubleshoot this issue:

  1. Use Oracle Authorization Policy Manager to verify the following application roles are mapped to the external roles of the user performing the search. Refer to "Managing Policies and Policy Objects" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition) for more information.

    • APM_CRM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_HCM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_FSCM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_FND_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    Note:

    • If the application roles are mapped to the external roles of the user performing the search, go to Step 2.

    • If the application roles are not mapped to the external roles of the user performing the search, use Oracle Authorization Policy Manager to map them to the user's external roles and then go to Step 2.

  2. Determine whether data security policies that govern data security administration exist in the Oracle Fusion Data Security repository. Log in to Oracle Authorization Policy Manager as a user with the Application Developer external role and search for the following roles. Ensure that data security policies for the roles exist on the FND_OBJECTS object and that the policies have not expired.

    • APM_CRM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_HCM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_FSCM_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    • APM_FND_APPLICATION_OBJECTS_DATA_ADMINISTRATION_DUTY

    If the policies do not exist in the Oracle Fusion Data Security repository, use Oracle Fusion Functional Setup Manager to upload the Applications Core data security seed data to the Oracle Fusion Data Security repository. See the "Using Oracle Fusion Functional Setup Manager" section in the Oracle Fusion Applications Administrator's Guide for more information about using Oracle Fusion Functional Setup Manager.

7.3.1.4 Data is Missing or Incorrect in a Portlet

After logging in to an Oracle Fusion Applications portlet, the data the user expects to see is missing or incorrect.

Problem

The problem may be:

  • The application user session was not propagated to the portlet.

  • The application user session was not created using the portlet's application stripe, so Applications Core did not compute the application roles for the portlet's application stripe.

Solution

To troubleshoot this situation:

  1. Log out of the portlet, and then log in again.

  2. Execute the following diagnostic tests. See the "Searching for Diagnostic Tests by Name or by Categorization Tag" section in the Oracle Fusion Applications Administrator's Guide for more information about running diagnostic tests.

    • Data Security Configuration

    • Data Security Configuration with Application User Session Prerequisite

    • Data Security Run Time

    • Data Security Run Time with Application User Session Prerequisite

7.3.2 Problems and Solutions for Accessing Functionality

This section describes problems and solutions related to accessing functionality. This section contains the following topics:

7.3.2.1 Inappropriate User Access After Enterprise Role Membership Removal

After removing an enterprise role's membership to an application role using Oracle Authorization Policy Manager, access to the application is still being granted.

Problem

Oracle Platform Security Services optimizes the authorization process by caching security artifacts. When an application policy (or some other security artifact) is modified, when the change becomes effective depends on where the application and the tool used to modify the artifact (Oracle Authorization Policy Manager in this case) are running.

If the application and the tool (Oracle Authorization Policy Manager) are running on different hosts or in different domains, the change becomes effective after the policy store cache is refreshed. The frequency of the cache refresh is determined by the value of the Refresh Polling Time (secs) parameter in Fusion Middleware Control.

Depending on the configuration, access to the application may have been granted (despite the removal of the enterprise role membership to the application role) because the Oracle Platform Security Services cache was not refreshed before the application was accessed.

Refer to the "Caching and Refreshing the Cache" and "An Example" sections in the Oracle Fusion Middleware Application Security Guide for more information about authorization behavior relating to the Oracle Platform Security Services cache.

Solution

To examine the refresh interval for Oracle Platform Security Services' cache:

  1. Log in to Fusion Applications Control by referring to the "Starting Fusion Applications Control" section in the Oracle Fusion Applications Administrator's Guide for more information.

  2. Click the name of the appropriate domain in the target navigation pane on the left side of the screen.

  3. Select Security > Security Provider Configuration from the domain menu at the top of the screen. The Security Provider Configuration screen appears.

  4. Select the Policy Store Credential Store Keystore entry in the Security Stores table and click Edit. The Edit Security Provider Configuration screen appears.

  5. Examine the value set for the Refresh Polling Time (secs) parameter.

  6. Wait for the amount of time specified by the Refresh Polling Time (secs) parameter to elapse, then retry the use case. This will ensure that the policy store cache has been refreshed and any recent changes to policies are effective.

7.3.2.2 Newly Created User Does Not Have Correct Access to Oracle Fusion Applications

After creating a new user and external role using Oracle Fusion Human Capital Management, then granting duty roles to that user using Oracle Authorization Policy Manager, the user cannot log in and perform the granted duties.

Problem

The problem may be:

  • The user does not exist in the identity store.

  • The user to external role membership does not exist in the identity store.

  • The Oracle Internet Directory Authenticator's cache or Oracle Platform Security Services' cache has not yet been refreshed.

  • Oracle Identity Manager and Oracle Authorization Policy Manager are not configured to use the same identity store, or their connection settings to the identity store are incorrect.

Solution 1

To verify the user exists in the identity store, use Oracle Directory Services Manager to examine the container in the identity store where users are stored, such as cn=users,dc=us,dc=oracle,dc=com.

Refer to the following for more information about examining identity store containers.

If Oracle Internet Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory using this sequence:

  1. "Invoking Oracle Directory Services Manager"

  2. "Connecting to the Server from Oracle Directory Services Manager"

  3. "Displaying Entries by Using Oracle Directory Services Manager"

If Oracle Virtual Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory using this sequence:

  1. "Invoking Oracle Directory Services Manager"

  2. "Connecting to the Server from Oracle Directory Services Manager"

  3. "Viewing Oracle Virtual Directory Entries"

Solution 2

To verify the user to external role membership exists in the identity store:

  1. Verify the user exists in the identity store. Use Oracle Directory Services Manager to examine the container in the identity store where users are stored, such as cn=users,dc=us,dc=oracle,dc=com.

  2. Verify the external role exists in the identity store. Use Oracle Directory Services Manager to examine the container where enterprise roles are stored, such as cn=groups.

  3. Verify the user is a member of the external role. Use Oracle Directory Services Manager to confirm that the external role's uniqueMember attribute contains the user's distinguished name (DN).

  4. Use Oracle Authorization Policy Manager to verify the external role is mapped to the appropriate application role. Perform a simple search on the application role, open it, and click the External Role Mapping tab. Refer to "Managing Policies and Policy Objects" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition) for more information.
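The three directory checks in Solution 2 can also be scripted against ldapsearch output, which helps when many users or roles must be verified after a bulk provisioning run. The following Python is an added example and is not part of this guide or of Oracle's tools: it parses LDIF as printed by ldapsearch -LLL and reports whether the user entry exists, whether the external role entry exists, and whether the role's uniqueMember attribute contains the user's DN. The LDIF, the DNs, the orclGUID value, the host name OID_HOST and the port 3060 in the comments are constructed for illustration; the containers cn=users and cn=groups under dc=us,dc=oracle,dc=com follow the examples used in this section.

```python
"""Check that a user exists in the identity store and is a uniqueMember of
an external role, by parsing LDIF as printed by ldapsearch -LLL.

Added example, not Oracle code. All DNs, attribute values and host names
below are constructed for illustration.
"""
import base64
import re

# Constructed LDIF resembling the combined output of two searches such as
#   ldapsearch -LLL -H ldap://OID_HOST:3060 -D cn=orcladmin -W \
#       -b cn=users,dc=us,dc=oracle,dc=com "(objectClass=orclUserV2)" uid orclGUID
#   ldapsearch -LLL -H ldap://OID_HOST:3060 -D cn=orcladmin -W \
#       -b cn=groups,dc=us,dc=oracle,dc=com "(cn=HCM_EMPLOYEE)" uniqueMember description
# One uniqueMember value is base64 (the "::" form) and one attribute is
# folded across two lines, as real LDIF output can be.
SAMPLE_LDIF = """\
dn: cn=jsmith,cn=users,dc=us,dc=oracle,dc=com
objectClass: orclUserV2
uid: jsmith
orclGUID: 1F0C3A9B2D4E4F60A1B2C3D4E5F60718

dn: cn=bob,cn=users,dc=us,dc=oracle,dc=com
objectClass: orclUserV2
uid: bob

dn: cn=HCM_EMPLOYEE,cn=groups,dc=us,dc=oracle,dc=com
objectClass: groupOfUniqueNames
cn: HCM_EMPLOYEE
uniqueMember: CN=JSMITH, CN=Users, DC=us, DC=oracle, DC=com
uniqueMember:: Y249YWxpY2UsY249dXNlcnMsZGM9dXMsZGM9b3JhY2xlLGRjPWNvbQ==
description: External role for HCM employees; long values are
  folded onto continuation lines in LDIF
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def normalize_dn(dn):
    """Canonical form for comparing DNs: lower-case, no whitespace around
    commas or equals signs. Simplification: escaped commas inside RDN
    values are not handled."""
    rdns = (re.sub(r"\s*=\s*", "=", part.strip()) for part in dn.split(","))
    return ",".join(rdn.lower() for rdn in rdns)


def parse_ldif(text):
    """Return {normalized_dn: {attribute_name_lowercase: [values]}}.

    Handles the LDIF features ldapsearch output commonly uses: folded
    continuation lines (leading space), base64 values ("attr:: ...") and
    "#" comment lines. Malformed lines raise ValueError instead of being
    silently skipped."""
    entries, current = {}, None
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line.strip():
            current = None          # a blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        match = ATTR_LINE.match(line)
        if not match:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, value = match.group(1).lower(), match.group(2), match.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if attr == "version":
            continue
        if attr == "dn":
            current = normalize_dn(value)
            entries[current] = {}
        elif current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        else:
            entries[current].setdefault(attr, []).append(value)
    return entries


def check_membership(entries, user_dn, role_dn):
    """Mirror the three checks in Solution 2. Returns one of
    'user-missing', 'role-missing', 'not-member' or 'member'."""
    user, role = normalize_dn(user_dn), normalize_dn(role_dn)
    if user not in entries:
        return "user-missing"
    if role not in entries:
        return "role-missing"
    members = {normalize_dn(v) for v in entries[role].get("uniquemember", [])}
    return "member" if user in members else "not-member"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    role = "cn=HCM_EMPLOYEE,cn=groups,dc=us,dc=oracle,dc=com"
    for user in ("jsmith", "bob", "alice"):
        dn = "cn=%s,cn=users,dc=us,dc=oracle,dc=com" % user
        print("%-8s %s" % (user, check_membership(entries, dn, role)))
    # jsmith is a member, bob exists but is not a member, and alice is
    # referenced by uniqueMember but has no entry (a stale membership).
```

The comparison normalizes DN case and whitespace because uniqueMember values are often stored in a different case than the member's own dn; a raw string comparison would report a false not-member. A "user-missing" result for a DN that does appear in uniqueMember points at a stale membership value, which is a different problem from the one Solution 1 describes.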

Solution 3

To troubleshoot the Oracle Internet Directory Authenticator's cache and Oracle Platform Security Services' cache:

  1. Examine the Oracle Internet Directory Authenticator's cache settings by referring to Section 7.2.2.

  2. Examine Oracle Platform Security Services' cache refresh setting by referring to the problem and solution described in Section 7.3.2.1 of this chapter.

Note:

Wait for the caches to be refreshed before retrying any failed task or operation.

Solution 4

To verify Oracle Identity Manager and Oracle Authorization Policy Manager are configured to use the same identity store and that their connection settings to the identity store are correct:

  1. Identify the identity store that Oracle Identity Manager is using by performing the following steps:

    1. Log in to the Advanced view of the Oracle Identity Manager Administrative and User Console. You can access the Advanced view by entering a URL similar to the following into a web browser:

      http://HOST:PORT/oim/admin/
      
    2. Click Manage IT Resource. The Manage IT Resource screen appears.

    3. Enter Directory Server in the IT Resource Name field or select Directory Server from the IT Resource Type list and click Search. The search results appear at the bottom of the screen.

    4. Click the Directory Server link in the search results. The configuration details for the identity store appear. Examine and make a note of the connection settings to the identity store.

  2. Identify the identity store that Oracle Authorization Policy Manager is using by examining the connection settings configured for the LDAP Authenticators in the Oracle WebLogic Server domain. To examine the LDAP Authenticators' configuration, refer to Section 7.2.2.

7.3.2.3 After Logging Out, Access to a Secured Resource is Granted Without Logging in

After logging out of a resource secured by Oracle Access Manager and then attempting to access a different secured resource, access is granted without a login page appearing.

Note:

Oracle Platform Security Services manages logouts for Oracle Fusion Applications by providing the configured logout URL (typically the Oracle Access Manager logout URL) to Oracle Application Development Framework for redirection. Oracle Access Manager then sets the session status to logged out.

Problem

The problem may be:

  • Oracle Access Manager's user session was not removed during logout.

  • Oracle Platform Security Services is not configured with the correct Oracle Access Manager logout URL.

Solution 1

Perform either of the following steps to determine whether Oracle Access Manager's user session was removed during logout:

  • Examine the cookies in the user's browser. Oracle Access Manager's OAM_ID session cookie should not be present, as it gets deleted from the browser upon logout.

  • Use the Oracle Access Manager Administration Console's Session Management functionality to examine the active sessions. Search for the user to see whether any of the user's sessions are still active.

    Refer to the "Logging In to the Oracle Access Manager 11g Administration Console" and "Managing Active User Sessions" sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

Solution 2

To verify Oracle Platform Security Services is configured with the correct Oracle Access Manager logout URL:

  1. Log in to Fusion Applications Control by referring to the "Starting Fusion Applications Control" section in the Oracle Fusion Applications Administrator's Guide for more information.

  2. Select the appropriate domain from the target navigation pane or the content pane.

  3. Select Security > Security Provider Configuration from the domain menu. The Security Provider Configuration page appears.

  4. Expand the Single Sign-On Provider area if it is not already expanded and click the Configure button. The Single Sign-On Provider page appears.

  5. Select the Configure Single Sign-on option. All settings on the Single Sign-On Provider page are invisible until you select the Configure Single Sign-on option.

  6. Examine the value set in the Logout URL field.

7.3.2.4 Authenticated User Gets Unexpected Page when Accessing a Different Secured Resource

After successfully logging in to and working on a resource secured by Oracle Access Manager and then attempting to access a different secured resource, an unexpected page, such as Not Authorized, blank (empty), corrupted, or 500 error, appears.

Problem

The problem may be Oracle Access Manager's ObSSOCookie and OAM_ID cookies are not in the user's browser. The ObSSOCookie and OAM_ID cookies are encrypted, single sign-on, session-based cookies generated by the Oracle Access Manager Access Server when a user authenticates successfully.

Solution

To verify Oracle Access Manager's ObSSOCookie and OAM_ID cookies are in the user's browser:

  1. Display the cookies in the user's browser.

  2. Locate Oracle Access Manager's ObSSOCookie and OAM_ID session cookies.

If the ObSSOCookie and OAM_ID cookies are not in the user's browser:

  • Examine the browser's security and privacy settings, as they may be set too restrictively and be preventing the cookies from being accepted.

  • Add the Oracle Fusion application's domain to the browser's exception list so that cookies from that domain are accepted.
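The browser-side checks in Section 7.3.2.3 (Solution 1) and Section 7.3.2.4 can be made repeatable by pasting the captured headers into a small script. The following Python is an added example and is not Oracle code: given the Set-Cookie headers from the logout response and the Cookie header the browser sent on the next request, it reports whether OAM_ID and ObSSOCookie are still present, were cleared by the logout response, or were never there. Only the two cookie names come from this chapter; the header values, cookie values and the .example.com domain are constructed. The example treats a cookie as cleared when the response re-sets it with an empty value, Max-Age=0, or an Expires date in the past, which is how an HTTP server deletes a cookie from a browser.

```python
"""Classify Oracle Access Manager session cookies from captured HTTP headers.

Added example, not Oracle code. The cookie names OAM_ID and ObSSOCookie are
the ones this chapter describes; every header value below is constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

OAM_COOKIES = ("OAM_ID", "ObSSOCookie")

# Constructed Set-Cookie headers as a logout response might send them: one
# cookie is deleted via a past Expires date, the other via Max-Age=0.
LOGOUT_SET_COOKIE = [
    "OAM_ID=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Secure; HttpOnly",
    "ObSSOCookie=deleted; Max-Age=0; Path=/; Domain=.example.com",
]
# Constructed Cookie request headers captured from the browser on the next
# request after logout: a healthy case and a case where OAM_ID survived.
NEXT_REQUEST_OK = "JSESSIONID=8A1F0C2D3E4F; ORA_FND_SESSION=abc123"
NEXT_REQUEST_BAD = "OAM_ID=VERSION_4~AbCdEf0123; JSESSIONID=8A1F0C2D3E4F"


def _deletes_cookie(morsel, now):
    """True if a Set-Cookie morsel removes its cookie: Max-Age <= 0 or an
    Expires date that is already in the past."""
    if morsel["max-age"] != "":
        return int(morsel["max-age"]) <= 0
    if morsel["expires"] != "":
        when = parsedate_to_datetime(morsel["expires"])
        if when.tzinfo is None:          # "-0000" dates come back naive
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False


def cleared_by(set_cookie_header, now=None):
    """Names of the cookies that one Set-Cookie header deletes."""
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return [name for name, morsel in jar.items()
            if morsel.value == "" or _deletes_cookie(morsel, now)]


def oam_session_state(next_request_cookie_header, logout_set_cookie_headers,
                      now=None):
    """Return {cookie_name: 'present' | 'cleared' | 'absent'} for the OAM
    cookies.  'present' on the request after logout means the OAM session
    was not removed (Section 7.3.2.3); 'absent' right after a successful
    login means the browser is not accepting the cookies (Section 7.3.2.4)."""
    now = now or datetime.now(timezone.utc)
    sent = SimpleCookie()
    sent.load(next_request_cookie_header)
    cleared = set()
    for header in logout_set_cookie_headers:
        cleared.update(cleared_by(header, now))
    state = {}
    for name in OAM_COOKIES:
        if name in sent:
            state[name] = "present"
        elif name in cleared:
            state[name] = "cleared"
        else:
            state[name] = "absent"
    return state


if __name__ == "__main__":
    print("after logout, healthy:", oam_session_state(NEXT_REQUEST_OK, LOGOUT_SET_COOKIE))
    print("after logout, broken: ", oam_session_state(NEXT_REQUEST_BAD, LOGOUT_SET_COOKIE))
    print("after login:          ",
          oam_session_state("OAM_ID=VERSION_4~x; ObSSOCookie=y; JSESSIONID=z", []))
```

Capture the headers with the browser's developer tools (the logout response's Set-Cookie headers, then the Cookie header of the first request to the other secured resource) rather than from the cookie viewer alone; the cookie viewer shows the end state but not whether the logout response ever attempted to delete the cookie, which is the distinction between a logout URL problem (Solution 2) and a session that Oracle Access Manager did not terminate (Solution 1).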

7.3.2.5 Support Representative Cannot Impersonate an Oracle Fusion Applications User

A Support (Help Desk) representative attempts to log in to a resource secured by Oracle Access Manager and impersonate an Oracle Fusion Applications user, but cannot do so.

Problem

The problem may be the user that the Support representative is attempting to impersonate has not granted the privilege to be impersonated or the privilege has expired.

Solution

To verify that the user has granted the privilege to be impersonated and that the privilege is active:

  1. Use Oracle Directory Services Manager to locate the account of the user to be impersonated in the identity store. Look in the container where users are stored, such as cn=users,dc=us,dc=oracle,dc=com.

    Refer to the following for more information about examining identity store containers.

    If Oracle Internet Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory using this sequence:

    1. "Invoking Oracle Directory Services Manager"

    2. "Connecting to the Server from Oracle Directory Services Manager"

    3. "Displaying Entries by Using Oracle Directory Services Manager"

    If Oracle Virtual Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory using this sequence:

    1. "Invoking Oracle Directory Services Manager"

    2. "Connecting to the Server from Oracle Directory Services Manager"

    3. "Viewing Oracle Virtual Directory Entries"

  2. Verify the user has granted the privilege to be impersonated by examining the user's account for the orclImpersonationGrantee attribute.

    • If the user's account does not have the orclImpersonationGrantee attribute, the user has not granted the privilege to be impersonated.

    • If the user's account has the orclImpersonationGrantee attribute, ensure the privilege has not expired. The orclImpersonationGrantee attribute will be in a format such as:

      EEA958988E344BF49740CF00DF9B0421|20110124170000Z|20110124180000Z
      
      • EEA958988E344BF49740CF00DF9B0421 is the GUID of the impersonator.

      • 20110124170000Z is the date and time at which impersonation can begin.

      • 20110124180000Z is the date and time at which the impersonation privilege expires.

      Note:

      The date strings in the orclImpersonationGrantee attribute use the Coordinated Universal Time (UTC) standard and are of the form: yyyyMMddHHmmss'Z'
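The following Python is an added example, not Oracle code, that applies the format described above: it parses an orclImpersonationGrantee value into the impersonator's GUID and the UTC start and end times, and reports whether a given impersonator's privilege on the user is not granted, pending, active or expired at a chosen point in time. The GUID and timestamps are the sample value shown above. Two points are assumptions made for this example rather than statements from this guide: that the attribute may carry several values on one user entry (one per impersonator), and that the end time is exclusive.

```python
"""Decode orclImpersonationGrantee values and decide whether a Support
representative may impersonate a user at a given moment.

Added example, not Oracle code.  The attribute format GUID|start|end with
UTC timestamps yyyyMMddHHmmss'Z' is the one documented in this section.
"""
from datetime import datetime, timezone
import re

# 32 hex digits, then two 14-digit UTC timestamps ending in 'Z'.
_GRANT_RE = re.compile(r"^([0-9A-Fa-f]{32})\|(\d{14}Z)\|(\d{14}Z)$")
_TS_FORMAT = "%Y%m%d%H%M%SZ"

# The sample value from this section.
SAMPLE_GRANT = "EEA958988E344BF49740CF00DF9B0421|20110124170000Z|20110124180000Z"


def parse_grant(value):
    """Return (impersonator_guid, start, end); start/end are aware UTC
    datetimes.  Anything not in GUID|start|end form, an invalid date, or a
    window that ends before it begins raises ValueError."""
    match = _GRANT_RE.match(value.strip())
    if not match:
        raise ValueError("malformed orclImpersonationGrantee: %r" % value)
    guid, start, end = match.groups()
    start_dt = datetime.strptime(start, _TS_FORMAT).replace(tzinfo=timezone.utc)
    end_dt = datetime.strptime(end, _TS_FORMAT).replace(tzinfo=timezone.utc)
    if end_dt <= start_dt:
        raise ValueError("grant expires before it begins: %r" % value)
    return guid.upper(), start_dt, end_dt


def impersonation_status(grant_values, impersonator_guid, now=None):
    """Classify the grants on one user entry for one impersonator.

    grant_values: every orclImpersonationGrantee value on the user's entry
    (assumed multi-valued; an empty list means the attribute is absent).
    Returns 'not-granted', 'pending', 'active' or 'expired'.  The end time
    is treated as exclusive (assumption)."""
    now = now or datetime.now(timezone.utc)
    wanted = impersonator_guid.upper()
    windows = [(start, end) for guid, start, end in map(parse_grant, grant_values)
               if guid == wanted]
    if not windows:
        return "not-granted"
    if any(start <= now < end for start, end in windows):
        return "active"
    if any(now < start for start, _ in windows):
        return "pending"
    return "expired"


if __name__ == "__main__":
    guid, start, end = parse_grant(SAMPLE_GRANT)
    print("impersonator", guid, "window", start.isoformat(), "to", end.isoformat())
    for label, when in (("before", start.replace(hour=16)),
                        ("during", start.replace(minute=30)),
                        ("after", end)):
        print("%-6s %s" % (label, impersonation_status([SAMPLE_GRANT], guid, when)))
    print("other impersonator:",
          impersonation_status([SAMPLE_GRANT], "0" * 32, start.replace(minute=30)))
```

Compare the GUID in the attribute with the orclGUID of the Support representative's own entry, not with the representative's login name: a grant whose GUID belongs to a different account yields "not-granted" here even though the attribute is present, which is the case the two bullets above do not distinguish. Because the timestamps are UTC, a "pending" or "expired" result for a grant the user believes is current usually means the window was entered in local time.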

7.3.2.6 Unauthenticated User Gets Error Page when Accessing a Secured Resource

While attempting to access a resource secured by Oracle Access Manager, an unauthenticated user gets an error page instead of the login page.

Problem

The problem may be:

  • The Oracle HTTP Server Web servers front-ending the Oracle Fusion application are not running.

  • The Managed Servers where Oracle Access Manager is deployed or the requisite Oracle Access Manager services are not running.

Solution 1

To verify the Oracle HTTP Server Web servers front-ending the Oracle Fusion application are running:

  1. Connect to a page provided by Oracle Identity Manager. If Oracle Identity Manager is front-ended by Oracle HTTP Server or a load balancer, use the following URL:

    http(s)://FRONTEND_HOST:FRONTEND_PORT/admin/faces/pages/accountlocked.jspx
    

    If Oracle Identity Manager is not front-ended by Oracle HTTP Server or a load balancer, use the following URL:

    http(s)://OIM_MANAGED_SERVER_HOST:PORT/admin/faces/pages/accountlocked.jspx
    
  2. Connect to any public page provided by an Oracle Fusion application through Oracle HTTP Server. For example:

    http(s)://ORACLE_HTTP_SERVER_FRONTEND_HOST:PORT/fa/app/index.jsp
    

If you cannot access a page in an Oracle HTTP Server front-ending configuration, use Fusion Applications Control to examine the WebLogic Host and WebLogic Port settings for the Oracle HTTP Server's mod_wl_ohs module. Refer to the "Configuring the mod_wl_ohs Module" section in the Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server for more information.

Solution 2

To verify the Managed Servers where Oracle Access Manager is deployed and the requisite Oracle Access Manager services are running:

  1. Verify the Managed Servers where Oracle Access Manager is deployed are running by performing the following steps:

    1. Log in to the Oracle WebLogic Server Administration Console by referring to the "Starting the Administration Console" section in the Oracle Fusion Middleware Introduction to Oracle WebLogic Server document.

    2. Click Servers in the Environment section on the Home page. The Summary of Servers page appears.

    3. Click the Configuration tab. A table containing a summary of each server in the domain appears.

    4. Examine the State and Health columns for the Managed Servers where Oracle Access Manager is deployed.

  2. Verify the HTTP port is open by attempting to connect to it. If Oracle Access Manager is front-ended by Oracle HTTP Server or a load balancer, enter the following URL into a web browser:

    http://ORACLE_HTTP_SERVER-or-LOAD_BALANCER_HOST:PORT/oam/pages/logout.jsp
    

    If Oracle Access Manager is not front-ended, enter the following URL into a web browser:

    http://MANAGED_SERVER_HOST:PORT/oam/pages/logout.jsp
    
  3. Verify Oracle Access Manager authentication is functioning properly by accessing any resource secured by Oracle Access Manager. For example, log in to the Oracle Access Manager Administration Console by referring to the "Logging In to the Oracle Access Manager 11g Administration Console" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

7.3.3 Problems and Solutions for Managing Users

This section describes problems and solutions related to managing users. This section contains the following topics:

7.3.3.1 Oracle Fusion Human Capital Management Requests to Assign Roles to Users Fail

Oracle Fusion Human Capital Management makes a request to assign a role to a user, but the role assignment fails.

Problem

The problem may be the user exists in Oracle Identity Manager, but does not exist in the Oracle Internet Directory identity store.

Solution

To troubleshoot this situation:

  1. Verify the user does not exist in Oracle Internet Directory by using Oracle Directory Services Manager to examine the container where users are stored, such as cn=users,dc=us,dc=oracle,dc=com.

    Refer to the "Displaying Entries by Using Oracle Directory Services Manager" or "Searching for Entries by Using Oracle Directory Services Manager" sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for more information.

    Note:

    • If the user does not exist in Oracle Internet Directory, continue this procedure.

    • If the user exists in Oracle Internet Directory, perform the steps in Section 7.3.3.3 to get information about why the role assignment failed.

  2. Execute the LDAP User Create and Update Reconciliation scheduled job in Oracle Identity Manager. After the job executes, the user account will be removed from Oracle Identity Manager, and requests from Oracle Fusion Human Capital Management for that user will no longer be created.

    Refer to the "Managing Scheduled Tasks" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about the LDAP User Create and Update Reconciliation scheduled job and how to execute it.

7.3.3.2 SPML Calls Initiated from an Oracle Fusion Application are Not Processed

An Oracle Fusion application invokes an event that initiates an SPML call, for example, Oracle Fusion Human Capital Management sends an SPML request to add a user, but the call fails.

Problem

The problem may be the Oracle Fusion application's composite that invokes the SPML service is using incompatible Oracle Web Services Manager (Oracle WSM) client and server security policies. The client and server security policies must be compatible for calls to succeed.

Solution

To verify Oracle Identity Manager is using the correct Oracle WSM server and client security policies:

  1. Verify Oracle Identity Manager is using the correct Oracle WSM server security policy by performing the following steps:

    1. Log in to Fusion Applications Control on the Oracle WebLogic Server where Oracle Identity Manager is installed. Refer to the "Starting Fusion Applications Control" section in the Oracle Fusion Applications Administrator's Guide for more information.

    2. Expand the Application Deployments entry in the navigation tree and click spml-xsd. The spml-xsd details page appears.

    3. Select Web Services from the Application Deployment list. The Web Services tab appears.

    4. Click SPMLServiceProviderSoap. The details for the web service appear.

    5. Click the OWSM Policies tab.

    6. Verify the following policy is listed as a Directly Attached Policy:

      oracle/wss_saml_or_username_token_service_policy

  2. Verify the Oracle Fusion application is using the correct Oracle WSM client security policy by performing the following steps:

    1. Log in to Fusion Applications Control on the Oracle WebLogic Server where the Oracle Fusion application is running.

    2. Expand the SOA entry in the navigation tree and all of its child entries until the list of configured composites appears, and then click the name of the appropriate composite. The details of the composite appear.

    3. Click the Policies tab.

    4. Verify the following policy is attached to the composite's end points:

      oracle/wss_username_token_client_policy

7.3.3.3 Troubleshooting Oracle Fusion Human Capital Management-Oracle Identity Manager SPML Requests

To collect information about SPML requests between Oracle Fusion Human Capital Management and Oracle Identity Manager:

  1. Identify the ID number of the request you want to investigate. After an Oracle Fusion Human Capital Management application performs an operation that sends an SPML request to Oracle Identity Manager, Oracle Identity Manager creates a unique ID for that specific request and returns it to the application. From the application, identify the request ID.

  2. Use the Advanced view of the Oracle Identity Manager Administrative and User Console to see general information about the request, such as its status.

    1. Log in to the Advanced view of the Oracle Identity Manager Administrative and User Console by entering a URL similar to the following into a web browser:

      http://HOST:PORT/oim/admin/
      
    2. Click the Administration tab, then click Requests.

    3. Search for the request by entering the request ID in the search field and clicking Search.

    4. Click the request ID in the search results. Information about the request appears.

    5. Examine the status of the request. If the status is Request Failed, a hyperlink to additional information about the failed request is provided. Click the Request Failed link to see more information.

      Refer to the "Searching and Tracking Requests" section in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager for more information.

    Note:

    To see more detailed information about the request, proceed to the next step in this procedure.

  3. Use the Oracle Identity Manager Diagnostic Dashboard's Orchestration Status test to see information such as which Oracle Identity Manager event handlers handled the request and its status at each event handler.

    1. Log in to the Oracle Identity Manager Diagnostic Dashboard.

      Refer to the "Working with the Diagnostic Dashboard" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information.

    2. Run the Request Diagnostic Information test on the request ID. The test returns an Orchestration ID.

    3. Run the Orchestration Status test on the Orchestration ID. Detailed information about the request appears.

    Note:

    To see the most information available about the request, proceed to the next step in this procedure.

  4. Use Fusion Middleware Control to view the Oracle Identity Manager diagnostic logs. Examine the log files to see the most detailed information about the SPML request. Refer to the "Managing Log Files and Diagnostic Data" chapter in the Oracle Fusion Middleware Administrator's Guide for more information.

7.3.4 Problems and Solutions for Managing Roles

This section describes problems and solutions related to managing roles. This section contains the following topics:

7.3.4.1 Cannot See the Function Security Policies for an External Role

The function security policies for a particular external role cannot be seen using Oracle Authorization Policy Manager.

Problem

The problem may be:

  • If Oracle Internet Directory is being used as the identity store, it is not configured to index the displayName attribute. If Oracle Internet Directory is not indexing the displayName attribute, Oracle Authorization Policy Manager cannot retrieve the role during a search.

  • The Oracle Internet Directory Authenticator in the Oracle WebLogic Server domain is not configured with the correct connection settings to the Oracle Internet Directory instance.

  • The external role has not been provisioned into the identity store.

  • If the administrator attempting to identify the function security policies is configured as a Delegated Administrator, the Delegated Administrator role does not have access to the appropriate application stripe.

  • The policy store does not have the correct application stripes.

  • The external role is not mapped to the correct application roles.

  • The external role is mapped to an application role that does not have any policy attached to it.

Solution 1

To verify an Oracle Internet Directory identity store is configured to index the displayName attribute, refer to Section 7.2.1.

Solution 2

To verify the Oracle Internet Directory Authenticator in the Oracle WebLogic Server domain is configured with the correct connection settings to the Oracle Internet Directory instance, refer to Section 7.2.2.

Solution 3

To verify the external role was provisioned into the identity store, use Oracle Directory Services Manager to examine the container in the identity store where external roles are stored, such as: cn=groups,dc=mycompany,dc=com.

Note:

  • If the external role does not exist in the identity store, use Oracle Fusion Human Capital Management to add it to the identity store.

  • If the external role exists in the identity store, verify the security providers in the Oracle WebLogic Server domain are configured in the correct order and with the correct JAAS Control Flags by referring to Section 7.2.2.

Refer to the following for more information about examining identity store containers.

If Oracle Internet Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory using this sequence:

  1. "Invoking Oracle Directory Services Manager"

  2. "Connecting to the Server from Oracle Directory Services Manager"

  3. "Displaying Entries by Using Oracle Directory Services Manager"

If Oracle Virtual Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory using this sequence:

  1. "Invoking Oracle Directory Services Manager"

  2. "Connecting to the Server from Oracle Directory Services Manager"

  3. "Viewing Oracle Virtual Directory Entries"

Solution 4

If the administrator attempting to identify the function security policies is configured as a Delegated Administrator, verify the Delegated Administrator role has access to the appropriate application stripe by referring to "Delegating With Administrator Roles" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition).

Solution 5

To verify the policy store has the correct application stripes:

  1. Identify the application stripes that were loaded into the policy store after the Oracle Fusion Applications environment was provisioned by referring to the Oracle Fusion Applications security reference manuals. You can access the Oracle Fusion Applications security reference manuals in the Oracle Fusion Applications Technology Documentation Library.

  2. Verify the application stripes identified in Step 1 exist in the policy store by performing the following steps:

    1. Log in to Oracle Authorization Policy Manager as a security administrator with the APMAdmin application role, which will allow you to see all application stripes in the policy store.

    2. Examine the Browse tab of the Navigation Panel, which lists all application stripes in the policy store (because you are logged in as a security administrator with the APMAdmin application role).

      Refer to "Using the Navigation Panel" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition) for more information about viewing application stripes in the policy store using the Navigation Panel.

Solution 6

To verify the external role is mapped to the correct application roles:

  1. Verify the application stripe that the application role is expected to be in exists in the policy store by performing the following steps:

    1. Determine which application stripe the application role is expected to be in by referring to the Oracle Fusion Applications security reference manuals. You can access the Oracle Fusion Applications security reference manuals in the Oracle Fusion Applications Technology Documentation Library.

    2. Log in to Oracle Authorization Policy Manager as a security administrator with the APMAdmin application role, which will allow you to see all application stripes in the policy store.

    3. Examine the Browse tab of the Navigation Panel, which lists all application stripes in the policy store (because you are logged in as a security administrator with the APMAdmin application role). Verify the application stripe identified in the first substep exists in the policy store.

      Refer to "Using the Navigation Panel" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition) for more information about viewing application stripes in the policy store using the Navigation Panel.

  2. Use Oracle Authorization Policy Manager to identify the application roles currently mapped to the external role.

    Refer to "Managing Policies and Policy Objects" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition) for more information.

  3. Compare the application roles identified in Step 2 to the application roles listed for the external role in the Oracle Fusion Applications security reference manuals.

    If any application roles listed in the Oracle Fusion Applications security reference manuals are not mapped to the external role, use Oracle Authorization Policy Manager to see if they exist in the policy store. Refer to "Searching for Security Objects" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition) for more information.

    If the application roles exist in the policy store, use Oracle Authorization Policy Manager to map them to the external role by referring to "Managing Policies and Policy Objects" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition).

    If the application roles do not exist in the policy store, use Oracle Authorization Policy Manager to create them by referring to "Creating an Application Role" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition). After creating the application roles, map them to the external role.

Solution 7

To verify the external role is mapped to an application role that has policy attached to it, refer to "Searching for Security Objects" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition).

7.3.4.2 Cannot See the Data Security Policies for a Data Role

Data security policies for a particular data role cannot be seen in Oracle Authorization Policy Manager.

Problem

The problem may be:

  • The Oracle Internet Directory Authenticator in the Oracle WebLogic Server domain is not configured with the correct connection settings to the Oracle Internet Directory instance.

  • If Oracle Internet Directory is being used as the identity store, it is not configured to index the displayName attribute. If Oracle Internet Directory is not indexing the displayName attribute, Oracle Authorization Policy Manager cannot retrieve the role during a search.

  • The user searching for the data security policies does not have the privileges to do so.

  • The data role does not exist in the identity store.

  • Data role templates did not create data security policies for the data role.

  • The data security role GUIDs in the Oracle Fusion Data Security repository and the Oracle Platform Security Services policy store are not synchronized.

Solution 1

To verify the Oracle Internet Directory Authenticator in the Oracle WebLogic Server domain is configured with the correct connection settings to the Oracle Internet Directory instance, refer to Section 7.2.2.

Solution 2

To verify an Oracle Internet Directory identity store is configured to index the displayName attribute, refer to Section 7.2.1.

Solution 3

To verify the user searching for the data security policies has the privileges to do so, perform the solution described in Section 7.3.1.3.

Solution 4

To verify the data role exists in the identity store, use Oracle Directory Services Manager to examine the container in the identity store where data roles are stored, such as cn=groups,dc=mycompany,dc=com. If the role does not exist in the identity store, an administrator should add it.

Refer to the following for more information about examining identity store containers.

If Oracle Internet Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory using this sequence:

  1. "Invoking Oracle Directory Services Manager"

  2. "Connecting to the Server from Oracle Directory Services Manager"

  3. "Displaying Entries by Using Oracle Directory Services Manager"

If Oracle Virtual Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory using this sequence:

  1. "Invoking Oracle Directory Services Manager"

  2. "Connecting to the Server from Oracle Directory Services Manager"

  3. "Viewing Oracle Virtual Directory Entries"

Solution 5

To verify data role templates created data security policies for the data role:

  1. Use Oracle Authorization Policy Manager to perform a simple search for the data role using External Role as the object type. Refer to the "Finding Artifacts with a Simple Search" section in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition) for more information.

  2. Select the data role in the search results and click the View button. Details about the data role appear.

  3. Click the Find Global Policies button. The Data Security Policies table appears and lists the data security policies attached to the data role. Examine the entries in the table to ensure the data role template created the appropriate data security policies.

Solution 6

To reconcile the data security role GUIDs in the Oracle Fusion Data Security repository and the Oracle Platform Security Services policy store, run the oracle.apps.fnd.applcore.dataSecurity.util.DSDataMigrator Java program. Refer to the solution in Section 7.3.1.2 for information about using this program.

7.3.4.3 Problems Mapping an Application Role to an External Role

While attempting to map an application role to an external role using Oracle Authorization Policy Manager, issues such as the following are encountered:

  • Either the external role or application role cannot be seen in Oracle Authorization Policy Manager.

  • The mapping succeeds in Oracle Authorization Policy Manager, but is activated after a delay.

Problem

The problem may be:

  • If Oracle Internet Directory is being used as the identity store, it is not configured to index the displayName attribute. If Oracle Internet Directory is not indexing the displayName attribute, Oracle Authorization Policy Manager cannot retrieve the roles during a search.

  • The security providers for the Oracle WebLogic Server domain are configured incorrectly. Specifically, the order of providers, JAAS Control Flags, or connection settings to the Oracle Internet Directory instance may be incorrect.

  • If the mapping succeeds in Oracle Authorization Policy Manager, but is activated after a delay, the cache refresh settings for the Oracle Internet Directory Authenticator or for Oracle Platform Security Services may need to be adjusted.

Solution 1

To verify an Oracle Internet Directory identity store is configured to index the displayName attribute, refer to Section 7.2.1.

Solution 2

To troubleshoot the configuration of the security providers for the Oracle WebLogic Server domain, perform the steps in Section 7.2.2 and examine the:

  • Order of providers

  • JAAS Control Flags

  • Connection settings to the Oracle Internet Directory instance

Solution 3

If the mapping is activated after a delay, to troubleshoot the cache refresh settings for the Oracle Internet Directory Authenticator and for Oracle Platform Security Services:

  1. Examine the Oracle Internet Directory Authenticator's cache settings by referring to Section 7.2.2.

  2. Examine Oracle Platform Security Services' cache refresh setting by referring to the problem and solution described in Section 7.3.2.1 of this chapter.

Note:

Wait for the caches to be refreshed before reattempting a failed task or operation.

7.3.4.4 Cannot See Application Role Hierarchies

Attempts to view application role hierarchies using Oracle Authorization Policy Manager fail.

Problem

The problem may be:

  • The identity store's LDAP Authenticator in the Oracle WebLogic Server domain is configured to use the wrong identity store.

  • The administrator is attempting to view the application role hierarchy from the incorrect application role in the Oracle Authorization Policy Manager interface.

  • Role hierarchies are not defined.

Solution 1

To verify the identity store's LDAP Authenticator in the Oracle WebLogic Server domain is configured to use the correct identity store, refer to Section 7.2.2 and examine the connection settings configured for the identity store's LDAP Authenticator.

Solution 2

To verify the correct application role is being used to display the application role hierarchy, ensure that in the Oracle Authorization Policy Manager interface the hierarchy is displayed from the intended application role. Application roles frequently have similar names, such as roles that are qualified by region, so double-check the selected role before concluding that the hierarchy is missing.

Solution 3

To verify role hierarchies are defined, refer to "Managing Policies and Policy Objects" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition).

7.3.4.5 Attempts to Add an Application Role to a Hierarchy Appear to Have No Effect

After using Oracle Authorization Policy Manager to add an application role to a hierarchy, no changes can be seen in the hierarchy.

Problem

The problem may be:

  • The application role already exists as a member of the hierarchy.

  • The incorrect application role was added to the hierarchy, or the correct application role was added to the incorrect hierarchy.

Solution

To verify the application role hierarchy:

  1. Display the application role hierarchy the role was intended for. Refer to "Managing Policies and Policy Objects" in the Oracle Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition) for information about viewing the application role hierarchy.

  2. Ensure that the application role does not already exist in the hierarchy.

  3. Ensure that when the application role was added to the hierarchy, the intended application role and the intended hierarchy were used. It is possible the intended application role was added to the incorrect hierarchy, or the incorrect application role was added to the intended hierarchy.

Refer to the "Permission Inheritance and the Role Hierarchy" section in the Oracle Fusion Middleware Application Security Guide for information about rules for application role hierarchies.

7.3.4.6 Cannot Create Valid Data Roles Using Data Role Template

While attempting to create a data role using a data role template in Oracle Authorization Policy Manager, issues such as the following are encountered:

  • The data role is not created

  • The data role is created with a null displayName and description

Problem

The problem may be:

  • The SQL query used in the Dimension tab of the template is invalid or returns no records.

  • The Oracle Authorization Policy Manager application ID used by the data role template does not have sufficient privileges to create the data role in the intended identity store container.

  • A general issue in the identity store, such as the instance is not running.

Solution 1

To troubleshoot the SQL query used in the Dimension tab of the template:

  1. Review the SQL query and ensure the intended string was entered correctly.

  2. Review the SQL query and ensure the values it returns do not contain special characters such as "," (comma) that are unsupported by the identity store. Role names generated from the query must consist only of alphanumeric characters.

  3. Verify the database table referenced in the SQL query contains data (is not empty).

Solution 2

To troubleshoot the privileges of the Oracle Authorization Policy Manager application ID used by the data role template, perform the following steps on the identity store:

  1. Verify the cn=fusion_apps_apm_rgx_appid user exists in the cn=appidusers container.

    Refer to the following for more information about examining identity store containers.

    If Oracle Internet Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory using this sequence:

    1. "Invoking Oracle Directory Services Manager"

    2. "Connecting to the Server from Oracle Directory Services Manager"

    3. "Displaying Entries by Using Oracle Directory Services Manager"

    If Oracle Virtual Directory is the identity store, refer to the following sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory using this sequence:

    1. "Invoking Oracle Directory Services Manager"

    2. "Connecting to the Server from Oracle Directory Services Manager"

    3. "Viewing Oracle Virtual Directory Entries"

  2. Verify the cn=fusion_apps_apm_rgx_appid group exists in the cn=appidgroups container.

  3. Identify all groups that the fusion_apps_apm_rgx_appid group is a member of, and then verify those groups have write permission to the container where enterprise roles are stored, such as cn=groups.

    Note:

    If using Oracle Virtual Directory as the identity store, you must verify the groups' permissions in both Oracle Virtual Directory and the back-end (source) repositories.

  4. If using Oracle Virtual Directory as the identity store, verify that the ACLs for Oracle Virtual Directory and its back-end (source) data repositories are configured correctly.

    To focus the ACL verification, perform the following steps:

    1. Temporarily disable access control checking in Oracle Virtual Directory using Fusion Middleware Control. To disable access control checking, deselect (disable) the Enable Access Control Check option on Oracle Virtual Directory's Server Properties page. While this option is disabled, Oracle Virtual Directory enforces no ACLs for any client, so perform this test only in a maintenance window or on a non-production instance, and re-enable the option as soon as the test is complete.

      Refer to the "Configuring Oracle Virtual Directory Server Properties Using Fusion Middleware Control" section in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory for more information.

    2. Perform the steps to create the data role using a data role template.

      • If you can create the data role when Oracle Virtual Directory access control checking is disabled, the Oracle Virtual Directory ACLs are configured incorrectly.

        To isolate the error in the Oracle Virtual Directory ACLs, re-enable access control checking in Oracle Virtual Directory, set its logging to TRACE message type at level 32, try creating the data role using a data role template, and then examine Oracle Virtual Directory's log, which will now contain the result of each ACL test.

        Refer to the "Setting the Level of Information Written to Log Files" section and the "Managing Log Files and Diagnostic Data" chapter in the Oracle Fusion Middleware Administrator's Guide for more information about Oracle Virtual Directory logging.

      • If you cannot create the data role when Oracle Virtual Directory access control checking is disabled, the error is not in the Oracle Virtual Directory ACLs and you should examine the ACLs in the back-end (source) data repositories by referring to their documentation.

Solution 3

To troubleshoot the identity store:

  • If using Oracle Internet Directory as the identity store:

    1. Verify Oracle Internet Directory is running.

      You can view the status of Oracle Internet Directory using Fusion Applications Control. After logging in to Fusion Applications Control, navigate to the Farm home page and examine the Identity and Access components within the Fusion Middleware section of the content pane.

      Refer to the "Navigating within Fusion Applications Control" section in the Oracle Fusion Applications Administrator's Guide for more information.

    2. Verify Oracle Internet Directory is configured to index the displayName attribute by referring to Section 7.2.1.

  • If using Oracle Virtual Directory as the identity store:

    1. Verify Oracle Virtual Directory is running.

      You can view the status of Oracle Virtual Directory using Fusion Applications Control. After logging in to Fusion Applications Control, navigate to the Farm home page and view the Identity and Access components within the Fusion Middleware section of the content pane.

      Refer to the "Navigating within Fusion Applications Control" section in the Oracle Fusion Applications Administrator's Guide for more information.

    2. Verify the connectivity between Oracle Virtual Directory and its back-end (source) data repositories. Use Oracle Directory Services Manager's Client View Data Browser to view the directory tree. If Oracle Virtual Directory is not connected to a back-end repository, a message appears when the Data Browser attempts to connect to it.

      Refer to the following sections (in the listed sequence) in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory for more information about using Oracle Directory Services Manager's Client View Data Browser:

      1. "Invoking Oracle Directory Services Manager"

      2. "Connecting to the Server from Oracle Directory Services Manager"

      3. "Viewing Oracle Virtual Directory Entries"

7.3.5 Problems and Solutions for Managing Keystores and Certificates

This section describes problems and solutions for managing keystores and certificates. This section contains the following topics:

7.3.5.1 Key or Credential Store Error After an Application Invokes Web Service

After an Oracle Fusion application invokes a web service, a key store or credential store error such as the following appears:

  • WSM-00056: The key orakey is not retrieved

  • WSM-00256: The property "Keystore Sign Alias" is not set

Problem

The problem may be:

  • The alias for the signature key or encryption key in the Oracle WSM keystore configuration does not exist in the Oracle WSM keystore file.

  • The signature key, encryption key, or Oracle WSM keystore file password is not synchronized in the keystore file and the keystore configuration for Oracle WSM. That is, at least one of the passwords does not have identical values in both locations.

Solution 1

To verify the alias for the signature key and encryption key in the Oracle WSM keystore configuration exist in the Oracle WSM keystore file:

  1. Use Fusion Middleware Control to identify the alias for the signature key and encryption key in the Oracle WSM keystore configuration. Perform the procedure in the "Configuring Keystores for Message Protection" section in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Verify the aliases identified in Step 1 exist in the Oracle WSM keystore file. Use the keytool -list command on the Oracle WSM keystore file to view its aliases. Refer to the keytool - Key and Certificate Management Tool document on the Java SE Technical Documentation Web site for more information about using keytool. You can access this document by searching for it on the Search Java SE Technical Documentation Web page at:

    http://download.oracle.com/javase/search.html

    • Ensure each alias is synchronized in both locations. If they are not, you can edit the alias in the Oracle WSM keystore configuration by performing the procedure in the "Configuring Keystores for Message Protection" section in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services. You can edit the alias in the Oracle WSM keystore file using the keytool -changealias command.

      Note:

      Before you edit an alias, be sure that doing so will not affect any other web service.

    • If the alias for the signature key or encryption key does not exist in the Oracle WSM keystore file, add it by referring to the "Generating Private Keys and Creating the Java Keystore" section in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Solution 2

To ensure that the signature key, encryption key, and Oracle WSM keystore file passwords are each synchronized in the keystore file and the keystore configuration for Oracle WSM:

  1. Use keytool to reset the passwords in the Oracle WSM keystore file. Because the passwords are not visible, resetting them is the only method to ensure that they have identical respective values in both locations.

    • Use the keytool -storepasswd command to reset the Oracle WSM keystore file password.

    • Use the keytool -keypasswd command to reset the signature key password and encryption key password.

  2. Use Fusion Middleware Control to reset the passwords in the Oracle WSM keystore configuration to the same respective values you set in Step 1. Refer to the "Configuring Keystores for Message Protection" section in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services for more information.

7.3.5.2 Trust Certificate Error After Application Invokes Web Service

After an Oracle Fusion application invokes a web service, a trust certificate error such as the following appears:

WSM-00138: The path to the certificate is invalid due to exception

Problem

If the web service advertises its certificate in its Web Services Description Language (WSDL), the problem may be that the client is not configured to trust that certificate or its issuer.

Solution

To verify the client is configured to trust the web service's certificate advertised in the WSDL or its issuer:

  1. Verify the client keystore contains either the public certificate of the web service or the public certificate of its issuer. Use the keytool -list command to identify the certificates in the client keystore. If the client keystore contains neither, use the keytool -importcert command to import the web service's certificate or its issuer's certificate.

    Refer to the keytool - Key and Certificate Management Tool document on the Java SE Technical Documentation Web site for more information about using keytool. You can access this document by searching for it on the Search Java SE Technical Documentation Web page at:

    http://download.oracle.com/javase/search.html

  2. Verify the value for the keystore.recipient.alias override property of the client Oracle WSM policy is identical to the alias of the trusted public certificate in the Oracle WSM keystore file. Refer to the "Attaching Web Service Policies Permitting Overrides" section of the Oracle Fusion Middleware Security and Administrator's Guide for Web Services for more information.
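
The following Python script is an added example and not code from Oracle's documentation or product. It automates the keystore checks in Solution 1 of Section 7.3.5.1 and step 1 and step 2 of Section 7.3.5.2: it parses keytool -list output, confirms that the configured signature and encryption aliases exist as PrivateKeyEntry entries (a trusted certificate alone cannot sign or decrypt, so such an alias still produces WSM-00056), and confirms that the keystore.recipient.alias of a client policy is present. The sample keytool output is constructed, the alias names orakey and ca-root and the keystore file name are assumptions, and load_live_keystore assumes keytool is on the PATH.

```python
"""Check Oracle WSM keystore aliases against the Oracle WSM keystore configuration.

Added example, not Oracle code. It parses non-verbose `keytool -list` output and
verifies that the signature and encryption aliases from the Oracle WSM keystore
configuration (Section 7.3.5.1) exist as PrivateKeyEntry entries, and that the
keystore.recipient.alias of a client policy (Section 7.3.5.2) exists at all.
SAMPLE_KEYTOOL_LIST is constructed; the alias names are assumptions.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `keytool -list -keystore default-keystore.jks` output.
SAMPLE_KEYTOOL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

orakey, Mar 1, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
ca-root, Mar 1, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
"""

# One entry line: "<alias>, <date>, <entry type>," (fingerprint lines do not match).
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),.*?,\s*(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)


def parse_keytool_list(text: str) -> Dict[str, str]:
    """Map alias -> entry type. Aliases are lowercased: JKS treats them case-insensitively,
    so 'OraKey' in the WSM configuration matches 'orakey' in the file."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip().lower()] = m.group("kind")
    return entries


def check_wsm_aliases(entries: Dict[str, str], sign_alias: str, enc_alias: str,
                      recipient_alias: Optional[str] = None) -> List[str]:
    """Return the mismatches between the configured aliases and the keystore contents.
    An empty list means every configured alias resolves to a usable entry."""
    problems: List[str] = []
    for role, alias in (("signature", sign_alias), ("encryption", enc_alias)):
        kind = entries.get(alias.lower())
        if kind is None:
            problems.append(f"{role} alias '{alias}' is not in the keystore (cf. WSM-00056)")
        elif kind != "PrivateKeyEntry":
            # A trusted certificate alone cannot sign or decrypt; a private key is required.
            problems.append(f"{role} alias '{alias}' is a {kind}, not a PrivateKeyEntry")
    if recipient_alias is not None and recipient_alias.lower() not in entries:
        problems.append(f"keystore.recipient.alias '{recipient_alias}' is not in the keystore")
    return problems


def load_live_keystore(path: str, storepass: str) -> Dict[str, str]:
    """Run keytool on a real keystore file. Note that -storepass on the command line is
    visible to other local users through process listings; use it only on an admin host."""
    out = subprocess.run(["keytool", "-list", "-keystore", path, "-storepass", storepass],
                         capture_output=True, text=True, check=True).stdout
    return parse_keytool_list(out)


if __name__ == "__main__":
    entries = parse_keytool_list(SAMPLE_KEYTOOL_LIST)
    # Configuration that agrees with the keystore: no problems reported.
    print(check_wsm_aliases(entries, "orakey", "orakey", recipient_alias="ca-root"))
    # Encryption alias points at a trusted certificate only: reported as a problem.
    print(check_wsm_aliases(entries, "orakey", "ca-root", recipient_alias="missing"))
```

Because JKS compares aliases case-insensitively, a difference in letter case between the Oracle WSM keystore configuration and the keystore file is not the cause of WSM-00056; a missing alias, or an alias that holds only a trusted certificate, is.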

7.3.6 Problems and Solutions for Identity Propagation Using SAML

After an Oracle Fusion application attempts to propagate a user's identity by calling a different Oracle Fusion application using Oracle SOA, InvalidSecurityToken-, FailedAuthentication-, or SAML assertion issuer-related errors appear.

Problem

The problem may be:

  • The SAML issuer name for the SAML token is not configured or is configured incorrectly.

  • The subject.precedence configuration override is set incorrectly.

Solution 1

To troubleshoot the SAML issuer name configuration, verify the SAML Issuer Name the client is using is among the issuers configured on the Oracle WebLogic Server domain by performing the steps in the "Adding an Additional SAML Assertion Issuer Name" section of the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

If the SAML Issuer Name that the client is using is not configured as an issuer in the Oracle WebLogic Server domain, Oracle recommends changing the issuer name on the client by updating its saml.issuer.name override to one of the issuers configured on the Oracle WebLogic Server domain.

If you cannot change the issuer name on the client, you can add its issuer name to the Oracle WebLogic Server domain by performing the steps in the "Adding an Additional SAML Assertion Issuer Name" section of the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Solution 2

To troubleshoot the subject.precedence configuration override:

  1. Set the subject.precedence override value in your current client policy to false to change the identity to a different user. By default, the subject.precedence override is set to true.

  2. Set the appropriate Credential Store Framework key override on the client policy that contains the user name and password of the user you want to send to the service. If an entry for this user does not exist in the Credential Store Framework, you must add it. Refer to the "Adding Keys and User Credentials to the Credential Store" section in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services for more information.

  3. Ensure the appropriate Web Services Identity Permission is set for the client application by performing the steps in the "Configuring SAML Web Service Clients for Identity Switching" section of the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

7.3.7 Problems and Solutions for Logging in to Secured Resources

This section describes problems and solutions for logging in to secured resources. This section contains the following topics:

7.3.7.1 Incorrect Language Appears After Logging in to a Secured Resource

While attempting to access a resource secured by Oracle Access Manager, a user changes the language preference on the login page. After logging in successfully, the secured resource appears in a language different from what the user selected on the login page.

Problem

The problem may be Oracle Access Manager's ORA_FUSION_PREFS cookie is not in the user's browser. The ORA_FUSION_PREFS cookie determines which language the secured resource appears in. After the user chooses a language preference on the login page and gets authenticated, Oracle Access Manager sends the ORA_FUSION_PREFS cookie to the user's browser.

Solution

Examine the cookies in the user's browser and try to locate the ORA_FUSION_PREFS cookie. If the ORA_FUSION_PREFS cookie is not in the user's browser:

  • Examine the browser's security and privacy settings, as they may be set so restrictively that the cookie is rejected.

  • Add the Oracle Fusion application's domain to the browser's exception list.

7.3.7.2 Login Page Unexpectedly Reappears (No Single Sign-On)

After successfully logging in to a resource secured by Oracle Access Manager, a login page unexpectedly reappears. Whether the reappearing login page belongs to Oracle Access Manager or to Oracle Fusion Applications, a user does not expect to see it in a single sign-on environment.

Problem

The problem may be:

  • If the login page reappeared after attempting to access a different secured resource, the authentication level of the authentication scheme securing the subsequently accessed resource is greater (higher) than the authentication level of the authentication scheme securing the resource that was accessed first. In this situation, the reappearing login page is expected behavior.

  • The Oracle Access Manager server's Idle Timeout or Session Lifetime configuration parameters are set to a value that is too small. The Idle Timeout parameter specifies the amount of time, in minutes, that a user's authentication session remains valid without accessing a resource secured by Oracle Access Manager. The Session Lifetime parameter specifies the amount of time, in minutes, that a user's authentication session remains valid. For both parameters, the smaller the value, the more frequently users must re-authenticate.

  • Oracle Access Manager's ObSSOCookie and OAM_ID cookies are not in the user's browser. The ObSSOCookie and OAM_ID cookies are encrypted, single sign-on, session-based cookies generated by the Oracle Access Manager Access Server when a user authenticates successfully.

Solution 1

To examine the authentication levels of the authentication schemes securing the resources:

  1. Log in to the Oracle Access Manager Administration Console by referring to the "Logging In to the Oracle Access Manager 11g Administration Console" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

  2. Identify the authentication policies securing the resources and the authentication schemes configured for those policies. You can reduce the number of policies to examine by first looking at the policies for the Host Identifier that the Webgate is using.

    Refer to the "Searching for an Authentication Policy" and "Viewing or Editing an Authentication Policy" sections in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service for more information.

  3. Identify the authentication levels for each authentication scheme. Refer to the "Viewing or Editing an Authentication Scheme" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

    Note:

    If the authentication level for the subsequently accessed resource is greater than that of the first accessed resource, the reappearing login page is the expected behavior.

Solution 2

To verify the settings for the Idle Timeout and Session Lifetime configuration parameters:

  1. Log in to the Oracle Access Manager Administration Console by referring to the "Logging In to the Oracle Access Manager 11g Administration Console" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

  2. Verify the values configured for the Idle Timeout and Session Lifetime configuration parameters by referring to the "Configuring User Session Lifecycle Settings" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

Solution 3

To verify Oracle Access Manager's ObSSOCookie and OAM_ID cookies are in the user's browser:

  1. Display the cookies in the user's browser.

  2. Locate Oracle Access Manager's ObSSOCookie and OAM_ID session cookies.

If the ObSSOCookie and OAM_ID cookies are not in the user's browser:

  • Examine the browser's security and privacy settings, as they may be set so restrictively that the cookies are rejected.

  • Add the Oracle Fusion application's domain to the browser's exception list.

7.3.7.3 Cannot Access Forgotten Password Functionality from Login Page

While attempting to access a resource secured by Oracle Access Manager, the Forgotten Password feature is inaccessible from the login page.

Problem

The problem may be:

  • Network issues are preventing a connection to Oracle Identity Manager.

  • Oracle Access Manager's configuration to Oracle Identity Manager's lost password functionality is incorrect.

Solution 1

To test connectivity to Oracle Identity Manager, from the system hosting the Administration Server where Oracle Access Manager is deployed, ping the system hosting the Managed Server where Oracle Identity Manager is deployed. A successful ping shows only that the host answers ICMP; firewalls commonly permit ICMP while filtering application ports, or block ICMP while the port is open, so also confirm that the Oracle Identity Manager host and port configured in oam-config.xml (see Solution 2) accept a TCP connection from the Oracle Access Manager host.

Solution 2

To verify Oracle Access Manager's configuration to Oracle Identity Manager's lost password functionality:

  1. Use a text editor to open the following file on the Administration Server for the domain where Oracle Access Manager is deployed:

    DOMAIN_HOME/config/fmwconfig/oam-config.xml
    
  2. Locate the <Setting Name="IdentityManagement" Type="htf:map"> entry.

  3. Examine the ServerConfiguration settings similar to those shown in Example 7-4 and verify the following values:

    Example 7-4 ServerConfiguration Settings Within IdentityManagement Entry

    <Setting Name="ServerConfiguration" Type="htf:map">
      <Setting Name="OIM-SERVER-1" Type="htf:map">
        <Setting Name="Host" Type="xsd:string">OIM_HOST</Setting>
        <Setting Name="Port" Type="xsd:integer">OIM_PORT</Setting>
        <Setting Name="SecureMode" Type="xsd:boolean">true|false</Setting>
      </Setting>
    </Setting>
    
    • OIM-SERVER-1: Must be identical to the value of the IdentityManagementServer setting in the IdentityServiceProviderConfiguration entry described in Step 4.

    • If Oracle Identity Manager is front-ended by Oracle HTTP Server or a load balancer:

      • OIM_HOST: Fully-qualified host name of Oracle HTTP Server or load balancer.

      • OIM_PORT: The port for the Oracle HTTP Server or load balancer.

      • SecureMode: Set to true for connecting to Oracle Identity Manager over HTTPS, set to false for connecting over HTTP.

    • If Oracle Identity Manager is not front-ended:

      • OIM_HOST: Fully-qualified host name of the Managed Server where Oracle Identity Manager is deployed.

      • OIM_PORT: The port for the Managed Server where Oracle Identity Manager is deployed.

      • SecureMode: Set to true for connecting to Oracle Identity Manager over HTTPS, set to false for connecting over HTTP.

  4. Examine the IdentityServiceProviderConfiguration settings similar to those shown in Example 7-5 and verify the following values:

    Example 7-5 IdentityServiceProviderConfiguration Settings Within IdentityManagement Entry

    <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
      <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      <Setting Name="DateFormatPattern" Type="xsd:string">yyyy-MM-dd'T'HH:mm:ss'Z'</Setting>
      <Setting Name="PasswordExpiredURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
      <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
      <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
      <Setting Name="AccountLockedURL" Type="xsd:string">/admin/faces/pages/accountlocked.jspx</Setting>
    </Setting>
    
    • OIM-SERVER-1: Must be identical to the name of the server entry (OIM-SERVER-1 in Example 7-4) in the ServerConfiguration entry described in Step 3.

    • Confirm the following URL Settings are configured with the values shown in Example 7-5:

      • PasswordExpiredURL

      • ChallengeSetupNotDoneURL

      • ForcedPasswordChangeURL

      • AccountLockedURL
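
The following Python script is an added example and is not part of Oracle's documentation or product. It automates the comparison that Steps 3 and 4 above describe (the server name referenced by IdentityManagementServer must exist under ServerConfiguration, Host, Port and SecureMode must be well-formed, and the four URL settings must carry the values in Example 7-5) and replaces the ping in Solution 1 with a TCP connection attempt to the configured Oracle Identity Manager port. The XML is a constructed, reduced fragment of oam-config.xml; the Configuration root element, the host name oim.example.com and the port 14000 are assumptions.

```python
"""Consistency check for the IdentityManagement entry of oam-config.xml.

Added example, not part of Oracle's documentation or product. It automates the
comparison in Section 7.3.7.3 and replaces the ping in Solution 1 with a TCP
connect to the configured OIM port. SAMPLE_OAM_CONFIG is a constructed, reduced
fragment: the <Configuration> root, host name and port are assumptions.
"""
import socket
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_OAM_CONFIG = """\
<Configuration>
  <Setting Name="IdentityManagement" Type="htf:map">
    <Setting Name="ServerConfiguration" Type="htf:map">
      <Setting Name="OIM-SERVER-1" Type="htf:map">
        <Setting Name="Host" Type="xsd:string">oim.example.com</Setting>
        <Setting Name="Port" Type="xsd:integer">14000</Setting>
        <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
      </Setting>
    </Setting>
    <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
      <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      <Setting Name="DateFormatPattern" Type="xsd:string">yyyy-MM-dd'T'HH:mm:ss'Z'</Setting>
      <Setting Name="PasswordExpiredURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
      <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
      <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/admin/faces/pages/pwdmgmt.jspx</Setting>
      <Setting Name="AccountLockedURL" Type="xsd:string">/admin/faces/pages/accountlocked.jspx</Setting>
    </Setting>
  </Setting>
</Configuration>
"""

# Values that Example 7-5 says the URL settings must carry.
EXPECTED_URLS = {
    "PasswordExpiredURL": "/admin/faces/pages/pwdmgmt.jspx",
    "ChallengeSetupNotDoneURL": "/admin/faces/pages/pwdmgmt.jspx",
    "ForcedPasswordChangeURL": "/admin/faces/pages/pwdmgmt.jspx",
    "AccountLockedURL": "/admin/faces/pages/accountlocked.jspx",
}


def _local(tag: str) -> str:
    """Tag name without XML namespace, so a namespaced real file parses like the sample."""
    return tag.rsplit("}", 1)[-1]


def settings(parent: ET.Element) -> Dict[str, ET.Element]:
    """Child <Setting> elements keyed by their Name attribute."""
    return {c.get("Name", ""): c for c in parent if _local(c.tag) == "Setting"}


def text_of(s: Dict[str, ET.Element], key: str) -> str:
    el = s.get(key)
    return (el.text or "").strip() if el is not None else ""


def check_identity_management(xml_text: str) -> List[str]:
    """Return the inconsistencies found; an empty list means the entry passes every check."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    im = next((e for e in root.iter()
               if _local(e.tag) == "Setting" and e.get("Name") == "IdentityManagement"), None)
    if im is None:
        return ['no <Setting Name="IdentityManagement"> entry found']
    top = settings(im)
    servers = settings(top["ServerConfiguration"]) if "ServerConfiguration" in top else {}
    if not servers:
        problems.append("ServerConfiguration defines no Oracle Identity Manager server")
    for name, srv in servers.items():
        s = settings(srv)
        if not text_of(s, "Host"):
            problems.append(f"{name}: Host is empty")
        port = text_of(s, "Port")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"{name}: Port '{port}' is not a valid TCP port")
        if text_of(s, "SecureMode") not in ("true", "false"):
            problems.append(f"{name}: SecureMode must be true or false")
    isp = (settings(top["IdentityServiceProviderConfiguration"])
           if "IdentityServiceProviderConfiguration" in top else {})
    ref = text_of(isp, "IdentityManagementServer")
    if ref not in servers:  # Steps 3 and 4: the two names must be identical
        problems.append(f"IdentityManagementServer '{ref}' matches no ServerConfiguration "
                        f"entry {sorted(servers)}")
    for key, expected in EXPECTED_URLS.items():
        if text_of(isp, key) != expected:
            problems.append(f"{key} is '{text_of(isp, key)}', expected '{expected}'")
    return problems


def oim_port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect to the OIM host and port. ICMP ping can succeed while the port is
    filtered, and be blocked while the port is open, so this is the test that matters.
    It does not validate the TLS trust chain when SecureMode is true."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Replace SAMPLE_OAM_CONFIG with the contents of DOMAIN_HOME/config/fmwconfig/oam-config.xml.
    for p in check_identity_management(SAMPLE_OAM_CONFIG):
        print("PROBLEM:", p)
```

Run the check on the copy of oam-config.xml from the Administration Server; once it reports no problems, call oim_port_reachable with the Host and Port it validated, from the Oracle Access Manager host, to replace the ping test in Solution 1.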

7.4 Additional Information for Troubleshooting Oracle Identity Management

The following is a list of Oracle Identity Management documents that provide additional information and will help you troubleshoot. Use these documents if you have isolated your problem to a specific Oracle Identity Management component or to learn more about a specific component.

Note:

A few of the documents in the following list do not contain explicit troubleshooting information, but are a source of information that will help you during troubleshooting.